Posts

Hack The Box Write-up - Dropzone

10 minute read Published:

Write-up for the machine Dropzone from Hack The Box. This is a very interesting box since you have to get in only by writing files to arbitrary locations. An initial TCP port scan returns no open ports at all; only after scanning UDP do you find an open TFTP daemon on port 69. After playing with it a little, you find out the box is an old Windows XP machine and you can read and write anywhere. The flag is hidden, so you need a shell to explore the system. Remembering the old Stuxnet exploits, you can find a way in by exploiting Windows WMI with a malicious MOF file uploaded to a special folder. The last step to get both flags is to read the ADS of the hidden file, which only works after uploading the streams.exe tool from Sysinternals.
Enumeration

Port scan

As usual, start with a quick port scan to identify open ports for inspection:

$ masscan -e tun0 -p 1-65535 --rate 2000 10.10.10.90
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2018-10-08 20:55:02 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]

Not a single open port was identified. Instead of debugging masscan, checking the VPN connection, trying out all sorts of firewall evasion techniques, or going crazy otherwise, remember port scans do TCP by default but can do UDP as well:

Hack The Box Write-up - DevOops

7 minute read Published:

Write-up for the machine DevOops from Hack The Box. The box is Python-focused and illustrates nicely the various kinds of mistakes you can make when using Python libraries carelessly. XML parsing is vulnerable to XXE, giving access to source code. The source reveals that pickle is used to parse user input, which turns into RCE as an unprivileged user. From there, searching the history of a git repository left on the box exposes a deleted private key, which can be used to SSH in as root. There is an unintended shortcut since the SSH key of the unprivileged user is accessible via XXE, but I ignore this way in for this write-up.
Enumeration

Port scan

Start with a fast standard port scan and you find only two open ports:

$ masscan -e tun0 -p 1-65535 --rate 2000 10.10.10.91
...
Discovered open port 22/tcp on 10.10.10.91
Discovered open port 5000/tcp on 10.10.10.91

A targeted nmap scan confirms SSH on port 22 and identifies port 5000 as a Python web server, running gunicorn:

$ nmap -sV -sC -p 22,5000 10.10.10.91
...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.

Hack The Box Write-up - Sunday

8 minute read Published:

Write-up for the machine Sunday from Hack The Box. The box is pretty straightforward but still cool to do. You start with enumerating finger, finding some usernames. If you did thorough port scans and did not miss SSH on a non-standard port, one of these names allows you to brute-force your way into the box. Cracking a password hash from a shadow-file backup you find gets you to the other user, from which you can escalate to root after realizing you can sudo wget.
After quite a while, this is another write-up for a Hack The Box machine. This time for “Sunday”, a relatively easy machine based on Solaris. Never worked with this OS before, so I was keen to see what I would find.

Enumeration

Port scan

To start, we quickly scan the ports of the box. An initial scan with high rate using masscan takes only a few seconds and reveals a few open ports:

flaws.cloud - Level 2

8 minute read Published:

In a previous post, I covered level 1 of flAWS.cloud, a CTF-style cloud security game in which you have to find your way into an AWS account by abusing common misconfigurations. This walkthrough now covers level 2, in which you discover content in another vulnerable bucket. This time, S3 ACLs are the culprit. The level demonstrates one of the most common mistakes in S3 access control configuration.
In level 1, we discovered that the homepage http://flaws.cloud is hosted in an S3 bucket with Amazon's static website feature. Since the creator of the bucket configured the permissions such that unauthenticated users could list it, we discovered a secret file named “secret-dd02c7c.html”. It led us to the start page of level 2. Now, the level description says we have to do something similar, but need our own AWS account this time.

flaws.cloud - Level 1

6 minute read Published:

flAWS.cloud is a set of CTF-like challenges that teach you common security issues in AWS accounts. This post is the first of a series of walkthroughs for these challenges. It's basically a short write-up on how to solve level 1, followed by a brief explanation of the AWS configuration that leads to this flaw and how to mitigate it. Before reading, go [here](http://flaws.cloud/) and try yourself first! ;)
Adoption of cloud computing is rising rapidly. Studies predict it will soon surpass on-premises hosting even for enterprise workloads. Large corporates are hesitant mostly due to security concerns, which are partly of a more general nature (“uploading data to the cloud”), but also due to the myriad of cloud security failures you read about every day in the news. For example, many companies misconfigure AWS S3 bucket permissions and leave sensitive data unprotected.

Steganography challenge - The Book of Secrets

10 minute read Published:

A small steganography challenge illustrating basic tricks used to hide data inside images. This post introduces the challenge, walks you through the solution, and ends by describing how the challenge was created. The solution involves some basic JPG image screening, hex-editor surgery, and password cracking with custom wordlists.
Steganography is the practice of hiding information inside other media like images, audio or video files, text, or pretty much anything else. It is different from encryption in that it aims not at making information unreadable but at concealing the very fact that it is there. Steganography and steganalysis (detection of steganography) are long-standing fields of research. Overviews of the field can be found, e.g., in Subhedar/Mankar (2014) or Zielińska/Mazurczyk/Szczypiorski (2014).

Hack The Box Write-up - SolidState

12 minute read Published:

Write-up for the machine SolidState from Hack The Box. It requires thorough port scanning to find an esoteric telnet admin interface of the Apache James email server. With default root credentials, you become James admin and break into people's email inboxes. Inside, you find SSH credentials, bypass a restricted shell and finally find an insecure cron job to escalate to root.
This is my second write-up for a machine from Hack The Box. It is again a rather easy one but still lots of fun, with plenty of opportunities to do some old-school telnet work on email servers. It starts with port scanning and illustrates the importance of also scanning less popular ports. After finding the email server with default credentials, you must use your administrator power to get code execution. Once on the box, all you have to do is find an insecure cron job and you are root.

Hack The Box Write-up - Calamity

10 minute read Published:

Write-up for the Hack The Box machine called Calamity. It involves basic enumeration, finding a way into a hidden admin panel of the web server, injecting PHP code after getting past the login, evading an intrusion detection system, recovering an SSH password hidden inside audio files and finally using LXC/LXD to exploit a user administration mistake to get root.
Hack The Box is a new company offering lab servers on which you can practice penetration testing techniques. It is quite educational and a lot of fun. They have multiple machines and all follow a similar pattern. You start with an IP address, have to find a way to get code execution on the machine (usually as an unprivileged user) and have to escalate from there to root. This post is about one of the machines, called Calamity.