capture the flag, hacking, web application security

Solving @TryHackMe – Brooklyn Nine Nine

Another day, another challenge.

In this blog post, we’re going to solve the Brooklyn Nine Nine boot 2 root.

Let’s get started.

Going to the room, and pressing the start machine we get our IP address.

Here’s a screenshot of my IP address:

Next, let’s fire a terminal and see if we can enumerate the machine.

Going to the terminal let’s enter the command nmap -sV <IP address> in my case it will be nmap -sV 10.10.188.95

Doing this we get the following:

We see there’s an open port of FTP.

What can we do with FTP?

FTP can be configured where we can enter a username as anonymous with any password. Of course, this is NOT good security as there should be a valid username and password combination.

Let’s try it.

Going back to the terminal and enter ftp press Enter

Next enter open <ip address> in my case it will be open 10.10.164.245

Doing this we see:

We were able to login!

Next, let’s use the ls or list command to see what files/directories (folders) are on the FTP server.

We have one file – note_to_jake.txt

How can we download this file onto our terminal? We can use the GET command

enter get note_to_jake.txt to download the file onto our computer.

Afterwards, enter the command exit to exit the FTP server.

Now we’re back to our terminal on our machine. Enter the command ls -la which will do a long listing showing hidden files as well.

Doing this we see our file – note_to_jake.txt!

Now let’s open the file with cat note_to_jake.txt

We see:

OK – Amy is telling Jake his password is weak. This is good for us as we will need to use Jake’s login information to get into the system.

We’ll keep this in our toolbox.

Going back to the open ports, we now have SSH (22) and HTTP (80).

Let’s try the HTTP server and see what we find.

We’re going to use the brute force program – dirb

Let’s enter the command dir http://<IP address> in my case it will be dirb http://10.10.188.95

Doing this we have:

We didn’t find much.

Let’s move to the SSH server.

We can brute force the password using the hydra command. We’re going to enter the command hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://<IP address> -t 4

In my case it will be hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh:/10.10.188.95 -t 4

Let’s break it down

hydra – command

-l jake – the user we want to brute force

-P /usr/share/wordlists/rockyou.txt – The wordlists (rockyou.txt) we want to brute force the SSH server with

-t 4 – we’re specifying to hydra that we want use 4 threads (more threads make hydra complete faster)

We found the password for jake’s login credentials for SSH. As you can see the password is not secure.

Now we’re going to log into the SSH server with the following ssh jake@<IP address> in my case it will be ssh jake@10.10.188.95

Doing this we’re prompted to enter our password which is 987654321.

After pressing Enter we’re in!

Now we need to find the user.txt.

How are we going to find this file?

Using the find command

In the terminal let’s enter: find / -name user.txt 2>/dev/null

Let’s break this down

find – the find command

/ – start at the root file system

-name – want to find a file by name

user.txt – the name of the file

2> – redirect errors from standard output (screen)

/dev/null – move the errors (from the 2>) to the /dev/null

Doing this we see:

We found the user.txt

Let’s open the file.

We found the user.txt code.

Now we have one more question – we need to find the root.txt

How are we going to do this?

Let’s see if we can do an escalation of privilege.

One of the first thing we can do is see if the user (jake) can execute any files or directories as root.

How do we check this?

Execute the command sudo -l

Let’s break this command down.

If the user (jake) is in the /etc/sudoers file then the above command will let us know what commands we can execute to get to root.

Entering the command we see:

There’s a command we can enter as to execute our privileges – less.

Let’s see how we can do this.

Doing a google search of less privilege escalation we see the following link.

Click the above link and scrolling down we see how we can do an escalation privilege under the sudo section.

Going back to our terminal let’s enter: sudo less /etc/profile (press) Enter) then enter !/bin/sh

Doing this we see:

Once we press Enter we’re back to the terminal

but if you notice the prompt has changed to a #

doing a whoami we see that we’re root!

Now let’s navigate to the root home directory (/root) to see if the root.txt is located there.

Enter the command cd /root to navigate to the root home directory

Doing a long list to show everything (ls -la) we see there’s a root.txt file!

Now let’s open the root.txt file

Enter the command cat root.txt we see:

capture the flag, hacking

PicoCTF 2017 – Programmers Assemble #reverseengineering #assembly #infosec

Another day, another hacking challenge.

In today’s challenge we’re going to focus on a reverse engineering exercise.

Clicking on the exercise we see the following:

programmers_assemble_challenge_hints

Downloading the file and opening it in WordPad we see:

assembly_screenshot

 

Assembly… eeekk!

Let’s break it down – line by line.

eax = ???

ebx = 0

ecx = 8

for the line test %eax, %eax we’re testing to see if the zero flag of the %eax register is equal to zero

When eax is zero then we jump to the fin label, and compare ebx to see if it’s 46992.

So what do we need to set eax so ebx will be 46991? What happens if we divide 46992/8? Could this possibly give us the value of eax? Dividing 46991/8 = 5,874 decimal = 0x16F2.

You may be wondering, why would you divide 46992 by 8?

