IT Blog

Vulnversity Walkthrough

Today we’re going to be running through TryHackMe’s Vulnversity room! This is meant as an easy box to go over the basics of Penetration Testing. Some of the topics covered are Active Recon, Web App attacking, and Linux privilege escalation.

The room consists of 5 separate tasks: Deploy the machine, Reconnaissance, Locating directoires using GoBuster, Compromise the webserver, and Privilege Escalation

Task 1: Deploy The Machine

This one is easy! If you’re a THM VIP member then you can either start up Attack Box or connect via your OpenVPN client to the target machine.

Task 2: Reconnaissance

Once connected, the guide gives some basic nmap flags to assist in doing some reconnaissance on the device.

-sV – Attempts to determine the version of the services running

-p <x> or -p- – Port scan for port <x> or scan all ports

-Pn – Disable host discovery and just scan for open ports

-A – Enables OS and version detection, executes in-build scripts for further enumeration

-sC – Scan with the default nmap scripts

-v – Verbose Mode

-sU Udp port scan

-sS TCP SYN port scan

So going down the questions:

  1. There are many nmap “cheatsheets” online that you can use too.

This one is a freebie

  1. Scan the box, how many ports are open?

We can run a basic “nmap <IP>” scan and see what comes back. Might have to add -p- if they use higher non-standard ports on the box.

Answer: 6

  1. What version of the squid proxy is running on the machine?

We saw on our previous scan that squid proxy was running on port 3128, so we can use that to enumerate the version with “nmap -sV -p 3128 <IP>”

Answer: 3.5.12

  1. How many ports will nmap scan if the flag -p-400 was used?

The first dash in “-p-400” indicates to start at the beginning and the second dash indicates where to stop.

Answer: 400

  1. Using the nmap flag -n what will it not resolve?

Well you can probably infer from the word “resolve” in the question what the answer will be here, but you can confirm by running an “nmap -help | \\-n” to see that -n prevents resolving DNS and a -R forces resolution.

Answer: DNS

  1. What is the most likely operating system this machine is running?

We can get Operating System information using the flag -O, so trying “nmap -O <IP>” gets us the following:

Typing Linux in as the answer doesn’t get us anywhere. Let’s try something a little broader – “nmap -A <IP>” will scan for all of the basic nmap flags and also run some nmap scripts to get as much info as possible. There’s quite a bit to parse through in the resulting output, but the clue we’re looking for comes from the Web Server running on port 3333:

The Apache version info that it retrieves mentions running on an Ubuntu Linux OS.

Answer: Ubuntu

  1. What port is the web server running on?

We answered this through our scans for the previous question.

Answer: 3333

  1. Another informational freebie.

Task 3: Locating directories using GoBuster

The start of this section explains we’ll be using GoBuster – “a fast directory discovery tool” – to locate a directory where we can upload a shell.

They go onto explain that GoBuster can be used to brute force directories and files, DNS subdomains, and virtual hostnames. In this challenge we’ll be supplying it with a  wordlist of common directory names to brute force our directory enumeration. GoBuster comes installed on most Kali boxes, but if you need to install it then you can do so with “sudo apt-get install gobuster.” Like the previous task, some basic flags are provided:

-e – Print the full URLs in your console

-u – The target URL

-w – Path to your wordlist

-U and -P – Username and Password for Basic Auth

-p <x> – Proxy to use for requests

-c <http cookies> – Specify a cookie for simulating your auth

Two questions follow:

  1. Freebie to indicate you read through the section
  1. What is the directory that has an upload form page?

We can run a basic brute force on port 3333 for the web server with the command “gobuster dir -u http://<ip>:3333 -w <wordlist location>”. Dir indicates we’re running a directory scan, -u provides the URL link, we specify we’re running on http with our IP and port info, and -w gives the path to our wordlist which is going to be /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt due to it being an apache list.

Answer: /internal/

Task 4: Compromise the web server

Not the fun begins! We’re going to utilize what we’ve learned thus far to try and compromise the web server and get our shell installed. We can connect to the webserver with “<IP>:3333” and take a look around before trying to connect to the /internal directory we found. Going to the upload page, we can test out a few different uploads to see if anything sticks. Knowing that we’re trying to get a shell, we can try uploading some shell scripts to get our answer for the first question.

