TryHackMe | Bounty Hunter Box

TryHackMe has a box called “Bounty Hunter” which was a ton of fun, and definitely an experience. Let’s dive right into it.

I started off with a regular old nmap scan of the IP. It showed that there were three ports open, and so that means three potential points of entry. Now, before we start testing everything, we’d usually try to grab the versions of the software running on these ports, to make sure there is no blatantly obvious vulnerability. SSH ended up being up to date, so we’ll follow my normal approach for this type of situation, which is immediately looking into FTP.

The most common thing that occurs on these beginner-level boxes is that the FTP server is left with anonymous login enabled. You don’t usually even NEED to use Metasploit to scan for it; you can just attempt to FTP in, and if user: anonymous and password: anonymous doesn’t work, then it’s not anonymous login, haha. Let’s go ahead and log in to the FTP server.

Annnnd, success! Just like I thought. Time to poke around a bit.

So there are two files in here, locks.txt and task.txt. Let’s download and open them up.

Cool, so this looks like a password list. It’ll come in handy later, so store it somewhere safe. Now, there’s one bit I missed documenting here, but I’ll do my best to explain it.

On our scan, port 80 was open, which is HTTP. This means they are most likely running a website, which also means there could be extra directories, code to audit, etc. Through exploring that site, I found the name “lin”. This appeared to be a username of some sort. So we had a username, and now we have a list of passwords. There’s one service that has yet to be useful to us: SSH. So, it’s gotta be the login to that. Power up Hydra and let’s get to brute forcing.

Start her up!

Nice! Glad to know that worked out in our favor. Let’s see what we can get to through SSH.

So our goals for this challenge were to get user.txt and root.txt. We’ve got user.txt, so now we need to get root on the box, and that means a little bit of privilege escalation.

This shows that the user we are logged in as (lin) can run the following command as root: /bin/tar. This means we need to head over to our favorite site to see how we can escape to root using this command.

Looks like it worked, and the box is now fully completed!

Thanks for reading!

Analysis of Commands Used in TryHackMe’s “Kenobi” box

This is more just notes for me than anything, but here we go:

So this is an nmap scan being used to enumerate for SMB shares. Let’s dissect it.

  • “-p 445” means it is only scanning the specified port, AKA port 445
  • “--script=” takes a list of what to run; there are a bunch of different scripts, directories, script categories, and more that can go in here
  • “smb-enum-shares.nse” and “smb-enum-users.nse” are scripts developed for nmap to do what their names describe; they enumerate SMB shares and the users of the SMB server. More info on at least one of these scripts can be found here.

The rest of this (nmap, machine_ip) is pretty self-explanatory.

Here are some of the SMB commands. Luckily, “smbclient” is a pretty simple one. It is similar to how an ftp connection works through the command line, and just connects to an SMB instance on a certain machine’s IP.

“smbget -r” downloads files from a share. The “r” is for resume, which means it automatically resumes aborted files.

So, here’s another nmap scan:

  • “nfs-ls,nfs-statfs,nfs-showmount” are the scripts being run; they can be looked at online at nmap’s official site, and the main one we are concerned with is here.

This shows the NFS exports, which is what we are mainly after. The others gather extra info that we rely on as well, but the question on the box’s page is about the mount that we can see.

The next question I need to answer for myself is: what is netcat?

Well, netcat is a utility that lets you read from and write to network connections using TCP or UDP. It has been described as a “networking Swiss army knife” and can do a ton of different things. Putting all the things it can do into words is currently beyond my depth, but it does look very useful.

Searchsploit is a command line search tool that checks Exploit-Db. This is useful because it lets you take an offline version of their database with you wherever you go, and is easily accessed from the command line. It can show exploits and shellcode useful for all manner of things.

Here “proftpd” is the service we are looking for exploits for, and “version” is where we will put the version number, like “1.3.5”.

Now we’ll take a look at two more commands. “SITE CPFR” specifies the file you want to copy, while “SITE CPTO” specifies where you want to copy it to.

“mkdir” creates a directory. “mount” mounts a drive/directory; it can be used to mount a network share such as SMB or, as here, NFS. “mount machine_ip:/var /mnt/kenobiNFS” mounts this machine’s /var onto our newly created directory. “ls -la” then displays the contents of a directory with a lot of extra info for each file, like the size in bytes, last time of modification, etc. The “a” of “la” lists all entries in the directory, including the entries that begin with a period.

  • “find” takes a path to start from and searches it for whatever matches the tests you feed it.
  • “/” is that starting path, so find will look through every file on the system.
  • “-perm” means you are matching files based on their permission bits, which is where this next bit comes in.
  • “-u=s” u stands for user, and the s means “set user or group ID on execution” (the setuid bit). The leading dash means “at least these bits are set”, so a file with extra permission bits still matches.
  • “-type f” means that it will only look for regular files. So type is specifying what type of things it is looking for, and f is specifying files.
  • “2>/dev/null” is a fancy way of redirecting stderr to a black hole. This means the error messages (like “Permission denied” on directories we can’t read) are discarded, while the matching paths still print.
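As an added example that is not part of the original post, this script runs the same find predicates against a throwaway directory instead of “/”, so you can see what each flag does: a constructed setuid file matches, an ordinary file does not, and dropping the leading dash from “-perm -u=s” makes the search match nothing. The file names and the count_suid helper are my own.

```shell
#!/bin/sh
# Added example, not from the original post: runs the exact find predicates
# explained above against a throwaway directory instead of "/", so the
# behaviour of each flag can be checked safely. All files are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/bin"

printf 'plain\n'  > "$WORK/bin/plain"      # ordinary 0755 file: must not match
printf 'setuid\n' > "$WORK/bin/suidtool"   # 4755: the set-user-ID bit is on
chmod 0755 "$WORK/bin/plain"
chmod 4755 "$WORK/bin/suidtool"

# Same search as the walkthrough, with the root directory as a parameter.
# "-perm -u=s" (leading dash) means "at least the setuid bit is set", so
# 4755 matches; "2>/dev/null" hides permission-denied noise, not results.
find_suid() {
    find "$1" -perm -u=s -type f 2>/dev/null
}

# Without the leading dash, -perm wants the mode to be exactly u=s (4000),
# which real binaries never are. Kept here to show why the dash matters.
find_suid_exact() {
    find "$1" -perm u=s -type f 2>/dev/null
}

# Defender's use: count the setuid files under a tree and compare with a
# known-good baseline; a new entry is worth investigating.
count_suid() {
    find_suid "$1" | wc -l | tr -d ' '
}

find_suid "$WORK"          # prints only .../bin/suidtool
find_suid_exact "$WORK"    # prints nothing
echo "setuid files: $(count_suid "$WORK")"
```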

Now, I’m going to attempt to walk myself through this. It might be right, it might be wrong.

So since we cannot run /usr/bin/sh the way we want to, we copied its contents and created a new file named curl with the same content. Now, just running curl wouldn’t work, because we still need the correct permissions inside and out. We moved it into the path that /usr/bin/menu looks in, a file that we CAN run, so that when menu gets run, it hits our curl, which in turn gives us the access we need. This is because menu has now fully run our shell (curl) as root.

Hopefully that was a semi-correct explanation. Cool stuff though, I’m looking forward to doing more of these!
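The command lookup that the Kenobi explanation above relies on, shown as an added example (not from the original post) with the weak pattern beside its hardened form: a program that calls “curl” by bare name gets whatever file of that name comes first on PATH, while one that resets PATH and uses an absolute path does not. Everything is constructed, runs unprivileged, and nothing is setuid.

```shell
#!/bin/sh
# Added example, not from the original post: shows the command lookup the
# Kenobi walkthrough relies on, as the weak pattern beside the hardened one.
# Everything runs unprivileged in a throwaway directory; nothing is setuid.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/realbin" "$WORK/writable"

# Constructed stand-in for the real curl that the menu program expects.
printf '#!/bin/sh\necho real-curl\n' > "$WORK/realbin/curl"
chmod 0755 "$WORK/realbin/curl"
# Constructed file that simply happens to share the name "curl" and sits
# in a directory that comes earlier on PATH (the situation described above).
printf '#!/bin/sh\necho shadowed\n' > "$WORK/writable/curl"
chmod 0755 "$WORK/writable/curl"

# Weak: the program inherits PATH and calls "curl" by bare name, so the
# first matching file on PATH wins, whoever put it there.
menu_weak() {
    PATH="$WORK/writable:$WORK/realbin" /bin/sh -c 'curl'
}

# Hardened: reset PATH to trusted directories and call the tool by absolute
# path. Either change alone is enough; doing both is cheap.
menu_hardened() {
    PATH="$WORK/realbin" /bin/sh -c "$WORK/realbin/curl"
}

# Audit helper: which file would a bare name resolve to under a given PATH?
resolve() {
    ( PATH="$WORK/writable:$WORK/realbin"; command -v "$1" )
}

menu_weak        # prints: shadowed
menu_hardened    # prints: real-curl
resolve curl     # prints: .../writable/curl
```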

TryHackMe | OhSINT

Another box down on TryHackMe! Now admittedly, this is a much more beginner-oriented box, but it is a great introduction to OSINT (Open-Source Intelligence). There were some cool challenges, though some of it I found a little funky/cheesy (like the final question). But overall, it was a fun experience.

It starts off by giving us an image to download. So, unless the message is directly hidden in the picture itself, the next step would be to take a look at the EXIF/XMP info that is stored on this image. This can include info like the type of camera used to take the photo, the geo-location, the name of the author, and much more!

So what you end up needing to do is either use your computer’s built-in file info to read this data, or use some type of tool that can display this EXIF/XMP data for us.

In the copyright for the photo, we can see the name “OWoodflint”. Since there isn’t much else popping out right now, let’s just plug it into Google.

And the top three results are exactly what we are looking for! I just pulled them all up right away to take a quick scan over them.

On his Twitter page we can see that the profile picture is of a cat, so that answers our first question. The next question is to see what city they live in.

Scrolling through the Twitter page, there is a BSSID for a network there. Since he mentions that his house is near this network and that he can access it, if we can find where this network is, we can find his rough location.

Online there are lots of different ways and tools to do this, but I chose WiGLE to check whether it was recorded in their database. WiGLE is a war-driving service: when people are on the go, they can turn on the app, and it scans all of the WiFi networks around them and uploads the data it grabs to the service. By inputting his BSSID, I was able to track down the city he was located in, along with the answer to the next question, which asked for the SSID of the WAP he was connected to.

Our next quest is to find his email address. We’ve bled his Twitter page pretty dry, so let’s take a look at his GitHub page.

There you have it! Easy enough to find. This info answers the next question as well. Now we are going to attempt to find out where he went on holiday. Since there is no other info on the GitHub page, we are going to go to the last resource we have: his WordPress site.

Aaaaaaaand it says it right there on the front page, easy-peasy. The final question was a little rougher, because so far in my exploration I haven’t found this to be a useful thing to do in OSINT challenges, but it is included here anyway. It is to find his password.

This is why I thought it was a bit cheesy. Most of the time, you probably will not run into situations where the user has their password publicly posted, just slightly hidden/white text on a white background. Taking a look at the HTML we see:

It is just a new paragraph in the post; the text has no color and is just sitting there. Normally, we might look more towards password dumps/breaches to find old passwords for people, but I guess this works too!

Overall, a great beginner box, and a great one to do when you only have a little bit of time and still want some fun.

TryHackMe | Blue

So recently I started to try my hand at vulnerable boxes, and some of my friends recommended a website called “TryHackMe” because it’s a little nicer to beginners than some VulnHub/HackTheBox boxes are, so I decided to go for it! Here is a short overview of my journey exploiting this box.

If you have any questions, feel free to leave a comment. Some of my answers/explanations may not match up to the answers I gave on TryHackMe, and that is just because they expected a very linear approach and I accidentally went off and used an exploit that did basically the same thing, just in a different way.

So our first task is to scan the machine. TryHackMe gives you an IP, so I booted up Kali, started using ZenMap (yeah I know, I’m a pleb), and hit the machine with an intense scan. The only reason I started with the intense scan is because this is just a box challenge, a normal scenario would require a bit more finesse.

And as you can see outlined in red, I was able to find the three ports that are open that were under 1000.

So, since this box is based on EternalBlue, and there is an nmap script specifically for these vulnerabilities, I created a new custom Zenmap profile and did a custom scan looking for these vulnerabilities, plus a few other things.

Now, you can see that this box is definitely vulnerable to the vulnerabilities we were looking for.

In this pic, you can see what options are available in Metasploit to use to get into this box. I would recommend attempting this exploit in any other way than using Metasploit (just for the sake of experience), or at the very least, find a small script yourself (like a python one), study the script a bit, and then use it to exploit the box. The only reason I didn’t, was because I was racing a friend on this box.

Also, you’ll see that I set all of the options for Metasploit to exploit the box successfully.

Hitting “run”, we’ve got a successful session on the machine. We will want to background this session, just to check a couple of other things out real quick.

Running ifconfig, it comes back successfully identifying that we are on the machine now.

getsystem also identifies that we have Admin as well.

Starting a shell and running whoami shows what kind of system we are on, and what authority we have.

And we migrated our session to a different process on the system successfully. During this, though, our process may or may not die, so we might need to restart it!

The three main reasons for migrating the process are:

  1. You have an unstable shell and might need to move to a more “robust” process.
  2. Some exploits require an interactive session (AKA not session 0).
  3. You need to migrate from a 32-bit process to a 64-bit operating system.

You can read more about process migration here.

Using hashdump, we can see that there are three users on the computer. We want into the “Jon” user account though, so we are going to grab that hash and try to crack it.

Luckily, the hash itself is pretty easy to crack using an online database, and we get the password, which is “alqfna22”.

And just as a side note, sites like CrackStation don’t usually actively crack hashes for you. They just match the hash up to a pre-existing one in their database and give you the result. So it’s a quick and easy way to do it if you don’t feel like actually going through the cracking process, and sometimes you get lucky and find a match.

Now we are on the hunt for flags. Using search -f flag*.txt, we were able to find all of the text files on the box whose names start with “flag”. The asterisk before “.txt” is a wildcard, which is why flag1, flag2, and flag3 all showed up. All that’s really left is to traverse to those directories and see what’s inside those files.

This box was a great experience for a beginner like me, and I had a ton of fun working on it! It took me just barely under an hour, and was very short but sweet, and has encouraged me to continue to try out more boxes.

Thanks for giving this a read!

CyLance Smart Antivirus Bypass

Hey! I know it has been quite a while since I last posted, but this coronavirus stuff has been crazy! And aside from that, I haven’t had time to do anything crazy productive outside of my school. But a little extra time came across my hands and I found a great article written by a user called “Slaeryan” and had to post it, because I learned quite a few new things from it. In the article he talks about shellcoding, using metasploit, different attacks and how they might work, and much more. Click the link below to give it a read.

Click here

A Brief Overview of the Equifax Hack

The Equifax breach was one of the largest and most impactful breaches of recent years, and I just wanted to take a quick look at it since I discovered that lawmakers had released a PDF report detailing exactly how they were hacked.

Among other things that this report highlights, it looks at how Equifax turned down help from the DHS, and instead went to a private third-party cyber-security company. This isn’t abnormal, but having more than one party check your security, especially when it’s the DHS, can’t hurt one bit.

Above you’ll see a chart that describes how Equifax was breached. Now, the main vulnerability that was used was known, and US-CERT had warned the public about it. For some small businesses, emergency patches like this may not come up for a little while due to negligence or just not knowing the warning had been posted. But when you’re a company as big as Equifax, handling the sensitive data that they have, there is no excuse for a vulnerability to be open in a company that long after they were warned. Something as critical as that should have been patched straight away.

Get this though, the Apache Struts vulnerability that was used was months-old. They knew about it, but just failed to fix it. Using the vulnerability, the attackers gained access to login credentials for three of their servers, and from there, using the same credentials (c’mon guys), they accessed another 48 servers. These servers contained the personal information that was affected.

From there, the attackers stole bits of data from 51 databases ever so slowly, as to not set off any red flags. This process took around 76 days. The breach wasn’t known about until July 29th, and the attackers had their access terminated on July 30th.

In more recent news, Equifax has spent over $200 million on cyber security, and has a newer CISO. The company is attempting to make sure a breach like the one they suffered never happens again. It’s never too late to dump money into cyber security for your company, but why wasn’t this done beforehand? Why weren’t the proper steps taken to ensure their critical infrastructure was secured?

The Justice Department has charged four members of the Chinese Military with the hack though, and it’s amazing that they were even able to come up with names. I, myself, am extremely interested in how they were able to track the culprits down. These attackers had access to the Social Security numbers, birth dates, and more, of about 145 million people. Of course, the Chinese Foreign Ministry is completely denying the charges.

Apparently officials have stated that these hackers covered their tracks by routing traffic through 34 servers in 20 countries to hide their location, used encrypted channels to communicate, and wiped the logs they left behind. What I’m really looking forward to is the in-depth forensic report of how they tracked these guys down. I’ve gone through the indictment fully, and it gives away some info, but not much, especially when it comes to how the U.S. got the server logs/records off of Taiwanese servers that the hackers almost definitely were cleaning constantly (maybe they weren’t?).


OverTheWire Bandit Walkthrough Levels 0 to 6

OverTheWire is a community-run cyber war zone that helps users practice and learn the major concepts of different security scenarios through games. Currently, they offer 17 in total, but whether some are up or down depends on the day (they are almost always up, though; the developers are very reliable).

Bandit is the first game they recommend people play, just to gauge where you’re at and help you relearn some of those Linux skills. Let’s start with Level 0 –> Level 1.

Level 0 —> Level 1

Really not too bad at all. The goal of this level was just to get you into the first server and have you prepped for level one. In level one, you’ll be looking for a file stored in the home directory that contains a password. Helpful reading:

Secure Shell (SSH)

How to Use SSH

And with a few quick commands, we’ve grabbed it! Now, ssh into the next level and use that long string of numbers that “readme” file gave you.

Level 1 —> Level 2

At this point, I’m going to stop posting screenshots of me SSH’ing in, because I don’t want to annoy you. In this level, you will need to open a file named “-”. When in doubt about a filename, use your slash!

And there ya have it!

Level 2 —> Level 3

Here they want you to open a file with spaces in its name. Not too rough, but the uninformed might have to do a little reading of the resources provided on the site to further familiarize themselves with Bash scripting.

Helpful Reading:

Dashed Filename

Advanced Bash Scripting: Special Characters

Level 3 —> Level 4

The file you are looking for in this level is a hidden file in the inhere directory. Make sure, as you go through these levels, that you also take a look at each command’s help page so that you can learn more about its modifiers.

For example, here the command “ls --help” will bring up information regarding the “ls” command. You can use it to read about the modifier that was used in this level.

Level 4 —> Level 5

For this level, you’ll need to find the only human-readable file in the inhere directory. Here, you might want to look up and learn more about search terms and commands, like “find”. It’ll come in handy later.

Level 5 —> Level 6

Your target file is located in the inhere directory; it is human-readable, 1033 bytes in size, and not executable. If you looked into the find command for the last one, you’ll really want to use that knowledge here!
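As an added example that is not part of the original post, this script rebuilds the kinds of files levels 1, 2, 3 and 5 throw at you (a file named “-”, a name with spaces, a dotfile, and a 1033-byte non-executable file among decoys) inside a throwaway directory, and shows one command that handles each. All names and contents are constructed, not Bandit’s real ones.

```shell
#!/bin/sh
# Added example, not from the original post: rebuilds the kinds of files
# levels 1, 2, 3 and 5 throw at you inside a throwaway directory and shows
# one command that handles each. Names and contents are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir -p inhere

# Level 1 -> 2: a file literally named "-". "cat -" reads standard input,
# so give the name a path prefix and the shell passes it through untouched.
printf 'pass-for-level2\n' > ./-
read_dash() { cat ./-; }

# Level 2 -> 3: spaces in the name. Quote it, or the shell splits it into
# several separate arguments (and cat looks for several files).
printf 'pass-for-level3\n' > 'spaces in this filename'
read_spaces() { cat 'spaces in this filename'; }

# Level 3 -> 4: a dotfile. Plain ls skips it; the "a" in "ls -la" lists it.
printf 'pass-for-level4\n' > inhere/.hidden
read_hidden() { cat inhere/.hidden; }
list_all() { ls -a inhere; }

# Level 5 -> 6: regular file, exactly 1033 bytes, not executable. Two
# decoys: right size but executable, and non-executable but one byte off.
head -c 1033 /dev/zero | tr '\0' 'a' > inhere/target
head -c 1033 /dev/zero | tr '\0' 'b' > inhere/decoy-exec
chmod 0755 inhere/decoy-exec
head -c 1034 /dev/zero | tr '\0' 'c' > inhere/decoy-size
# -size 1033c: the trailing c means bytes (without it, find counts 512-byte
# blocks). "! -executable" negates the test that follows it.
find_by_size() { find inhere -type f -size 1033c ! -executable; }

read_dash; read_spaces; read_hidden
list_all
find_by_size    # prints: inhere/target
```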

Well, that’s it for now! If you have any questions or critiques, feel free to shoot me over a form via the Contact Me page. If you’d like to read more about the topics discussed above, here are a few links:

For Complete Beginners

A Step Up From That

Advanced Bash-Scripting Guide