DEV Community: ckyoo

network bridging

ckyoo — Mon, 17 Feb 2025 07:51:23 +0000

. Run console

delete all connections

nmcli --fields UUID,TIMESTAMP-REAL con show | awk '{print $1}' | while read line; do nmcli con delete uuid $line; done

create bridge br0

nmcli con add type bridge con-name br0 ifname br0

set host-machine IP for br0

(for example, host machine IP=192.168.1.100/24, gateway=192.168.1.1, dns=192.168.1.254, domain search=example.com)

nmcli con mod br0 ipv4.addresses "192.168.1.100/24"
nmcli con mod br0 ipv4.gateway "192.168.1.1"
nmcli con mod br0 ipv4.dns "192.168.1.254 "
nmcli con mod br0 ipv4.dns-search "example.com"
nmcli con mod br0 ipv4.may-fail no

Disable DHCP and enable manual settings for br0

nmcli con mod br0 ipv4.method manual

Add real network card (eth1) to bridge br0

nmcli con add type ethernet con-name "br0-slave-eth1" ifname eth1 master br0

Enable bridge br0

nmcli con up br0

Now you can attach to br0 any virtual machine from QEMU/KVM.

For example 192.168.1.100 - host,

192.168.1.10 - virt machine 1,

192.168.1.20 - virt machine 2

// for deleting the device br0 that is showing up even after deleting connection in nmcli,
nmcli device delete br0

some workaround when using kvm virtualization

ckyoo — Fri, 07 Feb 2025 00:47:15 +0000

To run a terminal, i was using Ctrl + Alt + T to open a terminal in the host OS. Now that I am inside a guest OS, running the command would render a terminal 'outside' of the guest OS, and I cant exit the terminal.

Then I find out about Ctrl Alt F1 to switch to the virtual terminal on the host.

Then I can now access the overlay terminal and execute the exit command.

virtualization inside almalinux 9

ckyoo — Wed, 05 Feb 2025 07:08:58 +0000

start by installing the ISOs of selected OSes.
With almalinux 9 and kali linux,

check if hardware is enabled with virtualization
egrep -c '(vmx|svm)' /proc/cpuinfo

install KVM
sudo dnf install qemu-kvm libvirt libvirt-client virt-top virt-install virt-manager virt-viewer libguestfs-tools

sudo systemctl start libvirtd
sudo systemctl enable libvirtd

check the status of libvirtd
sudo systemctl status libvirtd

default path of ISO when downloaded in my machine is
Downloads/Github/ copy it to /var/lib/libvirt/boot/

AlmaLinux-9-latest-x86_64-dvd.iso
download the iso with
sudo virt-install --name AlmaLinux-server --ram=2048 --vcpus=2 --cpu host --hvm --disk path=/var/lib/libvirt/images almalinuxservervml,size=20 --cdrom /var/lib/libvirt/boot/AlmaLinux-9-latest-x86_64-dvd.iso --graphics vnc

First plagued with error: Validating install media '/var/lib/libvirt/boot/AlmaLinux-9-latest-x86_64-DVD.iso' failed: Must specify storage creation parameters for non-existent path '/var/lib/libvirt/boot/AlmaLinux-9-latest-x86_64-DVD.iso'.

the error was the inconsistent naming in the ISOs, with the 'DVD'. The capitalization of the specified --cdrom was different with the one that is stored in the path.

docker....and anything

ckyoo — Wed, 05 Feb 2025 05:51:51 +0000

In archlinux, downloading docker started with
sudo pacman -S docker

starting docker would require
systemctl start docker.socket for lesser consumption of resources

stopping is systemctl stop <service>

my fafo with docker
with archlinux,
sudo docker-compose up -d
sudo docker-compose down

not advised:
downgraded docker
using downgrade in AUR
sudo downgrade docker

SNIPE-IT ASSET MANAGEMENT

ckyoo — Tue, 28 Jan 2025 09:50:07 +0000

Fresh install almalinux 9;

