Command & Control Tool: Pupy

In this article, we will learn to exploit Windows, Linux and Android with pupy command and control tool.

Table of Content :

  • Introduction
  • Installation
  • Windows Exploitation
  • Windows Post Exploitation
  • Linux Exploitation
  • Linux Post Exploitation
  • Android Exploitation
  • Android Post Exploitation

Introduction

Pupy is a cross-platform, post exploitation tool as well as a multi-function RAT. It’s written in python which makes it very convenient. It also has low detectability that’s why it’s a great tool for the red team.  Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory.

It uses a reflected DLL to load python interpreter from memory which is great as nothing will be shown in the disk. It doesn’t have any special dependencies. It can also migrate into other processes. The communication protocols of pupy are modular and stackable. It can execute non-interactive commands on multiple hosts at once. All the interactive shells can be accessed remotely.

Installation

To install pupy execute the following commands one by one :

Now download all the requirements using pip like the following command :

Now run pupy using the following command :

This command will open the prompt where you will get your session.

Now, to create our payload we will use the pupygen. Use the following help command to see all the attributes which we can use :

Windows Exploitation

Now we will create a windows payload in order to exploit windows with the following command :

Here,

-O : refers to the operating system

-A : refers to the architecture

-o : refers to the output file path

When you are successful in executing the shell.exe in the victims’ PC, you will have your session as shown in the image :

Windows Post Exploitation

Further, there are number of post-exploits you can use, they are pretty simple to use. Some of them we have shown in our article. For message dialogue box to pop up on the target machine you can use the following command :

As per the command, following dialogue box will open on the target machine :

You can also access the desktop using the remote desktop module with the following command :

After executing the above command you can remotely access the desktop just as shown in the image below :

For bypass UAC, we have the simplest command in pupy i.e. the following :

The above command will recreate a session with admin privileges as shown in the image below :

Then for getting the system’s credentials, you can use the following command :

And as you can see in the image below, you get the information about all the credentials :

Using pupy, we can also migrate our session to a particular process. With migrate command, the attributes of the command are shown in the image below :

With ps command, you can find out the process ID number of all the processes running on the target PC, along with letting you know which process is running. Knowing the process ID is important as it will be required in the migrate command and will help us to migrate our session as we desire.

Now, as we know the processes that are running, we can use it to migrate our session. For this, type the following command :

And then a new session will be created as desired.

Linux Exploitation

To exploit Linux, we will have to generate Linux payload with the following command :

Once you execute the malicious file in the target system, you will have your session as shown in the image below :

As you have a session now, you can check if the target machine is running on a VM or is it a host machine with the following command :

And as you can see in the image below that the target machine is, in fact, running on VM

Linux Post Exploitation

In post-exploitation, you can have detailed information about the target system with the following command :

With pupy, you can also find out all the exploits that are working on the target system with the help of the following command :

As you can see that in the image below, it has given us the list of all the exploits to which the target system is vulnerable.

To get the basic information about the target system such as IP address, MAC address, etc. you can use the following command :

Android Exploitation

Now we will create an android payload in order to exploit windows with the following command :

When you are successful in installing the shell.apk in the victims’ Android Phone, you will have your session as shown in the image :

Android Post Exploitation

In post-exploitation, you can grab the call logs stored on the target device with the following command :

Here,

-a : refers to getting all the call details

-output-folder : refers to the path of the output file containing the call logs

We will use the cat command on callDetails.txt to read the call logs.

To get the camera snap from the primary camera on the target device, you can use the following command :

Here,

-v : refers to view the image directly

As we can see in the given image that we have the snap captured and stored at the given location.

To get the information about the installed packages or apps on the target device, you can use the following command :

Here,

-a : refers to getting all the installed packages details

-d : refers to view detailed information

As we can see in the given image that we have detailed information about the packages or apps installed on the target machine.

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiastContact Here

Multiple Ways to Exploiting OSX using PowerShell Empire

In this article, we will learn multiple ways to how to hack OS X using empire. There are various stagers given in empire for the same and we use a few of them in our article. Method to attack OS X is similar to that of windows. For the beginner’s guide to pen-test OS X click here.

