Overview
Objective : Get Flag
OVA link: https://www.vulnhub.com/entry/mr-robot-1,151/
Tools used: netdiscover, nmap, nikto, metasploit, truecrack, veracrypt
To start, I just ran a quick netdiscover to get the DroopyOS IP. The highlighted IP is the one we're after.
A quick nmap version scan shows port 80 open, which implies a web server of some sort. Let's see what that web page looks like!
Loading the page, we see a generic Drupal login page (the logo above 'Home' is the Drupal logo). Drupal is notorious for vulnerabilities, so we should have some smooth sailing (hopefully?).
I clicked around the 'create new account' and 'request new password' links but nothing obvious stands out as a hint or direction. To help find some vulnerabilities, I ran a nikto scan with the corresponding output listed below.
We have a lot of information to parse through. The most immediately obvious clue is 'robots.txt', which is referenced multiple times. Loading that page shows some interesting information, as seen below: it lists directory paths we can walk as well as some specific files to check out. Keep in mind that robots.txt Disallow entries only ask crawlers to stay away; they are not access controls, which is exactly why they make such a good map of what the admin would rather you didn't see.
The 'giveaway' here is /CHANGELOG.txt. Drupal ships this file with the core release notes, newest release first, so its first entry is the installed version. We can see here that Drupal 7.30 is running.
A little googling about this version of Drupal shows a vulnerability, CVE-2014-3704 (SA-CORE-2014-005, a pre-authentication SQL injection in Drupal 7's database API, fixed in 7.32), which has a nicely prepackaged Metasploit exploit dubbed 'Drupageddon' (exploit/multi/http/drupal_drupageddon). We can boot up msfconsole and see what the options are. Looks like we only need to set RHOST (192.168.1.137).
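The version check above, as an added example that is not part of the original walkthrough: it pulls the first release header out of CHANGELOG.txt and decides whether the box is in the Drupageddon range (every Drupal 7.x before 7.32; Drupal 6 and 8 were never affected). The sample changelog text is constructed for the demo, and `check_target` assumes the walkthrough's host and the standard Drupal 7 changelog path.

```sh
#!/bin/sh
# Added example (not from the walkthrough): read the installed Drupal version
# out of CHANGELOG.txt and decide whether CVE-2014-3704 applies. Drupageddon
# hits every Drupal 7.x before 7.32; Drupal 6 and 8 were never affected.
# SAMPLE_CHANGELOG is constructed for this demo and is not the real file.

SAMPLE_CHANGELOG='
Drupal 7.30, 2014-07-24
-----------------------
- Fixed security issues (details omitted in this constructed sample).

Drupal 7.29, 2014-07-16
-----------------------
- Fixed security issues (details omitted in this constructed sample).
'

# Print the version from the first "Drupal X.Y, <date>" header. Drupal lists
# the newest release first, so that is the running version. Prints nothing
# if no header is present (e.g. the file was removed or replaced).
drupal_version() {
    printf '%s\n' "$1" | sed -n 's/^Drupal \([0-9][0-9.]*\),.*/\1/p' | head -n 1
}

# Return 0 (true) when the version is 7.x with x < 32, i.e. in Drupageddon range.
vulnerable_to_drupageddon() {
    ver="$1"
    case "$ver" in *.*) ;; *) return 1 ;; esac    # need at least major.minor
    major="${ver%%.*}"
    minor="${ver#*.}"
    minor="${minor%%.*}"                          # tolerate 7.30.1-style strings
    [ "$major" -eq 7 ] && [ "$minor" -lt 32 ]
}

# Live check against a target; 192.168.1.137 is the walkthrough's box and the
# path is where Drupal 7 core keeps its changelog. Exit 2 = could not decide.
check_target() {
    host="${1:-192.168.1.137}"
    body="$(curl -fs "http://$host/CHANGELOG.txt")" || { echo "no CHANGELOG.txt" >&2; return 2; }
    ver="$(drupal_version "$body")"
    [ -n "$ver" ] || { echo "no version header in CHANGELOG.txt" >&2; return 2; }
    if vulnerable_to_drupageddon "$ver"; then
        echo "Drupal $ver: in CVE-2014-3704 range, try drupal_drupageddon"
    else
        echo "Drupal $ver: outside Drupageddon range"
        return 1
    fi
}
```

A missing CHANGELOG.txt is not proof of a patched site; hardened installs delete it, in which case nikto's other findings and the login page's markup are the next best fingerprints.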
This may have been the easiest shell I've ever obtained. I almost feel guilty... perhaps later I'll see if I can code the exploit by hand and get it to work. Anyway, we got a shell:
Interestingly enough, /tmp is writable for us, so we have somewhere to drop and run exploits. (It's worth confirming /tmp isn't mounted noexec before relying on it; 'mount | grep /tmp' will tell you.)
Now we just have to figure out what we have to work with. For this I'm going to drop into a normal bash shell instead of using meterpreter. Listed below are the commands I ran to gather some information and find an exploit. It looks like searchsploit found what we need: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Root Shell, i.e. CVE-2015-1328. Check 'uname -r' against that range before going further; the exploit does nothing useful on a patched kernel.
I usually make separate directories per Vulnhub VM. To get the exploit onto the DroopyOS box, I'm going to copy the exploit to my working directory and then push it to /tmp on the target host with meterpreter's 'upload' command. I like copying the exploits per use case: if I have to edit the exploit and break it, I can always fall back to the original.
Note the permission change below: 'chmod +x' adds the execute bit for owner, group and others, so essentially any user can execute the file.
We now have a raw .c file to compile. Type 'gcc --version' to check whether gcc is installed on the target. A quick compile and execute later, we have root! We're done now! RIGHT?!
I went into /root/ aaand we have a .tc file. That is the extension for a TrueCrypt container, which I guess we have to brute-force?
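The pre-flight checks for the privilege escalation steps above, as an added example that is not part of the original walkthrough: before uploading and compiling the overlayfs exploit, confirm the target kernel is in the range the searchsploit entry names, that binaries can actually run from /tmp, and that gcc is present. The `uname -r` strings used to exercise `kernel_in_overlayfs_range` are constructed inputs, and `build_exploit` assumes the .c file has already been uploaded to the target.

```sh
#!/bin/sh
# Added example (not from the walkthrough): gate the overlayfs exploit
# (CVE-2015-1328, searchsploit: "Linux Kernel 3.13.0 < 3.19 ... overlayfs")
# on the checks a practitioner runs before wasting time compiling it.

# Return 0 if a "uname -r" string such as "3.13.0-24-generic" satisfies
# 3.13.0 <= version < 3.19. Anything unparsable is treated as out of range.
kernel_in_overlayfs_range() {
    rel="$1"
    base="${rel%%-*}"        # "3.13.0-24-generic" -> "3.13.0"
    major="${base%%.*}"      # "3"
    minor="${base#*.}"       # "13.0"
    minor="${minor%%.*}"     # "13"
    case "$major$minor" in ""|*[!0-9]*) return 1 ;; esac
    [ "$major" -eq 3 ] && [ "$minor" -ge 13 ] && [ "$minor" -lt 19 ]
}

# Return 0 if a script dropped into $1 (default /tmp) can actually be run,
# i.e. the filesystem is not mounted noexec. Removes its probe afterwards.
can_exec_in() {
    dir="${1:-/tmp}"
    probe="$dir/.execprobe.$$"
    printf '#!/bin/sh\nexit 0\n' > "$probe" || return 1
    chmod u+x "$probe"
    "$probe" >/dev/null 2>&1
    rc=$?
    rm -f "$probe"
    return "$rc"
}

# Compile the uploaded exploit source ($1) to the binary $2 only after the
# kernel, mount and compiler checks pass; each failure says why on stderr.
build_exploit() {
    src="$1"; out="$2"
    kernel_in_overlayfs_range "$(uname -r)" || { echo "kernel $(uname -r) not in 3.13.0 <= v < 3.19" >&2; return 1; }
    can_exec_in "$(dirname "$out")" || { echo "$(dirname "$out") is not executable (noexec?)" >&2; return 1; }
    command -v gcc >/dev/null 2>&1 || { echo "no gcc on target; compile elsewhere against the same libc" >&2; return 1; }
    gcc -o "$out" "$src" && chmod u+x "$out"
}
```

If gcc is missing on the target, compiling on Kali and uploading the binary works only when the libc and architecture match; a static build (`gcc -static`) sidesteps the libc part.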
The only hint we really have to go on is on the Vulnhub page where the author gives the following two hints:
I'm going to assume the rockyou wordlist is needed for the TrueCrypt file. The email hint is also worth looking into. (Fast forward a while.) I found the 'email hint' in '/var/mail/':
OK, so now we obviously have to use the rockyou dictionary, and we need to get that .tc file onto our Kali host. To do this, I copied (as root) the dave.tc file to the /tmp directory. I then downloaded it via meterpreter as follows:
Now we need to prepare the rockyou wordlist. If you're on a new version of Kali, you need to extract it first; the default location is '/usr/share/wordlists/rockyou.txt.gz'. I like keeping all my wordlists in '/root/Wordlists/'. This file is huge: 14,344,392 lines. From the email we know we can remove all passwords longer than 11 characters. I shortened the list using awk:
I then grepped that list for all entries containing the string 'academy'. The last step would (hopefully) be cracking the TrueCrypt file. Kali has a preinstalled tool called TrueCrack for just this purpose. Syntax as follows:
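The wordlist preparation above, as an added example that is not part of the original post. It folds the two-pass awk-then-grep into one filter, handles the decompression step, and runs against a constructed stand-in for rockyou (on Kali the real source is /usr/share/wordlists/rockyou.txt.gz); all file names and paths are assumptions.

```sh
#!/bin/sh
# Added example (not from the walkthrough): cut a wordlist down to the
# candidates the email hint allows (at most 11 characters, containing
# "academy") before handing it to TrueCrack. The list written by
# make_sample_wordlist is constructed for this demo and is not rockyou.

# Write a tiny stand-in wordlist (constructed, not rockyou) to the path in $1.
make_sample_wordlist() {
    printf '%s\n' \
        '123456' 'password' 'academy' 'academy1' 'theacademy' \
        'academyawards2009' 'policeacademy' 'Academy123' 'naval academy' \
        'iloveyou' > "$1"
}

# Decompress a .gz wordlist ($1) to a plain file ($2), leaving the archive.
extract_wordlist() {
    gzip -dc "$1" > "$2"
}

# Keep only entries of length <= $3 that contain the substring $4, writing
# them to $2 and printing how many survived. LC_ALL=C makes awk count bytes:
# rockyou contains invalid UTF-8 that can trip a UTF-8 locale, and the hint
# is about a typed ASCII password anyway. index() is case-sensitive, matching
# the author's grep; lower-case both sides with tolower() if the hint is vague.
filter_wordlist() {
    src="$1"; dst="$2"; maxlen="$3"; needle="$4"
    LC_ALL=C awk -v n="$maxlen" -v s="$needle" \
        'length($0) <= n && index($0, s) > 0' "$src" > "$dst"
    wc -l < "$dst" | tr -d ' '
}

# End-to-end on the Kali defaults: extract, filter, report the size.
prepare_rockyou() {
    src="${1:-/usr/share/wordlists/rockyou.txt.gz}"
    dst="${2:-/root/Wordlists/academy.txt}"
    plain="${src%.gz}"
    [ -f "$plain" ] || extract_wordlist "$src" "$plain"
    filter_wordlist "$plain" "$dst" 11 academy
}
```

Feed the output to TrueCrack as the walkthrough does; in TrueCrack's own option syntax that is `truecrack -t dave.tc -w academy.txt` for the default RIPEMD-160 derivation and `truecrack -t dave.tc -w academy.txt -k sha512` for SHA-512. A TrueCrypt volume can also have been created with Whirlpool (`-k whirlpool`), and TrueCrack tries only one derivation per run, so an empty result on one hash rules out that hash, not the wordlist.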
This produced no results. TrueCrack tries one key-derivation hash per run and defaults to RIPEMD-160, so I tried the 'sha512' hash via:
We got the TrueCrypt password! Since TrueCrypt is no longer supported, I downloaded VeraCrypt and plugged in the password. Enter the password, enable TrueCrypt mode, select the hash type, and the TrueCrypt container opens.
Browsing the mounted volume, there are a couple of directories and images, but 'ls -a' reveals hidden dot-directories. Going into '/media/veracrypt1/.secret/.top' reveals the flag: