TrevorC2 – Command and Control

TrevorC2 is command and control framework. It is a client/server model which works through a browser masquerading as C2 tool. It works on different time intervals which makes it almost impossible to be detected. This tool is coded in python but it’s also compatible with c#, PowerShell, or any other platform. this is supported by both Windows and MacOS along with Linux. It is very easy and convenient to use.

You can download it from

Once its downloaded, open the folder and then open trevorc2_server.py file and change the IP to your localhost IP as shown in the image below. Also, provide the site that will be cloned to the trevorc2 server.

Then, start and run trevorc2 framework.

Once the trevorc2 is up and running, change the IP to your localhost IP in trevorc2.ps1 file.

Then send this file to the victim using any desired social engineering method. Once the file is executed by the victim, you will have your session as shown in the image below :

To see the sessions type :

And to access this session type :

AuthorKavish Tyagi is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. contact here

Bypass Application Whitelisting using cmstp

By default, Applocker allows the executing of binaries in the folder that is the major reason that it can be bypassed. It has been found that such binaries can easily be used in order to bypass Applocker along with UAC. One of such binary related to Microsoft is CMSTP. CMSTP welcomes INF files and so exploitation through INF is possible. And so, we will be learning how to perform such exploitation.

As we all know CMSTP accepts SCT files and runs then without suspicion and therefore we will create a malicious SCT file to reach our goal.  We will use Empire PowerShell for this. For a detailed guide on Empire PowerShell click here.

Launch the empire framework from the terminal of Kali and then type the following commands to create your malware :

Above commands will create a listener for you, then type back to return from listener interface and as for the creation of SCT file type :

Running the above exploit will create your SCT file. We will use the following script to execute our file in PowerShell. In this script give the path of your SCT file and add the following line as shown in the image.

Download this script from here:

 

Now, send the file to the victim’s PC and run the following command in victims’ command prompt :

As soon as you run the command, you will have a session. Use the following command to access your session :

This way, you can use CMSTP binary to bypass applocker restrictions. CMSTP needs an INF file and by using it to your advantage you can have access to victim’s PC.

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

Hack the Box: Ypuffy Walkthrough

Today we are going to solve another CTF challenge “Ypuffy”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Ypuffy is 10.10.10.107

Penetrating Methodology

  • Network scanning (Nmap)
  • Scanning port 389 using LDAP script
  • Fetching shared directory using smbclient and finding the private key
  • Connecting to VM with SSH using the private key
  • Enumerating files with SUID bit set
  • Discovering that alice1978 can run ssh-keygen as userca
  • Discovering authorized commands at ssh login
  • Fetching principal using the curl command
  • Enumerating public certificate in system
  • Signing RSA key with ca certificate using doas command and previously found the principal
  • Logging into ssh using new private key pair
  • Snagging the flag

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and services.

The nmap scan shows us that there are 5 ports open: 22(SSH), 80(HTTP), 139(SMB), 389(LDAP), 445(SMB)

As LDAP service is running on port 389, we use nmap script called “ldap-search” to enumerate the target machine and we find the password hash for user “alice1978”.

Now as we find the password hash and username, we can login through using SMB using smbclient.

First, we check the shared directory available on the target machine and find a directory called “alice”. We then access the shared directory and find a file called “my_private_key.ppk”, we download the file to our local system.

The file we downloaded was a “Putty Private Key” file, so we use puttygen to convert the file into RSA private key. After converting it into RSA key, we change the permission of the RSA key and use it to login through SSH.

After logging in through SSH, we find a file called “user.txt”. We take a look at the contents of the file and find the first flag.

Now we check the files with suid bit enabled and find that “doas” is available on the target machine. It is a command utility similar to the “sudo” command. Now we check “/etc/doas.conf” to find what commands we can run. We find that we can run “/usr/bin/ssh-keygen” as user “userca”.

To further enumerate the target machine, we open the ssh configuration file at “/etc/ssh/sshd_config” and find we can run the command “/usr/bin/curl http://127.0.0.1/sshauth?type=key&username=%u” and “/usr/bin/curl http://127.0.0.1/sshauth?type=principals&username=%u”.  

