HackTheBox - Lazy
Key Takeaways
The video walks through the 'Lazy' box on HackTheBox: Burp Suite, SQLMap and PadBuster are used against the login cookie (second-order SQL injection attempts, a CBC bit flip, and an Oracle padding attack), and a PATH hijack of a setuid backup binary is used to gain root.
Full Transcript
Hey guys, what's going on? This is IppSec and I'll be doing Lazy from HackTheBox. This video I may do a bit fast; I have to head out to BSides DC today. If I didn't do the video today then it would be delayed like three days after release, which I did not want to do, so we'll do this pretty quick. Let's jump in.

Starting off, we do have to do the nmap, so -sC for safe scripts, -sV to enumerate version, -oA for all formats, then the IP address of Lazy, which I believe is 10.10.10.18. I've already done this, so let's look at the results and we see only port 22 and 80 open. So let's open up Firefox and go to 10.10.10.18 and we see just a blank login page. So the very first thing I always do, let's go here and type like admin and then do it in the search thing so you can see, or 1=1, things like that. No. Okay, let's put these in quotes. I just try a bunch of potential SQL injections. Didn't work. So what I'm going to do next is open up Burp, go to the Proxy tab, turn intercept on, and we'll capture a request. The reason I'm doing this is so I can have SQLMap running in the background while I test other things. It's always important to do multiple things at once, especially if something's just simple recon. I do not want to click that. Default, and then admin. Go over to Burp, copy this entire request, go back to a terminal, create a new session, and we will vi login.request and then clear these blank lines. I'm sure there's a better way to copy the stupid request, but this isn't a big enough hassle for me to Google and figure out what I'm doing wrong there. So we're going to do sqlmap -r login.request and we'll do, I think, --level 4 --risk 3. I get those two reversed, so if this errors we'll do level 3, risk 4. That should be going soon. There we go. Let's make sure it doesn't ask us for anything, that's SQLMap. Okay, it is testing.

So the next thing I want to do is let's register a user and see what happens. Register. I'm gonna register ipsec, password, and I'm just putting password, and we'll try logging in, and it says we're currently logged in and that is it. So the next thing I'm going to do is go to our HTTP history tab. Let's get this login request, it was a POST. Nope, that is register. Where is login? Oh, there is no login because it just auto logged me in. So what I'm going to do, log out, log in again, ipsec, put the password, and I want to examine the cookies. So let's go over to Burp, intercept on. Like, tabbing to the right window would be helpful. So I'm gonna send this to Sequencer, and what this is gonna do is replay this login request a few hundred times. So I'm gonna start the live capture because it's got its token location within the response already; see, it's the auth token. So start live capture, and essentially what that's doing is, we'll send this to Repeater, click Go: it's sending this request, capturing this response, and logging it. So you should be able to pause this, analyze now, and all I want to do is see if the login token is changing. Go to character-level analysis, bit-level; it doesn't have enough to do character level, so let that run. And we can actually, no, I just copied the tokens and we will paste them, vi login.tokens. That's gonna take a little bit to get off my clipboard. We can stop this, we don't need to do Sequencer anymore.

And the next thing I want to do is we'll try like second-order SQL injections or things like that. So what that means is the developers have been told, hey, do not trust user input because users can do bad things; if you trust user input you may have a bad time because they control it. What developers sometimes forget is that if users can control the input that goes into the database, and the developer's like, you know what, I can trust anything that comes from the database, I'm not gonna do sanitization checks because it's the database, the database is trusted, that's not the user. Well, if the user put something bad in, then it becomes the developer's problem. So do that. So basic SQL injection technique, we're just ending the quote then inserting a comment, and we'll do password, password. Log in again. Okay, it looks like it's sanitized that well, so it may not be that. The next thing we'll do is, let's see, one, register a user named admin with a space and see what happens. Again, it says user exists, and then a bunch of spaces, so that's not going to work. Um, that's weird, duplicate. Now it's showing the SQL error up here. We'll do admin=, try like NoSQL-type injection things, and we log in and we get right in. So this wasn't really a valid technique; it's in the source, it's doing like removing all equal signs for some reason. So we register the user admin= and then when it does the check it's valid. If you look at the decrypt PHP I can show that, but that's one way.

