ESXi cheetcheat

It’s not everyday you work on a Vmware Esxi platform, and I now felt the need to collect some of the quick fix that I keep forgetting. Most of the issues are with the new Esxi 6,5 on a “none-supported” platform.

esxi 6.5 angular js error on login with chrome (You can’t log in with chrome)

Fix: ssh/consol to host:

esxcli software vib install -v http://download3.vmware.com/software/vmw-tools/esxui/esxui-signed-latest.vib

 “Failed to power on the virtual machine, The attempted operation cannot be performed in the current state(Powered Off)” error
You can’t turn on a vm, even if it’s turned off. The VM is stuck in state you can’t recover from. I’ve now recreated the issue, and happens when you try to edit (remove ISO from cdrom) when the server is still running.


Unregistered the VM
Register a VM
Pick the vmx from the datastore

Extrem low performance with m2 ssd disk

The follow keep apperaing in the log, clearly stating that we are having a problem with the datastore.
ESXi 6.5 is using a new ahci driver, and in it’s current state sux big time.

[root@esxi:/vmfs/volumes/../] time sh -c “dd if=/dev/zero of=testfile bs=100k count=1k && sync”
1024+0 records in
1024+0 records out
real 0m 54.17s
user 0m 0.00s
sys 0m 0.00s

Fix: ssh/consol to host:

esxcli system module set –enabled=false –module=vmw_ahci

and then you have better performance

[root@esxi:/vmfs/volumes/../] time sh -c “dd if=/dev/zero of=testfile bs=100k count=1k && sync”
1024+0 records in
1024+0 records out
real 0m 0.44s
user 0m 0.00s
sys 0m 0.00s

From 50sec to under 1 sec, I would say that’s quick an performance boost! 🙂

Redmine Turnkey to Debian Stretch Stable

This has been way overdue, but when I start to use redmine it was such as hassle getting it up and running. So turning to a turnkey appliance was a easy fix, but as time goes by… and new version are released. Upgrading a turnkey wasn’t easy. But now it was time to try a redmine upgrade, and move to new server approach. I’ve tried it before, but failing hard. But this time around it was quite easy. Since I’m not doing any fancy stuff in redmine, no repositories, plugins etc. I only need to convert the database.

Here are my quick notes to convert from turnkey redmine (old version) to a fresh Debian stretch setup.

## Get info on current installation

root@redmineOLD ~# cat /var/www/redmine/config/database.yml|grep “username:\|password:\|database:”
database: redmine_development
username: redmine
password: xxxxxxxxxxxxxxx
database: redmine_test
username: redmine
password: xxxxxxxxxxxxxxx
database: redmine_production
username: redmine
password: xxxxxxxxxxxxxxx

## Dump the database

root@redmineOLD ~# mysqldump -u redmine -p redmine_production > redmine-dump.sql

Do a clean install of Debian debian-9.1.0-amd64-netinst.iso
With only ssh enabled as default.

Pro-Tip, install mysql (Mariadb) before trying to install redmine.

root@redmine:~# apt-get install mysql-server

Next up is install redmine.

root@redmine:~# apt-get install redmine-mysql

Do the default, but make sure you pick mysql as database

I’ve got an error when it tried to set up the redmine instance, but don’t care about that, we are rebuilding it anyway.

Now let’s setup apache and passenger

root@redmine:~# apt-get install apache2 libapache2-mod-passenger

Now you need to deactivate the default website, and enable redmine

root@redmine:~# cp /usr/share/doc/redmine/examples/apache2-passenger-host.conf /etc/apache2/sites-available/redmine.conf
root@redmine:~# a2ensite redmine.conf
Enabling site redmine.
To activate the new configuration, you need to run:
systemctl reload apache2
root@redmine:~# a2dissite 000-default.conf
Site 000-default disabled.
To activate the new configuration, you need to run:
systemctl reload apache2
root@redmine:~# systemctl reload apache2

Drop the current DB, and create a empty database.

root@redmine:~# mysqladmin drop redmine_default -u root -p
Enter password:
Dropping the database is potentially a very bad thing to do.
Any data stored in the database will be destroyed.

Do you really want to drop the ‘redmine_default’ database [y/N] y
Database “redmine_default” dropped

root@redmine:~# mysqladmin create redmine_default -u root -p
Enter password:

Get the password for the redmine db username

root@redmine:~# cat /etc/redmine/default/database.yml
adapter: mysql2
database: redmine_default
host: localhost
port: 3306
username: redmine/instance
password: xxxxxxxxxxxxxxxxxxxxx
encoding: utf8

Upload your redmine mysql db file and fill the new db with it. (Use the password found in the previous step)

root@redmine:~# mysql -u redmine/instance -p redmine_default < /root/redmine-dump.sql

No go to the redmine directory and rebuild/upgrade the db

root@redmine:~# cd /usr/share/redmine/
root@redmine:/usr/share/redmine# bundle exec rake db:migrate RAILS_ENV=production

All done 🙂

And if you care anything about security, please set a root password for your mysql server!
Run : mysql_secure_installation

pluck: 1 – Writeup

Getting ready for NetWars later this month it was time to sharpen my game. Let’s pick the first good Vulhub vm and have a go. Pluck: 1 – looked like a good start, no info what so ever.. lets see how it goes.

