Comprehensive Guide to Sqlmap (Target Options)

Hello everyone. This article will focus on a category of sqlmap commands called the “target commands.” Many might not have tried these commands but they can be proved very useful in corporate world.

In this article we’ll be shifting our focus back on one of the finest tools for SQL penetration testing available called SQLMAP.

This tool comes inbuilt in Kali Linux however you can download its python script from here too.

Since, it is a crime to attack a live website, we are restricting our focus on the websites that are made for this testing purpose only. We have also used a local PC with sql dhakkan installed in it. You can refer to the articles published earlier to get an idea on how to configure dhakkan in your machine too.

So, without further ado, let’s dive in.

http://192.168.1.132/sqli

First and foremost, I configured SQL dhakkan in a machine with IP address 192.168.1.132. I go to the lesson 1 tab for error based SQLi.

Target URL

One of the most basic commands ever. Every database has a webpage and every webpage has a URL. We will attack these URLs to get our hands on the database inside!

By adding   ‘–u <URL>’ in sqlmap command we can specify the URL we are targeting to check for sql injection. It is the most basic and necessary operation.

Here, let’s fetch all the databases that IP address 192.168.1.132 might have by suffixing –dbs

 

Now, all the databases available in the given IP have been dumped!

Targeting Log File

Many tools save a log file to keep a record on the IP addresses communicating back and forth. We can feed one such log file to the sqlmap and it will automatically test all the URLs in that log file.

Log file can have a record of various targets in reality but here we’ll be capturing the request of a website in burp suite and then saving its log file for simplicity. Let’s turn on the intercept then.

Go to the website “master.byethost18.com/Less-1/?id=1” and capture the request in burp. It has an SQL injection lab installed over public IP for penetration testers.

Captured request will be something like:

Now right click->save item and save this request as “logfile” on desktop. No need to provide any extensions here.

 

Open the terminal and type in the following command to automate the attack from the log file itself.

Target Bulkfile

Bulkfile is a text file that has the URLs of all the target machines each in a single line with the exact URL of where the attack is applicable.

So, let’s create a bulkfile on the desktop called bulkfile.txt.

 

This will open up a command line text editor called ‘nano’. Let’s feed in some URLs.

To save the file: CTRL+O -> ENTER

To exit nano: CTRL+X

We are all set to attack both of these URLs together by the command:

 

We’ll get the list of databases and we can continue with our other URL.

Target Google Dorks

We can also automate the process of finding SQLi by adding in a Google dork target. What it does is that it will start searching for all the websites with given Google dork and automatically keep applying sqlmap on the websites that matches the dork. Disclaimer: this attack will automatically be applied to any website that matches the dork, be it government or military, which is a serious criminal offence so it is advised that you play with it carefully.

As we know that error based SQL injections are often found in URLs having ‘.php?id=<num>’ in them, we can apply the inurl Google dork to find all the websites with this in its URL.

As you can see sqlmap has found a website with ‘?id=1’ in it’s URL.

I’ll be pressing n and cancelling the sqlmap scan since it is a crime to do so.

We can also specify the specific page number on which we want to apply the Google dork at by the option “- -gpage”

Target HTTP requests

An HTTP client sends an HTTP request to a server in the form of a request message which includes following format:

  • A Request-line
  • Zero or more header (General|Request|Entity) fields followed by CRLF
  • An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
  • Optionally a message-body

The Request-Line begins with a method token, followed by the Request-URI and the protocol version, and ending with CRLF. The elements are separated by space SP characters.                       

Request-Line = Method SP Request-URI SP HTTP-Version CRLF

Hence, we can intercept these HTTP requests, save it in a txt file and automate the attack with sqlmap.

I captured the request of the website “master.byethost18.com/Less-1/?id=1” in burp and will save it in a txt file called “httprequest.txt” and run the command:

 

As you can see that sqlmap has detected the target in the txt file. We can further apply – -dbs to fetch all the databases.

I hope that this article was helpful and the readers have learnt some new options that they might not have heard about before. Many more options will be coming in the next articles. Keep hacking!

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here

OverTheWire – Bandit Walkthrough (1-14)

Hello friends! Today we are going to solve Bandit’s levels which are the part of OVERTHEWIRE. It is for the completely beginners who are stepping in CTF challenges.

Level 0-1

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level1 page to find out how to beat Level 1.

To connect with every Level, we will use SSH.

It is a cryptographic network protocol for operating network services securely over an unsecured network. The best-known example application is for remote login to computer systems by users.

To listing the all the directories and files. We use ls -la command and look for all the available files. We observe that there is a readme file available that could have valuable information.

By using cat command, we read the readme file and get the flag.

 

The above flag is used for connect bandit1.

Level 1-2

The password for the next level is stored in a file called  (dash) located in the home directory.

Again we list the files using ls –la command and we see the ‘-‘ file.

