Lessons learned from lab.pentestit.ru #11 [MINOR SPOILER]



Alright fellow readers, today we want to share our adventure while trying to score a top position on Lab Pentestit Ru 11th edition... We actually succeeded 👊 but our feeling is that we could have done much better 👎.

On the positive side of things, we had a great amount of experience and fun. In my opinion, it was mostly non-technical skills we were lacking to rank higher (not to say we are uber leet hackers either, but at least we had enough knowledge to complete the tasks). Let's see what we learned from this journey.

Skip the blog post if you are a tech-only addict.

#1 Search... search everything*

We lost a great amount of time on a specific flag (called a "token" in this lab). Actually, 60% of our overall time lost was due to being stuck on this machine. After the end of the competition, we had the opportunity to discuss with other challengers. What we learned is that we could have avoided this by simply firing up a search engine and researching the info we had in our hands... doh! Yeah, I know it sounds dead simple and basic. But we did not do it. And we failed.

Time lost: 6 to 7 hours
Lesson learned. The #1 hacking tool is the web search engine.

*You are encouraged to use a privacy-conscious search engine for this purpose, such as DuckDuckGo, StartPage or Searx.


#2 It's a war!

In this lab we had to compete against other players, but also against less "fair-play" hackers, so to say. For instance, one of the bottlenecks of the lab was an RDP machine. As you may know, an RDP session is limited to a single user on Windows desktop OSes. While some gentlemen 💂 were organizing themselves in groups to share time-frames among themselves... others were jumping in randomly and disrupting work 👹.

So we had to adapt... 

War-machine: Creating an RDP hijack script

Since the machines were rebooting every hour, we decided to create a script sending automated keystrokes to the X session, to be the fastest to connect and change the default password of the user! We used `xdotool` for that. In practice, this was not really effective: the script would probably need multiple threads, a connection loop and some kind of detection of a valid connection before firing the keys to be more efficient. But anyway, thanks to this event we are now more literate in writing keyboard and mouse scripts. I'm quite sure it will be useful someday...

```
windowfocus FreeRDP
getactivewindow windowmove 5 y
getactivewindow windowmove 100 100
mousemove 150 150 click 1
sleep 1
key c
key m
key d
key KP_Enter
sleep 1
key n
key e
key t
key space
key u
key s
key e
key r
key space
key a
key d
key m
key i
key n
key space
key T
key r
key 0
key L
key l
key l
key l
key z
key space
key T
key r
key 0
key L
key l
key l
key l
key l
key z
key KP_Enter
```


Peacemaker: Enabling multiple RDP sessions

Alternatively, if you happen to have admin rights on the machine and want to be at peace with others, you can enable multiple RDP sessions on the Windows workstation and create a new user account for yourself. But who would bother to do that when you can just change the password with the hint "you haven't said the magic word" and prevent others from competing?

Strategy 101: Wrong order of flag / token registration

This one is totally irrelevant in a real pentest scenario, but I liked it so much that I need to mention it. After finding your first flag, you realize quite fast how they are linked together (token X > token Y). Since token registration is public, you can use that broadcast to plant fake token paths in other competitors' minds, i.e. instead of directly registering the easy first token X, which grants access to token Y, you first register token Z, which cannot be obtained without tokens X and Y. If you check the stats page of this pentest lab now, the first token is obvious. But we can tell you that during the first weeks, when only a dozen guys were competing for the top places, it was not. And this simple move could have given you an edge over your competitors.

Is the order from this small box correct? Who knows...

Ninja-fu: Spying on others

One of the difficult flags was helped by checking what others were up to on the same machine and picking up hints. This was made possible by the fact that all attackers used a shared user account. I know it's kind of cheating and defeats the purpose of learning, but at least by doing that you get a grasp of the tools and methods used by others and you can learn their techniques.

Weapons used during operations:
`who -a`: check who is connected, from where, and running what... just perfect.
`ps -U shareduser x` and `pstree -p shareduser`: check what your enemy is running and the related command lines.
`ls -alRh /tmp`: check their playground files.
`cat ~/.bash_history` and log files (nano_history, viminfo, auth.log...): check what they have done previously.
`screen -ls && tmux ls` then attach: check their screens' output.
`which gdb && which strace`, used on their terminal processes: check what is written to or read from their terminals.


As a countermeasure, you can: stop using /tmp and use less obvious locations like /dev/shm or other places (`find / -type d -perm /o+w 2>/dev/null -exec ls -alhd {} +`), stop using screen or tmux on shared servers, run `set +o history` to disable bash history or clean sensitive stuff with `history -c` after issuing commands, and do the same for the vi / nano logs. I am not aware of techniques to avoid the other spying methods mentioned, but you might give your shell binary a fake name so they won't debug it.

Fuckyou-fu: Total disruption

This is an ancient kung-fu which is banned from our repertoire. But as we were subject to it... It is of course possible to kill the shared user's `ssh -D` session which others use for pivoting deeper into the lab. Simply list the processes of the other users' ttys with `ps -u $(whoami) | grep -v $(tty | cut -d / -f3-4)` and `kill -9 $processid` their terminals. They will be kicked out. You can find your own tty with... `tty` 👏 so that you don't kick yourself. Other, stronger evil spirits used forbidden arts like completely removing the flag / token or DoSing the bottleneck servers. We did not use anything from this paragraph. Samurais fight with honor 😤.

Destroy!!!

Trying to hack others :]

This is why you should use iptables in a VPN lab. Can we reach other competitors? It seems that the labpentestit team had good firewalling and isolation between clients. So you could not connect to others through the VPN from your VPN client IP, nor through the target servers. The bad part of this is that you could not get a direct reverse shell to your client either. SSH GatewayPorts was disabled as well (in sshd_config), so without root there was no `ssh -R` tunneling for playing. Worth mentioning: we recently had some fun in real-world pentests stealing SSH agent socket connections. But we did not test this during the lab. It would have been fun.



Time lost: 2 to 3 hours
Lesson learned. We made our first steps into counter-hacking.


#3 Human mistakes

Another great amount of time was lost due to two human issues:

1. Relying on assumptions

It's better explained with an example: you think a SQL injection is blind, based on a related vulnerability advisory. You then fire up sqlmap in blind mode (`--technique=B`) and exploit it, which is kind of slow. In practice, if you had tested the vulnerability manually you would have realized the SQL injection was not blind at all, due to several other "factors" (yes, avoiding spoilers here 👺). Simply testing the injection manually could have won us a few hours. Damn...


2. Falling deep deep deep (deep) down a hole 

It's better explained with an example: after enumeration you suspect a vulnerability but you cannot prove it (the banner is missing). So you start trying to exploit it. But there are several versions of this exploit, so you try them all. But there might also be several versions of the software running, so you try to adapt the exploit(s) for all version(s). But what if the server is... Wait! Dude! I can't see you from there!!! You totally fell down that rabbit hole. You completely missed that the door to the server was open: another vulnerability was available. Damn bis...

Time lost: too much.
Lesson learned. Never assume, test and don't get too focused.
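To illustrate the first mistake, here is an added Python example (not code from the lab or the original post) built on a constructed in-memory SQLite table: a string-concatenated lookup that echoes database errors back to the caller, the parameterised fix, and a small manual check that tells an error-echoing or in-band injection apart from a truly blind one.

```python
import sqlite3


def make_db():
    """Constructed sample data, not the lab's: a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation plus the DB error echoed to the caller:
    the 'not blind at all' situation described in the post."""
    query = "SELECT name, role FROM users WHERE id = '" + user_id + "'"
    try:
        return {"rows": conn.execute(query).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


def lookup_safe(conn, user_id):
    """Hardened version: the input is bound as data, never parsed as SQL."""
    rows = conn.execute("SELECT name, role FROM users WHERE id = ?",
                        (user_id,)).fetchall()
    return {"rows": rows, "error": None}


def classify(conn, lookup):
    """Two manual probes before reaching for a slow blind technique:
    a lone quote (is the error visible?) and a tautology (do extra rows
    come back?). Any visible effect means the injection is not blind."""
    err = lookup(conn, "1'")["error"]
    tautology = lookup(conn, "1' OR '1'='1")["rows"]
    if err is not None:
        return "error-based (errors are echoed, not blind)"
    if len(tautology) > 1:
        return "in-band (extra rows returned, not blind)"
    return "no visible effect (blind at most)"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", classify(db, lookup_vulnerable))
    print("safe:      ", classify(db, lookup_safe))
```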


#4 Teamwork forever

I was always convinced that a super leet guy cannot compete against two random simple dudes. I could not have been more right for this competition. First, without hiding anything, we can say that we did this challenge as a group of 2 people 👬. What's interesting is that we started individually and made progress solo. After being stuck and watching the competitors' progression we decided to unite. For me it was clear that (i) we sped up our progression exponentially by joining forces and, most notably, (ii) I could have been stuck for years on things my teammate found quite fast, and vice versa (?). Also, apart from conferences, meeting experienced pentesters is quite rare, so by sharing two lifetimes of experience you become much stronger.

Time won: days.
Lesson learned confirmed. Teamplay rocks, put ego aside, try it.

#Extra: New tools adopted

While sharpening our skills, we had the opportunity to test new tools. Some were complete crap, some were really useful. Here is a short list of tools we adopted in our day-to-day pentests following this challenge:


reGeorg
https://github.com/sensepost/reGeorg
Description: this tool is a total killer and leet. I feel ashamed for not knowing it before. For me, it's by far the best tool I learned about during this challenge. This is a server script (several languages are available) which proxies your traffic via SOCKS over HTTP/HTTPS requests. In other words, you don't need to fight with the firewall anymore: just use the already accessible TCP port and pwn. The PHP script version has an issue due to dynamic module loading; just remove the line `dl("php_sockets.dll");` to make it work.
Tool replaced: egress_buster.py 

Dirsearch
https://github.com/maurosoria/dirsearch
Description: I think everyone agrees this is the best file/folder enumeration tool as of today. It is fast, has a flexible syntax, a lot of customization options (like multiple file extensions), supports proxies, colors :), error code filtering... If you need more customization then use wfuzz.py.
Tool replaced: dirb, wfuzz.py

patator.py
https://github.com/lanjelot/patator
Description: The simple combo of user enumeration, custom wordlist generation and fast brute-force capability is quite powerful in real life. This was also true in this lab, where a good number of footholds were achieved using smart brute force. This requires good tooling. Are you tired of using hydra-wizard to get the syntax correct? Having SSL issues in hydra? Do you find the http module of hydra totally lacking? Do you want to stick to the same super flexible tool for all your brute forcing? Then welcome to the club! Join us and git clone patator. This tool is awesome. It has a simple syntax and you will get exactly what you want without spending time reading the help menu. Trust me. Flexible + simple = WIN. It is so flexible it can DNS brute... Can you do that with hydra? Nope.
Tool replaced: hydra

Our feelings about the Lab #11


This lab is great! First, let's thank the labpentestit guys for managing and running it for free, being available on weekends and doing it for learning purposes. We do recommend the experience. It is not as close to a real company infrastructure as we would like, but it's close enough. It is not "fire metasploit and win" either. So you will earn a good amount of pentest experience just by trying it. Have fun!
