
Security Researcher | Independent Penetration Tester | CTF Player | Good Vibes ✌️

HackTheBox - Grandpa/Granny


Please note that the exploitation process for both the granny and grandpa machines is pretty much identical. This writeup will only cover the steps to gain SYSTEM level access on the grandpa machine, but you can reproduce the same steps to get the same SYSTEM level access on the granny machine.

Machine release date: April 12, 2017

Active Ports

sudo nmap -p80 -sC -sV -oA nmap/full-tcp-version 10.10.10.14
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-03 12:22 EDT
Nmap scan report for 10.10.10.14
Host is up (0.028s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   WebDAV type: Unknown
|   Server Date: Thu, 03 Sep 2020 16:24:53 GMT
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_  Server Type: Microsoft-IIS/6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Vulnerability Discovery

As seen in the nmap scan above, Microsoft IIS httpd 6.0 is extremely outdated, so I went ahead and googled for some known exploits against it. A bit of research showed that the vulnerability was publicly disclosed shortly after this box was released.

HackTheBox - Bastard


Active Ports

sudo nmap -p80,135,49154 -sC -sV -oA nmap/full-tcp-version 10.10.10.9
# Nmap 7.80 scan initiated Wed Sep  2 13:56:23 2020 as: nmap -p80,135,49154 -sC -sV -oA nmap/full-tcp-version 10.10.10.9
Nmap scan report for 10.10.10.9
Host is up (0.051s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep  2 13:57:27 2020 -- 1 IP address (1 host up) scanned in 63.62 seconds

Vulnerability Discovery

The web page was running Drupal 7:

OSCP Prep - Metasploitable3 (Windows Server 2008)

Metasploitable3 (Windows Server 2008 R2)

The point of this exercise is to demonstrate how to use metasploit to search for and exploit vulnerabilities in outdated software. Most software installed on this machine is vulnerable to known exploits that you can find in metasploit, so if you want to get some practice with the metasploit framework, I highly recommend running some metasploit modules against metasploitable3!

There are likely multiple ways to become SYSTEM, but I will only be covering one way to do it.

HackTheBox - October

Active Ports

sudo nmap -p22,80 -sC -sV -oA nmap/full-tcp-version 10.10.10.16
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 09:26 EDT
Nmap scan report for 10.10.10.16
Host is up (0.032s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)
|   2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)
|   256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)
|_  256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Potentially risky methods: PUT PATCH DELETE
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: October CMS - Vanilla
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Vulnerability Discovery

Navigating to the web service, we have an instance of October CMS.

OSCP Prep - Brainpan Level 1

Host Discovery

$ sudo nmap -sn 192.168.254.145/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-22 12:05 EDT
Nmap scan report for 192.168.254.1
Host is up (0.00066s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.254.2
Host is up (0.00016s latency).
MAC Address: 00:50:56:E3:2E:ED (VMware)
Nmap scan report for 192.168.254.150
Host is up (0.00029s latency).
MAC Address: 00:0C:29:BB:05:43 (VMware)
Nmap scan report for 192.168.254.254
Host is up (0.00078s latency).
MAC Address: 00:50:56:EA:85:24 (VMware)
Nmap scan report for 192.168.254.145
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.32 seconds

I ran the scan above from a host in my VMware NAT subnet 192.168.254.0/24. Since I only had my Kali machine and Brainpan running in the subnet, I was able to figure out that host 192.168.254.150 was the Brainpan level 1 virtual machine.

OSCP Prep - Stack Buffer Overflow Process

Basic Assembly

  • POP -> Pops the top of the stack into the EIP register.

The General Process

  1. Find all inputs to the application.
  2. Fuzz each input with garbage data in a loop that incrementally sends more bytes to get the application to crash.
  3. Find the offset where the application crashes. Do this by creating a pattern with either pwntools or metasploit’s pattern_create.
  4. Copy the value from EIP, which indicates where the application crashed, and calculate the offset with either pwntools or metasploit’s pattern_offset.
  5. Take control over EIP by using 4 bytes at the offset returned by pattern_offset.
  6. See if you can get more space for your shellcode by adding more bytes to your buffer and reproducing the same crash. The more space you have for your shellcode, the better off you will be.
  7. Check for bad characters from 0x00 - 0xff. You can right-click on ESP and select Follow in Dump to show the input buffer of hex characters in memory. Check how the buffer of bad characters got modified.
  8. Encode your shellcode so that it doesn’t contain any bad characters.
  9. Search for a JMP ESP gadget. This gadget must comply with the following criteria:
     • It does not come from a library compiled with ASLR support.
     • The address does not contain any bad characters.
     • ADVANCED TIP: If the module was compiled with DEP support, the JMP ESP needs to be located in the .text code segment of the module with both Read (R) and Executable (E) permissions.
  10. You will need the opcode for the gadget. You should be able to get it with pwntools or metasploit’s nasm_shell.
  11. Use the address of the newly found gadget to redirect execution back into your shellcode. Generally speaking, this works by JMP’ing to ESP, since the stack at ESP now holds the shellcode you overflowed the buffer with.
     • Make sure that the EIP address is in little endian so that the CPU can interpret the opcode correctly!
  12. Generate the shellcode with msfvenom.
     • Certain shellcode encodings like shikata_ga_nai require some NOP padding to function because they need some additional space to decode themselves, so don’t forget to add the NOP sled!
     • The default exit behavior of msfvenom shellcode is ExitProcess. If you want the process to stay alive after you lose your shell, set the exit function to ExitThread.
  13. Set up a netcat listener and pwn!

Starting Windows services

services.msc

Bad Characters

badchars = (b"\x00"
b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
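The comparison behind step 7 of the process above (send the badchars buffer, read it back from the dump, see which bytes changed), as an added example that is not code from the original post. It does what mona’s bytearray compare does, one bad byte per round; `fake_target()` is a constructed stand-in for the send-and-dump step and touches no real program.

```python
# Added example, not from the original post: find which bytes of the
# 0x00-0xff test buffer the target mangles or truncates on, one byte per
# round. fake_target() is a constructed stand-in for "send the buffer,
# then read the input buffer back from the debugger's memory dump".

def test_buffer(exclude: bytes = b"\x00") -> bytes:
    """All 256 byte values in order, minus the bytes already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)

def first_bad_char(sent: bytes, observed: bytes):
    """Return (offset, byte) of the first divergence, or None if intact.

    Only the first divergence is trustworthy: a byte that is stripped or
    expanded shifts everything after it, so later bytes look wrong even
    when they are fine. Remove that byte from the buffer and resend.
    """
    for i, (s, o) in enumerate(zip(sent, observed)):
        if s != o:
            return i, s                                  # byte was replaced in memory
    if len(observed) < len(sent):
        return len(observed), sent[len(observed)]        # byte terminated the copy
    return None

def find_all_bad_chars(send_and_dump, known_bad: bytes = b"\x00") -> bytes:
    """Repeat send/compare until the buffer arrives intact; return the bad set."""
    bad = bytearray(known_bad)
    while True:
        sent = test_buffer(bytes(bad))
        hit = first_bad_char(sent, send_and_dump(sent))
        if hit is None:
            return bytes(bad)
        bad.append(hit[1])

def fake_target(buf: bytes) -> bytes:
    """Constructed stand-in: a target that stops copying at a newline and
    turns carriage returns into spaces. Returns what the dump would show."""
    return buf.split(b"\x0a")[0].replace(b"\x0d", b"\x20")

if __name__ == "__main__":
    bad = find_all_bad_chars(fake_target)
    print("bad chars:", " ".join(f"\\x{b:02x}" for b in bad))   # \x00 \x0a \x0d
```

Against a real process, `send_and_dump` would be the send step followed by reading the bytes at the dump address; a byte found this way is then dropped from the buffer and the round repeated until the buffer comes back unchanged.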

Using mona.py to detect bad characters

Generate a bytearray