This time, let’s try to get root on Servmon machine from Hackthebox.
Standard starting procedure: NMAP.
$ nmap -T4 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-29 20:10 EDT
Nmap scan report for 10.10.10.184 (10.10.10.184)
Host is up (0.22s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5666/tcp open nrpe
6699/tcp open napster
Nmap done: 1 IP address (1 host up) scanned in 124.70 seconds
Opening website as that has given good results while nmap runs again with -A.
It seems there is a software called NVMS-1000 running there. Let’s google and see what that is about. On this search we can see it is vulnerable to a directory traversal. https://www.exploit-db.com/exploits/48311
As you guys already know I have been studying pentest. Recently I signed up on hackthebox.eu and started doing some easy machines.
This writeup will show the steps I have done to get user and root flag.
I always start with nmap.
$ nmap -T4-Pn-p--v 10.10.10.178
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-01 21:41 EDT
Initiating Parallel DNS resolution of 1 host. at 21:41
Completed Parallel DNS resolution of 1 host. at 21:41, 0.01s elapsed
Initiating Connect Scan at 21:41
Scanning 10.10.10.178 (10.10.10.178)[65535 ports]
Discovered open port 445/tcp on 10.10.10.178
Connect Scan Timing: About 3.75% done; ETC: 21:55 (0:13:16 remaining)
Connect Scan Timing: About 16.48% done; ETC: 21:47 (0:05:09 remaining)
Connect Scan Timing: About 39.14% done; ETC: 21:45 (0:02:21 remaining)
Connect Scan Timing: About 66.62% done; ETC: 21:44 (0:01:01 remaining)
Discovered open port 4386/tcp on 10.10.10.178
Completed Connect Scan at 21:44, 220.62s elapsed (65535 total ports)
Nmap scan report for 10.10.10.178 (10.10.10.178)
Host is up (0.15s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
445/tcp open microsoft-ds
4386/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 220.71 seconds
Port 4386 seems different, will try some telnet to it, and enumerate:
$ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.
HQK Reporting Service V1.2
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>debug 1
Invalid password entered
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command
QUERY FILES IN CURRENT DIRECTORY
[DIR] COMPARISONS
[1] Invoices (Ordered By Customer)[2] Products Sold (Ordered By Customer)[3] Products Sold In Last 30 Days
Current Directory: ALL QUERIES
>setdir C:\Windows\Temp
Error: Access to the path 'C:\Windows\Temp\' is denied.
>
OpenSSH 8.2 was just released with support for FIDO2 U2F keys. This is a nice extra layer for security!
As this is not yet on official repository for Fedora, we will need to build openssh 8.2 if we want to test.
OpenSSH 8.2 needs libfido2 and libfido2 needs libcbor systemd-devel. There is no package for FIDO2 on Fedora 31 yet, therefore we also need to build it.
Note: --with-security-key-builtin is important to have support for FIDO2 internally. This command will prepare the path as $HOME/openssl-8/test-openssh my idea here is to avoid messing with my existing ssh.
To run the binary we must use ./ otherwise it will use the other binary which are system wide and we want to run the exact one which we just build. I’m not exactly sure why, but when I was running ssh-keygen, I was having some issues to find the libfido2.so.2
$ ./ssh-keygen -t ecdsa-sk -f /tmp/test_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
/home/matheus/openssl-8/test-openssh/libexec/ssh-sk-helper: error while loading shared libraries: libfido2.so.2: cannot open shared object file: No such file or directory
ssh_msg_recv: read header: Connection reset by peer
client_converse: receive: unexpected internal error
reap_helper: helper exited with non-zero exit status
Key enrollment failed: unexpected internal error
In my case I found the location of this file and copied it to “/usr/lib64/libfido2.so.2”
After this when running the command to generate it without the fido2 plugged in I got:
$ ./ssh-keygen -t ecdsa-sk -f /tmp/test_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: device not found
Plugin the key in and trying again
$ ./ssh-keygen -t ecdsa-sk -f /tmp/test_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in -f /tmp/test_ecdsa_sk
Your public key has been saved in -f /tmp/test_ecdsa_sk.pub
The key fingerprint is:
SHA256:.../... host@boom
The key was generated succesfully!!
