@TryHackMe – Basic Pentesting Room

Another day, another challenge.

Today’s blog post – I will give a walk-through on a boot-to-root room called, “Basic Pentesting Room”. This boot to root is perfect to get practice in preparation for the OSCP.

Let’s get started.

Logging into TryHackMe with your credentials and heading into the room we see the following:

TryHackMe1

OK, we have tasks to complete and we will learn the following skills – brute forcing, hash cracking, service enumeration, and Linux enumeration.

The first question is:

TryHackMe2

Clicking the deploy button at the top we get the following:

tryhackme

Second question is:

TryHackMe3

OK, we need to find the services exposed. What can we do?

One solution is to use nmap -sV (TCP scan) <IP address>

In this case it would be nmap -sV 10.0.0.204. Doing this we see the following screenshot:

tryhackme_nmap

Success! We now have the services.

TryHackMe4

Let’s use dirb to find the hidden directories. See the following screenshot:

tryhackme_dirb

Our hidden directory is development.

TryHackMe5

Reviewing our enumeration we see that ports 139 and 445 are open. These ports are used for SMB (Server Message Blocks) which are HIGHLY vulnerable. Let’s run the command enum4linux and see what we find.

tryhackme_smbtryhackme_smb2

We found two users: kay and jan

Question #5!

TryHackMe6

First, entering kay, I received an error. Let’s try entering jan. Success!

TryHackMe7

Let’s fire up Hydra which is password cracking tool with the password list of rockyou (this password list is used a lot in Kali and even in the OSCP… hint, hint!)

tryhackme_hydra

TryHackMe8

The service we use to access the server is SSH.

TryHackMe9

tryhackme_jantryhackme_jan2

TryHackMe10

kay

TryHackMe11

Since we have a new user (kay) and we have a ssh folder that lists the public key we can try to get the password.

TryHackMe12

From question #10 we have the user (kay) and a public key how can we go about cracking the key?

Doing a quick Google search, I was presented with the following link.

Scrolling down we see the following:

ssh_command

Let’s see if we can recreate this to find the passphrase. Using the ssh2john we created the hash.

tryhackme_ssh2johntryhackme_zip

Next we’ll use John The Ripper with the famous rockyou wordlist to see if we can crack the passphrase.tryhackme_kay1We were successful! The passphrase is beeswax. Let’s try to ssh with kay’s private key and see if we can get in.

tryhackme_kay2

Entering the passphrase we see that we were able to successfully log into the kay account! Just to be sure I issued the command of whoami (don’t mind the fat fingering!)

tryhackme_kay_listing

tryhackme_kay_passwordNext, we run the list command to see what we’re working with. We see a pass.bak file, let’s see if this lists the password. Opening the file we see the password. Score!

Let’s run sudo -l, which will show us what commands kay can run as root. We’re prompted with the password and we entered the password that we just acquired. We’re presented with all of the commands that kay can run, and we see that kay can execute all commands as root. Great, this will be helpful for us.

There’s another file that is important in the directory – bash_history. Bash_history is useful because it shows all the commands the user executed before logging off. Let’s open the file.

tryhackme_bash_historytryhackme_listing_2

After opening the file we see a lot of commands. There is one that is very useful – sudo su. If working correctly, running this command we will change from the kay user to root. In other words we would do privilege escalation – where we start as a non-admin user and through improper configuration change to a root user. Let’s try the command and see if it works.

tryhackme_sudo_su

Running the sudo su command, and typing whoami, we see that we’re now root! We do another directory  listing which shows the files from before, so no change. Let’s see if we can get into the root directory.tryhackme_kay6

Changing to the root directory we see that there is a flag.txt file. Opening this file we presented with the verbiage above. We solved the challenge!

How to Get Started in Pentesting #infosec, #pentesting, #appsec, #security @j0emccray, @infosecaddicts, @ppentestlabs, @pentesterlab, @blackroomsec, @securitytube

Happy Hacking!

Today’s blog post will be on how to get started with pentesting… on a budget.

If you’re following or reading my twitter timeline (@devsecopsgrl007), you will know that I am currently taking SANS SEC542 – Web App Penetration Testing. I am doing this class OnDemand (online), and I have access to the training for 4 months, along with two practice tests, and the certification (once I pass, putting it into existence!) While this course is GREAT, it is EXPENSIVE!

I know if you’re a student, this is WAY out of your price range. So, I would like to list alternatives where you will learn the same content, but it might take you a bit longer.

