Hacking Machines

presentation of how it works

Uploaded by

max13qafarov

Hacking Machines

101

Furkan ÖZER
July 2023

1
About
• Yıldız Technical University – Computer Engineering

• Red Team Operator – 2016

• Forestall – Co-Founder – 2020

• LockedShields – Green Team Member - 2019

• CS RANGER, OSCP, OSCE, CRTP, CARTP, AWS CSAA

• frknozr.github.io / forestall.io/blog

• Twitter/Github/Gitlab - frknozr

• Borabay, Invoke-Ulubat, Kangal

2
Intro
• Hacking

○ to gain illegal access to (a computer network, system, etc.)

○ a usually creatively improvised solution to a computer hardware or programming problem or limitation

○ a clever tip or technique for doing or improving something

○ using a process, object, or technology in ways it wasn't initially made for

• Machine (in cyber security context)

○ refers to computers, servers, network devices, or even specific types of digital machines like ATMs, POS terminals, or voting machines

3
How do we start?
• What is the target?
○ Is it a laptop, a server, a firewall or an ATM?

• How can I access the target?

○ Can I access it through the Internet?

○ Can I access it physically?

○ Are we using the same Wi-Fi network?
• What is the target Operating System?

○ Windows, Linux, BSD etc?

• Which ports are accessible on the target?

• Which programs/services are running on the target?

○ Web service, file sharing etc?

4
Reconnaissance

5
Reconnaissance/Information
Gathering/Enumeration
• First, we need to gather the necessary information about the target to answer the questions above

○ Passive information gathering

○ Active information gathering

• Active Info. Gathering

○ Gathering information by establishing various kinds of connections to the target

○ Network scanning, Vulnerability Scanning

• Passive Info. Gathering

○ Gathering as much information as possible without establishing contact with the target

○ Social Media, Third-Party Scanners, Search Engines

6
Active Information Gathering
• Manual methods and various automated tools can be used for active information gathering.

• Nmap ("Network Mapper") is a free and open source command-line tool for network discovery and security auditing

• Nmap is useful for

○ Identifying active hosts

○ Scanning open/closed ports

○ Identifying services and versions

○ Identifying operating systems

○ Detecting vulnerabilities

○ Firewall / IDS evasion

7
Lab Setup

8
Active Information Gathering
# Identifying our IP address and network range
$> ifconfig

9
Active Information Gathering
# Scanning network with nmap to find active hosts
$> nmap 192.168.231.0/24

10
Active Information Gathering
# Scanning target with nmap
# -Pn -> Disable host discovery. Port scan only.
# -v -> Enable verbose mode
# -sT -> TCP connect port scan
# -sV -> Attempts to determine the version of the service running on port
# -p- -> Scan all ports
$> nmap -Pn -v -sT -sV -p- 192.168.231.168
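A full-port version scan produces a lot of text, and the answers to the questions on slide 4 are easier to keep in a structured inventory. The following is an added example, not the presenter's code: it parses nmap's grepable output (the `-oG` format, assuming the scan above was saved with `-oG scan.gnmap`) into records and lists the open services per host. The sample output and the service versions in it are constructed for illustration, not results from the presenter's lab.

```python
from dataclasses import dataclass

# Constructed sample of nmap grepable output (-oG); not the presenter's scan,
# and the service versions are made up for illustration.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -Pn -sT -sV -p- -oG scan.gnmap 192.168.231.168
Host: 192.168.231.168 ()\tStatus: Up
Host: 192.168.231.168 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/, 80/open/tcp//http//Apache httpd 2.4.18/, 8080/open/tcp//http//Apache Tomcat 8.5/, 27017/filtered/tcp//mongod///\tIgnored State: closed (65531)
"""

@dataclass
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str

def parse_gnmap(text: str) -> list:
    """Parse the Host:/Ports: lines of an nmap -oG file into PortRecords."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and blank lines carry no port data
        # Fields are tab-separated "Name: value" pairs.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # drop the "(hostname)" suffix
        for entry in fields.get("Ports", "").split(","):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            parts = entry.strip().split("/")
            if len(parts) < 7 or not parts[0].isdigit():
                continue
            records.append(PortRecord(host, int(parts[0]), parts[2],
                                      parts[1], parts[4], parts[6]))
    return records

def open_services(records: list) -> dict:
    """Group open ports by host, sorted by port number, as input to the VA step."""
    by_host: dict = {}
    for rec in records:
        if rec.state == "open":
            by_host.setdefault(rec.host, []).append(rec)
    for recs in by_host.values():
        recs.sort(key=lambda r: r.port)
    return by_host

for host, recs in open_services(parse_gnmap(SAMPLE_GNMAP)).items():
    for r in recs:
        print(f"{host}:{r.port}/{r.proto}  {r.service:<8} {r.version}")
```

Filtered ports are kept in the records but left out of `open_services`, so a host that answers only with filtered ports still shows up in the parsed data for follow-up.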

11
How can we use this info?

12
Vulnerability Assessment

13
Vulnerability Assessment
• Vulnerability

○ a weakness in an IT system that can be exploited by an attacker to deliver a successful attack

• CVE (Common Vulnerabilities and Exposures)

○ The CVE system provides a reference method for publicly known information-security vulnerabilities and exposures.

• We need to identify vulnerabilities on these ports/services

○ Commercial tools (Nessus, Nexpose, GreenBone, Netsparker etc)

○ Open Source Vulnerability Scanners (OpenVAS, Nmap NSE etc)

○ Vulnerability Databases (exploit-db.com, attackerkb.com, cvedetails.com etc)

○ Manual methods

14
Vulnerability Assessment – Apache Tomcat
# Enumerating Apache Tomcat
nmap -Pn -sT -A -p 8080 192.168.231.168

15
Metasploit
• Metasploit is a powerful and widely used open-source tool for penetration testing and cybersecurity research.

• The framework includes various tools, ready-made exploits, and payload options to discover, exploit, and verify
vulnerabilities.

• Metasploit also provides the infrastructure to establish a command and control channel to a compromised target system.

16
Vulnerability Assessment – Apache Tomcat
Default Username and Password Usage on Apache Tomcat

17
Exploitation

18
Exploitation
• Exploit

○ is a method, program, or piece of code designed to find and take advantage of a security vulnerability in an application or computer system

• Once we find a vulnerable service, input, etc., we can use a suitable exploit for different purposes

○ Executing code on the system (Remote Code Execution)

○ Retrieving application database (Data Exfiltration)

○ Blocking the access (Denial of Service)

○ Impersonating or taking over accounts (Account Takeover)

○ Modifying or destroying data (Defacement / Data Destruction)

19
Exploitation – Apache Tomcat

20
Exploitation – Apache Tomcat

21
Vulnerability Assessment – Web Server
# Enumerating Web Server
nmap -Pn -sT -A -p 80 192.168.231.168

22
Vulnerability Assessment – Web Server

23
Vulnerability Assessment – Web Server

24
Exploitation – Web Server
Command Injection on PHPMoAdmin

curl "http://192.168.231.168/mongoadmin/" -d "object=1;system('whoami');exit"

25
Nikto
• Nikto is a free software command-line vulnerability scanner that scans web servers for dangerous files/CGIs, outdated server software and other vulnerabilities.

• We can use Nikto for quick, basic security checks

# Running Nikto
nikto -h http://192.168.231.168

26
Vulnerability Assessment – Web Server
ShellShock Vulnerability

27
Vulnerability Assessment – Web Server

28
Exploitation – Web Server
ShellShock Vulnerability
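Shellshock reaches bash through HTTP header values that a CGI handler exports as environment variables, so the web server's own access log is where a defender first sees probes for it. The following is an added example, not part of the deck: it parses Apache combined-format access log lines and flags the bash function-definition prefix in the User-Agent and Referer fields, rating hits on CGI paths higher. The log lines are constructed for illustration and are not from the presenter's lab.

```python
import re
from typing import Optional

# Constructed Apache combined-format access log lines (not from the deck); the
# second and third lines carry a Shellshock probe in User-Agent and Referer.
SAMPLE_LOG = """\
192.168.231.10 - - [01/Jul/2023:10:15:01 +0300] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.231.10 - - [01/Jul/2023:10:15:07 +0300] "GET /cgi-bin/status.cgi HTTP/1.1" 200 73 "-" "() { :; }; echo probe"
192.168.231.10 - - [01/Jul/2023:10:15:09 +0300] "GET /index.html HTTP/1.1" 200 1024 "() {:;}; echo probe" "curl"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# The bash exported-function prefix "() {" that Shellshock keys on; whitespace optional.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

def parse_combined_log(line: str) -> Optional[dict]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_shellshock(lines) -> list:
    """Return one hit per log line whose Referer or User-Agent carries the prefix."""
    hits = []
    for line in lines:
        rec = parse_combined_log(line)
        if rec is None:
            continue  # unparseable lines deserve their own alert in production
        _, _, rest = rec["request"].partition(" ")
        path = rest.split(" ")[0] if rest else ""
        for field in ("agent", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    "client": rec["client"],
                    "path": path,
                    "field": field,
                    "evidence": rec[field],
                    # CGI scripts receive header values as environment variables,
                    # so a hit on a /cgi-bin/ path is the one that can reach bash.
                    "severity": "high" if path.startswith("/cgi-bin/") else "medium",
                })
    return hits

for hit in detect_shellshock(SAMPLE_LOG.splitlines()):
    print(f'{hit["severity"]:<6} {hit["client"]} {hit["path"]} {hit["field"]}={hit["evidence"]!r}')
```

The prefix can also appear in other header fields that the default log format does not record, so this catches only what the combined format captures.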

29
What do we do now?
• We gained access to the target in several ways

• But what is our next step?

30
Privilege Escalation

31
Privilege Escalation

32
Privilege Escalation

33
Privilege Escalation

34
Privilege Escalation

35
Cyber Kill Chain

36
Mitre ATT&CK Matrix

37
Free Labs
• Hack the Box (https://app.hackthebox.com/)

• Try Hack Me (https://tryhackme.com/)

• VulnHub (https://www.vulnhub.com/)

38
