Hack the Box: Dropzone Walkthrough

Today we are going to solve another CTF challenge “Dropzone”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Expert

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Dropzone is 10.10.10.90

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and services.

From given below image, you can observe we found port 69 is open on the target system and running tftp service.

We connect to the target system using tftp client and find that we can upload and download file. We get the “boot.ini” file to find the operating system running system on the target machine.

We take a look at the boot.ini file and find that the target system is running “Windows XP”.

We are unable to find any exploit for tftp service. So we are going to use MOF file WMI exploitation to get reverse shell of the target machine.

We have an msf module called “wbemexec.rb” to generate MOF file (you can find the file here). We download the file and edit it to run our shell code. You can download the modified code from here.

We upload both the shell and the MOF file using tftp.

 

We setup our listener before uploading both the files.

As soon as we upload the MOF file and our payload we get a reverse shell. After getting the reverse shell we check for system information and find that we have spawned a shell as administrator.

We go to “c:\Documents and Settings\Administrator\Desktop” and find a file called “root.txt”. We take a look at the content of the file and find that the flag is not present there.

 

We go to the “flags” directory and find a file called “2 for the price of 1!.txt” and find a hint that we have to use alternate data streams to find the flags. Alternate data streams are an attribute that can be found in NTFS file system. They can also be used to hide data from users.

We can use streams.exe from sysinternals to examine Alternate Data Streams. (You can download the tool from here)

We upload the streams.exe into the target machine. We spawn the shell and execute the file to find data streams in the current directory and find both user and root flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Hack the Box: Bounty Walkthrough

Today we are going to solve another CTF challenge “Bounty”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Medium

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Bounty is 10.10.10.93

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and services.

Things to be observers from its result are port 80 is open for http and Microsoft-IIS/7.5 is service banner.

Let’s navigate to port 80 through a web browser. By exploring IP in the URL box, it puts up following web page as shown in the below image.

Since we didn’t get any remarkable clue from the home page, therefore, we have opted Dirbuster tool for directory enumeration thus execute the following, here we had used directory-list-2.3-medium.txt directory for web directory enumeration.

Hmm!! Here I received HTTP response for /transfer.aspx file and /uploadedFiles directories.

When we have explored 10.10.10.93/transfer.aspx in the browser and further welcomed by following web Page given below. The following web page lets you upload a file.

We try have many attempts to upload a file but every time we get a message “Invalid File. Please try again”.

 After so many efforts, I found this link on googling “IIS 7.5 rce upload”. Here we read about the web.config file, which plays an important role in storing IIS7 (and higher) settings. It is very similar to a .htaccess file in Apache web server. Uploading a .htaccess file to bypass protections around the uploaded files is a known technique.

So with the help of above given link we create an asp file to run web.config which will response by adding 1 and 2.

As you can observe, our web.config file is successfully uploaded inside /uploadedfiles/ directory.

So we have executed this file, it has given the expected response “3” which is sum of 1 and 2. Hence now we can inject malicious code in this file which can create RCE vulnerability through it.

Luckily!! I found this link:  https://raw.githubusercontent.com/tennc/webshell/master/asp/webshell.asp link for ASP webshell . So I copied the whole content of asp webshell in our web.config file and upload it.

On executing updated web.config file, it creates a form where we can run command as RCE. Once such surface you can run any malicious command to exploit RCE. Here we will be executing powershell code generated via web delivery module of metasploit.

Past the highlighted code given in the image mstasploit inside the text file and run this code to get meterpreter session.

Great!! We have successfully got meterpreter session of the victim’s machine, now let’s find out the user.txt file to finish this task.

We successfully found user.txt file inside /users/merlin/Desktop. Next we need to find out root.txt file to finish this challenge and as we know for that we need to escalated root privilege.

Then I run a post exploit “Multi Recon Local Exploit Suggester” that suggests local meterpreter exploits that can be used for the further exploit. The exploits are recommended founded on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter.

Wonderful!! Exploit Suggester truly proof itself by suggesting another exploit name to which target is vulnerable. So now we will go with first option as highlighted in the image.

This Vulnerability in Task Scheduler could allow elevation of privileges. This module has been tested on vulnerable builds of Windows Vista , Windows 7 , Windows Server 2008 x64 and x86.

Another Meterpreter session gets opened, once the selected exploit has been executed.

As we can see that we are logged into the system as Windows privileged user NT AUTHORITY\SYSTEM

Successfully we have found the root.txt from the path: C:\Users\Administrator \Desktop.

