Given a website, where a person can login and register. Both are irrelevant to the challenge, so I will cut the chase. The other feature, the ‘relevant’ feature of the challenge, is a feature that allows the user to write a note and even send the note to an admin (evil laugh). It isn’t hurt […]
[TJCTF 2020] – File Viewer
Given Challenges looking like this, entering one of that files opens it Looking closer to the URL we can see that it’s most likely some type of file inclusion challenge Trying standard LFI stuff seems to be a success As you can see, we can access ‘/etc/passwd’, soo… what can we do? First thing comes […]
[HackTheBox] – Traverxec
HackTheBox dengan OS Linux Mari kita lakukan enumerasi awal terhadap machine ini terlebih dahulu dengan nmap
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-07 00:01 EST Nmap scan report for 10.10.10.165 Host is up (0.27s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0) | ssh-hostkey: | 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA) | 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA) |_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519) 80/tcp open http nostromo 1.9.6 |_http-server-header: nostromo 1.9.6 |_http-title: TRAVERXEC Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Crestron XPanel control system (90%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 280.93 ms 10.10.14.1 2 280.96 ms 10.10.10.165 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 40.36 seconds |
Ada service http di port 80 dan ssh di port 22. Hal yang menarik untuk dilihat adalah nampaknya website menggunakan aplikasi bernama nostromo 1.9.6 Mari kita buka sebentar webnya sebelum ngegas vulnerability buat nostromo 1.9.6 nya , just […]
[HackTheBox] – Wall
Sebuah machine Hack The Box dengan ip 10.10.10.157, nampaknya akan didasarkan oleh eksploitasi CVE. Mari kita lakukan nmap terhadap ip tersebut
|
1 |
nmap -sC -sV 10.10.10.157 |
Lakukan dirbuster dengan wordlist medium Terdapat directory yang menarik bernama monitoring dengan error code 401, yang berarti memerlukan authentication. Mari kita coba buka Kita menemukan page yang di proteksi oleh basic http authentication, […]
[HackTheBox] – Sniper
Box Sniper dengan IP 10.10.10.151 dengan OS Windows *painful af OS Mari lakukan basic enumeration dengan nmap, hasil nmap menunjukkan
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 02:40 EST Nmap scan report for 10.10.10.151 Host is up (0.26s latency). Not shown: 996 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Sniper Co. 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port OS fingerprint not ideal because: Missing a closed TCP port so results incomplete No OS matches for host Network Distance: 2 hops Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: 7h01m53s | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-03-07T14:43:14 |_ start_date: N/A TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 252.60 ms 10.10.14.1 2 254.10 ms 10.10.10.151 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 83.37 seconds |
Terdapat web service, mari kita coba cek Terdapat user login portal Setelah mencoba beberapa payload basic dan basic credentials, tidak ditemukan apa apa yang bisa digunakan Pada page services, dan setelah berpindah ke page […]
[Angstrom CTF 2020] – canary
Diberikan sebuah binary dengan konfigurasi sebagai berikut: Berikut adalah list dari semua fungsi pada binary: Berikut adalah pseudocode dari fungsi yang memiliki celah:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
