https://blog.s4yhii.com/tags/rce/ Recent content in Rce on s4yhii's blog https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E Hugo -- 0.155.3 en-us Tue, 10 Jan 2023 12:00:00 -0400 https://blog.s4yhii.com/posts/2023-01-10-aws-cloudgoat-lab/ Tue, 10 Jan 2023 12:00:00 -0400 https://blog.s4yhii.com/posts/2023-01-10-aws-cloudgoat-lab/ <h1 id="cloudgoat-rce_web_app-scenario">Cloudgoat RCE_WEB_APP Scenario</h1> <h2 id="introduction">Introduction</h2> <p>CloudGoat is a training and learning platform developed by Rhino Security Labs to help individuals and organizations understand the risks and vulnerabilities associated with cloud-based applications. One of the scenarios available on CloudGoat is the RCE_web_app scenario, which allows users to practice exploiting remote code execution vulnerabilities in a web application running on the cloud.</p> <p>In this blog post, we will walk through the RCE_web_app scenario in CloudGoat and provide a step-by-step guide on how to exploit the vulnerability and gain access to the application&rsquo;s backend. We will also discuss the significance of this vulnerability and how it can be prevented in real-world scenarios. By the end of this post, you should have a better understanding of the risks and challenges associated with web application security in the cloud and how to mitigate them. So, let&rsquo;s get started!</p> https://blog.s4yhii.com/posts/2021-11-15-jarvis-htb/ Mon, 15 Nov 2021 12:00:00 -0400 https://blog.s4yhii.com/posts/2021-11-15-jarvis-htb/ <p><strong>Machine IP</strong>: 10.10.10.143</p> <h3 id="reconocimiento">Reconocimiento</h3> <p>Primero hacemos un escaneo de puertos para saber cuales están abiertos y conocer sus servicios correspondientes</p> <h3 id="nmap">Nmap</h3> <p><img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/htb/jarvis/nmap.png"></p> <p>Como vemos tiene el puerto 80 abierto, que es el http, veremos en el navegador de que se trata y analizaremos la web.</p> <h3 id="wappalyzer">Wappalyzer</h3> <p>Usando la extensión wappalizer para identificar las tecnologías usadas en la web, encontramos que la web está usando phpmyadmin version 4.8</p> <p><img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/htb/jarvis/wappa.png"></p> <p>Al hacer un poco de research encontramos la siguiente vulnerabilidad <a href="https://www.exploit-db.com/exploits/50457">phpMyAdmin 4.8.1 - Remote Code Execution (RCE)</a> , que se aprovecha del ejecutar comandos a traves de parametros sql.</p> https://blog.s4yhii.com/posts/2021-09-08-lame-htb/ Wed, 08 Sep 2021 12:00:00 -0400 https://blog.s4yhii.com/posts/2021-09-08-lame-htb/ <h2 id="enumeración">Enumeración</h2> <p><strong>System IP: 10.10.10.3</strong></p> <h2 id="matriz-de-la-maquina">Matriz de la maquina</h2> <p>Esta matriz nos muestra las características de explotación de la maquina.</p> <p><img alt="Matriz de la maquina" loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/htb/lame/matrix.png"></p> <p><strong>Enumeración de servicios</strong></p> <table> <thead> <tr> <th>Server IP Address</th> <th>Ports Open</th> </tr> </thead> <tbody> <tr> <td>10.10.10.3</td> <td><strong>TCP</strong>: 21,22,139,445,3632</td> </tr> </tbody> </table> <p><strong>Nmap Scan Resultados:</strong></p> <p>Usando el siguiente comando para enumerar las versiones y servicios que corren en cada puerto luego de hacer un escaneo de puertos abiertos.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap -A -n -Pn -p21,22,139,445,3632 10.10.10.3 </span></span><span class="line"><span class="cl">Host discovery disabled <span class="o">(</span>-Pn<span class="o">)</span>. All addresses will be marked <span class="s1">&#39;up&#39;</span> and scan <span class="nb">times</span> will be slower. </span></span><span class="line"><span class="cl">Starting Nmap 7.91 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2021-08-28 21:12 EDT </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.10.3 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.12s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">21/tcp open ftp vsftpd 2.3.4 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ftp-anon: Anonymous FTP login allowed <span class="o">(</span>FTP code 230<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ftp-syst: </span></span><span class="line"><span class="cl"><span class="p">|</span> STAT: </span></span><span class="line"><span class="cl"><span class="p">|</span> FTP server status: </span></span><span class="line"><span class="cl"><span class="p">|</span> Connected to 10.10.14.2 </span></span><span class="line"><span class="cl"><span class="p">|</span> Logged in as ftp </span></span><span class="line"><span class="cl"><span class="p">|</span> TYPE: ASCII </span></span><span