nmap

All posts tagged nmap

Walkthrough of a Linux machine exploitation attacking SQL database, cracking some credentials and gaining root privileges with Metasploit payload.

Deploying the vulnerable machine

What is the name of the large cartoon avatar holding a sniper on the forum?

Obtain access via SQLi

The Nmap scan shows two services, SSH and HTTP, but not much additional information.

There is an SQL database underneath that can be abused via the login page. Our input is placed into the query SELECT * FROM users WHERE username = :username AND password = :password in the backend. If we put ' or 1=1 -- - into the user field, the session is authenticated because 1=1 is always true and the query returns all of the rows.

This allows us to bypass the login page.
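To show why the bypass above works and how parameterisation closes it, here is an added example (not code from the original post). It builds a constructed in-memory SQLite users table with sample rows, implements the login query once with string concatenation and once with bound parameters, and runs the ' or 1=1 -- - input through both.

```python
import sqlite3

# Constructed sample data for the demo; not the lab's real users table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

def make_db():
    """Create an in-memory users table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def login_vulnerable(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text.

    With username = "' or 1=1 -- -" the statement becomes
    SELECT * FROM users WHERE username = '' or 1=1 -- -' AND password = '...'
    so the password check is commented out and every row matches.
    """
    query = ("SELECT * FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchall()

def login_safe(conn, username, password):
    """Hardened form: named parameters keep the input as data, never as SQL."""
    query = ("SELECT * FROM users "
             "WHERE username = :username AND password = :password")
    return conn.execute(query,
                        {"username": username, "password": password}).fetchall()

def demo():
    """Return (rows from vulnerable query, rows from safe query) for the bypass input."""
    conn = make_db()
    payload = "' or 1=1 -- -"
    return login_vulnerable(conn, payload, "x"), login_safe(conn, payload, "x")

if __name__ == "__main__":
    bad, good = demo()
    print("vulnerable query returned", len(bad), "rows")   # all rows
    print("parameterised query returned", len(good), "rows")  # no rows
```

The only difference between the two functions is whether the driver or the application assembles the statement; the parameterised version still authenticates a genuine username and password pair normally.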

What page do we get redirected to?

Using SQLMap

First of all we need to intercept a request via this search feature of the site using BurpSuite. 

After catching the whole POST request and saving it to a text file, we can pass it to SQLMap so that it reuses our authenticated session.

In the users table, what is the hashed password?

What was the username associated with the hashed password?

What was the other table name?

Cracking a password with JohnTheRipper

What is the de-hashed password?

What is the user flag?

Exposing services with reverse SSH tunnels

First of all we have to do some internal enumeration, listing the open sockets with the ss tool, which is essentially a replacement for the netstat command.

TCP port 10000 is listening but must be blocked by a firewall rule, since there was no sign of it during the initial Nmap scan. In a situation like this we can circumvent the block with port forwarding: local SSH tunnelling forwards the port from the remote machine back to our local machine.

This means that the same Nmap scan now is able to detect the port and service of the machine via 127.0.0.1.

This can also be confirmed in our web browser.
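The gap exploited here is the difference between what ss sees on the host and what the external Nmap scan sees. As an added example (not part of the original post), the script below parses constructed ss -tln style output, compares it against a constructed set of externally visible ports, and reports services that are bound on all interfaces yet hidden only by the firewall; those are exactly the ones a tunnel from a foothold would expose, so a defender should bind them to loopback or remove them rather than rely on the filter alone.

```python
# Constructed sample in the shape of `ss -tln` output; not captured from the lab.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:10000        0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Constructed: ports the external Nmap scan reported as open.
EXTERNAL_OPEN = {22, 80}

LOOPBACK = {"127.0.0.1", "[::1]"}

def parse_listeners(text):
    """Return (local_address, port) pairs for every LISTEN line in ss -tln output."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)    # handles "[::]:22" as well
        listeners.append((addr, int(port)))
    return listeners

def classify(listeners, external_open):
    """Split listeners into firewall-shadowed ports and loopback-only ports.

    shadowed: bound on a non-loopback address but absent from the external scan,
              i.e. reachable as soon as someone tunnels past the firewall.
    loopback: bound to 127.0.0.1 / [::1] only, reachable just from the host itself.
    """
    shadowed = sorted({p for a, p in listeners
                       if a not in LOOPBACK and p not in external_open})
    loopback = sorted({p for a, p in listeners if a in LOOPBACK})
    return shadowed, loopback

def audit(text=SS_OUTPUT, external_open=EXTERNAL_OPEN):
    """Run the comparison on the sample data and return (shadowed, loopback)."""
    return classify(parse_listeners(text), external_open)

if __name__ == "__main__":
    shadowed, loopback = audit()
    print("firewall-shadowed ports:", shadowed)   # [10000]
    print("loopback-only ports:", loopback)       # [3306]
```

Run against real ss output on a host you administer, feeding in the port list from your own external scan, the shadowed list is the set of services to reconsider.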

What is the name of the exposed CMS?

What is the CMS version?

Privilege Escalation with Metasploit

Looking for potential exploits, we find a couple of Metasploit modules.

Two important things to keep in mind with the tunnelling: first, the SSH port forward must stay alive during the Metasploit exploit, and second, as a consequence of this, the RHOST will be the local machine, not the victim in the lab.

Thanks for reading and as always, any feedback is most welcome.

Walkthrough of a Windows machine exploiting Jenkins, privilege escalation via Windows authentication tokens.

Initial Access

This room is mainly about misconfigurations of the Jenkins DevOps automation server. Let us start with the usual Nmap scan.

How many TCP ports are open?

Next, we may want to investigate the Jenkins login page a bit further. Let's fire up Burp to see the client-server data exchange in more detail, along with the POST request at the top that we can tamper with.

Let's feed that into Hydra and brute-force the credentials with some very simple wordlists.

What is the username and password for the login panel?

We can log in now, and the plan is to exploit one of the Jenkins weaknesses that results in remote code execution. Let's download the Invoke-PowerShellTcp.ps1 script from the Nishang GitHub page. We need to serve this script from our usual HTTP server.

Let's log in to Jenkins and create a new project whose build step downloads and invokes the PowerShell script from our Kali machine, then save and build the project in Jenkins.

We should receive a reverse shell on our Netcat listener from the Jenkins server.

What is the user.txt flag?

Switching Shells

To make the privilege escalation easier, let's switch to a Meterpreter shell; the first step is creating an msfvenom Meterpreter reverse shell payload.

What is the final size of the payload we generated?

Like before, we need to place this executable into the directory our Python HTTP server serves from, and a Metasploit listener should also be started. So, let's upload the payload first using the same method as before: creating another project and building it afterwards.

Then we start the listener.

Now, let us get back to our previous shell, find the msfvenom payload and run it.

We should receive a Meterpreter shell as a result.

Even though we hold a higher privileged token, we might not have the permissions of a privileged user, thanks to the way Windows handles permissions. Let us check which tokens are available by loading the incognito module and then listing them. We can see that the BUILTIN\Administrators token is available.

Let's try to impersonate that token.

What is the output when you run the getuid command?

So, what we have to do is the usual process migration into a process running as SYSTEM, to work around the missing permissions of a privileged user. After that we are able to find the files that belong to a higher privileged user as well.

What is the content of the root.txt file?

Thanks for reading and as always, any feedback is most welcome.

Walkthrough of a Windows machine exploitation leveraging common misconfigurations.

Introduction

This is a very basic machine that is simple to work on, clearly intended just for educational purposes. Let us initiate a comprehensive Nmap vulnerability script scan against the machine.

How many ports are open with a port number under 1000?

What is this machine vulnerable to?

Gaining Access

We are going to leverage this vulnerability, which is also known as EternalBlue. It exploits a weakness in the Microsoft implementation of SMBv1 that allows the attacker to run arbitrary code on the victim system. Let's spin up Metasploit and launch the attack against the system.

Escalation

Let us background the existing shell with CTRL+Z and upgrade it to a Meterpreter shell as follows. Use the "post/multi/manage/shell_to_meterpreter" post module, set the IP address of the localhost again, associate the existing session with the module and run it against the victim. As you can see below, another session is created, so all we need to do afterwards is switch over to that session.

Let's list all the processes in order to migrate our current process into an elevated one running as NT AUTHORITY\SYSTEM. The reason is that even if we are SYSTEM, it does not necessarily mean our current process is also at SYSTEM level. Good choices would be PowerShell or, for example, cmd, but we chose the Console Host process below, as it hosts applications that use the command line.

Cracking

We have full control of the victim machine now, so let us dump the hashes from the SAM database from our elevated Meterpreter shell.

What is the name of the non-default user?

Let’s copy this password hash to a file and crack it. What is the cracked password?

Finding the flags

Three flags are planted on this machine; let's find them, shall we.

Thanks for reading and as always, any feedback is most welcome.