Lessons learned

Zone Transfer

  • DNS usually runs on UDP. On this box it also ran on TCP, and performing a zone transfer gave us a list of all hosts on the domain. DNS should be configured to only allow zone transfers from trusted IP addresses. There are other ways to enumerate hosts.

  • SMB allowed anonymous login without a password; this should have been disabled. There was also a share with WRITE access on it. As shown, we took advantage of that by uploading a reverse shell. On top of that access, credentials were stored in plain text!
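The two fixes above (restrict `allow-transfer` in BIND, and stop shares from being both guest-accessible and writable in Samba) are easy to check in a config review. The script below is an added example, not anything from the box: it parses constructed `named.conf` and `smb.conf` fragments and flags the weak settings next to corrected versions. The zone name, addresses and share names are made up, and the Samba parsing covers the common spellings (`guest ok`/`public`, `writable`/`writeable`/`read only`), not every synonym Samba accepts.

```python
"""Audit constructed BIND and Samba config fragments for the two
misconfigurations from the first two lessons: zone transfers allowed to
anyone, and shares that are both guest-accessible and writable.
Added example; the snippets are constructed and are not the box's files."""
import re
from configparser import ConfigParser

# --- Constructed named.conf fragments ------------------------------------
NAMED_CONF_WEAK = """
options {
    directory "/var/cache/bind";
    allow-transfer { any; };          // anyone can AXFR every zone
};
zone "example.test" {
    type master;
    file "/etc/bind/db.example.test";
};
"""

NAMED_CONF_FIXED = """
options {
    directory "/var/cache/bind";
    allow-transfer { 10.10.10.5; };   // constructed secondary address only
};
"""

# --- Constructed smb.conf fragments --------------------------------------
SMB_CONF_WEAK = """
[global]
   workgroup = WORKGROUP
   ; unknown users are mapped to the guest account: anonymous login works
   map to guest = Bad User

[Development]
   path = /srv/samba/dev
   guest ok = yes
   writable = yes
"""

SMB_CONF_FIXED = """
[global]
   workgroup = WORKGROUP
   map to guest = Never

[Development]
   path = /srv/samba/dev
   valid users = @developers
   read only = no
"""


def bind_transfer_acl(conf: str) -> list:
    """Elements of the first allow-transfer address-match list; [] if absent."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", conf)
    if not m:
        return []
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def bind_zone_transfer_open(conf: str) -> bool:
    """Open if the ACL contains 'any' or is missing (BIND 9 before 9.18 defaults to any)."""
    acl = bind_transfer_acl(conf)
    return not acl or "any" in acl


_TRUE = {"yes", "true", "1"}


def _flag(section, *names, default=False) -> bool:
    """Read a Samba boolean, trying each synonym in turn."""
    for n in names:
        if n in section:
            return section[n].strip().lower() in _TRUE
    return default


def _parse_smb(conf: str) -> ConfigParser:
    cp = ConfigParser(interpolation=None, strict=False)
    # smb.conf indents its keys; configparser would read indented lines as
    # continuations of the previous value, so strip the indentation first.
    cp.read_string("\n".join(line.strip() for line in conf.splitlines()))
    return cp


def guest_writable_shares(conf: str) -> list:
    """Names of shares that allow unauthenticated writes."""
    cp = _parse_smb(conf)
    hits = []
    for name in cp.sections():
        if name.lower() in ("global", "printers"):
            continue
        s = cp[name]
        guest = _flag(s, "guest ok", "public")
        writable = (_flag(s, "writable", "writeable", "write ok")
                    or not _flag(s, "read only", default=True))
        if guest and writable:
            hits.append(name)
    return hits


def guest_mapping_enabled(conf: str) -> bool:
    """True when 'map to guest' lets unknown users in as the guest account."""
    cp = _parse_smb(conf)
    if not cp.has_section("global"):
        return False
    return cp["global"].get("map to guest", "Never").strip().lower() != "never"


if __name__ == "__main__":
    for label, conf in (("weak", NAMED_CONF_WEAK), ("fixed", NAMED_CONF_FIXED)):
        print(f"bind {label}: zone transfer open = {bind_zone_transfer_open(conf)}")
    for label, conf in (("weak", SMB_CONF_WEAK), ("fixed", SMB_CONF_FIXED)):
        print(f"smb {label}: guest mapping = {guest_mapping_enabled(conf)}, "
              f"guest-writable shares = {guest_writable_shares(conf)}")
```

The corrected Samba share keeps write access but gates it behind `valid users`; the point is not that writable shares are wrong, only that anonymous plus writable is. Run the same functions over a real `named.conf` and `smb.conf` read from disk to review a host.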

  • LFI is not always obvious. In this case we were able to exploit an LFI vulnerability to execute a PHP shell on the system. Security measures should include input sanitization, an allow-list of includable files, etc.
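To make the "sanitization and allowed files" point concrete, here is an added example (Python rather than the box's PHP, and not code from the write-up) showing the vulnerable include shape beside a hardened one. The web root, the pages and the `secret.txt` file outside the root are all constructed in a temporary directory; the hardened version applies an allow-list of page names, appends the extension server-side, and then checks that the resolved path is still under the web root so a symlink cannot point outside it.

```python
"""Vulnerable include pattern beside a hardened one. Added example, not the
box's PHP: the web root, pages and secret file are constructed in a temp dir."""
import os
import tempfile
from pathlib import Path

ALLOWED_PAGES = {"home", "about"}   # constructed allow-list of includable pages


def vulnerable_read(base: str, page: str) -> str:
    """The classic LFI shape: user input joined straight onto a directory.
    '../' walks out of base, and an absolute page makes os.path.join drop
    base entirely, so any readable file (or an uploaded script) can be pulled in."""
    with open(os.path.join(base, page)) as f:
        return f.read()


def hardened_read(base: str, page: str) -> str:
    """Allow-list the page name, append the extension ourselves, then confirm
    the resolved path is still under the web root (catches symlink tricks)."""
    if page not in ALLOWED_PAGES:
        raise ValueError("page not in allow-list")
    root = Path(base).resolve()
    target = (root / f"{page}.html").resolve()
    if root not in target.parents:
        raise ValueError("path escapes web root")
    return target.read_text()


def demo() -> dict:
    """Constructed fixture: web root with home.html, a secret one level up,
    and an about.html symlink that points at the secret."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        root.mkdir()
        (root / "home.html").write_text("<h1>home</h1>")
        secret = Path(tmp) / "secret.txt"
        secret.write_text("db_password=constructed")
        (root / "about.html").symlink_to(secret)   # looks like a page, resolves outside

        results = {
            "vulnerable_traversal": vulnerable_read(str(root), "../secret.txt"),
            "hardened_home": hardened_read(str(root), "home"),
        }
        for attempt in ("../secret.txt", "about"):
            try:
                hardened_read(str(root), attempt)
                results[attempt] = "allowed"
            except ValueError as exc:
                results[attempt] = str(exc)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allow-list stops the traversal string before any path is built; the containment check is the second layer that fires when an allowed name resolves somewhere it should not. Sanitizing `../` alone is not enough, since absolute paths, encoded separators and symlinks all bypass a naive filter.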

  • Python modules can be misconfigured. This is something that I did not know. Regular users should only have read access to such modules. This particular module had rwx for everyone on the system.
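A quick way to catch the module-permission problem above on a host is to walk the interpreter's import paths and report anything any user can write to. The script below is an added example, not from the write-up: `find_writable_modules` flags world-writable module files and package directories, `audit_current_interpreter` runs it over the paths the running Python actually imports from, and `demo` builds a constructed fixture (one sane module, one world-writable module, one world-writable package directory) so the check can be exercised without touching the real installation.

```python
"""Find Python module files and package directories that any local user
could modify. Added example, not from the write-up; the fixture in demo()
is constructed, and audit_current_interpreter() reports whatever paths the
running interpreter uses."""
import os
import stat
import sys
import sysconfig
import tempfile

MODULE_SUFFIXES = (".py", ".pth", ".so", ".pyd")


def world_writable(path: str) -> bool:
    """True if the 'other' write bit is set. Symlinks are skipped because
    their own mode bits carry no meaning."""
    st = os.lstat(path)
    return not stat.S_ISLNK(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def find_writable_modules(roots) -> list:
    """Walk each root; return world-writable package directories and module
    files. A writable directory matters as much as a writable file, since
    anyone can drop a new module (or __init__.py) into it."""
    hits = set()
    for root in roots:
        if not os.path.isdir(root):
            continue
        if world_writable(root):
            hits.add(root)
        for dirpath, dirnames, filenames in os.walk(root):
            for d in dirnames:
                p = os.path.join(dirpath, d)
                if world_writable(p):
                    hits.add(p)
            for f in filenames:
                if f.endswith(MODULE_SUFFIXES):
                    p = os.path.join(dirpath, f)
                    if world_writable(p):
                        hits.add(p)
    return sorted(hits)


def audit_current_interpreter() -> list:
    """Check the stdlib, site-packages and every non-empty sys.path entry."""
    paths = sysconfig.get_paths()
    roots = [paths["stdlib"], paths["purelib"], paths["platlib"]]
    roots += [p for p in sys.path if p]
    return find_writable_modules(dict.fromkeys(roots))   # dedupe, keep order


def demo() -> list:
    """Constructed fixture; returns the flagged paths relative to the temp root."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.py")
        open(good, "w").close()
        os.chmod(good, 0o644)               # owner writes, everyone else reads
        bad = os.path.join(tmp, "bad.py")
        open(bad, "w").close()
        os.chmod(bad, 0o666)                # the 'rw for everyone' case
        pkg = os.path.join(tmp, "pkg")
        os.mkdir(pkg)
        os.chmod(pkg, 0o777)                # the 'rwx for everyone' case
        return [os.path.relpath(p, tmp) for p in find_writable_modules([tmp])]


if __name__ == "__main__":
    print("fixture hits:", demo())
    for p in audit_current_interpreter():
        print("world-writable:", p)
```

Anything the audit prints is a candidate for `chmod o-w` (recursively for a package directory). The check only looks at the classic mode bits; a host that uses POSIX ACLs would need `getfacl` as well.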
