2019-01-23 22:55:53 +08:00
This document describes Infection Monkey’ s test network, how to deploy and use it.
[Warning\! ](#warning )< br >
[Introduction ](#introduction )< br >
[Getting started ](#getting-started )< br >
[Using islands ](#using-islands )< br >
[Running tests ](#running-tests )< br >
[Machines’ legend ](#machines-legend )< br >
[Machines ](#machines )< br >
[Nr. 2 Hadoop ](#_Toc526517182 )< br >
[Nr. 3 Hadoop ](#_Toc526517183 )< br >
[Nr. 4 Elastic ](#_Toc526517184 )< br >
[Nr. 5 Elastic ](#_Toc526517185 )< br >
[Nr. 6 Sambacry ](#_Toc536021459 )< br >
[Nr. 7 Sambacry ](#_Toc536021460 )< br >
[Nr. 8 Shellshock ](#_Toc536021461 )< br >
[Nr. 9 Tunneling M1 ](#_Toc536021462 )< br >
[Nr. 10 Tunneling M2 ](#_Toc536021463 )< br >
[Nr. 11 SSH key steal ](#_Toc526517190 )< br >
[Nr. 12 SSH key steal ](#_Toc526517191 )< br >
[Nr. 13 RDP grinder ](#_Toc526517192 )< br >
[Nr. 14 Mimikatz ](#_Toc536021467 )< br >
[Nr. 15 Mimikatz ](#_Toc536021468 )< br >
[Nr. 16 MsSQL ](#_Toc536021469 )< br >
[Nr. 17 Upgrader ](#_Toc536021470 )< br >
[Nr. 18 WebLogic ](#_Toc526517180 )< br >
[Nr. 19 WebLogic ](#_Toc526517181 )< br >
[Nr. 20 SMB ](#_Toc536021473 )< br >
[Nr. 21 Scan ](#_Toc526517196 )< br >
[Nr. 22 Scan ](#_Toc526517197 )< br >
[Nr. 23 Struts2 ](#_Toc536021476 )< br >
[Nr. 24 Struts2 ](#_Toc536021477 )< br >
2021-08-24 19:13:19 +08:00
[Nr. 25 Zerologon ](#_Toc536021478 )< br >
[Nr. 3-45 Powershell ](#_Toc536021479 )< br >
[Nr. 3-46 Powershell ](#_Toc536021480 )< br >
2021-09-02 23:06:22 +08:00
[Nr. 3-47 Powershell ](#_Toc536021481 )< br >
2021-09-24 21:29:11 +08:00
[Nr. 3-48 Powershell ](#_Toc536021482 )< br >
[Nr. 250 MonkeyIsland ](#_Toc536021483 )< br >
[Nr. 251 MonkeyIsland ](#_Toc536021484 )< br >
2019-01-23 22:55:53 +08:00
[Network topography ](#network-topography )< br >
# Warning\!
This project builds an intentionally
< span class = "underline" > vulnerable< / span > network. Make sure not to add
production servers to the same network and leave it closed to the
public.
# Introduction:
MonkeyZoo is a Google Cloud Platform network deployed with terraform.
Terraform scripts allows you to quickly setup a network that’ s full of
vulnerable machines to regression test monkey’ s exploiters, evaluate
scanning times in a real-world scenario and many more.
# Getting started:
Requirements:
1. Have terraform installed.
2. Have a Google Cloud Platform account (upgraded if you want to test
whole network at once).
