SlideShare a Scribd company logo

3. Basic Pentesting 1 Walkthrough.pdf

Setiya Nugroho
Setiya Nugroho

Basic Pentesting

Technology
1 of 14
Download to read offline
Modul Praktikum Keamanan Jaringan ============================== 1 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Lab - Basic Pentesting: 1 CTF Walkthrough This small boot2root VM contains multiple remote vulnerabilities and multiple privilege escalation vectors. The validation for this walkthrough used VirtualBox, which is the recommended platform. It may also work with VMware. Hardware Requirements • Installation of VirtualBox • One virtual install of Kali Linux • One virtual install of the Basic Pentesting OVA file, which can be downloaded from here. Ensure the network adapter for both machines to set to either bridged or NAT. This VM will not boot until you go into the settings and disable the USB controller. This CTF is specifically intended for those new to penetration testing. If you’re a beginner, you should hopefully find the difficulty of the VM to be just right. Your goal is to attack this VM and gain root privileges remotely. Organization Create a folder on the desktop of your Kali machine. Name the folder, pentest. When using a terminal, change the directory to the pentest folder and run all your commands from this location. Save any downloads or captured files to this location.
Modul Praktikum Keamanan Jaringan ============================== 2 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Enumeration We begin with the basics (always) by enumerating the machine for its IP address and any open ports and running services. There’s no harm in getting the network ranges by doing an IFCONFIG from your Kali terminal. Once we have our network range, we can discover the target machine’s IP address using netdiscover, Nmap, or ARP. Using netdiscover netdiscover -r 192.168.0.0/24
Modul Praktikum Keamanan Jaringan ============================== 3 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Using ARP arp-scan -l We’re now ready to do a Nmap scan. This is my IP address for my target! Your target IP address will differ! nmap -sS -AT4 192.168.0.30 The -sS switch looks for open ports and services, while the -AT4 switch looks for OS information. From the results, we look for the low-hanging fruit first.
Modul Praktikum Keamanan Jaringan ============================== 4 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Port: 21 There is an ftp server listening on port 21. Nmap informs us that the ftp service is likely ProFTPD 1.3.3c. Port: 22 There is an ssh service listening on port 22. Nmap informs us that it is likely OpenSSH 7.2p2 Ubuntu 4ubuntu 2.2. Port: 80 There is an HTTP server listening on port 80. It is likely Apache httpd 2.4.18. Since we have HTTP running on port 80, let’s conduct a web server scan using Nikto and dirb. This is my IP address for my target! Your target IP address will differ! nikto -host 192.168.0.30
Modul Praktikum Keamanan Jaringan ============================== 5 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang dirb http://192.168.0.30 This is my IP address for my target! Your target IP address will differ! DIRB is a Web Content Scanner. It looks for existing or hidden Web Objects. It works by launching a dictionary-based attack against a web server and analyzing the response. Nikto and dirb both indicate the existence of a secret directory at /secret/. Furthermore, the files and directories discovered by dirb suggest that /secret/ is a WordPress site. Visiting the page confirms this, so we will run a scan to enumerate the site.
Modul Praktikum Keamanan Jaringan ============================== 6 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Using our browser and the IP address of the target, we get the default page for the site. Appending/secret to the front of the IP address gives up the hidden page. The website is distorted, but we now know this is a WordPress site. Let’s add the domain name to our Kali host file to see if we can get the theme page. This is my IP address for my target! Your target IP address will differ! echo "192.168.0.30 vtcsec" >> /etc/hosts
Modul Praktikum Keamanan Jaringan ============================== 7 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Using the same IP and URL for the /secret/ page, we now get the WordPress theme page properly rendered. Scroll down the page until you come to the link for the login. Nearly all well know applications and networking devices come preconfigured with a default username and password. We should always try the well-known default username password when attempting to guess the login information. For example, for a Cisco appliance out of the box, the default username and password are cisco: cisco, and for a WordPress site, admin: admin.
