Kioptrix level 2

VulnHub is a great place to get hands-on pen-test practice. I personally recommend doing most of the VulnHub labs before registering for the PWK (OSCP) course.

Kioptrix level 2: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
Download the virtual machine image from the link and set its network adapter to Bridged or NAT (whichever you prefer).


0. Find the IP address
– netdiscover: active/passive network discovery tool; Kali and BackTrack already ship it by default. If you

If you prefer a GUI to the CLI, there are other network scanners for Windows (including Wireshark or NetScan).
– NetScan on Windows: https://filehippo.com/download_softperfect-network-scanner/71274/

After getting the target’s IP address, type the address into the browser and see whether it serves a default web page. The website simply shows a login page. Let’s gather more information with enumeration and scanning tools.

1. Enumeration / Scanning
– nmap or zenmap: port/service scanner
– nikto: web server scanner that reports findings with OSVDB details
– dirbuster: finds available directories by brute forcing names from a directory wordlist

2. Website login page
– XSS (Cross Site Scripting): not working
– SQL injection: gets us through to the next page

Once you bypass the authentication with SQL injection, you can see the “pingit.php” page, which pings the IP address you enter (have you checked DVWA before?).

Let’s try to print out the contents of /etc/passwd on the page to see whether command injection works, by typing an IP address followed by a semicolon (;) and the command.

You can check the current user by typing id, but it shows as apache. To get root access, we need to find an exploit that grants privileged access.

For command injection, if you want a real-time shell, you can use commix:
https://github.com/commixproject/commix/

eg) $ python commix.py --url="http://192.168.88.135/pingit.php" --data="ip=127.0.0.1E&submit=submit" --auth-url="http://192.168.178.2/index.php" --auth-data="uname=admin&psw=%27+OR+1%3D1--+-&btnLogin=Login"

*Please don’t forget to URL-encode/decode your values (uname and psw) before using them in the URL: https://www.urlencoder.org/

*If you prefer to keep using the Kioptrix ping page (apache access) instead,

let’s find information about the OS and kernel with the cat command:
1) Kernel information > 192.168.88.131; cat /proc/version
Result: Linux version 2.6.9-55.EL (mockbuild@builder6.centos.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)) #1 Wed May 2 13:52:16 EDT 2007

2) OS information > 192.168.88.131; cat /etc/redhat-release
Result: CentOS release 4.5 (Final)

3. Search for an available privilege escalation exploit

There are other tools you can install to find exploits, such as Searchsploit or Findsploit (https://www.exploit-db.com/searchsploit/); if you prefer detailed information about an exploit, the CVE or Exploit-DB websites are better.

4. Download the vulnerable/exploitable source code
Since we only have apache’s access, we can’t download files into /root or /home, so we have to find a directory that apache can write to with the find command.

Download it with wget from Exploit-DB (some exploit code may already be on your Kali machine).

HTB – invite code

https://www.hackthebox.eu/

To sign up on the ‘Hack the Box’ website, you need to find the “invite code”.
First, look for missing/hidden information on the page. You can easily inspect and edit HTML elements with the developer tools, which open in your browser when you press F12.

You can see that the token value changes whenever you refresh the page. Sadly, the token value is not the invite code.

Second, find the function, the active JavaScript, that generates the invite code.
On the [Inspector] tab you can see the JavaScript files; the problem is which one? Let’s find out.

You can easily find out details about each JavaScript file by asking Mr. Google.
– google-analytics.com: analytics.js #analytics code details
– staticxx.facebook.com: BbnCpbXY9XB.js #Facebook’s analytics code
– js-agent.newrelic.com: nr-1044.min.js
– d31qvc1cthcecs.cloudfront.net: atrk.js
– connect.facebook.net: fbevent.js, sdk.js
– www.hackthebox.eu: htb-frontend.min.js, inviteapi.min.js

(… still editing… checking the code)

inviteapi.min.js is the one that generates the invite code. After beautifying the obfuscated JavaScript with a beautifier (jsbeautifier.org), you can see the function details.

The makeInviteCode() function generates the invite code by sending a “POST” to “/api/invite/how/to/generate”. Once the POST has been sent, the data comes back as:

{"success":1,"data":{"data":"SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl","enctype":"BASE64"},"0":200}

It’s showing data, but when I decode this data (via https://www.base64decode.org/) (SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl) from base64, it says “In order to generate the invite code, make a POST request to /api/invite/generate”.

So edit the URL, get the right data, and don’t forget to decode it back.

PWN2WIN 2017

It started on 20th Oct and ended on the 22nd. Unlike other CTFs where you can easily submit the flag value on the web, PWN2WIN 2017 CTF asked us to submit flag values via GitHub, so we spent 2 or 3 hours setting up that environment (getting SSH access, getting the team’s key…), but it was fun!!

For the CTF questions you can see the ranking in real time and the total solves, which show how many people found the flag. I’m the web and programming part of our team, but as we already know, a lot of CTF web challenges are pretty damn hard. So I started with the easy questions such as g00d_b0y.

*You can still check out the CTF questions on PWN2WIN 2017

1. g00d_boy

Simply solved by checking the bottom of the PWN2WIN 2017 rules page (https://pwn2win.party/rules/?lang=en); you can find the flag there!!

2. Great Cybernetic Revolution (Read first)

You see.. when people see a “read first” sign, they usually read the long, long story because of the sign!! I was one of them LOL and spent a couple of minutes finding the “mission”. But yeah, you can find the flag in the story… It was fun to read tho 😀

3. Sum (Hello World Platform)

It looks like after connecting to the server on a specific port, it gives us a bunch of information regarding the certificate.

I didn’t receive the flag at first, but after a couple of tries the server threw me the flag value!

CTF-Web-level1

CTF – InfoSec Institute Web_level1
CTF (Capture The Flag) provided by InfoSec Institute

The first level is a simple cross-site scripting (XSS) exercise. It is a simple web page that takes ‘Site Name’ and ‘Site URL’ as input values. The provided hint is to disable front-end validation.


1. Checking the webpage source
By pressing the [F12] key or right-clicking “view page source”, you can check out the source. Based on the source, there are a couple of attributes on the input fields.

Site Name

  • type="text" // one-line text input field
  • placeholder="Name of site" // explanation or description of the input value
  • maxsize="10" // text length will be 10 characters long
  • class="form-control" // the defined class is "form-control" (you can see the CSS details in the linked CSS file)
  • pattern="[A-Za-z]+" // alphabet only
  • required name="name" // name is "name"

Site URL

  • type="url" // URL input
  • placeholder="URL of site" // explanation or description of the input value
  • required maxsize="15" // text length will be 10 characters long
  • class="form-control" // the defined class is "form-control" (you can see the CSS details in the linked CSS file)
  • name="url" // name is "url"

2. Edit input type and attributes
You can easily change the input’s attributes to type more than 15 characters, or numeric or special characters.

In this example, I delete “pattern” and change maxsize to “155”.

3. Try XSS and see if it’s working!! or find another validation
After editing the Site Name input attributes, we can type a basic XSS payload such as . But for some reason it doesn’t show an alert message on the page. It’s literally recognized as letters and typed into the webpage, which simply means there’s another input validation on this webpage besides the input attributes.

Let’s check out the linked JavaScript to find the input validation. There are four different JavaScript files on this webpage.

  • jquery.min.js
  • bootstrap.min.js
  • functions.js: JavaScript for checking the level, adding the score and getting OWASP information
  • ex1.js

It seems obvious that ex1.js has the input validation (the name is obvious, and you can easily find the trim().replace(<) part as well).

replace(/A/, B) means replacing A with B. The ‘g’ flag stands for global, which makes the replace call apply to all matches, not just the first one. So the source means change “<” into “&lt;”. “&lt;” is the HTML-encoded form of “<”.
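The replace() above runs in the browser, so it protects nothing once the user edits it out (which is exactly what step 4 does). As an added example that is not code from the InfoSec Institute CTF or its ex1.js, the block below reproduces that client-side filter next to the server-side HTML encoding the page would need; `clientSideFilter`, `escapeHtml`, `renderSiteName` and the sample inputs are constructed for this demo.

```javascript
// Added example (not code from the InfoSec Institute CTF or its ex1.js):
// the client-side "replace < only" filter from the post, reproduced, next to
// the server-side HTML encoding the page should have had. All names and
// inputs here are constructed for the demo.

// Reproduction of the ex1.js-style client-side filter: only "<" is replaced,
// globally, with "&lt;". Because it runs in the browser, the user can edit it
// out in the developer tools, exactly as step 4 of the post does.
function clientSideFilter(value) {
  return value.trim().replace(/</g, "&lt;");
}

// Server-side output encoding for an HTML text context. Every character that
// can change the structure of the markup gets an entity; "&" is included so
// the browser does not decode already-encoded text back into markup.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Simulates the page building a table cell from the submitted "Site Name".
// `serverEncodes` switches between the vulnerable and the hardened server.
function renderSiteName(submitted, serverEncodes) {
  const shown = serverEncodes ? escapeHtml(submitted) : submitted;
  return "<td>" + shown + "</td>";
}

// Rough check a reviewer can run over rendered output: is there still an
// executable tag in it? (Detection heuristic, not a sanitizer.)
function containsActiveMarkup(html) {
  return /<\s*(script|img|svg|iframe)\b/i.test(html);
}

// Constructed inputs: a classic probe and an ordinary value with "&" and quotes.
const PROBE = "<script>alert(1)</script>";
const PLAIN_NAME = 'Tom & Jerry "rule"';

function demo() {
  return {
    // With ex1.js intact the probe is neutralised in the browser...
    clientFiltered: clientSideFilter(PROBE),
    // ...but once the client filter is removed, a server that does not encode
    // reflects the raw value, while one that encodes does not.
    rawServerStillActive: containsActiveMarkup(renderSiteName(PROBE, false)),
    encodedServerStillActive: containsActiveMarkup(renderSiteName(PROBE, true)),
    encodedPlain: escapeHtml(PLAIN_NAME),
  };
}
```

demo() returns the filtered probe, a true/false pair showing that only the encoding server keeps the probe inert, and the encoded plain value. The design point is that encoding belongs at the output, on the server, in the context the value is written into (HTML text here); the client-side replace is at most a usability nicety.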

4. Edit the JavaScript
After changing the JavaScript, we can see it shows the alert message now.

DVWA: File Inclusion

File Inclusion Attack?

A file inclusion attack is similar to a file upload attack. The difference is that a file upload attack uses the “upload function” on the target’s website, whereas a file inclusion attack abuses user-supplied input.

There are two types of file inclusion attack, LFI (Local File Inclusion) and RFI (Remote File Inclusion). LFI includes files that are already located on the web server, which makes heavy use of directory traversal sequences (../../).

RFI includes a file remotely from another domain. If you have your own server with a malicious PHP file on it (e.g. https://hackerwebserver.com/attack.php), you can put that file’s URL directly into the target website to make it load that file.

ref:
https://en.wikipedia.org/wiki/File_inclusion_vulnerability
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

1) DVWA : File Inclusion Attack – Low

This is the source of the file inclusion page in DVWA. As you can see, there’s no input validation at the low security level in DVWA.

For an LFI attack, you can easily move to another directory by typing ../../../../ *If you have a hard time finding the directory path, you can use a web application crawler.

For an RFI attack, you can easily put a different website URL after ‘page=’ in the URL. Just like the image below, you can see the new page is loaded if you change the last part of the URL to ‘page=https://google.com’.

Which means that if you have a malicious PHP file, you can put the file’s path in the URL and load it into the page.

You can easily make a malicious (bind or reverse shell) PHP file and load that file from the victim’s web browser with Metasploit (msfconsole or msfvenom). First, start metasploitable

2) DVWA : File Inclusion Attack – Medium

The difference between the low and medium levels is that there’s input validation, which simply blocks http:// and https://. This input validation can be bypassed by mixing lower and upper case, or by doubling the blocked string so that one copy survives the removal, e.g. HtTp:// or hhttp://ttp://

For LFI, the ../../ directory traversal sequences are still valid on this website, so we can use the same input that we used at the low level.

For RFI, this is easily exploitable by using ‘ H t T p s ‘ (e.g. http://192.168.88.132/vulnerabilities/fi/?page=hTtPs://google.com)

 

3) DVWA : File Inclusion Attack – High

DVWA: CSRF

1. DVWA (Low) – CSRF
CSRF (Cross-Site Request Forgery) is an advanced XSS attack which forces an end user to send a malicious request to the web server by triggering a malicious action in the web application.

For low-level DVWA CSRF, you can easily change the password without logging in to the website. After viewing the page source, you can see the values (password_new and password_conf, the new password and its confirmation) are sent via the GET method.

First, create your own HTML source that has the same form action to change the password.

Second, change the action="" part and type the password value. To make this source code (e.g. csrf_test.html) send the GET values to the actual website (the DVWA website), you need to set the form action value to “http://127.0.0.1/dvwa/vulnerabilities/csrf/?” instead of “#”.

Also assign the value (in this example, ‘csrfdone’) to password_new and password_conf to change the password without logging on to the website.

Finally, click the Change button and the page will redirect to the DVWA CSRF page and give you the ‘password changed’ result!!!


DVWA: Brute Force

1. DVWA (Low) – Brute Force
Brute force is a password attack which tries every possible combination until it finally finds the right password. This method might be useful if the password is made only of English letters or numbers. (But as we all know, lots of people now create their passwords with special characters, numbers, etc.)

A more advanced attack is the dictionary attack, which uses a password dictionary (wordlists of strings that people often use as passwords).

Back to DVWA: to brute force, there are well-known tools like Hydra, Patator, etc. To use a tool for a web brute force attack, we can’t just directly try every possible password against the live server (it will lock the account out or rate-limit). So we use another tool, called Burp Suite, to intercept the login request and modify it.

You need to set your browser’s proxy setting to localhost:8080. For Iceweasel, go to the [Edit] menu > [Preferences] > [Connection Settings]. Check the Manual proxy configuration part and type localhost or 127.0.0.1.

Then set up the Burp Suite proxy listener to 127.0.0.1:8080 under [Proxy] > [Options] > [Proxy Listeners].

HTTP has two well-known methods, GET and POST. The GET method fetches a file or information. The POST method is used when you post data, like entering content into a board.
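Because the low-level page takes username and password as GET parameters, every attempt lands in the web server’s access log, which is where a defender sees a Hydra or dictionary run long before it succeeds. As an added example, not a DVWA or Hydra feature, the block below parses constructed Apache combined-format log lines and flags a source address that makes many login attempts within a short window; the threshold, window, path check and helper names are this example’s own.

```javascript
// Added example (not a DVWA or Hydra feature): detecting a brute-force or
// dictionary run against the DVWA brute-force page from web server access
// logs. The log lines are constructed in Apache combined format; the
// threshold, window and helper names are this example's own.

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "21/Oct/2017:10:00:01 +0000" -> epoch seconds (timezone offset applied).
function parseApacheTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return NaN;
  const utc = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]) / 1000;
  const offset = (m[7] === "-" ? -1 : 1) * (+m[8] * 3600 + +m[9] * 60);
  return utc - offset;
}

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: parseApacheTime(m[2]), method: m[3], path: m[4], status: Number(m[5]) };
}

// DVWA's low-level brute-force page submits username/password as GET parameters.
function isLoginAttempt(e) {
  return e.path.startsWith("/dvwa/vulnerabilities/brute/") && /[?&]password=/.test(e.path);
}

// Flags a source IP that makes >= threshold login attempts within windowSec.
function detectBruteForce(lines, { threshold = 10, windowSec = 60 } = {}) {
  const perIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || !isLoginAttempt(e)) continue;
    const params = new URL(e.path, "http://localhost").searchParams;
    const rec = perIp.get(e.ip) || { times: [], users: new Set(), passwords: new Set() };
    rec.times.push(e.time);
    rec.users.add(params.get("username") || "");
    rec.passwords.add(params.get("password") || "");
    perIp.set(e.ip, rec);
  }
  const alerts = [];
  for (const [ip, rec] of perIp) {
    const t = rec.times.slice().sort((a, b) => a - b);
    let best = 0;
    for (let i = 0, j = 0; j < t.length; j++) { // sliding window over sorted times
      while (t[j] - t[i] > windowSec) i++;
      best = Math.max(best, j - i + 1);
    }
    if (best >= threshold) {
      alerts.push({ ip, attemptsInWindow: best, users: [...rec.users], distinctPasswords: rec.passwords.size });
    }
  }
  return alerts;
}

// Constructed sample: one host trying 12 passwords in 6 seconds, and one
// ordinary visitor who logs in once and then browses.
function line(ip, sec, query) {
  const ts = `21/Oct/2017:10:00:${String(sec).padStart(2, "0")} +0000`;
  return `${ip} - - [${ts}] "GET /dvwa/vulnerabilities/brute/?${query}&Login=Login HTTP/1.1" 200 4411 "-" "Mozilla/5.0"`;
}
const SAMPLE_LOG = [
  line("192.168.88.140", 0, "username=admin&password=password"),
  `192.168.88.140 - - [21/Oct/2017:10:00:03 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"`,
  ...["123456", "qwerty", "letmein", "admin", "welcome", "monkey", "dragon", "login", "abc123", "111111", "iloveyou", "passw0rd"]
    .map((pw, i) => line("192.168.88.130", Math.floor(i / 2), `username=admin&password=${pw}`)),
];
```

detectBruteForce(SAMPLE_LOG) returns a single alert for 192.168.88.130 with 12 attempts in the window and 12 distinct passwords against one user, and nothing for the ordinary visitor. Counting distinct passwords per user separates a dictionary run from a user who mistyped the same password a few times; the same shape of rule, keyed on the target user rather than the source address, catches a spray from many addresses.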

DVWA: Command Injection

1. DVWA (Low) – Command Injection

Command injection is an attack in which an attacker inputs a malicious command and runs it on the target. SQL injection uses SQL queries, but command injection uses system commands such as ifconfig or whoami.

*cf. command operators
A | B (whether A is true or not, B starts)
A ; B (whether A is true or not, B starts)
A || B (if A fails, then B starts)
A && B (if A succeeds, then B starts)

In DVWA Command Injection (security level: Low), if you type ‘192.168.0.25; ls’ in the Enter an IP address field (whether ping 192.168.0.25 succeeds or not, it will run the ls command after ‘;’), you can see the ‘ls’ output after the ping result.

2. DVWA (Medium) – Command Injection

In DVWA Command Injection (security level: Medium),

you can see the difference between low and medium is that there’s a blacklist for ‘;’ and ‘&&’. So if you type ‘192.168.43.43|ls’, you can still see the result.


How to set up DVWA in Kali

1. Download the DVWA zip file from GitHub and unzip it under /var/www/html.
Go to /var/www/ on Kali (you can create an ‘html’ or ‘dvwa’ directory with the “mkdir” command). Choose the path and download the DVWA zip file from the ethicalhack3r GitHub.

* You can also download the zip file from DVWA.co.uk and unzip it.

Set the permissions of the dvwa folder to 777 (writable and executable).

2. Change the database password ‘p@ssw0rd’ to ‘’ in the config.inc.php.dist file
Go to the /var/www/html/dvwa/config folder and edit the config.inc.php.dist file to change the password.

3. Start the apache2 and mysql services

4. Open a web browser and go to 127.0.0.1 to see if the server is running.
**If you are using an old version of Kali, the default web root will be /var/www, not /var/www/html. So if you can’t find html under /var/www on your Kali, you can place the DVWA folder under www and type the URL as 127.0.0.1/DVWA/login.php or 127.0.0.1/DVWA/setup.php.

In this case, I renamed the DVWA folder to lowercase dvwa, so the path will be ‘127.0.0.1/dvwa/login.php’. It will redirect to setup.php to create/reset the database.

Click the Create/Reset Database button and then click the login link.

5. Login page: the default ID is ‘admin’ and the password is ‘password’

**If you are having a hard time setting up the DVWA environment in Kali or another VM, you can easily download a virtual image of DVWA (.iso file).