To deploy:
2019-04-11 15:26:46 +08:00
1. Configure service account for your project:
2021-01-20 04:27:43 +08:00
a. Create a service account (GCP website -> IAM & Admin -> Service Accounts -> + CREATE SERVICE ACCOUNT) and name it “your\_name-monkeyZoo-user”
2021-08-24 19:13:19 +08:00
2019-04-11 15:26:46 +08:00
b. Give these permissions to your service account:
2021-08-24 19:13:19 +08:00
2019-04-11 15:26:46 +08:00
**Compute Engine -> Compute Network Admin**
and
2021-01-20 04:27:43 +08:00
**Compute Engine -> Compute Instance Admin (v1)**
2019-04-11 19:00:15 +08:00
and
**Compute Engine -> Compute Security Admin**
and
**Service Account User**
2021-08-24 19:13:19 +08:00
2019-04-11 15:26:46 +08:00
or
2021-08-24 19:13:19 +08:00
2019-04-11 15:26:46 +08:00
**Project -> Owner**
2021-08-24 19:13:19 +08:00
2021-01-20 04:27:43 +08:00
c. Create and download its **Service account key** in JSON and place it in **monkey_zoo/gcp_keys** as **gcp_key.json** .
2. Get these permissions in the monkeyZoo project (guardicore-22050661) for your service account (ask monkey developers to add them):
2019-01-23 22:55:53 +08:00
a. **Compute Engine -\> Compute image user**
2021-01-20 04:27:43 +08:00
2019-01-23 22:55:53 +08:00
3. Change configurations located in the
../monkey/envs/monkey\_zoo/terraform/config.tf file (don’ t forget to
link to your service account key file):
2019-09-04 15:19:36 +08:00
provider "google" {
2021-08-24 19:13:19 +08:00
2019-09-04 15:19:36 +08:00
project = "test-000000" // Change to your project id
2021-08-24 19:13:19 +08:00
2019-09-04 15:19:36 +08:00
region = "europe-west3" // Change to your desired region or leave default
2021-08-24 19:13:19 +08:00
2019-09-04 15:19:36 +08:00
zone = "europe-west3-b" // Change to your desired zone or leave default
2021-08-24 19:13:19 +08:00
credentials = "${file("../gcp_keys/gcp_key.json")}" // Change to the location and name of the service key.
2019-09-04 15:19:36 +08:00
// If you followed instruction above leave it as is
2021-08-24 19:13:19 +08:00
2019-09-04 15:19:36 +08:00
}
2021-08-24 19:13:19 +08:00
2019-09-04 15:19:36 +08:00
locals {
2021-08-24 19:13:19 +08:00
2019-09-04 15:19:36 +08:00
resource_prefix = "" // All of the resources will have this prefix.
// Only change if you want to have multiple zoo's in the same project
2021-08-24 19:13:19 +08:00
2019-09-04 15:19:36 +08:00
service_account_email="tester-monkeyZoo-user@testproject-000000.iam.gserviceaccount.com" // Service account email
2021-08-24 19:13:19 +08:00
2019-09-04 15:19:36 +08:00
monkeyzoo_project="guardicore-22050661" // Project where monkeyzoo images are kept. Leave as is.
2021-08-24 19:13:19 +08:00
2019-09-04 15:19:36 +08:00
}
2021-08-24 19:13:19 +08:00
2019-01-23 22:55:53 +08:00
4. Run terraform init
To deploy the network run:< br >
`terraform plan` (review the changes it will make on GCP)< br >
`terraform apply` (creates 2 networks for machines)< br >
`terraform apply` (adds machines to these networks)
# Using islands:
2021-08-24 19:13:19 +08:00
### How to get into the islands:
2019-01-23 22:55:53 +08:00
**island-linux-250:** SSH from GCP
**island-windows-251:** In GCP/VM instances page click on
island-windows-251. Set password for your account and then RDP into
the island.
2021-08-24 19:13:19 +08:00
### These are most common steps on monkey islands:
2019-01-23 22:55:53 +08:00
2021-10-07 21:56:10 +08:00
### For users
Upload the AppImage deployment option and run it in island-linux-250.
Or upload the MSI deployment option, install it and run it in island-windows-251.
After that use the Monkey as you would on local network.