Table of Content :

  • osx/macho
  • osx/applescript
  • osx/launcher
  • osx/jar
  • osx/safari_launcher

osx/macho

The first stager we will use to attack is osx/macho. This stager will create a Mach-O file, which is an executable format of binaries in OS X. This file format is made for OS X specifically. This file format informs the system about the order in which code and data are read into memory. So, this stager is quite useful when it comes to attacking OS X.

The listener creation is the same as windows, use the http listener. Once the listener is created, execute the following set of commands:

As the shell.macho is executed in the victim’s PC, you will have your session as shown in the image below :

osx/applescript

The next stager we will use is osx/applescript. This stager will create a code in an apple script, this script has an automated control over scriptable Mac applications as its dedicated script for Mac. Therefore, it’s an important stager for pen-testing Mac. To create the malicious said apple script run the following set of commands :

Executing the above stager will create a code, run this code in the targeted system as it is shown in the following image :

As soon as the code is executed in the victim’s PC, you will have your session as shown in the image :

osx/launcher

The next stager we will use is osx/launcher. This stager is most commonly used. To execute this stager, run the following commands :

copy this code and run it in the target system’s shell. Now as soon as the code is executed, you will have your session as shown in the image below :

osx/jar

The nest stager which we will use is osx/jar. This stager creates a jar file which is a Java archive file. This file format is used for compressed java files which when extracted as run as desired. This file extension is specifically made for Java files. This stager turns out to be a suitable one when it comes to attacking OS X. Use the following set of commands to execute the said stager :

The stager will create a jar file as told above, as the said file will be executed in the victim’s system, you will have your session as shown in the image :

osx/safari_launcher

The last stager we will use is osx/safari_launcher, this will generate an HTML script for safari. For this stager, run the following set of commands:

Run the generated code in the safari of victim’s PC and so you shall have your session as shown in the image below :

So, these were five ways to attack or pentest OS X. They are pretty easy and convenient. Each of them is valid and up to date.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher  Contact Here

Web Developer: 1: Vulnhub Lab Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as “Web Developer: 1”. The credit for making this VM machine goes to “Fred Wemeijer” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:

  • IP Discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing HTTP service port
  • Enumerating directories using Dirb
  • Finding “cap” file
  • Analyzing the “cap” file and finding WordPress password
  • Installing the vulnerable plugin in WordPress
  • Exploiting the vulnerable to get a reverse shell
  • Finding SSH login and password
  • Finding application is a sudoers list
  • Getting flag

Walkthrough

Let’s start off with scanning the network to find our target.

We found our target –> 192.168.19.131

Our next step is to scan our target with nmap.

From the NMAP Version Scan we enumerated the following details:

22 Port having the SSH service and 80 Port having HTTP service.

As the HTTP service is running on the target server, let’s open the IP Address on the Web Browser.

As we couldn’t find any links on this page. So, we will do a directory bruteforcing using dirb scan. From the scanning result, we choose the highlighted directory for further enumeration.

So, we opened this directory in the browser and found a cap file.

We will open cap file in Wireshark, and you can see that we found the username and password through it.

And using the above username and password, you can directly log on to the website. As you can see that the website is in WordPress. And I remember that there is a plug-in of WordPress that is vulnerable. So, in the plugin I added a new plugin i.e. ReFlex Gallery as you can in the image below:

Now, we will use the in-build exploit from Metasploit to exploit this plugin and get a session. And for this, we use the following set of commands:

Once we got the session, I navigated through it a lot and found the wp-config.php, now, when reading the config file, we find username and password.

Now we find credentials inside the file, we use this credential to log in through SSH. After logging in we check the sudoers list and find we can run “tcpdump” as the root user.

So, we can execute a file using tcpdump, so we use the following command to execute “ls -al /root” command. Now the command will be executed only when tcpdump captures a packet.

After starting tcpdump, in a new terminal, we connect to the target machine through SSH. Now we send a TCP packet to the 127.0.0.1 using netcat. We had to use this locally as we started tcpdump on the loopback interface.

