HackTheBox Enumeration Lab PDF

Title HackTheBox Enumeration Lab
Course Ethical Hacking
Institution National University (US)
Pages 12
File Size 1.1 MB
File Type PDF

Summary

Enumeration is the most vital portion of pentesting and ethical hacking. Enumeration is defined as establishing a full connection on a machine to extract detailed information and discover potential attack vectors on a target. The information retrieved from this phase is what allows us to make an edu...


Description

CYB 632 5/12/2021

Submission

The submission for this lab involves answering questions for each target that was enumerated throughout the lab. Please be professional with your statements in this submission. Writing a professional statement means answering each question in a manner that both technical and non-technical readers can understand.

Blue

nmap -sV -sC 10.10.10.40

nmap --script=*smb-vuln* -p 445 10.10.10.40

What was the vulnerable service on Blue? Please provide a description along with a screenshot of discovering the service.

The vulnerable service was microsoft-ds. “microsoft-ds” is the name given to port 445, which is used by SMB. I ran into a lot of problems on this part. I finally came to realize that the MS17 vulnerability script was not in the list of scripts in the nmap directory. I was not sure why, since I updated all the repositories and had the latest version of nmap installed. The only way I could work around this was to download the script directly off the internet and put it in the directory myself. I finally got it working.

nmap -p445 --script smb-vuln-ms17-010 10.10.10.40

In at least 50 words, please describe the vulnerability discovered on Blue.

The security vulnerability was MS17 (aka “Eternal Blue”), a cyberattack exploit developed by the National Security Agency and released a month later by a hacker group. It takes advantage of Microsoft’s Server Message Block (SMB) protocol. It exists because Microsoft’s SMBv1 (“SMB version 1”) mishandles certain packets from attackers.

Shocker

What is directory traversal?

Directory traversal (aka “file path traversal”) is a web security vulnerability attack that allows attackers to take advantage of insecure filenames to gain root access to a file system.

nmap -sV -sC 10.10.10.56

dirb http://10.10.10.56

dirb http://10.10.10.56/cgi-bin -X .sh

In at least 100 words, please explain what vulnerability was discovered on Shocker. Please provide screenshots of the steps taken to discover the vulnerability.

The first thing I did for Shocker was run nmap on the system and check for versions and run the default scripts (using “sV” and “sC”, respectively). Secondly, I did a directory traversal, which took a bit of time. I noticed it used a wordlist. A directory was then discovered that keeps scripts that interact with the web server (or so the name suggests). The directory discovered was “user.sh”. “.sh” files are Unix/Linux shell executable files. These files can be exploited by a hacker to gain access to the file system. It is only appropriate that this box is called Shocker.

Jeeves

What ports were open on the target? Please provide a screenshot of the nmap scan run on the target.

Ports 135/tcp, 445/tcp, and 50000/tcp were open on the target.

Please describe what banner grabbing is and how you found HTTP banners throughout this lab. What tools were used?

Banner grabbing captures information about a computer system and the services running on its open ports.

What vulnerable application is being hosted on the target? Please provide a screenshot of discovering the application.

Server Message Block (SMB) is on the system. It shows in the nmap scan (last screenshot).

In 50 words, please describe the vulnerability that is on the application hosted on port 5000.

When I went to 50000, it showed an error message and showed that the application hosting it was Jetty. I looked up the URL posted and the application, and I found out it was a web servlet and server container by Oracle. I knew Oracle was a company that used Java and servlets were in Java, and I found out that Jenkins is made in Java. I have heard that Java has had potential for security vulnerabilities in the past, but this still did not give me much information. The prior lab had us do a directory traversal. I did that with the default wordlist and came up with nothing. I used a different wordlist and came across a subdirectory off 50000 named askjeeves. When I went to askjeeves, I found out it is serviced by Jenkins. Looking up Jenkins, it has been known for security exploits. So, the vulnerability on the application hosted on port 5000 is Jenkins.

Lame

What ports were open on the target? Please provide nmap screenshot and description.

TCP ports 21, 22, 139, and 445 were open. 21 is an FTP service, 22 is an SSH service, and 139 and 145 are netbios-ssn services. netbios means NetBIOS (“Network Basic Input/Output”) and ssn means “Session Service”. It can also be referred to as “NBSS”.

nmap -sV -sC 10.10.10.3

I ran into a huge number of problems with this step. Long story short, I had to scrap the Kali distro I had and upgrade. It was a version from 2017, so I was due anyway.

sudo ftp 10.10.10.3

What service allowed us to log in with anonymous credentials?

It was an FTP service.

What are the two vulnerable service versions running on the machine? Please describe the vulnerabilities and how you plan to attack them. We are not exploiting anything, only gathering information.

The FTP service is vulnerable because we were able to log in with a default username and password. The other vulnerable service is Samba. Samba is a freeware implementation of the SMB networking protocol that works with Windows. There was an exploit discovered that allows for remote code execution, which can enable an attacker to take control of a machine. FTP was not built to be secure because of its reliance on clear-text usernames and passwords and the fact that it does not use encryption. I know a directory traversal attack can be used on FTP to overwrite or create files outside of the web root folder. The SMB service may be susceptible to EternalBlue. I will be refreshing my skills in metasploit for that.

Do you remember the workaround I did for part two of the Blue box? I was not able to find MS17 because I did not have the nmap script and I had to manually install it. After getting this new and improved latest version of Kali Linux, that problem went away. Here is an updated screenshot showing that the vulnerability was detected....
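The lab's enumeration steps all end in the same place: an nmap report listing open ports, service names and NSE script output that then has to be read by hand for each box. As an added example (not part of the lab submission or of nmap itself), the Python below parses an nmap XML report (the `-oX` output format) and produces, per host, the open-port list plus the follow-up items a defender would raise: services the write-up singled out (FTP, NetBIOS/SMB) and NSE results such as `ftp-anon` or `smb-vuln-ms17-010`. The embedded report is constructed to mirror the port lists quoted above (10.10.10.3 with 21/22/139/445, 10.10.10.40 with 135/445); its product names, versions and script output are made-up sample values, and the `WATCHLIST` mapping is this example's own, not anything nmap ships.

```python
"""Summarize an nmap -oX report: open ports per host, plus items to follow up on.
Added example; SAMPLE_XML is constructed and is not output from the lab's scans."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Services the lab singled out, paired with the check a defender would run next.
WATCHLIST = {
    "ftp": "clear-text credentials; confirm anonymous login is disabled",
    "netbios-ssn": "SMB/NetBIOS session service; restrict to trusted networks",
    "microsoft-ds": "SMB on 445; confirm SMBv1 is off and MS17-010 is patched",
}

# Constructed sample mirroring the lab's port lists (10.10.10.3: 21/22/139/445,
# 10.10.10.40: 135/445). Products, versions and script output are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX - 10.10.10.3 10.10.10.40">
  <host><address addr="10.10.10.3" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="21"><state state="open"/>
      <service name="ftp" product="ExampleFTPd" version="1.0"/>
      <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
    <port protocol="tcp" portid="22"><state state="open"/>
      <service name="ssh" product="OpenSSH" version="x.y"/></port>
    <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
    <port protocol="tcp" portid="139"><state state="open"/>
      <service name="netbios-ssn" product="Samba smbd"/></port>
    <port protocol="tcp" portid="445"><state state="open"/>
      <service name="netbios-ssn" product="Samba smbd"/></port>
  </ports></host>
  <host><address addr="10.10.10.40" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
    <port protocol="tcp" portid="445"><state state="open"/>
      <service name="microsoft-ds" product="Windows SMB (sample)"/>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: SMBv1 remote code execution (ms17-010)"/></port>
  </ports></host>
</nmaprun>
"""


@dataclass
class OpenPort:
    port: int
    proto: str
    service: str
    product: str = ""
    version: str = ""
    scripts: dict = field(default_factory=dict)  # NSE script id -> output text


def parse_nmap_xml(xml_text: str) -> dict[str, list[OpenPort]]:
    """Return {host_address: [OpenPort, ...]}, keeping only ports nmap saw as open."""
    hosts: dict[str, list[OpenPort]] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no exposure to report
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            ports.append(OpenPort(
                port=int(port.get("portid")),
                proto=port.get("protocol", "tcp"),
                service=attrs.get("name", "unknown"),
                product=attrs.get("product", ""),
                version=attrs.get("version", ""),
                scripts={s.get("id"): s.get("output", "") for s in port.findall("script")},
            ))
        hosts[addr_el.get("addr")] = sorted(ports, key=lambda p: p.port)
    return hosts


def assess(ports: list[OpenPort]) -> list[str]:
    """Turn a host's open ports into follow-up items, using the watchlist and NSE output."""
    findings = []
    for p in ports:
        if p.service in WATCHLIST:
            findings.append(f"{p.port}/{p.proto} {p.service}: {WATCHLIST[p.service]}")
        for sid, out in p.scripts.items():
            if sid == "ftp-anon" and "Anonymous FTP login allowed" in out:
                findings.append(f"{p.port}/{p.proto}: anonymous FTP login is enabled")
            elif sid.startswith("smb-vuln") and "VULNERABLE" in out and "NOT VULNERABLE" not in out:
                findings.append(f"{p.port}/{p.proto}: NSE {sid} reports the host as vulnerable")
    return findings


def summarize(xml_text: str) -> dict[str, dict]:
    """Per-host report: human-readable open-port lines and the follow-up findings."""
    return {
        addr: {
            "open_ports": [f"{p.port}/{p.proto} {p.service} {p.product} {p.version}".strip()
                           for p in ports],
            "findings": assess(ports),
        }
        for addr, ports in parse_nmap_xml(xml_text).items()
    }


if __name__ == "__main__":
    for addr, report in summarize(SAMPLE_XML).items():
        print(addr, *report["open_ports"], *("! " + f for f in report["findings"]), sep="\n  ")
```

Run it against a real report with `nmap -sV -sC -oX scan.xml <host>` and `summarize(open("scan.xml").read())`. Only ports in state `open` are reported, so filtered or closed ports (like the sample's port 80) never appear; the `smb-vuln` check deliberately ignores output containing "NOT VULNERABLE" so that a patched host is not flagged.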