### For developers
2021-08-24 19:13:19 +08:00
#### island-linux-250:
2019-01-23 22:55:53 +08:00
2021-10-07 21:56:10 +08:00
To run monkey island from source:< br >
2019-01-23 22:55:53 +08:00
`sudo /usr/run\_island.sh` < br >
2021-10-07 21:56:10 +08:00
To run monkey from source:< br >
2019-01-23 22:55:53 +08:00
`sudo /usr/run\_monkey.sh` < br >
To update repository:< br >
`git pull /usr/infection_monkey` < br >
Update all requirements using deployment script:< br >
1\. `cd /usr/infection_monkey/deployment_scripts` < br >
2\. `./deploy_linux.sh "/usr/infection_monkey" "develop"` < br >
2021-08-24 19:13:19 +08:00
#### island-windows-251:
2019-01-23 22:55:53 +08:00
2021-10-07 21:56:10 +08:00
To run monkey island from source:< br >
2019-01-23 22:55:53 +08:00
Execute C:\\run\_monkey\_island.bat as administrator
2021-10-07 21:56:10 +08:00
To run monkey from source:< br >
2019-01-23 22:55:53 +08:00
Execute C:\\run\_monkey.bat as administrator
To update repository:< br >
1\. Open cmd as an administrator< br >
2\. `cd C:\infection_monkey` < br >
3\. `git pull` (updates develop branch)< br >
Update all requirements using deployment script:< br >
2021-08-24 19:13:19 +08:00
1\. `cd C:\infection_monkey\deployment_scripts` < br >
2\. `./run_script.bat "C:\infection_monkey" "develop"` < br >
2019-01-23 22:55:53 +08:00
# Machines:
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc526517182" class = "anchor" > < / span > Nr. < strong > 2< / strong > Hadoop< / p >
< p > (10.2.2.2)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Ubuntu 16.04.05 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > < p > JDK,< / p >
< p > < a href = "https://hadoop.apache.org/releases.html" > Hadoop 2.9.1< / a > < / p > < / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > 8020< / td >
< / tr >
< tr class = "even" >
< td > Server’ s config:< / td >
< td > < a href = "https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/SingleCluster.html" > Single node cluster< / a > < / td >
< / tr >
< tr class = "odd" >
< td > Scan results:< / td >
< td > Machine exploited using Hadoop exploiter< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > < / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc526517183" class = "anchor" > < / span > Nr. < strong > 3< / strong > Hadoop< / p >
< p > (10.2.2.3)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows 10 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > < p > JDK,< / p >
< p > < a href = "https://hadoop.apache.org/releases.html" > Hadoop 2.9.1< / a > < / p > < / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > 8020< / td >
< / tr >
< tr class = "even" >
< td > Server’ s config:< / td >
< td > < a href = "https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/SingleCluster.html" > Single node cluster< / a > < / td >
< / tr >
< tr class = "odd" >
< td > Scan results:< / td >
< td > Machine exploited using Hadoop exploiter< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > < / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc526517184" class = "anchor" > < / span > Nr. < strong > 4< / strong > Elastic< / p >
< p > (10.2.2.4)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Ubuntu 16.04.05 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > < p > JDK,< / p >
< p > < a href = "https://www.elastic.co/downloads/past-releases/elasticsearch-1-4-2" > Elastic 1.4.2< / a > < / p > < / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > 9200< / td >
< / tr >
< tr class = "even" >
< td > Server’ s config:< / td >
< td > Default< / td >
< / tr >
< tr class = "odd" >
< td > Scan results:< / td >
< td > Machine exploited using Elastic exploiter< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > < a href = "https://www.elastic.co/guide/en/elasticsearch/reference/1.4/_index_and_query_a_document.html" > Quick< / a > tutorial on how to add entries (was useful when setting up).< / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc526517185" class = "anchor" > < / span > Nr. < strong > 5< / strong > Elastic< / p >
< p > (10.2.2.5)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows 10 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > < p > JDK,< / p >
