DC-2 - unfinished

Last updated 2 years ago

Was this helpful?

DC-2 - unfinished

192.168.129.194

Enumeration

Nmap scan

nmap -sV -p- 192.168.129.194 -A

Port 80

Running dirb against the site because it fails to go to port 80 at this IP.

Interesting error.

Added IP to host file as dc-2

Made word list with cewl

cewl http://dc-2 -w wordlist

Try to bruteforce the login for wp-login.php

hydra 192.168.129.194 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fdc-2%2Fwp-admin%2F&testcookie=1:Error" -L wordlist -P wordlist -t 64

wpscan --url http://dc-2/ -U users.txt -P wordlist

Exploit

Document here:

Exploit used (link to exploit)
Explain how the exploit works against the service
Any modified code (and why you modified it)
Proof of exploit (screenshot of reverse shell with target IP address output)

Post-Exploit Enumeration

Current User

Click to expand

Document here:
 
- Windows
  - "whoami /all" output
  
- *nix
  - "id" output
  - "sudo -l" output

OS & Kernel

Click to expand

Document here:
  
- Windows
  - "systeminfo" or "Get-ComputerInfo" output
  
- *nix
  - "uname -a" output
  - "cat /etc/os-release" (or similar) output

Users

Click to expand

Document here any interesting username after running the below commands:
  
- Windows
  - Domain:
  	- "net user /domain" or "Get-ADUser -Filter *" output
  
  - Workgroup:
  	- "net user" or "Get-LocalUser" output
  
- *nix
  - "cat /etc/passwd" output

Groups

Click to expand

Document here any interesting groups after running the below commands:
  
- Windows
  - Domain:
  	- "net group /domain" or "Get-ADGroup -Filter *" output
  
  - Workgroup:
  	- "net localgroup" or "Get-LocalGroup" output
  
- *nix
  - "cat /etc/group" output

Network

Interfaces

Document here any interesting / additional interfaces:
  
- Windows
  - "ipconfig" or "Get-NetAdapter" output
  
- *nix
  - "ip address" or "ifconfig" output

ARP Table

If targeting a network and enumerating additional hosts...
Document here:
  
- Windows
  - "arp -a" or "Get-NetNeighbor" output
  
- *nix
  - "ip neigh" or "arp -a" output

Routes

If targeting a network and enumerating additional hosts...
Document here:
  
- Windows
  - "route print" or "Get-NetRoute" output
  
- *nix
  - "ip route" or "route" output

Open Ports

Document here any ports listening on loopback or not available to the outside:
  
- Windows
  - "netstat -ano | findstr /i listening" or "Get-NetTCPConnection -State Listen" output
  
- *nix
  - "netstat -tanup | grep -i listen" output

Ping Sweep

If the host has access to additional routes / interfaces:

  - Look at the IP address space and network mask
  - Find a ping sweep script that will work for the target network
  - Or you could try:
  	- Transfering "nmap" or some other host discover tool to the host
  	- Set up a SOCKS proxy and try a port scan through the foothold

Processes

Click to expand

First...
Enumerate processes:
  
- Windows
  - "tasklist"
  - "Get-Process"
  - "Get-CimInstance -ClassName Win32_Process | Select-Object Name, @{Name = 'Owner' ; Expression = {$owner = $_ | Invoke-CimMethod -MethodName GetOwner -ErrorAction SilentlyContinue ; if ($owner.ReturnValue -eq 0) {$owner.Domain + '\' + $owner.User}}}, CommandLine | Sort-Object Owner | Format-List"
  
- *nix
  - "ps auxf"
  
Then...
Document here:
  - Any interesting processes run by users/administrators
  - Any vulnerable applications
  - Any intersting command line arguments visible

Services

Click to expand

- Windows
  - First...
    Enumerate services:
  	  - "sc.exe query"
  	  	- Then "sc.exe qc <service-name>"
          - List the configuration for any interesting services
  	  - "Get-CimInstance -ClassName Win32_Service | Select-Object Name, StartName, PathName | Sort-Object Name | Format-List"
  - Then...
  	Check for things like:
  	  - Vulnerable service versions
      - Unquoted service path
      - Service path permissions too open?
  
- *nix
  - First...
  	Enumerate services:
      - "service --status-all" or "systemctl list-units"
  - Then...
    Check for things like:
      - Vulnerable service versions
      - Configuration files
      - Writable unit files
  	  - Writable service binaries  
  
Then...
Document here:
  - Any interesting services or vulnerabilities
  - Any vulnerable service versions
  - Any intersting configuration files

Scheduled Tasks

Click to expand

First...
Enumerate scheduled tasks:
  
- Windows
  - "schtasks /QUERY /FO LIST /V | findstr /i /c:'taskname' /c:'run as user' /c:'task to run'"
  - "Get-CimInstance -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_ScheduledTask | Select-Object TaskName, @{Name = 'User' ; Expression = {$_.Principal.UserId}}, @{Name = 'Action' ; Expression = {($_.Actions.Execute + ' ' + $_.Actions.Arguments)}} | Format-List"
  
- *nix
  - "crontab -l"
  - "cat /etc/cron* 2>/dev/null"
  - "cat /var/spool/cron/crontabs/* 2>/dev/null"
  
Then...
Document here:
  - Any interesting scheduled tasks
  - Any writable paths in the scheduled task
  - Any intersting command line arguments visible

Interesting Files

File 1

File contents

Privilege Escalation

Document here:

Exploit used (link to exploit)
Explain how the exploit works
Any modified code (and why you modified it)
Proof of privilege escalation (screenshot showing ip address and privileged username)\

Persistence

Document here how you set up persistence on the target

Flags

User

Flag here

Root

Flag here

Shell

Root

Template partially from 0xC0FFEE https://notes.benheater.com

PreviousDriftingBlues6 NextInfoSecPrep

Last updated 2 years ago

Was this helpful?

