LINUX

My Routine

Right now, it is one hour away from the first manned SpaceX launch. As I sit here watching the live feeds, I figured it would be a good time to get the keyboard in front of me and talk about what my routine has been during this journey.

It’s been about two months so far since I decided to go full-up on this journey to be a professional hacker. In that time, I’ve ordered three online courses, signed up for two hacking sites (HTB and THM), and subscribed to countless YouTube, Twitch, and Facebook channels.

Interestingly enough, Twitch has turned out to be my favorite. I have never been a gamer, and therefore made the assumption that Twitch was a streaming platform for only game players. This is definitely not the case. As an example, one of my subscriptions is ‘The Cyber Mentor’, who live streams each day to answer questions and show live hacks. The nice thing about Twitch is that it will send a notification when one of your followed channels is about to live stream. Via YouTube, I have been watching recordings of many of these streams, but never had the experience of interacting while the live stream happened. Twitch has completely opened my eyes to the way social media works now, and I’m a fan.

So needless to say, social media will remain a part of my strategy on this journey. It not only gives insights into how others think, it also allows a conduit for the most important part of being part of a community… networking!!

So now that you’re aware of my new social media habits, let’s talk about the courses that I intend to enjoy. The first is a course that I picked up in January. I was getting the idea that I wanted to take this journey, but hadn’t made all of the decisions to go full-in. The course was a Udemy course taught by The Cyber Mentor (same as the social media) and was on sale for $20! As most of these courses offer themselves for a couple hundred, I figured it would be worth picking it up, even if I didn’t start it for a while. The course was about 24 hours’ worth of material, and at the moment of this writing, I am about two-thirds of the way through.

The next course that I intend to take is one that showed up for free during the time of this pandemic. It is from the International Cybersecurity Institute. Using the code “#StaySafeHome” I was able to sign up for the Certified Network Security Specialist and bypass the seven-hundred-euro price tag. Even if I simply skim what they have to offer, it’s learning and definitely worth the price!

The third course that I intend to take is a new one that The Cyber Mentor just released, which is on Windows privilege escalation. Since I was already a student on his first course, I received an invitation to get his next one for $20 as well. With his first course being so wonderful, I definitely look forward to taking his second… and more if he offers them.

With all of that, and many books in the mix, I intend to sign up for the OSCP course. I haven’t figured out if the exam can be taken without the course… if that’s the case, I may go straight to the exam. If it’s not the case, I have no problem with learning more. The course is about $1k, and includes the exam. It’s actually called ‘PWK’, which is Penetration Testing With Kali Linux. There are four other courses offered by the company Offensive Security, but I’ll have to decide later if I want to complete those, or move on to a different company with separate views on teaching hacking.

So for now, that’s my path forward. I have a full-time job on the side, so it will definitely take priority over this journey… but I am extremely persistent and will prioritize my time and learning accordingly.

WEB SERVER EXPLOIT

All about web server hacking…

Today was an interesting day to learn. I came across a tutorial which described itself as taking over a Linux box. Lo and behold, it turned out to be a web server hosted on an Ubuntu box.

My go-to web server box is usually a CentOS flavor of Linux. This is because when I created my very first web server on Linux many years ago, I did it on a Fedora Core 3 version of Linux. Since then, I’ve been fond of a Red Hat environment without the cost of a Red Hat Enterprise subscription. In 99% of the cases where I make a server, I don’t need a graphical user interface (GUI) either, so I shied away from Red Hat proper early, and went to minimal installs of CentOS. I use Ubuntu when I need a GUI, and therefore recognized that www-data as the user and group meant that it was likely Ubuntu.

So, with all that, I recognized the structure of the server pretty much right away. There was a guide on how to do all of the hacking, but that tends to be no fun. I only reference that stuff if I’ve been on a certain problem for way too long, and want to press on. In the case of this server, I just visited the web site to see what was going on.

The site itself was very plain. My nmap results showed that it was using a different port than normal, and a directory scan showed that there was an uploads section. Whenever an upload section is found, it can usually be used as an attack vector. In this case, I was able to upload a web file with a PHP reverse shell, and request it in my browser. Using netcat to wait for a connection, I saw the server react to the uploaded file and grant me a connection right away.

The connection had privileges for only the www-data user, which is the web server. This makes sense because I was granted access through an upload executed by the web service. So with this connection, it was time to look around.

The exploring led to listed users (/home/user), and some other things, but nothing that was noteworthy. Instead of snooping around with the ‘ls -alh’ command everywhere, I took an easier approach. I simply used the find command to figure out which files on the system were executable. In the find command, we can search with the SUID bit set for permission of 4000. When a file called /bin/systemctl showed up as user executable, it was fairly obvious that the box could be pwned using a service. That systemctl is what starts and stops services, so now a new bogus service with malicious code can be created and started. In theory, if we set up another listener through netcat, the service would execute as root, and give me a shell with root privileges.

As the www-data user, I could write a new file to the web folders. So it was time to do just that, and build the service file. Here’s the funny part, though. I didn’t have access to vi, or vim, or nano, so it was going to be difficult to just copy and paste from a website. As a result, I ended up doing an echo command with >> to amend the file each time I sent the echo command. If I messed up any of those commands, I would need to wipe the file and start over. Luckily, I was able to do it correctly on the first try. When it was done, I checked the privileges, and pressed on to the privilege escalation to root.

It was only one easy command… systemctl enable test.service. After that, I just started the service and waited at my Kali terminal for netcat to pick up the connection. When it did, I had root privileges and the box was pwned.

Pretty sweet!  
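The root of the escalation above is a SUID bit on a binary (systemctl) that should never carry one, found with the same find -perm 4000 check the post describes. Below is an added example, not code from the post, showing the defender's side of that check: a small POSIX shell audit that lists SUID files under a root directory and flags any that are not in an expected baseline. The baseline list and the audited directory are assumptions (constructed here; in practice the baseline would come from a known-good image of the same distribution).

```shell
#!/bin/sh
# SUID audit: flag setuid binaries that are not part of an expected baseline.
# A SUID systemctl, as in the post, lets any local user define and start a
# service that runs as root, so it must never appear on a hardened host.

# Constructed baseline (assumption): paths relative to the audited root that
# are legitimately setuid on a typical Ubuntu install.  Extend from a clean image.
EXPECTED_SUID="/usr/bin/passwd /usr/bin/sudo /usr/bin/su /bin/ping"

# list_suid DIR: print regular files under DIR with the SUID bit (4000) set,
# one per line, without crossing filesystem boundaries.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# is_expected REL: succeed if REL is one of the baseline paths.
is_expected() {
    for e in $EXPECTED_SUID; do
        [ "$1" = "$e" ] && return 0
    done
    return 1
}

# audit_suid DIR: print "UNEXPECTED SUID: <path>" for each setuid file under
# DIR that is not in the baseline.  Returns 0 if the host is clean, 1 otherwise,
# so it can be used directly in a cron job or CI gate.
audit_suid() {
    root="$1"
    found=0
    for f in $(list_suid "$root"); do
        rel="${f#"$root"}"          # strip the audited root to compare against the baseline
        if ! is_expected "$rel"; then
            echo "UNEXPECTED SUID: $rel"
            found=1
        fi
    done
    return $found
}

# Usage on a live host (run as root so find can read every directory):
#   . ./suid_audit.sh; audit_suid / || echo "review the paths above"
```

Running this as root from a scheduled job and alerting on a non-zero exit turns the post's one-off find into a standing control: a newly setuid systemctl (or any other unexpected binary) shows up in the output before an attacker has to find it for you.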