< p > < a href = "https://www.elastic.co/downloads/past-releases/elasticsearch-1-4-2" > Elastic 1.4.2< / a > < / p > < / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > 9200< / td >
< / tr >
< tr class = "even" >
< td > Server’ s config:< / td >
< td > Default< / td >
< / tr >
< tr class = "odd" >
< td > Scan results:< / td >
< td > Machine exploited using Elastic exploiter< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > < a href = "https://www.elastic.co/guide/en/elasticsearch/reference/1.4/_index_and_query_a_document.html" > Quick< / a > tutorial on how to add entries (was useful when setting up).< / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021459" class = "anchor" > < / span > Nr. < strong > 6< / strong > Sambacry< / p >
< p > (10.2.2.6)< / p > < / th >
< th > (Not implemented)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Ubuntu 16.04.05 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > Samba > 3.5.0 and < 4.6.4, 4.5.10 and 4.4.14< / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > -< / td >
< / tr >
< tr class = "even" >
< td > Root password:< / td >
< td > ;^TK`9XN_x^< / td >
< / tr >
< tr class = "odd" >
< td > Server’ s config:< / td >
< td > < / td >
< / tr >
< tr class = "even" >
< td > Scan results:< / td >
< td > Machine exploited using Sambacry exploiter< / td >
< / tr >
< tr class = "odd" >
< td > Notes:< / td >
< td > < / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021460" class = "anchor" > < / span > Nr. < strong > 7< / strong > Sambacry< / p >
< p > (10.2.2.7)< / p > < / th >
< th > (Not implemented)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Ubuntu 16.04.05 x32< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > Samba > 3.5.0 and < 4.6.4, 4.5.10 and 4.4.14< / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > -< / td >
< / tr >
< tr class = "even" >
< td > Root password:< / td >
< td > *.& A7/W}Rc$< / td >
< / tr >
< tr class = "odd" >
< td > Server’ s config:< / td >
< td > < / td >
< / tr >
< tr class = "even" >
< td > Scan results:< / td >
< td > Machine exploited using Sambacry exploiter< / td >
< / tr >
< tr class = "odd" >
< td > Notes:< / td >
< td > < / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021461" class = "anchor" > < / span > Nr. < strong > 8< / strong > Shellshock< / p >
< p > (10.2.2.8)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Ubuntu 12.04 LTS x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > Apache2, bash 4.2.< / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > 80< / td >
< / tr >
< tr class = "even" >
< td > Scan results:< / td >
< td > Machine exploited using Shellshock exploiter< / td >
< / tr >
< tr class = "odd" >
< td > Notes:< / td >
< td > Vulnerable app is under /cgi-bin/test.cgi< / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021462" class = "anchor" > < / span > Nr. < strong > 9< / strong > Tunneling M1< / p >
< p > (10.2.2.9, 10.2.1.9)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Ubuntu 16.04.05 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > OpenSSL< / td >
< / tr >
< tr class = "odd" >
< td > Default service’ s port:< / td >
< td > 22< / td >
< / tr >
< tr class = "even" >
< td > Root password:< / td >
< td > `))jU7L(w}< / td >
< / tr >
< tr class = "odd" >
< td > Server’ s config:< / td >
< td > Default< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > < / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021463" class = "anchor" > < / span > Nr. < strong > 10< / strong > Tunneling M2< / p >
< p > (10.2.1.10)< / p > < / th >
< th > (Exploitable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Ubuntu 16.04.05 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > OpenSSL< / td >
< / tr >
< tr class = "odd" >
< td > Default service’ s port:< / td >
< td > 22< / td >
< / tr >
< tr class = "even" >
< td > Root password:< / td >
< td > 3Q=(Ge(+& w]*< / td >
< / tr >
< tr class = "odd" >
< td > Server’ s config:< / td >
< td > Default< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > Accessible only trough Nr.9< / td >
< / tr >
< / tbody >