Looking at the assembly we know that when eax is not zero, we add 8 to the ebx register, and decrement eax by one and jump back to the loop label. We know if we set eax to 0x16F2 or 5,874 decimal then when eax equal 0 the program will jump to the fin label and the ebx register will be 0xb6790 or 46991 decimal. Once the comparison happens the program will jump again to the good label which will assign the eax register to 1.

To put this in a computer language it will be:

eax = 5874;

ebx = 0;

ecx = 8;

if(eax ==0) {

if(ebx == 46991) {

eax = 1;

} else {

eax = 0;

}

else {

ebx = ebx + ecx;

}

eax–;

Moral of the story assembly is the bare bones of ALL programming languages. No matter what language you use it can be broken down into assembly.

Entering 0x16F2 into the text box we acquired 75 points!

capture the flag, hacking, web application security

New Info Sec Website Alert! – White Hat Academy

Hello All,

It’s been a LONG time since I have blogged. What can I say? Life happens.

Anyway, I have enrolled into a program called White Hat Academy.

This website is great for n00bs as there are lessons to learn about different topics such as bash scripting, stenography, forensics, and mobile.

After completing the lessons there is a Capture the Flag (CTF) challenge that will incorporate what you have learned.

Check it out (https://whitehat.academy/) and enroll today!

capture the flag, hacking

PicoCTF 2017 – Special Agent User #appsec #infosec #forensics

Another day, another challenge.

Today’s blog post we will solving the “Special Agent User” challenge in the PicoCTF.

Let’s get started.

Clicking on the challenge we see:

PicoCTF_Special_Agent_1

We have another pcap (packet capture file) and we need to find the User Agent. OK. Sounds plausible. Let’s look at the hints.

PicoCTF_Special_Agent_2

There’s a link that discuss more about user-agents. Let’s go to that link.

Opening that link we see the following:

PicoCTF_Special_Agent_3

The web page explains the different components of the User-String. This will be useful.

Opening the packet capture file we notice the usual stuff UDP, and ICMP packets. And like with the first “Digital Camouflage” challenge we can ignore this.

User-Agent strings are found in HTTP requests. We need to look at packet captures for just HTTP requests.

Doing this we see a packet that’s piqued our interest…

PicoCTF_Special_Agent_4

On packet 80 (GET / HTTP/1.1) we’ll do a right click, Follow, HTTP stream.

Doing this we have the following:

PicoCTF_Special_Agent_5

Looking at the last entry in the user agent, we can see that the packet is using Firefox 25. Entering that as the flag, we’ve acquired 50 points!

capture the flag, hacking

PicoCTF 2017 – computeAES #infosec #appsec #crypto #ctf

Another day, another challenge.

Today’s blog post will explore solving the “computeAES” challenge in PicoCTF.

Let’s get started.

Clicking on the challenge we see the following:

PicoCTF_computeAES_1

Clicking on the clue link we see the following:

PicoCTF_computeAES_2

Going back to the challenge and clicking the hints we see:

PicoCTF_computeAES_3

Let’s use the hint of using online tools to solve this challenge.

Doing a Google search for “convert base64 to hex” we get the following link.

Going to this link we put in our base64 input to get the hex equivalent.

Doing this for the key and the input we get the following:

Key = 4f9b95cd8b6e04dbfabf08e886c955e3

Input = b75874a9b70e851405e44e3a6ec34b8a67db708e9e82b28fe0b1ed291de54f851d5a386cb0cf11412053ed2ffcadc472

Doing another Google search for “AES calc hex” we get the following link.

Entering the hex value of the key and input we get the following:

PicoCTF_computeAES_4

We found the flag! Copying the flag and removing the extra space we’ve acquired 50 points!

capture the flag, hacking

PicoCTF 2017 – Yarn #appsec #infosec #ctf

Another day, another challenge…

Today’s blog post we will solve the, “Yarn” challenge from PicoCTF.

Let’s get started.

Clicking on the challenge we see:

PicoCTF_Yarn_1

OK, we need to find a flag inside of a file, but we do not know what the file is.

Let’s look at the hints and see if that provides any clues.

PicoCTF_Yarn_2

Looking at the hints we’re provided with two questions. Possibly answering these questions will leads us to the flag.

Answer question #1 – “what does the string command use to determine if something is a string?” We decide to do a Google search to answer just that.

Doing this Google search we’re provided with the following link.

Reading the article we determine that the strings command prints the printable characters from a file.

Doing that we’re provided with the following screenshot:

PicoCTF_Yarn_3

We’ve answered question #1. Let’s answer question #2.

Question #2 – is there a way to change the length that the strings command look for?

Going back to the link we see that there is a way we can specify that there is a way to determine the length of strings we want to print.

How do we use this?

By adding the “-n <length you want to use>”

Doing this we get the following:

PicoCTF_Yarn_4

Scrolling down we see:

PicoCTF_Yarn_5

Hmm… I think we found the flag! “Submit_me_for_I_am_the_flag”

Putting this string as the flag we have acquired 55 points!

capture the flag, hacking

PicoCTF 2017 – Hash101

Another day, another challenge.

