Author: Blade

Hack the Box: Bashed

I ran NMAP.

Nmap 7.25BETA2 scan initiated Sat Feb 10 10:05:35 2018 as: nmap -vv -Pn -sS -A -sC -p- -T 3 -script-args=unsafe=1 -oA detailed_scan -n 10.10.10.68

Increasing send delay for 10.10.10.68 from 0 to 5 due to 379 out of 1262 dropped probes since last increase.
Nmap scan report for 10.10.10.68
Host is up, received user-set (0.26s latency).
Scanned at 2018-02-10 10:05:37 EST for 1856s
Not shown: 65485 closed ports
Reason: 65485 resets
PORT      STATE    SERVICE REASON                              VERSION
80/tcp    open     http    syn-ack ttl 63                      Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 6AA5034A553DFA77C3B2C7B4C26CF870
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
7515/tcp  filtered unknown no-response
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

TCP/IP fingerprint:

OS:SCAN(V=7.25BETA2%E=4%D=2/10%OT=80%CT=1%CU=40317%PV=Y%DS=2%DC=T%G=Y%TM=5A
OS:7F1181%P=i686-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10E%TI=Z%CI=I%TS=8)SEQ(S
OS:P=101%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=8)SEQ(SP=100%GCD=1%ISR=10D%TI=Z%II
OS:=I%TS=8)SEQ(SP=101%GCD=1%ISR=10E%TI=Z%TS=8)OPS(O1=M508ST11NW7%O2=M508ST1
OS:1NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11NW7%O6=M508ST11)WIN(W1=71
OS:20%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5
OS:08NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4
OS:(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%
OS:F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%
OS:T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%R
OS:ID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.007 days (since Sat Feb 10 10:26:33 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   257.82 ms 10.10.14.1
2   259.11 ms 10.10.10.68


Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

# Nmap done at Sat Feb 10 10:36:33 2018 -- 1 IP address (1 host up) scanned in 1859.43 seconds

I checked port 80 then ran dirbuster.

Continue reading “Hack the Box: Bashed”

Hack the Box: Sense

I ran NMAP.

nmap -vv -Pn -sS -A -sC -p- -T 3 -script-args=unsafe=1 -oA detailed_scan -n 10.10.10.60

