Thursday, October 24, 2019

IDS-SP8

 2019-10-24 08:29:02,234 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 134.122.34.213 already banned
2019-10-24 08:29:02,330 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 138.68.76.244 already banned
2019-10-24 08:29:02,425 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 159.203.114.242 already banned
2019-10-24 08:29:02,519 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 161.35.86.181 already banned
2019-10-24 08:29:02,613 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 181.214.218.69 already banned
2019-10-24 08:29:02,706 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 18.134.152.30 already banned
2019-10-24 08:29:02,802 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 194.233.164.177 already banned
2019-10-24 08:29:03,009 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 54.163.14.22 already banned
2019-10-24 08:29:03,119 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 85.31.46.211 already banned
2019-10-24 08:30:01,356 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 134.122.34.213 already banned
2019-10-24 08:30:01,451 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 138.68.76.244 already banned
2019-10-24 08:30:01,543 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 159.203.114.242 already banned
2019-10-24 08:30:01,708 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 161.35.86.181 already banned
2019-10-24 08:30:01,873 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 181.214.218.69 already banned
2019-10-24 08:30:01,972 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 18.134.152.30 already banned
2019-10-24 08:30:02,158 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 194.233.164.177 already banned
2019-10-24 08:30:02,323 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 54.163.14.22 already banned
2019-10-24 08:30:02,433 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 85.31.46.211 already banned
2019-10-24 08:31:01,681 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 134.122.34.213 already banned
2019-10-24 08:31:01,811 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 138.68.76.244 already banned
2019-10-24 08:31:01,906 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 159.203.114.242 already banned
2019-10-24 08:31:02,001 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 161.35.86.181 already banned
2019-10-24 08:31:02,095 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 181.214.218.69 already banned
2019-10-24 08:31:02,190 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 18.134.152.30 already banned
2019-10-24 08:31:02,284 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 194.233.164.177 already banned
2019-10-24 08:31:02,379 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 54.163.14.22 already banned
2019-10-24 08:31:02,474 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 85.31.46.211 already banned
2019-10-24 08:32:01,726 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 134.122.34.213 already banned
2019-10-24 08:32:01,828 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 138.68.76.244 already banned
2019-10-24 08:32:01,925 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 159.203.114.242 already banned
2019-10-24 08:32:02,021 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 161.35.86.181 already banned
2019-10-24 08:32:02,117 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 181.214.218.69 already banned
2019-10-24 08:32:02,214 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 18.134.152.30 already banned
2019-10-24 08:32:02,310 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 194.233.164.177 already banned
2019-10-24 08:32:02,408 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 54.163.14.22 already banned
2019-10-24 08:32:02,617 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 85.31.46.211 already banned
2019-10-24 08:33:01,865 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 134.122.34.213 already banned
2019-10-24 08:33:01,961 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 138.68.76.244 already banned
2019-10-24 08:33:02,057 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 159.203.114.242 already banned
2019-10-24 08:33:02,152 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 161.35.86.181 already banned
2019-10-24 08:33:02,319 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 181.214.218.69 already banned
2019-10-24 08:33:02,432 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 18.134.152.30 already banned
2019-10-24 08:33:02,531 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 194.233.164.177 already banned
2019-10-24 08:33:02,626 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 54.163.14.22 already banned
2019-10-24 08:33:02,720 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 85.31.46.211 already banned
2019-10-24 08:34:01,968 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 134.122.34.213 already banned
2019-10-24 08:34:02,131 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 138.68.76.244 already banned
2019-10-24 08:34:02,291 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 159.203.114.242 already banned
2019-10-24 08:34:02,419 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 161.35.86.181 already banned
2019-10-24 08:34:02,513 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 181.214.218.69 already banned
2019-10-24 08:34:02,609 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 18.134.152.30 already banned
2019-10-24 08:34:02,704 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 194.233.164.177 already banned
2019-10-24 08:34:02,798 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 54.163.14.22 already banned
2019-10-24 08:34:02,893 IDS-SP8.actions        [873]: WARNING [WebAPPConn-Sec] 85.31.46.211 already banned

Friday, October 18, 2019

Auto Domain Expire Check

#!/bin/sh
_domains='/etc/domains'
sp8_chd()
{
while read line; do
echo $line >> /var/log/DomainExpire.log
whois $line | grep Expiry >> /var/log/DomainExpire.log
done < $_domains
}
sp8_chd
cat /var/log/DomainExpire.log | mail -s '[IMPORTANT] Domain Expire Reminder' rizky.md@gmail.com;
sleep 2;
echo > /var/log/DomainExpire.log

Thursday, September 12, 2019

CTF Machine - Bob

Machine : http://c0rruptedb1t.com/vms/Bob.ova
Duration : 3 x 60 Minutes (approximately)

Meet Bob ...