Modul Praktikum Keamanan Jaringan ============================== 8 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang We attempt to login into the word press site using the default username and password of admin: admin. And we are in! We now have complete administrative access to the WordPress site. This is more common than you might think. As a pentester or hacker, you will find plenty of default usernames and passwords being used. We need not waste our time trying to guess login credentials. These can be discovered using any number of vulnerability scanners with a signature file that will attempt to log in using the default credentials. For WordPress, we can use wpscan scan to brute-force the login credentials for a WordPress site. wpscan --url http://192.168.0.30/secret/ This is my IP address for my target! Your target IP address will differ!
Modul Praktikum Keamanan Jaringan ============================== 9 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang We can now use wpscan with a wordlist to try and brute force the password. wpscan --url 192.168.0.30/secret --passwords /usr/share/wordlists/dirb/big.txt --threads 2 Reading the scan results, it seems we did not recover a password, but there is an error message “We received an unknown response for login: admin and password: admin.” So we did brute- force the site and recovered admin: admin as the username and password. We type in admin as the username and admin as the password back to our WordPress login page. Success! We have logged onto the WordPress site with full administrative access; this will allow us to upload and run files on the server.
Modul Praktikum Keamanan Jaringan ============================== 10 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Vulnerability Analysis We have two additional ports to examine. Using searchsploit, we can look for any known exploit that might be used against the FTP service and version running on the server, ProFTPD 1.3.3c FTP Searchsploit indicates that this version of ProFTPD can be backdoored, and there is a Metasploit module for the exploit. We will return to this opportunity later. SSH searchsploit OpenSSH 7.2p2 We find a vulnerability in this version of OpenSSH that allows username enumeration. Still, since we are likely to get a shell through either FTP or HTTP, we can mark this as the last chance for romance-type possibility.
Modul Praktikum Keamanan Jaringan ============================== 11 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Exploitation We can search Metasploit for the FTP exploit we found earlier using searchsploit. We found our exploit, and it is rated as excellent. We next need to load the exploit. Use the show options command to see what setting to configure.
Modul Praktikum Keamanan Jaringan ============================== 12 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang For this exploit, all we need to set is the remote host’s IP address, which is our target IP address. Next, set the payload. To see what payloads are available, use the show payload command. We can use the number associated with the payload. For this lab, we can use payload 0. set payload 0
Modul Praktikum Keamanan Jaringan ============================== 13 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang At the prompt, type in the exploit command. We’re not going to see a prompt, but it’s there. We next need to use a bit of Python coding to improve our situation. python -c 'import pty; pty.spawn("/bin/bash")' We have root access to the machine! Summary – This was an easy CTF to complete. There are plenty of walkthroughs for this CTF on the Internet. I tried many of them and ended up taking bits and pieces for two or three of the best to get one that would work with the latest version of Kali and the software. We exploited FTP, HTTP, and WordPress. You were shown how to use wpscan to brute-force a username and password on the WordPress site. You were introduced to a bit of Python code to take a limited shell to full root access. This lab had something for everyone and used the hacking methodology to gain root access. Get used to building and organizing your attack. You don’t want files scattered all over your desktop. For every step shown in the walkthrough, there are 3 or 4 others that will get you the same result.
Modul Praktikum Keamanan Jaringan ============================== 14 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Everything shown is reusable and, over time, and with enough practice, you will start to recall some of your favorite exploits. End of the Walkthrough!

