matbra.comMatheus Bratfisch · Cogito ergo sum

| | Home Recents: Hackthebox - Write up of Servmon machine Hackthebox - Write up of Nest machine Installing AvaloniaILSpy on Kali Linux Building OpenSSH 8.2 and using FIDO2 U2F on ssh authentication Use a remote serial port to flash an esp © 2020. All rights reserved. Matheus Bratfisch Cogito ergo sum Hackthebox - Write up of Servmon machine 24 Aug 2020 This time, let’s try to get root on Servmon machine from Hackthebox. Standard starting procedure: NMAP. $ nmap -T4 10.10.10.184 Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-29 20:10 EDT Nmap scan report for 10.10.10.184 ( 10.10.10.184 ) Host is up ( 0.22s latency ) . Not shown: 992 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 5666/tcp open nrpe 6699/tcp open napster Nmap done : 1 IP address ( 1 host up ) scanned in 124.70 seconds Opening website as that has given good results while nmap runs again with -A. It seems there is a software called NVMS-1000 running there. Let’s google and see what that is about. On this search we can see it is vulnerable to a directory traversal. https://www.exploit-db.com/exploits/48311 Keep this in mind and let’s take a look on ftp. Read more Share: Hackthebox - Write up of Nest machine 19 Jun 2020 Hello, As you guys already know I have been studying pentest. Recently I signed up on hackthebox.eu and started doing some easy machines. This writeup will show the steps I have done to get user and root flag. I always start with nmap. $ nmap -T4 -Pn -p- -v 10.10.10.178 Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-01 21:41 EDT Initiating Parallel DNS resolution of 1 host. at 21:41 Completed Parallel DNS resolution of 1 host. at 21:41, 0.01s elapsed Initiating Connect Scan at 21:41 Scanning 10.10.10.178 ( 10.10.10.178 ) [ 65535 ports] Discovered open port 445/tcp on 10.10.10.178 Connect Scan Timing: About 3.75% done ; ETC: 21:55 ( 0:13:16 remaining ) Connect Scan Timing: About 16.48% done ; ETC: 21:47 ( 0:05:09 remaining ) Connect Scan Timing: About 39.14% done ; ETC: 21:45 ( 0:02:21 remaining ) Connect Scan Timing: About 66.62% done ; ETC: 21:44 ( 0:01:01 remaining ) Discovered open port 4386/tcp on 10.10.10.178 Completed Connect Scan at 21:44, 220.62s elapsed ( 65535 total ports ) Nmap scan report for 10.10.10.178 ( 10.10.10.178 ) Host is up ( 0.15s latency ) . Not shown: 65533 filtered ports PORT STATE SERVICE 445/tcp open microsoft-ds 4386/tcp open unknown Read data files from: /usr/bin/../share/nmap Nmap done : 1 IP address ( 1 host up ) scanned in 220.71 seconds Port 4386 seems different, will try some telnet to it, and enumerate: $ telnet 10.10.10.178 4386 Trying 10.10.10.178... Connected to 10.10.10.178. Escape character is '^]' . HQK Reporting Service V1.2 > help This service allows users to run queries against databases using the legacy HQK format --- AVAILABLE COMMANDS --- LIST SETDIR <Directory_Name> RUNQUERY <Query_ID> DEBUG <Password> HELP <Command> > debug 1 Invalid password entered > list Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command QUERY FILES IN CURRENT DIRECTORY [ DIR] COMPARISONS [ 1] Invoices ( Ordered By Customer ) [ 2] Products Sold ( Ordered By Customer ) [ 3] Products Sold In Last 30 Days Current Directory: ALL QUERIES > setdir C: \W indows \T emp Error: Access to the path 'C:\Windows\Temp\' is denied. > Read more Share: Installing AvaloniaILSpy on Kali Linux 18 Jun 2020 Hello, I have been studying pentest and eventually I had to decompile some VB NET (.NET) and decided to give a try on AvaloniaILSpy. If you ever need to install it on Kali linux 20 you can install its dependencies with: sudo apt-get update sudo apt-get upgrade wget https://packages.microsoft.com/config/ubuntu/19.10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb sudo dpkg -i packages-microsoft-prod.deb sudo apt-get update