I wanted to add a little more detail to what I’m doing with reconnaissance, but I want to be careful not to just copy the stuff in the book. I don’t think that adds anything of value when trying to learn, plus I don’t think anyone would appreciate me uploading their book to the internet one chapter at a time.
So to take it a little further and focus more on OSCP objectives, as I’ve understood from my research, we want to do as much of this enumeration as we can without tools like Nessus. The first thing to try is running nmap scripts. Nmap comes with a ton of scripts loaded that can gauge for vulnerabilities, perform exploits, detect service versions, plus a ton of other things. For my purposes I’m only running the default scripts to just get an idea of what they do.
We get a ton of information here. From the top, we see FTP. It has run a script and tested anonymous logon and found that open. We can dig just a little deeper and see if we can find anything else with netcat:
Netcat displays the version and would allow us to log in. We can do a search and find that there doesn’t seem to be any exploits associated with this particular version of Filezilla. Moving on, we see that SMTP was listed along with a list of available commands. From here we can attempt to verify any possible account names we may think we have. The nmap scan shows us that ports 80 and 443 are hosting websites is XAMPP 1.7.2. We can verify this pretty easily:
We can use netcat again to connect and find out a little more information about the server. What kind of web server is it running? What supporting services?
This is my first time really using netcat operationally, I’m familiar with the functionality and syntax but now we’re in it. As you see above, I get what appears to be an error. Even though we get an error, we still get the information we were looking for. The server is running Apache 2.2.12, WebDAV 2 is running which we know from the text should be examined for default credentials, and php 5.3 is running.
I tried to dig more into the error and decided to fire up Aule (vulnerable Ubuntu machine that is designed for use with the book) and try that. So the website works:
And we try netcat:
And get a similar error, but again we get the header information we were looking for. This needs more testing, right now on every server I have with a website I get back the “bad request” error but it isn’t the end of the world since I get the header info and that is my objective right now.
One of the things the book points out about Lorien is that it is running phpmyadmin, because it comes in XAMPP. Since it is there in black and white, we know to check it. But how could we use a tool to find this out if it were not in the book? Using Nikto we can scan Lorien to see more information about available web interfaces:
I ran it this way to just get an idea of the output. For Lorien I got a lot of output and it was easier to pipe the Nikto results into a text file and go through it that way. Nikto enumerates each available directory and we can look at the web pages associated with those. Like the /server-status page:
The server information we have here matches up with the results of the Nikto scan, the netcat results, the nmap scan, the Nessus scan, and the OpenVAS scan. Which is cheating, since Nessus and OpenVAS actually use nmap. But still important to note the different ways to get needed info.
Further down the directory list we see /server-info:
Again, we see the server info. But there is much more. We have the root directory right there, which if we didn’t already know would help us with directory traversal. We have the location of various configuration files. Hey let’s look at at mod_alias.c, the Apache file that maps URL requests to aliases (among other things):
We see several accessible directories and can try each one. Hey look, it’s phpmyadmin:
We can look at this service and determine vulnerabilities, but the page is helpful as well:
There are some other issues to identify here from the book, but I’m more concerned with how to get the info on my own and using tools I know rather than just reading the vulnerability info from the book. We have enough information now to move forward. One thing I do want to investigate is credentials. From the book we know that WebDAV is running here with default credentials, however I need to identify the best way to discover that using available tools.
This is finals/project presentation time at school so I have no idea when I will get a chance to move forward with my lab. At least a week I am thinking.