Samurai Skills Update #5

While I still haven’t been able to devote nearly as much time as I would like to playing in the student labs, I still wanted to post another update on how the Samurai Skills course is going for me.

I’ve now watched all of the videos except for the last one on windows exploit development. I’m looking forward to watching it but I want to wait until I have a full day or two to devote to practicing the techniques covered.

On the lab front, it’s a very weird dynamic. I still go long periods of time with little to no progress which is frustrating and leads to a lot of doubt but I also tell myself that I’m light-years ahead of where I was before I started the class.

The student lab network recently got modified so I had to duplicate the enumeration and scanning phase. Before I started the attack-secure course I had already been exposed to Nmap, Nessus, Nikto and Enum from my SANS 504 course. I had run all of these tools on the student network previously and now it was time to run them again. The difference was this time I felt a lot more confident and I ran the scans much more efficiently.

My first step was running an Nmap scan across the entire subnet. That scan identified 20 targets which I then piped into Nessus to start that scan. As soon as the Nessus scan started I cranked out the following quick little bash script to check all of the targets with Nikto.

#!/bin/bash
# Run Nikto against every host in the lab range and save one report per host.
for i in {129..164}
do (cd /pentest/web/nikto/ ; ./nikto.pl -host 172.16.222.$i -output /pentest/web/nikto/student_remix/172_16_222_$i.txt)
done

And a similar script for enum4linux:

#!/bin/bash
# Run enum4linux (machine list, -M) against every host in the same range.
for i in {129..164}
do /root/enum4linux-0.8.8/enum4linux.pl -M 172.16.222.$i
done

These are about the simplest shell scripts imaginable but three months ago I had never written a shell script in my life so I’m proud of them 🙂 Even basic scripts like this can make your Linux life much easier.

I’ve also started being able to spot the low hanging fruit of the ethical hacking world. If Nikto shows that HTTP PUT is allowed, I’ll throw a php web shell or backdoor if the box runs php or use the IIS webdav upload exploit in Metasploit if it’s an IIS box. Once again, about as simple as it gets but it’s still information I didn’t know a few months ago.
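Once the Nikto loop has written one report per host, the next step is finding the reports that actually matter. The script below is an added example, not code from the original post: it reads the per-host text reports (assumed to be named 172_16_222_<n>.txt in a directory) and lists every host whose web server advertises PUT or DELETE in its Allow header, so those servers can be reviewed and the methods disabled. The sample reports it creates are constructed for the demo.

```bash
#!/bin/bash
# Added example: triage Nikto text reports for write-capable HTTP methods.
# Assumption: one report per host, named 172_16_222_<n>.txt, in the given directory.

# Print "<host> <allowed methods>" for each report advertising PUT or DELETE.
# Usage: risky_method_hosts <report_dir>
risky_method_hosts() {
    local dir="$1" f host methods
    for f in "$dir"/*.txt; do
        [ -e "$f" ] || continue          # directory has no reports at all
        host=$(basename "$f" .txt | tr '_' '.')   # 172_16_222_131 -> 172.16.222.131
        # Nikto prints a line such as "+ Allowed HTTP Methods: GET, HEAD, POST, PUT"
        methods=$(grep -o 'Allowed HTTP Methods: .*' "$f" | head -n1 || true)
        case "$methods" in
            *PUT*|*DELETE*) printf '%s %s\n' "$host" "${methods#Allowed HTTP Methods: }" ;;
        esac
    done
}

# Constructed sample reports so the script can be run offline.
make_sample_reports() {
    local dir="$1"
    mkdir -p "$dir"
    printf '+ Target IP: 172.16.222.130\n+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE\n' \
        > "$dir/172_16_222_130.txt"
    printf '+ Target IP: 172.16.222.131\n+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE\n' \
        > "$dir/172_16_222_131.txt"
    printf '+ Target IP: 172.16.222.132\n+ 0 host(s) tested\n' \
        > "$dir/172_16_222_132.txt"   # host with no web server: no methods line
}

# Demo run: ./triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_sample_reports "$d"; risky_method_hosts "$d"; rm -rf "$d"
fi
```

Point it at the real report directory instead of the demo and it prints only the hosts that need attention, one per line.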

I’ve also been able to acquire shell on several boxes where a CMS allows me to upload a file (perhaps as part of a comment or post) or modify a file (a little php backdoor code in a WordPress theme never hurt).

I’m still not great at popping shells but even when I do get a shell I’m horrible at Linux privilege escalation. Most exploits you stumble across on the internet require you to modify them to get them to work on your machine and I don’t have enough knowledge in that area to determine what to modify yet.

I have started running ‘ps aux’ on any Linux shell I get to see what programs are running as root but I only know how to exploit a few of them if I find them like MySQL. I understand the basics of why SUID is important but not quite enough to make it work for me yet.

As I stated earlier it’s a weird feeling when you aren’t making much progress but deep down you know you’re learning. I keep failing, but I’m failing better and better every day.