Recommended

Writing & Sharing Great Modules - Puppet Camp Boston
Writing & Sharing Great Modules - Puppet Camp BostonWriting & Sharing Great Modules - Puppet Camp Boston
Writing & Sharing Great Modules - Puppet Camp Boston
Puppet
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
Freddy Buenaño
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
InfosecTrain
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
Velocidex Enterprises
 
CloudOps CloudStack Days, Austin April 2015
CloudOps CloudStack Days, Austin April 2015CloudOps CloudStack Days, Austin April 2015
CloudOps CloudStack Days, Austin April 2015
CloudOps2005
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docx
stirlingvwriters
 

Recommended

Writing & Sharing Great Modules - Puppet Camp Boston
Writing & Sharing Great Modules - Puppet Camp BostonWriting & Sharing Great Modules - Puppet Camp Boston
Writing & Sharing Great Modules - Puppet Camp Boston
Puppet
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
Freddy Buenaño
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
InfosecTrain
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
Velocidex Enterprises
 
CloudOps CloudStack Days, Austin April 2015
CloudOps CloudStack Days, Austin April 2015CloudOps CloudStack Days, Austin April 2015
CloudOps CloudStack Days, Austin April 2015
CloudOps2005
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docx
stirlingvwriters
 
50 tips50minutes
50 tips50minutes50 tips50minutes
50 tips50minutes
Bhakti Mehta
 
DevFest | Presentation | Final - Imran Roshan
DevFest | Presentation | Final - Imran RoshanDevFest | Presentation | Final - Imran Roshan
DevFest | Presentation | Final - Imran Roshan
ImranRoshan5
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)
Conrad Cruz
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filtering
Conrad Cruz
 
Building a Gateway Server
Building a Gateway ServerBuilding a Gateway Server
Building a Gateway Server
Dashamir Hoxha
 
One-Man Ops
One-Man OpsOne-Man Ops
One-Man Ops
Jos Boumans
 
NetDevOps Development Environments
NetDevOps Development EnvironmentsNetDevOps Development Environments
NetDevOps Development Environments
Joel W. King
 
Ubuntu And Parental Controls
Ubuntu And Parental ControlsUbuntu And Parental Controls
Ubuntu And Parental Controls
jasonholtzapple
 
CloudStack - Top 5 Technical Issues and Troubleshooting
CloudStack - Top 5 Technical Issues and TroubleshootingCloudStack - Top 5 Technical Issues and Troubleshooting
CloudStack - Top 5 Technical Issues and Troubleshooting
ShapeBlue
 
REMOTE TRIGGERED SOFTWARE DEFINED RADIO
REMOTE TRIGGERED SOFTWARE DEFINED RADIOREMOTE TRIGGERED SOFTWARE DEFINED RADIO
REMOTE TRIGGERED SOFTWARE DEFINED RADIO
Kunal Bidkar
 
Managing and Scaling Puppet - PuppetConf 2014
Managing and Scaling Puppet - PuppetConf 2014Managing and Scaling Puppet - PuppetConf 2014
Managing and Scaling Puppet - PuppetConf 2014
Puppet
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
smalltown
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
Jayesh Patel
 
MySQL Database Service Webinar: Upgrading from on-premise MySQL to MDS
MySQL Database Service Webinar: Upgrading from on-premise MySQL to MDSMySQL Database Service Webinar: Upgrading from on-premise MySQL to MDS
MySQL Database Service Webinar: Upgrading from on-premise MySQL to MDS
Frederic Descamps
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days
 
Druid in Spot Instances
Druid in Spot InstancesDruid in Spot Instances
Druid in Spot Instances
Imply
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
Muhammad Moinur Rahman
 
sfdx continuous Integration with Jenkins on aws (Part I)
sfdx continuous Integration with Jenkins on aws (Part I)sfdx continuous Integration with Jenkins on aws (Part I)
sfdx continuous Integration with Jenkins on aws (Part I)
Jérémy Vial
 
How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...
How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...
How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...
Cloudian
 
Writing & Sharing Great Modules on the Puppet Forge
Writing & Sharing Great Modules on the Puppet ForgeWriting & Sharing Great Modules on the Puppet Forge
Writing & Sharing Great Modules on the Puppet Forge
Puppet
 
Modul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdfModul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdf
Setiya Nugroho
 
Modul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdfModul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdf
Setiya Nugroho
 

More Related Content

Similar to 3. Basic Pentesting 1 Walkthrough.pdf

Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)
Conrad Cruz
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filtering
Conrad Cruz
 
REMOTE TRIGGERED SOFTWARE DEFINED RADIO
REMOTE TRIGGERED SOFTWARE DEFINED RADIOREMOTE TRIGGERED SOFTWARE DEFINED RADIO
REMOTE TRIGGERED SOFTWARE DEFINED RADIO
Kunal Bidkar
 
