Posts

0wn!ng LazySysAdmin: 1

Image
Hi,

In this post I am going to write on how I owned LazySysAdmin: 1 machine which is hosted on Vulnhub.

As usual, I start with an arp-scan and discover the target IP address.



Next, starts the port-scan.


I decided to first enumerate the webpage:



Enumeration reveals that wordpress and phpmyadmin is running.



It is clear that the name of the admin is "togie" which may come to use at a later time.

Next, I searched through the website and there are files with directory listing, etc but I had hit a roadblock on web service.

I decided I shall look over to smb ports 139 and 445.

using smbclient and checked if null sessions are enabled and my guess is correct.


There are some interesting files here.

After further digging I have two information points:

1. in wp-config, we see dbusername and password is present.


2. File deets.txt has a clue:


Now, with username "Admin" and password "TogieMYSQL12345^^" I can login to phpmysql as phpmysql password is same as mysql passw…

Automating backdoor creation for PE files

Hello,

In this post I shall write about my experiences/attempt on automating the process of backdoor creation for windows PE(Portable Executable) files.
More than a short and quick success attempt, it been many a failures and frustrations but I made some commendable progress by trying harder.

I would like to point out that I am not publishing the entire code but giving you an outline as to "how to do it" but will include short code snippets

The post highlights my journey where I faced most issues and spent most times and where I could have done better

The rough idea for a backdoor is that we need to redirect the code flow at entry point of a PE file to a clean section within the PE file where shellcode is located to do the evil deed and it hand's off control back to the original code execution of the file.

But we need to talk about the above statement in a detailed manner.

[+] Getting the entry point of a PE & making a clean section within PE file.


When loading a progr…

Proteus Pwn4g3

Image
Hi Everyone,

Over this blogpost, I shall write about how I cracked a recently hosted challenge on vulnhub named "Proteus".

Looking at the machine description over Vulnhub:



The machine simulates an environment where you can upload executable files and performs malware analysis over it.

I download the OVA and setup my kali and vulnerable machine on the same network.

First and foremost, network discovery:



So the IP I shall be targeting is 192.168.137.250

I ran nmap and two services stand out:
1. ssh ==> port 22
2. http ==> port 80



I tried checking over ssh but it seems only key based login is allowed.

I shifted my focus over to port:80



Immediately striking are two things:

1. File upload feature
2. Login functionality

It seemed that the file upload is based on mime type and only executable file or sharedlib types are supported for uploads.

First I tried uploading a normal file and as an output we get binary analysis of the file.
Checking the output I see that all the ascii strings inside t…

Pluck w00t!

Image
Time to Pluck!

Though a bit late, I decided to give this machine a try!

As with all almost every machine I began with arp-scan/netdiscover:


Once this is done, next I try to do a port scan on the host.

I began with the tcp scan while upd scans taking more time ran in the background.
Since port 80 was open, I ran nikto in other window.


Post this is done, I move next to check banners on each service.

SSH dint give any banner, neither mysql or llmnr protocol so I tried to enumerate the web.

Just before I went to check the web service, I looked at the nikto results and they were interesting!


Now, this was very interesting, an LFI!!

Meanwhile I had also tried fuzzing the admin page on the webservice and it revealed sql injection:


Now, I had two vectors so I thought lets begin with the LFI.

Doing a /etc/passwd dumped all the contents!!


But Trying lfi on other files like apache logs etc was not getting possible (permission issue??)

This was when something caught my eye....  There was an entr…
Image
I picked up Sedna and these were the steps:

Like any machine, starting with arp-scan to first know the machine IP:

arp-scan -l



The machine got detected at 192.168.137.152

The next step was to run an nmap scan:



From here, I decided that I shall  be concentrating on port 80.

First checking the webpage:


I decided I shall have a peek at the robots.txt as well:


going to /Hackers gave 404 -Not found! Damn! :D

Meanwhile in background, I was running gobuster.

Doing web enumeration and checking web page sources dint reveal much!
I decided to check my gobuster results:


Manually enumerating the dirbuster pointed folders, I quickly became clear that builderengine was running.

Next, a searchsploit revealed exploit for arbitrary upload in BuilderEngine.


Seems BuilderEngine is vulnerable to arbitrary file uploads on the directory:
http://IP_Addr/themes/dashboard/assets/plugins/jquery-file-upload/server/php/

I uploaded a simple php reverse shell to received reverse shell on listening port 443.



And I…