Friday, 3 April 2015

SQL Injection to Shell


SQLi to Shell


First things first: I downloaded the VM and, as this was a grey-box test, I minimized the VM I would be attacking so that I knew nothing about it. I then scanned a range of IPs on my network, as shown in Fig 1.

Fig 1
I saw two open ports (SSH & HTTP). It would be pointless going after SSH, so I looked at what was running on port 80. It turns out there was a 'Photoblog' which was hosting a couple of images. A quick click through the hyperlinks showed that these images were being stored in a database, as I could replace the ID and see a different picture (Fig 2).


Fig 2
The ID number represented a different picture in the database. This meant that there *could* be some juicy information in the database.

Fig 3


I knew there was a SQLi to be had on this machine, as the title on VulnHub said so, so I began working on it by finding out what version was running (Fig 4):
Fig 4




And what user was currently active on the webserver (Fig 5):

Fig 5

I could have spent a short while manually doing a SQLi attack, but to save time, I used a tool to fetch the column names/rows for further recon (Fig 6):

Fig 7
I thought this was going to be fruitless, as I wasn't presented with any passwords at first; that was, until I scrolled down and saw a hash which had already been cracked for me. I now had a login of 'admin' and a password of 'P4ssw0rd' (Fig 8).

Fig 8
Next, I logged into the webserver and browsed to the upload page. I tried uploading a shell (Fig 9):

Fig 9
But a nice little curveball: PHP uploads were not allowed! This took me longer than it should have to figure out how to bypass it. I was wondering whether a .htaccess file was sitting on the server blocking PHP uploads (Fig 10):

Fig 10

I renamed my shell to shell.php5, thinking that this would bypass the filter, which it did! (Fig 11):
Fig 11
I now looked at the source and navigated to where the shell was located (Fig 12):
Fig 12
Unfortunately, php5 just wanted to download the file, so I went back and changed it to php3 in the end. (Fig 13):

Fig 13
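The filter on the VM blocked "shell.php" but let "shell.php5" and "shell.php3" through, and the web server still executed the latter. That is the classic failure of a denylist: it only knows the extensions its author thought of. The added example below (my own code, not the Photoblog's) shows the weak denylist check beside an allowlist check that accepts only the image types a photo blog needs, rejects double extensions and path components, and lets the server choose the stored file name. The helper names and the sample file names are this example's own.

```python
"""
Added example (not from the original post or the Photoblog application):
denylist vs allowlist checking of an uploaded file's name.
"""
import os
import re
import secrets

# Only the image types a photo blog actually needs are accepted.
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Extensions a typical Apache/PHP setup may hand to the PHP interpreter.
# A denylist that only knows ".php" misses every one of these.
PHP_EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def denylist_check(filename: str) -> bool:
    """The weak check: accept anything that does not end in '.php'."""
    return not filename.lower().endswith(".php")


def allowlist_check(filename: str) -> bool:
    """The hardened check: a plain basename with exactly one extension,
    and that extension must be on the allowlist."""
    if filename != os.path.basename(filename) or filename in ("", ".", ".."):
        return False                      # path components are never acceptable
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False                      # 'shell.php.jpg' and '.htaccess' fail here
    ext = parts[1]
    return bool(re.fullmatch(r"[a-z0-9]+", ext)) and ext in ALLOWED_IMAGE_EXTENSIONS


def stored_name(filename: str) -> str:
    """Pick the on-disk name server-side so the client never chooses it.
    Raises ValueError for anything the allowlist rejects."""
    if not allowlist_check(filename):
        raise ValueError(f"rejected upload: {filename!r}")
    ext = filename.lower().rsplit(".", 1)[1]
    return f"img_{secrets.token_hex(8)}.{ext}"


def compare_checks(names):
    """Run both checks over a list of names. 'php_handler' marks names whose
    extension a typical PHP setup would execute; the dangerous combination
    is php_handler True together with denylist True."""
    result = {}
    for n in names:
        ext = n.lower().rsplit(".", 1)[-1] if "." in n else ""
        result[n] = {
            "denylist": denylist_check(n),
            "allowlist": allowlist_check(n),
            "php_handler": ext in PHP_EXECUTABLE_EXTENSIONS,
        }
    return result


if __name__ == "__main__":
    # Constructed sample names, including the two that got past the VM's filter.
    samples = ["photo.jpg", "shell.php", "shell.php5", "shell.php3",
               "shell.php.jpg", "../photo.jpg", ".htaccess"]
    for name, verdict in compare_checks(samples).items():
        print(f"{name:16} denylist={verdict['denylist']!s:5} "
              f"allowlist={verdict['allowlist']!s:5} php_handler={verdict['php_handler']}")
```

The name check is only one layer: uploads should also be written to a directory the web server does not execute scripts from, and the file content should be checked as an image rather than trusting the extension.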
Finally, I had an LFI which allowed me to execute code on the server (Fig 14).

Fig 14
I set up my listener and got the reverse shell (Fig 15). The shell was limited and I couldn't seem to escalate it, so I left it at that. In a real-world test, patching the SQLi vector, along with using a stronger, more complex password that couldn't be cracked so easily, would have stopped me getting the shell.
Fig 15
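The whole chain started with the picture ID being dropped straight into a SQL statement. The added example below (my own code, not the Photoblog's, using an in-memory SQLite table with constructed rows in place of the VM's MySQL schema) shows the vulnerable query beside the parameterised fix, and adds the detection side: a small pass over constructed access-log lines that flags requests whose id parameter is not a plain integer, which is the kind of probe that precedes the recon the post describes.

```python
"""
Added example (not from the original post): SQL injection in the ?id=
lookup, its parameterised fix, and a log check that flags non-numeric ids.
The table contents and log lines are constructed for this example.
"""
import re
import sqlite3
import urllib.parse


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the Photoblog's picture table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pictures (id INTEGER PRIMARY KEY, title TEXT, path TEXT);
        INSERT INTO pictures VALUES (1, 'Ruby', 'ruby.jpg');
        INSERT INTO pictures VALUES (2, 'Jade', 'jade.jpg');
    """)
    return conn


def picture_vulnerable(conn, user_id: str):
    """How the bug looks: the ?id= value is concatenated into the SQL text,
    so the value can change the shape of the statement."""
    query = "SELECT id, title FROM pictures WHERE id = " + user_id
    return conn.execute(query).fetchall()


def picture_safe(conn, user_id: str):
    """The fix: validate the type, then bind the value as a parameter. The
    driver sends the value separately from the statement text, so it can
    never alter the statement's structure."""
    try:
        pid = int(user_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM pictures WHERE id = ?", (pid,)).fetchall()


# Constructed access-log lines in common log format (not from the VM).
CONSTRUCTED_ACCESS_LOG = [
    '10.0.0.5 - - [03/Apr/2015:10:01:12 +0100] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [03/Apr/2015:10:01:15 +0100] "GET /index.php?id=2 HTTP/1.1" 200 498',
    '10.0.0.9 - - [03/Apr/2015:10:02:40 +0100] "GET /index.php?id=1%20OR%201%3D1 HTTP/1.1" 200 1033',
    '10.0.0.9 - - [03/Apr/2015:10:02:41 +0100] "GET /index.php?id=1%27 HTTP/1.1" 500 211',
]

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')


def suspicious_id_requests(lines):
    """Return (source, decoded id value, status) for every request whose
    id parameter is not a plain integer. A parameter that is meant to be a
    row number but arrives as anything else is worth alerting on."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, target, status = m.groups()
        query = urllib.parse.urlsplit(target).query
        for value in urllib.parse.parse_qs(query).get("id", []):
            if not value.isdigit():
                hits.append((src, value, int(status)))
    return hits


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, id=1        :", picture_vulnerable(db, "1"))
    print("vulnerable, id=1 OR 1=1 :", picture_vulnerable(db, "1 OR 1=1"))
    print("safe,       id=1 OR 1=1 :", picture_safe(db, "1 OR 1=1"))
    for hit in suspicious_id_requests(CONSTRUCTED_ACCESS_LOG):
        print("suspicious id parameter:", hit)
```

Note that the vulnerable lookup returns every row for a value that should match one, which is exactly the behaviour the post relied on to enumerate the database; the parameterised version returns nothing for the same input.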

Thanks for reading! Many more to come!

Monday, 22 December 2014

OSCP Review



Introduction
I'd wanted to take on the OSCP since it was known as 'PWB' (Pen-testing with Backtrack) a few years ago. Time and money got in the way, but having worked as a Security Analyst for some months, I figured there was no time like the present to start the journey - and a journey it was. The OSCP is the MMORPG of security courses. When signing up, you get the option of signing up for 30 days, 60 days or 90 days. If you're new to pen testing/security concepts, you may want to build some skills before you take on this Goliath endeavour, or you should opt for the 90 day package, as I did. I don't believe it's possible to complete the course in 30 days unless you're an experienced pen tester already, can dedicate serious time in those 30 days, or have prior experience.

So, a little bit about me. I'm 25, I was an IT Technician for approx. 5 years before I studied BSc Computer Forensics for 3 years before landing a job as a Security Analyst. I've got some experience with python/scripting, networking/security and I like to believe that I'm good at solving problems in a logical and sometimes illogical manner. Cert-wise, I held some Microsoft certs and the OSWP before signing up for this course. Let me tell you now... I STILL found the OSCP to be the most difficult exam/course I've ever taken.

Three Headed Dragon 
The OSCP is a three headed dragon. There are three main parts to it: the labs, the exercises and finally, the exam itself. Once you sign up, you'll receive your VPN login credentials which give you an IP address which will allow you to start interacting with the lab machines. You get a pdf which is essentially the study guide. This study guide contains lots of exercises to carry out, with the difficulty level starting low and rising to the point where you'll barely understand it (at least in my case!). The pdf is bundled with over 5 hours of videos to complement the study guide. Your mission, should you choose to accept it, is to use the study guide and video tutorials to complete the exercises at the end of each chapter, attack the labs and finally, take on the exam itself.

The Labs
The labs are essentially a hacker's playground. The admins have worked very hard to build a very realistic network where everything is vulnerable in one way or another. Within the first week, I'd already successfully attacked some machines. This soon came to a halt when I came up against some very tough scenarios. You'll find all sorts of operating systems from Windows 2000 to Server 2008, to FreeBSD and Linux variants with different service packs/updates installed. As you'll read on other people's OSCP reviews, you'll get to know Bob, OTRS, WIN7 and if you're feeling brave, you can take on the three machines which are the stuff of nightmares: Pain, Sufference and Humble. I managed to root Pain and get a limited shell only on Sufference. I didn't get to attempt Humble during the time I had left but given the opportunity, I'd love to go back and get Sufference and Humble (read useful links at the bottom for more on this!).

The best advice I can give is this: enumerate your target and document everything with explanations on what you're doing and take screenshots. The OSCP will also improve your note-taking skills, which is imperative in a field such as this. One more thing: Backup your data. I had all my notes in a Word document which I uploaded to the cloud every single day so I knew that I had a backup no matter what.

I managed to compromise around 70-80% of machines in the lab - I probably would have been able to do more if I had purchased an extension... and I've purposefully mentioned this because before taking on this course, you need to be aware of the following: You could fail on your first exam attempt (apparently most people do and I can FULLY understand why), you could need to extend the course... This course could honestly run for 6 months - there is SO MUCH content. Even though I've passed, I'll be going back to read and study parts of it again. 

And finally - you need to dedicate A LOT of time to this course. I put in a minimum of 5 hours per day for 3 months - some days, I was working for 12 hours on the course. Let's say (30 days * 5 hrs) * 3 = 450 hours spent on the course, and that's not factoring in the 12 hour days I did. The Offensive Security motto is "try harder" and I could write an entire essay on what "try harder" really means...but I'll save that for now.

The Exam
Now, when you feel you're ready (perhaps your 30, 60 or 90 days is up, or perhaps you've had your extension), you can book the exam (instructions on how to do this are supplied, or you can ask one of the admins to do it on IRC. I highly recommend you use the IRC, by the way. I used ChatZilla, which is a Firefox add-on).

Taken directly from the Offensive-Security.com website: "The OSCP exam consists of a dedicated vulnerable network, which is designed to be compromised within a 24-hour time period. The exam is entirely hands-on and is completed with the examinee submitting an in-depth penetration test report of the OSCP examination network and PWK labs."

As above, you schedule your exam and you're given 24 hours to attack a vulnerable network. This was one of the most demanding exams I've ever taken. Why? Because you're supposed to know the study material inside out. You're supposed to have researched outside of lab material. Then you're in an environment where you don't know what you're up against and you have to successfully compromise as many machines as you can. In a nutshell, each target is worth X amount of points, and you need to root systems for points. Once your 24 hours is up, you're given another 24 hours in which to write your pen-test report. (An OffSec template can be found online.) You will also be required to submit your report for your time in the labs. This is VERY much worth doing as it can help you.

I would like to say thanks to the OffSec team for putting together a very difficult, yet interesting course. Thanks to my friends who had to listen to me talk about the OSCP every single day for 3 months (I really am sorry for that...). I can honestly say I've learned a heck of a lot. The course was definitely worth the money. The "try harder" motto is one that I'm going to apply to every aspect of my life from now on. If you work hard enough, anything is possible. If you put the time and effort into this course, you will do it. Good luck on your OSCP journey.

Thank you for reading. Please feel free to comment and I'll get back to each and every one of you ASAP.

Useful links:
  1. The PWK syllabus can be found here
  2. OffSec have responded to people who have passed the OSCP and want to go back to the "hackers playground" I mentioned in this review. Click here to find out more.
  3. gotmi1ks OSCP review on his blog

Sunday, 14 December 2014

Ho ho ho, Merry Christmas!

With Christmas just around the corner, I should be relaxing with a nice, warm mince pie, but instead, I've booked my OSCP exam for the 20th of December - yes, 6 days! Add that to the fact that I'm working over Christmas and you'll be asking yourself: Is he mad?!

But enough about that, what can we expect in 2015? I'm eager to begin posting regularly again, as I've been so busy over the past 3 months that there hasn't been much in the way of content. I expect some big changes in 2015 and more courses on the horizon, so it looks like it's set to be an interesting year.

I'll be sure to let you know how I fare with the exam. But for those celebrating Christmas, have a good one! And for those who aren't celebrating Christmas, happy holidays! Expect an update in seven days time.

Friday, 28 November 2014

An update on the OSCP

Hello readers,

I have to give you an update on the OSCP course - yes - I am still hanging in there by a thread doing it. This course is by far the hardest course I've ever done, but that's because I was expecting the course contents to cover absolutely everything I needed to know to successfully attack machines. That... hasn't quite been the case and I've found myself doing a lot of research.

So now, picture me, coming home after a 12 hour shift, where I've sat in front of the computer for 11 hours, and I need to research X/Y/Z before I carry out X/Y/Z attacks in the lab. Yeah - it's rough. Well, as it stands, I've got this far:

59 days in, 21 machines popped, one of which includes the notoriously hard "pain", and I've *almost* got root on "sufference", which is much, much harder than "pain".

I've got 21 days left in the labs, so if I can manage to pop 1 every 2 days, that'd give me 10 more machines, which would give me a grand total of 31 machines popped which is much more respectable than just 21.

Monday, 22 September 2014

90 Days of OSCP

Day 1: 21st September

As does everyone who signs up for the OSCP, I managed to somehow get the starting time wrong. The OffSec website said 00:00 but it actually arrived at 01:00 - thanks, British Summer Time!
I received a rather lengthy email which consisted of videos to follow, the main pdf which serves as your source of information and your username and password for the VPN you'll use to connect to the lab. I managed to read 47 pages which were fairly straightforward - but I have learned 2/3 new things already. I'm going to get through as much as I can today and see how I find it.

Day 2: 22nd September

It's 00:15 at the time of writing. I've got dark circles around my eyes and this is only the second day. I spent 14 hours 45 minutes reading the pdf and completing exercises yesterday. I went to work and from 9:00am til 5:30pm I was in front of a computer screen.
Once I got home I ate a piece of bread and a single slice of chicken before going onto my laptop and working from 7:30 til 00:00. That's 4 hours 30. I'm sticking to my personal plan quite well but whether I can keep this up I don't know.

Day 3: 23rd September

No progress. Was too busy with other things to study...

Day 4: 24th September

It's proving to be very difficult. Batch scripting and FTP exploits are on my to-do list. I've found the 'reverts' system to be a tad annoying because you only get 6 reverts a day, you tend to use them very sparingly and if an exploit in the lab isn't working, then you've essentially got to use up a revert. If someone is working on the same machine as you (which is possible, albeit unlikely) you might need to revert. It's very early days but I'm not feeling overly confident with this one. On the plus side I've spoken to some really cool people in the IRC. I've even been told to "try harder!" by the OffSec staff - not that I wasn't trying hard! And if I wasn't trying hard enough, I fully intend to use every spare moment of this weekend working on this.

Day 5: 25th September

Bob is still causing issues. For those who don't know, Bob is a bit of a legend at OSCP labs. Bob is a machine which requires a lot of hard work and determination; if you ask for help, be prepared to be told: 'Bob is laughing at you!'. Navigate to the IP in the browser and indeed, Bob really is laughing at you. I'm going to focus on other machines and will return later.

Day 6: 26th September
Bob has now been owned! I was trying the right things but missing a parameter. I've wasted a lot of time on Bob. I'm going to do the exercises later and see if I can get through more of the pdf. Enjoying the course so far but I'm hearing A LOT of "try harder" on the IRC.

Day 7: 27th September

Managed to pop 'ORACLE' today and make some further progress in the book. So far I'm finding the course quite interesting. The difficulty level is medium. I don't know whether I'll be able to pop all of the machines in the lab in 90 days - I'll certainly try, but it has taken 7 days to pop 4. It's impossible to guess how long it'll take to pop others because the difficulty varies per machine.

Day 8: 28th September

Managed to pop another machine. I'm getting the hang of it now. Need to make progress on the exercises. Time isn't on my side at the moment. Lucky for me I've got a break on Wednesday where I can devote a full day to catching up on the exercises and might even pop another machine by then if I'm lucky.

Day 9: 29th September

Managed to pop a Linux machine which was nice. Enumeration really is key. The more information you gain the more avenues you can explore.

Day 10: 30th September

80 days to go. I've popped 6 machines of 54 - I feel like it'll be a race against time to pop them all and complete everything...

Day 11: 1st October

Friend came over so I only made a small bit of progress on a very difficult machine in the labs. Can only get a basic shell.

Day 12: 2nd October

Finally rooted a machine I've been after for two days. Updated my report and off for a day out for the gf's birthday. Will be spending 10-15 hours on the exercises tomorrow to make up for the time I've missed.

I will update each day for 90 days.

Saturday, 13 September 2014

Unshadowing + Password Cracking




In prep for the OSCP, I'm going over some relatively basic skills so that they're not only fresh in my mind, but so I understand them well enough to take them to the next level with the OSCP. I was researching privilege escalation and came up with a scenario. Let's say that a system administrator has made a boo-boo on the system and any user can see the /etc/shadow file along with the /etc/passwd file. Of course, this would be a very, very rare occurrence (one would hope!) but it gives us somewhere to start.

So once you've got a hold of the passwd and shadow file, we can see that the passwd file isn't showing the passwords at all, not even hashed! (Great!). However, the shadow file is showing simon's password hash (Fig 1).

 Fig 1


Now, I run hash-identifier (Fig 2) to find out what kind of hash we're dealing with here. This isn't strictly necessary in this case, but it's a fantastic tool which has helped me plenty of times. Windows users can download the Python script from GitHub. Simply type in (or paste in) the hash and the script will attempt to identify which hashing algorithm produced it.

 Fig 2


Now I can see that we're dealing with a DES (Unix) password (Fig 3). Makes sense, right? After all, we're looking at a hashed password on a Unix-like system.


Fig 3



So now, it's time to get this hash cracked. We need to use the 'unshadow' function to unshadow the 'passwd' and 'shadow' files. Essentially, by unshadowing, you're combining the two files into one, which will let us brute force it shortly with JTR.

In Fig 4 below, you'll see the way this is done: we call the unshadow script from sbin, select our passwd file followed by our shadow file, and direct the output to a database file (the file extension isn't necessary, but it helps to convey the information).

 Fig 4


You may notice that I've already cracked the file before taking this screenshot, so I've had to use the '--show' switch to let you see the password in plain text. All that's needed to crack the password is for you to run 'john <nameOfDatabase>', in my case 'john crack'.

In Fig 5, you can see the plain text password:

simon:password:1003:1003:simon:home/simon:/bin/bash

Of course, the more complex the password, the harder or more time consuming it'd be to crack.

Fig 5
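To show what unshadow actually does with the two files, and the kind of prefix check hash-identifier makes, here is an added example in Python. It is my own code, not John the Ripper's or hash-identifier's; the passwd and shadow lines are constructed, and the hash values in them are placeholders in the right format rather than real password hashes. The merge mirrors unshadow's behaviour: each user's hash from shadow replaces the 'x' in their passwd entry, and users with no shadow entry keep the 'x'.

```python
"""
Added example (not from the original post, John the Ripper or
hash-identifier): merge passwd and shadow the way unshadow does, then
guess the hash type from its prefix and pick out the entries worth cracking.
"""
import re

# Constructed sample files. Hash values are format-correct placeholders.
CONSTRUCTED_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "simon:x:1003:1003:simon:/home/simon:/bin/bash",
    "guest:x:1004:1004:guest:/home/guest:/bin/sh",   # deliberately absent from shadow
]
CONSTRUCTED_SHADOW = [
    "root:!:16300:0:99999:7:::",                     # locked: no usable hash
    "daemon:*:16300:0:99999:7:::",                   # login disabled
    "simon:zzDUMMYHASH13:16300:0:99999:7:::",        # 13-char placeholder, DES crypt shape
]


def parse_colon_file(lines):
    """Map username -> list of fields for a passwd- or shadow-style file."""
    records = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        records[fields[0]] = fields
    return records


def unshadow(passwd_lines, shadow_lines):
    """Put each user's shadow hash into the second field of their passwd
    entry so one file carries both the account details and the hash.
    Users with no shadow entry keep the 'x' placeholder."""
    shadow = parse_colon_file(shadow_lines)
    merged = []
    for name, fields in parse_colon_file(passwd_lines).items():
        if name in shadow and len(shadow[name]) > 1:
            fields = fields[:]
            fields[1] = shadow[name][1]
        merged.append(":".join(fields))
    return merged


def identify_hash(h):
    """A prefix-based guess in the spirit of hash-identifier, limited to
    the crypt(3) formats found in shadow files."""
    if h in ("", "x"):
        return "no hash in this file"
    if h.startswith(("!", "*")):
        return "locked account / login disabled"
    prefixes = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
    for prefix, name in prefixes.items():
        if h.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "DES (traditional Unix crypt)"
    return "unknown"


def crackable_entries(merged_lines):
    """Entries john could work on: those carrying a real, unlocked hash."""
    skip = {"no hash in this file", "locked account / login disabled", "unknown"}
    out = []
    for line in merged_lines:
        name, h = line.split(":")[:2]
        kind = identify_hash(h)
        if kind not in skip:
            out.append((name, kind))
    return out


if __name__ == "__main__":
    merged = unshadow(CONSTRUCTED_PASSWD, CONSTRUCTED_SHADOW)
    for line in merged:
        print(line)
    print("worth cracking:", crackable_entries(merged))
```

From the defender's side, the interesting output is how few entries have a usable hash at all: locked and nologin accounts contribute nothing, and the DES-format entry stands out because that format truncates passwords to eight characters and cracks far faster than the salted SHA-512 or yescrypt formats modern distributions default to. The scenario only works because shadow was readable in the first place; it should be readable by root (and the shadow group) only.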



Thanks for reading!

Saturday, 30 August 2014

OSCP - Finally Signed Up




I've done it. I've signed up for the OSCP. It has taken quite some time to decide whether or not I should go for it. In fact - it has taken a few years. The course was previously known as 'Pen testing with Backtrack', whereas now, it has been updated to 'Pen testing with Kali', as Kali Linux has taken off where Backtrack left off.

In case you're wondering why it has taken me so long to sign up, the answer is simple: cost vs fear of failure. Prior to starting the OSCP, my pen testing knowledge is heavily rooted in wireless security. I've had experience with Bluetooth hacks, WEP, WPA etc but not so much with pen testing desktop computers/laptops/servers.

I've passed the OSWP (Offensive Security Wireless Professional) course and found that it was written very well; one can only hope that the OSCP will follow suit. I've read reviews online which suggest it's very possible to pass providing you put many hours each day into it. I'm prepared to do that in order to pass. Which brings me onto my next point. I've been afraid to take on this course in case I fail, yet I know that it's going to be a learning curve - just of bigger proportions.

I've had to remind myself that over the past few years, I've learned first hand that the key to success is trial and error. Do you remember when you first tried to ride a bicycle as a child? You fell off it, right? You got hurt and thought: "I'm not doing that again!" - but you persisted and ultimately, you could ride the bike. The same applies to swimming, relationships, driving etc. You fail more often than you win, but it takes determination to continue until you win.

I'll give you a story. There was a kid born in 1847. Couldn't concentrate in school. His teacher referred to him as "addled". It was looking as if this kid wasn't going to make it; dropping out of school and then being home schooled, this kid didn't look like he was going anywhere. When he was older, he created an automatic voting system, which, as an entrepreneur, should have gained him fame and prosperity. It didn't. It wasn't wanted: it was a failure.

All this guy knew was failure, up until the age of 30 when he created the telephone. This guy was Thomas Edison. Failure didn't deter him - and look what he created. You get out what you put in. I know that whatever happens with the OSCP, I'm going to learn a lot throughout the course. I don't know if I'll pass the exam first time, but if I don't, I'll try again, and again, and again until I do; after all, the motto is "try harder".