unsigned __int64 greet() { char format; // [rsp+0h] [rbp-60h] char v2; // [rsp+20h] [rbp-40h] unsigned __int64 v3; // [rsp+58h] [rbp-8h] v3 = __readfsqword(0x28u); printf("Hi! What's your name? "); gets(&format); printf("Nice to meet you, "); strcat(&format, "!\n"); printf(&format); printf("Anything else you want to tell me? "); gets(&v2); return __readfsqword(0x28u) ^ v3; } |
Dilihat program menggunakan gets() yang memiliki kelemahan buffer overflow dan printf(&format) memiliki kelemahan format string attack. Tujuan dari soal ini adalah untuk memanggil fungsi flag(). Namun dari nama soal dan konfigurasi binary, terdapat stack canary […]
[Joints2020] – crackme
Diberikan sebuah binary 64 bit not stripped. Pseudocode dari fungsi main adalah sebagai berikut:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
int __cdecl main(int argc, const char **argv, const char **envp) { char v4; // [rsp+0h] [rbp-30h] _BYTE v5[3]; // [rsp+5h] [rbp-2Bh] _BYTE v6[6]; // [rsp+Ah] [rbp-26h] int v7; // [rsp+14h] [rbp-1Ch] char v8; // [rsp+19h] [rbp-17h] unsigned __int64 v9; // [rsp+28h] [rbp-8h] v9 = __readfsqword(0x28u); __isoc99_scanf("%5c-%5c-%5c-%5c-%5c", &v4, v5, v6, &v6[5], &v7); v8 = 0; if ( checker(&v4) ) unlock(); else printf("Invalid serial key"); return 0; } |
Dilihat program meminta input sepanjang 25 karakter dan kemudian input akan diproses oleh fungsi checker() dan bila hasil dari checker() adalah true maka fungsi unlock() akan dipanggil. Berikut pseudocode dari fungsi unlock():
|
1 2 3 4 5 6 7 8 9 10 |
int unlock() { char i; // al FILE *stream; // [rsp+8h] [rbp-8h] stream = fopen("flag.txt", "r"); for ( i = fgetc(stream); i != -1; i = fgetc(stream) ) putchar(i); return fclose(stream); } |
Fungsi tersebut akan membuka file flag.txt pada server nc. Berikut pseudocode dari fungsi checker():
[HackTheBox] – Resolute
HackTheBox Resolute dengan OS Windows Sebelumnya penulis merasa paling enak kalau ketemu box windows tuh ya enumnya pakai sparta, karena udah include smbenum, nmap, semua kebutuhan enumeration ditanganin sparta. Tapi for some reason kali ini sparta ku rusak :'( jadi mau ga mau sedikit manual Mari kita mulai dengan nmap
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 |
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-21 00:20 EDT Nmap scan report for 10.10.10.169 Host is up (0.25s latency). Not shown: 989 closed ports PORT STATE SERVICE VERSION 53/tcp open domain? | fingerprint-strings: | DNSVersionBindReqTCP: | version |_ bind 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-21 04:30:38Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK) 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port53-TCP:V=7.80%I=7%D=3/21%Time=5E75964B%P=x86_64-pc-linux-gnu%r(DNSV SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\ SF:x04bind\0\0\x10\0\x03"); No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.80%E=4%D=3/21%OT=53%CT=1%CU=36449%PV=Y%DS=2%DC=T%G=Y%TM=5E75976 OS:6%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=109%TI=I%CI=I%TS=A)SEQ(SP=1 OS:07%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=A)SEQ(SP=107%GCD=1%ISR=109%TI=I% OS:II=I%SS=S%TS=A)OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54D OS:NW8ST11%O5=M54DNW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W OS:5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y OS:%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q= OS:)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A