Cyber Security: An Offensive Mindset [Week 4 - Sprint]
Monday
Summary [Mon 10th Feb]
- Stand Up in front of class
- Taking down notes on Jason's (facilitator's) demonstration (hacking a box).
- Completed Basic Pentesting 1 on Vulnhub by gaining access to the root user.
Stand Up
- Strengths
  - Well-structured sprint, with time stamping to keep me focused and using my time in a useful way.
  - Got through a variety of different resources this week, from Natas level 9 to OWASP Juice Shop.
- Weaknesses
  - Need to focus more on one resource for the week, not jumping between PentesterLab, Natas and other learning resources; it is too much of an overload.
- Goals and Expectations
  - Focus on time stamping again, but on one learning resource instead of a handful.
  - Develop my write-up skills on my chosen box to target for this week's deliverable.
Demonstration Notes
- Vulnhub will give you a `.ovf` file which can be extracted into your virtual machines folder and will produce a `.vmdk`.
- Customise the VM that you've created, giving it however many resources it will require.
- Once the VM is running you'll be given a black-box terminal.
- Use the tool Netdiscover, or ping the box that we're trying to perform reconnaissance on:
  `sudo netdiscover`
  This will scan all the subnets on your interface looking for what is running and what IP addresses are being used.
- Next we will run an nmap scan on the IP address that we've found:
  `sudo nmap -sV -sC -oN <filename>.log <ipaddress>`
  We have saved the output of this scan so we can reference it later and not have to conduct the scan multiple times.
  - `-sV` = attempt to determine the version of the services running.
  - `-sC` = scan with the default nmap scripts.
  - `-oN` = write the normal output into a file.
- If we look at the ports from the nmap scan we can see an exposed port 80; if we add that to the IP address in the browser window we'll be taken to the Apache web server's webpage.
- If we then check the source of the webpage we can see comments about changing the language on the webpage, to French for example.
- We can now attempt directory traversal on the webpage by changing the URL to add `?lang=` at the end of it.
- A directory traversal cheat sheet can be found at this link: https://highon.coffee/blog/lfi-cheat-sheet/
- Something to keep in mind is that every webpage has an index page.
- We'll use the gobuster tool as shown to find any directories:
  `gobuster dir -u http://192.168.186.134 -w <wordlist> -o <output file>`
- Now we can SSH to the box:
  `ssh mamadou@192.168.186.134 -p 3333`
- The username has been found on the webpage, as the page states it was created by `mamadou`.
- We are now in a Python shell; type the following to get a proper bash shell:
  `import pty; pty.spawn('/bin/bash')`
- `sudo -l` will give you a login prompt; if you log in it will tell you what you can run using sudo.
- If you google "linux priv esc" it will show you Linux privilege escalation cheat sheets; the thing we're now looking for is sticky bits:
  `find / -perm -1000 -type d 2>/dev/null`
- Next we'll look at world-writable files to see what files are accessible by our current shell.
- Next we will set up a listener using nc (netcat); the command we'll use is `sudo nc -lvp 5050`. This port is random but must be a port that isn't used by any other services.
- A cron job is used on Linux distros to run specific processes at a set time, or every 300 seconds for example.
- Use the find command to find files owned by the user devops:
  `find / -user devops`
- In the `.antivirus.py` file which we found we add our own Python script that specifies our Kali Linux IP address and the port 5050 that we assigned to our netcat listener.
- wget (or curl) is available on most Linux systems to get information from a webpage.
- Run our own web server to curl a file onto the targeted box using the command `sudo python -m SimpleHTTPServer 8080` (this is the old Python version).
- Now we use `sudo nc -lvp 5051`.
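Added example, not from the original post or from Jason's demonstration: the same three conditions the notes above go looking for (sticky-bit directories, world-writable files, and a script under a directory that cron executes from which any user can edit), written up as a small audit a defender would run on a host. It builds its own throwaway directory tree under a temp directory, so every path and file name in it is a constructed placeholder; only the mode bits are real.

```python
import os
import stat
import tempfile

# Added example (not the lab's code). Mode-bit checks for the conditions the
# notes above describe, plus a constructed directory tree to run them on.

def is_world_writable(path):
    """True if the 'other' write bit is set (the o+w column in 'ls -l')."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)

def has_sticky_bit(path):
    """True if the sticky bit (octal 1000, what 'find -perm -1000' matches) is set."""
    return bool(os.lstat(path).st_mode & stat.S_ISVTX)

def audit_tree(root, cron_dirs=()):
    """Walk root and return (kind, path) findings.

    kind is one of:
      'sticky-dir'           directory with the sticky bit set
      'world-writable'       regular file writable by everyone
      'cron-script-exposed'  a world-writable file inside a directory cron runs from;
                             cron executes it as the owner (often root), so whoever can
                             edit it controls what runs
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if has_sticky_bit(dirpath):
            findings.append(("sticky-dir", dirpath))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue            # lstat on a link reports the link's own bits
            if is_world_writable(path):
                in_cron = any(os.path.commonpath([path, c]) == c for c in cron_dirs)
                findings.append(("cron-script-exposed" if in_cron else "world-writable", path))
    return findings

def build_demo_tree():
    """Constructed stand-in for a host: a cron directory holding one properly
    protected script and one anyone can edit, plus a sticky /tmp-style directory.
    Returns (root, cron_dir). Nothing here comes from the lab box."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    cron = os.path.join(root, "etc", "cron-scripts")      # placeholder name
    shared = os.path.join(root, "shared")
    os.makedirs(cron)
    os.makedirs(shared)
    os.chmod(shared, 0o1777)                             # sticky + world-writable, like /tmp
    safe = os.path.join(cron, "backup.sh")
    exposed = os.path.join(cron, "antivirus.py")         # name echoes the note; body is a stub
    for p in (safe, exposed):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(safe, 0o755)
    os.chmod(exposed, 0o777)
    return root, cron

def demo():
    """Build the tree, audit it, return (set of finding kinds, full findings list)."""
    root, cron = build_demo_tree()
    findings = audit_tree(root, cron_dirs=(cron,))
    return {kind for kind, _ in findings}, findings

if __name__ == "__main__":
    for kind, path in demo()[1]:
        print(f"{kind:22} {path}")
```

The `cron-script-exposed` finding is the one that matters: a sticky directory is normal (that is what `/tmp` looks like), and a world-writable file on its own is a smell, but a world-writable file that a root cron job executes is the exact condition the demonstration abused. Fixing it is `chmod o-w` on the file and its parent directories.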
Basic Pentesting: Vulnhub
- First off we need to spin up both the targeted system VM and the Kali Linux VM, running `ifconfig` on our Kali VM to find the network that we need to target.
- To then scan the network to find any services that are currently running we need to run the command `sudo netdiscover -r 192.168.240.130`.
- NOTE: I found that after reattempting the above netdiscover command I wasn't able to find the IP addresses running, so instead I ran `sudo netdiscover -r 192.168.0.0/16` and it discovered the IP addresses.
- By observing the content of the netdiscover scan we can assume that `192.168.240.1` is the network address and `192.168.240.254` will be the broadcast address.
- Now we should use the IP address `192.168.240.134` to conduct an nmap scan on the target to see if any ports are open and if they are susceptible.
- The nmap scan I used was `sudo nmap -sV -sC -oN <output file> <target IP address>`, as shown below:
- Now from the above information we are able to do some research about possible vulnerable services running; for example, if we google `ProFTPD 1.3.3c` we may find some results.
- If we click on the first link shown in the search we find a backdoor present in the version of ProFTPD that the FTP service is running on this box.
- If we also use the online resource [exploit-db.com](http://exploit-db.com), there is a database full of possible exploits. Here we can also find a possible exploit that can be of use to us.
- Next we will be using Metasploit in console version on our Kali VM; in order to do this we run the `msfconsole` command.
- Now that Metasploit is running, we need to search the Metasploit database through the command line by typing `search proftpd`.
- We will need to use the 4th option for the Metasploit exploit; to use that specific one we need the `use` command as shown below:
- To then see the possible input options that the exploit requires we need to use the `options` command as shown:
- From here we can see that we can set the `RHOSTS` variable for the exploit so we can add a specific target we want to focus on, as shown:
- Now that the target information is in the exploit we simply need to type the command `exploit` and see if we were successful.
- As you can see from the last screenshot a reverse shell has been created, and if we type `id` we can see that we are in fact now logged in as root.
Reflection for Monday
Today was another day of steep learning curves; using Vulnhub was quite daunting, and I did find myself absolutely clueless initially. But after I found exploit-db and understood how Metasploit actually worked I was on my merry way. From this point onwards I was really successful and managed to gain root on the machine very quickly once I found the correct exploit on Metasploit. This experience was confronting but it threw me in the deep end and it felt like I ripped the bandaid off really quickly. But it was so fulfilling to go through the process and understand how to exploit a machine, then reach the eureka moment of pwning the box and gaining root.
Wednesday
Summary [Wed 12th Feb]
Aim to complete TryHackMe: Vulnversity
- Task 2 by 2pm today [11:00am - 1:30pm].
- Task 3 by 3:30pm today [2:00pm - 4:30pm]
TryHackMe: Vulnversity
Task 2 [Reconnaissance]
- First, when starting this exercise the creators were kind enough to provide useful insight about `nmap` scans. I found this really helpful and it gave me some extra knowledge that I didn't grasp from the man pages.
- The first scan which I conducted was `nmap -sV 10.10.168.82`, to see what versions of services are running as well as the ports they're running on.
- From evaluating the information we received I have come to the conclusion that there are 6 ports open, which after checking was the correct answer.
- The next question was focused on the version of the Squid HTTP proxy service that was running. If we look at the scan we can see the version was 3.5.12, which is correct.
- Continuing on with the exercises, the nmap parameter `-p-400` was brought into question, asking how many ports it would show. After reading the cheat sheet: it would scan 400 ports, which was correct.
- Next we're exploring the nmap parameter `-n`, which when doing research will tell nmap not to conduct reverse DNS lookup, as it usually slows down the scanning process.
- I then did a comparison with an nmap scan `nmap -sV -n 10.10.168.82`; as shown below the results are different.
- The answer to the above question is that DNS won't be resolved, as explained, because reverse DNS lookup isn't used, hence it isn't resolved.
- NOTE: when researching I came across a fast scan by using the command `nmap -F <IP>`.
- REMEMBER: `-oN <output file> <IP>` is used to output scan results into a file so you don't need to keep doing the same scan.
- As seen above the aim is to use nmap to find the OS that is running on the box; after looking at the cheat sheet provided, the command to do this is `nmap -sV -A <IP>`.
- However, the above scan took way too long; instead, after doing more research I used `nmap -sV -O -Pn <IP>`, which was faster and also showed the same details.
- After conducting the scan I did some further research into the man pages of nmap and found that `-A` is actually an aggressive scan and to find OS versions I should use the flag `-O` instead.
- Next we need to discover what port number the web server is running on; to do this we will need to use `nmap -sV <IP>`, as it will show the ports and the service running on them. I also tried to use `nmap -Pn <IP>` but the only information about port 3333 is `dec-notes`, which isn't very informative.
- Finally, the last TIP provided from this exercise: they recommend that you should scan all ports, even in a higher range than 1000, to find if there are any other non-standard ports in use. (Usually this scan, `nmap -p- <IP>`, takes a long time, so run it in the background.)
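Added example, not part of the original post: once a scan is saved with `-oN`, the Task 2 questions (how many ports are open, which version a service runs) can be answered from the log file instead of re-scanning. The Python below parses nmap's normal output format and also works out how many ports a `-p` specification covers, including the `-p-400` and `-p-` cases discussed above. The scan report embedded in it is constructed for this example: the Squid 3.5.12 line and port 3333 echo the notes, the other lines are filler and not the box's real results.

```python
import re

# Added example (not the post's or nmap's code): parse nmap -oN output and
# answer the recon questions from the saved log.

# Constructed sample report in nmap's normal (-oN) format. Only the Squid
# version and port 3333 mirror the notes above; the rest is filler.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated Wed Feb 12 11:02:10 2020 as: nmap -sV -oN vuln.log 10.10.168.82
Nmap scan report for 10.10.168.82
Host is up (0.028s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE     VERSION
21/tcp   open     ftp         vsftpd 3.0.3
22/tcp   open     ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open     netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open     http-proxy  Squid http proxy 3.5.12
3333/tcp open     http        Apache httpd 2.4.18 ((Ubuntu))
8080/tcp filtered http-proxy
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version banner>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

def parse_nmap_normal(text):
    """Return one dict per port line; the VERSION column (-sV) may be empty."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["version"] = rec["version"].strip()
            records.append(rec)
    return records

def open_ports(records):
    """Sorted port numbers whose state is exactly 'open' (filtered/closed excluded)."""
    return sorted(r["port"] for r in records if r["state"] == "open")

def service_version(records, needle):
    """VERSION banner of the first record whose service name or banner contains needle."""
    needle = needle.lower()
    for r in records:
        if needle in r["service"].lower() or needle in r["version"].lower():
            return r["version"]
    return None

def version_number(banner):
    """Pull the dotted version (e.g. '3.5.12') out of a banner, or None."""
    if not banner:
        return None
    m = re.search(r"\d+(?:\.\d+)+", banner)
    return m.group(0) if m else None

def port_spec_count(spec):
    """How many ports an nmap -p specification covers.

    nmap fills in a missing bound: '-400' means 1-400, '1000-' means 1000-65535,
    and a bare '-' means every port.  Comma-separated items add up.
    """
    total = 0
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, _, hi = part.partition("-")
            lo = int(lo) if lo else 1
            hi = int(hi) if hi else 65535
            total += hi - lo + 1
        else:
            total += 1
    return total

if __name__ == "__main__":
    recs = parse_nmap_normal(SAMPLE_SCAN)
    print("open ports:", open_ports(recs))
    print("squid:", version_number(service_version(recs, "squid")))
    print("-p-400 covers", port_spec_count("-400"), "ports")
```

Filtering on `state == "open"` is what makes the count match the exercise's answer; a `filtered` line still appears in the report but is not an open service.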
Task 3 [Locating directories with GoBuster]
- This task is focused on a fast directory discovery tool called GoBuster; this will allow us to locate a directory that I'll use to upload a shell to.
- Kali Linux doesn't come with gobuster installed, so we'll need to run the command `sudo apt-get install gobuster`.
- Eventually I got it working but I came across ERROR messages, so I attempted:
  - Changing to a smaller word list from the medium one which I was using (no change).
  - The only thing that mitigated the ERROR was setting `-t` (threads) to more than the default of 10 (still many errors as seen below).
- Constantly finding myself having to restart my VPN and redeploy the TryHackMe machine (SERVER VERY DELAYED).
- Found myself forgetting to check the new deployment IP address and struggling for 20 minutes only to find that I was attempting to connect to the wrong IP address.
- After a lot of trial and error I found that gobuster wasn't going to work, as it took way too long and the ERRORS kept occurring way too frequently. So the magnificent facilitator named Jason helped me to use wfuzz to overcome this task.
- Use the below command and wait to see if any `301` status results occur, which are "moved permanently":
  `wfuzz -w /usr/share/wordlists/wfuzz/general/common.txt http://10.10.25.93:3333/FUZZ`
- As you can see, `wfuzz` has uncovered the directory `internal`, and if you type `http://10.10.25.93:3333/internal/` into the web browser we see that it is valid and we can use this as the answer: `/internal/`.
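Added example, not part of the original post: the same wordlist scan seen from the web server's side. A gobuster or wfuzz run leaves one client producing a burst of 404s in the access log, with the occasional 301 or 200 marking the paths that actually exist (here `/internal`), which is exactly what a detection rule keys on. The Apache combined-format log lines below are constructed; the client addresses and paths are placeholders, not from the TryHackMe box.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not the post's code): flag directory brute-forcing from
# web server access logs.

# Constructed Apache combined-format lines. 10.0.0.9 is the scanning client,
# 10.0.0.5 is ordinary browsing; both addresses are placeholders.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Feb/2020:14:05:01 +1100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Feb/2020:14:05:02 +1100] "GET /admin HTTP/1.1" 404 273 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Feb/2020:14:05:02 +1100] "GET /backup HTTP/1.1" 404 273 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Feb/2020:14:05:02 +1100] "GET /cgi-bin HTTP/1.1" 404 273 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Feb/2020:14:05:03 +1100] "GET /images HTTP/1.1" 404 273 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Feb/2020:14:05:03 +1100] "GET /internal HTTP/1.1" 301 312 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Feb/2020:14:05:03 +1100] "GET /login HTTP/1.1" 404 273 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Feb/2020:14:05:04 +1100] "GET /test HTTP/1.1" 404 273 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Feb/2020:14:06:30 +1100] "GET /missing.png HTTP/1.1" 404 273 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_access_log(text):
    """Yield dicts with ip, timezone-aware ts, method, path and int status; skip malformed lines."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        }

def detect_scans(log_text, window_seconds=60, threshold=5):
    """Alert on any client that racks up >= threshold 404s inside a sliding window.

    Each alert carries the peak 404 count and the paths that answered 2xx/3xx
    to the same client, i.e. what the scan would have reported as found.
    """
    by_ip = defaultdict(list)
    for entry in parse_access_log(log_text):
        by_ip[entry["ip"]].append(entry)

    alerts = []
    window = timedelta(seconds=window_seconds)
    for ip, entries in by_ip.items():
        misses = sorted(e["ts"] for e in entries if e["status"] == 404)
        peak, start = 0, 0
        for i, t in enumerate(misses):          # two-pointer sliding window
            while t - misses[start] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            found = sorted({e["path"] for e in entries if 200 <= e["status"] < 400})
            alerts.append({"ip": ip, "peak_404s": peak, "found_paths": found})
    return alerts

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_ACCESS_LOG):
        print(f"{alert['ip']}: {alert['peak_404s']} x 404 in a window; found {alert['found_paths']}")
```

The threshold and window are tuning knobs: a single user clicking a dead link produces one 404 a minute, a wordlist produces hundreds a second, so even a conservative setting separates the two. Including the 2xx/3xx paths in the alert tells the responder what the scanner learned.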
Task 4 [Compromise The Webserver]
- The next challenge is utilising the form we just found at `/internal/` to upload files; we can leverage this upload to execute our payload, which will lead to compromising the web server.
- The first step is to upload different file types to see what is blocked. After many uploads I saw that the answer was simply in front of me the entire time: `.php`, as seen in the URL.
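Added example, not part of the original post: the server-side decision behind an upload form like the one above. The first function is the kind of single-extension denylist the task observed (only a literal `.php` name is refused, and the bytes are never looked at); the second is the allowlist-plus-content check a defender would ship instead, with a server-chosen file name so the client controls neither the path nor the extension. The file contents used are constructed.

```python
import os
import secrets

# Added example (not the box's code): a weak extension denylist beside an
# allowlist that also verifies the file's leading bytes.

# Extension -> magic bytes the file must begin with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def denylist_allows(filename):
    """Weak check, as the task observed: refuses only a '.php' suffix and never
    inspects the content, so anything not literally named *.php gets through."""
    return not filename.lower().endswith(".php")

def allowlist_check(filename, data):
    """Return (ok, reason, stored_name).

    ok is True only when the extension is on the allowlist AND the content starts
    with that type's magic bytes. stored_name is generated server-side (random
    token + vetted extension) so the uploader cannot pick the name on disk.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed", None
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension", None
    return True, "ok", secrets.token_hex(8) + ext

def compare(filename, data):
    """Side-by-side verdict of both checks for one upload."""
    return {"denylist": denylist_allows(filename), "allowlist": allowlist_check(filename, data)[0]}

if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed PNG header
    for name, body in (("cat.png", png), ("cat.png", b"not an image"), ("page.php", b"x")):
        print(name, compare(name, body))
```

The content check matters because an extension says nothing about what the bytes are; the generated name matters because it removes the uploader's choice of where and as what the file lands. Both are on top of, not instead of, serving the upload directory with script execution disabled.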
Reflection for Wednesday
Definitely quite disappointed with my use of time, as it took me 5 hours to complete just two tasks for the TryHackMe: Vulnversity box. I have to admit though it was really challenging, testing my nmap skills and forcing me to use gobuster for the first time (even though it was a fail in the end). I got to instead use wfuzz, a similar tool, which actually resulted in getting the correct answer to pass task 3, which I had spent 2 hours trying to complete. These tasks really taught me that research is a huge part of reconnaissance, and without thorough reconnaissance penetration testing isn't very successful. You need to find clues and keep delving deeper and uncovering as much as possible. Don't give up so easily, in the words of Jason.
Thursday
Summary [Thurs 13th Feb]
- Attempt to get a HackTheBox invitation code by 1pm today; if I'm not successful, move on to a Vulnhub or TryHackMe box. (MOVED ON)
- Pick my box (TryHackMe: Boiler CTF) and commence the first stage of reconnaissance for the box until 4pm.
- After 4pm I came back to the HackTheBox invitation code and, with the help of a few nudges from my facilitator Jason, I was able to complete the challenge by 6pm.
Stand Up
- Strengths
  - Staying persistent and asking more questions when I know I need a nudge in the right direction, which I usually wouldn't do; I'd struggle until the very end and suffer for it.
- Negatives
  - Struggling with the web application side of things, especially when working on trying to get the HackTheBox invite code (without any tips from Google).
  - Also burning myself out at university staying for long periods, because the NBN in my suburb has been down for 5 days straight.
- Goals and Expectations
  - By the middle of the day today (1pm), if I'm unable to get a HackTheBox invite code, I will move on to either Vulnhub or TryHackMe boxes and get a solid amount of work done on it today.
Demonstration
- Make a directory called `/TryHackMe/BasicPentesting` on your machine; we'll keep all nmap scan output files in here so we don't have to scan multiple times.
- First off we'll be running the command `sudo nmap -sC -sV -oN basicpentesting.log 10.10.150.146`, which will scan for open ports with the services running on them.
- From here we can see there are 6 ports open, one of which is `:80`, so what we'll do is go to our web browser and type `10.10.150.146:80`.
- If we inspect the webpage we can see comments stating "check dev notes if you are unsure where to start your work from"; after checking `/dev` there is no luck.
- So we will try to use the gobuster tool to brute-force any potential directories on the webpage we're on; do this by typing `gobuster dir -u http://10.10.50.54 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log`.
- From gobuster we uncover that the directory we're looking for is `/development`; if we head there we can see two files are available. If we view `dev.txt` we can see communication between two users and hints about `struts`, `Apache`, `SMB` and the Apache version (2.5.12).
- Next we are going to go to exploit-db and search for any potential vulnerabilities for these services being used on this box.
- If the above fails, head to Google and see if you can find any information about potential exploits.
- When we exhausted Google as a resource we moved to the terminal and typed `searchsploit apache struts 2.5.12` to see if there is any documentation on the Apache Struts version the box is using.
- We can use the enumeration tool found on Kali called `enum4linux <IP>`, and it will enumerate using bash scripting to give you information about the host.
- We then find `10.10.150.146/Anonymous`, which is a share drive.
- Then go to a Linux terminal and type `smbclient //10.10.150.146/Anonymous`, which will put us into a Windows-cmd-style prompt, so we need to type `dir` and it will show a file called `staff.txt`.