@TryHackMe – Pickle Rick CTF

Another day, another challenge.

Today’s blog post I will be solving the Pickle Rick CTF on TryHackMe.com. Click HERE to be redirected to the challenge.

After hitting the deploy button we now have our IP address.

pickle_ip_address

We see that this challenge is focused on finding vulnerabilities in a web server.

Let’s run nmap, nikto, and dirbuster to see what we find…

pickle_nmap

Executing nmap, we see that there are two port open – 22 (ssh), and 80 (http).

Moving on to nikto…

pickle_nikto

Running nikto we see that there is an login php file which is interested.

Finally, let’s look at dirbuster.

pickle_dirb

With dirbuster we have an access directory, as well as an index.html, and robots.txt file (both returning a 200 which is good). We also have a server-status which is returning a forbidden http code of 403.

We’ve done basic enumeration let’s move to the web app and see if we can find more clues.

Let’s answer the first question.

pickle_first_ingredient_question

Navigating to the IP address in a browser we see the following.pickle_landing_page

Nothing really stands out, except for the burping :-). Let’s view the source code and see what we find.pickle_source_code

Viewing the source code (Right click on page, select view source code) we see at the bottom there’s a username. Let’s see if we can find a password. Maybe our dirbuster results will come in handy…pickle_robots

Going back to our results in dirb we notice there’s a robots.txt file. Going to this file, we see the above. Hmm, this is a strange robots.txt file. Maybe this could be the password, let’s see if it works.pickle_login

In our nikto results, we had a login page. Navigating to that page and entering our username from the index.html page, and a password from the robots.txt page we get the following.pickle_portal

Success! We’re in the application.

Let’s run the ls (listing) command with the options of all and long listing and see what we have.

pickle_listing

pickle_listing_directory

Opening the Sup3rS3cretPickl3Ingred.txt file we have the first ingredient below.pickle_first_ingredient

Also notice that the directory shows the asset directory that we found in dirbuster. Navigating to that webpage we see the following

pickle_assets_directory

The directory have gifs and jpgs, nothing of importance to solve the challenge.

Let’s move on to question 2.pickle_second_ingredient_question

We know this application is vulnerable to command injection, let’s see if we can perform a directory traversal to view other parts of the application. Going back to the directory  listing we notice there’s a clue.txt file. Opening the file we see the following

pickle_clue_txt

Our hunch was correct, we need to look around the file system to find the next ingredient. pickle_directory_traversal

In the above command we’re doing a directory traversal to move up to the root directory, list all of the files in long form (ls -al), and print the working directory to make sure we’re in the correct folder (pwd). Doing this we get the below screenshot.

pickle_root_directory

We’re viewing the root level directory, so our command(s) were a success! We notice a lot of folders, but at this time two are useful for us. The first is home, which in every  Linux system ever user has a home directory. The second is root (admin/super user) which can only be accessed through the admin. We’ll come back to root later. Let’s see if we can navigate to the home directory.

pickle_change_home_directory

pickle_listing_home_directory

Executing the command above, we’re now in the /home directory! We notice there are two folders, rick and Ubuntu. The Ubuntu folder is from the operating system. Let’s explore the rick folder and see what we can find.

pickle_change_rick_directory

Changing to the rick directory we see the second ingredient!

pickle_list_second_ingredient_rick_directory

pickle_less_second_ingredient

Using the less command we open the second ingredient. Note: The filename is in quotations due to spacing. Without the quotations Linux would interpret the second in second ingredients.

pickle_second_ingredient_answer

We now have our second ingredient, let’s answer the final question.

pickle_third_ingredient_question

Remember in the beginning of this walkthrough, I mentioned that another folder – root is of particular interest to us and only the admin or superuser is the only user to access this folder. Let’s see if we can elevate our privileges to the admin and view this folder.

pickle_sudo_listing

Before we can access this folder, let’s run the sudo -l command to see what privileges we have on this box.