So without further ado here’s my list:

  1. Skillshare has a Ethical Hacking package that is $19 for 8 courses. These courses original value was $1,273 – which is a 99% savings. You can buy the class HERE.
  2. There’s a book that is the holy grail for Web Pentesting called, “The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” This book has a lab accompanied with the book that is $7/hour. You can buy the book HERE.
  3. Another book, Penetration Testing Essentials, is another GREAT book. It gives an overview of the different concepts of pentesting. You can buy the book HERE.
  4. Joe McCray has a Pentester Candidate Program that is also a GREAT program. Follow Joe on twitter (j0emccray) or his program – @infosecaddicts
  5. PentesterLab has a program – PentesterLabPro where you can pay $19.99/month, or pay for a year and get two months free. More information can be found HERE. PentesterLab also has a bootcamp which is free. More information can be found HERE.
  6. PentesterAcademy has a monthly subscription for $39.99/month. The good thing about PentesterAcademy is they have A LOT of information. Web App Pentesting, Python, etc. More information can be found HERE.
  7. PracticalPentestLab has a promotion where you can pay a one time fee of $42.99 to get the VIP content which has subjects in pentesting, windows exploit, etc. You can contact them on twitter @ppentestlabs. More information can be found HERE.
  8. Hacking-Lab is a free online platform where you can learn hacking skills. More information can be found HERE.
  9. Cybrary is another free website that has an assortment of courses. More information can be found HERE.
  10. PicoCTF is an online CTF platform that is geared towards high school students, but it’s open to anyone. All you need to do is sign-up. More information can be found HERE.

Another big piece is to practice the skills that you have learned.

To do this you will need vulnerable machines to hack 🙂

One of my favorites is HackTheBox which has an assortment of machines. More information can be found HERE. Note: That you will need to hack the site to get the invite code.

Another website that I love is VulnHub. VulnHub has an assortment of machines. The good thing about VulnHub is that some of the machines have been used in CTFs and other security conferences. More information can be found HERE.

The next website is my favorite, called OverTheWire. OverTheWire is a website that has multiple challenges in different areas, web app pentesting, linux, etc. More information can be found HERE.

There’s another website RootMe which is a free online platform to practice pentesting. More information can be found HERE.

I can’t stress enough that you will need to practice. The old adage holds true in this case, practice makes perfect.

Finally, please follow @blackroomsec on twitter who’s a sweetheart! She has a website that lists even more free or inexpensive opportunities to learn pentesting.

 

InfoSec Institute CTF Challenge #14

Another day, another challenge.

Today’s challenge comes from the InfoSec Institute CTF program.

Going to the following link we see the following:

infosec_14_intro

Doing a right click, view page source we see the following:

infosec_14_page_source

Hmm… there’s a file, titled level14 inside the misc folder. Let’s go that file and see what’s there…

Going to the file we see the following:

infosec_14_php_sql_dump

Hmm… it looks like we have a SQL dump that’s showing us all the tables and values inside of a php application.

Scrolling down we see something that looks interesting, and strange…

infosec_14_encoding

Could this be some type of encoding? Possibly hexadecimal encoding?

First, we don’t need the double forward slash, we just need one. Removing the extra slashes we get the following:

infosec_14_encoding_remove_slash

Using a Hex to ASCII converter here, we get:

infosec_14_solved

We found the flag – infosec_flagis_whatsorceryisthis

Lessons learned:

Our trick still works! We were able to find valuable information when looking at the page source. Going to the file listed we noticed it was a dump of SQL tables. Looking through the tables we noticed suspicious output, which we guessed was some type of encoding. Using information we learned from a previous challenge we were able to deduce that the encoding was hexadecimal encoding. From there we were able to find the flag.

InfoSec Institute CTF #13

Another day, another challenge…

Today’s challenge is from the InfoSec Institute.

Going to the following link, we see the following:

infosec_13_intro

Doing a right click, view page source we see the following:

infosec_13_page_source

So from the hint we’re looking for a back-up file.

Since this is on a Linux box, let’s see what what the naming conventions are for backup files.

Let’s see if there’s a backup folder.

infosec_13_backup

That led us to a dead-end.

Let’s try adding .old at the end of the file.

Adding the “.old” at the end of the URL and pressing enter we get the following:

infosec_13_old

Hmm… this looks like another file. Let’s open it.

Opening the file in a text editor we get the following:

infosec_13_hidden_content

Looking at the file we see the the first paragraph, which matches our first screenshot.

Next we see commented out code, that is asking us to download a mysterious file, “iamadecoy”.

Let’s navigate to this file and see what we find.

After the file downloads, we try to open it.

Hmm… that’s weird when clicking on the file a prompt is shown asking what type of file this is.

Since we don’t know what type of file it is, let’s go to this site here, to find out.

After uploading our file we determine that is a pcap file.

infosec_13_pcap

We’re going to need Wireshark for this one…
Opening Wireshark, and opening our file we’re presented with the following:

infosec_13_wireshark

The beginning of the file is DNS queries that are rejected we can ignore that.

Searching through the file we notice some HTTP requests that are getting files, in particular – HoneyPy.png

Going to packet 633

infosec_13_wireshark_633

We can reconstruct this exchange.

Going to File –> Export Objects –> HTTP

We get the following:

infosec_13_wireshark_http_objects

Our file is highlighted in the above screenshot, so let’s click Save.

