BLOG – Page 4 – Hacker's In Flight Guide

HTB – Popcorn – FH: File Upload

Foot-hold: File upload via the torrent server

The Popcorn machine was fun, and played on many things that I had learned through a Udemy Course for web application testing. Specifically, changing the name of a file upload to ensure that the server trusts you.

To begin, I did the nmap scan to find only port 22 and 80 available. This machine was one that was only going to give away tricks through the web interface. I don’t go after port 22 unless I have to! So port 80 it was.

Visiting the webpage showed only some text that said that the web server was working. The source code confirmed that there was nothing interesting, and therefore a dead-end. The program ‘Dirb’ had something entirely different to say, however. I always run nmap to begin, and dirb as a follow-on. Dirb resulted in the discovery of several directories, one of which was torrent. So that was the vector for further enumeration.

HTB – Devel – FH: FTP

Foot-hold: ftp anonymous upload

Devel was not a tricky machine. It was pretty obvious that trying the ftp connection was the way. The NMAP showed port 21 and 80, which didn’t give too many options for an exploit. The website on port 80 only showed an IIS installation, and a link that went to the Microsoft site. Before running a directory scanner, I went ahead and tried the connection to the ftp portion of the server.

HTB – Legacy & Lame – FH: Samba (SMB)

I mentioned not long ago that I am going to change my learning strategy a bit… my goal has always been to accomplish hacks and pwn machines; but right now, I think that my goal should be concentrated on the initial foot-hold of the boxes. Because of this small (temporary) change in strategy, I’ve moved from the Try Hack Me platform, to primarily the Hack The Box platform.

What HTB doesn’t give you is guidance toward what it takes to pwn a machine. THM does that every time, and it’s the primary way that the site works. Although there are a ton of writeups on HTB, they are not required to accomplish the pwn of a box. Therefore, what I am going to do is all of the initial reconnaissance and scans for each of the HTB boxes to which I am interested. At the same time, I’ll be taking a ton of notes… but not learning notes… I am not concentrated on writing reports based on the results of what I’ve found. I have a feeling this will prepare me for what I will find in the future.

The Perfect Importance

I lied a bit in my previous post. I said that my next step after finishing a course in hacking was to organize my notes, and change this website so that it reflects them. The past week, I did quite a bit opposite to that!

After looking at my notes, I got very much interested in learning more. So much so, that I begin two more courses. One was in Web Application Testing, and the other was in Windows Privilege Escalation. I just couldn’t stop learning! The right answer was to do what I described in the previous paragraph, but something just led me to absolutely wanting to know more. I couldn’t stand the fact that there was so much more knowledge out there to learn. In perusing these new courses, I learned a lot, but still needed to take a step back.

THM – Simple CTF

Tonight, I decided to go into a CTF box. I’ve been watching tons of CTF videos by John Hammond and The Cyber Mentor, so it was a logical step in trying to pwn a new box on Try Hack Me.

The tutorial was rather vague. I wasn’t sure why it was asking about port 1000 in since NMAP was only showing other ports. For that question of how many services were running on port 1000, I simply took a guess and got it right.

To start owning the box, I did the standard NMAP and Directory scanning. The Gobuster results were fairly quick, and showed a directory that reveiled a service being run called CMS Made Simple. It was pretty easy to find an exploit… I googled “exploit CMS made simple.” This reveiled the CVE number, and a python script.

The python script (after making it executable) had some errors. It turns out that I didn’t have some required imports for the script. After a pip install, it actually ran.

Computer Rebuild

Recently, I rebooted my computer and got a warning message that said that my CPU was over-temp’ing. Being that I had it water cooled and overclocked, this was not a good message… so I did some upgrading, and man am I happy with it!

My old rig was made up of Rosewill components and I was pretty happy with the way it came together, but it was definitely cramped. I liked how it looked, but there was no intake on the front of the case, and the bottom was not big enough for the new 3-fan radiator that I bought to replace my old 1-fan rad.

THM – Hydra

A couple days ago, on the TryHackMe.com website, I clicked on a machine that was labeled very easy. I figured it wouldn’t take me long to try out the tool called Hydra to which they were referring… man was I wrong!

I wasn’t wrong because it was difficult; far from that. I was wrong because i thought it wouldn’t take much time. The results of my efforts were interesting and fun, but it took me quite a while to strategize how I was going to accomplish the pwn.

THM – Mr Robot

NOTE: This is not a tutorial on the Mr Robot machine hosted by Try Hack Me. It is simply an overview of the strategy used to defeat the box, and a reference for that strategy.

The target machine was a simple server hosting a webpage. Other than the web ports, and SSH, there was nothing else to exploit. I ran across the wordpress construct right after I did a dirbuster search on the box. As soon as I saw ‘wp-content’ in the list, I felt pretty comfortable about the organization of the folders. Knowing the wordpress structure through years of experience allowed me to notice if anything of importance stood out. It also allowed me to play with a tool with which I don’t have much experience… wpscan.

It’s not uncommon to run multiple scans at once and look at results in real time as they present themselves. I mentioned the dirbuster results, but also ran wpscan as soon as wordpress was discovered. I didn’t have many results on that tool other than some suggestions for referenced attacks using meterpreter (wasn’t interested in that here), and some information about versions.

This image has an empty alt attribute; its file name is image.png — WPScan Header Screenshot

Strategy from Here

My TCM course is just about complete. I have about an hour left from the over twenty four hours that were offered. Every second of that course has been awesome, and I’m looking forward to more content from Heath Adams. That said, I wanted to mention my technique when it comes to the end of courses. I’ve used this my entire life, and it really helps to solidify the things that you’ve learned.

This week, I plan to grab all of my notes (around 69 pages worth) and apply them to this website. You probably have noticed that there are two parts to this webpage… the Blog, and the Quick Reference materials. I want to start to build a more logical flow for the information that I’ve encapsulated. I am constantly referencing hackerifg.com to find syntax, and explanations; I can only do this because I write everything on the site. I don’t feel that any wayfarers would find it organized enough to quickly find what they need. Therefore, I plan to truly separate sections into the different stages of hacking. I certainly don’t mind the techniques being listed at the end of the quick-reference, but anything before that needs to be in the order in which you would pen test.

With this goal in mind, I will go through all of those notes that I mentioned and place the material appropriately. I have no doubt that I’ll be adding a ton of content as well. When I’m done with the week, or maybe two depending on how many rabbit holes I go down, I think that my understanding of the material will be cemented. It’s been so much fun on the first round of the material… I guarantee that the second round will be even more exciting. Can’t wait!

Web Application Hacking

The last part of my course is the Web Application Hacking modules. Being that I have been creating web servers for most of my adult life, I was very interested in this next portion. I’ve read several books that mentioned cross site scripting and the rest, but have never delved into actually doing it. Needless to say, this was a very exciting part of the course for me.

I think that first and foremost, it would be good to mention the Juice Shop! It’s a docker container that starts up a web server with challenges containing each web hack that’s out there. It’s nice when you can load up a lab and just start playing thanks to the hackers before me that had enough insight to create such things. It also has quite the reference library! Just about every hack possible is explained, and that’s such a great thing when you’re just learning about them.