Over the past week, on an engagement with 3 other guys from the team, I realized again that I am part of the best team. I got a call from my wife that she was taking our daughter to the ER because she was having trouble breathing and had a cough like no other. As soon as I told the members of our team about it, the first thing said was ‘Do you need to get home? If you do, no questions asked, we’ll make sure you get there.’
At a time that I can only describe as absolutely helpless, not knowing what was happening with/to my daughter, the team I work with and the company I work for proved to be the absolute best there is! Actions truly do speak louder than words. Rosewood, Grunt, and BK201 were all outstanding, understanding, and the best. Grunt was, and is, a Marine. A Marine that was there for me in my time of need, there to shoot the shit about other aspects of our time on the project, accomplishing the task of getting my mind off of being helpless. Rosewood and BK201 were there as well to get my mind off of things by having good laughs and talking about just about everything under the sun. Hell, I think BK201 driving us back to the hotel from dinner, seeing all the sights of the city, had an equal effect of getting my mind off of things.
When I did hear from my wife after she had seen the doctors, I could relax knowing that our daughter had a case of croup, which was tightening up her throat. I emailed the manager of our team in the morning, letting her know of the situation from the previous night and of my eternal gratitude for the team and their shoulders. In her response, she assured me of what I had found out the previous night: FAMILY is the priority, and if there is ever a situation like that in the future, there is never a time limit on contacting anyone, whether arrangements need to be made to get back home or ears are needed to listen to what needs to be said.
If I had any second thoughts about whether or not I was working for the right company, my experience on this gig has certainly shown me that there is no second guess to be had: I AM working for the right company. Paychecks are great, but if you’re working for a company that doesn’t give a shit about your family, who the hell are you really working for?
It’s been a hell of a past few months. I’ve seen many talks about it, and seen a lot of people getting discouraged, because it’s hard to get into the InfoSec field as a profession. I fully agree that it is hard to get into InfoSec, but it can be done. Like anything, getting a job in a field that you want to get into is a challenge. Not only do you have to have the training or knowledge to get into the field, but you also need the perseverance to reach out and get that career started. I have been reading, studying, and learning as much about information security as I could since I got my degree in CIT, give or take for the past 6 years.
The best thing I could advise would be to not worry about what you don’t know. If you see a position dealing with information security, apply! My dad always told me to not worry about what was on a job posting, as far as what the employer was requiring the candidate to have or possess. The things that are ‘required’ are, for the most part, what HR wants you to have. Furthermore, if you do possess all of the things that an employer ‘requires’, you’re going to be getting paid about $20K less than what you’re worth! With that being said, if you see things that the employer is ‘requiring’, do some head work and look up said requirement and at least gain some knowledge of what they want, so if they bring up that topic on an interview, you can tell the manager that you aren’t 100% sure about it, but you did take the initiative to look into it and got some great points of reference on the material.
Start networking with professionals in the field; go to security/hacking conferences (huge list here). Most of the security conferences are $100/ticket, and don’t fret if you can’t afford a ticket: all of the conferences I’ve gone to have had volunteer spots open that give you free entrance, as long as you’re willing to put in some leg-work to get the conference going and make sure things run smoothly. Get on Twitter and start following people in InfoSec. LinkedIn is another great resource for finding those in InfoSec and finding out if they’re hiring InfoSec people. Another place I can’t praise enough is Reddit. They have a sub-reddit that is specifically for those that are in, or wanting to get into, Information Security, which you can get to here. At the top of the postings will be a post called ‘/r/netsec’s QX 20YY Information Security Hiring Thread,’ where companies will post positions they have that need to be filled. The Hiring Thread is great, because you can talk with the person that posted the position to answer any questions that you have.
The last thing I can say to anyone trying to break into InfoSec is to not stop looking, you will eventually get a break. I was looking for an InfoSec position for the past 5 years, working at a job that I could feel killing me every day. I was searching reddit and found a post for the position I’m currently in. I could not be happier to have found a job where I’m ecstatic to get online every day I wake up. I get to learn new things every day, and work with a team of freaking awesome individuals. rosewood, hinge, du1d, fuzzy, stumblebot, bizmark, and everyone else on the team, you guys are the best!
I recently attempted to get my OSCP certification. Even though I failed at the attempt, I am not going to let it bring me down. I am going to attempt to pass the certification again and take away the lessons I learned while attempting it. Of the things I took away from the exam, the first thing I am going to do next time I take the exam will be to eat a full and hearty meal beforehand. The full 24 hours is necessary, if not for breaking into all of the machines, then to give myself some extra time for the documentation, which is the biggest pain in the ass for just about any security consultant that I’ve talked to, and heavily disliked. During the time of the exam, try to have plenty of fulfilling snacks, or prepared meals that you can nuke for quick fixes.
The most important thing that I took away from the exam was to not focus on any one machine for an extended period of time. Once you’ve run your enumeration scans on a machine, look up ways to break into the machine for a little while, and if you haven’t found a way to get into it in, say, 2 hours, move on to the next machine. Some machines will probably jump out at you with one clear, concise way to get into them, and others you will have to enumerate multiple times with multiple tools to find the vector that you’re going to compromise them with.
The next time I take the exam, I more than likely will use my Metasploit pass. Luckily, using Metasploit on a machine doesn’t take points away, but seeing as though you can only use Metasploit on a single machine, it needs to be thought out and basically used as a last resort. I will be using Metasploit more on my home vulnerable network to get the commands down, set up some resource files, and practice out more of the meterpreter commands to make sure I know all the ins and outs of the framework.
The last big thing I took away from the exam was to prepare for writing the penetration test report by writing out as many of the vulnerabilities as possible in a Word document ahead of time. I say that because, again, you only have 24 hours to write the report. Having the vulnerabilities already written out in a Word document, so that you can cut/paste them into your report and only have to change the minor details, will cut down the time spent composing the report immensely. I say this because I will always read through a report 2 or 3 times anyway, so I’ll be able to see if minor details need to be changed, like IPs, hostnames, query IDs, or URLs, and make them match the tested network.
Lastly, I’d like to thank all of my family, blood and not, that supported me and raised my confidence enough to attempt the certification. So, thank you most importantly to my wife, Katie, for supporting me in my dream, putting me in my place when necessary, letting me bounce ideas off of her, and offering to help me expand my horizons with whatever help may be necessary to do so. I love you to the moon, out to the edge of our universe, and back. <3 To my mom, for always being there for me, no matter what, you are the boulder at the base of the mountain. My mother and father-in-law, for watching our youngest while I attempted to achieve the certification. James Siegel, for bouncing ideas off of, explaining terms and effective avenues for exploiting those terms. Dave Kennedy for being one of the best role models for anyone in InfoSec, providing some of the BEST talks available, and providing one of the best conventions for security professionals and non-professionals alike to attend. Jayson Street for always offering an ear, a shoulder, and an awkward (or not) hug, along with a plethora of stories to show what does and doesn’t work on social engineering engagements. Seriously, between yourself and Dave K., you guys are the best!
I want to start out by first saying that I am NOT a programmer, so yes, there will be better ways that I could have implemented some of the code in the program, and yes, I do care that there are better/more efficient ways to have done things, but the point is that I wanted to create a program that would help people first, then I can make the code better/more efficient after it works.
I wanted to make a program that might make running an nmap scan a little easier, by having a menu for the basic scan, a menu for scans that could be able to bypass firewalls, and a menu to select scans that do vulnerability checks. The idea for the script started after doing some research and finding a lot of people having issues with finding out what options and switches should be used with nmap, and when should each be used.
For the time being, I’ve only added menus for your basic scan, and some scans for evading firewalls. My next thing that I am going to be adding to the script is vulnerability scans that nmap can also be used for, to find http vulnerabilities, SMB vulnerabilities, as well as SSH vulnerability scans. I may even try to add in a function that would do a search through exploit-db’s database to find exploits that could potentially be used for exploiting the vulnerability.
It’s my hope that this program will help those that can’t remember what the switch is for a particular objective. All switches are already programmed in, so all they will need to do is feed the script their IP address when they are prompted to do so, and the script will tell nmap what to do after that.
Anyway, if you’d like to take the script for a test-run, I’ve got my code up on github @ d3ad7rack/PyMapIt
I’d love to hear what you think about the script, and if there’s anything else you’d like to see added to the script.
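The following is an added illustration of the design the post describes (a menu of pre-programmed nmap switches that only needs a target from the user); it is not the PyMapIt code itself, and the menu labels, the `SCAN_MENU` table and the function names are my own assumptions. The point a practitioner would want to see is that the target is validated as a literal IP address and the command is built as an argument list, so the user's input is never interpolated into a shell string:

```python
"""Added example: menu-driven nmap argument builder (not the PyMapIt source).
Switch table and function names are assumptions made for this illustration."""
import ipaddress
import shlex
import subprocess

# Assumed menu table: category -> choice -> (description, nmap options).
# The switches themselves are real nmap options; the grouping mirrors the
# post's "basic" and "firewall evasion" menus.
SCAN_MENU = {
    "basic": {
        "1": ("TCP SYN scan with version detection", ["-sS", "-sV"]),
        "2": ("All 65535 TCP ports with version detection", ["-p-", "-sV"]),
    },
    "firewall": {
        "1": ("Fragment packets", ["-f"]),
        "2": ("Five random decoys", ["-D", "RND:5"]),
    },
}


def validate_target(target: str) -> str:
    """Accept only a literal IPv4/IPv6 address; raise ValueError otherwise."""
    return str(ipaddress.ip_address(target.strip()))


def target_is_valid(target: str) -> bool:
    """Boolean wrapper around validate_target for callers that prefer a flag."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_nmap_argv(category: str, choice: str, target: str) -> list:
    """Return the full argv for the chosen scan as a list.

    Keeping it a list (and never shell=True) means a target such as
    '10.0.0.1; rm -rf /' is rejected by validate_target and, even if it were
    not, would reach nmap as a single argument rather than a shell command.
    """
    _description, options = SCAN_MENU[category][choice]
    return ["nmap", *options, validate_target(target)]


def run_scan(category: str, choice: str, target: str) -> subprocess.CompletedProcess:
    """Build the argv and hand it straight to subprocess (no shell involved)."""
    argv = build_nmap_argv(category, choice, target)
    print("running:", shlex.join(argv))  # shlex.join only for display
    return subprocess.run(argv, check=False)


if __name__ == "__main__":
    for cat, entries in SCAN_MENU.items():
        print(f"[{cat}]")
        for key, (desc, _opts) in entries.items():
            print(f"  {key}) {desc}")
    cat = input("category: ").strip()
    key = input("choice: ").strip()
    tgt = input("target IP: ").strip()
    run_scan(cat, key, tgt)
```

`run_scan` requires nmap on the PATH; `build_nmap_argv` and `target_is_valid` are pure and can be exercised without it.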
I thought I’d start doing some vulnerable OSes and do a walkthrough for each of the vulnerable OSes that I do to show how, if these were actual production machines, an attacker would be able to leverage the weaknesses in them to own the organization. The first OS that I’m going to go over is Acid Server, which you can download and run on VMWare or VirtualBox, but I decided to do it through root-me.org, which allows security professionals to practice breaking into machines to hone in on their security skills.
The first part of any engagement, whether it’s real-world, for a certification, or on a vulnerable OS, is to do reconnaissance and/or enumeration. To do that with Acid Server, we’re going to run an nmap scan, try to connect to the web server with netcat, as well as run dirbuster on it to see if there’s any juicy unlisted directories that we may be able to leverage.
From the nmap scan that we had just run, we don’t get a lot of information that’s of any use to us. Mainly just that there’s an SSH server running on the machine, but it is not a version of SSH that has any vulnerabilities.
Well, we didn’t get all that much information from the initial nmap scan that we ran. From the description of the vulnerable OS, we were told that it was completely web-based. Since nothing in the first scan indicated a web server listening, we’re going to run another scan, this time scanning all 65535 ports.
More in-depth nmap scan:
nmap -p1-65535 -sV -oX acid-server.full.xml --stylesheet nmap.xsl -oN acid-server.full.nmap ctf02.root-me.org
This time we found an additional port that was open and listening, port 33447, that we can connect to through a web browser.
Now that we can see that port 33447 is an http service, we’re going to connect up to the web page using our browser and see what new information we’re able to get.
As a pentester, if you’re working on web apps, the first thing that you want to do is always, always, always look at the source code of a web page. The source code will have comments with test usernames and passwords, debugging information, and other trivial information that developers forgot to take out when they moved the page to production. Looking at the source code of the root web page, if you scroll all the way to the bottom of the page, we can see what appears to be some hex code. We can also see /Challenge in the title of the web page, so we’ll make note of that for tinkering with later on, since we are at the root and not at the /Challenge directory of the web site.
I first try to decode the data at the bottom of the source code, since it appears to be hex, with Burp Suite’s decoder tab. Luckily, it does appear that the code is hex: I took the leading 0x off of the front of the code, decoded it as ASCII hex, and got what appeared to be base64. Again using Burp Suite’s decoder, I decode the text and get a result of wow.jpg, so we’ll make note of this and move on…
Let’s take a look at the page referred to from the wow.jpg that we just double-decoded. We’re going to download the wow.jpg image and run strings against it to see if anything pops out, since the image itself doesn’t reveal anything when we view it. Let’s go ahead and download the image with the wget command, then run strings against it to see if there’s anything hidden within the image itself.
At the end of the output that we get from running strings against wow.jpg we can see some unusual text that seems to be out of place. However, when we try to decode the text we don’t get anything of importance, so I decide to move on.
To make sure that we’re covering all of our bases, let’s run dirbuster against the root of the server, having it move recursively through found directories, to see if there are any directories that might yield some more information for us. We’re just going to use a wordlist called directory-list-2.3-small.txt. The wordlist I’m going to be using isn’t the largest out there, but it will still take quite a while to finish scanning with on my machine, and it takes some time for dirbuster to load all of the words; in the end, though, it’s a fairly large list of names that are commonly found on web servers, either as a directory or as a web page. After running dirbuster on our victim website, we take a look at the results to see if anything piques our interest.
The next page we’re going to take a look at is the Challenge directory, from both the dirbuster report that we created earlier, as well as from the title of the root page. Once we arrive at the Challenge index page, we see that we are being asked for a username and password.
I first search the source code for credentials forgotten by the developer. After doing some investigating, I noted that the site is using a secure login script made by peredur from https://github.com/peredurabefrog/phpSecureLogin. The script is already preloaded with a username/password that works by default, and those credentials are username -> firstname.lastname@example.org password -> 6ZaxN2Vzm9NUJT2y
After logging in with the credentials that we were able to get from the developer’s GitHub page, we are presented with a page that will allow us to either log out or proceed on to another page, include.php. Again, searching through the HTML source that we’re able to view, we can see some hex coding at the bottom of the page. The code is triple encoded this time: first hex, then base64, and finally ROT13 with the text reversed, which yields cake.php.
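The two encoding stacks found in the page sources (hex → base64 for wow.jpg, and hex → base64 → ROT13 → reverse for cake.php) are a good illustration of peeling layered encodings programmatically instead of by hand in a decoder tab. The block below is an added example and not part of the original walkthrough; the two `SAMPLE_*` strings are constructed here by running the encoder over the two filenames the post names, not copied from the challenge page, and the layer names are my own.

```python
"""Added example: peel stacked encodings (hex, base64, ROT13, reverse).
Sample blobs are constructed for this illustration, not taken from the CTF."""
import base64
import codecs


def _unhex(s: str) -> str:
    # Tolerate the leading "0x" the post mentions stripping off by hand.
    if s.lower().startswith("0x"):
        s = s[2:]
    return bytes.fromhex(s).decode("ascii")


# Decoding primitives, keyed by the layer name used in the post.
DECODE = {
    "hex": _unhex,
    "base64": lambda s: base64.b64decode(s, validate=True).decode("ascii"),
    "rot13": lambda s: codecs.encode(s, "rot_13"),   # ROT13 is its own inverse
    "reverse": lambda s: s[::-1],                    # so is reversing
}

# Encoding primitives, used only to construct sample input for the decoder.
ENCODE = {
    "hex": lambda s: "0x" + s.encode("ascii").hex(),
    "base64": lambda s: base64.b64encode(s.encode("ascii")).decode("ascii"),
    "rot13": DECODE["rot13"],
    "reverse": DECODE["reverse"],
}

# Layer order as encountered when decoding (outermost first).
WOW_LAYERS = ["hex", "base64"]
CAKE_LAYERS = ["hex", "base64", "rot13", "reverse"]


def decode_layers(blob: str, layers) -> str:
    """Apply each decoding step in order, outermost layer first."""
    for name in layers:
        blob = DECODE[name](blob)
    return blob


def encode_layers(text: str, layers) -> str:
    """Inverse of decode_layers: apply the steps innermost first."""
    for name in reversed(layers):
        text = ENCODE[name](text)
    return text


# Constructed samples: encode_layers("wow.jpg", WOW_LAYERS) and
# encode_layers("cake.php", CAKE_LAYERS).
SAMPLE_WOW = "0x643239334c6d70775a773d3d"
SAMPLE_CAKE = "0x5933566a4c6e4a34626e413d"

if __name__ == "__main__":
    print(decode_layers(SAMPLE_WOW, WOW_LAYERS))     # wow.jpg
    print(decode_layers(SAMPLE_CAKE, CAKE_LAYERS))   # cake.php
```

Because ROT13 and reversal are both self-inverse and act independently (one per character, one on order), their order in the chain does not matter; the hex and base64 layers must be undone in the order shown.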
After toying around with include.php, the page lets us view files that the user that the web server is being run as has the permissions to view. We first test this out by trying /etc/passwd. Viewing the source of the returned page we can see that we were able to retrieve the user accounts associated with the server.
Knowing that we can now do LFI with the server, let’s work some magic to pull down the cake.php file and see if we can find anything interesting in it. We can do this with php://filter, which will base64 encode the page and we can then pipe the base64 into bash and decode it on the fly, to see what is in it.
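What makes include.php exploitable is that a user-supplied value is handed to the include mechanism unchanged, so both a traversal path (/etc/passwd) and a stream wrapper (php://filter) are accepted. The block below, added here and not part of the original walkthrough, contrasts that pattern with a hardened resolver in Python; the base directory, the allowlist of page names and the function names are assumptions for the illustration. It does not touch the filesystem, so it runs anywhere.

```python
"""Added example: unsafe vs hardened resolution of a user-chosen include name.
Base directory, allowlist and function names are assumptions for this example."""
import posixpath
from urllib.parse import urlsplit

# Assumed web root for the challenge app and the only pages it may include.
BASE_DIR = "/var/www/html/Challenge"
ALLOWED_PAGES = {"cake.php", "include.php"}


def vulnerable_include_path(base_dir: str, requested: str) -> str:
    """The flawed pattern: join whatever was requested and include it."""
    return posixpath.normpath(posixpath.join(base_dir, requested))


def safe_include_path(base_dir: str, requested: str):
    """Return the resolved path, or None if the request must be refused."""
    # 1. Stream wrappers and URLs (php://, http://, data:) carry a scheme.
    if urlsplit(requested).scheme:
        return None
    # 2. Only known page names are includable at all.
    if requested not in ALLOWED_PAGES:
        return None
    # 3. Belt and braces: the normalised path must still sit inside base_dir.
    full = posixpath.normpath(posixpath.join(base_dir, requested))
    if not full.startswith(base_dir.rstrip("/") + "/"):
        return None
    return full


def classify_request(requested: str) -> str:
    """Label a request for logging/alerting: ok, wrapper or traversal."""
    if urlsplit(requested).scheme:
        return "wrapper"
    if ".." in requested.split("/") or requested.startswith("/"):
        return "traversal"
    return "ok" if requested in ALLOWED_PAGES else "unknown"


if __name__ == "__main__":
    for req in ("cake.php", "../../../../etc/passwd",
                "php://filter/convert.base64-encode/resource=cake.php"):
        print(f"{req!r:60} unsafe -> {vulnerable_include_path(BASE_DIR, req)}")
        print(f"{'':60} safe   -> {safe_include_path(BASE_DIR, req)} "
              f"[{classify_request(req)}]")
```

The allowlist is what actually closes the hole; the path-containment check is kept as a second line of defence in case the allowlist is later loosened to accept subdirectories.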
Pulling down the php file, we can now see that the /Magic_Box directory is indeed a directory that’s meant to be abused by us, as well as another php file that we are going to want to check out to see what kind of information it holds. Again, we’re going to use curl along with our php://filter payload to pull down tails.php, then piping it into bash to decode it.
As we can see from the source code, when you arrive at /Challenge/Magic_Box/tails.php you will be asked for a key to authenticate with. While looking at the source code for tails.php we can see that the login is validated through proc/validate.php. Using the same method that we used to pull down the previous php files, we can do the same thing to pull down the validate.php file and see if the developer hardcoded anything in it for authentication.
Now that we have the key that tails.php is asking for, let’s put it in and see what else we have to do to gain the flag. Upon being redirected to the next page, command.php, we are told to enter a host to ping, suggesting that command execution may be possible. We enter 127.0.0.1 as the host to ping, and sure enough, after viewing the source code, we see that the host pinged itself and returned ping output, just as if you were in front of the terminal entering it.
Since we were able to prove that command injection is in fact, possible, let’s fire up some bash-fu and get a reverse shell going, so that we can issue commands and code more efficiently. We’re going to use some php code from pentestmonkey, modifying only the IP that we’re calling back from and the port number.
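The ping page is vulnerable for the same reason as most command-injection bugs: the host string is concatenated into a shell command. The block below is an added example, not the challenge's code: it shows the flawed construction beside a hardened version that validates the host as an IP address or DNS name and invokes ping with an argument list, plus a small detection pass over constructed web-server log lines. The `host` parameter name and the log lines are assumptions made for the illustration.

```python
"""Added example: command-injection-prone ping handler vs hardened version,
with a log check for metacharacters. Parameter name and logs are constructed."""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# RFC 1123-style hostname: alphanumeric labels, optional hyphens, dot-separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)
SHELL_META = set(";|&`$(){}<>\n\r \t'\"\\")


def is_valid_host(host: str) -> bool:
    """True only for a literal IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def vulnerable_ping_command(host: str) -> str:
    """The flawed pattern: user input spliced into a shell string (not run here)."""
    return f"ping -c 1 {host}"


def ping_argv(host: str) -> list:
    """Hardened: validate first, then build an argv list for subprocess."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def ping(host: str, timeout: int = 5) -> str:
    """Run ping without a shell; the host can only ever be one argument."""
    result = subprocess.run(ping_argv(host), capture_output=True,
                            text=True, timeout=timeout)
    return result.stdout


def suspicious_ping_requests(log_lines) -> list:
    """Return (client, host_value) for requests whose host contains shell
    metacharacters or fails validation; assumes a ?host= query parameter."""
    hits = []
    for line in log_lines:
        m = re.search(r'^(\S+) .*"GET (\S+) HTTP', line)
        if not m:
            continue
        client, path = m.groups()
        for value in parse_qs(urlsplit(path).query).get("host", []):
            if set(value) & SHELL_META or not is_valid_host(value):
                hits.append((client, value))
    return hits


# Constructed sample log lines (not from the challenge).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2016:10:00:00 +0000] "GET /Challenge/Magic_Box/command.php?host=127.0.0.1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2016:10:00:07 +0000] "GET /Challenge/Magic_Box/command.php?host=127.0.0.1%3Bid HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2016:10:01:00 +0000] "GET /Challenge/index.php HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(vulnerable_ping_command("127.0.0.1; id"))   # shows why it is unsafe
    print(ping_argv("127.0.0.1"))
    print(suspicious_ping_requests(SAMPLE_LOG))
```

Only `ping()` actually executes anything; the validation, argv construction and log check are pure functions so they can be exercised without network access.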
Finally, firing up netcat on our attacking machine, so that we can catch the shell that will be making its way back to us…
nc -lvp 31337
Once we run the command through the command.php page, we get our shell back to us, so that we can issue commands to the victim server without it being too difficult.
Now that we have our reverse shell, we are going to need to take a look around on the system to see what might be of interest to us, so that we can get some credentials to move ourselves up to root, or so that nothing is off limits. I start by taking a look at the root directory of the server to see if anything jumps out at me. I see a s.bin directory that looks unusual, so I go to the s.bin directory and see a file called investigation.php.
Upon taking a look at the code for the investigate.php file, we can infer, both from the name of the file and from what is discussed in it, that we need to look for a network packet capture file, so that we can run it through Wireshark to see if we can get any information out of it. Let’s take a look through the system to see if we can find any packet files by using the find command; since we’re not running as root YET, we’ll need to send all the permission-denied error messages to /dev/null. The pattern is quoted so the shell doesn’t expand it before find sees it.
find / -name '*.pcap*' 2>/dev/null
Now that we’ve found the pcap file, we need to get it to our machine, which has wireshark and tshark on it for analyzing the pcap file. Luckily the victim machine has netcat on it, so we’ll create a listener on the victim machine that will transfer the pcap over to us as soon as we connect up to the listener.
On the victim machine: nc -lvp 1234 < /sbin/raw_vs_isi/hint.pcapng
On the attacking machine: nc -v ctf01.root-me.org 1234 > hint.pcap
Now that we have the pcap file on our attacking machine, let’s fire up wireshark and see if there’s any TCP streams that we can follow to see what’s going on in the capture in cleartext.
The first TCP packet starts at packet 30, so we’re going to find packet 30, then follow the TCP stream.
Once we follow the stream, we can see the conversation that’s happening and we notice the name of a person that was in the /etc/passwd (users file), which was saman. Something that just jumps out at me, that’s on the same line as saman is 1337hax0r. We’re going to try using that as the password for saman and see if we can SSH into the server with those credentials, saman:1337hax0r
And finally, we can run sudo to see if we have sufficient privileges to run things as root, and so long as we do, we can read the flag file; /passwd is the magic file for root-me.org.
Now, there are many ways that the challenge could have been solved and the flag could have been found, but I didn’t want to spoil all the ways possible. I also didn’t show all of the vulnerabilities on the site, but can assure you, there were more. I’d love to hear what you thought about this piece.
I am a married father of 4 that loves information security. I love to help people become more secure, and do my best to show them how, by not being secure, they can be owned. A huge misconception in information security is that people don’t need it in their everyday personal lives. That misconception is totally false; in actuality, information security starts with our everyday lives. A lot of people have work laptops that they take home with them. If those laptops are compromised by an attacker, the whole company has the potential of being owned, all because of one employee that wasn’t fully aware of security best practices. Information security also needs to start with us, the end users, because what we do in our everyday lives reflects how we act and what we do at work. If a person works at a financial institution or a medical facility, this could be a pretty serious issue.
I have an Associate’s in Network Security and am currently working towards my OSCP. I am Net+, Security+, and A+ certified with a Microsoft 70-290 certification as well. If there’s any security practices and/or things that you would like explained, please comment with what they are and I’d be more than happy to get some answers put up with explanations on what the topic is and how to protect yourself.
A majority of my posts are going to be for the person(s) that are security aware and are looking for answers that they might not have found yet. I encourage you to comment as well, so if you’re having issues installing a security program I can give you some insight on how to get it installed.
I hope you enjoy your time here at security-focused and if there’s anything you’d like to see, please leave a comment and let me know.