Busqueda is an easy machine that challenges you to read code, find the vulnerability, and craft syntactically correct payloads that suit the code when injected. The privilege escalation is straight forward and explores relative path hijacking through SUID scripts to get root.
Forest is a easy machine that starts with enumerating usernames through LDAP and performing Kerberoasting on that user. After cracking the TGT hash, we obtain the user shell. The privilege escalation involved mapping the Active Directory domain and understanding the group memberships and permissions that could be exploited. WriteDACL permissions were discovered for one of the groups which was abused to perform the DCSync attack to dump the hashes and finally pass them to gain the administrator shell.
Machine Name: Agile IP: 10.10.11.203 Difficulty: Medium
Summary
Agile is a medium machine that starts with discovering a LFI which was leveraged to gain information required to crack the Werkzeug pin. The werkzeug pin allowed console access which allowed us to gain a shell as www-data. A config file revealed MySQL database credentials. The credentials for user corum were found which were used to SSH into the box. Enumerating further, it was found that chrome was running a remote-debugging-port at 41829 which was port forwarded to attacker machine which allowed us access to an existing session of the application. The credentials for user edwards was found here and were used to SSH into the box. Privilege escalation to root involved exploiting the sudo version 1.9.9 which was used to execute a writeable script running as root.
In a dimly lit bar amidst the soft haze of smoke and melancholic tunes of jazz, a girl enters. The door swings open, and a gentle breeze carries the fragrance of damp earth and raindrops, creating an ambience that embraces people midst the cold season. She wears a crimson coat that stands out beautifully against the muted colors of the interior. The tinkling of a bell above the door announces her arrival, momentarily breaking the spell of the piano’s melody. Her steps are graceful, barely audible over the lilting jazz. Making her way to the counter, she settles onto a barstool, capturing the attention of everyone around. The bartender, skilled in reading people, senses the woman’s unspoken longing as he pours her a cup of coffee.
The posts in Malware Development Primer series are intended for educational and red/blue teaming purposes only. The author does not condone infecting systems without the consent of the system owner. The author should not be held responsible for any misuse of this content. Act responsibly!
Introduction
The word “malware” always sets off alarms, and rightly so for all the havoc it can cause. The art in malware development lies in creative evasion. Developing undetectable malware is an essential skill for red teamers as open source offensive tools are easily caught by the most naïve antivirus software. Red teams need to keep up with maturing defenders and blue teams, vice versa. In this series, I intend to document my learnings on developing malware and bypassing latest defenses.
In this post, I will introduce malware development in C/C++ by creating a PE .exe file that executes shellcode to pop a reverse shell.
In this blog post, we will explore the fundamental concepts of buffer overflows. I examine a vulnerable function written in C to understand the mechanics of exploiting this vulnerability, which allows attackers to take control of the program’s flow and execute arbitrary code.
Machine Name: Socket IP: 10.10.11.206 Difficulty: Medium
Summary
Socket is a medium machine that starts with decompiling and obtaining the python source code for an executable. The source code reveals how one can communicate with the WebSocket server that is hosted. The WebSocket server is vulnerable to SQLi which is leveraged to obtain password hashes for the user. The privilege escalation involves exploiting a script that the user can run as root. This script uses PyInstaller to build files. A python file that sets the suid bit was executed using this script to gain root privileges.
Inject is an easy machine which starts with exploiting an LFI to gain information on the application being built on Spring Framework. Through the LFI, we discover one of the configuration files which reveals that the framework version is vulnerable to RCE. The RCE in Spring Cloud is exploited to gain a shell as user Frank. However, only user Phil can read the user flag. The credentials of Phil were found in another configuration file which was used to switch user to Phil. Privilege Escalation consisted of checking for cronjobs and looking for vulnerabilities in the jobs running as root. Ansible was being run on all the “.yml” files, which was exploited to gain access as root.
Late at 1 o’clock on a cold, frosty night, the gust of wind, bearing melancholic whispers of the deserted train station, faded into silence, as it heard a lady humming some abstruse melody. Perched upon a bench near the platform with her fancy luggage nestled between her legs, she immersed herself in music flowing through her headphones. Clad in a pristine white sweater, adorned with an ebony thread that wove her name into its fabric, it proudly proclaimed, “Kashvi.” Time stretched languidly as she awaited her train, scheduled to arrive at 3 am. Immersed in music and captivated by the pages of her mobile library, she sought solace.
