Total OSCP GuidePayloads All The Things

Kioptrix

Finding Vulnerabilities

  1. we used sudo netdiscover -r 192.168.161.0/24 with our ip to find the vmware ip

  2. we use nmap -T4 -p- -A 192.168.161.130 to find all info about the system

  3. 80/443 default webpage found with apache server running

  4. use nikto for vulnerable scanning

  5. Found that mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.

  6. Information disclosure- Server version

  7. We can use three tools for directory busting:

    • gobuster

    • dirb

    • dirbuster

  8. Found usage subdirectory which disclosed following info: Generated by Webalizer Version 2.01

  9. Using masscan to find ports: sudo masscan -p1-65535 192.168.161.130 --rate 1000 then we can do This method is faster

SMB Enumeration

  1. SMB version found using metasploit- Unix (Samba 2.2.1a)

  2. Then use smbclient to gain access to smb (can potentially contain valuable data) which led to find:

    • smbclient \\\\192.168.161.130\\IPC$

      • Access Denied

    • smbclient \\\\192.168.161.130\\ADMIN$

      • Requires password THIS PATH IS A DEADEND POTENTIALLY OPEN TO trans2open exploit https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/samba/trans2open

SSH Enumeration

  1. We try to make a connection using: ssh 192.168.161.130 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes128-cbc The output:

DSA key fingerprint is SHA256:lEaf2l45SOoTn6qFh/EObfveZjbgCPuTHIXBFtD9mY8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.161.130' (DSA) to the list of known hosts.
kali@192.168.161.130's password

We do this to check for exposed banners(which could have ssh version or created by which companies etc).

SSL remote shell

  1. mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. is the one we targeting

  2. 80/443 -> Found exploit - https://github.com/heltonWernik/OpenLuck

Exploitation

  1. We chose smb to exploit (trans2open using metasploit)

    1. Didn't work first time because of some payload issue. We were using staged [[Exploitation#Staged vs Non- Staged]]

    2. We switch to non staged payload ( :( no meterpreter) We gain root after running exploit

  2. Using OpenFuck to manually exploit:

  3. We got shell access with root privileges.

  4. Undetected malicious activity

Passwords

We got root access and can access the passwd file: Note: The passwd file no longer directly has the passwords Instead we see the shadow file in /etc/shadow:

SSH brute forcing

  1. Using hydra hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.161.130 -t 4 -V

  2. Using metasploit

    • use SSH_Login after search

PreviousJerry HTBNextLame HTB

Last updated

Was this helpful?