Blog

  •

    [CTF] HTB Traceback write-up walkthrough

    4.92 of 84 votes

    This is my write-up and walkthrough for the Traceback (10.10.10.181) box user flag. Traceback is a Linux machine which was a little more challenging for me than I expected. This was my first CTF effort in quite some time and I wanted to refresh my learning. HTB (hackthebox) has also introduced a new Pwnbox feature, which is a custom web-based Parrot OS VM. This utility is a perk of HTB's VIP membership, and I was keen to test it out in practice. When commencing this engagement, Traceback was listed in HTB (hackthebox) with an easy difficulty rating.   Walkthrough First I spun up a new Pwnbox instance. Once this instance was running, I then installed my VPN server key for my desired region. Once the VPN server key was installed, I then pinged the target 10.10.10.181 to check if my instance could reach the Traceback machine. To make things easier moving forward, I opted to add the target machine IP address to my /etc/hosts file. To do this I navigated to the /etc/hosts file. And I added the target IP address and assigned it an identifier label trace Now this was set, I could begin some basic recon. For this I used Nmap, which is an open-source network scanner designed to discover hosts, services, and open ports. My objective was to identify what ports might be open on the target machine. I ran Nmap with the flags sudo nmap -sS -sC -sV trace -oN scan These flags told Nmap to do the following: -sS - Instructs Nmap to not complete the three-way handshake so the connection attempt is not logged on the target. -sC - Instructs Nmap to scan with default NSE scripts, which is useful and safe for discovery. -sV - Instructs Nmap to determine the version of any services running on the ports. The Nmap scan results indicated ports 22 and 80 were open. This confirmed the server was running a web service and SSH. I visited the IP address in my browser (port 80). I could see the web server running indicated a backdoor existed. I decided to take a look at the source code of the page to see if there was anything of interest. A comment left behind suggested ‘some of the best web shells’, hinting the backdoor might be a popular web shell. I decided to Google some of the most known web shells to compile a list. I then ran the list in Gobuster, which is a tool designed to aid in directory traversal and discovery, which enumerates any directories, pages, scripts, assets, and files that exist by submitting predefined names as requests and looking for HTTP 200 status code responses. Success! Gobuster was able to identify that smevk.php existed in the root domain. I visited this in my browser as https://10.10.10.181/smevk.php to see if I could reach it. I was presented with an admin login page. I wasn’t familiar with this web shell, but knew that most come with default credentials, so I tried some of the most obvious. Luckily, the form accepted username admin with the password admin on my first try. I could see a command line field within the interactive web shell, so I tried to identify if the server had Python or Perl installed. My objective now was to set up a reverse shell. This would allow me to instruct the target machine to connect to my machine and accept commands. I could see the server supported and understood Perl, so now I needed a reverse shell written in Perl. I searched Google for a reverse shell cheat sheet to see if I could grab a template for one. This code would open a socket and establish a connection on a specific IP and a specific port. Once I amended the IP and port values to reflect my own IP 10.10.14.252 and the desired port 1338 I was reserving for this attack, I could run this in the interactive web shell command line to start my reverse shell. However, before I executed this, I needed to setup a listener using netcat on my own machine to listen for connection requests on the desired port 1338. Now I could execute the reverse shell. netcat confirmed the reverse shell was active. I could see I was in the home directory as user webadmin. As netcat had previously indicated tty was inactive, I used /usr/bin/script -qc /bin/bash /dev/null to spawn a tty shell to help me navigate and interact. I then checked what was in the home directory and found sysadmin and webadmin. From here navigated to the webadmin directory and used ls -lah to list the folder contents. I could see there was an .ssh folder so proceeded to generate my own public key to add to the authorized_keys subfolder. I then navigated to my newly generated public key and opened it in a text editor. This allowed me to copy the key and write it into a command which would insert it into the target machine's authorized_keys subfolder. I could then use ssh -i key webadmin@trace to establish an active and stable SSH connection to the target machine. From here I list the directory contents and see two files note.txt and exploit.lua. I opened the note.txt using cat note.txt This message from the sysadmin suggested there was a tool coded in lua, which matches the exploit.lua in the same directory.. I opened the exploit.lua using cat exploit.lua I have little experience in the lua language, so I Googled this specific syntax and identified this is a common command for spawning an interactive system shell. Running sudo -l identifies that the user webadmin can access /home/sysadmin/luvit using sysadmin without a password. I chained this to the lua command to attempt privilege escalation. This was successful. From here I navigated to the /home/sysadmin directory and listed the folder contents. Opening the file user.txt gave me the user flag.