OS:=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%D OS:F=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O OS:=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD= OS:G)IE(R=Y%DFI=N%T=80%CD=Z) Network Distance: 2 hops Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 2h29m12s, deviation: 4h02m30s, median: 9m11s | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: Resolute | NetBIOS computer name: RESOLUTE\x00 | Domain name: megabank.local | Forest name: megabank.local | FQDN: Resolute.megabank.local |_ System time: 2020-03-20T21:33:12-07:00 | smb-security-mode: | account_used: <blank> | authentication_level: user | challenge_response: supported |_ message_signing: required | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2020-03-21T04:33:13 |_ start_date: 2020-03-20T20:22:10 TRACEROUTE (using port 8080/tcp) HOP RTT ADDRESS 1 262.23 ms 10.10.14.1 2 262.35 ms 10.10.10.169 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 318.13 seconds |
Kita mendapatkan beberapa open […]
[HackTheBox] – Forest
Hack The Box – Forest Machine Kali ini kita akan mengerjakan box dengan OS Windows, OS yang dibenci banyak kalangan orang haha, termasuks saya. First time windows box. Terlihat dari review yang diberikan orang orang bahwa kita akan banyak berurusan dengan situasi real life, enumerasi dan eksplotasi menggunakan CVE. Mari kita mulai, pertama akan kita […]
[HackTheBox] – Obscurity
HackTheBox Obscurity Mari kita lakukan recon pertama-tama, dengan menggunakan nmap
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 |
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-06 00:54 EST Nmap scan report for 10.10.10.168 Host is up (0.31s latency). Not shown: 996 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 33:d3:9a:0d:97:2c:54:20:e1:b0:17:34:f4:ca:70:1b (RSA) | 256 f6:8b:d5:73:97:be:52:cb:12:ea:8b:02:7c:34:a3:d7 (ECDSA) |_ 256 e8:df:55:78:76:85:4b:7b:dc:70:6a:fc:40:cc:ac:9b (ED25519) 80/tcp closed http 8080/tcp open http-proxy BadHTTPServer | fingerprint-strings: | GetRequest: | HTTP/1.1 200 OK | Date: Fri, 06 Dec 2019 05:55:37 | Server: BadHTTPServer | Last-Modified: Fri, 06 Dec 2019 05:55:37 | Content-Length: 4171 | Content-Type: text/html | Connection: Closed | <!DOCTYPE html> | <html lang="en"> | <head> | <meta charset="utf-8"> | <title>0bscura</title> | <meta http-equiv="X-UA-Compatible" content="IE=Edge"> | <meta name="viewport" content="width=device-width, initial-scale=1"> | <meta name="keywords" content=""> | <meta name="description" content=""> | <!-- | Easy Profile Template | http://www.templatemo.com/tm-467-easy-profile | <!-- stylesheet css --> | <link rel="stylesheet" href="css/bootstrap.min.css"> | <link rel="stylesheet" href="css/font-awesome.min.css"> | <link rel="stylesheet" href="css/templatemo-blue.css"> | </head> | <body data-spy="scroll" data-target=".navbar-collapse"> | <!-- preloader section --> | <!-- | <div class="preloader"> | <div class="sk-spinner sk-spinner-wordpress"> | HTTPOptions: | HTTP/1.1 200 OK | Date: Fri, 06 Dec 2019 05:55:38 | Server: BadHTTPServer | Last-Modified: Fri, 06 Dec 2019 05:55:38 | Content-Length: 4171 | Content-Type: text/html | Connection: Closed | <!DOCTYPE html> | <html lang="en"> | <head> | <meta charset="utf-8"> | <title>0bscura</title> | <meta http-equiv="X-UA-Compatible" content="IE=Edge"> | <meta name="viewport" content="width=device-width, initial-scale=1"> | <meta name="keywords" content=""> | <meta name="description" content=""> | <!