Better late than never, I guess.  I wanted to write this up a while back but I got distracted and by the time I returned to my notes, I felt like I'd lost the flow.  I had the screenshots but when I looked at it, I could remember that I wanted to discuss a few points but I couldn't remember exactly what.  Rather than just upload the images with some text, I decided to go back through it once more.  But then I had an issue with the server where it was living and I ended up rebuilding the image.  So it's been awhile.  Moving on...

    According to Wiki:  "GlassFish is an open-source application server project started by Sun Microsystems for the Java EE platform and now sponsored by Oracle Corporation. The supported version is called Oracle GlassFish Server."

    When I began poking around, the avenues of attack for GlassFish felt similar to Tomcat.  When I searched for the difference, I came up with:  "Tomcat is simply an HTTP server and a Java servlet container. Glassfish is a complete Java EE application server."  So not exactly the same but perhaps they were built with a similar style.


    Funny story -- I have a number of virtual machines setup for various types of exploitation such as the machine I used below for this RID Hijacking post.  When I'm done with the exploitation, I will revert them back to their previous state to keep things clean and in order to have a fresh slate for my next "project".

    After finishing up this post, I reverted the machine to a point further back than I thought and I was unable to login to the machine with the known password.  Quickly thinking, i was confident the box was vulnerable to MS17-010 but I was incorrect.  :\

    This particular machine is hosted on a Xenserver hypervisor which allows you to detach the disk and reattach it elsewhere -- which is what I did.  Upon accessing the drive from another virtual machine, I changed the utilman.exe executable with a meterpreter executable.  I then reattached it to the original host.  If you're not familiar with this hack:  


    This is not a comprehensive guide on installing Tinyproxy.  This is just a quick write-up on something I found that is very easy to setup for proxying.

    I had a need for a small, simple, proxy, and when I went hunting around, I found Tinyproxy.  This could be installed on a Raspberry Pi, and I may end up doing exactly that at some point but for now, I installed it on the Debian "Small CDs or USB sticks" installation which took less than 10 minutes to install.  I probably spent another two minutes looking at the configuration file.  After that, I was in business -- proxying traffic.


    SP: eric is one of the newer releases from Vulnhub and when I first started enumerating it, I spotted the .git directory.  Right off the bat, I figured that wasn't there by accident and I started Googling to find more information.  After a minute or so, I discovered a post titled:  "Don't publicly expose .git or how we downloaded your website's sourcecode" which lead me to a collection of tools written that facilitate data from sites where .git is exposed.

    While I was working through this box, I was reminded of a Defcon talk, "Hacking Git", which I believe is along the same lines.  A quick search found some tools related from that talk but I wasn't as successful at extracting data as I was with the tools above so as far as I can tell, this is the quickest path to get where you need.

    Anyway, I kick off with an Nmap scan:


    The description for this box states:  "HackinOS is a beginner level CTF style vulnerable machine."  If this is "beginner", I'd hate to see intermediate.  That being said, this was a fun box because it was much more complex when compared to other boxes you'll find on Vulnhub.  There's also a little bit of everything with the different avenues of exploration and exploitation.  It's sprinkled with a few rabbit holes as well and I'll admit, I followed a couple.  To top it off, this box also gives us the opportunity to write a little bit of code which I initially tried to do in Bash (I ended up using PHP) but I couldn't get it to work for whatever reason.  I don't want to dig too much into that now but I'll go over it later when we arrive at that point in the enumeration process.

    Kicking off with an Nmap scan:


    I was tasked with searching for data within Word and Excel files similar to something I'd written a while back but an expansion of that original request.  Instead of searching for a specific term within the filename, we are now searching inside of the files looking for a specific phrase.  When I was finished, I gained some additional knowledge -- some good and some not so good.  I started out with a myopic mindset but realized the gravity of the situation once I moved from my test environment to the live system.

    That's not to say that it doesn't work so let's walk through the test situation and then I can elaborate on the issues.

    We start off with our test folder which contains a dozen or so Excel files.  Within a couple of those Excel files, I've inserted a username and password.  In one of the folders, I've created a subfolder to ensure the -Recurse function was working.  


    © 2020 sevenlayers.com