Reflections - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki

3.1 DNS Enumeration

Reflection

This lab took me longer than I would like to admit. Not because of difficulty, just because of small issues here and there. Overall, this lab was very useful. One of the most notable things we did in this lab was use nmap to find a DNS server on a target network, which has some insane implications for recon and lateral movement. This lab helped me a lot with bash scripting as I have had to work with a lot of bash lately. I am starting to enjoy it, despite my having already taken SYS-320 and not retaining any information from it.

Troubleshooting

I was unable to do nslookup on the specified servers for a long time. nslookup would just be unable to find the DNS server. The issue was I forgot to have WireGuard running. WireGuard turns off every time Kali is reset, and I reset Kali a few times trying to figure out issues.


4.1 Cupcake exploit

Reflection

This was one of the first labs where I was able to test actual exploits. I thoroughly enjoyed doing this lab and figuring out what was holding me up. I did not complete this lab on time either, but once I started working I was making decent time. I ran into some issues that I did not foresee, like /etc/passwd being relocated to /etc/passwd-.

The process of doing research and discovery was really fun. Seeing the information I have worked with previously used in new ways to open new prospects is very exciting to me.


5.1 Password Guessing

Reflection

This lab was very useful to me. I was able to further my knowledge of hacking, exploits, safe passwords, and the status of my own passwords.

Troubleshooting

My biggest issue with this lab honestly was trying to use SSH brute force. It took an excessive amount of time and did not even give me the right password. I believe I have the syntax right, but I don't know if my password files are good enough to work. I may have chosen the wrong words for the list initially but I don't know what the right words are so I can't say for sure.

I managed to fix this issue; the issue was my wordlists, as I predicted. After tinkering around with the initial small wordlists, I was able to mangle the proper words and guess the correct password.


6.1 Password Cracking

Reflection

I enjoyed this lab as well. I was a bit confused about what was happening with deliverable 5/6 where we used the python3 script; however, I was able to replicate it. It was just that we had both the plaintext password and the hashed password, so that part seemed a bit confusing, but other than that it was just time consuming.


8.1 Weevely

Reflection

This lab gave me a lot of difficulty because I did not complete the prior 7.1, which made the first two deliverables hard. However, once I figured out what was going on with deliverables 1 and 2, I was able to breeze through the rest of the assignment relatively easily. The basis behind the webshells and exploitation is really cool. I feel that the struggling is helping me understand where I am going wrong and what is going right, as well as helping me to troubleshoot.

Troubleshooting

My first attempt will be to use scp to transfer simple-backdoor.php to the /var/www/html directory on 10.0.5.21 under an admin account and hope that it deploys it.

scp simple-backdoor.php [email protected]:/var/www/html

UPDATE: This did not work as I do not have sufficient privileges on the target box.

I will try the python3 server now because why not.

UPDATE: I did not end up using the python3 server; instead, I ended up using my ssh access to access peregrin.took and move the desired files around where I wanted. Then I used wget to extract them from the webserver. I do not understand how to execute a web shell yet, so this was my alternative. This worked.

  1. Using wget from hostbox, target the desired file

wget http://10.0.5.21/passwd (I moved the passwd file into /var/www/html to be able to do this)

For everything above, I was doing it on the wrong server. I am unable to use these techniques for the correct server.


Another issue I was having was being unable to upload files to the target server due to a passive mode glitch. The fix was mput instead of put, which worked for some reason.

UPDATE: This did not work in the end; it was not a long-term fix. I do not know what the cause of mput working was, but it only worked once, which is all I needed.


Another issue I was having was with weevely itself. It gave me an error involving padding. I ended up potentially fixing it by adding

base64.b64decode(s + b'==')

to the end of the php file generated. However, I'm not too sure if this was the right fix, or if it was the new file I created on my second attempt that just ended up working without any issues.
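Added example (not the author's code and not weevely's own source, which this page does not show): how the `s + b'=='` workaround relates to the padding a stripped base64 string actually needs. The inputs are constructed; `missing_padding`, `decode_b64_tolerant` and `blind_pad_decode` are names chosen here.

```python
import base64
import binascii


def missing_padding(s: bytes) -> int:
    """Return how many '=' characters a base64 string is short of (0, 1 or 2).

    Base64 text is always a multiple of 4 characters, so the shortfall is
    (-len) % 4. A shortfall of 3 can never occur in valid base64 (a single
    base64 character carries only 6 bits, not enough for one whole byte),
    so that case is reported as -1 instead of being "fixed".
    """
    missing = (-len(s.strip())) % 4
    return -1 if missing == 3 else missing


def decode_b64_tolerant(s: bytes) -> bytes:
    """Decode base64 whose trailing '=' padding may have been stripped,
    adding exactly the padding that is missing."""
    missing = missing_padding(s)
    if missing < 0:
        raise binascii.Error("invalid base64 length: %d" % len(s.strip()))
    return base64.b64decode(s.strip() + b"=" * missing)


def blind_pad_decode(s: bytes) -> bytes:
    """The workaround from the journal entry: always append b'=='.

    Python's non-strict decoder stops reading once a quad's padding is
    complete and ignores surplus '=', so this happens to work for inputs
    missing 0, 1 or 2 pad characters. Shown for comparison only.
    """
    return base64.b64decode(s.strip() + b"==")


# Constructed sample inputs: the same bytes encoded, then with padding
# stripped the way a tool or transport might emit them.
SAMPLES = {
    b"YQ==": b"a",    # correctly padded
    b"YQ": b"a",      # two '=' stripped
    b"YWI": b"ab",    # one '=' stripped
    b"YWJj": b"abc",  # no padding needed
}


def check_samples() -> bool:
    """True when both decoders recover the expected bytes for every sample."""
    return all(decode_b64_tolerant(k) == v and blind_pad_decode(k) == v
               for k, v in SAMPLES.items())
```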


10.2 Nancurunir

Reflection

I thought this lab was going to be far harder than it actually was. There was barely even an exploit I used, rather an unsecured system allowing for basic connection exploits. I thoroughly enjoyed this lab. I had to do everything with no instructions. It was not as complicated as I expected, and I never got lost like I expected.

Troubleshooting

No issues except for not being able to SSH directly from my Kali box into the target box. However, I mitigated this by SSHing into pippin first and using it as a jump box to the network.