UG MMM Lab Report
Here is my write-up for the UGMMM lab.
Tools
• ssh
• netdiscover
• nmap
• nc
• medusa

Method
• Scanned the network for the target [Netdiscover]
• Port, service and version scanned the target [Nmap]
• Local port forward to the target web server [ssh]
• Back connect from the target server [nc]
• User password brute force against the ssh service [Medusa]
At first, I connected to 23.254.101.209 over ssh on port 2021. Then I checked which hosts are up and searched for the target host with the netdiscover and nmap tools.

Then I found 3 hosts up on the network.
• 10.10.10.2
• 10.10.10.132
• 10.10.10.254
Scanning with “Netdiscover” produces a list of all IP and MAC addresses, with their known vendors, that are currently connected to the network. The target host has not spoofed its MAC address and is running inside a VM. Since only one vendor entry in the list relates to a VM, VMware, that entry identifies the target.

The target's running services can then be identified by scanning with Nmap.
Scanning To Target Host
Scanning with nmap using the service scan (-sV) and aggressive scan (-A) options lets me see which services, ports and versions are running on the target host.
Command# nmap -A -sV -Pn -O 10.10.10.132
Open Ports
• 21 (ftp)
• 22 (ssh)
• 25 (smtp)
• 80 (http)
• 138 (netbios-ssn)
• 443 (ssl/http)
• 445 (netbios-ssn)
• 512 (exec)
• 513 (login)
• 514 (tcpwrapped)
• 3306 (mysql)
Port Forward

After scanning, I knew that the port 80 http service on the target host is open. Now I try to browse the web. The target web server's network and my network differ in public and private IP addresses, so I have to set up a local port forward using an ssh tunnel. OK, let me forward the target web server's port 80 to my local port 8000.

Then, without closing the terminal holding the ssh connection, open a new terminal to check whether the port forward succeeded, using the netstat command.
Web Application Exploitation
Congratulations! I congratulate myself and open my browser, Firefox. I type “localhost:8000” in the address bar and choose the web application to exploit.

I chose Command Injection at the medium level. In the DNS lookup bar I write some bash commands to request data from the target host, e.g. ls, id, cat /etc/passwd, etc.

The ls command works through a pipe. So I try to make a back connection. I used the nc command and bound /bin/bash to listening port number 4445. (PS: the port number can be chosen freely from any free port.)
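The lookup form is injectable because the submitted value is pasted into a shell command line, so a pipe or semicolon starts a second command. As an added example, not code from this write-up or from the lab application, here is how a defender hardens such a handler in Python: the input is accepted only as a literal hostname or IP address, and the lookup runs from an argv list with no shell, so metacharacters are never parsed. The hostname rules and the nslookup binary are assumptions of this example.

```python
import ipaddress
import re
import subprocess

# Assumed hostname rule for this example: dot-separated labels of 1-63
# letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_lookup_target(value):
    """Return True only for a plain IP address or hostname.

    Anything a shell could interpret (space, ';', '|', '$(', '&&') fails
    the label regex, so the page's 'ls', 'id' and pipe tricks are rejected.
    """
    value = value.strip()
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_lookup_argv(value):
    """Build the command as a list, never as a string for a shell."""
    if not is_valid_lookup_target(value):
        raise ValueError("rejected lookup target: %r" % value)
    return ["nslookup", value.strip()]


def run_lookup(value):
    # The vulnerable pattern is os.system("nslookup " + value); here the
    # argv list goes straight to execve, so no shell ever sees the input.
    proc = subprocess.run(
        build_lookup_argv(value),
        capture_output=True, text=True, timeout=10, check=False,
    )
    return proc.stdout
```

The validator runs offline; run_lookup only executes nslookup on a value the validator has already accepted.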
I log in to 23.254.101.209 and connect to the target host with nc. Now the connection is established, but I am a normal user with a limited-access shell. So I exploit the limited shell with a python privilege escalation script.

Check how many users are on the target host, to enumerate users for the brute force.
Command# cat /etc/passwd or
Command# ls /home/
Sometimes administrators use dictionary words for passwords. So I start a brute force against the target host with medusa.

I wait a few minutes and then I get the root password.

Finally I got root access and added my name to /root/flag.txt.