Wonderful!! We had completed the both tasks and hacked this box.

Happy Hacking!!!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Xerosploit- A Man-In-The-Middle Attack Framework

Networking is an important platform for an Ethical Hacker to check on, many of the threat can come from the internal network like network sniffing, Arp Spoofing, MITM e.t.c, This article is on Xerosploit which provides advanced MITM attack on your local network to sniff packets, steal password etc.

Table of Content

  • Introduction to Xerosploit
  • Man-In-The-Middle
  • Xerosploit Installation
  • PSCAN (Port Scanner)
  • DOS (Denial of service)
  • INJECTHTML (HTML INJECTION)
  • SNIFF
  • dspoof
  • YPLAY
  • REPLACE
  • Driftnet

Introduction to Xerosploit

Xerosploit is a penetration testing toolkit whose goal is to perform man in the middle attacks for testing purposes. It brings various modules that allow to realise efficient attacks, and also allows to carry out denial of service attacks and port scanning. Powered by bettercap and nmap.

For those who are not familiar with Man-in-the-middle attack, welcome to the world of internal network attacks

Dependencies

  • nmap
  • hping3
  • build-essential
  • ruby-dev
  • libpcap-dev
  • libgmp3-dev
  • tabulate
  • terminaltables

Built-up with various Features:

  • Port scanning
  • Network mapping
  • Dos attack
  • Html code injection
  • Javascript code injection
  • Download intercaption and replacement
  • Sniffing
  • Dns spoofing
  • Background audio reproduction
  • Images replacement
  • Drifnet
  • Webpage defacement and more 

Man-In-The-Middle

A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. There are many open source tools available online for this attack like Ettercap, MITMF, Xerosploit, e.t.c

From Wikipedia.org

Xerosploit Installation

Xerosploit is an attack tool for MITM which can run only on Linux OS to do so follow the simple steps:-

Open up terminal and type

It will ask to choose your operating system, here we have press 1 for Kali Linux.

Here it will display your network configuration including IP address, MAC address, gateway, and interface and host name. Now run the following command on xerosploit console to know the initial commands:

In this grid we have list of commands for our attack and we are going for man in middle attack, so I will choose scan command in my next step for scanning the whole network.

scan

This command will scan complete network and will found all devices on your network.

As you can observe that it has scanned all the active hosts. There are so many hosts in this network; you have to choose your target from given result. I am going to select 192.168.1.105 for man in middle attack.

 In next comment it will ask for module you want to load for man in middle attack. Go with this comment and type help.

pscan (Port Scanner)

Let’s begin with pscan which is a port scanner, it will show you all the open ports on network computer and retrieve version of the programs running on the detected ports. Type run to execute pscan and it will show you all the open ports of victim’s network.

DOS (Denial of service)

Type “dos” to load the module, it will send a succession of TCP-SYN request packet to a target’s system to make the machine unresponsive to legitimate traffic which mean it is performing SYN Flood attack.

press ctrl + c to stop

If you are aware of HPING tool then you can notice, this module is initially using HPING command for sending countless SYN request packet.

Inject HTML (HTML Injection)

HTML injection is the vulnerability inside any website that occurs when the user input is not correctly sanitized or the output is not encoded and attacker is able to inject valid HTML code into a vulnerable web page. There are so many techniques which could be use element and attributes to submit HTML content.

So here we will replace victim’s html page with ours. Select any page of yours choice as you will notice that I have written “You have been hacked” in my index.html page which I will replace with the victim’s html page. Whatever page the victim will try to open he/she will see only the replaced one.

First create a page as I have created & save it on Desktop by the name of INDEX.html

Now run injecthtml command to load the injecthtml module. And then type run command to execute the injecthtml and enter the path where you have saved the file.

Bravo! We have successfully replaced the page as you can see in the picture below.

Hit ctrl^c to stop the attack.

Sniff

Now run the following module to sniff all the traffic of the victim with command:

Then enter the following command to execute that module:

Now it will ask you if you want to use SSLTRIP to strip the HTTPS URl’s to HTTP so that we can they catch the login credentials in clear text. So enter y.

When the victim will enter the username and password it will sniff and capture all the data.

Now it will open a separate terminal in which we can see all the credentials in clear text. As you can see it has successfully captured the login credentials.

Hit ctrl^c to stop the attack.

dspoof

It load dspoof module which will supply false DNS information to all target browsed hosts Redirect all the http traffic to the specified one IP.