Usually, it can’t read by usual way. For this kind of file named with special characters, it can be read via cat ‘./’ <filename>. In the above file, there is a flag.

By using above command, the flag will be generated. The above generated flag will be used for connect bandit2.

 

Level 2-3

The password for the next level is stored in a file called spaces in this filename located in the home directory.

Again, we list the files using ls-la command and cat the text file but here in the file, there are spaces between the words. So we will use single quotes (‘ ’) and then cat command will work.

By the use of above commands, flag will be generated. The above generated flag will be used for connect bandit3.

Level 3-4

The password for the next level is stored in a hidden file in the inhere directory.

Again we will list the files and access the directory named ‘inhere’ using cd command. In next step, we will list the files of ‘inhere’ directory. In this directory, there is a file named .hidden and using cat command, it can be read.

 

The above commands will generate flag and this will be used to connect bandit4.

Level 4-5

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

Again, ls -la command will be used to list the files and then we will change the directory named ‘inhere’. In this folder, we will use file command to check the content of the files. Here, file07 contains ASCII text then, we will use cat command to read the file.

The above commands will generate the flag, and the above flag will be used to connect bandit5.

Level 5-6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable

Again, we will use ls -la command for listing the files and view the directory named ‘inhere’ and then using cd command we will access the directory. In the goal, We can clearly see that there is a file having the 1033 bytes in size which is human-readable. It may be a flag. So, there is command called find and in find there is an option for size. In the screenshot, there is a size of byte 1033c. Here c  specifies bytes.  And then we can read the file using cat command.

  

By using above commands, the flag will be generated. This flag will be used to connect bandit6.

Level 6-7

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

In this level the password file is stored somewhere on the server. According to Level Goal, we need to find that file which fulfil the above conditions.

Again, find command will be used here. In the find command, there are options ‘user’ and ‘group’. So, the command will be

Here ‘/’ represents to scan all the files.

The above command will show the password file. There is only one file which has permission to access by the bandit6.

Now, we can read the password file using cat command.

The above flag will be used to connect bandit7.

Level 7-8

The password for the next level is stored in the file data.txt next to the word millionth.

Again, we will use ls –la command to list all the files. According to Level Goal, we need to find that word next to millionth. There is a command called grep which is used to search words, characters, etc. present in the file.

Here, we will use cat and grep command simultanously by using ‘|’(PIPE). The pipe takes previous output as a input for the second command.

The above command will generate flag. And this flag will be used to connect bandit8.

Level 8-9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

SORT command is used to sort a file, arranging the records in a particular order. By default, the sort command sorts file assuming the contents are ASCII.

UNIQ command is used to remove duplicates, show a count of occurrences, show only repeated lines, ignore certain characters and compare on specific fields.

Again, we will use ls command to see the files. We get the file named data.txt. According to Level Goal, We need to find the text that occurred only once. The above commands will help to reach our flag. Combining these commands with cat using pipe. We will reach to our flag.

The above commands will be used to generate the flag. This flag will be used to connect bandit9.

 

Level 9-10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

Again, we will use ls –la command to view the files and folders. Here, there is also a data.txt file. According to Level Goal, we need to search the string has beginning with several ‘=’ characters. Here also, we will use grep command.

By using above commands, we can generate our flag. This flag will be used to connect bandit10.

Level 10-11

The password for the next level is stored in the file data.txt, which contains base64 encoded data.

Here, we will use ls –la command to view the files which are present in this directory. We can read this file using cat command easily but According to Level Goal, this text is encoded in base64. So, we will decode it by using base64 –d command.

By using above commands, we can generate the flag. This flag can be used to connect bandit11.

Level 11-12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

Here, we will list all the files using ls command and then read by cat command. Since, this text is encoded in ROT-13. So, we will translate it using ‘tr’ command.

 

By using above commands, we can generate the flag. This flag can be used to connect bandit12.

Level 12-13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!).

Here, we will view all the files using ls –la command. Here is also file named data.txt but it is a hexdump of a file. By using cat command, we can verify that it is hexdump or not.

According to Level Goal, we need to make directory in /tmp.

xxd can convert a hex dump back to its original binary form.

zcat decompresses the data of all the input files, and writes the result on the standard output.

bzip2 is only a data compressor like gzip.

But here, the data.txt file is repeatedly compressed.

By using above commands, we can generate flag. This flag will be used to connect to bandit13.

Level 13-14

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.

Here, we can view the files using list command. We can see the file named ‘sshkey.private’. It’s a private key which can be used to connect directly.

Author: SOURABH is a Information Security Analyst | Pentester | Researcher  Contact Here

Hack the Teuchter VM (CTF Challenge)

Hello friends!! Today we are going to solve latest CTF challenge “Teuchter” presented by vulnhub for penetration practice and design by knightmare. This virtual machine is having intermediate to medium difficulty level. One need to break into VM using web application and from there escalate privileges to gain root access.

