UG MM Lab Write Up


Upload: de-ther-htun

Post on 07-Aug-2015


Page 1: UG MM LAB WRITE UP

UG MMM Lab Report

Here is my write-up for UGMMM lab.

Tools
• ssh
• netdiscover
• nmap
• nc
• medusa

Method
• Scanned the network for the target [Netdiscover]
• Scanned the target for ports, services and versions [Nmap]
• Local port forward to the target web server [ssh]
• Back connect from the target server [nc]
• Username/password brute force against the ssh service [Medusa]

First, I connected to 23.254.101.209 over ssh on port 2021. Then I checked which hosts were up and searched for the target host with the netdiscover tool and nmap.

I found 3 hosts up on the network:
• 10.10.10.2
• 10.10.10.132
• 10.10.10.254


Scanning with “Netdiscover” produces a list of the IP addresses, MAC addresses and known vendors of all hosts currently connected to the network. The target host had not spoofed its MAC address and was running inside a VM. Since only one vendor in the list relates to a VM, VMware, the target was identified from that entry.

The target's running services can then be identified by Nmap scanning.

Scanning To Target Host

Running nmap with the service scan (-sV) and aggressive scan (-A) options shows which services, ports and versions are running on the target host.

Command# nmap -A -sV -Pn -O 10.10.10.132

Open Ports

• 21 (ftp)
• 22 (ssh)
• 25 (smtp)
• 80 (http)
• 138 (netbios-ssn)
• 443 (ssl/http)
• 445 (netbios-ssn)
• 512 (exec)
• 513 (login)
• 514 (tcpwrapped)
• 3306 (mysql)

Port Forward

After scanning, I knew that the http service on port 80 of the target host was open. Now I am trying to browse the web. The target web server's network and my network differ in public and private IP addressing, so I have to set up a local port forward over an ssh tunnel. Let me forward the target web server's port 80 to my local port 8000.


Then, without closing the terminal that holds the ssh connection, open a new terminal to check whether the port forward succeeded, using the netstat command as follows.

Web Application Exploitation

Congratulations! I congratulated myself and opened my browser, Firefox. Type “localhost:8000” in the address bar and choose a web application module to exploit.


I chose Command Injection at the medium level. In the DNS lookup bar, write some bash commands to request data from the target host, e.g. ls, id, cat /etc/passwd, etc.

The ls command works when chained with a pipe. So I tried to make a back connection: I used the nc command and bound /bin/bash to listen on port 4445. (PS: the port number can be chosen freely from any free port.)
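The DNS lookup field above is vulnerable because the submitted hostname is pasted into a shell command string, so a pipe or semicolon starts a second command. The following is an added example, not code from the lab or its author, showing the weak pattern next to a hardened version of the same lookup: the input is validated as a plain hostname or IPv4 address and passed as a separate argv element, so no shell ever parses it. The function names and the use of nslookup are assumptions for illustration.

```python
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens separated by dots,
# no label starting or ending with a hyphen. This also rejects a leading '-', so the
# value cannot be mistaken for an nslookup option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_IPV4_RE = re.compile(rf"^(?:{_OCTET}\.){{3}}{_OCTET}$")


def is_valid_target(value: str) -> bool:
    """Accept only a bare hostname or IPv4 address.

    Shell metacharacters (';', '|', '&', spaces, quotes) are rejected by
    construction because the regexes only admit letters, digits, '-' and '.'.
    """
    if not value or len(value) > 253:
        return False
    return bool(_HOSTNAME_RE.match(value) or _IPV4_RE.match(value))


def vulnerable_command(user_input: str) -> str:
    """The weak pattern: user input concatenated into a string that is later handed
    to /bin/sh (e.g. via os.system or subprocess with shell=True). Everything after a
    ';' or '|' in the input becomes an additional command. Returned here for
    inspection only; it is deliberately never executed in this example."""
    return "nslookup " + user_input


def hardened_argv(user_input: str) -> list:
    """Validate first, then build an argv list so the shell never sees the input."""
    if not is_valid_target(user_input):
        raise ValueError("invalid hostname or IP address")
    return ["nslookup", user_input]


def hardened_lookup(user_input: str, timeout: float = 5.0) -> str:
    """Run the lookup with shell=False and a timeout; raises ValueError on bad input."""
    argv = hardened_argv(user_input)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=timeout, shell=False, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: a legitimate target and one carrying an injected command.
    for candidate in ["10.10.10.132", "example.com", "10.10.10.132; id"]:
        print(candidate, "->", "accepted" if is_valid_target(candidate) else "rejected")
```

The allow-list check is the important part: escaping individual metacharacters is fragile, while restricting the field to the characters a hostname can legally contain and passing it as its own argv element closes the whole class of injection.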


I logged in to 23.254.101.209 and connected to the target host with nc. The connection was established, but I was a normal user with a limited-access shell. So I broke out of the limited shell with a python privilege escalation script.

Check how many users exist on the target host, to enumerate usernames for the brute force.

Command# cat /etc/passwd or

Command# ls /home/


Sometimes administrators use dictionary words as passwords. So I started a brute force against the target host with medusa.

I waited a few minutes and then got the root password.

Finally I got root access and added my name to /root/flag.txt.
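From the defender's side, the medusa run above leaves a dense trail of "Failed password" events from one source in the sshd auth log, followed by an "Accepted password" from the same source once the dictionary hits. The following is an added example, not from the lab or its author, that parses constructed auth log lines in OpenSSH's syslog format, counts failures per source IP, records which usernames were tried, and flags a password login that follows repeated failures from the same IP. The sample lines, the threshold of 5 and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH/syslog format; these are not from the lab.
SAMPLE_AUTH_LOG = """\
Aug  7 10:01:02 target sshd[2101]: Failed password for root from 10.10.10.2 port 50112 ssh2
Aug  7 10:01:03 target sshd[2103]: Failed password for root from 10.10.10.2 port 50114 ssh2
Aug  7 10:01:03 target sshd[2105]: Failed password for invalid user admin from 10.10.10.2 port 50116 ssh2
Aug  7 10:01:04 target sshd[2107]: Failed password for root from 10.10.10.2 port 50118 ssh2
Aug  7 10:01:04 target sshd[2109]: Failed password for root from 10.10.10.2 port 50120 ssh2
Aug  7 10:01:05 target sshd[2111]: Accepted password for root from 10.10.10.2 port 50122 ssh2
Aug  7 10:05:00 target sshd[2200]: Failed password for alice from 10.10.10.254 port 41000 ssh2
Aug  7 10:05:30 target sshd[2202]: Accepted publickey for alice from 10.10.10.254 port 41002 ssh2
"""

# "invalid user" appears when the username does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")


def analyse_auth_log(text, threshold=5):
    """Return per-source failure counts over the threshold, usernames tried per
    source, and password logins that followed earlier failures from that source."""
    failures = Counter()          # source IP -> number of failed password attempts
    users = defaultdict(set)      # source IP -> set of usernames tried
    success_after_failures = []   # (ip, user, prior_failures)

    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            # A key-based login is not what a password brute force produces,
            # so only a password login after failures is treated as suspicious.
            if method == "password" and failures[ip] > 0:
                success_after_failures.append((ip, user, failures[ip]))

    flagged = {ip: n for ip, n in failures.items() if n >= threshold}
    return {
        "flagged": flagged,
        "users": {ip: sorted(u) for ip, u in users.items()},
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    report = analyse_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in report["flagged"].items():
        print(f"{ip}: {n} failed attempts, users tried: {report['users'][ip]}")
    for ip, user, n in report["success_after_failures"]:
        print(f"ALERT {ip}: password login as {user} after {n} failures")
```

The "success after failures" signal is the one worth paging on, since a burst of failures alone is background noise on any exposed sshd. The corresponding hardening is to stop accepting passwords for root (PermitRootLogin without-password or no, PasswordAuthentication no in sshd_config) and to rate-limit sources with a tool such as fail2ban, which removes the condition the write-up relied on.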