Complex Attack Types: Sample Scenarios 3


Baris Dincer

In this article, we will strengthen our penetration capabilities on different platforms. While talking about some tips, I will give you the application of the general methodology for penetration tests.

In addition to the general methodology, I will show you the steps in action.

Come on, warm up your fingers, punks!

Our target machine is 10.10.194.78.

Our local machine is 10.10.243.138.

As always, store these as shell variables so you can act faster.

output

Now we must know our enemy well. Nmap is a blessing for this, you know that. Use this command: nmap -sS -sC -T4 -n $target_ip -oN nmap_result.txt

-sS: This flag indicates a TCP SYN scan, which is a common type of scan used to determine which ports are open on a target system.
-sC: This flag enables the default script scan, which runs a set of Nmap scripts against the target to gather more information about the services running on open ports.
-T4: This flag sets the timing template to "aggressive." It increases the speed of the scan but may be more detectable and can potentially overwhelm some systems or networks.
-n: This flag tells Nmap not to do DNS resolution for hostnames, which can speed up the scan.
-oN nmap_result.txt: This flag specifies the output format and file name. In this case, it saves the results of the scan to a file named nmap_result.txt.

This may take some time. Be patient.

output

You see that port 80 is open. An interesting structure appears to be hosted on port 3389. These always interest you.

Or try nmap -sV --script vuln $target_ip -n | tee nmap_result.out

-sV: This option tells Nmap to perform service version detection during the scan.
--script vuln: This option tells Nmap to run the scripts in the "vuln" category, which check the target for known vulnerabilities.
$target_ip: This is a placeholder for the IP address of the target system you want to scan. Replace $target_ip with the actual IP address (or set the variable as described above).
-n: This option tells Nmap not to perform DNS resolution during the scan, which can speed up the scan.
| tee nmap_result.out: This part of the command pipes the output of the Nmap scan to the tee command, which writes the output both to standard output (your terminal) and to a file named nmap_result.out.
output

This output can be quite long. Be sure that it will be very useful to you.

Let’s check the site on port 80.

output

Conduct directory research with the gobuster tool. You can use this command: gobuster dir -u <TARGET_SITE> -w <WORDLIST_DIRECTORY>

output

In the results we see that the /admin page redirects us with a 302 status code.

Let’s check.

output

We see that a BlogEngine.NET application is running.

You can test this panel via Burp. Or you can catch some interesting facts directly through browser developer functions.

output

Examine the payload under the request and take notes.

output

Save it on your system as a variable. Don't forget to replace the test:test credentials you entered with the ^USER^ and ^PASS^ placeholders. You should also append the failure string ("Login failed") as an additional expression at the end, and the page you are targeting should be added at the beginning.

It should look like this:
“/Account/login.aspx:__VIEWSTATE=J7%2FrKT%2FRbzXElHvOFArr4HX0BUp05PUs%2Bjl4fN5QtFnsigr6tjwFZkWaUW9RaCNkl5wcaaA9I71WXBKsdywllsO45a8kdE%2BO2GeciLswYLZgMhEIYMOLKvVE1g9%2FuxmOjygsPrfW43YX1axgD3V%2FmbHd2lx7jcwje7Qgkp065G2LekTQ&__EVENTVALIDATION=nIJxL4rdGJE3KYMzFDmVH35CAPYLfmVh68KpFWCfpmOAp8i4dLgnYkYLVP3UEDV8IiIqX6kXoIwujnQvd7xTK1Tbiqg5RF0fYL3q6nazJk37P%2BrLs8lq043TvaeMwGi4uqTkx2onf8prQt9NNxgtS4oXE0haNUx6xQId8O8kqlZfYRAG&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed”

output

Now we can use Hydra.

hydra -l admin -P /usr/share/wordlists/rockyou.txt $target_ip http-post-form $payload_request

Depending on the length of your wordlist and the responsiveness of the server, this command may take time.

output

Default usernames must be changed… Now we can get in!

admin:1qaz2wsx

output

Now the fun can begin. Visit the About section to get version information.

output

Now that we have the version information, we can scan for vulnerabilities. There are many methods for this. Either use searchsploit or do a search via exploit-db. If you are going to use Searchsploit, run this command: searchsploit blogengine 3.3.6 remote

output

There are several exploits we can try. Download the exploit.

output

The C# code must be on your local machine.

The IP address in the exploit code must be changed to your local IP address, and the port you will listen on must be entered in the port field.

output

Create a new post and access File Manager.

output

Now, before uploading this exploit code, start a listener on the port you specified.

output

Change the extension of the C# file.

output

Upload.

output

When you look at the vulnerability documentation, you see that you need to target /?theme=../../App_Data/files.

output

This machine is now ours.
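From the defender's side, both stages of this walkthrough leave clear traces in the web server's logs: the Hydra run above is a burst of POSTs to /Account/login.aspx from one client, and the final step is a request whose theme parameter contains a traversal sequence. The following detection script is an added example (not code from the original article) that flags both over constructed, simplified W3C-style log lines; the log field order and sample values are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote
# Constructed, simplified W3C-style lines: date time method uri-stem uri-query client-ip status
SAMPLE_LOG = """\
2023-11-01 10:00:01 GET /admin/ - 10.10.243.138 302
2023-11-01 10:00:05 POST /Account/login.aspx - 10.10.243.138 200
2023-11-01 10:00:05 POST /Account/login.aspx - 10.10.243.138 200
2023-11-01 10:00:06 POST /Account/login.aspx - 10.10.243.138 200
2023-11-01 10:00:06 POST /Account/login.aspx - 10.10.243.138 200
2023-11-01 10:00:07 POST /Account/login.aspx - 10.10.243.138 200
2023-11-01 10:00:07 POST /Account/login.aspx - 10.10.243.138 302
2023-11-01 10:05:00 GET /blog/ - 192.0.2.10 200
2023-11-01 10:06:00 GET / theme=..%2F..%2FApp_Data%2Ffiles 10.10.243.138 200
"""

def parse_line(line):
    date, time, method, stem, query, client, status = line.split()
    return {"ts": datetime.fromisoformat(f"{date} {time}"), "method": method,
            "stem": stem, "query": "" if query == "-" else query,
            "client": client, "status": int(status)}

def login_bruteforce(lines, threshold=5, window_s=60):
    """Clients that POST to the login page at least `threshold` times within `window_s` seconds."""
    posts = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["method"] == "POST" and rec["stem"].lower() == "/account/login.aspx":
            posts[rec["client"]].append(rec["ts"])
    flagged = set()
    for client, times in posts.items():
        times.sort()  # sliding window over the client's POST timestamps
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1)):
            flagged.add(client)
    return flagged

def theme_traversal(lines):
    """(client, decoded theme value) for requests whose theme parameter escapes the theme folder."""
    hits = []
    for rec in map(parse_line, lines):
        for value in parse_qs(rec["query"]).get("theme", []):
            decoded = unquote(value)  # parse_qs decoded once already; this catches double-encoding
            if ".." in decoded.replace("\\", "/").split("/"):
                hits.append((rec["client"], decoded))
    return hits

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("brute-force clients:", login_bruteforce(lines))
    print("traversal attempts:", theme_traversal(lines))
```

The same two checks map directly onto mitigations: lockout or rate limiting on the login form, and rejecting any theme value that is not a plain directory name.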
