[PentesterLab] Bootcamp


After ‘graduation’ with the OSCP certification, it’s time to find a new challenge to accomplish.

It seems that the [PentesterLab] Bootcamp will be the perfect fit!
It consists of 15 challenges in total, and some of them seem, to me, quite difficult. Maybe I’ll feel otherwise once I get started on them hands-on.

Time to learn some new stuff! Will update this page again once I’ve completed some of them as I go along. Heh.

Stay safe~

-9emin1

[9th July, 2016]
[Completed Challenges 1-4]

[1]
– Linux and Scripting –

  • Install Linux: Retrieve a virtualization system (VirtualBox, VM player) and install Linux. Use a traditional distribution like Ubuntu, not a security-related one.
  • Learn the basics of a scripting language: Pick between Ruby (Try Ruby), Python (Online) or Perl and learn its syntax and data types. You will need it to keep going.

I’ve chosen Ubuntu 14.04 LTS for the virtualization system.
I’ve chosen Python, for the choice of a scripting language.

So beautiful~~~

Ubuntu1404.PNG

End of [1]


[2]
– HTTP –

  • Install Apache inside your vm, change the home page of the hosted site using vim. Access this page in your browser (on the host).
  • Change your hosts file to access the Linux system under the following name: vulnerable
  • Write an HTTP client to retrieve the home page of your site using an http library (for example net/http in ruby).
  • Write an HTTP client to retrieve the home page of your site using a socket.
  • Download Burp Suite (free version), visit a website and see what requests are sent and what responses are received.

So not used to running “sudo” beforehand, hah.

apt-get-install-apache.PNG

Verifying it’s running.

apache-running.PNG

Accessing it via localhost.

apache-works.PNG

Edited some part of the index.html using vim.

edited-using-vim.PNG

Edited the /etc/hosts file.
Able to directly access the Web Server via “vulnerable”.

etchosts-vulnerable.PNG

Source-code of my Python HTTP client, using an HTTP library.

httpclientpy.PNG

Source-code of my Python HTTP client, using a socket.

socketclientpy.PNG

Downloaded Burp Suite Free edition.

burpsuite-download.PNG

Downloaded successfully.

burpsuite-downloaded.PNG

Downloading the required OpenJDK.

getting-openjdk-for-burp.PNG

Burp Suite working.

burpsuite-work.PNG

Configuring FireFox proxy to allow Burp Suite interception.

configure-proxy-firefox.PNG

Interception success. Able to examine http requests/responses.

intercept-traffic-via-proxy.PNG

End of [2]


[3]
– PHP and DNS –

  • PHP basics:
    • Install PHP in your virtual machine (using your previous Apache installation), write a script that echoes back a parameter in the URL. For example, accessing http://vulnerable/hello.php?name=Louis will return “Hello Louis”.
    • Install MySQL and create a script that retrieves information from it, like article.php?id=1 returns a book and article.php?id=2 returns a computer.
    • Create a page that sends data to itself using a POST request.
  • DNS and whois:
    • Install the command line tool dig in your vm.
    • Find what name servers are used by PentesterLab, find what mail servers are used by PentesterLab and find the IP address of http://www.pentesterlab.com.
    • Obtain information about pentesterlab.com using the whois tool.

This was quite challenging for me, and I spent a few hours on it.
Lots of Google-Fu.

install-php5.PNG

Source-code of my hello.php

php-echo-name.PNG

Downloading mysql.

install-mysql.PNG

MySQL working.

mysql-success.PNG

Setting up the database for this challenge.

settingup-database.PNG

Filling up the bootcamp database. (Ignore the image. Initially I wanted to beautify it.)

mysql-content.PNG

Source-code of article.php.
I forgot to install php5-mysql and was stuck for quite a while.
Without php5-mysql, PHP will not be able to communicate with MySQL.

article-php-sourcecode.PNG

Working article.php code.

articlephp1.PNG

Working article.php code.

articlephp2.PNG

Working article.php code.

articlephp-no-result.PNG

Source-code of post.php.

post-php.PNG

Working post.php code.

post-php-works.PNG

Working post.php code.
The “POST” method will not display the variables and their values in the URL.

post-php-works2.PNG

Dig was already installed on my version of Ubuntu.

dig-alr-installed.PNG

“Digging” Pentesterlab.com Mail Servers. (Highlighted in white)

dig-pentestlab-mx.PNG

“Digging” Pentesterlab.com Name Servers. (Highlighted in white)

dig-pentestlab-ns.PNG

“Digging” Pentesterlab.com IP Address. (Highlighted in white)

dig-pentestlab-ip.PNG

The whois tool can be easily installed on Ubuntu.
It was also possible to use the web-based whois tool.

whois-pentesterlab.PNG

End of [3]


[4]
– SSL/TLS – 

  • Set up SSL:
    • enable HTTPS on your web server
    • make sure you disabled all the weak ciphers.
  • Play with SSL:
    • write an SSL client using an HTTP library
    • write an SSL client using a socket
    • access your SSL server with your previous HTTP script and socat to do the connection socket<->ssl-socket

Enabling SSL.

ssl-setup.PNG

Generating apache.key and apache.crt (RSA:2048).

ssl-setup2.PNG

Edited the default-ssl.conf file.
(Change the variables which are not commented out accordingly)

ssl-setup3.PNG

Verifying our traffic is encrypted.
(The error is expected, since I am using a self-signed cert)

ssl-success.PNG

Source-code of my Python HTTPS client script, using an HTTP library.

ssl-http-clientpy.PNG

Source-code of my Python HTTPS client script, using a socket.

ssl-socket-clientpy.PNG
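An added example covering two of the tasks above, the socket-based SSL client and the “disable all the weak ciphers” check (this is not the author’s script from the screenshot). It assumes the `vulnerable` hosts alias from challenge 2 and uses the self-signed apache.crt from this challenge as the trust anchor instead of turning certificate verification off; `server_accepts()` is an audit helper for your own server that reports whether a handshake offering only a given cipher group completes.

```python
import socket
import ssl

# Added example, not the author's script. Assumptions: "vulnerable" is the
# /etc/hosts alias from challenge 2; apache.crt is the self-signed cert
# generated in challenge 4, used as the CA file rather than skipping checks.
HOST, PORT, CAFILE = "vulnerable", 443, "apache.crt"
WEAK = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")

def is_weak_cipher(name):
    """RC4, (3)DES, NULL/export grades, MD5 MACs, anonymous key exchange."""
    return any(marker in name.upper() for marker in WEAK)

def make_context(cafile=CAFILE):
    """Verify the server against apache.crt (cafile=None: system store),
    insist on TLS 1.2+, and offer only forward-secret AEAD suites."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!PSK:!SRP")
    return ctx

def offered_weak_ciphers(ctx):
    """Weak suites the context would still offer; should be an empty list."""
    return [c["name"] for c in ctx.get_ciphers() if is_weak_cipher(c["name"])]

def fetch_status(ctx, host=HOST, port=PORT, path="/"):
    """TLS over a plain socket, then one HTTP/1.0 GET. Returns the
    negotiated protocol, the cipher suite and the server's status line."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            status = tls.recv(4096).split(b"\r\n", 1)[0].decode("iso-8859-1")
            return tls.version(), tls.cipher()[0], status

def server_accepts(cipher_string, host=HOST, port=PORT):
    """Audit your own server: does a handshake offering only `cipher_string`
    (e.g. "RC4", "3DES") complete? Only the handshake outcome matters here,
    so verification is off; False also means our OpenSSL lacks the suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 ignores the list
    try:
        ctx.set_ciphers(cipher_string)
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False
```

Against the VM, `fetch_status(make_context())` should report a TLS 1.2+ protocol and an ECDHE suite, and `server_accepts("RC4")`, `server_accepts("3DES")` and `server_accepts("EXPORT")` should all return False once the weak ciphers are disabled in default-ssl.conf.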

As shown below,

my Python script is requesting plain “http”, which should not work if forwarded directly to an SSL server (error code 400 Bad Request).

I successfully “proxied” the HTTP request to my SSL server on port 443 using socat.
No errors!

http-socat-to-https.PNG

End of [4]