-- | Easy Profile Template | http://www.templatemo.com/tm-467-easy-profile | <!-- stylesheet css --> | <link rel="stylesheet" href="css/bootstrap.min.css"> | <link rel="stylesheet" href="css/font-awesome.min.css"> | <link rel="stylesheet" href="css/templatemo-blue.css"> | </head> | <body data-spy="scroll" data-target=".navbar-collapse"> | <!-- preloader section --> | <!-- | <div class="preloader"> |_ <div class="sk-spinner sk-spinner-wordpress"> |_http-server-header: BadHTTPServer |_http-title: 0bscura 9000/tcp closed cslistener 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port8080-TCP:V=7.80%I=7%D=12/6%Time=5DE9ED1C%P=x86_64-pc-linux-gnu%r(Ge SF:tRequest,10FC,"HTTP/1\.1\x20200\x20OK\nDate:\x20Fri,\x2006\x20Dec\x2020 SF:19\x2005:55:37\nServer:\x20BadHTTPServer\nLast-Modified:\x20Fri,\x2006\ SF:x20Dec\x202019\x2005:55:37\nContent-Length:\x204171\nContent-Type:\x20t SF:ext/html\nConnection:\x20Closed\n\n<!DOCTYPE\x20html>\n<html\x20lang=\" SF:en\">\n<head>\n\t<meta\x20charset=\"utf-8\">\n\t<title>0bscura</title>\ SF:n\t<meta\x20http-equiv=\"X-UA-Compatible\"\x20content=\"IE=Edge\">\n\t< SF:meta\x20name=\"viewport\"\x20content=\"width=device-width,\x20initial-s SF:cale=1\">\n\t<meta\x20name=\"keywords\"\x20content=\"\">\n\t<meta\x20na SF:me=\"description\"\x20content=\"\">\n<!--\x20\nEasy\x20Profile\x20Templ SF:ate\nhttp://www\.templatemo\.com/tm-467-easy-profile\n-->\n\t<!--\x20st SF:ylesheet\x20css\x20-->\n\t<link\x20rel=\"stylesheet\"\x20href=\"css/boo SF:tstrap\.min\.css\">\n\t<link\x20rel=\"stylesheet\"\x20href=\"css/font-a SF:wesome\.min\.css\">\n\t<link\x20rel=\"stylesheet\"\x20href=\"css/templa SF:temo-blue\.css\">\n</head>\n<body\x20data-spy=\"scroll\"\x20data-target SF:=\"\.navbar-collapse\">\n\n<!--\x20preloader\x20section\x20-->\n<!--\n< SF:div\x20class=\"preloader\">\n\t<div\x20class=\"sk-spinner\x20sk-spinner SF:-wordpress\">\n")%r(HTTPOptions,10FC,"HTTP/1\.1\x20200\x20OK\nDate:\x20 SF:Fri,\x2006\x20Dec\x202019\x2005:55:38\nServer:\x20BadHTTPServer\nLast-M SF:odified:\x20Fri,\x2006\x20Dec\x202019\x2005:55:38\nContent-Length:\x204 SF:171\nContent-Type:\x20text/html\nConnection:\x20Closed\n\n<!DOCTYPE\x20 SF:html>\n<html\x20lang=\"en\">\n<head>\n\t<meta\x20charset=\"utf-8\">\n\t SF:<title>0bscura</title>\n\t<meta\x20http-equiv=\"X-UA-Compatible\"\x20co SF:ntent=\"IE=Edge\">\n\t<meta\x20name=\"viewport\"\x20content=\"width=dev SF:ice-width,\x20initial-scale=1\">\n\t<meta\x20name=\"keywords\"\x20conte SF:nt=\"\">\n\t<meta\x20name=\"description\"\x20content=\"\">\n<!--\x20\nE SF:asy\x20Profile\x20Template\nhttp://www\.templatemo\.com/tm-467-easy-pro SF:file\n-->\n\t<!--\x20stylesheet\x20css\x20-->\n\t<link\x20rel=\"stylesh SF:eet\"\x20href=\"css/bootstrap\.min\.css\">\n\t<link\x20rel=\"stylesheet SF:\"\x20href=\"css/font-awesome\.min\.css\">\n\t<link\x20rel=\"stylesheet SF:\"\x20href=\"css/templatemo-blue\.css\">\n</head>\n<body\x20data-spy=\" SF:scroll\"\x20data-target=\"\.navbar-collapse\">\n\n<!--\x20preloader\x20 SF:section\x20-->\n<!--\n<div\x20class=\"preloader\">\n\t<div\x20class=\"s SF:k-spinner\x20sk-spinner-wordpress\">\n"); Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 55.18 seconds |
Mari kita coba akses service http yang ada di port 8080 Ada tampilan seperti halaman blog tentang 0bscura, jika scroll kebawah maka kita akan mendapatkan clue seperti Nampaknya pembuat box menginginkan kita menemukan script python SuperSecureServer.py yang ada di sebuah directory. Maka untuk mencarinya […]