Now, I needed a server which supports this. Therefore I created a dockerfile from ubuntu:20.04 with an sshd running and openssh 8.2
I’m using ubuntu:20.04 as it has libfido2 on apt and libcbor too.
FROM ubuntu:20.04
RUN apt-get update && apt-get -y install software-properties-common build-essential zlib1g-dev libssl-dev libcbor-dev wget
RUN apt-add-repository -y ppa:yubico/stable && apt-get update && apt-get -y install libfido2-dev
RUN apt-get -y install ssh && apt-get -y remove ssh
RUN wget http://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz
RUN tar xvzf openssh-8.2p1.tar.gz
RUN cd openssh-8.2p1 && ./configure --with-security-key-builtin --with-md5-passwords && make && make install
EXPOSE 22
CMD ["/usr/local/sbin/sshd", "-D"]
Recently I got back to playing with some ESP8266 as I decided to make my home smarter. Taking a look on my boards I noticed I didn’t have any 3.3V board to flash it. Taking a closer look I found I had a raspberry pi around, so I could simply use it.
After doing the setup and being able to flash using the raspberry pi it felt too hard to be programming on it and using vnc or something like this. Therefore I decided to try to use a remote serial port.
At first I got to socat but I couldn’t get it to work as it seems it doesn’t forward some specific signals. After some googling I found ser2net which seems to be compliant with RFC2217.
To install ser2net on my raspberry pi I used:
$ sudo apt-get install ser2net
After this to create a tunnel and expose it on my machine I used:
Basically I’m forwarding my local port 8086 and on the remote device on 8086, being raw with permission 600 with port /dev/ttyAMA0 and baudrate of 115200.
To be able to flash my ESP8266 I used:
$ esptool.py -p socket://localhost:8086 write_flash -fm dio 0x000000 BasicOTA.ino.generic.bin
Note the -p socket:// with this it will use the socket to communicate.
I have been studying a little bit of security and one of the things I’m doing from time to time is reading CVE and trying to test and understand what is happening. Yesterday Max Justicz published Remote Code Execution in Alpine Linux. He found an issues on apk which is the package manager for Alpine Linux which is super popular on docker images.
Max did a great job explaining the steps and the reasoning, but I wanted to try it myself.
- Create a folder at /etc/apk/commit_hooks.d/, which doesn’t exist by default. Extracted folders are not suffixed with .apk-new.
- Create a symlink to /etc/apk/commit_hooks.d/x named anything – say, link. This gets expanded to be called link.apk-new but still points to /etc/apk/commit_hooks.d/x.
- Create a regular file named link (which will also be expanded to link.apk-new). This will write through the symlink and create a file at /etc/apk/commit_hooks.d/x.
- When apk realizes that the package’s hash doesn’t match the signed index, it will first unlink link.apk-new – but /etc/apk/commit_hooks.d/x will persist! It will then fail to unlink /etc/apk/commit_hooks.d/ with ENOTEMPTY because the directory now contains our payload.
The instructions seem simple but if you are not super familiar with how a tar file works, you may not understand it. On a tar file you can have multiple versions/files with the same name and you can extract one of them using --occurrence option. With this in mind, the instructions make a little bit more sense, so shall we try to create this file?
(Pay attention on the order of this files: create directory commit_hooks.d, creation of link and creation of file)
What should be the behavior now? Since apk on alpine runs from / it will create the folder /etc/apk/commit_hooks.k, later it will extract the
link and to finish it will output the content of magic to the link which will be placed inside the X file. Note, I lost A LOT of time trying to see this behavior on tar it self, but it seems tar doesn’t have this behavior and apk implements it’s own extractor.