  1. Try to upload a few file types to the server, what common extension seems to be blocked?

Answer: .php

  1. A freebie indicating that we’re going to be using BurpSuite to perform fuzzing on the upload form.

We’ll start by navigating to the upload page and then starting up BurpSuite. Under Proxy, we’ll make sure the Interceptor is changed to “On” and then back in our browser we’ll make sure our FoxyProxy is also set to send to Burp. Upload a file and hit submit, as the page hangs switch back to Burp and from the Interceptor page we’ll right click our submission and send it over to “Intruder.”

Intruder has a few different tabs. On the Target tab we’ll type in our Web Server IP address with the 3333 port number. Switch over to the Positions tab, for the payload type select Sniper, and with the buttons on the right side click on the Clear button. Locate the “filename=[your file]” portion of the data, highlight the extension for your submitted file, and click the Add button on the right side. Finally, switch to the Payload tab and here you can either import a list of the following extensions given by THM or enter them into Burp manually. Select to Run Attack and you should get something that looks like the following:

Notice that the length of the response is different for phtml, indicating it got a different a different response from the rest of the test attempts.

Answer: phtml

  1. What is the name of the user who manages the Web Server?

To answer this question we’re going to need to first need to exploit the upload page with an approved phtml extension payload. The THM guide offers up the following link to download a php payload that we can use:

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

Go ahead and open that page and copy over the PHP script it contains. Near the top of the script, below the commented section, we’ll need to change the $ip and $port variables to match our attack machine with the port we want to use and save it as a .phtml extension file when we’re finished:

When this is done, go ahead and upload the file in your browser! Don’t be like me thought and remember to turn off your FoxyProxy first so that the upload will go through without being sent to Burp. You should get a Success message indicating the upload was successful.

Before we try to run our script, we need to start a netcat on our attack machine. We can use the standard “nc -lnvp [PORT]” to start that up on our machine. Then we can navigate to “<IP>:3333/internal/uploads/shell.phtml” and check back on our listener to see if it worked!

We can see that the connection has been established and a whoami indicates we’re running as www-data. We can now view the passwd file that should be readable by everyone to see a list of users on the machine with “cat /etc/passwd” to see the following:

There’s only one account listed near the bottom that differs from all of the system accounts listed.

Answer: Bill

  1. What is the user’s home flag?

We can start our search by changing to Bill’s /home directory if we’re able. From there we can drill down into Bill’s directory and list the contents to see the user.txt file that contains our flag:

Answer: 8bd7992fbe8a6ad22a63361004cfcedb

Task 5: Privilege Escalation

Time to take over. This task involves elevating our www-data account to a root account.

The THM guide gives use the hint that we’ll be exploiting SUID – Set Owner UserID upon execution – to gain our root access. These are special file permissions to a file that allow a user running it to run it with the permissions of the file owner instead of their own.

  1. On the system, search for all SUID files. What file stands out?

The hint for the question gives us a command we can use to find all SUID files – “find / -user root -perm -4000 -exec ls -ldb {} \;”

Sandwiched inbetween a lot of permission denied errors is a list of SUID file paths, and of these one looks a bit more interesting than the rest.

Answer: /bin/systemctl

  1. Become root and get the last flag (/root/root.txt)

Now that we have our SUID, we can do a quick google search for any known vulnerabilities. The following link has an exploit we can test out for this machine:

https://gtfobins.github.io/gtfobins/systemctl/

The page is broken up into a SUID portion and Sudo portion, so we’ll stick with the following SUID bit of the exploit:

We can copy and paste this into our shell, but first we’ll need to make a few changes to what commands it runs as well as the path to our SUID at the bottom.

ExecStart=/bin/sh -c “cat /root/root/txt > /tmp/output”

/bin/systemctl link $TF

/bin/systemctl enable –now $TF

We’re telling it to cat the location of the flag and send the output to the /tmp/output location that we can read as our user. Once it runs, we can run “cat /tmp/output” to view our text:

Answer: a58ff8579f0a9270368d33a9966c7fd5

And with that. Congratz, we’ve earned our degree from TryHackMe Vulnversity!

Vulnversity Walkthrough Read More »

Using Eve-NG to Virtualize your Juniper Network

Virtualizing Juniper VSRX devices using Eve-NG

To start, download VM Workstation Player and Eve-NG Community Edition:

You can download either the OVA or the ISO for Eve-NG, but this example uses the OVA image

Once you have both downloaded, install VMWare Workstation Player. When it’s finished open it up and under Player in the navigation bar select File and then Open to browse to the Eve-NG OVA.