< / table >
2019-08-25 23:33:21 +08:00
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021463" class = "anchor" > < / span > Nr. < strong > 11< / strong > Tunneling M3< / p >
< p > (10.2.0.11)< / p > < / th >
< th > (Exploitable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Ubuntu 16.04.05 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > OpenSSL< / td >
< / tr >
< tr class = "odd" >
< td > Default service’ s port:< / td >
< td > 22< / td >
< / tr >
< tr class = "even" >
< td > Root password:< / td >
< td > 3Q=(Ge(+& w]*< / td >
< / tr >
< tr class = "odd" >
< td > Server’ s config:< / td >
< td > Default< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > Accessible only trough Nr.10< / td >
< / tr >
< / tbody >
< / table >
2020-03-12 21:56:06 +08:00
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021463" class = "anchor" > < / span > Nr. < strong > 12< / strong > Tunneling M4< / p >
< p > (10.2.0.12)< / p > < / th >
< th > (Exploitable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows server 2019 x64< / strong > < / td >
< / tr >
< tr class = "odd" >
< td > Default service’ s port:< / td >
< td > 445< / td >
< / tr >
< tr class = "even" >
< td > Root password:< / td >
2020-03-16 18:07:17 +08:00
< td > t67TC5ZDmz< / td >
2020-03-12 21:56:06 +08:00
< / tr >
< tr class = "odd" >
< td > Server’ s config:< / td >
< td > Default< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > Accessible only trough Nr.10< / td >
< / tr >
< / tbody >
< / table >
2019-01-23 22:55:53 +08:00
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc526517190" class = "anchor" > < / span > Nr. < strong > 11< / strong > SSH key steal.< / p >
< p > (10.2.2.11)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Ubuntu 16.04.05 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > OpenSSL< / td >
< / tr >
< tr class = "odd" >
< td > Default connection port:< / td >
< td > 22< / td >
< / tr >
< tr class = "even" >
< td > Root password:< / td >
< td > ^NgDvY59~8< / td >
< / tr >
< tr class = "odd" >
< td > Server’ s config:< / td >
< td > SSH keys to connect to NR. 11< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > < / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc526517191" class = "anchor" > < / span > Nr. < strong > 12< / strong > SSH key steal.< / p >
< p > (10.2.2.12)< / p > < / th >
< th > (Exploitable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Ubuntu 16.04.05 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > OpenSSL< / td >
< / tr >
< tr class = "odd" >
< td > Default connection port:< / td >
< td > 22< / td >
< / tr >
< tr class = "even" >
< td > Root password:< / td >
< td > u?Sj5@6(-C< / td >
< / tr >
< tr class = "odd" >
< td > Server’ s config:< / td >
< td > SSH configured to allow connection from NR.10< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > Don’ t add this machine’ s credentials to exploit configuration.< / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc526517192" class = "anchor" > < / span > Nr. < strong > 13< / strong > RDP grinder< / p >
< p > (10.2.2.13)< / p > < / th >
< th > (Not implemented)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows 10 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > -< / td >
< / tr >
< tr class = "odd" >
< td > Default connection port:< / td >
< td > 3389< / td >
< / tr >
< tr class = "even" >
< td > Root password:< / td >
< td > 2}p}aR]& =M< / td >
< / tr >
< tr class = "odd" >
< td > Server’ s config:< / td >
< td > < p > Remote desktop enabled< / p >
< p > Admin user’ s credentials:< / p >
< p > m0nk3y, 2}p}aR]& =M< / p > < / td >
< / tr >
2019-08-21 15:43:54 +08:00
< tr class = "even" >
2019-01-23 22:55:53 +08:00
< td > Notes:< / td >
< td > < / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021467" class = "anchor" > < / span > Nr. < strong > 14< / strong > Mimikatz< / p >
< p > (10.2.2.14)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows 10 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > -< / td >
< / tr >
< tr class = "odd" >
< td > Admin password:< / td >
< td > Ivrrw5zEzs< / td >
< / tr >
< tr class = "even" >
