Posts

Showing posts from November, 2023

Cron Jobs Gone Wild (ine)

In this lab, we have compromised a machine, but we only have access as the low-privileged user called student. This means that if we try to enumerate cron jobs using techniques such as looking at the crontab, we will not see those which have been scheduled to run as root. We therefore need to enumerate the cron jobs in different ways. One way is to use the pspy tool, which shows running processes, including cron jobs scheduled by root. Another way is to enumerate the box looking for interesting files and tar archives. We want to look for files which we can write to, in case they are being used by a cron job and we can amend them. The command to use is:

    find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

We want to look into interesting tar archives, as they might be produced by a cron job that backs up directories using the * wildcard. This can be exploited to elevate our privileges. To decompress and extract a tar.gz file, we can use:

    tar -zxvf monitor.tar.gz

Whilst enumeratin...

Hacking CronOS (htb)

As usual, we start with an nmap scan. In this case, we find ports 22, 53 and 80 open. Seeing port 53 over TCP is interesting, since port 53 over UDP is used to make DNS queries. DNS uses TCP port 53 for zone transfers, and it is always useful to enumerate DNS to widen the attack surface, for example to find subdomains to attack. Before attempting a zone transfer, I thought I would have a go at manually enumerating DNS with the intention of trying to find interesting subdomains. I started by trying a reverse DNS lookup using the dig tool. When it comes to DNS records, some will have a PTR record, which is where the reverse DNS request looks. The PTR record just maps an IPv4 address to a domain name, so we can find the domain name by specifying the IPv4 address. This is the opposite of how DNS requests are usually made: usually a domain is specified and the IPv4 address is returned from the A record. In the dig command seen in the picture below, the @ symbol lets us specif...