How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...
How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...
How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...
Cloudian
 

Similar to 3. Basic Pentesting 1 Walkthrough.pdf (20)

50 tips50minutes
50 tips50minutes50 tips50minutes
50 tips50minutes
 
DevFest | Presentation | Final - Imran Roshan
DevFest | Presentation | Final - Imran RoshanDevFest | Presentation | Final - Imran Roshan
DevFest | Presentation | Final - Imran Roshan
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filtering
 
Building a Gateway Server
Building a Gateway ServerBuilding a Gateway Server
Building a Gateway Server
 
One-Man Ops
One-Man OpsOne-Man Ops
One-Man Ops
 
NetDevOps Development Environments
NetDevOps Development EnvironmentsNetDevOps Development Environments
NetDevOps Development Environments
 
Ubuntu And Parental Controls
Ubuntu And Parental ControlsUbuntu And Parental Controls
Ubuntu And Parental Controls
 
CloudStack - Top 5 Technical Issues and Troubleshooting
CloudStack - Top 5 Technical Issues and TroubleshootingCloudStack - Top 5 Technical Issues and Troubleshooting
CloudStack - Top 5 Technical Issues and Troubleshooting
 
REMOTE TRIGGERED SOFTWARE DEFINED RADIO
REMOTE TRIGGERED SOFTWARE DEFINED RADIOREMOTE TRIGGERED SOFTWARE DEFINED RADIO
REMOTE TRIGGERED SOFTWARE DEFINED RADIO
 
Managing and Scaling Puppet - PuppetConf 2014
Managing and Scaling Puppet - PuppetConf 2014Managing and Scaling Puppet - PuppetConf 2014
Managing and Scaling Puppet - PuppetConf 2014
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
MySQL Database Service Webinar: Upgrading from on-premise MySQL to MDS
MySQL Database Service Webinar: Upgrading from on-premise MySQL to MDSMySQL Database Service Webinar: Upgrading from on-premise MySQL to MDS
MySQL Database Service Webinar: Upgrading from on-premise MySQL to MDS
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
 
Druid in Spot Instances
Druid in Spot InstancesDruid in Spot Instances
Druid in Spot Instances
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
sfdx continuous Integration with Jenkins on aws (Part I)
sfdx continuous Integration with Jenkins on aws (Part I)sfdx continuous Integration with Jenkins on aws (Part I)
sfdx continuous Integration with Jenkins on aws (Part I)
 
How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...
How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...
How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...
 
Writing & Sharing Great Modules on the Puppet Forge
Writing & Sharing Great Modules on the Puppet ForgeWriting & Sharing Great Modules on the Puppet Forge
Writing & Sharing Great Modules on the Puppet Forge
 

More from Setiya Nugroho

More from Setiya Nugroho (14)

Modul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdfModul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdf
 
Modul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdfModul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdf
 
Web-based culinary tourism recommendation system
Web-based culinary tourism recommendation systemWeb-based culinary tourism recommendation system
Web-based culinary tourism recommendation system
 
Network Automation.pdf
Network Automation.pdfNetwork Automation.pdf
Network Automation.pdf
 
RPS 2022-Pemrograman Web 2.pdf
RPS 2022-Pemrograman Web 2.pdfRPS 2022-Pemrograman Web 2.pdf
RPS 2022-Pemrograman Web 2.pdf
 
10. Data Security.pdf
10. Data Security.pdf10. Data Security.pdf
10. Data Security.pdf
 
Basic Cryptography.pdf
Basic Cryptography.pdfBasic Cryptography.pdf
Basic Cryptography.pdf
 
Web Programming Form
Web Programming FormWeb Programming Form
Web Programming Form
 
Access Control Fundamentals
Access Control FundamentalsAccess Control Fundamentals
Access Control Fundamentals
 
case study1 web defacement answer.pdf
case study1 web defacement answer.pdfcase study1 web defacement answer.pdf
case study1 web defacement answer.pdf
 
WEEK5 Mobile Device Security 31032022.pdf
WEEK5 Mobile Device Security 31032022.pdfWEEK5 Mobile Device Security 31032022.pdf
WEEK5 Mobile Device Security 31032022.pdf
 