< td > Server’ s config:< / td >
2019-08-21 15:43:54 +08:00
< td > < p > Has cached mimikatz-15 RDP credentials< / p >
2019-01-23 22:55:53 +08:00
< p > < a href = "https://social.technet.microsoft.com/Forums/windows/en-US/8160d62b-0f5d-48a3-9fe9-5cd319837917/how-te-reenable-smb1-in-windows1o?forum=win10itprogeneral" > SMB< / a > turned on< / p > < / td >
< / tr >
< tr class = "odd" >
< td > Notes:< / td >
< td > < / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021468" class = "anchor" > < / span > Nr. < strong > 15< / strong > Mimikatz< / p >
< p > (10.2.2.15)< / p > < / th >
< th > (Exploitable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows 10 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > -< / td >
< / tr >
< tr class = "odd" >
< td > Admin password:< / td >
< td > pAJfG56JX> < < / td >
< / tr >
< tr class = "even" >
< td > Server’ s config:< / td >
< td > < p > It’ s credentials are cashed at mimikatz-14< / p >
< p > < a href = "https://social.technet.microsoft.com/Forums/windows/en-US/8160d62b-0f5d-48a3-9fe9-5cd319837917/how-te-reenable-smb1-in-windows1o?forum=win10itprogeneral" > SMB< / a > turned on< / p > < / td >
< / tr >
< tr class = "odd" >
< td > Notes:< / td >
< td > If you change this machine’ s IP it won’ t get exploited.< / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021469" class = "anchor" > < / span > Nr. < strong > 16< / strong > MsSQL< / p >
< p > (10.2.2.16)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows 10 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > MSSQL Server< / td >
< / tr >
< tr class = "odd" >
< td > Default service port:< / td >
< td > 1433< / td >
< / tr >
< tr class = "even" >
< td > Server’ s config:< / td >
2019-04-17 21:14:05 +08:00
< td > < p > xp_cmdshell feature enabled in MSSQL server< / p > < / td >
2019-01-23 22:55:53 +08:00
< / tr >
< tr class = "odd" >
2019-04-17 21:14:05 +08:00
< td > SQL server auth. creds:< / td >
< td > < p > m0nk3y : Xk8VDTsC< / p > < / td >
< / tr >
< tr class = "even" >
2019-01-23 22:55:53 +08:00
< td > Notes:< / td >
< td > < p > Enabled SQL server browser service< / p >
< p > < a href = "https://docs.microsoft.com/en-us/sql/relational-databases/lesson-2-connecting-from-another-computer?view=sql-server-2017" > Enabled remote connections< / a > < / p >
< p > < a href = "https://support.plesk.com/hc/en-us/articles/213397429-How-to-change-a-password-for-the-sa-user-in-MS-SQL-" > Changed default password< / a > < / p > < / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021470" class = "anchor" > < / span > Nr. < strong > 17< / strong > Upgrader< / p >
< p > (10.2.2.17)< / p > < / th >
< th > (Not implemented)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows 10 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Default service port:< / td >
< td > 445< / td >
< / tr >
< tr class = "odd" >
< td > Root password:< / td >
< td > U??7ppG_< / td >
< / tr >
< tr class = "even" >
< td > Server’ s config:< / td >
< td > < a href = "https://social.technet.microsoft.com/Forums/windows/en-US/8160d62b-0f5d-48a3-9fe9-5cd319837917/how-te-reenable-smb1-in-windows1o?forum=win10itprogeneral" > Turn on SMB< / a > < / td >
< / tr >
< tr class = "odd" >
< td > Notes:< / td >
< td > < / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc526517180" class = "anchor" > < / span > Nr. < strong > 18< / strong > WebLogic< / p >
< p > (10.2.2.18)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Ubuntu 16.04.05 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > < p > JDK,< / p >
< p > < a href = "https://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-main-097127.html" > Oracle WebLogic server 12.2.1.2< / a > < / p > < / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > 7001< / td >
< / tr >
< tr class = "even" >
< td > Admin domain credentials:< / td >
< td > weblogic : B74Ot0c4< / td >
< / tr >
< tr class = "odd" >
< td > Server’ s config:< / td >
< td > Default< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > < / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc526517181" class = "anchor" > < / span > Nr. < strong > 19< / strong > WebLogic< / p >