Executing this command we see that we can execute ANY command on this box WITHOUT a password (ALL NOPASSWD: ALL). This surely is NOT good security! Let’s use the sudo command with the listing (ls) with the root folder and see what we can find.

pickle_sudo_listing_as_root

Executing the command, we see that there are two files in the /root folder. One of them is named 3rd.txt. Could this be our third ingredient? Let’s see.

pickle_access_root_listing

Executing the sudo command in conjunction with the less command on the 3rd.txt file, we see that we do indeed have the third and final ingredient.

pickle_less_root_third_ingredient

pickle_third_ingredient

Challenge solved!

Advertisements

@TryHackMe – Basic Pentesting Room

Another day, another challenge.

Today’s blog post – I will give a walk-through on a boot-to-root room called, “Basic Pentesting Room”. This boot to root is perfect to get practice in preparation for the OSCP.

Let’s get started.

Logging into TryHackMe with your credentials and heading into the room we see the following:

TryHackMe1

OK, we have tasks to complete and we will learn the following skills – brute forcing, hash cracking, service enumeration, and Linux enumeration.

The first question is:

TryHackMe2

Clicking the deploy button at the top we get the following:

tryhackme

Second question is:

TryHackMe3

OK, we need to find the services exposed. What can we do?

One solution is to use nmap -sV (TCP scan) <IP address>

In this case it would be nmap -sV 10.0.0.204. Doing this we see the following screenshot:

tryhackme_nmap

Success! We now have the services.

TryHackMe4

Let’s use dirb to find the hidden directories. See the following screenshot:

tryhackme_dirb

Our hidden directory is development.

TryHackMe5

Reviewing our enumeration we see that ports 139 and 445 are open. These ports are used for SMB (Server Message Blocks) which are HIGHLY vulnerable. Let’s run the command enum4linux and see what we find.

tryhackme_smbtryhackme_smb2

We found two users: kay and jan

Question #5!

TryHackMe6

First, entering kay, I received an error. Let’s try entering jan. Success!

TryHackMe7

Let’s fire up Hydra which is password cracking tool with the password list of rockyou (this password list is used a lot in Kali and even in the OSCP… hint, hint!)

tryhackme_hydra

TryHackMe8

The service we use to access the server is SSH.

TryHackMe9

tryhackme_jantryhackme_jan2

TryHackMe10

kay

TryHackMe11

Since we have a new user (kay) and we have a ssh folder that lists the public key we can try to get the password.

TryHackMe12

From question #10 we have the user (kay) and a public key how can we go about cracking the key?

Doing a quick Google search, I was presented with the following link.

Scrolling down we see the following:

ssh_command

Let’s see if we can recreate this to find the passphrase. Using the ssh2john we created the hash.

tryhackme_ssh2johntryhackme_zip

Next we’ll use John The Ripper with the famous rockyou wordlist to see if we can crack the passphrase.tryhackme_kay1We were successful! The passphrase is beeswax. Let’s try to ssh with kay’s private key and see if we can get in.

tryhackme_kay2

Entering the passphrase we see that we were able to successfully log into the kay account! Just to be sure I issued the command of whoami (don’t mind the fat fingering!)

tryhackme_kay_listing

tryhackme_kay_passwordNext, we run the list command to see what we’re working with. We see a pass.bak file, let’s see if this lists the password. Opening the file we see the password. Score!

Let’s run sudo -l, which will show us what commands kay can run as root. We’re prompted with the password and we entered the password that we just acquired. We’re presented with all of the commands that kay can run, and we see that kay can execute all commands as root. Great, this will be helpful for us.