sudo apt-get install apt-transport-https sudo apt-get update sudo apt-get install dotnet-sdk-3.1 sudo apt-get install mono-devel git clone https://github.com/icsharpcode/AvaloniaILSpy.git cd AvaloniaILSpy/ git submodule update --init --recursive And later to build and run it: $ bash build.sh $ cd artifacts/linux-x64/ $ ./ILSpy Hope this helps you, Matheus Comment Share: Building OpenSSH 8.2 and using FIDO2 U2F on ssh authentication 17 Feb 2020 OpenSSH 8.2 was just released with support for FIDO2 U2F keys. This is a nice extra layer for security! As this is not yet on official repository for Fedora, we will need to build openssh 8.2 if we want to test. OpenSSH 8.2 needs libfido2 and libfido2 needs libcbor systemd-devel. There is no package for FIDO2 on Fedora 31 yet, therefore we also need to build it. Let’s start installing some dependencies: $ sudo dnf group install 'Development Tools' $ sudo dnf install libselinux-devel libselinux libcbor libcbor-devel systemd-devel cmake To install libfido: $ git clone [email protected] :Yubico/libfido2.git $ cd libfido2 $ (rm -rf build && mkdir build && cd build && cmake ..) $ make -C build $ sudo make -C build install Here we are cloning the code and basically using their commands to install it. With this dependency ready let’s get openssh-8.2: $ mkdir openssl-8 $ cd openssl-8 $ mkdir test-openssh $ wget http://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz $ tar xvzf openssh-8.2p1.tar.gz $ cd openssh-8.2p1 With the code in place we will use configure to prepare it: $ ./configure --with-security-key-builtin --with-md5-passwords --with-selinux --with-privsep-path=$HOME/openssl-8/test-openssh --sysconfdir=$HOME/openssl-8/test-openssh --prefix=$HOME/openssl-8/test-openssh Note: --with-security-key-builtin is important to have support for FIDO2 internally. This command will prepare the path as $HOME/openssl-8/test-openssh my idea here is to avoid messing with my existing ssh. After this is completed we can make/make install $ make $ make install I also had to create a udev rule: $ sudo vim /etc/udev/rules.d/90-fido.rules With this content: KERNEL=="hidraw*", SUBSYSTEM=="hidraw", \ MODE="0664", GROUP="plugdev", ATTRS{idVendor}=="1050" After all this I entered on the binary folder $ cd $HOME/openssl-8/test-openssh/bin To run the binary we must use ./ otherwise it will use the other binary which are system wide and we want to run the exact one which we just build. I’m not exactly sure why, but when I was running ssh-keygen, I was having some issues to find the libfido2.so.2 $ ./ssh-keygen -t ecdsa-sk -f /tmp/test_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your authenticator to authorize key generation. /home/matheus/openssl-8/test-openssh/libexec/ssh-sk-helper: error while loading shared libraries: libfido2.so.2: cannot open shared object file: No such file or directory ssh_msg_recv: read header: Connection reset by peer client_converse: receive: unexpected internal error reap_helper: helper exited with non-zero exit status Key enrollment failed: unexpected internal error In my case I found the location of this file and copied it to “/usr/lib64/libfido2.so.2” After this when running the command to generate it without the fido2 plugged in I got: $ ./ssh-keygen -t ecdsa-sk -f /tmp/test_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your authenticator to authorize key generation. Key enrollment failed: device not found Plugin the key in and trying again $ ./ssh-keygen -t ecdsa-sk -f /tmp/test_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your authenticator to authorize key generation. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in -f /tmp/test_ecdsa_sk Your public key has been saved in -f /tmp/test_ecdsa_sk.pub The key fingerprint is: SHA256:.../... [email protected] The key was generated succesfully!! No...