old notes

i take one breath / mint at a time

#cron #crontab #cronjobs

LV 21 -> 22

This was a straightforward level with a linear problem-solving narrative.

What we know:

“A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.”

What I did with this knowledge:

First, I navigated to the /etc/cron.d directory and researched what this directory contains.

Cron reads the files in the /etc/cron.d/ directory. Usually a system daemon such as sa-update or sysstat places its cronjob here.

So I understand the /etc/cron.d/ directory to hold files that are read by the cron utility.

I decided to try to run the cronjob most relevant to my goals: crontab cronjob_bandit22

The response was: /var/spool/cron/: mkstemp: Permission denied

Then I decided to take a look at the cron file using less, which gave me:

```
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
```

I then researched the syntax of a cronjob entry, which is:

a b c d e /directory/command [output]

The first section (a b c d e) contains five fields that indicate the date/time/re-occurrence of the job.

The second section is the location and script you want to run. (In /etc/cron.d files there is one more field in between: the user the job runs as, which is bandit22 in the lines above.)

The third section is optional and indicates where the output goes.

In this case, our script is located at /usr/bin/cronjob_bandit22.sh and the output disappears into the void of /dev/null.
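An added example, not from the original notes: a small Python parser for /etc/cron.d lines that handles both the @reboot shorthand and the five-field form, and keeps the user field that system crontabs carry between the schedule and the command. The sample lines are the two quoted from cronjob_bandit22 above.

```python
import re

# The "@" shorthands cron accepts in place of the five time fields.
NICKNAMES = {"@reboot", "@yearly", "@annually", "@monthly",
             "@weekly", "@daily", "@midnight", "@hourly"}
FIELDS = ("minute", "hour", "day_of_month", "month", "day_of_week")


def parse_cron_d_line(line):
    """Split one /etc/cron.d line into schedule, user, command and redirection.
    Returns None for blank lines, comments and KEY=value settings."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    tokens = line.split()
    if tokens[0] in NICKNAMES:                 # "@reboot" etc. replace all five fields
        schedule, rest = {"nickname": tokens[0]}, tokens[1:]
    else:
        schedule, rest = dict(zip(FIELDS, tokens[:5])), tokens[5:]
    if len(rest) < 2:
        raise ValueError("need time fields, a user and a command: %r" % line)
    user, command = rest[0], " ".join(rest[1:])   # system crontabs carry a user field
    redirect = None
    m = re.search(r"\s*(\d?&?>{1,2}\s*\S+)$", command)  # e.g. "&> /dev/null"
    if m:
        redirect, command = m.group(1), command[:m.start()]
    return {"schedule": schedule, "user": user, "command": command, "output": redirect}


def parse_file(text):
    """Parse a whole cron.d file, skipping lines that carry no job."""
    return [e for e in map(parse_cron_d_line, text.splitlines()) if e]


# Constructed sample: the two lines these notes quote from /etc/cron.d/cronjob_bandit22.
SAMPLE = """\
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
"""

if __name__ == "__main__":
    for entry in parse_file(SAMPLE):
        print(entry)
```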

So I navigated to /usr/bin/ to read the cronjob script (yes, I'm aware I could have done this without navigating there!) and used less to see this script:

```
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
```

I interpreted this to mean that the output of the cronjob was being saved in a file called t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv in the /tmp folder.

I used less t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv and voilà! The password is mine!

What I could have done better:

What is the difference between the file in etc and bin?

Running diff /usr/bin/cronjob_bandit22.sh /etc/cron.d/cronjob_bandit22 gives a comparison:

```
1,3c1,2
< #!/bin/bash
< chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
< cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
---
> @reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
> * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
```

Upon first glance, I notice that the cronjob file in bin has a .sh suffix, which suggests that it is a bash script. I verified this using file /usr/bin/cronjob_bandit22.sh and saw the following output:

/usr/bin/cronjob_bandit22.sh: Bourne-Again shell script, ASCII text executable

Then I used file -- * in the /etc/cron.d/ directory and found that they were all just ASCII text files, not executables:

```
cronjob_bandit15_root: ASCII text
cronjob_bandit17_root: ASCII text
cronjob_bandit22:      ASCII text
cronjob_bandit23:      ASCII text
cronjob_bandit24:      ASCII text
cronjob_bandit25_root: ASCII text
```

This is something I could have noticed much earlier had I been more observant of the file suffixes or used the file command to check.

LV 22 -> 23

A very similar level to the previous one. Straightforward, easy. This time the cronjob script that we had to understand contained:

```
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
```

At first, I thought this was super straightforward, so I ran the contents of the script, replacing the variable myname with my current user, bandit22. I ran it through the md5sum checksum, piped it into the cut command to strip the trailing field that md5sum appends, and then printed the result of the $mytarget variable:

8169b67bd894ddbb4412f91573b38db3

According to the cronjob script, the bandit password is written into the file in /tmp/8169b67bd894ddbb4412f91573b38db3

I was VERY surprised that the result returned here did NOT work as my password! Then I realized I should have been using the username bandit23 and not bandit22 since my goal is to find the password for the next level not this level.

I went through the same steps using the correct username for the $myname variable, checked the output file in the relevant tmp folder and voilà! Completed.
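An added Python example (mine, not the level's script) that reproduces the script's derivation so the /tmp path can be predicted for any user. It makes both pitfalls visible: echo's trailing newline is part of what md5sum hashes, and the name fed in must be the user the job runs as, not the one you are logged in as.

```python
import hashlib


def derive_target(username):
    """Hex digest of 'I am user <username>\\n', i.e. echo ... | md5sum | cut -d ' ' -f 1.
    echo appends a newline, so it is part of the hashed input."""
    payload = "I am user %s\n" % username
    return hashlib.md5(payload.encode()).hexdigest()


def target_path(username):
    """The file the cron job writes the password for <username> into."""
    return "/tmp/" + derive_target(username)


def digest_without_newline(username):
    """The wrong answer you get if the newline is forgotten (for comparison only)."""
    return hashlib.md5(("I am user %s" % username).encode()).hexdigest()


if __name__ == "__main__":
    # bandit22 is the mistake described above; bandit23 is the user the job runs as.
    for user in ("bandit22", "bandit23"):
        print("%s -> %s" % (user, target_path(user)))
```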

#nmap #nc #localhost #networking

Re-write this page with steps vs reflections after redoing it using tmux.

This level. Oh this level.

Things learned:

  1. what the results from nmap mean
  2. how to find the right port to use (reserved vs ephemeral ports)
  3. who sends the message and why?

How to learn more:

  • is there another way to get the password?
  • redo using tmux

The following steps need to happen:

  1. a port needs to exist to listen for suconnect
  2. suconnect needs to be able to connect to this port
  3. this port needs to be able to send a string to suconnect
  4. suconnect needs to receive this string and, if correct, return the password to the next level

Mistakes made:

  1. the result you get from nmap localhost shows the ports that are open and listening. This means they are already occupied and cannot be used to make a new socket connection.

```
bandit20@bandit:~$ nmap localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-02 19:59 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00037s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
113/tcp   open  ident
30000/tcp open  ndmps

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
```

FIRST MISTAKE: thinking this meant that I should use these ports.

RED HERRING: the port 22 does respond.

Attempts

  1. Trying a reserved port

```
bandit20@bandit:~$ nc -lp 500
Can't grab 0.0.0.0:500 with bind : Permission denied
```

  • because it is a reserved (privileged) port

  2. Trying a random port: 5000

```
bandit20@bandit:~$ nmap localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-02 20:57 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00032s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
113/tcp   open  ident
5000/tcp  open  upnp
30000/tcp open  ndmps
```

  3. Trying a random port: 4000

```
bandit20@bandit:~$ nmap localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-02 21:16 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00025s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
113/tcp   open  ident
4000/tcp  open  remoteanything
30000/tcp open  ndmps
```

The open port for service remoteanything sounded promising, so I ran: bandit20@bandit:~$ ./suconnect 4000

Typed in GbKksEFF4yrVs6il55v6gwY5aVje5f0j on the nc listener side.

The response: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr aka the next password!

Other Ways to Solve This?

  • I decided to try using echo to send the password in the same command line as setting up the listening port.

bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -lp 4000
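An added example (mine, not from the notes) that models the listener/suconnect pair from the step list above in Python on loopback: one side binds a port and sends a line, the other connects and reads it. Binding port 0 lets the kernel pick a free unprivileged port, which is why nc on 500 was refused without root while 4000 worked.

```python
import socket
import threading

HOST = "127.0.0.1"
SECRET = "GbKksEFF4yrVs6il55v6gwY5aVje5f0j"   # the string this level expects (from the notes)


def start_listener(message):
    """Bind an ephemeral loopback port and send `message` to the first client.
    Port 0 asks the kernel for a free unprivileged port, which is why this
    works where `nc -lp 500` (a privileged port) was refused."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():                  # the `nc -lp PORT` half: one client, one line
        conn, _ = srv.accept()
        with conn:
            conn.sendall((message + "\n").encode())
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def connect_and_read(port, timeout=5.0):
    """The client half (what suconnect does first): connect, read one line."""
    chunks = []
    with socket.create_connection((HOST, port), timeout=timeout) as conn:
        while not chunks or not chunks[-1].endswith(b"\n"):
            data = conn.recv(1024)
            if not data:          # peer closed without sending a newline
                break
            chunks.append(data)
    return b"".join(chunks).decode().rstrip("\n")


def exchange(message=SECRET):
    """Run both halves locally; return what the client received."""
    port, thread = start_listener(message)
    received = connect_and_read(port)
    thread.join(timeout=5.0)
    return received


if __name__ == "__main__":
    print("client received:", exchange())
```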

Questions

  • What type of service was I using? I can't figure this out because I don't have lsof permissions.

What I know

Summary

#ssh #bashrc #bash

So, I had to ask for a hint on this one from Discord. The person said: “you don't need any extra parameters for ssh command”

I misunderstood this level on a fundamental level. I thought the goal was to login so I could access the readme file for the password. This is not the goal. The goal is to get the password. Logging in is irrelevant. This was mistake one.

Having assumed that I had to log in meant that I interpreted the problem as a matter of “disabling the .bashrc file”, so I went about on a wild Google search reading about different approaches to doing this. It turns out that this is not an uncommon problem — interestingly. However, this was a mistake on my end, because it skipped over what my tool (the level tells you to use ssh) was made to do. I looked up different ways of using ssh towards a specific purpose without understanding the tool's stated purpose.

Had I looked at the manual for ssh instead of assuming I already knew its usage(s), I would have found this description:

ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine.

All I needed to do was read the readme via remote command execution. There was no need to go about disabling the .bashrc.

I've noticed that the levels that I get stuck on are from getting too attached to an initial idea and pursuing that instead of examining ALL my possibilities and experimenting. This almost happened in a previous level but I caught myself. Time to make it into an acronym like my 10DIME for algorithms.

How to problem-solve OTW/CTFs:

  1. GOAL: What is my goal?
  2. ASSUMPTIONS: Are there any procedural assumptions in my goal statement that limit how I can get to that goal or is it truly a goal?
  3. DESCRIBE: Describe my tools. If I can't describe their purpose with certainty, read the description SLOWLY. Not backwards. Not diagonally. SLOWLY.
  4. Try EVERYTHING!

GADE.

Next.

The solution was simply ssh bandit18@bandit.labs.overthewire.org -p 2220 "less ~/readme"

#SSL #SSH #NC #nmap #bandit #overthewire #linux #cli

Level 13 -> 14

In this level, we were given “a private SSH key that can be used to log into the next level”.

Upon examination, there was an RSA key in the file sshkey.private. The goal is to use this key to login to the next level.

What is immediately different about how we are asked to log in here vs previous levels?

  • Previously, we had to exit the connection and SSH into the server using the next username and password. This time, we must use the next username and RSA key.

To log in using a private SSH key, we use: ssh -i sshkey.private bandit14@localhost

We are staying on the same server (localhost) so we don't need to specify the port number.

Level 14 -> 15

We are asked to submit data to port 30000 on localhost in order to retrieve the next password.

The utility nc (netcat) allows us to “read or write data across network connections using the TCP or UDP protocols”. The basic syntax is: nc [options] host port

The data we needed to send is a file called bandit14 so we used: less bandit14 | nc localhost 30000 to solve this level.

QUESTION: Can I log into LV15 from within the server?

Yes! It worked to use ssh bandit15@localhost! Yay for learning to be more efficient!

Level 15 -> 16

In this level, we are asked to submit “the password of the current level to port 30001 on localhost using SSL encryption”.

Tools to explore: openssl, s_client

s_client will connect to “a remote host using SSL/TLS.”

QUESTION: why does it specify that it connects to a remote host? What about connecting to a service on localhost?

What I tried (unsuccessful):

openssl s_client -connect localhost:30001

I knew this wouldn't work because I wasn't sending the password. But it did say CONNECTED. Unfortunately, it kept waiting for something and I wasn't sure how to interpret this, so I looked up a hint online. It turns out it was waiting for a password! There was no password prompt so I didn't think to try sending any input. Had I tried sending anything at all, I would have received a wrong password message and realized what was happening!

LESSON LEARNED: TRY EVERYTHING!!!

The answer turned out to be: openssl s_client -connect localhost:30001 $PASS (with the password string saved in $PASS)

Level 16 -> 17

In this level, we have to (1) scan for open ports for a server that listens to SSL and then (2) forward the response credentials to login to the next level.

I used nmap -p 31000-32000 localhost to scan for the ports on localhost between 31000-32000 (the range given in the instructions). This returned only 5 active ports (yay!):

```
Starting Nmap 7.40 ( https://nmap.org ) at 2021-12-31 02:52 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00033s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown
```

Then I manually attempted an openssl s_client connection to each port to see if there would be a response.

I found that port 31790 responded with the credentials (an RSA key). I then created a temporary file containing this key and attempted to SSH into the next level using the method from a few levels back: ssh -i lumpo.private bandit17@localhost

Unfortunately, this did not work because I got this warning back:

```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'lumpo.private' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
```

So now my options are to either (1) set permissions for my temporary file so that it is not accessible by others, or (2) find a way to forward the credentials automatically when they are returned from the server.

Trying (1) first:

chmod 600 /tmp/lumpo.private will restrict my file so that the owner (me) has access to read/write but nobody else can do so. Retried sending ssh with private key after adding this permission restriction and success!
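An added example (mine, not from the notes) reproducing the check behind the warning above: OpenSSH refuses a private key when any group or other permission bit is set, so 0644 fails and 0600 passes. It creates and removes a throwaway file; the `lumpo.` prefix is only a nod to the file name used in this level.

```python
import os
import stat
import tempfile


def key_permission_problem(path):
    """Return None if the key file's mode is acceptable to ssh, otherwise a
    message in the style of its warning. ssh rejects any group/other bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return "Permissions %04o for '%s' are too open." % (mode, path)
    return None


def lock_down(path):
    """What `chmod 600` does: owner read/write, nothing for group or others."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed sample: a throwaway file set to 0644 (the mode the note hit),
    checked, locked down with chmod 600, and checked again."""
    fd, path = tempfile.mkstemp(prefix="lumpo.", suffix=".private")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = key_permission_problem(path)
        after_mode = lock_down(path)
        after = key_permission_problem(path)
        return before, after_mode, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, after_mode, after = demo()
    print("0644:", before)
    print("after chmod %04o:" % after_mode, after or "accepted")
```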

What could I have done better?

Instead of manually testing each listening port with openssl s_client, I should have figured out how to automate it because testing manually would not work for a large pool of ports.

Collaborative Projects

1. Homelab

What do I want to explore in this homelab and why?

  1. Pi with ESXi set up on ARM: to create manageable, low-budget hardware that is flexible and multi-use to host VMs

  2. Domain Controller: To understand Active Directory, DC hardening, and Windows Sys Admin.

  3. Malware Analysis Lab: To conduct static and dynamic (hybrid?) analysis and more efficiently triage threats.

  4. Linux Web Server: To gain a deeper understanding of Linux

  5. Custom Kali Box: Why not?

Notes on DC server

  • What is a Domain Controller?

A server that responds to authentication requests and verifies users — aka DC contains everything an attacker could possibly need to cause massive damage to your data or network, i.e. computer names, group policies (Windows AD only?).

The Domain Controller offers an additional security layer (is layer the right word here?) by managing membership on the network, often using Active Directory as its source of rights.

Active Directory = hierarchical directory service for Windows domain networks

Domain Controller = host(s) on the network that serves the Windows domain network

AD is the software. DC is the box.

Notes on Malware Analysis Lab

  • Windows 10 VM (home network)
  • Ubuntu VM (home network)
  • Undecided OS for SSH Honeypot (VPS)
  • ?
  • Linux Security Onion?
  • How else to capture macro malware, i.e. phishing attempts or malware hosted on a link in an email?

Follow-up Questions

  • What are witness nodes?
  • What is vCenter and when is it needed?
  • Why use an Intel NUC set up?

Individual Project(s):

Decide between Dopamine Tracker vs 3rd Party Tracker vs Creepy Stalker Tracker app?

Dopamine Tracker App: Mastery over Distraction

Users can create an account to track their non-work activities for the day. The app will then render a graph categorizing these activities as distraction- or mastery-based dopamine sources and offer a comparison with the previous day. The goal is to help neurodiverse people with addictive brain structures solidify positive habits and catch negative loops before they take hold. Similar to a habit tracker, but instead of tracking habits per day, this is more about offering a mirror.

3rd Party Tracker

Users can create an account to aggregate browsing privacy data. This app will allow you to visit a URL as if a real user had made the request and receive a triaged list of all the third-party cookies set by the website visited. The goal is to see where your information is going when you visit your favourite sites, aka the ones you do free labour for on a daily basis.

Creepy Stalker App

Users can create an account to stalk someone via their publicly available WhatsApp info. The app will log every time they come online and their shared location for one week in order to predict their schedule/location for the following week. The goal is to convince my friends that privacy is a civil right worth taking seriously right now.

#outlines #brainstorm