NetChameleon.com
VulnHub Write-ups
GoldenEye v1
Initial port scans
unicornscan of all TCP ports
Further investigation into exposed services
SMTP on port 25
HTTP on port 80
POP3 on port 55006
POP3S on port 55007
Plan of attack
Exploitation
Enumerate POP3 accounts
Brute force users' passwords with hydra
Read Boris’s email
Read Natalya’s email
Add domain to /etc/hosts
Exploring Xenia’s Moodle account
Reading Doak’s email
Exploring Dr. Doak’s Moodle account
Logging into the admin user's Moodle account
Low Privilege shell
Privilege escalation
Stapler v1
Initial port scans
unicornscan of all TCP ports
unicornscan of all UDP ports
Further investigation into exposed services
FTP service on port 21
HTTP service on port 80
NETBIOS-SSN service on port 139
Unknown service on port 666
MySQL service on port 3306
HTTP server on port 12380
Wordpress website content
Nikto scan from wordpress website directory
Enumerating Wordpress users manually
Scanning with wpscan
phpMyAdmin
Plan of attack
Exploitation
Using LFI exploit to obtain database user password
Fixing the exploit to work with Stapler
Testing the modified exploit
LFI wp-config.php
LFI /etc/passwd
Gain command execution using MySQL
Privilege escalation
Alternative Methods for initial shell
Targeted Brute forcing SSH passwords
Alternative privilege escalation
Exploit Cron job
Cisco
Raspberry Pi Console Server
Hardware Requirements
Option 1 - using single USB to Serial adapters
Option 2 - using single USB to multiple Serial adapters
Optional for 1 & 2
Deciding what hardware to use
Hardware Installation
Software Installation
Creating udev rules
Configure ser2net
Start and enable ser2net at boot
Testing
The Finished Console server
SQL Injection
SQL Injection
Overview
Example vulnerable PHP login code
Testing possible injections
Bypass authentication
Database enumeration
ORDER BY
UNION SELECT
Code execution
Index