Connect ethernet to enp6s0 (default ethernet port)
ipv4 172.16.3.26
default rote 172.16.3.254
dns 172.16.1.3

snipe-it@phelan
Install LAMP stack on server:
first sudo dnf update -y

installed git sudo dnf install git
[APACHE]
dnf install httpd -y
systemctl start httpd && systemctl enable httpd
[MYSQL/MARIADB]
dnf install mariadb-server -y
systemctl start mariadb && systemctl enabe mariadb
perform secure install: mysql_secure_installation at root
[PHP]
dnf install -y php <...>
systemctl restart httpd

CREATE DATABASE

in root,
mysql -uroot -p

MariaDB> CREATE DATABASE snipeitdb;

MariaDB > CREATE USER snipe_user@localhost IDENTIFIED BY '[password(stn17]'

MariaDB > GRANT ALL ON snipeitdb.* to snipe_user@localhost;

MariaDB > FLUSH PRIVILEGES;

---error in chown --

1/30/25

setting the correct ownership/permission to the file

chown -R apache:apache /var/www/snipe-it
chmod -R 755 /var/www/snipe-it

<VirtualHost *:80>
    <Directory /var/www/snipe-it/public>
        Allow From All
        AllowOverride All
        Options -Indexes
    </Directory>

    DocumentRoot /var/www/snipe-it/public
    ServerName 172.x.x.x
    # Other directives here
</VirtualHost>

MYSQL COMMANDS TO CHECK TABLES

sudo mysql
use <table_name>;
show tables;
select * FROM <table_name>;

MIGRATE A DB TO ANOTHER DB

mysql -u root -p snipeitdb < path/of/.sql file

CISCO SG500-52

ckyoo — Mon, 27 Jan 2025 06:53:33 +0000

Setting hostname:
configure terminal
hostname Switch-254

config-file-header
Switch-254
v1.4.11.5 / R800_NIK_1_4_220_026
CLI v1.0
set system mode switch queues-mode 4

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 11
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
hostname Switch-254
aaa authentication login authen-list radius local none
line console
login authentication authen-list
password da39a3ee5e6b4b0d3255bfef95601890afd80709 encrypted
exit
username admin password encrypted 990ce22a3f18004ca80b4ded3e635eca5625dbfa privilege 15
sntp server 192.168.11.50
ip domain name <>.edu.ph
!
interface vlan 11
name MGMT
ip address 192.168.11.254 255.255.255.0
no ip address dhcp
!
interface gigabitethernet1/1/48
switchport mode access
switchport access vlan 11
!
exit
Switch-254#
Switch-254#conf t
Switch-254(config)#08-Apr-2020 15:26:48 %LINK-I-Up: gi1/1/48
08-Apr-2020 15:26:48 %LINK-I-Up: Vlan 11
08-Apr-2020 15:26:53 %STP-W-PORTSTATUS: gi1/1/48: STP status Forwarding
08-Apr-2020 15:27:48 %AAA-I-CONNECT: New http connection for user admin, source 192.168.11.154 destination 192.168.11.254 ACCEPTED

[SETTING MANAGEMENT VLAN]

configure terminal
vlan 11
interface vlan 11
name MGMT
ip address 192.168.11.254 255.255.255.0
exit
interface gigabitethernet 1/1/48
switchport mode access
switchport access vlan 11
no shutdown
exit
copy running-config startup-config

[SETTING DOMAIN NAME]
configure terminal
ip domain name <>.edu.ph

[GENERATE RSA]
crypto key generate rsa

[ENABLING LINE CONSOLE]
line console

:: these are all commands that was accessed through COM3 putty serial, since the ip ssh is enabled, we can access it through putty > ssh

[jan2025] thm.jrpt-path. 3/n

ckyoo — Sun, 12 Jan 2025 03:33:59 +0000

[IDOR]

IDOR is an access control vulnerability, which stands for Insecure Direct Object Reference. This happens when the user input that was received is not checked or validated in server-side.

in this link, https://onlinestore.thm/order/1000/invoice there is a segment where the user can manipulate the order #.

One technique that was mentioned is to decode and encode the string and determine if there was any changes in the response.

