Beep - HTB

The following are a few takeaway points from the Beep box.

Image Enumeration

Download the image file from the site (the -k flag tells curl to ignore certificate checking, the same way it does for gobuster below), then read its metadata:

    curl -k https://url -o image.png   # -k ---> ignore certificate checking

    exiftool image.png

Linux-PAM

Pluggable Authentication Modules (Linux-PAM), which evolved from the Unix-PAM architecture, is a suite of shared libraries used to dynamically authenticate a user to applications (or services) on a Linux system.

Relevant configuration files: /etc/pam.d/password-auth and /etc/pam.d/system-auth

/proc/self/

The /proc/self/ directory is a symbolic link to the currently running process. In other words, it represents whichever process is reading /proc/self/.

If you run ls -l /proc/self you'll see the PID of ls itself, not of your shell.

/proc/self/status -> get the current user ID and group ID (the Uid: and Gid: lines list the real, effective, saved and filesystem IDs)
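
The following is an added example, not part of the original notes: it reads the current user and group IDs out of /proc/self/status without calling id(1) (handy when auditing a restricted shell where id is unavailable) and shows that /proc/self is resolved by whichever process opens it. It assumes a Linux /proc filesystem.

```shell
#!/bin/sh
# Added example, not part of the original notes: recover the identity of the
# current process from /proc/self/status without calling id(1), and show that
# /proc/self always points at the process that is reading it.

# Uid:/Gid: lines carry four numbers each: real, effective, saved, filesystem.
# Note that the "self" here is the awk process, which inherits the shell's ids.
proc_ids() {   # prints "ruid euid rgid egid"
    awk '/^Uid:/ { ruid = $2; euid = $3 }
         /^Gid:/ { rgid = $2; egid = $3 }
         END     { print ruid, euid, rgid, egid }' /proc/self/status
}

# readlink reports ITS OWN pid, not the shell's $$: /proc/self is resolved by
# the reader, which is why `ls -l /proc/self` shows the pid of ls.
proc_self_pid() { readlink /proc/self; }

# To inspect the shell itself, go through its pid rather than /proc/self
# (via /proc/self the reader would be awk, not the shell).
shell_name() { awk '/^Name:/ { print $2 }' "/proc/$$/status"; }

echo "ids from /proc/self/status: $(proc_ids)"
echo "id(1) says:                 $(id -ru) $(id -u) $(id -rg) $(id -g)"
echo "readlink saw pid $(proc_self_pid); the shell is pid $$ ($(shell_name))"
```

The two id lines printed by the block should agree; the pid seen by readlink will differ from $$ on every run.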

SSH Files

  • .ssh/authorized_keys – Holds the public keys of any clients authorised to log in to this account.
  • .ssh/id_rsa – Holds the private key for the client.
  • .ssh/id_rsa.pub – Holds the public key for the client.
  • .ssh/known_hosts – Holds the host keys (public keys) of hosts that the client has previously connected to.

A couple of caveats:

  • This is for OpenSSH; commercial SSH uses different file names and formats.
  • id_rsa covers keypairs generated using the RSA algorithm. If DSA is used the filename is id_dsa (likewise id_ecdsa and id_ed25519 for those key types).

Assuming an attacker has managed to compromise an account and gained access to the above SSH files, a simple way to launch a horizontal (lateral) attack is to get a list of servers the machine has connected to before. That list can be read from the known_hosts file, unless the client option HashKnownHosts is enabled, in which case each host name is stored as a salted HMAC-SHA1 hash (lines beginning with |1|) rather than in the clear.

Once the attacker has the list he can connect to those servers, assuming they are up and passwordless (passphrase-less) key-based SSH login to the hosts listed in known_hosts has been set up from the compromised account.

Administrators need to understand the risks of using SSH keys: protect private keys with a passphrase, hash known_hosts, and keep authorized_keys limited to the clients that actually need access.
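
The following audit script is an added example, not part of the original notes or the OpenSSH project: it checks the two client-side files discussed above from the defender's side, reporting which known_hosts entries are still readable host names versus hashed (|1|salt|hmac) entries, and whether a private key is passphrase-protected. All files it reads are constructed in a temporary directory; the key blobs are truncated placeholders that only carry the OpenSSH key header, and the hashed known_hosts line is a placeholder rather than a real HMAC.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit SSH client files.
#   1. known_hosts: plaintext entries (a readable list of past connections)
#      versus hashed "|1|salt|hmac" entries written when HashKnownHosts is yes.
#   2. id_rsa: is the private key protected by a passphrase?
# Everything below is constructed sample data in a temp directory.

WORK=$(mktemp -d)
KH="$WORK/known_hosts"; KEY_PLAIN="$WORK/id_rsa_plain"; KEY_ENC="$WORK/id_rsa_enc"

cat >"$KH" <<'EOF'
# constructed sample known_hosts; key blobs are truncated placeholders
10.10.10.7 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed
[internal.example]:2222,192.0.2.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhconstructed
|1|Y29uc3RydWN0ZWRzYWx0MTIzNDU2Nzg=|Y29uc3RydWN0ZWRobWFjdmFsdWUxMjM= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructed
EOF

# OpenSSH private key files start with the magic "openssh-key-v1\0" followed
# by length-prefixed cipher and KDF names; "none" means no passphrase.
u32be() { printf "\\000\\000\\000\\$(printf '%03o' "$1")"; }   # values < 256 only
ssh_string() { u32be "${#1}"; printf '%s' "$1"; }
openssh_key_file() {   # $1 = path, $2 = cipher name, $3 = kdf name (header only)
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        { printf 'openssh-key-v1\000'; ssh_string "$2"; ssh_string "$3"; } | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } >"$1"
}
openssh_key_file "$KEY_PLAIN" none none          # constructed: no passphrase
openssh_key_file "$KEY_ENC" aes256-ctr bcrypt    # constructed: passphrase-protected

# Print "<plain|hashed> <hostfield>" for every real entry in a known_hosts file.
classify_known_hosts() {   # $1 = known_hosts path
    awk '!/^[ \t]*(#|$)/ {
        f = ($1 ~ /^@/) ? $2 : $1                     # skip @cert-authority / @revoked markers
        t = (substr(f, 1, 3) == "|1|") ? "hashed" : "plain"
        print t, f
    }' "$1"
}
known_hosts_summary() {   # prints "<n> plain, <m> hashed"
    classify_known_hosts "$1" |
        awk '{ c[$1]++ } END { printf "%d plain, %d hashed\n", c["plain"], c["hashed"] }'
}
# Is a hostname readable from a plaintext entry? Hashed entries cannot be
# searched this way, which is exactly the protection HashKnownHosts gives.
plain_host_listed() {   # $1 = known_hosts path, $2 = hostname; exit 0 if found
    classify_known_hosts "$1" | awk -v h="$2" '$1 == "plain" {
        n = split($2, pats, ",")
        for (i = 1; i <= n; i++) {
            p = pats[i]
            sub(/^\[/, "", p); sub(/\]:[0-9]+$/, "", p)   # [host]:port -> host
            if (p == h) found = 1
        }
    } END { exit found ? 0 : 1 }'
}

key_is_encrypted() {   # $1 = key file; prints yes / no / unknown
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo yes; return; fi   # legacy PEM
    if ! grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then echo unknown; return; fi
    grep -v '^-----' "$1" | tr -d '\n' | base64 -d >"$WORK/decoded"
    len=$((0x$(od -An -v -tx1 -j15 -N4 "$WORK/decoded" | tr -d ' \n')))   # cipher name length
    cipher=$(tail -c +20 "$WORK/decoded" | head -c "$len")
    [ "$cipher" = none ] && echo no || echo yes
}

echo "known_hosts: $(known_hosts_summary "$KH")"
classify_known_hosts "$KH" | awk '$1 == "plain" { print "  readable host entry: " $2 }'
echo "id_rsa_plain encrypted: $(key_is_encrypted "$KEY_PLAIN")"
echo "id_rsa_enc encrypted:   $(key_is_encrypted "$KEY_ENC")"
# temp files are left in $WORK for inspection
```

Running it against a real ~/.ssh directory would mean pointing KH and the key paths at the actual files instead of the constructed ones; the interesting output is any readable host entry and any key reported as not encrypted.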

Gobuster -k flag

I encountered a problem when I was trying to perform directory busting using the famous tool gobuster. This had to do with SSL certificate verification.

To solve this, simply add the -k flag to the command, which skips certificate verification:

    gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.7/ -k

Enumerating PBX:

Tools: svmap and svwar

    svmap 10.10.10.7
    svwar -m INVITE -e200-600 10.10.10.7   # ---> identifies working extension lines on a PBX

Linux File descriptors:

These are integer numbers that uniquely identify an open file (or other I/O resource) held by a process.

    Standard In     stdin    0
    Standard Out    stdout   1
    Standard Error  stderr   2

    1>filename   # Redirect stdout to file "filename".
    2>filename   # Redirect stderr to file "filename".
    &>filename   # Redirect both stdout and stderr to file "filename" (functional as of Bash 4, final release).

    M>N
         # "M" is a file descriptor, which defaults to 1 if not explicitly set.
         # "N" is a filename.
         # File descriptor "M" is redirected to file "N".

    2>&1
         # Redirects stderr to stdout.
         # Error messages get sent to the same place as standard output.

    >>filename 2>&1
         bad_command >>filename 2>&1
         # Appends both stdout and stderr to the file "filename".

    2>&1 | [command(s)]
         bad_command 2>&1 | awk '{print $5}'
         # Sends stderr through a pipe.
         # |& was added to Bash 4 as an abbreviation for 2>&1 |.

Opening a file descriptor for reading and writing:

    #!/bin/bash
    FILENAME="/tmp/out.txt"
    # Open file descriptor 3 for reading and writing on /tmp/out.txt
    exec 3<>"$FILENAME"

    # Write to the file through fd 3
    echo "Today is $(date)" >&3
    echo "Fear is the path to the dark side. Fear leads to anger. " >&3
    echo "Anger leads to hate. Hate leads to suffering." >&3
    echo "--- Yoda" >&3

    # Close fd 3
    exec 3>&-
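
The following is an added example, not part of the original notes: it demonstrates the point the redirection table above only implies, namely that the shell applies redirections left to right (each one is a dup2() on the current state of the descriptors), so ">file 2>&1" and "2>&1 >file" give different results. The helper function noisy and all file contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original notes: why the ORDER of
# redirections matters. The shell applies them left to right, so
# "2>&1 >file" and ">file 2>&1" behave differently.

# Constructed helper that writes one line to stdout and one to stderr.
noisy() {
    echo "out: $1"
    echo "err: $1" >&2
}

# >file 2>&1 : fd 1 is pointed at the file first, THEN fd 2 is copied from
# fd 1, so both streams land in the file.
right_order() {
    tmp=$(mktemp)
    noisy y >"$tmp" 2>&1
    printf 'file=[%s]' "$(tr '\n' ';' <"$tmp")"
    rm -f "$tmp"
}

# 2>&1 >file : fd 2 is copied from the CURRENT fd 1 (our caller's stdout)
# first; only afterwards is fd 1 sent to the file. stderr therefore never
# reaches the file, which is the classic surprise in cron jobs and log wrappers.
wrong_order() {
    tmp=$(mktemp)
    noisy x 2>&1 >"$tmp"
    printf 'file=[%s]' "$(tr '\n' ';' <"$tmp")"
    rm -f "$tmp"
}

# The same ordering rule used on purpose: send ONLY stderr down a pipe and
# discard stdout, e.g. to filter a tool's error output.
only_errors() {
    noisy z 2>&1 >/dev/null | sed 's/^/captured /'
}

# Appending both streams to one log: the 2>&1 must come AFTER >>file.
append_both() {   # prints the number of lines that reached the log
    log=$(mktemp)
    noisy a >>"$log" 2>&1
    noisy b >>"$log" 2>&1
    wc -l <"$log" | tr -d ' '
    rm -f "$log"
}

echo "right_order:  $(right_order)"
echo "wrong_order:  $(wrong_order)"
echo "only_errors:  $(only_errors)"
echo "append_both:  $(append_both) lines"
```

In the wrong_order case the "err: x" line shows up on the caller's stdout (here inside the command substitution) while the file holds only "out: x;"; in the right_order case the file holds both lines.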