Today’s blog post will be solving the “Hash101” challenge from the PicoCTF.

Let’s get started.

Clicking on the challenge we see…

PicoCTF_Hash101_1

OK we need to hashes to claim our flag. Let’s see what the hints say.

PicoCTF_Hash101_2

Looking at the hints Google will be our friend 🙂

Connecting to the server we see:

PicoCTF_Hash101_3

We need to convert the binary to ASCII text.

Doing a Google search of, “binary to ASCII text converter” search we get the following website.

Going there, we see:

PicoCTF_Hash101_7

Changing the binary to the binary in the challenge we get:

PicoCTF_Hash101_8

The text we’re looking for is “peace” entering this in we are now in the second level of the challenge.

PicoCTF_Hash101_11

We need to find the hex value of our word, peace. Going back to the link referenced above, we see that the hex is referenced.

PicoCTF_Hash101_12

Entering that we now need to enter the decimal equivalent. For this, going back to Google and entering “hex to decimal converter” we get the following link.

Clicking the link we see:

PicoCTF_Hash101_9

Entering the hex value we get the following decimal value.

PicoCTF_Hash101_10

Entering that into the challenge we get the following:

PicoCTF_Hash101_13

Going to the third level we see:

PicoCTF_Hash101_14

Reading the description one might ask, what are we looking for?

Remember from the first level of the challenge where we need to find the ASCII text?

Doing a Google search of, “ASCII table” we find the following link.

Opening the link we see the ASCII equivalent of the letters.

We need to find a string that when doing the modulo of base 16 we get a number of 10.

One might wonder… what is modulo?

The modulo is the remainder of a division equation.

We know that we are dividing by 16 and the modulo (remainder) needs to be 10.

One way to achieve this is to find any multiple of 16 and add 10.

Why multiple of 16? Doing a multiple of 16 if we did a modulo of that the modulo would be 0 (as there is no remainder).

Doing this I was able to do the following:

PicoCTF_Hash101_5

Entering 4, we had a module of 4 and not 10.

Entering the string of “:” we were able to complete the level. Why? “:” in ASCII is 58. How did we get 58? 16 * 3  = 48 + 10 = 58. We’re adding 10 because we know we need a remainder of 10.

Moving to level 4 we see:

PicoCTF_Hash101_15

Doing another Google search of, “MD5 decrypter” we get the following link.

Clicking the link and entering the md5 hash, we get the following:

PicoCTF_Hash101_16

Entering this the level we see:

PicoCTF_Hash101_17

Entering this flag into the input box we’ve acquired 50 points!

capture the flag, hacking

PicoCTF 2017 – LeakedHashes

Another day, another challenge…

Today’s blog post we’re going to solve the “LeakedHashes” challenge from PicoCTF.

Let’s get started.

Clicking on the challenge we see:

PicoCTF_Leaked_Hashes_1

OK – we need to log into a service, but we do not know the password. We do have leaked hash passwords.

Clicking the hashdump.txt file we see:

PicoCTF_Leaked_Hashes_2

Let’s see what the hints say.

PicoCTF_Leaked_Hashes_3

OK. Let’s see if we can find a way to crack these passwords!

Doing a Google search for “online cracked hashes” we get the following link.

Trying the first hash of root we were not able to crack the password.

Using the second hash of christene, we get:

PicoCTF_Leaked_Hashes_4

We were able to crack the password.

Let’s try to login in with christene.

Going back to the commnd line and using the nc command we get:

PicoCTF_Leaked_Hashes_5

Scrolling down we see:
PicoCTF_Leaked_Hashes_6

We found the flag, and acquired 90 points!!!

capture the flag, hacking

PicoCTF 2017 – Mystery Box

Another day, another challenge.

In today’s blog post we will be solving the “Mystery Box” challenge from the PicoCTF.

Let’s get started.

Clicking on the challenge we see:

PicoCTF_Mystery_Box_1

OK, we have a mystery machine, with a stick note, and a picture.

Clicking on the sticky note link we see:
PicoCTF_Mystery_Box_2

OK… we have a note. This is going to be useful later.

Clicking on the picture link we see:

PicoCTF_Mystery_Box_3

Going back to the challenge and click on the hints we see:

PicoCTF_Mystery_Box_4

OK. The hints tell us that this box uses gear and it was used from the naval services. Also we have the name of Turing… let’s see what Google would provide us.

Doing a Google search of “Turing machine naval” we get the following link.

This link is the enigma machine emulator.

The enigma machine was used in WW2 (World War 2) to help crack secret messages from Nazi Germany.

The person who was responsible for this machine was Alan Turing. Alan Turing was the father of computer science. He was a computer scientist, mathematician, logician, etc. If you want to read more about his life, click here.

Going back to the enigma machine emulator we see:

PicoCTF_Mystery_Box_5

Hmm… we see that the words are similar to are listed in the note.

Let’s use that to figure out what the enigma machine will return us.

After entering the information we get:

PicoCTF_Mystery_Box_6

Hmm… The enigma machine returned – “quite puzzling indeed”.

Putting this in as the flag, we acquired 60 points!!