192.168.129.194

Enumeration

Nmap scan

nmap -sV -p- 192.168.129.194 -A

Port 80

Running dirb against the site because it fails to go to port 80 at this IP.

Interesting error.

Added IP to host file as dc-2

Made word list with cewl

cewl http://dc-2 -w wordlist

Try to bruteforce the login for wp-login.php

hydra 192.168.129.194 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fdc-2%2Fwp-admin%2F&testcookie=1:Error" -L wordlist -P wordlist -t 64

wpscan --url http://dc-2/ -U users.txt -P wordlist

Exploit

Document here:

Exploit used (link to exploit)
Explain how the exploit works against the service
Any modified code (and why you modified it)
Proof of exploit (screenshot of reverse shell with target IP address output)

Post-Exploit Enumeration

Current User

Click to expand

Document here:
 
- Windows
  - "whoami /all" output
  
- *nix
  - "id" output
  - "sudo -l" output

OS & Kernel

Click to expand

Document here:
  
- Windows
  - "systeminfo" or "Get-ComputerInfo" output
  
- *nix
  - "uname -a" output
  - "cat /etc/os-release" (or similar) output

Users

Click to expand

Document here any interesting username after running the below commands:
  
- Windows
  - Domain:
  	- "net user /domain" or "Get-ADUser -Filter *" output
  
  - Workgroup:
  	- "net user" or "Get-LocalUser" output
  
- *nix
  - "cat /etc/passwd" output

Groups

Click to expand

Document here any interesting groups after running the below commands:
  
- Windows
  - Domain:
  	- "net group /domain" or "Get-ADGroup -Filter *" output
  
  - Workgroup:
  	- "net localgroup" or "Get-LocalGroup" output
  
- *nix
  - "cat /etc/group" output

Network

Interfaces

Document here any interesting / additional interfaces:
  
- Windows
  - "ipconfig" or "Get-NetAdapter" output
  
- *nix
  - "ip address" or "ifconfig" output

ARP Table

If targeting a network and enumerating additional hosts...
Document here:
  
- Windows
  - "arp -a" or "Get-NetNeighbor" output
  
- *nix
  - "ip neigh" or "arp -a" output

Routes

If targeting a network and enumerating additional hosts...
Document here:
  
- Windows
  - "route print" or "Get-NetRoute" output
  
- *nix
  - "ip route" or "route" output

Open Ports

Document here any ports listening on loopback or not available to the outside:
  
- Windows
  - "netstat -ano | findstr /i listening" or "Get-NetTCPConnection -State Listen" output
  
- *nix
  - "netstat -tanup | grep -i listen" output

Ping Sweep

If the host has access to additional routes / interfaces:

  - Look at the IP address space and network mask
  - Find a ping sweep script that will work for the target network
  - Or you could try:
  	- Transfering "nmap" or some other host discover tool to the host
  	- Set up a SOCKS proxy and try a port scan through the foothold

Processes

Click to expand

First...
Enumerate processes:
  
- Windows
  - "tasklist"
  - "Get-Process"
  - "Get-CimInstance -ClassName Win32_Process | Select-Object Name, @{Name = 'Owner' ; Expression = {$owner = $_ | Invoke-CimMethod -MethodName GetOwner -ErrorAction SilentlyContinue ; if ($owner.ReturnValue -eq 0) {$owner.Domain + '\' + $owner.User}}}, CommandLine | Sort-Object Owner | Format-List"
  
- *nix
  - "ps auxf"
  
Then...
Document here:
  - Any interesting processes run by users/administrators
  - Any vulnerable applications
  - Any intersting command line arguments visible

Services

Click to expand

- Windows
  - First...
    Enumerate services:
  	  - "sc.exe query"
  	  	- Then "sc.exe qc <service-name>"
          - List the configuration for any interesting services
  	  - "Get-CimInstance -ClassName Win32_Service | Select-Object Name, StartName, PathName | Sort-Object Name | Format-List"
  - Then...
  	Check for things like:
  	  - Vulnerable service versions
      - Unquoted service path
      - Service path permissions too open?
  
- *nix
  - First...
  	Enumerate services:
      - "service --status-all" or "systemctl list-units"
  - Then...
    Check for things like:
      - Vulnerable service versions
      - Configuration files
      - Writable unit files
  	  - Writable service binaries  
  
Then...
Document here:
  - Any interesting services or vulnerabilities
  - Any vulnerable service versions
  - Any intersting configuration files

Scheduled Tasks

Click to expand

First...
Enumerate scheduled tasks:
  
- Windows
  - "schtasks /QUERY /FO LIST /V | findstr /i /c:'taskname' /c:'run as user' /c:'task to run'"
  - "Get-CimInstance -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_ScheduledTask | Select-Object TaskName, @{Name = 'User' ; Expression = {$_.Principal.UserId}}, @{Name = 'Action' ; Expression = {($_.Actions.Execute + ' ' + $_.Actions.Arguments)}} | Format-List"
  
- *nix
  - "crontab -l"
  - "cat /etc/cron* 2>/dev/null"
  - "cat /var/spool/cron/crontabs/* 2>/dev/null"
  
Then...
Document here:
  - Any interesting scheduled tasks
  - Any writable paths in the scheduled task
  - Any intersting command line arguments visible

Interesting Files

File 1

File contents

Privilege Escalation

Document here:

Exploit used (link to exploit)
Explain how the exploit works
Any modified code (and why you modified it)
Proof of privilege escalation (screenshot showing ip address and privileged username)\

Persistence

Document here how you set up persistence on the target

Flags

User

Flag here

Root

Flag here

Shell

Root

Template partially from 0xC0FFEE https://notes.benheater.com