class="line"><span class="cl"><span class="p">|</span> No session bandwidth limit </span></span><span class="line"><span class="cl"><span class="p">|</span> Session timeout in seconds is <span class="m">300</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Control connection is plain text </span></span><span class="line"><span class="cl"><span class="p">|</span> Data connections will be plain text </span></span><span class="line"><span class="cl"><span class="p">|</span> vsFTPd 2.3.4 - secure, fast, stable </span></span><span class="line"><span class="cl"><span class="p">|</span>_End of status </span></span><span class="line"><span class="cl">22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">1024</span> 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd <span class="o">(</span>DSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ <span class="m">2048</span> 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn Samba smbd 3.X - 4.X <span class="o">(</span>workgroup: WORKGROUP<span class="o">)</span> </span></span><span class="line"><span class="cl">445/tcp open netbios-ssn Samba smbd 3.0.20-Debian <span class="o">(</span>workgroup: WORKGROUP<span class="o">)</span> </span></span><span class="line"><span class="cl">3632/tcp open distccd distccd v1 <span class="o">((</span>GNU<span class="o">)</span> 4.2.4 <span class="o">(</span>Ubuntu 4.2.4-1ubuntu4<span class="o">))</span> </span></span><span class="line"><span class="cl">Service Info: OSs: Unix, Linux<span class="p">;</span> CPE: cpe:/o:linux:linux_kernel </span></span></code></pre></div><h2 id="identificación-de-vulnerabilidades">Identificación de vulnerabilidades</h2> <p>Como podemos observar, en el puerto 445 corre la version 3.0.20 de samba, entonces hacemos una búsqueda en searchsploit con el comando searchsploit samba 3.0.20.</p> https://blog.s4yhii.com/posts/2021-08-28-knife-htb/ Sat, 28 Aug 2021 12:00:00 -0400 https://blog.s4yhii.com/posts/2021-08-28-knife-htb/ <p><strong>Machine IP</strong>: 10.10.10.242</p> <p><strong>DATE</strong> : 28/08/2021</p> <h2 id="matriz-de-la-maquina">Matriz de la maquina</h2> <p>Esta matriz nos muestra las características de explotación de la maquina.</p> <p><img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/htb/knife/matrix.png"></p> <h2 id="reconocimiento">Reconocimiento</h2> <p>Primero hacemos un escaneo de puertos para saber cuales están abiertos y conocer sus servicios correspondientes</p> <h2 id="nmap">Nmap</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-console" data-lang="console"><span class="line"><span class="cl"><span class="go">┌──(j3sm0n㉿kali)-[~] </span></span></span><span class="line"><span class="cl"><span class="go">└─$ nmap -sC -sV 10.10.10.242 148 ⨯ 1 ⚙ </span></span></span><span class="line"><span class="cl"><span class="go">Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-07 02:03 EDT </span></span></span><span class="line"><span class="cl"><span class="go">Nmap scan report for 10.10.10.242 </span></span></span><span class="line"><span class="cl"><span class="go">Host is up (0.11s latency). </span></span></span><span class="line"><span class="cl"><span class="go">Not shown: 998 closed ports </span></span></span><span class="line"><span class="cl"><span class="go">PORT STATE SERVICE VERSION </span></span></span><span class="line"><span class="cl"><span class="go">22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) </span></span></span><span class="line"><span class="cl"><span class="go">| ssh-hostkey: </span></span></span><span class="line"><span class="cl"><span class="go">| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA) </span></span></span><span class="line"><span class="cl"><span class="go">| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA) </span></span></span><span class="line"><span class="cl"><span class="go">|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519) </span></span></span><span class="line"><span class="cl"><span class="go">80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) </span></span></span><span class="line"><span class="cl"><span class="go">|_http-server-header: Apache/2.4.41 (Ubuntu) </span></span></span><span class="line"><span class="cl"><span class="go">|_http-title: Emergent Medical Idea </span></span></span><span class="line"><span class="cl"><span class="go">Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="go">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span></span><span class="line"><span class="cl"><span class="go">Nmap done: 1 IP address (1 host up) scanned in 23.02 seconds </span></span></span></code></pre></div><p>Como vemos tiene el puerto 80 abierto, que es el http, veremos en el navegador de que se trata y analizaremos la web</p>