Hands-on Penetration Test Lab Walkthrough

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:00
hands on penetration test, lab walkthrough.
00:07
So really are learning objective here is to get root, right? I don't want to give, you didn't want to give you a lot of information. I wanted it to be kind of
00:14
your opportunity to figure out how to exploit this box. And this is not an easy box to exploit. Uh, and really takes a lot of enumeration figuring out what's going on here. So
00:26
I did a full port scan, I did rsV sc
00:30
Full port skin. I see that to our open port 22 is filtered
00:35
eighties open Apache. You could of course google this and see if there's any vulnerabilities for it
00:40
And as well as a squid proxy. So of course, because 80 is open, I'm going to use my web browser to go to
00:47
this page and I see it's a login page. I'll also view the source
00:53
to see if there's anything interesting, which I don't really.
00:57
And I also see
01:02
that we have Apache, PHP and Debian operating system. So at least I know, you know, we're dealing with Lennox here.
01:08
So how do I get onto this box? This might take you a long time trying to get in here. If I do test at test dot com,
01:19
single quote and anything for password,
01:22
we see that there was an error running the query and that we're dealing with my sequel. Right? So this is uh, an error based sequel injection. Well, it doesn't respond to our typical or one equals one.
01:36
I showed you this. You have to use the double pipes, right? Double pipes. One equals one. And the pound is a comment
01:44
I don't even think will work with the other comments. So this is the only comment that it will work with
01:49
and this will get you some good information.
01:53
He says welcome johN at Sky tech dot com.
01:56
So unfortunately you only have $2 here so but we have a username and password for. Ssh Well how do we get on ssh? Well we know
02:06
that we're dealing with a squid proxy, right
02:10
sort of a squid proxy. HCP squid proxy here. So we need to configure our etc. Hosts file.
02:17
So by nano or etc. M sorry proxy chains.
02:22
If we edit this file
02:24
at the end we could do HDP 1921681 90 on port 3128 HDP 31283128 And what this will do is should allow us to use proxy chains to do things like enumerate. So
02:43
if you want to use End Map, you have to be very very careful with proxy chains.
02:46
So in order to use end map with proxy change, you have to use S. T.
02:51
N. P. N. And you'll notice if we run this
02:57
Port 22 is open so we can now use port
03:00
22, you can use proxy chains to Ssh in
03:06
and we have johN's information. Not Sarah's not yet.
03:09
So if I login is johN and I've told you this before with the TSH, but if I don't do that
03:15
here is johN
03:17
you'll notice it just logs me out right off the bat.
03:21
So if I specify my shell as T. S. H.
03:24
Here is john
03:28
you'll notice I do get my prompt here.
03:30
So I should be johN
03:34
we're at home johN but let's take a look at the web directory.
03:43
Of course I'd consider this a bad show because we can't really see a lot.
03:46
So if I can't log in dot PHP
03:59
I can see
04:01
the database. Local hosts. Root Root Sky Tech.
04:05
So root root username password. Sky Tech.
04:11
So I can log into my sequel Now,
04:14
my sequel
04:15
user is Root password is route
04:21
and now we're in the database. So show databases
04:28
and we saw from that login script. It was using Sky Tech. So we can use Sky Tech
04:39
case sensitive. Right?
04:44
All right,
04:45
show tables
04:48
or select
04:51
all from log in.
04:55
Mhm.
04:57
And we have Now we have the disgruntled employee Sarah
05:01
that hates her job and we have William.
05:03
So, if I'm thinking who's going to have more juicy information? Maybe maybe it's Sarah. So let's let's try to log in now is Sarah now that we have heard credentials?
05:15
Yeah.
05:16
So let's log in now is Sarah.
05:24
I hate my job.
05:30
I'm sorry. I hate this job.
05:34
At least she's specific. Right.
05:38
So, now what do we have? We are home of Sarah. Let's do Sudo. L I told you like to do that
05:45
and we can see that Sarah can run
05:48
cat and LS, which is great. So if I Sudo,
05:53
let me just do this
05:55
Ls accounts
05:59
dot dot or dot dot goes back.
06:01
So let's see where accounts is.
06:05
So I'll go here.
06:09
So accounts,
06:11
we see where it is in the root.
06:14
So if I do Ls
06:16
accounts
06:19
dot dot etc,
06:24
it will show me etc. Right?
06:29
Or if I wanted to L s accounts
06:32
dr
06:34
at sea password.
06:39
Well, it tells me that that file, Let's see. Let's see if we get more information,
06:43
accounts
06:46
dot dot etc password.
06:50
Okay, can we cut that?
06:55
I hope you see what I'm doing here that I can go back a directory.
07:01
So there you go. So now I can use Sudo. Right. And which directory can normally not get too
07:08
Sudo. Ls
07:10
accounts
07:12
dot dot
07:13
route.
07:15
So we still have a flag there and I can also cat this pseudo cat
07:19
accounts
07:23
dot dot
07:24
flag dot txt.
07:29
Oh, I forgot their roots,
07:30
pseudo cat
07:33
accounts
07:35
dot dot route,
07:38
flag dot txt.
07:41
And now it says root password is the sky tower. So here we go. Let's get out of here.
07:47
Let's go to route.
07:53
We shouldn't really have to specify this,
07:56
the sky tower
08:00
and now you can see I'm route.
08:09
All right,
08:09
So we're in the root users
08:11
Home directory.
08:16
So that is how you go from uh
08:22
basically
08:22
a new ring with End Map finding that we have a squid proxy and we also have a login. You can try um sequel map. I didn't get sequel map wouldn't work for me on this and that's one of the reasons why I picked this sequel map wouldn't work on this web form and it was a really, really tricky uh
08:41
syntax that you had to use here for a sequel injection.
08:46
So I wanted you to think outside the box um on sequel injection. Of course, it gave you that
08:52
big hint
08:54
when you did the did the single quote.
08:56
Um and also it kind of tripped you up when you s S station and it logs you want logged you off, you have to think around that as well. So the reason why I like this box was it really made you, I think think outside the Box you have to do a lot of different configurations if you did this without, like looking at the walk throughs and the guides online.
09:13
I mean, kudos to you, if you figured out that it was Sky Tower,
09:18
there are plenty of walk throughs and guides for this, and I recommend that you read those as well. But I think this one really made me think outside the box, on on how to all these different configurations and flags worked to ultimately get on the box
09:35
and get root.
Up Next
Offensive Penetration Testing

The Offensive Penetration Testing course opens the doors to those wanting to begin a penetration testing career. This course will prepare learners to begin their pentesting career journey by understanding what tools, techniques, and resources are available for someone starting out in offensive penetration testing.

Instructed By