There’s another file that is important in the directory – bash_history. Bash_history is useful because it shows all the commands the user executed before logging off. Let’s open the file.

tryhackme_bash_historytryhackme_listing_2

After opening the file we see a lot of commands. There is one that is very useful – sudo su. If working correctly, running this command we will change from the kay user to root. In other words we would do privilege escalation – where we start as a non-admin user and through improper configuration change to a root user. Let’s try the command and see if it works.

tryhackme_sudo_su

Running the sudo su command, and typing whoami, we see that we’re now root! We do another directory  listing which shows the files from before, so no change. Let’s see if we can get into the root directory.tryhackme_kay6

Changing to the root directory we see that there is a flag.txt file. Opening this file we presented with the verbiage above. We solved the challenge!

OSCP Series: Kioptrix Level 3

Another day, another challenge.

In today’s blog post we’re going to solve level 3 of the Kioptrix series.

For the level 2 walk through, click HERE.

Let’s begin.

Starting the VM, we’re presented with the following login screen.

Kioptrix_Level3_Login

Going back to the login screen the disclaimer states that we need to modify the /etc/hosts to include our IP address that our kioptrix3 vm is running.

Kioptrix_Level3_cat_etc_hosts

Let’s see which services are running on the virtual machineKioptrix_Level3_nmap

Hmm… we have two services open – ssh and http. Let’s go to the web application and do a manual crawl of the site.

Navigating to kioptrix3.com we see the following:

Kioptrix_Level3_webpage1

Clicking the Login button we’re presented with a login screen. At the bottom we notice the page is using LotusCMS. Let’s keep this in mind, just in case we it to exploit the application.Kioptrix_Level3_webpage2_login

Let’s run nikto to see if we can find more vulnerabilities in the web application.

Kioptrix_Level3_nikto

Kioptrix_Level3_nikto2

We see that the application found a phpmyadmin folder. Let’s go to the folder and see what we can find.

Kioptrix_Level3_webpage2_phpMyAdmin

Going to the php page, we realize we don’t have login credentials, so at this point we can’t log into the phpmyadmin page. We know the application is using LotusCMS let’s see if there’s a LotusCMS module that we can use in Metasploit.

Kioptrix_Level3_msfconsole

Kioptrix_Level3_msfconsole2

After opening and searching Metasploit for LotusCMS we see there’s a perfect remote code execution we can use.

Kioptrix_Level3_msfconsole_lotus_exploit

After selecting the exploit let’s review the options to see what we need to add to the module to make the exploit work. We need a remote host (RHOST), remote port (RPORT) and the URI. Let’s add the information below.

Kioptrix_Level3_msfconsole_lotus_meterpreter

After entering the information, and typing run, we notice that we’re presented with a meterpreter shell! Let’s go to the home directory and see how many users are on the box.

Kioptrix_Level3_msfconsole_lotus_meterpreter_2

We have three users, dreg, loneferret, and www (web).  Let’s see what’s in the dreg folder.

Kioptrix_Level3_msfconsole_lotus_meterpreter_dreg

Searching the dreg folder we don’t see much. We see a bash_logout, bashrc, and profile scripts. Let’s move on to loneferret.

Kioptrix_Level3_msfconsole_lotus_meterpreter_loneferret

Hmm… Loneferret has a lot of information. We see there’s a file titled, “.sudo_as_admin_successful”, a company police readme, and a checksec script. Let’s review the company policy readme.

Kioptrix_Level3_msfconsole_lotus_meterpreter_loneferret_company_readme

Well… it seem if we want to edit, create, or view files we need to use the command sudo ht. Let’s keep this in our toolbox because I am sure we will use it later. Remember we found a phpmyadmin page, let’s see if we can find a config file with login credentials.

kioptrix_config_file

Doing a search on the kioptrix3 folder, we see there are three config files. Let’s review the last file, gconfig.php.

Kioptrix_Level3_msfconsole_lotus_meterpreter_loneferret_gconfig

Opening the gconfig.php file we notice there are login credentials for the phpmyadmin page! Let’s keep this in our toolbox because we might have to use it later.

At this point, we have php login credentials, but that’s not enough to gain root privileges. Let’s see if we can review the web application again for more clues.