[jan2025] thm.jrpt-path. 2/n

ckyoo — Thu, 09 Jan 2025 17:52:13 +0000

[Authentication Bypass]

For this day, we're going to explore the Auth bypass section of THM'S JRPT-Path.

-w selects where the "name.txt" is located in local machine. since I am using my arch, using the locate name.txt command was important.
-X specifies the request method , 'GET' is the default.
According to THM, _The -d argument specifies the data that we are going to send. In our example, we have the fields username, email, password and cpassword. We've set the value of the username to FUZZ. In the ffuf tool, the FUZZ keyword signifies where the contents from our wordlist will be inserted in the request. _
The -H argument is used for adding additional headers to the request. In this instance, we're setting the Content-Type so the web server knows we are sending form data.
-u will specify the URL we're requesting
-mr the text on the page we are looking for to validate we've found a valid username.

TASK 3: BRUTE FORCE

ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.95.150/customers/login -fc 200

TASK 4
An important lesson here is that a PHP code using '===' means that the code is looking for the exact equivalent of the URL it is checking. One way to bypass it is to change the letter casing.

"will not have their privileges checked and have the page displayed to them, totally bypassing the authentication checks."

The PHP $_REQUEST variable is an array that contains data received from the query string and POST data. If the same key name is used for both the query string and POST data, the application logic for this variable favours POST data fields rather than the query string, so if we add another parameter to the POST form, we can control where the password reset email gets delivered.

I then created a new account, and with that new account, I sent the request of "resetting email" to the account I newly made

I now then got a hold of a URL where the user can update their password (from the luigi@/customer.acmeitsupport.thm dashboard)

After changing robert's password to 1234, I found the flag.

TASK 4 COOKIE TAMPERING

There were important hashing methods that was mentioned: md5, sha-256, sha-512, and sha-1. Cracking it could be done by useful websites like crackstation or base64encode.

concepts/important tools: ffuf , cookie, crackstation, hashing, base64

[jan2025] thm.jrpt-path. 1/n

ckyoo — Tue, 07 Jan 2025 17:49:42 +0000

Decided to formally create a write-up for my tryhackme journey. This is not in sequence, writing from my memory so every section are labeled by their titles in THM.

[Introduction to Web Hacking]

As the attackbox was really slow, I decided to switch to my archlinux machine (was using my windows workstation before).
Setting up OpenVPN in my arch was a smooth-sailing experience (completely oblivious to the absurd errors I'll encounter the next few hours.) I'm completely writing this from my memory so I hope I could remember the fixes I did for my machine and ridiculous errors I encountered.

After downloading OpenVPN on my machine, sudo pacman -Syu openvpn, we connected to the THM by sudo openvpn ~/Downloads/username.ovpn.
Encountered an error, and by changing the username.ovpn to the name of the server, sudo openvpn ~/Downloads/EU-VIP-2.ovpn, the connection was a success.

In the section #[Content Discovery], there was this tricky error since this was my first time using arch with ffuf tool. And keep in mind that I am not using the attackbox, so configurations were manually added.

At first error:/usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt not found,

I have to download these packages from AUR, and pacman does not directly download those packages using pacman -S.

git clone https://aur.archlinux.org/ffuf.git
cd ffuf
makepkg -si

is the easiest way to download packages from AUR. There were hiccups at first, like AUR being unreachable. Tried to ping it, and it was unreachable but after restarting my machine and pinging google, making sure I can reach other sites, AUR finally was reachable.

Make sure that the wordlists package is also installed, which is also in AUR. The very tricky part here which I finally cracked after some forum hopping is that the default path might be different, not the ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://MACHINE_IP/FUZZ in THM. I found this while simultaneously solving why the GNU default command locate wasn't working.

sudo pacman -S mlocate
updatedb

And finally, found the path after executing locate common.txt which was /usr/share/wordlists/dirb/common.txt.

And after all those errors, found the answers to:

What is the name of the directory beginning "/mo...." that was discovered?

monthly

What is the name of the log file that was discovered?

development.log

As I wasn't using the default attackbox, it was fun solving these errors.