The other way is, did this finish copying? Yeah, so here's all the auth tokens. So we can see they do vary, which means there's some type of randomness in creating this token. So if there wasn't any random then we know, oh, there's a unique signing key that goes to all these tokens, and once we get a valid token it's gonna be good forever because there's nothing unique in that auth token, or nothing unique signing the auth token or encrypting it or whatnot. So the next thing I'm going to do, I'm gonna register really close to admin, like cdmin, and, what do you know, password, password, login. Okay. Now when I go back into Burp, turn intercept on because I want to intercept this request, refresh, we're going to send this to Intruder, make sure a position is set on that auth token, and the payload is going to be a bit flipper. So I'm assuming that this is some encrypted value right now, and I don't know how it's encrypted, but if I flip a bit it may be able to change one character; if it changes that c to an a or something then I'm admin. So that's what I'm trying to do, just flip random bits in the encryption, and I know that my username varies by one bit, so I may get lucky and become admin. So payload processing, value, and we will start this attack, sort it by length, and we do see multiple different lengths. So if you go down here and look at the response, invalid padding. This hints that it's an Oracle padding attack, which we can show you right after this. We go up, let's see, you're logged in as cdmin, cdmin, see this response is still cdmin. It is. I know I could right-click somewhere and add a new tab and create this as a column, but oh well. User not found doesn't tell me what the username is, so that was probably some really bad thing that completely broke cdmin. Let's see the next one: cdlin, c, bad character, min, cdmin, clmin. So you can see me flipping this bit, I'm trying to get one that has admin, and it finished and it does not look like I have any. Could have sworn this should have worked. So we'll try the user bdmin instead of c and we'll see if we have different luck there. We need to send this request again. I'm not sure how repeatable this is, if it would do the same bits every time. So let's see. No, dmin, so that's bad. Let's, we'll go, surprise, disable intercept. I did that again: bdmin, password, and let's try it with this one. Intercept. Oh wait, I don't want to copy that, I just need to send to Intruder. Well, I could just do this last one, and positions, we will paste, start attack. And this one, we'll say we got lucky and flipped it with admin; this is a completely different response. So I'm guessing if I convert it to like binary then I would have seen exactly where one went wrong, but we won't worry about that. We'll just log in and verify that. Yes, we have two different ways we have done this challenge. So Tools, Foxy, no, Cookie Manager, and we want to do 10.10.10.18 and add this cookie, and we will paste. Okay, Proxy, intercept off, refresh, and we're admin again.

So the last way we can do this is with an Oracle padding attack, and we knew that because of that invalid padding error message. Basically Oracle padding is an information leak, and that allows you to brute-force the key one bit at a, one byte at a time, and it does so by using the padding variable, which I guess you can think of kind of like a checksum that says yes, this whole block is fine. Horrible explanation; maybe I'll do a better one one time, or you can YouTube Oracle padding attack and learn about it. But we're gonna use a tool called PadBuster. There we go, that's what it is, and if you just Google this tool you can easily find it. So we do perl padBuster to see the usage. Go over to SQLMap, nothing appeared injectable, so we can exit that, and we'll name this padbuster. Okay, so what we want to do is perl padBuster, and it wants the URL, so you want to go to 10.10.10.18, and let me, oh, do I have a bad cookie? Yeah, this will be the cookie we use, the ipsec cookie. So go back here. The next thing it wants is the encrypted sample, the block size, either choose 8 or 16, it's normally one of those two, we're gonna do 8, and then options. So we want to do -cookies right here and specify auth= that. That looks good, let this go for a second. Okay, it's gonna ask which response ID do we want to use; it recommends us doing 2, so we're gonna do 2. And while that runs, let's go back to the web page. Mitsos, this is my SSH key just in case you ever want to log in and check something out, thank you. So we'll copy this key. Going over here, we see it has brute-forced 1 byte, 2 bytes, 3 bytes, and you can see 256 because it's just trying 256 different values for each byte. This next one, we will do wget on that key that I copied. We see the URL is my SSH key with name mitsos, so we will rename that to mitsos.key to make it easy, and I'm sure that translates to something in a different language. Before we can use the key we have to chmod it to 600, and now we can ssh -i mitsos.key and then 10.10.10.18. Let's go back to PadBuster, it's still trying. It decrypted the first block of 8 bytes and it is user=ipp. Go back here, now we name this window SSH. Okay, wait, oh, I didn't specify the user. Well, that logs in. Check PadBuster, still going.

