
Don't be a Hammer. Learning more tools with VMs and Vulnhub

BSides Springfield · 2017 · 19:18 · 62 views · Published 2018-02
Category: Technical
Style: Demo
About this talk
Security BSides Springfield, 2017 (Drury University, Springfield, MO) - Talk 1.8 - Weston George - "Don't be a Hammer. Learning more tools with VMs and Vulnhub". Slides are not included in this talk since it is mostly a live demonstration. You can download this video in HD at https://drive.google.com/open?id=1F0PzQjsMn8Rl5ZobnOMtqCcJvMILCWTP or as a smaller 480p file at https://drive.google.com/open?id=1F0PzQjsMn8Rl5ZobnOMtqCcJvMILCWTP. Links to slides, video downloads and podcast versions of all BSides Springfield talks are going up at drive.google.com/open?id=0BxW... Get the podcast version of this talk as a free download at https://soundcloud.com/securitybsides/bsides-sgf-18-weston-george-dont-be-a-hammer-learning-more-tools-with-vms-and-vulnhub

Music featured at the end and beginning: "Over your cities grass will grow" by Ötone (Pablo Diserens), from the label YGAM (@ygam). Used with permission from YGAM and the artist. Learn more about the artists and download the songs for free at soundcloud.com/ygam/sets/otone-past-structures-present-matter-ep-ygm003-1 or at ygam.bandcamp.com/album/past-struc…s-present-matter. All other audio is from the conference or the VOC team.

Official links: @BSidesSpfd, www.securitybsides.com/w/page/116970567/BSidesSpfd

VOC angels: @ablythe (twitter.com/ablythe), @cherokeejb_ (twitter.com/cherokeejb_). Follow cherokeejb.blogspot.com/ for more video and audio from Springfield, as well as upcoming DFIR, security operations, and forensics posts.

Other volunteers included (thanks!): Beth Young, Shannon McMurtrey, Lorne Hazlewood, Steve McIntosh, Matt Stephenson, Ryan Halstead.

Sponsors (also, a big thanks!), with special thanks to augustalocksports.org/ (@pickaugusta): Jack Henry & Associates, Inc.; Drury University; Revolutionary Security; Forcepoint by Raytheon; O'Reilly Media; Splunk; Motta Network Experts, Inc.; No Starch Press; IBM.

Other presenters: @armycyberinstitute, @amaughan, @c2thewinkler, @securithid, @sysopfb, @motta_mike (mnex.biz), @westongeorge, @sysopfb.

From the presenter: A lot of people get sucked into using just a couple of tools for vulnerability research. When I first started out, I focused solely on the Metasploit Framework. While that is a great utility, there is so much more out there. In this talk I hope to show that through the use of sites like vulnhub.com, and the walkthroughs they provide, you can branch out into other tools that will greatly expand your skillset and change the way you approach CTF and vuln assessment.
Transcript [en]

[Music]

This talk is basically just about expanding your security toolset. How many of you guys do capture-the-flag type stuff? All right, how many of you want to get into it or would kind of be interested? All right, good, then maybe this will be beneficial. Okay, a little bit about me... it's, don't care. Anybody know what this is? Yell it out. All right, when I first started playing with security this is the only thing I knew, the only thing I used. If you couldn't exploit it with Metasploit, it was safe. So most things were safe that I came across. Not entirely the case. So that's Metasploitable; it's a free image that you can download. Here's a list of all the services that are in it.

I mean, can you guys read that? Yeah. vsftpd 2.3.4, that was actually issued with a backdoor built in, so that's a straight root exploit. Same with the UnrealIRCd, another straight root. A lot of these, they'll get you straight to root, or with very little effort you can do privilege escalation once you get a shell and jump up to root. And you can also, it's kind of fun to load up like a vanilla Windows Server 2003 or Windows XP; you know, you can play with the 08-067. There's a [unclear] exploit for Windows 2003 that's kind of fun to play with. And Metasploit is good about post-exploitation; you can do a lot with it.

But it gets really old just seeing that over and over, typing the same commands: set target, set LHOST, [unclear]. So I thought I'd try and break out a little bit. So this is about expanding your toolset, once again. So how many of you are familiar with VirtualBox? Okay, so quite a few of you. Anybody use Vulnhub? A couple of you. So with these two things, both are completely free, you can jump in, start doing pen testing, capture the flags. It's a lot of fun for that. Vulnhub is basically just puzzles for geeks; you string together exploits. I mean, it's just great. Like, I've spent hours and hours going through different

CTFs on Vulnhub. And you know, things like this where they have a CTF, like this is a good way to kind of practice up for it, get a little bit of familiarity with it, and then like once you're here you can actually start getting flags, get your name up on the board. It's always fun to see that. So Vulnhub, most of the ones you can download as an OVA or VMDK; both of those you can import straight into VirtualBox, no problems. ISO, you just have to mount it up into the CD drive essentially and then boot off of it, install it. I do like that they give you the level of

difficulty for each challenge. I stick with the easy to very easy, but they do go up to very hard, and I don't even know what the descriptions of those mean. But if you do get stuck, oh, almost all of the challenges have walkthroughs if they've been out for any period of time. Sometimes they'll have video walkthroughs; most of them do have text-based walkthroughs, and that's a great way, like if you're like, all right, Metasploit, it's not working, you can go and get a hint and find out what tool you should actually be looking at. So VirtualBox, once again, completely free, runs on Mac, Linux, Windows. I don't think they have an Android version, but I wouldn't be surprised. Now this is

important: when you're setting up your virtual machines, make sure you set the adapter to host-only. You're playing with exploit machines, Kali, Kali, I don't know, they say Kali in Indiana Jones, but make sure you set it host-only. That way all of the traffic is just within your computer; none of it leaves, nothing can come in. I actually heard about a capture the flag where everybody was using Kali, and you know the default password is toor, and there was one guy that just started SSHing into everybody's box and shutting them down, and he won. Now I ran into this with Ubuntu; I don't remember running into it with Debian or Windows, but when I

went to set it host-only, you actually had to create a host-only network, and that's within the preferences for VirtualBox itself. The host-only adapter, that's actually within the individual virtual machine preferences. Anybody here not familiar with Kali or what it is? Good, I didn't want to explain it anyway.

Typically it works better if you can actually see what you're doing within the VM. We'll give it... oh, there we go. Okay, so usually when I start one of these, the first thing I do is discovery, by just trying to see what all is on that host-only network, and I use netdiscover.

So netdiscover -r and then you specify the range that you want. And actually, before I do anything, let me get the IP of this system. Oh, okay, all right, so that is my local IP. Go ahead and throw that in Leafpad real quick.

Okay, so that pops up a few addresses there. I already cheated and looked within the other VM and it's the .103, but that's a quick way to get it. So exit out of that, and then give me just a second. Right, so I'm just going to set a variable called target and we'll set that to the target address. Okay, so now we want to see what else is running on that, so I'll do nmap -sV; so that scans the services and then tries to fingerprint the version of the service running, and it will do target. Okay, give that a minute to run.

There we go. So a few services open here, a few different possibilities. Since I've done this before, I'm not going to waste your time by looking into each of these services; I'm just going to go right for HTTP. Are any of you familiar with Nikto? Neato? I don't know how to say it. Do you know how to pronounce that? Nikto, okay. So I'm going to use Nikto to scan that, and this basically just scans an HTTP server, looks for common vulnerabilities. So -host

All right, can you guys read this? Is this too small? Well, all right, it says a WordPress installation was found, so you know obviously that's the direction that we're going to go with this. So we'll do WPScan

and then we're going to try and enumerate the users that are on the system, if I can spell. Don't... oh, all right, give me just a second. Don't ever do this: I didn't update the databases on my virtual machine. I should have, actually. I've run through this demo on another computer; I should have done it on this one.

Oh

All right, so anyway, with WPScan you can actually go through, enumerate the users; it'll show you any that are available. And then I actually have a word list: once you get the username, you can run a dictionary attack with a word list, and when I did that you would have seen that it showed up that the admin password was asdfasdf. So just imagine that I did that; that would have been very cool. So let's see if I can still get to this.

Well, I did not, but because of the captive portal it's given me an SSL error, and for some reason Firefox ESR isn't even presenting the certificate for me to make an exception. All right, so let's make this a little bigger here, so we will log in.

Okay, so once you're into a WordPress installation you actually have access to, you know, all of the different files. One of the cool things you can do is start playing with a PHP header file. Okay, so this is a header file. Now we're going to jump back to the command line here and open up Metasploit. Oh, maybe... there we go.

Has everybody used Metasploit here? Yeah, a little bit. We're going to use an exploit; it's actually a web delivery script, and you'll kind of see what it does here. So use exploit... okay, so in Metasploit, once you tell it which exploit you want to use, you do a show options and it gives you all of this, and basically anything you want to set here you say set and then that, for the most part. So we will go ahead and do set LHOST 192... oh, give me just a second.

Okay, so I'm going to set the LHOST to my IP address, of course, and then I'll do show targets, and say you have Python, PHP and PSH. Since we're doing PHP, that's what we're going to set our target for. Okay, so payloads: so basically what this is doing is just showing you all the different payloads that I can send, so whether you're gonna have it tunnel back to you or whatever. I'd like to use the reverse TCP.

Okay, and then at that point type exploit; that's like in the movies. So it gives me this little tag down here, and that's right here in between the quotation marks; that's what we need to throw in our header.php file there, and

actually I'm just gonna put it right after this tag.

Okay, so now I think if we go here and just reload the WordPress page, you see it says meterpreter session one opened. That means we got our tunnel back from that host, so in theory we should have a shell there. Oh

so there's our one session. So I'll do sessions -i 1 to interact with one. [unclear]

Okay, so right now we're in a shell basically as www-data. We want to get a little bit further than that, so we'll go ahead and drop into a shell, and this is kind of a bastardized shell; it's not fully interactive. So I'm going to go ahead and run a Python command that should give us a more interactive shell. Let's see, I thought I had that on here. Oh yeah.

Okay, so that looks a little bit more normal down there; I just feel better with that. So if we start looking around in here, I have a bunch of config files, and since I know which one we need to look at, I'll just go ahead and open it. It's the wp-config.php; we'll see if less works. Database root, and then root password. So, and it's a capture the flag, we've got to go ahead and at least try that. So su, and it was root password. Oh yeah, I just got root. So that's kind of fun. Now, it is a capture the flag, and on most boot-to-root capture the flags, can anybody tell me the first place you look for the flag

once you get root? Yeah, so do a cd /root. Oh look, and there's your flag. So this one is an extremely easy boot-to-root capture the flag, but just doing this, this is one of the first ones I did, and I went through the walkthrough and I got stuck. I learned about Nikto, WPScan, the reverse PHP, I mean just an afternoon playing with this and I learned a ton of new tools. So I would highly recommend looking into Vulnhub and, you know, just start playing around with it. It's free, can't really hurt anything, as long as you do the host-only adapter, of course. So yeah, anybody have any questions?

Well, actually I have a book that I got; I don't even remember what it's called, so there's a terrible plug for it. But it's not... I think I just typed in network security on Amazon and picked the one that had the highest reviews, and that showed some of this stuff. But even with the walkthroughs, once you go through and start seeing tools you don't recognize, Google it, absolutely. Pentest... Penetration Testing Execution Standard? All right, I'll check that one up. Okay, yeah, or GitHub, one of the two. Yeah, yep, that's it, that's the one. Yeah, it's on my desk at work. All right, I'll do that. Oh yeah, absolutely. All right, if nobody

has any more questions, then I'll wrap it up. I just want to say thanks to Beth and everybody that put this on, thanks to the vendors, and thanks to Jason. [Music]
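The speaker's one hard rule is that a lab VM must sit on a host-only adapter, and he notes that on Ubuntu the host-only network first has to be created in VirtualBox's global preferences. As an added example (not the talk's own material), this POSIX shell check parses the `key="value"` output of `VBoxManage showvminfo <vm> --machinereadable` and fails if any adapter is anything other than hostonly or disabled; the VM name kali-lab, the interface name vboxnet0 (the Linux/macOS default) and the two sample outputs are constructed.

```shell
#!/bin/sh
# Lab-isolation check for a VirtualBox VM (added example, not from the talk).
# Adapter lines in `VBoxManage showvminfo <vm> --machinereadable` look like
# nic1="nat" / nic1="hostonly" / nic3="none"; only hostonly or none is allowed,
# so traffic stays inside the host and nothing can reach in from outside.

# Print each nicN line that is neither hostonly nor disabled; empty = isolated.
offending_nics() {
    printf '%s\n' "$1" | grep -E '^nic[0-9]+=' | grep -Ev '="(hostonly|none)"$' || true
}

# Return 0 when the VM is isolated, 1 (listing the offenders on stderr) otherwise.
check_hostonly() {
    bad=$(offending_nics "$1")
    [ -z "$bad" ] && return 0
    printf 'NOT isolated:\n%s\n' "$bad" >&2
    return 1
}

# Live use (needs VBoxManage on PATH): check a VM by name.
check_vm() {
    check_hostonly "$(VBoxManage showvminfo "$1" --machinereadable)"
}

# Repair: create the host-only network once (the global-preferences step the
# speaker hit on Ubuntu), then move adapter $2 of VM $1 onto it. vboxnet0 is
# an assumption; Windows hosts name the interface differently.
isolate_adapter() {
    VBoxManage list hostonlyifs | grep -q '^Name:' || VBoxManage hostonlyif create
    VBoxManage modifyvm "$1" --nic"$2" hostonly --hostonlyadapter"$2" vboxnet0
}

# Constructed sample: a Kali VM whose first adapter was left on NAT.
SAMPLE_NAT='name="kali-lab"
nic1="nat"
nic2="hostonly"
hostonlyadapter2="vboxnet0"
nic3="none"
nic4="none"'

# Constructed sample: the same VM after adapter 1 was switched to host-only.
SAMPLE_OK='name="kali-lab"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"
nic3="none"
nic4="none"'

check_hostonly "$SAMPLE_NAT" || echo 'run: isolate_adapter kali-lab 1'
check_hostonly "$SAMPLE_OK" && echo 'kali-lab is isolated'
```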