Opening the file we get our flag!

infosec_13_flag

Lessons learned:

Use the hints that are provided! We knew that the file we were looking for was a backup.  After playing around with the filenames we discovered that the file we were looking for ended in an “.old”. Once we opened the file we noticed there was another file “imadecoy”. After downloading that file and trying to open it our operating system was confused on the file type. Uploading our file to the above link we determined that the file had a pcap (packet capture) extension, and we would need to use Wireshark.

Opening Wireshark, we determined that the file we needed was inside of an HTTP packet. Reconstructing the packet we were able to download the file we needed. After opening that file we received our flag. This challenge was a multi-step process. It’s very important to pay attention to detail.

 

InfoSec Institute Challenge #12

Another day, another challenge.

Today’s challenge is coming from the InfoSec Institute.

Going to the following link we see the following:

infosec_12_intro

Doing a right click, view page source we see the following:

infosec_12_css

We noticed there’s an extra CSS (Cascading Style Sheets).  Let’s see what’s in this file.

Going to the file we see the following:

infosec_12_css_opened

Hmm… this looks interesting. Knowing a thing or two about CSS, the colors are represented in hex (hexadecimal, base 16) form. More can be found here.

I’m thinking this is the actual flag, but it’s just encoded.

Using out knowledge from other challenges, let’s try base64 decoding, since it has worked before.

Going to the link here, and typing in the encoding we get the following:

infosec_12_base_64_decoding

Our decoding wasn’t successful. This encoding is not base64.

Going back to the challenge, we know that CSS uses hexadecimal to represent colors.

Maybe the encoding is in hexadecimal form.

Going to Google and typing in “converting hexadecimal to text” we get the following link.

Putting our encoding in the text box and changing the decoding to “hexadecimal to text” we get the following:

infosec_12_flag

We found the flag!

Lessons learned:

Attention to detail! We noticed that there was another file when we did the right click, view page source. Going to that page we noticed that there was encoding. We first tried base64 which did not work. Going back to the drawboard on how CSS works, we know the colors are represented in hexadecimal. Doing a Google search of hexadecimal to text we were able to find the flag.

 

InfoSec Institute CTF Challenge #11

Another day, another challenge.

Today’s challenge is from the InfoSec Institute CTF.

Going to the following LINK we see:

infosec_11_beginning

Doing our favorite trick of right click, view page source we see the following:

infosec_11_pagesource

We see an image of “php-logo-virus.jpg” hmm… what happens when we click this file?

We see the following:

infosec_11_php_virus_picture

Looks like a simple file… looks can be deceiving.

Just going from the title of the file, there’s something in this file that we’re not seeing.

Let’s use our trick from the last challenge of using strings to see if this is a true file.

Using the strings command inside our cygwin terminal we see the following:

infosec_11_strings

Hmm… we see the beginning part of the flag. The last looks like encoding.

Let’s try to decode it.

One of the encoding we’ve seen in the challenges have been base64 encoding, so let’s use that to see if we can decode the message.

Going to this link, and typing in the encoding we see the following:

infosec_11_powershell

We’re presented with a link. Going to that link we see the following:

infosec_11_powerslide

Combining the this with the beginning of the flag, we get infosec_flagis_powerslide!

Lessons learned:

Most of these challenges build on top of each. We still used our tried and true right click, view page source to see if there are any nuggets that were not shown on the page. We noticed there was a file. Looking at the name, we determined that there was more than what met the eye. Using another command we learned – strings we were able to see that the flag was embedded in picture, but it was encoded. Using previous knowledge, we noticed that previous challenges used base64 encoding so we used that (base64) to see if we can decode the text. After decoding we went to the link and used the image to complete the flag.

InfoSec Institute CTF Challenge #9

Another day, another challenge…

Today’s challenge will be #9 from the InfoSec Institute CTF.

Going HERE we’re presented with the following:

infosec_9_intro

Doing our handy source of right clicking viewing the page source we see the following:

infosec_9_pagesource

We see that there’s a form that takes a username and password.

Using the hint from the challenge we know we’re looking for a CISCO IDS login.

Going to Google and typing in “common username and password for CISCO IDS” we’re presented with the following link.

Searching the link for username and passwords we see the following:

infosec_9_username_passwords

Going back to our login screen and entering the first username of “netangr” and password “attack” we get the following:

infosec_9_netangr

The username and password didn’t work 😦

Let’s try the second username of “root” and password of “attack”.

infosec_9_root

We’re presented with the flag… but it looks like gibberish.

infosec_9_flag

Inspecting the flag closely we noticed that it is backwards.

The flag is infosec_flagis_defaultpass!

Lesson learned:

Our handy trick of looking at the page source did not work. It revealed that challenge was using a form. Looking at the webpage we noticed that there is a hint – CISCO IDS. Using this information we know that most devices have a default username and password. Going to Google we found the webpage that listed a default username and password. The first username did not work, second one did. From that we found the flag even though to the naked eye one might ignore it. Looking at the flag again we noticed that the flag was written backwards. After putting the flag in the correct order we were able to see it.