  • Nothing is more monstrous than man

    4.83 of 88 votes

    Fiction can teach real and important lessons. Contrary to popular belief, Frankenstein was actually the name of the doctor that created the infamous monster. There is an almost poetic irony in the fact pop-culture always fails to recognise this important distinction between Frankenstein and his creation. Much like the symbolic nature of the unknown, unnatural, and unexplained, the hideous creature Frankenstein created was nameless. What was done to the nameless creature was monstrous, and this is what eventually created a monster. In my experience, this story seems to echo the natural consequence of social participation today. Interior feelings trump facts and anything unknown, unnatural, and unexplained that doesn’t align with the narrowly defined status quo is often expelled or petitioned for censorship. Any discourse against the curve of political correctness can quickly turn hostile, resulting in polemic attacks and ad hominem arguments that create more monsters than they target. The misunderstood are outcast. Why? Because we’ve allowed ourselves to be consumed by the serenity of convenient truths and the comfort of insulated exposure. We were raised in an environment of Fisher-Price rounded corners, talking costumed animals, and irenic fairy-tale endings to believe the world is one of cordial culture and civility. This lie has made many of us intolerant toward dissent, and now we’ve shamefully become a content moderated collective that can only accept the world through the lens of filtered selfies, Hollywood heroes, and picturesque celebrity lifestyles. This comes at a social cost. Silenced outcasts become nameless. Anonymous prey-turned-predators left to wander the deep dark recesses of their own minds, assembling hideous thoughts from parts of exhumed ideas until their voice someday returns to life. As if rising from the lab table something different, the troll inhabitants of the Internet, but far from folklore. Nietzsche nailed it. Real monsters live in the abyss of every mind – and when you gaze long enough into your reflection and the monster inside you gazes back, consider that maybe just on the other side of this life is another. Like an unfinished book you muse over until you reach a blank page where the story ends and you’re left alone with yourself and your thoughts. There lives the scariest monster. Nameless and frightful. One that even the most powerful drugs cannot slay, and one that you may someday need to face yourself, lest someone else face it first.If we don’t like these monsters we’re creating then maybe we should consider the Frankensteins we have ourselves become — as like most, they become a part of our imagination or a part of ourselves. Much is monstrous, but nothing more monstrous than man.

  •

    Useful network posters you can download and print

    • General
    • by Jacob Riggs
    • 03-06-2020
    4.95 of 88 votes

    I decided to put together some minimalistic posters on network fundamentals that people can download and print for free. I hope these might help individuals, academic institutions, or maybe even companies with an IT ops function looking to decorate their office space with useful reference material. Download OSI + TCP/IP Common Ports Network Topologies All posters are A3 (297mm x 420mm) in size. I therefore recommend that if you wish to print these, you do so in A3 format between 600 and 1200 dpi for optimal print quality.If you like these posters or find them useful for your work, please consider sharing them with friends and colleagues.