OK, now, we need to deliver this file when running the apk add inside docker. Here, I have updated /etc/hosts and pointed dl-cdn.alpinelinux.org to localhost. Using libraries http-mitm-proxy http-proxy request on node I have created a script to deliver the bad .apk when downloading something which has ltrace on url otherwise it will download the file and send to the docker.
var http = require('http'),
httpProxy = require('http-proxy'),
request = require('request'),
fileSystem = require('fs'),
path = require('path');
var proxy = httpProxy.createProxyServer({});
var server = http.createServer(function(req, res) {
console.log('http://nl.alpinelinux.org' + req.url)
if (req.url.indexOf('ltrace') > -1) {
console.log("Trapped")
var filePath = path.join(__dirname, 'bad-intention.apk');
var stat = fileSystem.statSync(filePath);
var readStream = fileSystem.createReadStream(filePath);
readStream.pipe(res);
} else {
proxy = request('http://nl.alpinelinux.org' + req.url)
proxy.on('response', function (a, b) {}).pipe(res);
}
});
console.log("listening on port 80")
server.listen(80);
Building my docker with docker build -t alpinetest --network=host --no-cache .
FROM alpine:3.8
# RUN apk add python
RUN apk add ltrace
CMD "/bin/sh"
(If you are curious you can take a look on the test of the docker image even if it failed to build and see your files are really inside the correct places. Use docker commit CONTAINER_ID and docker run -it SHA256_STRING sh.)
This returned “The command ‘/bin/sh -c apk add ltrace’ returned a non-zero code: 1”. This happened because apk verifies the signature or the apk and try to clean up the files, but it is not able to since /etc/apk/commit_hooks.k contains a file. How to do some magic to make the apk return exit code 0? Max has found one (or two) ways of doing this.
I still need to study what exactly the python script does to update the exit code but I have tested and it really works, as a quick test you can add RUN apk add python and update folder_for_real_file/magic to call his python code.
I know this may sound simple, but it took me a while to figure out all the tiny details. If you find any mistake I made, or want to say something, drop me a line!
Recently I have deleted a few images from my image which the old link was broken on the last few days. I decided to try to find them on the Google Chrome Cache.
The url chrome://cache was recently removed, but you can find your chrome cache files at: /home/matheus/.cache/google-chrome/Default/Cache/.
If you open it as binary, you will see it is not a file directly. There is more information embeded in the file such as URL, headers, http status code and others. We could take a look on chrome source code to extract everything from the file, not only images. But to be honest I was lazy to dig into that because I had a very specific need in this case. Chrome cache storage
Why not scan the cache files for the JPEG binary? We would need to know how to find the start/end of image. We will have:
bytes 0xFF, 0xD8 indicate start of image
bytes 0xFF, 0xD9 indicate end of image
OK. So how would we do this in python?
Open the file as binary and check if there is a JFIF or EXIF marker on it. (Just trying to ignore files we can’t process)
f = open(filepath, 'rb')
data = f.read()
if 'JFIF' not in data and 'Exif' not in data:
return
Now let’s iterate over all the bytes trying to find that specific sequence. To achieve this let’s have a prev which will have the value of the previous byte, pos to know which position we’re at and an array for SOI (Start of image) and EOI (End of Image) which will hold the positions for this markers. If the previous char is FF and the current one is D8, it will append to SOI, if it is D9 it will append to EOI.
prev = None
soi = []
eoi = []
pos = 0
for b in data:
if prev is None:
prev = b
pos = pos + 1
continue
if prev == chr(0xFF):
if b == chr(0xD8):
soi.append(pos-1)
elif b == chr(0xD9):
eoi.append(pos-1)
prev = b
pos = pos + 1
We can get the SOI e EOI and save it. The only magic we will be doing here is getting the first SOI and the last SOI or EOI depending on each one is bigger.
This code will save only one image. If you want you could iterate over the SOI and EOI and save multiple files.
Would this be some kind of file carving?
I hope this helps you!
