So I’m working on a VM that looks to be exploitable via image upload.
It’s running apache and php, and has a custom made “upload image” form that leaves the images in a gallery. Should be easy enough, even for someone as inexperienced as me.
Well, today I learned not to use _halt_compiler() in an image based reverse shell attempt when I accidentally crashed PHP. Once the image was uploaded it instantly crashed all pages that load that image. DOH. As an upshot, I suppose this proves the PHP code is working though. Back to it.
If you’d like to try an attack like this, there’s currently one on Hack The Box, I believe.
In this post I’m going to try my hand at Basic Pentesting 1 by Josiah Pierce. For the purpose of this article, command line entries and results will be in italics.
First things first, let’s find it with nmap.
nmap 192.168.1.0/24 > nmap-network_results.
which (among other things) turned up the following VM, which was new to my network.
Nmap scan report for vtcsec.pyrrh1c.net (192.168.1.227)
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Interestingly, it looks like its hostname is vtcsec (made a note of that…). Aside from that, I see ftp, ssh, and http open. Let’s get some more details with nmap.
nmap -sV -O 192.168.1.227 > nmap-sv-o-results.txt
Which produced the following results.
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-05 11:32 EST
Nmap scan report for vtcsec.pyrrh1c.net (192.168.1.227)
Host is up (0.00094s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds
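The next step in the post is to take each service/version pair from that output and look it up by hand. As an added example (my own shell/awk code, not from the original post), here is a small script that turns nmap’s normal output into one record per open port and then derives the lower-cased "product version" strings that a searchsploit lookup takes, so an exposed-service inventory can be produced the same way for a whole subnet. The sample text is constructed from the scan above; the function names are mine.

```shell
#!/bin/sh
# Constructed sample: the -sV scan from the post in nmap's normal line layout.
NMAP_SAMPLE='Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-05 11:32 EST
Nmap scan report for vtcsec.pyrrh1c.net (192.168.1.227)
Host is up (0.00094s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel'

# open_services: read nmap normal output on stdin and print one line per open
# port as "host<TAB>port/proto<TAB>service<TAB>version". Works across several
# "Nmap scan report for ..." blocks, so a /24 scan gives one inventory.
open_services() {
    awk '
        /^Nmap scan report for / {
            # "for host (ip)" when a name resolved, "for ip" otherwise;
            # always record the IP so records line up with later scans.
            host = $5
            if ($NF ~ /^\(/) { host = $NF; gsub(/[()]/, "", host) }
            next
        }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            version = ""
            for (i = 4; i <= NF; i++) version = version (i > 4 ? " " : "") $i
            printf "%s\t%s\t%s\t%s\n", host, $1, $3, version
        }
    '
}

# product_versions: reduce each version banner to "product version", e.g.
# "ProFTPD 1.3.3c" -> "proftpd 1.3.3c", "Apache httpd 2.4.18 ((Ubuntu))" ->
# "apache 2.4.18". Ports scanned without -sV have no banner and are skipped.
product_versions() {
    open_services | awk -F'\t' '{
        n = split($4, w, " ")
        if (n == 0) next
        ver = ""
        for (i = 2; i <= n; i++) if (w[i] ~ /^[0-9]/) { ver = w[i]; break }
        if (ver != "") printf "%s %s\n", tolower(w[1]), ver
    }'
}

# Stand-alone demo on the constructed sample. Against a real scan:
#   nmap -sV 192.168.1.0/24 | product_versions
printf '%s\n' "$NMAP_SAMPLE" | product_versions
```

Each output line (for the sample: proftpd 1.3.3c, openssh 7.2p2, apache 2.4.18) is exactly the argument the post passes to searchsploit; piping the list through `sort -u` before looking anything up keeps a large scan manageable.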
Ok, now we’ve got the versions of the services. Let’s see if there’s any low hanging fruit here. I’ll check searchsploit for the FTP server.
searchsploit proftpd 1.3.3c
The output didn’t copy neatly to this blog format (I run URXVT, so it’s likely some unicode that won’t translate to ASCII neatly… whatever). I did find two options available; the one that interests me was “Backdoor Command Execution (metasploit)”. So let’s fire up metasploit and see what we can do.
Metasploit loads up
It runs and there it is: exploit/unix/ftp/proftpd_133c_backdoor! This should be easy enough then.
set rhost 192.168.1.227
Voila. I got a shell. Let’s see who I am.
I’m root. Well damn. That was easy. I’m quite certain there’s other ways in though. So next time I’ll try some other routes in. That’s all for now.
If you haven’t gone through parts one and two, you should definitely do so before proceeding. In this tutorial we will cover installing the rofi application launcher, installing the polybar toolbar, and doing some additional tweaking to the UI elements.
This is fairly simple. Running “apt install rofi” will get the program installed. Then you just need to edit your ~/.i3/config file. Look for the line “bindsym Mod1+d exec dmenu_run” and replace it with “bindsym Mod1+d exec rofi -show run”. Log out, back in, test it, and if it works… SNAP THE VM.
Start by installing the prerequisites. Run the command “apt install cmake cmake-data libcairo2-dev libxcb1-dev libxcb-ewmh-dev libxcb-icccm4-dev libxcb-image0-dev libxcb-randr0-dev libxcb-util0-dev libxcb-xkb-dev pkg-config python-xcbgen xcb-proto libxcb-xrm-dev libasound2-dev libmpdclient-dev libiw-dev libcurl4-openssl-dev libpulse-dev mpd libxcb-composite0-dev”
Once that is done, download polybar by running “git clone https://github.com/jaagr/polybar.git”, then build it by running “cd polybar && ./build.sh”. You will be prompted about what you want to install; I just say yes to everything, YMMV. Do your homework on that.
To actually turn on polybar, comment out the following section:
status_command i3status -t
Add the following line (possibly adjusting for your system):
exec_always --no-startup-id polybar pyrrh1c &
Once polybar is installed, you will need to configure it. I could write a lengthy tutorial on that… But for the sake of brevity you can just download my polybar config file and look at how it’s set up. This is the one piece I couldn’t reduce to an easy walk through. Basically, just make a folder in your .config folder called polybar, then copy the config file into it.
Install some additional Fonts
Polybar uses some special unicode characters. This doesn’t work well unless you install the appropriate fonts (mainly siji and unifont). You can install unifont by simply running “apt install unifont”. Install Siji by running the following commands:
git clone https://github.com/stark/siji.git
Once that’s done, add the following lines to your .bashrc file
xset +fp /root/.fonts
xset fp rehash
Compton is a desktop compositor. It basically helps glue things together. To get it running, just run “apt install compton”, then when it’s done edit your ~/.i3/config file and add the line “exec compton”. At this point your box should look somewhat like the one to the left.
Configure the Exit Sequence to Actually Exit
Edit your ~/.i3/config file. Look for the line starting with “bindsym Mod1+Shift+e exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.'” and change it to “bindsym Mod1+Shift+e exec i3-msg exit”. You will no longer be nagged when you want to exit.
That’s all for now. Stay tuned as I may do a more thorough overview for PolyBar at some point. Thanks for reading!
In this tutorial we will cover installing i3-gaps, the urxvt terminal emulator, feh, wal, and rofi. It’s assumed you went through part 1. If not, you may want to go read that now.
I’m not a fan of re-inventing the wheel. There’s a wonderful how-to for installing i3-gaps on Ubuntu that works well for Kali. Head over and follow it, then come back… Done? Great. Now reboot. At the login screen enter the username, then after hitting next you’ll see a gear.
You’re now logged into the i3 window manager. This is a different world than most window managers. You will be very VERY well served by learning the basic commands and what they do. Take a few minutes to go over the i3 Reference Card and learn how to open up new terminal windows.
So you have probably noticed the ugly red error message by now. That’s a result of the i3 status bar being referenced but not installed. There are several options available for status bars (the i3 bar, polybar, lemon bar, etc.); this series will just add the basic status bar for now. Maybe polybar later. We’ll see.
So go ahead and open a terminal window (usually by hitting [alt] + [enter]) and enter the following command: apt install i3status. Once that’s done, log out ([alt] + [shift] + [e]) and back in. You should now see the red/white/green status bar. i3 is now ready to go in its most basic form.
Replace the default console app with URXVT
The default terminal doesn’t offer much flexibility so I like to replace it. My terminal of choice is URXVT. Install the URXVT terminal by running apt install rxvt-unicode.
Take a Snapshot!
Things are about to start getting messy. Snapshot now or proceed at your own peril. 😉
Make URXVT the Default Terminal in i3
I’ll assume you know how to edit text files in Linux. If not, here’s a link to using vi. I won’t lie though, if you are trying to Rice Kali Linux, and you don’t know how to edit a text file, I genuinely wonder how you ended up here. 😉
Anyway, edit the i3 config file which is ~/.i3/config. In there, find the line “bindsym Mod1+Return exec i3-sensible-terminal” and replace it with “bindsym Mod1+Return exec /usr/bin/urxvt”. Once it’s saved exit out of all terminal windows and reload the i3 config by pressing [alt]+[shift]+[r].
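The same “find this bindsym line and replace it” step comes up three times on this page: for rofi and for the exit shortcut in Part 3 above, and for the terminal here. As an added example (my own code, not from the posts; the function name, the .bak convention and the constructed sample config are assumptions), here is a shell helper that does the replacement with a backup copy and refuses to run when the line is missing, so a typo in the key combination cannot silently leave the old binding in place:

```shell
#!/bin/sh
# i3_rebind CONFIG KEYS COMMAND
#   Rewrites the line "bindsym KEYS exec <anything>" in CONFIG to
#   "bindsym KEYS exec COMMAND". A .bak copy is kept so a broken edit can be
#   rolled back; if no such line exists the file is left untouched and the
#   function returns 1.
i3_rebind() {
    config=$1; keys=$2; cmd=$3
    cp "$config" "$config.bak" || return 1
    # KEYS and COMMAND go through the environment rather than awk -v so that
    # backslashes, quotes and dashes (e.g. "rofi -show run") are taken literally.
    REBIND_KEYS="$keys" REBIND_CMD="$cmd" awk '
        BEGIN { prefix = "bindsym " ENVIRON["REBIND_KEYS"] " exec " }
        index($0, prefix) == 1 { print prefix ENVIRON["REBIND_CMD"]; hit++; next }
        { print }
        END { exit (hit ? 0 : 1) }
    ' "$config.bak" > "$config" || {
        cp "$config.bak" "$config"
        echo "i3_rebind: no 'bindsym $keys exec' line in $config, left unchanged" >&2
        return 1
    }
}

# demo_rebinds: apply the three rebinds from the posts to a constructed config
# (a few lines in the shape of the stock ~/.i3/config) and print the result.
demo_rebinds() {
    cfg=$(mktemp) || return 1
    printf '%s\n' \
        'bindsym Mod1+Return exec i3-sensible-terminal' \
        'bindsym Mod1+d exec dmenu_run' \
        'bindsym Mod1+Shift+e exec "i3-nagbar -t warning -m Exit?"' \
        'gaps inner 10' > "$cfg"
    i3_rebind "$cfg" 'Mod1+d' 'rofi -show run'
    i3_rebind "$cfg" 'Mod1+Return' '/usr/bin/urxvt'
    i3_rebind "$cfg" 'Mod1+Shift+e' 'i3-msg exit'
    cat "$cfg"
    rm -f "$cfg" "$cfg.bak"
}

demo_rebinds
# On the real file: i3_rebind ~/.i3/config 'Mod1+Return' '/usr/bin/urxvt'
# then reload i3 with [alt]+[shift]+[r] as described above.
```

The whole remainder of the line after “exec ” is replaced, so it handles the quoted i3-nagbar line from the exit-shortcut step as well as the one-word dmenu_run and i3-sensible-terminal lines. Keep the .bak around until the reload in i3 actually works.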
Remove the URXVT Scroll Bars and Apply Transparency
Create the file ~/.Xdefaults, and in it enter the following lines to get rid of the scrollbar and apply transparency (NOTE THE CAPITAL “B” in scrollBar!!!):
URxvt*scrollBar: false
URxvt*transparent: true
URxvt*shading: 40
Install feh to Add a Wallpaper
Download a wallpaper you like, and save it somewhere easy to access.
(I’ll leave how you download it up to you…) I usually put it in /wallpapers and name it wallpaper.png or something similar. Install feh by running “apt install feh”. Once it’s done, edit your ~/.i3/config file to add the line exec --no-startup-id feh --bg-scale '/wallpapers/wallpaper.jpeg'. You now have a scaled background each time you log in. That said, the text is kind of an odd color. Let’s fix that.
Install and Configure PyWal
Running feh without pywal can make for some ugly (and possibly unusable) color schemes for the terminal. To fix that we use PyWal. Install python3-pip by running “apt install python3-pip”, then install pywal by running “pip3 install pywal”. Once that’s done, add the following lines at the end of your .bashrc (according to the documentation you should put this in the .i3/config file but it NEVER LAUNCHES FOR ME!!!):
wal -i /wallpapers/wallpaper.jpeg
clear
Tighten up Those Gaps!
The tutorial is good, but I prefer a smaller gap.
So edit your ~/.i3/config file and update the following lines:
gaps inner 10
gaps outer 0
We made some serious progress here. We installed i3, the i3 status bar, URXVT, feh, and PyWal. We also configured some transparency and colors. Stay tuned for Part 3 where we’ll dig a little deeper and install rofi, polybar, and other fun stuff! Follow @_pyrrh1c_
In this tutorial I’m going to show you the basic techniques I use when ricing Kali Linux. But in case you don’t already know, let’s explain what ricing is first. Urban Dictionary defines ricing like this: “Ricing: To rice, or to soup up a crappy car with the mistaken idea that type ‘R’ stickers and performance yellow paint make it go faster.” In the spirit of that, the tweaks explained here don’t technically make Kali a more effective offensive security platform in and of themselves, but I find they make the interface easier to use, hence they boost my productivity. Let’s be honest, who doesn’t like a customized environment?
You can obtain the latest builds (ISO Images, OVA templates, etc.) from the Kali Linux download page or from the Offensive Security downloads page. For this tutorial, I’m going to deploy Kali virtually using VirtualBox. For the remainder of the tutorial, I’ll assume you are doing the same thing. You can obtain VirtualBox from their download page.
Since we’re using VirtualBox, I downloaded and imported the 2018.4 OVA template from Offensive Security. If you need help doing that, take a look at the documentation. I named my machine “Pyrrh1c Linux” to differentiate it later from a stock Kali VM.
Immediately after you import the OVA, take a snapshot of the VM. I usually name it something like “VM Imported”. This allows me to undo any changes since the last snapshot was taken, which is important because mistakes happen, and it’s nice to only have to do one step over again instead of numerous.
Power on the machine, and you will shortly be at the login screen. No install required! If you are following along and doing a traditional install of Kali and need some pointers for the install process, you may want to take a look at the Kali Linux Official Documentation.
Initial OS Preparations
Open up a terminal window and run the commands “apt update”, then “apt upgrade”. This ensures you have all the latest packages on your install. Go pour out a glass of Kraken, this will take a minute… When you get to the step that asks about grub, use the space bar to select /dev/sda and hit OK.
Ready to Go
With the OS installed and updated we are ready to get started customizing. Part 2 will cover installing the i3 window manager, feh, wal and rofi. That’s all for now!
Got into the shop and (crudely) built out the next part of the light arm. I have a seemingly endless supply of scrap 3/4″ plywood laying around, so that’s what I used. Made the lower part of the rotating mechanism 10 cm square then rounded the corners for effect. The vertical part of the rotating mechanism is a simple 10cm by 12 cm. I recessed the servo just like last time. Finally, I attached a 1/2″ x 1/2″ piece of scrap basswood to the vertical axis servo. Ugly as sin, but it works well enough.
Here you can see the unit disassembled into its two pieces. To assemble it I just slide the servo horn onto the shaft.
Here’s the unit assembled. the top portion spins on the X axis and the arm spins on the Y axis. I’m going to attach the photo resistors to a mechanism at the end of the arm.
I love my little Pi Zero W’s, and I love Kali. So why not combine the two? So here’s a post about Installing Kali Linux on a Raspberry Pi Zero W. I’ve done this before, and it’s reasonably well documented elsewhere, but I hate googling for all the pieces each time I do this so I figured I’d make a blog post documenting it all for the future so I’ve got all the links in one place
FWIW, I do most of my daily driving on Windows because that’s what I use at work. Hence this will be written for a Windows PC. It’s also high level because honestly, this is easy and if your goal is to install Kali on an rpi0w, you probably don’t need much hand holding. 😉
Raspberry Pi Zero W
Micro SD Card (8GB or bigger)
Accessories for Raspberry Pi Zero (Micro USB to full size USB, Micro HDMI to HDMi, Micro USB power supply, etc.)
So I recently learned just how easy it is to do GPIO on the Raspberry Pi. So I tried it. I already had several Zero W’s, but none with headers. So during my last trip to Micro Center I picked one up with the headers. I put Raspbian on it and was ready to go. After some quick Googling I found an example. Got that running and can now interact with GPIO in Python… Total time spent about 15 minutes… Can’t beat that.
All that said, I see this as being useful for overlapping, but not identical purposes to Arduino. I think they will work together nicely for me in the future.
Finally got to the workshop! Built the base unit for the probe. Nothing sexy, but very much functional. It’s a 10 cm round piece of 3/4″ birch furniture grade plywood. (Scraps from a past project). Below it are two strips of 1/2″ basswood cut to 8 cm and screwed on with countersunk 1″ wood screws. Only took about 20 minutes start to finish.
The build went like this:
Measured the servo, and plotted out where it needed to go on the board.
Cut a circle using my table saw and a guide (my circle jig).
Routed out the hole for the servo with a Dremel.
Cleaned up the hole with a tiny file.
Carved out a groove for the cables with a round chisel and hammer.
Cut the two 8 cm basswood pieces.
Pre-drilled two 1/16″ holes for the wood screws.
Counter sunk the holes deep enough so the screw heads are recessed.
Placed in the servo.
It’s snug enough that I don’t really need to use the screw mounts for what I’m doing.
Like I said, not sexy. But it’s very stable, does the job, and cost me nothing but time. All said and done. I like it.
Version 2 might have the base plate carved into the Pyrrh1c logo…