CTF Write Up: Stapler

CTF Write Up: Stapler

Result Scan

พบว่า 10.8.0.22 เปิด smb ไว้จึงทำการ scan ด้วย enum4linux

ทำการ brute force เพื่อหา username password สำหรับ ssh

Login u:SHayslett p: SHaysett

ทำการตรวจสอบ ว่า user ที่เราเข้ามาได้นั้นมีสิทธิ์ super user หรือไม่

หลังจากตรวจสอบว่าไม่พบจึงทำการค้นหา history file ต่างๆ

ทำให้ค้นพบ user and password: Peter

พบว่า user peter มีสิทธิ์ในเป็น super user

ทำการค้นหา flag file

Recommendation: วิธีการป้องกันหรือแก้ไขระบบ

1. Update Linux and Application to New Version
2. Change configuration File vsftpd.conf
     - Close anonymous user authentication.
     - Fix location path login ftp session user.
3. Clear History file (about: Authentication User)
4. Hide Application Version and Kernel Version.
5. Check permission users and don’t give high permission to users.
6. Close unnecessary service.

CTF Write Up: SkyTower

CTF Write Up: SkyTower

Enumeration Target
  Check Port & Service [Target]
- nmap -p- -A -Pn -v IPaddress

 

Check Web URL Path [Target]
- nikto -h IPaddress

  SQL Injection
- '^' / Check Response

Reverse process backdoor [Backdoor.ExcaliburSrvW]

Reverse process backdoor [Backdoor.ExcaliburSrvW]

Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExcaliburSvcW.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExcaliburSvcW

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winlogonw.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winlogonw

Services

Winlogonw.exe
Winlogonw

ExcaliburSvcW.exe
ExcaliburSvcW

Winlogonw.exe
Winlogonw

ExcaliburSvcW.exe
ExcaliburSvcW

Folder
C:\Program Files\Windows Exlogon
C:\Program Files (x86)\Windows Exlogon

Scripts Remove 

reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExcaliburSvcW.exe /f
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExcaliburSvcW /f

reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winlogonw.exe /f
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winlogonw /f

sc stop Winlogonw.exe
sc stop Winlogonw

sc stop ExcaliburSvcW.exe
sc stop ExcaliburSvcW

sc delete Winlogonw.exe
sc delete Winlogonw

sc delete ExcaliburSvcW.exe
sc delete ExcaliburSvcW


rmdir "C:\Program Files\Windows Exlogon" /S /Q
rmdir "C:\Program Files (x86)\Windows Exlogon" /S /Q

Reverse process backdoor [Backdoor.Win32.Androm]

Reverse process backdoor [Backdoor.Win32.Androm]

AD Replication Failed

1

How to Recover a Journal Wrap Error (JRNL_WRAP_ERROR) and a Corrupted FRS SYSVOL from a Good DC – What option do I use, D4 or D2? What’s the Difference between D4 and D2?

        AD Replication Failed

  1.      (Good DC) net stop ntfrs

22.      (Bad DC) net stop ntfrs

33.      (Good DC) Run à  Regedit à HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
double-click “BurFlags.” à Add à D4

44.      (Bad DC) Run à Regedit àHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
double-click “BurFlags.” à Add à D2

55.      (Good DC) net start ntfrs

66.       (Bad DC) net start ntfrs

77.       (Bad DC) à Check Event Log

EventID 13565 which shows the process started
EventID 13516, which shows it’s complete

   

     https://blogs.msmvps.com/acefekay/tag/event-id-13508/

Sysprep Join Domain Same Computer name Failed

Sysprep Join Domain Same Computer name Failed

Event: System --> Event ID 4097 Net Join --> error code 1396

ปรกติ เวลา Join Domain จะใช้

- Contoso\Username

- username@Contoso.local

ซึ่งพบว่าจะไม่สามารถ Join Domain ได้

- Workaround เบื้องต้นให้ใช้เป็น

ad01.contosol.local\username

Error Unable to Connect to MKS: Failed to Connect to Server

Error Unable to Connect to MKS: Failed to Connect to Server

-     vi /etc/vmwere/config

-     vmauthd.server.alwaysProxy = "TRUE" #Add

-     กด ESC :wq #Save file

-     service xinetd restart

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=749640