< p > (10.2.2.19)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows 10 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > < p > JDK,< / p >
< p > < a href = "https://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-main-097127.html" > Oracle WebLogic server 12.2.1.2< / a > < / p > < / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > 7001< / td >
< / tr >
< tr class = "even" >
< td > Admin servers credentials:< / td >
< td > weblogic : =ThS2d=m(`B< / td >
< / tr >
< tr class = "odd" >
< td > Server’ s config:< / td >
< td > Default< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > < / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021473" class = "anchor" > < / span > Nr. < strong > 20< / strong > SMB< / p >
< p > (10.2.2.20)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows 10 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > -< / td >
< / tr >
< tr class = "odd" >
< td > Default service’ s port:< / td >
< td > 445< / td >
< / tr >
< tr class = "even" >
< td > Root password:< / td >
< td > YbS,< tpS.2av< / td >
< / tr >
< tr class = "odd" >
< td > Server’ s config:< / td >
< td > < a href = "https://social.technet.microsoft.com/Forums/windows/en-US/8160d62b-0f5d-48a3-9fe9-5cd319837917/how-te-reenable-smb1-in-windows1o?forum=win10itprogeneral" > SMB< / a > turned on< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > < / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc526517196" class = "anchor" > < / span > Nr. < strong > 21< / strong > Scan< / p >
< p > (10.2.2.21)< / p > < / th >
< th > (Secure)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Ubuntu 16.04.05 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > Apache tomcat 7.0.92< / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > 8080< / td >
< / tr >
< tr class = "even" >
< td > Server’ s config:< / td >
< td > Default< / td >
< / tr >
< tr class = "odd" >
< td > Notes:< / td >
< td > Used to scan a machine that has no vulnerabilities (to evaluate scanning speed for e.g.)< / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc526517197" class = "anchor" > < / span > Nr. < strong > 22< / strong > Scan< / p >
< p > (10.2.2.22)< / p > < / th >
< th > (Secure)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows 10 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > Apache tomcat 7.0.92< / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > 8080< / td >
< / tr >
< tr class = "even" >
< td > Server’ s config:< / td >
< td > Default< / td >
< / tr >
< tr class = "odd" >
< td > Notes:< / td >
< td > Used to scan a machine that has no vulnerabilities (to evaluate scanning speed for e.g.)< / td >
< / tr >
< tr class = "even" >
< td > < / td >
< td > < / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021476" class = "anchor" > < / span > Nr. < strong > 23< / strong > Struts2< / p >
< p > (10.2.2.23)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Ubuntu 16.04.05 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > < p > JDK,< / p >
< p > struts2 2.3.15.1,< / p >
< p > tomcat 9.0.0.M9< / p > < / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > 8080< / td >
< / tr >
< tr class = "even" >
< td > Server’ s config:< / td >
< td > Default< / td >
< / tr >
< tr class = "odd" >
< td > Notes:< / td >
< td > < / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021477" class = "anchor" > < / span > Nr. < strong > 24< / strong > Struts2< / p >
< p > (10.2.2.24)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows 10 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > < p > JDK,< / p >
< p > struts2 2.3.15.1,< / p >
< p > tomcat 9.0.0.M9< / p > < / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > 8080< / td >
< / tr >
< tr class = "even" >
< td > Server’ s config:< / td >
< td > Default< / td >
< / tr >
< tr class = "odd" >
< td > Notes:< / td >
< td > < / td >
< / tr >
< / tbody >
< / table >
2020-11-03 22:11:51 +08:00
< table >
< thead >
< tr class = "header" >
2021-08-24 19:13:19 +08:00
< th > < p > < span id = "_Toc536021478" class = "anchor" > < / span > Nr. < strong > 25< / strong > ZeroLogon < / p >