  •

    In memory of my friend Craig Warden

    4.90 of 105 votes

    My colleague and friend unexpectedly passed away last year and I wanted to share a few lasting words which I hope might venerate our friendship and pay tribute to his memory. Craig Allen Warden 16 December 1970  —  13 April 2019 I’ve considered writing something for a long time, but my personal blog is hardly a podium for obituaries and mournful proclamations. Finding the right words has been difficult. I met Craig whilst working at the Guardian newspaper. He was the Head of HR at the time and we met during the natural course of our employment. Working with Craig was always entertaining due to his eloquence. He was quick-witted, had a jovial personality, and always knew how to bring out the best in those he worked with. He would always greet me with his signature “Hello matey!” in a skewed accent (which took me a while to place). Our social relationship was never linear. More often than not we would end up in protracted conversations. Even impromptu corridor banter would at times overrun and command a fleeting wave or a witty one-liner adieu. I like to think this was testament to our discussion value, but looking back I think we just got along well. We always had to rush back to work to avoid being late, but every chat was refreshing and worthwhile. I think about Craig a lot, and often find myself revisiting the moments we shared. This short blog post does the salient volume of his life little justice, but I find solace in knowing it might resonate with the people that were lucky enough to have known him, and maybe serve as insight to those that never had the chance. See you in another life, matey.

  • How to torrent (on Windows)

    4.69 of 71 votes

    The purpose of this tutorial is to provide guidance on how to access and download torrents. Torrents are hosted on file-sharing websites, which act as a directory for finding desired data (such as movies, TV shows, OS images, or open-source software). File-sharing sites themselves do not host the desired data - they just host the torrent files that tell your torrent client where it can retrieve them from. Torrents Torrents are simply peer-to-peer pointers that work by providing a torrent client with an address book of seeds that possess and are actively uploading the desired data. Seeds Seeds (also known as peers) are those in possession of the full data with an open upstream connection that shares it.   Accessing file-sharing sites ISPs block a number of well-known file sharing sites such as ThePirateBay and KickassTorrents, usually via DNS filtering and blocking requests to blacklisted server IP addresses. If you cannot visit these or other file-sharing sites, it may be because your ISP is blocking access. There are a number of methods to circumvent these blocks (and one or more may need to be adopted), but I will focus on three of the most common. Windows: Change DNS Server Navigate to Control Panel > Network and Internet > Network and Sharing Center On the left hand panel, click Change adapter settings Right-click on the connection type (could be Ethernet or WiFi) and select Properties Scroll down the list of items to find Internet Protocol Version 4 (TCP/IPv4) Click on it once to select it and then click Properties Near the bottom of the box is Use the following DNS server addresses Select that option and type in 8.8.8.8 and 8.8.4.4 Now flush your DNS resolver cache by opening CMD and typing ipconfig /flushdns then press Enter Use a VPN You can use a VPN such as ProtonVPN. Using a VPN will mask the traffic to your ISP by tunnelling your connection through a VPN server. Use Tor You can use Tor (The Onion Router). Tor acts in a similar way to a VPN, but introduces a series of encrypted hops which bounce your communications between distributed relays before arriving at the desired destination.   How to torrent files Install a torrent client To torrent files you first need to install a torrent client. For this example I will be using uTorrent. Find the desired torrent Then you need to find which torrent you want from a file-sharing site. For this example I will be using ThePirateBay. Select the desired torrent To select the torrent, you need to copy the torrent URL. For this example, I right-click the magnet icon and select Copy link address This URL follows the magnet URI scheme and identifies a torrent using a SHA-1 or truncated SHA-256 hash (commonly termed the infohash). This is the same value that your torrent client will use to identify a particular torrent when communicating with other peers. Download the desired torrent You must instruct your torrent client to request that torrent. For this example, I open uTorrent and press Ctrl + U to open the Add Torrent from URL window. Then paste the copied torrent link and hit OK   How torrenting works When you click to download a particular torrent, your torrent client will request that the trackers included in the torrent URL search for any peers broadcasting the associated file hash. Trackers Trackers are address-book servers which help organise, manage, and connect active peers. If found, your torrent client will then check if those peers have an authorised open upstream connection. If these conditions are met, your torrent client will then mark them as seeds and begin downloading the desired data. During the download process, your torrent client will automatically verify the integrity of data received by hashing each piece in a Merkle tree format. This ensures any corrupt or incorrect data is dropped during the transfer process to maximise download speed, security, and efficiency. Additional notes File-sharing sites are natural breeding grounds for malware. Torrenting safely requires an appreciation for basic security practices. I recommend you avoid torrenting if you do not know what you are doing. Accessing file-sharing sites and torrenting is perfectly legal, but torrenting unsanctioned copyrighted material is not. Be kind – torrenting can throttle your network and may affect others that share it. You may need to check your torrent client settings to ensure bandwidth rate limiting is correctly optimised. If you are concerned about upload usage, you may need to adjust your torrent client settings to automatically stop seeding once a download has completed. I recommend avoiding peer blocker software such as PeerBlock. These are designed to prevent you from connecting to blacklisted peers, but are often unreliable, significantly reduce your download speeds, and serve little purpose if you’re already using a VPN or Tor.

