added a few more old posts
baloraura committed Jan 9, 2025
1 parent 9ba2300 commit c31b2c5
Showing 27 changed files with 2,697 additions and 140 deletions.
3 changes: 2 additions & 1 deletion _config.yml
Expand Up @@ -24,8 +24,9 @@ description: >- # this means to ignore newlines until "baseurl:"
A cybersecurity student writing about cybersecurity things
baseurl: "" # the subpath of your site, e.g. /blog
url: "" # the base hostname & protocol for your site, e.g. http://example.com
twitter_username: jekyllrb
# twitter_username: jekyllrb
github_username: LukeGearty
linkedin_username: luke-gearty

# Build settings
theme: minima
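Review bot: `url: ""` and `baseurl: ""` in the unchanged context of this hunk are still empty; minima uses `url` to build absolute links for the feed, canonical and Open Graph tags, so it should be set to the site's real address in the production `_config.yml` (or in an override file passed with `--config`). The commented-out `# twitter_username: jekyllrb` line is the Jekyll starter placeholder rather than a real handle, so deleting it outright is cleaner than keeping it as a comment.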
204 changes: 204 additions & 0 deletions _posts/2023-05-02-cyborg_walkthrough.markdown
@@ -0,0 +1,204 @@
---
layout: post
title: "Under the Wire Cyborg Walkthrough"
date: 2023-05-02 17:53:33 -0500
categories: [post, hacking]
tags: [post, hacking]
---

In this post, I am going to be continuing my PowerShell training with a walkthrough of Under the Wire’s Cyborg. The goal of each level is to find the password for the next level using PS. I already have a walkthrough of the previous game, Century. To play these games, you will need an SSH client. I used the recommended Putty.


Cyborg 0
The credentials to join the game are on UTW’s slack channel. I connected to cyborg.underthewire.tech on port 22, and entered the username and password. After I did that, I was in, and was ready to start playing the game.



Cyborg 1

“The password for cyborg2 is the state that the user Chris Rogers is from as stated within Active Directory”

The state referred to the actual state of the United States, not whether the user was enabled or disabled.

This one required that I find an Active Directory user, which I did with the ‘Get-ADUser’ cmdlet. However, by default that only gave me a limited amount of information.


I needed to specify one more thing, the state that the user was in. To do that, I just added ‘-Properties State’ to the cmdlet.


With kansas being the password, I went to the next round.

Cyborg 2

“The password for cyborg3 is the host A record IP address for CYBORG718W100N PLUS the name of the file on the desktop.”

DNS maps IP addresses to hostnames. Host A records are just the IPv4 addresses of the hostname.

The first thing I did was use ‘Get-ChildItem’ to see the file on the Desktop, which was _ipv4. I could have also used ‘ls’ or ‘dir’.


I then used get-help to see if there were any cmdlets like dig or host that would return DNS records. I found a cmdlet named ‘Resolve-DNSname’, which was exactly what I needed.


The password was 172.31.45.167_ipv4

Cyborg 3

“The password for cyborg4 is the number of users in the Cyborg group within Active Directory PLUS the name of the file on the desktop.”

I used ‘Get-ChildItem’ to see the file.


And then I just had to get the users in the group ‘cyborg’. I used a few cmdlets for that. ‘Get-ADGroup -Filter ‘Name -eq “cyborg”’’ will look for the group with the name ‘cyborg’. ‘Get-ADGroupMember’ gets the users in that group. ‘Measure-Object’ will count how many there are.


The password was 88_objects.

Cyborg 4

“The password for cyborg5 is the PowerShell module name with a version number of 8.9.8.9 PLUS the name of the file on the desktop.”

I first figured out the name of the file.


I then used the cmdlet ‘Get-Module -ListAvailable’ to see all the modules. From there, I could have just looked through them all for the version number, but I wanted to challenge myself.


I used ‘Select-Object’ to pull out what I needed, which was the version number and name. And then I used ‘Select-String’ to find the exact version number.

The password was bacon_eggs

Cyborg 5

“The password for cyborg6 is the last name of the user who has logon hours set on their account PLUS the name of the file on the desktop.”

I used Get-ChildItem to get the name of the file


I needed the last name of a user who has logon hours set. I just took a wild guess and used ‘Get-ADUser -Filter {logonHours -like ‘*’}, and that returned two users. I did not think it would be the administrator, so I guessed the second user.


And I was correct. The password was rowray_timer.

Cyborg 6

“The password for cyborg7 is the decoded text of the string within the file on the desktop.”

https://www.sans.org/blog/month-of-powershell-profile-hack-base64-encoding-decoding/

This one required some research on how to encode/decode base64 in PowerShell, and I included the resource I used in the link above. It also explains much better than I could how it works.

The first thing I did was open the file. The encoding was base64. I used the link above to figure out how to decode it.


The password was cybergeddon.

Cyborg 7

“The password for cyborg8 is the executable name of a program that will start automatically when cyborg7 logs in.”

https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-startupcommand

This one I used the above link to figure out how to get the information I needed. Basically, I was looking for the Win32_StartUpCommand, which is the class of commands that run whenever a user logs in. To access that command, I needed to use the ‘Get-WMIObject’ cmdlet.


The password was skynet.

Cyborg 8

“The password for cyborg9 is the Internet zone that the picture on the desktop was downloaded from.”

https://devblogs.microsoft.com/scripting/powertip-use-powershell-3-0-to-identify-zone-information-of-files/

For this one, I used the above link to figure out how to get to the internet zone, because coming into this I really had no idea how to find that.

Essentially for this one, it took two cmdlets.


The first one was the above cmdlet, which is using the ‘Get-Item’ cmdlet, and specifying the Stream parameter as ‘zone*’. I used the wildcard because I did not know the name yet.


After I found the name, I used the ‘Get-Content’ cmdlet to get more info.

The password was 4.

Cyborg 9

“The password for cyborg10 is the first name of the user with the phone number of 876–5309 listed in Active Directory PLUS the name of the file on the desktop.”

I used Get-ChildItem to find the name of the file.


This one took a lot of playing around with the phone number parameter. I first put in ‘phoneNumber’, for instance. I eventually figured out that I had to use the filter ‘telephoneNumber’.


The password was onita99.

Cyborg 10

“The password for cyborg11 is the description of the Applocker Executable deny policy for ill_be_back.exe PLUS the name of the file on the desktop.”

https://learn.microsoft.com/en-us/powershell/module/applocker/get-applockerpolicy?view=windowsserver2022-ps

I used Get-ChildItem to find the name of the file.


There is a helpful cmdlet that gets the Applocker policy. It is called Get-ApplockerPolicy. I used the above link to figure out how to use it in this context.


This essentially just puts it into an XML format. XML is a format for storing data.

The password was terminated!99.

Cyborg 11

“The password for cyborg12 is located in the IIS log. The password is not Mozilla or Opera.”

Through the power of Google, I have found that the IIS logs are located in c:\inetpub\logs\LogFiles. When I went there, there was one directory. I went into that directory, and found one file. I used the cmdlet ‘Get-Content’, then used the ‘Select-String’ cmdlet to exclude anything that didn’t match Opera or Mozilla.


The password was spaceballs.

Cyborg 12

“The password for cyborg13 is the first four characters of the base64 encoded full path to the file that started the i_heart_robots service PLUS the name of the file on the desktop.”

https://adsecurity.org/?p=478

I used the above link to figure out how to encode in base64 in PowerShell.

I first used Get-ChildItem to find the name of the file.


I then used the below cmdlet to figure out the path name.


I followed along with the above link to figure out what to do next.


The password was ywa6_heart.

Cyborg 13

“The password cyborg14 is the number of days the refresh interval is set to for DNS aging for the underthewire.tech zone PLUS the name of the file on the desktop.”

I used Get-ChildItem for the file on the desktop.


Then, using get-help, I found a useful cmdlet, ‘Get-DnsServerZoneAging’, which was exactly what I needed.


The password was 22_days

Cyborg 14

“The password for cyborg15 is the caption for the DCOM application setting for application ID {59B8AFA0–229E-46D9-B980-DDA2C817EC7E} PLUS the name of the file on the desktop.”

I used Get-ChildItem to find the file on the desktop.


The next step took a lot of googling as well, but I found that using the below cmdlet to get the DCOM application setting. The hardest part was figuring out how the filter for the application ID would work. To figure that out, I just ran the below cmdlet without the filter to see what field the application ID would be named.


The password was propshts_objects.
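Review bot: most levels refer to a screenshot or command that is not in the file, e.g. "I then used the below cmdlet to figure out the path name." is followed by nothing, and "The first one was the above cmdlet, which is using the ‘Get-Item’ cmdlet" has no cmdlet above it, so the rendered post is not self-contained. Add the image references or, better, the actual commands in fenced code blocks tagged powershell for each level; that would also fix the curly-quote mismatch in `‘Get-ADUser -Filter {logonHours -like ‘*’}`, which has an unclosed opening quote and would not paste into a shell as written. The Cyborg 0 line about the credentials living on the Slack channel is fine as is, since it does not reproduce them.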

96 changes: 96 additions & 0 deletions _posts/2023-05-16-networking_basics.markdown
@@ -0,0 +1,96 @@
---
layout: post
title: "Under the Wire Cyborg Walkthrough"
date: 2023-05-16 17:53:33 -0500
categories: [post, networking]
tags: [post, networking]
---

Networking Basics: Network Types
Networking is how computers communicate with each other, how they share and use resources, how they connect to the internet. It’s an important concept for anybody working in IT to understand because it’s critical for business or personal use.

In these series of articles, I’m going to try to explain different networking concepts.I’d like to share what I’ve learned so far, in an effort to encourage understanding and dialogue.


Photo by Jordan Harrison on Unsplash
For this post, I will first describe the types of networks, and then I will conduct an experiment to demonstrate how a LAN works.

What is a network?

To define a network simply, in computer terms, it’s a collection of devices that can communicate with each other and share resources.


Photo by Marvin Meyer on Unsplash
Local Area Network

A local area network is a group of devices in the same geographic area, usually in the same building. LANs are designed for fast data transfer, and they’re cheaper to maintain. As an example, an office building with many different devices that are all connected to each other.

As another example, when I was a kid we had things called LAN parties. My friends and I would bring our computers to the same physical location to play games together.

There are wired LANs and wireless LANs. Wired LANs use switches and ethernet cables to connect to each other, while wireless LANs use wireless technology. Wi-Fi is an example of wireless LAN technology.

Wide Area Network

A WAN spans over a large geographic area. It can span across countries, and can cover the globe. The Internet is an example of a WAN.

Personal Area Network

A PAN connects smartphones, tablets, laptops, and other devices together on a personal level. They are typically wireless, although they are wired as well. If you are using bluetooth, then you are using a PAN.


Photo by Brett Jordan on Unsplash
Metropolitan Area Network

This is a network that connects LANs that span across a city or a town. They typically use fiber optics for their connections.

Storage Area Network

A SAN is a network dedicated to data storage. It is partitioned off from the rest of the network so it isn’t affected by network traffic.

Campus Area Network

CANs connect multiple LANs in similar geographic areas, such as a university campus. These can also be called Corporate Area Networks, as they can be used in large corporate networks as well.


Photo by Parker Gibbons on Unsplash
To demonstrate how a LAN works and the kind of traffic that it generates, I set up a few virtual machines on my virtualbox to act as a LAN.

I first installed a few machines: a Linux Lite, a Windows, and a Ubuntu Desktop. I made sure that each one had the necessary protocols and ports open. I made sure SSH was running on each of the Linux machines, and I installed apache2 on my Linux Lite machine.

After all three were installed and ready to go, I played around with the networking settings. I tried a few settings, and for this particular experiment, I created a host-only network so that each machine could only communicate with each other.


The initial setup
When all three were up, I pinged each machine a few times to see if they could communicate with each other. And after that, I used SSH for each machine a few times and sent files over to each machine.

To take the experiment a little bit further, I wanted to set up a DNS server on the Linux Lite machine. I first powered off all the machines. Then I connected the Linux Lite machine to a bridged adapter, so it had internet connectivity to install software. I kept the host-only adapter as well, so that it was connected to my LAN.

Dnsmasq is intended to provide DNS support for LANs, which is perfect for this experiment. For those who do not know, DNS is the protocol that maps IP addresses to domain names. It is the reason why you don’t have to memorize IP addresses when you are browsing the web.

The first thing I did was stop the systemd-resolved service, which would conflict with dnsmasq. Systemd-resolved essentially provides DNS.

Then I ran ‘sudo apt update’ and ‘sudo apt install dnsmasq’ to install dnsmasq.


After that, I played around with the configuration file. The important part here was making sure it was listening for DNS requests on the interface for my LAN. Then I added the new addresses, naming the Windows machine ‘windows.testlan’ and naming the Ubuntu machine ‘ubuntu.testlan’.



After that was done, I went to the Windows machine to configure the DNS for that service, so it uses my new DNS server. I went to ‘Control Panel’, ‘Network and Internet’, then to ‘Network and Sharing Center’. I clicked on ‘Change Adapter Settings’, right clicked on the connection (ethernet in this case), clicked on properties, went to ‘Internet Protocol Version 4 (TCP/IP)’, and then added the IP address of my DNS server there.


How to do it on Windows
The Ubuntu machine was similar. I clicked on the connection icon in the right hand corner, clicked on ‘wired connection’ , then went to Settings, clicked on IPv4, and set the DNS server to be my own.


How to do it on Ubuntu
After everything was set up, I went to my Windows machine to ping the Ubuntu machine using the address, to make sure that it worked properly. I did the same thing from my Ubuntu machine.


And then I used SSH to get into each machine using their new addresses.


In a practical sense, configuring a DNS server on a LAN can make accessing the resources of each machine much easier. Even in this experiment, I had to have the IP addresses and the machines they belonged to written down. It was a lot easier after the DNS server was setup. If there was a LAN with a lot more than just three machines, like in an office setting, proper DNS configuration would be beneficial just for everyday use.

In the future, I want to take this LAN setup further by installing additional services to experiment with them, attempting a penetration test of all the machines, and even intentionally cause network problems to troubleshoot.
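Review bot: the front matter `title: "Under the Wire Cyborg Walkthrough"` in this post is copied from the previous file and does not match the content, whose heading is "Networking Basics: Network Types"; change the title, and consider dropping the redundant `post` entry from `categories`, since it duplicates the `tags` value. The post also has several bare caption lines ("Photo by Jordan Harrison on Unsplash", "The initial setup", "How to do it on Windows") with no image reference beside them, so the dnsmasq configuration and adapter-settings screenshots the text relies on will not render. One technical nit: "DNS is the protocol that maps IP addresses to domain names" describes a reverse lookup; the forward lookups this experiment performs map names to addresses, so the sentence should be reversed.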
