CEH Skill Check - Part III

Challenge 1:

CEHORG suspects of a possible session hijacking attack on a machine in its network. The organisation has retained the network traffic data for the session at C:\Users\Admin\Documents in the EH Workstation – 2 as sniffsession.pcap. You have been assigned a task to perform an analysis and find out the protocol that has been used for sniffing on its network. (Format: AAA)

大致看一下封包，ARP的行為最奇怪，列出來看，有奇怪的來源ip、奇怪的請求

Challenge 2:

You have been assigned a task to perform a clickjacking test on www.goodshopping.com that the CEHORG members widely use. Find out whether the site is vulnerable to clickjacking. (Format: Aaa)

Challenge 3:

Perform an HTTP-recon on www.certifiedhacker.com and find out the version of Nginx used by the web server. (Format: N.NN.N)

用whatweb

Challenge 4:

An FTP site is hosted on a machine in the CEHORG network. Crack the FTP credentials, obtain the “flag.txt” file and determine the content in the file. (Format: Aaaaaaa*AAA)

一樣不懂欸寫甚麼字典檔放在Desktop可以拿去用結果辦不出來，找了很久才找到可以用的字典檔

Challenge 5:

Perform Banner grabbing on the web application movies.cehorg.com and find out the ETag of the respective target machine. (Format: "NaNNNNNaaaNaaNN*N")

用telnet去跟web 互動連上後執行GET / HTTP/1.0得到ETag

Challenge 6:

Identify the Content Management System used by www.cehorg.com. (Format: AaaaAaaaa)

用whatweb

Challenge 7:

Perform web application reconnaissance on movies.cehorg.com and find out the HTTP server used by the web application. (Format: Aaaaaaaaa-AAA/NN.N)

一樣用whatweb

Challenge 8:

Perform Web Crawling on the web application movies.cehorg.com and identify the number of live png files in images folder. (Format: N)

直接用curl 指令搭配grep 、wc 計算有多少.png

Challenge 9:

Identify the load balancing service used by eccouncil.org. (Format: aaaaaaaaaa)

一樣whatweb下去

Challenge 10:

Perform a bruteforce attack on www.cehorg.com and find the password of user adam. (Format: aaaaaaNNNN)

已知該網站是WordPress，用wpscan --url http://cehorg.com/ -U adam -P /home/attacker/Desktop/Wordlist/password.txt

Challenge 11:

Perform parameter tampering on movies.cehorg.com and find out the user for id 1003. (Format: Aaaaa)

用sqlmap 直接dump 出來

Challenge 12:

Perform a SQL Injection attack on movies.cehorg.com and find out the number of users available in the database. Use Jason/welcome as login credentials. (Format: N)

跟上一題一樣，數了一下欄位有9個

Challenge 13:

Perform XSS vulnerability test on www.cehorg.com and identify whether the application is vulnerable to attack or not. (Yes/No). (Format: Aa)

大致去看了一下沒看到問題
ans: No

Challenge 14:

Perform command injection attack on 10.10.10.25 and find out how many user accounts are registered with the machine. Note: Exclude admin/Guest user (Format: N)

這題其實要跟下題借一下DVWA的帳密，登入後再command injection 那裏用|net user在計算扣除Administrator 、krbtgt有8個user

Challenge 15:

A file named Hash.txt has been uploaded through DVWA (http://10.10.10.25:8080/DVWA). The file is located in the directory mentioned below. Access the file and crack the MD5 hash to reveal the original message; enter the content after cracking the hash. You can log into the DVWA using the following credentials. Note: Username- admin; Password- password Path: C:\wamp64\www\DVWA\hackable\uploads\Hash.txt Hint: Use “type” command to view the file. Use the following link to decrypt the hash- https://hashes.com/en/decrypt/hash (Format: Aa*aaNa)

去到這裡DVWA上傳路徑C:\\wamp64\www\DVWA\hackable\uploads\這裡就有Hash.txt用type Hash.txt可拿到hash再拿去crackstation

Challenge 16:

You have identified a vulnerable web application on a Linux server at port 8080. Exploit the web application vulnerability, gain access to the server and enter the content of RootFlag.txt as the answer. (Format: Aa*aaNNNN)

個人覺得這是裡面最經典有趣的lab，首先先找有開8080 port 的IP machine，選定其中一個後用openvas 掃找到有log4j的漏洞，其中這題不能無腦的直接執行python3 poc.py .......，需要解壓縮java加上改程式才能執行成功