Now type run command to execute module and then it will ask the IP address where you want to redirect the traffic, here we have given our Kali Linux IP.

Now as soon as the victim will open any webpage he/she will get the page store in our web directories which we want to show him/her as shown in the picture below.

Hit ctrl^c to stop the attack.

Yplay

Now let’s catch the other interesting module which is yplay. It will play background video sound in victim browser of your choice. So first execute yplay command followed by run command and give the video i.d what you have selected.

Open your browser and choose your favorite video in YouTube which you want to play in background in victim’s browser. If video having any advertisement then skip that and select id from url. Come back to xerosploit.

 To execute yplay module for attack type run.

Insert you tube video ID which you have copy above from url in next step.

Now in no matters what victim is doing on the laptop. If he will try to open any webpage, on the background he/shell will hear the song which we want him to listen.

Hit ctrl^c to stop the attack.

Replace

I hope all the attacks were quite interesting. But the next is going to be amazing. Now we will replace all the images of victim’s website with our images. For this first execute the command replace followed by run command. Don’t forget to give the path of the .png file which you have created as a surprise box for the victim.

As the victim opens any url he/she will be amazed to see the replaced images of his/her website as shown here.

Hit ctrl^c to stop the attack.

Driftnet

 We will use driftnet module to capture all the images the victim is surfing on the web with following commands and it will save all captured picture in opt/xerosploit/xedriftnet.

Once the attack is launched; we can sniff down all the images that he is viewing on his computer in our screen. We can do much more with this tool simply by using the move you can shake the browser contents 

As you can observe that all the images what victim is viewing on his/her system is captured in your system successfully.

Hopefully!  So it is needless to say that this tool XERSPLOIT is quite interesting and useful as well for performing so many attacks. I hope readers are gonna like this.

HaPpY hAcKing!!

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security. Contact here

Comprehensive Guide on MSFPC

Hello Friends!!

As you all are aware of MSFvenom-A tool in Kali Linux for generating payload, is also available as MSFvenom Payload Creator (MSFPC) for generating various “basic” Meterpreter payloads via msfvenom. It is fully automating msfvenom & Metasploit is the end goal.

MSFvenom Payload Creator (MSFPC) is a wrapper to generate multiple types of payloads, based on user’s choice. The idea is to be as simple as possible (only requiring one input) to produce their payload.

Source: https://github.com/g0tmi1k/mpc

Author: g0tmi1k

Syntax

Create a Payload with Interactive IP Mode

Let’s create the payload for Windows platform with the help of following command

When you will enter above command it will automatically confirm the interface:

Which interface should be used?

eth0, lo wan

We press 1 for eth0 and then it will start generating payload and as result give us following:

  1. Location of MSF handler file and windows meterpreter created.
  2. Command to be run to start multi handler automatically within metasploit framework.
  3. Command for file transfer through web server.

 

Basically the msfpc is design to reduce the user’s effort in generating payload of various platforms with different-different format of file. So when you will type “msfpc” it will display all types of platform and generate a specific format of file likewise.

Syntax: msfpc <platform-type> <Lhost IP> <Lport>

Windows Payload

If you want to generate a payload to get meterpreter session victim’s machine which operates on Windows, then all you need to do is type following:

If you will not mention IP, it will automatically ask to choose interface as discussed above and choose 443 as default lport. It creates a malicious backdoor in the .exe format for 32-bit architecture. Then it will start generating the payload and as result give us details following details.

  • Location of MSF handler file and windows meterpreter created: ‘/root/windows-meterpreter-staged-reverse-tcp-1234.exe’
  • command to be run to start multi handler automatically: msfconsole -q -r ‘/root/windows-meterpreter-staged-reverse-tcp-1234-exe.rc’
  • Command for file transfer through web server: python2 -m SimpleHTTPServer 8080

 

Now run the following command to launch multi/handler and web server for file transfer.

When victim will browse the following URL where it will ask to download and run the .exe file that will provide meterpreter session to the attacker.

Conclusion: Earlier the attackers were using manual method to generate a payload via msfvenom command and then use Metasploit module “multi/handler” to access the reverse connection via meterpreter session and this technique was quite successfully approach to compromise a victim’s machine although took much time. But same approach is applicable with the help of MSFPC for generating various “basic” Meterpreter payloads via msfvenom.

Android Payload

If you want to generate a payload to get meterpreter session victim’s machine which operates on Android, then all you need to do is type following:

It creates a malicious backdoor in the .apk format. Then it will start generating the payload and as result give us following details.