As soon as we send the packet, our command is executed and we can see all the files inside “/root” directory. Inside “/root” directory, we find a file called “flag.txt”. We are again going to use tcpdump command to open “flag.txt” and are able to get the final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

HackInOS:1: Vulnhub Lab Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as “HackInOS: 1”. The credit for making this VM machine goes to “Fatih Çelik” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:

  • IP Discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing HTTP service port
  • Finding upload directory
  • Finding source code for a web application
  • Getting reverse shell
  • Pivoting using Metasploit
  • Logging in through MySQL and find an SSH credentials
  • Logging in through SSH
  • Getting the root shell and finding the flag

Walkthrough

Let’s start off with scanning the network to find our target.

We found our target –> 192.168.1.101

Our next step is to scan our target with nmap.

The NMAP output shows us that there are 2 ports open: 22(SSH), 8000(HTTP)

We find that port 8000 is running HTTP, so we open the IP in our browser and find there is WordPress CMS running on the web server.

We don’t find any vulnerable plugin or theme on the CMS, so we run a dirb scan to enumerate the directories on the target machine.

Dirb scan gave us “robots.txt”, we open it and find a link to “upload.php” and “/uploads”.

We open upload.php and find a page where we can upload images. Here we try to upload an image and get a smiling face, it looks like it means there is an error uploading the file.

We open the source code of the web page and inside a comment we find a GitHub link.

We open the GitHub link and find there is a source code for the upload.php file.

Now to upload the image we just need to add “GIF98” to the start of the php reverse shellcode we want to upload.

Now when we upload our php reverse shell, we are successfully able to upload the shell. But we do not know the filename after it is uploaded on the server.

Taking a look at the source code of “upload.php” we find that after the shell is uploaded the file gets renamed to “md5(<filename><random number )between 1 – 100>.<file extension>”. So, we create a python script that creates a text file filled with all the 100 md5 filename.  You can download the script from here.

Now we run the python script and use dirb to bruteforce the new file name.

We set up the listener, and again run the dirb command again and get a reverse shell.

After getting a reverse shell, we spawn a TTY shell and we find that we are inside a Docker container. We find all files with SUID bit set and find that “tail” command has SUID bit set. So, we use the “tail” command to open “/etc/shadow”.

We get the password for “root” user from /etc/shadow file and we copy and save it in our system. We crack the hash using john the ripper and find the password to be “john”.

After finding the password, we switch to the root user. After becoming a root user, we switch to “/root” directory and find a file called “flag”. We open the “flag” file and find nothing useful.

Further enumerating the system, inside /var/www/html/wp-config.php. We open the username and password for database login. There is no MySQL service running on the machine and we are also not able to login through SSH using these credentials.

Getting back inside /root directory, we find a file called “.port”. We open the file and find a hint to look for other containers.

To further interact with the shell, we get a meterpreter reverse shell. We use the web_delivery module in Metasploit-framework to get a reverse shell.

We copy the command provided by web_delivery module and run it on the target machine.

As soon as we run the command on the target machine, we get a reverse shell. After getting a reverse shell, we use autoroute module in Metasploit-framework for pivoting.

Then we use the ping_sweep module to find all the machines on the new network.

Then we run a portscan module to find all the ports on all the machines.

We find the following ports open on the following machines:

172.18.0.1 22,8000
172.18.0.2 80
172.18.0.3 3306
172.18.0.4 2021

As we know port 3306 is for MySQL service and we also have username and password for WordPress database. So, we can login through MySQL on target “172.18.0.3” and use credentials “wordpress:wordpress”.

After logging in we check all the databases on the MySQL server.

We now check all the tables available on the database and find a table called “host_ssh_cred”. We check the columns inside the table and find the username and hash of a password.

We save the hash in our system and use john the ripper to crack the hash

Now we have the credentials for SSH; hummingbird:123456. We login through SSH and now when we run the id command, we find that we are a member of the docker group. Some containers have a dedicated group to allow unprivileged users to manage their containers without having to escalate their privileges. To exploit this vulnerability, we first need to check the docker images that are available.

We find that the Ubuntu image is available to us, so we use this to create a new docker container and mount the / directory of the host inside a folder called /root. After we run the docker image we go to /root/root and find a file called “flag”. When we open the file, we find our congratulatory flag.

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here