We notice there’s a gallery section of the application. Maybe we can be lucky and the application is susceptible to sql injection.

Kioptrix_Level3_gallery

Adding an apostrophe to the end of the number there’s no change in the application. We notice at the bottom of the page  there’s a sorting option. Let’s see if changing the sorting option will invoke a SQL injection.Kioptrix_Level3_gallery_photo_id_before_sql_injection_2

Changing the sorting option to Photo Id, and adding the apostrophe to the end of the number, we get the following…Kioptrix_Level3_gallery_photo_id_sql_injection_2

Success! The application is susceptible to SQL injection. Let’s fire up sqlmap and see what goodies we can find.

Kioptrix_Level3_sqlmap

Kioptrix_Level3_sqlmap2

Executing a preliminary SQLMap run we see that SQLMap verified our manual testing results that the application is susceptible to SQL injection. SQLMap also found the technologies the application is using. Let’s do a more extensive probe. Firing SQLMap again we use the dump all to see what data we can find.

Kioptrix_Level3_sqlmap3

Kioptrix_Level3_sqlmap4

We found the dev accounts database, and notice that we have two users dreg, and loneferret, along with their passwords. Remember these are the same users we found when we used Metasploit with the LotusCMS remote code execution.

Now that we have login credentials, and we know that loneferret has more promising information than dreg, let’s connect to loneferret’s account through ssh.

Kioptrix_Level3_ssh

Connecting to loneferret’s account, we try to access the root folder, but receive a permission denied (we’re not root… yet). We also try to execute the sudo ht command that was listed in the company readme file, and we get the error, “error opening terminal: xterm-256color”.

Kioptrix_Level3_cat_etc_hosts_xterm

Doing a quick google search we find that we need to use the following command “export TERM=xterm”. Doing this and running the sudo ht command again we’re presented with the following screenshot. Let’s see if we can view and modify the /etc/sudoers file and see if we can escalate our privileges from loneferret to root.

Kioptrix_Level3_ht1

Kioptrix_Level3_ht_adding_sh

Opening the /etc/sudoers file we notice that the loneferret has a user privilege escalation where a password is not required. Right now it’s for the commands: su, and sh. Let’s add our ht command to the list. After adding the command, saving, and exiting we’re presented back to the command prompt.

Kioptrix_Level3_root

Executing the command sudo /bin/sh, and running a whoami we see that we’ve been escalated to root! Running the ls command we see that we’re presented with the same information we had in our meterpreter shell. Changing our directory to /root we notice there’s a Congrats.txt file.Kioptrix_Level3_root2Kioptrix_Level3_root3

Opening the Congrats.txt file we have found the flag and completed the challenge!

OverTheWire: Natas Level 9 – #appsec #webapp #websecurity #wargames

Another day, another hacking challenge…

Today’s challenge is to find the password for level 9.

To view level 8, please go HERE.

After entering the username/password we see the following screen:

level9_beginning

On the right side there’s a link that says, “view sourcecode”.

Clicking this link we see the following:

level9_source_code

First, you should notice that there is weird syntax (language) of “<? and ?>” What is this? Well, this is PHP (Personal Home Page). Which is a server-side programming language.

What exactly is passthru? Passthru is a function that executes a command. To learn more about the passthru function click HERE. In this case we’re using the word in the first screenshot to look through a file named dictionary.txt.

 

Let’s try to enter the word “test” to see what we get…

level9_test

The code returns all of the words that have test in it. OK. Let’s see if we can get ALL of the words in the dictionary.txt file.

Let’s try the word of “” instead of test. Doing that we get the following:

level9_all_words

We have all the words in the dictionary.txt file. Why did I pick “” ? Well if you look in the passthru function the command was enclosed in quotes. I figured that if I entered quotes we would break out of the command which would produce all of the words in the file.

So now we have all of the words, what do we do now?

The challenge seems to be vulnerable to command injection. To learn more about command injection, go to the link HERE.

