
Index

- nrich: A Tool for Fast IP enrichment   [article]
- Intigriti XSS Challenge by TomNomNom   [video]
- VIM tutorial: Linux terminal tools for bug bounty   [video]
- Hack The Box: 'Starting Point'   [memo]
- Useful links: resources and next explorations

nrich - A Tool for Fast IP enrichment   [article]


~~> [article]

New article from Shodan presenting nrich, a command-line tool that lets you "quickly analyze all IPs in a file and see which ones have open ports / vulnerabilities". To install it on Linux from the Debian package:

$ sudo dpkg -i nrich_latest_amd64.deb

To run it, you can simply echo an IP and pipe it to nrich, or give it a file containing a list of IPs (one per line):

$ nrich <filename>

There is also an option to output the result as JSON:

$ nrich --output json <filename>

< ! - - END - - >

Intigriti XSS Challenge by TomNomNom   [video]


~~> [video]

TomNomNom shows two techniques to successfully retrieve the flag from the page, both based on tweaking the URL to bypass the filters in place.

First off, always analyze the source code: right click on the page -> 'View Page Source'.
'View Page Source' and 'Inspect' are two essential tools. 'Inspect' opens the developer console, where a lot of information about the website is accessible.

The file script.js is interesting here. The page reads a query parameter 'r' from the URL:

j window.r = href.searchParams.get("r")

Since script.js waits a moment before showing the 'popover' element, the idea is to pass in the URL a .php page that contains a sleep command:

u https://challenge-0121.intigriti.io/?r=https://example.com/delay.php

The website hangs for 30 seconds, so the parameter is being used.
Then, back in script.js, there is an if statement that blocks us from putting spaces or some special characters in the URL:

j if (!url.match(/[<>"' ]/)) {
 ...
} else {
 alert("Invalid URL.")
}

But '%09', the URL-encoded tab, is not in that character class and is accepted if placed after '%3f', the URL-encoded '?'.
We can add it after the payload and follow it with an attribute that launches an alert. Note that " would invalidate the URL, so instead we use `:

u https://challenge-0121.intigriti.io/?r=https://example.com/delay.php%3f%09onmouseover=alert(`{THIS_IS_THE_FLAG}`)

It works! Another neat way to write it (if we cannot use any kind of quote) is to use 'document.location.hash' and pass our value in the fragment, which is not sent in the server request but can still be read by the script. The 'substring(1)' call removes the leading #:

u https://challenge-0121.intigriti.io/?r=https://example.com/delay.php%3f%09onmouseover=alert(document.location.hash.substring(1))#{THIS_IS_THE_FLAG}

The second technique is DOM clobbering. We can use an anchor tag <a> and inject the XSS payload into its href attribute.

In script.js there is a condition check that rejects any URL containing the word 'javascript'.
It is supposed to stop us from injecting JavaScript code, but we can actually use it to remove the current window.origin (URL) by placing that word as a subdomain.
In our payload we then use 'javaScript' with a capital S: it bypasses the check but is still executed as JavaScript.

u https://javascript.challenge-0121.intigriti.io/?r=javaScript:alert(`{THIS_IS_THE_FLAG}`)//%09id=origin

The '%09' URL-encoded tab lets us start a new attribute on our <a>, giving it the id 'origin'.
The <a> becomes window.origin and script.js continues to execute. The alert fires, and indeed if we type 'window.origin' in the console we get this value:

h <a href="javaScript:alert(`{THIS_IS_THE_FLAG}`)//" id="origin">
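To make the two filter weaknesses above concrete from the defender's side, here is an added example (my code, not the challenge's script.js): the blocklist checks as the write-up describes them, next to an allowlist check that parses the URL instead. The sample URLs are constructed from the write-up and shown already decoded, the way URLSearchParams.get("r") hands them to the script (%09 -> tab, %3f -> ?); the hardened version is my own suggestion, not the challenge's fix.

```javascript
// Added example, not the challenge's script.js: the two blocklist checks the
// write-up describes, next to an allowlist check that parses the URL instead.
// Sample URLs are constructed from the write-up and are shown already decoded,
// the way URLSearchParams.get("r") hands them to the script (%09 -> tab, %3f -> ?).

// Blocklist as described: reject on < > " ' or a space, and reject the
// lowercase word "javascript". Tab and backtick are not listed, and the
// scheme check is case-sensitive.
function weakCheck(url) {
  if (url.match(/[<>"' ]/)) return false;
  if (url.includes("javascript")) return false;
  return true;
}

// Allowlist (my hardened version, not the challenge's fix):
//  1. reject any ASCII control or whitespace character (tab included) and
//     the quote, backtick and angle characters, before anything else;
//  2. parse with the WHATWG URL parser and accept only http(s). The parser
//     lowercases the scheme, so "javaScript:" compares as "javascript:".
function hardenedCheck(url) {
  if (/[\x00-\x20\x7f<>"'`]/.test(url)) return false;
  let parsed;
  try {
    parsed = new URL(url);          // relative or malformed input throws
  } catch {
    return false;
  }
  return parsed.protocol === "https:" || parsed.protocol === "http:";
}

// Constructed samples (decoded form), keyed by what each one exercises.
const SAMPLES = {
  benign: "https://example.com/delay.php",
  tabInjection: "https://example.com/delay.php?\tonmouseover=alert(1)",
  mixedCaseScheme: "javaScript:alert(1)",
  plainScheme: "javascript:alert(1)",
};

// Run both checks over the samples; returns {name: {weak, hardened}}.
function compareChecks(samples = SAMPLES) {
  const result = {};
  for (const [name, url] of Object.entries(samples)) {
    result[name] = { weak: weakCheck(url), hardened: hardenedCheck(url) };
  }
  return result;
}

console.table(compareChecks());
```

Input validation is only half of it: the tab worked because the value ended up inside an HTML attribute, so the link should be built with DOM APIs (for example a.setAttribute("href", url)) rather than by concatenating markup, and a script should not trust window.origin on a page where untrusted markup can define an element with id="origin".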

< ! - - END - - >

VIM tutorial: Linux terminal tools for bug bounty   [video]


~~> [video]

Video featuring TomNomNom and Stök going through Tom's tools. Fast and interesting techniques inside the terminal and Vim. Lots to keep!

The 'tee' command lets us both display the output of a command and copy it to a file. Very useful when the execution takes some time and we want to make sure something is happening. 'tee -a' appends (like >>):

$ <cmd> | tee -a <filename>

Useful grep flags. -H: display the filename / -n: display the line number / -r: recursive / -i: case insensitive:

$ grep -Hnri <pattern> <folder>

To output the result directly in Vim:

$ <cmd> | vim -

Then, in Vim, we can save the buffer under a file name / search for an entry / search and replace all / sort and delete duplicates / delete specific content using grep:

v :%!grep -v <name>

xargs, another useful command, takes multiple lines as input and applies the same command to each line. -n1 for one at a time, {} represents the line, sh -c to run a shell command:

v :%!xargs -n1 -I{} sh -c 'echo {} | base64 -d'

A really cool tool from TomNomNom is gf, a wrapper around grep that stores regex patterns to help find specific elements.
An example below for the aws-keys pattern / for base64:

$ grep -HnroE '([^A-Za-z0-9+/]|^)(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[%a-zA-Z0-9+/]+={0,2}' *
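The grep pattern above only finds the blobs; the xargs + base64 -d step from earlier in the notes is what tells you whether a hit matters. As an added example (my code, not gf's), here is the same pattern run from Node over constructed sample lines, with every match decoded so the two steps happen together. The JWT-looking token is built from a dummy header, not a real credential.

```javascript
// Added example, not gf's own code: the base64 pattern quoted above, run from
// Node instead of grep, with every match decoded so you can see what the blob
// is before deciding whether it matters. The sample lines are constructed here
// and the JWT-looking token is built from a dummy header, not a real credential.

// Same alternatives as the grep -E pattern: each fixed prefix is the base64
// of a telltale start ('{"', 'a:', 'O:', '<?', 'https:/', 'http:', and the
// Java serialised-object header), preceded by a non-base64 boundary character.
const BASE64_PATTERN =
  /(?:[^A-Za-z0-9+\/]|^)((?:eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[%a-zA-Z0-9+\/]+={0,2})/g;

// Constructed input: a JS file with a hard-coded token, a config line whose
// base64 value has been URL-encoded (so '=' shows up as %3D, which is why the
// pattern allows '%'), and a line that must not match.
function buildSampleInput() {
  const jwtHeader = Buffer.from('{"alg":"HS256","typ":"JWT"}').toString("base64");
  const endpoint = Buffer.from("https://example.com/api").toString("base64");
  return [
    `var token = "${jwtHeader}.payload.signature";`,
    `endpoint=${encodeURIComponent(endpoint)}`,
    "console.log('nothing to see here');",
  ].join("\n");
}

// Scan text line by line. Returns one record per match with the 1-based line
// number, the raw blob, and the decoded text (null when it is not printable text).
function findBase64Candidates(text) {
  const hits = [];
  text.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(BASE64_PATTERN)) {
      const encoded = m[1];
      let decoded = null;
      try {
        const str = Buffer.from(decodeURIComponent(encoded), "base64").toString("utf8");
        // Only report decodes that look like text; binary noise is not a secret.
        if (/^[\x20-\x7e\s]+$/.test(str)) decoded = str;
      } catch {
        decoded = null;   // malformed %xx sequence in the blob
      }
      hits.push({ line: idx + 1, encoded, decoded });
    }
  });
  return hits;
}

for (const hit of findBase64Candidates(buildSampleInput())) {
  console.log(`line ${hit.line}: ${hit.encoded} -> ${hit.decoded}`);
}
```

The printable-text filter is the part worth keeping when you turn this into a triage script: a JWT header or a URL stands out immediately, while random binary that happens to start with one of the prefixes is left for manual review.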

To efficiently find files: find -type f, then grep to keep only the files ending in '.js':

$ find . -type f | grep '\.js$'

TomNomNom also shares a great bash script to efficiently extract the objects created by every commit in a GitHub repo:

b #!/bin/bash
{
 find .git/objects/pack/ -name "*.idx" |
 while read i; do
  git show-index < "$i" | awk '{print $2}';
 done;

 find .git/objects/ -type f | grep -v '/pack/' |
 awk -F '/' '{print $(NF-1)$NF}';
} | while read o; do
 git cat-file -p $o;
done

Let's say we call it git_extract.sh; we can then use grep -a (which does not skip binary files, handy for images) to search for useful misplaced info:

$ ./git_extract.sh | grep -a 'password'

< ! - - END - - >

Hack The Box: 'Starting Point'   [memo]


~~> [website]

Composed of 18 machines (divided into 3 tiers), it combines good questions and simple exercises to start off on the right foot.
A few notions to remember:

The ping command lets us see if a server is up or down. The TTL value gives a hint about the OS in use (Linux: ~64 / Windows: ~128):

$ ping <ip>

Nmap is a scanning tool that finds open ports on a machine. A complete scan can be done using the -sC -sV flags.
-sC performs a script scan (some of the scripts are considered intrusive), -sV detects which versions are running on which port,
-Pn helps when ping probes are blocked (treat all hosts as online / skip host discovery):

$ nmap -sC -sV -Pn <ip>

The command to connect to a server running the telnet service is the following:

$ telnet <ip>

FTP (File Transfer Protocol) uses the client-server model; it usually runs on port 21 and is not encrypted!
Here are the commands to: connect / activate passive mode / list files / get a file:

$ get <filename>

SMB stands for "Server Message Block"; it's a protocol usually running on port 139 (on Linux) or 445 (on Windows).
The following commands let us: list the shares on the server / get a shell / download a file:

$ get <filename>

RDP, the "Remote Desktop Protocol", is used on Windows and runs on port 3389. To use it we run xfreerdp, a command-line tool.
The flags used here respectively: select the target IP / ignore the security certificate / use the username "Administrator":

$ xfreerdp /v:<ip> /cert:ignore /u:Administrator

Gobuster is a brute-forcing tool for directory discovery. Here is an example command:

$ gobuster dir --url <ip> -w <wordlist>

SQL (Structured Query Language) is designed for managing data. SQL service > databases > tables > columns + rows = data.
When the query is not properly protected, we can bypass a web authentication form by appending '# to the username: it comments out the password part of the query, finds the matching entry in the database and allows the login. The most common type of vulnerability here: SQL injection!

MySQL (or MariaDB) lets us connect to the database from the terminal:

And then list all databases / enter a database / list all the tables / list all the data inside a table:

$ SELECT * FROM <table>;

Netcat is used as a port listener; it's a direct and easy command-line tool to create a connection between two machines. Useful for reverse shells.
The flags correspond to: -l listening mode / -v verbose / -n numeric-only IP / -p port:

$ nc -lvnp <port>

Linux -> Windows terminal commands: ls -> dir / cat -> type.
Also, PowerShell includes the best features of other popular shells, allowing us to run more common commands:

$ powershell -c <command>

Impacket is a "collection of Python classes for working with network protocols". Here is an example of how to run the mssqlclient.py script against a Windows machine with the MS SQL service on port 445:

$ python3 mssqlclient.py <user>@<ip> -windows-auth

A lot of information can be found inside the command-line history file. Find it on Linux / Windows:

On Linux, the following command deletes the complete history:

$ history -c

< ! - - END - - >

Useful links: resources and next explorations