Sunday, 27 August 2023

Remote VulNyx Writeup

Scanning

We scan the open ports with nmap, using script and version detection:

Enumeration

We access the web server and find the default Apache Debian page:

We run gobuster with a large wordlist and find a wordpress directory on the server:

We access the source code and see that the website loads a domain name:

We access WordPress and detect software versions deployed on the server:

We also enumerate the administration panel:

We confirm that the user is "tiago", so we try an automated password attack with WPScan, but after several minutes we have no credentials.

I launch nmap with the http-wordpress-enum script; it shows a plugin called "gwolle-gb 1.5.3" that has known exploits:

Exploitation

We host a PHP webshell so we can execute commands from the URL:

We set up a netcat listener and launch a reverse shell with mkfifo:

We get the database connection credentials:

We reuse the password for the user "tiago" and read the user flag:

Privilege Escalation

We run sudo -l and see that we can run the "rename" binary as the root user:

We view the binary's help:

It has a "Manual" (-m) option, so we press Enter until it reaches a point where it lets us write input, then try the classic "!sh"; we escalate privileges to the root user and read the flag:

Saturday, 26 August 2023

Lesson Learned? TryHackMe Writeup

Scanning

We scan the open ports with nmap, using script and version detection:

Enumeration

We access the website and find a login form:

We try guessing passwords, without success:

We try login bypass techniques and see that there is SQL injection filtering on the "OR" keyword; the error message hints that we should use techniques that do not require "OR", so we are on the right track...

We find a post by Tib3rius on Twitter about SQL injection payloads that do not use "OR":

Exploitation

We try different payloads; with 1' union select ''# we bypass the authentication and see the flag:

Tuesday, 22 August 2023

Monday, 29 May 2023

Jorani v.1.0.0 - SQL Injection (CVE-2023-2681)

Introduction

  • CVE-ID: CVE-2023-2681
  • Vulnerability Type: SQL Injection
  • Affected Product Code Base: Jorani v1.0.0 and earlier
  • Affected Component: the "id" parameter of the "/leaves/validate" endpoint
  • Attack Type: Remote
  • Impact: Extraction or alteration of information stored in the database; in some cases it could lead to remote code execution and server compromise.
  • Attack Vectors: Exploiting the vulnerability requires authentication as a low-privileged user.

Description

A remote attacker, authenticated in the application as a low-privileged user, can inject malicious SQL code through the "id" parameter of the "/leaves/validate" path and extract arbitrary information from the database.
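As an added defensive example (not part of the advisory or of Jorani's own code), a log-based check for the endpoint and parameter named above: it parses Apache combined-format access lines, constructed here, and flags any request to /leaves/validate whose id value is not a plain integer. The regex, function names and the assumption that legitimate leave ids are integers are mine, not the project's.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format); the path and
# parameter are the ones named in CVE-2023-2681, the values are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [29/May/2023:10:01:12 +0200] "GET /leaves/validate?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [29/May/2023:10:01:30 +0200] "GET /leaves/validate?id=42%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.7 - - [29/May/2023:10:02:01 +0200] "GET /leaves/validate?id=7 HTTP/1.1" 200 498 "-" "curl/7.88"
10.0.0.9 - - [29/May/2023:10:02:40 +0200] "GET /leaves/validate?id=7%20UNION%20SELECT%201 HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.0.0.9 - - [29/May/2023:10:03:00 +0200] "GET /leaves/validate?id=abc HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.0.0.9 - - [29/May/2023:10:03:10 +0200] "GET /leaves/list?id=abc HTTP/1.1" 200 2048 "-" "python-requests/2.31"
"""

# Minimal parser for the combined format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/leaves/validate"          # endpoint from the advisory
NUMERIC = re.compile(r"^\d+$")          # assumption: a valid leave id is an integer


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        # parse_qs URL-decodes the values, so %27 becomes a literal quote
        "params": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def find_suspicious_ids(log_text):
    """(ip, timestamp, decoded id) for every request to the vulnerable
    endpoint whose id parameter is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != VULN_PATH:
            continue
        for value in rec["params"].get("id", []):
            if not NUMERIC.match(value):
                hits.append((rec["ip"], rec["ts"], value))
    return hits


def hits_per_ip(log_text):
    """Count suspicious requests per client, to spot repeated probing."""
    counts = {}
    for ip, _, _ in find_suspicious_ids(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Running it over the sample flags the three non-integer ids and ignores the same value sent to a different path.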

Saturday, 27 May 2023

Valley TryHackMe Writeup

Scanning

We scan the open ports with nmap, using script and version detection.

nmap -p22,80,37370 10.10.140.77 -sVC -oN nmap.txt
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-27 10:32 CEST
Nmap scan report for 10.10.140.77
Host is up (0.049s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c2842ac1225a10f16616dda0f6046295 (RSA)
|   256 429e2ff63e5adb51996271c48c223ebb (ECDSA)
|_  256 2ea0a56cd983e0016cb98a609b638672 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
37370/tcp open  ftp     vsftpd 3.0.3
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Saturday, 20 May 2023

Weasel TryHackMe Writeup

Scanning

We scan the open ports with nmap, using script and version detection.

> nmap -sVC 10.10.81.101
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-20 10:57 CEST
Nmap scan report for 10.10.81.101
Host is up (0.050s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 2b17d88a1e8c99bc5bf53d0a5eff5e5e (RSA)
|   256 3cc0fdb5c157ab75ac8110aee298120d (ECDSA)
|_  256 e9f030bee6cfeffe2d1421a0ac457b70 (ED25519)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: DEV-DATASCI-JUP
|   NetBIOS_Domain_Name: DEV-DATASCI-JUP
|   NetBIOS_Computer_Name: DEV-DATASCI-JUP
|   DNS_Domain_Name: DEV-DATASCI-JUP
|   DNS_Computer_Name: DEV-DATASCI-JUP
|   Product_Version: 10.0.17763
|_  System_Time: 2023-05-20T08:57:46+00:00
| ssl-cert: Subject: commonName=DEV-DATASCI-JUP
| Not valid before: 2023-03-12T11:46:50
|_Not valid after:  2023-09-11T11:46:50
|_ssl-date: 2023-05-20T08:57:54+00:00; -1s from scanner time.
8888/tcp open  http          Tornado httpd 6.0.3
| http-title: Jupyter Notebook
|_Requested resource was /login?next=%2Ftree%3F
| http-robots.txt: 1 disallowed entry 
|_/ 
|_http-server-header: TornadoServer/6.0.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-05-20T08:57:51
|_  start_date: N/A

Enumeration

Accessing the only web service through port 8888, we find the Jupyter Notebook 6.0.3 software.

Sunday, 14 May 2023

Prioritise TryHackMe Writeup

Scanning

We scan the open ports with nmap, using script and version detection.

> nmap -sVC -p- --min-rate 5000 prioritise.thm -Pn -n -oN nmap-prioritise.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-14 21:15 CEST
WARNING: Service 10.10.247.170:80 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
Nmap scan report for prioritise.thm (10.10.247.170)
Host is up (0.055s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 51fe13747bbc526a883d21d1b3bf13ad (RSA)
|   256 73fef7fdedf492bde2997188f855b28f (ECDSA)
|_  256 f848693d7f199f03166337369f84a87a (ED25519)
80/tcp open  rtsp
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 5082
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8" />
|     <meta
|     name="viewport"
|     content="width=device-width, initial-scale=1, shrink-to-fit=no"
|     <link
|     rel="stylesheet"
|     href="../static/css/bootstrap.min.css"
|     crossorigin="anonymous"
|     <link
|     rel="stylesheet"
|     href="../static/css/font-awesome.min.css"
|     crossorigin="anonymous"
|     <link
|     rel="stylesheet"
|     href="../static/css/bootstrap-datepicker.min.css"
|     crossorigin="anonymous"
|     <title>Prioritise</title>
|     </head>
|     <body>
|     <!-- Navigation -->
|     <nav class="navbar navbar-expand-md navbar-dark bg-dark">
|     <div class="container">
|     class="navbar-brand" href="/"><span class="">Prioritise</span></a>
|     <button
|     class="na
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: HEAD, GET, OPTIONS
|     Content-Length: 0
|   RTSPRequest: 
|     RTSP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: HEAD, GET, OPTIONS
|_    Content-Length: 0
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
|_http-title: Prioritise

Enumeration

We access the website; no credentials are required, and we can create and order items.