Nmap scan report for 10.10.10.60
Host is up, received user-set (0.27s latency).
Scanned at 2018-02-16 00:33:19 EST for 756s
Not shown: 65533 filtered ports
Reason: 65533 no-responses
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 lighttpd 1.4.35
| http-methods: 
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
443/tcp open ssl/http syn-ack ttl 63 lighttpd 1.4.35
|_http-favicon: Unknown favicon MD5: 082559A7867CF27ACAB7E9867A8B320F
| http-methods: 
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.35
|_http-title: Login
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US/organizationalUnitName=Organizational Unit Name (eg, section)/localityName=Somecity/emailAddress=Email Address
| Issuer: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US/organizationalUnitName=Organizational Unit Name (eg, section)/localityName=Somecity/emailAddress=Email Address
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-10-14T19:21:35
| Not valid after: 2023-04-06T19:21:35
| MD5: 65f8 b00f 57d2 3468 2c52 0f44 8110 c622
| SHA-1: 4f7c 9a75 cb7f 70d3 8087 08cb 8c27 20dc 05f1 bb02
| -----BEGIN CERTIFICATE-----
| MIIEKDCCA5GgAwIBAgIJALChaIpiwz41MA0GCSqGSIb3DQEBCwUAMIG/MQswCQYD
| VQQGEwJVUzESMBAGA1UECBMJU29tZXdoZXJlMREwDwYDVQQHEwhTb21lY2l0eTEU
| MBIGA1UEChMLQ29tcGFueU5hbWUxLzAtBgNVBAsTJk9yZ2FuaXphdGlvbmFsIFVu
| aXQgTmFtZSAoZWcsIHNlY3Rpb24pMSQwIgYDVQQDExtDb21tb24gTmFtZSAoZWcs
| IFlPVVIgbmFtZSkxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MwHhcNMTcx
| MDE0MTkyMTM1WhcNMjMwNDA2MTkyMTM1WjCBvzELMAkGA1UEBhMCVVMxEjAQBgNV
| BAgTCVNvbWV3aGVyZTERMA8GA1UEBxMIU29tZWNpdHkxFDASBgNVBAoTC0NvbXBh
| bnlOYW1lMS8wLQYDVQQLEyZPcmdhbml6YXRpb25hbCBVbml0IE5hbWUgKGVnLCBz
| ZWN0aW9uKTEkMCIGA1UEAxMbQ29tbW9uIE5hbWUgKGVnLCBZT1VSIG5hbWUpMRww
| GgYJKoZIhvcNAQkBFg1FbWFpbCBBZGRyZXNzMIGfMA0GCSqGSIb3DQEBAQUAA4GN
| ADCBiQKBgQC/sWU6By08lGbvttAfx47SWksgA7FavNrEoW9IRp0W/RF9Fp5BQesL
| L3FMJ0MHyGcfRhnL5VwDCL0E+1Y05az8PY8kUmjvxSvxQCLn6Mh3nTZkiAJ8vpB0
| WAnjltrTCEsv7Dnz2OofkpqaUnoNGfO3uKWPvRXl9OlSe/BcDStffQIDAQABo4IB
| KDCCASQwHQYDVR0OBBYEFDK5DS/hTsi9SHxT749Od/p3Lq05MIH0BgNVHSMEgeww
| gemAFDK5DS/hTsi9SHxT749Od/p3Lq05oYHFpIHCMIG/MQswCQYDVQQGEwJVUzES
| MBAGA1UECBMJU29tZXdoZXJlMREwDwYDVQQHEwhTb21lY2l0eTEUMBIGA1UEChML
| Q29tcGFueU5hbWUxLzAtBgNVBAsTJk9yZ2FuaXphdGlvbmFsIFVuaXQgTmFtZSAo
| ZWcsIHNlY3Rpb24pMSQwIgYDVQQDExtDb21tb24gTmFtZSAoZWcsIFlPVVIgbmFt
| ZSkxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3OCCQCwoWiKYsM+NTAMBgNV
| HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAHNn+1AX2qwJ9zhgN3I4ES1Vq84l
| n6p7OoBefxcf31Pn3VDnbvJJFFcZdplDxbIWh5lyjpTHRJQyHECtEMW677rFXJAl
| /cEYWHDndn9Gwaxn7JyffK5lUAPMPEDtudQb3cxrevP/iFZwefi2d5p3jFkDCcGI
| +Y0tZRIRzHWgQHa/
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running (JUST GUESSING): Comau embedded (92%), FreeBSD 8.X (85%), OpenBSD 4.X (85%)
OS CPE: cpe:/o:freebsd:freebsd:8.1 cpe:/o:openbsd:openbsd:4.0
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Comau C4G robot control unit (92%), FreeBSD 8.1 (85%), OpenBSD 4.0 (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.60%E=4%D=2/16%OT=80%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=5A867014%P=i686-pc-linux-gnu)
SEQ(SP=103%GCD=2%ISR=10C%TI=RD%II=RI%TS=22)
OPS(O1=M508NW7ST11%O2=M508NW7ST11%O3=M280NW7NNT11%O4=M508NW7ST11%O5=M218NW7ST11%O6=M109ST11)
WIN(W1=FECC%W2=FECC%W3=FECC%W4=FECC%W5=FECC%W6=FECC)
ECN(R=Y%DF=Y%TG=40%W=FECC%O=M508NW7SLL%CC=N%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=S%TG=40%CD=S)

Uptime guess: 0.000 days (since Fri Feb 16 00:45:39 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Randomized

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 280.70 ms 10.10.14.1
2 283.41 ms 10.10.10.60

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 00:45
Completed NSE at 00:45, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 00:45
Completed NSE at 00:45, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 760.70 seconds
Raw packets sent: 131579 (5.793MB) | Rcvd: 459 (21.726KB)

I found a PfSense login page in port 80 and 443. I tried to use default credentials and common username/password but it didn’t worked.

Continue reading “Hack the Box: Sense”

RDP Session Hijacking using tscon

I read Kevin Beaumont’s RDP Session Hijacking article in Medium and was amazed on how it worked so I decided to replicate it.

For more information about the RDP Hijacking please check Kevin Beaumont article (https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6).

