LA CASA DE PAPEL

SUBMITTED BY: YADHU KRISHNAN

PENETRATION TEST REPORT

PENETRATION METHODOLOGY

▪ SCANNING
▪ ENUMERATION
▪ EXPLOITATION
▪ PRIVILEGE ESCALATION
▪ GAINING ROOT ACCESS

1. SCANNING
Let's start by finding the IP address of the machine:
• netdiscover
The IP address of the target machine was found to be 192.168.0.16.
Scan it with nmap for open ports:
• nmap -sC -Pn 192.168.0.16
After getting the IP address of the machine I enumerated the open ports using nmap and found three services:

▪ FTP
▪ SSH
▪ HTTP

2. ENUMERATION
After enumeration I found that 'anonymous' FTP login is allowed, so I logged in to FTP:
• ftp 192.168.0.16
After downloading todo.txt from the FTP server, it turned out to be a honeypot, so the FTP server was of no further use.

Then I moved on to the HTTP service, but couldn't find anything useful, so I brute forced the directories using the dirb tool.
I was able to find the robots.txt file, which contained a disallowed directory entry pointing to a webpage named 's0mething.php'.

After browsing to 's0mething.php' I got a login page.

I decided to try a SQL injection attack to bypass the login page.

I used the ' or'1'='1 SQL payload, which makes the login query's WHERE clause evaluate to true.
And it worked.
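Why the bypass above works and how a parameterised query stops it, shown as an added example (not code from the report or the target machine); the sqlite3 table and its single row are constructed for the demonstration:

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the login page's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")  # made-up row
    return conn

def login_vulnerable(conn, username: str, password: str) -> bool:
    # String concatenation: the quote in the input closes the literal and the
    # rest of the payload becomes SQL, so the clause reads
    #   username='admin' AND password='' or'1'='1'
    # which is (username='admin' AND password='') OR ('1'='1'): always true.
    query = ("SELECT COUNT(*) FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_safe(conn, username: str, password: str) -> bool:
    # Bound parameters: the driver passes the payload as a plain string value,
    # so it is compared against the password column and never parsed as SQL.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] > 0

PAYLOAD = "' or'1'='1"   # the injection string used in the write-up

def demo() -> dict:
    """Run the payload through both versions; only the concatenated query is bypassed."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, "admin", PAYLOAD),
        "safe_bypass": login_safe(conn, "admin", PAYLOAD),
        "safe_real_password": login_safe(conn, "admin", "correct-horse"),
    }
```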
After looking at the source code of the page I found an encoded string:
'@P_h:@4btD@5%'

On further investigation I found that it is base85 encoded, and by using the CyberChef tool I decoded the
data and got 'b3lla-c1a0'. But I couldn't find what it was for.
Then I browsed to 'b3lla-c1a0' in the browser and got a page which included a PDF file named 'money.pdf'.

• http://192.168.0.15/b3lla-c1a0
Looking at the file properties I came to know that it is actually a JPG file, so I renamed it to money.jpg.
Using the stegcracker tool I brute forced the JPG file's steganography passphrase with rockyou.txt and obtained the password
'mallows'.
• stegcracker money.jpg /usr/share/wordlists/rockyou.txt

This gave me another JPG file named heist.jpg, and by further investigation I found a word in the file:
"la-c45a-d3-p4p3l"
• strings heist.jpg
After browsing to the word in the browser I got an unusual error displaying the hostname of the host (redteam), so
I knew I had to add the hostname to /etc/hosts.
• nano /etc/hosts
• Add "192.168.0.15 redteam"

After adding the hostname I reloaded the page and was redirected to a WordPress page; at the bottom
of the page was a link to the login page, and after clicking the link I got a WordPress login page.
What I did next was try to log in with the default credentials, that is admin:admin.

From this I came to know that a user 'admin' exists and we just have to find the password.
To brute force the password I used the wpscan tool with the rockyou.txt wordlist.
The password was found to be 'admin123'.
I logged in using the credentials and entered the WordPress management site.

3. EXPLOITATION
There are several ways to exploit a WordPress site.
What I did was upload a reverse TCP connection payload, created using msfvenom, by copying it into the 404 template in
the theme editor.
Now that I had uploaded the shell, I set up a listener in metasploit and browsed to http://redteam/la-c45a-d3-p4p3l/wp-content/themes/twentytwenty/404.php

Thus I was able to get a shell as 'www-data' on the host system.

4. PRIVILEGE ESCALATION
As the user www-data does not have the necessary privileges, I have to escalate privileges.
By looking at the home directory I came to know that the user 'profess0r' is the superuser which has root access.
After obtaining a shell as www-data I entered the home directory and found 3 users: profess0r,
ri0 & t0kyo.

To obtain the password of the user t0kyo I created a dictionary using the 'cupp' tool.
Next I brute forced the SSH service using hydra with this wordlist:
• hydra -l t0kyo -P silene.txt ssh://192.168.0.16

Using hydra I got the password "tokyosilene" for the user 't0kyo'.
Next I logged in to SSH using these credentials and was logged in
as 't0kyo'.
In the t0kyo user directory I found 2 files named 'gift' and 'letter'.
Opening them gave me a clue to go to the next user, ri0.

Opening gift showed a message from Rio to Tokyo, and opening the file 'letter' gave me a
password hash.
• cat gift
• cat letter

I saved the hash into a file and tried to crack it using the 'john' tool with a SecLists
dictionary:
• john --wordlist=/usr/share/wordlists/SecLists/Passwords/xato-net-10-million-passwords.txt rio.txt

The password was found to be '!!Estresado!!'


So I changed the user to ri0:
• su ri0

By enumerating the directories, I found a message from Berlin to Rio.

From the message it was clear that the file 'thegiftofprofessor' contained something that
would get me to the superuser.
On enumerating further I discovered the private SSH key file named
'thegiftofprofessor' in /usr/games/user.
• cat thegiftofprofessor

I copied the SSH key to another file, 'sshkey'.

5. GAINING ROOT ACCESS
With the private SSH key obtained I logged in as the superuser 'profess0r':
• chmod 700 sshkey
• ssh -i sshkey profess0r@192.168.0.16

Then I enumerated the files with the SUID bit set:
• find / -perm -u=s -type f 2>/dev/null
The file named 'shell' in the home directory looked fishy, so I checked the properties of the
file and realised it is an executable file which could also run commands.
• ./shell /bin/bash

Voila!! Root access acquired successfully.
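The defender's counterpart to the SUID hunt above: an added example (not code from the report) that builds the same inventory as the find command and diffs it against a known-good baseline, so a stray setuid 'shell' in a home directory stands out; the baseline paths and the /home/profess0r/shell location are constructed assumptions.

```python
import os
import stat
from typing import Dict, Set

def is_suid(mode: int) -> bool:
    """True for a regular file whose setuid bit is set (the -perm -u=s test)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def find_suid_files(root: str) -> Set[str]:
    """Walk `root` and collect setuid regular files, the same inventory the
    report's find command produces; symlinks are not followed and unreadable
    entries are skipped rather than aborting the scan."""
    found: Set[str] = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_suid(st.st_mode):
                found.add(path)
    return found

def unexpected_suid(found: Set[str], baseline: Set[str]) -> Dict[str, Set[str]]:
    """Diff an inventory against a known-good baseline: anything in 'new' is a
    setuid binary the system should not have (a rogue 'shell' in a home
    directory, for instance); 'missing' flags baseline entries that vanished."""
    return {"new": found - baseline, "missing": baseline - found}

# Constructed baseline of setuid binaries one would expect on a stock install
# (illustrative; a real baseline is recorded from the host when it is built).
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}

# Constructed inventory modelled on the write-up's finding: a setuid file named
# 'shell' sitting in a home directory (the path is assumed, not from the page).
OBSERVED = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/home/profess0r/shell"}

if __name__ == "__main__":
    report = unexpected_suid(find_suid_files("/") or OBSERVED, BASELINE)
    for path in sorted(report["new"]):
        print("unexpected setuid file:", path)
```

Run as root on a real host it scans the filesystem; without a live inventory it falls back to the constructed OBSERVED set so the diff logic can still be seen.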
