commit a691300829692597cfdd150095f038c006a4e791
Author: surtur
Date: Sat Dec 18 02:27:55 2021 +0100
initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8dd1b10
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,295 @@ +*.swp + +# backup files +*~ + +### TeX ### +## Core latex/pdflatex auxiliary files: +*.aux +*.lof +*.log +*.lot +*.fls +*.out +*.toc +*.fmt +*.fot +*.cb +*.cb2 +.*.lb + +## Intermediate documents: +*.dvi +*.xdv +*-converted-to.* +# these rules might exclude image files for figures etc. +# *.ps +# *.eps +# *.pdf + +*.pdf + +## Bibliography auxiliary files (bibtex/biblatex/biber): +*.bbl +*.bcf +*.blg +*-blx.aux +*-blx.bib +*.run.xml + +## Build tool auxiliary files: +*.fdb_latexmk +*.synctex +*.synctex(busy) +*.synctex.gz +*.synctex.gz(busy) +*.pdfsync + +## Build tool directories for auxiliary files +# latexrun +latex.out/ + +## Auxiliary and intermediate files from other packages: +# algorithms +*.alg +*.loa + +# achemso +acs-*.bib + +# amsthm +*.thm + +# beamer +*.nav +*.pre +*.snm +*.vrb + +# changes +*.soc + +# comment +*.cut + +# cprotect +*.cpt + +# elsarticle (documentclass of Elsevier journals) +*.spl + +# endnotes +*.ent + +# fixme +*.lox + +# feynmf/feynmp +*.mf +*.mp +*.t[1-9] +*.t[1-9][0-9] +*.tfm + +#(r)(e)ledmac/(r)(e)ledpar +*.end +*.?end +*.[1-9] +*.[1-9][0-9] +*.[1-9][0-9][0-9] +*.[1-9]R +*.[1-9][0-9]R +*.[1-9][0-9][0-9]R +*.eledsec[1-9] +*.eledsec[1-9]R +*.eledsec[1-9][0-9] +*.eledsec[1-9][0-9]R +*.eledsec[1-9][0-9][0-9] +*.eledsec[1-9][0-9][0-9]R + +# glossaries +*.acn +*.acr +*.glg +*.glo +*.gls +*.glsdefs +*.lzo +*.lzs + +# uncomment this for glossaries-extra (will ignore makeindex's style files!) 
+# *.ist + +# gnuplottex +*-gnuplottex-* + +# gregoriotex +*.gaux +*.gtex + +# htlatex +*.4ct +*.4tc +*.idv +*.lg +*.trc +*.xref + +# hyperref +*.brf + +# knitr +*-concordance.tex +# TODO Comment the next line if you want to keep your tikz graphics files +*.tikz +*-tikzDictionary + +# listings +*.lol + +# luatexja-ruby +*.ltjruby + +# makeidx +*.idx +*.ilg +*.ind + +# minitoc +*.maf +*.mlf +*.mlt +*.mtc +*.mtc[0-9]* +*.slf[0-9]* +*.slt[0-9]* +*.stc[0-9]* + +# minted +_minted* +*.pyg + +# morewrites +*.mw + +# nomencl +*.nlg +*.nlo +*.nls + +# pax +*.pax + +# pdfpcnotes +*.pdfpc + +# sagetex +*.sagetex.sage +*.sagetex.py +*.sagetex.scmd + +# scrwfile +*.wrt + +# sympy +*.sout +*.sympy +sympy-plots-for-*.tex/ + +# pdfcomment +*.upa +*.upb + +# pythontex +*.pytxcode +pythontex-files-*/ + +# tcolorbox +*.listing + +# thmtools +*.loe + +# TikZ & PGF +*.dpth +*.md5 +*.auxlock + +# todonotes +*.tdo + +# vhistory +*.hst +*.ver + +# easy-todo +*.lod + +# xcolor +*.xcp + +# xmpincl +*.xmpi + +# xindy +*.xdy + +# xypic precompiled matrices and outlines +*.xyc +*.xyd + +# endfloat +*.ttt +*.fff + +# Latexian +TSWLatexianTemp* + +## Editors: +# WinEdt +*.bak +*.sav + +# Texpad +.texpadtmp + +# LyX +*.lyx~ + +# Kile +*.backup + +# gummi +.*.swp + +# KBibTeX +*~[0-9]* + +# TeXnicCenter +*.tps + +# auto folder when using emacs and auctex +./auto/* +*.el + +# expex forward references with \gathertags +*-tags.tex + +# standalone packages +*.sta + +# Makeindex log files +*.lpz + +# REVTeX puts footnotes in the bibliography by default, unless the nofootinbib +# option is specified. Footnotes are the stored in a file with suffix Notes.bib. +# Uncomment the next line to have this generated file ignored. +#*Notes.bib + +### TeX Patch ### +# LIPIcs / OASIcs +*.vtc + +# glossaries +*.glstex + diff --git a/img/gobuster-h1-80.png b/img/gobuster-h1-80.png new file mode 100644 index 0000000..6aff253 Binary files /dev/null and b/img/gobuster-h1-80.png differ 
diff --git a/img/gobuster-h2-80.png b/img/gobuster-h2-80.png
new file mode 100644
index 0000000..2d3a432
Binary files /dev/null and b/img/gobuster-h2-80.png differ
diff --git a/img/gobuster-h3-8080.png b/img/gobuster-h3-8080.png
new file mode 100644
index 0000000..14f0c3a
Binary files /dev/null and b/img/gobuster-h3-8080.png differ
diff --git a/img/gobuster-h4-443-gitea.png b/img/gobuster-h4-443-gitea.png
new file mode 100644
index 0000000..3068e5e
Binary files /dev/null and b/img/gobuster-h4-443-gitea.png differ
diff --git a/img/gobuster-h4-80.png b/img/gobuster-h4-80.png
new file mode 100644
index 0000000..6bb9d8f
Binary files /dev/null and b/img/gobuster-h4-80.png differ
diff --git a/img/gobuster-h4-8080.png b/img/gobuster-h4-8080.png
new file mode 100644
index 0000000..6827419
Binary files /dev/null and b/img/gobuster-h4-8080.png differ
diff --git a/img/gobuster-h4-9090.png b/img/gobuster-h4-9090.png
new file mode 100644
index 0000000..c6b9396
Binary files /dev/null and b/img/gobuster-h4-9090.png differ
diff --git a/img/h1-nmap.png b/img/h1-nmap.png
new file mode 100644
index 0000000..ea446bb
Binary files /dev/null and b/img/h1-nmap.png differ
diff --git a/img/h2-22-ssh.png b/img/h2-22-ssh.png
new file mode 100644
index 0000000..271bf4d
Binary files /dev/null and b/img/h2-22-ssh.png differ
diff --git a/img/h2-80-msf-joomla.png b/img/h2-80-msf-joomla.png
new file mode 100644
index 0000000..3463ddb
Binary files /dev/null and b/img/h2-80-msf-joomla.png differ
diff --git a/img/h3-445-smb-vulns.png b/img/h3-445-smb-vulns.png
new file mode 100644
index 0000000..8dcd170
Binary files /dev/null and b/img/h3-445-smb-vulns.png differ
diff --git a/img/h3-8080-jboss.png b/img/h3-8080-jboss.png
new file mode 100644
index 0000000..41e43cd
Binary files /dev/null and b/img/h3-8080-jboss.png differ
diff --git a/img/h4-22-ssh.png b/img/h4-22-ssh.png
new file mode 100644
index 0000000..36f3fa4
Binary files /dev/null and b/img/h4-22-ssh.png differ
diff --git a/img/h4-443-gitea.png b/img/h4-443-gitea.png
new file mode 100644
index 0000000..1641efb
Binary files /dev/null and b/img/h4-443-gitea.png differ
diff --git a/img/msf-gitea-rce-descr.png b/img/msf-gitea-rce-descr.png
new file mode 100644
index 0000000..3a4300e
Binary files /dev/null and b/img/msf-gitea-rce-descr.png differ
diff --git a/img/msf-gitea-rce.png b/img/msf-gitea-rce.png
new file mode 100644
index 0000000..87014bb
Binary files /dev/null and b/img/msf-gitea-rce.png differ
diff --git a/img/msfconsole-3.png b/img/msfconsole-3.png
new file mode 100644
index 0000000..8b76053
Binary files /dev/null and b/img/msfconsole-3.png differ
diff --git a/pv_0x05.tex b/pv_0x05.tex
new file mode 100644
index 0000000..ff2c2bc
--- /dev/null
+++ b/pv_0x05.tex
@@ -0,0 +1,247 @@
+% vim: tw=0 wrap
+\documentclass[12pt,a4paper]{article}
+\usepackage[utf8]{inputenc}
+\usepackage[T1]{fontenc}
+\usepackage{amsmath}
+\usepackage[pdftex,pdfsubject={Protocol 5},]{hyperref}
+\usepackage{url}
+\usepackage{hyperxmp}
+\usepackage[affil-it]{authblk}
+\usepackage{enumitem}
+\usepackage{graphicx}
+\graphicspath{ {./img/} }
+
+\date{\today}
+
+\title{Protocol 5 - \textbf{Information gathering}}
+\author{Adam Mirre}
+
+\begin{document}
+\affil{FAI UTB, Zlín}
+
+\maketitle
+\tableofcontents
+
+\paragraph{Task}
+\textit{Find out what operating systems and what services are running on given
+IP addresses.\\Enclose screenshots of the scans and create tables with
+information on the services running and exploits found. You may also add more
+details on the type and ramifications of particular exploits. You must also
+attach the website, on which you have found the exploit.\\Use \texttt{gobuster}
+with the \texttt{big.txt} dictionary for HTTP services, document the learnt
+directory layout.}\\
+
+IPs:
+\begin{enumerate}[nosep,topsep=2pt,itemsep=2pt]
+ \item 10.53.26.42
+ \item 10.53.27.125
+ \item 10.53.27.182
+ \item 10.53.27.164
+\end{enumerate}
+
+\newpage
+\section{Information gathering}
+\subsection{10.53.26.42}
+The figure~\ref{h1_80} shows the result of running gobuster against host 1.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{gobuster-h1-80}
+\caption{gobuster on h1, port 80}
+\label{h1_80}
+\end{figure}
+
+\newpage
+Nmap scan documented partly in figure~\ref{h1_nmap} allows us to determine the
+OS of the host as \texttt{Microsoft Windows Server 2008 R2 - 2012}, probably
+meaning the most recent update of the software occured in 2012. No
+vulnerabilities were found for the services on this host.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{h1-nmap}
+\caption{h1 \texttt{nmap} scan revealing IIS websever and samba yielding OS version
+string.}
+\label{h1_nmap}
+\end{figure}
+
+
+\newpage
+\subsection{10.53.27.125}
+The figure~\ref{h2_22} shows \texttt{(deb7u2)} as part of the version string of
+the SSH daemon package running.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=.75\textwidth]{h2-22-ssh}
+\caption{\texttt{SSH} daemon on h2}
+\label{h2_22}
+\end{figure}
+
+Based on
+\url{https://www.debian.org/doc/manuals/developers-reference/pkgs.html#nmu-changelog}
+Debian developer's reference page, the "number" in \texttt{deb} is supposed
+indicate the Debian version the package is intended for, which in this case
+would mean the OS running can be determined as \texttt{Debian 7}.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{h2-80-msf-joomla}
+\caption{Web server/framework + OS id as shown in \texttt{msfconsole}}
+\label{h2_jomla}
+\end{figure}
+
+The \texttt{Joomla!} Open Source Content Management software version 1.5.15 has
+been found vulnerable to a multitude of vulnerabilities, including Directory
+Traversal, SQL Error Information Disclosure, XSS and Token Remote Admin Change
+Password:
+\begin{itemize}[nosep,topsep=2pt,itemsep=2pt]
+ \item \url{https://www.exploit-db.com/exploits/34955}
+ \item \url{https://www.exploit-db.com/exploits/46710}
+ \item \url{https://www.exploit-db.com/exploits/6234}
+\end{itemize}
+
+\newpage
+Figure~\ref{h2_80} shows directory listing on host 2 using gobuster.
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{gobuster-h2-80}
+\caption{\texttt{gobuster} on h2, port 80}
+\label{h2_80}
+\end{figure}
+
+
+\newpage
+\subsection{10.53.27.182}
+Based on data in figure~\ref{h3_445_msf}, in which a metasploit scanner
+\texttt{smb\_version} was used, as well as an nmap scan (90\% certainty), the OS
+appears to be \texttt{Windows XP with SP3}.\\
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{msfconsole-3}
+\caption{\texttt{msf} smb\_version module executed against h3}
+\label{h3_445_msf}
+\end{figure}
+
+\newpage
+The figure~\ref{h3_445_nmap} shows vulnerabilities found automatically by nmap
+for the given SMB service version.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{h3-445-smb-vulns}
+\caption{\texttt{nmap} w/ vulns scanning}
+\label{h3_445_nmap}
+\end{figure}
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{gobuster-h3-8080}
+\caption{\texttt{gobuster} on h3, port 8080}
+\label{h3_8080}
+\end{figure}
+
+\newpage
+Figures \ref{h3_8080} and \ref{h3_jboss} indicate a jboss websocket server
+is running on the host on port 8080 under Tomcat in version 5.5, which
+according to \url{https://www.exploit-db.com/exploits/12343}, is vulnerable to a
+remote information disclosure vulnerability.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{h3-8080-jboss}
+\caption{\texttt{jboss} under \texttt{Apache Tomcat} on h3}
+\label{h3_jboss}
+\end{figure}
+
+
+\newpage
+\subsection{10.53.27.164}
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{h4-22-ssh}
+\caption{\texttt{SSH} daemon on h4}
+\label{h4_22}
+\end{figure}
+
+Based on host information found in fig.~\ref{h4_22}, the SSH package version
+string yielded \url{https://ubuntu.com/security/notices/USN-3885-2}, which in
+turn revealed the OS as \texttt{Ubuntu 18:04}.
+The subject SSH daemon version is listed in ExploitDB
+(\url{https://www.exploit-db.com/exploits/45939}) as vulnerable to user
+enumeration attacks.
+
+\newpage
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{gobuster-h4-80}
+\caption{\texttt{gobuster} on h4, port 80}
+\label{h4_80}
+\end{figure}
+Gobuster scan of port 80 on host 4 yielded a couple of interesting folder names
+like "phpmyadmin" and "test" (figure~\ref{h4_80}).
+
+\newpage
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=.90\textwidth]{h4-443-gitea}
+\caption{\texttt{Gitea} version 1.9.3 on h4}
+\label{h4_443_gitea}
+\end{figure}
+
+Next, a Gitea service v1.9.3 was found on the host. A recently released stable
+Gitea version bears the number \texttt{1.15.7}
+(\url{https://github.com/go-gitea/gitea/releases/tag/v1.15.7}), so this
+instance should probably be updated soon.
+A gobuster scan has only shown standard Gitea paths.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=.90\textwidth]{gobuster-h4-443-gitea}
+\caption{\texttt{gobuster} on h4, port 443, no TLS}
+\label{h4_443}
+\end{figure}
+
+\newpage
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{msf-gitea-rce}
+\caption{\texttt{msfconsole} - Gitea RCE}
+\label{h4_gitea_rce}
+\end{figure}
+
+Further, the subject Gitea version can be assumbed to be vulnerable (tested on
+slightly newer versions) to an RCE exploit
+(\url{https://www.exploit-db.com/exploits/49571}) if \texttt{git hooks} are
+enabled, as documented in figures \ref{h4_gitea_rce} and
+\ref{h4_gitea_rce_descr}. Only authenticated users would be able to exploit this,
+though, which could be controlled by disabling auto/self-registration. Instead,
+user accounts would manually be created by an instance administrator for
+trusted people only. This obviously does not scale very well and is not
+suitable for a public instance.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{msf-gitea-rce-descr}
+\caption{\texttt{msfconsole} - Gitea RCE description}
+\label{h4_gitea_rce_descr}
+\end{figure}
+
+\newpage
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{gobuster-h4-8080}
+\caption{\texttt{gobuster} on h4, port 8080}
+\label{h4_8080}
+\end{figure}
+
+No more gobuster scans revealed anything interesting on host 4.
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{gobuster-h4-9090}
+\caption{\texttt{gobuster} on h4, port 9090}
+\label{h4_9090}
+\end{figure}
+
+\end{document}
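Review bot: The Task paragraph at the top of the hunk requires tables of the services running and the exploits found per host, yet the document contains no table at all; every finding lives in prose and figure captions, so a reader must reassemble the service inventory by hand. A summary `tabular` built only from what the sections already state (host, port/service, OS evidence, reference) would close that gap, and a draft populated solely from the text of this hunk is below, to be placed before `\end{document}`. The sentence for 10.53.26.42 reading "probably meaning the most recent update of the software occured in 2012" should also be revisited, since nmap's OS-detection strings of the form `Windows Server 2008 R2 - 2012` normally denote a range of matching releases rather than an update date; hedge or drop that inference. The Gitea 1.9.3 RCE finding is explicitly "assumbed ... tested on slightly newer versions", so it should be marked unverified wherever it is summarised, and the upgrade the text already recommends is the remediation to lead with because restricting self-registration only narrows who can reach the authenticated path. Spelling to fix in passing: `occured`, `websever`, `assumbed`, `Ubuntu 18:04` (18.04) and `is supposed indicate` (supposed to indicate).
```latex
% … unchanged: per-host sections …
\newpage
\section{Summary}
\begin{table}[!hbt]
\centering
\small
\begin{tabular}{|l|l|l|l|}
\hline
Host & Port / service & OS evidence & Finding / reference \\
\hline
10.53.26.42 & 80 IIS, SMB (samba) & Windows Server 2008 R2 - 2012 (nmap) & none found \\
10.53.27.125 & 22 SSH (deb7u2), 80 Joomla! 1.5.15 & Debian 7 & exploit-db 34955, 46710, 6234 \\
10.53.27.182 & 445 SMB, 8080 JBoss / Tomcat 5.5 & Windows XP SP3 & nmap smb vuln scripts (fig.~\ref{h3_445_nmap}), exploit-db 12343 \\
10.53.27.164 & 22 SSH, 80 HTTP, 443 Gitea 1.9.3, 8080, 9090 & Ubuntu 18.04 (USN-3885-2) & exploit-db 45939; 49571 (assumed, untested on 1.9.3) \\
\hline
\end{tabular}
\caption{Services, OS identification and references per host}
\label{summary}
\end{table}
\end{document}
```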