Before starting it, open up its settings and customize your processor and RAM allocations. If you’re on a desktop make sure your network adapter settings are set to Bridged and if you’re on a laptop that it’s set to NAT. Once your settings are good you can start the image.

The default credentials are root / eve to login and then you can follow the wizard to do your initial setup. Create your user account and if you have an IP in mind that you’d like to use turn off DHCP and set it along with your DNS server, otherwise leave everything defaulted. When the VM finishes booting test your internet connectivity by pinging 8.8.8.8. If your tests went well then you should be able to get your IP address through ifconfig (add the pnet0 argument if you can’t scroll up) to view your DHCP IP address. Open up an internet browser on your host machine and navigate to your VM IP address where you should see an Eve-NG login screen. Login with the credentials admin / eve and change the drop down to use HTML5. From here you should be able to create new labs using any nodes you have installed on your Eve-NG VM.

To add a node like Juniper vSRX to your Eve-NG VM requires you FTP to the VM itself and add it. Using FileZilla, or any FTP program you’d like, connect over Port 22 to the VM IP address using your root / eve credentials and navigate to the /opt/unetlab/addons/qemu folder and copy your qcow2 vSRX folder over. Rename the folder and file on VM using the naming conventions on this website – https://www.eve-ng.net/index.php/documentation/qemu-image-namings/ – mine was vsrxng-20.3R1.8 and virtioa.qcow2. Once you have those files uploaded and renamed you have to update the VM’s wrappers in the VM CLI using the command /opt/unetlab/wrappers/unl_wrapper -a fixpermissions. Once that goes through without any errors you should be able to open up a lab in the Eve-NG web portal and select the Juniper vSRX from the node list.

To install Docker Nodes first use apt update and apt upgrade in the Eve-NG VM. Once those are finished you should be able to use the command apt install eve-ng-dockers to pull the Docker images down to your VM.

Using Eve-NG to Virtualize your Juniper Network Read More »

Generating and Applying an SSL Certificate in CPanel

1) Issue and Apply SSL Cert

  • Generate CSR in cPanel from CPanel
  • Inside of CPanel go to Security -> SSL/TSL
  • On the side bar, choose to Generate a new CSR
  • Fill out the required domain information:
    • Domain: example.com
    • City: Chicago
    • State: IL
    • Country: US
    • Company: cyberwatson
    • Passphrase: PasswordsRCool
    • Description: cyberwatson SSL
  • Submit and save the CSR and RSA key strings
  • Once complete, (re)issue the SSL certificate request
  • Paste in your CSR, set the primary domain, and hit next
  • Select your verification method (Add CNAME record) and continue through the prompts
  • Click the Edit Methods link in the instructions or go to the Domain List in CPanel and click on your domain
  • Drop down the Edit Methods button and select Get Record
  • Copy the Host and Target information provided to a notepad
  • Go back to CPanel and under Domains select Zone Editor
  • Find your domain and select Manage
  • Select the CNAME filter to view your existing CNAME records and then drop down the blue Add Record box on the right and select to ‘Add “CNAME” Record’
  • Copy the Host and Target sections of your DCV request and paste them in the Name and Record portions of your CNAME record and then select to Add Record
  • Navigate back to your CPanel and click Done on your SSL Domain List page. If a few moments, after refreshing the page, you should see the yellow PENDING Certification Status change to a green ISSUED status
  • To verify the SSL certificate is live, you can go to your Domain List and view all applied and expiring SSLs for each domain

2) Apply SSL Certificate to Website

  • In your CPanel go to Domain Lists and Download your SSL Certifcate bundle to get your pubic CRT key and Intermediate CABundle. Also make sure you have the RSA Private key generated during your SSL certificate creation
  • If you issued a new SSL certificate, you need to update the corresponding keys for your domains webhosting
  • Open your CPanel and under Security select SSL/TLS
  • On the right side select to the Manage SSL sites
  • Use either the dropdown to find your domain or next to the existing SSL certificate select to Update Certificate
  • Copy and paste your CRT, CABundle, and RSA keys into their respective textboxes and submit
  • You should get a verification that the update completed and an updated expiration date to match the new SSL cert

Generating and Applying an SSL Certificate in CPanel Read More »