Vulnhub Milnet writeup

-
Milnet exploitation

All information can be found in www.vulnhub.com and there are some awesome walkthrough :P

Goal: Attack this machine and got root privilege on this machine

-----Summary------
1. information gathering
2. exploitation by redirect to our own payload
3. escalate privileges
-------Start---------

After download and open it, here is VM login page, which includes IP addr. It means we can skip use arp-scan 


If you want to use 2 VM as attacker and victim, make sure they can communicate(in same subnet)
You need to configure to same interface in your computer
Then start information gathering--NMAP scan, this time I use -A option to scan, which don't need root privilege.
And we got port 22, 80 are open. 

First we start from port 80--http. Enter IP addr, can see the webpage
 But it looks like don't have any important information, so we use dirb in my Kali Linux 
Based on the wordlist, it can go through and see if there's any webpage within this server.
From the result below, I got two pages

This info.php looks interesting, after took a look, there's cgi and php functionally, which is a good thing for upload my payload to server


From the information I got, instead of upload payload file, I decide to redirect the server to execute my payload and connect through netcat base on http protocol.
First step is start my apache server, then copy my payload file into it and save as txt format.
 Second is ensure my listener IP and port number in my payload file.(I use payload file is in Kali linux /usr/share/webshell/php/php-reverse-shell.php. My goal is try to let victim server execute this payload file)

 Base on the information I got in the website, I found the picture file is base on directory route to file.
It is a really awesome information for attacker since you can redirect the route to your own backdoor file.(Here is my php-reverse-shell as example.)
So I use burpsuite to edit my request
1) Use POST method rather than GET
2) Set the content-type let browser can decode and execute the payload file
3)add the route parameter in the end, ensure the server can execute my Kali payload file.(Here my Kali IP is 172.16.194.136, victim's IP is 172.16.194.135) 

Open the netcat and start to listen the connection 


After get into the server, there's a thing is really interesting as a hint.
Is the DefenseCode_Unix_WildCards_Gone_Wild.txt,
this file also available from here: http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
Basically is a way to do command injection for an arbitrary command on operating system 

The following command is injection I use on victim server. It's set to open a shell after netcat connection form other host

This is the final result, after I connect to server and have root privilege in this shell.

Thanks for watching :)

留言

張貼留言

這個網誌中的熱門文章

惡意程式分析 - 常用工具篇

-
前言 工作的關係,最近接觸了一點 Malware跟逆向的東西,把常用的工具跟用途紀錄一下,怕以後自己忘記....希望能不定時更新  本篇會分為四個部分來記錄 執行環境 靜態分析 動態分析 以及最後的懶人包 執行環境 最常見的就是Windows,個人偏好用Windows 7 64 bits,很常見也可以裝很多東西,惡意程式大多都是針對Windows 而設計的 另一個很好用的執行環境是 REMnux, 裡面已經預載了很多常用的工具接下來會提到 連結可以參考這裏  https://remnux.org/  以及官方文檔  https://docs.remnux.org/ 靜態分析 顧名思義,不想執行惡意程式但想看看裡頭的內容,針對Windows的話可以用下列工具 PE Studio - 需要額外安裝。可以做初步的分析,同時可以知道是否有Anti-debug/analysis 阻擋著我們 IDA - 逆向標配,可以看assembly,同時也具有Debug功能 Ghidra PE Bear/ PE View - 可以針對PE檔案格式做深入研究 oledump.py - 針對Office格式(Word, Excel)分析裡面的Macro pdf-parser.py - 針對PDF格式分析裡面的Object 動態分析 靜態分析完了之後想驗證自己的想法,可以使用動態分析 動態分析方法比較多種,但大致可以分成自動跟手動, 本魯比較偷懶,比較常用自動分析 Cuckoo - 沙盒標配,資料相當完整,但偶而會被Anti-debug/analysis的招式抓到直接不執行 ANY.RUN - 最簡單就是丟到Cuckoo這類的沙盒,不過最近發現了個很好用且免費的工具,他可以直接跟沙盒內的Windows VM做互動。唯一缺點是只支援Windows平台 對於不屑用沙箱的逆向大神們,先受我一拜........ 喜歡手動的話,也是有些工具可以推薦 Process Hacker - 高配版工作管理員,記錄所有執行中的程式以及詳細內容 (Mutex, process handle.....) 一邊執行一邊看著,通常可以很好發現 Process Injection的特徵 Process Explorer - 記錄所有API usage,但建議搭配視覺化工具像...
閱讀完整內容

Offensive Security Certified Professional (OSCP) 滲透測試證照經驗分享

-
圖片
1. 前言 在資訊安全的證照中, 有許多證照以及課程可以學習 像是CEH, Security+, CISSP. 但真正以實作滲透測試為主的, OSCP算是最大宗. 在台灣並不算很出名...但在國外算是小有名氣的證照之一. 國外的分享數量非常多不在話下, 所以這篇文章將以中文做分享, 希望能藉此機會拋磚引玉一下 2. OSCP介紹與先修材料推薦 2.1 先修材料推薦 由於 OSCP 對修課者會有一定的要求, 有些人或許會好奇, 如何才知道自己是否準備好可以來上課了? 有些資源是我個人很推薦在上課之前可以先參考練習一下: https://www.vulnhub.com  (提供很多脆弱虛擬機可以下載來練習, 網路上很多人有分享解法, 可以一步一步學習依樣畫葫蘆) https://www.hackthebox.eu  (需要用官網提供的VPN進入他的 Lab環境, 跟OSCP Lab類似, 由於是免費的所以並沒有提供教材. 但是是很棒的資源. 他有個前提是要能夠破解官網註冊步驟) 2.2 課程簡介 Lab購買方式 官網是  https://www.offensive-security.com  , 要參與考試之前必須先上他們的線上課程, 課程大綱的網址如下:  https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf 他的課程分為三種 (買lab同時會包含一次的考試, 單買考試是 一次60美金 以漲價變成150美金): Course + 30 days lab Course + 60 days lab Course + 90 days lab 詳細價格在 https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/ 可以發現其實差別只在lab天數. 不建議購買30天lab....因為有很大機會會沒有足夠時間做lab. 但是在購買過Course package後是可以單獨購買lab時數的. (很害羞的說我lab續了兩次, 因為小弟經驗不足實在破不完lab) 課程包括了PDF...
閱讀完整內容

Offensive Security Certified Professional Review

-
圖片
1. Introduction There are tons of certification in cybersecurity, for example, CEH, Security+, CISSP....but OSCP is known for its hands on experience and 24 hour exam. 2. Before OSCP.... 2.1 Material recommend There are some resource I would like to highlight before really step in OSCP's course. Although OSCP is the entry level cert in offsec, it still have lots knowledge Offsec expect people knows. Vulnhub: contain lots vulnerable machine, can download and do it locally https://www.vulnhub.com Hackthebox: Need VPN to their network, similar to OSCP's lab, really good resource before OSCP https://www.hackthebox.eu/ 2.2 Course Intro Official Sire is  https://www.offensive-security.com  , and before take exam, need to take their PWK course, here is syllabus  https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf Course have three types: Course + 30/60/90 days lab, can be found here: https://www.offensive-security.com/information-s...
閱讀完整內容