Matheus
Get this script create the OUTPUT_FOLDER and run it as python yourfile.py filetocheck, this version should be able to handle multiple images inside the same file. Now you can check and output stream for instance.
import os
import glob
import sys
OUTPUT_FOLDER = "output-this2"
def save_file(data, path, filename, count, eoi, soi):
file = open('{}/{}-{}.jpg'.format(OUTPUT_FOLDER, filename, count), 'wb')
m1 = soi[0]
m2 = soi[-1] if soi[-1] > eoi[-1] else eoi[-1]
file.write(data[m1:m2])
file.close()
def extract(filepath):
count = 0
f = open(filepath, 'rb')
data = f.read()
if 'JFIF' not in data and 'Exif' not in data:
return
path, filename = os.path.split(filepath)
old_soi = []
old_eoi = []
prev = None
soi = []
eoi = []
eoi_found = False
pos = 0
for b in data:
if prev is None:
prev = b
pos = pos + 1
continue
if prev == chr(0xFF):
if b == chr(0xD8):
if eoi_found:
save_file(data, path, filename, count, eoi, soi)
old_soi = old_soi + soi
old_eoi = old_eoi + eoi
soi = []
eoi = []
count = count + 1
eoi_found = False
soi.append(pos-1)
elif b == chr(0xD9):
eoi.append(pos-1)
eoi_found = True
prev = b
pos = pos + 1
save_file(data, path, filename, count, eoi, soi)
print(filename, "SOI", soi, len(old_soi))
print(filename, "EOI", eoi, len(old_eoi))
def main():
if len(sys.argv) < 2:
sys.exit(1)
extract(sys.argv[1])
if __name__=="__main__":
main()
For a long time my father has beem complaining that using the printer wasn’t practical enough, so to solve this I decided to add a Raspberry pi Zero W connected to my printer (HP Deskjet F2050) and share the printer using CUPS.
Initially you need to connect to your RPi and install CUPS.
sudo apt-get install cups
If you want to have a webinterface to configure it from your local network, update /etc/cups/cupsd.conf
sudo vim /etc/cups/cupsd.conf
Find the line:
Listen localhost:631
And update it to:
# Listen localhost:631
Port 631
You will have multiple <Location, if you want to be able to access only from your computer, add Allow from YOUR_IP for every section. Example:
<Location />
Order allow,deny
Allow from 10.0.0.2
</Location>
(If you want from any, use Allow from all)
Add your user (in my case PI) to lpadmin group.
sudo usermod -a -G lpadmin pi
Access your Raspberry Pi ip on your browser on port 631 (https://RPI_IP:631/).
Go to Administration - Add printer Menu. You should see your local printer there, select it and follow the wizard to setup it.
If you’re using HP printer and can’t find yours, try:
I was running my server on ec2 instance with RDS and it was becoming a little bit expensive, so I decided to move everything to one machine and dockerize my setup so I could easily switch my servers.
To achieve this, I have created a docker-compose with:
PHP-FPM and sendmail to process php and sendmail
Nginx to serve jekyll static files and if they’re not found serve my old wordpress blog
I’m using a custom Dockerfile which comes from php:7.0-fpm and add sendmail support and mysql extension. There is a custom starter script which will run sendmail + php-fpm. (I know I should create a specific container for sendmail)
On this container I’m basically mapping some php files and config files:
./wordpress.matbra.com to /var/www/wordpress.matbra.com which are my wordpress files
./php7fpm/sendmail.mc to /usr/share/sendmail/cf/debian/sendmail.mc which is my configuration file for sendmail
I’m also mapping the port 9000 to 9000, so I will communicate with PHP-FPM on this ports, creating a link to mariadb and naming my hostname.
NGINX container:
I’m using the regular nginx alpine with some maps:
./nginx/nginx.conf to /etc/nginx/nginx.conf which is my nginx configuration
./nginx/app.vhost to /etc/nginx/conf.d/default.conf which is my website configuration with Jekyll falling back to wordpress
./logs/nginx to /var/log/nginx which will be my log directory
./wordpress.matbra.com/ to /var/www/wordpress.matbra.com which is the place where nginx can find wordpress website
./jekyll.matbra.com/ to /var/www/jekyll.matbra.com which is the place where nginx can find jekyll website
I’m also mapping ports 80 to 80 and 443 to 443 and create a link to PHP-FPM so nginx can communicate with fpm container.
MARIADB container:
No mistery here, regular mariadb image, with a mapping for data and some environment variables.
Because I’m not adding my website files to the image, I have created a command init.sh to remove website directory and clone website from git. There is a command called update-config.sh to update wp-config.php file with the correct environment variables.
With this I can easily spin up a new machine with my website structure.