First let’s run a nmap and discover what service we have to deal with.

Okey, we’ve got a web server, and mysql? Let’s look at what webpage we have.

Looks like a bootstrap theme, and by clicking around I can see it’s using ?page=filename.php
This smells like LFI, quickly grab /etc/passwd to verify.

Look a the last line, that looks interesting…..
backup-user:x:1003:1003:Just to make backups easier,,,:/backup:/usr/local/scripts/backup.sh

Could there be a tftp server here as well? I know the filename I’m looking for, this should be a quick win.

By extracting the backup.tar file I’ve got a backup of the /home/ directory and /var/www/html

Quick side note, they are trolling the SQLi guys.. When ever you input the escape charc in admin.php You will get something that looks like a sql error message.

Back on track, let’s see what we have at the home directory. Paul is a user with a lot of keys. Check them all, and maybe we get lucky once more.

By using id_key4 I could log in as user paul without a password. I tested all other combination for know users (source /etc/passwd), but with no luck. The paul user was limited to pdmenu.

Here I got a little bit stuck. I looks like it was possible to do some escaping from “Edit file” meny, or even from the “www” (lynx), but no luck. There must be some basic protection within the pdmenu that prevents normal escape routines to work. Using the Directory listning and change directory I could move around and look at the file system but it was way to to slow, and you had to type/remember your path and files. After trying it out a bit, it was time to move on, let’s get a shell. I could use the edit file option and run Local-File-Inclusion to get me a www-user shell.

## Update ##
During some playing with another shell escape. My normal escape with :!/bin/bash would not work as an escape from the Edit file menu.
But by using the alias command :set shell=/bin/bash and invoking it with the :shell I could have skipped the php shell LFI workaround…


Dump pentest monkey php revereshell to /tmp and used LFI to get shell.

After running the most basic private escalation, and going back to the backup folder (It looks like the user bob had some sudo rights..) I start looking for kernel exploits. DirtyCow should work on this version, and they did have gcc on it. But missing some libs, and without a proper shell. Booting up a Ubuntu 16.10 64bit Server VM and build/test it there. And I’m glad I did it, cause dirtycow is unstable, and you have to be fast to input the magic line of “echo 0 > /proc/sys/vm/dirty_writeback_centisecs” otherwise the system will crash, and a reboot is necessary. Build/test and upload to target.

And that’s it.. I’ve got ROOT, and time to claim my flag.

This was a fun little evening session, but I do however think there is other ways getting in and around the system. But I’ll leave that for the next victime of pluck:1.




Wireshark – Passiv SSL Decrypt

There are two ways of doing SSL decrypt, one where you are in control of the end-client, and has the possible to capture the complete key exchange. This is the only way to decrypt cipher with DH in the name. The other is the passive way, and you might have a pcap of traffic and you have the private key.

This is quick tutorial on passive decrypt with private key.

If you want to try it yourself, you can start with the LAMP stack VM provided by Turnkey.
Lampstack @ turnkeylinux.com

You only need to change one part, disabling ciphers an pick one you know you can do passive decrypt on. If you have a working web server with SSL, disabling cipher with DH in the name should be enough.

File: /etc/apache2/mods-enabled/ssl.conf

## Disable all CipherSuite execpt the one we want.
+SSLcipherSuite AES128-SHA

Remove the line in red, and add the line in green, and restart apache.

Now you should get the private key used. This need to be added to Wireshark.
Under protocols you should select SSL.

A debug file is smart to add, this way you can go through and find out what is happening if it doesn’t succeed. But you just create an empty file, and put it into the (Pre)-Master-Secret log filename.

The private key needs to have a .pem ending and needs to look something like this. From the LAMP stack, this can be extracted from the /etc/ssl/private/cert.pem


Then you can add it to the RSA keys list. The IP address can use “any” or use the server IP of the server your trying to decrypt traffic from. Port in this scenario should be 443 (https) and the protocol is http.

When you close all windows, wireshark will try to decrypt the traffic.
Follow TCP stream is not smart, but use Follow http stream work really good.

Here you can clearly see we have http request / respons in clear http format.

One quick note, if you have problem. After the keys has been added to wireshark. Try reopen the pcap. Go back to the SSL option page and just press ok, this should trigger a decrypt process… I’ve seen a couple of time where wireshark is having problem and everything just fails even if you done everything correctly.

Wireshark – export cert

Recently I’ve been working a lot with Wireshark, and in one scenario I had to verify what certificate was used. Exporting the public certificate from a Wireshark it’s pretty easy if you know what to do.

First you need to capture the handshake. If you do see the Client/Server Hello messages but no Certification, you are probably seeing a resumed SSL session. You need to get the initial handshake.

If you do get the Certificate message, you can expand the Secure Sockets Layer to reach the cert.

The full certification chain will be display, but you are probably interested in the first. Right click on the line and choose “Export Packet Bytes..”

Save the file as a “cert.der” The data will be save in binary format.

By using the openssl suit you can now convert in to a bit more human readable format.

openssl x509 -inform der -in cert.der -out cert.pem
openssl x509 -in cert.pem -text -noout

Or the last to show a print out of the certificate.

Source Capture Cert: https://www.wireshark.org/lists/wireshark-users/201003/msg00080.html
Source Convert Cert: https://www.sslshopper.com/article-most-common-openssl-commands.html