Modul 05 Framework CodeIgniter.pdf
Modul 05 Framework CodeIgniter.pdfModul 05 Framework CodeIgniter.pdf
Modul 05 Framework CodeIgniter.pdf
 
Malware
MalwareMalware
Malware
 
Modul 4 Web Programming HTML Form & Hyperlink.pdf
Modul 4 Web Programming HTML Form & Hyperlink.pdfModul 4 Web Programming HTML Form & Hyperlink.pdf
Modul 4 Web Programming HTML Form & Hyperlink.pdf
 

Recently uploaded

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 

Recently uploaded (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

3. Basic Pentesting 1 Walkthrough.pdf

  • 1. Modul Praktikum Keamanan Jaringan ============================== 1 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Lab - Basic Pentesting: 1 CTF Walkthrough This small boot2root VM contains multiple remote vulnerabilities and multiple privilege escalation vectors. The validation for this walkthrough used VirtualBox, which is the recommended platform. It may also work with VMware. Hardware Requirements • Installation of VirtualBox • One virtual install of Kali Linux • One virtual install of the Basic Pentesting OVA file, which can be downloaded from here. Ensure the network adapter for both machines to set to either bridged or NAT. This VM will not boot until you go into the settings and disable the USB controller. This CTF is specifically intended for those new to penetration testing. If you’re a beginner, you should hopefully find the difficulty of the VM to be just right. Your goal is to attack this VM and gain root privileges remotely. Organization Create a folder on the desktop of your Kali machine. Name the folder, pentest. When using a terminal, change the directory to the pentest folder and run all your commands from this location. Save any downloads or captured files to this location.
  • 2. Modul Praktikum Keamanan Jaringan ============================== 2 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Enumeration We begin with the basics (always) by enumerating the machine for its IP address and any open ports and running services. There’s no harm in getting the network ranges by doing an IFCONFIG from your Kali terminal. Once we have our network range, we can discover the target machine’s IP address using netdiscover, Nmap, or ARP. Using netdiscover netdiscover -r 192.168.0.0/24
  • 3. Modul Praktikum Keamanan Jaringan ============================== 3 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Using ARP arp-scan -l We’re now ready to do a Nmap scan. This is my IP address for my target! Your target IP address will differ! nmap -sS -AT4 192.168.0.30 The -sS switch looks for open ports and services, while the -AT4 switch looks for OS information. From the results, we look for the low-hanging fruit first.
  • 4. Modul Praktikum Keamanan Jaringan ============================== 4 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Port: 21 There is an ftp server listening on port 21. Nmap informs us that the ftp service is likely ProFTPD 1.3.3c. Port: 22 There is an ssh service listening on port 22. Nmap informs us that it is likely OpenSSH 7.2p2 Ubuntu 4ubuntu 2.2. Port: 80 There is an HTTP server listening on port 80. It is likely Apache httpd 2.4.18. Since we have HTTP running on port 80, let’s conduct a web server scan using Nikto and dirb. This is my IP address for my target! Your target IP address will differ! nikto -host 192.168.0.30
  • 5. Modul Praktikum Keamanan Jaringan ============================== 5 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang dirb http://192.168.0.30 This is my IP address for my target! Your target IP address will differ! DIRB is a Web Content Scanner. It looks for existing or hidden Web Objects. It works by launching a dictionary-based attack against a web server and analyzing the response. Nikto and dirb both indicate the existence of a secret directory at /secret/. Furthermore, the files and directories discovered by dirb suggest that /secret/ is a WordPress site. Visiting the page confirms this, so we will run a scan to enumerate the site.
  • 6. Modul Praktikum Keamanan Jaringan ============================== 6 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Using our browser and the IP address of the target, we get the default page for the site. Appending/secret to the front of the IP address gives up the hidden page. The website is distorted, but we now know this is a WordPress site. Let’s add the domain name to our Kali host file to see if we can get the theme page. This is my IP address for my target! Your target IP address will differ! echo "192.168.0.30 vtcsec" >> /etc/hosts
  • 7. Modul Praktikum Keamanan Jaringan ============================== 7 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Using the same IP and URL for the /secret/ page, we now get the WordPress theme page properly rendered. Scroll down the page until you come to the link for the login. Nearly all well know applications and networking devices come preconfigured with a default username and password. We should always try the well-known default username password when attempting to guess the login information. For example, for a Cisco appliance out of the box, the default username and password are cisco: cisco, and for a WordPress site, admin: admin.