2020-11-03 22:11:51 +08:00
< p > (10.2.2.25)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Server 2016< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Default server’ s port:< / td >
< td > 135< / td >
< / tr >
< / tbody >
< / table >
2019-01-23 22:55:53 +08:00
< table >
< thead >
< tr class = "header" >
2021-08-24 19:13:19 +08:00
< th > < p > < span id = "_Toc536021479" class = "anchor" > < / span > Nr. < strong > 3-45 Powershell< / strong > < / p >
< p > (10.2.3.45)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows Server 2016 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > WinRM service< / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > -< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > User: m0nk3y, Password: Passw0rd!< br > User: m0nk3y-user, No Password.< / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021480" class = "anchor" > < / span > Nr. < strong > 3-46 Powershell< / strong > < / p >
< p > (10.2.3.46)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows Server 2016 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > WinRM service< / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > -< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > User: m0nk3y, Password: Passw0rd!< / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
2021-09-02 23:06:22 +08:00
< th > < p > < span id = "_Toc536021481" class = "anchor" > < / span > Nr. < strong > 3-47 Powershell< / strong > < / p >
< p > (10.2.3.47)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows Server 2016 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > WinRM service< / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > -< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > User: m0nk3y, Password: Xk8VDTsC< / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
2021-09-24 21:29:11 +08:00
< th > < p > < span id = "_Toc536021482" class = "anchor" > < / span > Nr. < strong > 3-48 Powershell< / strong > < / p >
< p > (10.2.3.48)< / p > < / th >
< th > (Vulnerable)< / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows Server 2019 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > WinRM service< / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > -< / td >
< / tr >
< tr class = "even" >
< td > Notes:< / td >
< td > User: m0nk3y, Password: Passw0rd!< / td >
< / tr >
< / tbody >
< / table >
< table >
< thead >
< tr class = "header" >
< th > < p > < span id = "_Toc536021483" class = "anchor" > < / span > Nr. < strong > 250 MonkeyIsland< / strong > < / p >
2019-01-23 22:55:53 +08:00
< p > (10.2.2.250)< / p > < / th >
< th > < / th >
< / tr >
< / thead >
< tbody >
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Ubuntu 16.04.05 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > MonkeyIsland server, git, mongodb etc.< / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > 22, 443< / td >
< / tr >
< tr class = "even" >
< td > Private key passphrase:< / td >
< td > -< / td >
< / tr >
< tr class = "odd" >
< td > Notes:< / td >
< td > Only accessible trough GCP< / td >
< / tr >
2021-08-24 19:13:19 +08:00
< / tbody >
2019-01-23 22:55:53 +08:00
< / table >
< table >
< thead >
< tr class = "header" >
2021-09-24 21:29:11 +08:00
< th > < p > < span id = "_Toc536021484" class = "anchor" > < / span > Nr. < strong > 251 MonkeyIsland< / strong > < / p >
2019-01-23 22:55:53 +08:00
< p > (10.2.2.251)< / p > < / th >
< th > < / th >
< / tr >
< / thead >
2021-08-24 19:13:19 +08:00
< tbody >
2019-01-23 22:55:53 +08:00
< tr class = "odd" >
< td > OS:< / td >
< td > < strong > Windows Server 2016 x64< / strong > < / td >
< / tr >
< tr class = "even" >
< td > Software:< / td >
< td > MonkeyIsland server, git, mongodb etc.< / td >
< / tr >
< tr class = "odd" >
< td > Default server’ s port:< / td >
< td > 3389, 443< / td >
< / tr >
< tr class = "even" >
< td > Private key passphrase:< / td >
< td > -< / td >
< / tr >
< tr class = "odd" >
< td > Notes:< / td >
< td > Only accessible trough GCP< / td >
< / tr >
< / tbody >
< / table >
# Network topography:
2021-08-24 19:13:19 +08:00
< img src = "/envs/monkey_zoo/docs/images/networkTopography.jpg" >