dumb to interactive shell

When spawning new web shell, it is commonly just nothing but the dumb terminal. To explorer target system better, it is mandatory to use fully interactive shell. There are few ways to make it, but I believe those two options were the best.

Python pty module

target$python -c 'import pty; pty.spawn("/bin/bash")'  
target$ctrl+z
host$stty raw -echo
host$fg
target$enter * 2

more accurate

target$python -c 'import pty;pty.spawn("/bin/bash")'
target$ctrl+z
host$echo $TERM // write down 
host$stty -a // write down rows, columns numbers
host$stty raw -echo
host$fg
target$reset
target$export TERM='something' //same as host
target$stty rows 'number' columns 'number' //same as host

other options

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

[HTB] optimum

Attacking Vector

http->code injection->web reverse shell(powershell) -> priv esc

Decision Tree

1)discovery : which ports are opened?
– only 80 port is opened

2)enumerate : input/output sanitization? third platform?
– check the website, does it use open source platform? any known vulnerabilities?
– inject malicious strings, %00, {, |, . are acceptable?
– can execute remote script?

3)manipulate webpage : any possible exploits?
– exploit db, python code compile -> cmd shell (okay)
– but, better way?

4)get a reverse shell : can we get a reverse web shell?
– manipulate HTTP request by using burp
– pawn a powershell

5)privilege escalation : any mis-configurations or vulnerabilities?
– upload/execute powershell script

Tools & References

tools: Empire, nishang, Sherlock
https://www.exploit-db.com/exploits/39161

[HTB] teacher

Attacking Vector

http->code injection->web reverse shell -> priv esc

Decision Tree

1)discovery : which ports are opened?
– only 80 port is opened

2)enumerate : third party web platform?
– use gobuster to check directory structure
– check the website, does it use open source platform? any known vulnerabilities?
– are those files really images? or have weird sizes compared to other one?
– find username and password by enumerating webpage, image files
– ask google for a help, research blog

3)manipulate webpage : any possible exploits?
– inject php code

4)get a reverse shell : can we get a reverse web shell?
– manipulate HTTP request by using burp
– php cmd shell

5)privilege escalation : any mis-configurations or vulnerabilities?
– pspy to check system process
– focus on cronjob which as privileged permission

6)manipulate file
– replace file to /etc/shadow in cronjob
– copy normal users hashed password to root in /etc/shadow

https://blog.ripstech.com/2018/moodle-remote-code-execution/

Tools & References

tools: gobuster, wfuzz, pspy
https://blog.ripstech.com/2018/moodle-remote-code-execution/
https://www.exploit-db.com/exploits/46551

I2C Interaction / BBB

Physical connections

GPIO 1: GND —–> 2
GPIO3 :3.3V ——> 4
GPIO19: P9_20 : SCL ——> 18
GPIO20: P9_19: SDA ——> 17

Check Configuration

//To check slave address and bus number
$i2cdetect -r 2
$i2cset 2 0x70 0x70 2
$i2cdump 2 0x70

//To initialise i2c device
$i2cset -y 2 0x70 0x21 // Setup
$i2cset -y 2 0x70 0x81
$i2cset -y 2 0x70 0xe0

Additional Software installation

$sudo apt-get install pip python-dev python-smbus python-imaging git
$sudo pip install Adafruit-LED-Backpack

$git clone https://github.com/adafruit/Adafruit_Python_LED_Backpack.git 
$cd Adafruit_Python_LED_Backpack
$sudo python setup.py install

Compile code

Regardless of program language there are device’ slave address and bus number are pre-defined. It is required to change those values to be synchronized with local environment.

