Lessons learned
Zone Transfer
DNS usually runs over UDP. On this box it ran on TCP, and performing a zone transfer allowed us to get a list of all hosts on the domain. DNS should be configured to allow zone transfers only from trusted IP addresses. Restricting transfers is not a complete fix, though, since there are other ways to enumerate hosts.
SMB
SMB allowed anonymous login without a password; this should have been disabled. One share also had WRITE access on it, and as shown we took advantage of that by uploading a reverse shell. Besides giving us access, the share also held credentials stored in plain text!
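Catching the two SMB problems above before an attacker does is mostly a matter of reading smb.conf. The audit script below is an added example, not part of the original writeup: it parses Samba's INI-style config with the standard library and flags (a) a `map to guest` setting that still lets unknown users in as guest and (b) any share that combines a guest flag (`guest ok`/`public`) with write access (`writable`/`writeable`/`write ok`, or `read only = no`). The sample config and share names are constructed to mirror the box.

```python
"""Audit an smb.conf for anonymous login and guest-writable shares.

Added example (not from the original writeup). The sample config below is
constructed; the [public] share reproduces the misconfiguration described.
"""
import configparser

# Constructed sample smb.conf.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Bad User   ; unknown users are mapped to the guest account

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no            ; anonymous users can upload files here

[docs]
   path = /srv/samba/docs
   public = yes
   writable = no

[finance]
   path = /srv/samba/finance
   valid users = @finance
   writable = yes
"""


def _flag(section, *names, default=False):
    """Boolean value of the first of *names* present in the section."""
    for name in names:
        if name in section:
            return section.getboolean(name)
    return default


def parse_smb_conf(text):
    """smb.conf is INI-like: ';' and '#' start comments, keys contain spaces."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, inline_comment_prefixes=(";", "#")
    )
    parser.read_string(text)
    return parser


def anonymous_login_possible(conf):
    """True unless the server refuses to map unknown users to guest."""
    glob = conf["global"] if "global" in conf else {}
    return glob.get("map to guest", "never").strip().lower() != "never"


def guest_writable_shares(conf):
    """Names of shares a guest can both reach and write to."""
    findings = []
    for name in conf.sections():
        if name.lower() in ("global", "homes", "printers"):
            continue
        share = conf[name]
        guest = _flag(share, "guest ok", "public")
        # Samba defaults to read only = yes; any of the synonyms can flip it.
        writable = _flag(share, "writable", "writeable", "write ok",
                         default=not _flag(share, "read only", default=True))
        if guest and writable:
            findings.append(name)
    return findings


def audit(text):
    conf = parse_smb_conf(text)
    return {
        "anonymous_login": anonymous_login_possible(conf),
        "guest_writable": guest_writable_shares(conf),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SMB_CONF))
```

Run it against a real `/etc/samba/smb.conf` by passing the file contents to `audit()`; the fix for both findings is `map to guest = never` plus `read only = yes` (or dropping `guest ok`) on the offending share.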
LFI
LFI is not always obvious. In this case we took advantage of an LFI vulnerability that let us execute a PHP shell on the system. Security measures should include input sanitization, an allow-list of files that may be included, etc.
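To make the allow-list point concrete, here is an added example (not code from the box or the original writeup) of a page loader in its naive form beside a hardened one. The function names, the `pages/` directory layout and the `secret.txt` fixture are all assumptions constructed for the demo; the hardened loader checks the requested name against an allow-list and then confirms the resolved path still sits under the pages directory.

```python
"""Local file inclusion: a naive page loader beside a hardened one.

Added example, not from the original writeup. Directory layout, file names
and the sample secret are constructed for the demonstration.
"""
import os
import tempfile

ALLOWED_PAGES = {"home", "about", "contact"}


def load_page_naive(pages_dir, name):
    """Vulnerable: untrusted input is joined straight into the path."""
    with open(os.path.join(pages_dir, name)) as f:
        return f.read()


def load_page_safe(pages_dir, name):
    """Hardened: allow-list first, then confirm the resolved path stays inside pages_dir."""
    if name not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {name!r}")
    root = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(root, name + ".html"))
    # Defence in depth: even an allow-listed name must resolve under root
    # (covers symlinks dropped into the pages directory).
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes the pages directory")
    with open(target) as f:
        return f.read()


def build_demo_tree():
    """Constructed fixture: a pages directory plus a sensitive file outside it."""
    base = tempfile.mkdtemp()
    pages = os.path.join(base, "pages")
    os.mkdir(pages)
    for p in ALLOWED_PAGES:
        with open(os.path.join(pages, p + ".html"), "w") as f:
            f.write(f"<h1>{p}</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("db_password=constructed-sample")
    return pages


def demo():
    """Exercise both loaders; returns a dict of outcomes for inspection."""
    pages = build_demo_tree()
    results = {}
    # The naive loader walks straight out of the pages directory.
    results["naive_traversal"] = load_page_naive(pages, "../secret.txt")
    results["safe_home"] = load_page_safe(pages, "home")
    for bad in ("../secret.txt", "home/../../secret.txt", "shell.php"):
        try:
            load_page_safe(pages, bad)
            results[bad] = "allowed"
        except ValueError:
            results[bad] = "rejected"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The allow-list does the real work; the `realpath`/`commonpath` check is there so that a later change to how names are mapped to files cannot quietly reintroduce traversal.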
Python module permissions
Python modules can be misconfigured, which is something that I did not know. Regular users should only have read access to such modules; this particular module had rwx permissions for everyone on the system.
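The misconfiguration above is easy to audit for. The following is an added example, not from the original writeup: it walks a list of directories (the interpreter's own `sys.path` when run directly) and reports `.py`/`.pth` files and package directories whose mode has the other-write bit set, i.e. modules any local user could replace before a privileged process imports them. The fixture it builds for the demo (`good_mod.py`, `bad_mod.py`) is constructed.

```python
"""Find Python module files and package directories that everyone can write to.

Added example, not from the original writeup. The demo tree below is
constructed; run the script directly to audit the interpreter's sys.path.
"""
import os
import stat
import sys
import tempfile


def is_world_writable(path):
    """True if 'others' may write to path (files and directories alike)."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:  # broken symlink or vanished file
        return False


def world_writable_modules(roots):
    """Sorted paths of .py/.pth files or directories writable by everyone."""
    hits = set()
    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, _dirnames, filenames in os.walk(root):
            # A writable directory is as bad as a writable file: anyone can
            # drop an __init__.py or rename modules inside it.
            if is_world_writable(dirpath):
                hits.add(dirpath)
            for fn in filenames:
                if fn.endswith((".py", ".pth")):
                    p = os.path.join(dirpath, fn)
                    if is_world_writable(p):
                        hits.add(p)
    return sorted(hits)


def build_demo_tree():
    """Constructed fixture: one properly protected module and one with rwx for everyone."""
    base = tempfile.mkdtemp()
    good = os.path.join(base, "good_mod.py")
    bad = os.path.join(base, "bad_mod.py")
    for p in (good, bad):
        with open(p, "w") as f:
            f.write("VALUE = 1\n")
    os.chmod(base, 0o755)
    os.chmod(good, 0o644)
    os.chmod(bad, 0o777)  # the misconfiguration from the writeup
    return base, good, bad


if __name__ == "__main__":
    for p in world_writable_modules(sys.path):
        print("world-writable:", p)
```

The fix on a real box is `chmod o-w` on the offending files and directories and root (or the owning service account) as owner; the audit should then return nothing for every path Python will import from.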