initial commit

.gitignore

@@ -0,0 +1,295 @@
+*.swp
+
+# backup files
+*~
+
+### TeX ###
+## Core latex/pdflatex auxiliary files:
+*.aux
+*.lof
+*.log
+*.lot
+*.fls
+*.out
+*.toc
+*.fmt
+*.fot
+*.cb
+*.cb2
+.*.lb
+
+## Intermediate documents:
+*.dvi
+*.xdv
+*-converted-to.*
+# these rules might exclude image files for figures etc.
+# *.ps
+# *.eps
+# *.pdf
+
+*.pdf
+
+## Bibliography auxiliary files (bibtex/biblatex/biber):
+*.bbl
+*.bcf
+*.blg
+*-blx.aux
+*-blx.bib
+*.run.xml
+
+## Build tool auxiliary files:
+*.fdb_latexmk
+*.synctex
+*.synctex(busy)
+*.synctex.gz
+*.synctex.gz(busy)
+*.pdfsync
+
+## Build tool directories for auxiliary files
+# latexrun
+latex.out/
+
+## Auxiliary and intermediate files from other packages:
+# algorithms
+*.alg
+*.loa
+
+# achemso
+acs-*.bib
+
+# amsthm
+*.thm
+
+# beamer
+*.nav
+*.pre
+*.snm
+*.vrb
+
+# changes
+*.soc
+
+# comment
+*.cut
+
+# cprotect
+*.cpt
+
+# elsarticle (documentclass of Elsevier journals)
+*.spl
+
+# endnotes
+*.ent
+
+# fixme
+*.lox
+
+# feynmf/feynmp
+*.mf
+*.mp
+*.t[1-9]
+*.t[1-9][0-9]
+*.tfm
+
+#(r)(e)ledmac/(r)(e)ledpar
+*.end
+*.?end
+*.[1-9]
+*.[1-9][0-9]
+*.[1-9][0-9][0-9]
+*.[1-9]R
+*.[1-9][0-9]R
+*.[1-9][0-9][0-9]R
+*.eledsec[1-9]
+*.eledsec[1-9]R
+*.eledsec[1-9][0-9]
+*.eledsec[1-9][0-9]R
+*.eledsec[1-9][0-9][0-9]
+*.eledsec[1-9][0-9][0-9]R
+
+# glossaries
+*.acn
+*.acr
+*.glg
+*.glo
+*.gls
+*.glsdefs
+*.lzo
+*.lzs
+
+# uncomment this for glossaries-extra (will ignore makeindex's style files!)
+# *.ist
+
+# gnuplottex
+*-gnuplottex-*
+
+# gregoriotex
+*.gaux
+*.gtex
+
+# htlatex
+*.4ct
+*.4tc
+*.idv
+*.lg
+*.trc
+*.xref
+
+# hyperref
+*.brf
+
+# knitr
+*-concordance.tex
+# TODO Comment the next line if you want to keep your tikz graphics files
+*.tikz
+*-tikzDictionary
+
+# listings
+*.lol
+
+# luatexja-ruby
+*.ltjruby
+
+# makeidx
+*.idx
+*.ilg
+*.ind
+
+# minitoc
+*.maf
+*.mlf
+*.mlt
+*.mtc
+*.mtc[0-9]*
+*.slf[0-9]*
+*.slt[0-9]*
+*.stc[0-9]*
+
+# minted
+_minted*
+*.pyg
+
+# morewrites
+*.mw
+
+# nomencl
+*.nlg
+*.nlo
+*.nls
+
+# pax
+*.pax
+
+# pdfpcnotes
+*.pdfpc
+
+# sagetex
+*.sagetex.sage
+*.sagetex.py
+*.sagetex.scmd
+
+# scrwfile
+*.wrt
+
+# sympy
+*.sout
+*.sympy
+sympy-plots-for-*.tex/
+
+# pdfcomment
+*.upa
+*.upb
+
+# pythontex
+*.pytxcode
+pythontex-files-*/
+
+# tcolorbox
+*.listing
+
+# thmtools
+*.loe
+
+# TikZ & PGF
+*.dpth
+*.md5
+*.auxlock
+
+# todonotes
+*.tdo
+
+# vhistory
+*.hst
+*.ver
+
+# easy-todo
+*.lod
+
+# xcolor
+*.xcp
+
+# xmpincl
+*.xmpi
+
+# xindy
+*.xdy
+
+# xypic precompiled matrices and outlines
+*.xyc
+*.xyd
+
+# endfloat
+*.ttt
+*.fff
+
+# Latexian
+TSWLatexianTemp*
+
+## Editors:
+# WinEdt
+*.bak
+*.sav
+
+# Texpad
+.texpadtmp
+
+# LyX
+*.lyx~
+
+# Kile
+*.backup
+
+# gummi
+.*.swp
+
+# KBibTeX
+*~[0-9]*
+
+# TeXnicCenter
+*.tps
+
+# auto folder when using emacs and auctex
+./auto/*
+*.el
+
+# expex forward references with \gathertags
+*-tags.tex
+
+# standalone packages
+*.sta
+
+# Makeindex log files
+*.lpz
+
+# REVTeX puts footnotes in the bibliography by default, unless the nofootinbib
+# option is specified. Footnotes are the stored in a file with suffix Notes.bib.
+# Uncomment the next line to have this generated file ignored.
+#*Notes.bib
+
+### TeX Patch ###
+# LIPIcs / OASIcs
+*.vtc
+
+# glossaries
+*.glstex
+

pv_0x05.tex

@@ -0,0 +1,247 @@
+% vim: tw=0 wrap
+\documentclass[12pt,a4paper]{article}
+\usepackage[utf8]{inputenc}
+\usepackage[T1]{fontenc}
+\usepackage{amsmath}
+\usepackage[pdftex,pdfsubject={Protocol 5},]{hyperref}
+\usepackage{url}
+\usepackage{hyperxmp}
+\usepackage[affil-it]{authblk}
+\usepackage{enumitem}
+\usepackage{graphicx}
+\graphicspath{ {./img/} }
+
+\date{\today}
+
+\title{Protocol 5 - \textbf{Information gathering}}
+\author{Adam Mirre}
+
+\begin{document}
+\affil{FAI UTB, Zlín}
+
+\maketitle
+\tableofcontents
+
+\paragraph{Task}
+\textit{Find out what operating systems and what services are running on given
+IP addresses.\\Enclose screenshots of the scans and create tables with
+information on the services running and exploits found. You may also add more
+details on the type and ramifications of particular exploits. You must also
+attach the website, on which you have found the exploit.\\Use \texttt{gobuster}
+with the \texttt{big.txt} dictionary for HTTP services, document the learnt
+directory layout.}\\
+
+IPs:
+\begin{enumerate}[nosep,topsep=2pt,itemsep=2pt]
+  \item 10.53.26.42
+  \item 10.53.27.125
+  \item 10.53.27.182
+  \item 10.53.27.164
+\end{enumerate}
+
+\newpage
+\section{Information gathering}
+\subsection{10.53.26.42}
+The figure~\ref{h1_80} shows the result of running gobuster against host 1.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{gobuster-h1-80}
+\caption{gobuster on h1, port 80}
+\label{h1_80}
+\end{figure}
+
+\newpage
+Nmap scan documented partly in figure~\ref{h1_nmap} allows us to determine the
+OS of the host as \texttt{Microsoft Windows Server 2008 R2 - 2012}, probably
+meaning the most recent update of the software occured in 2012. No
+vulnerabilities were found for the services on this host.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{h1-nmap}
+\caption{h1 \texttt{nmap} scan revealing IIS websever and samba yielding OS version
+string.}
+\label{h1_nmap}
+\end{figure}
+
+
+\newpage
+\subsection{10.53.27.125}
+The figure~\ref{h2_22} shows \texttt{(deb7u2)} as part of the version string of
+the SSH daemon package running.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=.75\textwidth]{h2-22-ssh}
+\caption{\texttt{SSH} daemon on h2}
+\label{h2_22}
+\end{figure}
+
+Based on
+\url{https://www.debian.org/doc/manuals/developers-reference/pkgs.html#nmu-changelog}
+Debian developer's reference page, the "number" in \texttt{deb<number>} is supposed
+indicate the Debian version the package is intended for, which in this case
+would mean the OS running can be determined as \texttt{Debian 7}.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{h2-80-msf-joomla}
+\caption{Web server/framework + OS id as shown in \texttt{msfconsole}}
+\label{h2_jomla}
+\end{figure}
+
+The \texttt{Joomla!} Open Source Content Management software version 1.5.15 has
+been found vulnerable to a multitude of vulnerabilities, including Directory
+Traversal, SQL Error Information Disclosure, XSS and Token Remote Admin Change
+Password:
+\begin{itemize}[nosep,topsep=2pt,itemsep=2pt]
+  \item \url{https://www.exploit-db.com/exploits/34955}
+  \item \url{https://www.exploit-db.com/exploits/46710}
+  \item \url{https://www.exploit-db.com/exploits/6234}
+\end{itemize}
+
+\newpage
+Figure~\ref{h2_80} shows directory listing on host 2 using gobuster.