Further enumerating the web application, we find that we can request keys from “http://127.0.0.1/sshauth?type=key&username=%u” and principals from “http://127.0.0.1/sshauth?type=principals&username=%u”, we requested keys for root user and get no response but we are successfully able to get root user’s principal.

As we have the root user’s principal, we can generate SSH keys and sign them with root’s principal. Doing so will allow us to login through SSH as root. Now we know we can run ssh-keygen to generate SSH keys but first, we need a certificate to sign the SSH key. We enumerate the machine to find a certificate and find one inside /home/userca directory.

First, we generate SSH keys and move them into the /tmp directory. Then we sign the keys as userca to read the certificate inside /home/userca/ca.

After signing the RSA keys, we use the RSA key to login through SSH as the root user. After logging in we find a file called “root.txt”. We take a look inside the content of the file and find the final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

Pentest Lab Setup on Memcached

In this article, we are going to learn about pen-testing in Memcached lab setup in Ubuntu 18.04. Memcached server is used by corporations in order to increase the speed of their network as it helps to store frequently used data. This helps to take the load of the hardware and decrease the time taken.

Table of Contents

  • Introduction to Memcached.
  • Memcached Installation.
  • Memcached Configuration.

Introduction to Memcached

Memcached is a distributed memory object caching system. It’s an open source and without any cost tool. It is used to speed up web applications by using a database from the cache memory. It is an in-memory key-value store for little bits of self-assertive information (strings, objects) that is extracted from database calls, API calls, or page rendering. Memcached is basic however capable of advancing speed arrangement, ease of advancement, and understands numerous issues confronting expansive information caches. Its API is accessible for most prevalent languages.

Memcached Installation

To install, boot up your Ubuntu machine and open the terminal.

Note: Apache2 should be installed before installing Memcached. You can easily install Apache2 by just typing in a simple command.

Now that we are all done, let’s setup Memcached by typing the commands shown below.

After installing Memcached add ppa:ondrej/php PPA in your Ubuntu system’s repository to

download and install the latest version of PHP available. Follow the commands as shown below.

After adding the repository, update the system by typing in the following command.

Now, install PHP by executing the command shown below :

Now that PHP has been installed successfully in our system, we will go ahead and install the PHP Memcached module by executing the below command:

Once the installation is complete, restart the Apache2 service.

Now check whether the PHP extension is working fine or not by creating an info.php by using the code mentioned below with nano or any text editor you like.

Now save the file in /var/www/html

Once the file is saved, access it from your web browser by typing in the following URL.

You should see the results as shown in the image below.

Memcached Configuration

Now, here we are going to configure the Memcached Server. To do so, we have to edit its configuration file. You will find this configuration file through /etc/memcached.conf path. Open the memcached.conf file using nano or any other text editor. The commands that are shown below will be given and activated by default. The purpose of this mentioning is to let you know that where you can find it; along with why and how to make changes to it., if necessary. Following are the said commands which are important for low-level Memcached Server configuration:

-m 64

Here,

m: specifies the maximum memory limit which is used by Memcached daemon. By default, this limit is 64 MB

-p 11211

Here,

p: specifies the port number. By default, it’s 11211.

-u memcache

Here,

u starts the daemon tool as root.

After this, uncomment “-l 127.0.0.1” by simply adding # as shown in the image, as it will not be so by default. By uncommenting, it will stop binding the IP address of Memcached listener to the loopback IP. Hence, traffic can come from any IP over the internet.

Now once you saved the configuration file after making the changes, restart the service by using the following command :

Then use the following command to confirm whether Memcached configurations are working are not :

Once you are done with the above commands, connect Memcached through telnet and do a version check by typing in “version” command:

Now, you can use nmap to check if the Memcached service is running on the server.

Conclusion

To conclude, we can say that Memcached is a distributed memory caching system. It uses expiration timeouts i.e. if the server has no memory left, it will evict items to replace them with the new ones. The items it chooses to replace are the ones which have not been requested for a long period of time. And so, in the above article, we have provided a basic guide to set up the Memcached penetration testing lab.

Author: Benoy Naskar is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information SecurityContact here