I’ve recently been approached to help introduce some new folk to the wonderful world of ethical hacking. The assumption is that they may know the basic theory behind the stages of rooting a target, but have little by way of hands-on experience. Ideally I want something that can be completed in a group scenario where everyone can play along and achieve root in a couple of hours tops. After looking around, Toppo seemed to fit the bill quite nicely. Besides, it’s also a nice little brain teaser for the more experienced folk to keep themselves sharp.

So … as always, let’s see where our target is on the network with netdiscover. ‘-i eth0’ basically means ‘look for targets on ethernet interface zero’. The /24 on the IP address basically means ‘look for machines anywhere in 10.10.10.0 through 10.10.10.255’ (.0 is the network address and .255 the broadcast address, so the usable host addresses are .1 through .254). For a more detailed explanation, search for ‘CIDR’ (Classless Inter-Domain Routing).

Step 1: Service Discovery (basic TCP open port scan)

Since we know that 10.10.10.1 is the DHCP server (VirtualBox ‘Internal Network’), that leaves us with 10.10.10.2. We perform an ‘all ports’ TCP scan (-p-) to see what is open. Since we are in an isolated CTF scenario and not worried about a Blue Team snooping on us, we can up the scan timing to -T4 without compromising accuracy. There is no need at this point to output results to a file … unless of course we get a long series of open ports (which may require some grep work).

MAC Address: 08:00:27:CB:57:1E (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 17.72 seconds

We can now perform an aggressive scan (-A) on port 22, 80, 10. Although ‘aggressive’ scans take more time, generally this isn’t an issue if it yields a more detailed picture of the target based on a specific range of ports. It is still much quicker than running an aggressive scan on all 65535 TCP ports - while that is comprehensive, it is like taking a sledgehammer to crack a nut.

|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Clean Blog - Start Bootstrap Theme
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 29.26 seconds

* SSH: Port 22, OpenSSH 6.7p1 Debian 5+deb8u4. Not the most up-to-date version, so possible exploits to be reviewed. Connecting with Netcat confirms the above.
* HTTP: Port 80, appears to be a blog site called ‘Clean Blog’. Just one minor annoying point: I run my VMs inside a Host Only Network, which means they are isolated from the Internet. However, I noticed that the web browser was spinning its wheels trying to load something. Not a major issue, but it just meant I had to click the ‘stop’ button.

We haven’t done a UDP port scan yet, so may need a revisit. It also accounts for TCP 57870, which is listed separately.

Other details: Linux kernel - somewhere between 3.2 and 4.9 … not very precise; not enough detail (for now). We might revisit kernel versions if we need to do some privesc. Let’s go forward by pursuing the blog - it’s the most obvious choice.

Web Recon

Step 0: Initial web root review

We already know that it is a blog of some description. A check is made of the HTML source for any comments that might give away useful information - e.g. blog software, paths, comments with usernames and passwords etc. Taking a look at the article authors: they are all ‘Start Bootstrap’. There are a number of articles as well as links at the top of the page, so at this point it is good to proxy everything through Burp to gain a more comprehensive view of things. For example, there might be clues in style sheets, metadata (EXIF data) in images etc. It’s not a particularly large site, so we can quickly run through it manually.

Step 2: Try some ‘stupid’ things

At this point, the ‘easiest’ next steps would be to use Nikto (a basic web vulnerability scanner) and something such as dirb (although I now prefer gobuster). However, ‘easiest’ may be a bit of a time waster. Let’s keep it simple for now. First up, we should check whether we get a hit on ‘/wp-admin’, as this may suggest that we are dealing with WordPress (yes, I know we could be dealing with a false trail), but we can always confirm findings with a tool such as WPScan or CMSmap. As it turns out … we get a 404 (not illustrated).
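The Step 1 procedure above, as an added example that is not part of the original write-up: netdiscover on the /24, the full -p- TCP sweep, the ‘grep work’ that turns a long list of open ports into a -p argument, and the follow-up -A scan limited to those ports. The nmap output embedded below is a constructed sample (not a real capture) using only the ports the post mentions; the address 10.10.10.2 and interface eth0 are the ones from the post, and the file name the sweep is written to is my own choice.

```shell
#!/bin/sh
# Added example, not from the original write-up: Step 1 scripted.
# Assumes netdiscover and nmap are installed and that this runs as root
# (needed for ARP discovery and for -A's OS detection).

# Find live hosts on the range via ARP, the way the post does interactively.
# -P makes netdiscover print parseable results once and exit (no curses UI).
discover_hosts() {
    iface="$1"; range="$2"              # e.g. eth0 10.10.10.0/24
    netdiscover -i "$iface" -r "$range" -P
}

# The "grep work": pull open TCP ports out of nmap's normal output and
# join them with commas, which is the format "nmap -p" expects.
open_ports_from_nmap() {
    awk '/^[0-9]+\/tcp[[:space:]]+open/ {
             split($1, f, "/")
             ports = ports (ports == "" ? "" : ",") f[1]
         }
         END { printf "%s", ports }'
}

# Constructed sample of what "nmap -p- -T4 10.10.10.2" prints, limited to
# the ports the write-up mentions (22, 80, 57870). Not a real capture.
SAMPLE_NMAP_OUTPUT='Starting Nmap ( https://nmap.org )
Nmap scan report for 10.10.10.2
Host is up (0.00021s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
57870/tcp open  unknown
MAC Address: 08:00:27:CB:57:1E (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 17.72 seconds'

# Stand-alone demo on the sample (no network needed).
ports_from_sample() {
    printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | open_ports_from_nmap
}

# Full Step 1 against a live target: fast all-ports sweep, then -A only on
# what answered. The sweep is written to a file here (hypothetical name)
# because the -A command line is built from it.
recon() {
    target="$1"
    sweep="nmap_${target}_all_ports.txt"
    nmap -p- -T4 -oN "$sweep" "$target" >/dev/null
    ports=$(open_ports_from_nmap < "$sweep")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    nmap -A -T4 -p "$ports" "$target"
}

# Live usage:  discover_hosts eth0 10.10.10.0/24 ; recon 10.10.10.2
```

Only lines whose state is exactly `open` are collected, so `filtered` ports from a firewalled host are not fed to the -A scan; widen the awk pattern to `open|filtered` if you want those probed too.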
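The Step 0 source review and the Step 2 ‘/wp-admin’ check, as an added example that is not part of the original post: a comment extractor run over a constructed HTML page (including a comment that spans two lines, the kind that is easy to miss when skimming view-source), and a status-code probe that applies the same caveat the post makes, namely that a 404 does not rule WordPress out. The sample page, the verdict wording and the `review_site` wrapper are my own; nothing below is a finding from the target.

```shell
#!/bin/sh
# Added example, not from the original write-up: the manual web-root
# review from Step 0 and the /wp-admin probe from Step 2, scripted.
# Assumes curl is installed for the live functions.

# Print every line that is part of an HTML comment, including comments
# that span several lines. Reads HTML on stdin.
html_comments() {
    awk '/<!--/ { inside = 1 } inside { print } /-->/ { inside = 0 }'
}

# Return only the HTTP status code for a path on the target.
probe_path() {
    base="$1"; path="$2"
    curl -s -o /dev/null -w '%{http_code}' "${base}${path}"
}

# Reason about the probe the way Step 2 does: a hit on /wp-admin is a hint
# to confirm with WPScan or CMSmap; a 404 is inconclusive, not a negative.
wp_admin_verdict() {
    case "$1" in
        200|301|302|403) echo "possible WordPress (confirm with WPScan/CMSmap)" ;;
        404)             echo "no /wp-admin (does not rule WordPress out)" ;;
        *)               echo "unexpected status $1" ;;
    esac
}

# Constructed sample page: two comments, one of them spanning two lines.
SAMPLE_HTML='<!DOCTYPE html>
<html>
<head>
  <title>Clean Blog - Start Bootstrap Theme</title>
  <!-- constructed sample: theme stylesheet -->
  <link href="css/clean-blog.min.css" rel="stylesheet">
</head>
<body>
  <!-- constructed sample:
       a two-line comment that is easy to miss when skimming -->
  <p>Posted by Start Bootstrap</p>
</body>
</html>'

# Stand-alone demo on the sample (no network needed).
comments_from_sample() {
    printf '%s\n' "$SAMPLE_HTML" | html_comments
}

# Live use, e.g.  review_site http://10.10.10.2
review_site() {
    base="$1"
    echo "== HTML comments in ${base}/ =="
    curl -s "${base}/" | html_comments
    echo "== /wp-admin/ probe =="
    wp_admin_verdict "$(probe_path "$base" /wp-admin/)"
}
```

Run the live functions through Burp by exporting `http_proxy=http://127.0.0.1:8080` first, so the requests land in the proxy history alongside the manual browsing the post recommends.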