So we're logged in and we see the binary backup. It's got PEDA, which is a gdb extension; I'm pretty sure I did that in another video. We execute backup and it just cats the shadow file. So we could copy this and try to crack this hash, but that is, I believe, SHA-512 as signified by $6$, which means we're probably not going to crack this. The other thing we could do is analyze this in like Binary Ninja, IDA, or something, but since it's got PEDA on it, I hate the name of that application, I don't know any other way to pronounce it, but we can just run gdb and step through this. So gdb on backup, we're gonna break main, and then when we run this we can see kind of what it's doing. So right here it's calling system, and just before it's calling system it is loading a variable into ESP, which would be the argument for system. So if we step twice we get to this, and if we just, I think, x/s, examine this variable, just do that, yeah, we can see it's going to be /etc/shadow, cat /etc/shadow. So we'll step one more time to execute this call, we look in ESP, and we will see that variable get put here. The key note is it's not an absolute path, it's just catting /etc/shadow. So what that means is, how the PATH works: if I type ping it knows what ping is. If we do echo $PATH, ping is going to be in one of these locations. So if we do which ping, we see it is in /bin. So /usr/local/sbin, it's gonna run through all these and hit this; so if ping existed in any of these previous directories then it's going to execute that file. So same way with cat, we do which cat, it's going to be in /bin. So what I'm going to do is create a file called cat, and it's going to be a bash script, and we're just going to call sh. So chmod +x to make this executable. And now, actually, before we do this, this will be easier to explain: so if we cat /etc/passwd, nothing happens because we haven't edited the PATH yet. So if I do export PATH=$PWD:$PATH, now when I echo $PATH I have /home/mitsos in my PATH as the first thing. So if I do that, cat /etc/passwd, it should have... chmod +x cat. I don't know why that wasn't executable, did I screw something up? Huh, weird. I'm actually not sure what's going on. See if we run backup: path hijacked. So I guess it doesn't work in the actual terminal window. So if we do vi test.py, import os, os.popen, I think, oh, os.system exists; if not we can do the other one. Print that, and we get path hijacked. So if we move that cat file to be cat.bak, run that Python script, it does cat /etc/passwd. So that's exactly what's happening there. So let's move that cat back and edit this, so instead of echoing path hijacked let's just give ourselves a shell. So ./backup, and then we see our effective user ID is zero. So if we go to cd /root, cat root.txt doesn't output it. Why not? Because the PATH is screwed. So I know what happened there; so if we just less that file we could get it, but whatever. We'll go back into this cat file. So remember what I did, cat /etc/passwd, and it's doing that. It's because PATH is loaded into my bash session, so if I just do bash, redo all my environment variables from here, and cat /etc/passwd, we get path hijacked. So that is that challenge.

If we go to PadBuster we can see it has decrypted the cookie that we gave it; remember PadBuster has no knowledge of the plaintext, that was user=ipsec. So we'll do -plaintext user=admin now and it's going to run that again. So this could take a little bit, but this will return us the cookie for an admin user. So while it does that, let's look into the PHP script. Isn't it classes, user... I know. So here is the decrypt script. It is using, what was that? Did I miss it? Let's see. I think it gets in classes/user. So I had just stripped out a lot to make it easier, so let's go back to that. So right here is why that equals thing worked: it's taking user, exploding it to remove the equals; not exactly sure why it's doing that. It is using an initialization vector. It's gonna show something, maybe it was just this list(user) explode. If we go back to PadBuster, so it says it encrypted this, so this should be the cookie. So we log out, intercept the request, go to cookies=... I think that should be good. So, just in case it's not and I did something wrong, let's just log in with ipsec, password, and replace the cookie. Intercept off, log in again, ipsec, password, okay, intercept on, refresh. Oh, I did cookies instead of cookie, that's it. And we see we get back to admin because that cookie says we logged in as admin. So, something else I was doing just before that? I don't think so. So I hope you guys enjoyed that video, hopefully it wasn't all over the place. I'd like to take more time but again I have to head out to BSides DC now. Take care guys, later.
Original Description
00:39 - Basic Web Page Discovery
03:30 - Examining Cookies - Pt1 (Burp Sequencer)
05:05 - Fuzzing Usernames (2nd Order SQL Injection)
07:15 - Examining Cookies - Pt2
07:40 - Cookie Bitflip
12:45 - Oracle Padding Attack - Pt1
15:30 - Rooting the Box
22:50 - Oracle Padding Attack - Pt2