New Capstone – Practical Ethical Hacking by TCM

by Kal Bartal

Walkthrough – Blue

1, nmap scan

SMB is open on a Windows host; search the OS/version information nmap reports for known vulnerabilities

2, Search version information

EternalBlue SMB Remote Code Execution (MS17-010)

3, Metasploit (msfconsole)

search eternalblue
use the smb ms17_010 scanner module first to confirm the host is vulnerable, then use the exploit module (exploit/windows/smb/ms17_010_eternalblue)
set rhosts to the target IP address
set payload to a 64-bit reverse shell (windows/x64/meterpreter/reverse_tcp)
set lhost to the attacker IP address
run
Rooted! – hashdump (the session runs as SYSTEM, so hashdump pulls the local account hashes from the SAM)

4, Alternative, manual exploit

search github for a manual eternalblue exploit and clone the repository
run the checker script against the target to confirm it is vulnerable
run the shellcode generator script, setting lhost to the attacker IP address and a listener port
start a netcat listener on that port
run the exploit
The target blue-screened. Caveat: the MS17-010 kernel exploit is not reliable; a failed attempt can crash the host, so confirm with the checker first and weigh that risk before firing it at anything that matters.

Walkthrough – Academy

1, nmap scan

-open ports: 21 (ftp), 22 (ssh), 80 (http)

2, Go to webpage (port 80)

Apache2 default webpage
information disclosure on the 404 page (the Apache version banner is shown)

3, Go to FTP

anonymous login allowed
get note.txt
cat note.txt (sensitive info: usernames, password hashes, etc.)
run hash-identifier on the hash (32 hex characters, so MD5)

4, Crack the MD5 hash

Google the hash first (an unsalted MD5 of a common password is usually already in a public lookup table); otherwise crack it with hashcat in MD5 mode (-m 0) against rockyou.txt. It cracks to "student".
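The two steps above (identify the hash, then run a dictionary against it) in working form, as an added example that is not part of the original notes. The hash is computed from the word "student" inside the block and the five-word wordlist stands in for rockyou.txt, so both are constructed; the hashcat mode numbers are real.

```python
import hashlib
import re
from typing import Iterable, Optional

# Constructed sample: the MD5 digest of "student", computed here so the
# block is self-contained rather than copied from the box's note.txt.
SAMPLE_HASH = hashlib.md5(b"student").hexdigest()

# Constructed mini-wordlist standing in for rockyou.txt.
SAMPLE_WORDLIST = ["password", "123456", "admin", "student", "letmein"]

# Hex-digest lengths hash-identifier keys on, with the hashcat mode for each.
HEX_LENGTHS = {32: "MD5 (hashcat -m 0)",
               40: "SHA-1 (hashcat -m 100)",
               64: "SHA-256 (hashcat -m 1400)"}


def guess_hash_type(h: str) -> str:
    """hash-identifier style guess from prefix, charset and length.
    Length alone cannot tell MD5 from other 128-bit digests (NTLM, MD4),
    so treat the answer as a starting point for hashcat modes, not proof."""
    h = h.strip()
    if h.startswith("$2"):
        return "bcrypt (hashcat -m 3200)"
    if not re.fullmatch(r"[0-9a-fA-F]+", h):
        return "unknown"
    return HEX_LENGTHS.get(len(h), "unknown")


def crack_md5(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash every candidate and compare with the target.
    Unsalted MD5 is fast and has no per-user salt, so one pass over the
    wordlist recovers any dictionary password and precomputed tables work."""
    target = target.strip().lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


if __name__ == "__main__":
    print(guess_hash_type(SAMPLE_HASH), "->",
          crack_md5(SAMPLE_HASH, SAMPLE_WORDLIST))
```

The same attack at full scale is `hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt`. The defensive lesson is the one the crack demonstrates: a password store needs a slow, salted hash (bcrypt, scrypt, Argon2), which makes this loop cost milliseconds per guess instead of nanoseconds and kills lookup tables entirely.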

5, Directory busting

-dirb
-ffuf

Found directories: academy and phpmyadmin

6, Go to academy directory on server IP address

log in with the credentials found earlier.
file types are not checked on the student photo upload, so any file can be uploaded as the photo
upload the php reverse shell from pentestmonkey on github (change the IP and port to the attacker machine)
start a netcat listener before submitting the profile update
Popped a shell as the web server user, but the target is not rooted yet
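The upload flaw side by side with a hardened version, as an added example (not the Academy application's code and not from the original notes). The sample uploads and magic bytes are constructed; `vulnerable_accept` models the behaviour described above (nothing checked, client filename kept), `hardened_accept` allow-lists the extension, checks the image magic bytes and discards the client name.

```python
import os
import secrets
from typing import Optional

# Constructed sample uploads: client-supplied filename -> file content.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
SAMPLES = {
    "photo.png": PNG_MAGIC + b"\x00" * 16,
    "PHOTO.JPG": JPEG_MAGIC + b"\x00" * 16,
    "shell.php": PHP_SHELL,            # what the walkthrough uploads
    "shell.php.png": PHP_SHELL,        # allowed extension, wrong content
    "shell.phtml": PHP_SHELL,          # alternate PHP extension
}

# Allow-listed image extensions and the magic bytes each must start with.
ALLOWED = {".png": PNG_MAGIC, ".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC}


def vulnerable_accept(filename: str, content: bytes) -> str:
    """The behaviour the page describes: nothing about the file is checked and
    it is stored under the name the client sent, so shell.php lands in the
    web root and the web server executes it."""
    return os.path.basename(filename)


def hardened_accept(filename: str, content: bytes) -> Optional[str]:
    """Allow-list the extension, require the matching image magic bytes, and
    discard the client-supplied name. Returns the server-chosen stored name,
    or None when the upload is rejected."""
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        return None                       # extension not on the allow-list
    if not content.startswith(magic):
        return None                       # content is not the image it claims
    # Random server-chosen name: nothing the attacker typed reaches the
    # filesystem or the URL, and the extension is ours, not theirs.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15} vulnerable -> {vulnerable_accept(name, data):15} "
              f"hardened -> {hardened_accept(name, data)}")
```

Magic bytes are not a complete defence (a PNG/PHP polyglot satisfies them), so the controls that actually matter are the extension allow-list, the server-chosen name, and storing uploads outside the web root or in a directory where PHP execution is disabled. The random name also stops the attacker guessing the URL of what they uploaded.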

7, Privilege escalation with linPEAS

save linpeas.sh with the raw code from github
host a web server with python's http.server module (python3 -m http.server, run in the same directory as linpeas.sh)
wget linpeas.sh into the target machine's /tmp folder
make linpeas.sh executable (chmod +x)
run linpeas.sh
cat config.php (database credentials found)
ssh with those credentials
check the command history with the history command
cat backup.sh from the user's home folder (it is writable by this user but runs as root)
validate that it runs on a timer with pspy from github (pspy shows processes as they start without needing root)
get the bash reverse shell one-liner from pentestmonkey (change IP and port)
set up a netcat listener
clear backup.sh and replace its contents with the bash reverse shell one-liner
The machine is rooted once the backup script runs on the timer.

Walkthrough – Dev

1, nmap scan

-open ports: 22 (ssh), 80 (http), 111 (rpcbind), 2049 (nfs), 8080 (http)

2, Go to the webpage (port 80 & 8080)

-port 80 is a Bolt installation error page (Bolt CMS)
-port 8080 is a PHP info page (phpinfo), which leaks the PHP version, loaded modules and filesystem paths

3, Directory busting

-ffuf both port 80 and 8080

4, Enumerate NFS

showmount -e 192.168.138.137
mkdir /mnt/dev
mount -t nfs 192.168.138.137:/serv/nfs /mnt/dev
cd /mnt/dev
ls

contains save.zip

unzip save.zip
the archive is password protected.

apt install fcrackzip

fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt save.zip

password found: java101

unzip save.zip

ls
cat todo.txt

signed as JP

the archive also contains an SSH private key (id_rsa); try it against a user called jp:
ssh -i id_rsa jp@192.168.138.137

no access (there is no user jp that accepts this key)

5, Enumerate ffuf results

-go to 192.168.138.137:8080/dev/, 192.168.138.137/app/, etc.

credentials found in config.yml (pass = I_love_java)
Bolt / BoltWire page found

search for BoltWire exploit (google, searchsploit)

local file inclusion exploit found (local file inclusion lets the attacker make the application read a local file of their choosing, such as /etc/passwd, by passing a path in a parameter that is included without sanitisation)

Exploit only works for authenticated (registered) users, so register an account first.

paste the string below at the end of the BoltWire directory url

index.php?p=action.search&action=../../../../../../../etc/passwd

JP is exposed as the user jeanpaul.
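The include flaw the payload above abuses, beside the check that stops it, as an added example (not BoltWire's code and not from the original notes). The directory tree is constructed in a temp folder, so the traversal needs two `../` rather than the page's seven; the extra ones on the real box only work because `/` has no parent. `users_with_shell` then does what the notes do by eye: pick the real login accounts out of the leaked passwd content.

```python
import os
import re
import tempfile
from typing import List, Optional

# Constructed stand-in for the BoltWire tree: ROOT/bolt/actions holds the
# include target; ROOT/passwd plays the part of /etc/passwd two levels up.
ROOT = tempfile.mkdtemp()
ACTION_DIR = os.path.join(ROOT, "bolt", "actions")
os.makedirs(ACTION_DIR)
with open(os.path.join(ACTION_DIR, "search.php"), "w") as f:
    f.write("<?php /* legitimate search action */ ?>")
with open(os.path.join(ROOT, "passwd"), "w") as f:
    f.write("root:x:0:0:root:/root:/bin/bash\n"
            "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
            "jeanpaul:x:1000:1000:JP:/home/jeanpaul:/bin/bash\n")

# Equivalent of the page's payload for this tree (two levels up instead of
# seven; surplus ../ only work on the real box because / has no parent).
PAYLOAD = "../../passwd"


def vulnerable_include(action: str) -> str:
    """The LFI shape: the user-controlled name is glued onto the include
    directory and opened as-is, so ../ walks out of it."""
    with open(os.path.join(ACTION_DIR, action)) as f:
        return f.read()


def hardened_include(action: str) -> Optional[str]:
    """Reject anything but a plain filename, then resolve the final path and
    require it to still sit inside ACTION_DIR (symlinks included)."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", action) or ".." in action:
        return None
    base = os.path.realpath(ACTION_DIR)
    target = os.path.realpath(os.path.join(base, action))
    if os.path.commonpath([base, target]) != base or not os.path.isfile(target):
        return None
    with open(target) as f:
        return f.read()


def users_with_shell(passwd_text: str) -> List[str]:
    """Login names whose shell is interactive: how /etc/passwd turns the
    todo.txt signature "JP" into the username jeanpaul."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith(("nologin", "false")):
            users.append(fields[0])
    return users


if __name__ == "__main__":
    print("vulnerable:", users_with_shell(vulnerable_include(PAYLOAD)))
    print("hardened:", hardened_include(PAYLOAD))
```

The charset allow-list is the primary control; the `realpath` plus `commonpath` check is the belt-and-braces layer that also catches symlinks planted inside the include directory. In PHP the equivalent is a fixed map from action names to files, never a path built from the parameter.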

SSH with user = jeanpaul & pass = I_love_java (the config.yml password is reused for the shell account)

logged into SSH as a low-privileged user (jeanpaul)

run sudo -l to see what this user can run as root. GTFOBins lists various escalations; use the zip escalation as listed.

cd /root
ls
cat flag.txt

Walkthrough – Butler

1, nmap scan

-open ports: 7680 (pando-pub), 8080 (http)

2, Go to the webpage (port 8080)

-login page for Jenkins

3, Search for Jenkins Exploits

-Looks like authenticated remote code execution (through the script console) is the way to go, so credentials are needed first.

4, Try Jenkins default credentials

-it does not work

5, Try connecting to port 7680 via telnet or netcat

-it does not work

6, Try brute-forcing the Jenkins login with Burp Suite

-credentials found: jenkins / jenkins

7, Search for jenkins script console exploit

-a Groovy reverse shell seems to be the way to go (the script console executes arbitrary Groovy on the Jenkins host)
-search for a groovy reverse shell and paste the code into the script console (set the attacker IP and port)
-start a netcat listener
-run the code in the script console

Shell popped as butler, not SYSTEM.
-check the system info (systeminfo) for OS version and architecture before picking a privilege escalation tool.

8, Clone winpeas for windows privilege escalation

-host a web server on port 80
-use certutil.exe to transfer winPEAS to a writable folder on the target machine
-run winPEAS
-it flags the Wise Boot Assistant service: the service binary path is unquoted and the Wise folder is writable, so Windows will try a Wise.exe in that folder before it reaches the real binary
-use msfvenom to build a reverse shell executable, drop it as wise.exe into the Wise folder, and start a listener
-stop the Wise Boot Assistant service
-start the Wise Boot Assistant service again (it starts as SYSTEM and runs our wise.exe)
-we get a shell back as SYSTEM

The machine is rooted.

Walkthrough – Blackpearl

1, nmap scan

-open ports: 22 (ssh), 53 (dns), 80 (http)

2, Visit the webpage on port 80

-email address found in page source code

3, Try directory busting with ffuf

-‘secret’ file found; it is just a note saying that directory busting won’t work here.

4, Run dnsrecon

-dnsrecon against the target reveals the hostname blackpearl.tcm; add an /etc/hosts entry on our machine mapping blackpearl.tcm to the target IP (the web server serves a different site for that hostname)
-visit blackpearl.tcm

5, Ffuf blackpearl.tcm

-‘navigate’ found

6, Go to the navigate directory

-page reveals Navigate CMS v2.8
-an unauthenticated remote code execution exploit is available for Navigate CMS (in msfconsole as well)
-shell popped as www-data
-spawn a tty shell (e.g. python -c 'import pty; pty.spawn("/bin/bash")')
-sudo is not available
-check for potential privilege escalation with linpeas
-the SUID bit is set on the php binary
-search GTFOBins for SUID escalations
-use the php SUID escalation as listed

Escalated to root, cd /root, cat flag.txt.