Let’s try to add another command to list all of the directories in the folder. The command to enter is: ls%20-la; (%20 is the URL encoding of space). This command is listing all of the files in the directory include hidden ones (in Linux hidden files start with the “.”).

level9_listing_directories

We have listed all of the directories, and have a potential gem. There’s a file named .htpasswd. Let’s add on to the command sequence to open this file. To do that we add the following: cat%20.htpasswd;.

level9_ending

We have received the password! Which is: $1$p1kwO0uc$UgW30vjmwt4x31BP1pWsV.

How to Get Started in Pentesting #infosec, #pentesting, #appsec, #security @j0emccray, @infosecaddicts, @ppentestlabs, @pentesterlab, @blackroomsec, @securitytube

Happy Hacking!

Today’s blog post will be on how to get started with pentesting… on a budget.

If you’re following or reading my twitter timeline (@devsecopsgrl007), you will know that I am currently taking SANS SEC542 – Web App Penetration Testing. I am doing this class OnDemand (online), and I have access to the training for 4 months, along with two practice tests, and the certification (once I pass, putting it into existence!) While this course is GREAT, it is EXPENSIVE!

I know if you’re a student, this is WAY out of your price range. So, I would like to list alternatives where you will learn the same content, but it might take you a bit longer.

So without further ado here’s my list:

  1. Skillshare has a Ethical Hacking package that is $19 for 8 courses. These courses original value was $1,273 – which is a 99% savings. You can buy the class HERE.
  2. There’s a book that is the holy grail for Web Pentesting called, “The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” This book has a lab accompanied with the book that is $7/hour. You can buy the book HERE.
  3. Another book, Penetration Testing Essentials, is another GREAT book. It gives an overview of the different concepts of pentesting. You can buy the book HERE.
  4. Joe McCray has a Pentester Candidate Program that is also a GREAT program. Follow Joe on twitter (j0emccray) or his program – @infosecaddicts
  5. PentesterLab has a program – PentesterLabPro where you can pay $19.99/month, or pay for a year and get two months free. More information can be found HERE. PentesterLab also has a bootcamp which is free. More information can be found HERE.
  6. PentesterAcademy has a monthly subscription for $39.99/month. The good thing about PentesterAcademy is they have A LOT of information. Web App Pentesting, Python, etc. More information can be found HERE.
  7. PracticalPentestLab has a promotion where you can pay a one time fee of $42.99 to get the VIP content which has subjects in pentesting, windows exploit, etc. You can contact them on twitter @ppentestlabs. More information can be found HERE.
  8. Hacking-Lab is a free online platform where you can learn hacking skills. More information can be found HERE.
  9. Cybrary is another free website that has an assortment of courses. More information can be found HERE.
  10. PicoCTF is an online CTF platform that is geared towards high school students, but it’s open to anyone. All you need to do is sign-up. More information can be found HERE.

Another big piece is to practice the skills that you have learned.

To do this you will need vulnerable machines to hack 🙂

One of my favorites is HackTheBox which has an assortment of machines. More information can be found HERE. Note: That you will need to hack the site to get the invite code.

Another website that I love is VulnHub. VulnHub has an assortment of machines. The good thing about VulnHub is that some of the machines have been used in CTFs and other security conferences. More information can be found HERE.

The next website is my favorite, called OverTheWire. OverTheWire is a website that has multiple challenges in different areas, web app pentesting, linux, etc. More information can be found HERE.

There’s another website RootMe which is a free online platform to practice pentesting. More information can be found HERE.

I can’t stress enough that you will need to practice. The old adage holds true in this case, practice makes perfect.

Finally, please follow @blackroomsec on twitter who’s a sweetheart! She has a website that lists even more free or inexpensive opportunities to learn pentesting.

 

The BodgeIT Store Series #4, Find Diagnostic Data – #bodgeit #infosec #pentest #appsec #webapp

Happy hacking!

Today’s blog post is #4 in the BodgeIt Store series.