  • 8. Modul Praktikum Keamanan Jaringan ============================== 8 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang We attempt to login into the word press site using the default username and password of admin: admin. And we are in! We now have complete administrative access to the WordPress site. This is more common than you might think. As a pentester or hacker, you will find plenty of default usernames and passwords being used. We need not waste our time trying to guess login credentials. These can be discovered using any number of vulnerability scanners with a signature file that will attempt to log in using the default credentials. For WordPress, we can use wpscan scan to brute-force the login credentials for a WordPress site. wpscan --url http://192.168.0.30/secret/ This is my IP address for my target! Your target IP address will differ!
  • 9. Modul Praktikum Keamanan Jaringan ============================== 9 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang We can now use wpscan with a wordlist to try and brute force the password. wpscan --url 192.168.0.30/secret --passwords /usr/share/wordlists/dirb/big.txt --threads 2 Reading the scan results, it seems we did not recover a password, but there is an error message “We received an unknown response for login: admin and password: admin.” So we did brute- force the site and recovered admin: admin as the username and password. We type in admin as the username and admin as the password back to our WordPress login page. Success! We have logged onto the WordPress site with full administrative access; this will allow us to upload and run files on the server.
  • 10. Modul Praktikum Keamanan Jaringan ============================== 10 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Vulnerability Analysis We have two additional ports to examine. Using searchsploit, we can look for any known exploit that might be used against the FTP service and version running on the server, ProFTPD 1.3.3c FTP Searchsploit indicates that this version of ProFTPD can be backdoored, and there is a Metasploit module for the exploit. We will return to this opportunity later. SSH searchsploit OpenSSH 7.2p2 We find a vulnerability in this version of OpenSSH that allows username enumeration. Still, since we are likely to get a shell through either FTP or HTTP, we can mark this as the last chance for romance-type possibility.
  • 11. Modul Praktikum Keamanan Jaringan ============================== 11 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Exploitation We can search Metasploit for the FTP exploit we found earlier using searchsploit. We found our exploit, and it is rated as excellent. We next need to load the exploit. Use the show options command to see what setting to configure.
  • 12. Modul Praktikum Keamanan Jaringan ============================== 12 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang For this exploit, all we need to set is the remote host’s IP address, which is our target IP address. Next, set the payload. To see what payloads are available, use the show payload command. We can use the number associated with the payload. For this lab, we can use payload 0. set payload 0
  • 13. Modul Praktikum Keamanan Jaringan ============================== 13 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang At the prompt, type in the exploit command. We’re not going to see a prompt, but it’s there. We next need to use a bit of Python coding to improve our situation. python -c 'import pty; pty.spawn("/bin/bash")' We have root access to the machine! Summary – This was an easy CTF to complete. There are plenty of walkthroughs for this CTF on the Internet. I tried many of them and ended up taking bits and pieces for two or three of the best to get one that would work with the latest version of Kali and the software. We exploited FTP, HTTP, and WordPress. You were shown how to use wpscan to brute-force a username and password on the WordPress site. You were introduced to a bit of Python code to take a limited shell to full root access. This lab had something for everyone and used the hacking methodology to gain root access. Get used to building and organizing your attack. You don’t want files scattered all over your desktop. For every step shown in the walkthrough, there are 3 or 4 others that will get you the same result.
  • 14. Modul Praktikum Keamanan Jaringan ============================== 14 © 2022 Teknik Informatika S1 Universitas Muhammaadiyah Magelang Everything shown is reusable and, over time, and with enough practice, you will start to recall some of your favorite exploits. End of the Walkthrough!