##sevensegment_test.py
//display = SevenSegment.SevenSement() 
display =SevenSegment.SevenSegment(address=0x70, busnum=2)

##example.c
//int i2c_bus = 1
int i2c_bus = 2

Reference

https://andicelabs.com/2013/07/adafruit7segment/
https://cdn-learn.adafruit.com/downloads/pdf/led-backpack-displays-on-raspberry-pi-and-beaglebone-black.pdf
https://emalliab.wordpress.com/2013/07/20/adafruit-8x8-backpack-ht16k33-rpi/

Exploring CTF platform

https://www.owasp.org/index.php/OWASP_Juice_Shop_Project

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications! (https://www.owasp.org/)

Preparation

Base : OWASP Juice Shop Project
CTF Extension:CTFd

OS : Ubuntu 18.04 LTS Server
Installer : Docker

1.Installing Docker

$sudo apt-get update
$sudo apt install apt-transport-https ca-certificates curl software-properties-common
$curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
$sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable"
$sudo apt-get update && sudo apt-get upgrade
$apt-cache policy docker-ce
$sudo apt install docker-ce
$sudo systemctl status docker

Executing Docker with normal user

$sudo usermod -aG docker ${USER}  
$su - ${USER}
$id -nG
$sudo usermod -aG docker username

Basic Docker command

$docker ps -a
$dccker kill containerid
$docker rm containerid
$docker rmi imageid

2.Docker Compose

$sudo curl -L https://github.com/docker/compose/releases/download/1.21.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
$sudo chmod +x /usr/local/bin/docker-compose
$docker-compose --version

3.OWASP Juice Shop Project

$docker pull bkimminich/juice-shop
$docker run -d -e CTF_KEY="any hash key generated" -e "NODE_ENV=ctf" -p 3000:3000 bkimminich/juice-shop

4.CTFd Installation

$cd /opt
$git clone https://github.com/CTFd/CTFd.git

Modify the docker-compose.yml file from the repository to specify a SECRET_KEY environment for the CTFd service. 
: Environment 
 - SECRET_KEY=<SPECIFY_RANDOM_VALUE>

$docker-compose up

Reference

https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-18-04
https://www.digitalocean.com/community/tutorials/how-to-install-docker-compose-on-ubuntu-18-04
https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
https://ctfd.io/
https://www.owasp.org/images/f/f6/OWASP_BeNeLux_2018_Bjoern_Kimminich_-Juice_Shop-_OWASP%27s_most_broken_Flagship.pdf
https://buildmedia.readthedocs.org/media/pdf/ctfd/latest/ctfd.pdf

Converting VMs to Hyper-V

Hyper-V provide a specific PowerShell tool for converting other VMs to Hyper-V disk(*.vhd, *.vhdx), but when converting images, it generally occurs errors depending on environment. After some trial errors, I found those errors can be categorized.

VMware to Hyper-V (*.vmdk to *.vhdx)

Download Microsoft Virtual Machine Converter 3.0 tools(mvmc) from MS
In PowerShell, import module from mvmc

PS C:\Users|Administrator>Import-Module ‘C:\Program Files\Microsoft Virtual Machine Converter\MvmcCmdlet.psd1’
PS C:\Users|Administrator>ConvertTo-MvmcVirtualHardDisk -SourceLiteralPath d:\scratch\vmx\VM-disk1.vmdk -VhdType DynamicHardDisk -VhdFormat vhdx -destination c:\vm-disk1

VirtualBox to Hyper-V (*.ova to *.vhdx)

OVA files are simply tar archive files containing the OVF directory. After renaming *ova file to *.tar, we can extract .vmdk file from *.tar.

Next step is same as vmdk

Dealing with errors

Common errors are starting with “The entry… us not a supported disk database entry fir the descriptor”

The dsfok tool helps modifying descriptor. It extracts descriptor from vmdk file then can combine them together. First take a descriptor from image file with difo.exe then inject it with dsfi.exe.

dsfo.exe "d:\folder\file.vmdk" 512 1024 descriptorname.txt
dsfi.exe "d:\folder\file.vmdk" 512 1024 descriptorname.txt

Just comment out where it generates errors.

ddb.toolsInstallType = "2" --> #ddb.toolsInstallType = "2"