If you want to view post #3 click HERE.

In today’s post we’re going to find diagnostic data.

So exactly what is diagnostic data?

In this case, we’re looking for a webpage inside the store that will reveal debugging data.

What exactly is debugging data?

Debugging data is used by developers who want to make sure their application is working correctly.

The problem is that the developers do not turn off the debugging feature before moving their application to production (live).

Let’s get started.

So how are we going to find the debug data? We’re going to add the following in the URL address bar: ?debug=true

Let’s start with the home page:

debug_true_1

We added the debug command, and it the page rendered the same. No debugging code on this page.

Let’s try the about us page.

Adding the debug command, the page rendered the same. No debugging code on this page.

debug_true_2

 

Let’s try the contact us page.

Adding the debug command, the page rendered the same. No debugging code on this page.

debug_true_3

Let’s try the login page.

Adding the debug command… the page rendered:

debug_true_4_yess

If you view the top of the page, you will see the new line – DEBUG: Clear.

This is an example of debugged code!

We were able to find diagnostic code in the application.

Let’s try the Your Basket page, and see what we get:

debug_true_5_yes

We found another page that has diagnostic data! In this case the debugged line says – DEBUG basketid = 5.

Let’s try search page, and see what we get:

debug_true_6

No diagnostic data here.

Let’s see what the scoreboard says:

bodgeit_scoring_5

We have successfully completed the find diagnostic data challenge (it’s green)!

The BodgeIT Store Series #3, Get the Store to Owe You Money – #bodgeit #infosec #pentest #appsec #webapp

Happy hacking!

Today’s post is #3 in a series of solving the BodgeIt Store.

If you want to check post #2, click HERE.

In today’s challenge we will make the store owe us money.

Before continuing on, you will need an interception proxy.

Two of the most popular interception proxies are ZAP and Burp.

I am going to use the free version of Burp (Community Edition) which can be downloaded HERE.

After downloading and installing Burp we need to set our proxy to have Burp intercept the traffic.

Note: I am using Chrome, but the steps are VERY similar between browsers (IE, Chrome, and Firefox)

When opening Burp, and clicking on the Proxy –> Options tab we see that the Proxy Listener is listening on 127.0.0.1, port 8080.

burp_settings

Going to your browser, go to Options.

In Chrome, click the three dots, and select Settings

You should see the following screen:

chrome_settings

In the search settings type in “proxy” which will show the following:

chrome_proxy_settings

Clicking on the last option – Open proxy setting we see:

internet_properties_1

Clicking on the Connections tab, we see:

internet_properties_2

Clicking the LAN settings button, make the settings look like the following screenshot and press “OK”.

internet_LAN_properties

To summarize: We’re setting the proxy in Chrome (or IE, Firefox, depending on the browser) to send traffic through our Burp proxy which is listening on 127.0.0.1:8080.

Going back to Burp, make sure that the intercept is on –  see screenshot:burp_intercept

Refreshing the BodgeIt page, we see:

burp_bodgeit

Yay! our traffic is being trapped properly through Burp.

Click Forward until the Raw tab is blank, and turn the intercept off.  Click the intercept is on box once and it will turn off the interception.

OK… now let’s earn some $$$!!!

Navigating to the home page, click on any of the items on the left side. I am going to click on Doodah’s (first item), and I see the following:

Doodah_1

I am going to click on the most expensive item which in this case is Doo dah day, and I see:

Doodah_2

OK, let’s turn on the interception back on. Click the intercept is off button once to turn the interception back on.

After the interception is on, click on the basket button. I see:

burp_price

Changing the quantity to -10 (which is a negative value, and should not be permitted as you can’t purchase a NEGATIVE item) we see:

burp_updated_price

Going back to BodgeIt…

We have successfully made the store owe us money!!!

burp_updated_price_final

Going back to the scoreboard…

bodgeit_scoring_4

we see this challenge is now complete (green)!