Hands-on Penetration Test Lab Walkthrough


Difficulty
Intermediate
Video Transcription
00:00
Hands-on penetration test lab walkthrough.
00:07
So really our learning objective here is to get root, right? I didn't want to give you a lot of information. I wanted it to be kind of
00:14
your opportunity to figure out how to exploit this box. And this is not an easy box to exploit, and it really takes a lot of enumeration, figuring out what's going on here. So
00:26
I did a full port scan, I did -sV -sC.
00:30
Full port scan. I see that two are open, port 22 is filtered,
00:35
80 is open, Apache. You could of course Google this and see if there are any vulnerabilities for it,
00:40
as well as a Squid proxy. So of course, because 80 is open, I'm going to use my web browser to go to
00:47
this page and I see it's a login page. I'll also view the source
00:53
to see if there's anything interesting, which I don't really.
00:57
And I also see
01:02
that we have Apache, PHP and the Debian operating system. So at least I know, you know, we're dealing with Linux here.
01:08
So how do I get onto this box? This might take you a long time trying to get in here. If I do test@test.com,
01:19
single quote and anything for password,
01:22
we see that there was an error running the query and that we're dealing with MySQL. Right? So this is an error-based SQL injection. Well, it doesn't respond to our typical OR 1=1.
01:36
I showed you this. You have to use the double pipes, right? Double pipes, 1=1. And the pound sign is a comment.
01:44
I don't even think it will work with the other comments. So this is the only comment that it will work with,
01:49
and this will get you some good information.
01:53
It says welcome john@skytech.com.
01:56
So unfortunately you only have $2 here, but we have a username and password for SSH. Well, how do we get on SSH? Well, we know
02:06
that we're dealing with a Squid proxy, right,
02:10
sort of a Squid proxy, an HTTP Squid proxy here. So we need to configure our /etc/hosts file.
02:17
So by nano /etc/... sorry, proxychains.
02:22
If we edit this file
02:24
at the end we could do http 192.168.1.190 on port 3128: http 192.168.1.190 3128. And what this will do is it should allow us to use proxychains to do things like enumerate. So
02:43
if you want to use Nmap, you have to be very, very careful with proxychains.
02:46
So in order to use Nmap with proxychains, you have to use -sT
02:51
-Pn. And you'll notice if we run this,
02:57
port 22 is open, so we can now use port
03:00
22, you can use proxychains to SSH in,
03:06
and we have john's information. Not Sarah's, not yet.
03:09
So if I log in as john, and I've told you this before with the TSH, but if I don't do that,
03:15
here is john,
03:17
you'll notice it just logs me out right off the bat.
03:21
So if I specify my shell as TSH,
03:24
here is john,
03:28
you'll notice I do get my prompt here.
03:30
So I should be john,
03:34
we're at /home/john, but let's take a look at the web directory.
03:43
Of course I'd consider this a bad shell because we can't really see a lot.
03:46
So if I cat login.php,
03:59
I can see
04:01
the database: localhost, root, root, SkyTech.
04:05
So root, root: username, password. SkyTech.
04:11
So I can log into MySQL now,
04:14
mysql,
04:15
user is root, password is root,
04:21
and now we're in the database. So, show databases,
04:28
and we saw from that login script it was using SkyTech. So we can use SkyTech,
04:39
case sensitive. Right?
04:44
All right,
04:45
show tables
04:48
or select
04:51
all from login.
04:55
Mhm.
04:57
And we have, now we have the disgruntled employee Sarah
05:01
that hates her job and we have William.
05:03
So, if I'm thinking who's going to have more juicy information, maybe it's Sarah. So let's try to log in now as Sarah, now that we have her credentials.
05:15
Yeah.
05:16
So let's log in now as Sarah.
05:24
I hate my job.
05:30
I'm sorry. I hate this job.
05:34
At least she's specific. Right.
05:38
So, now what do we have? We are in /home/sarah. Let's do sudo -l. I told you I like to do that,
05:45
and we can see that Sarah can run
05:48
cat and ls, which is great. So if I sudo,
05:53
let me just do this
05:55
ls accounts
05:59
/.., or .. goes back.
06:01
So let's see where accounts is.
06:05
So I'll go here.
06:09
So accounts,
06:11
we see where it is in the root.
06:14
So if I do ls
06:16
accounts
06:19
/../etc,
06:24
it will show me /etc. Right?
06:29
Or if I wanted to ls accounts
06:32
/..
06:34
/etc/passwd.
06:39
Well, it tells me that that file... let's see. Let's see if we get more information,
06:43
accounts
06:46
/../etc/passwd.
06:50
Okay, can we cat that?
06:55
I hope you see what I'm doing here that I can go back a directory.
07:01
So there you go. So now I can use sudo, right, and which directory can I normally not get to?
07:08
sudo ls
07:10
accounts
07:12
/..
07:13
/root.
07:15
So we still have a flag there, and I can also cat this: sudo cat
07:19
accounts
07:23
/..
07:24
/flag.txt.
07:29
Oh, I forgot the root,
07:30
sudo cat
07:33
accounts
07:35
/../root
07:38
/flag.txt.
07:41
And now it says the root password is theskytower. So here we go. Let's get out of here.
07:47
Let's go to root.
07:53
We shouldn't really have to specify this,
07:56
theskytower,
08:00
and now you can see I'm root.
08:09
All right,
08:09
So we're in the root user's
08:11
home directory.
08:16
So that is how you go from,
08:22
basically
08:22
enumerating with Nmap, finding that we have a Squid proxy and we also have a login. You can try sqlmap. sqlmap wouldn't work for me on this, and that's one of the reasons why I picked this: sqlmap wouldn't work on this web form, and it was a really, really tricky
08:41
syntax that you had to use here for the SQL injection.
08:46
So I wanted you to think outside the box on SQL injection. Of course, it gave you that
08:52
big hint
08:54
when you did the single quote.
08:56
And also it kind of tripped you up when you SSH in and it logged you off; you have to think around that as well. So the reason why I like this box was it really made you, I think, think outside the box. You have to do a lot of different configurations if you did this without looking at the walkthroughs and the guides online.
09:13
I mean, kudos to you if you figured out that it was SkyTower,
09:18
there are plenty of walkthroughs and guides for this, and I recommend that you read those as well. But I think this one really made me think outside the box, on how all these different configurations and flags worked to ultimately get on the box
09:35
and get root.