dumb to interactive shell

When spawning a new web shell, it is commonly nothing but a dumb terminal. To explore the target system better, it is mandatory to use a fully interactive shell. There are a few ways to do it, but I believe these two options are the best.

Python pty module

target$python -c 'import pty; pty.spawn("/bin/bash")'
target$ctrl+z
host$stty raw -echo
host$fg
target$(press Enter twice)

more accurate version

target$python -c 'import pty; pty.spawn("/bin/bash")'
target$ctrl+z
host$echo $TERM   # write down the value
host$stty -a      # write down the rows and columns numbers
host$stty raw -echo
host$fg
target$reset
target$export TERM=<value from host>
target$stty rows <rows> columns <columns>   # same numbers as on the host
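Seen from the defending side, the upgrade sequence above leaves a distinctive trace in process or shell-command telemetry. The script below is an added example, not from the original notes: it flags records where a web-server account runs python with import pty / pty.spawn, and the reset, export TERM and stty rows fix-ups that follow. The "user command" record format, the WEB_USERS list and the sample records are assumptions and constructed data.

```shell
# Added example: flag the TTY-upgrade sequence in command telemetry.
# Input format (assumed): one command per line, "user command args...",
# as exported from auditd execve records or shell-command logging.

# Accounts that web applications normally run as (assumption, adjust per host).
WEB_USERS='www-data|apache|nginx|http'

# Print records where a web-server account spawns a pty through python.
flag_pty_upgrade() {
    grep -E "^(${WEB_USERS}) .*python[0-9.]*[[:space:]].*import[[:space:]]+pty.*pty\.spawn\(" "$1"
}

# Print records where a web-server account runs the follow-up commands that
# fix up the upgraded terminal: reset, export TERM=..., stty rows N columns M.
flag_tty_setup() {
    grep -E "^(${WEB_USERS}) (reset( |$)|export[[:space:]]+TERM=|stty[[:space:]]+rows[[:space:]])" "$1"
}

# Constructed sample records (not captured from a real system). The apache and
# root lines are benign; the alice line is not a web account and must not be flagged.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
www-data /usr/sbin/apache2 -k start
www-data python -c import pty; pty.spawn("/bin/bash")
alice python3 -c import pty; pty.spawn("/bin/bash")
www-data reset
www-data export TERM=xterm
www-data stty rows 50 columns 200
root python3 /usr/lib/cnf-update-db
EOF
    echo "$f"
}

log=$(make_sample_log)
echo "pty spawned by a web account:"; flag_pty_upgrade "$log"
echo "terminal fix-up by a web account:"; flag_tty_setup "$log"
rm -f "$log"
```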

other options

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

[HTB] optimum

Attack Vector

http -> code injection -> web reverse shell (PowerShell) -> priv esc

Decision Tree

1) discovery: which ports are open?
– only port 80 is open

2) enumerate: input/output sanitization? third-party platform?
– check the website: does it use an open-source platform? any known vulnerabilities?
– inject malicious strings: are %00, {, |, . accepted?
– can it execute a remote script?

3) manipulate webpage: any possible exploits?
– exploit-db python code -> cmd shell (okay)
– but is there a better way?

4) get a reverse shell: can we get a reverse web shell?
– manipulate the HTTP request using burp
– spawn a PowerShell

5) privilege escalation: any misconfigurations or vulnerabilities?
– upload/execute a powershell script

Tools & References

tools: Empire, nishang, Sherlock
https://www.exploit-db.com/exploits/39161

[HTB] teacher

Attack Vector

http -> code injection -> web reverse shell -> priv esc

Decision Tree

1) discovery: which ports are open?
– only port 80 is open

2) enumerate: third-party web platform?
– use gobuster to check the directory structure
– check the website: does it use an open-source platform? any known vulnerabilities?
– are those files really images? do any have odd sizes compared to the others?
– find a username and password by enumerating the webpage and image files
– ask google for help, research blogs

3) manipulate webpage: any possible exploits?
– inject php code

4) get a reverse shell: can we get a reverse web shell?
– manipulate the HTTP request using burp
– php cmd shell

5) privilege escalation: any misconfigurations or vulnerabilities?
– pspy to check system processes
– focus on cronjobs that run with privileged permissions

6) manipulate file
– replace the file with /etc/shadow in the cronjob
– copy a normal user's hashed password to root in /etc/shadow

Tools & References

tools: gobuster, wfuzz, pspy
https://blog.ripstech.com/2018/moodle-remote-code-execution/
https://www.exploit-db.com/exploits/46551

Exploring CTF platform

https://www.owasp.org/index.php/OWASP_Juice_Shop_Project

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications! (https://www.owasp.org/)

Preparation

Base: OWASP Juice Shop Project
CTF Extension: CTFd

OS: Ubuntu 18.04 LTS Server
Installer: Docker

1. Installing Docker

$sudo apt-get update
$sudo apt install apt-transport-https ca-certificates curl software-properties-common
$curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
$sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable"
$sudo apt-get update && sudo apt-get upgrade
$apt-cache policy docker-ce
$sudo apt install docker-ce
$sudo systemctl status docker

Executing Docker as a normal user

Note that membership of the docker group is effectively root on the host (any member can start a container that mounts the host filesystem), so only add accounts that should have that level of access.

$sudo usermod -aG docker ${USER}  
$su - ${USER}
$id -nG
$sudo usermod -aG docker username

Basic Docker commands

$docker ps -a
$docker kill containerid
$docker rm containerid
$docker rmi imageid

2. Docker Compose

$sudo curl -L https://github.com/docker/compose/releases/download/1.21.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
$sudo chmod +x /usr/local/bin/docker-compose
$docker-compose --version

3. OWASP Juice Shop Project

$docker pull bkimminich/juice-shop
$docker run -d -e CTF_KEY="any hash key generated" -e "NODE_ENV=ctf" -p 3000:3000 bkimminich/juice-shop

4. CTFd Installation

$cd /opt
$git clone https://github.com/CTFd/CTFd.git

Modify the docker-compose.yml file from the repository to specify a SECRET_KEY environment variable for the CTFd service:

    environment:
      - SECRET_KEY=<SPECIFY_RANDOM_VALUE>

$docker-compose up
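Both keys the setup above needs (CTF_KEY for Juice Shop, SECRET_KEY for CTFd) should be random and kept out of shell history and ps output. The script below is an added example, not part of the original notes or of either project: it generates both keys into a mode-600 env file, prints the step-3 docker run line with the key passed through --env-file instead of on the command line, and lists the docker group members for review. The file path and the sample group file are constructed.

```shell
# Added example: secret handling for the Juice Shop / CTFd setup above.

# Print N random bytes from /dev/urandom as 2N hex characters (no openssl needed).
random_hex() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Create $1 (mode 0600) with a fresh CTF_KEY and SECRET_KEY. An existing, complete
# file is kept, so flags and session secrets stay stable across restarts.
write_env_file() (
    umask 077   # subshell body, so the umask does not leak to the caller
    if [ -f "$1" ] && grep -q '^CTF_KEY=' "$1" && grep -q '^SECRET_KEY=' "$1"; then
        :   # already provisioned, keep it
    else
        {
            echo "CTF_KEY=$(random_hex 32)"
            echo "SECRET_KEY=$(random_hex 32)"
        } > "$1"
    fi
)

# The docker run line from step 3, with the key read from the env file
# instead of being typed on the command line.
juice_shop_run_cmd() {
    echo "docker run -d --env-file $1 -e NODE_ENV=ctf -p 3000:3000 bkimminich/juice-shop"
}

# List members of the docker group in a group(5) file ($1, default /etc/group).
# Anyone listed can start a container that mounts / and is therefore root-equivalent.
docker_group_members() {
    awk -F: '$1=="docker" { n=split($4, m, ","); for (i=1;i<=n;i++) if (m[i]!="") print m[i] }' "${1:-/etc/group}"
}

env_file=$(mktemp -d)/ctf.env   # use a persistent, private path in real use
write_env_file "$env_file"
juice_shop_run_cmd "$env_file"
echo "docker group members (review this list):"
docker_group_members 2>/dev/null
```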

References

https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-18-04
https://www.digitalocean.com/community/tutorials/how-to-install-docker-compose-on-ubuntu-18-04
https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
https://ctfd.io/
https://www.owasp.org/images/f/f6/OWASP_BeNeLux_2018_Bjoern_Kimminich_-Juice_Shop-_OWASP%27s_most_broken_Flagship.pdf
https://buildmedia.readthedocs.org/media/pdf/ctfd/latest/ctfd.pdf