Hack the Box – Cartographer + Grammar

Hack the Box is a great free resource to play capture the flag by practicing penetration testing on a variety of different labs spanning just about every domain of offensive security. Over the past few months I completed two introductory exercises, HDC and Lernaen.

This weekend I cleared Cartographer (update: and Grammar – more at the very bottom) and will detail my approach and learnings below. In doing these exercises, so much learning happens figuring out what doesn’t work.

What didn’t work?

When you open the lab you’re presented with a basic web form.

After doing reconnaissance, I learned and formulated the following plans.

  • The web form gives no error message for incorrect credentials, so I could automate a high-volume credential brute-force attack. The form is a basic username:password “POST” interaction with the server. Pretty standard, pretty straightforward.
  • I browsed the source code. Nothing juicy, no JavaScript, no custom approaches to authentication.
  • I browsed for .htaccess, robots.txt. No help.
  • I could use dirb to enumerate the directory structure and PHP page names.
  • I used nmap to fingerprint the host and learned it is an Ubuntu server running Apache 2.4.18. The main page is written in PHP. I could try some of the excellent CVEs published against that unpatched Apache version.
  • Lastly, if nothing else was successful, I could try SQL injection, server injection and a number of other malformed inputs using the Big List of Naughty Strings.

I used Hydra to automate a brute-force attack on the credentials, starting with a list of all of the basic Apache and Tomcat default credentials. This took a long time, but did not help.

I then used dirb and discovered two interesting pages: /server-status, a default Apache page hidden behind a 403 Forbidden response, and panel.php, which was a 300 redirect back to index.php. I lost a lot of time using Metasploit and Burp Suite attempting to get into these pages with exploits and by manipulating the headers. My thinking was that I might be able to exploit the unpatched version of Apache. Wrong! This turned out to be a distraction.

Finally, I referenced the Big List of Naughty Strings and manually attempted a number of fuzzing queries including server code injection, URL hacking, XXE injection, file inclusion, and then SQL injection. Copying and pasting either of these payloads into both the username and password fields worked: ' OR 1=1 -- 1 and ' OR '1'='1. I tried to automate these attacks using Burp Suite, but still have a lot to learn there.
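To show why those two payloads worked, here is an added example (it is not code from the post or from the Hack the Box lab): a small Python/sqlite3 login check written the vulnerable way, by string concatenation, next to a parameterised version that the same input cannot bypass. The users table, the placeholder credential and the helper names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: one valid account, so the queries have something to match.
USERS = [("admin", "s3cret-placeholder")]

# The two payloads from the write-up, pasted into both fields.
PAYLOADS = ["' OR 1=1 -- 1", "' OR '1'='1"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    # The statement is built by concatenation, so the quote in the input
    # ends the string literal and the rest of the payload becomes SQL.
    # With "' OR 1=1 -- 1" the "--" comments out the whole password check.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username, password):
    # Parameterised query: the SQL text is fixed and the driver hands the
    # values to the engine separately, so a quote is just a character.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def compare_logins():
    """Return {payload: (vulnerable_result, hardened_result)} for each payload."""
    conn = make_db()
    return {p: (login_vulnerable(conn, p, p), login_hardened(conn, p, p))
            for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (vuln, hard) in compare_logins().items():
        print(f"{payload!r:20} concatenated: {vuln!s:5} parameterised: {hard}")
```

The hardened variant still accepts the real credential, so the fix costs nothing functionally; the lab's login form behaves like the first function.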

What worked

The SQL injection unlocked two important pieces of information.

1.) The URL changed to /panel.php?info=home. What else could home be changed to?

2.) A cookie with PHPSESSID was established and used for session management.

I customized dirb by passing in the cookie with the PHPSESSID and I used the common.txt wordlist and bingo. I found the flag and completed the exercise. This took three iterations. At first dirb gave me no results, because I did not pass the cookie. Then I used the small.txt wordlist which was too small. On my third try I finally found the flag.

Reflections…

I didn’t prioritize my work well. I started with some heavy, somewhat advanced and time-consuming attacks before I finished reconnaissance and thought through my approach. I bypassed the simpler stuff, which ended up being the effective stuff. I’m going to try to do better than that in the next lab.

Hack the Box is a lot of fun. Great learning. A truly awesome resource. I’m going to try to tackle Grammar next. Grammar is the toughest web lab on Hack the Box so we’ll see.

Update: I did end up completing Grammar today, too. I used many of the same reconnaissance techniques on Grammar and Cartographer. I won’t elaborate much on Grammar, but I will say I did use one hint, I needed syntax help to remove quotes and add in a semi-colon when cookie hijacking.

Grammar requires a similar approach to actually getting a Hack the Box invite: change a GET request to a POST request, decode a session cookie, and take advantage of a PHP type juggling vulnerability. I learned a lot about Burp in this exercise and a whole lot about PHP type comparisons.

My First Metasploitable Vulnerability, Exploit, and Fix

In getting started with Metasploitable (msf2), I was looking for a simple first vulnerability and exploit to really try out and get some momentum in my learning.

A really simple nmap command let me know that a lot of ports were open. There’s a great deal of practice I’ll be able to put to the test through msf2. I started by noticing the unix login port 513 is open.

From there, I installed the rsh-client on Kali (sudo apt-get install rsh-client) to see if I could gain remote access using the command rlogin -l root ipaddress. Success!

Then I took a look at the .rhosts file and I found it contained ++.

Here’s what’s going on with this vulnerability. msf2 has an rsh-server running and allowing remote connectivity through port 513. This allows remote access to the host for convenience or remote administration. However, the .rhosts file is misconfigured: the ++ signifies that all computers should be treated as friendlies and be allowed to connect, with no password. The /etc/hosts.equiv file has the same setting.

Fixing the vulnerability

To fix the vulnerability we need to remove ++ from the .rhosts file. After writing null into the file, you can see that the next time we try to connect we need the password! Vulnerability fixed, and the first legitimate use of msf2 is a success!
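As an added example (not from the post or from Metasploitable itself), here is a small Python audit of the two trust files discussed above. It flags the wildcard entries that make rlogin passwordless and shows a variant of the fix that drops only the wildcard lines instead of blanking the whole file. The sample file contents and host names are constructed to mirror the findings; the function names are mine.

```python
# Constructed samples modelled on the msf2 findings: "+ +" trusts every user
# from every host; a bare "+" trusts every host for the same-named user.
RHOSTS_SAMPLE = "+ +\n"
HOSTS_EQUIV_SAMPLE = "# trusted hosts\n+\nbuild01.example.internal\n"
SAFE_SAMPLE = "# only the admin workstation, for root\nadmin-ws.example.internal root\n"


def audit_trust_file(text, path="(unknown)"):
    """Return a list of findings for one .rhosts / hosts.equiv file.

    Each non-comment line is 'hostname [username]'. A '+' in either field is
    a wildcard. '-' prefixed entries are explicit denials and are not flagged,
    and netgroup entries ('+@group') are not treated as bare wildcards.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+":
            if user == "+":
                scope = "any user"
            elif user:
                scope = f"user {user!r}"
            else:
                scope = "the same-named user"
            findings.append(f"{path}:{lineno}: wildcard host '+' trusts {scope} from every host")
        elif user == "+":
            findings.append(f"{path}:{lineno}: wildcard user '+' trusts every user from {host}")
    return findings


def remove_wildcards(text):
    """Return the file contents with wildcard lines dropped.

    Comments and explicit host entries survive, unlike emptying the file.
    """
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and "+" in fields[:2]:
            continue
        kept.append(raw)
    return "\n".join(kept) + ("\n" if kept else "")


if __name__ == "__main__":
    for name, content in [(".rhosts", RHOSTS_SAMPLE),
                          ("/etc/hosts.equiv", HOSTS_EQUIV_SAMPLE),
                          ("safe.rhosts", SAFE_SAMPLE)]:
        for finding in audit_trust_file(content, name):
            print(finding)
        print(f"--- {name} after fix ---")
        print(remove_wildcards(content), end="")
```

On a real host you would read ~root/.rhosts, each user's .rhosts and /etc/hosts.equiv and feed the contents to audit_trust_file; the longer-term fix remains replacing rsh/rlogin with SSH so that no trust file is consulted at all.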