1. Preparation :

Check my own IP.


Discover neighbours IP.

fping -a -g 10.0.2.0/24

netdiscover -r 10.0.2.0/24



2. Enumeration :

nmap -sS -nvv -A -p22-10000 10.0.2.14

We got some interesting information : /dev_shell.php & /passwords.html, let's dig deeper with dirb
dirb http://10.0.2.14

next, curl it

Browse the main page http://10.0.2.14

Lets jump to  http://10.0.2.14/dev_shell.php
curl http://10.0.2.14/dev_shell.php
seems like someone already mess their server :)
shall we go with basic command checking : whoami

Only basic account www-data anyway, it's ok ... we go deeper to /etc/passwd
cat /etc/passwd

Nop ... but wait, what if we use pipe to run output for the second command ? lets try it ...
whoami | cat /etc/passwd

yess, it's a bliss .... we can identify some user from the passwd file ;
 
c0rruptedb1t : c0rruptedb1t
Bob : bob
James C : jc
Sebastian W : seb
Elliot A : elliot

let's check the home directory :

whoami | ls ../../../home/

confirmed is bob & friends ... now we check every last of their directory,  perhaps we can find some gems there, we start from bottom to top, elliot go first ...
found fishy file : theadminisdumb.txt , let's cat it ...
so far we already got the following credential information :
james : jc:Qwerty
elliot : elliot:theadminisdumb

yiihaa ... we might found some low level access, lets try it ...
ssh connection is denied, back to previous nmap result we did not find any ssh service, seems like ssh service is not active or they might already changed the ssh port.
sshd is active, but why we are unable to connect ? lets check the sshd_config
ok, no wonder we can't connect ... default port are changed from 22 to 25468
retrying ssh ...
we got low level access shell, it's good enough .... shall we left the webshell ?

3. Escalation :

Lets see what we have here ...
can we have root privilege with sudo ?
... nop ... sorry ... let's wandering arround the home directory ... isn't Bob is the Sysadmin ?
perhaps he have something that we looking for ...
got some insteresting file, also gpg'ed file ... well check it later.
let's go deeper ...
found a bash script : notes.sh , try to run it ./notes.sh
meaningless ... fallback to previous file
vi /home/bob/Documents/staff.txt
something is burning ...
trying to find root executables ...
find / -user root -perm -4000 -print 2>/dev/null
... nop ... no find , no vi, no cat to use .... to perform escalation ....
ok ... lets carefuly step back to Bob's home dir, and look for hidden file ?
cd /home/bob ; ls -alh
what inside .old_passwordfile.html ?
more .old_passwordfile.html
oooh ... ok, it's James and Sebastian password, let's try them ...
valid password, but it's just another low level shell access, do we miss something ?
login.txt.gpg ... we need to open this
back to /home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/notes.sh
sh /home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/notes.sh
the script contain some promising keyword, let's use them to open the pgp'ed file
first ... copying gpg login.txt.gpg to elliot homedir
cd /home/elliot/
cp home/bob/Documents/login.txt.gpg .
then ... let's try to decrypt it ...
gpg -dv login.txt.gpg
trying the possible passphrase combination :
HarryPotter
harrypotter
Cucumber
cucumber
seasanty
SeaSanty
HARPOCRATES
finally ...
found another credential
bob:b0bcat_
use it ...
escalate it ...
sudo su ; whoami
looking for the flag ...
cd /root/ ; ls -alh
check root's bash history
cat .bash_history
here is the flag ...
let's find flag.txt

find / -name flag.txt -exec cat {} \;

Finish ...

Thank you and Greets ~c0rruptedb1t

40 Hadist Seputar Keluarga Samawa (Bagian 3)

 ﷽ Ustadz Yusuf Abu Ubaidah As-Sidawi hafizahullohuta'ala Masjid Al-Aziz  Jl. Soekarno Hatta No. 662 Bandung Hadist 11 : Doa Orangtua Bu...