References

https://live.osgeo.org/de/quickstart/hyperv_quickstart.html
https://blogs.msdn.microsoft.com/timomta/2015/06/11/how-to-convert-a-vmware-vmdk-to-hyper-v-vhd/
https://stackoverflow.com/questions/37481737/error-when-converting-vmware-virtual-disk-to-hyperv

Installing Crossbuild tools

A cross compiler is a compiler capable of creating executable code for a platform other than the one on which the compiler is running. For example, a compiler that runs on a Windows 7PC but generates code that runs on Android smartphone is a cross compiler (Wikipedia)

Dependency check on crossbuild-essential-armhf

We should install three pre-requisite packages (actually, two packages)
dpkg-cross, g++arm-linux-gnueabihf and gcc-arm-linux-gnueabihf
$sudo apt-get install dpkg-cross g++arm-linux-gnuabihf

Then, finally crossbuild-essential-armhf can be installed.
$sudo apt-get install crossbuild-essential-armhf

Simple Code Compile/Execution

Hostmachine :Ubuntu 18.04.3 LTS, Architecturer: x86-64

Hostmachine: Debian 9, Architecturer: arm

give BBB an internet access

Tried many things to make BBB connected to internet. There’re few different ways such as by enabling ethernet port or adding USB Wi-Fi dongle. But it won’t work stable when we move BBB to difference environment. Thus, I think sharing host internet is easiest way to give BBB an internet access. To make this we should route all outbound packets to this device from the BBB to the Internet via the Internet access interface.

First thing first, make USB connection between BBB and host machine.
Then check the IP address on USB port.

USB0 has 192.168.7.1 and it is a default gateway for BBB’s usb0 interface.

Host Setting

#Enabling traffic re-routing to Internet Access interface on host machine
#In this case, Internet traffic fro BBB’s USB0 enx4c3fd3c18fa6 will be routed to host’s Wi-Fi interface wlp10
$sudo sysctl net.ipv4.ip_forward=1
$sudo iptables --table nat --append POSTROUTING --out-interface wlp1s0 -j MASQUERADE
$sudo iptables --append FORWARD --in-interface enx4c3fd3c18fa6 -j ACCEPT

BBB Setting

#as a root
[email protected]:/#route add default gw 192.168.7.1
[email protected]:/#echo "nameserver 8.8.8.8" >> /etc/resolv.conf

CISCO ASA

Image retrieved from cisco.com

Open source ? or commercial product? I believe they have pros and cons respectively. PfSense is working perfect as a centralized firewall includes almost everything but need more computing power when it deals with massive network traffic. Cisco ASA series are robust and fast, but expensive. So, maybe mid-range companies or organizations might prefer to use pfSense and big companies seem to use legacy bare-bone firewalls. Anyways it would be better for us to use both side of firewalls and compare its functions together.

Factory reset

Boot up then push esc key few times
rmmon #0>confreg
select no
rmmon #1>confreg 0x41
rmmon #2>boot
ciscoasa>
ciscoasa>enable
blank password
ciscoasa#write erase
ciscoasa#configure terminal
ciscoasa(config)# config-register 0x01
ciscoasa(config)# exit
ciscoasa#show version
ciscoasa#write
ciscoasa#reload
login with blank password
ciscoasa(config)#configure factory-default

Setting up ASDM

#enable password mypassword
#show disk0: (to check asdm bin)
ciscoasa(config)#asdm image disk0:/asdm-xxx.bin
ciscoasa(config)#username sysadmin password mypassword privilege 15 ciscoasa(config)#aaa authentication http console LOCAL
ciscoasa(config)#http server enable 443

We should also install the JRE since ADSM is running on JAVA
Then add JRE path on system environment variables.

Then we can just start making initial configuration for physical ethernet ports. These are might be wan, management, dmz1 or dmz2 depending on purposes, but I would like to say we need to check consoles and GUI together to make sure that configurations are well synchronized.  We can add up Cisco routers or switches to expand or isolate traffics.