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{gobuster-h2-80}
+\caption{\texttt{gobuster} on h2, port 80}
+\label{h2_80}
+\end{figure}
+
+
+\newpage
+\subsection{10.53.27.182}
+Based on data in figure~\ref{h3_445_msf}, in which a metasploit scanner
+\texttt{smb\_version} was used, as well as an nmap scan (90\% certainty), the OS
+appears to be \texttt{Windows XP with SP3}.\\
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{msfconsole-3}
+\caption{\texttt{msf} smb\_version module executed against h3}
+\label{h3_445_msf}
+\end{figure}
+
+\newpage
+The figure~\ref{h3_445_nmap} shows vulnerabilities found automatically by nmap
+for the given SMB service version.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{h3-445-smb-vulns}
+\caption{\texttt{nmap} w/ vulns scanning}
+\label{h3_445_nmap}
+\end{figure}
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{gobuster-h3-8080}
+\caption{\texttt{gobuster} on h3, port 8080}
+\label{h3_8080}
+\end{figure}
+
+\newpage
+Figures \ref{h3_8080} and \ref{h3_jboss} indicate a jboss websocket server
+is running on the host on port 8080 under Tomcat in version 5.5, which
+according to \url{https://www.exploit-db.com/exploits/12343}, is vulnerable to a
+remote information disclosure vulnerability.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{h3-8080-jboss}
+\caption{\texttt{jboss} under \texttt{Apache Tomcat} on h3}
+\label{h3_jboss}
+\end{figure}
+
+
+\newpage
+\subsection{10.53.27.164}
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{h4-22-ssh}
+\caption{\texttt{SSH} daemon on h4}
+\label{h4_22}
+\end{figure}
+
+Based on host information found in fig.~\ref{h4_22}, the SSH package version
+string yielded \url{https://ubuntu.com/security/notices/USN-3885-2}, which in
+turn revealed the OS as \texttt{Ubuntu 18:04}.
+The subject SSH daemon version is listed in ExploitDB
+(\url{https://www.exploit-db.com/exploits/45939}) as vulnerable to user
+enumeration attacks.
+
+\newpage
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{gobuster-h4-80}
+\caption{\texttt{gobuster} on h4, port 80}
+\label{h4_80}
+\end{figure}
+Gobuster scan of port 80 on host 4 yielded a couple of interesting folder names
+like "phpmyadmin" and "test" (figure~\ref{h4_80}).
+
+\newpage
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=.90\textwidth]{h4-443-gitea}
+\caption{\texttt{Gitea} version 1.9.3 on h4}
+\label{h4_443_gitea}
+\end{figure}
+
+Next, a Gitea service v1.9.3 was found on the host. A recently released stable
+Gitea version bears the number \texttt{1.15.7}
+(\url{https://github.com/go-gitea/gitea/releases/tag/v1.15.7}), so this
+instance should probably be updated soon.
+A gobuster scan has only shown standard Gitea paths.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=.90\textwidth]{gobuster-h4-443-gitea}
+\caption{\texttt{gobuster} on h4, port 443, no TLS}
+\label{h4_443}
+\end{figure}
+
+\newpage
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{msf-gitea-rce}
+\caption{\texttt{msfconsole} - Gitea RCE}
+\label{h4_gitea_rce}
+\end{figure}
+
+Further, the subject Gitea version can be assumbed to be vulnerable (tested on
+slightly newer versions) to an RCE exploit
+(\url{https://www.exploit-db.com/exploits/49571}) if \texttt{git hooks} are
+enabled, as documented in figures \ref{h4_gitea_rce} and
+\ref{h4_gitea_rce_descr}. Only authenticated users would be able to exploit this,
+though, which could be controlled by disabling auto/self-registration. Instead,
+user accounts would manually be created by an instance administrator for
+trusted people only. This obviously does not scale very well and is not
+suitable for a public instance.
+
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{msf-gitea-rce-descr}
+\caption{\texttt{msfconsole} - Gitea RCE description}
+\label{h4_gitea_rce_descr}
+\end{figure}
+
+\newpage
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{gobuster-h4-8080}
+\caption{\texttt{gobuster} on h4, port 8080}
+\label{h4_8080}
+\end{figure}
+
+No more gobuster scans revealed anything interesting on host 4.
+\begin{figure}[!hbt]
+\centering
+\includegraphics[width=1.00\textwidth]{gobuster-h4-9090}
+\caption{\texttt{gobuster} on h4, port 9090}
+\label{h4_9090}
+\end{figure}
+
+\end{document}