Download it from here: https://www.vulnhub.com/entry/teuchter-03,163/

Penetrating Methodologies

  • Network Scanning (netdiscover, Nmap)
  • Abusing HTTP service for PHP extract backdoor
  • Compromise victim’s (Metasploit)
  • SUID Privilege escalation
  • Steganography for original flag.txt

Lets Start!!!

Let’s start with getting to know the IP of VM (Here, I have it at 192.168.1.104 but you will have to find your own)

netdiscover

Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.

Knowing port 80 is open in victim’s network I preferred to explore his IP in a browser. At first glance, we saw following web page.  When couldn’t found something suspicious, so we try to check its source-code.

Hmmm!! After exploring source code page, you can analysis the “Green color text” sounds a little bit doubtful. Giving priority to /gallery /flicks and /telly we have considered them as the subjective web directories and then try to explore it in the web browser.

Also consider hint given for some extension like .pht for PHP.

So I opened the URL http://192.168.1.104/gallery/ but couldn’t get anything neither from its web page nor from its source code.

Then explored the URL http://192.168.1.104/telly/ and it put-up following web page in front of us and at looking at its page source code we notice something like flicks phpinfo.

So without wasting time we lunch directory brute-force attack on following URL for identify .php and .pht extension files.

And from its result we find a phpinfo.pht file and explored it in the browser and it gives me an internal server error when I open it. So I search in Google phpinfo.php found this link: https://blog.sucuri.net/2014/02/php-backdoors-hidden-with-clever-use-of-extract-function.html

Thanks to Mr. Daniel B. Cid for sharing his experience because with help of above link we get the idea to exploit it. As the author has hidden the PHP extract backdoor inside the phpinfo.pht file and now whatever the attacker sends as “ctime” with “atime” as an argument it will be execute successfully.

As you can observe when we try to execute the system command “id” through the given below URL we got following result on the web page.

Let’s compromise the victim’s VM to get the meterpreter shell, therefore, we load metasploit framework and execute below commands.

Copy the highlighted text for malicious PHP code and Paste it inside URL as an argument.

You will get meterpreter session of victim’s machine in your Metasploit framework and after then finished the task by grabbing flag.txt file. Further type following for extracting more information for post exploitation.

Here first I sysinfo command to enumerate install kernel version but didn’t found any working exploit for this VM therefore then I decide to go with manual approach for privilege escalation. Thus execute below commands:

Here I found two files semaphore and test and if you will notice at their permissions then you will realize that SUID bit enabled for semaphore and GUID bit is enabled for test.

Now let access proper tty shell of victim’s VM and enumerate furthermore inside it.

ooooh!! I got something suspicious from inside this path: /home/jkerr, a login.txt and promisedyouamiracle.jpg image. And after reading the note of the login.txt file I decided to download jpg image in our local machine.

Since the python 3 is already running therefore we execute following command for transferring file.

python3 -m http.server 8080

When we explored the promisedyouamiracle.jpg image in browser we got the following photo.

With help of exiftool we try to extract metadata from inside this image and luckily found the bas64 encoded text.

With the help of following command we try to decode the text and got “gemini” which could be possible password.

Let try to login by using gemini as password for user: proclaimers because it holds two important files. Execute the following commands and extract the information.

Ohhhh Great!! As declared above SUID bit enabled for the semaphore and GUID bit enabled for the test, let’s use grep command to get everything related to semaphore.

AwesomeJ, I got a script at this path /usr/local/bin/numpties.sh; let’s open it with cat command.

After reading it, I conclude that the cronjob will add the SUID bit to semaphore and also give root ownership to this file if the file exists.

No wonder, if I replace the original semaphore by the fake semaphore file then our fake file will get SUID permission. So in our local we write a C-program to get bsah shell and compile it.

 

Since we have complied file semaphores and also running python server therefore let’s download our fake semaphore at the place of original semaphores. Thus first I removed original semaphores and download complied file in same directory.

After sometime when I checked the permission for the new semaphore I found the SUID bit was on. At that moment you should run the script which will give root terminal after getting executed and then look for flag inside /root directory.

This was not actual the flag let’s try to get the original flag 

So on………… and at last you will get /ariston which holding a zip file “TeuchterESX.zip”.

cd ariston

Again run following command in current directory to transfer zip file.

Now download TeuchterESX.zip file in local machine and unzip it.

We  got a vmdk file and further ran following command to check list of present drive for mounting disk image.

Here we saw /dev/sdb1 which looks good mounting disk image thus I install the vmfs-tools package.

So we have used vmfs-fuse to mount the drive and execute following commands:

In this text messages the author had given hint to check ISO for getting the password which is related to TV advert and it’s of 25 character.