  • Been hacked? What to do next

    • General
    • by Jacob Riggs
    • 12-05-2020
    4.29 of 58 votes

    Please note, the advice below is tailored for online accounts of a personal nature. Any online accounts with existing or potential access to work related data in the context of employment will usually need to follow a more refined internally sanctioned incident response process (likely in accordance with the NIST industry standard). In such circumstances, please refer to your company information security and data privacy guidelines. You’ve just realised one or more of your online accounts has been compromised. Panic sets in. Time is of the essence. You must reassert control. What do you do now? Steps to take Triage – If multiple accounts are involved, you need to quickly self-evaluate risk based on what existing and potential data each account has access to. Things like sensitive pictures and private messages need to be considered. This will enable you to triage according to each account risk profile and prioritise mitigation efforts in order of risk impact. Contain – Firstly, and perhaps most obviously, you want to isolate the attack. Your primary objective should be to cut off the attacker and prevent further unauthorised access or misuse. For this, simply follow the necessary steps to reset your account password. In most cases, successfully resetting your account password will immediately invalidate any actively logged-in sessions being used by the attacker. Once complete, enable soft-token 2FA (Two-Factor Authentication) where possible. Soft-token apps (such as Gauth or Authy) generate authentication codes locally on your mobile device and are preferable to SMS. Harvest – Where possible, harvest screenshots of any new account activities, such as posts, messages, or interactions (likes, follows, etc). Many prominent online websites (such as Twitter, Facebook, and Instagram) offer options to download your full account data in a structured format locally. This evidence will help you assess the full extent of damages and may prove helpful if you later decide to report the incident to the authorities or the web service itself. Discover – Now you want to look at your attack surface by finding any other accounts that may have also been compromised. Searching your email inbox for email subject lines matching keywords such as register, registering, registration will give you insight into many of the online services you have accounts with. For any additional accounts you identify as compromised along the way, repeat steps 2 – 3. Investigate – Now you want to perform some post-incident analysis. Any evidence you harvested in steps 3 – 4 may be helpful. How did this happen? If more than one account was compromised, what security properties did they have in common? Did those accounts share the same or similar passwords? Did you leave those accounts logged in on a missing or potentially compromised device? If you want to understand the attack in detail, building a timeline of events and account activities will help you understand the attack scope and objectives. Recover – Only once the above steps are complete should you assume it is safe to continue using your account normally again. Now you can clean up and delete any bad posts or account interactions. If your account exhibited any anomalous behaviour (abuse/misuse), you may wish to address the circumstances in a public statement. Your findings from step 5 should help you make an informed decision on how best to communicate this to your online following. Prevent – How can you prevent this happening again? Ensure any future passwords you use are long and complex enough. Where possible, enable 2FA. Consider using a password manager such as LastPass or KeePass. Password managers can also help you catalogue your online presence so that you better understand your attack surface in the future. If after following these steps you notice the same accounts are still being compromised, the attacker may have established what we call persistence. This is where an attacker maintains persistent control over a specific device, system, or network that you’re using to login to the affected online accounts. From here they may be able to monitor, intercept, and block your mitigation efforts. In such circumstances, I recommend temporarily moving over to a completely new network and using a clean device to revisit the steps above. I'll focus on how to deal with compromised networks and devices in another blog post. If you are the victim of cyber crime, you reserve the right to report the incident to your local authorities. Below I've included some references that direct to the online reporting forms for each respective country. UK EU US AU Please note, the open nature of the Internet means the law surrounding cyber crime can differ greatly between countries. Duties may be owed within both the presiding jurisdiction of the victim, and that of wherever the attack may have originated.