  • Location of MSF handler file and android meterpreter created: ‘/root/android-meterpreter-stageless-reverse-tcp-1234.apk’
  • Command to be run to start multi handler automatically: msfconsole -q -r ‘/root/android-meterpreter-stageless-reverse-tcp-1234.apk.rc’
  • Command for file transfer through web server: python2 -m SimpleHTTPServer 8080

Now run the following command to launch multi/handler and web server for file transfer.

When victim will browse the following URL where it will ask to install the application and run the .apk file that will provide meterpreter session to the attacker.

Hence you can observe as said above, we have meterpreter session of target’s machine.

BASH

The pro above MSFPC is that it reduces the stress to remember the format for each platform, all we need to do is just follow the above declare syntax and the rest will be managed by MSFPC automatically. Suppose I want to create a payload for Bash platform, and then it will take a few minutes in MSFPC to generate a bash payload.

It creates a malicious backdoor in the .sh format. Then it will start generating the payload and as result give us following:

  • Location of MSF handler file and bash meterpreter created: ‘/root/bash-shell-staged-reverse-tcp-1234.sh.’
  • Command to be run to start multi handler automatically: msfconsole -q -r ‘/root/bash-shell-staged-reverse-tcp-1234.sh.rc’
  • Command for file transfer through web server: python2 -m SimpleHTTPServer 8080

Now run the following command to launch multi/handler and web server for file transfer.

When victim will browse the following URL where it will ask to install the script and once the target run the bash script with full permission, it will give command shell.  

Hence you can observe as said above, we have command shell of target’s machine and with the help of the following command we have upgraded it into meterpreter shell.

Linux

If you want to generate a payload to get meterpreter session victim’s machine which operates on Linux, then all you need to do is type following:

It creates a malicious backdoor in the .elf format. Then it will start generating the payload and as result give us following details:

  • Location of MSF handler file and Linux shell created: ‘/root/linux-shell-staged-reverse-tcp-4444.elf
  • Command to be run to start multi handler automatically: msfconsole -q -r ‘/root/linux-shell-staged-reverse-tcp-4444.elf.rc’
  • Command for file transfer through web server: python2 -m SimpleHTTPServer 8080

 

Now run the following command to launch multi/handler and web server for file transfer.

When victim will browse the following URL where it will ask to install the application and once the target run the .elf file with full permission, it will give command shell. 

Hence you can observe as said above, we have command shell of target’s machine and with the help of the following command we have upgraded it into meterpreter shell.

Python

If you want to generate a payload to get meterpreter session victim’s machine which operates on Python, then all you need to do is type following:

It creates a malicious backdoor in the .py format. Then it will start generating the payload and as result give us following detaisl:

Location of MSF handler file and python meterpreter created: ‘/root/python-meterpreter-staged-reverse_tcp-5555.py

Command to be run to start multi handler automatically: msfconsole -q -r ‘/root/python-meterpreter-staged-reverse_tcp-5555.py.rc’
Command for file transfer through web server: python2 -m SimpleHTTPServer 8080

Now run the following command to launch multi/handler and web server for file transfer.

When victim will browse the following URL where it will ask to install the script and once the target run the python script, it will give meterpreter session. 

Hence you can observe as said above, we have meterpreter session of target’s machine

Batch (Generates all Possible Combination Payloads)

 Batch is most significant Mode as it generate as much as possible combination of payload. If we want to create all payloads which can give meterpreter session then we can use the following command in that situation.

In the given below command you can observe here it has generated all possible types payload which can give meterpreter sessions. Although the rest technique is as above to execute the payload and get reverse connection.

If we want to create all payloads which can give command shell session of the target’s machine then we can use the following command in that situation.

In the given below command you can observe here it has generated all possible types payload which can give command shell.

Loop (Generates One payload for Each Platform)

Loop is also most significant mode as it generates on of each type of payload with their default values. Hence by default will generate a payload to provide meterpreter session rather than command shell session.

In the given below command you can observe here it has generated all possible types payload for each platform which can give meterpreter sessions. Although the rest technique is as above to execute the payload and get reverse connection.

Generating Stageless Payload

As we all know there are two types of payloads i.e. stag and stageless and by default it creates a stage payload. If you want to create a stageless payload then you can go with the following command to generate stageless payload for command shell session or meterpreter session.

The rest technique is as above to execute the payload and get reverse connection.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Related Posts Plugin for WordPress, Blogger...