Latest News

Open the Window

Today was a fun day because I was finally able to delve into Windows hacking. I've been concentrating on Unix machines for quite a while now, and have been very curious about the various hacks that can occur. I now, finally, have some insight into them.

The thing is, I've been using Windows (both server and desktop) for years, and have been very aware of the defenses we use on an enterprise network to detect, track, and overcome attacks. In fact, I was the lead on a project to rid our network of the 'Welchia' virus back in 2003; it was a crazy replicating virus that denied us our network, but didn't cause any damage. So knowing Windows, and having been an admin on several large networks, I'm realizing now just how much we didn't know!

Taking advantage of the features within an Active Directory domain, the hacks performed today weren't even about owning the boxes… they were simply intercepting things like password hashes via the standard operating procedures that Windows uses. It was pretty easy, in fact… scary easy.

One of the things learned today that was a surprise to me was that I could run the program hashcat on Windows. Throughout this journey, I've set up several versions of hacking platforms, and all had hashcat installed by default. The problem was always getting access to the video card drivers. I'll probably write more about that at another time (I took notes each time I did an install), but for now, I'll say that being able to run hashcat on Windows allows me to use my huge rig that houses my VMs to also access the graphics card directly. VMs are unable to have direct access to the PCI bus, which is why I was building a bare-metal rig to do nothing but hashcat. Now, I can use that as a backup firewall for my segmented networks, and also monitor the resources used by hashcat on Windows. I thought that was pretty cool.

So overall, a LOT was learned today, and a possible change in my network structure was considered. I haven't changed anything yet, but if I do, I'll write it up. There's a lot more to do in the Windows privilege escalation realm, and I'm well on my way to learning it. I've purchased an entire course on nothing but this topic, and can't wait to start it. I'll let you know if the class was worth it, but I have a feeling I already know the answer. See my references page for all of the courses I've taken, and whether they were worth my time.

WEB SERVER EXPLOIT

All about web server hacking…

Today was an interesting day to learn. I came across a tutorial which described itself as taking over a Linux box. Lo and behold, it turned out to be a web server hosted on an Ubuntu box.

My go-to web server box is usually a CentOS flavor of Linux. This is because when I created my very first web server on Linux many years ago, I did it on a Fedora Core 3 version of Linux. Since then, I've been fond of a Red Hat environment without the cost of a Red Hat Enterprise subscription. In 99% of the cases where I make a server, I don't need a graphical user interface (GUI) either, so I shied away from Red Hat proper early, and went to minimal installs of CentOS. I use Ubuntu when I need a GUI, and therefore recognized that www-data as the user and group meant that it was likely Ubuntu.

So, with all that, I recognized the structure of the server pretty much right away. There was a guide on how to do all of the hacking, but that tends to be no fun. I only reference that stuff if I've been on a certain problem for way too long, and want to press on. In the case of this server, I just visited the web site to see what was going on.

The site itself was very plain. My nmap results showed that it was using a different port than normal, and a directory scan showed that there was an uploads section. Whenever an upload section is found, it can usually be used as an attack vector. In this case, I was able to upload a web file with a PHP reverse shell, and request it in my browser. Using netcat to wait for a connection, I saw the server react to the uploaded file and grant me a connection right away.

The connection had privileges for only the www-data user, which is the web server's account. This makes sense because I was granted access through an upload executed by the web service. So with this connection, it was time to look around.
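The upload section is the root cause of the foothold above: the server accepted a PHP file into a directory it would then serve and execute. As an added example (my own code, not from the box or the tutorial), here is what a hardened upload handler looks like: an allow-list of extensions checked on every suffix (so shell.php.png is refused), a magic-byte check on the content, a refusal of embedded PHP tags, a server-generated random filename, and storage in a directory that the web server does not serve. The magic-byte table, size limit and sample files are constructed for the example.

```python
"""Hardened upload checks (added example, not code from the original post)."""
import os
import secrets
import stat
import tempfile

# Only these extensions are accepted; anything the server could interpret
# (php, phtml, phar, ...) is simply absent rather than denied by name.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Leading bytes that must match the claimed type (constructed subset).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

MAX_BYTES = 5 * 1024 * 1024  # assumed limit for the example


def validate_upload(filename, data):
    """Return (ok, reason_or_ext).

    Every suffix after the first dot is checked against the allow-list, so a
    double extension like shell.php.png is rejected, and the content must
    start with the magic bytes of the claimed type.
    """
    if len(data) > MAX_BYTES:
        return False, "too large"
    base = os.path.basename(filename)          # drops any ../ prefix
    parts = base.lower().split(".")
    if len(parts) < 2 or not all(parts[1:]):
        return False, "missing extension"
    suffixes = parts[1:]
    if any(s not in ALLOWED_EXTENSIONS for s in suffixes):
        return False, "extension not allowed: " + ".".join(suffixes)
    ext = suffixes[-1]
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match " + ext
    # A valid image can still carry PHP tags; misconfigured servers that hand
    # images to the interpreter would run them, so refuse such polyglots.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded script tag"
    return True, ext


def store_upload(filename, data, storage_dir):
    """Validate, then write under a random server-chosen name inside a
    directory that the web server never serves. Returns the stored path."""
    ok, info = validate_upload(filename, data)
    if not ok:
        raise ValueError(info)
    name = secrets.token_hex(16) + "." + info
    path = os.path.join(storage_dir, name)
    # O_EXCL refuses to overwrite; mode 0o640 carries no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Run the checks against constructed inputs; returns a summary dict."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    results = {
        "php": validate_upload("shell.php", b"<?php echo 'hi'; ?>")[0],
        "double_ext": validate_upload("shell.php.png", png)[0],
        "polyglot": validate_upload("pic.png", png + b"<?php echo 1; ?>")[0],
        "clean": validate_upload("pic.png", png)[0],
    }
    storage = tempfile.mkdtemp(prefix="uploads-")  # stands in for a non-served dir
    path = store_upload("pic.png", png, storage)
    results["stored_mode"] = stat.S_IMODE(os.stat(path).st_mode)
    results["stored_name_is_random"] = not path.endswith("pic.png")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two controls that matter most are the last ones: even if a check is bypassed, a file stored outside the document root under a name the uploader did not choose cannot be requested in a browser the way the post's reverse shell was.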

The exploring led to the listed users (/home/user), and some other things, but nothing that was noteworthy. Instead of snooping around with the 'ls -alh' command everywhere, I took an easier approach. I simply used the find command to figure out which files on the system were executable with elevated rights. The find command can search for files with the SUID bit set (permission 4000). When a file called /bin/systemctl showed up in that list, it was fairly obvious that the box could be pwnd using a service. systemctl is what starts and stops services, so a new bogus service carrying malicious code could be created and started. In theory, if we set up another listener through netcat, the service would execute as root, and give me a shell with root privileges.

As the www-data user, I could write a new file to the web folders. So it was time to do just that, and build the service file. Here's the funny part, though. I didn't have access to vi, or vim, or nano, so it was going to be difficult to just copy and paste from a website. As a result, I ended up doing an echo command with >> to append to the file each time I sent the echo command. If I messed up any of those commands, I would need to wipe the file and start over. Luckily, I was able to do it correctly on the first try. When it was done, I checked the privileges, and pressed on to the privilege escalation to root.

It was only one easy command… systemctl enable test.service. After that, I just started the service and waited at my Kali terminal for netcat to pick up the connection. When it did, I had root privileges and the box was pwnd.

Pretty sweet!  
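The whole escalation above hinged on one misconfiguration: /bin/systemctl carrying the SUID bit. As an added example (my own code, not from the box or the tutorial), here is the defender's version of the same find -perm -4000 check: enumerate SUID/SGID files, flag any root-owned SUID binary that can run arbitrary commands or services (systemctl, shells, interpreters, editors), note the handful that legitimately carry SUID on Debian/Ubuntu, and list everything else for review. The watch-lists and the sample entries are constructed for the example; scan_filesystem walks the real tree you point it at.

```python
"""SUID/SGID audit (added example, not code from the original post)."""
import os
import stat
from collections import namedtuple

Finding = namedtuple("Finding", "path owner mode severity note")

# Binaries that hand the caller a shell, a command, or a file write when
# run with elevated privileges; none should be SUID. systemctl is here
# because it is how the post's box was rooted (constructed list).
NEVER_SUID = {
    "systemctl", "bash", "sh", "dash", "zsh", "python", "python3", "perl",
    "vi", "vim", "nano", "find", "env", "cp", "mv", "tar", "less", "more",
}

# Binaries that normally carry SUID on Debian/Ubuntu (constructed subset).
EXPECTED_SUID = {"sudo", "su", "passwd", "chsh", "chfn", "gpasswd",
                 "newgrp", "mount", "umount", "fusermount", "pkexec"}


def classify(path, mode, owner_uid=0):
    """Return a Finding for a SUID/SGID file, or None if neither bit is set."""
    if not (mode & (stat.S_ISUID | stat.S_ISGID)):
        return None
    name = os.path.basename(path)
    perms = oct(stat.S_IMODE(mode))
    if name in NEVER_SUID and mode & stat.S_ISUID and owner_uid == 0:
        return Finding(path, owner_uid, perms, "critical",
                       "root-owned SUID on a binary that can run arbitrary commands")
    if name in EXPECTED_SUID:
        return Finding(path, owner_uid, perms, "info",
                       "expected SUID binary; verify it matches the package")
    return Finding(path, owner_uid, perms, "review",
                   "unexpected SUID/SGID file; confirm it is intentional")


def audit_entries(entries):
    """entries: iterable of (path, st_mode, owner_uid) tuples.
    Returns findings sorted critical first, then review, then info."""
    order = {"critical": 0, "review": 1, "info": 2}
    findings = [f for f in (classify(*e) for e in entries) if f is not None]
    return sorted(findings, key=lambda f: (order[f.severity], f.path))


def scan_filesystem(root="/"):
    """Walk root, skip pseudo-filesystems, audit every regular file."""
    skip = {"/proc", "/sys", "/dev", "/run"}
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath in skip:
            dirnames[:] = []
            continue
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)   # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                entries.append((p, st.st_mode, st.st_uid))
    return audit_entries(entries)


# Constructed sample modelled on the post's box: 0o100000 is S_IFREG.
SAMPLE_ENTRIES = [
    ("/bin/systemctl", 0o104755, 0),    # SUID root: the post's escalation path
    ("/usr/bin/passwd", 0o104755, 0),   # SUID root, expected
    ("/usr/bin/ls", 0o100755, 0),       # no special bits
    ("/opt/tool/helper", 0o102755, 0),  # SGID, unknown binary
]


def sample_audit():
    """Audit the constructed sample; used for the stand-alone run."""
    return audit_entries(SAMPLE_ENTRIES)


if __name__ == "__main__":
    for f in sample_audit():
        print(f"[{f.severity:8}] {f.path} {f.mode} uid={f.owner} - {f.note}")
```

Run scan_filesystem("/") as root on a schedule and diff the output against the previous run; a SUID bit appearing on systemctl, a shell or an editor is the finding that would have caught this box before the uploaded service file ever ran.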

Introduction

Hello! My name is 'usafitz' and I am an IT professional from all over the U.S. I've been all around the world and seen many things, but what absolutely gets my blood flowing are servers and technology. Throughout this blog, you'll be witness to a brand new journey on which I've decided to embark… full-time hacking.

Before I start writing about my journey, I wanted to give some background on what I've been up to these past years. At the moment of this writing, I am about to turn forty. Just like most people's experiences, I've had a roller coaster of ups and downs; but there's always been an incredible drive to keep going and learn more! The center of everything I've done has been my love and adoration of servers. I say servers instead of computers because when I look at a machine, my imagination goes wild with what it can accomplish. A computer, in my eyes, represents a simple dumb terminal that becomes a tool to accomplish the goal you set forth. A server is where the real magic happens.