Stocker is an easy machine which starts with a subdomain enumeration, and leads to NoSQL injection to bypass a login page. Then, it challenges us to understand the flow of API calls that generate a PDF, which can be exploited to read local files on the server using a Server Side XSS exploit. We find credentials of a user by exploiting the Server Side XSS to read the source code of the application. The privilege escalation involves abusing sudo rights that allow the user to run javascript files as root.
Welcome to Part 2 of our blog series on Adversarial Machine Learning! In this installment, we will explore the Fast Gradient Sign Method (FGSM), one of the most widely used and effective adversarial attack techniques. We will understand how the attack works, its significance, and implement the attack through PyTorch code.
Welcome to the first part of our blog series on Adversarial Machine Learning! In this series, we will explore the fascinating field of adversarial machine learning, its background, techniques for attacks, and strategies for defense. Let’s begin with an introduction to adversarial machine learning and its relevance in today’s landscape.
In this blog post, we will discuss how to fine-tune a pre-trained deep learning model using PyTorch. Fine-tuning is a powerful technique that allows us to leverage the knowledge learned by a pre-trained model on a large dataset and apply it to a new task. This can save a significant amount of time and resources compared to training a model from scratch. The fine-tuned model achieved 92.34% accuracy on the test set.
Machine Name: Interface IP: 10.10.11.200 Difficulty: Medium
Summary
Interface is a medium machine that requires some “curling” skills to form request and demystify their respective response codes. The machine has a lot of fuzzing for API endpoints and parameters which lead to an exploit for DomPDF. The vulnerability deals with how DomPDF caches the font file and allows remote files to be read. The privilege escalation teaches a new technique that abuses Arithmetic Expression Injection in bash scripts.
In a world teeming with distractions where the internet unlocks an extraordinary wealth of educational resources that transcend ancient dreams, it emerges as a powerful tool, adept at ensnaring our minds and seizing control of our attention. We consume so much information that the only time we think at peace is in the bathroom while we bathe, the only time when boredom doesn’t irk us to get hold of our mobile phone. It’s when we ponder upon inane ideas that otherwise wouldn’t occur. Our generation has been lucky to see the advent of technology raise the bar for productivity, and stupidity too. Since the time power cuts were used as an excuse to tell stories or dreams and let our imagination run wild, to the present time where a power cut wouldn’t matter in our inverter resourceful homes and gadgets that keep us occupied, we have witnessed a shift in the way we engage our creative minds.
When do we think at peace? When do we enjoy our boredom?
MetaTwo is an easy machine that needs exploiting a SQLi that leads us to hashes that need to be cracked. The cracked hash credentials provide access to a WordPress dashboard. This WordPress version is vulnerable to Blind XXE via a WAVE file format metadata. The XXE gives us access to the “wp-config.php” file which contains cleartext password for FTP. Enumerating the FTP server, SSH credentials are found for user. Privilege Escalation requires understanding of private and public keys and different methods that are used to encrypt them. Passpie is the application that was used to encrypt private keys found. We can crack the GPG format keys using John and gain the credentials for root.
Machine Name: Investigation IP: 10.10.10.197 Difficulty: Medium
Summary
Investigation is a medium machine that has a web server vulnerable to command injection vulnerability. With enough enumeration, it is easy to exploit command injection. However, it only leads to a shell as www-data. Getting a user shell requires some log file analysis and common sense. Privilege escalation deals with binary analysis and code review.
Precious is an easy machine that requires basic enumeration to find and exploit an outdated software running on a web server. To escalate privileges, the machine makes you look at Ruby scripts and understand how one can identify and exploit Insecure Deserialization vulnerabilities.
If you have ever wanted to copy an error to debug and search on stackoverflow or copy a piece of text on terminal from a tmux session and failed, this post will guide you through the process of setting up a the Tmux Plugin Manager and installing Tmux-Yank to copy directly on the Linux System clipboard. I also demonstrate how to use mouse mode to scroll and copy using the mouse in Tmux.
Machine Name: Red Panda IP: 10.10.11.170 Difficulty: Easy
Summary
Red Panda is an easy machine (not really) that exploits SSTI in Java Spring Boot to get an RCE. To escalate privileges to root, enumeration of directories, permissions, identities, groups, processes, and files need to be chained together to exploit a file that runs as a cronjob as root. The main attack involves performing an XXE attack to gain access to the private key of root.