 

The Setup:
2 virtual machines both running in Windows 7

Continue reading “RDP Session Hijacking using tscon”

Hack the Box: Node

I ran NMAP.

nmap -vv -Pn -sS -A -sC -p- -T 3 -script-args=unsafe=1 -oA detailed_scan -n 10.10.10.58

 

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-17 02:20 EST

Nmap scan report for 10.10.10.58

Host is up, received user-set (0.28s latency).

Scanned at 2018-02-17 02:20:14 EST for 791s

Not shown: 65533 filtered ports

Reason: 65533 no-responses

PORT     STATE SERVICE REASON         VERSION

22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

|   2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)

| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwesV+Yg8+5O97ZnNFclkSnRTeyVnj6XokDNKjhB3+8R2I+r78qJmEgVr/SLJ44XjDzzlm0VGUqTmMP2KxANfISZWjv79Ljho3801fY4nbA43492r+6/VXeer0qhhTM4KhSPod5IxllSU6ZSqAV+O0ccf6FBxgEtiiWnE+ThrRiEjLYnZyyWUgi4pE/WPvaJDWtyfVQIrZohayy+pD7AzkLTrsvWzJVA8Vvf+Ysa0ElHfp3lRnw28WacWSaOyV0bsPdTgiiOwmoN8f9aKe5q7Pg4ZikkxNlqNG1EnuBThgMQbrx72kMHfRYvdwAqxOPbRjV96B2SWNWpxMEVL5tYGb

|   256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)

| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKQ4w0iqXrfz0H+KQEu5D6zKCfc6IOH2GRBKKkKOnP/0CrH2I4stmM1C2sGvPLSurZtohhC+l0OSjKaZTxPu4sU=

|   256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (EdDSA)

|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5cgCL/RuiM/AqWOqKOIL1uuLLjN9E5vDSBVDqIYU6y

3000/tcp open  http    syn-ack ttl 63 Node.js Express framework

| hadoop-datanode-info:

|_  Logs: /login

|_hadoop-jobtracker-info:

| hadoop-tasktracker-info:

|_  Logs: /login

|_hbase-master-info:

|_http-favicon: Unknown favicon MD5: 30F2CC86275A96B522F9818576EC65CF

| http-methods:

|_  Supported Methods: GET HEAD POST OPTIONS

|_http-title: MyPlace

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

OS fingerprint not ideal because: Missing a closed TCP port so results incomplete

Aggressive OS guesses: Linux 3.2 - 4.8 (92%), Linux 3.10 - 4.8 (90%), Linux 3.12 (90%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%), Linux 3.16 (90%), Linux 3.16 - 4.6 (90%), Linux 3.18 (90%), Linux 3.8 - 3.11 (90%), Linux 4.4 (90%)

No exact OS matches for host (test conditions non-ideal).

TCP/IP fingerprint:

SCAN(V=7.60%E=4%D=2/17%OT=22%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=5A87DAC5%P=i686-pc-linux-gnu)

SEQ(SP=FF%GCD=1%ISR=FB%TI=Z%II=I%TS=8)

OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11NW7%O6=M508ST11)

WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)

ECN(R=Y%DF=Y%TG=40%W=7210%O=M508NNSNW7%CC=Y%Q=)

T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)

T2(R=N)

T3(R=N)

T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)

U1(R=N)

IE(R=Y%DFI=N%TG=40%CD=S)



Uptime guess: 0.014 days (since Sat Feb 17 02:13:15 2018)

Network Distance: 2 hops

TCP Sequence Prediction: Difficulty=255 (Good luck!)

IP ID Sequence Generation: All zeros

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel



TRACEROUTE (using port 22/tcp)

HOP RTT       ADDRESS

1   301.92 ms 10.10.14.1

2   302.66 ms 10.10.10.58



NSE: Script Post-scanning.

NSE: Starting runlevel 1 (of 2) scan.

Initiating NSE at 02:33

Completed NSE at 02:33, 0.00s elapsed

NSE: Starting runlevel 2 (of 2) scan.

Initiating NSE at 02:33

Completed NSE at 02:33, 0.00s elapsed

Read data files from: /usr/bin/../share/nmap

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 794.34 seconds

           Raw packets sent: 131581 (5.793MB) | Rcvd: 467 (21.244KB)

I checked port 3000 running in Express Node.js.

While browsing the pages I noticed a page that showed user information such as ID, username, password hash and if the user is an admin or not.

Continue reading “Hack the Box: Node”