So we mount the new folder /redkola.iso where we found an image file glass_ch.jpg with help of following command:

Further we opened the image “glass_ch.jpg” and it was a picture of Irn-Bru soft-drinks. Probably there could be chances of hidden text in this image therefore we tried steghide to extract out hidden text but when I execute following command it ask to enter some passphrase which we don’t know yet and it should above said 25 character which we need to be found.

steghide extract -sf glass_ch.jpg -xf /root/Desktop/finalflag.txt

Taking help of above hint and image I search Irn-bru-wiki and got this link https://en.wikipedia.org/wiki/Irn-Bru

And after spending a long time over wiki I got 25 character in ‘madeinscotlandfromgirders’, which was Irn-Bru advertising slogan and tried it as passphrase.

We entered above passphrase and extracted the text file on the desktop.

Congrats!! Finally we got the final flag.txt file as shown below.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Hack the Box Challenge: Enterprises Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Enterprise” which is available online for those who want to increase their skill in penetration testing and black box testing. Enterprise is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.61 so let’s begin with nmap port enumeration.

From given below image, you can observe we found port 22, 80, 443 and 80 are open on target system.

As port 80 is running http server we open the target machine’s ip address in our browser, and find a website that is running on wordpress.

As port 8080 is also running http server we open the target machine’s ip address in our browser, and find a website that is not made on wordpress.

When we try to open the wordpress admin page but are redirected to domain called “enterprise.htb”. We enter the domain name in /etc/hosts file.

Now when we open wp-admin, we are able to get the login page.

We run dirb on port 80 to enumerate the directories and find a directory called /files.

We open the files/ directory, and find a zip file.

We download the zip file in our system and unzip it. After unzipping it we find 3 php files.

We take a look at the content of the files and it looks like there might be plugin called lcars that is being used by the wordpress site and by the looks of the code it is possible that is vulnerable to SQL-injection.

Now when we open it we get a php error message, we now know that this plugin is vulnerable to SQL-injection.

 

We use sqlmap to dump the database and found a message with a few passwords. We also find that there is a joomla database we try to dump it and find a username geordi.la.forge.

Now we use one of these passwords to login into wordpress. On the webpage we see that there are has been posts made by user william.riker. So we use credentials william.riker:u*Z14ru0p#ttj83zS6 to login into wordpress control panel.

Now we change the 404.php template with our payload to get reverse shell on the machine. First we are going to create our payload using msfvenom.

Now we are going to setup our listener using metasploit.

 

After replacing the 404.php code with our payload, we open the 404.php page in our browser.

As soon as we open it we get our reverse shell.

After getting our reverse shell we find that we are actually in a container app and we find the machine has 2 network card.

Now we find all the ip’s in the subnet of the container.

Now we create another shell using msfvenom to upload it into the joomla site on port 8080.

Now we background our session and change the lport according to our payload.

 

We are first going to login into the joomla site, using credentials, geordi.la.forge:ZD3YxfnSjezg67JZ and upload our shell code.

As soon as we open the page we get our reverse shell.

After getting into the joomla container, we find that we have common file called /var/www/html/files.

We create another php payload using msfvenom to upload this shell into /var/www/html/files directory.

We go to /var/www/html/files directory and upload the shell using meterpreter.

Now we background our current session and change the lport according to our new payload.

When we go to /files directory we find that our shell has been uploaded.

As soon as we click on the payload we get our reverse shell.

After getting the reverse shell on the main machine instead of container we try to find files with suid bit set.

We find a file called lcars, we find that it has been running on port 32812.

When we connect with it using netcat we find that it asks for access code.

We run the file on the target machine using ltrace to find the access code for this binary.

We find that when we pass a it gets compared to a string called pircarda1. We use this to login into the binary.

We are able to access the file using this binary now we try to find this program is vulnerable to buffer overflow. We open the file using gdb to read the assembly code.

Now create 500 byte long string using pattern_create.rb script to find the EIP offset.

After searching all the options we find that option number 4 was vulnerable to buffer overflow.

We pass that into /usr/share/metasploit-framework/tools/pattern_offset.rb, we get an offset of 212. So we need to write 212 characters and then write the address of the instructions we want to be executed.

Now when we try to insert shellcode into the buffer but we were unable to execute it because of DEP. It prevents code from being executed in the stack. Now we are going to do a ret2libc attack to execute a process already present in the process’ executable memory. We go into the target machine and find ASLR in enabled so we have to brute force the address. Now we find the address of system, exit and /bin/sh.

We create an exploit which can be found here. As soon as we run the exploit we get our reverse shell as root user. We go to /root directory and find a file called “root.txt”. When we open it we find our 1st flag. We then go to /home directory inside we find another directory called jeanlucpicard/. Inside /home/jeanlucpicard we find a file called “user.txt”, we open it and find our final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Related Posts Plugin for WordPress, Blogger...